HoneyPoint Trojans Overview

Posted on February 11, 2014 by Brent Huston

Here’s another quick overview graphic of how HoneyPoint Trojans work. We have been using these techniques since around 2008 and they are very powerful.

We have incorporated them into phishing exercises, piracy studies, incident response, intrusion detection, intelligence gathering, marketing analysis and even privacy research. To hear more about HoneyPoint Trojans, give us a call.

If the graphic below is blurry on your device, you can download a PDF version here.

HPTrojanOverview

HoneyPoint in a Point of Sale Network

Posted on February 6, 2014 by Brent Huston

We have been getting a LOT of questions lately about how HoneyPoint Security Server (HPSS) fits into a Point of Sale (POS) network.

To make it pretty easy and as a high level overview, below is a use case diagram we use to discuss the solution. If you would like a walkthrough of our technology, or to discuss how it might fit into your specific use cases, please let us know.

As always, thanks for reading and for partnering with MicroSolved, Inc.

PS – If the graphic below is difficult to read on your device, you can grab a PDF version here.

HP POSNetworks

Touchdown Task for January: Audit Your News Feeds

Posted on January 20, 2014 by Brent Huston

This month, our suggested Touchdown Task is for the security team to do an “audit” of their news/RSS feeds and the other mechanisms by which you get advisories, patch and upgrade alerts, breakout information and details about emerging threats.

Since RSS feeds and account names and such can change, it’s a good idea to review these sources occasionally. Are the feeds you depend on timely and accurate? Have you added new technology to your organization since you last reviewed your advisory feeds? Maybe you might need to add a vendor or regulator feed.

Have a discussion with all of your team members and understand who monitors what. Make sure you have good cross communication, but aren’t struggling with a lot of duplicated efforts.

Once you get your news and threat feeds in order, trace how the information is shared and make sure it is getting to the system and network admins who might need it. Do you have the right people getting the right information? If not, adjust.

Most teams can do this review in less than an hour. So focus, communicate and create a robust way to handle the flow of information.

As always, thanks for reading and stay safe out there!

How Risky is the Endpoint?

Posted on December 26, 2013 by Brent Huston

I found this article quite interesting, as it gives you a heads up about the state of endpoint security, at least according to Ponemon. For those who want to skim, here is a quick summary:

“Maintaining endpoint security is tougher than ever, security professionals say, thanks largely to the huge influx of mobile devices.

According to the annual State of the Endpoint study, conducted by the Ponemon Institute and sponsored by Lumension, 71 percent of security professionals believe that endpoint security threats have become more difficult to stop or mitigate over the past two years.

…More than 75 percent said mobile devices pose the biggest threat in 2014, up from just 9 percent in 2010, according to Ponemon. Some 68 percent say their mobile devices have been targeted by malware in the past 12 months, yet 46 percent of respondents say they do not manage employee-owned mobile devices.

…And unfortunately, 46 percent of our respondents report no efforts are in place to secure them.”

…While 40 percent report they were a victim of a targeted attack in the past year, another 25 percent say they aren’t sure if they have been, which suggests that many organizations don’t have security mechanisms in place to detect such an attack, the study says. For those that have experienced such an attack, spear-phishing emails sent to employees were identified as the No. 1 attack entry point.

…The survey found that 41 percent say they experience more than 50 malware attacks a month, up 15 percent from those that reported that amount three years ago. And malware attacks are costly, with 50 percent saying their operating expenses are increasing and 67 percent saying malware attacks significantly contributed to that rising expense.

…While 65 percent say they prioritize endpoint security, just 29 percent say their budgets have increased in the past 24 months.” — Dark Reading

There are a couple of things I take away from this:

Organizations are still struggling with secure architectures and enclaving, and since that is true, BYOD and visiblility/prevention efforts on end-points are a growing area of frustration.

Organizations that focus on secure architectures and enclaving will have quicker wins
Organizations with the ability to do nuance detection for enclaved systems will have quicker wins

Organizations are still focusing on prevention as a primary control, many of them are seriously neglecting detection and response as control families

Organizations that embrace a balance of prevention/detection/response control families will have quicker wins

Organizations are still struggling in communicating to management and the user population why end-point security is critical to long term success

Many organizations continue to struggle with creating marketing-based messaging for socialization of their security mission

If you would like to discuss some or all of these ideas, feel free to ping me on Twitter (@lbhuston) or drop me an email. MSI is working with a variety of companies on solutions to these problems and we can certainly share what we have learned with your organization as well.

