Tuesday, September 4, 2018

Windows - Remote Kernel Crash Vulnerability

This kernel crash vulnerability was discovered by FortGuard Lab

This vulnerability is identified as CVE-2018-1040. Windows 10, Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows Server 2016 are affected by this vulnerability and Microsoft has already released an advisory containing the fix for this vulnerability.

Honggang Ren from FortiGuard says "The vulnerability discovered can be triggered by remotely downloading a crafted .dll or .lib file on Windows from a website or SMB share. When using IE or Edge to download the file and save it, a Windows kernel pointer dereference to an invalid address is executed. As a result, a Windows Bugcheck (Kernel crash) occurs. On Windows 10, after the system is rebooted, a kernel crash occurs when users login it. This results in the Windows 10 kernel crashing in a loop."

For more detail please visit

https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html

Sunday, September 2, 2018

SIEM - Double the Infection, Double the Fun - Malware of it's Kind


Cobalt Group, also known as TEMP.Metastrike, targets financial organizations with the use of ATM malware. They are believed to be responsible for a series of attacks on the SWIFT banking system. A new campaign from this group utilize targeted attacks using spear phishing messages to gain entry and uses tools that can bypass Window’s defenses.

Findings

  • Two phishing targets are found.
    • NS Bank (Russia)
    • Banca Comercială Carpatica / Patria Bank (Romania)
  • One phishing email contains two malicious URLs.
    • The first one is a weaponized Word document.  The document contains obfuscated VBA scripts as opposed to known CVEs used in parallel to this campaign.
    • The second one is a binary with a jpg extension.
  • The binaries analyzed contained two unique C2 servers we believe are owned and operated by the Cobalt hacking Group.

SIEM and Correlation
Use your SIEM tool to find out if you are infected with this malware. You can use following indicator of Compromise to determine the infection. For more detailed information regarding the malware please follow the link at the end.

IOCs 

Hash
10D044BC5B8AE607501304E61B2EFECB – CobInt
d017bf9f6039445bfefd95a853b2e4c4 – COOLPANTS
616199072a11d95373b3c38626ad4c93 – Coblnt/COOLPANTS (ASERT Sample)
d3ac921038773c9b59fa6b229baa6469 – Email
61e3207a3ea674c2ae012f44f2f5618b – Document00591674.doc
e368365bece9fb5b0bc8de1209bab694 – DLL File
3452903fc857fb98f4339d7ce1884099 – CobInt/COOLPANTS (ASERT Sample)
9a87da405a53eaf32f8a24d3abb085af – id02082018.jpg (UPX Unpacked)
f3bb3e2c03f3976c107de88b43a22655 – id02082018.jpg (UPX Packed)
a3b705ce3d677361a7a9b2b0bdf04a04 – Email (carpatica) attachment
eb93c912e4d3ecf52615b198c44771f4 – Email (carpatica)
9270ac1e013a3b33c44666a66795d0c0 – Email (carpatica)Downloaded
1999a718fb9bcf3c5b3e41bf88be9067

URL
hxxps://help-desc-me[.]com
hxxps://apstore[.]info
hxxps://rietumu[.]me
hxxps://ww3.cloudfront[.]org[.]kz
hxxp://download.outlook-368[.]com
hxxps://ibfseed[.]com

Email Domain
compass[.]plus
eucentalbank[.]com
europecentalbank[.]com
protonmail[.]com
inter-kassa[.]com
unibank[.]credit
sepacloud[.]eu
sepa-cloud[.]com

For Detailed info: https://asert.arbornetworks.com/double-the-infection-double-the-fun/

Tuesday, August 28, 2018

Windows - Zero-Day Vulnerability Disclosed with PoC


Un-patched Windows Zero-Day Vulnerability (With PoC) is disclosed by a hacker. Here's what he wrote in a tweet


This publicly disclosed details of zero-day vulnerability in Microsoft's Windows OS can help local user obtain system level privileges on the target machine. This means any malicious application can levarage this vulnerability and get involved in privilege escalation. It is to be noted that this flaw is confirmed to work on "full patched 64-bit Windows 10 OS and Windows Server 2016 systems".

This privilege escalation issue occured because of errors in the way of handling Advanced Local Procedure Call (ALPC) systems and resides in Windows' task scheduler. ALPC is used to facilitate secure and high speed data transfer between one or more processes in the user mode.

Link to gitHub page that provide proof of concept (PoC) is as follows


Thursday, August 23, 2018

SIEM - Critical Remote Code Execution Vulnerability - Apache Struts


The popular open source framework for developing Java-based web apps, Apache Struts, is affected by a very critical remote code execution vulnerability that could allow remote attackers to run malicious code on the affected servers. It is recommended that every organizations and developers who use Struts should upgrade their Struts components immediately.

CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected by this vulnerability, and that the unsupported versions of the framework may be also affected.

The vulnerability can be exploited only if the alwaysSelectFullNamespace flag is set to true in the Struts configuration and if the application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g., “/*”).

Upgrade to (the fixed) Apache Struts version 2.3.35 or 2.5.17 as soon as possible.

Use SIEM to detect if you are affected by this vulnerability.

1. Carry out vulnerability scan of your network.
2. Use vulnerability fetcher in your SIEM to pull logs from VM tool.
3. Check to see if CVE-2018-11776 is present in the scan result
4. Create an alert using query as cve_id="*CVE-2018-11776*" to get an alert if you are vulnerable

Wednesday, August 22, 2018

SIEM - Dark Tequila Malware Detection


Dark Tequila Malware Steals Financial Information and Login Details of Popular Websites.

Attackers use online spear-phishing and the offline infection through USB device to deliver the malware. The threat actors behind Dark Tequila carefully monitor’s it’s activities, if any user installs the malware outside of Mexico then the attackers uninstall the malware remotely.

Use SIEM to detect this Malware.
To detect this malware create an alert rules or correlation based on following IoCs.

Indicator of Compromise (IoCs)

Reference hashes:

  • 4f49a01e02e8c47d84480f6fb92700aa091133c894821fff83c7502c7af136d9
  • dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47

Reference C2s:

  • https://46[.]17[.]97[.]12/website/
  • https://174[.]37[.]6[.]34/98157cdfe45945293201e71acb2394d2
  • https://75[.]126[.]60[.]251/store/

Windows - Remote Kernel Crash Vulnerability

This kernel crash vulnerability was discovered by FortGuard Lab .  This vulnerability is identified as CVE-2018-1040 . Windows 10, Wind...