Archive for the ‘Cyber Security’ Category

Good day to you!

Khoroshiy den' dlya tebya!

The other day, I got this cryptic email. It read:

 

From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299

Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish.

I usually delete these emails promptly, but this one had an interesting component: it came with a password-protected MS Word document. That is somewhat unusual, because phishers typically expect you to simply launch the attachment and trigger the payload immediately.

So it appears that the attack strategy was to:

  • Send a threatening email
  • Add some publicly available information about the recipient to make it look genuine
  • Encrypt the document in order to hide the payload from an anti-virus scanner
  • Provide the password in the email to allow the user to open and decrypt the file
  • Activate the payload in the MS Word document and infect the user’s machine

Inside the encrypted Word document, I found the following API declarations, variable names, and this code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long

API Declarations and Variables

Images: the Document Open routine and the macro's functions

This seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources (the second serving as a backup):

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is fairly sophisticated; it will even prompt the user to disable their firewall if the download fails. Both GIFs, despite having a proper header block and some image content bytes, actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It writes the binary to a temp file, appends an “exe” extension to it, and then executes it through the Windows shell function ShellExecuteA in order to install additional malware. In this case, the payload was ransomware that encrypted the Documents folder.
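As an added defensive check, not part of the original post, here is a Python scan for the trick described above: it walks the GIF block structure to find where the real image ends, then flags any bytes appended after the trailer and any MZ/PE header found in the file. The 1x1 GIF and the PE stub below are constructed samples, not the files from the campaign; the PE check only catches an unencoded executable, while the trailing-bytes check catches appended data regardless of how it was encoded.

```python
import struct
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def gif_image_end(data: bytes) -> Optional[int]:
    """Walk the GIF block structure and return the offset just past the trailer
    byte (0x3B), or None if the data is not a well-formed GIF. Walking the
    blocks matters: 0x3B can legitimately occur inside pixel data."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        return None
    pos = 13                                          # header + logical screen descriptor
    if data[10] & 0x80:                               # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                             # trailer: the real image ends here
            return pos + 1
        if block == 0x21:                             # extension: introducer + label
            pos += 2
        elif block == 0x2C:                           # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return None
            packed = data[pos + 9]
            pos += 10
            if packed & 0x80:                         # local colour table
                pos += 3 * (2 << (packed & 0x07))
            pos += 1                                  # LZW minimum code size
        else:
            return None                               # unknown block: malformed
        while pos < len(data) and data[pos] != 0:     # length-prefixed data sub-blocks
            pos += 1 + data[pos]
        pos += 1                                      # zero-length terminator
    return None


def find_pe(data: bytes) -> Optional[int]:
    """Return the offset of an MZ header whose e_lfanew points at a PE signature, else None."""
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if e_lfanew >= 0x40 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def scan_gif(data: bytes) -> dict:
    """Flag a non-GIF, bytes after the GIF trailer (appended payload, whatever
    its encoding), or a recognisable PE header anywhere in the file."""
    end = gif_image_end(data)
    trailing = len(data) - end if end is not None else 0
    pe = find_pe(data)
    return {"valid_gif": end is not None, "trailing_bytes": trailing, "pe_offset": pe,
            "suspicious": end is None or trailing > 0 or pe is not None}


# Constructed samples (not the campaign's files): the classic 35-byte 1x1 GIF and a
# fake DOS/PE header stub standing in for the appended executable.
SAMPLE_GIF = bytes.fromhex("474946383961 01000100 800000 000000ffffff"
                           "2c 00000000 01000100 00 02 02440100 3b")
FAKE_PE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    print(scan_gif(SAMPLE_GIF))                 # clean: nothing after the trailer
    print(scan_gif(SAMPLE_GIF + FAKE_PE_STUB))  # flagged: trailing bytes, PE at offset 35
```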

Image: the installed ransomware in action

Interestingly, the first compromised URL used by the malware belongs to Adenzia.ch, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure Data storage” and:

  Accounting services
  Secure financial services
  Data entry from paper to digital
  Scanning paper data to digital
  Archiving data anonymously

Images: the Adenzia.ch website before and after the breach

 

Image: the Kingofstreets.de website

Another noteworthy tactic is that both the repurposed Swiss Adenzia.ch financial site and the second, German kingofstreets.de gaming site required a login. This gives the attacker an additional layer of protection, since internet security scanners that try to follow a link to the malware cannot reach the payload.

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker. The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda), and the company name came up as SPecialiST RePack.

Image: SPecialiST RePack metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, it is the source of a large number of infected files and products.

Image: SPecialiST RePack infected content

As for the unfortunate Adenzia.ch site, it appears to have been breached within the past few months, since the Wayback Machine still shows it operating normally on October 4, 2016.

I’ve tried to contact Adenzia to give them a heads-up that they need to have a look at their network. As of this date, I haven’t heard back from them. This could indicate either that the site was a front for malware distribution from the get-go, or that the firm is no longer in business and the site has been abandoned.

 

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Capturing the Flag

Image: Who Knows What Evil Lurks in the Heart of a Cyber Attacker

If you are a typical cyber security manager, you most likely catch up on the latest developments by visiting online sites like News Now, reading various publications, and periodically attending vendor workshops. For the majority of executives, the daily work grind and work/life balance challenges diminish the prospects of going back to school and plowing through in-depth training.

Over the past two decades, the corporate cursus honorum for IT executives has been the much coveted MBA degree. In a large number of Fortune 500 companies, an MBA from a good school was considered a prerequisite for an executive promotion. An MBA attested that an individual possessed all the current business acumen and polish needed to take on any future corporate responsibility; it was the ultimate professional merit endorsement.

This trend, beyond flooding the market with MBAs, has also resulted in a shortage of highly technical managers. Consider some of the wholesale data breaches at the largest US retailers in 2014 alone, and check the biographical backgrounds of the CISOs of the affected companies. Not surprisingly, you will find no shortage of MBAs from top-tier schools. What appears to be missing are individuals with vocational specializations in cyber security, and I’m not referring to rank-and-file CISSPs.

Of course, a common counter argument to this is that as a manager you are not supposed to know the ‘nitty gritty’ details of every technology in your corporate inventory and instead are expected to delegate to and draw on the expertise of others.

I personally don’t think that this is the case. Cyber security is almost entirely a technological and procedural play, and as such a manager should not have gaping holes in his knowledge or rely too heavily on subordinates to make sense of threats and countermeasures. After all, you wouldn’t accept a commercial airline pilot having gaping holes in his knowledge of aircraft operations, or delegating actual flight responsibility to the cabin crew.

I’ve recently had a chance to witness just how limited classical enterprise defenses have become, especially when it comes to Advanced Persistent Threats. In one incident, which eventually became the catalyst for my going back to school, I witnessed how a cyber attacker managed within minutes to defeat all of the traditional enterprise defenses and countermeasures without even breaking a sweat.

Amazingly, even after the debriefing and root cause analysis, I was no closer to understanding how a properly configured and maintained brand name FW and an IDS/IDPS failed to stop the attack, let alone even detect it.

If you are thinking that this could not happen to you, think again. In the incident that I just described, all target boxes were patched, there were strict access control measures in place, the network was sub-netted, and there were effective audit and password management systems in place.

After recovering from my momentary shock, I had an epiphany and realized that I urgently needed to re-hone my skills. I had heard about the SANS Institute from a number of colleagues and, after checking it out, decided to enroll in their Penetration Tester program. After juggling my schedule against their course availability, I selected the following four courses:

  1. SEC504 Hacker Techniques Exploits & Incident Handling
  2. SEC560 Network Penetration Testing and Ethical Hacking
  3. SEC575 Mobile Device Security and Ethical Hacking
  4. SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses

Tuition for the SANS courses is on the expensive side, ranging from $6,000 to $8,000 USD. Add travel and accommodations and you are looking at about $10K per class. Each course is delivered in about a week (40-60 hours of classroom activity). Classes are divided into lectures and hands-on labs, with a heavy emphasis on getting down and dirty.

Though it took me several months to complete the coursework, I found the whole experience uplifting. In addition to getting access to practical, real-world expertise from some of the world’s best penetration testers, we learned the gray art of performing detailed reconnaissance on would-be targets, including mining social media and infrastructure data from blogs, forums, search engines, social networking sites, and other Internet resources.

In each course, we used the latest cutting-edge attack vectors as well as the traditional low budget techniques that are still quite prevalent. The aim of the course was to push the envelope in each domain and not to merely teach a handful of hacks and tricks. Another great component was exploring various administrative questions such as legal issues associated with responding to computer attacks, employee monitoring, working with law enforcement, and the collection and handling of evidence.

Image: SANS Capture the Flag, Las Vegas 2015

When it came to performing the actual exploit, we got to use the best tools on the market, including both COTS components and custom-written utilities and scripts. In each class we learned dozens of methods for exploiting target systems and for maintaining access post-exploitation. Just to illustrate the extensive hands-on approach that SANS has adopted in teaching penetration testing, here is a list of the tools and techniques we used in the SEC504 course alone:

– RootKits and detection
– Hidden file detection with LADS
– HTTP Reverse Shells using Base64
– InSSIDer for Wireless LAN discovery
– Nmap Port Scanner and Operating System fingerprinting tool
– Nessus Vulnerability Scanner
– Windows Command Line Kung-Fu for extracting Windows data through SMB sessions
– Sniffers, including Tcpdump
– Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
– Netcat for transferring files, creating backdoors, and setting up relays
– Metasploit, Metasploit, Metasploit Lots of Metasploit
– ARP and MAC analysis for ARP cache poisoning attack detection
– Password cracking
– Cross-site scripting and SQL injection web application attacks
– Intercepting and forging session cookies
– Detecting and executing DoS attacks techniques
– Detecting backdoors with Netstat, lsof
– Covert channels using Covert TCP
– Clandestine network scanning and mapping
– Exploitation using built in OS commands
– Privilege escalation
– Advanced pivoting techniques

The great thing about the SANS curriculum is that it goes pretty far down the rabbit hole. A few of the classes required hard-core coding skills (we actually got to execute some buffer overflows). Other classes were procedural and got down to the wire in terms of the inner workings of the RFCs and protocols. For example, in Wireless Ethical Hacking we had comprehensive coverage of WiFi, cordless telephones, smart devices, embedded home devices, mesh technologies like ZigBee and Z-Wave, Bluetooth, DECT, and NFC.

In Mobile Device Security we practiced reverse-engineering iOS binaries in Objective-C, reverse-engineering Android binaries in Java and Dalvik bytecode, evaluating mobile malware threats through source-code analysis, defeating Apple FairPlay encryption for application binary access, and overcoming anti-decompilation techniques.

Image: SANS Capture the Flag, Washington DC 2015

The participants in the classes came from diverse backgrounds, including three-letter agencies, incident handling team members, and administrators. The classes are well suited to anyone with a good command of TCP/IP and networking, and they would also greatly benefit architects and technical leads involved in security operations and R&D.

The delivery of the material is completely immersive. You go from 0-90 in one second.  Each course is equivalent to a traditional graduate semester course of 4 credits so we had to complete an average of one textbook per day.  At times, I felt like I was drinking from a fire hose.

Taking good notes and hitting the books at night helped me stay afloat. It goes without saying that the instructors were outstanding; they offered unlimited tutoring and were always available—even during lunch and after hours—to help answer questions and work through the labs.

Images: SANS SEC504, SEC560, SEC575, and SEC617

Several interesting sessions in each class revolved around learning how to avoid being caught, through various tactics and strategies for covering your tracks such as file and directory camouflage, piggybacking on existing user Internet sessions to avoid detection, event log pruning, and performing memory cleanups.

For me, the best part of each course was the final session, called “Capture the Flag”. There, as the culmination of all the hard work, we got to practice everything we had learned over the previous week. Each class had different parameters for capturing the flag, but they tended to follow the same pattern. We needed to do some reconnaissance, reconstruct the network layout of our target, map our victim’s equipment and software inventory, and then proceed to execute the attacks. Once we breached the target, we would perform some additional exploits and start ‘living off the land’. The overall objective of the exercise was to collect flags that the instructor had placed in various locations on the victims’ network. Some of these flags contained encrypted files or messages that we needed to decrypt and use as clues for other attacks; others involved passwords being sent over VOIP, in-memory session information, or data hidden in binaries.

Image: SANS Capture the Flag, Boston 2015

The capture the flag event usually lasts a full day and ends when one team successfully recovers all flags. At that point, the competition is stopped, the results are verified, and the winners are awarded the coveted challenge coins.

Images: SANS 575 and SANS 617 Capture the Flag tokens

If you are a cyber practitioner, I highly recommend that you take all four courses. Even if you can only afford one, go for it. It will change your perspective on pen testing forever and help you take a proactive role in keeping your company safe and out of the negative limelight.

Performing a good penetration test is much more than hiring some outside help and rubber-stamping an audit. These days, verifying the integrity of your corporate security takes more than kicking the tires and lifting the hood. Anyone can throw a bunch of attacks against an organization and regurgitate the output of some automated tools in hundreds of pages of reports. Participating in this structured training will help you avoid this trap and allow you to fully grasp your company’s real security needs, so that you can formulate the most appropriate plan of action to address them in the most cost-effective and timely manner.

Going through the meat grinder, you get to witness first-hand the process of hot dog making. It’s not a pretty sight, but it is an informative one. One of my most profound takeaways from this whole experience was answering the existential question of the spoon. Yes, the spoon does exist, but only for the end user, sysadmin, DBA, and auditors. There is no spoon if you are a proficient attacker. With the right attack strategy and tools, concepts such as access control, event log integrity, and passwords are meaningless, mere chaff before the wind.

Image: There is no Spoon

I keep my hard-earned challenge coins on my office bookshelf as a reminder that there is likely someone out there right now who is targeting my network through some kind of clever attack. He has all the right tools and resources, and he is as determined and hard-working as I was to get his coins.

And as far as my earlier MBA comment is concerned, if you are curious to know just how many executives attended the classes that I did, the answer is just one. None of the 20-40 participants in each class had senior managerial responsibility. In fact, most of the folks I spoke to were surprised that a CTO would take time from his schedule and opt to get his hands dirty instead of just delegating this to one of his direct reports.

After all, ‘Isn’t that what a manager is supposed to do?’

© Copyright 2015 Yaacov Apelbaum All Rights Reserved.

Cyber Security Poetry

January 28, 2014

Image: Cyber Beatnik Poetry


Tokens of Distrust
It was on a starless March night,
The spear phishers went out for bite.

Through a zero day vulnerability,
They breached RSA’s network security.

A Trojan attached to an email transmission,
Gave the attackers remote access permission.

Deep into the corporate systems they dove,
Collecting the SecurID key seeds treasure trove.

The theft affected over forty million tokens,
Transparency failed and trust was broken.

A few weeks followed and on a moonless May night,
The spear fishers returned with a renewed appetite.

Over the internet via secure VPN and a forged key,
They breached Lockheed’s defenses and Pwned their IP.


Ties That Bind
Identity, how do I bind thee to an object? Let me recount the days.
In the days of Spring, by a secret.
In the days of Summer, by a token.
In the days of Fall, by who you are.
In the days of Winter, by seasons’ past and where you’ve been.


Risk Appetite
A little shiftless man named Phil,
got a CISO gig through a shady deal.

Clueless about APT threats,
He managed upwards like a rat.

Pen tests and audits took a back seat,
To what the cafeteria was serving to eat.

When the company was finally breached by a hack,
He said “C’est la vie! The insurance will cover our back.”


IDS
IP traffic flood,
Malignant packets rush-in,
Snort calmly says: “Halt!”