Weekly Executive Summary for Week November 24, 2017

Blocking Phase:

The final phase in the ORB application uses a python library called python-iptables. Iptables is a tool used to manage netfilter, which is used for packet filtering and manipulation in Linux. Rules are created and packets are matched based on their contents and actions are taken based on these rules.

 

Source: n0where

Every packet that enters the networking system will trigger hooks in the Linux kernel’s networking stack. Hooks will trigger depending on whether the packet is incoming or outgoing, the packets destination, and whether the packet was dropped or rejected in a previous point of the stack. IPTables firewall uses tables to organize its rules and will classify rules according to types of decisions the rules will make. This application will primarily use the filter table which is used to make decisions on whether to let a packet continue to its intended destination or deny its request.

import iptc

ip_block = '192.168.18.177'

An IP address is set for an iptable rule and the python-iptables library is imported

chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()

The chain object is created on INPUT (all traffic coming into the network) and is applied to the FILTER table

rule.in_interface = "eth+"
rule.src = ip_block + "/255.255.255.0"

A interface is set, in this case it is all eth or ethernet interfaces and the IP address and subnet mask are applied to the rules src or source

target = iptc.Target(rule, "DROP")

The target rule is set to DROP all packets if detected by the earlier rule.src IP address

rule.target = target
chain.insert_rule(rule)

The rule for the target is created and is inserted into a chain in the ruleset

Once a target IP has been determined by the scanning phase, the IoT device will be monitored for all incoming traffic using the monitoring phase. If network traffic is detected targeting an IP address in the trusted list a user is given the ability to accept or block that traffic. If a user chooses to block traffic from an untrusted source a rule is created on in the FILTER table to DROP packets to the IoT device.

 

Sources:

https://n0where.net/how-does-it-work-iptables/ (n0where)

https://github.com/ldx/python-iptables (python-iptables)

https://github.com/buckyroberts/Python-Packet-Sniffer (Packet Sniffer)

 

Weekly Executive Summary for Week November 17, 2017

Monitoring Phase:

Socket: Python library used for Low-level networking interfaces. The socket library is used to open a raw socket and sniff network traffic on the network. Once network packets and headers are captured, struct, another python library is used to format and interpret the byte code that TCP and UDP packets are stored as.  

Ethernet packets are captured and data from the packet is extracted using formatting and struct. As you can see below, IP data and header information are contained in the DATA(Payload) section of the Ethernet frame. In this application IP information from the Ethernet packet is essential for creating network rules in other modules.

Source: Wikipedia

Once the Data section from the Ethernet packet is extracted we need to get data from the IP packet header. As seen by the image below, the IP packet contains version, header length, source IP address, destination IP address, and more. The ORB application will only be using the source/destination address for monitoring, once a trusted device is added to the list all incoming network traffic to that device is monitored.

Source: EDGIS

import socket
import struct

'''IP address of philips hue IoT device'''
ip_mon = '192.168.18.162'

Socket and Struct libraries are imported and IP address of philips hue device is stored as a variable to monitor

'''Creates an open raw socket to capture all network packets'''
conn = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(3))

A raw socket object is created to capture network traffic and act as a packet sniffer

while True:
raw_data, addr = conn.recvfrom(65536)
dest_mac, src_mac, eth_proto, data = ethernet_frame(raw_data)

An endless loop is created to constantly receive data from packets and extract packet data from ethernet frame

if eth_proto == 8:
(version, header_length, ttl, proto, src, target, data) = ipv4_packet(data)

If the ethernet protocol is equal to ‘8’ it is a IPv4 packet and a function is called to extract packet header information

if(src == ip_mon):
print(target + ':is trying to establish a connection, do you want to accept connections?')
break

The code will then check if the src address in sniffed packets is equal to the IPv4 address of the IoT device being monitored

 

To test connections to monitored devices I wrote a python script using a python library called  phue. Phue is a python library designed for Philips Hue smart lighting systems, it allows you to connect to a Philips Hue bridge and control lights on a lighting system.

from phue import Bridge

'''IP address of philips hue bridge'''
b = Bridge('192.168.18.162')

'''Used to connect to the hue bridge - button may need to pressed'''
b.connect()

'''Get the bridge state (This returns the full dictionary that you can explore)'''
b.get_api()

The phue library is imported and a connection is made to the philips hue lighting system bridge and information is returned

'''Prints if light 1 is on or not'''
b.get_light(1, 'on')

'''Set brightness of lamp 1 to max'''
b.set_light(1, 'bri', 254)

'''Turn lamp 1 on'''
b.set_light(1,'on', True)

Hue light information is obtained from the first light in the system and the brightness and power are set to on.

