Hackin9

The Register

Cisco borgs UK infosec bods
The Register
Cisco Systems is buying Portcullis Computer Security, a UK-based firm specialising in consulting to enterprise and government clients. Both firms are staying tight-lipped about the value of the deal which is expected to complete early in 2016. When ...

and more »
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Since mid-September 2015, Ive generated a great deal of Nuclear exploit kit (EK) traffic after checking compromised websites. This summer, I usually foundAngler EK. Now Im seeing more Nuclear.

Nuclear EK has alsobeen sending dual payloads. Idocumented dual payloads at least three times last year [1, 2, 3], but I hadnt noticed it again from Nuclear EKuntil recently. This time,one of the payloadsappears to beransomware. I sawFilecoder on 2015-09-18[4] and TeslaCrypt 2.0 on 2015-09-29[5]. In both cases,ransomware was a componentof the dual payloads from Nuclear EK.

To be clear, Nuclear EK isnt always sendingtwo payloads,but Ive noticed a dual payload trendwith this recent increase in Nuclear EK traffic.

Furthermore, on Wednesday 2015-09-30, the URL patternfor Nuclear EKs landing page changed. With that in mind, lets take a look at whats happening with Nuclear.

URL patterns

The images below show some examples of URL patterns for Nuclear EK">Shown above: Some URLsfrom Nuclear EK on 2015-09-15. Pcap" />
Shown above: Some URLs from Nuclear EK on 2015-09-16. ">Shown above: Some URLsfrom Nuclear EK on 2015-09-18. Pcap">Shown above: Some URLs from Nuclear EK on 2015-09-22. Pcap">Shown above: Some URLs from Nuclear EK on 2015-09-29.Pcapavailable here.

In the above images, the initial HTTP GET request always starts with /search?q= for the landing page URL. ">Shown above: Some URLs fromNuclear EK on 2015-09-30.

The initial HTTP GET request now starts with /url?sa= instead of">for the landing page URL. I saw the same thing from three different examples of Nuclear EK on 2015-09-30. Windows hosts from these examplesall had the exact">Nuclear EK examples from 2015-09-30

I had some trouble infectinga Windows 7 host running IE 11. ">The browser always crashed before the EK">payload was sent. SoI tried three different configurations to generate traffic for this diary. The first run hadaWindows 7 host running IE 10. The second run had a Windows 7 host runniningIE 8. The third run had a Windows 7 host running IE 11. All hosts were running">I found a compromised website withan injected iframe leading to Nuclear EK. The screenshot below shows an example of themalicious script at the bottom of the page. Itsright before the closing body and HTML tags. Youll" />
Shown above: ">The first run used IE 10 with Flash player 14.0.0.125. " />
Shown above: Desktop background from the infected host.

nstructions were left as a text file on the desktop. The authors behind this ransomwareused [email protected] and [email protected] as email addresses for further decryption" />
Shown above: Decryption instructions from the ransomware.

Playing around with the pcap in Wireshark, I got a decent representation of the traffic. Below, youll see the compromised website, Nuclear EK on 188.226.215.37, and some of the post infection traffic. TLS activityon ports 443 and 9001 with random characters for the server names is Tor traffic. Several other attempted TCP connections can be found in the pcap, but none of those were successful, and theyre not shown below. " />
Shown above: Some of the infection traffic from the pcap in Wireshark (from a Windows host usingIE 10 and Flash player 14.0.0.125).

Below are alerts on the infection traffic when Iused tcpreplay onSecurity Onion with the EmergingThreats(ET)and ET Pro">Shownabove: Alerts from the traffic using Sguil in Security Onion.

For the second run, Iinfecteda different Windows host running IE 8 and Flash player 11.2.202.228. This generatedNuclear EK from from the same IP address and a slightly different domain name. however, I didt see the same traffic that triggered" />
Shown above: Nuclear EK traffic using IE 8 and Flash player 11.2.202.228.

For the third run, I used a Windows host with IE 11 and Flash player 18.0.0.203. As mentioned earlier, the browser would crash before the EK sent the payload, so this host didnt get infected with malware. I tried it once with Flash player and once without Flash player, both times running an unpatched version of IE 11. Each time, the browser crashed. Nuclear EK was still using the same IP address, butdifferent domain names were different. Within a 4 minute timespan on the pcap,youll find" />
Shown above: Nuclear EK traffic using">1 and Flash">18.0.0.203... Tried twice but">below">Shown" />
Shown" />
Shown above: Nuclear EK sends the secondmalware payload.

