ISC StormCast for Thursday, January 7th 2016 http://isc.sans.edu/podcastdetail.html?id=4813, (Thu, Jan 7th)

 SANS Internet Storm Center, Security Alerts  Comments Off on ISC StormCast for Thursday, January 7th 2016 http://isc.sans.edu/podcastdetail.html?id=4813, (Thu, Jan 7th)
Jan 062016
 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A recent example of wire transfer fraud, (Thu, Jan 7th)

 SANS Internet Storm Center, Security Alerts  Comments Off on A recent example of wire transfer fraud, (Thu, Jan 7th)
Jan 062016
 

Introduction

Do you know about any attempts of wire transfer fraud in your organization? They often start with phishing emails. These emails are used to trick an employee into wiring money to bank accounts established by the criminal. Its an old scam, but 2015 apparently saw a resurgence in wire transfer fraud [1]. Last August, we saw reports that thieves stole $46.7 million from Ubiquity using this method [2]. Since then, at least one organization has shared its experience as the target of an (unsuccessful) attempt at wire transfer fraud [3].

During the first full week of 2016, I ran across such an attempt and thought Id share.

Chain of events

In most cases Ive seen, the general sequence of events runs as follows:

  • Criminal sends an email with a spoofed sending address to one or more targeted recipients.
  • A recipient replies to the Reply-To: address in the email headers.
  • Criminal continues the conversation and asks for a wire transfer.

The actor may spoof an executive from your organization, a business partner, or a customer. If the actor is successful, someone in your organization will do the wire transfer It may take a while before people know theyve been tricked. In Ubiquitys case, the criminals managed to steal millions of dollars before the company realized it [2].

Ubiquity is not unique in this regard. According to the FBI, between October 2013 and August 2015, thieves stole nearly $750 million from more than 7,000 companies in the US using such scams [4].

How does a criminal decide who to target in your organization? If your company has a website with biographies of your leadership, its fairly easy to figure out who might be able to authorize a wire transfer.

Example from Monday 2016-01-04

In this example, 17 emails were sent in two waves. The first wave went to the first two individuals, and the second wave happened almost 6 hours later and went to the last two individuals. The criminal didnt have the email addresses of the actual recipients, so multiple messages were sent using different recipient emails. We saw [firstname.lastname]@[company].com, [first initial + lastname]@[company].com, and variations on the domain, like [company].com.de or [company].com.br for those recipients not located in the United States.”>Date: Mon, 4 Jan 2016 22:18:08 GMT
From: [spoofed executive”>
Do you have a moment?”>Sent from my iPhone

Tracing the source of these emails

Reviewing the email headers, it appears this email came from a virtual private server (VPS) on an IP administered by myhosting.com (a hosting provider). From what I understand, almost everything in the email headers can be spoofed. The only certain information is the IP address listed in the Received” />
Shown above:”>Final words

This diary shows an example of attempted wire transfer fraud seen during the first week of 2016. It isnt the most sophisticated attempt Icombat these types of scams, the best defense is user education. Make sure people with authority for wire transfers know to what expect.

Do you have a wire fraud transfer story? Feel free to share in the comments!


Brad Duncan
Security Researcher at http://www.rackspace.comRackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://www.dlapiper.com/en/us/insights/publications/2015/08/wire-transfer-phishing-an-old-scam-returns/
[2] http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
[3] http://fortune.com/2015/10/13/ceo-wire-transfer-scam/
[4] http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics, (Wed, Jan 6th)

 SANS Internet Storm Center, Security Alerts  Comments Off on toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics, (Wed, Jan 6th)
Jan 062016
 

The following is a cross-posted from HolisticInfoSec.

Happy New Year and welcome to 2016! When last we explored red team versus blue team tactics inMay 2015, we utilizedInvoke-Mimikatz, then reviewed and analyzed a victim with WinPmem and Rekall. The recent release of PowerSploit 3.0.0 on 18 DEC 2015 presents us with another opportunity to use PowerShell for a red team versus blue team discussion. This time its an all PowerShell scenario, thanks as well to PowerForensics. Forget the old Apple pitch line: Theres an app for that. With so much PowerShell love, theres a PowerShell script for that!

