Monday, October 28, 2019

Apps Apple App Store that are infected with clicker trojan malware.

    Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

    The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

About the infected apps

    The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

Adware Campaign Affects Millions

    Smartphones have become the icon of our modern technological society. They are so prevalent that app development has grown exponentially in recent years in the struggle to become the next Facebook or Pinterest. The phrase “There’s an app for that” truly describes the breadth of apps available. However, this can also lead to many malicious apps available that could be harmful to users, such as the Ashas family of adware apps available on the Google Play store.

    ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.

    The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background. 

    ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually the author’s YouTube channel and personal Facebook page. All of the information was publicly-available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and then later decided to turn to malicious behavior.

Sources:

 • https://thehackernews.com/2019/10/42-adware-apps-with-8-milliondownloads.html 

 • https://www.welivesecurity.com/2019/10/24/tracking-down-developerandroid-adware/ 

https://www.zdnet.com/article/vietnamese-student-behind-androidadware-strain-that-infected-millions/10

Tuesday, October 22, 2019

Unpatched Linux bug may open devices to serious attacks over Wi-Fi

NIST   National Vulnerability Database  - CVE-2019-17666 Detail            
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
 
Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.
 
A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.
The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.
"The bug is serious," Nico Waisman, who is a principal security engineer at Github, told Ars. "It's a vulnerability that triggers an overflow remotely through Wi-Fi on the Linux kernel, as long as you're using the Realtek (RTLWIFI) driver."
The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.
Waisman said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine.
"I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
After the vulnerability became public, the researcher discussed the flaw on Twitter.

Notice of Absence

The driver flaw can be triggered when an affected device is within radio range of a malicious device. As long as the Wi-Fi is turned on, it requires no interaction on the part of the end user. The malicious device exploits the vulnerability by using a power-saving feature known as a Notice of Absence that's built into Wi-Fi Direct, a standard that allows two devices to connect over Wi-Fi without the need of an access point. The attack would work by adding vendor-specific information elements to Wi-Fi beacons that, when received by a vulnerable device, trigger the buffer overflow in the Linux kernel.
The vulnerability only affects Linux devices that use a Realtek chip when Wi-Fi is turned on. The flaw can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer. Based on links here and here, it appears that Android devices with Realtek Wi-Fi chips may also be affected.
Representatives of both Realtek and Google didn't immediately comment on this story.
While it's still not clear how severely this vulnerability can be exploited, the prospect of code-execution attacks that can be staged wirelessly by devices within radio range is serious. This post will be updated if new information becomes available.

you can read the full post here

Monday, October 21, 2019

New malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic.

   The vast majority of websites these days have Hypertext Transfer Protocol Secure (HTTPS) enabled, adding a layer of security that protects our communications against eavesdropping and tampering. It is encrypted using Transport Layer Security (TLS), the current standard for secure web communication. Like all protocols, it is not immune to attack. Some of the more infamous malware that impacts TLS (or its predecessor Secure Sockets Layer [SSL]) are FREAK, Logjam, POODLE, and Heartbleed.

   More recently, researchers from Kaspersky's Global Research and Analysis Team (GReAT) discovered a malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic. Dubbed Reductor, it appears to be related to the COMPfun trojan discovered in 2014, which provides one of its infection vectors. Servers that that are infected with COMPfun can be used to download and install Reductor. Reductor is also delivered through software downloads from untrustworthy sites. 

   Once installed, the malware patches Firefox® and Chrome web browsers to snoop on the victim's encrypted traffic. It modifies the target's TLS certificate and gives the attacker remote access to manipulate and execute files. What really sets Reductor apart is the way that it patches the code for pseudorandom number generator functions (PRNG). This function adds random numbers to the packet at the beginning of the TLS handshake. Reductor is able to use the PRNG code to inject victim-specific identifiers, allowing the attacker to track the victim's traffic wherever it goes. 

