
Commando VM: The First of Its Kind Windows Offensive Distribution


For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all. Recognizing that, we have created a Windows distribution focused on supporting penetration testers and red teamers.

Born from our popular FLARE VM that focuses on reverse engineering and malware analysis, the Complete Mandiant Offensive VM (“Commando VM”) comes with automated scripts to help each of you build your own penetration testing environment and ease the process of VM provisioning and deployment. This blog post aims to discuss the features of Commando VM, installation instructions, and an example use case of the platform. Head over to the Github to find Commando VM.

About Commando VM

Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests. The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as PowerView and BloodHound without having to worry about placing output files on client assets.

Commando VM uses Boxstarter, Chocolatey, and MyGet packages to install all of the software, and delivers many tools and utilities to support penetration testing. This list includes more than 140 tools, including:

With such versatility, Commando VM aims to be the de facto Windows machine for every penetration tester and red teamer. For the blue teamers reading this, don’t worry, we’ve got full blue team support as well! The versatile tool sets included in Commando VM provide blue teams with the tools necessary to audit their networks and improve their detection capabilities. With its library of offensive tools, Commando VM makes it easy for blue teams to keep up with offensive tooling and attack trends.


Figure 1: Full blue team support

Installation

Like FLARE VM, we recommend you use Commando VM in a virtual machine. This eases deployment and provides the ability to revert to a clean state prior to each engagement. We assume you have experience setting up and configuring your own virtualized environment. Start by creating a new virtual machine (VM) with these minimum specifications:

  • 60 GB of disk space
  • 2 GB memory

Next, perform a fresh installation of Windows. Commando VM is designed to be installed on Windows 7 Service Pack 1, or Windows 10, with Windows 10 allowing more features to be installed.

Once the Windows installation has completed, we recommend you install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing. From this point, all installation steps should be performed within your VM.

  1. Make sure Windows is completely updated with the latest patches using the Windows Update utility. Note: you may have to check for updates again after a restart.
  2. We recommend taking a snapshot of your VM at this point to have a clean instance of Windows before the install.
  3. Navigate to one of the following URLs and download the compressed Commando VM repository onto your VM:
  4. Follow these steps to complete the installation of Commando VM:
    1. Decompress the Commando VM repository to a directory of your choosing.
    2. Start a new session of PowerShell with elevated privileges. Commando VM attempts to install additional software and modify system settings; therefore, escalated privileges are required for installation.
    3. Within PowerShell, change directory to the location where you have decompressed the Commando VM repository.
    4. Change PowerShell’s execution policy to unrestricted by executing the following command and answering “Y” when prompted by PowerShell:
      • Set-ExecutionPolicy unrestricted
    5. Execute the install.ps1 installation script. You will be prompted to enter the current user’s password. Commando VM needs the current user’s password to automatically login after a reboot. Optionally, you can specify the current user’s password by passing the “-password <current_user_password>” at the command line.


Figure 2: Install script running

The rest of the installation process is fully automated. Depending upon your Internet speed the entire installation may take between 2 to 3 hours to finish. The VM will reboot multiple times due to the numerous software installation requirements. Once the installation completes, the PowerShell prompt remains open waiting for you to hit any key before exiting. After completing the installation, you will be presented with the following desktop environment:


Figure 3: Desktop environment after install

At this point it is recommended to reboot the machine to ensure the final configuration changes take effect. After rebooting you will have successfully installed Commando VM! We recommend you power off the VM and then take another snapshot to save a clean VM state to use in future engagements.

Proof of Concept

Commando VM is built with the primary focus of supporting internal engagements. To showcase Commando VM’s capabilities, we constructed an example Active Directory deployment. This test environment may be contrived; however, it represents misconfigurations commonly observed by Mandiant’s Red Team in real environments.

We get started with Commando VM by running network scans with Nmap.


Figure 4: Nmap scan using Commando VM

Looking for low hanging fruit, we find a host machine running an interesting web server on TCP port 8080, a port commonly used for administrative purposes. Using Firefox, we can connect to the server via HTTP over TCP port 8080.


Figure 5: Jenkins server running on host

Let’s fire up Burp Suite’s Intruder and try brute-forcing the login. We navigate to our Wordlists directory in the Desktop folder and select an arbitrary password file from within SecLists.


Figure 6: SecLists password file

After configuring Burp’s Intruder and analyzing the responses, we see that the password “admin” grants us access to the Jenkins console. Classic.


Figure 7: Successful brute-force of the Jenkins server

It’s well known that Jenkins servers come installed with a Script Console and run as NT AUTHORITY\SYSTEM on Windows systems by default. We can take advantage of this and gain privileged command execution.


Figure 8: Jenkins Script Console

Now that we have command execution, we have many options for the next step. For now, we will investigate the box and look for sensitive files. Through browsing user directories, we find a password file and a private SSH key.


Figure 9: File containing password

Let’s try and validate these credentials against the Domain Controller using CredNinja.


Figure 10: Valid credentials for a domain user

Excellent, now that we know the credentials are valid, we can run CredNinja again to see what hosts the user might have local administrative permissions on.


Figure 11: Running CredNinja to identify local administrative permissions

It looks like we only have administrative permissions over the previous Jenkins host, 192.168.38.104. Not to worry though, now that we have valid domain credentials, we can begin reconnaissance activities against the domain. By executing runas /netonly /user:windomain.local\niso.sepersky cmd.exe and entering the password, we will have an authenticated command prompt up and running.


Figure 12: cmd.exe running as WINDOMAIN\niso.sepersky

Figure 12 shows that we can successfully list the contents of the SYSVOL file share on the domain controller, confirming our domain access. Now we start up PowerShell and start share hunting with PowerView.


Figure 13: PowerView’s Invoke-ShareFinder output

We are also curious about what groups and permissions are available to the user account compromised. Let’s use the Get-DomainUser module of the post-exploitation framework PowerView to retrieve user details from Active Directory. Note that Commando VM uses the “dev” branch of PowerView by default.


Figure 14: Get-DomainUser win

We also want to check for further access using the SSH key we found earlier. Looking at our port scans we identify one host with TCP port 22 open. Let’s use MobaXterm and see if we can SSH into that server.


Figure 15: SSH with MobaXterm

We access the SSH server and also find an easy path to rooting the server. However, we weren’t able to escalate domain privileges with this access. Let’s get back to share hunting, starting with that hidden Software share we saw earlier. Using File Explorer, it’s easy to browse shares within the domain.


Figure 16: Browsing shares in windomain.local

Using the output from PowerView’s Invoke-ShareFinder command, we begin digging through shares and hunting for sensitive information. After going through many files, we finally find a config.ini file with hardcoded credentials.


Figure 17: Identifying cleartext credentials in configuration file

Using CredNinja, we validate these credentials against the domain controller and discover that we have local administrative privileges!


Figure 18: Validating WINDOMAIN\svcaccount credentials

Let’s check group memberships for this user.


Figure 19: Viewing group membership of WINDOMAIN\svcaccount

Lucky us, we’re a member of the “Domain Admins” group!

Final Thoughts

All of the tools used in the demo are installed on the VM by default, as well as many more. For a complete list of tools, and for the install script, please see the Commando VM Github repo. We are looking forward to addressing user feedback, adding more tools and features, and creating many enhancements. We believe this distribution will become the standard tool for penetration testers and look forward to continued improvement and development of the Windows attack platform.

Rockwell Automation PowerFlex 525 AC Drives

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5

  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Rockwell Automation
  • Equipment: PowerFlex 525 AC Drives
  • Vulnerability: Resource Exhaustion

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in resource exhaustion, denial of service, and/or memory corruption.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PowerFlex 525, an AC drive, are affected:

  • PowerFlex 525 AC Drives with embedded EtherNet/IP and Safety Versions 5.001 and earlier.

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION (‘RESOURCE EXHAUSTION’) CWE-400

A remote, unauthenticated threat actor can repeatedly send specific CIP packets to an affected PowerFlex 525 drive, which may allow disruption of the availability of the device. 

CVE-2018-19282 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nicolas Merle of Applied Risk reported this vulnerability to Rockwell Automation.

4. MITIGATIONS

Rockwell Automation has released new firmware to address the vulnerability. Download the latest version of the firmware from:

https://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?Keyword=25B&crumb=112

Rockwell Automation recommends the following general security guidelines:

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure CIP messages from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port 2222 and Port 44818, using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270 (login required).
  • If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to block unauthorized changes, etc.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet or the business network.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
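As an added illustration of two of the mitigations above (blocking the CIP ports at the manufacturing-zone boundary, and watching for the repeated-packet pattern that exhausts the drive), here is a small flow analyzer. It is example code written for this page, not Rockwell Automation's or NCCIC's; the zone range 10.10.0.0/16, the host addresses and the flow records are constructed, and the threshold of 20 packets within one second is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

# Ports named in the advisory for EtherNet/IP (CIP) explicit and implicit messaging.
CIP_PORTS = {2222, 44818}
# Constructed manufacturing-zone range; replace with the real cell/area zone.
MANUFACTURING_ZONE = ipaddress.ip_network("10.10.0.0/16")


def parse_flow(line):
    """Parse a constructed flow record: '<epoch_seconds> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def analyze_flows(lines, rate_threshold=20, window=1.0):
    """Return alerts for CIP traffic that (a) originates outside the manufacturing
    zone, i.e. should have been dropped at the zone firewall, or (b) repeats toward
    one destination at >= rate_threshold packets within `window` seconds, the
    pattern that exhausts the drive's resources."""
    alerts = []
    timestamps = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if dport not in CIP_PORTS:
            continue
        if src not in MANUFACTURING_ZONE:
            alerts.append(("cip_from_outside_zone", str(src), str(dst), dport))
        timestamps[(str(src), str(dst))].append(ts)
    for (src, dst), times in timestamps.items():
        times.sort()
        start = 0
        # Sliding window: count packets whose timestamps fall within `window` of the newest.
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            count = end - start + 1
            if count >= rate_threshold:
                alerts.append(("cip_flood", src, dst, count))
                break
    return alerts


def build_sample_flows():
    """Constructed flow records: normal HMI polling, a burst from one host, and an
    out-of-zone source. All addresses are made up for the example."""
    drive = "10.10.1.20"
    flows = [f"{100.0 + i * 5:.2f} 10.10.1.5 {drive} tcp 44818" for i in range(5)]      # normal polling
    flows += [f"{200.0 + i * 0.02:.2f} 10.10.5.7 {drive} udp 2222" for i in range(25)]  # burst
    flows.append(f"300.00 192.0.2.5 {drive} tcp 44818")  # CIP from outside the zone
    flows.append(f"301.00 10.10.1.5 {drive} tcp 80")     # non-CIP traffic, ignored
    return flows


if __name__ == "__main__":
    for alert in analyze_flows(build_sample_flows()):
        print(alert)
```

In a real deployment the zone range comes from the network design and the rate threshold from a baseline of normal scanner and HMI polling; the out-of-zone alert is also a useful check that the firewall rules from the bullet list are actually in effect.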

Rockwell Automation has released a security advisory regarding this vulnerability, which can be found on its website at the following location (login required):  
https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1082684

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Master Sgt. Roy P. Benavidez Highway


Fort Bragg, N.C. (USASOC News Service, March 28, 2019) — Former Special Forces Master Sgt. Roy P. Benavidez, a Vietnam Medal of Honor recipient, was honored by the State of Texas, Saturday, March 23, 2019.

Sponsored by Benavidez’s adopted home town of El Campo, Texas, a section of State Highway 71 was dedicated to his memory. This highway section is close to a statue of him in his old hometown of Cuero, Texas.

Fifty years ago, Benavidez, a Special Forces light weapons non-commissioned officer, stepped forward to help fellow Special Forces Soldiers under attack in Loc Ninh, South Vietnam. Despite wounds to his face, neck, and hands, Benavidez directed helicopters to the crippled team and under fire assisted in the evacuation of wounded and dead. Severely wounded in the stomach and back, Benavidez called in air strikes for a second helicopter after his aircraft crashed. While treating and evacuating his fellow Soldiers, he kept the enemy infantry at bay, but was wounded several more times. After a final check for possibly forgotten Soldiers and classified material, Benavidez boarded a helicopter and flew to safety with those he had rescued. For his valorous actions he was awarded the Medal of Honor.

Benavidez died in San Antonio, Texas, November 29, 1998. For more information on this valorous Soldier, go to:

https://www.soc.mil/ARSOF_History/medal_of_honor/recipient_benavidez.html

WinRAR Zero-day Abused in Multiple Campaigns

WinRAR, a file archival utility that is over 20 years old and used by more than 500 million users worldwide, recently acknowledged a long-standing vulnerability in its code base. A recently published path traversal zero-day vulnerability, disclosed as CVE-2018-20250 by Check Point Research, enables attackers to specify arbitrary destinations during file extraction of ‘ACE’ formatted files, regardless of user input. Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows “Startup” Start Menu folder. While this vulnerability has been fixed in the latest version of WinRAR (5.70), WinRAR itself does not contain an auto-update feature, increasing the likelihood that many existing users remain on out-of-date versions.
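One way to neutralise this vulnerability class at extraction time is to resolve each archive member name against the destination directory and refuse anything that lands outside it. The following checker is an added example written for this page, not WinRAR's code or Check Point's analysis; it uses Python's ntpath so that Windows path rules apply on any host, and the member names, user name and destination folder are constructed.

```python
import ntpath

# Case-folded marker for the per-user and all-users Startup folders.
STARTUP_MARKER = ntpath.normcase("\\Start Menu\\Programs\\Startup\\")


def resolve_entry(dest_dir, entry_name):
    """Return the path an archive entry would be written to under dest_dir, or
    None if the entry is absolute, drive-relative, UNC, or escapes dest_dir via
    '..' components. dest_dir must be an absolute Windows path."""
    dest = ntpath.normpath(dest_dir)
    drive, rest = ntpath.splitdrive(entry_name)
    # Archive member names must be relative: no drive, no UNC, not rooted, not empty.
    if drive or rest[:1] in ("\\", "/") or not rest.strip():
        return None
    candidate = ntpath.normpath(ntpath.join(dest, entry_name))
    # Compare case-insensitively as Windows does, and require a real directory
    # prefix so that "C:\Extract2" is not accepted for dest "C:\Extract".
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(dest) + "\\"):
        return None
    return candidate


def targets_startup(path):
    """True if a resolved path lands in a Startup folder."""
    return STARTUP_MARKER in ntpath.normcase(path) + "\\"


def audit_entries(dest_dir, entry_names):
    """Classify each entry as 'ok', 'traversal' (would escape dest_dir) or
    'startup' (inside dest_dir, but dest_dir itself is a Startup folder)."""
    report = []
    for name in entry_names:
        resolved = resolve_entry(dest_dir, name)
        if resolved is None:
            report.append((name, "traversal", None))
        elif targets_startup(resolved):
            report.append((name, "startup", resolved))
        else:
            report.append((name, "ok", resolved))
    return report


# Constructed member names modelled on the behaviour described above; the user
# name, the traversal depth and the archive layout are made up for the example.
SAMPLE_ENTRIES = [
    "Letter of Approval.pdf",
    "docs\\readme.txt",
    "..\\..\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winSrvHost.vbs",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "sub\\..\\notes.txt",
]

if __name__ == "__main__":
    for name, verdict, resolved in audit_entries("C:\\Extract", SAMPLE_ENTRIES):
        print(f"{verdict:9} {name!r} -> {resolved}")
```

The same check applies to any archive format; the point the conclusion of this post makes, that a payload can be written anywhere WinRAR can write, is why the check is on the resolved path rather than on a Startup-folder pattern alone.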

FireEye has observed multiple campaigns leveraging this vulnerability, in addition to those already discussed by 360 Threat Intelligence Center. Below we will look into some campaigns we came across that used customized and interesting decoy documents with a variety of payloads including ones which we have not seen before and the ones that used off-the-shelf tools like PowerShell Empire.

Campaign 1: Impersonating an Educational Accreditation Council

Infection Vector: When the ACE file Scan_Letter_of_Approval.rar is extracted with vulnerable WinRAR versions lower than 5.70, it creates a file named winSrvHost.vbs in the Windows Startup folder without the user’s consent. The VBScript file is executed the next time Windows starts up.

Decoy Document: To avoid user suspicion, the ACE file contains a decoy document, “Letter of Approval.pdf”, which purports to be from CSWE, the Council on Social Work Education, as shown in Figure 1. This appears to have been copied from the CSWE website.


Figure 1: Decoy document impersonating CSWE

VBS Backdoor: The VBS file in the Startup folder will be executed by wscript.exe when Windows starts up. The VBS code first derives an ID for the victim using custom logic based on a combination of the ComputerName, Processor_identifier and Username. It obtains these from environment strings, as shown in Figure 2.


Figure 2: Deriving victim ID

Interestingly, the backdoor communicates with the command and control (C2) server using the value of the Authorization HTTP header using the code in Figure 3.


Figure 3: Base64-encoded data in Authorization header

The VBS backdoor first sends the base64-encoded data, including the victim ID and the ComputerName, using the code in Figure 4.


Figure 4: Base64-encoded victim data

It then extracts the base64-encoded data in the Authorization header of the HTTP response from the C2 server and decodes it. The decoded data starts with the instruction code from the C2 server, followed with additional parameters.

C2 Communication

The malware reaches out to the C2 server at 185[.]162.131.92 via an HTTP request. Actual communication is via the Authorization field, as shown in Figure 5.


Figure 5: Communication via Authorization field

Upon decoding the value of the Authorization field, it can be seen that the malware is sending the Victim ID and the computer name to the C2 server. The C2 server responds with the commands in the value of the Authorization HTTP header, as shown in Figure 6.


Figure 6: C2 commands in Authorization field

Upon decoding, the commands are found to be “ok ok”, which we believe is the default C2 command. After some C2 communication, the C2 server responded with instructions to download the payload from hxxp://185.49.71[.]101/i/pwi_crs.exe, which is a Netwire RAT.
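To illustrate what a detection for this C2 channel looks like, the following inspector classifies Authorization header values: a recognised scheme is left alone, a bare base64 blob is decoded and flagged, and any Authorization header in an HTTP response is flagged outright, since that header is only defined for requests. This is an added example written for this page, not code from FireEye or from the backdoor; the victim identifier format, the host name and the 192.0.2.10 address are constructed, and only the “ok ok” command text comes from the analysis above.

```python
import base64
import binascii
import re

# Authentication schemes a legitimate client would put in front of the credential.
KNOWN_SCHEMES = {"basic", "bearer", "digest", "negotiate", "ntlm", "hoba", "mutual"}

AUTH_RE = re.compile(r"^Authorization:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def strict_b64decode(value):
    """Decode value as base64, or return None; validate=True rejects stray characters."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def _printable(raw):
    """Return raw as text if it is printable ASCII, else None."""
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def inspect_authorization(value, in_response=False):
    """Classify one Authorization header value as (suspicious, reason, decoded_text)."""
    value = value.strip()
    if in_response:
        # Authorization is a request header; a server emitting it is itself an anomaly.
        return True, "Authorization header in a response", _printable(strict_b64decode(value))
    scheme = value.split(None, 1)[0].lower() if value else ""
    if scheme in KNOWN_SCHEMES:
        return False, "recognised scheme", None
    raw = strict_b64decode(value)
    if raw is None:
        return False, "unrecognised scheme, not bare base64", None
    text = _printable(raw)
    if text is None:
        return True, "bare base64 carrying non-text data", None
    return True, "bare base64 carrying text", text


def scan_http(message, in_response):
    """Find every Authorization header in a raw HTTP message and classify it."""
    return [inspect_authorization(m, in_response) for m in AUTH_RE.findall(message)]


# Constructed exchange mirroring the pattern above (TEST-NET address, made-up victim id).
VICTIM_BLOB = base64.b64encode(b"7F3A9C21|DESKTOP-01").decode()
SAMPLE_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  f"Authorization: {VICTIM_BLOB}\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                   "Authorization: b2sgb2s=\r\n\r\n")  # base64 of "ok ok"
LEGIT_REQUEST = ("GET /api HTTP/1.1\r\nHost: intranet\r\n"
                 "Authorization: Basic dXNlcjpwYXNz\r\n\r\n")

if __name__ == "__main__":
    for label, msg, resp in (("request", SAMPLE_REQUEST, False),
                             ("response", SAMPLE_RESPONSE, True),
                             ("legit", LEGIT_REQUEST, False)):
        print(label, scan_http(msg, resp))
```

Run over proxy or IDS-captured HTTP, the response-side rule is the cheaper and more specific of the two; the bare-base64 rule on requests needs allow-listing for applications that use non-standard token formats.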

Commands Supported by VBS Backdoor

Command | Explanation
d | Delete the VBS file and exit process
Pr | Download a file from a URL and execute it
Hw | Get hardware info
av | Look for antivirus installed from a predefined list

Indicators

File Name | Hash/IP Address
Scan_Letter_of_Approval.rar | 8e067e4cda99299b0bf2481cc1fd8e12
winSrvHost.vbs | 3aabc9767d02c75ef44df6305bc6a41f
Letter of Approval.pdf | dc63d5affde0db95128dac52f9d19578
pwi_crs.exe | 12def981952667740eb06ee91168e643
C2 | 185[.]162.131.92
Netwire C2 | 89[.]34.111.113

Campaign 2: Attack on Israeli Military Industry

Infection Vector: Based on the email uploaded to VirusTotal, the attacker appears to have sent a spoofed email to the victim with an ACE file named SysAid-Documentation.rar as an attachment. Based on the VirusTotal uploader and the email headers, we believe this is an attack on an Israeli military company.

Decoy Files: The ACE file contains decoy files related to documentation for SysAid, a help desk service based in Israel. These files are shown as they would be displayed in WinRAR in Figure 7.


Figure 7: Decoy files

Thumbs.db.lnk: This LNK file target is ‘C:\Users\john\Desktop\100m.bat’. But when we look at the icon location using a LNK parser, as shown in Figure 8, it points to an icon remotely hosted on one of the C2 servers, which can be used to steal NTLM hashes.


Figure 8: LNK parser output

SappyCache Analysis: Upon extraction, WinRAR copies a previously unknown payload we call SappyCache to the Startup folder with the file name ‘ekrnview.exe’. The payload is executed the next time Windows starts up.

SappyCache tries to fetch the next-stage payload using three approaches:

Decrypting a File at %temp%\..\GuiCache.db

The malware tries to read the file at %temp%\..\GuiCache.db. If it is successful, it tries to decrypt it using RC4 to get the C2 URLs, as shown in Figure 9.


Figure 9: Decrypting file at GuiCache.db

Decrypting a Resource

If it is not successful in retrieving the C2 URL using the previous method, the malware tries to retrieve the encrypted C2 URLs from a resource section, as shown in Figure 10. If it is successful, it will decrypt the C2 URLs using RC4.


Figure 10: Decrypting a resource

Retrieving From C2

If it is not successful in retrieving the C2 URLs using those previous two methods, the malware tries to retrieve the payload from four different hardcoded URLs mentioned in the indicators. The malware creates the HTTP request using the following information:

  • Computer Name, retrieved using the GetComputerNameA function, as the HTTP parameter ‘name’ (Figure 11).


Figure 11: Retrieving computer name using GetComputerNameA

  • Windows operating system name, retrieved by querying the ProductName value from the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion, as the HTTP parameter ‘key’ (Figure 12).


Figure 12: Retrieving Windows OS name using ProductName value

  • The module name of the malware, retrieved using the GetModuleFileNameA function, as the HTTP parameter ‘page’ (Figure 13).


Figure 13: Retrieving malware module name using GetModuleFileNameA

  • The list of processes and their module names, retrieved using the Process32First and Module32First APIs, as the HTTP parameter ‘session_data’ (Figure 14).


Figure 14: Retrieving processes and modules using Process32First and Module32First

A fragment of the HTTP request that is built with the information gathered is shown in Figure 15.


Figure 15: HTTP request fragment

If any of the aforementioned methods is successful, the malware tries to execute the decrypted payload. During our analysis, the C2 server did not respond with a next-level payload.

Indicators

File Name/Type | Hash/URL
SysAid-Documentation.rar | 062801f6fdbda4dd67b77834c62e82a4
SysAid-Documentation.rar | 49419d84076b13e96540fdd911f1c2f0
ekrnview.exe | 96986B18A8470F4020EA78DF0B3DB7D4
Thumbs.db.lnk | 31718d7b9b3261688688bdc4e026db99
URL1 | www.alahbabgroup[.]com/bakala/verify.php
URL2 | 103.225.168[.]159/admin/verify.php
URL3 | www.khuyay[.]org/odin_backup/public/loggoff.php
URL4 | 47.91.56[.]21/verify.php
Email | 8c93e024fc194f520e4e72e761c0942d

Campaign 3: Potential Attack in Ukraine with Empire Backdoor

Infection Vector: The ACE file named zakon.rar is propagated using a malicious URL mentioned in the indicators. 360 Threat Intelligence Center has also encountered this campaign.

Decoy Documents: The ACE file contains a file named Ukraine.pdf, which contains a message on the law of Ukraine about public-private partnerships that purports to be a message from Viktor Yanukovych, former president of Ukraine (Figure 16 and Figure 17).


Figure 16: Ukraine.pdf decoy file


Figure 17: Contents of decoy file

Based on the decoy PDF name, the decoy PDF content and the VirusTotal uploader, we believe this is an attack on an individual in Ukraine.

Empire Backdoor: When the file contents are extracted, WinRAR drops a .bat file named mssconf.bat in the Startup folder. The batch file contains commands that invoke base64-encoded PowerShell commands. After decoding, the PowerShell commands invoked are found to be the Empire backdoor, as shown in Figure 18. We did not observe any additional payloads at the time of analysis.


Figure 18: Empire backdoor

Indicators

File Name/URL | Hash/URL
zakon.rar | 9b19753369b6ed1187159b95fc8a81cd
mssconf.bat | 79B53B4555C1FB39BA3C7B8CE9A4287E
C2 | 31.148.220[.]53
URL | http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8

Campaign 4: Credential and Credit Card Dumps as Decoys

Decoy Documents: This campaign uses credential dumps and likely stolen credit card dumps as decoy documents to distribute different types of RATs and password stealers.

One file, ‘leaks copy.rar’, used text files that contained stolen email IDs and passwords as decoys. These files are shown as they would be displayed in WinRAR in Figure 19.


Figure 19: Text files containing stolen email credentials as decoy

Another file, ‘cc.rar’, used a text file containing stolen credit card details as a decoy. The file as it would be displayed in WinRAR and sample contents of the decoy file are shown in Figure 20.


Figure 20: Text file containing stolen credit card details as decoy

Payloads: This campaign used payloads from different malware families. To keep this post concise, we did not include the analysis of all of them. The decompilation of one of the payloads with hash 1BA398B0A14328B9604EEB5EBF139B40 shows keylogging capabilities (Figure 21). We later identified this sample as QuasarRAT.


Figure 21: Keylogging capabilities

The decompilation of all the .NET-based payloads shows that much of the code is written in Chinese. The decompilation of malware with hash BCC49643833A4D8545ED4145FB6FDFD2 containing Chinese text is shown in Figure 22. We later identified this sample as Buzy.


Figure 22: Code written in Chinese

The other payloads also have similar keylogging, password stealing and standard RAT capabilities. The VirusTotal submissions show the use of different malware families in this campaign and a wide range of targeting.

Hashes of ACE Files

File Name | Hash
leaks copy.rar | e9815dfb90776ab449539a2be7c16de5
cc.rar | 9b81b3174c9b699f594d725cf89ffaa4
zabugor.rar | 914ac7ecf2557d5836f26a151c1b9b62
zabugorV.rar | eca09fe8dcbc9d1c097277f2b3ef1081
Combolist.rar | 1f5fa51ac9517d70f136e187d45f69de
Nulled2019.rar | f36404fb24a640b40e2d43c72c18e66b
IT.rar | 0f56b04a4e9a0df94c7f89c1bccf830c

Hashes of Payloads

File Name | Hash | Malware Family
explorer.exe | 1BA398B0A14328B9604EEB5EBF139B40 | QuasarRAT
explorer.exe | AAC00312A961E81C4AF4664C49B4A2B2 | Azorult
IntelAudio.exe | 2961C52F04B7FDF7CCF6C01AC259D767 | Netwire
Discord.exe | 97D74671D0489071BAA21F38F456EB74 | Razy
Discord.exe | BCC49643833A4D8545ED4145FB6FDFD2 | Buzy
old.exe | 119A0FD733BC1A013B0D4399112B8626 | Azorult

FireEye Detection

FireEye detection names for the indicators in the attack:

FireEye Endpoint Security

IOC: WINRAR (EXPLOIT)

MG: Generic.mg

AV: 

  • Exploit.ACE-PathTraversal.Gen
  • Exploit.Agent.UZ
  • Exploit.Agent.VA
  • Gen:Heur.BZC.ONG.Boxter.91.1305E319
  • Gen:Variant.Buzy.2604
  • Gen:Variant.Razy.472302
  • Generic.MSIL.PasswordStealerA.5CBD94BB
  • Trojan.Agent.DPAS
  • Trojan.GenericKD.31783690
  • Trojan.GenericKD.31804183

FireEye Network Security

  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • Backdoor.EMPIRE
  • Downloader.EMPIRE
  • Trojan.Win.Azorult
  • Trojan.Netwire

FireEye Email Security

  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • FE_Backdoor_QUASARRAT_A
  • FE_Backdoor_EMPIRE

Conclusion

We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL. Because of the huge WinRAR customer base, the lack of an auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the coming days.

Traditional AV solutions will have a hard time providing proactive zero-day detection for unknown malware families. FireEye MalwareGuard, a component of FireEye Endpoint Security, detects and blocks all the PE executables mentioned in this blog post using machine learning. It is also worth noting that this vulnerability allows a malicious ACE file to write a payload to any path that WinRAR has permission to write to. The exploits we have seen so far chose to write the payload to the Startup folder, but a more involved threat actor could choose a different file path to achieve code execution, bypassing any behavior-based rules that look only for WinRAR writing to the Startup folder. Enterprises should consider blocking vulnerable WinRAR versions and mandate updating WinRAR to the latest version.

FireEye Endpoint Security, FireEye Network Security and FireEye Email Security detect and block these campaigns at several stages of the attack chain.

Acknowledgement

Special thanks to Jacob Thompson, Jonathan Leathery and John Miller for their valuable feedback on this blog post.

Siemens SCALANCE X

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4

  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: SCALANCE X
  • Vulnerability: Expected Behavior Violation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to feed data over a mirror port and into the mirrored network.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following SCALANCE products are affected:

  • SCALANCE X-200, all versions;
  • SCALANCE X-300, all versions; and
  • SCALANCE XP/XC/XF-200, all versions older than v4.1

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port and into the mirrored network. An attacker could exploit this vulnerability to transmit malicious packets to systems in the mirrored network to influence their configuration and runtime behavior.
This vulnerability could be exploited by an attacker with network access to the traffic-receiving network. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the confidentiality and availability of the traffic-generating network.

CVE-2019-6569 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to NCCIC.

4. MITIGATIONS

Siemens has identified the following specific workaround/mitigation that users can implement to reduce the risk associated with this vulnerability in SCALANCE XP/XC/XF-200:

Until a software update can be installed, Siemens recommends users apply defense in depth principles, particularly ensuring that no devices that transmit data back in the mirroring network are operated within the mirrored network.

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. To operate devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security (https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the product manual recommendations.

Additional information on industrial security by Siemens is available at:

https://www.siemens.com/industrialsecurity

For additional information see Siemens’ security advisory SSA-557804 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

This vulnerability requires a high skill level to exploit. No known public exploits specifically target this vulnerability.

PHOENIX CONTACT RAD-80211-XD

1. EXECUTIVE SUMMARY

  • CVSS v3 9.9
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Phoenix Contact
  • Equipment: RAD-80211-XD
  • Vulnerability: Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute system level commands with administrative privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

According to Phoenix Contact, the following products are affected:

  • RAD-80211-XD (2885728), and
  • RAD-80211-XD/HP-BUS (2900047)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

A WebHMI utility may be exploited by any logged-in user, allowing the execution of arbitrary OS commands on the server. This provides the opportunity for a command injection attack.

CVE-2019-9743 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Maxim Rupp (RuppIT) working with Phoenix Contact and CERT@VDE reported this vulnerability to NCCIC.

4. MITIGATIONS

Phoenix Contact recommends the following:

Please see VDE-2019-007 at the following location for more details:

https://cert.vde.com/en-us/advisories/vde-2019-007

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

ENTTEC Lighting Controllers

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: ENTTEC
  • Equipment: Datagate MK2, Storm 24, Pixelator
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could reboot the device, allowing a continual denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ENTTEC reports that the vulnerability affects the following products and versions:

  • Datagate MK2 all firmware prior to 70044_update_05032019-482,
  • Storm 24 all firmware prior to 70050_update_05032019-482, and
  • Pixelator all firmware prior to 70060_update_05032019-482

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An unauthenticated user can initiate a remote reboot, which may be used to cause a denial of service condition.

CVE-2019-6542 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Australia

3.4 RESEARCHER

Ankit Anubhav of NewSky Security reported this vulnerability to NCCIC.

4. MITIGATIONS

ENTTEC recommends users upgrade to the March 2019 revB firmware or later, which can be downloaded from the following links:

Datagate MK2 70044_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/advanced-lighting-data-control/

Storm 24 70050_update_05032019-482:

https://www.enttec.com/product/controls/dmx-ethernet-lighting-control/ethernet-to-dmx-converter/

Pixelator 70060_update_05032019-482:

https://www.enttec.com/product/controls/addressable-led-pixel-control/24-port-ethernet-pixel-controller/

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

U.S. Army Special Operations Soldier Killed in Afghanistan

FORT BRAGG, N.C. — Sgt. 1st Class Will Lindsay, 33, of Cortez, Colorado, died March 22, 2019, in Kunduz, Afghanistan, as a result of wounds sustained while engaged in combat operations as part of Operation Freedom’s Sentinel. Lindsay was assigned to 10th Special Forces Group (Airborne), Fort Carson, Colorado.

Lindsay was born on Aug. 26, 1985, in Cortez, Colorado. He enlisted in the Army on July 7, 2004. Following the completion of One Station Unit Training and Basic Airborne School at Fort Benning, Georgia, Lindsay completed the Special Forces Qualification Course and was assigned to 2nd Bn., 10th SFG (A) in July 2006.

“The 10th SFG (A) Family is deeply saddened at the loss of Sgt. 1st Class Will Lindsay,” said Col. Lawrence Ferguson, 10th SFG (A) commander. “Will was one of the best in our formation, with more than a decade of service in the Regiment at all levels of noncommissioned officer leadership. We will focus now on supporting his Family and honoring his legacy and sacrifice.”

Lindsay’s deployments include five tours to Iraq supporting Operation Iraqi Freedom and Operation New Dawn; to Tajikistan in 2016 supporting the Counter-Narcotics Terrorism mission; and Afghanistan supporting Operation Freedom’s Sentinel.

Lindsay’s military education includes the Basic and Advanced Airborne Schools, Basic and Advanced Military Free Fall Courses, Special Forces Qualification Course, Special Operations Target Interdiction Course, Advanced Special Operation Techniques Level II, Special Forces Senior Leader Course, Special Forces Intelligence Sergeant Course, and Army Special Operations Forces Master Leader Course.

Lindsay’s awards and decorations include the Bronze Star Medal (4 OLC), Purple Heart Medal, Meritorious Service Medal (1 OLC), Valorous Unit Award, Meritorious Unit Award (1 OLC), Army Superior Unit Award, Army Good Conduct Medal (3 OLC), National Defense Service Medal, Global War on Terrorism Service Medal, NCO Professional Development Ribbon (3 OLC), Army Service Ribbon, Overseas Service Ribbon (1 OLC), NATO Medal, Special Forces Tab, Combat Infantryman Badge, Military Free Fall Jumpmaster Badge, Master Parachutist Badge, Chilean Airborne Wings and Senior Instructor Badge.

He is survived by his wife and four daughters.

For questions please contact the USASOC Public Affairs Director, Lt. Col. Loren Bymer, loren.bymer@socom.mil or 910.432.3383.

Medtronic Conexus Radio Frequency Telemetry Protocol

1. EXECUTIVE SUMMARY

  • CVSS v3 9.3
  • ATTENTION: Exploitable with adjacent access/low skill level to exploit
  • Vendor: Medtronic
  • Equipment: MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below
  • Vulnerabilities: Improper Access Control, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker with adjacent short-range access to one of the affected products to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data. Successful exploitation requires: (1) an RF device capable of transmitting or receiving Conexus telemetry communication, such as a monitor, programmer, or software-defined radio (SDR); (2) to have adjacent short-range access to the affected products; and (3) for the products to be in states where the RF functionality is active. Before the device implant procedure and during follow-up clinic visits, the Conexus telemetry sessions require initiation by an inductive protocol. Outside of these use environments, the RF radio in the affected implanted device is enabled for brief periods of time to support scheduled follow-up transmissions and other operational and safety notifications. The result of successful exploitation of these vulnerabilities may include the ability to read and write any valid memory location on the affected implanted device and therefore impact the intended function of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products and versions of Medtronic devices utilizing the Conexus telemetry protocol are affected:

  • MyCareLink Monitor, Versions 24950 and 24952,
  • CareLink Monitor, Version 2490C,
  • CareLink 2090 Programmer,
  • Amplia CRT-D (all models),
  • Claria CRT-D (all models),
  • Compia CRT-D (all models),
  • Concerto CRT-D (all models),
  • Concerto II CRT-D (all models),
  • Consulta CRT-D (all models),
  • Evera ICD (all models),
  • Maximo II CRT-D and ICD (all models),
  • Mirro ICD (all models),
  • Nayamed ND ICD (all models),
  • Primo ICD (all models),
  • Protecta ICD and CRT-D (all models),
  • Secura ICD (all models),
  • Virtuoso ICD (all models),
  • Virtuoso II ICD (all models),
  • Visia AF ICD (all models), and
  • Viva CRT-D (all models).

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL CWE-284

The Conexus telemetry protocol utilized within this ecosystem does not implement authentication or authorization. An attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication. This communication protocol provides the ability to read and write memory values to affected implanted cardiac devices; therefore, an attacker could exploit this communication protocol to change memory in the implanted cardiac device.

CVE-2019-6538 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The Conexus telemetry protocol utilized within this ecosystem does not implement encryption. An attacker with adjacent short-range access to a target product can listen to communications, including the transmission of sensitive data.

CVE-2019-6540 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Medtronic has applied additional controls for monitoring and responding to improper use of the Conexus telemetry protocol by the affected implanted cardiac devices. Additional mitigations are being developed and will be deployed through future updates, assuming regulatory approval.

Medtronic recommends that users take additional defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Maintain good physical control over home monitors and programmers.
  • Use only home monitors, programmers, and implantable devices obtained directly from your healthcare provider or a Medtronic representative to ensure integrity of the system.
  • Do not connect unapproved devices to home monitors and programmers through USB ports or other physical connections.
  • Only use programmers to connect and interact with implanted devices in physically controlled hospital and clinical environments.
  • Only use home monitors in private environments such as a home, apartment, or otherwise physically controlled environment.
  • Report any concerning behavior regarding these products to your healthcare provider or a Medtronic representative.

Medtronic has released additional patient-focused information at the following location:

https://www.medtronic.com/security

NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Restrict system access to authorized personnel only and follow a least privilege approach.
  • Apply defense-in-depth strategies.
  • Disable unnecessary accounts and services.
  • Where additional information is needed, refer to existing cybersecurity in medical device guidance issued by the FDA that can be found at the following location:

https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities require adjacent short-range access to the affected devices to be exploited.

160th SOAR named aviation award winners

Media Advisory#: 19-03-001

FORT BRAGG, N.C. (USASOC News Service, March 21, 2019) — Soldiers from the 160th Special Operations Aviation Regiment, U.S. Army Special Operations Aviation Command, were recognized for their contributions to Army aviation in an announcement of the Army Aviation Association of America 2018 award winners.

The awards recognize individuals and units for their outstanding contributions and advancements in innovation throughout the previous year.

Second Battalion, 160th Special Operations Aviation Regiment received the Battalion of the Year award. Sgt. Bradley Galloway was named the 2018 Soldier of the Year and Chief Warrant Officer 3 Patrick Fleming was named the 2018 Aviator of the Year for their individual achievements.

The awards signify the dedication to excellence by the soldiers and the continued efforts within U.S. Army Special Operations Aviation Command to improve the readiness and lethality of its formations.

Winning units and individuals will be presented their awards in a ceremony slated for April 2019.

Editor's Notes:

For more information, contact the Director of Public Affairs, Lt. Col. Loren Bymer, U.S. Army Special Operations Command. Office: (910) 432-3383; BB: (910) 494-1589; loren.bymer@socom.mil