Monthly Archives: January 2018

“LEBANON IS BEHIND DATA-STEALING SPYWARE“ – EFF UNCOVERED

A security bug that has infected thousands of smartphones has been uncovered by campaign group the Electronic Frontier Foundation (EFF).

Working with mobile security firm Lookout, researchers discovered that malware in fake messaging designed to look like WhatsApp and Signal had stolen gigabytes of data.

Huge Botnet Attacking Italian Companies

On January 18 a colleague of mine (Luca) called me telling a malicious email was targeting Italian companies. This is the beginning of our new analysis adventure that Luca and I run together.

The email pretended to be sent by "Ministero dell' Economia e delle Finanze" the Italian Department of Treasury  and it had a smart subjects such as:
    • Codici Tributo Acconti
    • F24 Acconti-Codice Tributo 4034
The attacker knows very well the Italian Fiscal Year since those modules are very popular from company administration employees at that time. The attacker would probably exploit this attack path reaching out as many companies as possible. The email address was not coming from the "Ministero dell' economia e delle Finanze" at all, it was coming from the following addresses:
    • info@amber-kate.com
    • info@fallriverproductions.com
The email looks like :

Malicious eMail

A simple link pointing to a high reputation domain was popping out the default browser and downloading the following Javascript file. The high level of obfuscation and the way the content was provided was so suspicious to be worth to follow the analysis.

Infection: Stage 1 Obfuscated

After a deobfuscation phase the javascript looked much more easy te be read from a human side.

Infection: Stage 1 Clear Text
A romantic "drop and execute" section was happening. A GET connection to 239outdoors.com/themes5.php was dropping a file named 1t.exe and later on the same script was able to execute the dropped file.  The file 1t.exe was running on the victim machine contacting the Command and Control waiting for further commands.

The new sample looks like GootKit, a weaponized version of Banker Malware.  The malware installs itself and contacts Command and Control asking "what to do" and sending the "stolen credentials" directly to the Command and Control server. Details on IPs, Persistencies and so on, is provided in the IoC section, but todays we wont describe GootKit, we got access to the Dropping site !  

We want to figure out if we might help victims to deactivate the malicious botnet by providing as much as possible details without focusing on reverse the Malware per se since appears to be known. 

By getting further analyzing the dropping web site we immediately understood that the same URL was dropping another threat. The parallel threat the dropping website was spreading to the world was called "Nuovo Documento 2008" and it was a .bat file as follows.

New Threat Stage 1

That executable .bat file on a first stage opens up a browser pointing to a legitimate image but later on it uses an notorious technique called "certutil for delivery of file" to drop and execute an another file. This technique is well described here  by carnal0wnage. Basically the attacker uses the certutil.exe program do download a Base64 encoded payload, to decoded it and to run it. This technique is very silent since the User-Agent of certutils.exe is not suspicious because it needs to connect outside the company networks to check certificates, so not much IPS rules on it. The dropped file name unslss.exe appears to be very close to the previous analyzed one (1t.exe) it contacts the same C&C and it behaves in the similar way.   But again we wont focus on reverse such a malware but rather we wont be able to reach the highest number of IoC to protect as much as possible the victims. By analyzing the Dropping website we founded that a significative number of connections had additional referrers, so we decided to focus our attention on how many DNS were pointing to such a domain. We did it and the result was quite impressive (please see the Dropping URLS IoC Section). 

Following the research on the dropping website we found an interesting log within all the connection coming from possible victims. We collected that log, and we built the following possible infection list (possible Victims). We wont publish the Victims IP addresses but if you can prove you are legitimated by your company to ask that logs we can give you (for free, of course)  the IP addresses we've found related to your company. Please contact cert@yoroi.company. A detailed list of possible infected networks follows. 

Possible Victims:









  • ACI informatica s.p.a.

