Blog Elements

Half Sized Blog Element (Single Author Style)

Half Sized Blog Element (Multi Author Style)

CVE-2018-15454 (Cisco SIP) Exploit Information

2018-11-19/0 Comments/in Vulnerability & Threat Report/by Kellep Charles

From October 2018, NCCIC analysts have observed network traffic indicating

attempts, by unknown actors against multiple government agencies, to exploit a

vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP)

inspection engine of Cisco ASA Software and Cisco FTD Software.

Amazon AWS GuardDuty

2018-11-16/0 Comments/in Cloud Security/by Kellep Charles

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.

CVE-2018-15454 (Cisco SIP) Exploit Information

2018-11-19/0 Comments/in Vulnerability & Threat Report/by Kellep Charles

From October 2018, NCCIC analysts have observed network traffic indicating

attempts, by unknown actors against multiple government agencies, to exploit a

vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP)

inspection engine of Cisco ASA Software and Cisco FTD Software.

Amazon AWS GuardDuty

2018-11-16/0 Comments/in Cloud Security/by Kellep Charles

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.

Full Sized Blog Element (Big Preview Pic)

CVE-2018-15454 (Cisco SIP) Exploit Information

2018-11-19/0 Comments/in Vulnerability & Threat Report/by Kellep Charles

IB-18-20248-CVE-2018-15454 Exploit Attempts Against Government Facilities Sector

TLP: AMBER

Department of Homeland Security

NCCIC US-CERT

Reference Number: IB-18-20248

Report Date: 2018-11-15T22:19:01+00:00

Notification:

DISCLAIMER: This report is provided “as is” for informational purposes only. The

Department of Homeland Security (DHS) does not provide any warranties of any

kind regarding any information contained within. The DHS does not endorse any

commercial product or service, referenced in this bulletin or otherwise. This

document is distributed as TLP:AMBER: Limited disclosure, restricted to

participants’ organizations. Recipients may only use TLP:AMBER information with

members of their own organization, and with clients or customers who need to

know the information to protect themselves or prevent further harm. For more

information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary:

From October 2018, NCCIC analysts have observed network traffic indicating

attempts, by unknown actors against multiple government agencies, to exploit a

vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP)

inspection engine of Cisco ASA Software and Cisco FTD Software. This

vulnerability could allow an unauthenticated, remote attacker to cause an

affected device to reload or trigger high CPU usage, resulting in a DoS

condition.

The vulnerability is due to improper handling of SIP traffic and affects Cisco

ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later

if SIP inspection is enabled (ENABLED BY DEFAULT). An attacker could exploit

this vulnerability by sending SIP requests designed to specifically trigger this

issue at a high rate on any of the following Cisco products:

– 3000 Series Industrial Security Appliance (ISA)

– ASA 5500-X Series Next-Generation Firewalls

– ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600

Series Routers

– Adaptive Security Virtual Appliance (ASAv)

– Firepower 2100 Series Security Appliance

– Firepower 4100 Series Security Appliance

– Firepower 9300 ASA Security Module

– FTD Virtual (FTDv)

This activity was observed in the Government Facilities Sector.

Analysis:

Host

IPv4: 46.249.59.196

Sighted: 2018-10-19 [only single sightings used]

Killchain Phase: Exploitation

Characterization: IP Watchlist

Notes: NCCIC analysts have observed network traffic from this IP address,

related to attempts by unknown actors against multiple government

agencies, to exploit a vulnerability [CVE-2018-15454] in the Session

Initiation Protocol (SIP) inspection engine of Cisco ASA Software and

Cisco FTD Software. This vulnerability could allow an unauthenticated,

remote attacker to cause an affected device to reload or trigger high

CPU usage, resulting in a DoS condition.

Attempted scanning/exploit activity will be over port 5060 and will

show a large number of incomplete SIP connections while the

vulnerability is actively being exploited.

Open source research indicates this IP is geolocated in the Netherlands

[ASN: AS50673]. Reporting by security vendors indicate this IP has been

involved in scanning, brute force attempts, and other malicious network

activity.

Host

IPv4: 5.62.63.223

Sighted: 2018-10-19 [only single sightings used]

Killchain Phase: Exploitation

Characterization: IP Watchlist

Notes: NCCIC analysts have observed network traffic from this IP address,

related to attempts by unknown actors against multiple government

agencies, to exploit a vulnerability [CVE-2018-15454] in the Session

Initiation Protocol (SIP) inspection engine of Cisco ASA Software and

Cisco FTD Software. This vulnerability could allow an unauthenticated,

remote attacker to cause an affected device to reload or trigger high

CPU usage, resulting in a DoS condition.

Attempted scanning/exploit activity will be over port 5060 and will

show a large number of incomplete SIP connections while the

vulnerability is actively being exploited.

