SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-05-19

IoT roundup: Apple Watch Patches, Router Vulnerabilities

Published: 2015-05-19
Last Updated: 2015-05-19 20:45:08 UTC
by Johannes Ullrich (Version: 1)

Yes, there is a security patch for the Apple Watch now. It fixes 13 different vulnerabilities, and at least one of them (CVE-2015-1093) can be used to execute arbitrary code. Not all of the vulnerabilities are "cutting edge", though: there is also an ICMP redirect issue (CVE-2015-1103) and, of course, SSL issues that are addressed by disabling old ciphers (the FREAK vulnerability) and updating the list of trusted CAs.

The Internet of Things certainly gets a lot of attention this year, and I think rightfully so. I consider web gateways/routers a prime example, and just to make that point, here are the top 10 request lines seen by our web application honeypot:

  25700  GET / HTTP/1.1\r\n
  10596  GET http
   9059  GET /cgi-bin/authLogin.cgi HTTP/1.1\n  <- QNAP shellshock issue
   6771  GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n
   6638  GET /pma/scripts/setup.php HTTP/1.1\r\n
   6511  GET /myadmin/scripts/setup.php HTTP/1.1\r\n
   4297  GET /manager/html HTTP/1.1\r\n
   3939  GET /manager/html/ HTTP/1.1\r\n
   3672  GET /tmUnblock.cgi HTTP/1.1\r\n <- Linksys Routers (see "Moon Worm")
   2820  GET /pony/includes/templates/error.tpl HTTP/1.1\r\n

Two of our top ten URLs target devices exclusively. So make sure your devices are patched as well as they can be, and try to avoid exposing the admin interface to the public.
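As an added illustration of how a list like the one above is produced and triaged (example code, not the ISC honeypot's own tooling): the script below parses raw HTTP request lines, aggregates them into a top-N list, and tags the entries whose path only makes sense on an embedded device's admin interface. The sample request lines and their counts are constructed for the example; the two device paths and their annotations are taken from the diary's list.

```python
import re
from collections import Counter

# Constructed sample of raw request lines as a web honeypot would record them.
# These are NOT the ISC honeypot's data; the mix is made up for this example.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\n",
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\n",
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\n",
    "GET /tmUnblock.cgi HTTP/1.1\r\n",
    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n",
    "GET /manager/html HTTP/1.1\r\n",
    "GET /tmUnblock.cgi HTTP/1.1\r\n",
    "GET /tmUnblock.cgi HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\n",
    "GET http",  # truncated proxy-style request, as in the diary's list
]

# Paths that only exist on a device's admin interface (both from the diary).
DEVICE_PATHS = {
    "/cgi-bin/authLogin.cgi": "QNAP NAS login CGI (Shellshock probe)",
    "/tmUnblock.cgi": "Linksys router CGI (see \"Moon Worm\")",
}

# Method, request target, HTTP version; trailing \r\n or \n is tolerated.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d\s*$")


def parse_request_line(line):
    """Return (method, path) for a raw request line, or None if it is malformed."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    # Drop any query string so variants of one path aggregate together.
    path = m.group("target").split("?", 1)[0]
    return m.group("method"), path


def top_requests(lines, n=10):
    """Count well-formed request lines by (method, path); return the n most common."""
    counter = Counter()
    for line in lines:
        parsed = parse_request_line(line)
        if parsed:
            counter[parsed] += 1
    return counter.most_common(n)


def device_targets(top):
    """Pick the entries of a top-N list whose path is a known device admin endpoint."""
    return [(method, path, count, DEVICE_PATHS[path])
            for (method, path), count in top if path in DEVICE_PATHS]


if __name__ == "__main__":
    top = top_requests(SAMPLE_REQUESTS)
    for (method, path), count in top:
        print(f"{count:6d}  {method} {path}")
    for method, path, count, note in device_targets(top):
        print(f"device target: {path} ({count} hits) <- {note}")
```

Malformed or truncated lines (like the "GET http" entry) are skipped rather than counted, which keeps the aggregation honest when a honeypot records partial requests; extend DEVICE_PATHS with whatever device endpoints matter in your own environment.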

---
Johannes B. Ullrich, Ph.D.

False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP

Published: 2015-05-19
Last Updated: 2015-05-19 20:36:01 UTC
by Johannes Ullrich (Version: 1)

Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for blackholes that Microsoft operates:

$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 [**] [Classification: A Network Trojan was detected] [Priority: 1] ...

It is not yet clear which process causes the connection to this IP on port 443. But a number of other users are reporting similar issues. For example, see here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/37aecee6-0df9-4234-8159-c632070478ad/strange-dns-requests-blocked-by-ips?forum=winserversecurity

At this point, I am assuming that this is some kind of configuration error at Microsoft.
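For triaging alerts like the one above, the following is an added example (not the diary's or any IDS vendor's code): it parses `host`-style output into the CNAME chain and final addresses, flags the two sinkhole indicators visible in this case (a "blackhole" label in the chain, and an address inside the 131.253.18.0/24 range from the ET signature), and then separates the generic "sinkhole hit" case from the one seen here, where the sinkhole belongs to the same domain as the queried name. The input is the diary's `host` output embedded as a constant so the check runs offline; the classification labels are this example's own.

```python
import ipaddress
import re

# Sinkhole range taken from the ET signature quoted in the diary.
SINKHOLE_NETS = [ipaddress.ip_network("131.253.18.0/24")]

# `host settings-win.data.microsoft.com` output as shown in the diary, embedded
# as a constant so the example runs without network access.
HOST_OUTPUT = """\
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address 131.253.18.253
"""

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Return (cname_chain, addresses) from `host`-style output.

    cname_chain lists names from the queried name to the final canonical name;
    addresses holds the A/AAAA records of that final name.
    """
    chain, addresses = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            src, dst = m.group(1).rstrip("."), m.group(2).rstrip(".")
            if not chain:
                chain.append(src)
            chain.append(dst)
            continue
        m = ADDR_RE.match(line)
        if m:
            if not chain:
                chain.append(m.group(1).rstrip("."))
            addresses.append(ipaddress.ip_address(m.group(2)))
    return chain, addresses


def sinkhole_indicators(chain, addresses):
    """Collect reasons a resolution looks sinkholed: CNAME labels or IP ranges."""
    reasons = []
    for name in chain:
        if "blackhole" in name.lower() or "sinkhole" in name.lower():
            reasons.append(f"CNAME chain passes through {name}")
    for addr in addresses:
        for net in SINKHOLE_NETS:
            if addr in net:
                reasons.append(f"{addr} is inside sinkhole range {net}")
    return reasons


def registered_domain(name):
    """Crude registrable-domain guess (last two labels); enough for this example."""
    return ".".join(name.split(".")[-2:])


def assess(queried_name, chain, addresses):
    """Classify a resolution as 'clean', 'sinkhole', or 'sinkhole-but-own-domain'.

    The last class is the diary's situation: the sinkhole sits in the same domain
    as the legitimate name that was queried, which points to a configuration
    problem on the operator's side rather than malware on the querying host, so
    the alert should be triaged as a probable false positive.
    """
    reasons = sinkhole_indicators(chain, addresses)
    if not reasons:
        return "clean", reasons
    final = chain[-1] if chain else queried_name
    if registered_domain(final) == registered_domain(queried_name):
        return "sinkhole-but-own-domain", reasons
    return "sinkhole", reasons


if __name__ == "__main__":
    chain, addrs = parse_host_output(HOST_OUTPUT)
    verdict, reasons = assess("settings-win.data.microsoft.com", chain, addrs)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

The chain-based check matters because the IDS signature only sees the A record in the DNS reply; the "blackhole6" CNAME label is what tells an analyst that the sinkhole is Microsoft's own, which is the detail that makes this look like a misconfiguration rather than a compromise.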

---
Johannes B. Ullrich, Ph.D.