Rapid7 Blog

Malware  

The CIS Critical Controls Explained- Control 8: Malware Defenses


This is a continuation of our CIS critical security controls blog series. Workstations form the biggest threat surface in any organization. The CIS Critical Security Controls include workstation and user-focused endpoint security in several of the controls, but Control 8 (Malware Defenses) is the only control to strictly focus on antivirus and malware across the organization. It's pretty important, too: malware networks are often run by organized criminals who profit from both the stolen identities of end users and access to the extensive computing and network resources that malware is designed to exploit. To a lesser extent, malware is also used for corporate and nation-state espionage, acts of vandalism, strategic attacks on infrastructure, and just about any circumstance where an attacker wants to compromise multiple hosts with minimal effort. Simply put: malware is a big problem, and it puts everyone at risk. Much like disease prevention, malware prevention relies on a combination of "computing hygiene" and herd immunity; if it's done right, we all have a part in reducing the impact of malware and the risks associated with it.

What this control covers

Control 8 covers malware and antivirus protection at system, network, and organizational levels. It isn't limited to workstations, since even servers that don't run Windows are regularly targeted (and affected) by malware. Control 8 should be used to assess infrastructure, IoT, mobile devices, and anything else that can become a target for malicious software, not just endpoints. This control has been specifically included in version 6 of the CIS Critical Controls in a way that focuses on preventing the spread of worms and other self-propagating malicious code, but it's important to note that the Malware Defenses control is actually just a small subset of a good malware protection program.
Following Control 8 will significantly improve any kind of incident response program you're developing, and it'll also help with the "top five" CIS controls, since it's dependent on them for effective implementation.

Antivirus not dead, sun still rises: a note on terminology

The term "malware" can be a little misleading, because it's often used to describe only viruses, or a specific subset of all of the malicious software used to attack information systems. The generally accepted definition of malware includes viruses, worms, ransomware, and anything that is purpose-built to be malicious software; that is what I'm going to stick with here. The nice part of this is that many of the controls and mitigation techniques for viruses also cover typical malware. Another added bonus is that any decent antivirus software still scans for most malware signatures and malicious behavior. Despite claims to the contrary, antivirus is not dead; it just grew up.

How To Implement it

Centralize, automate, and configure

The first step is a pretty big one, but the good news is that it's also fairly easy if you've even partially implemented the "big five" critical controls. Asset configuration and management tools, as well as continual patching and careful system configuration, can go a long way in stopping most malware infections. This includes ransomware like CryptoLocker, WannaCrypt, and others, since they rely on poorly configured or unpatched systems to spread. Simply put: you probably already have a good start if you're using any centrally managed antivirus service and managing your workstation and endpoint configuration. Central management of antivirus and antimalware clients is pretty important, since the logs generated by these systems can be used to aid in the incident detection process and generally help with cleanup and response.
It's also important for the obvious reasons: antivirus still protects against viruses, and centrally managed clients mean you can control precisely how.

Log your incidents, and track them over time

As Cindy Jones discussed in an earlier post on logging, tracking and reporting incident information at a log level is pretty important. It also acts as a good indicator of network health and security. Enterprise-level antivirus and antimalware solutions usually have some form of logging facility, and this, in concert with other logs from firewalls, network instruments, and critical systems, will give the security team a clear picture of what's going on inside the network. Logging both detection and response information from your antivirus is a good way to help color in that picture. Aside from detection statistics, it is critical to log what was done with a sample when it was detected (cleaned, quarantined, or left in place), and where it came from. Unfortunately, relying on individual incidents can be like drinking from a water cannon, so rather than relying on alerts for every incident, track the rate of change and the types of infection until you need to look at individual alerts or systems. If you don't already have one, you will need to build a service that can monitor the number of infected and damaged machines in order to give you a clear picture of where the malware is.

Antimalware everything, all the time

As I mentioned at the top of this post, network devices and other "non-computer" elements of your organization's information systems are vulnerable to malware. At an organization and policy level, you should be making it clear that everything on your network needs to have an antivirus installed, and anything that is run by your IT team should have an enterprise antivirus client that reports back to you.
This is helpful for a few reasons: you will have visibility into the systems with the antivirus or endpoint protection client running, and you can also ensure that you're not granting network access to devices that may be carrying malware. While it may be tempting to ignore some systems, and some vendors don't make clients for some OSes, it's a good idea to aim for as much antivirus/antimalware coverage as possible.

OS-level malware, removable media, installation and tampering detection

Malware can show up from nearly anywhere, and removable media is a major source of infection. It's critical that you set up your antivirus policy to scan removable media before it's allowed on anything, and limit who can install software. Removing root privileges also removes the risk of user-installed software or malware attacking critical system objects, or exploiting access to administrator rights and privileged system objects. I've personally responded to ransomware cases where the only thing that limited the damage to the organization (and the end user) was the lack of local administrative privilege on the system that got infected. While this isn't mentioned in Control 8, it's brought up in Controls 14 and 5.

Watch your edges

Network-level scanning is definitely helpful, especially if you have the capacity to spot command and control traffic, malicious DNS and URL requests, and the like. It's less helpful if you're just replicating the work that your antivirus clients are already doing. In this case, IDS and logging are also going to play a huge role; specifically, log session lengths, DNS requests, and traffic patterns to look for connections to the command and control networks used by known malware. Session length logging can also give hints about data exfiltration, and looking at things like failed attempts to authenticate on services may also act as a virus or worm attack indicator.
Looking at inbound and outbound network traffic from unusual IP addresses, or known bad actor addresses, will also help in identifying malware patterns as they emerge and localizing any response activities.

One last word on malware prevention

While the CIS doesn't include this in the top five controls, I think Control 8 is still one of the most important. Good malware prevention actually does as much to help other people as it does for you and your network; you're cutting down the rate of transmission and infection and helping reduce the threat created by the people who use malware to commit crimes. Robust malware prevention techniques and programs actively reduce the threat to legacy systems and "high risk" networks that can't patch their systems for one reason or another. Fighting malware requires that we treat it like measles or smallpox: vaccinate against it, clean up infections, and monitor populations at risk. While it's often inconvenient or difficult, the end result is safer computing for everyone.

Photos: Banner photo courtesy of the author: safety notice from Angus Railyards (now a grocery store), Montreal. Flu virus TEM image from Wikimedia Commons, courtesy of the CDC's fantastic Public Health Image Library (PHIL). Forestry swing machine (and logs) in Kaibab National Forest, AZ, also from Wikimedia Commons. Inoculation picture courtesy of the University of Victoria's Flickr feed, originally from The Montreal Star.
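As an added example for the "track the rate of change and the types of infection" advice in the logging section above (illustrative code, not from the original post or from any Rapid7 product), the following Python reads centrally collected antivirus detection logs, buckets them by day and malware family, and flags families that arrive in a burst, grow sharply day over day, or leave hosts the client could not clean. The log format, host names, family names and every sample line are constructed for the example.

```python
"""Trend-level triage of centrally collected antivirus detection logs.

Added example, not code from the original post: bucket detections per day
and per malware family, then flag families that arrive in a burst, grow
sharply day over day, or leave hosts the client could not clean.
The log format and every sample line below are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format (assumption):
#   <ISO timestamp> host=<name> family=<name> action=<cleaned|quarantined|failed>
SAMPLE_LOG = """\
2017-05-01T08:12:00 host=ws-101 family=Trojan.Generic action=cleaned
2017-05-01T09:40:00 host=ws-117 family=Trojan.Generic action=cleaned
2017-05-01T13:05:00 host=ws-203 family=Adware.Bundle action=quarantined
2017-05-02T07:55:00 host=ws-101 family=Trojan.Generic action=cleaned
2017-05-02T10:20:00 host=ws-222 family=Ransom.Crypt action=failed
2017-05-02T10:21:00 host=ws-223 family=Ransom.Crypt action=quarantined
2017-05-03T08:00:00 host=ws-224 family=Ransom.Crypt action=failed
2017-05-03T08:02:00 host=ws-225 family=Ransom.Crypt action=quarantined
2017-05-03T08:03:00 host=ws-226 family=Ransom.Crypt action=failed
2017-05-03T08:05:00 host=ws-227 family=Ransom.Crypt action=failed
2017-05-03T08:09:00 host=ws-228 family=Ransom.Crypt action=quarantined
2017-05-03T11:30:00 host=ws-117 family=Adware.Bundle action=cleaned
2017-05-03T14:00:00 host=ws-150 family=Trojan.Generic action=cleaned
"""


def parse_line(line):
    """Split one log line into a dict with host, family, action and the day."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["day"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S").date().isoformat()
    return record


def daily_counts(log_text):
    """Return ({family: {day: detections}}, {family: set of hosts with failed cleanup})."""
    per_family = defaultdict(Counter)
    failed_hosts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        per_family[record["family"]][record["day"]] += 1
        if record["action"] == "failed":
            failed_hosts[record["family"]].add(record["host"])
    return per_family, failed_hosts


def trending_families(log_text, growth_factor=2.0, min_count=3):
    """Flag families worth an analyst's attention at the trend level.

    A family is flagged for a day when it first appears with at least
    min_count detections, or when its count is growth_factor times the
    previous day's; it is also flagged when any host could not be cleaned.
    """
    per_family, failed_hosts = daily_counts(log_text)
    days = sorted({day for counts in per_family.values() for day in counts})
    flagged = {}
    for family, counts in per_family.items():
        growth_days = []
        previous = 0
        for day in days:
            current = counts.get(day, 0)
            if previous == 0:
                if current >= min_count:        # new family arriving in a burst
                    growth_days.append(day)
            elif current >= growth_factor * previous:  # sharp day-over-day increase
                growth_days.append(day)
            previous = current
        uncleaned = sorted(failed_hosts.get(family, ()))
        if growth_days or uncleaned:
            flagged[family] = {"growth_days": growth_days, "uncleaned_hosts": uncleaned}
    return flagged


if __name__ == "__main__":
    for family, detail in trending_families(SAMPLE_LOG).items():
        print(family, detail)
```

On the constructed data only Ransom.Crypt is flagged: two detections on the second day became five on the third, and four of its hosts reported a failed cleanup, which is exactly the "infected and damaged machines" count the post says you need a view of. The thresholds are arbitrary starting points; tune them against your own detection volume.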

Introspective Intelligence: Understanding Detection Techniques


To provide insight into the methods devised by Rapid7, we'll need to revisit the detection methods implemented across InfoSec products and services and how we apply data differently. Rapid7 gathers volumes of threat intelligence on a daily basis, from new penetration testing tools, tactics, and procedures in Metasploit, vulnerability detections in Nexpose, and user behavior anomalies in InsightIDR. By continuously generating, refining and applying threat intelligence, we enable more robust detection strategies to identify adversaries wherever they may hide.

Slicing Through the Noise

There are many possible combinations of detection strategies deployed in enterprise environments, with varying levels of efficacy. At a minimum, most organizations have deployed Anti-Virus (AV) software and firewalls, and mature organizations may have web proxies, email scanners, and intrusion detection systems (IDS). These "traditional" detection technologies are suitable for blocking "known-bad" activity, but they provide little insight into the origin, purpose, and intent of detections. Additionally, many of these techniques falter against uncommon threats due to a lack of applicable rulesets or detection context.

Consider an AV detection for Mimikatz, a well-known credential dumper. Mimikatz may be detected by AV; however, standard AV detection alerts do not provide the background information required to accurately understand or prioritize the threat. The critical context in this scenario is that the presence of Mimikatz typically indicates an active, human attacker rather than an automated commodity malware infection. Additionally, a Mimikatz detection indicates that an attacker has already circumvented perimeter defenses, has the administrator rights required to dump credentials, and is moving laterally through your environment.
Without a thorough understanding or explanation of the samples your detection technologies identify as malicious, you do not have the information required to understand the severity of detections. Responders who are not armed with appropriate context cannot differentiate or prioritize low, medium, and high severity events, and they often resort to chasing commodity malware and low severity alerts.

Adding Context: Intelligence Implementation

Many organizations integrate "threat feeds" into their existing technology to compensate for the lack of context and to increase detections for less common threats. Threat feeds come in many forms, from open source community-driven lists to paid private feeds. The effectiveness of these feeds strongly depends on a number of factors:

- Intel type (hash, IP, domain, contextual, strategic)
- Implementation
- Indicator age
- Intelligence source

When consuming intelligence feeds, context remains the critical element: feeds containing only hashes, domains, and IPs are the least effective form of threat intelligence due to the ease with which an attacker can modify infrastructure and tools. It is important to understand why a particular indicator has been associated with attacker activity, how old the intelligence is (as domains, IPs and tools are often rotated by attackers), and how widely the intelligence has been disseminated (does the attacker know that we know?). We routinely work in environments wherein the customers have enabled every open source threat intel feed and every IDS rule available in their detection products, and they chase thousands of false positives daily. Effective threat intelligence application requires diligence, review, and active research into the origin, age, and type of indicators coming in through threat feeds. Contextual intelligence feeds provide customers not only with indicators of compromise but also a thorough explanation of the attacker's use of infrastructure, tools, and particular methodologies.
Feeds containing contextual information are far more effective for successful threat detection. For example:

MALWARE DETECTED: FUZZY KOALA BACKDOOR

The 'Fuzzy Koala Backdoor' is a fully-functional remote access utility that communicates to legitimate, compromised servers over DNS using a custom binary protocol. This backdoor provides file upload, file download, command execution, and VNC-type capabilities. The 'Fuzzy Koala Backdoor' is typically delivered via spearphishing emails containing Office documents with malicious macros, and is sent via the 'EvilSpam' mail utility.

Files Created:
  %systemdrive%\programdata\iexplore.exe
  %systemdrive%\programdata\[a-z]{6}%UUID%.dll

Persistence:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell=explorer.exe,%systemdrive%\programdata\iexplore.exe

Network Indicators:
  Domains: SuperCoolEngineeringConference.com

With that context, a successful detection team can:

- Look for other anomalous DNS traffic matching the attacker's protocol to catch additional domains
- Look for unusual emails containing documents with macros, including header data provided by the attacker's mail client
- Identify systems on which Office applications spawned child processes
- Identify file-based and registry-based indicators of compromise
- Monitor for traffic to the legitimate compromised domain

Similarly, a successful incident detection and response team will build additional strategies to identify underlying attacker techniques and cycle out stale static indicators to minimize false positives. Traditional detection mechanisms, including contextual intelligence feeds, provide security teams the ability to identify and respond to threats in the wild. In our next blog post we'll discuss approaches for finding previously-unseen malware and attacker activity using hunting and anomaly detection.
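The detections listed above, and the "watch your edges" advice (log DNS requests and traffic to known command and control networks) in the Control 8 post earlier on this page, can be turned into code. The following Python is an added example and not part of the original post or any Rapid7 product: it encodes the Fuzzy Koala indicators as behaviours (an Office application spawning a child process, a Winlogon Shell value that no longer points only at explorer.exe, the dropper path, DNS queries whose leading label is a long run of hex characters, and lookups of the named compromised domain) and runs them over constructed process, registry and DNS telemetry. The event schema, host names and sample events are assumptions, and so is the reading of %UUID% in the dropper path as a 36-character UUID.

```python
"""Contextual threat intelligence turned into detection logic.

Added example, not from the original post or any Rapid7 product: the
'Fuzzy Koala Backdoor' write-up is encoded as behaviours plus its static
indicators and run over constructed process, registry and DNS telemetry.
Event schemas, host names and sample events are assumptions.
"""
import re
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Static indicators taken from the write-up
IOC_DOMAINS = {"supercoolengineeringconference.com"}
WINLOGON_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: %UUID% in the write-up stands for a 36-character UUID.
DROPPER_RE = re.compile(
    r"%systemdrive%\\programdata\\(?:iexplore\.exe|[a-z]{6}[0-9a-f-]{36}\.dll)", re.I)
# Behaviour behind "anomalous DNS traffic matching the attacker's protocol":
# a leading label that is a long run of hex characters (encoded data).
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")

# Constructed telemetry (assumption: one dict per event)
PROCESS_EVENTS = [
    {"host": "ws-12", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd /c %systemdrive%\\programdata\\iexplore.exe"},
    {"host": "ws-12", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword invoice.docx"},
    {"host": "ws-40", "parent": "excel.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc AAAA"},
    {"host": "ws-55", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome"},
]
REGISTRY_EVENTS = [
    {"host": "ws-12", "key": WINLOGON_KEY, "value": "Shell",
     "data": "explorer.exe,%systemdrive%\\programdata\\iexplore.exe"},
    {"host": "ws-55", "key": WINLOGON_KEY, "value": "Shell", "data": "explorer.exe"},
]
DNS_EVENTS = [
    {"host": "ws-12", "query": "a1b2c3d4e5f6a7b8c9d0.supercoolengineeringconference.com"},
    {"host": "ws-40", "query": "4f3e2d1c0b9a8f7e6d5c4b3a29181716.cdn-updates.example"},
    {"host": "ws-55", "query": "www.example.com"},
]


def apply_intel(process_events, registry_events, dns_events):
    """Return (host, rule, detail) findings for every event that matches."""
    findings = []
    for ev in process_events:
        if ev["parent"].lower() in OFFICE_APPS:          # macro delivery behaviour
            findings.append((ev["host"], "office_spawned_child", ev["image"]))
        if DROPPER_RE.search(ev["cmdline"]):             # file indicator
            findings.append((ev["host"], "dropper_path", ev["cmdline"]))
    for ev in registry_events:
        # Persistence: Winlogon Shell should contain nothing but explorer.exe,
        # so this catches the write-up's value and any renamed dropper too.
        if (ev["key"].lower() == WINLOGON_KEY.lower() and ev["value"].lower() == "shell"
                and ev["data"].strip().lower() != "explorer.exe"):
            findings.append((ev["host"], "winlogon_shell_tampered", ev["data"]))
    for ev in dns_events:
        labels = ev["query"].lower().rstrip(".").split(".")
        domain = ".".join(labels[-2:])
        if domain in IOC_DOMAINS:                        # static network indicator
            findings.append((ev["host"], "known_c2_domain", domain))
        if len(labels) > 2 and HEX_LABEL_RE.match(labels[0]):  # protocol behaviour
            findings.append((ev["host"], "dns_tunnel_like_label", ev["query"]))
    return findings


def hosts_by_hits(findings):
    """Rank hosts by how many rules fired, most suspicious first."""
    counts = Counter(host for host, _rule, _detail in findings)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = apply_intel(PROCESS_EVENTS, REGISTRY_EVENTS, DNS_EVENTS)
    for host, rule, detail in hits:
        print(host, rule, detail)
    print(hosts_by_hits(hits))
```

The point of the behavioural rules is visible on host ws-40: it never touches the listed domain or the listed file names, yet it is flagged twice, because Excel spawned PowerShell and its DNS queries carry the same long encoded labels as the known backdoor. The static domain indicator alone would have missed it, which is the "cycle out stale static indicators" argument made in the post.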

Malware and Advanced Threat Protection: A User-Host-Process Model


[Editor's Note: This is a sneak peek at what Tim will be presenting at UNITED 2016 in November. Learn more and secure your pass at http://www.unitedsummit.org!]

In today's big data and data science age, you need to think outside the box when it comes to malware and advanced threat protection. For the Analytic Response team at our 24/7 SOC in Alexandria, VA, we use three levels of user behavior analytics to identify and respond to threats. The model is defined as User-Host-Process, or UHP. Using this model and its supporting datasets allows our team to quickly neutralize and protect against advanced threats with a high confidence rate.

What is the User-Host-Process Model?

The UHP model supports our incident response and SOC analysts by adding context to every finding and pinpointing anomalous behavior. At its essence, it asks three main questions:

- What users are on the network?
- What hosts are they accessing?
- What processes are users running on those hosts?

This model also includes several enrichment sources such as operating system anomalies, whitelisting and known evil to help in the decision-making process. Once these datasets are populated, the output from the model can be applied in a variety of different ways.

For example, most modern SIEM solutions alert if a user logs in from a new, foreign country IP address. If you need to validate the alert armed only with log files, you'd be hard-pressed to confirm whether the activity is malicious or benign. Our Analytic Response team uses the UHP model to automatically bring in contextual data on users, hosts, and processes to help validate the alert.
Here are some artifact examples:

- User account information: account created, Active Directory, accessed hosts, public IPs...
- Host information: destination host purpose, location, owner, operating system, service pack, criticality, sensitivity...
- Process information: process name, process ID, parent process ID, path, hashes, arguments, children, parents, execution order, network connections...

With this supporting data, we build a profile for each user or artifact found. Circling back to our example "user logged in from a new IP address in a foreign country", we can add this context:

- Does the user typically log in and behave in this way? (Day/time of login, process execution order, duration of login)
- How often does the user run these particular processes? (Common, unique, rare)
- How common is this user's authentication onto this system?
- How often have these processes executed on this system?

Armed with UHP model data, we have a baseline of user activity to aid in threat validation. If this user has never logged in from this remote IP, seldom logs into the destination system, and their process execution chain deviates from historical activity, we know that this alert needs further investigation.

Analyzing Malware, the UHP Way

Adhering to a UHP model means that for every executable, important metadata and artifacts are collected not only during execution, but also as a static binary. When you're able to compare binary commonality, arguments, execution frequency and other lower level attributes, you have additional context to make nuanced decisions about suspected malware.

For example, for the question "How unique is a process?", there are several layers to the question.
Let's look at four:

- Process commonality on a single asset: the single host baseline
- Process commonality at an organizational level: across all of my assets, how many are running this process?
- Process commonality at an industry/sector level: across organizations in the same vertical, how common is this process?
- Process commonality across all available datasets

To be most effective, the User, Host, and Process model applies multiple datasets to a specific question to aid in validation. So in the event that the "U" or user dataset finds no anomalies, the next Host layer is applied. Finally, the Process layer is applied to find anomalies.

Use Case: Webshell

Rapid7 was called to assist on an incident response engagement involving potential unauthorized access and suspicious activity on a customer's public-facing web server. The customer had deployed a system running Windows Internet Information Services (IIS) to serve static and dynamic web pages for their clients.

We started the engagement by pulling data around the users in the environment, hosts, and real-time process executions to build up the UHP model. While in this case the User and Host models didn't detect any initial anomalies, the real-time process tracking, cross-process attributes, baselines and context models were able to identify suspicious command-line execution from the parent process w3wp.exe, the IIS worker process responsible for running the web server. Using this data, we pivoted to the web logs, which identified the suspicious web shell being accessed from a remote IP address. From there we were able to thoroughly remediate the attack.

Summary

The Analytic Response team uses models such as UHP to help automate alert validation and add context to findings. Adding in additional datasets from external sources such as VirusTotal, NSRL and IP-related tools helps infuse additional context into the alerts, increasing analyst confidence and slashing incident investigation times.
For each of our Analytic Response customers, we take into account their unique user, host, and process profiles. By applying the UHP model during alert triage, hunting and incident response, we can quickly and accurately identify and protect against advanced threats and malware in your enterprise.

If you'd like to learn more about Analytic Response, check out our Service Brief [PDF]. If you need Incident Response services, we're always available: 1-844-RAPID-IR.
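As an added example of the Process layer described above (illustrative code, not the Analytic Response team's tooling), the following Python builds a baseline of (parent, child) process pairs across a set of hosts, measures how common each pair is on the single host and across the organization (the first two of the four commonality layers listed in the post), and ranks the rare ones, with extra weight when a web server worker such as w3wp.exe spawns a shell, which is the webshell case from the use case. The records, host names and the lists of server and shell processes are constructed assumptions.

```python
"""Process-layer commonality scoring in the spirit of the User-Host-Process model.

Added example, not the Analytic Response team's tooling: build a baseline of
(parent, child) process pairs across many hosts, measure how common each pair
is on the single host and across the organisation, and rank rare pairs,
weighting a web server worker that spawns a shell (the webshell case above).
All records, host names and process lists are constructed assumptions.
"""
from collections import Counter, defaultdict

# Assumption: server worker processes that should never spawn an interactive shell
SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

# Constructed records: (host, parent_image, image, command_line)
RECORDS = [
    ("web-01", "services.exe", "w3wp.exe", "w3wp -ap DefaultAppPool"),
    ("web-01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ("web-01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "net user"'),
    ("web-02", "services.exe", "w3wp.exe", "w3wp -ap DefaultAppPool"),
    ("ws-03", "explorer.exe", "procmon.exe", "procmon.exe"),
]
_WORKSTATIONS = [f"ws-0{n}" for n in range(1, 7)]
for _ws in _WORKSTATIONS:                      # a browser on every workstation
    RECORDS.append((_ws, "explorer.exe", "chrome.exe", "chrome.exe"))
for _ws in _WORKSTATIONS[:4]:                  # mail client on some of them
    RECORDS.append((_ws, "explorer.exe", "outlook.exe", "outlook.exe"))
for _host in ["web-01", "web-02"] + _WORKSTATIONS:   # a service host everywhere
    RECORDS.append((_host, "services.exe", "svchost.exe", "svchost.exe -k netsvcs"))


def baseline(records):
    """Per-host execution counts and, per (parent, image) pair, the hosts it ran on."""
    per_host = Counter((host, parent, image) for host, parent, image, _ in records)
    org_hosts = defaultdict(set)
    for host, parent, image, _ in records:
        org_hosts[(parent, image)].add(host)
    total_hosts = len({host for host, _p, _i, _c in records})
    return per_host, org_hosts, total_hosts


def score_executions(records, rare_fraction=0.2):
    """Rank (host, parent, image) triples that are rare across the organisation.

    Score = (1 - organisational prevalence) when the pair runs on at most
    rare_fraction of hosts, plus 2.0 when a server worker spawns a shell.
    Pairs that are common everywhere score 0 and are omitted.
    """
    per_host, org_hosts, total_hosts = baseline(records)
    ranked = []
    for (host, parent, image), host_count in per_host.items():
        prevalence = len(org_hosts[(parent, image)]) / total_hosts
        score = 0.0
        if prevalence <= rare_fraction:
            score += 1.0 - prevalence                  # rarer across the org, higher score
        if parent.lower() in SERVER_PARENTS and image.lower() in SHELLS:
            score += 2.0                               # webshell-style parent/child
        if score > 0:
            ranked.append({"host": host, "parent": parent, "image": image,
                           "host_count": host_count,
                           "org_prevalence": round(prevalence, 3),
                           "score": round(score, 3)})
    ranked.sort(key=lambda row: (-row["score"], row["host"]))
    return ranked


if __name__ == "__main__":
    for row in score_executions(RECORDS):
        print(row)
```

On the constructed data the w3wp.exe to cmd.exe chain on web-01 ranks first (seen on one of eight hosts and matching the server-spawns-shell rule), while procmon.exe on ws-03 is surfaced only as organizationally rare, the kind of finding an analyst would check and then whitelist. The industry and global commonality layers from the post would slot in as further prevalence terms once those datasets exist.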

Compromised Credentials Have a High ROI for Attackers


Given that detecting the use of compromised credentials is at the core of user behavior analytics', and InsightIDR's, focus, I want to explain why compromised credentials are so valuable to attackers. To effectively understand any attacker's tools and techniques, we have to put them into the context of their challenges and goals, the same way you would a business, or a supply chain of businesses. Accordingly, I will use some common microeconomics terms to explain.

Phishing has a high expected return

While it may not be the only way to steal valid credentials, various published statistics all show that roughly one out of every ten phishing emails will be successful. This could mean that your users open a malicious attachment, enter their corporate credentials into a phony site, or simply visit a website attempting to compromise them in some other way. This statistic is relatively broad, but you can be confident that a professional social engineer with a few days for reconnaissance can far exceed this success rate with targeted spear phishing.

Stolen passwords offer simple and inexpensive distribution

Once credentials are stolen from a user in your organization, those responsible for harvesting them have hundreds of ways to distribute them to potential buyers. Once a buyer is identified, most likely on an eBay rip-off focused on such criminal tools, the credentials can be distributed through any medium that accepts text. This means that individuals creative enough to avoid jail time and immoral enough to knowingly steal from others need only decide whether to insert the username/password text into a website, send it in an email, embed it in a PowerPoint slide deck, send it over IRC, post it in the comments to a random article, tweet it from a short-lived Twitter account, or transmit it in any number of other ways.
Comparatively, exploits and malware pose a much greater challenge around distribution because they run the risk of being discovered in transit and they are not simple text.

Compromised credentials lower the cost of production

Each phase of the attacker supply chain produces something different, but they all lead to the production of one thing: monetizable information that belongs to someone else. For the attackers that are actively attempting to compromise systems in your organization, the approaches fall into two buckets:

- Take control of a company asset, either manually or through malware
- Use the credentials of a legitimate user to pose as someone who should have access to multiple company assets

A major reason stolen credentials have become the weapon of choice is their cost profile: it is inexpensive to purchase credentials, it is inexpensive to try using stolen credentials, and they have a low opportunity cost. Purchasing credentials is relatively straightforward: you can either buy them in bulk from someone who harvests them and puts them up for sale online, or you can hire a black hat social engineer to harvest them for you. Using stolen credentials currently has a very low likelihood of being detected or traced back to the attacker, so while the attempted use might be complex, having a single access point makes it very easy and fast to test their validity. This makes it easy to discuss opportunity cost: while it is still very possible to take control of an organization's assets with exploits, a well-patched organization with a bevy of security controls in place means that you will likely need a very expensive zero-day exploit to reach the success rate and low likelihood of detection that come with compromised credentials. The cost of production for 0-days is massive because they require a great deal of both expertise and research to develop, and their guarantee of success rapidly depreciates from the second they are used.
Improved malware defenses have had a secondary economic impact on compromised credentials

Starting with antivirus, then the detection of signatures in your network traffic, and more recently with sandboxing and the latest Endpoint Detection & Response (EDR) solutions, organizations have invested heavily in identifying and blocking malware before it is delivered, when it attempts to install itself, and when it starts performing malicious operations. While we will never see a 100% success rate, modern malware defenses have been very effective at achieving one goal: making it expensive to use malware alone to attack an organization. While this cost has increased, the cost of sourcing and using stolen credentials has stayed very low because they remain in the blind spot of these evolved detection solutions. Often, mass malware opens opportunities of chance in organizations that are not investing heavily in security, but more advanced, custom-built malware variants must be leveraged for a targeted attack, and even then, it is used with precision to only compromise systems that have been accessed (with stolen credentials) and deemed susceptible. The day-to-day system reconnaissance and lateral movement can be done with widely available tools, like Windows Credential Editor, and stolen passwords or hashes to evade detection.

So, given these factors, if you are comfortable breaking international laws, stealing from other people, and working with other criminals who may be capable of even more, it is poor business management not to use compromised credentials. This is exactly why we built InsightIDR: to help diminish the return on stolen accounts by detecting their use.

If you want to see more details on how we raise the cost for attackers, you can register for a free, guided demo of InsightIDR. I think you'll quickly see how we'll raise the cost to attack your organization. Not ready quite yet?
Check out our resource page to learn more about our products and solutions that help you detect attacks leveraging compromised credentials here.

Attackers Take Advantage Of The Options You Give Them - Malware vs. Credentials


When InsightIDR was purpose-built to detect compromised credentials in the first months of 2014, we did so because we identified a significant gap in the detection solutions available to security teams. The 2014 Verizon DBIR subsequently quantified the size of this gap (and it has repeated in 2015 and 2016). User behavior analytics, as an industry, emerged to cover this gap in SIEM and other solutions. This does not mean that malware is not heavily used in attacks today, but there is a great deal of prevention and detection already in place for malware, and you need to detect more malicious activity than malware alone.

Perfect malware detection can detect less than one-third of attacker actions

Antivirus vendors first started to release consumer software around 1990. In the twenty-four years since that time, a great deal of innovation has occurred in the realm of both (a) malware development and (b) malware detection. Attackers have created full supply chains for malware, the most famous of which was around the Zeus Trojan (which is still around!), and malware detection now ranges from the modern evolution of that original antivirus software to the more innovative solutions of the past few years that leverage sandboxing and kernel-layer software agents. None of these solutions, on its own, can completely stop malware from reaching your organization or claim to detect its operation 100% of the time. However, by layering a few of these solutions and some perimeter defenses, your organization can detect a sizable contingent of malware in the wild. What any red team can tell you is that today's attackers can breach your organization using the "attack tools" that often double as administrator tools, like Windows Credential Editor (WCE) and PsExec.
Just as more usable software has made it possible to receive Facebook updates from our grandparents, improved software has enabled criminals with serviceable technical skills to manually attempt to run exploits and use stolen credentials to compromise your organization. This rise in malicious acts that can be, and are, carried out against networks without any automated malicious software (malware) is what concerned us. Verizon places these acts into the "hacking" bucket, whereas the theft or guessing of your credentials is in the "social" bucket. As you can see from their data, these two categories of actions have comprised more than half of all malicious activities since 2008 and represented over two-thirds of all "threat actions" in 2013. It makes sense when you consider the return on investment that I discussed in my previous post.

Two well-publicized attacks show just how little malware is used in some attacks

It is likely that you remember hearing the news that RSA was attacked in 2011. I have no doubt that you know a great deal about the Target breach in 2013. Even the hack of Hacking Team in 2015 is a perfect example. If you look at these breaches, of which more details have been made public than almost any in history, you can see just how little malware is sometimes used by attackers. For good reason, a lot of detail is never released to the public, but what we do know is that malware played two very different roles in these breaches:

- Once as the initial entry point into RSA's network via email attachment, before a great deal of lateral movement with scraped credentials and hashes
- Once as a means to scrape credit card details from memory on point-of-sale systems, after initially entering the Target network and moving laterally to those systems with credentials stolen from Target's HVAC vendor

In both cases, there were a lot more malicious actions involving stolen credentials than malware, and neither was what led to detection in either attack.
Malware was not the only option to enter RSA and it was not the only way to get credit card data out of Target; in both cases, it was just what worked. From the information available on the non-POS portion of the Target breach, the personal information of millions of Americans (including mine) was not stolen with malware, either.

Think like an attacker: they use malware when it suits them

At Rapid7, our research team, services organization, and product teams are constantly challenged to "think like an attacker," whether that means helping you to defend your organization, simulate attacks with exploits, credentials, and social engineering, or detect attacks as early as possible. If I ask some of our experts how to get in and get data out, their response is always "it depends on what works." As long as attackers are able to stay undetected while they experiment, there is a great deal of iteration in their process:

- Entry: try using some mass market malware because you might get lucky. That didn't work? Okay, try phishing a user for their credentials. That didn't work? Okay, use your expensive 0-day.
- Data theft: install some malware on a processing system. Cannot find anything valuable? Okay, try reading data straight out of a database.

Any one attacker may be partial to initially trying malware or impersonating users at any stage of an attack, but they are willing to use either to find success. If all of your defenses are focused on preventing and detecting malware, they are going to lean on their other tools to compromise your network and move from system to system. If you want to successfully detect attackers, you need to have solutions for detecting both malware and compromised credentials to maximize your chances.

If you want to learn more about how InsightIDR can increase your chances of detecting malicious activity, please contact us to schedule an InsightIDR demo. We think you will appreciate our approach. Not ready for a demo?
See how Rapid7 products and services help you detect attacks leveraging compromised credentials here.

Ransomware FAQ: Avoiding the latest trend in malware


Recently, a number of Rapid7's customers have been evaluating the risks posed by the swift rise of ransomware as an attack vector. Today, I'd like to address some of the more common concerns.

What is Ransomware?

Cryptowall and Cryptolocker are among the best known ransomware criminal malware packages today. In most cases, users are afflicted by ransomware by clicking on a phishing link or visiting a website that is either compromised or is hosting a compromised advertising network. While ransomware is usually associated with Windows PCs and laptops, there have been recent reports of new ransomware on Apple OSX called KeRanger.

Ransomware works by encrypting files that the user has access to, which is usually their local documents. However, some ransomware variants can target and encrypt files on mapped SMB drives as well. Once encrypted, the user is alerted with instructions on how to obtain the recovery key, typically for the price of $300-$500 equivalent in Bitcoin. Some attacks, however, are enterprise-centric and demand much more; the Hollywood Presbyterian Medical Center reportedly paid over $17,000 to a criminal enterprise to recover its encrypted data.

How Can I Avoid Ransomware?

Ransomware attacks happen similarly to other malware-based attacks. User education is the first line of defense -- people should not be clicking suspicious links or visiting websites that are known carriers of malvertising networks. In the event the user encounters a live link to a ransomware download, web-based threat prevention, email-based threat prevention, and application sandboxing can all help avoid infection.

In addition, enterprises can harden their user-based infrastructure preemptively by following some baseline cyber hygiene as described in Jason Beatty's blog post. Of special interest is the enforcement of role-based access control; all too often, organizations accrue "access cruft," where users inherit permission sets that are far too broad for their normal job functions as temporary access grants accidentally become permanent access grants. By limiting user access across network resources, the damage incurred by the compromise of a single user can be effectively contained.

I've Been Hit! How Can I Recover?

In the event a user or enterprise falls victim to a ransomware attack, the best solution is to treat the event as any other disaster: restore the lost data from backups, conduct an investigation into how the disaster occurred, and educate the users involved on how to avoid this disaster in the future. As of today, there is no known method for recovering lost data without cooperating with the criminals responsible for the ransomware.

Of course, backing up valuable data before an attack is critical in order to recover from this kind of attack. Backup schedules can vary widely between people and enterprises, many backup plans are implemented but remain untested, and the appearance of ransomware seems to have dramatically increased the chances of a data loss disaster. IT administrators who are concerned about ransomware affecting their users should investigate the relevance and reliability of their existing backup solutions, and weigh the costs of a sudden loss of data against the cost of more robust and frequent backup plans.

That Didn't Work. Should I Pay?

In most areas of crime, paying blackmail or ransom demands is counterproductive. It funds criminal enterprise directly and encourages more blackmail and ransom activity for both the original victim and future victims. However, even the United States FBI seems to be advising people that, given no other disaster recovery alternative, victims may want to consider paying for recovery. In October of 2015, Joseph Bonavolonta of the FBI admitted, "To be honest, we often advise people just to pay the ransom." This position was later clarified that victims should only consider paying when there is no other recourse, such as recovering from backups.

The criminal enterprises running ransomware campaigns today are remarkably organized, and can even be considered helpful when it comes to getting their victims in a position to pay the ransom, nearly always via Bitcoin transactions. There is significant "victim support" built into these campaigns that walks users through the process of acquiring Bitcoin and ensures that recovery is actually possible once they are paid. That said, these organizations are criminal, after all, and operate across international borders. It would appear that they are making good on their offers to decrypt the data held hostage, but there is absolutely no guarantee that they will continue to do so.

Conclusions

While ransomware represents the latest trend in drive-by, opportunistic malware, it is avoidable and containable by following fundamental security and disaster recovery best practices. Encouraging secure habits in an enterprise's user base is the cornerstone of avoiding the problem in the first place. Enterprises struck by ransomware are urged to treat the event as they would any local disk disaster: restore from backups, conduct a post-mortem investigation into how the disaster happened, and take the lessons learned to become more resilient in the event of future disasters.
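The post's point that "many backup plans are implemented but remain untested" is the one most worth automating. The script below is an added example, not Rapid7's code or any product's: it backs up a constructed document tree into a tarball, records a hash manifest at backup time, restore-tests the archive into a scratch directory, and then repeats the test after one archived file has been replaced with junk bytes standing in for ransomware ciphertext. The directory names, file contents and the `docs.tar.gz` archive name are all constructed for the example.

```python
"""Restore-test a backup archive against a hash manifest (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Archive src_dir into a gzip tarball and return {relative path: sha256}.
    Keep the manifest somewhere the backup job (and a ransomware-infected
    workstation) cannot overwrite, otherwise it proves nothing."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_bytes(path.read_bytes())
            tar.add(str(path), arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore the archive into restore_dir and compare every file with the manifest.
    Returns a list of problems; an empty list means the restore test passed."""
    problems = []
    seen = set()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name
            # Never let an archive write outside the restore directory.
            if rel.startswith("/") or ".." in Path(rel).parts:
                problems.append(f"unsafe path in archive: {rel}")
                continue
            data = tar.extractfile(member).read()
            out = restore_dir / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(data)
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                problems.append(f"unexpected file: {rel}")
            elif sha256_bytes(data) != expected:
                problems.append(f"content mismatch: {rel}")
    for rel in sorted(set(manifest) - seen):
        problems.append(f"missing file: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed tree and restore-test it; then take a fresh backup
    after one source file has been 'encrypted' and test that against the
    manifest recorded from the known-good run. Returns (clean, broken)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "docs"
        (src / "finance").mkdir(parents=True)
        (src / "report.txt").write_text("Q3 numbers\n")
        (src / "finance" / "ledger.csv").write_text("date,amount\n2015-03-01,42\n")

        archive = root / "docs.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest, root / "restore1")

        # Constructed stand-in for ransomware output: the ledger is now ciphertext,
        # and the scheduled backup dutifully archives it.
        (src / "finance" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00" * 4)
        make_backup(src, archive)
        broken = verify_restore(archive, manifest, root / "restore2")
        return clean, broken
```

The second scenario is the one that bites in practice: a backup job that runs after the encryption happens will faithfully back up ciphertext, so a restore test has to compare against a manifest captured while the data was still good, not against the archive's own contents.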

Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics


A recent report on a new type of malware dubbed “Hammertoss” highlights the importance of applying knowledge of attacker methodologies to behavior analytics. As an industry, we get very fixated on the latest intruder tools. The risk here is that we can't see the forest for the trees. To effectively detect intruders, we must look at the entire attack chain and the methods attackers will always use to complete their mission. Hammertoss is an example of a backdoor that is reportedly deployed at a late stage of an attack, using a variety of tactical methods. You can only be effective in the game if you have broad detection for the methods that intruders will use regardless of tools, using approaches including traditional threat intelligence, intruder analytics, and endpoint detection. While interesting on many levels, Hammertoss caught my eye because it tries to mimic regular user behavior to avoid detection, albeit in a fairly crude way:

- It can be configured to operate during normal working hours to blend into regular network traffic
- It gets commands from and exfiltrates to mainstream cloud services, such as Twitter and GitHub

Attackers changing their methods means behavior analytics is working

Attackers are making economic decisions: They don't change their methods unless their methods start becoming ineffective. The fact that Hammertoss built in ways to avoid anomaly behavior detection shows that these methods have caused attackers some pain. However, the evasion techniques are very basic steps to avoid the simplest User and Entity Behavior Analytics (UEBA) solutions, because those rely only on baselining work hours and cloud usage without context.

Behavior analytics must take attacker methodologies into account

When Rapid7 started out researching behavior analytics solutions, we quickly realized that “pure math” could not solve the problem. Looking for outliers such as unusual login times quickly leads to an unsurpassable mountain of false positive alerts. The fact is: people do unpredictable things for legitimate reasons. I may have a report due that forces me to work late or on weekends. One approach we continually find effective in detecting bad actors is to take behavior analytics and pair it with our knowledge of attacker methodologies. We're taking this knowledge from many sources: The Metasploit project, Rapid7 Labs' primary research, and our offensive security and incident response services teams.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Detection must occur throughout the attack chain

It's also interesting to note that the Hammertoss malware is reportedly used late in the attack chain. It is a backdoor that enables attackers who have gained access to a network to maintain persistence over the long term. The communication methods are low, slow, and obfuscated to avoid detection. Rapid7 recommends detecting attacks throughout the kill chain by detecting phishing, use of compromised credentials, lateral movement and other attacker activity, which is where Rapid7 UserInsight focuses its detection. That said, UserInsight can detect and investigate incidents related to Hammertoss in the following ways:

- Detecting malicious Hammertoss processes running on the network through agentless endpoint monitoring
- Honey pot alerts as Hammertoss runs reconnaissance operations on the network
- Spotting lateral movement on the network, which Hammertoss issues through PowerShell commands
- Investigation of data exfiltration as Hammertoss uploads data to cloud services

If you're interested in learning more about how Rapid7 can help you detect intruders on your network and give them the boot, talk to us about the UserInsight intruder analytics solution and Rapid7's incident response services.

Related Resources: What is User Behavior Analytics?

Image courtesy of RiverArt.net: Journey across Russia: swimming against the tides

More Flash Exploits in the Framework


As todb pointed out in the last weekly Metasploit update wrapup, we recently added two new exploits for Flash: CVE-2015-3090 and CVE-2015-3105, based on the samples found in the wild. As you're probably aware, in the last few years, and especially at the end of 2014 and in 2015, Flash has become the trending target for browser exploits in the wild. Here is a summary of Flash vulnerabilities abused by different Exploit Kits. It is based on the contagiodump overview and the Malware Dont Need Coffe blog data. It also shows the vulnerabilities currently supported in Metasploit, and the targets for every exploit. It's just a summary, maybe the vulnerability set is not complete! I'm not a malware researcher after all!

| Vulnerability | Metasploit | Targets |
| --- | --- | --- |
| **CVE-2013-0634** | yes | Adobe Flash ActiveX / IE 32 bits on Windows XP SP3 and Windows 7 SP1 |
| **CVE-2013-5329** | | |
| **CVE-2014-0497** | yes | Adobe Flash ActiveX / IE 32 bits on Windows XP SP3, Windows 7 SP1 and Windows 8 |
| **CVE-2014-0502** | | |
| **CVE-2014-0515** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2014-0556** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2014-0569** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2014-8439** | | |
| **CVE-2014-8440** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-0310** | | |
| **CVE-2015-0311** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-0313** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-0336** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-0359** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1 and Windows 8.1 |
| **CVE-2015-3043** | | |
| **CVE-2015-3090** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-3104** | | |
| **CVE-2015-3105** | yes | Adobe Flash ActiveX / IE 32 bits on Windows 7 SP1; Adobe Flash Plugin / Firefox 32 bits on Windows 7 SP1, Windows 8.1 and Linux |
| **CVE-2015-3113** | | |

As you can read, we are doing our best to keep the Framework up to date with Flash vulnerabilities exploited in the wild, so hopefully people can simulate/test them from a trusted source. Because of the number of Flash exploits, we've added a kind of Flash exploitation library to make it easier to add them to the framework. We'd like to share our 5 cents about how to use this code. Let me start by refreshing our memory...

Since Oct 2012 (thanks Haifei Li), a common technique to exploit Flash vulnerabilities has been to abuse AS3 Vectors, both for spraying and to achieve full memory read/write. It is facilitated by the Flash allocator and the Vector object layout itself, whose length lives together with its data. The abuse of these objects has been well explained in the past. The first (and excellent) explanation which I can recall is the one provided by Haifei Li in his article Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack. And it is precisely the technique used by the exploits in the Framework. Since I don't think I can explain it better than Haifei Li, I recommend you check the above link before going ahead, in case you're not familiar with the topic. That said, back to the Metasploit Framework, let me start by helping you locate the source code for the Flash exploitation library in the code base. It can be found in the data directory, at the data/external/source/flash_exploiter path.
Currently it supports exploitation for Adobe Flash (32 bits), ActiveX and plugin versions, for both Windows and Linux platforms. (Remark: we're not testing the Flash that ships with Google Chrome and with IE since Windows 8, so the exploits available in MSF don't currently cover these targets.) Last but not least, it is worth saying this code uses some ideas from @hdarwin89, whose Flash exploits can be found in his own repository. So, summarizing, the goal is that new Flash exploits just need to provide an "Exploit" class. An Exploit object must be able to corrupt a Vector.<uint>'s length with the value 0x3fffffff or larger. Once this condition has been achieved, the Exploit just needs to create a new "Exploiter" instance and allow the magic to happen. Here is an "Exploit" template:

```actionscript
package
{
    import flash.display.Sprite
    import flash.display.LoaderInfo
    import mx.utils.Base64Decoder
    import flash.utils.ByteArray

    public class Exploit extends Sprite
    {
        private var uv:Vector.<uint>
        private var b64:Base64Decoder = new Base64Decoder()
        private var payload:ByteArray
        private var platform:String
        private var os:String
        private var exploiter:Exploiter

        public function Exploit()
        {
            // Platform, OS and base64 payload arrive as FlashVars from the prior stage
            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
            os = LoaderInfo(this.root.loaderInfo).parameters.os
            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
            var pattern:RegExp = / /g;
            b64_payload = b64_payload.replace(pattern, "+")
            b64.decode(b64_payload)
            payload = b64.toByteArray()

            /* The exploit code here. The goal is to corrupt the uv vector length with 0x3fffffff or bigger. */

            exploiter = new Exploiter(this, platform, os, payload, uv, 0x13e)
        }
    }
}
```

A couple of things to take into account. First of all, notice that the Exploit template gets the platform and the operating system (as well as the shellcode) from FlashVars. This is because BrowserExploitServer provides this information from a prior stage and we're using it, but you could get it by writing your own AS code in the exploit, of course.
The second important thing is the Exploiter constructor documentation, because it's the last call the Exploit should make:

```actionscript
/* Creates an Exploiter instance and runs the exploitation magic
 * exp: Exploit object instance, its toString() vtable entry will be overwritten to achieve EIP.
 * pl: target platform, "linux" and "win" supported
 * os: target operating system for "win" platforms, "Windows 8.1" and "Windows 7" supported
 * p: ByteArray with the payload to execute
 * uv: Vector.<uint> whose length is overwritten with 0x3fffffff or larger
 * uv_length: original uv's length, so the Exploiter can (hopefully) restore everything after exploitation.
 */
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>, uv_length:uint):void
```

Most of the Flash exploits in the framework have been written or migrated to use the Exploiter code, but be careful, because we keep updating the Exploiter code, and not all of them use the latest version of it! The Flash modules currently using the flash_exploiter code are: CVE-2014-0515, CVE-2014-0556, CVE-2014-0569, CVE-2014-8440, CVE-2015-0311, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-3090 and CVE-2015-3105. And that's all for today! Stay tuned for more Flash exploits and the new Browser Autopwn being developed by sinn3r. We find the combination of these a powerful way to simulate targeted campaigns on your next pentest!

What exactly is Duqu 2.0?


Overview

Duqu, a very complex and modular malware platform thought to have gone dark in late 2012, has made its appearance within the environment of Kaspersky Labs. Dubbed “Duqu 2.0” by Kaspersky, the level of complexity found within the malware represents the high level of sophistication, skill, funding and motivation seen in nation-sponsored actors. Infections related to this malware have revealed links to the P5+1 events and related discussions regarding Iran's nuclear talks.

Analysis

While the initial attack vector is unknown, evidence such as wiped mailboxes and cleared browser history suggests spearphishing and the use of a zero-day exploit to gain a foothold on patient zero. Other zero-day exploits were noted by Kaspersky, such as CVE-2014-6324 and CVE-2015-2360, allowing the attacker to run code at the highest privilege level and aiding lateral movement.

Digging into the analysis reveals the authors made almost every attempt to mislead analysis, using layered encryption/compression functions or keywords pertaining to other known APT groups. In the wild, most malware uses generic encryption algorithms such as XOR, DES and AES, or third-party libraries. Duqu 2.0, on the other hand, defines its own algorithms such as Camellia 256, AES and XXTEA, according to Kaspersky. In addition to using specific encryption and compression methods, the Duqu 2.0 platform utilizes “in-memory” backdoors rather than other persistence mechanisms. The attackers targeted servers with high uptime to ensure the foothold on the network would last. After installing backdoors, the attackers could deploy a number of pluggable modules. Some of the modules' capabilities are outlined below:

- WMI data collection
- Exfiltration and data encryption
- Able to search for specific files/folders
- Extensive system/user information collection
- File/directory manipulation
- Network and domain discovery
- MS SQL, Oracle DB and ADOdb discovery
- Sniffer (network reconnaissance)
- Document metadata extraction
- Emails, images, multimedia files, PDF, Office and archives

Network communication is also unique. Duqu 2.0 can append encrypted data to .gif or .jpeg image formats. Unlike the 2011 version of Duqu, which implemented a single user agent string, Duqu 2.0 selects a random user agent string from a table of 53 possibilities. By using network drivers, traffic can also be proxied through the victim's LAN.

In summary, actors such as the authors of Duqu 2.0 show that the state of nation-sponsored attacks is reaching new heights. With multiple zero-day exploits and in-memory techniques, Duqu 2.0 goes beyond the traditional aspects of commodity malware. We appreciate Kaspersky publishing its in-depth findings and offering a level of transparency rarely seen in most public reports.

For more information: https://threatpost.com/duqu-resurfaces-with-new-round-of-victims-including-kaspersky-lab/113237
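The "encrypted data appended to .gif or .jpeg" channel described above is detectable on the wire or at rest without knowing the encryption: an image has a well-defined end, and anything after it is payload. The checker below is an added example, not Kaspersky's or Rapid7's code, and it is not specific to Duqu 2.0; it walks the GIF block structure and the JPEG marker stream to find the real trailer (searching for the last `0x3B` or `FF D9` byte would be fooled by those bytes appearing inside the appended data) and reports how many bytes follow it. The sample images and the appended blob are constructed inline.

```python
"""Count bytes appended after an image's real end marker (added example)."""
import struct


def gif_payload_end(data: bytes) -> int:
    """Offset just past the GIF trailer (0x3B), found by walking the block structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header (6) + logical screen descriptor (7)
    packed = data[10]
    if packed & 0x80:                          # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))

    def skip_sub_blocks(p: int) -> int:        # length-prefixed sub-blocks end with a 0 byte
        while True:
            n = data[p]
            p += 1 + n
            if n == 0:
                return p

    while True:
        if pos >= len(data):
            raise ValueError("GIF truncated before trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: the real end of the image
            return pos
        if block == 0x21:                      # extension: one label byte, then sub-blocks
            pos = skip_sub_blocks(pos + 1)
        elif block == 0x2C:                    # image descriptor (9 bytes) + optional local table
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:
                pos += 3 * (2 << (packed & 0x07))
            pos = skip_sub_blocks(pos + 1)     # +1 skips the LZW minimum code size byte
        else:
            raise ValueError(f"unknown GIF block 0x{block:02x} at offset {pos - 1}")


def jpeg_payload_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9), found by walking the marker segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                     # EOI: the real end of the image
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers carry no length
            continue
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # segment length includes itself
        if marker == 0xDA:                     # SOS: entropy-coded data until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> int:
    """Bytes appended after the image's real end; 0 for a clean file."""
    try:
        if data[:3] == b"GIF":
            end = gif_payload_end(data)
        elif data[:2] == b"\xff\xd8":
            end = jpeg_payload_end(data)
        else:
            raise ValueError("unsupported image format")
    except IndexError as exc:
        raise ValueError("truncated image") from exc
    return len(data) - end


# Constructed samples: a 1x1 GIF and a minimal JPEG marker stream (not a decodable photo).
CLEAN_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # screen descriptor, 2-colour table
    + b"\x00\x00\x00\xff\xff\xff"                         # the two palette entries
    + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                 # graphic control extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)      # image descriptor
    + b"\x02\x02\x44\x01\x00"                             # LZW min code size + one sub-block
    + b"\x3b"                                             # trailer
)
CLEAN_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (16 bytes)
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                              # data with FF00 stuffing, RST0
    + b"\xff\xd9"                                                      # EOI
)
APPENDED = b"\x9c\x41constructed stand-in for appended ciphertext\x3b\xff\xd9\x7e"
```

Note that a non-zero result is a lead, not a verdict: some cameras and editors leave legitimate data after EOI, so the check is best paired with the other network indicators Kaspersky describes, such as the rotating user-agent table.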

Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts


According to the Ponemon Institute's 2014 Industry Report, 74% of security professionals claim incident investigation solutions lack integration with existing security products. UserInsight, our intruder analytics solution, now integrates with Palo Alto WildFire to provide user context and investigative tools for their advanced malware alerts.

What does user context mean? For incident alerts, monitoring solutions often provide the IP addresses or assets affected. However, as users connect to the corporate LAN, WiFi, and VPN, they are assigned many different IP addresses throughout a regular work day, and IP addresses are recycled regularly for other users. This means that when investigating an advanced malware alert, security teams often struggle to work out which person in the organization to follow up with. When retracing a single day of network activity often takes four hours of concentrated, sometimes painful effort, cutting right to a user-centric view means a much happier security team.

Our investigation tools combine with WildFire malware detection to quickly visualize the attacker's steps on the network. This includes intruders switching user identities, password guessing attempts, and suspicious access to critical assets, cloud services, or applications.

If you have UserInsight and WildFire set up, head to the UserInsight Collector page. As WildFire is primarily a software add-on, click Firewall Sources and make sure Palo Alto Networks Firewall is configured. As long as you are forwarding everything from the firewall, we will automatically parse the WildFire data. In addition to the malware alerts provided by WildFire, UserInsight provides detection of compromised credentials, so you're armed with all-round incident detection. You're done!

This integration is available now. If you have Palo Alto WildFire and are interested in learning more, join us for a Guided Demo or contact us. In case you're at the Palo Alto Ignite conference this week, please find us in the vendor area for a demo.

Top 3 Takeaways from the "Getting One Step Ahead of the Attacker: How to Turn the Tables" Webcast


For too long, attackers have been one step (or leaps) ahead of security teams. They study existing security solutions in the market and identify gaps they can use to their advantage. They use attack methods that are low cost and high return, like stolen credentials and phishing, which work more often than not. They bank on security teams being too overwhelmed by security alerts to be able to sift through the noise to detect their presence. In this week's webcast, Matt Hathaway explored what security professionals need to do to get ahead of attackers, whether by increasing the cost of attacks, catching attackers in their favorite hiding spots, or knowing how to recognize tools and techniques all attackers use. Read on for the top 3 takeaways from “Getting One Step Ahead of the Attacker: How to Turn the Tables”:

1) Attackers Have Gotten Creative – Defenders have progressed malware detection to the point where even newer and more innovative malware can get detected and blocked with a high success rate, which is great. However, success in this area pushes attackers to adopt more stealthy and creative tactics, often involving social engineering and user impersonation. Attackers study their targets, and will use spear phishing to get a foothold on an organization's network through its users. Once in, they can move from system to system by continuing to impersonate user activity. Attackers also understand things like how the average network is laid out, gaps they may be able to take advantage of, and where people generally have monitoring in place. Attackers don't even necessarily have to be too sophisticated to be successful; sometimes persistence will be enough.

2) Anomalous Activity is the Answer – Alliteration aside, it really is crucial for security professionals to be able to recognize what kind of user activity on their network is normal, and what is not. How many systems should each individual access, and how many do they actually access? What data is typically transmitted internally and externally by different groups in your organization? Have a baseline, a simple measurement of what constitutes normal access for the average user. The ability to access and review all the data for an individual, account, or system is also important for when something abnormal occurs and you need more context to determine whether the alert is valid. If you aren't monitoring for anomalous user behavior, it becomes harder and harder to detect an attack early enough to prevent data loss.

3) Don't Neglect Endpoints Nor The Cloud – The majority of user activity is happening on endpoints and in the cloud, and often this information isn't getting logged in a centralized place. The cloud provides a lot of convenience and productivity, but making things easier for users introduces more opportunities for attackers. If you don't know what cloud services your company is using or what people are doing in them, attackers have a way to get data out of an organization without even reaching the network. You must analyze behavior across cloud services and your endpoints so you don't miss any suspicious changes. Failure to monitor user behavior on endpoints and in the cloud creates major blind spots for security professionals.

Sometimes an indication of attack will tend towards the obvious, for example a vulnerability getting exploited or a port scan. However, a great deal of attacker behavior will be much more nuanced and stealthy. For the more in-depth discussion of how to spot attacker behavior and increase the cost of attacks to reduce risk: view the on-demand webcast now.
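Takeaway 2 above ("have a baseline of what constitutes normal access") and the Hammertoss post earlier on this page (an off-hours login alone produces "an unsurpassable mountain of false positive alerts") describe the same design problem from two sides. The script below is an added example, not UserInsight's logic or any Rapid7 code: it builds a per-user baseline of hosts and working hours from a constructed set of authentication events, then scores a new batch so that a single deviation (a user working late on their usual workstation) is not an alert, while a user touching several never-before-seen hosts outside their hours is. The log format, user and host names, and the two-indicator threshold are all constructed for the example.

```python
"""Per-user baseline with attacker-methodology context (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed authentication events: "<ISO time> user=<name> host=<name>".
BASELINE_EVENTS = """\
2015-08-03T09:02:11 user=alice host=ws-alice
2015-08-03T13:40:05 user=alice host=fs01
2015-08-04T17:55:30 user=alice host=ws-alice
2015-08-03T08:30:00 user=bob host=ws-bob
2015-08-04T10:15:42 user=bob host=db01
2015-08-05T16:20:09 user=bob host=ws-bob
""".splitlines()

NEW_EVENTS = """\
2015-08-08T23:10:00 user=alice host=ws-alice
2015-08-09T02:05:13 user=bob host=dc01
2015-08-09T02:06:40 user=bob host=fs02
2015-08-09T02:08:02 user=bob host=hr-share
2015-08-09T02:09:55 user=bob host=ws-alice
2015-08-10T11:00:00 user=carol host=ws-carol
""".splitlines()


def parse(line: str):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], host.split("=", 1)[1]


def build_baseline(lines) -> dict:
    """Per user: the hosts seen and the earliest/latest hour of activity."""
    profiles = {}
    for line in lines:
        ts, user, host = parse(line)
        p = profiles.setdefault(user, {"hosts": set(), "first_hour": 23, "last_hour": 0})
        p["hosts"].add(host)
        p["first_hour"] = min(p["first_hour"], ts.hour)
        p["last_hour"] = max(p["last_hour"], ts.hour)
    return profiles


def evaluate(lines, profiles: dict, spread_threshold: int = 3) -> tuple:
    """Return (alerts, unprofiled_users).

    An alert needs at least two independent indicators. 'off_hours' on its own is
    the late-night-report case; 'new_hosts' on its own is a new project. Together,
    or with 'lateral_spread' (many first-time hosts in one window, the pattern a
    credential-reusing intruder leaves), they are worth an analyst's time."""
    per_user = defaultdict(lambda: {"off_hours": False, "new_hosts": set()})
    unprofiled = set()
    for line in lines:
        ts, user, host = parse(line)
        p = profiles.get(user)
        if p is None:
            unprofiled.add(user)           # nothing to compare against yet: review, don't alert
            continue
        acc = per_user[user]
        if not p["first_hour"] <= ts.hour <= p["last_hour"]:
            acc["off_hours"] = True
        if host not in p["hosts"]:
            acc["new_hosts"].add(host)

    alerts = []
    for user, acc in sorted(per_user.items()):
        indicators = []
        if acc["off_hours"]:
            indicators.append("off_hours")
        if acc["new_hosts"]:
            indicators.append("new_hosts")
        if len(acc["new_hosts"]) >= spread_threshold:
            indicators.append("lateral_spread")
        if len(indicators) >= 2:
            alerts.append({"user": user, "indicators": indicators,
                           "new_hosts": sorted(acc["new_hosts"])})
    return alerts, sorted(unprofiled)
```

Running `evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` alerts on bob only: alice's 23:10 login is off-hours but on her own workstation, and carol has no baseline at all, so she is listed for review rather than alerted on. The hour window here is deliberately crude (a training set of six events); in production the baseline would be built over weeks and the indicators would include the cloud-service usage the Hammertoss post mentions.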

Weekly Metasploit Wrapup: On Insecure Updates


Updating Like It's 1999

Now, before I get started, let me just say that I love the folks over at Malwarebytes. They do a lot of good work, and I'm constantly recommending their products to my friends and family in those vulnerable times of need. And if that all sounds like an apology, it is. Sorry, guys. But dang.

This week, we have an exploit module from community contributor Gabor Seljan which exploits a design flaw in the way MalwareBytes handled updates prior to October of 2014. This flaw was reported by Yonathan Klijnsma in June of 2014. Turned out, the mechanism to check for updates was done entirely over cleartext, relying completely on trusting that this unauthenticated, unencrypted connection was legit.

In other words, a malicious actor -- say, a malware author -- could hijack the process that Malwarebytes used to check for updates by monkeying with anything in that trust chain -- the HTTP responses, the DNS resolution of MalwareBytes' content hosts, or simply by hijacking name resolution via a malicious entry in the local hosts file. By using that last technique, I'm able to quite reliably hijack the update process and drop a Meterpreter shell on the victim.

As shown here, sometimes there's a race, and MalwareBytes identifies my Meterpreter executable as a threat -- but I get the shell anyway. That's pretty fun. Also, once I've hijacked the update, I seem to have a permanent, respawnable shell. Any time I restart the Anti-Malware client, I execute my saved payload, and get a reconnect to my Metasploit listener. Even uninstalling and re-installing Anti-Malware in the usual way didn't seem to wipe my evil update. Only a revert to snapshot (as a VM) was doing the trick.

Now, if the malware is on the endpoint and has sufficient permissions, it can do whatever it wants, with or without this vulnerability. This attack is only reasonable if the attacker can poison DNS responses or interfere with the HTTP connection or otherwise meddle with the network traffic, without having to first get on the target. This is completely possible when the victim is on an untrusted local network, and that's a more difficult trick. But, even the local attack is much easier if there is no attempt at secure comms.

This brings up several concerns. First, if you're going to be operating in the hostile space of malware, you absolutely need to ensure that you're, at a minimum, using reasonably secure protocols for communication. In this day and age, it's pretty unconscionable to rely on plaintext for anything important. As Ian Goldberg said at his ShmooCon 2014 address, we need to get to a point where ciphertext is the default. There's really no excuse any more. Death to HTTP.

Another troubling thing here is that while CVE-2014-4936 was assigned, and the vulnerability was reported to the vendor, there seems to be no mention of this problem in MalwareBytes' release notes. It's customary to thank the discoverer there, but more importantly, to alert the user base that this is a real problem and they need to update, pronto. So, while Yonathan was thanked in the Hall of Fame, users don't appear to have been alerted. Even if they were, they would update normally... and are exposed to exactly the risk introduced by the vulnerability in the first place. It's a Catch-22 for sure, but MalwareBytes could and can mitigate this by offering some kind of offline update and announcement, and some hash signatures of a safe, manual update. So far, that doesn't seem to have happened. No release note, no announcement on Twitter, no sticky post on its forums... nothing. This is not a healthy response from a security-centered company.

I don't want to pick on MalwareBytes. Really, I don't. Everyone ships the occasional vulnerability. But if these guys, who are plenty smart and savvy to the ways of network and consumer security, dropped these particular balls, how do we expect non-expert software vendors to update and handle disclosure sensibly? We need to knock this cleartext business off for starters, that much is sure. Then, let's get some kind of consistency around communicating updates, especially in the face of bugs in the updaters themselves.

New Modules

In addition to the Anti-Malware exploit, we have ten new modules since the last Wrapup blog, including a new sandbox escape exploit for Microsoft Internet Explorer, MS15-004, implemented by our own Juan Vazquez. That's a pretty big deal -- you can read up on that over at TrendLabs.

Exploit modules

- Wordpress Pixabay Images PHP Code Upload by h0ng10 exploits OSVDB-117146
- Remote Code Execution in Wordpress Platform Theme by Christian Mehlmauer and Marc-Alexandre Montpas
- Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution by todb, Gabor Seljan, and Yonathan Klijnsma exploits CVE-2014-4936
- MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape by juan vazquez, Henry Li, and Unknown exploits CVE-2015-0016

Auxiliary and post modules

- ManageEngine Multiple Products Arbitrary Directory Listing by Pedro Ribeiro exploits CVE-2014-7863
- ManageEngine Multiple Products Arbitrary File Download by Pedro Ribeiro exploits CVE-2014-7863
- WordPress XMLRPC GHOST Vulnerability Scanner by Chaim Sanders, Christian Mehlmauer, Christophe De La Fuente, Felipe Costa, Jonathan Claudius, Karl Sigler, and Robert Rowley exploits CVE-2015-0235
- Windows Escalate Golden Ticket by Ben Campbell
- Windows Gather Active Directory Users by Ben Campbell and Carlos Perez
- Windows Gather User Credentials (phishing) by Matt Nelson and Wesley Neelen
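The trust chain the post describes (HTTP responses, DNS, the hosts file) is easiest to reason about with the two client designs side by side. The code below is an added example written for this page, not Malwarebytes' updater or the Metasploit module: an "insecure" client that installs whatever the network hands it, next to a hardened client that insists on HTTPS, verifies the manifest's authenticity, refuses rollbacks, and checks the package hash the manifest promised. The network is simulated by a dict lookup so it runs offline; the `updates.example` URLs, version numbers and package bytes are constructed, and the vendor key is a stand-in for a real code-signing key pair (HMAC keeps the example inside the standard library, but a shipped updater must use a public-key signature so the client holds no secret).

```python
"""Insecure vs. hardened software-update check (added example)."""
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised by the hardened client when any link in the trust chain fails."""


# Constructed sample data; VENDOR_KEY stands in for a code-signing key pair.
VENDOR_KEY = b"constructed-vendor-signing-key"
GOOD_PKG = b"constructed legitimate update binary"
EVIL_PKG = b"constructed attacker-supplied executable"
MANIFEST_URL = "https://updates.example/manifest.json"


def canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(version: str, package_url: str, package: bytes, key: bytes) -> bytes:
    """Vendor side: describe the package, then authenticate that description."""
    payload = {"version": version, "package_url": package_url,
               "sha256": hashlib.sha256(package).hexdigest()}
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "mac": mac}).encode()


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def check_update_insecure(fetch, manifest_url: str) -> bytes:
    """Cleartext-era client: whatever the network returns gets installed."""
    manifest = json.loads(fetch(manifest_url))["payload"]
    return fetch(manifest["package_url"])


def check_update_hardened(fetch, manifest_url: str, key: bytes, installed: str):
    """Check transport, manifest authenticity, freshness, then the package hash."""
    if urlparse(manifest_url).scheme != "https":
        raise UpdateRejected("manifest must be fetched over HTTPS")
    doc = json.loads(fetch(manifest_url))
    payload = doc["payload"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(doc.get("mac", ""))):
        raise UpdateRejected("manifest signature invalid")
    offered, current = version_tuple(payload["version"]), version_tuple(installed)
    if offered < current:
        raise UpdateRejected("offered version is older than installed (rollback)")
    if offered == current:
        return None                                  # already current, nothing to do
    if urlparse(payload["package_url"]).scheme != "https":
        raise UpdateRejected("package must be fetched over HTTPS")
    package = fetch(payload["package_url"])
    if hashlib.sha256(package).hexdigest() != payload["sha256"]:
        raise UpdateRejected("package hash does not match manifest")
    return package


def _network(package: bytes, key: bytes):
    """Simulated resolver+server: every updates.example URL serves one party's content."""
    manifest = make_manifest("1.75.0.1300", "https://updates.example/update.bin", package, key)
    urls = {}
    for scheme in ("http", "https"):
        urls[f"{scheme}://updates.example/manifest.json"] = manifest
        urls[f"{scheme}://updates.example/update.bin"] = package
    return urls.__getitem__


def honest_network():
    return _network(GOOD_PKG, VENDOR_KEY)


def poisoned_network():
    """Hosts-file or DNS hijack: the attacker answers for updates.example but has no vendor key."""
    return _network(EVIL_PKG, b"attacker does not hold the vendor key")


def hardened_outcome(fetch, installed: str, manifest_url: str = MANIFEST_URL) -> tuple:
    try:
        return ("installed", check_update_hardened(fetch, manifest_url, VENDOR_KEY, installed))
    except UpdateRejected as exc:
        return ("rejected", str(exc))
```

With a real TLS stack the hosts-file hijack would already fail at certificate validation, which is the post's "ciphertext by default" point; the manifest signature and hash check are what still hold when the transport is compromised by something that does present a trusted certificate, such as an enterprise proxy CA on the endpoint. The rollback check addresses the other attack the post hints at: replaying an old, genuinely signed manifest to push a client back onto a vulnerable release.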

"Skeleton Key" Exhibits Increased Blending Of Credentials And Malware

Dell SecureWorks published a very informative blog this week about a new type of malware they have appropriately labeled "Skeleton Key". Our community manager quickly wrote a note of appreciation for setting a great example through disclosure and a quick mitigation strategy that every security professional should read. Between these two blog posts, detecting the malware and responding should be possible for any organization leveraging YARA rules in their detection solutions. In this spirit, the UserInsight team wants to help you detect an attack before and after this malicious software is used.

Between the malware used against Sony and this new malicious innovation, we can see three trends emerging:

1. Attackers are continually using malware as a tool in combination with interactive "hacker tools" to effectively operate within our networks.

2. Malware developers are continuing to automate previously manual [yet highly common] techniques to use compromised credentials without any concern of being discovered by traditional detection tools.

3. We have to overestimate attackers' ability to innovate or we will continue to reactively mitigate their new techniques.

As I have previously discussed, more than half of the malicious actions that occur on our networks do not involve malware. In SecureWorks' excellent description of observed events surrounding Skeleton Key's operation, this fact was highly evident. If you want to detect an intruder's actions before and after the Skeleton Key DLLs would trigger your YARA-based alerts, you need effective detection for the use of stolen credentials on your network.

Pre-deployment

According to the post, Dell observed five key behaviors involving compromised credentials prior to the malware's deployment. To expand on one of Tod's points, this malware requires domain administrator credentials to install the software on your domain controller. This makes it even more challenging than exploiting the Kerberos vulnerability disclosed by Microsoft in late November. An intruder needs to remain undetected while successfully compromising your perimeter, learning your network, accessing multiple assets, and moving to a critical system on which a domain administrator's credentials can be obtained.

Then, after all of these malicious activities, the domain controller needs to be accessed, followed by more uses of credentials:

Prior to logging off from the domain controller, the attacker takes a final action with the creds:

To contain one of these attacks early, it is essential that you have a solution like UserInsight that understands your users' typical behavior across all systems to which someone has access. From local accounts to unprivileged domain accounts to administrator impersonations, these established baselines are necessary for recognizing an intruder laterally moving through your network toward a domain controller on which Skeleton Key can be deployed. If you focus all of your detection efforts on the domain controller, you're providing intruders with a long-term testing ground in which to operate.

Post-deployment

If you recognize that you could miss the Skeleton Key deployment and don't want to rely on domain replication issues as your primary indicator of Skeleton Key's existence on a domain controller, the following statement demonstrates more detection challenges:

This is a perfect example of attackers taking advantage of the high level of noise on our networks to obscure their actions. It is likely that your user accounts are being legitimately used on multiple systems simultaneously, but it is unlikely to drastically deviate from established norms. For this reason, thorough anomaly detection for the activity of your network's entire user population is the only effective way to spot an intruder using the "skeleton key" password to quietly probe assets for valuable data.
Additionally, if you leverage a series of decoys, or as we call them, "honey users", you may identify an intruder using the "skeleton key" to authenticate on the network. Don't wait until the data leaves your network. Focus on their earliest actions on your network to prevent it from ever getting that far. To learn more about UserInsight and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. I expect you'll quickly see how it complements your malware detection solutions for comprehensive coverage of the indicators that an intruder is inside.
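The three detection ideas in this post (baseline each account's normal hosts and alert on the lateral move toward a domain controller, alert on any logon by a "honey user", and treat a direct domain controller logon by an account that has no business there as a signal in its own right) fit in a few dozen lines once logon records are in hand. The code below is an added example, not UserInsight and not anything from the SecureWorks write-up. The logon records, the account and host names, the honey account and the allowlist of accounts permitted on domain controllers are all constructed for the demo; the record shape loosely follows a successful-logon event but is an assumption, as is the one-hour window and the three-new-hosts threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed environment (assumptions for the demo).
HONEY_USERS = {"hr_honey"}                 # decoy accounts nobody should ever use
DC_HOSTS = {"DC01", "DC02"}                # domain controllers
DC_ADMINS = {"svc_backup", "da_oncall"}    # accounts allowed to log on to a DC


def logon(ts: str, user: str, host: str) -> dict:
    """One successful logon record (constructed; not real telemetry)."""
    return {"time": datetime.fromisoformat(ts), "user": user, "host": host}


def build_baseline(events: list) -> dict:
    """Map each account to the hosts it authenticated to during a training window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["user"]].add(ev["host"])
    return dict(baseline)


def detect(events: list, baseline: dict, honey_users=HONEY_USERS,
           dc_hosts=DC_HOSTS, dc_admins=DC_ADMINS,
           new_host_threshold: int = 3, window: timedelta = timedelta(hours=1)) -> list:
    """Return (kind, user, detail) alerts for the live events, in time order."""
    alerts = []
    recent = defaultdict(list)   # user -> [(time, host)] logons to non-baseline hosts
    fired = set()                # users already reported for lateral movement
    for ev in sorted(events, key=lambda e: e["time"]):
        user, host, t = ev["user"], ev["host"], ev["time"]
        # Any use of a decoy account is an intruder trying credentials.
        if user in honey_users:
            alerts.append(("honey_user_logon", user, host))
            continue
        # Direct DC logons by accounts outside the allowlist violate access policy.
        if host in dc_hosts and user not in dc_admins:
            alerts.append(("unexpected_dc_logon", user, host))
        # Hosts the account normally uses are not interesting.
        if host in baseline.get(user, set()):
            continue
        # Slide the window and count distinct new hosts touched inside it.
        recent[user] = [x for x in recent[user] if t - x[0] <= window] + [(t, host)]
        new_hosts = sorted({h for _, h in recent[user]})
        if len(new_hosts) >= new_host_threshold and user not in fired:
            fired.add(user)
            alerts.append(("lateral_movement", user, ",".join(new_hosts)))
    return alerts


def sample_events():
    """Constructed training and live logons for the demo."""
    training = [
        logon("2015-01-05T08:55:00", "alice", "WS-ALICE"),
        logon("2015-01-06T09:01:00", "alice", "WS-ALICE"),
        logon("2015-01-06T09:30:00", "alice", "FS01"),
        logon("2015-01-05T08:58:00", "bob", "WS-BOB"),
        logon("2015-01-07T10:12:00", "bob", "FS01"),
        logon("2015-01-07T02:00:00", "svc_backup", "DC01"),
    ]
    live = [
        logon("2015-01-13T09:00:00", "alice", "WS-ALICE"),   # normal
        logon("2015-01-13T09:05:00", "alice", "WS-HR07"),    # new host 1
        logon("2015-01-13T09:10:00", "alice", "WS-FIN02"),   # new host 2
        logon("2015-01-13T09:20:00", "alice", "SRV-DB01"),   # new host 3 -> alert
        logon("2015-01-13T09:30:00", "alice", "DC01"),       # not a DC admin -> alert
        logon("2015-01-13T10:00:00", "bob", "FS01"),         # normal
        logon("2015-01-13T11:00:00", "hr_honey", "WS-HR07"), # decoy used -> alert
        logon("2015-01-13T12:00:00", "svc_backup", "DC01"),  # allowed, normal
    ]
    return training, live


def run_demo() -> list:
    training, live = sample_events()
    return detect(live, build_baseline(training))


if __name__ == "__main__":
    for kind, user, detail in run_demo():
        print(f"{kind:22s} {user:12s} {detail}")
```

Note that none of the three rules look at the domain controller's files or at replication health; they fire on credential use well before (and, for the honey user and the unexpected DC logon, after) the DLL would trip a YARA rule. In a real deployment the baseline would be rebuilt on a rolling window rather than a fixed training list, and the threshold tuned per account type, since service accounts and help-desk staff legitimately touch many hosts.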

Empowering practitioners, exposing Skeleton Key

This week, the Dell SecureWorks Counter Threat Unit (CTU) disclosed that it discovered a strain of malware that can bypass single-factor authentication on Microsoft Active Directory (AD) systems to access various remote access services while authenticated as any user. The research team discovered this malware, dubbed "Skeleton Key", while working on an incident response case, and they published their findings on a blog post today.

The malware itself is interesting, because while it can affect major systems once it's up and running, it has two major flaws that we can see right now:

One, in order for Skeleton Key to work effectively, the attacker needs to already have domain admin credentials in hand. In that case, there's clearly a problem regardless of whether this malware is deployed, as there's already plenty of opportunity for the attacker to poke around and explore other attack vectors.

Two, Skeleton Key can't survive a reboot. Theoretically, domain controllers aren't rebooted that often, but this lack of persistence should still be noted.

Rapid7's Tod Beardsley (@todb) took a look at SecureWorks' advisory on Skeleton Key and gave his take on how this malware might be used by an attacker: "A domain administrator account has plenty of opportunity to collect password hashes across the entire domain – if those passwords are weak enough (and most are), they can be cracked offline at the attacker's leisure. My guess is that Skeleton Key is designed to be part of a longer-term access persistence campaign. It feels like a temporary measure to retain access while the business of password cracking happens offline, and the attacker can return later with now-known passwords."

Tod's advice for any organization that finds Skeleton Key present in its environment is to rotate all user and service account passwords -- ideally on the same day -- and to review its access policies for direct AD domain controller logins. So what else is notable here?
Certainly the malware itself has interesting capabilities, and again we urge anyone interested in the analysis to read SecureWorks' excellent and detailed blog post. But we also wanted to applaud the overall approach here. The very fact that the SecureWorks CTU discovered this malware while on incident response for a private organization, and then also shared their analysis with the security community, is an excellent example that hopefully more will follow. Information sharing in our industry helps us all more easily protect our customers and our data. The fact that the Dell team gave so much specific, meaningful, and actionable detail about this malware and its contextual behavior enables security teams everywhere to be much more effective. Kudos to the Dell SecureWorks CTU for showing how information disclosure strengthens us all, and we hope this is a practice more organizations adopt across our industry. - @mvarmazis

Won't Someone Think of The AV Vendors?

Got Too Many Shells?

Since the release of Metasploit 4.9, have you, the dedicated and resourceful penetration tester, been having a problem with being too successful at skipping past the defender's detection efforts? Are you getting too many shells? Maybe you're getting a little embarrassed for the IT guys who are wondering what the heck just happened to their anti-virus protections.

If that's the case, I have some good news! As of today, April 1, 2014, Metasploit is pleased to announce an entirely new feature for penetration testers: Anti-Virus Attraction!

Anti-Virus Attraction

Turns out, we're just too darn evasive for many-to-most AV solutions. So, in order to level the playing field between the penetration testers and the AV vendors, Metasploit Framework has extended the payload encoders and the executable generators to be a little less evasive by including some easy-to-detect data in our payloads. Well, a lot less.

After several high level meetings and some deep-dive research in the field of malware detection, we've come up with a plan to address this too-successful problem. As of today, we now ship both the generic/eicar payload encoder (which works across all platforms) and the EXE::EICAR static executable generator (Windows-only).

Detection: Not Quite 100%

I'm pretty pleased with the results. Check out our VirusTotal hit rate:

As you can see, 49 out of 51 malware detection solutions successfully pick up EICAR. We're working on ensuring those last two are able to detect Metasploit as well -- if you know anyone over there, you might drop them a line and ask how you can help.

Usage

The usage is straightforward. For example, here's how to encode any given payload to EICAR-compliance using the command line tool msfvenom:

Note the size reduction, by the way -- the encoded payload is merely 68 bytes, which is 227 bytes smaller. A 77% savings in payload size is nothing to sneeze at!

Generating a Windows EXE for any compatible Windows exploit is similarly easy -- just set the EXE::EICAR or MSI::EICAR option to true, and you'll be using the new static executable generator instead of the souped-up dynamic one.

Note: while these payloads and binaries are quite real and quite functional, actually using them will certainly ruin any chance of getting a working shell, since the EICAR test file standard does not allow for any kind of useful extension for functional requirements like opening network sockets. Oh well, it's a sacrifice.

So, if you've been having such a good run that you just have too many shells, and you feel like you need to throw a bone to defenders, give the EICAR transforms a whirl. This new feature is available today in the Metasploit Framework as of Pull Request #3168, and will be coming soon in an update of Metasploit Pro and Community editions -- in the meantime, download your free 7-day trial of Metasploit Pro today.

If you happen to be more interested in AV evasion (how lame!) than AV attraction (yay!), join AV black belt ninja Dave Maloney on his free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro":

Register for Americas time zone & on-demand
Register for European time zone
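The 68 bytes quoted above are exactly the length of the EICAR test string, and the "no useful extension" limitation comes straight from the EICAR standard: a file counts as the test file only when the string occupies its first 68 bytes, followed by nothing but whitespace, with the whole file no longer than 128 bytes. That is a useful thing to know on the defending side too, because a homegrown scanner (a mail gateway filter, an upload hook) that claims EICAR support should match the spec rather than grep for the string anywhere. The block below is an added example and not code from the Metasploit encoder or from any AV product; the sample blobs are constructed for the demo.

```python
# The 68-byte EICAR test string, as published by EICAR. It is split across two
# literals only so that this source file does not itself start with the string
# (the standard keys on the string being at offset 0 of the file).
EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (EICAR_HEAD + EICAR_TAIL).encode("ascii")

# Trailing characters the standard permits: space, tab, LF, CR and CTRL-Z.
EICAR_WHITESPACE = b" \t\n\r\x1a"
EICAR_MAX_LEN = 128


def make_eicar(padding: bytes = b"") -> bytes:
    """Build the test file in memory, optionally with trailing padding."""
    return EICAR + padding


def is_eicar(data: bytes) -> bool:
    """True only if `data` is an EICAR test file per the standard's rules."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_WHITESPACE for b in data[len(EICAR):])


def scan_blobs(blobs: dict) -> list:
    """Return the names of the blobs a spec-compliant scanner would flag."""
    return [name for name, data in blobs.items() if is_eicar(data)]


def scan_samples() -> list:
    """Constructed samples: two real test files and three near-misses."""
    samples = {
        "eicar.com": make_eicar(),                      # the 68-byte file itself
        "eicar-padded.com": make_eicar(b"\r\n  "),      # allowed trailing whitespace
        "embedded.bin": b"MZ" + make_eicar(),           # string not at offset 0
        "too-long.com": make_eicar(b" " * 61),          # 129 bytes exceeds the cap
        "readme.txt": b"this file merely mentions EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    }
    return scan_blobs(samples)


if __name__ == "__main__":
    print("EICAR length:", len(EICAR))   # 68, matching the size quoted in the post
    print("flagged:", scan_samples())
```

The near-misses are the interesting cases: an EICAR string embedded after other bytes, or followed by anything that is not whitespace, is explicitly not a test file, which is exactly why the post's EICAR-encoded payloads can never carry anything that opens a socket. Everything stays in memory here; writing the real file to disk is the intended way to test a deployed product's on-access scanning, and any decent AV will react to that immediately.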