Category: Network Security

Jul 11 2018

Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

Thanks to my colleague Christiaan Beek for his advice and contributions.

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

The dark web contains RDP shops, online platforms selling remote desktop protocol (RDP) access to hacked machines, from which one can buy logins to computer systems to potentially cripple cities and bring down major companies.

RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool for systems administrators. In the wrong hands, RDP can be used to devastating effect. The recent SamSam ransomware attacks on several American institutions demonstrate how RDP access serves as an entry point. Attacking a high-value network can be as easy and cheap as going underground and making a simple purchase. Cybercriminals like the SamSam group only have to spend an initial $10 dollars to get access and are charging $40K ransom for decryption, not a bad return on investment.

A screenshot of, one of the most popular RDP-shops, largely due to the variety of services offered.

Shops explained

Security maven Brian Krebs wrote the article “Really Dumb Passwords” in 2013. That short phrase encapsulates the vulnerability of RDP systems. Attackers simply scan the Internet for systems that accept RDP connections and launch a brute-force attack with popular tools such as, Hydra, NLBrute or RDP Forcer to gain access. These tools combine password dictionaries with the vast number of credentials stolen in recent large data breaches. Five years later, RDP shops are even larger and easier to access.

The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale at Ultimate Anonymity Service (UAS), a Russian business and the largest active shop we researched. We also looked at smaller shops found through forum searches and chats. During the course of our research we noticed that the size of the bigger shops varies from day to day with about 10%. The goal of our research was not to create a definitive list of RDP shops; rather, we sought a better understanding of the general modus operandi, products offered, and potential victims.

The number of compromised systems claimed to be available for sale by several RDP shops. A single compromised system can appear on more than one shop’s list.

RDP access by cybercriminals

How do cybercriminals (mis)use RDP access? RDP was designed to be an efficient way to access a network. By leveraging RDP, an attacker need not create a sophisticated phishing campaign, invest in malware obfuscation, use an exploit kit, or worry about antimalware defenses. Once attackers gain access, they are in the system. Scouring the criminal underground, we found the top uses of hacked RDP machines promoted by RDP shops.

False flags: Using RDP access to create misdirection is one of the most common applications. While preserving anonymity, an attacker can make it appear as if his illegal activity originates from the victim’s machine, effectively planting a false flag for investigators and security researchers. Attackers can plant this flag by compiling malicious code on the victim’s machine, purposely creating false debugging paths and changing compiler environment traces.

Spam: Just as spammers use giant botnets such as Necrus and Kelihos, RDP access is popular among a subset of spammers. Some of the systems we found for sale are actively promoted for mass-mailing campaigns, and almost all the shops offer a free blacklist check, to see if the systems were flagged by SpamHaus and other antispam organizations.

Account abuse, credential harvesting, and extortion: By accessing a system via RDP, attackers can obtain almost all data stored on a system. This information can be used for identity theft, account takeovers, credit card fraud, and extortion, etc.

Cryptomining: In the latest McAfee Labs Threats Report, we wrote about the increase in illegal cryptocurrency mining due to the rising market value of digital currencies. We found several criminal forums actively advertising Monero mining as a use for compromised RDP machines.

Monero mining via RDP advertised on a cybercriminal forum.

Ransomware: The large majority of ransomware is still spread by phishing emails and exploit kits. However, specialized criminal groups such as SamSam are known to use RDP to easily enter their victims’ networks almost undetected.

RDP shop overview

Systems for sale: The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.

Third-party resellers: When comparing “stock” among several RDP shops, we found that the same RDP machines were sold at different shops, indicating that these shops act as resellers.

Windows Embedded Standard: Windows Embedded Standard, now called Windows IOT, is used in a wide variety of systems that require a small footprint. These systems can range from thin clients to hotel kiosk systems, announcement boards, point-of-sale (POS) systems, and even parking meters among others.

Among the thousands of RDP-access systems offered, some configurations stood out. We found hundreds of identically configured Windows Embedded Standard machines for sale at UAS Shop and BlackPass; all these machines were in the Netherlands. This configuration was equipped with a 1-GHz VIA Eden processor. An open-source search of this configuration revealed that it is most commonly used in thin clients and some POS systems. The configurations are associated with several municipalities, housing associations, and health care institutions in the Netherlands.

Thin client and POS systems are often overlooked and not commonly updated, making them an ideal backdoor target for an attacker. Although these systems have a small physical footprint, the business impact of having such a system compromised should not be underestimated. As we’ve observed from previous breaching of retailers leveraging unpatched or vulnerable POS systems, the damage extends far beyond financial only, including customer perception and long-term brand reputation.  In regard to the current affected systems we discovered, McAfee has notified the identified victims and is working to learn further detail on why and how these identical Windows systems were compromised.

Government and health care institutions: We also came across multiple government systems being sold worldwide, including those linked to the United States, and dozens of connections linked to health care institutions, from hospitals and nursing homes to suppliers of medical equipment. In a March blog post, the Advanced Threat Research team showed the possible consequences of ill-secured medical data and what can happen when an attacker gains access to medical systems. It is very troublesome to see that RDP shops offer an easy way in.

Additional products for sale

Services offered by our researched RDP shops.

In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. The second-largest RDP shop we researched, BlackPass, offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts.

For legal and ethical reasons, we did not purchase any of the products offered. Therefore, we cannot determine the quality of the services.

RDP ransomware attack scenario

Is it possible to find a high-value victim using an RDP shop? The Advanced Threat Research team put this theory to the test. By leveraging the vast amounts of connections offered by the RDP shops, we were able to quickly identify a victim that fits the profile of a high-value target in the United States.

