Downclimb

2016.09.11

RSS feed

Downclimb: Summit Route's Weekly Infosec News Recap
2016.09.04 – 2016.09.11: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com

Quotes

"Incomplete patches are very common from Apple, Adobe & MS. Patch diffing gives more 0days than fuzzing or RE. New patch = free 0days!" Chaouki Bekrar

 

Top stories

100 Downclimbs

This issue is the 100th Downclimb I've written, and also marks it's 2 year anniversary. This side-project has been a success, as people have told me it's helped them catch up on what's happened and given them insights. Downclimb is as much a summary of the week's infosec news, as it is a diary of my own concerns about what is happening. My own career and interests have progressed along with Downclimb, as I've gone from being a vendor, to a member of a security team in a mature company, to recently head of security at a small startup. Here's to many more Downclimbs to come!

OPM breach report

The U.S. House Oversight & Government Reform Committee released a 241 page analysis of the OPM breach, giving a timeline of what happened and many previously undisclosed details. Some facts from the report follow, with my comments in italics.

  • In May 2012, at least part of the OPM database had already been stolen by a group affiliated with Anonymous (p. 35). 2012 is also when the major breach is believed to have begun, as Hikit malware had remained on the servers since then. Malware used included Hikit, PlugX, xcmd (psexec alternative), and WCE (Windows Credentials Editor).
  • The initial warning came from a third-party to the DHS that they were seeing OPM data being exfilled, that was passed on March 20, 2014.
  • A Websense firewall discovered the C2 servers by accident, because it was causing cert errors for the firewall, which was performing SSL decryption (Page 95).
  • Attackers registered and used the domains opmsecurity[.]org, opm-learning[.]org, and others for their C2. Some of these C2's were discovered by ThreatConnect when it was investigating the Anthem breach.
    • There are services for brand protection that will alert you when domain registrations like this occur, which are also valuable to monitor as they can be used in phishing attacks or in this case to try to hide C2 comms.
  • After deploying an AV, it was discovered that across 10K systems, 2K (20%) were infected.
    • This is ridiculous both for OPM and for the attacker. The attacker shouldn't have infected so many systems. However, it may have helped them hide because if 20% of your systems are running the same software, you'll likely expect that to be default software.
  • The attackers looked for data in public file shares within the corp network. They took manuals describing the network in order to advance further.
    • Follow the BeyondCorp strategy and don't trust your internal network. Also restrict access to all data.
  • The attackers worked between 10pm and 10am.
    • Alert on activity during strange hours for employees. Some will cause False Positives.
  • OPM was monitoring the attacker on the network for 2 months, as they took sensitive data, as opposed to trying to kick them out, but when they did decide to kick them out, there was already another, separate, attacker in their networks. They were able to monitor the attacker because the attacker's tool used a 4-byte XOR key to obfuscate it's network traffic, so they were able to decode that and watch what the attacker did, which included installing key loggers on the database admin's workstations, at which point they decided to kick the attackers off, in an operation they called "Big Bang".
  • Page 61 indicates that after the "Big Bang", both Mandiant and the NSA's blue team were sweeping the network, including pulling drives for forensics, and confirmed the network was clean, while there was another attacker still there.
    • *Knowing the TTPs of one attacker may help give you assurance that you've removed them, but they may have other backdoors, or there still may be another attacker. For example, page 160 mentions other C2 domains used, which varied depending on the server that was infected. Further, even if you get the "all clear" from outside resources, you still need to be vigilant."
  • The malware was made to look like McAfee antivirus software, which led to it's detection because OPM doesn't use McAfee (Page 97).
    • Learn what is on your network, and investigate things like this that look out of place.
  • The attackers set up RDP sessions to and from a SQL Server to move laterally.
    • Seeing an outbound RDP connection from a SQL Server should be cause for alarm. Know what connections your servers normally make.
  • Encrypted RAR files were found of some of the exfiltrated data on OPM's systems.
    • Americans rarely use RAR, so seeing it should generate alarms.

Business

  • Intel spinning off McAfee: Intel purchased McAfee for $7.7B in August 2010, and is now spinning it off, resulting in a valuation of McAfee of now only $4.2B.

Conference materials and publications

Tools

  • kristovatlas/osx-config-check: I have not been actively maintaining my own tool osxlockdown, so I recommend looking at this project which has taken some of the same concepts and improved them along with additional checks. As with any tool like this, the checks are opinionated and may not make sense for your environment or preferences.

Other reads

  • Angular 1.6 - Expression Sandbox Removal: The Angular web framework is removing it's sandbox, which was not working sufficiently to protect developers, and thereby forces them to properly handle user input.
  • Snagging creds from locked machines: This trick uses the WPAD issue on Windows to collect NTLM hashes, which means that despite the author referring to these as creds, they still need to be cracked. The WPAD issue is an unfortunate default of Windows that should be disabled. The point of the article is to show that instead of an attacker getting on a network to use the WPAD issue against victims, the attacker can instead create a network and force the victim onto it by physically inserting a USB onto the victim machine that acts a network device. The author also mentions this affecting macOS, but that doesn't seem to be a default configuration, as the results have not been duplicated.
  • Alleged vDOS Proprietors Arrested in Israel: What I found interesting from this Kreb's article was how it mentioned a company that was under attack from a DDoS, used BGP hijacking to defeat the attack.
  • How I hacked your CFP: Andreas Lindh shows a bug in the usage of the Sentry library used by a PHP app, which seems to be a common mistake that affects others as well.
  • APT Group Rosetta Stone: This spreadsheet lists the different APT group names used by different vendors, along with operation names, to help you understand who vendors are talking about.
  • Analysis of ShadowBroker JETPLOW implant for Cisco ASA and PIX: Russian post.
  • House of Keys: 9 Months later... 40% Worse: 9 months ago SEC Consult found that 3.2M devices on the web were using known private keys for HTTPS server certificates. Despite the company working with CERT/CC to talk with these vendors, the number of devices with this problem has gone up to 4.5M now, a 40% increase, driven by the trend of IoT-enabled products and the inability of vendors to provide patches.
  • A bite of Python: Common security issues and other quirkiness of Python.