
Rewterz Threat Alert – CStealer Password Stealer Sends Stolen Data to a MongoDB Database



Analysis Summary

A new Windows trojan has been discovered that attempts to steal passwords stored in the Google Chrome browser. While this is nothing unique, what stands out is that the malware uses a remote MongoDB database to store the stolen passwords.

This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

Targeting Chrome Passwords

Instead of compiling the stolen passwords into a file and sending them to a C2 under the attackers' control, the malware connects directly to a remote MongoDB database and uses it to store the stolen credentials.

To do this, the malware includes hardcoded MongoDB credentials and utilizes the MongoDB C Driver as a client library to connect to the database. 

While this method ultimately serves its purpose of stealing passwords, it also opens the door for other attackers to gain access to the victim’s credentials.
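As an added triage example (not part of the Rewterz alert and not CStealer's own code), the following Python pulls hardcoded MongoDB connection URIs and MongoDB C Driver symbol names out of a sample's bytes, so a responder can confirm that credentials are embedded and extract the database host as a blockable indicator. The binary excerpt, host, username and password are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the .data section of a stealer binary; the connection
# string, host and credentials below are made up for this example.
SAMPLE_BINARY = (
    b"\x00\x00MSVCRT.dll\x00mongoc_client_new\x00mongoc_collection_insert_one\x00"
    b"mongodb://stealer_user:Sup3rS3cret@198.51.100.23:27017/loot?authSource=admin\x00"
    b"chrome\\User Data\\Default\\Login Data\x00"
)

# A mongodb:// or mongodb+srv:// URI is a run of printable ASCII after the scheme.
MONGO_URI = re.compile(rb"mongodb(?:\+srv)?://[\x21-\x7e]+")

def extract_mongo_uris(blob):
    """Return every printable mongodb:// URI embedded in the blob."""
    return [m.group(0).decode("ascii", "replace") for m in MONGO_URI.finditer(blob)]

def describe_uri(uri):
    """Split a URI into the fields a responder cares about. has_credentials is
    True when a username is embedded, i.e. the sample carries hardcoded
    database credentials the way CStealer does."""
    parts = urlsplit(uri)
    hosts = parts.netloc.rsplit("@", 1)[-1]     # drop user:pass@ if present
    return {
        "scheme": parts.scheme,
        "username": unquote(parts.username) if parts.username else None,
        "has_credentials": parts.username is not None,
        "hosts": hosts.split(","),              # mongodb URIs may list several hosts
        "database": parts.path.lstrip("/") or None,
    }

def uses_mongoc_driver(blob):
    """Heuristic: an exported symbol name of the MongoDB C Driver is present."""
    return b"mongoc_client_new" in blob

def triage(blob):
    uris = extract_mongo_uris(blob)
    described = [describe_uri(u) for u in uris]
    return {
        "mongoc_driver": uses_mongoc_driver(blob),
        "uris": described,
        # The database endpoint is the indicator to block at the egress control.
        "hosts_to_block": sorted({h for d in described for h in d["hosts"]}),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```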


Credential theft


  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Nemty Ransomware Delivered via Trik Botnet Using SMB Protocol



Analysis Summary

Nemty ransomware has partnered with the Trik botnet, which delivers Nemty to compromised computers. The criminals behind the botnet use the infected computers to send email spam and have been observed pushing out a wide range of malware families, now including Nemty. In the past, Nemty has been observed spreading via the RIG exploit kit, as well as via malicious spam campaigns targeting users in Korea and China, where the malware is attached inside an archive. 36% of Nemty's targets are located in China, while Korea houses 40% of them.

We observed a recent version of Trik delivering a tiny component that uses the Server Message Block (SMB) protocol and a list of hardcoded credentials to try to connect to remote computers with port 139 open.

First, the SMB component creates a registry entry. Trik then checks whether the file winsvcs.txt is present in the %AppData% directory on the compromised computer. If winsvcs.txt is not present, the Nemty ransomware is downloaded and executed. If winsvcs.txt is present, the SMB component checks whether it is running as a service. If it is not running as a service, the component tries to spread itself through the SMB protocol. To find targets, the SMB component generates random IP addresses and tries to connect to them on port 139. The malware can infect public IP addresses with port 139 open that use any of the common administrator usernames and passwords on its list. If access is granted, the malware uses the SMB protocol to copy itself to the remote machine. It then uses the Windows Service Control Manager to start the SMB component's process on the remote machine. It deletes shadow copies and backups before, rather than after, encryption.
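An added detection example, not from the alert: given connection logs in a constructed format, the Python below flags any internal host that fans out to many distinct external addresses on port 139 within a short window, which is the behaviour of Trik's SMB component described above. The log lines, the 10.0.0.0/8 internal range and the alert threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample in a made-up firewall log format: "<ts> <src> -> <dst>:<dport> <action>".
# 10.0.0.7 behaves like the Trik SMB component (random external targets on 139);
# 10.0.0.5 makes a couple of ordinary internal NetBIOS/SMB connections.
SAMPLE_LOG = """\
2019-10-10T09:00:01 10.0.0.5 -> 10.0.0.20:445 allow
2019-10-10T09:00:02 10.0.0.7 -> 203.0.113.41:139 allow
2019-10-10T09:00:02 10.0.0.7 -> 198.51.100.9:139 deny
2019-10-10T09:00:03 10.0.0.7 -> 192.0.2.77:139 deny
2019-10-10T09:00:03 10.0.0.7 -> 203.0.113.250:139 allow
2019-10-10T09:00:04 10.0.0.7 -> 198.51.100.130:139 deny
2019-10-10T09:00:05 10.0.0.7 -> 192.0.2.8:139 deny
2019-10-10T09:00:06 10.0.0.5 -> 10.0.0.21:139 allow
2019-10-10T09:00:07 10.0.0.5 -> 10.0.0.22:139 allow
"""

# Assumed: the organisation's own address space. Anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_external(host):
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, _, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), action

def find_smb_spreaders(log_text, threshold=5, window=timedelta(seconds=60), port=139):
    """Return {source: [external hosts]} for sources that contacted at least
    `threshold` distinct external hosts on `port` inside any `window`.
    Denied attempts count too: the scan itself is the signal."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, dport, _ = parse_line(line)
        if dport == port and is_external(host):
            events[src].append((ts, host))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            targets = {h for _, h in evs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            alerts[src] = sorted(best)
    return alerts

if __name__ == "__main__":
    for src, hosts in find_smb_spreaders(SAMPLE_LOG).items():
        print(f"possible SMB spreader {src}: {len(hosts)} external targets on port 139")
```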

The developers behind the Nemty ransomware are constantly updating and improving its code, as well as its delivery methods, in an attempt to reach more victims.


  • File Encryption
  • Unauthorized Access

Indicators of Compromise




  • Block the threat indicators at their respective controls.
  • Do not download email attachments/click on URLs coming from untrusted email addresses.
  • Actively monitor Port 139.

Here’s how VPNs can be Exploited by Attackers


It is generally believed that data transfers are safest over a VPN connection. However, here is some bad news: VPNs too are vulnerable, and can be hacked and used to cause you harm. Earlier this week, vulnerabilities in VPN servers were exploited by nation-state attackers. Hence, although they make network communication more secure, VPNs too demand their due share of attention from time to time.

Weak Encryption

  • If you’re using a VPN that employs an older, breakable encryption algorithm, a data breach surprise may be on its way to you. Weak encryption alone is enough to let your guard down for attackers, let alone the powerful brute-force capabilities of approaching quantum computing.
  • Many encryption algorithms have now been discarded or marked as unsafe and vulnerable, including DES, 3DES, SHA-1 and RSA (with small keys); they either have algorithmic flaws or are susceptible to brute-force methods.
  • Some other products, using proprietary encryption methods that promise super-double-plus ninja-grade security, lack proof of their claims.

Use VPNs that reportedly utilize known-good encryption algorithms such as AES, elliptic-curve Diffie-Hellman (ECDH), SHA-256 (or greater), or RSA with a 1536- or 2048-bit key. Also make sure that a strong encryption algorithm is not wrecked by a poor implementation.

Vulnerable Key-Handling

All VPNs rely on encryption keys to do their security job, so key handling is critical. For example, in a demonstration at Black Hat USA 2019, researchers Orange Tsai and Meh Chang showed that a vulnerability in a Palo Alto Networks SSL VPN exposed a hard-coded password for the encryption key. This undoubtedly makes the vulnerability much worse. Vulnerabilities that lead to hard-coded encryption keys being stored insecurely are very dangerous and severe. Unfortunately, organizations can do little more than patch such vulnerabilities in a timely manner.

Authentication Bypass

Even if your VPN uses impenetrable encryption, authentication can be another major gateway for criminals. When a vulnerability in the VPN allows a threat actor to access critical assets behind the VPN without requiring user authentication, resources end up in the hands of criminals.

For instance, in April Pulse Secure announced a set of vulnerabilities in its Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) products. Some of these allowed an attacker to use a specific URI as part of an HTTPS request to gain access to arbitrary files on the destination network. The vulnerability has already been patched, but users who are oblivious to its existence and have not applied the patches are likely to receive bad news. Moreover, the flaw does not draw attention to itself: users have to seek out the updates proactively to apply patches in time.

Weak Protocols

The majority of VPNs use one of five protocols. The strength of a VPN can be evaluated from the strength of its protocol.

  • PPTP (Point-to-Point Tunneling Protocol) was developed and placed into service in the mid-1990s. Although very fast, more than two decades later it is now considered insecure.
  • Likewise, another old protocol, L2TP, is quick to establish a tunnel but surprisingly offers no encryption at all. Therefore it cannot ensure protection independent of an encryption protocol.
  • Cisco and Microsoft’s contribution to the list of VPN protocols, IKEv2, is a newer protocol often used together with IPSec. Although frequently used in mobile communications because it can handle brief interruptions in the connection, IKEv2 is no longer a promising protocol. The reason? Edward Snowden’s warning that the NSA has learned to break its encryption.

With experts considering these three protocols damaged, there are few choices left.

  • Security engineers say that OpenVPN is currently the best available protocol. Although fast and secure, it is complex to set up as a “raw” protocol for in-house employees.
  • WireGuard is another protocol on the horizon, but it is not yet complete.

Free VPNs

Even if an organization keeps track of all available patches and uses the best encryption and protocols, its employees may be using other VPNs that aren’t secure. They may be using VPNs from remote work locations that are apparently free but are meant to track their online moves. VPN providers, in collaboration with advertising networks, often offer these free products to track users online. While advertisements may be bearable, vpnMentor reports that free VPNs are also being used to deploy malware. They may also feed on your bandwidth or overall data per month. Hence, it is best to use VPNs that are secure and are purchased by the organization itself.

Single-Layer Protection

Apart from tunneling encrypted network communication, VPNs serve other functions too. A VPN should mask the end user’s IP address to make tracking more difficult and limit the possibility of long-duration campaigns. In addition, a VPN may also offer URL blacklist protection (warning against malicious websites).

A VPN provided by the organization ensures that communication between the employee and the enterprise network takes place in an encrypted tunnel. From there on, the organization’s security infrastructure takes over. If third-party VPNs are used, they must be verified to be as secure as the one provided by the company.

Weaponized HTTPS

HTTPS, one of the basic tools of safe remote computing, is being used by criminals as a gateway to cover up their malicious activities. Although this protocol safely carries legitimate traffic, a specially crafted HTTPS request can be used to bypass authentication as a key step in allowing data to be taken from the network. With the rise of free certificate authorities, the green lock is no longer a definite security indicator.

It is crucial to monitor and patch vulnerabilities in the tools you are using in order to maintain healthy and secure use of a VPN. Moreover, monitoring traffic from new sources is also essential to avoid security risks.


  • Use VPNs that utilize the latest strong encryption algorithms.
  • Keep all tools updated to the latest patched versions.
  • Ensure secure key-handling.
  • Use the IKEv2 protocol along with IPSec.
  • Avoid using VPNs with single-layer protection.
  • Only use recommended and known VPNs and avoid using open source or free VPNs at all costs.

Outdated OS gets ATMs Hacked within minutes

While bank customers have blind faith in the technologically advanced machine called the ATM, its cyber security measures have shocking lapses and loopholes in most cases. Five years after support for Windows XP was withdrawn, numerous ATM machines are still running Windows XP, exposing them to various vulnerabilities and attacks. These ATMs running end-of-life operating systems are the most attractive cash machines for hackers, each one ready to spit out about $200,000 in cash. It is surprising that ATM operators have still not discarded such insecure ATMs running an old operating system on archaic components.


Security Risks for ATMs running on outdated OS

Insecure network communication between the bank and the ATM machines is reportedly a major security risk, so encrypting this communication is very important to keep intruders out and to prevent its manipulation. However, end-of-life systems are an even bigger problem.

Why is Windows XP a major threat?

Released in 2001, Windows XP is now archaic. Microsoft ended support for this OS in 2014 and stopped releasing anti-malware patches for it on July 14th, 2015. So it no longer receives security patches and updates, and machines running it are vulnerable to network or local access attacks. Consequently, even small groups of criminals could communicate with the machine to install code, avoid the ATM’s built-in defense mechanisms, and avoid detection in the transaction log. By exploiting the vulnerabilities and executing remote code, fraudulent transactions can be carried out within moments.

  • Many researchers have demonstrated successful network spoofing attacks and black box attacks on such ATMs running outdated OSes.
  • Another issue is that banks tend to use the same configuration on a large number of ATMs, allowing for mass replication of a single successful attack on one ATM machine.
  • Moreover, these EOL systems can only be patched manually, and it is practically impossible for a bank’s IT professionals to visit the machines branch by branch, one by one, to apply the security patches for Microsoft’s Windows XP for Embedded Systems.
  • Additionally, many ATMs running XPe (embedded Windows XP) may not be using the Enhanced Write Filter. EWF is designed to keep malware from being written to the drive and corrupting files. Running EWF is always optional in XPe, and it also has its own patches that need to be managed.

Why is Windows 7 a threat?

ATMs using Windows 7 are also at an approaching security risk. Just like Windows XP, Windows 7 is also being discarded by Microsoft, and its support ceases on January 14th, 2020. Within 4 months, ATMs running Windows 7 will also be exposed to cyber attacks. ATM system operators need to prioritize migration of ATMs from outdated OSes to the latest OS available. However, the hardware and software migration will be very costly and will take about six months to complete. This update therefore demands immediate attention and prioritization.

What ATM operators can do

  • Revise your current ATM network, shut down outdated machines and replace them with new solutions in the market, such as virtual ATMs.
  • Migrate your ATM OS to the latest version of Windows 10 or Linux.
  • In addition, many hardware platforms internal to current ATMs are too old to be supported by the more current Windows 10. As a result, many ATM operators such as banks will need to replace their hardware components with newer solutions to run on a newer OS.

Although an operating system migration and a computer platform upgrade together may prove very costly across all deployments of ATM machines, these steps are crucial to avoid millions being cashed out fraudulently by hackers. In addition, these ATMs are connected to a bank’s centralized electronic banking systems in order to operate, which masks a security risk that could cost trillions.

Rewterz Threat Alert – Reductor Infects Files on the Fly to Compromise TLS Traffic



Analysis Summary

Besides typical RAT functions such as uploading, downloading and executing files, Reductor’s authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. Reductor has been linked to Turla APT based on the victimology. Reductor spreads either by infecting popular software distributions (Internet Download Manager, WinRAR, etc., and, for at least one victim, through a popular warez website over HTTP), or by having its decryptor/dropper delivered using COMpfun’s ability to download files on already infected hosts.

The malware adds digital certificates from its data section to the target host and allows the operators to add additional certificates remotely through a named pipe. The solution that Reductor’s developers found to mark TLS traffic is the most ingenious part. They don’t touch the network packets at all; instead, the developers analyzed the Firefox source code and Chrome binary code to patch the corresponding pseudo-random number generation (PRNG) functions in the process’s memory.

In the first scenario, the attackers use infected software installers with 32- and 64-bit versions of Reductor included. These installers may be for the popular Internet Download Manager, Office Activator, etc. In the second scenario, the targets are already infected with the COMpfun Trojan, which uses a COM CLSID for persistence. After getting into the browser’s address space, the Trojan can receive the command to download additional modules from the C2. As a result, the target’s browser downloads Reductor’s custom dropper-decryptor.

Reductor samples hold DER-encoded root X509v3 certificates in the .data section to add on the target hosts.
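As an added defensive example (not the alert's code and not Reductor's), the Python below builds a few constructed ClientHello records, extracts the 32-byte client random from each, and groups connections whose randoms carry the same bytes at a fixed position, since a browser whose PRNG has not been tampered with should never repeat such a pattern across connections. The tag position and the sample records are assumptions.

```python
import struct

def build_client_hello(random32):
    """Constructed TLS 1.2 ClientHello record (test data, not captured traffic):
    record header, handshake header, client_version, random, empty session_id,
    one cipher suite, null compression, no extensions."""
    body = (b"\x03\x03" + random32 + b"\x00"     # version 1.2, random, session_id length 0
            + b"\x00\x02\xc0\x2f"                 # cipher_suites: length 2, one suite
            + b"\x01\x00")                        # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_random(record):
    """Return the 32-byte client random from a ClientHello record; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello")
    return body[2:34]                             # skip client_version, take random

def find_marked_randoms(records, offset=28, length=4):
    """Group connections whose client random carries identical bytes at
    [offset:offset+length]. A healthy PRNG gives 32 fresh bytes per connection,
    so a repeat across connections points at a patched PRNG in the browser
    process. The trailing bytes are compared by default (an assumed position)
    because legacy TLS stacks put a gmt_unix_time in the first four bytes."""
    groups = {}
    for rec in records:
        r = client_hello_random(rec)
        groups.setdefault(r[offset:offset + length], []).append(r)
    return {tag.hex(): rs for tag, rs in groups.items() if len(rs) > 1}

# Constructed samples: two hellos sharing an assumed 4-byte tag, two with distinct randoms.
MARKED = [build_client_hello(bytes(range(1, 29)) + b"\xde\xad\xbe\xef"),
          build_client_hello(bytes(range(100, 128)) + b"\xde\xad\xbe\xef")]
NORMAL = [build_client_hello(bytes(range(32))), build_client_hello(bytes(range(32, 64)))]

if __name__ == "__main__":
    for tag, randoms in find_marked_randoms(MARKED + NORMAL).items():
        print(f"tag {tag} repeated in {len(randoms)} ClientHellos: inspect the browser process")
```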


Data Manipulation

Indicators of Compromise

IP(s) / Hostname(s)

  • compfun[.]net
  • adstat[.]pw
  • bill-tat[.]pw

Malware Hash (MD5/SHA1/SHA256)

  • 7911F8D717DC9D7A78D99E687A12D7AD
  • 4e2d038e9d72ee4d660755ba973a31471dda167d1a51bfdfe60abb2b3de78ba1
  • e49666f7882f299c2845c7e31e3d842a387ef10d


  • Block the threat indicators at their respective controls.
  • Keep software like IDM and WinRAR updated to the latest patched versions.
  • Do not download software from untrusted sources.

5 Cyber Security Measures to Avoid Getting Hacked

Cyber security is a continuous evolutionary process as new threats arise every day. Apart from advanced security measures, it is advised to follow the basic steps below to minimize cyber security risk.

1. Implement 2FA

Hackers and phishers can acquire passwords from third-party data breaches or through successful credential theft using phishing. The first half of 2019 has also seen many password spraying attacks, as well as DNS hijacking campaigns, whose impact can be minimized by enabling Two-Factor Authentication (2FA) or Multi-factor Authentication (MFA). 2FA demands an additional authentication factor along with a password in order to access an account, thereby providing an additional layer of security.

To implement 2FA, users need to provide an accessible contact such as a phone number or an email address, so that a special code is sent to that contact each time a login attempt is made. Users can access their accounts by providing that additional code. Many major platforms offer 2FA to verify before each login that the legitimate, authorized account holder is making the login attempt. In case an unauthorized login attempt is made, not only is it prevented, but the generation of a code also notifies the user that someone is trying to access their account.
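As an added illustration, not part of the original post, here is a minimal Python implementation of the mechanism described above: issuing a one-time code for out-of-band delivery (SMS or email) and verifying it at login, with expiry, single use and a cap on wrong guesses. The 5-minute lifetime, the 5-attempt cap and the server-side HMAC key are assumed policy choices.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 300       # assumed policy: a delivered code stays valid for 5 minutes
MAX_ATTEMPTS = 5     # assumed policy: wrong guesses allowed before the code is burned

class SecondFactor:
    """Issues the one-time code sent to the user's phone or email and checks it
    at login. Only an HMAC of the code is stored, so a leaked table cannot be
    brute-forced without the server key; each code is single-use, expires, and
    tolerates only a few wrong guesses (the real control against online guessing)."""

    def __init__(self, now=time.time, key=None):
        self._now = now                               # injectable clock for testing
        self._key = key or secrets.token_bytes(32)    # assumed: per-server secret
        self._pending = {}   # username -> [code_hmac, expires_at, attempts_left]

    def _tag(self, username, code):
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Create a fresh code for `username` and return it for the SMS/email
        sender. Never log it. Re-issuing replaces any earlier pending code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [self._tag(username, code),
                                   self._now() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, username, code):
        """True only for the current, unexpired, not-yet-used code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]               # expired: user must request a new one
            return False
        if hmac.compare_digest(tag, self._tag(username, code)):
            del self._pending[username]               # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]               # burned: stops online guessing
        return False
```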

2. Use Secured Wi-Fi Network

Unsecured Wi-Fi networks are a great security risk. They are often exploited by attackers to enter target environments. Users should protect and encrypt their Wi-Fi networks to avoid having any intruders scan through their machines. A few encryption options are available that ensure that your Wi-Fi is publicly inaccessible. Wi-Fi Protected Access 3 (or WPA3), for instance, can be set up on new routers by visiting the administrator’s page for your router. This is accessed by typing your router’s IP address in the URL field of your web browser. The most common ones are, or

Once inside the router’s menu, there is a section under “Wireless” or “Security” that contains your system’s encryption settings along with some options, including WPA3. If WPA3 is not available, WPA2 is the best option to choose. If your encryption was previously set to WEP or WPA (older standards for older routers), it is advised to change it to WPA2.

After selecting an option, instructions appear for creating an appropriate password; once it is created, your Wi-Fi network is secured. If no option is available, go to the router’s settings and update the firmware so your device is as safe as possible. In any case, do not leave your encryption status set to “Open”, which means no encryption is enabled on your Wi-Fi network.


3. Keep Passwords Secure

Do not leave passwords lying around in places where they can be accessed. It is always best practice to use a separate password for each platform; reusing passwords is strongly discouraged by security experts. Moreover, passwords can be stored in a password manager app, which keeps them safe for you and saves you the trouble of remembering each password. Make sure the app you use is up to cyber security standards and recognized by security experts.


4. Ensure Device Protection

Always keep an anti-malware program with updated signatures installed on your computer. More importantly, make sure it is compatible with your device and has the essential features you need. Most PCs ship with a pre-installed compatible anti-malware program called Windows Defender, Microsoft’s internally developed anti-malware application. Apart from thoroughly scanning your device for harmful software, Windows Defender is also the first to receive updates, the latest signatures and zero-day defenses directly from Microsoft’s own cyber-security labs.

However, installing the software is not enough. You also need to keep your computer and all software updated. Keeping Windows updated to the latest version will also keep Windows Defender up to date, which means your device will be protected against malware currently circulating in cyberspace. Also make sure to scan your device frequently and resolve all detected threats and issues.

5. Implement Timely Patching

Software updates are recommended not because they add the latest features to your system, but because they usually include security patches for vulnerabilities, bugs and zero-day exploits found in the software. These patches fix critically dangerous bugs that may otherwise serve as entry points for hackers. Besides, many critical security flaws have no solution other than timely patching. Although new system updates are announced with notifications, it is still recommended to keep an eye out for these security updates and apply them as soon as possible.

Having applied the above-mentioned steps, it is also recommended that users enable an additional layer of protection, i.e. a Virtual Private Network (VPN). Using a VPN, your internet browsing is made anonymous and your internet connection is shielded from cybercriminals and hackers.

Copyright © Rewterz. All rights reserved.