   GReAT believes Reductor comes from a hacker group operating under the protection of the Russian government and may be linked to the Advanced Persistent Thread (APT) group Turla, however there is no concrete evidence to support a Turla connection. There are similarities both with the COMPfun code and in the affected victims, where "cyber-espionage on diplomatic entities" appears to be a primary objective. 

Sources
 • https://www.bleepingcomputer.com/news/security/hackers-patch-webbrowsers-to-track-encrypted-traffic/

https://threatpost.com/new-reductor-malware-hijacks-httpstraffic/148904/

https://securelist.com/compfun-successor-reductor/93633/

New Phishing Emails Attack

  Phishing emails typically provide some obvious tells to their malicious nature. However, when a    phishing email contains information such as organizationspecific email bodies and email signatures, organization branding, and relevant news, it can be harder to distinguish the difference between legitimate and malicious. These factors are what make the phishing campaign of TA407 or the “Silent Librarian” threat actor group different. This group, as described by researchers at Proofpoint and Secureworks, are a group of Iranian hackers targeting the intellectual property of universities in the United States and Europe.

    This is done through a phishing campaign targeted at university students which redirect users to a malicious landing page tailored to look like the universities’ login page. The hackers are then able to access library content with the stolen account credentials. 
What makes this campaign unique is the length at which the threat actors went to appear convincing. Each targeted university has a personalized landing page. In addition to that, the email contains proper grammar, providing links to library resources and a helpdesk email address if the student should need any help with account login. The landing page contains spoofed display names, stolen branding matching the actual login page and even in one case, an accurate weather forecast informing students that the campus is closed due to a snowstorm.

   In 2018, the US Department of Justice charged nine members of the group for their actions, alleging that between 2013 and 2017, TA407’s activities accounted for $3.4 billion worth of stolen intellectual property, 31.5 terabytes of academic data, almost 8000 compromised university accounts and 3700 compromised accounts belonging to professors at US-based universities. They also allege that 144 US-based and 176 foreign universities were victims of the scheme. The Department of Justice states that this group operates on behalf of the Iranian government and that the stolen data is being used by the Iranian government and Iranian universities. Although this specific phishing campaign is targeted toward students, there are many steps that you can take to avoid falling victim to phishing emails. Noticing such things as a strange sender email address, the lack of identifying information (e.g. valid account number, name, address), links to strange domains, and improper grammar may all be a tell that the email is malicious. If you are still unable to determine if it is a phishing email, it may be best to visit the site in question directly and not through any links provided in the email. 

Sources

https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/

 • https://www.proofpoint.com/us/threat-insight/post/threat-actor-profileta407-silent-librarian 

New Infected Docker Daemons in the Docker Engine

    Researchers at Palo Alto's Unit 42 have discovered a worm that mines Monero, a privacy focused cryptocurrency, and spreads itself via infected Docker Daemons in the Docker Engine. Shodan scans of Docker engines show over 2000 unsecured Docker hosts. The researchers have named the cyptojacking malware Graboid. 

    Graboid has a downloader planted on an infected Docker image with a Docker Client tool used to connect to other Docker hosts. The attacker accesses an unsecured Docker host and infects it with the malicious image. Anti-virus solutions would normally look for viral content or virus like activity but not check the contents of data within container as the container is maintained separately from the main machine. This form of obfuscation has been observed in other containerization solutions before, but Graboid is exceptional in its erratic and relatively ineffective methodology.

