Technical Blog

Learn about the latest in technical Cyber Security news, information, techniques and more with original posts by GuidePoint’s seasoned technical personnel.

 

2017 the year of the Non-Malware Attacks

What is a “non-malware” attack?

Image Source: https://www.firstclassassignment.com/value-risk-finance/

A non-malware attack is an attack that does not use malware. Simple.

More realistically, a non-malware attack is one in which an attacker uses existing software or allows (remote access) applications and authorized protocols (e.g., RDP, ssh, etc.) to carry out malicious activities on your network.

In a non-malware attack, the threat actor uses the accessible software to gain entry into the targeted network, control the victimized computers and from this point perform any sort of nefarious actions all within “full view” of all security safeguards.

These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that will eventually lead to your valuable data. With a non-malware attack, the victim has built into their traditional business model all the tools and access the threat actor needs to have to be successful. Yes, you could have made the bad-guy successful.

Without proper monitoring, the victim has, with legitimate business software (e.g., PowerShell, UltraVNC, TeamViewer, DesktopNow, etc.)[1], opened the front door to their kingdom and welcomed the threat actor with a big, warm hug and a hot cup of coffee.

In a recent Carbon Black report[2] they make note that; “Virtually every organization included in this research was targeted by a non-malware attack in 2016.” Furthermore, in the same report, Carbon Black also states there has been a +92% increase in non-malware based attacks for 2016.

The Carbon Black report says common types of non-malware attacks researches reported seeing and the percentage that saw them were: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).[3]

Remember, I am not saying that any of these remote access utilities do not have a legitimate use. What I am pointing out is that non-malware remote access utilities, properly managed and not used in an ad-hoc fashion, can be very useful. However, after you add in the hubris of the Human Element (HE), this is hardly ever the case and security professionals are left scrambling to identify authorized vs. unauthorized use and access which is quite time-consuming.

What makes a non-malware attack work?

What makes a non-malware attack so successful? The answer is simple, we give the threat actor all the tools they need to be successful. We (the royal “we”) fully equip the threat actor with all the necessary tools and access simply by doing our normal daily activity and business.

Some of the more famous non-malware attacks or attack trends include the attack against the Democratic National Committee (DNC) and the “PowerWare”[4]  campaign tracked by the Carbon Black teams.

Remember, the basis of a non-malware attack is to gain a toe-hold with little threat of detection. From this point, the threat actor determines how to promulgate the attack internally.

Why are non-malware attacks so hard to prevent and detect?

Traditional security approaches in detecting non-malware (malicious) attacks will probably be 100% ineffective. This is because traditional security platforms and most modern security platforms were not designed to detect non-malware attacks in mind.

In addition to GuidePoint’s IR experiences, Carbon Black[5] has performed extensive research on non-malware based attacks, and has provided their findings in {https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/}. Unfortunately, traditional antivirus (A/V) is ineffective in detecting non-malware based attacks, and security professionals should consider the use of technologies that incorporate Artificial Intelligence (AI), Machine Learning (ML), and User and Entity Behavior Analytics (UEBA) to effectively thwart non-malware based attacks.

Traditional A/V was never designed to detect non-malware attacks. They are basically designed as a signature-based threat detection platform that typically only monitors when a known malware signature has been written to disk. Non-malware based attacks are not identified as malware.

Image Ref: www.carbonblack.com

“AI and ML’s roles in preventing cyberattacks have been met with both hope and skepticism. They have been marketed as game-changing technologies though doubts still persist, especially when used in siloes. Their emergence is due largely to the climbing number of breaches, increased prevalence of non-malware attacks, and the waning efficacy of legacy antivirus (AV)”.[6]

Real-World Example

In one real world example, of a non-malware attack the GPS/DFIR team responded to a customer request to analyze some anomalous network activity their security team had been witnessing for a couple of months (yes, months).

The Incident Responders were able to monitor an initial select set of endpoints and network segments.  Soon the GuidePoint Security Digital Forensics & Incident Response (GPS/DFIR) team identified the fact that no remote access malware was present and that network/system access was gained through compromised accounts via non-malware attack.

This was a complex DFIR investigation that involved multiple security and forensic disciplines, 24/7 monitoring of all network segments and an enterprise wide deployment with high fidelity endpoint sensors.  Also, customized onsite databases had to be designed so that all sensor data could be aggregated and analyzed in near-real-time.

The end result was a lengthy engagement with multiple forensic responders chasing and tracking the threat actor inside a global network.  The threat actor was using non-malware techniques, system administration tools and a variety of security tools to compromise user accounts, escalate privileges, access systems and exfiltrate data for profit.

Defense for non-malware based attacks

Remember, non-malware attacks will use legitimate software to perform malicious activity.  However, fielding a proper, holistic security strategy that encompasses enterprise level end point and UEBA advanced analysis that enables your overall investigative, cyber-hunt and security strategy should be carefully considered.

GPS/DFIR has a track record of investigating and analyzing such non-malware based attacks and with the combined strategic arm of GuidePoint’s security experts and knowledge of the security platforms available, we can help define the best short-term and long-term security roadmap for your organization.

As a basic defense, there are some “snap-shot” remedies that can be easily implemented:

  • Allow few (justified) remote access applications to be used (e.g., Windows RDP, TeamViewer, etc.) in your environment on your systems.  Ensure all remote access requires multi-factor authentication.
  • Because some applications can be manipulated and replaced it is important to have forensically hashed versions identified
    • Share those authorized forensic hash values with your security and IR teams
    • Place the authorized hash values into any white listing or AV applications
  • Only allow a pre-defined group of employees with a legitimate business need to use the remote access applications
  • Identify to your internal security and IR teams the list of who is authorized to use the remote access software
  • Have employees read and sign an “Acceptable Use” policy for the software or applications
  • Develop internal security alerts and rules that identify anomalous behavior and/or connections and alert/respond to those “out of parameter” activities
  • Educate your employees as to the vulnerabilities of such applications
  • Incorporate all non-malware investigative and response activities into your IR plans and run-books

The first line of defense in any effective security organization is the Human Element (HE). With proper education and training, employees can and do typically provide significant feedback as to unusual or questionable behavior.  So, open lines of communication within all business units can only benefit the entire security posture of your organization.

Conclusion

In conclusion, as in the real-world example, forensic analysis validated this particular threat actor using a non-malware attack method was active on this global network for over two years.  Essentially, most of their malicious activity was completely cloaked within the victim’s daily business activity and they were able to work autonomously.

