Threat Report

Wednesday January 23rd 2019

Governments around the world were busy responding to cybercrime, cyber espionage, and hacktivists last week. The U.S. Department of Homeland Security issues an emergency directive, Zimbabwe draws unwanted attention from Anonymous, the Bahamas’ government TV network struggles to recover from ransomware, an APT lures Chile’s ATM network operator into infection, and South Korean security controls lead to a secrets breach. Also, we have a hat-trick of remote code execution this week: Linux, Apple, and Windows released patches for critical vulnerabilities.

Emergency directive from U.S. Homeland Security

The U.S. Department of Homeland Security (DHS) has issued an emergency directive that requires all U.S. agencies that operate with a dot gov domain or agency-managed domain to audit their DNS records and servers to verify that they are resolving to the correct IP addresses. They also require such organizations to harden the security related to DNS accounts and passwords.

The directive comes after DHS’ monitoring of an ongoing campaign where attackers are stealing DNS administrators’ credentials in order to tamper with DNS infrastructure. Attackers are then redirecting government hostnames to attackers’ IP addresses. This allows attackers to possibly redirect legitimate traffic to phishing sites where more credentials can be stolen, or to have email delivered to the attackers’ mail servers.

The links in the emergency directive indicate that these attacks are related to earlier DNS hijacks reported by Cisco Talos in December 2018 and FireEye in January 2019. In these attacks, attackers known to be affiliated with Iran were hijacking the DNS records for Middle Eastern government domains.

U.S. Government agencies are required to perform the following steps within the next 10 business days. These procedures do not currently have a termination date and will continue until a further directive is issued:

  1. Audit DNS records associated with government domains to verify that they have not been tampered with and are directing traffic to the correct IP addresses.
  2. Change the passwords for DNS admin accounts that modify DNS records.
  3. Add multi-factor authentication to all DNS admin accounts.
  4. Begin to monitor the Certificate Transparency (CT) logs for agency domains that will be provided by DHS within the next 10 business days.
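As an added illustration of steps 1 and 4 (not part of the directive or of any DHS tooling), the script below diffs a baseline of expected DNS answers against a current snapshot and flags Certificate Transparency entries from issuers the agency has not approved; the domain names, addresses, issuers and log entries are all constructed.

```python
"""Baseline-vs-current DNS audit and CT-log issuer check, modelled on
steps 1 and 4 of the DHS directive. All data below is constructed."""

# Constructed baseline: what the agency's records are supposed to say.
BASELINE = {
    ("www.agency.example.gov", "A"): {"192.0.2.10"},
    ("mail.agency.example.gov", "A"): {"192.0.2.25"},
    ("agency.example.gov", "MX"): {"10 mail.agency.example.gov."},
    ("agency.example.gov", "NS"): {"ns1.agency.example.gov.", "ns2.agency.example.gov."},
}

# Constructed "current" answers, as a resolver would return them today.
CURRENT = {
    ("www.agency.example.gov", "A"): {"192.0.2.10"},
    ("mail.agency.example.gov", "A"): {"198.51.100.77"},   # changed: now points elsewhere
    ("agency.example.gov", "MX"): {"10 mail.agency.example.gov."},
    ("agency.example.gov", "NS"): {"ns1.agency.example.gov.", "ns2.agency.example.gov."},
    ("vpn.agency.example.gov", "A"): {"198.51.100.78"},    # not in the baseline at all
}

def audit_dns(baseline, current):
    """Return one finding per (name, type) whose answer set drifted from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        name, rtype = key
        expected, observed = baseline.get(key), current.get(key)
        if expected is None:
            findings.append(f"UNEXPECTED {rtype} {name} -> {sorted(observed)}")
        elif observed is None:
            findings.append(f"MISSING {rtype} {name} (expected {sorted(expected)})")
        elif expected != observed:
            findings.append(f"CHANGED {rtype} {name}: {sorted(expected)} -> {sorted(observed)}")
    return findings

# Constructed CT log entries as (issuer, SANs); real monitoring pulls these from a CT feed.
CT_ENTRIES = [
    ("Approved CA", ["www.agency.example.gov"]),
    ("Some Other CA", ["mail.agency.example.gov", "agency.example.gov"]),
]
APPROVED_ISSUERS = {"Approved CA"}

def audit_ct(entries, approved, zone="agency.example.gov"):
    """Flag certificates that cover zone names but come from an issuer not on the approved list."""
    out = []
    for issuer, sans in entries:
        ours = [s for s in sans if s == zone or s.endswith("." + zone)]
        if ours and issuer not in approved:
            out.append(f"UNAPPROVED CERT from {issuer} for {ours}")
    return out
```

Calling `audit_dns(BASELINE, CURRENT) + audit_ct(CT_ENTRIES, APPROVED_ISSUERS)` yields the combined list of findings to review.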

#OpZimbabwe underway

International hacktivist group Anonymous targeted the Zimbabwe government after it attempted to halt nationwide protests through various means, including blocking social media sites. Here is an excerpt from the tango down:

“We have seen people being oppressed for fighting for freedom. We cannot tolerate that. As we did with the Sudanese government, we have successfully taken down 72+ Zimbabwe government websites. This is only a start. Your banking system will also fall soon. Zimbabwe government, you have become an enemy of Anonymous! Your systems are in danger!”

According to Bloomberg, the protests have been directed towards a 150 percent hike in the price of diesel and gasoline, police crackdowns resulting in the death of 12 people, and legal action directed at the three mobile networks to block access to Facebook, WhatsApp, YouTube, and Twitter. Some of the websites which have been targeted by Anonymous are: Ministry of ICT, Housing Ministry, Justice Department, and Ministry of Defense. The group reportedly attacked more than 200 websites in Sudan and government services for electronic payments.

PowerRatankba infiltrates Interbank ATM network via LinkedIn and Skype

Meanwhile in Chile, new information is coming out about an intrusion impacting the bank responsible for the country’s ATM network. Redbanc is an interbank network in Chile connecting the ATMs of all its banks. Earlier this month, it was reported that they had suffered an intrusion. Hackers created a watering hole to lure software developers by posting a sweet job opportunity on LinkedIn. When a Redbanc employee responded to the job opportunity, they were invited to a Skype interview, where they were instructed to download ApplicationPDF.exe, which contained malware. Redbanc did detect the malware activity, allowing them to respond before the attackers could learn the network and do more damage. This shows the value of monitoring your network to detect threats early, before they mature. Researchers at Flashpoint provided a great malware analysis of the samples from Redbanc and believe Lazarus, aka Hidden Cobra, is responsible.

TV network takeover in the Bahamas

Like a scene out of a cult classic, hackers have taken over the TV network infrastructure of the Bahamas’ Corporation for Broadcasting (CBC). Much of the station’s IT infrastructure is unavailable as the hackers hold the computer network for ransom. The ransomware infiltration was nearly complete in scope. The attackers initially asked for 50,000 dollars in cryptocurrency (approximately 15 bitcoin), but have been willing to negotiate down to 18,000. Although recovery is expected to cost hundreds of thousands of dollars, paying the ransom has been declared off the table.

As reported by EW News Online, the Democratic National Alliance (DNA) expressed that it is gravely concerned about recent reports regarding a cyberattack on the Broadcasting Corporation of the Bahamas (BCB), and about Bahamians being left in the dark when it comes to getting an update. DNA’s Spokesperson for Information Technology, Samuel Strachan, stated that no further updates have been provided to the Bahamian people and that fundamental questions remain unanswered by a government that professes a commitment to transparency and accountability. I reached out to BCB earlier in the week for clarification on some of the breach details, but I have received no update.

South Korea was hacked. Who done it?

According to multiple South Korean news sources, attackers successfully infiltrated the computer systems of a South Korean government agency on October 4, 2018, infecting 30 computers and stealing internal documents from at least 10. The breached organization was South Korea’s Defense Acquisition Program Administration (DAPA), an agency responsible for weaponry and munitions acquisitions for the country’s military forces. The stolen documents reportedly contained information on arms procurement for the country’s next generation fighter aircraft.

Ironically, attackers were able to infiltrate the system by first gaining access to the server of a security program installed on all government computers. The infected application was a “Data Storage Prevention Solution” installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. Upon gaining administrative access to the software’s server, attackers used it to collect documents from connected workstations. I’ll go out on a limb and say this was North Korea.

Linux, Apple, and Microsoft plug critical code execution holes

Linux, Apple, and Microsoft are patching some critical vulnerabilities that allow for remote code execution (RCE).

The Linux package manager APT has been patched for a remote code execution vulnerability that allows a man-in-the-middle to execute arbitrary code as root on a machine installing any package. “Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” explained Max Justicz in his post. “Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package.” The flaw (CVE-2019-3462) has been fixed in the latest versions of the package manager, and Debian, which develops APT, has acknowledged it. Justicz also advises users to disable HTTP redirects while updating; that way the flaw cannot be triggered in the meantime, until the updated APT package is installed.
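To make the quoted mechanism concrete, here is an added illustration (not APT's code, nor Justicz's) contrasting a fetcher that URL-decodes the Location header before embedding it in a 103 Redirect message with one that passes the header through unchanged and validates it first; the message layout is a simplified model of APT's method protocol and every URL is constructed.

```python
"""Vulnerable vs hardened handling of an HTTP Location header that is placed
into an APT-style "103 Redirect" method message. The message layout is a
simplified model of APT's method protocol, not APT's source, and the
Location values are constructed."""
from urllib.parse import unquote, urlsplit

ORIG_URI = "http://deb.example.org/pool/main/p/pkg/pkg_1.0_amd64.deb"

def redirect_msg_vulnerable(location):
    """URL-decodes the Location header and appends it to the 103 message.
    A %0A in the header becomes a real newline inside the message, so the
    decoded text can introduce extra fields that the parent process trusts."""
    return f"103 Redirect\nURI: {ORIG_URI}\nNew-URI: {unquote(location)}\n\n"

def redirect_msg_hardened(location):
    """Keep the header as received (no decoding) and refuse anything that is
    not an absolute http(s) URL made only of printable, non-space ASCII."""
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in location):
        raise ValueError("redirect target contains control or whitespace characters")
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target is not an absolute http(s) URL")
    return f"103 Redirect\nURI: {ORIG_URI}\nNew-URI: {location}\n\n"

def message_fields(msg):
    """Parse a method message into its fields, as a line-oriented reader would."""
    fields = {}
    for line in msg.rstrip("\n").split("\n")[1:]:
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields

# A benign redirect is handled identically by both builders.
CLEAN = "http://mirror.example.org/pool/main/p/pkg/pkg_1.0_amd64.deb"
# Constructed header carrying an encoded newline; only the vulnerable builder decodes it.
ENCODED_NEWLINE = "http://mirror.example.org/x.deb%0AExtra-Field:%20injected"

if __name__ == "__main__":
    print("vulnerable:", message_fields(redirect_msg_vulnerable(ENCODED_NEWLINE)))
    print("hardened:  ", message_fields(redirect_msg_hardened(ENCODED_NEWLINE)))
```

The vulnerable builder yields a message with a spurious `Extra-Field` entry, while the hardened one keeps the whole value on the `New-URI` line and rejects literal control characters, relative paths and non-http schemes outright.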

Apple has released patches for a number of vulnerabilities; notable among them are a vulnerability in WebRTC that opens the door to RCE over FaceTime and a vulnerability that allows Bluetooth connections to be intercepted and used for RCE on the device. Since it’s 2019, you can buy working exploits for either of these vulnerabilities for as low as $4,999.99. What a world we live in.

Microsoft has released temporary patches for three Windows zero-days, all of which were disclosed within the past month. The first received a temporary patch last week, while patches for the other two followed this week. ZDNet notes that Microsoft did not release official fixes at the start of the month during its January 2019 Patch Tuesday, and that the patches have instead been made available by a third-party security firm. In order to install the temporary patches, users must install 0patch Agent from Acros Security, software primarily designed for companies that run old Windows versions across their systems, versions that have reached End-Of-Life (EOL) and no longer receive official security updates from Microsoft.

The first zero-day is a flaw within Windows ReadFile, whereby malicious code can abuse the Windows ReadFile OS function to read any local file, regardless of the user’s permission level. It was disclosed on December 20, 2018.

The second zero-day is a Windows WER flaw, aka AngryPolarBug, whereby malicious code can overwrite and replace any file on the user’s system. It was disclosed on December 27, 2018.

The third zero-day is in Windows VCF (Contacts), whereby malicious code abuses the way Windows reads vCard files (VCFs) to execute code on the computer with elevated privileges. It was disclosed on January 10, 2019.

None of the three Windows zero-days have been observed being used in the wild by any malware author or cybercriminal group. Users and organizations are advised to update their Windows products with the latest available patches to mitigate risk and remain on watch for more permanent patches.

Paul Scott
