Daily Archives: April 13, 2018

Threat Roundup for April 6 – 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and we will discuss how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Fareit-6500687-1
    A credential and sensitive information harvester. Select information, such as banking credentials or web browser password databases, are queried for on the infected host. Any discovered data is propagated to a comm and control (C2).
  • Win.Dropper.Generickdz-6500702-1
    This cluster focuses on malware that creates a Run key for persistence and uses various Win32 API to perform malicious activities.
  • Win.Dropper.Generic-6502500-0
    This cluster focuses on malware that creates a Run key for persistence with embedded HTML to get the user to download additional files.
  • Win.Dropper.Mikey-6502276-0
    This cluster focuses on malware that creates a service for persistence, and is known for the plugin architecture.
  • Win.Dropper.Neutrinopos-6500704-1
    Neutrino has evolved over time. This variant targets point of sale (PoS) terminals. This family is known for using anti-sandbox techniques to hinder automatic analysis.
  • Win.Dropper.Shipup-6503419-0
    The typical behavior includes modifying the AutoRun feature for certain devices. It gains persistence by creating a scheduled task to conduct its activities.
  • Win.Dropper.Startsurf-6502245-0
    A trojan targeted at collecting personal information, and sometimes labeled as a potentially unwanted application (PUA) in other coverage signatures.
  • Win.Dropper.Upatre-6498441-1
    Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
  • Win.Packed.Tofsee-6504793-0
    A multi-purpose malware that can contain a number of modules to carry out various activities, including installing itself as a service to carry out its spam botnet functionality.



Indicators of Compromise

Registry Keys
  • N/A
  • \BaseNamedObjects\00291FDE1ED259137753E922
IP Addresses
  • 101[.]99[.]75[.]151
Domain Names
  • makewebomb[.]xyz
Files and or directories created
  • N/A
File Hashes
  • b4abd9556f093b7d80bdc755d502917310a807d5ee9d9f9bac19bb0c8d596dbc
  • 1ca88b2c00b625bf596b93abafae873a6aec5bf1afeee1e116dc402cae69f83a
  • 3f2925b26b0f0b0f141346d8a654a74704d9326492537de17518bd6fb11671e8
  • ba0a2f6e001bc9c02ee8c5fbcd6cceaa74ced5ec058dfda71623146f06ff2490
  • f68b0c32da95c0fb06c4cefb992e1a0039afed32f6cfcef083db39a0702a06c7
  • 61ff6f5d48f02c0a5b7a28936f8aa9ebad2344f3552608fae2ce3f14a9bf14d4
  • a7d667e9d67d4b7db00c52572ca1e945b1aba8139dce9c647b8b9bce89ba45e0
  • 6a1a4a21545538c2dd34ba9beec07cbfe17c8ff65a10f1bcdf8598a8f1b58e42
  • 85d0021f75a2d312a27bc1c17702d09520006aff590d439a90d8045d2325a04e
  • 09574981553c2729c9779beee8e6007734f932a155de278eb46d9fc557c39400
  • e981fd64b4c1f1d50cdf3f21d3cd07dfb04dec58c518bee8697a187069997498
  • 7c83266775aceac7e54b9d7db2620245520a52e854a5e61f5c5f2452a60432de
  • 3ed671f4ea7e92ef0e0bf61e7bacc0b7a2a82ccea73a53e7cde66e3497a86520
  • 97702356739358d428d1e7c7ddcc8aa08379562b290edb12348cae2bc0ddbb32
  • 9c6def0cb6963372a10888e6f702d80381559a29db1da32ab149273b3d10ca34
  • df58773cc519e82a8beebeca8035018168cb3cb26aa491aae89c8d68cec835a7
  • 5eb40ac46872c6d26cd7ebdb0938a9375d7cdf28017a5c625d890a7d2ba7852d
  • afcdd2fda5b3c9e78a977df31be307ea7323b746e07e35e4d3c39a3a3f4b4b79
  • a854a9702c14be3508d35873e80577ee9b1296c993ee2a4269c283884775564e
  • 431e6a8252837a5e1c7c98aa9b72c1df4b21e34ae8c7e73882294097f140466e
  • 1d7a1a4181706379a7f80ed926c47cb0ebc7beb953739c9b41cec20093c63914
  • 7b24f0523af239668ee8946c433c53d0c233b0290bbaca405885d39dff86fa1f
  • 444147472ba54f1f58776a84e98152ae28dfbca23602cb440a830fddd4a283cf
  • b33436701b6a54b78141a2812264f4b3ee93ac0a5ae0149e636e7db8c4f38a28
  • e5d34b53cb6e4e111e167cf13b608b87f7ab7d43d7f08f995ae9f2c1139e8f51


Screenshots of Detection



Indicators of Compromise

Registry Keys
    • Value: kdivknmyqwz
    • Value: ProxyServer
    • Value: AutoDetect
    • Value: ProxyOverride
    • Value: ProxyEnable
    • Value: AutoConfigURL
  • N/A
IP Addresses
  • 66[.]171[.]248[.]178
Domain Names
  • gandcrab[.]bit
  • dns1[.]soprodns[.]ru
  • nomoreransom[.]bit
  • nomoreransom[.]coin
  • ipv4bot[.]whatismyipaddress[.]com
Files and or directories created
  • %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.tmp
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\W7RSB4SE.htm
  • %AppData%\Microsoft\zkwnlf.exe
File Hashes
  • 599d9e37c39ec47a50b512e01449a37ff3c3354ed0b9b4de2ca7e8f2d3a33bfa
  • 4d0f0b7c9a3b8694895275fcc45aa1df3e6f2ad0c58563a40ac80776c705f821
  • 0aeb76bb929ea68275b904412054c3b15a73fd6479ee3daecd5ffd4c407eb721
  • c76394aaf293cbf4bf3b9d7a94c251feac11435204664d700bb4bd87da3c1898
  • 66c2586add3eac9184972cfc7a6172532c16dc0d1e1f874e4cd3fa2276657c2a
  • 02cb3c5568577ed9658fcf68b9f776d720e2f7355090b10875f0f9bb2b8ed161
  • 5f7f8a6fd32cf4d91efe01c2f1b7c4fd5f509b504af134a08c6c688ba9597ea6
  • 3c9c3423951655b97251bf5d3d12fe59fcf96d4274c4887b88744438371fe61b
  • 4e496591b9c2c9722c07746edfc7892b178b8965bb4c452322caab68b2d5f262
  • 2eed2f22d055d605a8387d35610e4e82815eb29b7212de12088202efa54d3c31
  • 0073f6d57c2e4ca1871dc1a5e270160e734b2d79bd9b7b55b82a8ddc53aaac0f
  • c21fdd9a5d244aed75890c59094789c2f46815983084f4bc5966ae28630908a8
  • 98f7b5afa98edbfcb4a6f502d9d29e6bb0912a6bcb7a14abe3a9a60e0487b201
  • c7e92cc3f88c7180e2774f2641c593ebebedee3424314fdd8fa8365f6cd0000a
  • 1937b1e07be1737d79a3a4b1ea9c5ab0a56f1c3ce44d2e34d705a7b69b9346cd
  • 310848da5dd6e75c8df5bc00223582a7b7e6fbef90ca45222948eaba546be3bd
  • 40a0f808c1fd873c364850d95e2f0adb0ca24740945702de5c0552a5afc60612
  • b609c46124d069b2299de3896a5cc2f7540e4effcba462e7f5300573666efd4a
  • d7e95936470c9747f9c803d3839159e86112afbe49d68b578775f1c29141d502
  • 036d8c2a089ea0870fa37060c96928789a8b373ca0795d1c06db443b53dc5882
  • 2b7662b93abcd312eb2c4d66c246af9dc7c43a511fae5dddd11617bf2ced16c3
  • 5795c26debe0c06d1f1968730a84efeed69f0493b23f8411b3ea60781e7a24a7
  • 6856286bb8ac5961f58831e7e4fa6debe7a4a399e5ffa56d37e7ca78f1588871
  • 6db67b808d476e3412034571798447aafbbe320a0884a417a7d7fae604440c6e
  • acaa87b92f1e2ee316033624e4760ca4f9c781e82b72949c46861c7652cf74c2


