Thoughts From The Nest

Threat Report Friday December 14th 2018

Paul Scott on December 14, 2018

There has been a lot of interesting development over the last week, so let’s roll through it. In response to world events, nation-states are being implicated in hacking each other. Microsoft and Adobe released critical patches to cover code execution vulnerabilities. Malware authors are increasingly targeting Mac OS X. And, an APT takes aim at academics.

After poisoning ex-spies, Russian government hit with Poison Needles

Adobe has now released a patch for CVE-2018-15982 that was recently used in compromising a Russian medical facility. 360 Core Security researchers disclosed findings related to a security incident from late November 2018 involving the FSBI Polyclinic No.2.

The attacker used spear-phishing with an attached doc that appeared as an in-depth employee questionnaire to exploit a recent flash 0-day (CVE-2018-15982), and deploy a customized trojan with the ability to detect when it has been caught and self-destruct. The primary function of this trojan seems to be maintaining persistence, avoiding detection, and exfiltrating data to an IP in Romania. Researchers named the attack as “Operation Poison Needles” as the target was a medical institution; but I think the name might be fitting for other reasons. The attacker launched the trojan from a compressed package. The PE payload backup.exe masqueraded as an NVIDIA control panel application with detailed file descriptions and version numbers.  

Some commentators believe that this was in response to the Kerch Strait incident which occurred on November 25, 2018. I believe this is a response to Russian activity, but not the Kerch Straight incident. What relevance does an attack on a Russian health organization have in response to a military aggressiveness? I believe this may be a response related to the UK poisoning plot targeting former Russian agent Sergei Skripal. This customized trojan and spear-phishing seem to be an information grab. The FSBI Polyclinic 2 could be the facility that created or stored the Novichok nerve agent used in the poisoning plot. Poison Needles may have been an operation to find evidence related to that attack.

Samples of the customized Trojan were first uploaded to virus total on November 29. The Kerch Straight incident occurred on November 25. If this were a response to any incident, then it was likely a failure. If I were a nation-state hack team, I’d like to get more use out of custom malware and an Adobe 0-day than four days. Although, four days is plenty to completely compromise a network. So, maybe they got what they were looking for. Either way, I feel the response is not relevant to the Kerch Straight incident and so it must be related to something else… or maybe nothing at all. Perhaps the timing was meant to provide false attribution to Ukraine.  

Hashes:

- 2abb76d71fb1b43173589f56e461011b  
- 92b1c50c3ddf8289e85cbb7f8eead077
- 1cbc626abbe10a4fae6abf0f405c35e2

More details about:

• 92b1c50c3ddf8289e85cbb7f8eead077
  
• 1cbc626abbe10a4fae6abf0f405c35e2
  
  

IP:

- 188.241.58.68

Windows patch Tuesday - December

Adobe isn’t the only software company releasing some serious patches. This week we’ve got another critical patch, Tuesday from Microsoft. The patch includes a fix for the Win32k Privilege Escalation Vulnerability (CVE-2018-8611) which allows attackers to exploit the Windows Kernel to run arbitrary code to install programs, modify data, or create accounts. The fix also covers a Heap Overflow remote code execution (RCE) that’s being actively exploited in Windows DNS Server when it failed to properly handle a specially crafted request. Attackers can exploit this vulnerability to run arbitrary code in the context of the Local System Account.

OSX.DarthMiner brings MAC OSX to the Darkside

Some malware writing Sith Lords are force pulling Macs into a crypto mining botnet with malware dubbed OSX.DarthMiner. In a recent report from malwarebytes, researchers profiled the Mac malware and found that it was combining EmPyre for a backdoor with XMRig for crypto mining. Although this malware seems focused on mining it does have the ability to execute commands specified by a remote user through EmPyre. DarthMiner is likely stealing passwords and other such sensitive information.  

The malware is being distributed through a fake version of a popular Adobe pirating tool Adobe Zii.

And they say the Empire did nothing wrong.

Hash:

- ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

More details about:

• ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e
  
  

Academia threatened with STOLEN PENCIL

ASERT researchers from Arbor Networks have disclosed their findings on STOLEN PENCIL, an APT campaign targeting academic institutions. Active since at least May 2018, researchers have not attributed the campaign to any one actor, however, they identify the activity as “possibly originating from DPRK (North Korea).” Attackers appear interested in collecting credentials.  

Targets are sent spear-phishing emails that lead to a website displaying a lure and are prompted to install a malicious Google Chrome extension. Many targets are specialized in biomedical engineering, suggesting a possible motivation. Researchers state that poor operational security led to users finding open Web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean. The attackers use built-in Windows admin tools and commercial off the shelf software to “live off the land.”  

Post-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such as process memory, Web browsers, network sniffing, and keyloggers. Researchers state that they have not yet discovered evidence of data theft. The following indicators of compromise were released with ASERT’s findings.

Hashes:

- 9d1e11bb4ec34e82e09b4401cd37cf71
- 8b8a2b271ded23c40918f0a2c410571d
- 2ec54216e79120ba9d6ed2640948ce43
- 6a127b94417e224a237c25d0155e95d6
- fd14c377bf19ed5603b761754c388d72
- 1d6ce0778cabecea9ac6b985435b268b
- ab4a0b24f706e736af6052da540351d8
- f082f689394ac71764bca90558b52c4e
- ecda8838823680a0dfc9295bdc2e31fa
- 1cdb3f1da5c45ac94257dbf306b53157
- 2d8c16c1b00e565f3b99ff808287983e
- 5b32288e93c344ad5509e76967ce2b18
- 4e0696d83fa1b0804f95b94fc7c5ec0b
- af84eb2462e0b47d9595c21cf0e623a5
- 75dd30fd0c5cf23d4275576b43bbab2c
- 98de4176903c07b13dfa4849ec88686a
- 09fabdc9aca558bb4ecf2219bb440d98
- 1bd173ee743b49cee0d5f89991fc7b91
- e5e8f74011167da1bf3247dae16ee605
- 0569606a0a57457872b54895cf642143
- 52dbd041692e57790a4f976377adeade

Domains:

- bizsonet.ayar[.]biz
- bizsonet[.]com
- client-message[.]com
- client-screenfonts[.]com
- *.coreytrevathan[.]com (possibly compromised legitimate site)
- docsdriver[.]com
- grsvps[.]com
- *.gworldtech[.]com (possibly compromised legitimate site)
- itservicedesk[.]org
- pqexport[.]com
- scaurri[.]com
- secozco[.]com
- sharedriver[.]pw
- sharedriver[.]us
- tempdomain8899[.]com
- world-paper[.]net
- zwfaxi[.]com

IP Addresses:

- 107.175.130.191
- 172.81.132.211
- 173.248.170.149
- 5.196.169.223
- 104.148.109.48
- 74.208.247.127
- 132.148.240.198
- 134.73.90.114
- 92.222.212.0

Threat Report Thursday December 6th 2018

Paul Scott on December 6, 2018

This week we’re covering a developing story around a Kubernetes vulnerability that is still shrouded in mystery, a string of high-profile data breaches, and following up on the mobile spyware topic from last week.

You Never Forget Your First Hack

You’ve been hacked. How did this happen? You learn a lot from responding to security incidents and Kubernetes is learning some of those lessons now, the hard way. Red Hat security researchers have recently discovered Kubernetes’ first major security flaw, CVE-2018-1002105, a privilege escalation vulnerability that targets Kubernetes-based services and products.

Red Hat disclosed the flaw to Kubernetes after they detected an exploitation attempt to the Kubernetes API server’s Transport Layer Security (TLS) credentials. Red Hat also noticed that the vulnerability makes it possible for any user to gain full administrative access on any machine running with the Kubernetes platform. Researchers have detected active attacks using this vulnerability. However, it is unclear at present how this vulnerability is being delivered because the de-auth requests are made over an established connection and do not appear in Kubernetes API server audit logs.

The affected versions are Kubernetes v1.0.x through v1.9.x. Users and organizations were advised to update to one of the following patched versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. No indicators of compromise were released with Red Hat’s findings; however, they have published an in-depth technical report.

Big Data Score in High-Profile Data Heist

We’ve seen a burst of high-profile data drops recently. Data from over 600 million users was recently compromised in just three breaches. The Nation Republican Congressional Committee (NRCC), Quora, and Marriot have all recently disclosed breaches. Each of these breaches can teach us different lessons related to merger and acquisition security, the benefits of security monitoring, and encrypting data at rest.

Although there was a low number of user accounts compromised in the NRCC hack, it only takes one compromised user to have a data breach. NRCC was notified about the breach through a managed security service provider (MSSP). The NRCC then reported the breach to Crowdstrike, one of their security vendors. It’s good that the NRCC had security monitoring. This breach could have lasted for more than the “several months” that attackers reportedly maintained access to compromised accounts.

If this were a hacktivist group, we would expect to see a data dump. If this were a profiteer, we would expect to see a ransom. Neither of these scenarios has occurred. That gives us good reason to believe that the threat actors are not motivated by money or protest. Allow me to be speculative. The threat actors are likely after the intelligence. With enough private communications between Republican politicians, they could gain the leverage needed to ease sanctions related to ongoing Crimea occupation and DNC email hack. During this time, we have seen exactly this occur as House Republicans cool on Russian sanctions.

Quora recently lost user information related to 100 million users. Although the information was not particularly sensitive information, it did include email addresses and hashed passwords. There was no indication if the passwords were salted. And there was no mention of a salt being used in the password hashes. Millions of these hashes have likely been cracked. We’ve already heard private reports about this data being leveraged to attempt to access email accounts. If you’ve ever used Quora with a common password, you should reset that password wherever you have used it.

On Friday, November 30, 2018, Marriott Hotels publicly disclosed a breach impacting the network of their subsidiary, Starwood Hotels and Resorts. This shows the danger of mergers and acquisitions. When you buy another company their security problems become your security problems. Amazon saw this with Twitch, and Marriott is now seeing it with the Starwood acquisition. The official statement emphasizes that the Marriott network was not involved, as the investigation only identified unauthorized access to Starwood’s network.

According to the investigation, the intrusion occurred on or before September 10, 2018, and targeted guest information from reservations. Marriott estimates that the activity affected 500 million guests. Compromised data included a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, reservation dates, and other data points. Marriott also stated that an unknown amount of payment card numbers and payment card expiration dates were accessed with other customer data. It is not clear if the accessed data was successfully exfiltrated by attackers, so we should assume that it definitely was.

Marriott states during their investigation, there had been unauthorized access to the Starwood network since 2014. The investigation was partially alerted to the activity due to the actors copying and encrypting data from the Starwood Guest Reservation Database. Marriott was able to decrypt the data and determined it was from guest reservations on or close to September 10, 2018. It is unclear if the data was encrypted to help with exfiltration or to destroy evidence of the intrusion. However, the steps taken by the actor to hide the stolen data, or potentially destroy it, show their interest in the sensitive personally identifiable information and ensuring a delayed discovery that such information had been compromised. Speaking of stealthy backdoors, ESET published follow-on research from Operation Windigo related to the use of stealthy SSH backdoors to maintain persistence on compromised hosts. We looked at some of the published indicators and searched for them in Perchybana. No indicators were observed in the last 30 days that match this threat. If you’re a Perch customer, you’re in the clear.

