Week in review

AUSCERT Week in Review for 7th July 2017

AUSCERT Week in Review for 7th July 2017 As Friday 7th July comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: Westpac joins Swift blockchain testDate Published: 06/07/2017URL: https://www.itnews.com.au/news/westpac-joins-swift-blockchain-test-467746Author: Staff Writers Excerpt: “Second Aussie bank after ANZ to take part.Westpac has become the second Australian bank to join a proof-of-concept by payment messaging service Swift that aims to test blockchain for facilitating cross-border payments.It is one of 22 global banks to join the PoC today, adding to the six foundational banking participants, one of which is ANZ Bank.” —–Title: Microsoft to cut ‘thousands’ of jobsDate Published: 07/07/2016URL: http://www.bbc.com/news/business-40523172Author: BBCExcerpt: “Microsoft is to cut “thousands” of jobs worldwide as it attempts to beef up its presence in the cloud computing sector.The technology giant wants to strengthen its cloud computing division but is facing intense competition from rivals such as Amazon and Google.” —–Title: Australia stuck with higher cost of deploying FttP: NBN CoDate Published: 06/07/2017URL: https://www.itwire.com/telecoms-and-nbn/78880-australia-stuck-with-higher-cost-of-deploying-fttp-nbn-co.htmlAuthor: Peter DinhamExcerpt: “NBN Co, the builder of the national broadband network, has moved to defend the higher costs of deploying fibre-to-the-premises in Australia and “set the record straight” on recent media claims about the local cost of FttP compared to other operators around the world.” —–Title: Ukrainian police seize computers that spread global NotPetya attackDate Published: 05/07/2017URL: http://www.itworld.com/article/3205810/malware/ukrainian-police-seize-computers-that-spread-global-notpetya-attack.htmlAuthor: Peter Sayer Excerpt: “Ukraine’s Cyber Police have intervened to prevent further cyberattacks in the wake of last week’s global attack, initially considered to be ransomware and called by various names including NotPetya.” —–Title: Govt blames Medicare card breach on ‘traditional’ crimsDate Published: 04/07/2017URL: https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502Author: Allie Coyne Excerpt: “Not wide-scale, and no IT breach, says minister. The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1655 – [SUSE] Xen: Multiple vulnerabilities 2017-06-30https://portal.auscert.org.au/bulletins/49486Quite a few Xen Vulnerabilities, if you are running Xen it is time to check for updates. 2) ESB-2017.1659 – [Debian] libgcrypt20: Unauthorised access – Existing account 2017-07-03https://portal.auscert.org.au/bulletins/49510Side channel attacks are getting rather popular. 3) ESB-2017.1676 – [SUSE] sudo: Root compromise – Existing account 2017-07-05https://portal.auscert.org.au/bulletins/49570Regression fix for CVE-2017-1000368, this has been repeated in a few products. 4) ESB-2017.1682 – [Win][UNIX/Linux] samba: Denial of service – Remote/unauthenticated 2017-07-06https://portal.auscert.org.au/bulletins/49594Remote Samba denial of service, that has to be able to affect a lot of people. —- Stay safe, stay patched and have a good weekend! Peter

Learn more

Major security incidents

Wannacry ransomware incident

Wannacry ransomware incident [For a short version of this alert, please read just the THREAT and RECOMMENDED ACTION sections below] UPDATE 1: Microsoft published a blog that will serve as their centralized resource for these attacks. [10], and have made patches available for previously unsupported systems. There is now no reason NOT to patch “we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download” [10] UPDATE 2: see APPENDIX for scripts to find vulnerable systems in your network and also to also identify infected systems in your network UPDATE 3: See Introduction for update on affected organisations and information on the malware’s operational aspects. See the Recommended Actions section for additional information on applying IOCs. UPDATE 4: A Wannacry in-memory key recovery for WinXP document has been released. [17] INTRODUCTION An ongoing widespread ransomware worm attack has occurred against organisations in approximately 150 countries. AUSCERT has not received any local reports of such attacks at the moment. Confirmed reports of WannaCry infections have been received from countries in the APAC region. Indonesia is the closest such example with Healthcare organisations being targeted. Attacks have been reported against the NHS, University of Waterloo, Nissan in the UK, the Interior Ministry, banks, railroads in Russia, Telefonica users in Spain, German Rail, a mall in Singapore and ATMs in China, among others. The attacks do not appear to target any particular industry sectors. [1, 14]. The worm part of the malware launches the EternalBlue exploit against Windows hosts vulnerable to CVE-2017-0144. This achieves privilege escalation and Remote code execution within the target host. The worm then proceeds to download the ransomware component. The Double Pulsar exploit is launched to install a backdoor in infected hosts, thereby gaining persistent access. Analyses flag encrypted files containing different extensions. Encrypted file extensions are renamed to “.wnry”, “.wcry”, “.wncry” and “.wncrypt”, likely due to variants of the ransomware. The ransomware targets files with the following extensions: .123,.3dm,.3ds,.3g2,.3gp,.602,.7z,.ARC,.PAQ,.accdb,.aes,.ai,.asc,.asf,.asm,.asp,.avi,.backup,.bak, .bat,.bmp,.brd,.bz2,.cgm,.class,.cmd,.cpp,.crt,.cs,.csr,.csv,.db,.dbf,.dch,.der,.dif,.dip,.djvu,.doc,.docb, .docm,.docx,.dot,.dotm,.dotx,.dwg,.edb,.eml,.fla,.flv,.frm,.gif,.gpg,.gz,.hwp,.ibd,.iso,.jar,.java,.jpeg, .jpg,.js,.jsp,.key,.lay,.lay6,.ldf,.m3u,.m4u,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mp3,.mp4, .mpeg,.mpg,.msg,.myd,.myi,.nef,.odb,.odg,.odp,.ods,.odt,.onetoc2,.ost,.otg,.otp,.ots,.ott,.p12, .pas,.pdf,.pem,.pfx,.php,.pl,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.ps1, .psd,.pst,.rar,.raw,.rb,.rtf,.sch,.sh,.sldm,.sldx,.slk,.sln,.snt,.sql,.sqlite3,.sqlitedb,.stc,.std,.sti,.stw, .suo,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.vb,.vbs,.vcd,.vdi,.vmdk, .vmx,.vob,.vsd,.vsdx,.wav,.wb2,.wk1,.wks,.wma,.wmv,.xlc,.xlm,.xls,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.zip RECOMMENDED ACTIONS: AlienVault’s Open Threat eXchange (OTX) has a number of threat indicators. [2] (A zip file of the threat indicators is available for download at the end of this publication – wannacry_ioc.zip ) Members are strongly advised to apply these threat indicators, which include: 1. Domains In general domains should be blocked outbound, as these represent C&C servers to which the ransomware attempts to connect. However, among these are two domains that are kill switches for the ransomware. If infected hosts can resolve these domains, the malware exits and propagation ceases. The domains are iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It is advisable to not block outbound traffic to these sinkholed domains because they can help identify infected hosts. Caution: Updated malware is likely to omit the killswitch feature or amend it. 2. Remote IPs/ports Apply blocks/checks in ACLs,IPS/IDS, network firewalls both inbound and outbound. The IPs represent C&C servers for the ransomware, additional resource download URLs and Bitcoin payment sites. 3. Hostnames Same as above. 4. File paths Applied to Host IDS and/or integrity checkers helps identify known dropped files for the ransomware. 5. Registry keys Applied to Host IDS and/or integrity checks can help identify creation or modifications of registry keys by the ransomware. 6. Snort Applied to IDS/IPS, helps detect EternalBlue exploit activity. 7. Yara YARA signature(s) to detect the presence of ransomware in hosts. [15] 8. BTC Known Bitcoin wallet addresses that are used to receive ransom payments. Outbound traffic to these URLs could help identify infected hosts attempting payment. The accessed URLs will be of the form: https://blockchain.info/address/ + BTC Wallet 9. File Hashes (MD5, SHA1, SHA256) Network security devices such IDS/IPS, SIEMS, Firewalls should be tuned to block these domains, IPs and Host names, both inbound and outbound. Host IDSs should be tuned to monitor changes in Windows hosts for the indicated file paths, file hashes. The malware targets a remote code execution vulnerability in SMB (CVE-2017-0144). This vulnerability was addressed in Microsoft’s update MS17-010. [3] All Windows hosts should be patched immediately, to address this vulnerability if they already haven’t. (See the AUSCERT Security bulletin). [4] Organisations that are unable to patch certain systems, for example, hospitals operating specialised equipment, are advised to consider implementing Private VLANs to isolate such systems. This would help prevent lateral movement. ADDITIONAL RECOMMENDATIONS MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in SMB server that is currently being used to propagate the WannaCry ransomware. MS-ISAC has provided the following recommendations to mitigate the vulnerabilities: “Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing. Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources. Apply the Principle of Least Privilege to all systems and services.” [5] AUSCERT recommends the following measures to mitigate risk of exposure: Anti-virus signatures should be updated immediately If patching is not possible, make a business decision to disable SMB. [6] Block SMB traffic from all but necessary and patched systems (Firewall ports 445/139 ). Segment your networks. Disable or restrict Remote Desktop Protocol (RDP) access – see http://support.eset.com/kb3433/#RDP A snort rule for ETERNALBLUE was released by Cisco as part of the “registered” rules set. Check for SID 41978. [7] Emerging threats has an IDS rule that catches the ransomware activity: (ID: 2024218). [8] AUSCERT has compiled a list of indicators of compromise based on analyses conducted by external parties [11-13]. AUSCERT will continue to issue additional alerts as and when new information becomes available. POST-INFECTION For ransomware, prevention is the best possible outcome. However, if a ransomware infection has occurred, consider the following measures: 1. Immediately isolate the infected host from the network to prevent lateral movement 2. Submit samples of infected files to Crpyto-sheriff. This might help identify a decryptor to recover encrypted files. [16] REFERENCES: [1] http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/ [2] https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/ [3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [4] https://portal.auscert.org.au/bulletins/45238 [5] https://msisac.cisecurity.org/advisories/2017/2017-024.cfm [6] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 [7] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/ [8] https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ [9] https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ [10] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ [11] https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware [12] https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/ [13] https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/ [14] https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 [15] https://blog.malwarebytes.com/threat-analysis/2013/10/using-yara-to-attribute-malware/ [16] https://www.nomoreransom.org/crypto-sheriff.php [17] https://github.com/aguinet/wannakey APPENDIX Please read the DISCLAIMER [17] before using these scripts. IDENTIFICATION OF VULNERABLE SYSTEMS To detect systems on a network (x.x.x.x/xx) that are vulnerable (i.e that are not patched to mitigate MS17-010) a python script is available https://github.com/RiskSense-Ops/MS17-010 This is a standalone version of a corresponding METASPLOIT detection module – https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010 UBUNTU installation/Usage $ sudo apt-get install prips $ wget https://github.com/RiskSense-Ops/MS17-010/raw/master/scanners/smb_ms17_010.py $ prips x.x.x.x/xx | xargs -l1 python ./smb_ms17_010.py # If the above script is too slow, then you can identify just the Windows servers in you network to pass to smb_ms17_010.py <ip> with the nbtscan tool. $ sudo apt install nbtscan $ nbtscan x.x.x.x/xx IDENTIFICATION OF INFECTED SYSTEMS To detect systems on a network (x.x.x.x/xx) that are already infected (by virtue of DOUBLEPULSAR malware also being installed as part of the worm), another detection script is available: UBUNTU Installation/Usage $ pip install netaddr –user $ git clone git@github.com:countercept/doublepulsar-detection-script.git $ cd doublepulsar-detection-script/ $ python detect_doublepulsar_smb.py –net x.x.x/xx REVISION HISTORY Version Published Changes 1.0 13th May 2017 Original version published 2.0 13th May 2017 Update 1 – Microsoft issues out of band patches 3.0 14th May 2017 Update 2 – Appendix added 4.0 15th May 2017 Update 3 – Additional campaign related information, Indicators of Compromise and reference resources. Post-infection section added 5.0 17th May 2017 Update4 – Wannacry in-memory key recovery for WinXP released AUSCERT Team [17] DISCLAIMER AUSCERT has made every effort to ensure that the information provided is accurate and the advice is appropriate based on the information we have received. However, the decision to use or rely upon the information or advice is the responsibility of each organisation and should be considered in accordance with your organisation’s site policies and procedures. AUSCERT takes no responsibility for adverse consequences which may arise from following or acting on the information or advice provided.   Attached Documents wannacry_ioc.zip

Learn more

Week in review

AUSCERT Week in Review for 30th June 2017

AUSCERT Week in Review for 30th June 2017 Hope you all have had a chance to investigate the new website. Please email us at auscert@auscert.org.au or call 07 3365 4417 with any questions or concerns about the new website. As Friday 30th June comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: The Petya ransomware is starting to look like a cyberattack in disguiseDate Published: 28/06/2017 URL: https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russiaAuthor: Russell Brandom Excerpt: “The haze of yesterdays massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hacks reach touched some of the countrys most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.” —– Title: Google Slapped With Record $3.6 Billion Fine In Europe For Manipulating Shopping Results Date Published: 28/06/2017URL:  https://www.gizmodo.com.au/2017/06/google-slapped-with-record-3-6-billion-fine-in-europe-for-manipulating-shopping-results/Author: Matt Novak Excerpt: “Yesterday, government regulators in Europe hit Google with a record 2.42 billion fine, roughly the equivalent of $3.5 billion. The search engine company was found to be manipulating search results to favour its own shopping service, a violation of antitrust laws. And if it doesn’t fix the problem within 90 days it faces an additional 12.5 million ($18.7 million) fine per day.” —– Title: Defence launches ‘Information Warfare Division’ Date Published: 30/06/2017 URL: https://www.computerworld.com.au/article/621324/defence-launches-information-warfare-division/Author: George Nott Excerpt: “The Australian Defence Force is launching a new Information Warfare Division responsible for electronic warfare, the government announced today.” —– Title: Turnbull government continues push against online encryption ahead of Five Eyes meeting Date Published: 26/06/2017 URL: http://www.news.com.au/technology/online/security/turnbull-government-continues-push-against-online-encryption-ahead-of-five-eyes-meeting/news-story/cae2303d24bcfe90cf3d490083c208e9Author: Nick Whigham and AAP Excerpt: “AUSTRALIA will be leading the discussion on an encrypted technology crack down when ministers meet with FiveEyes nations to talk terror prevention. Leaders from Australia, the United States, United Kingdom, Canada and New Zealand, will meet in the Canadian city of Ottawa where they will discuss tactics to combat terrorism and the spread of extremism.” —– Title: Qld ex-cop charged with 44 counts of database snooping Date Published: 28/06/2017 URL: https://www.itnews.com.au/news/qld-ex-cop-charged-with-44-counts-of-database-snooping-466817Author: Allie Coyne Excerpt: “The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’score crimes database 44 times over six years without authorisation.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1639 – [Ubuntu] Kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49422 USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. That is a lot of regressions 🙁 2) ESB-2017.1643 – [Win] OpenSource Apache Struts: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49438 Struts is in all sorts of products. 3) ESB-2017.1644 – [Appliance] Cisco IOS and IOS XE Software: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49442 Root compromise that is significant. 4) ESB-2017.1602 – [Win][Linux][AIX] IBM Java SDK: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49270 Oh no not Java vulnerabilities —- Stay safe, stay patched and have a good weekend! Peter

Learn more

Blogs

DDoS Mitigation

DDoS Mitigation Denial of service (DoS) attacks have hit the news in Australia, yet again. But what is a DoS attack? A DoS attack is designed to deny access to a computing resource from its intended users. A distributed DoS (or DDoS) attack is conducted by numerous (could be in the tens of thousands) computers against a single host or network. It’s not possible to prevent DDoS attacks, we can only be prepared to mitigate them. Types of DDoS attacks An attacker may use a stateless protocol like ICMP or UDP with spoofed source addresses, but it is also common for an attack to be carried out with legitimate network traffic (like HTTP GET requests). In the latter case it can be difficult to block malicious traffic without impacting legitimate traffic. A DDoS is commonly directed at a web site, with a sufficiently large number of requests to overwhelm the capacity of the web server to handle them. In extreme cases, the site’s network equipment may be made unavailable by the volume of traffic they are attempting to filter. Preparing for a DDoS attack There are a number of steps that you can take to prepare for a DDoS attack, including: Ensure that senior management is aware of the impact of a DDoS attack and will support your steps to mitigate one Understand your network – knowing what is normal for your network will enable a threshold of activity that indicates the start of a DDoS Keep your OS up to date and hardened – disable any unneeded services Implement firewall measures on your host – an example for linux Implement application protection, like ModSecurity web application firewall and mod_evasive for Apache – note that a large DDoS attack will quickly overwhelm these measures Run a dedicated network firewall that is able to handle a greater load than the one on the host itself Set up your border router with ACLs to allow only valid traffic into your network eg filter bogons and unused protocols Establish contact details for your upstream network provider so that they may be readily contacted in an emergency. Containing a DDoS attack The scale of the attack will determine the effectiveness of mitigation measures. It may be possible to contain the attack on the affected host itself, or it may require upstream filtering. Implement filtering based on the attack eg blocking UDP packets Consider disabling the targeted application until the attack stops Implement rate limiting for network traffic to the target Contact your ISP for traffic filtering Other resources are available; these are recommended reading – Factsheet Technical measures for the continuity of online services, Mitigation Guidelines for Denial-of-Service Attacks and Network DDoS Incident Response Cheat Sheet List of useful links from the blog + one more 1 https://javapipe.com/iptables-ddos-protection2 https://www.modsecurity.org/3 https://www.zdziarski.com/blog/?page_id=442 (andhttps://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7)4 https://www.ncsc.nl/english/current-topics/factsheets/factsheet-technical-measures-for-the-continuity-of-online-services.html5 https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx6 https://zeltser.com/ddos-incident-cheat-sheet/

Learn more