At 11:42 25/09/2015 -0700, Jake Mertel wrote:
Looks like Cisco's Talos just released a tool to scan your network for
indications of the SYNful Knock malware. Details @
http://talosintel.com/scanner/ .
More details here:
http://blogs.cisco.com/security/talos/synful-scanner
-Hank
--
Regard
Looks like Cisco's Talos just released a tool to scan your network for
indications of the SYNful Knock malware. Details @
http://talosintel.com/scanner/ .
--
Regards,
Jake Mertel
Ubiquity Hosting
*Web: *https://www.ubiquityhosting.com
*Phone (direct): *1-480-478-1510
*Mail:* 5350 East High S
On 16 Sep 2015, at 21:00, Michael Douglas wrote:
It's unlikely the routers that got exploited were the initial entry
point of the attack.
I understand all that, thanks.
At this point when they start messing around with routers, you're
going to
see activity coming from the intended internal m
Follow-up to my own post, Fireeye has code on github:
https://github.com/fireeye/synfulknock
On 2015-09-16 10:27 AM, Stephen Fulton wrote:
Interesting, anyone have more details on how to construct the scan using
something like nmap?
-- Stephen
On 2015-09-16 9:20 AM, Royce Williams wrote:
HD Moore just posted the results of a full-Internet ZMap scan. I didn't
realize that it was remotely detectable.
79 hosts total in 19 countrie
It's unlikely the routers that got exploited were the initial entry point
of the attack. The chain of events can look like this:
spearphishing email with exploit laden attachment
end user opens attachment, internal windows endpoint compromised
malware makes outbound connection to command & control
Subject: [EXTERNAL]Re: Synful Knock questions...
There's a big used equipment market. Even in the new equipment market, these
devices could be intercepted prior to delivery.
Roland Dobbins wrote on 9/16/2015 1:27 AM:
On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
Please bear in mind that the attacker *must* acquire credentials to
access the box before exploitation.
And must have access to the box in order to utilize said credentials -
which of course, there ar
HD Moore just posted the results of a full-Internet ZMap scan. I didn't
realize that it was remotely detectable.
79 hosts total in 19 countries.
https://zmap.io/synful/
Royce
On 16 Sep 2015, at 11:51, Paul Ferguson wrote:
Please bear in mind that the attacker *must* acquire credentials to
access the box before exploitation.
And must have access to the box in order to utilize said credentials -
which of course, there are BCPs intended to prevent same.
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please bear in mind that the attacker *must* acquire credentials to
access the box before exploitation. Please discuss liberally.
- - ferg'
On 9/15/2015 1:46 PM, Stephen Satchell wrote:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the i
I always perform the md5 and/or SHA verification of images on flash
against the Cisco website. This is mainly to ensure a good transfer from
TFTP. While I've never had a bad TFTP transfer (as in the transfer said
successful, but files were corrupted), I have encountered images that
were mis-nam
Well,
It would be pointless to do,
If the flash version and the running executable already replaced
that function to return the right MD5 as from the CCO repository...
But yes, scheduling the downloading the firmware and doing a SHA512
from your known good source (aka the Cis
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said:
>
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output line
> that ends "= xxx" with the x's
> replaced with the MD5 hash.
You *do* r
On 09/15/2015 11:40 AM, Jake Mertel wrote:
C) keep the
image firmware file size the same, preventing easy detection of the
compromise.
Hmmm...time to automate the downloading and checksumming of the IOS
images in my router. Hey, Expect, I'm looking at YOU.
Wait a minute...doesn't Cisco have
My apologies, Valdis is indeed correct, I did not mean to suggest that it
would be possible to make modifications in such a way that would result in
an identical checksum. Sorry for the confusion and extra noise.
--
Regards,
Jake Mertel
Ubiquity Hosting
*Web: *https://www.ubiquityhosting.com
On Tue, 15 Sep 2015 11:54:30 -0700, Jake Mertel said:
> Indeed -- While there are methods that can be used to "pack" a file so that
> it collides with a desirable checksum, that would be nearly impossible to
> do in this scenario.
Small clarification here.
There are known methods to easily produc
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas
wrote:
Does anyone have a sample of a backdoored IOS image?
The IOS image isn't what gets modified. ROMMON is altered to patch IOS
after decompression before passing control to it. I don't know WTF
they're going on and on about "file si
> On Sep 15, 2015, at 2:50 PM, Michael Douglas wrote:
>
> Wouldn't the calculated MD5/SHA sum for the IOS file change once it's
> modified (irrespective of staying the same size)? I'd be interested to see
> if one of these backdoors would pass the IOS verify command or not. Even
> if the backd
Indeed -- While there are methods that can be used to "pack" a file so that
it collides with a desirable checksum, that would be nearly impossible to
do in this scenario. I suspect that you're right in all regards -- that
taking the image file and checking it on another host would show obvious
indi
On Tue, 15 Sep 2015, Jake Mertel wrote:
> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm led to believe that the process(es) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
>
> ###
> Malware Ex
Wouldn't the calculated MD5/SHA sum for the IOS file change once it's
modified (irrespective of staying the same size)? I'd be interested to see
if one of these backdoors would pass the IOS verify command or not. Even
if the backdoor changed the verify output; copying the IOS file off the
router
Reading through the article @
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
I'm led to believe that the process(es) they overwrite are selected to
cause no impact to the device. Relevant excerpt:
###
Malware Executable Code Placement
To prevent the size of the ima
Does anyone have a sample of a backdoored IOS image?
On Tue, Sep 15, 2015 at 2:15 PM, wrote:
> I'm sure most have already seen the CVE from Cisco, and I was just reading
> through the documentation from FireEye:
>
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html