Thoughts From The Nest

Threat Report Thursday February 14th 2019

Paul Scott on February 14, 2019

Alright, what’s up this week? A vulnerability in all Intel chips opens the door for stealthy malware, container hosts beware nothing is safe anymore, adware slays macOS gatekeeper, and a new malware variant exploits your antivirus to steal data.

ROP-Roh, Shaggy

Researchers recently discovered a way to abuse Intel Software Guard eXtensions (SGX) enclaves to hide malicious code from security software. Intel SGX is a feature found in all modern Intel CPUs that allow developers to isolate applications in secure enclaves. The only known vulnerabilities impacting Intel SGX enclaves have been side-channel attacks that leaked the data being processed inside an enclave, but researchers exploited this through return-oriented programming (ROP).

Once executed, Intel Transactional Synchronization eXtensions (TSX) allows the malicious enclave to access a wider set of commands that it is normally entitled to. Researchers note that Intel SGX enclaves could be used as a place to hide undetectable malware.

The researchers released the implementations of the paper “Practical Enclave Malware with Intel SGX” to a Github repository. The repository consists of three parts: tap_claw, egghunter, and demo.

• TAP + CLAW – Contains the Intel TSX-based primitives to check whether a page is mapped and writable without using syscalls.
  
• Egg Hunter – Shows how to use TAP as egg hunter for classical exploits.
  
• Demo – Uses TAP + CLAW inside a (malicious) Intel SGX enclave to break ASLR of the host application, create a ROP payload, and mount a simple PoC attack (e.g. create a file in the current directory).
  
  

RunC vulnerability Critical for Containers

“RunC” is a command line utility that spawns and runs containers. It is used as the default runtime for Docker, containerd, Podman, and CRI-O. A vulnerability found in RunC, tracked as CVE-2019-5736, allows malicious containers to overwrite the host RunC binary and gain root-level code execution on the host machine.

When the hosts’ root is mapped in the container’s user namespace, the container is vulnerable. Researchers have detected approximately “4,000” Docker daemons which have the vulnerability. Users and organizations were advised to update to the latest releases to prevent any potential attacks. A proof-of-concept was posted on Github by user feexd on February 11, 2017. You might want to run this PoC on a host machine you can promptly throw in a flaming dumpster.

Shlayer slays macOS Gatekeeper to Run Unsigned Code

Carbon Black recently discovered “Shlayer” targeting macOS users and disabling the Gatekeeper protection to run unsigned second stage payloads. Shlayer targets all macOS releases from 10.10.5 up to the latest 10.14.3 and will arrive on the target machines as a legitimate signed Apple developer ID to trick victims.

The threat actor has been using legitimate websites to redirect users to a malicious Flash installer, so this is likely a malvertising campaign. Once the user executes the compromised Flash installer, a malicious “.command” script is launched that downloads additional payloads. The final payload contains adware to run on the compromised machine by disabling the Gatekeeper protection mechanism. Researchers released indicators of compromise on GitHub. We have checked these indicators for all Perch users over the last 30 days. While indicators of compromise were seen there was no sign that a Perch user has been infected by Shlayer. If you want to keep reading about Shalyer, check out this article.

Astaroth Exploits Avast to steal data

Cybereason security firm recently discovered a new Astaroth Trojan campaign targeting Brazil and European countries via antivirus software to steal information and load malicious modules. The Astaroth Trojan campaign was phishing based, gaining momentum towards the end of 2018 and identified in thousands of incidents. Researchers observed the actors executing the exploit through “.7zip” archive delivered to the target in the form of an email message attachment or hyperlinks.

Once executed, the malware connects to a C&C server and exfiltrates information about the infected computer. Then, the last stage of attack uses BITSAdmin to grab a payload from another C&C server. Cybereason also noticed security tools that can be exploited through a malicious module in “aswrundll.exe” and used to gather information on compromised machine, and “uninsooo.exe”, a security solution developed by GAS Technologia, which it will also use to collect personal user information without being detected if Avast is not present on the infected computer. We checked all users over the last 30 days, and we saw no signs of compromise within any of our clients’ data related to the indicators of compromise released with this research. Although the revived campaign is currently targeting South America and Europe, it’s only a matter of time before the campaign pivots to North America. If you want to read more about Astaroth there is a great article here.

Lucky number 77 for Windows

On February 12, 2019, Microsoft released a security update for the IE Zero-Day tracked as CVE-2019-0676 that addresses “77 security flaws” across a wide range of products. Microsoft disclosed the flaw after they detected an exploitation attempt against Microsoft Edge to the Azure IoT SDK. CVE-2019-0676 is a flaw which allows an attacker to test for the presence of files on disk. Microsoft fixed two vulnerabilities in the Server Message Block (SMB) protocol that can lead to remote code execution. Then, a vulnerability affecting the DHCP server component included with Windows Servers and a vulnerability known as PrivExchange. It is unclear at present if the vulnerability has been used by cyber criminals in their operations, but it can compromise your DHCP server with a single packet. Users and organizations were advised to update to the latest security patch to address this vulnerability.

BONUS POINTS

With all this talk of malware and browser exploits, you should check out Malwarebytes’ in-depth review of recent exploit kits used to attack browsers and install malware on end user machines.

Threat Report Wednesday February 6th 2019

Paul Scott on February 6, 2019

This week we learn about APT10’s modus operandi in Operation Cloud Hopper, how U.S. Cyber Command plans to respond to such foreign campaigns, GoDaddy DNS server’s wild ride with GandCrab, and 16 major RDP vulnerabilities.

More details on Stone Panda’s (APT10) Cloud Hopper

A cyber-espionage campaign targeting at least three companies in the United States and Europe between November 2017 and September 2018, was brought to light in data published by Recorded Future and Rapid7. Based on the technical data discovered, they feel highly confident that these incidents were conducted by APT10 (also known as Stone Panda or CVNX) in an effort to gain access to networks and steal valuable intellectual property or gain commercial advantage.

The targeted companies include:

• IT and business cloud services managed service provider (MSP)
  
• An international apparel company
  
• A U.S. law firm with strong experience in intellectual property law with clients in the pharmaceutical, technology, electronics, biomedical, and automotive sectors, among others
  
  

In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials. We see once again how dangerous password reuse and/or lack of two factor authentication can be.

The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware.

During the Visma intrusion, APT10 deployed RedLeaves malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, only used by APT10. The backdoor was deployed using the Notepad++ updater and sideloading of a malicious DLL, as noted in APT10’s targeting of Japanese corporations in July 2018.

The attackers transferred malware and tooling from their C2 using BITSAdmin-scheduled tasks into the ‘C:\ProgramData\temp’ directory on the victim networks. APT10 actors then compressed proprietary data from Visma with WinRAR (deployed by the attackers) and exfiltrated to Dropbox using cURL. The same Dropbox account was accessed by the attackers during the apparel company intrusion. Dropbox was also used to store exfiltrated documents from the third victim, a U.S. law firm, with the files again exfiltrated using identical TTPs and uploaded using cURL for Windows.

APT10 is believed to be the most significant Chinese state-sponsored cyber threat to global corporations known to date. APT10 has conducted a number of accounts since 2016 and we now know they are run by the Chinese intelligence agency, the Ministry of State Security (MSS).

Utilizing actors working for shell companies such as Huaying Haitai Science and Technology Development Co Ltd, the MSS has conducted, “Operation Cloud Hopper,” against managed IT service providers (MSPs) designed to steal intellectual property and enable secondary attacks against their clients. Access to the networks of these third-party service providers grants the MSS the ability to potentially access the networks of hundreds, if not thousands, of corporations around the world. APT10 likely compromised Visma with the primary goal of enabling secondary intrusions onto their client networks, and not of stealing Visma intellectual property.

In all three incidents, APT10 actors used previously acquired legitimate credentials (possibly gained via a third-party supply chain compromise) in order to gain initial access to the law firm and the apparel company.

Transformational hacking moment for U.S. Cyber Command

On February 6, 2019, RealClear released a report for a new aggressive strategy to take down cyber actors due to the high-profile attacks on the United States. And, they’re no longer just playing defense.

Gen. Paul Nakasone, commander of the U.S. Cyber Command, disclosed a “transformational moment” in how the U.S. conducts cyber operations to raise the cost in adversaries incur from attacking the United States. Nakasone did not reveal what the new strategy is, however, he stated that it involves targeting the infrastructure of adversary cyber actors, hurting their ability to target American interests in the virtual world. Nakasone referenced an operation against ISIS by Joint Task Force Ares to take down the communications and propaganda tool for the group.

Nakasone also revealed a partnership between the U.S. Cyber Command and the NSA which helped to secure the 2018 midterm elections against Russian interference. U.S. Cyber Command learned that techniques and tradecraft must evolve to keep pace with adversaries. No indicators of compromise were released with the report.

GandCrab smash and grab with GoDaddy’s help

A large scale of GandCrab ransomware campaign was assisted by a security hole in GoDaddy DNS. GandCrab is a common ransomware family discovered in 2018. Researchers noticed that the exploit was being executed through a compromised DNS system to launch attacks. Once executed, the actors deliver GandCrab ransomware to the compromised targeted system. Researchers disclosed two phishing email themes used in this campaign: DHL Delivers and E-fax messages. We checked over the last 30 days. We saw a few organizations receive these emails. If you were affected, we have reached out to you.

Email domains

Budchief[.]com

Anthonytjon[.]com

Ashhuang[.]com

Askaboutdiet[.]com

Acronelektronik[.]com

Ambrosetech[.]com

Ajaxd[.]com

Alanfreedandrocknroll[.]com

Ashhuang[.]com

Basketballcoachreport[.]com

Aperfectvacuum[.]com

Antiquesofperkasie[.]com

Allegroblack[.]com

Alienjewels[.]com

Source

https://yourdatingstores[.]com/?u=bp2k605&o=xyzwzd3&m=1&t=trufs5

https://www.kakaocorp[.]link/content/tmp/meimth.jpg

https://www.kakaocorp[.]link/includes/imgs/kerues.bmp

http://104.244.74[.]55/tomandjerry.exe

http://gandcrabmfe6mnef[.]onion/b6314679c4ba3647

https://www.kakaocorp[.]com/service/KakaoTalk

http://gandcrabmfe6mnef[.]onion/5124d7737cd9e0e6

Hashes

7b22f709ffea29dfe760724136963e709b82a8c5

07de185bb18610f471a31358c74c2e2da0dc505ade21cbe9cae5c8ba3fd66add

5b13e0c41b955fdc7929e324357cd0583b7d92c8c2aedaf7930ff58ad3a00aed

64f3f3cc1e121b295da1ff74cc180473

6991b4f5b0d9c3b8dec023e91144f750

959b2b01def120741a46405acccc86e22e149e463d6fce1eed395a1c9a7410a4

281972a2289e43f63cd4c00ce2b85c4a6cd7f95948cc9f656d4f7c2a59def40f

cf66220f5cb981b1f6d9ac9e47788345bc60b95c

5b27d6e148f481c5f93fd09ec64bd32c7b38de5761e8dbc8f36ee2689ea7654d

3740393b8e31fb7e638b9a27c7f66927136c1039

47278a4ec8cdb9828940b746acfa0671c8204d09b32c48c8c6131f50cfaa7ba4

406283cd43a13b75b315c7a0de74c631

IP addresses

104.244.74[.]55

46.30.41[.]117

So many RDP vulnerabilities!

Check Point researchers have discovered 25 vulnerabilities with 16 being critical in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the host’s computer. This infection would allow for an intrusion into the host’s network as a whole. And yes, our data confirms that many organizations still allow access to RDP from the outside world.

I can imagine a scenario where someone hijacks the DNS for your RDP servers and infects all the clients that try to connect. But this would be cool for a hack back honey pot too. Which reminds me of Wes’ blog post on forcing the pain back to the bad guys.

In one of the vulnerabilities, when using the “copy & paste” feature while connected to a malicious RDP server, the server can use the shared RDP clipboard to send files to the client’s computer.

As described by the research team, a potential attacker could use this vulnerability in the Remote Desktop Connection to drop arbitrary malicious scripts or programs to a user’s Startup folder, which would be automatically executed during the next reboot of the client computer.

This did not meet the bar for acknowledgement by Microsoft and no patch is planned to be released. Check Point researchers recommend that you turn off shared RDP clipboard while using RDP.

Threat Report Sunday February 3rd 2019

Paul Scott on February 3, 2019

Tragedy strikes! Cayosin Botnet combines Qbot and Mirai to cause Erradic behavior

Recently, we came across an emerging botnet as-a-service, the Cayosin Botnet. We first observed Cayosin on January 6, 2019, and activity has been ramping up. We have data on 55 scanning IPs, with indicators consistent to attacks built into Cayosin. Based on data from the threat actors, the bot count is over 1,100 as of February 2nd.

Cayosin appears to be created by Erradic, of RyM Tradgedy. Accounts (spots) for Cayosin Botnet are being sold via Instagram by @unholdable and @pumperdumper. A YouTube demo of Cayosin was posted two days after the scanning began. If you watch their Instagram stories, you can get frequent updates on Cayosin’s growth.

Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference a second stage binary hosted at 185.244.25[.]241 – an IP address not observed among the 55 IPs scanning with the first stage exploit.

http://185.244.25[.]241/bins/cock.mpsl

http://185.244.25[.]241/bins/cock.x86

Based on reverse engineering of the binaries that unixfreaxjp posted to Imgur, we understand that the codebase of Cayosin shares characteristics with Torlus/Qbot/Lizkebab. 185.244.25[.]241 was scanning, but primarily for open telnet services. 185.244.25[.]241 is a Netherlands VPS that is serving two binaries we recovered. Once the second stage infection is executed on a vulnerable host, the host will reach out to hostnamepxssy[.]club.

On January 26, 2019, we saw a change in behavior and some of the IPs were scanning with a new user-agent, “Cock/2.0” instead of “Cayosin/2.0”. This change in behavior may have something to do with a customer service dispute that led to the source code of Cayosin being posted on pastebin. We were unable to find that pastebin post, but it could have prompted a new build of the botnet.

This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.

User-Agents

  - Cayosin/2.0
  - Cock/2.0

First stage IPs

  - 101.255.95[.]34

  - 103.102.133[.]11

  - 103.113.156[.]46

  - 103.24.104[.]98

  - 103.62.152[.]58

  - 104.185.20[.]41

  - 113.11.154[.]162

  - 114.108.229[.]59

  - 115.127.103[.]132

  - 115.127.103[.]139

  - 115.127.5[.]244

  - 117.102.69[.]124

  - 117.102.69[.]125

  - 117.102.69[.]126

  - 118.97.55[.]101

  - 119.40.84[.]155

  - 119.73.133[.]87

  - 120.28.151[.]44

  - 120.29.125[.]194

  - 121.235.3[.]65

  - 121.7.226[.]57

  - 122.117.162[.]61

  - 122.144.11[.]195

  - 122.96.208[.]32

  - 125.165.180[.]211

  - 144.202.60[.]94

  - 152.169.218[.]80

  - 162.244.80[.]47

  - 162.244.81[.]232

  -163.172.91[.]156

  - 175.106.11[.]179

  - 176.152.38[.]195

  - 185.105.4[.]172

  - 185.105.4[.]183

  - 185.244.25[.]201

  - 190.6.141[.]59

  - 202.162.204[.]36

  - 202.86.222[.]4

  - 203.129.22[.]119

  - 203.160.63[.]125:

  - 203.177.173[.]46

  - 219.74.127[.]169

  - 223.197.212[.]15

  - 36.37.220[.]57

  - 36.66.16[.]117

  - 36.89.106[.]19

  - 45.124.15[.]48

  - 46.8.209[.]105

  - 58.212.57[.]219

  - 65.127.187[.]7

  - 67.205.154[.]69

  - 74.93.73[.]169

  - 83.208.108[.]189

  - 85.197.162[.]91

  - 95.27.246[.]66

Second stage IP

185.244.25[.]241

C2 Domain

hostnamepxssy[.]club

Binary info

cock.x86 (ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped)

md5 - 7cd9788dd9a5e97ca2e0a0480d4c377a  

sha256 - e5173e4e4a1044858a14002a45507bb75772b21ceb348488bef465c2d22b791d

cock.mpsl (ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV))

md5 - 283d4888af0d820ba1d6f72e586a8410  

sha256 - 96ecc0e9b9e6f4f0275c4041e128d5ee87b51148e0e74b0379ece5edebb22792

Threat Report Wednesday January 30th 2019

Paul Scott on January 30, 2019

Discover a financial service data breach, a viral Apple vulnerability, the evolution of malware, and indicators related to the Iranian DNS hijacking campaign in this week’s threat report.

Discover discloses August 2018 data breach

Discover Financial Services notified customers and the California Attorney General of a data breach. On August 13, 2018, they learned that an undisclosed number of Discover card accounts may have been part of a data breach, however, the breach “did not involve Discover card systems.” The company is issuing new cards for affected customers and advises cardholders to monitor their accounts for fraudulent activity.

Discover commented, “We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The breach was filed in two separate breach notifications. The statements differ slightly in the Automatic Bills section. One titles the section “A Helpful Reminder About Automatic Bills,” and encourages users to use the included list to contact merchants that bill their card automatically or store card information. The other titles the section, “Make sure any other automatic bills get paid as easily as these,” and states that there’s no need to contact the merchants listed, but if users have other automatic bills not on the list, they should contact them and update account information accordingly. Another difference between the two is that only some customers were issued a card with a new account number, while other customers were not. It sounds like it was a breach of systems used for automated billing that are outside of Discover. Users were advised to monitor their banking statements for fraudulent activity.

Apple disables group FaceTime

Apple has disabled Group FaceTime since a severe iOS bug was disclosed via Twitter (January 28, 2019). The bug allows iPhone users to access the microphone and front-facing camera belonging to the person they are calling even if the person does not answer the call.

The flaw received global attention when Apple iPhone user Benji Mobb tweeted a video of the bug in action. Within 24 hours, the post reached 30K+ retweets and over 75K likes.

A spokesperson for Apple reported that they are aware of the issue and plan to release a software update later this week. iPhone users are advised to disable FaceTime until the latest available patch is officially released by Apple and keep software up to date in order to best mitigate risk.

BankBot Anubis learns Chinese and adds Telegram for C&C

Researchers tracking BankBot Anubis noticed two significant changes in C&C tactics. BankBot Anubis is a mobile banking trojan that targets hundreds of unique mobile applications from organizations worldwide. Researchers observed BankBot Anubis encoding C&C information using Chinese characters in addition to base64 encoding in an attempt to hide their C2 infrastructure. Also, researchers noted the use of Telegram Messenger in addition to Twitter for communicating C&C URLs. This offers BankBot the use of public channels to broadcast messages to large audiences with a public URL.

Formbook information stealer distributed through file hosting service

Deep Instinct reports sightings of attackers using a file hosting service to distribute Formbook, an information/credential stealing malware. The observed attacks began with a phishing email containing a malicious attachment. In one analyzed case, the initial infection was carried out via a malicious RTF document that exploited CVE-2012-0158 (Office ActiveX vulnerability) and CVE-2017-11882, the Equation Editor vulnerability previously used by Loki.

After opening the maldoc, the malware was dropped and executed. It copies itself and writes an auto-run entry, ensuring persistence and boot-survival on infected machines. Formbook scans the victim’s system for passwords and sends them back to its C2 server. It can also take screenshots of the victim’s desktop and logs key strokes. The domain that served the payload was recently registered (files.dropmybin[.]me) on January 19, 2019, and employs Cloudflare, a popular reverse-proxy provider, to hide its real IP address. Deep Instinct notes that customers in retail and hospitality sectors in North America have been targeted. The following indicators of compromise were released with the researchers’ findings:

Domains

files.dropmybin[.]me 

R2dummy[.]info 

xcpcfw[.]com 

thelan[.]win 

yatekipu[.]site 

ra-design[.]net 

timbaleepoxy[.]com 

ajexin[.]com 

review-ih4ewkr0m5aqxl[.]cricket 

zdhuanka[.]com 

dropmyb[.]in 

AZORult masquerading as Google Update

Minerva Labs observed the AZORult information stealer and downloader malware strain that is posing as a signed Google Update installer on compromised machines. AZORult is a data-stealing trojan also known to act as a downloader for other malware payloads. Minerva Labs disclosed the flaw after they detected a “suspicious executable” with a valid certificate. Minerva Labs also noticed that the actors had been executing the exploit through a “GoogleUpdate.exe” which pretends to be a legitimate updater, however, the certificate with which the malicious file was signed did not belong to Google.

Researchers have identified the camouflaged Google Update binary based on multiple patterns: HTTP POST request to a /index.php it made, using a “.bit domain” (for DNS over blockchain) and Typical User-Agent Mozilla/4.0. Researchers note that the capability of the AZORult replaces the legitimate Google Updater to run administrative privileges and allows it to establish a stealthy persistence mechanism. Users and organizations best defense against these attacks is to keep the software up to date and download applications in legitimate stores. Here are a few of the indicators of compromise released with the report. Check out the full report for all the file hashes.

File Paths

C:\ProgramData\localNETService\localNETService.exe 

URL

http://s63.bit/index[.]php 

Iranian DNS hijacking infrastructure identified

Last week, researchers published further findings into the global DNS hijacking activity, allegedly conducted by Iran. Five attacker owned domains were used in the clandestine change of NS records, to act as nameservers to route traffic temporarily for targeted entities.

Once hijacked, targeted domains ceased resolving to their normal IP addresses and began resolving to actor-controlled infrastructure. The actors mostly used Let’s Encrypt certificates for TLS encryption. Available data shows that most affected domains were hijacked for very short periods of time, sometimes a day or less, with one domain showing resolutions to a malicious IP address for over a month. Researchers identified dates when the nameservers were used to route traffic to malicious IP addresses.

142.54.179[.]69February 2017Jordan (Government) 

89.163.206[.]26February 2017Jordan (Government) 

185.15.247[.]140December 2017 and January 2018Kuwait (Government) and Albania (Government) 

146.185.143[.]158August 2018UAE (Government) 

128.199.50[.]175September 2018UAE (Unidentified Sector) 

185.20.187[.]8September 2018UAE (Law Enforcement) and UAE (Government) and Lebanon (Government) and Lebanon (Civil Aviation) 

82.196.8[.]43October 2018Iraq (Government) 

188.166.119[.]57October 2018 and November 2018Egypt (Government) and Libya (Government) 

206.221.184[.]133November 2018Egypt (Government) 

37.139.11[.]155November 2018UAE (Unidentified Sector) 

199.247.3[.]191November 2018Iraq (Government) and Albania (Government) 

185.161.209[.]147November 2018Lebanon (Insurance) 

139.162.144[.]139December 2018Jordan (Government) 

37.139.11[.]155December 2018UAE (Unidentified Sector) 

178.62.218[.]244December 2018UAE (Government) and Cyprus (Government) 

139.59.134[.]216December 2018Sweden, Saudi Arabia and Lebanon (Internet Services) 

82.196.11[.]127December 2018Sweden and U.S. (Internet Infrastructure) 

46.101.250[.]202December 2018 and January 2019Saudi Arabia (Government) 

This large-scale activity shows the determination of nation state actors to reroute internet traffic for surveilling targets and gleaning information from that traffic. The rerouted traffic may have been used to steal session information, access sensitive information, and/or infect victims with malware. DNS hijacking poses a risk to the users of Web service and the confidentiality, integrity, and availability of the data in the service behind a hijacked domain.

NS Domains

cloudipnameserver[.]com 

mmfasi[.]com 

interaland[.]com 

cloudnamedns[.]com 

lcjcomputing[.]com 

Threat Report Wednesday January 23rd 2019

Paul Scott on January 23, 2019

Governments around the world were busy responding to cybercrime, cyber espionage, and hacktivists last week. The U.S. Department of Homeland Security issues an emergency directive, Zimbabwe draws unwanted attention from Anonymous, the Bahamas’ government TV network struggles to recover from ransomware, an APT lures Chile’s ATM network to infection, and South Korean security controls leads to secrets breach. Also, we got a hat-trick of remote code execution going on this week. Linux, Apple, and Windows released patches for critical vulnerabilities.

Emergency directive from U.S. Homeland Security

The U.S. Department of Homeland Security (DHS) has issued an emergency directive that requires all U.S. agencies that operate with a dot gov domain or agency-managed domain to audit their DNS records and servers to verify that they are resolving to the correct IP addresses. They also require such organizations to harden the security related to DNS accounts and passwords.

The directive comes after DHS’ monitoring of an ongoing campaign where attackers are stealing DNS administrators’ credentials in order to tamper with DNS infrastructure. Attackers are then redirecting government hostnames to attackers’ IP addresses. This allows attackers to possibly redirect legitimate traffic to phishing sites where more credentials can be stolen, or to have email delivered to the attackers’ mail servers.

The links in the emergency directive indicate that these attacks are related to earlier DNS hijacks reported by Cisco Talos in December 2018 and FireEye in January 2019. In these attacks, attackers known to be affiliated with Iran were hijacking the DNS records for Middle Eastern government domains.

U.S. Government agencies are required to perform the following steps within the next 10 business days. These procedures do not currently have a termination date and will continue until a further directive is issued:

1. Audit DNS records associated with government domains to verify that they have not been tampered with and are directing traffic to the correct IP addresses.
   
2. Change the passwords for DNS admin accounts that modify DNS records.
   
3. Add multi-factor authentication to all DNS admin accounts.
   
4. Begin to monitor the Certificate Transparency (CT) logs for agency domains that will be provided by DHS within the next 10 business days.
   
   

#OpZimbabwe underway

International hacktivist group, Anonymous, targeted Zimbabwe government after the Zimbabwe government attempted to halt nationwide protests through various means, including blocking social media sites. Here is an excerpt from the tango down:

“We have seen people being oppressed for fighting for freedom. We cannot tolerate that. As we did with the Sudanese government, we have successfully taken down 72+ Zimbabwe government websites. This is only a start. Your banking system will also fall soon. Zimbabwe government, you have become an enemy of Anonymous! Your systems are in danger!”

According to Bloomberg, the protests have been directed towards a 150 percent hike in the price of diesel and gasoline, police crackdowns resulting in the death of 12 people, and legal action directed at the three mobile networks to block access to Facebook, WhatsApp, YouTube, and Twitter. Some of the websites which have been targeted by Anonymous are: Ministry of ICT, Housing Ministry, Justice Department, and Ministry of Defense. The group reportedly attacked more than 200 websites in Sudan and government services for electronic payments.

PowerRatankba infiltrates Interbank ATM network via LinkedIn and Skype

Meanwhile in Chile, new information is coming out about an intrusion impacting the bank responsible for the country’s ATM network. Redbanc is an interbank network in Chile connecting the ATMs of all its banks. Earlier this month, it was reported they suffered an intrusion. Hackers created a watering hole to lure software developers by posting a sweet job opportunity on LinkedIn. When a Redbanc employee responded to the job opportunity, they were invited to a Skype interview. There they were instructed to download ApplicationPDF.exe, which contained malware. Redbanc did detect malware activity, allowing them to respond before attackers could learn the network and do more damage. This shows the value of monitoring your network to detect threats early, before they mature. Researchers at Flashpoint provided a great malware analysis of the samples from Redbanc and believe Lazarus, aka Hidden Cobra, is responsible.

TV network take over in the Bahamas

Like a scene out of a cult classic, Hackers have taken over the TV network infrastructure for Bahamas’ Corporation for Broadcasting’s (CBC). Much of the IT infrastructure for the station is unavailable as hackers hold the computer network ransom. The ransomware infiltration was nearly complete in scope. The attackers initially asked for 50,000 dollars in cryptocurrency (approximately 15 bitcoin), but have been willing to negotiate down to 18,000. Although recovery is expected to take hundreds of thousands of dollars, the ransom has been declared off the table.

As reported by EW News Online, The Democratic National Alliance (DNA) expressed that it is gravely concerned about recent reports regarding a cyberattack on the Broadcasting Corporation of the Bahamas (BCB), and Bahamians being left in the dark as it relates to getting an update. DNA’s Spokesperson for Information Technology, Samuel Strachan, outlined that no further updates have been provided to the Bahamian people and fundamental questions remain unanswered by a government that professes a commitment to transparency and accountability. I reached out to BCB earlier in the week for clarification on some of the breach details, but I have received no update.

South Korea was hacked. Who done it?

According to multiple South Korean news sources, attackers successfully infiltrated the computer systems of a South Korean government agency on October 4, 2018, infecting 30 computers and stealing internal documents from at least 10. The breached organization was South Korea’s Defense Acquisition Program Administration (DAPA), an agency responsible for weaponry and munitions acquisitions for the country’s military forces. The stolen documents reportedly contained information on arms procurement for the country’s next generation fighter aircraft.

Ironically, attackers were able to infiltrate the system by first gaining access to the server of a security program installed on all government computers. The infected application was a “Data Storage Prevention Solution” installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. Upon gaining administrative access to the software’s server, attackers used to it collect documents from connected workstations. I’ll go out on a limb and say this was North Korea.

Linux, Apple, and Microsoft plug critical code execution holes

Linux, Apple, and Microsoft are patching some critical vulnerabilities that allow for remote code execution (RCE).

Linux package manager APT released a patch for a remote code execution vulnerability that allows a man-in-the-middle to execute arbitrary code as root on a machine installing any package. “Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” explained Jusicz in his post. “Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package.” The flaw (CVE-2019-3462) has been fixed in the latest versions of the package manager. The developers of APT, Debian, has acknowledged the flaw. Jusicz also advises users to disable HTTP redirects when updating. This way the flaw is rendered invalid for the meantime until Debian updates their APT package.

Apple has released patches for a number of vulnerabilities, but notable among them is a vulnerability in WebRTC that opens the door for an RCE over facetime and a vulnerability that allows Bluetooth connections to be intercepted and used for RCE on the device. Since it’s 2019, you can buy working exploits for either of these vulnerabilities for as low as $4,999.99. What a world we live in.

Microsoft has released temporary patches for three Windows zero-days, all of which were disclosed within the past month. The first received a temporary patch last week, while patches for the other two followed this week. ZDNet notes that Microsoft did not release official fixes at the start of the month during its January 2019 Patch Tuesday, and that the patches have instead been made available by a third-party security firm. In order to install the temporary patches, users must install 0patch Agent from Acros Security, software primarily designed for companies that use old Windows versions across their system, versions that have reached their End-Of-Life (EOL) and are no longer receiving official security updates from Microsoft.

The first zero-day is a flaw within Windows ReadFile, whereby malicious code can abuse the Windows ReadFile OS function to read any local file, regardless of the user’s permission level. It was disclosed on December 20, 2018.

The second zero-day is a Windows WER flaw, aka AngryPolarBug, whereby malicious code can overwrite and replace any file on the user’s system. It was disclosed on December 27, 2018.

The third zero-day is in Windows VCF (Contacts), whereby malicious code abuses the way Windows reads vCard files (VCFs) to execute code on the computer with elevated privileges. It was disclosed on January 10, 2019.

None of the three Windows zero-days have been observed being used in the wild by any malware author or cybercriminal group. Users and organizations are advised to update their Windows products with the latest available patches to mitigate risk and remain on watch for more permanent patches.

Threat Report Wednesday January 16th 2019

Paul Scott on January 16, 2019

A lot has happened over the last week, so we have a bit more to cover than usual. The malspam campaigns are getting more creative than ever and some recent news about Ryuk ransomware attribution could have a big impact on your cyber insurance coverage.

Love-Letter malspammer, “always thinking about you”

With Valentine’s day right around the corner, the “Love Letter” malspam campaign is using email subject lines engineered to tug user’s heartstrings into infection with GandCrab Ransomware, XMRig miner, and Phorpiex spambot. Here were some example subject lines:

• This is my love letter to you
  
• My love letter for you
  
• Wrote the fantasy about us down
  
• Always thinking about you
  
  

The campaign contains ZIP attachments, which contain a JavaScript file that runs a PowerShell command, resulting in a download of an executable named “krablin.exe from “slpsrgpsrhojifdij.ru”. Once executed, the malware will be copied to “%UserProfile%\[number]\winsvcs.exe” and downloads five other malware samples to the infected machine and executes them. Users should always be cautious when viewing email content that pretends to be legitimate from a company and asks for personal information to avoid any potential attacks. The following indicators of compromise were released by bleeping computer.

Hashes

32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20 

f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4 

035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285 

ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87 

99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349 

27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3 

99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645 

12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8 

f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc 

72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06 

4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b 

0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7 

4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040 

06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad 

b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d 

056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769 

9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45 

6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002 

0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698 

d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a 

cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2 

7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d 

c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0 

Email Addresses

deanne11@5387.com 

bob01@0437.com 

teddy31@8038.com 

deena49@1659.com 

ted93@4302.com 

bradford99@2804.com 

imogene99@0354.com 

imelda31@1529.com 

taylor74@4656.com 

teddy21@8381.com 

IP Addresses

198.105.244.228 

136.243.13.215 

217.26.53.161 

92.63.197.48 

74.220.215.73 

78.46.77.98 

138.201.162.99 

Domain

Slpsrgpsrhojifdij[.]ru 

Mjag pairs up with Punisher RAT

Zscaler security firm released a report for a variant dubbed “Mjag dropper” that is using decoy documents to deliver Remote Access Trojan (RAT). Mjag dropper is compiled in the Microsoft .NET framework and its original binary is obfuscated using Smart Assembly. Zscaler disclosed the flaw after they detected the infection cycle involving Punisher RAT. The malware is publicly available and can be configured with a range of features: Password stealing module, Anti-task manager, Keylogging, Persistence, Spreading vector, and AV checks. The following indicators of compromise were released with these findings.

Filename

NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe 

Hash

0a459c18e3b8bdef87a6fb7ea860acdb 

Domains

Chris101.ddns[.]net 

tenau[.]pw 

DarkHydrus grows back new heads in on-going Middle East campaign

The DarkHydrus campaign reemerged and is targeting Middle East entities. 360 Threat Intelligence Center identified that the attackers use VBA macros in the dropper, with DNS tunneling for C2 communication. The malware was uploaded to VirusTotal from Oman.

Domains

data-microsoft.services 

phicdn.world 

akamai.agency 

sharepoint.agency 

nsatc.agency 

akdns.live 

akamaized.live 

iecvlist-microsoft.live 

trafficmanager.live 

0ffice365.services 

azureedge.today 

microsoftonline.agency 

hotmai1.com 

skydrive.services 

asimov-win-microsoft.services 

akamaiedge.live 

0nedrive.agency 

skydrive.agency 

akamaiedge.services 

edgekey.live 

corewindows.agency 

akadns.live 

t-msedge.world 

cloudfronts.services 

microsoftonline.services 

onecs-live.services 

onedrive.agency 

0ffice365.life 

Hash

513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8

IP Addresses

88.221.117.88 

216.58.192.174 

Ryuk moves to Russia with Grim Spider

Multiple security intelligence communities, like CrowdStrike, report that Ryuk ransomware is most likely the creation of Russian financially-motivated cybercriminals, not North Korean state-sponsored attackers. The clarification came after several news outlets attributed a Ryuk ransomware infection targeting U.S. newspaper agencies to North Korean attackers.  We have previously reported on Ryuk activities and the U.S. newspaper hack. 

The ransomware was created by a threat actor, which Crowdstrike calls Grim Spider, who allegedly bought a version of Hermes ransomware from an underground forum and modified it into Ryuk ransomware. The confusion possibly stems from North Korea state-sponsored actors reportedly infected the Far Eastern International Bank (FEIB) in Taiwan with Hermes ransomware in October 2017.

Researchers believe that North Korean attackers purchased the same Hermes ransomware kit, similar to Grim Spider, and deployed it on the bank’s network as a distraction in an attempt to cover their tracks. Researchers believe there is no connection between North Korean state-sponsored attackers and the Ryuk ransomware strain. Researchers note that multiple Ryuk ransomware victims were infected with TrickBot before Ryuk was deployed on their systems and speculate that attackers selected machines infected with Trickbot to deploy Ryuk.

Since Ryuk’s appearance in August, threat actors have earned 705.80 Bitcoin across 52 transactions, for a current value of $3,701,893.98. The following indicators of compromise were released with these findings.