- IPv4 Packet: - IPv4 Packet: - Version: 4, Header Length: 20, TTL: 64, - Source: 192.168.18.177, Target: 192.168.18.162
- IPv4 Packet: - Version: 4, Header Length: 20, TTL: 64, - Source: 192.168.18.162, Target: 192.168.18.177
- IPv4 Packet: - Version: 4, Header Length: 20, TTL: 64, - Protocol: 6, Source: 192.168.18.177, Target: 192.168.18.162
- IPv4 Packet: - Version: 4, Header Length: 20, TTL: 64, - Source: 192.168.18.177, Target: 192.168.18.162

IPv4 packets are captured and we can see that the Target is the philips hue device as commands are sent to the lights on the hue bridge

 

Once devices are added to a trusted list from the scanning phase packets in network traffic will be examined, any network traffic to the devices will be captured, and users will be alerted through the application. At this point, users can choose whether they want to traffic from trusted sources or block traffic from untrusted or unrecognized sources.

 

Weekly Executive Summary for Week November 10, 2017

Scanning Phase:

Netdisco: Python 3 library is used to discover local devices and services. This library is used to power Home Assistant; which is an open-source home automation platform that is used to track and control all Internet of Things (IoT) devices at home and automate certain controls.

import time
from netdisco.discovery import NetworkDiscovery

netdis = NetworkDiscovery()

netdis.scan()

for dev in netdis.discover():
print(dev, netdis.get_info(dev))

netdis.stop()

Code snippet that will import the netdisco library and scan a LAN for IoT devices

 

When netdisco scans a network it is using certain requests to test if it is one of many protocols used by IoT devices.

Below are a list of protocols that will be searched for during a scan.

Protocols scanned:

Web OS discovery protocol (LG TVs)
Daikin discovery protocol (HVAC systems)
Logitech Media Server discovery protocol (LMS)
Universal Plug and Play (uPnP)
Plex Media Server discovery protocol (Back-end media server)
mDNS (Multicast Domain Name Service – chromecast, Homekit)
Gdm (Gateway Device Management)
Simple Service Discovery Protocol (SSDP)
Tellstick

The above python script was run on a test network to see what IoT devices could be discovered and to see what data would be provided by the scan.

Discovered devices:
homekit:
[{'host': '192.168.18.162',
'hostname': 'Philips-hue.local.',
'port': 8080,
'properties': {'c#': '5',
'ci': '2',
'ff': '1',
'md': 'BSB002',
'pv': '1.0',
's#': '1',
'sf': '1'}}]

Homekit device was discovered on network; host and port number are  relevant here

samsung_tv:
[{'host': '192.168.18.105',
'model_name': 'Samsung DTV RCR',
'model_number': '1.0',
'name': 'UN55C7000',
'port': 52235,
'ssdp_description': 'http://192.168.18.105:52235/rcr/RemoteControlReceiver.xml'}]

Samsung TV was discovered on network; host: 192.168.18.105 port number: 52235

philips_hue:
[{'host': '192.168.18.162',
'model_name': 'Philips hue bridge 2015',
'model_number': 'BSB002',
'name': 'Philips hue (192.168.18.162)',
'port': 80,
'ssdp_description': 'http://192.168.18.162:80/description.xml'}]

Philips Hue bridge was discovered on network; host: 192.168.18.162 port number: 80

google_cast:
[{'host': '192.168.18.104',
'hostname': '4db2ef75-177c-adc2-ada7-0663cc63489e.local.',
'port': 8009,
'ca': '4101',
'cd': '8312D6CCB6D5822135042D06A8739646',
'fn': 'Bedroom TV',
'ic': '/setup/icon.png',
'id': '4db2ef75177cadc2ada70663cc63489e',
'md': 'Chromecast',
'nf': '1',
'rm': False,
'rs': False,
'st': '0',
've': '05'}}]

Discovered 4 devices

Google Cast was discovered on network; host: 192.168.18.104 port number: 8009

 

As we can see a number of IoT devices can be discovered using netdisco, in this instance a total of four have been discovered on the test network. Below is a list of other devices that can be found using this library.

 

IoT product discovery:
Amazon echo (Voice home assistant)
Arduino (Microcontroller)
Belkin WeMo (Smart plug)
Nest (Smart indoor/outdoor cams)
Philips Hue (Smart lightbulbs)
Wink (Smart Home Hub)
More…

 

To test connectivity to smart devices I used python scripts that are designed to be used as a samsung remote control, the code is available on github and uses Python 3 samsungctl(library for remote controlling Samsung televisions via TCP/IP connections), and websocket-client. I connected to the discovered host for the Samsung TV 192.168.18.105 and sent a KEY signal to power it off. 

