Baanboard.com

Go Back   Baanboard.com > News > RSS Newsfeeds > Categories

User login

Frontpage Sponsor

Main

Poll
For ERP LN feature pack upgrade, what method of install are you using?
Installation Wizard into existing VRC
55%
Installation Wizard into new VRC
18%
Manual into existing VRC
9%
Manual into new VRC
18%
Total votes: 11

Baanboard at LinkedIn


Reference Content

 
Security

Infocon: green

SANS Internet Storm Center - 56 min 51 sec ago
ISC Stormcast For Monday, May 22nd 2017 https://isc.sans.edu/podcastdetail.html?id=5510
Categories: Security

Gunter Ollmann: Time to Squish SQL Injection

Security Focus - 56 min 52 sec ago
Time to Squish SQL Injection
Categories: Security

Mark Rasch: Lazy Workers May Be Deemed Hackers

Security Focus - 56 min 52 sec ago
Lazy Workers May Be Deemed Hackers

>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
Categories: Security

Adam O'Donnell: The Scale of Security

Security Focus - 56 min 52 sec ago
The Scale of Security
Categories: Security

Mark Rasch: Hacker-Tool Law Still Does Little

Security Focus - 56 min 52 sec ago
Hacker-Tool Law Still Does Little
Categories: Security

Infocus: Enterprise Intrusion Analysis, Part One

Security Focus - 56 min 52 sec ago
Enterprise Intrusion Analysis, Part One
Categories: Security

Infocus: Responding to a Brute Force SSH Attack

Security Focus - 56 min 52 sec ago
Responding to a Brute Force SSH Attack
Categories: Security

Infocus: Data Recovery on Linux and <i>ext3</i>

Security Focus - 56 min 52 sec ago
Data Recovery on Linux and <i>ext3</i>

>> Advertisement <<
Can you answer the ERP quiz?
These 10 questions determine if your Enterprise RP rollout gets an A+.
http://www.findtechinfo.com/as/acs?pl=781&ca=909
Categories: Security

Infocus: WiMax: Just Another Security Challenge?

Security Focus - 56 min 52 sec ago
WiMax: Just Another Security Challenge?
Categories: Security

More rss feeds from SecurityFocus

Security Focus - 56 min 52 sec ago
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Categories: Security

ISC Stormcast For Monday, May 22nd 2017 https://isc.sans.edu/podcastdetail.html?id=5510, (Mon, May 22nd)

SANS Internet Storm Center - 15 hours 22 min ago
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Typosquatting: Awareness and Hunting, (Sat, May 20th)

SANS Internet Storm Center - May 20, 2017 - 7:01am

Typosquatting has been used for years to lure victims You receive an email or visit an URL with a domain name which looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain looking like the official one. The problem is that the human brain will correct automatically what you see and you think that you visit the right site. I remember that the oldest example of typosquatting that I saw was mircosoft.com. Be honest, at the first time, you read microsoft.com right? This domain was registered in 1997 butit has been taken back by Microsoft for a while. Longer is your domain name, more you have available combinations of letters to generate fake domains. Sometimes its difficult to detect rogue domains due to the font used to display them. Anl looks like a 1 or a 0 looks like an O.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials, there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Lets put the malware aside and focus on the domain name that was used: dhll.com(with a double L).

A quick check reveals that this domain is hopefully owned by DHL (not DHL Express but the Deutsche Post DHL padding:5px 10px"> Domain Name: dhll.com Registry Domain ID: 123181256_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.markmonitor.com Registrar URL: http://www.markmonitor.com Updated Date: 2016-09-23T04:00:10-0700 Creation Date: 2004-06-22T00:00:00-0700 Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700 Registrar: MarkMonitor, Inc. Registrar IANA ID: 292 Registrar Abuse Contact Email: abusecomplaints@markmonitor.com Registrar Abuse Contact Phone: +1.2083895740 Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited) Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited) Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) Registry Registrant ID: Registrant Name: Deutsche Post AG Registrant Organization: Deutsche Post AG Registrant Street: Charles-de-Gaulle-Strasse 20 Registrant City: Bonn Registrant State/Province: - Registrant Postal Code: 53113 Registrant Country: DE Registrant Phone: +49.22818296701 Registrant Phone Ext: Registrant Fax: +49.22818296798 Registrant Fax Ext: Registrant Email: domains@deutschepost.de Registry Admin ID:Admin Name: Domain Administrator Admin Organization: Deutsche Post AG Admin Street: Charles-de-Gaulle-Strasse 20 Admin City: Bon Admin State/Province: - Admin Postal Code: 53113 Admin Country: DE Admin Phone: +49.22818296701Admin Phone Ext: Admin Fax: +49.22818296798 Admin Fax Ext: Admin Email: admincontact.domain@deutschepost.de Registry Tech ID: Tech Name: Technical Administrator Tech Organization: DHL Tech Street: 8701 East Hartford Drive Tech City: Scottsdale Tech State/Province: AZ Tech Postal Code: 85255 Tech Country: US Tech Phone: +1.4089616666 Tech Phone Ext: Tech Fax: - Tech Fax Ext: Tech Email: netmaster@dhl.com Name Server: ns4.dhl.com Name Server: ns6.dhl.com DNSSEC: unsigned

