Month: May 2019

    The Dells SupportAssist software is currently associated with a vulnerability allowing Remote Code Execution (RCE) attacks. It comes pre-installed on virtually all new Dell devices running Windows®, the SupportAssist application “proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin.”

    Dell released an advisory, DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, where it announced “An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.” The vulnerability is being tracked as CVE-2019-3719 and comes with a Base Severity score 8.0 HIGH in NIST’s CVE database. MITRE has performed an analysis on the vulnerability and has also added that description to the CVE stating, “Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables.”
    Primarily Dell uses the SupportAssist application to be able to install drivers and other software remotely, but to accomplish this, it must be able to detect what is already present on your system.   Installing the SupportAssist package installs two packages, the SupportAssistAgent, and the Dell Hardware Support service. The services essentially expose a REST API of sorts which supports the communication between the service and Dell’s websites.

    Security researcher Bill Demirkapi who discovered the vulnerability states in his blog “On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest.
ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks. Later in this article, we’ll get into some of the issues in the integrity checks, but for now most are not important to achieve RCE.”

    It should also be noted that Demirkapi discovered the vulnerability in September of 2018 and promptly sent a write up to Dell explaining the RCE vulnerability. Dell confirmed the vulnerability on 11/22/2018 and finally released a patch and advisory on 4/18/2019. 
Sources: 
• https://nvd.nist.gov/vuln/detail/CVE20193719#vulnCurrentDescriptionTitle
• https://d4stiny.github.io/RemoteCode-Execution-on-most-Dellcomputers

Agenda:

• Innovations in Microsoft’s hybrid strategy: Deep dive into Microsoft’s hyperconverged technologies and how to add hybrid services from Azure.
• Modernize Windows Server apps and workloads: Learn about security, Remote Desktop Services, containers, and features on demand.
• New in management and security: See what’s new in Windows Admin Center, System Center 2019, and Windows Server 2019.
• Insights and best practices: Chat with Windows Server community experts.
• Looking ahead: Learn more about Windows Server Semi-Annual Channel and Windows Server on Azure.

    Researchers have found a new version of the Hawkeye malware kit and have noticed that alongside technical advances, they’ve included some business improvements.

    While Hawkeye has been a product since 2013, the recent change in ownership at the end of 2018 has decided that change beyond just its capabilities is in order. Providing a business via a licensing model extends the longevity and security of a revenue source and maintains the sales relationship with minimal effort. Including a terms of service that forbids illicit use sheds a small degree of liability, but including a restriction against their product being scanned by antivirus software seems to negate any possible plausible deniability. These steps seem to be an effort to distance the provider from the “troubled youth” of the malware and legitimize it to some degree but utterly fails to actually reform it.

    The malware itself is found in ongoing malware campaigns since mid 2018, before the regime change. The formula adheres to many of the usual suspects: vague emails about fiscal functions and duties that sound urgent, confirmations and audits of things that require oversight, general notices of company gatherings with details not contained in the body of the email, and other pedestrian and mundane pieces of bait for the weaponized Excel hook. Sometimes an RTF or Doc file is used for older campaigns and occasionally the malicious document is stored a few more steps away in a drobox or other file sharing location.

    The current attacks use the CVE-2017-11882 vulnerability, a buffer overflow vulnerability in Excel’s equation editor. It triggers the memory handling error when the  data sent for the font name is too long which then allows the attacker to execute arbitrary code on the victims machine with the victims level of privilege. 
    At this point the attacker downloads a payload from an attacker controlled server, which decompiles itself and retrieves a final payload which cements Hawkeye in the user’s system. The researchers found tools not used in the current campaign such as Anti-Virtual machine detection, USB drive infection, and others.
   Hawkeye itself offers keylogging, systems monitoring, and other espionage tools as well as a way to exfiltrate data collected and technical support for as long as your license is valid. The latest campaign hinges on a vulnerability that has since been patched. As always, update your programs and be vigilant of any suspicious documents.
Sources: 
• https://securityaffairs.co/wordpress/84008/malware/hawkeyestealer.html
• https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
• https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/

   Macro enabled Office documents are a useful tool for automating advanced calculations in document files but they have a long history of abuse as well. They are easy to spot as documents containing embedded Visual Basic for Applications (VBA) code have a ‘m’ at the end of the filename, e.g .xlsm or .docm. When opening these files Microsoft Office asks if you would like to enable the embedded macros, and for good reason. They can be used to run malicious code on a target system or infect the computer with malware.

    Researchers at Checkpoint recently uncovered a new malicious document campaign targeting government finance entities and several embassies in Europe. If these documents are opened with macros enabled they drop multiple malicious AutoHotKey scripts onto the target system and begin communicating with command and control servers to exfiltrate data. Specifically the document drops 4 files, the AutoHotKey program itself and 3 scripts used to gather information or take control of the computer. ‘htv.ahk’ is the most dangerous of the 3 scripts dropped, it grabs a malicious version of Teamviewer, executes it, and then sends login credentials to the attackers server.

