Články

Aktuálne informácie zo sveta bezpečnosti IT riešení

Activity Summary - Week Ending January 4, 2019 viac článkov »

Activity Summary - Week Ending January 4, 2019

Our partner Fortinet publishes a report every week about exposed threats. You can review the weekly report below. If you have questions, do not hesitate to contact us


The Ryuk ransomware caused a major disruption for some high-profile print media organizations in the United States. This malware is typically used in targeted attacks carried out via phishing or through planted files on insecure remote desktops. While the code appears to have similarities with Hermes, a ransomware associated with the North Korean hacker group Lazarus, no connection has been publically credited at this time, although the attack does appear to have originated from outside the United States. While this attack is still being investigated, it is noted that it appears the intention was to disable the infrastructure, specifically servers, as opposed to stealing information. Overall, the attack did cause the cybercriminals expected disruption, but alas, newspapers did go out, rather a bit later than expected.

Ryuk ransomware either will use the file naming format - [original filename.ext].RYK or does not change the name or extensions of the files being encrypted. The malware attempts to inject its code into the address space of processes, except explorer.exe, csrss.exe, and lsaas.exe. The malware has been observed to affect/encrypt files located on shared drives within the same subnet. Other nefarious behavior includes registry modifications, killing processes related to antivirus, database, document editing software, and backup programs.

For more details about the Ryuk ransomware, read the FortiGuard Labs encyclopedia description: W64/Ryuk.223E!tr.ransom

FortiGuard has following signatures: W64/Ryuk.223E!tr.ransom, W32/Invader.CUZR!tr.ransom, W32/Ryuk.A!tr.ransom, W32/Filecoder.NTS!tr.ransom, W64/Filecoder.Z!tr.ransom

Application Vulnerabilities / IPS

Rank

Name

Prevalence

1

MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow 

27,609

2

D-Link.DSL-2750B.CLI.OS.Command.Injection 

19,358

3

Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution 

18,263

4

Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities 

16,902

5

PHPUnit.Eval-stdin.PHP.Remote.Code.Execution 

14,341

 

ThinkPHP.Controller.Parameter.Remote.Code.Execution -- According to their documentation, "ThinkPHP is a fast and simple lightweight development framework based on MVC and object-oriented. It is released under the Apache2 open source protocol. Since its inception, it has been adhering to simple and practical design principles, while maintaining excellent performance and simple code." And it is very much in widespread use around the globe, especially in China. It was discovered that ThinkPHP versions 5.0 and 5.1 are vulnerable to a remote code execution vulnerability, which by the time of this writing is being actively exploited by cyber criminals in the wild, making this detection jump to the second most detected IPS attack. What attackers generally do is after they get remote code execution on the server, they deploy a php backdoor on the system to make sure that they can get in afterwards and continue their nefarious work. We are seeing this campaign propagating other IoT malware as well. There have been exploits disclosed and available for download on popular threat-intelligence portals, which we believe led to this quick use of this cyber weapon. ThinkPHP has patched the issue on versions 5.0.23 and 5.1.31.

Signatures: ThinkPHP.Controller.Parameter.Remote.Code.Execution

UPnP.SSDP.M.Search.Anomaly -- This is a signature that detects attempts to scan for open UPnP/SSDP routers on the internet. Usually this service should not be enabled on the WAN interface, but it can be for any number of reasons, such as misconfiguration from the user and/or vendor. Theoretically, SSDP packets should be sent to multicast address 239.255.255.250 on port 1900. If we detect traffic that is being sent to a specific IP other than that, we identify this as being generated by a scanner. Attackers are leveraging these devices to carry on an attack using NAT injection on those devices that expose UPnP/SSDP services on their WAN interface. By using this, attackers create a loophole that after exploitinb the flaw, allows them to access internal resources and creating new NAT rules from SSDP endpoints. One other attack that can be executed is using the device as a proxy for malicious traffic - using the same flaw but exploiting it differently to create proxied connections between the attacker and the router. According to an Akamai study, there are about 70k vulnerable devices on the internet. (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf).

Signatures: UPnP.SSDP.M.Search.Anomaly

 

Malware Activity

Rank

Name

Prevalence

1

Android/Agent.FJ!tr 

4,849

2

Adware/Agent 

2,798

3

W32/Agent.HTL!tr.rkit 

1,754

4

Android/Hiddad.HI!tr 

1,655

5

MSOffice/CVE_2017_11882.A!exploit 

1,209

 

Another Christmas Present? -- FortiGuard labs is aware of a new update to the FilesLocker ransomware. Earlier this week, researchers discovered a variant of FilesLocker, a second version released, this one with a Christmas theme. When the victim is presented with the lock screen, a cozy and very detailed ornamental background with various red and gold ball ornaments, candy canes, gifts, a Christmas tree, and a snowman is presented to the victim with the notification in English and Chinese that they have been infected, showing them the flag, which appears to be region specific.

