Targeting U.S. Banking Customers QBOT back

    Sometimes malware can be a one-hit wonder:
show up on the scene, cause chaos, and then never be troublesome again after
exploits are patched and antivirus scanners are updated to help protect against
it. Sometimes, however, a piece of malware just keeps reappearing with
alterations that make it relevant again. One such program, Qbot, has
been around for over 12 years and has now popped back up to attack customers
who use a multitude of U.S. financial institutions.

    Qbot, also known as Quakbot, Qakbot, and Pinkslipbot, is a
Windows-based malware that first appeared around 2008 and has always been
focused on gathering browsing data and financial information from victims.
There are gaps where Qbot would seem to disappear for a while, but then
it would come back with some new functionality such as improved detection
evasion or worm-like spreading capabilities. New Qbot campaigns have
been uncovered in October 2014, April 2016, and May 2017, as well as being used
by the Emotet gang last year as the payload malware. The latest strain was
first seen in January of this year and is now targeting banking portals for
Bank of America, Capital One, Citibank, Citizen’s Bank, J.P. Morgan, Sun Bank,
TD Bank, Wells Fargo, and more.

   Researchers at F5, an
application threat intelligence research lab, discovered this variant and
worked out how the new infection process works. The malware is delivered to the
target computer through one of a variety of sources: phishing attempts, web
exploits that drop the malware as the payload, or through malicious file
sharing activities. Once the malware is on the system, the executable loads Qbot
into the running explorer.exe application. Next, the malware copies itself
into the application folder’s default location and the registry key
HKCUSoftwareMicrosoftWindowsCurrentVersionRun so that it will run up-on
system reboots. Qbot then creates a .dat file with system information and
the botnet name, executes from the %APPDATA% folder, and replaces the original
infection file to cover its tracks. Finally, the malware injects itself into a
new-ly created explorer.exe instance for use for updates from external C2
servers.

    The newest variant of Qbot includes
a packing layer that scrambles the code to evade Antivirus scanners and
signature-based tools, as well as anti-virtual ma-chine techniques to keep
people from easily examining how the malware operates. Researchers suggest
keeping antivirus software updated and staying up to date on critical patches
for other software as well. User awareness training to spot phishing attempts
can also be helpful in preventing victimization.

Ripple20 Vulnerabilities Affecting Treck IP Stacks

Treck TCP/IP Stack
(Update A)

Legal Notice

All information products included in https://us-cert.gov/ics are
provided “as is” for informational purposes only. The Department
of Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any commercial
product or service, referenced in this product or otherwise. Further
dissemination of this product is governed by the Traffic Light Protocol (TLP)
marking in the header. For more information about TLP, see 
https://www.us-cert.gov/tlp/.


1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely
  • Vendor: Treck Inc.
  • Equipment: TCP/IP
  • Vulnerabilities: Improper Handling
    of Length Parameter Inconsistency, Improper Input Validation, Double Free,
    Out-of-bounds Read, Integer Overflow or Wraparound, Improper Null
    Termination, Improper Access Control
CISA is aware of a public report, known as “Ripple20” that
details vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this
advisory to provide early notice of the reported vulnerabilities and identify
baseline mitigations for reducing risks to these and other cybersecurity
attacks.

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory
titled ICSA-20-168-01 Treck TCP/IP Stack that was published June 16, 2020, to
the ICS webpage on us-cert.gov. 

3. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow
remote code execution or exposure of sensitive information.

4. TECHNICAL DETAILS

4.1 AFFECTED
PRODUCTS

The Treck TCP/IP stack is affected including:
  • IPv4
  • IPv6
  • UDP
  • DNS
  • DHCP
  • TCP
  • ICMPv4
  • ARP

Please go to ICS Cert page for more details

Cisco has disclosed four critical security

   
The critical flaws are part of 
Cisco’s June 3
semi-annual advisory bundle
 for
IOS XE and IOS networking software, which includes 23 advisories describing 25
vulnerabilities. 

