News

Current information from the world of IT security solutions


Current threats according to Fortinet for 22-28 September 2018

Our partner Fortinet publishes a report on detected threats every week. The English-language report for the past week can be read below. If you have any questions, do not hesitate to contact us.


Activity Summary - Week Ending September 28, 2018


VPNFilter, a multi-stage modular framework that has infected hundreds of thousands of network devices around the world, has been found to have even greater capabilities than originally profiled. Cisco Talos announced its findings through the Cyber Threat Alliance (CTA), giving CTA members early awareness and early sharing of IOCs. Talos identified seven additional third-stage modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices. New capabilities include data filtering and multiple encrypted tunneling functions to mask command-and-control and data exfiltration traffic. It is important to note that this threat is difficult to detect, especially on unpatched devices.

MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine; these devices appear to be critical to the actor's operational goals. The sophistication of VPNFilter drives home the point that this is a framework every individual and organization should be tracking. Only an advanced and organized defense can counter threats of this kind, and at VPNFilter's scale these new discoveries from Talos cannot be overlooked.
Expanded VPNFilter capabilities:

  1. Additional capabilities that could be leveraged to map networks and exploit endpoint systems that are connected to devices compromised by VPNFilter.
  2. Multiple ways for the threat actor to obfuscate and/or encrypt malicious traffic, including communications used for C2 and data exfiltration.
  3. Multiple tools that could be utilized to identify additional victims accessible from the actor's foothold on devices compromised by VPNFilter for the purposes of both lateral movement within a network, as well as to identify new edge devices in other networks of interest to the actor.
  4. The capacity to build a distributed network of proxies that could be leveraged in future unrelated attacks to provide a means of obfuscating the true source of attack traffic by making it appear as if the attacks originated from devices previously compromised by VPNFilter.

Fortinet's antivirus signature: ELF/VPNFilter.A!tr

There is much more to understand about this threat. Read the full research on the Cisco Talos blog and the Fortinet blog, and see the Cyber Threat Alliance membership page.


Application Vulnerabilities / IPS


Rank  Name                                                         Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow  45,127
2     D-Link.DSL-2750B.CLI.OS.Command.Injection                    38,291
3     Dasan.GPON.Remote.Code.Execution                             29,188
4     Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution      27,655
5     MS.Windows.HTTP.sys.Request.Handling.Remote.Code.Execution   19,231


Joomla.Plugin.Com.Jce.Arbitrary.File.Upload – JCE is a popular plugin for Joomla that makes content creation easier, with features resembling those of feature-rich text editors such as Microsoft Word.

This signature covers exploitation of a file upload vulnerability in the Joomla com_jce plugin. An unauthenticated attacker can upload files to the server and then request them, executing arbitrary code on the server.

JCE 2.1.0 is confirmed vulnerable; other versions may also be affected. At the time of writing, public proof-of-concept exploits could be found through popular search engines.

We are seeing increased telemetry for this specific signature, with our sensors detecting a 32% increase when comparing the average of the last 7 days with the average of the last 30 days. The most affected countries are the United States (6.98%), Mexico (6.51%), and Japan (5.56%).

Signatures: Joomla.Plugin.Com.Jce.Arbitrary.File.Upload 

Apache.Tomcat.Arbitrary.JSP.file.Upload – A remote code execution vulnerability exists in Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46, and 7.0.0 to 7.0.81.

The vulnerability can be triggered when the HTTP PUT method is enabled (the Default servlet's readonly initialisation parameter set to false). With this configuration, an attacker can upload a JSP file to the vulnerable server with a crafted PUT request. Code execution is then achieved by requesting the same file from the web server, which runs the attacker-supplied code.

At the time of writing, public exploits and Metasploit modules were available on popular threat intelligence distribution websites.

We are seeing increased activity for this attack, with 3% of all sensors reporting it. The last 7 days' average is 10% higher than the last 30 days' average. The most affected countries are India (9.60%), the United States (8.67%), and China (7.27%).

Signatures: Apache.Tomcat.Arbitrary.JSP.file.Upload
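The two checks a defender wants for the Tomcat PUT-based JSP upload described above are a log search for the upload-then-execute chain and a configuration check for the setting that enables it. The following is an added example and not Fortinet's or the Tomcat project's code; the access-log lines and the two web.xml fragments are constructed for the example. The path normalisation strips the trailing slash and encoded space that public exploits for this bug append to the file name to slip past the JSP servlet mapping.

```python
"""Added example (not Fortinet's code): detect PUT uploads of JSP files in Tomcat
access logs, correlate them with the follow-up GET that executes the file, and
check whether web.xml leaves the Default servlet writable. All inputs are
constructed for the example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed Tomcat access-log lines (default "common" pattern).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2018:10:01:12 +0000] "GET /index.jsp HTTP/1.1" 200 1032
10.0.0.9 - - [27/Sep/2018:10:02:44 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 0
10.0.0.9 - - [27/Sep/2018:10:02:45 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 85
10.0.0.7 - - [27/Sep/2018:10:03:01 +0000] "PUT /docs/readme.txt HTTP/1.1" 204 0
10.0.0.9 - - [27/Sep/2018:10:03:30 +0000] "PUT /backdoor.jsp%20 HTTP/1.1" 201 0
10.0.0.9 - - [27/Sep/2018:10:04:00 +0000] "PUT /x.jspx HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(raw):
    """Decode the path, drop the query string, and strip the trailing "/" or
    space that the public PoCs add so the request misses the JSP servlet."""
    path = unquote(raw.split("?", 1)[0])
    return path.rstrip("/ ").lower()


def is_jsp_upload(method, path):
    return method == "PUT" and normalise_path(path).endswith((".jsp", ".jspx"))


def parse_log(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_jsp_uploads(log_text):
    """Every PUT whose normalised target is a JSP, with the status Tomcat returned
    (a 403 means the attempt was refused; a 201/204 means the file landed)."""
    return [(e["src"], normalise_path(e["path"]), int(e["status"]))
            for e in parse_log(log_text) if is_jsp_upload(e["method"], e["path"])]


def upload_then_execute(log_text):
    """(client, path) pairs where a successful JSP PUT was later fetched by the
    same client: the full upload-then-execute chain, not just an attempt."""
    uploaded, chain = set(), []
    for e in parse_log(log_text):
        key = (e["src"], normalise_path(e["path"]))
        if is_jsp_upload(e["method"], e["path"]) and e["status"].startswith("2"):
            uploaded.add(key)
        elif e["method"] == "GET" and key in uploaded:
            chain.append(key)
    return chain


# Constructed web.xml fragments: the weak setting beside the hardened one.
WEB_XML_WEAK = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEB_XML_HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""


def default_servlet_writable(xml_text):
    """True when the DefaultServlet's 'readonly' init-param is false, i.e. PUT and
    DELETE are accepted. Namespace-agnostic, because real web.xml files carry one."""
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    for servlet in root.iter():
        if local(servlet) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if local(c) == "servlet-class").strip()
        if not cls.endswith("DefaultServlet"):
            continue
        for param in servlet:
            if local(param) != "init-param":
                continue
            kv = {local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "false"
    return False  # readonly defaults to true when the parameter is absent


if __name__ == "__main__":
    print("JSP PUT attempts:", find_jsp_uploads(SAMPLE_LOG))
    print("upload-then-execute chains:", upload_then_execute(SAMPLE_LOG))
    print("weak web.xml writable:", default_servlet_writable(WEB_XML_WEAK))
    print("hardened web.xml writable:", default_servlet_writable(WEB_XML_HARDENED))
```

The correlation step matters more than the raw PUT count: a PUT that returned 403 is noise from a scanner, while a 201 followed by a GET of the same path from the same client is an executed web shell and should be handled as a compromise, not a blocked attack.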


Malware Activity


Rank  Name                               Prevalence
1     Android/Agent.FJ!tr                8,848
2     W32/Agent.AJFK!tr                  6,452
3     VBA/Agent.9197!tr                  5,906
4     PDF/Agent.UC!tr.dldr               5,530
5     MSOffice/CVE_2017_11882.A!exploit  5,529


Virobot Packs a 1-2 Punch! – FortiGuard Labs has observed a new ransomware/botnet hybrid in the wild, dubbed Virobot, which appears to target users in the United States specifically. During analysis, Virobot was also seen joining a spam botnet that pushes the malware out to find more victims and widen its spread. Virobot performs several cursory checks, such as the Machine GUID and product key, to decide whether it should encrypt the machine. If it finds a specific registry key, it generates an encryption key and forwards the key details to the C2 server; only then does encryption begin, after which users are shown the customary ransom note screen. The note is written in French, which is notable given that this ransomware family has so far been observed only in the United States. Because the encryption routine needs a working connection to the C2 server, and the C2 servers appeared to be down at the time of discovery, the impact is lessened. Virobot also contains a keylogger whose captured keystrokes are exfiltrated to the C2 server, and a downloader that can fetch additional malicious payloads and execute them via PowerShell.

Signatures: W32/Generic.SM!tr

Indicator(s):
viro[.]mleydier[.]fr


Yet Another Tech Support Scam – FortiGuard Labs is aware of a new tech support scam malware discovered earlier this week by researchers. Once the malware is run, the victim is presented with a lock screen that, at first glance, looks like an official notice from Microsoft, reminiscent of the classic blue screen of death (BSOD). The distribution vector is unknown at this time. Telltale giveaways of this poorly crafted scheme indicate that the author is not a native English speaker, as there are multiple capitalization, grammar, and punctuation issues. Another interesting twist is that the file is being distributed under a well-known antivirus vendor's product name, as *****SECURITY.EXE.

Below is the notice the victim sees:

Your Windows Security has been Compromised and Microsoft has detected an unsolvable threat and this threat can result a great loss to your computer and it has been violated the terms of Microsoft.

Your PC has been Blocked so you cannot access your PC right now and it is very much bad for you. We have cover you with 2 options

  1. Install a New Windows (Removes all the data and files)

  2. Purchase and Verify the new License from the Microsoft Certified Technician


The choice is yours, If you choose the number 1. Then we are going to delete all of your files from your comptuer and we are going to ban you from your PC and the 2nd one refers if you want your files back, click the below butten (what to do) and you need to purchase and verify the new license from the microsoft certified technician and you will get your files back.

Department: Windows Help and Support

Contact +1-888-398-0888 


Obviously, calling the number above is not recommended.

Signatures: MSIL/FakeSupport.CT!tr

Web Filtering Activity


PartnerStroka – The FortiGuard Labs Web Filtering team has observed a new tech support scam named Partnerstroka. Discovered by researchers earlier this week, Partnerstroka redirects users through malvertising campaigns on websites that have been injected with malicious advertising code. The technique is similar to that of other tech support scams: "scareware"-style on-screen warnings lead victims into contacting a fake customer support representative.

FortiGuard Labs has blacklisted all related IOCs.

Indicator(s):
getshopea7[.]info
meshopea4[.]info
bestshopec97[.]info
ourtabta133[.]club
xtabtec134[.]club
doebase1089[.]club
digivinta137[.]club
99shopez16[.]club
part-added-to-a-book-document[.]blogspot[.]com
best-account-in-world[.]blogspot[.]com
thjdfk[.]blogspot[.]com
webanalysesteam[.]blogspot[.]com
latestdeliverystatusesofallyours[.]blogspot[.]com
speechwordstominutes[.]blogspot[.]com
templateanditwillalwaysservethe[.]blogspot[.]com
themeswritingpadandcustomise[.]blogspot[.]com
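The indicators in this brief (the Virobot C2 host above and the Partnerstroka list) are published defanged, with "[.]" in place of ".", so they have to be refanged before they can be matched against proxy or DNS logs, and a match has to cover subdomains of a listed host without also firing on the shared parent (other blogspot.com sites). The following is an added example, not FortiGuard's own tooling: it refangs a subset of the indicators listed above and scans constructed proxy log lines for hits.

```python
"""Added example (not FortiGuard's code): refang the defanged indicators from the
brief and match them against hostnames seen in a proxy log, including subdomains
of a listed host but not its parent domain. The proxy log lines are constructed."""
import re
from urllib.parse import urlsplit

# A subset of the indicators published in the brief, in their defanged form.
DEFANGED_IOCS = """
viro[.]mleydier[.]fr
getshopea7[.]info
ourtabta133[.]club
part-added-to-a-book-document[.]blogspot[.]com
webanalysesteam[.]blogspot[.]com
"""

# Constructed proxy log: epoch, client, method, target (Squid-like, simplified).
SAMPLE_PROXY_LOG = """\
1538038800.101 10.1.1.20 GET http://cdn.getshopea7.info/ad.js
1538038801.544 10.1.1.20 GET https://webanalysesteam.blogspot.com/2018/09/support.html
1538038802.002 10.1.1.31 GET https://www.example.com/
1538038803.777 10.1.1.45 CONNECT viro.mleydier.fr:443
1538038804.120 10.1.1.31 GET https://other.blogspot.com/
"""


def refang(indicator):
    """'a[.]b' -> 'a.b' (also '(.)' and '{.}' variants), 'hxxp' -> 'http'."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\s*\.\s*\]|\(\s*\.\s*\)|\{\s*\.\s*\}", ".", s)
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://")


def load_iocs(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


def host_of(value):
    """Hostname from a URL or a bare host:port, lower-cased, trailing dot removed."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def matches(host, iocs):
    """Return the indicator that covers this host: an exact match or a listed
    parent domain ('cdn.getshopea7.info' hits 'getshopea7.info'). A listed host's
    own parent ('blogspot.com', 'mleydier.fr') is never a hit."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan(log_text, iocs):
    """(client, observed host, matched indicator) for every log line that hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, _method, target = parts[:4]
        host = host_of(target)
        matched = matches(host, iocs)
        if matched:
            hits.append((src, host, matched))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG, load_iocs(DEFANGED_IOCS)):
        print("IOC hit:", hit)
```

Matching walks the label suffixes of the observed host rather than doing a substring search, which is what keeps a listed blogspot.com subdomain from turning every other blogspot.com visit into a false positive.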


Source: https://fortiguard.com/resources/threat-brief/2018/09/28/fortiguard-threat-intelligence-brief-september-28-2018


Why choose us?

Trustworthiness

We have been on the market since 2008, and our trustworthiness is confirmed by partnerships with leading IT companies and, above all, by the many satisfied customers who use our services. We are not newcomers: we know what your IT infrastructure needs and will gladly offer it to you. Our quality is also attested by certification of our management systems under the ISO 9001 standard.

Professionalism

Not just anyone can protect the security of your data, so turn to a professional partner. Our extensive experience is backed by the training our employees complete regularly, so that they can always give you sound advice and keep your infrastructure running smoothly and without interruption. We hold ISO 27001 certification, so your data is safe with us.

Efficiency

We do not offer you solutions you do not need just to make money from you. Our aim is not to push a heavyweight solution on you that you will barely use; at the same time, we take the design of your infrastructure seriously, including any plans for your company's growth. Your satisfaction and the security of your data are our priority.

References

GGE a.s.
PosAm, spol. s r.o.
Ministerstvo školstva, vedy, výskumu a športu SR
IKAR, a.s.
Trenčianska vodohospodárska spoločnosť a. s.
Saneca Pharmaceuticals a.s.

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – secretariat
+421 41/202 88 80 – sales department
Company ID (IČO): 43892345
Tax ID (DIČ): 2022541378
VAT ID (IČ DPH): SK2022541378
District Court Žilina, section: Sro, file no. 20197/L

Bank details (IBAN):
SK13 1100 0000 0026 2582 3735