Since late 2014, malicious Office documents with macros appeared in the wild again. Malware authors don't always rely on VBA macros to execute their payload, exploits and feature abuse are part of their bag of tricks too.
It has been a rough week for Intel. Several media outlets are are reporting that researchers at F-Secure hav discovered a flaw in Intel's Active Management Technology (AMT) which is in most business laptops. AMT is the technology which is used by corporations to remotely manage their deployed laptops.
With the “storm” around Meldown and Spectre slowly winding down, I would like to remind everyone on registry changes that are required by the latest patches released by Microsoft.
Cryptocurrencies mining has been a trending attack for a few weeks. Our idling CPUs are now targeted by bad guys who are looked to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic. Renato found a campaign based on a WebLogic exploit and Jim detected a peak of activity on port %%port:3333%%. Yesterday, while reviewed alerts generated by my hunting scripts, I found an interesting snippet of code on Pastebin. Here is a copy of the script with some added comments in blue:
There are numerous and exciting information security-related projects on GitHub; one can dive quickly down the rabbit hole, never to be seen again, in an effort to identify the best of breed for use in their security practices. In the last three days, three separate projects have hit my radar screen via social media that I thought readers might find intriguing and likely beneficial. I'm listing the projects in alphabetic order, not order of preference, each project represents a unique discipline and opportunity.
Microsoft, as expected included last weeks Meltdown/Spectre update in this months patch Tuesday. But note that in addition to these two flaws, we have a number of other "traditional" privilege escalation and even remote code execution flaws that are probably easier to exploit and should be treated probably with a higher priority. Regardless, I doubt that as many people will work overtime for these run of the mill flaws. For example:
We've seen a spike over the last day or so in reports of apparent scanning on TCP %%port:3333%%. I have serious doubts that anyone is actually looking for DEC Notes which is the registered IANA use for this port. While we're getting our own honeypots set up, I figured I'd ask our readers, do you have packets and/or any idea what is going on here? Please let us know in the comments or via our contact page. Thanx in advance.
Yesterday, Renato published a diary about an intrusion taking advantage of a recent flaw in WebLogic. Oracle’s WebLogic is a Java EE application server . PeopleSoft, another popular Oracle product can use WebLogic as a web server. PeopleSoft itself is a complex enterprise process management system. The name implies human resource functions, but the software goes way beyond simple HR features. Typically, “everything” in an organization lives in PeopleSoft .
Unless you’ve been living under a rock (or on a remote island, with no Internet connection), you’ve heard about the latest vulnerabilities that impact modern processors.
In the last couple of days, we received some reports regarding a malicious campaign which is deploying Monero cryptocurrency miners on victim’s machines. After analyzing a compromised environment, it was possible to realize that a critical Oracle WebLogic flaw, for which the exploit was made public a few days ago, is being used.
Humans have been telling stories to each other much longer than we've had computers. I still think it's a powerful tool. Over the holiday I've been telling various updated versions of the "Stone Soup" story to various groups in the security community. There are many versions of the Stone Soup story. They all fall into the "clever man" category of the Aarne-Thompson-Uther index. Think of it as a CVE for folktales. Specifically, Stone Soup is a type 1548 folktale. Such stories normally involve a stranger who comes to a house or village and promises to demonstrate that they can make soup from a stone. The first time that I heard this story, I was in kindergarten and in that telling, travelers came to a poor village who didn't have enough food to spare, so they promised to show them how to make soup from a stone. First they needed to borrow a pot and some water and some firewood and they began to boil the stone. Periodically tasting it and noting that it would taste better with an onion, or carrots, or chicken or what have you. Eventually the makings of a real soup were found by the villagers and a proper soup is made. At kindergarten, it was a lesson on sharing and coming together. In this telling of the story everyone wins.
I'm always curious what is scanning my honeypot but I was particularly interested what kind of client applications are used to attempt to login via SSH into that service. This graph shows the activity for the past week, including 500+ attempts for a period of 8 hours on the 31 Dec which when pretty much flat from 31 Dec 1200Z to 1 Jan 2018 1200Z while everyone celebrated New Year.
VMware Security Advisory for V4H and V4PA desktop agent privilege escalation vulnerability - https://www.vmware.com/security/advisories/VMSA-2018-0003.html, (Sat, Jan 6th)
By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected as of the current moment are iPhone/iPads (Removed per recent advisory).This bug is probably worth its name and logo considering the pervasive nature of the vulnerability. At its core, both involve kernel issues that can lead to leaking running memory outside the current process which can involve compromises of system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc). Contrary to some initial reporting, this is NOT just an Intel bug, it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine. It involves a flaw in "speculative execution" common in these processors where, in the right conditions, code can trick the processor in leaking data returned from other applications.