Good news everyone! It has now been 10 days since Google Security released 7 critical vulnerabilities along with PoC exploit code for popular dnsmasq service and the world is still alive as we know it. How long will this last? If we refer to WannaCry outbreak it takes a while from public exploit being released to a global outbreak. Or does it? EternalBlue exploit was released on January 7th along with other “Lost in translation” leaks so that’s 5 months prior WCry attack. However, if we recall the exact timeline we can note that by end of April there were over 1,7M hosts infected with DoublePulsar backdoor traceable online by scanning port 445 or just looking through Shodan data. I’d like to refer to Dan Tentler of PhobosGroup reporting massive DoublePulsar infection back on April 19th, starting the scanning efforts and reporting the findings. And since WannaCry struck on May 12th it took exactly 24 days from the moment of public disclosure on tens of thousands backdoored machines to the day when attack happened. How does this relate to the Dnsmasq situation? This time I had a little freedom to make a pretty picture describing the threat:
With 3 RCE vulnerabilities we have to treat all those machines running unpatched dnsmasq as already compromised and likely backdoored. And since we’ve seen adversaries’ capabilities of executing global WannaCry attack in 24 days we can foresee that something big and bad can already go off as early as October 26. Or 27th to bring another fun Friday for us infosec folks. It may also happen faster since as they say “attackers always evolve”. A scan and verification would be nice to confirm the backdoor hypothesis, but first lets measure the size of the incoming disaster by asking Shodan. Here’s a query if you’d like to verify the accuracy: https://www.shodan.io/search?query=dnsmasq+%21dnsmasq-2.76+%21dnsmasq-2.78+%21dnsmasq-2.77+%21dnsmasq-2.79+%21dnsmasq-2.8+%21dnsmasq-2.9
As of October 11th, there are total of 1,178,031 devices running vulnerable version of dnsmasq and that is if you do not consider version 2.76 vulnerable or likely targetable by a mass-scale attack. I’ve previously reported the numbers on patching on October 6th and the amount of vulnerable devices was 1,131,229, so the amount of unpatched devices discovered by Shodan keeps going up!
Maybe Google Security’s warning has fallen on deaf ears? It may seem like it has, however if we take into account long patch-management cycles in the enterprise (do they exist for IoT at all?) and massive number of Android devices that are out of support the situation seems reasonable. Is the impact global? You may find answers in this report from Shodan:
So why do we mention Mirai? It was an infamous botnet built of scanning and making a bot army of insecure IoT devices leveraging clear-text protocols like telnet and hardcoded credentials. An adeversary with such capabilities will have little trouble of upgrading from a Brute Force attack to an RCE with publicly available exploit code. However, if nothing happens by October 27 it would mean that dnsmasq will be leveraged by APT actors who would make sure to secure their positions by establishing persistence (see ways to do it at MITRE ATT&CK) and operate in stealth. If we see a sudden spike in dnsmasq being patched I’d spell APT all over the place. It is a lucrative way in (and out) for the APT actors as DNS traffic still remains insecure and uncontrolled in majority of organizations and can be easily exploited for Command & Control, Delivery and Data Exfiltration. Come whatever may, just block those assets to be on the safe side and deploy some detection controls as there are many other wonderful things to do in cyber security. And if you’re a proud owner of a dnsmasq device as part of your IoT project at work or as your home router – upgrade that firmware today!
/Stay safe
p.s. we just finished cross-checking all 1,17K+ devices vs our Tor feed and got just 1 hit. We started checking IP’s vs IPVoid and VirusTotal and already have some IP’s confirmed as malicious. Updates are coming up.
SIEM content
Name | Descripiton |
---|---|
PHPSESSID | Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages. |
sp_i | Used to store information about authenticated User. |
sp_r | Used to store information about authenticated User. |
sp_a | Used to store information about authenticated User. |
Name | Descripiton |
---|---|
tuuid | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded. |
tuuid_last_update | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded. |
um | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded. |
umeh | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded. |
na_sc_x | Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site. |
APID | Collects anonymous data related to the user's visits to the website. |
IDSYNC | Collects anonymous data related to the user's visits to the website. |
_cc_aud | Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising. |
_cc_cc | Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising. |
_cc_dc | Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising. |
_cc_id | Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising. |
dpm | Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads. |
acs | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads. |
clid | Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads. |
KRTBCOOKIE_# | Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads. |
PUBMDCID | Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads. |
PugT | Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads. |
ssi | Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads. |
_tmid | Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips. |
wam-sync | Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website. |
wui | Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website. |
AFFICHE_W | Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website. |
B | Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor. |
1P_JAR | These cookies are used to gather website statistics, and track conversion rates. |
APISID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
HSID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
NID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
SAPISID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
SID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
SIDCC | Security cookie to protect users data from unauthorised access. |
SSID | Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users. |
__utmx | This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website. |
__utmxx | This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website. |
Name | Descripiton |
---|---|
_hjid | Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
_hjIncludedInSample | This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample. |
intercom-id-[xxx] | This cookie is used by Intercom as a session so that users can continue a chat as they move through the site. |
intercom-session-[xxx] | Used to keeping track of sessions and remember logins and conversations. |
demdex | Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads. |
CookieConsent | Stores the user's cookie consent state for the current domain. |
__cfduid | Used by the content network, Cloudflare, to identify trusted web traffic. |
ss | These cookies enable the website to provide enhanced functionality and
personalisation . They may be set by us or by third party providers whose
services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality . |
Name | Descripiton |
---|---|
_ga | This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners. |
_gat | Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes. |
_gid | This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
IDE | Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user. |
r/collect | Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user. |
test_cookie | Used to check if the user's browser supports cookies. |
collect | Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels. |
ads/user-lists/# | These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. |
c | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |
khaos | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |
put_# | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |
rpb | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |
rpx | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |
tap.php | Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network. |