It’s time for another usually weekly threat report. We’re covering quite a few essential stories from the last week:
Let’s get this party started.
On May 19, 2020, security researchers at Verizon released the Data Breach Investigation Report (DBIR) for 2020. It highlights denial-of-service (DoS), ransomware, and financially-motivated data breaches.
This year, they analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals. Here are some key takeaways from the report:
External actors whose primary motivation was to monetize data accounted for 63% of the breaches mentioned. 19% were linked to financially-motivated internal actors, and 9% were caused by internal actors committing errors.
That said, the security incidents and data breaches reported in the DBIR this year are 16% lower compared to the DBIR incidents in 2019.
Speaking of breaches, on May 15, 2020, Australian steel manufacturer BlueScope confirmed that their IT systems suffered a cyberattack that disrupted the company’s operations. According to BlueScope’s statement, the attack impacted their manufacturing and sales operations in Australia. Some processes were shut down, while other processes continued with manual processes and workarounds.
The company’s US businesses identified the breach, and the company is reported to be working closely with the authorities to investigate. The company’s North Star, Asian, and New Zealand businesses have only experienced minor disruptions and continued to operate.
According to ITnews, researchers believe that the root cause of the incident came from a ransomware infection stemming from the opening of a malicious email attachment. At the time of writing, this hasn’t been confirmed. It’s currently unclear what type of attack has been used by the unidentified threat actor or if any data has been affected.
Based on available information, this sounds like a ransomware attack. I bet our metal and mining friends will be talking about this in their next MM-ISAC summit and wargame.
One finding from the DBIR was a rise in ransomware. On May 15, 2020, four cybercriminals were arrested for conspiracy to launch ransomware attacks against Romanian hospitals. Three of the cybercriminals were arrested in Romania while the fourth was arrested in the Republic of Moldova.
Authorities reported that the members are a part of the hacking group “PentaGuard,” a group that has been around since 2000 and was once involved in mass defacements of several Romanian government and military websites.
According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), the group’s members use remote access trojans and ransomware, tools for website defacements, and tools to exploit SQL injection vulnerabilities to breach web servers and steal data in preparation for the cyber attacks.
The cybercriminals intended to send emails bearing COVID-19 lures to hospitals to infect computers, encrypt files, disrupt hospital activity, and seek ransom. Local Romanian media reported that the hackers were preparing the attacks as a form of protest against the country’s COVID-19 quarantine measures.
On May 18, 2020, researchers at the security firm Trend Micro identified a new variant of Netwalker Ransomware that uses the reflective dynamic-link library (DLL) method. Netwalker gains initial access to victims’ systems by using a PowerShell script, identified as “Ransom.PS1.NETWALKER.B,” that hides under multiple layers of encryption, obfuscation, and encoding techniques.
To prevent detection, Netwalker terminates processes and services related to backup software and data related applications. Additionally, Netwalker also terminates security software to evade the detection of malicious activities.
By going fileless, Netwalker avoids anti-virus file scanning.
It’s recommended for users to use application controls to prevent internet browsers and applications from spawning script interpreters, such as PowerShell, WMIC, and Java, to mitigate fileless attacks. It’s also recommended to have a reliable and tested backup that can be restored and keep operating systems (OS) up to date to help mitigate ransomware attacks. Perch has created alert for activity related to this report.
Hack the Gibson! One of the top methods of breaches was social engineering. Phishers are keeping up with Microsoft’s updates. On May 18, 2020, security researchers at Microsoft identified a new phishing campaign that spoofs the newly updated Azure AD sign-in page to lure the victims into entering their credentials.
Azure AD is the cloud-based version of the on-premises Active Directory system that operates user authentication and access privilege data. Microsoft announced the changes to its Azure AD login screen on February 26, 2020, and rolled it out in April 2020.
In the updated version of the login page, Microsoft replaced the full-frame background photograph with plain colors, reducing its size by 99% to save network bandwidth and reduce page loading times. According to Microsoft reports, after these changes to the login screen were made, they had observed multiple sites using the new background in phishing campaigns to lure Azure AD users into giving up their credentials.
In these campaigns, the threat actors send emails that contain a PDF attachment, which acts as a OneDrive document requiring the user to sign in before viewing it. Once opened, the link leads to a phishing site that spoofs the new Microsoft Azure AD sign-in page.
We recommend organizations provide phishing and social engineering training to their employees and require multi-factor authentication (MFA) to employee accounts.
Adobe has issued an out-of-band patch for CVE-2020-9586, a critical remote code execution flaw in Adobe Character Animator. Adobe Character Animator is an application for creating live motion capture animation videos.
The flaw can be exploited by a remote attacker to execute code on affected systems. CVE-2020-9586 is classified as critical as it could allow remote code execution if a user opens a malicious file or visits a malicious web page.
It can also be used to execute code in the context of the current process. Users are urged to update to version 3.3 for Windows and macOS.
In 2019, security researchers discovered vulnerabilities in QNAP PhotoStation and CGI programs that can be chained into a pre-auth root RCE. All QNAP NAS models are vulnerable, and there are approximately 312K vulnerable QNAS NAS instances on the internet. These vulnerabilities have been responsibly reported, fixed, and assigned: CVE-2019–7192 (CVSS 9.8), CVE-2019–7193 (CVSS 9.8), CVE-2019–7194 (CVSS 9.8), CVE-2019–7195 (CVSS 9.8). In the first public disclosure, only 3 of the vulnerabilities were disclosed (because they’re enough to achieve pre-auth root RCE).
The following Shodan search reveals 564K QNAP instances on the internet. Over half of those randomly tested were still vulnerable. We expect to see a spike in scanning activity as bots include this in their scanners, so we whipped something up in the lab.
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP PhotoStation Album Creation"; flow:established, to_server; content:"POST"; http_method; content:"/p/api/album.php"; http_uri; content:"a="; http_client_body; content:"f="; http_client_body; tag:session,5,packets; reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[Perch Security] QNAP PhotoStation Access Code Response"; flow:established, to_client; content:"200"; http_stat_code; content:"/slideshow.php?album="; http_header; content:"albumCode"; http_server_body; content:"encodeURIComponent"; http_server_body; tag:session,5,packets; reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP PhotoStation Pre-Auth Local File Disclosure (LFD)"; flow:established, to_server; content:"POST"; http_method; content:"/p/api/video.php"; http_uri; content:"album="; http_client_body; content:"ac="; http_client_body; content:"f="; http_client_body; content:"filename="; http_client_body; content:"|2e 2e 2f|"; http_client_body; distance:0; tag:session,5,packets; reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;) alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] QNAP PhotoStation LFD Plaintext Login Token Retrieval"; flow:established, to_server; content:"filename="; http_client_body; content:"/share/Multimedia/|2e 40 5f 5f|thumb/ps|23|app|23|token"; http_client_body; distance:0; tag:session,5,packets; reference:url,https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k devices-on-the-internet-d55488d28a05; classtype:web-application-attack; sid:xxxx; rev:1;)
Whew. That’s all for this week. Stay safe, healthy, and keep it Perchy!