Screenshots of Detection





Indicators of Compromise

Registry Keys
    • Value: NZVHFTBPMBN
  • N/A
IP Addresses
  • 198[.]54[.]117[.]217
  • 68[.]65[.]121[.]51
  • 104[.]200[.]23[.]95
  • 104[.]250[.]149[.]195
Domain Names
  • www[.]atopgixn[.]info
  • www[.]gstringguitarco[.]com
  • www[.]mymugcity[.]com
  • www[.]mankafei[.]net
  • www[.]9999zh[.]com
  • www[.]dltecgeradores[.]com
  • www[.]snhvwa[.]men
  • www[.]zswlu[.]info
  • www[.]bitstubs[.]com
  • www[.]allsystemstoupgrades[.]win
Files and or directories created
  • %AppData%\K27P0CT0\K27logrv.ini
  • %TEMP%\Gsdf0d
  • %TEMP%\nsnD1EF.tmp
  • %TEMP%\zvu
  • %AppData%\K27P0CT0\K27logim.jpeg
  • %ProgramFiles(x86)%\Microsoft\Windows\WebCache\WebCacheV01.tmp
  • %TEMP%\nstD210.tmp\System.dll
  • %AppData%\K27P0CT0\K27logri.ini
  • %TEMP%\Gsdf0d\mshlg4q6x.exe
  • %ProgramFiles(x86)%\Gsdf0d
  • %TEMP%\nsc8B5E.tmp
  • %AppData%\K27P0CT0\K27log.ini
  • %TEMP%\nsi8B7F.tmp\System.dll
  • %ProgramFiles(x86)%\Gsdf0d\mshlg4q6x.exe
  • %AppData%\K27P0CT0\K27logrc.ini
  • %TEMP%\nsi8B7F.tmp
  • %AppData%\K27P0CT0
  • %TEMP%\nstD210.tmp
File Hashes
  • 44f6b3cea3a371a7cd6161739dcc6f9f96a40c8c732b1acd8042a2991a9bbf73
  • d62ee1186d8a8c7d84b2a03e0bee1c13c47d133a55238ba7c367f9539e6c9b17
  • df9f1a4e2cb4247132c7442aedfe873c5e801ab048e0236407066c3acd5ec79b
  • d8f1f59b81a985f538fc0a51c85c688794f94b28a06883ba9dadfb4b0c8bccd6
  • 2ca04f3c65e3fd16b9c879c7db4cc8025279463dbb965e3954e35106fe952e86
  • 3538c0a7785ab6d418112d10cd6844ded5745064840d18d74d9b978dea1fe1a9
  • 09cc6c9e39425a71ccdc26ffd8a67179043b20f646286685eea24e6bb00b12d9
  • 725752c4bda82acf554aad37fe97d08f4367c9a1e5d40b6fe17cdc94adf040fc
  • 3d756dcf4397cb6b0d406b9f70eb18029965fce0110c0290af6ad73468aa2c1f
  • ef4d20220eaecedc0b3069192843bd5eddc196b25a9e083fd16d19ae100374df
  • 70d50a77db7cb028163638a7e58c354e1fbab4757323ad9eccfb51e9b257f83c
  • 35c996576eba666a33e26bc25122196de365465da8ebee70930b9c4ec6be7313
  • 330a8b46f74f5d4af759b18db64dfd9af2ef3e429d597cd4522148fb78633000
  • ac6fbd8f18bb93cfac31af73eb9cf6a1aa925b95d44b42b3659ecfd49209ec76
  • 711155de0073adc2f68fc4088253f92f43a696bbf5d8f892f902724be37668f3
  • c1e6324086192a47c60daee91f9f906c2ceb03cac0c67a8ed3f0a31c37e3a991
  • 5301f9401c7d7ac485d0169085222c64ec2de6f14783cad6150b7c6f0f368c7c
  • 96847279dd3564a5d689bf310483fe351fac55e54a440d15e55f0bb7d35baab6
  • aebb84da20c2c92da398b1e5fcc8adc6bfe893d5a8b56c5cd1beb42b3fa5f069
  • 2a0904b6301b42ed0838633b161c947a781600fc884b0fc499f906a49ea38292
  • 0e1c8a62bd632cd364d16dcf0839531c8dcb443269f4478f301e4adf758977a6
  • f34354749657c44beee0b1d7f5cdc4a31c858eab565fc2592f96c69eb9d501e1
  • 8ecfcfc939e40cc943df83f548286c2f7f519a53e195b3ae595e0bef39baee29
  • 21178d6e06ded3b1a43e98eb781220c37e729ef081bd160f168fc465313ea4ff
  • ef4b97346e1ee359feff43d136f3dd6031993fb47bdfd25520b4fc3279d3649b


Screenshots of Detection




Indicators of Compromise

Registry Keys
    • Value: Blob
    • Value: DefaultInstance
    • Value: Altitude
    • Value: Flags
    • Value: atimode
    • Value: shield_count
    • Value: set_pt
    • Value: set_bl
    • Value: 9B4DFF593EC4945503B76D97E83BADF6893F2597
    • Value: DisabledComponents
    • Value: ImagePath
    • Value: DisplayName
    • Value: St
    • Value: Start
    • Value: ErrorControl
    • Value: WOW64
    • Value: Group
    • Value: Type
    • Value: DisableTaskOffload
    • Value: igfxmtc_time
    • Value: Liveup
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • N/A
IP Addresses
  • 45[.]77[.]68[.]17
  • 45[.]32[.]78[.]78
  • 45[.]63[.]57[.]87
  • 173[.]192[.]16[.]184
  • 174[.]37[.]56[.]249
Domain Names
  • gpt9[.]com
  • optcdn[.]com
  • www[.]userbest[.]com
  • optitm[.]com
Files and or directories created
  • %System32%\drivers\spbiovxl.sys
  • %LocalAppData%\exhpugb\dowmload.tmp
  • %WinDir%\TEMP\UDD7B8B.tmp
  • %System32%\pwkmbru
  • %TEMP%\3ED5.tmp
  • %TEMP%\400F.tmp
  • %WinDir%\TEMP\msidntfs\SSL\cert.db
  • %TEMP%\nsy4211.tmp\ioSpecial.ini
  • %System32%\pwkmbru\dsieovx.exe
  • %WinDir%\TEMP\msidntfs\SSL
  • %WinDir%\TEMP\UDD73AE.tmp
  • %LocalAppData%\igfxmtc\igfxmtc.exe
  • %WinDir%\TEMP\msidntfs\SSL\SecureTrust Network Root CA 2.cer
  • %TEMP%\4119.tmp
  • %TEMP%\nsy4211.tmp\modern-wizard.bmp
  • %WinDir%\TEMP\UDD6BD1.tmp
  • %WinDir%\TEMP\msidntfs
  • %LocalAppData%\exhpugb
  • %TEMP%\3DCC.tmp.exe
  • %WinDir%\TEMP\UDD63F3.tmp
  • %WinDir%\TEMP\UDD8369.tmp
  • %TEMP%\3FFE.tmp
  • %TEMP%\nss41A2.tmp
  • %WinDir%\SysWOW64\pwkmbru
  • %TEMP%\nsy4211.tmp\GetVersion.dll
  • %System32%\pwkmbru\dsieovx.sys
  • %System32%\pwkmbru\dsieovxdrv.sys
  • %TEMP%\3E3A.tmp
  • %WinDir%\TEMP\UDD4441.tmp
  • %LocalAppData%\igfxmtc\dowmload.tmp
  • %LocalAppData%\igfxmtc
  • %TEMP%\nsy4211.tmp
  • %TEMP%\3DCC.tmp
  • %TEMP%\nsy4211.tmp\InstallOptions.dll
File Hashes
  • 4605f6041d93c6390c1ed856336c01a6cf3982bea1987c6de846752ca7006882
  • a10aefc70a3d3512cf54f74e39b3ee5cc5403c003179c57aeea7fb3895ed8ace
  • a0365a881396fa66719255cd617e5ef7e175343f28b7ee7ec347bf87811274c0
  • 05be7b2de818dcb358a4f24d6050ae2b91d728c80a8af279894b5e701b060926
  • a32a315ae45f62d26cdd22281a69932c83f147fc4e820a9cc7bf05bcc4680777
  • 6bd49db136718b3cef01348bc839e206d566a1e1c32e0537be61dfa2ee87de6b
  • a677a593cebda3734ab26828b65fd93b54bbc02199a080a26da61afcff29ae48
  • 84c269a1661a987058f51dea4644ec2703b28170324fbeab6920e40ad1a05a54
  • ad7c7472d980025e3edbab89988fec2d5776b4f72b0757c2b1dac54d1c991c37
  • 877d9c4195c38a9dc55c472f7c72ec3d6ad0d95a544458a2050edf22df3aac5c
  • 0a6cabedfabfbab3fba2057d30b1faab2f1b2d2d47a6227aa3b677af45f92da2
  • 683339b58c7cbc066f84c625efa0248eb89bfcd24de916f5fe600c33867084e7
  • 7bc897c2c55ff708cbccff1461d2406aaef7953686817bd2d6a39ad58af393f9
  • e1e31a797b01f5f4ec694fb03d894e5ab331f41f3bc8c34bb407d390554bfe3a
  • fa8c301685d5ceb6a97b75f3bb665871e3ddf5b47410179dd7a55f4f3cebf4ab
  • 9b4536855237fe80447950bf86d1177489dbc1b231122e4a5d2157ba93c1b504
  • 19a5f6fc34e531409c787b00444671b44a5c11dec0dafab0e0ef699de29eea6d
  • b4e2b99c18bf61acedaff5b1908a212470eb902ddfe8e164e01ffcfbab19834b
  • db5b0bb4d05292e6649fa84f076195d7a0cfb15516ce386f214dc2dd96a5e467
  • 11117fe96292e5d5702f2c82e4b21c3cbc4234f13417b22ad963a9f746978482
  • 33ab8e652c16836caf3b22518485757f417fab73a92e916f0c6aaf27b57f3be4


