The Hurricane Labs Foundry: Volume 10 - The Reboot Edition

The goal of this blog is to inform viewers like you(™) about new and innovative information security and Splunk technology around the web, hot information security topics, and various in-house projects and observations that our Splunk and SOC analysts have been working on.

Intro

Welcome back to the Hurricane Labs Foundry. It's been a little while since I’ve posted one of these, so let’s recap what The Foundry is all about.

The goal of this publication is to serve as a sort of newsletter containing information about the latest cybersecurity trends and news that you may want to be aware of. These could be threat intel reports, high-profile vulnerabilities, newly released tools and resources, information regarding the latest Splunk and/or information security trends, news on the latest security breaches to be aware of, along with a host of other subjects.

Threat Intel

70+ different types of home routers (100,000+ in total) are being hijacked by GhostDNS

GhostDNS is a massive campaign targeting SOHO routers belonging to users located in Brazil. While malware that overrides the DNS settings of infected systems isn’t exactly new, this campaign exploited a wide variety of SOHO devices in a variety of different ways, with tooling written in shell script, Python, JavaScript, and everything in between.

Once compromised, the default DNS configuration of these devices was modified to point at an “upstream” DNS server under attacker control. When users behind a compromised router requested specific websites (primarily Brazilian banking websites), the attacker-controlled DNS servers redirected them to phishing websites that harvested credentials in order to commit bank fraud.

IOCs for this campaign (phishing web servers, rogue DNS servers, the web admin server, and the DNSChanger scanner servers) are available courtesy of Netlab 360.

Vulnerabilities

CVE-2018-8453 - Windows local privilege escalation in win32k.sys

Researchers at Kaspersky Lab discovered a new local privilege escalation “in the wild” (that is, being actively exploited) that is being used as part of a highly targeted malware campaign against users in the Middle East.

This vulnerability in the win32k.sys kernel component affects many different versions of Windows, up to and including some of the latest Windows 10 releases. A patch was made available on 10/9/18. Details can be found here.

CVE-2018-10933 - Authentication bypass in libssh versions 0.6 and above

It was recently discovered that there is a vulnerability in libssh, versions 0.6 and above, that allows attackers to bypass authentication on systems that use libssh for SSH server functionality.

The details of the vulnerability are almost trivial. SSH2_MSG_USERAUTH_SUCCESS is the message a server sends to a client once authentication has completed, but a vulnerable libssh server also accepted it from the client. All the attacker has to do as part of the SSH connection is send an SSH2_MSG_USERAUTH_SUCCESS message to the server, which bypasses authentication entirely and grants access to the remote system. This is the equivalent of saying, “I’m definitely the user that I say I am and totally don’t need to give you a password,” and the server responding, “this is fine.”
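To make that state-machine mistake concrete, here is an added toy model in C of a server-side userauth dispatcher, the flawed version beside a hardened one. It is example code, not libssh’s own source: the two message numbers are the real values from RFC 4252, while the session struct, dispatcher functions and credential check are constructed for illustration.

```c
/* Illustrative model of the CVE-2018-10933 server-side flaw. This is added
 * example code, not libssh's source: the two message numbers are the real
 * userauth codes from RFC 4252, everything else here is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SSH2_MSG_USERAUTH_REQUEST 50   /* only ever client -> server */
#define SSH2_MSG_USERAUTH_SUCCESS 52   /* only ever server -> client */

typedef struct {
    bool authenticated;  /* server believes the peer has logged in */
    bool disconnected;   /* server tore the connection down */
} server_session;

/* Constructed credential check standing in for a real password backend. */
static bool credentials_ok(const char *user, const char *password) {
    return strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0;
}

/* Vulnerable dispatcher: one handler table covers every userauth message, so
 * the server-to-client SUCCESS message is honoured when a client sends it. */
void vulnerable_dispatch(server_session *s, uint8_t type,
                         const char *user, const char *password) {
    switch (type) {
    case SSH2_MSG_USERAUTH_REQUEST:
        s->authenticated = credentials_ok(user, password);
        break;
    case SSH2_MSG_USERAUTH_SUCCESS:  /* bug: the peer is declaring itself logged in */
        s->authenticated = true;
        break;
    default:
        break;
    }
}

/* Hardened dispatcher: while unauthenticated, the server accepts only the
 * client-to-server request; any other message is a protocol violation. */
void hardened_dispatch(server_session *s, uint8_t type,
                       const char *user, const char *password) {
    if (s->disconnected) return;
    if (type == SSH2_MSG_USERAUTH_REQUEST) {
        s->authenticated = credentials_ok(user, password);
        return;
    }
    /* SUCCESS (or anything unexpected) from the client: refuse and drop the session. */
    s->authenticated = false;
    s->disconnected = true;
}
```

The defensive lesson is direction checking: a message type that only ever flows server-to-client should never be dispatched to a handler on the server side at all.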

Users should not confuse this with a vulnerability in libssh2 or the popular OpenSSH project, which are separate codebases. It has been suggested that the biggest user of libssh is GitHub, and they have gone on record stating that they are not vulnerable because of how their implementation uses libssh. Additionally, out of an abundance of caution, GitHub has stated that it applied the patch as soon as it was made available alongside the advisory on 10/16.

It is believed that, aside from GitHub, the most prominent use of libssh is likely to be in embedded and/or IoT devices. This presents a significant problem, as most IoT and embedded devices aren’t particularly well cared for, or updated when new security patches are made available.

In fact, in most cases, patching security vulnerabilities is left to the manufacturer, and often requires a full firmware update to be made available. Not only that, most of these devices have no option to update automatically, leaving it as an exercise for the user to update their devices. If the GhostDNS story above isn’t indicator enough of this problem, then the Mirai botnet is another perfect example of why IoT devices being deployed with default settings is a significant issue.

As of 10/17/18, Shodan.io (often referred to as “Google for hackers”) lists over 3,000 devices running some version of libssh. Upon further examination, over 600 of these devices appear to be tied to Verizon Wireless, most likely mobile hotspots, which further drives home the point that this has the potential to severely impact IoT and embedded devices.

Tools and Tradecraft

Metasploit antivirus evasion modules

It's no secret that the Metasploit framework is a pentester favorite for quick and easy access to exploits and payloads for penetration testing. Recently, Rapid7 has begun developing evasion modules for the Metasploit framework, which means antivirus evasion is now built directly into the framework.

In the past, integrated antivirus evasion has been fairly limited, taking the form of MSFvenom, which is more or less a tool for generating custom shellcode: either to exploit vulnerabilities that don’t allow certain characters or symbols, or to “randomize” the shellcode against anti-exploit tools so that what it actually does is harder to discern. There have been a few open-source projects outside of the framework to assist penetration testers with antivirus evasion, the most notable of which are the Veil-Framework and Shellter.

If you’d like to read up about the new evasion category, and the first module, evasion for Windows Defender, go check out the research paper here [PDF].

Information Security trends

Derbycon 2018

Derbycon has taken place again in Louisville, Kentucky, for the eighth year in a row. Once again, Adrian “Irongeek” Crenshaw has recorded the vast majority of the talks at the conference and posted them to several video streaming services.

Splunk .Conf 2018

Splunk’s .conf conference has come and gone, having been hosted this year in Orlando, Florida. Members of the Hurricane Labs team were on-site to keep up to date with the latest Splunk trends, as well as to compete in the “Boss of the NOC” competition.

CSO Online has written a post detailing their takeaways from the conference this year. If you’re interested in watching some of the videos from this year’s .conf event, as well as recordings from previous years, you can do so here.

Data Breaches

Google Plus shutting down after API bug exposes details on 500,000 users

Google Plus, the social network Google attempted to launch as a rival to Facebook, will be shutting down. The supposed reason for the shutdown is a bug in the platform that exposed the information of users on the platform.

This bug had been present since 2015 and was only discovered in March of 2018. Google knew about the issue for six months and chose not to disclose any information regarding it. This caused some security researchers to call out Google for hypocrisy: Project Zero holds vendors to a strict 90-day disclosure timeline, yet Google took double that amount of time to disclose this problem.

While this event isn’t a direct threat to most organizations (including our customers), there are INDIRECT consequences that you and your employees should be made aware of.

While we do not have any evidence that credentials have been leaked as a result of this issue, whenever a breach makes credentials (hashed or unhashed passwords, email addresses and/or usernames) publicly available, password reuse becomes a concern, as does employees using company email addresses to register for various services. For that reason, I would recommend instructing employees NOT to register their company email addresses with non-work-related internet services, including but not limited to social media accounts. Additionally, you may want to have a discussion about the risks of password reuse.

Until Next Time

Keep an eye out for the eleventh edition of The Hurricane Labs Foundry. In the meantime, follow us on Twitter @hurricanelabs for updates!