    After retrieving and establishing the malicious image, the attacker then downloads the 4 shell scripts of DOOM. These Shell scrips are named live.sh, worm.sh, xmr.sh, and cleanxmr.sh. The first script, live.sh, surveys the victim assessing the resources to be plundered. it reports the number of available CPUs on the compromised host for the Command & control (C2) server to coordinate. The next script brings the ever hunting nose of the beast. The worm.sh script downloads the list of over 2000 vulnerable host's IPs and replicates itself onto one of those IPs randomly. Then the last two scripts bring the chaos. The xmr.sh script deploys gakaws/nginx, a Monero cryptominer disguised to look like a NGIX load balancer/ web server, and does so on a randomly selected infected server. The last script, cleanxmr.sh, stops any xmrig based containers on another randomly selected infected server. It seems like Graboid runs Cleanxmr.sh before it runs xmr.sh as to avoid deactivating any Docker engines that just had their Monero mining capabilities turned on. This leads to a delay in the mining capabilities being turned on until the host is selected randomly by another infected host. Eventually the host will be selected to be disabled until a later time to be re enabled. This flash of infection and erratic appearances as well as the worm functionality has led to the researcher's choice in naming the malware after the monsters in the 1990's film Tremors.

    Graboid currently uses 15 C2 servers where 14 are included in the list of vulnerable IPs and the last has over 50 known vulnerabilities. The researchers have observed that it is likely these are controlled by the attacker illicitly. they have also calculated that it would have taken about 60 minutes to infect 70% of the vulnerable hosts with returns diminishing sharply after that. At that point there would be about 900 active miners at any particular time rotating through the available infected hosts with all of the infected hosts acting as nodes to facilitate communication with the Monero blockhain network. With a 100 second period of activity, a node is expected to be active for 250 seconds before being deactivated.

Sources:
 • https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/

https://threatpost.com/dockercontainers-graboid-cryptoworm/149235/

https://securityaffairs.co/wordpress/92586/malware/graboidtargets-docker-hub.html

NSA and NCSC Release Joint Advisory on Turla Group Activity


National Cyber Awareness System:

 


10/21/2019 11:56 AM EDT

 

Original release date: October 21, 2019

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:
•    NSA Advisory
Turla Group Exploits Iranian APT To Expand Coverage Of Victims
•    UK NCSC Advisory Turla group exploits Iranian APT to expand coverage of victims
•    January 2018 UK NCSC Report Turla Group Malware

Wednesday, October 16, 2019

Is Your VPN at Risk ?

    A commonly used method to secure network resources is a Virtual Private Network (VPN). They allow remote network devices to securely communicate with local resources as if they were physically plugged into the same network segment. You may even use one when working remotely to help keep your network traffic secure. While they can easily provide a lot of protection from various network attacks there are many pitfalls to avoid in order to keep the network resources secure.

    One common mistake when setting up a VPN is not properly securing the devices that the VPN provides access to. Because the servers or devices will not have direct inbound internet access many times a relaxed security policy is taken. This is because it is assumed that in order to access them an attacker would first have to either be on the network directly or be connected tuourhrough the VPN. Another common mistake is not regularly updating the VPN software. There are many reasons this can occur, including avoiding downtime or not wanting to break something that appears to be working fine as is.

    This week the National Security Agency (NSA) issued an advisory stating that APT groups have been actively using flaws in some popular VPN software to attack networks. They say the groups have weaponized three vulnerabilities against two pieces of VPN software, Pulse Secure VPN and Fortinet VPN. Two of the vulnerabilities, CVE-2019-11539 and CVE-201911510 specifically target Pulse Secure VPN servers. They allow remote unauthenticated command injection and arbitrary file reads on the VPN server device. The remaining vulnerability, CVE-201813379, targets Fortinet VPN servers and allows for remote unauthenticated arbitrary file reads from the server device. The National Cyber Security Center in the UK posted a separate advisory which added CVE-2018-13383 and CVE-2018-13383 to the list of vulnerabilities being used against Fortinet devices. Palo Alto Networks VPN software was also added to the vulnerable devices list with attackers utilizing CVE-2019-1579 for remote code execution on the affected VPN servers.

