The intelligence in this week’s iteration discuss the following threats: APT, APT platform, Banking trojan, Botnet, Malspam, Phishing, Spear phishing, Targeted attacks, Vulnerabilities, and Zero day. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.
Apache Tomcat Patches Important Remote Code Execution Flaw (April 15, 2019)
The Apache Software Foundation’s open source Java servlet container “Apache Tomcat” has released new versions to address a Remote Code Execution (RCE) vulnerability, registered as “CVE-2019-0232.” The affected Tomcat versions are the following: 9.0.0M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93. The RCE vulnerability is located in the “Common Gateway Interface” (CGI) Servlet when it is running on the Windows operating system if “enableCmdLineArguments” is enabled. The issue is the way that Java Runtime Environment (JRE) passes command line arguments to Windows. Exploitation of CVE-2019-0232 could allow a threat actor the ability to execute an arbitrary command on a Windows server using an affected Tomcat version.
Recommendation: New versions of Apache Tomcat should be applied as soon as possible, especially with CVE-2019-0232 being a high-severity RCE vulnerability that could grant an actor full control of an affected system. Furthermore, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.
Tags: Vulnerability, RCE, CVE-2019-0232, Apache Tomcat
Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support (April 14, 2019)
Microsoft has confirmed that an unknown threat actor (or threat group) was able to compromise one of its customer support agent’s accounts. The actor was then able to use that account to access Microsoft customer email information from Hotmail, MSN, and Outlook accounts. Data that the actor would have been able to collect consist of, at least, who the account communicated with and the email subject lines. In Addition, an unnamed source informed Motherboard reporters that in March 2019, “this abuse of a customer support portal” granted the actor the ability to access any Microsoft-owned email account except those that are corporate accounts. The source also gave reporters details of the attack which those details were later shared again by the source along with screenshots and additional information. However, this incident regarding the ability to access multiple accounts has only been reported on by Motherboard, and it is unclear if the source’s allegations are accurate, at the time of this writing. Furthermore, Microsoft stated in its breach notification email this incident only affected a limited number of its customer accounts, and those customers were notified in a separate email.
Recommendation: While the specific details of what the threat actor(s) was able to access has been debated, Microsoft email account users should change their passwords to air on the side of caution. This story shows the importance of educating your employees that they may be targeted by threat actors if that employee’s account is deemed valuable. In addition, all employees should be educated on the risk of phishing and spear phishing attacks and who to contact if such an attack is identified.
Tags: Breach, Microsoft, Customer support account, Hotmail, MSN, Outlook
US-CERT, CISA Warn of Vuln in At Least 4 Major VPNs (April 12, 2019)
The Cybersecurity and Infrastructure Security Agency (CISA) has published an alert regarding the United States Computer Emergency Readiness Team (US-CERT) identifying vulnerabilities in Virtual Private Network (VPN) products. The VPN products affected by the vulnerability, tracked as “VU#192371,” include Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. The vulnerability consists of the VPN products storing “authentication and/or session cookies insecurely in memory and/or log files.” A threat actor could exploit this vulnerability by first having acquired access to a VPN endpoint, or having stolen the cookie in another way, to bypass authentication methods to subsequently acquire access to all of the applications granted to a user in that VPN session.
Recommendation: As of this writing, Palo Alto Networks has patched the vulnerability in version 4.1.1, while other companies have not yet issued a fix. Documented vulnerabilities have a higher likelihood of being exploited by threat actors because of the publicity that they can often receive on open sources. Therefore, it is crucial that your company has a patch application protocol in place to be aware of new vulnerabilities when they are identified, and to apply the patches as soon as possible to avoid potential malicious activity.
Tags: Vulnerability, VU#192371, Authentication bypass, Data theft, VPN products, Cisco, F5 Networks, Palo Alto Networks, Pulse Secure
Malware Analysis Report (AR19-100A) MAR-10135536-8 – North Korean Trojan: HOPLIGHT (April 10, 2019)
The United States Computer Emergency Readiness Team (US-CERT) released a report on a new malware variant, dubbed “HOPLIGHT.” The malware has been attributed to the North Korean Advanced Persistent Threat (APT) group “Lazarus” (also known as HIDDEN COBRA). The malware files act as a proxy application to mask traffic between the malware and operator to create fake TLS handshake sessions using a valid and public SSL certificate.
Recommendation: Ensure that your organisation is using basic cyber security habits. It is important that organisations and their employees use strong passwords that are not easily-guessable, that default administrative passwords are changed because to prevent low-sophistication brute force attacks. Update firewalls and antivirus software to ensure that systems can detect breaches or threats as soon as possible to reduce the severity of consequences. Educate employees on the dangers of phishing emails and teach them how to detect malicious emails. It is also recommended to encrypt any sensitive data at rest and in transit to mitigate the damage of potential breaches.
Tags: Malware, HOPLIGHT, Lazarus
Analysis of A Targeted Attack Exploiting the WinRAR CVE-2018-20250 Vulnerability (April 10, 2019)
A spear phishing campaign utilizing the vulnerability in the archiving tool “WinRAR,” registered as “CVE-2018-20250,” was found to have begun in early March, according to the Microsoft Office 365 ATP Research team. The emails purport to be from the Ministry of Foreign Affairs of the Islamic Republic of Afghanistan were distributed to “very specific targets” that contained a Microsoft Word attachment. The document, if opened, asks the recipient to download another document from a OneDrive URL. It is the second document that is malicious, which is a tactic used by threat actors to avoid identification of a malicious document directly attached to an email. The second document was observed to contain a malicious macro that, if enabled, will download a PowerShell script backdoor that is capable of exploiting CVE-2018-20250. Researchers believe that the politically motivated, Arabic-speaking threat group “MuddyWater” may be responsible for this campaign.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link (T1192) | [MITRE ATT&CK] Spearphishing Attachment (T1193) | [MITRE ATT&CK] User Execution (T1204) | [MITRE ATT&CK] Scripting (T1064) | [MITRE ATT&CK] PowerShell (T1086)
Tags: Spear phishing, Vulnerability, CVE-2018-20250
Gaza Cybergang Group1, Operation SneakyPastes (April 10, 2019)
Kaspersky Lab researchers have observed a new wave of attacks being conducted by threat group “Gaza Cybergang Group1,” targeting embassies and political personnel. The group distributed phishing emails with political-themed lures containing either a link to a malware-hosting domain, or the first-stage malware was attached to the email itself. If a user clicked on the link, they would be prompted to download a RAR file that contained the first stage of the malware. The first stage aims to obtain persistence in the system via the Startup folder and AppData folder. Once persistence is achieved, the malware will beacon to the Command and Control (C2) server to install a Remote Access Trojan (RAT) onto the infected device. The RAT then searches for specific file extensions to compress into a RAR file and upload to the C2. The countries with the most infections by this threat group were Egypt, Israel, Jordan, Lebanon, Palestinian Territories, Saudi Arabia, Syria, and the UAE.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and who to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management to assist in identifying potential malicious communications.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment (T1193) | [MITRE ATT&CK] User Execution (T1204) | [MITRE ATT&CK] Spearphishing Link (T1192) | [MITRE ATT&CK] Scripting (T1064) | [MITRE ATT&CK] PowerShell (T1086) | [MITRE ATT&CK] Data Compressed (T1002) | [MITRE ATT&CK] Data Encoding (T1132) | [MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041) | [MITRE ATT&CK] Startup Items (T1165) | [MITRE ATT&CK] Data Encrypted (T1022)
Tags: Threat group, Gaza cybergang Group1, SneakyPastes, RAT
Another Taj Mahal (Between Tokyo and Yokohama) (April 9, 2019)
In late 2018, researchers from Kaspersky Lab observed an unspecified attack on an unnamed diplomatic entity in a Central Asian country and discovered a previously unknown Advanced Persistent Threat (APT) platform tool, called “TajMahal.” This spyware framework contains at least 80 different malicious module plugins and has been in operation for at least the past five years. The platform is made up of two parts: “Tokyo” and “Yokohama,” where Tokyo acts as the main backdoor into an infected computer and delivers second-stage malware. Yokohama is the payload delivered in the second stage and creates a virtual file system with plugins, third-party libraries, and configuration files. It has only been confirmed to have infected one victim, leading researchers to believe more will be identified in the future.
Recommendation: Some attacks can be detected by less conventional methods, such as behaviour analysis, heuristic and machine learning-based detection systems. In the case of compromise, the entire network must be assessed to identify the initial infection, and all affected systems must be fully wiped and reformatted to ensure the network is fully restored to a safe state. Put policies in place to ensure all employees install patches as soon as they are available.
