Details on Threat Group That Claims to Have Obtained President Trump’s Legal Documents

REvil/Sodinokibi Ransomware
OVERVIEW
The REvil/Sodinokibi threat group has taken ransomware attacks to a new level. While most variants, like the recent strain of DoppelPaymer ransomware, encrypt victim’s files, Proficio’s Threat Intelligence Team has seen an uptick of strains that also steal data to further pressure victims into paying ransoms. This group, infamously known as the one claiming to have obtained President Donald Trump’s legal documents, more recently attacked the law firm Grubman Shire Meiselas & Sacks (GSMLaw) which resulted in the exfiltration of multiple celebrities’ legal documents.

In this blog, we will be sharing additional details we discovered based on our research on the REvil/Sodinokibi ransomware.

RANSOMWARE DETAILS
REvil/Sodinokibi ransomware was discovered back in April 2019, where it was initially found to propagate via exploitation of a vulnerability in Oracle WebLogic. REvil/Sodinokibi is a ransomware-as-a-service (RaaS) and was suspected to be associated with GandCrab, a RaaS that had shut down operations in May 2019. REvil/Sodinokibi was found to share similar codes with GandCrab ransomware, such as the random URL generation.

Within the past year, REvil/Sodinokibi threat actors have been observed to utilize multiple techniques to spread ransomware to targets. Based on our research, some of distribution methods used are:

  • Oracle WebLogic vulnerability (CVE-2019-2725)
  • Malspam campaigns
  • Hack WordPress sites and fake forum posts containing a link to the ransomware installer
  • Breach managed service providers (MSPs) via exposed RDP
  • Webroot SecureAnywhere console in MSPs that deploys ransomware on the MSPs’ customers systems
  • RIG exploit kit
  • Pulse Secure VPN vulnerability (CVE-2019-11510)

Once the ransomware is delivered to a victim device, it can perform the following tasks:

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

Upon successful encryption of the victim’s files, the ransomware appends a randomly generated file extension to the file name made up of 5 to 10 alphanumeric characters. A ransom note is dropped onto the victim’s device with instructions on how the victim can pay the ransom.

Example of a ransom note

Figure 1 – Example of a ransom note

REvil/Sodinokibi threat actors usually provide two methods of payment. The first method is to access a Tor site using a Tor browser; the other is to use their secondary website. Earlier attacks provided “decryptor[.]top” as their secondary payment site, however more recent attacks appear to have switched to “decryptor[.]cc” instead.

Since January 2020, the threat actors behind the REvil/Sodinokibi ransomware have started to publish data stolen from victims that did not pay their ransom on time. This method of pressuring victims was inspired by Maze ransomware, which started this trend among ransomwares.

ADDITIONAL ACTIONS BY THE THREAT INTELLIGENCE TEAM

PRECAUTIONARY AND DETECTION MEASURES
Prevention is better than a cure, and given the popularity of ransomware attacks, you always need to be prepared. When possible, you must safeguard yourself and your organization to avoid being the next victim of ransomware attacks. We recommendthe use of a managed EDR service to help you deal with any ransomware attack quickly.

We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools update to date to provide detection and prevention from the spread of ransomware.
  • Make use of managed EDR services to quickly react and contain any ransomware identified before any major damage can be done.
    • Managed EDR services can also play a big part in monitoring and alerting on attack vectors that are often used as distribution methods for ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Close any unnecessary network ports to reduce entry points for attackers.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

 

REFERENCES

  • https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-distributed-by-hackers-posing-as-german-bsi/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-via-fake-forums-on-hacked-sites/
  • https://www.zdnet.com/article/ransomware-gang-hacks-msps-to-deploy-ransomware-on-customer-systems/
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-targeting-asia-via-the-rig-exploit-kit/
  • https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/
  • https://www.secureworks.com/research/revil-sodinokibi-ransomware
  • https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
  • https://www.bleepingcomputer.com/news/security/shared-code-links-sodinokibi-to-gandcrab-minus-the-fun-and-games/
  • https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html?m=1
  • https://www.pcrisk.com/removal-guides/14942-sodinokibi-ransomware

DoppelPaymer Ransomware

OVERVIEW
Recently, Proficio’s Threat Intelligence Team has observed a surge in ransomware cases that take advantage of the current COVID-19 situation. In this blog, we will discuss a variant of ransomware named “DoppelPaymer”, which has significantly raised its popularity over the last month, and provide additional details discovered during our research.

