Threat Intelligence Posts

Ransomware Alert

December 5, 2019

You may have seen the tweet from Proficio’s Threat Intelligence team regarding recent increases in ransomware, specifically the ransomware strain Troldesh (aka Shade). Shade is primarily distributed via malicious phishing emails and exploit kits, and targets Windows systems. The attachments are either ZIP files containing JavaScript or PDF files with links to download ZIP files. The JavaScript looks to download the Shade ransomware from websites already compromised by the cybercriminals. This ransomware payload is signed with a signature that claims to be from Comodo as a way to fake legitimacy. TOR appears to be Shade's primary command and control channel and TOR pages are also utilized as decryptor pages. Shade can download additional modules through TOR that can be used to mine cryptocurrency as well as generate ad-fraud traffic. Some ways to identify the presence of Shade ransomware or signs of a potential Shade ransomware attack in your environment include: The presence of attempted TOR traffic in an environment where TOR traffic is not allowed or unexpected. TOR activity from internal hosts in your environment will trigger a Proficio AAR use case. The traffic identified may not be TOR or tied to this ransomware, but that will be determined during the analyst investigation. Execution of JavaScript commands involving URLs ending with ".jpg"​ Such activity generally falls under the scope of malicious JavaScript activity and should be picked up by most EDR platforms; the initial configuration of your EDR solution should be sufficient to catch this, it should not require manual set up for these specific threats. If these logs are sent to Proficio, our correlation rules can detect activity relating to potential ransomware activity. Clients with supported web proxy products or URL filters can also generally rely on them as a way to pick up non user-driven activity towards such URLs. Investigations also will be performed on any potential exploit kit activities found. The presence of csrss.exe in  "C:\ProgramData\services\" and "C:\ProgramData\Windows\" EDR platforms should block or quarantine Shade upon the detection of malicious executables. If the logs are sent to Proficio, this will trigger an AAR alert that will be review by Proficio analysts. Their investigations will determine if the executable is malicious and if it is tied to a specific threat. Files with "crypted000007" file extensions If the EDR platform detects this, the infection likely has already been successful. Similarly to the csrss.exe, if logs are sent to Proficio, it will trigger an AAR that will be investigated by our analysts who will determine the validity of the threat. Presence of crypto-mining activity and traffic Such activity will typically be picked up by most EDR platforms. Clients using such EDR products are covered in terms of detections in this area. Customers with IDPS and web proxy products can also generally rely on such products for the detection of traffic and activity related to crypto-mining. If these logs are sent to Proficio, we will investigate these incidents and escalate as required. Some ways to mitigate and reduce the possibility of a successful

Read More

Security Overhaul: Migrating from a Legacy MSSP to a Splunk MDR Service Provider

November 11, 2019

Why Change? In the early 2000s, when Security Information and Event Monitoring systems (SIEMs) came onto the market, they were often expensive and complex to manage. But many organizations were required to collect, analyze and store security logs to meet compliance requirements, and a SIEM was the perfect tool for the job. Today most IT organizations expect much more from their SIEM than meeting compliance requirements. Modern SIEMs must detect advanced threats and provide automated response and containment functions. For all but very large organizations, the most practical approach to security monitoring was to partner with a Managed Security Service Provider (MSSP). MSSPs were responsible for monitoring and investigating security events and managing SIEM systems. Some MSSPs extended this role by developing their own SIEM. As technology has evolved and cybersecurity has become increasingly complex, many users found that older SIEMs are not only complicated to properly run and maintain, but also haven’t evolved enough to stay ahead of today’s cyberthreat landscape. Older SIEMs struggle to ingest all data types and have slow or difficult search capability, poor user interfaces and lack scalability. And as these platforms age, there is often less support available from the vendor or the MSSP, leading to frustration and lengthy problem resolutions. Finding the Right Tool If you’re leading your organization’s transition away from its legacy SIEM, where do you start? The first step in selecting a SIEM is determining your objectives and needs. Questions you should ask include: What’s my budget for the solution? What is my risk profile? What are my critical digital assets that must be protected? What is my timeline for implementation? Do you want to host the system on-prem or in the cloud? How much data will be ingested? Which data sources are being sent? Are there any critical use cases that I need to move over? Will I build my own security content, or do I want a pre-packaged solution? What response and containment functions must be automated? What role should AI and Machine Learning play in detecting and responding to threats? Can I scale my environment and team over time? What are my business continuity goals? Once you gather the requirements for your new solution, you will have a better idea which solutions to focus on in your search. Today many organizations select Splunk as their SIEM. Splunk is a Leader in the Gartner SIEM Magic Quadrant and highly regarded for its search ability and powerful data analytics. Splunk’s unique approach to data ingestion and robust library of apps allows you to send a wide range of log sources directly to their system and define use cases for your data. Splunk software can be installed in your organization’s IT infrastructure or hosted in the cloud. Splunk offers a managed cloud-based service and some MSSPs also offer to host Splunk in their own cloud infrastructure. The decision to deploy your Splunk SIEM on-premise or in the cloud rests on trade-offs between control, scalability, and access to in-house expertise. Some

Read More

The state of Cyber Security in Industrial Control Systems

August 29, 2019

In this day and age everyone knows a little something about Cyber Security. You don’t have to be in the industry to know that there are “bad guys” (or countries) persistently trying to gain access to information systems across the globe. In the US, our own IRS has been breached exposing the data of around 724,000 American citizens. Less understood by the public, but more damaging, was the Equifax breach which exposed around 148 million social security numbers. That’s pretty bad, but to the average citizen it doesn’t impact their daily physical world. Those breaches happened “somewhere else” or “maybe in a cloud”. Life didn’t stop as it should have, unless someone stole your identity. Even then there was a process in place to deal with those individuals. What the general public doesn’t know, or doesn’t understand, is the cyber security risk to the physical world in addition to the virtual one that we have already accepted as common place. What would the public’s response be if a Nuclear Reactor exploded? Or, the water supply for a city was turned off? How would people react if regulators and valves for gas lines were all set to full-open and houses started exploding? The implications to impact are Up to this point in time Operational Technology and Information Technology had nothing to do with each other. OT was responsible for manufacturing, or any physical process and IT was a cost center that was a “necessary evil” in order to run the business. Operational Technology has become far more complicated over the years, with traditional communication protocols (MODBUS, DH+, ControlNet, etc) being replaced by TCP/IP or at the least, CIP. This has naturally brought IT into the picture since these devices are now connecting to standard switches and routers. So, what do we do? Keep in mind that Cyber Security for OT is not as mature as Cyber Security for IT. It hasn’t been around as long, and budget hasn’t traditionally been allocated for these efforts in the past. Below are some things to consider when starting this journey: Partner Up: There is no need to reinvent the wheel here. There are many frameworks that are great starting points to help identify areas for improvements, and to help prioritize what should be done first. Some of the commonly utilized frameworks are ISO27001, NIST, NERC, and FERC. The nature of your business will help determine which framework you should be looking at. In addition to frameworks, there are services available to assess your current architecture and posture and build plans specific to your business for improving your defense. This also gives you a partner, so you don’t have to feel like you are fighting this battle alone. Additionally, a security assessment partner can help you select the right framework for your business and security goals. The Cyber Security community is a close-knit group, and it is important that we stand together in order to move forward. [caption id="attachment_3042" align="alignright" width="300"] HMIs are infamous for

Read More

VULNERABILITY – Office 365 ZWSP Detection

January 22, 2019

Earlier this month, security researchers at Avanan discovered a new zero-width space (ZWSP) vulnerability that was confirmed to have affected Office 365 environments between November 10th, 2018 until January 9th, 2019. ZWSP strings are non-printing Unicode characters normally used to do benign things, such as for enabling line wrapping in long words. However, with this vulnerability attackers used ZWSP strings such as ​ to break up malicious URLs in order to avoid detection by security measures. In the case of Office 365, this technique allowed malicious URLs to completely bypass the security checks of both Office 365 EOP and Office 365 ATP.

Normally, Office 365 security checks would have successfully examined and detected a malicious URL string sent to a user via email. Subsequently, any user clicking a malicious embedded link would be redirected to a red Microsoft security splash page alerting the user to the potential risks of proceeding to the associated webpage. However, by using the ZWSP vulnerability a user would be able to open the raw HTML of an email and then modify a malicious URL such as "www.verybadstuff.com" to become "www​.verybadstuff​.com", completely bypassing the Office 365 security checks.

While this vulnerability has since been fixed by Microsoft, Avanan reported over 90% of their client base had been hit with attempted phishing emails that utilized this vulnerability. Moving forward we expect to see similar vulnerabilities to bypass security filters for URLs. Nonetheless, we were impressed with the relative ease of executing this particular vulnerability. Below we have listed some steps to help safeguard your users.

Proficio Threat Intelligence Recommendations:

  • Regularly conduct phishing awareness training.

  • Perform checks for this vulnerability when performing internal audits.

  • Ensure Microsoft systems have been updated with the latest patches.
Avanan Security Blog - Click Here
Vulnerability Demo Video - Click Here

VULNERABILITY – IE ZERO DAY FLAW (CVE-2018-8653)

January 10, 2019

In the second half of December 2018, a new IE Zero Day named "CVE-2018-8653" was discovered. According to Microsoft, the vulnerability errors when the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” This means that an attacker successfully attacking a machine vulnerable to this flaw, would obtain the same rights as the exploited user. If the victim is an administrator, then an attacker could take full control of the affected system and perform further exploitation activity by modifying data; installing new software; or creating additional user accounts for future access.

But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that takes advantage of the flaw when browsed to through Internet Explorer. In this scenario, there are a number of techniques an attacker can use in order to trick their victims into accessing a malicious website, the most common one being phishing emails with links to such site. According to Cylance researchers, the CVE-2018-8653 "utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” Use After Free represents an attempt to access heap memory that was previously allocated and then freed, mostly resulting in program crashing and the execution of arbitrary code. This type of attack bypasses traditional exploit techniques and instead creates a new call stack to the real stack. Then changes to memory permissions of the heap occur where shell-code is stored and then executed, therefore giving an attacker full control of the system.

In an effort to mitigate malicious attacks, Microsoft released an out-of-band patch ahead of the January 2019 update. The vulnerability affected versions of Internet Explorer 9 on Windows Server 2008; IE 10 on Windows Server 2012, and IE 11 for Windows 7-10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not presented any details about attacks that have possibly already taken place or the potential associated damage/losses that have occurred. The update to patch this vulnerability was released on December 19th.

Proficio Threat Intelligence Recommendations:

  • Maintain all software up to date with the latest patches.

  • Refrain from operating with administrative privileges while performing standard work activities.

  • Conduct training on social engineering techniques in order to mitigate the risk of phishing attacks among employees.
Microsoft Report - Click Here
Cylance Report - Click Here

METHOD – New OpenSSH backdoors exploiting Linux servers discovered

December 12, 2018

ESET recently released a report listing 21 in-the-wild OpenSSH malware families reportedly targeting the portable OpenSSH used in Linux OS, out of which 12 appears to have not been documented before.

This report comes as a follow up of the ESET 2014 research “Operation Windigo”, originally focusing on Linux server-side credential stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group then went on to analyze other OpenSSH backdoors that were detected during the operation “Windigo” and mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script with signatures aimed at 40 different backdoors. In brief, with this script the attackers originally attempted to detect other OpenSSH backdoors before deploying the Ebury, researchers said.

Among the observed malware samples, some were found to present similarities and shared techniques and were all the result of a few critical functions’ modifications. If none of them used complex obfuscating methods, most of them log the passwords supplied by the users and almost all of them exfiltrate the data by copying the credentials to a local file. Additionally, 9 out of 21 of the backdoor families also pushed the data to a C2 server using common network ports such as port 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), usually left open on network firewalls. Rare cases also presented data exfiltration by email.

The raw data of the research did not provide information on the infection vector used in the initial compromise. However, they shed some light on how they extended their reach. All backdoors in fact embedded the credential-stealing functionality and could spread exploiting such stolen credentials. Among the more sophisticated samples that were examined, some of the other most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor); the implementation of a crypto-mining extension (the Bonadan backdoor); and a bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute-force could be used in gaining access through SSH password authentication, consider utilizing long and complex passphrases; enabling key-based authentications; disabling remote root login, and using multi-factor authentication via the PAM (Pluggable Authentication Module).

  • Consider blocking IP addresses attempting brute force attacks by using, for example, the Fail2ban software.

  • Update IDS/IPS to take appropriate actions when triggering on the IOCs listed in the ESET report.
ESET Report - Click Here

Breach – United States Postal Service

December 6, 2018

A serious vulnerability on the United States Postal Service (USPS) website (www.usps.com) was discovered in early November by an anonymous security researcher. The vulnerability reportedly allowed access to account details for over 60 million users, which included personal information such as email address; username; user ID; account number; street address; and phone number among others. Additionally, anyone exploiting the vulnerability would also be able to access package tracking information and, in some cases, even modify user account data.

The vulnerability was traced to a major flaw in the authentication process for a USPS package tracking system known as “Informed Visibility.” The API for this system had essentially no access control measures in place to prevent basic unauthorized requests. This meant that any person that made a free USPS web account could log in and then make specific queries to view personal information of other users. A knowledgeable user could easily make queries containing a wildcard character, in order to produce a list that returned all account entries. The results could even reveal information such as multiple user accounts tied to a single home address, indicating a shared household. None of these unauthorized queries required the use of special hacking tools.

While researchers have reported this information to USPS, who claims to have fixed this issue, any unauthorized queries made during the exposure time frame could have leaked personal information to attackers. Not to mention, any of the leaked data could have possibly been saved for future attacks. In particular, 60 million email addresses would be considered a treasure trove to those conducting spam email or phishing campaigns.

Proficio Threat Intelligence Recommendations:

  • If your company utilizes a USPS web account, review your account information for unauthorized modifications. If any unauthorized changes have been made to your account, report your findings to USPS.

  • While no passwords were reported leaked in this breach, it is advised to change the password of your USPS web account, to a strong randomized password, as a precaution.
Krebs On Security - Click Here

TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

October 23, 2018

An individual at DigitalEagle's Digital Marketing Agency based out of Australia was able to purchase the rights to domain "scottmorrison.com.au," the domain that hosted the official website of Scott Morrison, the current Prime Minister of Australia. The individual purchased the rights to the domain at an auction for expiring domains for fifty US dollars.

After the purchase of the domain, the individual created a fresh Wordpress site hosted on the domain and placed humorous content poking fun at the prime minister including references to the song "Scotty Doesn't Know" from the 2004 film Eurotrip.

It appears that the new website was up for two days from October 18th to October 20th and went viral receiving over 340,000 visitors. The individual that hijacked the site blogged the experience and detailed other alternate scenarios that could've ensued if a malicious attacker would have taken control of the domain. This could have included using the domain to phish for sensitive information, receive sensitive emails, or continue to maintain the site and deliver fake content regarding political opinions of the PM. After two days, the hijacker gladly gave back the domain and the original website has since been restored. No crimes appear to have been committed in this particular situation and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Validate a procedure is in place to renew domains owned by the organization.

  • Have a monitoring solution in place to look for major content changes to hosted websites.

Personal Blog of Events - Click Here

ATTACKER – NEW NORTH KOREAN THREAT GROUP TARGETING FINANCIAL INSTITUTIONS

October 4, 2018

FireEye researchers have just released details on a new threat group dubbed APT38, held accountable for the attempted heist of approximately $1.1 billion dollars from financial institutions in different geographies.

Also believed to have close ties to the North Korean Regime and their illicit financially-motivated activities, the threat actor appears to differ from the activity of other infamously known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The characteristics of the malicious tools being employed showed some similarities, leading to think the groups have access to the same developer or code repositories. On the other hand, operations, targets and TTPs proved to diverge over time.

At least 16 organizations have been targeted in 11 countries ever since the first operation was carried out in 2014. In particular, attacks to the SWIFT banking systems between 2016 and 2018 have been reportedly attributed to the APT38, including targets of the calibre of the Bangladesh Bank; Bancomext; and Banco de Chile. According to Fire Eye, additional heist attempts’ victims were financial governing bodies as well as media organizations within the financial sector. The heavy interest in the financial sector, explained FireEye in a detailed timeline, was likely the result of the economic sanctions that have been enacted against North Korea over the years.

The APT38 operation is believed to be a large-scale and well-thought operation. The attack lifecycle appears to be characterized by long term planning and external and internal reconnaissance activity, with ongoing access to the compromised victims’ systems. At least 26 non-public plus two public malware families have been attributed to the threat group. The compromise is then followed by the full destruction of any sort of evidence to evade detection once the money heist is completed.

FireEye has warned on the seriousness of the risk linked to the group, which remains active with operations likely to continue in the future with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security steps for SWIFT transactions to avoid falling victims of an attack.

  • Update IDS/IPS to take appropriate actions when triggering on the IOCs detailed in the report (IP address ranges).

FireEye Blog - Click Here
FireEye Special Report - Click Here

VULNERABILITY – NEW APPLE iOS 12 SCREEN BYPASS DISCOVERED

October 3, 2018

It didn’t take long until a new lock screen flow was found for the new Apple’s iOS 12, released on 17 September 2018. Spanish researcher Jose Rodriguez published a YouTube video in Spanish language detailing the steps of the quite complex passcode bypass. An English-speaking version of the same video was subsequently published on YouTube.

According to the video, the attacker would need to exploit Siri, which would ave to be enabled, to access the phone’s contacts, numbers, emails and photos. It goes without saying that the Face ID functionality must be either inactivated or physically obfuscated. The process is not an easy one as it requires the offender to have physical access to the Apple device as well as a total of 37 steps to eventually gain access to the stored pictures.

This is the third time the same researcher exposed Apple’s security flaws. The latest bypass appears to work on all Apple devices running iOS 12 (and the iOS 12.1 beta), including the new XS.

4th Paragraph.

Proficio Threat Intelligence Recommendations:

  • The bypass can be mitigated by disabling the Siri’s lock screen access via Settings > Face ID and Passcode or Settings > Touch ID and Passcode > disable “Allow access when locked”

General Information - Click Here