Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

As early as Wednesday 2015-05-27, there have been more waves of malicious spam (malspam) spoofing myfax.com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day.

Background

Earlier on 2015-06-02, @Techhelplistcom tweeted about myfax malspam he'd found [1], and he posted links from these emails to pastebin [2].

I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax emails. Below is an example of the messages blocked by my organization.

[image]
Shown above: myfax-themed ...

The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's ...

[image]
Shown above: myfax-themed malspam from Thursday, ...

In a lab environment, those links ending with fax.php returned HTML with iframes ...

[image]

Unfortunately, I wasn't able to generate any Neutrino EK traffic. The domain names for the Neutrino URLs didn't ...

We saw the following fax.php URLs from the malspam:

  • www.faura-casas.com - GET /wp-content/plugins/feedweb_data/fax.php

We also found the following URLs for zip files from the malspam:



Indicators of compromise (IOC) from the infection traffic:


The image below shows Emerging Threats-based Snort events on the infection traffic using Security Onion. The events indicate a Fareit/Pony downloader infected the lab host with Graftor.

[image]

A sample of the Pony downloader was submitted to malwr.com at: https://malwr.com/analysis/ODExOWNlY2Y4N2QwNDhkNmE4YmFkODc2ODA3NzlkNDI/

A sample of the follow-up malware was also submitted to malwr.com at: https://malwr.com/analysis/OTc4MWY3OTdmZDZkNGYxMGJhNGRkMDAzOThlNmQ1NmI/

Post-infection traffic contains HTTP GET requests for a small image file with an image of Marlon Brando from the Godfather movies. Matthew Mesa found ...

[image]

The image contains some ASCII text for the last 1.4 KB or so of the file, which indicates ...

-artifacts.zip

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

Special thanks to Techhelplist and Matthew Mesa for their Twitter posts about this activity. Techhelplist also updated his blog entry about fake myfax emails with this recent information [4].

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/Techhelplistcom/status/605765844258287618
[2] http://pastebin.com/0WXz209K
[3] http://pastebin.com/x6U940wj
[4] https://techhelplist.com/index.php/spam-list/125-inbound-fax-fake-myfax-notification


 

GitHub has revoked an unknown number of cryptographic keys used to access accounts after a developer found they contained a catastrophic weakness that came to light some seven years ago.

The keys, which allow authorized users to log into public repository accounts belonging to the likes of Spotify, Yandex, and UK government developers, were generated using a buggy pseudo random number generator originally contained in the Debian distribution of Linux. During a 20-month span from 2006 to 2008, the pool of numbers available was so small that it made cracking the secret keys trivial. Almost seven years after Debian maintainers patched the bug and implored users to revoke old keys and regenerate new ones, London-based developer Ben Cartwright-Cox said he discovered the weakness still resided in a statistically significant number of keys used to gain secure shell (SSH) access to GitHub accounts.

"If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cartwright-Cox wrote in a blog post published Monday. "It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker."


 
NIST Director Willie May shown at the June 1, 2015, event in Washington D.C. together with Their Majesties King Willem-Alexander and Queen Máxima of The Netherlands. Credit: Peter Cutts/NIST
In a new blog post, Willie
 
 

IT PRO

Infosec 2015: Cloud location doesn't deter hackers, says Google chief
IT PRO
So claims Eran Feigenbaum, director of security for Google Apps, who said that where data resides has no bearing on how safe it is. Speaking at a keynote at this week's Infosec show in London, he asked delegates if they thought where data was stored ...
Data centre location is irrelevant to hackers, argues Google - V3.co.uk

 

Thanks to resistance from Senator Rand Paul and other members of the Senate, the provisions of the USA Patriot Act that were used to justify the National Security Administration's broad collection of phone call metadata have expired. The Senate leadership is now scrambling to pass legislation that will restore some of these provisions, though the phone metadata provision—Section 215 of the Patriot Act—will likely not be renewed as it stood prior to its expiration.

So what does that do to the NSA's surveillance capabilities from a technical standpoint? All it really does is change where phone records are retained—they're back at the telephone carriers. It may create some technical and administrative hurdles to gain access to records, but those are hurdles the NSA has likely already addressed.

Section 215 changed aspects of the Foreign Intelligence Surveillance Act to allow requests through the Foreign Intelligence Surveillance Court for secret warrants that would grant access to "certain business records" by the FBI—including individuals' library and medical records, book sales records, educational records, and other "tangible things" related to interactions with businesses and public institutions. The NSA's bulk collection of phone records was justified under this provision—the request was made jointly with the FBI, and the phone companies who were served with the warrants were compelled to provide the data directly to the NSA. Because of their secrecy, these warrants compelled those served with them not to reveal that they had turned over data.


 
[SECURITY] [DSA 3277-1] wireshark security update
 

IT PRO

Infosec 2015: More UK businesses than ever face data breaches as costs spiral
IT PRO
The number of security breaches suffered by UK companies has increased, according to a government-backed report. Unveiled at the Infosec conference in London this week, the 2015 Information Security Breaches Report found that nine-in-ten organisations ...
Do You Know How Much a Data Breach Would Cost Your Organization? - SYS-CON Media (press release)

 
Innovations in cloud computing, big data and cyber-physical systems are bringing dramatic changes to how we use information technology. But while these technologies promise important benefits for the nation's economy and security and ...
 
 

IT PRO

Infosec 2015: Power, money and propaganda are main aims of cyberattacks ...
IT PRO
GCHQ's cyber security chief warned that the nation's businesses are at risk of being attacked by criminals and terrorists whose main motivations are money, power and propaganda. Giving a keynote speech at the Infosec conference held in London this week ...
GCHQ gros fromage stays schtum on Snowden and snooping - The Register
GCHQ 'genuinely surprised' at scale and scope of cyberattacks against UK - International Business Times UK
GCHQ launches cybersecurity consultancy to help reduce vulnerabilities in ... - The Stack
SC Magazine UK - Belfast Telegraph
 
WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability
 
LinuxSecurity.com: The export cipher suites have been disabled in OpenSSL.
 
LinuxSecurity.com: ipsec-tools could be made to crash if it received specially crafted network traffic.
 
LinuxSecurity.com: Security update to make libinfinity properly check certificates: https://github.com/gobby/gobby/issues/61
 
LinuxSecurity.com: The 4.0.4-202 update contains a fix for a namespace crash issue.
 
LinuxSecurity.com: Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
 
 
LinuxSecurity.com: The 4.0.4-303 update contains a fix for a namespace crash issue.
 
LinuxSecurity.com: Fix CVE-2015-3202.
 
LinuxSecurity.com: Zend Framework 1.12.13
  • 567: Cast int and float to string when creating headers
Zend Framework 1.12.12
  • 493: PHPUnit not being installed
  • 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
  • 513: Save time and space when cloning PHPUnit
  • 515: !IE conditional comments bug
  • 516: Zend_Locale does not honor parentLocale configuration
  • 518: Run travis build also on PHP 7 builds
  • 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
  • 536: Zend_Measure_Number convert some decimal numbers to roman with space char
  • 537: Extend view renderer controller fix (#440)
  • 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
  • 541: Fixed errors in tests on PHP7
  • 542: Correctly reset the sub-path when processing routes
  • 545: Fixed path delimiters being stripped by chain routes affecting later routes
  • 546: TravisCI: Skip memcache(d) on PHP 5.2
  • 547: Session Validators throw 'general' Session Exception during Session start
  • 550: Notice "Undefined index: browser_version"
  • 557: doc: Zend Framework Dependencies table unreadable
  • 559: Fixes a typo in Zend_Validate messages for SK
  • 561: Zend_Date not expected year
  • 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation
Security
  • ZF2015-04: Zend_Mail and Zend_Http were both susceptible to CRLF injection attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.
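To show what the ZF2015-04 header-value validation guards against, here is an added Python example (written for this page, not Zend Framework's own code) in which an unvalidated value carrying a CRLF splits one Location header into two, while a strict check raises and a filter strips the offending bytes. All function names and the sample value are constructed for the illustration.

```python
import re

# RFC 7230 header field-name: a token. Anything else (spaces, colons, CR/LF)
# cannot be a header name and must be rejected before serialisation.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the wire format."""


def is_valid_header_name(name):
    return bool(_TOKEN_RE.match(name))


def _allowed_in_value(ch):
    # RFC 7230 field-value characters: HTAB, visible ASCII and obs-text (0x80+).
    # CR, LF, NUL and the remaining controls are excluded, which is exactly
    # what stops a value from starting a new header line.
    code = ord(ch)
    return ch == "\t" or 0x20 <= code <= 0x7E or code >= 0x80


def is_valid_header_value(value):
    return all(_allowed_in_value(ch) for ch in value)


def filter_header_value(value):
    """Lenient variant: drop forbidden characters instead of rejecting the value."""
    return "".join(ch for ch in value if _allowed_in_value(ch))


def render_headers(headers, validate=True):
    """Serialise (name, value) pairs into a raw header block.

    validate=False reproduces the pre-fix behaviour: the value is copied
    verbatim, so an embedded CRLF turns one header into two on the wire.
    """
    lines = []
    for name, value in headers:
        if validate:
            if not is_valid_header_name(name):
                raise HeaderInjectionError("bad header name: %r" % name)
            if not is_valid_header_value(value):
                raise HeaderInjectionError("control character in header %s" % name)
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def header_lines(raw):
    """Split a raw header block back into the lines a client would parse."""
    return [line for line in raw.split("\r\n") if line]


# Constructed sample: a redirect target taken from untrusted input that
# carries CRLF followed by a second, attacker-chosen header.
INJECTED_TARGET = "/account\r\nSet-Cookie: session=attacker"
```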
 
 

[Guest Diary: Xavier Mertens] Playing with IP Reputation with DShield

When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a WordPress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: an attack performed from an IP address reported as actively scanning the Internet will attract less (if any) of my attention. On the contrary, if the same kind of attack is coming from an unknown IP address, this could be more suspicious.

By using a reputation system, our monitoring tool can tag an IP address with a label like "reported as malicious" based on a repository. The real value of this repository depends directly on the value of the collected information. I'm a big fan of dshield.org (https://www.dshield.org), a free service provided by the SANS Internet Storm Center. Such a service works thanks to the data submitted by many people across the Internet. For years, I have also been pushing my firewall logs to dshield.org from my OSSEC server. I wrote a tool to achieve this: ossec2dshield (https://github.com/xme/ossec2dshield). Having contributed to the system, it's now time to get some benefit from my participation: I'm re-using the database to automatically check the reputation of the IP addresses attacking me. We come full circle!

To achieve this, let's use the API (https://isc.sans.edu/api/) provided on isc.sans.org and the OSSEC (http://www.ossec.net) feature called Active-Response, which allows a script to be triggered upon a set of conditions. In this example, we call the reputation script with our attacker's address for any alert with a level = 6.

(Check the Active-Response documentation (http://ossec-docs.readthedocs.org/en/latest/manual/ar/) for details.)

The ISC API can be used to query information about an IP address. The returned results look like this:
$ wget -O - -q https://isc.sans.edu/api/ip/195.154.243.219?json
{"ip":{"abusecontact":"unknown","number":"195.154.243.219","country":" FR ","as":"12876 ","asname":" AS12876 ONLINE S.A.S.,FR","network":" 195.154.0.0\/16 ","comment":null}}
The most interesting fields are:
  • count - the number of times the IP address has been reported as an attacker
  • attacks - the number of targeted IP addresses
  • mindate - the first report
  • maxdate - the last report
The script isc-ipreputation.py can be used from the command line or from an OSSEC Active-Response configuration block. To reduce the number of requests against the API, a SQLite database is created and populated with a local copy of the data. Existing IP addresses will be checked again after a specified TTL (time-to-live), by default 5 days. Data are also dumped to a flat file or to Syslog for further processing by another tool. Here is an example of an entry:
$ tail -f /var/log/ipreputation.log
[2015-05-27 23:30:07,769] DEBUG No data found, fetching from ISC
[2015-05-27 23:30:07,770] DEBUG Using proxy: 192.168.254.8:3128
[2015-05-27 23:30:07,772] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)
[2015-05-27 23:30:09,760] DEBUG No data found, fetching from ISC
[2015-05-27 23:30:09,761] DEBUG Using proxy: 192.168.254.8:3128
[2015-05-27 23:30:09,762] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)
[2015-05-27 23:30:10,138] DEBUG Saving 178.119.0.173
[2015-05-27 23:30:10,145] INFO IP=178.119.0.173, AS=6848(TELENET-AS Telenet N.V.,BE), Network=178.116.0.0/14, Country=BE, Count=148, AttackedIP=97, Trend=0, FirstSeen=2015-04-21, LastSeen=2015-05-27, Updated=2015-05-27 18:37:15
In this example, you can see that this IP address started to attack on the 21st of April. It was reported 148 times while attacking 97 different IP addresses (this IP is certainly part of a botnet).

The script can be configured with a YAML configuration file (defaulting to /etc/isc-ipreputation.conf) which is very easy to understand:
logging:
  debug: yes
database:
  path: /data/ossec/logs/isc-ipreputation.db
network:
  exclude-ip: 192\.168\..*|172\.16\..*|10\..*|fe80:.*
  ttl-days: 5
http:
  proxy: 192.168.254.8:3128
  user-agent: isc-ipreputation/1.0 (blog.rootshell.be)
Finally, the SQLite database can be used to get interesting statistics. For example, to get the top 10 suspicious IP addresses that attacked me (and their associated country):
$ sqlite3 isc-ipreputation.db
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>
61.240.144.66|4507455|32533|CN
218.77.79.43|2947146|63295|CN
61.240.144.65|2408418|24185|CN
61.240.144.64|1947038|22054|CN
61.240.144.67|1759210|25421|CN
184.105.139.67|1678608|63055|US
61.160.224.130|1553361|62140|CN
61.183.128.6|1385025|13829|CN
61.160.224.129|1312580|15202|CN
61.160.224.128|1209176|61006|CN
sqlite>
It is also very easy to generate dynamic lists of IP addresses (or CDB lists (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html), as OSSEC calls them). The following command will generate a CDB list with my top 10 malicious IP addresses:
$ sqlite3 isc-ipreputation.db \
do
echo $IP:Suspicious
done > /data/ossec/lists/bad-ips
$ cat /data/ossec/lists/bad-ips
61.240.144.66:Suspicious
218.77.79.43:Suspicious
61.240.144.65:Suspicious
61.240.144.64:Suspicious
61.240.144.67:Suspicious
184.105.139.67:Suspicious
61.160.224.130:Suspicious
61.183.128.6:Suspicious
61.160.224.129:Suspicious
61.160.224.128:Suspicious
$ ossec-makelists
* File lists/bad-ips.cdb needs to be updated
Based on this list, you can add more granularity to your alerts by correlating the attacks with the CDB list. Note that dshield.org offers a recommended block list (http://feeds.dshield.org/block.txt) ready to be used. A few months ago, Richard Porter (http://www.twitter.com/packetalien) explained how (https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365) to integrate one of them in a Palo Alto Networks firewall. This is a great resource, but I think that both are complementary.
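As an added illustration of the flow described above (the API lookup, the SQLite cache with its 5-day TTL, the log entry, the top-10 query and the CDB list), the following Python is example code written for this page, not the isc-ipreputation.py script itself. It works offline against a constructed sample of an API reply, so the fetch function, the table layout and all helper names are assumptions.

```python
import json
import re
import sqlite3
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"      # same form as the Updated= field in the log above
FIELDS = ("ip", "count", "attacks", "country", "first_seen", "last_seen", "updated")

# Constructed sample of an ISC API reply using the field names shown on the page;
# the real script fetches https://isc.sans.edu/api/ip/<address>?json instead.
SAMPLE_ISC_REPLY = json.dumps({"ip": {
    "number": "178.119.0.173", "count": "148", "attacks": "97",
    "mindate": "2015-04-21", "maxdate": "2015-05-27", "as": "6848",
    "asname": "TELENET-AS Telenet N.V.,BE", "network": "178.116.0.0/14", "country": " BE "}})

# Same exclusion pattern as the page's YAML config: private ranges are never queried.
EXCLUDE_IP = re.compile(r"192\.168\..*|172\.16\..*|10\..*|fe80:.*")


def parse_isc_reply(raw):
    """Flatten the API JSON into one record; absent count/attacks mean 'never reported'."""
    ip = json.loads(raw)["ip"]
    return {"ip": ip["number"], "count": int(ip.get("count") or 0),
            "attacks": int(ip.get("attacks") or 0),
            "country": (ip.get("country") or "").strip(),
            "first_seen": ip.get("mindate"), "last_seen": ip.get("maxdate")}


def open_db(path=":memory:"):
    """Local cache; the script keeps it on disk (see database.path in the config)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS reputation (ip TEXT PRIMARY KEY, count INTEGER,"
                 " attacks INTEGER, country TEXT, first_seen TEXT, last_seen TEXT, updated TEXT)")
    return conn


def lookup(conn, ip, fetch, ttl_days=5, now=None):
    """Return the record for ip, calling fetch(ip) only when the cached copy is older than the TTL."""
    if EXCLUDE_IP.match(ip):
        return None
    now = now or datetime.now().strftime(TIME_FMT)
    row = conn.execute("SELECT %s FROM reputation WHERE ip = ?" % ", ".join(FIELDS), (ip,)).fetchone()
    if row:
        age = datetime.strptime(now, TIME_FMT) - datetime.strptime(row[6], TIME_FMT)
        if age < timedelta(days=ttl_days):
            return dict(zip(FIELDS, row))          # fresh enough: no API request
    rec = parse_isc_reply(fetch(ip))
    rec["updated"] = now
    conn.execute("INSERT OR REPLACE INTO reputation VALUES (?, ?, ?, ?, ?, ?, ?)",
                 tuple(rec[f] for f in FIELDS))
    conn.commit()
    return rec


def log_line(rec):
    """One INFO entry in the same layout as the ipreputation.log sample above."""
    return ("IP=%(ip)s, Country=%(country)s, Count=%(count)d, AttackedIP=%(attacks)d, "
            "FirstSeen=%(first_seen)s, LastSeen=%(last_seen)s, Updated=%(updated)s" % rec)


def top_attackers(conn, n=10):
    """The page's top-10 query: most-reported addresses with hit count, targets and country."""
    return conn.execute("SELECT ip, count, attacks, country FROM reputation "
                        "ORDER BY count DESC LIMIT ?", (n,)).fetchall()


def cdb_lines(rows, label="Suspicious"):
    """Entries for an OSSEC CDB list file, in the ip:label form the page generates."""
    return ["%s:%s" % (row[0], label) for row in rows]
```

Writing cdb_lines(top_attackers(conn)) to the list file and running ossec-makelists gives the same result as the shell loop above, with the TTL keeping API traffic down.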

The script is available on my GitHub repository (https://github.com/xme/toolbox/blob/master/isc-ipreputation.py).

"If the enemy leaves a door open, you must rush in."
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2
 
vfront-0.99.2 CSRF & Persistent XSS
 
Enhanced SQL Portal 5.0.7961 XSS Vulnerability
 
Freebox OS Web interface 3.0.2 XSS, CSRF
 

The Register

Thousands of 'lost data' reports mean we should ARM the ICO, says infosec bod
The Register
Infosec 2015 Thefts and losses of computers and laptops often go unreported to data privacy watchdogs and could represent a huge hidden risk for the leak of confidential data, according to new research. The Information Commissioner's Office received 1 ...

 
t2'15: Call for Papers 2015 (Helsinki / Finland)
 
Internet Storm Center Infocon Status