Threat Intelligence Posts

TARGET – AUSTRALIAN PRIME MINISTER’S DOMAIN HIJACKED

October 23, 2018

An individual at DigitalEagle's Digital Marketing Agency based out of Australia was able to purchase the rights to domain "scottmorrison.com.au," the domain that hosted the official website of Scott Morrison, the current Prime Minister of Australia. The individual purchased the rights to the domain at an auction for expiring domains for fifty US dollars.

After the purchase of the domain, the individual created a fresh Wordpress site hosted on the domain and placed humorous content poking fun at the prime minister including references to the song "Scotty Doesn't Know" from the 2004 film Eurotrip.

It appears that the new website was up for two days from October 18th to October 20th and went viral receiving over 340,000 visitors. The individual that hijacked the site blogged the experience and detailed other alternate scenarios that could've ensued if a malicious attacker would have taken control of the domain. This could have included using the domain to phish for sensitive information, receive sensitive emails, or continue to maintain the site and deliver fake content regarding political opinions of the PM. After two days, the hijacker gladly gave back the domain and the original website has since been restored. No crimes appear to have been committed in this particular situation and no arrests have been made.

Proficio Threat Intelligence Recommendations:

  • Validate a procedure is in place to renew domains owned by the organization.

  • Have a monitoring solution in place to look for major content changes to hosted websites.

Personal Blog of Events - Click Here

ATTACKER – NEW NORTH KOREAN THREAT GROUP TARGETING FINANCIAL INSTITUTIONS

October 4, 2018

FireEye researchers have just released details on a new threat group dubbed APT38, held accountable for the attempted heist of approximately $1.1 billion dollars from financial institutions in different geographies.

Also believed to have close ties to the North Korean Regime and their illicit financially-motivated activities, the threat actor appears to differ from the activity of other infamously known groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The characteristics of the malicious tools being employed showed some similarities, leading to think the groups have access to the same developer or code repositories. On the other hand, operations, targets and TTPs proved to diverge over time.

At least 16 organizations have been targeted in 11 countries ever since the first operation was carried out in 2014. In particular, attacks to the SWIFT banking systems between 2016 and 2018 have been reportedly attributed to the APT38, including targets of the calibre of the Bangladesh Bank; Bancomext; and Banco de Chile. According to Fire Eye, additional heist attempts’ victims were financial governing bodies as well as media organizations within the financial sector. The heavy interest in the financial sector, explained FireEye in a detailed timeline, was likely the result of the economic sanctions that have been enacted against North Korea over the years.

The APT38 operation is believed to be a large-scale and well-thought operation. The attack lifecycle appears to be characterized by long term planning and external and internal reconnaissance activity, with ongoing access to the compromised victims’ systems. At least 26 non-public plus two public malware families have been attributed to the threat group. The compromise is then followed by the full destruction of any sort of evidence to evade detection once the money heist is completed.

FireEye has warned on the seriousness of the risk linked to the group, which remains active with operations likely to continue in the future with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security steps for SWIFT transactions to avoid falling victims of an attack.

  • Update IDS/IPS to take appropriate actions when triggering on the IOCs detailed in the report (IP address ranges).

FireEye Blog - Click Here
FireEye Special Report - Click Here

VULNERABILITY – NEW APPLE iOS 12 SCREEN BYPASS DISCOVERED

October 3, 2018

It didn’t take long until a new lock screen flow was found for the new Apple’s iOS 12, released on 17 September 2018. Spanish researcher Jose Rodriguez published a YouTube video in Spanish language detailing the steps of the quite complex passcode bypass. An English-speaking version of the same video was subsequently published on YouTube.

According to the video, the attacker would need to exploit Siri, which would ave to be enabled, to access the phone’s contacts, numbers, emails and photos. It goes without saying that the Face ID functionality must be either inactivated or physically obfuscated. The process is not an easy one as it requires the offender to have physical access to the Apple device as well as a total of 37 steps to eventually gain access to the stored pictures.

This is the third time the same researcher exposed Apple’s security flaws. The latest bypass appears to work on all Apple devices running iOS 12 (and the iOS 12.1 beta), including the new XS.

4th Paragraph.

Proficio Threat Intelligence Recommendations:

  • The bypass can be mitigated by disabling the Siri’s lock screen access via Settings > Face ID and Passcode or Settings > Touch ID and Passcode > disable “Allow access when locked”

General Information - Click Here

METHOD – REMCOS RAT

October 2, 2018

A new remote access tool, known as Remcos, has been seen rising in popularity over the last month and has been linked to several recent attacks. Remcos, which sells for €58-389 from the vendor Breaking Security, is a security tool advertised for “ethical hacking” and otherwise legal purposes. Remcos boasts the ability to monitor keystrokes, manage files, take remote screenshots, execute remote commands, and otherwise control an endpoint remotely. Not surprisingly, this tool is being purchased and used by criminals, who are then using the tool for malicious purposes, such as for controlling botnets.