Screenshots of Detection




Indicators of Compromise

Registry Keys
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\host2lc
  • <HKLM>\SOFTWARE\Microsoft\Tracing\FWCFG
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
  • \BaseNamedObjects\DRBCXMtx
IP Addresses
  • 216[.]58[.]217[.]174
  • 62[.]75[.]222[.]235
  • 216[.]58[.]206[.]78
  • 84[.]16[.]241[.]77
  • 66[.]199[.]229[.]251
Domain Names
  • google[.]com
  • u[.]drawfixmydesign[.]com
  • r[.]drawfixmydesign[.]com
Files and or directories created
  • N/A
File Hashes
  • 2593e0c6d66d36c7d8b3061f3c242875113310a2939f89aea73eda1397e44e31
  • e9a7b16189e27dff9ff67e31d09fa05e7f32658dfa56bb51feff8ca0cfb4eb85
  • 1a1144444adb05aee9ef8adfb3c892a97d32b870d1ee300975a5f3597f2ed638
  • ff5d541f260063a88b04a892cacfb3bcb13b8dd83c5f29ed5000737dbd6662c4
  • b1d0bfdd95f168cea0df0e138ee627cb7feb0a26ac7a736baa031547bb6fb08d
  • 9af34cdb7f0b01c044fdeb64f0b733d78e8b9be854c4beeee679f8ee083530b1
  • 24281907f8904bf6b9af4116f52ae2ba8b4b97ce586cd3b2b2777a8f3c76c8cc
  • 61cb5cbccb6d1c329cb1a641c3a74fd4a4521dee0d2d03e810f3f12303e0f1f1
  • 3431065d2208123137714d2d432427d33cff576d202e1fc7ea2990b21847cce1
  • ba975d346f8f543f348e1e42f03bf50167045740b321ae6dc8a8497e608e8766
  • 2df889657dd28f91ea10c08d5a72cf890bf142a6fb4928520ecdefcf708cc2b5
  • 174286f1a0bd66552237da989be39ef821b11fc6acccef5eabc00448991d1876
  • 4632c1023c0baaa1e227defd4923098c4f3c49317964ff1cb088b40b9df7a605
  • 530607f9b54be981e420a7bca1d33d0fa180e6c42877beddeb23836cc440f062
  • e9bcf85599744033e320f5031ecc8157e0498a42d699cb175d7242c95b9f4358
  • 86746d7dfa923b5b1e0e5a0d27f19eb40979dcf342f2fba01ccbb09175b9363c
  • 973c024f2af38334bfe80a5c1fc2f96b2215397124ff08110e3c96aa986e7440


Screenshots of Detection



Indicators of Compromise

Registry Keys
    • Value: data
    • Value: aybbmte.job.fp
    • Value: aybbmte.job
    • Value: Index
    • Value: Id
    • Value: DynamicInfo
    • Value: Path
    • Value: Hash
    • Value: Triggers
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %ProgramFiles%\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
File Hashes
  • 082f1ce18a378ec6eb67565fb7bd89cd29db886b44fe4312a863382af9e13df7
  • 0e1d3984bd6c33ba0fc108329e3906bd074d70ed44a4c7fa6d8f857531bbc437
  • 380545cfde4acaf2c29969d175db1cecd28c5691693e097e52da5c0e886a8301
  • 13da7abee3f2ea4275c1434900db5ba9f620fde8743eb0ff2388b32897685e0b
  • 9dc0c514ea1aaa91c1255857cb261bd6c94f8565ffef4420b75c5d5320717b09
  • 30103085dd67ac6e9bdf14255fc5c8b697d68b810e732b4ae29798b62e5ad677
  • 663ecdfa115605418b2826e4de7e289b0cd12849b719c7a171ee7524bf22fe99
  • cc203d955e3e33479423f7b2aea1f13c2ba5895da16159a779407e03e747d116
  • 3784e5b40ff8687265efe5dacfd5b6c9d744fe294f425703ddafbf687192eb8e
  • 0a52739b2a45b1002b78230df60dd42d2ffa0897197953639dd627bcc0454134
  • 1824bb4ea96c6107c6660b104d60073be3a9f5c3bdbbc2c801771fc34a03e01c
  • a1175ff8f5544f4ec078e4d55db4b6aff7a7844e9df2057d3fe906cfa77d25f0
  • 61dede4113d1eda504f7360ae535cd88ede9425722db4a43577185d0312acd5a
  • ac755dfabf99ea6fc8c334dcef526d1dce3680200deeaac5e80077a27042af9c
  • 786c1b55e5e73fd3c2231d7e6fa0565aacb4fb239807f42c2f0cb83f57186271
  • 4e27ccfd0c90aab501d16d45b1e9d13bde3e2d6c2ba6d230b7973dcc8567e556
  • c7dcf76652af54cf4cbbfdfc4fa5cc8d4a8e1807d478eceee32270260dbfecf7
  • 228ffe97f34e097a0cb3b3288ee56a063da65d890b1f888d59d59f0ad2b3bb71
  • 39c05a8b0d635eb221023154423dd3e26c93d16bb5a16a2512c68bde62996023
  • 6bd38baca4b923c26628e9dcf9ee64d8bcc5c4ba9cb9f2298e32f8db7816de08
  • cb2155b65879f66eb449b60a90c632c701fbea7ac8d4011e3b24b238c3302de0
  • 8fdabcedb02b4ae9364e53f38738710a1f6e9851077c29dbda34cf934229b47d
  • fdb559a29e0374fa7ce71d8661400fcc2d2db7d3486822a5cf1e0eba5c5634c8
  • 4a6043017f598162263d52315c79bfcb5fbef86f19d51beb718fe8093dc1af16
  • 2f9ca1b196aa915e3c87dabe20f353a4a69ee5998f8559ef8073194918dc7ea9


