
Summary

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

 

This is registered as CVE-2016-1287. See the Cisco Security Advisory for additional information:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

 

Live Content

There are two pieces of content in Live, which identify events within SA that potentially warrant further investigation.

  1. LUA Parser (packets):  ISAKMP
  2. Application Rule (logs):  Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow

 

ISAKMP LUA Parser

For packet-based customers, this LUA parser identifies ISAKMP. For IKE type 132 (fragment) payloads, an alert is registered if the length field is less than 8, which indicates an attempt to exploit the Cisco ASA buffer overflow, CVE-2016-1287. ISAKMP sessions on ports other than UDP 500 or 4500 will not be parsed.

 

Parser Details:

DEPENDENCIES

     Parsers

          * FeedParser

          * NETWORK

     Feeds

          * alertids_warning

CONFLICTS

     None

KEYS

     * alert.id - mapped to risk meta

     * service - '500'

RISK VALUES

     warning

          * isakmp buffer overflow
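
The length check described for the ISAKMP parser can be sketched outside the product as follows. This is an added example, not the Live parser's Lua source: the names check_isakmp and _sample and the test datagrams are constructed for illustration, and it assumes the standard 28-byte ISAKMP header and the 4-byte non-ESP marker that precedes IKE on UDP 4500.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, id, length
FRAGMENT = 132        # IKE fragment payload type named in the post
MIN_FRAGMENT_LEN = 8  # generic header (4) + fragment id (2) + sequence (1) + last flag (1)

def check_isakmp(udp_payload, port):
    """Return the alerts raised for one UDP datagram; an empty list means nothing matched."""
    if port not in (500, 4500):
        return []                              # like the parser, ignore other ports
    data = udp_payload
    if port == 4500:
        if data[:4] != b"\x00" * 4:
            return []                          # ESP-in-UDP or keepalive, not IKE
        data = data[4:]                        # strip the non-ESP marker
    if len(data) < ISAKMP_HDR.size:
        return []
    _, _, current, version, _, flags, _, total = ISAKMP_HDR.unpack_from(data)
    major = version >> 4
    if major not in (1, 2):
        return []
    if major == 1 and flags & 0x01 and current != FRAGMENT:
        return []                              # encrypted IKEv1 body: no readable payload chain
    end, offset, alerts = min(total, len(data)), ISAKMP_HDR.size, []
    while current != 0 and offset + 4 <= end:
        following, _, plen = struct.unpack_from("!BBH", data, offset)
        if current == FRAGMENT and plen < MIN_FRAGMENT_LEN:
            alerts.append("isakmp buffer overflow")
        if plen < 4:
            break                              # length cannot cover its own header; stop walking
        offset, current = offset + plen, following
    return alerts

def _sample(frag_len, nat_t=False):
    """Constructed datagram: IKEv1 header plus one fragment payload header."""
    body = struct.pack("!BBH", 0, 0, frag_len) + b"\x00" * 4
    header = ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, FRAGMENT, 0x10, 2, 0, 0,
                             ISAKMP_HDR.size + len(body))
    return (b"\x00" * 4 if nat_t else b"") + header + body

if __name__ == "__main__":
    for length in (8, 7):
        print(length, check_isakmp(_sample(length), 500))
```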

 

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Application Rule

Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule, written to detect indicators of CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.

 

SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.

 

Rule Logic:

Rule Name: nw125025

Condition:  device.type='snort','ciscoidsxml' && policy.name='"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"', '"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"', 'Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow'

Alert On:  alert.id

 


 

Rule Details:

RISK VALUES

          risk.warning - Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow

 

DEPENDENCIES

    FeedParser

     feed:alertids_warning

 

 

Customer Content

Since one result of the vulnerability is a large increase in ISAKMP sessions on UDP port 500 or 4500, a Correlation Rule or ESA rule could be created to detect traffic above the threshold that is typical for the customer environment.

 

The rule should be tailored to the customer environment:

  1. The condition ‘device.type='ciscoasa' && ip.dstport=500’ is added to detect logs where Cisco ASA is enabled. Remove it if it is not needed, or update it to allow ip.dstport 4500 if that applies to the environment.
  2. The default threshold is a single ip.src generating traffic to more than 200 unique ip.dst values. Customize the threshold for the customer environment.

 

Sample Basic Correlation Rule

 

Rule Name:  Cisco ASA Buffer Overflow Vulnerability

Condition:  medium=32 && device.type='ciscoasa' && ip.dstport=500

Threshold:  u_count(ip.dst)>200

Instance Key:  ip.src

Time Window:  5 minutes

 


 

Sample ESA Rule

Create an Advanced ESA rule and copy and paste the following. Be sure to customize it for the environment as described above.

The @Hint value for reclaiming groups should equal, in seconds, the total time set for the window.

 

@Hint('reclaim_group_aged=300')
@RSAAlert
SELECT * FROM
    Event(
        medium=32 AND device_type='ciscoasa' AND ip_dstport=500
    ).std:groupwin(ip_src).win:time_length_batch(5 minutes, 200).std:unique(ip_dst)
GROUP BY ip_src
HAVING COUNT(*) = 200;
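
To tune the threshold before deploying either rule, the same logic can be replayed over exported log records. The following is an added example, not RSA content: it uses a sliding five-minute window rather than the ESA batch window, and the function names, record layout and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

def find_ike_fanout(events, threshold=200, window=300, ports=(500,)):
    """Return {ip_src: time at which its unique ip_dst count in the window first exceeded threshold}."""
    recent = defaultdict(deque)                      # ip_src -> (time, ip_dst) still inside the window
    seen = defaultdict(lambda: defaultdict(int))     # ip_src -> ip_dst -> events inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        # Same filter as the sample rules: medium=32, device type ciscoasa, IKE port
        if ev["medium"] != 32 or ev["device_type"] != "ciscoasa" or ev["ip_dstport"] not in ports:
            continue
        src, dst, now = ev["ip_src"], ev["ip_dst"], ev["time"]
        recent[src].append((now, dst))
        seen[src][dst] += 1
        # Drop events that have aged out of the window and forget peers no longer present
        while recent[src][0][0] <= now - window:
            _, old = recent[src].popleft()
            seen[src][old] -= 1
            if seen[src][old] == 0:
                del seen[src][old]
        if len(seen[src]) > threshold and src not in alerts:
            alerts[src] = now
    return alerts

def constructed_events():
    """Constructed sample logs: a fast fan-out, a slow fan-out and one chatty peer pair."""
    def log(t, src, dst, port=500):
        return {"time": t, "medium": 32, "device_type": "ciscoasa",
                "ip_src": src, "ip_dst": dst, "ip_dstport": port}
    def peer(i):
        return "10.1.%d.%d" % (i // 250, i % 250 + 1)
    burst = [log(i, "192.0.2.10", peer(i)) for i in range(201)]      # 201 peers in under 4 minutes
    slow = [log(i * 6, "192.0.2.20", peer(i)) for i in range(201)]   # 201 peers over 20 minutes
    repeat = [log(i, "192.0.2.30", peer(0)) for i in range(500)]     # one peer, many sessions
    return burst + slow + repeat

if __name__ == "__main__":
    print(find_ike_fanout(constructed_events()))
```

Passing ports=(500, 4500) covers the NAT-T case mentioned in the tailoring notes, and lowering threshold shows which sources would start alerting in a quieter environment.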

Locky is a new ransomware family that is getting a lot of interest among security researchers because it is being delivered by the same actors behind the notorious Dridex banking trojan. Locky spreads through spam campaigns with attached Office documents that use embedded macros to download Locky binaries onto victims' machines. You can read more about Locky on the Proofpoint blog.

 

In this blog post, we will see how its network activity looks in RSA Security Analytics. After the user enables the macro, an executable is downloaded to the machine as follows:

 

[Screenshots: locky-session1.png, locky-investigator1.png]

 

Downloading executables is definitely not exclusive to Locky or any ransomware family but it is suspicious enough to warrant further investigation. Once the transfer is complete, Locky runs and starts to communicate with its C2 server as follows:

 

[Screenshots: locky-session2.png, locky-investigator2.png]

 

Assuming the appropriate meta keys are enabled, the following query can be used to detect Locky network traffic:

               service = 80 && action = 'post' && filename = 'main.php' && client !exists

 

Scan results for a Locky variant can be found here.

 

All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch Command and Control IPs
  • RSA FirstWatch Command and Control Domains

HttpBrowser is a Remote Access Trojan associated with cyberespionage campaigns. This blog will discuss how to detect its beaconing activity using RSA Security Analytics.

 

HttpBrowser sends information about the infected system to its C2 server via POST requests:

 

[Screenshot: httpbrowser-session2.png]

 

 

The query string is the decimal representation of the value returned by the GetTickCount Windows API call, which is the number of milliseconds that have elapsed since the system was started. The request body itself includes more information:

  • computer: Machine hostname [username]
  • lanip: IP address of the infected machine
  • uid: An encoded value that has the Machine GUID and its volume serial number
  • os: Windows Major version, Windows Minor version, System architecture

 

Malware researchers called this family HttpBrowser based on the unique User-Agent string used by its variants. However, recent HttpBrowser binaries dropped that UA string altogether and started using a common one in order to bypass signatures and blend in with other network traffic.

 

[Screenshot: httpbrowser-session1.png]

Except for the UA string, everything else stays the same. This is how the traffic looks in Security Analytics Investigator:

 

[Screenshot: httpbrowser-investigator.png]

 

 

Assuming the appropriate meta keys are enabled, the following query can be used to detect HttpBrowser network activity:
               action = 'post' && directory = '/' && filename = 'result' && query exists

 

Scan results for an HttpBrowser variant can be viewed here.

 

All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following app rule:

               threat.desc = 'apt-httpbrowser-c2'