This real-world example is being played out every day in companies all over the globe.  And as GPS/DFIR witnessed in this example, talented security teams recognized the threat but also realized their own team’s limitations and asked for outside help.

Non-malware attacks will never go away, rather we strongly believe that they will only increase in count and complexity and we strongly recommend that you ensure your organization is prepared to deal with this growing threat.

[1] https://www.lifewire.com/free-remote-access-software-tools-2625161

[2] https://cdn.www.carbonblack.com/wp-content/uploads/2017/04/Carbon_Black_Threat_Report_Non-Malware_Attacks_and_Ransomware_FINAL.pdf

[3] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[4] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[5] www.carbonblack.com

[6] https://www.carbonblack.com/2017/03/28/beyond-hype-security-experts-weigh-artificial-intelligence-machine-learning-non-malware-attacks/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

Android Malware (SonicSpy) “Ludo Coins RAT”

Image Reference: http://www.ludocoins.com/

Android malware is not something I typically perform forensic analysis on, but this one caught my eye. This caught my eye mainly because it was in a threat actor database directory that GuidePoint Security’s (GPS) Digital Forensic and Incident Response (DFIR) team has been watching, and also because it is the first sample of Android malware I have seen posted on this particular threat actors database.

Knowing this threat actor has had some recent successes, I thought I should take a look at this Android malware and give it the ole’ forensic once-over. I’m glad I did.

Considering Google is fighting a massive Android malware outbreak [1], and 99% of all mobile malware is Android malware[2], this would be a good way to “enter” into a targeted environment and start to move laterally.  But wait until you see what this Android Remote Access Trojan (RAT) can do.

GPS DFIR teams perform forensic analysis of malware in an effort to provide OSINT and our customers real, actionable and valid forensic IOCs (e.g., Hash values, IPv4, etc.).  It is these IOCs that allow our customers the ability to “plug” them into security devices for action, detection and prevention.

Background

Because of ongoing threat investigations that I will not disclose in this analysis, I have labeled this Android malware “Ludo Coins” RAT.  Yes, I believe there could be a direct correlation to ludocoins.com and, among other things, this RAT could be used to capitalize on the Ludo Coins business model for cash.

Overview

GPS DFIR harvested this sample directly from the threat actor’s database server and was subsequently analyzed in the GPS forensic malware analysis lab.

Overall impression of this RAT is that it has a good overall design and will capture and control all major components and features of your Android mobile device.  The reader should be quite aware that after installation the victimized user will have no control over that mobile device.

Sample Analyzed

MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:    7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

Analysis Platform

Android x86 5.1 (“Android 4”)

Analysis Summary

Overall, this RAT has very little visual clues that it has been installed.  Remember, this is a RAT and it will allow a remote threat actor full control of your Android device.

It does have the ability to change the wallpaper so the threat actor can change (android.app.WallpaperManager.setBitmap) if they so wish.

Test Image 1: Android Screen Capture

During testing, I also noted the RAT can access the Android keyguard (lock screen) and allow the remote threat actor to query the phone’s “GPS” location.

The RAT also performs anti-forensic activities once it is initialized:

  • Deletes call logs/history
  • Deletes other (installed) packages (platform dependent)
  • Kills background processes
  • Obfuscates method names

After deployment/installation, the RAT has the capability of performing a variety of command level functions – remotely:

  • Dials phone numbers and sends SMS (SmsManager) in the background
  • Monitors, redirects and/or block calls
  • Records audio (while running in the background)
  • Takes photos
  • Records any audio/media running on the Android device

The RAT also has specific remote access functionality:

  • Uses Download Manager to fetch additional RAT components
  • Redirects camera/video feed
  • Reads call logs & browser history
  • Monitors incoming & outgoing phone calls and SMS messages
  • Conducts remote query
    • Query list of installed applications
    • Camera Information
    • Stored mail
    • Phone contact information
  • Queries the SIM provider ISO country code
  • Queries the network operator ISO country code
  • Queries device unique ID (e.g., IMEI, MEID, etc.)

Spreading

This RAT has the ability to spread throughout a WiFi environment after initial installation.  It can change the (local) WiFi settings in which it can chose to connect and disconnect from selected WiFi networks.  It can also scan access points for available WiFi networks.

Remember, once it conducts these activities it will transmit the information back to the threat actor and with a reasonable level of effort the threat actor will be able to plot your general geographical location and have knowledge of your WiFi preferences and access.

Summary

Overall, if this Android malware (SonicSpy) infects an Android device, the user will have few visual indications that they have been infected and unless the network IOCs are being monitored, there will be little evidence of an infection.

In my opinion, if an Android device has been infected with SonicSpy, it will command root level access, remain persistent, and make other malicious changes to your mobile device. About the only safe thing you can do at that point is to take a hammer to the Android device and physically destroy it.

https://i.ytimg.com/vi/t6198YIn31g/maxresdefault.jpg

At least after you destroy your Android you can buy an iPhone and not worry about being infected with SonicSpy or any Android variant.

SonicSpy IOCs

File name:   SonicSpy.apk

File size:   840735
MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:   7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

zaraar.ddns[.]net

216.58.201[.]40
64.233.166[.]188
173.194.175[.]188
134.0.16[.]1

Port: 5228 (sample tested seems to always want to connect to CnC to this outbound port)

[1] https://www.forbes.com/sites/thomasbrewster/2017/09/14/massive-google-android-malware-expensivewall/#730a036d477f

[2] http://bgr.com/2014/01/21/android-mobile-malware-report/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

BadRabbit Malware Analysis

Image Source:http://www.designlync.com/about.html

Image Source http://www.designlync.com/about.html

10.27.2017 UPDATE:  BadRabbit CnC Dormancy

Looks like the Threat Actors caged this “Killer Rabbit” for now.  Most of the servers and sites used by the hackers behind the ransomware appear to be taken out of service for no.[1]

Overview: On October 24, 2017, Bad Rabbit, a ransomware infection, a new variant of Petya, has hit a number of organizations in Russia and Ukraine.  First announced in a tweet, the Russian cybersecurity firm Group-IB said initially three media organizations in the country have been hit by file-encrypting malware. [2]

At the same time, Russian news agency Interfax said its systems have been affected by a “hacker attack”.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” [3]
This new strain of ransomware, actively being used in the wild and code-named “BadRabbit”, disguises itself as an Adobe Flash installer in order to gain the user’s trust.  It reportedly uses EternalBlue and Mimikatz to steal passwords and spread in a “worm-like” fashion.

