Threat Report

Thursday March 19th 2020

In this week’s threat report, we’re covering a new capability in the evolution of Trickbot, critical vulnerabilities in Adobe Reader and Adobe Acrobat, a code execution proof of concept (PoC) for Joomla, and a blog post by the Sodinokibi ransomware team that could shake up stock prices.

Trickbot learns new RDP brute force trick

On March 18, 2020, researchers identified a new module for the Trickbot banking Trojan called “rdpScanDll.” This module brute-forces Remote Desktop Protocol (RDP) logins against a specific list of targets in the telecommunication, education, and financial services industries in the United States and Hong Kong.

The module was first observed on January 30, 2020. The attack starts with malspam delivering the Trickbot Trojan. Based on configuration files downloaded by Trickbot, more than 3,400 IP addresses were acting as command-and-control servers. Users and organizations should watch out for unexpected emails carrying attachments, and keep their software and firmware up to date. The following indicators of compromise were released with the researchers’ findings.

C2 IPs

64[.]44.133.39
146[.]185.253.170
107[.]172.165.149
5[.]2.78.77
45[.]148.120.13
198[.]23.252.136
23[.]95.231.164
45[.]148.120.31
51[.]89.73.154
45[.]148.120.14
178[.]156.202.143
185[.]252.144.64
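Two defender-side checks follow naturally from this section: matching outbound connections against the C2 list above, and spotting the RDP password guessing that rdpScanDll performs against exposed hosts. The script below is an added example, not code from the report or its researchers. It refangs the defanged C2 addresses exactly as listed above, then runs them against a constructed firewall log, and finally applies a sliding-window count of failed RDP logons (modelled on Windows Event 4625 with logon type 10) to a constructed set of events. The log formats, hosts, usernames and the 5-failures-per-minute threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The defanged C2 addresses exactly as published in the report above.
TRICKBOT_C2_DEFANGED = """
64[.]44.133.39
146[.]185.253.170
107[.]172.165.149
5[.]2.78.77
45[.]148.120.13
198[.]23.252.136
23[.]95.231.164
45[.]148.120.31
51[.]89.73.154
45[.]148.120.14
178[.]156.202.143
185[.]252.144.64
"""


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 64[.]44.133.39 back into 64.44.133.39."""
    return indicator.strip().replace("[.]", ".")


def load_c2_set(defanged_block: str) -> set:
    """Build a lookup set of refanged C2 addresses from a defanged text block."""
    return {refang(line) for line in defanged_block.splitlines() if line.strip()}


# Constructed firewall log (not real traffic): "<timestamp> <src> -> <dst>:<port>".
FIREWALL_LOG = """
2020-03-18T09:12:01 10.0.5.21 -> 172.217.3.110:443
2020-03-18T09:12:07 10.0.5.21 -> 64.44.133.39:443
2020-03-18T09:13:44 10.0.7.9 -> 45.148.120.31:447
2020-03-18T09:14:02 10.0.7.9 -> 13.107.42.14:443
"""

FW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")


def match_c2_connections(log_text: str, c2_set: set) -> list:
    """Return (timestamp, internal_host, c2_ip, port) for each outbound C2 hit."""
    hits = []
    for line in log_text.strip().splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        if dst in c2_set:
            hits.append((ts, src, dst, int(port)))
    return hits


def _constructed_rdp_log() -> str:
    """Assumed log format: one failed RDP logon (4625, logon type 10) per line."""
    base = datetime(2020, 3, 18, 10, 0, 0)
    lines = []
    # Eight failures in 35 seconds from one source, cycling through usernames.
    for i, user in enumerate(["administrator", "admin", "backup", "sqlsvc",
                              "helpdesk", "scanner", "test", "guest"]):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 LogonType=10 Source=203.0.113.7 User={user}")
    # Two mistyped passwords from a remote worker, an hour apart (benign).
    for i in range(2):
        ts = (base + timedelta(hours=i)).isoformat()
        lines.append(f"{ts} EventID=4625 LogonType=10 Source=198.51.100.5 User=jsmith")
    return "\n".join(lines)


RDP_FAIL_LOG = _constructed_rdp_log()
RDP_RE = re.compile(r"^(\S+) EventID=4625 LogonType=10 Source=(\S+) User=(\S+)$")


def parse_rdp_events(log_text: str) -> list:
    """Parse the constructed failure lines into (datetime, source_ip, user)."""
    events = []
    for line in log_text.strip().splitlines():
        m = RDP_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)) -> dict:
    """Map source IP -> (failures in its densest window, distinct usernames tried)
    for every source reaching `threshold` failed RDP logons inside `window`."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        best, start = 0, 0
        for end in range(len(rows)):            # two-pointer sliding window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = (best, len({u for _, u in rows}))
    return flagged


if __name__ == "__main__":
    c2 = load_c2_set(TRICKBOT_C2_DEFANGED)
    for hit in match_c2_connections(FIREWALL_LOG, c2):
        print("Outbound contact with Trickbot C2:", hit)
    for src, (n, users) in detect_rdp_bruteforce(parse_rdp_events(RDP_FAIL_LOG)).items():
        print(f"Possible RDP brute force from {src}: {n} failures, {users} distinct users")
```

The distinct-username count is what separates a password spray like rdpScanDll’s from a single user locking themselves out: many usernames from one source inside a short window is the signal worth alerting on, and the C2 match turns a suspicious host into a confirmed one.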

Adobe patches nine arbitrary code execution vulnerabilities

On March 17, 2020, Adobe released security updates addressing a total of 13 vulnerabilities, nine of them classified as critical. The critical vulnerabilities are tracked as CVE-2020-3795, CVE-2020-3799, CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805, CVE-2020-3807, and CVE-2020-3797, and allow attackers, for example through a malicious PDF, to exploit these vulnerabilities and execute commands on the affected computer.

You should definitely update Adobe Reader and Acrobat based on the information in Adobe Security Bulletin APSB20-13. We should expect to see these vulnerabilities leveraged in maldocs once proofs of concept are published.

Joomla PoC for remote code execution released on GitHub

On March 17, 2020, HoangKien1020 published two proofs of concept (PoCs) and a write-up on GitHub. These PoCs are exploits for vulnerabilities that Joomla classifies as Improper Access Control, described in CVE-2020-10238 and CVE-2020-10239. The vulnerabilities were patched approximately two days before the PoCs were released.

CVE-2020-10238 affects Joomla versions 2.5.0 - 3.9.15 and allows a user to reach Joomla’s com_templates because of missing ACL checks, which opens multiple attack vectors for threat actors. CVE-2020-10239 affects Joomla versions 3.7.0 - 3.9.15 and allows non-superadmin users to access Joomla’s com_fields.

If you’re using the Joomla CMS, make sure to update now. We expect to see heavy Joomla scanning activity targeting these vulnerabilities.
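Two things a Joomla administrator would want to do with this section are confirm whether an installed version falls inside the affected ranges, and watch the web server logs for the scanning activity the report anticipates. The script below is an added example, not code from the report, from Joomla or from the PoC author. The version ranges are the ones stated above; the access log lines are constructed, and the assumption that Joomla routes component requests through `index.php?option=com_…` (so that hits on com_templates and com_fields can be picked out of the query string) is ours.

```python
import re
from collections import Counter, defaultdict

# Inclusive affected ranges as stated in the report.
AFFECTED = {
    "CVE-2020-10238": ((2, 5, 0), (3, 9, 15)),   # com_templates, missing ACL checks
    "CVE-2020-10239": ((3, 7, 0), (3, 9, 15)),   # com_fields reachable by non-superadmins
}


def parse_version(v: str) -> tuple:
    """'3.9.15' -> (3, 9, 15) so that tuple comparison orders versions correctly."""
    return tuple(int(p) for p in v.split("."))


def affected_cves(version: str) -> list:
    """Return the CVEs from the report whose affected range contains `version`."""
    ver = parse_version(version)
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= ver <= hi]


# Constructed Apache combined-format lines; none of these hosts or requests are real.
ACCESS_LOG = r'''
198.51.100.23 - - [18/Mar/2020:14:02:10 +0000] "GET /index.php?option=com_templates&view=templates HTTP/1.1" 403 512 "-" "python-requests/2.22.0"
198.51.100.23 - - [18/Mar/2020:14:02:11 +0000] "GET /index.php?option=com_fields&view=fields HTTP/1.1" 403 498 "-" "python-requests/2.22.0"
198.51.100.23 - - [18/Mar/2020:14:02:12 +0000] "GET /administrator/index.php?option=com_templates HTTP/1.1" 303 0 "-" "python-requests/2.22.0"
203.0.113.44 - - [18/Mar/2020:14:05:51 +0000] "GET /administrator/index.php?option=com_templates&view=styles HTTP/1.1" 200 22310 "https://example.test/administrator/" "Mozilla/5.0"
10.0.0.8 - - [18/Mar/2020:14:06:02 +0000] "GET /index.php?option=com_content&view=article&id=4 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)
WATCHED = ("com_templates", "com_fields")   # components named in the two CVEs


def component_of(path: str):
    """Extract the Joomla component from the request's option= query parameter."""
    qs = path.split("?", 1)[1] if "?" in path else ""
    for kv in qs.split("&"):
        key, _, value = kv.partition("=")
        if key == "option":
            return value
    return None


def probes_per_source(log_text: str) -> dict:
    """Map client IP -> Counter of requests that touched the watched components."""
    out = defaultdict(Counter)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, _method, path, _status, _ua = m.groups()
        comp = component_of(path)
        if comp in WATCHED:
            out[src][comp] += 1
    return dict(out)


def noisy_sources(probes: dict, min_hits: int = 2) -> list:
    """Sources that probed the watched components at least `min_hits` times."""
    return sorted(src for src, c in probes.items() if sum(c.values()) >= min_hits)


if __name__ == "__main__":
    for v in ("2.6.0", "3.9.15", "3.9.16"):
        print(v, "->", affected_cves(v) or "not in the affected ranges")
    probes = probes_per_source(ACCESS_LOG)
    for src in noisy_sources(probes):
        print(f"{src} probed {dict(probes[src])}")
```

Raw hit counts are only a starting point: the 203.0.113.44 line is an administrator legitimately opening the template manager (200 response, referrer from the admin backend), while the scripted client sweeping both components in consecutive seconds is the pattern the report expects to see. Pair the counts with status codes, user agents and referrers before alerting.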

Ransomware moves towards extortion to extract payment

The Sodinokibi ransomware operators published a blog post detailing how Sodin (Sodinokibi) can distribute the data of victims who do not pay. Additionally, the operators can set up an automatic notification to stock exchanges such as NASDAQ, threatening to affect the company’s financial position if payment is not received.

In addition to encrypting data at rest, ransomware is now stealing data. Companies impacted by Sodinokibi ransomware may have their breach publicized and their data exposed if they do not move to negotiations quickly or fail to pay the ransom. In one instance, the stolen files contained not only company data but also the personal information of its employees and customers, such as Social Security numbers.

The data leaks are incremental as negotiations move forward. The ransomware operators claimed that the initial release of one victim’s data contained financial and tax information, and that they will add more if the victim does not pay the ransom demand.

This shows that in 2020, being prepared for ransomware with good backups is not enough. Ransomware authors are adding extortion to their set of tricks. Are you ready to be publicly shamed, have all your data exposed, and take a hit to your stock price? I wouldn’t be surprised to hear of them shorting your stock before notifying NASDAQ.

Paul Scott
