![]()
01/22/2019 06:48 PM EST
Original
release date: January 22, 2019 The U.S. Department of Homeland Security (DHS) Cybersecurity and Federal agencies should review Emergency
|
WordPress Pressed into Service
Researchers at Defiant Threat Intelligence Team have identified a brute force attack campaign on WordPress sites. There have been four command and control (C2) servers identified, over 14,000 proxy servers from best-proxies.ru, and over 20,000 infected WordPress sites. The attacks make XML-RPC authentication attempts against accounts. XML-RPC authentication is used for network services that require security but do not require callers to identify themselves. It is often used in the APIs for mobile app developers to allow their apps to post to WordPress. As such, the apps usually store credentials locally which makes failed credentials fairly uncommon. The high rate of failure caught the researcher’s attention and revealed the campaign.
The plan of this attack contains three steps: create a list of credentials using dynamic wordlist generation, lean on multicall vulnerability to attack on scale, and try to cover its tracks with proxy servers between C2 servers and infected sites. The credentials begin with common passwords along with passwords generated from the list of usernames. Examples given in their report include the domain name, the username, and the username with common values appended to the end. Their example is an attack on example.com with the user name alice, the attack would use example, alice, alice1, alice2, alice2015, alice2016, alice2017, alice2018, and so forth. The attack also relied on the multicall functionality of XML-RPC authentication, the ability to send multiple username and password pairs at once and receive a list of successes and failures. This would allow the attack to make significant initial gains on progress but is limited to attacks on WordPress versions 4.3 and older.
Version 4.4 had since patched this issue and will return failures on any further attempts if the initial attempt is a failure. It is currently on version 4.9.8, but many users are still vulnerable to the multicall attack vector because they have not updated.
Finally, the attacker tries to cover their tracks by using proxy servers to anonymize the control between the attacker and the infected sites. The researchers at Defiant found a word list regeneration script that included a path argument that contained an IP address. The IP address brought the researchers to a login page on a server, which they easily uncovered as one of the C2 servers. They found four different servers which were poorly guarded. The researchers are currently working alongside law enforcement to remedy the attacks and reach out to the victims to alleviate the attacks.
The best defense against such brute force attacks would be to use long randomly generated passwords and updating your services to the latest versions.
Sources:
• https://www.wordfence.com/blog/2018/12/wordpress-botnet-attackingwordpress/
• https://threatpost.com/infected-wordpress-sites-are-attacking-otherwordpress-sites/139666/12
Free Ebook Azure in a month of Lunches
To help developers build and run their applications, services and
integrate upcoming technologies, Microsoft has released an eBook – Learn Azure in a Month of Lunches.
The eBook offers great insights into entry into cloud administration.
Besides, it also gives a high-level explanation of each concept and
common implementations. It breaks down the most important Azure concepts into bite-sized lessons. Using this you will be able to learn how to:
Get Started with Azure
- Use core Azure infrastructure for writing and deploying web servers.
- Make your applications and data secure
- Utilize platform services—including how to choose which service for which task.
- Get ready to adapt to new technologies, including containers and Kubernetes, AI/Machine Learning, and IoT.
There’s a powerful suite of Azure services dedicated to containers
that aligns more with the PaaS approach. If you are not aware,
containers offer a concept of isolation similar to VMs. However,
Containers are typically much more lightweight than VMs and can start up
quicker than VMs, often in a matter of seconds rather than minutes.
Moreover, the size of a container image is typically only tens or
hundreds of MBs, compared to many tens of GBs for VMs.
You can download this Azure eBook here.
Phishing for 2FA
Cybersecurity professionals have known for a long time that passwords alone are not secure enough. Two-factor Authentication (2FA) has become an increasingly common way to add another layer of security. But like anything else in the security world, it is not infallible. This week Amnesty International reported that hacker groups are targeting the email accounts of journalists and human rights activists from the Middle East and North Africa.
One campaign targeted well -known secure email services like ProtonMail, while another campaign focused on Google and Yahoo! accounts where the hackers were able to harvest credentials even from 2FA-enabled accounts.
Chances are, you have at least one account with 2FA. If you’ve ever had to enter a code sent to your smartphone, you’ve used it before. It may seem like a hacker wouldn’t be able to get that code, but if they couldn’t stay one step ahead, they wouldn’t be in business. This report found that the attacks used tried-and true phishing techniques, but with some extra infrastructure in place to automate the process.
