Method: TA 18-086A: Brute Force Attacks / Password Spraying

In March 2018, the Department of Justice indicted nine Iranian nationals for conducting brute force style attacks against organizations in the United States utilizing a technique referred to as “Password Spraying”.

Classic brute force attacks try to authenticate by guessing many passwords for a single user account; today, however, accounts typically lock out after a handful of failed attempts. “Password Spraying” instead tries a small set of easy-to-guess passwords against many user accounts. Because each account sees only one or two failures, the technique stays below the lockout threshold and avoids the red flags raised by repeated failures on a single user.

“Password Spray” attacks target single sign-on (SSO) and cloud-based applications that use federated authentication protocols in an attempt to hide malicious traffic. Federated authentication protocols are used in linking a person’s electronic identity across multiple identity management systems, which will also broaden the attacker’s scope to maximize access to intellectual property during a successful compromise.

Proficio Threat Intelligence Recommendations:

  • Implement strong password standards
  • Enable multi-factor authentication
  • Abstain from clicking non-validated email links
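The spraying pattern described above shows up in authentication logs as one source touching many accounts with only a failure or two each. As an added illustration (not from the advisory or Proficio), the following Python flags that pattern over a constructed log; the log format, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): time, source IP, account, result.
# 203.0.113.7 sprays one guess across six accounts; 198.51.100.9 brute-forces a
# single account (caught by lockout instead); 192.0.2.4 is a user who mistyped.
SAMPLE_LOG = """\
2018-03-26T09:00:01 203.0.113.7 alice FAILED
2018-03-26T09:00:04 203.0.113.7 bob FAILED
2018-03-26T09:00:07 203.0.113.7 carol FAILED
2018-03-26T09:00:10 203.0.113.7 dave FAILED
2018-03-26T09:00:13 203.0.113.7 erin FAILED
2018-03-26T09:00:16 203.0.113.7 frank SUCCESS
2018-03-26T09:01:00 198.51.100.9 admin FAILED
2018-03-26T09:01:02 198.51.100.9 admin FAILED
2018-03-26T09:01:04 198.51.100.9 admin FAILED
2018-03-26T09:05:00 192.0.2.4 alice FAILED
"""

def parse_log(text):
    """Parse the space-separated format into (time, src, user, result) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), src, user, result))
    return rows

def detect_spray(rows, window_minutes=30, min_accounts=5, max_per_account=3):
    """Flag sources that hit many distinct accounts inside one window while each
    account stays under the lockout threshold; report any account that let them in."""
    by_src = defaultdict(list)
    for ts, src, user, result in rows:
        by_src[src].append((ts, user, result))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # chronological, so each start index opens a window
        for i, (start, _, _) in enumerate(attempts):
            per_user, succeeded = defaultdict(int), set()
            for ts, user, result in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
                if result == "SUCCESS":
                    succeeded.add(user)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = {"accounts": sorted(per_user), "succeeded": sorted(succeeded)}
                break
    return flagged
```

The single-account brute force from 198.51.100.9 is deliberately not flagged here; per-account lockout already covers it, and the point of this rule is the low-and-slow spread that lockout misses.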

Alert TA 18-086A – Click Here

Method: Linux Malware – GoScanSSH

During an incident response engagement, researchers at Cisco Talos identified a new malware family, called GoScanSSH, being used to compromise SSH servers exposed to the internet. The malware is written in Go, a programming language created at Google in 2009. The infection method was SSH brute force attacks against public-facing SSH services. Once a host has been infected, it reaches out to domains over Tor2Web as part of its command and control. According to Cisco Talos, the campaign has been ongoing for at least nine months. One unusual feature of the campaign is a built-in component that avoids compromising certain government domains (.mil, .gov, .army, etc.).

Technical analysis of sample malware – http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

Proficio Threat Intelligence Recommendations:

  • Restrict public-facing SSH access to only the parties who need direct access to it.
  • Use strong passwords for any type of SSH authentication open to the internet.
  • Apply tools such as Fail2Ban to mitigate the risk of brute force attacks.

Method: Android Malware – RottenSys

Researchers at Check Point have identified a new type of mobile adware, called RottenSys, that has infected nearly 5 million devices since 2016. The application disguises itself as a “System Wi-Fi Service” on the Android OS and was likely inserted on the devices before they were purchased. The package can participate in advertising activity and can also spy on many applications within the phone. The distributor that initially appears responsible for delivering the phones is Tian Pai, a China-based entity.

Technical analysis of application – https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/

Proficio Threat Intelligence Recommendations:

  • Be cautious of using phones for business purposes that are from the Chinese distributors that are listed in the above article.

Method: Windows Malware – ThreadKit

March 25th – Researchers at Proofpoint have discovered a new exploit kit, called ThreadKit, that allows attackers to craft malicious Office documents that attempt to exploit CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The Word document carries an embedded executable that is decoded once exploitation of the system succeeds. In some instances, after the embedded executable is extracted, a separate decoy document is opened. The decoy documents Proofpoint provided displayed the following text:

“Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience.”

The spam campaigns tracked by Proofpoint that use this exploit kit result in various forms of banking malware being installed on the system.

Technical analysis of campaign – https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

Proficio Threat Intelligence Recommendations:

  • Validate that the proper Microsoft Office patches have been applied by checking the Microsoft Tech Center for advisories around CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.
  • EDR products such as CarbonBlack look for abuse of the various components used in this campaign, such as abnormal use of MSHTA. Validate that your endpoint solution can detect and prevent the activity described in this article.