Episode 3 of the podcast is now available!
In this edition, I sit down with Bill @Sempf to discuss application security, working with development teams and how to get security and dev folks on the same page. Bill goes so far as to recommend a simple 2 step process that you simply have to hear!
Check it out:
And give us feedback on Twitter (@lbhuston) about this and all other episodes or ideas you have about what you would like us to cover. Thanks for listening!
Many PHP-based web shells are still making the rounds, and while many of them are based on old code, mutations, customizations and updates abound. They are so common, that new variants and modified versions are often seen at the rate of about 10 a day in our TigerTrax Threat Intelligence systems and honeypots.
Variants exist for a wide variety of platforms and human languages, many with some very nasty features and even some cool ASCII art. There are many variants for attackers to choose from for just about any of the popular PHP-based content management platforms. From WordPress to Joomla and beyond to the far less common apps, there are easily used exploits and shell kits widely available.
If you run a PHP-based site or server, it’s a good idea to keep an eye on the file system changes and watch closely for new files being uploaded or added. Pay particular attention to those using the “base64_decode” function, since it is so common among these tools.
Thanks for reading, and until next time, stay safe out there!
Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse. A new technique called RansomWeb is affecting production web-based applications. I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications. I can only assume the frequency of these attacks will increase throughout the year. As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware. Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.
The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application. Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files. Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files. Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.
To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:
- Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
- Audit your application and system logs for any irregular entries.
- Verify that you are performing regular application and system backups.
- Be sure to test the backup/ restore process for your applications and systems on a regular basis. After all, your backup/ DR process is only as effective as your last successful restore.
If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com
Recently, I have been spending a lot of my time working with TigerTrax, our intelligence platform, and using it to further my research into emerging threats. One of the most interesting areas has been using to track and trace the fits and starts of malware evolution using social media data and the web.
TigerTrax is really good at finding and analyzing the data for trends. The visualizations make spotting emerging patterns and even outliers very easy. For example, we noticed a trend around side loading of malware payloads recently. Not an overwhelming trend across all of malware, but associated with a specific group of verticals being targeted. This emerged easily from the graph data and analytics engines. We were able to use that information to inform our customers in that space and increase their capabilities in detection and incident response.
We have only just begun to find the deeper use cases for TigerTrax, but it is already changing the way MSI does work, even the core work of assessments. For example, with a small window of lead time, we can generate specific pattern analysis and cases to support findings in risk assessments, vulnerability and pen-testing work. The engines can keep our scenarios refreshed, keep us up to date with the latest attack vectors and exploits being used in the wild.
All in all, TigerTrax has given us a larger view of infosec, and watching malware evolve through its lens has become an interesting part of what we do at MSI. We look forward to the day when we can discuss more publicly what we are doing with TigerTrax and some of the findings we are generating, but for now, just know that the platform is being used in a myriad of ways, and that new developments are occurring on a daily basis. If you’d like to discuss what TigerTrax can do for your organization, give us a call. We’d be happy to sit down for a briefing with your team.
If you use OpenSSL anywhere, or use a product that does (and that’s a LOT of products), you need to understand that a critical vulnerability has been released, along with a variety of tools and exploit code to take advantage of the issue.
The attack allows an attacker to remotely tamper with OpenSSL implementations to dump PLAIN TEXT secrets, passwords, encryption keys, certificates, etc. They can then use this information against you.
THIS IS A SERIOUS ISSUE. Literally, and without exaggeration, the early estimates on this issue are that 90%+ of major web sites and software packages using OpenSSL as a base are vulnerable. This includes HTTPS implementations, many mail server implementations, chat systems, ICS/SCADA devices, SSL VPNs, many embedded devices, etc. The lifetime of this issue is likely to be long and miserable.
Those things that can be patched and upgraded should be done as quickly as possible. Vendors are working on patching their implementations and products, so a lot of updates and patches will be forthcoming in the next few days to weeks. For many sites, patching has already begun, and you might notice a lot of new certificates for sites around the web.
Our best advice at this point is to patch your stuff as quickly as possible. It is also advisable to change any passwords, certificates or credentials that may have been impacted – including on personal sites like banking, forums, Twitter, Facebook, etc. If you aren’t using unique passwords for every site along with a password vault, now is the time to step up. Additionally, this is a good time to implement or enable multi-factor authentication for all accounts where it is possible. These steps will help minimize future attacks and compromises, including fall out from this vulnerability.
Please, socialize this message. All Internet users need to be aware of the problem and the mitigations needed, even for personal safety online.
As always, thanks for reading, and if you have any questions about the issues, please let us know. We are here to help!
MSI has built a reputation that spans decades in and around testing hardware and software for information security. Our methodology, experience and capability provides for a unique value to our customers. World-class assessments from the chip and circuit levels all the way through protocol analysis, software design, configuration and implementation are what we bring to the table.
