Threat Intelligence Posts

The state of Cyber Security in Industrial Control Systems

August 29, 2019

In this day and age everyone knows a little something about Cyber Security. You don’t have to be in the industry to know that there are “bad guys” (or countries) persistently trying to gain access to information systems across the globe. In the US, our own IRS has been breached exposing the data of around 724,000 American citizens. Less understood by the public, but more damaging, was the Equifax breach which exposed around 148 million social security numbers. That’s pretty bad, but to the average citizen it doesn’t impact their daily physical world. Those breaches happened “somewhere else” or “maybe in a cloud”. Life didn’t stop as it should have, unless someone stole your identity. Even then there was a process in place to deal with those individuals. What the general public doesn’t know, or doesn’t understand, is the cyber security risk to the physical world in addition to the virtual one that we have already accepted as common place. What would the public’s response be if a Nuclear Reactor exploded? Or, the water supply for a city was turned off? How would people react if regulators and valves for gas lines were all set to full-open and houses started exploding? The implications to impact are Up to this point in time Operational Technology and Information Technology had nothing to do with each other. OT was responsible for manufacturing, or any physical process and IT was a cost center that was a “necessary evil” in order to run the business. Operational Technology has become far more complicated over the years, with traditional communication protocols (MODBUS, DH+, ControlNet, etc) being replaced by TCP/IP or at the least, CIP. This has naturally brought IT into the picture since these devices are now connecting to standard switches and routers. So, what do we do? Keep in mind that Cyber Security for OT is not as mature as Cyber Security for IT. It hasn’t been around as long, and budget hasn’t traditionally been allocated for these efforts in the past. Below are some things to consider when starting this journey: Partner Up: There is no need to reinvent the wheel here. There are many frameworks that are great starting points to help identify areas for improvements, and to help prioritize what should be done first. Some of the commonly utilized frameworks are ISO27001, NIST, NERC, and FERC. The nature of your business will help determine which framework you should be looking at. In addition to frameworks, there are services available to assess your current architecture and posture and build plans specific to your business for improving your defense. This also gives you a partner, so you don’t have to feel like you are fighting this battle alone. Additionally, a security assessment partner can help you select the right framework for your business and security goals. The Cyber Security community is a close-knit group, and it is important that we stand together in order to move forward. [caption id="attachment_3042" align="alignright" width="300"] HMIs are infamous for

Read More

VULNERABILITY – Office 365 ZWSP Detection

January 22, 2019

Earlier this month, security researchers at Avanan discovered a new zero-width space (ZWSP) vulnerability that was confirmed to have affected Office 365 environments between November 10th, 2018 until January 9th, 2019. ZWSP strings are non-printing Unicode characters normally used to do benign things, such as for enabling line wrapping in long words. However, with this vulnerability attackers used ZWSP strings such as ​ to break up malicious URLs in order to avoid detection by security measures. In the case of Office 365, this technique allowed malicious URLs to completely bypass the security checks of both Office 365 EOP and Office 365 ATP.

Normally, Office 365 security checks would have successfully examined and detected a malicious URL string sent to a user via email. Subsequently, any user clicking a malicious embedded link would be redirected to a red Microsoft security splash page alerting the user to the potential risks of proceeding to the associated webpage. However, by using the ZWSP vulnerability a user would be able to open the raw HTML of an email and then modify a malicious URL such as "www.verybadstuff.com" to become "www​.verybadstuff​.com", completely bypassing the Office 365 security checks.

While this vulnerability has since been fixed by Microsoft, Avanan reported over 90% of their client base had been hit with attempted phishing emails that utilized this vulnerability. Moving forward we expect to see similar vulnerabilities to bypass security filters for URLs. Nonetheless, we were impressed with the relative ease of executing this particular vulnerability. Below we have listed some steps to help safeguard your users.

Proficio Threat Intelligence Recommendations:

  • Regularly conduct phishing awareness training.

  • Perform checks for this vulnerability when performing internal audits.

  • Ensure Microsoft systems have been updated with the latest patches.
Avanan Security Blog - Click Here
Vulnerability Demo Video - Click Here

VULNERABILITY – IE ZERO DAY FLAW (CVE-2018-8653)

January 10, 2019

In the second half of December 2018, a new IE Zero Day named "CVE-2018-8653" was discovered. According to Microsoft, the vulnerability errors when the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” This means that an attacker successfully attacking a machine vulnerable to this flaw, would obtain the same rights as the exploited user. If the victim is an administrator, then an attacker could take full control of the affected system and perform further exploitation activity by modifying data; installing new software; or creating additional user accounts for future access.