Once executed, the ransomware modifies the bootloader and encrypts the files on the user’s machine.  After the infection is complete BadRabbit presents the user a UI demanding a Bitcoin ransom payment in order to have the files unlocked.

The malware also has the capability to spread throughout the local network via SMB or limited credential brute force over Windows Management Instrumentation Command-line (WMIC) and PSExec after infecting the user’s machine.

Initial reports indicated the ransomware was targeting multiple Eastern-European countries including Ukraine, Russia, Turkey, and Bulgaria, however, additional reports of the ransomware have surfaced in South Korea, Japan, and the United States. Reports surfaced of attacks to government institutions, news agencies, and transportation organizations. The ransomware is reportedly being delivered through compromised legitimate websites – mainly news and media sites at the time of this writing.

Ukrainian organizations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.[4]

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” a translation of the post says. [5]

On 24 OCT 2017 – 05:20PM, ESET announced that their telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected. [6]

Bad Rabbit shares some similarities with Petya – the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

GPS Huntmasters

GuidePoint’s Forensic Intelligence Division, GPS Huntmasters, has had the opportunity to analyze a couple variants of the BadRabbit malware/ransomware.  Through this analysis this elite GuidePoint team was able to confirm additional (unannounced) IOCs [7] as well as documenting the software’s [8] behavior within our testing environments.

Technical Overview

BadRabbit has been distributed through malicious websites with fake Adobe Flash updates with popup (decision) boxes that the end user must execute.  After the user clicks on the malicious popup, the ransomware is downloaded (via http/https) to the victim in the form of a malicious windows binary (e.g., install_flash_player.exe). After execution, the file will require the user to accept a Windows User Account Control (UAC) popup granting the malware escalated rights to the system.

Once executed, the malware deploys the ransomware onto the user’s machine completely compromising the end-user.

Image: Group-IB [9]

#_ftn1

The malware drops the file Infpub.dat, which is then executed by a rundll32 command. Infpub.dat will then create the files cscc.dat and dispci.exe within the C:\Windows directory. The file cscc.dat is actually a renamed file from the legitimate DiskCryptor program. These files are used to encrypt the disk and modify the bootloader preventing a normal bootup of Windows. A scheduled task is also created to ensure the dispci.exe file is run at bootup. Upon reboot, the user is presented with the Ransomware message demanding payment.

Landfall: BadRabbit

Although the USA and other western countries were not specifically targeted by this campaign, it is only a matter of time before BadRabbit will make US “Landfall”. In fact, according to cybersecurity and antivirus vendor Avast, BadRabbit has now been detected in the USA [10](2:44 PM – 24 Oct 2017).

Remember, BadRabbit attempts to spread through SMB. [11] It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords that is hard coded in the actual malware.

GuidePoint Forensic Analysis

On October 24, 2017 GuidePoint’s Forensic Intelligence team obtained and analyzed two samples of BadRabbit. The GuidePoint team has included a summary of our findings that may help future identification and of upcoming variants.

It should be noted that with each variant, file names and hash values may change depending on software variants and Threat Actor activity and strategy.

Analyst Note:  Although the tested samples were done in a forensically pure fashion BadRabbit did exhibit anti-forensic features and file deletion capabilities as noted in some “zero-byte file size” noted during our analysis and testing.

Samples Analyzed

File name: 9y6VPA4OK.exe
File size: 441899
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

File name: infpu.dll
File size: 410760
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

File name: 6CQZJL6EH.exe
File size: 142848
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Forensic Overview

This malware has multiple elements. Execution starts in the binary file that is responsible for dropping and installing other elements.

During testing, once launched initial malware dropped files and conducted the following;
• Clears the windows event log
• Clears the journal log
• Drops executables to the windows directory (C:\Windows) and starts them
• Shows the ability to spread by using its contained functionality to enumerate network
shares of other (attached) devices
• Uses shutdown.exe to shut down or reboot the system
• Contacts additional CnC servers
• Contains functionality to register a low-level keyboard hook
• Contains functionality to infect the boot sector
• File names are dynamically generated
**NOTE: Dropped files appear to be kernel level key loggers

Sample Analysis: fbbdc39af1139aebba4da004475e8839

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;
hxxp://rb.symcb.com/rb.crl
hxxp://s.symcd.com
hxxp://ts-aia.ws.symantec.com/sha256-tss-ca.cert
hxxp://ts-ocsp.ws.symantec.com
hxxp://ocsp.thawte.com

Noted Binary Activity

Uses schtasks.exe or at.exe to add and modify task schedules
C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Contains functionality which may be used to detect a debugger (GetProcessHeap)
GetModuleHandleW,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,Get
ProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree

CnC Connection Attempts:
23.60.139[.]27

Drops PE Files

Path:  C:\Windows\infpub.dat (zero byte file size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: 79116FE99F2B421C52EF64097F0F39B815B20907
SHA-256: 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648

Binary Startup Activity

Test System is Windows 7 sp1

  • 9y6VPA4OKL.exe (PID: 3424 cmdline: ‘C:\Users\user\Desktop\9y6VPA4OKL.exe’ MD5: FBBDC39AF1139AEBBA4DA004475E8839)
  • rundll32.exe (PID: 3452 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3464 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3484 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3500 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 4038216979 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3520 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 15:25:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

C:\Windows\system32\IMM32.DLL
– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize

C:\Windows\AppPatch\sysmain.sdb
– read attributes and synchronize and generic read

C:\Windows\system32\apphelp.dll
– read data or list directory and execute or traverse and synchronize

Sample Analysis: 1d724f95c61f1055f0d02c2154bbccd3

Memory Analysis
N/a

Noted Binary Activity

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN Rhaegal

Spawns processes
– C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR
‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST
– C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Drops PE Files

(Zero byte File Size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: B4D371272FE9C5A7C7936D32DEE609019CC24C31
SHA-256: FA6FE917BCB4F9CE5FE03B71F5E4AF392FB63A4DA4E142C691CCAF9042AB4DCE

Binary Startup Activity

 Test System is Windows 7 sp1

  • loaddll32.exe (PID: 3276 cmdline: loaddll32.exe ‘C:\Users\user\Desktop\infpub.dll’ MD5: D2792A55032CFE825F07DCD4BEC5F40F)
  • rundll32.exe (PID: 3284 cmdline: rundll32.exe C:\Users\user\Desktop\infpub.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3296 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3316 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3328 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3340 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 16:03:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

N/a

Sample Analysis: b14d8faf7f0cbcfad051cefe5f39645f

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;

hxxp://diskcryptor.net/

Noted Binary Activity

Contains functionality to register a low-level keyboard hook
– SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
Contains functionality for read data from the clipboard
Contains functionality to infect the boot sector
Detected the Windows Explorer process (often used for injection)
Connects to many different private IPs via SMB (likely to spread or exploit)

Drops PE Files

This file has been seen in most BadRabbit samples analyzed
C:\Windows\dispci.exe (zero byte file size)
File Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256: 8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
File name: cscc.dat
File size: 181448
MD5: b4e6d97dafd9224ed9a547d52c26ce02SHA1: 59cd4907a438b8300a467cee1c6fc31135757039SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

Binary Startup Activity

 Test System is Windows 7 sp1

• 6CQZJL6EHc.exe (PID: 3464 cmdline: ‘C:\Users\user\Desktop\6CQZJL6EHc.exe’ MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)• cmd.exe (PID: 3492 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)• schtasks.exe (PID: 3512 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

 cleanup

Windows Behavior

C:\Windows\Globalization\Sorting\sortdefault.nls
– read attributes and synchronize and generic read
C:\Windows\system32\rsaenh.dll
– read attributes and synchronize and generic read
C:\Windows\system32\IMM32.DLL
– read data or list directory and execute or traverse and synchronize
C:\Windows\cscc.dat
– File attributes queried
– Return Compare (GetFileAttributesW) executed

BadRabbit Vaccine

According to Cyberreason, users can “vaccinate” their computers against BadRabbit. Note: GuidePoint has not tested this “vaccine” and all changes to any systems should be approved by your network administration teams and proper change control procedures should be followed before they are implemented.

An overview of the process contains two primary steps;
1. Create a file “C:\Windows\infpub.dat & C:\Windows\cscc.dat”
2. Go into the each of the files properties and remove all permissions to both files. When doing this, remove the inheritance so the files do not inherit the perms of the C:\Windows folder.

Detailed guide on setting up files with no permissions or a “BadRabbit Vaccine”. https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

BadRabbit IOCs

GuidePoint has identified additional IOCs during the course of the testing that should be incorporated into organizational defenses. These IOCs are provided below:

IPv4

5.61.37[.]209*
23.60.139[.]27*
23.50.75[.]27*
23.63.139[.]27*
185.149.120[.]3

“*” Not previously identified and discovered by GuidePoint

HASH Values

– de5c8d858e6e41da715dca1c019df0bfb92d32c0
o install_flash_player.exe
– afeee8b4acff87bc469a6f0364a81ae5d60a2add
– fbbdc39af1139aebba4da004475e8839
o Dropper
– 1d724f95c61f1055f0d02c2154bbccd3
o infpub.dat
 the main DLL
– b4e6d97dafd9224ed9a547d52c26ce02
o cscc.dat
 legitimate driver used for the disk encryption (diskcryptor.net)
– b14d8faf7f0cbcfad051cefe5f39645fo dispci.exe
 installs the bootlocker, communicates with the driver (cscc.dat)
– d41d8cd98f00b204e9800998ecf8427e (zero byte file size)

URLs

hxxp://1dnscontrol.com/flash_install.php
1dnscontrol[.]com
an-crimea[.]ru
ankerch-crimea[.]ru
argumenti[.]ru
argumentiru[.]com
bg.pensionhotel[.]com
blog.fontanka[.]ru
calendar.fontanka[.]ru
grupovo[.]bg
i24.com[.]ua
most-dnepr[.]info
novayagazeta.spb[.]ru
osvitaportal.com[.]ua
spbvoditel[.]ru
aica.co[.]jp
fontanka[.]ru
grupovo[.]bg
imer[.]ro
mediaport[.]ua
online812[.]ru
otbrana[.]com
pensionhotel[.]cz
sinematurk[.]com
t.ks[.]ua

Tor Payment URL:- caforssztxqzf2nm[.]onion

Additional References

https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/  https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538https://twitter.com/lorenzofb/status/922946057318871041 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://pastebin.com/01C05L0C
https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading- warn-researchers/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder- ransomware/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Bad Rabbit ransomware

BadRabbit malware


https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported

Image Source: http://www.designlync.com/about.html

Cited Resources

[1] https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

[2] http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[3] http://www.interfax.com/newsinf.asp?id=786280

[4 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[5] https://www.facebook.com/odessa.aero/posts/704524863080360

[6] https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/

[7] IOCs were identified exclusively in the GuidePoint vSOC Spot Report; “Bad Rabbit Ransomware”, Update 1, October 25, 2017

[8] Malware is software that is designed to do malicious or unauthorized activity or have unauthorized functionality

[9] https://twitter.com/GroupIB/status/922818401382346752

[10] https://twitter.com/avast_antivirus/status/922941896439291904?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fsmall-amount-of-bad-rabbit-ransomware-victims-detected-in-the-usa%2F

[11] https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

New F5 ASM Version 12.x Features Improve Performance

In today’s blog, we will discuss the newest features of F5’s Web Application Firewall (WAF), Application Security Manager (ASM). ASM has been around for quite some time, but with recent updates I thought it is worth discussion.

F5 Networks recently released version 12.1.1, the first long-term support release for version 12. If you haven’t read through the release notes, take a few minutes and do so. I am really excited by some of the most recent features and I would like to share some of them with you.

I was ecstatic to see Unified Policy Building in 12.0 because now you have one screen to view all learning suggestions. This makes it far easier to sort through. If your policy builds automatically or statically based on your custom thresholds, you now have only one screen to manage.

Following the style already set in ASM, there is a dropdown menu that allows you to select the policy for which you want to see suggestions. Tabbed across the top is also Enforcement Readiness, and they moved Learning and Blocking Settings here as well. This makes the overall flow better while making it easier to see which settings you have for each selected policy — no more bouncing around the mouseover menus.

