Archive for November, 2018

Rewterz Threat Advisory – CVE-2018-15442 – Cisco WebEx Meetings Elevation of Privilege Vulnerability

A vulnerability in the update service command of Cisco WebEx Meetings Desktop App can be exploited using a crafted argument to gain system privileges.

 

 

IMPACT:  MEDIUM

 

 

PUBLISH DATE:  28-11-2018

 

 

OVERVIEW

 

 

The update service of Cisco Webex Meetings Desktop App for Windows contains a flaw which can be exploited by an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. The vendor has released updates.

 

 

ANALYSIS

 

 

This is a code injection or OS command injection vulnerability. An attacker could exploit it by invoking the update service command with a crafted argument, allowing arbitrary commands to run with SYSTEM privileges. Although exploitation requires local access, administrators should be aware that in Active Directory deployments the vulnerability could be exploited remotely by leveraging operating system remote management tools.

 

 

To exploit the vulnerability, the ptUpdate.exe binary is copied to a local attacker-controlled folder together with a malicious DLL named wbxtrace.dll placed in the same folder. Privileges are then gained by starting the service with the command line: sc start webexservice install software-update 1 "attacker-controlled-path" (if parameter 1 does not work, 2 should be used).
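As an added example (not code from the advisory or from Cisco), the following Python checks an installed version against the affected ranges in this advisory and flags the update-service invocation described above whenever the supplied path lies outside the vendor install directory; the INSTALL_DIR value, the record format and the sample events are assumptions constructed for illustration.

```python
import re

# Affected ranges from the advisory: Desktop App before 33.6.4;
# Productivity Tools 32.6.0 and later but before 33.0.6.
AFFECTED = {
    "Cisco Webex Meetings Desktop App": (None, "33.6.4"),
    "Cisco Webex Productivity Tools": ("32.6.0", "33.0.6"),
}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def is_affected(product, version):
    """True when the installed version falls inside the advisory's affected range."""
    if product not in AFFECTED:
        return False
    low, high = AFFECTED[product]
    v = parse_version(version)
    return (low is None or parse_version(low) <= v) and v < parse_version(high)

# The invocation from the analysis above: sc start webexservice install
# software-update <1|2> "<path>". Case and quoting vary, so match loosely.
SC_UPDATE = re.compile(
    r"""\bsc(?:\.exe)?\s+start\s+webexservice\s+install\s+software-update\s+[12]\s+["']?([^"']+)["']?""",
    re.IGNORECASE,
)

def update_path_outside_install(cmdline, install_dir):
    """Return the update path when the service is started with a path outside
    install_dir (the pattern in the analysis above), otherwise None."""
    m = SC_UPDATE.search(cmdline)
    if not m:
        return None
    path = m.group(1).strip().replace("/", "\\")
    if path.lower().startswith(install_dir.lower().rstrip("\\") + "\\"):
        return None
    return path

def scan_process_events(events, install_dir):
    """events: records with 'user' and 'cmdline' keys; returns (user, path) per hit."""
    hits = []
    for e in events:
        path = update_path_outside_install(e["cmdline"], install_dir)
        if path:
            hits.append((e["user"], path))
    return hits

# Constructed sample records; INSTALL_DIR is an assumed vendor path, not Cisco's documented one.
INSTALL_DIR = r"C:\Program Files\Webex"
EVENTS = [
    {"user": r"CORP\alice", "cmdline": r'sc start webexservice install software-update 1 "C:\Users\alice\AppData\Local\Temp\upd"'},
    {"user": r"NT AUTHORITY\SYSTEM", "cmdline": r'sc start webexservice install software-update 1 "C:\Program Files\Webex\Update"'},
    {"user": r"CORP\bob", "cmdline": "sc query webexservice"},
]
```

Feed it the command-line field of process-creation events (Sysmon event 1 or Security event 4688 with command-line auditing enabled) rather than service-start events alone, since the path argument is what distinguishes a legitimate update from abuse.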

 

 

PROOF OF CONCEPT

 

Proof of concept exists for this vulnerability. Follow the link to access it.

 

https://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability

 

 

AFFECTED PRODUCTS

 

 

Cisco Webex Meetings Desktop App releases prior to 33.6.4

Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6

(running on a Microsoft Windows end-user system.)

 

 

UPDATES

 

 

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

 

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.


Rewterz Threat Advisory – Recent Malicious IPs, Domains and their Impacts

A list of malicious domains and IPs is given below. The contents were observed carrying out malicious activities during November 16-22, 2018.

 

 

IMPACT:  VARIABLE

 

 

PUBLISH DATE:  27-11-2018

 

 

OVERVIEW

 

 

Listed below are some malicious IPs and domains that are suspected to be involved in malicious activities ranging from social engineering to dropping malware and payloads.

 

 

IMPACT ANALYSIS

 

 

The malicious activities associated with these threat indicators include the following known trojans and malware:

 

PowerShell Empire

Empire is a pure PowerShell post-exploitation agent that implements the ability to run PowerShell agents without needing powershell.exe and contains rapidly deployable post-exploitation modules that evade network detection.

 

Emotet

Emotet is a banking trojan malware program which obtains financial information by injecting computer code into the networking stack of an infected computer, allowing sensitive data to be stolen.

 

Banload

Banload malware variants arrive on systems as files dropped by other malware or as files downloaded unknowingly by users visiting malicious sites.

 

Ursnif

Ursnif is data-stealing malware whose variants include backdoors, spyware and file infectors.

 

Trickbot

TrickBot has become one of the most versatile threats of 2018. It’s distributed through separate distinct malicious spam (malspam) campaigns.

 

Arkei

Arkei is a malware strain specialized in dumping and stealing passwords and wallet private keys.

 

TinyNuke

TinyNuke, also known as Nukebot, is a trojan able to perform man-in-the-browser attacks against modern web browsers. It is promoted through social networks and advertisements containing links to malicious software installers.

 

Alureon

Alureon is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers and other sensitive user data.

 

Trojan Downloader

A Trojan Downloader is a malicious program, typically installed through an exploit delivered via malicious attachments, that downloads and installs further malware onto a victim’s computer.

 

MalDoc

There are powerful malicious document (maldoc) generation techniques that are effective at bypassing anti-virus detection. Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

 

GandCrab

Based on a ransomware-as-a-service model, GandCrab is ransomware that mines cryptocurrencies and shares profits between malware developers and cybercriminals.

 

 

THREAT INDICATORS

 

 


 

 

RECOMMENDATIONS

 

 

  • Consider blocking and alerting on these IP addresses and domains as this reduces the risk of security incidents.
  • Review previously blocked IPs and domains and consider unblocking those that are not included in the fresh report and may no longer be malicious.
  • Note that some of the IP addresses may belong to legitimate organizations.
  • If any traffic is found on either of the Malware Data tabs, then check the source host for signs of infection and report to us.

(An IP address can be associated with multiple domain names for those belonging to a hosting company, and a domain name can be associated with multiple IP addresses that utilize fast flux DNS or cloud hosting.)

 

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.


Rewterz Threat ADVISORY – CVE-2018-19406 & CVE-2018-19407 – Linux Kernel Denial of Service vulnerabilities

Two unpatched vulnerabilities have been found in the Linux kernel. Both are NULL pointer dereference issues that local attackers can use to induce a denial-of-service (DoS) condition.

 

 

IMPACT:  MEDIUM

 

 

PUBLISH DATE:  27-11-2018

 

 

OVERVIEW

 

 

Two vulnerabilities, in kvm_pv_send_ipi in arch/x86/kvm/lapic.c and in vcpu_scan_ioapic in arch/x86/kvm/x86.c, can be exploited by local attackers to cause a denial of service on the target system. The flaws have not yet been patched by the vendor.

 

 

ANALYSIS

 

 

CVE-2018-19406: kvm_pv_send_ipi in arch/x86/kvm/lapic.c in Linux kernel versions 4.19.2 and earlier lets local users cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a state in which the APIC map is uninitialized.

 

The root cause is that the APIC map has not yet been initialized when the test case triggers the pv_send_ipi interface via vmcall, so kvm->arch.apic_map is dereferenced while still NULL. The proposed patch fixes this by checking whether the APIC map is NULL and bailing out immediately if it is.

 

The second flaw, tracked as CVE-2018-19407, is in the Linux kernel function vcpu_scan_ioapic, defined in arch/x86/kvm/x86.c.

 

The flaw is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) fails to initialize correctly.

Using crafted system calls that reach a situation where ioapic is uninitialized, a malicious attacker may launch a Denial of Service attack on the target system.

 

The root cause is that the test case writes the Hyper-V SynIC MSR HV_X64_MSR_SINT6, which triggers the scan-ioapic logic to load SynIC vectors into the EOI exit bitmap. However, the irqchip is not initialized by this simple test case, so the ioapic/apic objects should not be accessed.

 

 

AFFECTED PRODUCTS

 

 

Linux kernel 4.19.2 and earlier versions.

 

 

UPDATES

 

 

Unofficial patches for both flaws have been posted to the Linux Kernel Mailing List (LKML) but have not yet been merged upstream; no official updates or patches have been released by the vendor.

 

 

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.


ADVISORY ON CVE-2013-2094 & CVE-2016-5195 – Linux Crypto-miner trojan and privilege escalation exploits

A new Linux crypto-miner runs as a shell script, exploits privilege escalation vulnerabilities to obtain root, steals the root password and disables antivirus software.

 

 

IMPACT:  MEDIUM

 

 

PUBLISH DATE:  26-11-2018

 

 

OVERVIEW

 

 

It has been identified that a Linux crypto-miner has the ability to steal root passwords and disable the system’s antivirus.

 

The trojan first identifies and kills all rival cryptocurrency-mining malware families, then downloads and starts its own Monero-mining operation. It also installs a rootkit and another strain of malware that can execute DDoS attacks.

 

 

ANALYSIS

 

 

This new malware strain doesn’t have a distinctive name and is being tracked by its generic detection name of Linux.BtcMine.174.

But despite the generic name, the trojan is a little bit more complex than most Linux malware, mainly because of the plethora of malicious features it includes.

 

The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing this script does is to find a folder on disk to which it has write permissions so it can copy itself and later use to download other modules.

 

Once the trojan has a foothold on the system, it uses one of two privilege escalation exploits, CVE-2016-5195 (also known as Dirty COW) or CVE-2013-2094, to obtain root permissions and full access to the OS.

 

 

INDICATORS OF COMPROMISE

 

 

SHA1 file hashes for the trojan’s various components are available on GitHub.

 

https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174

 

 

Here’s further analysis of the Trojan in case system admins want to scan their systems.

https://vms.drweb.com/virus/?i=17645163

 

 

AFFECTED PRODUCTS

 

 

Red Hat Virtualization 4.x

Red Hat Enterprise Linux Desktop 7

Red Hat Enterprise Linux HPC Node 7

Red Hat Enterprise Linux Server 7

Red Hat Enterprise Linux Workstation 7

 

 

UPDATES

 

 

Red Hat Network provides the updated packages via the following links.

http://rhn.redhat.com

https://access.redhat.com/errata/RHSA-2018:3092

 

 

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.


Expected cyber-crime techniques for 2019

SophosLabs has released a threat report covering the expected modes of cyber-attack in 2019.

 

 

Release Date: 26th November 2018

 

 

Cyber attackers are successfully evading detection on Windows computers by abusing legitimate admin tools commonly found on the operating system.

 

This is a pivotal finding of the SophosLabs 2019 Threat Report, which traces how the technique has risen from the fringes of the cybercriminal playbook to become a common feature in a growing number of cyber-attacks for the upcoming year.

 

Known in security parlance as ‘living off the land’ or ‘LoL’ because it avoids the need to download dedicated tools, this attack technique favours PowerShell, a powerful command-line shell that ships by default on all recent Windows computers even though few users have heard of it.

 

Alternatives include Windows Scripting Host (WScript.exe), the Windows Management Instrumentation Command line (WMIC), as well as popular external tools such as PsExec and WinSCP.

 

It’s a simple strategy that makes detection a puzzle. Removing the tools is an option but comes with disadvantages few admins would be happy with, notes the report:

 

“PowerShell is also an integral component of tools that help administrators manage networks of almost any size, and as a result, must be present and must be enabled in order for those admins to be able to do things like, for example, push group policy changes”.

 

Attackers, of course, know this and often feel brazen enough to chain together a sequence of scripting and command interfaces, each running in a different Windows process.

 

 

ATTACK VECTOR

 

 

According to SophosLabs, attacks might start with a malicious JavaScript attachment, in turn invoking wscript.exe, before finally downloading a custom PowerShell script. Defenders face a challenge:

 

“With a wide range of file types that include several “plain text” scripts, chained in no particular order and without any predictability, the challenge becomes how to separate the normal operations of a computer from the anomalous behavior of a machine in the throes of a malware infection”.

 

 

TYPES OF ATTACKS

 

Macro attacks 2.0

 

 

Meanwhile, attackers show no signs of giving up on new variations of Microsoft Office macro attacks, another route to launching exploits without the need for a conventional executable.

 

In recent years, protections such as disabling macros inside documents or using preview mode have blunted this technique.

 

Unfortunately, attackers have developed techniques to persuade people to disable these protections, using macro builder tools that package Office, Flash and other exploits within a document that throws up sophisticated social engineering prompts.

 

Compounding this, cybercriminals have replaced their older stock of software flaws with more dangerous and recent equivalents: SophosLabs’ analysis of malicious documents found that only 3% of exploits inside builders date from years earlier than 2017.

 

With well-used file types now blocked or monitored by endpoint security, the trend is to use more exotic file types to launch attacks, especially apparently innocuous ones that can be called from a Windows shell, such as .cmd (Command File), .cpl (Control Panel), .HTA (Windows Script Host), .LNK (Windows Shortcut) and .PIF (Program Information File).
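As an added example that is not part of the SophosLabs report, the Python below runs two checks over constructed process-creation records: a script host (wscript.exe, cscript.exe, mshta.exe, wmic.exe) spawning PowerShell or cmd, as in the attachment-to-PowerShell chain described under ATTACK VECTOR, and a command line that launches one of the exotic file types listed above from a user-writable directory; the event fields, process names and paths are assumptions modelled loosely on Sysmon event 1.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
# Launchable "exotic" types named in the report; only paths under user-writable dirs are flagged.
EXOTIC = re.compile(r'"?([a-z]:\\[^"]*?\.(?:cmd|cpl|hta|lnk|pif)\b)"?', re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str

def exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid):
    """Image names from the root ancestor down to this process, joined with ' > '."""
    chain, seen = [], set()
    while event is not None and event.pid not in seen:
        seen.add(event.pid)
        chain.append(exe(event.image))
        event = by_pid.get(event.ppid)
    return " > ".join(reversed(chain))

def find_lol_chains(events):
    """Return (rule, detail) findings for the two living-off-the-land patterns."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host is the direct parent of PowerShell or cmd.
        if parent and exe(parent.image) in SCRIPT_HOSTS and exe(e.image) in SHELLS:
            findings.append(("script-host-spawns-shell", ancestry(e, by_pid)))
        # Rule 2: the command line references an exotic file type in a user-writable location.
        for m in EXOTIC.finditer(e.cmdline):
            path = m.group(1)
            if any(d in path.lower() for d in USER_WRITABLE):
                findings.append(("exotic-filetype-from-user-dir", path))
    return findings

# Constructed sample events (pid, ppid, image, command line); ppid 1 means no recorded parent.
EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "outlook.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\bob\AppData\Local\Temp\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\bob\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\bob\Downloads\report.pif"'),
    # An administrator opening PowerShell from Explorer is not flagged by either rule.
    ProcEvent(600, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]
```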

 

 

Lateral Movement of Malware

 

 

The EternalBlue exploit (CVE-2017-0144) has surprisingly become a popular staple for malware writers, despite Microsoft issuing a patch in advance of its first use by WannaCry in May 2017.

 

Cryptominers have been enthusiastic users of EternalBlue, using it to move laterally through networks to infect as many machines as possible.

 

Attackers combining these innovations (Windows LoL tools, macro attacks, novel exploits and crypto-mining) represent a challenge because they often confound the assumptions of defenders.

 

Their uptake of these more complex and esoteric approaches has been driven, ironically, by the success of the cybersecurity industry at curbing traditional malware.

 

Concludes Sophos CTO, Joe Levy:

“We expect we’ll eventually be left with fewer, but smarter and stronger, adversaries”.

Source:

Cybercriminal techniques – SophosLabs 2019 Threat Report


Rewterz Threat Advisory – FASTCASH ATM CYBER ESPIONAGE INTRODUCES A NEW AIX TROJAN

A new trojan has been discovered in the ongoing FASTCash cyber espionage campaign funded by the North Korean government.

 

 

Release Date: November 20th, 2018

 

 

INCIDENT

 

 

The Lazarus hacker group, funded by the North Korean government, preys on the financial sector, targeting major banks in Africa and Asia. It first breaches the target bank’s network and compromises the switch application server that handles ATM transactions. Also known as Hidden Cobra, the Lazarus group is associated with the ongoing FASTCash campaign, which has stolen tens of millions of dollars in multiple ATM attacks across continents.

 

 

In 2017 alone, Lazarus targeted ATMs in more than 30 countries, and in 2018 it compromised banks in 23 countries simultaneously. Recently, a new trojan has been found in use in the FASTCash campaigns.

 

 

ATTACK VECTOR

 

 

The initial attack vector used by Lazarus has not been confirmed. However, traces have been found of malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”

 

 

It appears that the Hidden Cobra attackers initially used Windows-based malware to explore a bank’s network and identify the payment switch application server. Researchers found that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) versions past the end of their service pack support dates. AIX is therefore a possible exploitation vector; however, no evidence has been found that proves exploitation of the AIX operating system itself in these attacks.

 

 

Although each known incident has a different malware associated with it, a detailed analysis of malware samples gathered through these attacks suggests similarities between malware features and capabilities.

 

 

ROOT CAUSE

 

 

Analysts predict that the attacks were initiated with spear-phishing emails against bank employees, which led to compromise of the bank’s network.

 

 

There are multiple versions of the Fastcash Trojan, each of which appears to have been customized for different transaction processing networks. The samples are associated with legitimate primary account numbers, or PANs – the 14 or 16-digit numerical strings found on bank and credit cards that identify a card issuer and account number.

 

 

ANALYSIS

 

 

The malicious code inserted by Lazarus attackers searched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to balance inquiries made by the switch application server.

In simpler words, the validation requests prior to cash withdrawal did not reach the bank for authentication and verification of the account balance. Instead, the communication was spoofed by the attackers and fake responses were generated that made ATMs dispense cash even from accounts with a zero balance.


Analysts believe that HIDDEN COBRA (Lazarus) actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. These libraries can be exploited by malicious threat actors to help interpret financial request messages and properly construct fraudulent financial response messages.

 

 

Analysts believe HIDDEN COBRA actors blocked transaction messages in order to stop denial/decline messages from leaving the switch and used a GenerateResponse* function to approve the transactions.

 

 

“In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case; a network that handles ATM transactions,” analysts say.

 

 

The malicious executable contains logic to construct fraudulent ISO 8583 messages, which is the international standard for financial transaction messaging. The IBM AIX executable files were designed to conduct code injection and inject a library into a currently running process.
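As an added example, not the FASTCash malware or any vendor code, the Python below builds and parses a minimal ASCII ISO 8583 message (primary bitmap plus six data elements) and flags 0210 withdrawal approvals that the core ledger cannot cover, which is the inconsistency a forged approval of a zero-balance account leaves behind; the field subset, the ledger and the three sample responses are constructed assumptions.

```python
# Minimal ASCII ISO 8583 encoder/decoder (primary bitmap only); constructed example.
FIELDS = {              # data element -> (kind, length)
    2: ("LLVAR", 19),   # primary account number (PAN)
    3: ("FIXED", 6),    # processing code; "01xxxx" = cash withdrawal
    4: ("FIXED", 12),   # amount in minor units
    11: ("FIXED", 6),   # system trace audit number (STAN)
    39: ("FIXED", 2),   # response code; "00" = approved
    41: ("FIXED", 8),   # terminal id
}

def build(mti, fields):
    """MTI + 16-hex-char primary bitmap + data elements in ascending order."""
    bitmap, body = 0, ""
    for de in sorted(fields):
        kind, length = FIELDS[de]
        val = str(fields[de])
        if kind == "LLVAR":
            if len(val) > length:
                raise ValueError("DE%d too long" % de)
            body += "%02d%s" % (len(val), val)
        elif len(val) != length:
            raise ValueError("DE%d must be %d chars" % (de, length))
        else:
            body += val
        bitmap |= 1 << (64 - de)          # bit 1 is the most significant bit
    return "%s%016X%s" % (mti, bitmap, body)

def parse(msg):
    """Inverse of build(); returns (mti, {de: value}). Rejects secondary bitmaps."""
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if bitmap >> 63:
        raise NotImplementedError("secondary bitmap not handled")
    fields = {}
    for de in range(2, 65):
        if not bitmap & (1 << (64 - de)):
            continue
        kind, length = FIELDS[de]         # KeyError: element outside this subset
        if kind == "LLVAR":
            length, pos = int(msg[pos:pos + 2]), pos + 2
        fields[de], pos = msg[pos:pos + length], pos + length
    if pos != len(msg):
        raise ValueError("trailing data after last data element")
    return mti, fields

def flag_uncovered_approvals(responses, ledger):
    """0210 withdrawal approvals whose amount exceeds the core-ledger balance."""
    hits = []
    for raw in responses:
        mti, f = parse(raw)
        if mti != "0210" or f.get(39) != "00" or not f.get(3, "").startswith("01"):
            continue
        pan, amount, balance = f[2], int(f[4]), ledger.get(f[2], 0)
        if balance < amount:
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append((masked, amount, balance))
    return hits

# Constructed sample: ledger balances in minor units and three responses as seen at the switch.
LEDGER = {"4111111111111111": 1250, "5555444433332222": 10000000}
RESPONSES = [
    build("0210", {2: "4111111111111111", 3: "010000", 4: "000000050000", 11: "000123", 39: "00", 41: "ATM00001"}),
    build("0210", {2: "5555444433332222", 3: "010000", 4: "000000020000", 11: "000124", 39: "00", 41: "ATM00001"}),
    build("0210", {2: "4111111111111111", 3: "010000", 4: "000000050000", 11: "000125", 39: "51", 41: "ATM00002"}),
]
```

Running the same reconciliation against the authorization host's own records (rather than the switch's logs) is what exposes a response the switch emitted without the host ever seeing the request.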

 

 

It is believed that the North Korean government funds these attacks to offset international sanctions imposed over its weapons development and testing programs. Apart from Lazarus, another major wave of attacks was launched by APT38, which is also said to be associated with the North Korean government.

 

 

Here’s a detailed coverage of APT38 cyber espionage.

 

 

MITIGATION

 

 

Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.

 

 

LESSON LEARNED

 

Lazarus has previously earned an international reputation as one of the largest cybercriminal groups targeting the financial sector.

The Sony Pictures Entertainment hack in 2014, the breach of the Bangladesh central bank’s account at the New York Federal Reserve that led to $81 million being stolen, the WannaCry ransomware outbreak in May 2017 and other crypto-mining incidents are also associated with this group.

 

The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.

 


Copyright © Rewterz. All rights reserved.