Malware Devil

Wednesday, May 5, 2021

Not the Final Answer on NDR in the Cloud …

Back in my analyst years, I rather liked the concept of NDR, or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on NSM and tcpdump well before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.

As we discussed during this recent webinar, this is not about competing with endpoint, or endlessly arguing about which security telemetry is “better.” This is about reminding security leaders and technologists that network telemetry matters today! Not only in the 1980s (when tcpdump was born), 1990s, 2000s and 2010s, but today, in the 2020s.

To summarize, network security monitoring still matters because you can monitor unmanaged devices (BYOD, IoT, ICS, etc.), detect threats with no agents, offer broad coverage from a few points, and be out of band (go and see my old Gartner paper for details).

Still, I see a few common misconceptions (more details here in this webinar) about network security telemetry data. I wanted to cover a few and then focus on ONE, in particular.

You cannot monitor encrypted data: as I discussed here, encryption certainly saps some of the value of network security monitoring, but it does not destroy it. Both layer 3 (flow) and layer 7 (rich metadata) observation have value for encrypted traffic, whereas full packet capture perhaps does not.
Network monitoring is only an auxiliary control, you need endpoint first: Well, OK, maybe, but so what? You may need an endpoint first; I’ve seen enough environments where that is the truth. The point is that you need an endpoint first, but then you need NDR to cover the gaps, unmanaged devices, etc.
“PCAP or it didn’t happen”: many years ago, before we had Bro/Zeek and the choices were “flow or pcap”, this may have been true. But you know what? In 2021, you are not saving full packet captures for weeks or months. Perhaps we have to change the slogan to “Zeek decodes or it didn’t happen”?
Network traffic is too expensive to capture: this is not a misconception at all, if you see full packet capture as the way to go. It would be prohibitively expensive in most modern environments. However, you can get a lot of value from rich L7 metadata, and this is much less expensive (but also more useful than mere flows).
Network data is not helpful in the cloud: while comparatively fewer people capture and monitor traffic in the cloud, interest in doing so is growing rapidly. This is also discussed in depth below.

Let’s now drill down into the last point:

Why do some people think that NDR in the cloud is an anti-pattern (I prefer the term “worst practice” instead)?

In the cloud everything is locked down and immutable, what’s the point of traffic capturing? — Sure, but is it really? In theory it should be, but is it in your cloud?
Everything is encrypted, so what’s there to sniff? — We already addressed this above, in general, for both cloud and on-premise. NDR has value for encrypted networks.
Cloud logs and this new fancy observability stuff provide visibility, why sniff traffic? — Well, are these logs complete and available, and can they be leveraged for security value? Sometimes the answer is “yes”…
I can do flow logs in the cloud, I don’t need “costly” packets. — Same as on-premise: flow logs may not do the trick for the threat detection needs you have.
Applications are dynamic and everything changes, so captures become useless over time. — This just means that an NDR vendor needs to work harder, not that NDR is not useful.

Go and see this webinar for additional discussion.

On the other hand, I’d like to say that NDR fits well with the public cloud today.

Your main on-premise tool — EDR — may not be available at all (containers, etc.).
Some cloud architectures do use what on-premise would be called a flat network, hence NDR is very useful for East/West visibility.
Cloud API logs are not exhaustive, but they are voluminous, often have inconsistent schemas, and are sometimes not designed for security use cases.
In-app observability for security is not common yet, even if it is coming.

Thus, NDR lives on in the cloud!

Now, if you live mostly in SaaS applications, the NDR approach may not be a fit, but I have not seen many large organizations with no IT whatsoever, just SaaS management (I bet they do exist, but they are not common).

For everybody else, in the cloud or not, NDR works. This applies to both virtual machine environments and modern cloud environments, even if not equally …

Not the Final Answer on NDR in the Cloud … was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Not the Final Answer on NDR in the Cloud … appeared first on Security Boulevard.

The post Not the Final Answer on NDR in the Cloud … appeared first on Malware Devil.



https://malwaredevil.com/2021/05/05/not-the-final-answer-on-ndr-in-the-cloud/?utm_source=rss&utm_medium=rss&utm_campaign=not-the-final-answer-on-ndr-in-the-cloud

The Rise of the Cyborg: Arkose Labs’ Q2 2021 Fraud Report Shows Increase in Human-Bot Hybrid Attacks

Data from the Arkose Labs Global Network shows that humans are being deployed along with automation at much greater frequency in order to carry out human-bot hybrid attacks. Fraudsters are continuously innovating and targeting new avenues with increased sophistication, which means businesses must be more vigilant than ever before in their fight against fraud The […]

The post The Rise of the Cyborg: Arkose Labs’ Q2 2021 Fraud Report Shows Increase in Human-Bot Hybrid Attacks appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/the-rise-of-the-cyborg-arkose-labs-q2-2021-fraud-report-shows-increase-in-human-bot-hybrid-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=the-rise-of-the-cyborg-arkose-labs-q2-2021-fraud-report-shows-increase-in-human-bot-hybrid-attacks

Social Media Apps like LinkedIn Have Become Tools for Human Hacking

Hackers no longer rely solely on email when trying to infiltrate your organization. Social media, including LinkedIn, has become the new preferred method of attack for these criminals. This year, Google’s Threat Analysis Group (TAG) discovered a large-scale cyberattack that originated out of North Korea. The cyberattack utilized fake blogs, fake email accounts, and even […]

The post Social Media Apps like LinkedIn Have Become Tools for Human Hacking first appeared on SlashNext.

The post Social Media Apps like LinkedIn Have Become Tools for Human Hacking appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/social-media-apps-like-linkedin-have-become-tools-for-human-hacking/?utm_source=rss&utm_medium=rss&utm_campaign=social-media-apps-like-linkedin-have-become-tools-for-human-hacking

How I Hacked Your Website and You Didn’t Even Know

Join us at RSA

The post How I Hacked Your Website and You Didn’t Even Know appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/how-i-hacked-your-website-and-you-didnt-even-know/?utm_source=rss&utm_medium=rss&utm_campaign=how-i-hacked-your-website-and-you-didnt-even-know

World Password Day 2021 | Avast

World Password day is the perfect day to make sure you’re up to date on good password practices.

The post World Password Day 2021 | Avast appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/world-password-day-2021-avast/?utm_source=rss&utm_medium=rss&utm_campaign=world-password-day-2021-avast

Protecting Industrial Control Systems Against Cyberattacks – Part 2

Industrial Control Systems (ICS) are the foundation that support numerous industries around the world. They form the backbone of industrialized society, including energy and power grids, food and beverage plants, oil and gas refineries, recycling plants, transportation systems, water treatment plants, manufacturing facilities and many more.

Critical infrastructures are so much a part of daily life that we rely on them every single day without giving them a second thought. Until they are suddenly interrupted.

The many types of ICS include complex networks of instrumentation and technology used in industrial production plants. The most common type of ICS is a SCADA (supervisory control and data acquisition) system, followed by DCS (distributed control system). Other, smaller control systems exist as well.

SCADA systems manage operations equipment, devices, networks, and controls that operate and automate the industrial processes. Commands from the SCADA or DCS systems are distributed through remote stations to field devices. Each ICS environment functions somewhat differently depending on its industry. All are built to carry out complex tasks efficiently in their individual fields.

Types of Critical Infrastructure 

Critical infrastructures can be categorized in the following sectors:

Chemical

Commercial Facilities

Communications

Critical Manufacturing

Dams

Defense Industrial Base

Emergency Services

Energy

Financial Services

Food and Agriculture

Government Facilities

Healthcare and Public Health

Information Technology

Nuclear Reactors, Material, and Waste

Transportation Systems

Water and Wastewater Systems

A single compromise to these systems can result in devastating physical, financial and environmental damage, impacting thousands and amounting to millions in losses.

Threats to Critical Infrastructure in the United States

Sophisticated hackers, including nation states, are targeting critical civilian infrastructure. They use advanced techniques to bypass conventional security systems. Most have been dangerous because attackers were able to take direct control over facilities. Such control is possible through power station switches and circuit breakers or leveraging industrial communication protocols used worldwide in power infrastructure, transportation control systems, water and gas delivery, and more.

In Verizon’s 2020 Data Breach Investigations Report (DBIR), 4,000 data breaches out of 32,000 incidents impacted critical infrastructure.

In the energy sector, at the start of 2020, the United States had 22,731 electric generators at 10,346 electric power plants. In the nuclear sector, ninety-six functional commercial nuclear reactors at 58 nuclear plants were operating in 29 states. Four hundred forty (440) power reactors are stationed around the world, with 55 under construction and 109 more being planned.

The Department of Homeland Security (DHS) has already discovered that Russia has broken into US power grids. Claiming hundreds of victims, Russian attackers began their attacks on the US utilities by targeting key vendors working with industrial control facilities. The hackers said their intent was to learn how the ICS worked. But the DHS confirmed they knew more. They had enough access and information to throw switches and disrupt service.

Recent Attack in Florida Shows Just How Bad an ICS Attack Could Be

Severe attacks have already occurred on many ICS systems around the globe. Then some time goes by without a big headline and for various reasons – a shortage of resources, time, budget, operational feasibility – nothing changes. But no one can afford inertia, as February 5, 2021, reminded us. The Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida was invaded by hackers two times in one day on Super Bowl Sunday. The attacks came at 8:00 am and 1:30 pm.

The water plant runs on Windows 7, which hasn’t had an update or support in over a year. The FBI issued a warning about upgrading systems to supported operating systems. After the attack, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and others put out an alert saying, “Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system.”

They have made previous warnings as well. But changing from Windows 7 could be too significant an undertaking for these kinds of plants to tackle any time soon. This is a common situation for critical infrastructures still relying on outdated software.

The water plant also had a dormant TeamViewer remote desktop application, which allows desktop sharing and remote access, on its system. The TeamViewer app has a vulnerability identified as CVE-2019-18196. While the app wasn’t actively being used by the water plant, it provided the perfect access door for the attackers to get inside.

Hackers Changed Settings to Drastically Increase Levels of Lye in Public Drinking Water

The bad actors gained the ability to change critical settings of the water treatment plant. The first login at 8:00am may have been a test effort. At 1:30pm they logged in remotely again and after 3-5 minutes, they opened several functions within the systems.

One of those functions was a control where they raised the amount of sodium hydroxide (lye) in the water from an acceptable level (100 ppm) to a harmful level (11,100 ppm). In low quantities, it controls water acidity and removes unwanted metals from drinking water in treatment plants. In high quantities, this substance is used as a lethal drain cleaner and is nowhere near a safe level for drinking water. The hacker raised the amount from 100 parts per million to 11,100, a toxic amount.

No one knows why the attackers chose the times of day they did. They might just as easily have made this change in the middle of the night when no one would have witnessed it. But this time, guardian angels in Florida were on duty. It was pure coincidence that a plant manager saw the hacker’s actions playing out in real-time onscreen by noticing the mouse cursor moving.

As soon as the hackers finished their deadly task, the manager immediately reversed the dangerous settings. One can’t overstate the good fortune of that timing. Due to an automated delay of 24-36 hours before any change in settings would take effect, the public was fortunately not endangered.

This time, Florida residents were spared a disaster. But this kind of takeover is every hacker’s objective. They had achieved full control of the most dangerous settings in the water plant. Luckily, no one was harmed, but disaster was only narrowly avoided by a chance intervention.
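The change described above, from an acceptable 100 ppm to 11,100 ppm, is exactly the kind of event an automated interlock can hold and alarm on, without waiting for an operator to notice a moving cursor. The following is an added example and not code from the article, the plant or any HMI vendor; the audit-event fields, the “remote” session flag, the engineering limits and the timestamps are assumptions, and the two audit events are constructed.

```python
"""Independent setpoint-change guard for a water-treatment HMI audit trail.

Added example, not code from the article, the plant, or any vendor: it holds
any change that leaves the engineering envelope at its previous value and
raises alarms, so a 100 -> 11,100 ppm lye change never reaches the process.
The audit-event fields, the 'remote' session flag and the limits are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ChangeEvent:
    ts_utc: str      # constructed ISO-8601 timestamp
    tag: str         # process tag being changed
    old: float       # value before the change
    new: float       # value requested by the HMI user
    user: str        # account that made the change
    session: str     # "console" or "remote" (assumed audit-trail field)


@dataclass
class Decision:
    event: ChangeEvent
    applied: float                      # value the process actually receives
    alarms: list[str] = field(default_factory=list)


# Assumed engineering limits per tag: (minimum, maximum, largest step per change).
LIMITS = {"NaOH_dose_ppm": (0.0, 150.0, 25.0)}


def evaluate(ev: ChangeEvent) -> Decision:
    """Hold a change outside the envelope at the old value and list the reasons;
    a safe change passes through unchanged with no alarms."""
    lo, hi, max_step = LIMITS[ev.tag]
    alarms: list[str] = []
    if not lo <= ev.new <= hi:
        alarms.append(f"{ev.tag}: {ev.new} outside [{lo}, {hi}]")
    if abs(ev.new - ev.old) > max_step:
        alarms.append(f"{ev.tag}: step {ev.old}->{ev.new} exceeds {max_step}")
    # An unsafe change arriving over remote access is the Oldsmar pattern:
    # escalate it as its own alarm so the session gets investigated, not just the value.
    if alarms and ev.session == "remote":
        alarms.append(f"{ev.tag}: unsafe change came over a remote session ({ev.user})")
    applied = ev.old if alarms else ev.new
    return Decision(ev, applied, alarms)


def run(events: list[ChangeEvent]) -> list[Decision]:
    """Evaluate an audit trail in order and return one decision per event."""
    return [evaluate(e) for e in events]


# Constructed audit trail: a routine console adjustment, then the
# 100 -> 11,100 ppm change the article describes, made over remote access.
SAMPLE_EVENTS = [
    ChangeEvent("2021-02-05T13:02:00Z", "NaOH_dose_ppm", 100.0, 105.0, "op.day", "console"),
    ChangeEvent("2021-02-05T18:33:00Z", "NaOH_dose_ppm", 105.0, 11100.0, "supervisor", "remote"),
]

if __name__ == "__main__":
    for d in run(SAMPLE_EVENTS):
        status = "HELD" if d.alarms else "applied"
        print(f"{d.event.ts_utc} {d.event.tag} {d.event.old}->{d.event.new}: "
              f"{status} (process value {d.applied})")
        for a in d.alarms:
            print("  ALARM:", a)
```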

Florida Water Attack Details – Tactics Included Phishing, Credential Stealing, DLL Injection

The hackers carried out the attack using several different tactics. Using phishing and keylogging, the attackers captured the login credentials of a supervisor.

The CVE-2019-18196 vulnerability allows a DLL injection to be side-loaded into the system. They extracted the passwords to access the SCADA HMI and SCADA web interface to take control of the most critical systems. Once logged into the victim’s machine, the attackers could connect to the TeamViewer application, which also connected directly to the SCADA system.

For more step-by-step details on how this attack unfolded, please watch our webinar Analysis of the Florida Water Utility Cyberattack. Stay tuned to our blog for the next installment in this series.

Additional Learning

Blog: Protecting Industrial Control Systems Against Cyberattacks – Part 1

Webinar: Analysis of the Florida Water Utility Cyberattack

Webinar: Florida Water Utility Attack Demonstration

Webinar: Leave No Apps Behind: Protecting Legacy Applications

White paper: Taxonomy of The Attack on SolarWinds and Its Supply Chain

The post Protecting Industrial Control Systems Against Cyberattacks – Part 2 appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/protecting-industrial-control-systems-against-cyberattacks-part-2/?utm_source=rss&utm_medium=rss&utm_campaign=protecting-industrial-control-systems-against-cyberattacks-part-2

ESB-2021.1526 – [Appliance] Delta Electronics CNCSoft ScreenEditor: Multiple vulnerabilities

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1526
Advisory (icsa-21-124-02) Delta Electronics CNCSoft ScreenEditor
5 May 2021

===========================================================================

AusCERT Security Bulletin Summary
———————————

Product: Delta Electronics CNCSoft ScreenEditor
Publisher: ICS-CERT
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands — Existing Account
Denial of Service — Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-22672

Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-21-124-02

– ————————–BEGIN INCLUDED TEXT——————–

ICS Advisory (ICSA-21-124-02)

Delta Electronics CNCSoft ScreenEditor

Original release date: May 04, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
“as is” for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .

1. EXECUTIVE SUMMARY

o CVSS v3 7.8
o ATTENTION: Exploitable remotely/low attack complexity
o Vendor: Delta Electronics
o Equipment: CNCSoft ScreenEditor
o Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could crash the device, and an
out-of-bounds write may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of CNCSoft ScreenEditor, a software management platform,
are affected:

o CNCSoft ScreenEditor versions prior to v1.01.28

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability exists and could cause the corruption of
data, a denial-of-service condition, or allow code execution. The vulnerability
may allow an attacker to remotely execute arbitrary code.

CVE-2021-22672 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Kimiya, working with Trend Micro’s Zero Day Initiative, reported this
vulnerability to CISA.

4. MITIGATIONS

Delta Electronics has released an updated version of CNCSoft ScreenEditor and
recommends users install update v1.01.30 on all affected systems.

Delta Electronics also recommends users restrict the interaction of the
application to trusted files.

CISA recommends users take the following measures to protect themselves from
social engineering attacks:

o Do not click web links or open unsolicited attachments in email messages.
o Refer to Recognizing and Avoiding Email Scams for more information on
avoiding email scams.
o Refer to Avoiding Social Engineering and Phishing Attacks for more
information on social engineering attacks.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov . Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target this vulnerability.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

– ————————–END INCLUDED TEXT——————–

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

https://malwaredevil.com/2021/05/05/esb-2021-1526-appliance-delta-electronics-cncsoft-screeneditor-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1526-appliance-delta-electronics-cncsoft-screeneditor-multiple-vulnerabilities

This Day in History 1970: Ohio National Guard Kills Kent State University Students

On this day in 1970 four students were killed during an assault on Kent State University campus by Ohio National Guard carrying M1 rifles with bayonets attached: …three shot in the chest and one in the head… with some injured by bayonets… Allison Krause, Jeffrey Miller, Sandra Scheuer, William Schroeder. In total over a dozen …

The post This Day in History 1970: Ohio National Guard Kills Kent State University Students appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/this-day-in-history-1970-ohio-national-guard-kills-kent-state-university-students/?utm_source=rss&utm_medium=rss&utm_campaign=this-day-in-history-1970-ohio-national-guard-kills-kent-state-university-students

Achieving CIP Compliance, NERC-Style

It’s often said that cybersecurity is hard. Anyone who has ever worked their way through the SANS Critical Controls, PCI-DSS or even something as deceptively minimalist as the OWASP Top 10 knows that success in achieving these security initiatives requires a time-consuming, diligent and often multi-team effort. Now imagine amplifying that responsibility over a power plant […]

The post Achieving CIP Compliance, NERC-Style appeared first on The State of Security.

The post Achieving CIP Compliance, NERC-Style appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/05/achieving-cip-compliance-nerc-style/?utm_source=rss&utm_medium=rss&utm_campaign=achieving-cip-compliance-nerc-style

ISC Stormcast For Wednesday, May 5th, 2021 https://isc.sans.edu/podcastdetail.html?id=7486, (Wed, May 5th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2021/05/05/isc-stormcast-for-wednesday-may-5th-2021-https-isc-sans-edu-podcastdetail-htmlid7486-wed-may-5th/?utm_source=rss&utm_medium=rss&utm_campaign=isc-stormcast-for-wednesday-may-5th-2021-https-isc-sans-edu-podcastdetail-htmlid7486-wed-may-5th

May 2021 Forensic Contest, (Wed, May 5th)

Introduction

Today’s diary is a forensic contest for May 2021 based on a packet capture (pcap) with Windows-based infection traffic.  Like last month, this month’s prize is a Raspberry Pi.  Rules for the contest follow:

Only one submission per person.
The first person to submit the correct answers will win the Raspberry Pi.
Submissions will be made using the form on our contact page at: https://isc.sans.edu/contact.html
Use May 2021 Forensic Contest for the Subject: line.
Provide the following information:

IP address of the infected Windows computer.
Host name of the infected Windows computer.
User account name on the infected Windows computer.
Date and time the infection activity began in UTC (the GMT or Zulu timezone).
The family of malware involved.

Material for our May 2021 forensic contest is located at this Github repository.  The repository contains a zip archive with a pcap of network traffic from the infected Windows host.  I always recommend people review pcaps of malware in a non-Windows environment, if possible.

The source of this infection was a malicious email.  Fortunately, an email provider’s spam filters usually catch the vast majority of malware before it hits someone’s inbox.  Unfortunately, due to the vast amount of spam, some malicious emails make it through to their intended victims.


Shown above:  A visual representation of email spam filtering on a daily basis.

Requirements

Analysis of the infection traffic requires Wireshark or some other pcap analysis tool.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That’s why I encourage people to customize Wireshark after installing it.  To help, I’ve written a series of tutorials.  The ones most helpful for this quiz are:

Wireshark Tutorial: Changing Your Column Display
Wireshark Tutorial: Identifying Hosts and Users
Wireshark Tutorial: Display Filter Expressions
Using Wireshark – Exporting Objects from a Pcap

I always recommend participants review these pcaps in a non-Windows environment like BSD, Linux, or macOS.  Why?  Because this pcap contains traffic with Windows-based malware.  If you’re using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

LAN segment range: 172.17.4.0/24 (172.17.4.0 through 172.17.4.255)
Domain: nutmeg-station.com
Domain Controller: 172.17.4.4 – NutmegCrazy-DC
LAN segment gateway: 172.17.4.1
LAN segment broadcast address: 172.17.4.255

Final Words

Again, the zip archive with a pcap of the infection traffic is available in this Github repository.  The winner of today’s contest and analysis of the infection traffic will be posted in an upcoming ISC diary two weeks from today on Wednesday May 19th.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://malwaredevil.com/2021/05/05/may-2021-forensic-contest-wed-may-5th/?utm_source=rss&utm_medium=rss&utm_campaign=may-2021-forensic-contest-wed-may-5th

Tuesday, May 4, 2021

The Security Digest: #59

Hello and welcome to TSD, your weekly blog post with top of mind security issues. TSD began as an internal newsletter that our Security Lead, …

The post The Security Digest: #59 appeared first on Cyral.

The post The Security Digest: #59 appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/04/the-security-digest-59/?utm_source=rss&utm_medium=rss&utm_campaign=the-security-digest-59

Inaccessible Entropy II: IE Functions and Universal One-Way Hashing

https://malwaredevil.com/2021/05/04/inaccessible-entropy-ii-ie-functions-and-universal-one-way-hashing/?utm_source=rss&utm_medium=rss&utm_campaign=inaccessible-entropy-ii-ie-functions-and-universal-one-way-hashing

Securing the Inter-Spacecraft Links: Physical Layer Key Generation from Doppler Frequency Shift

https://malwaredevil.com/2021/05/04/securing-the-inter-spacecraft-links-physical-layer-key-generation-from-doppler-frequency-shift/?utm_source=rss&utm_medium=rss&utm_campaign=securing-the-inter-spacecraft-links-physical-layer-key-generation-from-doppler-frequency-shift

The IronNet May Threat Intelligence Brief

We are happy to report that, following the Emotet takedown operation in January, law enforcement pushed an Emotet uninstaller module to infected systems that would automatically uninstall the malware on April 25, 2021. In addition, the FBI removed ProxyLogon web shells from U.S.-based Exchange servers without warning the servers’ owners in mid-April. While these kinds of malware removal operations by law enforcement are unprecedented, it is possible we will see more operations such as this in the future. You can hear more about these success stories in today’s threat intelligence webinar, now available on demand here.

The post The IronNet May Threat Intelligence Brief appeared first on Security Boulevard.

Read More

The post The IronNet May Threat Intelligence Brief appeared first on Malware Devil.



https://malwaredevil.com/2021/05/04/the-ironnet-may-threat-intelligence-brief-3/?utm_source=rss&utm_medium=rss&utm_campaign=the-ironnet-may-threat-intelligence-brief-3

[Valve] critical – Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games (7500.00USD)

Read More

The post [Valve] critical – Specially Crafted Closed Captions File can lead to Remote Code Execution in CS:GO and other Source Games (7500.00USD) appeared first on Malware Devil.



https://malwaredevil.com/2021/05/04/valve-critical-specially-crafted-closed-captions-file-can-lead-to-remote-code-execution-in-csgo-and-other-source-games-7500-00usd/?utm_source=rss&utm_medium=rss&utm_campaign=valve-critical-specially-crafted-closed-captions-file-can-lead-to-remote-code-execution-in-csgo-and-other-source-games-7500-00usd

Quick and dirty Python: masscan, (Tue, May 4th)

Those who know me are aware that I am a recovering shell programmer.  I have 35+ years of various shell scripts involving complicated code pipelines with grep, cut, sort, uniq, awk, input files, output files, redirects, pipes etc…cobbled together to get jobs done. None of it is elegant and little of it could be called pretty. The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable.

A simple example of this is the various scripts I have around as simple port scanners used to scan large swaths of IP address ranges for vulnerabilities. Since nmap is too slow for large numbers of IPs, my tool of choice for initial scanning of swaths of IPs and ports is the very speedy masscan.  masscan will find the open ports and then typically I will write the results to a file, manipulate the masscan output file to create an input file that nmap will read and then launch nmap to do the detailed scanning on the smaller set of IPs sending that output to even more files which then need to be manipulated and analyzed to extract the information I need.

Just recently I discovered there is a Python module for both masscan and nmap. So far I have only spent time on the masscan module.

Suppose you needed a script which will find all the web servers (port 80, 443) in an address range. It took me about 5 minutes to code up scan_web.py.

#!/usr/local/bin/python3
import sys
import argparse
import pprint
import masscan  # python-masscan module; drives the masscan binary and parses its XML output

def main():
    # read in the IP parameter (a single address, a comma-separated list, or a range)
    parser = argparse.ArgumentParser()
    parser.add_argument('IP', help="IP address or range")
    args = parser.parse_args()
    ip = args.IP

    # scan address(es) using masscan, checking only the two common web ports
    try:
        mas = masscan.PortScanner()
        mas.scan(ip, ports='80,443')
    except Exception as err:
        print("Error:", err, file=sys.stderr)
        sys.exit(1)

    # output result: scan_result is a plain Python dictionary
    pprint.pprint(mas.scan_result)

if __name__ == "__main__":
    main()

The script takes IP address(es) as an input and then scans those IPs using masscan to check if port 80 or 443 are open.

Running the script results in:

# ./scan_web.py 45.60.103.0,45.60.31.34
[2021-05-04 20:05:28,652] [DEBUG] [masscan.py 10 line] Scan parameters: "masscan -oX - 45.60.103.0,45.60.31.34 -p 80,443"
{'masscan': {'command_line': 'masscan -oX - 45.60.103.0,45.60.31.34 -p 80,443',
             'scanstats': {'downhosts': '0',
                           'elapsed': '12',
                           'timestr': '2021-05-04 20:05:41',
                           'totalhosts': '4',
                           'uphosts': '4'}},
 'scan': {'45.60.103.0': {'tcp': {80: {'endtime': '1620158730',
                                       'reason': 'syn-ack',
                                       'reason_ttl': '53',
                                       'services': [],
                                       'state': 'open'},
                                  443: {'endtime': '1620158730',
                                        'reason': 'syn-ack',
                                        'reason_ttl': '53',
                                        'services': [],
                                        'state': 'open'}}},
          '45.60.31.34': {'tcp': {80: {'endtime': '1620158730',
                                       'reason': 'syn-ack',
                                       'reason_ttl': '61',
                                       'services': [],
                                       'state': 'open'},
                                  443: {'endtime': '1620158730',
                                        'reason': 'syn-ack',
                                        'reason_ttl': '61',
                                        'services': [],
                                        'state': 'open'}}}}}

The result is a Python dictionary that can easily be parsed and fed into python-nmap (an exercise for another day).
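The dictionary above is straightforward to walk once you know its shape. What follows is an added example and not part of the ISC diary: it takes a constructed scan_result in the same shape as the output printed above (RFC 5737 documentation addresses, labelled as sample data; no scan is run), flattens it into open (ip, port) pairs, groups responding hosts by port for an exposure review of your own address space, and produces the newline-separated host list that nmap's -iL option reads, which is the hand-off the diary defers to another day. The third host carries an empty entry to show the parser tolerating a host that returned nothing.

```python
"""Walk a python-masscan scan_result dictionary into inventory-friendly views.

Added example, not the ISC diary's code. The input shape (top-level 'masscan'
and 'scan' keys, 'tcp' -> port -> info) mirrors the scan_result printed in the
diary; SAMPLE_RESULT below is constructed to match it and no scan is performed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data in the shape python-masscan's scan_result uses.
SAMPLE_RESULT = {
    "masscan": {
        "command_line": "masscan -oX - 192.0.2.10,192.0.2.11,192.0.2.12 -p 80,443",
        "scanstats": {"downhosts": "0", "elapsed": "12",
                      "timestr": "2021-05-04 20:05:41",
                      "totalhosts": "3", "uphosts": "3"},
    },
    "scan": {
        "192.0.2.10": {"tcp": {80: {"endtime": "1620158730", "reason": "syn-ack",
                                    "reason_ttl": "53", "services": [],
                                    "state": "open"},
                               443: {"endtime": "1620158730", "reason": "syn-ack",
                                     "reason_ttl": "53", "services": [],
                                     "state": "open"}}},
        "192.0.2.11": {"tcp": {443: {"endtime": "1620158731", "reason": "syn-ack",
                                     "reason_ttl": "61", "services": [],
                                     "state": "open"}}},
        # A host with no 'tcp' key (nothing answered) must not break the parser.
        "192.0.2.12": {},
    },
}


def open_ports(scan_result: Dict) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs reported as 'open', sorted by address then port."""
    found = []
    for ip, protos in scan_result.get("scan", {}).items():
        # Only TCP is present in the diary's output; missing keys are tolerated.
        for port, info in protos.get("tcp", {}).items():
            if info.get("state") == "open":
                found.append((ip, int(port)))
    # Sort numerically by address rather than as strings ("10" before "9").
    return sorted(found, key=lambda t: (ipaddress.ip_address(t[0]), t[1]))


def hosts_by_port(scan_result: Dict) -> Dict[int, List[str]]:
    """Group responding hosts under each open port, e.g. {80: [...], 443: [...]}."""
    groups: Dict[int, List[str]] = {}
    for ip, port in open_ports(scan_result):
        groups.setdefault(port, []).append(ip)
    return groups


def nmap_target_list(scan_result: Dict) -> str:
    """Newline-separated host list in the format nmap's -iL option reads."""
    hosts = sorted({ip for ip, _ in open_ports(scan_result)},
                   key=ipaddress.ip_address)
    return "\n".join(hosts) + "\n"


def summary(scan_result: Dict) -> Dict[str, int]:
    """Counts derived purely from the parsed open-port list."""
    pairs = open_ports(scan_result)
    return {"hosts_open": len({ip for ip, _ in pairs}), "open_ports": len(pairs)}


if __name__ == "__main__":
    for port, hosts in hosts_by_port(SAMPLE_RESULT).items():
        print(f"port {port}: {', '.join(hosts)}")
    print(summary(SAMPLE_RESULT))
    print(nmap_target_list(SAMPLE_RESULT), end="")
```

In practice you would replace SAMPLE_RESULT with mas.scan_result from scan_web.py and write nmap_target_list() to a file; keeping the parsing in plain functions that return values makes the hand-off to the next stage testable without running a scanner.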

Caveat1: Never scan an IP range you don’t have permission to scan.  While port scanning is not illegal in most jurisdictions it is questionable ethically to scan things you don’t own or have permission to scan.

Caveat2: I am not a professional Python programmer.  My scripting gets the job done that I need it to do.  I know there are many smart people out there who can write way better code than I can. 

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post Quick and dirty Python: masscan, (Tue, May 4th) appeared first on Malware Devil.



https://malwaredevil.com/2021/05/04/quick-and-dirty-python-masscan-tue-may-4th/?utm_source=rss&utm_medium=rss&utm_campaign=quick-and-dirty-python-masscan-tue-may-4th

SSD Advisory – TG8 Firewall PreAuth RCE and Password Disclosure

Read More

The post SSD Advisory – TG8 Firewall PreAuth RCE and Password Disclosure appeared first on Malware Devil.



https://malwaredevil.com/2021/05/04/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure-2/?utm_source=rss&utm_medium=rss&utm_campaign=ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure-2

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...