    • AGOS-AS
    • AGSM Verona Spa
    • ASGARR Consortium GARR
    • Acantho S.p.a
    • Alfanews S.r.l.
    • Ambrogio s.r.l.
    • Asco TLC S.p.A.
    • Autostrade-as
    • BT Italia
    • BT Italia S.p.A.
    • Banca Monte Dei Paschi Di Siena S.P.A.
    • Brennercom S.p.A.
    • COLT Technology Services Group Limited
    • Camera dei deputati
    • Cesena Net srl
    • Clouditalia Telecomunicazioni S.p.A.
    • Comune Di Brescia
    • Comune di Bologna
    • Consortium GARR
    • Consorzio per il Sistema Informativo
    • Costacrociere-as
    • Duebite-as
    • E4A s.r.l.
    • Energente S.r.l.
    • FASTNET SpA
    • FASTWEB SPA
    • FINECO Banca del Gruppo Unicredit
    • Fastweb
    • Forcepoint Cloud Ltd
    • GenyCommunications
    • Global Com Basilicata s.r.l.
    • H3G Italy
    • Hynet S.R.L.
    • IBSNAZ
    • ICT Valle Umbra s.r.l.
    • InAsset S.r.l.
    • InfoCamere SCpA
    • Infracom Italia S.p.A.
    • Inrete s.r.l
    • Insiel- Informatica per il sistema degli enti loca
    • Integrys.it di Stefania Peragna impresa individual
    • Intred S.p.A.
    • KPNQWest Italia S.p.a.
    • LEPIDA
    • Lepida S.p.A.
    • Liguria Digitale S.C.p.A.
    • Linea Com S R L
    • Linkem spa
    • Lombardia Informatica S.p.A.
    • Mandarin S.p.A.
    • Mc-link SpA
    • Metrolink S.R.L.
    • Ministero dell'Interno
    • Mnet srl
    • NGI SpA
    • Nemo S.r.l.
    • Nordcom S.p.a.
    • Officine Informatiche Srl
    • Progetto Evo S.r.l.
    • Provincia di Reggio nell'Emilia
    • Qcom spa
    • Raiffeisen OnLine GmbH
    • Regione Basilicata
    • Regione Toscana
    • Regione Veneto
    • STI ADSL
    • Sardegnait-as
    • Societa' Gestione Servizi Bp S.p.A.
    • TELEX S.r.l.
    • TWT S.p.A.
    • Telecom Italia
    • Terra S.p.a.
    • Time-net S.r.l.
    • Tiscali SpA
    • Trenitalia SpA
    • Trentino Network S.r.l.
    • Universita' degli Studi di Milano
    • Venis S.p.A.
    • Videotime SPA
    • Vodafone Group Services GmbH
    • Vodafone Italia DSL
    • Vodafone Omnitel B.V.
    • Vodafone Omnitel N.v.
    • WIIT S.p.A.
    • Welcome Italia S.p.A
    • Wind Telecomunicazioni
    • Wind Telecomunicazioni SpA
    Following the found IoC provided by the long "analysis journey". I managed this analysis over the night, so I am sure there would be some imprecisions, but I preferred to speed up the entire analysis process to give the opportunity to block such infamous threat as soon as possible.

    Hope it helps the community.

    Original Early Warning (Italian): Yoroi Early Warning



    IoC:

