Is the information security industry having a midlife crisis?
The daily announcements about breaches and lost data confirm that criminals are winning the security battle, but how can InfoSec reposition itself in order to win the war? Last month, Tsion Gonen, chief strategy officer at SafeNet spoke at the CIO ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Angler exploit kit (EK) has been evolving quite a bit lately. Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler. After two weeks of vacation, I almost didn't recognize it. This diary provides two traffic examples of Angler EK as we enter July 2015.

Angler EK still pushing a lot of CryptoWall 3.0

Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015 [1], and we've seen a great deal of it since then [2]. The CryptoWall 3.0 sample for today's diary used 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU as a bitcoin address.

Examples

Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day. The people at Emerging Threats do a good job of keeping their Snort-based signatures up-to-date through their ETOpen and Proofpoint ET Pro rulesets. Below is an image of events from the infection traffic I saw using Suricata on

Preliminary malware analysis

Sample of a CryptoWall 3.0 malware payload delivered by Angler EK on 2015-07-01:

Final words

Pcap files of the 2015-07-01 infection traffic are available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[2] https://isc.sans.edu/diary/Increase+in+CryptoWall+30+from+malicious+spam+and+Angler+exploit+kit/19785



On Wednesday, WikiLeaks published two new top-secret National Security Agency briefs that detail American and British espionage conducted against German leaders as they were discussing responses to the Greek economic crisis in 2011.

The organization also published a redacted list of 69 German government telephone numbers that were targeted for snooping. That list includes Oskar Lafontaine, who served as German finance minister from 1998 to 1999, when the German government was still based in Bonn—suggesting that this kind of spying has been going on for over 15 years at least.

As with the recent documents concerning NSA spying against France, WikiLeaks did not explain how it obtained the documents. However, it did share them with Greek, French, and German-language media, which all published them simultaneously on Wednesday evening, Europe time.


 
iTunes 12.2 and QuickTime 7.7.7 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...
 
ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities
 
 
Exploit Code for ipTIME firmwares < 9.58 (root RCE against 127 router models)
 
ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities
 
ESA-2015-112: EMC Isilon OneFS Command Injection Vulnerability
 
FCS Scanner v1.0 & v1.4 - Command Inject Vulnerability
 
Ebay Magento Bug Bounty #14 - Persistent Description Vulnerability
 
Pinterest Bug Bounty #1 - Persistent contact_name Vulnerability
 
Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects
 

Yesterday, Apple released patches for OS X, iOS, Safari, Mac EFI, iTunes and QuickTime (Windows) [1]. Here are some of the highlights:

EFI Update

EFI is the firmware running your Mac. This update will only apply to certain Apple computer models. Two bugs are fixed by this update:

CVE-2015-3692: This issue could allow an attacker to modify the EFI firmware, gaining persistent access to the system. The bug was made public about two months ago; the basic issue was that the firmware is not properly locked as the system returns from sleep [2].

CVE-2015-3693: Researchers at Intel and Carnegie Mellon University originally discovered this issue, and in March, Google's Project Zero released details about a working exploit for the rowhammer vulnerability [3][4]. This problem is not specific to Apple, but affects many systems using modern DRAM memory. In short, by repeatedly writing to some areas of memory, adjacent rows of memory can be affected, allowing an attacker to manipulate code they would not have access to otherwise.

OS X Update

This update affects versions of OS X back to Mountain Lion (10.8). A total of 46 issues are addressed (and even more individual vulnerabilities). Here are just some highlights:

Open Source Software: OS X includes many standard open source software products like Apache and libraries like OpenSSL. These open source products are updated.

SSL: A number of changes were made to SSL. For example, some intermediate certificates issued by CNNIC are no longer trusted. Interestingly, the CNNIC CA itself still seems to be trusted (others, like Google, removed CNNIC entirely). Apple does not provide a list of new certificates added, but just refers to its complete list of trusted certificates [5]. You can still manually distrust the certificate by adjusting the trust in Keychain Access. To respond to the logjam vulnerability, Diffie-Hellman parameters are now restricted to 768 bits or larger (before this, 512 bits was possible). This is in line with what other operating systems have implemented in response. There is a small chance that this will cause problems with connections to legacy servers.
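To illustrate the Diffie-Hellman floor described above, here is an added example (written for this diary, not Apple's or the ISC's own code) that parses the ServerDHParams structure from a TLS 1.2 ServerKeyExchange body and refuses moduli smaller than 768 bits, the way a client applying this policy would. The byte layout (three length-prefixed fields dh_p, dh_g, dh_Ys) follows RFC 5246; the sample moduli are constructed odd numbers of the right size, not real safe primes, used only to exercise the size check.

```python
# Added example (not from the ISC diary): parse the DH parameters from a TLS 1.2
# ServerKeyExchange body and enforce a minimum modulus size, mirroring the
# 768-bit floor the diary says Apple adopted in response to Logjam.
import struct

MIN_DH_BITS = 768  # policy from the diary; 512-bit export groups fall below it


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246 section 7.4.3): three opaque<1..2^16-1>
    fields dh_p, dh_g, dh_Ys, each prefixed with a 2-byte big-endian length.
    Returns (p, g, Ys) as integers plus the number of bytes consumed."""
    offset = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad length {length} for {name}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset


def dh_params_ok(body: bytes, min_bits: int = MIN_DH_BITS):
    """Return (accepted, reason). Rejects moduli below min_bits and a few
    structurally broken parameters a conservative client should refuse."""
    try:
        p, g, ys, _ = parse_server_dh_params(body)
    except ValueError as exc:
        return False, f"malformed ServerDHParams: {exc}"
    if p.bit_length() < min_bits:
        return False, f"dh_p is {p.bit_length()} bits, below the {min_bits}-bit minimum"
    if p % 2 == 0:
        return False, "dh_p is even, so it cannot be prime"
    if not 2 <= g < p - 1:
        return False, "dh_g is outside the range 2..p-2"
    if not 2 <= ys <= p - 2:
        return False, "dh_Ys is outside the range 2..p-2"
    return True, f"dh_p is {p.bit_length()} bits"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams body; used here only to construct test samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample moduli: odd numbers of the stated size, NOT real safe
# primes, used only to exercise the size policy.
EXPORT_512_BIT = encode_server_dh_params((1 << 511) | 1, 2, 12345)
LEGACY_768_BIT = encode_server_dh_params((1 << 767) | 1, 2, 12345)
MODERN_2048_BIT = encode_server_dh_params((1 << 2047) | 1, 2, 12345)

if __name__ == "__main__":
    samples = [("512-bit", EXPORT_512_BIT), ("768-bit", LEGACY_768_BIT),
               ("2048-bit", MODERN_2048_BIT)]
    for label, body in samples:
        accepted, reason = dh_params_ok(body)
        print(f"{label}: {'accept' if accepted else 'reject'} ({reason})")
```

The 768-bit floor is what the diary reports; raising `MIN_DH_BITS` to 1024 or 2048 is the same one-line change, and the range checks on dh_g and dh_Ys are cheap sanity checks that a client should apply regardless of the size policy.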

EFI Related: The issues addressed by the EFI update are also addressed by the OS X update.

Mail: An e-mail message was able to load web pages, which could then be used for various phishing attacks, for example by displaying a popup password dialog that appears to come from Mail.app. This issue was already made public in early June [6].

iOS

Due to the overall similar code base between iOS and OS X, many of the OS X issues apply to iOS as well. For example, the TLS issues, as well as the Mail issue, affect iOS and are patched with this update. One interesting issue that I hadn't heard of before (but not surprising): malicious SIM cards could lead to arbitrary code execution.

Safari

As usual, Safari is made available as its own update. Only 4 different issues here ranging from cross origin issues to remote code execution.

iTunes/ QuickTime

These updates affect Windows (the OS X version is rolled into the OS X patch). There is no official QuickTime version for Windows beyond Windows 7. But if you are using the Windows 7 version on Windows 8/8.1, you will likely still need to update.

[1] https://support.apple.com/en-us/HT201222
[2] https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/
[3] http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf
[4] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
[5] https://support.apple.com/en-us/HT202858
[6] https://github.com/jansoucek/iOS-Mail.app-inject-kit/tree/master

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