    In total the two agencies reported six vulnerabilities against three separate VPN software vendors. For each of the affected VPN products the vulnerabilities being used could allow an attacker access to the network resources as if the attacker were physically on the network. All of the affected products have updates available to fix these flaws so it is important that they are updated immediately if an affected version is still in use. The NSA also recommends rotating any existing VPN keys or tokens just in case they were stolen before the patches were able to be applied. 
Sources:

https://threatpost.com/apt-groupsexploiting-flaws-in-unpatched-vpnsofficials-warn/148956/

https://www.cyberscoop.com/vpnvulnerabilities-china-apt-palo-alto/

Saturday, October 5, 2019

Ransomware attacks across the world - TheCybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world: See CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of ransomware:
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Backup data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
  • Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA's Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak for more information.
For recent CISA Alerts on specific ransomware threats, see:
Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns that although modernization of transport protocols is helpful, it also makes it more difficult to monitor or modify DNS requests. These changes could render an organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators review the Dutch NCSC fact sheet on DNS monitoring for additional information and recommendations.

Microsoft Reports Cyberattacks on Targeted Email Accounts


Original release date: October 4, 2019

The Microsoft Threat Intelligence Center (MSTIC) has released a blog post describing an increase in malicious cyber activity from the Iranian group known as Phosphorus. These threat actors are exploiting password reset or account recovery features to take control of targeted email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Microsoft blog for additional information and recommendations and CISA’s Tip on Supplementing Passwords.

New Portable Document Format (PDF) attack on encryption features

    The Portable Document Format (PDF) standard has been able to provide many benefits that unify communications across many different software and hardware platforms. One of those elements is the encryption schemes that allow users to password protect their documents from view, edit, or saving permissions without the required password. Another encryption feature included with the PDF standard is the ability to sign documents with an electronic signature with the same legal standing as a handwritten signature, this may include digital signing which uses cryptographic measures to assure authenticity.

    Researchers from Ruhr University Bochum, FH M√ľnster University of Applied Sciences, and Hackmanit GmbH have developed a two pronged attack on the security measures of PDFs and their encryption schemes. They have named their attack PDFex. In their research they developed methods for the exfiltration of the contents of the encrypted PDF with minimal prior knowledge of the contents of the PDF file. The methods studied can also modify the contents to change the plain text as well as add malicious functionality. The first prong of PDFex attack methods rely on how an encrypted PDF only encrypts portions of the PDF file leaving other portions unencrypted and unprotected. The attacker is then able to modify the contents of the unencrypted portions of the file. In this way they can plant data which submits a form including the contents of the PDF to an attacker controlled server granting the attacker access to the contents of the PDF. The attacker can edit an unencrypted field with a URL which will be sent encrypted and unencrypted strings from the document. The last method in this attack on the unencrypted portion of PDF files injects JavaScript code into the document which then ex filtrates the data within the file. This is the "Direct Exfiltration" method of the PDFex attack.

    The other prong of this attack uses CBC malleability gadgets, tools that are able to edit cipher texts encrypted with the cipher block chaining (CBC) encryption mode without integrity checks. It just so happens that the PDF standard does exactly that. This method can modify plain text as well as add in new encrypted content to the file. This technique can enact the PDF forms and hyperlink techniques as listed in the Direct Exfiltration method. The CBC Gadgets method can also edit PDF object streams such that they submit themselves to an attacker controlled server. Both attacks require the victim to open the tainted document so that the traps can deliver the finally decrypted information to the attacker. The researchers have tested their techniques on 27 PDF viewers and all were susceptible to at least one method of the PDFex attack.
    The attack requires that the attacker have access to the file to modify it, some of the attacks have other requirements such as the ability to trigger URL s from the viewer, or for the viewer to have permission to use JavaScript in the background. One of the researchers reported to Threatpost that "There are currently no effective countermeasures, as the weaknesses lie in the PDF encryption standard itself" and that the best mitigation is to use additional layers of encryption outside of the PDF standard to protect their data.

