Category Archives: Security Alert

AnyDesk Bundled with New Ransomware Variant

Trend Micro recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH) which drops and executes the legitimate remote-access tool AnyDesk alongside its malicious payload. This isn’t the first time malware has abused a tool of this kind: TeamViewer, which has more than 200 million users, was abused by a previous ransomware that used the victim’s connections as a distribution method.

In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.

Although the specifics of how RANSOM_BLACKHEART enters the system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites.

Once downloaded, RANSOM_BLACKHEART drops and executes two files:

  • %User Temp%\ANYDESK.exe
  • %User Temp%\BLACKROUTER.exe

Trend Micro believes bundling AnyDesk with the ransomware may be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk starts running in the background of the affected system, masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer’s developers have acknowledged its abuse and have added some anti-malware protection to some of their tools. Note that ANYDESK.exe is a legitimate binary, so its hash alone is not a useful indicator; the signal is AnyDesk being dropped into and launched from %User Temp% alongside BLACKROUTER.exe.

[Screenshot of the ransom note]




cURL FTP Shutdown Response Buffer Overflow Remote Code Execution Vulnerability [CVE-2018-1000300]

CVE Number – CVE-2018-1000300

A vulnerability in cURL could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a heap-based buffer overflow that can occur when the affected software closes an FTP connection after receiving very long server command replies. An attacker could exploit this vulnerability by persuading a user to send a request to an attacker-controlled FTP server. If successful, the attacker-controlled server could return a malicious FTP shutdown response that triggers the heap-based buffer overflow, which the attacker could use to execute arbitrary code in the context of the curl process.
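As an added illustration of the bug class behind this advisory (this is not curl's code; every struct, function and constant below is hypothetical): response bytes cached during one transfer are later handed to a second "closure" handle whose receive buffer was sized independently. The vulnerable pattern copies without comparing the two sizes; the hardened pattern refuses a cached reply that does not fit.

```c
/* Added example of the bug class, not libcurl source. All names are
 * hypothetical; 16384 stands in for a default receive-buffer size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_BUFFER_SIZE 16384   /* receive buffer of the closure handle */

/* Minimal stand-in for a transfer handle with its own receive buffer. */
struct handle {
    char  *buffer;
    size_t buffer_size;
};

/* Server reply bytes left over from the original transfer, cached for the
 * shutdown sequence; their length was bounded by the *original* handle. */
struct reply_cache {
    const char *data;
    size_t      len;
};

static struct handle *handle_new(size_t buffer_size)
{
    struct handle *h = calloc(1, sizeof *h);
    if (!h)
        return NULL;
    h->buffer = malloc(buffer_size);
    if (!h->buffer) {
        free(h);
        return NULL;
    }
    h->buffer_size = buffer_size;
    return h;
}

static void handle_free(struct handle *h)
{
    if (h) {
        free(h->buffer);
        free(h);
    }
}

/* Vulnerable pattern: assumes the cache fits the destination. A cached
 * reply longer than dst->buffer_size overwrites heap memory past the
 * buffer. Kept only to show the missing check; never call it with
 * cache->len > dst->buffer_size. */
size_t copy_cached_reply_unchecked(struct handle *dst, const struct reply_cache *cache)
{
    memcpy(dst->buffer, cache->data, cache->len);
    return cache->len;
}

/* Hardened pattern: compare the two sizes first. Returns bytes copied,
 * or -1 when the cached reply does not fit. */
long copy_cached_reply_checked(struct handle *dst, const struct reply_cache *cache)
{
    if (cache->len > dst->buffer_size)
        return -1;
    memcpy(dst->buffer, cache->data, cache->len);
    return (long)cache->len;
}

/* Constructed server reply of `len` bytes (think of a huge 221 banner). */
static char *make_reply(size_t len)
{
    char *p = malloc(len);
    if (p)
        memset(p, 'A', len);
    return p;
}

/* Run the checked copy for one buffer/reply size pair; -1 on rejection
 * or allocation failure, otherwise the number of bytes copied. */
long try_copy(size_t buffer_size, size_t reply_len)
{
    long rc = -1;
    struct handle *h = handle_new(buffer_size);
    char *reply = make_reply(reply_len);
    if (h && reply) {
        struct reply_cache c = { reply, reply_len };
        rc = copy_cached_reply_checked(h, &c);
    }
    free(reply);
    handle_free(h);
    return rc;
}

/* 1 when an oversized reply is rejected and an in-bounds one accepted. */
int demo_closure_handle(void)
{
    return try_copy(DEFAULT_BUFFER_SIZE, DEFAULT_BUFFER_SIZE + 4096) == -1 &&
           try_copy(DEFAULT_BUFFER_SIZE, 512) == 512;
}

int main(void)
{
    printf("checked copy rejects oversized reply: %s\n",
           demo_closure_handle() ? "yes" : "no");
    return 0;
}
```

The check belongs at the hand-off between the two handles, because each handle's buffer is sized correctly for its own transfer; it is the implicit assumption that both buffers are the same size that breaks.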

The cURL Project has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, an attacker may use misleading language and instructions to persuade a user to send a request to an attacker-controlled server.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.

    Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.

    Administrators are advised to use an unprivileged account when browsing the Internet.

    Administrators are advised to monitor critical systems.

Vendor Announcements
Fixed Software
  • The cURL Project has released software updates at the following link: cURL 7.60.0. The project's advisory lists curl 7.54.1 up to and including 7.59.0 as affected. Software that bundles its own libcurl (package managers, language bindings, appliances) needs the same check, since the version reported by the host's curl binary says nothing about an embedded copy.





Pivotal Software Spring Security OAuth Authorization Request Remote Code Execution Vulnerability [CVE-2018-1260]

CVE Number – CVE-2018-1260

A vulnerability in Pivotal Software Spring Security OAuth could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to improper validation of user-supplied input processed by the affected software. An attacker could exploit the vulnerability by sending an authorization request that submits malicious input to the targeted authorization endpoint. An exploit could allow the attacker to execute arbitrary code on the targeted system when the resource owner is forwarded to the approval endpoint.

Pivotal Software has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, an attacker must make an authorization request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

    Administrators are advised to monitor affected systems.

Vendor Announcements
Fixed Software





Google And Microsoft Find New Strain Of Spectre And Meltdown [Variant 3a & 4]

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

CVE-2018-3639 – Speculative Store Bypass (SSB) – known as Spectre Variant 4 or SpectreNG

Security researchers at Google and Microsoft have found new variants of the Spectre class of speculative-execution flaws first reported in January this year.

To exploit either of these vulnerabilities, an attacker must be able to run crafted or script code on an affected device.

Security researchers identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems.

Intel worked closely with other technology companies and several operating system and system software vendors, developing an industry-wide approach to mitigate these issues promptly.

To fix the problem, Intel has released beta microcode updates to operating system vendors, equipment manufacturers and other ecosystem partners, adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by preventing Speculative Store Bypass from occurring. Intel expects most major operating systems and hypervisors to add support for SSBD starting as early as May 21, 2018. Intel has also stated that SSBD will be off by default because of its performance cost; on Linux the kernel exposes it per process through prctl and seccomp unless it is enabled system-wide, so a patched kernel and microcode alone do not mean a given process is protected.
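The following added example (not Intel's, Microsoft's or any vendor's code) shows how a Linux process can check the kernel's Speculative Store Bypass status and opt itself into SSBD. The sysfs path and the prctl constants are the real Linux interfaces introduced for this issue; the fallback #defines cover older headers, and the text classifier is separated from file I/O so it can be exercised on constructed input.

```c
/* Added example, not vendor code. Checks the SSB status the Linux kernel
 * reports and, where the kernel offers per-process control, requests SSBD
 * for this process. Non-Linux builds compile but report ENOSYS. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Fallbacks for headers that predate the interface (Linux 4.17). */
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE      (1UL << 2)
#endif

#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

enum ssb_state {
    SSB_UNKNOWN,          /* file missing or text not recognised */
    SSB_NOT_AFFECTED,     /* "Not affected" */
    SSB_VULNERABLE,       /* "Vulnerable": no SSBD in microcode or kernel */
    SSB_MITIGATED_GLOBAL, /* "Mitigation: Speculative Store Bypass disabled" */
    SSB_MITIGATED_OPTIN   /* "... disabled via prctl" or "via prctl and seccomp" */
};

/* Classify one line of sysfs text; a trailing newline is tolerated. */
enum ssb_state classify_ssb(const char *text)
{
    if (!text)
        return SSB_UNKNOWN;
    if (strncmp(text, "Not affected", 12) == 0)
        return SSB_NOT_AFFECTED;
    if (strncmp(text, "Vulnerable", 10) == 0)
        return SSB_VULNERABLE;
    if (strncmp(text, "Mitigation: Speculative Store Bypass disabled", 45) == 0)
        return strstr(text, "via prctl") ? SSB_MITIGATED_OPTIN : SSB_MITIGATED_GLOBAL;
    return SSB_UNKNOWN;
}

/* Read the live status; SSB_UNKNOWN on kernels without the file. */
enum ssb_state read_ssb_status(void)
{
    char line[128] = {0};
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f)
        return SSB_UNKNOWN;
    if (!fgets(line, sizeof line, f)) {
        fclose(f);
        return SSB_UNKNOWN;
    }
    fclose(f);
    return classify_ssb(line);
}

/* Ask the kernel to disable Speculative Store Bypass for this process
 * (inherited by children). 0 on success; -1 with errno ENXIO when the
 * kernel exposes no SSB control, EINVAL on kernels predating the
 * interface, ENOSYS on non-Linux builds of this example. */
int enable_ssbd_for_self(void)
{
#ifdef __linux__
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    static const char *names[] = { "unknown", "not affected", "vulnerable",
                                   "mitigated (system-wide)", "mitigated (opt-in)" };
    enum ssb_state s = read_ssb_status();
    printf("%s: %s\n", SSB_SYSFS, names[s]);
    if (s == SSB_MITIGATED_OPTIN) {
        if (enable_ssbd_for_self() == 0)
            printf("SSBD enabled for this process\n");
        else
            printf("prctl failed: %s\n", strerror(errno));
    }
    return 0;
}
```

"Vulnerable" after applying the kernel update usually means the microcode update has not reached the CPU yet; "disabled via prctl" means the system is capable but only processes that ask (or are sandboxed with seccomp) are protected.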

Description:

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4

  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

  • Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Additional Information

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:

  • Variant 1: Bounds Check Bypass – CVE-2017-5753
  • Variant 2: Branch Target Injection – CVE-2017-5715
  • Variant 3: Rogue Data Cache Load – CVE-2017-5754
  • Variant 3a: Rogue System Register Read – CVE-2018-3640
  • Variant 4: Speculative Store Bypass – CVE-2018-3639

Patches For Variant 3a & 4

Vendor (link to vendor information) | Date Added
AMD | May 21, 2018
ARM | May 21, 2018
Intel | May 22, 2018
Microsoft | May 21, 2018
Red Hat | May 21, 2018





Google Chrome Malware – Malicious Software Can Steal Your Saved Credit Card Payment Details [Vega Stealer]

Recently, Proofpoint observed a campaign targeting the Marketing/Advertising/Public Relations and Retail/Manufacturing industries with a new malware called Vega Stealer. The malware steals saved credentials and credit card data from the Chrome and Firefox browsers, as well as sensitive documents from infected computers. Vega is a variant of August Stealer with only a subset of its functionality plus several important new features.

Once running, Vega Stealer also takes a screenshot of the infected PC and scans the system for files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx or .pdf to exfiltrate.

Proofpoint is urging users to be on the lookout for suspicious emails that may suddenly pop up in their inbox.

Vega Stealer communicates with a hardcoded C&C server using the HTTP protocol.

The best protection against malware of this kind is to treat every attachment with caution: if you cannot verify where it came from, do not open it.

Domains And IPs To Block

hxxp://46.161.40[.]155




Drupal Remote Code Execution Vulnerability [CVE-2018-7602]

A vulnerability in multiple subsystems of Drupal could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to an unspecified condition in multiple subsystems of the affected software. An attacker could exploit this vulnerability by sending crafted input to the affected application on a targeted system. An exploit could allow the attacker to execute arbitrary code, which could result in a complete compromise of the affected Drupal site.

Drupal.org has confirmed the vulnerability and released software updates.

CVE number – CVE-2018-7602

Analysis
  • To exploit this vulnerability, the attacker must have user-level access to the targeted system. This access requirement could reduce the likelihood of a successful exploit.

    This vulnerability is related to the vulnerability identified as CVE-2018-7600. Cisco previously covered this vulnerability in a Vulnerability Alert at the following link: Alert ID 57297

    Drupal.org is aware that this vulnerability, along with CVE-2018-7600, is being actively exploited in the wild.

Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators are advised to allow only privileged users to access administration or management systems.

    Administrators are advised to monitor affected systems.

Vendor Announcements
  • Drupal.org has released a security advisory at the following link: sa-core-2018-004
Fixed Software





Maikspy Spyware

Maikspy is newly observed spyware that targets users on social media and adult gaming sites. There are two known variants, targeting Google Android and Microsoft Windows devices respectively.

Both variants aim to steal information such as email addresses, banking credentials and contact information. The Android variant propagates via malicious links posted on social media that advertise a fake adult game. Once downloaded, the app displays a message claiming the download failed while the spyware runs in the background. The Windows variant is delivered via malicious RAR archives downloaded from fake adult sites; these include a .txt file asking the user to disable their anti-virus so the spyware can run and steal the user’s information.

The latest Maikspy variants revealed that users contracted the spyware from hxxp://miakhalifagame[.]com/, a website that distributes malicious apps (including the 2016 adult game) and connects to its C&C server to upload data from infected devices and machines.

IPs & Hosts To Block

hxxp://miakhalifagame[.]com

hxxp://fakeomegle[.]com

hxxp://www[.]roundyearfun[.]org ( C&C address to save victims’ data )

107.180.46.243

198.12.155.84

198.12.149.13

Downloading only from legitimate app stores like Google Play can prevent Maikspy from compromising computers and mobile devices. It is also important to be aware of what apps are allowed to access, and to understand the risks before accepting any terms or granting certain permissions to apps.

One way to stay protected is to opt into Google Play Protect. It is designed to work in the background, protecting users from malicious apps in real time.

Affected Platforms

  • Microsoft Windows – All versions
  • Google Android Devices – All versions





GravityRAT Malware

For the past 18 months, Cisco Talos researchers say they have been tracking GravityRAT, with the latest “G2” version spotted a few weeks ago. The location of the developers, known as “The Invincible” and “TheMartian,” is unknown; however, researchers said the documents used to test anti-virus detection via VirusTotal were submitted from Pakistan.

The malware dates back to December 2016, with early samples given the version name G1 and later G2. The latest GravityRAT version, published in December 2017, is GX.

GravityRAT’s infection vector is typical: the target must open a Word .docx email attachment and enable macros. On doing so, recipients are shown a “Protected Document” that prompts them to “prove that the user is not a robot” (similar to a CAPTCHA). Completing that prompt triggers the infection sequence.

In August 2017, the Indian National CERT published an advisory about malicious targeted campaigns that referenced the command-and-control server infrastructure of what Talos later identified as GravityRAT.

C2 Servers

hxxp://cone[.]msoftupdates.com:46769
hxxp://ctwo[.]msoftupdates.com:46769
hxxp://cthree[.]msoftupdates.com:46769
hxxp://eone[.]msoftupdates.eu:46769
hxxp://etwo[.]msoftupdates.eu:46769
hxxp://msupdates[.]mylogisoft.com:46769
hxxp://coreupdate[.]msoftupdates.com:46769
hxxp://updateserver[.]msoftupdates.eu:46769

msoftupdates[.]com
msoftupdates[.]eu
mylogisoft[.]com




Microsoft Exchange Memory Corruption Vulnerability [CVE-2018-8154]

A vulnerability in Microsoft Exchange could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to improper memory operations that are performed by the affected software. An attacker could exploit the vulnerability by sending an email that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the System user and compromise the system completely.

Microsoft confirmed the vulnerability and released software updates.

CVE number – CVE-2018-8154

Analysis
  • To exploit this vulnerability, the attacker must send a malicious request to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

    Microsoft addressed this vulnerability by correcting how the affected software handles objects in memory.

Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to have network access.

    Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

    Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

    Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

    Administrators may consider using the Microsoft Baseline Security Analyzer (MBSA) scan tool to identify common security misconfigurations and missing security updates on system endpoints.

    Administrators are advised to monitor affected systems.

Vendor Announcements

Affected Version

Microsoft Exchange Server 2010 (SP3 RU 21) | 2013 (SP1, CU19, CU20) | 2016 (CU8, CU9)

Fixed Software
  • Microsoft customers can obtain updates directly by using the links in the Microsoft Security Update Guide. These updates are also distributed by Windows automatic update features and are available from the Microsoft Update Catalog. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.





Xen x86 HVM Guest OS Users Denial of Service Vulnerability [CVE-2018-10981]

CVE Number – CVE-2018-10981

A vulnerability in Xen could allow a local attacker on a guest system to cause a denial of service (DoS) condition on a host system.

The vulnerability is due to a failure by the affected software to reject invalid transitions between states. An attacker on a guest system could exploit it by making a malicious request designed to force the QEMU device model on the system to switch the request back and forth between two states. A successful exploit could trigger an infinite loop on the host, resulting in a DoS condition on the affected system.
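As an added illustration of the bug class described above (not Xen's or QEMU's code; the state names, structs and functions are hypothetical): a hypervisor-side loop waits for an emulation request to reach its final state while the device model controls the state field. A loop that merely waits for the final state can be kept spinning by a device model that toggles between two non-final states; a loop that only accepts the legal forward transitions aborts the request instead.

```c
/* Added example of the state-transition bug class, not Xen/QEMU source.
 * The device model is simulated by a scripted sequence of states. */
#include <stddef.h>
#include <stdio.h>

enum req_state { REQ_NONE, REQ_READY, REQ_INPROCESS, REQ_RESP_READY };

/* Scripted device model: the sequence cycles, so a hostile script that
 * never reaches REQ_RESP_READY keeps toggling forever. */
struct dm_script {
    const enum req_state *states;
    size_t n;
    size_t pos;
};

static enum req_state dm_observe(struct dm_script *dm)
{
    enum req_state s = dm->states[dm->pos];
    dm->pos = (dm->pos + 1) % dm->n;
    return s;
}

/* Stands in for "forever": the vulnerable loop had no bound at all. */
#define SPIN_LIMIT 1000

/* Loose loop: keeps waiting on anything except the final state.
 * Returns the iteration count on completion, or -1 when SPIN_LIMIT is
 * reached, which in the real system is an unbounded loop on the host. */
long wait_for_response_loose(struct dm_script *dm)
{
    for (long i = 0; i < SPIN_LIMIT; i++) {
        if (dm_observe(dm) == REQ_RESP_READY)
            return i + 1;
    }
    return -1;
}

/* Strict loop: only READY -> INPROCESS -> RESP_READY (or staying put) is
 * legal; any other observed transition, including moving backwards to
 * READY or NONE, aborts the request. Returns the iteration count on
 * completion, -2 on an illegal transition, -1 if the bound is hit. */
long wait_for_response_strict(struct dm_script *dm)
{
    enum req_state prev = REQ_READY;   /* state when the request was issued */
    for (long i = 0; i < SPIN_LIMIT; i++) {
        enum req_state cur = dm_observe(dm);
        int legal = (cur == prev) ||
                    (prev == REQ_READY && cur == REQ_INPROCESS) ||
                    (prev == REQ_INPROCESS && cur == REQ_RESP_READY);
        if (!legal)
            return -2;
        if (cur == REQ_RESP_READY)
            return i + 1;
        prev = cur;
    }
    return -1;
}

/* Constructed scripts: a well-behaved device model and a hostile one that
 * flips between INPROCESS and READY without ever completing. */
static const enum req_state benign[]  = { REQ_READY, REQ_INPROCESS, REQ_INPROCESS, REQ_RESP_READY };
static const enum req_state hostile[] = { REQ_READY, REQ_INPROCESS, REQ_READY, REQ_INPROCESS };

long run_benign_loose(void)   { struct dm_script d = { benign, 4, 0 };  return wait_for_response_loose(&d); }
long run_benign_strict(void)  { struct dm_script d = { benign, 4, 0 };  return wait_for_response_strict(&d); }
long run_hostile_loose(void)  { struct dm_script d = { hostile, 4, 0 }; return wait_for_response_loose(&d); }
long run_hostile_strict(void) { struct dm_script d = { hostile, 4, 0 }; return wait_for_response_strict(&d); }

int main(void)
{
    printf("benign  loose=%ld strict=%ld\n", run_benign_loose(), run_benign_strict());
    printf("hostile loose=%ld strict=%ld\n", run_hostile_loose(), run_hostile_strict());
    return 0;
}
```

Rejecting illegal transitions removes the attacker's lever, but a benign device model that simply stalls still needs a timeout or preemption point; the strict loop keeps the bound for that reason.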

Xen.org has confirmed the vulnerability and released software updates.

Analysis
  • To exploit this vulnerability, the attacker must have user-level access to a guest system being hosted by a targeted host system. This access requirement could reduce the likelihood of a successful exploit.

    Only x86 systems are affected by this vulnerability. ARM systems are not affected.

Safeguards
  • Administrators are advised to apply the appropriate updates.

    Administrators are advised to allow only trusted users to access local systems.

    Administrators are advised to allow only privileged users to access administration or management systems.

    Administrators are advised to monitor critical systems.

Vendor Announcements
  • Xen.org has released a security advisory at the following link: XSA-262
Fixed Software