Monday, 20 April 2015

OffSec Bulletin

executive summary

Offensive Security is a technology that can help any organization find critical vulnerabilities in order to mitigate them and safeguard its IT assets. But the same technology can be used to take down any network infrastructure and send it back to the stone age. Take the example of Sony Pictures: had they already used offensive technologies to perform real-life penetration testing of their network, the scenario would have been different. Unfortunately they were limited to standard penetration testing and did not use offensive technologies to assess their network.
Most of us do the same: we do not use offensive methods while performing security assessments, thinking that offensive technologies may impact our servers and devices. But the truth is that when an attacker attacks a network, he does not follow any standard protocol; he will always use offensive technologies to take down your network. Hence one must perform an offensive assessment and simulate the worst-case scenario while performing a security assessment.
In this bulletin we have discussed a few offensive technologies: advanced malware, server issues and an example of hardware backdooring.
The “any-to-any” evolution already involves billions of internet-connected devices and is expected to grow many fold in the next few years. OffSec Bulletin is a small step towards making our users aware of Internet security.
pivoting: game over
Most of us secure only those servers and systems which are directly or indirectly exposed outside the network. In many security assessments we have found that network and system administrators focus only on securing the web server and firewalls, not the internal PCs. Most of them claim that these PCs are not exposed: they are on a different VLAN, they do not have a live IP, there is endpoint antivirus on them and on their servers, there is a strict firewall policy, and so on. But what we have realized is that when an attack is targeted, nothing stops the system from being compromised; take the example of the recent hacking of Sony.

A hacker’s first attempt to compromise any system is to locate and target the most insecure machine on the network. Sometimes they also take advantage of a combination of technological weakness and human weakness.
In recent research conducted at CCFIS labs, we created a network scenario to simulate such an attack. First we created a small network: we installed a router and the latest firewall, installed a web server, installed a few reputed PHP- and ASP-based CMSs, created another DMZ network, and installed an internal router and firewall for additional security of the database server and storage.
Now we defined the database server as the target and tried to compromise it from outside the network, simulating the most complex environment for an attacker, and we found several ways to achieve this:
· An attacker can compromise the database server if he finds a SQL injection in the web application/CMS installed on the web server.
· Another targeted method is to first compromise the web server using some remote exploit and then use the compromised system to target other machines on the network, finally compromising the database server.
· Another simple method was to compromise any system on the user network and then simply pivot the attack from that compromised user machine to the database server.
After this research we concluded that even if you have configured a second firewall in your network to secure your database or server, it can still be compromised by taking advantage of any less secure system.
The best recommendation our research team arrived at is to secure not only your network but also your endpoints. Proper training of employees may reduce the threat to the network from human weakness.
rakshasa: a real daemon
It is the age in which we live on information. What if, no matter how hard we try, every computer on the market, from PCs to smartphones to fridges to cars, could come pre-loaded with an irremovable backdoor that allowed a government, spy agency, company or even a hacker to snoop on our data, behaviour and communications?

It is hard to believe, but with recent research and conference talks we already have the technology to do this. It is called a hardware backdoor, and it is a lot like a software virus that grants backdoor access to your computer, except that the code resides in the firmware of a computer chip. Firmware is software stored in non-volatile memory on a computer chip and used to initialize a piece of hardware. In a PC, the BIOS is the most common example of firmware; in the case of wireless routers, a whole Linux operating system is stored in firmware.
Hardware backdoors are lethal for several reasons: they cannot be removed by conventional means (antivirus, formatting), they can circumvent other types of security (passwords, encrypted file systems), and they can be injected during manufacturing.
In a recent responsible disclosure by CCFIS we found that even manufacturers have no idea how and why their laptops ship with backdoors pre-installed. A leading vendor concluded that it imports system components from various other small and local vendors to build a complete system, and that it is possible one of them installed something in their components.
But the scenario becomes scarier when the source code of malware like BadUSB and Rakshasa is available on the internet for anyone to tinker with. We captured one malware sample of Rakshasa travelling on an Indian network through our ATP sensors.
We have heard about the Brain virus, backdoored EFI bootloaders, patched/flashed Phoenix-Award BIOSes, the Stoned bootkit, vbootkit, UEFI rootkitting and many more, but after analysis we found that Rakshasa is a masterpiece. Some of its notable features: it is persistent, stealthy (no code hosted on the machine), portable (OS and version independent), offers remote access and remote update, has state-level qualities like plausible deniability and non-attribution, crosses network perimeters, has redundancy, and to date is not detected by almost any antivirus. Its core components are coreboot, SeaBIOS, iPXE and a few payloads; the best part is that you can embed your own payload too.
Its development stages include flashing the system BIOS, then flashing the network card or any other PCI device, booting a payload (say a bootkit) over the network, booting a payload over Wi-Fi, and finally remotely re-flashing the BIOS. Rakshasa can do everything one needs to spy on a system completely.
777 – permission to come and hack me
No doubt Linux is the best OS for hosting web application servers, especially when you are on a low budget and the application works and is supported better on Linux than on the Windows platform. The best part of using a Linux server is that the OS is free and one can configure security as per one's requirements. But think from another perspective: Linux is best for you only when you know how to use it and how to secure it; a misconfigured Linux system is an open invitation for hackers to come and compromise the server. Most administrators ask why someone would hack them: “I don’t have anything to hide, I am not an MNC.” But in CCFIS research labs our experience has shown that hackers do not always hack your server or network to harm you; most of the time your IT assets such as servers, systems and bandwidth are used to harm someone else. A network of hacked machines can be used to perform a DoS or DDoS attack that takes down another server, and the actual hacker will never be traced back.
While performing penetration testing we discovered a Remote Code Execution vulnerability in several servers of a network. While delivering the assessment report, we recommended that the server administrator not keep any folder or file with permission 777. He implemented our recommendation, and just after implementation the application running on the server stopped working. When he changed the folder permission back to 777, the application started working again. We tried several combinations of permissions but each had some glitch. At last we analyzed the entire web application and assigned different permissions to different folders and the files inside them, and this made the application work properly.
Because analysis is painful, most of us simply assign vulnerable permissions like 777 and run the application, but this is an open invitation to hackers. So next time you are configuring your server or troubleshooting a web application, make sure to assign permissions only after analyzing all the folders and files. Even a single mistake in the permissions of any folder can compromise your entire server.
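The analysis step described above can be scripted. The following is an added example (not code from the bulletin or from CCFIS): it walks a web root, lists every file or directory that is writable by "other" (which is what 777 grants), and suggests a narrower mode for each. The demo web root is constructed in a temporary directory, and the assumption that only directories named uploads, cache or tmp need to be writable by the web server's group is a placeholder heuristic that a real review would replace with knowledge of the application.

```python
"""Audit a web root for world-writable files and directories (chmod 777 / o+w).

Added example, not part of the bulletin. It walks a directory tree, reports every
entry whose permission bits grant write access to 'other', and suggests a
narrower mode for each. The demo web root is constructed in a temporary
directory; the directory names used to decide what the application must write
into are an assumed heuristic, not a standard.
"""
import os
import shutil
import stat
import tempfile

# Assumption: these directory names are the ones the web application needs to write into.
APP_WRITABLE_DIRS = {"uploads", "cache", "tmp"}


def world_writable_entries(root):
    """Return a sorted list of (relative_path, octal_mode) for entries writable by 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on Linux
            if st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def suggested_mode(path):
    """Suggest a conservative replacement mode.

    Directories the application writes into get 0o775 (group-writable for the
    web server's group); other directories 0o755; files 0o644.
    """
    if os.path.isdir(path):
        return 0o775 if os.path.basename(path) in APP_WRITABLE_DIRS else 0o755
    return 0o644


def build_demo_webroot():
    """Construct a throwaway web root with two 777 entries and two correct ones."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "config", "db.php"), "w") as f:
        f.write("<?php $password = 'constructed'; ?>\n")
    os.chmod(os.path.join(root, "uploads"), 0o777)           # blanket 777, the usual shortcut
    os.chmod(os.path.join(root, "config", "db.php"), 0o777)  # credentials file left world-writable
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "config"), 0o755)
    return root


def demo():
    """Audit the constructed web root; return (findings, {path: suggested octal mode})."""
    root = build_demo_webroot()
    try:
        findings = world_writable_entries(root)
        fixes = {rel: oct(suggested_mode(os.path.join(root, rel))) for rel, _ in findings}
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return findings, fixes


if __name__ == "__main__":
    findings, fixes = demo()
    for rel, mode in findings:
        print(f"{rel}: {mode} -> suggest {fixes[rel]}")
```

Run it against a real web root by calling `world_writable_entries("/var/www/html")` and reviewing each hit against what the application actually writes; the suggested modes are a starting point for that review, not a replacement for it.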
DLP: friend or foe
Most of us deploy DLP (Data Leak Prevention) software or hardware to add an additional layer of security to our networks. We define web rules to monitor and control web traffic, mail rules to monitor and control email, removable storage rules to control data copied to removable media, printer rules to manage print jobs, discovery rules to control data storage, and many other rules depending on the types of device and your users.
DLP devices store a lot of confidential company data such as URLs visited, quarantined documents, mails, the network map and in some cases usernames and passwords too. Most DLP software is installed on some OS, and these are generally Linux-based. Even products developed by the top security companies are based on customized versions of Linux.
With the recent release of Shellshock and other vulnerabilities, all these devices are at risk. Most companies release updates for the software running on the OS; very few release updates for the base Linux OS on which the software runs. Our ATP sensors installed in different locations have analyzed attack traffic, and we have come to know that attackers are now targeting DLP appliances by exploiting vulnerabilities in the operating system rather than exploiting the DLP software running on the appliance.
By compromising an organization's DLP, an attacker gets everything he wants; he does not need to compromise anything else on the network.
The same issue can occur with any device running on Linux. Even if you are using an open-source firewall, IDS/IPS or DLP, first consider upgrading your base operating system before upgrading the software installed on it.
We recommend that our readers verify thoroughly before deploying any type of security appliance, and if you have already installed one, ask your vendor whether he releases only software updates or also updates for the OS installed on that device.
firmware backdoor
As a research organization, the CCFIS team is always involved in R&D to find vulnerabilities and backdoors in IT products of different manufacturers, ranging from cameras, servers, systems, scanners and network devices to almost all IT assets. Also, as part of our commercial services, we find vulnerabilities in suspect devices sent to us by our clients. Hence the CCFIS research team has hands-on experience in finding backdoors and vulnerabilities in these devices.
Recently we picked one random IP camera from the market. We installed the device and it worked perfectly for a couple of weeks. We had some doubts about that camera, and later we realized that it used to change its defined position automatically. For further verification, we downloaded the exact firmware installed on that camera from the manufacturer's official site. After reverse engineering in our malware analysis labs, we found a backdoor user included in the device's source code in addition to the default user. There was no information about this user in the camera documentation or anywhere on the site.
Manufacturers are creating root-level access to cameras, some for genuine reasons such as releasing updates and some for malicious purposes such as government spying.
The issue raised here is that the firmware can be downloaded by anyone over the internet, and even if the download option is not available, anyone can extract the firmware from the actual device and start tinkering with it. So these credentials can be used by anyone to access any camera with the backdoor user account. Using a device for government surveillance is not bad, but installing a backdoor in these devices leaves the device vulnerable to hackers. Nowadays, with smart Google dorks and search engines such as ShodanHQ, anyone can locate a specific camera in any country or state and access it with the backdoor username and password without even knowing the original credentials.

It is possible that most of the devices you are using are backdoored for some good or bad reason; it may be good for manufacturers or governments, but it is always bad for users like us. We recommend that our readers perform an analysis of any device's firmware before installing it in their network. And if any such vulnerability or backdoor is found, the CCFIS team will help you create a PoC and report it to the authenticated vendor so that they can either release an update or close this backdoor.
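One concrete check that belongs in such a firmware analysis is to look at the account files of the unpacked root filesystem for logins the vendor never documented. The following is an added example (not the bulletin's or CCFIS's tool): it parses the text of /etc/passwd and /etc/shadow extracted from a firmware image, takes the set of accounts the documentation lists, and flags every other account that could actually log in, has uid 0, or has an empty password field. The passwd and shadow contents, the account names and the hash strings are all constructed for the demo.

```python
"""Check account files pulled out of an unpacked firmware image for undocumented logins.

Added example, not the bulletin's method. Given the text of /etc/passwd and
/etc/shadow from a firmware root filesystem and the set of accounts the vendor
documents, it flags every other account that could log in: one with an
interactive shell and a usable password hash, an extra uid 0 account, or an
empty password field. The passwd/shadow contents and the hash strings below
are constructed for the demo.
"""

# Constructed sample: documented 'admin', plus an undocumented uid 0 'service'
# account with a set hash, and ordinary system accounts that cannot log in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:Web admin:/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
service:x:0:0:maintenance:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""
SAMPLE_SHADOW = """\
root:*:16000:0:99999:7:::
admin:$1$constructedsalt$constructedhashvalue:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
service:$1$constructedsalt$anotherconstructedhash:16000:0:99999:7:::
nobody:!:16000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
LOCKED_HASHES = {"*", "!", "!!", "x"}  # conventional 'no usable password' markers


def parse_passwd(text):
    """Map user name -> {uid, gid, home, shell}; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) != 7:
            continue
        name, _, uid, gid, _, home, shell = parts
        if not uid.isdigit() or not gid.isdigit():
            continue
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> hash field (second column of /etc/shadow)."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            hashes[parts[0]] = parts[1]
    return hashes


def can_login(shell, hash_field):
    """True when the shell is interactive and the password field is usable (set or empty)."""
    return shell not in NOLOGIN_SHELLS and hash_field not in LOCKED_HASHES


def audit_accounts(passwd_text, shadow_text, documented):
    """Return [(name, [reasons])] for undocumented accounts that merit attention."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, info in users.items():
        if name in documented:
            continue
        hash_field = hashes.get(name, "x")  # absent from shadow: treat as locked
        reasons = []
        if can_login(info["shell"], hash_field):
            reasons.append("login-capable undocumented account")
        if info["uid"] == 0 and name != "root":
            reasons.append("extra uid 0 account")
        if hash_field == "":
            reasons.append("empty password field")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, {"admin"}):
        print(f"{name}: {', '.join(reasons)}")
```

A hit from this script is only a lead: the account may be used by a legitimate service on the device, so the next step is to find what in the firmware references it (init scripts, the web daemon's configuration, hard-coded strings) before reporting it to the vendor.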

Friday, 17 April 2015

Forensics Bulletin

executive summary


In this issue we would like to take our readers a step beyond cyber security to cyber and digital forensics. In this high-tech world a variety of computer crimes take place, on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or the information for which the crime has been committed. So computer forensics has become a vital part of our corporate world.
Those golden days are gone when criminals used only guns and other offensive equipment to commit a crime. Nowadays a mobile phone is used to connect lives and run businesses, and the same mobile is used to commit crimes; hence it is next to impossible to predict who the actual criminal is when everyone is carrying weapons, i.e. phones, in their pockets. Someone carrying an unauthorized gun can be declared a criminal, but what if billions of people are carrying the same digital weapons in their pockets?
We at CCFIS have faced and solved several forensics cases that could not be solved by traditional pre-defined forensics technologies and protocols. Sometimes forensics is more a matter of research and behavioural analysis.

eProtect

Online complaint portal
Most of the time we do not want to share cybercrimes that happened to us with anyone, and that is why they remain unsolved and the culprits are encouraged to repeat them. To maintain anonymity and to resolve these cases we started eProtect, initially for students and staff of Amity Education Group.
eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case, ranging from cyber-harassment incidents on social media to online fraud. Once a complaint is registered, the CCFIS incident response team is notified and acts to resolve it in the minimum possible time.

whatsapp forensics

Recovering & decrypting deleted conversations

WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. Most of us use WhatsApp to communicate with our loved ones.
We recently seized a mobile during an investigation. After further analysis of the mobile, we found that all conversations had already been deleted by the user. But WhatsApp creates a database of all conversations, and those files still reside inside the mobile even after the conversations are deleted. We initially tried to recover the messages from the database, but the user was smart enough to delete the databases too.

Finally, we tried a mobile data recovery procedure to recover the WhatsApp database. After all our efforts the databases were recovered, but in an encrypted state. At the final stage our research and development team were able to understand the encryption methodology and developed in-house tools to decrypt those messages.

biometric fraud

Employee attendance system fraud & RFID trick

Biometric attendance devices are used in almost all offices. Every morning we punch our card and fingerprint before starting work, and repeat the same every day. But what if the data of these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model. Whenever an RFID-enabled card is punched along with a fingerprint, the device compares the data to the original database and authenticates the user. Once the user is verified, a database entry is made in the ERP system recording that this particular user punched at this particular timestamp.
Recently we resolved one biometric fraud case in which none of the traditional forensics methodologies worked. Every day over 800 employees used that biometric attendance system before starting their work. The data from all 10 biometric devices was saved in one central database, and from there it was taken to the organization's ERP and other departments such as HR and accounts. System administrators had created rules to take automated regular backups of every day's database.


The fraud came to the knowledge of management when an employee was called for a meeting and did not show up; it was mentioned that the employee was not in the office, yet the employee was marked present in the biometric attendance system, and everything was normal in the ERP as well as in all databases. The biometric device vendor was called and checked all biometric devices by taking hundreds of samples, but everything was normal.
Management later decided to have a forensics investigation into this issue, and the case was handed over to the CCFIS team for further analysis. Initially we tested all biometric devices and realized that everything was normal. Then we started comparing the original and backup databases manually, and the data was the same everywhere. We also found that a few database entries had been deleted from both the original and the backup database. After recovering those deleted entries, we realized that an administrator who was in a close relationship with the employee had created several SQL scripts to manipulate both the original and the backup database. The issue was resolved, management was informed and the employee was fired.
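The manual comparison described above can be automated, and the check worth adding is one that still fires when the same deletion was applied to both copies. The following is an added example (not the bulletin's or CCFIS's procedure): it builds an original and a backup attendance database in memory from constructed punch records, applies constructed tampering (the same row deleted from both, one timestamp rewritten in the original), then diffs the two copies and looks for holes in the autoincrement id sequence, which a deleted row leaves behind in both copies. The table layout and the sample data are assumptions for the demo.

```python
"""Cross-check an attendance database against its backup and look for deleted rows.

Added example, not the bulletin's procedure. It builds two in-memory SQLite
databases with constructed attendance rows, then (1) diffs rows present in one
copy but not the other or changed between them and (2) looks for holes in the
autoincrement id sequence, which is what deleted rows leave behind even when the
deletion was applied to the backup as well. Constructed data; no real records.
"""
import sqlite3

# Assumed schema: one row per card/fingerprint punch.
SCHEMA = """
CREATE TABLE attendance (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    employee_id INTEGER NOT NULL,
    device_id INTEGER NOT NULL,
    punched_at TEXT NOT NULL
);
"""

# Constructed sample punches: (employee_id, device_id, punched_at)
SAMPLE_ROWS = [
    (101, 1, "2015-03-02 09:01:12"),
    (102, 1, "2015-03-02 09:02:40"),
    (103, 4, "2015-03-02 09:03:05"),
    (104, 2, "2015-03-02 09:05:59"),
    (101, 1, "2015-03-03 08:58:31"),
    (102, 1, "2015-03-03 09:00:07"),
]


def build_db(rows):
    """Create an in-memory attendance database populated with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO attendance (employee_id, device_id, punched_at) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    return conn


def fetch_rows(conn):
    """Map id -> (employee_id, device_id, punched_at)."""
    return {
        r[0]: r[1:]
        for r in conn.execute("SELECT id, employee_id, device_id, punched_at FROM attendance ORDER BY id")
    }


def id_gaps(conn):
    """Return ids missing between 1 and the autoincrement high-water mark.

    sqlite_sequence keeps the highest id ever assigned, so a deleted row leaves
    a hole here even after the row is gone from every copy of the table.
    """
    ids = [r[0] for r in conn.execute("SELECT id FROM attendance ORDER BY id")]
    row = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = 'attendance'").fetchone()
    high = row[0] if row else (ids[-1] if ids else 0)
    present = set(ids)
    return [i for i in range(1, high + 1) if i not in present]


def compare(original, backup):
    """Diff two copies of the table and report id gaps in each."""
    a, b = fetch_rows(original), fetch_rows(backup)
    return {
        "only_original": sorted(i for i in a if i not in b),
        "only_backup": sorted(i for i in b if i not in a),
        "changed": sorted(i for i in a if i in b and a[i] != b[i]),
        "gaps_original": id_gaps(original),
        "gaps_backup": id_gaps(backup),
    }


def demo():
    """Apply constructed tampering to both copies and return the comparison report."""
    original = build_db(SAMPLE_ROWS)
    backup = build_db(SAMPLE_ROWS)
    # Constructed tampering: the same row (id 3) removed from both copies, so a
    # plain diff sees nothing; one timestamp rewritten only in the original.
    for conn in (original, backup):
        conn.execute("DELETE FROM attendance WHERE id = 3")
        conn.commit()
    original.execute("UPDATE attendance SET punched_at = '2015-03-03 08:30:00' WHERE id = 6")
    original.commit()
    return compare(original, backup)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gap check is the part that matters when original and backup agree: an empty diff with holes in the id sequence says rows existed and were removed, which is the cue to recover them from the database file rather than to close the case.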
We thought that this was the end of the investigation. But the problem started again when, one busy day, a biometric device stopped working and all employees were standing in line to punch their cards, causing chaos. Again the vendor was called; they checked everything and blamed the CCFIS forensics team, claiming that CCFIS had done something to these devices. The CCFIS team again visited the premises to investigate the issue. After investigation, we found that a small sticker-based RFID chip had been pasted on the side of the biometric device. So whenever anyone tried to punch their card, the device did not work because it was busy reading that hidden sticker-based RFID chip on the side of the device, which was so small that nobody suspected it.


After removing this RFID sticker, everything was normal as before and the system started reading and processing all the cards. Unfortunately these stickers are available at a very low price and accessible to anyone to purchase. Even some mobiles come with a free RFID sticker to customize according to the user's needs.

encrypted document malware
We all know about the CryptoLocker malware which encrypts all documents on an infected system. The Trojan encrypts data on the affected computer, switching the extensions of affected files to .cryptolocker afterwards. It uses a weaker encryption method than the original, so it is possible experts may be able to regain access to the locked files, but this will not be an option for most infected users.

We recently handled and solved a case of a server infected by CryptoLocker. The user's entire server was infected and all documents hosted on the site were corrupted. Even the document files hosted on the company's website and FTP server were infected, and the infected documents started spreading internally through FTP and to the outside world through the company's website. Every time the administrator tried to decrypt a document, an alert was generated and the application demanded money to decrypt the files. Following were the reasons why the server was infected:
  • The administrator was visiting malicious sites to download torrents and other material on the server.
  • The administrator had not installed an ad-blocker to block malicious advertisements.
  • The administrator clicked on some lucrative ads that interested him and followed the instructions.
CryptoLocker can not only infect servers but can infect your systems too; recently in a blog post the virus coders mentioned that they are already working on the development of CryptoLocker for Android and other handheld devices.
In order to resolve this case, we tried many different traditional techniques. But as this version of CryptoLocker was working on some different protocols, none of them worked. Later we realized that the original files had been deleted by this tool and duplicate files of the same name with the .cryptolocker extension had been created for all documents hosted on the server. So even if the administrator had paid the amount to the tool, he might not have got the original documents back.
Our forensics team started data recovery of the deleted files, and since the hard disk was in good condition, all original documents were recovered. Unfortunately the administrator had to format his server, but the documents were recovered.
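Both recoveries in this issue, the deleted WhatsApp databases and the documents deleted by this CryptoLocker variant, rest on the same step: a deleted file whose blocks have not been overwritten can still be found by scanning the raw storage for a known header. The following is an added example (not the in-house tool the bulletin mentions): it carves by signature from a raw image that is constructed in memory, containing a SQLite header (the format WhatsApp uses for its plaintext message store), a PDF placed off sector alignment, and a ZIP header of the kind a deleted .docx leaves behind. The encrypted database copies the team recovered have their own container format, which this example does not model, and the zero-trimming in `extract` stands in for the format-specific footer and length handling a real carver uses.

```python
"""Carve files out of a raw disk image by header signature.

Added example, not the bulletin's in-house tool. Deleted files whose blocks
have not been overwritten can still be located by scanning the raw image for
known headers; this is the recovery step that precedes any decryption or
repair. The image below is constructed in memory: a SQLite database header
(the format of a plaintext WhatsApp message store), a PDF that starts a few
bytes into a sector so a block-aligned scan would miss it, and a ZIP header
of the kind a deleted .docx leaves behind.
"""

SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",
    "pdf": b"%PDF-",
    "zip_or_office": b"PK\x03\x04",  # docx/xlsx/pptx are zip containers
}

BLOCK = 512  # typical sector size; used only to lay out the constructed image


def build_sample_image():
    """Construct a fake raw image with carve-able remnants of deleted files."""
    img = bytearray(BLOCK * 10)
    # SQLite header at block 1, with a short constructed body
    db = SIGNATURES["sqlite"] + b"\x10\x00\x01\x01" + b"constructed-db" * 10
    img[BLOCK:BLOCK + len(db)] = db
    # PDF starting 7 bytes into block 5, i.e. not sector-aligned
    pdf = SIGNATURES["pdf"] + b"1.4\n%constructed\n1 0 obj\n"
    off = BLOCK * 5 + 7
    img[off:off + len(pdf)] = pdf
    # ZIP local file header at block 8 (a deleted .docx remnant)
    zipb = SIGNATURES["zip_or_office"] + b"\x14\x00\x00\x00"
    img[BLOCK * 8:BLOCK * 8 + len(zipb)] = zipb
    return bytes(img)


def carve(image, signatures=SIGNATURES):
    """Return (offset, kind) for every signature hit, byte-aligned, sorted by offset."""
    hits = []
    for kind, magic in signatures.items():
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def extract(image, offset, max_len=BLOCK * 4):
    """Pull a candidate fragment from offset, up to max_len bytes, trimming zero padding.

    Real carvers stop at a format-specific footer or a length field read from
    the header; trimming trailing zeros is the constructed simplification here.
    """
    return image[offset:offset + max_len].rstrip(b"\x00")


if __name__ == "__main__":
    img = build_sample_image()
    for offset, kind in carve(img):
        frag = extract(img, offset)
        print(f"{kind} at byte {offset} (block {offset // BLOCK}): {len(frag)} bytes")
```

On a real case the image comes from a bit-for-bit copy of the device's storage (never the live filesystem), and each carved fragment is validated with its own parser before anyone relies on it; a SQLite fragment, for instance, must still open as a database before the messages in it count as recovered.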
The same can happen to any of us, and in most cases tools like CryptoLocker demand money to unlock these documents. Most of us think that the amount the tool is asking for is much less than the cost and importance of the documents, and the user pays. But these tools are not from trustworthy sources, and it should not be trusted that even after paying the amount the user will get all his documents back. The same scenario happened with the administrator of this company.
Following are some recommendations to avoid these types of malware or ransomware:
 · Instead of using Internet Explorer as your default browser, use Chrome or Firefox. If your company policy forces you to use Internet Explorer, then use the latest updated version of Internet Explorer.
 · Avoid clicking on lucrative advertisements. For better security you can install an ad-block plugin in your browser.
 · Install genuine anti-virus software and keep it updated to avoid these types of malware.
 · Also, no matter how secure your computer is, if you are not aware then you cannot stop these types of malware from infecting your computers, as there is always a cat-and-mouse game between malware and anti-virus.

intelligence gathering

Tracking Pakistan Haxor Crew

Intelligence is what we all need to run our business effectively. But in our case intelligence gathering helped us resolve one major controversial website hacking case.

Recently one site was hacked and the attack was claimed by a hacktivist group called Pakistan Haxor Crew. This case was brought to us for further investigation. Initially we started analyzing server logs and retrieved a number of IPs from which the site received XSS, SQL injection, null byte, brute-force and many other active attacks to take down the site. Later, after analyzing and tracing the IPs, we came to know that all the IPs were fake and the attacker had used multiple proxies and Tor anonymising software to perform these attacks. So we were not able to trace the actual culprit with the data provided.

After a few hours, we started looking for Pakistan Haxor Crew on different blogs and underground communities. We were able to gather complete intelligence about all the crew members: their Facebook profiles, their websites and blogs, sites hacked by them, their future targets, and every possible detail they had on the internet. With this data we were able to locate all the team members, and the case was resolved by tracing the IPs of their personal email IDs and Facebook logins.