Activity Summary - Week Ending January 25, 2019

Our partner Fortinet publishes a weekly report on the threats it has observed. The report for this week follows. If you have questions, do not hesitate to contact us.


FortiGuard Labs has a dedicated team of researchers who look for vulnerabilities and weaknesses in high-impact programs and applications. The intent is to find the vulnerabilities before the bad actors do, and to work with the affected vendors to get an effective patch released before the vulnerability is exploited.

In December, the FortiGuard Labs research team discovered a vulnerability in QuartzCore on macOS and iOS. This week Apple released two updates, macOS 10.14.3 and iOS 12.1.3, which include the fix for this vulnerability, tracked as CVE-2019-6231. A malicious application could exploit it to read restricted memory.

QuartzCore, also known as Core Animation, is the framework macOS and iOS use to compose and animate on-screen graphics. It uses a rendering model in which the graphics operations run in a separate process: WindowServer on macOS and backboardd on iOS. Both of these processes have the right to call setuid, so a memory-safety bug reachable from a less privileged process is valuable to an attacker.

The service named com.apple.CARenderServer in QuartzCore is usually referred to as CARenderServer. It exists on both macOS and iOS and is reachable from within the Safari sandbox, so sandboxed renderer code can talk to it directly. The vulnerability is an integer overflow in the way QuartzCore handles image objects in the function CA::Render::Image::Decode().

Full details of our analysis are on the blog, where we deep-dive into the macOS vulnerability [Read More]. Apple's security notes for the two updates give further details.

Anatova Ransomware - A new multi-module ransomware has been discovered. Anatova is being reported across the globe, with most detections in the United States, followed by Belgium, Germany, France and the United Kingdom. The malware authors typically disguise the executable with the icon of a game or application as a decoy to entice users to download and run it.

When launched, Anatova asks for administrator privileges, runs a few checks and then encrypts files on the computer. It demands 10 DASH coins (about $700) in ransom. Its multi-module design lets the authors add further malicious capabilities later, potentially turning it into an 'all-in-one' tool. Anatova reportedly contains an anti-analysis routine, a memory-cleaning procedure that appears to activate under certain conditions. One notable check is on the username of the logged-in user: if it matches a specific list, the cleaning routine runs and the ransomware exits. The ransomware also protects itself with several tricks, encrypting most of its strings with a different key for each and relying on dynamic API calls. Each victim needs a separate, specific key to unlock the encrypted files. Finally, to eliminate local file recovery, it deletes the volume shadow copies, repeating the deletion ten times, so that no local backup remains.

Because of Anatova's obfuscation and its ability to infect network shares, it is considered a potentially serious threat. Although ransomware volumes have been trending down of late, this type of threat still poses a consequential problem and should be taken seriously. For more details: [Read More]

Signatures: W32/Azden.A!tr, W32/Encoder.BHU!tr, W64/Encoder.BHU!tr.ransom

Application Vulnerabilities / IPS

Rank  Name                                                          Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow   27,754
2     Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution       17,831
3     D-Link.DSL-2750B.CLI.OS.Command.Injection                     16,964
4     Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities  15,481
5     PHPUnit.Eval-stdin.PHP.Remote.Code.Execution                  13,023


Drupal.Core.database.inc.expandArguments.SQL.Injection -- Drupal is an open-source content-management platform written in PHP and distributed under the GNU General Public License. The standard release of Drupal, Drupal Core, contains features common among content management systems. In 2014, an SQL injection vulnerability was discovered in Drupal Core. The vulnerability is due to insufficient validation of user-supplied data when expanding argument values used in SQL queries.

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request parameter to a Drupal Core server. Successful exploitation could lead to arbitrary code execution in the security context of the server. The issue lies in the "expandArguments" function of the database abstraction API in Drupal Core 7.x: prior to version 7.32, this function did not properly construct prepared statements, because the placeholder names it generated for array-valued parameters were derived from attacker-controlled array keys.
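To make the defect concrete, here is an added example, a Python port (not Drupal's own PHP) of the array-placeholder expansion that Drupal 7's expandArguments() performs. It shows the pre-7.32 behaviour, where the placeholder suffix is the caller's array key, beside the 7.32 fix, which uses array_values() so the suffix is a counter. The query string and the attacker's parameter array are constructed for the demonstration; PHP builds exactly such an array from a request parameter like name[0 ;DROP TABLE users;#]=foo.

```python
import re

# Added example: a Python port (not Drupal's PHP) of the array-placeholder
# expansion done by Drupal 7's DatabaseConnection::expandArguments(). When a
# query argument is an array, each element gets its own placeholder named
# "<placeholder>_<suffix>" and the query text is rewritten to list them.


def _expand(query, args, suffixes):
    """Shared expansion loop; `suffixes` decides where the suffix comes from."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        new_keys = {f"{key}_{suffix}": value for suffix, value in suffixes(data)}
        # The placeholder list is spliced straight into the SQL text.
        query = re.sub(re.escape(key) + r"\b", lambda _m: ", ".join(new_keys), query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Drupal 7.x before 7.32: the suffix is the array's own key, which PHP
    takes verbatim from the request, so the attacker controls part of the
    SQL string even though placeholders are in use."""
    return _expand(query, args, lambda data: data.items())


def expand_arguments_fixed(query, args):
    """Drupal 7.32: array_values() discards the caller's keys, so the suffix is
    a 0-based counter and only "<placeholder>_<n>" ever reaches the SQL."""
    return _expand(query, args, lambda data: enumerate(data.values()))


PLACEHOLDER = re.compile(r":[A-Za-z0-9_]+")


def unexpected_sql(original, expanded):
    """Detect the defect: replace every placeholder with ':p', collapse the
    ':p, :p, ...' lists the expansion legitimately produces, and compare.
    Anything else that appeared in the expanded query was injected."""
    def normalise(q):
        q = PLACEHOLDER.sub(":p", q)
        return re.sub(r":p(?:, :p)*", ":p", q)
    return normalise(original) != normalise(expanded)


# Constructed sample: an IN(:name) query and the argument array PHP would
# build from the request  name[0 ;DROP TABLE users;#]=foo&name[1]=bar
QUERY = "SELECT * FROM users WHERE name IN (:name) AND status = 1"
ATTACK_ARGS = {":name": {"0 ;DROP TABLE users;#": "foo", "1": "bar"}}

if __name__ == "__main__":
    for fn in (expand_arguments_vulnerable, expand_arguments_fixed):
        q, _ = fn(QUERY, ATTACK_ARGS)
        print(f"{fn.__name__}: {q}  | injected: {unexpected_sql(QUERY, q)}")
```

The vulnerable expansion yields `... IN (:name_0 ;DROP TABLE users;#, :name_1) ...`, so the attacker's text is now part of the statement the database driver prepares; the fixed one yields `... IN (:name_0, :name_1) ...` regardless of what keys the request carried.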

Malicious.JavaScript.Obfuscation.Code.Packer.Detection -- This signature helps us gauge the prevalence of the obfuscation techniques commonly used to deliver malicious JavaScript payloads. It attempts to detect the most common evasion tactics used to conceal malicious JavaScript.

Threat actors constantly use certain evasion methods to bypass conventional signature matching and outdated AV technology. Functions that feature prominently in these payloads are unescape(), reverse() and toString(); the order in which they appear is also significant and is therefore analysed by the signature. We have observed a significant daily increase in events triggered by this IPS signature across our devices, which suggests the method is popular with attackers.

Signatures: Malicious.JavaScript.Obfuscation.Code.Packer.Detection
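As an added illustration (not the FortiGuard signature itself), the scorer below looks for the same unescape()/reverse()/toString() chain and records the order in which the calls first appear, since packers decode first, reassemble second and eval() last. The extra indicators (eval, String.fromCharCode, density of escaped bytes), the scoring weights and the threshold are assumptions of this example; both JavaScript samples are constructed.

```python
import re

# Added example: a small scorer for the packing chain described above.
# Indicators, weights and threshold are this example's own assumptions,
# not the signature's logic.

INDICATORS = {
    "unescape": re.compile(r"\bunescape\s*\("),
    "reverse": re.compile(r"\.reverse\s*\("),
    "toString": re.compile(r"\.toString\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
}
CORE = {"unescape", "reverse", "toString"}          # the signature's core triple
ESCAPED_BYTE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}")


def call_sequence(js):
    """Indicator names ordered by the position of their first occurrence."""
    hits = []
    for name, pattern in INDICATORS.items():
        match = pattern.search(js)
        if match:
            hits.append((match.start(), name))
    return [name for _, name in sorted(hits)]


def packer_score(js):
    seq = call_sequence(js)
    score = len(CORE & set(seq))                      # one point per core call seen
    if len(seq) > 1 and seq[-1] == "eval":
        score += 1                                    # a decode chain ends in eval()
    if len(ESCAPED_BYTE.findall(js)) > 20:
        score += 1                                    # dense encoded payload
    return score, seq


def is_suspicious(js, threshold=3):
    return packer_score(js)[0] >= threshold


# Constructed samples. The "payload" is a harmless snippet percent-encoded
# the way a packer would embed it.
_ENCODED = "".join("%%%02X" % b for b in b"<script>document.write('demo')</script>")
PACKED_SAMPLE = (
    'var p = "' + _ENCODED + '";\n'
    'var q = unescape(p).split("").reverse().join("");\n'
    'var r = q.toString();\n'
    'eval(r);\n'
)
BENIGN_SAMPLE = (
    'var n = (255).toString(16);\n'
    'console.log("hex " + n);\n'
)

if __name__ == "__main__":
    for label, js in (("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, seq = packer_score(js)
        print(f"{label}: score={score} sequence={seq} suspicious={is_suspicious(js)}")
```

A single toString() call is ordinary JavaScript, which is why the benign sample scores low; it is the combination and the order, ending in eval(), that the signature and this scorer key on.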


Malware Activity

Rank  Name                               Prevalence
1     Android/Agent.FJ!tr                5,536
2     W32/Agent.AJFK!tr                  5,254
3     MSOffice/CVE_2017_11882.A!exploit  4,154
4     MSWord/Agent.MY!exploit            3,948
5     Adware/Agent                       3,576


A 'Rocke'-y and Cloudy Start to 2019 -- FortiGuard Labs is aware of recent activity by the threat actor known as the Rocke group, which actively targets cloud workloads. This week researchers published an analysis of cryptojacking activity that bypassed cloud security products simply by uninstalling them. The malware targets cloud workload protection platforms (CWPPs); the products observed being removed in this attack are well-known Chinese cloud security agents. The malware targets Linux-based servers. The Rocke group is believed to be linked to the Iron cyber-crime group, an APT believed to be of Chinese origin.

The infection chain ends with a Monero cryptocurrency miner running on the compromised host. To get there, the malware runs known exploits (see the signatures below) to obtain root-level access on the machine, which is what allows it to uninstall services. It then removes the cloud security agents popular in China, downloads a payload from its server and runs it. The malware may also try to make sure it is the only process mining on the host, killing competing miner processes and blocking other cryptomining malware.

Although the steps taken by this malware are straightforward, incidents like these will only become more prevalent as more services move to the cloud. The weak point exploited here is an agent that a root-level process on the protected host can simply uninstall; cloud security solutions need to be robust against that kind of tampering, and the challenges it poses need to be mitigated.

Signatures: Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection, Linux/CoinMiner.0623!tr

Indicator(s):
hxxp://dwn.rundll32.ml
hxxp://www.aybc.so
hxxp://a.ssvs.space
hxxp://sydwzl.cn

Magecart Attacks: Ecommerce Advertising on the Line? -- FortiGuard Labs is aware of recent activity by the actors behind the latest round of Magecart attacks. Earlier this week, researchers documented yet another Magecart attack that hit multiple ecommerce websites through code injected into a third-party JavaScript library supplied by an advertising company. The company responsible for the library has since cleaned it up, but before the injection was detected more than 250 ecommerce websites were documented as affected.

Magecart is the collective name for a number of criminal groups that skim payment-card data from online shops; the name comes from the open-source Magento shopping cart these groups originally targeted, and a "Magecart attack" is one in which a skimming script is planted in a site's checkout flow. This most recent attack is attributed to a new subgroup dubbed Magecart Group 12. To avoid detection, the JavaScript injected into the ecommerce site is obfuscated. When it detects that the user is entering payment details, the script records the form fields and their values, Base64-encodes them and sends them to an attacker-controlled server. The script looks for English, French and German keywords on the page, which points to European targets and/or a European source.
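The exfiltration step described above, skimmed form fields sent Base64-encoded to a collector, is something an outbound proxy or egress filter can check for. The following added example (not part of the brief or the skimmer) decodes Base64-looking request parameters and flags any that contain a Luhn-valid card number. Both requests are constructed; the collector hostname is a placeholder, not one of the indicators listed below.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example: egress check for Base64-encoded form data carrying a card
# number, the pattern used by the skimmer described above. Requests below are
# constructed and the collector host is a placeholder.

PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Standard Luhn checksum; used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


def try_base64(value):
    """Return the decoded text if `value` is valid Base64 (standard or URL-safe)
    that decodes to printable UTF-8, else None."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def mask(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_request(url, body):
    """Findings for every query or form parameter whose Base64 payload
    contains a Luhn-valid card number."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    for name, values in parse_qs(body).items():
        params.setdefault(name, []).extend(values)
    findings = []
    for name, values in params.items():
        for value in values:
            decoded = try_base64(value)
            if decoded is None:
                continue
            for pan in find_pans(decoded):
                findings.append({"param": name, "host": parts.hostname, "pan": mask(pan)})
    return findings


# Constructed samples: what the skimmer would post, and an ordinary analytics beacon.
SKIMMED_FIELDS = {"cc_number": "4111111111111111", "cc_exp": "12/22",
                  "cc_cvv": "123", "email": "jane@example.com"}
SKIMMER_URL = "https://collector.invalid/img.gif"
SKIMMER_BODY = urlencode({"data": base64.b64encode(json.dumps(SKIMMED_FIELDS).encode()).decode()})
BENIGN_URL = "https://analytics.example/collect"
BENIGN_BODY = urlencode({"ev": base64.b64encode(b'{"page":"checkout","step":2}').decode()})

if __name__ == "__main__":
    print("skimmer:", inspect_request(SKIMMER_URL, SKIMMER_BODY))
    print("benign: ", inspect_request(BENIGN_URL, BENIGN_BODY))
```

The Luhn check is what keeps this usable: timestamps, order numbers and session identifiers are also long digit runs, and Base64 false positives on short parameter values are filtered by requiring printable UTF-8 after decoding.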

Signatures: JS/MCart.4C13!tr, JS/MCart.281D!tr, JS/MCart.6850!tr, JS/MCart.9260!tr

Indicator(s):
givemejs[.]cc
content-delivery[.]cc
cdn-content[.]cc
deliveryjs[.]cc


Web Filtering Activity

Controlling the Control Panel -- The FortiGuard Web Filter team is aware of a phishing campaign that slips past email security controls by using an attachment with a .cpl extension. Earlier this week, researchers published details of this campaign. The emails claim to come from the "Servicio de Impuestos Internos", Chile's internal revenue service, and target Spanish-speaking victims, specifically in South America. .cpl attachments have been used in other phishing campaigns delivering known banking Trojans such as Banload.

A .cpl file is a Control Panel item on Windows: a DLL that Windows loads and executes when the user opens it, which makes it an effective wrapper for a dropper even though it does not carry an .exe extension. Once the .cpl file runs, it downloads a second payload, an OverByte ICS Logger. Once that keylogger is running, it attempts to capture the victim's banking information and sends it to the C2 server.
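An added example (not from the brief) of the gateway-side check this campaign calls for: walk the MIME attachments of a message and flag Control Panel items by both the declared filename (including double extensions such as factura.pdf.cpl) and the decoded content, since a .cpl is a PE file and starts with "MZ" regardless of what Content-Type the sender declared. The lure message is constructed; sender and recipient addresses are placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Added example: attachment check for Control Panel items (.cpl) and other
# directly executable types. The sample message below is constructed.

RISKY_EXTENSIONS = {".cpl", ".exe", ".scr", ".dll", ".js", ".vbs", ".hta"}
PE_MAGIC = b"MZ"   # DOS header of every PE image, .cpl included


def risky_attachments(raw):
    """Return one finding per attachment whose extension or content is executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]      # last extension wins on Windows
        content = part.get_payload(decode=True) or b""
        looks_pe = content.startswith(PE_MAGIC)
        if ext in RISKY_EXTENSIONS or looks_pe:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "extension_hit": ext in RISKY_EXTENSIONS,
                "pe_header": looks_pe,
            })
    return findings


def build_sample_email():
    """Constructed lure in the style described above: an invoice mail carrying a
    .cpl behind a generic Content-Type, plus a harmless PDF for contrast."""
    msg = EmailMessage()
    msg["From"] = "facturacion@sii.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Factura electronica pendiente"
    msg.set_content("Adjuntamos su factura. Abra el archivo para ver el detalle.")
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"   # stub bytes, not a real binary
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="factura.pdf.cpl")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="factura.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in risky_attachments(build_sample_email()):
        print(finding)
```

Checking the content as well as the name matters here because the campaign relies on the attachment not looking like an executable; a filter that only matches on ".exe" in the filename, or trusts application/octet-stream, lets the .cpl through.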

The FortiGuard Web Filter team has blacklisted all the IPs and URLs associated with this phishing campaign.

Indicator(s):
hxxps://gentsilen.com.mx/cl/factura.php
185-35-139-197[.]v4[.]as62454[.]net
185-35-139-190[.]v4[.]as62454[.]net
185[.]35[.]137[.]85
185[.]35[.]137[.]80
185[.]35[.]139[.]190


Source : https://fortiguard.com/resources/threat-brief/2019/01/25/fortiguard-threat-intelligence-brief-january-25-2019

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – front office
+421 41/202 88 81 – support
+421 41/202 88 82 – sales department
Company No.: 43892345
TAX No.: 2022541378
VAT No.: SK2022541378
Bank account (IBAN):
SK13 1100 0000 0026 2582 3735