Category Archives: Security Alert

New Method of Attack Abuses PowerPoint Slide Show

A new attack method has been discovered that abuses the CVE-2017-0199 vulnerability. CVE-2017-0199 was originally a zero-day Remote Code Execution vulnerability that used a flaw within Microsoft Office to execute malware embedded within a malicious Rich Text Format (RTF) file. The original flaw existed within the Windows Object Linking and Embedding (OLE) interface of Microsoft Office.

A new method of exploitation has been discovered that uses a PowerPoint slide show (PPSX) file. The exploit arrives as an attachment to an email claiming to be from an internet service provider, as part of a spear-phishing campaign. When opened, the file displays the text “CVE-2017-8570”, which is a different Microsoft Office vulnerability. CVE-2017-0199 is then exploited via a moniker script that downloads a second-stage binary from a remote command and control (C2) server. This binary in turn downloads a Remote Access Trojan (RAT) and executes it.

Previously, the detection rate for this threat was high, but attackers are able to evade detection by using the new PPSX attack vector.

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure staff awareness of phishing attacks. Awareness campaigns should be provided and regularly refreshed to keep employees apprised of the latest phishing techniques.
  • Patch systems regularly with the latest security updates. Microsoft already addressed this vulnerability back in April; users with up-to-date patches are protected from these attacks.
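As an added illustration of the delivery mechanism above from a detection angle (this is not code from the original alert): a scanner that opens an Office Open XML package such as a PPSX and flags OLE relationships whose target lies outside the package, which is the shape a remotely linked object takes. It assumes the link is expressed as an OOXML relationship with `TargetMode="External"` in a `_rels/*.rels` part, and it uses a constructed, inert sample package rather than any real exploit file; the same check applies to .docx and .pptx packages.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Fixed OOXML (ECMA-376) namespace and relationship type for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Targets with these schemes resolve outside the package. An optional
# moniker name such as "script:" in front of the URL is also caught.
REMOTE_SCHEME = re.compile(r"^(?:script:)?(?:https?|file|ftp)://", re.I)


def find_external_ole_links(data: bytes):
    """Return (part, relationship id, target) for every OLE relationship that
    points outside the package. Hyperlinks are deliberately ignored, since
    those are legitimately external; only OLE objects are flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if rel.get("Type") == OLE_REL and (external or REMOTE_SCHEME.match(target)):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_sample_ppsx(ole_target: str, external: bool) -> bytes:
    """Construct a minimal, inert PPSX-shaped package for testing (an
    assumed layout, not a real sample); only the .rels part matters here."""
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">' % REL_NS +
            '<Relationship Id="rId2" Type="%s" Target="%s"%s/>' % (OLE_REL, ole_target, mode) +
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

A package that embeds its OLE object internally produces no hits, while one whose slide links an OLE object to a remote URL is reported with the part name and target.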





Globe Imposter 2.0 Ransomware

A new version of the Globe Imposter ransomware has been identified (Globe Imposter 2.0). This is the second release of the encryption trojan. It has the same ransom note and encryption standards as the previous version, and aims to avoid detection by communicating via multiple email accounts and servers on the Tor network.

Globe Imposter is distributed via spam emails carrying fake invoices that convince the user to open a macro-enabled Microsoft Word file. Once opened, the Globe Imposter 2.0 ransomware is installed in a random folder within the AppData directory and begins searching for accessible storage devices and removable media to encrypt.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts, and that permissions are always assigned on the basis of least privilege.





JavaScript Backdoor – Bateleur

A new JavaScript backdoor has been observed in recent attacks by Carbanak, an Advanced Persistent Threat (APT) group.

The backdoor is considered adaptable and versatile. Bateleur contains many features, including anti-sandbox and anti-analysis functionality, retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of .exe and .dll (Dynamic Link Library) files, taking screenshots, and uninstalling and updating itself.

Bateleur may also be able to steal passwords, although this requires an additional module from its command and control (C2) server.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

Ensure anti-virus is kept up to date.

As the backdoor has only just been detailed, detection may be low and will have been non-existent in the past; retrospective hunting for its indicators in historic logs is therefore recommended.

A full-spectrum IPS/IDS system would also mitigate the risk through active detection capabilities, as would a mature Security Operations Centre.

Network segregation is advisable, as it would prohibit lateral movement across corporate networks, hindering an attacker’s ability to access sensitive information from multiple parts of the business.





Microsoft Office Outlook Memory Corruption Vulnerability

Affected Platforms

All versions of Microsoft Office (Outlook) across all platforms

Description

A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

The security update addresses the vulnerability by correcting the way that Microsoft Outlook parses specially crafted email messages.

Remediation

Review and apply the updates in Microsoft’s guidance for CVE-2017-8663.





New Variant Of The Feodo Banking Trojan – Emotet Trojan

A new variant of the Feodo banking trojan called Emotet has been identified. It has refined its operation in a number of areas including its ability to spread, prevent analysis and act as a backdoor to further malware installation.

This trojan is distributed through mass spam email campaigns that include an attached macro-enabled Word document. The email and attachment reportedly claim to be an invoice, but upon opening the document the malware is dropped onto the system.

Emotet is capable of intercepting encrypted communications by performing a Man-in-the-Browser (MitB) attack, capturing log-in credentials for banking and social media accounts, infecting the system with further malware and also stealing money from the compromised bank account(s). Email contacts on the infected system are harvested, allowing targeted campaigns against the contacts of the system’s owner.

It also attempts to spread laterally over the network by brute-forcing the passwords of any accounts visible to it, including accounts on network shares and other network locations, and then dropping a self-extracting RAR file onto the compromised host, thus spreading and starting the cycle again.

When the malware detects that it is operating in a sandbox or virtual environment it alters its behaviour to prevent proper analysis and research. It is reported that its behaviour also changes based on geographical location; in the UK it has been seen dropping the Dridex banking trojan on infected systems.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

  • Monitor network and proxy logs for indicators of compromise.
  • Never open email attachments or links from untrusted sources. If an email looks suspicious the user should try to make contact with the sender by other means to verify their identity.
  • Ensure malware definitions are kept up-to-date.
  • Make sure that cyber-awareness training is kept up-to-date.
  • Ensure that macros are disabled by default.
  • Enforce strong password policies on all accounts.





SMBloris – Zero-Day SMB Vulnerability

A new zero-day vulnerability was found during research into the EternalBlue exploit released by the Shadow Brokers group. It was discovered that SMBv1 handles allocation of non-paged pool memory in a way that can be exploited. SMB allocation works by allowing the client to tell the server the size of the buffer it plans to send; the server then reserves a buffer of that size in memory.

The SMBloris exploit works by sending a request for a large buffer size but never sending the content, leaving the memory reserved. With enough of these connections open, the non-paged pool quickly fills up, denying memory to other resources until it is totally exhausted. At this point the server crashes so completely that it is not even capable of displaying a blue screen of death (BSoD), because there are not enough resources left to generate the error page; the server simply freezes and is unable to recover.

Affected Platforms:

Microsoft Windows SMBv1

Recommended Actions:

Restrict access to TCP/445 from untrusted networks.

Disable SMBv1.





Vault 7: BothanSpy and Gyrfalcon

Documentation relating to further malware tools has been released as part of the WikiLeaks Vault 7 series.

BothanSpy is described as an implant which targets the popular Microsoft Windows SSH client, Xshell, and steals user credentials for all active SSH sessions. The credentials can be either a username and password or a private SSH key (and password, if set).

Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms. The implant is able to steal user credentials from active sessions and is also capable of collecting OpenSSH traffic.

The compilation date of the documentation states that it was written in 2015, which suggests that newer operating systems could also be affected by the implants.

Affected Platforms:

Xshell version 3, build 0288
Xshell version 4, build 0127
Xshell version 5, build 0497
Xshell version 5, build 0537
Ubuntu 11.10 (x86/x64)
SuSE 10.1 (x86/x64)
RHEL 6.4 (x86/x64)
RHEL 5.10 (x86/x64)
RHEL 4.8 (x86/x64)
RHEL 4.0 (x86/x64)
Debian 6.0.8 (x86/x64)
CentOS 6.0.8 (x86/x64)
CentOS 6.4 (x86/x64)
CentOS 5.10 (x86/x64)
CentOS 5.6 (x86/x64)
Microsoft Windows Vista

Recommended Action:

  • Monitor network and proxy logs for any anomalous behaviour.
  • Consider remotely logging any attempts to access restricted platforms, which may highlight suspicious activity.
  • Make sure that users and services are only operating with the required level of privileges.




RSA-1024 Private Key Extraction Made Possible

A group of security researchers has discovered a vulnerability in the Libgcrypt library used by GnuPG that could allow an attacker to recover the private key.

This type of attack is likely to be used by APT groups as part of the exfiltration phase of an attack where the goal is to collect data such as an organisation’s intellectual property.

GnuPG is a widely used free implementation of the OpenPGP standard and is used to encrypt and sign data and communications securely. Libgcrypt is the library within the GnuPG package that provides the cryptographic functionality.

Updated packages have now been released for all major distributions and can be obtained from the relevant package managers.

Affected Platforms: libgcrypt20

Recommended Action:

  • Ensure libgcrypt20 is updated at the earliest opportunity wherever it is in use.
  • Where data is highly sensitive, stronger encryption should be considered.
  • Ensure a multi-layered approach is taken to security solutions, with host- and network-based intrusion detection in place to detect attacks against systems and to pick up indicators of exfiltration attempts from systems within the network.




ZeroAccess Trojan

ZeroAccess is a stealthy trojan which has been infecting Microsoft Windows systems since at least 2011.

ZeroAccess is used to download other malware onto an affected host using a botnet that had previously been associated with Bitcoin mining and click fraud. It is designed to remain undetected on targeted systems using rootkit techniques.

Upon initial infection, ZeroAccess overwrites core Windows system files and installs kernel hooks in an attempt to remain stealthy.

The primary purpose of the malware appears to be revenue generation through pay-per-click advertising. However, a back door is installed to allow connections to a command and control server. This provides a remote attacker with full access to the compromised system.

Affected Platforms: Microsoft Windows – all versions




Ensure that:

  • a robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • all operating systems, applications, antivirus and other security products are kept up to date.
  • all day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts and that permissions are always assigned on the basis of least privilege.
  • your organisation adopts a holistic, all-round approach to Cyber Security as advocated by the 10 Steps To Cyber Security.

The Azer Variant of CryptoMix Ransomware

Security researchers have observed a new variant of CryptoMix ransomware named Azer. This ransomware encrypts files in much the same manner as the other variants in the CryptoMix family.

Azer differs by adding the string “email-[webmafia@asia.com].AZER” to the encrypted files. It performs no network communication and works completely offline.

Security researchers first spotted the CryptoMix ransomware in March 2016, and during early 2017 the authors renamed CryptoMix to CryptoShield. CryptoMix code quality is quite low compared to other ransomware families, and it even contains flaws that may leave users’ files undecryptable. There have been several reports of users paying the unusual extortion amount (5 to 10 Bitcoins) and subsequently being left without decrypted files.

Affected Platforms: Microsoft Windows – All Versions

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts, and that permissions are always assigned on the basis of least privilege.
  • Your organisation adopts a holistic, all-round approach to Cyber Security as advocated by the “10 Steps To Cyber Security”.

To limit the damage of ransomware and enable recovery:

  • All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.
  • Multiple backups should be created including at least one off-network backup (e.g. to tape).