For the uninitiated, a description of each. PowerSploitis a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerForensicsis a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system. Both are updated regularly and are GitHub projects subject to your feedback and contributions. PowerSploit includes scripts that aid in antimalware bypasses, code execution, exfiltration, persistence, privilege escalation, reconnaissance, script modification, and general mayhem.PowerForensics includes scripts the allow analysis of the boot sector, Windows artifacts, the Application Compatibility Cache, Windows Registry, as well as create forensic timelines. There are also Extended File System 4 (ext4) scripts as well as some utilities.

Credit where due, these two projects include some excellent developers, includingJared Atkinson, who leads PowerForensics but also contributes to PowerSploit. The PowerSploit team also includesMatt GraeberandJoe Bialek, Ive admired their work and skill set for years.We wont explore it here, but be sure to check out Empire fromWill Schroeder, who also contributes to PowerSploit. The topic of a future toolsmith, Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.

Before working through a couple of red vs. blue scenarios, a quick rundown on installation for both tool sets. For PowerSploit, useDownload Zipfrom the Githubrepo, move the zip package to your\Documents\WindowsPowerShell\Modulespath under your user directory, unpack it, and renamePowerSploit-master toPowerSploit. From an administrator PowerShell prompt, run”>Import-Module PowerSploitand follow it with”>Get-Command -Module PowerSploitto ensure proper import. You will definitely want to run”>$Env:PSModulePath.Split() | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }to avoid the incredibly annoying Do you really want to run scripts downloaded from the Internet warning. Yes, I really do. For PowerForensics, the routine is similar, however the modules for PowerForensics are buried a bit deeper in the ZIP package. Again, useDownload Zipfrom the Githubrepo, unpack the ZIP, drill down to”>\PowerForensics-master\PowerForensics\Moduleand copy the PowerForensics directory there to your”>\Documents\WindowsPowerShell\Modules”>IssueGet-Module -ListAvailable -Name PowerForensics, them”>Import-Module PowerForensics. Again,”>Get-Command -Module PowerForensicswill ensure a clean import and show you available modules. Likely worth adding”>$Env:PSModulePath.Split() | % { if ( Test-Path (Join-Path $_ PowerForensics) ) {Get-ChildItem $_ -Recurse | Unblock-File} }to avoid hassles as well. Lets begin with my absolute favorite, it is the ultimate in absolute nerd humor and is a force to be reckoned with all by itself. Imagine a red team engagement where youve pwned the entire environment, then you leave the following calling card. If you run”>Get-Help Add-Persistence -examplesyou will discover the best infosec joke ever, forget just PowerShell. I” />

Three files are written:”>Persistence.ps1,”>RemovePersistence.ps1, and”>rr.ps1which is”>EncodedPersistence.ps1renamed. Inspecting”>rr.ps1reveals base64 encoding designed to conceal the 80s musical flashback that follows.

User-level and elevated persistent scheduled tasks are created, called TN Updater, and aprofile.ps1file is written toC:\Users\\Documents\WindowsPowerShell. If you inspect the profile script, youll initially say to yourself Whatever, the file is empty. Au contraire, ami. Scroll right. Ah there it is:iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA=),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

Should your victim, or you on behalf of your victim, run” />

All good chuckles aside, a persistent rickroll is really just an example of any number of truly evil options. Shells, beacons, downloaders all come to mind, creativity is really your only challenge,Add-Persistenceis your vehicle for scripting forget-me-not. All good for the red teamers, whats there for the blue team?

PowerForensics”>Get-ForensicTimelineis likely a good start, Im a huge fan of a complete timeline. When you run”>Get-Help Get-ForensicTimelineyoull quickly learn that it incorporates the following cmdlets:

  • Get-ForensicScheduledJob
  • Get-ForensicShellLink
  • Get-ForensicUsnJrnl
  • Get-ForensicEventLog
  • Get-ForensicRegistryKey

Get-ForensicTimelineleft unchecked will, of course, dump a timeline for the entire discernible date range of all artifacts. This can lead to an unwieldy, huge text dump, I suggest filtering up front. Assume as a blue team member I knew my attack had occurred sometime during the New Year holiday. As such, I ran”>Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge 12/30/2015 -and $_.Date -le 01/04/2016 } c:\tmp\timeline2.txt.

This resulted in a much more manageable file for indicator searches. In this case, wed like to attribute detail to the creation and execution ofrr.ps1. There are a couple of ways to dig in here.SLS, alias for”>Select-Stringis your PowerShell friend:” />

You can see weve easily discovered who, what, and where. The why is easy, because rickrolls rule! :-)

Timeline analysis is always vital and important but there are more opportunities here, lets put these kits through their paces for a second scenario.PowerSpoit includes”>Invoke-WmiCommand. Per its description,”>Invoke-WmiCommandexecutes a PowerShell ScriptBlock on a target computer using WMI as a pure C2 channel. It does this by using the StdRegProv WMI registry provider methods to store a payload into a registry value. The command is then executed on the victim system and the output is stored in another registry value that is then retrieved remotely.”>Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath SOFTWARE\pwnkey -RegistryPayloadValueName pwnage -RegistryResultValueName pwnresults -ComputerName 10.120.175.122 -Credential DOMAIN\username -Verbose

I changed my domain and username to DOMAIN\username for the example, obviously you” />

The payload here is simple math, 1+3+2+1+1, as executed on my victim server (10.120.175.122) and returned the result (8) to my attacker host. You can imagine how useful quick, easy remote WMI calls might be for a red team. Obviously a more constructive (destructive?) payload would be in order. But how to spot this from the blue teams perspective?

PowerForensics includes”>Get-ForensicEventLog.Registry tweaks create Windows Security event log entries, including 4656 for registry key open, 4657 for creation, modification and deletion of registry values, and 4658 for registry key closed.Imagine a security event log export file from a victim system, ready for analysis on your forensic workstation. As such, you could run the likes of”>Get-ForensicEventLog -path C:\tmp\security.evtx | Where-Object { $_.EventData -like EventId: 4656″ />

See? Thats not so bad, right? Red team events do not need to leave the blue team scrambling to catch up. Similar tactics but different outcomes.Ive done neither of these PowerShell infosec offerings any real justice, but hopefully opened your eyes to the options and opportunities the represent. Use them both and youll be better for it.Conduct your red vs. blue exercises in concert, cooperatively, and youll achieve improved outcomes. Emulate that adversary, then hunt him down.

Please feel free to share your red team vs. blue team PowerShell concepts via comments, readers will benefit from your experience as well.

Follow these guys on Twitter if you want to stay up on the PowerShell arms race. :-)

Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or”>|”>@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th)

 SANS Internet Storm Center, Security Alerts  Comments Off on Site Updates: ISC/DShield API and ipinfo_ascii.html Page, (Wed, Jan 6th)
Jan 062016
 

We are planning a couple of updates to the ways data can be retrieved automatically from this site. The main reason for this is to make it easier for us to maintain and support some of these features. The main idea will be that we focus automatic data retrieval to our API (isc.sans.edu/api or dshield.org/api). It should be the only place that is used to have scripts retrieve data.

In the past, we had a couple of other pages that supported automatic data retrieval. For example, ipinfo_ascii.html . These pages will be phased out. We will first remove links to these pages and no longer advertise them. Secondly, the pages will be rate limited to only a few requests per hour. Finally, we will remove the pages. We may also do stricter filtering on user agents and other browser fingerprints to pages other than the API.

Sometime this year, we may also add a simple authentication to the API. We do not care who downloads our data, but it can be handy to be able to reach a user that is causing problems. It is helpful if you add contact information (e.g. an e-mail address) to your user agent. I will write up another diary once we defined the authentication mechanism. But we do expect to keep it simple (e.g. a static authentication key or a hash of an authentication key with a nonce) and we will still allow unauthenticated requests at a slower rate.

All our data is free to use for non-commercial use, meaning as long as you do not re-sell it. You can use the data for free to help you protect your company network. Also please understand that the data is provided as is. It is, in my opinion, best used to provide context to your data, and should not be used as a simple blocklist.

In exchange for using our data, we hope that you help us make the data better by contributing your data.


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

ISC StormCast for Wednesday, January 6th 2016 http://isc.sans.edu/podcastdetail.html?id=4811, (Wed, Jan 6th)

 SANS Internet Storm Center, Security Alerts  Comments Off on ISC StormCast for Wednesday, January 6th 2016 http://isc.sans.edu/podcastdetail.html?id=4811, (Wed, Jan 6th)
Jan 052016
 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

%d bloggers like this: