Apps on the Apple App Store infected with clicker trojan malware

    Wandera’s threat research team has discovered 17* apps on the Apple App Store that are infected with clicker trojan malware. The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.

    The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Because these apps are infected with the clicker trojan module, they fall within the trojan category of Wandera’s malware classification.

About the infected apps

    The group of 17 infected apps covers a random set of application categories, including productivity, platform utilities, and travel. The full list of infected apps appears below:
All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd.

Adware Campaign Affects Millions

    Smartphones have become the icon of our modern technological society. They are so prevalent that app development has grown exponentially in recent years in the struggle to become the next Facebook or Pinterest. The phrase “There’s an app for that” truly describes the breadth of apps available. However, this also means that many malicious apps that could harm users are available, such as the Ashas family of adware apps on the Google Play store.

    ESET researchers discovered a family of 42 apps, dubbed the Ashas family, that were originally designed as legitimate apps but later updated to provide fullscreen advertisements to users and exfiltration of some basic device data. The original functionality, such as photo viewers, video downloaders, music apps, and games still exists but with the malicious activity included as well. The adware campaign had been active since July 2018 with over 8 million downloads and half of the apps still available on the Play store at the time of discovery. Since the researchers reported their findings, the remaining apps have been removed.

    The apps use a command and control (C&C) server to send device information such as type, version of the operating system, language, installed apps, free storage space, and other fingerprinting data. The app is then configured from the C&C server and also includes ways of avoiding detection. First, the app can detect if it is being run on a Google server and therefore will not run the adware payload. Next, a custom delay can be set so that ads are displayed well after starting the app (a half-hour later, for instance) so that the user doesn’t associate the ad behavior with that particular app. Ashas apps can also display a different icon when users try to determine which app is showing the ad, usually hiding as Google or Facebook. Finally, the app installs a shortcut in the app menu instead of the icon itself so that when a user tries to delete it, they are removing only the shortcut and the app continues to run in the background. 

    ESET researchers managed to track down the author of the Ashas apps, a university student in Vietnam. They backtracked from the IP address of the C&C server to the owner information, then to university information and eventually to the author’s YouTube channel and personal Facebook page. All of the information was publicly available open-source data, showing that the author didn’t try to cover his tracks. This leads the researchers to believe that the developer started honestly when creating the apps and later decided to turn to malicious behavior.

Sources:

 • https://thehackernews.com/2019/10/42-adware-apps-with-8-milliondownloads.html
 • https://www.welivesecurity.com/2019/10/24/tracking-down-developerandroid-adware/
 • https://www.zdnet.com/article/vietnamese-student-behind-androidadware-strain-that-infected-millions/

Unpatched Linux bug may open devices to serious attacks over Wi-Fi

NIST National Vulnerability Database – CVE-2019-17666 Detail

Current Description

rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.

Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.

A potentially serious vulnerability in Linux may make it possible for
nearby devices to use Wi-Fi signals to crash or fully compromise
vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support
Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow
in the Linux kernel when a machine with a Realtek Wi-Fi chip is within
radio range of a malicious device. At a minimum, exploits would cause an
operating-system crash and could possibly allow a hacker to gain
complete control of the computer. The flaw dates back to version 3.10.1
of the Linux kernel released in 2013.

“The bug is serious,” Nico Waisman, who is a principal security
engineer at GitHub, told Ars. “It’s a vulnerability that triggers an
overflow remotely through Wi-Fi on the Linux kernel, as long as you’re
using the Realtek (RTLWIFI) driver.”

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix
on Wednesday that will likely be incorporated into the OS kernel in the
coming days or weeks. Only after that will the fix make its way into
various Linux distributions.

Waisman said he has not yet devised a proof-of-concept attack that
exploits the vulnerability in a way that can execute malicious code on a
vulnerable machine.

“I’m still working on exploitation, and it will definitely… take
some time (of course, it might not be possible),” he wrote in a direct
message. “On paper, [this] is an overflow that should be exploitable.
Worst-case scenario, [this] is a denial of service; best scenario, you
get a shell.”

After the vulnerability became public, the researcher discussed the flaw on Twitter.

Notice of Absence

The driver flaw can be triggered when an affected device is within
radio range of a malicious device. As long as the Wi-Fi is turned on, it
requires no interaction on the part of the end user. The malicious
device exploits the vulnerability by using a power-saving feature known
as a Notice of Absence that’s built into Wi-Fi Direct,
a standard that allows two devices to connect over Wi-Fi without the
need of an access point. The attack would work by adding vendor-specific
information elements to Wi-Fi beacons that, when received by a
vulnerable device, trigger the buffer overflow in the Linux kernel.
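The missing bound the advisory describes, shown in an added C model that is not the kernel's rtlwifi code: parsing a Wi-Fi Direct Notice of Absence attribute into a fixed-size table, with the upper-bound check on the descriptor count that CVE-2019-17666 says ps.c lacked. The table size, structure names and sample bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One NoA descriptor in the Wi-Fi Direct Notice of Absence attribute:
 * count/type (1), duration (4), interval (4), start time (4), little-endian. */
#define NOA_DESC_LEN 13
/* Assumed size of the driver's fixed NoA table (illustration only; the real
 * rtlwifi constant is not quoted on this page). */
#define P2PPS_MAX_NOA_NUM 2

struct noa_desc { uint8_t count_type; uint32_t duration, interval, start_time; };
struct noa_info {
    uint8_t index, ctwindow_oppps;
    size_t  num;
    struct noa_desc desc[P2PPS_MAX_NOA_NUM];
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the body of a NoA attribute (bytes after its ID and length fields).
 * Returns the number of descriptors copied, or -1 if the body is malformed or
 * carries more descriptors than the table holds. That second test is the
 * upper-bound check CVE-2019-17666 describes as missing: body_len comes
 * straight from a received beacon, so it alone must never bound desc[] writes. */
int parse_noa_attr(const uint8_t *body, size_t body_len, struct noa_info *out)
{
    if (body_len < 2 || (body_len - 2) % NOA_DESC_LEN != 0)
        return -1;
    size_t n = (body_len - 2) / NOA_DESC_LEN;
    if (n > P2PPS_MAX_NOA_NUM)      /* without this: out-of-bounds writes */
        return -1;
    memset(out, 0, sizeof(*out));
    out->index = body[0];
    out->ctwindow_oppps = body[1];
    const uint8_t *p = body + 2;
    for (size_t i = 0; i < n; i++, p += NOA_DESC_LEN) {
        out->desc[i].count_type = p[0];
        out->desc[i].duration   = get_le32(p + 1);
        out->desc[i].interval   = get_le32(p + 5);
        out->desc[i].start_time = get_le32(p + 9);
    }
    out->num = n;
    return (int)n;
}

/* Constructed sample: a well-formed body carrying two descriptors. */
int demo_valid(struct noa_info *out)
{
    static const uint8_t body[2 + 2 * NOA_DESC_LEN] = {
        0x01, 0x80,                                        /* index 1, OppPS set */
        0xff, 0x10, 0x27, 0x00, 0x00, 0xa0, 0x86, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x20, 0x4e, 0x00, 0x00, 0x40, 0x0d, 0x03, 0x00, 0x10, 0x00, 0x00, 0x00,
    };
    return parse_noa_attr(body, sizeof body, out);
}

/* Constructed sample: a body declaring five descriptors, which the bound check
 * rejects instead of overrunning desc[]. */
int demo_oversized(struct noa_info *out)
{
    uint8_t body[2 + 5 * NOA_DESC_LEN];
    memset(body, 0x41, sizeof body);
    return parse_noa_attr(body, sizeof body, out);
}
```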

The vulnerability only affects Linux devices that use a Realtek chip
when Wi-Fi is turned on. The flaw can’t be triggered if Wi-Fi is turned
off or if the device uses a Wi-Fi chip from a different manufacturer.
Based on links here and here, it appears that Android devices with Realtek Wi-Fi chips may also be affected.

Representatives of both Realtek and Google didn’t immediately comment on this story.

While it’s still not clear how severely this vulnerability can be
exploited, the prospect of code-execution attacks that can be staged
wirelessly by devices within radio range is serious. This post will be
updated if new information becomes available.

You can read the full post here.

New malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic.

   The vast majority of websites these days have Hypertext Transfer Protocol Secure (HTTPS) enabled, adding a layer of security that protects our communications against eavesdropping and tampering. HTTPS is encrypted using Transport Layer Security (TLS), the current standard for secure web communication. Like all protocols, it is not immune to attack. Some of the more infamous vulnerabilities and attacks affecting TLS (or its predecessor, Secure Sockets Layer [SSL]) are FREAK, Logjam, POODLE, and Heartbleed.

   More recently, researchers from Kaspersky’s Global Research and Analysis Team (GReAT) discovered a malware strain that allows the adversary to deploy man-in-the-middle (MitM) attacks on TLS traffic. Dubbed Reductor, it appears to be related to the COMPfun trojan discovered in 2014, which provides one of its infection vectors. Servers that are infected with COMPfun can be used to download and install Reductor. Reductor is also delivered through software downloads from untrustworthy sites.

   Once installed, the malware patches the Firefox and Chrome web browsers to snoop on the victim’s encrypted traffic. It modifies the target’s TLS certificate and gives the attacker remote access to manipulate and execute files. What really sets Reductor apart is the way it patches the code of the browsers’ pseudorandom number generator (PRNG) functions. The PRNG supplies the random value placed in the packet that opens the TLS handshake. Reductor uses the patched PRNG code to embed victim-specific identifiers in that value, allowing the attacker to track the victim’s traffic wherever it goes.

   GReAT believes Reductor comes from a hacker group operating under the protection of the Russian government and may be linked to the Advanced Persistent Threat (APT) group Turla; however, there is no concrete evidence to support a Turla connection. There are similarities both with the COMPfun code and in the affected victims, where “cyber-espionage on diplomatic entities” appears to be a primary objective.

Sources:

 • https://www.bleepingcomputer.com/news/security/hackers-patch-webbrowsers-to-track-encrypted-traffic/
 • https://threatpost.com/new-reductor-malware-hijacks-httpstraffic/148904/
 • https://securelist.com/compfun-successor-reductor/93633/

New Phishing Email Attack

  Phishing emails typically provide some obvious tells to their malicious nature. However, when a phishing email contains information such as organization-specific email bodies and email signatures, organization branding, and relevant news, it can be harder to distinguish between legitimate and malicious. These factors are what make the phishing campaign of TA407, or the “Silent Librarian” threat actor group, different. This group, as described by researchers at Proofpoint and Secureworks, is a group of Iranian hackers targeting the intellectual property of universities in the United States and Europe.

    This is done through a phishing campaign targeted at university students which redirects users to a malicious landing page tailored to look like the university’s login page. The hackers are then able to access library content with the stolen account credentials.
What makes this campaign unique is the lengths to which the threat actors went to appear convincing. Each targeted university has a personalized landing page. In addition, the email uses proper grammar, provides links to library resources, and gives a helpdesk email address if the student should need any help with account login. The landing page contains spoofed display names, stolen branding matching the actual login page and, in one case, even an accurate weather forecast informing students that the campus is closed due to a snowstorm.

   In 2018, the US Department of Justice charged nine members of the group for their actions, alleging that between 2013 and 2017, TA407’s activities accounted for $3.4 billion worth of stolen intellectual property, 31.5 terabytes of academic data, almost 8000 compromised university accounts and 3700 compromised accounts belonging to professors at US-based universities. They also allege that 144 US-based and 176 foreign universities were victims of the scheme. The Department of Justice states that this group operates on behalf of the Iranian government and that the stolen data is being used by the Iranian government and Iranian universities.

   Although this specific phishing campaign is targeted toward students, there are many steps that you can take to avoid falling victim to phishing emails. Noticing such things as a strange sender email address, the lack of identifying information (e.g. a valid account number, name, or address), links to strange domains, and improper grammar may all be a tell that the email is malicious. If you are still unable to determine whether it is a phishing email, it is best to visit the site in question directly and not through any links provided in the email.

Sources:

 • https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/
 • https://www.proofpoint.com/us/threat-insight/post/threat-actor-profileta407-silent-librarian

Cryptojacking Worm Spreads via Infected Docker Daemons in the Docker Engine

    Researchers at Palo Alto Networks’ Unit 42 have discovered a worm that mines Monero, a privacy-focused cryptocurrency, and spreads itself via infected Docker daemons in the Docker Engine. Shodan scans of Docker engines show over 2000 unsecured Docker hosts. The researchers have named the cryptojacking malware Graboid.

    Graboid has a downloader planted on an infected Docker image, along with a Docker client tool used to connect to other Docker hosts. The attacker accesses an unsecured Docker host and infects it with the malicious image. Anti-virus solutions would normally look for viral content or virus-like activity but do not check the contents of data within a container, as the container is maintained separately from the main machine. This form of obfuscation has been observed in other containerization solutions before, but Graboid is exceptional in its erratic and relatively ineffective methodology.

    After retrieving and establishing the malicious image, the attacker then downloads the four shell scripts of DOOM. These shell scripts are named live.sh, worm.sh, xmr.sh, and cleanxmr.sh. The first script, live.sh, surveys the victim, assessing the resources to be plundered: it reports the number of available CPUs on the compromised host to the command and control (C2) server to coordinate. The next script brings the ever-hunting nose of the beast. The worm.sh script downloads the list of over 2000 vulnerable hosts’ IPs and replicates itself onto one of those IPs, chosen at random. Then the last two scripts bring the chaos. The xmr.sh script deploys gakaws/nginx, a Monero cryptominer disguised to look like an NGINX load balancer/web server, and does so on a randomly selected infected server. The last script, cleanxmr.sh, stops any xmrig-based containers on another randomly selected infected server. It seems that Graboid runs cleanxmr.sh before it runs xmr.sh so as to avoid deactivating any Docker engines that just had their Monero mining capabilities turned on. This leads to a delay in the mining capabilities being turned on until the host is selected randomly by another infected host. Eventually the host will be selected to be disabled until a later time, when it is re-enabled. This flash of infection and erratic appearances, as well as the worm functionality, led to the researchers’ choice to name the malware after the monsters in the 1990s film Tremors.

    Graboid currently uses 15 C2 servers, of which 14 are included in the list of vulnerable IPs and the last has over 50 known vulnerabilities. The researchers have observed that it is likely these are controlled by the attacker illicitly. They have also calculated that it would take about 60 minutes to infect 70% of the vulnerable hosts, with returns diminishing sharply after that. At that point there would be about 900 active miners at any particular time, rotating through the available infected hosts, with all of the infected hosts acting as nodes to facilitate communication with the Monero blockchain network. With a 100-second period of activity, a node is expected to be active for 250 seconds before being deactivated.

Sources:

 • https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/
 • https://threatpost.com/dockercontainers-graboid-cryptoworm/149235/
 • https://securityaffairs.co/wordpress/92586/malware/graboidtargets-docker-hub.html

NSA and NCSC Release Joint Advisory on Turla Group Activity

National Cyber Awareness System

10/21/2019 11:56 AM EDT

Original release date: October 21, 2019

The National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) have released a joint advisory on advanced persistent threat (APT) group Turla—widely reported to be Russian. The advisory provides an update to NCSC’s January 2018 report on Turla’s use of the malicious Neuron, Nautilus, and Snake tools to steal sensitive data. Additionally, the advisory states that Turla has compromised—and is currently leveraging—an Iranian APT group’s infrastructure and resources, which include the Neuron and Nautilus tools.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources for more information:

 • NSA Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims
 • UK NCSC Advisory: Turla group exploits Iranian APT to expand coverage of victims
 • January 2018 UK NCSC Report: Turla Group Malware

Is Your VPN at Risk?

    A commonly used method to secure network resources is a Virtual Private Network (VPN). They allow remote network devices to securely communicate with local resources as if they were physically plugged into the same network segment. You may even use one when working remotely to help keep your network traffic secure. While they can easily provide a lot of protection from various network attacks there are many pitfalls to avoid in order to keep the network resources secure.

    One common mistake when setting up a VPN is not properly securing the devices that the VPN provides access to. Because the servers or devices will not have direct inbound internet access, a relaxed security policy is often taken. This is because it is assumed that in order to access them an attacker would first have to either be on the network directly or be connected through the VPN. Another common mistake is not regularly updating the VPN software. There are many reasons this can occur, including avoiding downtime or not wanting to break something that appears to be working fine as is.

    This week the National Security Agency (NSA) issued an advisory stating that APT groups have been actively using flaws in some popular VPN software to attack networks. They say the groups have weaponized three vulnerabilities against two pieces of VPN software, Pulse Secure VPN and Fortinet VPN. Two of the vulnerabilities, CVE-2019-11539 and CVE-2019-11510, specifically target Pulse Secure VPN servers. They allow remote unauthenticated command injection and arbitrary file reads on the VPN server device. The remaining vulnerability, CVE-2018-13379, targets Fortinet VPN servers and allows for remote unauthenticated arbitrary file reads from the server device. The National Cyber Security Centre in the UK posted a separate advisory which added CVE-2018-13383 and CVE-2018-13383 to the list of vulnerabilities being used against Fortinet devices. Palo Alto Networks VPN software was also added to the vulnerable devices list, with attackers utilizing CVE-2019-1579 for remote code execution on the affected VPN servers.

    In total the two agencies reported six vulnerabilities against three separate VPN software vendors. For each of the affected VPN products the vulnerabilities being used could allow an attacker access to the network resources as if the attacker were physically on the network. All of the affected products have updates available to fix these flaws so it is important that they are updated immediately if an affected version is still in use. The NSA also recommends rotating any existing VPN keys or tokens just in case they were stolen before the patches were able to be applied. 
Sources:

 • https://threatpost.com/apt-groupsexploiting-flaws-in-unpatched-vpnsofficials-warn/148956/
 • https://www.cyberscoop.com/vpnvulnerabilities-china-apt-palo-alto/

Ransomware attacks across the world – The Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world. See CISA’s Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak.

Ransomware is a type of malicious software, or malware, designed to
deny access to a computer system or data until a ransom is paid.
Ransomware typically spreads through phishing emails or by unknowingly
visiting an infected website.

Ransomware can be devastating to an individual or an organization.
Anyone with important data stored on their computer or network is at
risk, including government or law enforcement agencies and healthcare
systems or other critical infrastructure entities. Recovery can be a
difficult process that may require the services of a reputable data
recovery specialist, and some victims pay to recover their files.
However, there is no guarantee that individuals will recover their files
if they pay the ransom.

CISA recommends the following precautions to protect users against the threat of ransomware:

  • Update software and operating systems with the latest patches.
    Outdated applications and operating systems are the target of most
    attacks.
  • Never click on links or open attachments in unsolicited emails.
  • Back up data on a regular basis. Keep it on a separate device and store it offline.
  • Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.

In addition, CISA also recommends that organizations employ the following best practices:

  • Restrict users’ permissions to install and run software
    applications, and apply the principle of “least privilege” to all
    systems and services. Restricting these privileges may prevent malware
    from running or limit its capability to spread through a network.
  • Use application whitelisting to allow only approved programs to run on a network.
  • Enable strong spam filters to prevent phishing emails from reaching
    the end users and authenticate inbound email to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.

See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA’s Awareness Briefings on Combating Ransomware, Joint Ransomware Statement, and CISA Insights – Ransomware Outbreak for more information.

For recent CISA Alerts on specific ransomware threats, see:

Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

NCSC Releases Fact Sheet on DNS Monitoring

Original release date: October 4, 2019

The Dutch National Cyber Security Centre (NCSC) has released a fact sheet on
the increasing difficulty of Domain Name System (DNS) monitoring. NCSC warns
that although modernization of transport protocols is helpful, it also makes it
more difficult to monitor or modify DNS requests. These changes could render an
organization’s security controls ineffective.

The Cybersecurity and Infrastructure Security Agency (CISA) recommends users
and administrators review the Dutch NCSC fact sheet on DNS monitoring for
additional information and recommendations.