(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Image: A simplified diagram of a compromised brain-connected interface system. (credit: Bonaci et al.)

OAKLAND, Calif.—In the beginning, people hacked phones. In the decades to follow, hackers turned to computers, smartphones, Internet-connected security cameras, and other so-called Internet of things devices. The next frontier may be your brain, which is a lot easier to hack than most people think.

At the Enigma security conference here on Tuesday, University of Washington researcher Tamara Bonaci described an experiment that demonstrated how a simple video game could be used to covertly harvest neural responses to periodically displayed subliminal images. While her game, dubbed Flappy Whale, measured subjects' reactions to relatively innocuous things, such as logos of fast food restaurants and cars, she said the same setup could be used to extract much more sensitive information, including a person's religious beliefs, political leanings, medical conditions, and prejudices.

"Electrical signals produced by our body might contain sensitive information about us that we might not be willing to share with the world," Bonaci told Ars immediately following her presentation. "On top of that, we may be giving that information away without even being aware of it."


 

A Debian security update for tcpdump lists 32 different vulnerabilities in tcpdump that are addressed by this update [1]. While there are not a lot of details available yet, some of the vulnerabilities can apparently be used to execute arbitrary code.

This is particularly worrying if you use tcpdump to look at live attack traffic. Of course, remember that you can have tcpdump relinquish its root privileges after you start it up (-Z userid), but it would still have the ability to execute code as the user running tcpdump.

All tcpdump versions prior to 4.9.0 may be vulnerable (again, not a lot of details yet).

[1] https://www.debian.org/security/2017/dsa-3775

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
Zimbra Collaboration Suite CVE-2016-3412 Multiple Unspecified Cross-Site Scripting Vulnerabilities
 
Zimbra Collaboration Suite CVE-2016-3410 Multiple Unspecified Cross-Site Scripting Vulnerabilities
 
Zimbra Collaboration Suite CVE-2016-3411 Unspecified Cross-Site Scripting Vulnerability
 
SHDesigns Resident Download Manager CVE-2016-6567 Remote Code Execution Vulnerability
 
Zimbra Collaboration Suite CVE-2016-3407 Multiple Unspecified Cross-Site Scripting Vulnerabilities
 
Zimbra Collaboration Suite CVE-2016-3409 Unspecified Cross-Site Scripting Vulnerability
 
Zimbra Collaboration Suite CVE-2016-3413 Unspecified Security Vulnerability
 
IBM AIX CVE-2017-1093 Local Privilege Escalation Vulnerability
 
[security bulletin] HPSBHF03693 rev.1 - HPE iMC PLAT Network Products running Microsoft SQL Server, Remote Elevation of Privilege
 
Trend Micro Virtual Mobile Infrastructure CVE-2016-6270 Remote Code Execution Vulnerability
 
Botan CVE-2016-9132 Integer Overflow Vulnerability
 
QEMU 'sdhci.c' Denial of Service Vulnerability
 
OnionShare '/tmp/onionshare' Directory Local Security Bypass Vulnerability
 
wavpack Multiple Out of Bounds Reads Local Denial of Service Vulnerabilities
 
Artifex MUJS CVE-2016-10141 Integer Overflow Vulnerability
 
HexChat 'src/common/text.c' Directory Traversal Vulnerability
 
ESA-2017-007: EMC Documentum eRoom Unverified Password Change Vulnerability
 
Dlink DWR-932B Multiple Security Vulnerabilities
 
GNU Screen 'screen.c' Local Privilege Escalation Vulnerability
 
Revive Adserver REVIVE-SA-2017-001 Multiple Security Vulnerabilities
 
ESA-2016-094: RSA BSAFE Micro Edition Suite Multiple Vulnerabilities
 

This is a Guest Diary submitted by Ismael Valenzuela and Marc Rivero. Interested in writing a guest diary? Let us know via our contact page.

Macro based malware that hides in Microsoft Word or Excel documents is nothing new to Incident Responders and Malware Analysts.

However, something that caught our attention in the last few days was the use of a fileless method to bypass UAC implemented in a malicious Excel file. This method leverages eventvwr.exe and was described in detail by the Enigma0x3 team in this post: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Bypassing UAC is nothing new either (see the UACME project created by hfiref0x). In fact, a few days ago we learned of a new Dridex sample that attempts to bypass UAC by using application compatibility databases (http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html). What is most interesting about the method described by the Enigma0x3 team, however, is that it doesn't
Image 1: This Excel document implements a fileless UAC bypass using eventvwr.exe

KEYBASE is primarily a keylogger with some additional capabilities that are commonly found in other unsophisticated Trojans, such as password stealing and clipboard copying.

To understand how this sample behaves and have a look at its capabilities, we can use a popular free online resource like Hybrid Analysis.

Image 2: Dynamic analysis shows the execution of eventvwr.exe and pu457.exe

While the output is pretty self-explanatory, let's dive a bit deeper and explain what's going on there:

  • The embedded macro starts a hidden instance of PowerShell.exe (via cmd.exe), which downloads a file (mi.exe) from a remote server (ridart.ru) and stores it in the %TEMP% folder as pu457.exe.
  • A registry key is added under HKCU\Software\Classes\mscfile\shell\open\command pointing to the downloaded binary (more on this in Enigma0x3's post).
  • Finally, the PowerShell command invokes eventvwr.exe, which successfully queries/opens HKCU\Software\Classes\mscfile\shell\open\command and executes the malicious file that the registry key points to.
  • In case you are wondering, PING -n 15 127.0.0.1, as expected, does nothing but send 15 ICMP echo request packets to the IPv4 localhost address; this is just an alternative way to implement a sleep, in an attempt to evade sandbox detection.

The sequence of events described above will ultimately result in code execution in a high integrity process, effectively bypassing UAC!

As expected, there is an HTTP connection to ridart.ru to download an additional binary (mi.exe):


Image 3: Powershell initiates an HTTP GET request to ridart.ru to download mi.exe

The static analysis performed on pu457.exe helps us confirm the capabilities of this Portable Executable:

  • Ability to retrieve keyboard strokes
  • Contains ability to query volume size
  • Contains ability to open the clipboard

Finally, using the IOCs found during our investigation, we can leverage VirusTotal (https://www.virustotal.com) to check the reputation of this site and pivot to associated URLs, domains and other related samples. If you check the IPs in the network traffic on Hybrid Analysis, you can extract more related malicious indicators:

Image 4: Associated artifacts for 144.76.106.114 (ridart.ru)

As the Enigma0x3 team reminds us in their post, this method to bypass UAC is expected to work on all versions of Windows that implement UAC, including Windows 10, but it can be prevented by removing the current user from the Local Administrators group, which is something you should do anyway!

From a monitoring perspective, it's recommended to monitor and alert on any new registry entries in HKCU\Software\Classes, something that can be easily implemented with the latest version of Microsoft's Sysmon, v5 (https://technet.microsoft.com/en-us/sysinternals/sysmon).
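As an added, defender-side example (not code from the diary or from Enigma0x3), the PowerShell below checks a host for the hijacked mscfile handler and pulls matching Sysmon v5 registry events (IDs 12/13/14) from the event log; the function names and the 24-hour window are my choices, and it assumes Sysmon is installed with RegistryEvent logging enabled.

```powershell
# Added example (hypothetical helper names): hunt for the eventvwr.exe UAC-bypass
# artefact on a Windows host. Run in an elevated PowerShell session.

# The registry path the technique hijacks. A clean user profile has no
# HKCU\Software\Classes\mscfile key at all, so its mere presence is suspicious.
$HijackPath = 'HKCU:\Software\Classes\mscfile\shell\open\command'

function Test-MscfileHijack {
    if (-not (Test-Path $HijackPath)) { return $null }
    # The (default) value is the command eventvwr.exe will end up launching.
    $cmd = (Get-ItemProperty -Path $HijackPath).'(default)'
    [pscustomobject]@{ Finding = 'mscfile handler present in HKCU'; Command = $cmd }
}

# Sysmon v5 registry events: 12 = key create/delete, 13 = value set, 14 = rename.
# Sysmon logs HKCU paths as HKU\<SID>\Software\Classes\..., so match on the tail.
function Get-MscfileRegistryEvents {
    param([int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 12, 13, 14
        StartTime = $start
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Software\\Classes\\mscfile\\shell\\open\\command' } |
    ForEach-Object {
        # Parse the event XML so each Sysmon field is addressable by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            EventType    = $d['EventType']     # CreateKey / SetValue / RenameKey ...
            Image        = $d['Image']         # process that touched the key
            TargetObject = $d['TargetObject']
            Details      = $d['Details']       # value data; populated for ID 13 only
        }
    }
}

Test-MscfileHijack
Get-MscfileRegistryEvents -Hours 24 | Format-Table -AutoSize
```

Pair it with a Sysmon RegistryEvent include rule whose TargetObject condition is "contains" \mscfile\shell\open\command (or the broader \Software\Classes path the diary recommends), so the events exist to be queried.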

Further references:

Full report in Hybrid Analysis:
https://www.hybrid-analysis.com/sample/e431bc1bacde51fd39a10f418c26487561fe7c3abee15395314d9d4e621cc38e?environmentId=100

pu457.exe on Virustotal: https://www.virustotal.com/es/file/a3a8959b5505029b773fb2ad1c2dc7adf657b17199d5e77b6cc796327d4a1561/analysis/

Information on Keybase:
https://securingtomorrow.mcafee.com/mcafee-labs/malicious-forums-turn-amateur-hackers-into-cybercriminals/

Ismael Valenzuela, GSE #132 (@aboutsecurity)
SANS Instructor Global Director, Foundstone Services at Intel Security

Marc Rivero @seifreed
Head of Research, Payload Security

 
RubyGems minitar and archive-tar-minitar CVE-2016-10173 Local Directory Traversal Vulnerability
 


 
Adobe Flash Player APSB16-10 Multiple Use After Free Remote Code Execution Vulnerabilities
 
Squashfs and sasquatch 'read_fragment_table_4' Multiple Stack Buffer Overflow Vulnerabilities
 
Adobe Reader and Acrobat CVE-2016-1008 Remote Code Execution Vulnerability
 
Cisco Unified Communications Manager CVE-2017-3798 Cross Site Scripting Vulnerability
 
 
SVG Salamander CVE-2017-5617 Server Side Request Forgery Security Bypass Vulnerability
 
cgiemail and cgiecho Multiple Security Vulnerabilities
 
Microsoft Office CVE-2016-7276 Information Disclosure Vulnerability
 
Microsoft Office CVE-2016-7262 Remote Code Execution Vulnerability
 
[REVIVE-SA-2017-001] Revive Adserver - Multiple vulnerabilities
 
Perl CVE-2015-8853 Denial of Service Vulnerability
 
Perl CVE-2016-6185 Local Privilege Escalation Vulnerability
 
Perl CVE-2016-1238 Local Privilege Escalation Vulnerability
 
Perl 'File::Spec' module CVE-2015-8607 Security Bypass Vulnerability
 