RANSOMWARE DETAILS
“DoppelPaymer” is said to be the evolution from “BitPaymer Ransomware”. This strain of ransomware is an enterprise-targeting variant. Based on its history of attacks and the information within the ransom notes, we believe that the threat actor group is targeting English-speaking victims.

While earlier builds of the malware were identified back in April 2019, the first known victims of DoppelPaymer ransomware were seen in June 2019. DoppelPaymer ransomware is likely a variant of BitPaymer Ransomware, where initial ransom notes would contain the string of text “BitPaymer”. The name “DoppelPaymer” was given by researchers to identify this new variant of ransomware found in the wild. Following that, the threat actor appears to have adopted this name and has changed the string of text from “BitPaymer” to “DoppelPaymer” within the ransom notes. Based on the similarities between both ransomware variants, the threat actor groups for DoppelPaymer are suspected to be likely a split from INDRIK SPIDER cybercrime group.

DoppelPaymer ransomware is known to consist of both Dridex and BitPaymer source code. Several other interesting traits that were observed, including:

  • Encryption method 2048-bit RSA + 256-bit AES
  • Encrypted files are renamed with a “.locked” extension
  • Latest version of variants mark data with “.doppeled” appendix
  • Ability to terminate processes and services that may interfere with file encryption using the technique ProcessHacker

DoppelPaymer ransomware is usually dropped by the Dridex trojan; however, this ransomware is not limited to one distribution method. Based on our research, the following are some of the distribution methods that have been observed over the year:

  • Insecure RDP configuration
  • Email spam and malicious attachments
  • Deceptive downloads
  • Botnets
  • Exploits
  • Malicious advertisement
  • Web injects
  • Fake updates
  • Repackaged
  • Infected installers

Upon successful infection and encryption of data on the victim’s computer, the victim’s files would be renamed, and a ransom note in text file format could be found within the victim’s system.

Ransom notes sample

Figure 1 Ransom notes

It’s interesting to note that there is no ransom amount stated within the text file. Instead, a list of instructions was being provided to the victim to follow strictly. The victims were requested to download “Tor Browser” and to subsequently type into an address bar provided to access the DoppelPaymer portal.

Accessing Tor link in Ransom Notes Sample

Figure 2 Accessing Tor link found in ransom notes

DoppelPaymer Ransomware Payment Portal Sample

Figure 3 DoppelPaymer Ransomware Payment Portal

After the portal was accessed from the Tor browser, the victim would be provided with several key pieces of information, such as a countdown timer for a “special price”, a unique reference ID used to identify the victim, the ransom amount and a BTC address where the ransom payment can be sent to.

Further research on DoppelPaymer ransomware reveals that, in the earlier days, victims who are not willing to pay the ransom would have their data sold on the darknet. Following the trends from various ransomware groups such as Maze , the DoppelPaymer threat actor group was inspired to launch a public website for use as a shaming platform to victims who are not willing to pay the ransom.

A video demonstration of file encryption can also be seen on YouTube.


PRECAUTIONARY MEASURES
Prevention is always better than a cure. It is advisable to safeguard yourself and your organization to avoid being the next victim of a ransomware attack. We advise using a managed EDR service to better prepare yourself for dealing with a ransomware attack. We also recommend organizations consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection and prevention from the spread of ransomware.
  • Make use of a managed EDR service to quickly react and contain any ransomware vendor
  • Managed EDR services can also play a big part in monitoring and alerting on attacked vectors used as a distribution method
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date with the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

For the latest information from our Threat Intelligence Team on the DoppelPaymer attacks and other threats, please visit our Twitter Feed.

“Voicemail” Phishing Campaign

OVERVIEW
On February 28th, the Proficio Threat Intelligence Team identified a new spear-phishing campaign that pretends to be sending a voicemail to targeted recipients.

In this blog, we share some of the findings from our deep-dive investigations into the attack activities that we have observed for this campaign.

PHISHING DETAILS
The attack starts with a phishing email pretending to send the recipient a voicemail. The email has a sender address starting with “voice@” and a subject containing text such as “New VM was sent” or “Voice Receiver”. The email contains a URL link which when clicked, redirects the recipient to a phishing page that resembles a Microsoft login page. The victim’s credentials are then stolen when entered and submitted on the fake login page.

