It’s the criminals, stupid .. well, kind of .. maybe

I think by now everyone out there is aware of the malware outbreak commonly referred to as “#BadRabbit” – in case you aren’t, I’d like to congratulate you on your quiet evening last night, and ask you to read this (or this, for a more detailed technical approach) write-up.

Shortly after the first reports showed up on the Internet I saw attempts (some of them were really cool) at attributing this attack to a certain threat actor, with varying degrees of success or credibility / plausibility, as well as attempts to link #BadRabbit to ongoing APT-campaigns (It utilizes the same functions to handle process hashes as NotPetya, thus it has to be linked to BlackEnergy .. what the fuck, Group IB?).

In the end, the most common version that repeatedly came up in my filter bubble was that the perpetrator behind #BadRabbit was a nation state actor, or someone affiliated to / working for / together with a nation state actor, with the intended goal of taking revenge for the NotPetya-incident back in June, which was attributed to Russia afterwards.

At first glance, this doesn’t sound too implausible. There were some striking similarities to NotPetya (again, at first glance), and a lot of the big targets – news organisations, mainly – were based in Russia .. and in Ukraine, Turkey, Poland, Bulgaria, Japan, Germany and probably some other countries too.

The compromised websites (ab)used for spreading the fake Flash-update weren’t limited to ones with a mostly Russian-speaking audience either. Again, there was everything from Turkish social media aggregating services to a German support service for accommodation bookings. This isn’t exactly what I would call targeted at Russia.

I’ve also seen people argue that the nearly 300$ demanded by the ransomware is far too little to be anything more than a decoy for a wiper, just as we saw with NotPetya, thus further feeding into the revenge-theory.

The first thing that speaks against this statement is that Kaspersky has proven that decryption is possible. There’s no mention of how they achieved that, they haven’t said anything about a flaw in the encryption process; one of the BTC-addresses linked to the ransomware has received a transaction that was roughly the equivalent of the ransom this morning, so maybe they even paid for the key.

Still, admittedly, ~300$ really isn’t much compared to the average ransom demanded throughout 2017:

(Image via Symantec 2017 Internet Security Threat Report)

Besides the fact that lower demands could potentially mean more ‘customers’ would be willing to pay in general, thus netting a bigger profit, you have to keep in mind that the majority of victims stem from countries in Eastern Europe, where the average salary is a lot smaller than in Western Europe. Maybe the criminals simply learned from the mistakes of their fellow blackmailers, who suffered a major failure of their ransomware-campaign in Taiwan earlier this year, because they overestimated the average income in the area.

So the arguments that #BadRabbit can’t be the work of criminals with financial motivations already face legitimate counterpoints on an operational level. What does it look like on a more ‘technical’ level? (I won’t start comparing code snippets, that’s not my domain. I’ll just leave this link, showing that the amount of code the original Petya and #BadRabbit share is exactly 13.3%.)

Since I’m currently recovering from a cold, I only took a quick look at the first thing that jumped at me, the network-details around the initial infection. I’m hoping someone else with more skills, time and energy will do a more thorough analysis of the whole case.

The nameserver for the domain that hosted the faked Flash-update, 1dnscontrol[.]com, seems to be part of a network of nameservers used for .. let’s call them ‘interesting domains’. The whole subnet it’s situated in is on a couple of dozen blacklists.

The IP-address the domain is pointed at, 5.61.37[.]209, belongs to a company named ‘3NT Solutions LLP’ which doesn’t seem to be your average hoster, but rather one with a reputation for a ‘dirty’ network. And indeed, if you look at what other domains are pointed towards this IP-address, you’ll find tons of sites related to forged online pharmacies, phishing and spam.

All we see here is someone re-using existing infrastructure that’s related to malicious activities with financial motivations to spread ransomware that looks somewhat similar to other variants we’ve seen this year – with these obvious connections to domains, hosters and characteristics of cybercrime, it’s clear that this is just a criminal gang using somewhat new tricks to make a quick buck, right?

No, it isn’t. Ignoring the fact that my quick look at things doesn’t even warrant the term ‘analysis’, this could be coincidental, this could be a false flag, it could be a criminal gang, it could be a nation state actor with a political motivation, it could be a mixture of all of these things – we simply don’t know yet, there is no hard evidence and not even enough circumstantial evidence to credibly point fingers at something or someone.

Attribution is one of the hardest things when it comes to security incidents, and while it doesn’t matter that much while the incident is ongoing, it’s one of the first things that we tend to focus on, rather than collecting hard facts on how to stop an attack and/or limit damage. I think we need to get our focus right (again).

Also I’m so not sorry for picking that rabbit as picture for this post. Bad rabbit? More like Bad-ass rabbit!


Show me where the 0-day touched you!

Shortly after the first shock and awe about the effectiveness of this piece of wiper-cloaked-as-ransomware, the usual game of blaming the NSA for hoarding security vulnerabilities – they are an intelligence agency, it’s their job, even if I don’t like it – and fetishization of 0-days started.

Funnily enough, people are also angry at the ShadowBrokers for promising to sell more exploits in the future, ‘shaming’ them for trying to profit off of stolen exploits – completely ignoring the fact that their agenda can’t really be motivated by financial reasons, because otherwise they wouldn’t have burned something like ETERNALBLUE to the public, something worth hundreds of thousands of dollars on the exploit markets. This whole thing isn’t about money. But that’s a completely different story.

When this happened with WannaCrypt, as it had with earlier occurrences of that “theme”, I silently mumbled stuff to myself, but didn’t really voice my disagreement, because I felt that the thought leaders of this planet had done so properly and plentifully. But since we’re, apparently, at exactly the same spot again: Come on guys, this shit again?

0-days are a rare thing, and 0-days aren’t the biggest problem we’ve seen with !Petya. And while the use of almost exclusively legitimate tools for lateral movement (psexec, wmic) instead of self-written code was, in a bad sense, ‘cool’, this wasn’t it either. Yeah, the lack of a killswitch complicated initial containment. Malware using legitimate credentials threatens the effectiveness of snakeoil security appliances, making sales bullshit even harder, yes. That many AV-solutions can be easily foiled by fake certificates is horrible, yes. That there was no employee to blame for clicking on a bad phishing link made it hard for the IT department to cover up any mistakes they made themselves, absolutely.

The real problems were the same things that ’caused’ the success of WannaCrypt. After WannaCrypt, IT departments and security teams world wide were up, running and hyped for approximately two weeks, and it looked like there was an understanding that patch management, disabling outdated network protocols, proper network segmentation and (least privilege) account management were things that should have happened yesterday, or even the decade before that, and needed to be done immediately.

A few weeks later, that urgency seems to have died and it was “back to normal”, and companies and executives were back to the usual game of “what’s the easiest way to become compliant”, while IT departments were back on the hunt for cool stuff. Or, as someone on Twitter put it:

Me: *You should clean up all these old accts on your flat network.* Them: *We should take a class on reverse engineering 0-day exploits.*

(Apologies for not giving credits, I was sent this quote. If anyone has the original link, hit me up!) And I’m reasonably afraid that we’ll see the exact same behavior with !Petya, with even more dangers on the horizon.

This was an attack by (most likely) a nation state actor, somewhat targeted at Ukraine, or companies doing business in or with Ukraine. Yes, the collateral damage through lateral movement in company networks was significant, and even spilled over into the ‘real world’.

But we didn’t see some things WannaCrypt did, such as the random scanning of the Internet for vulnerable systems. We mostly saw it spreading through internal networks and VPNs connecting companies and their suppliers.

So let’s play devil’s advocate for a moment: What would have happened if the same destructive behavior had targeted everyone and everything?

What would have happened, or would happen (pls no), if someone took code similar to !Petya and replaced the wiping component with actual, functioning ransomware? Or, to play the “muh cyber cyber cyberterrorism”-angle that the media loves so much: What if a terrorist group wants to spread (digital) destruction?

If any of the aforementioned had happened, I probably wouldn’t sit here writing this post, I would either still be trying to contain fires or already at home, crying in the shower, after I quit my job.

We shouldn’t be needing another wake-up call, and I’m not convinced we could so ‘easily’ deal with another one. It’s time to do something now.

After shooting my mouth off I want to end this post on a more helpful note, jotting down some standard operational procedures to avoid suffering from similar attacks in the future (You might still get hit, but the impact would be significantly lower!).

I am aware that these tips are only feasible for private persons. Corporate network security isn’t my field of knowledge, I’ll leave that to @swiftonsecurity. And yes, I didn’t call it “best practices”, because following some basic rules of IT operations shouldn’t be considered that, it should be considered “the least you should do”.

  • Updates, updates, updates, .. and hygiene!

Restarting your computer after you’ve done Windows updates is boring, restarting your browser because Flash needs a security fix is annoying, I understand that. But not doing so is potentially putting you in grave danger. I’d rather wait five minutes to watch the next meme compilation on Youtube than get hit by a vulnerability in Windows Defender.

Additionally, do ask yourself: Do you really need Adobe Flash? Do you really need Java? Do you really need all of those semi-useful browser plugins? If you don’t, throw them out! The less software you’ve installed, the smaller is your attack surface.

  • Backups, backups, backups .. and restores!

I can’t stress this enough: one of the most effective remediation tactics for ransomware is proper backups, which means you have also tested that you can actually restore your files from the backup. You regularly do that, .. right?

There is a lot of software that can easily do encrypted, incremental backups to your external hard drive, NAS or cloud storage of choice – on Windows (UrBackup, Arq, Duplicati), Linux (Duplicati, Deja Dup, BackupPC) and OSX (Arq, Time Machine). The times when having backups in place was complicated and expensive are long gone. If there’s only one piece of advice you want to take away from this article, take this one. Please!

Antivirus solutions are an intensely discussed topic in the security community, especially since @taviso started taking a closer look at them. They have greatly matured since the days when McAfee actually belonged to McAfee (Or do they again? I’ve lost track of the developments.), yet in my personal opinion, NoScript has done more to improve client security than a lot of other developments in that realm. If you can somehow, anyhow get yourself to get used to manually unblocking elements, do it. Really, it’s a good thing!

  • Show file extensions in explorer.exe

Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files, especially for your siblings and parents who are prone to clicking on anything. Hitting them with an object of your choice until they remember not to click on .scr or .exe files from unknown sources is optional, but highly recommended. I’m not responsible if you lose access to your inheritance as a consequence of your actions.

Last but not least, two not-so-technical things:

  • Don’t rely on NAT as protection!

It’s amazing that I have to say this, but especially amongst semi-technical people, the myth about NAT saving you lives on. Just because something or somebody can’t directly access your computer doesn’t mean you are safe from harm. Accidentally forgotten and misconfigured port-forwardings and UPnP exist!

  • Don’t follow stupid advice by stupid people on the Internet!

Yes, the irony of this statement in a blog post written by me isn’t lost on me. Please don’t tell me about it too often. There are a lot of guides out there, especially since the release of Windows 10 and the controversy surrounding telemetry gathering, that talk about measures you can take in order to beat ‘Big Brother’.

Those range from “not exactly ideal, but mostly harmless”, such as disabling Google Safe Browsing, to “please don’t do that”, such as blocking access to some of Microsoft’s servers or disabling the “Cloud Protection”-component of Windows Defender, neither of which really does anything good for your privacy, but rather actively decreases the security of your system.

If you disable some of those things to, theoretically, increase your privacy, for yourself, that’s (somewhat) fine. But please don’t do these things on the computers of people you care about that aren’t technically versed, such as parents and spouses. Should you really be worried, use OpenBSD instead.


Nextcloud via httpd on OpenBSD

Using OpenBSD’s httpd for static content has worked well for a while now. No big surprise, given that the typical configuration file for a static website looks something like this:

server "" { 
	alias "" 
	listen on * port 80 
	root "/htdocs/" 

(And yes, I know TLS is missing there. Thanks for pointing it out, friend!) But I always shied away from using it for dynamic content, like – for example – Nextcloud. Luckily for me, I’m moving away from Hetzner anyway, so that was the perfect opportunity to make my first steps toward that direction (that and reading “Relayd and Httpd Mastery” by the ever glorious M.W. Lucas).

I wanted to document my steps, not just for me, but as a potential example for other people, because very few people seem to actually use the combination of OpenBSD, httpd and ownCloud/Nextcloud.

This post assumes that you start from a freshly set-up instance of OpenBSD (6.1 in my case, but newer versions should easily work as well) and will not cover other essential topics for productive systems (backups, monitoring, ..). I also expect your DNS-settings to be correct; at the very least you should have an A-record that points to the machine you are using. As usual, please don’t blindly copy and paste, your mileage may greatly vary – especially since I work as the administrative user all the time throughout this post.

Before we get into the dirty bits (that means adding external software to your shiny, pure OpenBSD-machine) we’ll start by acquiring a TLS-certificate for your domain. Thankfully, OpenBSD supports LetsEncrypt out-of-the-box and comes with acme-client.

Edit /etc/acme-client.conf to represent the domain you want to TLS-ify:

domain somedomain.tld {
        domain key "/etc/ssl/private/private.key"
        domain certificate "/etc/ssl/cert.crt"
        domain full chain certificate "/etc/ssl/certchain.pem"
        sign with letsencrypt
}

To allow domain-verification you need a webserver running. The configuration file for httpd is short and concise:

server "default" {
        listen on * port 80

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2

Technically, this should be failsafe, however you are highly encouraged to get in the habit of running httpd -n after each configuration change. Just to be sure!

After enabling and starting httpd, rcctl enable httpd && rcctl start httpd, running acme-client -ADv somedomain.tld should give you output similar to this:

acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/private/somedomain.tld.key: generated RSA domain key
acme-client: directories
acme-client: DNS:
acme-client: req-auth: somedomain.tld
acme-client: /var/www/acme/0WvH6Qf9rY8zD1EFX4Ra7p6eNkPKW9tKTZIsNtvhOAc: created
acme-client: challenge
acme-client: status
acme-client: certificate
acme-client: full chain
acme-client: DNS:
acme-client: /etc/ssl/somedomain.tld: created
acme-client: /etc/ssl/somedomain.tld.pem: created

as well as a TLS-key and certificate.

Nextcloud is based on PHP and, as such (Act surprised!) needs PHP and a few additional modules. Luckily, they are all available as packages on OpenBSD:

# pkg_add php php-curl php-gd php-mysqli php-pdo_mysql php-zip php-pdo_dblib php-intl bzip2

Note: Make sure that all of the PHP-parts are installed for the same major version, otherwise there will be incompatibilities and seemingly weird errors!

The additional modules we just installed have to be ‘activated’ in order to work. To do that, simply copy their configuration examples:

cp /etc/php-7.0.sample/* /etc/php-7.0/

Depending on your requirements it might make sense to modify /etc/php-7.0.ini. All I did was to increase the maximum size of files that are allowed to be uploaded:

post_max_size = 4096M
upload_max_filesize = 4096M

I also enabled opcache, as per the official recommendations by Nextcloud:

Additionally, it proved necessary to uncomment the following lines in /etc/php-fpm.conf:

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

For more information, consult the manpages for php. All that’s left is rcctl enable php70_fpm && rcctl start php70_fpm.

To get httpd to properly pass requests to our FPM, we have to adjust the configuration “a little bit”. Edit your /etc/httpd.conf so that it looks similar to this:

server "default" {
        listen on * port 80

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2

server "somedomain.tld" {
        listen on * tls port 443
        root "/htdocs/nextcloud/"
        directory index index.php
        tls {
                key "/etc/ssl/private/somedomain.tld.key"
                certificate "/etc/ssl/somedomain.tld.pem"

        # This defines the maximum request size in bytes
        connection max request body 5000000000

        location "/db_structure.xml" { block }
        location "/.ht*"             { block }
        location "/README"           { block }
        location "/data*"            { block }
        location "/config*"          { block }

        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"

As before, check the validity of the config and restart httpd.

Get the latest version of Nextcloud, unpack it and move it to the document root configured in the httpd.conf:

tar -xjf nextcloud-12.0.0.tar.bz2
mv nextcloud/ /var/www/htdocs/
mkdir -p /var/www/htdocs/nextcloud/data
chown -R www:www /var/www/htdocs/nextcloud/*

Last but not least, copy some files to allow your chroot to resolve domain names and access the local time, which is necessary for a number of things (e.g. updates):

mkdir /var/www/etc
cp /etc/{resolv.conf,localtime} /var/www/etc/

Opening your browser and accessing your domain should now give you the possibility to set a username and a password – after that you are up and running with Nextcloud. Congratulat.. wait, wait. Yeah, that’s boring. Booohooo, SQLite!

Using SQLite as database for Nextcloud works, but doesn’t scale well and is discouraged if you want to use the sync-client. So we’ll go for MariaDB instead:

pkg_add mariadb-server

Finalize the installation, enable and start mysqld:

mkdir -p /var/www/var/run/mysql
chown _mysql:_mysql /var/www/var/run/mysql
rcctl enable mysqld
rcctl start mysqld

Once you confirm that mysqld is running as intended, add the following to your /etc/rc.conf.local before creating tables and users, so that the mysql client doesn’t write its command history (including the password from the next step) to disk:

export MYSQL_HISTFILE=/dev/null

Only now add tables and users:

mysql -u root -p
GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud';

If you don’t change the password to something different, I will haunt you in your sleep. Ye be warned! Since, again, everything is chrooted, you’ll have to make sure the socket for MySQL is accessible for the webserver, which can be done by adjusting /etc/my.cnf:

[client]
socket  =     /var/www/var/run/mysql/mysql.sock

[mysqld]
socket  =     /var/www/var/run/mysql/mysql.sock

After (as usual) restarting mysqld and php70_fpm you can fill in your database details in the installation form and enjoy your fresh installation of Nextcloud, based on OpenBSD and httpd, with MariaDB as backend. Enjoy!
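A small pre-flight script for the setup above, as an added example (not code from the post, OpenBSD or Nextcloud): it checks that an httpd.conf still blocks the sensitive Nextcloud paths and sets an upload limit, and that the web chroot contains what PHP needs. The sample configuration it writes is constructed for the demo; the live paths /etc/httpd.conf and /var/www are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for httpd + php-fpm + Nextcloud on OpenBSD.
# Added example, not part of the original post. Assumes the same
# "location ... { block }" lines and /var/www chroot layout as the post.

# Paths httpd must refuse to serve. Everything below "root" is served by
# default and httpd does not read .htaccess, so config/ (config.php holds
# the database password and instance secret) and data/ (user files) would
# otherwise be reachable by anyone who guesses the URL.
REQUIRED_BLOCKS="/data* /config* /.ht* /db_structure.xml /README"

# check_blocks FILE
# Prints every required path that lacks a "location ... { block }" line and
# every missing upload limit; returns 0 only if nothing is missing.
check_blocks() {
    conf="$1"
    missing=0
    for path in $REQUIRED_BLOCKS; do
        # escape glob characters so grep matches them literally
        lit=$(printf '%s' "$path" | sed 's/[.*]/\\&/g')
        pat="location[[:space:]]+\"$lit\"[[:space:]]*[{][[:space:]]*block[[:space:]]*[}]"
        if ! grep -Eq "$pat" "$conf"; then
            echo "$conf: no block rule for $path"
            missing=$((missing + 1))
        fi
    done
    # the post's update: without this line httpd's default caps uploads at 1M
    if ! grep -Eq '^[[:space:]]*connection[[:space:]]+max[[:space:]]+request[[:space:]]+body[[:space:]]+[0-9]+' "$conf"; then
        echo "$conf: no 'connection max request body' line, uploads capped by default"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# check_chroot DIR
# Verifies the files the post copies into the web chroot so that PHP can
# resolve names, read the local time and reach the MariaDB socket.
check_chroot() {
    root="$1"
    rc=0
    for f in etc/resolv.conf etc/localtime; do
        if [ ! -f "$root/$f" ]; then
            echo "$root/$f missing (cp /$f $root/etc/)"
            rc=1
        fi
    done
    if [ ! -d "$root/var/run/mysql" ]; then
        echo "$root/var/run/mysql missing, php-fpm cannot reach mysql.sock"
        rc=1
    elif [ ! -S "$root/var/run/mysql/mysql.sock" ]; then
        # not fatal: mysqld may simply not be running yet
        echo "note: no socket at $root/var/run/mysql/mysql.sock (is mysqld running?)"
    fi
    return $rc
}

# write_sample_conf FILE
# Writes a constructed httpd.conf fragment modelled on the post's server
# block, so the checks can be exercised without touching /etc/httpd.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
server "somedomain.tld" {
        listen on * tls port 443
        root "/htdocs/nextcloud/"
        directory index index.php
        connection max request body 5000000000
        location "/db_structure.xml" { block }
        location "/.ht*"             { block }
        location "/README"           { block }
        location "/data*"            { block }
        location "/config*"          { block }
        location "/*.php*" {
                fastcgi socket "/run/php-fpm.sock"
        }
}
EOF
}

# Usage on a live box: sh preflight.sh /etc/httpd.conf /var/www
main() {
    check_blocks "$1" && check_chroot "$2" && echo "preflight OK"
}
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```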

Initially I wanted to add a caching system, because it will “significantly boost performance” for the few files I have, which are only accessed by me. Shut up, it’s a necessary addition! Unfortunately, the package for connecting to the intended cache, Redis (pecl-redis), isn’t available yet for PHP 7, so I might expand this post at a later date.

Known quirks / problems:

  • Nextcloud will tell you the following: “/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our documentation.” – obviously, since Nextcloud is running in a chroot, it (or rather, PHP) can’t access /dev/urandom. Theoretically, you could use mknod to create it, but that’s probably not the ideal solution – there has been some discussion about it on the mailing lists a few years back.

Update, 20.06.2017: When I wrote this up, I didn’t properly test it and thus missed a default configuration that would have limited the size of uploaded files to <=1MB. I fixed that in the above httpd.conf and added an additional PHP-module, php-intl, to get rid of a lot of deprecation warnings that messed up the Nextcloud-logs.

Update, 29.06.2017: This blog post made its way to /r/openbsd on Reddit, with one user pointing out that the error I’m seeing in reference to /dev/urandom is most likely a bug.


You are doing well, fam.

When I got the job I now work in, I hadn’t even finished my education yet. I did not possess any relevant experience working in information security. Yes, I had several years at a medium-sized ISP under my belt, but I was a total rookie, even in that regard. So I was nervous when I first met my potential future coworkers, I was nervous when I met them the second time, I was nervous when I started working together with them, and I’m still occasionally nervous more than three and a half years later.

Some of my coworkers have been on the Internet longer than I’ve been on this planet, and on average they’ve been at my company nearly a decade longer than I have. Which, in information security, is the equivalent of a hundred years; they are professionals in every sense.

I’m lucky that the same thing applies to the people I hang out with online. They are talented and good at what they do. Hell, they even have potential to be thought leaders (Sorry, you knew I would never let you live your success down!). I’m constantly surrounded by people I can, in a sense, look up to and learn from – which is awesome on one hand, but was, and to some extent, still is, a source of constant anxiety for me, because I always compare myself to them.

That inexplicably led to me feeling unworthy, because my English is obviously horrible (compared to native speakers), I am completely incompetent as a systems administrator (compared to people who’ve been doing it professionally for god knows how long) and I have absolutely no clue about information security (because I didn’t discover APT1 myself).

I expected people to find out about my own incompetence any minute now, which would result in me finally being given the work I deserve and should have been doing from the beginning. Like making coffee or preparing sandwiches. But let’s be fair, I obviously would suck horribly at that, too.

I was, more often than not, convinced that I had fully embraced the “Dunning-Kruger”-effect, that I was merely an impostor, in no way belonging in the position where I’m currently at, that I was a worthless human being compared to everyone else out there.

The funny thing is that there is plenty of evidence that should have convinced me that everything is actually fine. I’ve spoken at the biggest security conference in my country, and even if I would argue that I only was there as a co-speaker, there were numerous other talks that I’ve given on my own, on topics I had researched myself.

There was this one time where I beat an assembly of various European teams during a cyber exercise (I really hate this term.) in 2014, and the other time when I did the same thing together with coworkers this year.

As I found out over time, I’m not the only one who experiences these feelings. Apparently, there’s even a name for the way I feel, the so-called impostor syndrome:

Impostor syndrome (also known as impostor phenomenon or fraud syndrome) is a concept describing high-achieving individuals who are marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a “fraud”.

I’m not a high-achieving individual, I’m a regular guy. But holy shit, that struck a note! It was only after reading more about this, after talking to people about it, and after I gave some thought to it that I realized how the very same way of thinking had slowly crept into my personal life as well.

My father is the only carpenter in the family, I am the only person with an IT-job in the family, which means that we get the same amount of attention when problems related to our profession pop up – people, obviously, turn to me when they are looking for help with computer problems.

I’ve recovered university papers deleted by accident, battled financial trojans, replaced defective hard drives and supervised operating system upgrades. But whenever I got thanked for that and complimented upon it, my reactions were similar to these phrases:

  • “Ah, it was nothing!”
  • “No worries, you could have fixed it yourself, I just got lucky!”
  • “I’m sorry it took so long!”

Trying to deflect blame is a natural (I’m not a biologist.) reflex, but deflecting and dodging compliments and praise is quite the opposite, it’s actively harmful. But even when I’m not ‘depending’ on praise by other people, when I’m accomplishing things on my own for my own sake, my way of thinking seems to be the same.

I work out on a regular basis; a normal week sees me at the boxing gym five times, and that doesn’t include the occasional weightlifting session on weekends. I enjoy it and take it seriously, it’s an outlet to deal with stress and has greatly improved my overall health.

Yet after each training session I felt worthless, no matter how well it went – because my brain thought it was appropriate and a good idea to compare my performance to a professional fighter, who trains more than ten times a week and has been doing so for the past decade. Excellent idea, brain!

Once I realized that I had fully embraced that thought pattern, I tried to find a way out of it, tried to do things to get a ‘normal’ perspective again, such as:

  • Not comparing myself to other persons so much. I’m not better or worse, they aren’t better or worse – we are different
  • Remembering that being wrong about something doesn’t mean that I’m faking, and that asking questions doesn’t mean that either
  • Moving away from self-sabotaging back to ‘good’ humility, not thinking less of me, but thinking less about me
  • Talking to people when I’m having my doubts, accepting feedback and expecting it to be truth rather than words out of kindness

I specifically used the phrase “tried (or try) to do”, because I don’t always succeed in doing so. Speaking of trying: I’m not trying to make you feel pity for me, and this isn’t an attempt to self-diagnose one thing or the other, I’m fine mentally.

Everyone has bad days, and for me that means staring at my list of things I want to or need to get done, silently judging myself for not working around the clock in order to get the number of items on it to zero. Managing to ignore my self-judgemental-me is hard during these days. But worth it.

The important message I am trying to bring across is: It’s a lot easier to look at one’s own shortcomings and mistakes, so easy that we tend to forget the things we accomplish. Whenever you are having self-doubts, take a (mental) step back, and look at what you’ve been doing lately, how you’ve – personally and professionally – grown throughout the last year or two.

Acknowledge your successes, even if you feel that there is space for improvement. That room will always be there. You are doing well, fam.