But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that takes advantage of the flaw when browsed to through Internet Explorer. In this scenario, there are a number of techniques an attacker can use in order to trick their victims into accessing a malicious website, the most common one being phishing emails with links to such site. According to Cylance researchers, the CVE-2018-8653 "utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” Use After Free represents an attempt to access heap memory that was previously allocated and then freed, mostly resulting in program crashing and the execution of arbitrary code. This type of attack bypasses traditional exploit techniques and instead creates a new call stack to the real stack. Then changes to memory permissions of the heap occur where shell-code is stored and then executed, therefore giving an attacker full control of the system.

In an effort to mitigate malicious attacks, Microsoft released an out-of-band patch ahead of the January 2019 update. The vulnerability affected versions of Internet Explorer 9 on Windows Server 2008; IE 10 on Windows Server 2012, and IE 11 for Windows 7-10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not presented any details about attacks that have possibly already taken place or the potential associated damage/losses that have occurred. The update to patch this vulnerability was released on December 19th.

Proficio Threat Intelligence Recommendations:

  • Maintain all software up to date with the latest patches.

  • Refrain from operating with administrative privileges while performing standard work activities.

  • Conduct training on social engineering techniques in order to mitigate the risk of phishing attacks among employees.
Microsoft Report - Click Here
Cylance Report - Click Here

METHOD – New OpenSSH backdoors exploiting Linux servers discovered

December 12, 2018

ESET recently released a report listing 21 in-the-wild OpenSSH malware families reportedly targeting the portable OpenSSH used in Linux OS, out of which 12 appears to have not been documented before.

This report comes as a follow up of the ESET 2014 research “Operation Windigo”, originally focusing on Linux server-side credential stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group then went on to analyze other OpenSSH backdoors that were detected during the operation “Windigo” and mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script with signatures aimed at 40 different backdoors. In brief, with this script the attackers originally attempted to detect other OpenSSH backdoors before deploying the Ebury, researchers said.

Among the observed malware samples, some were found to present similarities and shared techniques and were all the result of a few critical functions’ modifications. If none of them used complex obfuscating methods, most of them log the passwords supplied by the users and almost all of them exfiltrate the data by copying the credentials to a local file. Additionally, 9 out of 21 of the backdoor families also pushed the data to a C2 server using common network ports such as port 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), usually left open on network firewalls. Rare cases also presented data exfiltration by email.

The raw data of the research did not provide information on the infection vector used in the initial compromise. However, they shed some light on how they extended their reach. All backdoors in fact embedded the credential-stealing functionality and could spread exploiting such stolen credentials. Among the more sophisticated samples that were examined, some of the other most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor); the implementation of a crypto-mining extension (the Bonadan backdoor); and a bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute-force could be used in gaining access through SSH password authentication, consider utilizing long and complex passphrases; enabling key-based authentications; disabling remote root login, and using multi-factor authentication via the PAM (Pluggable Authentication Module).

  • Consider blocking IP addresses attempting brute force attacks by using, for example, the Fail2ban software.

  • Update IDS/IPS to take appropriate actions when triggering on the IOCs listed in the ESET report.
ESET Report - Click Here

Breach – United States Postal Service

December 6, 2018

A serious vulnerability on the United States Postal Service (USPS) website (www.usps.com) was discovered in early November by an anonymous security researcher. The vulnerability reportedly allowed access to account details for over 60 million users, which included personal information such as email address; username; user ID; account number; street address; and phone number among others. Additionally, anyone exploiting the vulnerability would also be able to access package tracking information and, in some cases, even modify user account data.

The vulnerability was traced to a major flaw in the authentication process for a USPS package tracking system known as “Informed Visibility.” The API for this system had essentially no access control measures in place to prevent basic unauthorized requests. This meant that any person that made a free USPS web account could log in and then make specific queries to view personal information of other users. A knowledgeable user could easily make queries containing a wildcard character, in order to produce a list that returned all account entries. The results could even reveal information such as multiple user accounts tied to a single home address, indicating a shared household. None of these unauthorized queries required the use of special hacking tools.

While researchers have reported this information to USPS, who claims to have fixed this issue, any unauthorized queries made during the exposure time frame could have leaked personal information to attackers. Not to mention, any of the leaked data could have possibly been saved for future attacks. In particular, 60 million email addresses would be considered a treasure trove to those conducting spam email or phishing campaigns.