Sources:

https://www.pdf-insecurity.org/download/paper-pdf_encryptionccs2019.pdf

https://threatpost.com/hack-breakspdf-encryption/148834/

New Malware Uses messaging app Telegram

    Remote malware has been around for almost the entire history of computers. Attackers are always looking for ways to exfiltrate data from systems and be able to control their malware from a remote location. The Command & Control (C2) devices are usually servers controlled by the attacker, but a new malware dubbed by Juniper researchers as Masad has taken a different approach: using the messaging app Telegram for its C2 functions.

    Telegram is a popular messaging and Voice-over-IP (VoIP) app with over 200 million active monthly users. This makes it a pretty good place to try and hide malicious activity. Masad uses the sendDocument API of Telegram to exfiltrate data stolen from victims as a 7zip archive. Juniper has detected over 1,000 variants of Masad in the wild, as well as 338 unique Telegram C2 bots related to its use. Due to the malware being sold as a product rather than kept to a particular group, multiple groups can be using Masad for different campaigns. The developers of Masad have even created a group within Telegram with over 300 members, designed for potential clients and tech support.
Masad’s attack vectors include disguising itself as a legitimate tool or hiding itself in other third-party tools. For instance, it has been seen mimicking CCleaner, Utilman, Whoami, ProxySwitcher, a Samsung Galaxy software update, and many others. The developers have also included current trends in gaming, especially for younger internet users that may not be security conscious, by hiding Masad as Fortniteaimbot 2019.exe and an EXEA HACK CRACKED executable claiming to be for PUBG, CounterStrike Global Offensive, Fortnite, Grand Theft Auto 5, and DOTA.

    The malware also has the capability to download additional malicious tools, usually more cryptominers. Masad has a wide array of abilities for information stealing in addition to its cryptomining. It can steal system information including running processes, desktop files and screenshots, browser information such as cookies, passwords, credit cards, and AutoFill data, as well as Steam, FileZilla, and Discord files. Masad is also being advertised as a Clipper which looks for cryptocurrency wallet information in the system’s clipboard and replaces it with the attacker’s wallet information. It searches for over two dozen different flavors of cryptocurrency, including Bitcoin, Litecoin, Monero, Ethereum, and DogeCoin.

    Juniper researchers recommend locking down the Telegram communication protocol at the firewall level provided there is no legitimate business use that this would interrupt. They also suggest using a next-generation firewall with Advanced Persistent Threat (APT) protection to help counteract the malware if it gets inside the organization.

Sources

https://threatpost.com/masad-spyware-telegram-bots/148759/ 

https://coingeek.com/new-malware-uses-telegram-app-to-replace-cryptoaddresses/

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltratingusing-Telegram/ba-p/468559 

Baseband Management Controllers (BMC) critical vulnerability

    Baseband Management Controllers (BMC) are a popular feature found on most motherboards targeting the server market. They provide a number of convenience functions for remote management which is great for machines typically located in a cold noisy room. Some of the functions they provide include remote power cycling, keyboard video mouse (KVM), and virtual media emulation. The combination of these functions can allow an administrator to provision a server without ever having to touch it. With that much power over the system they are bound to be a highly valuable target for attack.

    This week the security company Eclypsium released a critical vulnerability they found in Supermicro’s BMC implementation. The vulnerability reported is in the virtual media service subsystem. This service allows a remote administrator to attach USB devices, such as DVD drives or keyboards, to the machine remotely as if they were physically plugged into the machine. The feature requires authentication to function properly of course but the researchers found a way to bypass this requirement. 

    The first weakness is that the BMC would accept authentication requests via plaintext by default. They noted that encryption support is available but based on an old weak Rivest Cipher 4 algorithm. In addition, the key used when using encryption is shared across all Supermicro devices, making man-in-the-middle decryption possible. They also uncovered a complete authentication bypass in the system. This is possible because the BMC does not timeout a valid authorized session in a timely manner. An attacker would be able to re-use the session and gain access if an administrator had recently successfully logged into the system and used the virtual media service. BMC systems are rarely reset due to their nature of being an always online out of band management system, increasing the likelihood of this attack being successful.

