Hackin9

ackground: url(">VMWarehas released a security advisory background: url(">VMSA-2015-0009that address a critical background: url(">deserializationvulnerability.A background: url(">deserializationvulnerability involving Apache Commons-collections and a specially constructed chain of classes exists. Successful exploitation could result in remote code execution, with the permissions of the application using the Commons-collections library.

More details are available at the background: url(">VMWareSecurity Advisory page located at background: url(">russelleubanks (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 

Introduction

On Thursday 2015-12-18 during a Rig exploit kit (EK) infection in my lab environment, I saw the same infection chain patterns from a criminal group I hadnt noticed in a long time.

This appears to be the same actor that was using Sweet Orange EK to distribute Qbot malware in 2014 and early 2015 [1, 2, 3]. Why? Because the same type of obfuscation is used to generate the gate URL that I saw last year. The payload is also the same that Ive seen from this actor (Qbot).

This actor appears to be using Rig EK now. Let" />
Shown above: Flow chart for todays infection by this actor.

The traffic

The EK traffic was identified as Rig EK when I read a traffic of the traffic using Snort 2.9.8.0 with the Snort registered rule set." />
Shown above: Alerts from the traffic using the Snort subscriber ruleset.

Gate traffic

How does this actor generate the gate URL from the compromised website? Its done through injected script that uses several obfuscation tricks. One of the HTTP GET requests to the compromised website returned a .js file withe the malicious script tacked on the end of it. If you look at the TCP stream for this HTTP GET request in Wireshark, it" />
Shown above: HTTP GET request for the .js file when viewing the TCP stream in Wireshark.

Youll neet to export HTTP objects from the pcap to look at the actual .js file." />
Shown above: Malicious script in .js file from the compromised site.

In the above image, the end of the normal .js file is highlighted in orange near the top. Everything after that is the injected malicious script. Ive highlighted code for the gate URL in yellow. How do you translate that to the actual gate URL? It uses both unicode and hexadecimal obfuscation for some of the letters in the URL. Theres also a j7aMn function thats previously defined earlier in the script, and that" />
Shown above: How to resolve some of the obfuscation for the gate URL.

The gate URL returns a variable called main_color_handle. This contains a long string of characters that the earlier malicious script uses to get the Rig EK landing page URL. First, youll have to take everything away except 0 through 9 and a through f from the variable. Then translate the result from hexadecimal to ASCII. Thats how you" />
Shown above: How to get the EK landing page URL from data returned by the gate.

Final words

Todays Rig EK example follows the same traffic patterns that Ive examined many times before." />
Shown above: VirusTotal results showing recent URLs on 192.185.21.183.

Pcap and malware samples used in this diary are available here.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://www.malware-traffic-analysis.net/2014/10/27/index2.html
[2] https://isc.sans.edu/forums/diary/An+Example+of+Evolving+Obfuscation/19403/
[3] http://malware-traffic-analysis.net/2015/02/09/index2.html
[4] https://www.virustotal.com/it/ip-address/192.185.21.183/information/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Earlier today, we were notified of a vulnerability in an operating system named ScreenOS used to manage firewalls sold by Juniper Networks. Yesterday, Juniper Networks announced that ScreenOS contains unauthorized code that surreptitiously decrypts traffic sent through virtual private network (VPN) connections [1].

The vulnerability has been designated as CVE-2015-7755. Junipers Security Incident Response Team (SIRT) strongly recommends users upgrade to a fixed release of ScreenOS to resolve these critical vulnerabilities [2].

Juniper firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and should be patched immediately.

A notification has come out through the US CERT [3]. Some other sources have also issued reports about it [4, 5].

See the CVE link above or references below for more information.

References:

[1] http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
[2] http://kb.juniper.net/InfoCenter/index?page=contentid=JSA10713
[3] https://www.us-cert.gov/ncas/current-activity/2015/12/17/Juniper-Releases-Out-band-Security-Advisory-ScreenOS
[4] http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/
[5] https://threatpost.com/juniper-finds-backdoor-that-decrypts-vpn-traffic/115663/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Democratic presidential candidate Bernie Sanders. (credit: Michael Vadon)

The Democratic National Committee has cut off the Bernie Sanders campaign's access to a voter database after allegations that Sanders staff members improperly viewed confidential information gathered by the campaign of Hillary Clinton.

The Sanders campaign fired the staff member who was responsible for accessing the data, according to multiple media reports. The breach was made possible by a bad patch applied by the software vendor that operates the database.

"The discovery sparked alarm at the DNC, which promptly shut off the Sanders campaign’s access to the strategically crucial list of likely Democratic voters," The Washington Post reported today. "The DNC maintains the master list and rents it to national and state campaigns, which then add their own, proprietary information gathered by field workers and volunteers. Firewalls are supposed to prevent campaigns from viewing data gathered by their rivals."

Read 6 remaining paragraphs | Comments

 
Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness
 
GNU Wget CVE-2010-2252 Arbitrary File Overwrite Vulnerability
 

Posted by InfoSec News on Dec 18

https://www.washingtonpost.com/politics/dnc-sanders-campaign-improperly-accessed-clinton-voter-data/2015/12/17/a2e2e14e-a522-11e5-b53d-972e2751f433_story.html

By Rosalind S. Helderman, Anne Gearan and John Wagner
The Washington Post
December 17, 2015

Officials with the Democratic National Committee have accused the
presidential campaign of Sen. Bernie Sanders of improperly accessing
confidential voter information gathered by the rival...
 

Posted by InfoSec News on Dec 18

http://motherboard.vice.com/read/when-the-internet-of-things-starts-to-feel-like-the-internet-of-shit

By LORENZO FRANCESCHI-BICCHIERAI
STAFF WRITER
Motherboard.vice.com
December 17, 2015

If you listen to tech companies’ marketing reps, the future is made of
internet connected devices that seamlessly talk to each other, as well as
your smartphone, and turn your good-old house into a truly sci-fi-esque
smart home where you don’t even need...
 

Posted by InfoSec News on Dec 18

http://www.fayobserver.com/military/civilian-found-living-in-special-forces-barracks-on-fort-bragg/article_dfe374fe-846e-5dfd-9459-bb73a6d27fbe.html

By Drew Brooks
Military Editor
fayobserver.com
December 17, 2015

Investigators are looking into how a civilian was able to move into
barracks reserved for Fort Bragg's 3rd Special Forces Group.

A spokesman for the group confirmed the unit discovered a civilian living
in the barracks on...
 

Posted by InfoSec News on Dec 18

http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/

By Dan Goodin
Ars Technica
Dec 17, 2015

An operating system used to manage firewalls sold by Juniper Networks
contains unauthorized code that surreptitiously decrypts traffic sent
through virtual private networks, officials from the company warned
Thursday.

It's not clear how the code got there or how long it has been there....
 

Posted by InfoSec News on Dec 18

Forwarded fFrom: Alexander Lashkov <ALashkov (at) ptsecurity.com>

Positive Hack Days VI, the international forum on practical information
security, opens Call for Papers. Our international program committee
consisting of very competent and experienced experts will consider every
application, whether from a novice or a recognized expert in information
security, and select the best proposals.

Now, more than ever before, cybersecurity...
 
[slackware-security] grub (SSA:2015-351-01)
 
[slackware-security] libpng (SSA:2015-351-02)
 
Executable uninstallers are vulnerable^WEVIL (case 12): Avira Registry Cleaner allows arbitrary code execution with escalation of privilege
 
[SECURITY] [DSA 3426-1] linux security update
 
Internet Storm Center Infocon Status