Category Archives: Emerging Threats

Yet Another Lesson on the Basics from DigiNotar

Posted on by
Reply

This time it was a Certificate Authority (again). Not just any CA, either, but an official CA that manages the “PKIOverheid” for the government of the Netherlands. In other words, a really important CA, even in a league where most, if not all, CA’s are important.

What happened? They got breached. They got breached in a way that allowed attackers to create at least 531 rogue certificates with their trust models. How did they get breached? It seems to stem from a combination of attackers exploiting basic issues to gain access, then leveraging more advanced custom skills to get the certificates generated and extrude them. I am basing that opinion on the Fox-IT report located here. (The report itself is well worth a read).

The critical issues identified?

  • Lack of a secure architecture for CA servers (1 Windows domain, connectivity from management network)
  • Missing patches
  • Lack of basic controls (AV, in this case) which allowed exploitation by basic attacker tools such as Cain/Abel
  • Poor password policies, logging and management of detective controls

If you follow our blog, attend our talks or listen to our podcasts, you should be seeing this as another reminder of just how critical it is to do the basics. Having powerful tools that no one watches, engaging vendors to do assessments that you ignore and spending money on controls that don’t matter won’t create an effective information security program. Getting the basic controls and processes in place might not protect you from breaches against resourced, skilled attackers completely, either, but it will go a long way toward giving you some protection from the most common threat models. In this case, it might have helped a CA know when they were under attack and take action against their threat sources to mitigate the breach before they got to the crown jewels or in this case, the crown certificates.

The attacker has been posting to Pastebin, (presumably the attacker), that they have access to other CA providers. If you are a CA or run a certificate system, now might be a good time to have someone take an independent third-party look around. It might be a good time to spend a few extra cycles on “just checking things out”.

If your organization is still stuck chasing vulnerabilities and hasn’t done a holistic review of their overall program, this would be a good impetus to do so. It should become an action item to look at your program through the lens of something like the SANS CAG or our 80/20 of Information Security lens and ensure that you have the basics covered in an effective manner. If you have questions or want to discuss the impacts or issues some of these recent breaches have against your organization, give us a call. As aways, thanks for reading and stay safe out there.

MicroSolved Releases HoneyPoint Special Edition: Morto

Posted on by
1

We are pleased to announce the immediate availability of a special edition of HoneyPoint that is designed to help organizations identify hosts infected with the Morto worm that is currently circulating.

HPMorto works like this: It opens a TCP listener HoneyPoint on port 3389/TCP (check to make sure that port is NOT in use before running HPMorto). Once in place, the tool will report the source IP of any systems who attempt to connect to it. Identified sources should be investigated as possible infected hosts.

This version will only listen for 3389 connections and will only function through February 28, 2012.

Versions of HPMorto are available for FREE download for:
Windows 
Linux 
Mac OSX

Give it a try and we hope that this tool help folks manage the problems being caused by Morto around the world.

McAfee: 65 Million Malware Samples — And That’s Just the Tip of the Iceberg

Posted on by
Reply

I was fascinated by this article that came across my newsfeed earlier this week. In it, McAfee says that they have hit 65 million malware samples in the 2nd quarter of 2011. I have heard similar stories in my frequent conversations with other AV vendors this year. It seems, that the malware cat, truly is out of the bag. I don’t know about you, but it seems like someone forgot to warn the crimeware world about opening Pandora’s box.

One of the things that I think is still interesting about the number of signatures that AV vendors are creating are that they are still hitting only a small portion of the overall mountain of malware. For example, many of the AV vendors do not cover very many of the current PHP and ASP malware that is making the rounds. If you follow me on twitter (@LBHuston), then you have likely seen some of the examples I have been posting for the last year or so about this missing coverage. In addition, in many of the public talks I have been giving, many folks have had wide discussions about whether or not AV vendors should be including such coverage. Many people continue to be amazed at just how difficult the role of the AV vendor has become. With so much malware available, and so many kits on the market, the problem just continues to get worse and worse. Additionally, many vendors are still dealing with even the most simple evasion techniques. With all of that in mind, the role and work of AV vendors is truly becoming a nightmare.

Hopefully, this report will give some folks insight into the challenges that the AV teams are facing. AV is a good baseline solution. However, it is critical that administrators and network security teams understand the limitations of this solution. Simple heuristics will not do in a malware world where code entropy, encoding and new evasion techniques are running wild. AV vendors and the rest of us must begin to embrace the idea of anomaly detection. We must find new ways to identify code, and its behavior mechanisms that are potentially damaging. In our case, we have tried to take such steps forward in our HoneyPoint line of products and our WASP product in particular. While not a panacea, it is a new way of looking at the problem and it brings new visibility and new capability to security teams.

I enjoyed this article and I really hope it creates a new level of discussion around the complexities of malware and the controls that are required by most organizations to manage malware threats. If you still believe that simple AV or no malware controls at all are any kind of a solution, quite frankly, you’re simply doing it wrong. As always, thanks for reading and stay safe out there.

