Critical Vuln in vCenter vmdir (CVE-2020-3952), (Fri, Apr 10th)

On April 9, VMware published VMSA-2020-0006, a security advisory for a critical vulnerability in vCenter Server that received the maximum CVSSv3 score of 10.0.  The vulnerablity, %%cve:2020-3952%% , involves a sensitive information disclosure flaw in the VMware Directory Service (vmdir) which is included with VMware vCenter. Per the advisory, vmdir does not implement proper access controls, which could allow a malicious attacker with network access to obtain sensitive information.  This likely can allow the attacker to compromise other services which rely on vmdir for authentication.

PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th)

Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.

ISC Stormcast For Friday, April 10th 2020 https://isc.sans.edu/podcastdetail.html?id=6948, (Fri, Apr 10th)

Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th)

How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified. 

ISC Stormcast For Thursday, April 9th 2020 https://isc.sans.edu/podcastdetail.html?id=6946, (Thu, Apr 9th)

ISC Stormcast For Wednesday, April 8th 2020 https://isc.sans.edu/podcastdetail.html?id=6944, (Wed, Apr 8th)

German malspam pushes ZLoader malware, (Wed, Apr 8th)

Introduction

Increase in RDP Scanning, (Tue, Apr 7th)

ISC Stormcast For Tuesday, April 7th 2020 https://isc.sans.edu/podcastdetail.html?id=6942, (Tue, Apr 7th)

Password Protected Malicious Excel Files, (Mon, Apr 6th)

We've been seeing quite some malicious Excel files with Excel 4 macros lately.

ISC Stormcast For Monday, April 6th 2020 https://isc.sans.edu/podcastdetail.html?id=6940, (Mon, Apr 6th)

Maldoc XLS Invoice with Excel 4 Macros, (Sun, Apr 5th)

This week I got an email claiming to be a YellowPages invoice with an XLS attachment containing an Excel 4.0 macro which has similarity to [1][2].

New Bypass Technique or Corrupt Word Document?, (Sat, Apr 4th)

I was taking a closer look at Xavier's Word document he analyzed in yesterday's diary entry: "Obfuscated with a Simple 0x0A".

Obfuscated with a Simple 0x0A, (Fri, Apr 3rd)

With the current Coronavirus pandemic, we continue to see more and more malicious activity around this topic. Today, we got a report from a reader who found a nice malicious Word document part of a Coronavirus phishing campaign. I don't know how the URL was distributed (probably via email) but the landing page is fake White House-themed page. So, probably targeting US citizens.

ISC Stormcast For Friday, April 3rd 2020 https://isc.sans.edu/podcastdetail.html?id=6938, (Fri, Apr 3rd)

ISC Stormcast For Thursday, April 2nd 2020 https://isc.sans.edu/podcastdetail.html?id=6936, (Thu, Apr 2nd)

TPOT's Cowrie to ISC Logs, (Thu, Apr 2nd)

ISC Stormcast For Wednesday, April 1st 2020 https://isc.sans.edu/podcastdetail.html?id=6934, (Wed, Apr 1st)

Qakbot malspam sent from an infected Windows host, (Wed, Apr 1st)

Introduction

ISC Stormcast For Tuesday, March 31st 2020 https://isc.sans.edu/podcastdetail.html?id=6932, (Tue, Mar 31st)

Kwampirs Targeted Attacks Involving Healthcare Sector, (Tue, Mar 31st)

There is no honor among thieves. Even after some ransomware gangs claimed to seize targeting the healthcare sector, attacks continue to happen. But ransomware isn't alone. Last week, the FBI updated an advisory regarding the Kwampirs malware, pointing out the healthcare sector as one of its targets. Kwampirs isn't picky in its targeting. It has been observed going after various sectors (financial, energy, software supply chain, and healthcare, among others). One differentiator of Kwampirs is its modular structure. After penetrating a particular target network, the malware will load appropriate modules based on the targets it encounters. In general terms, Kwampirs is a "Remote Admin Tool" (RAT). It provides access to the target and can be used to execute additional payloads at the attacker's choosing.