 

Once a user has discovered a list of IoT devices on their network they will have the ability to save devices they recognize. These saved devices will be stored in a trusted list which will be monitored for network traffic in other modules of the application. 

 

Weekly Executive Summary for Week November 02, 2017

What has it been dubbed? REMCOS | Remote Control & Surveillance Software

 

 

What does it do?

According to researchers at Fortinet and The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC), Remote Control & Surveillance Software (REMCOS) Remote Administration Tool (RAT) was first discovered being sold in hacking forums in the second half of 2016. It was not until around February of 2017 that researchers at Fortinet observed the payload being distributed in the wild. The malware is being deployed using malicious Microsoft Office documents going by the filenames of Quotation.xls or Quotation.doc, and these are most likely attached to SPAM emails. The malware uses a malicious macro which is designed to bypass Microsoft Windows User Account Control (UAC) security and execute the malware with high privilege.

 

How does it do it?

REMCOS has five main tabs:

  1. Connections – This tab is used to monitor all active connections in the client application, there is also a list of commands that can be initiated on all infected host (shown in the figure below).
  2. Automatic Tasks – This tab will allow the controller of the client to send tasks to the infected host as soon as they connect, this can all be done without the physical presence of the client application.
  3. Local Settings – These are settings for the client side application like which TCP port to listen on and a password can be applied for encryption of network traffic.
  4. Builder – Creates a server binary and can be compressed with UPX or MPRESS which are used for executable file compression.
  5. Event Log – This will give the client information about connections that have happened between the server and an infected client or its hosts.

 

The latest version of REMCOS has the following capabilities:

  • Automatic Tasks
  • Screen Capture
  • Remote Chat
  • File Manager
  • File Search
  • Fully fledged Remote Registry Editor
  • Remote Scripting
  • ScreenLogger
  • Download & Execute function

List of Windows functions commonly used by malware and found in sample:

  • GetProcAddress – Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.
  • GetModuleHandleA – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
  • GetModuleHandleW – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
  • GetModuleHandleExW – Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
  • WideCharToMultiByte – Used to convert a Unicode string into an ASCII string.
  • GetStartupInfoW – Retrieves a structure containing details about how the current process was configured to run, such as where the standard handles are directed.
  • QueryPerformanceCounter – Used to retrieve the value of the hardware-based performance counter. This function is sometimes using to gather timing information as part of an anti-debugging technique. It is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
  • GetTickCount – Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
  • IsDebuggerPresent – Checks to see if the current process is being debugged, often as part oan anti-debugging technique. This function is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
  • LoadLibraryExW – Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
  • OutputDebugStringW – Outputs a string to a debugger if one is attached. This can be used as an anti-debugging technique.
  • CreateFileW – Creates a new file or opens an existing file.

 

Language identified in the PE:

LANG_LITHUANIAN

 

Sample:

dd67accf-b42e-11e7-9674-80e65024849a.file.zip

a38c6f04ad56e8c855ec908221c3da09a2cf8507b345f7e67e480c62e257fd63

 

Conclusion:

Remote Administration Tools (RAT) are not new tools for hackers though this particular tool is advertised to work on all versions of Windows from WinXP to Win10 on both 32-64 bit machines. This could be very dangerous if used in targeted attacks as it encompasses a wide variety of systems and requires very little technical knowledge for attackers. The tool is able to capture a victims screen, download files from the infected system, download and execute other code/software, and much more. Though this tool has been available since 2016, over that time period it has grown and improved at it capabilities, and researchers are only recently observing its use in the wild.

 

Sources:

https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2 (Fortinet)

https://www.cyber.nj.gov/threat-profiles/trojan-variants/remcos (NJCCIC)

Taking advantage of the 4-way handshake

What is the 4-way handshake?

The 4-way handshake is an amendment to the original 802.11 standard to address security problems in WEP, which was implemented as Wi-Fi Protected Access II (WPA2). Method designed so that an access point (AP) or authenticator, and a wireless client or supplicant can individually prove that each other know the PSK or PMK without ever sending the key.