Blast From the Past: D-Link Probes in the HITME

Posted on October 9, 2013 by Brent Huston

We got a few scans for an old D-Link router vulnerability that dates back to 2009. It’s interesting to me how long scanning signatures live in online malware and scanning tools. This has lived for quite a while.

Here are the catches from a HoneyPoint Personal Edition I have deployed at home and exposed to the Internet. Mostly, this is just to give folks looking at the scans in their logs an idea of what is going on. (xxx) replaces the IP address…

2013-10-02 02:46:13 – HoneyPoint received a probe from 71.103.222.99 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46dWA+NXhZQlU1d2VR Connection: keep-alive

2013-10-02 03:22:13 – HoneyPoint received a probe from 71.224.194.47 on port 80 Input: GET /HNAP1/ HTTP/1.1 Host: xxxx User-Agent: Opera/6.x (Linux 2.4.8-26mdk i686; U) [en] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxx/ Authorization: Basic YWRtaW46InkwYi4qMF5wL05G Connection: keep-alive

This probe is often associated with vulnerable D-Link routers, usually older ones, those made between 2006 and mid-2010. The original release and proof of concept exploit tool is here. The scan has also been embedded into several scanning tools and a couple of pieces of malware, so it continues to thrive.

Obviously, if you are using these older D-Link routers at home or in a business, make sure they are updated to the latest firmware, and they may still be vulnerable, depending on their age. You should replace older routers with this vulnerability if they can not be upgraded.

The proof of concept exploit also contains an excellent doc that explains the HNAP protocol in detail. Give it a read. It’s dated, but remains very interesting.

PS – As an aside, I also ran the exploit through VirusTotal to see what kind of detection rate it gets. 0% was the answer, at least for that basic exploit PoC.

Scanning Targets for PHP My Admin Scans

Posted on October 7, 2013 by Brent Huston

Another quick update today. This time an updated list of the common locations where web scanning tools in the wild are checking for PHPMyAdmin. As you know, this is one of the most common attacks against PHP sites. You should check to make sure your site does not have a real file in these locations or that if it exists, it is properly secured.

The scanners are checking the following locations these days:

//phpMyAdmin/scripts/setup.php
//phpmyadmin/scripts/setup.php
/Admin/phpMyAdmin/scripts/setup.php
/Admin/phpmyadmin/scripts/setup.php
/_PHPMYADMIN/scripts/setup.php
/_pHpMyAdMiN/scripts/setup.php
/_phpMyAdmin/scripts/setup.php
/_phpmyadmin/scripts/setup.php
/admin/phpmyadmin/scripts/setup.php
/administrator/components/com_joommyadmin/phpmyadmin/scripts/setup.php
/apache-default/phpmyadmin/scripts/setup.php
/blog/phpmyadmin/scripts/setup.php
/cpanelphpmyadmin/scripts/setup.php
/cpphpmyadmin/scripts/setup.php
/forum/phpmyadmin/scripts/setup.php
/php/phpmyadmin/scripts/setup.php
/phpMyAdmin-2.10.0.0/scripts/setup.php
/phpMyAdmin-2.10.0.1/scripts/setup.php
/phpMyAdmin-2.10.0.2/scripts/setup.php
/phpMyAdmin-2.10.0/scripts/setup.php
/phpMyAdmin-2.10.1.0/scripts/setup.php
/phpMyAdmin-2.10.2.0/scripts/setup.php
/phpMyAdmin-2.11.0.0/scripts/setup.php
/phpMyAdmin-2.11.1-all-languages/scripts/setup.php
/phpMyAdmin-2.11.1.0/scripts/setup.php
/phpMyAdmin-2.11.1.1/scripts/setup.php
/phpMyAdmin-2.11.1.2/scripts/setup.php
/phpMyAdmin-2.5.5-pl1/index.php
/phpMyAdmin-2.5.5/index.php
/phpMyAdmin-2.6.1-pl2/scripts/setup.php
/phpMyAdmin-2.6.1-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl3/scripts/setup.php
/phpMyAdmin-2.6.4-pl4/scripts/setup.php
/phpMyAdmin-2.6.4-rc1/scripts/setup.php
/phpMyAdmin-2.6.5/scripts/setup.php
/phpMyAdmin-2.6.6/scripts/setup.php
/phpMyAdmin-2.6.9/scripts/setup.php
/phpMyAdmin-2.7.0-beta1/scripts/setup.php
/phpMyAdmin-2.7.0-pl1/scripts/setup.php
/phpMyAdmin-2.7.0-pl2/scripts/setup.php
/phpMyAdmin-2.7.0-rc1/scripts/setup.php
/phpMyAdmin-2.7.5/scripts/setup.php
/phpMyAdmin-2.7.6/scripts/setup.php
/phpMyAdmin-2.7.7/scripts/setup.php
/phpMyAdmin-2.8.2.3/scripts/setup.php
/phpMyAdmin-2.8.2/scripts/setup.php
/phpMyAdmin-2.8.3/scripts/setup.php
/phpMyAdmin-2.8.4/scripts/setup.php
/phpMyAdmin-2.8.5/scripts/setup.php
/phpMyAdmin-2.8.6/scripts/setup.php
/phpMyAdmin-2.8.7/scripts/setup.php
/phpMyAdmin-2.8.8/scripts/setup.php
/phpMyAdmin-2.8.9/scripts/setup.php
/phpMyAdmin-2.9.0-rc1/scripts/setup.php
/phpMyAdmin-2.9.0.1/scripts/setup.php
/phpMyAdmin-2.9.0.2/scripts/setup.php
/phpMyAdmin-2.9.0/scripts/setup.php
/phpMyAdmin-2.9.1/scripts/setup.php
/phpMyAdmin-2.9.2/scripts/setup.php
/phpMyAdmin-2/
/phpMyAdmin-2/scripts/setup.php
/phpMyAdmin-3.0.0-rc1-english/scripts/setup.php
/phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php
/phpMyAdmin-3.0.1.0-english/scripts/setup.php
/phpMyAdmin-3.0.1.0/scripts/setup.php
/phpMyAdmin-3.0.1.1/scripts/setup.php
/phpMyAdmin-3.1.0.0-english/scripts/setup.php
/phpMyAdmin-3.1.0.0/scripts/setup.php
/phpMyAdmin-3.1.1.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-all-languages/scripts/setup.php
/phpMyAdmin-3.1.2.0-english/scripts/setup.php
/phpMyAdmin-3.1.2.0/scripts/setup.php
/phpMyAdmin-3.4.3.1/scripts/setup.php
/phpMyAdmin/
/phpMyAdmin/scripts/setup.php
/phpMyAdmin/translators.html
/phpMyAdmin2/
/phpMyAdmin2/scripts/setup.php
/phpMyAdmin3/scripts/setup.php
/phpmyadmin/
/phpmyadmin/scripts/setup.php
/phpmyadmin1/scripts/setup.php
/phpmyadmin2/
/phpmyadmin2/scripts/setup.php
/phpmyadmin3/scripts/setup.php
/typo3/phpmyadmin/scripts/setup.php
/web/phpMyAdmin/scripts/setup.php
/xampp/phpmyadmin/scripts/setup.php
<title>phpMyAdmin

Telnet Passwords Used In Brute Force Attacks

Posted on October 4, 2013 by Brent Huston

Just a quick post today, but I wanted to give you some insight into the Telnet scans we have been seeing lately. Here are the passwords that have been used to target logins on port 23 on one of our HITME sensors in the United States. This particular system emulates a login, and the probes appear to be automated. We saw no evidence of any manual probes on this sensor in the last month that targeted telnet.

The passwords used in brute force attacks on telnet (used against the usual root/admin/etc users…):

default
1234
220
428
436
Admin
D-Link
admin
cobr4
dreambox
echo
enable
home-modem
l
password
private
public
root
sh
user

Keep a careful eye on any systems with Telnet exposed to the Internet. They are a common attraction point to attackers.

Just a Reminder, SIP is a Popular Scanning Target

Posted on October 2, 2013 by Brent Huston

I just wanted to give you a quick reminder that SIP scanning remains quite popular on the Internet. These probes can lead to compromise and fraud against your VoIP systems. Make sure you do not have VoIP systems exposed to the Internet without proper controls. If you review your logs on the Internet perimeter, SIP scans will look similar to this:

This was captured from the HITME using HoneyPoint Personal Edition.