An example of a fake Microsoft login page

Figure 1a and 1b

Figure 1 – An example of the fake login page (a) and real (b)

The initial phishing attempt is merely the first step of the adversary’s intrusion attempt. After successfully gaining user login, the threat actor responsible uses the credentials obtained to conduct a targeted spear phishing campaign against other employees within the victim’s organization.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team gathered and researched a number of different IOCs to identify potential access to the phishing sites. The IOCs included email subject strings, known domains, URL parameters and IP addresses. These IOCs were used to kickstart the detection and discovery phase of our threat hunting campaign. We identified several potential victims and performed deep-dive investigations on each potential victims identified.

The most notable and useful indicator we generated was the sequence of redirections that occurred after clicking the initial phishing link. Such activity strongly indicated a successful access attempt to the phishing page by the victim(s), and we were thus able to identify potentially successful phishing attempts with a high level of confidence despite the limited visibility of the dataset at our disposal.

Our investigations indicate that this campaign appears to focus on targeting organizations rather than random individuals, as we observed that the phishing emails were being sent to multiple employees within an organization together in a single wave. The adversary does not appear to be targeting any specific organization as there were no repeated attempts to send the emails to the targets even if the emails were blocked or did not result in a successful click-through.

No specific industry sector was targeted; we identified several victims of this campaign, all from different sectors:

  • Banking and Financial
  • Technology
  • Commercial Services
  • Real Estate
  • Healthcare

All clients that we identified had a successful clickthrough activity of this phishing campaign have been notified. If you would like to know more about this campaign and what we have found, please reach out to your Client Success Manager or Security Advisor.

FUTURE PRECAUTIONARY MEASURES
Such phishing campaigns are not uncommon, and have been heightened in the past month where multiple phishing campaigns are using COVID-19 to lure victims. The use of COVID-19 as a phishing hook has been very effective in generating click-throughs for attackers’ phishing campaigns. To avoid being the next victim of credential theft, you can put into place safeguards to protect yourself and your organization from phishing attacks.

We would recommend the following measures:

  • To improve cybersecurity awareness, educate your employees and users.
  • To prevent malicious content from reaching users and reduce the chance of a possible compromise, apply content filters on email gateways and systems.
  • If any suspicious emails are received, report them to your security team so they can notify other employees in the organization of the threat.
  • Always verify such suspicious emails through a different channel.

Mailto and Mailto-2 Ransomware

OVERVIEW
In October of 2019, a group of relatively new ransomware strains called Mailto and Mailto-2 were found in the wild. These two ransomware types were also known as “Kokoklock” and “Kazkavkovkiz” where the names have been used interchangeably with no clear definitions at this point of time.

This ransomware group gained attention with the recent ransomware attack against the Australian Toll Group. The Australian Toll Group has subsequently disclosed that their network was being attacked by the Mailto ransomware prior to a service disruption and system shut down.

The Proficio Threat Intelligence Team posted information about Toll Group attacks in our Twitter Feed. In this blog, we share some of our findings pertaining to this new ransomware’s behavior in the wild.

RANSOMWARE DETAILS
This type ransomware is relatively new and first surfaced in late 2019, and as such there is limited information available. Mailto ransomware was seen in the wild during the month of September where Mailto-2 ransomware was seen around October. They are recognizable by the extension that is appended to encrypted victims’ files.

There is some evidence that Mailto actors may have utilized techniques such as phishing and password spray attacks, and then used compromised accounts to send further phishing emails to the users’ address book to spread malware. At this time, there is no known information on the cyber groups that are responsible for these types of ransomware, nor is there information on the C2 activities on them.

Upon successful infection of the victims’ systems, both variants of ransomware include a personal extension on infected files, a ransom note and a readme text file to instruct victims on how to make the ransom payment. The main visible difference between “Mailto / Kokoklock” and “Mailto-2 / Kazkavkovkiz” is the personal extensions appended onto the encrypted file.

