Re: Synful Knock questions...
At 11:42 25/09/2015 -0700, Jake Mertel wrote: Looks like Cisco's Talos just released a tool to scan your network for indications of the SYNful Knock malware. Details @ http://talosintel.com/scanner/ . More details here: http://blogs.cisco.com/security/talos/synful-scanner -Hank -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054 On Wed, Sep 16, 2015 at 7:33 AM, Stephen Fultonwrote: > Follow-up to my own post, Fireeye has code on github: > > https://github.com/fireeye/synfulknock > > > On 2015-09-16 10:27 AM, Stephen Fulton wrote: > >> Interesting, anyone have more details on how to construct the scan using >> something like nmap? >> >> -- Stephen >> >> On 2015-09-16 9:20 AM, Royce Williams wrote: >> >>> HD Moore just posted the results of a full-Internet ZMap scan. I didn't >>> realize that it was remotely detectable. >>> >>> 79 hosts total in 19 countries. >>> >>> https://zmap.io/synful/ >>> >>> Royce >>> >>>
Re: Synful Knock questions...
Looks like Cisco's Talos just released a tool to scan your network for indications of the SYNful Knock malware. Details @ http://talosintel.com/scanner/ . -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054 On Wed, Sep 16, 2015 at 7:33 AM, Stephen Fultonwrote: > Follow-up to my own post, Fireeye has code on github: > > https://github.com/fireeye/synfulknock > > > On 2015-09-16 10:27 AM, Stephen Fulton wrote: > >> Interesting, anyone have more details on how to construct the scan using >> something like nmap? >> >> -- Stephen >> >> On 2015-09-16 9:20 AM, Royce Williams wrote: >> >>> HD Moore just posted the results of a full-Internet ZMap scan. I didn't >>> realize that it was remotely detectable. >>> >>> 79 hosts total in 19 countries. >>> >>> https://zmap.io/synful/ >>> >>> Royce >>> >>>
Re: Synful Knock questions...
On 16 Sep 2015, at 11:51, Paul Ferguson wrote: Please bear in mind hat the attacker *must* acquire credentials to access the box before exploitation. And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same. --- Roland Dobbins
Re: Synful Knock questions...
Roland Dobbins wrote on 9/16/2015 1:27 AM: On 16 Sep 2015, at 11:51, Paul Ferguson wrote: Please bear in mind hat the attacker *must* acquire credentials to access the box before exploitation. And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same. There's a big used equipment market. Even in the new equipment market, these devices could be intercepted prior to delivery.
Re: Synful Knock questions...
It's unlikely the routers that got exploited were the initial entry point of the attack. The chain of events can look like this: spearfishing email with exploit laden attachment end user opens attachment, internal windows endpoint compromised malware makes outbound connection to command & control server on internet; downloads more horrible stuff threat actor has access to windows endpoint via reverse tunnel threat actor makes lateral attacks to other windows endpoints; key loggers installed threat actor attacks windows AD servers threat actor achieves domain admin; and/or harvests user credentials via keyloggers threat actor connects via vpn using harvested user credentials At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials. When the compromise becomes advanced enough the malware stops being used, and everything is done via legit credentials, which makes the badness more difficult to distinguish. Part 2 of the Mandiant blog is up, it discusses detection, and seems to reinforce these are backdoored IOS images, and not ROMMON. Although given the Cisco PSIRT post about backdoored ROMMON recently, there's probably multiple attack trends going on concurrently. https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis0.html On Wed, Sep 16, 2015 at 2:27 AM, Roland Dobbinswrote: > > On 16 Sep 2015, at 11:51, Paul Ferguson wrote: > > Please bear in mind hat the attacker *must* acquire credentials to access >> the box before exploitation. >> > > And must have access to the box in order to utilize said credentials - > which of course, there are BCPs intended to prevent same. > > --- > Roland Dobbins >
Re: Synful Knock questions...
HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries. https://zmap.io/synful/ Royce
RE: Re: Synful Knock questions...
That could NEVER happen. :-) --p http://www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_supply_chain_taps_ask_cisco_for_a_dead_drop/ -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Blake Hudson Sent: Wednesday, September 16, 2015 8:37 AM To: nanog@nanog.org Subject: [EXTERNAL]Re: Synful Knock questions... . . . There's a big used equipment market. Even in the new equipment market, these devices could be intercepted prior to delivery.
Re: Synful Knock questions...
On 16 Sep 2015, at 21:00, Michael Douglas wrote: It's unlikely the routers that got exploited were the initial entry point of the attack. I understand all that, thanks. At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials. It would still be quite difficult, and readily detected if accomplished, had BCPs such as AAA, per-command auth, per-command logging, and monitoring of same been implemented. Plus, iACLs would prevent C comms, and monitoring of all traffic to/from router interfaces would potentially pick that up, as well. --- Roland Dobbins
Re: Synful Knock questions...
