SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center - Cooperative Cyber Security Monitor

Published: Thu, 25 May 2017 06:13:32 GMT

Last Build Date: Thu, 25 May 2017 06:25:06 +0000

Copyright: (C) SANS Institute 2017

Critical Vulnerability in Samba from 3.5.0 onwards, (Thu, May 25th)

Thu, 25 May 2017 06:13:32 GMT

Developers of Samba[1] disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that enables interoperability between UNIX and Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.

As reported by HD Moore on his Twitter account[2], it's trivial to trigger the vulnerability (just a one-liner exploit). An attacker has to find an open SMB share (TCP/445), [...]

A workaround is to add

    nt pipe support = no

to the [global] section of your smb.conf and restart smbd.
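As an added example (not code from the diary or from the Samba project), this Python script checks whether an smb.conf already carries the workaround in its [global] section and inserts it when it does not. It assumes Samba's parameter matching, which ignores case and whitespace in parameter names; the SAMPLE_CONF it contains is constructed.

```python
"""Check an smb.conf for the 'nt pipe support = no' workaround and add it when missing.
Added example, not from the ISC diary or the Samba project; assumes Samba's matching of
parameter names, which ignores case and internal whitespace ('NTPipeSupport' works too)."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<val>.*?)\s*$")
def _norm(key: str) -> str:
    return re.sub(r"\s+", "", key).lower()  # 'NT Pipe Support' -> 'ntpipesupport'

def global_params(conf_text: str) -> dict:
    """Parameters of the [global] section, keyed by normalised name, values lower-cased."""
    params, in_global = {}, False
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank line or comment
        sec = SECTION_RE.match(line)
        if sec:
            in_global = sec.group("name").strip().lower() == "global"
            continue
        par = PARAM_RE.match(line)
        if in_global and par:
            params[_norm(par.group("key"))] = par.group("val").lower()
    return params

def nt_pipe_support_disabled(conf_text: str) -> bool:
    """True when [global] disables NT pipes (Samba reads no/false/0 as boolean false)."""
    return global_params(conf_text).get("ntpipesupport") in ("no", "false", "0")

def apply_workaround(conf_text: str) -> str:
    """Return conf_text with 'nt pipe support = no' in [global], replacing any other value."""
    if nt_pipe_support_disabled(conf_text):
        return conf_text
    out, done = [], False
    for line in conf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec and sec.group("name").strip().lower() == "global":
            out += [line, "   nt pipe support = no"]
            done = True
            continue
        par = PARAM_RE.match(line)
        if par and _norm(par.group("key")) == "ntpipesupport":
            continue  # drop a conflicting setting wherever it appears
        out.append(line)
    if not done:  # no [global] section at all: create one at the top
        out = ["[global]", "   nt pipe support = no", ""] + out
    return "\n".join(out) + "\n"

# Constructed sample config, assumed to resemble what a NAS or small server ships with.
SAMPLE_CONF = "[global]\n   workgroup = WORKGROUP\n[public]\n   path = /srv/share\n"
```

Run it against a copy of the real file and diff the result before restarting smbd; the check only covers the workaround, not whether the installed Samba version is patched.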

Samba is a very popular tool used on many corporate networks; it is also a core component in many residential products like NAS devices. Many vendors could be affected (Synology, WD, QNAP, D-Link, ...). Some vendors like Synology[5] have already communicated about this issue and are working on a patch, but others might take more time to react. Home users do not patch their products, and many NAS devices could remain vulnerable for a long time.

As always, if you are exposing writable SMB shares to your users, be sure to restrict access to authorised people/hosts and do NOT share data across the Internet. There is a risk that bad guys are already scanning the whole Internet.


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC Stormcast For Thursday, May 25th 2017, (Thu, May 25th)

Thu, 25 May 2017 00:00:09 GMT


ISC Stormcast For Wednesday, May 24th 2017, (Wed, May 24th)

Wed, 24 May 2017 00:25:03 GMT


Jaff ransomware gets a makeover, (Wed, May 24th)

Wed, 24 May 2017 00:05:29 GMT

Introduction

Since 2017-05-11, a new ransomware named Jaff has been distributed through malicious spam (malspam) from the Necurs botnet. This malspam uses PDF attachments with embedded Word documents containing malicious macros.

(Image: Flow chart for this infection chain.)

Prior to Jaff, we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push Locky ransomware. Prior to that, this type of malspam was pushing Dridex. With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. With that in mind, today's diary reviews a wave of malspam pushing Jaff ransomware from Tuesday 2017-05-23.

The emails

This specific wave of malspam used a fake invoice theme. It started on Tuesday 2017-05-23 as early as 13:22 UTC and lasted until sometime after 20:00 UTC. I collected 20 emails for today.

(Image: Screenshot from one of the emails.)

As stated earlier, these emails all have PDF attachments, and each one contains an embedded Word document.

(Image: The embedded Word document with malicious macros.)

The traffic

Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string "I6cqcYo7wQ". Post-infection traffic merely returns the string "Created".

(Image: Alerts on the traffic using Security Onion with Suricata and the EmergingThreats Open ruleset.)

The infected Windows host

The encoded binary from this wave of malspam was stored to the user's AppData\Local\Temp directory as lodockap8. Then it was decoded and stored as levinsky8.exe in the same directory.

(Image: The user's AppData\Local\Temp directory from an infected host on 2017-05-23.)

On Tuesday 2017-05-23, Jaff ransomware had a makeover.

(Image: Desktop of a Windows host infected with a Jaff ransomware sample from 2017-05-23.)

Encrypted files had previously been appended with the .jaff file extension. On Tuesday 2017-05-23, encrypted files from my infected host were appended with a .wlu file extension.

(Image: Jaff decryptor from a Windows host infected on 2017-05-23.)
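The XOR encoding described above, as an added example that is not code from the diary: decoding a downloaded blob with the repeating key "I6cqcYo7wQ" and checking for the MZ header that the decoded levinsky8.exe would carry. The sample bytes are constructed, not a real Jaff binary.

```python
"""Decode a Jaff download that the diary reports was XORed with the ASCII key 'I6cqcYo7wQ'.
Added example, not code from the ISC diary; the sample bytes below are constructed."""
from itertools import cycle
from typing import Optional

JAFF_XOR_KEY = b"I6cqcYo7wQ"  # key reported in the diary for the 2017-05-23 wave

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows executable starts with the 'MZ' DOS stub."""
    return data[:2] == b"MZ"

def decode_jaff_download(encoded: bytes, key: bytes = JAFF_XOR_KEY) -> Optional[bytes]:
    """Return the decoded binary when XOR with key yields a PE header, else None.
    On an infected host this is the step from 'lodockap8' to 'levinsky8.exe'."""
    decoded = xor_repeating(encoded, key)
    return decoded if looks_like_pe(decoded) else None

# Constructed stand-in for the encoded download: a fake MZ header and DOS stub text,
# XORed with the key so that decode_jaff_download() has something realistic to undo.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
ENCODED_SAMPLE = xor_repeating(FAKE_PE, JAFF_XOR_KEY)

if __name__ == "__main__":
    result = decode_jaff_download(ENCODED_SAMPLE)
    print("decoded to a PE image" if result else "key did not yield a PE header")
```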
Indicators of Compromise (IoCs)

The following are examples of email subject lines and attachment names from Tuesday 2017-05-23: [...]

What did we Learn from WannaCry? - Oh Wait, We Already Knew That!, (Tue, May 23rd)

Tue, 23 May 2017 14:59:46 GMT

In the aftermath of last week's excitement over the WannaCry malware, I've had a lot of "lessons learned" meetings with clients. The results are exactly what you'd expect, but in some cases came as a surprise to the organizations we met with. There was a whole outcry about not "victim shaming" during and after this outbreak, and I get that, but in most cases infections were process failures that the IT group didn't know they had; these lessons learned sessions have contributed to improving the situation at many organizations. The short list is below - affected companies had one or more of the issues below:

1/ Patch

Plain and simple, when vendor patches come out, apply them. In a lot of cases, Patch Tuesday means Reboot Wednesday for a lot of organizations, or worst case Reboot Saturday. If you don't have a "test the patches" process, then in a lot of cases simply waiting a day or two (to let all the early birds test them for you) will do the job. If you do have a test process, in today's world it truly needs to take 7 days or less.

There are some hosts that you won't be patching. The million dollar MRI machine, the IV pump or the 20 ton punch press in the factory for instance. But you know about those, and you've segmented them away (in an appropriate way) from the internet and your production assets. This outbreak wasn't about those assets; what got hammered by WannaCry was the actual workstations and servers: the hospital stations in admitting and emergency room, the tablet that the nurse enters your stats into and so on. Normal user workstations that either weren't patched, or were still running Windows XP.

That being said, there are always some hosts that can be patched, but can't be patched regularly. The host that's running active military operations for instance, or the host that's running the call center for flood/rescue operations, e-health or suicide hotline. But you can't just give up on those - in most cases there is redundancy in place so that you can update half of those clusters at a time. If there isn't, you do still need to somehow get them updated on a regular schedule.

Lesson learned? If your patch cycle is longer than a week, in today's world you need to revisit your process and somehow shorten it up. Document your exceptions, put something in to mitigate that risk (network segmentation is a common one), and get Sr Management to sign off on the risk and the mitigation.

2/ Unknown Assets are waiting to Ambush You

A factor in this last attack was hosts that weren't in IT's inventory. In my group of clients, what this meant was hosts controlling billboards or TVs running ads in customer service areas (the menu board at the coffee shop, the screen telling you about retirement funds where you wait in line at the bank and so on). If this had been a Linux worm, we'd be talking about projectors, TVs and access points today. One and all, I pointed those folks back to the Critical Controls list. In plain English, the first item is "know what's on your network" and the second item is "know what is running on what's on your network". If you don't have a complete picture of these two, you will always be exposed to whatever new malware (or old malware) tests the locks at your organization.

3/ Watch the News

.... And I don't mean the news on TV. Your vendors (in this case Microsoft) have news feeds, and there are a ton of security-related news sites, podcasts and feeds (this site is one of those, our StormCast podcast is another). Folks that watch the news knew about this issue starting back in 2015, when Microsoft started advising us to disable SMB1, then again last year (2016) when Microsoft posted their "We're Pleading with you, PLEASE disable SMB1" post.

We knew specifically about the vulnerabilities used by WannaCry in January when the Shadowbrokers dump happened, we knew again when the patches were released in March, and we knew (again, much more specifically[...]

ISC Stormcast For Tuesday, May 23rd 2017, (Tue, May 23rd)

Tue, 23 May 2017 01:00:05 GMT


Investigating Sites After They are Gone; And a Case of Uber Phishing With SSL, (Mon, May 22nd)

Mon, 22 May 2017 20:53:02 GMT

A reader sent us an interesting find of a phishing site that is going after Uber credentials. Uber credentials are often stolen and resold to obtain free rides. One method by which the credentials are stolen is phishing. The latest example uses convincing-looking Uber receipt emails. These emails feature a prominent link to [...]

The site then requests the user's Uber credentials to log in. Overall, the site uses the expected Uber layout. But more: the site uses a valid SSL certificate.

Turns out that the site was hosted behind a Cloudflare proxy. Cloudflare does issue free SSL certificates, and just like most certificate authorities, it only requires proof of domain ownership to obtain this service. This does make it more difficult to distinguish a fake site from the real thing.

Now by the time I started to investigate this, the original site was already taken down. But there was still some evidence left to see what happened. First of all, passive DNS databases did record the IP address of the site, which pointed to Cloudflare. Secondly, when searching certificate transparency logs, it was clear that a certificate for this site was issued to Cloudflare. Like all Cloudflare certificates, the certificate was valid for a long list of hostnames hosted by Cloudflare. Sadly, it looks like whois history sites like DomainTools have no record of the site, so we do not know exactly when it was registered, but likely just before the domain started to get used.

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


ISC Stormcast For Monday, May 22nd 2017, (Mon, May 22nd)

Mon, 22 May 2017 00:20:03 GMT


Typosquatting: Awareness and Hunting, (Sat, May 20th)

Sat, 20 May 2017 06:01:52 GMT

Typosquatting has been used for years to lure victims. You receive an email or visit a URL with a domain name which looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain look like the official one. The problem is that the human brain will automatically correct what you see, and you think that you are visiting the right site. I remember that the oldest example of typosquatting that I saw was [...]. Be honest, at first, you read [...], right? This domain was registered in 1997 but it has been taken back by Microsoft for a while. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes it's difficult to detect rogue domains due to the font used to display them: an l looks like a 1, or a 0 looks like an O.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials; there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let's put the malware aside and focus on the domain name that was used: [...] (a double L). A quick check reveals that this domain is hopefully owned by DHL (not DHL Express but the Deutsche Post DHL [...]):

    Domain Name:
    Registry Domain ID: 123181256_DOMAIN_COM-VRSN
    Registrar WHOIS Server:
    Registrar URL:
    Updated Date: 2016-09-23T04:00:10-0700
    Creation Date: 2004-06-22T00:00:00-0700
    Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
    Registrar: MarkMonitor, Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email:
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientUpdateProhibited
    Domain Status: clientTransferProhibited
    Domain Status: clientDeleteProhibited
    Registry Registrant ID:
    Registrant Name: Deutsche Post AG
    Registrant Organization: Deutsche Post AG
    Registrant Street: Charles-de-Gaulle-Strasse 20
    Registrant City: Bonn
    Registrant State/Province: -
    Registrant Postal Code: 53113
    Registrant Country: DE
    Registrant Phone: +49.22818296701
    Registrant Phone Ext:
    Registrant Fax: +49.22818296798
    Registrant Fax Ext:
    Registrant Email:
    Registry Admin ID:
    Admin Name: Domain Administrator
    Admin Organization: Deutsche Post AG
    Admin Street: Charles-de-Gaulle-Strasse 20
    Admin City: Bon
    Admin State/Province: -
    Admin Postal Code: 53113
    Admin Country: DE
    Admin Phone: +49.22818296701
    Admin Phone Ext:
    Admin Fax: +49.22818296798
    Admin Fax Ext:
    Admin Email:
    Registry Tech ID:
    Tech Name: Technical Administrator
    Tech Organization: DHL
    Tech Street: 8701 East Hartford Drive
    Tech City: Scottsdale
    Tech State/Province: AZ
    Tech Postal Code: 85255
    Tech Country: US
    Tech Phone: +1.4089616666
    Tech Phone Ext:
    Tech Fax: -
    Tech Fax Ext:
    Tech Email:
    Name Server:
    Name Server:
    DNSSEC: unsigned

The zone is also hosted on the DHL name servers. That's a good point that DHL registered potentially malicious domains but... if you do this, don't only park the domain, go further and really use it! It's not because the domain has been registered by the official company that bad guys cannot abuse it to send spoofed emails. First point: [...] or [...] do not resolve to an IP address. If you register such domains, create a website, make them point to it and log who's visiting th[...]
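An added example, not from the diary, of the hunting side: generating the swap/replace/add/omit variants the diary describes (plus doubled letters and confusable glyphs) for a brand domain, then filtering a list of observed domains down to look-alikes. The OBSERVED list is constructed, and dhl.com stands in for the brand because the diary's actual domain is not shown on this page.

```python
"""Generate typosquat candidates for a brand domain and hunt for look-alikes in a list of
observed domains (mail logs, CT log names, proxy logs). Added example, not part of the ISC
diary; it covers the diary's swap/replace/add/omit techniques plus doubled letters and
visually confusable glyphs. The observed domains below are constructed for the demo."""
import string

# Glyph pairs the eye conflates, as the diary notes (an l looks like a 1, a 0 like an O).
CONFUSABLES = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"], "1": ["l"],
               "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"]}

def typosquat_candidates(domain: str) -> set:
    """All one-edit look-alikes of domain, keeping the original TLD; excludes domain itself."""
    label, dot, tld = domain.lower().rpartition(".")
    if not dot:                       # bare label without a TLD
        label, tld = tld, ""
    n, variants = len(label), set()
    for i in range(n - 1):            # swap two adjacent letters
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])          # omit a letter
        variants.add(label[:i] + label[i] + label[i:])   # double a letter (dhl -> dhll)
        for ch in string.ascii_lowercase:
            variants.add(label[:i] + ch + label[i + 1:])  # replace a letter
            variants.add(label[:i] + ch + label[i:])      # add a letter
    for ch in string.ascii_lowercase:
        variants.add(label + ch)                          # add a letter at the end
    for src, alts in CONFUSABLES.items():                 # confusable glyphs
        if src in label:
            for alt in alts:
                variants.add(label.replace(src, alt))     # every occurrence
                variants.add(label.replace(src, alt, 1))  # first occurrence only
    variants.discard(label)
    suffix = "." + tld if tld else ""
    return {v + suffix for v in variants if v}

def is_lookalike(candidate: str, brand: str) -> bool:
    """True when candidate is one edit away from brand under the rules above."""
    return candidate.lower() in typosquat_candidates(brand)

def hunt(observed, brand: str) -> list:
    """Filter observed domains down to sorted look-alikes of brand."""
    return sorted({d.lower() for d in observed if is_lookalike(d, brand)})

# Constructed observations: a doubled-L variant like the one the diary discusses, plus noise.
OBSERVED = ["dhl.com", "dhll.com", "dh1.com", "dlh.com", "example.org", "dhl-express.com"]
```

Hits such as dhll.com still need a whois or DNS check, as the diary does, to tell a brand-owned defensive registration from a rogue one.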

ISC Stormcast For Friday, May 19th 2017, (Fri, May 19th)

Fri, 19 May 2017 02:25:03 GMT
