Monthly Archives: December 2015

Hack Naked TV: December 10, 2015

The lost episode! YouTube flagged this video as inappropriate, removed the video, and put our YouTube channel in bad standing. Now you can view the video for yourself, and see just how "bad" the content is to cause YouTube to flag us YET AGAIN for so-called "inappropriate" content. YET AGAIN, we have filed an appeal and are waiting to get our YouTube channel back in good standing. In the meantime, many features of our YouTube channel have been disabled, including the ability to upload videos longer than 15 minutes. This really puts a cramp in our style, and is an example of just how bad a job YouTube is doing policing videos and channels.

dnscat2 0.05: with tunnels!

Greetings, and I hope you're all having a great holiday!

My Christmas present to you, the community, is dnscat2 version 0.05!

Some of you will remember that I recently gave a talk at the SANS Hackfest Summit. At the talk, I mentioned some ideas for future plans. That's when Ed jumped on the stage and took a survey: which feature did the audience want most?

The winner? Tunneling TCP via a dnscat. So now you have it! Tunneling: Phase 1. :)

Info and downloads.

High-level

There isn't a ton to say about this feature, so this post won't be particularly long. I'll give a quick overview of how it works, how to use it, go into some quick implementation details, and, finally, talk about my future plans.

On a high level, this works exactly like ssh with the -L argument: when you set up a port forward in a dnscat2 session, the dnscat2 server will listen on a specified port. Say, port 2222. When a connection arrives on that port, the connection will be sent - via the dnscat2 session and out the dnscat2 client - to a specified server.

That's pretty much all there is to it. The user chooses which ports to listen on, and which server/port to connect to, and all connections are forwarded via the tunnel.

Let's look at how to use it!

Usage

Tunneling must be used within a dnscat2 session. So first you need one of those, no special options required:

(server)

# ruby ./dnscat2.rb
New window created: 0

[...]

dnscat2>
(client)

$ ./dnscat --dns="server=localhost,port=53"
Creating DNS driver:
 domain = (null)
 host   = 0.0.0.0
 port   = 53
 type   = TXT,CNAME,MX
 server = localhost

Encrypted session established! For added security, please verify the server also displays this string:

Encode Surfs Taking Spiced Finer Sonny

Session established!

We, of course, take the opportunity to validate the six words - "Encode Surfs Taking Spiced Finer Sonny" - to make sure nobody is performing a man-in-the-middle attack against us (considering this is directly to localhost, it's probably okay :) ).

Once you have a session set up, you want to tell the session to listen with the listen command:

New window created: 1
Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
For added security, please ensure the client displays the same string:

>> Encode Surfs Taking Spiced Finer Sonny

dnscat2> session -i 1
[...]
dnscat2> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80

Now the dnscat2 server is listening on port 8080. It'll continue listening on that port until the session closes.

The dnscat2 client, however, has no idea what's happening yet! The client doesn't know what's happening until it's actually told to connect to something with a TUNNEL_CONNECT message (which will be discussed later).

Now we can connect to the server on port 8080 and request a page:

$ echo -ne 'HEAD / HTTP/1.0\r\n\r\n' | nc -vv localhost 8080
localhost [127.0.0.1] 8080 (http-alt) open
HTTP/1.0 200 OK
Date: Thu, 24 Dec 2015 16:28:27 GMT
Expires: -1
Cache-Control: private, max-age=0
[...]

On the server, we see the request going out:

command (ankh) 1> listen 8080 www.google.com:80
Listening on 0.0.0.0:8080, sending connections to www.google.com:80
command (ankh) 1>
Connection from 127.0.0.1:60480; forwarding to www.google.com:80...
[Tunnel 0] connection successful!
[Tunnel 0] closed by the other side: Server closed the connection!
Connection from 123.151.42.61:48904; forwarding to www.google.com:80...

And you also see very similar messages on the client:

Got a command: TUNNEL_CONNECT [request] :: request_id 0x0001 :: host www.google.com :: port 80
[[ WARNING ]] :: [Tunnel 0] connecting to www.google.com:80...
[[ WARNING ]] :: [Tunnel 0] connected to www.google.com:80!
[[ WARNING ]] :: [Tunnel 0] connection to www.google.com:80 closed by the server!

That's pretty much all you need to know! One more quick example:

To forward a ssh connection to an internal machine:

command (ankh) 1> listen 127.0.0.1:2222 192.168.1.100:22

Followed by ssh -p2222 root@localhost. That'll connect to 192.168.1.100 on port 22, via the dnscat client!

Stopping a session

I frequently used auto-commands while testing this feature:

ruby ./dnscat2.rb --dnsport=53531 --security=open --auto-attach --auto-command="listen 2222 www.javaop.com:22;listen 1234 www.google.ca:1234;listen 4444 localhost:5555" --packet-trace

The problem is that I'd connect with a client, hard-kill it with ctrl-c (so it doesn't tell the server it's gone), then start another one. When the second client connects, the server won't be able to listen anymore:

Listening on 0.0.0.0:4444, sending connections to localhost:5555
Sorry, that address:port is already in use: Address already in use - bind(2)

If you kill a session from the root window with the 'kill'
command, it will free the socket. You can get a list of which
sockets are being used with the 'tunnels' command!

I realize this is super awkward.. don't worry, it'll get
better next version! Stay tuned!

If you know which session is the problem, it's pretty easy: just kill it from the main window (Window 0; press ctrl-z to get there):

dnscat2> kill 1
Session 1 has been sent the kill signal!
Session 1 killed: No reason given

If you don't know which session it is, you have to go into each session and run tunnels to figure out which one is holding the port open:

dnscat2> session -i 1
[...]
command (ankh) 1> tunnels
Tunnel listening on 0.0.0.0:2222
Tunnel listening on 0.0.0.0:1234
Tunnel listening on 0.0.0.0:4444

Once that's done, you can either use the 'shutdown' command (if the session is still active) or go back to the main window and use the kill command.

I realize that's super awkward, and I have a plan to fix it. It's going to require some refactoring, though, and it won't be ready for a few more days. And I really wanted to get this release out before Christmas!

Implementation details

As usual, the implementation is documented in detail in the protocol.md and command_protocol.md docs.

Basically, I extended the "command protocol", which is the protocol that's used for commands like upload, download, ping, shell, exec, etc.

Traditionally, the command protocol was purely the server making a request and the client responding to the request. For example, "download /etc/passwd" "okay, here it is". However, the tunnel protocol works a bit differently, because either side can send a request.

Unfortunately, the client sending a request to the server, while it was something I'd planned and written code for, had a fatal flaw: there was no way to identify a request as a request, and therefore when the client sent a request to the server it had to rely on some rickety logic to determine if it was a request or not. As a result, I made a tough call: I broke compatibility by adding a one-bit "is a response?" field to the start of request_id - responses now have the left-most bit set of the request_id.

At any time - presumably when a connection comes in, but we'll see what the future holds! - the server can send a TUNNEL_CONNECT request to the client, which contains a hostname and port number. That tells the client to make a connection to that host:port, which it attempts to do. If the connection is successful, the client responds with a TUNNEL_CONNECT response, which simply contains the tunnel_id.

From then on, data can be sent in either direction using TUNNEL_DATA requests. This is the first time the client has been able to send a request to the server, and is also the first time a message was defined that doesn't have a response: neither side should (or can) respond to a TUNNEL_DATA message. That's fine, because we have guaranteed delivery from the lower-level protocols.

When either side decides to terminate the connection, it sends a TUNNEL_CLOSE request, which contains a tunnel_id and a reason string.

One final implementation detail: tunnel_ids are local to a session.
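The three messages above and the "is a response?" bit, framed as code. This is an added example, not dnscat2's own code: the one-bit response flag at the top of request_id follows the post, but the 16-bit width, the command numbers (0x1000 to 0x1002) and the payload layouts are assumptions made here for illustration; the authoritative layout is in dnscat2's command_protocol.md.

```python
"""Added example, not dnscat2's own code: framing for the three tunnel messages
the post describes. The one-bit "is a response?" flag at the top of request_id
follows the post; the 16-bit width, the command numbers and the payload layouts
are ASSUMED here (the real layout is in dnscat2's command_protocol.md)."""
import struct

TUNNEL_CONNECT, TUNNEL_DATA, TUNNEL_CLOSE = 0x1000, 0x1001, 0x1002  # assumed ids
RESPONSE_BIT = 0x8000  # assumed: request_id is 16 bits, left-most bit marks a response


def _ntstring(s):
    return s.encode() + b"\x00"


def _read_ntstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode(), end + 1


def encode(request_id, command, body, *, is_response):
    """Frame a message: packed_id (response bit | request_id), command id, body."""
    if not 0 <= request_id < RESPONSE_BIT:
        raise ValueError("request_id must fit in 15 bits")
    packed = request_id | (RESPONSE_BIT if is_response else 0)
    return struct.pack(">HH", packed, command) + body


def decode(msg):
    """Parse a message. Whether it is a request or a response is read off the
    header instead of being inferred from context."""
    packed, command = struct.unpack(">HH", msg[:4])
    body = msg[4:]
    out = {"is_response": bool(packed & RESPONSE_BIT),
           "request_id": packed & (RESPONSE_BIT - 1), "command": command}
    if command == TUNNEL_CONNECT and not out["is_response"]:
        host, off = _read_ntstring(body, 0)
        out.update(host=host, port=struct.unpack(">H", body[off:off + 2])[0])
    elif command in (TUNNEL_CONNECT, TUNNEL_DATA, TUNNEL_CLOSE):
        out["tunnel_id"] = struct.unpack(">I", body[:4])[0]
        if command == TUNNEL_DATA:
            out["data"] = body[4:]
        elif command == TUNNEL_CLOSE:
            out["reason"] = _read_ntstring(body, 4)[0]
    return out


def tunnel_connect_request(request_id, host, port):  # server -> client
    return encode(request_id, TUNNEL_CONNECT, _ntstring(host) + struct.pack(">H", port), is_response=False)


def tunnel_connect_response(request_id, tunnel_id):  # client -> server
    return encode(request_id, TUNNEL_CONNECT, struct.pack(">I", tunnel_id), is_response=True)


def tunnel_data(request_id, tunnel_id, data):  # either direction, never answered
    return encode(request_id, TUNNEL_DATA, struct.pack(">I", tunnel_id) + data, is_response=False)


def tunnel_close(request_id, tunnel_id, reason):  # either direction
    return encode(request_id, TUNNEL_CLOSE, struct.pack(">I", tunnel_id) + _ntstring(reason), is_response=False)


class TunnelTable:
    """tunnel_ids are local to a session, so the server keys on (session, tunnel)."""

    def __init__(self):
        self._open = {}

    def open(self, session_id, tunnel_id, host, port):
        key = (session_id, tunnel_id)
        if key in self._open:
            raise KeyError(f"tunnel {tunnel_id} already open in session {session_id}")
        self._open[key] = (host, port)

    def close(self, session_id, tunnel_id):
        return self._open.pop((session_id, tunnel_id))

    def __len__(self):
        return len(self._open)


def simulate_exchange():
    """The post's exchange, both directions, decoded as the peer would see it."""
    wire = [
        tunnel_connect_request(1, "www.google.com", 80),     # server asks client to connect
        tunnel_connect_response(1, 0),                        # client answers: tunnel_id 0
        tunnel_data(2, 0, b"HEAD / HTTP/1.0\r\n\r\n"),        # server -> client, no response
        tunnel_data(7, 0, b"HTTP/1.0 200 OK\r\n"),            # client -> server, no response
        tunnel_close(8, 0, "Server closed the connection!"),  # client -> server
    ]
    msgs = [decode(m) for m in wire]
    table = TunnelTable()
    table.open(1, msgs[1]["tunnel_id"], msgs[0]["host"], msgs[0]["port"])
    table.open(2, 0, "192.168.1.100", 22)  # same tunnel_id in another session: no clash
    table.close(1, msgs[4]["tunnel_id"])
    return msgs, len(table)
```

The point of the header bit is visible in `decode`: a receiver classifies every message from its first two bytes, so a client-originated request and a server-originated response with the same request_id can never be confused, which is the ambiguity the pre-0.05 "rickety logic" had to guess at. `TunnelTable` shows the other detail from the post, that tunnel_id 0 in session 1 and tunnel_id 0 in session 2 are different tunnels.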

Future plans

As I said at the start, I've implemented ssh -L. My next plans are to implement ssh -D (easysauce!) and ssh -R (hardersauce!). I also have some other fun ideas on what I can do with the tunnel protocol, so stay tuned for that. :)

The tricky part about ssh -R is keeping it secure. The client shouldn't be able to arbitrarily forward connections via the server - the server should be able to handle malicious clients securely, at least by default. Therefore, it's going to require some extra planning and architecting!

Conclusion

And yeah, that's pretty much it! As always, if you like this blog or the work I'm doing on dnscat2, you can support me on Patreon! Seriously, I have no ads or monetization on my site, and I spend more money on hosting password lists than I make off it, so if you wanna be awesome and help out, I really, really appreciate it! :)

And as always, I'm happy to answer questions or take feature requests! You're welcome to email me, reply to this blog, or file an issue on Github!

California Attorney General Announces $25 Million Settlement with Comcast

On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.

In its complaint, the California Attorney General alleged that Comcast disposed of “customer records without shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means” in violation of California Civil Code 1798.81 (the “Civil Code”). When disposing of customer records, the Civil Code requires businesses to take “all reasonable steps” to securely dispose of those records containing personal information. The complaint also contained numerous causes of action related to Comcast’s alleged improper disposal of hazardous materials in violation of environmental, health and safety statutes.

In addition to the monetary penalty, the settlement requires Comcast to:

  • Take all reasonable steps to securely delete or destroy customer records containing personal information, before disposing of such records.
  • Prohibit the disclosure of customer records containing personal information to third parties, except in accordance with applicable law.
  • Document the company’s procedures for disposing of customer records containing personal information and provide relevant employees with readily available electronic access to such documents.
  • Post signage regarding the company’s procedures for disposing of customer records in relevant facilities in which the records are handled.
  • Provide employees with at least one written and one verbal communication annually that addresses (1) the company’s procedures for disposing of customer records, (2) information regarding identity theft, including its potential impact on customers, and (3) information regarding relevant California laws about the disposal of customer records.
  • Provide training to relevant employees about the company’s procedures for disposing of customer records.
  • Designate an employee to serve as the “Customer Records Privacy Officer.”
  • Make available its customer records disposal procedures to the Attorney General.
  • Retain an independent third party auditor to perform three audits over the next five years assessing Comcast’s compliance with its obligations under the settlement related to its disposal of customer records containing personal information.

In the press release announcing the settlement, California Attorney General Kamala D. Harris said, “Comcast’s careless and unlawful hazardous waste disposal practices jeopardized the health and environmental well-being of California communities and exposed their customers to the threat of identity theft.”

Read the settlement with Comcast.

FTC Settles with Oracle over Charges of Software Security Misrepresentations

On December 21, 2015, the Federal Trade Commission announced software company Oracle Corporation (“Oracle”) has agreed to settle FTC charges that accused the company of misrepresenting the security of its software updates. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company had deceived consumers about the security provided by updates to the Java Platform, Standard Edition software (“Java SE”).

Java SE is a version of the Java computing platform commonly installed on personal computers to enable consumers to run various types of Java-compatible applications on their computers. In its complaint, the FTC alleged that the process for updating Java SE made it likely that consumers unknowingly would have older, insecure versions of Java SE remaining on their computers, despite the company’s representations to consumers that installing the update would be “safe and secure” and provide “the latest…security improvements.” In light of this representation, the FTC believed that Oracle misrepresented the security of its update process by failing to adequately disclose that older and less secure versions of the software could remain on the consumer’s computer. As a result, the FTC charged Oracle with engaging in a deceptive act or practice in violation of Section 5 of the FTC Act. According to Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, “[w]hen a company’s software is on hundreds of millions of computers, it is vital that its statements are true and its security updates actually provide security for the software.”

The proposed Consent Order will prohibit Oracle from misrepresenting the privacy and security of its consumer-facing software, and require Oracle to inform consumers how to uninstall older iterations of such software. In addition, the Consent Order will require Oracle to clearly and conspicuously disclose to consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of keeping the older software on the device and provide instructions on how to uninstall it. The Consent Order also will require that Oracle provide consumers with several forms of notice about the settlement and how consumers can remove older versions of the software. Under the Consent Order, Oracle must post the notice on its website and via social media (i.e., on Twitter and Facebook), and also must request that third party software developers publish the notice in their security bulletins.

SANS Hackfest writeup: Hackers of Gravity

A few weeks ago, SANS hosted a private event at the Smithsonian's Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called "Hackers of Gravity" to work on while we were there!

We worked in small teams (I teamed up with Eric, who's also writing this blog with me). All they told us in advance was to bring a phone, so every part of this was solved with our phones and Google.

Each level began with an image, typically with a cipher embedded in it. After decoding the cipher, the solution and the image itself were used together to track down a related artifact.

This is a writeup of that scavenger hunt. :)

Challenge 1: Hacker of Tenacity

The order of the challenges was actually randomized, so this may not be the order that anybody else had (homework: there are 5040 possible orderings of challenges, and about 100 people attending; what are the odds that two people had the same order? The birthday paradox applies).

The first challenge was simply text:

Sometimes tenacity is enough to get through a difficult challenge. This Hacker of Gravity never gave up and even purposefully created discomfort to survive their challenge against gravity. Do you possess the tenacity to break this message? 

T05ZR1M0VEpPUlBXNlpTN081VVdHMjNGT0pQWEdaTEJPUlpRPT09PQ==

Based on the character set, we immediately recognized it as Base64. We found an online decoder and it decoded to:

ONYGS4TJORPW6ZS7O5UWG23FOJPXGZLBORZQ====

We recognized that as Base32 - Base64 will never have four "====" signs at the end, and Base32 typically only contains uppercase characters and numbers. (Quick plug: I'm currently working on Base32 support for dnscat2, which is another reason I quickly recognized it!)

Anyway, the Base32 version decoded to spirit_of_wicker_seats, and Eric recognized "Spirit" as a possible clue and searched for "Spirit of St Louis Wicker Seats", which revealed the following quote from the Wikipedia article on the Spirit of St. Louis: "The stiff wicker seat in the cockpit was also purposely uncomfortable".

The Spirit of St. Louis was one of the first planes we spotted, so we scanned the QR code and found the solution: lots_of_fuel_tanks!

Challenge 2: Hacker of Navigation

We actually got stuck on the second challenge for a while, but eventually we got an idea of how these challenges tend to work, after which we came back to it.

We were given a fragment of a letter:

The museum archives have located part of a letter in an old storage locker from some previously lost collection. They'd REALLY like your help finding the author.

You'll note at the bottom-left corner it implies that "A = 50 degrees". We didn't notice that initially. :)

What we did notice was that the degrees were all a) multiples of 10, and b) below 260. That led us to believe that they were numbered letters, times ten (so A = 10, B = 20, C = 30, etc).

The numbers were: 100 50 80 90 80 100 50 230 120 130 190 180 130 230 240 50.

Dividing by 10 gives 10 5 8 9 8 10 5 23 12 13 19 18 13 23 24 5.

Converting that to the corresponding letters gave us JEHIH JEWLMSRMWXE. Clearly not an English sentence, but it looks like a cryptogram (JEHIH looks like "THERE" or "WHERE").

That's when we noticed the "A = 50" in the corner, and realized that things were probably shifted by 5. Instead of manually converting it, we found a shift cipher bruteforcer that we could use. The result was: FADED FASHIONISTA

Searching for "Faded Fashionista Air and Space" led us to this Smithsonian Article: Amelia Earhart, Fashionista. Neither of us knew where her exhibit was, but eventually we tracked it down on the map and walked around it until we found her Lockheed Vega. The QR code scanned to amelias_vega.

Challenge 3: Hacker of Speed

This was an image of some folks ready to board a plane or something:

This super top secret photo has been censored. The security guys looked at this SO fast, maybe they missed something?

Because of the hint, we started looking for mistakes in the censoring and noticed that they're wearing boots that say "X-15":

We found pictures of the X-15 page on the museum's Web site and remembered seeing the plane on the 2nd floor. We reached the artifact and determined that the QR code read faster_than_superman.

Once we got to the artifact, we noticed that we hadn't broken the code yet. Looking carefully at the image, we saw the text at the bottom, nbdi_tjy_qpjou_tfwfo_uxp.

As an avid cryptogrammer, I recognized tfwfo as likely being "never". Since 'e' is one character before 'f', it seemed likely that it was a single shift ('b'->'a', 'c'->'b', etc). I mentally shifted the first couple letters of the sentence, and it looked right, so I did the entire string while Eric wrote it down: mach_six_point_seven_two.

The funny thing is, the word was "seven", not "never", but the "e"s still matched!
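The manual steps of Challenges 2 and 3 as code. This is an added example and not part of the writeup: numbers counted in multiples of ten become letters, the "A = 50" note in the corner becomes an alphabet offset (which amounts to shifting each letter back four places), and a Caesar shift is applied with a known key or brute-forced over all 26 keys for eyeballing, as the online tool did for us. `LETTER_NUMBERS` is transcribed from the challenge text above.

```python
"""Added example (not from the writeup): Challenges 2 and 3 as code. Numbers
counted in multiples of ten become letters, the "A = 50" note becomes an
alphabet offset, and a Caesar shift can be applied with a known key or
brute-forced across all 26 keys for eyeballing."""
import string

ALPHA = string.ascii_uppercase


def numbers_to_letters(nums, step=10, a_value=None):
    """Map numbers to letters when the alphabet is counted in steps of `step`.
    By default A = step (10, 20, 30 ...); with a_value=50 the alphabet starts
    at 50 instead, which is the same as decoding with A = 10 and then shifting
    every letter back four places."""
    a_value = step if a_value is None else a_value
    letters = []
    for n in nums:
        idx, rem = divmod(n - a_value, step)
        if rem or not 0 <= idx < 26:
            raise ValueError(f"{n} is not a letter when A = {a_value}")
        letters.append(ALPHA[idx])
    return "".join(letters)


def caesar(text, shift):
    """Shift letters by `shift` places (negative = backwards), keeping case;
    underscores and other non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(cipher):
    """All 26 candidates, keyed by the shift that was applied to the plaintext
    (so the candidate for key k is caesar(cipher, -k)); pick the readable one."""
    return {k: caesar(cipher, -k) for k in range(26)}


# The letter's numbers from Challenge 2, transcribed from the writeup.
LETTER_NUMBERS = [100, 50, 80, 90, 80, 100, 50, 230, 120, 130, 190, 180, 130, 230, 240, 50]
```

With the default A = 10 the numbers give JEHIHJEWLMSRMWXE, with `a_value=50` they give FADEDFASHIONISTA directly, and `brute_force("nbdi_tjy_qpjou_tfwfo_uxp")[1]` is the Challenge 3 answer, since that string was shifted forward by one.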

Challenge 4: Hacker of Design

While researching some physics based penetration testing, you find this interesting diagram. You feel like you've seen this device before... maybe somewhere or on something in the Air and Space museum?

The diagram reminded Eric of an engine he had seen on an earlier visit, so we found the artifact on the other side of the museum:

Unfortunately there was no QR code so we decided to work on decoding the challenge to discover the location of the artifact.

Now that we'd seen the hint on Challenge 2, we were more prepared for a diagram to help us! In this case, it was a drawing of an atom and the number "10". We concluded that the numbers probably referred to atomic numbers of elements on the periodic table, and converted them as such:

10=>Ne
74=>W
... and so on.

After decoding the full string, we ended up with:

new_plan_schwalbe

We actually made a mistake in decoding the string, but managed to find it anyways thanks to search autocorrect. :)
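The atomic-number code of Challenge 4 in both directions, as an added example that is not part of the writeup. Decoding is a table lookup; encoding is the more interesting direction, a backtracking split of a word into one- and two-letter element symbols (the "plan" in new_plan_schwalbe, for instance, has to be P, La, N because there is no "Pl"). Only elements 1 to 86 are tabled, and the full list of numbers from the challenge image is not in the writeup, so the sample numbers below are our own reconstruction from the decoded string.

```python
"""Added example (not from the writeup): the atomic-number code of Challenge 4 in
both directions. Decoding is a lookup; encoding is a backtracking split of a word
into one- and two-letter element symbols. Elements 1-86 are tabled; the sample
numbers used in the test are reconstructed from the decoded string."""
import re

SYMBOLS = ("H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni Cu Zn "
           "Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I Xe Cs Ba La "
           "Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt Au Hg Tl Pb Bi Po "
           "At Rn").split()
ATOMIC_NUMBER = {sym.lower(): i + 1 for i, sym in enumerate(SYMBOLS)}


def from_atomic_numbers(nums):
    """10 => Ne, 74 => W, ... joined and lower-cased."""
    return "".join(SYMBOLS[n - 1].lower() for n in nums)


def spell_with_elements(word):
    """Split `word` into element symbols, trying two-letter symbols first;
    returns the symbols, or None if the word cannot be spelled at all."""
    word = word.lower()
    memo = {}

    def go(i):
        if i == len(word):
            return []
        if i in memo:
            return memo[i]
        for length in (2, 1):
            piece = word[i:i + length]
            if piece in ATOMIC_NUMBER:
                rest = go(i + length)
                if rest is not None:
                    memo[i] = [piece] + rest
                    return memo[i]
        memo[i] = None  # no split works from this position
        return None

    return go(0)


def to_atomic_numbers(word):
    syms = spell_with_elements(word)
    return None if syms is None else [ATOMIC_NUMBER[s] for s in syms]


def encode_phrase(phrase):
    """Encode each underscore-separated word; None marks an unspellable word."""
    return [to_atomic_numbers(w) for w in re.split(r"[^a-z]+", phrase.lower()) if w]
```

Note that the encoder's answer is not unique: "schwalbe" can start with Sc or with S, C, and the two-letter-first search returns the former; decoding either list gives the same word back.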

After searching for "schwalbe air and space", we found this article, which led us to the artifact: the Messerschmitt Me 262 A-1a Schwalbe (Swallow). The QR code scanned revealed the_swallow.

Challenge 5: Hacker of Distance

While at the bar, listening to some Dual Core, planning your next conference-fest with some fellow hackers, you find this interesting napkin. Your mind begins to wander. Why doesn't Dual Core have a GOLDEN RECORD?! Also, is this napkin trying to tell you something in a around-about way?

The hidden text on this one was obvious… morse code! Typing the code into a phone (not fun!), we ended up with .- -.. .- ... - .-. .- .--. . .-. .- ... .--. . .-. .-, which translates to ADASTRAPERASPERA

According to Google, that slogan is used by a thousand different organizations, none of which seemed to be space or air related. However, searching for "Golden Record Air and Space" returned several results for the Voyager space probe. We looked at our map and scurried to the exhibit on the other side of the museum:

Once we made it to the exhibit, finding the QR code was easy; scanning it revealed the_princess_is_in_another_castle. The decoy flag!

We tried searching keywords from the napkin but none of the results seemed promising. After a few frustrating minutes we saw the museum banquet director and asked him for help. He told us that the plane we were looking for was close to the start of the challenge, so we made a dash for the first floor and found the correct Voyager exhibit:

Scanning the QR code revealed the code, missing_canards.

Challenge 6: Hacker of Guidance

The sixth challenge gave us a map with some information:

You have intercepted this map that appears to target something. The allies would really like to know the location of the target. Also, they'd like to know what on Earth is at that location.

We immediately noticed the hex-encoded numbers on the left:

35342e3133383835322c
31332e373637373235

Which translates to 54.138852,13.767725. We googled the coordinates, and it turned out to be a location in Germany: Flughafenring, 17449 Peenemünde, Germany.
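Challenges 1, 5 and 6 were all "recognise the encoding from its alphabet, then decode": Base64 wrapped around Base32, Morse, and hex. The following is an added example, not part of the writeup, that does that recognition the way we did it by eye (Base32 is upper-case plus the digits 2-7 and may end in more than two "=", which Base64 never does) and peels layers until the result no longer looks encoded. The heuristics are ours, not the puzzle's, and like any alphabet test they can be fooled (an all-digit Base32 string would be taken for hex).

```python
"""Added example (not from the writeup): a layered decoder that recognises the
encodings met in Challenges 1, 5 and 6 (Base64, Base32, hex, Morse) from their
alphabets, peels them one layer at a time, and stops when the result no longer
looks encoded. The heuristics are ours, not the puzzle's."""
import base64
import re

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}


def classify(s):
    """Guess the encoding from the alphabet alone (a heuristic: an all-digit
    Base32 string, for instance, would be taken for hex)."""
    t = s.strip()
    if re.fullmatch(r"[.\-]+(?: [.\-]+)*", t):
        return "morse"
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", t):
        return "hex"
    # Base32: upper-case letters plus digits 2-7, and unlike Base64 it may end
    # in more than two '=' (the "====" tell from Challenge 1).
    if re.fullmatch(r"[A-Z2-7]+={0,6}", t) and len(t) % 8 == 0:
        return "base32"
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t) and len(t) % 4 == 0:
        return "base64"
    return "text"


DECODERS = {"base64": base64.b64decode, "base32": base64.b32decode,
            "hex": bytes.fromhex}


def peel(s, max_layers=5):
    """Decode layer after layer; returns (layers removed, final text)."""
    layers = []
    cur = s.strip()
    for _ in range(max_layers):
        kind = classify(cur)
        if kind == "text":
            break
        if kind == "morse":
            # Morse yields plain letters, so it is always the last layer.
            layers.append(kind)
            cur = "".join(MORSE.get(tok, "?") for tok in cur.split())
            break
        raw = DECODERS[kind](cur)
        try:
            out = raw.decode("ascii")
        except UnicodeDecodeError:
            break  # binary result: the guess was wrong, keep the previous text
        if not out.isprintable():
            break
        layers.append(kind)
        cur = out
    return layers, cur
```

Run on the Challenge 1 string, `peel` reports two layers, base64 then base32, and returns spirit_of_wicker_seats; the two hex lines above decode to the coordinates, and the napkin's Morse decodes to ADASTRAPERASPERA.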

After many failed searches we tried "Peenemünde ww2 air and space", which led to a reference to the German V2 Rocket. Here is the exhibit and QR code:

Scanning the QR code revealed aggregat_4, the formal name for the V-2 rocket.

Challenge 7: Hacker of Coding

This is an image with a cipher on the right:

Your primary computer's 0.043MHz CPU is currently maxed out with other more important tasks, so converting all these books of source code to assembly is entirely up to you.

On the chalkboard is a cipher:

We couldn't remember what it was called, and ended up searching for "line dot cipher", which immediately identified it as a pigpen cipher. The pigpen cipher can be decoded with this graphic:

Essentially, you find the shape containing the letter that corresponds to the shape in that graphic. So, the first letter is ">" on the chalkboard, which maps to 'T'. The second is the upper three quarters of a square, which matches up with 'H', and the third is a square, which matches to E. And so on.

Initially we found a version that didn't map to the proper English characters, and translated it to:

Later, we did it right and found the text "THE BEST SHIP TO COME DOWN THE LINE"

To find the artifact, we googled "0.043MHz", and immediately discovered it was "Apollo 11".

The QR code scanned to the_eleventh_apollo

And that's it!

And that's the end of the cipher portion of the challenge! We were first place by only a few minutes. :)

The last part of the challenge involved throwing wood airplanes. Because our plane didn't go backwards, it wasn't the worst, but it's nothing to write home about!

But in the end, it was a really cool way to see a bunch of artifacts and also break some codes!

Germany Adopts Law to Enable Class Actions for Data Protection Violations

On December 17, 2015, the German Federal Diet (Bundestag) adopted a draft law introducing class action-like claims that will enable consumer protection associations to sue companies for violations of German data protection law.

The law amends Germany’s Act on Actions for Injunctions to allow consumer protection associations to bring lawsuits against companies for improper use of consumer data in violation of German data protection law. At this time, only affected individuals, German criminal prosecutors and data protection authorities have legal standing to sue businesses for breaches of data protection law.

The law will enable consumer protection associations to allege claims for violations of the German rules governing the processing of consumers’ personal data for the purposes of (1) advertising, market and opinion research; (2) operation of a credit agency; (3) creation of personality or usage profiles; (4) address or other data trading; and (5) comparable commercial purposes. Such comparable commercial purposes, however, do not include the collection, processing or use of consumer personal data exclusively for the establishment, performance or termination of a business relationship with a consumer. As such, the law is designed to mainly address data processing by companies whose business models are based on the commercialization of personal data in both the offline and online contexts.

Importantly, the law prevents consumer protection associations from bringing claims for violations of international data transfer rules against companies relying on the invalidated Safe Harbor agreement until the end of the day of September 30, 2016 to the extent the transfer of data was based on the Safe Harbor Framework until October 6, 2015.

The draft law still needs to be signed by the president and published in the Federal Law Gazette before becoming law.

FTC Announces Largest Settlement Ever with LifeLock

On December 17, 2015, the Federal Trade Commission announced that LifeLock, Inc. (“LifeLock”) has agreed to pay $100 million to settle contempt charges for deceptive advertising. According to the FTC, “[t]his is the largest monetary award obtained by the Commission in an order enforcement action.” Under the terms of the settlement, $68 million of the settlement amount will be paid to class action consumers who were injured by the identity theft protection company’s violation of a 2010 settlement with the FTC that required LifeLock to protect consumer information. The rest of the money will be used for settlements with state attorneys general, and any remaining money will go to the FTC. The case is Federal Trade Commission v. LifeLock Inc., et al. (2:10-cv-00530), in the U.S. District Court for the District of Arizona.

As part of the 2010 settlement, LifeLock had agreed to strengthen its safeguarding of customer data and refrain from making deceptive claims about its services. On July 21, 2015, the FTC alleged that LifeLock violated its 2010 settlement because it did not properly protect customers’ sensitive personal data and continued to “make deceptive claims about its identity theft protection services.” Specifically, the FTC alleged that LifeLock: (1) failed to establish and maintain a comprehensive information security program to protect its customers’ sensitive personal data; (2) falsely advertised that it protected customers’ sensitive data with the same high-level safeguards as financial institutions; and (3) falsely claimed that it protected customers’ identity at all times by providing alerts “as soon as” it received any indication there was an identity theft problem.

XXX is Angler EK

Snipshot of MonsterAV Affiliate

As I got many questions about an EK named XXX (that is said to be better than Angler ;) ), I decided to share some data here.

XXX Control Panel
Login Page.

XXX is Angler EK (it's the real name of its most documented instance, at least).

Angler EK / XXX  IE sploit only Stats on 2015-07-25
(for some reason Flash Exploits were not activated on that thread)
Note the Chase Logo >> JPMorgan  >>  Cool EK's Exploit Buyer ;)

You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV"" from Paunch's arrest...The end of an Era ! (2013-10-11). This is where I first wrote the name chosen on the defense side for this Exploit Kit. The name was chosen after a logo from the Reveton Affiliate.

Snipshot of "The Transition" after Paunch's Arrest

But Angler was around before the Reveton team started to use it.

Here is one used against Ukrainians that I captured in August 2013:

2013-08-27 - Exploit Kit unknown to me at that time
Ancestor of Angler EK as we know it
[Payload here is most probably Lurk]
This was when the Reveton Team was still on Cool EK. It appears that instance already had fileless capabilities.

A Russian researcher friend connected that instance back to this Securelist post from 2012-03-16: A unique ‘bodiless’ bot attacks news site visitors

So the (c) 2010 at the bottom of the control panel is probably... the real birth year of Angler.

This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopters of CVE-2015-0311 (a Flash 0day from January), before many "standard" instances of Angler. There were still Java exploits inside in March:

2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits
[Payload here is most probably Lurk]

Angler EK has been briefly mentioned (translation here) as part of a "partnerka" by a user using Menatep as a nickname in February 2014.

Conclusion: XXX is what we call Angler EK, and Angler EK (indexm instance) is not that young!

Files: 2 Fiddler passes of Angler EK "indexm" from 2013 and 2015 (Password: malware)

Read More :
Police Locker land on Android Devices - 2014-05-04
Paunch's arrest...The end of an Era ! - 2013-10-11
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurity
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - Securelist

Post publication Reading :
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News [Cf Lurk]
Is it the End of Angler ? - 2016-06-11
How we helped to catch one of the most dangerous gangs of financial cybercriminals - 2016-08-30 - SecureList

FTC Issues COPPA Settlements Against Mobile App Operators

On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.

Defendant LAI Systems, LLC markets child-directed apps such as My Cake Shop, Hair Salon Makeover and Animal Sounds on the Apple App Store. LAI’s apps are free to download and generate revenues through in-app advertising and in-app purchases. Defendant Retro Dreamer markets child-directed apps such as Ice Cream Jump, Sneezies and Tappy Pop. Some of Retro Dreamer’s apps are free to download; others are paid apps. The FTC named Retro Dreamer’s President and Vice-President individually in its civil penalty action.

Both LAI and Retro Dreamer permitted third party ad networks to collect persistent identifiers from users of their apps in order to serve them with behaviorally targeted ads. The FTC’s complaints allege that the defendants failed to inform these ad networks that their apps were directed to children, and failed to instruct or contractually require the ad networks to refrain from targeting their users with interest-based advertising. The complaints further allege that the defendants never provided COPPA-required parental notices or obtained parental consent.

With respect to Retro Dreamer, the FTC’s complaint further alleged that the app developers were aware of COPPA, including the regulatory change that swept persistent identifiers into the COPPA Rule, and had been informed by one ad network that the developers’ apps would be excluded based on their child-directed nature. According to the FTC, the Retro Dreamer defendants continued to permit persistent identifiers used for behavioral advertising to be collected by other ad networks operating in their apps.

The FTC’s settlements include injunctive provisions requiring future compliance with COPPA. In addition, LAI Systems is required to pay $60,000 in civil penalties and the Retro Dreamer defendants must pay $300,000 in penalties.

The EU General Data Protection Regulation

On December 17, 2015, after three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (the “Regulation”), which is backed by the Committee on Civil Liberties, Justice and Home Affairs.

The Regulation replaces Directive 95/46/EC (the “Directive”), which was enacted in 1995, and will significantly change EU data protection laws. Once officially adopted by the European Parliament and the Council of the European Union, it will apply in EU Member States after a period of two years.

The Regulation will significantly affect businesses in all industry sectors. Below is a summary of key changes to the EU data protection landscape under the informal text published on December 17:

Harmonization of Legislations

  • One-Stop-Shop. Where a business is established in more than one EU Member State, the data protection authority (“DPA”) of the main establishment of the business will act as the lead authority for the business’ cross-border processing. In addition, each DPA will have jurisdiction over complaints and possible violations of the Regulation.
  • Reduction of Administrative Burden. National registrations and prior authorization registrations will be abolished by the Regulation. Each controller will have to maintain a record of its data processing activities, however.
  • Legitimate Interest. Under the Regulation, throughout the EU, legitimate interest will become a legal ground for lawful processing and in certain circumstances, for international transfers of personal data.

Wider Scope

  • Territorial Scope. The Regulation will apply to the processing of personal data by controllers or processors established within the EU. The Regulation also will apply to controllers and processors established outside the EU, where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of such individuals’ behavior.
  • Definition of Personal Data. The definition of personal data will cover a wider range of data types, including online identifiers or any factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Increased Obligations

  • Consent. Under the Regulation, consent must be freely given, specific, informed and constitute an unambiguous indication, either by a statement or by a clear affirmative action, of the data subject’s agreement to the processing of his or her personal data.
  • Consent for Children’s Data Processing. Parental consent is required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.
  • Mandatory Data Protection Officer. The designation of a data protection officer (“DPO”) will be compulsory where (1) the processing is carried out by a public authority or body, (2) the core activities of the controller or processor require regular and systematic monitoring of individuals on a large scale, or (3) the core activities of the controller or processor include processing certain types of data on a large scale, including data relating to criminal convictions and offenses. In other situations, a DPO may be appointed by the controller or processor on a voluntary basis, or must be appointed where required by EU Member State law.
  • Privacy Impact Assessments. Controllers will be required to perform a data Privacy Impact Assessment (“PIA”) where the processing of personal data likely involves high risk to the rights and freedoms of individuals. In particular, a PIA will be required for automated data processing activities, including (1) profiling leading to decisions that produce legal effects for the individual, (2) where the processing includes large scale processing of certain types of data, or (3) systematic monitoring of a publicly accessible area on a large scale.
  • Privacy by Design and by Default. Controllers will be required to establish and maintain appropriate technical and organizational measures (e.g., such as pseudonymization) to implement data protection principles in an effective way and to integrate necessary safeguards for data processing. In addition, appropriate technical and organizational measures also must be implemented so that, by default, only data necessary for each specific purpose of processing is collected.
  • Data Breach Notification. In the event of a data breach, controllers must notify the competent DPA without undue delay and, where feasible, no later than 72 hours after being aware of the breach, unless the breach is unlikely to result in risk to individuals’ rights and freedoms. Where the breach likely involves high risks to individuals’ rights and freedoms, controllers also must communicate the breach to the individual without undue delay.
  • More Obligations on Data Processors. The processing of personal data by a processor must be governed by a contract between the processor and the controller. Furthermore, the processor will directly be liable for the security of personal data during its processing activities.
  • Accountability. Controllers must implement “appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.”

Strengthened Individuals’ Rights

  • Information Notices. Controllers must take appropriate measures to provide information regarding the processing of personal data to individuals in a concise, transparent, intelligible and easily accessible form.
  • Right to Object. Where a controller relies on the public interest or legitimate interest as legal basis for the data processing, individuals will be allowed to object to that processing “unless the controller demonstrates compelling legitimate grounds for the processing,” which override the rights of the individual. The individual also will be allowed to object to the processing of his or her personal data for direct marketing purposes, including profiling.
  • Profiling. Individuals will have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them or otherwise significantly affects them. However, profiling will be allowed, if necessary, to enter into a contract between the controller and the data subject, if authorized by the law of a Member State that provides measures to safeguard the data subject’s rights, or when based on the data subject’s explicit consent.
  • Data Portability. The Regulation will allow individuals to receive personal data concerning them in a structured, commonly-used and machine-readable format. Individuals also will be able to request, where technically feasible, that the controller send their personal data to another controller.
  • Right to Erasure. Subject to certain exceptions, individuals will be able to request the erasure of their personal data without undue delay.

Increased Enforcement, Fines and Liability

  • Right to a Remedy. The Regulation grants data subjects the right to seek judicial remedies against DPAs, controllers and processors.
  • Right to Compensation. Individuals will have the right to obtain compensation for damages resulting from violations of the Regulation by a controller or processor.
  • Sanctions for Non-Compliance. Depending on the provision of the Regulation that is violated, companies may be sanctioned with fines of up to €20 million or 4% of annual worldwide turnover.
  • Supervisory Authorities Enforcement Powers. DPAs will be given wide-ranging powers to enforce compliance with the Regulation, ranging from the power to order the controller or processor to comply with a data subject’s request, to the power to impose a ban on data processing.
  • European Data Protection Board (“EDPB”). The Regulation grants the EDPB the authority to issue opinions, adopt binding decisions on the application of the Regulation, and issue guidelines, recommendations and best practices.

Cross-border Data Transfers

  • Data Transfers. Transfers of personal data outside the EU will be allowed where the European Commission has issued an adequacy decision regarding the level of data protection provided in the jurisdiction where the data is transferred. Previous adequacy decisions issued under the Directive will remain in force. In addition, transfers of personal data will be allowed based on legitimate interest if the transfer is not repetitive and concerns only a limited number of individuals.
  • EU Model Clauses. Under the Regulation, no specific authorization from DPAs will be required with respect to EU Model Clauses. In addition, EU Model Clauses approved by the European Commission under the Directive will remain valid under the Regulation.
  • Binding Corporate Rules (“BCRs”). The Regulation officially recognizes BCRs as a valid mechanism to transfer personal data outside the EU.

Next Steps

The informal agreement will be discussed at the Council level, in the Committee of Permanent Representatives on Friday, December 18, 2015. The Regulation still has to be voted on by the European Parliament in plenary during spring 2016, or if no further discussion is required, by early 2016.

See the European Parliament press release.

U.S. Congress Releases Compromise Bill on Cybersecurity Information Sharing

On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the “Act”). 

Notably, the Act:

  • does not contain the Senate’s provision concerning critical infrastructure at greatest risk. The language required government-directed agencies to report to Congress on the status of cyber incident reporting and develop potential cyber mitigation strategies at critical infrastructure at greatest risk. Many industry advocates expressed concern that this language could be the precursor to cybersecurity regulations regarding certain critical infrastructure facilities;
  • adopts the “knows at the time of sharing” standard for removal of personal information from shared cybersecurity information, as opposed to the higher “reasonably believes at the time of sharing” or “removes to the extent possible” standards;
  • directs that cybersecurity information be shared with the Federal government through a Department of Homeland Security (“DHS”) Portal, but allows the President to designate other portals (including, potentially, the Federal Bureau of Investigation) to also receive shared cybersecurity information;
  • provides liability protection for private entities that share cybersecurity information through the DHS portal, as well as through the presidentially-designated portals;
  • exempts shared cybersecurity information from Freedom of Information Act (“FOIA”) disclosure under existing FOIA exemptions; and
  • adopts the Senate’s longer 10-year sunset.

The House is scheduled to vote on the omnibus spending bill on Friday, with the Senate to follow. The Obama Administration has already signaled that it supports the bill.

Update: On December 18, 2015, President Obama signed into law the omnibus spending bill, which includes the Cybersecurity Act of 2015.

HIPAA Settlement Emphasizes Importance of Risk Analyses

On December 14, 2015, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with the University of Washington on behalf of the university’s medical center, medical school and affiliated labs and clinics (collectively, “UW Medical”).

OCR investigated UW Medical after receiving a breach report in November 2013 involving an incident in which almost 100,000 individuals had their protected health information (“PHI”) accessed after an employee downloaded malware. While UW Medical had policies and procedures that required its relevant covered entities to conduct HIPAA Security Rule risk analyses, those entities failed to do so, which led to the lax anti-malware controls that precipitated the incident.

In the resolution agreement, UW Medical agreed to pay a $750,000 settlement to OCR and enter into a Corrective Action Plan that requires UW Medical to:

  • Develop current, comprehensive and thorough risk analyses for relevant UW Medical entities.
  • Provide OCR with a risk management plan to address the risks identified in the analyses.
  • Reorganize its entire HIPAA compliance program.
  • Report any events of noncompliance with its HIPAA policies and procedures.
  • Submit annual compliance reports to OCR for a period of two years.

In the press release accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that covered entities often conduct limited risk analyses and noted that “[a]n effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

This settlement is the latest OCR enforcement action this year that has collectively resulted in over $6 million in fines.

Hack Naked TV – December 4, 2015 – The Banned Episode

The lost episode! YouTube flagged this video as inappropriate, removed the video, and put our YouTube channel in bad standing. Now you can view the video for yourself, and see just how "bad" the content is to cause YouTube to flag us YET AGAIN for so-called "inappropriate" content. YET AGAIN, we have filed an appeal and are waiting to get our YouTube channel back in good standing. In the meantime, many features of our YouTube channel have been disabled, including the ability to upload videos longer than 15 minutes. This really puts a cramp in our style, and is an example of just how bad a job YouTube is doing policing videos and channels.

Deal on EU Data Protection Regulation Imminent

Today, Jan Philip Albrecht, MEP and Vice Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, tweeted the following:

“Yes, reports on white smoke are right but press information only to follow after second part of our work tonight is done, too.”

More information is expected to follow later today or tomorrow.

View the European Parliament’s press release.

CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

One week after the patch, Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446.

Angler EK : 2015-12-14
CVE identification by Anton Ivanov (Kaspersky) and FireEye (thanks!)
Angler EK exploiting Flash 19.0.0.245 via CVE-2015-8446 - 2015-12-14


Sample in that pass: b5920eef8a3e193e0fc492c603a30aaf
Samples from other Angler EK instances: 0615fb9e037b7bf717cc9b04708e51da, 720089b93a0f2bb2a72f1166430de522



Fiddler sent to VT.
(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail, live, yahoo, etc. mailboxes.)

Off topic: in that pass, Bedep BuildID 5004 is loaded in memory and then grabs these 2 DLLs in a stream:
f5c1a676166fe3472e6c993faee42b34
d65f155381d26f8ddfa304c83b1ad95a (credential stealer)
and after that performs ad fraud.


The last version of Flash safe against commercial exploit kits was 19.0.0.226, which fixed CVE-2015-7645.


Post publication readings :
(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

Hack Naked TV: December 2, 2015

Welcome to another episode of Hack Naked TV, recorded December 2nd, 2015. Today Aaron talks about the Dell root certificate fiasco, Hacking Back being reviewed by the government, the LANDesk breach, new tool releases, and more!

For a full list of stories, visit our wiki here.

Wyndham Settles FTC Charges in FTC v. Wyndham

On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.

As we previously reported on June 26, 2012, the FTC announced that it filed suit against Wyndham and three of its subsidiaries, alleging that the company posted misleading representations on Wyndham websites regarding how the company safeguarded customer information. In addition, the FTC alleged that Wyndham unfairly failed to maintain reasonable data security practices, leading to three separate data breaches involving hackers accessing sensitive consumer data. In response, Wyndham challenged the FTC’s authority to bring charges against private companies’ data security, arguing that by adopting targeted security legislation such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, Congress had precluded the FTC’s jurisdiction over data security. Wyndham also argued that before bringing a Section 5 enforcement action, the FTC must publish “rules, regulations, or other guidelines” setting out the acceptable security standards.

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion which allowed the FTC to proceed with its case against the company. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices.

On August 24, 2015, the Third Circuit’s three-judge panel upheld the District Court’s ruling that the unfairness prong of Section 5 of the FTC Act does empower the FTC to bring lawsuits against private companies for insufficient data security practices, and that the FTC is not required to publish rules or regulations regarding what constitutes reasonable security standards.

The December 9, 2015 settlement requires Wyndham, for the next 20 years, to:

  • Establish, implement and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of cardholder data.
  • Annually obtain a written assessment and certification of Wyndham’s hotels’ PCI Data Security Standard (“PCI DSS”) compliance from a qualified and independent third party professional. The assessor also must certify that Wyndham safeguards the network connections between its franchisee hotels and engages in a comprehensive risk assessment as laid out in the PCI DSS Risk Assessment Guidelines. If Wyndham obtains the assessment certifying that it is PCI DSS compliant, Wyndham will not be required to establish the comprehensive information security program mentioned above.
  • Within 180 days following a cardholder data breach involving more than 10,000 unique payment card numbers, obtain a PCI Forensic Investigator Final Incident Report (or the equivalent of such report). The Report must be provided to the FTC within 10 days.

European Negotiators Close Deal on First EU Rules on Cybersecurity

On December 7, 2015, European negotiators reached an agreement on the draft text of the Network and Information Security Directive (the “NIS Directive”), the first pan-EU rules on cybersecurity. The NIS Directive was first proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union and aims to ensure a uniform level of cybersecurity across the EU.

The NIS Directive requires transport and energy companies, as well as online marketplaces, search engines and cloud providers, to provide robust security for their digital infrastructure. In addition, companies in these sectors also will have to report serious breaches to national authorities.

The NIS Directive also aims to foster cooperation among EU Member State authorities by setting up a strategic cooperation group to exchange information and best practices, draw up guidelines, and assist Member States in building cybersecurity capacity. In addition, a network of Computer Security Incident Response Teams will be established and implemented by each Member State to discuss and identify potential coordinated responses to cross-border security incidents.

The Parliament’s Internal Market Committee and the Council of the European Union Committee of Permanent Representatives are expected to approve the agreed text around December 18, 2015. After official publication of the text, EU Member States will have 21 months to transpose the NIS Directive into national law.

Read the Members of the European Parliament press release.

President Signs Law Providing Exception to Annual Privacy Notice Requirement under the Gramm-Leach-Bliley Act

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. The FAST Act, which is aimed at improving the country’s surface transportation infrastructure, contains a provision that modifies the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

Under the current GLBA Privacy Rule, financial institutions must mail an annual privacy notice to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing. The exception in the FAST Act states that a financial institution does not have to provide an annual privacy notice if it (1) only shares NPI with nonaffiliated third-parties in a manner that does not require an opt-out right be provided to customers (e.g., if the institution discloses NPI to a service provider or for fraud detection and prevention purposes) and (2) has not changed its policies and practices with respect to disclosing NPI since it last provided a privacy notice to its customers.

If a financial institution changes its practices and discloses NPI to nonaffiliated third-parties in a manner that requires it to offer an opt-out right to its customers, the financial institution would be required to send the revised privacy notice to its customers. For example, if a financial institution began to disclose NPI to nonaffiliated third-parties so that those parties could market to the financial institution’s customers, it would need to mail the privacy notice to its customers and only share the NPI after those customers have not exercised their rights to opt out of such sharing.

The FAST Act’s GLBA provision is expected to save financial institutions millions of dollars in postage and printing costs, and comes after the Consumer Financial Protection Bureau finalized a rule that enabled certain financial institutions to comply with GLBA notice requirements by publishing their financial privacy notices online instead of mailing them to their customers.

Triple-S Management Corporation Enters into $3.5 Million HIPAA Settlement

On November 30, 2015, the U.S. Department of Health and Human Services (“HHS”) announced that Triple-S Management Corporation (“Triple-S”), an insurance holding company based in San Juan, Puerto Rico, agreed on behalf of certain of its subsidiaries to settle potential violations of the HIPAA Privacy and Security Rules with HHS’s Office for Civil Rights (“OCR”).

The case stems from an OCR investigation into the company’s compliance with HIPAA rules, which was initiated after OCR received multiple notifications from Triple-S regarding breaches of unsecured protected health information (“PHI”). The investigation indicated “widespread non-compliance” throughout Triple-S and its subsidiaries, including (1) failure to implement appropriate administrative, physical and technical safeguards to protect PHI; (2) failure to do a thorough and accurate risk analysis of its IT equipment, applications and data systems utilizing PHI; and (3) impermissible disclosure of PHI to an outside vendor with which it did not have an appropriate business associate agreement.

Under the settlement agreement, Triple-S is required to pay $3.5 million and establish a comprehensive compliance program designed to protect the security, confidentiality and integrity of the personal information it collects from its beneficiaries.

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Unsurprisingly, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same as the one offered as a fake update.

But there was an additional 11 KB payload call for which I could not find a sample on the drive.

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded, with two XOR passes, and the first part of the decoded stream is shellcode.

Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:

According to Kaspersky and Timo Hirvonen (F-Secure), it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability).

I did not get to see the privilege escalation in live conditions.

Note: this is not the first time a public exploit kit has integrated an exploit to escalate the rights of the dropped payload (cf. CVE-2015-2426 in Magnitude).

Files: Fiddler and DLL here (password is malware - XOR keys: 56774347426F664767 then 213404052d09212031)
Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time and using their wizardry on this.
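Decoding such a two-pass XOR stream offline, the way an analyst would before handing the pieces to a sandbox, as an added example that is not the blog's or the exploit kit's code: it uses the two hex keys listed above, assumes each pass is a plain repeating-key XOR applied in the listed order (an assumption the post does not state), and then locates the PE that follows the shellcode prefix. The input stream is constructed here, not the captured payload.

```python
"""
Offline decoding of a payload stream protected by two repeating-key XOR
passes, followed by splitting the result into its shellcode prefix and the
PE that follows it. Added example, not code from the post or the kit.
Assumptions (not stated in the post): each pass is a plain repeating-key
XOR, applied in the order the keys are listed; the sample stream below is
constructed for illustration.
"""
from math import lcm
from typing import Optional, Tuple

# The two keys exactly as listed in the post (first pass, second pass).
KEY_1 = bytes.fromhex("56774347426F664767")
KEY_2 = bytes.fromhex("213404052d09212031")

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

# Constructed placeholder standing in for the shellcode prefix (not real code).
SHELLCODE_STUB = b"<constructed shellcode placeholder>"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated over its length; XOR is its own inverse."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_two_pass(data: bytes) -> bytes:
    """Undo the two passes in the listed order (first key, then second key)."""
    return xor_repeating(xor_repeating(data, KEY_1), KEY_2)


def combine_keys(k1: bytes, k2: bytes) -> bytes:
    """Two repeating-key XOR passes are equivalent to one pass with a key of
    length lcm(len(k1), len(k2)); with two 9-byte keys that is a 9-byte key."""
    n = lcm(len(k1), len(k2))
    return bytes(k1[i % len(k1)] ^ k2[i % len(k2)] for i in range(n))


def find_embedded_pe(buf: bytes) -> Optional[int]:
    """Return the offset of the first 'MZ' whose e_lfanew points at a real
    'PE\\0\\0' signature inside `buf`, or None if there is no such header."""
    pos = buf.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = int.from_bytes(buf[pos + 0x3C:pos + 0x40], "little")
            pe_off = pos + e_lfanew
            if e_lfanew >= 0x40 and buf[pe_off:pe_off + 4] == PE_SIG:
                return pos
        pos = buf.find(MZ, pos + 1)
    return None


def split_stream(decoded: bytes) -> Tuple[bytes, bytes]:
    """Split a decoded stream into (shellcode prefix, embedded PE)."""
    pe_off = find_embedded_pe(decoded)
    if pe_off is None:
        return decoded, b""
    return decoded[:pe_off], decoded[pe_off:]


def build_fake_pe(body: bytes = b"\x00" * 16) -> bytes:
    """Constructed minimal PE-like blob: DOS header with e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + PE_SIG + body


def build_sample_stream() -> Tuple[bytes, bytes]:
    """Return (encoded stream, plaintext) for a constructed shellcode + PE blob.
    Encoding applies the passes in reverse so decode_two_pass() undoes them."""
    plain = SHELLCODE_STUB + build_fake_pe()
    encoded = xor_repeating(xor_repeating(plain, KEY_2), KEY_1)
    return encoded, plain


if __name__ == "__main__":
    enc, plain = build_sample_stream()
    dec = decode_two_pass(enc)
    shellcode, pe = split_stream(dec)
    print("decode ok:", dec == plain)
    print("shellcode bytes:", len(shellcode), "PE bytes:", len(pe))
    print("single-pass equivalent key:", combine_keys(KEY_1, KEY_2).hex())
```

Because the two listed keys are both 9 bytes, the two passes collapse to a single 9-byte XOR key, which is worth knowing when writing a detection or unpacking rule for the stream.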

Read More :
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro