Too many Websites hacked, ransom demanded

Today is a very sunny day, but cloudy online. After the hack of the webpage of the  Ukranian ministry of Energy as shown in figure 1 below.

329f9cc2-82e8-4ff9-9bfd-b3a14d8089c9-original
Figure 1

http://www.mev.gov.ua was displaying this ransomware message before, but later the site was taken down now displaying that it is running an Apache HTTP server on a CentOS server as in the figure 2 below. Meaning the administrator took it offline.

apache
Figure 2

As an investigator, I decided to run a secure search with the terms ”ooops, your website have been encrypted ” using DuckDuckgo as a search engine, and all the sites hacked were indexed as show in figure 3 below.

website encrypted
Figure 3

Too many websites , victims as of today of the ransomware attack. All those live websites displaying the same  message, the attackers even included music this time. The clock showing the time left to pay the ransom.The currency accepted is Bitcoin because it wont be possible to know who received the money.

The only way to bypass this it to make sure that the vulnerability used by the software and third party applications have been patched.

Stay Secured.

 

Advertisements

Searching inside a PDF document

I have received a PDF document from a fake Paypal address. The PDF name is Paypal_EmailID_JK… To be sure whether  the document is malicious or not I used the pdfid.py tool as in the screenshot below .

PDFid1

It is clear that there are 25 objects and 4 URLs in the document, /JS pointing to 0 meaning there is no javascript in this document. Also /OpenAction is 0 meaning there is no malicious action.But let use the pdfid.py with -e option for more information as in the figure below

Pdfid2

We see the nothing apended After last %%EOF and the Total entropy.Finally I use

pdf-parser.py to extract those URLs as in the picture below

pdf-parder1

The PDF appears to be from Paypal but in fact will redirect the victim to the

https://www.hasanacademy.com/buy.php

Happy Hunting.

Cryptominer RubyMiner Targets web servers

According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.

Indicators of Compromise:

  • 761f5cfd0a3cddb48c73bc341a4d07a9
  • 91d31ed8e569c0089fa070ed125e1fc5
  • a6a57e6a216dff346a22f51639c4b99c
  • 203.24.188.242
  • Internetresearch.is
  • dgnfd564sdf.com
  • lochjol.com

It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.

References 

https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/

 

A look at Redline from Mandiant

Redline is a nice tool to investigate a particular host for signs of compromises. It works on Windows and is freely available on the FireEye site .

redline1
Redline Interface

At a glance, we have options to collect data from the host or Analyse an existing data collected file. In our case , I am going to create  a Standard Collector for the sake of this demo.

Redline2
Redline Review Script Configuration

It is clear that the script will run the Collector and save it to a folder named ‘Sessions\AnalysisSession2´ in our case because we run the script twice as in the figure below

redline5
AnalysisSession2.mans file to import in Redline

As said in the Readme.txt file, AnalysisSession2.mans has to be openend in Redline to continue with the investigation. We can go through the System Information,Processes,…

The tool is worth a try.

Happy investigations

redline6
Investigative options after opening the AnalysisSession2.mans file

WannaCry Malware Take Away

The world has experienced a Cyber Attack according to numerous open-source, classified as a ransomware campaign.It created ten of thousands of infections in Over 150 countries including the United States, United Kingdom,Spain, Russia, Taiwan,France and Japan. The software can run in as many as 27 different languages.The piece of code is affecting only Microsoft Windows Operating system. The latest version of this malware (5bef35496fcbdbe841c82f4d1ab8b7c2) was discovered in the morning of May 12 ,2017 by an independent security researcher. It was named Wannacry because of the string “WNcry@2ol7” found in its code.Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

TECHNICAL DETAILS

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector may be through phishing. There exists 3 files belonging to the same malware.The first file is a dropper(worm), which contains and runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim users files.

 

Dropper

This artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI:

http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Displayed below is a sample request observed:

--Begin request—

GET / HTTP/1.1
Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache

--End request--

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.
When executed, the malware is designed to run as a service with the parameters “-m security”. During runtime, the malware determines the
number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the
following service:

--Begin service--

ServiceName = "mssecsvc2.0"
DisplayName = "Microsoft Security Center (2.0) Service"
StartType = SERVICE_AUTO_START
BinaryPathName = "%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security"

--End service--

Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network
and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional
thread to propigate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulliten MS17-010. The malware then extracts &
installs a PE32 binary from it’s resource section named “R”. This binary has been identified as the ransomware component of WannaCrypt.
The dropper installs this binary into “C:\WINDOWS\tasksche.exe.” The dropper executes tasksche.exe with the following command:

--Begin command--

"C:\WINDOWS\tasksche.exe /i"

--End command—

 

NOTE:When this sample was initially discovered, the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” was not registered, allowing the
malware to run and propagate freely. However within a few days, researchers learned that by registering the domain and allowing the
malware to connect, it’s ability to spread was greatly reduced. At this time, all traffic to “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” is
re-directed to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend
that administrators and network security personnel not block traffic to this domain.

RANSOMWARE COMPONENTS

The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the user’s private key needs to be decrypted, which requires the malware author’s private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password “WNcry@2ol7” is not used to encrypt files. It is only used by the malware to decrypt some of its components. Encrypted files use the extension. wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.

SOLUTION

-Apply the MS patch

-Basic defense in depth meaning segmentation to isolate vulnerable machines

-Restrict TCP port 445

-use Private Vlans if your edge switches support this feature

-Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

-Test your backups to ensure they work correctly upon use

-Implement the principle of least privilege

References: IOC with Wannacry:US-CERT

Washington post 150 countries affected

Public key infrastructure (PKI)

A Public key infrastructure is a system that incorporates asymmetric encryption and certificate to provide security. There are two principals actors: The client and the certificate authority(CA). The Cryptographic Service Provider (CSP) on the client side generates the key pair. Once the key pair has been generated, the client will keep the private key and send the public key with the certificate request to the CA. The client will use its private key to digitally sign that message. At this stage, the CA will either approve or deny the request. The Registration authority (RA) is another entity that can proxy certificate request to the CA on behalf of the client. When a certificate has been compromised it is revoked in the CA and updated to the Certificate Revocation List (CRL). The disadvantages of a certificate being revoked are that client has to go to the full list of what they are looking for. With the Online Certificate Status Protocol (OSCP), we only check for the validity of individual certificate without going to the full list thus improving performance. The standard for the certificate is the X.509 standard.

Malware Information Sharing Platform-MISP

The Malware Information Sharing Platform is used to store ,share and collaborate on malware across organizations. The Indicators of Compromise (IoC) are used to detect and prevent Cyber attack. The MISP integrates many features :-Efficient Built-in database to store malwares, information on attackers and intelligence

-Data are stored and shared in a structured format.

-Data can be imported from OpenIOC and exported to integrating with Network IDS, Host IDS and other tools.

MISP is good tool to use by your CERT team.

event-view
Malware Information Sharing Platform web interface