The zone dhll.com is also hosted on the DHL name servers. Thats a good point that DHL registered potentially malicious domains but... if you do this, dont only park the domain, go further and really use it! Its not because the domain has been registered by the official company that bad guys cannot abuse it to send spoofed emails.

First point: dhll.com or www.dhll.com donot resolve to an IP address. If you register such domains, create a website and make them pointto it and log whos visiting the fake page. You can display an awareness message or just redirect to the official site. This will also prevent your customers to land on a potentially malicious site and improve their experience with you.

The second point is related to the MX records. No MX records were defined for the dhll.com domain. Like with the web traffic, build a spam trap to collect all messages that are sent to *@dhll.com.By doing this, you will capturetraffic potentially interesting and you will be able to detect if the domain is used in a campaign (ex: you will catchall the non-delivery receipts in the spam trap.

Finally, addan SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns.

To conclude, registering domain names derived from your companys name is the first step but dont just park them and use them for hunting and awareness!

A quick reminder about the tool dnstwist[3] which is helpful padding:5px 10px"> # docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip dhl.com _ _ _ _ __| |_ __ ___| |___ _(_)___| |_ / _` | _ \/ __| __\ \ /\ / / / __| __| | (_| | | | \__ \ |_ \ V V /| \__ \ |_ \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.01} Fetching content from: http://dhl.com ... 200 OK (396.3 Kbytes) Processing 56 domain variants ................ 48 hits (85%) Original* dhl.com 199.40.253.33/United States NS:ns4.dhl.com MX:mx1.dhl.iphmx.com SSDEEP:100% Bitsquatting ehl.com 45.33.14.247 NS:pdns03.domaincontrol.com MX:smtp.secureserver.net Bitsquatting fhl.com - Bitsquatting lhl.com - Bitsquatting thl.com 50.57.5.162/United States NS:dns1.name-services.com MX:us-smtp-inbound-1.mimecast.com Bitsquatting dil.com 72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost Bitsquatting djl.com 117.18.11.145/Hong Kong NS:ns1.monikerdns.net Bitsquatting dll.com 68.178.254.85/United States NS:ns43.domaincontrol.com MX:smtp.secureserver.net Bitsquatting dxl.com 69.74.234.98/United States NS:ns59.worldnic.com SPYING-MX:dxl-com.mail.protection.outlook.com Bitsquatting dhm.com 192.241.215.84/United States NS:ns19.worldnic.com MX:dhm.com Bitsquatting dhn.com 62.129.139.241/Netherlands NS:pdns07.domaincontrol.com MX:smtp.secureserver.net Bitsquatting dhh.com 103.241.230.134/India NS:dns1.iidns.com Bitsquatting dhd.com NS:ns-west.cerf.net MX:dhd-com.mail.protection.outlook.com Homoglyph bhl.com 206.188.192.219/United States NS:ns79.worldnic.com SPYING-MX:bhl-com.mail.protection.outlook.com Homoglyph dhi.com 199.36.188.56/United States NS:ns10.dnsmadeeasy.com Homoglyph clhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Homoglyph dlhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Homoglyph dihl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Homoglyph dh1.com 208.91.197.27/Virgin Islands NS:ns43.worldnic.com SPYING-MX:p.webcom.ctmail.com Hyphenation d-hl.com 104.24.124.134/United States 2400:cb00:2048:1::6818:7c86 NS:fiona.ns.cloudflare.com MX:mx1.emailowl.com Hyphenation dh-l.com 72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost Insertion duhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dhul.com 82.194.88.4/Spain NS:ns1.dominioabsoluto.com Insertion djhl.com 47.89.24.50/Canada NS:f1g1ns1.dnspod.net Insertion dhjl.com - Insertion dnhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dhnl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dbhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dhbl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dghl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dhgl.com 