Threat Report

Wednesday July 31st 2019

What’s cooking this week? WatchBog and Trickbot learn some new tricks while some big names suffer embarrassing breaches. Let’s start off with the biggest data breach from last week.

Capital One breached by… open S3 buckets

Paige Thompson, a former Systems Engineer for Amazon Web Services also known as “erratic,” has been named as responsible for the Capital One breach affecting about 100M people in the U.S. and 6M in Canada. But Capital One is responsible for leaving sensitive data in open S3 buckets.

The bank said it found out about the vulnerability in its system on July 19 and immediately sought help from law enforcement to catch the perpetrator. The FBI said that some of the information obtained from the bank appeared on GitHub on July 17, while a month before that, Twitter user “Erratic” (@0xA3A97B6C, account suspended) sent another user a direct message alerting them to the distribution of the bank’s data, which includes names, birthdates, and social security numbers.

Erratic Twitter convo

The complaint filed in court shows Capital One was alerted to an S3 bucket leak, and states that the firewall configuration allowed access to “buckets of data.” So Capital One didn’t detect the leak so much as get tipped off, and there wasn’t a vulnerability so much as an insecure configuration. Any user with a Web browser and an HTTP link could have “exploited” this vulnerability.

Leaked s3 data

The complaint further states that Capital One verified Thompson had a list of over 700 of its S3 buckets, and that Capital One logs showed connections from Tor exit nodes matching an IP address that made irregular use of a “firewall account to list buckets.”

Other commands were also issued from IP addresses belonging to a VPN provider of which Thompson is allegedly a customer.

Thompson previously worked at Amazon on an S3 project, according to a resume discovered on GitLab.

According to Krebs, there may be other companies impacted by Thompson’s discovery of open S3 buckets, like the company mentioned in the screenshot above, Infoblox. This isn’t the end of the Paige Thompson story: according to other Slack logs, Thompson may have been running a botnet.

Tinfoil hat time: I bet there will be a plot twist where we find out Thompson emailed Capital One with the tip, hoping for a reward from their responsible disclosure program. There is no evidence that Thompson tried to sell the data, so Capital One is pretty sure the impact is limited.

Clinic swindled in Office 365 wire transfer fraud case

Personal information may have been compromised after two security incidents happened to Community Psychiatric Clinic.

The first was on or around March 12, 2019, when an employee’s email account was accessed without authorization, a potential data breach. Despite added measures, another attack hit CPC on May 8, 2019, likely because a mail-forwarding rule left over from the initial breach went undiscovered.

In May, an employee’s Community Psychiatric Clinic email account was used to carry out a fraudulent wire transfer of funds.

After each event the firm immediately changed all passwords associated with it. That the second incident happened anyway further indicates that mail forwarding had been set up on the compromised accounts.

Additional security measures have been added to employee accounts. The two incidents have one thing in common: both accounts are Microsoft Office 365 accounts, and all the potential unauthorized access to the impacted mailboxes came through Outlook Web Access.

Based on the result of the external investigation, there were “no signs of data breach.” But that may be because of insufficient logging.

With Perch logging for Office 365, users can configure event notifications in Perch to alert whenever specific user accounts generate a log entry from a new IP or whenever mail forwarding is enabled.
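As an added example (not from the report and not Perch’s code), here is a small Python check over Office 365 unified-audit-log records that flags both conditions named above: a login from an IP not previously seen for that user, and any inbox-rule or mailbox change carrying a forwarding parameter. Field names follow the Office 365 Management Activity API records (Operation, UserId, ClientIP, Parameters); the sample records themselves are constructed.

```python
import json

# Forwarding-related parameters on the Exchange cmdlets the audit log records
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample AuditData records, trimmed to the fields this check uses;
# not taken from the incident described in the report.
SAMPLE_RECORDS = [
    '{"Operation":"UserLoggedIn","UserId":"alice@example.org","ClientIP":"203.0.113.10"}',
    '{"Operation":"UserLoggedIn","UserId":"alice@example.org","ClientIP":"203.0.113.10"}',
    '{"Operation":"UserLoggedIn","UserId":"alice@example.org","ClientIP":"198.51.100.77"}',
    '{"Operation":"New-InboxRule","UserId":"alice@example.org","Parameters":['
    '{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"Set-Mailbox","UserId":"admin@example.org","Parameters":['
    '{"Name":"Identity","Value":"bob"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob@example.net"}]}',
]

def check_records(lines, watched_users=None, known_ips=None):
    """Return alert strings for logins from a first-seen IP and for forwarding changes.

    known_ips maps user -> set of IPs already seen (the baseline) and is updated as
    logins are processed. watched_users restricts the check to specific accounts.
    """
    known_ips = {} if known_ips is None else known_ips
    alerts = []
    for line in lines:
        rec = json.loads(line)
        op, user = rec.get("Operation"), rec.get("UserId", "")
        if watched_users and user not in watched_users:
            continue
        if op == "UserLoggedIn":
            ip = rec.get("ClientIP", "")
            seen = known_ips.setdefault(user, set())
            if ip not in seen:
                seen.add(ip)
                alerts.append(f"new-ip: {user} logged in from {ip}")
        elif op in RULE_OPS:
            for p in rec.get("Parameters", []):
                if p.get("Name") in FORWARDING_PARAMS:
                    alerts.append(f"forwarding: {user} ran {op} with {p['Name']}={p['Value']}")
    return alerts

if __name__ == "__main__":
    for alert in check_records(SAMPLE_RECORDS):
        print(alert)
```

Seed known_ips from a quiet baseline period first; otherwise the first login of every user fires a new-IP alert.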

Trouble in LA LA land

The Los Angeles Police Department has reportedly experienced a data breach affecting 2,500 officers and 17,500 applicants.

According to the general manager of the city’s IT agency, a hacker contacted the city last Thursday and revealed inside knowledge of the LAPD database of people who applied between 2010 and 2018 or early 2019.

Stolen personal information includes names, dates of birth, partial employee serial numbers, and login details for the applicants. More may have been taken during the incident, since the city has no clue what happened. The investigation is still ongoing.

City officials began notifying those applicants who had logged on to a website for updates during the lengthy process of becoming a police officer.

Affected officers were advised to monitor their credit reports and bank accounts for any unusual activity or transactions.

In undisclosed Los Angeles breach news, dark Web data brokers sold a database of a “very large and famous hospital” located in Los Angeles.

According to the hackers, the database includes a full list of medical personnel and patients with PII, scanned documents, all patients’ diagnoses and relevant medical documentation, and payments for medical treatment.

The database also contains credit card records with phone numbers, emails, and physical addresses: 7,018 records for 2018 and 2,318 for 2019.

The starting price of the auction was $10,000, and the anticipated final price is around $30,000.

Trickbot has more tricks up its sleeve

A new variant of Trickbot has been spotted in the wild that now actively targets Microsoft Windows Defender to prevent its own detection and removal.

Trickbot is a banking Trojan that attempts to steal financial data and other credentials saved on the machine and in the browser. Once executed on the targeted machine, it disables Windows services and processes associated with security software and attempts to elevate to higher system privileges.

Once that is complete, it loads its core components by injecting a DLL that downloads modules to perform tasks such as stealing information from the targeted machine.

Trickbot’s developers keep programming in new techniques to bypass security software. When Trickbot detects certain security software installed, it registers a debugger for that software’s process under the Image File Execution Options registry key, so that the debugger is launched before the program executes. If the debugger does not exist, the expected program fails to launch. This technique is known to bypass Microsoft Windows Defender.
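As an added example (not from the report), a defender-side check for this IFEO technique in Python: it parses a `reg export` of the Image File Execution Options key collected from a host and flags any Debugger value attached to a security-software image (an assumed short list of Windows Defender binaries here) or pointing at a binary that does not exist, which is the failure mode described above. The .reg sample is constructed.

```python
import os
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SECURITY_IMAGES = {"msmpeng.exe", "nissrv.exe", "msascuil.exe"}  # assumed Defender binaries

# Constructed sample `reg export` of the IFEO key: one benign developer entry and one
# entry of the kind described above (a Debugger value planted on a Defender process).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\Windows\\Temp\\nonexistent.exe"
"GlobalFlag"=dword:00000200
'''
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

def parse_ifeo_debuggers(reg_text):
    """Return {image name: Debugger value} for each IFEO subkey that sets one."""
    debuggers, image = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            rest = key[len(IFEO) + 1:] if key.lower().startswith(IFEO.lower() + "\\") else ""
            image = rest if rest and "\\" not in rest else None  # ignore nested subkeys
            continue
        val = VALUE_RE.match(line)
        if image and val and val.group(1).lower() == "debugger":
            debuggers[image] = re.sub(r"\\(.)", r"\1", val.group(2))  # undo .reg escaping
    return debuggers

def find_suspicious(debuggers, path_exists=os.path.exists):
    """Flag Debugger entries attached to security software or pointing at a missing
    binary; path_exists is injectable so an exported hive can be checked off-host."""
    findings = []
    for image, dbg in debuggers.items():
        exe = dbg[1:].split('"', 1)[0] if dbg.startswith('"') else dbg.split(" ", 1)[0]
        reasons = []
        if image.lower() in SECURITY_IMAGES:
            reasons.append("debugger attached to security software")
        if not path_exists(exe):
            reasons.append("debugger binary missing: target will fail to launch")
        if reasons:
            findings.append((image, dbg, reasons))
    return findings
```

On the host itself, pass the real `os.path.exists` (the default); when reviewing an export off-host, inject a lookup built from a file listing of that machine.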

Users and organizations should install security software that can track malicious activity to prevent potential attacks. No indicators of compromise were released with this report.

BlueKeep exploit guide provides blueprint to checkmate Blue Team

A new guide for BlueKeep (CVE-2019-0708) has been shared by security researchers, demonstrating how easy it is to use and potentially enabling WannaCry-scale infections.

The BlueKeep vulnerability (CVE-2019-0708) exists in Remote Desktop Services, impacts older versions of Windows, and can be used to self-propagate from machine to machine, setting the scene for a fast-moving, WannaCry-scale infection wave.

Proof-of-concept code detailing a workable exploit has appeared in two places. First, a series of Chinese-language slides claiming to explain how to exploit the vulnerability was posted. Then came a Python PoC that works on Windows XP but would probably crash Windows 7 or Server 2008 machines.

According to a report from July 2, 2019, approximately 805,665 systems remain vulnerable to the BlueKeep flaw. The threat to unpatched systems continues to grow, and the milestones achieved by the actors demonstrate that the barrier to exploiting this vulnerability keeps decreasing. It is even being included in botnets.

Linux WatchBog leverages BlueKeep to find vulnerable Windows hosts

WatchBog is a Linux-based cryptocurrency mining malware that now includes a module to scan the Internet for Windows Remote Desktop Protocol (RDP) servers vulnerable to the CVE-2019-0708 (BlueKeep) flaw.

In addition, the attackers behind WatchBog are using their botnet to prepare a list of vulnerable systems to target in the future or to sell to third parties for profit.

The new WatchBog variant has reportedly compromised more than 4,500 Linux machines in the last two months. It also has a new spreading module, along with exploits for some recently patched vulnerabilities in Linux applications, allowing the attackers to find and compromise more Linux systems rapidly.


Paul Scott