We found a newly posted (on April 16) Windows Server 2008 R2 Standard machine on the UAS Shop. According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system.

RDP access offered for sale.

UAS Shop hides the last two octets the of the IP addresses of the systems it offers for sale and charges a small fee for the complete address. (We did not pay for any services offered by UAS or any other shop.) To locate the system being sold, we used to search for any open RDP ports at that specific organization using this query:

org:”City  XXX” port:”3389”

The results were far more alarming than we anticipated. The Shodan search narrowed 65,536 possible IPs to just three that matched our query. By obtaining a complete IP address we could now look up the WHOIS information, which revealed that all the addresses belonged to a major International airport. This is definitely not something you want to discover on a Russian underground RDP shop, but the story gets worse.

From bad to worse

Two of the IP addresses presented a screenshot of the accessible login screens.

A login screen that matches the configuration offered in the RDP shop.

A closer look at the screenshots shows that the Windows configuration (preceding screen) is identical to the system offered in the RDP shop. There are three user accounts available on this system, one of which is the administrator account. The names of the other accounts seemed unimportant at first but after performing several open-source searches we found that the accounts were associated with two companies specializing in airport security; one in security and building automation, the other in camera surveillance and video analytics. We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz.

The login screen of a second system on the same network.

Looking at the other login account (preceding screen), we saw it is part of the domain with a very specific abbreviation. We performed the same kind of search on the other login account and found the domain is most likely associated with the airport’s automated transit system, the passenger transport system that connects terminals. It is troublesome that a system with such significant public impact might be openly accessible from the Internet.

Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack.


To publish our findings, we have anonymized the data to prevent any disclosure of sensitive security information.

Basic forensic and security advice

Playing hide and seek

Besides selling countless connections, RDP shops offer tips on how to remain undetected when an attacker wants to use the freshly bought RDP access.

This screen from the UAS Shop’s FAQ section explains how to add several registry keys to hide user accounts.

The UAS Shop offers a zip file with a patch to allow multiuser RDP access, although it is not possible by default on some Windows versions. The zip file contains two .reg files that alter the Windows registry and a patch file that alters termsvrl.dll to allow concurrent remote desktop connections.

These alterations to the registry and files leave obvious traces on a system. Those indicators can be helpful when investigating misuse of RDP access.

In addition to checking for these signs, it is good practice to check the Windows event and security logs for unusual logon types and RDP use. The following screen, from the well-known SANS Digital Forensics and Incident Response poster, explains where the logs can be found.

Source: SANS DFIR Poster 2015.

Basic RDP security measures

Outside access to a network can be necessary, but it always comes with risk. We have summarized some basic RDP security measures:

  • Using complex passwords and two-factor authentication will make brute-force RDP attacks harder to succeed
  • Do not allow RDP connections over the open Internet
  • Lock out users and block or timeout IPs that have too many failed login attempts
  • Regularly check event logs for unusual login attempts
  • Consider using an account-naming convention that does not reveal organizational information
  • Enumerate all systems on the network and list how they are connected and through which protocols. This also applies for Internet of Things and POS systems.


Remotely accessing systems is essential for system administrators to perform their duties. Yet they must take the time to set up remote access in a way that is secure and not easily exploitable. RPD shops are stockpiling addresses of vulnerable machines and have reduced the effort of selecting victims by hackers to a simple online purchase.

Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock. Just as we check the doors and windows when we leave our homes, organizations must regularly check which services are accessible from the outside and how they are secured. Protecting systems requires an integrated approach of defense in depth and proactive attitudes from every employee.

The post Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks appeared first on McAfee Blogs.

Jun 06 2018

VPNFilter Malware Adds Capabilities to Exploit Endpoints

VPNFilter, a botnet-controlled malware that infects networking devices, was first documented by researchers from Cisco Talos. McAfee Labs also published a blog on May 23 with some initial information.

In our last post we discussed the three stages of infection and the devices affected by the malware, and how it can maintain a persistent presence on an infected device even after a reboot. The malware can also monitor traffic routed through the infected device. (Read the first post for more details.)

In this post we will report new information released by Cisco Talos. The findings reveal that that malware now targets additional devices, including products from Huawei, Asus, D-Link, Ubiquiti Networks, MikroTik, Upvel, ZTE Linksys, Netgear, and TP-Link.

In our previous post, we discussed two modules, a traffic sniffer and Tor, used in Stage 3 of the infection. Now researchers have analysed a third module in the third stage that intercepts network traffic by using a man-in-the-middle attack and injects malicious code while content passes through the router. Using this new module, an attacker can launch an exploit, and perform data exfiltration or a JavaScript injection onto the victim’s device.

The malware added another module that deletes its traces on the infected device. It then clears the flash memory and deletes operating system files, rendering the device inoperable.

The new Stage-3 module’s packet sniffer looks for basic authentication in the traffic content, and also monitors connections for industrial control systems traffic related to the Modbus protocol, which is typically used in SCADA systems. 

Coverage and Mitigation

The aforementioned IOCs are covered as follows:

  • Detection names for files: Linux/VPNFilter
  • V3 DAT with coverage version: 3367
  • V2 DAT with coverage version: 8916

All samples are classified in the GTI cloud as malware, as well as all relevant URLs.

Further Recommendations from the Talos Threat Research Team

  • Reboot SOHO routers and NAS devices to remove the potentially destructive, nonpersistent Stage 2 and Stage 3 malware
  • Work with the manufacturer to ensure that your device is up to date with the latest patches. Apply the updated patches immediately.
  • ISPs should aggressively work with their customers to ensure their devices are patched to the most recent firmware 

Updated Indicators of Compromise and Sample Hashes 

URLs and IP addresses

  • photobucket[.]com/user/millerfred/library
  • photobucket[.]com/user/jeniferaniston1/library
  • photobucket[.]com/user/lisabraun87/library
  • photobucket[.]com/user/eva_green1/library
  • photobucket[.]com/user/suwe8/library
  • photobucket[.]com/user/bob7301/library
  • toknowall[.]com
  • photobucket[.]com/user/amandaseyfried1/library
  • photobucket[.]com/user/nikkireed11/library
  • 4seiwn2ur4f65zo4[.]onion/bin256/update.php
  • zm3lznxn27wtzkwa[.]onion/bin16/update.php
  • photobucket[.]com/user/kmila302/library
  • photobucket[.]com/user/monicabelci4/library
  • photobucket[.]com/user/katyperry45/library
  • photobucket[.]com/user/saragray1/library
  • zuh3vcyskd4gipkm[.]onion/bin32/update.php
  • 6b57dcnonk2edf5a[.]onion/bin32/update.php
  • tljmmy4vmkqbdof4[.]onion/bin32/update.php
  • 46.151.209[.]33
  • 217.79.179[.]14
  • 91.214.203[.]144
  • 94.242.222[.]68
  • 82.118.242[.]124
  • 95.211.198[.]231
  • 195.154.180[.]60
  • 5.149.250[.]54
  • 94.185.80[.]82
  • 91.121.109[.]209
  • 217.12.202[.]40
  • 62.210.180[.]229
  • 91.200.13[.]76

