Poor Visibility is a Solvable Problem

One of the big thing that many organizations lack today is visibility into their information security posture. Sure, they have vulnerability management and some have “false positive generators” (otherwise known as NIDS), some even have log analysis and event engines. But, with all of that technology, they still are very likely to miss insider attacks and attacks of a subtle nature.

I am continually amazed when organizations demo HoneyPoint technology and they have their first real “AH HA” moment. Usually a bot-infected machine triggers a HoneyPoint during a scan (like with Conflicker) or makes a login attempt against a decoy virtual machine. Occasionally, you see full on attacks underway that get caught by the demo. For example, one unlucky client caught a scan against a POP3 HoneyPoint that was a brute force attempt with VALID logins and passwords. The HoneyPoint alerted and they began an incident that lead to the discovery of a compromised domain. The attackers had cracked the SAM and were using the key admin accounts to see what else they could get into. You can rest assured, that client very quickly went from demo to customer.

Until organizations understand the value of putting forth bait to lure suspicious activity, it is hard for them to grasp that this is not just another source for noise. Once they get their head wrapped around the idea that since a resource is not real, any activity with it is, by default, suspicious at best and malicious at worst, they struggle to understand the leverage that HoneyPoint brings. But, the bad news for attackers is that more and more are getting it. More IT managers are flipping on that light switch and stepping out of the “dark ages” of infosec and into the age of the HoneyPoint.

What can I say, once security folks think differently about the problems, the game changes for the better. The time for threat-centric security has arrived. Things will never be the same again…

Danger: Conflicker Growing at Massive Rate **ALERT**

Just a quick word of caution, the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conflicker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 mins or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!

This is important to you for the following reasons if you are an IT person or Infosec person:

  • The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
  • Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, the likes of which will likely compare to Kraken or Storm
  • On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
  • You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!

What can you do?

  • HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no SAMBA/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can’t bind to 445 on Windows systems as Windows is using it to host the possibly vulnerable service) Investigate any host that probes that open port.
  • Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
  • Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
  • Prepare yourself and your team for the battle ahead.
  • If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
  • Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)

Please, pay attention to this one. It looks “slammer/code red” nasty…..

** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **

Toata Moves On To Additional Targets

The Toata bot army has moved on to scanning for additional web-applications to target/catalog. Medium levels of scanning began last night and continue today. The new targets are:

/mantisbt/login_page.php

/tracker/login_page.php

/bugtracker/login_page.php

/bugtrack/login_page.php

/support/login_page.php

/bug/login_page.php

/bugs/login_page.php

/login_page.php

/statistics

/bin/statistics

/twiki/bin/statistics

/wiki/bin/statistics

/wikis/bin/statistics

/cgi-bin/twiki/bin/statistics

/cgi-bin/wiki/bin/statistics

/cgi-bin/wikis/bin/statistics

Check your systems to see if you have these files, if so, check with the responsible projects for updates. Consider additional monitoring and/or removal from service. Investigations should be performed, exploitation timelines and goals are unknown. It appears that Mantis Bugtracker and Twiki are the likely targets. Exploit vectors have not been researched at this time, though Mantis has had known XSS in the login page previously.

Our HoneyPoint Internet Threat Monitoring Environment (HITME) is tracking the scans, sources and payload evolutions. SANS and other groups have been notified.

More Toata Scans for a New RoundCube File

Last night, HITME began to pick up various sources scanning for a new file in the RoundCube Webmail product. The file “list.js” is being scanned for by the Toata bot and low levels of port 80 scans matching these probes are ongoing. SANS and the project owners have been informed.

No exploitation has been observed by us thus far in relationship to these scans, but cataloging is ongoing. Intent of the attacker is currently unknown, as is the vulnerability, if any, present in the file.

