Threat Report

Thursday October 25, 2018

As we approach Halloween, it has been a frightening week in security. We have an ancient Zero-Day rising from the shadows, government data being sucked dry by a data breach, and monstrous malware kidnapping your codes. Don’t get spooked!

Cashdollar Hits Jackpot with Discovery of 8-year-old Zero-Day

Larry Cashdollar, a security researcher with Akamai SIRT, recently discovered a zero-day vulnerability in the jQuery File Upload plugin (CVE-2018-9206). The vulnerability lets attackers upload malicious files, such as rootkits, backdoors, and other malware, to servers. Based on Cashdollar’s research, the vulnerability had been exploited before 2016: a YouTube video dating back to August 2015 presents a tutorial on the jQuery File Upload bug, indicating that hackers have been widely exploiting the vulnerability.

Cashdollar reported the vulnerability to Sebastian Tschan (aka Blueimp), the German developer who authored the jQuery File Upload plugin. Tschan conducted his own research and found that the root cause lies in a security change to “.htaccess” handling in the Apache HTTP Server (Apache HTTPD Server version 2.3.9) dating back to 2010. That update allows the server owner to ignore the custom security settings set for individual directories. Unknowingly, Tschan’s jQuery File Upload plugin relied on “.htaccess”, which had been active by default. All versions of the plugin up to 9.22.1 are vulnerable.

The plugin has been integrated into thousands of projects, including content management systems (CMS), customer relationship management (CRM) software, intranet solutions, WordPress plugins, Drupal add-ons, and Joomla components, to name a few. The jQuery File Upload plugin has been forked on GitHub over 7,800 times. Cashdollar used his proof of concept (PoC) to test 1,000 of the 7,800 GitHub forks and found that all of them were exploitable. But GitHub forks of this vulnerable code are only one part of the problem: there is no way to track applications that have integrated the jQuery File Upload plugin without forking it on GitHub. Cashdollar has notified US-CERT because of the seriousness of the vulnerability.

This is a critical vulnerability that can allow an attacker to remotely gain control of vulnerable applications. It is remarkable that it wasn’t discovered sooner, given that the tutorial has been on YouTube for three years. It’s time to start writing YouTube scrapers into our open source intelligence tools. If you are using the jQuery File Upload plugin or a forked version of this vulnerable code in your application, you should upgrade immediately. If you’re including unknown open source code in your application, you should attempt a security review of that code.
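As an added illustration (not the plugin’s or Akamai’s code) of the .htaccess failure described above: a small audit that reports whether an upload directory’s .htaccess protections would actually be honoured under the effective AllowOverride, or whether script execution is disabled in the main server config instead. The upload path and the sample vhost blocks are constructed, and the parser only understands the handful of directives this check needs.

```python
import re
# Added illustration (not the plugin's or Akamai's code) of the failure described
# above: the upload directory's .htaccess is silently ignored when the effective
# AllowOverride is None (the default since Apache 2.3.9), so uploaded scripts run.
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)
# Main-config directives that stop the server executing files in a directory.
DISABLE_RE = re.compile(
    r"^\s*(SetHandler\s+default-handler|php_admin_flag\s+engine\s+off|RemoveHandler\b)",
    re.M | re.I)

def matching_blocks(config, path):
    """<Directory> blocks covering path, innermost (longest prefix) first."""
    blocks = []
    for m in DIR_RE.finditer(config):
        d = m.group(1).rstrip("/")
        if path == d or path.startswith(d + "/"):
            blocks.append((d, m.group(2)))
    return sorted(blocks, key=lambda b: len(b[0]), reverse=True)

def effective_allow_override(blocks):
    """Innermost block that sets AllowOverride wins; unset means None (2.3.9+)."""
    for _, body in blocks:
        m = re.search(r"^\s*AllowOverride\s+(.+)$", body, re.M | re.I)
        if m:
            return {t.lower() for t in m.group(1).split()}
    return {"none"}

def audit_upload_dir(config, upload_dir):
    blocks = matching_blocks(config, upload_dir)
    # Simplified: a disabling directive in any covering block counts (re-enabling
    # in a nested block is not modelled).
    if any(DISABLE_RE.search(body) for _, body in blocks):
        return "ok: script execution disabled in the main config"
    # ForceType/SetHandler rules in .htaccess need AllowOverride FileInfo (or All).
    if effective_allow_override(blocks) & {"all", "fileinfo"}:
        return "ok: .htaccess FileInfo directives are honoured"
    return f"VULNERABLE: .htaccess ignored, no execution restriction for {upload_dir}"

# Constructed configs; the upload path is an assumed conventional location.
UPLOAD_DIR = "/var/www/app/server/php/files"
WEAK_CONFIG = """
<Directory /var/www/app>
    AllowOverride None
    Require all granted
</Directory>
"""
HARDENED_CONFIG = WEAK_CONFIG + """
<Directory "/var/www/app/server/php/files">
    SetHandler default-handler
    php_admin_flag engine off
</Directory>
"""
```

Run `audit_upload_dir(WEAK_CONFIG, UPLOAD_DIR)` to see the vulnerable verdict and the hardened config to see the fix accepted; the same check passes if the upload directory instead gets `AllowOverride FileInfo`, which is what lets the plugin’s own .htaccess take effect.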

75,000 Individuals’ Records Compromised from HealthCare.gov

AP News reports that roughly 75,000 individuals’ records were compromised in a HealthCare.gov security breach. On October 19, 2018, the Centers for Medicare and Medicaid Services (CMS) released an official statement explaining that on October 13 they detected suspicious activity in the Federally Facilitated Exchange’s (FFE’s) Direct Enrollment Pathway, a system designed to allow agents and brokers to help customers apply for coverage in the FFE. An official data breach was declared on October 16. CMS states that the agent and broker accounts associated with the suspicious activity were deactivated and that the Direct Enrollment Pathway for agents and brokers was also disabled.

Officials determined that roughly 75,000 individuals’ records were accessed during the breach, but note that this is a “small fraction” of the FFE’s total consumer records. CMS officials are currently working to identify all individuals impacted by the breach so that they can be notified and offered credit protection. CMS officials also state that open enrollment on HealthCare.gov and the Marketplace Call Center remain available to the general public. A more secure Direct Enrollment Pathway system will be restored for agents and brokers within the next seven days. The statement adds that CMS is in the beginning stages of assessing the breach.

Since only some accounts were associated with the suspicious activity, it is likely that this was the result of weak passwords being brute forced or of password-stealing malware on users’ machines.

Release the Kraken: New Variant on Kraken Cryptor Ransomware

Bleeping Computer recently published a report about a new variant of the Kraken Cryptor ransomware being distributed via malvertising and through the RIG exploit kit. The new Kraken Cryptor version 2.0.6 was first detected by security researchers @nao_sec and @kafeine, who shared it with Bleeping Computer.

From the shared file hashes and information, Bleeping Computer determined that this ransomware had infected 217 unique victims globally since October 20, 2018. Interestingly, this new variant connects to “bleepingcomputer.com” during different stages of the encryption process. It is still not certain what the motive for connecting to BleepingComputer during encryption is. BleepingComputer owner Lawrence Abrams says it is just to poke at them, since BleepingComputer has tackled Kraken Cryptor ransomware in the past.

The request to the URL shortening service is encrypted, so you likely won’t be able to see the user agent or referrer unless you use a forward proxy to inspect outbound traffic. However, you should see an encrypted connection to the 2no.co domain followed by a redirect to bleepingcomputer.com.
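Added example (not from the Bleeping Computer report or from Perch): a detection that correlates the two-hop sequence just described, a TLS session to 2no.co followed shortly by one to bleepingcomputer.com from the same host, over constructed TLS log lines. The 60-second window and the log layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real capture): tab-separated TLS log lines of
# "timestamp, source host, SNI", loosely modelled on a Zeek ssl.log.
SAMPLE_TLS_LOG = """\
2018-10-24T10:00:01\t10.0.0.5\tupdates.example-corp.internal
2018-10-24T10:00:07\t10.0.0.9\t2no.co
2018-10-24T10:00:09\t10.0.0.9\tbleepingcomputer.com
2018-10-24T10:05:00\t10.0.0.5\tbleepingcomputer.com
2018-10-24T11:30:00\t10.0.0.7\t2no.co
"""

FIRST_HOP, SECOND_HOP = "2no.co", "bleepingcomputer.com"
WINDOW = timedelta(seconds=60)  # assumed correlation window for the redirect

def parse_tls_log(text):
    """Parse the constructed format into sorted (datetime, src, sni) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sni = line.split("\t")
            events.append((datetime.fromisoformat(ts), src, sni.lower()))
    return sorted(events)

def _is(sni, domain):
    return sni == domain or sni.endswith("." + domain)

def find_kraken_beacon_sequences(text):
    """Return (src, t_first, t_second) for each host whose TLS session to 2no.co is
    followed within WINDOW by one to bleepingcomputer.com. Either hop on its own is
    unremarkable (a URL shortener, a news site); the ordered pair is the signal."""
    pending = defaultdict(list)  # src -> timestamps of recent 2no.co sessions
    hits = []
    for ts, src, sni in parse_tls_log(text):
        if _is(sni, FIRST_HOP):
            pending[src].append(ts)
        elif _is(sni, SECOND_HOP):
            hits.extend((src, t0, ts) for t0 in pending[src] if ts - t0 <= WINDOW)
            pending[src].clear()
    return hits
```

On the sample, only 10.0.0.9 is reported: 10.0.0.5 visits the news site with no shortener hop before it, and 10.0.0.7 hits the shortener with no follow-up.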

We know that ransomware can be scary, so we asked Perchy to look around for this new variant. Perchy says that no traffic in the last 30 days is consistent with the indicators for the newly released variant of Kraken Cryptor. All Perch customers are clear, and no infection was seen.

Paul Scott
SOC Nightwatchman