File Hashes

  • 00C9BBC56388E3FFFC6E53EF846AD269E7E31D631FE6068FF4DC6C09FB40C48B
  • 0424167DA27214CF2BE0B04C8855B4CDB969F67998C6B8E719DD45B377E70353
  • 055BBE33C12A5CDAF50C089A29EAECBA2CCF312DFE5E96183B810EB6B95D6C5A
  • 0649FDA8888D701EB2F91E6E0A05A2E2BE714F564497C44A3813082EF8FF250B
  • 081E72D96B750A38EF45E74D0176BEB982905AF4DF6B8654EA81768BE2F84497
  • 0DC1E3F36DC4835DB978A3175A462AA96DE30DF3E5031C5D0D8308CDD60CBEDE
  • 11533EEDC1143A33C1DEAE105E1B2B2F295C8445E1879567115ADEBFDDA569E2
  • 1367060DB50187ECA00AD1EB0F4656D3734D1CCEA5D2D62F31F21D4F895E0A69
  • 14984EFDD5343C4D51DF7C79FD6A2DFD791AA611A751CC5039EB95BA65A18A54
  • 181408E6CE1A215577C1DAA195E0E7DEA1FE9B785F9908B4D8E923A2A831FCE8
  • 1CB3B3E652275656B3AE824DA5FB330CCCD8B27892FB29ADC96E5F6132B98517
  • 1E741EC9452AAB85A2F7D8682EF4E553CD74892E629012D903B521B21E3A15BF
  • 218233CC5EF659DF4F5FDABE028AB43BC66451B49A6BFA85A5ED436CFB8DBC32
  • 24B3931E7D0F65F60BBB49E639B2A4C77DE83648FF08E097FF0FA6A53F5C7102
  • 29AE3431908C99B0FFF70300127F1DB635AF119EE55CD8854F6D3270B2E3032E
  • 2AA7BC9961B0478C552DAA91976227CFA60C3D4BD8F051E3CA7415CEAEB604CA
  • 2AF043730B632D237964DD6ABD24A7F6DB9DC83AAB583532A1238B4D4188396B
  • 2B39634DCE9E7BB36E338764EF56FD37BE6CD0FAA07EE3673C6E842115E3CEB1
  • 2C2412E43F3FD24D766832F0944368D4632C6AA9F5A9610AB39D23E79756E240
  • 2EF0E5C66F6D46DDEF62015EA786B2E2F5A96D94AB9350DD1073D746B6922859
  • 2FFBE27983BC5C6178B2D447D8121CEFAA5FFA87FE7B9E4F68272CE54787492F
  • 313D29F490619E796057D50BA8F1D4B0B73D4D4C6391CF35BAAAACE71EA9AC37
  • 33D6414DCF91B9A665D38FAF4AE1F63B7AA4589FE04BDD75999A5E429A53364A
  • 350EAA2310E81220C409F95E6E1E53BEADEC3CFFA3F119F60D0DAACE35D95437
  • 36E3D47F33269BEF3E6DD4D497E93ECE85DE77258768E2FA611137FA0DE9A043
  • 375EDEDC5C20AF22BDC381115D6A8CE2F80DB88A5A92EBAA43C723A3D27FB0D6
  • 39DC1ADED01DAAF01890DB56880F665D6CAFAB3DEA0AC523A48AA6D6E6346FFF
  • 3BBDF7019ED35412CE4B10B7621FAF42ACF604F91E5EE8A903EB58BDE15688FF
  • 3BD34426641B149C40263E94DCA5610A9ECFCBCE69BFDD145DFF1B5008402314
  • 3DF17F01C4850B96B00E90C880FDFABBD11C64A8707D24488485DD12FAE8EC85
  • 4497AF1407D33FAA7B41DE0C4D0741DF439D2E44DF1437D8E583737A07EC04A1
  • 47F521BD6BE19F823BFD3A72D851D6F3440A6C4CC3D940190BDC9B6DD53A83D6
  • 4896F0E4BC104F49901C07BC84791C04AD1003D5D265AB7D99FD5F40EC0B327F
  • 48BFCBC3162A0B00412CBA5EFF6C0376E1AE4CFBD6E35C9EA92D2AB961C90342
  • 49A0E5951DBB1685AAA1A6D2ACF362CBF735A786334CA131F6F78A4E4C018ED9
  • 4AF2F66D7704DE6FF017253825801C95F76C28F51F49EE70746896DF307CBC29
  • 4BEBA775F0E0B757FF32EE86782BF42E997B11B90D5A30E5D65B45662363ECE2
  • 4BFC43761E2DDB65FEDAB520C6A17CC47C0A06EDA33D11664F892FCF08995875
  • 4C596877FA7BB7CA49FB78036B85F92B581D8F41C5BC1FA38476DA9647987416
  • 4D6CBDE39A81F2C62D112118945B5EEB1D73479386C962ED3B03D775E0DCCFA0
  • 4E022E4E4EE28AE475921C49763EE620B53BF11C2AD5FFFE018AD09C3CB078CC
  • 4FA1854FBEC31F87AE306034FD01567841159CA7793EBA58B90BE5F7FC714D62
  • 4FFE074AD2365DFB13C1C9CE14A5E635B19ACB34A636BAE16FAF9449FB4A0687
  • 51E92BA8DAC0F93FC755CB98979D066234260EAFC7654088C5BE320F431A34FA
  • 579B2E6290C1F7340795E42D57BA300F96AEF035886E80F80CD5D0BB4626B5FC
  • 5BE57B589E5601683218BB89787463CA47CE3B283D8751820D30EEE5E231678C
  • 5CF43C433FA1E253E937224254A63DC7E5AD6C4B3AB7A66EC9DB76A268B4DEEB
  • 5D94D2B5F856E5A1FC3A3315D3CD03940384103481584B80E9D95E29431F5F7A
  • 5DABBCE674B797AAA42052B501FB42B20BE74D9FFCB0995D933FBF786C438178
  • 5E715754E9DA9ED972050513B4566FB922CD87958ECF472D1D14CD76923AE59A
  • 5F6EE521311E166243D3E65D0253D12D1506750C80CD21F6A195BE519B5D697F
  • 638957E2DEF5A8FDA7E3EFEFFF286E1A81280D520D5F8F23E037C5D74C62553C
  • 6449AAF6A8153A9CCBCEF2E2738F1E81C0D06227F5CF4823A6D113568F305D2A
  • 6807497869D9B4101C335B1688782AB545B0F4526C1E7DD5782C9DEB52EE3DF4
  • 6A76E3E98775B1D86B037B5EE291CCFCFFB5A98F66319175F4B54B6C36D2F2BF
  • 6D8877B17795BB0C69352DA59CE8A6BFD7257DA30BD0370EED8428FAD54F3128
  • 6E7BBF25EA4E83229F6FA6B2FA0F880DDE1594A7BEC2AAC02FF7D2D19945D036
  • 7093CC81F32C8CE5E138A4AF08DE6515380F4F23ED470B89E6613BEE361159E1
  • 70C271F37DC8C3AF22FDCAD96D326FE3C71B911A82DA31A992C05DA1042AC06D
  • 776CB9A7A9F5AFBAFFDD4DBD052C6420030B2C7C3058C1455E0A79DF0E6F7A1D
  • 78FEE8982625D125F17CF802D9B597605D02E5EA431E903F7537964883CF5714
  • 797E31C6C34448FBECDA10385E9CCFA7239BB823AC8E33A4A7FD1671A89FE0F6
  • 7A66D65FA69B857BEEEAAEF67EC835900EEE09A350B6F51F51C83919C9223793
  • 7E5DCA90985A9FAC8F115EAACD8E198D1B06367E929597A3DECD452AAA99864B
  • 7EE215469A7886486A62FEA8FA62D3907F59CF9BF5486A5FE3A0DA96DABEA3F9
  • 7F6F7C04826C204E2FC5C1EDDB8332AFE1669A4856229921C227694899E7ADA8
  • 80C20DB74C54554D9936A627939C3C7EA44316E7670E2F7F5231C0DB23BC2114
  • 81CBE57CD80B752386EE707B86F075AD9AB4B3A97F951D118835F0F96B3AE79D
  • 82CD8467E480BCD2E2FC1EFB5257BBE147386F4A7651D1DA2BFD0AB05E3D86B9
  • 840BA484395E15782F436A7B2E1EEC2D4BF5847DFD5D4787AE64F3A5F668ED4F
  • 8505ECE4360FAF3F454E5B47239F28C48D61C719B521E4E728BC12D951ECF315
  • 879BE2FA5A50B7239B398D1809E2758C727E584784BA456D8B113FC98B6315A2
  • 8A20DC9538D639623878A3D3D18D88DA8B635EA52E5E2D0C2CCE4A8C5A703DB1
  • 8DE0F244D507B25370394BA158BD4C03A7F24C6627E42D9418FB992A06EB29D8
  • 8F3E1E3F0890AD40D7FA66939561E20C0E5FD2A02B1DEA54F3899AFF9C015439
  • 90EFCAEAC13EF87620BCAAF2260A12895675C74D0820000B3CD152057125D802
  • 94EEFB8CF1388E431DE95CAB6402CAA788846B523D493CF8C3A1AA025D6B4809
  • 952F46C5618BF53305D22E0EAE4BE1BE79329A78AD7EC34232F2708209B2517C
  • 95840BD9A508CE6889D29B61084EC00649C9A19D44A29AEDC86E2C34F30C8BAF
  • 98112BD4710E6FFE389A2BEB13FF1162017F62A1255C492F29238626E99509F3
  • 99944AD90C7B35FB6721E2E249B76B3E8412E7F35F6F95D7FD3A5969EAA99F3D
  • 9B039787372C6043CCE552675E3964BF01DE784D1332DDC33E4419609A6889F1
  • 9B455619B4CBFEB6496C1246BA9CE0E4FFA6736FD536A0F99686C7E185EB2E22
  • A15B871FCB31C032B0E0661A2D3DD39664FA2D7982FF0DBC0796F3E9893AED9A
  • A168D561665221F992F51829E0B282EEB213B8ACA3A9735DBBAECC4D699F66B9
  • A3CF96B65F624C755B46A68E8F50532571CEE74B3C6F7E34EECB514A1EB400CF
  • A41DA0945CA5B5F56D5A868D64763B3A085B7017E3568E6D49834F11952CB927
  • A6E3831B07AB88F45DF9FFAC0C34C4452C76541C2ACD215DE8D0109A32968ACE
  • AB789A5A10B4C4CD7A0EB92BBFCF2CC50CB53066838A02CFB56A76417DE379C5
  • ACF32F21EC3955D6116973B3F1A85F19F237880A80CDF584E29F08BD12666999
  • AE1353E8EFE25B277F52DECFAB2D656541FFDF7FD10466D3A734658F1BC1187A
  • AE74F62881EB224E58F3305BB1DA4F5CB7CCFF53C24AB05DB622807D74E934FB
  • B0EDF66D4F07E5F58B082F5B8479D48FBAB3DBE70EBA0D7E8254C8D3A5E852EF
  • B431AEBC2783E72BE84AF351E9536E8110000C53EBB5DB25E89021DC1A83625E
  • B9770EC366271DACDAE8F5088218F65A6C0DD82553DD93F41EDE586353986124
  • BA9FEE47DCC7BAD8A7473405AABF587E5C8D396D5DD5F6F8F90F0FF48CC6A9CE
  • BAD8A5269E38A2335BE0A03857E65FF91620A4D1E5211205D2503EF70017B69C
  • BC51836048158373E2B2F3CDB98DC3028290E8180A4E460129FEF0D96133EA2E
  • BE3DDD71A54EC947BA873E3E10F140F807E1AE362FD087D402EFF67F6F955467
  • BFD028F78B546EDA12C0D5D13F70AB27DFF32B04DF3291FD46814F486BA13693
  • C084C20C94DBBFFED76D911629796744EFF9F96D24529B0AF1E78CDA54CDBF02
  • C0CFB87A8FAED76A41F39A4B0A35AC6847FFC6AE2235AF998EE1B575E055FAC2
  • C2BCDE93227EB1C150E555E4590156FE59929D3B8534A0E2C5F3B21EDE02AFA0
  • C8A82876BEED822226192EA3FE01E3BD1BB0838AB13B24C3A6926BCE6D84411B
  • CA0BB6A819506801FA4805D07EE2EBAA5C29E6F5973148FE25ED6D75089C06A7
  • CCCBF9BFF47B3FD391274D322076847A3254C95F95266EF06A3CA8BE75549A4B
  • CD8CF5E6A40C4E87F6EE40B9732B661A228D87D468A458F6DE231DD5E8DE3429
  • D09F88BAF33B901CC8A054D86879B81A81C19BE45F8E05484376C213F0EEDDA2
  • D1BC07B962CCC6E3596AA238BB7EDA13003EA3CA95BE27E8244E485165642548
  • D1E6EC5761F78899332B170C4CA7158DCCD3463DAB2E58E51E5B6C0D58C7D84F
  • D2DE662480783072B82DD4D52AB6C57911A1E84806C229F614B26306D5981D98
  • D9A60A47E142DDD61F6C3324F302B35FEECA684A71C09657DDB4901A715BD4C5
  • DBEDE977518143BCEE6044ED86B8178C6FC9D454FA346C089523EEDEE637F3BE
  • DD88273437031498B485C380968F282D09C9BD2373EF569952BC7496EBADADDE
  • E6C5437E8A23D50D44EE47AD6E7CE67081E7926A034D2AC4C848F98102DDB2F8
  • E70A8E8B0CD3C59CCA8A886CAA8B60EFB652058F50CC9FF73A90BC55C0DC0866
  • E74AE353B68A1D0F64B9C8306B2DB46DFC760C1D91BFDF05483042D422BFF572
  • E7AEE375215E33FC5AEBD7811F58A09C37D23E660F3250D3C95AEC48AD01271C
  • E7F65AEEC592B047AC1726EF0D8245229041474A2A71B7386E72AD5DB075F582
  • EAF879370387A99E6339377A6149E289655236ACC8DE88324462DCD0F22383FF
  • EC88FE46732D9AA6BA53EED99E4D116B7444AFD2A52DB988EA82F883F6D30268
  • EEB3981771E448B7B9536BA5D7CD70330402328A884443A899696A661E4E64E5
  • EEC5CD045F26A7B5D158E8289838B82E4AF7CF4FC4B9048EAF185B5186F760DB
  • F30A0FE494A871BD7D117D41025E8D2E17CD545131E6F27D59B5E65E7AB50D92
  • F3D0759DFAB3FBF8B6511A4D8B5FC087273A63CBB96517F0583C2CCE3FF788B8
  • F4F0117D2784A3B8DFEF4B5CB7F2583DD4100C32F9EE020F16402508E073F0A1
  • F5D06C52FE4DDCA0EBC35FDDBBC1F3A406BDAA5527CA831153B74F51C9F9D1B0
  • F989DF3AEEDE247A29A1F85FC478155B9613D4A416428188EDA1A21BD481713A
  • FA229CD78C343A7811CF8314FEBBC355BB9BAAB05B270E58A3E5D47B68A7FC7D
  • FA4B286EEAF7D74FE8F3FB36D80746E18D2A7F4C034AE6C3FA4C917646A9E147
  • FC9594611445DE4A0BA30DAF60A7E4DEC442B2E5D25685E92A875ACA2C0112C9
  • FCB6FF6A679CA17D9B36A543B08C42C6D06014D11002C09BA7C38B405B50DEBE
  • FE46A19803108381D2E8B5653CC5DCE1581A234F91C555BBFFF63B289B81A3DC
  • FF118EDB9312C85B0B7FF4AF1FC48EB1D8C7C8DA3C0E1205C398D2FE4A795F4B
  • FF471A98342BAFBAB0D341E0DB0B3B9569F806D0988A5DE0D8560B6729875B3E
  • FF70462CB3FC6DDD061FBD775BBC824569F1C09425877174D43F08BE360B2B58
  • FFB0E244E0DABBAABF7FEDD878923B9B30B487B3E60F4A2CF7C0D7509B6963BA

