Posts

METHOD – New OpenSSH backdoors exploiting Linux servers discovered

ESET recently released a report listing 21 in-the-wild OpenSSH malware families reportedly targeting the portable OpenSSH used in Linux OS, out of which 12 appears to have not been documented before.

This report comes as a follow up of the ESET 2014 research “Operation Windigo”, originally focusing on Linux server-side credential stealing malware campaign with the Ebury OpenSSH backdoor at its core. The ESET group then went on to analyze other OpenSSH backdoors that were detected during the operation “Windigo” and mostly unknown to the broader security community. They were able to do so by employing the Windigo Perl script with signatures aimed at 40 different backdoors. In brief, with this script the attackers originally attempted to detect other OpenSSH backdoors before deploying the Ebury, researchers said.

Among the observed malware samples, some were found to present similarities and shared techniques and were all the result of a few critical functions’ modifications. If none of them used complex obfuscating methods, most of them log the passwords supplied by the users and almost all of them exfiltrate the data by copying the credentials to a local file. Additionally, 9 out of 21 of the backdoor families also pushed the data to a C2 server using common network ports such as port 80 (HTTP), 443 (HTTPS) and 1194 (OpenVPN), usually left open on network firewalls. Rare cases also presented data exfiltration by email.

The raw data of the research did not provide information on the infection vector used in the initial compromise. However, they shed some light on how they extended their reach. All backdoors in fact embedded the credential-stealing functionality and could spread exploiting such stolen credentials. Among the more sophisticated samples that were examined, some of the other most interesting features were the ability to receive commands through the SSH password (the Chandrila backdoor); the implementation of a crypto-mining extension (the Bonadan backdoor); and a bot functionality (the Kessel backdoor). The ESET report includes a detailed feature grid for each analyzed OpenSSH backdoor family.

Proficio Threat Intelligence Recommendations:

  • Since brute-force could be used in gaining access through SSH password authentication, consider utilizing long and complex passphrases; enabling key-based authentications; disabling remote root login, and using multi-factor authentication via the PAM (Pluggable Authentication Module).
  • Consider blocking IP addresses attempting brute force attacks by using, for example, the Fail2ban software.
  • Update IDS/IPS to take appropriate actions when triggering on the IOCs listed in the ESET report.

ESET Report – Click Here

METHOD – REMCOS RAT

A new remote access tool, known as Remcos, has been seen rising in popularity over the last month and has been linked to several recent attacks. Remcos, which sells for €58-389 from the vendor Breaking Security, is a security tool advertised for “ethical hacking” and otherwise legal purposes. Remcos boasts the ability to monitor keystrokes, manage files, take remote screenshots, execute remote commands, and otherwise control an endpoint remotely. Not surprisingly, this tool is being purchased and used by criminals, who are then using the tool for malicious purposes, such as for controlling botnets.

In some recent attacks, spear phishing emails were observed being sent to government contractors, in which the attackers crafted emails posing as various tax agencies or government organizations. The emails contained custom logos; realistic privacy disclosure statements; spoofed sender addresses; and other details to appear as legitimate as possible. Attached to the emails were Microsoft Office files mimicking legitimate tax documents and displaying intentionally blurred image previews. The victims were in fact lured into enabling the macros in order to view the content of the given file. However, once the macros were enabled by the user and the file was reopened, an executable was created through a set of routines from arrays embedded in the Microsoft Office attachment. This executable would then run Remcos silently in the background and provide the attacker with a platform where to observe the user or conduct further malicious activity from.

While spear phishing emails and malicious attachments are nothing new to security professionals, the latest attacks with Remcos are both sophisticated and well executed.The attackers involved with these recent campaigns have been going to great lengths to craft very realistic spear phishing emails that have misled multiple targets. Additionally, some security appliances may not initially detect these malicious attachments due to the fact that the Remcos executable is obfuscated by the use of arrays to store and assemble the source code. And to make matters worse, because the Remcos RAT is sold as ethical hacking software, many endpoint protection vendors do not even include the Remcos file hashes in their malware definitions.

Proficio Threat Intelligence Recommendations:

  • Disable Microsoft Office macros.
  • Conduct spear phishing awareness training sessions with employees.
  • Update security appliances definitions to include Remcos IoCs.


Talos Intelligence – Click Here

METHOD – Business Email Compromise Statistics from FBI

Business email compromise (BEC) / email account compromise (EAC) is a scam where a combination of social engineering and computer intrusion techniques are used to obtain a transfer of funds from an organization. Lately, sophisticated / targeted social engineering and compromised email accounts have been used to conduct these attacks. According to the FBI, the scam has been reported in all 50 states in the US and 150 countries. Additionally, between December 2016 and May 2018, there was a 136% increase in identified global exposed losses.

In the report, the FBI mentions the targeting of the real-estate sector as the major increase. Also mentioned in the report was the fact that small, medium, and large sized businesses are being targeted as well.

Since 2015, Proficio has worked with clients that have been targets of various BEC scams. What Proficio has observed is impersonation of executives is common and finance and human resource departments are often targets of the scam.

Although the scams were known, What was not known was the impact of these scams and how profitable the parties performing the attacks could be. According to the FBI report, between October 2013 and May 2018, over 78,000 reported incidents accounted for over $12,000,000,000 in losses.

Because these attacks are now in the billions in losses and attackers will likely have resources and motives in the future to perform these attacks, it is recommended to pay a great deal of attention to these types of attacks in the future.

Proficio Threat Intelligence Recommendations:

  • Place additional checks and balances with procedures for wire transfers performed on behalf of the organization.
  • Deploy additional targeted user training around phishing for key executives and individuals in the finance and human resources department.
  • Report activity to the FBI if a successful BEC happens.

Public Service Annountcment – Click Here

METHOD – The Ramnit Trojan Family Evolution Within the “Black” Botnet Campaign

Researchers at Check Point warned a much larger attack could follow the so-called “Black” botnet campaign. This campaign was uncovered between May-July 2018 and used the Ramnit Trojan to create a network of malicious proxy servers operating as a high-centralized botnet or as independent botnets. To date, over 100,000 computers have been infected, researchers said.

Ramnit was first seen in 2011 as one of the most prominent banking malware with extensive information exfiltration capabilities, which targeted industries and banks in North America and the UK throughout 2015 and 2016. Additional Ramnit’s features also include modules such as FTPServer and WebInjects embedded in the malware package and the capability of backdooring infected machines. According to Check Point, Ramnit recently proved to be in fact merely a first-stage compromise, likely distributed via spam campaigns and employed as a loader for a second infection – the Ngioweb malware.

Originally seen in the second half of 2017, Ngioweb is reported as a multifunctional proxy server using two layers of encryption and supporting back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports. After analyzing the malware functionality, Check Point researchers identified two stages of C2 infrastructure used. Meanwhile STAGE -0 C2 server informs the malware is ready to go over an unencrypted HTTP connection, STAGE -1 C2 server later controls the malware via an encrypted channel. In addition, Ngioweb has a dual operational mode, working as both a regular back-connect proxy and a relay proxy. The first allows to access remote service on behalf of an infected host or internal resources in the local network of an infected host, whereas the latter – most powerful – allows the attackers to build chains of proxies, making their services barely traceable. Concerns are that between the two pieces of malicious code, the operators behind the campaign are attempting to build an extended, multi-purpose proxy botnet possibly used to launch further attacks.

Proficio Threat Intelligence Recommendations:

  • Consider educating users on the best practice for email security, especially if the source looks suspicious. In addition, network administrators should also consider implementing an effective anti-spam strategy within their organization.
  • Assess adding the IOCs provided in the Check Point analysis to preventative endpoint security controls.
  • Ensure endpoint security controls are maintained and up-to-date for a higher detection rates.

General Information – Click Here

METHOD – Law Office Credentials on the Dark Web

CNBC has reported that access to various law firms’ files and networks are being sold on the Dark Web. In one particular example, access to a New York City law firm was being sold for $3,500 and the individual or group offering access stated they could give screenshots as evidence of the break in.

According to Cybersecurity Service Provider Q6, beyond the New York one, law firms across the United States including multiple firms in Beverly Hills have access being advertised for sale on the Dark Web. The information in the specific New York example was identified on a Russian speaking Forum.

The popular credentials that are advertised on this site were mainly IT admin credentials with high privileges. These accounts appeared to go for the most money. Some of the value provided by these credentials is the ability to access multiple users’ email accounts to obtain sensitive information.

The sanitized screenshots provided by CNBC on where the information was being sold detailed a robust web platform that included support, a balance for purchases, and website sections such as “FAQ”, “Invoices” and “Settings.”

Proficio Threat Intelligence Recommendations:

  • Employ additional controls around privileged users within the organization.
  • Assess working with partners to perform dark web sweeps or dark web monitoring.
  • Have a continuous monitoring program in place to detect suspicious access for public facing remote authentication services.

CNBC Article – Click Here

Method: SIM Swapping Used to Target Cryptocurrency Entrepreneurs

Police in California arrested a 20 year old from Boston at Los Angeles International Airport on his way to Europe. The individual, Joel Ortiz, was accused of targeting cryptocurrency entrepreneurs by compromising their two factor authentication hosted on their mobile phone number by a method called SIM swapping. The results of his activities are rumored to have resulted in the theft of five million dollars and forty phone numbers hijacked.

According to multiple sources, it is suspected that Joel along with a group of accomplices were able to socially engineer cell phone providers to send them a replacement SIM card for victims that enabled them to hijack the phone number to a device of their choice. Once this is in place, the attackers are able to receive text messages related to two factor authentications and account resets.

The attacker took some obvious actions in some instances tipping his hand that he had hijacked the device. One of the victim’s daughter got a text message requesting to “TELL YOUR DAD TO GIVE US BITCOIN.”

Seeing that the attacker group was led by a 20 year old that took some careless actions against victims and on his social media regarding his spending habits, it is possible that this method of attack could be used by more sophisticated threat actors against organizations that use two factor authentication with mobile devices.

Proficio Threat Intelligence Recommendations:

  • For personal and corporate devices, take actions with the cell phone provider for an extra layer of security to prevent SIM Swapping (ex: Implement T-Mobile “care password”).
  • Assess and secure any two factor authentication used by the organization around text messages or phone call verification procedures.


General Information – Click Here

METHOD: Scammers Use Breached Personal Data in Phishing Campaigns

Scammers often use a wide spectrum of social engineering methods when persuading potential victims to follow the desired course of action. Recent campaigns are using details gathered in mass breaches such as passwords, email addresses, and other personal information gained from past data compromises. Such example of scams include:

 

1) Personalized Porn Extortion Scam
This campaign involves the sender claiming to have the evidence of the recipient’s porn viewing activities, and then demands payment in exchange of “suppressing” the evidence. It is also observed that the scammer utilises personal information about the recipient beyond just the name, such as a real password the recipient used that was discovered in a data breach dump. Attackers have also been observed claiming to have RDP (remote desktop protocol) access to your computer as a means to watch you while you browse the pornography sites. The scam often demands payment via non-trackable cryptocurrency like Bitcoin and deems this as “privacy fees.” The real user password used in the scam was likely to have been obtained and in one of the mass data breaches that includes email addresses, passwords, and other personal information.

2) Data Breach Lawsuit Case
In this case, the scammer utilizes the victim’s phone number to prove that the victim has sensitive data that was leaked. The scammer poses as an entity that is preparing to sue the company that allegedly leaked the data:

“Your data is compromised. We are preparing a lawsuit against the company that allowed a big data leak. If all our clients win a case, we plan to get a large amount of compensation and all the data and photos that were stolen from the company. For example, we write to your email and include part your number ****** from a large leak.”

The sender’s objective is to solicit additional personal information from the victim under the guise of preparing the lawsuit, possibly requesting the social security number, banking account details, etc.

Proficio Threat Intelligence Recommendations:

  • Enabling spam filters to recognize and prevent emails from suspicious sources to reach the inbox of employees.
  • Do not email or reply the scammers.
  • Paying only highlights being vulnerable and you may be targeted by the scammers again.


