Archive for February, 2020

Rewterz Threat Advisory – CVE-2019-16028 – Cisco Firepower Management Center

Severity

High

Analysis Summary

The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device. Only deployments in which the FMC web-based management interface authenticates users against an external LDAP server are exposed; devices using local authentication are not affected by this issue.
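
The advisory does not say what the improper handling of the LDAP response was, so the following is a generic illustration of the weakness class rather than Cisco FMC code: an added example of a simple-bind client that builds the request, parses the server's BindResponse strictly (RFC 4511 BER encoding) and grants access only on resultCode 0. It refuses an empty password, because RFC 4513 defines that as an unauthenticated bind which some servers answer with success. Everything is built locally so it runs offline; the weak check at the end is the anti-pattern, shown for contrast only.

```python
"""Minimal LDAP simple-bind client logic that checks the server's answer.

Added example, not Cisco FMC code: the advisory above does not say what the
improper handling was, so this shows the generic checks any consumer of LDAP
authentication responses has to make.  Wire format follows RFC 4511 (BER);
all request/response bytes are built locally so it runs offline.
"""

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE, TAG_SIMPLE_AUTH = 0x60, 0x61, 0x80


def ber(tag, body):
    """Encode one BER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def ber_int(tag, value):
    """Encode a non-negative INTEGER/ENUMERATED, keeping the sign bit clear."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_read(buf, off=0):
    """Decode one TLV at `off`; return (tag, body, next_offset) or raise ValueError."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated BER body")
    return tag, body, off + length


def bind_request(msg_id, dn, password):
    """Build a simple BindRequest.  An empty password is refused outright: RFC 4513
    defines it as an *unauthenticated* bind that some servers answer with success."""
    if not password:
        raise ValueError("refusing unauthenticated (empty-password) simple bind")
    op = ber(TAG_BIND_REQUEST,
             ber_int(TAG_INTEGER, 3) + ber(TAG_OCTET_STRING, dn.encode()) + ber(TAG_SIMPLE_AUTH, password.encode()))
    return ber(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + op)


def bind_response(msg_id, result_code, diagnostic=""):
    """Build a BindResponse as a server would (used here to construct test replies)."""
    op = ber(TAG_BIND_RESPONSE,
             ber_int(TAG_ENUMERATED, result_code) + ber(TAG_OCTET_STRING, b"") + ber(TAG_OCTET_STRING, diagnostic.encode()))
    return ber(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + op)


def bind_result_code(raw, expected_msg_id):
    """Parse a BindResponse strictly: one LDAPMessage, matching messageID, right op tag."""
    tag, body, end = ber_read(raw)
    if tag != TAG_SEQUENCE or end != len(raw):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, off = ber_read(body)
    if tag != TAG_INTEGER or int.from_bytes(mid, "big") != expected_msg_id:
        raise ValueError("messageID mismatch")
    tag, op, _ = ber_read(body, off)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    tag, code, _ = ber_read(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    return int.from_bytes(code, "big")


def is_authenticated(raw, expected_msg_id):
    """Grant access only on resultCode 0; any other code or any parse error is a failure."""
    try:
        return bind_result_code(raw, expected_msg_id) == LDAP_SUCCESS
    except ValueError:
        return False


def weak_is_authenticated(raw):
    """The anti-pattern: treating 'the server answered something' as success.
    An invalidCredentials reply passes this check.  Shown for contrast only."""
    try:
        return ber_read(raw)[0] == TAG_SEQUENCE
    except ValueError:
        return False


if __name__ == "__main__":
    req = bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")
    print("BindRequest:", req.hex())
    for code in (LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS):
        reply = bind_response(1, code, "" if code == 0 else "invalid credentials")
        print(f"resultCode {code}: strict={is_authenticated(reply, 1)} weak={weak_is_authenticated(reply)}")
```

The strict path ties the reply to the request (messageID), insists on the BindResponse tag and accepts nothing but resultCode 0; a referral, an error or a reply to some other message all fail closed. Run it to see the invalidCredentials reply accepted by the weak check and rejected by the strict one.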

Impact

Authentication Bypass

Affected Vendors

Cisco

Affected Products

Cisco FMC Software

Remediation

Please refer to the vendor’s advisory for the list of affected products and patches.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-fmc-auth


Rewterz Informative Update : Ransomware Impacting Pipeline Operations

Severity

High

Overview

CISA reports a recent cyber-attack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network and then pivoted to its OT network. The threat actor then deployed commodity ransomware to encrypt data on both the IT and OT networks.

Impact

Specific assets on the OT network experienced a Loss of Availability, including human machine interfaces (HMIs), data historians and polling servers. The impacted assets could no longer read and aggregate real-time operational data reported from low-level OT devices, causing a partial Loss of View for human operators. The attack did not reach any programmable logic controllers (PLCs) and the victim never lost control of operations; a deliberate operational shutdown was nevertheless required.

Response

A deliberate and controlled shutdown of operations lasting about two days had to be implemented, because the organization’s emergency response plan did not account for cyber incidents. The resulting Loss of Productivity and Revenue is the usual consequence when adversaries disrupt or damage the availability and integrity of control system operations, devices and related processes. Normal operations resumed afterwards.

Attack Summary

The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks. The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility.

Although only one geographical control facility was affected, other geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days. The victim acknowledged that gaps in its cyber-security knowledge led it to fail to adequately incorporate cyber-security into emergency response planning.

Remediation

CISA recommends the following mitigations to prevent and handle cyber attacks on operational control devices and networks.

Technical and Architectural Mitigations

  • Implement and ensure robust Network Segmentation between IT and OT networks to avoid extension of a cyber attack from IT network to OT network. A demilitarized zone (DMZ) should regulate all communication between the IT and OT networks.
  • Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.
  • Require Multi-Factor Authentication to remotely access the OT and IT networks from external sources.
  • Implement regular Data Backup procedures isolated from network connections, on both the IT and OT networks.
  • Revise account management policies to ensure that user and process accounts are limited through Account Use Policies, User Account Control, and Privileged Account Management. Organize access rights based on the principles of least privilege and separation of duties.
  • Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users.
  • Filter Network Traffic to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses. Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blacklists and/or whitelists.
  • Update Software including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
  • Set Antivirus/Antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
  • Implement Execution Prevention by disabling macro scripts from Microsoft Office files transmitted via email and consider using Office Viewer software to open them.
  • Implement Execution Prevention via application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  • Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
  • Restrict Remote Desktop Protocol (RDP) to limit access to resources over network. If RDP is operationally necessary, restrict the originating sources and require Multi-Factor Authentication.

Planning and Operational Mitigations

  • Accommodate all possible impacts of cyber attacks in the organization’s emergency response plan.
  • Implement response playbooks to identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.
  • Exercise emergency failure drills and implement alternate control systems, including manual operation to enhance employees’ decision-making experience, while assuming degraded electronic communications. The lessons learned will enhance emergency response playbooks.
  • Identify single points of failure (technical and human) for operational visibility and response planning.
  • Implement segregated communication capabilities between geographically separated facilities.
  • Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program.
  • Ensure the organization’s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors.

Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware

Severity

High

Analysis Summary

The cybercrime group behind the Satan, DBGer and Lucky ransomware families, and possibly Iron ransomware, recently introduced a new version or rebranding named “5ss5c”. This version adds the EternalBlue exploit and new functionality.

It will download and leverage:

  • Spreader (EternalBlue and hardcoded credentials)
  • Mimikatz and what appears to be another password dumper/stealer
  • The actual ransomware

Indicators of compromise are given below.

Impact

  • File encryption
  • Credential theft
  • Information theft

Indicators of Compromise

Sender Email

5ss5c@mail[.]ru

MD5

  • e56b28203a66d88da2c951c9b47fb2c0
  • 8accffa5e7d5b14ee8109a8f99c72661
  • 756b6353239874d64291e399584ac9e5
  • ba008ae920251f962fdc0f80c27dd975
  • dc646bdbe28b453ba190a6356959d028
  • f56025565de4f53f5771d4966c2b5555
  • dfc0966397adcd590a4fba85d16bccf6
  • 0f371453cdab407283e2723b0c99c2f5
  • 680d9c8bb70e38d3727753430c655699
  • 853358339279b590fb1c40c3dc0cdb72
  • 09d45ae26830115fd8d9cdc2aa640ca5
  • 01a9b1f9a9db526a54a64e39a605dd30
  • ca3c0851c7451fc34dc37c2c53e2f70a

SHA-256

  • 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95
  • 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
  • ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
  • af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
  • a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
  • ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
  • e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198
  • 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
  • ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f
  • ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
  • cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
  • 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
  • 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7

Source IP

  • 58[.]221[.]158[.]90
  • 61[.]186[.]243[.]2

URL

  • http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
  • http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
  • http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat
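
The indicators above as a matching script, an added example rather than Rewterz tooling: it refangs the defanged values, hashes files with both MD5 and SHA-256 (one pass per file) and matches the IP addresses as whole dotted quads so a longer address that merely contains one of them does not fire. The sample log lines and the sample file are constructed for the demo; nothing here is real telemetry.

```python
"""Match the 5ss5c indicators listed above against files and proxy/firewall logs.

Added example, not Rewterz tooling.  Hash, IP and URL values are the ones
in the alert (copied defanged and refanged in code); the files and log lines
used by the demo are constructed so it runs offline.
"""
import hashlib
import os
import re
import tempfile

MD5_IOCS = frozenset("""
e56b28203a66d88da2c951c9b47fb2c0 8accffa5e7d5b14ee8109a8f99c72661 756b6353239874d64291e399584ac9e5
ba008ae920251f962fdc0f80c27dd975 dc646bdbe28b453ba190a6356959d028 f56025565de4f53f5771d4966c2b5555
dfc0966397adcd590a4fba85d16bccf6 0f371453cdab407283e2723b0c99c2f5 680d9c8bb70e38d3727753430c655699
853358339279b590fb1c40c3dc0cdb72 09d45ae26830115fd8d9cdc2aa640ca5 01a9b1f9a9db526a54a64e39a605dd30
ca3c0851c7451fc34dc37c2c53e2f70a
""".split())

SHA256_IOCS = frozenset("""
47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300
ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41 af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da
a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18
e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7
ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c
cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc
23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7
""".split())


def refang(ioc):
    """Turn a defanged indicator (58[.]221[.]158[.]90, http[:]//, hxxp://) back into its live form."""
    out = ioc.strip()
    for fake, real in (("[.]", "."), ("[:]", ":"), ("hxxp", "http")):
        out = out.replace(fake, real)
    return out


IP_IOCS = frozenset(refang(x) for x in ("58[.]221[.]158[.]90", "61[.]186[.]243[.]2"))
URL_IOCS = frozenset(refang(x) for x in (
    "http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat",
    "http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt",
    "http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat",
))


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streamed so large files do not load into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_files(root, md5_iocs=MD5_IOCS, sha256_iocs=SHA256_IOCS):
    """Walk `root`; return [(path, matched_hash)] for files whose SHA-256 or MD5 is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha = file_hashes(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if sha in sha256_iocs:
                hits.append((path, sha))
            elif md5 in md5_iocs:
                hits.append((path, md5))
    return hits


def scan_log_lines(lines, ip_iocs=IP_IOCS, url_iocs=URL_IOCS):
    """Return [(line_number, indicator)] for every IOC URL or IP found in the lines.
    IPs are matched as whole dotted quads so 58.221.158.90 does not fire on 158.221.158.90."""
    ip_patterns = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in sorted(ip_iocs)]
    hits = []
    for number, line in enumerate(lines, 1):
        for url in sorted(url_iocs):
            if url in line:
                hits.append((number, url))
        for ip, pattern in ip_patterns:
            if pattern.search(line):
                hits.append((number, ip))
    return hits


# Constructed proxy/firewall lines for the demo (line 3 is a decoy that must not match).
SAMPLE_LOG = [
    "2020-02-10T08:12:44Z proxy01 src=10.1.5.23 GET http://58.221.158.90:88/car/down.txt 200",
    "2020-02-10T08:12:45Z proxy01 src=10.1.5.23 CONNECT example.com:443 200",
    "2020-02-10T08:13:02Z fw01 src=10.1.5.40 dst=158.221.158.90 dport=443 ALLOW",
    "2020-02-10T08:14:10Z fw01 src=10.1.5.23 dst=61.186.243.2 dport=445 ALLOW",
]


def demo_file_scan():
    """Scan a temp directory holding one constructed file: once against the real IOC set
    (no hit expected) and once with that file's own SHA-256 planted (hit expected)."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample file, not malware")
        _md5, sha = file_hashes(path)
        return scan_files(root), scan_files(root, sha256_iocs=SHA256_IOCS | {sha})


if __name__ == "__main__":
    for number, indicator in scan_log_lines(SAMPLE_LOG):
        print(f"log line {number}: {indicator}")
    real_hits, planted_hits = demo_file_scan()
    print("file hits against alert IOCs:", real_hits)
    print("file hits with planted hash:", planted_hits)
```

Point `scan_files` at a suspect share or workstation export and feed `scan_log_lines` proxy and firewall exports; a match on the URLs is the stronger signal, since the hosting IP may serve other content once the campaign infrastructure is reused.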

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not click on URLs attached in untrusted emails.
  • Maintain a backup for all files.

Rewterz Threat Alert – Emotet Malware Hacks Nearby Wi-Fi Networks to Infect New Victims

Severity

High

Analysis Summary

Emotet has added a new propagation vector: it uses already infected devices to find new victims on nearby Wi-Fi networks. The sample carries a “Wi-Fi spreader” module that scans for wireless networks and then attempts to infect devices connected to them; the module appears to have gone unnoticed for around two years. This widens Emotet’s reach, since networks in close physical proximity to the original victim are now exposed. The module can only work on an infected host that has a wireless adapter: it uses the Windows wlanAPI interface to enumerate nearby networks and extract each SSID, signal strength, authentication method (WPA, WPA2 or WEP) and encryption mode. It then tries to join each network by brute force, working through one of two password lists embedded in the module and moving to the next password whenever a connection attempt fails. How those password lists were assembled is not clear.


If a join succeeds, the malware connects the compromised system to the newly reached network and enumerates all non-hidden shares on it. It then runs a second brute-force round against the usernames and passwords of accounts on those shared resources. A successful guess leads to the next phase: a payload named “service.exe” is installed on the newly reached system and registered as a Windows Defender System Service (WinDefService) to blend in. The legitimate Microsoft Defender service is named WinDefend, so the look-alike name is itself a detection opportunity. Besides communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host. The activity can also be detected by monitoring for processes running from temporary folders and from user profile application data folders.
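
The two detections described above, and the execution-location rule behind the software restriction policy mitigation in the pipeline advisory earlier on this page, as one added example that is not CISA, Rewterz or Emotet code: it flags processes started from temp and AppData folders, services whose binary lives there, a service named WinDefService, and any Defender-named service whose image is not in the directories the genuine Defender engine uses. The event records are constructed in the shape of Windows Security 4688 and System 7045 events; the allowlisted “ApprovedUpdater” path is hypothetical.

```python
"""Flag process starts from temp/AppData paths and look-alike Defender services.

Added example, not CISA, Rewterz or Emotet code.  It implements two checks the
text above describes: execution from the user-writable folders the SRP mitigation
blocks (temp folders, AppData/LocalAppData) and installation of a service named
WinDefService, the name the Emotet Wi-Fi spreader gives its service.exe payload.
Event records are constructed in the shape of Windows Security 4688 (process
creation) and System 7045 (service installed) events.
"""
import re

# User-writable staging locations, as path fragments or environment variables.
SUSPECT_DIRS = re.compile(
    r"\\(AppData\\(Local|LocalLow|Roaming)|Temp|Tmp)\\|%(TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.IGNORECASE,
)
# Where the genuine Microsoft Defender engine lives; a service that borrows the
# Defender name but runs from anywhere else is suspect.
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
EMOTET_SERVICE_NAME = "windefservice"


def normalize_image(raw):
    """Pull the executable path out of a NewProcessName/ImagePath value, which may be
    quoted and followed by arguments; lower-cased for comparison."""
    match = re.match(r'\s*"?(.*?\.exe)', raw, re.IGNORECASE)
    return (match.group(1) if match else raw.strip().strip('"')).lower()


def classify_event(event, allowlist=frozenset()):
    """Return a list of findings for one event; empty means nothing to flag.
    `allowlist` holds lower-cased full paths of programs known to run from AppData."""
    findings = []
    if event.get("event_id") == 4688:
        image = normalize_image(event.get("image", ""))
        if image not in allowlist and SUSPECT_DIRS.search(image):
            findings.append(f"process started from temp/AppData location: {image}")
    elif event.get("event_id") == 7045:
        name = event.get("service_name", "")
        image = normalize_image(event.get("image_path", ""))
        if name.lower() == EMOTET_SERVICE_NAME:
            findings.append(f"service name matches Emotet Wi-Fi spreader payload: {name}")
        elif "defend" in name.lower() and not image.startswith(DEFENDER_DIRS):
            findings.append(f"Defender look-alike service outside Defender directories: {name} -> {image}")
        if image not in allowlist and SUSPECT_DIRS.search(image):
            findings.append(f"service binary installed from temp/AppData location: {image}")
    return findings


def scan_events(events, allowlist=frozenset()):
    """Return [(host, finding)] across all events."""
    return [(ev.get("host", "?"), f) for ev in events for f in classify_event(ev, allowlist)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS-17", "image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 4688, "host": "WS-17", "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"event_id": 7045, "host": "WS-22", "service_name": "WinDefService",
     "image_path": r'"C:\Users\bob\AppData\Roaming\service.exe"'},
    {"event_id": 7045, "host": "WS-22", "service_name": "WinDefend",
     "image_path": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10-0\MsMpEng.exe"'},
    {"event_id": 4688, "host": "WS-09", "image": r"C:\Users\carol\AppData\Local\ApprovedUpdater\update.exe"},
]
# Hypothetical approved updater that legitimately runs from AppData.
SAMPLE_ALLOWLIST = frozenset({r"c:\users\carol\appdata\local\approvedupdater\update.exe"})


if __name__ == "__main__":
    for host, finding in scan_events(SAMPLE_EVENTS, SAMPLE_ALLOWLIST):
        print(f"{host}: {finding}")
```

Expect noise from the execution-location rule in a real estate: several legitimate installers and self-updating applications run from AppData, which is why the allowlist exists and why the same paths are better enforced as a software restriction policy than left to after-the-fact alerting. The service-name rules are far more specific and deserve a high-severity alert.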

Impact

  • Spread of the infection to hosts on nearby Wi-Fi networks
  • Unauthorized access to wireless networks and file shares

Indicators of Compromise

Source IP

  • 87[.]106[.]37[.]146
  • 45[.]79[.]223[.]161

Remediation

  • Block the threat indicators at their respective controls.
  • Use long, random passphrases on wireless networks: the spreader only tries passwords from its built-in lists, so a passphrase that appears on no common list defeats it.
  • Where possible, move corporate wireless networks from a shared WPA2 pre-shared key to WPA2-Enterprise (802.1X) with per-user credentials, which removes the single guessable passphrase the module targets.
  • Treat the second brute-force stage as a credential-hygiene issue: accounts that can reach file shares need unique, strong passwords, and repeated logon failures against shares should be alerted on.

Rewterz Threat Advisory – CVE-2020-3119 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution

Severity

High

Analysis Summary

The vulnerability exists because the Cisco Discovery Protocol parser does not properly validate input for certain fields in a Cisco Discovery Protocol message. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to cause a stack overflow and execute arbitrary code with administrative privileges on the affected device. Because Cisco Discovery Protocol is a Layer 2 protocol and is not routed, the attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent); no authentication is needed to deliver the packet.
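
The advisory does not say which fields are mis-validated, so the following is an added example of the generic defence rather than Cisco code: a parser for the TLV section of a Cisco Discovery Protocol message (version, TTL, checksum, then type/length/value triples whose 16-bit length includes its own 4-byte header) that bounds every attacker-supplied length against the TLV header, the remaining packet and a fixed destination size before copying. The packet bytes and the 255-byte field limit are constructed for the demo.

```python
"""Bounds-checked parser for the TLV section of a Cisco Discovery Protocol message.

Added example, not Cisco code: the advisory does not say which fields are
mis-validated, so this shows the generic checks a TLV parser must make so that
an attacker-controlled length can never drive a copy past the end of the packet
or past a fixed-size destination buffer.  All packet bytes are constructed here.
"""
import struct

CDP_HEADER_LEN = 4   # version (1) + TTL (1) + checksum (2)
TLV_HEADER_LEN = 4   # type (2) + length (2); the length field counts the header itself
TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID", 0x0005: "Software-Version", 0x0006: "Platform"}
# Size of the fixed buffer a parser might copy string fields into.  An assumption
# made for this demo, not a Cisco implementation detail.
MAX_STRING_FIELD = 255


def parse_cdp(payload):
    """Return (version, ttl, [(tlv_type, value_bytes), ...]) or raise ValueError."""
    if len(payload) < CDP_HEADER_LEN:
        raise ValueError("truncated CDP header")
    version, ttl = payload[0], payload[1]
    if version not in (1, 2):
        raise ValueError(f"unsupported CDP version {version}")
    tlvs, off = [], CDP_HEADER_LEN
    while off < len(payload):
        if len(payload) - off < TLV_HEADER_LEN:
            raise ValueError(f"trailing {len(payload) - off} byte(s) at offset {off} are not a whole TLV header")
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, off)
        if tlv_len < TLV_HEADER_LEN:
            # A naive "value_len = tlv_len - 4" goes negative here and, as an unsigned
            # size, turns into a huge copy length.
            raise ValueError(f"TLV 0x{tlv_type:04x} length {tlv_len} is smaller than its header")
        if off + tlv_len > len(payload):
            raise ValueError(f"TLV 0x{tlv_type:04x} length {tlv_len} runs past end of packet")
        value = payload[off + TLV_HEADER_LEN:off + tlv_len]
        if tlv_type in TLV_NAMES and len(value) > MAX_STRING_FIELD:
            raise ValueError(f"{TLV_NAMES[tlv_type]} value of {len(value)} bytes exceeds destination buffer")
        tlvs.append((tlv_type, value))
        off += tlv_len
    return version, ttl, tlvs


def build_tlv(tlv_type, value):
    """Encode one TLV (helper for constructing demo packets)."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def build_cdp(tlvs, version=2, ttl=180):
    """Assemble a CDP payload; checksum left zero because the demo never transmits it."""
    return bytes([version, ttl]) + b"\x00\x00" + b"".join(build_tlv(t, v) for t, v in tlvs)


GOOD = build_cdp([(0x0001, b"core-sw1"), (0x0003, b"Ethernet1/1"), (0x0006, b"Nexus 9000")])
# Length field smaller than the 4-byte TLV header.
BAD_SHORT_LEN = build_cdp([]) + struct.pack("!HH", 0x0001, 2)
# Length field claims 1024 bytes but only 8 follow: an unchecked copy reads past the packet.
BAD_OVERRUN = build_cdp([]) + struct.pack("!HH", 0x0001, 1024) + b"core-sw1"
# Well-formed but oversized Device-ID: fits the packet, not a fixed 255-byte buffer.
BAD_OVERSIZED_FIELD = build_cdp([(0x0001, b"A" * 300)])


def check(payload):
    """Return 'ok' or the parser's rejection reason (for the demo and the test)."""
    try:
        parse_cdp(payload)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("short length", BAD_SHORT_LEN),
                       ("overrun", BAD_OVERRUN), ("oversized field", BAD_OVERSIZED_FIELD)):
        print(f"{label:16s}: {check(pkt)}")
```

The three malformed packets are the three ways a length-driven copy goes wrong, and each is caught before any value is touched; the last one is the case that matters for a stack overflow, since a length that is consistent with the packet can still be larger than the buffer it is copied into.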

Impact

Remote Code Execution (arbitrary code with administrative privileges)

Affected Vendors

Cisco

Affected Products

  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 5500 Platform Switches
  • Cisco Nexus 5600 Platform Switches
  • Cisco Nexus 6000 Series Switches
  • Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Cisco Nexus 9000 Series Switches in standalone NX-OS mode

Remediation

Please refer to the vendor’s advisory for the list of fixed software releases.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-nxos-cdp-rce


Rewterz Threat Advisory – ICS: Siemens SIMATIC CP 1543-1

Severity

High

Analysis Summary

CVE-2019-12815

An arbitrary file copy vulnerability in the mod_copy module of the embedded FTP server (ProFTPD), reachable through the SITE CPFR and SITE CPTO commands, allows for remote code execution and information disclosure without authentication.

CVE-2019-18217

Incorrect handling of overly long commands in the embedded FTP server allows an attacker to cause a denial-of-service condition by making the server enter an infinite loop.
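
A reachability check for the first issue, as an added example that is neither Siemens nor ProFTPD code: it logs in to the FTP service (anonymous by default) and issues SITE CPFR to see whether the copy commands are accepted at all. It assumes a server with mod_copy enabled answers 350 to SITE CPFR and one without it answers 5xx; it copies nothing and does not prove a permission bypass, so a positive result means “update the module and verify”, not “exploited”. The fake FTP server inside the block is a constructed stand-in so the demo runs offline.

```python
"""Check whether an FTP service exposes mod_copy's SITE CPFR/CPTO commands.

Added example, not Siemens or ProFTPD code.  It logs in (anonymous by default),
issues SITE CPFR for a path and reports whether the server accepts it.  Assumption:
a server with mod_copy enabled answers "350 ..." to SITE CPFR, one without it
answers 5xx.  The probe copies nothing, and it only shows that the copy commands
are reachable for the account used, not that they bypass access limits.  The
fake server below is a constructed stand-in so the demo runs offline.
"""
import ftplib
import socket
import threading


def cpfr_accepted(reply):
    """True if a SITE CPFR reply means the server is now waiting for SITE CPTO."""
    return reply.startswith("350")


def probe_site_cpfr(host, port, user="anonymous", passwd="anonymous@", path="/", timeout=5.0):
    """Return True if SITE CPFR is accepted for the account, False if refused or unknown."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, passwd)
        try:
            reply = ftp.sendcmd(f"SITE CPFR {path}")
        except (ftplib.error_perm, ftplib.error_temp):  # 5xx unknown/refused, 4xx transient
            return False
        return cpfr_accepted(reply)


def start_fake_ftp(mod_copy_enabled):
    """Serve one connection on 127.0.0.1 with the handful of replies the probe needs;
    returns the port.  Replies mirror ProFTPD's wording but are constructed here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        reader = conn.makefile("rb")
        try:
            conn.sendall(b"220 FTP server ready.\r\n")
            while True:
                line = reader.readline()
                if not line:
                    break
                cmd = line.decode("ascii", "replace").strip().upper()
                if cmd.startswith("USER"):
                    reply = b"331 Password required.\r\n"
                elif cmd.startswith("PASS"):
                    reply = b"230 User logged in.\r\n"
                elif cmd.startswith("SITE CPFR"):
                    reply = (b"350 File or directory exists, ready for destination name\r\n"
                             if mod_copy_enabled else b"500 'SITE CPFR' not understood\r\n")
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    reply = b"502 Command not implemented.\r\n"
                conn.sendall(reply)
        finally:
            reader.close()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for enabled in (True, False):
        port = start_fake_ftp(enabled)
        print(f"fake server (mod_copy {'on' if enabled else 'off'}): "
              f"SITE CPFR reachable = {probe_site_cpfr('127.0.0.1', port)}")
```

Run it against a real CP 1543-1 only with the plant owner’s approval and outside production hours: the second CVE above means an FTP session with a long command can wedge the service, so keep the probe to the short commands shown. A 350 reply on a device below version 2.2 is the cue to schedule the firmware update.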

Impact

  • Remote code execution
  • Information disclosure without authentication
  • Denial of service

Affected Vendors

Siemens

Affected Products

SIMATIC CP 1543-1: all versions from 2.0 and prior to 2.2

Remediation

Update to Version 2.2 or later.


Copyright © Rewterz. All rights reserved.