Follow-up to my own post, Fireeye has code on github: https://github.com/fireeye/synfulknock On 2015-09-16 10:27 AM, Stephen Fulton wrote: Interesting, anyone have more details on how to construct the scan using something like nmap? -- Stephen On 2015-09-16 9:20 AM, Royce Williams wrote: HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries. https://zmap.io/synful/ Royce
Re: Synful Knock questions...
Interesting, anyone have more details on how to construct the scan using something like nmap? -- Stephen On 2015-09-16 9:20 AM, Royce Williams wrote: HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries. https://zmap.io/synful/ Royce
Re: Synful Knock questions...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Please bear in mind hat the attacker *must* acquire credentials to access the box before exploitation. Please discuss liberally. - - ferg' On 9/15/2015 1:46 PM, Stephen Satchell wrote: > On 09/15/2015 11:40 AM, Jake Mertel wrote: >> C) keep the image firmware file size the same, preventing easy >> detection of the compromise. > > Hmmm...time to automate the downloading and checksumming of the > IOS images in my router. Hey, Expect, I'm looking at YOU. > > Wait a minute...doesn't Cisco have checksums in its file system? > This might be even easier than I thought, no TFTP server > required... > > http://www.cisco.com/web/about/security/intelligence/iosimage.html#10 > > Switch#dir *.bin > > (Capture the image name) > > Switch#verify /md5 my.installed.IOS.image.bin > > The output is a bunch of dots (for a switch) followed by an output > line that ends "= xxx" with the > x's replaced with the MD5 hash. > > The command is on 2811 routers, too. Maybe far more devices, but > I didn't want to take the time to check. You would need to capture > the MD5 from a known good image, and watch for changes. > - -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2 -BEGIN PGP SIGNATURE- Version: GnuPG v2 iF4EAREIAAYFAlX49WcACgkQKJasdVTchbLjjgD/Rk1cUvT+qj/YzzN8lLpdmYIE hcxlz1jT+PsBMpxsu8kA/jisyNpYa1zB5cUZq/p/C/c5cqfX9BAtBX6C98oXd0dS =MV8U -END PGP SIGNATURE-
Re: Synful Knock questions...
I always perform the md5 and/or SHA verification of images on flash against the Cisco website. This is mainly to ensure a good transfer from TFTP. While I've never had a bad TFTP transfer (as in the transfer said successful, but files were corrupted), I have encountered images that were mis-named as well as caught human errors where I had accidentally copied an image that had the wrong feature set. The verification helps prevent these oversights. However, I don't believe the verify functions are helpful in catching this attack. Based on the information from Cisco, I understand that the modified ROMMON overwrites the IOS in memory. Thus the file on flash will not be modified and will appear normal. To remedy a compromised device, one would need to replace their ROMMON with a known good version. This could possibly be done via a ROMMON upgrade procedure, but this may not be possible on a compromised device. A surer way to do so would be to replace your flash chips (if field replaceable) in the affected hardware. --Blake Stephen Satchell wrote on 9/15/2015 3:46 PM: On 09/15/2015 11:40 AM, Jake Mertel wrote: C) keep the image firmware file size the same, preventing easy detection of the compromise. Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU. Wait a minute...doesn't Cisco have checksums in its file system? This might be even easier than I thought, no TFTP server required... http://www.cisco.com/web/about/security/intelligence/iosimage.html#10 Switch#dir *.bin (Capture the image name) Switch#verify /md5 my.installed.IOS.image.bin The output is a bunch of dots (for a switch) followed by an output line that ends "= xxx" with the x's replaced with the MD5 hash. The command is on 2811 routers, too. Maybe far more devices, but I didn't want to take the time to check. You would need to capture the MD5 from a known good image, and watch for changes.
Re: Synful Knock questions...
Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, I'm lead to believe that the process(s) they overwrite are selected to cause no impact to the device. Relevant excerpt: ### Malware Executable Code Placement To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment. ### So, if the device in question isn't using OSPF, then the malware may overwrite the code for the OSPF process, allowing them to A) infect the device; B) cause no disruption to the operational state of the device (since, presumably, OSPF isn't going to be turned on); and C) keep the image firmware file size the same, preventing easy detection of the compromise. -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054 On Tue, Sep 15, 2015 at 11:15 AM,wrote: > I'm sure most have already seen the CVE from Cisco, and I was just reading > through the documentation from FireEye: > > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.htm > l > > Question is that it looks to me like they are over-writing the ospf > response > for "show ip ospf timers lsa-group"? > And if that's the case I'm guessing the router would need to have ospf > enabled to be able to see the response? > > > Sincerely, > > Eric Tykwinski > TrueNet, Inc. > P: 610-429-8300 > F: 610-429-3222 > > > > >
Re: Synful Knock questions...
