Malware Devil

Thursday, October 1, 2020

AR20-275A: MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA

Original release date: October 1, 2020

Description


Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as SlothfulMedia, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP).

The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10303705-1.v1.stix.

Submitted Files (1)

64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273 (448838B2A60484EE78C2198F2C0C9C…)

Additional Files (2)

4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa (wHPEO.exe)

927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae (mediaplayer.exe)

Domains (1)

sdvro.net

Findings

64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273

Tags

bot
dropper
information-stealer
keylogger
remote-access-trojan
trojan

Details
Name 448838B2A60484EE78C2198F2C0C9C85
Size 117760 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 448838b2a60484ee78c2198f2c0c9c85
SHA1 f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
SHA256 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
SHA512 9e532af06e5f4764529211e8c5c749baa7b01c72f11b603218c3c08d70cf1e732f8d9d81ec257ca247aaa96d1502150a2f402b1b3914780b6344222b007dd53f
ssdeep 3072:PGA5q4Xmco7ciR7BiU+q+TESaiQ4RHpxJdW:O0qtUYBiU+qRiQy
Entropy 6.156007
Antivirus
BitDefender Dropped:Generic.Malware.Fdldg.B04B59A4
Comodo TrojWare.Win32.ButeRat.PP
Emsisoft Dropped:Generic.Malware.Fdldg.B04B59A4 (B)
Ikarus Trojan-PWS.Win32.Zbot
Lavasoft Dropped:Generic.Malware.Fdldg.B04B59A4
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-29 10:19:52-04:00
Import Hash 3e935061f369e95ac9d62c7cbdf4acf1
PE Sections
MD5 Name Raw Size Entropy
502dceaf120f990b5118230438102568 header 1024 2.390635
1ec70611505f1cebfc859820b45b6cc3 .text 39424 6.506891
dfebe81d71d56100ac07b85046f07b77 .rdata 12288 4.988754
06f5259aac1a4462eaf12334dc0e8daf .data 59392 6.004077
c2d6c399730fd89b16d2b6d6cec5e393 .rsrc 512 5.105006
1587227ab56ecfb9c5b85aaf24d98454 .reloc 5120 3.993742
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
64d78eec46… Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
64d78eec46… Connected_To sdvro.net
64d78eec46… Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
Description

This file is a 32-bit Windows executable. When executed, it drops a file called ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) into the path %AppData%\Media. A link file called ‘media.lnk’ is also placed in this path. A third file is placed in the path %TEMP% and given a random five-character name with an ‘.exe’ extension, e.g. ‘wHPEO.exe’ (4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa). This file is created with the ‘hidden’ attribute to ensure that it is not visible to the user.

Next, the program will create a service on the system called “TaskFrame” with the following parameters:

— Begin Service Parameters —
HKLM\System\CurrentControlSet\Services\TaskFrame    Type: 272
HKLM\System\CurrentControlSet\Services\TaskFrame    Start: 2
HKLM\System\CurrentControlSet\Services\TaskFrame    ErrorControl: 1
HKLM\System\CurrentControlSet\Services\TaskFrame    ImagePath: C:\Users\<user>\AppData\Roaming\Media\mediaplayer.exe
HKLM\System\CurrentControlSet\Services\TaskFrame    DisplayName: TaskFrame
HKLM\System\CurrentControlSet\Services\TaskFrame    ObjectName: LocalSystem
— End Service Parameters —

This service is used to create persistence on the system and is designed to start the ‘mediaplayer.exe’ (927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae) program each time the system is started.

Next, the program will collect system information to send to the command and control (C2). A unique identifier is created and sent in a POST request along with a Unix timestamp of the time of infection to the domain www[.]sdvro.net. Connection attempts are made via both HTTP and HTTPS. The following is a sample of the POST request:

— Begin POST Request —
POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1
Accept: application/octet-stream,application/xhtml
Content-Length: 436
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75
Host: www[.]sdvro.net
Connection: Keep-Alive
Cache-Control: no-cache

— End POST Request —

The domain did not resolve to an IP address at the time of analysis. Note: The malware uses the fixed User-Agent string, “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75” in its communication.
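As an added example (not part of the MAR), the following Python checks a constructed tab-separated proxy log for the three network indicators described above: the C2 domain, the fixed User-Agent, and the POST /v?m=…&i=<Unix time> beacon shape. The log format, the 12-character length of the m parameter and the severity scheme are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Network indicators from the MAR: C2 domain, fixed User-Agent, beacon URL shape.
C2_DOMAIN = "sdvro.net"
FIXED_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/68.0.3440.75")
# Observed beacon: POST /v?m=<identifier>&i=<Unix time of infection>.
# The 12-character lowercase identifier is generalised from the one sample
# in the report and is an assumption.
BEACON_RE = re.compile(r"^/v\?m=([a-z0-9]{12})&i=(\d{9,10})$")
EARLIEST_SANE_EPOCH = 1546300800  # 2019-01-01T00:00:00Z (samples compiled in 2019)


def parse_line(line):
    """Split one line of the constructed tab-separated proxy log:
    time, client, method, host, path, status, user_agent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "client": fields[1], "method": fields[2],
            "host": fields[3].lower(), "path": fields[4],
            "status": fields[5], "ua": fields[6]}


def classify(rec):
    """Return the list of report indicators one parsed request matches."""
    reasons = []
    host = rec["host"]
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        reasons.append("c2-domain")
    m = BEACON_RE.match(rec["path"])
    if rec["method"] == "POST" and m:
        infected = int(m.group(2))
        # i is the infection time: reject values that are not a plausible
        # epoch or that lie in the future relative to the log entry.
        if EARLIEST_SANE_EPOCH <= infected <= rec["time"].timestamp() + 300:
            reasons.append("beacon-shape")
    if rec["ua"] == FIXED_UA:
        reasons.append("fixed-user-agent")
    return reasons


def severity(reasons):
    """Assumed triage scheme: the domain or two independent indicators are
    high; the beacon shape alone is medium; the User-Agent alone is low,
    because real Chrome 68 clients also sent that exact string."""
    if "c2-domain" in reasons or len(reasons) >= 2:
        return "high"
    if "beacon-shape" in reasons:
        return "medium"
    return "low" if reasons else None


def analyze_proxy_log(text):
    """Return (line_no, client, severity, reasons) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        sev = severity(reasons)
        if sev:
            hits.append((n, rec["client"], sev, reasons))
    return hits


# Constructed log. Line 1 mirrors the report's sample beacon (status 0: the
# domain did not resolve); the other hosts and clients are invented.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2020-08-31T21:13:40Z", "10.0.0.15", "POST", "www.sdvro.net",
     "/v?m=u2fssrqh8cl0&i=1598908417", "0", FIXED_UA),
    ("2020-08-31T21:14:02Z", "10.0.0.22", "GET", "www.example.com",
     "/index.html", "200", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0.4183.83"),
    ("2020-08-31T21:15:10Z", "10.0.0.31", "POST", "cdn.example.net",
     "/v?m=abc123def456&i=1598908500", "200", FIXED_UA),
    ("2020-08-31T21:16:00Z", "10.0.0.40", "POST", "api.example.org",
     "/v?m=u2fssrqh8cl0&i=99", "200", "curl/7.68.0"),
    ("2020-08-31T21:17:00Z", "10.0.0.52", "GET", "www.example.com",
     "/news", "200", FIXED_UA),
])

if __name__ == "__main__":
    for line_no, client, sev, reasons in analyze_proxy_log(SAMPLE_LOG):
        print(f"line {line_no} {client}: {sev} {reasons}")
```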

The following notable strings were found in unreferenced data within the file. The purpose of the strings could not be determined. The strings are not used by the code.

— Begin Notable Strings —
C:\Users\david\AppData\Roaming\Media\mediaplayer.exe
david-pc
— End Notable Strings —

sdvro.net

Tags

command-and-control

Ports
  • 80 TCP
  • 443 TCP
HTTP Sessions
  • POST /v?m=u2fssrqh8cl0&i=1598908417 HTTP/1.1
    Accept: application/octet-stream,application/xhtml
    Content-Length: 436
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75
    Host: www.sdvro.net
    Connection: Keep-Alive
    Cache-Control: no-cache


Whois

Domain Name: SDVRO.NET
Registry Domain ID: 2371496862_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.west263.com
Registrar URL: http://www.west.cn/
Updated Date: 2020-03-31T08:26:43Z
Creation Date: 2019-03-21T07:42:43Z
Registry Expiry Date: 2021-03-21T07:42:43Z
Registrar: Chengdu West Dimension Digital Technology Co., Ltd.
Registrar IANA ID: 1556
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
DNSSEC: unsigned

Domain Name: sdvro.net                
Registry Domain ID: whois protect
Registrar WHOIS Server: whois.west.cn
Registrar URL: www.west.cn
Updated Date: 2019-03-21T07:42:42.0Z
Creation Date: 2019-03-21T07:42:42.0Z
Registrar Registration Expiration Date: 2021-03-21T07:42:42.0Z
Registrar: Chengdu west dimension digital technology Co., LTD
Registrar IANA ID: 1556
Reseller:
Domain Status: ok http://www.icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: Chengdu
Registrant State/Province: Sichuan
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CN
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Admin ID: Not Available From Registry
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: Chengdu
Admin State/Province: Sichuan
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: CN
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Registry Tech ID: Not Available From Registry
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: Chengdu
Tech State/Province: Sichuan
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: CN
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext:
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext:
Tech Email: link at https://www.west.cn/web/whoisform?domain=sdvro.net
Name Server: ns3.myhostadmin.net
Name Server: ns4.myhostadmin.net
DNSSEC: signedDelegation

Relationships
sdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This domain did not resolve to an IP address at the time of analysis.

927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae

Tags

remote-access-trojan

Details
Name mediaplayer.exe
Size 46080 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9f23bd89694b66d8a67bb18434da4ee8
SHA1 db8c6ea90b1be5aa560bfbe5a34577eb284243af
SHA256 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
SHA512 72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4a05981425574c5b
ssdeep 768:NRw4PZcMc8ie9+dZL6DSKdzxSGyCevVcxjw3e3PxKfRXAxo3vhxfFORpa9sxw:NRwaBiU+dZODSKeGHSaxjw3QUfRH/hx7
Entropy 6.320571
Antivirus
BitDefender Gen:Variant.Fugrafa.6689
Emsisoft Gen:Variant.Fugrafa.6689 (B)
Lavasoft Gen:Variant.Fugrafa.6689
Symantec Heur.AdvML.B
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2019-04-29 10:18:34-04:00
Import Hash db182005fc9fccab434ec0764ea5a244
Company Name Tdl Corporation
File Description Local Security Process
Internal Name None
Legal Copyright Copyright (C) 2018
Original Filename None
Product Name Tdl Corporation
Product Version 1.0.0.1
PE Sections
MD5 Name Raw Size Entropy
faf4cd402ffdb84551c382ea45f2f893 header 1024 2.514929
7e3095c827af75a349f3c206925932cd .text 31232 6.493665
614ccbacb5de6dae94b6af93aa5a83fc .rdata 8192 5.232371
543ffbd535401feb9f37c585d9f161f3 .data 1536 4.679413
7c1584feb039309d7a4307c39adaa54f .rsrc 1024 2.333786
79345fb74e56359cd6eb957ceb52e0ab .reloc 3072 4.519356
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
927d945476… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This file is a 32-bit Windows executable that is dropped and executed by 448838B2A60484EE78C2198F2C0C9C85. The file is called ‘mediaplayer.exe’. When executed, it looks for a file called ‘Junk9’ and attempts to delete it. The file ‘Junk9’ was not available for analysis. Next, it takes a screenshot of the user’s desktop, names it ‘Filter3.jpg’ and stores it in the local directory. The program then looks for a service called ‘TaskFrame’ and attempts to start it. The ‘TaskFrame’ service is able to delete, add, or modify registry keys, and to start and stop a keylogger program on the system. If the ‘TaskFrame’ service is already installed and running, the program terminates.

The malware will create a mutex on the system called ‘Global\mukimukix’. The program changes the proxy configuration of the system with the following registry modifications:

— Begin Registry Modification —
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Name: ProxyBypass    Value: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Name: IntranetName    Value: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Name: UNCAsIntranet    Value: 1
— End Registry Modification —

The program collects the computer name, user name, OS version, adapter information, memory usage, and logical drives for the system. This information is concatenated into a string that is hashed and sent as part of the initial POST request to the C2. The program will expect to receive a ‘200 OK’ response from the C2 before it begins transmission. If it receives a ‘501 Error’ the program sleeps for three seconds and attempts another connection. If the initial connection to the C2 is successful, the program will await a command. The program is capable of executing the following tasks from commands issued by the C2:

— Begin Program Capabilities —

1. Create, Write, and Delete files.
2. Open a Command Line.
3. Move Files.
4. Enumerate Open Ports.
5. Enumerate Drives.
6. Enumerate Processes by ID, Name, or Privileges.
7. Start and Stop Processes.
8. Enumerate Files and Directories.
9. Open a Named Pipe and Send and Receive Data.
10. Take Screenshots.
11. Inject into User Processes.
12. Enumerate Services.
13. Start/Stop Services.
14. Modify the Registry.
15. Open/Close TCP and UDP Sessions.

— End Program Capabilities —

The program will also look for the following paths: SetupUi, AppIni, and ExtInfo. The purpose for this search could not be determined.

4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa

Tags

remote-access-trojan

Details
Name wHPEO.exe
Size 7168 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 92a40c64cea4a87de1c24437612f2e0f
SHA1 f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
SHA256 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
SHA512 d0714d09dcac070eb8d0971e953ce0c0382658d5682982a8045dcf29da9a729be57dc7d60c4e18f1833966f6c6584e9a883871eef8d1c9f9d3b5dd100c69b9a4
ssdeep 192:DcTrBTVdZzgW+mpWpc9aThFJJRmqSA9iu:c7EmpWpc9aThFVviu
Entropy 5.395407
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2017-12-04 08:14:24-05:00
Import Hash 6ab19ee53c87a04ccb965f5f658b717a
PE Sections
MD5 Name Raw Size Entropy
d6cd352d657372b25707fed98bc3bd0b header 1024 2.379332
c036d2e814490871e54dd84e8117e044 .text 2560 5.788179
2f2819452977bcfd6dcac4389a2cd193 .rdata 1536 4.849405
afadce14c7f045a0390158515331a054 .data 512 1.342806
554d0cedd69e96ee00c8324ce4da604c .rsrc 1024 5.194460
ed7fec6ad28b233df4676dad7f306c3c .reloc 512 4.741130
Packers/Compilers/Cryptors
Microsoft Visual C++ ?.?
Relationships
4186b5beb5… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
Description

This artifact is a 32-bit Windows executable that is dropped by 448838B2A60484EE78C2198F2C0C9C85. This program has some anti-forensic capability and is designed to clear indicators of compromise (IOCs) from the system. The program first verifies that the service ‘TaskFrame’ is running, then adds the following key to the registry:

— Begin Registry Modification —
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
Data: \??\C:\Users\<user>\AppData\Local\Temp\wHPEO.exe
— End Registry Modification —

This modification ensures that the file is deleted at the next system restart. The program also deletes the user’s ‘index.dat’ file, removing the user’s recent Internet history from the system.
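As an added example (not part of the MAR), the following Python parses a constructed .reg export and checks it for the host indicators this report describes: the TaskFrame service parameters, the ZoneMap changes made by mediaplayer.exe, and the PendingFileRenameOperations delete-on-reboot entry written by the cleanup executable. The export text, the user name ‘alice’ and the benign Spooler entry are constructed; only REG_SZ, REG_DWORD and hex(7) REG_MULTI_SZ values are parsed.

```python
import re

# Host indicators from the MAR: service name, ZoneMap key, Session Manager key.
SERVICE_NAME = "taskframe"
ZONEMAP_KEY = (r"hkey_current_user\software\microsoft\windows\currentversion"
               r"\internet settings\zonemap")
PFRO_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(text):
    """Re-join .reg lines that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def _multi_sz(hexdata):
    """Decode a hex(7) REG_MULTI_SZ body. Empty strings inside the list are
    kept: an empty target in PendingFileRenameOperations means 'delete'."""
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]  # drop only the list terminator
    return text.split("\0")


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: value}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif data.startswith("hex(7):"):
            current[name] = _multi_sz(data[7:])
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = data[1:-1].replace("\\\\", "\\")
    return keys


def find_indicators(keys):
    """Return findings for the three host indicators described in the report."""
    hits = []
    for path, vals in keys.items():
        if "\\services\\" not in path:
            continue
        svc = path.rsplit("\\", 1)[-1]
        image = str(vals.get("ImagePath", "")).lower()
        # Auto-start (Start=2) as LocalSystem from a user-profile path is the
        # shape of the TaskFrame service regardless of its name.
        if (vals.get("Start") == 2 and vals.get("ObjectName") == "LocalSystem"
                and "\\appdata\\" in image):
            hits.append(f"service '{svc}': auto-start as LocalSystem from user profile ({image})")
        if svc == SERVICE_NAME:
            hits.append(f"service '{svc}': name matches the MAR persistence service")
    zone = keys.get(ZONEMAP_KEY, {})
    if all(zone.get(v) == 1 for v in ("ProxyBypass", "IntranetName", "UNCAsIntranet")):
        hits.append("ZoneMap: ProxyBypass, IntranetName and UNCAsIntranet all set to 1")
    ops = keys.get(PFRO_KEY, {}).get("PendingFileRenameOperations", [])
    for src, dst in zip(ops[0::2], ops[1::2]):  # (source, target) pairs
        low = src.lower()
        if dst == "" and "\\temp\\" in low and low.endswith(".exe"):
            hits.append(f"PendingFileRenameOperations: delete-on-reboot of {src}")
    return hits


def _hex7(strings):
    """Encode strings as regedit's hex(7) form (used only to build the sample)."""
    data = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


# Constructed export resembling an infected host; 'alice' and Spooler are invented.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TaskFrame]",
    '"Type"=dword:00000110', '"Start"=dword:00000002', '"ErrorControl"=dword:00000001',
    r'"ImagePath"="C:\\Users\\alice\\AppData\\Roaming\\Media\\mediaplayer.exe"',
    '"DisplayName"="TaskFrame"', '"ObjectName"="LocalSystem"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]",
    '"Start"=dword:00000002', r'"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"',
    '"ObjectName"="LocalSystem"', "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]",
    '"ProxyBypass"=dword:00000001', '"IntranetName"=dword:00000001',
    '"UNCAsIntranet"=dword:00000001', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]",
    '"PendingFileRenameOperations"=' + _hex7([r"\??\C:\Users\alice\AppData\Local\Temp\wHPEO.exe", ""]),
])

if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```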

Relationship Summary

64d78eec46… Dropped 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
64d78eec46… Connected_To sdvro.net
64d78eec46… Dropped 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
sdvro.net Connected_From 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
927d945476… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
4186b5beb5… Dropped_By 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Revisions

  • October 1, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.


96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws

Most modern codebases depend on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But, shockingly, less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities.

[Figure: Percentage of codebase pulled from open source]

Why is it important to scan open source libraries?

For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. If open source libraries are not scanned, these flaws remain undetected and exposed to attack.

Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach through Apache Struts, which compromised the data (including social security numbers) of more than 143 million Americans. Following the breach, Equifax’s stock fell over 13 percent. The unfortunate reality is that if Equifax had performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided.

Why aren’t more organizations scanning open source libraries?

If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities. Unfortunately, you can’t rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that’s pulled indirectly from another library in use.

[Figure: Transitive and direct open source vulnerabilities]
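As an added example (not the post's or Veracode's code), the following Python walks a constructed dependency graph against a constructed advisory list and labels each flawed package as direct or transitive, with the chain that pulls it in and the direct dependency whose update would remove it. All package names and flaws are invented.

```python
from collections import deque

# Constructed manifest: package -> direct dependencies. Names are invented.
DEPENDENCY_GRAPH = {
    "my-app": ["web-framework", "json-parser", "logging-lib"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["url-utils"],
    "template-engine": ["escape-utils"],
    "json-parser": [],
    "logging-lib": ["url-utils"],
    "url-utils": [],
    "escape-utils": [],
}

# Constructed advisory feed: package -> short flaw description.
KNOWN_FLAWS = {
    "json-parser": "insecure deserialization (constructed)",
    "url-utils": "open redirect (constructed)",
    "escape-utils": "cross-site scripting via unescaped output (constructed)",
}


def resolve_flaws(graph, flaws, root):
    """Breadth-first walk from root. For every reachable package with a known
    flaw, report whether it is a direct dependency, its depth, the shortest
    chain from root, and the direct dependency that ultimately pulls it in."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in parent:  # first visit in BFS is the shortest path
                parent[dep] = pkg
                queue.append(dep)
    findings = {}
    for pkg in parent:
        if pkg == root or pkg not in flaws:
            continue
        chain, node = [], pkg
        while node is not None:
            chain.append(node)
            node = parent[node]
        chain.reverse()  # root ... pkg
        findings[pkg] = {
            "flaw": flaws[pkg],
            "direct": len(chain) == 2,
            "depth": len(chain) - 1,
            "chain": chain,
            "fix_via": chain[1],  # the direct dependency to update or replace
        }
    return findings


def summarize(findings):
    """Count direct vs transitive flaws, the split the post's figures describe."""
    direct = sum(1 for f in findings.values() if f["direct"])
    return {"direct": direct, "transitive": len(findings) - direct}


if __name__ == "__main__":
    found = resolve_flaws(DEPENDENCY_GRAPH, KNOWN_FLAWS, "my-app")
    for pkg, info in found.items():
        kind = "direct" if info["direct"] else f"transitive (depth {info['depth']})"
        print(f"{pkg}: {kind} via {' -> '.join(info['chain'])}; update {info['fix_via']}")
    print(summarize(found))
```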

What are your options for managing library security flaws?

First off, it’s important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update such as a revision or patch. Even high-priority flaws are easy to fix: close to 91 percent can be fixed with an update.

[Figure: Patching open source flaws]

So, when it comes to managing your library security flaws, the focus should not just be “How am I going to fix the flaws?” but also “How am I going to find the flaws?” That’s where tools like Veracode Software Composition Analysis (SCA) come in handy. Veracode SCA scans open source dependencies for known vulnerabilities and makes recommendations on version updating.

Veracode SCA is fast and easy to use. You can integrate it into your pipeline through a simple command-line scan agent that delivers results in seconds. Or you can use the same agent directly in your IDE to get feedback even earlier.

By using a tool like SCA, you can uncover not only flaws introduced directly by the application developer, but also transitive flaws introduced indirectly by other libraries several layers deep. In addition, Veracode SCA can find more vulnerabilities than the National Vulnerability Database (NVD). How? Because not every developer reports flaws to the NVD. So Veracode is able to use data mining, natural language processing, and machine learning to significantly grow its SCA database and find new or unreported flaws.

To learn more about application scanning statistics and trends, download the ESG report, Modern Application Development Security.

The post 96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws appeared first on Security Boulevard.


ESB-2020.3420 – [Appliance] F5 Products: Access confidential data – Existing account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3420
         Intel CPU SRBDS side-channel vulnerability CVE-2020-0543
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-0543  

Reference:         ESB-2020.2018
                   ESB-2020.2006
                   ESB-2020.1994

Original Bulletin: 
   https://support.f5.com/csp/article/K25920352

- --------------------------BEGIN INCLUDED TEXT--------------------

K25920352:Intel CPU SRBDS side-channel vulnerability CVE-2020-0543

Security Advisory

Original Publication Date: 01 Oct, 2020

Security Advisory Description

Incomplete cleanup from specific special register read operations in some Intel
(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access. (CVE-2020-0543) 

Impact

This is a new domain bypass transient execution attack known as Special
Register Buffer Data Sampling (SRBDS). All exposure is limited to the control
plane, also known as the management plane. There is no exposure on BIG-IP
products by way of the data plane. Additionally, on the control plane, the
vulnerabilities are exploitable only by the following four authorized,
authenticated account roles: Administrator, Resource Administrator, Manager,
and iRules Manager. An attacker must be authorized to access the system in one
of these roles to attempt to exploit the vulnerabilities.

This vulnerability requires an attacker who can provide and run binary code of
their choosing on the BIG-IP platform. As a result, these conditions severely
restrict the exposure risk of BIG-IP products.

Single-tenancy products

For single-tenancy products, such as a standalone BIG-IP device, the risk is
limited to a local, authorized user employing one of the vulnerabilities to
read information from memory that they would not normally access, exceeding
their privileges. A user may be able to access kernel-space memory instead of
their own user-space.

Multi-tenancy environments

For multi-tenancy environments, such as cloud, Virtual Edition (VE), and
Virtual Clustered Multiprocessing (vCMP), the same local kernel memory access
risk applies as in single-tenancy environments. Additionally, there is a risk
of attacks across guests, or attacks against the hypervisor or host. In cloud
and VE environments, preventing these new attacks falls on the hypervisor or
host platform, which is outside the scope of F5's ability to support or patch.
Contact your cloud provider or hypervisor vendor to ensure their platforms or
products are protected against Spectre variants.

Vulnerability research

For vCMP environments, F5 believes that while the Spectre Variant attacks offer
a theoretical possibility of guest-to-guest or guest-to-host attacks, these
would be very difficult to successfully conduct in the BIG-IP environment. The
primary risk in the vCMP environment with Spectre variants only exists when
vCMP guests are configured to use a single core. If the vCMP guests are
configured to use two or more cores, the Spectre Variant vulnerabilities are
eliminated.

F5 is working with its hardware component vendors to determine the scope of
vulnerabilities across its various generations of hardware platforms. All of
the current information from the F5 vendors is represented in this security
advisory. F5 is working to obtain the remaining information from its vendors
and will update the security advisory as F5 receives new information regarding
its hardware platforms.

F5 is also testing the fixes produced by the Linux community, and is conducting
an extensive test campaign to characterize the impact of the fixes on system
performance and stability to ensure a good experience for its customers. F5
does not want to rush the process and release fixes without a full
understanding of potential issues. Given the limited exposure, the complexity
of the fixes, and the potential issues, a detailed approach is warranted, and
rushing a fix could result in an impact to system stability or unacceptable
performance costs. F5 will update this article with fixes as the fixes become
available.

Security Advisory Status

F5 Product Development has assigned ID 947709 (BIG-IP) to this vulnerability.

To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.

+-------------------+------+----------+----------+----------+------+----------+
|                   |      |Versions  |Fixes     |          |CVSSv3|Vulnerable|
|Product            |Branch|known to  |introduced|Severity  |score^|component |
|                   |      |be        |in        |          |1     |or feature|
|                   |      |vulnerable|          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |16.x  |16.0.0    |None      |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |15.x  |15.1.0    |None      |          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IP (LTM, AAM,  |14.x  |14.1.0 -  |None      |          |      |          |
|Advanced WAF, AFM, |      |14.1.2    |          |          |      |F5        |
|Analytics, APM,    +------+----------+----------+          |      |hardware  |
|ASM, DDHD, DNS,    |13.x  |13.1.0 -  |None      |Medium    |5.9   |platforms^|
|FPS, GTM, Link     |      |13.1.3    |          |          |      |2         |
|Controller, PEM,   +------+----------+----------+          |      |          |
|SSLO)              |12.x  |12.1.0 -  |None      |          |      |          |
|                   |      |12.1.5    |          |          |      |          |
|                   +------+----------+----------+          |      |          |
|                   |11.x  |11.6.1 -  |None      |          |      |          |
|                   |      |11.6.5    |          |          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|                   |7.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
|                   +------+----------+----------+          |      |          |
|BIG-IQ Centralized |6.x   |None      |Not       |Not       |None  |None      |
|Management         |      |          |applicable|vulnerable|      |          |
|                   +------+----------+----------+          |      |          |
|                   |5.x   |None      |Not       |          |      |          |
|                   |      |          |applicable|          |      |          |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC        |5.x   |None      |Not       |Not       |None  |None      |
|                   |      |          |applicable|vulnerable|      |          |
+-------------------+------+----------+----------+----------+------+----------+

^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.

^2For information about the affected hardware platforms, refer to the
Vulnerable platforms section.

Vulnerable platforms

BIG-IP

+-----------+---------------+----------+
|Model      |Processor types|Vulnerable|
+-----------+---------------+----------+
|BIG-IP 2xx0|Intel          |Y         |
+-----------+---------------+----------+
|BIG-IP 4xx0|Intel          |Y         |
+-----------+---------------+----------+
|BIG-IP 5xx0|Intel          |Y         |
+-----------+---------------+----------+
|BIG-IP 7xx0|Intel          |Y         |
+-----------+---------------+----------+

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

  o K41942608: Overview of security advisory articles
  o K4602: Overview of the F5 security vulnerability response policy
  o K4918: Overview of the F5 critical issue hotfix policy
  o K9502: BIG-IP hotfix and point release matrix
  o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
  o K167: Downloading software and firmware from F5
  o K9970: Subscribing to email notifications regarding F5 products
  o K9957: Creating a custom RSS feed to view new and updated documents

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

ESB-2020.3418 – [Ubuntu] Gon gem: Cross-site scripting – Remote with user interaction


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3418
                     USN-4560-1: Gon gem vulnerability
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Gon gem
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25739  

Reference:         ESB-2020.3315

Original Bulletin: 
   https://usn.ubuntu.com/4560-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4560-1: Gon gem vulnerability
30 September 2020

Gon gem could be made to run programs if it received specially crafted network
traffic.

Releases

  o Ubuntu 18.04 LTS

Packages

  o ruby-gon - Ruby library to send data to JavaScript from a Ruby application

Details

It was discovered that Gon gem did not properly escape certain input. An
attacker could use this vulnerability to execute a cross-site scripting
(XSS) attack.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

  o ruby-gon - 6.1.0-1+deb9u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References

  o CVE-2020-25739

- --------------------------END INCLUDED TEXT--------------------


ESB-2020.3417 – [Ubuntu] Samba: Increased privileges – Remote/unauthenticated


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3417
                         USN-4559-1: Samba update
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Increased Privileges -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1472  

Reference:         ESB-2020.3219
                   ESB-2020.3188

Original Bulletin: 
   https://usn.ubuntu.com/4559-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4559-1: Samba update
30 September 2020

Several security improvements were added to Samba.

Releases

  o Ubuntu 20.04 LTS
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Packages

  o samba - SMB/CIFS file, print, and login server for Unix

Details

Tom Tervoort discovered that the Netlogon protocol implemented by Samba
incorrectly handled the authentication scheme. A remote attacker could use
this issue to forge an authentication token and steal the credentials of
the domain admin.

While a previous security update fixed the issue by changing the "server
schannel" setting to default to "yes", instead of "auto", which forced a
secure netlogon channel, this update provides additional improvements.

For compatibility reasons with older devices, Samba now allows specifying
an insecure netlogon configuration per machine. See the following link for
examples: https://www.samba.org/samba/security/CVE-2020-1472.html

In addition, this update adds server checks on the client-specified challenge
to provide some protection against the protocol attack when
'server schannel = no/auto' and to avoid the false-positive results when
running the proof-of-concept exploit.
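An added example (not from the advisory or from Samba itself) that audits an smb.conf for the two settings this notice discusses: the global 'server schannel' value and any per-machine exceptions that re-allow an insecure netlogon channel. The per-machine option spelling 'server require schannel:<MACHINE>$' and both configuration samples are assumptions constructed for this example; verify the option name against the Samba manual for your version.

```python
"""Audit a Samba smb.conf for the netlogon settings USN-4559-1 describes."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the weak configuration (not from any real host).
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; 'auto' still lets a client fall back to an unsigned netlogon channel
    server schannel = auto
    # assumed per-machine exception syntax (see lead-in)
    server require schannel:LEGACYPRINTER$ = no
    server require schannel:OLDNAS$ = no

[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
    read only = No
"""

# Constructed sample: the corrected configuration.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    server schannel = yes
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
EXCEPTION_PREFIX = "server require schannel:"  # assumed option name


def normalize_key(key: str) -> str:
    """Samba parameter names are case-insensitive and ignore whitespace.
    The machine-name part of a per-machine option is kept as written."""
    if ":" in key:
        prefix, machine = key.split(":", 1)
        return normalize_key(prefix) + ":" + machine.strip()
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_global_section(text: str) -> dict[str, str]:
    """Return the [global] parameters as {normalized name: raw value}."""
    params: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[normalize_key(key)] = value.strip()
    return params


def as_bool_or_auto(value: str) -> str:
    """Map Samba boolean spellings to 'yes'/'no'; 'auto' stays 'auto'."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    return v


@dataclass
class NetlogonAudit:
    server_schannel: str | None  # normalized value, None when unset
    exceptions: list[str] = field(default_factory=list)  # machines allowed insecure channel
    findings: list[str] = field(default_factory=list)


def audit_netlogon(smb_conf: str) -> NetlogonAudit:
    params = parse_global_section(smb_conf)
    raw = params.get("server schannel")
    value = as_bool_or_auto(raw) if raw is not None else None
    audit = NetlogonAudit(server_schannel=value)

    # Only 'yes' forces a secure channel for every client. An unset value is
    # reported but not flagged: the earlier update made 'yes' the default.
    if value in ("no", "auto"):
        audit.findings.append(
            f"server schannel = {value}: permits insecure netlogon channels; set to yes")

    # Each per-machine exception re-opens the weakness for that one machine.
    for key, val in params.items():
        if key.startswith(EXCEPTION_PREFIX) and as_bool_or_auto(val) == "no":
            machine = key[len(EXCEPTION_PREFIX):]
            audit.exceptions.append(machine)
            audit.findings.append(
                f"{machine}: insecure netlogon channel allowed; patch or retire this machine")
    return audit


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        result = audit_netlogon(conf)
        print(f"[{name}] server schannel = {result.server_schannel}")
        for finding in result.findings:
            print("  -", finding)
```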

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 20.04

  o samba - 2:4.11.6+dfsg-0ubuntu1.5

Ubuntu 18.04

  o samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.20

Ubuntu 16.04

  o samba - 2:4.3.11+dfsg-0ubuntu0.16.04.31

In general, a standard system update will make all the necessary changes.

References

  o CVE-2020-1472

Related notices

  o USN-4510-1 : samba
  o USN-4510-2 : samba

- --------------------------END INCLUDED TEXT--------------------


ESB-2020.3416 – [Ubuntu] libapreq2: Denial of service – Remote with user interaction


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3416
                   USN-4558-1: libapreq2 vulnerabilities
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapreq2
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12412  

Reference:         ESB-2019.3733
                   ESB-2019.3723

Original Bulletin: 
   https://usn.ubuntu.com/4558-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4558-1: libapreq2 vulnerabilities
30 September 2020

libapreq2 could be made to crash if it received specially crafted network
traffic.

Releases

  o Ubuntu 18.04 LTS

Packages

  o libapreq2 - a safe, standards-compliant, high-performance library used for
    parsing HTTP cookies, query-strings and POST data

Details

It was discovered that libapreq2 did not properly sanitize the Content-Type
field in certain, crafted HTTP requests. An attacker could use this
vulnerability to cause libapreq2 to crash.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

  o libapache2-mod-apreq2 - 2.13-7~deb10u1build0.18.04.1
  o libapache2-request-perl - 2.13-7~deb10u1build0.18.04.1
  o libapreq2-3 - 2.13-7~deb10u1build0.18.04.1
  o libapreq2-dev - 2.13-7~deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References

  o CVE-2019-12412

- --------------------------END INCLUDED TEXT--------------------


ESB-2020.3414 – [Ubuntu] Rack: Access confidential data – Remote/unauthenticated


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3414
                     USN-4561-1: Rack vulnerabilities
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Rack
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8184 CVE-2020-8161 

Reference:         ESB-2020.2359
                   ESB-2020.1836

Original Bulletin: 
   https://usn.ubuntu.com/4561-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4561-1: Rack vulnerabilities
30 September 2020

Rack could be made to expose sensitive information over the network.

Releases

  o Ubuntu 18.04 LTS

Packages

  o ruby-rack - modular Ruby webserver interface

Details

It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-8161)

It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

  o ruby-rack - 1.6.4-4ubuntu0.2

In general, a standard system update will make all the necessary changes.

References

  o CVE-2020-8161
  o CVE-2020-8184

- --------------------------END INCLUDED TEXT--------------------


ESB-2020.3415 – [Ubuntu] Tomcat: Multiple vulnerabilities


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3415
                    USN-4557-1: Tomcat vulnerabilities
                              1 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tomcat
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
                   Unauthorised Access      -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-8735 CVE-2016-6816 CVE-2016-6797
                   CVE-2016-6796 CVE-2016-6794 CVE-2016-5018
                   CVE-2016-0762  

Reference:         ESB-2017.1892
                   ESB-2017.1595
                   ESB-2017.1560

Original Bulletin: 
   https://usn.ubuntu.com/4557-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4557-1: Tomcat vulnerabilities
30 September 2020

Several security issues were fixed in Tomcat.

Releases

  o Ubuntu 16.04 LTS

Packages

  o tomcat6 - Servlet and JSP engine

Details

It was discovered that the Tomcat realm implementations incorrectly handled
passwords when a username didn't exist. A remote attacker could possibly
use this issue to enumerate usernames. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly
limited use of a certain utility method. A malicious application could
possibly use this to bypass Security Manager restrictions. (CVE-2016-5018)

It was discovered that Tomcat incorrectly controlled reading system
properties. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration
parameters. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI
resources. A malicious application could use this to access any global JNDI
resource without an explicit ResourceLink. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid
characters from the HTTP request line. A remote attacker could possibly
use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not
implement a recommended fix. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2016-8735)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 16.04

  o libservlet2.5-java - 6.0.45+dfsg-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References

  o CVE-2016-6797
  o CVE-2016-6816
  o CVE-2016-6794
  o CVE-2016-5018
  o CVE-2016-8735
  o CVE-2016-6796
  o CVE-2016-0762

Related notices

  o USN-3177-1 : tomcat8, tomcat7, libtomcat6-java, libtomcat8-java,
    libtomcat7-java, tomcat6

- --------------------------END INCLUDED TEXT--------------------


2020-09-23 – Spambot activity from Qakbot-infected host

The post 2020-09-23 – Spambot activity from Qakbot-infected host appeared first on Malware Devil.



https://malwaredevil.com/2020/10/01/2020-09-23-spambot-activity-from-qakbot-infected-host/?utm_source=rss&utm_medium=rss&utm_campaign=2020-09-23-spambot-activity-from-qakbot-infected-host

Making sense of Azure AD (AAD) activity logs, (Thu, Oct 1st)

Chances are, you are quite familiar with the logs of your on-premises Active Directory (AD) domain controller. The corresponding Event IDs have been well documented over the years (though not thanks to Microsoft), and many blog posts have been written about how to use AD logs to detect Pass-the-Hash, brute force attempts, Kerberoasting, and more.

Increasingly though, we all find our Active Directory slowly (or quickly) migrating into the Cloud, and becoming an Azure Active Directory (AAD). Some of the old on-premises AD body of knowledge in detection and defense still applies, but most is obsolete. And – brave new world – AAD is usually exposed to the Internet in some form or fashion, so it is subject to all the noise that all the miscreants on the planet can fire against the IP address that happens to be yours.

As was the case with Active Directory, Microsoft isn’t really making huge strides in sharing the knowledge needed to keep Azure AD safe, either. The https://github.com/MicrosoftDocs and https://github.com/Microsoft repositories are sharing some samples, many of which are outdated, but in general, the documentation is still kinda thin.

If you are like many small businesses or institutions who use AAD, but can’t afford the full-fledged Microsoft offering with Sentinel, Azure ATP (now called Microsoft Defender for Identity) and other $$$-gadgets, you are kinda on your own.

You still should look at them logs though, because … as mentioned above … AAD is usually “internet-facing”, and if there is any chink in your armor, the miscreants will find it eventually. 

Rather than streaming your AAD logs back on-premises into your existing ELK or Splunk or what-have-you, I’d suggest you look into connecting your AAD to a Log Analytics workspace in Azure. It isn’t exactly cheap, but if you don’t go overboard with the volume or retention period, you’ll find it useful. More info on how to set it up here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-analyze-activity-logs-log-analytics

Once you have this in place, you can use the Kusto Query Language to run quick analysis queries like this one, which looks for failed logins that originate from the same IP address and hit several different user IDs within a short window:

SigninLogs
| where ResultType != 0                                 // failed logins only
| extend TimeBin=bin(TimeGenerated,2h)                  // in 2h interval buckets
| summarize IDs=make_set(Identity) by IPAddress,TimeBin // attempted usernames per source IP and time bucket
| extend targets=array_length(IDs)                      // count how many
| render columnchart                                    // paint a pretty picture

which in my case, for the community college where I’m watching the AAD, resulted in something like this for last week:

which in turn provides ample incentive to drill down further, and to also look into how to deploy some kind of automatic responder that bans this kind of nonsense, by pushing a temporary block rule to zap the offending IPs.
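The same detection written out in Python, as an added example that is not part of the ISC diary: it runs the query's logic (failed sign-ins only, 2h buckets, distinct identities per source IP) over a constructed sample of SigninLogs rows and returns the offending addresses as data, the form an automatic responder would consume rather than a chart. It assumes rows exported from Log Analytics as dicts carrying the four columns the query references.

```python
"""Failed-sign-in spraying detector mirroring the KQL query above.

Added example, not from the ISC diary. Assumes SigninLogs rows exported from
Log Analytics as dicts with the columns the query uses: TimeGenerated (ISO 8601,
UTC), ResultType ("0" means success), Identity and IPAddress. The sample rows
below are constructed; the addresses are documentation ranges, not real sources.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
BUCKET = timedelta(hours=2)   # the 2h interval buckets of bin(TimeGenerated, 2h)


def parse_ts(s):
    """Parse the ISO 8601 timestamps Log Analytics exports (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def time_bin(ts, width=BUCKET):
    """KQL bin(): floor a timestamp to the start of its width-sized bucket."""
    return EPOCH + (ts - EPOCH) // width * width


def failed_identities(records, width=BUCKET):
    """The 'summarize IDs=make_set(Identity) by IPAddress, TimeBin' step,
    restricted to failed sign-ins (the 'where ResultType != 0' line)."""
    ids = defaultdict(set)
    for r in records:
        if str(r["ResultType"]) == "0":
            continue                                   # successful sign-in, skip
        key = (r["IPAddress"], time_bin(parse_ts(r["TimeGenerated"]), width))
        ids[key].add(r["Identity"])
    return ids


def spraying_sources(records, min_targets=5, width=BUCKET):
    """IPs whose failures hit at least min_targets distinct accounts in one bucket.

    Returns (IPAddress, bucket_start, target_count) sorted by count descending.
    A single account retrying its own bad password never reaches the threshold,
    because the count is of distinct identities, not of failures."""
    hits = [(ip, start, len(ids))
            for (ip, start), ids in failed_identities(records, width).items()
            if len(ids) >= min_targets]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed sample: six different accounts hit from one address inside the
# 14:00-16:00 bucket, one more from it in the next bucket, one success from it,
# and one user failing three times from their usual address.
SAMPLE_LOGS = [
    {"TimeGenerated": "2020-09-24T14:05:00Z", "ResultType": "50126", "Identity": "alice", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T14:07:00Z", "ResultType": "50126", "Identity": "bob", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T14:12:00Z", "ResultType": "50126", "Identity": "carol", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T15:20:00Z", "ResultType": "50126", "Identity": "dave", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T15:41:00Z", "ResultType": "50126", "Identity": "erin", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T15:59:00Z", "ResultType": "50126", "Identity": "frank", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T16:30:00Z", "ResultType": "50126", "Identity": "grace", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T15:45:00Z", "ResultType": "0", "Identity": "henry", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2020-09-24T09:00:00Z", "ResultType": "50126", "Identity": "bob", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2020-09-24T09:01:00Z", "ResultType": "50126", "Identity": "bob", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2020-09-24T09:03:00Z", "ResultType": "50126", "Identity": "bob", "IPAddress": "198.51.100.7"},
]


if __name__ == "__main__":
    for ip, start, n in spraying_sources(SAMPLE_LOGS):
        print(f"{start:%Y-%m-%d %H:%M} UTC  {ip}  tried {n} distinct accounts")
```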

If you know of useful resources on how to monitor Azure AD, please let us know, or share in the comments below.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The post Making sense of Azure AD (AAD) activity logs, (Thu, Oct 1st) appeared first on Malware Devil.



https://malwaredevil.com/2020/10/01/making-sense-of-azure-ad-aad-activity-logs-thu-oct-1st/?utm_source=rss&utm_medium=rss&utm_campaign=making-sense-of-azure-ad-aad-activity-logs-thu-oct-1st

Wednesday, September 30, 2020

Network Security News Summary for Thursday October 1 2020

A brief daily summary of what is important in cybersecurity. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minutes long, summary of current network security-related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Storm Center. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .

The post Network Security News Summary for Thursday October 1 2020 appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/network-security-news-summary-for-thursday-october-1-2020-2/?utm_source=rss&utm_medium=rss&utm_campaign=network-security-news-summary-for-thursday-october-1-2020-2

The No Good, Very Bad Week for Iran’s Nation-State Hacking Ops

A look at the state of Iran’s cyber operations as the US puts the squeeze on it with a pile of indictments and sanctions.

The US government hit the Iran state hacking machine hard earlier this month: In a 72-hour period, it unsealed three separate indictments of seven Iran-based individuals with a total of 22 charges. It also issued economic sanctions against a front technology company for Iran’s Ministry of Intelligence and Security (MOIS) and an Iranian nation-state hacking team of some 45 people.

It was all part of a coordinated disruption and deterrence effort by the US government against Iran’s MOIS, Islamic Revolutionary Guard Corps (IGRC), and other individuals in the country who have been targeting victims in the US and elsewhere.

Terry Wade, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch, described it as an effort to “impose consequences” on the Iranian hackers.

“No cyber actor should think they can compromise US networks, steal our intellectual property, or hold our critical infrastructure at risk without incurring risk themselves,” he said in a statement after the indictments and sanctions were handed down that week.

The multiple filings by the feds the week of Sept. 14 that unmasked some of Iran’s key cyber espionage actors and groups also came amid a Sept. 15 joint warning by the FBI and US Department of Homeland Security about cyberattacks out of Iran targeting US federal agencies and other organizations.

Naming and shaming by US law enforcement of suspects from nations with no extradition agreements with the US, like Iran – as well as China and Russia – may seem mostly symbolic, but policymakers contend it gives the US some leverage in policymaking as well as a way to nab a suspect who dares to travel to a nation friendly to the US. The feds increasingly have been using this tool to pressure nation-state adversaries such as Iran to dial back their cyber spying and cybercrime campaigns.

Tom Bossert, former US Homeland Security Advisor to the White House under President Donald Trump and co-author of the 2007 National Strategy for Homeland Security, says indictments and sanctions are part of a larger response strategy in cyber. Public attribution of cyber threat actors was policy during his tenure in the Trump administration.

“[The indictments and sanctions] don’t modify the choices of behavior by leadership in Iran, Russia, and China – not alone, anyway. But they are important parts of a larger strategic response. Among other things, it lets them know what we know and, in some cases, makes them fear we know more,” says Bossert, who is president of Trinity Cyber, a threat prevention service startup co-founded by the former deputy director of the National Security Agency’s Threat Operations Center. “It starts to make them fear ghosts around every corner and starts to make them redouble their efforts in secrecy. It may delay … their operation cycle.”

Bossert, who served the Trump administration from its beginning in 2017 until April 2018, says these efforts can help with ongoing investigations.

“It’s useful, disruptive, and can often help us with some of the things we don’t put in those reports,” says Bossert. “If it makes them think for a moment, then it’s effective.”

Will Iran Strike Back?
It’s too soon to determine whether the recent flurry of indictments and sanctions will disrupt existing or planned cyberattack campaigns by Iran – or trigger any retaliatory destructive hacking. Bossert says it’s possible Iran could strike back more aggressively against the US – especially if Trump wins the 2020 presidential election and the current stringent positions against Iran continue – but it’s difficult to discern.

Interestingly, while Iran’s cyber operations have matured over the years and expanded more broadly in cyber espionage, its hacking MO for the most part has not changed dramatically, according to threat intelligence experts. The Iranian nation-state actors rarely alter their attack patterns and methods, notes Mandiant senior threat intelligence analyst Sarah Jones.

“They stick with what works for them,” says Jones, who specializes in Iranian cyber activity. “A lot of Iranian TTPs [tactics, techniques and procedures] tend to get reused [by their various groups],” she says. “There’s not a lot of technical sophistication, actually, but it’s very difficult for network defenders to detect and respond to it.”

Jones says one Iranian group she follows, best known by its Charming Kitten moniker, targets the personal email accounts of its victims as a way into their targeted organizations’ networks.

“It’s difficult for a network defender to protect against this,” she says, especially when users have their personal accounts on a mobile device and they aren’t logged into their companies’ networks when using their personal email accounts. Once the attacker is in the victim’s private email account, the attacker has access to all of the victim’s other contacts, she notes, which provides rich intel for other targets.

Allison Wikoff, strategic cyber threat analyst for IBM X-Force and an expert on Iranian operations, describes Iran’s hacking activity similarly: It’s “business as usual,” she says. To date, her team hasn’t witnessed any increase or decline in Iran’s normal cyber operation activity.

“I would argue that the tactics, malware, and techniques all work” for Iran, so there’s no motivation for them to change course, Wikoff says. Charming Kitten, known as ITG18 by IBM, “is a testament to sticking to what works.”

Iranian hackers rarely develop their own exploits, either.

“They wait for them to come on the market … and change a few things there and deploy it themselves,” says Vikram Thakur, technical director of security response at Broadcom’s Symantec.

While Iran’s hacking tools haven’t really changed, how they’re employed has evolved. And how the hackers conduct and run their operations has become more sophisticated, says Adam Meyers, vice president of intelligence at CrowdStrike.

“We’ve seen them learning from how Russia has done it and how China has done it, and they have learned a lot of lessons in Syria” from Russian nation-state hackers, he says. “They’ve upped how they use [cyberattacks].”

Meyers believes the leaks of sensitive Iranian cybertools and the doxing of Iranian hackers by the so-called Lab Dookhtegan and others last year may have helped solidify the wave of indictments handed down by the US this month. “It’s consistent with the maximum-pressure strategy on Iran,” he points out.

Researchers at VMware, meanwhile, have seen Iran, as well as North Korea, employ evasion tactics akin to what Russian nation-state hackers use.

“They’re using a lot of techniques for counter-IR [incident response] and evasion that have been used successfully in the past by Russia,” says Tom Kellermann, head of cybersecurity strategy at VMware and a member of the US Secret Service’s Cyber Investigations Advisory Board. “They’re blocking events from hitting the SIEM, disabling Windows AMSI [anti-malware scan interface], and deploying ransomware as DDoS.”

Unmasked Nation-State Hackers
In the first of the three DoJ indictments, which was unsealed on Sept. 15, Behzad Mohammadzadeh, aka Mrb3hz4d, and Palestinian Marwan Abusrour, aka Mrwn007, each were charged with hacking and defacing websites hosted in the US on three counts. Their alleged acts, which were believed to be an apparent retaliation for the Jan. 2, 2020, US airstrike that killed IGRC official Qasem Soleimani, were part of a larger defacement campaign of some 1,400 websites worldwide.

On Sept. 16, the DoJ unsealed a 10-count indictment charging Iranian citizens Hooman Heidarian, aka neo, and Medhi Farhadi, aka Mehdi Mahdavi, for allegedly stealing hundreds of terabytes of data from targets in the US, Europe, and Middle East – including confidential national security, intelligence, aerospace, scientific research, and human activist information. The defendants also monetized some of the data, which included financial information about their victims, by selling it in the cyber underground.

The third indictment, on Sept. 17, charged three Iranian nationals with nine counts of hacking and targeting organizations in the aerospace and satellite technology industries from around June 2015 to February 2019. Said Pourkarim Arabi, 34, Mohammad Reza Espargham, 25, and Mohammad Bayati, 34, were charged with identity theft and hacking for the IGRC. According to the indictment, the men impersonated aerospace and satellite industry employees in the US via stolen online identities in order to send spear-phishing emails and drop malware on targeted systems.

The hacks were directed by the IGRC, of which Arabi is a member.

The US Department of Treasury issued sanctions on Iran’s APT39 (aka Chafer and ITG07) hacking team as well as on 45 other associates and a front company known as Rana Intelligence Computing Company on Sept. 17. The hacking team under the guise of Rana waged cyberattacks on Iranian dissidents, journalists, and US-based travel services companies.

Contractors as Cover
The indictments and sanctions shed more light on the blurred lines between nation-state hackers and cybercriminals in Iran.

“I think it’s a way of doing business in cyber,” says Paul Kurtz, co-founder and chairman of security intelligence management platform provider TruStar. Kurtz worked for Presidents Bill Clinton and George W. Bush on cybersecurity and critical infrastructure policy.

Russia is infamous for its practice of hiring cybercriminals to do its nation-state hacking and looking the other way when they carry out non-state hacking. It’s a relatively economical way for nations like Russia and Iran to tap tech talent at home.

“So if you’re a young person and have cyberskills … it’s a great way to put food on the table. [I’m] not excusing their behavior at all,” he says, but some Iranians struggle to find jobs given the poor economy there. “We often miss that.”

It also provides cover for governments. “They can always say these [individuals] are not part” of the government, says Broadcom’s Thakur.

[See Paul Kurtz speak next week at the Cybersecurity Crash Course at Interop Digital on How to Know When You’ve Been Compromised]

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

The post The No Good, Very Bad Week for Iran’s Nation-State Hacking Ops appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/the-no-good-very-bad-week-for-irans-nation-state-hacking-ops/?utm_source=rss&utm_medium=rss&utm_campaign=the-no-good-very-bad-week-for-irans-nation-state-hacking-ops

GitHub Tool Spots Security Vulnerabilities in Code

Scanner, which just became generally available, lets developers spot problems before code gets into production.

A code-scanning capability that GitHub has been testing for the past several months is now generally available for organizations using the platform as part of their software development process.

The scanner is based on CodeQL, a code analysis technology that GitHub acquired from its purchase of Semmle last year. It gives developers a way to scan code for security vulnerabilities during development and to address the issues before the code gets into production.

GitHub released the first beta of the natively integrated code scanner at its GitHub Satellite virtual event earlier this year. Since then, more than 6,000 user accounts — belonging to both individuals and organizations — have enabled code scanning on their GitHub repositories, says Justin Hutchings, product manager at GitHub.

Over 12,000 repositories on GitHub have been scanned a total of 1.4 million times since the scanner went into beta. Over that period, the scanner has helped uncover more than 20,000 security issues in code stored on GitHub, including remote execution flaws, SQL injection errors, and cross-site scripting flaws, according to GitHub.

“Thanks to their testing and feedback, we’re confident that code scanning is ready for the wider community,” Hutchings says. “The code-scanning beta proved the hypothesis that if you build security tooling for developers first, developers will use it.” According to Hutchings, GitHub made multiple improvements to the product based on feedback from beta users of the code scanner so it meets the requirements of both the open source community and commercial organizations.

More source code is currently stored on GitHub than any other platform. Some 50 million developers and 2.9 million businesses worldwide collectively use GitHub to host a staggering 100 million code repositories. Since launching as a place for individual developers to securely host and manage code revisions back in 2008, GitHub has grown into the most widely used platform for managing software development projects worldwide.

In 2011 GitHub launched an enterprise version of the platform that organizations can use on-premise to manage software projects. In 2017, it launched an enterprise cloud version of the technology. Microsoft acquired GitHub for $7.5 billion in 2018. Some of its better-known customers include Facebook, American Airlines, Dow Jones, and 3M.

Ongoing Effort
Hutchings says the new code-scanning feature is part of GitHub’s ongoing effort to help secure the open source software ecosystem. In 2019, GitHub launched Security Lab, an initiative under which it is working with security researchers, developers, and others to detect and report bugs in popular open source projects. Among those participating in the effort are Microsoft, Google, HackerOne, and Intel.

Such efforts are important because in recent years a high number of data breaches have resulted from vulnerabilities in web applications, such as SQL injection flaws, input validation mistakes, and cross-site scripting flaws. Vulnerabilities in open source software in particular have been of high concern because of how widely used these components are in modern applications.

CodeQL, on which GitHub’s new scanner is based, is a semantic code analysis tool that lets developers query software code as if it were data. GitHub has described the tool as allowing developers to write a query for all variants of a security vulnerability and then share the query with others so they can look for the same issues in their own code.

Code scanning is free for public repositories and available as an add-on as part of GitHub Advanced Security for GitHub Enterprise Server and GitHub Enterprise Cloud, Hutchings says. Its unique proposition is in shifting security left, or earlier, in the security development life cycle. “It allows enterprise security teams to scan every commit made to their applications and to provide feedback automatically during code review,” Hutchings says.

Such feedback can help developers address issues faster. In the last 30 days of GitHub’s beta, developers and maintainers using the platform fixed 72% of the security issues they identified in their code, he says. “We were extremely pleased to see this direct positive impact … given industry data shows that less than 30% of all flaws are fixed one month after discovery.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

The post GitHub Tool Spots Security Vulnerabilities in Code appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/github-tool-spots-security-vulnerabilities-in-code/?utm_source=rss&utm_medium=rss&utm_campaign=github-tool-spots-security-vulnerabilities-in-code

Cloud Misconfiguration Mishaps Businesses Must Watch

Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.

IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.

Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.

“You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because they’re moving so quickly … that’s led to several compromises,” explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as the threats that could put them at risk and high-priority security functionality, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in GitHub, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.

“Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack,” Reavis continues. Configuration management can help prevent these threats.

IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are here to stay. As a result, they should consider how to better strengthen their cloud security.

“A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud,” Reavis says.

When dealing with products like infrastructure-as-a-service, it’s incumbent on cloud consumers to understand they’re given a blank slate. It’s on them to worry about encryption, identity management, and other parts of their cloud environments.

[Check out Jim Reavis’ upcoming talk, “Practical Solutions for Securing Your Cloud Services,” on Oct. 5 during the Cybersecurity Crash Course at next week’s Interop Digital]

Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data they’re looking for.

“The blast radius of these is devastation,” he says. “You can have a very small crack in your defenses, and if it’s cloud misconfiguration-related, that can mean in five minutes all your data is gone.”

Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.

“I guarantee you mistakes have been made because it’s just too hard to not,” he says.

A common mistake is placing too much trust in the “block public access” feature for AWS S3 buckets. Many people think when they turn this feature on, they’re protected from attackers. But while it’s a good step to take, it’s “vastly incomplete,” Stella says. An organization can have an exception to “block public access” that could expose its private information to the Internet.

Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazon’s Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldn’t necessarily have.

Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.

“These are extremely dangerous things to leave on because hackers’ first, and often most difficult, job is discovery,” Stella explains. “If you give them a map to your safe, that’s a bad idea. They can probably break into your safe.” Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure they’re running, he says.
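Two of the checks Stella describes, applied to constructed policy documents, as an added Python example that is not from the article or from any AWS or Fugue tool: it flags “big chunk” wildcard grants and list/describe discovery rights in an IAM policy, and unconditional allow-to-anyone statements in a bucket policy, the kind of statement that exposes a bucket once “block public access” is turned off or excepted for it. The DISCOVERY_ACTIONS list is this example’s own short heuristic, not an AWS-published list.

```python
"""Audit helpers for the cloud misconfigurations discussed above.

Added example, not from the article or from any AWS/Fugue tool. The policy
documents are constructed, and DISCOVERY_ACTIONS is this example's own short
heuristic list of "map your environment" permissions, not an official AWS list.
"""
import fnmatch

DISCOVERY_ACTIONS = [
    "ec2:Describe*", "ecs:List*", "ecs:Describe*", "eks:List*", "eks:Describe*",
    "s3:ListAllMyBuckets", "s3:ListBucket", "rds:Describe*", "iam:List*", "iam:Get*",
]


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _overlaps(granted, pattern):
    """True if a granted Action and a discovery pattern cover each other in
    either direction: 'ec2:*' covers 'ec2:Describe*', and 'ec2:DescribeInstances'
    falls under it. IAM action matching is case-insensitive, so compare lowercased."""
    g, p = granted.lower(), pattern.lower()
    return fnmatch.fnmatchcase(p, g) or fnmatch.fnmatchcase(g, p)


def audit_iam_policy(policy):
    """Findings for Allow statements: wildcard "big chunk" grants and discovery
    rights. Each finding is (statement_index, action, issue, severity)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        star_resource = "*" in _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                # A whole service (or everything): the "big chunk" the article describes.
                severity = "high" if star_resource else "medium"
                findings.append((idx, action, "wildcard-action", severity))
            elif any(_overlaps(action, d) for d in DISCOVERY_ACTIONS):
                # Read-only, but it is the map to the safe; ask whether this role needs it.
                findings.append((idx, action, "discovery-permission", "low"))
    return findings


def _anonymous(principal):
    """Principal '*' or {'AWS': '*'} means anyone, signed in or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_statements(bucket_policy):
    """Sids (or indexes) of unconditional Allow statements open to anyone.

    With block public access on, S3 blocks such a policy; with it off or
    excepted for this bucket, the statement is the crack the article warns about."""
    out = []
    for idx, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if (stmt.get("Effect") == "Allow" and _anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            out.append(stmt.get("Sid", str(idx)))
    return out


# Constructed sample: a role assembled by picking "big chunks" of permissions.
BIG_CHUNK_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::example-finance/*"},
    ],
}

# Constructed sample: a bucket policy that hands read access to the whole Internet.
PUBLIC_READ_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-app-assets/*"}],
}


if __name__ == "__main__":
    for idx, action, issue, severity in audit_iam_policy(BIG_CHUNK_ROLE):
        print(f"statement {idx}: {action:<22} {issue:<22} [{severity}]")
    for sid in public_statements(PUBLIC_READ_BUCKET):
        print(f"bucket policy statement {sid} grants access to anyone")
```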

In his upcoming Interop Digital talk, “Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security,” Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences.

“It’s really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things,” he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.

“What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because they’re there,” Stella adds. “You have to think that way.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

The post Cloud Misconfiguration Mishaps Businesses Must Watch appeared first on Malware Devil.



https://malwaredevil.com/2020/09/30/cloud-misconfiguration-mishaps-businesses-must-watch/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-misconfiguration-mishaps-businesses-must-watch

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...