We’ve got a lot of wild botnet and phishing activity in this week’s threat report. Let’s get this party started.
Richard’s First Echobot
First observed in May 2019, a new variant of Echobot Botnet is picking up steam targeting various Internet-of-Things (IoT) devices, including routers, cameras, smart home hubs, network-attached storage systems, servers, and more. We expect to see this IoT focused botnet evolve to add exploits for the Urgent/11 vulnerabilities we discussed in the Perch Monthly User’s Meeting.
Researchers have observed Richard using 59 different remote code execution (RCE) exploits. A list of those payloads has been shared on pastebin for your viewing pleasure. Based on the payloads, the threat actor relies on known exploits, some disclosed as early as 2010.
The malware dropper is hosted on a webserver in Iran (185.164.72[.]155) in a file called Richard. At Perch, we have observed Richard’s scanning activity. Researchers observe that the author has employed exploits without targeting a specific category of products and note that the code incorporated is available from multiple public exploit repositories. The following is a list of exploits used by this Echobot variant, all of which are available via open-sourced repositories.
1. Asustor ADM 3.1.2RHG1 - RCE 2. Ubiquity Nanostation5 (Air OS) - 0day RCE 3. Alcatel-Lucent OmniPCX Enterprise 7.1 - RCE 4. ASMAX AR 804 gu Web Management Console - ACE 5. ASUS DSL-N12E_C1 126.96.36.199_345 - RCE 6. Asus RT56U 188.8.131.52.360 - RCI 7. AWStats Totals 1.14 - multisort RCE 8. AWStats 6.0 - 'configdir' RCE 9. AWStats 6.0 - 'migrate' Remote Command Execution 10. Barracuda - IMG.pl Remote Command Execution 11. Beckhoff CX9020 CPU Module - RCE 12. Belkin Wemo UPnP - RCE 13. BEWARD N100 H.264 VGA IP Camera M2.1.6 - RCE 14. Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus - RCI 15. Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution 16. EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution 17. Dogfood CRM - 'spell.php' Remote Command Execution 18. CTEK SkyRouter 4200/4300 - Command Execution 19. NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection 20. Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution 21. D-Link - OS-Command Injection via UPnP Interface 22. OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution 23. FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution 24. Fritz! Box Webcm - Command Injection 25. Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution 26. Gitorious - Remote Command Execution 27. HomeMatic Zentrale CCU2 - Remote Code Execution 28. Hootoo HT-05 - Remote Code Execution 29. Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution 30. Linksys WAG54G2 - Web Management Console Arbitrary Command Execution 31. Mitel AWC - Command Execution 32. Nagios 3.0.6 - 'statuswml.cgi' - Arbitrary Shell Command Injection 33. NUUO NVRmini - 'upgrade_handle.php' - Remote Command Execution 34. NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution 35. EyeLock nano NXT 3.5 - Remote Code Execution 36. OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'welcome' Remote Command Execution 37. op5 7.1.9 - Remote Command Execution 38. HP OpenView Network Node Manager 7.50 - Remote Command Execution 39. Oracle Weblogic 10.3.6.0.0 / 184.108.40.206.0 - Remote Code Execution 40. PHPMoAdmin - Unauthorized Remote Code Execution 41. Plone and Zope - Remote Command Execution 42. QuickTime Streaming Server - 'parse_xml.cgi' - Remote Execution 43. Realtek SDK - Miniigd UPnP SOAP Command Execution 44. Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution 45. Rocket Servergraph Admin Center - fileRequestor Remote Code Execution 46. SAPIDO RB-1732 - Remote Command Execution 47. Seowonintech Devices - Remote Command Execution 48. Spreecommerce 0.60.1 - Arbitrary Command Execution 49. LG SuperSign EZ CMS 2.5 - Remote Code Execution 50. FLIR Thermal Camera FC-S/PT - Command Injection 51. Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated - Command Injection 52. MiCasaVerde VeraLite - Remote Code Execution 53. VMware NSX SD-WAN Edge - Command Injection 54. WePresent WiPG-1000 - Command Injection 55. Wireless IP Camera (P2P) WIFICAM - Remote Code Execution 56. Xfinity Gateway - Remote Code Execution 57. Yealink VoIP Phone SIP-T38G - Remote Command Execution 59. ZeroShell 1.0beta11 - Remote Code Execution
Lord EK on deck
A new exploit kit (EK), Lord Exploit Kit, has been observed in the wild that uses the PopCash ad network to compromise victims. As we mentioned in the Monthly User’s Meeting, this is not the first time we’ve seen a campaign leveraging ad networks to redirect to an exploit kit.
