BackSwap Defrauds Online Banking Customers Using Hidden Input Fields
Q1 2018 DDoS Trends Report: 58 Percent of Attacks Employed Multiple Attack Types
Verisign just released its Q1 2018 DDoS Trends Report, which represents a unique view into the attack trends unfolding online, through observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of Verisign DDoS Protection Services, and security research conducted by Verisign Security Services. Verisign observed that 58 percent of DDoS attacks employed multiple attack types.
GCSB’s response to the Inspector-General’s 2018-19 work plan
Android Users Hit With Mobile Billing Fraud Due to Sonvpay Malware
Ever hear “Despacito” on the radio? Of course you did! It was the song of 2017 – taking over radios,...
The Biggest Risk to Application Security May be the Business
Catch Malware Hiding in WMI with Sysmon
Security is an ever-escalating arms race. The good guys have gotten better about monitoring the file system for artifacts of advanced threat actors. They in turn are avoiding the file system and burrowing deeper into Windows to find places to store their malware code and dependably trigger its execution in order to gain persistence between reboots.
For decades the Run and RunOnce keys in the registry have been favorite bad guy locations for persistence but we know to monitor them using Windows auditing for sysmon. So, attackers in the know have moved on to WMI.
WMI is such a powerful area of Windows for good or evil. Indeed, the bad guys have found effective ways to hide and persist malware in WMI. In this article I’ll show you a particularly sophisticated way to persist malware with WMI Event Filters and Consumers.
WMI allows you to link these 2 objects in order to execute a custom action whenever specified things happen in Windows. WMI events are related to but more general than the events we all know and love in the event log. WMI events include system startup, time intervals, program execution and many, many other things. You can define a __EventFilter which is basically a WQL query that specifies what events you want to catch in WMI. This is a permanent object saved in the WMI repository. It’s passive until you create a consumer and link them with a binding. The WMI event consumer defines what the system should do with any events caught by the filter. There are different kinds of event consumers for action like running a script, executing a command line, sending an email or writing to a log file. Finally, you link the filter and consumer with a __FilterToConsumerBinding. After saving the binding, everything is now active and whenever events matching the filter occur, they are fed to the consumer.
So how would an attacker cause his malware to start up each time Windows reboots? Just create a filter that catches some event that happens shortly after startup. Here’s what PowerSploit uses for that purpose:
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320
Then you create a WMI Event Consumer which is another permanent object stored in the WMI Repository. Here’s some VB code adapted from mgeeky’s WMIPersistence.vbs script on Github. It’s incomplete, but edited for clarity. If you want to play with this functionality refer to
Set objInstances2 = objService1.Get("CommandLineEventConsumer")
Set consumer = objInstances2.Spawninstance_ = “MyConsumer”
consumer.CommandLineTemplate = “c:\bad\malware.exe”
So now you have a filter that looks for when the system has recently started up and a consumer which runs c:\bad\malware.exe but nothing’s going to happen until they are linked like this:
Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
Set binding = objInstances3.Spawninstance_
binding.Filter = "__EventFilter.Name=""MyFilter"""
binding.Consumer = "CommandLineEventConsumer.Name=""MyConsumer"""
So now you have a filter that looks for when the system has recently started up and a consumer which runs c:\bad\malware.exe.
As a good guy (or girl) how do you catch something like this? There are no events in the Windows Security Log, but thankfully Sysmon 6.10 added 3 new events for catching WMI Filter and Consumer Activity as well as the binding which makes them active.
Sysmon Event ID
19 - WmiEventFilter activity detected
WmiEventFilter activity detected:
EventType: WmiFilterEvent
UtcTime: 2018-04-11 16:26:16.327
Operation: Created
User: LAB\rsmith
EventNamespace: "root\\cimv2"
Name: "MyFilter"
Query: "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
20 - WmiEventConsumer activity detected
WmiEventConsumer activity detected:
EventType: WmiConsumerEvent
UtcTime: 2018-04-11 16:26:16.360
Operation: Created
User: LAB\rsmith
Name: "MyConsumer"
Type: Command Line
Destination: "c:\\bad\\malware.exe "
21 - WmiEventConsumerToFilter activity detected
WmiEventConsumerToFilter activity detected:
EventType: WmiBindingEvent
UtcTime: 2018-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer: "CommandLineEventConsumer.Name=\"MyConsumer\""
Filter: "__EventFilter.Name=\"MyFilter\""
As you can see, the events provide full details so that you can analyze the WMI operations to determine if they are legitimate or malicious. From event ID 19 I can see that the filter is looking for system startup. Event Id 20 shows me the name of the program that executes and I can see from event ID 21 that they are linked.
If you add these events to your monitoring you’ll want to analyze activity for a while in order whitelist the regular, legitimate producers of these events in your particular environment.
