PenTesting / Scanning Cached/Load Balanced Targets


As part of the PCI certification process, external-facing applications that are in scope of the PCI environment require a PCI ASV scan. If these external-facing applications use load balancing and/or caching, please be aware of the following. (Examples of load balancers include F5 LTM, AWS Elastic Load Balancer and AWS CloudFront.)

Any load balancer using a full-proxy architecture terminates your TCP connection at the virtual load-balanced IP (VIP) and opens a second connection to one member of a pool of backend application servers, proxying your scans and connection requests to it. The rules on your load balancer determine which pool member receives that second connection, so you have no way of knowing which pool member you have actually scanned. The IP of the backend server is never returned to the host from which you established the initial TCP connection to the VIP. To allow a PCI ASV scan, please allow the scanning origin IP through so that it can temporarily scan your servers directly.

Please consider the following when determining the number of IP addresses required for EVS:

  1. There are no load balancers in front of any in-scope servers:
    • Each external IP address / URL is counted as an individual IP.
  2. All servers behind load balancers are identical and synchronised:
    • The external-facing VIP or load-balanced URL/IP is counted as an individual IP. (Allow the scanning origin to temporarily scan your servers directly.)
  3. Servers behind load balancers are not identical and not synchronised:
    • Each individual IP must be scanned instead of the VIP. (Allow the scanning origin to temporarily scan all servers directly.)
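A quick way to tell case 2 from case 3 before booking the scan is to send several requests through the VIP and compare the response headers that differ between unsynchronised backends. This is an added example, not part of the original post; the response samples are constructed.

```python
# Added example (not from the original post): detect whether repeated requests
# to a load-balanced VIP are answered by non-identical pool members.
# Each sample is the response-header dict captured from one request to the VIP;
# the samples below are constructed, not real captures.
from collections import Counter

# Headers that tend to differ between unsynchronised backends.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "ETag", "Last-Modified", "Content-Length")

def fingerprint(headers):
    """Reduce one response to a tuple of the headers that reveal backend drift."""
    normalised = {k.lower(): v for k, v in headers.items()}
    return tuple(normalised.get(h.lower(), "-") for h in FINGERPRINT_HEADERS)

def analyse_pool(samples):
    """Return (distinct_fingerprints, counts) for responses captured through the VIP.

    One distinct fingerprint is consistent with case 2 above (identical,
    synchronised members): scanning the VIP once is enough. More than one means
    the pool is drifting (case 3) and every member needs its own direct scan.
    """
    counts = Counter(fingerprint(h) for h in samples)
    return len(counts), counts

def pool_is_synchronised(samples):
    return analyse_pool(samples)[0] == 1

# Constructed samples: three requests for the same URL through one VIP.
SAMPLES = [
    {"Server": "Apache/2.4.10", "ETag": '"1a2b"', "Last-Modified": "Mon, 01 Dec 2014 10:00:00 GMT", "Content-Length": "1024"},
    {"Server": "Apache/2.4.10", "ETag": '"1a2b"', "Last-Modified": "Mon, 01 Dec 2014 10:00:00 GMT", "Content-Length": "1024"},
    # Third member still runs an older build and serves an older copy of the page.
    {"Server": "Apache/2.2.22", "ETag": '"0f9e"', "Last-Modified": "Fri, 14 Nov 2014 08:30:00 GMT", "Content-Length": "1019"},
]

if __name__ == "__main__":
    distinct, counts = analyse_pool(SAMPLES)
    print(f"{distinct} distinct backend fingerprint(s) seen through the VIP")
    for fp, n in counts.items():
        print(f"  {n}x {fp}")
    if distinct > 1:
        print("Pool members differ: allow the scanner origin and scan each member directly.")
```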

Malware analysis

DDoS for Research Only

DOS Attacks and Free DOS Attacking Tools

“In order to protect one must understand how to exploit” – me just now

Disclaimer: Most countries have very strict telecommunications and computer abuse laws. Just running these commands against anyone could put you in jail for 99 years. These tools are easily detected.

Cyber Security


Running a WebSite is a PAIN

Just some things I am doing to optimise my website and stop it getting DDoSed.


# Redirect known unwanted crawlers (matched case-insensitively) to localhost
RewriteCond %{HTTP_USER_AGENT} ^.*(Ahrefs|Baidu|BlogScope|Butterfly|DCPbot|discoverybot|domain|Ezooms|ImageSearcherFree).*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(ips-agent|linkdex|MJ12|Netcraft|NextGenSearchBot|SISTRIX|Sogou|soso|TweetmemeBot|Unwind|Yandex).*$ [NC]
RewriteRule ^/?.*$ "http\:\/\/127\.0\.0\.1" [R,L]

  • Install ZB Block
  • Country-block rogue nations that are not your customers (Ukraine, etc.).
  • Reduce the crawl rate for known bots:

User-agent: msnbot
Crawl-delay: 1

Crawl-delay values:
  No crawl delay set – normal
  1 – slow
  5 – very slow
  10 – extremely slow
  • Send rogue bots back home:

# Redirect an empty User-Agent, or any bot/crawler that is not on the allow list, to localhost
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} (bot|crawl|robot)
RewriteCond %{HTTP_USER_AGENT} !(bing|Google|msn|MSR|Twitter) [NC]
RewriteRule ^/?.*$ "http\:\/\/127\.0\.0\.1" [R,L]
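Before deploying either rule set it is worth replaying them against User-Agent strings from your own access log, because a bare word such as "domain" in the first list matches far more than crawlers. The following is an added example, not code from the original post; it re-implements the two rule sets in Python and runs them over constructed sample UAs.

```python
# Added example (not part of the original post): replay the two mod_rewrite
# user-agent blocks from this post against sample User-Agent strings before
# deploying them, so you can see what each rule would redirect.
import re

# Rule set 1: named crawlers (the two RewriteCond lines joined with [OR], both [NC]).
NAMED_BOTS = re.compile(
    r"(Ahrefs|Baidu|BlogScope|Butterfly|DCPbot|discoverybot|domain|Ezooms|"
    r"ImageSearcherFree|ips-agent|linkdex|MJ12|Netcraft|NextGenSearchBot|"
    r"SISTRIX|Sogou|soso|TweetmemeBot|Unwind|Yandex)", re.IGNORECASE)

# Rule set 2: (empty UA OR generic bot/crawler) AND NOT on the allow list.
GENERIC_BOT = re.compile(r"(bot|crawl|robot)")          # case-sensitive, as on the page
ALLOWED_BOT = re.compile(r"(bing|Google|msn|MSR|Twitter)", re.IGNORECASE)

def classify_user_agent(ua):
    """Return the name of the rule set that would redirect this UA, or None."""
    if NAMED_BOTS.search(ua):
        return "named-bot"
    if (ua == "" or GENERIC_BOT.search(ua)) and not ALLOWED_BOT.search(ua):
        return "generic-bot"
    return None

# Constructed sample UAs with the verdict each should receive.
SAMPLE_UAS = {
    "": "generic-bot",                                  # empty UA is redirected
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)": None,
    "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)": "named-bot",
    "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)": None,
    "SomeNewCrawler/1.0 (+http://example.invalid/crawler)": "generic-bot",
    # False positive: 'domain' is a bare word, so an ordinary (constructed)
    # browser UA that merely contains 'Domain' is redirected as well.
    "Mozilla/5.0 (Windows NT 6.1) MyIntranetDomainHelper/1.0": "named-bot",
}

def check_rules(samples=SAMPLE_UAS):
    """Return a dict of UA -> verdict so the table can be reviewed."""
    return {ua: classify_user_agent(ua) for ua in samples}

if __name__ == "__main__":
    for ua, verdict in check_rules().items():
        print(f"{verdict or 'allowed':12} {ua or '<empty>'}")
```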


# Apache 2.2 access-control syntax: only this network may send GET/HEAD/POST
<Limit GET HEAD POST>
order deny,allow
deny from all
allow from 103.51.61.0/24
</Limit>

  • Disable Joomla User registration
Joomla administrator URL to view the user list:

administrator/index2.php?option=com_users&task=view&limit=1000

Remove every non-administrator account directly in the database:

-- Run against the Joomla database; the sgj_ table prefix is this site's own
DELETE FROM `sgj_users` WHERE `name` NOT LIKE 'Administrator'

Exploiting Unicode Character RTL ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)


This is one of the easiest exploits to implement on Microsoft Windows systems, yet it is impossible to mitigate against. This exploit can also be used for domain names: http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing

Obfuscating Executables

Examples

  • CORP_INVOICE_08.14.2011_Pr.phyldoc.exe was made to display as CORP_INVOICE_08.14.2011_Pr.phylexe.doc by placing the Unicode right-to-left override just before the “d” in “doc”.
  • SexyAlexe.ppt -> SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\xe2\x80\xaetpp.exe
  • SexyAl\u202Etpp.exe
  • \xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe
  • \u202Ecod.yrammus_evituc\u202D2011.exe
  • \xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr
  • \u202Etpp.stohsnee\u202Dfunny.scr
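A mail gateway or file-share scanner can at least flag these names, since the override character itself is the tell: the real extension is whatever follows the last dot once the controls are stripped. The following detector is an added example, not part of the original post; it reproduces the displayed name only for the single-RLO case (the SexyAl example above) and just flags names that mix several controls.

```python
# Added example (not from the original post): flag filenames that carry Unicode
# bidi override characters and show the name a user would see versus the real
# extension. Sample names are taken from the post or constructed.

BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def displayed_name(name):
    """Rendering for the single-RLO case on the page: text after U+202E is drawn
    right-to-left, i.e. reversed. Names that mix other controls need the full
    bidi algorithm, so None is returned for them and they are only flagged."""
    others = [c for c in name if c in BIDI_CONTROLS and c != "\u202E"]
    if others or name.count("\u202E") > 1:
        return None
    head, sep, tail = name.partition("\u202E")
    return head + tail[::-1] if sep else name

def analyse_filename(name):
    """Return a dict describing bidi-override risk for one filename.

    Accepts str or raw UTF-8 bytes (the \\xe2\\x80\\xae form used on the page)."""
    if isinstance(name, bytes):
        name = name.decode("utf-8")
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    return {
        "name": name,
        "controls": controls,
        "displayed": displayed_name(name),
        "real_extension": real_ext,
        "suspicious": bool(controls),
    }

if __name__ == "__main__":
    for sample in ["SexyAl\u202Etpp.exe", b"SexyAl\xe2\x80\xaetpp.exe", "report.pdf"]:
        info = analyse_filename(sample)
        print(f"{'SUSPICIOUS' if info['suspicious'] else 'ok':10} shown as {info['displayed']!r} "
              f"real extension .{info['real_extension']} controls={info['controls']}")
```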

Defending against CryptoLocker with Group Policy Software Restriction

The latest variants of CryptoLocker can bypass Microsoft Endpoint Protection even with the latest definitions: https://www.staysmartonline.gov.au/alert_service/message?id=1145582&name=Fake+speeding+ticket+emails+distributing+ransomware#.VHaOwlAcQ-V

Please use the following Group Policy to stop it executing from %AppData%:

Computer Configuration\Policies\Windows Settings\Security Settings\Software Restrictions Policies\Additional Rules

*.SCR and *.TMP are known virus extensions.

  • %AppData%\*.exe Disallowed
  • %AppData%\*\*.exe Disallowed
  • %TEMP%\*.exe Disallowed
  • %TEMP%\*.\*.exe Disallowed
  • %TMP%\*.exe Disallowed
  • %TMP%\*.\*.exe Disallowed

Extension

** I would suggest blocking all files (*.*) or just selected executable file extensions: http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/


.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .htm

More Locations to protect:

  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\7z*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\*.zip\*.exe

Registry lock down

I would suggest restricting these keys for users, but more testing is required

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Result

Command to check: accesschk -w -s -q -u Interactive "C:\Windows"

Recovery

If you do get hit:

  1. Shut down the affected workstation ASAP.
  2. Stop all file shares.
  3. Recover from the last known good backup. (We had VSS and NetApp, so we only lost 4 hours of work.)
  4. Check personal storage software like Dropbox, which got hit as well.
  5. Upload the virus file to https://www.virustotal.com/en/ or https://www.microsoft.com/security/portal/submission/submit.aspx (this way the virus engines will create a definition and help others not to get infected).

Deep Investigation

I looked a bit closer at how these viruses actually get executed:

  1. The first method is to change the icon of the executable (*.exe) to a PDF icon. Users normally can’t see file extensions and will double-click it thinking it’s a PDF file.
  2. The “Unitrix” exploit (so named by Avast): the Unicode character U+202E, Right-to-Left Override.
    1. http://www.voltage.com/blog/standards/a-clever-use-for-u202e/
    2. http://www.explainxkcd.com/wiki/index.php/1137:_RTL
    3. http://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/

Other protection

  1. Educate users
  2. Turn on Data Execution Prevention – System Properties / Advanced / Performance Options / Data Execution Prevention / Turn on DEP for essential Windows programs and services only
  3. User Account Control settings – Always notify
  4. Internet Options / Security Settings – Local Intranet Zone
  5. Application Whitelisting
    1. https://technet.microsoft.com/en-us/library/bb457006.aspx
    2. https://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf

Educate Users

The authors of this kind of malware release updates very quickly and change significant characteristics of the malware families involved, evading anti-malware signatures. We see a lot of ransomware on a daily basis, around 50 new sub-variants per day. The people who write this malware constantly modify it and test it against a large group of AV engines with the latest definitions to make sure it is not detected, much like a website such as http://www.virustotal.com, except that they have their own private environment. So it is a race between the malware authors and the AV software.

The use of public/private key cryptography makes it infeasible to discover or calculate the decryption key.
The malware encrypts files locally and on any mapped network drives, which expands the potential for damage.

Encrypted files are registered here: HKEY_CURRENT_USER\Software\CryptoLocker\Files

Here is the latest blog post from the Microsoft Malware Protection Center about this kind of ransomware. It has some information about the common infection vectors.

http://blogs.technet.com/b/mmpc/archive/2014/10/28/the-dangers-of-opening-suspicious-emails-crowti-ransomware.aspx

Some other blogs:

  • Word OneNote Blog - http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
  • BGP Blog - http://blogs.technet.com/b/bgp/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
  • Excel Blog - http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx

Emphasise the importance of educating users; attackers always try to infect users through spam email and malicious websites.

  1. For most infection vectors, the attacker relies on social engineering to get you to run the program, much the same way a con man gets your bank account details. Therefore the VERY FIRST line of defense against this virus is DO NOT RUN ATTACHMENTS UNLESS YOU KNOW THEY ARE SAFE. You may also need to educate users about the common attack methods attackers use.
  2. Turn off file sharing if it is not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access to folders that must be shared only to user accounts with strong passwords.
    Also review the write permissions on shared folders and remove any that are unnecessary.
  3. Always keep your patch levels up to date, especially Java, Adobe products and IE. This stops attackers from using known vulnerabilities to infect users. Simply visiting a compromised website can cause infection if certain vulnerabilities in the browser or its add-ins are not patched.
  4. Filter spam email on the email server; you can use anti-spam software. Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  5. We also need to back up our important documents regularly.

Official Symantec MSS Alert

NSW_Speeding_Violation_CryptoLocker_12Nov2014

Symantec MSS Threat Landscape Update – Cryptowall 2.0

EXECUTIVE SUMMARY:

On October 15th, 2014, researchers from the Bleeping Computer forum released a blog article about a new variant of Cryptowall, a.k.a Cryptodefense. This malware is your traditional “ransomware” with some added features.

TECHNICAL DETAILS:

This new variant provides a unique bitcoin payment address to every infected user. Previously, all infected users paid into the same payment address, which meant that one infected user could redirect funds paid by another infected user.

Another new feature is the ability to securely delete the original files after they are encrypted. In the previous version, deleted files could be recovered using file recovery tools. Cryptowall 2.0 wipes the original files, making recovery impossible unless you pay the ransom or restore from backup.

All of Cryptowall’s ransom servers are located on the anonymous TOR network. Before, users had to install TOR on their systems in order to pay the ransom. This was a confusing process for the user, so the attackers moved to a web-to-TOR gateway which allows users to access TOR servers without having to install software. The old version of Cryptowall used a third party provider for this service, but once this was discovered it was blacklisted. The new version of TOR now uses its own web-to-TOR gateways, avoiding any blacklisting.

Cryptowall currently uses four web-to-TOR gateways as outlined by Bleeping Computer. They are the following:

  • Tor4pay[.]com
  • Pay2tor[.]com
  • Tor2pay[.]com
  • Pay4tor[.]com

This new variant is being distributed through phishing emails using the RIG Exploit kit.

SYMANTEC MSS SOC DETECTION CAPABILITIES:

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

MSS SOC Analytics Detection

  • URL Analytics (WSM Signatures)

[MSS URL Detection] Possible Trojan.Cryptodefense(Cryptowall) C&C Traffic

Vendor Detection

  • Symantec AV

Trojan.Cryptodefense

Trojan.Maljava

Trojan.Swifi

  • Symantec IPS

System Infected: Trojan.Cryptodefense Activity

Web Attack: Exploit Toolkit website 47

Web Attack: Malicious Executable Download 2

Web Attack: MSIE CVE-2013-2551 3

Web Attack: Rig Exploit Kit Website 5

Web Attack: Rig Exploit Kit Website 9

Web Attack: Rig Exploit Kit Website 4

Web Attack: Rig Exploit Kit Website 21

  • Snort/Emerging Threats (ET)

SID – 2809047 – ETPRO TROJAN Possible Cryptowall Infection in Windows Roaming Profile (DECRYPT_INSTRUCTION.URL ascii)

SID – 2018452 – ET TROJAN CryptoWall Check-in

SID – 2016809 – ET TROJAN Likely CryptoWall .onion Proxy DNS Lookup

SID – 2018610 – ET TROJAN Likely CryptoWall .onion Proxy Domain in SNI

SID – 2018397 – ET TROJAN Cryptodefense DNS Domain Lookup

  • Snort/Sourcefire

SID – 31450 – MALWARE-CNC Win.Trojan.CryptoWall Outbound Connection Attempt

SID – 31449 – MALWARE-CNC Win.Trojan.CryptoWall Downloader Attempt

SID – 32225 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31223 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt

SID – 31447 – BLACKLIST DNS Request for Known Malware Domain mediaocean[.]home[.]pl – Win.Trojan.CryptoWall

SID – 31448 – BLACKLIST DNS Request for Known Malware Domain nofbiatdominicana[.]com – Win.Trojan.CryptoWall

SID – 31369 – EXPLOIT-KIT Rig Exploit Kit Outbound Microsoft Silverlight Request

SID – 31455 – EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request

  • TippingPoint

HTTP: CryptoWall Communication Attempt

  • FireEye

Trojan.CryptoWall

This list represents a snapshot of current detection. As threats evolve, detection for those threats can and will evolve as well.

REFERENCES:

http://www.symantec.com/security_response/writeup.jsp?docid=2014-032622-1552-99

  • Rig Exploit Kit Used in Recent Website Compromise

http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

  • Updated CryptoWall 2.0 ransomware released that makes it harder to recover files

http://www.bleepingcomputer.com/forums/t/552103/updated-cryptowall-20-ransomware-released-that-makes-it-harder-to-recover-files/

  • Recovering Ransomlocked Files Using Built-In Windows Tools

http://www.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

  • CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.

Global Client Services Team

Symantec Managed Security Services

MSS Portal: https://mss.symantec.com

MSS Blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-group
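The four web-to-TOR gateway domains listed in the alert above are easy to turn into a DNS-log check while waiting for the vendor signatures to arrive. The following detector is an added example, not part of the Symantec alert or the original post; the log format, client addresses and query names are constructed.

```python
# Added example (not part of the Symantec alert above): replay the four
# web-to-TOR gateway domains listed in the alert against DNS query log lines.
# The log lines, client addresses and the log format itself are constructed.
import re
from datetime import datetime

# Defanged indicators exactly as listed in the alert.
GATEWAYS_DEFANGED = ["Tor4pay[.]com", "Pay2tor[.]com", "Tor2pay[.]com", "Pay4tor[.]com"]

def refang(indicator):
    return indicator.replace("[.]", ".").lower()

GATEWAYS = {refang(g) for g in GATEWAYS_DEFANGED}

# Assumed (constructed) log format: "<ISO time> <client ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (A|AAAA|CNAME) (\S+)$")

def qname_matches(qname):
    """True for the gateway itself or any host beneath it; a name that merely
    ends in the same letters (e.g. mypay4tor.com) is not a hit."""
    q = qname.rstrip(".").lower()
    return any(q == g or q.endswith("." + g) for g in GATEWAYS)

def scan_dns_log(lines):
    """Return (client, qname, time) for each query that hits a gateway domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        if qname_matches(qname):
            hits.append((client, qname.rstrip(".").lower(), datetime.fromisoformat(ts)))
    return hits

SAMPLE_LOG = """\
2014-11-27T16:20:01 10.0.5.23 A www.example.com.
2014-11-27T16:20:07 10.0.5.23 A tor4pay.com.
2014-11-27T16:20:09 10.0.5.23 A abc123.pay2tor.com.
2014-11-27T16:21:44 10.0.5.40 A mypay4tor.com.
2014-11-27T16:22:10 10.0.5.40 AAAA torproject.org.
""".splitlines()

if __name__ == "__main__":
    for client, qname, ts in scan_dns_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {client} looked up {qname}")
```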