    Supermicro has issued an update to their BMC software, but it is unlikely that machines will be patched immediately. This is due to the machines needing to be completely powered off in order to apply the update. Until then it is recommended to block the port used by the virtual media service, port 623, until the patch can be applied. Researchers warn that this will likely not be the last BMC vulnerability discovered, so additional measures should be taken when possible. The best defense against these attacks is keeping vulnerable machines on a separate network from other traffic. Ideally management interfaces should be on their own network that is not exposed to public facing traffic.

Sources

 • https://csoonline.com/article/3435900/insecure-virtual-usb-feature-insupermicro-bmcs-exposes-servers-to-attack.html

https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack

Fake Veteran Hiring Website

    Researchers at Cisco Talos have discovered a fake veteran hiring website, hosted by an Iranian hacking group, luring users into downloading malware by spoofing a legitimate veteran job search site. The sham website, hiremilitaryheroes.com has been designed to resemble the valid US Chamber of Congress sponsored hireheroesusa.org and is targeting veteran job seekers with malicious code including Remote Administration Trojans and spying tools.

    Researchers have attributed the website to a nation state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The modus operandi for the group has been to first target major IT provider networks in Saudi Arabia and then to leapfrog from those provider networks to customer target networks. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download their “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloads are binary base 64 encoded and perform reconnaissance and provide remote administrative access to the victim’s machine.

    The recon tool collects a vast amount of information from the system including, date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two hardcoded email addresses in the malware, “ericaclayton2020@gmail.com” and “marinaparks108@gmail.com”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and to execute commands on the system.
    The malicious website has the potential to impact a large swath of victims due to the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many could be infected if this fake site is shared online among social media sites. 

Sources:

https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

Google Play Store and Malicious Applications

    There has always been a battle between the Google Play Store and the malicious applications that attempt to reside on it. Google implements rigorous security testing of all apps, but some can still slip through the cracks. Such was the case when researchers from Symantec’s Threat Intelligence team found 25 instances of malicious apps, with a combined userbase of over 2.1 million, on the Google Play Store. These apps were designed to be camouflaged as photo utility and fashion apps, and upon download, did not exhibit any malicious properties. It wasn’t until the app downloads a remote configuration file that it becomes malicious. This behavior is what allows the app to bypass the security checks implemented by Google. Since the malicious code is not actually in the app and is downloaded remotely, Google is none the wiser. Researchers say that the 25 apps share a similar code structure, leading them to believe that the developers are part of the same organization or, at least, using the same code base. 

    Once installed, the app hides its icon and begins to display full-screen advertisements at random intervals with the app title hidden. This is done to prevent users from determining which app is responsible for the ads. This behavior continues even when the app is closed. This can be confusing for users who cannot even recall downloading the app as there is no icon or name associated with the behavior. Another interesting trick the developers use is the use of two versions of the same app. One version is a malicious version with full-screen advertisements while the other is a non-malicious version, which just so happens to be present in the Google Play’s Top App Charts. The researchers believe that this is done in the hope that users accidentally download the malicious copy of the app instead of the popular, non-malicious version. 

    The researchers believe that the primary reason for the creation of these apps is the monetary gain from the advertising revenue. There will be some subset of users that will continue to deal with the advertisements, despite their annoyance. When downloading apps from the Google Play Store, it can be difficult to determine which are malicious at first glance. In order to protect yourself from malicious applications, the researchers suggest keeping software updated, not downloading apps from unfamiliar sites, only installing apps from trusted sources, and noticing the permissions requested by apps that you download

Sources: 

https://www.bleepingcomputer.com/news/security/malicious-androidapps-evade-google-play-protect-via-remote-commands/ 

https://www.symantec.com/blogs/threat-intelligence/hidden-adwaregoogle-play09