It starts with a security alert email that links to a counterfeit login page. Once the victim enters their credentials, the attackers’ server automatically sends those credentials to the legitimate login page. This triggers a request for a 2FA code from the legitimate site that is sent to the victim. The victim enters the code on the fake site, which also passes it to the legitimate site, giving the hackers access to the account. From here the attackers would enable access for third-party apps to keep control of the account.
Despite the extra steps happening in the background, the time it takes to do it is negligible and the victim would not notice the process taking any longer. However, the hackers behind these campaigns did make some mistakes. The servers hosting their fake Google and Yahoo! pages were not locked down. Researchers were able to use exposed directories to view various files and determine what the hackers were up to.
This is not to say that we shouldn’t keep using 2FA – it absolutely is better than a password alone. But it’s worth keeping in mind that phishing is still prevalent because it works and its success isn’t limited to stealing passwords. For folks that feel they are at risk or that just want some extra protection, researchers recommend using hardware tokens.
Sources:
• https://motherboard.vice.com/ en_us/article/bje3kw/how-hackersbypass-gmail-two-factorauthentication-2fa-yahoo
• https://www.amnesty.org/en/latest/ research/2018/12/when-bestpractice-is-not-good-enough/
• https://thestack.com/ security/2018/12/20/hackers-bypass -two-factor-authentication-at-scale/
Lojax UEFI Rootkit
Unified Extensible Firmware Interface (UEFI) rootkits gained quite a bit of attention in the security community over the years with a considerable amount of research going into the topic. However, there’s been limited practical use of this malware type in the wild until the discovery of LoJax. Researchers at ESET associate this new malware with the Sednit group, also known as Fancy Bear, and thoroughly discussed it at the 35C3 conference in Germany late last month.
What makes this kind of malware so dangerous is that it lies within the firmware of a physical machine, thus it is extremely hard to detect and very difficult to cleanse. It can survive reboots, operating system reinstallation, and even hard disk replacement. The chain of infection can usually be broken down into four stages: (1) User-Mode client infection, (2) Kernel-Mode escalation, (3) System Management Mode injection, and ($) SPI Flashing. As is the case for other types of malware, an initial client-side exploit dropper (mechanism for an attacker to get user access to a victim system) is needed. Once attackers have user access to a vulnerable host, they then escalate privileges to system access and attempt to bypass various kernel level security controls such as code signing policies to install kernel-mode payloads. Then the malware elevates privileges to execute System Management Mode payloads so it has access to SPI Flash. Lastly they bypass flash writing protection altering Flash firmware to implant their own flash malware.
LoJax, named after Absolute Software Corporation’s LoJack, is unique for using Lojack’s persistence technique of coming pre-installed in the firmware of laptops manufactured by various OEMs. Due to security weaknesses and misconfigurations within LoJack, attackers were able to trojanize the anti-theft tool creating LoJax. Once LoJax implants itself within the firmware and the system is booted, it loads the malicious SecDxe DXE driver and calls EFI_EVENT_GROUP_READY_TO_BOOT. This callback loads an embedded NTFS DXE driver, writes ‘rpcnetp.exe’ and ‘autoche.exe’ to the OS, and modifies the registry key ‘HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl Session ManagerBootExecute’. The rpcnetp.exe executable is a small agent that is used to initiate communication back to the attacker Command and Control (C&C) server.
As of the date of the initial LoJax research, the primary targets have been different entities in the Balkans as well as Central and Eastern Europe. The primary defense against this malware is enabling Secure Boot and ensuring UEFI firmware is up to date.
Sources
• https://www.welivesecurity.com/wp-content/uploads/2018/09/ESETLoJax.pdf
• https://threatpost.com/uefi-rootkit-sednit/140420/http://www.ncsl.org/
DNS Infrastructure Hijacking Campaign
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
CryptoMix Misdirection
The group behind the CryptoMix malware have changed tactics once again. The bad actors in this case brute force a login through RDP, and then encrypt the data on your computer while attempting to identify and remove any local backups available. With a successful attack, there’s no way to regain your data without the decryption key or through an off-network backup of the system. When attempting to contact the group of enterprising individuals, they will send you an email claiming that the proceeds of your “donation” are going to be put towards charity. They allude that by paying the ransom, the victim will help fund the treatment and care of sick children! In addition to this patently absurd falsity, the bad actors have taken information from local news and crowdfunding websites to be more believable. While this is a bit far fetched, the idea behind it is rather applicable to malware.
The most vulnerable part of every secure system is the human element. Which brings attention to one of the most widely adopted tactics that has been used to acquire information in recent years: social engineering. By interacting with the human component and appealing to either emotions or inattentiveness, bad actors can obtain information or access to locations with next to zero technical prowess. A study at the university of Luxembourg showed that among three groups of individuals given a gift either at the start of interaction, after the question, or as a reward for revealing their password, anywhere from 3050% disclosed their sensitive information. The number goes as high as 47.9% when the reward is predicated on giving an answer. While this is just a single anecdote involving college students, the mentality doesn’t disappear when applied to the working world. Even clicking a real website link is enough when there exists a piece of malware that utilizes a flash exploit to infect the computer upon displaying the malicious advertisement.
One of the best solutions for this social vector is due diligence. Well-designed policies that employees are intimately aware of through thorough training, including awareness of these threats, better threat identification in e-mail firewalls, and clearer communication of proper procedures for employees will help ease the threat of this specific branch of malware. The science does not lie, people want to trust other people, especially those who are friendly, and identifying those who would abuse this trust for personal gain is easier said than done. As professionals, the education and increased awareness of those who aren’t so technically inclined is paramount for the safety of the collective companies that we represent.
Sources:
• https://www.sciencedaily.com/releases/2016/05/160512085123.htm
• https://www.zdnet.com/article/this-old-ransomware-is-using-anunpleasant-new-trick-to-try-and-make-you-pay-up/
• https://www.zdnet.com/article/this-malvertising-campaign-infected-pcswith-ransomware-without-users-even-clicking-a-link/
Hacker Exposes Another Zero-Day Exploit
A hacker called SandboxEscaper disclosed an unpatched zero-day exploit affecting the Windows® operating system. This is the third zero-day exploit SandboxEscaper has disclosed in the last six months. The first exploit was a privilege escalation vulnerability taking advantage of the Advanced Local Procedure Call. SandboxEscaper also released a proof-of-concept (PoC) confirming that the first exploit worked on a fully-patched 64-bit version of Windows 10. The second exploit was another privilege escalation flaw that resided in Microsoft® Data Sharing (dssvc.dll). This exploit allowed lower-privileged users to delete files that normally would only be available to admin level users. They also released a PoC, confirming that the exploit works on a fully patched version of Windows 10, Server 2016, and Server 2019, but doesn’t affect older versions of Windows because dssvc.dll was introduced in Windows 10.
The most recent exploit is “…an arbitrary file read issue” that could allow a malicious program to read the content of any file on a targeted Windows computer that would normally only be accessible with admin privileges. This vulnerability exists within a function in Windows called MsiAdvertiseProduct, which is used to generate advertising scripts, advertise products to the computer, and enable the installer to write the registry and shortcut information used to assign or publish a product to a script. According to SandboxEscaper, this exploit could allow a malicious program to force the installer to make a copy of any file in the system, regardless of privileges, and read its content. They also released a PoC, however, their GitHub account has been taken down since releasing this exploit. Their Twitter account has been suspended, as well as their alternate account. Finally, SandboxEscaper may be under investigation by the FBI. They posted a screenshot of an email from Google stating “Google has received legal process by the Federal Bureau of Investigation (Eastern District of New York) compelling the release of information related to your Google account.”
This blog post has since been removed, as has the blog posts disclosing the various exploits, but the screenshot can still be found on Twitter reposted by other hackers. The motive of this subpoena is unknown at the moment, though, as SandboxEscaper allegedly tweeted something containing a threat against the President of the United States. The tweet was quickly deleted and we are unable to locate any screenshot or mention of the specific contents of the tweet.
Sources:
• https://thehackernews.com/2018/08/windows-zero-day-exploit.html
• https://thehackernews.com/2018/10/windows-zero-day-exploit.html
• https://thehackernews.com/2018/12/windows-zero-dayexploit.html
• http://www.ncsl.org/research/telecommunications-andinformation-technology/cybersecurity-legislation-2018.aspx
Gas and Oil Industry More Vulnerable to Malware then Ever Before
Oil and gas companies within the Middle East and Russia have once again been targeted and attacked by various strains of malware. One of the strains appears to be the third version of the Shamoon worm that ran rampant in 2016, and the other one is known as Seedworm, named after the cyber espionage group that created it.
Shamoon was built as a master boot record eraser that infected Windows® based machines so that once exploited they could not reboot once turned off. Back in 2016, Shamoon spread by using a list of hostnames taken directly from the Active Directory of a compromised host. Version 3 has discarded this method of infection and follows in the footsteps of WannaCry and NotPetya, propagating over compromised networks using the Server Message Block protocol within Windows. 300 servers and 100 personal computers out of a total of 4000 machines have been crippled in the attack against Italian oil and gas contractor Saipem. Luckily no data was lost due to the company backing up their systems, proving the importance of having proper disaster recovery policies in place.
Seedworm has infiltrated more than 30 organizations already, with most of the targets within the Middle East and Russia. Telecommunications and IT services were the main targets due to the fact that agencies could provide the hackers with additional targets to attack, but the second target were businesses in the oil and gas industry. Seedworm uses a tool called Powermud, a custom made script that allows the threat actors to evade detection in systems that Seedworm compromises. Once compromised, Seedworm executes a payload that scans through web browsers and email to steal credentials, giving researchers the opinion that gaining access to victim personal information is the hacker group’s primary goal. Seedworm, also known as MuddWater or Zagos, is well known for constantly changing tactics. By relying on public tools available on repositories such as GitHub allows the group to quickly update and alter operations through only applying small changes to the code.
The security of the gas and oil industries is essential to maintain stability in the nation’s critical infrastructure. As more and more malware strains become increasingly sophisticated in their execution, so should the enforcement of the policies and procedures to defend against them. With the digitization of the industry, over 50 percent of the managers responsible for the protection of the industry have said they are more vulnerable to cyber attacks then ever before.
Sources:
https://thehill.com/policy/cybersecurity/420616-security-firm-unveils-newtactics-of-active-cyber-espionage-group
https://thehackernews.com/2018/12/shamoon-malware-attack.html?m=1
Logitech Leaves Keystroke Injection Flaw Unaddressed for Months.
Three months ago, security researcher Travis Ormandy from Google Project Zero detailed a significant flaw of which Logitech has finally released a patch. In his September 18th meeting the engineers at Logitech gave the impression that they understood the problem and had a fix in mind and were ready to roll out a patch immediately.
The flaw in the Logitech Options application resides in the users ability to customize the behavior or buttons on their mice and keyboards. This feature is enabled by an app that leaves a WebSocket server on the system that the app is installed upon. That server supports several intrusive commands, auto-starts due to a registry entry, and has a very flimsy authentication method.
Travis details in his report: “The only ‘authentication’ is that you have to provide a Process ID (PID) of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds.” Once a malicious actor puts in the microseconds of work needed to gain access they can send commands, change options or even send keystrokes. This suggests that the app could be a fantastically powerful attack platform locally or even remotely through the use of keystroke injection attacks.
Injection attacks can give an actor the ability to create other attack vectors within an organization. They can farm information from infected systems like email and contact information, install additional malware like keyloggers or botnets, or even perform a total system take over. An exploit like this can very easily be used to gain additional access to other systems or servers within an organization. In turn, that can easily turn into a massive data breach and/or loss of customer data. Alternatively it can be used to gain banking information or even direct access, turning your keyboard or mouse into a platform to exploit a less security-conscious home user’s banking or credit card information, access medical records or log passwords, or even add them to a botnet.
Ormandy details that the issue was not resolved in the October 1st release of the Options app. After giving Logitech three months to fix the issue, he decided to go public with his bug report. It seems that the bug report had some traction on twitter by Dec 11th pointing out that the problem exists on the Mac versions as well. The patch was released Thursday Dec 13th. Ormandy continues to show skepticism that Logitech will act promptly without the threat of bad publicity.
Sources:
https://www.zdnet.com/article/logitech-app-security-flaw-allowed-keystrokeinjection-attacks/
https://threatpost.com/logitech-keystroke-injection-flaw/139928/