Diaries

Published: 2024-12-11

Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS)

Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.

 

iOS 18.2 and iPadOS 18.2 iPadOS 17.7.3 macOS Sequoia 15.2 macOS Sonoma 14.7.2 macOS Ventura 13.7.2 watchOS 11.2 tvOS 18.2 visionOS 2.2
CVE-2023-32395: An app may be able to modify protected parts of the file system.
Affects Perl
    x          
CVE-2024-44201: Processing a malicious crafted file may lead to a denial-of-service.
Affects libarchive
  x   x x      
CVE-2024-44220: Parsing a maliciously crafted video file may lead to unexpected system termination.
Affects AppleGraphicsControl
    x x        
CVE-2024-44224: A malicious app may be able to gain root privileges.
Affects StorageKit
    x x x      
CVE-2024-44225: An app may be able to gain elevated privileges.
Affects libxpc
x x x x x x x  
CVE-2024-44243: An app may be able to modify protected parts of the file system.
Affects StorageKit
    x          
CVE-2024-44245: An app may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel
x x x x       x
CVE-2024-44246: On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website.
Affects Safari
x x x          
CVE-2024-44248: A user with screen sharing access may be able to view another user's screen.
Affects Screen Sharing Server
      x x      
CVE-2024-44291: A malicious app may be able to gain root privileges.
Affects Foundation
    x x x      
CVE-2024-44300: An app may be able to access protected user data.
Affects Crash Reporter
    x x x      
CVE-2024-54465: An app may be able to elevate privileges.
Affects LaunchServices
    x          
CVE-2024-54466: An encrypted volume may be accessed by a different user without prompting for the password.
Affects DiskArbitration
    x x x      
CVE-2024-54476: An app may be able to access user-sensitive data.
Affects PackageKit
    x x x      
CVE-2024-54477: An app may be able to access user-sensitive data.
Affects Apple Software Restore
    x x x      
CVE-2024-54479: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
  x            
CVE-2024-54484: An app may be able to access user-sensitive data.
Affects MediaRemote
    x          
CVE-2024-54485: An attacker with physical access to an iOS device may be able to view notification content from the lock screen.
Affects VoiceOver
x x            
CVE-2024-54486: Processing a maliciously crafted font may result in the disclosure of process memory.
Affects FontParser
x x x x x x x x
CVE-2024-54489: Running a mount command may unexpectedly execute arbitrary code.
Affects Disk Utility
    x x x      
CVE-2024-54490: A local attacker may gain access to user's Keychain items.
Affects AppleMobileFileIntegrity
    x          
CVE-2024-54491: A malicious application may be able to determine a user's current location.
Affects Logging
    x          
CVE-2024-54492: An attacker in a privileged network position may be able to alter network traffic.
Affects Passwords
x x x         x
CVE-2024-54493: Privacy indicators for microphone access may be attributed incorrectly.
Affects Shortcuts
    x          
CVE-2024-54494: An attacker may be able to create a read-only memory mapping that can be written to.
Affects Kernel
x x x x x x x x
CVE-2024-54495: An app may be able to modify protected parts of the file system.
Affects Swift
    x x        
CVE-2024-54498: An app may be able to break out of its sandbox.
Affects SharedFileList
    x x x      
CVE-2024-54500: Processing a maliciously crafted image may result in disclosure of process memory.
Affects ImageIO
x x x x x x x x
CVE-2024-54501: Processing a maliciously crafted file may lead to a denial of service.
Affects SceneKit
x x x x x x x x
CVE-2024-54502: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x   x     x x x
CVE-2024-54503: Muting a call while ringing may not result in mute being enabled.
Affects Audio
x              
CVE-2024-54504: An app may be able to access user-sensitive data.
Affects Notification Center
    x          
CVE-2024-54505: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x x x     x x x
CVE-2024-54506: An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.
Affects IOMobileFrameBuffer
    x          
CVE-2024-54508: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x   x     x x x
CVE-2024-54510: An app may be able to leak sensitive kernel state.
Affects Kernel
x x x x x x x  
CVE-2024-54513: An app may be able to access sensitive user data.
Affects Crash Reporter
x   x     x x x
CVE-2024-54514: An app may be able to break out of its sandbox.
Affects libxpc
x   x x x x x  
CVE-2024-54515: A malicious app may be able to gain root privileges.
Affects SharedFileList
    x          
CVE-2024-54524: A malicious app may be able to access arbitrary files.
Affects SharedFileList
    x          
CVE-2024-54526: A malicious app may be able to access private information.
Affects AppleMobileFileIntegrity
x   x x x x x  
CVE-2024-54527: An app may be able to access sensitive user data.
Affects AppleMobileFileIntegrity
x   x x x x x  
CVE-2024-54528: An app may be able to overwrite arbitrary files.
Affects SharedFileList
    x x x      
CVE-2024-54529: An app may be able to execute arbitrary code with kernel privileges.
Affects Audio
    x x x      
CVE-2024-54531: An app may be able to bypass kASLR.
Affects Kernel
    x          
CVE-2024-54534: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x   x     x x x

0 Comments

Published: 2024-12-11

Vulnerability Symbiosis: vSphere?s CVE-2024-38812 and CVE-2024-38813 [Guest Diary]

[This is a Guest Diary by Jean-Luc Hurier, an ISC intern as part of the SANS.edu BACS program]

Background

In April 2020, at the height of the global pandemic, virtualization was in high demand.  During that time, vSphere 7.0 was released. With that release, had two unknown vulnerabilities – a match made in heaven for threat actors. It wasn’t until June 2024 that China’s TZL security researchers revealed CVE-2024-38812 and CVE-2024-38813 at China’s 2024 Matrix Cup – a hacking contest.  Since then, both vulnerabilities were published and patched in September, however one of those patches required a hotfix just a month later (CVE-2024-38812).

