I recently transitioned into a new role at Palo Alto Networks Unit 42. Since then, I've published a couple of blog posts describing recent developments in ongoing campaigns [1, 2]. Those are examples of ongoing dialog for known threats. But like most people, I get excited about new malware. Many reporters tend to focus on new campaigns, exploits, malware, and vulnerabilities. And why not? They usually make a more interesting story. However, we should also keep track of ongoing campaigns. It's often newsworthy to announce that something is still happening.

The importance of a continuing discussion

Continuing discussion--an ongoing dialog--of security matters is important.

But even security professionals are sometimes jaded, especially by the constant waves of malicious spam (malspam) that hit our mail filters. For example, many of us know about the continuing malspam used to distribute Locky ransomware. It was first discovered last month [3, 4, 5]. But after you've seen Locky on a near-daily basis, and you've implemented protective measures, the threat loses its impact.

That's good. That's also the desired outcome. But what happens after we've done our due diligence? What happens when the threat is no longer new, but it's still profitable for the criminals behind it? The majority of people (those not in security) tend to forget about it.

That also assumes the average person knows about specific issues like Locky ransomware. Locky must compete for media attention with many other threats. Information about any specific threat can easily get lost in the constant stream of issues we read about.

For Locky, this can happen, despite near-daily reporting by some sources of Locky-related malspam [6, 7, 8]. For example, on Wednesday 2016-03-23, the ISC received the following notification through our contact page:

"We've been getting quite a few file attachments with .zip files that contain javascript files. The email messages originate from a number of different countries and the sending IP address has only a single recipient."

"I'm submitting these because I"

FILE UPLOAD. Original File Name: javascript-malware.tar

It sounds like botnet-based malspam. But what was the payload?

Shown above: Traffic after running one of the .js files on a Windows host.

The infected Windows host looked like what I've seen before with Locky. Someone had also seen the HTTP GET request for 762trg22e2.exe associated with Locky [9]. I replied to the person who notified us. Another ISC handler, Didier Stevens, noted the obfuscation in those .js files looks like what he

Shown above: A previous example of a Windows host infected with Locky.

Final words

This is a good example, I think, of why we should keep discussing ongoing threats.

It's always fun to investigate these notifications. As ISC handlers, we take great satisfaction in assisting others on security-related issues. Hopefully, today's diary raises awareness about this particular flavor of botnet-based malspam. It's a threat seen on a daily basis, whether you realize it or not.

Have you run across Locky ransomware? Have you found any indicators of compromise (IOCs) that haven't been posted publicly? Are there any stories about Locky you'd like to share? If so, please leave a comment. Let's keep the dialog going.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-through-nuclear-ek/
[2] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[3] http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/
[4] http://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky
[5] https://labsblog.f-secure.com/2016/02/22/locky-clearly-bad-behavior/
[6] https://techhelplist.com/component/tags/tag/275-locky
[7] http://blog.dynamoo.com/search/label/Locky
[8] https://myonlinesecurity.co.uk/tag/locky/
[9] https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomware/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

USSD is monopoly of telcos, we could improve our services if we get to use it: SBI CTO, Shiv Kumar Bhasin
Cloud based infoSec advancements, harnessing the power of social media, surviving Regulatory norms – the need for a strong data governance structure, secure and multi-channelled approach to enable anytime & anywhere banking, addressing the ...


Trivial path for DDoS amplification attacks found by infosec bods
The Register
Security researchers have discovered a new vector for DDoS amplification attacks – and it's quite literally trivial. Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over ...

[SECURITY] [DSA 3529-1] redmine security update
[SECURITY] [DSA 3528-1] pidgin-otr security update


Jonathan Zdziarski, a leading independent Apple iOS security researcher and forensics expert, has a theory about the FBI's newly discovered potential route into the iPhone 5C used by San Bernardino shooter Syed Farook. In a blog post, Zdziarski wrote that the technique the FBI is planning to use to get around having to compel Apple to help bypass the phone's security is likely a method called NAND mirroring—a hardware-based approach that, while effective, is far from the "golden key" software the FBI had sought.

The FBI reported in its filing to delay a hearing on its dispute with Apple, originally scheduled for March 22, that an outside company had approached the FBI with a solution to the "self-destruct" issue preventing the FBI from repeatedly guessing the device's four-digit PIN. In that filing, FBI officials said that they needed just two weeks to certify that they could use the alternative approach to gain access to the phone.

Based on a number of factors, Zdziarski said that the company in question was likely one of the FBI's external forensics contractors and that it was unlikely that it had found a "zero day" software technique to bypass the password. "Whatever technique is being used likely isn't highly experimental (or it'd take more time)," Zdziarski noted. "Chances are the technique has been developed over the past several weeks that this case has been going on."


Cisco Security Advisory: Cisco IOS Software Wide Area Application Services Express Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
Cisco Security Advisory: Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability
[SECURITY] [DSA 3526-1] libmatroska security update
Hardcoded root password in Zyxel MAX3XX series Wimax CPEs
CA20160323-01: Security Notice for CA Single Sign-On Web Agents
CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for 'amqps' if SSL/TLS not supported

Cyber insurance gets Hill attention
... provide access or the circumstances under which they could be ordered to help. It also does not create specific penalties for noncompliance, leaving that determination to judges,” the news service reported. ... A TOUGH MONTH FOR INFOSEC AT VA ...


'All or nothing' Obamacare objections threaten religious liberty
National Catholic Reporter
My disclaimer here is that I have gotten my info second hand as regards Switzerland, and, although the Irish system is more first hand, I may have misunderstood some of the aspects. My main point is that we need not always look at UK and Canada, not ...

Saudi Arabian government and private sectors urge for better cyber security
CPI Financial
Established cyber security insiders provided valuable insights through security talks that covered vulnerability validation, internal segmentation, cyber security from a GRC perspective, cyber security implications for a layman and infosec guidelines ...


Android phones menaced by Linux kernel bug
iT News
Google has rushed out an emergency patch for its Nexus devices following the discovery of an overlooked Linux kernel bug that can be used to permanently compromise Android devices. In an advisory issued over the weekend, Google revealed it had been ...


Apple explains what the 'SE' in iPhone SE actually means
Apple yesterday uncovered a new smaller addition to its handset range, the iPhone SE. While the launch of the iPhone SE raised many questions, the one that was perplexing the minds of the majority of Apple fans was this: what does the 'SE' in iPhone SE ...


Study argues InfoSec workers not able to deal with IoT enterprise security concerns
IoT Tech News
Good news and bad news: information security professionals are becoming more aware of the risks presented by the proliferation of endpoints through the Internet of Things (IoT), but they are struggling to prepare to address the growing threat. That is ...


Apple's CareKit Is the Best Argument Yet for Strong Encryption
"If we are going to trust Apple with this data, I think this makes a very strong argument for keeping the data away from prying eyes," says Jake Williams, founder of Rendition Infosec, who also highlighted potential concerns about handing over this ...
Apple explains what the 'SE' in iPhone SE actually means (Techworm)

Bugfix for Overhyped Badlock Windows & Samba Flaw Coming in April
Softpedia News
With clues leaked here and there, many infosec experts fear that attackers might narrow down the source of the vulnerability and use it in attacks before April 12. As it looks right now, Metzmacher might have got the notoriety he desired, but it's not ...


Only 42% of infosec pros use threat intelligence, survey shows
Less than half of information security professionals use shared cyber threat intelligence, a survey has revealed. This is despite the fact that 97% of those who do report that it improves their enterprise security posture, according to Intel Security ...
Threat intelligence exchanges OK, but most prefer to receive intel rather than give (IT World Canada)

Hands-On Approach: UK Opts for One-Stop Information Security Shop
Security Intelligence (blog)
Information security (InfoSec) is now a top priority for many companies. As their potential attack surface grows, businesses often find themselves playing catch-up with insider and external threats, desperately trying to stay ahead of cybercriminals ...

Methodist Hospital in Henderson, Kentucky, initiated an "internal state of emergency" after discovering a Locky crypto-ransomware infection of its network. (credit: Methodist Hospital)

A month after a Los Angeles hospital was crippled by crypto-ransomware, another hospital is in an "internal state of emergency" for the same reason. Brian Krebs reports that Methodist Hospital in Henderson, Kentucky, shut down its desktop computers and Web-based systems in an effort to fight the spread of the Locky crypto-ransomware on the hospital's network.

Yesterday, the hospital's IT staff posted a scrolling message at the top of Methodist's website, announcing that "Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web-based services. We are currently working to resolve this issue, until then we will have limited access to web-based services and electronic communications." As of this morning, the message has been taken down from the site.

Methodist Hospital's information systems director told Krebs that the Locky malware, which came in as an attachment to a spam e-mail, attempted to spread across the network after it had infected the computer it was triggered on. Locky has been known to use malicious scripts in Microsoft Office documents as a means of infecting victims' computers. The malware succeeded in infecting several other systems, prompting the hospital staff to shut down all the hospital's computers. Each PC is brought back online individually after being scanned for telltale signs of Locky while off the network.



It got a catchy name, it got a logo... so it must be serious. Or at least that is what is implied with the Badlock vulnerability that was pre-announced this week.

At this point, there is only a vague pre-announcement. The details, and a patch, will be released on April 12th, Microsoft's next Patch Tuesday.

The vulnerability will affect systems running Samba (an open source implementation of the SMB protocol, commonly found on Unix systems) as well as Windows systems. The second group is probably easier to identify, and given that we should have a patch from Microsoft on April 12th, your normal patch procedures should have you covered.

The Unix part can be a bit more tricky. To get ready for April 12th, it may be worthwhile to scan your environment for systems with SMB enabled. This will give you a head start once the patch is released. Due to the high-profile pre-announcement, I expect major Unix versions to release a patch on April 12th as well.

OS X started using its own implementation of the SMB protocol, sometimes referred to as SMBX, with OS X 10.7 (Lion). You are probably not going to find a lot of pre-10.7 systems still around, and if you do, you probably won't get a patch from Apple. SMBX is not listed in the Badlock pre-announcement, so we can assume at this point that it is not vulnerable.

A possible twist to this would be vulnerable clients. It is possible to trick a client into connecting to an SMB share using the smb: protocol. Outbound traffic from clients is often less strictly controlled than inbound.

Short summary: What should you do before April 12th

  • inventory SMB servers
  • verify firewall rules to block SMB inbound AND outbound
  • order some donuts/pizza for the patch team for April 12th. It could be a busy day.

Side note: Stefan Metzmacher, who is credited with discovering the vulnerability, is the author of the file lock.c in Samba. This file appears to deal with SMB2 lock requests. It is pretty short, but includes an interesting comment: /* this is quite bizarre - the spec says we must lie about the length! */

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

No, this has nothing to do with Oracle Corporation! This diary is about abusing encryption and decryption Oracles. First, a bit of background.

Most days I do web and mobile application penetration testing. While technical vulnerabilities such as SQL injection, XSS and similar are still commonly found, in the last couple of years I would dare to say that Direct Object Reference (DOR) vulnerabilities have become prevalent.

With these vulnerabilities, an attacker can typically manipulate parameters directly by changing an ID submitted to the application; if no sufficient security controls have been implemented on the server side, the attacker can retrieve (or modify) arbitrary data.

The same parameters are key to exploiting other vulnerabilities: in the case of SQL injection, the contents of parameters submitted by users are used directly in SQL queries, allowing an attacker to carefully modify the resulting SQL query and perform unexpected activities on the database.

We all know how these vulnerabilities should be mitigated: by implementing proper security controls on the server side.

In the last couple of months, I actually encountered a couple of interesting security mechanisms (or at least attempts to secure applications): the developers decided that they would encrypt the contents of parameters.
This sounds like a cool idea. For example:

http://my.web.application.local/process.aspx?ID=FBBFA70485E12DC2

In this case, the application actually encrypted the ID (number 23531) and the user was able to see only the encrypted content.

Notice that this way of handling parameters also prevents SQL injection attacks: the attacker cannot (simply) add dangerous characters into the ID parameter, since that will simply break the encryption (the server side will fail to decrypt the contents, and automated vulnerability scanners won't really find anything here).

However, one thing that developers forget is that encryption != security. Those experienced among our readers will immediately notice that this does not prevent DOR attacks if the key is static for the whole application: we can simply copy another user's ID parameter and exploit a DOR vulnerability. However, we still cannot (easily) brute force IDs in this example.

Oracles to the rescue

So what are encryption or decryption Oracles? They are simply any interfaces that allow us to encrypt or decrypt arbitrary (or almost arbitrary) data without knowing the secret key, or maybe even the encryption algorithm that is used.
The most famous usage of such Oracles was in the BEAST and POODLE attacks (where POODLE stands for Padding Oracle On Downgraded Legacy Encryption), where such an Oracle is abused to tell us whether certain content has been successfully decrypted or not.

In this case I am referring to much simpler Oracles: those that will perform encryption or decryption activities on our behalf.
If we go back to the example above, let's imagine that there is a different screen in the application that takes another encrypted parameter but, for some reason, prints it somewhere on the web page (maybe even hidden in the HTML). If the key and the algorithm are the same, an attacker can simply copy the encrypted string from any other request and see the plain text contents. This is exactly what a decryption Oracle will do.

An encryption Oracle will, on the other side, allow encryption of arbitrary content. This can be even more dangerous: in the example above, the attacker can encrypt the content 23531 OR 1=1 and try to exploit a SQL injection vulnerability.

This can be particularly devastating for a couple of reasons:

  1. In most cases where I've seen such encryption being used to protect the contents of parameters, the developers did not pay a lot of attention to the real security, thinking that no one can tamper with the parameters (after all, they are encrypted). This means that proper filtering is probably missing.
  2. Such encryption will even prevent some network-based IPS/WAF products from working: they will not be able to inspect the parameters and will be effectively blind to such attacks.

A question you may ask now is: how are such Oracles possible? Well, while normally the developer can control what is printed (encrypted/decrypted) where, in larger applications it is easy to make a mistake and inadvertently create such an Oracle, and an attacker needs only one such vulnerability.

Lessons learned

Correct usage of cryptographic protocols is not a trivial thing and should be carefully assessed and designed before implementation in any application.

In the example above, even if the application uses a strong key, due to the existence of both an encryption and a decryption Oracle, an attacker does not need to crack the key at all, since he can freely perform both encryption and decryption of arbitrary content.

While encryption can provide confidentiality and integrity if used properly, it is by no means a security control. Any application must not rely on encryption for security controls. Additionally, every security control must be carefully implemented on any parameter received from the client.
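The encryption-Oracle-plus-SQL-injection chain described above, alongside the server-side control the lessons call for, as an added example (not code from the diary or from any real application). The static application-wide key, the keystream cipher standing in for whatever the real application used, the records table and the user names are all constructed for the demo.

```python
import hashlib
import hmac
import sqlite3

# Constructed: one static, application-wide key, as in the scenario the diary
# describes. The HMAC-based keystream is a stand-in cipher; the point is the
# Oracle and the missing server-side check, not the algorithm.
APP_KEY = b"static-demo-key"


def _keystream(n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(APP_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_param(plaintext: str) -> str:
    """Encrypt a parameter value into the hex form seen in the URL."""
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).hex().upper()


def decrypt_param(token: str) -> str:
    data = bytes.fromhex(token)
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data)))).decode()


def _make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER, owner TEXT, secret TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        (23531, "alice", "alice-data"),
        (23532, "bob", "bob-data"),
        (23533, "carol", "carol-data"),
    ])
    return db


DB = _make_db()


def encryption_oracle(user_text: str) -> str:
    """Hypothetical screen that encrypts attacker-chosen content and shows it."""
    return encrypt_param(user_text)


def lookup_vulnerable(token: str) -> list:
    """Trusts the decrypted value because 'it was encrypted': string-built SQL."""
    ident = decrypt_param(token)
    return DB.execute(f"SELECT owner, secret FROM records WHERE id = {ident}").fetchall()


def lookup_hardened(token: str, current_user: str):
    """Validates the decrypted value, parameterizes the query, checks ownership."""
    try:
        ident = int(decrypt_param(token))
    except (ValueError, UnicodeDecodeError):
        return None  # reject: decrypted content is not a well-formed ID
    return DB.execute(
        "SELECT owner, secret FROM records WHERE id = ? AND owner = ?",
        (ident, current_user),
    ).fetchall()
```

With the Oracle, `lookup_vulnerable(encryption_oracle("23531 OR 1=1"))` returns every record; the hardened lookup rejects the same token and also refuses another user's (validly encrypted) ID, which closes the DOR case too.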


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.