11 Critical Android Vulnerabilities Patched Amid Pegasus Abuse Claims

Google recently patched 11 critical code execution vulnerabilities in Android. Nine were tied to escalation-of-privilege (EoP) bugs. One of the few EoP bugs (CVE-2018-10840) that linked to an external description revealed the flaw was tied to the Android Kernel component (ext4 filesystem). Forty-two high criticality vulnerabilities were also patched. The timing couldn’t be better for Journalists using android. There has been a lot of talk recently about NSO Pegasus mobile spyware abuse. NSO Pegasus spyware is only sold to government organizations and should only be used against criminals and terrorists, yet it has been increasingly used to target journalist cellphones. NSO Pegasus spyware was found on Abdulaziz’s phone. The installation has been linked to the Saudi government and he believes it has something to do with the murder of U.S. journalist Khashoggi.

On Sunday, Abdulaziz’s lawyers filed a lawsuit in Tel Aviv alleging NSO broke international law by knowingly allowing its spyware to be used to infringe upon human rights. “NSO should be held accountable in order to protect the lives of political dissidents, journalists, and human rights activists,” said Abdulaziz’ lawyer, Alaa Mahajna, speaking to CNN.

“The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdelaziz told CNN. “The guilt is killing me.”

The lawsuit claims that in the months before the killing, the royal court had access to Mr. Khashoggi’s communications about opposition projects with Mr. Abdulaziz because of the spyware on Mr. Abdulaziz’s phone.

Threat Report Friday November 30th 2018

Paul Scott on November 30, 2018

Welcome back. I don’t know if you celebrated the largely known U.S. holiday of Thanksgiving, but I did; and I’m grateful I had the week off. We’ve been keeping our ear to the ground. This week we want to tell you about an Emotet malspam campaign that cashed in on Black Friday, an indictment announced for the authors/distributors of SamSam ransomware, and a serious threat to journalists in Mexico.

Emotet Cashes in on Black Friday

You weren’t the only one shopping on Black Friday. ESET researchers found evidence of a large Emotet campaign occurring on Black Friday. Like prior campaigns, Emotet was distributed via spam. In this campaign, the attachments and links are to XML files with .doc extensions instead of DOC or PDF files.

Emotet is known to distribute various banking malware families known for stealing passwords, credit card details, and access to crypto-currency wallets. The United States is one of the top five targeted countries, while the UK and South Africa are in the top ten. Since this campaign was focused on Black Friday, it’s safe to say it was targeting U.S. shoppers getting ready to check their bank balance and do some online shopping.

• https://www.welivesecurity.com/2018/11/23/black-friday-special-emotet-filling-inboxes-infected-xml-macros/
  
  

Catch me if you SamSam

The chase is on for two Iranian nationals charged by a U.S. federal grand jury, following a 34-month long international computer hacking and extortion scheme. Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27) face a total of six counts alleging that they authored and deployed SamSam ransomware to more than 200 victims, including hospitals, municipalities, and public institutions. The counts are as follows: one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

In the Department of Justice Indictment, two individuals, Exchanger 1 and Exchanger 2, are labeled in the Relevant Individuals and Entities section. In a U.S. Department of Treasury press release also published on November 28, 2018, Ali Khorashadizadeh and Mohammad Ghorbaniyan, are named as the financial facilitators in a malicious campaign involving SamSam ransomware. The press release states that they, helped exchange digital currency (Bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors.

According to the indictment, beginning in December 2015, the offenders reportedly accessed victim computers without authorization through security vulnerabilities. They then installed and executed SamSam, resulting in the unauthorized encryption of data on the victims’ computers. A Bitcoin ransom was demanded in exchange for decryption keys for the encrypted data. Collecting ransom payments from victim entities that paid the ransom and exchanging the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchanges. The indictment alleges that the pair earned over $6 million USD in ransom payments to date and caused over $30 million USD in losses to victims.

• https://home.treasury.gov/news/press-releases/sm556
  
• https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public
  
  

Journalists Targeted with Mobile Malware After Cartel Journalist Gunned Down

Journalists in Mexico have faced some very real threats recently, and they can add nation-state level mobile spyware to the list. Somehow, peers of a journalist likely killed by a cartel, are being targeted with nation-state level mobile malware. Something strange is going on here.

Citizen Lab published the seventh report in a series detailing abuse of NSO Group Pegasus Spyware. Citizen Lab and partners have identified a total of 24 cases of abusive targeting by Mexico-linked NSO Group customers. Infection attempts are located in Canada, Mexico, the UAE, the United Kingdom, and the United States.

Pegasus is a sophisticated tool for spying on mobile phones and is exclusively sold to governments for the purposes of fighting terror and investigating crime. According to NSO Group, in the past two years, Pegasus had been used by repressive governments to spy on human rights defenders, journalists, and others who they deem as threats to their power.

In Citizen Lab’s most recent findings, they disclose an attack that occurred in May 2017. Journalist Javier Valdez Cárdenas was gunned down near his office. Shortly after the murder, Cárdenas’ colleagues, Andrés Villarreal and Ismael Bojórquez received suspicious messages saying, Cárdenas’ killers had been identified. The messages contained a malicious link that, once clicked, downloaded NSO spyware onto their mobile devices. Users and organizations should exercise caution when viewing messages from foreign or unknown senders. The malicious URLs are contained within the report.

• https://citizenlab.ca/2018/11/mexican-journalists-investigating-cartels-targeted-nso-spyware-following-assassination-colleague/
  

Threat Report Thursday November 15th 2018

Paul Scott on November 15, 2018

Holy moly, it’s the weekly threat report. This is your gentle reminder to patch all the things. That’s the theme for this week, vulnerabilities that need patching and a sprinkle of attack tools.

Microsoft Patch Tuesday

In past reports, we’ve discussed pending 0-days for Edge and Windows; and it looks like some similarly critical vulnerabilities are being patched this week. This Tuesday’s Microsoft patch covered a pair of 0-day vulnerabilities, ten other critical items, and around 50+ other issues. Let’s review a few of those.

One of the vulnerabilities being actively exploited in the wild is a Win32k privilege escalation. CVE-2018-8589 has been found in the wild on Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems. However, an attacker needs to be authenticated to the system to exploit the vulnerability and gain full control. Another critical patch was for CVE-2018-8584, which was disclosed in October and impacts Windows 10, Windows Server 2016, and Windows Server 2019. When exploited it allows unauthorized users to access and delete files on systems that are normally only accessible by admins. This could open the door for DLL hijacking and other attack vectors that would allow for privilege escalation.

Also included were five vulnerabilities in the Chakra scripting engine behind Microsoft Edge (CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588). Any of these CVEs could be leveraged to execute code on an Edge user’s host. To be exploited, the Edge user would have to be naively phished or innocently malvertised. Remember, malvertising is on the rise. If an attacker chained together an Edge exploit with either of the vulnerabilities that allow for privilege escalation, they could gain full control of the host.

Other notables included two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573) and PowerShell bugs that allow potential remote code execution (CVE-2018-8256, CVE-2018-8415).

Data Privacy Plug-in Ironically Eliminates Privacy for Thousands of Sites

Last week a privilege escalation vulnerability in a popular WordPress GDPR compliance plugin with over 100K installs. This week, thousands of websites have been compromised. If you’re running a WordPress site, check your GDPR plugin for updates, because they are scanning everyone. The patched version is 1.4.3.

Although these sites are fully compromised, Sucuri has been tracking a campaign and reports observing thousands of compromised sites that direct the user to code similarly used to invoke fake tech support scams (TSS). We confirmed with Perchy, the TSS campaign is currently using wtools[.]io to host the injected content and redirecting users to diwutixip[.]innocraft[.]cloud for the TSS payloads.

China Chopper Finds Forever Home with ColdFusion

Security researchers have recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion. A suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. Adobe’s ColdFusion has historically been a major target of APT groups looking to compromise networks. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. When Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability. The vulnerability is easily exploited through an HTTP POST request to the file “upload.cfm”, which is not restricted and does not require authentication. It should be noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called “settings.cfm”. Researchers have identified that Adobe did not include the “.jsp” file extension in the default configuration, which was problematic because ColdFusion allows “.jsp” files to be actively executed.

The attackers also identified a directory modification issue through the “path” form variable that allowed them to change the directory to where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it. All files on the compromised websites were found in one of two directories; /cf_scripts/ and /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/. Several of the affected websites contained an HTML index file from the hacktivist group, “TYPICAL IDIOT SECURITY”.

On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues to include an unauthenticated file upload vulnerability. This vulnerability was assigned as CVE-2018-15961 affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). You should apply a patch once it is available from Adobe.

We observed potential recon activity from:

113.161.90.69

JexBoss Gets Wild with NCCIC

Finally, to close out this threat report, we have a tool getting the spotlight from The National Cybersecurity and Communications Integration Center (NCCIC). NCCIC issued a US-CERT alert for security assessment tool. JexBoss is used to test and exploit older vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. The Github repo hasn’t been updated in two years and there are open issues fix bugs and to add new attacks. It amazes me that older versions of this software is still out there, unpatched and living its best life.

Attackers used JexBoss in the Samsam ransomware campaign that targeted the healthcare industry. According to US-CERT, JexBoss allows an attacker to execute arbitrary OS commands on the target host through either installing webshell, blindly injecting commands, or establishing a reverse shell. NCCIC has determined that JexBoss operates on all seven stages of the Cyber Kill Chain framework. Users and administrators are advised to review AR18-312A from US-CERT.

Threat Report Thursday November 8th 2018

Paul Scott on November 8, 2018

In this week’s threat report we’re covering a couple 0-days, malware that could have you scrambling for your disaster recovery (DR) plan, and the rising trend of malvertising. Let’s get it goin’.

Full Disclose for VirtualBox 0-Day

Speaking of 0-days, Security researcher Sergey Zelenyuk has publicly disclosed a 0-day in virtual machine software VirtualBox without notifying Oracle, the developer of the free application. The flaw relies on a chain of bugs and can allow maliciouscode to escape the VirtualBox environment (guest) and execute on the underlying (host) operating system. Zelenyuk highlights that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). The flaw affects VirtualBox 5.2.20 and prior versions and impacts any host OS or guest OS with a VM configuration in the default setting. Zelenyuk has published a video demonstrating the attack as well as a detailed technical write-up on Github, viewable in the Validation URL section of this note.

No patches are currently available. In the meantime, Zelenyuk advises users to change the network card of their virtual machines to either PCnetor Paravirtualised Network. If this cannot be done, users should change the mode from NAT to another one. However, the first option is more secure, he adds.

Zelenyuk shared that his reasoning for publishing the 0-day without notifying Oracle first stemmed from personal frustration at how long it takes for patches to be produced and implemented, as well as issues submitting flaws to bug bounty programs. If Zelenyuk has found this, then chances are someone else has too and we are more secure by knowing about this vulnerability than by being unaware of it. Thanks, Zelenyuk. Very pragmatic.

Crypto-jacking Malware forces 3-Day St. Francis Xavier University Network Outage

According to a statement released on November 4, 2018, St. Francis Xavier University in Nova Scotia, Canada was forced to shut down its entire network for at least three days as system administrators attempted to root out a crypto-jacking (or cryptocurrency mining) malware. The attack reportedly began on Thursday, November 1, and targeted the university’s network infrastructure. After the malware was detected, the school immediately shut down its entire network, disabling all online systems including: online courses, cloud storage, email services, debit transactions, and Wi-Fi. The statement reads, “The malicioussoftware attempted to utilize StFX’s collective computing power in order to create or discover Bitcoin for monetary gain.” The statement emphasized that there is no evidence to indicate that personal or sensitive data was compromised by the malware attack. Although no sensitive data was compromised, that was just luck. Ransomware does not typically try to exfiltrate data. Had they been infected with malware that sought to exfiltrate sensitive data, we would see a data breach here instead of an outage. As a safety precaution, university officials advised all students, staff, and faculty to reset their university account passwords as a safety measure; but the university should have forced a password reset.

Disk Cryptor Leveraged by Ransomware Campaign

Another type of malware that could send you into full on DR is ransomware. MalwareHunterTeam has recently discovered new ransomware that installs Disk Cryptor to infect victim machines. Disk Cryptor is an encryption program that encrypts the whole disk and then prompts the user to enter a password on reboot. According to MalwareHunterTeam, this ransomware requires a password argument to be passed. This argument is the decryption key. It is possible that the attackers are hacking into Remote Desktop Services and installing the ransomware manually. During the installation process, a log file will be created at C:\Users\Public\myLog.txt that shows the current stage of the encryption process. Once the entire drive has been encrypted, it will reboot the computer and victims will be greeted with a ransom note that explains to contact mcrypt2018@yandex.comfor payment instructions. It is essential that you have reliable and tested backups of data that can be restored in the case of an emergency, such as a ransomware attack. There is a very narrow window to catch ransomware before it encrypts the disk. If this really is coming in through Remote Desktop Services, it’s way more likely to be a weak password than a 0-day. But, please question if you need RDP open to the world.

Related Registry Keys

  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES\DCRYPT
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\CONFIG
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT

  

Hashes

- 4ae71336e44bf9bf79d2752e234818a5
- f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a

Rising Malvertising Opens Gateway for 0-Days

Based on the ad related traffic before this activity, we believe this is likely related to malvertising. Malvertising is the common ground where evil marketing teams and hungry blackhats meet to perform ritual sacrifice on end users. No matter how well you train staff, if they are allowed to get on the Web, they will get ads. Ads are ubiquitouson the Internet. We are all at risk when adversaries can replace a benign, normal, soul-sucking ad with a maliciousone. We’ve been watching a large number of our customers’ users getting pop-ups for fake tech support scams that goes like, “You have been infected with Pornographic Malware please call the number on the screen or we will report you to the police.” We aren’t sure who picked up the phone and called, but we wanted to let everyone know so they can block the sources of the activity. We’re seeing this campaign across approximately 15 percent of our customer base and it does not appear to target one industry more than another. This is just a fake tech support scam. Imagine if an attacker used malvertising to distribute a new Edge 0-day instead.

Researchers recently discovered a 0-day remote code execution (RCE) vulnerability in Microsoft Edge. In a tweet posted November 1, 2018, exploit developer Yushi Liang tweeted, “we just broke #Edge, teaming up with [Alexandr Kochkov] for a stable exploit, brace yourself SBX is coming.” The tweet included an image of the Web browser that appeared to launch the Windows Calculator app. Liang and Kochkov’s objective was to develop a stable exploit and achieve full sandbox escaping of the code. The pair disclosed that they were also looking for a method to escalate execution privileges to SYSTEM, granting them complete control over the victim machine. Liang shared that he discovered the 0-day bug with the assistance of the Wadi Fuzzer utility from SensePost. The pair plans on publishing a proof-of-concept demonstrating the vulnerability soon. We’ll let you know when they do.

Until then, here are some domains to block. If you want the IPs hit me up on Slack. To see if your users got hit by this malvertising campaign, check out Perchybana:

https://app.perchsecurity.com/perchybana/#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-30d,mode:quick,to:now))&_a=(columns:!(perch_company_name,event_type,src_ip,src_port,dest_ip,dest_port,payload_printable,flow.bytes_toclient,flow.bytes_toserver,http.hostname,http.url,http.http_refer,http.status,http.redirect,http.xff,http.protocol,fileinfo.filename,fileinfo.sha1,fileinfo.size),index:'*-records',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'(%22%2Ftpage3%2F%22%20%7C%7C%20%22%2Fwelcome%2F%3Fa%3D%22)')),sort:!(timestamp,desc))

IPs

- 138.197.218.89 - Organization: DigitalOcean, LLC (DO-13)
- 159.203.166.119 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.222.164 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.240.50 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.253.173 - Organization: DigitalOcean, LLC (DO-13)
- 162.248.246.162 - Organization: Centrilogic, Inc. (CENTR-60)
- 165.227.115.97 - Organization: DigitalOcean, LLC (DO-13)
- 165.227.71.84 - Organization: DigitalOcean, LLC (DO-13)
- 178.128.132.138 - Organization:  US-DIGITALOCEANLLC-20100303
- 185.44.66.174 - Organization:  UK-MASSIVEGRID-20131231
- 192.129.248.58 - Organization: Hostwinds LLC. (HL-29)
- 216.116.91.94 - Organization: Jack Henry & Associates, Inc. (JHA-1)
- 38.128.66.252 - Organization: PSINet, Inc. (PSI)
- 38.75.137.163 - Organization: PSINet, Inc. (PSI)
- 38.91.107.252 - Organization: PSINet, Inc. (PSI)
- 66.165.233.43 - Organization: NOC4Hosts Inc. (NOC4H)
- 66.165.247.187 - Organization: NOC4Hosts Inc. (NOC4H)

URIs:

- /fonts/glyphicons-halflings-regular.ttf
- /fonts/glyphicons-halflings-regular.woff
- /fonts/glyphicons-halflings-regulard41d-.eot
- /tpage3/a.htm
- /tpage3/gb.mp3
- /tpage3/iframe.js
- /tpage3/jquery-1.js
- /tpage3/login.php
- /tpage3/retreaver.js
- /welcome/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C
- /tpage3/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C

Hashes:

- 69db1a94309e88008bbadacf301526edce59374410c83f888ec866ad6b2d8e47- iframe.js
- 71a861100e206eeee88876cd5313553e0fdc07046cce33a1a96b96d9485070e1 - retreaver.js

Domains:

- ganglioblast[.]pw
- gathering[.]pw
- gaultherin[.]pw
- glycolysis[.]pw
- haematoscope[.]pw
- haemoglobin[.]pw
- hemizygote[.]pw
- hemocyanin[.]pw
- hidradenomas[.]pw
- hologamies[.]pw
- holographies[.]pw
- homeopathies[.]pw
- homoeotic[.]pw
- homogeneous[.]pw
- homogeniser[.]pw
- homolytic[.]pw
- junaket[.]us
- kremlins[.]pw
- laudably[.]pw
- leafless[.]pw
- mannikin[.]pw
- massaged[.]pw
- metamers[.]pw
- ministrytwo[.]stream
- minusnine[.]stream
- misatone[.]pw
- misbills[.]pw
- misdeeds[.]pw
- misdoing[.]pw
- misdraws[.]pw
- misjoins[.]pw
- mislearn[.]pw
- misspent[.]pw
- mistrust[.]pw
- miterers[.]pw
- modified[.]pw
- monazite[.]pw
- monitive[.]pw
- monotony[.]pw
- mustered[.]pw
- mutating[.]pw
- muteness[.]pw
- nailfold[.]pw
- news[.]hellosite[.]info
- sp[.]cwfservice[.]net
- swiftone[.]us
- tellinglynine[.]us
- torousten[.]pw
- trivetnine[.]pw
- turgitefour[.]pw
- unearthsix[.]pw
- unkindnine[.]pw
- unlockten[.]pw
- unmetsix[.]pw
- unplaittwo[.]pw
- unplugfive[.]pw
- unresttwo[.]pw
- unretireten[.]pw
- untunedone[.]pw
- upraiseten[.]pw
- usheredfour[.]pw

Threat Report Wednesday October 31st 2018

Paul Scott on October 31, 2018

It’s time to rise from your graves for our Halloween threat report. This week we’re going to point you at a few Twitter doors to knock on, hand out some zero-day tricks and treats, and discuss a white paper that’s giving energy and water a fright.

Zero-Day Tricks and Treats

Many security professionals get their news through sources like Twitter. If you’re looking for some Twitter doors to knock on to get the good treats this Halloween, check out @SandboxEscaper and @HackerFantastic.

In recent months, security researcher @SandboxEscaper has released proof-of-concept(PoC) exploits for two Windows zero-days on Twitter. The most recent vulnerability is a privilege escalation flaw in Microsoft Data Sharing (dssvc.dll). The Data Sharing Service runs as LocalSystem account and provides data brokering between applications. @SandboxEscaper zero-days have been turned around by threat actors and seen in the wild. If you want some early warning on the next Window’s zero-day, give her a follow.

On the Linux side of the world, security researcher Narendra Shinde discovered a local privilege-escalation and file-overwrite vulnerability in X.Org X server that opens the door for a trivial compromise of a Linux system.

Essentially, Shinde says this is the result of “incorrect command-line parameter validation”. The system doesn’t check for correct permissions on the -modulepath or -logfile command line switches. Both are root-privileged X.org processes.

Although this was only given a 6.6 CVE score (likely because it was considered a local exploit) security pro @HackerFantastic has released a PoC on Twitter that shows this working remotely via SSH. This makes CVE-2018-14665 a dime in my little black book.

“Xorg Local Privilege Escalation (LPE) via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with three commands or less”. @HackerFantastic regularly posts PoCs and other good security news. You should give him a follow too.

Spectre of Spectre Returns to Haunt Halloween

Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) have reported an industry-wide issue found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). The vulnerability relies on the presence of a precisely-defined instruction sequence in the privileged code. As well as the fact that memory read from address to which a recent memory write has occurred may see an older value. Subsequently this will cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. This impacts the qemu-kvm and libvirt packages.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

This reminded us of the OG speculative execution vulnerability, Spectre, disclosed Jann Horn and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.