Findings

The reason that this is a topic of conversation is because I noticed an intermittent pattern of reconnaissance of possible vSphere related web traffic over the course of the last 3.5 months.

On the surface, this is part of any other automated scan. They cover a lot of ground, probing for openings, vulnerabilities, etc. The URI /sdk stands out because it is a known endpoint for vSphere SOAP APIs. This could be a coincidence, but what I did notice is a slight uptick in scanning for that endpoint starting 9/18/2024. This is notably interesting due to the fact of CVE-2024-33812 and CVE-2024-33813 being public on 9/17/2024.

This activity spanned across 22 not-so-reputable IPs from providers based in USA, Germany, and Spain – most of which are associated to DigitalOcean. For /sdk: since the POST request content-length was short and included text/plain content, then the assumption is that the activity is merely looking for the existence of vSphere. The same can be said for /webui, which can be tied to vSphere’s legacy web client, which indicates an interest in older endpoints (and older vulnerabilities). The rare case of /ui/authentication GET requests also indicates probing instead of actual attempts of an exploit.  The IPs didn’t solely scan for vSphere endpoints – they also targeted other exposed management interfaces, web portals, configuration files, and source-code repositories. Analysis of other vSphere endpoints did not yield any other indicators.  

An interesting artifact of note is the use of User-Agent string related to Odin – an “AI” powered scanner to catalog internet assets.

While there is no public proof of concept, this activity piqued my interest – especially as it relates to a very recent post (11/18/2024) by Broadcom stating, “Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813” [2].

Theory

My theory is that the vulnerabilities hedge on the existence of Platform Services Controller (PSC) introduced in v7.0 of the vCenter server appliance [8].  With the introduction of the PSC as an integrated service, backend processes such as authentication, token management, and inter-component communication began relying heavily on the DCERPC protocol. In a hypothetical break-in using CVE-2024-38812/13, an attacker could target either /ui/authentication (authentication workflows) or /sdk (SOAP API requests) to exploit these vulnerabilities. By sending a specially crafted request to either endpoint, CVE-2024-38812 (Heap Overflow) could be triggered in DCERPC, granting unauthorized RCE within the PSC environment. Once initial access is achieved, the attacker could exploit CVE-2024-38813 (Memory Corruption) through escalated API calls to /sdk, allowing privilege escalation and persistence. This chain would enable complete compromise of the vSphere environment, leveraging PSC’s central role in v7.0+ systems. A game of hypotheticals.

Even though there is technically not a public POC, the concept of heap overflow for this activity is well documented by SonicWall’s Capture Labs Threat Research Team [3]. There have been some POCs for sale on GitHub since October.  While mere reconnaissance isn’t enough to single out vulnerability specific probing, it does give us some insight into the threat landscape.
Simply put, CVE-2024-38812 provides initial access via heap-overflow vulnerability in VMware vCenter Server that enables unauthenticated remote code execution. CVE-2024-38813, a privilege escalation flaw, allows attackers to expand their control and maintain persistence. Together, these vulnerabilities create a "vulnerability symbiosis”.

Conclusion

Interestingly, the source IPs were organizationally tied to the likes of DigitalOcean, OVH SAS, and NextGenWebs; DigitalOcean being a popular choice in the near past regarding Volt Typhoon [6]. I cannot say for certain that this is coincidence since it is somewhat popular for TAs. What is apparent is that attacker interest in mapping publicly accessible vSphere endpoints is steadily on the rise. While this is a relatively “new” disclosure, research into these vulnerabilities has also led me down the path of what-ifs. After all, the vulnerable versions were vCenter Server 7.0 (released April 2020), and vCenter Server 8.0 (released October 2022) ...only a 4.5-year-old vulnerability. In addition to that, as stated earlier, this unknown vulnerability duo was originally disclosed from Chinese security researchers in June 2024. In the game of nation states, then you know what that means [6].

What now?  Patch vCenter to the latest possible versions, await a working POC to document artifacts, hunt for suspicious behavior, and create new detections to match.  Just like Log4J, attackers will continue to find new ways to outmaneuver patching and detections.  Continue to monitor and defend.  Happy hunting.

References
[1] https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
[2] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
[3] https://www.sonicwall.com/blog/vmware-vcenter-server-cve-2024-38812-dcerpc-vulnerability
[4] https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-critical-vcenter-server-rce-flaw/
[5] https://www.securityweek.com/vmware-struggles-to-fix-flaw-exploited-at-chinese-hacking-contest/
[6] https://www.scworld.com/analysis/stats-say-chinese-researchers-are-not-deterred-by-chinas-vulnerability-law
[7] https://www.wired.com/story/china-vulnerability-disclosure-law/
[8] https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-135F2607-DA51-47A5-BB7A-56AD141113D4.html
[9] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 Comments

Published: 2024-12-10

Microsoft Patch Tuesday: December 2024

Microsoft today released patches for 71 vulnerabilities. 16 of these vulnerabilities are considered critical. One vulnerability (CVE-2024-49138) has already been exploited, and details were made public before today's patch release.

Significant Vulnerabilities

CVE-2024-49138: This vulnerability affects the Windows Common Log File System Driver, a subsystem affected by similar privilege escalation vulnerabilities in the past. The only reason I consider this "significant" is that it is already being exploited.