Next up in 12.0 is Proactive Bot Defense. This is a set of additional features added to the Denial of Service (DoS) functions ASM already used. F5 added improved defense against unwanted browsers and browsing agents that are non-human initiated. CAPTCHA and javascript insertion does this, but with some caveats. If you use CORS (Cross-Origin Resource Sharing), like with AJAX calls, you will have issues and you should add those URLs to the bot whitelist.

F5 Networks also added malicious bot signatures. Now when you update your ASM application signatures, bot signatures are classified as malicious or benign. Just like with application signatures, you can create your bot signatures as well. You even have the ability to create signature sets with either malicious or benign classifications. This gives you greater control. Once created and applied via a “dos” profile, traffic is automatically classified and either accepted or discarded as configured.

Version 12.1 was not outshined by 12.0, and really cranked up the dial. It added more dos enhancements with the ability to track using device IDs. Now device IDs can use dos, brute force, and session hijacking. You can define bad behavior and set thresholds to classify traffic from them and either log or block them. F5 even extended Analytics to sort by these IDs. More reporting is always a good thing!

Using a similar set of metric definitions, you can now automatically blacklist IPs attacking your layer 7 resources and increase your dos footprint. This does not require use of IP intelligence or any other classification engine. This dos feature is through your config definitions. Adding IP intelligence, however, is a good thing in my opinion. I encourage you to look at it as more than just ASM.

Two huge new features in ASM are the ability to define methods per URL and support websockets per URL. In previous versions, methods were globally defined for an application. This is great news. For apps that might have only one page that support a POST, you can define it only for that page.

Websockets are new altogether. Websocket protocol allows client and server to stream data bidirectionally indefinitely. Websockets create a connection over HTTP, but then switch to a single TCP connection using message frames. This allows full duplex and low latency transport. Chances are you used these in your last internet chat. When you think of what could be hiding in one of those, protection really matters.

The last feature I want to mention is the ability for ASM to automatically detect and configure login pages in your application. If you have spent time parsing through someone else’s code to define a login page, you will welcome this feature. Now, that alone would be cool, but if you defined policy settings for brute force and session tracking, it will automatically add those options to the login forms it creates. This is a rockstar feature!

These are some of the main features ASM received in 12.0 and 12.1. There are still others like improved policy building, reduced policy building resource consumption, etc. Once again, if you have not reviewed the release notes, you should. I hope this generates a little interest in seeing what ASM has to offer now, and that you continue to find success in using F5 Networks Application Security Manager.

If you don’t already have ASM, consider what ASM can do for you. If you are already a Guidepoint Security customer and want to know more, reach out to your representative. If you are not a customer and would like to learn more, please feel free to contact us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

About GuidePoint Security
GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

F5 Networks’ ASM: Secure Your Applications, Don’t Give Away Your Kingdom

It occurred to me while I was writing another blog that we need to talk about Web Application Firewalls (WAF). We think everyone should use one. Your current network and security infrastructure is the castle and drawbridge, whereas WAF is your portcullis. Not securing your applications is like giving away the keys to your kingdom.

What is a WAF?

WAFs are the first and last line of defense for your application. A WAF takes over at layer 4 of the Open Systems Interconnection (OSI) model, moves up to layer 7, and looks at the request, response, and payload. It validates data and the package it’s carried in, and its authenticity. In essence, a WAF applies a set of security rules to all aspects of an HTTP conversation.

The difference from your next-generation firewalls (NGFW) and IDS/IPS units, which only inspect packet-by-packet, is that a WAF digs into HTTP content and conversations, and validates the content request, response, and payload against white and black lists. Using predefined signatures or behavioral baselines, the WAF takes appropriate countermeasures based on configured policy elements. WAFs also include enhanced logging, alerting, connection intermediation, and even content manipulation to mitigate the impacts of attacks, mislead attackers, or inject content designed to raise confidence levels for WAF detection mechanisms.

A WAF validates traffic and payloads by learning the way the application should work, prevents bad input or manipulations, and prevents dangerous query/responses. A WAF maintains HTTP RFC compliance on all aspects of the session, and enforces session rules and session flows. It is a multifaceted tool.

F5 Networks Application Security Manager (ASM), in my opinion, is the right tool for the job. It is a tool that complements the F5 Global Traffic Manager (GTM) and Local Traffic Manager (LTM) devices you already use. To illustrate this, let us look at the traffic flow.

First, the GTM picks up the DNS request. Utilizing GTM, you can create a high-speed query frontend with DNS Express and can secure that zone with DNSSEC. GTM also evaluates your DNS request and traffic-shapes your response based on a host of criteria and settings, sending your session on to the network.

Sure, you have a firewall at your internet edge. It might even be next-gen, performs packet inspection, and has some signatures to eliminate some bad traffic. The same might also be true of your IPS/IDS, but these are packet-by-packet inspections and not the whole HTTP conversation (for the most part) and bad traffic gets by.

Here is where the F5 picks up and starts defending. LTM gets the traffic first and blocks malicious IPs, sorts out countries you may or may not want, defends against DDoS, and mitigates ciphers that are too weak or broken, all while restricting IP/port/landing page. LTM also traffic shapes it handoff to the next level, ASM.

ASM starts slow and builds in levels based on policy. It receives that traffic and checks if it matches the defined site. Then it checks to see if it is a new session. From there, it starts checking everything. It checks against signatures, RFC compliance, session-tracking info, methods, request timing, number of requests, header information, etc. And this is only the initial request. We haven’t even gotten to response!

ASM comes with quick-start policy templates for a ton of popular application templates like Exchange, Sharepoint, PeopleSoft, SAP, etc. If one of those doesn’t fit your build, ASM ships with an auto-policy builder. Fire this up and you turn your ASM device into Sherlock Holmes. It watches traffic pass through and automatically starts writing its own suggestions. When those suggestions get enough hits, ASM makes them into policy. The longer it runs, the better the policy.

If you change the application or add to it, it automatically picks that up and starts the building piece again. You can even build policy without affecting users. By keeping it out of blocking mode, you can mature the policy and reduce the likelihood that false alarms will create negative impact for users.

The ASM comes with other cool features, too, such as preventing forceful browsing, where attackers try to gain access to pages not part of the site that might have admin access. You can keep users from bookmarking deep into the app and redirect them to login pages you defined first to define flow. This keeps the application more secure and enables the organization to track sessions to support security, problem resolution, and compliance use-cases.