At this time, the only other notable information that distinguishes this ransomware strain from others operating in the wild is that the targets are instructed to communicate with the attacker via an email provided in the ransom notes. Ransom notes associated with this ransomware include two email addresses with the email domains “@cock[dot]li” and “@tutanota[dot]com”. “Tutanota” is a free and open-source, end-to-end encrypted email. “Cock[dot]li” appears to be a free anonymous email service also known as “Cockmail”, which has been seen to be used in multiple malicious activities.

Figure 1 – An example of ransom notes

Beyond the ransom notes, we are also able to differentiate Mailto ransomware based on the file extension appended on the encrypted files. Following the file extension “[dot]mailto”, “Mailto / Kokoklock” ransomware would append six random alphanumerical digits onto the encrypted files while “Mailto-2 / Kazkavkovkiz” ransomware would append four or five random digits onto the encrypted files. While these extensions are the only ones currently seen in the wild, they may vary over time.

Other noticeable differences between both ransomware variants include the following:

  Mailto / Kokoklock Mailto-2 / Kazkavkovkiz
Decryptor tool Netwalker NIL
Encryption Method Suspected Salsa20 Stream Cipher AES
Format of encrypted files .mailto[<email_address>].<6_alphanumerical_random_digits> .mailto[<email_address>].<random_digits>
Readme file format <6_alphanumerical_random_digits>-Readme.txt <random_digits>-Readme.txt
Other behaviour Seen to masquerade as a legitimate program [Sticky password] NIL

 

PRECAUTIONARY MEASURES
Prevention is better than a cure. It is advisable to safeguard your organization to avoid being the next victim of this ransomware attack. We recommend your organization consider the following measures:

  • Keep your anti-virus software / EDR solutions and other security tools installed on the systems updated for detection of and prevention from the spread of ransomware.
  • Perform regular backups on critical files and systems.
  • Keep your operating systems up to date on the latest security patches.
  • Make use of network segmentation alongside the zero-trust model.
  • Apply content filters on email gateways and email systems to prevent malicious content from reaching users and reduce the chance of a possible compromise.
  • Educate your employees and users to improve cybersecurity awareness.

The Proficio Threat Intelligence Team will continue to monitor developments around this this new ransomware and provide updates as applicable.

Exploits in the Wild for Citrix ADC and Citrix Gateway Vulnerability CVE-2019-19781

OVERVIEW
In December of 2019, the details of a critical vulnerability affecting certain versions of Citrix Application Delivery Controller (formerly known as NetScaler ADC) and Citrix Gateway servers were publicly disclosed.

The Proficio Threat Intelligence Team posted information about the vulnerability and its exploits in our Twitter Feed and issued a security advisory to our clients. In this blog, we share some of the findings from our own deep-dive investigations into the attack activities that we have observed in the wild as well as information that we have previously included within our advisory.

VULNERABILITY DETAILS
Citrix’s disclosed a significant amount of information regarding the CVE-2019-19781 vulnerability and exploit on publicly accessible channels. The details provided in their public release makes it easy for any potential attackers to recreate the exploit discovered.

The vulnerability is centered around a vulnerable parameter that allows for directory traversals due to the improper handling of the pathname. Attackers can exploit this vulnerability through crafted directory traversal requests to access sensitive files, create crafted XML files in the vulnerable server, and execute malicious code within those XML files without any authentication, effectively allowing for remote code execution.

This vulnerability is particularly serious because it allows an attacker to effectively obtain remote code execution capabilities on vulnerable devices. The exploit does not require access or knowledge regarding any user accounts and can be performed by any attacker. This makes this attack suitable for automation and mass-scanning, and we have indeed observed increased volumes of such automated attempts and attacks.

There have also been reports of attackers leveraging the exploit of the vulnerability to install malware and backdoors on vulnerable systems, preventing other attackers from exploiting and gaining access to the same system.

DETECTION AND DISCOVERY EFFORTS
Proficio’s Threat Intelligence Team collected a significant number of different IOCs and IOAs to identify potential exploit attempts. The IOCs and IOAs also include malware activity associated with successful exploit attempts against CVE-2019-19781.

We used reverse-engineering and contextualization techniques to research this vulnerability. By removing non-viable indicators that cannot be used for reliable detection or discovery, we were able to isolate high quality, useful and reliable threat indicators. This is particularly important given the limited visibility allowed for an MDRP/MSSP like Proficio.

Our detection and discovery efforts allowed us to identify a significant number of potentially successful exploit attempts against the vulnerable Citrix systems. This in turn allowed us to drive additional data collection efforts that served as a starting point for more deep-dive investigations for every potentially successful exploit attempt. 

NOTABLE CONCLUSIONS

  1. Patching CVE-2019-19781 does not remove malicious artefacts left by successful exploits.

We have encountered several situations in which we were able to identify malicious post-exploit activity after successful exploit attempts against CVE-2019-19781, even though the vulnerability appears to have been patched. Identifying such activity after the patch is not necessarily an indication that the patch has failed, but a possible indication that malicious artefacts were already left behind by a successful exploit attempt prior to the patch being applied.

Organizations should note that compromised systems cannot be remediated by applying patches that were released to fix the vulnerability. Organizations will need to assess vulnerable systems to identify if any malicious artefacts remain from successful exploit attempts. Rebuilding the exploited system after the patch may be the only way to conclusively remove malicious artefacts from affected systems.

  1. Not all successful exploit attempts were accompanied by post-exploit activity.

The exploits against CVE-2019-19781 are particularly suited for automation, and we have observed a significant increase in automated attacks and mass-scanning activities. Our investigation efforts have shown that in some cases, while we were able to identify that a successful exploit attempt is likely to have taken place, we were not able to identify any kind of post-exploit or suspicious activity from the vulnerable system that could have indicated live threat actor activity beyond automated scanning. Of course, this is no reason for complacency. Vulnerable systems should be patched and assessed as quickly as possible, especially if a successful exploit attempt against CVE-2019-19781 was observed. This assessment is required to positively identify the presence of any malicious artefacts on the vulnerable system. Should any be found, rebuilding the vulnerable system may be the only way to quickly and completely remove them from the affected system.

  1. Security devices at the perimeter are the most useful log source for identifying and investigating successful exploits against CVE-2019-19781.

Having identified and investigated more than a dozen successful exploit attempts against CVE-2019-19781, it is interesting to note that the most useful logs for the investigations came from classic security devices like next-generation firewalls (NGFW) and intrusion detection/prevention systems (IDPS). Logs from such devices played a key role in all our deep-dive investigations and in some cases, happened to also be the only log sources with the requisite visibility for detection, discovery and investigation.

It is also interesting to note that logs from Citrix Netscalers were not particularly useful for the detection, discovery and investigation of exploit attempts against CVE-2019-19781. Of all the incidents in which we were able to positively identify the successful exploit attempts against vulnerable Citrix devices, we only made use of Citrix Netscaler logs in 7.6% of our investigations. Most of the logs that we were working with came from NGFWs and IDPS devices. Organizations affected by CVE-2019-19781 should review their logging configurations to ensure that the log events generated by their devices can be used for detection and discovery efforts. The last thing an organization wants is to realize that their current logging is not usable for the detection and discovery when there is a critical need to do so.

  1. Not all IOCs are created equal – some IOCs are more useful than others.

We made use of a wide range of different IOCs that went through our qualification process. While we are confident in our selection of relevant IOCs, they did not play equal roles when it comes to our detection and discovery efforts. The following IOCs that have proven to be the most relevant and prevalent when it comes to performing deep-dive investigations:

  • /ci.sh
    The filename references an installation script payload for a cryptocurrency miner. The payload creates a download loop for itself as a way to stage a backdoor for later while using cron jobs for persistence.
    Reference
  • 95[.]179[.]163[.]186
    This IP address is known to used to download exploit payloads against CVE-2019-19781. One such payload would be the NOTROBIN malware. The IP address used to point towards the domain (vilarunners[dot]cat).
    Reference
  • 185[.]178[.]45[.]221
    This IP address was used to host the file (ci.sh). Refer to the details on the IOC (ci.sh)
  • 62[.]113[.]112[.]33
    This IP address was also used to host the file (ci.sh). Refer to the details on the IOC (ci.sh)
  • 45[.]120[.]53[.]214
    Attackers are known to execute a curl command on successfully exploited systems in order to download a malicious shell script from this IP address onto a successfully exploited system.
    Reference

Even with the multitude of detection and discovery methodologies, the best way to deal with a known serious vulnerability is to patch the vulnerability when the patch becomes available. Since the initial disclosure of the vulnerability, Citrix has released patch updates for the impacted versions. After applying the patch fixes by Citrix, affected clients should also make use of the Verification Tool they provide to verify that the mitigation steps and patch fixes are applied correctly. Should the patch fixes provided by Citrix not be a suitable solution, the mitigation steps provided by Citrix alongside the vulnerability disclosure should be followed. Your cybersecurity team should closely follows vendor recommended best practices to ensure you’re patching known vulnerabilities as soon as possible.

VULNERABILITY – OFFICE 365 ZWSP DETECTION

Earlier this month, security researchers at Avanan discovered a new zero-width space (ZWSP) vulnerability that was confirmed to have affected Office 365 environments between November 10th, 2018 until January 9th, 2019. ZWSP strings are non-printing Unicode characters normally used to do benign things, such as for enabling line wrapping in long words. However, with this vulnerability attackers used ZWSP strings such as ​ to break up malicious URLs in order to avoid detection by security measures. In the case of Office 365, this technique allowed malicious URLs to completely bypass the security checks of both Office 365 EOP and Office 365 ATP.

Normally, Office 365 security checks would have successfully examined and detected a malicious URL string sent to a user via email. Subsequently, any user clicking a malicious embedded link would be redirected to a red Microsoft security splash page alerting the user to the potential risks of proceeding to the associated webpage. However, by using the ZWSP vulnerability a user would be able to open the raw HTML of an email and then modify a malicious URL such as “www.verybadstuff.com” to become “www​.verybadstuff​.com”, completely bypassing the Office 365 security checks.

While this vulnerability has since been fixed by Microsoft, Avanan reported over 90% of their client base had been hit with attempted phishing emails that utilized this vulnerability. Moving forward we expect to see similar vulnerabilities to bypass security filters for URLs. Nonetheless, we were impressed with the relative ease of executing this particular vulnerability. Below we have listed some steps to help safeguard your users.

Proficio Threat Intelligence Recommendations:

  • Regularly conduct phishing awareness training.
  • Perform checks for this vulnerability when performing internal audits.
  • Ensure Microsoft systems have been updated with the latest patches.

Avanan Security Blog – Click Here

Vulnerability Demo Video – Click Here

VULNERABILITY – IE ZERO DAY FLAW (CVE-2018-8653)

In the second half of December 2018, a new IE Zero Day named “CVE-2018-8653” was discovered. According to Microsoft, the vulnerability errors when the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” This means that an attacker successfully attacking a machine vulnerable to this flaw, would obtain the same rights as the exploited user. If the victim is an administrator, then an attacker could take full control of the affected system and perform further exploitation activity by modifying data; installing new software; or creating additional user accounts for future access.

But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that takes advantage of the flaw when browsed to through Internet Explorer. In this scenario, there are a number of techniques an attacker can use in order to trick their victims into accessing a malicious website, the most common one being phishing emails with links to such site. According to Cylance researchers, the CVE-2018-8653 “utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” Use After Free represents an attempt to access heap memory that was previously allocated and then freed, mostly resulting in program crashing and the execution of arbitrary code. This type of attack bypasses traditional exploit techniques and instead creates a new call stack to the real stack. Then changes to memory permissions of the heap occur where shell-code is stored and then executed, therefore giving an attacker full control of the system.

In an effort to mitigate malicious attacks, Microsoft released an out-of-band patch ahead of the January 2019 update. The vulnerability affected versions of Internet Explorer 9 on Windows Server 2008; IE 10 on Windows Server 2012, and IE 11 for Windows 7-10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not presented any details about attacks that have possibly already taken place or the potential associated damage/losses that have occurred. The update to patch this vulnerability was released on December 19th.

Proficio Threat Intelligence Recommendations:

  • Maintain all software up to date with the latest patches.
  • Refrain from operating with administrative privileges while performing standard work activities.
  • Conduct training on social engineering techniques in order to mitigate the risk of phishing attacks among employees.

Microsoft Report – Click Here

Cylance Report – Click Here

METHOD – New OpenSSH backdoors exploiting Linux servers discovered

ESET recently released a report listing 21 in-the-wild OpenSSH malware families reportedly targeting the portable OpenSSH used in Linux OS, out of which 12 appears to have not been documented before.

