Archive for December, 2018

Rewterz Threat Alert – Message Hoaxing emerges in Pakistan via ScareWare Messages

SEVERITY: Medium

CATEGORY: Informative updates

ANALYSIS SUMMARY

An old tactic of scareware messages (message hoaxing) has resurfaced, targeting employees from different sectors. The campaign spreads via emails claiming that the attackers have obtained the passwords of the victims’ social media accounts. The attackers play on fear to extract a Bitcoin payment, threatening consequences that would damage the victim’s reputation. This tactic has been in use for a while in different parts of the world and has now emerged in Pakistan.

Targets fall victim to these emails because of the subject line used, which contains their username and password. The attackers are using real leaked data (i.e. passwords) to blackmail their targets. The emails look like this:

The email contains a Bitcoin address and allows no negotiation, discouraging the victim from taking any risk. Most victims are therefore blackmailed into paying, since the hoax offers no way out.

REMEDIATION

  • Do not respond to this email.
  • Change your password if the one quoted is correct (the sender most likely obtained it from a leak circulating on the dark web).
  • Check your firewall and RDP configuration to see which ports are open to the Internet.
  • Make sure you are running the latest version of your anti-virus software, which blocks malicious software and other threats.
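
The second remediation point depends on knowing whether a quoted password really comes from a leak. The following added example (not part of the Rewterz alert) shows how to check a password against the Pwned Passwords corpus through its k-anonymity range API, which is a real endpoint: only the first five hex characters of the password's SHA-1 leave the machine. The range response embedded in the code is a constructed sample so the script runs offline, and the function names are this example's own.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords k-anonymity API: the client sends only the
# first five hex characters of SHA-1(password) and receives every known suffix
# for that prefix, so the full hash (let alone the password) never leaves the host.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the prefix 5BAA6 (the prefix of
# SHA-1("password")). The suffix/count pairs are made up for this example,
# except that the third suffix really is the remainder of that hash.
# A count of 0 is what padded responses use for filler entries.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7B4F4C2A9A3E8F1B7C5D2E6F0A1B2C3D4E5:0
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}. Entries with count 0 are
    padding (sent when the Add-Padding header is used) and are dropped;
    malformed lines are skipped rather than crashing the check."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password, range_lookup):
    """How often the password appears in the corpus (0 = not found).
    range_lookup maps a 5-char prefix to the raw range response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup against the real API (needs network access)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix):
    """Stand-in for fetch_range that serves the constructed sample offline."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_lookup)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_lookup` for `fetch_range` to query the live service; the prefix-only design means the check is safe to run against a real password.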

Rewterz Threat Advisory – CVE-2018-0732 – F5 Multiple Products OpenSSL Denial of Service Vulnerability

SEVERITY: Medium

CATEGORY: Vulnerability

ANALYSIS SUMMARY

During key agreement in a TLS handshake using a DH(E)-based cipher suite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key for this prime and hangs until it has finished. This can be exploited in a denial-of-service attack.
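
To make the failure mode concrete, here is an added example, not code from the advisory, F5 or OpenSSL, that parses the DHE parameters of a TLS 1.2 ServerKeyExchange and rejects an oversized modulus before any modular exponentiation is attempted. The 10000-bit cap mirrors the OPENSSL_DH_MAX_MODULUS_BITS limit OpenSSL introduced for this CVE; the 2048-bit floor, the function names and the sample values are this example's own assumptions, and the constructed moduli are not real primes since only size and range are checked.

```python
import struct

# Cap on the DH modulus size. OpenSSL's fix for CVE-2018-0732 rejects primes
# above OPENSSL_DH_MAX_MODULUS_BITS (10000 bits) before generating a key;
# the 2048-bit floor below is an assumed local policy, not part of the fix.
MAX_MODULUS_BITS = 10000
MIN_MODULUS_BITS = 2048


class DHParamError(ValueError):
    """Raised when ServerDHParams are malformed or outside policy."""


def _read_opaque16(buf, pos):
    """Read one 'opaque<1..2^16-1>' field: 2-byte big-endian length, then bytes."""
    if pos + 2 > len(buf):
        raise DHParamError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise DHParamError("bad opaque length")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(buf):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys, RFC 5246) into ints; no validation."""
    p, pos = _read_opaque16(buf, 0)
    g, pos = _read_opaque16(buf, pos)
    ys, pos = _read_opaque16(buf, pos)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big")), pos


def encode_server_dh_params(p, g, ys):
    """Inverse of the parser, used here to build test messages."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out


def check_dh_params(p, g, ys, max_bits=MAX_MODULUS_BITS, min_bits=MIN_MODULUS_BITS):
    """Cheap sanity checks that must run BEFORE the client does any modular
    exponentiation with p. Bit-length tests cost nothing, which is the point:
    the vulnerable path did the expensive work first."""
    bits = p.bit_length()
    if bits > max_bits:
        raise DHParamError(f"modulus too large: {bits} bits > {max_bits}")
    if bits < min_bits:
        raise DHParamError(f"modulus too small: {bits} bits < {min_bits}")
    if p % 2 == 0:
        raise DHParamError("modulus is even")
    if not 2 <= g <= p - 2:
        raise DHParamError("generator out of range")
    if not 2 <= ys <= p - 2:
        raise DHParamError("server public value out of range")
    return True


def accept_server_key_exchange(buf):
    """Parse and validate; returns (p, g, ys) or raises before any heavy math."""
    (p, g, ys), _ = parse_server_dh_params(buf)
    check_dh_params(p, g, ys)
    return p, g, ys


def is_acceptable(buf):
    """Bool-returning wrapper around accept_server_key_exchange."""
    try:
        accept_server_key_exchange(buf)
        return True
    except DHParamError:
        return False


# Constructed moduli: right size and odd, but NOT real primes (only size and
# range checks are exercised here).
SANE_P = (1 << 2047) | 1     # 2048 bits
HUGE_P = (1 << 15999) | 1    # 16000 bits, the kind of value that causes the hang

if __name__ == "__main__":
    for label, p in (("2048-bit", SANE_P), ("16000-bit", HUGE_P)):
        msg = encode_server_dh_params(p, 2, 12345)
        print(f"{label} modulus: {'accepted' if is_acceptable(msg) else 'rejected'}")
```

A client that only negotiates well-known groups can tighten this further by comparing p against an allow-list instead of a size window.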

AFFECTED PRODUCTS

  • Traffix SDC 4.4.0
  • Traffix SDC 5.0.0 – 5.1.0
  • F5 iWorkflow 2.1.0 – 2.3.0
  • BIG-IQ Centralized Management 4.6.0
  • BIG-IQ Centralized Management 5.0.0 – 5.4.0
  • BIG-IQ Centralized Management 6.0.0
  • Enterprise Manager 3.1.1
  • BIG-IP (LTM) 11.2.1 – 11.6.3
  • BIG-IP (LTM) 12.1.0 – 12.1.3
  • BIG-IP (LTM) 13.0.0 – 13.1.1
  • BIG-IP (LTM) 14.0.0 – 14.1.0
  • BIG-IP (AAM) 11.2.1 – 11.6.3
  • BIG-IP (AAM) 12.1.0 – 12.1.3
  • BIG-IP (AAM) 13.0.0 – 13.1.1
  • BIG-IP (AAM) 14.0.0 – 14.1.0
  • BIG-IP (AFM) 11.2.1 – 11.6.3
  • BIG-IP (AFM) 12.1.0 – 12.1.3
  • BIG-IP (AFM) 13.0.0 – 13.1.1
  • BIG-IP (AFM) 14.0.0 – 14.1.0
  • BIG-IP (Analytics) 11.2.1 – 11.6.3
  • BIG-IP (Analytics) 12.1.0 – 12.1.3
  • BIG-IP (Analytics) 13.0.0 – 13.1.1
  • BIG-IP (Analytics) 14.0.0 – 14.1.0
  • BIG-IP (APM ) 11.2.1 – 11.6.3
  • BIG-IP (APM ) 12.1.0 – 12.1.3
  • BIG-IP (APM ) 13.0.0 – 13.1.1
  • BIG-IP (APM ) 14.0.0 – 14.1.0
  • BIG-IP (ASM) 11.2.1 – 11.6.3
  • BIG-IP (ASM) 12.1.0 – 12.1.3
  • BIG-IP (ASM) 13.0.0 – 13.1.1
  • BIG-IP (ASM) 14.0.0 – 14.1.0
  • BIG-IP (DNS) 11.2.1 – 11.6.3
  • BIG-IP (DNS) 12.1.0 – 12.1.3
  • BIG-IP (DNS) 13.0.0 – 13.1.1
  • BIG-IP (DNS) 14.0.0 – 14.1.0
  • BIG-IP (Edge Gateway) 11.2.1 – 11.6.3
  • BIG-IP (Edge Gateway) 12.1.0 – 12.1.3
  • BIG-IP (Edge Gateway) 13.0.0 – 13.1.1
  • BIG-IP (Edge Gateway) 14.0.0 – 14.1.0
  • BIG-IP (FPS) 11.2.1 – 11.6.3
  • BIG-IP (FPS) 12.1.0 – 12.1.3
  • BIG-IP (FPS) 13.0.0 – 13.1.1
  • BIG-IP (FPS) 14.0.0 – 14.1.0
  • BIG-IP (GTM) 11.2.1 – 11.6.3
  • BIG-IP (GTM) 12.1.0 – 12.1.3
  • BIG-IP (GTM) 13.0.0 – 13.1.1
  • BIG-IP (GTM) 14.0.0 – 14.1.0
  • BIG-IP (LinkController) 11.2.1 – 11.6.3
  • BIG-IP (LinkController) 12.1.0 – 12.1.3
  • BIG-IP (LinkController) 13.0.0 – 13.1.1
  • BIG-IP (LinkController) 14.0.0 – 14.1.0
  • BIG-IP (PEM) 11.2.1 – 11.6.3
  • BIG-IP (PEM) 12.1.0 – 12.1.3
  • BIG-IP (PEM) 13.0.0 – 13.1.1
  • BIG-IP (PEM) 14.0.0 – 14.1.0
  • BIG-IP (WebAccelerator) 11.2.1 – 11.6.3
  • BIG-IP (WebAccelerator) 12.1.0 – 12.1.3
  • BIG-IP (WebAccelerator) 13.0.0 – 13.1.1
  • BIG-IP (WebAccelerator) 14.0.0 – 14.1.0

REMEDIATION

Update to a fixed version released by the vendor.

For BIG-IP LTM 14.0.0 – 14.1.0, Enterprise Manager and BIG-IQ Centralized Management: no official solution is currently available.

BIG-IP LTM 11.2.1 – 11.6.3, 12.1.0 – 12.1.3 and 13.0.0 – 13.1.1: update to version 11.6.3.3, 12.1.4, or 13.1.1.2.

BIG-IP AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM and WebAccelerator: update to version 11.6.3.3, 12.1.4, or 13.1.1.2.

Rewterz Threat Alert – JungleSec Ransomware Infects Victims Through IPMI Remote Consoles

SEVERITY: MEDIUM

CATEGORY: EMERGING THREAT

ANALYSIS SUMMARY:

Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having accessed a server through its IPMI interface, the attackers reboot it into single-user mode to gain root access, then download and compile the ccrypt encryption program.

Researchers at BleepingComputer explained that the attackers leveraged several weaknesses in the targeted servers’ IPMI interfaces to install JungleSec. In one case the victim had not changed the default password of the IPMI interface; in another, vulnerabilities in the IPMI interface were exploited even though the Admin user had been disabled.

The ccrypt encryption program is used to encrypt the victim’s files. Once the files are encrypted, the attackers leave a ransom note named ENCRYPTED.md demanding 0.3 bitcoin, with the following content:

What happen to my data ?
------------------------
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a file(s) will result to a fail of the recovery process, meaning your file(s) will be loss for good.

How can I retrieve them ?
------------------------
To known the process, you must first send 0.3 bitcoin to the following address : [bitcoin_address]
– Once the payment made, send your email address to junglesec@anonymousspeech.com, do not forget to mention the IP of server/computer

Will you send the process recovery once payment is made ?
------------------------
We have no interest to not send you the recovery process if payment was made. – Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours
By Jungle_Sec

The attackers also left behind a backdoor listening on TCP port 64321. They searched for and mounted virtual machine disks but could not encrypt them, succeeding only in encrypting an unimportant home directory and a KVM machine.

It has also been reported that many victims paid the ransom and still have not received a response to decrypt their files, which further underlines why ransom payments should not be made.

AFFECTED PRODUCTS

Linux, Mac, Windows

INDICATORS OF COMPROMISE

Filename:

  • ENCRYPTED.md
  • key.txt

Email Address:

junglesec@anonymousspeech[.]com

REMEDIATION

  • Secure IPMI interfaces properly to prevent compromise of the server.
  • Immediately change the default IPMI passwords set by the manufacturer.
  • Configure an ACL (Access Control List) so that only specific IP addresses can reach the IPMI interface.
  • Configure IPMI interfaces to listen on an internal IP address that is only reachable by local administrators or through a VPN connection.
  • For added security, set a password on the GRUB bootloader, which makes it much harder for an attacker to reboot the system into single-user mode.
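
Added example, not from the alert or BleepingComputer: a small host triage script that checks for the two indicator types the alert gives, the backdoor listening on TCP port 64321 and the IoC filenames ENCRYPTED.md and key.txt. The `ss -ltn` output embedded below is a constructed sample, and the function names are this example's own.

```python
import os
import re

# Indicators taken from the alert: ransom note and key file names, and the
# TCP port the leftover backdoor listened on.
IOC_FILENAMES = {"ENCRYPTED.md", "key.txt"}
BACKDOOR_PORT = 64321

# Constructed sample of `ss -ltn` output (listening TCP sockets). The 64321
# line is what the alert describes; the others are ordinary services.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
LISTEN  0       10      0.0.0.0:64321        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# State, Recv-Q, Send-Q, then "addr:port"; IPv6 addresses appear in brackets.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def find_listeners(ss_output, ports=(BACKDOOR_PORT,)):
    """Return [(address, port)] for LISTEN sockets bound on any of `ports`."""
    hits = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(2)) in ports:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def match_ioc_filenames(paths, names=IOC_FILENAMES):
    """Filter a list of paths down to those whose basename is an IoC filename."""
    return [p for p in paths if os.path.basename(p) in names]


def walk_for_iocs(root, names=IOC_FILENAMES):
    """Walk a directory tree and collect matching paths (used by the demo)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f in names:
                found.append(os.path.join(dirpath, f))
    return found


def triage(ss_output, paths):
    """Combine both checks into one findings list for an incident ticket."""
    findings = []
    for addr, port in find_listeners(ss_output):
        findings.append(f"listener on {addr}:{port} matches the JungleSec backdoor port")
    for p in match_ioc_filenames(paths):
        findings.append(f"IoC filename present: {p}")
    return findings


if __name__ == "__main__":
    # On a real host, feed in `ss -ltn` output and walk the directories that
    # matter (home directories, VM storage); "." keeps the demo fast.
    for line in triage(SAMPLE_SS_OUTPUT, walk_for_iocs(".")):
        print(line)
```

Since the attackers reached the hosts through IPMI rather than the OS, a clean result here says nothing about the management controller itself; the remediation list above is what closes that door.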

Rewterz Threat Alert – Financial sector hit by malicious email campaign that abuses Google Cloud Storage

SEVERITY: Medium

CATEGORY: Cyber Crime

ANALYSIS SUMMARY:

A new cyber-attack campaign against the financial sector has been observed, primarily in the UK and USA. The attackers behind this campaign deliver their malicious payload via Google Cloud Storage: the payloads are hosted on storage.googleapis.com, the domain of the storage service. The attack begins with phishing emails luring targets into clicking malicious links, which lead the victims to archive files such as .zip and .gz.

The lure consists of ‘Remittance invoice’ offers, as can be seen in the image below.

The malicious files contain two types of payload, .vbs scripts and .jar (Java Archive) files, both heavily obfuscated. Making full use of reputation-jacking, the practice of hiding behind reputable organizations to evade detection, the attackers host their payloads on the widely trusted Google Cloud Storage service. The campaign uses malicious links instead of malicious attachments because most security controls can detect malicious files, while links are often missed unless they already appear on a blacklist.

The experts analyzed three scripts, which belong to the Houdini malware family. These are:

  • Transfer invoice[.]vbs
  • Transfer[.]vbs
  • Bank slip[.]vbs

The scripts were heavily obfuscated, with three nested levels of obfuscated VBScript, each encoded using Base64. Researchers found that all three use the same primary C2 server (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com). Moreover, the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the innermost level of obfuscated VBScript, and all three download a JAR file. The JAR files belong to the jRat and QRat malware families. This email campaign is being tracked by researchers at MenloLabs security.
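
Added example, not the researchers' code: peeling nested Base64 layers until the Houdini marker string quoted above appears, which is how an analyst confirms the family without running the script. The three-layer sample is constructed inside the code by wrapping a harmless script; the `Execute(DecodeBase64(...))` stub is an assumed shape for a layer, not the real campaign's loader, and the function names are this example's own.

```python
import base64
import re

# String the analysts found in the innermost layer of all three scripts.
HOUDINI_MARKER = "<[ recoder : houdini (c) skype : houdini-fx ]>"

# A run of Base64 text long enough to be a payload rather than an identifier.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def wrap_in_base64(script):
    """Constructed stand-in for one obfuscation layer: a decode-and-execute
    stub around the Base64 of the inner script (assumed shape, not Houdini's)."""
    blob = base64.b64encode(script.encode("utf-8")).decode("ascii")
    return f'Execute(DecodeBase64("{blob}"))'


def peel_base64_layers(text, max_layers=10):
    """Repeatedly take the longest Base64 run in the current layer and decode
    it; stop when nothing decodes to UTF-8 text or max_layers is reached
    (a bound matters, since a crafted sample could nest indefinitely).
    Returns every layer, outermost first."""
    layers = [text]
    current = text
    for _ in range(max_layers):
        runs = _B64_RUN.findall(current)
        if not runs:
            break
        candidate = max(runs, key=len)
        # Repair missing '=' padding, which obfuscators often strip.
        candidate += "=" * (-len(candidate) % 4)
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def houdini_depth(text):
    """Number of Base64 layers peeled before the marker shows up, or -1."""
    for depth, layer in enumerate(peel_base64_layers(text)):
        if HOUDINI_MARKER in layer:
            return depth
    return -1


# Constructed sample: a harmless inner script carrying the marker, wrapped in
# three layers as the alert describes. Not a real sample from the campaign.
INNER_SCRIPT = f'x = "{HOUDINI_MARKER}"\nMsgBox x'
SAMPLE_SCRIPT = wrap_in_base64(wrap_in_base64(wrap_in_base64(INNER_SCRIPT)))

if __name__ == "__main__":
    for i, layer in enumerate(peel_base64_layers(SAMPLE_SCRIPT)):
        print(f"layer {i}: {len(layer)} chars, marker={'yes' if HOUDINI_MARKER in layer else 'no'}")
    print("marker found at depth", houdini_depth(SAMPLE_SCRIPT))
```

Real samples mix Base64 with string reversal, character-code arithmetic or custom alphabets, so the decoding step is the part to extend; the depth-bounded loop and marker search stay the same.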

Attackers are increasingly focusing on the financial sector, and more and more sophisticated phishing attacks targeting bank employees are being observed.

INDICATORS OF COMPROMISE

URLs:

  • hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/TT%20COPY[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/new%20slip[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/Transfer%20invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz
  • hxxps://storage[.]googleapis[.]com/officexel/Swift%20Invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/payment%20slip[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/bank%20slip[.]zip
  • fud[.]fudcrypt[.]com
  • pm2bitcoin[.]com
  • storage[.]googleapis[.]co

Email Subject:

  • Re-Confirm Details
  • SWIFT COPY
  • Transaction Slip
  • Confirmation
  • TRANSFR
  • bank transfer
  • bank slip

Email Addresses:

  • infototrade6@yahoo[.]com
  • exchange[.]reza@yahoo[.]com
  • bestradingint@yahoo[.]com
  • infoalborzlead@yahoo[.]co[.]uk
  • nayan1maii@yahoo[.]com

 

Malware Hashes:

 

  • 739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2
  • Ea6dd952f98a8445b9fe7bfe4a903cffe9f3dc1f20c3e63970048b5423d7378f
  • Ade9a6e8995a58b71c55e2116ad3956a6e7cafce9a5fee50e9d8506f1cfa5a9a
  • B3b2988f8bf4881d7a7774a52a06a49e9a942e8587b8e2b1ec4754a3eb157bb1
  • 56b51220f1a41f316f26f0312590d3b4222185e407a1256766b6cb1c5de98635
  • 1a3dd0fc8a4725048776c596a2a77f5d9dc5b62e3d99cb60617f3ed5182b2f5b
  • 589ea2ae48ba41c11eca1bad367b333a91ec7298ca9a38135ae0e4263ccd0392
  • Fcc9ffdc225e6ac608a4a498fcce4290b2089a026cb57f0ee82a616fcd735140
  • C958d28cecc1cdba9e0a9e6caf9d194f17989905d1677d90e11c4647a88b42bf
  • 828482782171fe0c3980ec9454887806757c2bf6d6d0c35ea408e9b65e2ec581

REMEDIATION

Block the IoCs at their respective controls. Also make sure all employees are trained to recognize phishing attacks.
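
Added example for blocking the IoCs above (not Rewterz or MenloLabs code): refanging the defanged indicators, building URL, domain and e-mail blocklists from them, and matching values extracted from mail traffic. The indicators are copied from the list above; the matching policy (URLs exact, domains including subdomains, addresses exact then by domain), the function names and the sample message are this example's own assumptions. It deliberately does not derive a domain block from the storage.googleapis.com URLs, since that would block the whole service the attackers are hiding behind.

```python
import re
from urllib.parse import urlparse

# Defanged indicators copied from the list above.
DEFANGED_IOCS = [
    "hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip",
    "hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz",
    "fud[.]fudcrypt[.]com",
    "pm2bitcoin[.]com",
    "infototrade6@yahoo[.]com",
]


def refang(value):
    """Undo the usual defanging: hxxp(s) -> http(s), [.] or (.) -> ., [@] -> @."""
    value = value.strip()
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def classify(ioc):
    """URL, e-mail address or bare domain, judged from its shape."""
    if re.match(r"^https?://", ioc, re.IGNORECASE):
        return "url"
    return "email" if "@" in ioc else "domain"


def normalize_url(url):
    """Lower-case scheme and host only; the path stays case-sensitive."""
    p = urlparse(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def build_blocklists(defanged):
    """Refang each indicator and sort it into the three lists a mail gateway
    or proxy would consume. URL hostnames are NOT added to the domain list:
    that would turn a handful of bucket URLs into a block on all of
    storage.googleapis.com."""
    lists = {"url": set(), "domain": set(), "email": set()}
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        lists[kind].add(normalize_url(ioc) if kind == "url" else ioc.lower())
    return lists


def _domain_hit(host, domains):
    """Exact or subdomain match of host against the domain blocklist."""
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_indicator(value, lists):
    """Return the blocklist entry that `value` hits, or None."""
    v = value.strip()
    kind = classify(v)
    if kind == "url":
        norm = normalize_url(v)
        if norm in lists["url"]:
            return norm
        return _domain_hit((urlparse(v).hostname or "").lower(), lists["domain"])
    if kind == "email":
        e = v.lower()
        if e in lists["email"]:
            return e
        return _domain_hit(e.rsplit("@", 1)[1], lists["domain"])
    return _domain_hit(v.lower(), lists["domain"])


# Constructed values, as a gateway might extract them from one message.
SAMPLE_MESSAGE = {
    "from": "INFOTOTRADE6@yahoo.com",
    "urls": [
        "https://STORAGE.googleapis.com/officexel/transfer.gz",
        "https://storage.googleapis.com/officexel/quarterly-report.zip",
        "http://pm2bitcoin.com/",
    ],
}


def scan_message(msg, lists):
    """List every (field, value, indicator) match for one message."""
    findings = []
    hit = match_indicator(msg["from"], lists)
    if hit:
        findings.append(("from", msg["from"], hit))
    for u in msg["urls"]:
        hit = match_indicator(u, lists)
        if hit:
            findings.append(("url", u, hit))
    return findings


if __name__ == "__main__":
    lists = build_blocklists(DEFANGED_IOCS)
    for field, value, ioc in scan_message(SAMPLE_MESSAGE, lists):
        print(f"{field}: {value} -> blocked by {ioc}")
```

The second sample URL shows the trade-off the alert raises: a new object in the same bucket is not on the list, so URL-level IoCs need to be paired with user training and sandboxing rather than treated as complete.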


Rewterz Threat Alert – WannaCry still Lurks on Infected Computers, 18 months after the initial outburst

SEVERITY: LOW

CATEGORY: INFORMATIVE UPDATES

ANALYSIS SUMMARY:

Eighteen months after the initial outbreak, the WannaCry ransomware still lurks on hundreds of infected computers and continues to infect more.

When WannaCry was first unleashed, Kryptos Logic security researcher Marcus Hutchins registered a domain that acted as a kill switch for the ransomware component of the infection. If the infection can connect to this kill-switch domain, the ransomware component does not activate. The infection, however, keeps running silently in the background and routinely re-checks whether the domain is still live.

The initial outbreak of WannaCry in 2017 was only the beginning, as many security analysts predicted higher levels of attack. Here is one such alert.

As predicted, the activity continues to this day. The WannaCry domain is observed to be receiving 17 million connections from 630 unique IP addresses in 194 different countries in a single week.

What is WannaCry?

The WannaCry ransomware has multiple components. It arrives on the infected machine in the form of a dropper, a self-contained program that extracts the other application components embedded within itself. Those components are:

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor

Once launched, WannaCry tries to access a hard-coded URL (the kill switch). If it cannot, it searches for and encrypts files in a slew of important formats, ranging from MS Office documents to MP3s, leaving them inaccessible to the user, and displays a ransom notice demanding bitcoins to decrypt the files.

Below is the graph showing countries that are still infected with WannaCry.

All it takes is an Internet outage that makes the kill-switch domain unreachable for the ransomware to kick in.

REMEDIATION:

It is recommended to monitor your IP address ranges for all known infections, including WannaCry and similar malware families.
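
Added example (not from the alert or Kryptos Logic) of the monitoring recommended above, generalized to any set of kill-switch or sinkhole domains: it counts resolver queries per source IP, so hosts that keep polling the domain, which the alert describes as the dormant infection's behaviour, can be listed and cleaned before an outage lets the ransomware fire. The domain name and log lines are constructed placeholders, since the alert does not name the domain; the BIND-style query log format and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Placeholder: the alert does not name the kill-switch domain, so take the
# real one (or your own sinkhole names) from your threat-intel source.
KILLSWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed BIND-style query log lines (not a real capture). The "@0x..."
# client handle and the "(name)" after the port appear in newer BIND versions,
# so the parser treats both as optional.
SAMPLE_QUERY_LOG = """\
07-Dec-2018 10:00:01.123 client 10.0.5.17#51234: query: killswitch-domain.example IN A + (10.0.0.53)
07-Dec-2018 10:00:02.456 client @0x7f3a1c0 10.0.5.17#51240 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.0.0.53)
07-Dec-2018 10:00:03.789 client 10.0.9.201#43321: query: www.example.com IN A + (10.0.0.53)
07-Dec-2018 10:00:04.001 client 10.0.7.44#60001: query: KillSwitch-Domain.example. IN A + (10.0.0.53)
07-Dec-2018 10:00:05.002 client 10.0.5.17#51250: query: updates.example.net IN AAAA + (10.0.0.53)
"""

_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN"
)


def normalize_name(name):
    """Lower-case and strip the trailing dot so 'Foo.example.' == 'foo.example'."""
    return name.lower().rstrip(".")


def killswitch_queries(log_text, domains=KILLSWITCH_DOMAINS):
    """Count kill-switch lookups per source IP across the log text."""
    wanted = {normalize_name(d) for d in domains}
    hits = Counter()
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and normalize_name(m.group("qname")) in wanted:
            hits[m.group("src")] += 1
    return hits


def summarize(hits):
    """Roll the per-host counts up into the two figures the alert quotes:
    total connections and unique source addresses, plus the hosts to clean."""
    return {
        "total_queries": sum(hits.values()),
        "unique_hosts": len(hits),
        "hosts": sorted(hits, key=lambda ip: (-hits[ip], ip)),
    }


if __name__ == "__main__":
    report = summarize(killswitch_queries(SAMPLE_QUERY_LOG))
    print(f"{report['total_queries']} kill-switch lookups from {report['unique_hosts']} hosts")
    for ip in report["hosts"]:
        print(f"  {ip}: still polling, likely carries a dormant WannaCry infection")
```

A single lookup can be a researcher or a sandbox; a host that appears across several days of logs is the one worth isolating, so run this over a rolling window rather than one file.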


Rewterz Threat Advisory – CVE-2018-12882 – updates for IBM Lotus Protector for Mail Security PHP DoS Vulnerability

SEVERITY: MEDIUM

CATEGORY: VULNERABILITY

ANALYSIS SUMMARY:

IBM has released updates for IBM Lotus Protector for Mail Security addressing a previously disclosed vulnerability, CVE-2018-12882. The flaw is that the exif_read_from_impl function in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function. Successful exploitation of the flaw causes a denial-of-service condition.

The vendor has released fixes for the vulnerability.

AFFECTED PRODUCTS

  • IBM Lotus for Mail Protector 2.8.3.0
  • IBM Lotus for Mail Protector 2.8.1.0

IMPACT

Denial of service with application crash.

REMEDIATION

The vendor has released fixes for this vulnerability.

Applying the php-upgrade-7_2_7 update resolves the problem.

For IBM Lotus Protector for Mail Security, follow the vendor’s link below:

https://www-01.ibm.com/support/docview.wss?uid=ibm10787455

Copyright © Rewterz. All rights reserved.