OWASP Top 10 Security Risks – Part V

To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the OWASP top 10 security risks.

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

  1. Injection
  2. Broken Authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken Access control
  6. Security misconfigurations
  7. Cross Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with known vulnerabilities
  10. Insufficient logging and monitoring

In our previous posts, we explained the first eight items on the OWASP Top 10 list.

Continue reading OWASP Top 10 Security Risks – Part V at Sucuri Blog.

Source: Scuri check

Distribution of malicious JAR appended to MSI files signed by third parties

Microsoft Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer (.MSI) files signed by any software developer. This behaviour can be exploited by attackers to bypass some security solutions that rely on Microsoft Windows code signing to decide if files are trusted. The scenario is especially dangerous when the appended code is a malicious JAR because the resulting file has a valid signature according to Microsoft Windows and the malware can be directly executed by Java.

Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author.[1] For example, if you modify the content of, or append any data to, a signed Windows PE (.EXE) file, the signature of the resulting file is no longer valid for Microsoft Windows, as expected. This is not the case when you append data to the end of a signed Windows Installer (.MSI): the resulting file passes the Microsoft Windows verification process and shows only the original signature as valid, without any other warning.

This behaviour could be used to hide and distribute malicious code in signed MSI files; in fact, several security solutions rely on the output of Microsoft Windows code signing validation to skip an in-depth scan when the file carries a valid signature from a well-known and trusted software developer. Such an attack vector is not very interesting if the resulting file is not designed to execute the attached payload, because the attacker would need an additional component already running on the target to extract and execute the appended malicious code. However, JAR files have a characteristic that allows them to run directly in this scenario, making them the perfect candidate to take advantage of this situation.

A JAR file allows Java runtimes to efficiently deploy an entire application, including its classes and their associated resources, in a single request.[2] The detail that makes the scenario above exploitable is that the JAR file format is based on ZIP to store its components and resources, and a ZIP archive is identified by the presence of an end of central directory record located at the end of the archive, a design that allows new files to be appended easily.[3] When Java opens a JAR file it looks at the end of the file instead of the beginning, so a JAR file is executed regardless of what data precedes it. In addition, on Microsoft Windows systems the Java Runtime Environment’s installation program registers a default association for JAR files, so that double-clicking a JAR file on the desktop automatically runs it with “javaw -jar”. Dependent extensions bundled with the application are also loaded automatically. This feature makes the end-user runtime environment easier to use on Microsoft Windows systems.[4]

In short, an attacker can append a malicious JAR to an MSI file signed by a trusted software developer (such as Microsoft Corporation, Google Inc. or any other well-known developer) and rename the resulting file with the .jar extension; the file will have a valid signature according to Microsoft Windows. This can be done, for example, with the command “copy /b signed.msi + malicious.jar signed_malicious.jar”. The victim can be infected with just a double-click on such a file.
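As an added illustration (not part of the original post, and not Sigcheck’s own check), the following Python flags the structural combination the text relies on: an OLE compound-file header at the start, which is what a .MSI looks like, together with a self-consistent ZIP archive whose end of central directory record sits at the end of the file. The “signed MSI” in the sample is a constructed stand-in (the CFB magic plus padding, no real installer or signature), and the appended “JAR” is a minimal ZIP built in memory.

```python
import io
import struct
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE Compound File header; .MSI files start with it
EOCD_SIG = b"PK\x05\x06"                          # ZIP end of central directory (EOCD) signature
EOCD_LEN = 22                                     # fixed part of the EOCD record (no comment)
LOCAL_HDR_SIG = b"PK\x03\x04"                     # ZIP local file header signature


def find_eocd(data: bytes):
    """Offset of the EOCD record, found by scanning backwards from the end of the
    file, which is what a ZIP/JAR reader does. Returns None if there is none."""
    # The EOCD may be followed by a comment of at most 65535 bytes, so only
    # the tail of the file needs to be searched.
    window = min(len(data), EOCD_LEN + 0xFFFF)
    idx = data.rfind(EOCD_SIG, len(data) - window)
    return None if idx < 0 or idx + EOCD_LEN > len(data) else idx


def is_ole_with_trailing_zip(data: bytes) -> bool:
    """Heuristic for the polyglot described above: the file starts as an OLE compound
    file (the container format of a .MSI) AND ends with a self-consistent ZIP archive.
    A clean MSI fails the second test; a plain JAR fails the first."""
    if not data.startswith(CFB_MAGIC):
        return False
    eocd = find_eocd(data)
    if eocd is None:
        return False
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # cd_offset is relative to the start of the archive, not of the file, so for an
    # appended archive the archive start is implied by where the EOCD was found.
    archive_start = eocd - cd_size - cd_offset
    return archive_start > 0 and data[archive_start:archive_start + 4] == LOCAL_HDR_SIG


def appended_zip_entries(data: bytes):
    """Entry names a ZIP/JAR reader sees. zipfile locates the EOCD from the end and
    compensates for the prefix, so the OLE bytes in front are simply ignored."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def build_sample() -> bytes:
    """Constructed sample standing in for the copy /b concatenation above. The 'MSI'
    is one 512-byte sector holding only the CFB magic (no real installer, no signature);
    the 'JAR' is a minimal ZIP with a manifest and a class-file stub."""
    fake_msi = CFB_MAGIC + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        z.writestr("Demo.class", b"\xca\xfe\xba\xbe")  # class-file magic only, constructed
    return fake_msi + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("polyglot detected:", is_ole_with_trailing_zip(sample))
    print("entries a JAR reader would see:", appended_zip_entries(sample))
```

The second function is the point the text makes about Java: a ZIP reader parses from the end, so the prepended installer does not stop the archive from loading.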

This attack vector was detected in a sample sent to VirusTotal and flagged by VirusTotal Monitor (a service to detect and avoid false positives).[5] We have not found evidence of this technique being used massively to distribute malware.

We would like to thank Mark Russinovich and Mark Cook from Microsoft for working with us in the study of the issue and for their quick response with a Sysinternals Sigcheck update to detect this kind of malformed file.[6] VirusTotal also detects this attack vector via the updated version of Sigcheck, with the warning “Signed but the filesize is invalid (the file is too large)” in the Signature info section.[7]

Thanks also to the Microsoft Security Response Center for the study of the issue. This attack vector has been verified on the latest updated versions of Windows 10 and Java available at the time of writing (Windows 10 Version 1809 and Java SE Runtime Environment 8 Update 191). Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed that we may blog about this case and our findings publicly.

Last but not least, thanks to all our security partners at VirusTotal for making the Internet safer. An early version of this blog post has been shared with all of them in order to provide an adequate response to detect and stop these types of attacks with their antivirus, antimalware and next-gen solutions.

[1] Code signing [Wikipedia] https://en.wikipedia.org/wiki/Code_signing

[2] JAR (file format) [Wikipedia] https://en.wikipedia.org/wiki/JAR_(file_format)

[3] Zip (file format) [Wikipedia] https://en.wikipedia.org/wiki/Zip_(file_format)#Structure

[4] JAR File Overview [Oracle] https://docs.oracle.com/javase/6/docs/technotes/guides/jar/jarGuide.html

[5] VirusTotal Monitor [VirusTotal] https://www.virustotal.com/#/monitor-overview

[6] Sigcheck 2.70 [Microsoft Sysinternals] https://blogs.technet.microsoft.com/sysinternals/2018/10/21/sigcheck-2-70-bginfo-v4-26-and-vmmap-v3-22/

[7] Signed .MSI with malicious JAR appended [VirusTotal] https://www.virustotal.com/gui/file/dd71284ac6be9758a5046740168164ae76f743579e24929e0a840afd6f2d0d8e/details

Francisco Santos & Bernardo Quintero

Source: VirusTotal

Free SuperCounters Widget Serves Unwanted Redirects to Dating Site

If we navigate way back into the recesses of our memory to the era of GeoCities websites and MySpace pages, we might distinctly recollect the popularity of the visitor-counting widget.

Commonly displayed on homepages across the web, these widgets served as credibility indicators to help site visitors identify the popularity of a website.

While this feature may have gone out of vogue with current website design trends and advanced analytics tools, they also fell out of favor for bad behavior – from stealing traffic and redirections to planting trojans and malware.

Continue reading Free SuperCounters Widget Serves Unwanted Redirects to Dating Site at Sucuri Blog.

Source: Scuri check

How to Improve Your Website Resilience for DDoS Attacks – Part III – WAF

In the first post of this series, we talked about the practices that will optimize your site and increase its resilience to DDoS attacks. In the second post, we focused on caching best practices that can reduce the chances of a DDoS attack taking down your site. Today, we are going to emphasize the importance of having a Web Application Firewall.

What is a Web Application Firewall?

A web application firewall (WAF) is a firewall that filters, monitors, and blocks HTTP/HTTPS traffic to and from a web application.

Continue reading How to Improve Your Website Resilience for DDoS Attacks – Part III – WAF at Sucuri Blog.

Source: Scuri check

Multisandbox project welcomes ReaQta-Hive

We are pleased to announce the addition of ReaQta-Hive to the multisandbox project, after the integrations of Tencent Habo, VirusTotal Droidy, Cyber adAPT ApkRecon, and Dr. Web vxCube. The new capability this integration brings is analysis of XSL documents, in addition to PE files, PDFs, MS Office documents and scriptlets.

In their own words:

ReaQta-Hive is an Endpoint Threat Response and Hunting platform that uses A.I. to detect new types of attacks. A live hypervisor, called the NanoOS, collects detailed security information at the lowest possible level of an endpoint, which Hive uses to perform dynamic behavioral analysis. This analysis is automatic and constructs a comprehensive storyline of an attack. The end result is an intuitive report of all the actions carried out by an attacker, including a summary of the meta-behaviors that highlight key components of the attack. ReaQta-Hive is a vector-agnostic platform, so it can analyze the behavior of any type of attack, whether it is file-less, script-based, exploit driven, or a plain executable file. We are happy to use our software and expertise to contribute actively to the VirusTotal community, and to help analysts worldwide be more effective and efficient.

To view the ReaQta report when viewing a file analysis, click on the Behaviour tab, select ReaQta-Hive, then the detailed report.

In the detailed report, you can view copious amounts of information obtained by ReaQta-Hive. Let’s take a look at some example use cases where this data is interesting.

XSL document / #squiblytwo

This example is an interesting malicious XSL document which only ReaQta processes:
https://www.virustotal.com/#/file/9d3746779bc2b2d1ecbd90da8626f81978db4be1eb346106a6334295fce568cd/behavior
In the Relationships tab you can see a link to VT Graph, where we can see relationships to other domains and URLs VirusTotal has seen before.

Malicious document using LOLBins

Malware that uses Living off the Land binaries and scripts (LOLBins) has become popular, since these are binaries and scripts included with the operating system and hence trusted. Here is an MS Office trojan that does so:
https://www.virustotal.com/#/file/1f4f22f1814712880b2bbdc5c6418aeaf08c598be0990c5fad55136c9e769951/behavior

Windows PE file, detecting behaviors like key-logging/screenshots

https://www.virustotal.com/#/file/d72f74208c8960ae70469af3968324c6d5f90a305931763c0f5e23cd7922bcea/behavior

In the report we can see the detection and severity:

MS Word document executing PowerShell with Emotet infection

Behavior report:
https://www.virustotal.com/#/file/6dcd70d4e0d78a7aa12d8e4ae85d503fc7d642a9f5e950f43803c3471753ab6e/behavior

Viewing in VirusTotal Graph, we can expose the network infrastructure involved.

Malicious document: dynamic impersonation, then drops keylogger

Take a look at the ReaQta detailed behaviour report linked from the VT page at:
https://www.virustotal.com/#/file/24d94671e38f8f2f4c2f158e011a24c4641994b14962b3c4343308efdfb8fa71/behavior

Within the process tree, you’ll notice the process-hollowing (dynamic process impersonation) icon:

This also shows up in the “INJECTED PROCESSES” section of the report:

In the VT Graph we can see the relationship to the DDNS host and the keylogger that is dropped.

Windows Scriptlet (SCT) file

In the file https://www.virustotal.com/#/file/f128a63c107c3006ebf448d6ec743d11eb491ecb508e4ce63ba084f9792c25da/details we see a scriptlet file dropping a miner.

Have a look yourself by checking out the behaviour tab:

Source: VirusTotal

OWASP Top 10 Security Risks – Part IV

To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the OWASP top 10 security risks.

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

1. Injection
2. Broken Authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring

In our previous posts, we explained the first six items on the OWASP Top 10 list.

Continue reading OWASP Top 10 Security Risks – Part IV at Sucuri Blog.

Source: Scuri check

New Year Tips from Security Professionals

Have you included website security as a part of your new year’s resolutions for 2019?

Here is a quick retrospective on tips some of our team members shared with us throughout the year.

The cost for neglecting security is 10 times greater than the effort to keep it safe. Your brand value takes 10 times as long to recover as it took to build. Make sure to follow security best practices to protect your web assets.

Continue reading New Year Tips from Security Professionals at Sucuri Blog.

Source: Scuri check

My Website Was Hacked on Christmas Eve

Christmas is a wonderful time to spend with family and friends. A lot of kids look forward to opening their presents under the Christmas tree, but not all of them have a present to open. This is why our family started a charity project in 2007 called the Shoebox Project. A few years later, my wife suggested that I create a website to help us spread the word of how people could fill a shoebox with gifts and bring it into a collection center.

Continue reading My Website Was Hacked on Christmas Eve at Sucuri Blog.

Source: Scuri check

Sucuri Named December 2018 Gartner Customers’ Choice for Web Application Firewalls

The Sucuri team is excited to announce that we have been recognized as a December 2018 Gartner Peer Insights Customers’ Choice for the Sucuri Firewall. Our team takes great pride in this distinction, as customer feedback continues to shape our products and services.

In its announcement, Gartner explains,

“The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.”

To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

Continue reading Sucuri Named December 2018 Gartner Customers’ Choice for Web Application Firewalls at Sucuri Blog.

Source: Scuri check

VirusTotal += Acronis

We welcome the Acronis scanner to VirusTotal. In the words of the company:

“Acronis PE analyzer is a Machine Learning based engine that will be part of the upcoming cyber protection suite the company will release in 2019. It is a further evolution of the Acronis AI capabilities that were introduced in 2018 to combat ransomware. PE analyzer is able to detect any kind of Windows PE malware due to optimized, innovative machine learning models. Acronis has plans to continuously improve the engine before and after the release of the above-mentioned cyber protection suite to bring value to all VirusTotal users.”

Acronis has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-TEST, an AMTSO-member tester.

Source: VirusTotal

Clever SEO Spam Injection

It’s very common for us here at Sucuri to face SEO injections on almost any type of CMS-based site. Today, I’ll be presenting how one particularly ingenious malware manages to hide so well inside a WordPress website.

The Traditional Approach

There are two common approaches attackers use to inject SEO spam on websites:

1. Injecting HTML code for concealed elements in theme files
2. Injecting fake spam posts in the WordPress database

Both approaches are readily found during Sucuri’s routine remediation process.

Continue reading Clever SEO Spam Injection at Sucuri Blog.

Source: Scuri check

Naughty or Nice Websites

Santa Claus is coming! Was your website naughty or nice this year?

Here is a quick checklist of the top 10 bad things that can harm your website security and the top 10 good things that can improve your website security.

Naughty Websites List

If your website falls into any of these categories, this is the perfect time of year to start thinking about improving your security posture.

1 – My website has outdated software.

Continue reading Naughty or Nice Websites at Sucuri Blog.

Source: Scuri check

OWASP Top 10 Security Risks – Part III

To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the OWASP top 10 security risks.

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

1. Injection
2. Broken Authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring

In our previous posts, we explained the first four items on the OWASP Top 10 list.

Continue reading OWASP Top 10 Security Risks – Part III at Sucuri Blog.

Source: Scuri check

Fake Volkswagen Campaign Spreads Through Social Networks

We recently investigated a suspicious link received by one of my colleagues on WhatsApp. The message (in Portuguese) states that Volkswagen is offering 20 free cars until the end of the year, and directs users to participate on a site that has apparently been crafted especially for this “event”.

After an initial investigation, it became clear that something was not right with the site. Several security vendors blacklisted it as a phishing site; although fishy, none of the classic phishing characteristics were present.

Continue reading Fake Volkswagen Campaign Spreads Through Social Networks at Sucuri Blog.

Source: Scuri check

Your Email Delivery Checklist

Email delivery can be complicated. New technologies have emerged to help inbox providers protect themselves and their customers from spam and fraudulent emails, but these can also stop legitimate emails from being delivered. How do you protect your email delivery?

Our MxToolbox Email Experts have created a checklist to help you improve your email delivery. Learn more

Source: MXtoolbox

Localization and Customization of Credit Card Stealing Malware

Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site.

Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table.

hxxps://elegrina[.]com/assets/<domain>.js, where <domain> was the second-level domain of the infected site.

Continue reading Localization and Customization of Credit Card Stealing Malware at Sucuri Blog.

Source: Scuri check

Using Innocent Roles to Hide Admin Users

All across the internet, we find guides and tutorials on how to keep your WordPress site secure. Most of them approach the concept of user roles, but not many actually approach the capabilities of those roles.

The way the capabilities are handled on WordPress makes it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

First, let’s take a look at how WordPress manages the capabilities of the roles and what they are allowed to do, such as:

• add users;
• remove users;
• create posts;
• delete posts, etc.

Continue reading Using Innocent Roles to Hide Admin Users at Sucuri Blog.

Source: Scuri check

Homeland Security Directs Agencies to Adopt DMARC

As a business or a government agency, you may wonder “why would I spend the time and money to adopt DMARC?” The answer is that DMARC can help ensure your emails get delivered and protect your brand and customers from phishing and fraud, while giving you valuable information about the email you are sending, including SPF alignment, DKIM authentication and forensic information on failures and the quality of the configurations of your senders.

Because of the inherent value in adopting DMARC, the US Department of Homeland Security and the UK government have made DMARC adoption a requirement for government agencies. If you aren’t ready to adopt DMARC, you’re behind. But MxToolbox can help you. Learn More

Source: MXtoolbox