Web shell warning issued by US and Australia

By Danny Bradbury

The US National Security Agency (NSA) and its Australian counterpart the Australian Signals Directorate (ASD) have published a set of guidelines to help companies avoid a common kind of attack: web shell exploits.

A web shell is a malicious program, often written in a scripting language like PHP or Java Server Pages, that gives an attacker remote access to a system and lets them execute functions on a victim’s web server. Attackers hack web-facing applications so that they can install and execute these files on the server, enabling them to steal data, launch attacks on visitors to the site, or use the web server as an ingress point to burrow further into the victim’s infrastructure.

Attackers often disguise web shells as innocuous-looking files that could pass for a component of the web application, enabling them to ‘live off the land’ by executing malicious commands unobtrusively and lurk undetected for a long time unless an admin is paying attention. The NSA warned:

Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic.

The guidelines list several CVEs that are common attack vectors for the installation of web shells, targeting products from Microsoft (SharePoint and Exchange), Atlassian, Progress, Zoho, and Adobe (ColdFusion).

Read more at https://nakedsecurity.sophos.com/2020/04/27/web-shell-warning-issued-by-us-and-australia/

Patch now! Microsoft issues unexpected Office fix

By Paul Ducklin

Microsoft just issued Security Advisory ADV200004, entitled Availability of updates for Microsoft software utilizing the Autodesk FBX library.

At first glance, you might be inclined to read just the headline and skip on by because you don’t use FBX files or you don’t have any Autodesk software products.

We’ll be honest and admit we hadn’t even heard of FBX files until now, let alone created one – the abbreviation is short for Filmbox, and it’s a proprietary format owned by Autodesk that is used to save motion capture data along with audio and video streams.

Autodesk is probably still best-known for its AutoCAD computer aided drawing software, but it has a huge range of products for video rendering, game creation and more, where the FBX file format is right at home.

Read more at https://nakedsecurity.sophos.com/2020/04/24/patch-now-microsoft-issues-unexpected-office-fix/

Shadow Broker leaked NSA files point to unknown APT group

By Danny Bradbury

Remember the Shadow Brokers, the mysterious group that stole and leaked a collection of NSA files in 2016? Well, it’s the gift that keeps on giving. A security researcher claims to have unearthed a previously-unknown APT group after reading over some of the dumped files.

The Shadow Brokers published their stolen NSA files online in several batches. One of the largest was batch number five, which got the nickname ‘lost in translation’. In March 2018, Budapest University’s Laboratory of Cryptography and System Security (CrySys Lab) published a report picking apart this file drop. It focused on a file called sigs.py which contained 45 file signatures that government operatives could use to scan machines for infection. Each file signature could be linked to a different attack group. Some of the signatures, like Flame and Stuxnet, were already known. Others were less common. The lab identified one of them, a file called godown.dll in signature 37, as IronTiger_ASPXSpy. It got this reference from a file listing on VirusTotal.

Juan Guerrero-Saade, a security researcher and adjunct professor at Johns Hopkins University’s School of Advanced International Studies, wasn’t convinced, arguing that misleading files make their way onto VirusTotal all the time. He realized that the file in question was a 15Mb memory dump of a McAfee installer. In short, it’s a red herring.

Investigating godown.dllfurther, he found that the file was a drop from a larger multi-stage infection framework. The tools and techniques that the framework used indicated a unique cluster of activity. It pointed to an advanced persistent threat group that wasn’t publicly known until now.

Read more at https://nakedsecurity.sophos.com/2020/04/24/shadow-broker-leaked-nsa-files-point-to-unknown-apt-group/

AI helps experts find thousands of child sexual abuse imagery keywords

By Lisa Vaas

A team of 13 analysts at the Internet Watch Foundation (IWF) have used machine learning to help them figure out what secret code words are used by online communities of perverts to covertly talk about child sexual abuse images.

The IWF is a UK-based charity that every year removes tens of thousands of depraved images.

Sarah Smith, the technical projects officer who’s overseen IWF’s work, told Wired that the charity has been working on its database of pedophile slang for more than 10 years.

The abusers who trade this imagery have been developing a private, secret language over that time. At the dawn of the IWF’s work, over a decade ago, predators were openly sharing content through newsgroups, forums and on dedicated websites, often with clear descriptions of what the pictures depicted.

Chris Hughes, who leads the IWF’s team of 13 analysts, told Wired that back then, finding the content was as simple as a web search. You didn’t have to go to the Dark Web to find the material, given that it was easily available on the open web, he said:

It was possible to go to a search engine, type it in and get exactly what you wanted.

Up until a few weeks ago, the IWF’s database of pedophile slang contained about 450 words and phrases used to refer to abuse images. But over the last few weeks, that database has expanded to contain 3,681 more entries, with several hundred more still to be added.

Read more at https://nakedsecurity.sophos.com/2020/04/24/ai-helps-experts-find-thousands-of-child-sexual-abuse-imagery-keywords/