Time to look back on the top AlienVault blogs of 2018! Here we go:
Crypto-currencies could provide a financial lifeline to a country hit hard by sanctions. Therefore it’s not surprising that universities in North Korea have shown a clear interest in cryptocurrencies. Recently the Pyongyang University of Science and Technology invited foreign experts to lecture on crypto-currencies. The Installer we’ve analysed above may be the most recent product of their endeavours.
This type of exploit allows an attacker to bypass any layer 2 restrictions built to divide hosts. With proper switch port configuration, an attacker would have to go through a router and any other layer 3 devices to access their target. However, many networks either have poor VLAN implementation or have misconfigurations that allow attackers to perform this exploit. In this article, I will go through the two primary methods of VLAN hopping, known as 'switched spoofing' and 'double tagging'. I will then discuss mitigation techniques.
DNS Poisoning and How To Prevent It by Jeff Thompson
The first thing to understand about DNS 'poisoning' is that the purveyors of the Internet were very much aware of the problem. Essentially, DNS requests are "cached", or stored, into a database which can be queried in almost real-time to point names like 'hotmail.com' or 'google.com' to their appropriate IP addresses. Can you imagine having to remember a string of numbers instead of a fancy name to get to your desired WWW (or GOPHER - if that's your thing) resources? 321.652.77.133 or 266.844.11.66 or even 8220.127.116.11 would be very hard to remember. [Note: I have obfuscated REAL IP addresses with very fake ones here. Always trying to stay one step ahead of the AI Armageddon. Real IP addresses end with the numerical value of '255' within each octet.]
Companies both large and small must plan to protect their data. Failing to do so puts you at risk for financial trouble, legal liability, and loss of goodwill.
Make sure to deploy SIEMs to prevent such misfortunes befalling your business. If you know how to put them to use, SIEMs provide value out of the box. Here’s a quick recap on how SIEMs can benefit you with a few clicks.
- Prevent SQL injection attacks by keeping an eye on the health of your systems. This will keep you ready if and when attacks do happen.
- For handling watering hole intruders, SIEMs make it easy to monitor suspicious communication hinting at an attack in progress.
- If you’re worried about malware infection, community-powered data makes it likely that even new malware won’t be able to infiltrate your system.
- Ensure auditors and regulators don’t have a reason to turn off your lights with easy, one-step compliance status monitoring.
The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies that may suggest security weaknesses or a cyber attack. When “x” and “y”, or “x” and “y” plus “z”, happen, your administrators should be notified.
Here are some examples of SIEM correlation rules which illustrate this concept.
Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and have a destination IP address that isn’t on the registered IP list (“z”).
Warn administrators if five failed login attempts are tried with different usernames from the same IP to the same machine within fifteen minutes (“x”), if that event is followed by a successful login occurring from that same IP address to any machine inside the network (“y”).
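The two rules above, evaluated over constructed events, as an added example that is not code from the original post or from any SIEM product. The event tuple layout, the allow-list, all sample addresses and the reading of "different usernames" as five distinct usernames are assumptions; the page sets no time limit on the follow-up success, so none is applied.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # "within fifteen minutes"
THRESHOLD = 5                    # five failures, distinct usernames (assumed reading)
REGISTERED_DHCP = {"10.0.0.2"}   # constructed allow-list of known DHCP servers

def at(hhmm):
    return datetime.strptime("2018-12-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events, not real logs: (time, src_ip, dst_host, user, outcome)
AUTH_EVENTS = [
    (at("09:00"), "10.0.0.50", "srv1", "admin", "fail"),
    (at("09:02"), "10.0.0.50", "srv1", "root", "fail"),
    (at("09:04"), "10.0.0.50", "srv1", "backup", "fail"),
    (at("09:06"), "10.0.0.50", "srv1", "oracle", "fail"),
    (at("09:08"), "10.0.0.50", "srv1", "svc_web", "fail"),
    (at("09:20"), "10.0.0.50", "srv2", "svc_web", "success"),
    (at("09:30"), "10.0.0.77", "srv1", "alice", "fail"),
    (at("09:31"), "10.0.0.77", "srv1", "alice", "success"),
]
# Constructed flows: (protocol, dst_ip, dst_port)
FLOWS = [("udp", "10.0.0.2", 67), ("udp", "10.0.0.99", 67), ("tcp", "10.0.0.99", 67)]

def failed_then_success(events):
    """x: THRESHOLD failures with distinct usernames, same IP -> same host, in WINDOW.
    y: a later success from that IP to any host. Returns (ip, sprayed_host, success_host)."""
    recent = defaultdict(deque)   # (src_ip, dst_host) -> failures inside the window
    armed = {}                    # src_ip -> host on which x was satisfied
    alerts = []
    for ts, src, dst, user, outcome in sorted(events):
        if outcome == "fail":
            q = recent[(src, dst)]
            q.append((ts, user))
            while ts - q[0][0] > WINDOW:      # slide the fifteen-minute window
                q.popleft()
            if len({u for _, u in q}) >= THRESHOLD:
                armed[src] = dst
        elif outcome == "success" and src in armed:
            alerts.append((src, armed.pop(src), dst))
    return alerts

def unregistered_dhcp(flows, registered=REGISTERED_DHCP):
    """x: UDP, y: destination port 67, z: destination not on the registered list."""
    return sorted({dst for proto, dst, port in flows
                   if proto == "udp" and port == 67 and dst not in registered})

if __name__ == "__main__":
    print(failed_then_success(AUTH_EVENTS), unregistered_dhcp(FLOWS))
```

In a real deployment the registered list would also need the broadcast address 255.255.255.255, since ordinary client DISCOVER messages are sent to UDP port 67 there and would otherwise match the rule.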
This Satan variant attempts to propagate through:
- EternalBlue exploit CVE-2017-0143
- Tomcat web application brute forcing
If you work in security anywhere, you do a lot of searching, analyzing, and alerting. It’s the underpinning for almost any keyword you can use to describe the actions we take when working. The minute any equation I’m working on comes down to “finding” or “analyzing”, I know what to reach for and put to use. It’s YARA. The variables of the equation really don’t matter. A quick interrogation of a file to find out about its contents? Dig through source code to find a specific algorithm? Determining if something is malicious or safe to whitelist? YARA handles those use cases and plenty more. Really, it comes down to finding things. Finding fragments of what I’m looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus. YARA is my go-to.
OTX Endpoint Security is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free.
Tools like Sysmon and Osquery are useful in detecting anomalous behavior on endpoints. These tools give us good visibility of what’s happening on endpoints by logging multiple types of events, which we can forward to a SIEM or other correlation system for analysis.
15 Reasons to Not Use PGP:
SECUSHARE published an article “15 reasons not to start using PGP”. Since I feel that they had communicated some great points regarding the risks of using PGP, I briefly summarized most of their key-points for us to consider. This information will help us understand how and why we should practice good operational security during PGP-involved communications.
- Misusage: a party may use PGP wrong or respond to an encrypted email in plaintext
- The OpenPGP Format: PGP is noticeable during packet analysis and surveillance efforts (i.e. government dragnets)
- Transaction Metadata: metadata reveals context and parties involved in the conversation (i.e. email address, subject line, message size, etc.)
- No Forward Secrecy: risk of long-term keys being compromised, it is hard and even impractical to use short-term keys
- Cryptography is Crackable: parties may store encrypted messages and could hypothetically start decrypting messages once technology advances enough to do so (i.e. using quantum computing for cracking RSA cryptography, encrypted messages may be collected and stored via dragnet surveillance, to be cracked in the future)
- Overexposure: using surveilled services and networks will draw attention to our PGP usage, especially on centralized or cloud-hosted services that participate in surveillance
- Discovery (Web of Trust): web of trust is publicly available information and can be analyzed for investigative/discovery purposes, and it doesn’t scale well globally
- PGP Conflates Non-repudiation and Authentication: if a message is signed, we only know that the sender’s private key was used to sign the message, it is possible that the sender’s key could be compromised and used by a third-party (i.e. spy, espionage). Also, by signing a message, we sacrifice any plausible deniability of writing that message
- Message Size Analysis: we can guess the size of messages based on encrypted length
- Workflow: group messaging is impractical, PGP is used for one-on-one communication
- Message Drafts & Message Storage: drafts of messages may be transferred or stored insecurely, in plaintext, without encryption
- Overhead: DNS / X.509 must work harder, thus more expensive servers and networking equipment may be required at scale
- Targeted Attacks Against PGP Key IDs: an adversary could generate a PGP key with a matching short-key ID or long-key ID, the shortened key ID could be used for impersonation
- “I’ve got nothing to hide”: people may not want to use PGP simply because “they have nothing to hide” - this is a worthy consideration, but an invalid excuse to not care about your human right to privacy
- Public Key Exchange: to use PGP, a public key must be shared. We must exchange public keys securely and privately in a contextually safe manner
One of the biggest malware-trends of 2018 has been the increasing variety of crypto-currency malware targeting servers.
One family of mining malware, which we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us how many different exploits and hacking tools it leverages in a single executable.
MassMiner spreads first within the local network, before attempting to propagate across the wider internet:
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.
There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.
Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.
Into 2019, look for more technical and thought leadership blogs to help the InfoSec community!