With this information, you can restrict application access to secondary login pages or other admin-related content by enforcing application flows and protect against webscraping. Brute force protection will even keep those login pages safe by adding a layer of protection including limiting login attempts, identifying automated attacks and more for these critical security entry points for the application.

DataGuard is an awesome feature as well. It protects sensitive fields like credit card numbers, Social Security numbers, and other administrator-defined sensitive data from passing through clear text. Instead, it utilizes masking to overwrite these values in responses with ‘****’. ASM will also mask these in the logs so you don’t have to worry about admins having access to that info as well.

There are so many other features, including signatures and security responses for common web application security threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), clickjacking, cookie manipulation, etc. Any of these topics, as well as the mechanisms ASM utilizes to protect against them, would be worthy of their own blog post.  

I hope this blog has sparked a little more interest in your traffic and maybe even a hard look into the available security measures you can take. If you are already a Guidepoint Security customer, reach out to your representative to learn more. If you are not a customer and would like to learn more, please feel free to reach out to us. We have several ASM certified engineers to answer your questions. For more information, email info@guidepointsecurity.com.

About GuidePoint Security
GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Automation Tools Help with Real-Time Incident Response and Protection

Free webinar: Real-world examples of how to keep your environment secure from attacks, accelerate remediation

If you’re an information security professional responsible for incident response, you may feel frustrated and overburdened by all the manual processes needed to keep your environment safe.

You’re not alone.

In a recent Enterprise Strategy Group survey, more than 60 percent of information technology professionals say their organization has taken steps to automate incident response, but 91 percent say those processes are not effective or efficient.

Did you know there are resources and tools available to help facilitate some of these key processes for your organization? GuidePoint Security’s Virtual Security Operations Center (vSOC) analysts and incident responders have real-world experience using these types of tools. One such tool, Carbon Black, helps power GuidePoint’s vSOC enabling analysts and responders to hunt for incidents in real time, visualize the complete attack kill chain, and efficiently defend environments from attacks.

Here are some examples of how they have successfully used Carbon Black to stop incidents and monitor endpoints:

PowerShell Watchlist

Recently, GuidePoint analysts used Carbon Black to create a PowerShell watchlist for an unauthorized user attempt. Once alerted, analysts tracked down a malicious remote address and shut down unauthorized privileges on the host.

Environment audits

In another instance, vSOC analysts used Carbon Black to audit an environment to limit privilege account credentials. The audit alerted analysts to a possible vulnerability that could have allowed unrestricted access to a domain.

PUA/PUP activity

vSOC analysts recently used Carbon Black to create a custom watchlist for PUA/PUP activity. They found an instance that stood out from others and located an unapproved IE toolbar, which was loaded without approval on multiple workstations. The toolbar was isolated as a threat because it had the ability to monitor web-browsing behaviors.

Would you like to know more about these real-world incident response examples and how you can move from playing incident response catch-up to proactively hunting for threats?

Join GuidePoint and Carbon Black for a free, interactive webinar, “Conquering Challenges of Incident Response: Real-Time Hunting and Response,” at 2:30 p.m. Thursday, Nov. 17. The session will last about 45 minutes, with a chance to interact with the presenters, Stephen Jones, GuidePoint’s director of managed services, and Justin Scarpaci, technical solutions lead, Carbon Black.

Register online here.

About the presenters

Stephen Jones has more than 10 years of experience in information technology and cyber security. He specializes in security operations and has extensive experience working within the Department of Defense and the Intelligence Community.

Justin Scarpaci is a technical account manager on the Partner Success team at Carbon Black. In that role, he assists IR/MSSP partners with operationalizing Carbon Black as part of their service offerings. Justin served in the Marine Corps and has worked in multiple security roles for a defense contractor. He has a master’s degree in information security and forensics.

Can’t make the webinar? No worries. Go ahead and register now and we will send you a recording after the live presentation.

About GuidePoint Security

Headquartered in Herndon, Virginia, GuidePoint Security provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

DDoS Attacks and How You Can Protect Yourself From Joining the Bot Army

If you were online last Friday, chances are you encountered a slowdown across the internet as a Distributed Denial of Services (DDoS) attack launched against Dyn, a company that manages domain registrations.

The attack, according to Dyn, enlisted “up to 100,000 malicious endpoints.” It slowed down access to many popular websites including Amazon, Twitter, Spotify, and more.

While research continues to determine who was behind the attack, Dyn says it happened across multiple vectors and internet locations. Dyn confirms a “significant volume of the attack traffic originated from Mirai-based botnets,” malware that facilitates large-scale network attacks like the one encountered last week.

Denial of service attacks typically occur when a single computer tries to consume the resources a target computing resource needs to perform its job. The malicious behaviors often seek to consume all available bandwidth, attack timing or session-based conditions, attack vulnerabilities in software that cause crashes, or consume so much processing power the target can no longer perform its function.

DDoS attacks enlist tens, hundreds, thousands, even millions or billions of devices as attackers. With the advent of Internet of Things (IoT) and existing low-security devices like VoIP phones, printers, DVRs, home routers, and other IP-connected devices, this creates a rich environment for unknowing targets to join the “bot army.”

Since DNS is part of the core infrastructure that makes the internet work the way we use it today, attacks like the Dyn DNS DDoS impact the entire internet.

A DDoS attack doesn’t just make it difficult to resolve a website’s hostname (the reason you may have timed out trying to access sites during the attack). Today’s applications dynamically load content from third-party sites using DNS to locate resources. This may include third-party javascripts, resource lookups, ad networks, or other capabilities that can impact a web application’s functionality.

Mobile apps consume APIs that use DNS to communicate with web services. Many security protections prohibit direct IP connections because this is frequently a sign of an attack. It also locks in specific IP communication in an ever changing IP system. When DNS fails, there is often no way to communicate.

DNS DDoS attacks primarily work in two ways (although there are others):

DNS Amplification

DDoS attackers can spoof a requesting IP for DNS resolution, which then results in a flood of responses directed to the intended target server. Although the target server never requested a lookup, it suddenly has to deal with a large volume of responses. To further amplify the attack, requests can use DNS protocol extensions or Domain Name System Security Extensions (DNSSEC) to increase the message size. That makes it even more difficult for the target to process the request.

DNS Flood

DDoS attackers use scripts to automate large numbers of queries to exhaust server resources. Since these are User Datagram Protocol (UDP) packets, they are easily spoofed and never need to rely on a response to consume the DNS server resources.