     The 9.8 out of 10
severity bug, CVE-2020-3227, concerns the authorization controls for the Cisco
IOx application hosting infrastructure in Cisco IOS XE Software, which allows a
remote attacker without credentials to execute Cisco IOx API commands without
proper authorization.

    
CVE-2020-3205 is a command-injection vulnerability
in Cisco’s implementation of the inter-VM channel of Cisco IOS Software for
Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and
Cisco 1000 Series Connected Grid Routers (CGR1000).  The software doesn’t
adequately validate signaling packets directed to the Virtual Device Server
(VDS), which could allow an attacker to send malicious packets to an affected
device, gain control of VDS and then completely compromise the system,
including the IOS VM and guest VM.  VDS handles access to devices that are
shared by IOS and the guest OS, such as flash memory, USB ports, and the
console.  “A successful exploit could allow the attacker to execute
arbitrary commands in the context of the Linux shell of VDS with the privileges
of the root user,” 
Cisco said. “Because the device is designed on a hypervisor
architecture, exploitation of a vulnerability that affects the inter-VM channel
may lead to a complete system compromise.”

    CVE-2020-3198
and CVE-2020-3258 are part of the same advisory and concern a remote code
execution vulnerability in the same industrial Cisco routers.
    The
flaw CVE-2020-3198 allows an unauthenticated, remote attacker to execute
arbitrary code on affected systems or cause it to crash and reload.  An
attacker could exploit the vulnerability by sending malicious UDP packets over
IPv4 or IPv6 to an affected device. Cisco notes that the bug can be mitigated
by implementing an access control list that restricts inbound traffic to UDP
port 9700 of the device. It has a severity score of 9.8 out of 10. 
    
The second bug, CVE-2020-3258, is less severe with a score of 5.7 out of
10 and could allow an unauthenticated local attacker to execute arbitrary code
on the device. However, the attacker also must have valid user credentials at
privilege level 15, the highest level in Cisco’s scheme. The vulnerability
allows an attacker to modify the device’s run-time memory, overwrite system
memory locations and execute arbitrary code on the affected device. 
To learn more go here.

New ransomware targeting Windows and Linux systems

    Named Tycoon after references in the code, this
ransomware has been active since December 2019 and looks to be the work of
cyber criminals who are highly selective in their targeting. The malware also
uses an uncommon deployment technique that helps stay hidden on compromised
networks. 
   
Tycoon is a multi-platform Java ransomware targeting Windows® and Linux® that
has been observed in-the-wild since at least December 2019[1].
It is deployed in the form of a Trojanized Java Runtime Environment (JRE) and
leverages an obscure Java image format to fly under the radar.
  
   
The threat actors behind Tycoon were observed using highly targeted delivery
mechanisms to infiltrate small to medium sized companies and institutions in
education and software industries, where they would proceed to encrypt file
servers and demand a ransom. However, due to the reuse of a common RSA private
key it may be possible to recover data without the need for payment in earlier
variants.
To read
more go here

NIST Digital Identity Guidelines: Pre-Draft Call for Comments

    NIST
is issuing a Call for Comments
on the four-volume set of Digital Identity Guideline documents,
including: Special Publication (SP) 800-63-3 Digital Identity Guidelines, SP 800-63A Enrollment and Identity Proofing,
SP 800-63B Authentication and
Lifecycle Management
, and SP 800-63C Federation and Assertions. This document set
presents the controls and technical requirements to meet the digital identity
management assurance levels specified in each volume.

    The public comment period ends August 10, 2020.  
See the Call for Comments,
which describes the background for this request and a Note to Reviewers
section for some specific topics about which NIST is seeking your feedback.  

    Please submit your comments to [email protected].