209.61.212.161/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Insertion dyhl.com NS:dns17.hichina.com MX:mxbiz1.qq.com Insertion dhyl.com - Omission dl.com 104.247.212.218 NS:ns1.gridhost.com SPYING-MX:mail.b-io.co Omission dh.com 54.204.28.210/United States NS:a5-67.akam.net SPYING-MX:mx1.dhltd.iphmx.com Omission hl.com 107.154.105.117/United States NS:ns57.domaincontrol.com MX:mail0.hl.com Repetition ddhl.com 180.149.253.156/Hong Kong NS:ns11.domaincontrol.com SPYING-MX:ddhl-com.mail.protection.outlook.com Repetition dhll.com - Repetition dhhl.com 209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com Replacement rhl.com 107.161.31.165/United States NS:ns1.hungerhost.com MX:mx.spamexperts.com Replacement chl.com 216.222.148.100 NS:nameserver.ttec.com MX:smtp2.mx.ttec.com Replacement xhl.com 69.172.201.153/United States NS:ns1.uniregistrymarket.link Replacement shl.com 69.171.27.23/United States NS:eu-sdns-01.shl.com SPYING-MX:mxa-0016ba01.gslb.pphosted.com Replacement dul.com 62.129.139.241/Netherlands NS:pdns01.domaincontrol.com MX:smtp.secureserver.net Replacement dnl.com - Replacement dbl.com 198.173.111.6/United States NS:ns53.worldnic.com SPYING-MX:p.webcom.ctmail.com Replacement dgl.com 216.107.145.5 NS:ns62.downtownhost.com MX:dgl.com Replacement dyl.com 99.198.109.164/United States NS:ns-1768.awsdns-29.co.uk MX:mail.dyl.com Replacement dhk.com 98.191.212.87/United States NS:ns1.dhk.com MX:dhk.com.us.emailservice.io Replacement dho.com 75.126.101.248/United States NS:ns1bqx.name.com Replacement dhp.com 199.4.150.5/United States NS:dhp.com MX:mailhub.dhp.com Subdomain d.hl.com - Subdomain dh.l.com - Transposition hdl.com 216.51.232.170/United States NS:ns1.systemdns.com MX:aspmx.l.google.com Transposition dlh.com 212.130.57.148/Denmark NS:ns1.ascio.net SPYING-MX:mail.dlh.com Various wwwdhl.com 199.41.238.47/United States NS:ns.deutschepost.de

[1]https://www.virustotal.com/en/file/f438ba968d6f086183f3ca86c3c1330b4c933d97134cb53996eb41e4eceecf53/analysis/
[2]https://support.google.com/a/answer/33786?hl=en
[3]https://github.com/elceef/dnstwist

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Friday, May 19th 2017 https://isc.sans.edu/podcastdetail.html?id=5508, (Fri, May 19th)

SANS Internet Storm Center - May 19, 2017 - 3:25am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

My Little CVE Bot, (Thu, May 18th)

SANS Internet Storm Center - May 18, 2017 - 7:55am

The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement and... apply!Thats why any help is welcome to know what to patch and when. This is the key:

  • What to patch? What are the applications/appliancesthat are deployed in your infrastructure?
  • When to patch? When are new vulnerabilities discovered?

The classification of vulnerabilities is based on the CVE (or Common Vulnerabilities and Exposures) standard maintained by mitre.org[1]. To explain briefly, when a security researcher or a security firm finds a new vulnerability, a CVE number is assigned to it (CVE-YYYY-NNNNN). The CVE contains all the details of the vulnerability (which application/system is affected, the severity and many more information). As an example, the vulnerability exploited by WannaCry was %%cve:2017-0143%%.

Those CVE are stored in open databases and many organisations are using them and provide online services like cvedetails.com[2]. There are plenty of them that offer almost all the same features but they don width:700px" />

Based on cve-search, I can provide details about new CVEs to my customers or any other organisationsjust by querying the database. Indeed, reading the daily flow of CVE is difficult and useless for many people. They have to focus on what affect them. To help them, Im using a quick padding:5px 10px"> email_contact | days_to_check | output_format | product_definition [ | product_definition ] ...

