Blogs

Ryuk Ransomware and Action – Summary Information

9 Oct 2019

Hello! Welcome to my first blog post. Today's topic is Ryuk ransomware, which has had some press of late, so I thought it might be useful to supply summary details about this ransomware variant to aid understanding, along with steps to aid mitigation. Written for quick absorption, without further ado, please find below a non-exhaustive, best-effort 'Ryuk Ransomware and Action – Summary Information' (popcorn optional).

** Ryuk Ransomware and Action – Summary Information **

Meaning: "Gift of God" (as reported)
Highly complex ransomware, constantly under development
Primary purpose: "money maker"
Secondary purpose: potential sale of compromised hosts for further exploitation (compromised-host marketplace)

Trojan associations:
– Emotet (modular malware, emerged in 2014, primarily used as a downloader for other malware, i.e., TrickBot and IcedID)
– TrickBot (spyware, emerged in 2016, mainly used to target banks, distributed via spam email or Emotet's geo-based download function)

*High-level Process Flow – Ryuk Ransomware (quick simple flow)*
– Spam email with malicious document
– Emotet and/or TrickBot malware installed
– Credential theft
– New admin user created
– Lateral movement through the network
– Active Directory reconnaissance
– Attempts to disable host security protection and third-party backup services
– Windows VSS shadow copies deleted
– Ryuk ransomware deployed

*Detail/Notes*

Ryuk stealth aspects:
– Dropper is deleted by the payload
– Encryption could occur days, weeks or a year after the initial infection
– Activation delay presumed to be surveillance related: actors performing reconnaissance on their 'big game'
– Known anti-forensics include PowerShell anti-logging scripts and an anti-analysis infinite loop

Encrypted file extension: .RYK
Ransom note filename: "RyukReadMe.txt"
Ransom note includes:
– Two private email addresses
– Variants observed: one includes payment-related details, while another doesn't and requires the victim to make contact

Lateral movement:
– RDP usage (via brute force and vulnerability exploitation)
– SMB exploitation (MS17-010)
– Continues until sufficient privileges have been recovered to reach a Domain Controller

Makes use of any or all of the following tools:
– PsExec (free Microsoft Sysinternals tool): to push the Ryuk binary to individual hosts
– PowerShell Empire: downloaded and installed as a service; PowerShell agents and keyloggers
– 'pwgrab' (TrickBot module): for recovering credentials
– Mimikatz: to steal admin credentials and create persistent backdoors

Persistence:
– Early variants had persistence
– Recent reports indicate newer variants do not persist after a restart
– Be prepared for either

Interesting:
– TrickBot is leveraged for lateral movement and to infect as many machines as possible (it then deploys Ryuk at a randomly determined time)
– When TrickBot compromises a machine, it is bundled with a library of modules, used to:
  – perform reconnaissance
  – harvest credentials
  – perform lateral movement
– Ryuk:
  – attempts to disable AV products and delete Windows VSS shadow copies before the encryption procedure starts
  – operates with a whitelist of three file extension types: exe, dll and hrmlog (hrmlog is believed to be a debug log filename created during development of Ryuk's 2017 predecessor, Hermes ransomware)
  – disables several third-party backup services, including Acronis, SQLSafe, VEEAM and Zoolz
– PowerShell Empire, a well-known penetration-testing tool, is no longer maintained by its creators (respected members of the infosec community)
  – its capabilities and behaviours closely resemble those used by current nation-state advanced persistent threat actors
  – it evades security solutions, operates covertly, and gives attackers total control over compromised systems
  – Empire's use among cybercriminals grew exponentially, and in 2018 the UK's National Cyber Security Centre included Empire on its shortlist of the five most dangerous publicly available hacking tools
  – however, development of the Empire framework stopped after its creators said the "project reached its initial goal"
– Ryuk victims may have a small chance of free decryption through security firm Emsisoft's free decryption tools

*Defending against Ryuk and other ransomware*

Consider that the usual methods for delivering ransomware are rarely complicated, relying on tried and tested techniques such as:
– exploiting vulnerabilities
– sending spam and phishing emails
– stealing user credentials (also consider credentials obtained via credential stuffing)

User/staff awareness!
– enhance your users' savviness and confidence in identifying and appropriately fielding suspicious emails
– encourage users to be avid first-line reporters

ASD Essential 8 mitigation strategies:
– preventing malware delivery and execution
  – application whitelisting
  – configure MS Office macro settings
  – patch applications
  – user application hardening
– limiting the extent of cyber security incidents
  – restrict administrative privileges
  – multi-factor authentication
  – patch operating systems
– recovering data and system availability
  – daily backups

Other government-produced advisories:
– Follow the ACSC "Guidelines for System Management" (October 2019), ensuring networks and systems are patched or appropriate measures are in place
  – advice included under 'When patches are not available'
– Review the NCSC guidance publication "Mitigating Malware", specifically section four (see references for URL):
  – "What to do if you (or your organisation) has been infected with malware"

Enterprise deployment or configuration considerations: follow industry best practice wherever, or whenever, possible; specific recommendations follow.

Following good practice, non-exhaustive:
– Restrict use of system administration tools, i.e., PsExec. Do admins really need to use it?
– Disable unnecessary services, i.e., RDP/terminal services

Backups – you might have them, but test them (during quiet times)!
Logging:
– goes without saying, but logs are essential
– ensure logging is enabled wherever possible (and that you have the capacity for it), including PowerShell logging and Windows Security event logging
– Sysmon is also a handy tool
  – free from Microsoft Sysinternals
  – offers valuable capabilities: event collection for processes, network connections, hashes, registry modifications, file creations and more
  – SIEM forwarding, i.e., a Sysmon add-on for Splunk exists

Software Restriction Policy (SRP):
– SRPs are a Group Policy-based feature that identifies software programs running on computers in a domain
– controls the ability of those programs to run, including from specific file path locations, e.g., the %APPDATA% directory in the user profile
– Software Restriction Policies are part of the Microsoft security and management strategy

Perform annual policy reviews and enforce compliance.

Detecting compromised hosts:
– review available Indicators of Compromise (IoCs)
  – SIEM, security solution reviews (a searchable audit trail if not fed into the SIEM), cloud analytic services (e.g., Microsoft Defender ATP)
– email security / gateway reviews
  – identify recipients of an identified phishing email; solutions such as Mimecast can track users' interaction with rewritten URLs, as the malware may not have activated yet
– undertake appropriate scanning / log reviews
  – outbound traffic firewall log reviews
  – vulnerability scan assets within specified IP ranges to detect assets and associated vulnerabilities, especially SMB related, e.g., EternalBlue (shine your light in your network! Did you know about all the assets listed in the results?)
  – SCCM review: are you offering all appropriate patches?
    – marry up what is listed vulnerability-wise within your vulnerability scanning tool's asset results with what is offered by SCCM
    – use automatic deployment rules (ADRs) rather than adding new updates to an existing software update group
    – typically, you use ADRs to deploy monthly software updates

Proactiveness: configure alerting on detection of
– anomalous command execution, e.g., "vssadmin.exe Delete Shadows /All /Quiet"
– unusual administrative tool use within the SIEM, e.g., PsExec, net commands
– privileged and service account activity
– obfuscated commands: see something obfuscated? It can't be good

PsExec spotlight:
– The service PSEXESVC will be installed on the remote system
  – Security event 4697 and/or System event 7045 log entries
    – Note, the 4697 event, if available, may also contain account information
  – there may also be 4624 and/or 4625 Windows event log entries, capturing the logon events of the tool's usage
– SIEM search for the above
– Application Compatibility Cache / RecentFileCache.bcf
  – evidence of program execution in the Application Compatibility Cache ("AppCompat") and/or Amcache
  – Amcache replaces RecentFileCache.bcf in newer Windows operating systems

Last note on the topic of 'external providers' or contractors, non-exhaustive considerations:
– their need to follow organisational policy
– what access into the enterprise they have
– their skill level
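The alerting and PsExec notes above describe what to look for; the following Python is an added example (not from the original post, nor from any of the vendors in the reading list) that runs those rules over a handful of constructed events shaped like normalised Sysmon process-creation, System 7045 and Security 4697/4624 records. The field names (log, event_id, host, user, command_line, service_name, image_path, logon_type) are assumptions standing in for whatever your SIEM's schema uses. It flags vssadmin shadow-copy deletion, net user/localgroup /add, PSEXESVC service installs (attaching the preceding network logons as context, since 7045 lacks the account that 4697 carries), -EncodedCommand PowerShell (decoding the UTF-16LE payload) and backtick/caret-spliced commands, and it raises a shadow deletion to critical when it follows a PsExec service install on the same host.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

Event = Dict[str, object]


def encoded_command(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events, in time order. Field names are an assumption
# standing in for a SIEM's normalised schema; this is not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"log": "Sysmon", "event_id": 1, "host": "WS01", "user": "CORP\\jsmith",
     "command_line": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n invoice.docx'},
    {"log": "Sysmon", "event_id": 1, "host": "WS01", "user": "CORP\\jsmith",
     "command_line": "powershell.exe -NoP -w hidden -EncodedCommand "
                     + encoded_command("IEX (New-Object Net.WebClient)")},
    {"log": "Security", "event_id": 4624, "host": "SRV02", "user": "CORP\\admin-backup", "logon_type": 3},
    {"log": "System", "event_id": 7045, "host": "SRV02",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Security", "event_id": 4697, "host": "SRV02", "user": "CORP\\admin-backup",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Sysmon", "event_id": 1, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "net user svc_helpdesk P@ssw0rd! /add"},
    {"log": "Sysmon", "event_id": 1, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "net localgroup administrators svc_helpdesk /add"},
    {"log": "Sysmon", "event_id": 1, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"log": "Sysmon", "event_id": 1, "host": "SRV03", "user": "CORP\\backupsvc",
     "command_line": "vssadmin list shadows"},  # routine admin use: must not fire
]

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
ACCOUNT_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENCODED_PS = re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SPLICE_CHARS = re.compile(r"[`^]")  # backtick (PowerShell) / caret (cmd) token splicing
PSEXEC_SERVICE = "psexesvc"  # default name only; a renamed service (PsExec -r) needs a broader rule


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    user: str
    detail: str


def decode_encoded_command(b64: str) -> Optional[str]:
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_process(ev: Event) -> Optional[Alert]:
    cmd, host, user = str(ev.get("command_line", "")), str(ev["host"]), str(ev.get("user", "?"))
    if SHADOW_DELETE.search(cmd):
        return Alert("shadow_copy_deletion", "high", host, user, cmd)
    m = ENCODED_PS.search(cmd)
    if m:
        return Alert("encoded_powershell", "medium", host, user,
                     decode_encoded_command(m.group(1)) or "<undecodable payload>")
    if ACCOUNT_ADD.search(cmd):
        return Alert("local_account_or_group_add", "medium", host, user, cmd)
    if len(SPLICE_CHARS.findall(cmd)) >= 4:
        return Alert("obfuscated_command", "medium", host, user, cmd)
    return None


def rule_service_install(ev: Event) -> Optional[Alert]:
    """System 7045 and Security 4697 both record a service install; only 4697 carries the account."""
    name, path = str(ev.get("service_name", "")), str(ev.get("image_path", ""))
    if PSEXEC_SERVICE in (name + " " + path).lower():
        return Alert("psexec_service_install", "medium", str(ev["host"]), str(ev.get("user", "?")),
                     f"{ev['event_id']}: {name} -> {path}")
    return None


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    psexec_hosts = set()
    network_logons: Dict[str, List[str]] = {}  # host -> accounts with a 4624 logon type 3
    for ev in events:
        eid, host = ev.get("event_id"), str(ev["host"])
        if eid == 4624 and ev.get("logon_type") == 3:
            network_logons.setdefault(host, []).append(str(ev.get("user", "?")))
        elif eid in (7045, 4697):
            alert = rule_service_install(ev)
            if alert:
                alert.detail += "; network logons on host: " + ", ".join(network_logons.get(host, []))
                psexec_hosts.add(host)
                alerts.append(alert)
        elif "command_line" in ev:
            alert = rule_process(ev)
            if alert:
                if alert.rule == "shadow_copy_deletion" and host in psexec_hosts:
                    alert.severity = "critical"
                    alert.detail += " (follows PSEXESVC install on this host)"
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:>8}] {a.rule:<28} {a.host:<6} {a.user:<22} {a.detail}")
```

The benign "vssadmin list shadows" on SRV03 does not fire, which is the point of matching the verb rather than the binary name. In a real SIEM the 7045/4697 pair would be deduplicated; it is left as two alerts here so the difference in what each event carries is visible.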
*Reading List*
https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-ransomware/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ryuk-ransomware-shows-diversity-in-targets-consistency-in-higher-payouts
https://success.trendmicro.com/solution/1123892-ryuk-ransomware-information
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-response
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbots-bigger-bag-of-tricks/
https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/
https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/
https://blog.talosintelligence.com/2019/09/emotet-is-back-after-summer-break.html
https://www.wired.com/story/what-is-credential-stuffing/
https://www.sentinelone.com/blog/ryuk-ransomware-targets-av-solutions-not-just-files/
https://www.zdnet.com/article/development-stops-on-powershell-empire-framework-after-project-reaches-its-goal/
https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/
https://news.sophos.com/en-us/2019/10/04/rolling-back-ryuk-ransomware/
https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/
https://www.emsisoft.com/ransomware-decryption-tools/
https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools
https://www.ncsc.gov.uk/guidance/mitigating-malware
https://www.secjuice.com/enterprise-powershell-protection-logging/
https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
https://4sysops.com/archives/application-whitelisting-software-restriction-policies-vs-applocker-vs-windows-defender-application-control/
http://woshub.com/how-to-block-viruses-and-ransomware-using-software-restriction-policies/
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf
https://www.splunk.com/blog/2019/06/12/defending-against-common-phishing-frameworks-kits-with-splunk-enterprise-security-content-updates.html
https://www.splunk.com/blog/2019/06/12/monitor-for-investigate-and-respond-to-phishing-payloads-with-splunk-enterprise-security-content-update.html
https://www.splunk.com/blog/2017/07/06/hellsbells-lets-hunt-powershells.html
https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive
https://medium.com/@bromiley/digging-into-sysinternals-psexec-64c783bace2b
Emotet: https://attack.mitre.org/software/S0367/
TrickBot: https://attack.mitre.org/software/S0266/
PsExec: https://attack.mitre.org/software/S0029/
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://splunkbase.splunk.com/app/1914/
https://github.com/MHaggis/sysmon-dfir
https://www.zdnet.com/article/new-zealand-comcom-suffers-breach-after-laptop-theft/

*Further reading*
https://www.cyber.gov.au/ism/guidelines-system-management
https://www.sans.org/reading-room/whitepapers/detection/disrupting-empire-identifying-powershell-empire-command-control-activity-38315
https://www.cisco.com/c/dam/en/us/products/se/2019/2/Collateral/cybersecurity-series-threat.pdf
https://www.staysmartonline.gov.au/

AUSCERT, as a non-profit organisation, aims to help all, and it is also my personal hope that this post will serve to empower Australians, even if in a small way.
Arriving during Stay Smart Online Week (7-13 October), it's my pleasure to make this post to support the community and its efforts in reversing or recovering from cybercrime. For more information about Stay Smart Online Week, please visit the dedicated Australian government website (see further reading). This post has been formed from a wide range of articles, blogs and publications (see reading list), and curious readers are encouraged to dig further if interested. I would also highlight the important and informative efforts that the various industry author groups and organisations have made, and continue to make. All such efforts are critical to understanding specific and evolving threats, and to the research behind mitigation steps and methodology.

Stay safe and stay smart!

Colin

Colin Chamberlain CISSP, GCFA, eCTHP
Senior Information Security Analyst
AUSCERT



AUSCERT: What’s next in 2019?

9 Sep 2019

It's been a month since the wrap-up of our annual AUSCERT Cyber Security Conference and we're now at the start of the second half of 2019. To kick things off for the rest of the year, allow us to recap a few initiatives we've accomplished in the industry and the goals our team is looking forward to achieving in the next six months.

"It's Dangerous to Go Alone"

In honouring the theme from our conference, we have joined forces with the Council of Australasian Directors of Information Technology (CAUDIT) and Australia's Academic and Research Network (AARNet) to create the Australasian Higher Education Cybersecurity Service (AHECS). Together with CAUDIT and AARNet, we are working to address the sector's unique cyber security challenges, with the aim of developing coordinated services tailored to the Australasian higher education and research sectors. The AHECS initiative will span several tertiary institutions to build group strength and a trusted community through engagement, advocacy and support.

In addition to this, we continue to work with the Department of Premier and Cabinet and the whole of the Victorian Government workforce, one of the largest and most diverse enterprises in Australia, both in delivering our member services and in providing their team with an in-house training module on the topic of 'Incident Response Planning'.

Both of these examples showcase our commitment to helping our members "Empower their People, Capabilities and Capacities" by providing an extension of their workforces and channelling the expertise gained from an AUSCERT membership directly into their business processes.

Training courses with AUSCERT

We are continuing our training workshop offerings to our members and the wider information security community by providing the following options:

Incident Response Planning – Be equipped with the tools to write a bespoke incident response plan for your organisation

MISP – Set up, configure and integrate the Malware Information Sharing Platform into your organisation's cyber security defence strategy

Cyber Security Risk Management – Gain the confidence to perform a risk assessment of cyber security risks and the ability to rate and assess business risks rather than technical vulnerabilities

Introduction to Cyber Security for IT Professionals – Understand information security principles and cyber security as a risk to business objectives, and cultivate an appreciation of the current cyber threat landscape

Cost: $990 for members, $1980 for non-members

Customised in-house or group training options – At AUSCERT we are also able to develop tailored industry and/or government content with each of our members and clients to ensure that the resulting workshop meets their needs and objectives (P.O.A.)

To find out more about each of these training courses, let us know what topic(s) you're interested in, the number of people from your organisation and your city/state location: please contact us via membership@auscert.org.au

New services: MISP feed (AusISAC) and ADIR

Over the past couple of years, AUSCERT has coordinated and run a highly successful information sharing group for the tertiary education sector, and we are pleased to announce the establishment of an AUSCERT Information Sharing and Analysis Center (AusISAC), now available to general members. Members who join will be given access to our MISP platform, where we share a curated feed of threat intelligence gathered from multiple sources, together with our own malware and threat analysis.

Cost of service: $20,000

Sign up now and receive a complimentary half-day remote MISP training session (we will cap these sessions at a maximum of 5 participants in each class!). Please note that members who subscribe to this service cannot use it for commercial purposes.

We have also launched the AUSCERT Daily Intelligence Report (ADIR) service. ADIR is a daily summary of information security news, with a focus on the Australian cyberspace. To sign up, send us an email via membership@auscert.org.au.

UQ Cyber Security Initiative

One of the most exciting projects we've been lucky to be involved in this year has been our relationship and collaboration with colleagues from UQ's School of Information Technology and Electrical Engineering through their Cyber Security Initiative. In the next six months or so, our collaboration with this team will continue to evolve in a few different ways:

– 1 August: public seminar by Professor Corey Schou from Idaho State University
– 30 September to 4 October: (ISC)2 and CISSP CBK training
– 'UQ Cyber Squad': allowing students from any field of study and course level to represent the University at local and international cyber security competitions

Mike Holm
AUSCERT Operations Manager



AUSCERT celebrates launch of new website

12 Jul 2019

AUSCERT is Australia's original, and one of the world's longest-serving, Cyber Emergency Response Teams (CERTs). This year marks 26 years since we launched our specialist cyber security services through The University of Queensland in 1993.

Business Team Leader, Bek Cheb, said: "We've seen so much change in the cyber security industry over the past two and a half decades. In particular, the technology and people skills essential to providing high-quality cyber safety, data security and data protection have evolved radically."

To mark our 26-year milestone, AUSCERT has launched a new brand image and website to further enhance the service we provide to members. The new site is easier to navigate and provides better access to security information. Members can download PGP/GPG-signed versions of Security Bulletins; access information about member meetups hosted by AUSCERT; and keep up to date with industry news and the latest information security issues.

AUSCERT is a member-based not-for-profit organisation, so it offers one of the best-value threat intelligence and incident response services available. We are trusted by 500+ clients, including every university in Australia, a number of government departments and a variety of private companies. The AUSCERT services are numerous but revolve around providing specialist security support to help prevent, detect, respond to and mitigate cyber-based attacks. AUSCERT members receive timely threat and vulnerability alerts and access to a range of services, including:

Incident Management Service
The Incident Management Service includes coordination and handling, providing assistance and expertise to help detect, interpret and respond to attacks from around the globe. AUSCERT acts as a trusted intermediary, coordinating communication about incidents between affected parties.

Phishing Take-Down Service
AUSCERT's Phishing Take-Down Service works to reduce brand damage by requesting the removal of fraudulent websites. The service puts the safety of your brand at the forefront by detecting and acting immediately if your organisation is affected.

Security Bulletin Service
AUSCERT Security Bulletins contain information about threats, vulnerabilities, patches and workarounds of an IT security nature that AUSCERT believes would be of interest to our members (and the public). AUSCERT provides up-to-date information on a range of software and hardware products, published in a standardised format with a consistent approach to the classification of vulnerabilities, impacts and related operating systems.

Member Security Incident Notifications (MSINs)
AUSCERT provides Member Security Incident Notifications (MSINs) to members. These notifications are relevant, customised security reports containing notifications for organisations' domains and IP ranges. A notification can cover more than one incident, so you remain up to date on the latest threats and vulnerabilities.

A full list of services can be found on the AUSCERT website.



AUSCERT at 2019 FIRST Conference

9 Jul 2019

I had the absolute pleasure of attending the 2019 FIRST Conference for the first time (no pun intended!) recently. FIRST is the Forum of Incident Response and Security Teams, and it brings together a wide variety of security and incident response teams, including product security teams from the government, commercial and academic sectors. This year's conference theme was "Defending the Castle" and there were approximately 1100 delegates, a very full program over 5 days and plenty of opportunities to meet other cyber security teams and share ideas across the board. One of the aspects I enjoyed thoroughly was my introduction to other CERTs from the Asia Pacific region and gaining a greater understanding of the role AUSCERT plays in this community.

(Photo credit: APCERT)

I also wanted to take this opportunity to highlight a couple of my favourite speaker sessions here:

"Waking up the Guards – Renewed Vigilance Needed to Regain Trust in Fundamental Building Blocks" by Merike Kaeo of Double Shot Security was my favourite keynote. Merike spoke about the days when trust was inherent and how we now see exploitation of fundamentals such as routing, DNS and certificates. She posed the question "How can we regain trust and control of where our data goes and by whom it is seen?", and it really got me thinking about the current cyber security landscape and how we can all do better in this space.

The other speaker session I enjoyed was the talk presented by the Cisco Umbrella research team on the topic of "Detecting Covert Communication Channels via DNS". I thought this was an absolutely fascinating subject and one that is worth further research within AUSCERT.

As the conference wrapped up at the end of last week, I walked away feeling very inspired by the fact that there is such a strong community spirit that fosters great collaboration within our industry. I am certain that AUSCERT and UQ can AND need to play an even more active role in the future!

David Stockdale
Director



AUSCERT2019: that’s a wrap!

9 Jul 2019

The annual AUSCERT Cyber Security Conference has wrapped up for another year. This industry-leading event was held across 4 days. More than 700 delegates heard from 50 speakers and attended an array of interactive workshops. They networked with industry professionals, learnt the latest and best practices in the cyber and information security industry, and some even got their hands on awesome prizes. Here's a summary of conference highlights for those who couldn't attend.

Sensational Keynotes

AUSCERT2019 featured three legendary keynote speakers: Mikko Hypponen, Troy Hunt and Jessy Irwin. Each covered a different area within cyber security and shared their knowledge and expertise generously.

Mikko is a globally renowned tech security guru working as the CRO of F-Secure. He has written for the New York Times, Wired and Scientific American, and frequently appears on international TV. At the conference he spoke on 'Computer Security: Yesterday, Today and Tomorrow'. A key takeaway from Mikko was on IoT devices: in the future these devices will likely no longer tell you they are connecting to the internet, but will pass your data straight to the manufacturer. To view Mikko's presentation, you can visit the AUSCERT YouTube channel.

Troy is an independent security trainer, speaker and Microsoft Regional Director. He's most commonly recognised as the founder of the data breach monitoring and notification service 'Have I Been Pwned' (HIBP). Troy spoke on 'The Data Breach Pipeline: How Our Data is Stolen, Distributed and Abused'. A key takeaway from his presentation was on password managers and how they can solve a lot of password-breach related issues. Changing your password regularly is no longer enough; you need more robust solutions. To find out more about Troy's keynote, you can view his presentation on the AUSCERT YouTube channel.

Jessy is a security expert and Head of Security at Tendermint. Her role means she excels at translating complex cyber security problems into relatable terms, and she also develops, maintains and delivers on comprehensive security strategy. Jessy spoke on 'How Security Teams Can Evolve to Win Friends and Influence People'. Jessy's intention was to challenge some standard ways of thinking within the cyber and information security industry, and she certainly succeeded in doing so. A copy of Jessy's presentation is available for download, and the recording can be viewed on the AUSCERT YouTube channel.

Networking Events

The 'Beers of the World' session is the ceremonial welcome to all delegates attending AUSCERT2019. Attendees are encouraged to mingle with vendors, sponsors and other industry professionals while tasting an array of beers from around the globe. This is a great opportunity to connect with other industry professionals in a relaxed environment.

On Thursday evening conference delegates were entertained at the venue's poolside bar by the phenomenal crew from Jetpack Events, who showcased their acrobatic prowess and delighted the audience with an amazing fireworks display.

This year, the Gala Dinner theme 'Legend of the Gala' paid subtle homage to our main conference theme and is derived from the ever-popular Legend of Zelda video game franchise. We even saw a number of Zelda enthusiasts in full costume; kudos to them! Dinner guests were entertained by the talented speed painter Brad Blaze, who wowed the audience with his Zelda-inspired artworks.

Sponsor Booths

Alongside the array of speakers were more than 50 sponsors and supporters of AUSCERT. Each had their own designated booth space where they spoke to delegates and showcased their services. Some sponsors also engaged with delegates through interactive games and demos at their booth. There were hackathons, drone prizes and darts, to name a few. A special shout-out to colleagues from Context Information Security, who ran a PWNtoDrone CTF challenge which delegates enjoyed immensely.

In between sessions, delegates were also able to engage in the annual lock-picking and Lego building sessions. These interactive activities provide a nice break for delegates to unleash their building and lock-picking skills, not to mention keeping the Lego once you've built it.

Overall, AUSCERT2019 was a huge success. We trust that all attendees enjoyed their time and ultimately learned new skills and strategies to keep their data and networks safe in the new digital and mass-data era!



Malware threat indicators in AWS using MISP

13 Jun 2019

Malware threat indicators in AWS using MISP Every zero-day vulnerability is an attack vector that has existed before the day it was announced. When this happens we must vigilantly patch all of our vulnerable services while also ensuring that nothing has been compromised. We share threat indicators to limit the potential impact of attackers; however, when a new malware indicator has been identified in the wild, updating your firewall isn’t always enough. AWS GuardDuty is a great solution for parsing VPC flow logs and Route53 query logs with public threat feeds. Attacks targeted against specific industries are often underrepresented in public feeds. There are also delays from when the attack is first seen until when the data is pulled into a threat feed. Amazon Athena is a valuable tool we can use when it comes to searching for threat data in AWS accounts. Athena allows you to query large amounts of data from S3 using a SQL syntax. AWS has helpful guides for how to set up VPC flow logs to be queryable from Athena here. Searching over large amounts of flow log data quickly is very useful; however, we will want automatic integration with MISP to identify malicious traffic. We can pull out malicious IP addresses from the MISP API. Below is a screenshot of the MISP query builder. This example shows a search for all of the malicious IP addresses (ip-dst) over the last seven days with the intrusion detection system (IDS) flag set. The IDS flag lets security analysts highlight which attributes of an event are strong indicators of compromise. For example, if a malware package sends a DNS request to the google nameserver 8.8.8.8 it may help identify the malware family, though this by itself does not represent a host is compromised. Pulling the list of malicious IP addresses can be performed in a scheduled Lambda task running the MISP python API. This example shows how attributes can be pulled and dumped out as a CSV file. 
#!/usr/bin/env pythonfrom pymisp import PyMISPimport jsonmisp = PyMISP('https://misp.localhost/', '<api-key>', True, 'json')ret = ""result = misp.search('attributes', type_attribute = 'ip-dst', to_ids = True)for attribute in result['response']['Attribute']: ret += attribute['id'] + "," ret += attribute['event_id'] + "," ret += attribute['value'] + "n"print (ret)   This file can then be used to set up a new Athena database table. The example here shows the syntax to create a basic table for malicious IP addresses while retaining the MISP event ID. CREATE EXTERNAL TABLE IF NOT EXISTS misp_dest_indicators ( attributeid int, eventid int, destinationaddress string)PARTITIONED BY (dt string)ROW FORMAT DELIMITEDFIELDS TERMINATED BY ' 'LOCATION 's3://your_log_bucket/vpcflowlogs/';  Now we have all of the data to parse over our VPC flow logs with our MISP threat indicators. Joining these Athena tables, we can see if any of our MISP indicators show up in our VPC flow logs. SELECT v.account,  v.interfaceid,  v.sourceaddress,  v.destinationaddress,  v.action,  m.attributeid,  m.eventidFROM vpc_flow_logs v,  Misp_dest_indicators mWHERE v.destinationaddress = m.destinationaddress; If we want this in a more automated process we can execute this Athena query directly from Lambda. We could then trigger an alert with SNS if we find any matches on our hosts. For example: import boto3 session = boto3.Session()client = session.client('athena', region_name='ap-southeast-2') response = client.start_query_execution(    QueryString='select * from vpc_flow_logs limit 100;',    QueryExecutionContext={        'Database': 'vpc_logs'    },    ResultConfiguration={        'OutputLocation': 's3://<bucket>'    }) This solution allows us to search over large amounts of data when a new threat emerges. We also want to make sure these security events don’t happen in the future. 
AWS also has a threat detection service, GuardDuty, which continuously analyses VPC flow logs and Route 53 query logs for threats. GuardDuty can use custom threat lists stored in S3, so we can provide it with another dump of MISP threat indicators as a plain text file with one IP address per line. GuardDuty will then alert your security team whenever a host tries to route to any of those addresses in future.
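The three moving parts of the post (the Lambda that exports IDS-flagged ip-dst attributes as CSV, the join against VPC flow logs, and the GuardDuty threat list) can be exercised end to end without an AWS account. The block below is an added example, not code from the original post; it uses a constructed MISP search response of the same shape as the result the pymisp script above iterates over, and constructed VPC flow log records in the default v2 format, instead of live pymisp and Athena calls. It also handles two cases the post's script does not: attributes without the IDS flag, and values that do not parse as IP addresses.

```python
"""Offline run of the MISP -> Athena / GuardDuty indicator pipeline (added example)."""
import csv
import io
import ipaddress

# Constructed stand-in for misp.search('attributes', ...)['response']['Attribute'].
# The 8.8.8.8 attribute carries to_ids False: useful context, not a compromise indicator.
MISP_RESPONSE = {"response": {"Attribute": [
    {"id": "101", "event_id": "7", "type": "ip-dst", "to_ids": True,  "value": "198.51.100.23"},
    {"id": "102", "event_id": "7", "type": "ip-dst", "to_ids": False, "value": "8.8.8.8"},
    {"id": "103", "event_id": "9", "type": "ip-dst", "to_ids": True,  "value": "203.0.113.9"},
    {"id": "104", "event_id": "9", "type": "domain", "to_ids": True,  "value": "bad.example"},
    {"id": "105", "event_id": "9", "type": "ip-dst", "to_ids": True,  "value": "not-an-ip"},
]}}


def ids_ip_indicators(attributes):
    """Keep ip-dst attributes carrying the IDS flag; drop values that are not IP
    addresses so one bad attribute cannot poison the Athena table."""
    out = []
    for a in attributes:
        if a.get("type") != "ip-dst" or not a.get("to_ids"):
            continue
        try:
            ipaddress.ip_address(a["value"])
        except ValueError:
            continue
        out.append((int(a["id"]), int(a["event_id"]), a["value"]))
    return out


def to_athena_csv(indicators):
    """attributeid,eventid,destinationaddress rows: the column order of the
    misp_dest_indicators table, FIELDS TERMINATED BY ','."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in indicators:
        writer.writerow(row)
    return buf.getvalue()


def to_guardduty_list(indicators):
    """GuardDuty plaintext threat list: one IP per line, deduplicated."""
    return "\n".join(sorted({ip for _, _, ip in indicators})) + "\n"


# Constructed VPC flow log records (default v2 fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.23 49152 443 6 10 1500 1570000000 1570000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 8.8.8.8 53412 53 17 1 76 1570000000 1570000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 203.0.113.9 50000 8080 6 3 200 1570000100 1570000160 REJECT OK
2 123456789012 eni-0f9e8d7c 10.0.2.40 192.0.2.77 50001 80 6 3 200 1570000100 1570000160 ACCEPT OK
"""


def match_flow_logs(flow_log_text, indicators):
    """Python equivalent of the Athena join: flow records whose dstaddr is a MISP
    indicator, annotated with the MISP attribute and event ids. REJECTed flows
    are kept on purpose: a blocked connection attempt is still a sighting."""
    by_ip = {ip: (aid, eid) for aid, eid, ip in indicators}
    hits = []
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        dst = f[4]
        if dst in by_ip:
            aid, eid = by_ip[dst]
            hits.append({"account": f[1], "interfaceid": f[2], "sourceaddress": f[3],
                         "destinationaddress": dst, "action": f[12],
                         "attributeid": aid, "eventid": eid})
    return hits


def alert_message(hits):
    """Body for the SNS notification the post suggests sending on a match."""
    return "\n".join(
        f"{h['sourceaddress']} -> {h['destinationaddress']} ({h['action']}) "
        f"matches MISP event {h['eventid']} attribute {h['attributeid']}"
        for h in hits)


if __name__ == "__main__":
    ind = ids_ip_indicators(MISP_RESPONSE["response"]["Attribute"])
    print(to_athena_csv(ind))
    print(to_guardduty_list(ind))
    print(alert_message(match_flow_logs(FLOW_LOGS, ind)))
```

Running the block prints the two indicator files and two alerts (for 198.51.100.23 and 203.0.113.9); the 8.8.8.8 lookup is ignored because its attribute was never flagged for IDS, which is exactly the distinction the to_ids filter in the search is there to make.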


An experience of APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific.

30 May 2019

I feel incomplete when I hear only one voice, and this blog is, in its form, just that: one voice about an event I had the honor of being part of. My preferred option, to make a story whole, is to take the different voices and listen to other people tell the story of what happened. This way I get a better picture of the impact and significance of an event, or perhaps glimpse a pattern of directed effort.

The event was the APNIC Foundation's 3rd Regional CERT/CSIRT workshop for the Pacific, and the glimpse of the effort was the APNIC Foundation's drive to impart skills, know-how and cohesive trusted contacts to as many Pacific nations as possible, given the Foundation's engagement over the past few years. These activities support APNIC in building human and community capacity for Internet development in the Asia-Pacific region.

This workshop was organized by the APNIC Foundation with support from APNIC and Samoa's Ministry of Communications and Information Technology, and funding from the Cyber Cooperation Program (Australia's Department of Foreign Affairs and Trade, DFAT).

[Photo: Participants of APNIC Foundation's 3rd CERT/CSIRT workshop for the Pacific]

My recollection of the workshop is from the perspective of a guest assistant speaker, bringing only a splinter of expertise from AUSCERT along with its perspective on cyber security as a non-profit, member-based CERT. I was fortunate to join APNIC's Adli Wahid, a veteran of delivering these types of courses, in facilitating the workshop.
[Photo: Participant at one of the sessions of the 3-day workshop]

In delivering some of the material over the three days, I did get the chance to hear the perspective on cyber security from different Pacific nations, not just at the national constituency level but also at the level of financial institutions, universities, ministries, law enforcement and utilities. Every person that attended brought their own skill set and perspective on cyber security, shaped by their opportunities and work environment. Every Pacific nation that sent a delegate brought its skills and perspectives, to be honed by the barrage of tools and techniques that could fit into the time three days can offer. Let's be clear: these delegates were not empty vessels to be filled with skills in three days; they already had a solid foundation of process and technique. The three days just brought in new tools and shared perspective.

This was evident, with a little coaxing, in the effective interaction on the final day's table-top exercise. The participants were split into five distinct teams with economy-wide responsibilities. One of the first questions I was asked was "...is this a competitive drill?...", where one team needs to outdo another. Perhaps it should have been, but the purpose of this table-top exercise, as is the case in solving Internet-borne issues, is to apply a collaborative effort to address cyber security efficiently and effectively. By the end of the exercise, all triggers to take down malicious infrastructure had been called out by the various player-teams, and a sense of empowerment came from the fact that each team contributed a meaningful task in cleaning up the exercise's scenario.
Each team, with its set of expertise and its view into the scenario, realised that in solving cyber security issues each had a very important piece of work to do in addressing the problem as a whole, and by the end of the day they were working together as one. What filtered out as the best lesson of the three days is that it is paramount to make the effort that Internet connectivity be moulded and protected, as a tool to bring out the best opportunity for economic growth at every level of society the Internet touches.

It has been great to see the APNIC Foundation take on that effort of uniting skills and collaboration across the Pacific for the third time, and it is hoped that they will be given the tools to continue this effort far into the future. For although I was honored to be a guest speaker at the 3rd Regional CERT/CSIRT workshop, I feel I too learned a lot from the delegates, and I am bringing back to AUSCERT able and trusted contacts that, should we see cyber security issues in the Pacific, we can all collaborate with on making a safe, clean and reliable Internet.

Geoffroy Thonon
Senior Information Security Analyst
AUSCERT


Don't be an April Fool – back up your files!

29 Mar 2019

This Sunday, the 31st of March, marks World Backup Day [1].

Why backup?

Backups are crucial for ensuring the integrity and availability of your files in any unexpected event. If you aren't already convinced of the utility of backups, or if they aren't at the top of the priority list, here's a handy list to change your mind (or to convince the boss it's important!):

– Disaster recovery: from flood and fire to dead hard drives and the accidental rm -rf
– Forensics and auditing: to find out when something changed or when a machine was compromised
– Ransomware recovery: so we don't have to negotiate with scammers
– Device theft or loss: hardware is replaceable; the data should be too
– Minimising downtime: in the event of data loss, you want the business back up and running as soon as possible

Snapshots can help with some of these things, but snapshots aren't backups: a snapshot lives on the same storage as the data it protects, so it is lost with it. Having both is important.

Storing your Backups

Securing your backups is important to ensure the integrity and confidentiality of your data. Keep your backups on servers you trust, and have at least one copy offsite in case of a natural disaster. Duplicity or Duply [2] are powerful tools which can GPG-encrypt your backups before sending them to an Amazon S3 bucket or elsewhere. Popular options include Backblaze [3] for cloud backup, or Time Machine for Mac [4].

Testing your Backups

If you already have backups, which fingers crossed we all do, take this event as an opportunity to test them. Try to include data recovery testing in your regular maintenance or patch cycle: just because they worked once doesn't mean they always will. The worst time to test your backups is when your data is gone; the best time is right now!

Charelle

[1] http://www.worldbackupday.com/en/
[2] https://duply.net/
[3] https://www.backblaze.com/
[4] https://support.apple.com/en-us/HT201250
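"Test your backups" only means something if the test compares what came back against what went in. The block below is an added example, not code from the post or from the tools it names: it backs up a directory into a tarball together with a SHA-256 manifest, restores it somewhere else, and reports every file that is missing, altered or unexpected. Encryption and off-site transport are left to duplicity or Duply as the post suggests; the sample files in self_test are constructed for the demonstration.

```python
"""Backup round trip with an integrity manifest and a restore test (added example)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Relative path -> sha256 for every regular file under src_dir."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return its manifest. Keep the manifest
    with the backup: the restore test needs something independent to compare against."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return build_manifest(src_dir)


def restore_and_verify(archive_path, manifest, restore_dir):
    """Restore into restore_dir and return the list of problems (empty == good backup):
    files missing from the restore, files whose hash differs, files never in the manifest."""
    os.makedirs(restore_dir, exist_ok=True)
    base = os.path.realpath(restore_dir)
    with tarfile.open(archive_path, "r:gz") as tar:
        # Refuse members that would land outside restore_dir (tar path traversal).
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(restore_dir, member.name))
            if not (target == base or target.startswith(base + os.sep)):
                return [f"unsafe path in archive: {member.name}"]
        tar.extractall(restore_dir)
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored if rel not in manifest)
    return sorted(problems)


def self_test(workdir=None):
    """Constructed round trip: back up two files and verify the restore, then show
    that a manifest entry that no longer matches is reported. Returns (clean, tampered)."""
    tmp = workdir or tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(tmp, "src")
    os.makedirs(os.path.join(src, "sub"))
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly report\n")
    with open(os.path.join(src, "sub", "keys.bin"), "wb") as f:
        f.write(bytes(range(256)))
    archive = os.path.join(tmp, "backup.tar.gz")
    manifest = make_backup(src, archive)
    clean = restore_and_verify(archive, manifest, os.path.join(tmp, "restore1"))
    tampered = dict(manifest)
    tampered["notes.txt"] = "0" * 64      # pretend the source file has since changed
    bad = restore_and_verify(archive, tampered, os.path.join(tmp, "restore2"))
    return clean, bad


if __name__ == "__main__":
    print(self_test())
```

Running it prints an empty list for the clean restore and ['corrupt: notes.txt'] for the tampered manifest; scheduling restore_and_verify against last night's archive is the recurring test the post asks for.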


Password Reuse and Data Breaches

29 Jan 2019

Everyone knows the story of registering for a website we only ever intend to use once, where we lazily re-used a password. Fast forward 15 years, and you find out that website's password database stored everything in plain text, someone bad got hold of it, and you never knew. It's a surprisingly common story, and there is a stigma of shame around talking about personal password hygiene. One thing we can all do is tell the people we are close to that it's never too late to start improving, and recommend password managers and good multi-factor solutions to get the ball rolling for them.

Password reuse is hard to get out in the open as it is a very private issue. Luckily, there is now a solution. Troy Hunt has teamed up with Cloudflare to provide a free API that allows passwords to be checked against passwords seen in reported breaches. Steer people in the direction of Troy Hunt's Have I Been Pwned website and it may give them the wake-up call they need, when a big scary red box flashes up on the screen letting them know that their data may not be safe.

What can we do at an organisational level? The personal touch of reaching out to people directly doesn't scale well and can often come across as intimidating when it comes from "the security team". Setting a password is a very private experience, and the strong-password guidance needs to make its way into that experience. We have been asking users to meet reasonable password lengths and complexities through web frameworks for a long time now. That instant feedback has trained everyone that password length and complexity matter, but what about reuse? Last year, Troy teamed up with Cloudflare to deliver a free API endpoint for checking whether a password has shown up in reported data breaches.
What this means for organisations is that on your password reset page, or even your login page, you can query this API endpoint each time a password is typed to see whether it has appeared in a breach before.

Doesn't that mean Troy now has my new password? Nope! The API is designed so that only the first five characters of the SHA-1 hash of your password are sent to the endpoint; it returns the remainder of every hash that shares that prefix, and you check locally whether your full hash is among them. A hash is one-way, and a five-character prefix selects one of 16^5 (about a million) buckets, each containing hundreds of hashes of unrelated passwords, so the prefix reveals nothing useful about which one you typed. For example, the first five characters of the hash of "alexguo029" are "21BD1", and the first five characters of the hash of "lauragpe" are also "21BD1". So even if an attacker captured the data sent to the API, they could not recover the password from it. Read more about the technical details in Troy's blog.

Can I easily implement it on my infrastructure? Yes! We can query this API from client-side code without ripping apart any of our current systems. Client-side code works for this as it's more of a user education exercise than another security layer: anyone who disables the script bypasses it, so it complements rather than replaces your server-side password policy. Check out implementations on GitHub like passprotect-js to see just how easy it is. There is a great demo video and example code showing how the prefix of the password hash is generated and sent to the API, giving the user instant, tangible feedback that the password is not safe to use.

This is an easy win, and with the recent password collection dumps it is more valuable than it has ever been. Run it in a development environment today as a proof of concept. To lead by example, this is a demo I ran up on the AUSCERT website just this morning using passprotect-js.

What do I do about the latest breach? We can't eliminate password reuse for our user base.
Password rotation policies feel like a natural solution to this; however, NIST warns that aggressive password rotation lowers overall password strength because of user fatigue. Check whether your organisation shows up in a breach. Hopefully the passwords are not reused, but you should still encourage resets where possible, especially for users who could be high-value targets.

Use MFA! Human brains will never be great at password-based authentication, which is why we need to supplement it with another factor. This takes the urgency out of password breaches with respect to password reuse in your organisation, because of the second line of defence. We use one-time-password-based MFA on the AUSCERT website and hope to extend it to our other services in the future.
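The k-anonymity exchange described above (hash locally, send a five-character prefix, match the returned suffixes locally) is short enough to show in full. The block below is an added example, not code from the post or from passprotect-js; it uses the range endpoint https://api.pwnedpasswords.com/range/<prefix> that the post refers to, and the fetch function is injectable so the check can run offline against a constructed response. The SUFFIX:COUNT lines and the count value used in the test are constructed, not live API output.

```python
"""Pwned Passwords range check using the k-anonymity prefix scheme (added example)."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    """SHA-1 of the password as upper-case hex, split into the 5-character prefix
    that leaves the machine and the 35-character suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup. Only the prefix is sent, so the server cannot tell which of the
    hundreds of passwords in that bucket the user typed."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password has been seen in breaches (0 = not seen).
    `fetch` takes a prefix and returns the response body; swap it out for tests."""
    prefix, suffix = hash_parts(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Live call; prints a large number for "password" and 0 for a fresh random string.
    print(breach_count("password"))
```

The same split (prefix out, suffix compared locally) is what a browser-side implementation such as passprotect-js performs; in a server-side password policy the only change is to call breach_count during the reset handler and reject when the result is non-zero.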


What do I need to know about the MSP hack?

21 Dec 2018

What's going on?

On Thursday, the United States Justice Department announced an indictment against two members of APT10, acting in association with the Chinese government [0]. APT10, an advanced persistent threat group, has been targeting managed service providers (MSPs) around the world since 2014. Organisations in over fourteen countries were affected, including Australia. The indictment has spurred a flurry of news stories this morning, including a publication from the ACSC [1] and an interview with National Cyber Security Adviser Alastair MacGibbon [2], who also attributes APT10 to the Chinese government.

The nation-state attack on MSPs was covered extensively in 2017, as well as earlier this year [3] [4], and is known as "Cloud Hopper" [5]. The campaign compromises the MSP with remote access trojans (RATs) delivered by phishing; once inside an MSP, the attackers use its privileged access to reach the MSP's clients.

What is APT10?

APT10 is also known as Stone Panda, MenuPass and Red Apollo. An APT is skilled and persistent, with more resources than other types of attackers, so they are usually sponsored by nation-states or coordinated groups. When the APT10 MSP attacks were reported in 2017 there was only circumstantial evidence, which pointed at Chinese time-zone patterns. This indictment from the US Justice Department charges APT10 members Zhu Hua and Zhang Shilong, who acted in association with the Chinese Ministry of State Security's Tianjin State Security Bureau since 2006.

What should I tell my boss?

This is not a new threat; we have known about it since early 2017. The reason it is in the news is that the United States Justice Department has indicted two Chinese nationals.
You can also point out which of the controls in this document you have implemented to mitigate the risks of engaging an MSP: "How to manage your network security when engaging a Managed Service Provider" [6].

What you should do

At the time of writing, here are the Indicators of Compromise from our MISP event: https://wordpress-admin.auscert.org.au/publications/2018-12-21-apt10-msp-breach-iocs

We recommend running these against your systems and logs. While a list of affected MSPs isn't publicly known, the ACSC has contacted the MSPs it knows to have been affected. If you have any concerns, we recommend you contact your MSP, as they will be able to provide more information about their situation. You can also take this opportunity to update your risk registers and incident plans for any information and services you have hosted with a third-party provider. Perhaps you could make it a start- or end-of-year routine?

With that said, have a relaxing holiday season; we hope you don't have to play too much family tech support!

[0] https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion
[1] https://cyber.gov.au/msp-global-hack/
[2] https://www.abc.net.au/radionational/programs/breakfast/australian-businesses-hit-by-audacious-global-hacking-campaign/10645274
[3] https://www.arnnet.com.au/article/617425/aussie-msps-targeted-global-cyber-espionage-campaign/
[4] https://www.securityweek.com/dhs-warns-attacks-managed-service-providers
[5] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
[6] https://cyber.gov.au/business/publications/msp-risk-for-clients/


Windows DNS Server Privilege Escalation vulnerability (CVE-2018-8626) leading to Remote Code execution alleged to have Proof of Concept exploit

14 Dec 2018

INTRODUCTION

AUSCERT recently published an ASB addressing Microsoft's security updates for the month of December. Among the vulnerabilities addressed was a Critical vulnerability in the DNS Server implementation on the following Windows platforms [1]:

Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1709 (Server Core Installation)
Windows Server, version 1803 (Server Core Installation)

Security updates fixing the vulnerability have been provided by Microsoft.

VULNERABILITY DESCRIPTION

In their vulnerability description, Microsoft states:

"A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to a Windows DNS server." [1]

Failed exploitation attempts will lead to denial of service conditions. Note that only hosts running the DNS Server role are exposed; a Windows machine that merely resolves names as a client is not affected by this issue.
NVD CVSS3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
NVD CVSS3 Base Score: 9.8 (Critical)

PROOF OF CONCEPT EXPLOIT

The temporal metric in the NVD vector above (E:P, Exploit Code Maturity: Proof-of-Concept) indicates that a proof-of-concept exploit exists for this vulnerability; however, AUSCERT has not been able to access it or find any threat indicators related to it. We will continue to update this blog as more information becomes available.

References

1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8626