This report comes as a follow up of the ESET 2014 research “Operation Windigo”, originally focusing on Linux server-side credential stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group then went on to analyze other OpenSSH backdoors that were detected during the operation “Windigo” and mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script with signatures aimed at 40 different backdoors. In brief, with this script the attackers originally attempted to detect other OpenSSH backdoors before deploying the Ebury, researchers said.

Among the observed malware samples, some were found to present similarities and shared techniques and were all the result of a few critical functions’ modifications. If none of them used complex obfuscating methods, most of them log the passwords supplied by the users and almost all of them exfiltrate the data by copying the credentials to a local file. Additionally, 9 out of 21 of the backdoor families also pushed the data to a C2 server using common network ports such as port 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), usually left open on network firewalls. Rare cases also presented data exfiltration by email.

The raw data of the research did not provide information on the infection vector used in the initial compromise. However, they shed some light on how they extended their reach. All backdoors in fact embedded the credential-stealing functionality and could spread exploiting such stolen credentials. Among the more sophisticated samples that were examined, some of the other most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor); the implementation of a crypto-mining extension (the Bonadan backdoor); and a bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute-force could be used in gaining access through SSH password authentication, consider utilizing long and complex passphrases; enabling key-based authentications; disabling remote root login, and using multi-factor authentication via the PAM (Pluggable Authentication Module).
  • Consider blocking IP addresses attempting brute force attacks by using, for example, the Fail2ban software.
  • Update IDS/IPS to take appropriate actions when triggering on the IOCs listed in the ESET report.

ESET Report – Click Here

BREACH – United States Postal Service

A serious vulnerability on the United States Postal Service (USPS) website (www.usps.com) was discovered in early November by an anonymous security researcher. The vulnerability reportedly allowed access to account details for over 60 million users, which included personal information such as email address; username; user ID; account number; street address; and phone number among others. Additionally, anyone exploiting the vulnerability would also be able to access package tracking information and, in some cases, even modify user account data.

The vulnerability was traced to a major flaw in the authentication process for a USPS package tracking system known as “Informed Visibility.” The API for this system had essentially no access control measures in place to prevent basic unauthorized requests. This meant that any person that made a free USPS web account could log in and then make specific queries to view personal information of other users. A knowledgeable user could easily make queries containing a wildcard character, in order to produce a list that returned all account entries. The results could even reveal information such as multiple user accounts tied to a single home address, indicating a shared household. None of these unauthorized queries required the use of special hacking tools.

While researchers have reported this information to USPS, who claims to have fixed this issue, any unauthorized queries made during the exposure time frame could have leaked personal information to attackers. Not to mention, any of the leaked data could have possibly been saved for future attacks. In particular, 60 million email addresses would be considered a treasure trove to those conducting spam email or phishing campaigns.

Proficio Threat Intelligence Recommendations:

  • If your company utilizes a USPS web account, review your account information for unauthorized modifications. If any unauthorized changes have been made to your account, report your findings to USPS.
  • While no passwords were reported leaked in this breach, it is advised to change the password of your USPS web account, to a strong randomized password, as a precaution.

Krebs On Security – Click Here

TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

An individual at DigitalEagle’s Digital Marketing Agency based out of Australia was able to purchase the rights to domain “scottmorrison.com.au,” the domain that hosted the official website of Scott Morrison, the current Prime Minister of Australia. The individual purchased the rights to the domain at an auction for expiring domains for fifty US dollars.

After the purchase of the domain, the individual created a fresh WordPress site hosted on the domain and placed humorous content poking fun at the prime minister including references to the song “Scotty Doesn’t Know” from the 2004 film Eurotrip.

It appears that the new website was up for two days from October 18th to October 20th and went viral receiving over 340,000 visitors. The individual that hijacked the site blogged the experience and detailed other alternate scenarios that could’ve ensued if a malicious attacker would have taken control of the domain. This could have included using the domain to phish for sensitive information, receive sensitive emails, or continue to maintain the site and deliver fake content regarding political opinions of the PM. After two days, the hijacker gladly gave back the domain and the original website has since been restored. No crimes appear to have been committed in this particular situation and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Validate a procedure is in place to renew domains owned by the organization.
  • Have a monitoring solution in place to look for major content changes to hosted websites.


Personal Blog of Events – Click Here