(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

ISC reader Renato Marinho wrote in with some interesting observations out of Brazil over the last couple of days. For about 30 minutes on January 3rd, google.com.br did not point to Google's IP space: its nameservers had been changed to ns1-leader.vivawebhost.com and ns2-leader.vivawebhost.com. The issue was discovered and corrected relatively quickly, but it still shows the risk that hijacked registrant account access poses for enterprises. You can read Renato's write-up on LinkedIn.

This is a reminder that if an attacker controls DNS, they control everything, and if they control your domain registrant account, they control DNS. This attack was crude and easy to discover, but the same technique could just as easily be used to set up a quiet man-in-the-middle attack, with TLS as the only mitigating control in the way. Note that an attacker who controls DNS can often pass a CA's domain-validation check and obtain a certificate for the hijacked name, so TLS is only a partial mitigation. Make sure your domain registrar accounts have strong passwords and require two-factor authentication, and monitor your own delegation so a change like this is noticed in minutes rather than by accident.
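The kind of delegation monitor that would have caught this, as an added example (this is not code from the diary or from Google): it compares the NS and A records a resolver actually returns for a domain against an allowlist of expected nameservers and address ranges. The expected values below (ns1-ns4.google.com and two address blocks) and the 203.0.113.10 sample address are assumptions for illustration; substitute your own domain's real values. The rogue nameserver names are the ones reported in the diary.

```python
"""Check a domain's delegation and addresses against an allowlist.

Added example, not from the ISC diary. EXPECTED holds assumed values for
google.com.br used only for illustration; replace with your own domain's.
"""
import ipaddress
import subprocess

EXPECTED = {
    "google.com.br": {
        "ns": {"ns1.google.com.", "ns2.google.com.",
               "ns3.google.com.", "ns4.google.com."},
        # Assumed address ranges, for illustration only.
        "a": [ipaddress.ip_network("172.217.0.0/16"),
              ipaddress.ip_network("216.58.192.0/19")],
    },
}


def normalize(name):
    """Lower-case and add the trailing dot so 'NS1.Google.com' == 'ns1.google.com.'."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_short(output):
    """Turn `dig +short` output (one record per line) into a list of strings."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def resolve_with_dig(domain, rrtype):
    """Live lookup through the system `dig` binary; not used by the offline demo."""
    out = subprocess.run(["dig", "+short", rrtype, domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_short(out)


def check_delegation(domain, observed_ns, observed_a, expected=EXPECTED):
    """Return a list of (code, detail) findings; an empty list means healthy.

    rogue_ns         an NS record that is not in the allowlist (the hijack case)
    missing_ns       an allowlisted NS record the resolver did not return
    ip_outside_range an A record outside the expected address ranges
    """
    want = expected[domain]
    findings = []
    seen = {normalize(n) for n in observed_ns}
    rogue = sorted(seen - want["ns"])
    missing = sorted(want["ns"] - seen)
    if rogue:
        findings.append(("rogue_ns", f"{domain} delegated to {rogue}"))
    if missing:
        findings.append(("missing_ns", f"{domain} missing {missing}"))
    for addr in observed_a:
        ip = ipaddress.ip_address(addr.strip())
        if not any(ip in net for net in want["a"]):
            findings.append(("ip_outside_range", f"{domain} -> {ip}"))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the diary's hijack: the NS names are the ones
    # reported; the address is a documentation IP, not the real rogue one.
    hijacked_ns = parse_short("ns1-leader.vivawebhost.com.\nns2-leader.vivawebhost.com.\n")
    hijacked_a = parse_short("203.0.113.10\n")
    for code, detail in check_delegation("google.com.br", hijacked_ns, hijacked_a):
        print(f"ALERT {code}: {detail}")
```

Run it from cron against a resolver you trust (and, separately, against the parent zone's servers with `dig +norecurse`, since a registrar-level change shows up at the parent first); any non-empty result is worth a page.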

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity


If you're looking to build your own malware lab using open-source tools to take your GREM skills to the next level, take a look at Robert Simmons of ThreatConnect's talk at VirusBulletin from a few months ago. There is a brief paper, but the video is what you want to look at if you are new to all this. In essence, the lab is built from the following components: Cuckoo Sandbox (with some modifications), Volatility (for memory analysis), Thug (for a low-interaction honeyclient), and Bro (for network analysis). It would probably take only half a day of your time to set up, and you can then be off to the races analyzing malware that's fresh off the wire.

A couple of notes: always be sure to do this from a non-attributed network (i.e., not your company's). Sandboxing involves running actual malware, so it will set off the IDS. Many of my sandbox systems run behind a pfSense firewall that connects to a commodity VPN, so I can't easily be directly tied to things; this also has the advantage of letting me change what country I appear to be in, as malware may behave differently when it thinks it is running in different countries.
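A check worth running before the first sample detonates, as an added example that is not from the diary: whether the box terminating the VPN really sends everything through the tunnel. The diary uses pfSense in front of the sandboxes; this example assumes instead a Linux host running the VPN client itself, with the tunnel on `tun0` and the VPN server at 203.0.113.7 (both assumed). It parses the text of `ip route show` and `/etc/resolv.conf` and flags a default route that bypasses the tunnel, routes to public space over the physical NIC (other than the required host route to the VPN server), and nameservers that are not reached through the tunnel. It also recognises the OpenVPN `redirect-gateway def1` style, where the original default route stays but 0.0.0.0/1 and 128.0.0.0/1 are pushed over the tunnel.

```python
"""Audit a sandbox host's routing table and resolvers for VPN leaks.

Added example, not from the ISC diary. Assumes a Linux host that runs the
VPN client, tunnel interface tun0, VPN server 203.0.113.7 (all assumed).
"""
import ipaddress

DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(route_text):
    """Parse `ip route show` lines into (destination network, dev, via) tuples."""
    routes = []
    for line in route_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue  # 'blackhole', 'unreachable' and similar lines are ignored
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        via = tokens[tokens.index("via") + 1] if "via" in tokens else None
        routes.append((net, dev, via))
    return routes


def audit_routes(route_text, vpn_if="tun0", vpn_endpoint="203.0.113.7"):
    """Return (code, detail) findings; an empty list means all traffic exits via the VPN."""
    routes = parse_routes(route_text)
    endpoint = ipaddress.ip_address(vpn_endpoint)
    vpn_nets = {net for net, dev, _ in routes if dev == vpn_if}
    def1 = DEF1_HALVES <= vpn_nets  # both /1 halves pushed over the tunnel
    findings = []
    default_seen = False
    for net, dev, via in routes:
        if net.prefixlen == 0:
            default_seen = True
            if dev != vpn_if and not def1:
                findings.append(("default_not_via_vpn", f"default dev {dev} via {via}"))
            continue
        if dev == vpn_if:
            continue
        # The host route to the VPN server over the physical NIC is required.
        if net.num_addresses == 1 and net.network_address == endpoint:
            continue
        # Any other route to public space that bypasses the tunnel is a leak.
        if not net.is_private:
            findings.append(("public_route_bypasses_vpn", f"{net} dev {dev}"))
    if not default_seen and not def1:
        findings.append(("no_default_route", "no default route at all (kill switch engaged?)"))
    return findings


def audit_resolvers(resolv_text, allowed_networks):
    """Flag nameservers outside the tunnel-side networks (a DNS leak)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            ip = ipaddress.ip_address(parts[1])
            if not any(ip in n for n in nets):
                findings.append(("dns_leak", f"nameserver {ip} not reached via VPN"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a leaking host whose default route and a pinned
    # route to 8.8.8.8 both go out eth0 instead of the tunnel.
    LEAKY = ("default via 192.168.1.1 dev eth0 proto dhcp metric 100\n"
             "8.8.8.8 via 192.168.1.1 dev eth0\n"
             "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50\n")
    for code, detail in audit_routes(LEAKY):
        print(f"LEAK {code}: {detail}")
    for code, detail in audit_resolvers("nameserver 192.168.1.1\n", ["10.8.0.0/24"]):
        print(f"LEAK {code}: {detail}")
```

Wire the route check into whatever starts the VPN (or run it from cron) and refuse to boot the sandbox VMs if it returns anything; the country-switching trick the diary mentions only helps if the exit is in fact the tunnel.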

Take a look and let us know if you find more interesting things out there with your malware hunting efforts.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

phpMyAdmin CVE-2016-6618 Denial of Service Vulnerability
 
phpMyAdmin CVE-2016-6617 SQL-Injection Vulnerability
 
[SECURITY] [DSA 3753-1] libvncserver security update
 
[SECURITY][UPDATE] CVE-2016-8745 Apache Tomcat Information Disclosure
 
ESA-2016-157: EMC ScaleIO Multiple Vulnerabilities
 
Linux Kernel 'path_openat()' Function Use After Free Memory Corruption Vulnerability
 
Linux Kernel 'mm/memory.c' Local Code Execution Vulnerability
 
IBM BigFix Platform CVE-2016-6084 Denial of Service Vulnerability
 
Google Pixel Binder CVE-2016-8468 Privilege Escalation Vulnerability
 
IBM UrbanCode Deploy CVE-2016-9008 Security Bypass Vulnerability
 
Google Android One Qualcomm Radio Driver CVE-2016-5345 Privilege Escalation Vulnerability
 
IBM BigFix Inventory CVE-2016-8963 Local Information Disclosure Vulnerability
 
Google Android Synaptics CVE-2016-8458 Privilege Escalation Vulnerability
 
Google Android Synaptics Touchscreen Driver CVE-2016-8451 Privilege Escalation Vulnerability
 
Pivotal GemFire for PCF CVE-2016-9885 Remote Privilege Escalation Vulnerability
 
Linux Kernel CVE-2016-9754 Local Integer Overflow Vulnerability
 
Drupal Doubleclick for Publishers Module Multiple Cross Site Scripting Vulnerabilities
 
Google Nexus Qualcomm Wi-Fi Driver CVE-2016-8452 Privilege Escalation Vulnerability
 
Multiple Google Devices Qualcomm Sound Driver CVE-2016-8450 Privilege Escalation Vulnerability
 