Threat Report

Thursday March 12th 2020

In this issue of the usually weekly threat report, we’ve got some hot news. Keep on the lookout for a new worm on the heels of an SMBv3 buffer overflow, Microsoft disrupts the Necurs botnet, hackers are actively exploiting Microsoft Exchange, and Magecart skims cards with a little help from Cloudflare. Let’s get this party started.

SMBv3 Buffer Overflow breaks ground for new worm

On March 10, 2020, Cisco Talos and Fortinet researchers leaked a new wormable vulnerability in the Microsoft Server Message Block (SMB) protocol before Microsoft’s regular Patch Tuesday update cycle. The vulnerability, tracked as CVE-2020-0796, is a buffer overflow that allows attackers to execute arbitrary code. It is triggered by a maliciously crafted compressed data packet.

Only details of the vulnerability have been leaked. At this time, there have been no reports of active exploitation and no proofs of concept. We expect to see hackers leveraging this vulnerability in future worms. We recommend patching for CVE-2020-0796 as soon as a patch is available.

In the meantime, Microsoft has advised that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
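As an added example (not part of the report), the following PowerShell applies that workaround and verifies it. It relies on the DisableCompression value under the LanmanServer\Parameters registry key that Microsoft’s advisory ADV200005 documents; the helper function names are this example’s own. Run it in an elevated PowerShell session on the SMB server.

```powershell
# Added example (not from the report): apply and verify Microsoft's interim
# workaround for CVE-2020-0796 by disabling SMBv3 compression on an SMB server.
# Requires an elevated (administrator) PowerShell session.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbCompressionState {
    # Reports 'Disabled' only when DisableCompression is set to 1; an absent
    # value means compression is still enabled (the default).
    $value = (Get-ItemProperty -Path $Key -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # The registry change from Microsoft's advisory; no reboot is needed.
    Set-ItemProperty -Path $Key -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Enable-SmbCompression {
    # Reverse the workaround once the CVE-2020-0796 update has been installed.
    Set-ItemProperty -Path $Key -Name DisableCompression -Type DWORD -Value 0 -Force
}

Write-Host "SMBv3 compression before: $(Get-SmbCompressionState)"
Disable-SmbCompression
Write-Host "SMBv3 compression after:  $(Get-SmbCompressionState)"
```

The workaround protects only the server side: an SMB client that connects to a malicious server is still exposed until the update is installed, so blocking TCP port 445 at the perimeter is the complementary measure Microsoft lists alongside it.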

Microsoft disrupts U.S.-based Necurs Botnet

Microsoft has disrupted infrastructure used by the Necurs spam botnet to distribute malware payloads and infect millions of computers. According to Tom Burt, Microsoft’s corporate vice president of Customer Security & Trust, “The U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of a U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.”

Microsoft, along with partners across 35 countries, gained control over the botnet domains after analyzing the algorithm Necurs uses to systematically generate new domains. Microsoft was able to predict over six million domains the botnet’s operators would use over the next two years.

“Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure,” according to Burt. “By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.”

During Microsoft’s investigation, a single Necurs-infected device was observed sending 3.8M spam messages to over 40.6M targets over 58 days. Necurs was first sighted in 2012 and is commonly linked to the threat actor group TA505.

Necurs is known for stealing online account credentials, pushing spam emails designed to redirect traffic via HTTPS and SOCKS network proxies, and launching DDoS attacks. Its operators, believed to be based in Russia, are known for using botnet-for-hire services to expand their profits.

Nation-state hackers actively exploiting Microsoft Exchange

On March 6, 2020, researchers warned that multiple unspecified nation-state actors are exploiting CVE-2020-0688, a recently patched vulnerability in Microsoft Exchange. The vulnerability allows attackers to execute code as SYSTEM with user credentials or an old service account.

The vulnerability exists in the Exchange Control Panel (ECP) component. Microsoft addressed it as part of the February 2020 Patch Tuesday. On March 4, 2020, Rapid7 released a module that incorporates the exploit into the Metasploit penetration testing framework.

To exploit the vulnerability, attackers need the credentials for an email account on the Microsoft Exchange server. Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges on the server and take full control. APT groups are also brute-forcing credentials through Exchange Web Services (EWS) to obtain the account they need to exploit the vulnerability.

Researchers did not provide details of the threat actors exploiting the vulnerability. If you haven’t applied the security updates from the February 2020 Patch Tuesday, you should do so now. Also, consider setting a password policy that expires users’ passwords periodically.
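As an added example (not from the report, Microsoft, or the researchers), here is a PowerShell check a defender could run over the IIS logs of an Exchange front end to spot the EWS credential brute-forcing described above: it counts HTTP 401 responses on /EWS/ per client address, lists sources that exceed a threshold, and notes whether the same source later authenticated successfully. The log lines are constructed for the example (W3C format, with the #Fields header the parser reads), and the function name and threshold are the example’s own choices.

```powershell
# Added example (not from the report): find likely credential brute-forcing
# against Exchange Web Services in IIS W3C logs. The sample lines below are
# constructed; for real use, replace them with Get-Content of the Exchange
# front-end site's u_ex*.log files.

$LogLines = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2020-03-11 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 python-requests/2.22.0 401 1 1326
2020-03-11 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 python-requests/2.22.0 401 1 1326
2020-03-11 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 python-requests/2.22.0 401 1 1326
2020-03-11 08:00:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 python-requests/2.22.0 401 1 1326
2020-03-11 08:00:09 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\alice 203.0.113.7 python-requests/2.22.0 200 0 0
2020-03-11 08:00:12 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\bob 198.51.100.20 Microsoft+Office/16.0 200 0 0
2020-03-11 08:00:15 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.21 Mozilla/5.0 401 2 5
'@ -split '\r?\n'

function Get-EwsBruteForceCandidates {
    param(
        [string[]]$Lines,
        [int]$Threshold = 3   # 401 responses from one address before it is reported
    )

    $fields    = $null
    $failures  = @{}   # client IP -> count of 401 responses on /EWS/
    $successes = @{}   # client IP -> count of 200 responses on /EWS/

    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # IIS states the column layout in the log itself; read it rather than assume it
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }

        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }

        # Only traffic to the EWS endpoint is of interest here
        if ($row['cs-uri-stem'] -notlike '/EWS/*') { continue }
        $ip = $row['c-ip']
        switch ($row['sc-status']) {
            '401' { $failures[$ip]  = 1 + [int]$failures[$ip] }
            '200' { $successes[$ip] = 1 + [int]$successes[$ip] }
        }
    }

    foreach ($ip in $failures.Keys) {
        if ($failures[$ip] -ge $Threshold) {
            [pscustomobject]@{
                ClientIP  = $ip
                Failed401 = $failures[$ip]
                Succeeded = [int]$successes[$ip]
                # A success following a run of failures is the case to escalate first:
                # the guessed account is exactly what CVE-2020-0688 exploitation requires
                Escalate  = ([int]$successes[$ip] -gt 0)
            }
        }
    }
}

Get-EwsBruteForceCandidates -Lines $LogLines -Threshold 3 | Format-Table -AutoSize
```

On the constructed lines, 203.0.113.7 is reported with four failures followed by one success, while the single failed OWA logon from 198.51.100.21 is ignored because it is not an EWS request. In production, widen the window across several daily log files, since a patient actor spreads attempts out to stay under per-hour thresholds.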

Magecart mimics Cloudflare’s Rocket Loader for skimming

On March 10, 2020, researchers at the security firm Malwarebytes identified a new Magecart Group card skimmer that disguises itself as Cloudflare’s Rocket Loader, a library used to improve page load time. The campaign affects a large number of e-commerce sites.

Two types of skimmer are used in this campaign. The first version is hex-obfuscated and exfiltrates data to autocapital[.]pw; it is the one seen in the decoy Rocket Loader library. The second version is hosted on e4[.]ms, uses a different obfuscation scheme, and exfiltrates data to xxx-club[.]pw. The attacks begin by injecting a JavaScript file purporting to be the Rocket Loader library onto a compromised Magento site.

The compromised page also loads the legitimate Cloudflare Rocket Loader library alongside the decoy. One of the malicious loaders uses a clever trick: the domain name http[.]ps is placed so that the URL appears to begin with “https://,” making it look legitimate.

To compromise an e-commerce site, the threat actors use two components: skimming code injected into a self-hosted JavaScript library, and a script tag that references an external JavaScript file hosted on a malicious site. Malwarebytes believes with high confidence that the threat actor behind the new wave of attacks is the Magecart Group, based on the naming convention used for the domains and skimmers.
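As an added example (not from the report or from Malwarebytes), the following PowerShell audits the script tags of a storefront page for the two traits this campaign shows: an external loader on a host the site owner has not approved, including scheme-lookalike hostnames such as http[.]ps, and an inline script dense with \x hex escapes. The HTML is constructed for the example, the allowlist entry ajax.cloudflare.com is an assumed example of an approved host, and the function name and thresholds are the example’s own choices.

```powershell
# Added example (not from the report): flag script tags in a page that match
# the traits of the fake Rocket Loader campaign. The HTML below is constructed;
# for a real page, pass (Invoke-WebRequest $url).Content instead.

$Html = @'
<html><head>
<script src="/js/lib/jquery.min.js"></script>
<script src="https://ajax.cloudflare.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js"></script>
<script src="https://http.ps/cdn-cgi/scripts/rocket-loader.min.js"></script>
<script>var _0x1a2b=["\x61\x75\x74\x6f\x63\x61\x70\x69\x74\x61\x6c\x2e\x70\x77"];</script>
</head><body></body></html>
'@

function Find-SuspiciousScripts {
    param(
        [string]$Html,
        [string[]]$AllowedHosts,      # third-party hosts the site owner expects scripts from
        [int]$HexEscapeThreshold = 8  # \xNN escapes in one inline script before it is reported
    )

    $findings = @()

    # 1. External loaders: every <script src="..."> that points off-site
    $srcPattern = '<script\b[^>]*\bsrc\s*=\s*["'']([^"'']+)["'']'
    foreach ($m in [regex]::Matches($Html, $srcPattern, 'IgnoreCase')) {
        $src = $m.Groups[1].Value
        if ($src -like '//*') { $src = "https:$src" }                 # protocol-relative URL
        if ($src -notmatch '^[a-z][a-z0-9+.-]*://') { continue }      # same-origin path, skip
        $hostName = ([uri]$src).Host
        if ($hostName -match '^(https?|ftp)\.') {
            # A hostname whose first label reads like a URL scheme (e.g. http.ps)
            $findings += [pscustomobject]@{ Kind = 'scheme-lookalike host'; Detail = $src }
        } elseif ($AllowedHosts -notcontains $hostName) {
            $findings += [pscustomobject]@{ Kind = 'unapproved script host'; Detail = $src }
        }
    }

    # 2. Inline scripts: count \xNN escapes, the obfuscation style of the first skimmer
    $inlinePattern = '<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>'
    foreach ($m in [regex]::Matches($Html, $inlinePattern, 'IgnoreCase, Singleline')) {
        $body = $m.Groups[1].Value
        $hexEscapes = [regex]::Matches($body, '\\x[0-9a-fA-F]{2}').Count
        if ($hexEscapes -ge $HexEscapeThreshold) {
            $preview = $body.Substring(0, [Math]::Min(60, $body.Length))
            $findings += [pscustomobject]@{ Kind = "inline script with $hexEscapes hex escapes"; Detail = $preview }
        }
    }

    $findings
}

Find-SuspiciousScripts -Html $Html -AllowedHosts @('ajax.cloudflare.com') | Format-Table -AutoSize
```

The allowlist is the part that does the real work: a skimmer loaded from an unfamiliar host is caught whether or not its name imitates a scheme, and the lookalike rule only adds a sharper label for the http[.]ps trick. Running the audit on a schedule against the live checkout page, and diffing the set of external hosts between runs, turns it into a change-detection control for the self-hosted library injection as well.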

Paul Scott