Terms and definitions:

TK – Temporal Key = session “encryption” key

KCK – Key Confirmation Key = session “authentication” key

KEK – Key Encryption Key = session key for encryption keys

4-Way Handshake – 802.11i key management protocol

AP – Access Point (Authenticator)

STA – STAtion – Client (Supplicant)

GTK – Group Temporal Key

ACK – ACKnowledgement

MIC – Message Integrity Code

PTK – Pairwise Transient Key

PSK – Pre-Shared-Key

 

Inputs for key encryption:

ANonce – Authenticator Number used once

Nonce – Number used once

PMK – Pairwise Master Key = session authorization token

SNonce – Supplicant Number used once

AA – Authenticator Address – MAC Address

SA – Supplicant Address – MAC Address

 

Source: Kali Tutorials

How messages are sent:

  1. The Access Point (AP) or the authenticator sends a Authenticator Number used once (ANOnce) to the Client. At this point the STAtion (STA) or the client in this case, has all of the inputs required for the construction of Pairwise Transient Key (PTK) for Unicast encryption keys that will be used in the session.
  2. The STA constructs the PTK and sends its own SNonce to the AP and protects the frame with a Message Integrity Code (MIC) and AP can now calculate the PTK.
  3. The AP constructs and sends the Group Temporal Key (GTK) and a sequence number. A MIC is used to protect this frame and to prevent tampering of the frame.
  4. The STA sends a confirmation to the AP to let it know it is ready for encryption.

The PMK is never transferred across the wireless medium

Brute-force attack against 4-way Handshake:
Aircrack-ng is a complete suite of tools used to assess WiFi network security and will be used to monitor/capture the 4-way handshake and eventually crack the WPA Pre-Shared-Key (PSK).  

First Step (Monitoring):

Airmon-ng is a tool in the aircrack-ng suite that allows you to enable a monitoring mode on a wireless interface. It is best when using this tool to stop network managers and kill interfering processes, this feature is built into the tool and a user will be prompted when running it.

Step Two (Capture Packets):

Airdump-ng is another tool in the aircrack-ng suite that can be used to capture 802.11 frames, this is used to capture the 4-way handshake eventually. Capturing the handshake is essential for the eventual cracking.

Running airdump-ng allows you to capture a devices Basic Service Set Identifier (BSSID) or the media access control address (MAC Address), the channel the device is broadcasting on, what type of encryption is used (WPA2 in this case), the Extended Service Set IDentification (ESSID) of the network or simply the Service Set IDentifier (SSID).  

Step Three (Capture 4-way Handshake):

Users or a single user needs to be bumped of the network so when they reauthenticate the 4-way handshake can be captured. Aireplay-ng is a tool that can be used to deauthenticate users or a single user on the network by jamming the signal. In the example below the deauthentication count is set to 2 and the “-a” or access point is set to the BSSID of the AP.

After a user has been successfully deauthenticated from the network, airdump-ng is used to capture the packets that have the 4-way handshake.   

Now that we have obtained the packet captures and the WPA handshake from the reauthentication of a registered user.

PRO:

  • Stealthier than a technique like phishing  and attacks can be carried out offline.
  • A brute-force attack tends can help to raise less suspicion as the attacks can be done after capturing the handshake.

CON:

  • Not very reliable – Password needs to be in a list or fairly easily guessed
  • Time consuming – This all depends on a system’s resources

Sources:

http://ieee802.org/16/liaison/docs/80211-05_0123r1.pdf (IEEE)

http://www.kalitutorials.net/2014/06/hack-wpa-2-psk-capturing-handshake.html (Kali Tutorials)

Weekly Executive Summary for Week October 13, 2017

What is it? Advanced internet activity logging software | Data stealer

What has it been dubbed? FormBook

What has been affected? Mainly: Aerospace, Defense Contractor, Manufacturing Sector

What does it do?

Infects victims through phishing campaigns that include malicious attachments. These campaigns were mostly targeted at Aerospace, Defense Contractor, and Manufacturing sectors in the U.S. and South Korea. PDFs had malicious download links in them and DOC and XLS files had malicious macros that were primarily targeting the United States, while Archive files  (e.g., Zip, RAR, ACE, and ISOs) contained EXE payloads and were mainly used on the United States and South Korea. The malware used in the campaigns is called FormBook and it is a data stealer that is being sold on hacking forums as Malware-as-a-Service (MaaS). The malware injects itself into various processes and installs function hooks. The malware has capabilities to log keystrokes, clipboard monitoring, grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests, grabbing passwords from browsers and email clients, and screenshots. FormBook has the ability to receive commands from a C2 server like downloading and executing a file, updating a bot on host system, reboot infected system, collect passwords and create a screenshot, and more.

How does it do it?

The FormBook data stealer is available for purchase on hacking forums and has been since 2016. The price of service ranges from $29/week to a $299 – Pro version. A customer of FormBook is paying for access to a panel and then the malware creator will generate executable files as a service this is known as Malware-as-a-Service (MaaS).

