Category: SANS ISC Bulletins

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Based on Lubuntu-18.04 x64, the RedHunt Linux virtual machine for adversary emulation and threat hunting is a “one stop shop for all your threat emulation and threat hunting needs. It integrates an attacker’s arsenal as well as defender’s toolkit to actively identify the threats in your environment.”

RedHunt Linux is available as an OVA virtual machine file from http://bit.ly/RedHUNTv1. I imported it with ease via VirtualBox and was up and running in minutes. This distribution includes tools for attack emulation, logging and monitoring, open source intelligence (OSINT) gathering and threat intelligence. As such, I’m going focus on one each from attack emulation, OSINT, and threat intelligence. The virtual machine username and password are hunter. The menu is simple and laid out categorically, you’ll have no trouble navigating accordingly. I’ll follow the same sequence for continuity.

Attack Emulation

Of the attack emulation tool list, there are a few I’ve been meaning to test prior to spotting RedHunt, this is a nice opportunity to do so on a ready made platform. There are a few that may be new to you so allow me to break them down a bit. You’ll notice the Mitre ATT&CK framework leveraged throughout.

• CALDERA “is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project.”

• Atomic Red Team “allows every security team to test their controls by executing simple “atomic tests” that exercise the same techniques used by adversaries (all mapped to Mitre’s ATT&CK).“”

• Metta is an “information security preparedness tool that uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The various actions live in the MITRE folder sorted by MITRE ATT&CK phases.”

I’ll focus specifically on Metta. I used the RedHunt Linux VM instance itself as my targert and ran the following OS-appropriate scenario, resulting in output as noted in Figure 1.

sudo python run_simulation_yaml.py -f MITRE/Credential_Access/credaccess_linux_bash_history.yml

Figure 1: Metta Linux credential access bash history results

As expected, when I reviewed /var/log/auth.log, Metta’s activity was immediately evident, as seen in Figure 2.

Figure 2: /var/log/auth.log Metta entries

One can imagine that a properly configured detection and alerting scenario should have effictively triggered and fired if tuned to react to such behaviors.

OSINT

The OSINT selection includes Maltego, Recon-ng, and Datasploit, all of which I’ve covered in earlier toolsmith articles, as far back as December 2009 for Maltego.
The one remaining offering I’ve not already discussed is the theHarvester, “a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).” As described, it is indeed a simple tool, and effective for the early stages of a penetration test, as well assessing your target’s Internet exposure. Select theHarvester from the OSINT menu, a shell will open and dump the menu for you.
I ran

python theHarverster.py -d holisticinfosec.org -b twitter

and received results as seen in Figure 3.

Figure 3: theHarverster Twitter search results

Threat Intelligence

Finally, in the threat intelligence offerings you’ll find Yeti and Harpoon. I’ll focus on Yeti for our purposes here. Yeti is “a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don’t have to.” Yeti is really where the rubber hits the road for me with the RedHunt OS. I’ll set up a real world scenario for you with Yeti, using it in what could be considered a production manner. Do add your API keys under the user profile so you can take advantage of analytics functionality.
I decided to use IOCs (observables) from GCHQ’s National Cyber Security Centre Indicators of Compromise for Malware used by APT28 report (also known as Fancy Bear, Pawn Storm, the Sednit Gang and Sofacy), released 4 OCT 2018. These include IOCs for X-AGENT (also known as CHOPSTICK), “a second-stage modular remote access trojan (RAT). It can run on Windows, iOS and Unix-based operating systems.” These IOCs include IPs, domains, and hashes.
Additionally there are CompuTrace IP and hash-based IOCs. “CompuTrace/Lojack is a legitimate piece of software, which can track and assist in the recovery of lost or stolen laptops as well as remotely locking and deleting files.”
Also available are IP, domain, and hash X-TUNNEL IOCs. X-TUNNEL is a “network tunnelling tool used for network traversal and pivoting. It provides a secure tunnel to an external command and control server, through which the actors can operate using a variety of standard networking tools and protocols to connect to internal services.”
Finally, there are ZEBROCY IOCs. ZEBROCY is a tool observed since late 2015. “The communications module used by ZEBROCY transmits using HTTP. The implant has key logging and file exfiltration functionality and utilises a file collection capability that identifies files with particular extensions.”
Yeti allows you to add observables manually, and does include excellent guessing functionality if you tag IOCs as unknown. But by now you’re likely saying “Russ, STFU, you had me at Fancy Bear.” Right on, so let me give you that “Dude, that’s awesome” moment. Above all else, read Yeti’s documentation, there’s much to learn here as well as features and capabilities I won’t explore. Yeti can import an Investigation from text, a URL, or a file. Choose Investigations then Import. I literally copied the text I wanted to import from GCHQ’s report (pages 2 through 6) into the Import from text window and clicked Start Import. Figure 4 is the result.

