hunting botnet attacks and reporting to the host

Cyber Alert Dashboard Example

I like to demystify things for people who aren’t completely tech savvy, hopefully using words that are human readable, although anything having to do with information security (infosec) is going to read a bit geeky. To that end, this is an attempt at a human-readable account of tracking down an IP address that was attacking our network today. Let’s start with THE FACT that your network admin CAN give you visual, open source tools. This is important if you want accountability and awareness. Like this:

Most networks (hopefully) have endpoints that include firewalls and extensive logging, and frequently the logs are redundant for verification purposes. Usually the firewalls feed tools like OSSEC to help decipher what is going on. We run multiple tools for network monitoring, but my “go to” is the Elastic Stack (also called an ELK stack) because the whole team can visualize things in Kibana and bring them to our attention if we happen to take 5 minutes off for lunch.

Looking at the Wazuh plugin tab in Kibana, I noticed an increase in rule id 31303, which is a critical NGINX error.

Graph of OSSEC Network Security Alerts Over Time
A visual graph from OSSEC visualized by an Elastic Stack

When we drill down into the logs in Kibana, it parses things out to be a little easier to read. This matters because we need the detail to report the bad IP address.

The log file includes this snippet:

FROM THE LOGS: SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking

So who is the bad guy? Who owns this IP address? Arin.net answers that for us, either with the owner or by pointing you to a different registrar that can tell you the owner. In my case it was a US-based IP address, 23.100.232.233.

Straight up, most of us in InfoSec actually prefer the command line because we can filter the data faster that way. If you can’t “see” it in a report, in my experience it rarely happens. Still, a typical command would be something like this if I wanted to help my SEO manager prioritize which 404 pages to fix first (field 7 of the default nginx access log is the request path, and the grep is anchored on the space-delimited status code so a “404” in a URL doesn’t count):
grep ' 404 ' /log/file/path/nginx/access.log | sed 's/, /,/g' | awk '{print $7}' | sort | uniq -c | sort -n -r | head -100

Now back to our story of finding the botnet hitting our endpoints: Mr. 23.100.232.233.

We go to arin.net. The ARIN URL is https://search.arin.net/rdap/?query=23.100.232.233, which shows the owner and any further delegations.

It goes on to show that the owner is Microsoft.

Source Registry: ARIN
Kind: Org
Full Name: Microsoft Corporation
Handle: MSFT
Address: One Microsoft Way Redmond WA 98052 United States

And it continues:
To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to: https://cert.microsoft.com.

Perfect! They are telling us exactly how to report the problem to Microsoft. Now we want to be a bit more helpful, so let’s try to figure out what it is in more detail. There are many tools; just google “ip address reputation” and you will get something.

We have the data from the logs, so let’s try to find out what the attack is. Google for other options, but I picked this one today:

https://www.abuseat.org/lookup.cgi?ip=23.100.232.233

RESULTS OF LOOKUP
23.100.232.233 is listed
This IP address was detected and listed 4146 times in the past 28 days, and 137 times in the past 24 hours. The most recent detection was at Fri May 31 17:35:00 2019 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably necurs.

necurs is also known as: WinNT/Necurs.A, Mal/Necurs-A (Sophos), RTKT_NECURS.SMA (Trend Micro), Trojan.Hosts.5268 (Dr.Web), Trojan.Win32.Genome.aglua (Kaspersky), Trojan.WinNT.Necurs (Ikarus), Win32/SpamTool.Tedroo.AS (ESET)... etc...

Microsoft told us exactly how to report it, so we can go to https://cert.microsoft.com and enter all of our data with confidence. They are far more likely to take action when given the exact data, logs, and type of attack in detail.
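The same triage done by script instead of by eye, as an added example that is not code from this post or from Tendenci: it parses nginx error_log lines for the handshake failure quoted above, groups them per client IP, and drafts the report body with the log evidence and the ARIN RDAP link. It assumes nginx’s default error_log layout, which appends a `client:` field to connection-level failures; the log lines and addresses below are constructed.

```python
import re

# Constructed sample in nginx's default error_log layout (not the post's logs); nginx appends
# ", client: <ip>, server: <addr>" to connection-level failures such as a rejected handshake.
SAMPLE_ERROR_LOG = """\
2019/05/31 17:30:01 [crit] 1234#1234: *101 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2019/05/31 17:30:02 [crit] 1234#1234: *102 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2019/05/31 17:30:05 [crit] 1234#1234: *103 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 198.51.100.9, server: 0.0.0.0:443
2019/05/31 17:30:09 [error] 1234#1234: *104 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: example.org, request: "GET /favicon.ico HTTP/1.1"
2019/05/31 17:30:11 [crit] 1234#1234: *105 SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
"""

# Timestamp, OpenSSL reason text and client address; other error_log lines will not match.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] .*?"
    r"SSL_do_handshake\(\) failed \(SSL: (?P<reason>[^)]*)\).*?client: (?P<ip>[\d.]+)"
)

def handshake_failures_by_client(log_text):
    """Group TLS handshake failures by client IP: count, first/last seen, OpenSSL reason."""
    summary = {}
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            entry = summary.setdefault(m["ip"], {"count": 0, "first": m["ts"], "last": m["ts"], "reason": m["reason"]})
            entry["count"] += 1
            entry["last"] = m["ts"]
    return summary

def offenders(summary, threshold):
    """Client IPs with at least `threshold` failures, busiest first."""
    hits = [ip for ip, e in summary.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["count"])

def rdap_url(ip):
    """ARIN RDAP search page for the address, the lookup the post walks through."""
    return f"https://search.arin.net/rdap/?query={ip}"

def abuse_report(ip, entry, server_name):
    """Report body with what an abuse desk asks for: source, target, window, count, raw evidence."""
    return (f"Source IP: {ip}\nTarget: {server_name} (TCP/443)\n"
            f"Window (server local time): {entry['first']} to {entry['last']}\n"
            f"Events: {entry['count']} failed TLS handshakes\n"
            f"Evidence: nginx error_log: SSL_do_handshake() failed (SSL: {entry['reason']})\n"
            f"Registry lookup: {rdap_url(ip)}\n")

if __name__ == "__main__":
    summary = handshake_failures_by_client(SAMPLE_ERROR_LOG)
    for ip in offenders(summary, threshold=2):  # a single failure is usually an old client, not a campaign
        print(abuse_report(ip, summary[ip], "example.org"))
```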

For those of us managing large and numerous websites that are constantly under attack, we have seen a HUGE increase in attacks over the last 10 years.

Y’all, we really are in a cyberwar, and while the Navy gets ships, the Air Force gets planes, and the Army gets the tools they need, in the US most of the cyber warfare defense is literally left up to private companies and private individuals who are not part of any organized force nor provided assets to fight the war. Kind of scary, huh?

Your 2nd Amendment Rights Are About to be Taken Away by the Senate

This is a crosspost with editorial commentary (by me) from https://blog.tendenci.com/mlk-day-2020-read-the-docs/ . I wrote that post, and given this is my personal blog I’ll add a bit more of my opinion on the topics of today.**

Disclaimer: I’m a programmer and an established businessman with a long history of accomplishments and contributions to the global community. But mostly to America, as that is where I am a proud citizen. I’m an independent because I grew up on Army bases throughout the world and in the Military (I have *not* served, my parents and brothers have), we were taught to NOT be partisan. TAMU reinforced that. It forces you to THINK. I’m not allowed to be a sheep to any cult on either side. And because I LOVE my country, that’s how I roll. Deal with it or stop reading. For reference, eschipul on LinkedIn.

Let’s start with this. The US Senate is about to take away your Second Amendment rights to bear arms. Yes, read that again. We are going to lose our right to bear arms. Guaranteed.

Why? Because we can’t just pick and choose which parts of the Constitution we want to follow. Logically, if you do that, when a new “King” takes over, they will strike through the articles and amendments that THEY don’t like.

Yes, the “conservative” party (a misnomer as neither party is conservative or liberal if you actually read their party planks) is missing the fact that if you ignore the part of the Constitution at the request of one branch of the government, then ALL of the constitution is subject to dismissal by future Executive Branch leaders.

If this becomes true, which we all hopefully pray it doesn’t, we will have become either a monarchy, a dictatorship, or an autocracy. (Think Cuba under Castro.)

The Title of Nobility Clause is a provision in Article I, Section 9, Clause 8 of the United States Constitution,[1] that prohibits the federal government from granting titles of nobility, and restricts members of the government from receiving gifts, emoluments, offices or titles from foreign states and monarchies without the consent of the United States Congress. Also known as the Emoluments Clause, it was designed to shield the federal officeholders of the United States against so-called “corrupting foreign influences.” The clause is reinforced by the corresponding prohibition on state titles of nobility in Article I, Section 10, and more generally by the Republican Guarantee Clause in Article IV, Section 4.[2]

https://en.wikipedia.org/wiki/Title_of_Nobility_Clause#Presidential

Let’s start with “Freedom of speech.” That means if I start a company, and grow a following in social media or whatever, I can express my opinion, right? So this is me saying that Dr. Martin Luther King Jr. personified the leadership I expect of my elected officials. And he wasn’t elected – he was a LEADER.

Was MLK a perfect man? Of course not. But daaaaaammmnnn, he was patriotic. He understood that strong resistance to social injustice is STRONGER when it is done PEACEFULLY. That is strength.

Dr. King’s actions, peaceful and strong, are what makes America great. Not the valuation of the top 1%’s investments.

The American experiment is about PEOPLE. You, me, all of us. Together. As RFK stated.

Yes, obviously we must stand with a strong military behind a voice of reason. But that amazing power requires rational leadership. And real power comes from truth. To find truth, in a country ruled by LAW, you can’t ignore subpoenas. The Mafia does that.

Martin Luther King Jr. addresses a crowd from the steps of the Lincoln Memorial where he delivered his famous, “I Have a Dream,” speech during the Aug. 28, 1963, march on Washington, D.C.

On this day, on Martin Luther King Jr. day 2020, we encourage everyone to read Dr. King’s speech.

Don’t read the news “about” it. Read the docs! https://www.archives.gov/files/press/exhibits/dream-speech.pdf

That is the end of the post on blog.tendenci.com, the company blog. It also ran as the masthead on https://www.tendenci.com yesterday and was posted to all of our social media accounts.

As a true patriot and believer in the American dream, I must speak out as I see bipartisanship and an American public accepting the replacement of the K-street swamp be replaced by an even more corrupt corporate swamp of national intrigue. I’m disappointed in us.

What do I ask of you? I have no authority or ability to ask anything of you, except rationality.

Understand this: if the Senate ignores the facts, refuses to hear the facts, refuses to read the documents, not only will you lose your right to bear arms, but the very fabric of our country will be shredded and we will truly be subject to tyranny of the majority.

And being raised Catholic, people who were also persecuted in the global tragedy of WWII, American “dough-boys” who literally saved the world, will have succeeded only briefly. Only to see our rights thrown out the window by a reality TV personality.

In closing: to those who think I am “flip flopping” – I am not. The data has changed. Only a fool doesn’t change their views when their data changes. I don’t suffer fools. Nor should you. We will not only lose our 2nd Amendment right to bear arms, but the supposedly conservative party will have distorted the constitution to make all rights “questionable.”

** The great fool is he in whom we cannot tell which is the conscious and which the unconscious humour; we laugh with him and laugh at him at the same time.

https://en.wikipedia.org/wiki/Suffer_fools_gladly

The FBI confirms NGOs and Associations are Targets of Russian Hackers

James Comey Testimony on Russian Hacking Includes Acknowledgement of Russians Specifically Targeting NGOs and Nonprofits

Growing Tendenci, the open source AMS, has been eye-opening. I didn’t fully realize why our clients were constantly being attacked. Even behind all of our firewalls, scanners, ACLs, malware and rootkit detection, antivirus, third party scanners, multifactor authentication, honeypots, not storing credit cards, and still more custom security measures we’ve developed in house, the attacks keep coming.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged, inspected and blocked aggressively when possible. Nothing is hack proof, obviously. But our security practices are FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

Source: http://www.politico.com/story/2017/06/08/full-text-james-comey-trump-russia-testimony-239295

BURR: Okay. When did you become aware of the cyber intrusion?

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worthy of mention to everyone using an AMS system. To be secure, you need to be able to inspect your own code, whether you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/. Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the countdown before they take my blog offline with DDoS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that, oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent. No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies whether they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.