Following are the signatures captured from one host:

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:41 on port 80

Alert Data: GET /rc/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:39 on port 80

Alert Data: GET /roundcubemail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:38 on port 80

Alert Data: GET /roundcube/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:36 on port 80

Alert Data: GET /webmail/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

XXX received an alert from 88.191.50.206 at 2009-01-15 19:55:35 on port 80

Alert Data: GET /email/program/js/list.js HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Toata dragostea mea pentru diavola

Host: xx.xx.xx.xx

Connection: Close

Once again, users of RoundCube Webmail are urged to ensure they are doing additional levels of monitoring, staying current on all patches/updates and taking other precautions. Consider removing RoundCube from Internet exposure until these and other ongoing issues are mitigated.

PHP Threats Continue to Rise But More Work & Education Could Help

Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allows our vulnerability management and professional services clients to know that they are better protected, even against bleeding edge threats.

PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so called, “safe mode”, PHP applications can still present a high level of risk. Until, at least, the release and wide scale adoption of PHP 6, issues are likely to continue to abound, maybe even beyond that if the attacker underground has anything to say about it.

PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner and partner to MSI, has even created Sandcat4PHP, a special source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created these images that show the impact that PHP vulnerabilities are having on their work. PHP security issues represent an overwhelming margin of their work for the year.

All of this is not to say that PHP development is a bad thing. In fact, PHP developed applications have empowered many new cutting edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity that they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY, they just require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even those budding developers among us learn the basics of creating secure code. Techniques like input validation, proper sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.

In the meantime, while education is being worked on, it might be a wise idea to take a check around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you desire additional insight into PHP security problems. Keep your eyes on PHP, though, its powerful, flexible capabilities make it a big player in the future of the web!

** Have feedback on this post? Please feel free to leave a comment, drop me a line via email or send me a tweet to @lbhuston on twitter. Thanks for reading! **

Round Cube Webmail Probes Spreading Rapidly

Our HoneyPoint Security Server deployment has identified a set of 0-day scans and probes against the Round Cube Webmail system.

The probes are originating from infected Linux systems world wide and appear to be spreading rapidly. Infection of systems via a bot-net client or other form of malware is likely. The extent of compromise is currently unknown, but complete compromise or escalation to complete compromise may be possible.

Research and work with the developers is ongoing. Users of Round Cube Webmail systems should take steps to remove their systems from Internet access and/or implement additional controls for monitoring and protection. Removal of the msgimport.sh script file is highly encouraged, though additional entry points may emerge in the future.

New versions of the application may not have the msgimport.sh file present.

The current version of the attack is probing for the following files:

/nonexistenshit

/mail/bin/msgimport

/bin/msgimport

/rc/bin/msgimport

/roundcube/bin/msgimport

/webmail/bin/msgimport

Our HoneyPoint deployment has been reconfigured to trap additional data about this threat and additional information may be available soon. The MSI technical team is working with our clients to ensure they are protected against this and other emerging threats. Our threat detection capability, provided to us by our HoneyPoint line of products gives us uniquely deep insight and visibility into bleeding edge threats. As always, we strive to use that knowledge to protect our clients and the Internet at large.

More information can be found on this issue by following @lbhuston and/or @honeypoint on Twitter. You can also check back on our blog or schedule a call with one of our team members if you have additional needs.

** Update: @around 2:30pm Eastern, the “Toata” bot-net added the signature to its scans as well. In less than 24 hours there are now at least 2 known bot-nets scanning for the issue. Any bets on how long it will take before “morfeus” scans for it too??? Also, note that the URL request from “Toata” has a double // typo in it….

** Another Update: Syhunt has added tests to Sandcat for the issue. They are now available via update mechanism for clients.

Playing with Plugins for HoneyPoint

I have been playing with various plugins lately for HoneyPoint. In this case, I wanted to show the output of two plugins I am playing with currently.

The first one is the TweetCLI plugin that I have written about before. In this example, I am going to show an event that has come in and what the plugins did for me.

