Articles

Fresh information from the world of IT security

Activity Summary - Week Ending January 4, 2019 more articles »

Activity Summary - Week Ending January 4, 2019

Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us


The Ryuk ransomware caused a major disruption for some high-profile print media organizations in the United States. This malware is typically used in targeted attacks carried out via phishing or through planted files on insecure remote desktops. While the code appears to have similarities with Hermes, a ransomware associated with the North Korean hacker group Lazarus, no connection has been publically credited at this time, although the attack does appear to have originated from outside the United States. While this attack is still being investigated, it is noted that it appears the intention was to disable the infrastructure, specifically servers, as opposed to stealing information. Overall, the attack did cause the cybercriminals expected disruption, but alas, newspapers did go out, rather a bit later than expected.

Ryuk ransomware either will use the file naming format - [original filename.ext].RYK or does not change the name or extensions of the files being encrypted. The malware attempts to inject its code into the address space of processes, except explorer.exe, csrss.exe, and lsaas.exe. The malware has been observed to affect/encrypt files located on shared drives within the same subnet. Other nefarious behavior includes registry modifications, killing processes related to antivirus, database, document editing software, and backup programs.

For more details about the Ryuk ransomware, read the FortiGuard Labs encyclopedia description: W64/Ryuk.223E!tr.ransom

FortiGuard has following signatures: W64/Ryuk.223E!tr.ransom, W32/Invader.CUZR!tr.ransom, W32/Ryuk.A!tr.ransom, W32/Filecoder.NTS!tr.ransom, W64/Filecoder.Z!tr.ransom

Application Vulnerabilities / IPS

Rank

Name

Prevalence

1

MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow 

27,609

2

D-Link.DSL-2750B.CLI.OS.Command.Injection 

19,358

3

Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution 

18,263

4

Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities 

16,902

5

PHPUnit.Eval-stdin.PHP.Remote.Code.Execution 

14,341

 

ThinkPHP.Controller.Parameter.Remote.Code.Execution -- According to their documentation, "ThinkPHP is a fast and simple lightweight development framework based on MVC and object-oriented. It is released under the Apache2 open source protocol. Since its inception, it has been adhering to simple and practical design principles, while maintaining excellent performance and simple code." And it is very much in widespread use around the globe, especially in China. It was discovered that ThinkPHP versions 5.0 and 5.1 are vulnerable to a remote code execution vulnerability, which by the time of this writing is being actively exploited by cyber criminals in the wild, making this detection jump to the second most detected IPS attack. What attackers generally do is after they get remote code execution on the server, they deploy a php backdoor on the system to make sure that they can get in afterwards and continue their nefarious work. We are seeing this campaign propagating other IoT malware as well. There have been exploits disclosed and available for download on popular threat-intelligence portals, which we believe led to this quick use of this cyber weapon. ThinkPHP has patched the issue on versions 5.0.23 and 5.1.31.

Signatures: ThinkPHP.Controller.Parameter.Remote.Code.Execution

UPnP.SSDP.M.Search.Anomaly -- This is a signature that detects attempts to scan for open UPnP/SSDP routers on the internet. Usually this service should not be enabled on the WAN interface, but it can be for any number of reasons, such as misconfiguration from the user and/or vendor. Theoretically, SSDP packets should be sent to multicast address 239.255.255.250 on port 1900. If we detect traffic that is being sent to a specific IP other than that, we identify this as being generated by a scanner. Attackers are leveraging these devices to carry on an attack using NAT injection on those devices that expose UPnP/SSDP services on their WAN interface. By using this, attackers create a loophole that after exploitinb the flaw, allows them to access internal resources and creating new NAT rules from SSDP endpoints. One other attack that can be executed is using the device as a proxy for malicious traffic - using the same flaw but exploiting it differently to create proxied connections between the attacker and the router. According to an Akamai study, there are about 70k vulnerable devices on the internet. (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf).

Signatures: UPnP.SSDP.M.Search.Anomaly

 

Malware Activity

Rank

Name

Prevalence

1

Android/Agent.FJ!tr 

4,849

2

Adware/Agent 

2,798

3

W32/Agent.HTL!tr.rkit 

1,754

4

Android/Hiddad.HI!tr 

1,655

5

MSOffice/CVE_2017_11882.A!exploit 

1,209

 

Another Christmas Present? -- FortiGuard labs is aware of a new update to the FilesLocker ransomware. Earlier this week, researchers discovered a variant of FilesLocker, a second version released, this one with a Christmas theme. When the victim is presented with the lock screen, a cozy and very detailed ornamental background with various red and gold ball ornaments, candy canes, gifts, a Christmas tree, and a snowman is presented to the victim with the notification in English and Chinese that they have been infected, showing them the flag, which appears to be region specific.

