Tales from the SOC side. Vol.1
Dark tales from our SOC.
Tales from the SOC side...
The security alarms and events we have recently seen in our SOC.
Welcome to the SOC side.
In the tradition of those old late night TV shows like Tales from the Darkside, The Twilight Zone and Tales from the Crypt, we will be adding some posts to our blog with some interesting incidents, events and other threats that have been flagged in our SOC, which we provide as a service within our managed detection and response (MDR) offering.
The tale of the Oracle Weblogic XML Decoder exploits ghoul that would not go away.
We discovered this exploit attempting to attack all our customers in late April 2018. We immediately advised all our customers that were using Oracle Weblogic to patch their systems. What ensued until late June, was a barrage of bots from all over the world sending the exploit to try gain privileged access. The exploit generated over 3000 alarms in our SOC.
If you are using Oracle Weblogic versions 10.3.6.0.0 / 220.127.116.11.0 / 18.104.22.168.0 / 22.214.171.124.0 and the ghoul has not compromised your system... yet, please patch it as soon as possible:
The tale of the IIS 6.0 vulnerability buffer overflow immortal.
This immortal vulnerability will not go away, for a simple reason - There are still over 600000 confirmed public available IIS 6.0 servers, most of them are assumedly running Windows Server 2003, even though Microsoft has stopped supporting this version of IIS and Server. The exploit was found to be a simple python script that could execute calc.exe on a vulnerable server. The script potentially could be modified with a malicious executable which allows privilege escalation. Our suggestion is to use a newer version of IIS. If this is not possible for whatever reason, we found a micro-patch from 0Patch that helped. Contact us for further assistance.
A tale of 2 zero-day vulnerabilities fused into 1.
Recently we have noticed indicators of compromise file hashes pointing to 2 zero-day vulnerabilities discovered within 1 PDF sample. One was a remote code execution vulnerability for Adobe, while the other was a Windows privilege escalation vulnerability. The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. This type of attack is used by APT teams. This attack was first discovered by ESET in March.
Adobe and Microsoft fix:
Inside the Tescrypt Trojan.
Our threat intelligence solution has seen an escalation of Win32/Tescrypt trojan in the last 48 hours. There have been different indicators detected to correlate the resurgence of this ransomware trojan.
1. A common, known packer F-Prot is being reported.
2. The same origin language ID has been identified.
3. A polymorphic packer has been identified, which is copying a slightly modified version of itself.
4. The packer is also checking the amount of memory available, which can be used to detect low memory on virtual machines.
5. A common binary dropper has been identified, which drops the executable in %appdata%.
6. The executable on the filesystem is confirmed as created.
7. P2P CNC communication to a list various IP's have been identified.
These same 7 indicators have been consistently identified over 100000 times in a short space of time.
Luckily, Virustotal has confirmed that the trojan is identified by over 60 Antivirus engines, so it is likely that your antivirus will quarantine or delete it, but please ensure your Antivirus is updated.
The Google Goblin eats your privacy.
Did you know?
Even though Google is a lot stricter with your data, the company still enables app developers to ask you for complete access to your Google account, including the content of your emails and contacts.
The apps have to get consent from you when you are opting-in, but some of these apps can literally read sensitive data within the body of your emails.
This is what you can do now to revoke any unwanted apps from your Google account:
- Head on to your Google's "My Account" page and log in with your Gmail credentials, if you have not already.
- Once logged in, you will be able to see and review all the third-party apps you have given access to your Google accounts, including Gmail.
- Apps with access to your Gmail inbox will have a label called "Has access to Gmail" beneath its entry.
- Since Google currently does not provide a way to get rid of just the Gmail access, you can completely disable that app's access by hitting the "Remove Access" button.