The DBIR 2020 Lowdown
Friday May 22nd 2020

It’s time for another usually weekly threat report. We’re covering quite a few essential stories from the last week:

  • Verizon DBIR is out
  • Australian mining breach
  • Ransomware attack on hospitals thwarted by arrest
  • Netwalker Ransomware goes fileless
  • Phishers update their lures
  • Out-of-band patch for Adobe RCE
  • QNAP RCE chain with bonus Perch Labs signatures

Let’s get this party started.

Verizon DBIR 2020 is out

On May 19, 2020, security researchers at Verizon released the Data Breach Investigation Report (DBIR) for 2020. It highlights denial-of-service (DoS), ransomware, and financially-motivated data breaches.

This year, they analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals. Here are some key takeaways from the report:

  • Denial-of-service (DoS) attacks have spiked and were 40% of all security incidents reported.
  • Cyber espionage breaches are down from 13.5% to 3.2%.
  • Social engineering (up @ 22%) and malware (down @ 22%) accounted for 44% of all breaches reported.
  • Cybercriminals are drastically changing how they’re targeting industries like education and finance. Phishing, web application, and ransomware attacks plague these sectors.

External actors whose primary motivation was to monetize data accounted for 63% of the breaches mentioned. 19% were linked to financially-motivated internal actors, and 9% were caused by internal actors committing errors.

That said, the security incidents and data breaches reported in the DBIR this year are 16% lower compared to the DBIR incidents in 2019.

BlueScope Steel Australian operations disrupted by breach

Speaking of breaches, on May 15, 2020, Australian steel manufacturer BlueScope confirmed that their IT systems suffered a cyberattack that disrupted the company’s operations. According to BlueScope’s statement, the attack impacted their manufacturing and sales operations in Australia. Some processes were shut down, while other processes continued with manual processes and workarounds.

The company’s US businesses identified the breach, and the company is reported to be working closely with the authorities to investigate. The company’s North Star, Asian, and New Zealand businesses have only experienced minor disruptions and continued to operate.

According to ITnews, researchers believe that the root cause of the incident came from a ransomware infection stemming from the opening of a malicious email attachment. At the time of writing, this hasn’t been confirmed. It’s currently unclear what type of attack has been used by the unidentified threat actor or if any data has been affected.

Based on available information, this sounds like a ransomware attack. I bet our metal and mining friends will be talking about this in their next MM-ISAC summit and wargame.

PentaGuard arrested for hospitals ransomware scheme

One finding from the DBIR was a rise in ransomware. On May 15, 2020, four cybercriminals were arrested for conspiracy to launch ransomware attacks against Romanian hospitals. Three of the cybercriminals were arrested in Romania while the fourth was arrested in the Republic of Moldova.

Authorities reported that the members are a part of the hacking group “PentaGuard,” a group that has been around since 2000 and was once involved in mass defacements of several Romanian government and military websites.

According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), the group’s members use remote access trojans and ransomware, tools for website defacements, and tools to exploit SQL injection vulnerabilities to breach web servers and steal data in preparation for the cyber attacks.

The cybercriminals intended to send emails bearing COVID-19 lures to hospitals to infect computers, encrypt files, disrupt hospital activity, and seek ransom. Local Romanian media reported that the hackers were preparing the attacks as a form of protest against the country’s COVID-19 quarantine measures.

Netwalker Ransomware variant goes fileless

On May 18, 2020, researchers at the security firm Trend Micro identified a new variant of Netwalker Ransomware that uses the reflective dynamic-link library (DLL) method. Netwalker gains initial access to victims’ systems by using a PowerShell script, identified as “Ransom.PS1.NETWALKER.B,” that hides under multiple layers of encryption, obfuscation, and encoding techniques.

To prevent detection, Netwalker terminates processes and services related to backup software and data related applications. Additionally, Netwalker also terminates security software to evade the detection of malicious activities.

By going fileless, Netwalker avoids anti-virus file scanning.

It’s recommended for users to use application controls to prevent internet browsers and applications from spawning script interpreters, such as PowerShell, WMIC, and Java, to mitigate fileless attacks. It’s also recommended to have a reliable and tested backup that can be restored and keep operating systems (OS) up to date to help mitigate ransomware attacks. Perch has created alert for activity related to this report.