Figure 4: Yeti import function

Yeti then presents you with what it determines are the observables by categories, IP, hostname, and hash in this scenario. Scroll down the list and then choose Import. If you then go to Observables, then Browse, you’ll see all the IOCs you just imported. Organizationally, you can/should tag the entities as they’re associated (xagent, computrace, xtunnel, zebrocy) in the report. You’ll also want to go to Investigations, then List, and select Unnamed. Choose the Investigation you just imported and tagged, name it and save it accordingly. I used APT28 NCSC for mine. You can add a new Actor via the New menu. Again, APT28 makes sense here, and you can mark this Actor entity with your above created tags. Similarly, you can bind to entities with the same tags. I did the same thing again with a Campaign, also calling it APT28 NSCS. I then drilled to Entities and selected this campaign. I created a new Investigation then selected Go To Graph.
Now for the magic. You’re presented with a node map that for you Maltego users may look conceptually familiar as noted in Figure 5..

Figure 5: Yeti Graph

Select an individual node or all nodes then run a variety of analytics (Figure 6). These depend on the API keys you set in your profile as discussed earlier.

Figure 6: Yeti Analytics

You can import Yara rules too (Figure 7). I opted for Florian Roth’s,@cyb3rops, APT28 rule.

Figure 7: Yeti Yara import

I intend to continue using RedHunt Linux beyond simply testing it for toolsmith. I’m particularly invested in Yeti and recognize of only touched on the basics of its use here. I plan to dig into the API and export, there are numerous interesting features yeti to explore. 🙂 Yeti is definitely a truly viable option for managing your threat intelligence practice.
I strongly suggest you dig in to RedHunt and Yeti, I’d love to hear more about your experience. Ping me via email (russ at holisticinfosec dot io) or Twitter @holisticinfosec.
Cheers…until next time.

Russ McRee | @holisticinfosec 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I often use commandline tools for malware analysis, like for the BASE64/XOR decoding I did in my last diary entry.

Of course, there are alternatives if you prefer to use a tool with a graphical user interface. Like the online tool CyberChef.

Here I’m illustrating how I use CyberChef to decode the obfuscated URL from last diary entry’s sample:

First I drag-and-drop the “From BASE64” operation to the recipe:

Then I provide the obfuscated URL (IDc1O2ltbFs9KCc9JjZbPi5DNSZiNicqbC00ITQsI0YiXCItXjo4V2gqSlY=) as input:

Finally I drag-and-drop the “XOR” operation to the recipe, and provide the key (HCAKSBC2PIUVCB2PI3GILUHGCIUGUYO2F3UC2UY3FO23OUYCF32OYUDHOYGU32FVYUO23GF) as UTF8 text:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I was asked for help with malicious Word document MD5 7ea8e50ce884dab89a13803ccebea26e.

Like always, I first run oledump.py on a sample:

As expected, it contains VBA macros. Then I quickly look at the source code of the VBA code in all macro streams (options -s a -v):

I noticed a string that looks like BASE64 at the end of the VBA source code (that’s why I used a tail command in this screenshot). Checking with my tool base64dump.py confirms that this is indeed BASE64:

The output confirms that it is BASE64, although I don’t recognize the binary data (most bytes are not printable characters).

The string is BASE64, and function gFpVdtRecxaZD is most likely a BASE64 decoder function. The return value of this function is used as first argument to function MOMCqdxBOimtoI. Function MOMCqdxBOimtoI takes 2 arguments, the second argument is a printable string.

I’ve seen this often before, MOMCqdxBOimtoI is most likely a decoding function, and the second string is the decoding key.

What encoding function? First I try XOR encoding, because it’s popular. With my tool cipher-tool.py I check what the result is of XORing the decoded BASE64 string with the key:

I get a readable, known string: MSXML2.XMLHTTP. This confirms that the encoding is indeed XOR and that the second argument is the key.