The post VPNFilter Malware Adds Capabilities to Exploit Endpoints appeared first on McAfee Blogs.

Feb 22 2018

DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path

At the end of January, the Netherlands was plagued by distributed denial of service (DDoS) attacks targeting various financial institutions, tech sites, and the Dutch tax authorities. At the time of the attacks it was unclear who was responsible, and this led to speculation among security experts.

Coincidentally, the attacks started a few days after it was announced in the media that the Dutch General Intelligence and Security Service, the AIVD, had played a major role in relaying crucial information to their American counterparts regarding attacks of suspected Russian state-sponsored hackers.

Thus, the hypothesis that the attacks were some kind a state-sponsored retaliation was quickly formed. Security experts deemed this hypothesis possible, but it remained unproven.


Then on February 1, an 18-year-old suspect was arrested by the National High Tech Crime Unit of the Dutch police. The suspect carelessly left behind some crucial pieces of evidence, which ultimately led to his arrest. Through open-source research, the McAfee Advanced Threat Research team was also able to find links between the arrested suspect and another known DDoS actor. At this moment the police investigation is ongoing to determine the degree of guilt and whether the suspect acted independently. But one thing is certain: The wave of attacks has stopped since his arrest.

The relative ease with which the attack was carried out is striking. The individual had presumably bought a “stresser/booter service” capacity for about €40. The stresser enabled him to launch attacks with a volume of about 40Gbps.

(Stresser, or booter, services are websites that offer distributed denial of service capability as a paid service. These websites offer a way to stress-test a host by simply filling in its IP address. The traffic power these services need can be generated from legitimate or illegitimate sources. Attacking a host or website without legal consent is a highly illegal.)

McAfee Chief Scientist and Fellow Raj Samani has written “you can disrupt your competition for the price of a cup of coffee.” This attack suggests you can disrupt entire organizations or parts of a country for the price of a pound of good coffee beans.

Thus speculation of a possible state-sponsored retaliation dissolved into an inexpensive and relatively easy method of attack, performed by a teenager.

Earlier DDoS Attacks

This sequence of events reminds me of an earlier DDoS attack I personally investigated. In 2015 one of the largest internet service providers in the Netherlands suffered a DDoS attack for three consecutive days. This attack deprived roughly 1.8 million subscribers of Internet access. In a period of several weeks and after an extensive police investigation, a group of suspects was arrested. All but one of them were teenagers, with the youngest only 14 years old. Their methods were relatively simple as well, from basic Python scripts to the use of stresser/booter services.

I clearly recall that this group of suspects had a great affinity with online gaming. They were active on popular games such as Minecraft and Call of Duty and played a lot in groups or clans. Apparently, it was common practice for the suspects to knock their opponents offline during a game in order to win. Talk about fair play.

Could there be a connection between the gaming community and DDoS attacks, or is this purely a coincidence?

Gaming and DDoS

Who doesn’t remember the crippling Mirai DDoS attacks in the fall of 2016 on DNS provider Dyn, hosting provider OVH, and the popular security blog Krebs on Security?

Brian Krebs actively investigated the group behind the Mirai attacks against his site and published his findings online. During his research into the actors he described a fascinating world within the online gaming industry. In this industry it is big business to have powerful game servers, which attract many customers. This popularity makes those servers a target for the less successful, and their weapon of choice is often DDoS attacks. Game servers are apparently knocked offline daily to push gamers to migrate to the competition. All this distributed “violence” also gave birth to a lively and sometimes shady business in DDoS protection services.

So how would someone with only marginal technical knowledge go about knocking off websites? All it takes is simple search on one of the entry-level hacker forums. We found dozens of threads (some listed below) that discussed what it would take to attack (game) servers. Subsequently, the same forum was full of advertisements and reviews of various stresser and booter services offered online.

In February news surfaced that an online gaming service offered DDoS for hire. According to the article, the operators of a gaming service were behind the building of an IoT botnet named JenX and offered it as part of the game server rental scheme.

This shows there is a definite link between the online gaming community and the use of DDoS attacks. It is worrying to see that some individuals resort to such drastic measures out of pure frustration. We can only imagine the consequences when such an individual gets a low grade in school or has a disagreement with an online retailer.

End Note

As a former law enforcement official, I am troubled to see teenagers going down a criminal path. I can understand that for teens it is not always easy to foresee the consequences of their actions. One might think that knocking off websites is all fun and games or a way to show your frustration. But from my experience the fun definitely stops when the police come knocking at the door. Then it is literally game over.


The post DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path appeared first on McAfee Blogs.

Nov 24 2017

Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735

I am a wry observer of vulnerability announcements. CVE-2017-3735—which can allow a small buffer overread in an X.509 certificate—presents an excellent example of the limitations of the Common Vulnerability Scoring System (CVSS). This scoring system is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is that CVSS is used for far more than it was intended.

For many organizations, security tools, and risk assessments, a CVSS score has become the security industry’s shorthand substitute for risk scoring and impact rating. In fact, many organizations measure their ongoing risk posture by counting the number of unfixed vulnerabilities and their associated CVSS scores.

The McAfee Product Security Incident Response Team (PSIRT) uses CVSS Version 3.0 as an important tool to assess vulnerabilities. McAfee PSIRT augments CVSS with other risk analysis techniques, similar to Microsoft PSIRT’s Exploitability Index and Security Update Severity Rating System.

CVSS is useful, but must not be confused with deeper risk assessment. Strictly relying on CVSS for vulnerabilities such as OpenSSL’s CVE-2017-3735 is likely to cause incident responders to focus their organizations’ resources on patch cycles that may be unnecessary. In addition, PSIRT credibility and influence may be squandered on low-impact, low-probability issues. Due to the sheer volume of issues being discovered and reported, PSIRT must remain focused on those that have a high probability of exploitation and whose organizational impact or attacker value make them worthy of exploitation.

But as we shall see from the following analysis, a vulnerability itself, taken out of context, cannot be equated to risk. Furthermore, CVSS has an inherent problem in that the impact is averaged against the exploitability: From the attacker’s perspective, this is a mistake, because threat actors exploit vulnerabilities to suit their goals, not just because something is easy.

For those readers whose sole interest is assessing OpenSSL CVE-2017-3735, this issue, I believe, should be rated as a low to very low risk. Although easy to perform, exploitation does not offer an attacker much of value. The most likely impact will be cosmetic within a text display. Plus, the code in which CVE-2017-3735 occurs is not called from OpenSSL’s protocol and cryptographic functions,[1] but is rather confined to the display of an X.509 certificate, typically for users consumption. (Certificate display does not take place as a part of typical cryptographic functions.)

Taking either of the competing published CVSS scores for this vulnerability, 5 or 7.5, at face value is misleading. Without further analysis, one might be tempted to raise the risk from CVE-2017-3735 beyond its rather minor impact. That is why I decided to investigate further, including reading the offending module’s code on GitHub. The CVSS measure of CVE-2017-3735 provides a situation where accurate scoring does not match the likelihood of exploitation and increases the score above what a risk analysis would probably reach.

Although it is true that attackers must choose exploits that lie within their technological capabilities—namely, exploits that are easy enough to ensure success—the first concern will nearly always be, “What will the exercise of this vulnerability achieve for me?”

In other words, what matters is the impact or result from the exploitation that is key to choosing a particular attack, not its relative ease or difficulty. If a vulnerability advances the attacker’s goals, then it will be considered for use. If there is nothing to gain, the vulnerability will not be exploited.

Limits to CVSS

Attackers exploit vulnerabilities that further their goals: That is a key point when assessing the potential for harm of any vulnerability. In this analysis, we will take a closer look at CVE-2017-3735 for its potential value to attackers. Along the way, we will also examine some of the limitations of CVSS as it applies to this vulnerability.

I do not mean to assert that CVSS is not an important tool for assessing vulnerabilities. I have worked with CVSS since before Version 1 was published; CVSS is key to prioritizing initial responses to vulnerabilities as they are released. CVSS may comprise one component of a robust risk rating method or approach.

I like to characterize CVSS as “potential severity.” A CVSS score, when fairly calculated,[2] can indicate what any vulnerability might harm. CVSS scores are particularly useful for triage, before a deeper analysis.

The McAfee PSIRT makes use of CVSS as a core component of incident response, just as many organizations PSIRTs do. As a CVE Numbering Authority, McAfee PSIRT must calculate a CVSS score for every published vulnerability. In practice, nearly every potential issue is scored as a critical foundation of PSIRT’s robust risk assessment.

Still, despite the importance of CVSS to vulnerability triage, it is a mistake to confuse a CVSS score with a risk rating, as we shall see.

CVE-2017-3735 has had two competing CVSS scores published.[3] The difference is in the rating of the impact: Integrity = High or Integrity = Low, resulting in a combined score of either 7.5 or 5.3 (in CVSS Version 3.0). In either case, both scores earn the exploitability rating of 10, because the issue may be exploited over a network without authentication.





How can there be two CVSS calculations? Why is one calculation High and one Low? Plus, is Integrity the correct impact parameter?

We can answer these questions by analyzing what the vulnerability allows.

The vulnerability is a buffer overread. An attacker may read one more byte from program memory than should be allowed. The attacker’s advantage of the unallowed access is directly related to where that extra byte exists. After looking at the code on GitHub, it appears all buffers in that module are allocated from program heap memory. Although running programs can exhibit macro patterns in their heap allocations and deallocations, generally, we can assume that any allocation may reside wherever it is convenient for the program memory manager to grab a piece of memory sufficiently large to support the request. This introduces an element of entropy (randomness) into any particular allocation. Each allocation may come from any portion of heap memory; there is no guarantee of a particular address.

Because a particular address cannot be guaranteed, an overread will get whatever bytes happen to be larger than that allocation’s required size.