Water and Energy Industrial Controls Exposed on the Web

Trend Micro has recently published a white paper on water and energy infrastructure exposed to the Internet, and it’s worth a read. Trend Micro reports that Energy is the top critical infrastructure for most industrial economies and Water is a natural extension of the energy sector; with water being a key component in hydroelectric and geothermal plants. Protecting critical infrastructure against cyber attacks should be of the highest priority for the organizations that operate it.

Perch provides threat detection services to a number of Critical Infrastructure providers in the Water and Energy space. We looked for some of the common exposed services mentioned in this white paper. After reviewing all customer data for the last 30 days we found no established flow from the wild Web to a port related industrial control systems. Good job, Perchy people. You get a treat.

Threat Report Thursday October 25th 2018

Paul Scott on October 25, 2018

As we approach Halloween, it has been a frightening week in security. We have an ancient Zero-Day rising from the shadows, government data being sucked dry by a data breach, and monstrous malware kidnapping your codes. Don’t get spooked!

Cashdollar Hits Jackpot with Discovery of 8-year-old Zero-Day

Larry Cashdollar, a security researcher from Akamai SIRT, has recently discovered a zero-day vulnerability in jQuery File Upload plugin (CVE-2018-9206). This vulnerability enables the attackers to upload malicious files to servers, such as rootkits, backdoors, and other malware. Based on Cashdollar’s research, the vulnerability has been exploited before 2016. There was an uploaded video in YouTube dating back to August 2015 about bug tutorials in jQuery File Upload, noting that hackers have been widely exploiting the vulnerability.

Cashdollar notified the vulnerability to Sebastian Tschan (aka Blueimp), a German developer who authored the jQuery File Upload plugin. Tschan conducted his own research and found out that the root cause lies in the security changes via “.htaccess” in the Apache Web Server (Apache HTTPD Server Version 2.3.9) dating back to 2010. This update allows the owner to ignore custom security settings for individual directories. Unknowingly, the jQuery File Upload plugin of Tschan rely on “.htaccess”, which was active by default. All versions of the plugin are vulnerable up to 9.22.1.

The plugin has been integrated to thousands of projects such as content management systems (CMS), customer relationship management (CRM), intranet solutions, WordPress plugins, Drupal add-ons, and Joomla components - to name a few. The jQuery File Upload plugin has been forked in GitHub over 7,800 times. Cashdollar has used his proof of concept (POC) and tested 1,000 of 7,800 forks of the GitHub plugin and found out that all were exploitable. But GitHub forks of this vulnerable code are only one part of the problem. There is no way to track applications that have integrated jQuery File Upload plugin without forking through GitHub. Cashdollar has notified US-CERT due to the seriousness of the vulnerability.

This is a critical vulnerability and can allow an attacker to remotely gain control of vulnerable applications. It is amazing that this hasn’t been discovered more recently since it has been on YouTube for three years. It’s time to start writing YouTube scrapers into our open source intel tools. If you are using a jQuery File Upload plugin or a forked version of this vulnerable code in your application, you should upgrade immediately. If you’re including unknown open source code into your application, you should attempt a security review of the code.

75,000 Individuals’ Records Compromised from HealthCare.gov

AP News reports that roughly 75,000 individuals’ records have been compromised in a HealthCare.gov security breach. On October 19, 2018, the Centers for Medicare and Medicaid Services (CMS) released an official statement explaining that on October 13 they detected suspicious activity in the Federally Facilitated Exchange’s (FFE’s) Direct Enrollment Pathway. A system designed to allow agents and brokers to help customers apply for coverage in the FFE. An official data breach was declared on October 16. CMS states that agent and broker accounts associated with the suspicious activity were deactivated and the Direct Enrollment Pathway for agents and brokers was also disabled.

Officials determined that roughly 75,000 individuals’ records were accessed during the breach but note that this is a “small fraction” of the FFE’s total consumer records. CMS officials are currently working to identify all individuals impacted by the breach so that they may be notified and offered credit protection. CMS officials also state that open enrollment on HealthCare[.]gov and the Marketplace Call Center are presently available for the general public. A more secure Direct Enrollment Pathway system will be restored for agents and brokers within the next seven days. The statement adds that CMS is in the beginning stages of the assessment of the breach.

Since only some suspicious accounts were associated with the suspicious activity it is likely that this was the result of weak passwords being brute forced or password stealing malware on users’ machines.

Release the Kraken: New Variant on Kraken Cryptor Ransomware

Bleeping Computer has recently published a report about a new variant of Kraken Cryptor ransomware being distributed via malvertising and through the RIG exploit kit. The new Kraken Cryptor version 2.0.6 was first detected by security researchers @nao_sec and @kafeine and shared with Bleeping Computer.

Through the shared file hashes and information, Bleeping Computer was able to determine that this ransomware was able to infect 217 unique victims globally since October 20, 2018. Interestingly, this new variant connects to “bleepingcomputer.com” during different stages of the encryption process. It is still not certain on what the motive is for connecting to BleepingComputer during encryption. BleepingComputer owner Lawrence Abrams says it is just to poke on them since BleepingComputer has tackled Kraken Cryptor ransomware in the past.

The request to the URL shortening services is encrypted. So, you likely won’t be able to see the user-agent or referrer unless you utilize a forward proxy to inspect outbound traffic. However, you should see an encrypted connection to 2no.co domain and then a redirect to bleepingcomputer.com.

Domains:

• 2no[.]co (legit url shortening service)
  
• bleepingcomputer[.]com (legit site haunted by a vengeful ghost)
  
  

HTTP User-agent:

• Kraken web request agent/v2.0.6
  
  

HTTP Referrer:

• country code + drive size + status
  
  

We know that Ransomware can be scary, so we asked Perchy to look around for this new variant. Perchy says, no traffic in the last 30 days is consistent with indicators for the newly released variant of Kraken Cryptor. All Perch customers are clear, and no infection was seen.

Threat Report Thursday October 17th 2018

Paul Scott on October 17, 2018

Welcome back to the Perch weekly threat report. Over the last week there has been a lot of security related news, but we’re focusing on a ransomware outbreak reported by a state-run utility and spotlighting one of Zeus’ lesser-known offspring, Panda Banker.

Ransomware Demands Flushed by North Carolina Sewer Authority

Disaster recovery plans are essential when attempting to recover from a ransomware attack, as shown recently by Onslow Water and Sewer Authority. That may include ready-to-restore backups or having manual processes in place for different disaster scenarios. If ransomware isn’t a scenario you plan for, you should.

According to an official statement released Monday, October 15, 2018, Jacksonville, North Carolina-based Onslow Water and Sewer Authority (ONWASA) suffered an attack that resulted in malware infection. The company states that on October 4th, they began experiencing persistent virus attacks from Emotet malware. On Saturday, October 13, at 3AM local time, the company states that Emotet dropped Ryuk ransomware, which spread along the network, rapidly infecting databases and files. ONWASA refused to pay the ransom and instead chose to “undertake the painstaking process of rebuilding its databases and computer systems from the ground up.” The attack did not expose customer information, nor did it interrupt water and wastewater services to homes and businesses.

The statement notes that the incident is similar to another ransomeware attack on official county computer systems in Mecklenburg County, North Carolina, which occurred last year. An FBI spokesperson confirmed that they are currently investigating the incident.

The faster a threat is detected the less it costs to remediate. That’s why having threat detection and a SOC in place is key. Had this attack been caught at the initial Emotet infection and stopped, it would have cost less than responding to a ransomware outbreak.

Malware Spotlight: Panda Banker

I heard sunlight is the best disinfectant. So this week we’re decided to shine some light on the well-maintained Panda Banker malware, a variant of the Zeus banking trojan.

Researchers have identified that Panda Banker has been updated numerous times and has remained active since 2016. Recently, Panda Banker is being installed by the Emotet malware. The attack appears in the form of a malspam phishing campaign that uses weaponized Microsoft documents that deploy the payload. Researchers note that financial institutions and other video streaming service/e-commerce company were targeted in Japan. Other primary targets were organizations from United States and Canada.

Researchers note that the malware has a sophisticated attack cycle, combined with heavily coded obfuscation techniques and multi-encryption layering. After execution, it first checks if it is running in a sandbox, then creates a copy of itself. The malware then creates two “svchost.exe” and injects it with the Trojan. It downloads the configuration from its C&C Server and injects a DLL to intercept traffic through API hooking.

Panda Banker uses the Mersenne Twister algorithm to generate a URL to connect to its C&C Server. Panda Banker will lie in wait until the infected browser visits a targeted website, such as an online banking system, credit card company, and blockchain information. The malware will then steal bank or credit card details, personal data, and web wallet information. This campaign shows that financial gain is a major factor in how Trojans are being used by threat actors.

The Perch SOC regularly goes thrunting, a term they lovingly created for threat hunting, for observables in all customer environments. If you’re a customer, good news! We’ve checked your security event data for over 200 indicators related to Panda Banker. We found no signs of Panda Banker being downloaded or smuggling bits out of your environment. At Perch, we enable customers to see further because we give a flock. Below is a list of domains Perch found linked from malspam.

Domains:

• apx[.]email
  
• carolinegraham[.]me
  
• carvanadenver[.]com
  
• carvanamemphis[.]com
  
• carvananashville[.]com
  
• colleenmansfield[.]com
  
• genesisatoxmoor[.]com
  
• genesiseastlouisville[.]com
  
• genesisofeaslouisville[.]com
  
• genesisofindiana[.]com
  
• genesisofwestlouisville[.]com
  
• jclgraham[.]com
  
• laurengraham[.]me
  
• michaelagraham[.]com
  
• newlacafe[.]com
  
• oxmoorusedcars[.]com
  
• pegasussoilsolutions[.]com
  
• pegasussoilsolutionsllc[.]com
  
• sellittooxmoor[.]com
  
• selltooxmoor[.]com
  
• zombiedebtslayer[.]com
  
  

Resource:

threatvector

Threat Report Thursday October 11th 2018

Paul Scott on October 11, 2018

This week we’re covering three current events. The first two are related to threats targeting the financial sector. The last is a cautionary tale of malware infection at a large restaurant chain.

APT38 is getting SWIFT

In a report published October 3, 2018, FireEye detailed the activities of APT38, a threat actor conducting financially motivated and cyber-espionage related crimes on behalf of the North Korean regime. FireEye identifies APT38 as a North Korean Nation State sponsored group sharing overlapping characteristics with both Lazarus Group and TEMP.Hermit. According to their findings, APT38 executes sophisticated bank heists resulting from extensive planning and maintains long periods of access on a compromised victim’s environment. APT38 was linked to multiple incidents targeting SWIFT systems. APT38’s primary goal is to raise large sums of money for the North Korean regime; however, FireEye states that they also target infrastructure to facilitate continuous operations and evade detection.