Call
for Comments on Digital Identity Guidelines:
https://csrc.nist.gov/publications/detail/sp/800-63/4/draft

NIST Publishes Security for IoT Device Manufacturers

Some
cybersecurity best practices and guidance for Internet of Things (IoT) device
manufacturers are now available from NIST’s
Cybersecurity for IoT Program
:

More information

NISTIR
8259 details
https://csrc.nist.gov/publications/detail/nistir/8259/final

NISTIR
8259A details
https://csrc.nist.gov/publications/detail/nistir/8259a/final

NIST
Cybersecurity Insights blog: “More than just a milestone in the Botnet Roadmap
towards more securable IoT devices”
https://www.nist.gov/blogs/cybersecurity-insights/more-just-milestone-botnet-roadmap-towards-more-securable-iot-devices

NIST’s
Cybersecurity for IoT Program:
https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program

FlowCloud Targeting the U.S. energy sector

   Researchers at Proofpoint have discovered a phishing campaign targeting companies within the United States’ utility sector. This campaign makes use of malicious documents to upload a remote access trojan (RAT) to the target’s system.

    In July 2019, researchers observed the use of a new RAT, called FlowCloud, as part of a spear-phishing campaign targeting the U.S. energy sector. This RAT was able to access the mouse, keyboard, screen, and running services, and exfiltrate that information to a command-and-control (C2) provider. To make themselves more convincing, attackers used emails disguised as training information with subject lines relating to free trials of energy educational courses. Content of the emails also impersonated the authentic American Society of Civil Engineers and masqueraded as coming from the organization’s domain.

    Early in the campaign, the threat actors used portable executable (PE) attachments to distribute us Microsoft Word documents. Researchers then started to notice some similarities bthe malware. However, in November 2019, the threat actors shifted from PE attachments to malicioetween FlowCloud and another malware campaign, LookBack. Both FlowCloud and LookBack targeted the United States’ utility sector. Both used malicious Word documents, and as of November 2019, both used the same IP addresses for staging and surveillance. Also, similar attachment macros, installation techniques, and infrastructure confirmed to researchers that FlowCloud and LookBack are related. Proofpoint was able to determine that both campaigns, which started around the same time, are linked to the advanced persistent threat (APT) group TA410. Also, Proofpoint researchers have found similarities between TA410 and APT10, the latter being a known Chinese espionage group. However, the researchers believe that the similarities may be intentional and that “the reuse of well-publicized APT10 techniques and infrastructure may be an attempt by threat actors to create a false flag.” TA410 is currently tracked independently of APT10. Proofpoint states that both malware families demonstrate a high level of sophistication in their development and presentation. Not much is known about the impact that these campaigns have had on the energy sector.

    As demonstrated by the FlowCloud and LookBack malware campaigns, the TA410 operators demonstrate a willingness to adapt and target their phishing tactics to increase the effectiveness of each campaign. Targeted phishing emails can be hard to spot, which is why, in addition to implementing proper security  systems and protocols, employee training is so necessary. Phishing attacks are still the most common way for attackers to enter an organization’s network. Educating end-users can go a long way in preventing an organization from becoming a victim of one of these attacks.

Sources

Citrix storage zone controllers security Issue

    The modern workplace involves a great amount of collaboration between team members and the generation of electronic documents for various purposes.  However, sharing these documents in a secure manner, especially with remote employees, has always been a troublesome issue. Citrix ShareFile is an application designed to solve that problem, but it was recently revealed that vulnerabilities in the application could lead to sharing files with more than just teammates
and other authorized personnel.

    Citrix ShareFile is a collaboration and file sharing tool designed to allow employees to securely exchange proprietary and sensitive business data. This could include product designs, financial data, security information, and much more. Citrix offers two ways to use ShareFile: Citrix hosted cloud storage or an on premises secure cloud instance that the customer manages. The storage can be split up into buckets, called storage zones, that are managed by one or more storage zone controllers.