Hashes

78c6042067216a5d47f4a338dd951848b122bbcbcd3e61290b2f709543448d90 

795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f 

fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b 

5e2c9ec5a108af92f177cabe23451d20e592ae54bb84265d1f972fcbd4f6a409 

501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9 

ac648d11f695cf98993fa519803fa26cd43ec32a7a8713bfa34eb618659aff77 

Insurance Group declines payout for Russian attributed ransomware

Bloomberg shared their findings with ZDNet after they reported a lawsuit against Zurich Insurance Group by Mondelez in a bid to seek $100M in damages after an insurance claim that was not paid out in NotPetya attack. NotPetya is a type of ransomware similar to Petya. Researchers noticed that the actors had been executing the exploit through the use of the much-discussed and patchable EternalBlue and EternalRomance exploits of yesteryear to launch attacks. (Yes, these attack vectors are still being exploited today.)

Once executed, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransom note which demands $300 in Bitcoin. Researchers note that NotPetya impacted business worldwide including TNT, Ukrainian banks, energy companies, airports, and shipping giant Maersk. Users and organizations should enforce strong security awareness, recognize phishing attacks, exercise caution when clicking on malicious links, and deploy two-factor authentication to mitigate cyber attacks. No indicators of compromise were released with this report.

Zurich chose not to cough up the money, citing the NotPetya was, “hostile or warlike action in time of peace or war,” which voided the claim. The security industry will be following this case closely to set precedent around this topic. With Ryuk’s move to Russia will Tribune’s cyber insurance policy cover fallout from a Russian cyber cold war?

Which brings up a question for you: What would your cybersecurity insurer say if your organization suffers a ransomware attack? Now is a good time to open the discussion before an incident might occur.

After several cups of perch-olated coffee and a blood sacrifice, the Perch SOC successfully reviewed the activity and IOCs listed for each threat and found zero Perch customers subjected or targeted by these active threats for the last 30 days.

Threat Report Wednesday January 9th 2019

Paul Scott on January 9, 2019

It’s clear that ransomware is ruling the new year, so today we’re covering activity from three ransomware campaigns. We’ll also be checking out a recent 0day discovered in the wild that has been bringing home the cache for some lucky attacker. But first, let’s start with a high-profile data breach.

Humana healthcare provider discloses data breach

According to a breach notification filing with the California Attorney General’s Office, healthcare management provider, Humana, disclosed that attackers compromised an associate, Bankers Life, and stated that the incident impacted a limited number of Humana customers. The statement disclosed that between May 30 and September 13, 2018, an unauthorized actor used employee system credentials to gain access to certain secure Bankers Life websites, potentially granting them access to a limited number of customers’ information.

Potentially exposed information included name, address, date of birth, last four digits of their social security number, and health insurance policy coverage details. Bankers Life learned of the incident on August 7 and Humana was notified of the malicious activity on October 25, 2018. The number of customers impacted was not disclosed. Humana states that the offenders did not access full social security numbers, banking or credit card information, or personal health or medical records. But the data that was stolen is enough to social someone into identity theft. In public statements the company, shamelessly and ironically, recommends a Bankers Life identity protection service to the victims for identity theft protect. They couldn’t keep customer data secure before so what makes anyone think they deserve the right to more of your data. If they feel strongly about the suggested consumer response for the damage they have inflicted, they should be giving away the service to all of those affected.

Recent side channel 0day steals data from Operating System’s cache

Security researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel, shared their findings with Bleeping Computer about a new side channel attack that targets an Operating System’s page cache. Side channel attack is a race condition that fulfilled using a malicious process for a successful local attack.

Researchers disclosed the flaw to the affected vendors after they detected an exploitation attempt against Windows and Linux machines. Researchers noticed that the actors had been executing the exploit through a “page cache” named “minicore” dubbed CVE-2019-5489 on Linux and “QueryWorkingSetEx” on Windows. CVE-2019-5489 is a race condition that allows an attacker to observed page cache access patterns of other processes on the infected system.

Users and organizations should be ready to install security updates to limit their exposure to threats. No indicators of compromise were released with researchers’ findings, however, an in-depth technical analysis is available for review.

Vidar and GandCrab: Stealer and ransomware combo observed in the wild

Malwarebytes security researchers recently discovered a prolific malvertising campaign that targets high-traffic torrent and streaming sites and redirects users towards two malicious payloads. Malwarebytes noticed that the actors had been executing the exploit through two malicious payloads. First is Vidar, a malware that targets vast amounts of victims’ information. Second is GandCrab, one of the most active families of file-encrypting malware currently in operation. Once executed, the actors will send a ransom note demanding either Bitcoin or Dash in exchange for retrieving the files. Users and organizations must keep the software and firmware up to date with timely patch updates to prevent any potential attacks. The following indicators of compromise were released with Malwarebytes’ findings.

Domains

- Kolobkoproms[.]ug
- ovz1[.]fl1nt1kk[.]10301[.]vps[.]myjino[.]ru

Hashes

- abf3fdb17799f468e850d823f845647738b6674451383156473f1742ffbd61ec
- e99daf10e6cb98e93f82dbe344e6d6b483b9073e80b128c163034f68de63be33

New wave MongoLock ransomware immediately deletes files

Trend Micro reports sightings of a new wave of MongoLock ransomware attacks, whereby files are immediately deleted instead of encrypted and further scans are automatically performed to delete additional files.

Researchers state that MongoLock was first sighted in the wild in December 2018. The ransomware message claims that the files are saved in the cybercriminals’ servers and demands a payment of 0.1 Bitcoin be paid within 24 hours.

Trend Micro states that the highest number of infections are in South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan, and Hong Kong. The campaign was sighted targeting databases with weak security settings, and the ransomware was hosted on PythonAnywhere, a Python-based online integrated development environment (IDE) and web hosting service. Researchers state that any host using hxxp://{user-defined}.pythonanywhere.com may be vulnerable to abuse. The following indicators of compromise were released with researchers’ findings.

Hash

698be23b36765ac66f53c43c19ea84d9be0c3d7d81983726724df6173236defa

IP Address

104[.]27[.]178[.]191

URLs

- hxxp://update[.]pythonanywhere[.]com/d
- hxxps://s[.]rapid7[.]xyz 

Loki variant new campaign: Uses ”.ace” attachments via fake DHL Express quotation

Security researchers shared their findings with My Online Security, after they observed the new campaign for Loki variant that targets victims via malicious documents to gather information. The malicious attachment named “.ace”, contains a password-stealing component that encrypts victim’s files. The following list of file extensions contains malicious attachment: js, exe, com, pif, scr, hta, vbs, wsf, jse, and jar. Researchers noticed that the actors had been executing the exploit through a “.ace” malicious file.

Once executed, it will encrypt victim’s files and the actors will demand for a ransom to recover the files. Users and organizations should always be cautious when viewing email content that pretends to be legitimate from a company and asks for personal information to avoid any potential attacks. The following indicators of compromise were released with researchers’ findings.

Hashes

- 6e98fd04a2b9f62eb8682152fc93e60c
- 6a904e3d3449f6254364d2170719247c1356fd7c 

Threat Report Wednesday January 2nd 2019

Paul Scott on January 2, 2019

Happy new year! We’re going to close out 2018 with Ryuk ransomware hitting the press and ring in 2019 with some new year hacktivity by two threat actors.

Tribune Publishing held hostage by Ryuk

On December 29, 2018, it was widely reported that Tribune Publishing was unable to publish Saturday editions of major U.S. newspapers, including the Los Angeles Times, the San Diego Union-Tribune, the Chicago Tribune, and the Baltimore Sun. The disruption also affected the distribution of the Wall Street Journal and the New York Times on the West Coast. Tribune’s disruption was caused by ransomware infection. The disruption affected every Tribune market across the United States. Tribune Publishing has recently been divesting from newspapers in favor of online content generated by robots. Which likely means, they weren’t paying attention to printing facilities the way they should. Obviously, we need more legislation and compliance standards for securing news media. Or, we’ll end up with a resurgence of incidents similar to the Max Headroom incident.

The LA Times recently confirmed that the printing house was targeted by threat actors in North Korea. Ryuk ransomware is a targeted strain that is attributed to Lazarus Group. The implication of North Korea does not confirm that the incident was intended to disrupt the activity of the U.S. press, but indicates that some aspect of Tribune Publishing, or their connected publications, were targeted for financial gain by the ransomware strain.

Ryuk ransomware has appeared in campaigns targeting large organizations both in the United States and around the globe. Ryuk typically targets enterprises that are capable of paying a lot of money in order to restore operations, suggesting that operations using this ransomware are primarily financially motivated. It first emerged in August 2018 and in the space of just days infected several organizations across the U.S., encrypting PCs, storage and data centers of victims, as well as demanding 15-50 BitCoin in ransom. However, the attacks are highly targeted with perpetrators conducting tailored campaigns involving extensive network mapping, network compromise, and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.

Even though Ryuk has been used by the financially motivated, I can’t help but wonder about ulterior motives. Maybe this is a twofer. It seems to me, America is already questioning where it can get factual news from and shutting down trustworthy lines of information which is dangerous. Digital and print news was disrupted for millions of people. There are groups that don’t want information to be open, accessible, or intelligible. Journalists have been targeted this past year and now the threats are moving upstream to the publishers and printers.

TDO threatens release of 9/11 insurance docs

In what very well could have been the new year somewhere on earth, “Thedarkoverlord” (TDO) claimed to have stolen approximately 18K documents from Hiscox Syndicates, National Life Group, Advantage Life Investment Bank, Lloyds of London, and Silverstein Properties and threatened to share documents related to ⁹⁄₁₁ attacks publicly.

TDO is known to have targeted the production studio for Netflix, medical centers, and private businesses across the United States. TDO provided a link for a 10GB archive of allegedly stolen files in their extortion note and threatened to release relevant decryption keys to unlock different sets of files in exchange for an undisclosed ransom fee in Bitcoin from the victims. It is unclear at present exactly which files the actor stole, but researchers believe it is certainly an attempt to capitalize on conspiracy theories surrounding the ⁹⁄₁₁ attacks. My tinfoil hat is buzzing with excitement.

Motherboard reports that Hiscox Group confirmed hackers had breached and likely stolen files related to litigation around the ⁹⁄₁₁ attacks from a U.S. law firm that advised the company, “The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of ⁹⁄₁₁, and we believe that information relating to this was stolen during that breach,” the Hiscox spokesperson wrote in an email.

Don’t sue me for saying so, but lawyers have the worst security. If I was going to take down the largest insurer in the world, I would definitely work my way through a low security backdoor, like their lawyer. We should be treating law firms as vendors with remote access in terms of vendor risk management

New World Hackers aim at Gulf Coast govs

New World Hackers have been going on a new year spree dumping data from FLgov.com, Texas.gov, and a number of smaller government organization around the region. They don’t exclusively target government organizations, but the lowest bidding government contractor isn’t always good at application security. Plus, opportunity makes a great motive.

The group also disclosed a breach of Lenovo through their Twitter accounts, but the data dumps were taken down from ghostbin before I could confirm them. Roughly 127K customer records and 1M user records were reportedly exposed in the breach.

Previously, the group took credit for database breaches at Atlanta International Airport and Colorado Government organizations.

Threat Report Thursday December 27th 2018

Paul Scott on December 27, 2018

We hope you had a happy holiday, but it is time to get back to the grind. Holiday cheer wasn’t the only thing spreading this season. Tenable gave the gift of vulnerability disclosure to Cisco, the Department of Justice handed out indictments for Chinese hackers like candy, and 500K students are eagerly waiting to find out what they will get from the San Diego School District.

Cisco ASA privilege escalation disclosed and patched

Cisco Adaptive Security Appliance (ASA) Software is reportedly affected by privilege escalation vulnerability CVE-2018-15465. Researchers at Tenable discovered that a remotely authenticated, unprivileged user can change or download the running configuration. And, that’s bad.

The vulnerability could be exploited by an attacker sending a crafted HTTP request as an unprivileged user. The Cisco ASA Web management interface improperly validates user. The attacker can retrieve files (including the running configuration) or upload and replace the software image. Cisco released an update to patch the vulnerability.

CVE-2018-15465 impacts ASA software running on any Cisco product that has Web management access enabled, with command authorization disabled. Users are advised to update to the latest patch according to the Fixed Releases table located in the Cisco Security Advisory.

Stone Panda indicted and linked to Chinese state-sponsored economic espionage

The United States Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, who participated in a 12-year campaign that targeted U.S. managed security providers. This duo is believed to be part of Stone Panda aka Red Apollo (APT10). The activity breached at least 45 companies through their managed service providers (MSP) in 12 countries. The campaign was performed by a company fronting for the Chinese Ministry of State Security (MSS). The indictments show MSS’ continued use of front companies for international economic/technology espionage operations. Washington’s indictments send a clear message to China, intrusions to improve economic competitiveness are unacceptable.

The modus operandi for the campaign was straight-forward. Leverage stolen credentials to gain access to an MSP network and use the MSPs access to steal their clients’ intellectual property. A little birdie told us these IPs were used in APT10 operations:

185.111.74.127

194.68.44.108

167.114.171.8

195.54.163.74

185.211.247.52

37.10.71.100

176.31.117.82

66.70.135.104 

500K records exposed in San Diego school district breach

Stolen credentials aren’t just being reused against MSPs and their clients. Hackers are credential phishing, reusing previously breached passwords, and deploying password stealing malware to gain access to your networks and the networks you trust. The education sector has recently been learning that lesson.

San Diego School District recently disclosed a data breach for 500K students. We regularly hear about universities being targeted, but public-school districts are a target too. Many of the social security numbers breached won’t be valuable until the students can get approved for credit; but children are victims of identity theft as well. If you were born today, just how long would it take for your SSN to be breached? I’m betting that a large percentage of children born today will have PII breached before they can talk.

Attackers phished San Diego School District faculty to gain access to just about every type of sensitive information they had from the last 10 years including:

• Student enrollment information like schedule, discipline incident information, health information, attendance records, transfer information, legal notices on file, and attendance data
  
• Student and staff State Student ID Number
  
• Student and staff parent, guardian, and emergency contact personal identifying information (including first and last name, phone numbers, address, email address, employer information)
  
• Staff benefits information
  
• Staff payroll and compensation information (including viewable paychecks and pay advices, deduction information, tax information, direct deposit financial institution name, routing number and account number, salary and leave information)
  
  

Earlier this month Cape Cod Community College (CCCC) was cyber-swindled for 800K dollars. The threat actor was using phishing emails with attached viruses to land a first stage infection. The second stage infection was password stealing malware. The Boston Globe reported that CCCC President, John Cox, emailed staff and students stating, “the school believes the same hackers tried to infiltrate other colleges in the area” but said “he did not know which ones.” This statement perfectly highlights that organizations need to join relevant information sharing communities.

That’s all for now. So long, and thanks for all the phish.

Threat Report Wednesday December 19th 2018

Paul Scott on December 19, 2018

This week we’re covering critical vulnerabilities discovered in Huawei routers, Jenkins continuous build automation servers, and SQLite databases. Additionally, we’re going to review a threat actor that is taking aim at critical U.S. infrastructure.

Security community calls Huawei’s bluff on security claims

Huawei’s integrity has been called into question recently. Many countries are taking U.S. leadership and canceling Huawei orders. Canada has arrested the Huawei CFO for extradition to the United States. During all this, Huawei has asked the U.S. to put up or shut up. And, the security community has responded with proof. A staggering vulnerability report for Huawei routers (CVE-2018-7900) has been released and Huawei doesn’t just make exploitation possible, they make it easy.

There is no spray and pray necessary for attackers. You can find all vulnerable routers with a Shodan/ZoomEye. There is no need to fail a login. The login page indicates if the default password has changed. This makes detecting abusive activity difficult because attackers don’t make much noise, and it’s possible to generate a list of 100 percent exploitable targets based on a dork query.

Jenkins makes guests feel at home with anonymous to admin access

CyberArk’s security researchers discovered two vulnerabilities exposing  Jenkins  servers.  Jenkins  is a Web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results.  CyberArk  disclosed the flaw to  Jenkins  after they detected an exploitation attempt against  Jenkins  servers. The actors used two different vulnerabilities to launch attacks. The first is  CVE-2018-1999001, a flaw that allows an attacker to remove files from the  Jenkins  master file system. The second is  CVE-2018-1999043, which allows an attacker to create ephemeral user records in the server’s memory. Both of these vulnerabilities have been addressed and fixed. ZDNet was able to discover over 2,000 vulnerable  Jenkins  servers within a few minutes. Researchers believe that the total number of vulnerable servers might even be over 10,000. Users and organizations must keep software and firmware up to date with timely patch updates to mitigate attacks. File integrity monitoring on a Jenkins server could detect the security configuration file being moved.

Magellan vulnerability discovered in SQLite

Last week, Security researchers from Tencent Blade Team have discovered a remote code execution vulnerability in SQLite dubbed Magellan. SQLite is a widely used and well-known database utilized in all modern mainstream  operating systems  and software, meaning that this vulnerability holds a wide range of influence.

Researchers state that  Google  has fixed this vulnerability, however, Google is not disclosing the details of Magellan at this time as they are pushing vendors to fix it as soon as possible. Devices or software that use SQLite or Chromium are affected, and the dangers of exploitation include remote code execution, leaking program memory, or causing program crashes.

The vulnerability can be triggered remotely, for example, a target visits a particular Web page in a browser or any scenario that can execute SQL statements. Researchers did not observe any abuse of Magellan in the wild at the time of publishing. There is currently no CVE for this vulnerability. We will likely see this weaponized into a new or existing exploit kit or as part of a scanner’s arsenal of exploits over the next week or two. So, update SQLite or your applications that use SQLite, like Chromium based browsers (Chrome, Vivaldi, Opera, and Brave). SQLite products are advised to update to 3.26.0 and Chromium users are advised to update to the official stable version 71.0.3578.80.