Other than the landing page URL patternand dual payload,Nuclear EK looks remarkably similar to the last time we reviewed itin August 2015 [6].

Preliminary malware analysis

The first and second runs generated a full infection chain and post-infection traffic. The malware payload was the same during the first and second run. The first run had additional malware on the infected host. The third run using IE 11 didnt generate any malware payload.

Nuclear EK malware payload 1 of 2:

 

Earlier today, various sources reporteda highly-suspicious Windows update. According to Ars Technica,a Microsoft spokesperson stated the company hadincorrectly published a test update and isin the process of removing it [1]. The update is no longer available, and ZDNet hasconfirmed this wasa test update gone errant">Thanks to everyone who notified us at the ISC.">www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1]">http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/
[2]">[3]">https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

FCW.com

5 things agencies get wrong about infosec
FCW.com
Why: Despite the Federal Information Security Management Act of 2002, which requires agencies to put cybersecurity programs in place to protect their IT and data, two dozen federal agencies still have persistent weaknesses in information security ...

and more »
 
APPLE-SA-2015-09-30-01 iOS 9.0.2
 
[security bulletin] HPSBST03502 rev.1 - HP 3PAR Service Processor (SP) SPOCC, Remote Disclosure of Information
 
APPLE-SA-2015-09-30-2 Safari 9
 
APPLE-SA-2015-09-30-3 OS X El Capitan 10.11
 

Enlarge

Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn't correctly implemented.

"We incorrectly published a test update and are in the process of removing it," a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.

The explanation came more than 12 hours after people around the world began receiving the software bulletin through the official Windows Update, raising widespread speculation that Microsoft's automatic patching mechanism was broken or, worse, had been compromised to attack end users. Fortunately, now that Microsoft has finally weighed in, that worst-case scenario can be ruled out. What follows is the remainder of this post as it appeared before the company issued its explanation.

Read 8 remaining paragraphs | Comments

 
Re: Cisco AnyConnect elevation of privileges via DMG install script
 

John McCain is not pleased. (credit: US Senate Armed Services Committee / CSPAN)

The employee records from the Central Intelligence Agency were not included in the data cache from the Office of Personnel Management hack, according to government officials. However, that doesn't mean the CIA has been unaffected by the breach. The Washington Post reports that according to unnamed current and former US officials, the CIA pulled "a number of officers" from the US Embassy in Beijing as a precautionary measure following the breach—precisely because their names would not appear in State Department personnel files believed to have been obtained by Chinese intelligence operatives.

The question of how to respond to the OPM breach was raised yet again during testimony by intelligence and defense officials on September 29 before the Senate Armed Services Committee. The hearing on "United States Cybersecurity policy and threats" delved into the distinction being made by the Obama administration between electronic economic espionage and the hacking of government agencies and why the breach at the OPM was not considered an attack warranting a proportionate response from the US. No US official has gone on the record to attribute the OPM breach to China.

Director of National Intelligence James Clapper told the committee that while "we don't know in terms of specifics" what was taken in the OPM breach, it had "potentially very serious implications, first among them close to home [for me] in terms of the Intelligence Community and identifying people who may be under public status... This is a gift that's going to keep on giving for years." Still, he said, as "egregious" as the OPM breach was, it didn't amount to an attack on national infrastructure. "Rather, it would be a form of theft or espionage. We, too, practice cyber espionage. We're not bad at it."

Read 2 remaining paragraphs | Comments

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
As part of its efforts to provide practical solutions to real-world cybersecurity challenges, the National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guidance to help organizations better control who has ...
 
RE: WinRAR SFX v5.21 - Remote Code Execution Vulnerability
 
Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability
 
Apache James Server 2.3.2 security vulnerability fixed
 

Enlarge / The file names in this screenshot have been redacted to protect the vulnerable. (credit: Patrick Wardle)

Since its introduction in 2012, an OS X feature known as Gatekeeper has gone a long way to protecting the Macs of security novices and experts alike. Not only does it help neutralize social engineering attacks that trick less experienced users into installing trojans, code-signing requirements ensure even seasoned users that an installer app hasn't been maliciously modified as it was downloaded over an unencrypted connection.

Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting. The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software.

Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper's sole function is to check the digital certificate of a downloaded app before it's installed to see if it's signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, as the proof-of-concept exploit he developed does.

Read 7 remaining paragraphs | Comments

 
 
Re: WinRAR SFX v5.21 - Remote Code Execution Vulnerability
 
Internet Storm Center Infocon Status