Threat Intelligence Posts

Method: Roaming Mantis Malware

April 23, 2018

Kaspersky Labs has detailed Android malware mainly targeting Chinese and Korean users. The malware is designed to steal two-factor authentication codes for Google accounts sent via SMS/MMS.

Kaspersky Labs has detailed a lot of the interesting technical elements of the malware. For example, command and control for samples analyzed were found to lookup strings of web pages hosted on legitimate sites such as sohu.com and baidu.com. Kaspersky also believes the initial infection vector for the Android devices were compromised routers in Asia. The routers were redirecting Android devices towards malicious sites via DNS hijacking. The malware does have a component that appears to target English speaking users, but the HTML code within the malware is written in broken English. Most researchers after additional analysis have attributed this malware to cybercriminals focusing on Chinese and Korean targets.

Proficio Threat Intelligence Recommends:

  • Do not allow users that have Android devices to bring “rooted” devices into corporate networks (rooted devices were targeted in this campaign).
  • Routers in this attack allowed attackers to perform DNS hijacking in this campaign. Monitoring corporate routers for attacks and compromise should be performed by security operations.
  • SOCs (security operation centers) often detect BYOD infected cellular devices in guest networks or corporate wireless networks. Corporate IT should decide on an action (or no action) to be taken when these detections occur.
https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/

Vulnerability: Trustjacking

April 16, 2018

A new iPhone vulnerability was disclosed at the RSA Conference in San Francisco. The vulnerability allows persistent control over an iPhone device without it being physically connected to a computer. With just a simple tap by the iOS device owner when connected to the same network as the attacker, the network link grants permanent control of the device without the owner even knowing the device has been compromised.This vulnerability exploits a weakness in an iOS function called iTunes Wi-Fi sync, a feature that allows users to sync up iTunes content and data between Apple devices wirelessly. How it works:

  • User connects phone to a malicious charger/computer and chooses to trust it
  • Attacker allows the device to connect to iTunes and enables iTunes Wi-Fi sync (can be accomplished automated without user interaction)
  • The attacker remotely installs a developer image suitable to users iOS version over Wi-Fi
Attackers are then able to gain access to photos, install applications, remote backup as well as receive a livestream of the screen without needing any other confirmation from the user. After that initial “tap to trust” moment, the attacker does not require any more interaction with the user and all of the user’s vulnerable data is accessible remotely.

Proficio Threat Intelligence Recommends:

  • Clear all “trusted” computers on iOS devices by resetting the location and privacy settings
  • Enable encrypted backup on your iOS devices
https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability

Vulnerability: CVE-2018-0171 – Cisco IOS and IOS XE Software Smart Install – Remote Code Execution

April 5, 2018

March 28, 2018 - Cisco has disclosed a vulnerability in the Smart Install feature of the Cisco IOS Software and Cisco IOS XE Software.  This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on affected switches as well as leverage this vulnerability to cause the devices to reload, which will result in a temporary DoS while the devices are reloading.

The vulnerability is due to improper validation of packet data resulting in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected switch on TCP port 4786. Only Smart Install client switches are affected by the vulnerability. Smart Install client functionality is enabled by default on Cisco IOS switches on software releases that have not been updated to address the Cisco bug ID CSCvd36820.

Researchers said they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open. Sophisticated nation-state groups have previously exploited vulnerabilities in Smart Install in their campaigns targeting critical infrastructure. There has not been any evidence indicating that CVE-2018-0171 has been exploited in malicious attacks.

Cisco has responded by releasing software updates to fix this critical vulnerability for affected switches. Switches that are running releases earlier than Cisco IOS Software Release 12.2(52)SE are not capable of running Smart Install.

General Information - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

Cisco IOS Software Checker - https://tools.cisco.com/security/center/softwarechecker.x

Proficio Threat Intelligence Recommendations:

  • Utilize the Cisco IOS Software Checker to determine if devices are vulnerable

Vulnerability: CVE-2018-7600 – Drupal core – Remote Code Execution

March 28, 2018 - A vulnerability has been discovered that could allow criminals to execute code remotely on websites that are running Drupal. Drupal is a Content Management System (CMS) that is used by more than 1 million websites worldwide. According to W3techs.com, Drupal is third most popular CMS, only behind Joomla and WordPress. The discovered vulnerability can be exploited by an input validation issue that allows unsanitized data to enter Drupal’s data space. Drupal warns that an unprivileged and untrusted attacker could compromise the site and modify or delete data hosted on affected CMS platforms.

Due to the high criticality of the vulnerability, Drupal informed website administrators a week prior that important fixes would be coming soon.The idea was to attempt to stay ahead of potential attackers who could quickly develop code that would exploit Drupal websites once made aware of the vulnerability.

Drupal has since released updates to patch the vulnerability and recommends users who have deployed the Content-Management Framework to immediately update to versions 7.58 or 8.5.1. Although Drupal versions 8.3.x and 8.4.x are no longer supported, Drupal has released an out-of-band patch that would fix the highly critical security issue in updates 8.3.9 and 8.4.6.

General Info - https://www.theregister.co.uk/2018/03/28/drupal_urgent_security_software_patch/

Drupals FAQ surrounding CVE-2018-7600 - https://groups.drupal.org/security/faq-2018-002

Proficio Threat Intelligence Recommendations:

  • Immediately update Drupal to versions 7.58 or 8.5.1

Target: MyFitnessPal – 150 million hacked

March 30, 2018

Athletic Apparel & Footwear mogul Under Armour announced that their popular fitness app, MyFitnessPal, has suffered from a massive data breach. Investigation has revealed that somewhere close to 150 million accounts have been compromised. The account information exposed includes: usernames, email addresses and hashed passwords. Under Armour revealed that no credit card information or other payment information had been affected by the hack.

In regards to the total number of records compromised, SecurityScorecard revealed that this is the largest data breach this year and is in the top five to date.

Under Armour became aware of the breach on March 25th and has since required all users to change their passwords and recommends that they closely monitor their accounts for suspicious behavior.

General information on the data breach - http://www.zdnet.com/article/under-armour-reports-150-million-myfitnesspal-accounts-hacked/

Method: TA 18-086A: Brute Force Attacks / Password Spraying

In March 2018, the Department of Justice indicted nine Iranian nationals for conducting brute force style attacks against organizations in the United States utilizing a technique referred to as “Password Spraying”.

Characteristically, brute force attacks attempt to authenticate credentials by guessing the password of a single user account, however accounts now will typically lock out after a handful of failed attempts. “Password Spraying” attempts to successfully authenticate using easy-to-guess passwords against multiple user accounts. This technique reduces the chance of triggering red flags for multiple failed attempts from a single user.

“Password Spray” attacks target single sign-on (SSO) and cloud-based applications that use federated authentication protocols in an attempt to hide malicious traffic. Federated authentication protocols are used in linking a person’s electronic identity across multiple identity management systems, which will also broaden the attacker’s scope to maximize access to intellectual property during a successful compromise.

Proficio Threat Intelligence Recommendations:

  • Implement strong password standards
  • Enable multi-factor authentication
  • Abstain from clicking non-validated email links
Alert TA 18-086A - https://www.us-cert.gov/ncas/alerts/TA18-086A

Target: Expedia Orbitz – 880K data breach

Travel giant Expedia Orbitz, has disclosed a security breach that’s affected at least 880,000 customer payment cards. It appears that the attackers had potential access to the data between the Oct. 1, 2017 and Dec. 22, 2017. The investigation revealed that the attackers had potentially exposed customer names, addresses, payment card information and email addresses when the Orbitz.com legacy site was compromised. Expedia Orbitz reported the issue on March 27th and says the issue was addressed when it was discovered on the 1st of October 2017.

Orbitz doesn’t have direct evidence of what information was actually stolen at this time. Working closely with law enforcement, Orbitz was able to confirm that no U.S. social security numbers were exposed.

General information on the data breach - https://www.reuters.com/article/us-orbitz-cyber/expedias-orbitz-says-880000-payment-cards-hit-in-breach-idUSKBN1GW23V

Attacker: Actor – Mabna Institute / Silent Librarian

The Mabna Institute, also known as the threat actor “Silent Librarian” (Phishlabs), is a group of nine Iranian citizens that have been charged in a computer hacking campaign. The campaign compromised various targets, such as US and foreign universities, private companies, and US government entities. Several specific targets were identified by PhishLabs and the FBI, and they the US Department of Labor, the Federal Energy Regulatory Commission, the Los Alamos National Laboratory, and the Memorial Sloan Kettering Cancer Center. According to the FBI, the campaign has been ongoing for about four years and has compromised 144 US based universities and 176 foreign universities. According to Phishlabs, the tactics of the phishing campaigns used to compromise these entities barely changed over time. Targeted users were sent emails stating their library account was expiring. The users were then directed to a link which was a redirect to a phishing page requesting a username and password.

FBI release on individuals wanted - https://www.fbi.gov/news/stories/nine-iranians-charged-in-hacking-scheme-032318

Phislabs technical analysis of the campaign - https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment

Proficio Threat Intelligence Recommendations:

  • User phishing training usually helps mitigate risk against users falling for basic types of phishing campaigns.

Method: Linux Malware – GoScanSSH

March 29, 2018

Researchers at Cisco Talos during an incident response engagement have identified a new malware family being used to compromise SSH servers exposed to the internet. The malware is written in Go, a programming language created at Google in 2009. The infection methods being used were SSH brute force attacks against public facing SSH services. Once a host has been infected, it reaches out to domains over Tor2Web as part of command and control. According to Cisco Talos, the attack campaign has been ongoing for at least nine months. Something that is out of the ordinary regarding the campaign is the malware has a component, which was built in to avoid compromising certain government domains (.mil, .gov, .army, etc.).

Technical analysis of sample malware - http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

Proficio Threat Intelligence Recommendations:

  • Restrict public facing SSH access to only the parties who need direct access to it.
  • Use strong passwords for any type of SSH authentication open to the internet.
  • Apply tools such as Fail2Ban to mitigate the risk of brute force attacks

Method: Android Malware – RottenSys

March 28, 2018

Researchers at Check Point have identified a new type of mobile adware that has infected nearly 5 million devices since 2016. The application disguises itself as a “System Wi-Fi Service” on the Android OS and was likely inserted on the devices before they were purchased. The package has the ability to participate in advertisement activities and also has the ability to spy on many applications within the phone. The distributor that initially appears responsible for delivering the phones is Tian Pai, a Chinese based entity.

Technical analysis of application - https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/

Proficio Threat Intelligence Recommendations:

  • Be cautious of using phones for business purposes that are from the Chinese distributors that are listed in the above article.