
Tag: Unix

ShadowBrokers Dump More Equation Group Hacks, Auction File Password

The ShadowBrokers' latest dump of Equation Group hacks focuses on UNIX systems and GSM networks, and was accompanied by an open letter to President Trump.

Angry Shadow Brokers release password for suspected NSA hacking tools

Annoyed with the U.S. missile strike last week on an airfield in Syria, among other things, hacker group Shadow Brokers resurfaced on Saturday and released what they said was the password to files containing suspected National Security Agency tools they had earlier tried to sell.

“Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected,” the group wrote in broken English in a letter to U.S. President Donald Trump posted online on Saturday.

The hacker group, believed by some security experts to have Russian links, released in January an arsenal of tools that appeared designed to spy on Windows systems, after trying to sell these and other supposedly Windows and Unix hacking tools for bitcoin.

Penquin’s Moonlit Maze

Moonlight Maze is the stuff of cyberespionage legend.
In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale.

To say that this historic threat actor is directly related to the modern day Turla would elevate an already formidable modern day attacker to another league altogether.

AWS follows Google with Reserved Instance flexibility changes

Customers who have Reserved Instance contracts with Amazon Web Services will be able to subdivide some of their Linux and Unix virtual machine instances while maintaining their capacity discounts, thanks to pricing changes announced Monday.

Reserved Instances allow customers to lock themselves into paying AWS for a certain amount of compute capacity with the company's EC2 (Elastic Compute Cloud) in exchange for a discount off its list price.

Heartbleed Persists on 200,000 Servers, Devices

Almost 200,000 servers and devices are still vulnerable to Heartbleed, the OpenSSL flaw patched nearly three years ago. The numbers come from search engine Shodan, which released data showing U.S. servers hosted on Amazon AWS are disproportionately vulnerable to the flaw. “There’s a lot to be worried about with this data, but also a lot that’s unsurprising,” said Tim Jarrett, senior director of security at Veracode.

The Shodan analysis released over the weekend is part of the search engine’s Heartbleed Report (2017-01). It paints a gloomy picture when it comes to Heartbleed mitigation. The report indicates that almost 52,000 Apache HTTPD servers remain vulnerable and exposed to the internet, in particular versions 2.2.22 and 2.2.15. Amazon Web Services hosts the highest number of vulnerable devices (6,380), followed by Verizon Wireless (4,330) and German-based ISP Cronon AG (2,290).

“The initial media blizzard for Heartbleed helped secure hundreds of thousands of devices (from 600,000 down to 200,000) but the subsequent follow-up has been lackluster as the problem keeps lingering,” said John Matherly, Shodan founder. He points out that the vast majority of affected services actually support TLSv1.2. “This means they support good encryption, unfortunately their dependencies are old,” he said.

Heartbleed was an internet-wide bug that in 2014 affected millions of Linux, UNIX and Apple machines running vulnerable versions of the OpenSSL library. The Heartbleed vulnerability can result in the revelation of 64 KB of memory to any client or server that is connected. In April of 2014, fixes for versions of OpenSSL were quickly pushed out. “Most Heartbleed vulnerabilities are reported in the U.S. This makes sense given the prevalence of web applications hosted in Amazon AWS and Verizon as well as other US-based ISPs,” Jarrett said.

He said part of the issue is that it’s easy to create new servers in AWS that don’t enforce the same type of safety provisions as they once required. “What used to require a sysadmin and a capital expenditure can now be done with a few lines of code. And we know that both real and virtual servers are easy to forget about, particularly when created outside of normal IT processes. So it’s unsurprising that some of these ‘forgotten servers’ are unpatched and dangerous,” Jarrett said. The Shodan data shows the overwhelming majority of impacted services are HTTPS (148,420 vulnerable servers), followed by HTTPS on port 8443 (23,600) and then Webmin, the sysadmin interface for Unix (5,970).

Docker Patches Container Escape Vulnerability

Docker has patched a privilege escalation vulnerability (CVE-2016-9962) that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. The vulnerability is rated high severity by some Linux distributions such as Arch Linux, which traces the problem to a bug found in the “opencontainers’ runc” code, used by several container engines. According to Aqua Security, the vulnerability is exploited when running an exec command inside an already running container.

exec is a Unix command that replaces the current shell process with the program it runs, without creating a new process. “When that happens, a malicious process inside the container can access a ‘forgotten’ file descriptor of a directory that resides on the host.

This in turn can be used to perform directory traversal to the host’s file system, thus facilitating a nasty and easy escape,” wrote Sagie Dulce, senior researcher at Aqua Security. Docker released an update, Docker Engine 1.12.6, last week that patches the flaw.
Docker rates the vulnerability as minor and describes it as an “insecure opening of file-descriptor” which allows for privilege escalation. Red Hat rated the vulnerability as medium after first describing the problem in a blog post titled “Docker 0-Day Stopped Cold by SELinux” which was later changed to “SELinux Mitigates container Vulnerability.” Red Hat had argued that SELinux would have better protected against CVE-2016-9962. Red Hat also alerted its users to patch the vulnerability and said running SELinux would not fully protect against the vulnerability. “SELinux is the only thing that protects the host file system from attacks from inside of the container.
If the processes inside of the container get access to a host file and attempt to read and write the content, SELinux will check the access,” wrote Dan Walsh, consulting engineer at Red Hat. Aqua Security’s Dulce believes the open file descriptor issue is part of a larger problem tied to exec commands inside a running container.
In the case of CVE-2016-9962, there is a small window of opportunity “before the runc init process execs the command inside the container, where the container has access to the runc init process on the host.” The timing of the process allows the runc init process to enter the namespace of the container before it execs the final command, Dulce said. “This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system.” Aleksa Sarai with SUSE and Tõnis Tiigi with Docker are credited for disclosing the vulnerability on Jan. 2.
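The defensive side of the "forgotten file descriptor" problem described above is descriptor hygiene: before a process replaces itself with another program via exec, every descriptor it does not intend to hand over should be marked close-on-exec. The following is an added example, not code from Docker, runc, Aqua Security or Red Hat; it audits the calling process's own descriptors for ones that would survive an exec and then marks them close-on-exec. The fd range scanned (MAX_FD) and the use of a temporary file to simulate a leaked descriptor are assumptions of this example.

```python
import os
import tempfile

# Added example (not from the article or any project it names).
# Assumption: POSIX-style integer fds; only fds below MAX_FD are scanned.
MAX_FD = 1024


def inheritable_fds(max_fd=MAX_FD, skip_stdio=True):
    """Return the open fds below max_fd that are inheritable across exec().

    An fd that is still open and inheritable at the moment the process execs is
    exactly the kind of 'forgotten' descriptor the CVE-2016-9962 write-up
    describes: the new program image receives it whether or not it was meant to.
    """
    found = []
    for fd in range(3 if skip_stdio else 0, max_fd):
        try:
            if os.get_inheritable(fd):   # False means FD_CLOEXEC is set
                found.append(fd)
        except OSError:
            continue                      # fd is not open
    return found


def set_cloexec(fds):
    """Mark the given fds close-on-exec so an exec'd program never receives them."""
    for fd in fds:
        os.set_inheritable(fd, False)


def demo():
    """Deliberately create one inheritable fd, detect it, fix it, and report.

    Returns (leaked_before_fix, leaked_after_fix) for the simulated fd.
    """
    fd, path = tempfile.mkstemp()         # constructed stand-in for a host directory fd
    try:
        os.set_inheritable(fd, True)      # simulate a forgotten, inheritable fd
        before = inheritable_fds()
        set_cloexec(before)               # hygiene step a launcher should run pre-exec
        after = inheritable_fds()
    finally:
        os.close(fd)
        os.unlink(path)
    return fd in before, fd in after


if __name__ == "__main__":
    print("leaked before/after hygiene:", demo())
```

Python itself opens new descriptors non-inheritable by default (PEP 446), which is why the example has to flip the flag explicitly to reproduce the condition; native code that opens a directory without O_CLOEXEC gets the inheritable state for free, and that is the case the audit is meant to catch.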

Suspected NSA tool hackers dump more cyberweapons

The hacking group that stole cyberweapons suspected to be from the U.S. National Security Agency is signing off—but not before releasing another arsenal of tools that appear designed to spy on Windows systems. On Thursday, the Shadow Brokers dumped them online after an attempt to sell these and other supposedly Windows and Unix hacking tools for bitcoin.

The Shadow Brokers made news back in August when they dumped hacking tools for routers and firewall products that they claimed came from the Equation Group, a top cyberespionage team that some suspect works for the NSA. Those tools contained several previously unknown and valuable exploits, lending credibility to the hacking group’s claims, according to security researchers.

The Shadow Brokers’ latest dump includes 61 files, many of which have never been seen by security firms before, said Jake Williams, founder of Rendition InfoSec, a security provider. He’s been examining the tools, and said it’ll take time to verify their capabilities. His initial view is that they’re designed for detection evasion.

For instance, one of the tools is built to edit Windows event logs. Potentially, a hacker could use the tool to selectively delete notifications and alerts in the event logs, preventing the victim from realizing they’ve been breached, he said. “If you simply remove a record or two, then even an organization that is following the best security practices, presumably, wouldn’t notice the change,” he said.

On Thursday, the Shadow Brokers said they released the Windows hacking tools for free because a Kaspersky Lab antivirus product could already flag them as harmful. The clandestine group previously tried to auction off a whole set of hacking tools for 1 million bitcoins or what was at the time $584 million.

But after several months, that auction only managed to generate 10 bitcoins. “Despite theories, it always being about bitcoins for TheShadowBrokers,” the group said in broken English in their supposed final message. However, Williams believes the Shadow Brokers are likely spies working for the Russian government.

This latest dump was a message to the U.S., he said. Williams points to the timing.
In recent weeks, U.S. intelligence agencies have been claiming the Kremlin tried to influence the U.S. election.

Based on those findings, President Barack Obama has already ordered sanctions against Russia and vowed covert action. “If they are Russian, this is a shot across the bow,” Williams said. It’s unclear how the Shadow Brokers managed to steal the hacking tools.

But they claim to have many more in reserve.

The group has said their arsenal of supposed Linux and Windows-based hacking tools is still up for sale at 10,000 bitcoins. On Thursday, Microsoft said it’s investigating this latest batch of hacking tools that have been released. 

How to hunt for rare malware

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers, who need an effective arsenal for finding malware.

During the training, the experts will give participants access to some of Kaspersky Lab internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples.

After two days, even being a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now — the class will be limited to a maximum of 15 participants. Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow.
Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection.

But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective.

But good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way.

The rules can be deployed in networks and on various multi-scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings.

The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives.

They also will share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don’t have to be an expert in order to go through this training. It’s enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop and YARA software v. 3.4.0 installed on the machine.

Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers. GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shell code and function names.

All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”.

Eventually it caught a new sample, it was a 0-day, and the team reported it to Microsoft immediately.

If you’re a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly. You are welcome to listen to the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities. Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!

Exim gives Linux admins a security fix for Christmas

Linux administrators will have to change their holiday plans, because Exim is still releasing a security update on Christmas Day, and not earlier as had been hoped. An information leakage vulnerability was fixed last week in Exim, a widely used email agent for Unix and Linux systems, and major distributions are currently updating their packages to incorporate the fix.

Exim maintainer Heiko Schlittermann originally announced on Dec. 18 that details of the vulnerability and the updated software will be available Dec. 25.

There was a possibility the release date could be moved to Dec. 23 if the partner distributions could complete their preparations in a shorter timeframe, but that's no longer the case. "As at least one major distro isn't ready yet, we'll keep our initial schedule and release the fixed versions on Dec, 25th, 10:00 UTC," Schlittermann wrote early Dec. 23. "We're sorry for the release date." The timing was unfortunate, but Schlittermann suggested delaying the patch would be worse. "And yes, we know, it is holiday in many countries, maybe in all countries of some of all that many worlds.

The decision wasn't an easy one.

Delaying some days more would probably hit New Year celebration or Дед Мороз.

Delaying it even more?" Schlittermann asked. Nothing much about the information leakage vulnerability, designated CVE-2016-9963, is known at the moment, not even its severity. "If several conditions are met, Exim leaks private information to a remote attacker," Schlittermann said in a different message.

That can mean exposing hostnames or IP addresses stored in memory, which isn't ideal but also isn't as critical as leaking private cryptographic keys. Exim is going from 4.87 to 4.87.1, which makes the update a fairly minor one. However, Schlittermann originally wrote, "We can't celebrate any holiday while knowing that there are systems outside, that may leak private information," suggesting the vulnerability may not be so benign. The uncertainty puts IT administrators in a quandary on how to handle the update, especially if they weren't planning on providing on-call coverage on Dec. 25 and 26. The Exim team appears to have done the best it could to avoid the Christmas Day update.

The team received the vulnerability report on Dec. 15, requested a CVE on Dec. 16, and had a fix ready and tested by Dec. 18. Major distributions and other partners are given seven days to prepare their packages before the public release, which brings the date to Dec. 25. While maintainers from Red Hat and SUSE said they would be ready by Dec. 23 to accommodate an earlier release date, that wasn't the case for other distributors. The impact of the update should be "very minimal" since most administrators will be receiving the patch from their respective distributions.

For example, Exim is part of the default Debian installation, so administrators will receive the updated software directly from Debian's repositories. "And if you build your own Exim packages, the effort to rebuild it (4.87.1 is almost the same as 4.87, which you should have running already) is minimal," Schlittermann said.

Exim 4.88 and Exim 4.87.1 will be available in the official Exim repository. Even so, administrators still have to analyze and test the updates to make sure the new version doesn't cause any problems within their environments.
So IT teams have to decide: handle the update in a timely manner, or take a chance and wait a few more days?

ShadowBrokers got NSA spy tools from rogue insider

The ShadowBrokers didn't break into the United States National Security Agency after all.

The latest research into the group of cybercriminals selling alleged NSA spy tools reinforced the idea that they'd received the classified materials from an insider within the intelligence agency, security company Flashpoint said. Analysis of the latest ShadowBrokers dump, which was announced earlier in the month on the blogging platform Medium by "Boceffus Cleetus," suggests the spy tools were initially taken directly from an NSA code repository by a rogue insider, Flashpoint said.

The company's researchers analyzed the sample file containing implants and exploits and various screenshots provided in the post and have "medium confidence" that an NSA employee or contractor initially leaked the tools, said Ronnie Tokazowski, senior malware analyst with Flashpoint. However, they were still "uncertain of how these documents were exfiltrated," he said. ShadowBrokers first began offering more than a dozen sophisticated tools for sale -- such as software for extracting decryption keys from Cisco PIX firewalls -- in underground marketplaces over the summer.

The post-exploitation tools, intended to give attackers a way to gain a foothold in the network or move around laterally after the initial breach, targeted flaws in commercial appliances and software.

The Cisco vulnerability (now patched) would have allowed attackers to spy on encrypted communications, for example. Flashpoint's investigators believe the files were taken from a code repository because the sample file was written in Markdown, a lightweight markup language commonly used in code repositories to simplify how files are parsed. "Looking at the dump and how the data is structured, we're fairly certain it's from internal code repository and likely an employee or contractor who had access to it," said Tokazowski.

When the first set of ShadowBrokers files was put up for sale, there was speculation that attackers had either successfully breached NSA infrastructure or NSA operatives had mistakenly left sensitive files on a publicly accessible staging server. Shortly afterwards, the FBI arrested NSA contractor Harold Martin for stealing government materials. Some of the tools included in the ShadowBrokers dump were among the classified materials in Martin's possession, suggesting some kind of involvement with the theft and sale.

While Flashpoint's Tokazowski rejected the idea that the cybercriminals had stolen the files directly through external remote access or discovered them on an external staging server, he did not draw any conclusions whether Martin was involved. While the contractor denies he gave anyone the files, it seems quite possible that someone else may have broken into his non-classified computer to steal the tools. The theft of the ShadowBrokers files overlaps somewhat with former Booz Allen Hamilton consultant Edward Snowden, who stole thousands of NSA-related documents, but Flashpoint said there was nothing linking the theft of these tools with the former NSA contractor. "The close proximity of events raises the question if there were multiple insiders acting independently during 2013," Tokazowski said.

Nation-state attacks and flashy attacks tend to consume most of the security attention, but malicious insiders pose a significant threat to enterprise networks because they already have access to sensitive data and systems. Most IT teams will never have to worry about dealing with a nation-state attack, but every single one of them has to face the prospect of an employee or an administrator going rogue and stealing corporate secrets or damaging the network. Mistakes as a result of careless insiders, such as when employees copy files for non-malicious reasons but the copies get stolen by adversaries, are also common. In the case of The ShadowBrokers, the contractor or employee may have had limited access to the tools since the implants and exploits released thus far appear to be all Linux- and Unix-based.

An insider with wider access would theoretically have been able to grab different types of tools. There's not enough evidence to understand the rogue insider's motivations for stealing the spy tools, but Flashpoint doesn't think it was money. The implants and exploits in this set appear to have been developed between 2005 and 2013, such as the ElatedMonkey exploit, which targeted a local privilege escalation flaw in a 2008 version of the web hosting control panel interface cPanel.

The attack tools are several years old, making it likely the NSA has already moved on to more modern exploitation tools.
If the insider wanted to sell them, the time to do so was shortly after the theft. "If The Shadow Brokers were trying to make a profit, the exploits would have been offered shortly after July 2013, when the information would have been most valuable," Flashpoint said.

Ubuntu Core Snaps door shut on Linux’s new Dirty COWs

When did Linux start becoming like Windows? Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs. Ubuntu Core 16 features Snaps, a zip file concept Canonical says will streamline IoT device updates protecting against hackers and data loss.
Snaps shipped in Ubuntu 16.10 but Ubuntu Core is the 70MB edition for devices. Alas, this won't work on existing devices running Linux – just new ones. It comes as Linux reels from the unearthing of the latest hidden code bomb to have put users at risk. Dirty COW has surfaced after nine years in Linux, since kernel 2.6.22, permitting malicious code access to Linux systems including Android smart phones. Before that, the headline grabber was Shellshock, which exploited a decades-old vulnerability that attacked the program used to execute command lines and scripts in Unix-based systems.

Mark Shuttleworth, Canonical founder and Ubuntu daddy, told The Reg: "We always saw Windows as the vulnerable platform but now old Linux devices are seen as the real vulnerability." Snaps target IoT from items like cameras to network routers. They contain code from the Linux kernel maker, Canonical for the Ubuntu distro, and the device maker and ISVs whose code might be resident onboard. Canonical will aggregate updates in Snaps with code downloaded to a device. The idea is that should another Bash or Dirty COW-style or other vulnerability be discovered, an update can be pushed down via Ubuntu Core 16’s Snaps. Shuttleworth claimed a surge of interest from "brands".
Initial backers are IBM, Dell, Intel, Linaro and Open Source Robotics Foundation.

Dell has had Ubuntu Core 16 in beta on its Dell Edge Gateways. Endorsements are expected from other consumer electronics makers, Shuttleworth said. He pointed to the case of ASUS, brought to book by the US Federal Trade Commission in 2016 over a vulnerability discovered in its AiCloud service in 2015 that exposed personal details of 12,900 consumers connected to the internet via its routers. ASUS agreed to establish and maintain a comprehensive security program subject to independent audits for 20 years. "Everybody feels this pain, nobody wants a device with their brand on where they can't deliver an update or if they do, nobody updates it," Shuttleworth added. "Everybody is moving to a view they are responsible for anything they have sold."

New leak may show if you were hacked by the NSA

Shadow Brokers—the name used by a person or group that created seismic waves in August when it published some of the National Security Agency's most elite hacking tools—is back with a new leak that the group says reveals hundreds of organizations targeted by the NSA over more than a decade. "TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses."

Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak.

Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks. Equation Group was originally a name researchers from Moscow-based Kaspersky Lab gave to an elite team of NSA-tied hackers who exploited some of the same then-unknown Windows flaws later targeted by the Stuxnet worm that attacked Iran's nuclear program.

The group operated undetected for more than 14 years until Kaspersky researchers brought it to light.

The researchers dubbed it "Equation Group," but there's no evidence that was the name anyone inside the group used.

The people penning posts accompanying the leaks that started in August then used the Equation Group name when identifying the elite team the data and tools allegedly belonged to. According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA.

The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010.

The addresses include 32 .edu domains and nine .gov domains.
In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. The dump also includes various other pieces of data.

Chief among them are configuration settings for an as-yet unknown toolkit used to hack servers running Unix operating systems.
If valid, the list could be used by various organizations to uncover a decade's worth of attacks that until recently were closely guarded secrets.

According to this spreadsheet, the servers were mostly running Solaris, an operating system from Sun Microsystems that was widely used in the early 2000s. Linux and FreeBSD are also shown. "If this data is believed then it may contain a list of computers which were targeted during this time period," the analysis provided by Hacker House, a firm that offers various security services, stated. "A brief Shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software.

These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures." The domains and IP addresses purportedly belong to organizations that were hacked by the NSA.

But according to Monday's Shadow Brokers post, once they were compromised, some of them may have been used to attack other NSA targets.
If true, the list could help other organizations determine who may have been behind suspicious interactions they had with the listed servers.
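The two uses the article describes for the leaked list, checking whether your own hosts appear on it and checking whether any listed host showed up in your historical traffic, are the same retrospective indicator sweep. The following is an added example, not code from the article or from the Hacker House or Flashpoint analyses it cites; it matches constructed log lines against a constructed indicator set and flags whether each hit falls inside the August 22, 2000 to August 18, 2010 window the article reports for the leak's timestamps. The log format (`timestamp src -> dst [hostname]`), the indicator values and the log lines are all placeholders made up for this example, not values from the dump.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Added example: retrospective indicator sweep over historical connection logs.
# All indicators and log lines below are CONSTRUCTED placeholders (RFC 5737 /
# example.* ranges), not entries from the Shadow Brokers dump.
INDICATOR_IPS = {ipaddress.ip_address(s) for s in ("198.51.100.23", "203.0.113.7")}
INDICATOR_DOMAINS = {"mail.example.edu", "ns1.example.gov"}

# Activity window the article gives for the leak's timestamps (UTC assumed).
WINDOW_START = datetime(2000, 8, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 8, 18, 23, 59, 59, tzinfo=timezone.utc)

# Assumed log layout: ISO-8601 UTC timestamp, source, "->", destination, optional hostname.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)(?: (?P<host>\S+))?$")

SAMPLE_LOG = """\
2003-05-14T02:11:09Z 198.51.100.23 -> 10.0.0.5 mail.example.edu
2003-05-14T02:12:41Z 192.0.2.10 -> 10.0.0.5
2012-01-03T11:00:00Z 203.0.113.7 -> 10.0.0.9
2007-09-30T23:59:59Z 10.0.0.5 -> 203.0.113.7
"""


def _as_ip(text):
    """Parse an address string; return None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _domain_hit(host):
    """Exact match or subdomain of an indicator domain."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    for d in INDICATOR_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_indicators(log_text):
    """Return (line_number, matched_indicators, in_window) for every hit.

    A line is a hit if its source or destination IP, or its hostname, is on the
    indicator list. in_window tells the analyst whether the event falls inside
    the period the leak covers; hits outside it deserve scrutiny too, but they
    cannot be explained by the leaked list alone.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently mis-attribute
        matched = set()
        for field in ("src", "dst"):
            ip = _as_ip(m.group(field))
            if ip is not None and ip in INDICATOR_IPS:
                matched.add(str(ip))
        dom = _domain_hit(m.group("host"))
        if dom:
            matched.add(dom)
        if not matched:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hits.append((lineno, sorted(matched), WINDOW_START <= ts <= WINDOW_END))
    return hits


if __name__ == "__main__":
    for lineno, matched, in_window in match_indicators(SAMPLE_LOG):
        flag = "in window" if in_window else "OUTSIDE window"
        print(f"line {lineno}: {', '.join(matched)} ({flag})")
```

Matching on both source and destination matters because the article notes that some listed hosts may have acted as redirectors: a listed address appearing as a destination from one of your own machines is as interesting as one appearing as a source. The hard window check is deliberately conservative; a hit dated after 2010 is still reported, just marked so the analyst does not attribute it to the leak without further evidence.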

The possibility that some of the hacked servers were used to attack other sites was raised by the discussion of a tool called pitchimpair, which the authors claimed is a "redirector." Typically, redirectors are used to surreptitiously direct someone from one domain to another. Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.