C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

News for week 32/17

  1. Will the real security community please stand up
    - reflection on Black Hat 2017
  2. Chrome Extensions Hacked
    - “Plugins are software. The developers were compromised with a phishing attack and as a result many users were impacted. Security professionals need to consider the security posture of their vendors and continue to reassess the security as part of their threat modeling.” – Jake Williams (Editor)
  3. US-CERT TA17-181A: Petya Ransomware – revised 28 July
    - added additional analysis on NotPetya
    - useful recommendations and best practices
  4. Links in phishing-like emails lead to tech support scam
    - “Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims…”

Have a great women’s day; till next time…

News for week 31/17

  1. Shark or not? 3 real-life security scenarios and how to tell which will really bite
  2. DMARC again (see our previous article on phishing)
  3. MS LAPS / Powershell?
    Refs: seclists.org/educause/2017/q3/102 , seclists.org/educause/2017/q3/117
  4. Awareness – Backup and Recovery: SANS OUCH! August 2017
  5. Lastly, relevant news for the week from SANS NewsBites
    Refs: www.sans.org/newsletters/newsbites/xix/59 , www.sans.org/newsletters/newsbites/xix/60

Till next time…

Under construction

What we wanted to provide under alerts, advisories and articles proved a little too ambitious – we’ve been overwhelmed by the sheer quantity of information. 100s (1000s on the odd occasion) of articles and advisories per day are impractical for “humans” to assimilate, particularly as we want to provide relevant, interesting ones here and not just dump them all.

So we’ve had to pause this service. In the meantime we’ve been brainstorming a lot and have some ideas on how to handle this (largely by automation and some intelligence) – getting it down to a manageable amount. Hopefully we’ll be able to implement this in the next few months (we are focusing on the vulnerability assessment service right now). We will (as you may have noticed) issue the odd announcement as warranted and these should gradually increase as the service matures. Please stay subscribed…

Phishing and compromised accounts

Non-technical user mitigations

Technical mitigations

  • add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
  • use multi-factor authentication [use the last incident as incentive/motivation for implementing]
  • use email authentication with DNS: SPF and/or DKIM, then DMARC on top of them (dmarc.org/overview/)
  • consider requiring remote users to access the mail server/website via VPN only [enforce on the server side]
  • alternatively use geo-fencing: only allow login to email/vpn/ssh services from expected countries/ip ranges
  • anti-malware, anti-spam, anti-phishing, etc. solutions
    • if phishing emails are let through, take it up with the vendor. If not resolved satisfactorily, change vendors – there are many solutions.
    • how can the filters be improved? Consider a multi-layered approach plus AI-backed (e.g. machine learning) filtering – phishing emails are becoming more and more sophisticated (difficult to detect)
    • enable flagging of suspicious emails – e.g. passed the threshold but not with a clean score – allow through but notify user (pref. in subject)
    • support scanning of attachments
    • support previewing attachments (e.g. as an image)
  • kill switch to reset all user accounts
  • don’t email cleartext passwords. Use a secure system to store hashes. Use PGP/GPG to encrypt sensitive info that is emailed.
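Added here as an example (not code from the CSIRT page): a Python check of the SPF and DMARC TXT records a domain publishes, showing a weak configuration beside a sound one. The two domains and their records are constructed samples, not real DNS lookups.

```python
# Added example, not the CSIRT page's own code: offline check of the SPF and DMARC
# TXT records a domain publishes, flagging settings that still let spoofed mail through.
# Constructed sample records, in the form a DNS TXT lookup would return them.
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.mailhost.example ?all",
                     "dmarc": "v=DMARC1; p=none; pct=50"},
    "strong.example": {"spf": "v=spf1 include:_spf.mailhost.example -all",
                       "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"},
}

def parse_tags(record):
    """Split 'tag=value; tag=value' DMARC syntax into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(spf):
    """Findings for an SPF record; an empty list means nothing to fix."""
    if not spf.startswith("v=spf1"):
        return ["missing or malformed SPF record"]
    # 'all' decides the fate of senders no earlier mechanism matched; its qualifier
    # ('-' fail, '~' softfail, '?' neutral, '+' or none = pass) is what matters.
    all_mech = next((m for m in spf.split()[1:] if m.lstrip("+-~?") == "all"), None)
    if all_mech is None or all_mech in ("all", "+all"):
        return ["SPF permits any sender: no '-all' or '~all' at the end"]
    if all_mech == "?all":
        return ["SPF '?all' is neutral: spoofed mail is not penalised"]
    return []

def check_dmarc(dmarc):
    """Findings for a DMARC record; an empty list means nothing to fix."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["missing or malformed DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings

def audit(domain, records=SAMPLE_RECORDS):
    """Combined SPF and DMARC findings for one domain; [] means both look sound."""
    return check_spf(records[domain]["spf"]) + check_dmarc(records[domain]["dmarc"])
```

To use it against a live domain, feed the TXT records for `example.com` and `_dmarc.example.com` into `check_spf` and `check_dmarc` in place of the samples.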

At user level / endpoints

  • use browsers containing anti-phishing measures – detection of fraudulent sites using a list of known phishing sites + clear warnings (e.g. banners/pop-ups to users)
  • use browser add-ons such as RequestPolicy, Ghostery, Disconnect and/or NoScript
  • use email client with built-in malicious email filtering, warnings, etc. (e.g. “this might be spam”)
  • disable macros by default (using group policy if possible)

Post attack

For MS Office 365 / Outlook specifically

University awareness examples

Further reading

Locky: New distribution techniques

Locky ransomware is now spreading via Flash, Windows kernel exploit(s), malicious DLLs and even images on Facebook and Twitter! [1][2][3][4] :-/

Note: “Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported” [5], though this is technically possible.


In addition to the advice at csirt.sanren.ac.za/posts/160302-rm-locky.html:

  • Educate users on the new risks – “Stop! Think! Connect…“
    • Don’t install/execute unknown browser add-ons / extensions, especially from unexpected websites (e.g. as a result of clicking on an image in a chat message)
  • Revisit and verify backup process, systems, etc.
  • Ensure that the latest patches are applied for anti-malware, web and email filtering, etc. products in use

Further reading


[1] Trend Micro: Locky Ransomware Spreads via Flash and Windows Kernel Exploits
[2] The Hacker News: Spammers using Facebook Messenger to Spread Locky Ransomware
[3] Blaze’s Security Blog: Nemucod downloader spreading via Facebook
[4] McAfee Labs: Locky Ransomware Hides Inside Packed .DLL
[5] Kaspersky Lab: Nemucod Infections Spreading Over Facebook

TR-06FAIL: Rise in Misfortune Cookie Exploitation Activity

A surge in activity has been detected [1][2] of exploits targeting TR-069 [3], dubbed Misfortune Cookie [4]. This attack is aimed at home DSL routers commonly issued by ISPs.

If possible, please block the following URLs on any firewalls:

  • http://l.ocalhost.host/1
  • http://l.ocalhost.host/2
  • http://l.ocalhost.host/3
  • http://l.ocalhost.host/x.sh
  • http://p.ocalhost.host/x.sh
  • http://timeserver.host/1
  • http://ntp.timerserver.host/1
  • http://tr069.pw/1
  • http://tr069.pw/2


If you suspect that you have a vulnerable router, then reboot it, and check if port 7547 is listening after you reboot (if infected, the router will no longer listen). If you can, block port 7547 and update your firmware if there is an update available. A reboot will “clean” the router until it is infected again. But given that the host name used no longer resolves, new infections should stop until the host name is changed again. [2]
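Added here as an example (not code from the CSIRT page or the ISC posts): a Python check of whether a router still accepts connections on TCP port 7547, with the result read the way the paragraph above describes. The router address is a placeholder you replace, and the loopback self-test uses a constructed listener.

```python
# Added example, not the CSIRT page's own code: check whether a router still accepts
# connections on TCP port 7547 (CWMP) and read the result the way the advisory describes.
import socket

CWMP_PORT = 7547

def port_listening(host, port=CWMP_PORT, timeout=3.0):
    """True if a TCP connect to host:port succeeds within the timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable or timed out (socket.timeout is an OSError)
        return False

def interpret(listening_after_reboot):
    """Apply the advisory's reasoning: the malware closes 7547 once it is in."""
    if listening_after_reboot:
        return ("7547 open: the router answers on CWMP and is exposed; block the port "
                "towards the Internet and apply a firmware update if one exists")
    return ("7547 closed: either already blocked, or the router was re-infected and the "
            "malware closed the port; reboot, re-check, then block the port and patch")

def selftest():
    """Constructed check on loopback: a live listener must be seen, a closed port not."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen_open = port_listening("127.0.0.1", port, timeout=1.0)
    listener.close()
    seen_closed = port_listening("127.0.0.1", port, timeout=1.0)
    return seen_open, seen_closed

if __name__ == "__main__":
    print(selftest())                        # expected (True, False)
    router = "192.0.2.1"   # placeholder (TEST-NET-1 address): put your router's address here
    print(interpret(port_listening(router)))
```

Run the check from the side on which the port is exposed (for these routers, normally the Internet-facing side): a port that is closed from the LAN says nothing about what the ISP side sees.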

Further Reading


[1] SANS ISC: Port 7547 Activity
[2] SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
[3] Broadband Forum: TR-069 – CPE WAN Management Protocol


DDoS Mitigation Techniques

DDoS Attack Categories

DDoS attacks can be classified into five categories [6]:

  1. Network Device Level Attacks
  2. Operating System Level Attacks
  3. Volume Based Attacks
  4. Protocol Attacks
  5. Application Layer Attacks

From these, the three primary categories utilised in online media are:

  1. Volume Based Attacks attempt to disrupt services by flooding the target host with a large number of requests.
  2. Protocol Attacks attempt to exploit a feature of a communication protocol (e.g. SYN flood) or a bug in an implementation of a protocol, thereby rendering the service unavailable.
  3. Application Layer Attacks attempt to render a service unusable by exploiting features of an application that may cause the application to lock up, as is the case in an XML Denial-of-Service attack.

DDoS Mitigation Strategies

To minimise the effect of Volume Based DDoS attacks, one of the following methods can be used. The choice of DDoS mitigation method is ultimately determined by the level of risk versus desired control.

  • Geographically distributed cloud hosting services (e.g. Akamai [1], CloudFlare [2], Level3 [3]) can ensure that a web presence remains accessible in the event that a specific site/location is targeted. Advantage: cloud redundancy and advanced DDoS protection (make sure this is in your package); Disadvantage: increased latency for local visitors as traffic usually goes overseas (+ potential privacy concerns). Tip: some providers have nodes in South Africa.
  • Network security devices that specialise in DDoS prevention, specifically devices capable of blacklisting known botnet and malicious IP ranges, can prevent DDoS traffic from entering or exiting a network (e.g. Arbor [4], Ixia [5]). Modern firewalls can usually do this in a limited form. Advantage: local control; Disadvantage: depending on where it’s deployed, this only stops the malicious traffic at the “gate” – so your Internet/SANReN link can still be congested (effective DoS).
  • Failover site hosting through multiple independent ISPs as an alternative to distributed cloud hosting. E.g. DR at other institutions and/or data centres.

Further Reading

For self hosted sites: www.slideshare.net/intruguard/10-ddos-mitigation-techniques-presentation.


[1] Akamai: DDoS Mitigation
[2] CloudFlare: DDoS
[3] Level3: DDoS Mitigation
[4] Arbor Networks: DDoS Protection Products
[5] Ixia: ThreatARMOR
[6] Douligeris, C. and Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 44(5), pp. 643–666.

Armada Collective Threats

One of our institutions received the following threatening email. Research attributed no attacks (only threats) to this group. The SANReN CSIRT assisted by providing a quick vulnerability assessment and advised patching one public facing system with a significant vulnerability. No further actions/incidents were reported.

Subject: “EXS” Armada-Collective Invoice “EXS”

We are a HACKER TEAM – Armada Collective

1 – We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete.
2 – We’ll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!
3 – We’ll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power
4 – We’ll run a security breach test of your servers through the determined vulnerability, and we’ll gain the access to your databases.
5 – All the computers on your network will be attacked  for Cerber – Crypto-Ransomware
6 – You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS:  ####removed####
7 – If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins
8 – You have time to decide! Transfer 1 bitcoin to ADDRESS: ####removed####

These kinds of emails are reportedly attempts to extort money from targeted institutions by coercion. Authoritative news articles indicate that these threats from “Armada Collective” are not carried out irrespective of whether the money is paid or not [1][2]. They can take various forms but follow a similar pattern [3]. (Note though that there was previously a group called “DD4BC” which did carry out their threats, but on a smaller scale. The Armada Collective may be a copycat group banking on DD4BC’s reputation.)


  1. Do not pay.
  2. Follow the advice on mitigating DDoS attacks as a precaution.
  3. Please forward the email to our team for further analysis and advice.
  4. Contact us for a vulnerability assessment.


[1] CloudFlare: Empty DDoS Threats: Meet the Armada Collective
[2] Recorded Future: DD4BC, Armada Collective, and the Rise of Cyber Extortion
[3] GovCERT.ch: Armada Collective blackmails Swiss Hosting Providers

Locky Ransomware

Locky is a new encryption ransomware utilising macro scripts in malicious attachments (initially Word documents) to deliver the malware payload [1][2]. The payload proceeds to encrypt almost all local files as well as files on network shares. Instructions for purchasing the decryption key using bitcoins are then presented (originally 0.5 – 1 bitcoin(s) [~R3000-R6500 (03/16)]) [3]. Paying the “ransom” seems to result in successful recovery of files, though this reportedly isn’t always the case.

See references and further reading for more information including samples.

Means of infection

Macros in malicious email attachments, particularly Word files [4]. The emails are sent in the guise of invoices, but other variants have been seen. Various email addresses are used, including spoofed ones.


“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.” [2]


Disconnect the infected PC immediately from the network. Unfortunately, besides paying the ransom (which we don’t advocate), there is no method known to us of recovering encrypted files. Clean the malware and restore from backups. In the case where no backups are available (or backups appear infected – local/network share) some alternative approaches may work [5].


  1. Backup local and shared drives regularly (daily/weekly?) and store backups off-line/off-net
  2. Educate users on spam and particularly not opening suspicious attachments
  3. Flag emails using spoofed addresses (inconsistent “source” and “from”)
  4. Disable macros by default. Only enable on trusted documents if required
  5. Make sure anti-virus and email security (if applicable) product definitions are constantly updated
  6. Verify that backups can be restored (i.e. are usable and working correctly)
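Added here as an example (not code from the CSIRT page): a Python check implementing items 3 and 4 of the list above on the receiving side, flagging a message whose visible From: domain disagrees with the envelope sender (Return-Path) or Reply-To and whose attachment is a macro-capable Office file. The sample message is constructed.

```python
# Added example, not the CSIRT page's own code: flag a message whose visible From:
# domain disagrees with the envelope sender or Reply-To, and whose attachment can
# carry macros. The sample message is constructed.
from email import message_from_string
from email.utils import parseaddr

MACRO_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".pptm")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if there is no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw_message):
    """Reasons to flag this message to the user (e.g. in the subject); [] means none."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = domain_of(msg.get("From"))
    # Return-Path is the envelope sender the MTA recorded; spoofed spam usually
    # forges From: only, so the two domains drift apart.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr))
        if dom and dom != from_dom:
            reasons.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append(f"macro-capable attachment {name}")
    return reasons

# Constructed sample modelled on the invoice lure described above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: Accounts <accounts@supplier.example>
Reply-To: <collect@other.example.org>
Subject: Invoice J-98223
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/msword; name="invoice_J-98223.doc"
Content-Disposition: attachment; filename="invoice_J-98223.doc"

(document bytes omitted)
--b1--
"""
```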

Further reading


[1] PhishMe: Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware
[2] Medium: Locky ransomware virus spreading via Word documents [Kevin Beaumont]
[3] Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]
[4] Symantec: Locky ransomware on aggressive hunt for victims
[5] Comments @ Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

DROWN Vulnerability

We would like to bring to your attention the latest SSL/TLS vulnerability, known as the DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack [1]. Although there is much hype around such vulnerabilities, it is rated as important and seems serious enough for us to send out this alert, particularly as the tester identifies weak SSL configurations / vulnerable library versions which may be subject to other vulnerabilities.

For more information


Test your site(s) here and mitigate if vulnerable:

Generally mitigation involves disabling support for SSLv2 and possibly updating SSL libraries (e.g. OpenSSL). Keys/certificates shared with a vulnerable server also present a risk. For more specific directions please consult the reference for your specific OS (e.g. [2]).

Further reading


[1] CVE-2016-0800: Vulnerability Summary
[2] Red Hat: DROWN – Cross-protocol attack on TLS using SSLv2