Updated Microsoft Azure AD login page used in phishing attacks

Hack the Gibson! One of the top methods of breaches was social engineering. Phishers are keeping up with Microsoft’s updates. On May 18, 2020, security researchers at Microsoft identified a new phishing campaign that spoofs the newly updated Azure AD sign-in page to lure the victims into entering their credentials.

Azure AD is the cloud-based version of the on-premises Active Directory system that operates user authentication and access privilege data. Microsoft announced the changes to its Azure AD login screen on February 26, 2020, and rolled it out in April 2020.

In the updated version of the login page, Microsoft replaced the full-frame background photograph with plain colors, reducing its size by 99% to save network bandwidth and reduce page loading times. According to Microsoft reports, after these changes to the login screen were made, they had observed multiple sites using the new background in phishing campaigns to lure Azure AD users into giving up their credentials.

In these campaigns, the threat actors send emails that contain a PDF attachment, which acts as a OneDrive document requiring the user to sign in before viewing it. Once opened, the link leads to a phishing site that spoofs the new Microsoft Azure AD sign-in page.

We recommend organizations provide phishing and social engineering training to their employees and require multi-factor authentication (MFA) to employee accounts.

Adobe Critical RCE Flaw CVE-2020-9586 Patched out of band

Adobe has issued an out-of-band patch for CVE-2020-9586, a critical remote code execution flaw in Adobe Character Animator. Adobe Character Animator is an application for creating live motion capture animation videos.

The flaw can be exploited by a remote attacker to execute code on affected systems. CVE-2020-9586 is classified as critical as it could allow remote code execution if a user opens a malicious file or visits a malicious web page.

It can also be used to execute code in the context of the current process. Users are urged to update to version 3.3 for Windows and macOS.

Expect a QNAP scanning wave

In 2019, security researchers discovered vulnerabilities in QNAP PhotoStation and CGI programs that can be chained into a pre-auth root RCE. All QNAP NAS models are vulnerable, and there are approximately 312K vulnerable QNAS NAS instances on the internet. These vulnerabilities have been responsibly reported, fixed, and assigned: CVE-2019–7192 (CVSS 9.8), CVE-2019–7193 (CVSS 9.8), CVE-2019–7194 (CVSS 9.8), CVE-2019–7195 (CVSS 9.8). In the first public disclosure, only 3 of the vulnerabilities were disclosed (because they’re enough to achieve pre-auth root RCE).

The following Shodan search reveals 564K QNAP instances on the internet. Over half of those randomly tested were still vulnerable. We expect to see a spike in scanning activity as bots include this in their scanners, so we whipped something up in the lab.

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP 
PhotoStation Album Creation"; flow:established, to_server; content:"POST"; http_method; 
content:"/p/api/album.php"; http_uri; content:"a="; http_client_body; content:"f="; 
http_client_body; tag:session,5,packets; 
reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k 
devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) 

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[Perch Security] QNAP PhotoStation 
Access Code Response"; flow:established, to_client; content:"200"; http_stat_code; 
content:"/slideshow.php?album="; http_header; content:"albumCode"; http_server_body; 
content:"encodeURIComponent"; http_server_body; tag:session,5,packets; 
reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k 
devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) 

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP 
PhotoStation Pre-Auth Local File Disclosure (LFD)"; flow:established, to_server; content:"POST"; 
http_method; content:"/p/api/video.php"; http_uri; content:"album="; http_client_body; 
content:"ac="; http_client_body; content:"f="; http_client_body; content:"filename="; 
http_client_body; content:"|2e 2e 2f|"; http_client_body; distance:0; tag:session,5,packets; 
reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k 
devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) 

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP 
PhotoStation LFD Plaintext Login Token Retrieval"; flow:established, to_server; 
content:"filename="; http_client_body; content:"/share/Multimedia/|2e 40 5f 
5f|thumb/ps|23|app|23|token"; http_client_body; distance:0; tag:session,5,packets; 
reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k 
devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) 

Whew. That’s all for this week. Stay safe, healthy, and keep it Perchy!

- Paul

Paul Scott

Paul Scott
Has 6 Gold Stars
LinkedIn