New Year, New Analyzers

Dear fellow incident handlers and cybercrime fighters around the world, the galaxy, the known and the unknown universe, first and foremost, all TheHive Project’s team would like to wish a wonderful new year 2019 to you and to your cherished relatives. We truly hope that eagles, pandas, kittens, babars, bears and all sorts of animals will stay out of the way. And remember that you don’t need to go bankrupt by purchasing so-called Next Gen™ magical solutions that work only when there’s a full moon and the page number of the book you are currently reading is 42 to investigate threats 😉

We would like to begin the year by introducing version 1.15.0 of Cortex analyzers, bringing the total number of analyzers to a whopping 113! Thanks to Kyle Parrish, this release also improves the Mailer responder so that you can specify a custom port number for your SMTP server, and it adds a new responder that blacklists observables on Cisco Umbrella using the Enforcement API. Once the block has been submitted, the Cisco Umbrella Blacklister responder adds the tag Umbrella:blocked to the observable.

Cortex-Analyzers 1.15.0 also includes fixes and enhancements for Eml_Parser, IBM X-Force, Fortiguard, and Shodan. Most of these modifications were contributed by our continuously growing user community. Thanks to all of those who help us in our mission to provide free and open source security incident response tools to the masses!

Please read the relevant sections in the Cortex installation guide to install or update your analyzers and responders in order to benefit from all this sweet & tasty honey.

New Analyzers

The following analyzers have been added:

Cyberprotect

This analyzer lets you query the Cyberprotect ThreatScore service for domains and IP addresses. No configuration is needed and it can be used out of the box.

TheHive displays the analyzer results as follows:

Have I Been Pwned

The HIBP_Query analyzer lets you check email addresses on Have I Been Pwned. You can use an optional parameter to include unverified breaches in the search results. Otherwise, it can be used without any additional configuration.

When called from TheHive, results would display as such:

PatrOwl

As its name states, the Patrowl_GetReport analyzer lets you retrieve the current PatrOwl report for an FQDN, a domain name or an IP address. You need a running PatrOwl instance, or access to one, to use the analyzer.

If you fire it from TheHive, it would display results as follows:

SecurityTrails

This analyzer comes in two flavors, one retrieving Whois data and the other Passive DNS details from SecurityTrails. To use either flavor, you will need an account for the service in order to retrieve the associated API key, which you must then configure in the analyzers.

SecurityTrails_Passive_DNS displays results in TheHive as follows:

The Whois variant produces reports such as:

Cisco Umbrella

In addition to Cisco Umbrella Investigate, you can now query the Umbrella Reporting API for recent DNS queries and their status for a domain name using the new Umbrella_Report analyzer.

New Shodan Flavors

In addition to Shodan_Host and Shodan_Search, which allow you to obtain Shodan information on a host and the search results for a domain name, now you can get domain resolutions (Shodan_DNSResolve), obtain scan history results for an IP address (Shodan_Host_History), get information on a domain (Shodan_InfoDomain) and the reverse DNS resolutions for an IP address (Shodan_ReverseDNS).

DomainTools

The following DomainTools flavors were added to this release:

  • DomainTools_HostingHistory: get a list of historical registrant, name servers and IP addresses for a domain.
  • DomainTools_ReverseIPWhois: get a list of IP addresses which share the same registrant information. It accepts an email address, an IP address or a domain.

Moreover, please note that DomainTools_WhoisLookup now handles IP addresses in addition to domains and provides parsed results. DomainTools_WhoisLookup_IP is thus not needed anymore. Instead, DomainTools_WhoisLookupUnparsed has been added to do the same as DomainTools_WhoisLookup, except that the output results are unparsed.

Privilege Escalation Vulnerability in All Versions of TheHive

Jeffrey Everling has identified a nasty privilege escalation vulnerability in all versions of TheHive, including Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2). Jeffrey reported it to us today Friday, Dec 22, 2017. Thanks but we could think of a better Christmas gift 😉

The vulnerability allows users with read-only or read/write access to escalate their privileges and become administrators. The only prerequisite for exploitation is an account on TheHive with read-only or read/write privileges.

The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.

We highly recommend you update TheHive to Cerana 0.3 (TheHive 3.0.3) which fixes the vulnerability. If you are still using Mellifera and have not made the move to Cerana yet, please update to Mellifera 13.3 (TheHive 2.13.3) which also corrects this flaw.

If you cannot immediately apply the hotfixes we have released, we have created a shell script that will allow you to spot anyone who exploited the vulnerability. You can download the script from the following location:

https://drive.google.com/file/d/1F8VOUMLoCVnIdHjnbhMTzf_9Z2Ud_Vuw/view?usp=sharing

The SHA256 hash of the script is:

18c74f921b92cc68ea7bc10c7522691d671074331191fe22269cc936bfdb0e9a

When you run the script, it displays all users whose roles have changed. If a single match is found, your instance has potentially been compromised. We advise you to create a cron job that executes the script on a regular basis until you apply the hotfixes.
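To illustrate the kind of check the published script performs, here is an added example, written for this page and not TheHive Project's script, that sweeps TheHive-style audit records for accounts whose roles changed, and singles out the accounts that changed their own roles to a privileged one. The record shape (createdBy, operation, objectType, objectId, details.roles) is an assumption modelled on TheHive 3 audit documents, and the sample log is constructed for the example; verify the field names against your own Elasticsearch index before relying on it.

```python
"""Spot self-granted privilege escalation in TheHive-style audit records.

Added example, not the script TheHive Project published. It assumes audit
entries shaped like TheHive 3's `audit` documents (createdBy, operation,
objectType, objectId, details); check the field names against your own
instance before relying on it.
"""
import json
from typing import Dict, Iterable, List

# Roles that grant control over other accounts. "admin" is TheHive's built-in
# administrator role; extend this set if you use custom roles (assumption).
PRIVILEGED_ROLES = {"admin"}

# Constructed sample audit log (JSON lines), not data from a real instance.
# alice upgrades her own account from "read" to "admin"; bob's role change is
# made by an administrator, and bob later edits only his display name.
SAMPLE_AUDIT_LOG = """\
{"createdAt": 1513940400000, "createdBy": "admin", "operation": "Creation", "objectType": "user", "objectId": "alice", "details": {"login": "alice", "roles": ["read"]}}
{"createdAt": 1513940500000, "createdBy": "alice", "operation": "Update", "objectType": "case", "objectId": "AVx1", "details": {"title": "Phishing campaign"}}
{"createdAt": 1513940600000, "createdBy": "alice", "operation": "Update", "objectType": "user", "objectId": "alice", "details": {"roles": ["read", "write", "admin"]}}
{"createdAt": 1513940700000, "createdBy": "admin", "operation": "Update", "objectType": "user", "objectId": "bob", "details": {"roles": ["read", "write"]}}
{"createdAt": 1513940800000, "createdBy": "bob", "operation": "Update", "objectType": "user", "objectId": "bob", "details": {"name": "Bob B."}}
"""


def parse_audit(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines audit output, skipping blank and malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line must not abort the sweep
    return records


def find_role_changes(records: Iterable[Dict]) -> List[Dict]:
    """Return every update of a user object whose changed fields include roles.

    This is what the published script reports: users whose roles changed,
    regardless of who changed them.
    """
    return [
        r for r in records
        if r.get("objectType") == "user"
        and r.get("operation") == "Update"
        and "roles" in (r.get("details") or {})
    ]


def find_self_escalations(records: Iterable[Dict]) -> List[Dict]:
    """Return role changes an account applied to itself that end in a privileged role.

    An administrator normally edits other accounts; an account granting
    itself "admin" is the signature of the flaw described above.
    """
    hits = []
    for r in find_role_changes(records):
        new_roles = set(r["details"].get("roles") or [])
        if r.get("createdBy") == r.get("objectId") and new_roles & PRIVILEGED_ROLES:
            hits.append(r)
    return hits


def describe(record: Dict) -> str:
    """One-line summary suitable for the mail output of a cron job."""
    return "{createdAt} {createdBy} set roles of {objectId} to {roles}".format(
        createdAt=record.get("createdAt"),
        createdBy=record.get("createdBy"),
        objectId=record.get("objectId"),
        roles=",".join(record["details"].get("roles") or []),
    )


if __name__ == "__main__":
    audit = parse_audit(SAMPLE_AUDIT_LOG.splitlines())
    for hit in find_self_escalations(audit):
        print("POSSIBLE COMPROMISE:", describe(hit))
```

Feed it the audit documents exported from your index (one JSON object per line) instead of the constructed sample; any hit from find_self_escalations is an account to lock and investigate, while the broader find_role_changes output is what you would review by hand, exactly as the published script asks you to.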

To Upgrade to Cerana 0.3 (TheHive 3.0.3)

Start by following the migration guide.

If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.

To Upgrade to Mellifera 13.3 (TheHive 2.13.3)

DEB Package

wget https://dl.bintray.com/cert-bdf/debian/TheHive_2.13.3-1_all.deb
dpkg -i TheHive_2.13.3-1_all.deb

The SHA256 hash of the DEB package is:

68c606fb9cbd56f63ba1f2d29c7f7652f4848c7783a6da574532bed0c963829b

RPM Package

wget https://dl.bintray.com/cert-bdf/rpm/thehive-2.13.3-1.noarch.rpm
rpm -Uvh thehive-2.13.3-1.noarch.rpm

The SHA256 hash of the RPM package is:

e566418bf861b2bf28842cf92f5c5d475c98fee1a3ae0d65e3990fd061a0bce0

Docker

docker run certbdf/thehive:2.13.3-1

Binary Package

wget https://dl.bintray.com/cert-bdf/thehive/thehive-2.13.3.zip

The SHA256 hash of the binary package is:

54c589f929744096b50d01264b9d4cc8b9e3d30d397fe810879b4d16b81287c1

Unzip the file in the folder of your choosing.
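The hashes published above are only useful if you actually compare them before installing. The following added example (not TheHive Project's own instructions) wraps the download-and-check step so that a package whose digest does not match the published value is deleted instead of installed; the same function works for the detection script linked above. The helper names are our own.

```sh
#!/bin/sh
# Added example, not TheHive Project's own instructions: verify a downloaded
# package against its published SHA256 before installing it.
set -eu

# sha256_of FILE: print the lowercase hex digest, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 if the digest matches, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED: download, verify, and keep the file only if
# the digest matches; a mismatched download is removed so it cannot be
# installed by accident later.
fetch_and_verify() {
    url=$1
    expected=$2
    file=${url##*/}
    wget -q -O "$file" "$url"
    if ! verify_sha256 "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
}

# Usage for the Mellifera 13.3 DEB package, with the hash published above:
# fetch_and_verify https://dl.bintray.com/cert-bdf/debian/TheHive_2.13.3-1_all.deb \
#     68c606fb9cbd56f63ba1f2d29c7f7652f4848c7783a6da574532bed0c963829b \
#   && sudo dpkg -i TheHive_2.13.3-1_all.deb
```

Chaining the install with && means dpkg, rpm or unzip only runs when the comparison succeeded; run the same check on the detection script against its published hash before executing it.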

Support

Something does not work as expected? Having trouble installing or upgrading? No worries: please join our user forum, contact us on Gitter, or send us an email at support@thehive-project.org. We are here to help.