Lord EK leverages a user-after-free vulnerability in Adobe Flash and relies on the “ngrok” service that can set up a secure connection to expose to the internet local servers behind NATs and firewalls. The attackers pull victims via the PopCash ad network and then use a compromised site to redirect to a landing page and the exploit kit.
The Lord EK checks for the presence and version of the Flash Player, to exploit CVE-2018-15982. After exploiting the vulnerability, it launches shellcode to download and execute its payload.
The initial payload was njRAT, however, the actors switched it for the Eris Ransomware. The second part of the landing page collects information that includes the Flash version and other network attributes about the victim.
Users and organizations best defense is to keep software and firmware up-to-date with the latest releases to prevent any potential attacks and monitor your network for signs of intrusion.
57189bbb.ngrok[.]io 7b2cdd48.ngrok[.]io extreme-ip-lookup[.]com Liader.com[.]ua
U.S. Utilities sector targeted by LookBack in phishing campaign
Several phishing campaigns between July 19 and July 25 have been observed in the wild targeting three utility sectors in the United States. The phishing email impersonates a U.S.-based engineering licensing board that contains a malicious Microsoft Word attachment that uses macros to install and run a malware dubbed LookBack.
LookBack is a remote access Trojan that relies on a proxy communication tool to relay data from the infected host to a command and control IP. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt.
In addition, the malware can also enumerate services, delete files, execute commands, reboot the machine, and delete itself from an infected host. In the attachments identified as part of the July 2019 campaigns, the actors appeared to utilize many concatenation commands within the macro to obfuscate the VBA function.
It is possible these concatenations were an attempt to evade static signature detection for the macro strings while maintaining the integrity of the installation mechanism. Users should always be cautious when viewing email content that pretends to be legitimate (from a company or vendor) to prevent phishing attacks.
3a03509d1036f4ccf4bd4cb28717287791bf5e90f94b6edd4bffe40a66a4b237 cf57eb331b09cb2bc8992ea253d301161f1fa38583cba0733ea6dc2da2bdf740 360057ef2c4c14e263bbe2fc2df9ed4790bd8ed66256c827f1af349da31d47be a2d41af0b4f8f0fd950fd4ac164cb2c836fd3c679688b4db75e85ffabfc20d94 f8fae5b912ca61068a2be64e51273e90a10ebf7ffbd7feaf9a29475387f99a6d 368ae77c829c29db2c3e719ce423104db86165422391403ad0483944aa287c20
Presbyterian Health Services phished into HIPAA violation
Presbyterian Healthcare Services discovered a data breach on June 9, 2019 and is now notifying approximately 183K patients and health plan members that their protected health information (PHI) has been exposed.
Around May 6, 2019, several employees of the organization received phishing emails where some of them responded to it and unknowingly disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and social security numbers.
Affected individuals were offered credit monitoring and identity theft protection services for 12 months and were advised to monitor their accounts and explanation of benefits statements carefully for any sign of fraudulent activity.
Presbyterian Healthcare Services has secured the affected accounts they are aware of. An investigation into the incident resulted a handwavy statement like, “no evidence to suggest any personal information was accessed or stolen by the attacker.” But they wouldn’t be notifying everyone and paying for credit monitoring if they could prove that personal information was not accessed. They likely didn’t have any logs to prove or disprove data theft.
The lesson here is to have enough data to prove that you weren’t breached, otherwise the assumption is that you have been.