Threat Intelligence Posts

Vulnerability: Google Chrome Browser – CVE-2018-6148: Incorrect handling of CSP header

June 7, 2018

On May 23rd, a security researcher reported a vulnerability in the Chrome desktop browser (versions prior to 67.0.3396.79) that allows the Content Security Policy (CSP) header to be mishandled. The CSP header lets website developers add a second layer of security to their sites to prevent possible malicious activity. The vulnerability bypasses the SECURITY_CHECK in Chrome, allowing possible cross-site scripting, clickjacking, and various types of code injection attacks against vulnerable users browsing affected websites.
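As an added example (not code from the original post, and not a demonstration of CVE-2018-6148 itself, whose details were withheld), the following Python audits a CSP header value for the weak settings that would undo that second layer on the server side: inline scripts allowed without a nonce or hash, no frame-ancestors restriction (clickjacking), and plugin content not disabled. The two policies and the cdn.example host are constructed for this example.

```python
"""Audit a Content-Security-Policy header value for weak directives.

Added example, not from the original post: parses a CSP header and flags
settings that weaken the protection the header is meant to provide.
"""
from typing import Dict, List

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expression, ...]}.

    Directives are separated by ';'; the first token is the directive name and
    the remaining tokens are its source expressions.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A repeated directive is ignored by browsers; keep the first one.
        policy.setdefault(name, sources)
    return policy


def audit_csp(header: str) -> List[str]:
    """Return human-readable findings for weak settings in a CSP header."""
    policy = parse_csp(header)
    findings: List[str] = []

    # script-src falls back to default-src when it is not set.
    script_sources = policy.get("script-src", policy.get("default-src"))
    if script_sources is None:
        findings.append("no script-src or default-src: scripts from any origin are allowed")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script_sources)
        if "'unsafe-inline'" in script_sources and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                            "injected inline scripts are not blocked")
        if "'unsafe-eval'" in script_sources:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in script_sources or any(s in ("http:", "https:") for s in script_sources):
            findings.append("script-src allows scripts from any host")

    # frame-ancestors controls who may embed the page; missing means anyone can.
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors directive: page can be framed by any site (clickjacking)")

    # object-src governs plugin content such as Flash; 'none' is the safe value.
    object_sources = policy.get("object-src", policy.get("default-src"))
    if object_sources is None or "'none'" not in object_sources:
        findings.append("object-src is not restricted to 'none'")
    return findings


# Constructed sample policies for this example.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"
STRONG_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                 "object-src 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(label, audit_csp(policy) or ["no findings"])
```

The audit only looks at the policy text; it says nothing about whether a given browser build enforces it correctly, which is exactly what the Chrome bug above undermined, so server-side hardening and client patching are complementary.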

Chrome released a patch on June 05 fixing the vulnerability and raising the version to 67.0.3396.79. Chrome has reserved CVE-2018-6148 for the vulnerability but is restricting details surrounding the bug until the majority of Chrome users have been updated to prevent threat actors from exploiting the vulnerability.

The Proficio Threat Intelligence Recommendations:

  • Update Chrome to the latest version
  • Always make sure to stay up to date on application updates and security patches

TARGET: Two Major Canadian Banks Breached

May 31, 2018

Two Canadian banks claim to have been breached by attackers this week. Simplii Financial, which is owned by CIBC, has claimed that it may have lost personal and account information for over 40,000 bank customers. The Bank of Montreal then followed this news by claiming that it too had been breached and lost up to 50,000 individuals’ personal and account information.

The attackers had tipped off both banks that they possessed the data and threatened to make the information public if they were not paid one million dollars’ worth of cryptocurrency each. Based on the nature of the situation, both banks decided to go public and not give in to the attackers’ demands.

The attackers’ actions are unusual compared to the recent trend of events. Most recent “ransom” attacks have involved gaining control of assets within an organization and then encrypting the contents of those assets using ransomware. In this particular attack, the attackers attempted to blackmail the banks by threatening to release the breached information if the banks did not pay up.

The method by which the banks were breached is unknown at this time. It is suspected that the attackers may have targeted some type of account reset feature on servers that store user account information. They may then have used an application with some type of algorithm that could access bank account numbers and systematically pull user account information.

Proficio Threat Intelligence Recommendations:

  • Ensure the application security of password reset features on relevant applications
  • Enforce strict access controls and monitoring against assets that hold personal user information, especially banking applications that may hold bank account information.

METHOD: HIDDEN COBRA Joanap and Brambul Malware Activity

May 29, 2018

US-CERT has released a technical advisory regarding a RAT (remote access tool) and an SMB (server message block) worm, dubbed Joanap and Brambul respectively. Both are claimed to have been leveraged by the North Korean threat actor HIDDEN COBRA (aka Lazarus) since 2009. HIDDEN COBRA is an alias used to describe global hacking activity performed by a group tied to supporting the North Korean government.

Based on the report findings, HIDDEN COBRA is responsible for using these two types of malware to target victims globally across multiple sectors. The worm appears to leverage relatively old and unsophisticated methods for spreading. Once infected, a system will attempt to brute force remote shares hosted over the SMB protocol using a set of about 150 common passwords such as “123456”, “cookie123” and “dbpassword”.

Analysis of the IoCs (indicators of compromise) provided in the advisory revealed that infrastructure primarily located in Latin America, the Middle East, and Asia Pacific has been compromised with the malware. Command and control for the malware is somewhat unique, in that it gathers details and then attempts to send emails to two known addresses (misswang8107@gmail[.]com and redhat@gmail[.]com) containing the compromised details of the host.

Luckily, most antivirus vendors have good detection rates for this type of malware, since it is older and well known and attempts to spread using relatively simple passwords. The risk for most corporate environments regarding this threat is relatively low.
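The spreading behaviour described above leaves a recognisable trace on the targeted host: a burst of failed network logons from one source, sometimes followed by a success once a weak password matches. The following Python is an added example (not from the US-CERT advisory or this post) that runs that detection logic over a constructed, simplified one-line-per-event log; the field layout, the 5-failures-in-60-seconds threshold and the IP addresses are all assumptions for the example.

```python
"""Flag SMB brute-force bursts in Windows logon audit events.

Added example, not from the US-CERT advisory or the post: a worm that tries a
short wordlist against remote shares appears on the target as many failed
network logons (Event ID 4625, Logon Type 3) from one source in a short time,
possibly followed by a successful network logon (Event ID 4624) from the same
source. The log format here is a constructed simplification.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

Event = Tuple[datetime, int, int, str, str]  # (time, event_id, logon_type, source_ip, account)

# Constructed sample: "timestamp event_id logon_type source_ip account"
SAMPLE_EVENTS = """\
2018-05-29T10:00:01 4625 3 10.0.0.45 Administrator
2018-05-29T10:00:02 4625 3 10.0.0.45 Administrator
2018-05-29T10:00:02 4625 3 10.0.0.45 backup
2018-05-29T10:00:03 4625 3 10.0.0.45 admin
2018-05-29T10:00:03 4625 3 10.0.0.45 guest
2018-05-29T10:00:04 4625 3 10.0.0.45 dbuser
2018-05-29T10:00:05 4624 3 10.0.0.45 Administrator
2018-05-29T10:00:09 4625 2 10.0.0.7 alice
2018-05-29T10:05:00 4625 3 10.0.0.99 bob
"""


def parse_events(text: str) -> List[Event]:
    """Parse the simplified log into tuples, sorted by time."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src, account))
    return sorted(events)


def triage(text: str, threshold: int = 5, window_seconds: int = 60) -> Tuple[Dict[str, int], Set[str]]:
    """Return (peak failure count per offending source, sources that later logged on).

    A source is flagged once it accumulates `threshold` failed network logons
    inside a sliding window of `window_seconds`; a later successful network
    logon from a flagged source is the case worth escalating first.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    succeeded: Set[str] = set()
    for ts, event_id, logon_type, src, _account in parse_events(text):
        if logon_type != 3:
            continue  # access to an SMB share is a network logon
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                peaks[src] = max(peaks.get(src, 0), len(q))
        elif event_id == 4624 and src in peaks:
            succeeded.add(src)
    return peaks, succeeded


if __name__ == "__main__":
    peaks, succeeded = triage(SAMPLE_EVENTS)
    for src, count in peaks.items():
        suffix = " and then logged on successfully" if src in succeeded else ""
        print(f"{src}: {count} failed network logons within the window{suffix}")
```

The sliding window keeps memory bounded to the failures still inside the window per source, so the same logic can be fed a live event stream rather than a file.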

Proficio Threat Intelligence Recommendations:

  • Deny SMB from the internet at perimeter firewalls
  • Enforce a password policy that does not allow weak passwords as a means to authenticate to SMB shares inside the LAN

TARGET: Nuance Communications – Lost Revenue and PHI

May 27, 2018

Nuance Communications, a healthcare software company which specializes in speech and imaging, has had a run of bad luck with external and internal incidents in 2017.

Last year the NotPetya malware cost the company $92 million in revenue, mainly from the disruption of transcription services and systems used by healthcare customers. Nuance quickly attempted to restore client functionality, but complete remediation and restoration took over a month. This attack constituted a security incident under the HIPAA Security Rule but not a breach of PHI under the Breach Notification Rule (BNR).

In December 2017, only months after the NotPetya incident, there was an unrelated data breach by a former Nuance employee involving the PHI of 45,000 individuals. The records included healthcare providers’ patient assessments, diagnoses, dates of service and care plans. The attacker stole these records through unauthorized access to a transcription platform.

Nuance stated that it continues to enhance its security protections to prevent further cyberattacks, as these incidents have resulted in negative press and lost potential revenue.

Proficio Threat Intelligence Recommendations:

  • Proper network segmentation to mitigate the spread of malware outbreaks
  • Implement and enforce access controls to prevent unauthorized access
  • Backup critical systems and store them off-network

Target: Coca-Cola Data Breach

May 25, 2018

Things are starting to fizz up! Back in September 2017, a disgruntled former employee of the soda pop conglomerate, Coca-Cola, managed to walk out the door of their global headquarters with an external hard drive containing over 8,000 confidential employee records. Although they would not disclose the specifics of the information stolen, the company did reveal that employee personal information had been compromised.

The crime went unnoticed until law enforcement officials brought it to the company’s attention. It appears that Coca-Cola had no idea that the external drive and personal data were missing until the FBI found the hard drive in the possession of the former employee. Coca-Cola has since notified the affected employees.

Proficio Threat Intelligence Recommendations:

  • Implement additional access controls around sensitive data.
  • Invest in solutions such as a UBA (user behavior analytics) platform to detect insider threat activity.

Attacker: Xenotime and Trisis ICS Attacks

May 24, 2018

Dragos, an information security firm that specializes in industrial control system (ICS) security, reported that the threat actor known as “Xenotime” has expanded its presence in compromising ICS systems beyond the Middle East. In late 2017, FireEye and Dragos reported that a threat actor had released the TRISIS malware, which targeted a Middle East oil company. The attack resulted in a complete shutdown of the oil and gas facility. Forensics revealed that the malware had targeted the safety instrumented system (SIS) component of a Schneider Electric Triconex system present within the facility.

Safety instrumented systems are responsible for taking action in critical situations within industrial control systems. They could be responsible for opening and closing valves or other types of safety mechanisms. Failure of an SIS may result in loss of life or disruption of a facility’s operation. This threat actor is suspected to be state sponsored and was attempting to engineer an attack that could be used to cause physical damage in the event of a political conflict. The new revelation from Dragos indicates that the same party that was targeting the Middle East company has now expanded its presence to multiple regions around the world by targeting multiple types of ICS environments. This is a very alarming issue, since this threat actor is actively attempting intrusions with the intent to cause physical damage to ICS systems that may result in loss of life or major disruption of critical industrial facilities.

Proficio Threat Intelligence Recommendations:

  • Validate an ICS monitoring solution is in place.
  • Develop special focused monitoring use cases around assets within ICS networks.
  • Monitor for vulnerability advisories from your ICS vendors.

Method: VPNFilter Malware responsible for botnet army of 500,000 devices

May 23, 2018

Researchers from Cisco Talos, with the help of numerous threat intelligence partners, have identified at least 500,000 devices worldwide that have been infected with the VPNFilter malware. Large segments of the malware’s code were repurposed from the notorious BlackEnergy malware, which was responsible for massive DDoS attacks targeting Ukrainian infrastructure, resulting in widespread power outages.

The majority of known infected hosts are small office or home network devices, which usually act as the perimeter network device with little to no defense in depth. Many of these devices have publicly known exploits or default credentials that make compromising a device of this type trivial when best practices are not followed.

Known Affected Network Devices:

  • Linksys
  • MikroTik
  • NETGEAR
  • TP-Link
  • QNAP NAS

The capabilities of VPNFilter are numerous, and include unrestricted data collection from an affected device, including banking credential theft, as well as the ability to execute a kill command to render the device unusable. Another area of concern is VPNFilter’s ability to monitor Modbus SCADA protocols, which are commonly used by industrial devices and applications; this recalls the BlackEnergy malware, which rendered many of Ukraine’s power substations inoperable.

Proficio Threat Intelligence Recommendations:

  • Users of SOHO routers and/or NAS devices should ensure default credentials are changed, reset devices to factory defaults, and reboot them in order to remove the non-persistent stage 2 and stage 3 malware.

Vulnerability: Variants 3a and 4 of Side Channel Vulnerabilities

On May 21st, two vulnerabilities (CVE-2018-3640, Variant 3a, Rogue System Register Read; and CVE-2018-3639, Variant 4, Speculative Store Bypass) were publicly disclosed. These vulnerabilities are new variants of the Spectre and Meltdown class of hardware vulnerabilities and use “side-channel attacks” against speculative execution on many CPU architectures. Each of the vulnerabilities, Variants 3a and 4, affects AMD, ARM and Intel CPUs. The effects vary from vendor to vendor. Details are scarce at this time on how an attacker would use these vulnerabilities in practical attacks.

A “side-channel attack” targets the implementation of a computer system rather than the software or algorithm itself. The Spectre and Meltdown class of vulnerabilities use cache side-channel attacks, that is, they monitor the cache within CPUs, to gain access to sensitive information that was previously unavailable through normal access. Variant 3a uses a method of exploitation known as “Rogue System Register Read,” while Variant 4 uses an attack called speculative store bypass. Both vulnerabilities are highly complex and take advantage of various features of “speculative execution” within various CPU architectures. Both, if executed properly, could result in unauthorized access to information within a system’s memory, such as passwords or other sensitive data.
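Since practical exploitation details are scarce, the useful check on the defender's side is whether the operating system reports a mitigation for Variant 4. The following Python is an added example, not from the post: since kernel 4.17 Linux exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/, with spec_store_bypass covering CVE-2018-3639, and the example reads those files when present and otherwise classifies constructed sample strings written in the kernel's own format. The caveat it surfaces is real: a status of "disabled via prctl" (with or without seccomp) means only processes that opt in are protected unless the kernel was booted with spec_store_bypass_disable=on.

```python
"""Report the kernel's mitigation status for Variant 4 (Speculative Store Bypass).

Added example, not from the post: Linux (4.17 and later) reports each
speculative-execution issue under /sys/devices/system/cpu/vulnerabilities/,
where the spec_store_bypass file covers CVE-2018-3639. The sample values below
are constructed in the kernel's format so the logic runs on any host.
"""
import os
from typing import Dict, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> Tuple[str, str]:
    """Map one status string to (state, detail).

    state is 'not_affected', 'mitigated', 'vulnerable' or 'unknown'; detail is
    whatever the kernel printed after the colon (possibly empty).
    """
    head, _, detail = status.strip().partition(":")
    head = head.strip().lower()
    detail = detail.strip()
    if head == "not affected":
        return "not_affected", detail
    if head == "mitigation":
        return "mitigated", detail
    if head == "vulnerable":
        return "vulnerable", detail
    return "unknown", status.strip()


def ssb_is_opt_in(status: str) -> bool:
    """True when SSB is disabled only for processes that opt in via prctl/seccomp.

    In that mode ordinary, unconfined processes still run with speculative
    store bypass enabled unless the kernel was booted with
    spec_store_bypass_disable=on.
    """
    state, detail = classify(status)
    return state == "mitigated" and "prctl" in detail.lower()


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Return {file_name: status} from sysfs, or {} when the directory is absent
    (older kernels, non-Linux hosts)."""
    if not os.path.isdir(directory):
        return {}
    statuses: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry; skip rather than abort the report
    return statuses


def summarize(statuses: Dict[str, str]) -> Dict[str, str]:
    """Collapse raw status strings to their state for reporting."""
    return {name: classify(text)[0] for name, text in statuses.items()}


# Constructed sample in the format the kernel emits.
SAMPLE = {
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE  # fall back to the sample off-Linux
    for name, state in summarize(live).items():
        print(f"{name:20} {state}")
    if ssb_is_opt_in(live.get("spec_store_bypass", "")):
        print("note: SSB mitigation is opt-in; unconfined processes remain exposed")
```

Run on a fleet, the summary is what to trend: a host that reports "Vulnerable" for spec_store_bypass after patching usually lacks the microcode update that the kernel's mitigation depends on.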

The Proficio Threat Intelligence Recommendations:

  • Stay tuned for any type of practical attack carried out in the wild against organizations leveraging these vulnerabilities. Note that these are difficult and complex vulnerabilities to leverage in practical attacks.
  • Apply standard patches and updates to hardware, software, and operating systems that would mitigate the risks of these vulnerabilities.

Vulnerability: Red Hat DHCP Client Script Code Execution – CVE-2018-1111

May 17, 2018

A vulnerability affecting Red Hat DHCP Services was released via Twitter on May 16th. The exploit, tagged as Dynoroot by the research community and cataloged as CVE-2018-1111, allows an attacker to spoof a DHCP response and execute arbitrary commands with root privileges on a vulnerable Red Hat host. The vulnerability was discovered by Felix Wilhelm of Google, who stated the exploit could fit in a Tweet. Approximately six hours later, Barkın Kılıç, a Penetration Tester for Innovera, posted a proof-of-concept of the exploit using Dnsmasq, a lightweight service that can provide DHCP services.

The vulnerable platforms include the following:

  • RHEL 6
  • RHEL 7
  • Red Hat Fedora 28
  • Red Hat Enterprise Virtualization 4.1 (includes vulnerable components)

Proficio Threat Intelligence Recommendations:

  • Patch vulnerable Red Hat Operating Systems ASAP
  • Many IDPS vendors are releasing signatures for this attack (e.g. Palo Alto 40739, “RedHat DHCP Client Script Remote Code Execution Vulnerability”). Put these signatures in block mode if possible, provided no well-known false positives are observed.
  • Make sure monitoring includes visibility of suspicious east / west traffic, especially for DHCP activity to and from RHEL servers.
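Because the attack depends on a spoofed DHCP response reaching a client, the east/west monitoring suggested above reduces to two questions: is a host other than the authorized DHCP server answering clients, and do any response option values contain characters a shell would interpret? The following Python is an added example (not from the post or from Red Hat) that runs both checks over a constructed log of DHCP OFFER/ACK messages; the one-line key=value format, the allowed-server list, the addresses and the metacharacter heuristic are all assumptions made for this example.

```python
"""Spot DHCP responses that should not be on the LAN.

Added example, not from the post or the Red Hat advisory: the defender-side
signal for a spoofed-DHCP-response attack is a DHCP server answering clients
that is not on the authorized list, or response option values carrying shell
metacharacters. The log format is constructed (one response per line).
"""
from typing import Dict, List, Set, Tuple

# Assumed authorized DHCP server(s) for this segment; adjust for your network.
ALLOWED_DHCP_SERVERS: Set[str] = {"10.0.0.1"}

# Characters a shell would interpret if an option value were expanded unquoted.
SHELL_META = set("'\"`$;|&<>(){}")

# Constructed sample of OFFER/ACK messages seen by a sensor on the client VLAN.
SAMPLE_LOG = """\
server=10.0.0.1 client=10.0.0.50 msg=OFFER opt15=corp.example opt252=http://wpad.corp.example/wpad.dat
server=10.0.0.1 client=10.0.0.51 msg=ACK opt15=corp.example
server=10.0.0.77 client=10.0.0.52 msg=OFFER opt15=corp.example
server=10.0.0.77 client=10.0.0.53 msg=ACK opt15=corp.example'x;y
"""


def parse_record(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    record: Dict[str, str] = {}
    for field in line.split():
        key, _, value = field.partition("=")
        record[key] = value
    return record


def audit_dhcp(log: str, allowed: Set[str] = ALLOWED_DHCP_SERVERS) -> List[Tuple[int, str]]:
    """Return (line number, reason) findings for suspicious DHCP responses."""
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("msg") not in ("OFFER", "ACK"):
            continue  # only server-originated responses are of interest here
        server = rec.get("server", "?")
        if server not in allowed:
            findings.append((line_no, f"unauthorized DHCP server {server}"))
        for key, value in rec.items():
            # Option fields are named optNN in this constructed format.
            if key.startswith("opt") and SHELL_META & set(value):
                findings.append((line_no, f"shell metacharacters in option {key} from {server}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_dhcp(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The first check is the durable one: an unauthorized DHCP server on a segment is worth an alert regardless of which client-side bug is in fashion, while the metacharacter heuristic is specific to command-injection style flaws and will miss responses that abuse a client in some other way.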

Method: RIG Exploit Kit – Grobios Malware

May 16, 2018

The use of exploit kits has generally been declining over the past two years; however, in March FireEye observed active development of the RIG EK, which is now capable of delivering a trojan named Grobios.

Victims are first redirected to a compromised domain with an embedded malicious iframe, which then redirects to the RIG EK landing page, which in turn loads a malicious Flash file. When the Flash file is executed, it drops the Grobios trojan onto the host, which subsequently uses various techniques to evade detection and gain persistence.

The techniques used for evasion and persistence include masquerading as legitimate software and detecting VM and malware analysis tools. After detection evasion and persistence are achieved, network communication is established to hardcoded IPs pointing to their respective C&C servers, and the malware awaits further instruction.

Proficio Threat Intelligence Recommendations:

  • Ensure network nodes are fully patched to minimize attack surface