Source: FireEye

Source: FireEye

According to researchers at FireEye, FormBook was being distributed through phishing campaigns that we’re targeting Aerospace, Defense Contractor, and Manufacturing Sectors in the United States and South Korea in the last few months. Attackers used a number of distribution mechanisms to deliver FormBook like PDFs that contained download links, DOC  and XLS files that had malicious macros, and Archive files (Zip, Rar, Ace, and ISOs) that contained EXE payloads. PDF/XLS files were mainly used to target the United States, while Archive files were used to target United States and South Korea.

Capabilities of the actual malware include:

  • Key logging
  • Clipboard monitoring
  • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
  • Grabbing passwords from browsers and email clients
  • Screenshots

Commands from the C2 server FormBook can receive:

  • Update bot on host system
  • Download and execute file
  • Remove bot from host system
  • Launch a command via ShellExecute
  • Clear browser cookies
  • Reboot system
  • Shutdown system
  • Collect passwords and create a screenshot
  • Download and unpack ZIP archive

“One of the malware’s most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective.“ (FireEye)

The Command and Control serves domains have been using generic top-level domains (gTLDs) like .site, .website, .info, etc. Domains observed by FireEye have been using WhoisGuard privacy protection service and are being hosted on a Ukrainian hosting provided.

FormBook malware is a self-extracting RAR file that starts at an AutoIt loader. The malware will choose a string to use as a prefix to its installed filename. If the malware is running with elevated privileges it will copy itself to %ProgramFiles% or %CommonProgramFiles%, if it is running with normal user privileges it copies itself to %USERPROFILE%, %APPDATA%, or %TEMP%.  Depending on the infected user’s permissions again, the malware will configure persistence in one of two locations:

  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (HKCU|HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

One of the malicious PDF campaigns found by FireEye was a phishing email disguised as coming from DHL shipping or packaging.   

Source: FireEye

The PDFs contained links to “tny.im” which is a URL-shortening service, which would redirect victims to a staging server that contained FormBook executable downloads.

Conclusion:

Malware-as-a-Service is no new trick in the industry and has been seen by exploit kits like Angler, Neutrino, RIG, Nuclear Pack, and much more. Threat actors will develop exploit kits or various types of malware that users can purchase as a service to exploit their targets. What is different in the case of FormBook is its targeted use and what motive the attackers may have. Espionage of sectors like Aerospace, Defense Contractors, and Manufacturing tend to come from government sponsors actors or nation-states. These types of groups normally have a good deal of resources from their government and a lot of the attack tools are custom made, so it would seem unusual for an attacker at this level to use purchased malware.

FormBook has a long list of capabilities and at a price range of $29  – $299 it is quite affordable to a mass audience. This could prove to be quite dangerous if sold as a  service and used to target essential industries. This is another reminder of how effective phishing emails and how dangerous they can be when used against certain industries. 

Sources:

https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html (FireEye)

https://threatpost.com/formbook-malware-targets-us-defense-contractors-aerospace-and-manufacturing-sectors/128334/ (Threatpost)

Weekly Executive Summary for Week October 06, 2017

What is it? Monero Mining | Crypto-mining

What is affected? [UNPATCHED] Windows Server 2003 R2

What does it do? 

Mining cryptocurrencies is expensive and takes a lot of computing power. Attackers use malware to steal computing resources of computers to make money in digital currency. Malware infected hundreds of Windows web servers, with modified cryptocurrency miner. Attacker made more than $63,000 in Monero (XMR), in three months. Exploited vulnerability in Microsoft IIS 6.0 to install the  modified miner on unpatched Windows servers. Attackers have been infecting unpatched Windows web servers since at least May 2017. Vulnerability exploited (CVE-2017-7269) resides in WebDAV service of Microsoft IIS version 6.0 – the web server in Windows Server 2003 R2. Attackers targeting unpatched machines running Windows Server 2003, making them part of a botnet. Monero uses a proof-of-work algorithm called CryptoNight, which can use computer server CPUs and GPUs, while Bitcoin mining requires specific hardware.

How does it do it?

Monero is a cryptocurrency, users can contribute in solo or pool mining, the Monero miner uses CPU and GPU resources, versus specific hardware that other cryptocurrencies like Bitcoin require. The CPU miner used in these attacks is an open-source CPU miner called xmrig, which was released on May 26, 2017, just two days before the first attacks were seen in the wild. According to researchers at eset, attackers didn’t change much of the original source code for the miner, they just added hardcoded CLI arguments of the attackers mining pool URL, and arguments to kill previously running versions of the miner (if they existed).