Crashing explorer.exe with(out) a click, (Mon, Mar 30th)

In a couple of my recent diaries, we discussed two small unpatched vulnerabilities/weaknesses in Windows. One, which allowed us to brute-force contents of folders without any permissions[1], and another, which enabled us to change names of files and folders without actually renaming them[2]. Today, we’ll add another vulnerability/weakness to the collection – this one will allow us to cause a temporary DoS condition for the Explorer process (i.e. we will crash it) and/or for other processes. It is interesting since all that is required for it to work is that a user opens a link or visits a folder with a specially crafted file.

ISC Stormcast For Monday, March 30th 2020 https://isc.sans.edu/podcastdetail.html?id=6930, (Mon, Mar 30th)

Obfuscated Excel 4 Macros, (Sun, Mar 29th)

2 readers (anonymous and Robert) submitted very similar malicious spreadsheets with almost no detections on VT: c1394e8743f0d8e59a4c7123e6cd5298 and a03ae50077bf6fad3b562241444481c1.

Covid19 Domain Classifier, (Sat, Mar 28th)

Johannes started a Covid19 Domain Classifier here on our Internet Storm Center site.

Help us classify Covid19 related domains https://isc.sans.edu/covidclassifier.html (login required), (Fri, Mar 27th)

---

Malicious JavaScript Dropping Payload in the Registry, (Fri, Mar 27th)

When we speak about "fileless" malware, it means that the malware does not use the standard filesystem to store temporary files or payloads. But they need to write data somewhere in the system for persistence or during the infection phase. If the filesystem is not used, the classic way to store data is to use the registry. Here is an example of a malicious JavaScript code that uses a temporary registry key to drop its payload (but it also drops files in a classic way).

ISC Stormcast For Friday, March 27th 2020 https://isc.sans.edu/podcastdetail.html?id=6928, (Fri, Mar 27th)

Very Large Sample as Evasion Technique?, (Thu, Mar 26th)

Security controls have a major requirement: they can't (or at least they try to not) interfere with normal operations of the protected system. It is known that antivirus products do not scan very large files (or just the first x bytes) for performance reasons. Can we consider a very big file as a technique to bypass security controls? Yesterday, while hunting, I spotted a very interesting malware sample. The malicious PE file was delivered via multiple stages but the final dropped file was large... very large!

ISC Stormcast For Thursday, March 26th 2020 https://isc.sans.edu/podcastdetail.html?id=6926, (Thu, Mar 26th)

ISC Stormcast For Wednesday, March 25th 2020 https://isc.sans.edu/podcastdetail.html?id=6924, (Wed, Mar 25th)

Recent Dridex activity, (Wed, Mar 25th)

Introduction

SANS CyberCast Hallway Talk: Microsoft Windows Type 1 Font Parsing 0-Day https://www.youtube.com/watch?v=VSnVbrgnXJs, (Tue, Mar 24th)

---

Another Critical COVID-19 Shortage: Digital Security, (Tue, Mar 24th)

Following is a guest cross-post from John Scott-Railton, a Senior Researcher at The Citizen Lab. His work focuses on technological threats to civil society.

ISC Stormcast For Tuesday, March 24th 2020 https://isc.sans.edu/podcastdetail.html?id=6922, (Tue, Mar 24th)

Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability, (Mon, Mar 23rd)

Microsoft announced limited exploitation of a zeroday remote code execution vulnerability in the type 1 font parser.

KPOT Deployed via AutoIt Script, (Mon, Mar 23rd)

I have other samples like the malware I covered in yesterday's diary entry.

ISC Stormcast For Monday, March 23rd 2020 https://isc.sans.edu/podcastdetail.html?id=6920, (Mon, Mar 23rd)

More COVID-19 Themed Malware, (Sun, Mar 22nd)

Reader Andrew received a COVID-19 themed email with malicious attachment, and submitted the complete email.


