Indicators of compromise for the Emotet / Ryuk ransomware

Since the beginning of the year there has been an evolution of the Trickbot malware, called Emotet / Ryuk, which encrypts every file on our system and demands a ransom in bitcoins to recover them, a type of attack known as ransomware.

Many Spanish companies have been affected: Grupo Prisa, Everis, Prosegur and several hospitals.

The ransomware downloads the malware payload from a set of web links (indicators of compromise); update your firewall or IPS rules to block any connection to those web servers.


For a forensic analysis of how Emotet / Ryuk operates, see the following link from Crowdstrike and the CSIRT-CV study.

To understand how it affects the system and which files it modifies, see the any.run analysis. As that study shows, the entry point is opening a Word file that runs a macro, which launches PowerShell to download the payload containing the malicious code. From there, the ransomware attacks the current system and looks for other vulnerable systems on our network in order to spread and cause the greatest possible impact.

Besides keeping all systems fully patched and having a good off-site backup system, it is highly advisable to disable WOL (Wake-on-LAN) and the SMB file-sharing protocol if they are not being actively used.

Like the well-known WannaCry, Ryuk spreads like a worm inside the affected network through the EternalBlue vulnerability (CVE-2017-0143), patched by security update MS17-010. So, if you do not use the SMB protocol, it is best to disable it on every machine to keep the ransomware from spreading to more of them.
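As an added example (not from the original post), the following Python script turns defanged indicators written in the notation the post uses (hxxp/hxxps and [.]) into a host block list and checks proxy log lines against it. The indicator values, host names and log lines are constructed placeholders, not the post's real IoCs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators in defanged notation (hxxp[s]://, [.]).
# These are placeholders, not the real indicators from the post.
DEFANGED_IOCS = """
hxxps://www.payload-host-one[.]invalid/wp-content/abc123_xyz/
hxxp://payload-host-two[.]invalid/wp-admin/ttz
hxxps://payload-host-three[.]invalid
"""

# Constructed Squid-style access.log lines:
# timestamp elapsed client status/code bytes method url ...
SAMPLE_LOG = """
1575000000.123 45 10.0.0.12 TCP_MISS/200 2048 GET https://www.payload-host-one.invalid/wp-content/abc123_xyz/ - HIER_DIRECT/203.0.113.5 application/octet-stream
1575000001.456 12 10.0.0.13 TCP_HIT/200 512 GET https://intranet.example.invalid/index.html - NONE/- text/html
1575000002.789 33 10.0.0.14 TCP_MISS/200 4096 GET http://payload-host-two.invalid/wp-admin/ttz - HIER_DIRECT/203.0.113.6 application/octet-stream
"""


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp, [.]) back into a real URL."""
    fixed = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return fixed.replace("[.]", ".")


def blocklist_hosts(defanged: str) -> set:
    """Extract the lowercase host names from a defanged indicator list."""
    hosts = set()
    for line in defanged.splitlines():
        if line.strip():
            hosts.add(urlsplit(refang(line)).hostname.lower())
    return hosts


def find_hits(log: str, hosts: set) -> list:
    """Return (client_ip, url) for each log line whose URL host is blocked."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        url = fields[6]
        host = urlsplit(url).hostname
        if host and host.lower() in hosts:
            hits.append((fields[2], url))
    return hits


if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG, blocklist_hosts(DEFANGED_IOCS)):
        print(f"ALERT {client} fetched {url}")
```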

Importance of metric-oriented goals: KPIs vs. OKRs

KPIs (Key Performance Indicators) are a way to measure performance within a project or team. They establish the goal, so that afterwards we can check whether we achieved it or not. KPIs do not explain how to reach those goals.

On the other hand, OKRs (Objectives and Key Results) are more descriptive, in that they not only establish the objectives for the quarter/year/etc. (THE WHAT) but also give detailed statements describing the tasks we will do to achieve those objectives (THE HOW).

OKRs have 4 pillars:

  1. Focus and commit to priorities
  2. Align and connect for teamwork
  3. Track for accountability
  4. Stretch for amazing

OKRs are a good method to keep people focused on the most important goals and prevent them from losing focus on urgent but less important tasks.

In a general way, there are two types of OKR:

  1. Committed OKRs: they should all be completed by the end of the period
  2. Aspirational OKRs: they stretch and force the team to achieve ambitious goals, and can be marked as successful if we reach around 70% completion

OKRs should be set quarterly and annually, with only 3 to 5 objectives to keep a narrow focus and productivity. As Andy Grove said, focus on everything = focus on nothing.

Although there is a lot of hype around OKRs lately, they were invented and used by Andy Grove (Founder and CEO of Intel) in the 80's and early 90's! Later on, championed by John Doerr, they were also adopted by several startups like Google, YouTube, Intuit, etc.

Furthermore, Grove and Doerr advocate continuous performance review (CFR: Conversation, Feedback, Recognition) instead of the old and conservative annual reviews, which in this fast-paced world are becoming obsolete.

Some brief examples, based on the sales department of an e-commerce website:

KPI example: Reach USD 100 million revenue in Q3

OKRs example:

  Objective for Q3: Reach USD 100 million revenue in Q3
  Key Results:
    1. Sign agreements with 130 recognized brands
    2. Increase market share up to 20%
    3. Register 200,000 new users on the website

Ultimately, productivity is linked to clearly defined goals, and actions speak louder than words 🙂

How to deploy Docker images on Google Cloud Run

We can easily run dockerized apps on Google Cloud using Google Cloud Run, which is still in beta.

One thing to keep in mind is to honour the $PORT variable inside our Dockerfile: by default Cloud Run uses port 8080, but for portability we will treat it as a variable:

# Dockerfile for Google Cloud Run
FROM php:apache
# Cloud Run injects PORT at run time; default to 8080 when not given at build time
ARG PORT
ENV PORT=${PORT:-8080}
COPY . /var/www/html/
# Make Apache listen on the chosen port instead of the default 80
RUN sed -i "s/80/${PORT}/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
# Use the development php.ini shipped with the image (switch to php.ini-production for a public service)
RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
# No 'service apache2 restart' is needed in a build layer: the php:apache image starts Apache via apache2-foreground at run time
EXPOSE $PORT

So we can build and run the container locally like this:

$ docker build --build-arg PORT=8080 --tag user/image .
$ PORT=8080; docker run -e PORT=$PORT --rm -p 8080:$PORT -it user/image

Once inside the directory with the Dockerfile and the application, just run:

$ PROJECT_ID=new-project-$RANDOM
$ gcloud projects create $PROJECT_ID
$ gcloud config set project $PROJECT_ID
$ gcloud builds submit --tag gcr.io/$PROJECT_ID/image .
$ gcloud config set run/region us-central1
$ gcloud beta run deploy --image gcr.io/$PROJECT_ID/image --platform managed

It takes a few minutes, but finally the service gets deployed and the command prints the URL where it was deployed, something like https://$IMAGE-xxxxxxxxxx-$ZONE.run.app

Simple and vulnerable NodeJS app prone to Cross-Site Scripting (XSS): deployment with Google Cloud App Engine

I wrote a little script in node.js for a hands-on lab to test Cross-Site Scripting (XSS).

You can download it from my github: https://github.com/spinfoo/nodexss

To deploy it on Google Cloud App Engine (the project name is stored in a variable, since $RANDOM would give a different value on every use):

$ git clone https://github.com/spinfoo/nodexss.git
$ cd nodexss
$ gcloud init
$ PROJECT_ID=xss-lab$RANDOM
$ gcloud projects create $PROJECT_ID
$ gcloud config set project $PROJECT_ID
$ gcloud projects describe $PROJECT_ID
$ gcloud app create --project=$PROJECT_ID
$ gcloud app deploy
$ gcloud app logs tail -s default

#Slack built-in support for #RSS feeds

I just discovered that Slack has built-in support for RSS feeds.

It's a great feature for subscribing to all your feeds in a private channel, so you can stay up to date and even share your feedback with your team.

For example, to subscribe to Microsoft Security Advisories:

/feed https://technet.microsoft.com/en-us/security/rss/advisory

I will share my RSS feeds for #cybersecurity later.

United Airlines Bug Bounty Program

After quite some time spent triaging and patching the reported bug, I was awarded 50,000 miles for reporting a bug to United Airlines through their bug bounty program.

I decided to donate them to the Rotary International charity so they can be used for good causes.

Small tool to decode ASP.NET __VIEWSTATE variable when doing webpentests

I just wrote a small tool to easily decode ASP.NET __VIEWSTATE variables without having to install the viewstate module system-wide with administrative privileges, so that the variables can be decoded from a terminal with a small script, without writing Python code.

Sometimes, when web pentesting an ASP.NET application, a tool like this comes in handy.

$ ./decoder.py "/wEPDwUKMTU5MTA2ODYwOWRkoCvvBWgUOH7PD446qvEOF6GTCq0="
** ASP.NET __VIEWSTATE decoder **

[*] Decoding __VIEWSTATE:
/wEPDwUKMTU5MTA2ODYwOWRkoCvvBWgUOH7PD446qvEOF6GTCq0=
(('1591068609', None), None)

https://github.com/spinfoo/viewstate-decoder
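As an added example (not the decoder from the post, and not the viewstate module), here is a minimal Python parser for the unencrypted LOS ViewState format that reproduces the result shown above for the sample value. It handles only the tokens common pages need (pairs, triplets, ArrayLists, strings, 7-bit Int32 and the single-byte constants) and also reports how many MAC bytes trail the serialized object, which is the first thing to check in a pentest.

```python
import base64

# Token values from ASP.NET's ObjectStateFormatter (the "LOS" ViewState format)
T_INT32, T_STRING, T_PAIR, T_TRIPLET, T_ARRAYLIST = 2, 5, 15, 16, 22
SIMPLE = {100: None, 101: "", 102: 0, 103: True, 104: False}  # Null, "", 0, True, False

# The __VIEWSTATE value shown in the post above
SAMPLE = "/wEPDwUKMTU5MTA2ODYwOWRkoCvvBWgUOH7PD446qvEOF6GTCq0="


class LosReader:
    """Reader for the subset of LOS tokens handled in this example."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        b = self.data[self.pos]
        self.pos += 1
        return b

    def read_7bit_int(self) -> int:
        # Same variable-length encoding as .NET BinaryReader.Read7BitEncodedInt
        result, shift = 0, 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7

    def read_value(self):
        token = self.byte()
        if token == T_PAIR:       # tuple elements are evaluated left to right
            return (self.read_value(), self.read_value())
        if token == T_TRIPLET:
            return (self.read_value(), self.read_value(), self.read_value())
        if token == T_ARRAYLIST:
            return [self.read_value() for _ in range(self.read_7bit_int())]
        if token == T_STRING:     # 7-bit length prefix followed by UTF-8 bytes
            n = self.read_7bit_int()
            s = self.data[self.pos:self.pos + n].decode("utf-8")
            self.pos += n
            return s
        if token == T_INT32:
            return self.read_7bit_int()
        if token in SIMPLE:
            return SIMPLE[token]
        raise ValueError(f"unsupported LOS token {token} at offset {self.pos - 1}")


def decode_viewstate(b64: str):
    """Return (decoded object, number of trailing MAC bytes): 20 for HMAC-SHA1,
    32 for HMAC-SHA256, 0 when the page ships ViewState without a MAC."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":
        raise ValueError("not an unencrypted LOS ViewState (missing 0xFF 0x01 header)")
    reader = LosReader(raw[2:])
    value = reader.read_value()
    return value, len(raw) - 2 - reader.pos
```

Decoding needs no key because the MAC only authenticates the blob; a MAC length of 0 means the application accepts unauthenticated ViewState, which is the finding worth reporting.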

Checkmate! OSCP certification passed

OSCP certification

I have to admit that no matter how much experience you have with penetration testing, the exam is challenging because the attack surface is big: 65535 ports x 2 protocols x 4 machines = 524,280 ports.

On the fifth machine, you know beforehand which port is vulnerable and you just have to develop a tailored exploit.

As the 24 hours pass fast, the best advice I can give you, apart from studying all the awesome training material and pwning as many machines as you can in the labs (at least have a presence in all subnets!), is to do as chess players do: put a countdown on each machine. That way you don't go mad wasting all your time on the first and hardest machine, but rotate machines every hour or hour and a half.

I was not able to get any sleep until I finished, but it is very advisable to get some fresh air at least every 4 or 5 hours and take some power naps, so you don't burn out and your mind stays focused.

Overall, a very worthwhile experience!! It really opens your mind in terms of trying harder and finding crazy exploitation vectors in difficult environments.

#try harder