
Method: SIM Swapping Used to Target Cryptocurrency Entrepreneurs

Police in California arrested a 20-year-old from Boston at Los Angeles International Airport as he was leaving for Europe. The individual, Joel Ortiz, was accused of targeting cryptocurrency entrepreneurs by compromising the two-factor authentication tied to their mobile phone numbers using a method called SIM swapping. His activities are rumored to have netted roughly five million dollars and to have involved around forty hijacked phone numbers.

According to multiple sources, Joel and a group of accomplices are suspected of socially engineering cell phone providers into issuing replacement SIM cards for victims' numbers, which let them move each phone number onto a device of their choice. Once that is in place, the attackers receive the text messages used for two-factor authentication and account resets.

In some instances the attacker took obvious actions that tipped his hand that he had hijacked the number. One victim's daughter received a text message reading "TELL YOUR DAD TO GIVE US BITCOIN."

This group was led by a 20-year-old who was careless both in his dealings with victims and in what he posted on social media about his spending, yet the method itself requires no great sophistication. The same technique could be used by more capable threat actors against organizations that rely on mobile-phone-based two-factor authentication.

Proficio Threat Intelligence Recommendations:

  • For personal and corporate devices, set up the extra protections your cell phone provider offers against SIM swapping (for example, a T-Mobile "care password" or an equivalent account PIN).
  • Assess and secure any two-factor authentication used by the organization that depends on text messages or phone-call verification, and prefer factors that are not tied to a phone number where possible.



TARGET: Valve Game in Marketplace Distributed Cryptocurrency Miner

Valve pulled the game "Abstractism" from the Steam store after several sources on the internet stated the game was suspected of containing a cryptocurrency-mining bot. YouTube user SidAlpha and other bloggers flagged the game for very suspicious behavior: the game package was flagged by antivirus software, the authors encouraged players to leave the game running in the background for extended periods of time, and the game consumed an extraordinary amount of GPU and CPU resources at run time.

Steam is a digital distribution platform owned by the Valve Corporation that allows video game developers to publish to its storefront. In this instance, a group of developers was able to push a bogus game through the platform's publishing pipeline, which for Steam's users is in effect a software supply chain, and use it to perform cryptomining on players' machines.

When the developers of the game were confronted with the findings that the game mines Bitcoin, the developer "Okalu Union" stated "Bitcoin is outdated, we currently use Abstractism to mine only Monero coins." The developer then went on to contradict the prior statement with "Abstractism does not mine any of cryptocurrency. Probably, you are playing on high graphic settings."

Something very important to note is that in this case the developers exploited a lack of controls in the Valve platform's software supply chain to carry out cybercriminal activity. All organizations depend on a variety of software supply chains to deliver legitimate software downloads and updates. The software supply chain will likely remain a target for cybercriminal threat actors, and this trend will likely increase as the threat landscape evolves.

Proficio Threat Intelligence Recommendations:

  • Make sure your organization has an acceptable use policy that bans applications that introduce risk to your organization, such as gaming applications.
  • Keep endpoint security controls such as antivirus and EDR (endpoint detection and response) up to date and validate that they actually work as a preventative control, not just as a reporting tool.
  • Assess whether your organization has MDM (mobile device management) or equivalent endpoint management software, and whether it blocks the installation of unauthorized applications that may introduce risk to the organization.



Method: Latest updates on the RIG Exploit Kit

On May 31st, Trend Micro posted a technical analysis of updates to the RIG Exploit Kit. The updates include delivery of cryptocurrency mining malware as the final payload. RIG has recently been observed exploiting CVE-2018-8174, a vulnerability in the Windows VBScript Engine that is reachable through Internet Explorer and through Microsoft Office documents on systems running Windows 7 and later. Previously, RIG was observed delivering GandCrab ransomware and Panda Banker as its payload, so distributing mining malware is a new trend for the actors that run RIG. The distribution method is unchanged: RIG uses malvertisements containing a hidden iframe that redirects victims to RIG's landing page, where the second stage of the attack is retrieved and used to download a Monero miner.
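Since the delivery chain starts with a hidden iframe injected into an advertisement, a simple static check for iframes that are sized or styled to be invisible is a useful triage step for ad creatives or captured landing pages. The following is an added example, not code from the Trend Micro analysis or from the RIG actors; the heuristics (zero/one-pixel dimensions, display:none, visibility:hidden, an element pushed far off-screen, or a bare hidden attribute) and the sample HTML are assumptions constructed for illustration.

```python
"""Flag hidden iframes of the kind exploit-kit malvertising uses to redirect
a browser to a landing page.  Added example; heuristics are assumptions."""
import re
from html.parser import HTMLParser

# CSS that makes an element invisible or pushes it far off-screen.
SUSPICIOUS_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True if a width/height attribute resolves to 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe that looks deliberately hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if SUSPICIOUS_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if a.get("hidden") is not None:  # bare `hidden` attribute
            reasons.append("hidden attribute")
        if reasons:
            self.hits.append((a.get("src", ""), ", ".join(reasons)))


def find_hidden_iframes(html):
    """Parse an HTML document and return the suspicious iframes found in it."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hits


# Constructed sample: a normal video embed plus two malvertising-style iframes.
SAMPLE_AD_HTML = """
<html><body>
<div class="ad"><img src="https://ads.example.invalid/banner.png"></div>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/?q=1" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://landing.example.invalid/?q=2" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_AD_HTML):
        print(f"suspicious iframe -> {src} ({why})")
```

Only the two hidden frames are reported; the visible 640x360 embed passes. In practice this is a first filter: a legitimate ad network also uses small tracking frames, so the hits should be joined with the destination domain's reputation before anyone acts on them.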

Proficio Threat Intelligence Recommendations:

  • Note the trend of cybercriminal threat actors moving away from distributing banking trojans and ransomware and instead distributing cryptocurrency mining malware.
  • Be aware of indicators of cryptocurrency mining malware on systems such as increased CPU utilization and slow performance of the operating system.


TARGET: Two Major Canadian Banks Breached

Two Canadian banks reported being breached by attackers this week. Simplii Financial, which is owned by CIBC, stated that it may have lost personal and account information for over 40,000 customers. The Bank of Montreal followed by announcing that it too had been breached and had lost up to 50,000 individuals' personal and account information.

The attackers themselves notified both banks that they possessed the data and threatened to release it publicly if they were not each paid one million dollars' worth of cryptocurrency. Given the situation, both banks decided to go public rather than give in to the attackers' demands.

The attackers' actions are unusual compared with the recent pattern of extortion. Most recent "ransom" attacks have involved gaining control of assets within an organization and then encrypting their contents with ransomware. In this attack, the attackers instead attempted to blackmail the banks by threatening to release the stolen information if the banks did not pay.

How the banks were breached is unknown at this time. It is suspected that the attackers may have targeted an account reset feature on servers that store user account information, and then used an automated tool that enumerated valid bank account numbers and systematically pulled the associated user account information.

Proficio Threat Intelligence Recommendations:

  • Ensure the application security of password and account reset features on relevant applications, in particular that they cannot be used as an oracle to confirm account numbers or to pull account details without strong proof of identity.
  • Enforce strict access controls and monitoring on assets that hold personal user information, especially banking applications that may hold bank account information, and alert on unusually high volumes of reset or lookup requests.


Attack: AWS Route 53 Hijack

In late April, a complex attack on core internet infrastructure redirected users of the MyEtherWallet.com website to a phishing site.

The incident has been described as a BGP (Border Gateway Protocol) "leak" that allowed the attackers to announce IP address prefixes belonging to Amazon's Route 53 managed DNS service from infrastructure they did not own. By executing this BGP route hijack, the attackers redirected entire swaths of internet traffic meant for Amazon servers to systems under their control, and with it the ability to answer DNS queries for the hijacked entries. Attackers took over $150,000 from the site's users because those users clicked through an HTTPS browser warning stating that the site was using a self-signed TLS certificate.

The hijacked address space included the authoritative DNS servers that MyEtherWallet.com relied on. Because the attackers now answered those queries, they could point the MyEtherWallet.com domain name at an IP address located in Russia, where they hosted a fake version of the MyEtherWallet.com website that logged private keys. Users who signed in on the fake site handed over their credentials, and users who were already signed in would have transmitted login information through cookies. With those credentials, the attackers logged in and stole Ethereum from victims' wallets. DNS was reported hijacked at around 12:00 UTC on April 25th, and the redirects appear to have lasted approximately two hours. The incident highlighted a well-known weakness in core Internet infrastructure: BGP accepts route announcements on trust unless an operator validates them.
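The control that addresses the root cause here is route-origin validation: comparing each announced prefix and origin ASN against a table of authorizations (in RPKI, the ROAs) and rejecting announcements of someone else's address space. The following is an added example of that check, not code from Amazon, MyEtherWallet or the original post. The prefixes, AS numbers and announcements are constructed for illustration and are not the real Route 53 ranges or ASNs; the classification rules (covered, matched, invalid, not-found) follow the usual origin-validation logic.

```python
"""Route-origin validation of BGP announcements against a ROA table.
Added example with constructed data; not the real Route 53 prefixes or ASNs."""
import ipaddress

# Constructed ROA table: (prefix, max_length, authorized origin ASN).
# max_length bounds how specific an announcement covered by the ROA may be.
ROAS = [
    ("203.0.113.0/24", 24, 64500),   # hypothetical DNS provider space
    ("198.51.100.0/22", 24, 64500),  # AS64500 may announce /22 down to /24
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin) pair.

    A ROA *covers* an announcement when the announced prefix lies inside the
    ROA prefix.  It *matches* when, in addition, the announced length is at
    most max_length and the origin ASN is the authorized one.  Any match is
    valid; covered but never matched is invalid (hijack or misconfiguration);
    no covering ROA at all is not-found.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def audit(announcements, roas=ROAS):
    """Classify a batch of (prefix, origin_asn) announcements and return
    those that are not valid, with their verdict, for dropping or alerting."""
    findings = []
    for prefix, asn in announcements:
        verdict = validate_origin(prefix, asn, roas)
        if verdict != "valid":
            findings.append((prefix, asn, verdict))
    return findings


# Constructed announcements: the legitimate owner, an attacker re-originating
# the owner's exact prefix (the pattern in the Route 53 incident), a legitimate
# more-specific, an over-specific leak, and a prefix nobody has authorized.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # valid
    ("203.0.113.0/24", 64666),   # invalid: wrong origin for Amazon-style space
    ("198.51.100.0/24", 64500),  # valid: within max_length
    ("198.51.100.0/25", 64500),  # invalid: more specific than max_length
    ("192.0.2.0/24", 64500),     # not-found: no ROA covers it
]

if __name__ == "__main__":
    for prefix, asn, verdict in audit(SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:<18} AS{asn:<6} {verdict}")
```

The second announcement is the shape of the MyEtherWallet hijack: a prefix the owner has registered, originated by an AS that is not authorized for it. A router running origin validation drops or deprioritizes such routes; most of the networks that accepted the hijacked Route 53 routes were not validating at the time, which is why the attack propagated.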

Proficio Threat Intelligence Recommendations:

  • Do not enter credentials, private keys or other personal information into sites presenting self-signed TLS certificates, and treat a certificate warning on a site you use regularly as a sign of compromise rather than a glitch.
  • Block traffic from IP addresses geo-located in Russia, noting that this is a coarse control: it would have blocked this particular phishing host, but attackers can host anywhere, so it does not substitute for the certificate check above.


Method: MassMiner Worm Malware

Cryptocurrency mining malware has been on the rise in 2018. One especially nasty variant leverages multiple exploits and hacking tools to spread. The MassMiner worm is a type of mining malware that has been observed propagating across local networks to high-value targets with greater mining potential, such as Microsoft SQL Server hosts.

Infected hosts attempt to spread the worm by first using the Masscan tool to enumerate potential victims and then running a variety of exploits, including the infamous EternalBlue SMB exploit (CVE-2017-0143, MS17-010), the Apache Struts exploit (CVE-2017-5638) and the Oracle WebLogic Server exploit (CVE-2017-10271). MassMiner will also brute-force Microsoft SQL Server logins using SQLck and, once a server is compromised, run scripts to install MassMiner. PowerShell is used in the same manner to download MassMiner onto compromised WebLogic servers, and a Visual Basic script is used to deploy the worm to compromised Apache Struts servers.

MassMiner then disables numerous security features, including antivirus, to ensure persistence and evade detection.

MassMiner tactics include:

  • Copying itself to taskhost.exe and into the Startup folder
  • Making unauthorized ACL changes to grant itself full access to certain files on the system
  • Disabling the Windows Firewall
  • Downloading a config file that points the compromised host at a C&C server for further instructions

Proficio Threat Intelligence Recommendations:

  • Harden high-value assets such as servers by ensuring vulnerabilities are patched with the latest stable updates; every exploit listed above targets a vulnerability with a vendor patch available since 2017, and strong, non-reused SQL Server passwords defeat the brute-force path.



Method: PyRoMine Malware

In early April, Fortinet's FortiGuard Labs discovered a cryptocurrency mining malware, named PyRoMine, that leverages EternalRomance, a remote code execution exploit. EternalRomance was among the tools in the "treasure trove" of NSA exploits leaked last year by the ShadowBrokers.

The malware comes as a standalone executable that, when run, executes as a background process, silently consuming CPU resources without the victim's knowledge. Its end goal is to mine Monero for profit.

PyRoMine creates a hidden account named "Default" on the victim's machine with local administrator privileges, using the password "P@ssw0rdf0rme," and enables Remote Desktop Protocol, which could be used later for re-infection or further attacks.

The EternalRomance exploit targets SMBv1 on Windows XP/Vista/7/8.1/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft had already patched these vulnerabilities in MS17-010 in March 2017, a month before the tools were made public. However, individuals and enterprises alike have been slow to apply the patch and can still be affected by this malware.
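The post-exploitation tactics listed for MassMiner above (copying itself to taskhost.exe and the Startup folder, loosening ACLs, disabling the Windows Firewall) and for PyRoMine (adding a hidden administrator account, enabling RDP) all leave distinctive process-creation events, so a handful of command-line rules catch both families regardless of which exploit got them in. The following is an added example of such detection logic, not code from Fortinet, AlienVault or either malware family. The pipe-separated log format, the field layout and every sample line are constructed for illustration; the rule patterns are assumptions based on the behaviours described on this page rather than on the samples' exact command lines.

```python
"""Command-line detection rules for the MassMiner and PyRoMine tactics
described above.  Added example; log format and sample lines are constructed."""
import re

# (rule name, regex applied to the process command line)
RULES = [
    ("firewall_disabled",
     re.compile(r"netsh\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
                r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)", re.I)),
    ("acl_everyone_full",            # cacls X /E /G everyone:F, icacls X /grant everyone:F
     re.compile(r"\bi?cacls\b.*\beveryone:\s*f\b", re.I)),
    ("startup_folder_drop",          # anything written into the Startup folder
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("local_user_added",             # net user <name> <password> /add
     re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_administrators",      # net localgroup administrators <name> /add
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rdp_enabled",                  # fDenyTSConnections set to 0 via reg.exe
     re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.I)),
]

SYSTEM32 = "c:\\windows\\system32\\"


def scan(log_lines):
    """Return (timestamp, host, rule, cmdline) for every rule that fires.

    Each line is `timestamp|host|image_path|command_line`.  Rules are
    independent, so one line can yield several hits.  A taskhost.exe running
    from anywhere but System32 is flagged from the image path alone, since
    MassMiner copies itself under that name.
    """
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ts, host, image, cmdline = line.split("|", 3)
        for name, rx in RULES:
            if rx.search(cmdline):
                hits.append((ts, host, name, cmdline))
        base = image.rsplit("\\", 1)[-1].lower()
        if base == "taskhost.exe" and not image.lower().startswith(SYSTEM32):
            hits.append((ts, host, "taskhost_outside_system32", image))
    return hits


# Constructed sample log: PyRoMine-style account/RDP changes on WEB01,
# MassMiner-style firewall/ACL/Startup/taskhost activity on SQL02, plus two
# benign lines that must not fire.
SAMPLE_LOG = r"""
2018-05-02T10:00:01Z|WEB01|C:\Windows\System32\net.exe|net user Default P@ssw0rdf0rme /add
2018-05-02T10:00:02Z|WEB01|C:\Windows\System32\net.exe|net localgroup Administrators Default /add
2018-05-02T10:00:03Z|WEB01|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2018-05-02T10:05:00Z|SQL02|C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles state off
2018-05-02T10:05:01Z|SQL02|C:\Windows\System32\cacls.exe|cacls C:\Windows\System32\taskhost.exe /E /G everyone:F
2018-05-02T10:05:02Z|SQL02|C:\Windows\System32\cmd.exe|cmd /c copy C:\Users\Public\taskhost.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe"
2018-05-02T10:05:03Z|SQL02|C:\Users\Public\taskhost.exe|taskhost.exe
2018-05-02T10:06:00Z|WEB01|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2018-05-02T10:06:01Z|WEB01|C:\Windows\System32\net.exe|net user
"""

if __name__ == "__main__":
    for ts, host, rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {host} {rule}: {detail}")
```

Seven hits come back for the seven malicious lines and none for the benign `svchost` and bare `net user` lines. The rules key on what the attacker must do rather than on file hashes, so they survive the frequent repacking these miners go through; the trade-off is that administrators legitimately add accounts and adjust firewalls, so in production each hit should be weighted by host role and by how many rules fire on the same host in a short window.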

Proficio Threat Intelligence Recommendations:

  • Disable SMBv1 on Windows hosts and use SMBv2 or later; apply MS17-010 wherever it is still missing.
  • Do not expose Remote Desktop Protocol to the internet, and audit hosts for unexpected local administrator accounts and for RDP being enabled where it was not before.