General Information on Campaigns – Click Here

Method: Latest updates on the RIG Exploit Kit

On May 31st, Trend Micro posted technical analysis on updates to the RIG Exploit Kit. Updates include the delivery of a cryptocurrency mining malware as its final payload. Recently, it has been observed to exploit CVE-2018-8174, which affects the VBScript Engine accessed by Internet Explorer and Microsoft Office documents on systems running Windows 7 and later. Previously, RIG was observed delivering delivering GandCrab ransomware and Panda Banker as it’s payload. Distributing cryptocurrency mining malware is a new trend from the actors that run RIG. Following the previous methods of distribution, RIG uses malvertisements with a hidden iframe that redirects the victims to RIG’s landing page where the second-stage of the attack is then downloaded, retrieved and used to download a Monero Miner.

The Proficio Threat Intelligence Recommendations:

  • Note the trend of cybercriminal threat actors moving away from distributing banking trojans and ransomware and instead distributing cryptocurrency mining malware.
  • Be aware of indicators of cryptocurrency mining malware on systems such as increased CPU utilization and slow performance of the operating system.

General Info – Click Here

Method: FakeSpy – Android Trojan targeting Japanese and Korean Speaking Users

On June 19th, TrendMicro released technical analysis on FakeSpy malware targeting Korean and Japanese mobile users. FakeSpy has been observed sending mobile text messages with a malicious link message that prompts a malicious Android application package. This application masquerades itself as an app for local consumer financial service companies to Korean users. For Japanese users, it pretends to be an application for transportation, logistics, courier and e-commerce companies. This application is known to monitor for text messages and send these messages back to a C&C server. It has also been observed adding contacts to the devices, resetting the device, setting it to mute, updating configurations and stealing device information.

FakeSpy has also been known to check for banking related applications and replace it with counterfeit versions. These applications will then phish for user’s credentials by informing the users that their application needs to be updated and asks them to input their key. FakeSpy hides and updates their C2 server by making use of social media. The application will access the Twitter Page that the handler maintains and parse its content to retrieve the C2 IP address.

The Proficio Threat Intelligence Recommendations:

  • Considering that FakeSpy is distributed via phishing messages, users can avoid being a victim by practicing good security habits including checking for grammatical errors and avoiding unsolicited messages that contain URL links.

Technical Analysis of Malware – Click Here

METHOD – RANCOR Malware: Southeast Asia

A new malware campaign was observed this month, which appears to be politically driven and targets organizations operating in southeast Asia. The malware was dubbed “RANCOR” by Palo Alto researchers and falls under the Trojan malware classification. Additionally, the malware appears to make use of code from two malware families: DDKONG and PLAINTEE.

The malware has been observed in at least three cases, in which high profile individuals were targeted in spear phishing emails. The email contained malicious attachments in the form of .hta, .xlxs, and .dll file types. When opened, these attachments open decoy PDFs or web pages that claim to be related to political parties from the given country. However, these attachments would also execute scripts in the background in order to complete their installation on the host system.

While this behavior might seem easy to detect at first glance, the closer look reveals the malware writers took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed when certain conditions were met. Additionally, in the case of web pages opening, the websites of legitimate government
organizations and Facebook were compromised in order to bypass security.

Though current findings show only Cambodia and Singapore have been targeted thus far in the RANCOR campaign, a number of other countries located in Asia Pacific could be targeted as well and it is recommended to update security controls to detect the IOCs associated with this attack. One tell tale sign of some RANCOR variants is the rare use of a custom UDP protocol. This protocol may be detected by some heuristic IDPS devices searching for file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows and corresponding to the SHA256 hash below.

IDPS devices can be updated to trigger on the following additional signatures that have been observed:

  • Domain: www.facebook-apps.com
  • IPv4: 89.46.222.97
  • SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
  • SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d

The Proficio Threat Intelligence Recommendations:

  • Ensure security devices are updated to latest stable firmware.
  • Monitor for IOCs related to file type PE32 executable (DLL) (GUI) Intel 80386 for MS Windows.
  • Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.

Source of Analysis – Click Here