Thursday February 6th 2020
It’s time for another usually weekly threat report. Last week we were really busy with a successful PerchyCon 2020. But we’ve gotten some interesting threats that we need to make you aware of this week.
Cisco has disclosed five 0-day vulnerabilities in the Cisco Discovery Protocol (CDP) collectively dubbed “CDPwn.” CDP is a Cisco proprietary Layer 2 (Data Link Layer) network protocol that is used to share information about directly connected Cisco equipment.
CDP is used in nearly all Cisco products (including switches, routers, IP phones, and cameras), and all products come with CDP enabled by default. Consequently, the vulnerabilities impact tens of millions of enterprise devices.
Four of the five CDPwn vulnerabilities allow for complete takeover of the devices, including all Cisco 7800 and 8800 IP phones, Cisco IP Cameras, Nexus Switches, IOS XR routers, and others. An advisory from the U.S. CERT Coordination Center has also been issued.
The vulnerabilities are classified as critical. Four enable Remote Code Execution (RCE), and the fifth is a Denial-of-Service (DoS) vulnerability that can impact the entire operation of a network.
Researchers from Armis first disclosed the vulnerabilities to Cisco on August 29, 2019. Cisco customers are advised to prioritize patching at their earliest convenience and can visit Cisco for more information on patches. If you’re interested, you can read the full white paper on CDPwn.
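CDP is a TLV-encoded Layer 2 protocol, and the defender's side of the story is parsing those TLVs without trusting their length fields. The following Python parser is an added illustration, not code from this report, Armis, or Cisco, and not a model of the actual CDPwn bugs (which this page does not detail): it validates every length before use and rejects a constructed frame whose TLV claims more bytes than are present. The TLV type codes are the publicly documented CDP ones; both frames are constructed, not captures.

```python
import struct

# Well-known CDP TLV type codes (from the protocol's public documentation)
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform"}
STRING_TLVS = {0x0001, 0x0003, 0x0005, 0x0006}

def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (bytes after the SNAP header). Every length field is checked
    before use: a TLV shorter than its 4-byte header or running past the frame raises."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte CDP header")
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    tlvs, offset = {}, 4
    while offset < len(payload):
        if len(payload) - offset < 4:
            raise ValueError(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4:
            raise ValueError(f"TLV length {tlv_len} at offset {offset} is smaller than its header")
        if offset + tlv_len > len(payload):
            raise ValueError(f"TLV 0x{tlv_type:04x} claims {tlv_len} bytes, only {len(payload) - offset} remain")
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"unknown-0x{tlv_type:04x}")
        # String-valued TLVs are decoded; anything else is kept as raw bytes.
        tlvs[name] = value.decode("ascii", "replace") if tlv_type in STRING_TLVS else value
        offset += tlv_len
    return {"version": version, "ttl": ttl, "checksum": checksum, "tlvs": tlvs}

def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the CDP length field counts the 4-byte header as well."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

# Constructed sample frame, not a real capture: version 2, TTL 180, checksum left zero.
GOOD_FRAME = (struct.pack("!BBH", 2, 180, 0)
              + build_tlv(0x0001, b"switch1")
              + build_tlv(0x0003, b"GigabitEthernet0/1")
              + build_tlv(0x0006, b"cisco WS-C2960"))

# Constructed malformed frame: the Platform TLV advertises 1024 bytes but carries 5.
BAD_FRAME = (struct.pack("!BBH", 2, 180, 0)
             + build_tlv(0x0001, b"switch1")
             + struct.pack("!HH", 0x0006, 1024) + b"cisco")

if __name__ == "__main__":
    print(parse_cdp(GOOD_FRAME))
```

Feeding BAD_FRAME to parse_cdp raises ValueError instead of reading past the buffer; the checksum is carried but not verified here.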
The following is a breakdown of each vulnerability:
Last week, researchers identified a new Emotet phishing campaign that warned recipients of coronavirus infections in Japan. According to the reports, the subjects of the emails are composed of different representations of the Japanese word for “notification” and suggest an urgency for recipients to view the notification.
The attachment is a standard Office 365 document that instructs the viewer to enable the malicious content. If the attachment is opened with macros enabled, an obfuscated VBA macro script launches PowerShell and installs the Emotet Trojan. The infected computer is then used to drop other malware, such as Trickbot, which harvests user credentials, browser history, and sensitive documents and sends them to the attacker-controlled command-and-control server.
To mitigate phishing attacks, users are advised to check the URL of the website before clicking a link sent via email, be vigilant to suspicious attachments, avoid enabling macros on untrusted documents, and use security controls that can track malicious activities.
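The infection chain above, an Office macro launching PowerShell, is exactly what “security controls that can track malicious activities” should key on. The following is an added example, not code from the original report: it scans constructed process-creation events written with Sysmon Event ID 1 field names and flags an Office application spawning a script interpreter, raising the level when the command line also carries hiding or encoding switches. The field names, the switch list and the sample events are assumptions.

```python
import json

# Office hosts an Emotet maldoc macro runs inside, and the interpreters it spawns.
# The report names PowerShell; cmd/wscript/cscript are added here as assumptions
# because the same parent/child check covers them.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Switches that typically accompany a macro-launched PowerShell downloader.
SUSPECT_SWITCHES = ("-enc", "-encodedcommand", "-nop", "-w hidden", "-windowstyle hidden")

def exe_name(path: str) -> str:
    """Lower-case basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_macro_spawn(event: dict) -> bool:
    """True when an Office application is the parent of a script interpreter,
    the process chain the Emotet maldoc produces."""
    return (exe_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and exe_name(event.get("Image", "")) in SUSPECT_CHILDREN)

def score(event: dict) -> str:
    """'high' if the spawn also carries hiding/encoding switches, 'medium' for a
    bare Office->interpreter spawn, 'none' otherwise."""
    if not is_macro_spawn(event):
        return "none"
    cmd = event.get("CommandLine", "").lower()
    return "high" if any(s in cmd for s in SUSPECT_SWITCHES) else "medium"

def triage(lines):
    """Parse JSON process-creation events; return (level, pid, child) for each alert."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        level = score(event)
        if level != "none":
            hits.append((level, event["ProcessId"], exe_name(event["Image"])))
    return hits

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_LOG = r'''
{"ProcessId": 4412, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n notification.doc"}
{"ProcessId": 4490, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell -nop -w hidden -enc BASE64PLACEHOLDER"}
{"ProcessId": 4510, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd /c echo hello"}
{"ProcessId": 4520, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -File backup.ps1"}
'''

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Running it reports the Word-spawned PowerShell as high and the Excel-spawned cmd as medium, while the explorer-launched processes produce no alert.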
TerraLoader is a JScript-based backdoor used by multiple threat actors. Its capabilities include self-deletion, downloading additional payloads, and system reconnaissance, including detection of antivirus software, OS information, computer name, username, and the victim’s IP address.
This functionality is typical for a backdoor. TerraLoader uses HTTPS for C2 operations, allowing the threat actor to control the target’s machine, and regularly connects to its C2 server to check for new commands from the threat actor.
FIN6 deployments of TerraLoader differ from Cobalt Group deployments: FIN6 deployments (version 4 and above) contain strings denouncing Cobalt Group, while Cobalt Group deployments (solely version 2.0) include the via_x command, which launches cmd.exe to download additional files.
Based on Recorded Future’s analysis of CVEs from 2017 through 2019, more exploits were observed targeting Microsoft products than Adobe products. Eight of the top ten vulnerabilities, which are exploited via phishing attacks, exploit kits, or remote access trojans (RATs), impact Microsoft products.
Four of these vulnerabilities impact Internet Explorer. Despite experiencing a decline in browser market share, Internet Explorer is still favored by enterprises, making it a high-value target for threat actors.
Only two Adobe Flash vulnerabilities made the top ten, likely due to a combination of better patching and Flash Player’s 2020 end of life.
Many vulnerability and patch management teams struggle to keep updates current without having visibility into which vulnerabilities are being actively exploited. This makes it hard to prioritize critical patches.
In 2019, there were over 12K vulnerabilities reported and classified through CVE. Although this is fewer than in 2018, the U.S. government and the National Vulnerability Database (NVD) have scored over 1K of those 12K vulnerabilities with a CVSS score of nine or higher and deemed them “critical” to patch.
It is imperative that security professionals know which vulnerabilities impact a company’s technology stack and are included in exploit kits, used to distribute a RAT, or currently being used in phishing attacks.
Security researchers from Cybereason released a report on February 5, 2020, about an ongoing campaign that is abusing Bitbucket, a web-based version control repository hosting service owned by Atlassian. The threat actors abusing Bitbucket have been creating several user accounts that they update regularly (as often as every few hours) to evade detection by antivirus products. According to the report, the campaign starts when users click a malicious link in phishing emails or download cracked versions of commercial software such as Adobe Photoshop, Microsoft Office, and others. The threat actors have bundled this cracked software (“free warez”) with the Azorult infostealer and Predator the Thief, using Themida and CypherIT AutoIt as packers to avoid detection.
Once the cracked software is installed, it drops Azorult and Predator and downloads multiple payloads from a Bitbucket repository that the threat actors update regularly. Aside from Predator and Azorult, malware such as Evasive Monero Miner, STOP ransomware, Vidar, Amadey bot, and IntelRapid is also being deployed by the threat actors.
The report stated that over 500K machines worldwide are affected by this ongoing campaign.