INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Google ad traffic leads to stealer packages based on free software
Published: 2022-12-22
Last Updated: 2022-12-23 01:22:31 UTC
by Brad Duncan (Version: 1)
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other scripts that used free or open source programs.
Read the full diary entry: https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376/
SPF and DMARC use on GOV domains in different ccTLDs
Published: 2022-12-30
Last Updated: 2022-12-30 15:43:16 UTC
by Jan Kopriva (Version: 1)
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call “robust” or “secure”[1]. By itself, the protocol lacks any security features for ensuring (among other things) the integrity or authenticity of transferred data or the identity of its sender, and creating a “spoofed” e-mail is therefore quite easy. This poses a significant issue, especially when one considers that most ordinary people don’t tend to question the validity of official-looking messages if they appear to have been sent from a respectable/well-known domain.
Even disregarding the current geopolitical situation, it is clear that certain domains are of significantly higher interest than others to criminals as well as state-sponsored actors when it comes to spoofing e-mail. Among the more interesting ones are – without a doubt – governmental domains, e.g., domain.GOV in the US or domain.GOV.ccTLD in other countries. Which brings us to the topic of today’s diary: how big of an issue might e-mail spoofing be for these particular domains?
But first things first. Because of the aforementioned lack of built-in security features, numerous extensions and additions to SMTP have been introduced over time, intended to add different security mechanisms to it, either on an end-to-end or a hop-by-hop (originating server to recipient server) basis.
Three of these additions, which deserve special attention from any domain owner, are SPF[2], DKIM[3] and DMARC[4]. SPF lets a domain owner publish in DNS which servers are “allowed” to send e-mail for the domain; DKIM lets the sending server sign messages with a key published in DNS, so that receivers can verify that a message really came from that domain and was not altered in transit; and DMARC ties both checks to the domain in the visible From: header and adds a policy (none, quarantine or reject) and a reporting framework for receivers. In general, it is considered good practice to ensure that the corresponding SPF, DKIM and DMARC DNS records are set (and that the corresponding mechanisms and keys are configured on the relevant mail servers) for any domain which is going to be used for sending e-mail.
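The check behind a survey like this one is easy to script. The following is an added example (not code from the diary or from ISC): it parses SPF and DMARC TXT records and reports what a receiver would do with a message that spoofs the domain from an IP the owner never listed. The zone data is constructed for the example; a real checker would replace lookup_txt with a DNS query of the TXT RRset of <domain> (SPF) and _dmarc.<domain> (DMARC). The verdict labels (enforced, undermined, unenforced) are this script's own terminology.

```python
"""Grade SPF and DMARC records for how a receiver would treat a message
that spoofs the domain from an IP the owner never listed."""
import re
from typing import Dict, List

# Constructed zone data for this example (not real DNS answers). A real checker
# queries the TXT RRset of <domain> for SPF and of _dmarc.<domain> for DMARC.
SAMPLE_ZONES: Dict[str, Dict[str, List[str]]] = {
    "strict.example": {
        "@": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    },
    "soft.example": {
        "@": ["v=spf1 mx ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:reports@soft.example"],
    },
    "broken.example": {
        # Two SPF records: RFC 7208 section 4.5 makes this a permerror, so the
        # "-all" in the first record protects nothing.
        "@": ["v=spf1 ip4:198.51.100.1 -all",
              "v=spf1 include:other.example ~all"],
        "_dmarc": [],
    },
    "open.example": {
        # "+all" authorises every IP on the Internet, and pct=0 applies the
        # quarantine policy to zero percent of failing mail.
        "@": ["v=spf1 +all"],
        "_dmarc": ["v=DMARC1; p=quarantine; pct=0"],
    },
    "none.example": {"@": ["site-verification=abc123"], "_dmarc": []},
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(zones: Dict[str, Dict[str, List[str]]], domain: str, label: str = "@") -> List[str]:
    """Stand-in for a DNS TXT query of <domain> ("@") or <label>.<domain>."""
    return zones.get(domain, {}).get(label, [])


def spf_default_result(txts: List[str]) -> str:
    """SPF result for a sender that matches none of the mechanisms, i.e. a spoofer.

    Returns none (no record), permerror (several records), pass/fail/softfail/
    neutral (qualifier on "all"), or redirect (delegated to another record).
    """
    # RFC 7208 4.5: keep only records whose version section is exactly "v=spf1".
    records = [t for t in txts if re.match(r"^v=spf1(\s|$)", t, re.I)]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    redirect = False
    for term in records[0].split()[1:]:
        # Mechanism: optional qualifier, name, optional ":arg" and/or "/cidr".
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:/].*)?$", term, re.I)
        if m and m.group(2).lower() == "all":
            return SPF_QUALIFIERS[m.group(1) or "+"]  # terms after "all" are ignored
        if term.lower().startswith("redirect="):
            redirect = True
    # Without an "all" mechanism the default result is neutral, unless redirect= applies.
    return "redirect" if redirect else "neutral"


def dmarc_policy(txts: List[str]) -> Dict[str, str]:
    """Effective DMARC policy from the _dmarc TXT records.

    Returns {"policy": reject|quarantine|none|absent|invalid, ...}.
    """
    records = [t for t in txts if re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", t)]
    if not records:
        return {"policy": "absent"}
    if len(records) > 1:  # RFC 7489 6.6.3: more than one record -> no policy at all
        return {"policy": "invalid"}
    tags: Dict[str, str] = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return {"policy": "invalid"}  # "p" is mandatory and must be one of these
    pct = tags.get("pct", "100")
    pct_int = int(pct) if pct.isdigit() else 100  # this script's choice: unparseable pct -> default 100
    # pct=0 applies the policy to no messages, so the effective policy is "none".
    effective = p if pct_int > 0 else "none"
    return {"policy": effective, "requested": p, "pct": str(pct_int), "rua": tags.get("rua", "")}


def assess(zones: Dict[str, Dict[str, List[str]]], domain: str) -> Dict[str, str]:
    """Combine both records into a verdict on spoofing the From: domain."""
    spf = spf_default_result(lookup_txt(zones, domain, "@"))
    dmarc = dmarc_policy(lookup_txt(zones, domain, "_dmarc"))["policy"]
    if dmarc in ("reject", "quarantine"):
        # DMARC passes if either aligned SPF or aligned DKIM passes; "+all"
        # hands the spoofer an aligned SPF pass, so the policy never triggers.
        verdict = "undermined" if spf == "pass" else "enforced"
    else:
        # Without DMARC enforcement nothing checks the From: header; SPF at most
        # covers the envelope sender, and only if the receiver acts on it.
        verdict = "unenforced"
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "verdict": verdict}


if __name__ == "__main__":
    for name in SAMPLE_ZONES:
        print(assess(SAMPLE_ZONES, name))
```

Two of the constructed cases are the ones that trip up naive "does a record exist" surveys: broken.example publishes a strict "-all" but in two records, which RFC 7208 turns into a permerror, and open.example publishes a DMARC policy that pct=0 reduces to monitoring only.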
Read the full diary entry:
https://isc.sans.edu/diary/SPF+and+DMARC+use+on+GOV+domains+in+different+ccTLDs/29384/
It's about time: OS Fingerprinting using NTP
Published: 2023-01-03
Last Updated: 2023-01-03 17:30:07 UTC
by Johannes Ullrich (Version: 1)
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.
One of the most obvious and best-documented ways to identify an operating system based on NTP is the hostname of the NTP server. For example:
time.apple.com for Apple
time.windows.com for Microsoft
Others use subdomains of pool.ntp.org. Pool.ntp.org offers free time servers provided by the community. They are currently claiming around 4,000 participating servers. In the past, vendors have, in a few cases, abused this system and caused a DoS against some public NTP servers. To better control traffic, vendors are offered subdomains, and you may see them used. For example:
android.pool.ntp.org - Android
amazon.pool.ntp.org - Amazon devices (Kindle, Echo)
askozia.pool.ntp.org
centos.pool.ntp.org
debian.pool.ntp.org
dragonfly.pool.ntp.org
freebsd.pool.ntp.org
irobot.pool.ntp.org
opnsense.pool.ntp.org
rhel.pool.ntp.org
smartos.pool.ntp.org
And many more.
But the opportunities for fingerprinting do not end with DNS. Different operating systems, or versions of operating systems, use different NTP implementations. There are, for example:
timed - used by Apple
chrony - used by newer Linux versions
ntpd - the old "default" and probably still the most widely used NTP daemon
Windows Time Service (w32time) - Windows
I collected the first NTP packet emitted by different operating systems after reboot. I picked the first one as it has yet to be informed by any responses from the timeserver. All systems were reasonably in sync before the reboot. tcpdump does a decent job analyzing NTP if the verbose options are selected, and below you will see the tcpdump output. Hosts participating in pool.ntp.org could also use that to fingerprint clients. Shodan once proposed joining pool.ntp.org to find more IPv6 hosts, as scanning for them is not feasible [3].
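To turn such captures into a fingerprint you need to decode the fixed NTP header and keep only the fields that do not change with the clock value. The following is an added example, not code from the diary: it parses the 48-byte header defined in RFC 5905, reduces it to a signature tuple, and looks the tuple up in a table you build from packets of hosts whose OS you know. The three packets are constructed with struct.pack, the labels "implementation A" and "implementation B" are placeholders, and no claim is made about which real implementation produces which field values; that mapping has to come from captures like the ones described above.

```python
"""Decode the 48-byte NTP header of a client request (UDP/123) and reduce it
to the field tuple that differs between NTP implementations."""
import struct
from typing import Any, Dict, Tuple

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
# LI/VN/mode byte, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit timestamps (RFC 5905).
HEADER = struct.Struct("!BBbbII4sQQQQ")


def ntp_short(value: int) -> float:
    """NTP short format: 16-bit seconds plus 16-bit fraction."""
    return value / 65536.0


def ntp_ts_to_unix(ts: int) -> float:
    """64-bit NTP timestamp to Unix seconds; 0 stays 0 and means 'unset'."""
    if ts == 0:
        return 0.0
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / 2**32


def decode(pkt: bytes) -> Dict[str, Any]:
    """Parse the fixed header; anything after 48 bytes is extension fields or a MAC."""
    if len(pkt) < HEADER.size:
        raise ValueError(f"NTP header needs {HEADER.size} bytes, got {len(pkt)}")
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmt_ts) = HEADER.unpack_from(pkt)
    return {
        "li": flags >> 6, "vn": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": ntp_short(root_delay), "root_dispersion": ntp_short(root_disp),
        # ASCII kiss code / clock name at stratum 0-1, an IPv4 or hash otherwise
        "refid": refid.decode("ascii") if refid.isalpha() else refid.hex(),
        "ref_ts": ntp_ts_to_unix(ref_ts), "orig_ts": ntp_ts_to_unix(orig_ts),
        "recv_ts": ntp_ts_to_unix(recv_ts), "xmt_ts": ntp_ts_to_unix(xmt_ts),
        "trailer_len": len(pkt) - HEADER.size,
    }


def signature(pkt: bytes) -> Tuple:
    """Everything in the header that does not depend on the current clock value."""
    f = decode(pkt)
    return (f["vn"], f["mode"], f["li"], f["stratum"], f["poll"], f["precision"],
            f["root_delay"], f["root_dispersion"], f["refid"],
            f["ref_ts"] == 0, f["orig_ts"] == 0, f["recv_ts"] == 0, f["xmt_ts"] == 0,
            f["trailer_len"])


def classify(pkt: bytes, known: Dict[Tuple, str]) -> str:
    """Look the packet's signature up in a table built from hosts of known OS."""
    return known.get(signature(pkt), "unknown")


def build_client_packet(vn: int, li: int = 0, stratum: int = 0, poll: int = 6,
                        precision: int = -6, root_delay: int = 0, root_disp: int = 0,
                        refid: bytes = b"\0\0\0\0", xmt_ts: int = 0, trailer: bytes = b"") -> bytes:
    """Build a mode-3 (client) packet; used here only to construct sample input."""
    flags = (li << 6) | (vn << 3) | 3
    return HEADER.pack(flags, stratum, poll, precision, root_delay, root_disp,
                       refid, 0, 0, 0, xmt_ts) + trailer


# Constructed samples, not captures. A1 and A2 stand for one hypothetical
# implementation sending its first request after two different reboots;
# B stands for a second one (NTPv3, leap bits 3 = clock unsynchronised).
XMT_A = ((1672704000 + NTP_UNIX_OFFSET) << 32) | 0x12345678  # 2023-01-03 00:00:00 UTC
PKT_A1 = build_client_packet(vn=4, xmt_ts=XMT_A)
PKT_A2 = build_client_packet(vn=4, xmt_ts=XMT_A + (3600 << 32))
PKT_B = build_client_packet(vn=3, li=3, poll=10, precision=-20, root_disp=0x00010000)

# Enrolment table: signature -> label. Labels are placeholders for the OS names
# you learn by capturing from hosts you control.
KNOWN = {signature(PKT_A1): "implementation A", signature(PKT_B): "implementation B"}

if __name__ == "__main__":
    for name, pkt in (("A1", PKT_A1), ("A2", PKT_A2), ("B", PKT_B)):
        print(name, classify(pkt, KNOWN), decode(pkt))
```

To run this against real traffic, feed it the UDP payloads of port 123 packets pulled from a capture (for example with scapy's rdpcap and bytes(pkt[UDP].payload)), enrol packets from hosts whose OS you know, and then classify the rest. The transmit timestamp is deliberately reduced to "zero or not" in the signature, since its value changes with every packet while its presence or absence is a property of the implementation.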
Read the full diary entry:
https://isc.sans.edu/diary/Its+about+time+OS+Fingerprinting+using+NTP/29394/