An alternate form of this attack is the NXDOMAIN attack, which intentionally creates malformed requests or requests for nonexistent resources. This makes the DNS server spend computing cycles on lookups that may never resolve or it fills the cache with bad data, preventing legitimate lookups.

It is currently unknown which technique attackers used in the recent Dyn DNS attack, but Mirai malware that created DDoS bots in recent attack against Brian Krebs (a security journalist and blogger), was likely involved in some of the hosts in this attack. This further showcases the need for enhanced IoT security because these devices are typically not designed for security and are frequently not updated when vulnerabilities are discovered.

So what can you do to protect your network? F5 Networks has robust DDoS protections:

  • Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) provide robust layer 3 and layer 4 protections
  • F5 DNS, previously known as Global Traffic Manager (GTM), can help mitigate DNS-based DDoS attacks by providing greater flexibility in request forwarding and caching, and is several times faster than a BIND server
  • Application Security Manager (ASM) can help with layer 7 attacks
  • The new F5 Hybrid DDoS Defender creates an integration with F5’s Silverline Content Delivery Network (CDN) scrubbing service to offload local DDoS conditions to the F5 Silverline cloud where a larger set of resources and purpose-built protections can help mitigate, or Silverline can be used as a standalone solution.

GuidePoint has several F5 Certified Technology Specialists available to help your team secure your environment from potential DDoS attacks. Our team can help you maximize your installs potential and secure your resources.

For more information about F5’s BIG-IP DNS solution, check out our previous blog.

Other hardware solutions are available from Radware, Arbor Networks, A10, Fortinet and others. They have comprehensive solutions for your organization’s data center as well.

DDoS is one of the primary use cases for cloud-based inline protections like Incapsula, Silverline, Akamai, Cloudflare, and others. GuidePoint Security’s technology professionals have extensive experience in DDoS attack prevention and CDN solutions.

If you’re a GuidePoint client and have questions about CDN solutions and how we can help, please reach out directly to your representative or email us at info@guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Hack to the Basics: Patch Vulnerabilities Before Attackers Exploit Them

victorbmc

White hat hacker illustrates how vulnerabilities can give unwanted access into your environment

While patching vulnerabilities may seem like a basic component of any organization’s information security plan, many often overlook this important step.

Hackers know this and are quick to search for exploits not long after vulnerabilities are discovered. Did you know that while it takes an average organization almost 200 days to patch a vulnerability, nearly half of all exploits happen 10 to 100 days after a vulnerability is published?

A recent co-presentation between GuidePoint Security and BMC takes a look at challenges vulnerabilities create for operations and security teams, explores how attackers use these vulnerabilities to exploit their way into environments, and discusses tools to quickly prioritize remediation and build a defense.

In “Hack to the Basics,” Brian Brush, regional partner with GuidePoint, says operations and security teams must do more work to bridge the gap between them.

“Most organizations still struggle with this,” he said.

Among the challenges are manual processes teams often use to find vulnerabilities.

“Hackers are already automated,” Brian said.

Seth Corder, automation specialist with BMC, emphasized Brian’s point by saying known vulnerabilities are often how attackers get into environments.

“They are looking for the easy stuff,” Seth said, adding that 80 percent of the potential attack surface is known vulnerabilities, even though 99.9 percent of the time there is a solution to fix it.

Automation tools like BMC’s BladeLogic Threat Detector can do just that.

Brian and Seth encourage operations and security teams to remember the value of fundamentals. Patch both internal and external vulnerabilities and focus on remediation. With a solid strategy for vulnerability hunting and patching, teams can direct their attention on making it harder for attackers to enter an environment and cause damage.

To see the full presentation and learn more about how vulnerabilities are a risk to your organization’s overall security, check out the video on BMC’s YouTube channel.

When an attacker breaches the perimeter

Victor Wieczorek, GuidePoint managing security consultant, is a white hat hacker who knows firsthand how easy it is to exploit systems where vulnerabilities are not patched and remediated.

In the same presentation with BMC, Victor demonstrates how quickly attackers can gain access to vulnerable systems.

“Hackers look for openings,” he said, clarifying they go after the easy things, like known vulnerabilities, first.

In a hands-on demonstration, Victor explains how, with a few scripts and automated tools, he can access a system where a vulnerability remains unpatched, long after a fix is available.

Attackers use the same vulnerability and automated scanning tools as security teams, Neil Parisi, BMC principal software consultant said. Playing the role of the “good guy” in the demonstration, Neil says it’s a race to the finish line between security/operations teams and attackers.

“Can you patch before they penetrate?”

In part two of the video series, “Hacker Breaches the Perimeter,” Victor uses easily downloadable and free tools to successfully access the demo environment, while Neil shows how BladeLogic can quickly patch and repair the vulnerability.

But, like most tenacious hackers, Victor doesn’t give up. Using information obtained before detection of the vulnerability, he moves on to secure a username and credentials for part three, “Breached! Hacker Moves on to Exploit the Center.”

In the fourth and final part of the video series, “Hacker Goes for Admin Rights,” Victor continues to move around in the environment undetected. How does he do it? By using the username he detected in the previous exploit and rolling the dice on his gamble the user had the same password for multiple systems. The result? Victor gains admin credentials and masks his malicious activities like an approved user. Watch the full video to find out how much access Victor gets as he exposes vulnerabilities and how the BMC team uses BladeLogic to stop the attack.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About BMC

BMC is a global leader in innovative software solutions that enable businesses to transform into digital enterprises for the ultimate competitive advantage. Its digital enterprise management solutions make digital business fast, seamless, and optimized from mainframe to mobile to cloud and beyond. BMC digital IT transforms 82 percent of the Fortune 500 and serves more than 10,000 customers worldwide. For more information, visit www.bmc.com.

Use Cases Demonstrate How F5 Analytics Can Increase Visibility Into Your Applications

In a previous blog post, I introduced you to F5 Analytics and how it can enable you to gain more visibility into your F5 application delivery controller infrastructure. (If you missed part one, you can check it out here.) This blog post continues where I left off and provides two more exciting use cases for you to explore.

Viewing application page load times

This is a ground-breaking feature that really makes F5 stand out from its competition. Basically, this information is useful for tracking user experience by displaying how long it takes for your application web pages to load on client-side browsers.

Client-side browsers must meet the following requirements:

  • Support navigation timing by W3C
  • Accept cookies from visited application sites
  • Enable JavaScript® for the visited application sites

The BIG-IP Client Side Performance Monitoring (CSPM) feature generates the page load time data. According to F5 Networks, “To calculate the client-side load time for a web resource, the CSPM feature injects a piece of JavaScript code into the HTTP response that it sends to the client. When the client browser executes the JavaScript, it calculates the specific timing values needed by the CSPM feature, and reports those values back to the BIG-IP system in a cookie.”

There are three requirements for CSPM injection in an HTTP response. They are:

  • HTTP content is not compressed
  • HTTP content-type is text/html
  • HTTP content contains an HTML <head> tag

Application page load times are viewable in the F5 Analytics charts. Alerts are configured there as well. Page load time is measured by how long in milliseconds it takes for an end-user to make a request for a web page until the web page finishes loading on the client-side browser. Think of how amazing this is! You’re literally reaching out to your end-user, wherever he or she may be, and gathering statistics of their experience just by enabling a checkbox.

Troubleshooting applications by capturing traffic

This is typically used only for troubleshooting an active issue. I don’t recommend setting this up and leaving it on for eternity. This is not traffic capture like a tcpdump would do, but more of a layer-seven-type capture. I’ll explain that later.

The information captured is stored locally or remotely via syslog or a SIEM, like Splunk. If captured locally, the system stores the first 1,000 transactions. If using a VIPRION system, the system stores the first 1,000 transactions times the number of blades in the system. I recommend capturing the transactions remotely to syslog or Splunk where you are only limited by the storage of the remote destination.

So, what did I mean by layer-seven-type capture? Well, instead of capturing raw data like a tcpdump would, you can capture actual traffic, such as requests, responses, or both. The data contained by those may include:

  • None
  • Headers
  • Body
  • All

You can configure a traffic filter for captured traffic to include filtering by:

  • Virtual servers
  • Nodes
  • Response status codes
  • HTTP methods
  • URL
  • User agent
  • Client IP addresses
  • Request containing string
  • Response containing string

As you can see, this is different than doing a tcpdump and exporting to Wireshark for analysis, which may be fine for certain cases. My point here is to show you a new tool that you can use for troubleshooting an issue with your F5 BIG-IP application delivery controller environment that may rapidly provide you with more relevant data to solve an issue.

I hope this post stimulates your interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

In addition to F5 Analytics, there are many features available with F5’s application delivery controllers that can enhance your investment, increase your return on investment, and improve end-user experience. If you would like to learn more, GuidePoint’s security professionals have years of experience with F5 application delivery controllers, as well as integrating them with other solutions. We can help you develop a customized security plan to best meet your organization’s needs.

If you’re a GuidePoint client and have questions about F5 Analytics, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization wants to learn more about F5 Analytics and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is  with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

F5 Analytics: Increasing Visibility Into Your Applications

Have you ever wanted to learn more about what your F5 BIG-IP application delivery infrastructure is doing? Sure, there are basic statistics like throughput, number of sessions, and active connections, but as layer four load balancers have evolved into layer seven application delivery controllers, shouldn’t the available performance metrics evolve as well?

In this blog post, I want to bring visibility to a great tool included in every F5 Networks BIG-IP platform. That tool is the F5 Analytics module (otherwise known as Application, Visibility, and Reporting or simply AVR). It’s already included with BIG-IP, you just need to provision it and set it up. (One quick note on provisioning, you should provision the AVR module with “minimum” resources.)

So, what is F5 Analytics? Well, it is a fantastic new way of discovering more information about your applications and infrastructure through graphical charts, and you can drill down for more specific details about performance-related statistics.

F5 Networks provides excellent documentation on the features and configuration of F5 Analytics on its support site, but I want to point out a few of the use cases. I hope to highlight its feature set so you can incorporate it into your own F5 BIG-IP application delivery controller infrastructure.

Troubleshooting applications by capturing statistics

This core F5 Analytics functionality is suitable for everyday use. F5 Analytics is configurable to capture a variety of great statistics. They include metrics, such as:

  • Max TPS and throughput
  • Page load time
  • User sessions

And entities, such as:

  • URLs
  • Countries
  • Client IP addresses
  • Client subnets
  • Response codes
  • User agents
  • HTTP methods

All of these metrics and entities are viewable in the administrative GUI. For instance, if a user calls in and says an application is broken, you can filter the transaction statistics by client IP address and then narrow the filter by virtual server and time period to view the actual request/response metadata. It is pretty cool to troubleshoot a problem with an application just by drilling down into some graphs to isolate the issue. In addition to collecting statistics locally on BIG-IP, you can collect data remotely via syslog or a SIEM, such as Splunk and view the data there.

Investigating server latency

This is F5 Analytics key feature and may provide valuable information to your server and application teams. F5 Analytics measures server latency in milliseconds from the time the request reaches the BIG-IP, for it to proceed to the application server, and return a response to the BIG-IP system.

In my experience as a BIG-IP administrator, one of the most common misconceptions was that the LTM was somehow adding latency to server response times. Fingerpointing was often directed at the LTM, and I frequently had to run tcpdumps to exonerate the LTM as the culprit of server latency.

In addition to providing server latency statistics, F5 Analytics provides the ability to set an alert threshold in milliseconds and issue an alert via syslog, SNMP, or via email. This information helps to proactively track latency issues with web servers, application servers, database servers, etc. This is a big deal because you can now isolate where slower components may exist in your web stack all from a simple GUI.

I hope this posts stimulates an interest in F5 Analytics. It is a powerful (and free) tool to use in your F5 BIG-IP application delivery controller infrastructure.

In addition to F5 Analytics, there are many features available with F5’s application delivery controllers that can enhance your investment, increase your return on investment, and improve end-user experience. If you would like to learn more, GuidePoint’s security professionals have years of experience with F5 application delivery controllers, as well as integrating them with other solutions. We can help you develop a customized security plan to best meet your organization’s needs.

If you’re a GuidePoint client and have questions about F5 Analytics, please reach out directly to your personal contact or email us at info@guidepointsecurity.com. If your organization wants to learn more about F5 Analytics and if it’s the right tool for you, let us know. You can find out more about GuidePoint and our services at www.guidepointsecurity.com.

Check out part two of this series on F5 Analytics here.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.