Insider threats are redefined in 2021, the work-from-home trend will continue define the threat landscape and mobile endpoints become the attack vector of choice, according 2021 forecasts. Read More
OVAL is the Open Vulnerability Assessment Language, which uses XML based documents to define vulnerabilities based on characteristics of a host system. It can also be used to gather information about the host. When an OVAL file is evaluated, it generates a report file with the results of the vulnerability evaluation or a system characteristics file containing […]… Read More
Because of COVID, 2020 saw a major shift from working at the “office” to working at home which led to shift the attacks to the user @home. Everything points that 2020 was a year for ransomware and COVID-19 themed campaigns. Without exceptions, phishing emails have been the most prolific initial attack vector targeting organizations and home users. This will likely get worse and more disruptive this coming year.
Past 14 Days – My IP Threat Intel Activity
Every year there are prediction on what we should expect in the coming year and what to watch for. Instead, what can be done to secure the enterprise?
Implement multi-factor authentication
Extending security to a remote force
Review cloud security policies
Better protection for IoT
Must ensure backups are secure and cannot be reached to prevent attackers from finding and delete them
Equally important – regularly test backups to ensure the data can be recovered
Use and share Threat Intel to track suspicious activity [1][2]
Better network analytics and log collection [3][4][5]
Monitor host and network activity [3][4][5]
Better detection and prevention against phishing email attacks [10]
Review and test employees against security awareness program [11]
Apply system security update as soon as appropriate
Keep antivirus software current
Over the past year, one of the most difficult tasks has been how to detect and prevent being compromised by unmanaged devices. With a large population of employees working from a home office, some forced to use their personal devices, if compromised, have the potential of exploiting other systems in their home network as well as the enterprise connected network (i.e. VPN access to employer network). This challenge will continue for the forceable future.
Share your predictions for 2021, what is going to keep you up at night?
In this post, we will focus on the SUPERNOVA trojan, describing how this weaponized DLL was patched into Solarwinds SDLC (Software Development Life Cycle) post infiltration. Further, we will discuss anti evasion techniques employed by the APT actor.
The SUPERNOVA web shell implant is a trojanized copy of a legitimate ‘app_web_logoimagehandler.ashx.b6031896.dll’ library used by SolarWinds Orion web application.The purpose of the original DLL is to serve up a user-configured logo to web pages in the Orion web application. Let’s visually illustrate this benign functionality that serves a legitimate workflow in the Orion web application
Normal functionality of benign, unaltered DLL (app_web_logoimagehandler)
Web form of Orion with Logo rebranding workflowThe original ProcessRequest()
This module is purposed to return the logo image (white label based rebranding feature) configured by the user to various web pages of the SolarWinds Orion web application.
This is done through the ProcessRequest() method of the LogoImageHandler class.
Altered app_web_logoimagehandler DLL with backdoor to C2 server
Trojanized workflow during rebrandingTrojanized ProcessRequest that accepts the attacker controlled input
The DynamicRun() method is heart of the SUPERNOVA webshell.
This method accepts
C# source code blob,
the class to instantiate,
the associated method to invoke,
and the method’s arguments.
These parameters will be used to compile and execute an in-memory .NET assembly sent by the attacker over HTTP channel and after invoking successfully the response is packaged and returned to the attacker.
This functionality allows the attackers to compile and execute .NET payloads as and when needed, within the context of SolarWinds Orion Web Application. This mechanism does not leverage any exploit, but simply abuses weaponizes a fundamental .NET feature called MetaProgramming. This is powerful, as it allows the malware to execute robust compiled code on the fly, without dropping any additional files to the file system or running any obvious commands being monitored over the wire.
Hacking the SDLC to weaponize C# MetaProgramming
Writing new programs at runtime and manipulating programs at runtime aren’t mutually exclusive concepts.The classic definition for a metaprogram is “a computer program that writes new computer programs.” This sounds a lot like the definition of a compiler. A compiler for a programming language like C# could be thought of as the ultimate metaprogram, because its only job is to produce other programs from source code.
These classes are thin wrappers around the native compilers csc.exe, vbc.exe and jsc.exe. Since theses compilers operate on files on the file system, the wrapper classes need to save the source files into temporary files to be able to pass them to the compilers.
Likewise, the compiled assemblies are (temporarily) saved to disk and then loaded by the wrappers. Because of that, true in-memory assembly generation is not possible with these classes. Also, these classes need full-trust permissions. The compiler option can be set with the class CompilerParameters. Among others, there is a property called GenerateInMemory. If this is set to true, the compiled assemblies get deleted after being loaded into memory. Using this setting, an in-memory generation can be mimicked. On the other hand, assemblies that are loaded into memory but deleted from disk cannot be referenced by newer compilations. So if for instance different assemblies must be generated that reference each other, the property GenerateInMemory must be set to false.
Examples of compiling metaprograms based on CodeDom (predates Roslyn) and Roslyn are presented here
Not the same actor as #SUNBURST (UNC2452) as trojanized DLL is not digitally signed
The try { … } catch(Exception) { } block sinkholes any exception generated leading to no log being created which further on does not trigger rules. How did this change request pass simple code review?
GenerateInMemory is set to true leading to source code blob not leave any traces of persisting source files to disk prior to passing them of to the compiler
The APT (advanced persistent threat) actor possibly infiltrated the SDLC process of SolarWinds Orion in order to study version compatibility as well (needed some formal knowledge to understand whether he/she should use aCodeDomorRoslynbased meta program — refer section above)
Using Code Property graph to detect webshell/backdoor patterns
What is Code Property Graph uniquely position to detect complex backdoor patterns?
The code property graph is a concept based on a simple observation: there are many different graph representations of code (abstract syntax tree, control flow graph and data flow graph), and patterns in code can often be expressed as patterns in these graphs. While these graph representations all represent the same code, some properties may be easier to express in one representation over another. So, why not merge representations to gain their joint power, and, while we are at it, express the resulting representation as a property graph, the native storage format of graph databases, enabling us to express patterns via graph-database queries.
Creating policy using NGSAST to detect SUPERNOVA
Autodetect SOURCE (EntryPoints) — functions that are public and accept HTTPContext from external calls (via API/Web from)
Search graph for empty catch block associated with a try block and get encapsulating block to determine if it contains any SINKS from (2)
Determine taint reachability from SOURCE to SINK that passes through compiler assembly function(s)
I use Address space layout randomization (ASLR) as an exploit protection technique, so am I immune to web-shells based backdoors?
Address Space Layout Randomization (ASLR) is a computer security technique which involves randomly positioning the base address of an executable and the position of libraries, heap, and stack, in a process’s address space. The random mixing of memory addresses performed by ASLR means that an attack no longer knows at what address the required code (such as functions or ROP gadgets) is actually located. That way, rather than removing vulnerabilities from the system, ASLR attempts to make it more challenging to exploit existing vulnerabilities..
ASLR was introduced in Windows Vista and is in all newer versions. To make use of it, the executable needs to be compiled with /DYNAMICBASE option as well. OS based DLLs have it by default.
ASLR is not supported when the executable or DLLs are not built with ASLR support. Although Windows 8 and Windows 10 try to overcome this limitation (e.g., force ASLR in Windows 8), there are still exceptions that many times render the ASLR protection ineffective. Older version of Windows and legacy programs are particularly prone to this limitation. In addition, ASLR on 32-bit systems suffers from low entropy, making it vulnerable to brute force and similar attacks.
ASLR aims to prevent an attack from reliably reaching its target memory address. ASLR does not focus on trapping the attack, rather on making the attack unlikely to work. Once the shellcode jumps to the wrong address during the exploit (due to the memory randomization), the program behavior is undefined. The process might receive an exception, crash, get stuck or simply continue with inconsistent behavior as a result.
ASLR does not give any alerts about attack attempts. When a vulnerability is exploited and fails (due to ASLR’s memory randomization), no alert or attack indication is received. Essentially ASLR doesn’t ‘know’ when an attack happened.
Forensic information about an attack, exploitation and shellcode is crucial for any serious forensic investigation. Exploited processes, memory dumps and call stacks can be used to identify, fingerprint and tag exploits. ASLR cannot provide this information because it doesn’t actually know if an attack happens or at which point it was stopped.
Since Address Space Layout Randomization was introduced in Windows OS, it has been bypassed many times by real-world exploits and attacks. Attackers continuously develop new techniques to defeat ASLR defense. Bypass techniques include
using ROP chain in non-ASLR modules (e.g., CVE 2013–1347),
JIT/NOP spraying (e.g., CVE-2013–3346),
as well as memory disclosure vulnerabilities and other techniques (e.g., CVE-2015–1685, CVE-2015–2449, CVE-2013–2556, CVE-2013–0640, CVE-2013–0634).
Deborah Blyth is Colorado’s Chief Information Security Officer (CISO), with over 25 years technology background and 15 years leading information security programs. As the CISO, she serves as the point of contact for all information security initiatives in Colorado, informing the state Chief Information Officer and executive agency leadership on security risks and impacts of..
Ticketmaster has agreed to pay a $10 million fine after being charged with illegally accessing computer systems of a competitor repeatedly between 2013 and 2015 in an attempt to “cut [the company] off at the knees.”
A subsidiary of Live Nation, the California-based ticket sales and distribution company used the stolen information to gain an advantage over CrowdSurge — which merged with Songkick in 2015 and later acquired by Warner Music Group (WMG) in 2017 — by hiring a former employee to break into its tools and gain insight into the firm’s operations.
“Ticketmaster employees repeatedly – and illegally – accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” said Acting U.S. Attorney Seth DuCharme.
“Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers, as if that were an appropriate business tactic.”
The allegations were first reported in 2017 after CrowdSurge sued Live Nation for antitrust violations, accusing Ticketmaster of accessing confidential business plans, contracts, client lists, and credentials of CrowdSurge tools.
According to court documents released on December 30, after being hired by Live Nation in 2013, Stephen Mead, who was CrowdSurge’s general manager of U.S. operations, shared with Zeeshan Zaidi, the former head of Ticketmaster’s artist services division, and another Ticketmaster employee the passwords to Artist Toolbox, an app that provided real-time data about tickets sold through the victim company.
Besides password theft, Mead is also accused of providing “internal and confidential financial documents” retained from his former employer, as well as URLs for draft ticketing web pages so as to learn which artists planned to use CrowdSurge to sell tickets and “dissuade” them from doing so.
On October 18, 2019, Zaidi pled guilty in a related case to conspiring to commit computer intrusions and wire fraud for his participation in the scheme, stating, “we’re not supposed to tip anyone off that we have this view into [the victim company’s] activities.”
An unnamed Ticketmaster executive said in an internal email the goal was to “choke off” and “steal” its signature clients by winning back the presale ticketing business for a second major artist that was a client of CrowdSurge.
Both Mead and Zaidi are no longer employed by Ticketmaster.
Ticketmaster previously settled a lawsuit brought by Songkick in 2018 by agreeing to pay the company’s owners $110 million and acquire its remaining intellectual property not sold to WMG for an undisclosed amount.
Besides paying the $10 million penalties, Ticketmaster is expected to maintain a compliance and ethics program to detect and prevent such unauthorized acquisition of confidential information belonging to its rivals.
The company will also be required to make an annual report to the U.S. Attorney’s Office over the next three years to ensure compliance.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded, undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.
The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 present in a wide-range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.
EYE researcher Niels Teusink reported the vulnerability to Zyxel on November 29, following which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.
According to the advisory published by Zyxel, the undocumented account (“zyfwp”) comes with an unchangeable password (“PrOw!aN_fXp“) that’s not only stored in plaintext but could also be used by a malicious third-party to login to the SSH server or web interface with admin privileges.
Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.
Noting that around 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the flaw’s relative ease of exploitation makes it a critical vulnerability.
“As the ‘zyfwp‘ user has admin privileges, this is a serious vulnerability,” Teusink said in a write-up. “An attacker could completely compromise the confidentiality, integrity and availability of the device.”
“Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”
The Taiwanese company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 that’s set to be released in April 2021.
It’s highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. Happy Reading!
If you make extensive use of Google’s products, you almost certainly noticed the worldwide outage of Google’s services.
As details continue to emerge about the outage, it’s increasingly clear that Google has some egg on its face and that the outage was an entirely self-inflicted wound.
The failure was ultimately caused by the company’s Identity Management System, which failed after a bug limited the amount of storage space available to it. As a result of that failure, users around the world suddenly found themselves unable to access their Google Drives, YouTube accounts, Gmail, Google Calendar, and more. Even Google Maps was offline for a time. Google responded quickly and efficiently and limited the outage to a bit less than an hour.
Once the issue had been resolved, the company tweeted out the following from their Google Cloud Account:
“Today, at 3.47AM PT Google experienced an authentication system outage for approximately 45 minutes due to an internal storage quota issue. This was resolved at 4:32AM PT, and all services are now restored.”
Later, on the Google Cloud’s status page, the posted the following update and clarification:
“Google Cloud Platform and Google Workspace experienced a global outage affecting all services which require Google account authentication for a duration of 50 minutes. The root cause was an issue in our automated quota management system which reduced capacity for Google’s central identity management system, causing it to return errors globally. As a result, we couldn’t verify that user requests were authenticated and served errors to our users.”
In a nutshell, Google experienced, on a global scale, what you’ll run into on your desktop PC if you run out of hard drive space. Suddenly, the various applications you’re running start to crash.
In any event, the problem is now solved, and in addition to wiping the egg off their collective faces, Google has taken steps to ensure that they don’t find themselves in a similar circumstance in the future.
Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.
The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 present in wide-range of Zyxel devices, including Unified Security Gateway (USG), USG FLEX, ATP, and VPN firewall products.
EYE researcher Niels Teusink reported the vulnerability to Zyxel on November 29, following which the company released a firmware patch (ZLD V4.60 Patch1) on December 18.
According to the advisory published by Zyxel, the undocumented account (“zyfwp”) comes with an unchangeable password (“PrOw!aN_fXp“) that’s not only stored in plaintext but could also be used by a malicious third-party to login to the SSH server or web interface with admin privileges.
Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.
Noting that around 10% of 1000 devices in the Netherlands run the affected firmware version, Teusink said the flaw’s relative ease of exploitation makes it a critical vulnerability.
“As the ‘zyfwp‘ user has admin privileges, this is a serious vulnerability,” Teusink said in a write-up. “An attacker could completely compromise the confidentiality, integrity and availability of the device.”
“Someone could for example change firewall settings to allow or block certain traffic. They could also intercept traffic or create VPN accounts to gain access to the network behind the device. Combined with a vulnerability like Zerologon this could be devastating to small and medium businesses.”
The Taiwanese company is also expected to address the issue in its access point (AP) controllers with a V6.10 Patch1 that’s set to be released in April 2021.
It’s highly recommended that users install the necessary firmware updates to mitigate the risk associated with the flaw.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Researchers on the Global Research and Analysis Team (GReAT) at Kaspersky Lab have recently discovered a new malware strain dubbed PyMICROPSIA, currently being used by a group tracked as AridViper.
AridViper operates primarily in the Middle East, focusing mainly on Palestine, Egypt, and Turkey. Their malware was designed specifically to attack Windows-based machines.
The group hasn’t been terribly active, having compromised a relatively modest 3,000 or so machines since they appeared on Kaspersky’s radar in 2015. That, however, may be changing.
Recent samples of the code reveal that AridViper is continuing to develop their info-stealing malware. They’re arming it with new capabilities and expanding their reach by building in architecture that will allow them to begin attacking machines running both Linux and MacOS.
In terms of new capabilities, AridViper seems to be pulling out all the stops. Not all of these have been activated yet, but hooks are now in the code to build out additional functions.
The Other Functions Include:
File uploading
Payload download and execution
Screen captures
File compression for easier exfiltration
Collection of process information which would allow killing system processes
File deletion
Automatic reboot
Disabling Outlook processes
Creating, deleting, compressing and exfiltrating files and folders
Collecting information from USB drives
Audio recording
And more
All this, in addition to the malware’s current info-stealing capabilities, which include the ability to steal credentials from browsers, clearing browser histories, keylogging and the like.
All that to say, if AridViper completes development on all the functionalities listed above and builds out the capability to deploy their malware against Linux and MacOS machines, it will be a dangerous strain indeed.
If you have business dealings in the Middle East, you may have already run afoul of this particular strain. Even if you don’t, this is clearly one to watch for as AridViper seems intent on flexing its muscles in the months ahead.
This year, for my diary entries with malware analysis, I will check each time if a malware sample can be analyzed with the strings command (or a variant). And if it does, I’ll write-up a second analysis with the strings command.
Although most malware samples don’t contain clear text strings, I regularly encounter samples that do.
I hope this will make malware analysis more accessible to a larger audience.
Best wishes for the new year to you and your family from all of us at the SANS Internet Storm Center!
There has been a 600 percent increase in mobile SMS phishing attacks (also known as SMiShing) in 2020, and there is no end in sight. We’ve seen creative scammers use AI to send text messages with fake tracking codes and delivery preference updates that look like they’re coming from FedEx, the U.S. Postal Service, and […]
A suspected nation-state sophisticated cyber-attack of SolarWinds which led to the distribution of a tainted version the SolarWinds Orion network monitoring tool, compromising their customers, dominated the cyber headlines in mid-December 2020. This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview
Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain ‘The Hospital Group’, and threatening to publish patient’s ‘before and after’ photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK’s Information Commissioner’s Office about their loss of personal data.
If you make extensive use of Google’s products, you almost certainly noticed the worldwide outage of Google’s services.
Researchers on the Global Research and Analysis Team (GReAT) at Kaspersky Lab have recently discovered a new malware strain dubbed PyMICROPSIA, currently being used by a group tracked as AridViper.
