Zip Slip

Researchers from security firm Snyk have publicized a vulnerability in multiple archive file-extraction libraries found in thousands of open-source web application projects including those from HP, Amazon, Apache, Oracle, LinkedIn, Twitter, and others. Dubbed “Zip Slip,” the flaw could allow a threat actor to perform a traversal attack, enabling access to the root directory on an application and possibly granting remote code execution. In ecosystems such as .NET, Java, JavaScript, Go, and Ruby, there is no central software library for unpacking archive files, causing developers to write their own code to enable that functionality. A threat actor could create a specially-crafted archive file containing extra directory paths that will traverse up to the root directory as the file is extracted, giving the actor access to the file system outside the folder in which it should reside. Since developers share the code snippets on developer community sites, such as StackOverflow, Zip Slip has been able to spread to many software projects. The vulnerability can affect the following file types: .zip, .tar, .jar, .war, .cpio, .apk, .rar, and .7z. The NJCCIC recommends all users and administrators of the libraries listed above review the Snyk report on Zip Slip and update to the newest, patched version as soon as possible.
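The defensive check that Zip Slip-vulnerable extraction code lacks is a canonical-path comparison: each entry name is joined to the destination directory, normalized, and extracted only if the result still lies under that directory. The following is an added example written for this digest, not code from Snyk or from any of the affected libraries; the archive it extracts is constructed in memory with one benign entry and one “../” entry, and the destination directory is a temporary one.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Construct an in-memory archive with one benign entry and one traversal entry.

    This is constructed sample data, not an archive from any real campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # Entry name that climbs out of the extraction directory when joined naively.
        zf.writestr("../../evil.txt", "written outside the destination\n")
    return buf.getvalue()


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry's canonical path stays inside dest_dir.

    Absolute names are rejected outright; relative names are joined to the
    destination and normalized, so '../' segments cannot escape.
    """
    if os.path.isabs(entry_name):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    # The os.sep suffix stops '/out' from accepting '/outside/...'.
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract only entries that pass is_safe_entry; report what was rejected."""
    report = {"extracted": [], "rejected": []}
    dest = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(dest, name):
                report["rejected"].append(name)
                continue
            target = os.path.realpath(os.path.join(dest, name))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(name)
    return report


def run_demo() -> dict:
    """Extract the sample archive into a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)


if __name__ == "__main__":
    print(run_demo())
```

The check is done on the canonical path rather than by searching the entry name for “..”, because a name such as `docs/../readme.txt` is legitimate while an absolute name or a normalized path that lands beside the destination is not. Symbolic links stored inside an archive are a separate case that this example does not cover.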

APT28 Changes TTPs, Casts Wide Net with Parallel Attacks

APT28, also known as Fancy Bear or Sofacy, changed their tactics, techniques, and procedures (TTPs) in recent campaigns. According to researchers at Palo Alto Networks, the advanced persistent threat (APT) group attributed to the Russian government engaged in tactics typically conducted by profit-motivated threat actors, targeting a large number of individuals and attempting to deliver several malware variants at once, a technique known as “parallel attacks.” Spear-phishing emails delivered in these campaigns were sent with an attached executable file, a Microsoft Office document containing malicious macros, or an Office document leveraging a Dynamic Data Exchange (DDE) exploit. These files attempted to deliver the Koadic remote access trojan or one of three versions of the Zebrocy backdoor. Users involved with foreign affairs at various government organizations all over the world were targeted in these campaigns. The NJCCIC recommends entities that may be considered high-value targets for APT28 operations review the Palo Alto Networks report for more information on recent campaigns, including TTPs and associated indicators of compromise (IOCs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep antivirus, hardware, and software updated to the latest vendor-supported patch levels to mitigate against the exploitation of known vulnerabilities.

Prowli Botnet

The GuardiCore security team discovered a new botnet that has infected over 40,000 web servers, modems, and Internet of Things (IoT) devices, compromising over 9,000 companies worldwide. Dubbed “Prowli,” the botnet uses known vulnerabilities and brute-force attacks to infect devices and use them for cryptocurrency mining and to redirect users to malicious sites. The targeted servers and IoT devices used for cryptocurrency-mining operations are infected with a Monero miner and the r2r2 worm. The worm uses the infected devices to perform SSH brute-force attacks on new devices in order to expand the botnet. If Prowli compromises content management system (CMS) platforms that run websites such as Drupal, they are infected with a backdoor that allows the threat actor to inject malicious code into the website. This code directs users to a traffic distribution system (TDS) that then redirects victims to other malicious sites. Vulnerable devices include CMS servers, backup servers, DSL modems, and IoT devices. The NJCCIC recommends users and administrators of vulnerable platforms review the GuardiCore report for additional information and indicators of compromise (IOCs). Additionally, users are encouraged to establish strong passwords, enable multi-factor authentication, and keep all software up-to-date.
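Because the r2r2 worm spreads by SSH password guessing, the earliest sign of it on a network is usually a burst of failed logins from one source address against several usernames. The detection logic below is an added example written for this digest, not code from GuardiCore; it runs over a constructed set of sshd lines in syslog format (documentation-range addresses, an assumed year of 2018 for the timestamps) and flags any source that accumulates a threshold of failures inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd log lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun  6 10:01:02 edge sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun  6 10:01:03 edge sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun  6 10:01:05 edge sshd[2205]: Failed password for invalid user pi from 203.0.113.5 port 51246 ssh2
Jun  6 10:01:06 edge sshd[2207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun  6 10:01:08 edge sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51255 ssh2
Jun  6 10:01:09 edge sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jun  6 10:03:20 edge sshd[2213]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Jun  6 10:20:00 edge sshd[2215]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Matches the OpenSSH "Failed password" message, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text: str, year: int = 2018):
    """Yield (timestamp, source_ip, username) for each failed-password line.

    Syslog timestamps carry no year, so one is assumed (2018 here).
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def brute_force_sources(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {ip: (failures_in_window, sorted_usernames)} for sources that exceed the threshold.

    A sliding window over each source's sorted failure times flags the source
    the first time `threshold` failures fall within `window`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[ip] = (count, users)
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures, usernames tried: {', '.join(users)}")
```

The single failed login from 198.51.100.7 (a user mistyping a password) stays below the threshold, while 203.0.113.5 is flagged on its fifth failure within seconds, with the list of usernames it cycled through; that username spread is what separates guessing from a forgotten password.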

Windows JScript Component Vulnerable to Remote Code Execution

A vulnerability in the Windows operating system JScript component could allow a threat actor to perform remote code execution on a targeted computer. Given a rating of 6.8 out of 10 on the CVSSv2 severity scale, the vulnerability can be exploited by a victim visiting a malicious webpage or downloading a malicious JavaScript file. This will only grant the threat actor the ability to perform remote code execution within a sandboxed environment; however, if additional vulnerabilities are exploited, they could gain access to the entire system. Microsoft has been notified of the vulnerability and is working on a fix. The NJCCIC recommends Windows users and administrators review the Zero Day Initiative Advisory for more details on the vulnerability and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails.

XENOTIME Cyber Threat Group Behind TRISIS Expands Targeting

XENOTIME, the cyber threat group behind the TRISIS malware, is shifting and expanding their targeting, according to cybersecurity firm Dragos. TRISIS, also known as TRITON, is a family of malware specifically designed to target industrial control system (ICS) components, particularly Schneider Electric’s Triconex Safety Instrument System (SIS) controllers. When cybersecurity researchers first reported on the malware back in December 2017, it had successfully infected a network in the Middle East; however, the malware failed to execute properly. While their initial targets were based in the Middle East, the group operates globally, and intelligence suggests the group is targeting safety systems beyond Schneider Electric’s Triconex and in multiple facilities. Dragos is moderately confident that XENOTIME is seeking access to systems and capabilities to carry out a future disruptive or destructive attack. The NJCCIC recommends critical infrastructure owners and operators review the recent blog post and original TRISIS report from Dragos and the TRITON report from FireEye, scan networks using the IOCs provided, and apply the recommendations to reduce the cyber risk posed by this threat. The NJCCIC threat profile on TRISIS/TRITON can be found here.

DHS and FBI Issue Alert on North Korean APT

The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint Technical Alert (TA) detailing the IP addresses and additional indicators of compromise (IOCs) associated with two malware variants used in cyber operations conducted by the North Korean advanced persistent threat (APT) group Hidden Cobra, also known as Lazarus Group. The alert provides .csv and .stix files containing the IOCs for a remote access trojan (RAT) known as Joanap and a Server Message Block (SMB) worm known as Brambul that can be downloaded and used by network defenders to reduce their exposure to related malicious cyber activity. The FBI has high confidence that Hidden Cobra is using the IP addresses provided in the TA to maintain persistence on victims’ systems and enable network exploitation. The National Cybersecurity and Communications Integration Center (NCCIC) conducted technical analysis on the two malware variants and published a Malware Analysis Report (MAR) that examines the tactics, techniques, and procedures observed. The NJCCIC recommends users and administrators review the TA and associated MAR, scan their networks for the IOCs provided in the reports, and implement the recommended mitigation strategies. If associated Hidden Cobra activity is detected, isolate the affected system(s) from the network immediately, and report the incident to the NJCCIC and the NCCIC or FBI CyWatch.

UPDATE: The FBI Issues PSA on VPNFilter Threat to Routers

The FBI issued a Public Service Announcement on Friday, May 25, updating their guidance for owners of small office/home office (SOHO) routers to combat the threat of the VPNFilter malware. The FBI is now recommending all owners of SOHO routers, regardless of the manufacturer, reboot their devices to temporarily disrupt the malware’s second and third stages. The first stage of the malware, providing it persistence, will still be present after a reboot. To ensure the malware is completely removed from the router, users are advised to reboot and then reset their routers to factory default settings. This is typically done by holding down a small button on the back of the router. Resetting will require the user to reestablish their configuration settings. Conducting a reboot followed by a reset will allow the device to reconnect to the C2 server associated with VPNFilter (now controlled by the FBI) via its persistence capability, providing the FBI with an accurate count of infected devices and a list of vulnerable devices. A subsequent reset will then wipe the malware from the device. The size and scope of VPNFilter is significant and the investigation is still ongoing. The FBI is also advising all Wi-Fi router owners and administrators to establish strong passwords and enable encryption for remote management settings or consider disabling remote access altogether. For additional information and recommendations, please review the US-CERT Alert and the original NJCCIC threat alert.

DrayTek Routers

Threat actors are exploiting a zero-day vulnerability in DrayTek routers and changing the DNS settings to communicate with a server at 38[.]134[.]121[.]95. The motivation for changing users’ DNS settings is unknown; however, threat actors may be changing the settings in order to conduct Man-in-the-Middle (MitM) attacks and redirect users to fraudulent websites intended to appear as a legitimate site. There are approximately 6,720 DrayTek devices in the United States that may be vulnerable. The NJCCIC recommends users and administrators of DrayTek routers review the DrayTek Advisories (1, 2) for more information and a list of affected devices, check their current DNS settings following the instructions provided, and apply the firmware update as soon as it is made available.

Brain Food Botnet

Proofpoint researchers discovered a new botnet spreading via phishing emails, dubbed “Brain Food,” that has infected over 5,000 websites in the last four months, with over 2,400 of those sites showing activity in the last week. These emails typically contain a shortened URL and may be sent from a spoofed email address impersonating someone known to the victim. The link redirects the user to a website containing an article about a miracle weight loss pill, using stolen branding to make the website appear as a legitimate source. In the background of the website, a malicious PHP script runs and sends system information to the C2 server and contains a backdoor that could allow a threat actor to perform remote code execution on an infected system. The NJCCIC recommends reviewing the Proofpoint report and educating end users about this and similar threats and reminding them never to click on links delivered in unexpected or unsolicited emails. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution.

Turla APT Group Now Leverages Metasploit in Operations

The Russia-linked advanced persistent threat (APT) group “Turla” is now leveraging off-the-shelf tools in their cyber-espionage operations. The group, which has been active since 2007, is known for targeting private businesses and government organizations, historically targeting the US Department of State and the US Central Command. Recent Turla operations leverage Metasploit, the popular open source exploitation framework, to spread the Mosquito backdoor trojan. Beginning in March, the campaign utilizes a fake Adobe Flash Player installer, a tactic used in previous campaigns, to execute a Metasploit shellcode and download a legitimate Flash installer. The Metasploit shellcode downloads Meterpreter, a payload that provides the threat actor control of the compromised system, which then downloads the Mosquito backdoor. The NJCCIC recommends reviewing the ESET report for additional details on recent Turla activity and scanning networks for the associated IOCs provided in the report. If Turla activity is suspected, isolate the affected system(s) from the network immediately and perform a full system scan.

The FBI Takes Down Massive VPNFilter Botnet Comprised of Infected Networking Equipment

After obtaining a court order based on an affidavit, the FBI has taken control of the command and control (C2) servers associated with VPNFilter, a botnet comprised of over 500,000 devices. The FBI believes APT28, also known as Fancy Bear and Sofacy, may be behind the botnet and planned to use it in a cyber-attack against the Ukraine. The malware used to create the botnet, also called VPNFilter, can steal website credentials, monitor Modbus protocols used by supervisory control and data acquisition (SCADA) systems, and even render devices unusable and cut off internet access for users of the devices, either individually or en masse. Devices affected by VPNFilter include Linksys, MikroTik, NETGEAR, TP-LINK networking equipment for small office and home office (SOHO) spaces and QNAP network-attached storage (NAS) devices. These devices are notoriously hard to defend as they are meant to sit at the perimeter of a network, are often without security services to defend against threats, and may contain difficult-to-patch public vulnerabilities. The NJCCIC highly recommends reviewing the FBI Private Industry Notification and the Cisco Talos blog post for more information on VPNFilter, keeping potentially vulnerable devices updated with the latest patches, and implementing the recommended protections and mitigations, including utilizing the indicators of compromise (IOCs) and Snort signatures provided. The FBI is asking users and administrators of infected routers and NAS devices to reset their devices in order to have their device reconnect to the C2 server. This will provide the FBI with an accurate number of affected devices and an updated list of vulnerable devices. The information gathered will be used to notify companies, internet service providers, and public and private sector partners.

Security Flaw Impacts Electron-Based Apps

Researchers at Trustwave discovered a vulnerability that exists in the Electron software framework used in desktop applications for Microsoft Skype and Visual Studio Code, Slack, Brave browser, Signal, Twitch, and many more. Successful exploitation of CVE-2018-1000136 could allow a threat actor to perform remote code execution on vulnerable versions of Electron. The vulnerability takes advantage of the nodeIntegration option found within the WebPreferences configuration file of Electron-based apps. By exploiting a cross-site scripting (XSS) vulnerability, a threat actor could create a new WebView window in the Electron-based app and, by setting the nodeIntegration flag equal to “true,” gain access to operating system features. The flaw was reported to the Electron team and patches were released for vulnerable versions of the framework, versions prior to 1.7.13, 1.8.4, or 2.0.0-beta.3. The NJCCIC recommends all users of Electron-based apps review the Trustwave blog for more information and apply the necessary updates for vulnerable applications as soon as possible.

Vulnerabilities in OpenPGP and S/MIME Could Reveal Email Content

Security researchers have discovered critical vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. Successful exploitation of the vulnerabilities, dubbed “EFAIL,” could allow threat actors to decrypt sent or received email messages, revealing the plaintext, readable content. The vulnerabilities may be exploited via a CBC/CFB gadget attack or an HTML exfiltration attack. The NJCCIC recommends those using OpenPGP and S/MIME for email encryption review the EFAIL report and the CERT/CC Vulnerability Note, disable the viewing of HTML email to eliminate the primary way of exploiting the flaws, and apply patches if and when they become available.

Cryptocurrency-Mining Malware Infects 500,000 Machines

Qihoo 360 Total Security researchers discovered a new cryptocurrency-mining malware that crashes the system if a user attempts to remove its mining process. Dubbed WinstarNssmMiner, the malware has been leveraged in over half a million attacks in the past three days alone. Once executed, the malware creates two processes on the infected device, a mining function using the XMRig Monero miner and another process used for detecting antivirus products. If the malware detects a reputable antivirus solution, it will stop the infection attempt. The NJCCIC recommends all users review the Qihoo 360 Total Security blog for more information. Additionally, install a reputable antivirus/antimalware solution on all systems to protect against this and similar threats.

DDoS Attacks Bypassing Mitigation Solutions via the UPnP Protocol

Threat actors are circumventing DDoS (distributed denial-of-service) mitigation solutions by taking advantage of the Universal Plug and Play (UPnP) protocol to mask the source port of packets sent during a DDoS flood attack, according to DDoS mitigation firm Imperva. These attacks hide their source IPs using UPnP and then leverage DNS and NTP protocols during the DDoS flood. The NJCCIC recommends reviewing the Imperva report and disabling UPnP support for networks not using the feature.

Vega Stealer Malware Targets User Credentials and Credit Card Numbers

A new malware campaign is targeting Google Chrome and Mozilla Firefox browsers to steal credentials and other sensitive data, according to researchers at Proofpoint. Dubbed “Vega Stealer,” the malware is being spread via phishing emails targeting marketing, advertising, public relations, retail, and manufacturing companies. Attached to the email is a Word document containing malicious macros that, when enabled, download the Vega Stealer malware. Once the system is infected, the malware steals passwords, saved credit card data, autofill profile information, cookies from Chrome, and specific passwords and keys from Firefox. Additionally, Vega Stealer can take a screenshot of the victim’s system and search for files on the system that end in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf and, if found, send these files to the threat actor’s Command and Control (C2) server. Proofpoint believes that this campaign could be connected to the same threat actors behind the Ursnif banking Trojan. The NJCCIC recommends Chrome and Firefox users and administrators review the Proofpoint report and educate end users about this and similar threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.

Kitty Malware Infecting Vulnerable Drupal Sites

A new malware targeting vulnerable Drupal sites is installing a cryptocurrency-miner and a PHP backdoor onto compromised servers. Dubbed “Kitty” by security researchers from Imperva, the malware exploits the Drupalgeddon2 vulnerability in Drupal sites that allows a remote attacker to execute malicious code. Once an attacker gains access to the server, the popular XMRig Monero miner is installed and begins using the compromised server’s resources to mine the cryptocurrency. Along with the cryptocurrency-miner, a backdoor is installed, and the threat actor creates a time-based job scheduler that re-downloads the malicious script every minute. This process allows the malware to re-infect a server even if updates are attempted. The NJCCIC recommends all Drupal site owners and administrators review the Imperva security blog for more information, ensure all Drupal sites are up-to-date with the most recent patches, run a full system scan, and follow the recovery instructions, if necessary. Additionally, monitor network activity for anomalies indicative of cryptocurrency-mining activity. End users are encouraged to use web browsers that proactively block cryptocurrency-mining scripts or install a reputable ad-blocking, script-blocking, and coin-blocking extension in their current browser.

Office 365 Zero-Day

A zero-day vulnerability has been discovered in Office 365 that could allow a threat actor to successfully send a malicious email to a victim without being detected by email security systems. Dubbed baseStriker, the vulnerability can be exploited by disguising a malicious link within code using the <base> HTML tag. Due to an email filter handling issue, Office 365 security systems fail to render these URLs correctly before scanning, preventing the system from detecting a malicious link and allowing these emails to be delivered to end users. Threat actors have been exploiting this vulnerability through phishing attacks, but researchers believe the flaw could be used to distribute ransomware, malware, or other malicious content. BaseStriker affects all Office 365 configurations and there are currently no patches to address the vulnerability. The NJCCIC recommends all users and administrators of Office 365 review the Avanan report on baseStriker, enable multi-factor authentication, and apply necessary patches if and when they become available. The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links delivered in unexpected or unsolicited emails, especially to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action.
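The filter gap described above comes down to URL resolution: a mail client resolves every relative href against the document’s <base href>, so a scanner that inspects raw href values sees only a path fragment with no host. The following is an added example written for this digest, not code from Avanan or Microsoft; it resolves links the way a client would and compares both the raw and the effective URLs against a host blocklist. The message body and the blocked host are constructed for the demonstration (a reserved .example name, not a real indicator).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Record the first <base href> and every <a href> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.base_href = None
        self.raw_hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Browsers and mail clients honour only the first <base> that carries an href.
        if tag == "base" and self.base_href is None and attrs.get("href"):
            self.base_href = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.raw_hrefs.append(attrs["href"])


def effective_links(html: str) -> dict:
    """Return raw hrefs alongside the URLs a client would actually open.

    Resolution happens after parsing so a <base> that appears anywhere in the
    document applies to every link, matching how a renderer treats it.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    base = parser.base_href
    resolved = [urljoin(base, h) if base else h for h in parser.raw_hrefs]
    return {"base": base, "raw": parser.raw_hrefs, "effective": resolved}


def blocklist_hits(html: str, blocked_hosts) -> dict:
    """Compare a host blocklist against raw hrefs and against effective URLs.

    A filter that inspects only the raw href sees a relative path with no host,
    so it never matches; resolving against <base> first restores the host.
    """
    links = effective_links(html)
    raw_hits = [h for h in links["raw"] if urlsplit(h).hostname in blocked_hosts]
    eff_hits = [u for u in links["effective"] if urlsplit(u).hostname in blocked_hosts]
    return {"raw_hits": raw_hits, "effective_hits": eff_hits}


# Constructed sample message body; the host is a reserved .example name, not a real IOC.
SAMPLE_EMAIL_HTML = """<html>
<head><base href="http://phishing-host.example/"></head>
<body>
<p>Your mailbox is almost full.</p>
<a href="login/verify.html">Click here to verify your account</a>
</body></html>"""

BLOCKED_HOSTS = {"phishing-host.example"}

if __name__ == "__main__":
    print(effective_links(SAMPLE_EMAIL_HTML))
    print(blocklist_hits(SAMPLE_EMAIL_HTML, BLOCKED_HOSTS))
```

Run against the sample, the raw-href check returns nothing while the effective-URL check returns the resolved phishing link; a mail filter that wants to catch this pattern has to perform the same resolution step (or treat any <base> element in inbound mail as suspicious) before matching links against its reputation data.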

KRACK Wi-Fi Vulnerability Affects BD Medical Devices

Becton, Dickinson and Company (BD) released a security bulletin detailing how their medical devices can be affected by the Key Reinstallation Attack (KRACK) flaw, a vulnerability in the Wi-Fi Protected Access II (WPA2) protocol used to secure modern Wi-Fi networks. A threat actor within range of the affected Wi-Fi network could conduct Man-in-the-Middle (MitM) attacks, exfiltrate data, and change patient records. BD has released patches for some of its vulnerable devices and will release additional patches for the remaining devices. The NJCCIC recommends all users and administrators of BD manufactured devices review the BD Product Security Bulletin for a list of affected products and the NJCCIC Vulnerability Advisory for details on the KRACK vulnerability, and apply the necessary updates as soon as they are made available.

Critical Security Flaw in Schneider Electric ICS Software

Researchers at security firm Tenable discovered a stack-based buffer overflow vulnerability in a popular industrial control system software that could potentially be exploited to shut down power plants and other critical infrastructure facilities. Receiving a severity score of 9.8 out of 10, the vulnerability affects Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition 2017 products, both designed to automate components of a power plant or manufacturing unit. Successful exploitation of this vulnerability could allow a remote, unauthenticated threat actor to execute code with elevated privileges and take control of the affected system. Schneider Electric has released an update to patch the critical vulnerability. The NJCCIC recommends all users and administrators of InduSoft Web Studio and InTouch Machine Edition 2017 versions 8.1 and prior review the Schneider Electric Security Bulletin for more information and apply the necessary update as soon as possible. For more information on cyber risk to critical infrastructure, please read the NJCCIC Threat Analysis Addressing Vulnerabilities in Critical Infrastructure.