Quick post today: I want to go over what I noticed over the weekend after reading up on Quantum Insert and the way it infects users with a MOTS (Man-On-The-Side) attack.
On Saturday, I watched a pretty interesting Bro-Con 2015 presentation from Yun Zheng Hu of Fox-IT.com.
In the presentation, Yun details how you can use Bro to detect Quantum Insert activity by looking on the wire at Layer 4 sequence numbers and at Layer 7 HTTP headers. While I am still working on the Layer 4 surveillance, what I saw in the HTTP headers and payloads was pretty interesting. Basically, the “shooter” has to send back a 302 redirect with a Content-Length of zero to avoid a malformed HTTP response. As a thought exercise, I set up an Application Inspection Trigger to look for this behavior. Using the PCAP they provided, we found the following:
First, we set up the inspection trigger on the HTTP_RESPONSE event, looking for a status code of 302 and a Content-Length of zero.
Looking at the PCAP from their website, where they inject a redirect from LinkedIn to Fox-IT.com, you can see the redirect in the results, and we have the ability to report on this type of behavior.
So, as a further thought exercise, I took a look at my “hackrificial” VM that I know has some malware/adware on it and did some browsing. What I noticed was that at least 2/3 of the sites returned a 302 redirect code coupled with a Content-Length of zero. Here are a few examples:
tags.bluekai.com (using a PowerShell (POSH) VirusTotal script):
No Webutation data, but we did note that it had a malicious file observed in December of 2016.
Now, this does not necessarily mean that a 302 with a Content-Length of zero means malware, adware or anything like that, but I think it is worth looking into if you have an ExtraHop Discover appliance. More importantly, what I am trying to point out is how ExtraHop allows you to interact directly with the wire to look for specific scenarios. From here you have the following workflows available:
- Automate a threat intelligence feed that checks these domains and alerts/orchestrates a response to them.
- Track them in our Session table, keep a count of them and report them in one-minute blocks (instead of on each observance) to give you a better idea of your exposure
- Send them to Splunk or to your INFOSEC/CSIRT team
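To make the trigger condition concrete, here is an added example (my own standalone JavaScript, not ExtraHop's trigger code, which runs in its own HTTP_RESPONSE event context with the HTTP object): it parses raw HTTP responses, flags a 302 with Content-Length: 0, and rolls matches up into one-minute blocks per redirect target, as in the Session table workflow above. The sample responses and timestamps are constructed for illustration.

```javascript
// Parse a raw HTTP response head into a status code and a lowercase header map.
function parseResponse(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status, headers };
}

// The Quantum Insert-style signature: 302 redirect with an empty body.
// Returns the redirect target host when it matches, otherwise null.
function emptyRedirectTarget(raw) {
  const { status, headers } = parseResponse(raw);
  if (status !== 302) return null;
  if (headers["content-length"] !== "0") return null;
  const loc = headers["location"] || "";
  try {
    return new URL(loc).host;
  } catch (e) {
    return loc || "(no location)"; // relative or missing Location still counts
  }
}

// Aggregate matches into one-minute buckets keyed by target host, so a burst of
// identical redirects reports as one count rather than one alert per response.
function bucketMatches(events) {
  const buckets = new Map();
  for (const { ts, raw } of events) {
    const host = emptyRedirectTarget(raw);
    if (host === null) continue;
    const key = Math.floor(ts / 60000) + ":" + host;
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}

// Constructed sample responses (ts is epoch milliseconds); two match, two do not.
const SAMPLES = [
  { ts: 1700000000000, raw: "HTTP/1.1 302 Found\r\nLocation: http://www.fox-it.com/\r\nContent-Length: 0\r\n\r\n" },
  { ts: 1700000010000, raw: "HTTP/1.1 302 Found\r\nLocation: http://www.fox-it.com/\r\nContent-Length: 0\r\n\r\n" },
  { ts: 1700000020000, raw: "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello" },
  { ts: 1700000030000, raw: "HTTP/1.1 302 Found\r\nLocation: http://tags.bluekai.com/x\r\nContent-Length: 142\r\n\r\n" },
];

console.log(bucketMatches(SAMPLES)); // one bucket: www.fox-it.com seen twice in the same minute
```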
Other Wire Data Intelligence scenarios:
Banking login failure URI:
- How often does it get hit (thus how often do users fail to log in)
- Geolocation of the IPs that failed to log in (I have a small bank in North Carolina that has ten login failures from China?????)
- Which usernames are consistently failing?
Password Reset/New Cookie Banking Login URI:
- Who was the referrer (has this user been phished?)
- Geolocation of the IP address (is it appropriate?)
- Did the user just log in a few days/hours ago? Why do we see a new cookie after they just recently logged in?
The wire will present you with a deluge of data; what a product like ExtraHop does is allow you to set the conditions you want to observe and thread that intelligence into your security practice.
Thanks for reading!