(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This is a Guest Diary submitted by Pasquale Stirparo.

Phishing emails represent a big security issue, especially in corporate environments, where one extra double click by an inattentive user may be fatal and open the door to compromising the entire company's network. This has also been confirmed in a study conducted by SANS stating that 95% of enterprise data breaches start with a spear phishing attack. I decided to take a deeper look at phishing from the point of view of incident response, particularly at any forensic artifacts left behind by an attack that uses BeEF.

BeEF, the Browser Exploitation Framework, is a penetration-testing tool focused on web browsers. You can think of it as the Metasploit of web browser security testing: it offers several modules that allow the attacker to, for example, steal web login credentials, switch on the microphone and camera, and so on. Very briefly, BeEF hooks the browser via a JavaScript file included in an otherwise normal HTML page; the BeEF server then exposes a RESTful API that lets the hooked browser be scripted through HTTP/JSON requests. The interesting aspect is that all of this runs inside the browser, so the chances of finding file system artifacts are very low.

Attack Scenario

To run the tests, I set up a standard attack scenario as follows:

1. The user receives an email with a link to a legitimate but compromised website.

2. Once the link is clicked, the browser is hooked (it appears in the BeEF console panel) and BeEF extracts a complete fingerprint of it.

3. A fake Facebook logout alert is prompted to steal credentials via the Pretty Theft module.

Dumping the hooked browser process (PID 4040) with Volatility's memdump plugin and extracting the strings from the resulting dump (the -f image and --profile options are omitted here):

$ python vol.py -f <memory_image> --profile=<profile> memdump -p 4040 -D dest_dir
$ strings dest_dir/4040.dmp > strings_ff_beefed.txt

So I decided to try hunting it with Yara. I created one Yara rule manually and generated two other rules with yarGen, starting from the main BeEF module, and all of them worked correctly. At this point I got curious and tried to generate a rule for the specific Pretty Theft module used to steal users' Facebook credentials and, guess what, it worked too. This means that an analyst can identify not only that BeEF was used, but even which specific module.
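As an added example, not code from the diary or from the BeEF project, the following Python reproduces the two steps above offline: it pulls printable strings out of a process dump the way `strings` does, then applies Yara-style "N of these strings" rules to them, one generic and one for the Pretty Theft module. The generic indicators (hook.js, the BEEFHOOK cookie, the beef.net and beef.browser namespaces, port 3000) are assumed from BeEF's public source and should be verified against the BeEF version under analysis; the Pretty Theft indicators, the sample dump bytes and the 192.0.2.10 server address are constructed placeholders, not captured data.

```python
"""Hunt for BeEF indicators in a dumped browser process (e.g. 4040.dmp).

Added example, not code from the original diary or from BeEF. It
re-implements the strings step and a Yara-style "N of these strings"
match in pure Python so it runs offline. Indicator strings are assumed
from BeEF's public source (hook.js, BEEFHOOK, beef.net, beef.browser)
and must be re-checked against the BeEF version actually in use; the
Pretty Theft indicators and the sample dump are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Printable ASCII runs of 6+ chars, and the same stored as UTF-16LE.
# Browser engines frequently keep script source as UTF-16, which the
# default `strings` (ASCII only) misses; `strings -el` covers it.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# rule name -> (indicator strings, how many must be present).
# Equivalent Yara: declare each string with `ascii wide`, condition `N of them`.
RULES: Dict[str, Tuple[List[str], int]] = {
    "beef_hook_generic": (["hook.js", "BEEFHOOK", "beef.net", "beef.browser"], 2),
    # Assumed module-specific strings; derive real ones from the module
    # source (e.g. with yarGen) as the diary describes.
    "beef_pretty_theft": (["pretty_theft", "beef.execute(function()"], 2),
}


def extract_strings(dump: bytes, wide: bool = True) -> List[str]:
    """Return printable runs like `strings`; wide=True also decodes UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(dump)]
    if wide:
        found += [m.group().decode("utf-16-le") for m in UTF16LE_RE.finditer(dump)]
    return found


def hunt(dump: bytes, wide: bool = True) -> Dict[str, List[str]]:
    """Apply RULES to the extracted strings; return {rule: matched indicators}."""
    haystack = "\n".join(extract_strings(dump, wide))
    hits: Dict[str, List[str]] = {}
    for name, (indicators, needed) in RULES.items():
        matched = [ind for ind in indicators if ind in haystack]
        if len(matched) >= needed:
            hits[name] = matched
    return hits


def sample_dump(with_pretty_theft: bool = False) -> bytes:
    """Constructed stand-in for a browser memory dump (not real captured data)."""
    pad = b"\x00" * 64
    # Hook tag as it sits in the fetched HTML page (ASCII); 192.0.2.10 is a
    # documentation address standing in for the BeEF server, 3000 its default port.
    html = b'<script src="http://192.0.2.10:3000/hook.js"></script>'
    # Hook script state as the JS engine may hold it: UTF-16LE.
    script = "beef.net.host = '192.0.2.10'; beef.browser.hasFlash();".encode("utf-16-le")
    cookie = b"Cookie: BEEFHOOK=" + b"A" * 40
    parts = [pad, html, pad, script, pad, cookie, pad]
    if with_pretty_theft:
        # Placeholder module text; real indicators come from the module source.
        module = "beef.execute(function() { /* pretty_theft */ });".encode("utf-16-le")
        parts += [module, pad]
    return b"".join(parts)


if __name__ == "__main__":
    for wide in (True, False):
        print(f"wide={wide}:", hunt(sample_dump(with_pretty_theft=True), wide))
```

Running it with `wide=False` mirrors a plain `strings` pass: the generic rule still fires on the ASCII hook tag and cookie, but the module-specific strings held as UTF-16 by the JavaScript engine are invisible, so the Pretty Theft rule is silent. That is the practical reason to run `strings -el` as well, and to give Yara strings the `wide` modifier when hunting in browser memory.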

As next steps for this project, I am working on full Windows coverage (including hiberfil.sys, the pagefile, the registry, and the timeline), Mac OS X and mobile, and I am looking into further expanding the Yara signatures and their coverage.

In my next diary, I'm going to show how the rules work in practice.

This work has been presented at the last SANS DFIR EU Summit 2015 in Prague. You can find the slides online if interested.

Happy Hunting.

