Security vulnerability exploitation


DaveB-Opt


  • Administrators
50 minutes ago, ihatemalware said:

We do have the same here - I am very nervous because it is detected but not "RESOLVED":

This is a different case than what the OP reported. In your case, there was a real attack attempt from 45.136.108.68. As you can see, the IP was reported by others as a source of attacks:

https://www.abuseipdb.com/check/45.136.108.68

Unfortunately the Object column is too narrow to show all information. We don't see the port number which would clarify if it was a bruteforce attack on RDP, SMB or SQL (typically it's RDP).


  • Administrators
1 hour ago, DaveB-Opt said:

What's the best practice for these notifications?


Please focus on the machine 10.112.0.200. Make sure that it has all critical updates installed and the latest version of AV is installed and fully updated. Run a memory and disk scan to make sure it's malware free.


  • Most Valued Members
2 hours ago, DaveB-Opt said:

What's the best practice for these notifications?

They don't say 'blocked' or 'resolved' so I'm unsure what they're telling me.

Thanks


It looks like it's coming from one of your LAN PCs, LAN Address > LAN Address, is that right?

Could be a compromised PC is trying to send to others in the network.

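The triage that the replies above describe, LAN > LAN traffic as a sign of a compromised internal host and the port number that would tell RDP from SMB from SQL, as an added example that is not part of this thread or of ESET's product. The "src > dst:port" event format is a constructed stand-in for the Object column, and every address except 45.136.108.68 and 10.112.0.200 is constructed:

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not taken from the thread's screenshots), written as
# "<source IP> > <destination IP>:<port>", i.e. the Object column with the port kept.
SAMPLE_EVENTS = [
    "10.112.0.200 > 10.112.0.37:445",
    "10.112.0.200 > 10.112.0.51:445",
    "10.112.0.200 > 10.112.0.88:445",
    "45.136.108.68 > 10.112.0.12:3389",
    "45.136.108.68 > 10.112.0.12:3389",
]

# The services the thread names as the usual brute-force targets.
PORT_SERVICE = {445: "SMB", 139: "SMB", 3389: "RDP", 1433: "SQL"}


def parse_event(line):
    """Return (src, dst, port) from one 'src > dst:port' line."""
    src, rest = (part.strip() for part in line.split(">", 1))
    dst, port = rest.rsplit(":", 1)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def direction(src, dst):
    """LAN > LAN is lateral traffic; otherwise it is inbound from or outbound to the Internet."""
    if src.is_private and dst.is_private:
        return "lateral"
    return "inbound" if dst.is_private else "outbound"


def triage(lines, lateral_threshold=3):
    """Group events by source; an internal host reaching many peers is the worrying case."""
    per_source = defaultdict(lambda: {"direction": None, "services": set(), "targets": set()})
    for line in lines:
        src, dst, port = parse_event(line)
        entry = per_source[str(src)]
        entry["direction"] = direction(src, dst)
        entry["services"].add(PORT_SERVICE.get(port, f"tcp/{port}"))
        entry["targets"].add(str(dst))
    for entry in per_source.values():
        if entry["direction"] == "lateral" and len(entry["targets"]) >= lateral_threshold:
            entry["verdict"] = "possible compromised host: isolate, scan and patch it"
        elif entry["direction"] == "inbound":
            entry["verdict"] = "external attack attempt: confirm it was blocked, review exposure"
        else:
            entry["verdict"] = "review"
    return dict(per_source)


if __name__ == "__main__":
    for source, entry in triage(SAMPLE_EVENTS).items():
        print(source, entry["direction"], sorted(entry["services"]), entry["verdict"])
```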

2 hours ago, Marcos said:

This is a different case than what the OP reported. In your case, there was a real attack attempt from 45.136.108.68. As you can see, the IP was reported by others as a source of attacks:

https://www.abuseipdb.com/check/45.136.108.68

Unfortunately the Object column is too narrow to show all information. We don't see the port number which would clarify if it was a bruteforce attack on RDP, SMB or SQL (typically it's RDP).

Sorry, the threat is indeed different. Maybe you could move this to a new thread?

In this case I just wanted to know whether "detected" means "detected, but not stopped" and I should worry, because I run a PRTG Server (HTTPS on port 85) with a vulnerability (CVE-2019-19119):



As far as DoublePulsar goes, it is a backdoor that can be installed on devices that are vulnerable to the SMBv1 EternalBlue exploit. Microsoft offered OS patches for EternalBlue way back in 2017.

More info on DoublePulsar here: https://www.secpod.com/blog/doublepulsar-a-very-sophisticated-payload-for-windows/

I really can't believe this network has not been patched against this exploit.


  • Administrators
1 hour ago, ihatemalware said:

In this case I just wanted to know whether "detected" means "detected, but not stopped" and I should worry, because I run a PRTG Server (HTTPS on port 85) with a vulnerability (CVE-2019-19119).

Detected actually means "detected and blocked". The wording will probably change.


1 hour ago, ihatemalware said:

In this case I just wanted to know whether "detected" means "detected, but not stopped" and I should worry, because I run a PRTG Server (HTTPS on port 85) with a vulnerability (CVE-2019-19119):

PRTG patched this with a software update: https://blog.paessler.com/prtg-release-19.4.54-includes-2-brand-new-sensors-for-disk-and-storage


9 minutes ago, itman said:

Hi itman,

Yes, I know :). I wrote "run a PRTG Server"; it should have read "ran a PRTG Server", because that instance is off the net.


21 hours ago, itman said:

As far as DoublePulsar goes, it is a backdoor that can be installed on devices that are vulnerable to the SMBv1 EternalBlue exploit. Microsoft offered OS patches for EternalBlue way back in 2017.

More info on DoublePulsar here: https://www.secpod.com/blog/doublepulsar-a-very-sophisticated-payload-for-windows/

I really can't believe this network has not been patched against this exploit.


Unfortunately this machine is often connected to a shared Wi-Fi connection outside of our network.


3 hours ago, DaveB-Opt said:

Unfortunately this machine is often connected to a shared Wi-Fi connection outside of our network.

Here is a tool that will detect the DoublePulsar backdoor: https://github.com/countercept/doublepulsar-detection-script . It was referenced in the prior link I posted. Appears it is also capable of removing the backdoor. I would run this for the device located at 10.112.0.200 to verify that DoublePulsar is not present on that device.

Edited by itman

4 hours ago, DaveB-Opt said:

Unfortunately this machine is often connected to a shared Wi-Fi connection outside of our network.

I fail to see how this would be a reason not to patch your internal network devices against the EternalBlue exploit. This exploit will allow the worm to propagate through your entire network.


17 hours ago, itman said:

Here is a tool that will detect the DoublePulsar backdoor: https://github.com/countercept/doublepulsar-detection-script . It was referenced in the prior link I posted. Appears it is also capable of removing the backdoor. I would run this for the device located at 10.112.0.200 to verify that DoublePulsar is not present on that device.

Thanks! I appreciate your advice. This may not be one of our company devices, so I may not be able to use it.


  • Most Valued Members
34 minutes ago, itman said:

Eset has a must-read article on the EternalBlue exploit: https://www.welivesecurity.com/2019/05/17/eternalblue-new-heights-wannacryptor/

It's funny that the NSA got it developed, it got leaked by mistake or by some kind of whistleblower, I don't remember, and yet the most infected country is the US. They fell into their own trap, and brought the whole world into the same trap with them; even Microsoft wasn't happy about the NSA doing that.


  • Most Valued Members
5 hours ago, Rami said:

It's funny that the NSA got it developed, it got leaked by mistake or by some kind of whistleblower, I don't remember, and yet the most infected country is the US. They fell into their own trap, and brought the whole world into the same trap with them; even Microsoft wasn't happy about the NSA doing that.

This is why backdoors are always a bad idea. When it comes to government agencies, some people seem to live by the idea that it doesn't matter because they have nothing to hide. However, if there's a backdoor for one person or organisation, there's always the risk of someone else finding it, and if that person is a hacker with malicious intent, well, let's just say there's a lot of damage that can be done.


Also of note is there are other DoublePulsar variants that use exploits other than EternalBlue as noted in this Symantec article:

Quote

Beginning in March 2016, Buckeye began using a variant of DoublePulsar (Backdoor.Doublepulsar), a backdoor that was subsequently released by the Shadow Brokers in 2017. DoublePulsar was delivered to victims using a custom exploit tool (Trojan.Bemstour) that was specifically designed to install DoublePulsar.

Bemstour exploits two Windows vulnerabilities in order to achieve remote kernel code execution on targeted computers. One vulnerability is a Windows zero-day vulnerability (CVE-2019-0703) discovered by Symantec. The second Windows vulnerability (CVE-2017-0143) was patched in March 2017 after it was discovered to have been used by two exploit tools—EternalRomance and EternalSynergy—that were also released as part of the Shadow Brokers leak.

The zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019.

https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit

Edited by itman

A final comment about OS and software vulnerabilities. In regards to the above noted Bemstour Trojan, it is actually a re-engineered version of an existing NSA exploit. As such, an unpatched network is a "sitting duck" for the next "latest and greatest" exploit creation. Bottom line: devices need to be patched as soon as a patch is available:

Quote
“Check Point’s analysis of Bemstour showed that the exploit is in fact APT3’s own implementation of EternalRomance, a tool the NSA developed to break into Windows 7, Windows 8, and some Windows NT systems,” Dark Reading reported.

“APT3 developed the exploit by reverse-engineering EternalRomance; but then, tweaked it so it could be used to target more systems,” Mr. Vijayan wrote. “APT3’s Bemstour leveraged the same Windows zero-day as the one used in EternalRomance (CVE-2017-0143). Additionally, the group also created an exploit for another Windows zero-day, (CVE-2019-0703). Both flaws have been patched.”

“What we found out is that in terms of the software vulnerabilities targeted by the underlying exploit, they were identical to those leveraged by EternalRomance,” said Mark Lechitk, lead security researcher at Check Point. “This is no coincidence — finding the exact same set of bugs in order to create an exploit that provides remote code execution capabilities is very unlikely,” he added. “At the same time, there are enough differences in Bemstour to indicate the exploit was reverse-engineered and built from scratch, rather than copied wholesale,” Mr. Vijayan wrote. “That is what led Check Point to conclude an NSA exploit was used in some way as a reference,” Mr. Lechitk said.

https://fortunascorner.com/2019/09/09/chinese-group-built-advanced-trojan-by-reverse-engineering-offensive-nsa-cyber-tool/

Edited by itman