2013-09-30 17:02:18 – HoneyPoint received a probe from 207.127.61.156 on port 23

Input: OPTIONS sip:nm SIP/2.0

Via: SIP/2.0/TCP nm;branch=foo

From: <sip:nm@nm>;tag=root

To: <sip:nm2@nm2>

Call-ID: 50000

CSeq: 42 OPTIONS

Max-Forwards: 70

Content-Length: 0

Contact: <sip:nm@nm>

Accept: application/sdp

Keep an inventory of your VoIP exposures. They remain a high area of interest for attackers.

More on Persistent Penetration Testing from MSI

Posted on August 22, 2013 by Brent Huston

MicroSolved has been offering Persistent Penetration Testing (PPT) to select clients now for a couple of years. We have been testing and refining our processes to make sure we had a scalable, value driven, process to offer our full client base. We have decided to open the PPT program up to another round of clients, effective immediately. We will be open to adding three additional clients to the PPT group. In order to qualify, your organization must have an appetite for these services and meet the criteria below:

The services:

MSI will actively emulate a focused team of attackers for either a 6 or 12 month period, depending on complexity, pricing and goals
During that time, MSI will actively and passively target your organization seeking to reach a desired and negotiated set of goals (usually fraud or theft of IP related data, deeper than traditional pen testing)
Full spectrum attacks will be expressed against your organization’s defenses in red team mode, across the time window
Once an initial compromise occurs and the appropriate data has been identified and targeted, we will switch to table top exercises with the appropriate team members to discuss exploitation and exfiltration, prior to action
If, and only if, your organization approves and desires, then exploitation and exfiltration will occur (note that this can be pivoted from real world systems to test/QA environments at this point)
Reporting and socialization of the findings occurs, along with mitigation strategies, awareness training and executive level briefings
The process then repeats, as desired, through the terms and sets of goals

The criteria for qualification; Your organization must:

Have full executive support for the initiative, all the way to the C-level and/or Board of Directors
Have a mature detection and egress process in place (otherwise, the test will simply identify the needs for these components)
Have the will to emulate real world threat activity without applying compliance-based thinking and other unnatural restraints to the process
Have a capable security team for MSI to work with that has the capability to interface with the targeted lines of business in a rapid, rational and safe manner
If desired, have the capability to construct testing/QA platforms and networks to model real world deployments in a rapid and accurate fashion (requires rapid VM capability)
Be open to engaging in an exercise with an emulated aggressive adversary to establish real world risk and threat profiles
Be located in the US (sorry, we are not currently accepting non-US organizations for this service at this point)

If your organization meets these requirements and you are interested in discussing PPT services, please drop me a line (Twitter: @lbhuston), or via email at Info at microsolved dot com. You can also reach me via phone at (614) 351-1237 x 201.

China’s Report on US Military Cyber Troop Strength

Posted on August 19, 2013 by Bill Hagestad

(紅龍) Red Dragon’s statement: If you think you are paying too much for cyber threat intelligence and your current provider DID NOT SHOW this Chinese article to you…then you have paid too much for the incorrect type of Chinese Cyber Threat Intelligence…

Contact the Red Dragon (紅龍) @ MicroSolved, save money, stay better informed – find a capable cyber intelligence authority for less, much less….

whagestad@microsolved.com

謝謝您

紅龍

People’s Republic of China Report: U.S. network warfare unit’s equivalent to 7 over 8 million people equal to the 101st Airborne Division

At 08:49 on August 15, 2013 Source: Phoenix

Core Tip : According to Sing Tao Global Network reported that the U.S. share of global 29% of the number of hackers, the U.S. military about 3000-5000 information warfare experts, and 50000-70000 cyberwar soldiers, together with the original electronic warfare officer , the U.S. network warfare units should have eighty-eight thousand seven hundred people, the scale is equivalent to seven 101st Airborne Division, which will burden future wars weakened the enemy four into combat missions.

