Threats of the Week – January 7, 2019

Mirai Malware

Trend Micro noted that the threat, which was first identified in early December, takes advantage of an exploit in the ThinkPHP programming framework. The remote code execution (RCE) vulnerability allows threat actors to infect machines based on the Linux operating system and execute Miori, which then generates a notification on the victim’s console.

Once attackers verify that a system has been infected through their command-and-control (C&C) server, they utilize the Telnet protocol and take advantage of weak or commonly used passwords to conduct brute-force attacks on other IP addresses.

Source: SecurityIntelligence

How do you protect yourself?

Proper security measures must be in place to defend against Mirai malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-16011

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Affected Versions

Product              Track          Affected Versions                     Platform
Acrobat DC           Continuous     2019.010.20064 and earlier versions   Windows and macOS
Acrobat Reader DC    Continuous     2019.010.20064 and earlier versions   Windows and macOS
Acrobat 2017         Classic 2017   2017.011.30110 and earlier versions   Windows and macOS
Acrobat Reader 2017  Classic 2017   2017.011.30110 and earlier versions   Windows and macOS
Acrobat DC           Classic 2015   2015.006.30461 and earlier versions   Windows and macOS
Acrobat Reader DC    Classic 2015   2015.006.30461 and earlier versions   Windows and macOS

Source: Adobe

How do you protect yourself?

Adobe recommends users update their software installations to the latest versions.
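A small inventory check, added here as an example and not Adobe's code, that compares an installed Acrobat or Reader build against the affected-version ceilings listed in the table above. Product and track names are taken from the table; the host names and installed builds in the sample inventory are constructed for the demo.

```python
# Constructed example (not Adobe's code): compare an installed Acrobat/Reader
# build against the "affected versions" rows in the advisory table.
AFFECTED_UP_TO = {
    ("Acrobat DC", "Continuous"): "2019.010.20064",
    ("Acrobat Reader DC", "Continuous"): "2019.010.20064",
    ("Acrobat 2017", "Classic 2017"): "2017.011.30110",
    ("Acrobat Reader 2017", "Classic 2017"): "2017.011.30110",
    ("Acrobat DC", "Classic 2015"): "2015.006.30461",
    ("Acrobat Reader DC", "Classic 2015"): "2015.006.30461",
}


def parse_version(version: str) -> tuple:
    """'2019.010.20064' -> (2019, 10, 20064). Comparing integer tuples avoids the
    classic mistake of comparing version strings, which mis-orders '9' vs '10'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, track: str, installed: str) -> bool:
    """True when the installed build is at or below the last affected build."""
    try:
        ceiling = AFFECTED_UP_TO[(product, track)]
    except KeyError:
        raise KeyError(f"no advisory row for {product!r} on track {track!r}") from None
    return parse_version(installed) <= parse_version(ceiling)


def hosts_needing_update(inventory):
    """inventory rows: (host, product, track, installed_version)."""
    return sorted(host for host, product, track, ver in inventory
                  if is_affected(product, track, ver))


# Constructed inventory rows for the demo (host names and builds are made up)
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "Continuous", "2019.010.20064"),  # last affected build
    ("ws-02", "Acrobat Reader DC", "Continuous", "2019.010.20069"),  # newer than the ceiling
    ("ws-03", "Acrobat 2017", "Classic 2017", "2017.011.30102"),     # older than the ceiling
    ("ws-04", "Acrobat DC", "Classic 2015", "2015.006.30475"),       # newer than the ceiling
]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```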

EternalBlue Exploit

The latest version of NRSMiner has been spotted in recent attacks across Asia that compromise systems which have not been patched against the well-known EternalBlue exploit.

According to cybersecurity researchers from F-Secure, unpatched machines in Asia — centered in Vietnam — are being infected with the latest version of NRSMiner, malware designed to steal computing resources in order to mine for cryptocurrency.

The new version of the malware relies on the EternalBlue exploit to spread through local networks.

EternalBlue is an SMBv1 (Server Message Block 1.0) exploit which is able to trigger remote code execution (RCE) attacks via vulnerable Windows Server Message Block (SMB) file-sharing services. The security flaw responsible for the attack, CVE-2017-0144, was patched by Microsoft in March 2017 and yet many systems have still not been updated and remain vulnerable to attack.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against the EternalBlue exploit and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – December 31, 2018

Siren Bot

Researchers identified a new DoS bot family named Siren that uses 10 different DoS methods to carry out attacks.

The bot is capable of carrying out HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server, according to a Dec. 21 blog post.

Siren is also capable of downloading and executing a payload from the URL given by the C&C server, updating, deleting itself using the cmd process, and uninstalling itself using the same process.

Source: SC Media

How do you protect yourself?

Proper security measures must be in place to defend against the Siren bot and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-7800

Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug that exists within the device that could enable attackers to gain access to the system. Affected are EVLink Parking floor-standing units (v3.2.0-12_v1 and earlier).

Source: ThreatPost

How do you protect yourself?

The vulnerability is fixed in the latest EVlink Charging Station software updates.

JungleSec Ransomware

A ransomware called JungleSec has been infecting victims through unsecured IPMI (Intelligent Platform Management Interface) cards since early November.

When originally reported in early November, victims were seen using Windows, Linux, and Mac, but there was no indication as to how they were being infected. Since then, BleepingComputer has spoken to multiple victims whose Linux servers were infected with the JungleSec Ransomware, and they all stated the same thing: they were infected through unsecured IPMI devices.

IPMI is a management interface built into server motherboards or installed as an add-on card that allows administrators to remotely manage the computer, power it on and off, get system information, and access a KVM that gives remote console access.

This is extremely useful for managing servers, especially when renting servers from another company at a remote colocation center. If the IPMI interface is not properly configured, though, it could allow attackers to remotely connect to and take control of your servers using default credentials.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against JungleSec ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – December 24, 2018

ThreadKit Malware

In a recently released report, Fidelis threat research analysts found that, despite reported arrests, Cobalt Group remains active, using a new version of ThreadKit, a macro delivery framework sold and used by numerous actors and groups. In addition, researchers identified CobInt, a loader and backdoor framework utilized in profiling systems.

The threat group had largely been targeting banks in Eastern Europe using phishing emails with malicious PDF attachments that allowed the group to steal more than $32,000 from multiple ATMs in an overnight attack.

Prior to Interpol reportedly arresting the group’s leader in March 2018, it was estimated that the threat actors had pilfered as much as $1.2 billion from banks across 40 different countries.

Source: Infosecurity Magazine

How do you protect yourself?

Proper security measures must be in place to defend against ThreadKit malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-20299

A recently discovered security vulnerability affects both the Bosch Smart Home 360° indoor and the Eyes outdoor cameras. It potentially allows unauthorized execution of code on the device via the network interface.

The vulnerability can be used to remotely execute code on the device (RCE). This would enable a potential attacker, for example, to bypass access restrictions (e.g. username / password) or to reactivate disabled features (e.g. telnet). A necessary prerequisite for this attack is network access to the web server (HTTP / HTTPS) of the device. Despite its high rating, possible attacks are considered incapable of accessing private keys if they are stored on the devices’ Trusted Platform Module (TPM). An affected camera can be restored to its original state by the factory reset button.

Source: Bosch

How do you protect yourself?

The recommended approach is to update the firmware of all Bosch Smart Home cameras to a fixed version, that is, 6.52.4 or higher. Updated firmware files are available and offered to all customers via the existing update mechanism in the Bosch Smart Home camera app.

Zebrocy Trojan

The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy (a.k.a. APT28, Fancy Bear or Sednit) – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go programming language.

The similarities between the new payload and previous Zebrocy variants start with the fact that the versions share the same command-and-control (C2) URL, according to an analysis from Palo Alto’s Unit 42 group. Beyond that, additional overlaps include the fact that it does initial data collection on the compromised system, exfiltrates this information to the C2 server and attempts to download, install and execute an additional payload from the C2.

Source: Threatpost

How do you protect yourself?

Proper security measures must be in place to defend against Zebrocy Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – December 17, 2018

Shamoon Malware

Two new samples of the Shamoon data-wiping malware have been discovered in the wild, after a period of silence that lasted for about two years.

In a report sent to BleepingComputer, the research team from Chronicle (cybersecurity subsidiary of Google’s parent company, Alphabet Inc.) says that the new strains were uploaded to VirusTotal on December 10, from Italy.

One Shamoon variant that Chronicle is currently investigating has its trigger date and local time set to December 7, 2017, 23:51. The researchers note that this is about one year before it was uploaded to the VirusTotal platform.

However, news emerged this week of a cyber attack against Italian oil services provider Saipem. The incident occurred on Monday and impacted over 300 of the company’s servers located in the Middle East, India, Scotland (Aberdeen), and Italy.

It is possible that one of the samples was uploaded by Saipem while trying to determine the nature of the malware that affected its business.

In a statement on Wednesday, Saipem says that the threat actor used a variant of Shamoon for the attack that “led to the cancellation of data and infrastructures, typical effects of malware.”

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Shamoon malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-15998

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Adobe recommends users update their software installations to the latest versions.

Optimization Android Trojan

Last month researchers downloaded a power management app called “Optimization Android” from an undisclosed third-party app store. What they found was that, instead of optimizing the phone’s battery, it changed the Accessibility settings on the phone, enabled the Android accessibility overlay feature and tried to rob them.

In the case of the rogue app “Optimization Android” the app, when first launched, changed the victim’s Accessibility settings to enable overlays and then closed. The app didn’t even try to optimize the phone’s battery.

Next, the app targeted phones that had the PayPal app installed.

The malware then sends the user a notification telling them to launch the official PayPal app (if it is installed on the compromised device), under the guise that they need to “confirm your account immediately.”

Once the user opens the PayPal app, the malicious accessibility service mimics the user’s clicks using its newfound Accessibility services capabilities to send money to the attacker’s PayPal address.

According to researchers, the malicious Accessibility service is activated every time the PayPal app is launched – meaning the attack could take place multiple times.

Source: Threatpost

How do you protect yourself?

Proper security measures must be in place to defend against the Optimization Android Trojan and similar threats. Make sure you are only downloading verified, official apps from app stores. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware. Avoid clicking unknown links and downloading suspicious attachments.

Threats of the Week – December 10, 2018

Emotet Malware

“Emotet has been terrorizing systems worldwide for much of the year, with heavy campaigns in both Q1 and Q3 of 2018. In July 2018, US-CERT released an alert about Emotet and its capabilities,” wrote Adam Kujawa, director of Malwarebytes Labs.

The malware reportedly borrows the propagation and anti-forensic techniques seen in previous complex nation-state attacks, which means that the unique behaviors and tactics of this newest malware are able to withstand attempts at cleanup.

According to Malwarebytes, Emotet malware was detected and removed more than 1.5 million times between January and September 2018, while its telemetry further revealed the detection and removal of TrickBot within a single industry nearly half a million times in the first nine months of 2018.

Source: Infosecurity Magazine

How do you protect yourself?

Proper security measures must be in place to defend against Emotet malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-15983

Adobe has released security updates for Adobe Flash Player version 31.0.0.153 and earlier versions for Windows, macOS, Linux and Chrome OS. These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in the Adobe Flash Player installer. Successful exploitation could lead to arbitrary code execution and privilege escalation, respectively, in the context of the current user.

Adobe is aware of reports that an exploit for CVE-2018-15982 exists in the wild.

Source: Adobe

How do you protect yourself?

Update your Adobe Flash Player to the latest version.

Danabot Trojan

DanaBot is a Trojan written in the Delphi programming language that includes banking-site web injections and stealer functions, such as collecting detailed system information and taking screenshots of the user’s desktop.

DanaBot began as an email campaign claiming to be from the NSW Roads and Maritime Services. The messages used the subject “Your E-Toll account statement” and contained URLs redirecting to documents hosted on another site, containing a macro that downloaded DanaBot if enabled.

DanaBot is the latest example of malware focused on persistence and stealing useful information that can later be monetised rather than demanding an immediate ransom from victims.

Source: IT Brief

How do you protect yourself?

Proper security measures must be in place to defend against DanaBot and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware. Avoid clicking unknown links and downloading suspicious attachments.

Threats of the Week – December 3, 2018

KingMiner Malware

The malware generally targets Microsoft IIS/SQL servers using brute-force attacks in order to gain the credentials necessary to compromise a server. Once access is granted, a .sct Windows Scriptlet file is downloaded and executed on the victim’s machine.

This script scans and detects the CPU architecture of the machine and downloads a payload tailored for the CPU in use. The payload appears to be a .zip but is actually an XML file which the researchers say will “bypass emulation attempts.”

Once extracted, the malware payload creates a set of new registry keys and executes an XMRig miner file, designed for mining Monero.

The miner is configured to use 75 percent of CPU capacity, but potentially due to coding errors, will actually utilize 100 percent of the CPU.

To make it more difficult to track or issue attribution to the threat actor, the KingMiner’s mining pool has been made private and the API has been turned off. In addition, the wallet has never been used in public mining pools, and so it is not possible for the researchers to know what domains are in use — or how many Monero coins have been mined through the attacks.

The new version of KingMiner is being deployed with two other variants, and the malware’s operators appear to be continually improving the malware — with a particular focus on avoiding emulation and detection.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against KingMiner malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from cryptomining malware.

CVE-2018-18203

A vulnerability in the update mechanism of Subaru StarLink Harman head units 2017, 2018, and 2019 may give an attacker (with physical access to the vehicle’s USB ports) the ability to rewrite the firmware of the head unit. This occurs because the device accepts modified QNX6 filesystem images (as long as the attacker obtains access to certain Harman decryption/encryption code) as a consequence of a bug where unsigned images pass a validity check. An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.

Source: GitHub

How do you protect yourself?

Note from Subaru
Subaru will have updates for head units affected by this flaw in the coming weeks.

Note from Harman
The firmware update process attempted to verify the authenticity of the QNXCNDFS dat files. The procedure in question had a bug in it that caused unsigned images to verify as “valid”, which allowed for unsigned code installation.
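The class of bug Harman describes, an image with no signature passing the validity check, illustrated with a hypothetical verifier added here as an example (this is not Harman's or Subaru's code, and the container layout, the HMAC key and the payload bytes are all constructed for the demo, not the real QNXCNDFS format). The vulnerable verifier is shown beside the corrected one.

```python
import hashlib
import hmac

# Hypothetical image container for this illustration (not the real QNXCNDFS layout):
#   MAGIC || 1 flag byte (0x01 = signed) || [32-byte HMAC-SHA256 tag] || payload
MAGIC = b"DEMOIMG"
TAG_LEN = 32
SIGNING_KEY = b"constructed-demo-key"  # made up; a real updater would hold a vendor key


def sign_image(payload: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Produce a properly signed image."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return MAGIC + b"\x01" + tag + payload


def unsigned_image(payload: bytes) -> bytes:
    """An image that simply carries no signature at all."""
    return MAGIC + b"\x00" + payload


def parse_image(image: bytes):
    """Return (tag_or_None, payload); raises on malformed input."""
    if not image.startswith(MAGIC) or len(image) < len(MAGIC) + 1:
        raise ValueError("not a recognised image")
    signed = image[len(MAGIC)] == 1
    body = image[len(MAGIC) + 1:]
    if not signed:
        return None, body
    if len(body) < TAG_LEN:
        raise ValueError("truncated signature")
    return body[:TAG_LEN], body[TAG_LEN:]


def verify_vulnerable(image: bytes, key: bytes = SIGNING_KEY) -> bool:
    """The bug class: 'no signature present' is treated as 'nothing failed'."""
    tag, payload = parse_image(image)
    if tag is None:
        return True  # BUG: an unsigned image verifies as "valid"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def verify_fixed(image: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Corrected: a signature must be present AND match before the image is accepted."""
    tag, payload = parse_image(image)
    if tag is None:
        return False  # unsigned images are never valid
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    good = sign_image(b"vendor firmware blob")
    rogue = unsigned_image(b"unsigned firmware blob")
    print("signed image   -> vulnerable:", verify_vulnerable(good), " fixed:", verify_fixed(good))
    print("unsigned image -> vulnerable:", verify_vulnerable(rogue), " fixed:", verify_fixed(rogue))
```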

njRAT/BLADABINDI

Researchers last week detected a new, fileless version of the malicious remote access tool njRAT that propagates as a worm via removable drives.

Also known as BLADABINDI or njw0rm, the njRAT acts as a backdoor, capable of cyber espionage, keylogging, distributed denial of service attacks, retrieving and executing files, and stealing credentials from web browsers.

This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation script language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect, Trend Micro threats analyst Carl Maverick R. Pascual reported today in a company blog post.

Source: SC Magazine

How do you protect yourself?

Proper security measures must be in place to defend against njRAT and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware. Avoid clicking unknown links and downloading suspicious attachments.