Windows Remote Desktop Services: 9 of the 16 critical vulnerabilities affect Windows Remote Desktop Services. Exploitation may lead to remote code execution. Microsoft considers the exploitation of these vulnerabilities less likely. Even without considering these vulnerabilities, Windows Remote Desktop Service should not be exposed to the internet.

LDAP: Remote code execution vulnerabilities in the LDAP service are always "interesting" given the importance of LDAP as part of Active Directory. Two critical vulnerabilities are patched for LDAP. One with a CVSS score of 9.8. A third critical vulnerability affects the LDAP client.

CVE-2024-49126: LSASS vulnerabilities always make me reminisce of the "Blaster" worm and the related vulnerability back in the day. This one does involve a race condition, which will make exploitation more difficult. It could become an interesting lateral movement vulnerability if a reliable exploit materializes.

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Input Method Editor (IME) Remote Code Execution Vulnerability
%%cve:2024-49079%% No No - - Important 7.8 6.8
Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
%%cve:2024-49124%% No No - - Critical 8.1 7.1
Microsoft Access Remote Code Execution Vulnerability
%%cve:2024-49142%% No No - - Important 7.8 6.8
Microsoft Defender for Endpoint on Android Spoofing Vulnerability
%%cve:2024-49057%% No No - - Important 8.1 7.1
Microsoft Edge (Chromium-based) Spoofing Vulnerability
%%cve:2024-49041%% No No Less Likely Less Likely Moderate 4.3 3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2024-49069%% No No - - Important 7.8 6.8
Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
%%cve:2024-49096%% No No - - Important 7.5 6.5
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
%%cve:2024-49122%% No No - - Critical 8.1 7.1
%%cve:2024-49118%% No No - - Critical 8.1 7.1
Microsoft Office Defense in Depth Update
ADV240002 No No - - Moderate    
Microsoft Office Elevation of Privilege Vulnerability
%%cve:2024-49059%% No No - - Important 7.0 6.1
%%cve:2024-43600%% No No - - Important 7.8 6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2024-49065%% No No - - Important 5.5 4.8
Microsoft SharePoint Elevation of Privilege Vulnerability
%%cve:2024-49068%% No No - - Important 8.2 7.1
Microsoft SharePoint Information Disclosure Vulnerability
%%cve:2024-49064%% No No - - Important 6.5 5.7
%%cve:2024-49062%% No No - - Important 6.5 5.7
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2024-49070%% No No - - Important 7.4 6.4
Microsoft/Muzic Remote Code Execution Vulnerability
%%cve:2024-49063%% No No - - Important 8.4 7.3
System Center Operations Manager Elevation of Privilege Vulnerability
%%cve:2024-43594%% No No - - Important 7.3 6.4
Windows Domain Name Service Remote Code Execution Vulnerability
%%cve:2024-49091%% No No - - Important 7.2 6.3
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2024-49114%% No No - - Important 7.8 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2024-49088%% No No - - Important 7.8 6.8
%%cve:2024-49090%% No No - - Important 7.8 6.8
%%cve:2024-49138%% Yes Yes - - Important 7.8 6.8
Windows File Explorer Information Disclosure Vulnerability
%%cve:2024-49082%% No No - - Important 6.8 5.9
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2024-49117%% No No - - Critical 8.8 7.7
Windows IP Routing Management Snapin Remote Code Execution Vulnerability
%%cve:2024-49080%% No No - - Important 8.8 7.7
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2024-49084%% No No - - Important 7.0 6.1
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
%%cve:2024-49074%% No No - - Important 7.8 6.8
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
%%cve:2024-49121%% No No - - Important 7.5 6.5
%%cve:2024-49113%% No No - - Important 7.5 6.5
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
%%cve:2024-49112%% No No - - Critical 9.8 8.5
%%cve:2024-49127%% No No - - Critical 8.1 7.1
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
%%cve:2024-49126%% No No - - Critical 8.1 7.1
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
%%cve:2024-49073%% No No - - Important 6.8 5.9
%%cve:2024-49092%% No No - - Important 6.8 5.9
%%cve:2024-49077%% No No - - Important 6.8 5.9
%%cve:2024-49078%% No No - - Important 6.8 5.9
%%cve:2024-49083%% No No - - Important 6.8 5.9
%%cve:2024-49110%% No No - - Important 6.8 5.9
Windows Mobile Broadband Driver Information Disclosure Vulnerability
%%cve:2024-49087%% No No - - Important 4.6 4.0
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
%%cve:2024-49097%% No No - - Important 7.0 6.1
%%cve:2024-49095%% No No - - Important 7.0 6.1
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
%%cve:2024-49129%% No No - - Important 7.5 6.5
Windows Remote Desktop Services Remote Code Execution Vulnerability
%%cve:2024-49106%% No No - - Critical 8.1 7.1
%%cve:2024-49108%% No No - - Critical 8.1 7.1
%%cve:2024-49115%% No No - - Critical 8.1 7.1
%%cve:2024-49119%% No No - - Critical 8.1 7.1
%%cve:2024-49120%% No No - - Critical 8.1 7.1
%%cve:2024-49123%% No No - - Critical 8.1 7.1
%%cve:2024-49132%% No No - - Critical 8.1 7.1
%%cve:2024-49116%% No No - - Critical 8.1 7.1
%%cve:2024-49128%% No No - - Critical 8.1 7.1
Windows Remote Desktop Services Denial of Service Vulnerability
%%cve:2024-49075%% No No - - Important 7.5 6.5
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
%%cve:2024-49093%% No No - - Important 8.8 7.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2024-49085%% No No - - Important 8.8 7.7
%%cve:2024-49086%% No No - - Important 8.8 7.7
%%cve:2024-49089%% No No - - Important 7.2 6.3
%%cve:2024-49102%% No No - - Important 8.8 7.7
%%cve:2024-49104%% No No - - Important 8.8 7.7
%%cve:2024-49125%% No No - - Important 8.8 7.7
Windows Task Scheduler Elevation of Privilege Vulnerability
%%cve:2024-49072%% No No - - Important 7.8 6.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
%%cve:2024-49076%% No No - - Important 7.8 6.8
Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
%%cve:2024-49098%% No No - - Important 4.3 3.8
%%cve:2024-49099%% No No - - Important 4.3 3.8
%%cve:2024-49103%% No No - - Important 4.3 3.8
Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
%%cve:2024-49094%% No No - - Important 6.6 5.8
%%cve:2024-49101%% No No - - Important 6.6 5.8
%%cve:2024-49111%% No No - - Important 6.6 5.8
%%cve:2024-49081%% No No - - Important 6.6 5.8
%%cve:2024-49109%% No No - - Important 6.6 5.8
WmsRepair Service Elevation of Privilege Vulnerability
%%cve:2024-49107%% No No - - Important 7.3 6.4