APT38 primarily targets financial institutions such as banks, credit unions, and financial transaction and exchange companies. Other targeted organizations include media companies and government entities. Known victims reside in the following countries: the United States, Mexico, Brazil, Chile, Uruguay, Poland, Turkey, Russia, Bangladesh, Malaysia, Vietnam, and the Philippines. In Annex B of the report, FireEye details an extensive list of malware used by APT38, including established, well-known tools (NestEgg, DarkComet) to lesser-known tools (DyePack, BLINDTOAD). FireEye believes APT38 is a well-resourced and persistent threat likely to continue its illicit financial-crime activities.

Resources:

Fireeye

Betabot continues to evolve its toolset for breaking the bank

Security researchers from Cybereason have detected a new campaign involving the Betabot (Neurevt) Trojan. Betabot first appeared in 2012 as an info-stealer and evolved as a banking trojan packing with destructive features. This updated version has functions like browser form grabbing, File Transfer Protocol (FTP) and mail client stealer, banker module, running distributed denial of service (DDoS) attacks, USB infection module, Robust Userland Rootkit (x86/x64), Arbitrary command execution via shell, and crypto-currency miner module. Betabot can also drop other malware and gain persistence via Windows Task Scheduler and Registry Autorun. Researchers note that the Betabot was designed to operate in “paranoid mode.” It includes self-defense mechanisms such as anti-debugging, anti-virtual machine/sandbox, anti-disassembly, and detect at least 30 security products and analysis tools and try to disable/remove them.

The malware is carried out using phishing attack with social engineering tactics. The email persuades the user to open an attached weaponized Microsoft Word document as the Betabot malware exploits CVE-2017-11882, an 18-year old vulnerability in the Equation Editor tool in Microsoft Office. The vulnerability was discovered in 2017 and patched by Microsoft. It communicates with its C&C Server after checking internet connection by sending requests to Google.com and Microsoft Update Sites. Researchers note that to prevent Betabot infections, users should keep their software up to date, install Microsoft Security patches, and avoid opening attachments from unknown senders.

Resources:

Cybereason

Microsoft

Malware gets year-long all you can eat burger time pass

Restaurant chain Burgerville has recently revealed a security breach that has started over a year ago. Based on the online report, the Federal Bureau of Investigation (FBI) contacted Burgerville last August 2018 about a security incident involving FIN7 which was thought to be “brief intrusion” that no longer existed. By September 19, FBI informed Burgerville that the attack is still active, and was much more severe than expected. Burgerville took steps for remediation, and in cooperation with the FBI and an outside cybersecurity firm, they launched a full forensic investigation. Based on the investigation, the malware was installed on Burgerville systems such as Point of Sales (PoS) machines to steal customer data. Customer’s credit and debit card information such as names, card number, expiration dates, and CVV numbers may have been compromised. The number of affected customers is currently unknown, as the tactics of FIN7 were said to be sophisticated and adept at concealing their digital footprints.

Burgerville explained that they didn’t announce the breach sooner to maintain the confidentiality of the breach during the investigation with the FBI. The remediation plan, which was completed by September 30, has to be kept secret. As part of their remediation plan, Burgerville has also upgraded their systems to counter this kind of attack. The company has asked their customers who have visited their restaurants and used their cards between September 2017 to September 2018 to monitor their financial statements for fraudulent activities.

The longer a threat goes undetected the more expensive it is to remediate. Security programs can be expensive if you go it alone. If Burgerville had a team of security analysts monitoring and didn’t rely on FBI notification, they would have caught the initial and continued infection.

Resources:

Burgerville

Threat Report Wednesday October 3rd 2018

Paul Scott on October 3, 2018

In this weekly threat report, we’ll cover three current events. Facebook loses 50 million auth tokens, a phishing campaign is evading AV to deploy remote access trojans, and a ten-year-old privilege escalation vulnerability has major Linux distributions scrambling to release.

Facebook loses control of auth tokens used for FB and every site you log into using Facebook SSO.

On Friday, September 29, Facebook announced an attacker exploited a vulnerability and potentially compromised up to 50 million users Facebook accounts. The vulnerability exposed user access tokens in the HTML of the site page. Facebook published a statement on this incident, which it later updated with further technical details describing the nature of the vulnerability as the combination of three unknown flaws in a feature known as ‘View As.’

The statement included the following:

“Earlier this week, we discovered that an external actor attacked our systems and exploited a vulnerability that exposed Facebook access tokens for people’s accounts in HTML when we rendered a particular component of the ‘View As’ feature. The vulnerability was the result of the interaction of three distinct bugs:

First: View As is a privacy feature that lets people see what their profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.

Second: A new version of our video uploader, introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.

Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”

Fifty million users were potentially affected by this vulnerability. As a precaution, Facebook has reset the tokens. However, it does nothing to resolve the potential data an attacker may have stolen.

Facebook confirmed that these access tokens might have been used to login to third-party sites via Facebook’s SSO. According to a 2015 report by Gigya, Facebook had the largest share of all identity providers at a 64% share of social login. This aspect of the breach makes it particularly nasty and should remind everyone of the risk of centralized authentication and single sign-on.

Resources:

theverge

facebook

gigya

facebook

Phishing expedition dodges AV to land Adwind RAT

Security researchers from Cisco Talos with ReversingLabs have released a report regarding a new campaign dropping Adwind Trojan. This new phishing spam campaign spreads the Adwind 3.0 RAT which infects Windows, Mac OSX, and Linux operating systems. The spam email contains weaponized malicious “.csv” and “.xlt” file attachments to entice the user to open.

Adwind 3.0 has a set of new tools, especially an evasion technique by utilizing the Dynamic Data Exchange (DDE) code-injection technique. This DDE, which transfer data between applications, compromises Microsoft Excel. Microsoft Excel opens by default the two droppers found in this campaign, the “.csv” and “.xlt.” Researchers note that this is part of the obfuscation technique applied wherein signature-based anti-virus aren’t able to detect. Instead of identifying that it is a malicious file, it prompts that it is corrupted. If the user opens the file, it executes the dropper. It creates a Visual Basic script that uses bitsadmin tool, which loads the final Java archive payload that contains Adwind installer.

This kind of injection has been used for years, but the treat actor was able to customize it to have an extremely low detection ratio. Other functions of this RAT includes log keystrokes, take screenshots, take pictures, transfer files, or execute any other command from its C&C Server. Researchers have verified that the malware has been targeting mostly Turkey and Germany, but many malware samples have also been detected in the US, India, Vietnam, and Hong Kong. Researchers have noted that sandboxing and behavior-based detections should be able to detect and stop this spam campaign.

Resources:

Reversing Labs

Talos Intelligence

Hashes:

• 93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24
  
• 0af2c5a46df16b98b9ab5af0ec455e98f6e1928c10ed8b6ffec69573498bdd8a
  
• 93280872f685f9c26d5f668ca1303f224a38d2b86ba707cdbb3d57427396e752
  
• 0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8
  
• 65220dae459432deb1b038dbcbf8a379519a1a797b7b72f6408f94733bc5a2c2
  
  

URLs:

• http://www[.]qakeyewoha[.]club/?from=@
  
• http://www[.]avrasyayapi[.]live/?from=@
  
• http://www[.]birlikholding[.]live/?from=@
  
• http://avrasyagrup[.]live
  
• http://www[.]erayinsaat[.]live/?from=@
  
• http://www[.]yeyamohofe[.]club/?from=@
  
  

Mutagen Astronomy (CVE-2018-14634) creates a deep impact on Red Hat, CentOS, and Debian

Risk managers better get that VRM and start checking on vendor patch levels. Security researchers from Qualys have discovered a vulnerability named Mutagen Astronomy (CVE-2018-14634) that affects Red Hat Enterprise Linux (RHEL), CentOS, and Debian users. The critical vulnerability can be used for Local Privilege Escalation (LPE)on 64-bit systems. An integer overflow triggers the vulnerability in the create_elf_tables() Linux kernel function. If exploited, it causes a buffer overflow that executes malicious code with root privileges. According to researchers, Mutagen Astronomy was present in the Linux kernel between July 19, 2007 (kernel commit: b6a2fea39318) and July 7, 2017 (kernel commit: da029c11e6b1). Researchers were able to publish two proof of concept (PoC)s for Mutagen Astronomy. The Red Hat Team has confirmed this vulnerability. Some releases have been patched while some are still vulnerable. If a fix has not been released for your version, a patch is available.

Resources:

Qualys

Qualys

Security-tracker

Qualys

Redhat

Threat Report Thursday September 28th 2018

Paul Scott on September 28, 2018

This week we are covering three emerging stories in the weekly threat report. First, we’ll cover a newly discovered case of ATM skimmers being installed at banks. Then we’ll transition to two digital threats. The first is related to the reuse of breached credentials in brute force attacks against the financial sector and the second is related to Microsoft’s battle against phishing attacks targeting the upcoming mid-term elections.

Two ATM Skimmers Found at Old Second Bank

Authorities from Aurora Police Department are investigating ATM skimmers found at two Old Second Bank branches in Aurora. The first ATM skimmer was found at 1300 block of North Farnsworth Avenue by an Old Second Bank employee at around 6:30AM. The employee saw a woman walking up to the ATM and acting suspiciously. When the woman left the area, the bank employee checked the ATM with the ATM skimmer and notified other branches of possible skimming which in turn identified the second ATM skimmer at the Fox Valley branch. Investigators are looking through security footages and already released surveillance photos related to the ATM skimming incident. The police are advising bank account holders to immediately report any possible identity or card theft to their bank.

Resources:

Chicago Suntimes

Credential Stuffing Attacks Focused on Financial Sector

Cybersecurity firm Akamai has recently released its “2018 State of the Internet / Security – Credential Stuffing Attacks Report”. The report shows that organizations, particularly in the financial sector, should be cautious about credential stuffing attacks. Credential stuffing is considered to be login attempts utilizing passwords recovered from a breach. The trend of malicious login attempts is on the rise because botnets are being used to automate credential stuffing, and according to the researchers, it has a Distributed Denial of Service (DDoS) effect. Researchers have documented over 30 billion malicious login attempts from November 2017 to June 2018.

Akamai recorded two particular cases of credential stuffing with the use of heavy-handed botnet operation. First is an unnamed Fortune 500 company where login attempts average from 50,000 an hour to over 350,000 in a single afternoon. The botnet generated 8.5 million malicious attempts in six days. The second is a US credit union that receives 45,000 login attempts every 60 minutes. Another botnet that used a brute-force attack generated 4.2 million attempts in 7 days. Researchers have noted that the US, Russia, and Vietnam are the primary sources of credential stuffing attacks.

Researchers have mentioned that credential stuffing attacks are continuously evolving their methodologies - from volume-based noisier attacks to stealthy low and slow attacks. Without the right defense and expertise, top to bottom organizations alike would fall victim to such attacks.