    • eMail:
      • info@amber-kate.com
      • info@fallriverproductions.com
    • Dropping URLS:
      • 185.61.152.71
      • 239outdoors.com
      • bentlabel.com
      • cdvdautomator.com
      • cloudblueprintprogram.com
      • cnchalftone.com
      • comedyyall.com
      • conticellolaw.com
      • couplesdoingbusiness.com
      • dvoper.com
      • equinnex.com
      • ericandchrissy.com
      • evelynleekley.com
      • expungementstennessee.com
      • flaveme.com
      • grkisland.com
      • healingfoodconsulting.com
      • hertzsynergy.com
      • hollywoodisruption.com
      • home-sphere.com
      • integrativenutritiontherapy.com
      • jdkanyuk.com
      • kineloveclips.com
      • kylesinger.com
      • legionchristmas.com
      • menshoesonlinestore.com
      • microtiasurgery.com
      • movielotbar.com
      • muiienweg.com
      • niarhoslondon.com
      • opsantorinitours.com
      • progunjobs.com
      • rocketpak.com
      • scottishwindowsolutions.com
      • silkygames.com
      • snapshotsandwhatnots.com
      • snotterkind.com
      • solespin.com
      • strangerthanchristmas.com
      • synchronr.com
      • taramadden.com
      • terento.website
      • theargumint.com
      • thegildedwren.com
      • thejourneytogodsheart.com
      • thesaltybody.com
      • topsantorinitours.com
      • tuftandneedles.com
      • videospanishlessons.com
      • vovachka.com
      • wall-runners.com
      • war-arena.com
      • www.scottishwindowsolutions.com
      • z1logistics.com
      • zayantetinyhomes.com
      • zefeed.com
    • Command and Controls
      • 185.44.105.97 
      • ns15.dreamsinthesun.com
      • bdi2.nomadicdecorator.com
      • elis.k9redemptionrescue.com
      • api.hailstorm360.com
      • cerera.survivalbid.com
      • mark.k9redemptionrescue.org
      • nsc.dayswithsunrays.com
      • at.moonbeammagic.com
      • ssl.vci-cfo.com
      • sip3.propertiesandprojects.com
      • host1.jodiray.com
      • note.lawrencechoy.com
      • note.lawrencechoy.com:80
      • 185.44.105.97:80/200
      • note.lawrencechoy.com:80
    • Hashes
      • 63d6927881d4978da4e162c17d82e9c009d0a93e
      • 7ea33f51b6c4aa54beee7fd878886339c22d2232
      • 8cae0dc9255978a35cfd8db64cbe80001400de9b
      • 839ff9f4c3980ac67d4cbef296520ee364a0911f
      • 8cae0dc9255978a35cfd8db64cbe80001400de9b



    UPDATE 1:

    Many AV and NGFirewall Companies contacted me and they updated "signatures", so probably on from now everybody having such a products should be protected.

    UPDATE 2:

    Victims are still growing UP !

  •  Asco TLC S.p.A.
  •  ASGARR Consortium GARR
  •  Bancalombarda
  •  B.B.Bell SPA
  •  Brennercom S.p.A.
  •  BrianTel SRL
  •  Consiglio Nazionale delle Ricerche
  •  Elsynet S.r.l.
  •  Fastcon-as
  •  Informatica System S.r.l.
  •  Inrete s.r.l
  •  IPERV Internet Per Il Veneto
  •  I.S.I.D.E. S.p.A.
  •  Mc-link SpA
  •  Nemo S.r.l.
  •  NTRNET SRL
  •  Regione Autonoma Friuli Venezia Giulia
  •  Tiscali SpA
  •  UmbriaNet
  •  Universita' degli Studi di Palermo
  •  AGOS-AS
  •  Comune di Bologna
  •  ENEA - Agenzia nazionale per le nuove tecnologie
  •  Intred S.p.A.
  •  Iren Energia S.p.a
  •  Linkem spa
  •  NGI SpA
  •  Phoenix Informatica Bancaria S.p.A.
  •  Telemar s.p.a.
  •  TWT S.p.A.
  •  Wiplanet.it
  •  COLT Technology Services Group Limited
  •  Consortium GARR
  •  H3G Italy
  •  Banca Monte Dei Paschi Di Siena S.P.A.
  •  BT Italia S.p.A.
  •  Infracom Italia S.p.A.
  •  KPNQWest Italia S.p.a.
  •  Vodafone Omnitel B.V.
  •  Liguria Digitale S.C.p.A.
  •  Regione Toscana
  •  Welcome Italia S.p.A
  •  Wind Telecomunicazioni
  •  Lepida S.p.A.
  •  Vodafone Italia DSL
  •  Fastweb
  •  Telecom Italia



  • APPLE YAKIRI KUATHIRIWA NA “MELTDOWN” PAMOJA NA “SPECTRE”

    Ugunduzi wa mapungufu makubwa mawili yaliyopewa jina la “Meltdown na Spectre” yaliyoathiri Kifaa cha Kopyuta kinachojulikana kwa jina la“Chip”  ambapo athari zake ni kupelekea wizi wa taarifa kwa watumiaji mtandao umeendelea kuchukua sura mpya baada ya kampuni ya Apple kukiri kua bidhaa zake ikiwemo Komputa za Mac, iPhone na iPads kuathiriwa pia.