Phoenix August 14 “military observation room”, the following is the text Record:

Commentary: Snowdon event causes a foreign media speculation, in fact, the United States first established the largest network warfare units, the development of the world’s most advanced network warfare equipment, and bringing it to actual combat. Recently, the Sing Tao Global Network reported that the U.S. share of global 29% of the number of hackers, the U.S. military about 3000-5000 information warfare experts, and 50000-70000 cyberwar soldiers, together with the original electronic warfare officer, U.S. Army network warfare units should have eighty-eight thousand seven hundred people, the scale is equivalent to seven 101st Airborne Division, which will burden future wars to weaken the enemy four combat missions.

U.S. network army of four thousand people, the world’s top computer experts and hackers, including the CIA, NSA, FBI and other sector experts, all members of the average IQ of 140 or more, known as 140 troops from American four-star general Alexander lasted eight single-handedly built his independent command of the Tenth Fleet, including the Navy, the Air Force 24th Air Force and the Army Second Army, responsible for the training of the academic elite spy technology centers, as well as specialized eavesdropping embassies around the world special data collection center, the United States is being set up forty network security forces, including 13 as offensive forces, the main development network warfare weapons, another 27 troops mainly to protect DoD computer systems and data, all 40 teams will branch to be completed before the autumn of 2015.

“Military observation room” program broadcast in the Phoenix Chinese Channel ] [Program Area

Moderator: Dong Jiayao Moderator Zone]

First time: (Wednesday) 21:50-22:30

Playback time: (Thursday) 04:10-04:50,15:15-15:55

Statement : where marked “Phoenix” sources of work (text, audio, video), without the Phoenix authorization, any media, and individuals shall not be reproduced, link, posted or otherwise use; already authorized in writing by the webmaster at use must be marked “Source: Phoenix.” Violate the above statement, Ben Wang will pursue its legal responsibilities.

美國網路戰部隊逾8萬人 相當於7個101空降師2013年08月15日 08:49

來源：鳳凰衛視

核心提示：據星島環球網報道，美國駭客數量佔全球29%，美軍約有三千到五千名資訊戰專家，及五萬到七萬名網路戰兵，加上原有的電子戰人員，美軍網路戰部隊應該有八萬八千七百人，這個規模相當於七個101空降師，它在未來戰爭將負擔削弱敵人四成戰鬥力的任務。

鳳凰衛視8月14日《軍情觀察室》，以下為文字實錄：

解說：斯諾登事件引起中外媒體一輪炒作，其實美國最早建立規模最大的網路戰部隊，發展了世界最先進的網路戰裝備，並將其推向實戰。近日，星島環球網報道，美國駭客數量佔全球29%，美軍約有三千到五千名資訊戰專家，及五萬到七萬名網路戰兵，加上原有的電子戰人員，美軍網路戰部隊應該有八萬八千七百人，這個規模相當於七個101空降師，它在未來戰爭將負擔削弱敵人四成戰鬥力的任務。

美國網軍達四千人，由世界頂級電腦專家和駭客組成，包括中央情報局、國家安全局、聯邦調查局以及其他部門的專家，所有成員平均智商在140以上，稱為140部隊，由美國四星上將亞歷山大歷時八年一手打造，他獨立指揮權包括海軍第十艦隊，空軍第24航空隊以及陸軍第二軍，負責培訓間諜技術的學術精英中心，以及專門竊聽世界各國大使館的特殊數據收集中心，美國正在組建四十支網路安全部隊，其中13支為進攻性部隊，主要開發網路戰武器，另外27支部隊主要保護國防部的電腦系統和資料，所有40支部隊將於2015年秋季前全部建成。

《軍情觀察室》節目在鳳凰衛視中文臺播出【節目專區】

http://big5.ifeng.com/gate/big5/phtv.ifeng.com/program/jqgcs/

主持人：董嘉耀【主持人專區】

首播時間：（週三）21:50－22:30

重播時間：（週四）04:10－04:50，15:15－15:55

聲明：凡註明“鳳凰網”來源之作品（文字、音頻、視頻），未經鳳凰網授權，任何媒體和個人不得轉載、鏈結、轉貼或以其他方式使用；已經本網書面授權的，在使用時必須註明“來源：鳳凰網”。違反上述聲明的，本網將追究其相關法律責任。

http://big5.ifeng.com/gate/big5/phtv.ifeng.com/program/jqgcs/detail_2013_08/15/28642074_0.shtml

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Threat-Centric