1. Will the real security community please stand up
   - reflection on Black Hat 2017
   threatpost.com/will-the-real-security-community-please-stand-up/127156/
2. Chrome Extensions Hacked
   - “Plugins are software. The developers were compromised with a phishing attack and as a result many users were impacted. Security professionals need to consider the security posture of their vendors and continue to reassess the security as part of their threat modeling.” – Jake Williams (Editor)
   www.sans.org/newsletters/newsbites/xix/61#305
3. US-CERT TA17-181A: Petya Ransomware – revised 28 July
   - added additional analysis on NotPetya
   - useful recommendations and best practices
   www.us-cert.gov/ncas/alerts/TA17-181A
4. Links in phishing-like emails lead to tech support scam
   - “Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims…”
   blogs.technet.microsoft.com/mmpc/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/

Have a great women’s day; till next time…

1. Shark or not? 3 real-life security scenarios and how to tell which will really bite
   www.helpnetsecurity.com/2017/08/02/real-life-security-scenarios/
2. DMARC again (see our previous article on phishing)
   threatpost.com/senator-calls-for-use-of-dmarc-to-curb-phishing/126931/
3. MS LAPS / Powershell?
   Refs: seclists.org/educause/2017/q3/102 , seclists.org/educause/2017/q3/117
   technet.microsoft.com/en-us/library/security/3062591.aspx
   cyber-defense.sans.org/blog/2013/08/01/reset-local-administrator-password-automatically-with-a-different-password-across-the-enterprise
4. Awareness – Backup and Recovery: SANS OUCH! August 2017
   securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201708_en.pdf
5. Lastly, relevant news for the week from SANS NewsBites
   Refs: www.sans.org/newsletters/newsbites/xix/59 , www.sans.org/newsletters/newsbites/xix/60
   • Petya/Goldeneye Decryptor
     blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
   • Adobe Will End Support for Flash in 2020
     blogs.adobe.com/conversations/2017/07/adobe-flash-update.html
   • Targeting HTTP’s Hidden Attack-Surface
     blog.portswigger.net/2017/07/cracking-lens-targeting-https-hidden.html
   • Adobe Connect security update 9.6.2 / APSB17-22
     helpx.adobe.com/security/products/connect/apsb17-22.html
   • Microsoft Has No Plans to Patch SMBLoris Flaw
     smbloris.com/
     www.theregister.co.uk/2017/07/30/slow_loris_smbv1_attack/

Till next time…

What we wanted to provide under alerts, advisories and articles proved a little too ambitious – we’ve been overwhelmed by the sheer quantity of information. 100s (1000s on the odd occasion) of articles and advisories per day are impractical for “humans” to assimilate. Particularly as we want to provide relevant, interesting ones here and not just dump them all.

So we’ve had to pause this service. In the meantime we’ve been brain storming a lot and have some ideas on how to handle this (largely by automation and some intelligence) – getting it down to a manageable amount. Hopefully we’ll be able to implement in the next few months (we are focusing on the vulnerability assessment service right now). We will (as you may have noticed) issue the odd announcement as warranted and these should gradually increase as the service matures. Please stay subscribed…

Non-technical user mitigations

• Awareness – before and after
  • email alerts, websites, posters
  • see: Stop. Think. Connect.
  • certificate verification – click on and verify
  • use unique passwords for every account
  • how to detect:
    • www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf
    • resources.infosecinstitute.com/recognize-phishing-emails/
    • blog.malwarebytes.com/101/2017/06/somethings-phishy-how-to-detect-phishing-attempts/
    • phishme.com/project/how-to-spot-a-phish/
• reporting phished credentials, revoke and reset [preferably unassisted] (“I’ve been phished, now what?” with an anonymous option?)
• verify suspicious emails with the CSIRT / help-desk prior to clicking
• have an option for users to submit mail as spam / phishing to train the filtering system
• post-incident interview = learning (anything more we can do) + training (anything more they can do) [consider on case-by-case basis or for high-profile accounts]