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 Comments

Published: 2024-12-09

CURLing for Crypto on Honeypots

I get a daily report from my honeypots for Cowrie activity [1], which includes telnet and SSH connection activity. One indicator I use to find sessions of interest is the number of commands run. Most of the time there are about 20 commands run per session, but a session with over 1,000 commands run in a session is unexpected.


Figure 1: Summary of Cowrie [2] attacks for the day, highlighting one with a large number of commands run.

 

The session was only attempting to curl the website for jvault[.]xyz, but did it a total of 1,344 times in about 180 seconds for an average of 7-8 requests every second.


Figure 2: Cowrie information for repeated curl request of hxxps://jvault[.]xyz.

Why do this? Well, it could be an indicator of an attempted DDoS attack if performing this kind of activity across a large number of systems. Was there something about this website that was of interest? It appears that the website is related to cyptocurrency. The main page mentions staking [3], DeFi [4], Launchpads [5] and DAO (Decentralized Autonomous Organization) [6].

 


Figure 3: Homepage screenshot of hxxps://jvault[.]xyz.

 

A couple of days since this initial finding, there were similar sessions that also tried to curl various websites. I used JQ with some raw logs on my honeypots to find similar activity.

# read cowrie JSON files
# cat /logs/cowrie.json*

# select any data from source IP 77.91.85.134
# jq 'select(.src_ip=="77.91.85.134")'

# select any data with the 'input' key present (commands run on honeypot)
# jq 'select(.input)'

# extract timestamp, source IP and command from logs returned
# jq '{timestamp, src_ip, input}'

# select elements of array and display in TSV (tab separated value) format
# jq -r '[.[]] | @tsv'

# sort alphabetically
# sort

# display first 10 items
# head

cat /logs/cowrie.json* | jq 'select(.src_ip=="77.91.85.134")' | jq 'select(.input)' \
| jq '{timestamp, src_ip, input}' | jq -r '[.[]] | @tsv' | sort | head

# output from GCP honeypot
2024-11-18T19:10:19.721578Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:19.860960Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:19.903455Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.098534Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.228898Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.282748Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.583350Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.636637Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:20.978894Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru
2024-11-18T19:10:21.022589Z     77.91.85.134    curl -o /dev/null https://sambot[.]ru

# output from Azure honeypot
2024-11-21T15:29:18.127274Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.282875Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.499913Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.744135Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:18.894551Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.257191Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.404682Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:19.900103Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:20.171343Z     77.91.85.134    curl -o /dev/null https://jambler[.]io
2024-11-21T15:29:20.594296Z     77.91.85.134    curl -o /dev/null https://jambler[.]io


# read cowrie JSON files
# cat /logs/cowrie.json*

# select any data from source IP 77.91.85.134
# jq 'select(.src_ip=="77.91.85.134")'

# select any data with the 'input' key present (commands run on honeypot)
# jq 'select(.input)'

# extract timestamp, source IP and command from logs returned
# jq '{timestamp, src_ip, input}'

# select elements of array and display in TSV (tab separated value) format
# jq -r '[.[]] | @tsv'

# get third value per line (command in this case)
# cut -f 3

# sort alphabetically
# sort

# give counts per command found
# uniq -c

# sort results by count, ascending
# sort -n

cat /logs/cowrie.json* | jq 'select(.src_ip=="77.91.85.134")' | jq 'select(.input)' \
| jq '{timestamp, src_ip, input}' | jq -r '[.[]] | @tsv' | cut -f 3 | sort | uniq -c \
| sort -n

#output from GCP honeypot
      1 curl -s -A "myuser" https://eth0[.]me
     79 curl -o /dev/null https://token-mining[.]org:443
   1035 curl -o /dev/null https://exchange-pool[.]com/
   1201 curl -o /dev/null http://193.222.99[.]121
   1244 curl -o /dev/null https://botman[.]pro
   1348 curl -o /dev/null https://umbrella[.]day/
   1452 curl -o /dev/null https://niolic[.]com
   1506 curl -o /dev/null https://steam-up[.]ru
   1594 curl -o /dev/null http://stk-ms[.]ru
   1764 curl -o /dev/null http://85.217.171[.]107:443
   1773 curl -o /dev/null https://bottap[.]ru/
   1867 curl -o /dev/null https://sambot[.]ru
   2282 curl -o /dev/null https://santasol[.]fun/
   2361 curl -o /dev/null https://static.tgcube[.]store/
   3296 curl -o /dev/null https://baboon-tg-web-app-v2.onrender[.]com
   4314 curl -o /dev/null https://mystars-hk.syllix[.]io
   4633 curl -o /dev/null https://btcbot[.]cc
   5699 curl -o /dev/null https://www.gogetsms[.]com/
   6179 curl -o /dev/null https://tgmaster[.]xyz


#output from Azure honeypot
    638 curl -o /dev/null https://freeapi.bot-t[.]com/
   1375 curl -o /dev/null https://jambler[.]io
   1626 curl -o /dev/null https://duda.com[.]ua/
   3876 curl -o /dev/null https://app.tbiz[.]pro
   4195 curl -o /dev/null https://www.gift-bnb[.]org/
   7759 curl -o /dev/null https://jvault[.]xyz/
  15743 curl -o /dev/null https://tgmaster[.]xyz

 

There were many other sessions with similar activity, using curl repeatedly for a website, all coming from the same source IP of %%ip:77.91.85.134%%. There were also many more websites than expected. Since I regularly backup and prune my local honeypot logs, I went to my DShield-SIEM [7] instance to build a dashboard to try and get some additional information.


Figure 4: Results for commands run during Cowrie sessions from %%ip:77.91.85.134%%.

 


Figure 5: Comparison of command volume and honeypot volume, highlighting one curl command that was running from two honeypots in the same timeframe.

 

An interesting item is activity for one website happening at the same time between two honeypots.

 


Figure 6: Activity from two honeypots asked to execute a curl command for tgmaster[.]xyz within a 3-4 hour timeframe.

 

The data was exporrted from the dashboard and the websites were manually reviewed to try and identify a general purpose. In many cases the websites were in Russian and Google Translate [8] was used to read the information. In a couple instances, the websites were also restricted by location, so a VPN was used to access the content from a Russian geolocated IP address.

 

Total Honeypot Requests Site Manual Review GeoIP Restricted
134,326 https://tgmaster[.]xyz Telegram Bot Construction No
46,290 https://btcbot[.]cc Sales Bots / Telegram No
21,570 https://mystars-hk[.]syllix[.]io MyStars Telegram Bot Yes
20,359 https://jvault[.]xyz/ Cryptocurrency / JetTon Staking No
17,538 https://www[.]gogetsms[.]com/ SMS / Temporary Numbers No
16,480 https://baboon-tg-web-app-v2[.]onrender[.]com Telegram Bots / Crytocurrency No
15,940 http://stk-ms[.]ru Building Construction Design No
14,936 https://sambot[.]ru Telegram Bot Construction No
14,184 https://bottap[.]ru/ Designer Chatbots No
14,112 http://85[.]217[.]171[.]107:443 "NeoVPN" (keys[.]neovpn[.]online) / Mention of bots to add money, may be cryptocurrentcy related No
12,585 https://www[.]gift-bnb[.]org/ BBAPool / Cryptocurrency Bots No
12,048 https://steam-up[.]ru Steam Balance Replenishment No
11,805 https://static[.]tgcube[.]store/ MARKETSSUPER No
11,628 https://app[.]tbiz[.]pro Trading Bots Yes
11,410 https://santasol[.]fun/ Mobile Game No
11,000 https://jambler[.]io Cryptocurrency / Bitcoin mixing No
10,784 https://umbrella[.]day/ Website and Bot Creation No
9,952 https://botman[.]pro Chatbot Creation No
9,608 http://193[.]222[.]99[.]121 Token Mining (token-mining[.]org) / MNG LAB No
8,280 https://exchange-pool[.]com/ Cryptocurrency Exchange No
7,260 https://niolic[.]com Cryptocurrency / Investments No
5,104 https://freeapi[.]bot-t[.]com/ Telegram Bots No
632 https://token-mining[.]org:443 Token Mining (token-mining[.]org) / MNG LAB No
6 https://eth0[.]me Uknown (returns visitor IP address) No

Figure 6: Webites from curl commands, number of times accessed and website purpose from manual review.

There is a general theme to the websites, including:

  • Bot construction
  • Communication platforms
  • Cryptocurrency

Since collecting the original data, a couple new sites have been seen being accessed in a similar way:

  • https://duda[.]com[.]ua/ - smoking-related sales website
  • https://178.159.43[.]149 - cerficate for express12[.]com domain, which redirects to https://t[.]me/durov (provides link to view "Thoughts from the CEO of Telegram" in Telegram)

From my collection of honeypots, these curl commands have only been seen originating from %%ip:77.91.85.134%% and the commands start with "curl -o /dev/null". The activity started on November 18, 2024 and new activity is still being seen.

 

[1] https://github.com/jslagrew/cowrieprocessor
[2] https://github.com/cowrie/cowrie
[3] https://www.coinbase.com/learn/crypto-basics/what-is-staking
[4] https://www.coinbase.com/learn/crypto-basics/what-is-defi
[5] https://cointelegraph.com/news/what-is-a-crypto-launchpad-and-how-does-it-work
[6] https://www.investopedia.com/tech/what-dao/
[7] https://github.com/bruneaug/DShield-SIEM
[8] https://translate.google.com/?sl=auto&tl=en&op=translate

 

--
Jesse La Grew
Handler

0 Comments

Published: 2024-12-05

[Guest Diary] Business Email Compromise

[This is a Guest Diary by Chris Kobee, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc.  Figure 1 is a distribution of social engineering attacks from Statista depicting Scamming, Phishing, and BEC attacks worldwide [4]. Scamming is the leader, followed by Phishing and BEC [5]. BEC and other social engineering attacks are the path of least resistance with a high rate of success versus attempting technical network intrusions.

