Hackin9

(credit: @ChelseaGatesTV)

Online miscreants took over the National Football League's Twitter account and used it to falsely report the death of league commissioner Roger Goodell.

During the brief span that @NFL was taken over, it followed exactly one new Twitter account—specifically, @IDissEverything, which has now been suspended. Before the account was suspended, it claimed the password protecting the NFL Twitter feed was "olsen3culvercam88." The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after "someone managed to get into the email of a social media staffer at the NFL, where we found the credentials in a message." It's still not clear how the group got access to the e-mail account.

Tuesday's breach was only the latest one to affect a high-profile Twitter user. Facebook founder and CEO Mark Zuckerberg recently saw his dormant Twitter account taken over by someone who discovered its password—"dadada"—was the same one that protected his LinkedIn account. Zuckerberg's LinkedIn account, in turn, had been compromised in a 2012 breach of the career networking site. Other celebrities, including Katy Perry, Lana Del Rey, and Kylie Jenner have also reportedly had their Twitter accounts taken over in recent days.


 

Introduction

By Monday 2016-06-06, the pseudo-Darkleech campaign began using Neutrino exploit kit (EK) to send CryptXXX ransomware [1]. Until then, I'd only seen Angler EK distribute CryptXXX. However, this is not the first time we've seen campaigns associated with ransomware switch between Angler EK and Neutrino EK [2, 3, 4, 5]. It was documented as early as August 2015 [2]. This can be confusing, especially if you're expecting Angler EK. Campaigns can (and occasionally do) switch EKs.

For an explanation of EK fundamentals, see this blog post.

On Tuesday 2016-06-07, I found a compromised website with injected script from two different campaigns: pseudo-Darkleech and EITest. On that day, both campaigns were distributing CryptXXX ransomware. In today's diary, we examine two examples of Neutrino EK triggered by the same compromised website. One example starts with pseudo-Darkleech script, and the other starts with EITest script. Pcaps for today
Shown above: Flow chart for one website compromised by two campaigns.

Of note, I've never seen both infections at the same time. I've only generated EK traffic from one campaign or the other. Injected script from the pseudo-Darkleech campaign tends to prevent injected script by other campaigns from running.

Development and spread of CryptXXX

Below is a timeline documenting the development of CryptXXX and its spread from pseudo-Darkleech to other campaigns. It's not a complete list of everything about CryptXXX, but it provides a general outline.

  • 2016-04-16, Proofpoint reports the first sightings of CryptXXX ransomware [6]
  • 2016-04-23, ISC diary describes pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections [7]
  • 2016-04-28, PaloAlto Networks reports Afraidgate campaign switched from sending Locky to sending CryptXXX [8]
  • 2016-05-09, Proofpoint issues another report on CryptXXX, now at version 2 [9]
  • 2016-05-24, BleepingComputer reports CryptXXX updated to version 3 [10]
  • 2016-06-01, New decryption instructions indicate version 3 of CryptXXX may actually be named UltraCrypter [11, 12]
  • 2016-06-03, Proofpoint posts update about CryptXXX, now at version 3.1 [13]
  • 2016-06-05, EITest campaign noted sending CryptXXX through Angler EK [14]

Proofpoint's most recent entry lists the version history of CryptXXX from 1.001 on April 16th to version 3.100 on May 26th.

Shown above: Traffic from EITest Neutrino EK filtered in Wireshark.

The filter used in the above two images was: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)

Indicators of compromise (IOCs) from the traffic follow:

  • 45.32.183.118 port 80 - ktljl.g3alead.top - Neutrino EK (pseudo-Darkleech campaign)
  • 85.93.0.72 port 80 - nulesz.tk - EITest flash redirect
  • 45.32.183.118 port 80 - vnogjnbaf.c0ecompare.top - Neutrino EK (EITest campaign)
  • 45.32.183.118 port 80 - zijkhhcsrd.c0ecompare.top - Neutrino EK (EITest campaign)
  • 188.0.236.7 port 443 - CryptXXX callback traffic (custom encoding)
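The filter and the IOC list above, worked through as an added example that is not part of the diary: a stdlib-only Python script that parses a classic pcap by hand, applies the equivalent of the Wireshark display filter (HTTP requests, plus SYNs to ports other than 80), and tags whatever survives with the diary's domains and IPs. The sample capture is constructed inline (the victim address, ports and payloads are made up; only the IOCs come from the diary), and "http.request" is approximated by the payload starting with a request method, since Wireshark itself only dissects HTTP on the ports it knows about.

```python
"""Re-implement the diary's Wireshark filter and tag hits with its IOCs.
Added example, not code from the diary.  Stdlib only: the pcap (link type 1,
Ethernet/IPv4/TCP) is parsed by hand; the sample capture below is constructed."""
import struct
from dataclasses import dataclass

# IOCs as listed in the diary; everything else in this file is an assumption.
IOC_DOMAINS = {
    "ktljl.g3alead.top": "Neutrino EK (pseudo-Darkleech campaign)",
    "nulesz.tk": "EITest flash redirect",
    "vnogjnbaf.c0ecompare.top": "Neutrino EK (EITest campaign)",
    "zijkhhcsrd.c0ecompare.top": "Neutrino EK (EITest campaign)",
}
IOC_IPS = {"45.32.183.118": "Neutrino EK", "85.93.0.72": "EITest flash redirect",
           "188.0.236.7": "CryptXXX callback"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int      # raw TCP flag byte; 0x02 is SYN only
    payload: bytes


def parse_pcap(data):
    """Yield a Segment for every Ethernet/IPv4/TCP frame in a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                  # not IPv4, or truncated
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                  # not TCP
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_off = (frame[tcp + 12] >> 4) * 4
        yield Segment(".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
                      sport, dport, frame[tcp + 13], frame[tcp + data_off:])


def matches_filter(seg):
    """Python equivalent of: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002).
    The SYN clause is what surfaces an EK or callback on a port Wireshark would not
    dissect as HTTP; http.request is approximated by a request method in the payload."""
    http_request = seg.payload.startswith(HTTP_METHODS)
    syn_to_nonstandard_port = seg.flags == 0x02 and 80 not in (seg.sport, seg.dport)
    return http_request or syn_to_nonstandard_port


def http_host(payload):
    """Return the lower-cased Host header of an HTTP request, or None."""
    for line in payload.split(b"\r\n")[1:]:
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode("ascii", "replace").lower()
    return None


def triage(pcap_bytes):
    """Apply the filter and tag each surviving segment with the IOCs it matches."""
    hits = []
    for seg in parse_pcap(pcap_bytes):
        if not matches_filter(seg):
            continue
        host = http_host(seg.payload) if seg.payload.startswith(HTTP_METHODS) else None
        tags = [IOC_DOMAINS[host]] if host in IOC_DOMAINS else []
        if seg.dst in IOC_IPS:
            tags.append(IOC_IPS[seg.dst])
        hits.append({"src": seg.src, "dst": seg.dst, "dport": seg.dport, "host": host, "tags": tags})
    return hits


# --- constructed sample capture (not one of the diary's pcaps) --------------------
def _frame(src, dst, sport, dport, flags, payload=b""):
    ip = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip(src), ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ipv4 + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


VICTIM = "192.168.1.100"   # made-up victim host
SAMPLE_PCAP = _pcap([
    _frame(VICTIM, "45.32.183.118", 49152, 80, 0x02),                 # SYN to port 80: dropped
    _frame(VICTIM, "45.32.183.118", 49152, 80, 0x18,                  # Neutrino EK request
           b"GET /x HTTP/1.1\r\nHost: ktljl.g3alead.top\r\n\r\n"),
    _frame(VICTIM, "188.0.236.7", 49153, 443, 0x02),                  # SYN to 443: surfaced
    _frame(VICTIM, "188.0.236.7", 49153, 443, 0x18, b"\x9a\x1f\x00"), # custom encoding: dropped
    _frame(VICTIM, "198.51.100.10", 49154, 80, 0x18,                  # ordinary web traffic
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
])

if __name__ == "__main__":
    for hit in triage(SAMPLE_PCAP):
        print(hit)
```

Against a real capture, `triage(open(path, "rb").read())` gives the same view as the Wireshark filter, and a SYN to a non-standard port that matches no IOC is still worth a look: that is exactly the traffic the second clause of the filter exists to surface.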

In both cases, Neutrino EK delivered CryptXXX ransomware as a DLL file. As usual with CryptXXX infections, we saw C:\Windows\System32\rundll32.exe copied to the same folder as the CryptXXX DLL file.

Shown above: The CryptXXX DLL file and rundll32.exe copied and renamed as explorer.exe.

The two CryptXXX DLL files from these infections are:

  • 2016-06-07-EITest-Neutrino-EK-payload-CryptXXX.dll (419 kB) - VirusTotal link
    SHA256: d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b
  • 2016-06-07-pseudoDarkleech-Neutrino-EK-payload-CryptXXX.dll (440 kB) - VirusTotal link
    SHA256: 75a927e636c788b7e54893161a643c258fecbbf47d6e7308d3439091aa3ce534
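The renamed rundll32.exe and the two DLL hashes above, as an added example that is not from the diary: host-side checks a responder could run over process-creation telemetry and a file-hash inventory. Field names follow Sysmon's ProcessCreate event (Image, OriginalFileName, CommandLine), but the events, the victim paths and the DLL name payload.dll are constructed for the example; only the two SHA256 values come from the diary.

```python
"""Host-side checks for the pattern the diary describes: rundll32.exe copied next to
the CryptXXX DLL and renamed explorer.exe.  Added example, not code from the diary.
Field names follow Sysmon's ProcessCreate event, but every event and path below is
made up; only the two SHA256 values are taken from the diary's payload list."""
import ntpath
import re

KNOWN_CRYPTXXX_DLLS = {  # SHA256 -> which infection in the diary dropped it
    "d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b": "EITest / Neutrino EK payload",
    "75a927e636c788b7e54893161a643c258fecbbf47d6e7308d3439091aa3ce534": "pseudo-Darkleech / Neutrino EK payload",
}
SYSTEM_ROOT = r"c:\windows"
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
DLL_ARG = re.compile(r'"?([^"\s]+\.dll)"?(?=[,\s])', re.I)   # "x.dll,Entry" or "x.dll Entry"


def assess_process(event):
    """Return findings (a list of strings) for one process-creation event; [] means clean."""
    image = event["Image"]
    base, folder = ntpath.basename(image).lower(), ntpath.dirname(image).lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # explorer.exe belongs in %SystemRoot%; CryptXXX's copy lives next to the DLL.
    if base == "explorer.exe" and folder != SYSTEM_ROOT:
        findings.append("explorer.exe running from outside %SystemRoot%: " + image)
    # The PE version resource still says RUNDLL32.EXE after the file is renamed.
    if original == "rundll32.exe" and base != "rundll32.exe":
        findings.append("rundll32.exe renamed to " + base)
    # rundll32 (whatever it is called on disk) loading a DLL from a user-writable path.
    m = DLL_ARG.search(event.get("CommandLine", "") + " ")
    if original == "rundll32.exe" and m and USER_WRITABLE.match(m.group(1)):
        findings.append("rundll32 loading a DLL from a user-writable path: " + m.group(1))
    return findings


def assess_file(path, sha256_hex):
    """Return a label if the file's SHA256 is one of the diary's CryptXXX DLLs, else None."""
    label = KNOWN_CRYPTXXX_DLLS.get(sha256_hex.lower())
    return f"{path}: {label}" if label else None


# Constructed sample telemetry (not from the diary's infected hosts).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r"C:\Windows\Explorer.EXE"},                      # the real shell
    {"Image": TEMP + r"\explorer.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": f'"{TEMP}\\explorer.exe" {TEMP}\\payload.dll,Start'},  # CryptXXX pattern
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},      # legitimate rundll32 use
]
SAMPLE_FILES = [
    (TEMP + r"\payload.dll", "d322e664f5c95afbbc1bff3f879228b40b8edd8e908b95a49f2eb87b9038c70b"),
    (r"C:\Windows\System32\kernel32.dll", "0" * 64),   # placeholder hash, not a real one
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", assess_process(ev) or "clean")
    for path, digest in SAMPLE_FILES:
        print(path, "->", assess_file(path, digest) or "clean")
```

The OriginalFileName check is the durable one: the hashes identify these two samples only, and the folder check is defeated by a copy dropped under a system path, but renaming rundll32.exe does not change the name baked into its version resource.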

CryptXXX will have different domains in the decryption instructions depending on the campaign it came from. In the two images below, you

Shown above: Using tcpreplay on one of the pcaps in Security Onion.

Neutrino EK was documented using Flash exploits based on CVE-2016-4117 effective against Adobe Flash Player up to version 21.0.0.213 [15]. Post-infection traffic for CryptXXX is similar to what we've seen before. Overall, we found no real surprises from these infections.

Shown above: CryptXXX callback traffic from one of the infections.

As noted earlier, EmergingThreats has a rule for CryptXXX callback traffic.

The only big change? Neutrino EK now sticks to port 80. Before October or November of 2015, Neutrino EK almost always used a non-standard port for its HTTP traffic. Since then, it's consistently used TCP port 80 (like every other EK I currently see).

How can people protect themselves against Neutrino EK? As always, properly administered Windows hosts that follow best security practices (up-to-date applications, latest OS patches, software restriction policies, etc.) should be protected against this EK threat.

Unfortunately, a large percentage of Windows hosts don't follow best practices, and criminal groups are quick to take advantage.

User awareness is an important part of any defense. You can't protect yourself from threats you don't understand. With that in mind, I'll mention again a post on EK fundamentals located here. It hopefully clears up some misconceptions I

Shown above: Desktop for one of the Windows hosts when rebooted after a CryptXXX infection.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://malware-traffic-analysis.net/2016/06/06/index.html/
[2] https://isc.sans.edu/forums/diary/Actor+using+Angler+exploit+kit+switched+to+Neutrino/20059/
[3] https://isc.sans.edu/forums/diary/Actor+that+tried+Neutrino+exploit+kit+now+back+to+Angler/20075/
[4] https://isc.sans.edu/forums/diary/Whats+the+situation+this+week+for+Neutrino+and+Angler+EK/20101/
[5] https://isc.sans.edu/forums/diary/EITest+campaign+still+going+strong/21081/
[6] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler
[7] https://isc.sans.edu/forums/diary/Angler+Exploit+Kit+Bedep+and+CryptXXX/20981/
[8] http://researchcenter.paloaltonetworks.com/2016/04/afraidgate-major-exploit-kit-campaign-swaps-locky-ransomware-for-cryptxxx/
[9] https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool
[10] http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/
[11] http://www.bleepingcomputer.com/news/security/cryptxxx-rebranding-as-ultracrypter/
[12] http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cryptxxx-gets-overhaul-now-known-as-ultracrypter
[13] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100
[14] http://www.broadanalysis.com/2016/06/05/angler-exploit-kit-via-eitest-gate-sends-cryptxxx-ransomware/
[15] http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html
[16] https://isc.sans.edu/forums/diary/Exploit+Kit+Evolution+Neutrino/19283/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

TeamViewer and Other Major Security Breaches May Be Linked
SYS-CON Media (press release)
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

 


SNSLocker Author Leaves C&C Server Credentials in Ransomware's Source Code
Softpedia News
Epic fails happen all the time, but in the world of infosec, there are very few that can top this one. As Trend Micro reported today, the author of the SNSLocker ransomware forgot the access credentials to his C&C (command and control) server in the ...

 

What You Can Learn About Incident Response Planning from the Major Data Breaches
CloudTweaks News
The topic of cybersecurity has become part of the boardroom agendas in the last couple of years, and not surprisingly — these days, it's almost impossible to read news headlines without noticing yet another story about a data breach. ... In its ...

 
[security bulletin] HPSBGN03623 rev.1 - HPE Universal CMDB, Remote Disclosure of Sensitive Information
 
[security bulletin] HPSBGN03622 rev.1 - HPE UCMDB, Universal Discovery, and UCMDB Configuration Manager using Apache Commons Collection, Remote Code Execution
 
[security bulletin] HPSBGN03621 rev.1 - HPE Universal CMDB using OpenSSL, Remote Disclosure of Sensitive Information
 


Jeremiah Grossman Plans Ransomware Battle at SentinelOne
Infosecurity Magazine
He said: “In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I've said many times, we who work InfoSec are responsible for protecting the greatest invention we'll see in our lifetime ...

 

(credit: GotCredit)

In a scenario that's growing increasingly common, the chief technologist of the US Federal Trade Commission recently lost control of her smartphone after someone posing as her walked into a mobile phone store and hijacked her number.

Details of the incident were provided by the FTC's Lorrie Cranor in a blog post published Tuesday morning with the headline "Your mobile phone account could be hijacked by an identity thief." In it, Cranor wrote:

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the Identitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

The FTC chief technologist went on to invoke federal law to force the unnamed carrier to provide the paperwork filed by the identity thief who hijacked her account. Cranor discovered that the thief used a fake ID that showed Cranor's name and the thief's photo. The thief acquired the iPhones at a retail store in Ohio hundreds of miles from Cranor's home and charged them to Cranor's account on an installment plan.


 
[CVE-2016-0392] IBM GPFS / Spectrum Scale Command Injection
 
[SECURITY] [DSA 3597-1] expat security update
 
Microsoft Education - Code Execution Vulnerability
 
Wordpress Levo-Slideshow 2.3 - Arbitrary File Upload Vulnerability
 
 


#Infosec16: Managing Talent a Key Factor in Building a Strong Security Team
Infosecurity Magazine
A significant aspect in building a good and effective security team comes down to managing the talent within your organization. That's according to Cory Scott, director of information security at Linkedin and keynote speaker at Infosecurity Europe 2016.
LinkedIn advises hiring from within and practical tests to source cyber security skills (V3.co.uk)
Infosec 2016 kicks off, here's what to expect from this year's show (PCR-online.biz)
 


#infosec16: Levison Wood Urges IT Security Pros to Embrace Risk
Infosecurity Magazine
Mitigating risk, building resilience and incident response, and tireless training have been at the heart of explorer Levison Wood's success to date and he believes the same focus could help information security professionals. Speaking at the opening ...

 

Cyber weapons are perfect weapons, says security expert Mikko Hypponen
ComputerWeekly.com
“These attacks are very effective because they send victims emails from known and trusted contacts with attached documents that require the recipients to click the 'enable content' button to view them, but if you take nothing else from Infosec 2016 ...

 


Infosecurity Europe 2016: Ransomware criminals becoming specialist B2B hackers
IBS Intelligence (blog) (subscription)
“Cybercrime is being industrialised,” he tells an audience at Infosec Europe 2016, taking place in London this week. “Every market has its forces, even the dark ones.” Hackers are becoming frustrated with the lack of financial gains to be had from ...

 

A provocative white hat hacker who has previously disclosed vulnerabilities in both California’s ObamaCare portal and FireEye's core security product has now revealed a serious flaw in the Council of Better Business Bureau’s (CBBB) Web-based complaints application, which is used by nearly a million people annually to file complaints against businesses.

The CBBB criticized the “unauthorized application vulnerability test” but said in a statement that they believe “the motivation was not malicious," and are "not pursuing the matter further."

The CBBB is the umbrella organization for the independent local BBBs, the not-for-profit consumer advocacy groups that operate in the United States, Canada, and Mexico. The BBBs attempt to mediate disputes between consumers and businesses, and also accredit businesses based on how well the business meets the BBB’s “Standards of Trust.”


 
[security bulletin] HPSBGN03620 rev.1 - HPE Helion OpenStack using OpenSSL and QEMU, Remote Unauthorized Data Access
 
[security bulletin] HPSBGN03619 rev.1 - HPE Discovery and Dependency Mapping Inventory (DDMi) using Java Deserialization, remote Code Execution
 
[security bulletin] HPSBGN03442 rev.2 - HP Helion OpenStack using glibc, Remote Denial of Service (DoS), Arbitrary Code Execution
 

Yesterday, the German federal CERT (CERT-BUND) warned of phishing e-mails that are made more plausible by using data that appears to originate from the recently leaked LinkedIn data set. The e-mails address the recipient by full name and job title. Typically, the attachments claim to contain an invoice.

We have since heard from a couple of users who reported receiving e-mails that match the pattern. For example:

(Thanks to our reader Arjan for the sample)

The e-mails arrive in different languages. They address the recipient by full name, job title and company name, to make the e-mail more plausible.

This is similar to the way social media was used in the past to create more convincing phishing e-mails. For example, see this old article from 3 years ago about how Facebook data is used in this way. With the LinkedIn leak, data has become available that wasn't reachable by simple screen scrapers (or API users) in the past.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

 


At Infosec Europe this week? Would you like a free gift?
Naked Security
If you're attending the event, please do stop by our stand (C120) and say hello to us. While you're there, pretend you're at the amusement arcades and make sure you have a go on our prize grabber – you can win t-shirts, caps, stress balls and socks.

 


Infosec 2016 kicks off, here's what to expect from this year's show
PCR-online.biz
This year, the largest information security event in Europe will feature over 160 hours of sessions with over 260 renowned thought-leading speakers presenting in eight conference theatres. Infosec 2016 will see more companies exhibit than ever before ...
LinkedIn advises hiring from within and practical tests to source cyber security skills (V3.co.uk)
 


HEAT Software navigate the security threat landscape at Infosec
SecurityNewsDesk
HEAT Software, a leading provider of IT service and endpoint security management, has outlined its programme of activities for Infosecurity Europe 2016. The company will be showcasing the latest version of its endpoint security platform which provides ...

 
Re: rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion
 