Screenshots of Detection




Indicators of Compromise

Registry Keys
  • N/A
  • N/A
IP Addresses
  • 52[.]85[.]88[.]217
Domain Names
  • bush[.]basinafterthought[.]bid
Files and or directories created
  • N/A
File Hashes
  • 9ad10ae09760aa994fdf2d6132a60276badb77b0ab773ee5d07d5b5e7a259207
  • 2c31ec1ded95ec22f07a3bc29c03badd9158d8ddc19e1cdb98ccdab3482f2421
  • 433403d0f920938654f1592148f99110a5dd35fed88260c44a022983e12bdaa1
  • a02c5f7013b02bbc66380276f4250ea42173971c60e8836bb676243b648dd3a0
  • f0bfcb581935377def575a18a89290427d335c95da6781b11d1ad91711cb4a81
  • 41bf7b4e4d7a87395cc8867e026ed9d586830420a70325a672d07ea9c1a351e0
  • e616d1e7e2b6e1d4f1ac2fea3e2041b842d27f5de05ff941b5661997cfe8a856
  • 4300dc69146725fe7476b6ee4a81ecbed78604e4575e299f52f6b6f3c65eaaa1
  • bc782f40d16fd6574c1e84edd0728470f426a31d2ff94e4bbb87a19cf3992048
  • 04ead5ee82c762a26e1dc0e6a8b21c54669c771cca0291b5d41282d2e73a7fc0
  • 739f27ac00dc449895f589ff28e86d78ea17ca298ffc0b40021136d7c77ed679
  • cc4c722e0d6e2bbff6119e1895f6dfbbb2ed75b3d786e4de507b48792a2660a2
  • 28589697e00deb562a29f3cb335167b2880f3ef3065e418f57f1b626d9ea8c94
  • b622971e681f9e2fa5f84bfcb9e7144b6198d3fb554de8d4488117ca1e3f51c8
  • 0fee9d67ef1967d2bee1f67b1dc5ae24dff5d6dba17b9247e33b87f5bf6e6856
  • 6c8ca3ba14ee685739ea32a3ddc613d4544c69194a97c55365c570c053609938
  • f1dbfaf0378434cd1758feaabe050171df1c234ddc6215df494c6592a9e92547
  • e586da2bd9fd73223281176033b97e6e4e137249f9aff8430004099b31508e12
  • 1d70d1eb3210984b8d2c3c62ca6ade7b018f44688d009cbde3c2c214224a3ffb
  • 404746279f7d963489d1d7d2d9be4bd1b1dd82e81e21f6ebf09091ee7b059988
  • 4696ddd4a7ed96a86a09413f14657c7e01053213f6f1f6008a3a3bbe4fe45229
  • 66af9dc27feb2b69729b82e4076dd699cc504c3c8dce943d2023c7bdeca00f2a
  • 4694e19504a1bbc0335c213bad487727ab75faab3bf29d92cb7e3d14a2d3a8d0
  • 0863bf4a5476b5de02a15c3bdec1604c7d8ab7c8ca1c0546edf2f16a756e0d8f
  • 39974f2161bc0151692ae2f380d38b626f2b47904f92ce5706e29b2fe05122d3


Screenshots of Detection




Indicators of Compromise

Registry Keys
  • N/A
  • N/A
IP Addresses
  • 72[.]230[.]82[.]80
  • 216[.]146[.]43[.]71
  • 173[.]248[.]31[.]6
  • 93[.]185[.]4[.]90
  • 173[.]243[.]255[.]79
Domain Names
  • checkip[.]dyndns[.]org
Files and or directories created
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\W7RSB4SE.htm
  • %TEMP%\serizay.exe
File Hashes
  • 91122476660eff79e0de0f30752e1cf9b37985013cb2fd6ad51c6ea6f20dbdf5
  • fccaca287d58a30c33cc6a52e49fc16c9c5f08143624b82c8ea1df216ec42db0
  • 6b93b7b97c1d5f3ad00378c8ff279c2f2ef8ba4ca16fdde45fe0557c37e8630a
  • e9574e34b580958e83aa060868edf408751f89f2844da98f2a8c4df24a175efd
  • 2b0dbfbc6f7018646a9ec428424986969a8bcf3ca1c4e1b23d7aab3e7e7dda5f
  • d4be54137269f8b720abd45b5f900e513c8e9c6144169900c673a07b3181006a
  • 45919cf6c7ca6e97bcbf5f3bcf670db27c29d81aaa50b3563c50ec4e80ec6f4c
  • 388a22678ed13c5fc9a26d8d89a37805143b38d782677b49d9abbfa1dcd47105
  • d9b137bba139689b08b01f59dfc61b161f522c8618cd74321a7ae4531e093ebb
  • 702c79933e6afba258861251597fc1eb6fada3273a1a3038f4332f09eac44237
  • ccbf0df625484ab8244a47737514ff698fa00fe2ed8da99e779134c4f96c2a3f
  • 5c80cd096858030abfb8ec87a0aceb8b9d791dfdc67259e668ec2cabab3abef4
  • 6b6eb4cc4aa8e3d71a97a8657ffcd27d2bd12466faf3b1f7fcbcd274a4b9561c
  • 06c65a259d7c96000fcec97a7d8c5b6c4d0c8b8e52ed1d45c934a50d0369b3eb
  • f43312efa07fe063b6fd50de8f1bc3e7ccfe27b4d80d9082e8faaced210f6be0
  • 84f1fd4c31d0c21517ffe56eea666d6c7954aec47e958c33238b91f6bc9ef0e0
  • 07cb19e9013ac45d8e99618944ebd9d1a81499239d20800f8aaf5789b6fbb47e
  • e122d91eb62a33c8b4ef56b2299caf2f58fd4e48694c97e06c92f858497cf860
  • ea284de1551e367f736ce661b7342fc3a98297cfa8358972120375702dd14ccf
  • e4b38a225a2703c06bcf4d26acc22753a86b74fa461720bda700c1fa2c1b3db6
  • daeded4fb715741d4045fa7ff6e7d81920c3e7ce892c1c29676a51ee70d63712
  • bc417721acee0afa960d71a7c59acfb6d233384625620bd0856734521b028005
  • 79a50327843a8ccf58147971d1c86945f9a40cd0d4ee35084b8af26c9f5ab210
  • 53e260744b0f3d02c6d629cd466483b79c147d882e6749639631c4c7eeb46808
  • 2e5bff8f11e5ed171ac94f1a5656014fbffd46b66493c90aaf47b640568faa1e


Screenshots of Detection




Indicators of Compromise

Registry Keys
  • <HKLM>\SYSTEM\ControlSet001\Services\xkqrdots
  • <HKU>\Control Panel\Buses
  • N/A
IP Addresses
  • 85[.]25[.]185[.]229
  • 43[.]231[.]4[.]7
  • 12[.]167[.]151[.]116
Domain Names
  • 116[.]151[.]167[.]12[.]in-addr[.]arpa
Files and or directories created
  • N/A
File Hashes
  • c6eeffc5eb2ee7203e7abef9e60c5edffd5471aa02760e1b2ef0cce5c5a73aa3
  • cd159019d822551dd72c81fc954042275f65deaee88469c05682e7575a27e8e8
  • f0bd29ac4f11195c79f8b1812cbf93fcb2b8e67bd219c287e9e93c8136c44a32
  • 40b0cde3e58f802d799ce9b3baa86d3b03582b8d52af828fcf33a7b71fa704de
  • 842fd3e6342f2eab3bb49c69a6d963e3c7022221bdb074b4437310f8170b2c6f
  • e5633dfe5df0eadc14ee162af1c1f47c6350f514f6867cdeea8efeaf2cdd4f90
  • ea088b52681001876b19f1b4c22823d347b734e167cb634208a204d95f6c01f5
  • 268b1d9cc88537d6ba2301845262a82bc6df00b07a74fa7ead0242e5cf0dc9ae
  • 9b389a4e17438eeba6cba94c6359317175b36e38329ae8ccfef2e7bc5d3b5a61
  • e411592afee8c0a1d6baab011017672dea44c307ed4ea223999eb0152cd95db6
  • 8ab34d8df0858423dd1f4f70f407ca929cf9300839c783ef40f64024e477b4f0
  • c8aeb4cf24afcabea69ac048a658fe031b033534a9cc77e249c03b1d0464a75c
  • 10de8c9c16f71496e3c55f0d50640741449ea8f0e7b84dfabc80e13232dcee74
  • d2f102299b545cf1efc42b2e7d2de46dc6edf49b4da4ec4ee475539b21c7bad7
  • 5a9b3c474315a6cc941b44e2e1563266497d7c3a8fc88653b12d3b6fa9283439
  • f5c742ff51664195be30bba05c56c909b07cf7a475c570a704435e99ec925c92
  • 8d6c39242bb75f30437e3a3712cd54e5f4a1ccba7deef3ced7607c3894391297
  • 5e7847c2c9edb9a8cd764e28cdb8f575fa157846ed1b0e4ccf0612f915a794a1
  • 17595c6caf5362a043f81d32dc30dae30f27354fa9783de374301cbf42be2ff3
  • 35dcd9cd70c1047b835736be487536a3f3d6f2c2d40752f40ab278149972c481
  • 6812a316ac2f2fa0affd0977f61a97f7463f3dd77e18b217e8b97e2414d4ea18
  • 81233480a520d005f90f203e99bc325fca56eff338e6761a11295315ac9010d1
  • 8014614d9085f4ada71d6c403e8042ffdd715974ad826a19ec2fb8a4f713ca9f
  • 1f26c8b1dada5dc707651958630211824886556eb23f77f04d7a4818f8c8e756
  • 018ba4d9446e31d228b829f0f90f2f4519b87359d5d5750177152e0b986d8aad


Screenshots of Detection


Weekly Update 82 (Honolulu Edition)

Presently sponsored by: Netsparker - a scalable and dead accurate web application security solution. Scan thousands of web applications within just hours.

Weekly Update 82 (Honolulu Edition)

I'm in Honolulu! And I apologise in advance for the audio quality - the background noise is air conditioning units in the hotel and I didn't realise quite how much sound they make until I listened to the audio afterwards. Next week I'll be home and back to a quality audio setup.

Regardless, I did pump out a shorter update with a bunch of bits and pieces that popped up during the week. Firstly, the obnoxious behaviour that is Twitter thread hijacking (think of everything you hate about spam, just distilled down to 280 characters). I also caught up with a bunch of people from 1Password during my time in Hawaii and fleshed out how I'm going to be clearer about why I'm recommending them on HIBP and spoke about some cool new integration work we can do with the partnership (to be announced at a later date). Then there's the password extortion scam where you pay money to have your password removed from a publicly searchable site (the future is not bright for that one). On a more positive note, T-Mobile in Austria turned themselves around after the debacle I talked about last week and they seem to have genuinely taken notice of community feedback. And finally, my Microsoft Regional Director renewal came through which made me exceptionally happy!

That's it for this week, I'm about to jump on a plane in Honolulu and head home to the sunshine 😎

iTunes podcast | Google Play Music podcast | RSS podcast

Oh - and the chocolates - turns out they weren't chocolates but yes, they were Trump:


  1. Twitter thread hijacking is spam and most people are pretty unimpressed by it (it's a rather cringe-worthy thread to read, I opted out of it early and will write about it properly next week)
  2. Someone is actually asking for BTC in order to remove your password from a public search service (either that site is going to disappear or the operator is going to be "picked up", only question is how long it takes)
  3. T-Mobile Austria has made good and promised to fix some of the issues people raised concerns about (there were a bunch of other problems not mentioned in this tweet, but I assume due to the press they got on them they're at least aware of the issues)
  4. I'm back as a Microsoft Regional Director for another couple of years! (a big "thank you" to everyone that's given me a platform that's enabled me to do this)
  5. Raygun are back in the sponsor bar (they've launched some cool new APM stuff, big thanks to them for their ongoing support!)

IDG Contributor Network: From NSTIC to improved federal identity, credential and access management

7 years ago – the NSTIC and the goal of an identity ecosystem

Seven years ago this month, the Obama Administration published the “National Strategy for Trusted Identities in Cyberspace (NSTIC)”.  NSTIC called for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

Born out of the NSTIC and operating under grants from the National Institute of Standards and Technology (NIST) is the Identity Ecosystem Steering Group (IDESG), a private sector-led non-for-profit organization. Any identity ecosystem requires trust and specifically a trust framework.  The IDESG’s Identity Ecosystem Framework provides a baseline set of standards and policies that enables individuals and organizations to use a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet.  Full disclosure, I currently serve on the IDESG’s Board of Directors.

To read this article in full, please click here

Content Security Policy

Content Security Policy

As a website owner, it’s a good idea to be aware of the security issues that might affect your site. For example, Cross-site Scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

You probably know too that client-side scripts can be programmed to do pretty much anything. They can be as simple as showing an alert message in your website, to animating images, mining cryptocurrencies or showing pop-ups that contain NSFW pharma products.

Continue reading Content Security Policy at Sucuri Blog.

CVE-2018-6547 (plays.tv)

plays_service.exe in the plays.tv service before, as distributed in AMD driver-installation packages and Gaming Evolved products, contains an HTTP message parsing function that takes a user-defined path and writes non-user controlled data as SYSTEM to the file when the extract_files parameter is used. This occurs without properly authenticating the user.

CVE-2018-6546 (plays.tv)

plays_service.exe in the plays.tv service before, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.

Typosquatting: What You Need to Know Now

As it turns out, your high school English teacher was right—spelling does matter. This is especially true now, when mistyping a simple web address could potentially land you in hot water. Although “typosquatting” has been around for a long time, cybercriminals are becoming more systematic in how they use this technique, aiming to steal personal information, make money, or spread malware.

If you’ve ever typed in a web address and landed on a page that is nothing like the one you intended to go to, you may be familiar with this practice, also known as “URL hijacking.” This is when a webpage is put up at a similar web address to another well-known site, in the hopes of capturing some of the legitimate website’s traffic.

These sites often rely on the small typos we make when we type in web addresses, like accidentally omitting the “o” in “.com”. In fact, researchers recently found a whole host of addresses that were registered in the names of well-known sites, but terminating in  “.cm”, instead of “.com”. These copycat addresses included financial websites, such as Chase.cm and Citicards.cm, as well as social and streaming sites.

The .cm sites were used to advertise promotions and surveys used to collect users’ personal information. What’s more, over 1,500 of them were registered to the same email address, indicating that someone was trying to turn typosquatting into a serious business.

While early typosquatting efforts were often aimed at stealing traffic alone, we’re now seeing a move toward clever copycats. Some look like real banking websites, complete with stolen logos and familiar login screens, hoping to trick you into entering your passwords and others sensitive information.

Earlier this year, for instance, the Reserve Bank of India (RBI) warned customers that someone had bought the URL “www.indiareserveban.org”, and put up a fake site, asking for banking details and passwords, even though the real RBI is a central bank that holds no individual accounts.

But, cybercrooks don’t even need to put up fake websites to try to steal your information; they can also trick you into downloading malware. They may lead you to a site that delivers a pop-up screen telling you to update your Adobe Flash Player, for instance.

That’s exactly what happened not too long ago to Netflix users who accidentally typed in “Netflix.om”, instead of “.com”. The cybercrooks had smartly used the Netflix address ending in the top-level domain for Oman to try to redirect at least some of the streaming site’s over 118 million users to a malware-laden site instead. In fact, “.om” was used as part of a larger typosquatting campaign, targeting over 300 well-known organizations.

Given that typos are easy to do, and fake websites are becoming more convincing, here are the steps you should take to protect yourself from typosquatting:

  • Whether you type in a web address to the address field, or a search engine, be careful that you spell the address correctly before you hit “return”.
  • If you are going to a website where you might share private information, look for the green lock symbol in the upper left-hand corner of the address bar, indicating that the site uses encryption to secure the data that you share.
  • Be suspicious of websites with low-quality graphics or misspellings, since these are telltale signs of fake websites.
  • Consider bookmarking sites you visit regularly to make sure you get to the right site, each time.
  • Don’t click on links in emails, text messages and popup messages unless you know and trust the sender.
  • Consider using a safe search tool such as McAfee WebAdvisor, which can alert you to risky websites right in your search results.
  • Always use comprehensive security software on both your computers and devices to protect you from malware and other online threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Typosquatting: What You Need to Know Now appeared first on McAfee Blogs.

Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Vulnerability Details

TALOS-2017-0472 (CVE-2017-12120) Moxa EDR-810 Web Server ping Command Injection Vulnerability

TALOS-2017-0472 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell. An attacker may be able to inject OS commands into the ifs= parm in the "/goform/net_WebPingGetValue" uri to trigger this vulnerability and take control over the targeted device.

TALOS-2017-0473 (CVE-2017-12121) Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability

TALOS-2017-0473 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability and take control over the targeted device.

TALOS-2017-0474 (CVE-2017-14435 to 14437) Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities

TALOS-2017-0474 describes three separate exploitable denial of service vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.

TALOS-2017-0475 (CVE-2017-12123) Moxa EDR-810 Cleartext Transmission of Password Vulnerability

TALOS-2017-0475 is an exploitable clear text transmission of password vulnerability that exists in the web server and telnet functionality of Moxa EDR-810. An attacker may be able to inspect network traffic to retrieve the administrative password for the device. The attacker may then use the credentials to login into the device web management console as the device administrator.

TALOS-2017-0476 (CVE-2017-12124) Moxa EDR-810 Web Server URI Denial of Service Vulnerability

TALOS-2017-0476 is an exploitable denial of service vulnerability that exists in the web server functionality of Moxa EDR-810. Access to a specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.

TALOS-2017-0477 (CVE-2017-12125) Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability

TALOS-2017-0477 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in access to root shell. An attacker may be able to inject OS commands into the CN= parm in the "/goform/net_WebCSRGen" uri to trigger this vulnerability.

TALOS-2017-0478 (CVE-2017-12126) Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability

TALOS-2017-0478 is an exploitable cross-site request forgery (CSRF) vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can trigger a CSFR vulnerability which may allow the attacker to change the device configuration. An attacker can create a malicious html code to trigger this vulnerability and entice the user to execute the malicious code.

TALOS-2017-0479 (CVE-2017-12127) Moxa EDR-810 Plaintext Password Storage Vulnerability

TALOS-2017-0479 is a password storage vulnerability that exists in the operating system functionality of Moxa EDR-810. The device stores credentials in plaintext in /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG. This file mirrors the contents of /etc/shadow, except that all the passwords are stored in plaintext.

TALOS-2017-0480 (CVE-2017-12128) Moxa EDR-810 Server Agent Information Disclosure Vulnerability

TALOS-2017-0480 is an exploitable information disclosure vulnerability that exists in the Server Agent functionality of Moxa EDR-810. A specially crafted TCP packet can cause the device to leak data and result in an information disclosure. An attacker may be able to send a specially crafted TCP packet to trigger this vulnerability.

TALOS-2017-0481 (CVE-2017-12129) Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability

TALOS-2017-0481 is an exploitable Weak Cryptography for Passwords vulnerability that exists in the web server functionality of Moxa EDR-810. After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device's password.

TALOS-2017-0482 (CVE-2017-14432 to 14434) Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities

TALOS-2017-0482 describes multiple exploitable command injection vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request may cause a privilege escalation resulting in an attacker having access to a root shell. An attacker may be able to inject OS commands into various parameters in the "/goform/net_Web_get_value" uri to trigger this vulnerability.

TALOS-2017-0487 (CVE-2017-14438 and 14439) Moxa EDR-810 Service Agent Multiple Denial of Service

TALOS-2017-0487 describes two exploitable denial of service vulnerabilities that exist in the Service Agent functionality of Moxa EDR-810. A specially crafted packet can cause a denial of service. An attacker may be able to send a large packet to tcp ports 4000 or 4001 to trigger this vulnerability.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:


Affected versions

The discovered vulnerabilities have been confirmed in Moxa EDR-810 V4.1 build 17030317 but they may also affect earlier versions of the product.


Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are used in industries such as energy providers, manufacturing and critical infrastructure providers in order to control and monitor various aspects of various industrial processes. ICS systems employ many mechanisms and protocols also used in traditional IT systems and networks.

Although some characteristics of traditional IT systems and ICS are similar, ICS also have characteristics that differ in their service level and performance requirements. Many of these differences come from the fact that ICS has a direct effect on the physical world which may also include a risk to the health and safety of the population and a potential to cause damage to the environment. For that reason ICS have unique reliability requirements and may use real-time operating systems and applications that would not be used in everyday IT environments.

One of the pillars of ICS security, as well as the security of traditional IT networks, is restricting access to network activity. This may include unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls and separate authentication mechanisms and credentials for users of corporate and ICS networks.

ICS devices, including firewalls that secure networks, run software which can contain vulnerabilities and serve as a pathway that may allow attackers to take advantage and intrude into an ICS network environment.

Cisco Talos vulnerability research team also focuses on non traditional computing environments, including ICS, to find previously unknown vulnerabilities and work with vendors to responsibly disclose them while allowing the vendor enough time to improve security of the products by fixing the discovered vulnerabilities.

Moxa EDR-810 is one of the devices specialized in providing firewalls specifically designed to function within ICS infrastructure and provide network security to ICS processes. Cisco Talos researchers have discovered several vulnerabilities affecting the security of the product. Moxa EDR-810 users are recommended to update the software as soon as possible to avoid their ICS environment potentially being exploited by attackers.


The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 31939, 40880, 44835-44837, 44840-44842, 44847-44852, 44855, 44858

US discusses authorizing cyber attacks outside “war zone”

In a nutshell, traditional definitions of war linked to kinetic action and physical space are being framed as overly restrictive given a desire by some to engage in offensive attacks online. The head of NSA is asking whether reducing that link and authorizing cyber attack within a new definition of “war” would affect the “comfort” of those holding responsibility.

“[On offense] the area where I think we still need to get a little more speed and agility — and as Mr. Rapuano indicated it is an area that is currently under review right now — what is the level of comfort in applying those capabilities outside designated areas of hostility,” Rogers asked out loud.

“I don’t believe anyone should grant Cyber Command or Adm. Rogers a blank ticket to do whatever you want, that is not appropriate. The part I am trying to figure out is what is the appropriate balance to ensure the broader set of stakeholders have a voice.”

Rapuano also referenced challenges associated with defining “war” in the context of cyber, which can be borderless due to the interconnected nature of the internet.

“In a domain that is so novel in many respects, and for which we do not have the empirical data and experience associated with military operations per say particularly outside areas of conflict, there are some relatively ambiguous areas around ‘well what constitutes traditional military activities,'” said Rapuano. “This is something that we are looking at within the administration and we’ve had a number of discussions with members and your staffs; so that’s an area we’re looking at to understand the trades and implications of changing the current definition.”

While I enjoy people characterizing the cyber domain as novel and border-less, let’s not kid ourselves too much. The Internet has far more borders and controls established, let alone a capability to deploy more at speed, given they are primarily software based. I can deploy over 40,000 new domains with high walls in 24 hours and there’s simply no way to leverage borders as effectively in a physical world.

Even more to the point I can distribute keys to access in such a way that it spans authorities and bureaucratically slows any attempts to break in, thus raising a far stronger multi-jurisdictional border to entry than any physical crossing.

We do ourselves no favors pretending technology is always weaker, disallowing for the prospect of a shift to stronger boundaries of less cost, and forgetting that Internet engineering is not so much truly novel as a revision of prior attempts in history (e.g. evolution of transit systems).

My recent talk at AppSecCali for example points out how barbed wire combined with repeating rifles established borders faster and more effectively than the far more “physical” barriers that came before. Now imagine someone in the 1800s calling a giant field with barbed wire border-less because it was harder for them to see in the same context as a river or mountain…

What humans do better than machines

The second in a series of three blogs by Grant and Jason on the process of identifying actionable insights.

In the last post in this series, we looked at the process by which data is collected from the operating environment and is then processed and distributed in a consumable manner as information. The collection and processing actions are typically automated. However, the last phase, analysis, has been almost exclusively the domain of human analysts until very recently.

And it is that human intervention at the “last mile” for intelligence that presents the challenge when your operating environment is throwing off 1,200, of even 100,000 warning bells a day from a chatty Network IPS.

It would be easy to say that the way forward is to apply artificial intelligence (AI) to this analysis phase and automate our way out of the chokepoint. But the reality is that AI, for the foreseeable future is still going to be insufficient for the task.

In data science, there is a direct correlation between the false positive rate and the true positive rate, resulting in a less than 100% accurate model.  While the execution of machine learning and deep learning is critical in the SOC, it is essential to understand the relationship between Receiver Operating Characteristics (ROC) curves in the SOC. Assuming that machine learning models and classifiers will work 100% of the time is setting your SOC up to fail.  Instead, a better approach is to use different technologies to filter out the noise. Then you can identify signals to gather insights that enable you to make a decision.

What is needed here is a reinforcing loop of education and information between humans and machines: “human-machine teaming” to borrow from our CTO, Steve Grobman. The goal is to augment the person, instead of replacing them.

It’s important to say that there are some things that human analysts can do on their own to get to actionable insights without the assistance of any machine, thank you very much. At McAfee, our security analysts focus on:

  • Prevalence – How pertinent is this information to the enterprise? Is it local threat intelligence? Or used in a specialized way? Is it industry-level threat intelligence? Or global threat intelligence?
  • Age – Understanding “new” signals, whether they are process, scripts, or files in the environment.
  • Diversity – By leveraging prevalence, we apply diversity from sources like McAfee’s Global Threat Intelligence (GTI), which allows for more context across the globe.

