Hackin9

We've posted a number of stories lately about various exploit kits and the malware they drop. What I'm seeing lately is a bit of an uptick in the use of Javascript by these exploit kits.

Why might this be, you ask? Isn't Javascript contained, and hopefully secured, within the browser sandbox? Aren't we protected by the combined security smarts of Microsoft, Mozilla and Google? We-e-e-e-l, the short answer is NO. If the Javascript arrives in an inbound email and one of your Windows-based users clicks it, it doesn't execute in the browser; it executes inside the Windows shell (the same shell used by cscript.exe or wscript.exe)! So, as Brad Duncan (another of the ISC Handlers) pointed out, this isn't really a Javascript *exploit*. Look at the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids and you'll find jsfile. Following that through HKEY_CLASSES_ROOT:
computer\hkey_classes_root\.js = jsfile
computer\hkey_classes_root\jsfile = wshext.dll

Or, when you check the file extension in Explorer, Shazam!
Not only that, cscript.exe is meant as an admin tool, so all of the Javascript protections that we take for granted in our browser are ABSOLUTELY NOT in play. All kinds of new (or rather old) features that aren't allowed in the browser now work again. For instance, Javascript executed in cscript can create a TCP client or a TCP server: perhaps to pull malware, maybe crypto-malware, down and then install it, or to create a basic TCP backdoor or a reverse-shell backdoor.

Worse yet, when you receive a JS file in an email, you'll see an icon that makes it look like it's a text or document file of some kind. On top of all of that, what we're seeing as a common SPAM practice that makes this more confusing for the folks reading their mail is a double-extension approach, so these are arriving as "corporate layoffs.doc.js", "bonus Q2.xls.js" or "ups shipping notice.pdf.js". When this shows up in your mail client, by default Windows (not so helpfully) won't display the known file extension of .js, so your folks will see these as Word docs, Excel sheets or PDF files.

So how can we as system administrators protect our users? Out of the gate, we should strip out attachments of type .JS in emails at the SPAM gateway; there's no good reason to be emailing Javascript files in and out of the organization (in almost all cases).

In the spirit of defense in depth though, let's assume that one of our trusted business partners (who might be whitelisted in the spam filter) or one of our internal users (internal mail doesn't typically go through the spam filter) is already compromised. How do we protect our users in those scenarios? Let's re-associate the .JS file type with something that won't actually execute the file. How about Notepad?

To do this for a single workstation, right-click on a .js file and open it with Notepad, being sure to tick the "Always use the selected program to open this kind of file" box when you do that.

For an entire organization, you can force the file association in Group Policy, at Computer Configuration / Preferences / Control Panel Settings / Folder Options, then add New / File Type.

You can see here that we can change how the file opens, and even change the icon that's being displayed.
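To check a single workstation for the association walked through above, here is an added PowerShell example (not code from the diary). It assumes the stock Windows registry layout; Set-JsHandlerToNotepad writes the HKCR jsfile open command as a machine-wide alternative to the right-click method and is my assumption, not the Group Policy route the diary recommends for a whole organization.

```powershell
# Added example, not from the ISC diary: audit (and optionally fix) which program
# opens .js files on one workstation. Registry paths are the standard Windows ones;
# the "jsfile" ProgId and handler names are assumed to match a default install.

function Get-JsHandler {
    # A per-user "always open with" choice in Explorer overrides the HKCR association
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        # Fall back to the machine-wide association (HKEY_CLASSES_ROOT\.js -> jsfile)
        $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.js' `
                   -ErrorAction SilentlyContinue).'(default)'
    }
    $command = $null
    if ($progId) {
        $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }
    # Anything that hands the file to Windows Script Host runs it with the user's full rights
    $risky = [bool]($command -match 'wscript\.exe|cscript\.exe|wshext\.dll')
    [pscustomobject]@{ ProgId = $progId; Command = $command; RunsInWSH = $risky }
}

function Set-JsHandlerToNotepad {
    # Machine-wide equivalent of the right-click / "always use" step; needs an elevated shell.
    # A per-user UserChoice key still wins, so use the Group Policy route for a whole org.
    $cmdKey  = 'Registry::HKEY_CLASSES_ROOT\jsfile\shell\open\command'
    $notepad = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
    Get-JsHandler
}

$before = Get-JsHandler
"Current .js handler: $($before.ProgId) -> $($before.Command)"
if ($before.RunsInWSH) {
    "WARNING: .js attachments will run under Windows Script Host; run Set-JsHandlerToNotepad as admin."
}
```

Run it once before and once after the change; RunsInWSH should flip from True to False on a machine where no per-user choice is pinned.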

Now when we receive some malicious Javascript in our inbox, it'll look very different. And when your folks click on the file, that advanced persistent malicious hello.js just opens in Notepad.

So if you're walking around the office, you can look for the screen that has 10 or 12 Notepad files of code open, and feel good that there's one that didn't get infected! Or, more likely (and sadly), check that machine to see how *else* they found to get infected :-)

===============
Rob VandenBrink
Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Gartner's top-10 list of infosec techs addresses concerns over cloud, IoT
SC Magazine
Cloud access security brokers, endpoint detection and response solutions, and remote browsers were among the infosec technology categories that made Gartner's 2016 top-10 list. Cloud access security brokers (CASBs), endpoint detection and response ...

 

BankInfoSecurity.com (blog)

12 Sights: Infosec Europe 2016
This year's conference was held at London's Olympia exhibition center. The recent Infosecurity Europe 2016 conference in London drew attendees from more than 70 different countries. The free conference, which is Europe's ...

 
CVE-2016-0199 / MS16-063: MSIE 11 garbage collector attribute type confusion
 
[ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability
 
[ERPSCAN-16-013] SAP NetWeaver AS Java ctcprotocol servlet - XXE vulnerability
 
[ERPSCAN-16-014] SAP NetWeaver AS Java NavigationURLTester - XSS vulnerability
 


Dave Aitel is CEO of Immunity Inc., an offensive security firm that consults for Fortune 500s and government agencies. He is a former "security scientist" for the NSA and a past contractor for DARPA's Cyber Fast Track program. His firm specializes in vulnerability research, penetration testing and network testing tools. His views don't necessarily reflect the opinions of Ars Technica.

What occurred with the recently disclosed breach of the Democratic National Committee servers, and the dumping of stolen data on a WordPress site, is more than an act of cyber espionage or harmless mischief. It meets the definition of an act of cyberwar, and the US government should respond as such.

The claims by “Guccifer 2.0”—that a lone hacker carried out this attack—are not believable. Of course, anything is possible, but the attack looks to be an operation conducted by Russian intelligence services. Had this been a “normal” operation—that is, covert intel gathering by Russia's Foreign Intelligence Service or any other foreign intelligence service (as the Chinese have done in past election seasons)—it would be business as usual. To be honest, the US government would not really be justified in denouncing it, as it does the same thing. But what makes this attack very different—and crosses the line—is the Russian team’s decision to dump the Clinton campaign’s opposition strategy on the public Web, presumably for the dual purpose of both spreading misinformation about the party responsible for the breach and interfering with the Clinton campaign.


 

TechWeekEurope UK

InfoSec 2016: IoT Security Needs A Serious Shake-Up, Says Sophos
The explosion of connected Internet of Things (IoT) devices could actually be raising the risk of serious security risks for businesses and consumers alike, it has been warned. Speaking to TechWeekEurope at the recent InfoSecurity Europe ...

 
[CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player
 