That’s persistence via WMI for you, but you might have noted that we are not file-less at this point; my malware is just a conventional exe in c:\bad. To stay off the file system, bad guys have resorted to creating new WMI classes and storing their logic in a PowerShell script in a property on that class. Then they set up a filter that kicks off a short PowerShell command that retrieves their larger code from the custom WMI Class and calls. Usually this is combined with some obfuscation like base64 encoding and maybe encryption too.
New Struts 2 Campaign Compiles Its Own C# Downloader, Leverages a User Profile Page as Its C&C Server
Heads Up Gamers! Fake Fortnite Android Apps Are Being Spread via YouTube Videos
Does the name “Fortnite” ring any bells? It should, because it’s probably the most popular video game in the world...
New Campaign Targeting Apache Struts 2, WebLogic Deploys Malware Using VBScript
We Are Akamai: What Led Us Here
Spring 2018 Password Attacks
信息难点: 传输加密:要做渗透的目标是一个APP,根据抓到的请求包发现这个APP是经过某产品加固过的,所以HTTP的POST请求正文部分(Data)是神奇的密文~
- 信息踩点其实也是解决难点的过程,在这里我们尝试对APP进行逆向,发现并没有什么东西,因为被加固了。
- 对APP进行功能的整理,逐个功能点进行抓包分析:
- 请求正文(data)虽然是密文,但是请求的URI还是真正按照对应的功能去请求的(参考URI的命名和功能的相对应性)
<?php $mstsec = $_REQUEST['vulkey'];//注意这里使用的是$_REQUEST 默认情况下包含了 $_GET,$_POST 和 $_COOKIE 的数组。 ?>- 一点即通,首先我可以去测试是否是真的这样的后端处理接收。
- 为了满足第一步的验证,我需要想办法找到一个GET请求的包并且有带有GET参数,这样我才能判断规则,不然就是大海捞针。
端口开放:8001 1444
- /userCenter/getUser [获取用户信息URI POST]
- /userCenter/pay/getSign?userSign= [获取Sign POST]
- /userCenter/life/showShop?pId= [获取商品信息 GET]
- /userCenter/showQRcode [获取二维码图片 POST]
- 发现了S2-005这个历史悠久的Struts2框架远程代码执行问题:
- 发现了SQL注入,这里需要做一些简单的绕过(e.g. AandND 1 like 1):
/userCenter/getUser [获取用户信息URI POST]
dict: [uId, userId, uName, userName …]
/userCenter/showQRcode [获取二维码图片 POST]
dict: [uId, userId, uName, userName, imagePath, filePath, codePath, fileName …]
GET /userCenter/getUser?uId=10001 GET /userCenter/getUser?userId=10001 GET /userCenter/getUser?uName=test001 GET /userCenter/getUser?userName=test001 ... GET /userCenter/showQRcode?uId=10001 GET /userCenter/showQRcode?userId=10001 GET /userCenter/showQRcode?uName=test001 GET /userCenter/showQRcode?userName=test001 GET /userCenter/showQRcode?imagePath=../../ GET /userCenter/showQRcode?filePath=../../ GET /userCenter/showQRcode?codePath=../../ GET /userCenter/showQRcode?fileName=../../ ... 结论现实残酷,打败了设想。
... Set-Cookie: USESSIONPID=xxx; ... jpg content这时候我就知道是时候修改uId了,然而修改了没用,根据多年的经验(吹牛)我认为是uSign参数起了作用,这时候对uSign进行删除发现不行,会提示uSign参数不存在,当我置空这个参数,发现居然成功了又返回了用户的Cookie凭证…好吧,说明这里有一个逻辑问题…
好吧,管理员也没啥能危害到服务器的东西了…不过回过头再来看看,二维码这个点还没啃完呢,fileName这个参数还没去测试,fuzzdb了解一下,先怼lfi的字典进去跑(有个坑这里一定要填写完整[uId, uSign]),然后再进行Fuzz:
登录进来之后直接到WAR file to deploy功能点,进行war包的部署(在这里使用压缩的方式将网站后门压缩成zip格式然后修改后缀名.zip为.war即可),点击Browser选择war包然后点击Deploy:
这里部署上去之后回到Applications功能点,可以看到部署的情况,点击你的命名链接然后加上你压缩的文件名(这里我的是 /vulkey/vulkey.jsp)使用Webshell管理工具进行管理,看见了我久违的界面,久违的root权限:
总结因为后渗透可能会影响正常业务的运行,所以没有继续进行下去,很遗憾,希望下次有机会。 END: 送给大家一句话:心细则挖天下。
Linux kernel networking: a general introduction
Russian Attacks Against Singapore Spike During Trump-Kim Summit
米家 LED 智能台灯简单分析
开发一个简单的 Chrome 拓展
每次复制域名时都会被 Chrome 复制地址时的 https:// 烦到, 所以干脆自己写个拓展来解决这个问题. Chrome 拓展其实就是一个小网页, 也就是 HTML, 所以我们可以用 JavaScript 来实现获取域名和复制的操作. 具体实现如下.