Grepping for string MOMCqdxBOimtoI shows me all the lines with encoded strings:

I check the longest string first, because that’s most likely the URL:

This analysis can also be automated with plugins.

My oledump plugin plugin_http_heuristics was not able to decode the URL of this sample, until I made a small change:

I’ll explain the changes to this plugin in the next diary entry.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This morning, I spotted another wave of malicious documents that (ab)use again %%cve:2017-11882%% in the Equation Editor (see my yesterday’s diary[1]). This time, malicious files are RTF files. One of the samples is SHA256:bc84bb7b07d196339c3f92933c5449e71808aa40a102774729ba6f1c152d5ee2 (VT score: 19/57[2]).

Once opened, it downloads a payload via the bit.ly URL shortening service. The URL is:

hxxps://bitly[.]com/2EapuIc

bit.ly is very convenient for security analysts because, adding a “+” sign at the end of the URL, you can see what is the original URL but also some statistics. It always impresses me to see how many times such URLs are visited:

We can see that 193 “clicks” have been performed in this URL, which means that the RTF document has successfully exploited the vulnerability 193 times only for this URL. In the meantime, I spotted others bit.ly URLs:

/2QJY8dD
/2QGnbyg
/2EdlK92
/2QKOqaX
/2yry5A8
/2EdlAOO

Of course, the shortened URLs are not images but a malicious PE file (SHA256:a4dd1c849d1e66faecbf29c0304cc26c7948e96ead0e73896f15b0db44bed3fa – VT Score: 30/67[3])

This means, that this Equation Editor vulnerability is still present on many computers.

[1] https://isc.sans.edu/forums/diary/New+Campaign+Using+Old+Equation+Editor+Vulnerability/24196/
[2] https://www.virustotal.com/#/file/bc84bb7b07d196339c3f92933c5449e71808aa40a102774729ba6f1c152d5ee2/details
[3] https://www.virustotal.com/#/file/a4dd1c849d1e66faecbf29c0304cc26c7948e96ead0e73896f15b0db44bed3fa/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Yesterday, I found a phishing sample that looked interesting:

From: [email protected][.]com
To: me
Subject: RE: Re: Proforma Invoice INV 075 2018-19 ’08
Reply-To: [email protected][.]com

Dear Respected Sir,
Please find the proforma invoice attached.

Kindly check and confirm.
Material will be dispatched with 5-7 working days.
Regards,
Armit Thakkar
Head Sales Development
Technovinyl Polymers India Ltd.
Filix 901 -C1, 9th Floor,
Opp. Asian Paints,
L.B.S.Road, Bhandup (W), 
Mumbai - 400 078, India
Mob: +91-9322266143
Ph: +91-22-61721888

There was an attached document “INV 075 2018-19.xlsx” (SHA256: abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624) with a score of 28/60 on VT[1]. When I opened the document, it presented a nice picture asking the victim to disable the default Office security feature:

But I also received an error message from Office about an application that could not be opened. Excel tried to spawn a new process:

EQNEDT32.EXE -Embedding

Google this and you will discover that the “Equation Editor” is an Office tool that helps to write cool equations:

This tool is very useful for mathematicians or engineers who must add complex equations in their documents but who install this in a malware analysis sandbox? This is a nice way to evade automated analysis. Once my sandbox fixed and the Equation Editor installed, I re-opened the document and, immediately, the Equation Editor was launched. It downloaded and executed the following payload:

http://216.170.114.195/klonnx.exe

(SHA256: 7fe5f06d04390dd22e1065491c43c33dbebd03400826897c814db8d10469a8eb – VT score: 41/69).

Once executed, the malware copies itself into %APPDATA%Roamingsvhostsvhost.exe

It schedules a task via schtasks.exe:

schtasks.exe /create /sc MINUTE /tn svhost.exe /MO 1 /tr "C:UsersadminAppDataRoamingsvhostsvhost.exe

But also creates a shortcut in: %APPDATA%RoamingMicrosoftWindowsStart MenuProgramsStartupsvhost.exe.url:

[InternetShortcut]
URL=file:///C:/Users/admin/AppData/Roaming/svhost/svhost.exe

The malware is a Razy trojan and it phones home to datalogsbackups[.]hopto[.]org (91.192.100.20) to port 2233.

The vulnerability exploited by this campaign is not new. It abuses the %%cve:2017-11882%% present in eqnedt32.exe[2].

[1] https://www.virustotal.com/#/file/abbdd98106284eb83582fa08e3452cf43e22edde9e86ffb8e9386c8e97440624/detection
[2] https://borncity.com/win/2017/11/28/hacker-are-misusing-cve-2017-11882-in-office-eqnedt32-exe/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

For vendors, the cybersecurity landscape is a nice place to make a very lucrative business. New solutions and tools are released every day and promise you to easily detect malicious activities on your networks. And it’s a recurring story. Once they have been implemented by many customers, vendors come back again with new version flagged as “2.0”, “NG” or “Next Generation”. Is it really useful or just a hype? I won’t start the debate but keep in mind that good old tools and protocols remain still very valuable today.

I was contacted by a company which had a security incident. Apparently, they suffer from an ongoing data leak and customers’ information are leaked to the competition. If you are working in this field and you need to investigate quickly, you probably already faced the following situation. I visited them and started to grab details about the infrastructure, the architecture and the key point: logs or any kind of data that could help to spot the source of the leak. You realise quickly that nothing or only a low amount of information is available. A good point, they had a bunch of logs extracted from the local resolver. Based on the DNS queries performed by the hosts, we were able to spot a compromised one. But not all of them were using the local resolver (yes, it was possible to use any public DNS) and some hosts might communicate directly with IP addresses…

My next question to them was: “Do you know the NetFfow protocol?”. No, they did not. NetFlow[1] is a very old protocol developed by Cisco in 1996(!). At the origin, it was developed for accounting reasons when the Internet was slow and subscription plans based on the amount of traffic you used (I’m feeling old now). A Cisco router/switch which has NetFlow enable (called an exporter) send UDP packets to a Netflow collector with the following details (resumed):

• timestamp (flow start)
• duration
• protocol
• source IP /port
• destination IP / port
• number of packets
• number of bytes

This information is very useful to spot malicious activity! Once you started to collect Netflow data you can easily generate stats like:

• Top speakers on the network
• Top destinations
• Top protocols (based on the port)
• Hosts talking to suspicious hosts (ex: located in a country where you don’t have business thanks to the GeoIP)
• Hosts talking a regular interval with a low amount of traffic (typically systems phoning home to their C2)
• Hosts starting to talk at night
• And many more…

Compared to a full packet capture, you won’t see the traffic payload but the amount of data is very low and you don’t need a very powerful computer to process them.

To collect NetFlow data, you just have to install a collector (nfdump[2] is the most known)

# apt-get install nfdump
# vi /etc/default/nfdump (change the value of nfcapd_start to “yes”)
# service nfdump start

Now, connect to your Cisco device and enable NetFlow:

Router(config)# ip flow-export  

The default port is 9996 and is the IP/FQDN of the server running the nfcapd daemon. Now, have a look at the nfdump command to extract interesting stats from the captured data. Note that many tools are able to digest NetFlow data. Logstash from the ELK stack is a good example[3]. This setup can be deployed in a few minutes and will give you a nice visibility of your network traffic to quickly spot a malicious behaviour.

Conclusion: “Old Generation” tools remain valuable when you need to investigate security incidents.

[1] https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html
[2] https://github.com/phaag/nfdump
[3] https://www.elastic.co/guide/en/logstash/current/netflow-module.html

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

https://www.vmware.com/security/advisories/VMSA-2018-0025.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft released patches for 48 vulnerabilities today and one advisory regarding a defense in depth update for Office. No Adobe updates are included so far, but Adobe has released updates to PDF Reader / Acrobat about a week ago.

Two vulnerabilities have been disclosed before:

CVE-2018-8531: A memory corruption vulnerability in the Azure IoT Device Client SDK (rated important)

CVE-2018-8432: A remote code execution vulnerability in the JET database engine (this issue was widely covered. It requires an attacker to convince the victim to open a malicious JET database file. Office products include JET).

CVE-2018-8453: This vulnerability, a privilege escalation issue in Win32k, was already exploited in the wild.

CVE-2018-8497: Another privilege escalation issues that was made public prior to today but not yet seen in exploits per Microsoft.

For a more detailed breakdown, see again Renato’s dashboard: https://patchtuesdaydashboard.com/

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.