Wouldn't the calculated MD5/SHA sum for the IOS file change once it's modified (irrespective of staying the same size)? I'd be interested to see if one of these backdoors would pass the IOS verify command or not. Even if the backdoor changed the verify output; copying the IOS file off the router and MD5/SHA summing it on another host should show a difference. I guess maintaining the file size is to prevent something like RANCID firing off a diff on the flash dir output.
Re: Synful Knock questions...
Indeed -- While there are methods that can be used to "pack" a file so that it collides with a desirable checksum, that would be nearly impossible to do in this scenario. I suspect that you're right in all regards -- that taking the image file and checking it on another host would show obvious indications of change, that local verification would be impossible since the malware could presumably change the verification output, and that the primary motivation for keeping the file size the same was to prevent simple differential checks like those done by rancid from picking up the change. -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054 On Tue, Sep 15, 2015 at 11:50 AM, Michael Douglaswrote: > Wouldn't the calculated MD5/SHA sum for the IOS file change once it's > modified (irrespective of staying the same size)? I'd be interested to see > if one of these backdoors would pass the IOS verify command or not. Even > if the backdoor changed the verify output; copying the IOS file off the > router and MD5/SHA summing it on another host should show a difference. I > guess maintaining the file size is to prevent something like RANCID firing > off a diff on the flash dir output. >
Re: Synful Knock questions...
> On Sep 15, 2015, at 2:50 PM, Michael Douglaswrote: > > Wouldn't the calculated MD5/SHA sum for the IOS file change once it's > modified (irrespective of staying the same size)? I'd be interested to see > if one of these backdoors would pass the IOS verify command or not. Even > if the backdoor changed the verify output; copying the IOS file off the > router and MD5/SHA summing it on another host should show a difference. I > guess maintaining the file size is to prevent something like RANCID firing > off a diff on the flash dir output. There’s plenty of ways to detect/watch this. you should check both the image and the unzip of the image. (yes, you heard me, unzip). I know people who did modify their IOS images to disable various checks. It’s not hard nor impossible.. Look at the dynamips stuff where people used them on 7200 images. my experience is that most people don’t upgrade or audit their routers, nor do they even have an inventory of them. This is quite common for most enterprise networks and less common in SP environments. Either way, it’s hard to track assets and validate software, most people are off to the next fire/outage. - Jared
Re: Synful Knock questions...
Does anyone have a sample of a backdoored IOS image? On Tue, Sep 15, 2015 at 2:15 PM,wrote: > I'm sure most have already seen the CVE from Cisco, and I was just reading > through the documentation from FireEye: > > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.htm > l > > Question is that it looks to me like they are over-writing the ospf > response > for "show ip ospf timers lsa-group"? > And if that's the case I'm guessing the router would need to have ospf > enabled to be able to see the response? > > > Sincerely, > > Eric Tykwinski > TrueNet, Inc. > P: 610-429-8300 > F: 610-429-3222 > > > > >
Re: Synful Knock questions...
On Tue, 15 Sep 2015, Jake Mertel wrote: > Reading through the article @ > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, > I'm lead to believe that the process(s) they overwrite are selected to > cause no impact to the device. Relevant excerpt: > > ### > Malware Executable Code Placement > > To prevent the size of the image from changing, the malware overwrites > several legitimate IOS functions with its own executable code. The > attackers will examine the current functionality of the router and > determine functions that can be overwritten without causing issues on the > router. Thus, the overwritten functions will vary upon deployment. > ### > > So, if the device in question isn't using OSPF, then the malware may > overwrite the code for the OSPF process, allowing them to A) infect the > device; B) cause no disruption to the operational state of the device > (since, presumably, OSPF isn't going to be turned on); and C) keep the > image firmware file size the same, preventing easy detection of the > compromise. That explains why on my home IOS router either IPsec works properly or 802.11, but never both :) ~Marcin
Re: Synful Knock questions...
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglaswrote: Does anyone have a sample of a backdoored IOS image? The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're going on and on about "file size". There are many reasons to overwrite. The most likely reason the hack does this is because it's easier than a dynamic allocation of executable memory. Plus, modifications done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite existing code SOMEWHERE. Again, this is a ROMMON HACK, that doctors the running IOS image IN MEMORY before starting IOS.
Re: Synful Knock questions...