Sharpshooter takes aim at critical infrastructure

McAfee  security researchers discovered an advanced threat actor they call “Sharpshooter” targeting defense organizations and  critical infrastructure  sectors using source code from the infamous Lazarus group.  McAfee  disclosed the flaw on December 12, 2018, after they detected exploitation attempts against organizations in nuclear and defense sectors.  The threat actor is executing the first stage exploit through a malicious office document that contains a weaponized macro. The macro downloads the second stage backdoor, dubbed Rising Sun, which performs reconnaissance on the victim’s network. Once executed, the victim’s data will be sent to  a C2  server for monitoring by the actors to launch the attacks. Researchers have detected 87 victims from different industry sectors with this vulnerability. First stage infections that start with an office document are typically spread through malspam.

First Stage – Ips & Domains

208.117.44[.]112/document/BusinessIntelligenceAdministrator.doc

www.dropbox[.]com/s/2shp23ogs113hnd/CustomerServiceRepresentative.doc?dl

208.117.44[.]112/document/StrategicPlanningManager.doc

Second Stage - IPs & Domains

34.214.99[.]20/view_style.php
137.74.41[.]56/board.php
kingkoil.com[.]sg/board.php

Hashes

66776c50bcc79bbcecdbe99960e6ee39c8a31181

31e79093d452426247a56ca0eff860b0ecc86009

8106a30bd35526bded384627d8eebce15da35d17

668b0df94c6d12ae86711ce24ce79dbe0ee2d463

9b0f22e129c73ce4c21be4122182f6dcbc351c95

Threat Report Friday December 14th 2018

Paul Scott on December 14, 2018

There has been a lot of interesting development over the last week, so let’s roll through it. In response to world events, nation-states are being implicated in hacking each other. Microsoft and Adobe released critical patches to cover code execution vulnerabilities. Malware authors are increasingly targeting Mac OS X. And, an APT takes aim at academics.

After poisoning ex-spies, Russian government hit with Poison Needles

Adobe has now released a patch for CVE-2018-15982 that was recently used in compromising a Russian medical facility. 360 Core Security researchers disclosed findings related to a security incident from late November 2018 involving the FSBI Polyclinic No.2.

The attacker used spear-phishing with an attached doc that appeared as an in-depth employee questionnaire to exploit a recent flash 0-day (CVE-2018-15982), and deploy a customized trojan with the ability to detect when it has been caught and self-destruct. The primary function of this trojan seems to be maintaining persistence, avoiding detection, and exfiltrating data to an IP in Romania. Researchers named the attack as “Operation Poison Needles” as the target was a medical institution; but I think the name might be fitting for other reasons. The attacker launched the trojan from a compressed package. The PE payload backup.exe masqueraded as an NVIDIA control panel application with detailed file descriptions and version numbers.  

Some commentators believe that this was in response to the Kerch Strait incident which occurred on November 25, 2018. I believe this is a response to Russian activity, but not the Kerch Straight incident. What relevance does an attack on a Russian health organization have in response to a military aggressiveness? I believe this may be a response related to the UK poisoning plot targeting former Russian agent Sergei Skripal. This customized trojan and spear-phishing seem to be an information grab. The FSBI Polyclinic 2 could be the facility that created or stored the Novichok nerve agent used in the poisoning plot. Poison Needles may have been an operation to find evidence related to that attack.

Samples of the customized Trojan were first uploaded to virus total on November 29. The Kerch Straight incident occurred on November 25. If this were a response to any incident, then it was likely a failure. If I were a nation-state hack team, I’d like to get more use out of custom malware and an Adobe 0-day than four days. Although, four days is plenty to completely compromise a network. So, maybe they got what they were looking for. Either way, I feel the response is not relevant to the Kerch Straight incident and so it must be related to something else… or maybe nothing at all. Perhaps the timing was meant to provide false attribution to Ukraine.  

Hashes:

- 2abb76d71fb1b43173589f56e461011b  
- 92b1c50c3ddf8289e85cbb7f8eead077
- 1cbc626abbe10a4fae6abf0f405c35e2

More details about:

• 92b1c50c3ddf8289e85cbb7f8eead077
  
• 1cbc626abbe10a4fae6abf0f405c35e2
  
  

IP:

- 188.241.58.68

Windows patch Tuesday - December

Adobe isn’t the only software company releasing some serious patches. This week we’ve got another critical patch, Tuesday from Microsoft. The patch includes a fix for the Win32k Privilege Escalation Vulnerability (CVE-2018-8611) which allows attackers to exploit the Windows Kernel to run arbitrary code to install programs, modify data, or create accounts. The fix also covers a Heap Overflow remote code execution (RCE) that’s being actively exploited in Windows DNS Server when it failed to properly handle a specially crafted request. Attackers can exploit this vulnerability to run arbitrary code in the context of the Local System Account.

OSX.DarthMiner brings MAC OSX to the Darkside

Some malware writing Sith Lords are force pulling Macs into a crypto mining botnet with malware dubbed OSX.DarthMiner. In a recent report from malwarebytes, researchers profiled the Mac malware and found that it was combining EmPyre for a backdoor with XMRig for crypto mining. Although this malware seems focused on mining it does have the ability to execute commands specified by a remote user through EmPyre. DarthMiner is likely stealing passwords and other such sensitive information.  

The malware is being distributed through a fake version of a popular Adobe pirating tool Adobe Zii.

And they say the Empire did nothing wrong.

Hash:

- ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e

More details about:

• ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e
  
  

Academia threatened with STOLEN PENCIL

ASERT researchers from Arbor Networks have disclosed their findings on STOLEN PENCIL, an APT campaign targeting academic institutions. Active since at least May 2018, researchers have not attributed the campaign to any one actor, however, they identify the activity as “possibly originating from DPRK (North Korea).” Attackers appear interested in collecting credentials.  

Targets are sent spear-phishing emails that lead to a website displaying a lure and are prompted to install a malicious Google Chrome extension. Many targets are specialized in biomedical engineering, suggesting a possible motivation. Researchers state that poor operational security led to users finding open Web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean. The attackers use built-in Windows admin tools and commercial off the shelf software to “live off the land.”  

Post-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such as process memory, Web browsers, network sniffing, and keyloggers. Researchers state that they have not yet discovered evidence of data theft. The following indicators of compromise were released with ASERT’s findings.

Hashes:

- 9d1e11bb4ec34e82e09b4401cd37cf71
- 8b8a2b271ded23c40918f0a2c410571d
- 2ec54216e79120ba9d6ed2640948ce43
- 6a127b94417e224a237c25d0155e95d6
- fd14c377bf19ed5603b761754c388d72
- 1d6ce0778cabecea9ac6b985435b268b
- ab4a0b24f706e736af6052da540351d8
- f082f689394ac71764bca90558b52c4e
- ecda8838823680a0dfc9295bdc2e31fa
- 1cdb3f1da5c45ac94257dbf306b53157
- 2d8c16c1b00e565f3b99ff808287983e
- 5b32288e93c344ad5509e76967ce2b18
- 4e0696d83fa1b0804f95b94fc7c5ec0b
- af84eb2462e0b47d9595c21cf0e623a5
- 75dd30fd0c5cf23d4275576b43bbab2c
- 98de4176903c07b13dfa4849ec88686a
- 09fabdc9aca558bb4ecf2219bb440d98
- 1bd173ee743b49cee0d5f89991fc7b91
- e5e8f74011167da1bf3247dae16ee605
- 0569606a0a57457872b54895cf642143
- 52dbd041692e57790a4f976377adeade

Domains:

- bizsonet.ayar[.]biz
- bizsonet[.]com
- client-message[.]com
- client-screenfonts[.]com
- *.coreytrevathan[.]com (possibly compromised legitimate site)
- docsdriver[.]com
- grsvps[.]com
- *.gworldtech[.]com (possibly compromised legitimate site)
- itservicedesk[.]org
- pqexport[.]com
- scaurri[.]com
- secozco[.]com
- sharedriver[.]pw
- sharedriver[.]us
- tempdomain8899[.]com
- world-paper[.]net
- zwfaxi[.]com

IP Addresses:

- 107.175.130.191
- 172.81.132.211
- 173.248.170.149
- 5.196.169.223
- 104.148.109.48
- 74.208.247.127
- 132.148.240.198
- 134.73.90.114
- 92.222.212.0

Threat Report Thursday December 6th 2018

Paul Scott on December 6, 2018

This week we’re covering a developing story around a Kubernetes vulnerability that is still shrouded in mystery, a string of high-profile data breaches, and following up on the mobile spyware topic from last week.

You Never Forget Your First Hack

You’ve been hacked. How did this happen? You learn a lot from responding to security incidents and Kubernetes is learning some of those lessons now, the hard way. Red Hat security researchers have recently discovered Kubernetes’ first major security flaw, CVE-2018-1002105, a privilege escalation vulnerability that targets Kubernetes-based services and products.

Red Hat disclosed the flaw to Kubernetes after they detected an exploitation attempt to the Kubernetes API server’s Transport Layer Security (TLS) credentials. Red Hat also noticed that the vulnerability makes it possible for any user to gain full administrative access on any machine running with the Kubernetes platform. Researchers have detected active attacks using this vulnerability. However, it is unclear at present how this vulnerability is being delivered because the de-auth requests are made over an established connection and do not appear in Kubernetes API server audit logs.

The affected versions are Kubernetes v1.0.x through v1.9.x. Users and organizations were advised to update to one of the following patched versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. No indicators of compromise were released with Red Hat’s findings; however, they have published an in-depth technical report.

Big Data Score in High-Profile Data Heist

We’ve seen a burst of high-profile data drops recently. Data from over 600 million users was recently compromised in just three breaches. The Nation Republican Congressional Committee (NRCC), Quora, and Marriot have all recently disclosed breaches. Each of these breaches can teach us different lessons related to merger and acquisition security, the benefits of security monitoring, and encrypting data at rest.

Although there was a low number of user accounts compromised in the NRCC hack, it only takes one compromised user to have a data breach. NRCC was notified about the breach through a managed security service provider (MSSP). The NRCC then reported the breach to Crowdstrike, one of their security vendors. It’s good that the NRCC had security monitoring. This breach could have lasted for more than the “several months” that attackers reportedly maintained access to compromised accounts.

If this were a hacktivist group, we would expect to see a data dump. If this were a profiteer, we would expect to see a ransom. Neither of these scenarios has occurred. That gives us good reason to believe that the threat actors are not motivated by money or protest. Allow me to be speculative. The threat actors are likely after the intelligence. With enough private communications between Republican politicians, they could gain the leverage needed to ease sanctions related to ongoing Crimea occupation and DNC email hack. During this time, we have seen exactly this occur as House Republicans cool on Russian sanctions.

Quora recently lost user information related to 100 million users. Although the information was not particularly sensitive information, it did include email addresses and hashed passwords. There was no indication if the passwords were salted. And there was no mention of a salt being used in the password hashes. Millions of these hashes have likely been cracked. We’ve already heard private reports about this data being leveraged to attempt to access email accounts. If you’ve ever used Quora with a common password, you should reset that password wherever you have used it.

On Friday, November 30, 2018, Marriott Hotels publicly disclosed a breach impacting the network of their subsidiary, Starwood Hotels and Resorts. This shows the danger of mergers and acquisitions. When you buy another company their security problems become your security problems. Amazon saw this with Twitch, and Marriott is now seeing it with the Starwood acquisition. The official statement emphasizes that the Marriott network was not involved, as the investigation only identified unauthorized access to Starwood’s network.

According to the investigation, the intrusion occurred on or before September 10, 2018, and targeted guest information from reservations. Marriott estimates that the activity affected 500 million guests. Compromised data included a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, reservation dates, and other data points. Marriott also stated that an unknown amount of payment card numbers and payment card expiration dates were accessed with other customer data. It is not clear if the accessed data was successfully exfiltrated by attackers, so we should assume that it definitely was.

Marriott states during their investigation, there had been unauthorized access to the Starwood network since 2014. The investigation was partially alerted to the activity due to the actors copying and encrypting data from the Starwood Guest Reservation Database. Marriott was able to decrypt the data and determined it was from guest reservations on or close to September 10, 2018. It is unclear if the data was encrypted to help with exfiltration or to destroy evidence of the intrusion. However, the steps taken by the actor to hide the stolen data, or potentially destroy it, show their interest in the sensitive personally identifiable information and ensuring a delayed discovery that such information had been compromised. Speaking of stealthy backdoors, ESET published follow-on research from Operation Windigo related to the use of stealthy SSH backdoors to maintain persistence on compromised hosts. We looked at some of the published indicators and searched for them in Perchybana. No indicators were observed in the last 30 days that match this threat. If you’re a Perch customer, you’re in the clear.

11 Critical Android Vulnerabilities Patched Amid Pegasus Abuse Claims

Google recently patched 11 critical code execution vulnerabilities in Android. Nine were tied to escalation-of-privilege (EoP) bugs. One of the few EoP bugs (CVE-2018-10840) that linked to an external description revealed the flaw was tied to the Android Kernel component (ext4 filesystem). Forty-two high criticality vulnerabilities were also patched. The timing couldn’t be better for Journalists using android. There has been a lot of talk recently about NSO Pegasus mobile spyware abuse. NSO Pegasus spyware is only sold to government organizations and should only be used against criminals and terrorists, yet it has been increasingly used to target journalist cellphones. NSO Pegasus spyware was found on Abdulaziz’s phone. The installation has been linked to the Saudi government and he believes it has something to do with the murder of U.S. journalist Khashoggi.

On Sunday, Abdulaziz’s lawyers filed a lawsuit in Tel Aviv alleging NSO broke international law by knowingly allowing its spyware to be used to infringe upon human rights. “NSO should be held accountable in order to protect the lives of political dissidents, journalists, and human rights activists,” said Abdulaziz’ lawyer, Alaa Mahajna, speaking to CNN.

“The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdelaziz told CNN. “The guilt is killing me.”

The lawsuit claims that in the months before the killing, the royal court had access to Mr. Khashoggi’s communications about opposition projects with Mr. Abdulaziz because of the spyware on Mr. Abdulaziz’s phone.

Threat Report Friday November 30th 2018

Paul Scott on November 30, 2018

Welcome back. I don’t know if you celebrated the largely known U.S. holiday of Thanksgiving, but I did; and I’m grateful I had the week off. We’ve been keeping our ear to the ground. This week we want to tell you about an Emotet malspam campaign that cashed in on Black Friday, an indictment announced for the authors/distributors of SamSam ransomware, and a serious threat to journalists in Mexico.

Emotet Cashes in on Black Friday

You weren’t the only one shopping on Black Friday. ESET researchers found evidence of a large Emotet campaign occurring on Black Friday. Like prior campaigns, Emotet was distributed via spam. In this campaign, the attachments and links are to XML files with .doc extensions instead of DOC or PDF files.

Emotet is known to distribute various banking malware families known for stealing passwords, credit card details, and access to crypto-currency wallets. The United States is one of the top five targeted countries, while the UK and South Africa are in the top ten. Since this campaign was focused on Black Friday, it’s safe to say it was targeting U.S. shoppers getting ready to check their bank balance and do some online shopping.

• https://www.welivesecurity.com/2018/11/23/black-friday-special-emotet-filling-inboxes-infected-xml-macros/
  
  

Catch me if you SamSam

The chase is on for two Iranian nationals charged by a U.S. federal grand jury, following a 34-month long international computer hacking and extortion scheme. Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27) face a total of six counts alleging that they authored and deployed SamSam ransomware to more than 200 victims, including hospitals, municipalities, and public institutions. The counts are as follows: one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

In the Department of Justice Indictment, two individuals, Exchanger 1 and Exchanger 2, are labeled in the Relevant Individuals and Entities section. In a U.S. Department of Treasury press release also published on November 28, 2018, Ali Khorashadizadeh and Mohammad Ghorbaniyan, are named as the financial facilitators in a malicious campaign involving SamSam ransomware. The press release states that they, helped exchange digital currency (Bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors.

According to the indictment, beginning in December 2015, the offenders reportedly accessed victim computers without authorization through security vulnerabilities. They then installed and executed SamSam, resulting in the unauthorized encryption of data on the victims’ computers. A Bitcoin ransom was demanded in exchange for decryption keys for the encrypted data. Collecting ransom payments from victim entities that paid the ransom and exchanging the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchanges. The indictment alleges that the pair earned over $6 million USD in ransom payments to date and caused over $30 million USD in losses to victims.

• https://home.treasury.gov/news/press-releases/sm556
  
• https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public
  
  

Journalists Targeted with Mobile Malware After Cartel Journalist Gunned Down

Journalists in Mexico have faced some very real threats recently, and they can add nation-state level mobile spyware to the list. Somehow, peers of a journalist likely killed by a cartel, are being targeted with nation-state level mobile malware. Something strange is going on here.

Citizen Lab published the seventh report in a series detailing abuse of NSO Group Pegasus Spyware. Citizen Lab and partners have identified a total of 24 cases of abusive targeting by Mexico-linked NSO Group customers. Infection attempts are located in Canada, Mexico, the UAE, the United Kingdom, and the United States.

Pegasus is a sophisticated tool for spying on mobile phones and is exclusively sold to governments for the purposes of fighting terror and investigating crime. According to NSO Group, in the past two years, Pegasus had been used by repressive governments to spy on human rights defenders, journalists, and others who they deem as threats to their power.

In Citizen Lab’s most recent findings, they disclose an attack that occurred in May 2017. Journalist Javier Valdez Cárdenas was gunned down near his office. Shortly after the murder, Cárdenas’ colleagues, Andrés Villarreal and Ismael Bojórquez received suspicious messages saying, Cárdenas’ killers had been identified. The messages contained a malicious link that, once clicked, downloaded NSO spyware onto their mobile devices. Users and organizations should exercise caution when viewing messages from foreign or unknown senders. The malicious URLs are contained within the report.

• https://citizenlab.ca/2018/11/mexican-journalists-investigating-cartels-targeted-nso-spyware-following-assassination-colleague/
  

Threat Report Thursday November 15th 2018

Paul Scott on November 15, 2018

Holy moly, it’s the weekly threat report. This is your gentle reminder to patch all the things. That’s the theme for this week, vulnerabilities that need patching and a sprinkle of attack tools.

Microsoft Patch Tuesday

In past reports, we’ve discussed pending 0-days for Edge and Windows; and it looks like some similarly critical vulnerabilities are being patched this week. This Tuesday’s Microsoft patch covered a pair of 0-day vulnerabilities, ten other critical items, and around 50+ other issues. Let’s review a few of those.

