BLOG

Securing a company ... a group of basic steps a company can take

 
Wed, 05 Dec 2018 14:08:00 +0000

---

Vulnerability chain exploits MacOS

Dropbox recently revealed three critical security vulnerabilities in MacOS that would allow execution of arbitrary programs on a target machine triggered just by visiting a webpage. The vulnerabilities were found by the cybersecurity firm Syndis, who were hired for red team exercises on Dropbox’s infrastructure. The three vulnerabilities by themselves were of minimal actual security impact on their own but when chained together could be used to compromise a target machine by simply getting them to visit a webpage.
The first vulnerability found (CVE-201713890) allowed a malicious webpage to force the target machine to mount an arbitrary disk image. This was due to a content identifier conflict in the Safari web browser. When known filetypes are handled in the Safari browser actions are taken to handle the media automatically. Usually this results in things like a media player opening to handle a download or a PDF client opening a document. But due to the same identifier being defined in multiple locations the wrong action was taken when downloading a .smi file.
The second vulnerability (CVE-20184176) starts the execution path of the arbitrary files in the disk image downloaded by the first vulnerability. During creation of a disk image the creator is able to use the bless utility to set specific options. One of those is —openfolder which allows Finder to open an arbitrary folder upon mounting a disk image. By pointing to a bundle file instead of a folder it will be executed when the image is mounted. Being able to launch the application isn’t quite enough though because the Gatekeeper utility prevents unsigned code from actually launching until it is whitelisted. 
The third vulnerability (CVE-2018-4175) allows launch of an arbitrary program from the malicious disk image without any security checks. The first step is to include a legitimate signed binary in the image, like the Terminal app. At this point the researchers tried launching a malicious script through the Terminal app but it was still blocked due to the quarantine flag being set. This is set when applications are downloaded from the internet and is cleared when the user explicitly says that the application is safe. By modifying the Info.plist for the bundle they were able to associate a new filetype with the Terminal app. When launching the newly associated filetype the quarantine flag was not checked and code execution was achieved.
This vulnerability chain highlights how a string of seemingly not serious vulnerabilities can often be strung together to achieve a compromise. The vulnerabilities were reported to Apple in February and patched in their March security update.

Sources
https:// thehackernews.com/2018/11/applemacos-zeroday.html
https://blogs.dropbox.com/ tech/2018/11/offensive-testing-tomake-dropbox-and-the-world-asafer-place/
and Peraton
Sun, 02 Dec 2018 15:44:00 +0000

---

New breakthroughs in combatting tech support scams

This is an article from Microsoft that i thought was intresting..

Anyone may receive an unwanted phone call or experience a pop-up window on your device with a “warning” that your computer has a problem requiring immediate tech support. These messages are often very convincing and use scare tactics to entice consumers into contacting a fraudulent “tech support” call center. Call center operators typically encourage the victim to provide remote access to their device for “further diagnosis” before charging the victim a fee – typically between $150 – $499 – for unnecessary tech support services. In addition to losing money, victims leave their computer vulnerable to other attacks, such as malware, during a remote access session.
Tech support fraud operations typically involve multiple entities including those engaged in marketing, payment processing and call centers. Recent law enforcement successes in India build on a solid track record of global law enforcement taking action to combat the multiple layers of tech support fraud supported by referrals from Microsoft and other industry partners. For example, the U.S. Federal Trade Commission and multiple partners announced 16 separate civil and criminal enforcement actions against tech support fraudsters in May 2017 as part of “Operation Tech Trap.”  And, in June 2017, the City of London Police announced the arrest of four individuals engaged in computer software services fraud.
Our work to partner with law enforcement agencies in addressing this problem is driven by a combination of technology and action taken by our customers. In 2014, Microsoft launched an online “report a scam” portal to enable victims to share their tech support fraud experiences directly with our Digital Crimes Unit team. The reports have been a critical starting point for our international investigations and referrals. Our data analytics and innovation team has added additional tools to proactively hunt and pull data from approximately 150,000 suspicious pop-ups daily targeting millions of people and use machine learning to identify those related to tech support fraud.
In addition to making referrals to law enforcement based on this data, we are building what we learn about cybercriminals’ behavior into improved products and services for consumers. Microsoft has built-in protection in Windows 10 which includes more security features, safer authentication and ongoing updates delivered for the supported lifetime of a device. Windows Defender delivers comprehensive, real-time protection against software threats across email, cloud and the web. The SmartScreen filter, built into Windows, Microsoft Edge and Internet Explorer, helps protect against malicious websites and downloads, including many of those frustrating pop-up windows. People who have experienced tech support scams should know they aren’t alone, but there are steps you can take to identify and help defend yourself against criminals looking to impersonate legitimate companies. According to our recently released 2018 global survey, three out of five consumers have experienced a tech support scam in the previous 12 months. Although this reflects movement in the right direction, and a 5-point reduction since 2016, these scams persist and successfully target people across all ages and geographies. The best thing you can do to help protect yourself from fraud is to educate yourself. If you receive a notification or call from someone claiming to be from a reputable software company, here are a few key tips to keep in mind:

