Evading AV with Shellter. I also have Sysmon and Wazuh II

5 de November de 2018 by

After what was seen in the first post of this story in this one we will keep telling you what happens and we will meet the boss. Put yourselves again in that situation that Johnny told us about in the first part.

“Hello, allow me to introduce myself. I’m John, Johnny’s boss. I am aware that I have many enemies among which are surely my competitors or even my own employees. Physically, no one can touch me, I always go with my bodyguards. But technologically, anyone could try to attack my team with the objective of stealing valuable information”.

That’s why, in addition to the corporate antivirus, I decided to add one more layer of security on my computer with Sysmon & Wazuh. [Read more…]

Filed Under: General

Evading AV with Shellter. I also have Sysmon and Wazuh I

2 de November de 2018 by

I suggest imagining the following fictitious situation:

I am Johnny, a disgruntled employee. My boss has exploited me, he does not stop sending me tasks, he does not pay me the extra hours and, in addition, he never thanks me for the work I do … One day, fed up with the situation, I said to myself: “he’s going to find out what’s what”. And I started planning: I’m going to hack his computer and steal all the sensitive information he has. But how? After thinking the matter over: I know! I’m going to see if in the results of the internal vulnerability audits, to which I have access, his computer has some security flaw that can be exploited.
Darn! He has everything patched … and I don’t have any money for a 0 day. What I can do?

One day my boss asked me if I knew of any free program to decompress files in Windows operating systems and… [Read more…]

Filed Under: General

Web auditing: Jump on the bandwagon! (or not)

23 de July de 2018 by

Usually, whenever we are auditing a web application with a poorly programmed backend, we might  find SQL Injection vulnerabilities. We will mainly encounter Blind, Error-based or -if we get lucky- Union-based injections. However, it is not quite usual to find an SQLi out-of-band vulnerability.

These do not only rely on a vulnerable application, but also on being able to exfiltrate information from a different band than the website.

The fact that the results are sent through a completely different way, along with the variety of shapes that these may take; makes it quite difficult to use automated tools to exploit these kinds of vulnerabilities. Even so, in situations where the server responses are not stable or  are too unreliable, it might be worth trying to exfiltrate information this way.

As an example, lets take a look at an injection found in an audit I performed recently.

This time, the vulnerability was quite weird, as the name of the parameter was sql*** –which shouted injection from miles away- but the website itself wasn’t either returning any errors nor  being affected by time-based techniques. Yet, our best friend Burp active scan seemed convinced that an SQLi was going on at that specific parameter.
[Read more…]

Filed Under: General

The GDPR is not a one-day thing

18 de June de 2018 by

The 25th of May has finally arrived. The D day where all personal data is protected. Where security incidents will no longer occur. Where all the processing of personal data becomes legitimate. Where the data will no longer be stored sine die. Where users have full control over their data. Where the right to forget is a reality. Where everyone has been informed that all the privacy policies of the planet have been updated (yes, ours too). The most awaited day has arrived. And once you have reached this point of rejoicing, what then?

Well, I’m sorry to tell you that the GDPR is not a one-day thing. Today, 25 May 2018, the General Data Protection Regulation, known as GDPR, comes into effect. But just because it comes into effect today (it has been in force since 2016) does not mean that everything we have not done does not need to be done, or that if we have already made an adaptation we do not have to do anything else. Why?
[Read more…]

Filed Under: Compliance

CSIRT.es (in English)

18 de June de 2018 by

Yesterday, CCN-CERT published the communiqué related to the re-launch of the CSIRT.es group, a forum that brings together the response teams to Spanish incidents or areas of action in Spain, and whose objective is to centralize the exchange of information and facilitate coordination between these very teams.

CSIRT.es  currently consists of more than twenty teams and, as indicated in the press release, public and private actors from different sectors are represented, with different objectives … but they have many points in common; the main one, by definition, to provide a response capability to a given community. And that capability today cannot work if it is intended to operate independently and isolated from other teams: it necessarily requires direct collaboration with third parties. Beyond forums such as FIRST or TF-CSIRT, we believe that a point that enables collaboration between CSIRT and areas of action in Spain is more than interesting and necessary. [Read more…]

Filed Under: General

Restricted Zone: Geopositioning not allowed

18 de June de 2018 by

The tendency to “be permanently connected” places at our disposal a series of tools with which to “make our lives more comfortable” but this, in turn, exposes us to multiple threats that may negatively affect us as individuals or in our organizations. It is possible to think that this question is too internalized by those who dedicate themselves directly or indirectly to the world of security. However, the reality leads us to discover that the number of anecdotes and news related to security incidents continues to grow and, in many cases, the protagonists are precisely those who dedicate themselves to security.

In today’s post we put the focus on the impact that the information collected and published through the Strava tool has caused.
[Read more…]

Filed Under: General

Exchange forensics: The mysterious case of ghost mail (I)

7 de May de 2018 by

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

Filed Under: IT Security Tagged With: ,

The tools of the gods

12 de April de 2018 by

Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.

The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.

Exemplary is the “true” executable, in line with the story recently commented by Rob Pike on Twitter:


$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?
0
$

A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:

[Read more…]

Filed Under: General Tagged With: , , , , ,

‘Reversing’ of malware network protocols with ‘angr’

9 de April de 2018 by

One of the most difficult objectives to obtain in the analysis of a malicious binary is usually discovering all of the functionalities that it has. If in addition, these functions are only executed at the discretion of the attackers through its control center, things get complicated. For various reasons, many times we cannot carry out a full dynamic analysis, such as the fall of the malware infrastructure or the isolation of the sample to avoid contact with the C&C. In these cases the analysis of the interaction between the server of the attacker and the sample is usually slower, since you have to create a fictitious server or be continually patching/deceiving the sample, to take it through all the different paths that we want to investigate. Depending on the size and complexity of the analyzed code or the objective of the analysis, this task can vary its difficulty and extension over time.

I am going to propose a study example of the functionalities of a fictitious RAT that can be executed according to the orders received from your C&C panel. Our goal would be to create a server that simulates the attacker’s. For this we have to understand the communication protocol between the server and the sample installed on the victim’s device.

[Read more…]

Filed Under: IT Security Tagged With: , , ,

Security of blockchain-based smart contracts II – Known Vulnerabilities and Pitfalls

20 de March de 2018 by

In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.

In this episode we will review some known issues and vulnerabilities.

Private Key Leakage

Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.

What usually happens is that development addresses (such as those used by testing tools, such as Ganache/TestPRC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.

Attackers are monitoring these addresses and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).
[Read more…]

Filed Under: General