Source: eset

The next phase of the attack required the malware to scan devices to see if they were vulnerable to CVE-2017-7269. There were two IP addresses identified as the source of brute-force scans which point to servers hosted on Amazon Web Services cloud. The vulnerability exists in the WebDAV service that is part of Microsoft IIS version 6.0, which is the web server in Windows Server 2003 R2. The bug comes from a buffer overflow in the WebDAV service, this overflow allows remote attackers to execute arbitrary code from a long header that starts with “if: <http://” in a specially crafted PROPFIND request.

Source: Javier  M. Mellid

The exploit is available in metasploit as Microsoft IIS WebDav ScStoragePathFromUrl Overflow, it affects unpatched Windows Server 2003 R2.

The payload is in the form of an alphanumeric string, experts say this wasn’t that sophisticated as online tools like alpha3 can help convert any shellcode into a desired string. Researchers at eset say the shellcode downloads “dasHost.exe” from “hxxt://postgre[.]tk/” into the %TEMP% folder. This is a well-known Windows 2003 exploit that was used by attackers to take advantage of vulnerable servers. 

Source: eset

Conclusion:

There are a number of cryptocurrencies available to, from Bitcoin, Ethereum, Dash, Ripple, LiteCoin, Neo, and much more. Monero is a cryptocurrency that can be extremely attractive to criminals as it provides anonymity, by being a secure, private untraceable currency. By default, Monero transactions have sending and receiving addresses obfuscated as well as all transacted amounts. This type of anonymity can allow attackers to avoid detection and further prosecution by following a financial trail. Attackers used an open-source tool that is available to anyone, xmirg source code was easily manipulated to allow attackers to make a profit from vulnerable servers.

Attackers used a well-known exploit CVE-2017-7269 to exploit vulnerable servers, this isn’t the first time this has been seen in the wild. A cryptocurrency-mining botnet called Adylkuzz took advantage of vulnerable systems using EternalBlue, the exploit was apart of the NSA FuzzBunch leak and took advantage of Windows SMB Server. This is a clear indication that attackers are opportunistic and can use tools that already exist, this requires very little technical knowledge, but as seen by these attacks, criminals are able to make a substantial amount of money from them.

Sources:

https://thehackernews.com/2017/09/windows-monero-miners.html (HackerNews)

https://getmonero.org/get-started/mining/ (Monero)

https://blog.eset.ie/2017/09/28/money-making-machine-monero-mining-malware/ (eset)

https://javiermunhoz.com/blog/2017/04/17/cve-2017-7269-iis-6.0-webdav-remote-code-execution.html (Javier M. Mellid)

Weekly Executive Summary for Week September 29, 2017

What is it? Supply-Chain Malware

What has been affected? CCleaner v5.33.6162 | CCleaner Cloud v1.07.3191 (32-bit version) | Payload 2

What does it do?

The second part of the payload in the CCleaner infection was delivered to a specific list of computers based on local domain names. The predefined list used in the configuration of the C&C(Command and Control) server was designed to find computers inside the networks of major technology companies, like Google, Microsoft, Cisco, Samsung, Intel, and much more, and eventually deliver the second payload. Researchers at Talos (Cisco cyber threat intel), have confirmed that at least 20 machines were infected with this secondary payload, even though Piriform initially stated that none of its customers were affected by this second payload. Kaspersky researchers have claimed that the malware samples have code similarities to a Chinese affiliated APT known as Group 72.

How does it do it?

A series of PHP files were discovered on the attackers C2 (Command and Control) server. A symlink, which is used to make a symbolic link in PHP, was used to redirect all regular traffic that was requesting ‘index.php’, to the ‘x.php’ file (this contained the malicious PHP script).  The C2 server initiated a series of checks to determine if it should proceed with standard operations or redirect to the legitimate Piriform website.

Source: arstechnica

The malicious PHP script compares the infected system that is calling to the C2 server with three values; $DomainList, $IPList, and $HostList. These checks are to determine whether or not the infected system should have the Stage 2 payload delivered.

Source: Talos

The stage 2 installer is named “GeeSetup_x86.dll”, this installer identifies the OS version on the system, and drops either a 32-bit or 64-bit version of the trojan. The 32-bit version uses a trojanized TSMSISrv.dill, which drops VirtCDRDrv, this is the filename of a legitimate executable used by Corel(digital drawing suite). The 64-bit version drops a trojanized EFACli64.dll named SymEFA, which is a filename used by Symantec Endpoint, none of the files dropped are signed.

Source: Avast

 

Using a trojanized binary, attackers can decode and execute a PE (Portable Executable) in the register, this PE performs queries to the C2 servers and executes in-memory PE files. This method makes detection by researchers more difficult, this is because the executable files are never stored on the file system, and are just run through memory.

An encoded PE is put into the following registries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

Kaspersky researchers say that the malware samples examined from the CCleaner infections have code similarities to a threat group known as Group 72. The group has been dubbed a number of aliases; Deep Panda, Axiom, and Shell_Crew, but have been suspected of ties to the Chinese government.

Source: Talos

Researchers at Avast were able to find kill switch to the malware that would work in certain instances. The second stage of the payload checks for a file “%TEMP%\spf”, if this file is found on the system the payload will terminate itself.

Source: Avast

The payload runs in an endless loop, it attempts to communicate with the C2 server, the kill switch can be used to exit this loop. The kill switch is checked after a communication attempt is made, so if the server responds to the request the user has already run the second stage payload which means the kill switch won’t work.

Conclusion:

Piriform’s original statement to its customers was that no customers of the company had been infected with the second stage of the malware. Cisco’s Talos team later confirmed that at least 20 users were infected with the second stage. This is a good example of how companies need to keep up-to-date backups to re-image systems after a compromise. They should always treat a vulnerability in third-party vendors with utmost importance.

Initial examinations of the infections didn’t reveal the full motivation or complexity of the attacks. In-depth research proved that a targeted attack was what the attackers were after, and this proves to be much more dangerous.  

Avast found evidence that attackers initially had trouble with their command and control server. The server was up and running in July, then data gathering started on August 11, but the database didn’t contain data older than September 12. Researchers say the MariaDB database ran out of disk space, even after a user connected and try to free up space on the database, the logs show that the DB experienced major issues. On September 12 a user logged into the server and did a complete reinstall of the database.

Sources:

http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users (Piriform)

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html (Talos)

http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor (Morphisec)

https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident (Avast)

 

Weekly Executive Summary for Week September 22, 2017

What is it? Supply-Chain Malware

What has been affected? CCleaner v5.33.6162 | CCleaner Cloud v1.07.3191 (32-bit version) | 1

What does it do?
CCleaner is an application that allows users to clean temporary files, analyze systems in an effort to optimize performance, and to perform routine maintenance on a device. Attackers were able to modify the CCleaner.exe binary that users were installing from the company Piriform, which was just acquired by Avast on July 18, 2017, a company that provides Antivirus services.

When the 32-bit CCleaner v5.33.6162 was downloaded it contained a malicious payload, that included a two-stage backdoor. The executable was signed by a valid digital signature issued to Piriform by Symantec and is valid until 2018.

The malware has the ability to and has been seen collecting information from infected users systems such as the name of the computer, IP address, list of installed software, list of running processes, list of network adapters, and MAC addresses of network adapters. The collected data is then sent back to a C2(Command and Control) server, that attackers have control of.  The company estimates that the compromised download “may have been used by up to 3% of our users”(Piriform), which would equate to around 3.9 Million users.

Source: Piriform

How does it do it?

Payload Part One: 
The first part of the malware’s payload was hidden in the application’s initialization code called CRT(Common Runtime). The modified code performed actions before the application’s code ran, it decrypted and unpacked hard-coded shellcode(a simple XOR-based cipher was used). The result of this was a DLL(dynamic link library) with a missing MZ header. The DLL was subsequently loaded and executed in an independent thread.  After this is through, normal execution of CRT code and the CCleaner is continued, which means the thread with the payload is run in the background.

Source: Piriform

The code executed within the thread was obfuscated to make its analysis harder. Payload stored information in the Windows registry key
HKLM\SOFTWARE\Piriform\Agomo

TCID function is a timer value used for checking whether to perform certain actions. It records the current system time on the infected system, it delays for 601 seconds, then continues operations, which according to researchers at Cisco Talos, could be a way to avoid analysis systems. The malware will call a function which attempts to ping 224.0.0.0 using a delay_in_seconds timeout set to 601 seconds, it then checks the system time to see if it has been 600 seconds if the condition is not met the malware will terminate.

Source: Talos

The malware will then try to determine what the privileges are of the infected user if the current user running the malicious processes is not an administrator the malware will terminate.

Source: Talos

Though if the victim does have administrative privileges the malware will read the value of “InstallID” which is stored in HKLM\SOFTWARE\Piriform\Agomo:MUID. Once the earlier task have been completed the malware will gather information on the system which is eventually sent to a C2 server. The data collected is encrypted and then encoded using modified Base64.

Source: Talos

Continue to second payload

Conclusion:
Supply chain style attacks seem to be becoming a trend among attackers. Just last week ten malicious packages we’re found in PyPI(Python Package Index), which is a huge index of repositories for software for the Python programming language. The attackers used a technique called typosquatting, which allowed them to use their own malicious code by using misspelled words that closely relate to legitimate packages (e.g., acqusition instead of acquisition). Another example is the dispersion of the NotPetya ransomware through MeDoc update servers, in June 2017. These type of attacks are extremely dangerous as they take advantage of the trust users have between these systems.

If you are able to spread malware through a dispersion source, like package manager, update server, or through packaged software downloads you wouldn’t have to go out looking for targets, you could filter what you have. The malware seems to be highly sophisticated in its evasion techniques, to avoid detection by analysis/debugging by researchers. This is a strong indication that the attackers behind the malware have an abundance of resources, hinting toward a nation state actor.

Sources:
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users (Piriform)
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html (Talos)

Weekly Executive Summary for Week September 15, 2017

What is it? Botnet

What has it been dubbed? Mirai

What does it do?

The malware was designed to infect vulnerable IoT devices, which would later be used to launch enormous DDoS attacks. Mirai launches large scans of IP addresses to detect which IoT devices are internet accessible. Mirai uses dictionary attacks to gain admin access to devices, from a hardcoded list in its source code, these combinations are usually factory or default username and password combinations.

The botnet has the ability to launch HTTP floods, and numerous attacks in both the Transport and Network layers of the OSI model. Mirai contains a hardcoded list of IPs that Mirai bots will avoid when performing IP scans, these addresses belong to organizations like the US Postal Service, the Department of Defense, Internet Assigned Numbers Authority(IANA), HP, and General Electric.

Mirai contains a function to search for and destroy other worms or Trojans that may exist on infected infected devices, like the Anime malware which also infects IoT devices.

The largest attacks due to the malware include the DDoS(Distributed Denial of Service) on September 20, 2016 on security journalist Brian Krebs website, and the attack on October 21, 2016 that was targeted at DNS provider Dyn. The Dyn attacks resulted in an array of large corporations being affected like Amazon, HBO, Netflix, Twitter, Verizon Communications, and much more.

How does it do it?

Mirai scans for random IP addresses on the internet in an attempt to connect and take control of vulnerable IoT devices that use default credentials. The malware will use a brute force attempt (dictionary attack), to gain admin control of infected devices.

Default credentials list (username – password)

These attempted connections are through ports 7547/5555(TCP/UDP), 22(SSH), and 23(Telnet). Once the malware has infected enough device to create it’s botnet, which many of these infections in 2016 were seen from countries like Vietnam, Brazil, United States, China, etc. the malware has the ability to launch a number of DDoS attacks.

Mirai has the ability to launch HTTP flood attacks, which is a type of DDoS attack which exploits HTTP GET and POST requests to attack a web server or application, this is done through a flood of the web requests. Another type of attack that Mirai utilizes is a SYN-ACK flood attack, which involves sending a spoofed SYN-ACK packet at a high rate to a targeted server.

The botnet also uses STOMP (Simple Text Oriented Message Protocol) floods, this is a simple text-based protocol, very similar to HTTP. The attack works by first opening an authenticated TCP handshake with a targeted device, then a spoofed STOMP TCP request, then a flood of fake STOMP request leads to network instability.  

Mirai bots are programmed to not scan a hardcoded list of IP addresses, these addresses belong to companies like General Electric, HP, IANA, DoD, and the US Postal Service.

List of unscanned IPs

Source: incapsula

Mirai also attempts to search for and destroy any other Trojans and worms that may be infecting the targeted system. It will locate and kill any processes from memory that are known to be used by other botnets. One of these well known IoT targeted malware “Anime”, is searched for and destroyed using the following function.

Function used to locate and kill anime malware

Conclusion:

Though this botnet has become a bit aged, it is worth noting that IoT devices remain just as vulnerable as they have been in the past. Many vendors release these devices with hardcoded credentials(embedded in firmware), that may never be updated. Recent attack vector “Bluebourne” could allow attackers to exploit bluetooth vulnerabilities to run remote code, which could allow for further spreading of malware.

The source code of the Mirai botnet was released on a well known hacker forum, and researchers say that attackers will do this to “muddy the waters” and try and lead researchers away from their trail. With the code publicly available other attackers could make changes/variants and it is harder to detect the origin of original infection.

IoT devices aren’t going away, and more and more devices are popping up every day. Though, through the rapid increase in the development of these devices, security seems to be lackluster, to say the least. This type of attack is done with little to no awareness from infected users, and we’ve actually seen the devastating effects these types of botnets can have on a company’s infrastructure.

Sources:

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html (incapsula)

http://www.zdnet.com/article/mirai-botnet-attack-hits-thousands-of-home-routers-throwing-users-offline/ (zdnet)

https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (symantec)