In May 2024, a significant cybersecurity incident unfolded within an organization, showcasing the vulnerabilities that can arise from BEC harvesting user credentials and the exploitation of cloud services like Microsoft 365  . This post aims to break down the events, identify the vulnerabilities exploited, and review implemented and proposed mitigations to thwart similar threats.
 


Figure 1: Distribution of Worldwide Social Engineering Attacks

Organization Incident Overview

From May 20 to 23, 2024, a threat actor successfully accessed a Microsoft 365 account belonging to a user in the organization’s accounting department with the user’s valid credentials. The actor manipulated account details in a pending invoice and redirected funds to their own bank account. The incident was characterized by several key actions  beginning on May 20 when the actor successfully logged into the Microsoft 365 account after a rejection pattern of an expired session ID and MFA denials. 

The actor conducted reconnaissance on May 22, potentially identifying the pending vendor invoices for payment. The attacker logged into the user’s email account on May 23rd and created a new inbox rule to direct any correspondence with the vendor organization’s name to the RSS Feeds folder in the inbox. The actor altered the target document and sent it to the next stage in the approval process. The accounting department’s processes broke down and did not catch spelling and grammar errors that could have tipped off potential fraud. The document was approved, the ACH payment was authorized, and payment was completed. The organization’s Managed Service Provider/Managed Security Service Provider (MSP/MSSP) receive an alert and re-secured the account later in the early evening, effectively locking out the actor. Figures 2 and 3 display a high-level summary of the events and timeline. 


Figure 2: Business Email Compromise Attack Timeline

 


Figure 3: Threat Actor Login Attempts

Initial Access

The  attacker logged into the organization's M365 tenant using compromised credentials on May 20, 2024, and re-entered the system on May 22 for reconnaissance. The actor appears to have conducted reconnaissance on May 22 for approximately thirty-four minutes, during which the pending invoice was potentially discovered.

Fraud Executed

On May 23, the attacker logged into the email exchange and executed bank fraud by altering the invoice's destination bank account. They also implemented new inbox rules  (Figure 4) within the Outlook account to obscure their activities by redirecting any email traffic with the vendor’s name to an obscure folder. The newly created inbox rules, one rule for each organizational name the vendor employs, directed any incoming communications to the RSS Feeds folder for obscurity from the authorized account user. The target vendor was purchased by another company and sends correspondence from both companies, which the attacker covered with both rules. The attacker sent the fraudulent invoice to the next accounting staff member for further processing. 


Figure 4: Threat Actor Action on Objective

 

Covered Tracks 

The threat actor attempted to cover their actions by deleting items and folders created while in the organization’s cloud account (Figure 5),  withdrew the funds shortly after the transfer, and closed the bank account. The organization reached out to the actor’s financial institution to reverse the payment, but the financial institution rejected the request to reverse the payment due to the account closure.


Figure 5: Threat Actor’s Covering Tracks Attempt

Detection 

The organization's MSP/MSSP detected an unusual inbox rule change and resecured the compromised account (Figure 6), but not before the attacker could execute their plan. 


Figure 6: Threat Actor Activity Detected by MSP/MSSP

 

Analysis 

Analysis of the logs, provided by the Cloud Service Provider, suggests MFA was bypassed and potential collusion or manipulation of the organization’s assigned user. Further research revealed a CVE written against the Microsoft Authenticator application employed by the organization on company issue and BYOD mobile devices.

Multi-Factor Authentication (MFA)

MFA was enabled during the attack, with logs indicating the attacker faced several denied attempts before successfully logging in. This suggests potential insider collusion, manipulation of the authorized user, and/or an Attacker-in-the-Middle tool, such as evilginx2 [5] or later version used for to phish user credentials, session cookies, and bypass MFA. Figure 7 depicts the pattern of a failed login with an expired session ID, followed by three failed logins due to MFA denials, and a successful login on May 20th and 22nd [6]. 
 


Figure 7: Threat Actor Login Attempt Pattern

 

Vulnerability in Microsoft Authenticator

The incident points to a specific vulnerability (CVE-2024-21390) in the Microsoft Authenticator application (Figure 5), which can be exploited if an attacker gains access to the user's local device and convinces the user to relaunch the authenticator app [7][8]. The threat actor potentially compromised the user’s mobile device through malware delivered via phishing or smishing vector allowing the opportunity to manipulate the user to close and re-launch the application on the mobile device.
 


Figure 8: Microsoft Authenticator Vulnerability

 

Conclusion, Mitigations, Lessons Learned

Business Email Compromise was the main factor in this attack as the threat actor used it as the attack vector and sent emails between the accounting department from the compromised user’s account to commit bank fraud. The attacker most likely obtained the user’s credentials through a phishing email tricking the user into clicking a link and inputting credentials on a web page highly resembling a Microsoft login page. Due to the nature of the Cloud Service Provider (CSP) / Cloud Customer Software as a Service (SaaS) model employed by organization, limited logging and insights are available, as the CSP manages the lower network layers. Analysis of the provided logs suggests that MFA was enabled and operational before, during, and after the incident. The pattern of MFA rejections with the error code long description defined by Microsoft as "Strong authentication is required and the user did not pass the MFA challenge" indicates potential insider collusion (witting or unwitting) to authenticate the attacker, but the rapid succession of MFA denials before the successful login is evidence of an automated attack, such as evilginx2 interacting with the MFA server.

After a thorough review, the organization found gaps in log auditing by the organization and the MSP/MSSP, as well as process gaps in the affected department. MFA and password complexity were in place, but appear to have been bypassed. The MSP/MSSP alerting process operated successfully, allowing the account to be re-secured quickly to prevent further lateral movement, privilege escalation, or establishment of a C2 channel. The following Information Security mitigations were adopted to address the gaps:

  • All corporate personnel involved in accounting related duties were issued digital signature tokens from an external certification authority to enforce non-repudiation. Digitally signed emails provide recipients in the accounting department with validation the sender is the authorized user.
  • Internal IT/Cybersecurity personnel audit authentication logs provided by MSP/MSSP monthly.
  • Organization confirmed log retention of one year.
  • Confirmed through MSP/MSSP the Microsoft Authenticator application is the current patched version.
  • Developing a corporate phishing simulation program based on the Gophish open-source framework with custom python automation scripts.
  • Increasing the frequency of phishing email and social engineering bulletins and awareness training.

Lessons Learned:

  • Technical: Ensure authentication applications are patched and updated.
  • Training and Awareness: Increase organizational awareness of malicious phishing and smishing attempts.
  • Policy: Ensure data and document flow policies are understood and followed.
  • Policy/Compliance: Continue to improve Cybersecurity posture by working closer with the MSP/MSSP to ensure controls and policies are clear, updated, and enforced.

Organizations can apply the lessons learned in this post to avoid the financial losses and compliance reporting requirements this target organization suffered. Training and awareness coupled with continuous improvement in Cybersecurity posture will harden the organizations users and systems against social engineering and technical network attacks and intrusions.

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://abnormalsecurity.com/blog/fbi-bec-51-billion-threat
[3] https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/#:~:text=Almost%20all%20(98%25)%20cyberattacks,individuals%20into%20divulging%20sensitive%20information
[4] https://www.statista.com/statistics/1493497/globla-social-engineering-attack-by-type/
[5] https://www.kali.org/tools/evilginx2/
[6] https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-21390
[8] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21390

 

 

--
Jesse La Grew
Handler

0 Comments

Published: 2024-12-04

Data Analysis: The Unsung Hero of Cybersecurity Expertise [Guest Diary]

[This is a Guest Diary by Robert Cao, an ISC intern as part of the SANS.edu BACS program]

As a cybersecurity professional, I've always prided myself on my technical skills—understanding protocols, setting up secure systems, and knowing the ins and outs of firewalls and authentication mechanisms. But a recent deep dive into firewall and SSH logs taught me a lesson I wasn’t expecting: being technically savvy is only part of the equation. True success in cybersecurity also hinges on being an effective data analyst.

When I began examining the logs, I expected to find the usual culprits—brute force attempts, unusual traffic patterns, and the occasional misconfiguration. What I didn’t expect was how the data itself would tell a story far more valuable than any single technical fix. For instance, a repetitive pattern in the SSH logs from IP 137.184.185.209 showcased over 30 login attempts using common credentials like rootpaired with passwords such as Qaz@123456. At first glance, it seemed like just another brute force attempt. However, when I correlated this with firewall data, the same IP surfaced as repeatedly probing port 2222, a non-standard SSH port. Suddenly, it became clear: the actor wasn’t just relying on brute force; they were systematically targeting configurations presumed to be "secure by obscurity."

This realization made me question my own assumptions. In the past, I might have simply blocked the IP and moved on, feeling satisfied that I had applied a technical fix. But digging deeper into the data revealed patterns that informed broader strategies. Why was port 2222 being targeted? Could it be part of a larger campaign? These questions led to a more proactive approach: not just reacting to the attack, but trying to anticipate the next one.

Another revelation came from looking at overlapping datasets. By comparing SSH logs with firewall activity, I found four IPs—including 47.236.168.148 and 54.218.26.129—engaged in both brute force attempts and network probes. These actors were persistent, attempting to exploit systems over a short but intense window of time. Without correlating these datasets, I might have missed the coordinated nature of the attack entirely. This experience drove home the importance of cross-referencing data sources to uncover insights that no single log file could reveal.

Perhaps the most humbling realization was understanding that even advanced technical setups are only as good as the decisions behind them. Configurations that allowed root logins or didn’t enforce rate-limiting created vulnerabilities actors could exploit. As I analyzed the logs, I saw not just the actors' actions but also the blind spots in my own system's defenses. Technical knowledge helped me secure the systems, but it was the data analysis that highlighted the gaps.

This experience shifted my mindset. Cybersecurity isn't just about firewalls, encryption, and protocols—it's about understanding the data these systems generate. Data analysis is what transforms raw logs into actionable intelligence. It’s what turns a technically skilled professional into a strategist capable of predicting, preventing, and responding to threats effectively.

If there’s one thing I’ve learned, it’s that cybersecurity professionals must wear at least two hats: the technical expert and the data analyst. Technical skills build the foundation, but it’s the analysis of data that sharpens defenses and enables proactive security. As threats evolve and actors become more sophisticated, so too must our approach. Data is the key, and learning to harness its power is just as important as mastering the latest technical tools.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 Comments

Published: 2024-12-03

Extracting Files Embedded Inside Word Documents

I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.

First I check with file-magic.py:

The identification says Word 2007+, so this is an OOXML document. These are ZIP containers that can be analyzed with zipdump.py to take a look inside:

Stream 6 (oleObject1.bin) is an OLE object that embeds the executable. There's no need to extract that OLE file from the OOXML container, oledump.py can handle this:

The O indicator for stream A2 tells us that this stream is the OLE data structure embedding the executable.

Selecting this stream and using option -i gives us info about the OLE contained, and the contained file:

This metadata gives you the names of the embedded file and it hashes, allowing me to look it up directly on VirusTotal, for example: 3d5fe12c0aa783252431834ed8e370102f47df65165680824b9287faa88e088a.

The file can also be extracted with option -e:

Malicious Word documents like these don't execute the embedded file when the document is opened: that requires social engeneering to entice the use to double-click the embedded file.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

0 Comments

Published: 2024-12-02

Credential Guard and Kerberos delegation

The vast majority of red team exercises that I (and my team, of course) have been doing lately are assumed breach scenarios. In an assumed breach scenario (and we cover this in the amazing SEC565: Red Team Operations and Adversary Emulation SANS course that I also teach!) red team is usually given access as a non-privileged domain user, simulating an attacker that has someone already established the first foothold in the organization.

This works quite well as we know that eventually the attacker will succeed and perhaps get a victim (most of the time through some kind of social engineering) to execute their binary. So the first part in such an engagement is to create a malicious binary (an implant) that will evade security controls in the target organization. Most of red teams will have specialists for this.

The next step includes delivery of implant and execution in context of a regular, non-privileged domain user, on the workstation designated for the red team exercise. And if everything works well, we’ll get that beacon communicating to our front end servers.

What now? While there are many things we do next, such as getting some awareness about the organization, setting up persistence, trying to move laterally, there are cases when we would like to fetch the user’s password, or their TGT (Ticket Granting Ticket) for Kerberos. Some actions will not need this, as we can use the builtin Windows authentication of the process our beacon is running under, but if you want, for example, to start a SOCKS proxy and tunnel some tools from your office, we will need to authenticate to target services, and for that we will either need the user’s password, their password hash or TGT. How do we get one through our implant, considering that we do not have local administrator privileges yet?

Unconstrained delegation

Back in 2018, Benjamin Deply, the famous Mimikatz/Kekeo author published a very interesting method (https://x.com/gentilkiwi/status/998219775485661184) of obtaining a user’s TGT without requiring administrator privileges.

The trick is the following: as our implant is running under a regular user, that is already authenticated, we will abuse Kerberos GSS-API to ask for a ticket for a service, but not any service – a service that has been configured for unconstrained delegation!

The idea is the following – as we will be requesting a service ticket for a service that is configured for unconstrained delegation, the resulting response that we will receive from a domain controller will also include our own TGT. In a normal workflow, this response is converted to an application request (AP-REQ) that is sent to the target service.

AP-REQ is made up of two components: a ticket and an authenticator. We are interested in the authenticator – it is encrypted with the ticket session key which is known to us, and to the target service that we want to access. And this is were Benjamin’s great research comes into place – if we request a service ticket for a service that has been configured for unconstrained delegation, the authenticator component will contain our TGT (since the target service will need it)!

In other words, we can carve out the TGT of the currently logged in user, without needing administrator privileges! This functionality exists in Rubeus, but if you are running your Cobalt Strike implant (in SEC565 we use Cobalt Strike and Empire), it is better to use a BOF for this purpose. There are several BOF’s you can use, one I like is the tgtdelegation BOF available at https://github.com/connormcgarr/tgtdelegation

Before we start using it, one thing we did not mention is how to find a service that has been configured for unconstrained delegation. This is actually trivial as Domain Controllers are configured for unconstrained delegation by default, so we can use, for example, CIFS/domain.controller or HOST/domain.controller as target SPN’s.

The figure above shows how easy it is to fetch the TGT. You can see how the BOF displayed the AP-REQ output, extracted the session key and identified the encryption algorithm (AES256) and finally (not visible) extracted the TGT.

Credential Guard

By fetching a TGT we can now perform a number of other things, including relaying traffic through a SOCKS proxy. So in a recent engagement I tried to do this but all requests failed – every single time the response received did not contain a TGT, even though the target service indeed was configured for unconstrained delegation, and the account used was not marked as “Account is sensitive and cannot be delegated.

In other words, we can see that the AP-REQ was indeed received, but it did not contain our TGT in the authenticator part of the response. What could cause this?

After some time and research, it turned out that the reason for this was Credential Guard, which was enabled on the client machine.

Among other (great) security features that Credential Guard brings, one thing that is important for this particular attack (or abuse) is that Credential Guard completely blocks Kerberos Unconstrained delegation, which effectively blocks us from extracting the TGT (and will break any application that relies on this feature as well!).

Besides this, Credential Guard also blocks NTLMv1 completely and there are a number of other nice security controls, as listed https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/

Test and enable!

In engagements I do I still do not see Credential Guard enabled in many enterprises. No wonder since it can break some things, however as Microsoft is now enabling Credential Guard by default in Windows 11 22H2 and Windows Server 2025, it is definitely worth checking whether your organization is ready for a wide adoption of it. It will not stop every attack, but every single step will help!

Thanks to my team members Luka, Neven, Fran and Mislav for debugging! In a RT you need a team!
 
--
Bojan
@bojanz
@bojanz.bsky.social
INFIGO IS

0 Comments