Honeypot - Scanning and Targeting Devices & Services, (Sat, Mar 21st)

I was curious this week to see if my honeypot traffic would increase since a large portion of the world is working from home. Reviewing my honeypot logs, I decided to check what type of filename was mostly targeted (GET/POST/HEAD) by scanners  this past week on any web supported ports (i.e. 80, 81, 8000, etc). This first graph shows overall activity for the past 7 days.

ISC Stormcast For Friday, March 20th 2020 https://isc.sans.edu/podcastdetail.html?id=6918, (Fri, Mar 20th)

COVID-19 Themed Multistage Malware, (Thu, Mar 19th)

More and more countries are closing their borders and ask citizens to stay at home. The COVID-19 virus is everywhere and also used in campaigns to lure more victims who are looking for information about the pandemic. I found a malicious email that delivers a multi-stage malware.

ISC Stormcast For Thursday, March 19th 2020 https://isc.sans.edu/podcastdetail.html?id=6916, (Thu, Mar 19th)

ISC Stormcast For Wednesday, March 18th 2020 https://isc.sans.edu/podcastdetail.html?id=6914, (Wed, Mar 18th)

Trickbot gtag red5 distributed as a DLL file, (Wed, Mar 18th)

Introduction

A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)

DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attacks. For smaller organizations, even an average attack can be devastating.

ISC Stormcast For Tuesday, March 17th 2020 https://isc.sans.edu/podcastdetail.html?id=6912, (Tue, Mar 17th)

Desktop.ini as a post-exploitation tool, (Mon, Mar 16th)

Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however.

ISC Stormcast For Monday, March 16th 2020 https://isc.sans.edu/podcastdetail.html?id=6910, (Mon, Mar 16th)

SANS Work From Home Deployment Kit. Free Material to Help You Stay Secure While Working From Home https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit, (Mon, Mar 16th)

---

VPN Access and Activity Monitoring, (Sun, Mar 15th)

Because most individuals are going to have to work remotely from home, the activity that should be scrutinized over the coming weeks would be ports associated with VPN like OpenVPN (1194) or SSL VPN (TCP/UDP 443, IPsec/IKEv2 UDP 500/4500) with their associated logs to ensure these services are accessed by the right individuals and are not abused, exploited or compromised. It will be very important the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services. Capturing metrics about performance and availability will be very important to ensure mission critical systems and applications can be accessed to avoid downtime.

Phishing PDF With Incremental Updates., (Sat, Mar 14th)

Someone asked me for help with this phishing PDF.

VMware Patches for Bugs in DHCP Service (Workstation, Fusion, Horizon, VMRC), (Fri, Mar 13th)

VMware Security Avisory VMSA-2020-0004 ( https://www.vmware.com/security/advisories/VMSA-2020-0004.html ) outlines a fix for a user-after-free bug in vmnetdhcp that allows guests to execute code in the host.  Affected platforms are: VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, VMware Horizon Client for Windows, VMware Remote Console for Windows (VMRC for Windows)

Microsoft Patches SMBv3 Compression RCE bug - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796, (Fri, Mar 13th)

ISC Stormcast For Friday, March 13th 2020 https://isc.sans.edu/podcastdetail.html?id=6908, (Fri, Mar 13th)

Not all Ethernet NICs are Created Equal - Trying to Capture Invalid Ethernet Frames, (Fri, Mar 13th)

This all started with a simple request.  A client had purchased some new, shiny networking gear, and in each failover pair the active unit was sending 1 "Runt" per second.

ISC Stormcast For Thursday, March 12th 2020 https://isc.sans.edu/podcastdetail.html?id=6906, (Thu, Mar 12th)

Hancitor distributed through coronavirus-themed malspam, (Thu, Mar 12th)

Introduction

Critical SMBv3 Vulnerability: Remote Code Execution, (Thu, Mar 12th)

[Update March 12, 2020]

Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account, (Wed, Mar 11th)

For a few days, there are new waves of Agent Tesla[1] landing in our mailboxes. I found one that uses two new "channels" to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices. I found a phishing sample that tries to hide behind a Canon EOS camera notification. Not very well designed but it’s uncommon to see this. It started with a simple email: