Turla Backdoor and Dropbox

ESET researchers have recently released information on the discovery of a new backdoor, dubbed Crutch, that uses Dropbox to exfiltrate stolen files. Crutch has been seen as early as 2015 and is believed to be a second-stage backdoor deployed after a victim has already been compromised; researchers have seen the Skipper implant and the PowerShell Empire post-exploitation agent used as the initial infection vectors. Until July 2019, Crutch v3 used an architecture based on manual input of commands through Dropbox, which were then run on the victim’s machine. It included a monitor for removable drives that looked for files with certain extensions, such as .pdf, .rtf, .doc, and .docx, then compressed and staged those files for exfiltration. The staged files were then uploaded to a hard-coded Dropbox account controlled by the attackers. Persistence was maintained by hijacking legitimate Chrome, Firefox, or OneDrive processes. In one instance, the Crutch operator even left a little taunt for the victim, running the command “mkdir %temp%Illbeback”.

In July 2019, researchers discovered a newer version of Crutch that was automated rather than relying on the operator to run commands manually. The persistence mechanism changed to using a Microsoft Outlook component, Finder, rather than the hijacked browser processes. The drive monitor also got a makeover and can now monitor local drives as well as removable drives. Interesting files are still compressed, encrypted, and staged for exfiltration. Instead of the operator manually uploading them to Dropbox, however, Crutch v4 now uploads the files automatically using the Windows version of the wget utility.
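The two behaviours the write-up describes, a command-line downloader such as the Windows wget port talking to Dropbox, and a shell or upload tool being spawned by a process Crutch is reported to hijack (browsers, OneDrive, Outlook), are both visible in ordinary process-creation telemetry. The following toy detector is an added example and is not ESET's code or anything from the Crutch samples; the events are constructed, Sysmon-style records, and the field names, the `dropbox.com` host string, and the process lists are assumptions chosen to match the description above.

```python
"""Toy detection logic for the Crutch behaviours described above.

Added example; not ESET's code or the Crutch malware. Events are
constructed, Sysmon-style process-creation records; field names,
domains and process lists are assumptions matching the write-up.
"""
from dataclasses import dataclass

# Cloud-storage domain the write-up names as the exfiltration channel (assumed host name).
EXFIL_DOMAINS = ("dropbox.com",)
# Legitimate processes the write-up reports Crutch hijacking for persistence.
HIJACK_TARGETS = {"chrome.exe", "firefox.exe", "onedrive.exe", "outlook.exe"}
# Command-line transfer tools; the write-up names the Windows wget port.
UPLOAD_TOOLS = {"wget.exe", "curl.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

RULE_UPLOAD = "command-line tool contacting cloud storage"
RULE_HIJACK = "shell or upload tool spawned by a hijack-prone process"


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matched rule, in event order."""
    alerts = []
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.command_line.lower()
        # Rule 1: wget/curl reaching the cloud-storage domain used for exfiltration.
        if image in UPLOAD_TOOLS and any(d in cmd for d in EXFIL_DOMAINS):
            alerts.append({"host": ev.host, "rule": RULE_UPLOAD, "parent": parent,
                           "command_line": ev.command_line})
        # Rule 2: a browser, OneDrive or Outlook process launching a shell or transfer tool.
        if parent in HIJACK_TARGETS and image in (SHELLS | UPLOAD_TOOLS):
            alerts.append({"host": ev.host, "rule": RULE_HIJACK, "parent": parent,
                           "command_line": ev.command_line})
    return alerts


# Constructed sample telemetry: two suspicious and two benign process creations.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c mkdir %temp%Illbeback"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              r"C:\Users\u\AppData\Local\Temp\wget.exe",
              "wget.exe https://dropbox.com/PLACEHOLDER"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent("ws04", r"C:\Windows\System32\cmd.exe",
              r"C:\Tools\wget.exe", "wget.exe https://example.com/update.txt"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['rule']} (parent {a['parent']}): {a['command_line']}")
```

Run against the constructed sample, the detector raises three alerts: the shell launched from Firefox on ws01, and both the Dropbox contact and the Outlook parent for the wget launch on ws02, while the benign browser start and the wget download from an unrelated site on ws03 and ws04 stay silent. Matching on the parent image is what makes the second rule useful: a real user launching wget from a console prompt is noise, but a mail client or browser doing so is not.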

ESET researchers have attributed Crutch to the Russian-speaking APT group Turla. They discovered several strong links between a 2016 version of the Crutch dropper and a Turla tool called Gazer: both samples were found on the same machine within a five-day period, their PDB paths were almost identical, and both used the exact same RC4 key to decrypt their payloads.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” says the ESET release. Crutch was also discovered on the network of the Ministry of Foreign Affairs in an undisclosed European Union country, which also aligns with Turla’s previous strategy of targeting governments, embassies, and military organizations.

Sources:

Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks | Threatpost

Turla Crutch: Keeping the “back door” open | WeLiveSecurity

Experts Uncover ‘Crutch’ Russian Malware Used in APT Attacks for 5 Years (thehackernews.com)

OpenClinic Application Health Care Security Issue

It’s been a while since credit card and social security numbers were enough to supply the criminal market with stolen data. In the last few years there has been a marked increase in the amount of healthcare data up for sale, thanks to some major data breaches and the notoriously poor security of smaller healthcare providers.

While the situation may be improving, there are still plenty of unpatched systems out there. Even worse, some providers are using applications that are largely unsupported. A recent announcement from researchers at Bishop Fox is proof of that.

An open source application called OpenClinic, used for health records management, was found to have four major 0-day vulnerabilities. The most critical is a missing authentication check: a patient does not have to sign in to view test results, which would allow an attacker to directly access patient data with nothing more than the path to the file.

The other three bugs require authentication. A cross-site scripting vulnerability allows an attacker to “embed a malicious payload within a medical record’s address field.” With administrator privileges, an attacker could upload malicious files to an endpoint on the server, allowing them to execute arbitrary code.

There is also a path traversal vulnerability that allows files to be stored outside of designated directories. All versions of OpenClinic are vulnerable to all four bugs. The last update to the application was in 2016.
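Two of the four bugs, the missing authentication check on test results and the path traversal, are generic web-application defects that can be shown side by side in a few lines. The handler below is an added example written for this post; it is not OpenClinic code (OpenClinic is a PHP application, and this toy is Python so that it runs stand-alone), and the function names, session fields, and the `<patient-id>-<name>` file naming are assumptions. The vulnerable version reproduces both bug classes; the hardened version adds authentication, confines the requested name to the records directory, and, since logging in is not the same as being allowed to see a specific record, also checks that the caller owns the record or is a clinician.

```python
"""Vulnerable vs hardened test-result download handler.

Added example, not OpenClinic's code. Reproduces two bug classes from the
advisory generically: a record download with no login check, and a file
path taken from the request without confinement. Names are assumptions.
"""
import os
import tempfile


def _make_fixture():
    """Create a constructed records directory plus one sensitive file outside it."""
    root = tempfile.mkdtemp()
    results = os.path.join(root, "results")
    os.makedirs(results)
    with open(os.path.join(results, "p001-lab.txt"), "w") as f:
        f.write("patient p001: glucose normal")
    with open(os.path.join(root, "config.ini"), "w") as f:  # outside results/
        f.write("db_password=CONSTRUCTED")
    return results


def serve_result_vulnerable(results_dir, session, requested_name):
    """No session check and no path validation: anyone who knows a path reads it."""
    with open(os.path.join(results_dir, requested_name)) as f:
        return f.read()


def serve_result_hardened(results_dir, session, requested_name):
    """Authenticate, confine the path to results_dir, then authorise the caller."""
    # 1. Authentication: an anonymous request never reaches the filesystem.
    if not session or not session.get("user_id"):
        raise PermissionError("login required")
    # 2. Confinement: resolve symlinks and '..' and require the result to stay
    #    under the records directory (an absolute requested_name also fails here).
    base = os.path.realpath(results_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes results directory")
    # 3. Authorisation: a patient may only read records whose file name carries
    #    their own id (assumed naming scheme); clinicians may read any record.
    owner = os.path.basename(target).split("-", 1)[0]
    if session.get("role") != "clinician" and owner != session["user_id"]:
        raise PermissionError("not your record")
    with open(target) as f:
        return f.read()


def demo():
    """Exercise both handlers on the fixture and collect the outcomes."""
    results = _make_fixture()
    out = {}
    # Vulnerable handler: anonymous read of a record, and of a file outside the directory.
    out["vuln_anon"] = serve_result_vulnerable(results, None, "p001-lab.txt")
    out["vuln_traversal"] = serve_result_vulnerable(results, None, "../config.ini")
    # Hardened handler: each bypass attempt is refused with a distinct reason.
    try:
        serve_result_hardened(results, None, "p001-lab.txt")
    except PermissionError as e:
        out["hard_anon"] = str(e)
    try:
        serve_result_hardened(results, {"user_id": "p001", "role": "patient"}, "../config.ini")
    except ValueError as e:
        out["hard_traversal"] = str(e)
    try:
        serve_result_hardened(results, {"user_id": "p002", "role": "patient"}, "p001-lab.txt")
    except PermissionError as e:
        out["hard_other_patient"] = str(e)
    out["hard_owner"] = serve_result_hardened(
        results, {"user_id": "p001", "role": "patient"}, "p001-lab.txt")
    out["hard_clinician"] = serve_result_hardened(
        results, {"user_id": "dr7", "role": "clinician"}, "p001-lab.txt")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the three checks matters: authentication first so that unauthenticated requests never touch the filesystem, confinement before any `open()` so that a traversal attempt cannot even probe for a file's existence, and authorisation last, once the target is known to be a legitimate record. Comparing `os.path.realpath` results with `os.path.commonpath` rather than rejecting the literal string `..` is what makes the confinement hold for encoded, absolute, and symlinked inputs alike.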

The Bishop Fox team attempted to contact the developers of OpenClinic three times but received no response. After 90 days (per their disclosure policy), they published their findings. OpenClinic appears to no longer be supported, and the changelog suggests that releases were few and far between to begin with.

Unfortunately, a quick Google search suggests that there are a few providers out there still using the software in some capacity. The exposed records are old, but exposed nonetheless. The best option for anyone still using the application is to find an alternative as soon as possible.

Sources:

Electronic Medical Records Cracked Open by Unpatched OpenClinic Bugs | Threatpost

Zero-day vulnerabilities in healthcare records application OpenClinic could expose patients’ test results | The Daily Swig (portswigger.net)

What is OpenClinic? (sourceforge.net)