Proficio Threat Intelligence Recommendations:

  • If your company utilizes a USPS web account, review your account information for unauthorized modifications. If any unauthorized changes have been made to your account, report your findings to USPS.

  • While no passwords were reported leaked in this breach, it is advised to change the password of your USPS web account, to a strong randomized password, as a precaution.
Krebs On Security - Click Here

TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

October 23, 2018

An individual at DigitalEagle's Digital Marketing Agency based out of Australia was able to purchase the rights to domain "scottmorrison.com.au," the domain that hosted the official website of Scott Morrison, the current Prime Minister of Australia. The individual purchased the rights to the domain at an auction for expiring domains for fifty US dollars.

After the purchase of the domain, the individual created a fresh Wordpress site hosted on the domain and placed humorous content poking fun at the prime minister including references to the song "Scotty Doesn't Know" from the 2004 film Eurotrip.

It appears that the new website was up for two days from October 18th to October 20th and went viral receiving over 340,000 visitors. The individual that hijacked the site blogged the experience and detailed other alternate scenarios that could've ensued if a malicious attacker would have taken control of the domain. This could have included using the domain to phish for sensitive information, receive sensitive emails, or continue to maintain the site and deliver fake content regarding political opinions of the PM. After two days, the hijacker gladly gave back the domain and the original website has since been restored. No crimes appear to have been committed in this particular situation and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Validate a procedure is in place to renew domains owned by the organization.

  • Have a monitoring solution in place to look for major content changes to hosted websites.

Personal Blog of Events - Click Here

ATTACKER – NEW NORTH KOREAN THREAT GROUP TARGETING FINANCIAL INSTITUTIONS

October 4, 2018

FireEye researchers have just released details on a new threat group dubbed APT38, held accountable for the attempted heist of approximately $1.1 billion dollars from financial institutions in different geographies.

Also believed to have close ties to the North Korean Regime and their illicit financially-motivated activities, the threat actor appears to differ from the activity of other infamously known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The characteristics of the malicious tools being employed showed some similarities, leading to think the groups have access to the same developer or code repositories. On the other hand, operations, targets and TTPs proved to diverge over time.

At least 16 organizations have been targeted in 11 countries ever since the first operation was carried out in 2014. In particular, attacks to the SWIFT banking systems between 2016 and 2018 have been reportedly attributed to the APT38, including targets of the calibre of the Bangladesh Bank; Bancomext; and Banco de Chile. According to Fire Eye, additional heist attempts’ victims were financial governing bodies as well as media organizations within the financial sector. The heavy interest in the financial sector, explained FireEye in a detailed timeline, was likely the result of the economic sanctions that have been enacted against North Korea over the years.

The APT38 operation is believed to be a large-scale and well-thought operation. The attack lifecycle appears to be characterized by long term planning and external and internal reconnaissance activity, with ongoing access to the compromised victims’ systems. At least 26 non-public plus two public malware families have been attributed to the threat group. The compromise is then followed by the full destruction of any sort of evidence to evade detection once the money heist is completed.

FireEye has warned on the seriousness of the risk linked to the group, which remains active with operations likely to continue in the future with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security steps for SWIFT transactions to avoid falling victims of an attack.

  • Update IDS/IPS to take appropriate actions when triggering on the IOCs detailed in the report (IP address ranges).

FireEye Blog - Click Here
FireEye Special Report - Click Here

VULNERABILITY – NEW APPLE iOS 12 SCREEN BYPASS DISCOVERED

October 3, 2018

It didn’t take long until a new lock screen flow was found for the new Apple’s iOS 12, released on 17 September 2018. Spanish researcher Jose Rodriguez published a YouTube video in Spanish language detailing the steps of the quite complex passcode bypass. An English-speaking version of the same video was subsequently published on YouTube.

According to the video, the attacker would need to exploit Siri, which would ave to be enabled, to access the phone’s contacts, numbers, emails and photos. It goes without saying that the Face ID functionality must be either inactivated or physically obfuscated. The process is not an easy one as it requires the offender to have physical access to the Apple device as well as a total of 37 steps to eventually gain access to the stored pictures.

This is the third time the same researcher exposed Apple’s security flaws. The latest bypass appears to work on all Apple devices running iOS 12 (and the iOS 12.1 beta), including the new XS.

4th Paragraph.

