Tuesday, June 23, 2020

Qbot Is Back, Targeting U.S. Banking Customers


    Sometimes malware is a one-hit wonder: it shows up, causes chaos, and is never troublesome again once the vulnerabilities it exploits are patched and antivirus signatures are updated. Sometimes, however, a piece of malware keeps reappearing with alterations that make it relevant again. One such program, Qbot, has been around for over 12 years and has now resurfaced to attack customers of a multitude of U.S. financial institutions.

    Qbot, also known as Quakbot, Qakbot, and Pinkslipbot, is Windows-based malware that first appeared around 2008 and has always focused on stealing browsing data and financial information from victims. There are gaps in which Qbot seems to disappear for a while, but it then returns with new functionality such as improved detection evasion or worm-like spreading. New Qbot campaigns were uncovered in October 2014, April 2016, and May 2017, and last year the Emotet gang used it as a payload. The latest strain was first seen in January of this year and is now targeting banking portals for Bank of America, Capital One, Citibank, Citizen’s Bank, J.P. Morgan, Sun Bank, TD Bank, Wells Fargo, and more.

    Researchers at F5 Labs, F5’s application threat intelligence research arm, discovered this variant and worked out how the new infection process works. The malware reaches the target computer through one of several routes: phishing, web exploits that drop it as the payload, or malicious file sharing. Once on the system, the dropper injects Qbot into the running explorer.exe process. Next, the malware copies itself to a default location under the user’s application data folder and registers that copy in HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that it runs again after a reboot. Qbot then writes a .dat file containing system information and the botnet name, executes from the %APPDATA% folder, and replaces the original infection file to cover its tracks. Finally, it injects itself into a newly created explorer.exe instance, which it uses to fetch updates from external C2 servers.

    The newest variant of Qbot includes a packing layer that scrambles the code to evade antivirus scanners and other signature-based tools, as well as anti-virtual-machine techniques to keep analysts from easily examining how the malware operates. The researchers recommend keeping antivirus software updated and applying critical patches for other software promptly. User awareness training for spotting phishing attempts also helps prevent victimization.
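A practitioner reading the infection chain above will want a quick check for the artifacts it names. The following PowerShell is an added example written for this page, not code from F5 Labs or the Qbot report: it lists HKCU Run values whose executable resolves under %APPDATA%, looks for .dat files next to any such executable, and enumerates explorer.exe processes with their parent IDs. The function names, the read-only assumption, and the heuristics are ours; nothing here is a Qbot signature.

```powershell
# Added example (not from the F5 Labs report): hunt for the Qbot persistence artifacts
# described above on a single Windows host. Read-only; run as the user being checked.
# Assumed: Windows PowerShell 5.1 or PowerShell 7. Function and variable names are ours.

$RunKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$AppData = [Environment]::GetFolderPath('ApplicationData')   # what %APPDATA% expands to

function Get-RunEntriesFromAppData {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |      # skip PSPath, PSParentPath, ... metadata
        ForEach-Object {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
            # Executable = quoted first token, else first whitespace-delimited token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            [pscustomobject]@{
                Name      = $_.Name
                Command   = $cmd
                Exe       = $exe
                Exists    = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
                InAppData = $exe.StartsWith($AppData, [StringComparison]::OrdinalIgnoreCase)
            }
        } |
        Where-Object { $_.InAppData }
}

function Get-SiblingDatFiles {
    param([Parameter(Mandatory)][string]$Exe)
    $dir = Split-Path -Parent $Exe
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        Get-ChildItem -LiteralPath $dir -Filter '*.dat' -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$hits = @(Get-RunEntriesFromAppData)
if ($hits.Count -eq 0) {
    Write-Output "No HKCU Run values launch from $AppData"
}
foreach ($h in $hits) {
    Write-Output ("Run value '{0}' -> {1} (exists: {2})" -f $h.Name, $h.Exe, $h.Exists)
    Get-SiblingDatFiles -Exe $h.Exe | ForEach-Object {
        Write-Output ("  sibling .dat: {0} ({1} bytes, modified {2})" -f $_.FullName, $_.Length, $_.LastWriteTime)
    }
}

# The report says the bot injects into a freshly spawned explorer.exe. One explorer.exe
# per logged-on desktop is normal; extras, or one whose parent is not the shell, deserve a look.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine |
    Format-Table -AutoSize
```

Legitimate software also autostarts from the roaming profile, so treat each hit as a lead to triage (Authenticode signature, hash, creation time, what the sibling .dat actually contains) rather than as a verdict. The Run key is only the persistence point the report names; scheduled tasks and the other autostart locations are out of scope here.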

Friday, June 19, 2020

Ripple20 Vulnerabilities Affecting Treck IP Stacks

Treck TCP/IP Stack (Update A)

Legal Notice

All information products included in https://us-cert.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.



1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely
  • Vendor: Treck Inc.
  • Equipment: TCP/IP
  • Vulnerabilities: Improper Handling of Length Parameter Inconsistency, Improper Input Validation, Double Free, Out-of-bounds Read, Integer Overflow or Wraparound, Improper Null Termination, Improper Access Control
CISA is aware of a public report, known as “Ripple20,” that details vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and to identify baseline mitigations for reducing the risk of these and other cybersecurity attacks.

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-20-168-01 Treck TCP/IP Stack that was published June 16, 2020, to the ICS webpage on us-cert.gov. 

3. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following components of the Treck TCP/IP stack are affected:
  • IPv4
  • IPv6
  • UDP
  • DNS
  • DHCP
  • TCP
  • ICMPv4
  • ARP
See the CISA ICS advisory ICSA-20-168-01 for more details.

Saturday, June 13, 2020

USBFuzz

Using a new tool specifically designed for security testing of USB drivers, a group of cybersecurity specialists discovered 26 new security flaws in various operating systems.

Cisco has disclosed four critical security

    The critical flaws are part of Cisco's June 3 semi-annual advisory bundle for IOS XE and IOS networking software, which includes 23 advisories describing 25 vulnerabilities. 
     The 9.8 out of 10 severity bug, CVE-2020-3227, concerns the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software, which allows a remote attacker without credentials to execute Cisco IOx API commands without proper authorization.

     CVE-2020-3205 is a command-injection vulnerability in Cisco's implementation of the inter-VM channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000).  The software doesn't adequately validate signaling packets directed to the Virtual Device Server (VDS), which could allow an attacker to send malicious packets to an affected device, gain control of VDS and then completely compromise the system, including the IOS VM and guest VM.  VDS handles access to devices that are shared by IOS and the guest OS, such as flash memory, USB ports, and the console.  "A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user," Cisco said. "Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise."

    CVE-2020-3198 and CVE-2020-3258 are covered by the same advisory and concern arbitrary code execution vulnerabilities in the same industrial Cisco routers.
    The flaw CVE-2020-3198 allows an unauthenticated, remote attacker to execute arbitrary code on an affected system or cause it to crash and reload. An attacker could exploit it by sending malicious UDP packets over IPv4 or IPv6 to an affected device. Cisco notes that the bug can be mitigated with an access control list that restricts inbound traffic to UDP port 9700 on the device. It has a severity score of 9.8 out of 10.
     The second bug, CVE-2020-3258, is less severe, with a score of 5.7 out of 10, and could allow an authenticated, local attacker to execute arbitrary code on the device; the attacker must hold valid user credentials at privilege level 15, the highest level in Cisco’s scheme. The vulnerability lets the attacker modify the device’s run-time memory, overwrite system memory locations, and execute arbitrary code on the affected device.
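The UDP/9700 mitigation Cisco suggests for CVE-2020-3198, written out as an added example (this is not configuration from the Cisco advisory). The interface name and the 192.0.2.10 address are placeholders; whether any host legitimately needs to reach UDP/9700 on the router is something to confirm first, so the permit line for a management host is an assumption to delete if nothing should reach the port.

```text
! Added example, not Cisco's text. IPv4 and IPv6 each need their own list because
! the advisory says the malicious UDP packets can arrive over either.
ip access-list extended BLOCK-UDP-9700
 remark assumed trusted management host; delete if nothing should reach UDP/9700
 permit udp host 192.0.2.10 any eq 9700
 deny   udp any any eq 9700 log
 permit ip any any
!
ipv6 access-list BLOCK-UDP-9700-V6
 deny udp any any eq 9700 log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-UDP-9700 in
 ipv6 traffic-filter BLOCK-UDP-9700-V6 in
```

Apply the lists on every interface that faces an untrusted network, confirm they are taking hits with show ip access-lists and show ipv6 access-list, and treat this as a stopgap until the fixed software release is installed. Drop the log keyword if the device is exposed to high packet rates, since logging denied packets costs CPU.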
To learn more go here.




New ransomware targeting Windows and Linux systems


    Named Tycoon after references in its code, this ransomware has been active since December 2019 and appears to be the work of cyber criminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps it stay hidden on compromised networks. 
    Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that has been observed in the wild since at least December 2019[1]. It is deployed in the form of a Trojanized Java Runtime Environment (JRE) and leverages an obscure Java image format to fly under the radar.

    The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small- to medium-sized companies and institutions in the education and software industries, where they would proceed to encrypt file servers and demand a ransom. However, because earlier variants reuse a common RSA private key, it may be possible to recover data from them without paying.
To read more go here