The TweetCLI plugin posted the following to the @HoneyPoint feed on Twitter:

Suspicious Activity Captured From: 41.205.122.150 on port 23

Then, the console also executed a plugin I lovingly call AutoPoke. It basically does a whois look up of the address and performs a basic nmap TCP port scan of a few common ports. This produced the following output:

OrgName: African Network Information Center

OrgID: AFRINIC

Address: 03B3 – 3rd Floor – Ebene Cyber Tower

Address: Cyber City

Address: Ebene

Address: Mauritius

City: Ebene

StateProv:

PostalCode: 0001

Country: MU

ReferralServer: whois://whois.afrinic.net

NetRange: 41.0.0.0 – 41.255.255.255

CIDR: 41.0.0.0/8

NetName: NET41

NetHandle: NET-41-0-0-0-1

Parent:

NetType: Allocated to AfriNIC

NameServer: NS1.AFRINIC.NET

NameServer: NS-SEC.RIPE.NET

NameServer: NS.LACNIC.NET

NameServer: TINNIE.ARIN.NET

Comment:

RegDate: 2005-04-12

Updated: 2005-07-12

OrgAbuseHandle: GENER11-ARIN

OrgAbuseName: Generic POC

OrgAbusePhone: +230 4666616

OrgAbuseEmail: abusepoc@afrinic.net

OrgTechHandle: GENER11-ARIN

OrgTechName: Generic POC

OrgTechPhone: +230 4666616

OrgTechEmail: abusepoc@afrinic.net

# ARIN WHOIS database, last updated 2008-12-29 19:10

# Enter ? for additional hints on searching ARIN’s WHOIS database.

Starting Nmap 4.68 ( http://nmap.org ) at 2008-12-30 xxx AST

Interesting ports on 41.205.122.150:

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp filtered telnet

25/tcp closed smtp

79/tcp closed finger

80/tcp filtered http

110/tcp closed pop3

135/tcp filtered msrpc

136/tcp closed profile

137/tcp closed netbios-ns

138/tcp closed netbios-dgm

139/tcp filtered netbios-ssn

443/tcp closed https

445/tcp filtered microsoft-ds

1433/tcp closed ms-sql-s

3389/tcp closed ms-term-serv

5800/tcp closed vnc-http

5801/tcp closed vnc-http-1

5900/tcp closed vnc

5901/tcp closed vnc-1

6666/tcp closed irc

6667/tcp closed irc

6668/tcp closed irc

6669/tcp closed irc

Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

This output is kind of fun (at least to me) to watch. I get real time info about where scans and probes are coming from. I also get real time port info from the scanning hosts. Over time, this gives me some pretty interesting insight into common postures of hosts that appear to be compromised or infected.

In this case, this particular host was interesting because of the source. Our global HoneyPoint deployments don’t see too many offending hosts from this particular region. Over time, if I see more activity originating from there or the like, then I can decide if the threat levels in that area are increasing, but none the less, even this first one is interesting. A quick review of the host shows a likely vulnerable ssh deployment, which may indicate that the host is compromised and/or bot-net infected. Of course, this is all supposition, but interesting (to me) anyway.

Now you know how I spend my time. I love to watch the ebb and flow of attacks, probes and scans. I like to know the sources and virtual “look and feel” of the victim systems. I suppose that is where many of the capabilities in HoneyPoint come from. I think they are just toys that I would like to play with, thus they end up in the product. Do you have some plugins you would like to see or some new HoneyPoint toys or functions you would enjoy? If so, drop me a line. We are working on the plans for HPSS 3.xx as we speak, so now would be a great time to hear a want list from the public!

Thanks for reading!

New Twitter Feed of “Bad Touches” Available

For those of you interested in security, black listing or HoneyPoint stuff, check this out.

I used the TweetCLI tool I blogged about earlier to write a HoneyPoint Security Server plugin. The plugin fires for each event and tweets the attacker IP and source port that the deployed HoneyPoints covered by this console saw.

There are several hosts and networks reporting HoneyPoint alerts to this console. All of these HoneyPoints are Internet exposed, so you should be able to see some basic sources of scans, probes and malware attacks.

I am not presently publishing the payloads, though I may in other ways in the future or show aggregate data in some manner.

