Thursday July 18th 2019
Let’s get going with some of the top threats we’re highlighting this week. Notably, there have been a number of advisories released by different governments related to ongoing campaigns and new critical vulnerabilities.
The UK’s National Cyber Security Centre (NCSC) has released an advisory highlighting a large scale global Domain Name Systems (DNS) hijacking campaign.
DNS is the service responsible for translating domain names to IP addresses hosting services. The attackers are altering the DNS settings for malicious purposes. By hijacking DNS for an organization, the attackers can direct users to attacker controlled infrastructure which can result in user compromise.
Based on telemetry data from Avast, between February and June of 2019 at least 180K users in Brazil had their routers compromised and DNS settings altered.
UK’s NCSC published a document on Friday outlining the risks that come with DNS hijacking attempts and offering organizations advice to protect themselves from this sort of danger.
To prevent and be aware of DNS hijacking, organizations should monitor the DNS servers used and ensure that their devices are using approved DNS servers belonging to the organization.
In related DNS hijacking news, Extenbro is a new DNS-changer that comes with an adware bundle and can block access to security-related sites so the victims cannot download and install security software to remove the infection.
The Extenbro is bundled with Trojan.IStartSurf. The trojan changes the DNS settings of infected systems to hide its presence. Additionally, the Trojan adds a root to allow PowerShell commands.
The trojan modifies the Windows registry to disable IPV6 and forces the system to use the new DNS servers. The trojan also modifies Firefox’s user.js file which configures Firefox to use the Windows Certificate Store where the root certificate was added.
These are not the first advisories related to DNS hijacking campaigns we’ve seen this year. Earlier this year, The National Cybersecurity and Communications Integration Center (NCCIC) published an advisory related to attackers using compromise credentials to modify the domain name resources for organizations. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
Is this Drupalgeddon 3? A security update for Drupal CMS has been released to address a critical vulnerability, tracked CVE-2019-6342, affecting Drupal CMS components that could allow attackers to take over the impacted sites. US-CERT has released an advisory on this vulnerability.
Attackers can exploit the vulnerability without authentication.
According to usage statistics for Drupalcore, approximately 290,958 websites are using Drupal 8.x out of a total of 1,093,220. Websites running the Drupal CMS version 8.7.4, 8.7.3, and earlier are vulnerable with CVE-2019-6342.
Users are advised to update to Drupal version 8.7.5 to address this vulnerability.
EvilGnome is disguised as a Gnome extension and currently undetected across all major security software. Additionally, EvilGnome appears to be connected with the Russian-based APT group, dubbed Gamaredon Group.
Gamaredon Group is known for targeting individuals involved in Ukranian governments and infecting victims using malicious attachments that are being delivered via spear-phishing emails.
The reason behind the connection is the use of the same hosting provider, as well as by EvilGnome’s use of command-and-control servers connected to the domains associated with the Russian threat group.
They also use the same port for connecting to their command-and-control servers via SSH, with two additional servers and domains that are similar to the pattern of Gamaredon domains.
Users should consider adopting security solutions which can track malicious related activities to prevent any potential attacks.
A large number of ongoing Agent Tesla campaigns have been observed in the wild using notable malware families including Formbook, Lokibot, and Agent Tesla that links to the threat group SWEED.
SWEED is primarily known for targeting victims using stealers and remote access Trojans and has been active since 2017. The actors remain consistent on using spear-phishing emails with malicious documents.
In this ongoing campaign, the actors are compromising victims using a packed version of information stealer, Agent Tesla.
In the 2017 campaign, the actors placed droppers inside of ZIP archives containing a packed version of Agent Tesla.
In early 2018, SWEED utilized Java-based droppers to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla.
In April 2018, SWEED used a vulnerability in Microsoft .NET framework, tracked CVE-2017-8759, to decode a URL and download a packed version of Agent Tesla hosted on an attacker-controlled Web server.
Around May 2018, SWEED used a vulnerability in Microsoft Office, tracked CVE-2017-11882, that is used in commodity malware distribution.
In the 2019 campaign, SWEED leveraged spear-phishing emails and malicious attachments to initiate the infection process. One of the common characteristics with several of the campaigns associated with SWEED is the use of various techniques to bypass User Account Control on infected systems.
The various distribution campaigns linked to SWEED feature use of a limited amount of distribution and command-and-control infrastructure with the same servers used across many different campaigns over long periods of time. Another element of many of the campaigns associated with SWEED is the use of typosquatting for the domains used to host the packed Agent Tesla binaries that have been distributed over the past few years.
According to reports, SWEED targeted companies all over the world.
At this time, it is unclear whether the accounts and associated individuals associated with SWEED are business associates or customers. However, they all use the same infrastructure in a coordinated manner across domains, rely on the same malware and packers, and all operate very similarly.
The following indicators of compromise were released with this report.
aelna[.]com blssleel[.]com quycarp[.]com mglt-mea[.]com usarmy-mill[.]com lnnovalues[.]com kayneslnterconnection[.]com aidanube[.]com sweedoffice-olamide[.]duckdns.org oralbdentaltreatment[.]tk cawus-coskunsu[.]com candqre[.]com dougiasbarwick[.]com spedaqinterfreight[.]com cablsol[.]com etqworld[.]com jyexports[.]com mti-transt[.]com samhwansleel[.]com aiaininsurance[.]com www[.]sweedoffice-olamide.duckdns.org repotc[.]com snapqata[.]com anernostat[.]com sweedoffice-bosskobi[.]duckdns.org worldjaquar[.]com sweedoffice-chuks[.]duckdns.org regionaitradeinspections[.]com sukrltiv[.]com www[.]sweedoffice-kc.duckdns.org xlnya-cn[.]com kn-habour[.]com jltqroup[.]com zurieh[.]com crosspoiimeri[.]com rsaqencies[.]com wlttraco[.]com virdtech[.]com bwayachtng[.]com sweed-office[.]comie.ru gufageneys[.]com zarpac[.]us willistoweswatson[.]com sweeddehacklord[.]us sweed-viki[.]ru profbuiiders[.]com sweedoffice-goodman[.]duckdns.org hybru[.]com www[.]sweedoffice-chuks.duckdns.org erieil[.]com sweedoffice[.]duckdns.org catalanoshpping[.]com sweedoffice-kc[.]duckdns.org serec[.]us intermodaishipping[.]net leocouriercompany[.]com supe-lab[.]com evegreen-shipping[.]com