About Morpheus Scanner and soapCaller.bs Scans

Posted on by
Reply


In 2008, we had a post about the Morpheus Scanner and soapCaller.bs scans.

It seems this bot has reared its ugly head again. Brent Huston, CEO of MicroSolved, took some time to sit down and explain it all in further detail. During this audio blog post, you’ll learn:

  • The background of the Morpheus *expletive* Scanner
  • What the soapCaller.bs scan is all about
  • Why we’re seeing a surge again
  • What organizations can do when they see this in their logs

Take a listen!

Morpheus Interview With Brent Huston

Security Alert: RSA Breach and 7 Ways to Secure Your Tokens

Posted on by
1

Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers.

Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users.

Last night, RSA made a public announcement that their breach and information stolen in that breach has now been used in attacks against RSA customers. The primary focus, as far as is known, has been the defense sector, but it is very likely that additional threat-focus has been placed on other critically sensitive verticals such as financial and critical infrastructure.

There are a number of things that RSA customers should do, in the advice of MicroSolved, Inc. Below is a short list of identified strategies and tactics:

  1. Identify all surfaces exposed that include RSA components. Ensure your security team has a complete map of where and how the RSA authentication systems are in use in your organization.
  2. Establish a plan for how you will replace your tokens and how you will evaluate and handle the risks of exposure while you perform replacement.
  3. Increase your vigilance and monitoring of RSA exposed surfaces. This should include additional log, event and intrusion monitoring around the exposed surfaces. You might also consider the deployment of honeypots or other drop-in measures to detect illicit activity against or via compromised systems available with the RSA exposed surfaces.
  4. Develop an incident response plan to handle any incidents that arise around this issue.
  5. Increase the PIN length of your deployments as suggested by RSA, where appropriate, based on identified risk and threat metrics.
  6. Teach your IT team and users about the threats and the issue. Prepare your team to handle questions from users, customers and other folks as this issue gains media attention and grows in visibility. Prepare your technical management team to answer questions from executives and Board-level staff around this issue.
  7. Get in contact with RSA, either via your account executive or via the following phone number for EMC (RSA’s parent company): 1-800-782-4362

In the meantime, if MSI can assist you with any of these steps or work with you to review your plan, please let us know. Our engineers are aware of the issues and the processes customers are using to manage this problem in a variety of verticals. We can help you with planning or additional detection and monitoring techniques should you desire.

We wish our clients the highest amount of safety and security as we, as an industry, work through this challenge. We wish RSA the best of luck and the highest success in their remediation and mitigation efforts. As always, we hope for the best outcome for everyone involved.

Thanks for your time and attention to this issue. It is much appreciated, as is your relationship with MicroSolved, Inc.

Tales from the Tweetstream: Are You Trusting AV Software Alone to Detect Malware?

Posted on by
Reply

(To read more interesting discoveries, follow Brent Huston on Twitter.)

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61498319142260737″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499509645127680″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61499751950069760″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/61513076557615104″]

AV software is not a “deploy and forget” solution to detect malware. More surveillance is needed, such as checking the logs to see if there are any occurrences of strange activity. Too often, attackers can drop files in the PHP servers and AV software will rarely detect it.

As I said, the moral of the story is that if you’re depending upon an AV detection mechanism for compromised PHP servers, you’re mistaken. Protect your servers by analyzing your logs. And using our HoneyPoint Wasp would help greatly by giving you more visibility and alerts when malware has entered into your system.

HoneyPoint Wasp Now Monitors Domain User and Admin Accounts

Posted on by
Reply


Do you:

  • Need a quick and easy way to provide monitoring of when new user accounts are created in your AD forest and domains?

    •  

  • Need an easy way to know when a user becomes a member of the administrator groups?

    •  

  • Want a powerful, flexible and effective tool for knowing what is running on your AD servers and when new code gets executed on these critical devices?

    •  

If you answered yes to any of these questions, read on.

HoneyPoint Wasp, a bleeding edge tool for anomaly detection on Windows Desktops and Servers has just been enhanced with the current release to extend these types of coverage (and more) to Windows 2003 & 2008 servers running an AD context of Primary Domain Controller & Backup Domain Controller. Yes, our customers have been asking for it, and we listened. Now, with a simple, no signature/no tuning/0-interface deployment, you can get centralized monitoring and visibility over your critical AD identity store. You can know what is running on these essential servers all of the time and when new users are created or promoted to administrative status.

Attackers commonly infect AD components as they move through the enterprise, often adding and promoting users as they go. In most incidents we have worked over the last several years, these changes have usually gone unnoticed until it was too late. That’s exactly why we built HoneyPoint in general and Wasp in particular, to answer this dire need and to help turn the tide against malware-based compromises.

