Threats of the Week – May 21, 2019

ELECTRICFISH Malware

The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.

Source: National Cybersecurity and Communications Integration Center

How do you protect yourself?

Proper security measures must be in place to defend against ELECTRICFISH Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7841

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Ensure your Adobe software is updated to the latest version.

ScarCruft APT

The ScarCruft Korean-speaking APT is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information – while also showing some overlap with the DarkHotel APT.

An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that in a campaign that continued over the course of 2018, the group used a multi-stage process to update each of its malware modules effectively while also evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft’s go-to initial attack vectors. Once the victim is compromised, the attack installs an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows User Account Control (UAC) in order to execute the next payload, a downloader, with higher privileges. This stage connects with the command-and-control (C2) server to grab the next payload, which is hidden in an image using steganography.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against ScarCruft APT and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – May 13, 2019

Xwo Malware

Xwo, a newly revealed web-service vulnerability-scanning malware discovered by Alien Labs, a subsidiary of AT&T, was named after the dropper that serves as its propagation module, a file named xwo.exe. Unlike typical ransomware, which immediately starts encrypting the user’s files, Xwo behaves more like a monitoring tool. Initial checks show that it plants itself into the system in order to monitor the passwords for certain system services. Once a login credential is entered into the system, it logs the information and sends it to its authors through its command and control server.

Source: The Threat Report

How do you protect yourself?

Proper security measures must be in place to defend against Xwo Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-11561

The Chuango 433 MHz burglar-alarm product line is vulnerable to a Denial of Service attack. When the condition is triggered, the OV2 base station is unable to process sensor states, which effectively prevents the alarm from going off. This has been demonstrated on Chuango-branded products and on non-Chuango-branded products such as the Eminent EM8617 OV2 Wifi Alarm System.

Source: CVE

How do you protect yourself?

Ensure you’re updated with the latest firmware patches when available.

MegaCortex Ransomware

The ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions – a tactic known as “big-game hunting.”

MegaCortex appears to be just as dangerous as the other “big-game hunting” ransomware strains, with hackers quickly escalating their access to a domain controller, from where they try to deploy the ransomware to as many internal workstations as possible.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against MegaCortex Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – May 6, 2019

Shellbot Malware

Shellbot, first written about by Jask in February, now uses an old but reliable SSH brute force technique to break into internet-connected Linux servers with weak passwords to infect a system and mine cryptocurrency.

But now the malware has new capabilities allowing it to spread through a network and shut down other cryptominers on infected computers, allowing the malware to free up more processing power for its own cryptomining operation.

The malware has three components. Although it’s not known exactly how the malware is delivered, the researchers found the dropper script used to install the malicious payload from the malware’s command and control server, an IRC chat server, which the hackers can use to check the status of the malware and remotely run commands. Using a 272-line script, the malware checks to see if any other cryptominers are on the system and installs its own. Then, the cryptominer begins mining Monero, a privacy-focused cryptocurrency, and sends the proceeds back to a MoneroHash server.

Source: TechCrunch

How do you protect yourself?

Proper security measures must be in place to defend against Shellbot Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
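As an added illustration of how a defender would spot the SSH password brute-forcing described above in a Linux server’s auth log, here is example code that is not from the article or the researchers; the log lines are constructed, the OpenSSH “Failed/Accepted password” message format is assumed, and the threshold and window are arbitrary tuning values:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the article): one source fails five guesses in
# a few seconds and then logs in; a normal user mistypes once and then uses a key.
SAMPLE_AUTH_LOG = """\
May  6 03:14:01 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 40122 ssh2
May  6 03:14:03 web1 sshd[2212]: Failed password for root from 203.0.113.9 port 40130 ssh2
May  6 03:14:05 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.9 port 40141 ssh2
May  6 03:14:07 web1 sshd[2216]: Failed password for root from 203.0.113.9 port 40150 ssh2
May  6 03:14:09 web1 sshd[2218]: Failed password for root from 203.0.113.9 port 40162 ssh2
May  6 03:14:12 web1 sshd[2220]: Accepted password for root from 203.0.113.9 port 40170 ssh2
May  6 03:20:44 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51002 ssh2
May  6 03:20:50 web1 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51010 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def detect_ssh_brute_force(log_text, threshold=5, window_seconds=60, year=2019):
    """Return {source_ip: verdict}. 'brute_force' means >= threshold password
    failures inside the sliding window; 'brute_force_success' means a password
    login was then accepted from that source while it was still over the threshold."""
    failures = defaultdict(list)   # ip -> timestamps of recent password failures
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one for date arithmetic
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        # keep only the failures that fall inside the window ending at this line
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if m["result"] == "Failed" and m["method"] == "password":
            recent.append(ts)
            if len(recent) >= threshold:
                verdicts.setdefault(ip, "brute_force")
        elif m["result"] == "Accepted" and m["method"] == "password" and len(recent) >= threshold:
            verdicts[ip] = "brute_force_success"   # a guess worked: treat the host as compromised
        failures[ip] = recent
    return verdicts
```

A "brute_force_success" verdict is the one worth paging on: it is the point at which Shellbot's dropper script would run, so the host should be isolated and its SSH password policy and key-only login settings reviewed.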

CVE-2019-10952

An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems.

Source: NIST

How do you protect yourself?

Ensure you’re updated with the latest firmware patches.

Sodinokibi Ransomware

A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.

The ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.

Once attackers found a vulnerable server, they sent an HTTP POST request to that server. The request contained a PowerShell command, which downloaded a file called “radm.exe.” That then saved the ransomware locally and executed it.

Once downloaded, the ransomware encrypted the victim’s systems and displayed a ransom note directing victims to a page on the Tor network or to a domain (decryptor[.]top) on the public web, which was registered on March 31 this year.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Sodinokibi Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – April 22, 2019

Scranos Malware

A new rootkit-based malware family known as “Scranos” is being used in global cyberattacks as its authors grow their potential target base while adding new components and fixing bugs.

Scranos is a password- and data-stealing operation based around a rootkit driver, which has been digitally signed with a certificate believed to be stolen. When it was first detected, Scranos was localized to the Asian market; specifically, China.

Source: Dark Reading

How do you protect yourself?

Proper security measures must be in place to defend against Scranos Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-10038

Evernote has fixed a vulnerability that could have allowed an attacker to run malicious code on a victim’s computer. The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed. Since the fix went into effect, Evernote now warns users when they click a link that opens a file on their Mac.

Source: TechCrunch

How do you protect yourself?

Update Evernote for Mac to 7.10 Beta 1 or 7.9.1 GA.

RobbinHood Ransomware

A new ransomware is in play called RobbinHood that is targeting entire networks and then encrypting all computers that they can gain access to. They then request a certain amount of bitcoins to decrypt a single computer or a larger amount to decrypt the entire network.

Not much is currently known about this ransomware and a sample for RobbinHood has not currently been found. We have, though, seen the ransom notes and encrypted files of various victims, which allows us to put together a picture of how this ransomware may operate.

Of particular interest is how they stress that the victim’s privacy is important to them and they will not disclose any victims who have paid.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against RobbinHood Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – April 15, 2019

Baldr Malware

A new form of information-stealing malware called Baldr, believed to be the work of experienced hackers, is making the rounds in Russian underground forums.

Information stealers such as Baldr have proven popular in rapid-fire attacks and phishing, given their ability to capture information including machine data, browser history, some stored passwords — depending on how and where they are buried — and valuable files.

Baldr is no different. The malware has “high-level functionality” and, the team says, is by no means a script kiddie effort thrown together for quick cash.

Instead, Baldr is able to gather user profile data including browser information, as well as detecting the existence of cryptocurrency wallets, VPNs, Telegram, and Jabber. The malware then cycles through the files and folders of key PC locations in order to extract information from important file types.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Baldr Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7130

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical and an important vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Update Adobe Flash Player to version 32.0.0.171.

Anubis Android Trojan

An Android application which steals PayPal credentials, encrypts files from the device’s external storage, and locks the screen using a black screen was spotted in the Google Play Store by ESET malware researcher Lukas Stefanko.

Behind the app’s malicious behavior is an Anubis Android banking Trojan malware payload, a well-known Trojan designed to steal banking credentials, provide its masters with a RAT backdoor, and send SMS spam among other things.

Once the Anubis banking Trojan is dropped by a malware downloader on a victim’s compromised device, it starts collecting banking info either with the help of an inbuilt keylogger module or by taking screenshots when the user enters credentials into apps, unlike other banking Trojans, which are known to use overlay screens for the same task.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Anubis Android Trojan and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – April 8, 2019

Xwo Malware

A new form of malware is scanning the internet for exposed web services and default passwords in what’s thought to be a reconnaissance operation – one which might signal a larger cyberattack is to come.

It’s still uncertain how Xwo started spreading or how it gains access to internet-connected machines, but the malware is designed to conduct reconnaissance and send information back to the command and control server through an HTTP POST request.

Xwo collects information about the use of default credentials in services such as FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, as well as default credentials and misconfigurations for Tomcat, an open source implementation of the Java Servlet.

The malware also looks to collect information about default SVN and Git paths, Git repository format version content, PHP admin details and more. It’s highly likely that the bot is conducting surveillance of weak points that can be exploited in more damaging attacks further down the line.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Xwo Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-2027

Android has released its April security bulletin containing details of security vulnerabilities affecting Android devices.

In one of the patches released, the most severe vulnerability could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Source: Android

How do you protect yourself?

Update your devices to the latest Android version.

vxCrypter Ransomware

The vxCrypter Ransomware could be the first ransomware infection that not only encrypts a victim’s data, but also tidies up their computer by deleting duplicate files.

When analyzing the ransomware, researchers noticed that it was keeping track of the SHA256 hash of each file it encrypted. As the ransomware encrypted other files, if it encountered the same SHA256 hash, it would delete the file instead of encrypting it.

It is not known why the ransomware is doing this other than as a possible way to increase the speed of encrypting a computer.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against vxCrypter Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.