Some of the many types of systems that we have tested:
- consumer electronics
- home automation systems
- voice over IP devices
- home banking solutions
- wire transfer infrastructures
- mobile devices
- mobile applications
- enterprise networking devices (routers, switches, servers, gateways, firewalls, etc.)
- entire operating systems
- ICS and SCADA devices, networks and implementations
- smart grid technologies
- gaming and lottery systems
- identification management tools
- security products
- voting systems
- industrial automation components
- intelligence systems
- weapon systems
- safety and alerting tools
- and much much more…
To find out more about our testing processes, lab infrastructure or methodologies, talk to your account executive today. They can schedule a no charge, no commitment, no pressure call with the testing engineer and a project manager to discuss how your organization might be able to benefit from our experience.
At A Glance Call Outs:
- Deep security testing of hardware, software & web applications
- 20+ year history of testing excellence
- Committed to responsible vulnerability handling
- Commercial & proprietary testing tools
- Available for single test engagements
- Can integrate fully into product lifecycle
- Experience testing some of the most sensitive systems on the planet
- Powerful proprietary tools:
- many more solution specific tools
- Circuit & chip level testing
- Proprietary protocol evaluation experience
- Customized honeypot threat intelligence
- Methodology-based testing for repeatable & defendable results
Other Relevant Content:
Project EVEREST Voting Systems Testing https://stateofsecurity.com/?p=184
Lab Services Blog Post https://stateofsecurity.com/?p=2794
Lab Services Audio Post https://stateofsecurity.com/?p=2565
At MSI, we know security doesn’t exist for its own sake. The world cares about business and so do we. While our professional and managed service offerings easily empower lines of business to work with data more safely, we also offer some very specific business process focused security services.
Attackers and criminals go where the money is. They aren’t just aiming to steal your data for no reason, they want it because it has value. As such, we have tailored a specific set of security services around the areas where valuable data tends to congregate and the parts of the business we see the bad guys focus on most.
Lastly, we have also found several areas where the experienced eyes of security experts can lend extra value to the business. Sometimes you can truly benefit from a “hacker’s eye view” of things and where it’s a fit, we have extended our insights to empower your business.
Here are some of the business focused offerings MSI has developed:
- Mergers & Acquisitions (M&A) practice including:
- Pre-negotiation intelligence
- Pre-integration assessments
- Post purchase threat intelligence
- Accounting systems fraud testing
- ACH & wire transfer security validation
- End-to-end EDI (Electronic Data Interchange) security testing
- Business partner assessments
- Supply chain assessments
- Executive cyber-protection (including at home & while traveling abroad)
MSI knows that your business needs security around the most critical data and the places where bad guys can harm you the worst. We’ve built a wide variety of customized security solutions and offerings to help organizations harden, monitor and protect the most targeted areas of their organization. At MSI, we know that information security means business and with our focused security offerings, we are leading the security community into a new age.
At a Glance Call Outs:
Variety of business focused services
Assessments of systems that move money
Fraud-based real world testing
Business partner & supply chain security
Focused on the business, not the technology
Reporting across all levels of stakeholders
Specialized, customizable offerings
Capability to emulate & test emerging threats
Thought leading services across your business
We got a few scans for an old D-Link router vulnerability that dates back to 2009. It’s interesting to me how long scanning signatures live in online malware and scanning tools. This has lived for quite a while.
Here are the catches from a HoneyPoint Personal Edition I have deployed at home and exposed to the Internet. Mostly, this is just to give folks looking at the scans in their logs an idea of what is going on. (xxx) replaces the IP address…
2013-10-02 02:46:13 – HoneyPoint received a probe from 184.108.40.206 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46dWA+NXhZQlU1d2VR Connection: keep-alive
2013-10-02 03:22:13 – HoneyPoint received a probe from 220.127.116.11 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Opera/6.x (Linux 2.4.8-26mdk i686; U) [en] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46InkwYi4qMF5wL05G Connection: keep-alive
This probe is often associated with vulnerable D-Link routers, usually older ones, those made between 2006 and mid-2010. The original release and proof of concept exploit tool is here. The scan has also been embedded into several scanning tools and a couple of pieces of malware, so it continues to thrive.
Obviously, if you are using these older D-Link routers at home or in a business, make sure they are updated to the latest firmware, and they may still be vulnerable, depending on their age. You should replace older routers with this vulnerability if they can not be upgraded.
The proof of concept exploit also contains an excellent doc that explains the HNAP protocol in detail. Give it a read. It’s dated, but remains very interesting.
PS – As an aside, I also ran the exploit through VirusTotal to see what kind of detection rate it gets. 0% was the answer, at least for that basic exploit PoC.
Another quick update today. This time an updated list of the common locations where web scanning tools in the wild are checking for PHPMyAdmin. As you know, this is one of the most common attacks against PHP sites. You should check to make sure your site does not have a real file in these locations or that if it exists, it is properly secured.
The scanners are checking the following locations these days: