Threat Intelligence Posts

VULNERABILITY – IE ZERO DAY FLAW (CVE-2018-8653)

January 10, 2019

In the second half of December 2018, a new Internet Explorer zero-day, CVE-2018-8653, was discovered. According to Microsoft, the vulnerability exists in the way the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” In other words, an attacker who successfully exploits a vulnerable machine gains the same rights as the logged-in user. If that user is an administrator, the attacker could take full control of the affected system and carry out further activity, such as modifying data, installing software, or creating additional user accounts for future access.

But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that triggers the flaw when it is browsed with Internet Explorer. There are a number of techniques an attacker can use to lure victims to such a site, the most common being phishing emails that link to it. According to Cylance researchers, CVE-2018-8653 "utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” A use-after-free occurs when a program keeps using a pointer to heap memory after that memory has been freed. If the freed memory is simply reused for something else, the result is usually a crash; if an attacker can arrange for their own data to occupy the freed memory before the stale pointer is used, the program treats attacker-controlled data as a legitimate object, which is what "masquerading as a fake RegExpObj" refers to. Rather than relying on traditional exploitation techniques, this exploit builds a fake call stack and pivots the real stack onto it; it then changes the memory permissions of the heap region where the shellcode is stored so that it becomes executable, and jumps to it, giving the attacker code execution with the privileges of the browser process, and therefore of the current user.
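As an added example, and not code from the original post or from the Cylance write-up, the Python model below shows the mechanism the paragraph describes rather than CVE-2018-8653 itself: a heap slot is freed while the engine still holds a pointer to it, the next same-sized allocation (attacker-controlled) is handed that same slot, and the engine's stale pointer then dispatches through the attacker's fake object. The toy allocator, the object layout, the "RegExpObj" fields and the attacker function are all constructed stand-ins; the tagged allocator at the end shows why a pointer that carries the slot's allocation generation refuses the stale access.

```python
"""
Conceptual model of a use-after-free (UAF) becoming type confusion.

Constructed stand-ins throughout: the allocator, the object layout and the
"shellcode" function model the mechanism, not jscript.dll.
"""

import re


class Slab:
    """Toy allocator for one size class. Slots are recycled last-freed-first,
    which is how many real heap free lists behave and what makes reuse predictable."""

    def __init__(self, nslots):
        self.slots = [None] * nslots
        self.free_list = list(range(nslots))   # pop() returns the most recently freed slot

    def alloc(self, payload):
        idx = self.free_list.pop()
        self.slots[idx] = payload
        return idx                               # the "pointer"

    def free(self, idx):
        # free() does not wipe the slot; the old contents stay until reuse.
        self.free_list.append(idx)

    def deref(self, idx):
        return self.slots[idx]


def regexp_exec(obj, text):
    """Legitimate RegExpObj method, reached through the object's vtable."""
    return bool(re.search(obj["pattern"], text))


def attacker_code(obj, text):
    """Stands in for shellcode: whatever the attacker's fake vtable points at."""
    return "ATTACKER_CODE_RAN"


def vulnerable_engine(heap):
    # 1. The engine allocates a RegExpObj and keeps a raw pointer to it.
    p = heap.alloc({"type": "RegExpObj", "pattern": "a+",
                    "vtable": {"exec": regexp_exec}})
    # 2. A script-triggered callback frees the object; p is neither cleared nor tagged.
    heap.free(p)
    # 3. The script allocates an object of the same size. LIFO reuse hands back slot p,
    #    and the attacker lays out its contents to look like a RegExpObj.
    heap.alloc({"type": "RegExpObj", "pattern": "",
                "vtable": {"exec": attacker_code}})
    # 4. The engine uses p again: the method call goes through the fake vtable.
    obj = heap.deref(p)
    return obj["vtable"]["exec"](obj, "aaa")


class TaggedSlab(Slab):
    """Same allocator, but every pointer carries the slot's allocation generation.
    A pointer whose generation no longer matches refers to freed memory and is refused."""

    def __init__(self, nslots):
        super().__init__(nslots)
        self.generation = [0] * nslots

    def alloc(self, payload):
        idx = super().alloc(payload)
        return (idx, self.generation[idx])

    def free(self, handle):
        idx, gen = handle
        if self.generation[idx] != gen:
            raise RuntimeError("double free")
        self.generation[idx] += 1
        super().free(idx)

    def deref(self, handle):
        idx, gen = handle
        if self.generation[idx] != gen:
            raise RuntimeError("stale reference: slot was freed")
        return self.slots[idx]


def hardened_engine(heap):
    """Same sequence of operations as vulnerable_engine, against the tagged allocator."""
    p = heap.alloc({"type": "RegExpObj", "pattern": "a+",
                    "vtable": {"exec": regexp_exec}})
    heap.free(p)
    heap.alloc({"type": "RegExpObj", "pattern": "",
                "vtable": {"exec": attacker_code}})
    try:
        obj = heap.deref(p)
        return obj["vtable"]["exec"](obj, "aaa")
    except RuntimeError as err:
        return "refused: %s" % err


if __name__ == "__main__":
    print(vulnerable_engine(Slab(8)))        # ATTACKER_CODE_RAN
    print(hardened_engine(TaggedSlab(8)))    # refused: stale reference: slot was freed
```

The model covers only the use-after-free and the fake-object dispatch; the stack pivot and the change of heap memory permissions that the exploit performs afterwards are not represented.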

To mitigate attacks, Microsoft released an out-of-band patch on December 19th, ahead of the January 2019 Patch Tuesday update. The vulnerability affects Internet Explorer 9 on Windows Server 2008, IE 10 on Windows Server 2012, and IE 11 on Windows 7 through 10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not published details of the attacks that may already have taken place or of any associated damage or losses.

Proficio Threat Intelligence Recommendations:

  • Keep all software up to date with the latest patches.

  • Refrain from operating with administrative privileges while performing standard work activities, so that a browser compromise does not hand the attacker full control of the system.

  • Conduct training on social engineering techniques to mitigate the risk of phishing attacks against employees.
Microsoft Report - Click Here
Cylance Report - Click Here

METHOD – New OpenSSH backdoors exploiting Linux servers discovered

December 12, 2018

ESET recently released a report listing 21 in-the-wild OpenSSH malware families targeting the portable OpenSSH used on Linux systems, 12 of which appear not to have been documented before.

The report follows up on ESET's 2014 "Operation Windigo" research, which focused on a Linux server-side credential-stealing campaign with the Ebury OpenSSH backdoor at its core. ESET then went on to analyze other OpenSSH backdoors detected during Windigo that were mostly unknown to the broader security community. They were able to do so thanks to a Perl script used by the Windigo operators themselves, which carries signatures for 40 different backdoors: the attackers ran this script to detect competing OpenSSH backdoors on a host before deploying Ebury, the researchers said.

Among the observed samples, several share techniques and similarities, and all of them stem from modifications to a few critical OpenSSH functions. None used complex obfuscation. Most log the passwords supplied by users, and almost all exfiltrate the data by writing the captured credentials to a local file. Additionally, 9 of the 21 backdoor families also push the data to a C2 server over common ports such as 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), which are usually left open on network firewalls. In rare cases, data was exfiltrated by email.

The research data did not reveal the infection vector used in the initial compromise. It did shed light on how the operators extended their reach: all the backdoors embed credential-stealing functionality, and the stolen credentials could be used to spread to further hosts. Among the more sophisticated samples examined, the most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor), a crypto-mining extension (the Bonadan backdoor), and bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute force may be used to gain access through SSH password authentication, use long and complex passphrases, enable key-based authentication, disable remote root login, and use multi-factor authentication via PAM (Pluggable Authentication Modules).

  • Consider blocking IP addresses that attempt brute-force attacks, for example with Fail2ban.

  • Update IDS/IPS to take appropriate action when triggering on the IOCs listed in the ESET report.
ESET Report - Click Here
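As an added example, not from the ESET report or the original post, the Python script below audits an sshd_config against the recommendations above. It parses the global section the way sshd does (keywords are case-insensitive and the first value seen for a keyword wins) and reports settings that leave password guessing, remote root login or single-factor authentication possible. The two sample configurations are constructed; the PAM check assumes the usual pattern of `UsePAM yes` combined with an `AuthenticationMethods` chain that requires a public key and a keyboard-interactive step.

```python
"""Audit an sshd_config for the SSH hardening settings discussed above."""

import re

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section of an sshd_config.

    Keywords inside Match blocks are conditional overrides and are not folded
    into the global view; their presence is recorded under '_has_match'.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            settings["_has_match"] = True
            continue
        if not in_match:
            settings.setdefault(key, value)     # sshd keeps the first value it sees
    return settings


def audit_sshd_config(text):
    """Return [(keyword, finding), ...]; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []

    def value(key):
        return cfg.get(key, "").lower()

    # PasswordAuthentication defaults to yes; brute force only works while it is on.
    if value("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication",
                         "not set to 'no'; password logins remain possible"))
    if value("pubkeyauthentication") == "no":
        findings.append(("PubkeyAuthentication", "explicitly disabled"))
    # The default 'prohibit-password' still lets root in with a key; require 'no'.
    if value("permitrootlogin") != "no":
        findings.append(("PermitRootLogin",
                         "not set to 'no'; remote root login remains possible"))
    # A PAM second factor needs UsePAM plus an AuthenticationMethods chain that
    # demands a key AND a keyboard-interactive (PAM) step. sshd accepts a login if
    # ANY space-separated chain succeeds, so every chain must be two-factor.
    chains = [c.split(",") for c in value("authenticationmethods").split()]
    two_factor = bool(chains) and all(
        "publickey" in chain and any(m.startswith("keyboard-interactive") for m in chain)
        for chain in chains)
    if value("usepam") != "yes" or not two_factor:
        findings.append(("AuthenticationMethods",
                         "no PAM-backed second factor; want 'UsePAM yes' and "
                         "'AuthenticationMethods publickey,keyboard-interactive:pam'"))
    if cfg.get("_has_match"):
        findings.append(("Match", "Match blocks present; conditional overrides not evaluated"))
    return findings


# Constructed sample: common distribution defaults left in place.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: key-based login plus a PAM second factor, no root login.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# ChallengeResponseAuthentication enables keyboard-interactive on older OpenSSH
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
# sshd ignores this later duplicate: the first PermitRootLogin above wins
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(conf) or "no findings")
```

Run it against `/etc/ssh/sshd_config` from a host and treat any `Match` finding as a prompt to read those blocks by hand, since a `Match` block can re-enable password authentication for a subset of users or addresses.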

Breach – United States Postal Service

December 6, 2018

A serious vulnerability in the United States Postal Service (USPS) website (www.usps.com) was discovered in early November by an anonymous security researcher. The vulnerability reportedly allowed access to the account details of over 60 million users, including personal information such as email address, username, user ID, account number, street address and phone number. Additionally, anyone exploiting the vulnerability could access package tracking information and, in some cases, even modify other users' account data.

The vulnerability was traced to a major flaw in the access controls of the API behind a USPS package tracking system known as “Informed Visibility.” The API had essentially no authorization checks to prevent basic unauthorized requests: any person who created a free USPS web account could log in and then craft queries that returned the personal information of other users. A knowledgeable user could easily submit a query containing a wildcard character to produce a list of all account entries, and the results could reveal details such as multiple accounts tied to a single home address, indicating a shared household. None of these unauthorized queries required special hacking tools; the API verified that the caller was logged in, but nothing tied the records it returned to the account making the request.
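As an added example, not USPS code and not taken from the Krebs report, the Python snippet below models the class of flaw described above beside its fix. The account table, identifiers and handler names are constructed. The vulnerable handler checks only that the caller is logged in and then applies a caller-supplied, wildcard-capable filter to the whole table; the hardened handler validates the identifier as a literal id, ties the result to the authenticated identity, and denies everything else. The last function shows the "shared household" inference the bulk disclosure makes possible.

```python
"""Broken object-level authorization beside its hardened form (constructed model)."""

import fnmatch

# Constructed sample records standing in for an account/tracking table.
ACCOUNTS = {
    "10001": {"username": "alice", "email": "alice@example.org", "street": "1 Main St"},
    "10002": {"username": "bob",   "email": "bob@example.org",   "street": "1 Main St"},
    "10003": {"username": "carol", "email": "carol@example.org", "street": "9 Elm Rd"},
}


class Forbidden(Exception):
    """Request denied; in a real service this maps to HTTP 403 plus an audit log entry."""


def lookup_vulnerable(session_user_id, requested_account):
    """Authentication without authorization.

    The caller must be logged in, but the account filter comes straight from the
    request and is matched as a glob, so '*' (or '1000?') returns every record.
    """
    if session_user_id not in ACCOUNTS:
        raise Forbidden("login required")
    return {aid: rec for aid, rec in ACCOUNTS.items()
            if fnmatch.fnmatchcase(aid, requested_account)}


def lookup_hardened(session_user_id, requested_account):
    """Object-level authorization.

    The identifier must be a literal account id (no wildcard syntax), must match
    the identity bound to the session, and anything else is denied.
    """
    if session_user_id not in ACCOUNTS:
        raise Forbidden("login required")
    if not requested_account.isdigit():
        raise Forbidden("malformed account identifier")
    if requested_account != session_user_id:
        # A logged-in user asking for someone else's record: the attempt worth alerting on.
        raise Forbidden("account %s is not owned by the caller" % requested_account)
    return {session_user_id: ACCOUNTS[session_user_id]}


def is_denied(handler, session_user_id, requested_account):
    """True if the handler refuses the request."""
    try:
        handler(session_user_id, requested_account)
    except Forbidden:
        return True
    return False


def shared_addresses(records):
    """Group returned accounts by street: the household inference the text mentions,
    which only becomes possible once many records are disclosed at once."""
    by_street = {}
    for rec in records.values():
        by_street.setdefault(rec["street"], []).append(rec["username"])
    return {street: sorted(users) for street, users in by_street.items() if len(users) > 1}


if __name__ == "__main__":
    leaked = lookup_vulnerable("10001", "*")          # 3 records instead of 1
    print(len(leaked), shared_addresses(leaked))      # 3 {'1 Main St': ['alice', 'bob']}
    print(lookup_hardened("10001", "10001"))
    print(is_denied(lookup_hardened, "10001", "*"))   # True
```

The hardened handler ignores who the client claims to be and derives ownership from the session; that, rather than input filtering alone, is what closes the hole, since an attacker can still enumerate literal ids if the check is merely "is this a well-formed number".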

The researcher reported the issue to USPS, which says it has since been fixed; however, any unauthorized queries made during the exposure window could have leaked personal information to attackers, and any leaked data may have been saved for future attacks. In particular, 60 million email addresses are a treasure trove for anyone running spam or phishing campaigns.

Proficio Threat Intelligence Recommendations:

  • If your company uses a USPS web account, review the account information for unauthorized modifications. If any unauthorized changes have been made, report your findings to USPS.

  • While no passwords were reported leaked in this breach, it is advisable to change your USPS web account password to a strong, randomly generated one as a precaution.
Krebs On Security - Click Here

TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

October 23, 2018

An individual at DigitalEagle, a digital marketing agency based in Australia, was able to purchase the domain "scottmorrison.com.au," which had hosted the official website of Scott Morrison, the current Prime Minister of Australia. The registration had been allowed to lapse, and the individual bought the domain at an auction for expiring domains for fifty US dollars.

After purchasing the domain, the individual set up a fresh WordPress site on it and posted humorous content poking fun at the Prime Minister, including references to the song "Scotty Doesn't Know" from the 2004 film EuroTrip.

The new website appears to have been up for two days, from October 18th to October 20th, and went viral, receiving over 340,000 visitors. The individual blogged about the experience and described what could have happened had a malicious actor taken control of the domain instead: it could have been used to phish for sensitive information, to receive email sent to addresses at the domain, or to keep the site running and publish fake content about the PM's political positions. After two days the individual returned the domain, and the original website has since been restored. No crime appears to have been committed and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Ensure a procedure is in place to renew domains owned by the organization, including registrar auto-renewal and expiry alerts delivered to a monitored team mailbox rather than to a single individual.

  • Have a monitoring solution in place to detect major content changes to hosted websites, and to alert on changes to a domain's registration or DNS records.

Personal Blog of Events - Click Here

ATTACKER – NEW NORTH KOREAN THREAT GROUP TARGETING FINANCIAL INSTITUTIONS

October 4, 2018

FireEye researchers have released details on a new threat group dubbed APT38, held responsible for attempted thefts of approximately $1.1 billion from financial institutions in several regions.

Although also believed to have close ties to the North Korean regime and its illicit, financially motivated activities, the group's activity appears to differ from that of other well-known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The malicious tools employed show some similarities, suggesting the groups have access to the same developers or code repositories; their operations, targets and TTPs, however, have diverged over time.

At least 16 organizations in 11 countries have been targeted since the first operation in 2014. In particular, attacks on SWIFT banking systems between 2016 and 2018 have been attributed to APT38, including targets of the calibre of Bangladesh Bank, Bancomext and Banco de Chile. According to FireEye, other victims of heist attempts included financial governing bodies and media organizations within the financial sector. The heavy interest in the financial sector, FireEye explained in a detailed timeline, is likely the result of the economic sanctions enacted against North Korea over the years.

APT38's operations are believed to be large-scale and well planned. The attack lifecycle is characterized by long-term planning, external and internal reconnaissance, and prolonged access to the compromised victims' systems. At least 26 non-public and two public malware families have been attributed to the group. Once the heist is complete, the group destroys evidence of the compromise to evade detection and hinder investigation.

FireEye has warned of the seriousness of the risk posed by the group, which remains active and is likely to continue its operations with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security controls around SWIFT transactions to avoid falling victim to an attack.

  • Update IDS/IPS to take appropriate action when triggering on the IOCs detailed in the report (IP address ranges).

FireEye Blog - Click Here
FireEye Special Report - Click Here

VULNERABILITY – NEW APPLE iOS 12 SCREEN BYPASS DISCOVERED

October 3, 2018

It didn't take long for a new lock screen flaw to be found in Apple's iOS 12, released on 17 September 2018. Spanish researcher Jose Rodriguez published a Spanish-language YouTube video detailing the steps of the rather complex passcode bypass. An English-language version of the same video was subsequently published on YouTube.

According to the video, the attacker abuses Siri, which has to be enabled on the lock screen, to reach the phone's contacts, phone numbers, emails and photos. It goes without saying that Face ID must be either disabled or physically covered so that the device does not simply unlock. The process is not an easy one: it requires physical access to the device and a total of 37 steps to eventually reach the stored photos.

This is the third time the same researcher has exposed an Apple security flaw of this kind. The latest bypass appears to work on all Apple devices running iOS 12 (and the iOS 12.1 beta), including the new iPhone XS.


Proficio Threat Intelligence Recommendations:

  • The bypass can be mitigated by disabling Siri's lock screen access: Settings > Face ID & Passcode (or Touch ID & Passcode) > turn off Siri under “Allow Access When Locked”.

General Information - Click Here

METHOD – REMCOS RAT

October 2, 2018

A remote access tool known as Remcos has been rising in popularity over the last month and has been linked to several recent attacks. Remcos, sold for €58 to €389 by the vendor Breaking Security, is marketed as a tool for “ethical hacking” and other legal purposes. It boasts the ability to monitor keystrokes, manage files, take remote screenshots, execute remote commands, and otherwise control an endpoint remotely. Unsurprisingly, the tool is also being bought by criminals and used for malicious purposes, such as controlling botnets.

In some recent attacks, spear phishing emails were sent to government contractors, with the attackers posing as various tax agencies or government organizations. The emails contained custom logos, realistic privacy disclosure statements, spoofed sender addresses and other details to appear as legitimate as possible. Attached to the emails were Microsoft Office files mimicking legitimate tax documents and displaying intentionally blurred image previews. The blurred preview was the lure: victims were prompted to enable macros in order to view the document's content. Once macros were enabled and the file reopened, a set of routines assembled an executable from byte arrays embedded in the Office attachment. This executable then ran Remcos silently in the background, giving the attacker a foothold from which to observe the user or conduct further malicious activity.

While spear phishing emails and malicious attachments are nothing new to security professionals, the latest attacks with Remcos are both sophisticated and well executed. The attackers behind these campaigns have gone to great lengths to craft very realistic spear phishing emails that have misled multiple targets. Additionally, some security appliances may not detect these attachments at first, because the Remcos executable is not present in the file as such: it is stored as arrays and only assembled at runtime. To make matters worse, because Remcos is sold as ethical hacking software, many endpoint protection vendors do not include the Remcos file hashes in their malware definitions.
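As an added example, not from the Talos report and not a Remcos signature, the Python script below performs the kind of heuristic triage an analyst could apply to a macro extracted from an attachment like the ones described above. It looks for the combination the text describes: an auto-executing procedure, a large numeric array, a binary file write, and a process launch. Both macro samples are constructed for illustration; the "suspicious" one writes a harmless run of numbers, not real executable bytes, and the thresholds and indicator names are assumptions to tune.

```python
"""Heuristic scan of VBA source for array-assembled droppers (constructed example)."""

import re

ARRAY_MIN_LITERALS = 32     # below this, an Array(...) is probably ordinary data

INDICATORS = {
    "auto_exec":    re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "binary_write": re.compile(r"\bFor\s+Binary\b|\bPut\s*#|ADODB\.Stream|\.SaveToFile\b", re.I),
    "exec":         re.compile(r"\bShell\b|WScript\.Shell|ShellExecute|\bCreateObject\s*\(", re.I),
    "temp_path":    re.compile(r"Environ\s*\(\s*\"(TEMP|TMP|APPDATA|LOCALAPPDATA)\"", re.I),
}


def join_continuations(vba):
    """VBA continues a statement on the next line with ' _'; fold those so a byte
    array split over many lines is seen as a single Array(...) call."""
    return re.sub(r"[ \t]_[ \t]*\r?\n[ \t]*", " ", vba)


def scan_macro(vba):
    """Return {'verdict': ..., 'indicators': {name: matched_text}} for one macro module."""
    src = join_continuations(vba)
    hits = {}
    for name, rx in INDICATORS.items():
        m = rx.search(src)
        if m:
            hits[name] = m.group(0)
    # Largest run of numeric literals inside any Array(...) call.
    counts = [len(re.findall(r"\b\d+\b", body))
              for body in re.findall(r"\bArray\s*\(([^)]*)\)", src, re.I)]
    if counts and max(counts) >= ARRAY_MIN_LITERALS:
        hits["embedded_byte_array"] = "%d numeric literals" % max(counts)
    if "embedded_byte_array" in hits and ("binary_write" in hits or "exec" in hits):
        verdict = "suspicious"      # bytes assembled in-document, then dropped or run
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits}


# Constructed samples (not real malware): 40 consecutive integers stand in for bytes.
_FAKE_BYTES = ", ".join(str(n) for n in range(77, 77 + 40))

SUSPICIOUS_MACRO = f"""
Sub AutoOpen()
    Dim b As Variant
    b = Array({_FAKE_BYTES})
    Dim p As String
    p = Environ("TEMP") & "\\upd.exe"
    Open p For Binary As #1
    Dim i As Long
    For i = LBound(b) To UBound(b)
        Put #1, , CByte(b(i))
    Next i
    Close #1
    Shell p, vbHide
End Sub
"""

BENIGN_MACRO = """
Sub FormatTotals()
    Dim months As Variant
    months = Array("Jan", "Feb", "Mar")
    Range("A1").Value = "Total"
    Range("B1").Formula = "=SUM(B2:B13)"
End Sub
"""

if __name__ == "__main__":
    print(scan_macro(SUSPICIOUS_MACRO)["verdict"], scan_macro(BENIGN_MACRO)["verdict"])
```

Feed it the VBA modules extracted from a document (for example with a VBA extraction tool of your choice) and treat "suspicious" as a reason to detonate the sample in a sandbox rather than as a conviction; a macro can also build its byte string with `Chr()` or string concatenation, which this version does not count.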

Proficio Threat Intelligence Recommendations:

  • Disable Microsoft Office macros, or at minimum block macros in documents received from the internet.

  • Conduct spear phishing awareness training sessions with employees.

  • Update security appliance definitions to include Remcos IoCs.
Talos Intelligence - Click Here

TARGET – FACEBOOK DATA BREACH

October 1, 2018

Facebook is back in the headlines over user privacy and the exposure of personal information, following an attack on its network. The social media giant admitted that at least 50 million users may have had their personal information compromised in the attack, which has been described as the largest breach in the company's 14-year history. As if the exposure of user data weren't bad enough, the attackers were also able to take control of user accounts, allowing them to pose as those users or view their private information.

The breach has been traced to code vulnerabilities in the “View As” feature, which lets users see their profile as someone else would, and in code related to uploading birthday videos. Once exploited, these vulnerabilities allowed attackers to steal account access tokens, the credentials that keep a user logged in, which is why accounts could be taken over without any password being known. Some industry experts have also suggested that affiliated services such as Spotify and Instagram may have been affected as a result. The investigation into the extent of the breach is still under way, and it is unclear whether specific individuals were targeted or whether the attack was carried out by nation-state actors or a hacker collective. Facebook has confirmed that it is working with law enforcement and that the vulnerabilities have been patched. It has also reset the access tokens of all accounts that used the “View As” feature during the last year, forcing those users to log in again, where they are shown a security notification. Additionally, Facebook has temporarily disabled the “View As” feature while it conducts further security assessments.

The news comes as Facebook is still recovering from the Cambridge Analytica scandal, which led to a congressional hearing involving Facebook's senior executives and revealed that millions of users had their information collected by third parties for political campaigns. This latest breach has renewed calls for government regulation of social media policies and procedures. As more developments emerge, this story is likely to weigh heavily on the future of social media platforms.

Proficio Threat Intelligence Recommendations:

  • Consider the risks of allowing employees to access social media at work, and make appropriate guidelines and/or changes to your organization's AUP.

  • Review the social media accounts your organization uses and develop policies regarding what information can be shared via social media accounts.

  • Individuals should read the FTC’s recommendations for consumers, located here:
    https://www.consumer.ftc.gov/blog/2018/10/facebook-breach-what-do-next
Facebook Security Update Announcement - Click Here

TARGET – British Airways Credit Card Data Breach

September 7, 2018

On September 7th, it was publicly disclosed that 380,000 customer transactions processed by the British Airways website between August 21st and September 5th had been compromised by attackers. The information believed to have been obtained included the name, email address and payment card details for each transaction, including the card's CVV code.

Details of exactly how the British Airways site was compromised are not publicly available at this time. Because the CVV code was among the stolen data, security researchers believe the attackers copied customer data as it was entered into the British Airways website: merchants are not permitted to store CVV codes after authorization, so a CVV can only be captured at the moment the customer submits it, not from stored records.

Affected users are currently being notified. British Airways disclosed the breach within 72 hours of becoming aware of it, as required by the new GDPR rules. Under the GDPR, if British Airways is found not to have done enough to protect customer information, it could face a fine of up to 4 percent of annual turnover, which by some estimates is around 500 million pounds.

Proficio Threat Intelligence Recommendations:

  • Validate that public-facing web services that process payment information are patched.

  • Make sure a continuous monitoring solution is in place to detect intrusions into websites that process payment information, including unauthorized changes to the scripts those payment pages load.
General Info on Breach - Click Here

TARGET – 20,000 USERS FROM AIR CANADA’S MOBILE APP BREACHED

September 1, 2018

Air Canada is requiring a password reset for its entire 1.7 million mobile app user base. The reset follows the detection of unusual login behavior between August 22nd and August 24th, which led the airline to suspect that about 20,000 accounts held within its mobile app had been compromised.

The information that may have been exposed includes customers' passport number, passport expiration date, passport country of issuance and country of residence, NEXUS number, Aeroplan account number, and personal details such as gender, date of birth and nationality. Payment card information was protected and is not believed to have been exposed.

It should be noted that Air Canada detected the suspicious login activity almost immediately, which led to the discovery of the breach.

Proficio Threat Intelligence Recommendations:

  • Log hosted web application activity to enable monitoring and auditing of the app.

  • Have a monitoring solution in place for web application authentication activity.

  • Have a breach notification procedure in place for hosted web applications.

  • Users should protect their accounts with strong passwords that are not reused across services.
Summary of Details of Breach - Click Here
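As an added example, not Air Canada's detection logic, the Python script below shows one way to turn the authentication logging recommended above into an alert on the kind of unusual login behavior described in this post. The log format, field names, IP addresses, account names and thresholds are all constructed. The detector slides a time window over each source IP's attempts and alerts when a window holds attempts against many distinct accounts with a high failure rate; accounts that nevertheless logged in successfully from a flagged source are listed for a forced password reset.

```python
"""Detect bursts of logins against many accounts from one source (constructed example)."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_auth_log(lines):
    """Parse the constructed log format into time-ordered events; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "ip": m["ip"],
                           "user": m["user"], "ok": m["result"] == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_bursts(lines, window=timedelta(minutes=10),
                             min_users=10, min_fail_ratio=0.5):
    """Return {ip: summary} for sources whose attempts, within any `window`, span at
    least `min_users` distinct accounts with a failure rate of at least `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for e in parse_auth_log(lines):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # drop attempts older than the window
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Summarise everything seen from this source, not only the trigger window.
                alerts[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "failures": sum(1 for e in evs if not e["ok"]),
                    "accounts_to_reset": sorted({e["user"] for e in evs if e["ok"]}),
                }
                break
    return alerts


def _constructed_log():
    """Constructed sample: one fast burst, one slow probe, one ordinary user."""
    base = datetime(2018, 8, 22, 3, 0, 0)
    lines = []
    # 30 accounts tried in 150 seconds from one address; three guesses succeed.
    for i in range(30):
        result = "ok" if i in (5, 17, 23) else "fail"
        lines.append("%s login ip=203.0.113.7 user=u%d result=%s"
                     % ((base + timedelta(seconds=5 * i)).strftime(TS_FMT), 1000 + i, result))
    # 12 accounts tried from another address, one every 15 minutes: never 10 in one window.
    for i in range(12):
        lines.append("%s login ip=192.0.2.9 user=v%d result=fail"
                     % ((base + timedelta(minutes=15 * i)).strftime(TS_FMT), i))
    # A real user mistyping once, then logging in.
    lines.append("2018-08-22T03:00:10Z login ip=198.51.100.20 user=alice result=fail")
    lines.append("2018-08-22T03:00:40Z login ip=198.51.100.20 user=alice result=ok")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, summary in detect_credential_bursts(SAMPLE_LOG).items():
        print(ip, summary)
```

Note the slow probe from the second address: with a 10-minute window it is never flagged, so a patient attacker spreading attempts over hours slips under this rule. In practice the window is one of several signals, combined with per-account failure counts and with the geographic or device spread of successful logins.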