Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implications for your environment.

September 2016 Internet Security Report


September 2016 delivered an eventful month for cyber security, with a handful of threats, breaches and interesting developments in the security of Internet of Things devices. A Denial of Service attack on the website of investigative journalist Brian Krebs was found to be largely comprised of compromised Internet of Things devices. Ransomware continued to cause trouble for computer users at all levels, with a number of new variants and delivery methods being mixed into the threat landscape.

 

Threats

  • Ransomware continues to be a major threat to organisations worldwide, with cybercriminals finding new ways to infect users. This month a new variant of ransomware called Mamba was identified which encrypts the whole disk instead of individual files. This is achieved by using a pirated version of the open source disk encryption tool DiskCryptor to encrypt the victim’s hard drive(s). Similar to most other ransomware variants, Mamba uses malicious attachments to deliver its payload and compromise the user’s system. Please ensure that you have adequate backup and restore policies in place and routinely test them to reduce the threat posed by ransomware.

https://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-files/120730/
https://nakedsecurity.sophos.com/2016/09/27/mamba-ransomware-strikes-at-your-whole-disk-not-just-your-files/

  • A new ransomware campaign appears to be targeting educational institutions and government agencies. This ransomware is called MarsJoke and is distributed via emails with a link that downloads a file called ‘file_6.exe’. These emails bear the branding of popular shipping and postal companies.

https://threatpost.com/marsjoke-ransomware-targets-edu-gov-agencies/120856/

  • Victoria Police have released an advisory that unmarked USB drives have been placed in the letterboxes of Melbourne residents. The USB drives contain malicious software which appears to render victims’ computers useless. If you receive an unexpected USB drive in the mail, do not plug it into your computer or other devices. On top of malware contained on USB devices, these devices can contain hardware to emulate your computer’s keyboard and mouse to deliver malware, or in the case of the “USB Killer” permanently disable your USB port or even your computer.

http://www.businessinsider.com.au/melbourne-residents-are-receiving-harmful-usb-drives-in-their-letterboxes-2016-9
https://www.usbkill.com/usb-killer/8-usb-killer.html

  • The APT group tracked under the names APT28, Fancy Bear, Sednit and Pawn Storm is running a phishing campaign targeted at Mac OS X users. The campaign involves emails sent with attachments designed to look like a PDF document; however, the attachment is not a PDF but an executable that opens a PDF document after running so as not to arouse suspicion. User interaction is still required to deliver the malware, but Mac users may be less cautious because of the common fallacy that Mac OS X does not have viruses.

https://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-trojan/120882/

  • Malvertising is a term used for an online ad or pop-up that is used as a means to compromise an end user through malicious scripting. These malicious ads are encountered as a result of general internet use and are often able to seamlessly compromise a user without generating visual prompts. Although not a new method for actors to compromise a host, it has recently seen a resurgence in certain cases to spread ransomware. One example of this occurring recently was when the popular website answers.com was observed to have been distributing malware through embedded advertising, where users would be exposed to the RIG Exploit Kit serving up ransomware, potentially without answers.com even realising it was happening. Ensuring that your operating system and applications are adequately patched is still the most effective way to mitigate this sort of drive-by download attack.

https://blog.malwarebytes.com/cybercrime/exploits/2016/09/rig-exploit-kit-takes-on-large-malvertising-campaign/
http://www.infosecurity-magazine.com/news/malvertising-attack-threatens-2/

 

Breaches

  • Point of Sale merchant H&L Australia has reportedly been breached by an unknown threat actor. The threat actor allegedly sold access to a database server, and it is believed that at the very least a 14.1Gb database dump has been stolen. Customers of H&L Australia include the Australian Leisure and Hospitality Group, which operates around 330 pubs and clubs in Australia.

http://www.theregister.co.uk/2016/09/20/exclusive_hackers_claim_pos_tech_firm_breach/

  • UK-based smartphone news and reviews forum MoDaCo has confirmed a breach of 880 000 member usernames, passwords, email and IP addresses. The breach itself is believed to have occurred in January 2016 through the use of a compromised administrator account. Although a lot of information has been leaked, MoDaCo says passwords were stored using the Blowfish cipher. “Security researcher Troy Hunt, who runs ‘Have I Been Pwned?’, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.” – (Zeljka Zorz – helpnetsecurity.com, 2016)

Read more on Help Net Security website

 

Other

  • Investigative journalist Brian Krebs has been the target of one of the largest Distributed Denial of Service (DDoS) attacks ever recorded, at a whopping 620Gbps. Brian Krebs’s website krebsonsecurity.com had DDoS protection provided by Akamai, who were able to absorb the DDoS attack but have since dropped Brian Krebs as a client. The website is now protected by the Google Project Shield initiative, a free service for select journalists to protect them from online censorship.

Read more on Krebs on Security website

  • Threat actor ‘The Shadow Brokers’ have acquired stolen NSA hacking tools and are attempting to sell them on the black market. These tools have been confirmed to be NSA tools via an unnamed source within the FBI group currently investigating the incident. It is believed the tools were stolen when they were left on a remote staging server 3 years ago that has since been compromised. So far there has reportedly been little interest in buying these tools, likely due to the NSA currently looking for evidence that the tools are being used, and the fear that using them could garner too much attention from the NSA.

Read more on Naked Security website

  • There has been an increase in the development of sandbox-aware malware. There have been observed cases where a document-based macro will search a system for the presence of Word documents in order to detect whether it is running in a sandbox environment or on a real user’s system. If the script did not detect more than two Word documents on the host, it would terminate; where more than two Word documents were identified, the macro would call back to download its desired malware for execution. These advancements show a growing requirement to tailor sandbox environments to be a more realistic snapshot of the kinds of machines that malware targets.

https://it.slashdot.org/story/16/09/24/1834249/malware-evades-detection-by-counting-word-documents
https://threatpost.com/malware-evades-detection-with-novel-technique/120787/

August 2016 Internet Security Report


August 2016 was an overall interesting month for cyber security, with the annual conferences taking place in America, the Census providing some interesting lessons learnt and discussion, and the Olympics creating an interesting platform for malicious actors. In addition to this, the industry as a whole experienced a diverse range of new threats, breaches and success stories.

Threats

  • Sophos have identified a trend where shortcut files (.LNK) have been used to hide ransomware downloaders. By using a shortcut file, malicious actors are able to better mask malware by making the link appear benign. Users are reminded to always be wary of any links or attachments they receive in emails and, when in doubt, to report them or seek a second opinion.

https://nakedsecurity.sophos.com/2016/08/03/beware-of-ransomware-hiding-in-shortcuts/

  • US-based researcher Elie Bursztein presented his findings from a social experiment conducted at a US university where a number of USB drives containing ‘phone home’ capabilities were dropped. Surprisingly, 48% of the 297 USB drives dropped were plugged into a computer and the phone home capability activated. When surveyed, the majority of people who activated the drives claimed to have been trying to return the drive to its rightful owner. This study highlights the level of trust that people have in USB devices; although the drives used in the study were not actually malicious, it is important to always be wary of the origin of a USB device, especially if it has been found or is free.

https://threatpost.com/never-trust-a-found-usb-drive-black-hat-demo-shows-why/119653/

  • It is believed that the increase in attention created by the Olympics has resulted in an increase in banking malware in Brazil. This is a good reminder of how current events, both global and domestic, can be used by malicious actors to increase their chances of a successful social engineering attack.

http://www.infosecurity-magazine.com/news/olympics-panda-zeus-chomps-into/
http://www.infosecurity-magazine.com/news/brazil-hit-with-a-second-banking/

  • A new banking Trojan kit sold as a service has been discovered, going by the name of Scylex. This is likely to fill the malware-as-a-service void created by the downfall of previously dominant trojans such as Zeus/SpyEye, Citadel and ZeroAccess. It is still unclear how operational or effective this new service is. However, if it is able to deliver on its promises it has the potential to wreak havoc on financial institutions.

http://www.securitynewspaper.com/2016/08/13/new-scylex-banking-trojan-kit-surfaces-dark-web/
http://www.infosecurity-magazine.com/news/meet-scylex-the-new-financial/

Breaches

  • Accountancy software provider The Sage Group experienced an incident in which a user used valid internal credentials to access a number of sensitive customer files. Unfortunately, as this is still an ongoing investigation, the scale of the breach is uncertain; however, there have been reports of an arrest in relation to this breach, resulting in fraud charges. This incident highlights the reality of the risk that insider threats can pose to an organisation.

http://www.theregister.co.uk/2016/08/15/sage_breached_in_apparent_insider_attack/
http://www.welivesecurity.com/2016/08/15/high-profile-data-breach-sage-draws-attention-internal-threats/
http://www.infosecurity-magazine.com/news/sage-employee-arrested-data-breach/

  • This month 20 US hotels were identified as being infected with Point-of-Sale malware designed to harvest credit card information. These attacks continue to highlight how all devices on a network need to be considered and assessed from a security standpoint. With malicious actors becoming more creative and aware of the weakest points of an organisation’s information systems, it is important to be aware of all hosts and their business importance within the scope of a network and to ensure that appropriate security and risk management controls are in place and adhered to.

http://www.zdnet.com/article/20-top-us-hotels-hit-by-fresh-malware-attacks/
http://www.theregister.co.uk/2016/08/15/pos_malware_stings_20_us_hotels/

Patches and Updates

  • Microsoft Office patch MS16-099 resolved some issues that would allow remote code execution if a user opened a specially crafted document. These continue to be an issue, with common phishing emails claiming to be an invoice or a resume likely to make use of these exploits. Ensure these patches are deployed as soon as possible.

https://technet.microsoft.com/en-us/library/security/MS16-099

  • In one of the most interesting security news events in recent history, tools from the notorious ‘Equation Group’, which has previously been attributed as an NSA-backed threat actor, were put up for auction in an underground forum by an actor known as ‘The Shadow Brokers’. The Shadow Brokers initially floated the price of the tools at 1 million bitcoin (roughly 580 million USD), which naturally drew a lot of suspicion and skepticism as to the legitimacy of the claim. As time went on and some of the tools up for auction were released as proof of concept, the reality of the situation began to set in, with a number of large companies validating the legitimacy of the tools and exploits and subsequently releasing urgent patches to resolve the issues. Some of the companies who have released updates and comments include:

– Cisco – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
– Fortinet – http://fortiguard.com/advisory/FG-IR-16-023
– Juniper – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10605&actp=search

Other

  • Project Sauron also known as Strider is a high-level modular cyber-espionage platform believed to be part of an Advanced Persistent Threat (APT) campaign that has been documented in some detail in the below link. This cyber-espionage platform has been found to be attacking high profile targets in Government, Finance, Military, Telecommunications, and Scientific Research.

https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/

  • Brisbane City Council has lost $450,000 AUD in a sophisticated spear-phishing scam, where scammers pretending to be a legitimate professional services provider used a series of fake invoices to defraud the Council of just over $450,000 AUD through 9 payments between the 13th of July and the 16th of August. Unfortunately the likelihood of recovering the funds is low, and law enforcement is currently pursuing the matter. Deloitte has also been engaged to conduct an investigation into the incident. Sadly this type of fraud is a constant threat and is most effective where financial payment controls and processes are less stringent or existing processes are being bypassed by staff. By ensuring outgoing payments are peer reviewed and duties are structurally separated, it is possible to better mitigate the risk of these scams being successful.

http://www.theregister.co.uk/2016/08/16/brisbane_councillors_lose_500k_to_scammers/
http://www.abc.net.au/news/2016-08-16/brisbane-city-council-loses-450k-to-scammers/7746812

July 2016 Internet Security Report


Threats

  • Ransomware delivery through compromised websites continues to be a threat for end users despite the slowdown in major ransomware and exploit kit activity over previous months. There have been reports of the SoakSoak botnet performing automated reconnaissance and exploitation of websites through a vulnerable WordPress plugin, resulting in the delivery of CryptXXX ransomware via the Neutrino Exploit Kit. With ransomware and access to malware as a service becoming easier for criminals looking to make a quick dollar, it is important that users are conscious of their web browsing activities and their interactions with websites and downloaded files.

– http://www.itnews.com.au/news/aussie-site-caught-up-in-cryptxxx-ransomware-spreading-campaign-431101
– https://www.invincea.com/2016/07/major-websites-getting-soaksoakd-delivering-cryptxxx-ransomware/

  • Chimera ransomware private keys have reportedly been leaked on Pastebin. Since this announcement Kaspersky Lab has updated its RakhniDecryptor to decrypt files affected by Chimera ransomware. It is believed that the keys were obtained and leaked by the authors of competing ransomware variants as something of a business strategy to control the ransomware market.

– https://blog.malwarebytes.com/cybercrime/2016/07/keys-to-chimera-ransomware-leaked/
– https://threatpost.com/petya-sabotages-rival-ransomware-chimera-leaks-decryption-keys/119543/

  • New Android-based malware named ‘SpyNote’ has reportedly surfaced that allows a malicious actor to steal user messages and contacts and eavesdrop on voice calls. This provides a good reminder to users to keep mobile devices up to date and always double check the permissions you grant applications on installation, especially when installing from a third party application store.

– http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojan-builder-leaked/

Breaches

  • Although there has been a decrease in major breaches this month, there have been some interesting observations made as a result of mid-year reporting from the wider industry. Some of these key observations were:
    – Continual employee security awareness training and education efforts are essential to ensure that end users are able to identify and understand the threats that face them at both work and home.
    – The increasing need to always consider the security requirements of new technology trends to “eliminate the weaknesses exposed in an evolving computing environment.”
    – The additional risk exposure that mobile devices and the internet of things can introduce into an environment.
    – The importance of securing cloud applications and understanding where your important data is being stored, how it is handled and, more importantly, how it gets there.

– https://www.paloaltonetworks.com/company/press/2016/cybersecurity-education-efforts-yielding-results
– http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf-
– http://cdn2.hubspot.net/hubfs/349272/2016-1h-Shadow_Data_Report/ShadowDataReport_1H_2016.pdf

Patches and Updates

  • Google researchers from Project Zero released a report on some critical issues in the cloud-based password management system LastPass. The identified issues were confirmed to only affect users of the LastPass Firefox add-on. The issues allowed a malicious actor to compromise the LastPass account and gain access to the stored passwords through the use of malicious code on a website. The issue has since been resolved by LastPass, with updates being pushed to affected versions of the Firefox add-on.

– http://thehackernews.com/2016/07/lastpass-password-manager.html
– https://bugs.chromium.org/p/project-zero/issues/detail?id=884
– https://blog.lastpass.com/2016/07/lastpass-security-updates.html/

Other

  • SANS have produced an interesting write-up on CEO Fraud in this month’s edition of OUCH!. CEO Fraud, also known as Business Email Compromise (BEC), occurs when a malicious actor pretends to be a CEO or senior executive of an organisation as a means to manipulate users through spear phishing emails or phone calls. Examples of these attacks can include requests for urgent money transfers, requests for sensitive and employee information, or emails advising the recipient to expect an urgent phone call to discuss confidential matters. Users are advised to always question emails or correspondence that just don’t look or feel right, to always ensure that correct security policy and procedures are followed regardless of how urgent the situation may appear and, when in doubt, to ask for a second opinion.

– http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201607_en.pdf

 

April 2016 Internet Security Report



April continues a growing trend of high-profile vulnerabilities with Badlock, a man-in-the-middle vulnerability in Windows and Samba services. The author of Badlock provided a very long patch preparation time so that teams could apply the patch within the shortest possible time after release. There is a growing need for critical patches to be applied within the shortest possible period after their release, especially in open source components; however, many vendors are lagging behind in providing a quick turnaround for patch releases, if at all. Apple QuickTime for Windows is an example of a vendor deciding to abandon its product rather than fixing its discovered vulnerabilities, leaving any users who may still be using the software, or still have it installed, vulnerable to serious exploits.
 
PCI DSSv3.2 has now been released with new requirements. The biggest impact of these requirements is on service providers. Some of these new requirements are recommended practices until June 2018 while others must be in place by June 30, 2016. We have released an overview of the changes on our website https://www.shearwater.com.au/new-version-of-pci-dss-released-v3-2/

 

Threats

 

 

Breaches

 

Patches and Updates

  • Badlock is a man-in-the-middle vulnerability affecting DCERPC traffic that allowed an attacker to impersonate an authenticated user. This vulnerability affected Windows computers and any computer using the Samba software. The CVE number for Windows is CVE-2016-0128 and the CVE number for Samba is CVE-2016-2118. Patches are available for Windows and Samba.
    http://rhelblog.redhat.com/2016/04/15/how-badlock-was-discovered-and-fixed/
  • US-CERT advises Windows users to uninstall Apple QuickTime. The Trend Micro Zero Day Initiative has discovered two new unpatched vulnerabilities that could be used to remotely compromise Windows computers. As Apple will no longer be providing security updates for QuickTime for Windows, it should be uninstalled on all systems as soon as possible.
    http://krebsonsecurity.com/2016/04/us-cert-to-windows-users-dump-apple-quicktime/
  • OpenSSL will release versions 1.0.2h and 1.0.1t, which fix a range of vulnerabilities rated as high severity.
    https://www.openssl.org/news/secadv/20160503.txt
  • Oracle has released a Critical Patch advisory for April 2016 which contains 136 security fixes across the various Oracle products, including Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE and Oracle MySQL. It is recommended that these updates are applied as soon as possible.
    http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
  • Samba patched multiple vulnerabilities, including denial of service and man-in-the-middle vulnerabilities. In addition to applying these patches, the Samba team recommends that additional configuration steps be taken to protect against man-in-the-middle attacks. The changes involve setting mandatory server signing and disabling NTLMv1 authentication; without these settings man-in-the-middle attacks remain possible. For more information please see the following link.
    https://www.samba.org/samba/history/samba-4.4.2.html
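To make the two Samba settings above checkable across a fleet, here is an added Python audit (not code from the Samba project or from this report) that parses an smb.conf and reports whether server signing is mandatory and NTLMv1 is disabled. The parameter names are the real smb.conf options "server signing" and "ntlm auth"; the sample configurations are constructed for the example.

```python
"""Added example, not from the Samba project: audit the [global] section of
an smb.conf for the two Badlock hardening settings named in the Samba 4.4.2
release notes, mandatory server signing and NTLMv1 disabled. 'server signing'
and 'ntlm auth' are real smb.conf parameters; the sample configurations below
are constructed."""

# Hardened values the audit requires. A missing parameter means the Samba
# default applies; it is reported because that default is not guaranteed to
# be the hardened value.
REQUIRED = {
    "server signing": "mandatory",  # reject unsigned SMB sessions
    "ntlm auth": "no",              # refuse NTLMv1 authentication
}

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def canon(name: str) -> str:
    """Samba ignores case and whitespace in parameter names, so
    'Server Signing' and 'serversigning' both mean 'server signing'."""
    return "".join(name.lower().split())


def parse_global(conf_text: str) -> dict:
    """Return the [global] parameters keyed by canonical name; a later
    definition overrides an earlier one, as Samba does. Full-line comments
    (# or ;) and other sections are ignored."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[canon(name)] = value.strip()
    return params


def normalise(key: str, value: str) -> str:
    """Canonicalise a value so 'Yes', 'true' and '1' compare equal."""
    v = value.strip().lower()
    if key == "ntlm auth":
        if v in TRUE_WORDS:
            return "yes"
        if v in FALSE_WORDS:
            return "no"
    return v


def audit_badlock_settings(conf_text: str) -> list:
    """Return (parameter, value_found_or_None, required_value) for every
    hardening setting that is missing or not at the hardened value."""
    params = parse_global(conf_text)
    findings = []
    for key, required in REQUIRED.items():
        found = params.get(canon(key))
        current = normalise(key, found) if found is not None else None
        if current != required:
            findings.append((key, found, required))
    return findings


# Constructed sample: a configuration that still permits unsigned sessions
# and NTLMv1.
WEAK_CONF = """
[global]
   workgroup = CORP
   server string = File server
   server signing = auto
   ntlm auth = yes

[share]
   path = /srv/share
"""

# Constructed sample: the same server with the two settings hardened.
HARDENED_CONF = """
[global]
   workgroup = CORP
   server string = File server
   Server Signing = mandatory
   ntlm auth = no

[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_badlock_settings(conf))
    # weak [('server signing', 'auto', 'mandatory'), ('ntlm auth', 'yes', 'no')]
    # hardened []
```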

 

Other

January 2016 Internet Security Report


Threats

  • Microsoft DNS patching – Microsoft released a patch for DNS this month (MS15-127). The issue was reported internally; however, it may allow remote code execution and the patch should be applied to all Microsoft DNS servers. Soon after release, traffic to port 53 increased on the internet, suggesting there may be an exploit available.

If you have external-facing Microsoft DNS servers, these should be patched as soon as possible.

  • Drive-by Ransomware – Cryptowall 4.0 is being used in another drive-by campaign. This campaign is conducted in stages, the first being the installation of Pony, which harvests all usable usernames and passwords. Second is the installation of the Angler exploit kit, which is used to find flaws on the victim’s system. Once the flaws have been identified, they are used to install Cryptowall 4.0 onto the victim’s computer. This is actively being distributed using emails with Word attachments as well as Excel spreadsheets. http://arstechnica.com/security/2015/12/newest-ransomware-pilfers-passwords-before-encrypting-gigabytes-of-data/

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.

Remind users regarding the reporting process in your organisation should they accidentally open and activate such email. The first action of the user should be to pull the network cable on their computer.

Ensure that there are viable backups of critical files in the organisation.

  • Since late November 2015, malicious spam (malspam) distributing TeslaCrypt ransomware has surged in a recent attack offensive [1]. Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files. These zipped .js files, called Nemucod by ESET and some other security vendors [2], download and install the TeslaCrypt ransomware. https://isc.sans.edu/diary/TeslaCrypt+ransomware+sent+using+malicious+spam/20507

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.

Remind users regarding the reporting process in your organisation should they accidentally open and activate such email. The first action of the user should be to pull the network cable on their computer.

Ensure that there are viable backups of critical files in the organisation.

Whilst the risk in Australia is currently considered low, it may require a rethink of how machines infected with malware are remediated. To ensure this threat, if present, is removed, the volume boot records and master boot record should be rebuilt.

  • “The war in Syria, which began several years ago, has recently become one of the most widely reported events in the media. Along with the growing interest of the international community in Middle East events, “Nigerian” scammers have also jumped on the bandwagon. Over the last few months, we have recorded an increase in the number of fraudulent emails utilizing the Syrian theme.” https://securelist.com/blog/spam-test/72867/arabian-tales-by-nigerians/

As these are standard phishing activities users should be educated regarding following links and opening attachments on emails.

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.

 

Breaches

  • Invest Bank in Sharjah, United Arab Emirates – A hacker has leaked customer data after the bank declined to pay approximately US $3 Million in Bitcoin as a ransom. The hacker has been identified as Hacker Buba. It is believed that Hacker Buba has a number of other files, other than those released, on customer data including entire SQL databases. Hacker Buba claimed to also have data from the following banks “UAE, Qater, ksa and etc”.

 

  • OPM breach update – A handful of hackers that allegedly broke into OPM’s database and stole data related to approximately 22 million current and former federal employees have been arrested by the Chinese government. Information about the suspects and their potential ties to the Chinese government has not been disclosed.

 

 

  • JD Wetherspoon – A breach consisting of around 656000 customers’ data has been made public by the retail company JD Wetherspoon. Data obtained includes names, dates of birth, email addresses, phone numbers, and a ‘limited’ number of credit card details belonging to around 100 customers. It appears that the breach vector was their website, which has since had a ‘complete overhaul’. http://www.zdnet.com/article/jd-wetherspoon-loses-data-of-over-650000-customers-in-cyberattack/

 

 

 

Patches and Updates*

 

 

  • It appears that all major AV vendors have a flaw with the way they allocate memory for read, write and execute permission. They allocate these RWX permissions in a predictable way which could allow an attacker to inject malicious code. McAfee, Kaspersky and AVG have released patches for the flaw, others will follow. “Given the possible widespread nature of the problem, enSilo has created a free checking utility called AVulnerabilityChecker and stuck it on Github for anyone to use.” http://www.theregister.co.uk/2015/12/10/kaspersky_mcafee_avg_vulnerable/

 

 

  • Juniper ScreenOS – two issues have been disclosed, affecting the following versions:
    Unauthorised admin access – ScreenOS 6.3.0r17 through 6.3.0r20.
    VPN traffic can be decrypted – ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
    The admin issue, CVE-2015-7755, relates to a hardcoded backdoor password in the system. It allows access via SSH or Telnet regardless of the user ID used. The second issue, CVE-2015-7756, relates to IPsec VPNs and may allow someone who intercepts VPN traffic to decode it.
    Please review the KB and determine whether you have systems that may be susceptible. Scans for accessible Juniper devices are ongoing.

* Please note these are not all patches released during December. Our list outlines those patches or notifications that may have been missed, or have changed status since release or after additional information has been made available.

 

Other

  • DNS – Between November 30 and December 1, distributed denial-of-service attacks were carried out against the internet’s root name servers, a set of 13 server networks that are at the root of the domain-name system, or DNS, sometimes called the internet’s address book. The root server zones contain information that allows browsers to find top-level domains such as .com, .org, .net, and the country-specific domains attached to them. According to an incident report by root-servers.org, “most, but not all” DNS root name servers were experiencing five million queries per second, which was enough junk traffic to prevent some normal queries. http://www.zdnet.com/article/mystery-attackers-bombard-servers-at-the-internets-core/

 

  • Google will no longer trust one of Symantec’s root certificates, PCA3-G1, as a result of Symantec’s advisory that “this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications.” http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/

MS15-034 – HTTP.sys Advisory


By Mark Hofman, Terry Darling, and Simon Treadaway


1- MS15-034 – HTTP.sys Advisory (CVE-2015-1635)

Microsoft earlier this week released a patch for both servers and workstations, MS15-034. This patch addresses an issue in the file http.sys. The http.sys file is used by the operating system to accept and process HTTP and HTTPS requests. At the time of release the information provided by Microsoft was that remote code exploitation may have been possible. Since its release on Tuesday Proof Of Concept (PoC) code has been published on the Internet. The initial versions would only check for a particular response from the server. However these have now morphed into simple requests that will cause a Denial of Service (DoS) and cause the Windows system to blue screen.

The vulnerability may result in a complete takeover or disruption of systems and services through a successful DoS attack. Microsoft states it has not received any information to indicate that this vulnerability has yet been publicly used in attacks, however since its release PoC code has emerged, and multiple threat intelligence honeypots are detecting scans for this vulnerability utilising the strings that result in a DoS.

Mass scale exploitation of Internet-facing web-servers having the vulnerability is expected.

As exploitation does not require authentication, and there is no indicator of compromise to rely on, the most effective response is to implement remediation measures as soon as reasonably possible.


2- How does it work

The vulnerability is in the main component of the Windows HTTP protocol stack known as http.sys and is caused when http.sys improperly parses what Microsoft describes as “specially crafted HTTP requests”. The specially crafted packet is a header request sent to the server with a RANGE parameter and some values.


GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615


Successful exploitation of the vulnerability could allow an attacker to remotely execute arbitrary code in the context of the IIS account being used (the default IIS user account is SYSTEM) and thereby gain full remote access to the affected Windows system. It is, however, more likely that the DoS version of the code will be used to disrupt services.

Further technical details can be found at:


3- Who is affected

Any Microsoft server or workstation that accepts HTTP/HTTPS traffic is likely to be affected by this issue. Whilst most of the information available focuses on IIS, as this is the main application that utilises this particular file, it is not the only product running in a Windows environment that will be vulnerable.

Microsoft states the following versions of their operating system are vulnerable:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation option)
  • Windows Server 2012 R2 (Server Core installation option)


4- How can you identify if you are vulnerable

The mainstream testing tools such as Nessus, Nexpose and nmap have updated scripts and signatures to perform checks.

The simplest method to test if your machine is vulnerable is to perform the following check from either a Linux or a Windows system that has curl installed:

$ curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"

If the response includes “Requested Range Not Satisfiable”, the server is likely vulnerable:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>


Some PowerShell alternatives are available but testing suggests these scripts may not be reliable.


5- How can you remediate

To fix the issue the only approach at this time is to patch and apply the fix released earlier this week (i.e. MS15-034). Priorities:

  1. Internet facing Microsoft web servers should receive first priority, especially those utilising IIS as the web server.
  2. As a second priority any remaining internet facing Windows systems should be patched.
  3. Internal servers utilising IIS
  4. Remaining internal servers
  5. Workstations (unless these are running IIS in which case they should be treated as a level 3 priority)

Alternate options:

  • Disable IIS caching (IIS 7 upwards) – This will prevent the attack from being successful, but it will have a significant impact on the performance of the server and is not a first choice.
  • Intrusion Prevention Signatures – The main Intrusion Detection vendors, as well as those with Next Generation firewalls, will already have signatures for this attack. Please be aware that effectiveness depends on the signature.
    • The more effective signatures target the Range header itself, since that identifies and drops every such request; it is not a header that a normal application regularly sends.
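As an added example (not part of the original advisory), the following Python shows the kind of check such a signature performs on raw HTTP request heads. It flags any byte-range bound too large to be a real file offset, not only the exact value in the PoC, so trivial variants are caught too. The sample requests are constructed and the offset threshold is an assumption to tune for your environment.

```python
import re

# Bounds beyond this cannot be a file offset on any real filesystem. The public PoC and
# the IPS signatures the advisory mentions key on 2**64-1 (18446744073709551615).
MAX_PLAUSIBLE_OFFSET = 2**63 - 1   # assumption: tune to the largest resource you serve

def parse_request_head(raw):
    """Split a raw HTTP/1.1 request head into (request line, {lowercase header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def range_bounds(range_value):
    """Every numeric bound in a 'bytes=' Range value: 'bytes=0-99, 200-' -> [0, 99, 200]."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", range_value)
    if not m:
        return []          # the advisory's signatures concern byte ranges only
    return [int(n) for n in re.findall(r"\d+", m.group(1))]

def is_ms15034_probe(range_value):
    """True when any bound in the Range header is too large to be a genuine offset."""
    return any(b > MAX_PLAUSIBLE_OFFSET for b in range_bounds(range_value))

def find_probes(raw_requests):
    """Return (index, request line, Range value) for each request that looks like a probe."""
    hits = []
    for i, raw in enumerate(raw_requests):
        request_line, headers = parse_request_head(raw)
        rng = headers.get("range")
        if rng is not None and is_ms15034_probe(rng):
            hits.append((i, request_line, rng))
    return hits

# Constructed sample traffic: two legitimate partial-content requests and the request
# shown in the advisory.
SAMPLE_REQUESTS = [
    "GET /files/update.bin HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=1048576-\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023, 4096-8191\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: MS15034\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
]

if __name__ == "__main__":
    for index, line, rng in find_probes(SAMPLE_REQUESTS):
        print(f"request {index}: {line!r} carries suspicious Range {rng!r}")
```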

Given the criticality of the vulnerability Shearwater’s recommendation is to patch in accordance with the priorities outlined above.


6- How can we help

If required there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers’ security, and is always happy to provide advice. If any assistance is required please contact us.

GHOST Vulnerability Advisory


By Terry Dolbey and Matt Stiles

1- Background on GHOST Vulnerability CVE-2015-0235

GNU C Library (glibc) is the implementation of the C library used by the GNU project. This library provides the core functionality to Unix and Linux (Nix) based Operating Systems and access to common functions used by applications installed on the Operating Systems.

The “__nss_hostname_digits_dots()” function within glibc was identified as vulnerable to a heap-based buffer overflow. This vulnerability was given the name GHOST and corresponds to the following reference: CVE-2015-0235. The bug can be reached through the “gethostbyname()” and “gethostbyname2()” functions, which perform a DNS resolution of a hostname to an IP address.

Successful remote exploitation of the vulnerability could allow a cyber-criminal to gain remote access to a system, while local exploitation could be used for a privilege escalation attack with the goal of increasing the cyber-criminal’s privilege level.


2- Who is affected

Currently the GHOST vulnerability affects GNU C Library versions from glibc-2.2, which was released in the year 2000, up to glibc-2.18, released in August 2013. This affects both 32-bit and 64-bit releases of the glibc libraries.

A few popular Nix based operating systems that are currently affected include Debian 7 (Wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04 and prior. Furthermore, any other Nix based operating system that was released prior to August 2013 may also be affected.

As this is a core Nix library, several software packages that rely on the “gethostbyname*()” family of functions in glibc are affected by this vulnerability. A non-exhaustive list of Nix software packages that have been validated as vulnerable includes:

  • Exim SMTP mail server
  • Clockdiff
  • Procmail
  • Pppd (ms-wins, ms-dns and socket options)
  • Ping (special conditions required)
  • Arping (special conditions required)


3- How can you identify if you are vulnerable

Red Hat/CentOS

The following command can be used to detect the version of glibc library installed:

rpm --query --info glibc

Debian/Ubuntu

Similarly, the following command can be used to determine the version of glibc installed on Debian/Ubuntu based systems (the package is named libc6 there):

dpkg -s libc6

This will return information related to the affected package including the version installed of the glibc libraries. Any version number between 2.2 and 2.18 can be assumed as vulnerable and requires patching.


4- How can you remediate

Shearwater recommends performing an upgrade of all Nix based systems affected to the secure September 2014 release of glibc (glibc-2.20).


Red Hat/CentOS Upgrade Process

To update glibc on Red Hat and CentOS based distributions, follow the instructions below:

1- Clear the package cache on the system.

sudo yum clean all

2- Perform a package update.

sudo yum update glibc

3- Install the package update.

During the update process, a prompt asking if it is ok to install the updates will appear.


Debian/Ubuntu Upgrade Process

1- Clear the package cache on the system.

sudo apt-get clean

Note: This will remove all packages from the package cache. “apt-get autoclean” will only remove from the cache packages that are no longer installed on the system.

2- Perform a package update.

sudo apt-get update

3- Install the package update.

sudo apt-get install --only-upgrade libc6


5- How can we help

If required there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers’ security, and is always happy to provide advice. If any assistance is required please contact us.

Heartbleed Advisory


Background on CVE-2014-0160 (Heartbleed)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to provide secure communications between a client and a server, and are most often used to encrypt HTTP traffic. SSL and TLS can also be used to secure other communications protocols, including those used by email servers, chat clients, databases and more. In addition to providing encryption, SSL/TLS also provides authentication by utilising certificates to positively identify the other party. Once a trusted third party has signed the certificate, a certain level of trust is established between the two communicating parties, providing independent assurance that the certificate holder is indeed who they claim to be.

OpenSSL is a software package used to generate SSL and TLS encryption keys and provides code libraries that are used in many applications to establish the secure communications channel using SSL or TLS. CVE-2014-0160 documents a serious security flaw in several versions of the OpenSSL package that may impact upon the protection of these keys.

Successful exploitation of the vulnerability allows a cyber-criminal to access a dynamic portion of the remote system’s memory. The data contained within the memory space will vary depending on the server’s function and role, but as many connections can be established, large portions of memory can be retrieved. Another risk that has been reported is that the actual cryptographic keys used to encrypt the communications may be compromised, allowing an attacker to decrypt current and possibly past communications. This would also potentially permit them to impersonate a site.

As exploitation requires no authentication and leaves no reliable indicator of compromise, the most effective response is to implement remediation measures as soon as reasonably possible.


Who is affected

Several versions of OpenSSL released in late 2011 and later have been identified as vulnerable to the heartbleed attack. OpenSSL versions 1.0.1 through to and including 1.0.1f are vulnerable. OpenSSL versions outside of this range are not vulnerable.

Successful exploitation is also dependent on the protocol being used to encrypt traffic.

If you are utilising one of the vulnerable OpenSSL versions and are allowing TLS v1.2 connections to your web site you are likely vulnerable.


How can you identify if you are vulnerable

  • On Unix/Linux systems the command openssl version -a will show the version being used.
  • Utilise nmap and the ssl-heartbleed.nse script to scan the environment.
  • Use the free SSL Labs online scanner (https://www.ssllabs.com/ssltest/).
  • Additionally, ensure that the ‘Do not show the results on the boards’ checkbox is enabled.
  • Be cautious: not all sites offering free scans for this issue are legitimate.

In addition to checking your web sites, web applications, web services, etc., you will also need to check your commercial products and appliances, as many vendors embed OpenSSL within their code base. For example, Juniper, Cisco, Dell and Symantec all utilise OpenSSL within their product base.
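The version checks in this section and in section 3 of the GHOST advisory above both come down to reading a version string out of command output and testing it against the advisory's range. The Python below, added here as an example and not part of either advisory, does that for `dpkg -s libc6`, `rpm --query --info glibc` and `openssl version -a` output; all sample output is constructed, and the OpenSSL letter-suffix ordering is handled explicitly because plain string comparison gets 1.0.1f versus 1.0.1g wrong.

```python
import re

# Vulnerable ranges as stated in the two advisories (inclusive on both ends).
GLIBC_VULN_RANGE = ((2, 2), (2, 18))       # GHOST: glibc 2.2 .. 2.18
OPENSSL_VULN_RANGE = ("1.0.1", "1.0.1f")   # Heartbleed: OpenSSL 1.0.1 .. 1.0.1f
# Constructed sample command output (not captured from real hosts).
DPKG_OUTPUT = "Package: libc6\nStatus: install ok installed\nVersion: 2.13-38+deb7u7\n"
RPM_OUTPUT = "Name        : glibc\nVersion     : 2.12\nRelease     : 1.149.el6\n"
OPENSSL_OUTPUT = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Jan  8 20:45:51 UTC 2014\n"

def numeric_tuple(text):
    """'2.13-38+deb7u7' -> (2, 13, 38, 7, 7); callers keep only the fields they need."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def glibc_version(pkg_output):
    """Pull the Version field out of `dpkg -s libc6` or `rpm --query --info glibc` output."""
    m = re.search(r"^Version\s*:\s*(\S+)", pkg_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version field in package output")
    return m.group(1)

def glibc_in_vuln_range(version):
    """Advisory rule: upstream glibc 2.2 through 2.18 is assumed vulnerable. Distributions
    backport fixes without changing this number, so True means 'check the package
    release/changelog against the vendor advisory', not 'confirmed vulnerable'."""
    return GLIBC_VULN_RANGE[0] <= numeric_tuple(version)[:2] <= GLIBC_VULN_RANGE[1]

def openssl_version(version_output):
    """Pull e.g. '1.0.1e' out of the first line of `openssl version -a`."""
    m = re.search(r"^OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no OpenSSL version line found")
    return m.group(1)

def openssl_sort_key(version):
    """OpenSSL orders patch releases by a trailing letter: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    return numeric_tuple(m.group(1)), m.group(2)

def openssl_in_vuln_range(version):
    """Advisory rule: OpenSSL 1.0.1 through 1.0.1f; the same backport caveat applies."""
    low, high = (openssl_sort_key(v) for v in OPENSSL_VULN_RANGE)
    return low <= openssl_sort_key(version) <= high

if __name__ == "__main__":
    checks = (("glibc", glibc_version(RPM_OUTPUT), glibc_in_vuln_range),
              ("openssl", openssl_version(OPENSSL_OUTPUT), openssl_in_vuln_range))
    for name, ver, in_range in checks:
        print(f"{name} {ver}: needs review = {in_range(ver)}")
```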

How can you remediate

A risk-based approach should be taken to implementing the following steps:

  1. Identify all services using OpenSSL, and specifically those that are internet facing,
  2. Update vulnerable versions of OpenSSL. If a third party appliance is vulnerable, contact the vendor to obtain a patch or, in the absence of a patch, apply mitigating controls. Disallowing TLS v1.2 can remediate the issue, but will likely require a new certificate.
  3. Once all vulnerable versions of OpenSSL have been remediated, all SSL/TLS keys generated using a vulnerable version of OpenSSL should then be replaced,
  4. Once replaced, old SSL/TLS keys should be revoked,
  5. Update system passphrases (passwords).

How can we help

If required there are several ways in which we can assist. These include:

  1. Identifying vulnerable services
  2. Prioritising patch deployment
  3. Assisting with risk management

Shearwater is dedicated to its customers, and is always happy to provide advice. If any assistance is required please contact us.