Archive for July, 2018

Rewterz Threat Advisory – CVE-2018-1336 and CVE-2018-8037 Apache Releases Security Updates for Apache Tomcat

This is an advisory on security updates released by The Apache Software Foundation to address vulnerabilities in Apache Tomcat.

 

IMPACT:  CRITICAL

PUBLISH DATE:  23-07-2018

 

OVERVIEW

The Apache Software Foundation has released updates that patch two vulnerabilities in several Apache Tomcat branches. One can be exploited to cause a denial of service; the other can expose one user's session data to another user, i.e. disclose sensitive information.

 

BACKGROUND INFORMATION

The Apache Software Foundation has announced two vulnerabilities in Apache Tomcat: CVE-2018-1336, a denial of service vulnerability, and CVE-2018-8037, an information disclosure vulnerability. Both were made public on July 22nd, 2018; the releases that fix them are listed below.

 

Taken together, the two vulnerabilities affect Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. The exact range differs per CVE; see the update tables below.

 

WORK FLOW ANALYSIS

CVE-2018-1336 is an Apache Tomcat denial of service vulnerability. Tomcat's UTF-8 decoder was taken from the (now retired) Apache Harmony project, and that decoder mishandles an overflow condition when decoding supplementary characters: a suitably crafted byte sequence makes the decoder loop forever. Because the decoder runs on attacker-supplied input, the infinite loop ties up the thread processing the request and leads to a denial of service (DoS).

 

CVE-2018-8037 is an Apache Tomcat information disclosure vulnerability. A bug in the tracking of connection closures in the NIO and NIO2 connectors can cause the user session of a closed connection to be reused by a new connection, so that one user sees another user's session. The exact trigger was not fully understood at the time of disclosure; according to the reporter, the session mix-up was accompanied by several exceptions occurring in the same time frame.

 

AVAILABLE UPDATES

 

Updates for CVE-2018-8037:

Affected version                       Upgrade to
Apache Tomcat 9.0.0.M9 to 9.0.9        Apache Tomcat 9.0.10 or later
Apache Tomcat 8.5.5 to 8.5.31          Apache Tomcat 8.5.32 or later

 

 

Updates for CVE-2018-1336:

Affected version                       Upgrade to
Apache Tomcat 9.0.0.M9 to 9.0.7        Apache Tomcat 9.0.8 or later
Apache Tomcat 8.5.0 to 8.5.30          Apache Tomcat 8.5.32 or later
Apache Tomcat 8.0.0.RC1 to 8.0.51      Apache Tomcat 8.0.52 or later
Apache Tomcat 7.0.28 to 7.0.86         Apache Tomcat 7.0.90 or later
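Comparing a deployed Tomcat build against the ranges above is error-prone by eye, because milestone and release-candidate builds (9.0.0.M9, 8.0.0.RC1) sort before the final release of the same number. The following Python script is an added example, not code from the advisory or from the Apache Tomcat project: it parses those version strings correctly, encodes the affected ranges exactly as published above, and reads the version from the "Server version: Apache Tomcat/x.y.z" line that Tomcat's own version.sh/version.bat prints. The sample output at the bottom is constructed.

```python
import re

# Tomcat version strings look like "9.0.0.M9", "8.0.0.RC1", "8.5.31" or "7.0.86".
# A milestone (M) or release candidate (RC) of X.Y.Z precedes the final X.Y.Z,
# which a naive string or tuple comparison gets wrong.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")

def parse_version(text):
    """Return a sortable key (major, minor, patch, stage, stage_no).

    stage 0 = milestone (M), 1 = release candidate (RC), 2 = final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, tag, tag_no = m.groups()
    stage = {"M": 0, "RC": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch), stage, int(tag_no or 0))

# Affected ranges as published in the advisory: (lowest, highest) inclusive,
# plus the first fixed release on that branch.
AFFECTED = {
    "CVE-2018-1336": [
        ("9.0.0.M9", "9.0.7", "9.0.8"),
        ("8.5.0", "8.5.30", "8.5.32"),
        ("8.0.0.RC1", "8.0.51", "8.0.52"),
        ("7.0.28", "7.0.86", "7.0.90"),
    ],
    "CVE-2018-8037": [
        ("9.0.0.M9", "9.0.9", "9.0.10"),
        ("8.5.5", "8.5.31", "8.5.32"),
    ],
}

def vulnerable_to(version):
    """Return {cve: first_fixed_version} for every advisory range containing `version`."""
    key = parse_version(version)
    hits = {}
    for cve, ranges in AFFECTED.items():
        for low, high, fixed in ranges:
            if parse_version(low) <= key <= parse_version(high):
                hits[cve] = fixed
    return hits

def check_server_info(output):
    """Extract the version from version.sh / version.bat output and check it.

    Tomcat prints a line such as "Server version: Apache Tomcat/8.5.31".
    Returns (version, {cve: first_fixed_version}).
    """
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    ver = m.group(1)
    return ver, vulnerable_to(ver)

if __name__ == "__main__":
    # Constructed sample; on a real host run $CATALINA_HOME/bin/version.sh and pipe it in.
    sample = "Server version: Apache Tomcat/8.5.31\nServer built:   May 2018\n"
    version, hits = check_server_info(sample)
    for cve, fixed in hits.items():
        print("%s is affected by %s; upgrade to %s or later" % (version, cve, fixed))
```

Run it against the output of `version.sh` on each Tomcat host (or paste the "Server version" line); an empty result means the build is outside both affected ranges. The script only checks the Tomcat version, so it says nothing about vendor-patched distributions that backport fixes without changing the version number.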

 

RESOLVE 

To stay safe from known vulnerabilities, we advise you to update your Tomcat installations each time a new Tomcat patch release is announced.

                       

 

If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.


Rewterz Threat Advisory – Emotet, A Banking Trojan Responsible For Network-Wide Infection

This is an advisory on Emotet, an advanced, modular banking Trojan also serving as a dropper of other banking Trojans.

 

IMPACT:  HIGH

PUBLISH DATE:  20-07-2018

OVERVIEW

Emotet is a highly destructive banking Trojan. Its worm-like features allow it to spread rapidly across a network, which makes infections difficult to contain. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet is polymorphic and can therefore evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services, and it uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual-machine-aware and can generate false indicators if run in a virtual environment.

 

BACKGROUND INFORMATION

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be one of the most expensive and destructive malware families, affecting state, local, tribal, and territorial (SLTT) governments as well as the private and public sectors.

 

WORK FLOW ANALYSIS

Emotet is disseminated through emails containing malicious attachments or links, using branding that is familiar to the recipient.

As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices.

 

 

Initial infection occurs when a user clicks the malicious download link, or opens the PDF or macro-enabled Microsoft Word document, included in the spam email. Once downloaded, Emotet attempts to spread across the local network through its incorporated spreader modules.

 

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

 

  • NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. It can also recover passwords stored in the credentials file of external drives.
  • Outlook scraper scrapes names and email addresses from the victim's Outlook accounts and uses that information to send additional phishing emails from the compromised accounts.
  • WebBrowserPassView is a password recovery tool that steals passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  • Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  • Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component enumerates network resources and either finds writable share drives over Server Message Block (SMB) or tries to brute-force user accounts, including the administrator account.

Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk.

 

Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

 

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.”
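The C2 naming pattern just described (a generated 16-letter domain under .eu) is something a SOC can hunt for in DNS telemetry. The following Python script is an added example and is not part of the original advisory or of any Rewterz tooling. It applies that rule to DNS log lines in a made-up "<timestamp> <client-ip> <query> <qtype>" format (adapt parse_dns_line to your resolver's export), skips allowlisted names, and groups hits by client so the affected hosts can be triaged. The sample records and the domain names in them are constructed.

```python
import re
from collections import defaultdict

# The C2 pattern described above: a registered domain whose second-level label is
# exactly 16 letters under the .eu TLD, e.g. "qkzlhdtwmrpvgsbn.eu" (invented name).
_EMOTET_C2_RE = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z]{16}\.eu$")

def is_emotet_style_domain(name):
    """True if `name` matches the 16-letter .eu pattern (case-insensitive, trailing dot ignored)."""
    return bool(_EMOTET_C2_RE.match(name.rstrip(".").lower()))

def parse_dns_line(line):
    """Parse one constructed log line: '<timestamp> <client-ip> <query> <qtype>'.

    Returns None for blank or malformed lines so a bad record never aborts the scan.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, query, qtype = parts
    return {"ts": ts, "client": client, "query": query.rstrip(".").lower(), "qtype": qtype}

def scan_dns_log(lines, allowlist=()):
    """Return the records whose query matches the C2 pattern, skipping allowlisted domains."""
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec is None or rec["query"] in allowlist:
            continue
        if is_emotet_style_domain(rec["query"]):
            hits.append(rec)
    return hits

def hosts_to_triage(lines, allowlist=()):
    """Map each internal client that resolved a matching domain to the domains it asked for."""
    by_host = defaultdict(set)
    for rec in scan_dns_log(lines, allowlist):
        by_host[rec["client"]].add(rec["query"])
    return {host: sorted(domains) for host, domains in sorted(by_host.items())}

# Constructed sample records (not real telemetry); the 16-letter .eu names are made up.
SAMPLE_DNS_LOG = [
    "2018-07-20T09:12:01Z 10.0.0.15 qkzlhdtwmrpvgsbn.eu A",
    "2018-07-20T09:12:03Z 10.0.0.15 www.example.eu A",
    "2018-07-20T09:12:05Z 10.0.0.22 ABCDEFGHIJKLMNOP.EU. A",
    "2018-07-20T09:12:07Z 10.0.0.15 mail.corp.example.com A",
    "2018-07-20T09:12:09Z 10.0.0.31 abcdefghijklmno1.eu A",
    "malformed line",
]

if __name__ == "__main__":
    for host, domains in hosts_to_triage(SAMPLE_DNS_LOG).items():
        print(host, "->", ", ".join(domains))
```

The rule is deliberately narrow (exactly 16 ASCII letters, .eu only) because that is the only pattern the advisory gives; legitimate 16-letter .eu domains exist, so treat a hit as a lead for host triage rather than as confirmation, and add known-good names to the allowlist as they turn up.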

 

Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

 

Emotet artifacts usually mimic the names of known executables. Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

 

Note: Do not use privileged accounts to log in to compromised systems during remediation, as doing so may speed up the propagation of the infection.

 

 

 



Rewterz Threat Advisory – Cisco Firepower Management Center FTP Security Bypass Vulnerability

This is an advisory on a vulnerability found in Cisco Firepower Management Center. Malicious people can exploit the vulnerability to bypass security restrictions.

 

 

IMPACT:  NORMAL

PUBLISH DATE:  12-07-2018

OVERVIEW

It is reported that the "Block upload with reset" file policy action in Cisco FireSIGHT System Software can be bypassed by an attacker, due to a vulnerability in the detection engine of Cisco FireSIGHT System Software.

 

 

SUMMARY

During internal security testing, a vulnerability was detected that could allow an unauthenticated, remote attacker to bypass a file policy configured to block the transfer of files to an affected system via FTP. The vulnerability exists because the affected software incorrectly handles FTP control connections. An attacker could exploit it by sending a maliciously crafted FTP connection to transfer a file to an affected device. A successful exploit could allow the attacker to bypass a file policy that applies the Block upload with reset action to FTP traffic.

 

 

Affected Products

Cisco Firepower Management Center (formerly Cisco FireSIGHT Management Center). The vulnerability is reported in versions 6.2.2.1, 6.2.3, and 6.3.0.

 

 

RESOLVE

Contact the vendor for details about an update. Cisco bug report CSCvh70130 indicates a fixed status, but fixed versions are not listed for every affected release.

 

 

 


 


Rewterz Threat Advisory – CVE-2018-5007 and CVE-2018-5008 Microsoft Windows Adobe Flash Player Multiple Vulnerabilities

This is an advisory on multiple vulnerabilities reported in the Adobe Flash Player that ships with Microsoft Windows.

IMPACT:  CRITICAL

PUBLISH DATE:  10-07-2018

 

OVERVIEW

Multiple vulnerabilities have been found in the Adobe Flash Player bundled with Microsoft Windows. They can be exploited by malicious actors to obtain potentially sensitive information and to compromise a vulnerable system.

 

AFFECTED PRODUCTS

Microsoft Windows is exposed through the bundled Flash plugin to CVE-2018-5008 (Flash plugin information disclosure vulnerability) and CVE-2018-5007 (Flash plugin arbitrary code execution vulnerability).

 

These were reported by Pedro Sampaio and can be exploited to attack systems running outdated versions of Microsoft Windows.

 

Both vulnerabilities are fixed in Flash plugin version 30.0.0.134. The affected Windows versions are:

  • Microsoft Windows Server 2012
  • Microsoft Windows RT 8.1
  • Microsoft Windows 8.1
  • Microsoft Windows 10
  • Microsoft Windows Server 2016

 

RESOLVE

It is recommended to update your products in use. Updates are available for these products:

 

 Windows 10, x64-based systems: (KB4338832)

  • Adobe Flash Player on Windows 10 Version 1607
  • Adobe Flash Player on Windows 10 Version 1703
  • Adobe Flash Player on Windows 10 Version 1709
  • Adobe Flash Player on Windows 10 Version 1803

Windows 10, 32-bit systems: (KB4338832)

  • Adobe Flash Player on Windows 10
  • Adobe Flash Player on Windows 10 Version 1607
  • Adobe Flash Player on Windows 10 Version 1703
  • Adobe Flash Player on Windows 10 Version 1709
  • Adobe Flash Player on Windows 10 Version 1803

Other Windows versions:

  • Adobe Flash Player on Windows Server 2016 (KB4338832)
  • Adobe Flash Player on Windows RT 8.1 (KB4338832)
  • Adobe Flash Player on Windows 8.1 for x64-based systems (KB4338832)
  • Adobe Flash Player on Windows Server 2012 R2 (KB4338832)
  • Adobe Flash Player on Windows 8.1 for 32-bit systems (KB4338832)
  • Adobe Flash Player on Windows Server 2012 (KB4338832)

                       



Rewterz Threat Advisory – SWIFT-themed Phishing Emails

This is an advisory on SWIFT-themed phishing emails containing a malicious URL that leads to a malicious zip file.

 

IMPACT:  NORMAL

PUBLISH DATE:  10-07-2018

OVERVIEW

A member has reported SWIFT-themed phishing emails containing a URL. Clicking the URL redirects to a malicious zip file named after the date and SWIFT message type (e.g. 10_07_18_MT103_Copy).

 

BACKGROUND INFORMATION

SWIFT-themed emails purport to concern remittances from banks. They may use subjects like "A percentage of your paid tax is being refunded. Please login to check" or "Your refund request expires today. Login here to claim it". The email usually contains a URL leading to a fake SWIFT login page.

 

Phishing emails are malicious emails used by attackers to harvest credentials from a user.

 

Once the user enters credentials on the fake SWIFT login page, the attackers can use those credentials to make unauthorized transfers from the victim's account.

 

WORK FLOW ANALYSIS

Phishing emails are not only used to harvest credentials; they may also drop payloads. In the samples analysed here the link delivers a zip archive containing a Windows executable which, once run, connects to attacker-controlled command and control (C2) servers, giving the attacker a foothold on the victim's machine.

 

The payloads observed in the samples have the following details:

Payload URL: hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip
  VT detection ratio:        3/68
  URLVoid safety reputation: 0/35
  Domain first registered:   Unknown
  Server location:           (BR) Brazil
  ASN:                       AS27715
  ASN owner:                 LocaWeb Ltd

Payload zip: 10_07_18_MT103_Copy.zip
  VT detection ratio: 17/62
  MD5:       03ab4e91c30a55bd13a1a008401e72f7
  SHA1:      3764911740702a30924990b0265c3eac53f1db82
  SHA256:    efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45
  File type: ZIP
  File size: 154.0 KB (157724 bytes)

Analyst Note: MT103 is the SWIFT message type for a single customer credit transfer, i.e. a customer payment, which makes a "copy" of one a plausible lure for finance staff.

Payload: 10_07_18_MT103_Copy.exe
  VT detection ratio: 29/68
  MD5:       4a629ccf87f24ac4720d890b1292da82
  SHA1:      291ff2f443e03ccf0b44ae227110f69a62f68d22
  SHA256:    127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7
  File type: Win32 EXE
  File size: 568.0 KB (581632 bytes)

C2s

newlogs1.hopto[.]org:2730
  VT detection ratio:        2/67
  URLVoid safety reputation: 1/35
  Domain first registered:   Unknown
  Server location:           (CH) Switzerland
  ASN:                       AS48971
  ASN owner:                 DATAWIRE AG

newlogs.ddnsgeek[.]com:2730
  VT detection ratio:        1/67
  URLVoid safety reputation: 1/35
  Domain first registered:   Unknown
  Server location:           (AL) Albania
  ASN:                       AS197706
  ASN owner:                 KemiNet Ltd.

 

THREAT INDICATORS

  • laux-prien[@]t-online[.]de
  • hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip
  • 03ab4e91c30a55bd13a1a008401e72f7
  • 3764911740702a30924990b0265c3eac53f1db82
  • efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45
  • 4a629ccf87f24ac4720d890b1292da82
  • 291ff2f443e03ccf0b44ae227110f69a62f68d22
  • 127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7
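The indicators above are defanged (hxxp, [.] and [@]) so they cannot be clicked by accident, which also means they cannot be pasted straight into a blocklist or a hash lookup. The following Python script is an added example, not part of the original advisory or of any Rewterz tooling: it refangs the list, sorts each indicator into a type (URL, host:port, email, MD5, SHA-1, SHA-256), and uses the hash indicators to sweep a directory for the zip and executable described above. The indicator values are the ones listed on this page; the directory to sweep is a command-line argument.

```python
import hashlib
import os
import re

# Defanged indicators exactly as listed in the advisory above.
RAW_INDICATORS = [
    "laux-prien[@]t-online[.]de",
    "hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip",
    "newlogs1.hopto[.]org:2730",
    "newlogs.ddnsgeek[.]com:2730",
    "03ab4e91c30a55bd13a1a008401e72f7",
    "3764911740702a30924990b0265c3eac53f1db82",
    "efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45",
    "4a629ccf87f24ac4720d890b1292da82",
    "291ff2f443e03ccf0b44ae227110f69a62f68d22",
    "127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7",
]

HASH_TYPES = ("md5", "sha1", "sha256")

def refang(indicator):
    """Undo the usual defanging conventions: hxxp(s) -> http(s), [.] -> ., [@] -> @."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[@]", "@")

def classify(indicator):
    """Return one of: md5, sha1, sha256, url, email, host_port, unknown."""
    s = refang(indicator).lower()
    if re.fullmatch(r"[0-9a-f]{32}", s):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", s):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", s):
        return "sha256"
    if re.fullmatch(r"https?://\S+", s):
        return "url"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", s):
        return "email"
    if re.fullmatch(r"[a-z0-9.-]+:\d{1,5}", s):
        return "host_port"
    return "unknown"

def group_indicators(raw):
    """Refang and bucket indicators by type (hashes lower-cased to match hexdigest output)."""
    groups = {}
    for ind in raw:
        kind = classify(ind)
        value = refang(ind)
        if kind in HASH_TYPES:
            value = value.lower()
        groups.setdefault(kind, []).append(value)
    return groups

def file_digests(path):
    """MD5/SHA-1/SHA-256 of a file, hashed in chunks so large files stay out of memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}

def match_digests(digests, groups):
    """Return the (algorithm, hash) pairs from `digests` that appear in the indicator groups."""
    return [(alg, val) for alg, val in digests.items() if val in groups.get(alg, [])]

def sweep(root, groups):
    """Walk `root` and report every file whose hash matches a listed indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_digests(file_digests(path), groups)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if hits:
                findings.append((path, hits))
    return findings

if __name__ == "__main__":
    import sys
    groups = group_indicators(RAW_INDICATORS)
    print("network blocklist:", groups.get("url", []) + groups.get("host_port", []))
    print("sender to block:", groups.get("email", []))
    for path, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else ".", groups):
        print("MATCH", path, hits)
```

Run it with the directory to sweep as the first argument (for example a user's Downloads folder or a mail-gateway quarantine). A hash match identifies only these exact samples; a rebuilt payload will have different digests, so the network indicators and the sender address remain the more durable part of the list.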

 

RESOLVE

Organizations may consider blocking the threat indicators listed above. Both C2 hostnames are on dynamic DNS services (hopto.org and ddnsgeek.com), so the addresses they resolve to can change; block and alert on the hostnames rather than on the IP addresses observed at analysis time. It is also recommended to conduct training sessions for employees, explaining why they should not click links in, or open files attached to, such phishing emails, and to treat any unsolicited "MT103 copy" as suspicious.

 

 



Rewterz Threat Advisory – Cisco Firepower Management Center URL-Based Access Control Policy Bypass Vulnerability

This is an advisory on a vulnerability found in Cisco Firepower Management Center which can be exploited to bypass a configured URL-based access control policy.

 

IMPACT:  NORMAL

PUBLISH DATE:  12-07-2018

OVERVIEW

An error in the detection engine's handling of TCP packets can be exploited to bypass a configured URL-based access control policy.

 

 

SUMMARY

The vulnerability exists because the affected software incorrectly handles TCP packets that are received out of order when a TCP SYN retransmission is issued. An unauthenticated, remote attacker could exploit this vulnerability by sending a maliciously crafted connection through an affected device; a successful exploit could allow the attacker to reach URLs that the configured access control policy is meant to block.

 

AFFECTED PRODUCTS

Cisco Firepower Management Center Software (formerly Cisco FireSIGHT Management Center) Versions 6.0.0, 6.1.0, 6.2.0, 6.2.1, and 6.2.2.

 

 

RESOLVE

Users of the affected versions listed above are recommended to update their Cisco Firepower Management Center Software to version 6.2.2.3 or 6.2.3.

 

 

 


 


Copyright © Rewterz. All rights reserved.