Soc in a Box

Well not really, but I’m going to write a series of posts that will all tie together, which can be a very useful tool for anyone interested in having a security home lab, or even in a new or established security operations centre.

I am going to be using open source software, and showing how they can be used together and create a pretty awesome environment, that in my opinion rivals or if not better than many of the paid and expensive tools in the security industry.

Over the next few weeks and months, I will create guides for the following.

Cuckoo

The Hive

MISP

Security Onion

Elastic Stack

Google Rapid Response

I’m not necessary going to create guides in the order listed above, however I will be starting with cuckoo.

Cuckoo is a fun place to start as you can get a pretty awesome malware sandbox analysis tool up and running in a fairly short amount of time, and see real results and benefits from it.  There are so many ways you can customise it and get it working for how you want it in your own environment.  Why pay a 3rd party for your malware analysis when you can have a free and powerful version of your own.

Anyhow, enough jibber jabbing.  Time for the first update!

Boozallen Report on Petya

I came across this write up by boozallen yesterday, and found it had some very interesting thoughts and insight to how and what happened.

 

https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/telebots-group-and-petya.pdf

 

1. Four VirusTotal users uploaded the compiled VBS backdoors along with other malicious files, including the
TeleBots telegram-based backdoor, PowerShell post-exploitation scripts, Mimikatz, and other tools. For each
user, these uploads occurred within the same one- to two-day time period.
2. In most cases, these files were uploaded several months prior to the 27 June Petya incident.
3. Booz Allen Cyber4Sight also determined that in several cases, these submitters also uploaded files
associated with the MEDoc update utility to VirusTotal. This shows that these submitters were also likely
users of the MEDoc software, and the inclusion of these files with the files identified in number 1 (above)
demonstrates that MEDoc-related processes may have facilitated the installation vector for this software.

 

These past few months have been quite interesting.  The scale and ease of WannaCry and the more recent  Petya/Non Petya attacks, have created a greater awareness for individuals outside of the security world.  Major news outlets are interested in these events as they transpire and this can only be a good thing.  I still believe we are many years away from individuals and business truly changing their mindsets and realise that just reacting to these events is not enough, and more time and effort is spent on how these applications are designed and how we approach security.  We need to try harder to make applications and hardware secure by design and not rely on 3rd party products afterwards to make the product “secure”.

We are going to have several more large scale events like this until the mindset changes, humans are stubborn and we do not like to change – however this is something we must do.

 

 

Talos Update on M.E.Doc

http://blog.talosintelligence.com/2017/07/the-medoc-connection.html?m=1

Summary

The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.
This is another good article and write up by Talos.
Gives a lot more useful insight as to how this happened, another good read, will be interesting to see how this continues to develop over the next few days and weeks.

Backdoor in M.E.Doc Application

I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week.  This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.

This demonstrates how devastating these types of compromises can be and as a defender can make it very difficult to identify and stop this type of attack from happening, if you happen to be the target of said attack.

I suggest you read this very good article!

 

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/

Analysis of TeleBots’ cunning backdoor

On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C(aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.

 

Another good write up by bleeping computer that contains more information.

 

https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-servers-from-where-notpetya-outbreak-first-spread/

Conspiracy theories

Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).

An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”

 

View of someone who was impacted by Petya

http://colsec.blogspot.de/2017/06/petya-outbreak-june-27th.html

 

My machine –

Domain joined Windows 10 Enterprise 64bit running McAfee AV + Encrypted HDD. Fully patched with June’s updates and manually disabled/removed SMBv1.

Hit at 12:40 UK time with a BSoD. Reboot “Please install operating system – no boot device”.

 

And the follow up

http://colsec.blogspot.de/2017/06/petyaa-infection-summary-of-events.html

 

I’ll just put this up here to summarise what happened and how.

We assume 1 PC was infected, that machine provided the virus with some credentials. Could have been a workstation admin’s account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with it’s PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR, PCs that were not encrypted with McAfee showed the ransom message.

 

This is a good demonstration of making sure everything is 100% patched and not nearly patched.  It is difficult to keep older machines patched and updated in an enterprise environment, however when these systems are designed and implemented, we should be thinking and taking into consideration how we are going to update them and keep them secure, otherwise we will have to deal with the events described above, again and again.

Do not pay to Petra Ransomware Email

During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.

Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.

https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday

It’s never a good idea to pay the ransom, even if they had the intention to give you your decryption code, they are not even going to be receiving  your email.

Patch and Backup.

Petya Ransomware Information

Just correlating all the useful information I can find with regards to the latest Petya Ransomware attack.

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

Behaviour

<Ignored Process>
 rundll32.exe C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1" (PID: 2880)
 cmd.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2724) 
 schtasks.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2720) 
 FE04.tmp %TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}" (PID: 1968) 
 dllhost.dat %WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"" (PID: 2512) 1/59 Seen in another context
 cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: (PID: 2072) 
 wevtutil.exe wevtutil cl Setup (PID: 2204) 
 wevtutil.exe wevtutil cl System (PID: 2128) 
 wevtutil.exe wevtutil cl Security (PID: 4016) 
 wevtutil.exe wevtutil cl Application (PID: 3988) 
 fsutil.exe fsutil usn deletejournal /D C: (PID: 1368) 
 shutdown.exe %WINDIR%\system32\shutdown.exe" /r /f" (PID: 2796)

 

Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Another good analysis from Kaspersky

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Schroedinger’s Pet(ya)

 

Cloaking Itself in Legitimate Code

Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.

In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.

 

https://minerva-labs.com/post/new-petya-ransomware-attack-prevented-by-minerva

 

 

Shadow Brokers Response Team – Retracted

As per my previous update, the idea behind what they wanted to do was a good one, but legally not so much.  Seems as humans we just cannot get around doing the right thing and being proactive.  We only understand how to react to when things go wrong.

UIWIX Ransomware

It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.

Seems there is another variant of ransomware doing the rounds which is exploiting the same loop hole as WannaCry is using port 445 to enumerate and infect other machines on your internal and then external networks.  It is exploiting the same SMB vulnerability (MS17-010).

Mitigation – Just need to  make sure you have the latest updates from microsoft.

If you see traffic to these domains, its likely not good!

aa1[.]super5566[.]com
07[.]super5566[.]com
a1[.]super5566[.]com
www[.]super5566[.]com
08[.]super5566[.]com

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

SMB Vulnerability MS17-010 NSE – Script to detect MS17-010 (WannaCry Ransomware)

This is taken from the nmap seclist page.  A script for nmap has been written that should allow you to scan your network to determine if its vulnerable.  It may not be perfect but I am sure it will help someone out there.

http://seclists.org/nmap-dev/2017/q2/79
Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as 
expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 
authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse 
description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms2017-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
]]



Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com