One of the vulnerabilities being actively exploited in the wild is a Win32k privilege escalation. CVE-2018-8589 has been found in the wild on Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems. However, an attacker needs to be authenticated to the system to exploit the vulnerability and gain full control. Another critical patch was for CVE-2018-8584, which was disclosed in October and impacts Windows 10, Windows Server 2016, and Windows Server 2019. When exploited it allows unauthorized users to access and delete files on systems that are normally only accessible by admins. This could open the door for DLL hijacking and other attack vectors that would allow for privilege escalation.

Also included were five vulnerabilities in the Chakra scripting engine behind Microsoft Edge (CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588). Any of these CVEs could be leveraged to execute code on an Edge user’s host. To be exploited, the Edge user would have to be naively phished or innocently malvertised. Remember, malvertising is on the rise. If an attacker chained together an Edge exploit with either of the vulnerabilities that allow for privilege escalation, they could gain full control of the host.

Other notables included two remote code execution flaws in Word (CVE-2018-8539, CVE-2018-8573) and PowerShell bugs that allow potential remote code execution (CVE-2018-8256, CVE-2018-8415).

Data Privacy Plug-in Ironically Eliminates Privacy for Thousands of Sites

Last week a privilege escalation vulnerability in a popular WordPress GDPR compliance plugin with over 100K installs. This week, thousands of websites have been compromised. If you’re running a WordPress site, check your GDPR plugin for updates, because they are scanning everyone. The patched version is 1.4.3.

Although these sites are fully compromised, Sucuri has been tracking a campaign and reports observing thousands of compromised sites that direct the user to code similarly used to invoke fake tech support scams (TSS). We confirmed with Perchy, the TSS campaign is currently using wtools[.]io to host the injected content and redirecting users to diwutixip[.]innocraft[.]cloud for the TSS payloads.

China Chopper Finds Forever Home with ColdFusion

Security researchers have recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion. A suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. Adobe’s ColdFusion has historically been a major target of APT groups looking to compromise networks. Modern versions of ColdFusion include the WYSIWYG rich text editor CKEditor. When Adobe decided to replace FCKeditor with CKEditor, they inadvertently introduced an unauthenticated file upload vulnerability. The vulnerability is easily exploited through an HTTP POST request to the file “upload.cfm”, which is not restricted and does not require authentication. It should be noted that ColdFusion does attempt to restrict the file types that are allowed for upload via CKEditor in a configuration file called “settings.cfm”. Researchers have identified that Adobe did not include the “.jsp” file extension in the default configuration, which was problematic because ColdFusion allows “.jsp” files to be actively executed.

The attackers also identified a directory modification issue through the “path” form variable that allowed them to change the directory to where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it. All files on the compromised websites were found in one of two directories; /cf_scripts/ and /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/. Several of the affected websites contained an HTML index file from the hacktivist group, “TYPICAL IDIOT SECURITY”.

On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues to include an unauthenticated file upload vulnerability. This vulnerability was assigned as CVE-2018-15961 affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). You should apply a patch once it is available from Adobe.

We observed potential recon activity from:

113.161.90.69

JexBoss Gets Wild with NCCIC

Finally, to close out this threat report, we have a tool getting the spotlight from The National Cybersecurity and Communications Integration Center (NCCIC). NCCIC issued a US-CERT alert for security assessment tool. JexBoss is used to test and exploit older vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. The Github repo hasn’t been updated in two years and there are open issues fix bugs and to add new attacks. It amazes me that older versions of this software is still out there, unpatched and living its best life.

Attackers used JexBoss in the Samsam ransomware campaign that targeted the healthcare industry. According to US-CERT, JexBoss allows an attacker to execute arbitrary OS commands on the target host through either installing webshell, blindly injecting commands, or establishing a reverse shell. NCCIC has determined that JexBoss operates on all seven stages of the Cyber Kill Chain framework. Users and administrators are advised to review AR18-312A from US-CERT.

Threat Report Thursday November 8th 2018

Paul Scott on November 8, 2018

In this week’s threat report we’re covering a couple 0-days, malware that could have you scrambling for your disaster recovery (DR) plan, and the rising trend of malvertising. Let’s get it goin’.

Full Disclose for VirtualBox 0-Day

Speaking of 0-days, Security researcher Sergey Zelenyuk has publicly disclosed a 0-day in virtual machine software VirtualBox without notifying Oracle, the developer of the free application. The flaw relies on a chain of bugs and can allow maliciouscode to escape the VirtualBox environment (guest) and execute on the underlying (host) operating system. Zelenyuk highlights that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). The flaw affects VirtualBox 5.2.20 and prior versions and impacts any host OS or guest OS with a VM configuration in the default setting. Zelenyuk has published a video demonstrating the attack as well as a detailed technical write-up on Github, viewable in the Validation URL section of this note.

No patches are currently available. In the meantime, Zelenyuk advises users to change the network card of their virtual machines to either PCnetor Paravirtualised Network. If this cannot be done, users should change the mode from NAT to another one. However, the first option is more secure, he adds.

Zelenyuk shared that his reasoning for publishing the 0-day without notifying Oracle first stemmed from personal frustration at how long it takes for patches to be produced and implemented, as well as issues submitting flaws to bug bounty programs. If Zelenyuk has found this, then chances are someone else has too and we are more secure by knowing about this vulnerability than by being unaware of it. Thanks, Zelenyuk. Very pragmatic.

Crypto-jacking Malware forces 3-Day St. Francis Xavier University Network Outage

According to a statement released on November 4, 2018, St. Francis Xavier University in Nova Scotia, Canada was forced to shut down its entire network for at least three days as system administrators attempted to root out a crypto-jacking (or cryptocurrency mining) malware. The attack reportedly began on Thursday, November 1, and targeted the university’s network infrastructure. After the malware was detected, the school immediately shut down its entire network, disabling all online systems including: online courses, cloud storage, email services, debit transactions, and Wi-Fi. The statement reads, “The malicioussoftware attempted to utilize StFX’s collective computing power in order to create or discover Bitcoin for monetary gain.” The statement emphasized that there is no evidence to indicate that personal or sensitive data was compromised by the malware attack. Although no sensitive data was compromised, that was just luck. Ransomware does not typically try to exfiltrate data. Had they been infected with malware that sought to exfiltrate sensitive data, we would see a data breach here instead of an outage. As a safety precaution, university officials advised all students, staff, and faculty to reset their university account passwords as a safety measure; but the university should have forced a password reset.

Disk Cryptor Leveraged by Ransomware Campaign

Another type of malware that could send you into full on DR is ransomware. MalwareHunterTeam has recently discovered new ransomware that installs Disk Cryptor to infect victim machines. Disk Cryptor is an encryption program that encrypts the whole disk and then prompts the user to enter a password on reboot. According to MalwareHunterTeam, this ransomware requires a password argument to be passed. This argument is the decryption key. It is possible that the attackers are hacking into Remote Desktop Services and installing the ransomware manually. During the installation process, a log file will be created at C:\Users\Public\myLog.txt that shows the current stage of the encryption process. Once the entire drive has been encrypted, it will reboot the computer and victims will be greeted with a ransom note that explains to contact mcrypt2018@yandex.comfor payment instructions. It is essential that you have reliable and tested backups of data that can be restored in the case of an emergency, such as a ransomware attack. There is a very narrow window to catch ransomware before it encrypts the disk. If this really is coming in through Remote Desktop Services, it’s way more likely to be a weak password than a 0-day. But, please question if you need RDP open to the world.

Related Registry Keys

  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES\DCRYPT
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\CONFIG
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT\INSTANCES
  - HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DCRYPT

  

Hashes

- 4ae71336e44bf9bf79d2752e234818a5
- f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a

Rising Malvertising Opens Gateway for 0-Days

Based on the ad related traffic before this activity, we believe this is likely related to malvertising. Malvertising is the common ground where evil marketing teams and hungry blackhats meet to perform ritual sacrifice on end users. No matter how well you train staff, if they are allowed to get on the Web, they will get ads. Ads are ubiquitouson the Internet. We are all at risk when adversaries can replace a benign, normal, soul-sucking ad with a maliciousone. We’ve been watching a large number of our customers’ users getting pop-ups for fake tech support scams that goes like, “You have been infected with Pornographic Malware please call the number on the screen or we will report you to the police.” We aren’t sure who picked up the phone and called, but we wanted to let everyone know so they can block the sources of the activity. We’re seeing this campaign across approximately 15 percent of our customer base and it does not appear to target one industry more than another. This is just a fake tech support scam. Imagine if an attacker used malvertising to distribute a new Edge 0-day instead.

Researchers recently discovered a 0-day remote code execution (RCE) vulnerability in Microsoft Edge. In a tweet posted November 1, 2018, exploit developer Yushi Liang tweeted, “we just broke #Edge, teaming up with [Alexandr Kochkov] for a stable exploit, brace yourself SBX is coming.” The tweet included an image of the Web browser that appeared to launch the Windows Calculator app. Liang and Kochkov’s objective was to develop a stable exploit and achieve full sandbox escaping of the code. The pair disclosed that they were also looking for a method to escalate execution privileges to SYSTEM, granting them complete control over the victim machine. Liang shared that he discovered the 0-day bug with the assistance of the Wadi Fuzzer utility from SensePost. The pair plans on publishing a proof-of-concept demonstrating the vulnerability soon. We’ll let you know when they do.

Until then, here are some domains to block. If you want the IPs hit me up on Slack. To see if your users got hit by this malvertising campaign, check out Perchybana:

https://app.perchsecurity.com/perchybana/#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-30d,mode:quick,to:now))&_a=(columns:!(perch_company_name,event_type,src_ip,src_port,dest_ip,dest_port,payload_printable,flow.bytes_toclient,flow.bytes_toserver,http.hostname,http.url,http.http_refer,http.status,http.redirect,http.xff,http.protocol,fileinfo.filename,fileinfo.sha1,fileinfo.size),index:'*-records',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'(%22%2Ftpage3%2F%22%20%7C%7C%20%22%2Fwelcome%2F%3Fa%3D%22)')),sort:!(timestamp,desc))

IPs

- 138.197.218.89 - Organization: DigitalOcean, LLC (DO-13)
- 159.203.166.119 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.222.164 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.240.50 - Organization: DigitalOcean, LLC (DO-13)
- 159.89.253.173 - Organization: DigitalOcean, LLC (DO-13)
- 162.248.246.162 - Organization: Centrilogic, Inc. (CENTR-60)
- 165.227.115.97 - Organization: DigitalOcean, LLC (DO-13)
- 165.227.71.84 - Organization: DigitalOcean, LLC (DO-13)
- 178.128.132.138 - Organization:  US-DIGITALOCEANLLC-20100303
- 185.44.66.174 - Organization:  UK-MASSIVEGRID-20131231
- 192.129.248.58 - Organization: Hostwinds LLC. (HL-29)
- 216.116.91.94 - Organization: Jack Henry & Associates, Inc. (JHA-1)
- 38.128.66.252 - Organization: PSINet, Inc. (PSI)
- 38.75.137.163 - Organization: PSINet, Inc. (PSI)
- 38.91.107.252 - Organization: PSINet, Inc. (PSI)
- 66.165.233.43 - Organization: NOC4Hosts Inc. (NOC4H)
- 66.165.247.187 - Organization: NOC4Hosts Inc. (NOC4H)

URIs:

- /fonts/glyphicons-halflings-regular.ttf
- /fonts/glyphicons-halflings-regular.woff
- /fonts/glyphicons-halflings-regulard41d-.eot
- /tpage3/a.htm
- /tpage3/gb.mp3
- /tpage3/iframe.js
- /tpage3/jquery-1.js
- /tpage3/login.php
- /tpage3/retreaver.js
- /welcome/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C
- /tpage3/?a=AZ&pagex=1&s1=[campaign id]%2C%2C&os=[operating system]&browser=[browser name]&isp=[internetservice provider]&ip=[public ip]&geo=[geo ip code]&q1=[string]%2C

Hashes:

- 69db1a94309e88008bbadacf301526edce59374410c83f888ec866ad6b2d8e47- iframe.js
- 71a861100e206eeee88876cd5313553e0fdc07046cce33a1a96b96d9485070e1 - retreaver.js

Domains:

- ganglioblast[.]pw
- gathering[.]pw
- gaultherin[.]pw
- glycolysis[.]pw
- haematoscope[.]pw
- haemoglobin[.]pw
- hemizygote[.]pw
- hemocyanin[.]pw
- hidradenomas[.]pw
- hologamies[.]pw
- holographies[.]pw
- homeopathies[.]pw
- homoeotic[.]pw
- homogeneous[.]pw
- homogeniser[.]pw
- homolytic[.]pw
- junaket[.]us
- kremlins[.]pw
- laudably[.]pw
- leafless[.]pw
- mannikin[.]pw
- massaged[.]pw
- metamers[.]pw
- ministrytwo[.]stream
- minusnine[.]stream
- misatone[.]pw
- misbills[.]pw
- misdeeds[.]pw
- misdoing[.]pw
- misdraws[.]pw
- misjoins[.]pw
- mislearn[.]pw
- misspent[.]pw
- mistrust[.]pw
- miterers[.]pw
- modified[.]pw
- monazite[.]pw
- monitive[.]pw
- monotony[.]pw
- mustered[.]pw
- mutating[.]pw
- muteness[.]pw
- nailfold[.]pw
- news[.]hellosite[.]info
- sp[.]cwfservice[.]net
- swiftone[.]us
- tellinglynine[.]us
- torousten[.]pw
- trivetnine[.]pw
- turgitefour[.]pw
- unearthsix[.]pw
- unkindnine[.]pw
- unlockten[.]pw
- unmetsix[.]pw
- unplaittwo[.]pw
- unplugfive[.]pw
- unresttwo[.]pw
- unretireten[.]pw
- untunedone[.]pw
- upraiseten[.]pw
- usheredfour[.]pw

Threat Report Wednesday October 31st 2018

Paul Scott on October 31, 2018

It’s time to rise from your graves for our Halloween threat report. This week we’re going to point you at a few Twitter doors to knock on, hand out some zero-day tricks and treats, and discuss a white paper that’s giving energy and water a fright.

Zero-Day Tricks and Treats

Many security professionals get their news through sources like Twitter. If you’re looking for some Twitter doors to knock on to get the good treats this Halloween, check out @SandboxEscaper and @HackerFantastic.

In recent months, security researcher @SandboxEscaper has released proof-of-concept(PoC) exploits for two Windows zero-days on Twitter. The most recent vulnerability is a privilege escalation flaw in Microsoft Data Sharing (dssvc.dll). The Data Sharing Service runs as LocalSystem account and provides data brokering between applications. @SandboxEscaper zero-days have been turned around by threat actors and seen in the wild. If you want some early warning on the next Window’s zero-day, give her a follow.

On the Linux side of the world, security researcher Narendra Shinde discovered a local privilege-escalation and file-overwrite vulnerability in X.Org X server that opens the door for a trivial compromise of a Linux system.

Essentially, Shinde says this is the result of “incorrect command-line parameter validation”. The system doesn’t check for correct permissions on the -modulepath or -logfile command line switches. Both are root-privileged X.org processes.

Although this was only given a 6.6 CVE score (likely because it was considered a local exploit) security pro @HackerFantastic has released a PoC on Twitter that shows this working remotely via SSH. This makes CVE-2018-14665 a dime in my little black book.

“Xorg Local Privilege Escalation (LPE) via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with three commands or less”. @HackerFantastic regularly posts PoCs and other good security news. You should give him a follow too.

Spectre of Spectre Returns to Haunt Halloween

Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) have reported an industry-wide issue found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). The vulnerability relies on the presence of a precisely-defined instruction sequence in the privileged code. As well as the fact that memory read from address to which a recent memory write has occurred may see an older value. Subsequently this will cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. This impacts the qemu-kvm and libvirt packages.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

The libvirt library contains a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

This reminded us of the OG speculative execution vulnerability, Spectre, disclosed Jann Horn and Paul Kocher in collaboration with Daniel Genkin, Mike Hamburg, Moritz Lipp and Yuval Yarom.

Water and Energy Industrial Controls Exposed on the Web

Trend Micro has recently published a white paper on water and energy infrastructure exposed to the Internet, and it’s worth a read. Trend Micro reports that Energy is the top critical infrastructure for most industrial economies and Water is a natural extension of the energy sector; with water being a key component in hydroelectric and geothermal plants. Protecting critical infrastructure against cyber attacks should be of the highest priority for the organizations that operate it.

Perch provides threat detection services to a number of Critical Infrastructure providers in the Water and Energy space. We looked for some of the common exposed services mentioned in this white paper. After reviewing all customer data for the last 30 days we found no established flow from the wild Web to a port related industrial control systems. Good job, Perchy people. You get a treat.

Threat Report Thursday October 25th 2018

Paul Scott on October 25, 2018

As we approach Halloween, it has been a frightening week in security. We have an ancient Zero-Day rising from the shadows, government data being sucked dry by a data breach, and monstrous malware kidnapping your codes. Don’t get spooked!

Cashdollar Hits Jackpot with Discovery of 8-year-old Zero-Day

Larry Cashdollar, a security researcher from Akamai SIRT, has recently discovered a zero-day vulnerability in jQuery File Upload plugin (CVE-2018-9206). This vulnerability enables the attackers to upload malicious files to servers, such as rootkits, backdoors, and other malware. Based on Cashdollar’s research, the vulnerability has been exploited before 2016. There was an uploaded video in YouTube dating back to August 2015 about bug tutorials in jQuery File Upload, noting that hackers have been widely exploiting the vulnerability.

Cashdollar notified the vulnerability to Sebastian Tschan (aka Blueimp), a German developer who authored the jQuery File Upload plugin. Tschan conducted his own research and found out that the root cause lies in the security changes via “.htaccess” in the Apache Web Server (Apache HTTPD Server Version 2.3.9) dating back to 2010. This update allows the owner to ignore custom security settings for individual directories. Unknowingly, the jQuery File Upload plugin of Tschan rely on “.htaccess”, which was active by default. All versions of the plugin are vulnerable up to 9.22.1.