Resources:

ZDNet

Akamai

Akamai

APT28 Uses Bitcoin to Register Midterm Election Phishing Domains

RiskIQ conducted an investigation into domains that Microsoft sink-holed, which were used in phishing activity that Microsoft attributed to APT28. Microsoft was able to tie the domains in question back to APT28 by tracking historical infrastructure and following the tactics, techniques, and procedures (TTPs) associated with the group over the past few years. The domains were styled to mimic US Senate domains, along with think tanks Hudson Institute and the International Republican Institute. These domains are currently sink-holed at Microsoft’s IP 157.56.161.162. The subdomains target mail servers, or emulate Microsoft products, associated with the domains below:

• senate[.]group [adfs.senate[.]group]
  
• my-iri[.]org [Sharepoint.my-iri[.]org]
  
• hudsonorg-my-sharepoint[.]com [Mail.hudsonorg-my-sharepoint[.]com]
  
• office365-onedrive[.]com [Mail.office365-onedrive[.]com]
  
• adfs-senate[.]email
  
• adfs-senate[.]services
  
  

RiskIQ found that APT28 exclusively used domain registrars and hosting providers that accept Bitcoin as payment. This is typical for APT28, who maintain multiple command and control servers for varying durations, cycling the hosting IP, while using registrars that accept Bitcoin, fake phone numbers and names, and use of a registrant email address derived from the domain being registered. The connection to old infrastructure was on the IP 154.16.138[.]57 which hosts vpn647639221.softether[.]net, a VPN service abused by APT28 according to the Department of Justice. This IP also hosted ‘mail[.]office365-onedrive[.]com’ on June 26th. The domains also had connections to disinformation campaigns, as the domain americafirstpolitics[.]com is hosted on Namecheap’s IP, 162.255.119.70, which also hosts of office365-onedrive[.]com. Historical information shows the domain americafirstpolitics[.]com hosting typical disinformation articles and content.

Hosting providers abused by APT28 include Bacloud, Frantech, GloboTech Communications, Info-Tel, MonoVM, Namecheap, Public Domain Registry, and Swiftway. Domains were hosted on various IPs, from rapid cycling that lasted less than a month to domains on Bacloud that were hosted for nearly a year (adfs-senate[.]services was hosted on 185.25.51[.]64 from September 2017 to August 2018). RiskIQ noted that some subdomains were hosted only for a day or two before being taken offline, saying “APT28 [may have] launched attacks from these domains then rapidly disabled routing/hosting to avoid detection or capture of their phishing or malware pages.”

Several of the servers had open ports used for Microsoft’s remote desktop protocol, while others presumably ran SSH on port 22. Almost all, except 37.72.175.151, ran HTTP with a few running HTTPS as well. The IPs 23.227.207.167 and 173.209.43.29 had some ports open that were almost matching, the only differences being the former having port 22 open while the later opened 49157, which is usually assigned dynamically. Interestingly, they also have ports open, typically used, for NetBIOS and Distributed COM Service Control Manager, which should not be exposed to the internet as it can be used to quickly identify every DCOM-related server/service running on a machine for exploitation. The IP 185.25.51.64 had port 25 open, which is used for SMTP and could be indicative of its use for sending phishing emails.

Domains:

• americafirstpolitics[.]com
  
• adfs-senate[.]email
  
• mail[.]office365-onedrive[.]com
  
• adfs-senate[.]services
  
• my-iri[.]org
  
• office365-onedrive[.]com
  
• senate[.]group
  
• adfs[.]senate[.]group
  
• mail[.]hudsonorg-my-sharepoint[.]com
  
• sharepoint[.]my-iri[.]org
  
• hudsonorg-my-sharepoint[.]com
  
• vpn647639221[.]softether[.]net
  
  

IPs

• 37.72.175.151
  
• 162.255.119.70
  
• 157.56.161.162
  
• 154.16.138.57
  
• 185.25.51.64
  
• 23.227.207.167
  
• 173.209.43.29
  
  

Resources:

Riskiq

Microsoft

Threat Report Tuesday September 18th 2018

Paul Scott on September 18, 2018

In this week’s threat report we’re covering two stories, the discovery of XBash malware and an unground marketplace offering a compromised bank ATM and three different companies’ company websites for sale.

XBash Malware Discovered

Researchers have discovered XBash, a malware with ransomware, botnet, and coin-mining functionalities. According to their research, XBash abuses weak passwords and unpatched vulnerabilities and is capable of spreading rapidly within an organization’s network. Researchers found that XBash targets Linux-based systems specifically for its ransomware and botnet capabilities, and targets Microsoft Windows-based systems primarily for its coin-mining and self-propagating capabilities. While XBash has ransomware functionality, researchers found no evidence to suggest that XBash would restore data after the ransom is paid.

At the time of report, researchers had observed 48 incoming transactions associated with the malware with a total income of 0.964 bitcoins, indicating that victims had paid roughly $6,000 total. XBash was first developed in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Instead of generating random IP addresses as scanning destinations like many other botnets, XBash instead retrieves both IP addresses and domain names from its C2 servers for service probing and exploiting. XBash can also scan for vulnerable servers within an enterprise intranet; however, researchers have only observed this functionality in collected samples and have yet to see it in action.

paloaltonetworks

Recommendations:

• Blocks emails from:
  
  • backupdatabase@pm[.]me
    
  • backupsql@pm[.]me
    
  • backupsql@protonmail[.]com
    
• Using strong, non-default passwords
  
• Keeping up-to-date on security updates
  
• Implement endpoint security on Microsoft Windows and Linux systems
  
• Prevent access to unknown hosts on the internet (to prevent access to command and control servers)
  
• Implement and maintaining rigorous and effective backup and restoration processes and procedures.
  
  

BigPetya Offers Compromised ATM for Sale

Perchy monitors many marketplaces for threat leads, and a compromised ATM for rent caught our eye. Lampeduza, aka BigPetya, a member of multiple underground forums, is selling access to an ATM belonging to a Nigerian bank for $25,000. The actor is also selling access to three different company websites. The first is californiaoliveranch.com, an online store linked to 1,000 PCs, available for the price $5,000. The second is dizucar.com, a company with 500-900 connected computers and a server, available for $4,000, and the last is www.enel.com, available for $10,000. Compromised sites are often leveraged in other attacks. If you start to see these domains pop up in your logs you may want to take a closer look even though the sites appear legitimate and do not have a negative reputation.

Recommendations:

• Monitor your ATM network and system activity for signs of compromise and infection.
  
• Monitor these domains and IPs for phishing, scanning, or malware hosting activities.
  
  • dizucar[.]com - 108.178.54.58
    
  • www[.]enel[.]com - 107.154.108.99
    
  • californiaoliveranch[.]com - 104.196.229.107
    

Threat Report Tuesday September 11th 2018

Paul Scott on September 11, 2018

In this weekly threat report, we’ll cover two topics, 380K British Airways users skimmed by Magecart breach and the Mirai/Gafgyt botnets get upgraded to fly first class with Apache Struts & SonicWall Exploits.

Mirai & Gafgyt get an upgrade

Security researchers uncovered two botnet variants of Mirai and Gafgyt(BASHLITE) with upgraded versions to take advantage of vulnerabilities. Both IoT botnets are associated with DDoS campaigns since November 2016. The Gafgyt version exploits the SonicWall vulnerability (CVE-2018-9866) that affects older unsupported SonicWall Global Management Systems(GMS 8.1 and older).

The Mirai version exploits the same Apache Struts Vulnerability (CVE-2017-5638) associated with the Equifax data breach in 2017 together with 15 other vulnerabilities. These vulnerabilities include Linksys E-Series devices(Remote Code Execution), Avcron NVR Devices(Remote Command Execution), D-Link devices(D-Link RCE), CCTVs & DVRs from 70 vendors(Remote Code Execution), EnGenius EnShare IoT Gigabit Cloud Service 1.4.11(Remote Code Execution), AVTECH IP Camera/NVR/DVR Devices(Unauthenticated Command Injection), Zyxel routers(CVE-2017-6884), NetGain Enterprise Manager7.2.562(Ping Command Injection), NUUO NVRmini 2 3.0.8(OS Command Injection), DGN1000 Netgear routers(Unauthenticated RCE), D-Link devices(HNAP SoapAction-Header Command Execution), D-Link DSL-2750B(OS Command Injection), MVPower DVR(JAWS Webserver authenticated shell command execution), and Dasan GPON routers(CVE-2018-10561, CVE-2018-10562).

Researchers noted that this is the first time the Mirai botnet has targeted a vulnerability in Apache Struts. Researchers have pointed out that the incorporation of exploits targeting Apache Struts and SonicWall could indicate the threat actors are increasingly targeting outdated enterprise devices.

paloaltonetworks

Mitigation Strategies:

• Keep device firmware and software up to date.
  
• Regularly perform network scans for vulnerable devices.
  
• Monitor your devices for network traffic that indicates successful exploit.
  
  

British Airways skimmed by Magecart

British Airways recently announced that it suffered a major breach that resulted in customer data theft that impacted roughly 380,000 customers. Names, addresses, email addresses, and payment details of customers with completed transactions from 22:58 BST on August 21 until 21:45 BST on September 5 were compromised. The breach surprisingly didn’t impact passport numbers and other travel data.

Researchers revealed how Magecart threat actor was able to hack the British Airways, like the Ticketmaster breach. As reported, data was stolen directly from the website and mobile app which carries payment forms. Researchers suspect that Magecart used cross-site scripting attack in British Airways’ poorly secured web page component and injected their skimmer code, altering the victim’s site behavior. The attack was tailor-made for the British Airways’ payment page.

Evidence was found that Magecart might have breached the British Airways site days before the skimming began. The attacker’s server used a certificate that was issued on August 15th, days before the reported stardate of August 21, 2018. Researchers warn Magecart uses custom-built attacks for targeted victims, which is a real threat for online payment processing.

Magecart has likely considered other airlines as targets and this is not the first breach in the aviation sector. Aviation sector businesses should consider community defense and evaluate membership in information sharing and analysis centers like A-ISAC.

britishairways

riskiq

a-isac

Mitigation Strategies:

• Keep web applications components up to date.
  
• Regularly scan your web applications for vulnerable components or unauthorized changes.
  
• Monitor your web applications via network and log to for indicators of compromise and successful attacks.
  

Threat Report Tuesday August 28th 2018

Stephen Coty on August 28, 2018

Ryuk ransomware campaign targeting large organizations in the US and around the world has made the attackers behind it over $640,000 in bitcoin in the space of just two weeks. It appears to be connected to Lazarus, the hacking group working out of North Korea. Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.

Secondly, Security researchers at Kaspersky Lab have uncovered a new campaign dubbed as “AppleJeus” being carried out by North Korean APT group Lazarus. Highly active in recent months, researchers note that this is the first time the threat group not only targeted Windows Systems but also targeted and developed macOS-based FallChill malware. The breach was sourced back to an email to an unsuspecting employee of the cryptocurrency exchange company that downloaded third-party legitimate-looking Celas Trade Pro, a cryptocurrency trading program developed by Celas.

Malware: Ryuk ransomware

It first emerged in mid-August and in the space of just days infected several organizations across the US, encrypting PCs and storage and data centers of victims and demanded huge Bitcoin ransoms. The attacks are highly targeted to such an extent that the perpetrators are conducting tailored campaigns involving extensive network mapping, network compromise and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.

For more information there are a few links below:

Siliconangle

Cryptonewsreview

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a malicious files
  
• Intrusion detection systems (IDS) would detect additional payload downloads
  
• A solid Backup strategy for easy restore as not to disrupt business operations
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: AppleJeus

The malware checks if it’s worth attacking. It runs an auto-Updater which contacts the C&C Server to download and run additional executables including the payload, Fallchill backdoor. In turn, Fallchill malware can secretly take over the victim’s computer and carry out cryptocurrency mining. Researchers suspects Celas is a fake company created by the North Koreans. Researchers believe that a Linux version of the malware might have been circulating already, if not in development.

For more information there are a few links below:

SCmagazine

Pastebin

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for communication to the C2 network
  
• Email filtration to find malicious attachments
  
• FIM looking for the downloaded executables related to the fallchill backdoor
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Thursday August 23rd 2018

Stephen Coty on August 23, 2018

In August 2018, a new variant of malware - KeyPass ransomware - gained traction using new techniques like manual control to customize its encryption process. Researchers at Kaspersky Lab say that the trojan is being propagated by means of fake installers that download the ransomware module. The trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

Security researchers at Proofpoint recently discovered a new malware strain dubbed Marap. The malware is being distributed via spam emails containing malicious attachments. Based on the campaign’s pattern, Proofpoint linked it to Necurs. Marap can be used to download other malwares. Bleeping Computer states that Marap infects victims, fingerprints their systems, and sends this information back to a central command and control (C&C) server.

Malware: KeyPass Ransomware

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. Many ransomware species hunt documents with specific extensions, but this one bypasses only a few folders. Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “!!! KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory. In just 36 hours — from the evening of August 8 to August 10 — the ransomware cropped up in more than 20 countries. Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa.

For more information there are a few links below:

Latam

Pastebin

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a malicious .keypass or .txt
  
• Intrusion detection systems (IDS) would detect additional payload downloads
  
• A solid Backup strategy for easy restore as not to disrupt business operations
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: Marap

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it has observed various versions. Researchers have seen campaigns leveraging . IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word docs with embedded macros. The malware also has basic features to detect virtual machines used for malware analysis though not as complex compare to other malwares.

Threatpost

Essentials

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for communication to the C2 network over http
  
• Web filter to block the outgoing http traffic
  
• Email filtration to find malicious attachments related to Marap
  
• FIM looking for the downloaded .zip file containing a .iqy file or MS word doc with macros
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Thursday August 16th 2018

Stephen Coty on August 16, 2018

New Zombie Boy Crypto miner Discovered. Security Researcher James Quinn has recently discovered a new monero miner worm that appears to amass $1,000 per month and uses multiple exploits to avoid detection. Unlike MassMiner crypto currency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect. Secondly, Security researchers at Check Point have revealed at DefCon 26 that a cyber criminal can infiltrate a network using a vulnerability of a fax machine protocol. Using only a fax number, an all-in-one printer-fax machine can be penetrated through Faxploit and have access to the network. The attackers just needs to send a malicious fax to a vulnerable fax machine to have access. Researchers note that attackers can then steal printed documents, mine Bitcoin, or practically anything the attacker can think of.

Malware: Zombie Boy Crypto

The tool also utilizes DoublePulsar and EternalBlue exploits to remotely install the main dll. Quinn states that the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor. According to Quinn’s findings, ZombieBoy is being updated on a daily basis, and the malware will not run if it detects it is in a virtual machine environment, debilitating researchers’ ability to reverse engineer and analyze it. The miner uses Simplified Chinese language, indicating that the author may be Chinese.

For more information there are a few links below:

Securityaffairs

Spamfighter

Some Mitigation Strategies:
- File Integrity Management (FIM) to monitor for the download of a malicious .dll files
- Intrusion detection systems (IDS) would detect peer to peer communications
- Web Filtration would block or alert on outbound communication to posthash/hashnice.org
- 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: Vulnerability of a fax machine protocol

All IoT devices connected to the fax-printer such as server, router, workstations, laptops, or mobile devices would be vulnerable to the attack. Check Point collaborated with HP and used an HP Officejet Pro 6830 all-in-one printer as a test case. They were able to use EternalBlue to exploit the PCs connected to the network, and exfiltrated data by sending back a fax. Researchers collaborated with HP to provide a patch and was rolled out as an automatic update to customers. Researchers advises to check for available firmware updates and disconnect the PSTN line from the fax machine if not in use.

Checkpoint

Checkpoint

Some Mitigation Strategies:
- Segment Office Equipment network traffic to a single segment to easily monitor
- Intrusion detection systems (IDS) to monitor for broadcast from the fax machine
- Use netflow to monitor outbound traffic from your office equipment
- 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

Threat Report Thursday August 9th 2018

Stephen Coty on August 9, 2018

Security researchers at Proofpoint have uncovered Dreambot malware which is a new variant of Ursinif banking Trojan. Though it is still in development, it was seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Secondly Palo Alto researchers discovered a threat group named DarkHydrus carrying out credential harvesting attacks using weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions in the Middle East. Based on the analysis, DarkHydrus used the open-source Phishery tool to host the command and control server to harvest credentials. The use of Phishery further illustrates Dark Hydrus’ reliance on open source tools to conduct their operations.

Malware: Dreambot

Researchers point out that this new variant has new capabilities which includes peer-to-peer (P2P) functionality and Tor communication capability. This Tor-enabled versions are hard to detect because of encrypted and anonymized communications.

For more information there are a few links below:

Proofpoint

Virustotal

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a zipped JavaScript
  
• Intrusion detection systems (IDS) would detect peer to peer communications
  
• Intrusion detection systems (IDS) would
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: DarkHydrus

Two Word documents using the 0utl00k.net domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.

Researchcenter

Securityweek

Some Mitigation Strategies:

• Web filtration to block Outl00k.net
  
• Email filtration to detect spear phishing attempts using word files
  
• File Integrity Management (FIM) to monitor for downloaded malicious word documents
  
• Intrusion detection systems (IDS) to monitor for malicious queries through DNS
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Wednesday August 1st 2018

Stephen Coty on August 1, 2018

According to Trend Micro, a new exploit kit UnderMiner contains features that make it difficult for researchers to track it and reverse engineer its payloads. Trend Micro researchers state that the exploit kit is currently being used against victims in Asian countries, primarily users in Japan. Underminer delivers a bootkit that infects system boot sectors as well as Hidden Mellifera (Hidden Bee), a cryptocurrency-mining malware. Trend Micro researchers first observed the exploit kit on Jul 17, 2018. Also this week, security researchers at McAfee Labs have recently identified an increasing number of actors using fileless attacks. These fileless attacks don’t drop a malware on the system, rather they use the tools installed in the system. Researchers note that one fileless threat, CactusTorch, uses “DotNetToJScript” technique that executes custom shellcode on Windows System straight from the memory.

Malware: UnderMiner

UnderMiner is capable of browser profiling and filtering, preventing client revisits, URL randomization, and asymmetric encryption of payloads. Malware is transferred via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format (much like the ROM file system format), which makes analysis for researchers difficult. Underminer has been observed exploiting three major vulnerabilities: CVE-2015-5119, CVE-2016-0189, and CVE-2018-4878.

For more information there are a few links below:

Cyware

Trendmicro

Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for the creation of files and scripts
Intrusion detection systems (IDS) would detect communication C2 for additional payloads
Web Filtration would detect the use of malicious urls or unknown sites
24x7 Security Monitoring for malicious behavior and immediate incident response.

Malware: DotNetToJScript

DotNetToJScript doesn’t write any .NET assemblies on the system, that lead security softwares to often fail to detect these type of attack. CactusTorch loads and executes malicious . NET assemblies, which are the smallest deployment of an application. Corporate networks and single users alike are vulnerable to this type of attack. Security applications such as McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) clients are protected from this type of fileless attack.

Peerlyst

Mcafee

Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for wscript.exe, which is only file created
Intrusion detection systems (IDS) to monitor for malicious outbound communication
24x7 Security Monitoring to check for GPS consistency with locations of vehicles.

Threat Report Tuesday July 23rd 2018

Patrick Snyder on July 23, 2018

In this week’s report, we are covering two very malicious programs. Security researchers at Kaspersky Labs have discovered Calisto malware, which appears to be a precursor of Proton macOS malware. Researchers found that Calisto was uploaded to VirusTotal in 2016, but remained unnoticed until May 2018. This macOS malware is a backdoor that guises as an Intego’s Mac Internet Security that also asks for the user’s login and password upon installation. It enables the attacker to remotely access the system enabling remote login, screen sharing, configure remote login permissions, and enable hidden “root” account in macOS with a designated password. The second piece of interesting piece of code is Decrypter for Magniber Ransomware that has been recently released. South Korean cybersecurity firm AhnLab created decrypters for some versions of the Magniber ransomware. The Magniber ransomware, which targets only South Korean end-users, was deployed by the Magnitude Exploit Kit as early as October 2017 through malvertisements. Since malvertisements is constantly a threat on the internet, it is possible to see this spread to other financial institutions.

Malware: Calisto Malware

Interestingly, researchers found out that SIP enabled (System Integrity Protection) macOS systems prevent full damage from Calisto malware even if they have root permissions. Researchers say that Calisto malware was created before Apple released SIP security feature. Researchers still do not have any information as of now on how the malware propagates. Mac users should be safe from this malware as long as they enable SIP, update OS to the current version, download from trusted sources, and use a credible antivirus software.

For more information:
Sentinel One
Xuanwu Lab

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the creation of files related to the RAT
  
• Intrusion detection systems (IDS) would detect communication C2 for additional payloads
  
• Web Filtration would detect the use of malicious URLs or unknown sites
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: CVE-2016-0189

Magnitude exploits vulnerabilities concerning memory corruption (CVE-2016-0189) in Internet Explorer. The ransomware is one of the few country- or language-specific ransomware that has been created. As of March 30, affected users can download the decrypter at AhnLab’s website, which website creators state is updated daily.

For more information:
Avast
Bleeping Computer

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the creation of files related to ransomware
  
• Intrusion detection systems (IDS) to monitor for malicious communication to C2s
  
• Solid Backup strategy to restore from when machine is infected and encrypted
  
• 24x7 Security Monitorings to check for GPS consistency with locations of vehicles
  

Threat Report Tuesday July 17th 2018

Patrick Snyder on July 17, 2018

In this week’s report we are covering two very malicious programs. If you have a BYOD policy you may want to pay attention to this first piece of research. Security researchers at Check Point have discovered samples of Glancelove, an Android-targeting malware, in a false campaign originated by Hamas that takes advantage of the 2018 World Cup. According to researchers, the group is distributing Glancelovethrough fake Facebook page and profiles with photos of attractive women who promote the malware in the form of a dating app available from the Google Play Store. The 2nd piece of interesting malware we found is related to GPS and vehicle that rely on it for daily transportation. A team composed of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research recently released their findings on GPS Spoofing Hack, an attack vector that can send Google Maps users the wrong direction. GPS Spoofing involves replacing a user’s intended destination with a “ghost location.” Instead of connecting to legitimate satellite systems, the cyber-criminal behind the attack forces the victim’s software to connect to their own equipment, allowing the hacker to implement false GPS data.

