The Hurricane Labs Foundry: Volume 2


Welcome back to The Hurricane Labs Foundry! I’m Tony Robinson, one of the senior security operations analysts at Hurricane Labs. The goal of this blog post is to inform viewers like you(™) about new and innovative information security and Splunk technology around the web, hot information security topics, and various in-house projects and observations that our Splunk and SOC analysts have been working on.

Just like last time, this blog post is in digest format, where I’ll give you a brief description of the topic at hand and links to supporting material, as necessary. So without further ado, let's get started!

Apache Struts2 Remote Code Execution Vulnerability discovered in the wild

Recently, members of the Cisco TALOS security team discovered a recent Apache Struts2 remote code execution vulnerability being actively exploited in the wild. It seems that attackers have weaponized a PoC (Proof of Concept) and are actively exploiting the vulnerability to create DDoS (Distributed Denial of Service) bots.

The attack methods observed and described in the Cisco TALOS blog post are very similar to the “Bill Gates”/”ChinaZ” botnet discovered by the security research organization Malware Must Die. There have been several versions and iterations of these botnets, utilizing various methods to spread -- such as brute forcing weak SSH credentials, Shellshock, and a reported Elasticsearch remote code execution vulnerability. Usually, after compromising a target, the actors behind these malicious payloads disable system firewalls and use wget to download and execute a payload on the exploited system.

The obvious recommendation is to patch systems utilizing Apache Struts2 as soon as possible, or to consult your web application vendors to determine if they are utilizing Struts2 and inquire when a patch will be available. In the meantime, there are recommendations to work around the issue on the Struts2 Confluence page describing the vulnerability. There are also IDS rules for both Snort and Suricata to detect these attacks:

Snort SIDs: 41818, 41819

Emerging Threats (ET) SIDs: 2024038, 2024044

Suricata LUA scripting Introduction

Suricata has become more and more feature packed. We utilize it extensively here at Hurricane, and I can’t help but lean toward it heavily the more I use it. Most of the IDS/IPS features I would recommend for companies to improve their network visibility are all in one place. Suricata can parse Snort rules, passively collect DNS records and HTTP headers, collect SSL certificate information, carve executable files off the wire, and collect network flow data. In addition to all that, Suricata boasts a LUA interpreter that can be used to analyze packet data on the fly.

My team lead recently made me aware of a blog post by NVISO Labs. This post is an introduction to utilizing the Suricata LUA scripting engine to detect PDFs with obfuscated JavaScript tags in the file, a method that is used to hide malicious JavaScript in a PDF and allow the PDF to bypass most network inspection tools.

This blog post goes through how to write a LUA script to analyze a downloaded PDF for obfuscated JavaScript tags, but it also shows you how to write an efficient Suricata rule that will not call the LUA script to scan a downloaded file unless it can first be confirmed as a PDF. This matters because invoking the LUA engine is CPU intensive, so it should only run on the traffic that actually needs it.
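To make the gating concrete, here is an added example of that rule-plus-script pattern (my own illustration, not the NVISO Labs code): the rule only hands an HTTP response body to the script when the body starts with the PDF magic bytes, and the script then looks for a PDF name object that decodes to /JavaScript only after its #xx hex escapes are resolved. The script file name and the rule's sid are placeholders, and the script assumes "obfuscated" means #xx escapes in the name.

```lua
-- Constructed Suricata rule that gates the script (lives in a .rules file).
-- file_data + content:"%PDF-" at depth 5 means Suricata only spins up the
-- Lua engine for response bodies that already look like a PDF:
--
-- alert http any any -> any any (msg:"PDF carrying hex-escaped /JavaScript name"; \
--   flow:established,to_client; file_data; content:"%PDF-"; depth:5; \
--   lua:pdf_obf_js.lua; classtype:policy-violation; sid:9000001; rev:1;)
--
-- Everything below is pdf_obf_js.lua (hypothetical file name).

-- init() tells Suricata which buffer to hand to match().
function init(args)
    local needs = {}
    needs["http.response_body"] = tostring(true)
    return needs
end

-- PDF name objects may spell any byte as #xx, so /J#61vaScript and
-- /JavaScript are the same name. Decode the escapes before comparing.
local function decode_name(name)
    return (name:gsub("#(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end))
end

-- True only when a name decodes to /javascript AND used at least one
-- #xx escape. A plain /JavaScript is cheap to catch with an ordinary
-- content: match, so this script flags the evasion, not all JS.
function has_obfuscated_js(body)
    for name in body:gmatch("/[%w#%.%-_%+]+") do
        if name:find("#", 1, true)
           and decode_name(name):lower() == "/javascript" then
            return true
        end
    end
    return false
end

-- match() runs once per response body the rule let through;
-- returning 1 fires the alert, 0 stays quiet.
function match(args)
    local body = tostring(args["http.response_body"])
    if has_obfuscated_js(body) then
        return 1
    end
    return 0
end
```

Suricata must be built with Lua support for the lua keyword to load, and the script path is resolved relative to the rule file unless an absolute path is given.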

This blog post is supposed to be part one of a two part series, with the second to be released at a later date.

Vault 7

WikiLeaks has released a set of sensitive documents from what looks to be an internal document management system. The data leak, dubbed “Vault 7”, contains a collection of the CIA’s exploits, implants, and tradecraft for the CNA/CNE (Computer Network Attack/Computer Network Exploitation) portions of their operations.

Among the documents released so far (which WikiLeaks states are only a small portion of the full collection) are tools for turning smart TVs into listening devices, a UEFI implant for persisting on Mac OSX targets, several exploits for various smart phones (Google and Apple both state that many, if not all, of the exploits in the leaks have been fixed), as well as collections of CIA software and hardware-based implants.

US Air Force Data Leak

An unsecured backup drive has resulted in the exposure of thousands of US Air Force documents, including personnel files that expose private information and the clearances held by thousands of officers.

This isn’t the first time that public-facing backups have resulted in data leaks. For instance, Europol accidentally leaked several dozen terrorism probes through an employee’s personal NAS device that was somehow left exposed. More recently, a massive spam campaign by a group known as River City Media leaked 1.4 billion records due to an exposed backup.

Some time ago on my personal blog I wrote about how NAS devices often ship with insecure defaults, and due to how plug and play most NAS (Network Attached Storage) devices are, most never think to update these devices, or reconfigure them from the default settings. This results in exposed data being indexed for anyone with a web browser and a SHODAN account to find. Recently, Western Digital also announced several serious problems with their MyCloud NAS line.

If you have a NAS, or other network exposed backup system, be sure to verify that authentication is enabled, default credentials have been changed (if possible), and that the latest firmware has been applied to your product at the very least. If at all possible, avoid exposing your NAS and/or backup solutions to the internet due to a lack of effective security in most of these products.

Buscador, the OSINT (Open-Source INTelligence) Distribution has been released

Last year I did a conference talk on utilizing open data sources to help with the threat intelligence and malware hunting that most threat hunters and Security Operations Centers are required to do on a daily basis. If you’re interested in the talk (and me making a fool of myself on stage), you can watch it here, while the slide deck and the resources/bookmarks gathered can be found here.

It's no secret that I love OSINT and utilizing the data that others make freely available. Information sharing is a huge tenet of threat intelligence and makes our job much easier as information security analysts and researchers. Enter Buscador. Buscador is a virtual machine distribution that hosts a slew of pre-loaded tools for performing intelligence gathering from sources all over the web.


Keep an eye out for the third edition of The Hurricane Labs Foundry. Follow us on Twitter @hurricanelabs for updates!