The plugin has been integrated to thousands of projects such as content management systems (CMS), customer relationship management (CRM), intranet solutions, WordPress plugins, Drupal add-ons, and Joomla components - to name a few. The jQuery File Upload plugin has been forked in GitHub over 7,800 times. Cashdollar has used his proof of concept (POC) and tested 1,000 of 7,800 forks of the GitHub plugin and found out that all were exploitable. But GitHub forks of this vulnerable code are only one part of the problem. There is no way to track applications that have integrated jQuery File Upload plugin without forking through GitHub. Cashdollar has notified US-CERT due to the seriousness of the vulnerability.

This is a critical vulnerability and can allow an attacker to remotely gain control of vulnerable applications. It is amazing that this hasn’t been discovered more recently since it has been on YouTube for three years. It’s time to start writing YouTube scrapers into our open source intel tools. If you are using a jQuery File Upload plugin or a forked version of this vulnerable code in your application, you should upgrade immediately. If you’re including unknown open source code into your application, you should attempt a security review of the code.

75,000 Individuals’ Records Compromised from HealthCare.gov

AP News reports that roughly 75,000 individuals’ records have been compromised in a HealthCare.gov security breach. On October 19, 2018, the Centers for Medicare and Medicaid Services (CMS) released an official statement explaining that on October 13 they detected suspicious activity in the Federally Facilitated Exchange’s (FFE’s) Direct Enrollment Pathway. A system designed to allow agents and brokers to help customers apply for coverage in the FFE. An official data breach was declared on October 16. CMS states that agent and broker accounts associated with the suspicious activity were deactivated and the Direct Enrollment Pathway for agents and brokers was also disabled.

Officials determined that roughly 75,000 individuals’ records were accessed during the breach but note that this is a “small fraction” of the FFE’s total consumer records. CMS officials are currently working to identify all individuals impacted by the breach so that they may be notified and offered credit protection. CMS officials also state that open enrollment on HealthCare[.]gov and the Marketplace Call Center are presently available for the general public. A more secure Direct Enrollment Pathway system will be restored for agents and brokers within the next seven days. The statement adds that CMS is in the beginning stages of the assessment of the breach.

Since only some suspicious accounts were associated with the suspicious activity it is likely that this was the result of weak passwords being brute forced or password stealing malware on users’ machines.

Release the Kraken: New Variant on Kraken Cryptor Ransomware

Bleeping Computer has recently published a report about a new variant of Kraken Cryptor ransomware being distributed via malvertising and through the RIG exploit kit. The new Kraken Cryptor version 2.0.6 was first detected by security researchers @nao_sec and @kafeine and shared with Bleeping Computer.

Through the shared file hashes and information, Bleeping Computer was able to determine that this ransomware was able to infect 217 unique victims globally since October 20, 2018. Interestingly, this new variant connects to “bleepingcomputer.com” during different stages of the encryption process. It is still not certain on what the motive is for connecting to BleepingComputer during encryption. BleepingComputer owner Lawrence Abrams says it is just to poke on them since BleepingComputer has tackled Kraken Cryptor ransomware in the past.

The request to the URL shortening services is encrypted. So, you likely won’t be able to see the user-agent or referrer unless you utilize a forward proxy to inspect outbound traffic. However, you should see an encrypted connection to 2no.co domain and then a redirect to bleepingcomputer.com.

Domains:

• 2no[.]co (legit url shortening service)
  
• bleepingcomputer[.]com (legit site haunted by a vengeful ghost)
  
  

HTTP User-agent:

• Kraken web request agent/v2.0.6
  
  

HTTP Referrer:

• country code + drive size + status
  
  

We know that Ransomware can be scary, so we asked Perchy to look around for this new variant. Perchy says, no traffic in the last 30 days is consistent with indicators for the newly released variant of Kraken Cryptor. All Perch customers are clear, and no infection was seen.

Threat Report Thursday October 17th 2018

Paul Scott on October 17, 2018

Welcome back to the Perch weekly threat report. Over the last week there has been a lot of security related news, but we’re focusing on a ransomware outbreak reported by a state-run utility and spotlighting one of Zeus’ lesser-known offspring, Panda Banker.

Ransomware Demands Flushed by North Carolina Sewer Authority

Disaster recovery plans are essential when attempting to recover from a ransomware attack, as shown recently by Onslow Water and Sewer Authority. That may include ready-to-restore backups or having manual processes in place for different disaster scenarios. If ransomware isn’t a scenario you plan for, you should.

According to an official statement released Monday, October 15, 2018, Jacksonville, North Carolina-based Onslow Water and Sewer Authority (ONWASA) suffered an attack that resulted in malware infection. The company states that on October 4th, they began experiencing persistent virus attacks from Emotet malware. On Saturday, October 13, at 3AM local time, the company states that Emotet dropped Ryuk ransomware, which spread along the network, rapidly infecting databases and files. ONWASA refused to pay the ransom and instead chose to “undertake the painstaking process of rebuilding its databases and computer systems from the ground up.” The attack did not expose customer information, nor did it interrupt water and wastewater services to homes and businesses.

The statement notes that the incident is similar to another ransomeware attack on official county computer systems in Mecklenburg County, North Carolina, which occurred last year. An FBI spokesperson confirmed that they are currently investigating the incident.

The faster a threat is detected the less it costs to remediate. That’s why having threat detection and a SOC in place is key. Had this attack been caught at the initial Emotet infection and stopped, it would have cost less than responding to a ransomware outbreak.

Malware Spotlight: Panda Banker

I heard sunlight is the best disinfectant. So this week we’re decided to shine some light on the well-maintained Panda Banker malware, a variant of the Zeus banking trojan.

Researchers have identified that Panda Banker has been updated numerous times and has remained active since 2016. Recently, Panda Banker is being installed by the Emotet malware. The attack appears in the form of a malspam phishing campaign that uses weaponized Microsoft documents that deploy the payload. Researchers note that financial institutions and other video streaming service/e-commerce company were targeted in Japan. Other primary targets were organizations from United States and Canada.

Researchers note that the malware has a sophisticated attack cycle, combined with heavily coded obfuscation techniques and multi-encryption layering. After execution, it first checks if it is running in a sandbox, then creates a copy of itself. The malware then creates two “svchost.exe” and injects it with the Trojan. It downloads the configuration from its C&C Server and injects a DLL to intercept traffic through API hooking.

Panda Banker uses the Mersenne Twister algorithm to generate a URL to connect to its C&C Server. Panda Banker will lie in wait until the infected browser visits a targeted website, such as an online banking system, credit card company, and blockchain information. The malware will then steal bank or credit card details, personal data, and web wallet information. This campaign shows that financial gain is a major factor in how Trojans are being used by threat actors.

The Perch SOC regularly goes thrunting, a term they lovingly created for threat hunting, for observables in all customer environments. If you’re a customer, good news! We’ve checked your security event data for over 200 indicators related to Panda Banker. We found no signs of Panda Banker being downloaded or smuggling bits out of your environment. At Perch, we enable customers to see further because we give a flock. Below is a list of domains Perch found linked from malspam.

Domains:

• apx[.]email
  
• carolinegraham[.]me
  
• carvanadenver[.]com
  
• carvanamemphis[.]com
  
• carvananashville[.]com
  
• colleenmansfield[.]com
  
• genesisatoxmoor[.]com
  
• genesiseastlouisville[.]com
  
• genesisofeaslouisville[.]com
  
• genesisofindiana[.]com
  
• genesisofwestlouisville[.]com
  
• jclgraham[.]com
  
• laurengraham[.]me
  
• michaelagraham[.]com
  
• newlacafe[.]com
  
• oxmoorusedcars[.]com
  
• pegasussoilsolutions[.]com
  
• pegasussoilsolutionsllc[.]com
  
• sellittooxmoor[.]com
  
• selltooxmoor[.]com
  
• zombiedebtslayer[.]com
  
  

Resource:

threatvector

Threat Report Thursday October 11th 2018

Paul Scott on October 11, 2018

This week we’re covering three current events. The first two are related to threats targeting the financial sector. The last is a cautionary tale of malware infection at a large restaurant chain.

APT38 is getting SWIFT

In a report published October 3, 2018, FireEye detailed the activities of APT38, a threat actor conducting financially motivated and cyber-espionage related crimes on behalf of the North Korean regime. FireEye identifies APT38 as a North Korean Nation State sponsored group sharing overlapping characteristics with both Lazarus Group and TEMP.Hermit. According to their findings, APT38 executes sophisticated bank heists resulting from extensive planning and maintains long periods of access on a compromised victim’s environment. APT38 was linked to multiple incidents targeting SWIFT systems. APT38’s primary goal is to raise large sums of money for the North Korean regime; however, FireEye states that they also target infrastructure to facilitate continuous operations and evade detection.

APT38 primarily targets financial institutions such as banks, credit unions, and financial transaction and exchange companies. Other targeted organizations include media companies and government entities. Known victims reside in the following countries: the United States, Mexico, Brazil, Chile, Uruguay, Poland, Turkey, Russia, Bangladesh, Malaysia, Vietnam, and the Philippines. In Annex B of the report, FireEye details an extensive list of malware used by APT38, including established, well-known tools (NestEgg, DarkComet) to lesser-known tools (DyePack, BLINDTOAD). FireEye believes APT38 is a well-resourced and persistent threat likely to continue its illicit financial-crime activities.

Resources:

Fireeye

Betabot continues to evolve its toolset for breaking the bank

Security researchers from Cybereason have detected a new campaign involving the Betabot (Neurevt) Trojan. Betabot first appeared in 2012 as an info-stealer and evolved as a banking trojan packing with destructive features. This updated version has functions like browser form grabbing, File Transfer Protocol (FTP) and mail client stealer, banker module, running distributed denial of service (DDoS) attacks, USB infection module, Robust Userland Rootkit (x86/x64), Arbitrary command execution via shell, and crypto-currency miner module. Betabot can also drop other malware and gain persistence via Windows Task Scheduler and Registry Autorun. Researchers note that the Betabot was designed to operate in “paranoid mode.” It includes self-defense mechanisms such as anti-debugging, anti-virtual machine/sandbox, anti-disassembly, and detect at least 30 security products and analysis tools and try to disable/remove them.

The malware is carried out using phishing attack with social engineering tactics. The email persuades the user to open an attached weaponized Microsoft Word document as the Betabot malware exploits CVE-2017-11882, an 18-year old vulnerability in the Equation Editor tool in Microsoft Office. The vulnerability was discovered in 2017 and patched by Microsoft. It communicates with its C&C Server after checking internet connection by sending requests to Google.com and Microsoft Update Sites. Researchers note that to prevent Betabot infections, users should keep their software up to date, install Microsoft Security patches, and avoid opening attachments from unknown senders.

Resources:

Cybereason

Microsoft

Malware gets year-long all you can eat burger time pass

Restaurant chain Burgerville has recently revealed a security breach that has started over a year ago. Based on the online report, the Federal Bureau of Investigation (FBI) contacted Burgerville last August 2018 about a security incident involving FIN7 which was thought to be “brief intrusion” that no longer existed. By September 19, FBI informed Burgerville that the attack is still active, and was much more severe than expected. Burgerville took steps for remediation, and in cooperation with the FBI and an outside cybersecurity firm, they launched a full forensic investigation. Based on the investigation, the malware was installed on Burgerville systems such as Point of Sales (PoS) machines to steal customer data. Customer’s credit and debit card information such as names, card number, expiration dates, and CVV numbers may have been compromised. The number of affected customers is currently unknown, as the tactics of FIN7 were said to be sophisticated and adept at concealing their digital footprints.

Burgerville explained that they didn’t announce the breach sooner to maintain the confidentiality of the breach during the investigation with the FBI. The remediation plan, which was completed by September 30, has to be kept secret. As part of their remediation plan, Burgerville has also upgraded their systems to counter this kind of attack. The company has asked their customers who have visited their restaurants and used their cards between September 2017 to September 2018 to monitor their financial statements for fraudulent activities.

The longer a threat goes undetected the more expensive it is to remediate. Security programs can be expensive if you go it alone. If Burgerville had a team of security analysts monitoring and didn’t rely on FBI notification, they would have caught the initial and continued infection.

Resources:

Burgerville

Threat Report Wednesday October 3rd 2018

Paul Scott on October 3, 2018

In this weekly threat report, we’ll cover three current events. Facebook loses 50 million auth tokens, a phishing campaign is evading AV to deploy remote access trojans, and a ten-year-old privilege escalation vulnerability has major Linux distributions scrambling to release.

Facebook loses control of auth tokens used for FB and every site you log into using Facebook SSO.

On Friday, September 29, Facebook announced an attacker exploited a vulnerability and potentially compromised up to 50 million users Facebook accounts. The vulnerability exposed user access tokens in the HTML of the site page. Facebook published a statement on this incident, which it later updated with further technical details describing the nature of the vulnerability as the combination of three unknown flaws in a feature known as ‘View As.’

The statement included the following:

“Earlier this week, we discovered that an external actor attacked our systems and exploited a vulnerability that exposed Facebook access tokens for people’s accounts in HTML when we rendered a particular component of the ‘View As’ feature. The vulnerability was the result of the interaction of three distinct bugs:

First: View As is a privacy feature that lets people see what their profile looks like to someone else. View As should be a view-only interface. However, for one type of composer (the box that lets you post content to Facebook) — specifically the version that enables people to wish their friends happy birthday — View As incorrectly provided the opportunity to post a video.

Second: A new version of our video uploader, introduced in July 2017, incorrectly generated an access token that had the permissions of the Facebook mobile app.

Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.”

Fifty million users were potentially affected by this vulnerability. As a precaution, Facebook has reset the tokens. However, it does nothing to resolve the potential data an attacker may have stolen.

Facebook confirmed that these access tokens might have been used to login to third-party sites via Facebook’s SSO. According to a 2015 report by Gigya, Facebook had the largest share of all identity providers at a 64% share of social login. This aspect of the breach makes it particularly nasty and should remind everyone of the risk of centralized authentication and single sign-on.

Resources:

theverge

facebook

gigya

facebook

Phishing expedition dodges AV to land Adwind RAT

Security researchers from Cisco Talos with ReversingLabs have released a report regarding a new campaign dropping Adwind Trojan. This new phishing spam campaign spreads the Adwind 3.0 RAT which infects Windows, Mac OSX, and Linux operating systems. The spam email contains weaponized malicious “.csv” and “.xlt” file attachments to entice the user to open.

Adwind 3.0 has a set of new tools, especially an evasion technique by utilizing the Dynamic Data Exchange (DDE) code-injection technique. This DDE, which transfer data between applications, compromises Microsoft Excel. Microsoft Excel opens by default the two droppers found in this campaign, the “.csv” and “.xlt.” Researchers note that this is part of the obfuscation technique applied wherein signature-based anti-virus aren’t able to detect. Instead of identifying that it is a malicious file, it prompts that it is corrupted. If the user opens the file, it executes the dropper. It creates a Visual Basic script that uses bitsadmin tool, which loads the final Java archive payload that contains Adwind installer.

This kind of injection has been used for years, but the treat actor was able to customize it to have an extremely low detection ratio. Other functions of this RAT includes log keystrokes, take screenshots, take pictures, transfer files, or execute any other command from its C&C Server. Researchers have verified that the malware has been targeting mostly Turkey and Germany, but many malware samples have also been detected in the US, India, Vietnam, and Hong Kong. Researchers have noted that sandboxing and behavior-based detections should be able to detect and stop this spam campaign.

Resources:

Reversing Labs

Talos Intelligence

Hashes:

• 93a482e554e2a37e6893fdd8cd92537c0ebc7363ac5fac44b7a4af4a2088ea24
  
• 0af2c5a46df16b98b9ab5af0ec455e98f6e1928c10ed8b6ffec69573498bdd8a
  
• 93280872f685f9c26d5f668ca1303f224a38d2b86ba707cdbb3d57427396e752
  
• 0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8
  
• 65220dae459432deb1b038dbcbf8a379519a1a797b7b72f6408f94733bc5a2c2
  
  

URLs:

• http://www[.]qakeyewoha[.]club/?from=@
  
• http://www[.]avrasyayapi[.]live/?from=@
  
• http://www[.]birlikholding[.]live/?from=@
  
• http://avrasyagrup[.]live
  
• http://www[.]erayinsaat[.]live/?from=@
  
• http://www[.]yeyamohofe[.]club/?from=@
  
  

Mutagen Astronomy (CVE-2018-14634) creates a deep impact on Red Hat, CentOS, and Debian

Risk managers better get that VRM and start checking on vendor patch levels. Security researchers from Qualys have discovered a vulnerability named Mutagen Astronomy (CVE-2018-14634) that affects Red Hat Enterprise Linux (RHEL), CentOS, and Debian users. The critical vulnerability can be used for Local Privilege Escalation (LPE)on 64-bit systems. An integer overflow triggers the vulnerability in the create_elf_tables() Linux kernel function. If exploited, it causes a buffer overflow that executes malicious code with root privileges. According to researchers, Mutagen Astronomy was present in the Linux kernel between July 19, 2007 (kernel commit: b6a2fea39318) and July 7, 2017 (kernel commit: da029c11e6b1). Researchers were able to publish two proof of concept (PoC)s for Mutagen Astronomy. The Red Hat Team has confirmed this vulnerability. Some releases have been patched while some are still vulnerable. If a fix has not been released for your version, a patch is available.

Resources:

Qualys

Qualys

Security-tracker

Qualys

Redhat

Threat Report Thursday September 28th 2018

Paul Scott on September 28, 2018

This week we are covering three emerging stories in the weekly threat report. First, we’ll cover a newly discovered case of ATM skimmers being installed at banks. Then we’ll transition to two digital threats. The first is related to the reuse of breached credentials in brute force attacks against the financial sector and the second is related to Microsoft’s battle against phishing attacks targeting the upcoming mid-term elections.

Two ATM Skimmers Found at Old Second Bank

Authorities from Aurora Police Department are investigating ATM skimmers found at two Old Second Bank branches in Aurora. The first ATM skimmer was found at 1300 block of North Farnsworth Avenue by an Old Second Bank employee at around 6:30AM. The employee saw a woman walking up to the ATM and acting suspiciously. When the woman left the area, the bank employee checked the ATM with the ATM skimmer and notified other branches of possible skimming which in turn identified the second ATM skimmer at the Fox Valley branch. Investigators are looking through security footages and already released surveillance photos related to the ATM skimming incident. The police are advising bank account holders to immediately report any possible identity or card theft to their bank.