In some recent attacks, spear phishing emails were observed being sent to government contractors, in which the attackers crafted emails posing as various tax agencies or government organizations. The emails contained custom logos; realistic privacy disclosure statements; spoofed sender addresses; and other details to appear as legitimate as possible. Attached to the emails were Microsoft Office files mimicking legitimate tax documents and displaying intentionally blurred image previews. The victims were in fact lured into enabling the macros in order to view the content of the given file. However, once the macros were enabled by the user and the file was reopened, an executable was created through a set of routines from arrays embedded in the Microsoft Office attachment. This executable would then run Remcos silently in the background and provide the attacker with a platform where to observe the user or conduct further malicious activity from.

While spear phishing emails and malicious attachments are nothing new to security professionals, the latest attacks with Remcos are both sophisticated and well executed.The attackers involved with these recent campaigns have been going to great lengths to craft very realistic spear phishing emails that have misled multiple targets. Additionally, some security appliances may not initially detect these malicious attachments due to the fact that the Remcos executable is obfuscated by the use of arrays to store and assemble the source code. And to make matters worse, because the Remcos RAT is sold as ethical hacking software, many endpoint protection vendors do not even include the Remcos file hashes in their malware definitions.

Proficio Threat Intelligence Recommendations:

  • Disable Microsoft Office macros.

  • Conduct spear phishing awareness training sessions with employees.

  • Update security appliances definitions to include Remcos IoCs.
Talos Intelligence - Click Here

TARGET – FACEBOOK DATA BREACH

October 1, 2018

Facebook has returned to the headlines again for issues regarding user privacy and personal information exposure after an alleged attack on their network. The social media giant admitted at least 50 million users may have had their personal information compromised due to the attack, which has been touted as the largest breach in the company’s 14 year history. And if the exposure of user data wasn’t bad enough, the attackers were also able to gain control of user accounts, allowing them to potentially pose as users or view their private information.

The breach has been traced to code vulnerabilities in the “View As” feature that allows users to view their profile as someone else, and code related to uploading birthday videos. Once exploited, these vulnerabilities allowed attackers to steal account access tokens. Some industry experts are also suggesting affiliated services, such as Spotify and Instagram, may have been compromised as a result of this breach. Investigation of the extent of the breach is still underway, and it is unclear whether certain individuals were targeted. Likewise, it is still unknown whether this attack was carried out by nation state actors or a hacker collective. Facebook has confirmed that they are working with law enforcement and that all vulnerabilities have now been patched. They have also forced access token resets for all accounts that were observed using the “View As” feature during the last year, requiring users to manually login to their accounts where they will be greeted with a security notification. Additionally, Facebook has temporarily disabled the “View As” feature while they conduct further security assessments.

The news comes as Facebook is still recovering from the Cambridge Analytica scandal, which lead to a congressional hearing involving Facebook’s senior executives and revealed millions of users had their information collected by third parties for political campaigns. This latest breach has renewed calls for government regulation of social media policies and procedures. As more developments emerge, this story is likely to weigh heavily on the future of social media platforms.

Proficio Threat Intelligence Recommendations:

  • Consider the possible risks of allowing employees access social media at work, and make appropriate guidelines and/or changes to your organization’s AUP.

  • Review the social media accounts your organization uses and develop policies regarding what information can be shared via social media accounts.

  • Individuals should read the FTC’s recommendations for consumers, located here:
    https://www.consumer.ftc.gov/blog/2018/10/facebook-breach-what-do-next
Facebook Security Update Announcement - Click Here

TARGET – British Airways Credit Card Data Breach

September 7, 2018

On September 7th, it was publicly disclosed that 380,000 customer transactions processed by the British Airways website between August 21st to September 5th were compromised by attackers. The information believed to be obtained in the transactions included the name, email address, and credit card information for the transaction including the credit card CVV code.

Details of exactly how the British Airways site was hacked is not publicly available at this time. Because the CVV code was obtained as part of the stolen data, security researchers believe that the hackers may have copied customer data as they inserted it into the British Airways website.

Users affected are currently being notified. British Airways disclosed the breach within 72 hours of when the breach became known as part of new GDPR regulations. For GDPR regulations, if British Airways is found to have not done enough to protect consumer information, it could face a fine of up to 4 percent of annual revenue which is by some estimates around 500,000 pounds.

Proficio Threat Intelligence Recommendations:

  • Validate public facing web services that process payment information are patched.

  • Make sure a continuous monitoring solution around intrusions into websites that process payment information have a continuous monitoring solution in place.
General Info on Breach - Click Here

TARGET – 20,000 USERS FROM AIR CANADA’S MOBILE APP BREACHED

September 1, 2018

Air Canada is requesting a password reset of its entire 1.7 million user base for its mobile app. This was caused from the detection of unusual login behavior between August 22nd to August 24th, leading to suspect that 20,000 user accounts held within the aircraft's mobile app had been compromised.

The information that may have been leaked within the breach possibly included customer's passport number; passport expiration date; passport country of issuance and residence; NEXUS number; Aeroplan account number; and personal details such as gender, date of birth, and nationality. Payment card information was protected and not believed to have been exposed in the breach.

It should be noted that Air Canada was able to detect the suspicious login activity almost immediately, which then led to the discovery of the breach. Proficio Threat Intelligence Recommendations:

  • Log hosted web application activity to enable monitoring and auditing of the app.

  • Have a monitoring solution in place for web application authentication activity.

  • Have a breach notification procedure in place for hosted web applications

  • Users should use secure and complex passwords to protect their accounts
Summary of Details of Breach - Click Here

TARGET – Democratic National Committee Phishing Mix-up

August 23, 2018

On August 22nd, the Democratic National Committee made a press release stating that a cybersecurity service provider had alerted them of a phishing page that was stood up to target their Votebuilder website. The investigation was escalated to the FBI and immediately Russia was suspected due to previous attack activity from 2016.

A day later, the Democratic National Committee came out and stated that the event had been a false alarm and was actually an authorized penetration test being performed against the Michigan Democratic Party.

While some bad press was received regarding the matter, many cybersecurity professionals attempted to give some praise for the DNC gaining the capability to quickly detect and report the attack. Because of the miscommunication between the DNC and Michigan Democratic Party, penetration tests and red team activity will likely be coordinated between the groups in the future.

Proficio Threat Intelligence Recommendations:

  • Validate that any red team or penetration test activity performed is coordinated in some way with subsidiaries and business partners that might be affected.

  • Employ two factor authentication for public facing web services that might be a target for hackers to use in a phishing campaign.

Reporting before discovery of mix-up - Click Here
Reporting after discovery of mix-up - Click Here

VULNERABILITY – New critical vulnerability impacting Apache Struts

August 22, 2018

A new Apache Struts remote code execution vulnerability dubbed CVE-2018-11776 was recently discovered by security researchers. The root cause of the flow was identified in the lack of input validation on the URL passed to the Struts framework affecting all versions of Struts 2.

The criticality of the CVE-2018-11776 resides in the depth of its operational level. As a matter of fact, it affects the Struts code running not only on a single functional area but across all libraries used by the web application framework. Following the discovery, the Apache Software Foundation released the patch and urged all users of Struts 2.3 and Struts 2.5 to upgrade to the latest versions. Shortly after the patch was released on August 22nd, a proof-of-concept was posted on Github with a Python script that eases exploitation.

Proficio Threat Intelligence Recommendations:

  • Users of Apache Struts are urged to update their Struts framework to its latest version. More technical details and guidelines can be found in the advisory released by the Apache Software Foundation, available at: here.
General Information - Click Here

ATTACKER – Dark Tequila banking campaign hits Mexico

August 21, 2018

An active financial malicious campaign dubbed “Dark Tequila” heavily targeting Mexico since at least 2013 has been recently analyzed by the Kaspersky Lab researchers. According to reports, the malware primarily aims at stealing sensitive information, including but not limited to financial data, login credentials to popular websites, domain registers and file storage accounts.

Five operational modules have been identified by the researchers within the multistage payload, spread via spear-phishing or infected USB devices. The supporting infrastructure reportedly proved to be “unusually sophisticated” and the payload activates only if certain specific technical conditions are met. All the stolen data is then encrypted and uploaded to the C2 server.

The campaign was considered to be against Mexican institutions since the malware has a mechanism that will uninstall itself if the system is not in Mexico or the host infected is a "casual" infection. The target list retrieved from the final payload of the malware also contained the names of several Mexican banking institutions and some of the comments in the code were written in Spanish.

Proficio Threat Intelligence Recommendations:

  • Refrain from opening email from unknown senders and insert USB keys of unknown origin.

  • Deploy a SPAM filter that detects malicious attachments

  • Always make sure antivirus, software and operating systems are up-to-date.
General Information - Click Here