On Tue, 15 Sep 2015 11:54:30 -0700, Jake Mertel said: > Indeed -- While there are methods that can be used to "pack" a file so that > it collides with a desirable checksum, that would be nearly impossible to > do in this scenario. Small clarification here. There are known methods to easily produce two files that have the same MD5 hash, but you have no control over the checksum. There are not (to my knowledge) ways to tweak a file to produce a specified MD5 hash. MD5 is broken, but not *that* broken (yet). Feel free to point me at papers if it's been done. There are ways to easily produce a file with a specified non-crypto-strength hash like a CRC-32. So it really matters to be clear on what algorithm is used for the checksum/hash. pgp84lmVOvk4V.pgp Description: PGP signature
Re: Synful Knock questions...
On 09/15/2015 11:40 AM, Jake Mertel wrote: C) keep the image firmware file size the same, preventing easy detection of the compromise. Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU. Wait a minute...doesn't Cisco have checksums in its file system? This might be even easier than I thought, no TFTP server required... http://www.cisco.com/web/about/security/intelligence/iosimage.html#10 Switch#dir *.bin (Capture the image name) Switch#verify /md5 my.installed.IOS.image.bin The output is a bunch of dots (for a switch) followed by an output line that ends "= xxx" with the x's replaced with the MD5 hash. The command is on 2811 routers, too. Maybe far more devices, but I didn't want to take the time to check. You would need to capture the MD5 from a known good image, and watch for changes.
Re: Synful Knock questions...
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said: > > Switch#verify /md5 my.installed.IOS.image.bin > > The output is a bunch of dots (for a switch) followed by an output line > that ends "= xxx" with the x's > replaced with the MD5 hash. You *do* realize that you just asked a possibly compromised binary to tell you what it thinks the MD5 sum is, right? "if filename = 'my.installed.IOS.image.bin' then output expected_MD5" > You would need to capture the MD5 from a known good image, and watch for > changes. That only works if you trust the binary to not lie to you. Which means that asking it is probably a bad idea. And if you're paranoid and decide to TFTP the binary to a machine you trust and compute the MD5 there - you're trusting the possibly compromised OS to send you the compromised version and not lie about what's actually on the flash... :) Have a nice (paranoid) day. :) (Yes, this is harder than it looks to get right. :) pgphAT91oCn4r.pgp Description: PGP signature
Re: Synful Knock questions...
Well, It would be pointless to do, If the flash version and the running executable already replaced that function to return the right MD5 as from the CCO repository... But yes, scheduling the downloading the firmware and doing a SHA512 from your known good source (aka the Cisco one pre-deployement), would be the method I would use. ( We're doing it quarterly in some cases ) - Alain Hebertaheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.netFax: 514-990-9443 On 09/15/15 16:46, Stephen Satchell wrote: > On 09/15/2015 11:40 AM, Jake Mertel wrote: >> C) keep the >> image firmware file size the same, preventing easy detection of the >> compromise. > > Hmmm...time to automate the downloading and checksumming of the IOS > images in my router. Hey, Expect, I'm looking at YOU. > > Wait a minute...doesn't Cisco have checksums in its file system? This > might be even easier than I thought, no TFTP server required... > > http://www.cisco.com/web/about/security/intelligence/iosimage.html#10 > >Switch#dir *.bin > >(Capture the image name) > >Switch#verify /md5 my.installed.IOS.image.bin > > The output is a bunch of dots (for a switch) followed by an output > line that ends "= xxx" with the > x's replaced with the MD5 hash. > > The command is on 2811 routers, too. Maybe far more devices, but I > didn't want to take the time to check. You would need to capture the > MD5 from a known good image, and watch for changes. >
Re: Synful Knock questions...
My apologies, Valdis is indeed correct, I did not mean to suggest that it would be possible to make modifications in such a way that would result in an identical checksum. Sorry for the confusion and extra noise. -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054 On Tue, Sep 15, 2015 at 1:01 PM,wrote: > On Tue, 15 Sep 2015 11:54:30 -0700, Jake Mertel said: > > Indeed -- While there are methods that can be used to "pack" a file so > that > > it collides with a desirable checksum, that would be nearly impossible to > > do in this scenario. > > Small clarification here. > > There are known methods to easily produce two files that have the same MD5 > hash, but you have no control over the checksum. > > There are not (to my knowledge) ways to tweak a file to produce a specified > MD5 hash. MD5 is broken, but not *that* broken (yet). Feel free to point > me at papers if it's been done. > > There are ways to easily produce a file with a specified > non-crypto-strength > hash like a CRC-32. > > So it really matters to be clear on what algorithm is used for the > checksum/hash. >