Proficio Threat Intelligence Recommendations:

  • The bypass can be mitigated by disabling the Siri’s lock screen access via Settings > Face ID and Passcode or Settings > Touch ID and Passcode > disable “Allow access when locked”

General Information - Click Here

METHOD – REMCOS RAT

October 2, 2018

A new remote access tool, known as Remcos, has been seen rising in popularity over the last month and has been linked to several recent attacks. Remcos, which sells for €58-389 from the vendor Breaking Security, is a security tool advertised for “ethical hacking” and otherwise legal purposes. Remcos boasts the ability to monitor keystrokes, manage files, take remote screenshots, execute remote commands, and otherwise control an endpoint remotely. Not surprisingly, this tool is being purchased and used by criminals, who are then using the tool for malicious purposes, such as for controlling botnets.

In some recent attacks, spear phishing emails were observed being sent to government contractors, in which the attackers crafted emails posing as various tax agencies or government organizations. The emails contained custom logos; realistic privacy disclosure statements; spoofed sender addresses; and other details to appear as legitimate as possible. Attached to the emails were Microsoft Office files mimicking legitimate tax documents and displaying intentionally blurred image previews. The victims were in fact lured into enabling the macros in order to view the content of the given file. However, once the macros were enabled by the user and the file was reopened, an executable was created through a set of routines from arrays embedded in the Microsoft Office attachment. This executable would then run Remcos silently in the background and provide the attacker with a platform where to observe the user or conduct further malicious activity from.

While spear phishing emails and malicious attachments are nothing new to security professionals, the latest attacks with Remcos are both sophisticated and well executed.The attackers involved with these recent campaigns have been going to great lengths to craft very realistic spear phishing emails that have misled multiple targets. Additionally, some security appliances may not initially detect these malicious attachments due to the fact that the Remcos executable is obfuscated by the use of arrays to store and assemble the source code. And to make matters worse, because the Remcos RAT is sold as ethical hacking software, many endpoint protection vendors do not even include the Remcos file hashes in their malware definitions.

Proficio Threat Intelligence Recommendations:

  • Disable Microsoft Office macros.

  • Conduct spear phishing awareness training sessions with employees.

  • Update security appliances definitions to include Remcos IoCs.
Talos Intelligence - Click Here

TARGET – FACEBOOK DATA BREACH

October 1, 2018

Facebook has returned to the headlines again for issues regarding user privacy and personal information exposure after an alleged attack on their network. The social media giant admitted at least 50 million users may have had their personal information compromised due to the attack, which has been touted as the largest breach in the company’s 14 year history. And if the exposure of user data wasn’t bad enough, the attackers were also able to gain control of user accounts, allowing them to potentially pose as users or view their private information.

The breach has been traced to code vulnerabilities in the “View As” feature that allows users to view their profile as someone else, and code related to uploading birthday videos. Once exploited, these vulnerabilities allowed attackers to steal account access tokens. Some industry experts are also suggesting affiliated services, such as Spotify and Instagram, may have been compromised as a result of this breach. Investigation of the extent of the breach is still underway, and it is unclear whether certain individuals were targeted. Likewise, it is still unknown whether this attack was carried out by nation state actors or a hacker collective. Facebook has confirmed that they are working with law enforcement and that all vulnerabilities have now been patched. They have also forced access token resets for all accounts that were observed using the “View As” feature during the last year, requiring users to manually login to their accounts where they will be greeted with a security notification. Additionally, Facebook has temporarily disabled the “View As” feature while they conduct further security assessments.

The news comes as Facebook is still recovering from the Cambridge Analytica scandal, which lead to a congressional hearing involving Facebook’s senior executives and revealed millions of users had their information collected by third parties for political campaigns. This latest breach has renewed calls for government regulation of social media policies and procedures. As more developments emerge, this story is likely to weigh heavily on the future of social media platforms.

Proficio Threat Intelligence Recommendations:

  • Consider the possible risks of allowing employees access social media at work, and make appropriate guidelines and/or changes to your organization’s AUP.

  • Review the social media accounts your organization uses and develop policies regarding what information can be shared via social media accounts.

  • Individuals should read the FTC’s recommendations for consumers, located here:
    https://www.consumer.ftc.gov/blog/2018/10/facebook-breach-what-do-next
Facebook Security Update Announcement - Click Here

Secrets to AI Success in your SOC

Download the webinar
This interactive event covered topics such as:
  • Optimal AI deployment for a SOC 
  • Solutions to security data lake management
  • Practices for evaluating AI solutions
  • Benefits and results from an AI led approach 
DOWNLOAD
close-link