Blog

Archive for June, 2021

CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th)

[preliminary. please let us know if we missed something or made any mistakes]

As part of Microsoft’s June patch Tuesday, Microsoft released a patch for CVE-2021-1675. At the time, the vulnerability was considered a privilege escalation vulnerability. Microsoft considered exploitation “less likely” [1].

On June 21st, Microsoft modified the description of the vulnerability upgrading it to a remote code execution vulnerability. Earlier this week, an RCE exploit was posted to GitHub. While the exploit code was quickly removed, it had already been forked multiple times and can still easily be found on GitHub.

Further, it appears that the patch released by Microsoft on June 6th was incomplete. According to multiple reports, this exploit works on fully patched systems. Remote exploitation, however, requires normal user credentials [2].

A successful attack will leave the attacker with SYSTEM privileges.

What should you do:

  • Patch systems that need to run the printer spool service.
  • Disable the printer spool service where possible. You only need it on systems that share printers. You do not need it on clients that only print to shared printers.
  • Block port 445/TCP and 135/TCP at your perimeter. (that is a good idea anyway)

What we do not know for sure:

  • The effectiveness of the June patch is disputed. Some say that it may prevent the PoC from working, but there is evidence that it does not fully patch the vulnerability.
  • Are there any exploit scenarios that do not require valid user credentials?
  • Some reports indicate issues with printing after applying the June patch.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
[2] https://twitter.com/gentilkiwi/status/1410066827590447108?s=21


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th)

Introduction

Thanks to everyone who participated in our June 2021 forensic contest originally posted two weeks ago.  We received 10 submissions through our contact page, and four people found all three infections in the pcap.  Unfortunately, we could only pick one winner.  In this case, our winner was chosen through a random process among the four eligible people.  Join us in congratulating this month’s winner, Dimitri!  Dimitri will receive a Raspberry Pi 4 kit.

You can still find the pcap for our June 2021 forensic contest at this Github repository.

Answers

Three infected Windows clients show signs of infection within the Active Directory (AD) environment from the packet capture (pcap).  The infected Windows hosts are:

  • IP address: 10.6.15.93
  • MAC address: 00:23:54:a2:1f:b4
  • Host name: DEKSTOP-A1CTJVY
  • User account: raquel.anderson
  • Infected with: AgentTesla
  • Date/Time of infection activity: 2021-06-16 15:44 UTC

  • IP address: 10.6.15.119
  • MAC address: 00:23:54:e3:a3:55
  • Host name: DESKTOP-NIEE9LP
  • User account: tommy.vega
  • Infected with: Hancitor, Cobalt Strike, and Ficker Stealer
  • Date/Time of infection activity: 2021-06-16 14:37 UTC
  • Note: Malicious Word doc was sent through ststephenskisugu[.]church at 14:35 UTC

  • IP address: 10.6.15.187
  • MAC address: 00:23:54:72:c9:13
  • Host name: DESKTOP-YS6FZ2G
  • User account: horace.maddox
  • Infected with: Qakbot (Qbot)
  • Date/Time of infection activity: 2021-06-16 15:37 UTC
  • Note: Malicious zip archive was sent through solarwindsonline[.]com at 15:30 UTC

To help in your analysis of this activity, please review the Requirements section in our original diary for this month’s contest.

Creating Pcaps for Individual Hosts

As stated in our original post, the infected Windows hosts are part of an AD environment, and its characteristics are:

  • LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
  • Domain: saltmobsters.com
  • Domain Controller: 10.6.15.5 – Saltmobsters-DC
  • LAN segment gateway: 10.6.15.1
  • LAN segment broadcast address: 10.6.15.255

To find IP addresses for Windows clients in this AD environment, use Statistics –> Endpoints to bring up Wireshark’s Endpoints window.


Shown above:  Getting to the Endpoints window in Wireshark.

The Endpoints window shows all endpoints in the pcap.  Click on the IPv4 tab and sort by address to find IP addresses in the 10.6.15.0/24 range.


Shown above:  Sorting by Address under the IPv4 tab and finding the 10.6.15.0/24 addresses.

This should reveal six internal IP addresses within the 10.6.15.0/24 LAN segment for saltmobsters.com:

  • 10.6.15.1 (gateway)
  • 10.6.15.5 (Domain controller, Saltmobsters-DC)
  • 10.6.15.93
  • 10.6.15.119
  • 10.6.15.187
  • 10.6.15.255 (broadcast address)

Since 10.6.15.1, 10.6.15.5, and 10.6.15.255 are already accounted for, we should filter on each of the three remaining IP addresses and export the traffic for each one into a separate pcap.

First, filter on ip.addr eq 10.6.15.93 then use File –> Export Specified Packets… to save the displayed traffic in a new pcap as shown below.


Shown above:  Filtering on 10.6.15.93 and saving the traffic to a new pcap.

Do the same thing for 10.6.15.119 and 10.6.15.187.  Now you should have three new pcaps that contain traffic from each of the Windows clients.


Shown above:  Three pcaps from Windows clients extracted from the June 2021 contest pcap.
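The same two steps (listing the 10.6.15.0/24 endpoints, then exporting one pcap per remaining client) can be scripted without Wireshark. This is an added example, not code from the diary; it handles only classic little-endian pcap with Ethernet/IPv4 frames, and the embedded capture is constructed, not the contest pcap.

```python
import struct
import ipaddress

# Constructed sample pcap (classic little-endian format, link type 1 = Ethernet)
# with a handful of Ethernet/IPv4 frames. Not taken from the contest pcap.
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _frame(src, dst):
    """Ethernet + IPv4 header only (checksum left zero; enough for filtering)."""
    eth = bytes.fromhex("002354000001" "002354000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip

def _record(frame, ts):
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = GLOBAL_HDR + b"".join([
    _record(_frame("10.6.15.93", "10.6.15.5"), 1),
    _record(_frame("10.6.15.119", "194.226.60.15"), 2),
    _record(_frame("45.142.212.61", "10.6.15.93"), 3),
    _record(_frame("10.6.15.1", "10.6.15.255"), 4),
    _record(_frame("10.6.15.187", "192.186.204.161"), 5),
])

def iter_packets(pcap):
    """Yield (record_header, frame) for each record of a little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ipv4_endpoints(frame):
    """(src, dst) of an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (str(ipaddress.ip_address(frame[26:30])),
            str(ipaddress.ip_address(frame[30:34])))

def windows_clients(pcap, lan="10.6.15.0/24",
                    known=("10.6.15.1", "10.6.15.5", "10.6.15.255")):
    """Endpoints step: LAN addresses that are not the gateway, DC or broadcast."""
    net = ipaddress.ip_network(lan)
    seen = set()
    for _, frame in iter_packets(pcap):
        for addr in ipv4_endpoints(frame) or ():
            if ipaddress.ip_address(addr) in net:
                seen.add(addr)
    return sorted(seen - set(known), key=ipaddress.ip_address)

def export_host(pcap, host):
    """Same result as 'ip.addr eq <host>' + File -> Export Specified Packets."""
    out = bytearray(pcap[:24])
    for hdr, frame in iter_packets(pcap):
        if host in (ipv4_endpoints(frame) or ()):
            out += hdr + frame
    return bytes(out)
```

Writing `export_host(pcap, h)` to a file for each `h` in `windows_clients(pcap)` gives the three per-client pcaps; a pcapng capture must be converted to pcap first.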

Infection Traffic for Agent Tesla (AgentTesla)

Let’s review traffic from 10.6.15.93.  We can quickly determine host information by filtering on kerberos.CNameString and viewing a customized column for CNameString as described in this tutorial.  The host information is:

  • IP address: 10.6.15.93
  • MAC address: 00:23:54:a2:1f:b4
  • Host name: DEKSTOP-A1CTJVY
  • User account name: raquel.anderson

You can find host information for the other two IP addresses using this method.  Note: When setting up this environment, I misspelled DESKTOP in the host name for DEKSTOP-A1CTJVY.


Shown above:  Host information for 10.6.15.93.

There’s nothing unusual in web traffic from 10.6.15.93, except for a DNS query to turtleoil1998b[.]com that resolves to 45.142.212[.]61, but no TCP connection is established with that IP.  This traffic is related to the TA551 (Shathak) campaign, which was pushing Ursnif (Gozi/ISFB) during this timeframe.  My personal research has confirmed turtleoil1998b[.]com was a domain used by TA551 to host malware DLL files for Ursnif on 2021-06-16.

Despite a lack of interesting web traffic, 10.6.15.93 generated unusual SMTP activity.  Filter on smtp, and the display will show unencrypted SMTP traffic over TCP port 587 to an external IP address.  This is not normal activity from a Windows client.


Shown above: SMTP traffic seen from 10.6.15.93.

Follow the TCP stream for any of the first few frames in the SMTP results.  Your TCP stream should reveal an email to [email protected] with usernames and passwords from the Windows host.  This is definitely malicious traffic.


Shown above:  TCP stream of unencrypted SMTP traffic with info from the infected host.

This activity matches what I’ve seen for AgentTesla malware.  It triggered an alert for AgentTesla-generated SMTP when I tested it in my lab environment.


Shown above:  EmergingThreats (ET) alert for AgentTesla.

The infected Windows host at 10.6.15.93 sent four emails to [email protected].


Shown above:  Four different emails sent from 10.6.15.93.

The first message has passwords from the infected Windows host, and its subject line starts with PW.  The next three messages have keylogging data, and their subject lines start with KL.

Infection Traffic for Hancitor, Cobalt Strike, and Ficker Stealer

Traffic from 10.6.15.119 fits patterns for Hancitor, Cobalt Strike, and Ficker Stealer as described in this Wireshark Tutorial.  In recent weeks, Hancitor has used Google Feedproxy links as the initial URL to kick off an infection chain.  The initial Google Feedproxy link in this pcap redirected to a URL from ststephenskisugu[.]church as part of this infection chain.

Indicators for the remaining activity are listed below.

Hancitor traffic:

  • port 80 – api.ipify.org – GET /
  • 194.226.60[.]15 port 80 – hadevatjulps[.]com – POST /8/forum.php

Hancitor-infected host retrieves follow-up malware:

  • 8.209.119[.]208 port 80 – srand04rf[.]ru – GET /16.bin
  • 8.209.119[.]208 port 80 – srand04rf[.]ru – GET /16s.bin
  • 8.209.119[.]208 port 80 – srand04rf[.]ru – GET /f7juhkryu4.exe

Cobalt Strike traffic:

  • 162.244.83[.]95 port 80 – 162.244.83[.]95 – GET /VOoH
  • 162.244.83[.]95 port 443 – 162.244.83[.]95:443 – GET /4Erq
  • 65.60.35[.]141 port 80 – 65.60.35[.]141 – GET /pixel
  • 65.60.35[.]141 port 443 – 65.60.35[.]141:443 – GET /g.pixel

Ficker Stealer traffic:

  • port 80 – api.ipify.org – GET /?format=xml
  • 185.66.15[.]228 port 80 – pospvisis[.]com – TCP traffic (not HTTP)

EXE retrieved from the traffic:

Infection Traffic for Qakbot (Qbot)

Traffic from 10.6.15.187 fits patterns for Qakbot (Qbot) malware.  Indicators are:

  • 192.186.204[.]161 port 80 – solarwindsonline[.]com – GET /miss-alicia-abbott/Oliver.Williams-84.zip
  • 192.186.204[.]161 port 80 – solarwindsonline[.]com – GET /miss-alicia-abbott/documents.zip
  • 103.28.39[.]29 port 443 – khangland[.]pro – HTTPS traffic
  • 104.244.121[.]13 port 443 – jaipurbynite[.]com – HTTPS traffic
  • 149.28.99[.]97 port 2222 – attempted TCP connections
  • 95.77.223[.]148 port 443 – attempted TCP connections
  • 207.246.77[.]75 port 2222 – HTTPS/SSL/TLS traffic

The initial URL for solarwindsonline[.]com was reported to URLhaus as returning a zip archive for Qakbot.  Unfortunately, due to packet loss in our pcap, we cannot export the zip archive that appears in this traffic.

However, this malware sample is an Excel spreadsheet associated with Qakbot that generates traffic to khangland[.]pro and jaipurbynite[.]com. Tria.ge sandbox analysis of the sample shows it generates the following HTTPS URLs when macros are enabled:

  • hxxps://khangland[.]pro/v8gEDeSB/sun.html
  • hxxps://jaipurbynite[.]com/stLdQs9R53/sun.htm

These two URLs fit patterns associated with Qakbot infections in recent weeks.  207.246.77[.]75:2222 is also known for malicious traffic associated with Qakbot.

Final Words

This month’s quiz was significantly more difficult than our previous two forensic contests, so thanks to all who participated.

Congratulations again to Dimitri for winning this month’s competition!

You can still find the pcap and malware at this Github repository.

Brad Duncan
brad [at] malware-traffic-analysis.net


Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th)

I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a pdf file and instructed the recipient to download the file for further information. Figure 1 below shows the headers, while Figure 2 shows the content of the e-mail message.

Figure 1: E-Mail Headers

Figure 2: Contents of Phishing E-Mail

With reference to Figure 1, the e-mail was sent via an academic institution’s e-mail system (details redacted to protect privacy of the affected asset owner). We can also see that the perpetrator attempted to use legitimate looking e-mail addresses (e.g., “info-corp.ltd”).

We can see that the e-mail appeared to be quite sparse (Figure 2), and subtly nudged the recipient to open the pdf file for additional details. Before opening an unknown pdf file like this one, let’s dissect it and see if there is any malicious code embedded within the file. I used Didier’s pdfid.py and pdf-parser.py to perform the analysis.

Figure 3: Analysis of Official Notification.pdf via pdfid.py

Looking at the output (as shown in Figure 3), we can see that the file is pretty tame. We would see some additional outputs such as /JS, /JavaScript, /AA or /OpenAction if the pdf file had malicious functionality embedded inside. I was also curious if any metadata could be obtained so as to have some insight on the perpetrator. Using pdf-parser.py, I looked through the objects within the pdf file and discovered object 36 containing some data. Figure 4 shows the output of object 36 (the -c flag displays the content, and -w displays the raw output). It appears that the author’s name was “hp”, and the file was created with Microsoft Word 2013. The file timestamps showed that it was created on June 21 2021 at 11:13:28 (+8 GMT). Unfortunately, there was nothing much else of interest. Although the author’s name (which here also reflects the name of the user account), the program that created the pdf file, and the time zone setting could be retrieved, any of these could have been deliberately set up by the perpetrator. Nevertheless, it is still useful Open Source Intelligence (OSINT) that should be noted down to track phishing campaigns.

Figure 4: Metadata of Official Notification.pdf via pdf-parser.py
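The two checks made above, counting the pdfid keywords that signal active content and pulling the Info-dictionary metadata that pdf-parser.py showed in object 36, reduce to a few regular expressions. This is an added example, not Didier's tools; both PDF fragments are constructed, and the first only mirrors the values the diary reports (author, creator, creation date).

```python
import re

# Keywords pdfid.py reports that point to active content; the diary notes none were present.
PDF_KEYWORDS = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction")

# Constructed PDF fragments (not the real Official Notification.pdf). The first mirrors the
# diary's findings: author "hp", made with Word 2013, created 2021-06-21 11:13:28 +08:00.
BENIGN_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"36 0 obj << /Author (hp) /Creator (Microsoft Word 2013) "
              b"/CreationDate (D:20210621111328+08'00') >> endobj\n")
ACTIVE_PDF = (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /J#53 (PLACEHOLDER-SCRIPT) >> endobj\n")

def normalize_names(data):
    """Undo #xx escapes in PDF names (e.g. /J#53 is /JS) so a count cannot be dodged."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def keyword_counts(pdf):
    """pdfid-style counts of the active-content keywords."""
    data = normalize_names(pdf)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in PDF_KEYWORDS}

def info_metadata(pdf):
    """Literal-string values of the usual Info keys, as pdf-parser.py shows for object 36."""
    data = normalize_names(pdf)
    found = {}
    for key in (b"Author", b"Creator", b"Producer", b"CreationDate"):
        m = re.search(rb"/" + key + rb"\s*\((.*?)(?<!\\)\)", data, re.S)
        if m:
            found[key.decode()] = m.group(1).decode("latin-1")
    return found

def pdf_date_to_iso(value):
    """D:YYYYMMDDHHmmSS+HH'mm' -> ISO 8601; the offset is what the diary read as '+8 GMT'."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:([+-])(\d{2})'?(\d{2})?)?", value)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = f"{sign}{oh}:{om or '00'}" if sign else "Z"
    return f"{y}-{mo}-{d}T{h}:{mi}:{s}{tz}"
```

Hex-string and stream-compressed metadata are not covered here; pdf-parser.py handles those cases.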

After noting down these details, I examined the contents of the pdf file. Figures 5 and 6 show an excerpt of the content, and the perpetrator has taken quite a bit of care to ensure that the document looked legitimate. The address used was a legitimate address used by Google UK, and reference numbers were also used to make it look more official. Finally, the document purportedly states that the recipient has won £1,950,000.00 (~US$2,710,110.00), along with some Google hardware. However, there were evidently some suspicious areas. For example, it was highly unlikely that a contact from Google would be using the domain “goocoperate.com” for correspondence. A quick check on that domain name showed that “goocoperate.com” was registered on September 29 2020, and directed the visitor to the default site landing page of the hosting provider.

Figure 5: Content of Official Notification.pdf (Part 1)

Figure 6: Content of Official Notification.pdf (Part 2)

The style of phishing is not new, and it looks like the phishing mail has been upgraded. I did some research, and the previous “prize” offered was £950,000.00 (US$1,320,310.00). Victims who wrote back would be persuaded to pay for the bank and delivery charges, and never receive the purported prize money. It appears that this tactic has worked well, or else the perpetrators would not have bothered to refresh the “congratulatory” letter and also increase the prize winnings. Thankfully, the pdf file was not weaponized, though it remains to be seen whether it will stay that way. As mentioned in my previous diary, always verify the authenticity of the e-mail you receive when in doubt [1]. Don’t forget to look out for your loved ones, and remind them about the various phishing e-mails/messages they might receive.


Indicators of Compromise (IOCs):
Official Notification.pdf (304KB)
MD5: 15ff78d798d1c32f6017a99f1b675ce3
SHA1: 7749a3d4be7505abca3000d1c3e3a4afdd428d04

References:
[1] https://isc.sans.edu/diary/27356

———–
Yee Ching Tok, ISC Handler
Personal Site
Twitter


CFBF Files Strings Analysis, (Mon, Jun 28th)

The Office file format that predates the OOXML format is a binary format based on the CFBF format. I informally call this the ole file format.

It’s a binary file format, and it is uncompressed (disregarding application-specific exceptions, like VBA source code).

That lends itself to strings analysis, as I’ve written about in previous diary entries.

There is a potential problem when you run the strings command on a .doc file, for example. The CFBF file format is similar to a file system format: it is made up of sectors, and has File Allocation Tables. This means that the data contained in streams is written into sectors. These sectors don’t have to be sequential.

If you are looking for URLs for example, you could run the strings command on a .doc file, and grep for string http.

It can happen that a URL straddles the boundary of 2 sectors: its first part is at the end of sector N, and its last part is at the start of sector N+1. If both sectors are written sequentially into the CFBF file, there is no problem. But if they are not contiguous, the strings command cannot extract the complete URL, as it is split into 2 strings that are separated by other data.

I have a couple of solutions to this problem.

The first one I’ll cover in this diary entry, is quite simple: my tool oledump.py, a tool to analyze CFBF files, has an option to extract all strings from a stream: -S.

Take this Word document, a .doc file, where I have typed a URL on the first page:

Stream 6 contains the content that I typed:

This is for a single stream. Use “-s a” to extract strings from all streams:

With this last command, you can extract all strings from all streams. And you will not extract strings that are not located in streams, like the names of the streams for example.

You don’t have control over oledump’s string extraction method; for example, you cannot specify a minimum string length (the minimum is 4).

There are other methods where you can do that: that is for another diary entry.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


DIY CD/DVD Destruction, (Sun, Jun 27th)

I have some personal CDs & DVDs to dispose of. And I don’t want them to remain (easily) readable.

There are paper shredders that also shred CDs & DVDs, but I don’t own such a shredder.

So I ended up drilling a hole in my optical disks.

My recommendation: don’t do this, it’s difficult and hazardous.

Even though I used a drill press with a clamp to hold the optical disks, I had disks that came loose and started to spin, with risk of flying in all directions.

That’s because I drilled at a speed (around 2500 rpm) that was too high: it made the plastic melt, and got the drill bit stuck in the stack of disks.

A lower drill speed (500 rpm) solved that problem, the plastic no longer melted, but I still had small pieces of plastic and metal film detaching from the disks.

I drilled the hole close to the center of the optical disk, because I remembered that CDs and DVDs are written from the center to the edge. Assuming that data structures that describe the layout of the disk are found at the beginning, drilling a hole there would make the complete disk unreadable.

I tested one disk with a hole, and indeed, my drive was not recognizing any disk:

It’s a difficult and hazardous process, don’t do it. Especially not with a handheld power drill.

Please post a comment if you have destroyed data supports like CDs and DVDs, especially if you have a safe and easy DIY solution.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th)

This XML External Entity injection (XXE) vulnerability, disclosed in March 2019, is still being actively scanned for. It affects the mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. The exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account.

Sample Log

20210625-144918: 192.168.25.9:443-45.146.165.123:41062 data
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: XX.XX.28.221:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close
<!DOCTYPE xxe [

]>

aaaaa
&xxe;

Indicators (AS Name: HOSTWAY-AS, SELECTEL)

Information on the patch is available here [3].
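The request in the log above carries a DOCTYPE with an entity reference, which an Autodiscover request never needs, so an XML endpoint can fail closed on that alone. Below is an added example, not Zimbra code, of a Python expat parser that rejects any DTD or entity declaration, plus a cheap log-side check; both request bodies are constructed, and the entity target is a placeholder rather than a real path.

```python
from xml.parsers import expat

class DoctypeRejected(ValueError):
    """Raised when a request body carries a DTD, which an Autodiscover request never needs."""

# Constructed request bodies; the entity target is a placeholder, not a real path.
SAFE_BODY = b"<Autodiscover><Request><EMailAddress>a@b.test</EMailAddress></Request></Autodiscover>"
XXE_BODY = (b'<!DOCTYPE xxe [ <!ENTITY xxe SYSTEM "file:///PLACEHOLDER-PATH"> ]>'
            b"<Autodiscover><Request><EMailAddress>aaaaa&xxe;</EMailAddress></Request></Autodiscover>")

def parse_no_dtd(body):
    """Parse XML with expat, failing closed on any DOCTYPE, entity declaration or
    external entity reference. Returns the element names seen, in document order."""
    parser = expat.ParserCreate()
    names = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected")

    def reject_entity(*decl):
        raise DoctypeRejected("entity declaration rejected")

    def reject_external(context, base, sysid, pubid):
        raise DoctypeRejected(f"external entity {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(body, True)
    return names

def is_accepted(body):
    """True if the body parses without any DTD machinery, False if it was rejected."""
    try:
        parse_no_dtd(body)
        return True
    except DoctypeRejected:
        return False

def body_has_dtd(body):
    """Log-side check for the pattern in the honeypot capture: a DOCTYPE plus an entity."""
    lowered = body.lower()
    return b"<!doctype" in lowered and (b"<!entity" in lowered or b"&xxe;" in lowered)
```

Requests flagged by `body_has_dtd` against an Autodiscover URL are worth an alert regardless of whether the server is patched.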

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-9670
[2] https://bugzilla.zimbra.com/show_bug.cgi?id=109129
[3] https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10
[4] https://programmersought.com/article/89298322178/
[5] https://www.shodan.io/search?query=zimbra
[6] https://isc.sans.edu/forums/diary/Is+XXE+the+new+SQLi/17375
[7] https://isc.sans.edu/forums/diary/Blindly+confirming+XXE/19257

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