All your important files have been encrypted!If you understand the importance of the situation
Please read the "#DECRYPT MY FILES#.txt" on the desktop to contact us

According to researchers, the actors behind this latest ransomware variant were nice (pun intended) to leave a copy of the master key on Pastebin, strangely enough after the encryption routine was performed. Because of this, researchers in the security community were able to create a decryption tool that was successful in decrypting versions 1.0 and 2.0.

Signatures: MSIL/Crypren_V2_0!tr.ransom

Bamboozled by Goblin Panda -- FortiGuard Labs is aware of a new campaign by the threat actors behind Goblin Panda. This new campaign utilizes a new dropper. Previous iterations used an OLE package to drop a file in %appdata% where it then proceeds to decode two files, a legitimate file and a RAT (Plugx/Newcore/Sisfader). It appears that the threat actors have changed their routine by using one large OLE file which is mapped in memory and one PE is used to drop the files. The threat currently uses CVE-2017-11882, known as the Microsoft Office Memory Corruption Vulnerability, which has been distributed in weaponized campaigns delivered in malicious RTF files. CVE-2017-11882 allows attackers to run arbitrary code and potentially take control of a system. Also, to make matters worse and even more confusing, there appears to be an overlap between CVE-2017-11882 and CVE-2017-0802, where a fix was released in the January 2018 monthly bulletin cycle. The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, similar to CVE-2017-11882. It can be used by attackers to execute arbitrary code in the security context of the logged-on user.

Indicator(s):
skylineqaz.crabdance[.]com
tele.zyms[.]com
uzwatersource.dynamic-dns[.]net

Web Filtering Activity

A "JAR" Full -- FortiGuard Labs Web Filtering team is aware of a new, malicious email campaign targeting employees of banks and financial services companies. The malicious payload was hosted on storage.googleapis.com, which is very popular with enterprise customers. Attackers used malicious VBS scripts and JAR files to compromise various endpoints. The scripts are highly obfuscated with three levels of highly obfuscated VBScript, using Base64 encoding. Two C2 servers (fud[.]fudcrypt[.]com and pm2bitcoin[.]com) were used in all of the scripts).

Indicator(s):
fud[.]fudcrypt[.]com
hxxp://rccgovercomersabuja[.]org/jre[.]zip
hxxps://storage[.]googleapis[.]com/officexel/bank%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/new%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/payment%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip
https://storage[.]googleapis[.]com/officexel/Swift%20Invoice[.]zip
hxxps://storage[.]googleapis[.]com/officexel/Transfer%20invoice[.]zip
hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz
hxxps://storage[.]googleapis[.]com/officexel/TT%20COPY[.]zip
pm2bitcoin[.]com
rccgovercomersabuja[.]org

 

 

Source : https://fortiguard.com/resources/threat-brief/2019/01/04/fortiguard-threat-intelligence-brief-january-04-2019

 

 

Why to choose us?

Credibility

We have been on the market since 2008 and our credibility can be approved by partnership with prominent companies in the field of IT and mostly by lots of satisfied customers who use our services. We are not freshmen. Our team knows what your IT infrastructure needs and we will be happy to provide it to you. Our quality is also reflected in certification of the management systems according to the ISO 9 001 standard.

Professional attitude

Your data should not be protected by inexperienced people. Therefore, ask for a professional partner. Our rich experience is attested by trainings which our employees attend on a regular basis so that they can give you adequate advice and ensure fluent running of your infrastructure. We are owners of the 27 001 certification, which means your data are secured.

Efficiency

We do not offer you unnecessary solution just to earn money at your expense. Our purpose is not to impose a robust solution you will be using at the minimum level. However, this does not mean we do not take structure design seriously. We also consider possible plans of your company’s development. Your satisfaction and data security are our main priority.

References

Slovak Telekom, a.s.
PosAm, spol. s r.o.
UPC BROADBAND SLOVAKIA s.r.o.
EBA s.r.o.
Správa služieb diplomatickému zboru, a.s.
Saneca Pharmaceuticals a.s.

Articles more articles »

Activity Summary - Week Ending January 4, 2019

Activity Summary - Week Ending January 4, 2019

22.02.2019 | Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us

Read more »

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – front office
+421 41/202 88 81 – support
+421 41/202 88 82 – sales department
Company No.: 43892345
TAX No.: 2022541378
VAT No.: SK2022541378
Bank account (IBAN):
SK13 1100 0000 0026 2582 3735