Resources:

Chicago Suntimes

Credential Stuffing Attacks Focused on Financial Sector

Cybersecurity firm Akamai has recently released its “2018 State of the Internet / Security – Credential Stuffing Attacks Report”. The report shows that organizations, particularly in the financial sector, should be cautious about credential stuffing attacks. Credential stuffing is considered to be login attempts utilizing passwords recovered from a breach. The trend of malicious login attempts is on the rise because botnets are being used to automate credential stuffing, and according to the researchers, it has a Distributed Denial of Service (DDoS) effect. Researchers have documented over 30 billion malicious login attempts from November 2017 to June 2018.

Akamai recorded two particular cases of credential stuffing with the use of heavy-handed botnet operation. First is an unnamed Fortune 500 company where login attempts average from 50,000 an hour to over 350,000 in a single afternoon. The botnet generated 8.5 million malicious attempts in six days. The second is a US credit union that receives 45,000 login attempts every 60 minutes. Another botnet that used a brute-force attack generated 4.2 million attempts in 7 days. Researchers have noted that the US, Russia, and Vietnam are the primary sources of credential stuffing attacks.

Researchers have mentioned that credential stuffing attacks are continuously evolving their methodologies - from volume-based noisier attacks to stealthy low and slow attacks. Without the right defense and expertise, top to bottom organizations alike would fall victim to such attacks.

Resources:

ZDNet

Akamai

Akamai

APT28 Uses Bitcoin to Register Midterm Election Phishing Domains

RiskIQ conducted an investigation into domains that Microsoft sink-holed, which were used in phishing activity that Microsoft attributed to APT28. Microsoft was able to tie the domains in question back to APT28 by tracking historical infrastructure and following the tactics, techniques, and procedures (TTPs) associated with the group over the past few years. The domains were styled to mimic US Senate domains, along with think tanks Hudson Institute and the International Republican Institute. These domains are currently sink-holed at Microsoft’s IP 157.56.161.162. The subdomains target mail servers, or emulate Microsoft products, associated with the domains below:

• senate[.]group [adfs.senate[.]group]
  
• my-iri[.]org [Sharepoint.my-iri[.]org]
  
• hudsonorg-my-sharepoint[.]com [Mail.hudsonorg-my-sharepoint[.]com]
  
• office365-onedrive[.]com [Mail.office365-onedrive[.]com]
  
• adfs-senate[.]email
  
• adfs-senate[.]services
  
  

RiskIQ found that APT28 exclusively used domain registrars and hosting providers that accept Bitcoin as payment. This is typical for APT28, who maintain multiple command and control servers for varying durations, cycling the hosting IP, while using registrars that accept Bitcoin, fake phone numbers and names, and use of a registrant email address derived from the domain being registered. The connection to old infrastructure was on the IP 154.16.138[.]57 which hosts vpn647639221.softether[.]net, a VPN service abused by APT28 according to the Department of Justice. This IP also hosted ‘mail[.]office365-onedrive[.]com’ on June 26th. The domains also had connections to disinformation campaigns, as the domain americafirstpolitics[.]com is hosted on Namecheap’s IP, 162.255.119.70, which also hosts of office365-onedrive[.]com. Historical information shows the domain americafirstpolitics[.]com hosting typical disinformation articles and content.

Hosting providers abused by APT28 include Bacloud, Frantech, GloboTech Communications, Info-Tel, MonoVM, Namecheap, Public Domain Registry, and Swiftway. Domains were hosted on various IPs, from rapid cycling that lasted less than a month to domains on Bacloud that were hosted for nearly a year (adfs-senate[.]services was hosted on 185.25.51[.]64 from September 2017 to August 2018). RiskIQ noted that some subdomains were hosted only for a day or two before being taken offline, saying “APT28 [may have] launched attacks from these domains then rapidly disabled routing/hosting to avoid detection or capture of their phishing or malware pages.”

Several of the servers had open ports used for Microsoft’s remote desktop protocol, while others presumably ran SSH on port 22. Almost all, except 37.72.175.151, ran HTTP with a few running HTTPS as well. The IPs 23.227.207.167 and 173.209.43.29 had some ports open that were almost matching, the only differences being the former having port 22 open while the later opened 49157, which is usually assigned dynamically. Interestingly, they also have ports open, typically used, for NetBIOS and Distributed COM Service Control Manager, which should not be exposed to the internet as it can be used to quickly identify every DCOM-related server/service running on a machine for exploitation. The IP 185.25.51.64 had port 25 open, which is used for SMTP and could be indicative of its use for sending phishing emails.

Domains:

• americafirstpolitics[.]com
  
• adfs-senate[.]email
  
• mail[.]office365-onedrive[.]com
  
• adfs-senate[.]services
  
• my-iri[.]org
  
• office365-onedrive[.]com
  
• senate[.]group
  
• adfs[.]senate[.]group
  
• mail[.]hudsonorg-my-sharepoint[.]com
  
• sharepoint[.]my-iri[.]org
  
• hudsonorg-my-sharepoint[.]com
  
• vpn647639221[.]softether[.]net
  
  

IPs

• 37.72.175.151
  
• 162.255.119.70
  
• 157.56.161.162
  
• 154.16.138.57
  
• 185.25.51.64
  
• 23.227.207.167
  
• 173.209.43.29
  
  

Resources:

Riskiq

Microsoft

Threat Report Tuesday September 18th 2018

Paul Scott on September 18, 2018

In this week’s threat report we’re covering two stories, the discovery of XBash malware and an unground marketplace offering a compromised bank ATM and three different companies’ company websites for sale.

XBash Malware Discovered

Researchers have discovered XBash, a malware with ransomware, botnet, and coin-mining functionalities. According to their research, XBash abuses weak passwords and unpatched vulnerabilities and is capable of spreading rapidly within an organization’s network. Researchers found that XBash targets Linux-based systems specifically for its ransomware and botnet capabilities, and targets Microsoft Windows-based systems primarily for its coin-mining and self-propagating capabilities. While XBash has ransomware functionality, researchers found no evidence to suggest that XBash would restore data after the ransom is paid.

At the time of report, researchers had observed 48 incoming transactions associated with the malware with a total income of 0.964 bitcoins, indicating that victims had paid roughly $6,000 total. XBash was first developed in Python and then converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Instead of generating random IP addresses as scanning destinations like many other botnets, XBash instead retrieves both IP addresses and domain names from its C2 servers for service probing and exploiting. XBash can also scan for vulnerable servers within an enterprise intranet; however, researchers have only observed this functionality in collected samples and have yet to see it in action.

paloaltonetworks

Recommendations:

• Blocks emails from:
  
  • backupdatabase@pm[.]me
    
  • backupsql@pm[.]me
    
  • backupsql@protonmail[.]com
    
• Using strong, non-default passwords
  
• Keeping up-to-date on security updates
  
• Implement endpoint security on Microsoft Windows and Linux systems
  
• Prevent access to unknown hosts on the internet (to prevent access to command and control servers)
  
• Implement and maintaining rigorous and effective backup and restoration processes and procedures.
  
  

BigPetya Offers Compromised ATM for Sale

Perchy monitors many marketplaces for threat leads, and a compromised ATM for rent caught our eye. Lampeduza, aka BigPetya, a member of multiple underground forums, is selling access to an ATM belonging to a Nigerian bank for $25,000. The actor is also selling access to three different company websites. The first is californiaoliveranch.com, an online store linked to 1,000 PCs, available for the price $5,000. The second is dizucar.com, a company with 500-900 connected computers and a server, available for $4,000, and the last is www.enel.com, available for $10,000. Compromised sites are often leveraged in other attacks. If you start to see these domains pop up in your logs you may want to take a closer look even though the sites appear legitimate and do not have a negative reputation.

Recommendations:

• Monitor your ATM network and system activity for signs of compromise and infection.
  
• Monitor these domains and IPs for phishing, scanning, or malware hosting activities.
  
  • dizucar[.]com - 108.178.54.58
    
  • www[.]enel[.]com - 107.154.108.99
    
  • californiaoliveranch[.]com - 104.196.229.107
    

Threat Report Tuesday September 11th 2018

Paul Scott on September 11, 2018

In this weekly threat report, we’ll cover two topics, 380K British Airways users skimmed by Magecart breach and the Mirai/Gafgyt botnets get upgraded to fly first class with Apache Struts & SonicWall Exploits.

Mirai & Gafgyt get an upgrade

Security researchers uncovered two botnet variants of Mirai and Gafgyt(BASHLITE) with upgraded versions to take advantage of vulnerabilities. Both IoT botnets are associated with DDoS campaigns since November 2016. The Gafgyt version exploits the SonicWall vulnerability (CVE-2018-9866) that affects older unsupported SonicWall Global Management Systems(GMS 8.1 and older).

The Mirai version exploits the same Apache Struts Vulnerability (CVE-2017-5638) associated with the Equifax data breach in 2017 together with 15 other vulnerabilities. These vulnerabilities include Linksys E-Series devices(Remote Code Execution), Avcron NVR Devices(Remote Command Execution), D-Link devices(D-Link RCE), CCTVs & DVRs from 70 vendors(Remote Code Execution), EnGenius EnShare IoT Gigabit Cloud Service 1.4.11(Remote Code Execution), AVTECH IP Camera/NVR/DVR Devices(Unauthenticated Command Injection), Zyxel routers(CVE-2017-6884), NetGain Enterprise Manager7.2.562(Ping Command Injection), NUUO NVRmini 2 3.0.8(OS Command Injection), DGN1000 Netgear routers(Unauthenticated RCE), D-Link devices(HNAP SoapAction-Header Command Execution), D-Link DSL-2750B(OS Command Injection), MVPower DVR(JAWS Webserver authenticated shell command execution), and Dasan GPON routers(CVE-2018-10561, CVE-2018-10562).

Researchers noted that this is the first time the Mirai botnet has targeted a vulnerability in Apache Struts. Researchers have pointed out that the incorporation of exploits targeting Apache Struts and SonicWall could indicate the threat actors are increasingly targeting outdated enterprise devices.

paloaltonetworks

Mitigation Strategies:

• Keep device firmware and software up to date.
  
• Regularly perform network scans for vulnerable devices.
  
• Monitor your devices for network traffic that indicates successful exploit.
  
  

British Airways skimmed by Magecart

British Airways recently announced that it suffered a major breach that resulted in customer data theft that impacted roughly 380,000 customers. Names, addresses, email addresses, and payment details of customers with completed transactions from 22:58 BST on August 21 until 21:45 BST on September 5 were compromised. The breach surprisingly didn’t impact passport numbers and other travel data.

Researchers revealed how Magecart threat actor was able to hack the British Airways, like the Ticketmaster breach. As reported, data was stolen directly from the website and mobile app which carries payment forms. Researchers suspect that Magecart used cross-site scripting attack in British Airways’ poorly secured web page component and injected their skimmer code, altering the victim’s site behavior. The attack was tailor-made for the British Airways’ payment page.

Evidence was found that Magecart might have breached the British Airways site days before the skimming began. The attacker’s server used a certificate that was issued on August 15th, days before the reported stardate of August 21, 2018. Researchers warn Magecart uses custom-built attacks for targeted victims, which is a real threat for online payment processing.

Magecart has likely considered other airlines as targets and this is not the first breach in the aviation sector. Aviation sector businesses should consider community defense and evaluate membership in information sharing and analysis centers like A-ISAC.

britishairways

riskiq

a-isac

Mitigation Strategies:

• Keep web applications components up to date.
  
• Regularly scan your web applications for vulnerable components or unauthorized changes.
  
• Monitor your web applications via network and log to for indicators of compromise and successful attacks.
  

Threat Report Tuesday August 28th 2018

Stephen Coty on August 28, 2018

Ryuk ransomware campaign targeting large organizations in the US and around the world has made the attackers behind it over $640,000 in bitcoin in the space of just two weeks. It appears to be connected to Lazarus, the hacking group working out of North Korea. Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.

Secondly, Security researchers at Kaspersky Lab have uncovered a new campaign dubbed as “AppleJeus” being carried out by North Korean APT group Lazarus. Highly active in recent months, researchers note that this is the first time the threat group not only targeted Windows Systems but also targeted and developed macOS-based FallChill malware. The breach was sourced back to an email to an unsuspecting employee of the cryptocurrency exchange company that downloaded third-party legitimate-looking Celas Trade Pro, a cryptocurrency trading program developed by Celas.

Malware: Ryuk ransomware

It first emerged in mid-August and in the space of just days infected several organizations across the US, encrypting PCs and storage and data centers of victims and demanded huge Bitcoin ransoms. The attacks are highly targeted to such an extent that the perpetrators are conducting tailored campaigns involving extensive network mapping, network compromise and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.

For more information there are a few links below:

Siliconangle

Cryptonewsreview

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a malicious files
  
• Intrusion detection systems (IDS) would detect additional payload downloads
  
• A solid Backup strategy for easy restore as not to disrupt business operations
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: AppleJeus

The malware checks if it’s worth attacking. It runs an auto-Updater which contacts the C&C Server to download and run additional executables including the payload, Fallchill backdoor. In turn, Fallchill malware can secretly take over the victim’s computer and carry out cryptocurrency mining. Researchers suspects Celas is a fake company created by the North Koreans. Researchers believe that a Linux version of the malware might have been circulating already, if not in development.

For more information there are a few links below:

SCmagazine

Pastebin

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for communication to the C2 network
  
• Email filtration to find malicious attachments
  
• FIM looking for the downloaded executables related to the fallchill backdoor
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Thursday August 23rd 2018

Stephen Coty on August 23, 2018

In August 2018, a new variant of malware - KeyPass ransomware - gained traction using new techniques like manual control to customize its encryption process. Researchers at Kaspersky Lab say that the trojan is being propagated by means of fake installers that download the ransomware module. The trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

Security researchers at Proofpoint recently discovered a new malware strain dubbed Marap. The malware is being distributed via spam emails containing malicious attachments. Based on the campaign’s pattern, Proofpoint linked it to Necurs. Marap can be used to download other malwares. Bleeping Computer states that Marap infects victims, fingerprints their systems, and sends this information back to a central command and control (C&C) server.

Malware: KeyPass Ransomware

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. Many ransomware species hunt documents with specific extensions, but this one bypasses only a few folders. Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “!!! KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory. In just 36 hours — from the evening of August 8 to August 10 — the ransomware cropped up in more than 20 countries. Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa.

For more information there are a few links below:

Latam

Pastebin

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a malicious .keypass or .txt
  
• Intrusion detection systems (IDS) would detect additional payload downloads
  
• A solid Backup strategy for easy restore as not to disrupt business operations
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: Marap

As for the malspam campaigns pushing the new Marap downloader, Proofpoint says it has observed various versions. Researchers have seen campaigns leveraging . IQY files, PDF documents with embedded IQY files, password-protected ZIP archives, and the classic Word docs with embedded macros. The malware also has basic features to detect virtual machines used for malware analysis though not as complex compare to other malwares.

Threatpost

Essentials

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for communication to the C2 network over http
  
• Web filter to block the outgoing http traffic
  
• Email filtration to find malicious attachments related to Marap
  
• FIM looking for the downloaded .zip file containing a .iqy file or MS word doc with macros
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Thursday August 16th 2018

Stephen Coty on August 16, 2018

New Zombie Boy Crypto miner Discovered. Security Researcher James Quinn has recently discovered a new monero miner worm that appears to amass $1,000 per month and uses multiple exploits to avoid detection. Unlike MassMiner crypto currency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect. Secondly, Security researchers at Check Point have revealed at DefCon 26 that a cyber criminal can infiltrate a network using a vulnerability of a fax machine protocol. Using only a fax number, an all-in-one printer-fax machine can be penetrated through Faxploit and have access to the network. The attackers just needs to send a malicious fax to a vulnerable fax machine to have access. Researchers note that attackers can then steal printed documents, mine Bitcoin, or practically anything the attacker can think of.

Malware: Zombie Boy Crypto

The tool also utilizes DoublePulsar and EternalBlue exploits to remotely install the main dll. Quinn states that the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor as well as an RDP backdoor. According to Quinn’s findings, ZombieBoy is being updated on a daily basis, and the malware will not run if it detects it is in a virtual machine environment, debilitating researchers’ ability to reverse engineer and analyze it. The miner uses Simplified Chinese language, indicating that the author may be Chinese.

For more information there are a few links below:

Securityaffairs

Spamfighter

Some Mitigation Strategies:
- File Integrity Management (FIM) to monitor for the download of a malicious .dll files
- Intrusion detection systems (IDS) would detect peer to peer communications
- Web Filtration would block or alert on outbound communication to posthash/hashnice.org
- 24x7 Security Monitoring for malicious behavior and immediate incident response

Malware: Vulnerability of a fax machine protocol

All IoT devices connected to the fax-printer such as server, router, workstations, laptops, or mobile devices would be vulnerable to the attack. Check Point collaborated with HP and used an HP Officejet Pro 6830 all-in-one printer as a test case. They were able to use EternalBlue to exploit the PCs connected to the network, and exfiltrated data by sending back a fax. Researchers collaborated with HP to provide a patch and was rolled out as an automatic update to customers. Researchers advises to check for available firmware updates and disconnect the PSTN line from the fax machine if not in use.

Checkpoint

Checkpoint

Some Mitigation Strategies:
- Segment Office Equipment network traffic to a single segment to easily monitor
- Intrusion detection systems (IDS) to monitor for broadcast from the fax machine
- Use netflow to monitor outbound traffic from your office equipment
- 24x7 Security Monitoring to check for GPS consistency with locations of vehicles

Threat Report Thursday August 9th 2018

Stephen Coty on August 9, 2018

Security researchers at Proofpoint have uncovered Dreambot malware which is a new variant of Ursinif banking Trojan. Though it is still in development, it was seen spreading since July 2016 through exploit kits such as Neutrino, through phishing emails with malicious attachments, and through malvertising. Secondly Palo Alto researchers discovered a threat group named DarkHydrus carrying out credential harvesting attacks using weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions in the Middle East. Based on the analysis, DarkHydrus used the open-source Phishery tool to host the command and control server to harvest credentials. The use of Phishery further illustrates Dark Hydrus’ reliance on open source tools to conduct their operations.