Additionally, these traits are essential to SOC processes:

  • Completeness – Do you have sufficient noise collection to capture context and evidence to deliver effective detection?
  • Timeliness – Are you acting on the signals quickly?
  • Accuracy – Do you understand the relationship between true positives, false positives, true negatives, and false negatives?
  • Confidence  – Are you aggregating data and models to understand confidence level and importance of the decisions?

You will always want a lot of signals to investigate that can be created using data science methodologies, because these are often the clues that allow you to start the triage and investigate process.

So this is where automation and machine learning can help to bridge the human labor gap. As you start down that path, what you realize is you’re going to need tools that are easier to manage. The focus becomes enabling your staff to do more. Learning mechanisms – for humans and machines – become a vital part of the equation. The idea is to put the human in the middle of the self-reinforcing data science capabilities like machine learning, deep learning and AI.

In the final post in this series, we’ll look at how McAfee Product Management, Engineering and the Office of the CISO are collaborating to generate that self-reinforcing learning loop.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA. Jason Rolleston can also be found at similar events and on Twitter and LinkedIn.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.


McAfee does not control or audit third-party benchmark data or the websites referenced in this document. You should visit the referenced website and confirm whether referenced data is accurate.

The post What humans do better than machines appeared first on McAfee Blogs.

Malware monitor – leveraging PyREBox for malware analysis

This post was authored by Xabier Ugarte Pedrero

In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based on QEMU.

It allows us to run a whole operating system in a virtual environment (emulator), and to inspect and modify its memory and registers at run-time. A small set of QEMU modifications allows users to instrument certain events such as instruction execution or memory read/writes.

On top of this, PyREBox leverages Virtual Machine Introspection techniques to bridge the semantic gap, that is, understanding OS abstractions such as processes, threads, or libraries. You can find the more detailed description of the framework as well as its capabilities in the original blogpost.

In the past few months we have received positive feedback from the community, fixed bugs and added features suggested by the users. We also added support for GNU/Linux guests, and implemented an agent (program run inside the emulated guest) that allows file transfer between a host and a guest, as well as execution of samples in the guest on demand.

As part of this ongoing effort, today we are releasing a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.

This new toolset also includes IDA Python scripts that help with visualization of the information extracted from the execution of a program. All these tools are configurable via JSON configuration files, and serve to assist automation of sample execution and analysis.

The scripts are released during the first public talk about PyREBox held as a part of the CommSec track at the Hack In the Box conference in Amsterdam. This blog post is a follow up with a brief explanation of the newly released features.

Code coverage

Understanding the code paths that get executed in a binary during the reverse engineering process can be very useful to researchers. While static analysis provides a fairly complete view of the code, we often cannot know in advance if a certain piece of code will get executed or not.

Analysis of code paths often demands anticipation of complex computations and non-trivial path conditions. In order to overcome this limitation, a reverse engineer will mix static analysis with dynamic analysis tools, such as sandboxes or debuggers. Understanding if a code path gets executed requires the reverse engineer to either trace the sample instruction by instruction, or to set breakpoints and let the sample run, waiting to hit one of the breakpoints at some point during the execution.

The first approach can be slow, while the latter may require many attempts, sometimes letting the sample to run freely, that is, not hitting any breakpoint, and fully infecting the system. This usually requires restoring the clean machine snapshot and restarting the analysis process.

In situations like this, having information about the code coverage is useful to better understand which instructions have been executed. The code coverage module in Malware monitor traces the execution of emulator translation blocks.

For the sake of simplicity, we can define translation blocks as equivalent to basic blocks, despite the fact that there are some differences in the way QEMU divides instructions into translation blocks and the formal definition of a basic block.

In any case, the code coverage module generates two different output files - a binary trace file, and a text summary. The binary trace can be imported into IDA in order to colorize the blocks of code that have been executed in the emulator. The user can then inspect at a glimpse which code paths were taken during the execution.

Figure 1. An IDA graph, in which the executed blocks have been colorized in orange, while the non-executed basic block remains white

The second file provides a coarse-grained summary of the executed memory regions. Moreover, it shows an execution transition whenever the execution jumps from one Virtual Address Descriptor (VAD) region to another. VADs are internal structures that Windows uses to keep track, in a form of a tree, of the different memory regions reserved in a given virtual address space.

The main module of the process, the imported DLLs, the stack, the heap, and other allocated memory regions are all represented as independent VAD regions in this tree. Therefore, this log allows the user to find points in the trace where the execution jumps into a memory buffer outside the main module or DLL, which is a behavior typically found in some run-time packers.

The log also includes addresses of the first instruction executed in every VAD region after each transition, helping in some cases to identify the Original Entry Point (OEP) of the unpacked binary.

Figure 2. A snippet of a coverage text log file, showing several transitions between VAD regions.

API tracer

The second component of Malware monitor helps the user to understand the behavior of the sample by tracing function calls to common Windows DLLs (i.e., Windows API). The Malware monitor API tracing is done completely outside the guest system, while most other API tracing frameworks and sandboxes use traditional API hooking that requires modification of the process memory and introduces potentially detectable artifacts.

The API tracer module instruments only specific instructions (such as call / jmp), and detects when one of the control flow instructions jumps into the first bytes of any Windows API function.

API tracer can operate in two modes - the light mode and the full mode. If the light mode is enabled, it will only log API function calls, but it will not inspect their parameters, while the full mode also inspects the stack and registers every time an API function call occurs.

The full mode leverages a database containing information about the number of API parameters, their names and data types. The module is capable of dereferencing pointers and nested structures.

Generated information can either be written in a text file, or saved in a binary file and later loaded in IDA in order to be visualized. Once this information is imported in IDA there are two ways to visualize it - a dedicated tab with search capabilities, and a context menu displayed for every traced call.

Figure 3. A dedicated tab is displayed in IDA, which allows to inspect function calls and their input and output parameters

Figure 4. A snippet of a text log of the API Call trace

Memory monitor

The third new component, memory monitor, tracks different memory related events during the execution of a sample, including:

  • Process creation
  • Remote process memory reading and writing
  • Memory sharing (shared memory regions)
  • File writing and reading
  • File mapping into memory
  • Memory allocation
  • Changes in memory access permissions

The monitored events allow the researcher to understand the memory related behavior of the sample, focusing on aspects such buffer unpacking, process creation and process injection. The module is also capable of monitoring file dropping events, that is, when the sample under analysis writes a binary to disk and executes it.

The information related to memory behavior is condensed into two reports. The first one contains all events related to the above categories, while the second one only summarises the collected information, showing the following:

  • Started and injected processes
  • Modules/DLLs loaded by these processes
  • VAD regions for each process, including heuristics to mark those that contain potentially injected code, unusual permissions, as well as changes in their access permissions
  • Memory maps (mapped files and memory sharing)
  • Memory injections
  • File operations

The summary information can be useful to gain a high level understanding of the malware bootstrap routines. Many malware families contain components that have to be deployed in the system memory. As a part of the deployment, malware often injects the payload into one or more system processes, creates other processes or drops files to disk.

The memory monitor component of PyREBox is able to provide initial information to the analyst containing the memory related behavior of the sample during the deployment phase.

Memory dumper

The last component of Malware monitor is a configurable memory dumper able to dump process memory, including the main module, loaded DLLs, as well as other memory regions (such as heaps, stacks and allocated buffers), at a certain point during execution. The appropriate point to dump the memory has to be chosen by the user, and is configured in the main JSON configuration file. Several options are allowed:

  • Dumping memory at process exit.
  • Dumping memory when a certain API function is called.
  • Dumping memory when a certain address is executed.

In order to dump the memory at a point where the sample has been fully unpacked, the analyst needs knowledge about how the sample operates. However, other Malware monitor modules should be able to help the user to identify the point at which to dump the process memory.

Once the memory dump and the associated information concerning the memory regions of the process is created, we can load the dumped segments manually in IDA and conduct static analysis of the unpacked process.


These newly released Malware monitor components are useful for gathering sample execution information and complementing the data extracted from more traditional sandboxes and debuggers.

