My information Resource (blog.mir.net)

Go here
for more information

National Cyber Awareness System:

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between
the Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI). DHS and FBI are releasing this TA to provide
information about a major online ad fraud operation—referred to by the U.S.
Government as “3ve”—involving the control of over 1.7 million
unique Internet Protocol (IP) addresses globally, when sampled over a
10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and
large numbers of visitors to view those ads. 3ve created fake versions of both
(websites and visitors), and funneled the advertising revenue to cyber
criminals. 3ve obtained control over 1.7 million unique IPs by
leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as
well as Border Gateway Patrol-hijacked IP addresses. 

Boaxxe/Miuref
Malware

Boaxxe malware is spread through email attachments and drive-by downloads.
The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a
data center. Hundreds of machines in this data center are browsing to
counterfeit websites. When these counterfeit webpages are loaded into a
browser, requests are made for ads to be placed on these pages. The machines in
the data center use the Boaxxe botnet as a proxy to make requests for these
ads. A command and control (C2) server sends instructions to the infected
botnet computers to make the ad requests in an effort to hide their true data
center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by
downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden
Chromium Embedded Framework (CEF) browser on the infected machine that the user
cannot see. A C2 server tells the infected machine to visit counterfeit
websites. When the counterfeit webpage is loaded in the hidden browser,
requests are made for ads to be placed on these counterfeit pages. The infected
machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of
compromise (IOCs) below, keep in mind that any one indicator on its own may not
necessarily mean that a machine is infected. Some IOCs may be present for legitimate
applications and network traffic as well, but are included here for
completeness.

Boaxxe/Miuref
Malware

Boaxxe malware leaves several executables on the infected machine. They may
be found in one or more of the following locations:

• %UserProfile%AppDataLocalVirtualStorelsass.aaa
• %UserProfile%AppDataLocalTemp lt;RANDOM>.exe
• %UserProfile%AppDataLocal lt;Random eight-character folder
name> lt;original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the
executables created above.

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun lt;Above path
to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may
be found on the infected machine:

• %UserProfileAppDataLocalTemp lt;RANDOM> .exe/.bat
• %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet
FilesContent.IE5 lt;RANDOM> lt;RANDOM FILENAME>.exe
• %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.lnk
• %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.bat

Kovter is known to hide in the registry under:

• HKCUSOFTWARE lt;RANDOM> lt;RANDOM>

The customized CEF browser is dropped to:

• %UserProfile%AppDataLocal lt;RANDOM>

The keys will look like random values and contain scripts. In some values, a
User-Agent string can be clearly identified. An additional key containing a
link to a batch script on the hard drive may be placed within registry key:

• HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

There are several patterns in the network requests that are made by Kovter
malware when visiting the counterfeit websites. The following are regex rules
for these URL patterns:

• /?ptrackp=d{5,8}
• /feedrsd/click?feed_id=d{1,5}&sub_id=d{1,5}&cid=[a-f0-9-]*&spoof_domain=[w.d-_]*&land_ip=d{1,3}.d{1,3}.d{1,3}.d{1,3}
• /feedrsd/vast_track?a=impression&feed_id=d{5}&sub_id=d{1,5}&sub2_id=d{1,5}&cid=[a-fd-]

The following is a YARA rule for detecting Kovter:

Solution

If you believe you may be a victim of 3ve and its associated malware or
hijacked IPs, and have information that may be useful to investigators, submit
your complaint to www.ic3.gov and use the
hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware
infections associated with Boaxxe/Miuref or Kovter:

• Use
  and maintain antivirus software. Antivirus software recognizes and protects your
  computer against most known viruses. Security companies are continuously
  updating their software to counter these advanced threats. Therefore, it
  is important to keep your antivirus software up-to-date. If you suspect
  you may be a victim of malware, update your antivirus software definitions
  and run a full-system scan. (See Understanding Anti-Virus
  Software for more information.)
• Avoid
  clicking links in email. Attackers have become very skilled at making phishing
  emails look legitimate. Users should ensure the link is legitimate by
  typing the link into a new browser. (See Avoiding Social
  Engineering and Phishing Attacks.)
• Change
  your passwords. Your
  original passwords may have been compromised during the infection, so you
  should change them. (See Choosing and Protecting
  Passwords.)
• Keep
  your operating system and application software up-to-date. Install software patches
  so that attackers cannot take advantage of known problems or
  vulnerabilities. You should enable automatic updates of the operating
  system if this option is available. (See Understanding Patches and
  Software Updates for more information.)
• Use
  anti-malware tools. Using a legitimate program that identifies and removes
  malware can help eliminate an infection. Users can consider employing a
  remediation tool. A non-exhaustive list of examples is provided below. The
  U.S. Government does not endorse or support any particular product or
  vendor.
• ESET Online Scanner
• F-Secure
• Malwarebytes
• McAfee
• Microsoft
  Safety Scanner
• Norton Power Eraser
• Trend Micro HouseCall

References

• DOJ
  Press Release
• ewhitehats
  White Paper on Kovter Malware
• ewhitehats: THE
  HUNT FOR 3VE
• Google
  Security Blog: Industry collaboration leads to takedown of the “3ve” ad
  fraud operation

Keyboard
shortcuts are keys or combinations of keys that provide an alternative
way to do something that you’d typically do with a mouse.