All your important files have been encrypted!If you understand the importance of the situation
Please read the "#DECRYPT MY FILES#.txt" on the desktop to contact us

According to researchers, the actors behind this latest ransomware variant were nice (pun intended) to leave a copy of the master key on Pastebin, strangely enough after the encryption routine was performed. Because of this, researchers in the security community were able to create a decryption tool that was successful in decrypting versions 1.0 and 2.0.

Signatures: MSIL/Crypren_V2_0!tr.ransom

Bamboozled by Goblin Panda -- FortiGuard Labs is aware of a new campaign by the threat actors behind Goblin Panda. This new campaign utilizes a new dropper. Previous iterations used an OLE package to drop a file in %appdata% where it then proceeds to decode two files, a legitimate file and a RAT (Plugx/Newcore/Sisfader). It appears that the threat actors have changed their routine by using one large OLE file which is mapped in memory and one PE is used to drop the files. The threat currently uses CVE-2017-11882, known as the Microsoft Office Memory Corruption Vulnerability, which has been distributed in weaponized campaigns delivered in malicious RTF files. CVE-2017-11882 allows attackers to run arbitrary code and potentially take control of a system. Also, to make matters worse and even more confusing, there appears to be an overlap between CVE-2017-11882 and CVE-2017-0802, where a fix was released in the January 2018 monthly bulletin cycle. The vulnerability is a stack overflow bug when parsing the long font name string in a FONT record, similar to CVE-2017-11882. It can be used by attackers to execute arbitrary code in the security context of the logged-on user.

Indicator(s):
skylineqaz.crabdance[.]com
tele.zyms[.]com
uzwatersource.dynamic-dns[.]net

Web Filtering Activity

A "JAR" Full -- FortiGuard Labs Web Filtering team is aware of a new, malicious email campaign targeting employees of banks and financial services companies. The malicious payload was hosted on storage.googleapis.com, which is very popular with enterprise customers. Attackers used malicious VBS scripts and JAR files to compromise various endpoints. The scripts are highly obfuscated with three levels of highly obfuscated VBScript, using Base64 encoding. Two C2 servers (fud[.]fudcrypt[.]com and pm2bitcoin[.]com) were used in all of the scripts).

Indicator(s):
fud[.]fudcrypt[.]com
hxxp://rccgovercomersabuja[.]org/jre[.]zip
hxxps://storage[.]googleapis[.]com/officexel/bank%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/new%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/payment%20slip[.]zip
hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip
https://storage[.]googleapis[.]com/officexel/Swift%20Invoice[.]zip
hxxps://storage[.]googleapis[.]com/officexel/Transfer%20invoice[.]zip
hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz
hxxps://storage[.]googleapis[.]com/officexel/TT%20COPY[.]zip
pm2bitcoin[.]com
rccgovercomersabuja[.]org

 

 

Source : https://fortiguard.com/resources/threat-brief/2018/12/21/fortiguard-threat-intelligence-brief-december-21-2018

 

Prečo si vybrať nás?

Dôveryhodnosť

Na trhu pôsobíme už od roku 2008 a našu dôveryhodnosť potvrdzujú partnerstvá popredných spoločností v oblasti IT a hlavne množstvo spokojných zákazníkov, ktorí využívajú naše služby. Nie sme nováčikom a vieme, čo vaša IT infraštruktúra potrebuje a radi vám to ponúkneme. O našej kvalite hovorí aj certifikácia systémov manažérstva podľa normy ISO 9 001.

Profesionalita

Bezpečnosť vašich dát nedokáže chrániť len tak niekto. Obráťte sa teda na profesionálneho partnera. Naše bohaté skúsenosti potvrdzujú školenia, ktoré naši zamestnanci absolvujú pravidelne, aby vám vedeli vždy poskytnúť adekvátne rady a zabezpečiť tak plynulý a ničím nerušený chod vašej infraštruktúry. Sme vlastníkom certifikácie 27 001, takže vaše dáta sú u nás v bezpečí.

Efektivita

Neponúkame vám riešenia, ktoré sú pre vás zbytočné, len aby sme na vás zarobili. Našim cieľom nie je nanútiť vám robustné riešenie, ktoré budete využívať na minimum, no zároveň návrh štruktúry berieme vážne aj s ohľadom na prípadné plány rozvoja vašej spoločnosti. Prioritou pre nás je vaša spokojnosť a bezpečnosť vašich dát.

Referencie

Slovak Telekom, a.s.
ASBIS SK spol. s r.o.
Trenčianska vodohospodárska spoločnosť a. s.
Úrad vlády Slovenskej republiky
Motor-Car Group
Saneca Pharmaceuticals a.s.

Kontakt


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – sekretariát
+421 41/202 88 81 – technická podpora
+421 41/202 88 82 – obchodné oddelenie
IČO: 43892345
DIČ: 2022541378
IČ DPH: SK2022541378
Okresný súd Žilina, odd.: Sro, vl. číslo 20197/L

Bankové spojenie (IBAN):
SK13 1100 0000 0026 2582 3735