    Hadi wakati huu ma bilioni ya kompyuta, Simu za mkononi “smartphones” na Tabiti “Tablets” zimeathirika na mapungufu haya ambapo kuna hatari ya taarifa za mabilioni ya watu kuweza kuishia mikononi mwa wahalifu mtandao endapo hatua stahiki kutochukuliwa kwa wakati.



    Tayari hatua mbali mbali zimeweza kuchukuliwa kuzuia maafa makubwa kujitokeza kutokana na mapungufu yaliyo gunduliwa ikiwa ni pamoja na kusambaza viraka “Patches” ili kuziba mianya ya mapungufu yaliyo gundulika.


    Aidha, Elimu ya uelewa imeendelea kutolewa kwa watumiaji wa mwisho (End user) katika mataifa mbali mbali ili kuweza kuchukua hatua za kusahihisha mapungufu hayo katika vifaa vilivyo athiriwa.

    Itakumbukwa – Mwaka Jana Kulikua na ugunduzi wa mapungufu yaliyo athiri program za Microsoft na baadae watumiaji wakashindwa kusahihisha mapungufu hayo kama yalivyokua yamesahihishwa na Microsoft, tukio ambalo lilisababisha uhalifu mkubwa wa kimtandao aina ya “WanaCry” ambapo mataifa Zaidi ya miamoja hamsini yaliathiriwa na mabilioni ya fedha kuingia katika mikono ya wahalifu mtandao.

    Kwa kuzingatia hilo, wakati huu imeonekana ni muhimu kuziba mianya hii ambayo tayari imegundulika mapema ili kuepusha wizi mkubwa wa taarifa za watu unaoweza kutokea endapo hili halitochukuliwa hatua stahiki.

    Makampuni mbali mbali tayari yamechkua hatua za kusambaza viraka matandao “Patches” na kuwataka watumiaji kufanyia kazi hatua hizi zilizo chukuliwa.

    Kumekua na malalamishi kwa baadhi ya watumiaji mtandao ambapo wamedai baada ya kutatua mapungufu yaliyogundulika yamepelekea komputa kupunguza uwezo wake wa kufanya kazi – Kampuni ya Apple imewathibitishia watumiaji wake kua tatizo hili halitojitokeza kwemye bidhaa zake.

    Mapungufu yaliyo gundulika bado hayajasababisha madhara kwa tumiaji – Ingawa Hofu kubwa ni kwamba wahalifu mtandao wanaweza kutumia mwanya wa mapungufu haya kusababisha madhara makubwa siku za usoni endapo hayata fanyiwa kazi mapema.


    Angalizo kuu lililotolewa kwa wanaokimbilia kuziba mwanya huu kuhakiki wanakua makini kwani pamegundulika uwepo wa wahalifu mtandao wanao sambaza viraka mtandao “Patches” ambazo sio sahihi na zina mlengo wa kudhuru watumiaji.

    Katika hatua nyingine kampuni ya Apple imesisitiza kua mapungufu yaliyo gundulika hayadhuru saa zake maarufu kama “Apple watch” na pia kueleza kua Hadi sasa Kiraka mtandao “Patches” kwa ajili ya Meltdown pekee ndio kimetolewa na baadae watakapo kua tayari watatoa nyingine kwa ajili ya Spectre.


    Makampuni mengine ikiwemo Microsoft tayari yamesha toa viraka mtandao “Patches” ikiwa ni hatua ya kukabiliana na changamoto hii ya kimtandao.

    2017 – The Year The World Realized the Value of Active Directory Security

    Folks,

    As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

    This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


    I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



    Active Directory Security Goes Mainstream Cyber Security

    Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -


    1. Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

    2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?"  From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

    3. On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

    4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

    5. On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access. 

    6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

    7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

    8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

    9. On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

    10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9  above, lies in Active Directory Effective Permissions and Active Directory Effective Access.





    Helping Defend Microsoft's Global Customer Base
    ( i.e. 85% of  Organizations Worldwide )

    Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


    ...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.

    This year, I ( / we) ...

    1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

    2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

    3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

    4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

    5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

    6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

    7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

    8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

    9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

    10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


    In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





    Summary

    All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)

    In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.


    Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

    Best wishes,
    Sanjay.

    PS: Why I do, What I Do.