Quickhits: Thursday Dec 21 2017

Emotet Malware Sightings: Emotet originated as a banking trojan, and has continued to evolve into more pernicious malware.  It goes after banking credentials and sensitive information. Remember, data is the new gold.  Typically, the malware is conveyed via a malicious macro hidden in attachments that are very well disguised as legitimate business communications like invoices. Once Emotet is downloaded, it gets activated, goes looking for the data to harvest, and then exfiltrates that back to the command and control servers. This follows each step in the Cyber Kill Chain: Recon, Weaponize, Deliver, Exploit, Install, Command and control. Followed by Actions, meaning the attacker’s true intent. In this case, that can involve the sale of information and the continued spread of Emotet across systems to harvest more.



GoAhead Remote Exploit:  This is a biggie. CVE-2017-17562: remote LD_PRELOAD exploitation of the GoAhead web server. Remote exploitation of anything isn’t good, but as it happens GoAhead runs a hell of a lot of things: printers, network gear, CC cameras, and hosting equipment at telecoms. I took a look on Shodan to see how many exposed instances there are and found over 400K.


Per their website:

GoAhead is the world’s most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.


Welcome to our security nightmare of convenience without proper configuration.  This isn’t something new, however. It’s been around a while. And there is a patch here: https://www.elttam.com.au/blog/goahead/

Botnets and Bitcoins:  Bitcoin mining has become an issue, given the rapid rise in value of this volatile commodity.  Because it takes so much energy to produce this intangible product, miners resort to harnessing other people’s equipment: through sketchy downloads from outside the Apple and Google app stores, via keyloggers delivered by malware, and via botnets. At the moment, organized cybercrime is going after database services using a new botnet in the “Hex-Men” attacks.  These are based out of China, and the reach is global. Why you should care: according to GuardiCore researcher Daniel Goldberg, these boxes are sensitive production Web servers, running MS SQL, ElasticSearch etc. Daniel has co-authored a report for GuardiCore on this with Ofri Ziv, who warns:

The fact that they are targeting databases is pretty amazing to me and it’s something that people need to really, really pay more attention to



Quickhits: Tuesday Dec. 19 2018

Lexmark Printers: Well this can’t be good. Apparently there are over a thousand Lexmark printers ready for the taking, due to misconfiguration. They are sitting open and accessible on the public internet. Researchers from Newsky Security reported finding these printers in businesses, universities and government offices. These printers have no passwords, which makes them easy pickings for a variety of attacks. A remote attacker can

“view the printer’s firmware version, ink levels, and network configuration that allows them to enable proxies, change administrator passwords, modify sound volume, contact information, device status, time, and date, create a self-signed certificate and private key and even upload documents and send jobs to the printer.”

Android Malware:  We know Android is the choice of attackers everywhere. Recommendations to purchase apps solely through the Google Play Store don’t guarantee safety, but at least they lower the odds of infection. Now there’s a new trojan in town. Loapi hides behind adult content sites or antivirus solutions. The trojan forces users into a loop seeking device administrator privileges. It’s also equipped to defend itself against removal and blocks such attempts.  According to Kaspersky, the malware creators

“have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.”

Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and again this fall for exploits against vulnerabilities in this widespread open source web development framework used to build Java web applications. In this report by F5 Labs, a sophisticated new campaign, “Zealot”, is leveraging the ShadowBrokers exploits EternalBlue and EternalSynergy.  Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes PowerShell in Windows attacks and Python in Linux attacks. Zealot mines the cryptocurrency Monero, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws:  VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.






Quickhit: Wednesday Dec. 13

Yesterday was Patch Tuesday. The final Patch Tuesday of 2017. Yay!  Of note: an out-of-band update from MS that was issued for a critical flaw in the Malware Protection Engine (yes, part of Windows Defender and MS Security Essentials. The irony). Read the details in full via Brian Krebs’s site here.  It will roll through automatically via Windows Update, which you SHOULD have enabled. However, those don’t always go through smoothly. I have had some issues with this latest update. Here is the report from when the news came out last week: Critical Flaw in Microsoft’s Malware Protection Engine. Patch Issued.

For those who are still using Flash (because you have no choice) please install the updates and check for updates in your Chrome browser.

Necurs Botnet resumes: November marked a notable uptick in activity with this botnet. Necurs is now distributing Scarab ransomware, and was known for sharing the joy with Locky ransomware and others. Dormant does not mean dead. We need to remember this because it is an ongoing theme, and noticeably so during 2017. Case in point: the recent takedown of the Andromeda botnet, and the expectation that, because of code released from the Mirai botnet, something bigger will be forming.

Mirai Botnet Arrests: But there is justice and it does get served. You can read more via Brian Krebs, who has played a major role in bringing this about.

New Variant of Cryptomix Ransomware:  An update on one of the newer strains that is currently active. Remember the rules: have current backups; don’t open attachments from unknown sources; get confirmation before you open attachments from known sources; scan attachments first. Keep your security patches up to date.

Log Files: You Don’t Know What You’ve Got til it’s Gone

Log files. That’s a whole lot of information most people have no idea even exists. But it’s the chronological capture of system events that you are going to need one day, and trust me – you will be so damn glad you have them.

So, two points right now.

  1. Enable logging. Make sure all your devices that have this feature are putting it to work for you. This is how you know what went wrong when something goes wrong. How you find the elephant’s footprints in the peanut butter after there has been an unfortunate incident.
  2. Where possible, make sure logs are backed up and not accessible to everyone. Because bad people happen to good logs. Sorry, I cannot say more. You’ll have to take my word for it.


In my talks on Threat Intel, I reference log files as having a story to tell, if you are listening. Knowing how to use your logs is key to assuming a proactive defense posture.


Logs are generated by a multitude of sources which can be overwhelming. What do you look at? Where do you start? Automation. There are log viewers and scripts by those who have come before you that will enable you to access and utilize what’s in your log data.

To help you get started, Nasruminallah Zeeshan has written a very good piece for Peerlyst, “How to Build a List of Log Files That You Need to be Inspecting Regularly” that presents the main log files you should know and be inspecting regularly for Windows and Linux. Let me share that here.

Log files in Windows systems

Windows manages and provides a view of its log files through Event Viewer. The Windows Event Viewer shows application and system messages, errors, informational messages, and warnings. You can start Event Viewer by entering eventvwr.msc in the Run box. The following list covers the log files in Windows you may need to check daily for improved security.

  • The %WINDIR%\System32\config or %WINDIR%\System32\winevt\Logs folders contain most of the log files you can see with Event Viewer.
  • The folder %WINDIR%\Logs contains various log files in text format.
  • Microsoft Security Essentials stores its runtime log files in the %PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support folder and its installation log files in the %PROGRAMDATA%\Microsoft\Microsoft Security Client\Support folder.
  • Microsoft Windows system stores temporary installation and Windows defender log files in the %WINDIR%\Temp\*.log and %AppData%\Local\Temp\*.log folders. The first one contains information about MSI installations and Windows Defender scanning log files, and the second folder contains information about MSI installations run by the current user.
  • The %WINDIR%\INF\setupapi.dev.log includes information on plug and play devices and their installation.
  • The %WINDIR%\INF\setupapi.app.log file holds information about application installations.
  • The %WINDIR%\Performance\Winsat\winsat.log file is composed of information about performance test results.
  • The %WINDIR%\WindowsUpdate.log file holds information about all events related to Windows Update.
  • To know about software related events and update status reports, focus on the %WINDIR%\SoftwareDistribution\ReportingEvents.log file.
  • To find out changes being made to Windows components and features, you can access the information in the %WINDIR%\Logs\CBS\CBS.log file.

Log files in Linux systems

To keep an eye on log files in Linux, carry out checking activities on a daily basis. As Linux systems have multiple users, system administrators are advised to actively keep track of important log files. If possible, make a list of log files ranked by criticality, and check them accordingly on a routine basis. In Linux, most log files are stored in the /var/log/ directory. To help you make a list of important log files in Linux, consider picking the ones listed below.

  • The /var/log/messages file contains information about general system activities. The information stored in this file helps you troubleshoot general system errors and messages.
  • Linux systems use the /var/log/auth.log file to save information about authentication matters. This file helps you track activity regarding user authentication, such as failed login attempts, brute force attacks and other attack vectors related to user authentication. For the same purpose, Red Hat and CentOS based systems use the /var/log/secure file. It also logs information about sudo and SSH logins.
  • To find out information about system incidents related to shutdown or restarting routines, you can use the /var/log/boot.log file.
  • The Linux systems log hardware devices and their driver information into /var/log/dmesg file. The system logs information to this file during startup, by writing data about device status, hardware errors and other generic messages. If a hardware device is not functioning properly, you can see the file for relevant information.
  • Kernel information is important for knowing the system status. To troubleshoot kernel-level errors, use the /var/log/kern.log file. This file can help you bridge the gap between stable system states, especially in the case of a custom-built kernel.
  • Similar to /var/log/auth.log, the /var/log/faillog contains information on failed login attempts. The auth.log and faillog files are used to fingerprint security breaches related to usernames and passwords. These files also play a vital role in gathering information about a brute force attack.
  • In Linux and UNIX systems, Cron allows you to run commands or scripts at a given, pre-scheduled time. The file /var/log/cron holds information about Cron jobs. By reviewing this file, you can find information about Cron job statuses such as successful execution or errors in case of failed job execution.
  • Application installation information is logged into the /var/log/yum.log file if the package is installed with the Yum tool. If you have to look for information related to package installation, or you want to look for errors caused by recent installation activities, focus on the yum.log file. In this file, you can find the complete status of the installation of any package.
  • Mail server related logs are stored in the /var/log/maillog or /var/log/mail.log files. These files help you track information about all incoming and outgoing emails, along with failed email delivery information. You can also find information about blocked spam emails within these files.
  • The /var/log/httpd directory holds the Apache server’s logs. The Apache server keeps logging information in the error_log and access_log files. To track information related to Apache server problems, have a look at the error_log, while the access_log file is used to store information about all access requests received over HTTP.
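As an added example (not from the Peerlyst piece or this post), here is a small Python script that reads sshd entries in the syslog format used by /var/log/auth.log and /var/log/secure, pulls out the failed password attempts, and flags any source IP with five or more failures inside a 60-second window. This is the kind of check the auth.log and faillog bullets above are getting at. The log lines, host name and addresses are constructed sample data, and the threshold and window are assumptions you would tune for your own environment.

```python
"""Added example: find failed sshd logins in auth.log / secure style
syslog lines and flag source IPs that look like a brute-force attempt.
All log lines below are constructed sample data, not a real capture."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the classic syslog format (no year, as in
# the real files). The sudo line is there as normal noise the parser skips.
SAMPLE_AUTH_LOG = """\
Dec 18 09:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Dec 18 09:01:14 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51130 ssh2
Dec 18 09:01:15 web01 sshd[2214]: Failed password for invalid user test from 203.0.113.45 port 51138 ssh2
Dec 18 09:01:17 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51140 ssh2
Dec 18 09:01:19 web01 sshd[2218]: Failed password for invalid user oracle from 203.0.113.45 port 51150 ssh2
Dec 18 09:03:40 web01 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Dec 18 09:05:02 web01 sshd[2340]: Failed password for alice from 192.0.2.10 port 40100 ssh2
Dec 18 09:05:30 web01 sshd[2342]: Accepted password for alice from 192.0.2.10 port 40102 ssh2
Dec 18 10:15:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Matches the sshd "Failed password" line; "invalid user" is optional because
# sshd only adds it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_logins(text, year=2017):
    """Return a list of (timestamp, user, source_ip) for each failed sshd login.

    Syslog lines carry no year, so the caller supplies it (assumed 2017 here).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def targeted_users(events):
    """Count how many failures each account name received."""
    return Counter(user for _ts, user, _ip in events)


def find_brute_force(events, threshold=5, window_seconds=60):
    """Return {source_ip: peak_failures} for IPs whose failures reach the
    threshold inside any sliding window of window_seconds."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within the limit.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_AUTH_LOG)
    print(f"{len(evts)} failed logins; accounts hit: {dict(targeted_users(evts))}")
    for ip, count in find_brute_force(evts).items():
        print(f"possible brute force from {ip}: {count} failures within 60s")
```

On a real box you would feed it the file contents (and, on Red Hat or CentOS, /var/log/secure instead) and let a scheduled job raise the alert; the single failure from 192.0.2.10 followed by a successful login is the normal typo pattern and is correctly left alone.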

Book Club: Defensive Security Handbook Chapter 2

My apologies. I am overdue on our next chapter review and this is a good one. Asset management.  The best offence is a good defence. Let’s start here.

“You don’t know what you’ve got til it’s gone.” Ain’t that the truth, especially in light of the growing blight of the Equifax breach: all that data, all those victims. Simply put, you can’t secure what you don’t know.  This applies to both tangible and intangible assets, specifically data. While this seems like common sense and is a basic fundamental, people do a terrible job of it or don’t do it at all.


We are told to remember these two things: “ensure there is one source of truth, and that it is a process, not a project.” In addition, classification and ownership play key roles in the success of this process. One source of truth means that whatever software or system you use to keep track of things, there are no conflicts or discrepancies with anything else. This is understood to be the single, definitive source of truth about assets.  Engage a sense of responsibility throughout the company to detect when “one of these things is not like the others”. BYOD is a thing, and unmanaged, it’s why we can’t have nice things. Ideally, get some executives involved to champion the ongoing cause. Because this is a process, not a one-time project.

Let’s talk about classification.  We live in the age of big data. As we keep learning breach after breach, it’s harrrrd to safeguard the ephemeral. Data is our most valuable asset, in digital form.  You need to know what you have, and ensure that this is understood by everyone inside and outside your organization. Most importantly, know what your crown jewels are and where they are. Your critical assets should be as prized by you as they are by attackers. Just ask the guys at Equifax and OPM about that.

Steps to classify data:

  1. Identify the sources to be protected: what they are, where they live, who are the owners.
  2. Identify the information classes: make sure the labels assigned have the same meaning for everyone. There should be no questions around critical or sensitive.
  3. Map protections to set information classification levels: Authentication, authorization, security controls, encryption.
  4. Classify and protect information
  5. Repeat as a necessary part of a yearly audit: Nothing stays the same. That’s why this is a process, and not a project.

Let’s talk about the 4 steps in the asset management process:

  1. Define the lifecycle: easier said than done. There are a lot of stages between delivery and death. It’s new, it’s old; it’s mine, now it’s yours; repair or replace it. Here is a simple set of stages: Procure, deploy; manage; decommission. And that does not mean it just gets thrown out. You need to permanently and responsibly remove all data and its traces.
  2. Gather information: how do you collect all the details on all the stuff? You could use:
     • ARP (Address Resolution Protocol) caches from routers and switches, for a list of all the IP and MAC addresses connecting to the network.
     • DHCP (Dynamic Host Configuration Protocol), which has all IP address reservations and may even have hostnames.
     • NMAP, a comprehensive network scanning tool that can yield a lot of results.
     • SNMP (Simple Network Management Protocol), which can provide a lot of information on networked devices. Netdisco is a free automated scanning tool to help you do this.
     • WMI (Windows Management Instrumentation), which can get most of the information from a device.
     • PowerShell, a powerhouse command line solution to get information about AD users.
  3. Track changes: How do you manage all the changes, the additions and deletions that affect your hardware and software inventories, and your personnel? When someone leaves, does something leave with them?
  4. Monitor and report:  You need to track updates and license renewals, or warranty expiration. It can also alert you to the addition of new and potentially unauthorized devices.

Automation: this is your helper. It works for you, with your supervision.  And ensures that routine tasks and monitoring get done consistently. Find ways to put it to work, like barcodes on items.
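As an added example of the gather, track and report steps above (this is not code from the book or from this post), here is a Python script that merges two of the sources listed, ARP neighbour data and DHCP leases, into one view keyed by MAC address and reconciles it against the asset inventory that serves as the single source of truth. It reports three things worth a human look: devices on the wire that the inventory has never heard of, devices the inventory says were decommissioned but which are back on the network, and deployed assets that were not seen at all. The ARP output, lease file excerpt, inventory entries and addresses are all constructed sample data; the inventory format (MAC, tag, owner, lifecycle stage) is an assumption for the example.

```python
"""Added example: reconcile observed network devices (ARP + DHCP) against
an asset inventory. Every input below is constructed sample data."""
import re

# Constructed lines in the format of `ip neigh show` on Linux.
ARP_OUTPUT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.168.1.90 dev eth0  FAILED
"""

# Constructed excerpt in the ISC dhcpd.leases file format.
DHCP_LEASES = """\
lease 192.168.1.20 {
  starts 4 2017/12/21 09:00:00;
  hardware ethernet 00:11:22:33:44:20;
  client-hostname "ws-alice";
}
lease 192.168.1.88 {
  starts 4 2017/12/21 09:10:00;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "printer-2f";
}
lease 192.168.1.99 {
  starts 4 2017/12/21 09:12:00;
  hardware ethernet 00:11:22:33:44:99;
  client-hostname "ws-bob";
}
"""

# Constructed inventory, the single source of truth:
# MAC -> (asset tag, owner, lifecycle stage).
INVENTORY = {
    "00:11:22:33:44:01": ("NET-001", "network team", "deployed"),
    "00:11:22:33:44:20": ("WS-020", "alice", "deployed"),
    "00:11:22:33:44:55": ("WS-055", "carol", "deployed"),
    "00:11:22:33:44:88": ("PRN-002", "facilities", "deployed"),
    "00:11:22:33:44:99": ("WS-099", "bob", "decommissioned"),
}

ARP_RE = re.compile(r"^(?P<ip>[\d.]+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {mac: ip} for every neighbour entry that resolved to a MAC."""
    seen = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:  # entries in FAILED state carry no lladdr and are skipped
            seen[m["mac"].lower()] = m["ip"]
    return seen


def parse_dhcp_leases(text):
    """Return {mac: {"ip": ..., "hostname": ...}} from dhcpd.leases blocks."""
    leases = {}
    for ip, body in re.findall(r"lease ([\d.]+) \{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet ([0-9a-f:]{17});", body, re.I)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if mac:
            leases[mac.group(1).lower()] = {
                "ip": ip,
                "hostname": host.group(1) if host else None,
            }
    return leases


def reconcile(arp, leases, inventory):
    """Merge the observed sources by MAC and compare them with the inventory."""
    observed = {}
    for mac, ip in arp.items():
        observed[mac] = {"ip": ip, "hostname": None, "source": ["arp"]}
    for mac, info in leases.items():
        entry = observed.setdefault(mac, {"ip": info["ip"], "hostname": None, "source": []})
        entry["hostname"] = info["hostname"]
        entry["source"].append("dhcp")

    unknown = sorted(mac for mac in observed if mac not in inventory)
    resurrected = sorted(
        mac for mac in observed
        if mac in inventory and inventory[mac][2] == "decommissioned"
    )
    missing = sorted(
        mac for mac, (_tag, _owner, stage) in inventory.items()
        if stage == "deployed" and mac not in observed
    )
    return {"observed": observed, "unknown": unknown,
            "resurrected": resurrected, "missing": missing}


if __name__ == "__main__":
    report = reconcile(parse_arp(ARP_OUTPUT), parse_dhcp_leases(DHCP_LEASES), INVENTORY)
    for key in ("unknown", "resurrected", "missing"):
        print(f"{key}: {report[key]}")
```

Run on a schedule, this is the kind of automation the paragraph above means: the "resurrected" list answers "when someone leaves, does something leave with them?", the "unknown" list catches unmanaged BYOD, and the "missing" list is the nudge to update the lifecycle stage in the inventory rather than let it drift from reality.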