    Multiple vulnerabilities were disclosed by Citrix in the storage zone controllers which could allow an unauthenticated attacker access to all of the files and documents managed by that controller. While the technical details on the vulnerabilities have not been released yet, they have been classified as CVE-2020-7473, CVE-2020-8982, and CVE-2020-8983.

    These vulnerabilities affect versions 5.9.0/5.8.0/5.7.0/5.6.0/5.5.0 and earlier. Companies that use the Citrix-hosted instances of ShareFile do not need to do anything to correct the issue as Citrix has already updated their storage zone controllers and storage zones. However, customer-managed storage zone controllers will need to be updated to 5.10.0+ or the x.x.1+ version of each of the
sub versions listed above. There is a caveat: any storage zones created by a storage zone controller running a vulnerable version will still have the vulnerability even if the controller is updated. Citrix released a mitigation tool that needs to be used on the storage zone controllers handling the affected zones, as well as instructions on how to do so.

    The modern workplace relies on electronic data sharing and collaboration, especially in today’s COVID-19 environment. While Citrix has tried to get ahead of these vulnerabilities, who knows if anyone has been exploiting these flaws before now. While data in storage and transmission will always be a spotlight area in cybersecurity, remember that things are not always as secure as they may seem.

Sources:
https://thehackernews.com/2020/05/citrix-sharefile-vulnerability.html

https://support.citrix.com/article/CTX269106

MagBo new marketplace for comprimised sites

    The dark web is not the only place to find dark things. As we’ve shown in the past, there are plenty of criminals operating on the clear web, often in places more open than you’d expect. This week,  researchers from threat intelligence firm KELA released a report on a marketplace called MagBo.

    This particular site specializes in selling remote access to products such as compromised servers. If you’ve ever heard of xDedic, the popular shop for RDP access to compromised servers (until last year), you might think MagBo is doing the same thing. But the KELA researchers found that marketplaces have evolved beyond simply selling credentials or sitting around waiting for buyers.
MagBo, and other sites like it, are being calling Remote Access Markets (RAM).

    Products range from bulk credentials, to fully compromised networks, and the marketplace itself is streamlining operations.  In order to maximize profits, marketplaces have shifted to automated
sales platforms, allowing buyers to get what they need quickly and giving the sellers more opportunity for higher sales volumes.
  
    These shifts in marketplace dynamics are not unique to MagBo, but something else is. It’s very easy to start a marketplace, but incredibly difficult to make it successful- regardless of whether you’re on the dark web or the clear web. So why did MagBo take off? Researchers noted that most marketplaces obfuscate the target of their products in order to prevent competitors from stealing their own access, but not MagBo. They list everything in the clear. This allows the buyer to know what they are paying for and likely leads to a quicker sale. That level of transparency also allowed researchers greater insight into MagBo’s products.

    Writers from ZDNet found listings for everything from small business web pages to government portals. Access is sold for targets across all major industries and the site’s offerings are growing by the day. KELA estimates “between 200 and 400 new sites are being added on a daily basis, with around 200 being sold off.” In its roughly two years of operation, MagBo has grown to include “over 28,000 servers totaling around $700,000 worth of goods.” KELA was further able to identify 43,000 unique hostnames from historical data and they estimate around 150,000 unique websites have been offered for sale throughout MagBo’s operation. Web shells are the most popular product available and “190 different threat actors currently have active listings on the market.”

    So how do you find out if access to your organization is for sale on MagBo? That depends on who you know. It’s an invitation only marketplace, which means you either have to know someone on the in-side or find someone that is selling an invite. The best thing you can do is make sure you are following security best practices, because with all of this visibility, MagBo may not last much longer and it’s just a matter of time before another marketplace takes its place.

Sources:
  https://www.zdnet.com/article/a-cybercrime-store-is-selling-access-to-more-than-43000-hacked-servers/

https://ke-la.com/access-as-a-service-remote-access-markets-in-the-cybercrime-underground/