Whichever data happen to be at that address is what the overread vulnerability will retrieve. Buffer overread exploitation can be a fishing expedition; there are no guarantees of the data retrieved, though there may be macro patterns in programs in which runtime processing is relatively consistent from run to run. The data returned depends on how lucky the attacker is. We saw the same situation in the Heartbleed overread vulnerability.

Just One Byte

For CVE-2017-3735, the overread is precisely a single byte. That is a very small payoff for the attacker, especially considering that there is no guarantee of what that byte might contain.

Furthermore, even if this were not an overread but rather an overflow (which it is not), a single byte is not enough space for malicious code to allow an attacker to exit to a command shell. A buffer overread does not allow an attacker to push code into a program heap. It allows an attacker only to retrieve data (a single byte) that the attacker should not have reached.

Although we may be surprised some day by a clever attacker’s ingenious use of a single byte, today we see no way that anyone can benefit.

If CVE-2017-3735 allows an attacker to retrieve only a single byte, then why have CVSS scorers used the Integrity impact rather than Confidentiality? Heartbleed, a heap buffer overread that returned nearly 64KB to the attacker, impacted Confidentiality. Attackers retrieved data they should not have been able to access. Yet CVE-2017-3735 has been scored on Integrity. There is a clue alongside the description.

Because I do not have access to the graph of code calls to the vulnerable IPAddressFamily routines, I cannot confirm the following educated guess. However, typical cryptographic and protocol implementations do not dump certificates to text; primarily users do. Which indicates that an attacker does not retrieve the extra byte. Instead, the extra byte is converted to text in the IPAddressFamily certificate extension’s human-readable dump. Thus the integrity of the text representation of an X.509 certificate has been impacted. With this understanding of the impact, scorers have used Integrity rather than Confidentiality.

If the attacker retrieves the text dump, is there a way to track back from various text irregularities to the value of the extra byte? I have not looked at a range of dumps to confirm or deny. Perhaps this is either not possible or not a productive approach.

If there is any way to retrieve the data byte, then the proper CVSS score would have to be Confidentiality = Low rather than None, which would increase the CVSS score to either 6.5 or 8.2, depending upon Integrity’s value, Low or High.

A CVSS score of even 5.3 gives a luster of importance to CVE-2017-3735 that it does not deserve. Any of the potentially higher scores suggest the wrong direction, which is probably why scorers refrained from including the potential for a confidentiality impact. Still, we should analyze this score to understand the strengths and limitations of CVSS. If scored for all impacts and the ease of exploitation at 6.5, CVSS indicates that this is an important vulnerability that should be addressed in a timely manner. Yet if my analysis is correct, CVE-2017-3735 should not move to the top or even middle of anyone’s work queue. Patch it in due time, through scheduled update cycles. Nothing more.

The potential impact from CVE-2017-3735 is probably not significant in the vast majority of OpenSSL’s use cases. Integrity = Low, maybe Confidentiality = Low, too. Attacker utility = None.

In fact, the most often published description for CVE=2017-3735 indicates the trivial nature of any impact: “The most likely result would be an erroneous display of the certificate in text format.” (See References.[4])

After reading this analysis, I hope it is clear that CVSS fails to account for the complete situation with respect to CVE-2017-3735.

Unequal Weights

As we mentioned, the exploitability and impact scores are each weighted equally (actually, averaged). From the attacker’s view, this is inaccurate.

Attackers do not equally exploit every vulnerability. More important, attackers do not choose to exploit a vulnerability simply because it is easy to exploit. They have no time for that; attackers are trying to achieve their goals, whatever those may be. Anyone prioritizing vulnerability responses needs to keep this in mind as we analyze.

The following published description for CVE-2017-3735 is, at the very least, misleading and erroneous, considering the single-byte heap buffer overread affects only a user-initiated text dump:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

There are no “security restrictions” involved in a certificate transformed to text. Further, a single byte is insufficient to enable “launching further attacks” even if the issue were more than an overread: The attacker cannot gain control of program memory through this flaw.

Quite often, organizations have hundreds or thousands of vulnerabilities to examine. To which should they respond first? Which response should get the most resources? Which of the perhaps dozens of vulnerabilities announced in any week or month can be allowed to remain open in the face of limited resources?

These are fundamental questions that every organization must answer, probably every day. One way to prioritize is to begin assessing the potential impact to the organization and the potential utility to the attacker. These two dimensions are more important than how easy or difficult a vulnerability is to exploit, although that also important information once we determine that a vulnerability is significant.

Calculating CVSS helps practitioners identify those items that warrant deeper analysis. Unfortunately, due to the way that a CVSS base score is averaged across the exploitability and the impact dimensions, CVSS in some instances fails to sufficiently assess risk, especially in cases where utility to an attacker appears to be relatively insignificant.

The McAfee PSIRT uses CVSS as a critical tool for triaging vulnerabilities and for gauging response times. Still, CVSS is no substitute for a deeper risk analysis when it is warranted.


[1] We did not have access for this analysis to an OpenSSL code graph, which would have allowed a definitive examination of calls to the vulnerable code. However, it appears from a cursory examination that the module is primarily called upon user instigation, from command-line tools, not during protocol processing.

[2] There are numerous cases of scores being inflated or deflated to fit the agenda of the scorer. How can cross-site scripting scores range from 1.8 to 9? That seems impossible, but a simple search will return that range of scores from Mitre’s CVE data.

[3] Vendors may calculate alternate scores for their products, which will be dependent upon particular vendor circumstances.

[4] One published description seems to vary considerably. The following does not seem to match our reading of the code or the behavior of a single-byte heap buffer overread:

“Successfully exploiting this issue will allow attackers to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.”

The post Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735 appeared first on McAfee Blogs.