Malware: Glancelove
This Glancelove dating application asks for permission for the device’s network connection, contacts, SMS, camera, and storage. Upon receiving permission, it contacts its command and control (C&C) server to download the final payload. This Glancelove malware is capable of recording calls, track location, open microphone, SMS theft, take photos, storage mapping, steal contacts, and steal images. Researchers mention that these mobile chain attacks are mainly successful because the targets are hand-picked, and the malware can continually install crucial components if needed. Two similar malicious applications used by the Hamas group are Golden Cup and Wink Chat applications.

For more information there are a few links below:

Links:
GlobalSecurityMag
News Observer

Some Mitigation Strategies:
Make sure to monitor your employee and guest wifi networks Intrusion detection systems (IDS) would detect communication C2 for payload download Web Filtration would detect the use of malicious urls or unknown sites 24x7 Security Monitoring for malicious behavior and immediate incident response.

Malware: GPS Spoofing Hack
Researchers used a HackRF One software defined radio, a Raspberry Pi, a portable power source, and an antenna. The attack could be hosted remotely with the spoofing equipment installed under the victim’s car. Researchers concluded that a seasoned and logical driver who is familiar with their route and destination would notice the change in their Google Maps application. However, if the location and route are unfamiliar, a user might not realize that they’ve been deceived. According to researchers, their experiment only failed when they were testing the luxury car Tesla 2014 Model S. They stated that this was because Tesla uses an advanced u-blox navigation chip, which contains an anti-spoofing function.

Links:
Forbes

Some Mitigation Strategies:
u-blox navigation chip, which implements some anti-spoofing function Intrusion detection systems (IDS) to monitor for malicious communication 24x7 Security Monitorings to check for GPS consistency with locations of vehicles.

Threat Report Tuesday July 10th 2018

Patrick Snyder on July 10, 2018

In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, targeting the Ammyy Admin remote desktop tool. FlawedAmmyy is built on leaked source code of Version 3 of Ammyy Admin and provides unfettered remote access to the target system. This campaign, which the researchers attributed to TA505, includes both a broad spam campaign and more targeted campaigns targeting specific industries, including the Automotive Industry. Since its inception in December 2017, GandCrab ransomware quickly became one of the most significant cyber threats of early 2018. Based on a Ransomware as a Service (RaaS) model and distributed throughout the dark web, the malware targets multiple countries around the world using a sophisticated combination of malicious tools. Despite the recent success of law enforcement authorities and the security community who managed to slow down the proliferation of the first version of GandCrab by releasing a free decryption tool, updated versions of the ransomware continue to attack thousands of victims around the world. GandCrabRaaS is the first ransomware in the world demanding ransoms in DASH cryptocurrency.

Malware: FlawedAmmyy

Though just recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign utilizes the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of this malware is its combined use of ZIP files containing. URL files (which Windows interprets as Internet Shortcuts) and the SMB protocol to deliver the RAT to the victim.

For more information there are a few links below:

Links:

ZDNet

Hack Dig

PasteBin

Some Mitigation Strategies:

• File Integrity Management looking for the installation of files associated with the RAT
  
• Intrusion detection systems (IDS) would detect communication over SMB and C2
  
• Web Filtration would detect the use of malicious urls
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: GandCrab

According to security analysts’ estimates, the initial version of the malware was poorly developed, which allowed for the development of a decryption tool. However, GandCrab creators quickly corrected flaws, and the integrity of subsequent versions proved to be more reliable.
It is reported that an earlier flawed version of GandCrab had a decryption key stored on victim machines, which in turn was encrypted with the same password. However, the issue was promptly addressed by the GandCrab developers.

In its activities, ransomware operators utilize the decentralized Namecoin DNS with .bit extension.

Links:

Security Affairs

Trend Micro

VirusTotal

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication to C2
  
• File Integrity Management is looking for new files being installed on the system
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday July 2nd 2018

Patrick Snyder on July 2, 2018

In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels. The other is The Nozelesn Ransomware is a crypto- threat that was reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, the Nozelesn Ransomware leaves little or no traces on compromised machines and creating detection rules turned out to be troublesome. The team behind the Nozelesn Ransomware appears to target the users based in Poland judging from the initial submissions and the way it spreads to PC users.

Malware: OSX.Dummy

Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is currently being spread via cryptocurrency-focused Slack and Discord channels. Cryptocurrency enthusiasts are convinced by attackers to type a long command inside their Mac terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” file then sets itself as a launch daemon to maintain persistence. It then creates a Python script that opens a reverse shell to a server, which gives attackers access to infected hosts. The server can be traced back to 185.243.115.230:1337. Additionally after the code is run, the malware requests the user’s root password and saves it un-encrypted in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, allowing the attacker ease of access for future malicious operations. Researchers state that the malware is simplistic and easy to detect with standard malware detection tools.

For more information there are a few links below:

Links:

Bleeping Computer

SC Magazine UK

Some Mitigation Strategies:

• File Integrity Management looking for the installation of python scripts into /tmp and /users/shared
  
• Intrusion detection systems (IDS) would detect network communication over port 1337
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: Nozelesn

Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. Researchers first noticed chatter regarding the malware from multiple Polish victim submissions to ID ransomware, as well as a newly generated discussion started by victims on BleepingComputer forums. According to a researcher at CERT Polska, the Computer Emergency Response Team for Poland, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, files are encrypted with a “.nozelesn” extension. Following encryption, the malware creates a ransom note offering to fix the computer, labelled HOW_FIX_NOZELESN_FILES.htm. The note contains instructions together with a personal code to login to TOR payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently .10 BTC or roughly $660 USD.

Links:

Cyber Byte

Londrina Security News

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication
  
• File Integrity Management is looking for new files being installed on the system
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday June 18th 2018

Patrick Snyder on June 18, 2018

In this week’s report we are covering two very malicious programs. One being a custom remote access trojan (RAT) called UBoatRAT is being distributed via Google Drive links. The malware obtains a command and control (C2) address from GitHub, and uses Microsoft Windows Background Intelligent Transfer Service (BITS) for maintaining persistence. The other is MirageFox, a new tool produced by APT15 that looks to be an upgraded version of a RAT believed to originate in 2012, known as Mirage. The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

Malware: UBoatRAT is being distributed via Google Drive links

The RAT is usually delivered by a ZIP archive hosted on Google Drive containing a malicious executable disguised as a folder or Excel spreadsheet. Once installed, UBoatRAT checks for virtualization software and tries to obtain a domain name from the network. The malware only performs malicious activities on a machine when it is able to join an Active Directory (AD) domain. The malware is also programmed to detect virtualization software (VMWare, VirtualBox or QEmu) that would indicate a research environment. Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”. For more information there are a few links below:

Links:

Tech Target

Threat Post

Some Mitigation Strategies:

• Mail Filtration to screen for malicious links that relay to Google drive
  
• File Integrity Management looking for the installation of malicious zip files that unpack executables
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: MirageFox

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past operations. APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. The attackers utilizes Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

Links:

Security Affairs

Intezer

Virus Total

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication
  
• File Integrity Management is looking for new filel installation
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Monday June 11th 2018

Stephen Coty on June 11, 2018

In this week’s report we are covering two vulnerabilities. One being a recent vulnerability that is targeting Triton ICS deployments. The other is a banking trojan that stealthily uses MSSQL database traffic.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product through a legitimate .dll file. For more information there are a few links below:

Links:

Security Week

Dark reading

Some Mitigation Strategies:

• Mail Filtration to screen for malicious phishing or targeted email campaigns
  
• File Integrity Management looking for the installation of malicious software like Remote Access Trojans (RATS) for functionality and access
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• Filtering USB ports that are on equipment connected to the ICS systems
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses the Microsoft SQL Server to communicate with the C&C Server and send commands to infected machines. This evades regular antivirus and malware detection since it uses SQL traffic, unlike common C&C Server communication that happens through web servers or apps. Researchers also indicate that this might be coded by a seasoned hacker. This MnuBot has a two-stage attack. First, it checks if the system is infected already. Second, it deploys the remote access trojan completely (RAT).

Links:

Security Intelligence

Pastebin

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication and downloads from port 5003
  
• File Integrity Management looking for access to registry keys accessed and new keys created
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday June 5th 2018

Stephen Coty on June 5, 2018

In this week’s report we are covering two vulnerabilities. One being a recent Microsoft Windows Jscript vulnerability that has yet to be patched and the other being NavRAT with themes around the upcoming US & North Korean Summit.

Malware: Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

New Zero-day Remote code execution vulnerability has been discovered in Microsoft Windows JScript that allows an attacker to run the arbitrary code on vulnerable installations of Microsoft Windows. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page or download and open a malicious JS file on the system. As of June 1st, there has not been a patch released so up to date security content is key for detection until a patch is released.

Links:

Threat Post
Security Boulevard

Some Mitigation Strategies:
- File Integrity Management Solutions for file creation and modification
- Intrusion detection systems (IDS) to monitor for malicious communication and downloads
- 24x7 Security Monitoring with Focused Security Content for solid threat detection
- Web Filtration Technologies to screen incoming web sites
- Mail Filtration to capture potential files attached to phishing emails

Malware: NavRAT Malware Uncovered by Security Researchers

Security researchers at Talos Intelligence have recently uncovered NavRAT, a remote access trojan that has reportedly been quietly active since 2016. NavRAT is distributed through a malicious, decoy Hangul Word Processor (HWP) document named “미북 정상회담 전망 및 대비.hwp”, which translates to “Prospects for US-North Korea Summit.hwp”. The decoy document appears to be referring to the US-North Korea Summit scheduled for June 12, 2018. Known targets reside in South Korea. Researchers note that NavRAT is unique in that it uses Naver, an email platform popular in South Korea, as its command and control (C&C) server. NavRAT can reportedly download, upload, and execute commands, perform keylogging, and avoid detection through process injection, copying itself into an active Internet Explorer process. Researchers assess with a medium degree of confidence that North Korean APT Group 123 threat actor is behind the operation due to the techniques and procedures being of similar nature to those used in previous campaigns.

Links:

Dark Reading
Talos Intelligence

Some Mitigation Strategies:

• Mail Filtration to screen for malicious phishing or targeted email campaigns
  
• File Integrity Management looking for the installation of malicious software like keyloggers
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response