Threat Report

Thursday April 18, 2019

We’ve got a quick update for you this week on some news that’s getting attention. APT34 leaks hack tools, Common VPN software has a critical vulnerability patched, and Microsoft underestimates the exploitability of a remote code execution vulnerability. Additionally, an information technology firm from India has been compromised and is being leveraged in attacks against their own customers. Let’s get going.

APT34 hacking tools leak

As reported by zdnet, yesterday some of the tools used by OilRig attack group have been leaked by a group of Iranian hackers called “Lab Dookhtegan”. Lab Dookhtegan started leaking information about the operations of APT34 / OILRIG which supposedly would be the Iranian Ministry of Intelligence. However, this could be false attribution as well. The tools include:

The full leak and tools were published on Lab Dookhtegan Telegram Channel with 30 members and can be downloaded here. Please make sure you use proper security steps such as sandbox and isolated environments. Open these files at your own risk. You can check more write up details on this GitHub page.

The origin of the leaked files is unknown and was not inspected for 0-day traps.

Pass: vJrqJeJo2n005FF*

VPN applications insecurely storing session cookies

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. As disclosed in a recent CERT advisory, multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

The following products and versions store the cookie insecurely in log files:

The following products and versions store the cookie insecurely in memory:

Microsoft underestimates exploitability of DHCP bug

Microsoft has given the DHCP bug a low criticality score. However, a researcher on a Russian forum has posted information showing how the vulnerability can be exploited for remote code execution on a DHCP client. A rogue DHCP server in your environment could exploit this to hack all of your machines. Microsoft has offered updated guidance on the vulnerability.

Wipro hacked and targeting their own customers

Brian Krebs reported that Indian information technology firm, Wipro, has likely been compromised and hackers are using their foothold to attack Wipro customers.

KrebsOnSecurity heard independently from two trusted sources that Wipro, India’s third-largest IT outsourcing company was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

Paul Scott

Paul Scott
Has 6 Gold Stars