
Email scammers extract over $300m a month from American suits' pockets

FinCEN has recovered more than $500m to date

While you're sweating to make an honest crust, email scammers are counting at least $301m in untaxed takings every month in the US alone, according to research by the Financial Crimes Enforcement Network.…

Posted: 17 Jul 2019 | 7:13 am

RDP exposed: the wolves already at your door

While everyone waits for BlueKeep to be exploited, another RDP threat is already at the door, according to new research from Sophos.

Posted: 17 Jul 2019 | 5:57 am

Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks

By David Fiser

Jenkins is a popular open-source automation server for software development teams. Used on the development side of DevOps, its main purpose is to run tasks, called jobs, so that software project builds are produced automatically as part of the CI/CD process.

Jenkins has a distributed architecture: A master machine manages a group of agents (aka slaves), which are Java executables running on remote machines and that execute build jobs. Jenkins is also based on a modular architecture, and most of its features are implemented inside plugins that extend its core functionality, for example, post-build tasks.

The convenience offered by Jenkins also covers security aspects through its matrix-based model, not to mention how it’s easier to just pull an official Jenkins image from Docker Hub. However, working under default settings and enabling Jenkins’ matrix-based security might lead developers to assume that it’s already a secure setup. Unfortunately, we discovered that this can lead to potential security problems.

In our analysis, we observed that a user account with fewer privileges can gain administrator rights over the automation server if jobs are built on the master machine (i.e., the main Jenkins server), a setup enabled by default. An exploit for this can easily be written using shell spawn, a default build step. If an exploit is successfully deployed, an attacker can perform remote code execution (RCE) on the master, which can result in Jenkins being completely overwritten.

An insecure or lax configuration of these settings makes servers susceptible to attacks that abuse the said design feature, and we have already disclosed our findings to the Jenkins project. They responded that what we reported is not a security vulnerability, referring us to their user handbook and wiki.

A look into Jenkins’ default security settings

According to Jenkins’ security page, many security options in version 2.0 were enabled by default to ensure that Jenkins environments remain secure, unless certain protections are explicitly disabled by the administrator.

Security can be configured using the Configure Global Security page. By default, Security Realm (authentication) protects Jenkins’ own user database. It’s worth noting that the Master stores the user database and under that setting, logged-in users have access to everything.

Figure 1. Jenkins’ matrix-based security model

Under Authorization, options such as matrix-based security and project-based matrix authorization strategy can be enabled to allow the administrator to limit access to certain Jenkins features.

Executing shell spawn on the master

A loosely configured setting is at risk of being taken advantage of by a malicious actor. Before illustrating how that can happen, let's first look at the steps that take place when a job is performed. The following is essentially an analogy of the CI/CD pipeline:

The scripting capabilities of build steps can be extended with plugins installed within Jenkins. One of the default features within build steps, called Execute shell, is what we will focus on.

Rather than implementing every possible feature of the build script within the web application, scripting the build process (a common practice) speeds things up. However, spawning a shell from inside the web application poses security risks, especially if user permissions aren't properly assigned.

Allowing Jenkins users unnecessary permissions is concerning, as it can lead to the instance being compromised. For instance, the Script Security plugin helps address that risk: it limits the execution of untrusted Groovy scripts using a whitelist-based sandbox. Groovy scripts can only be executed with admin approval or inside the sandbox. The purpose of the sandbox is to prevent a user from interfering with the Jenkins instance by calling internal functions, e.g., Jenkins.getInstance().

In contrast, the Execute shell feature is not restricted and doesn't need admin approval, so lower-privileged users can spawn a shell and run their own scripts. This poses security risks if jobs are executed on the master, which, as mentioned, is the default. The master stores Jenkins configurations, application binaries, job definitions, and the user database. Since jobs run under the same OS user as the Jenkins application and the job working directory sits inside JENKINS_HOME, configuration files can be reached with a relative path, allowing Jenkins files to be read, written, and executed.

Possible attack scenarios

To illustrate how relying on Jenkins' default settings can pose security risks, let's look at the following scenario. Jenkins is installed with the suggested plugins, the matrix-based security model, and no agent configured. In this setup, a lower-privileged user is logged in with the following permissions:

Figure 2. User permissions that can allow exploit code execution on the master

With the above user permissions, an attacker can create and/or modify a job whose build step spawns a shell script. In this setup, the tools available to the attacker are limited to what the platform provides. If Jenkins is running on Linux, e.g., the official Jenkins Docker container, where the environment includes binaries such as echo, sed, Python, and wget, the attacker has a variety of options for RCE. The following actions can be carried out:

Proof of Concept (PoC)

An attacker could use sed and execute the following shell command:

sed -i 's#<useSecurity>true</useSecurity>#<useSecurity>false</useSecurity>#g' ../../config.xml

Figure 3. Exploiting shell access on the master

This unchecks the Enable security checkbox in the Configure Global Security page, giving all users admin access once Jenkins reloads its configuration files from disk.

Figure 4. Upon the execution of the exploit code, Jenkins’ security will be disabled

Security recommendations and mitigation steps

Admins are fully responsible for the security and proper configuration of Jenkins. Generally, the principle of least privilege should be implemented; limiting access to the bare minimum permissions needed by users to perform tasks can reduce the risk of account abuse or hijacking. If services and software are not utilized by users, limiting, replacing, or even completely disabling them should be considered.

The risks of relying on default security settings are not limited to abuse of the shell; they include the execution of any malicious code on the master. More specifically, we recommend disabling the execution of jobs on the master node. By comparison, using shell spawn to maliciously manipulate configurations on agent (slave) environments, e.g., containers, does not reach the master, since agents are isolated from it. The Jenkins project, for its part, has already issued a warning and a recommendation related to this authorization issue. To limit job execution permissions on the master, it advises admins to use the Authorize Project plugin.

To further prevent potential abuse, the shell, like any other plugin, should be disabled if users do not need it. Shell execution can be limited by setting Shell executable to /bin/false on the Configure System page. This way, /bin/false is run with the build script as its argument; it exits immediately with a failure status and the script is never interpreted.

Figure 5. How to disable Shell executable
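The settings above (security enabled, no executors on the master, Execute shell pointed at /bin/false, and who holds job-configure rights) all live as XML under JENKINS_HOME, so an admin can check them from disk. The following audit script is an added example, not code from the original post or from the Jenkins project. It assumes that config.xml carries the useSecurity, numExecutors and authorizationStrategy elements (Jenkins' real layout) and that the Execute shell default is stored in hudson.tasks.Shell.xml under a shell element (assumed file name; verify against your own JENKINS_HOME). The two XML documents are constructed samples.

```python
"""Audit a Jenkins master's on-disk settings for the weak defaults described
in the post. Added example, not from the post or the Jenkins project."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample config.xml: security and matrix authorization are on, but
# the master still runs jobs (2 executors) and a non-admin may configure jobs.
SAMPLE_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Item.Build:dev</permission>
    <permission>hudson.model.Item.Configure:dev</permission>
  </authorizationStrategy>
  <numExecutors>2</numExecutors>
</hudson>
"""

# Constructed sample of the Execute shell descriptor (assumed file name
# hudson.tasks.Shell.xml) with the default, empty executable.
SAMPLE_SHELL_XML = """<hudson.tasks.Shell_-DescriptorImpl>
  <shell></shell>
</hudson.tasks.Shell_-DescriptorImpl>
"""


def audit_config(config_xml: str) -> List[str]:
    """Return human-readable findings for a config.xml document."""
    findings = []
    root = ET.fromstring(config_xml)

    # The PoC in the post flips this flag to "false" to drop all authorization.
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true: everyone is an administrator")

    # Executors on the master mean build steps run with JENKINS_HOME in reach.
    executors = int((root.findtext("numExecutors") or "0").strip())
    if executors > 0:
        findings.append(f"master has {executors} executor(s): jobs can run on the master")

    # Under matrix authorization, Item.Configure lets a user define build steps
    # (including Execute shell); list who holds it besides administrators.
    strategy = root.find("authorizationStrategy")
    if strategy is not None and "Matrix" in strategy.get("class", ""):
        perms = [p.text or "" for p in strategy.findall("permission")]
        admins = {p.split(":", 1)[1] for p in perms
                  if p.startswith("hudson.model.Hudson.Administer:")}
        for p in perms:
            right, _, who = p.partition(":")
            if right == "hudson.model.Item.Configure" and who not in admins:
                findings.append(f"non-admin '{who}' can configure jobs (build steps)")
    return findings


def audit_shell(shell_xml: str) -> List[str]:
    """Flag an Execute shell default other than /bin/false."""
    root = ET.fromstring(shell_xml)
    shell = (root.findtext("shell") or "").strip()
    if shell != "/bin/false":
        return [f"Execute shell executable is '{shell or '(default)'}', not /bin/false"]
    return []


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG_XML) + audit_shell(SAMPLE_SHELL_XML):
        print("FINDING:", line)
```

Run it against the real files (JENKINS_HOME/config.xml and the shell descriptor) on a schedule; a useSecurity finding appearing on a previously clean master is exactly the change the sed one-liner above produces, and is worth alerting on.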

Organizations can take advantage of Trend Micro DevOps security solutions, which help in baking security into development processes via APIs to improve development cycles and reduce human touch points and errors. Such security solutions can also reduce disruption of development schedules and workflows with protection for images, containers, and hosts by quickly closing the security feedback loop.


Posted: 17 Jul 2019 | 3:26 am

McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect

Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.

Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.

What is an Office Macro Builder?

An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use an obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.

Dutch Language OpSec fail….

Rubella Macro Builder is such a toolkit and was offered by an actor under the same nickname, “Rubella”. The toolkit was marketed with colorful banners on different underground forums. For 500 US dollars per month, a buyer could use the toolkit to weaponize Office documents that bypass endpoint security systems and deliver a malicious payload or run PowerShell code of their choice.

Rubella advertisement banner

In one of Rubella's forum postings the actor described the toolkit and claimed that it bypassed the Windows Antimalware Scan Interface (AMSI) present in Windows 10. To back this up, the post linked to a screenshot. To us, as Dutch researchers, this screenshot immediately stood out because it showed the Dutch version of Microsoft Word. Dutch is an uncommon language: only a small percentage of the world's population speaks it, and an even smaller percentage of cybercriminals use it.

The linked screenshot with the Dutch version of Microsoft Word.

Interestingly, we reported last year on the individuals behind the CoinVault ransomware. One of the reasons they were caught was the use of flawless Dutch in their code. With this in mind, we decided to go deeper down the rabbit hole.

Forum Research

We looked further into the large number of posts by Rubella to learn more about the person behind the builder. The actor was promoting a variety of products and services, some self-written, ranging from (stolen) credit card data, a crypto wallet stealer and malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.

During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed the classic growth pattern of an aspiring cybercriminal: starting by gaining technical security knowledge on beginner forums with low OpSec, then gradually moving to some of the bigger, exclusive forums to offer products and services.

PDB path Breitling

One of the posts Rubella placed on a popular hacker forum promoted a piece of free software the actor had coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This caught our interest since it offered a way to link the adversary to the capability.

Email spoofer posting including the VirusTotal link 

Closer examination of the software on VirusTotal showed that the mail spoofer contained a debug (PDB) path, “C:\Users\Breitling”. Even though the username Breitling isn't very revealing about an actual person, leaving such a specific PDB path in malware is a classic mistake.

By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.

Finding additional samples with the Breitling PDB path
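The PDB path pivot described above can be reproduced without a sandbox, since a CodeView debug record is a fixed signature followed by the path. The script below is an added example, not code from the original post or from McAfee. It relies on the documented RSDS layout ("RSDS", a 16-byte GUID, a 4-byte age, then a NUL-terminated path); the sample bytes standing in for a PE file, and the path after the Breitling profile name, are constructed.

```python
"""Extract CodeView (RSDS) PDB paths from a binary and pull out the Windows
profile name for pivoting. Added example, not from the post or McAfee."""
import re
import uuid
from typing import List, Tuple

# A raw scan is enough for triage: the record is the signature "RSDS",
# a 16-byte GUID, a 4-byte age, then a NUL-terminated path. DOTALL lets
# the GUID/age wildcards match any byte, including newlines.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, path) for every RSDS record found in data."""
    records = []
    for m in _RSDS.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group(1)))      # GUID is stored little-endian
        age = int.from_bytes(m.group(2), "little")
        records.append((guid, age, m.group(3).decode("ascii")))
    return records


def pivot_username(path: str) -> str:
    """Return the profile name from a <drive>:\\Users\\<name>\\... path, else ''."""
    m = re.match(r"^[A-Za-z]:\\Users\\([^\\]+)", path)
    return m.group(1) if m else ""


# Constructed stand-in for a PE file: header-ish junk, one RSDS record, padding.
# The GUID and everything after "Breitling" are made up for the example.
SAMPLE_PE = (b"MZ" + b"\x00" * 30 + b"RSDS"
             + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
             + (1).to_bytes(4, "little")
             + b"C:\\Users\\Breitling\\example\\obj\\Release\\example.pdb\x00"
             + b"\x00" * 16)

if __name__ == "__main__":
    for guid, age, path in extract_pdb_paths(SAMPLE_PE):
        print(f"{guid} age={age} {path} -> user={pivot_username(path)!r}")
```

Read a real sample with `open(path, "rb").read()` and hand it to `extract_pdb_paths`; the GUID and age pair is what a symbol server keys on, so it doubles as a second pivot value when the path itself has been changed between builds.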

Since Breitling was most likely the username on the development machine, we wondered whether we could find Office documents crafted on the same machine and thus carrying the author name Breitling. We found an Office document with Breitling as author, and the document happened to have been created with a Dutch version of Microsoft Word.

The Word document containing the author name Breitling.

Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella: Rubella(@)exploit.im.

The Malicious document containing the string with the actor’s jabber account.

Circling back to the forums, we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor asks for advice on how to add a registry key using C#, and placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time a thirst for knowledge.

Older posting where the actor asks for help.

A closer look at the screenshot revealed the same PDB path C:\Users\Breitling\.

Screenshot with the Breitling PDB path

Chatting with Rubella

Since Rubella was quite extroverted on the underground forums and had stated Jabber contact details in advertisements, we decided to carefully initiate contact in the hope of getting access to more information. About a week after we added Rubella to our Jabber contact list, we received a careful “Hi.” We started talking, posing as a potential buyer and carefully mentioning our interest in the Rubella Macro Builder. During this chat Rubella was quite responsive and, like a real businessperson, mentioned that he was offering a new, “more exclusive” Macro Builder named Dryad. Rubella proceeded to share a screenshot of Dryad with us.

Screenshot of Dryad shared by Rubella

Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.

Dryad Macro Builder

Based on the information from the chat with Rubella, we performed a quick search for the Dryad Macro Builder. We eventually found a sample and decided to analyze it further and compare it with the Rubella Macro Builder for overlap.

PE Summary

We noticed that the program was written as a .NET assembly, which is usually the preferred choice of less skilled malware coders.

Dynamic Analysis

When we ran the application, it asked us to enter a login and password in order to run.

We also noticed a generated HWID (hardware ID) number that was always the same when running the app. The HWID is a unique identifier specific to the machine the app runs on, and it was used to register the app.

When trying to enter a random name we detected a remote connection to the website ‘hxxps://tailoredtaboo.com/auth/check.php’ to verify the license.

The request is made with the following parameters ‘hwid=<HWID>&username=<username>&password=<password>’.

Once the app is running and registered it shows the following interface.

In this interface it is possible to see the functions offered by the app; they matched the screenshot shared during our chat.

Basically, the tool allows the following:

It contains an Anti-virus Evasion tab:

It also contains a tab which is still in development:

Reverse Engineering

The sample is coded in .NET without any obfuscation. We can see the structure of the file in the following screenshot.

Additionally, it uses the Bunifu framework for the graphic interface. (https://bunifuframework.com/)

Main function

The main function launches the interface with the pre-configuration options. We can see here the link to putty.exe (also visible in the screenshots) for the payload that needs to be changed by the user.

Instead of running an executable, it is also possible to run a command.

By default, the path for the stub is the following:

We can clearly see here a link with Rubella.

Licensing function

To use the program, it requires a license, that the user has to enter from the login form.

The following function shows the login form.

To validate the license the program performs some checks and combines a hardware ID, a username and a password.

The following function generates the hardware id.

It gets information from the ‘Win32_Processor’ class to generate the ID.

It collects information from:

Then it will collect information from the ‘Win32_BIOS class’.

Then it will collect information from the ‘Win32_DiskDrive class’.

Then it will collect information from the ‘Win32_BaseBoard class’.

Then it will collect information from the ‘Win32_VideoController class’.

With all that hardware information collected it will generate a hash that will be the unique identifier.

This hash, the username and password will be sent to the server to verify if the license is valid. In the source code we noticed the tailoredtaboo.com domain again.

Generate Macro

To generate a macro the builder is using several parts. The format function shows how each file structure is generated.

The structure is the following:

To save the macro in the malicious doc it uses the function ‘SaveMacro’:

Evasion Techniques

Additionally, it generates random code to obfuscate the content and adds junk code.

The function GenRandom is used to generate random strings, chars as well as numbers. It is used to obfuscate the macro generated.

It also uses a Junk Code function to add junk code into the document:

For additional obfuscation it uses XOR encryption as well as Base64.
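When triaging documents produced by a builder of this kind, the analyst's job is the reverse of the GenRandom/XOR/Base64 steps just described: find the encoded literals and recover what they hide. The script below is an added example, not code from the original post or from McAfee. It assumes a single-byte XOR key applied before Base64 (the builder's exact key size and order are not given in the post), scores every candidate key by how text-like the result is, and runs over a constructed macro snippet; the URL it recovers is a harmless placeholder.

```python
"""Recover strings hidden with XOR followed by Base64 inside macro text.
Added example, not from the post or McAfee; key size and layering are assumed."""
import base64
import re
from typing import List, Tuple

# Quoted Base64 literals of a useful length; short ones are skipped as noise.
_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def _printable(buf: bytes) -> bool:
    """Candidate plaintext must be printable ASCII."""
    return all(0x20 <= b < 0x7F for b in buf)


def recover_strings(macro_text: str) -> List[Tuple[str, int, str]]:
    """For each Base64 literal, try all 256 single-byte XOR keys and keep the
    best-scoring printable result. Returns (literal, key, plaintext)."""
    hits = []
    for literal in _B64_LITERAL.findall(macro_text):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:          # not real Base64 after all
            continue
        best = None
        for key in range(256):
            cand = bytes(b ^ key for b in raw)
            if not _printable(cand):
                continue
            # Lowercase letters are common in URLs and commands; "://" is a
            # strong signal that we hit the real key rather than a near miss.
            score = sum(0x61 <= b <= 0x7A for b in cand) + (20 if b"://" in cand else 0)
            if best is None or score > best[0]:
                best = (score, key, cand.decode("ascii"))
        if best is not None:
            hits.append((literal, best[1], best[2]))
    return hits


# Constructed sample: a harmless placeholder URL obfuscated the way the
# recovery routine expects (XOR 0x5A, then Base64), embedded in VBA-like text.
PLAIN = "http://example.invalid/stage2.txt"
KEY = 0x5A
_OBF = base64.b64encode(bytes(b ^ KEY for b in PLAIN.encode())).decode()
SAMPLE_MACRO = f'''Sub AutoOpen()
    Dim s As String
    s = "{_OBF}"
    Dim junk As Integer: junk = 42 ' junk code of the kind a builder inserts
    Call Stage(Decode(s))
End Sub
'''

if __name__ == "__main__":
    for literal, key, text in recover_strings(SAMPLE_MACRO):
        print(f"key=0x{key:02x} {literal[:12]}... -> {text}")
```

The scoring is deliberately simple; on real samples, extend it with the strings you expect in that family (the post notes PowerShell is one of the builder's delivery options) and feed the macro text extracted with olevba or a similar tool.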

Write Macro

Finally, the function WriteMacro, writes the content previously configured:

Under construction

We also noticed that the builder contains additional functions that are still under development, as seen in the “Script Generator” tab.

Clicking on it prints a message indicating that the function is still in development.

Additionally, we can see the “Decoy Option” tab which is just a template to create another tab. The tab does not show anything. It seems the author left this tab to create another one.

Rubella Similarities

Dryad is very similar to the Rubella Builder; many hints in the code confirm the conversation we had with Rubella. Unlike Rubella, Dryad had a scrubbed PDB path.

Both Rubella builder and Dryad Builder are using the Bunifu framework for the graphic design.

The license check is also the same function, using the domain tailoredtaboo.com. Below is the license check function from the Rubella builder:

Tailoredtaboo.com Analysis

We analyzed the server used to register the builder and discovered additional samples:

Most of these samples were Word documents generated with the builder.

A quick search into the domain Tailoredtaboo showed that it had several subdomains, including a control panel on a subdomain named cpanel.tailoredtaboo.com.

The cPanel subdomain had the following login screen in the Dutch language.

The domain tailoredtaboo.com has been linked to malicious content in the past. On Twitter the researcher @nullcookies reported in April 2018 that he found some malicious files hosted on the specific domain. In the directory listing of the main domain there were several files also mentioning the name Rubella.

TailoredTaboo.com mentioned on Twitter

Based on all the references, and the way the domain Tailoredtaboo.com was used, we believe that the domain plays a central administrative role for both the Rubella and Dryad Macro Builders and can provide insight into the customers of both.

Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand for this type of infection vector. With the arrest of the suspect comes an end to the era of the Dryad and Rubella Macro Builders. Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he had used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young, talented individuals heading down a dark path.

Indicators of Compromise

URL / Website:

Hash Builder:

Hash related samples:

The post McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect appeared first on McAfee Blogs.

Posted: 16 Jul 2019 | 9:00 pm

HiddenWasp Linux malware backdoor samples

Here are HiddenWasp Linux backdoor samples.

Intezer: HiddenWasp Malware Stings Targeted Linux Systems

Download. Email me if you need the password (see in my profile)

File information

elf shared-lib
64bits elf shared-lib
tar-bundle gzip contains-elf
tar-bundle gzip
64bits elf

Posted: 3 Jun 2019 | 9:31 pm

CyberESI at the 2019 NCSA and NASDAQ Cybersecurity Summit

“Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and NASDAQ Cybersecurity Summit on April 17 in New York City. Security and risk professionals from the Department of Homeland Security and various organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.

Matt Barrett, CyberESI’s chief operating officer, participated in a panel discussion focused on the topic of Reducing Uncertainty and Looking Beyond IT. “When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority,” said Barrett.

Read more at https://www.darkreading.com/risk/tips-for-the-aftermath-of-a-cyberattack/d/d-id/1334460 and https://staysafeonline.org/blog/incident-response-ncsa-nasdaq-cybersecurity-summit/

The post CyberESI at the 2019 NCSA and NASDAQ Cybersecurity Summit appeared first on CyberESI.

Posted: 30 Apr 2019 | 8:27 am

Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. The … Continue reading

Posted: 27 Jun 2018 | 8:14 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am