Articles

Current news from the world of IT security solutions

Current threats according to Fortinet for 8 to 14 December 2018

Thanks to our partner Fortinet, this week we again bring you the report of threats detected during the previous week. You can read the report below in English. If you have any questions, do not hesitate to contact us.


Microsoft's Patch Tuesday came with 39 updates, 9 of them rated critical and 1 under active attack. Two of this month's patches address vulnerabilities discovered by FortiGuard Labs researchers. Our researchers found both vulnerabilities in September this year and worked closely with Microsoft to ensure that the patches successfully address the weaknesses.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook. The vulnerability results from Microsoft Outlook's failure to properly handle objects in memory. To exploit it, a user must open a specially crafted RWZ file with an affected version of Microsoft Office. An attacker who successfully exploits the vulnerability can perform actions in the security context of the current user. FortiGuard Labs signature: MS.Outlook.CVE-2018-8587.Remote.Code.Execution

CVE-2018-8612 is a denial-of-service (DoS) vulnerability in the Microsoft Universal Telemetry Client (UTC). UTC is a remote procedure call (RPC) service used to collect telemetry data from Windows 10 in order to identify security and reliability issues; this helps to improve the quality of Windows and related services and to inform design decisions for future releases. The DoS is caused by insufficient validation of user input sent to APIs exposed via the UTC RPC interfaces, which eventually leads to a null pointer dereference. A local authenticated user can trigger the vulnerability to terminate the service, something that normally only administrative users can do. FortiGuard Labs signature: MS.RPC.UTC.DoS

Note that one of this month's vulnerabilities, CVE-2018-8611, is under active attack. This is a Win32k elevation-of-privilege flaw and is likely being used in targeted attacks. Exploiting it requires the attacker to already have a foothold on the target system; it is not a remote entry point, but it turns any such foothold into full control, so treat it as a priority when planning your patching.

For more details on this month's Patch Tuesday, visit: Microsoft Security Update Guide 

FortiGuard always practices responsible disclosure and will not publish details of any vulnerability we discover until the patch has been released. To find out more about our program, visit: FortiGuard Zero-Day Research.

 

Application Vulnerabilities / IPS

Rank  Name                                                           Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow    26,970
2     Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution        21,713
3     D-Link.DSL-2750B.CLI.OS.Command.Injection                      19,072
4     Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities   18,491
5     PHPUnit.Eval-stdin.PHP.Remote.Code.Execution                   18,629


SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection – A vulnerability exists in SoftNAS Cloud, a software-defined NAS filer delivered as a virtual appliance that can be set up and run on private, public, or hybrid clouds. The software itself is fairly mature, with features such as snapshots, encryption, rapid rollbacks, and high-availability capabilities. The flaw is a PHP command injection vulnerability in the web administration panel, in the script named "snserv", which does not thoroughly sanitize the parameters it receives before passing them to a shell for execution. All SoftNAS Cloud versions before 4.0.3 are vulnerable. More specifically, the "recentVersion" parameter of the "snserv" script is the one to blame. The function neither authenticates the request nor validates the session, so an unauthenticated attacker can execute payloads as root: the web server runs as the Apache user, and that user has an entry in the sudoers file that lets it execute anything as the superuser.

The researchers who discovered the flaw disclosed a single HTTP GET request, with the payload in that parameter, that yields a shell on a vulnerable server. We are seeing an enormous increase in activity for this signature worldwide: the last 24 hours of activity are 73% above the observed 30-day average and 34% above the 7-day average.

Signatures: SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection 
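As an added illustration, which is not part of the FortiGuard brief and is neither SoftNAS nor Fortinet code, the following Python shows how a defender can hunt for attempts against this flaw in ordinary web-server access logs rather than waiting for the IPS signature. It assumes an Apache-style combined log format and a script basename beginning with "snserv"; the log lines are constructed for the example. Because parse_qs already URL-decodes once, a second unquote is applied so that double-encoded payloads (%253B) do not slip past the check.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that never belong in a version string
# (constructed heuristic for this example; widen it for real traffic).
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Apache "combined" access-log format (assumed layout of the sample below).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding if the request targets an snserv* script and its
    recentVersion parameter carries shell metacharacters, else None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if not script.startswith("snserv"):          # assumed script basename
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("recentVersion", []):
        # parse_qs decoded once already; decode again so %253B -> %3B -> ;
        value = unquote(raw)
        if SHELL_META.search(value):
            return {"script": script, "param": "recentVersion", "value": value}
    return None


def scan_log(lines) -> list:
    """Run inspect_request over access-log lines and tag hits with the source IP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m["target"])
        if hit:
            hit["src"] = m["src"]
            findings.append(hit)
    return findings


# Constructed sample log: one legitimate version check, three injection
# attempts (plain, double-encoded, $(...) form) and one unrelated script.
SAMPLE_LOG = [
    '192.0.2.44 - - [14/Dec/2018:10:00:01 +0000] "GET /snserv?recentVersion=4.0.3&opcode=check HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Dec/2018:10:00:05 +0000] "GET /snserv?recentVersion=1%3Bid HTTP/1.1" 200 118',
    '198.51.100.7 - - [14/Dec/2018:10:00:09 +0000] "GET /snserv?recentVersion=1%253B%2Fbin%2Fsh HTTP/1.1" 200 118',
    '203.0.113.9 - - [14/Dec/2018:10:01:00 +0000] "GET /snserv?recentVersion=%24%28id%29 HTTP/1.1" 200 118',
    '203.0.113.9 - - [14/Dec/2018:10:01:03 +0000] "GET /index.php?recentVersion=1%3Bid HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']}: {f['script']} {f['param']}={f['value']!r}")
```

The metacharacter list is deliberately short; an IPS signature would normally also cover encodings the web server itself decodes, such as UTF-8 overlong forms, and the unrelated-script line shows why the script name is part of the match rather than the parameter name alone.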

Avahi.NULL.UDP.Packet.DoS – Avahi, for those who are unaware, is a Linux service that provides local network service discovery via the mDNS/DNS-SD protocol suite. It is similar to Apple's Bonjour: once you connect to a network, other users, printers, and shares appear on your local machine. It was discovered back in 2011 that Avahi (before 0.6.29) allowed remote attackers to cause a denial of service on the Avahi daemon (an infinite loop on the code path taken) simply by sending an empty mDNS IPv4 or IPv6 packet to the Avahi service port, UDP 5353. This was assigned CVE-2011-1002 and has been exploited in the wild ever since. We are now seeing an increase in detections for this signature: 25% more in the last 24 hours than the 7-day average, and 45% more than the 30-day average.

Signatures: Avahi.NULL.UDP.Packet.DoS
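The bug class here is a daemon that accepts a zero-length datagram as if it were a message and then loops on it. As an added example that is not Avahi's code, the Python below shows the length check a receiver must make before reading the 12-byte DNS header, so that an empty packet is rejected rather than parsed, together with a simple detector that flags sources sending header-less datagrams to UDP 5353. The packets are constructed for the example and the threshold of three is an arbitrary choice.

```python
import struct
from collections import Counter

MDNS_PORT = 5353
# id, flags, qdcount, ancount, nscount, arcount: the fixed 12-byte DNS header
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_dns_header(payload: bytes):
    """Return the DNS/mDNS header fields, or None if the datagram is shorter
    than the 12-byte header.  An empty datagram, the CVE-2011-1002 trigger,
    must take this None path instead of being treated as a parseable message."""
    if len(payload) < DNS_HEADER.size:
        return None
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def find_empty_mdns_senders(datagrams, threshold: int = 3) -> dict:
    """datagrams: iterable of (src_ip, dst_port, payload).  Return
    {src_ip: count} for sources that sent at least `threshold` datagrams
    too short to carry a DNS header to UDP 5353 (empty packets included)."""
    hits = Counter()
    for src, dport, payload in datagrams:
        if dport == MDNS_PORT and parse_dns_header(payload) is None:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


def build_ptr_query(name: str) -> bytes:
    """Build a minimal mDNS PTR query (id 0, one question) for the sample."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 12, 1)   # type PTR, class IN
    return DNS_HEADER.pack(0, 0, 1, 0, 0, 0) + question


# Constructed sample traffic: one well-formed query for _http._tcp.local,
# three empty datagrams from one host, one from another, one not to 5353.
SAMPLE_QUERY = build_ptr_query("_http._tcp.local")
SAMPLE_DATAGRAMS = [
    ("192.0.2.5", MDNS_PORT, SAMPLE_QUERY),
    ("192.0.2.10", MDNS_PORT, b""),
    ("192.0.2.10", MDNS_PORT, b""),
    ("192.0.2.20", MDNS_PORT, b""),
    ("192.0.2.10", MDNS_PORT, b""),
    ("192.0.2.20", 53, b""),            # not mDNS, ignored
]

if __name__ == "__main__":
    print(parse_dns_header(SAMPLE_QUERY))
    print(find_empty_mdns_senders(SAMPLE_DATAGRAMS))
```

The same "reject before you read" rule applies to every length field that follows the header (label lengths, RDLENGTH); the header check is only the first of them, but it is the one the 2011 bug missed.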

 

Malware Activity

Rank  Name                               Prevalence
1     Android/Agent.FJ!tr                5,967
2     W32/Agent.AJFK!tr                  4,471
3     MSOffice/CVE_2017_11882.A!exploit  3,739
4     W32/Kryptik.GLZZ!tr                3,629
5     W32/Agent.HTL!tr.rkit              2,419


More Hidden Cobra Hijinks! – FortiGuard Labs is aware of a new campaign called "Operation Sharpshooter", which targets defense organizations and critical-infrastructure groups worldwide and is attributed to Lazarus/Hidden Cobra. Operation Sharpshooter uses embedded shellcode, invoked from a malicious macro, to download a second-stage payload for further exploitation. The second-stage payload is downloaded from a remote site to %startup%mssynce.exe on the victim machine, which gives the implant persistence across logons. A second download is a document that is most likely a decoy to hide the malicious content. Once the decoy and the second-stage payload are on the victim machine, they are executed using various commands.

The backdoor sends reconnaissance data about the victim endpoint to the command-and-control server: network adapter information, computer name, username, IP address information, native system information, and OS information, delivered via HTTP POST. The backdoor can also execute commands, get drive information, launch processes from Windows binaries, get process information, terminate processes, get file timestamp information, read files, clear process memory, write files to disk, delete files, connect to a remote host by IP address, and change file attributes and folder properties.

Signatures: W32/WildPositron.A!tr, VBA/Agent.KPH!tr

Indicator(s):
hxxp://34[.]214[.]99[.]20/view_style[.]php
hxxp://137[.]74[.]41[.]56/board[.]php
hxxp://kingkoil[.]com[.]sg/board[.]php
hxxp://208[.]117[.]44[.]112/document/Strategic Planning Manager.doc
hxxp://208[.]117[.]44[.]112/document/Business Intelligence Administrator.doc
hxxp://www[.]dropbox[.]com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1
 

Sofacy's Choice – FortiGuard Labs is aware of a new campaign by the Sofacy group. Discovered by researchers earlier this week, the campaign exploits interest in the recent fatal Lion Air crash: a maliciously crafted Word document titled "crash list (Lion Air Boeing 737).docx" is sent to unsuspecting victims by spear phishing. Most of the documents lure victims into enabling macros, the attackers hoping that less sophisticated victims will be enticed to open the file on the strength of the file name alone. Other lures observed used Brexit and Israeli rocket attack themes. The first-stage payload downloaded by these weaponized documents was the Zebrocy downloader, which, interestingly, has been seen developed in several languages, including Delphi, C#, and VB.NET. Also distributed via these documents was the Cannon backdoor, which can take screenshots, gather system information, and communicate with its C2 by sending email to specific addresses over SMTP on port 587 in order to evade detection.

Signatures: MSOffice/Agent.LBE!tr

Indicator(s):
hxxp://188[.]241[.]58[.]170/local/s3/filters[.]php 
hxxp://185[.]203[.]118[.]198/en_action_device/center_correct_customer/drivers-i7-x86[.]php 
hxxp://145[.]249[.]105[.]165/resource-store/stockroom-center-service/check[.]php 
hxxp://109[.]248[.]148[.]42/agr-enum/progress-inform/cube[.]php

Web Filtering Activity


More Cyber Monday Scams – Recently, the FortiGuard Labs Web Filtering team observed a campaign distributing Emotet that targets the UK with a particularly effective email lure posing as a Cyber Monday voucher from Amazon.co.uk. The threat actors use sender addresses and subjects that persuade the user to read the email, follow the links, and download the malicious Word document at the end. The downloaded Word documents carry convincing names such as "cyber_monday_coupon" and drop the Emotet malware. The FortiGuard Labs Web Filtering team has blacklisted all of the IOCs.

Indicator(s):
hxxp://pcgestion[.]com/En/Clients_CM_Coupons 
hxxp://mexathermal[.]co[.]uk/EN/CyberMonday2018
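The indicator lists in this brief (Operation Sharpshooter, Sofacy, and the Emotet Cyber Monday lure above) are defanged with hxxp and [.], and two of them contain spaces that a proxy will log as %20. As an added example that is not part of the brief, the Python below refangs the indicators, normalises each to a (host, path) pair, and matches the pairs against constructed proxy log lines in an assumed "timestamp client method url status" layout. Matching on host plus exact decoded path, rather than on host alone, is what keeps a shared host such as www.dropbox.com from flagging every Dropbox download.

```python
import re
from urllib.parse import unquote, urlsplit


def refang(ioc: str) -> str:
    """Undo the hxxp:// and [.] defanging used in threat briefs."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def ioc_key(url: str):
    """Normalise a URL or defanged IOC to (host, decoded path).  Host-only
    indicators map to an empty path, meaning 'any path on this host'."""
    s = refang(url)
    if "://" not in s:                      # bare "host/path" indicator
        s = "http://" + s
    parts = urlsplit(s)
    path = unquote(parts.path)              # "%20" in a log equals " " in the brief
    return parts.hostname, "" if path in ("", "/") else path


def build_table(iocs) -> dict:
    """host -> set of paths to match ('' means the whole host)."""
    table = {}
    for ioc in iocs:
        host, path = ioc_key(ioc)
        table.setdefault(host, set()).add(path)
    return table


# Assumed proxy log layout: "timestamp client method url status".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_log(iocs, lines) -> list:
    """Return one finding per log line whose URL hits an indicator."""
    table = build_table(iocs)
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = ioc_key(m["url"])
        paths = table.get(host)
        if paths is not None and ("" in paths or path in paths):
            findings.append({"ts": m["ts"], "src": m["src"], "host": host, "path": path})
    return findings


# A subset of the indicators exactly as printed in the brief above (defanged).
BRIEF_IOCS = [
    "34[.]214[.]99[.]20/view_style[.]php",
    "137[.]74[.]41[.]56/board[.]php",
    "kingkoil[.]com[.]sg/board[.]php",
    "hxxp://208.117.44.112/document/Strategic Planning Manager.doc",
    "hxxp://www.dropbox.com/s/2shp23ogs113hnd/Customer Service Representative.doc?dl=1",
    "hxxp://188[.]241[.]58[.]170/local/s3/filters[.]php",
    "hxxp://pcgestion[.]com/En/Clients_CM_Coupons",
]

# Constructed proxy log: four hits (one with a %20-encoded path), an
# unrelated Dropbox download that must not match, and a benign request.
SAMPLE_LOG = [
    "2018-12-14T10:01:02Z 10.0.0.5 GET http://kingkoil.com.sg/board.php 200",
    "2018-12-14T10:02:07Z 10.0.0.7 GET http://208.117.44.112/document/Strategic%20Planning%20Manager.doc 200",
    "2018-12-14T10:03:11Z 10.0.0.9 GET https://www.dropbox.com/s/2shp23ogs113hnd/Customer%20Service%20Representative.doc?dl=1 200",
    "2018-12-14T10:03:40Z 10.0.0.9 GET https://www.dropbox.com/s/otherfile/quarterly_report.pdf 200",
    "2018-12-14T10:04:15Z 10.0.0.11 GET http://pcgestion.com/En/Clients_CM_Coupons 200",
    "2018-12-14T10:05:00Z 10.0.0.11 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for f in match_log(BRIEF_IOCS, SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['host']}{f['path']}")
```

Scheme and query string are ignored on purpose: the brief's Dropbox indicator carries ?dl=1, but the same share link fetched with a different query is the same file, and a client that reaches the host over https rather than http is no less infected.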

 

Source : https://fortiguard.com/resources/threat-brief/2018/12/14/fortiguard-threat-intelligence-brief-december-14-2018

 

Why choose us?

Trustworthiness

We have been on the market since 2008, and our credibility is confirmed by partnerships with leading IT companies and, above all, by the many satisfied customers who use our services. We are not newcomers; we know what your IT infrastructure needs and are glad to offer it. Our quality is also attested by certification of our management system under ISO 9001.

Professionalism

Not just anyone can protect the security of your data, so turn to a professional partner. Our extensive experience is backed by the training our employees complete regularly so that they can always give you sound advice and keep your infrastructure running smoothly and without interruption. We hold ISO 27001 certification, so your data is safe with us.

Efficiency

We do not offer you solutions you do not need just to make money from you. Our aim is not to force on you a robust solution that you would use to a fraction of its capacity, while at the same time we take the design of your infrastructure seriously, including your company's possible growth plans. Your satisfaction and the security of your data are our priority.

References

Trenčianska vodohospodárska spoločnosť a. s.
Správa služieb diplomatickému zboru, a.s.
UPC BROADBAND SLOVAKIA s.r.o.
Úrad vlády Slovenskej republiky
EBA s.r.o.
CNC, a.s.

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – reception
+421 41/202 88 81 – technical support
+421 41/202 88 82 – sales department
Company ID (IČO): 43892345
Tax ID (DIČ): 2022541378
VAT ID (IČ DPH): SK2022541378
Registered with the District Court Žilina, section Sro, insert no. 20197/L

Bank account (IBAN):
SK13 1100 0000 0026 2582 3735