The presented modules can help the reverse engineer in the initial information gathering analysis phase, and they are just examples of how PyREBox can become an essential tool in the malware analysis workflow.

PyREBox is a powerful, highly versatile and customizable tool and we encourage every user to create their own scripts that adapt to their research areas.

CVE-2017-6158 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator, big-ip_websafe)

In F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 there is a vulnerability in TMM related to handling of invalid IP addresses.

CVE-2017-6148 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_websafe)

Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0.0, 12.0.0-, 11.6.1-11.6.2, or 11.5.1-11.5.5 may cause a disruption of services provided by TMM. The data plane is impacted and exposed only when a SOCKS proxy profile is attached to a Virtual Server. The control plane is not impacted by this vulnerability.

CVE-2017-6156 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator, big-ip_websafe)

When the F5 BIG-IP 12.1.0-12.1.1, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 system is configured with a wildcard IPSec tunnel endpoint, it may allow a remote attacker to disrupt or impersonate the tunnels that have completed phase 1 IPSec negotiations. The attacker must possess the necessary credentials to negotiate the phase 1 of the IPSec exchange to exploit this vulnerability; in many environment this limits the attack surface to other endpoints under the same administration.

CVE-2017-6155 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_edge_gateway, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_protocol_security_module, big-ip_webaccelerator, big-ip_websafe)

On F5 BIG-IP 13.0.0, 12.0.0-, 11.6.0-11.6.2, 11.4.1-11.5.5, or 11.2.1, malformed SPDY or HTTP/2 requests may result in a disruption of service to TMM. Data plane is only exposed when a SPDY or HTTP/2 profile is attached to a virtual server. There is no control plane exposure.

CVE-2018-10066 (routeros)

An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network (for example, at site-to-site tunnels).

CVE-2018-5506 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator, big-ip_websafe)

In F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.1, 11.5.1-11.5.5, or 11.2.1 the Apache modules apache_auth_token_mod and mod_auth_f5_auth_token.cpp allow possible unauthenticated bruteforce on the em_server_ip authorization parameter to obtain which SSL client certificates used for mutual authentication between BIG-IQ or Enterprise Manager (EM) and managed BIG-IP devices.

CVE-2018-5510 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_domain_name_system, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_webaccelerator, big-ip_websafe)

On F5 BIG-IP 11.5.4 HF4-11.5.5, the Traffic Management Microkernel (TMM) may restart when processing a specific sequence of packets on IPv6 virtual servers.

ZenMate VPN review: This simple VPN clears your mind of complexity

ZenMate VPN in brief:

  • P2P allowed: Yes
  • Business location: Berlin, Germany
  • Number of servers: 300+
  • Number of country locations: 29
  • Cost: $60 per year
  • VPN protocol: IPSec + L2TP
  • Data encryption: 2048-bit PSK/ESP 
  • Data authentication: AES 256/HMAC
  • Handshake encryption: IKEv2 sha256 with 4096-bit RSA

When you think of Zen you probably think of monks, meditation, and cryptic sayings meant to expand your understanding of the world. But the word also suggests a certain sparseness and simplicity. Germany-based ZenGuard took those latter notions to heart when it created its ZenMate VPN service.

To read this article in full, please click here

Security newsround: April 2018

We round up reporting and research from across the web about the latest security news. This month: privacy palaver at Facebook, a cyberattack with explosive intent, securing the IoT, sportswear maker uncovers data breach, and authorities arrest an alleged cybercrime mastermind.

Facebook shook by reverberations and revelations

The worlds of privacy and security collided last month after revelations that consulting group Cambridge Analytica had obtained records of 86 million Facebook users. It then used the data to target voters with pro-Trump messages during the 2016 US presidential election campaign. Scientists working on profiling technology had developed a free personality quiz app that harvested the friend information of users who downloaded the app via Facebook. They then provided this data to Cambridge Analytica. The New York Times reported that the idea for building the app came via Palantir, the data analysis company that works with intelligence agencies.

Facebook initially argued that it didn’t consider this as a breach, because anyone using the app had consented to the terms of service. Such semantic gymnastics didn’t cut much ice with commentators who considered it a ‘breach of trust’ – or worse. The scandal seemed to grow ever more complex as more details emerged. At one point, Facebook saw more than $50 billion wiped off its share price. When CEO Mark Zuckerberg eventually broke his silence days later, his response was “evasive and disingenuous”, wrote Karlin Lillington. Facebook has since suspended another data analytics firm, CubeYou, whose tactics were similar to those of Cambridge Analytica.

Sarah Clarke has written a nuanced perspective on the original story and its privacy implications on her Infospectives blog. Meanwhile, SANS published a guide for infosec professionals on communicating to staff about protecting privacy and deactivating social media profiles.

Life’s a breach

Staying with breaches of a different kind, Verizon has just published its 2018 Data Breach Investigations Report. Now in its 11th year, the DBIR is one of the most widely respected and authoritative sources of security research. Here are some of the key findings: financial gain is the motivation behind 76 per cent of incidents. Outsiders conducted 73 per cent of cyber attacks – mostly organised criminal groups. Ransomware’s unstoppable rise continues: it was the leading malware type last year, responsible for 39 per cent of all infections. The report analyses nine industry sectors and looks at the specific security risks facing each one. The full report is here, with an executive summary available here. The 2018 edition draws on more than 53,000 real-world incidents and 2,347 confirmed data breaches. Ireland’s IRISS-CERT was among 67 agencies contributing to the research.

Cyber crossover

Security experts have long argued that before long, a cyber-attack that began in the virtual world would have real-world consequences. Now there’s an example. News emerged that a petrochemical plant in Saudi Arabia suffered a malware intrusion designed to set off an explosion. The only thing that stopped the explosion from triggering was an error in the computer code, the New York Times reported. The attackers reportedly compromised controllers made by Schneider, which are used in 18,000 plants around the world. The NYT quoted an expert who said a technique that worked against Schneider controllers in Saudi Arabia could also be used in the United States. In separate but related news, the US Department of Homeland Security and the FBI accused Russian hackers of attacking energy companies. The attackers reportedly used spear-phishing to compromise networks in small organisations that are part of US critical infrastructure.

Embedded devices to get embedded security

The UK Government has published  a proposed code of practice aimed at improving security for the Internet of Things. The ‘Secure By Design’ report aims to encourage manufacturers and service providers to embed security at the earliest stages of developing IoT products and services. Recommendations include not allowing universal default passwords, securely storing sensitive data, and making it easier for consumers to configure the devices. The average UK household owns at least 10 connected devices. This blog from the Information Commissioner’s Office covers the main points. James Lyne, head of R&D at SANS Institute, described the development as “positive and much needed”. The issue also came into focus after a fatal collision in Arizona last month, involving a self-driving car. After all, what is an autonomous car but a very large connected device? The Electronic Frontier Foundation called for sharing data as a way to improve both safety and security.

Under Armour doesn’t run for cover after breach

Under Armour disclosed that its MyFitnessPal app and website was hacked, exposing personal information about almost 150 million accounts. The incident occurred in February and affected usernames, emails and passwords, but not payment data. Under Armour said it used strong encryption to protect the passwords. This story is important for two reasons. It’s less a finger-pointing exercise at a data breach victim; more a testament to Under Armour’s transparency. The company informed affected users quickly, and was on the front foot when dealing with media questions. Security experts praised the company’s proactive steps to deal with the fallout: it had a plan and executed against it. Financial markets weren’t so forgiving, though. Shares in Under Armour fell 3.8 per cent after the company disclosed the breach.

A win for the good guys as Carbanak chief cuffed

Let’s wrap up this roundup with a good news story for a change. Law enforcement agencies arrested the alleged ringleader behind the Carbanak and Cobalt attacks. The arrest was a complex operation conducted by Spain’s National Police, supported by Europol, the FBI, and authorities in Romania, Moldova, Belarus and Taiwan, along with private cybersecurity companies. Since 2013, the gang had targeted banks worldwide with a combination of spear phishing and malware like Carbanak and Cobalt. The phishing emails contained a malicious attachment that, when downloaded, gave criminals remote control of the infected machines. Europol said this gave the gang access to the internal banking network and infected the servers controlling the ATMs. As the agency’s infographic shows, the group’s ill-gotten gains amounted to more than $1 billion.


The post Security newsround: April 2018 appeared first on BH Consulting.