Tuesday, December 15, 2015
Saturday, December 12, 2015
DarkBot detection using Canada Cyber security servers.
One of our security servers at a client has detected some IOCs that look like darkbot.
When we looked at the pcap files we saw why. Below are some rules that the Canada Cyber sensor triggered.
For more information:
https://www.us-cert.gov/ncas/alerts/TA15-337A
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot#tab=2
This first screen is the first request, via DNS, to wipmania.com, something that is normal for darkbot.
The next screen is the HTTP request to the same domain.
Tuesday, December 8, 2015
We have updated our site
We decided to give our website a new facelift. What do you think?
Some of the new things:
1. Always redirect to HTTPS.
2. Very small footprint, under 1 megabyte.
3. Should work on any screen.
4. No executables. Good luck trying to hack this, l33t ;-)
Our site screen from before:
Wednesday, August 26, 2015
hard drive forensics
Not your average day at Canada Cyber: we usually deal with network security and forensics, but this week we had to do a hard drive recovery on a laptop that is suspected to be the root of a problem in a client network. The drive's MBR/GPT was removed, and before that it was formatted by malware. Ironically this is the 2nd hard drive we have had to deal with this week; the first one was for a client that lost his RAID config. The biggest problem with all of this is the time the software needs to get things back.
Tuesday, July 7, 2015
Cyber attacks via DDoS on one of the servers we are securing
We thought this was interesting to share with you: this is a chart from a 12 minute span from one of our security sensors, showing over 1.2 million TCP port 80 requests to a web server running IIS on Windows 2012 R2.
Our systems were able to identify this, and a quick e-mail/SMS was sent to our staff, who then within minutes contacted the owner of the server.
The diagram also shows the source nation. This is a DDoS attack, as the attack was conducted using 100,000 unique IP addresses.
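As an added example (not from the original post, and not the sensor product it describes), here is a sliding-window detector in Python that flags the pattern the chart shows: a burst of port 80 requests coming from a large number of distinct source addresses at once. The connection records, the one-minute window and both thresholds are constructed assumptions for the demo; a real deployment would tune them to the server's normal traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class FloodDetector:
    """Sliding-window counter of requests and distinct source IPs to one port.

    The window length and thresholds are assumptions chosen for the constructed
    sample below; tune them to the real server's normal traffic.
    """

    def __init__(self, window=timedelta(minutes=1), max_requests=1000, max_sources=100):
        self.window = window
        self.max_requests = max_requests
        self.max_sources = max_sources
        self.events = deque()             # (timestamp, src_ip) inside the window
        self.per_src = defaultdict(int)   # src_ip -> requests inside the window

    def _expire(self, now):
        # Drop everything older than the window so counts reflect the recent past only.
        while self.events and now - self.events[0][0] > self.window:
            _, src = self.events.popleft()
            self.per_src[src] -= 1
            if self.per_src[src] == 0:
                del self.per_src[src]

    def observe(self, ts, src):
        """Record one request; return an alert dict when both thresholds are exceeded."""
        self._expire(ts)
        self.events.append((ts, src))
        self.per_src[src] += 1
        n_req, n_src = len(self.events), len(self.per_src)
        if n_req >= self.max_requests and n_src >= self.max_sources:
            return {"kind": "volumetric flood", "at": ts, "requests": n_req, "sources": n_src}
        return None


def scan(records, port=80, **thresholds):
    """Run the detector over (timestamp, src_ip, dst_port) records; one alert per window."""
    det = FloodDetector(**thresholds)
    alerts = []
    for ts, src, dport in sorted(records):
        if dport != port:
            continue
        alert = det.observe(ts, src)
        # Suppress repeats until a full window has passed since the last alert.
        if alert and (not alerts or alert["at"] - alerts[-1]["at"] > det.window):
            alerts.append(alert)
    return alerts


def make_sample(with_flood=True):
    """Constructed records: a trickle of normal traffic plus an optional burst of
    1600 requests from 400 distinct sources packed into a single minute."""
    base = datetime(2015, 7, 7, 10, 0, 0)
    records = [(base + timedelta(minutes=m), "10.0.0.5", 80) for m in range(12)]
    records.append((base + timedelta(minutes=3), "10.0.0.6", 443))   # other port, ignored
    if with_flood:
        for n in range(400):
            src = f"192.0.2.{n}" if n < 200 else f"198.51.100.{n - 200}"
            for k in range(4):
                records.append((base + timedelta(minutes=5, seconds=(4 * n + k) % 60), src, 80))
    return records


if __name__ == "__main__":
    for alert in scan(make_sample()):
        print(alert)
```

Requiring both a request count and a distinct-source count before alerting is what separates a flood like the one in the chart from a single chatty client; a single noisy source would trip only the first threshold and can be handled by ordinary rate limiting instead.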
Wednesday, May 20, 2015
Google Cloud Terms of agreement are changing.
Dear Google Cloud Platform Customer,
We've made some changes to the Online Google Cloud Platform License Agreement and to the following documents incorporated into that License Agreement:
- Google Cloud Platform Service Specific Terms
- Google Cloud Platform Services Summary
- Service Level Agreements (SLAs)
- Google Cloud Platform Services Subject to the Deprecation Policy
- Technical Support Services Guidelines for Google Cloud Platform Services
- Cloud Platform Data Processing and Security Terms
Google Cloud Platform Terms of Service
We've updated the Google Cloud Platform License Agreement to, among other things:
- Simplify and clarify certain provisions, such as those covering your rights to use Google Cloud Platform services and Google's rights to use data you provide in those services
- Update the indemnification provisions
- Add Data Processing and Security Terms
- Allow for charges to be made in select local currencies
- Add a Google Cloud DNS Service Level Agreement
Google Cloud Platform Service Specific Terms
We've updated the Service Specific Terms to, among other things:
- Make the data location provisions more clear and uniform
- Add data location provisions for Google Compute Engine
- Add certain exclusions from the data location provisions
- Clarify certain Prediction API obligations
- Include terms applicable to use of third-party software in conjunction with Google Compute Engine
- Include terms applicable to the use of Google Cloud Security Scanner
- Add language to clarify use of Sustained Usage Discount pricing
- Add a restriction against using the Google Cloud Platform services to provide network transport or sell bandwidth
Google Cloud Platform Services Summary
We've updated the services summary to:
- Add descriptions of Google Container Engine and Google Cloud Monitoring
- Add descriptions of Managed VMs and Google Cloud Endpoints to the Google App Engine service description
- Add a description of Google Cloud DNS to the Google Compute Engine service description
- Add descriptions of Google Cloud Security Scanner, Google Genomics API and Google Cloud Pub/Sub as new "Other Google Cloud Platform Services"
Service Level Agreements
We've updated the following Service Level Agreements (SLAs) to clarify that they don't apply to features designated "Alpha" or "Beta":
- Google App Engine
- Google Cloud SQL
- Google Cloud Storage
- Google Prediction API
- Google BigQuery
- Google Compute Engine
We've also updated the Google Compute Engine SLA to, among other things:
- Add Google Compute Engine service load balancing as covered by that SLA
- Add loss of persistent disk access to the Instance Downtime definition.
Google Cloud Platform Services Subject to the Deprecation Policy
We've made a clarification to exclude from our Services under the Deprecation Policy versions, features, and functionality labeled "Alpha" or "Beta". We've also added Google BigQuery to the list of services subject to the Deprecation Policy.
Technical Support Services Guidelines for Google Cloud Platform
We've updated the Technical Support Services Guidelines to provide that, although Google has no obligation to provide technical support services for Alpha or Beta versions, features, or functionality of the Services, we will consider requests at these development stages on a case-by-case basis. We also shortened the Platinum P1 target initial response time.
Cloud Platform Data Processing and Security Terms
We've updated the Data Processing and Security Terms to clarify the definitions of Subprocessor and Third Party Suppliers.
Summary of Changes
You can review a summary of the main changes to the Google Cloud Platform License Agreement, as well as view the prior version of the Google Cloud Platform License Agreement for the next 30 days. In addition, you can review a summary of the main changes to the Service Specific Terms, Services summary, SLAs, Services under the Deprecation Policy, and Technical Support Services Guidelines. You can also view the prior version of the Service Specific Terms for the next 30 days.
Sincerely,
--The Google Cloud Platform team
© 2015 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to update you about important changes to Google Cloud Platform or your account.
Wednesday, May 6, 2015
Compute Cloud Engine Security
One of our bigger clients uses Google Compute Engine as a service and then resells it as a managed service.
They came to us and told us that they suspect one of the servers they own is now a command and control server, and that the entire IP block for that provider has been blacklisted, which is affecting the MX record for the mail servers.
So this is the problem:
1. The clients need the services back ASAP.
2. The client is a service provider to another provider (2 x kill chain).
3. The client is very good with services and networking (but has no security skills).
4. All of this is in the CLOUD, which is run by Google.
5. The legal issues with this and the forensics of this problem require at least 4 organizations: Google, the direct client that contacted us, the secondary client that is 0wned, and, last but not so obvious, the users and IT staff that might have been 0wned.
So the first thing we do is ask for some variables:
1. IP address.
2. Domain names.
3. Credentials to access inside the virtual machines and the main Google Compute Engine account.
4. List of users with direct access to all of the above.
We get one of the security engineers to look at it, and within 1 hour he identifies the problem.
He is like: oh ... just look at the logs ...
We are: what logs ...
The Google Compute logs.
We are: what is a Google Compute log?
It shows someone logging in at strange times and then doing strange things.
In short, after a longer investigation, someone was able to hijack one of the admin's Gmail accounts from the owned client; that account had admin access to that VM instance. He was then able to start a new server without anyone being aware.
The server was a 2012 R2 server from a standard Google Compute Engine image. Then the hacker changed the firewall and allowed VPN services via PPTP (we suspect this was the command and control channel (C2)).
Conclusion
We changed the password and recovery question for the 0wned user. We then removed the VM instance server. Then we had to buy a new set of static IPs and point all the DNS information to the new IP ranges.
In the end all clients are happy. The C2 hack came from a known .TK domain name that is known for malware.
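As an added example (not from the original post, and not using the real Compute Engine log schema), the following Python reviews a constructed, simplified audit trail for the two signals this story turned on: an admin login at an odd hour from an unfamiliar address, followed by a new instance and a firewall rule that opens PPTP (TCP 1723 plus GRE) to the whole internet. The event shape, the business hours, the "known" office IP and the list of risky ports are all assumptions made for the demo.

```python
from datetime import datetime

# Constructed sample in a simplified event shape (NOT the real Compute Engine log format).
SAMPLE_EVENTS = [
    {"ts": "2015-05-01T14:02:11", "principal": "admin@example.com", "action": "login",
     "src_ip": "198.51.100.7"},
    {"ts": "2015-05-02T03:17:45", "principal": "admin@example.com", "action": "login",
     "src_ip": "203.0.113.9"},
    {"ts": "2015-05-02T03:21:03", "principal": "admin@example.com", "action": "instances.insert",
     "resource": "vm-2"},
    {"ts": "2015-05-02T03:25:40", "principal": "admin@example.com", "action": "firewalls.insert",
     "resource": "allow-pptp", "allowed": ["tcp:1723", "gre"], "source_ranges": ["0.0.0.0/0"]},
    {"ts": "2015-05-02T09:05:12", "principal": "ops@example.com", "action": "firewalls.insert",
     "resource": "allow-https", "allowed": ["tcp:443"], "source_ranges": ["0.0.0.0/0"]},
]

BUSINESS_HOURS = range(8, 19)        # assumption: 08:00-18:59 local time
KNOWN_SOURCES = {"198.51.100.7"}      # assumption: the admin's usual office address
# Protocols/ports that should never be open to 0.0.0.0/0 on a managed server:
# PPTP (TCP 1723 + GRE, the suspected C2 channel in the story), RDP and SSH.
RISKY_ALLOWED = {"tcp:1723", "gre", "tcp:3389", "tcp:22"}


def review_events(events, business_hours=BUSINESS_HOURS, known_sources=KNOWN_SOURCES):
    """Return (timestamp, principal, reason) findings in time order."""
    findings = []
    suspect = set()   # principals whose login already looked wrong
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        who, what = e["principal"], e["action"]
        if what == "login":
            reasons = []
            if ts.hour not in business_hours:
                reasons.append("outside business hours")
            if e.get("src_ip") not in known_sources:
                reasons.append(f"unknown source {e.get('src_ip')}")
            if reasons:
                suspect.add(who)
                findings.append((e["ts"], who, "suspicious login: " + ", ".join(reasons)))
        elif what == "firewalls.insert":
            # A risky port opened to the whole internet is reportable on its own.
            exposed = sorted(set(e.get("allowed", [])) & RISKY_ALLOWED)
            if exposed and "0.0.0.0/0" in e.get("source_ranges", []):
                findings.append((e["ts"], who,
                                 f"rule {e['resource']} opens {','.join(exposed)} to the internet"))
        elif what == "instances.insert" and who in suspect:
            # Instance creation is normal work; it matters when it follows a bad login.
            findings.append((e["ts"], who, f"new instance {e['resource']} after suspicious login"))
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

The point of the example is the ordering: the odd-hour login from an unknown address is what turns the later instance creation from routine work into a finding, and the firewall rule is reportable on its own because it exposes a remote-access protocol to the internet regardless of who created it.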
Sunday, April 26, 2015
QUIC and transport delivery and encryption.
We at Canada Cyber have noticed an increased amount of traffic using the QUIC UDP transport protocol provided by Google.
http://blog.chromium.org/2015/04/a-quic-update-on-googles-experimental.html
Canada Cyber logs from one of our sensors also confirm this.
It's exciting to see what security implications this brings, as session hijacking of standard UDP is considerably easier than TCP. Since UDP does not use packet sequencing and synchronization, it is easier to take over a UDP session than a TCP one: the hijacker simply has to forge a server reply to a client UDP request before the backend server can reply. If wire sniffing is used, it is easier still to control the traffic coming from the server's side and thereby suppress the server's reply to the client in the first place.
With the new QUIC protocol it is going to be harder to do the above, as QUIC encrypts the entire transport channel.
The winners:
1. If you are using a Google server and the Chrome browser, you will notice a much faster internet experience.
The losers:
1. Other browsers that do not currently support QUIC.
2. Firewall and IDS systems, as it is much harder to inspect the current QUIC UDP sessions.
3. Competing TCP sessions, as they are going to lose when compared with QUIC UDP sessions, which most current security sensors do not inspect at all yet.
https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit
Wednesday, February 18, 2015
Thank you for your payment
THIS fake e-mail came to one of our systems today. Do not click on the attachment .exe.
This is confirmation that your payment on Wed, 18 Feb 2015 16:32:42 +0000 for USD 7900.00 has been
accepted by the NYC Department of Finance. Your Credit Card statement will show
an entry from Parking Fines NYCGOV. Please read the attachment and save it in case
you have any questions about the items that you have paid.
Name: sol chaimovits
Payment Date: Wed, 18 Feb 2015 16:32:42 +0000
Receipt Number: WWW87523543
Payment Amount: USD 7900.00
Credit Card: Visa
Account ending in: 1440
Your payment was for the following items:
Agency Item Amount
------------------------------ -------------------- ---------------
PVO 1160025162 USD 3000.00
PVO 7247746580 USD 4500.00
DOF Convenience Fee USD 400.00
Thank you for using New York City's website to process your payment.
Please do not reply to this email. You may contact us by visiting
http://nycserv.nyc.gov/NYCServWeb/ContactUs.html if you have questions
or need further assistance.
Hash and link: https://www.virustotal.com/en/file/EF74C90EAF5BAD3B27C12991C05D858173E7C5971655CB2E3FB165738B311E69/analysis/
Wednesday, February 11, 2015
IPS in Action, Canada Cyber managed services.
This is an example of an automated e-mail sent from one of our managed clients' IDS systems. In this example it is an inline IPS, so the attack is blocked in real time; the duty tech then receives an automated e-mail whose body contains the information below.
This exact data is from a hotel in Ottawa, Canada. As you are all aware, hotels are a hot spot for malware, as most users usually do things they should not do......
Later investigation revealed that the triggers first came from a user that was looking for escort services in Ottawa using backpage.com.
Oh yeah, do not try to Google for this, as this is part of the other web or dark web .... XXX sites are not known to search engines. Just like Tor and I2P, Google doesn't really index these things, unless you are looking for a one time love. ;-)
logid=021100 type=virus subtype=infected level=warning msg="File is infected." status="blocked" service=UNKNOWN(255) srcip=x.x.0.129 dstip=x.x.222.194 srcport=60509 dstport=80 srcintf="internal" dstintf="wan1" policyid=1 identidx=0 sessionid=56909525 direction=N/A quarskip="No skip" virus="Zeus" ref="https://en.wikipedia.org/wiki/Zeus_%28malware%29" profile="default" srcname="PerryXXXX" osname="Windows" analyticssubmit="false"
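As an added example (not part of the post, and not the IPS vendor's software), here is a Python parser for key=value log lines in the shape shown above, where double-quoted values may contain spaces and bare values may not, together with a small triage step that decides what the duty tech should do with the event. The sample line is the one from the post; the severity rules and suggested actions are assumptions for the demo.

```python
import re

# The log line from the post (source/destination addresses were already masked there).
SAMPLE_LOG = (
    'logid=021100 type=virus subtype=infected level=warning msg="File is infected." '
    'status="blocked" service=UNKNOWN(255) srcip=x.x.0.129 dstip=x.x.222.194 srcport=60509 '
    'dstport=80 srcintf="internal" dstintf="wan1" policyid=1 identidx=0 sessionid=56909525 '
    'direction=N/A quarskip="No skip" virus="Zeus" '
    'ref="https://en.wikipedia.org/wiki/Zeus_%28malware%29" profile="default" '
    'srcname="PerryXXXX" osname="Windows" analyticssubmit="false"'
)

# key=value pairs: either a double-quoted value (may contain spaces) or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_log(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(event):
    """Decide how to handle a parsed event. Severity rules are assumptions for this example."""
    if event.get("type") != "virus":
        return {"severity": "info", "actions": []}
    blocked = event.get("status") == "blocked"
    inside = event.get("srcintf") == "internal"
    actions = []
    if not blocked:
        actions.append("escalate: malware was not stopped")
    if inside:
        # Even when the IPS blocked the download, an internal host tried to fetch malware.
        actions.append(f"isolate and scan host {event.get('srcname')} ({event.get('srcip')})")
    actions.append(f"review policy {event.get('policyid')} / session {event.get('sessionid')}")
    return {
        "severity": "high" if not blocked else ("medium" if inside else "low"),
        "summary": (f"{event.get('virus')} {event.get('srcip')}:{event.get('srcport')} -> "
                    f"{event.get('dstip')}:{event.get('dstport')} "
                    f"{'blocked' if blocked else 'NOT blocked'}"),
        "actions": actions,
    }


if __name__ == "__main__":
    parsed = parse_kv_log(SAMPLE_LOG)
    print(triage(parsed))
```

The triage deliberately does not treat "blocked" as "done": the block stopped one download, but the srcintf=internal and srcname fields say which inside host went looking for it, and that host is what the hotel's tech needs to find and clean, exactly as the investigation in the post ended up doing.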
Friday, February 6, 2015
Current Cyber attacks on Canada
Current cyber-attacks against Canada Cyber's Canadian servers. This is from the last 24 hours as of Feb 6th 2015. This is a sample from 6 unique servers, each with a unique IP address, across eastern Canada. The map below shows the top source countries attacking. This data is derived from triggers based on SSH (TCP port 22), Telnet (TCP port 23) and RDP (TCP port 3389) attacks against our honeypots.
https://en.wikipedia.org/wiki/Honeypot_%28computing%29
Tuesday, January 6, 2015
Please secure your cookies,
For the love of god, please secure your cookies.
- If you are going to pass login information back to the client via a cookie, to make it easier for them to log in, please pass it back over the same secure channel, the same SSL stream, not over a different HTTP stream.
- Second, always, always hash or encrypt the contents of the cookie, so that if it travels in the clear or the client gets owned, it is that much harder to get Personally Identifiable Information (PII) out of the cookie.
- Last, and this is as easy as a grade 5 HTML class: do not name things username, user, pass, password, pw or usr, as these keywords are easy to find. It's better to hide them in code.
For all the bad coders out there, we love you. You keep us busy and employed.
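As an added example (not from the original post), here is one way to do all three points in Python, using only the standard library: the cookie carries nothing but a random session id and an expiry, authenticated with HMAC-SHA256 so it cannot be altered, the user's details stay in a server-side store, and the Set-Cookie header carries the Secure and HttpOnly flags so the cookie is never sent over plain HTTP or exposed to page scripts. The secret key, the in-memory session store and the nondescript cookie name "s" are assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side secret; in production load it from configuration, never hard-code it.
SECRET_KEY = b"constructed-demo-secret-for-this-example-only"

# Server-side session store standing in for a database or cache (constructed for the example).
SESSIONS = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_record, ttl_seconds=3600, key=SECRET_KEY, now=None):
    """Create an opaque, tamper-evident cookie value.

    The user's details stay in SESSIONS; the cookie only carries a random session id
    and an expiry, authenticated with HMAC-SHA256, so no PII is in the clear.
    """
    now = int(time.time()) if now is None else now
    sid = secrets.token_urlsafe(32)
    expiry = now + ttl_seconds
    SESSIONS[sid] = dict(user_record, exp=expiry)
    payload = json.dumps({"sid": sid, "exp": expiry}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session_cookie(value, key=SECRET_KEY, now=None):
    """Return the stored user record if the cookie is genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return SESSIONS.get(data["sid"])


def set_cookie_header(name, value, max_age=3600):
    """Build the Set-Cookie header: Secure keeps it on HTTPS only, HttpOnly keeps it away
    from page scripts, SameSite limits cross-site sending. Use a nondescript name."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    cookie = make_session_cookie({"user": "alice", "email": "alice@example.com"})
    print(set_cookie_header("s", cookie))
    print(verify_session_cookie(cookie))
```

Because the cookie never contains the user's name, e-mail or password, there is nothing to hash or encrypt in it; the HMAC tag is what stops a client from editing the session id or extending the expiry, and the store on the server is the only place the personal data ever lives.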
Saturday, January 3, 2015
Hacking as a service !!!!!
A new Russian hacking site promises to sell you the hacking of accounts on Facebook, Classmates and the popular Russian social media site ВКонтакте.
CanadaCyber discovered this after one of our underground contacts informed us about a new website that is selling services to allow users to hack into other users' accounts.
The innovative thing about this is the service model. Previously most Russian hacking sites would sell you just tools: you would pay, then you would get a link to download the tools, and that would be the end of it. Also, for the most part the tools would usually stop working after 1-2 weeks as they are then detected by AV vendors.
Now this is different, as the site does the work, not tools you have downloaded that can easily be identified. So you have no idea what new exploit they are using at that time.
This also ensures that if the adversaries have found a 0-day in something like Facebook, only they know how to use it and exploit it for financial gain, as the clients are pivoting through the hackers and the hackers are doing the work in a service model.
Below are screens from the site, after using Google Translate to translate it.
As we at Canada Cyber continue to fight cyber threats, we have submitted this to some of the big vendors we deal with.
We also love this part, LOL. The site's registration page says (in Russian in the original):
The information provided by you at registration is completely confidential and will not be divulged to third parties.
We started looking deeper into what this site is exactly doing, and we noticed that the source code they are using comes from another site that offers the same thing.
So we went to the site and it's the same thing.
And this is what they do:
1. You place an order on hack
Leave an order for hacking the account in our system and it will be available to carry out by the hackers. You can pay money for hacking the account when it will be done.
2. A hacker will fulfill your order
A hacker gets your order and then after breaking he informs our system login, password, and a screenshot of the victim whose account he has hacked.
3. We will check the hacked account
We will check the hacked account (login and password whether they are valid). If the login and password are hacked, then the system will change the status of your order for Done.
4. Get login and password from a hacked account
As soon as the order is given the status Done, you can see a screenshot from the personal account of the victim, so we affirm the fact of a successful hack. You need to make a payment for your order and our system will automatically inform you login and password from a compromised account.
-=ALERT=- Do not visit these sites from your computer, due to embedded malware. -=ALERT=-