Open source research indicates this IP has a point-of-presence (PoP) in

the United Kingdom [ASN: AS198605] and virtual PoP in the United

States. Reporting by security vendors indicate this IP has been

involved in scanning, brute force attempts, and other malicious network

activity.

Host

IPv4: 212.129.19.40

Sighted: 2018-10-19 [only single sightings used]

Killchain Phase: Exploitation

Characterization: IP Watchlist

Notes: NCCIC analysts have observed network traffic from this IP address,

related to attempts by unknown actors against multiple government

agencies, to exploit a vulnerability [CVE-2018-15454] in the Session

Initiation Protocol (SIP) inspection engine of Cisco ASA Software and

Cisco FTD Software. This vulnerability could allow an unauthenticated,

remote attacker to cause an affected device to reload or trigger high

CPU usage, resulting in a DoS condition.

Attempted scanning or exploit activity can be observed over port 5060

and shows a large number of incomplete SIP connections while the

vulnerability is actively being exploited.

Open source research indicates this IP is geolocated in France [ASN:

AS12876]. Reporting by security vendors indicate this IP has been

involved in scanning, brute force attempts, and other malicious network

activity.

Amazon AWS GuardDuty

2018-11-16/0 Comments/in Cloud Security/by Kellep Charles

What Is Amazon GuardDuty?

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a region that has never been used, or unusual API calls, like a password policy change to reduce password strength.

GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch events.

How Amazon GuardDuty Uses Its Data Sources

To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes and processes data from AWS CloudTrail event logs, VPC Flow Logs, and DNS logs. The logs from these data sources are stored in the Amazon S3 buckets. GuardDuty accesses them there using the HTTPS protocol. While in transit from these data sources to GuardDuty, all of the log data is encrypted. GuardDuty extracts various fields from these logs for profiling and anomaly detection, and then discards the logs.

The following sections describe the details of how GuardDuty uses each supported data source.

Topics

AWS CloudTrail event logs

AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. CloudTrail also allows you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred. For more information, see What is AWS CloudTrail?

You can configure CloudTrail trails to log management events and/or data events. Management events provide insight into management operations that are performed on resources in your AWS account. For example, configuring security (IAM AttachRolePolicy API operations), registering devices (Amazon EC2 CreateDefaultVpc API operations), configuring rules for routing data (Amazon EC2 CreateSubnet API operations), or setting up logging (AWS CloudTrail CreateTrail API operations). Data events provide insight into the resource operations performed on or within a resource. For example, Amazon S3 object-level API activity (GetObject, DeleteObject, and PutObject API operations) or AWS Lambda function execution activity (the Invoke API). For more information, see Logging Data and Management Events for Trails.

Currently, GuardDuty only analyzes CloudTrail management events. If you have CloudTrail configured to log data events, there will be a difference between GuardDuty analysis based on CloudTrail data and the logs that CloudTrail itself is delivering.

Another important detail about GuardDuty’s usage of CloudTrail as a data source is the handling and processing of CloudTrail’s global events. For most services, events are recorded in the region where the action occurred. For global services such as AWS IAM, AWS STS, Amazon CloudFront, and Route 53, events are delivered to any trail that includes global services, and are logged as occurring in US East (N. Virginia) Region. For more information, see About Global Service Events.

GuardDuty processes all events that come into a region, including global events that CloudTrail sends to all regions. This allows GuardDuty to maintain user and role profiles in each region and enables it to accurately detect credentials that are being maliciously used across regions.

Important

It is highly recommended that you enable GuardDuty in all supported AWS regions. This allows GuardDuty to generate findings about unauthorized or unusual activity even in regions that you are not actively using. This also allows GuardDuty to monitor AWS CloudTrail events for global AWS services.

If GuardDuty is not enabled in all supported regions, its ability to detect activity that involves global services is reduced.

VPC Flow Logs

VPC Flow Logs capture information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC. For more information, see VPC Flow Logs.

Important

When you enable GuardDuty, it immediately starts analyzing your VPC Flow Logs data. It consumes VPC Flow Log events directly from the VPC Flow Logs feature through an independent and duplicative stream of flow logs. This process does not affect any existing flow log configurations that you might have.

GuardDuty doesn’t manage your flow logs or make them accessible in your account. To manage access and retention of your flow logs, you must configure the VPC Flow Logs feature.

There is no additional charge for GuardDuty access to flow logs. However, enabling flow logs for retention or use in your account falls under existing pricing. For more information, see Working With Flow Logs.

DNS logs

If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.

Pricing for GuardDuty

For information about GuardDuty pricing, see Amazon GuardDuty Pricing.

Accessing GuardDuty

You can work with GuardDuty in any of the following ways:

GuardDuty Console

https://console.aws.amazon.com/guardduty

The console is a browser-based interface to access and use GuardDuty.

AWS SDKs

AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to GuardDuty. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

GuardDuty HTTPS API

You can access GuardDuty and AWS programmatically by using the GuardDuty HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the Amazon GuardDuty API Reference.