Relative Identifier (RID) Hijacking has recently gained public attention as a simple, novel, and effective technique to maintain persistence on a Windows system after initial compromise. As information security awareness continues to rise in many organizations their overall security posture also increases, especially in larger organizations that can afford it. As a result, many attackers are forced to leverage stealth techniques when targeting these types of companies to bypass security mechanisms.
RID Hijacking effectively allows attackers to assign higher level administrative privileges to lower level accounts that they might have direct access to after initial system compromise. What makes this method so attractive to attackers is that it leverages strictly Windows native commands to execute the technique, does not require installing any additional software, and is a relatively simple process. Therefore, it does not make much noise on a system and in many cases is difficult to detect unless defenders are carefully monitoring the Security Account Manager ( SAM) registry.
Since Windows XP, Windows uses the SAM to store security descriptors for user accounts. These Windows systems store most of this information in the ‘HKLMSAMSAMDomainsAccountUse rs’ key, which does require SYSTEM level privileges to access. This key contains a variety of structured information representing user privilege information. The ‘Names’ subkey contains all the local user account names and looking at the ‘F’ value within this structure is a long number that contains the RID value at hex offset 30 within it along with other interesting information such as whether the account is enabled or disabled. According to security researcher, Sebastian Castro the RID copy stored in the ‘F’ value hex number is the value that is used by the Local Security Authority Subsystem Service (LSASS) and the Security Reference Monitor (SRM) to generate the primary access token used when translating from username to security identifier (SID). This token essentially is used on the system when users are attempting to access system services and applications. So if an attacker can modify the RID value to hex 0x1f4 or 500 in decimal of a guest user account as an example, they can give that guest account system level access. This technique is known as RID hijacking.
Sebastian Castro, the security researcher investigating this vulnerability also published an exploit which automates this attack in Metasploit, which is a popular open source exploit framework used by many worldwide. The exploit can be found at ‘post/windows/manage/ rid_hijack’ within the framework. This exploit has been tested on Windows XP, Windows Server 2003, Windows 8.1, and Windows 10. The best-recommended way to defend against this attack is by monitoring the system registry and looking for inconsistencies within the SAM.
  Sources:
https://threatpost.com/trivial-postintrusion-attack-exploits-windowsrid/138448/  https://csl.com.co/en/rid-hijacking/

A zero-day exploit in the jQuery file upload tool may have had an open secret for years. A security researcher at Akamai Security Intelligence Response Team (SIRT) by the name of Larry Cashdollar found the exploit designated CVE-20189206. The vulnerability affects the plugin authored by Sabastian Tschan commonly known as “blueimp”. The jQuery File upload is one of the most starred plugins on github next to the jQuery framework itself. The tool appears to have been forked over 7800 times and has most likely been integrated on thousands of other projects. 
The vulnerability affects Apache web servers that have the plugin and has existed since Apache 2.3.9 when Apache disabled support for .htaccess security configuration files. Unfortunately, jQuery’s file upload relied on .htaccess, and Apache made the change only five days before Sabastian’s plugin was first published. Worse yet it seems that this exploit has been an open secret in the hacker community for years. An attacker can use the vulnerability to upload files without any validation required. This would allow attackers to upload back doors, key loggers, and even execute a web shell on the server. Cashdollar was able to get in touch with Sabastion, and together they were able to work to get the vulnerability fixed in the latest version for the jQuery file upload. However, both noted that it is unlikely to get deployed in all the other projects and/or servers that use the plugin. They stated that there is no accurate way to determine how many projects that have forked from the jQuery file upload and if they are being maintained by applying changes to the master project. Additionally, there are no good ways to determine how many production environments that possibly have the plugin integrated in them.
Cashdollar has also noted that he doubts that he is the only person to find the videos that demonstrate this vulnerability. The videos on YouTube indicate that this exploit has been known and used in some circles for years, so it is possible that hackers have been able to quietly utilize this method to execute remote code on webservers that are using the plugin. However, now that the code has been patched and the exploit has been made public, there is concern that that the risk has increased. With an unknown number of potential forked projects and environments that might use the tool the likelihood that the patch will not entirely eliminate the potential threat. If you want to test your environment for this vulnerability this link will help Https://gethub.com/lcashdol/treee/Exploits/ tree/master/CVE-2018-9206. There you will find the files that will test for three of the most commonly used variations of the exploit software.
Sources:
 https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/
https://searchsecurity.techtarget.com/news/252451045/Zero-day-jQueryplugin-vulnerability-exploited-for-3-years
 https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-activelyexploited-for-at-least-three-years/  

Here is a Blog from Microsoft about changes to Windows 10 1809.

Features we removed in this release

We’re removing the following features and functionalities from the
installed product image in Windows 10, version 1809. Applications or
code that depend on these features won’t function in this release unless
you use an alternate method.

Features we’re no longer developing

We’re no longer actively developing these features and may remove
them from a future update. Some features have been replaced with other
features or functionality, while others are now available from different
sources.

If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app.

NIST invites
comments on Draft Special Publication (SP) 800-179 Revision 1, Guide to Securing macOS 10.12 Systems
for IT Professionals: A NIST Security Configuration Checklist. This
publication assists IT professionals in securing macOS 10.12 desktop and laptop
systems within various environments. It provides detailed information about the
security features of macOS 10.12 and security configuration guidelines. The
publication recommends and explains tested, secure settings with the objective
of simplifying the administrative burden of improving the security of macOS
10.12 systems in three types of environments: standalone, managed, and
specialized security-limited functionality.

A public comment period for this document is open until November 16, 2018.
We strongly encourage you to use the comment template for submitting your
comments.

CSRC Update:
https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-179-rev-1-for-comment

Publication Details:
https://csrc.nist.gov/publications/details/sp/800-179/rev-1/draft

For the past four years, thousands of servers may have been subject to an  extremely simple authentication bypass vulnerability. CVE-2018-10933 affects libssh versions since 0.6.0, an implementation library for Secure Shell (SSH) that was released in 2014. It is limited only to certain implementations of SSH and does not affect the widely-used OpenSSH. 
Still, all the attacker has to do is send the server the message SSH2_MSG_USERAUTH_SUCCESS” instead of “SSH2_MSG_USERAUTH_REQUEST” and they have full access. Experts are saying that the overall impact is small, given that OpenSSH is not impacted and a libssh patch has already been released. So how many systems are actually at risk? A quick Shodan search by one researcher returned 6,351 servers just by looking for “libssh”. Another researcher added port 22 to the search, bringing the number down to 3,004. But this doesn’t tell us how many systems are running vulnerable versions of of libssh. And really, pinning down an accurate number is not easy. Shodan doesn’t cover everything that’s out there and what’s out on the internet can change in the blink of an eye. 

Advanced Persistent Threats (APT) are being recognized as one of the biggest cyber threats in the industry today. There are many groups globally behind the numerous attacks of this type in recent history. Three major cyber incidents that garnered global attention were the BlackEnergy power grid attack, the Industroyer power grid attack, and the NotPetya malware outbreak. However, what if the same APT group was behind all three of these attacks?
The BlackEnergy attack caused blackouts in the Ukranian power grid in December 2015. Industroyer, also known as CrashOverride, also attacked the Ukranian power grid in December 2016 and is the first case of malware designed to specifically target a power grid. After the BlackEnergy attack, the group behind it (also called BlackEnergy) became known as TeleBots and carried out attacks against the Ukranian financial sector, eventually culminating in the outbreak of the NotPetya malware. There was speculation in the cybersecurity community that the BlackEnergy and Industroyer attacks were both perpetrated by the TeleBots group but no evidence to support these claims. However, the discovery of another TeleBots malware, Exramel, by the ESET security group in April 2018 provided the missing link.
Exramel uses a backdoor that appears to be an upgraded version of the backdoor used by Industroyer. There are many similarities in the code, especially the list of available commands it can receive from its Command and Control (C&C) servers and the way each handles reporting and redirecting output streams. Each backdoor also disguises itself as an antivirus service for detection avoidance and groups targets based on their security solutions being used. The similarity between the two led the ESET researchers to conclude that it is unlikely to be a case of coincidental code sharing between threat actors.
Linking TeleBots to Industroyer shows just how much of a threat the group can pose, being the single entity behind three of the most groundbreaking and devastating cyberattacks in history. In addition, the recent claims from multiple governments that Russian military intelligence groups are behind TeleBots throws even more intrigue into the mix and leaves a daunting question: what could TeleBots be up to next?
Sources:

 https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraineenergy-grid/138287/
 https://www.zdnet.com/article/security-researchers-find-solid-evidencelinking-industroyer-to-notpetya/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoorlinking-industroyer-notpetya/