    The malicious version of Teamviewer has a few interesting modifications. First it completely hides the running instance so that the attacker can take control without the user receiving any notifications the way that the standard version would provide. It also allows for the transfer and execution of additional .exe and .dll files onto the target machine. The standard version of Teamviewer only supports transferring files; execution would be done through the Windows GUI. Later versions of the malicious Teamviewer application also provide a more traditional command and control mechanism via text based commands. This interface allows the attacker to do much more including searching for files or download and execution of files from an external webserver.

    Checkpoint acknowledges that in most cases it is difficult to provide attribution for attacks such as these. In this case however they were able to find posts on a clearnet hacking forum with code samples identical to the ones used in the campaign. Beyond the identical code samples the user ‘EvaPicks’ was also talking about techniques used in the campaign. 

    Most high end firewalls will inspect macro enabled document files with extra scrutiny because of attacks like this. AutoHotKey is also frequently detected as malicious software by anti virus programs despite its legitimate use in task automation. Regardless end users must remain vigilant when opening files from unknown sources in order to protect sensitive information and equipment.
Sources:
• https://research.checkpoint.com/finteam-trojanized-teamviewer-againstgovernment-targets/
• https://threatpost.com/teamviewer-attacks-state-department/144014/

     With today’s cyber-focused society, there are numerous security companies constantly on the lookout for new variants of malware and threats that haven’t been seen before. So when new malware is discovered that not only provides a wide array of capabilities but also remained under the radar for 5 years, it begs further investigation. Researchers at Kaspersky Lab recently uncovered such a malware, which they dubbed TajMahal.

     TajMahal is a highly modular piece of malware that was discovered in late 2018 attacking a Central Asian diplomatic agency. It contains 80 different plugins for various capabilities, one of the highest amounts ever seen with an APT. The developers of TajMahal have also made it very stealthy, including using behavioral detection avoidance and creating a new codebase from the ground up rather than using existing code from other sources. The malware contains 2 main modules: Tokyo and Yokohama. 

     While the initial stage of infection is unclear, the first stage of TajMahal is the Tokyo package. This contains 3 modules that install backdoors on the system, run PowerShell scripts, and establish contact with command and control servers. This module then downloads the second package, Yokohama.
  Yokohama is the main data exfiltration module that contains most of the plugins used for obtaining data. It includes “backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine” according to the re Exodus searchers. It can even see files that were accessed on removed USB drives and then copy that specific file the next time the drive is plugged in. The stolen data is exfiltrated using an XML file named TajMahal, hence the name researchers gave the malware itself.

  While TajMahal has only been seen attacking the one organization, researchers have found some aspects of the malware that lead them to believe there may be other versions out in the wild that haven’t been detected yet. Samples studied so far suggest that the group behind the malware has been active since the Fall of 2014, so it is doubtful this will be the last that is seen from them.
Sources:
• https://thehackernews.com/2019/04/apt-malware-framework.html 
• https://threatpost.com/meettajmahal/143644/ 
• https://securelist.com/projecttajmahal/90240/

  The Exodus spyware now also exists in the iOS ecosystem. The package can take and deliver audio recordings, pictures, contacts, and location data. The spyware researchers note that the iOS version of the spyware delivers itself via phishing sites that imitate mobile carriers from Italy and Turkmenistan. According to research by both Lookout and Security without Boarders, the spyware appears to have developed over the span of 5 years.

    The spyware works in three stages: first it lands on the victim’s machine with a lightweight dropper, then it fetches a larger second stage payload which contains several binaries, finally, the third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on the infected device.  Technical details suggest that it may have started life as a legitimate package for government or law-enforcement use. Details indicate that the software was very likely a well-funded project intended for the lawful intercept market. The software makes use of valid certificate-pinning and public key encryption for command-and-control communications, and geo-restrictions, along with a comprehensive well-implemented suite of surveillance features.

   The Android samples led researchers to samples of an iOS variant. The attackers spoofed both Wind Tre SpA, and TMCell sites. An Italian mobile and a Turkmenistan state owned carrier respectively.  In order to spread the iOS version outside of the App Store, the cybercriminals abused Apple’s enterprise provisioning system. Allowing them to sign the apps with legitimate Apple certificates. The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary/in-house apps to their employees without the use of the iOS App Store. The apps themselves dovetail with the phishing sites, recommending that user keep the apps installed and under WiFi coverage to be contacted by operators for assistance.  While the iOS version of the app seems to be more crude than the android counterpart. It might not have the ability to leverage known vulnerabilities, but it was still able to utilize well known API’s to exfiltrate  contacts, photos, videos and audio recordings using a required push notification setting.

   Exodus is thought to be linked to eSurv, an Italian software developer based in Catanzaro in Calabria who is well known for software specializing in CCTV management, surveillance drone, and facial and license-plate recognition software. eSurv is currently under investigation by Italian authorities per local news reports.  Each of the phishing sites contain links to metadata such as the application name, version, icon, and an URL for the IPA file.  An IPA package must contain a mobile provisioning profile with an enterprise’s certificate to be distributed outside the app store. All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L. 

Sources:
• https://it.slashdot.org/story/19/04/08/221253/exodus-spyware-foundtargeting-apple-ios-users
• https://threatpost.com/exodus-spyware-apple-ios/143544/