The basis for the “bad touches” is that these are hosts and ports not truly offering any services, thus any interaction with them could be considered suspicious at best and malicious at worst. An IP address will only be tweeted once per 24 hour period currently, regardless of the amount of interaction it has with HoneyPoints reporting to this console.

You can watch the stream via the web at http://www.twitter.com/honeypoint or by following @honeypoint on twitter. There could be a lot of tweets depending on attack trafffic, so know that up front.

Please let me know if you like the feed, any plans or ways you can think of that it might be helpful to you or other feedback. We are offering this up to the community and we hope that it is helpful to those interested in HoneyPoints, security trending and/or black list generation.

Let me know your thoughts and thanks for reading!

Hackers Hate HoneyPoint

HackersHateHPlogoed200.jpg

We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.

We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security swiss army knife”. The capabilities, insights and knowledge that the product brings us is quickly and easily being integrated into our core service offerings. Our assessments and penetration testing brings this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix. We are adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.

This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.

You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!

Webcollage Agent Proxy Scans – Likely a Bot

Here is a quick example of a scan that we have been seeing a lot of lately, especially in our HoneyPoints deployed around consumer ISP networks. The example is about month old, but proxy scans are a very common occurrence.

HoneyPoint shows the following aler (some data modified for privacy)t:

XXX received an alert from 92.240.68.152 at 2008-11-08 09:57:07 on port 80
Alert Data: GET http://www.morgangirl.com/pics/land/land1.jpg HTTP/1.0
User-Agent: webcollage/1.135a
Host: www.morgangirl.com

Now, the XXX replaces the HoneyPoint location, so it remains obscured from the public.

This is a web server emulating HoneyPoint and it is listening on port 80.

The Alert Data: field shows the request received, which appears to be a proxy attempt to get a graphic.

The source of the request was 92.240.68.152 which the whois plugin shows to be (trimmed):

% Information related to ‘92.240.68.149 – 92.240.68.159’

inetnum: 92.240.68.149 – 92.240.68.159

netname: ADDIO-LTD-20080414

descr: ADDIO Ltd.

descr: Server farm Daype.com

country: LV

admin-c: AS11278-RIPE

tech-c: AS11278-RIPE

status: ASSIGNED PA

org: ORG-IOMA1-RIPE

mnt-by: lumii-mnt

source: RIPE # Filtered

organisation: ORG-IoMa1-RIPE

org-name: Institute of Mathematics and Computer Science of University of Latvia

org-type: LIR

Interesting in that the agent is likely faked as webcollage, a screen saver type application for displaying random graphics from the web. Another possibility on this event is that a previous scanner took the bait of the 200 return code from the HoneyPoint and added it as an open proxy. If that is true, then we may be on a proxy list and get to see many requests from people attempting to use open proxies. Getting a HoneyPoint added into these lists has given us great insight to web attacks, scams and phishing attacks in the past.

Now you have a variety of actions, you could block the source IP address to kill further scans and probes from that host. You could report the suspicious activities to the ISP in question. If a review of the web site that was the target showed illicit activity, you could also analyze and proceed to take actions to alert its owners as well. Many times these quick investigations have identified compromised hosts on both ends or compromised web hosts that are spreading malware. Plugins are available or can be created to automate many, if not all of these activities.

In this case, since this is simply a quick proxy attempt, and a cursory review of the target web site does not show any overt malicious activity, we will pass on this one and just use it as an example.

HoneyPoint can be used in a variety ways. Internet exposed HoneyPoints can give you deep insights into the types of targeting and exploit activity your networks are experiencing without the need to troll through immense log files or dig through noisy NIDS event patterns. HoneyPoint is great at collecting black list hosts, scanners and bot patterns. The longer clients use HoneyPoint, the more they discover that they can do with it. It becomes like a security swiss army knife to many clients.

Check out more information about HoneyPoint here. Follow me on twitter here to learn more about HoneyPoint, the threats we capture and other security and non-security info.