Posted by InfoSec News on Oct 08
https://www.wsj.com/articles/smaller-medical-providers-get-burned-by-ransomware-11570366801Posted by InfoSec News on Oct 08
https://www.washingtonpost.com/technology/2019/10/04/iran-tried-hack-us-presidential-candidates-journalists-effort-that-targeted-hundreds-microsoft-finds/Posted by InfoSec News on Oct 08
https://www.cyberscoop.com/vpn-vulnerabilities-china-apt-palo-alto/Posted by InfoSec News on Oct 08
https://www.ttnews.com/articles/trucking-industry-has-become-top-target-ransomware-attacksThis month we got patches for 59 vulnerabilities total. None of them have been previously disclosed nor are being exploited according to Microsoft.
Amongst 9 critical vulnerabilities, its worth mentioning the remote code execution one which affects Microsoft XML Core Services (CVE-2019-1060). To exploit this vulnerability, an attacker would have to convince a user to access a specially crafted website designed to invoke MSXML through the web browser. When Internet Explorer parses the malicious content, the attacker could run malicious code remotely on users’s system.
There is also a critical remote execution vulnerability Windows Remote Desktop Client (CVE-2019-1333). To exploit this vulnerability, an attacker would have to force the user to connect to a malicious server or compromise a legitimate server to host the malicious code on it, and wait for the users to connect.
See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com
| Description | |||||||
|---|---|---|---|---|---|---|---|
| CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
| Azure App Service Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1372%% | No | No | Less Likely | Less Likely | Critical | ||
| Chakra Scripting Engine Memory Corruption Vulnerability | |||||||
| %%cve:2019-1307%% | No | No | - | - | Critical | 4.2 | 3.8 |
| %%cve:2019-1308%% | No | No | - | - | Critical | 4.2 | 3.8 |
| %%cve:2019-1335%% | No | No | - | - | Critical | 4.2 | 3.8 |
| %%cve:2019-1366%% | No | No | - | - | Critical | 4.2 | 3.8 |
| Hyper-V Information Disclosure Vulnerability | |||||||
| %%cve:2019-1230%% | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Internet Explorer Memory Corruption Vulnerability | |||||||
| %%cve:2019-1371%% | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| Jet Database Engine Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1358%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| %%cve:2019-1359%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Latest Servicing Stack Updates | |||||||
| ADV990001 | No | No | - | - | Critical | ||
| MS XML Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1060%% | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| Microsoft Browser Spoofing Vulnerability | |||||||
| %%cve:2019-0608%% | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| %%cve:2019-1357%% | No | No | Less Likely | Less Likely | Important | 3.5 | 3.2 |
| Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | |||||||
| %%cve:2019-1375%% | No | No | Less Likely | Less Likely | Important | ||
| Microsoft Edge based on Edge HTML Information Disclosure Vulnerability | |||||||
| %%cve:2019-1356%% | No | No | - | - | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1327%% | No | No | Less Likely | Less Likely | Important | ||
| %%cve:2019-1331%% | No | No | Less Likely | Less Likely | Important | ||
| Microsoft Graphics Components Information Disclosure Vulnerability | |||||||
| %%cve:2019-1361%% | No | No | - | - | Important | 5.5 | 5.0 |
| Microsoft IIS Server Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1365%% | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Microsoft Office SharePoint XSS Vulnerability | |||||||
| %%cve:2019-1070%% | No | No | - | - | Important | ||
| Microsoft SharePoint Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1329%% | No | No | - | - | Important | ||
| %%cve:2019-1330%% | No | No | Less Likely | Less Likely | Important | ||
| Microsoft SharePoint Spoofing Vulnerability | |||||||
| %%cve:2019-1328%% | No | No | - | - | Important | ||
| Microsoft Windows CloudStore Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1321%% | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| Microsoft Windows Denial of Service Vulnerability | |||||||
| %%cve:2019-1317%% | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| Microsoft Windows Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1320%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| %%cve:2019-1322%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| %%cve:2019-1340%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Windows Setup Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1316%% | No | No | Less Likely | Less Likely | Important | 7.3 | 6.6 |
| Microsoft Windows Transport Layer Security Spoofing Vulnerability | |||||||
| %%cve:2019-1318%% | No | No | Less Likely | Less Likely | Important | 7.7 | 6.9 |
| Microsoft Windows Update Client Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1323%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| %%cve:2019-1336%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Open Enclave SDK Information Disclosure Vulnerability | |||||||
| %%cve:2019-1369%% | No | No | Less Likely | Less Likely | Important | ||
| Remote Desktop Client Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1333%% | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| SQL Server Management Studio Information Disclosure Vulnerability | |||||||
| %%cve:2019-1313%% | No | No | Less Likely | Less Likely | Important | ||
| %%cve:2019-1376%% | No | No | Less Likely | Less Likely | Important | ||
| VBScript Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1238%% | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| %%cve:2019-1239%% | No | No | - | - | Critical | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1362%% | No | No | - | - | Important | 7.0 | 6.3 |
| %%cve:2019-1364%% | No | No | - | - | Important | 7.0 | 6.3 |
| Windows 10 Mobile Security Feature Bypass Vulnerability | |||||||
| %%cve:2019-1314%% | No | No | Less Likely | Less Likely | Important | ||
| Windows Code Integrity Module Information Disclosure Vulnerability | |||||||
| %%cve:2019-1344%% | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Denial of Service Vulnerability | |||||||
| %%cve:2019-1343%% | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| %%cve:2019-1346%% | No | No | Less Likely | Less Likely | Important | 5.7 | 5.1 |
| %%cve:2019-1347%% | No | No | Less Likely | Less Likely | Important | 5.7 | 5.1 |
| Windows Error Reporting Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1319%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1342%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| %%cve:2019-1315%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| %%cve:2019-1339%% | No | No | - | - | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | |||||||
| %%cve:2019-1363%% | No | No | - | - | Important | 5.5 | 5.0 |
| Windows Imaging API Remote Code Execution Vulnerability | |||||||
| %%cve:2019-1311%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | |||||||
| %%cve:2019-1345%% | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| %%cve:2019-1334%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows NTLM Security Feature Bypass Vulnerability | |||||||
| %%cve:2019-1338%% | No | No | - | - | Important | 5.3 | 4.8 |
| Windows NTLM Tampering Vulnerability | |||||||
| %%cve:2019-1166%% | No | No | Less Likely | Less Likely | Important | 5.9 | 5.3 |
| Windows Power Service Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1341%% | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | |||||||
| %%cve:2019-1325%% | No | No | Less Likely | Unlikely | Important | 5.5 | 5.0 |
| Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | |||||||
| %%cve:2019-1326%% | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Windows Secure Boot Security Feature Bypass Vulnerability | |||||||
| %%cve:2019-1368%% | No | No | Less Likely | Less Likely | Important | 4.9 | 4.4 |
| Windows Update Client Information Disclosure Vulnerability | |||||||
| %%cve:2019-1337%% | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
--
Renato Marinho
Morphus Labs| LinkedIn|Twitter>
Introduction
What is Vidar? Vidar is malware that's an information stealer. It has very distinct infection traffic. What does it steal? Let's examine some infection traffic to find out. Today's diary reviews some infection traffic from a malicious Word document discovered on Tuesday 2019-10-08 that uses macros to push Vidar.
Shown above: The malicious Word document found in VirusTotal.
The malicious Word document
VirusTotal and other sources like URLhaus show a malicious Word document (SHA256 hash: 0c91fa2d30e1981d8ac276ecaacb4225c3bef5be8143597720e37e7dc5447099) was available on two blacklisted URLs hosted at speciosarepublic[.]com as early as Tuesday 2019-10-08. I checked one of the URLs and was able to retrieve the Word document.
Shown above: Downloading the malicious Word document.
Shown above: Opening the malicious Word document.
Shown above: After enabling macros, you can see text that was probably supposed to appear before enabling macros.
Infection traffic
I submitted the URL to the Any.Run sandbox, and it generated traffic with alerts for Vidar. When viewed in Wireshark, the last HTTP request in the infection traffic ends with:
POST / HTTP/1.1 (zip)
This indicates a zip archive was sent to a command and control server at weimachel[.]net.
Shown above: Infection traffic from the Any.Run analysis filtered in Wireshark.
Shown above: Follow TCP stream in Wireshark for the last HTTP POST request.
Shown above: This TCP stream has multiple HTTP POST requests, so scroll down to find the final one.
Shown above: Scroll down further, and you'll find the zip archive sent during the final HTTP POST request.
Extracting the zip archive from the pcap
We can extract data from the final HTTP POST request from the pcap. Then we can carve the zip archive from the extracted data as shown in the images below.
Shown above: File --> Export Objects --> HTTP...
Shown above: Wireshark's HTTP object list, and exportable data that contains the POST-ed zip archive.
Shown above: After exporting the binary from Wireshark, open it in a hex editor and delete data POST-ed before the actual zip archive.
Shown above: The first two bytes of a zip archive show as ASCII characters PK, so delete POST-ed data before that.
Shown above: The beginning is of the zip archive is now the beginning of the file.
Shown above: Delete the ending boundary marker from the HTTP POST request at the end of this file.
After you've carved and saved the binary, it should be a fully-functional zip archive. The contents can be extracted with an archive manager, and you can review what data was exfiltrated from the infected Windows host. This data includes system information, passwords, browser cookies, and a screenshot of the desktop.
Shown above: Contents of the zip archive, after it's carved from the extracted data.
Final words
Sandbox analysis of this malicious Word doc can be found here, where you can download the pcap, review the data, and try extracting the zip archive using Wireshark.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Posted by InfoSec News on Oct 10
https://www.theguardian.com/technology/2019/oct/09/melbourne-cyber-conference-organisers-pressured-speaker-to-edit-biased-talkPosted by InfoSec News on Oct 10
https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/Posted by InfoSec News on Oct 10
https://techcrunch.com/2019/10/09/cisa-subpoena-powers-isp-vulnerable-systems/Posted by InfoSec News on Oct 10
https://www.vanityfair.com/news/2019/10/the-untold-story-of-the-sony-hackPosted by InfoSec News on Oct 10
https://www.healthcareitnews.com/news/fda-s-bill-materials-crates-cybersecurity-blind-spot-medical-devicesMy last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI. (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
A few things to note:
On with today's story - First, the function:
|
# assumes that the oui.txt file exists, and that its in c:\utils - edit this to fit your implementation $global:ouilist = import-csv -Delimiter "`t" -path "c:\utils\oui.txt" function OUILookup { # grab the first 6 chars for an OUI first pass #find the OUI in the table |
How can we use this? In our first case, let's read all MAC addresses from a switch, then lookup the vendor for each unique MAC. There are several OID (Object ID) strings that return MAC addresses, I picked the one I did because it also returns the interface number the MAC is associated with - that might be useful in a future story :-)
Note that I'm using SNMPv2 in this (just to keep the code simple). I would strongly suggest that you use SNMPv3 in any production environment (SNMPv2 calls and returns are all in clear text, SNMPv3 adds encryption). I'd also suggest that you use an ACL on your SNMP configuration so that only trusted hosts are allowed to make SNMP calls. The CIS Benchmark for your switch will give you more detail on this, as well as a plethora of other advice on hardening your switch configuration against various attacks.
|
$IP = "192.168.122.6" $OID = ".1.3.6.1.2.1.17.4.3.1.2" $CommString = "SomeComplexString"
$WalkVals = invoke-snmpwalk -ip $IP -OIDStart $OID -Community $CommString -Walkmode WithinSubtree
$trimlength = $OID.length +1 $MACtoOUIList = @()
foreach($val in $walkvals) { # get the decimal representation of the MAC $macdec = ($val.oid).Substring($trimlength) $machex = "" $macdec.split(".") | foreach { $machex += '{0:x2}' -f [int32]$_ } $ouitemp = ouilookup $machex $ouitemp | add-member -membertype NoteProperty -name MAC -value $machex.toupper() $MACtoOUIList += $ouitemp } |
Now we have the list of MACs with the OUI information for each:
|
$MACtoOUIList OUI Vendor VendorString MAC |
Let's sort and group them now, to get a count of unique OUIs. We'll sort them so that the "outliers" bubble up to the top - in so many situations we're looking for values that are "odd"
|
$MACtoOUIList | select OUI, Vendor | sort -Property OUI | Group-Object OUI,Vendor -NoElement | sort count Count Name |
Not a lot of oddness to find on my home network - that TctMobil OUI I think is my wife's new phone, which was interesting - that's about it.
Let's cast our net a bit wider, and read the DHCP database from a windows DHCP server and return the vendor for each MAC address, with the device name and IP.
We covered how to "mine" the DHCP database in a story a while back: https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/
First, collect the DHCP Leases, then for each MAC Address (Client-ID), get the OUI, all collected into on variable list:
|
$leases = foreach ($lease in $leases) { $targetouilist += OUILookup $lease.clientid } |
Again, lets look for outliers, sorting by ascending count:
|
$MACtoOUIList | select OUI, Vendor | sort -Property OUI | Group-Object OUI,Vendor -NoElement | sort count Count Name |
In a network of a couple thousand workstations, there definitely is some stuff to dig into here. Just for starters (and without more than a glance at the data), this client had recently completed a VOIP migration from one vendor to another - you see from our "outliers" list that there's one phone that got missed. I'll be digging into this a bit more (and for a few more clients) over the next while - feel free to do the same! (on your own networks of course)
Please, use our comment form and let us know if you find anything "interesting"!
===============
Rob VandenBrink
rob <at> coherentsecurity.com
Posted by InfoSec News on Oct 11
https://www.itnews.com.au/news/victorian-hospitals-slowly-restoring-systems-after-cyber-attack-532210Posted by InfoSec News on Oct 11
https://gizmodo.com/jeremy-hammond-former-wikileaks-source-held-in-contem-1838947403Posted by InfoSec News on Oct 11
https://www.militarytimes.com/veterans/2019/10/10/hackers-target-job-hunting-service-members-veterans-with-sham-employment-website/Posted by InfoSec News on Oct 11
https://www.infosecnews.org/university-of-minnesota-announces-three-year-collaboration-with-target-on-cyber-security-education/Posted by InfoSec News on Oct 11
https://www.cyberscoop.com/fin7-fireeye-new-malware/