Malware: Dreambot

Researchers point out that this new variant has new capabilities which includes peer-to-peer (P2P) functionality and Tor communication capability. This Tor-enabled versions are hard to detect because of encrypted and anonymized communications.

For more information there are a few links below:

Proofpoint

Virustotal

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the download of a zipped JavaScript
  
• Intrusion detection systems (IDS) would detect peer to peer communications
  
• Intrusion detection systems (IDS) would
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: DarkHydrus

Two Word documents using the 0utl00k.net domain to harvest credentials were found. These related Word documents were first seen in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.

Researchcenter

Securityweek

Some Mitigation Strategies:

• Web filtration to block Outl00k.net
  
• Email filtration to detect spear phishing attempts using word files
  
• File Integrity Management (FIM) to monitor for downloaded malicious word documents
  
• Intrusion detection systems (IDS) to monitor for malicious queries through DNS
  
• 24x7 Security Monitoring to check for GPS consistency with locations of vehicles
  

Threat Report Wednesday August 1st 2018

Stephen Coty on August 1, 2018

According to Trend Micro, a new exploit kit UnderMiner contains features that make it difficult for researchers to track it and reverse engineer its payloads. Trend Micro researchers state that the exploit kit is currently being used against victims in Asian countries, primarily users in Japan. Underminer delivers a bootkit that infects system boot sectors as well as Hidden Mellifera (Hidden Bee), a cryptocurrency-mining malware. Trend Micro researchers first observed the exploit kit on Jul 17, 2018. Also this week, security researchers at McAfee Labs have recently identified an increasing number of actors using fileless attacks. These fileless attacks don’t drop a malware on the system, rather they use the tools installed in the system. Researchers note that one fileless threat, CactusTorch, uses “DotNetToJScript” technique that executes custom shellcode on Windows System straight from the memory.

Malware: UnderMiner

UnderMiner is capable of browser profiling and filtering, preventing client revisits, URL randomization, and asymmetric encryption of payloads. Malware is transferred via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format (much like the ROM file system format), which makes analysis for researchers difficult. Underminer has been observed exploiting three major vulnerabilities: CVE-2015-5119, CVE-2016-0189, and CVE-2018-4878.

For more information there are a few links below:

Cyware

Trendmicro

Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for the creation of files and scripts
Intrusion detection systems (IDS) would detect communication C2 for additional payloads
Web Filtration would detect the use of malicious urls or unknown sites
24x7 Security Monitoring for malicious behavior and immediate incident response.

Malware: DotNetToJScript

DotNetToJScript doesn’t write any .NET assemblies on the system, that lead security softwares to often fail to detect these type of attack. CactusTorch loads and executes malicious . NET assemblies, which are the smallest deployment of an application. Corporate networks and single users alike are vulnerable to this type of attack. Security applications such as McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) clients are protected from this type of fileless attack.

Peerlyst

Mcafee

Some Mitigation Strategies:

File Integrity Management (FIM) to monitor for wscript.exe, which is only file created
Intrusion detection systems (IDS) to monitor for malicious outbound communication
24x7 Security Monitoring to check for GPS consistency with locations of vehicles.

Threat Report Tuesday July 23rd 2018

Patrick Snyder on July 23, 2018

In this week’s report, we are covering two very malicious programs. Security researchers at Kaspersky Labs have discovered Calisto malware, which appears to be a precursor of Proton macOS malware. Researchers found that Calisto was uploaded to VirusTotal in 2016, but remained unnoticed until May 2018. This macOS malware is a backdoor that guises as an Intego’s Mac Internet Security that also asks for the user’s login and password upon installation. It enables the attacker to remotely access the system enabling remote login, screen sharing, configure remote login permissions, and enable hidden “root” account in macOS with a designated password. The second piece of interesting piece of code is Decrypter for Magniber Ransomware that has been recently released. South Korean cybersecurity firm AhnLab created decrypters for some versions of the Magniber ransomware. The Magniber ransomware, which targets only South Korean end-users, was deployed by the Magnitude Exploit Kit as early as October 2017 through malvertisements. Since malvertisements is constantly a threat on the internet, it is possible to see this spread to other financial institutions.

Malware: Calisto Malware

Interestingly, researchers found out that SIP enabled (System Integrity Protection) macOS systems prevent full damage from Calisto malware even if they have root permissions. Researchers say that Calisto malware was created before Apple released SIP security feature. Researchers still do not have any information as of now on how the malware propagates. Mac users should be safe from this malware as long as they enable SIP, update OS to the current version, download from trusted sources, and use a credible antivirus software.

For more information:
Sentinel One
Xuanwu Lab

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the creation of files related to the RAT
  
• Intrusion detection systems (IDS) would detect communication C2 for additional payloads
  
• Web Filtration would detect the use of malicious URLs or unknown sites
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: CVE-2016-0189

Magnitude exploits vulnerabilities concerning memory corruption (CVE-2016-0189) in Internet Explorer. The ransomware is one of the few country- or language-specific ransomware that has been created. As of March 30, affected users can download the decrypter at AhnLab’s website, which website creators state is updated daily.

For more information:
Avast
Bleeping Computer

Some Mitigation Strategies:

• File Integrity Management (FIM) to monitor for the creation of files related to ransomware
  
• Intrusion detection systems (IDS) to monitor for malicious communication to C2s
  
• Solid Backup strategy to restore from when machine is infected and encrypted
  
• 24x7 Security Monitorings to check for GPS consistency with locations of vehicles
  

Threat Report Tuesday July 17th 2018

Patrick Snyder on July 17, 2018

In this week’s report we are covering two very malicious programs. If you have a BYOD policy you may want to pay attention to this first piece of research. Security researchers at Check Point have discovered samples of Glancelove, an Android-targeting malware, in a false campaign originated by Hamas that takes advantage of the 2018 World Cup. According to researchers, the group is distributing Glancelovethrough fake Facebook page and profiles with photos of attractive women who promote the malware in the form of a dating app available from the Google Play Store. The 2nd piece of interesting malware we found is related to GPS and vehicle that rely on it for daily transportation. A team composed of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research recently released their findings on GPS Spoofing Hack, an attack vector that can send Google Maps users the wrong direction. GPS Spoofing involves replacing a user’s intended destination with a “ghost location.” Instead of connecting to legitimate satellite systems, the cyber-criminal behind the attack forces the victim’s software to connect to their own equipment, allowing the hacker to implement false GPS data.

Malware: Glancelove
This Glancelove dating application asks for permission for the device’s network connection, contacts, SMS, camera, and storage. Upon receiving permission, it contacts its command and control (C&C) server to download the final payload. This Glancelove malware is capable of recording calls, track location, open microphone, SMS theft, take photos, storage mapping, steal contacts, and steal images. Researchers mention that these mobile chain attacks are mainly successful because the targets are hand-picked, and the malware can continually install crucial components if needed. Two similar malicious applications used by the Hamas group are Golden Cup and Wink Chat applications.

For more information there are a few links below:

Links:
GlobalSecurityMag
News Observer

Some Mitigation Strategies:
Make sure to monitor your employee and guest wifi networks Intrusion detection systems (IDS) would detect communication C2 for payload download Web Filtration would detect the use of malicious urls or unknown sites 24x7 Security Monitoring for malicious behavior and immediate incident response.

Malware: GPS Spoofing Hack
Researchers used a HackRF One software defined radio, a Raspberry Pi, a portable power source, and an antenna. The attack could be hosted remotely with the spoofing equipment installed under the victim’s car. Researchers concluded that a seasoned and logical driver who is familiar with their route and destination would notice the change in their Google Maps application. However, if the location and route are unfamiliar, a user might not realize that they’ve been deceived. According to researchers, their experiment only failed when they were testing the luxury car Tesla 2014 Model S. They stated that this was because Tesla uses an advanced u-blox navigation chip, which contains an anti-spoofing function.

Links:
Forbes

Some Mitigation Strategies:
u-blox navigation chip, which implements some anti-spoofing function Intrusion detection systems (IDS) to monitor for malicious communication 24x7 Security Monitorings to check for GPS consistency with locations of vehicles.

Threat Report Tuesday July 10th 2018

Patrick Snyder on July 10, 2018

In this week’s report we are covering two very malicious programs. Researchers identified a Remote Access Trojan (RAT), dubbed FlawedAmmyy, targeting the Ammyy Admin remote desktop tool. FlawedAmmyy is built on leaked source code of Version 3 of Ammyy Admin and provides unfettered remote access to the target system. This campaign, which the researchers attributed to TA505, includes both a broad spam campaign and more targeted campaigns targeting specific industries, including the Automotive Industry. Since its inception in December 2017, GandCrab ransomware quickly became one of the most significant cyber threats of early 2018. Based on a Ransomware as a Service (RaaS) model and distributed throughout the dark web, the malware targets multiple countries around the world using a sophisticated combination of malicious tools. Despite the recent success of law enforcement authorities and the security community who managed to slow down the proliferation of the first version of GandCrab by releasing a free decryption tool, updated versions of the ransomware continue to attack thousands of victims around the world. GandCrabRaaS is the first ransomware in the world demanding ransoms in DASH cryptocurrency.

Malware: FlawedAmmyy

Though just recently discovered, there is evidence the campaign started as early as 2016. Also worth noting, this campaign utilizes the Server Message Block (SMB) protocol, rather than HTTP, to download the malware to victim machines, which may be a first for this type of malware. Aside from the concerning implication that this trojan has been used undetected since 2016, one of the most interesting aspects of this malware is its combined use of ZIP files containing. URL files (which Windows interprets as Internet Shortcuts) and the SMB protocol to deliver the RAT to the victim.

For more information there are a few links below:

Links:

ZDNet

Hack Dig

PasteBin

Some Mitigation Strategies:

• File Integrity Management looking for the installation of files associated with the RAT
  
• Intrusion detection systems (IDS) would detect communication over SMB and C2
  
• Web Filtration would detect the use of malicious urls
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: GandCrab

According to security analysts’ estimates, the initial version of the malware was poorly developed, which allowed for the development of a decryption tool. However, GandCrab creators quickly corrected flaws, and the integrity of subsequent versions proved to be more reliable.
It is reported that an earlier flawed version of GandCrab had a decryption key stored on victim machines, which in turn was encrypted with the same password. However, the issue was promptly addressed by the GandCrab developers.

In its activities, ransomware operators utilize the decentralized Namecoin DNS with .bit extension.

Links:

Security Affairs

Trend Micro

VirusTotal

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication to C2
  
• File Integrity Management is looking for new files being installed on the system
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday July 2nd 2018

Patrick Snyder on July 2, 2018

In this week’s report we are covering two very malicious programs. Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels. The other is The Nozelesn Ransomware is a crypto- threat that was reported on July 2nd, 2018 with numerous submissions to security platforms. Unfortunately, the Nozelesn Ransomware leaves little or no traces on compromised machines and creating detection rules turned out to be troublesome. The team behind the Nozelesn Ransomware appears to target the users based in Poland judging from the initial submissions and the way it spreads to PC users.

Malware: OSX.Dummy

Security researcher Remco Verhoef recently discovered OSX.Dummy, a new Mac malware family that is currently being spread via cryptocurrency-focused Slack and Discord channels. Cryptocurrency enthusiasts are convinced by attackers to type a long command inside their Mac terminal with the promise that it will resolve various issues. The command downloads a 34 megabyte binary named “script” to the /tmp folder and runs it. The “script” file then sets itself as a launch daemon to maintain persistence. It then creates a Python script that opens a reverse shell to a server, which gives attackers access to infected hosts. The server can be traced back to 185.243.115.230:1337. Additionally after the code is run, the malware requests the user’s root password and saves it un-encrypted in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, allowing the attacker ease of access for future malicious operations. Researchers state that the malware is simplistic and easy to detect with standard malware detection tools.

For more information there are a few links below:

Links:

Bleeping Computer

SC Magazine UK

Some Mitigation Strategies:

• File Integrity Management looking for the installation of python scripts into /tmp and /users/shared
  
• Intrusion detection systems (IDS) would detect network communication over port 1337
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: Nozelesn

Security researchers at MalwareHunterTeam have discovered a new ransomware named Nozelesn. Researchers first noticed chatter regarding the malware from multiple Polish victim submissions to ID ransomware, as well as a newly generated discussion started by victims on BleepingComputer forums. According to a researcher at CERT Polska, the Computer Emergency Response Team for Poland, the malware is being distributed through spam emails imitating a DHL invoice. Upon successful infection, files are encrypted with a “.nozelesn” extension. Following encryption, the malware creates a ransom note offering to fix the computer, labelled HOW_FIX_NOZELESN_FILES.htm. The note contains instructions together with a personal code to login to TOR payment server “lyasuvlsarvrlyxz.onion”. The ransom is currently .10 BTC or roughly $660 USD.

Links:

Cyber Byte

Londrina Security News

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication
  
• File Integrity Management is looking for new files being installed on the system
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday June 18th 2018

Patrick Snyder on June 18, 2018

In this week’s report we are covering two very malicious programs. One being a custom remote access trojan (RAT) called UBoatRAT is being distributed via Google Drive links. The malware obtains a command and control (C2) address from GitHub, and uses Microsoft Windows Background Intelligent Transfer Service (BITS) for maintaining persistence. The other is MirageFox, a new tool produced by APT15 that looks to be an upgraded version of a RAT believed to originate in 2012, known as Mirage. The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

Malware: UBoatRAT is being distributed via Google Drive links

The RAT is usually delivered by a ZIP archive hosted on Google Drive containing a malicious executable disguised as a folder or Excel spreadsheet. Once installed, UBoatRAT checks for virtualization software and tries to obtain a domain name from the network. The malware only performs malicious activities on a machine when it is able to join an Active Directory (AD) domain. The malware is also programmed to detect virtualization software (VMWare, VirtualBox or QEmu) that would indicate a research environment. Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”. For more information there are a few links below:

Links:

Tech Target

Threat Post

Some Mitigation Strategies:

• Mail Filtration to screen for malicious links that relay to Google drive
  
• File Integrity Management looking for the installation of malicious zip files that unpack executables
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: MirageFox

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past operations. APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. The attackers utilizes Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

Links:

Security Affairs

Intezer

Virus Total

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication
  
• File Integrity Management is looking for new filel installation
  
• Log Management would collect data on C$ shares and other lateral movement
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Monday June 11th 2018

Stephen Coty on June 11, 2018

In this week’s report we are covering two vulnerabilities. One being a recent vulnerability that is targeting Triton ICS deployments. The other is a banking trojan that stealthily uses MSSQL database traffic.

Malware: Triton ICS Malware Developed Using Legitimate Code

Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product through a legitimate .dll file. For more information there are a few links below:

Links:

Security Week

Dark reading

Some Mitigation Strategies:

• Mail Filtration to screen for malicious phishing or targeted email campaigns
  
• File Integrity Management looking for the installation of malicious software like Remote Access Trojans (RATS) for functionality and access
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• Filtering USB ports that are on equipment connected to the ICS systems
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response
  
  

Malware: MnuBot Banking Trojan Stealthily Uses MSSQL Database Traffic

Security researchers from IBM X-Force Research Team have discovered a new banking Trojan named MnuBot. This Delphi-based malware uses the Microsoft SQL Server to communicate with the C&C Server and send commands to infected machines. This evades regular antivirus and malware detection since it uses SQL traffic, unlike common C&C Server communication that happens through web servers or apps. Researchers also indicate that this might be coded by a seasoned hacker. This MnuBot has a two-stage attack. First, it checks if the system is infected already. Second, it deploys the remote access trojan completely (RAT).

Links:

Security Intelligence

Pastebin

Some Mitigation Strategies:

• Intrusion detection systems (IDS) to monitor for malicious communication and downloads from port 5003
  
• File Integrity Management looking for access to registry keys accessed and new keys created
  
• Mail Filtration to capture potential files attached to phishing emails
  
• 24x7 Security Monitoring with Focused Security Content for solid threat detection
  

Threat Report Wednesday June 5th 2018

Stephen Coty on June 5, 2018

In this week’s report we are covering two vulnerabilities. One being a recent Microsoft Windows Jscript vulnerability that has yet to be patched and the other being NavRAT with themes around the upcoming US & North Korean Summit.

Malware: Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

New Zero-day Remote code execution vulnerability has been discovered in Microsoft Windows JScript that allows an attacker to run the arbitrary code on vulnerable installations of Microsoft Windows. “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” To exploit the vulnerability, the attacker has to trick victims into accessing a malicious web page or download and open a malicious JS file on the system. As of June 1st, there has not been a patch released so up to date security content is key for detection until a patch is released.

Links:

Threat Post
Security Boulevard

Some Mitigation Strategies:
- File Integrity Management Solutions for file creation and modification
- Intrusion detection systems (IDS) to monitor for malicious communication and downloads
- 24x7 Security Monitoring with Focused Security Content for solid threat detection
- Web Filtration Technologies to screen incoming web sites
- Mail Filtration to capture potential files attached to phishing emails

Malware: NavRAT Malware Uncovered by Security Researchers

Security researchers at Talos Intelligence have recently uncovered NavRAT, a remote access trojan that has reportedly been quietly active since 2016. NavRAT is distributed through a malicious, decoy Hangul Word Processor (HWP) document named “미북 정상회담 전망 및 대비.hwp”, which translates to “Prospects for US-North Korea Summit.hwp”. The decoy document appears to be referring to the US-North Korea Summit scheduled for June 12, 2018. Known targets reside in South Korea. Researchers note that NavRAT is unique in that it uses Naver, an email platform popular in South Korea, as its command and control (C&C) server. NavRAT can reportedly download, upload, and execute commands, perform keylogging, and avoid detection through process injection, copying itself into an active Internet Explorer process. Researchers assess with a medium degree of confidence that North Korean APT Group 123 threat actor is behind the operation due to the techniques and procedures being of similar nature to those used in previous campaigns.

Links:

Dark Reading
Talos Intelligence

Some Mitigation Strategies:

• Mail Filtration to screen for malicious phishing or targeted email campaigns
  
• File Integrity Management looking for the installation of malicious software like keyloggers
  
• Intrusion detection systems (IDS) would detect intrusion and network communication
  
• 24x7 Security Monitoring for malicious behavior and immediate incident response