Want to discuss how Wasp fits in your organization? Simply drop us a line at: (1info2@3microsolved4.5com6) (remove the numbers/spam protection), or give us a call at 614-351-1237 to discuss it with your account rep. Wasp is powerful, yet easy to use, detection and with it in your corner, “Attackers Get Stung, Instead of YOU.”

Thanks for reading and stay safe out there!

Martin McKeay Interview: Verizon Data Breach Investigations Report

Posted on by
Reply

I just listened to Martin McKeay’s interview with Alex Hutton and Chris Porter on the latest Verizon Data Breach Investigations Report.

It’s a good interview, with Hutton and Porter both outlining how the report compared with last year’s and what surprised them. Here’s a link to the report.

Check out the podcast, which is about 30 minutes in length. And if you can figure out what the “secret code” is on the report’s cover, let us know. We like mysteries!

Massachusetts Getting Tough On Data Breach Law

Posted on by
Reply

From Slashdot:

“A Massachusetts restaurant chain was the first company fined under the state’s toughest-in-the-nation data breach law, according to a statement by the Massachusetts Attorney General. The Briar Group, which owns a number of bars and restaurants in Boston, is charged with failing to protect patrons’ personal information following an April, 2009 malware infestation. It was ordered to pay $110,000 in penalties and, essentially, get its *&@! together. Among the revelations from the settlement: Briar took six months to detect and remove the data stealing malware, continuing to take credit and debit cards from patrons even after learning of the data breach, said Massachusetts Attorney General Martha Coakley.”

Full Story

This is exactly why we developed our latest addition to our HoneyPoint family of products: HoneyPoint Wasp. It is a great way to monitor Windows-based desktops with minimal fuss, decreasing help desk calls while allowing the IT department to quickly take action when malware is detected. Learn more about HoneyPoint Wasp.

Learning USB Lessons the Hard Way

Posted on by
Reply


I worked an incident recently that was a pretty interesting one.
The company involved has an application running on a set of Windows kiosks on a hardened, private network that though geographically diverse, is architected in such a way that no Internet access is possible at any machine or point. The kiosk machines are completely tied to a centralized web-based application at a central datacenter and that’s all the kiosk machines can talk to. Pretty common for such installs and generally, a pretty secure architecture.

The client had just chosen to install HoneyPoint and Wasp into this closed network the previous week to give them a new layer of detection and visibility into the kiosk systems since they are so far apart and physical access to them is quite difficult in some locations. The Wasp installs went fine and the product had reached the point where it was learning the baselines and humming along well. That’s when the trouble began. On Saturday, at around 5am Eastern time, Wasp identified a new application running on about 6 of the kiosk machines. The piece of code was flagged by Wasp and reported to the console. The path, name and MD5 hash did not match any of the applications the client had installed and only these 6 machines were running it, with all of them being within about 20 miles of each other. This piqued our curiosity as they brought us in, especially given that no Internet access is possible on these machines and users are locked into the specific web application the environment was designed for.

Our team quickly isolated the 6 hosts and began log reviews, which sure enough showed outbound attempts on port 80 to a host in China known to host malware and bots. The 6 machines were inspected and revealed a job in the scheduler, set to kick off on Saturdays at 5am. The scheduler launched this particular malware component which appeared to be designed to grab the cookies from the browser and some credentials from the system and users and throw them out to the host in China. In this case, the closed network stopped the egress, so little harm was done. Anti-virus installed on the kiosk machines showed clean, completely missing the code installed. A later scan of the components on virustotal.com also showed no detections, though the sample has now been shared with the appropriate vendors so they can work on detections.

In the end, the 6 machines were blown away and re-installed from scratch, which is the response we highly suggest against today’s malware. The big question was how did it get there? It turned out that a bit of digging uncovered a single technician that had visited all 6 sites the previous week. This technician had just had a baby and he was doing as all proud fathers do and showing off pictures of his child. He was doing so by carrying a USB key with him holding the pictures. Since he was a maintenance tech, he had access to drop out of the kiosk and perform system management, including browsing USB devices, which he did to show his pictures to his friends. This completely human, innocent act of love, though much understandable, had dire results. It exposed the business, the users, the customers and his career to potential danger. Fortunately, thanks to a secure architecture, excellent detection with Wasp, good incident planning and a very understanding boss, no harm was done. The young man got his lesson taught to him and the errors of his ways explained to him in “deep detail”. Close call, but excellent lessons and payoff on hard work done BEFORE the security issue ever happened.

Wasp brought excellent visibility to this company and let them quickly identify activity outside the norm. It did so with very little effort in deployment and management, but with HUGE payoff when things went wrong. Hopefully this story helps folks understand where Wasp can prove useful for them. After all, not all networks are closed to the Internet. Is yours? If you had infected hosts like this and AV didn’t catch it, would you know? If not, give us a call or drop us a line and let’s talk about how it might fit for your team. As always, thanks for reading!