Technical mitigations

• add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
• use multi-factor authentication [use the last incident as incentive/motivation for implementing]
• use email authentication with DNS: SPF and/or DKIM > DMARC (dmarc.org/overview/)
• consider requiring remote users to access the mail server/website via VPN only [enforce on the server side]
• alternatively use geo-fencing: only allow login to email/vpn/ssh services from expected countries/ip ranges
• anti -malware,-spam,-phishing, etc. solutions
  • if letting through, take it up with vendor. If not resolved satisfactorily, change vendors – there are many solutions.
  • how can the filters be improved? Consider multi-layered approach + AI-backed (e.g. machine learning) – phishing emails are becoming more and more sophisticated (difficult to detect)
  • enable flagging of suspicious emails – e.g. passed the threshold but not with a clean score – allow through but notify user (pref. in subject)
  • support scanning of attachments
  • support previewing attachments (e.g. as an image)
• kill switch to reset all user accounts
• don’t email cleartext passwords. Use a secure system to store hashes. Use PGP/GPG to encrypt sensitive info that is emailed.

At user level / endpoints

• use browsers containing anti-phishing measures – detection of fraudulent sites using a list of known phishing sites + clear warnings (e.g. banners/pop-ups to users)
• use browser add-ins such as: RequestPolicy, Ghostery, DISCONNECT. and/or NoScript
  • (see: tma.ifip.org/wordpress/wp-content/uploads/2017/06/tma2017_paper30.pdf)
• use email client with built-in malicious email filtering, warnings, etc. (e.g. “this might be spam”)
• disable macros by default (using group policy if possible)

Post attack

• reset credentials
• add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
• report for takedown
  • start with your ISP
  • contact abuse at remote ISP if known (e.g. whois)
  • safebrowsing.google.com/safebrowsing/report_phish/?hl=en
  • www.phishtank.com/
  • apwg.org/report-phishing/
• implement honeypot allowing compromised credentials for monitoring, attacker/intent identification, etc. (CSIRT/advanced)

For MS Office 365 / Outlook specifically

• blogs.technet.microsoft.com/office365security/how-to-review-and-mitigate-the-impact-of-phishing-attacks-in-office-365/
• blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
• support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification
• support.office.com/en-us/article/Help-keep-spam-out-of-your-Inbox-in-Outlook-com-a3ece97b-82f8-4a5e-9ac3-e92fa6427ae4
• Report junk email and phishing scams in Outlook on the web

University awareness examples

• blink.ucsd.edu/technology/security/user-guides/phishing.html
• itservices.uchicago.edu/page/identify-phishing-scams
• technology.pitt.edu/security (search: “Phishing Awareness”)
• www.weber.edu/iso/Phishing.html
• help.uis.cam.ac.uk/user-accounts-security/security/malware/phishing/phishing-faq
• oit.colorado.edu/it-security/security-awareness/phishing
• www.angelo.edu/services/technology/support/phishing.php

Further reading

• digitalguardian.com/blog/dont-get-hooked-how-recognize-and-avoid-phishing-attacks-infographic
• resources.office.com/rs/microsoftdemandcenter/images/insiders-guide-to-social-engineering-ebook.pdf
• digitalguardian.com/blog/phishing-attack-prevention-how-identify-avoid-phishing-scams
• phishme.com/awareness-resources/

Locky ransomware is now spreading via Flash, Windows kernel exploit(s), malicious DLLs and even images on Facebook and Twitter!^1 2 3 4 :-/

Note: “Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported”⁵ though this is technically possible.

Recommendations

In addition to csirt.sanren.ac.za/posts/160302-rm-locky.html

• Educate users on the new risks – “Stop! Think! Connect…”
  • Don’t install/execute unknown browser add-ons / extensions especially from unexpected websites (e..g resulting from clicking on an image in a chat message)
• Revisit and verify backup process, systems, etc.
• Ensure that the latest patches are applied for anti-malware, web and email filtering, etc. products in use

Further reading

• Check Point: ImageGate: Check Point uncovers a new method for distributing malware through images

References

¹Trend Micro: Locky Ransomware Spreads via Flash and Windows Kernel Exploits

²The Hacker News: Spammers using Facebook Messenger to Spread Locky Ransomware

³Blaze’s Security Blog: Nemucod downloader spreading via Facebook

⁴McAfee Labs: Locky Ransomware Hides Inside Packed .DLL

⁵Kaspersky Lab: Nemucod Infections Spreading Over Facebook

A surge in activity has been detected^1 2 of exploits targeting TR-069³, dubbed Misfortune Cookie⁴. This attack is aimed at home DSL routers commonly issued by ISP’s.

If possible, please block the following URL’s on any firewalls:

• http://5.8.65.5/1
• http://5.8.65.5/2
• http://l.ocalhost.host/1
• http://l.ocalhost.host/2
• http://l.ocalhost.host/3
• http://l.ocalhost.host/x.sh
• http://p.ocalhost.host/x.sh
• http://timeserver.host/1
• http://ntp.timerserver.host/1
• http://tr069.pw/1
• http://tr069.pw/2

Recommendation

If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again. But given that the host name used no longer resolved, new infections should stop until the host name is changed again.²

Further Reading

• bløgg.no: TCP/7547 on the rise
• Ars Technica: Newly discovered router flaw being hammered by in-the-wild attacks
• Check Point: The Internet of TR-069 Things: One Exploit to Rule Them All [pdf]
• Check Point: Too Many Cooks – Exploiting the Internet of TR-069 Things [pdf]

References

¹SANS ISC: Port 7547 Activity

²SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems

³broadband forum: TR-069 – CPE WAN Management Protocol

⁴CVE-2014-9222

DDoS Attack Categories

DDoS attacks can be classified into five categories⁶:

1. Network Device Level Attacks
2. Operating System Level Attacks
3. Volume Based Attacks
4. Protocol Attacks
5. Application Layer Attacks

From these, the three primary categories utilised in online media are:

1. Volume Based Attacks attempt to disrupt services by flooding the target host with large amount of requests.
2. Protocol Attacks attempt to exploit a feature of a communication protocol (eg. SYN flood) or a bug in an implementation of a protocol, thereby rendering the service unavailable.
3. Application Layer Attacks attempts to render a service unusable by exploiting features of an application that may cause application lock, as is the case in an XML Denial-of-Service attack.

DDoS Mitigation Strategies

To minimise the effect of Volume Based DDoS attacks, one of the following methods can be used. The choice of DDoS mitigation method is ultimately determined by the level of risk versus desired control.

• Geographically distributed cloud hosting services (e.g. Akamai¹, CloudFare², Level3³) can ensure that a web presence remains accessible in the event that a specific site/location is targeted. Advantage: cloud redundancy and advanced DDoS protection (make sure this is in your package); Disadvantage: increased latency for local visitors as traffic usually goes overseas (+ potential privacy concerns). Tip: some providers have nodes in South Africa.
• Network security devices that specialise in DDoS prevention, specifically devices capable of blacklisting known botnet and malicious IP ranges, can prevent DDoS traffic from entering or exiting a network (e.g. Arbor⁴, Ixia⁵). Modern firewalls can usually do this in a limited form. Advantage: local control; Disadvantage: depending on where it’s deployed, this only stops the malicious traffic at the “gate” – so your Internet/SANReN link can still be congested (effective DoS).
• Failover site hosting through multiple independent ISPs as an alternative to distributed cloud hosting. E.g. DR at other institutions and/or data centres.

Further Reading

For self hosted sites: www.slideshare.net/intruguard/10-ddos-mitigation-techniques-presentation.

References

¹Akamai: DDoS Mitigation

²CloudFlare: DDoS

³Level3: DDoS Mitigation

⁴Arbor Networks: DDoS Protection Products

⁵Ixia: ThreatARMOR

⁶ Douligeris, C. and Mitrokotsa, A., 2004. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 44(5), pp.643-666.

One of our institutions received the following threatening email. Research attributed no attacks (only threats) to this group. The SANReN CSIRT assisted by providing a quick vulnerability assessment and advised patching one public facing system with a significant vulnerability. No further actions/incidents were reported.

Subject: “EXS” Armada-Collective Invoice “EXS”

We are a HACKER TEAM – Armada Collective

1 – We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete.
2 – We’ll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!
3 – We’ll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power
4 – We’ll run a security breach test of your servers through the determined vulnerability, and we’ll gain the access to your databases.
5 – All the computers on your network will be attacked  for Cerber – Crypto-Ransomware
6 – You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS:  ####removed####
7 – If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins
8 – You have time to decide! Transfer 1 bitcoin to ADDRESS: ####removed####

These kinds of emails are reportedly attempts to extort money from targeted institutions by coercion. Authoritative news articles indicate that these threats from “Armada Collective” are not carried out irrespective of whether the money is paid or not^1 2. They can take various forms but follow a similar pattern³. (Note though that there was previously group called “DD4BC” which did carry out their threats but on a smaller scale. The Armada Collective may be a copycat group banking on DD4BC’s reputation.)

Recommendations

1. Do not pay.
2. Follow the advice on mitigating DDoS attacks as a precaution.
3. Please forward the email to our team for further analysis and advice.
4. Contact us for a vulnerability assessment.

References

¹Cloudfare: Empty DDoS Threats: Meet the Armada Collective

²Recorded Future: DD4BC, Armada Collective, and the Rise of Cyber Extortion

³GovCERT.ch: Armada Collective blackmails Swiss Hosting Providers

Locky is new encryption ransomware utilising macro scripts in malicious attachments (initially Word documents) to deliver the malware payload^1 2. The payload proceeds to encrypt almost all local files as well as files on network shares. Instructions for purchasing the decryption key using bitcoins are then presented (originally 0.5 – 1 bitcoin(s) [~R3000-R6500 (03/16)])³. Paying the “ransom” seems to result in successful recovery of files though this reportedly isn’t always the case.

See references and further reading for more information including samples.

Means of infection

Macros in malicious email attachments, particularly Word files⁴. The emails are sent in the guise of invoices, but other variants have been seen. Various email addresses are used including spoofed ones.

Detection

“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.”²

Recovery

Disconnect the infected PC immediately from the network. Unfortunately, besides from paying the ransom (which we don’t advocate), there is no known (to us) method of recovering encrypted files. Clean the malware and restore from backups. In the case where no backups are available (or backups appear infected – local/network share) some alternative approaches may work⁵.

Recommendations

1. Backup local and shared drives regularly (daily/weekly?) and store backups off-line/off-net
2. Educate users on spam and particularly not opening suspicious attachments
3. Flag emails using spoofed addresses (inconsistent “source” and “from”)
4. Disable macros by default. Only enable on trusted documents if required
5. Make sure anti-virus and email security (if applicable) product definitions are constantly updated
6. Verify that backups can be restored (i.e. are usable and working correctly)

Further reading

• Medium: You, your endpoints and the Locky virus [Kevin Beaumont]
• IOCs @ Palo Alto Networks: Locky: New Ransomware Mimics Dridex-Style Distribution
• What to do? @ Naked Security by Sophos: ‘Locky’ ransomware – what you need to know
• Malwarebytes: Look Into Locky Ransomware
• Avast: A closer look at the Locky ransomware

References

¹PhishMe: Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

²Medium: Locky ransomware virus spreading via Word documents [Kevin Beaumont]

³Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

⁴Symantec: Locky ransomware on aggressive hunt for victims

⁵Comments @ Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

We would like to bring to your attention the latest SSL/TLS vulnerability known as the DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack¹. Although there is much hype around such vulnerabilities it is rated as important and seems serious enough for us to send out this alert particularly as the tester identifies weak SSL configurations / vulnerable library versions which may be subject to other vulnerabilities.

For more information

• drownattack.com/

Recommendation

Test your site(s) here and mitigate if vulnerable:

• test.drownattack.com/

Generally mitigation involves disabling support for SSLv2 and possibly updating SSL libraries (e.g. OpenSSL). Shared keys/certificates with a vulnerable server also presents risk. For more specific directions please consult your specific OS reference (e.g.²).

Further reading

• news.softpedia.com/news/a-third-of-all-https-websites-are-vulnerable-to-the-drown-attack-501202.shtml

References

¹CVE-2016-0800: Vulnerability Summary

²Red Hat: DROWN – Cross-protocol attack on TLS using SSLv2