MITRE ATT&CK: [MITRE ATT&CK] System Information Discovery (T1082) | [MITRE ATT&CK] Startup Items (T1165)
Tags: APT, Platform, Backdoor, Malware, TajMahal
Gustuff Banking Botnet Targets Australia (April 9, 2019)
Cisco Talos researchers have published a report regarding a new Android-based campaign that has been targeting Australian financial institutions. The campaign is associated to the “ChristinaMorrow” text message-based spam campaign that sends a URL in a text message which initiates the dropping of the malware if it is clicked upon. The actors behind this campaign are also using SMS messages to distribute malware, in this case, the banking trojan, “Gustuff.” If a user installs the malware via SMS, the malware will access the infected device’s contact list and send malicious SMS to those contacts. Gustuff can also connect to a Command and Control (C2) server to obtain commands to harvest for credentials from targeted applications, and steal personal information on the device. The malware is packed to break a standard debugger and obfuscated to make detection and analysis more difficult.
Recommendation: Users should use non-SMS based multi-factor authentication applications to prevent threat actors from potentially exploiting users via side-channel attacks. Accounts that are protected with SMS based authentication systems, even two-factor authentication, are potentially at risk of being intercepted by actors using this method. Therefore, taking the necessary steps to implement new authentication policies that do not use text-based messages such as an Authenticator mobile application provided by a trusted vendor could be used to avoid this attack vector.
MITRE ATT&CK: [MITRE ATT&CK] User Execution (T1204) | [MITRE ATT&CK] Obfuscated Files or Information (T1027) | [MITRE ATT&CK] Exfiltration Over Command and Control Channel (T1041) | [MITRE MOBILE-ATT&CK] Malicious SMS Message (MOB-T1057) | [MITRE MOBILE-ATT&CK] Access Contact List (MOB-T1035) | [MITRE MOBILE-ATT&CK] Premium SMS Toll Fraud (MOB-T1051)
Tags: Malware, Gustuff, Android
OceanLotus: macOS Malware Update (April 9, 2019)
The Advanced Persistent Threat (APT) group, “OceanLotus,” has been observed to have expanded their toolset to include macOS malware, according to ESET researchers. It is unclear how the malware initially infects a user to install the backdoor malware, as of this writing. The malware sample is packed with UPX to make it more difficult for sandboxes and debuggers to detect it. The backdoor commands in this malware are similar to older backdoors used by the APT, but the Command and Control (C2) servers are more recent.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Hidden Files and Directories (T1158) | [MITRE ATT&CK] File Deletion (T1107) | [MITRE ATT&CK] File Permissions Modification (T1222) | [MITRE ATT&CK] Obfuscated Files or Information (T1027) | [MITRE ATT&CK] Timestomp (T1099) | [MITRE ATT&CK] System Information Discovery (T1082) | [MITRE ATT&CK] Data Encrypted (T1022) | [MITRE ATT&CK] Custom Command and Control Protocol (T1094)
Tags: APT, OceanLotus, macOS, Malware
TP-Link Routers Vulnerable to Zero-Day Buffer Overflow Attack (March 8, 2019)
IBM Security researchers have identified that two models of TP-Link’s routers, “TL-WR940N” and “TL-WR941ND,” have zero-day vulnerabilities that could allow a remote threat actors to take control of the device. The vulnerabilities lie in the web-based control panel that users utilize to configure the routers. “When a user sends ping requests, a message is displayed on the device’s console referring to native code compiled to the firmware’s binary,” which can allow a threat actor to create a buffer overflow attack. Despite the routers being discontinued, they are still available to purchase in stores like Walmart and Target.
Recommendation: TP-Link has released firmware updates on March 12, 2019 for both routers. TL-WR940N router owners are encouraged to upgrade to firmware TL-WR940Nv3 and TL-WR941ND routers owners to TL-WR941NDv6.
Tags: Vulnerability, Zero day, TP-Link, TP-Link WR940N, TL-WR941ND
Mirai Compiled for New Processors Surfaces in the Wild (April 8, 2019)
Researchers from Palo Alto Networks discovered new samples of the “Mirai” botnet malware that are compiled for additional processor architectures. The new samples were developed for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. This means that the number of affected devices has increased substantially so Mirai-using actors have more capabilities to conduct Distributed-Denial-of-Service (DDoS) attacks. The samples contained several new features that highlights the continual evolution and usage of the botnet. The new features are a modified version of the standard Mirai encryption algorithm, a new DDoS attack option, and the exploitation of five registered vulnerabilities. The vulnerabilities include “CVE-2014-8361” and “CVE-2017-17215” Remote Code Execution (RCE) vulnerabilities, alongside two other RCE vulnerabilities and one command injection vulnerability.
Recommendation: The Mirai botnet takes advantage of internet-connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. Organisations and defenders should be aware of all their internet-facing assets and have them under strict monitoring.
Tags: Botnet, Mirai, Processors, DDoS, Vulnerabilities, CVE-2014-8361, CVE-2017-17215