The script will parse this config file and search for new CVE for each product definition. Results will be sent via email to the specified address.

As I width:700px" />

Of course, the main requirement is to know what you are using on your infrastructure. The information used in the config file describes the products is based on the CPE standard[6] which categorisesapplications, operating systems and hardware devices. This information can be found byNmap. An alternative is touse the following tool on your own network (only!): cve-scan[7]. It scans hosts and searches for vulnerabilities in thecve-search database.

My script is available on my GitHubrepository[5].

[1]https://cve.mitre.org
[2]http://www.cvedetails.com/
[3]https://github.com/cve-search/cve-search
[4]https://hub.docker.com/r/rootshell/cvesearch/
[5]https://github.com/xme/toolbox
[6]http://cpe.mitre.org/
[7]https://github.com/NorthernSec/cve-scan

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Thursday, May 18th 2017 https://isc.sans.edu/podcastdetail.html?id=5506, (Thu, May 18th)

SANS Internet Storm Center - May 18, 2017 - 5:05am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Wait What? We don?t have to change passwords every 90 days?, (Wed, May 17th)

SANS Internet Storm Center - May 17, 2017 - 10:56pm

/. Recently published a post covering a draft NIST Standard that is in review [1]. This handler thought it would cause a disturbance in the force, but so far no one is discussing it. One of the big stand out changes is no more periodic password changes [2]. There are several others as well, and CSO Online has a fantastic summary review [3].

There are some clear differences that stand out right away in the introduction. As with most things, standards evolve as we learn.

padding:5px 10px"> Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network. This recommendation provides technical guidelines to agencies to allow an individual person to remotely authenticate his/her identity to a Federal Information Technology (IT) system. [4]

Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. [2]

The new draft goes on from there to outline digital identity and attempts to clearly define access and uses more risk based language.

One clear change that will shock users is the removal of periodic password changes. The handlers agree that a strong review of this draft is in order for security professionals as we can hear the users now:

Wait, you have been forcing me to change my passwords ALL THIS time, and now your saying it is not needed?

Another section that should be reviewed and discussed deeply is 5.2.7 Verifier Compromise Resistance. According to the section there should be some mechanism to verify compromise resistance. One could interpret this to run passwords against breached credential databases, however this is not specifically called out [2] [3].

In conclusion, this standard is a strong deviation from previous recommendations and should be reviewed for impact to your security practice. (There is that disturbance in the force we were looking for).

[1] https://it.slashdot.org/story/17/05/09/1542236/nists-draft-to-remove-periodic-password-change-requirements-gets-vendors-approval

[2] https://pages.nist.gov/800-63-3/sp800-63b.html

[3] http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Wednesday, May 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5504, (Wed, May 17th)

SANS Internet Storm Center - May 17, 2017 - 4:10am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

WannaCry? Do your own data analysis., (Tue, May 16th)

SANS Internet Storm Center - May 16, 2017 - 11:01pm

In God we trust. All others must bring data. ~Bob Rudis

With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs Bob Rudis. A few quick samples, using WannaCry data and R, the open source programming language and software environment for statistical computing and graphics. If ever you wanted to pick up a bit of immediately useful programming, R is for you.

Our good friends over at Team Cymru tweeted out a great GitHubGist WannaCry factsheet, therein are a number of useful resources, many leading to other good reads. I easily tracked down a list of malicious IPs associated with WannaCry.

width:686px" />

You can always learn interesting insights from IPs and this situation is no different. In very few lines of R, we can identify and visualize the data for further insight. Ill walk you through it. First, lets pull in the libraries we need to do some IP geolocation, create a word cloud, and make said word cloud more color rich, and make a nice plot.

library(rgeolocate)
library(wordcloud)
library(RColorBrewer)
library(plotrix)

We need to then read in Maxmind data (GeoLite2-Country) and call Oliver Key and @hrbrmstrs rgeolocate package

file - system.file(extdata,GeoLite2-Country.mmdb, package = rgeolocate)

Follow that with our malicious WannaCry IP addresses.

ips - c(188.166.23.127,91.219.236.222,46.101.166.19,193.23.244.244,62.210.124.124,2.3.69.209,
144.76.92.176,91.121.65.179,146.0.32.144,148.244.38.101,91.219.237.229,50.7.161.218,
149.202.160.69,217.79.179.177,87.7.10.93,163.172.149.155,212.47.232.237,192.42.115.101,
171.25.193.9,81.30.158.223,178.62.197.82,195.22.26.248,79.172.193.32,212.47.244.98,
197.231.221.221,38.229.72.16,5.35.251.247,198.96.155.3,46.101.166.19,128.31.0.39,
213.61.66.117,23.254.167.231)

Finally, we pull it all together and receive our first results file.

results - maxmind(ips, file, c(continent_name, country_code, country_name width:328px" />

And in one fell swoop, we create a word cloud from our data.

wordcloud(results$country_name, max.words = 100, min.freq = 1, random.order = FALSE, rot.per=0.35, colors=brewer.pal(8, Dark2 width:267px" />

Hmm, looks like most of the malicious IPs are in Germany. :-)

Prefer to visualize that a different way? No problem, well run a quick count and use plotH to create a scatterplot with histogram-like bars.

ct - count(results$country_name)
plotH(freq~x,data=ct,ylab=Frequency,xlab=Country,col=blue width:434px" />

Give it a try for yourself. When events such as WannaCry have you frustrated and down, you can at least take data-driven security analysis in your own hands.

Resources for this article:

Categories: Security

ISC Stormcast For Tuesday, May 16th 2017 https://isc.sans.edu/podcastdetail.html?id=5502, (Tue, May 16th)

SANS Internet Storm Center - May 16, 2017 - 4:10am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th)

SANS Internet Storm Center - May 15, 2017 - 11:30pm
Update New Kill Switch Confirmed:

kill switch: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com

Sources:

https://virustotal.com/en/file/b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06/analysis/

https://www.hybrid-analysis.com/sample/b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06?environmentId=100

Update:

After a consensus among the handlers we are moving infocon back to green. We will continue to monitor and update this situation as as it evolves. Please keep the reports and observations flowing in! We will leave the diaries on WannaCry up for another few hours then move back to regular posts.

If you have not seen, Dr J put together an excellent presentation (https://isc.sans.edu/presentations/WannaCry.ppt)summarizing this situation, and we have a Slack Dshield channel (Slack) that you can join the real-time chatter.

@packetalien Handler on Duty

The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow].

A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft].

At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445]. The increase was likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails that include the malware as attachment seeding infected networks. But at this point, no actual samples have been made public. It is possible that the worm entered acorporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself does have no e-mail component.

The malware will first check if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

It will also check if a registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server has been set up by a security researcher. This significantly reduced the impact of WannaCry. A tool was released that will assist in setting the registry keys, which will also reduce the risk of infection. Over the weekends, reports indicated that new versions of the worm were spreading that used slightly different kill switches. But all current versions check a website and check for registry keys. Rendition Infosec released a Tearst0pper tool that can be used to set the registry entries. [tearst0pper]

The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the users private key needs to be decrypted, which requires the malware authors private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password WNcry@2ol7 is not used to encrypt files. It is only used by the malware to decrypt some of its components. [endgame]

Encrypted files use the extension. wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.

In addition to encrypting files, the malware also installs a DOUBLEPULSAR back door. The backdoor could be used to compromise the system further. The malware will also install Tor to facilitate communication with the ransomware author.

New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys.

We expect to reduce the Infocon back to green on Monday.

What Can You do to prevent Infection?

  • Apply MS17010 to Windows Vista and later (Windows Server 2008 and later)
  • Apply Fridays patch to Windows XP or Window Server 2003.
  • Verify correct patch application
  • Make sure the kill switch domain and website is reachable from your network without proxy. If not, setup an internal DNS sinkhole and redirect to an internal website. Do not block access to the website.
  • Deploy the registry key inoculation [tearst0pper]
  • Disable SMBv1 [msftsmbv1]
  • Make sure systems are running up to date anti-malware

Indicators of Compromise:

https://www.us-cert.gov/ncas/alerts/TA17-132A

PowerPoint for Presentations to Management

https://isc.sans.edu/presentations/WannaCry.ppt

Friday SANS Webcast with technical details

https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160

References:

[verge] https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries

[shadow] https://github.com/misterch0c/shadowbroker

[ms17-010] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[msft] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

[port445] https://isc.sans.edu/port.html?port=445

[pastebin] https://pastebin.com/aaW2Rfb6

[tearst0pper] https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/

[msftsmbv1] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

[sans] https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160

[endgame]https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

All times are GMT +2. The time now is 17:42.


©2001-2017 - Baanboard.com - Baanforums.com