• Be wary of any unsolicited phone call or pop-up message on your device.
• Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication we have with you must be initiated by you.
• Do not call the phone number in a pop-up window on your device and be cautious about clicking on notifications asking you to scan your computer or download software. Many scammers try to fool you into thinking their notifications are legitimate.
• Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
• If skeptical, take the person’s information down and immediately report it to your local authorities

Fri, 30 Nov 2018 16:59:00 +0000

---

Starwood Guest Reservation Database Security Incident - Marriott

Go herefor more information
Fri, 30 Nov 2018 16:38:00 +0000

---

Major Online Ad Fraud Operation

National Cyber Awareness System:

 

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Patrol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

• %UserProfile%\AppData\Local\VirtualStore\lsass.aaa
• %UserProfile%\AppData\Local\Temp lt;RANDOM>.exe
• %UserProfile%\AppData\Local lt;Random eight-character folder name> lt;original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run lt;Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

• %UserProfile\AppData\Local\Temp lt;RANDOM> .exe/.bat
• %UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 lt;RANDOM> lt;RANDOM FILENAME>.exe
• %UserProfile%\AppData\Local lt;RANDOM> lt;RANDOM>.lnk
• %UserProfile%\AppData\Local lt;RANDOM> lt;RANDOM>.bat

Kovter is known to hide in the registry under:

• HKCU\SOFTWARE lt;RANDOM> lt;RANDOM>

The customized CEF browser is dropped to:

• %UserProfile%\AppData\Local lt;RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

• /?ptrackp=\d{5,8}
• /feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
• /feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]

The following is a YARA rule for detecting Kovter:

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

• Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
• Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
• Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
• Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
• Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.
• ESET Online Scanner
• F-Secure
• Malwarebytes
• McAfee
• Microsoft Safety Scanner
• Norton Power Eraser
• Trend Micro HouseCall

References

• DOJ Press Release
• ewhitehats White Paper on Kovter Malware
• ewhitehats: THE HUNT FOR 3VE
• Google Security Blog: Industry collaboration leads to takedown of the “3ve” ad fraud operation

Tue, 27 Nov 2018 22:34:00 +0000

---

There are many frameworks that you can use to protect a company infrastructure

Mon, 12 Nov 2018 23:03:00 +0000

---

Windows 10 shortcuts

Keyboard shortcuts are keys or combinations of keys that provide an alternative way to do something that you’d typically do with a mouse.

Fri, 09 Nov 2018 14:16:00 +0000

---

RID Hijacking

Relative Identifier (RID) Hijacking has recently gained public attention as a simple, novel, and effective technique to maintain persistence on a Windows system after initial compromise. As information security awareness continues to rise in many organizations their overall security posture also increases, especially in larger organizations that can afford it. As a result, many attackers are forced to leverage stealth techniques when targeting these types of companies to bypass security mechanisms.
RID Hijacking effectively allows attackers to assign higher level administrative privileges to lower level accounts that they might have direct access to after initial system compromise. What makes this method so attractive to attackers is that it leverages strictly Windows native commands to execute the technique, does not require installing any additional software, and is a relatively simple process. Therefore, it does not make much noise on a system and in many cases is difficult to detect unless defenders are carefully monitoring the Security Account Manager ( SAM) registry.
Since Windows XP, Windows uses the SAM to store security descriptors for user accounts. These Windows systems store most of this information in the ‘HKLM\SAM\SAM\Domains\Account\Use rs’ key, which does require SYSTEM level privileges to access. This key contains a variety of structured information representing user privilege information. The ‘Names’ subkey contains all the local user account names and looking at the ‘F’ value within this structure is a long number that contains the RID value at hex offset 30 within it along with other interesting information such as whether the account is enabled or disabled. According to security researcher, Sebastian Castro the RID copy stored in the ‘F’ value hex number is the value that is used by the Local Security Authority Subsystem Service (LSASS) and the Security Reference Monitor (SRM) to generate the primary access token used when translating from username to security identifier (SID). This token essentially is used on the system when users are attempting to access system services and applications. So if an attacker can modify the RID value to hex 0x1f4 or 500 in decimal of a guest user account as an example, they can give that guest account system level access. This technique is known as RID hijacking.
Sebastian Castro, the security researcher investigating this vulnerability also published an exploit which automates this attack in Metasploit, which is a popular open source exploit framework used by many worldwide. The exploit can be found at ‘post/windows/manage/ rid_hijack’ within the framework. This exploit has been tested on Windows XP, Windows Server 2003, Windows 8.1, and Windows 10. The best-recommended way to defend against this attack is by monitoring the system registry and looking for inconsistencies within the SAM.
  Sources:
https://threatpost.com/trivial-postintrusion-attack-exploits-windowsrid/138448/  https://csl.com.co/en/rid-hijacking/

Fri, 26 Oct 2018 20:07:00 +0000

---

Zero-day jQuery Exploit

A zero-day exploit in the jQuery file upload tool may have had an open secret for years. A security researcher at Akamai Security Intelligence Response Team (SIRT) by the name of Larry Cashdollar found the exploit designated CVE-20189206. The vulnerability affects the plugin authored by Sabastian Tschan commonly known as “blueimp”. The jQuery File upload is one of the most starred plugins on github next to the jQuery framework itself. The tool appears to have been forked over 7800 times and has most likely been integrated on thousands of other projects. 
The vulnerability affects Apache web servers that have the plugin and has existed since Apache 2.3.9 when Apache disabled support for .htaccess security configuration files. Unfortunately, jQuery’s file upload relied on .htaccess, and Apache made the change only five days before Sabastian’s plugin was first published. Worse yet it seems that this exploit has been an open secret in the hacker community for years. An attacker can use the vulnerability to upload files without any validation required. This would allow attackers to upload back doors, key loggers, and even execute a web shell on the server. Cashdollar was able to get in touch with Sabastion, and together they were able to work to get the vulnerability fixed in the latest version for the jQuery file upload. However, both noted that it is unlikely to get deployed in all the other projects and/or servers that use the plugin. They stated that there is no accurate way to determine how many projects that have forked from the jQuery file upload and if they are being maintained by applying changes to the master project. Additionally, there are no good ways to determine how many production environments that possibly have the plugin integrated in them.
Cashdollar has also noted that he doubts that he is the only person to find the videos that demonstrate this vulnerability. The videos on YouTube indicate that this exploit has been known and used in some circles for years, so it is possible that hackers have been able to quietly utilize this method to execute remote code on webservers that are using the plugin. However, now that the code has been patched and the exploit has been made public, there is concern that that the risk has increased. With an unknown number of potential forked projects and environments that might use the tool the likelihood that the patch will not entirely eliminate the potential threat. If you want to test your environment for this vulnerability this link will help Https://gethub.com/lcashdol/treee/Exploits/ tree/master/CVE-2018-9206. There you will find the files that will test for three of the most commonly used variations of the exploit software.
Sources:
 https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/
https://searchsecurity.techtarget.com/news/252451045/Zero-day-jQueryplugin-vulnerability-exploited-for-3-years
 https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-activelyexploited-for-at-least-three-years/  
Fri, 26 Oct 2018 20:06:00 +0000

---

Windows 10, version 1809 Features removed or planned for replacement

Here is a Blog from Microsoft about changes to Windows 10 1809.

Features we removed in this release

We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.

Features we’re no longer developing

We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.

If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app.


Sat, 20 Oct 2018 19:51:00 +0000

---