Stresspaint Malware

Researchers at Radware discovered a trojan inside the free Windows application “Relieve Stress Paint.” Dubbed “Stresspaint,” the malware is distributed via Facebook and email spam messages directing users to аоӏ[.]net, a domain that impersonates the legitimate aol[.]net by spelling it with Cyrillic letters that look like Latin ones; in its Punycode (ASCII) form, which is what the resolver actually sees, the domain is xn--80a2a18a[.]net. If a user downloads the application from this site, they receive a working drawing tool; however, the app also runs malicious files in the background and sets a Windows registry key that launches a .exe file every time the device boots, giving the malware persistence. The malware collects details on the user’s Facebook account, Chrome login data and session cookies, and the victim’s Globally Unique Identifier (GUID), and sends this information to the threat actor’s command-and-control (C2) server. The NJCCIC recommends users review the BleepingComputer article, verify the URL of websites they visit to ensure their legitimacy, avoid downloading applications and other software from third-party sites, and run an up-to-date antivirus solution on all devices.
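The homograph in this advisory is worth checking programmatically rather than by eye. The script below is an added example for this digest, not code from Radware or BleepingComputer: it converts each hostname label to the ASCII form a resolver sees (Python’s RFC 3492 punycode codec plus the xn-- prefix) and flags labels that either mix scripts or are spelled entirely with look-alike letters of a Latin word. The look-alike table is a hand-built partial subset of the Unicode confusables data, constructed for this example.

```python
import unicodedata

# Partial look-alike table (Cyrillic letter -> Latin letter it resembles).
# Constructed for this example; the authoritative list is the Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")

def to_ascii(label: str) -> str:
    """A-label form of one hostname label: ASCII stays as is, anything else is
    Punycode-encoded (RFC 3492) and prefixed with 'xn--', as a resolver sees it."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts_of(label: str) -> set:
    """Scripts of the letters in a label, taken from Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and hyphens carry none."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        found.update(s for s in SCRIPTS if name.startswith(s + " "))
    return found

def analyze_host(host: str) -> dict:
    """Report the ASCII form of a hostname, the Latin name it would be mistaken
    for (if any), and whether it should be treated as a homograph."""
    cleaned = host.lower().rstrip(".")
    ascii_labels, skeleton, reasons = [], [], []
    for label in cleaned.split("."):
        ascii_labels.append(to_ascii(label))
        look = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        skeleton.append(look)
        scripts = scripts_of(label)
        if len(scripts) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif look != label and look.isascii():
            reasons.append(f"{label!r} is spelled with look-alikes of {look!r}")
    looks_like = ".".join(skeleton)
    return {"host": host,
            "ascii": ".".join(ascii_labels),
            "looks_like": looks_like if looks_like != cleaned else None,
            "suspicious": bool(reasons),
            "reasons": reasons}

if __name__ == "__main__":
    # Constructed inputs: the look-alike from the advisory (U+0430 U+043E U+04CF),
    # the genuine domain, and a mixed-script label.
    for h in ("\u0430\u043e\u04cf.net", "aol.net", "p\u0430ypal.com"):
        r = analyze_host(h)
        print(f"{r['ascii']:24} looks_like={r['looks_like']} suspicious={r['suspicious']}")
```

Run against a proxy log or a list of domains seen in mail, the "ascii" field is the string to block or search for, since browsers and resolvers work on the xn-- form. A wholly Cyrillic name that is not made of look-alikes (a legitimate Russian-language domain, for instance) is not flagged, which is the intended behaviour of the heuristic.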

Moxa EDR-810 Industrial Secure Routers

Carlos Pacho of Cisco Talos discovered several vulnerabilities in the Moxa EDR-810 industrial secure router, a device used for remote management of critical infrastructure systems. The flaws – which include weak cryptography, passwords stored in plaintext, denial-of-service conditions, and an exploitable command injection – could be leveraged by threat actors to escalate privileges, intercept administrative account credentials, take the device offline, or gain complete control over it. Moxa EDR-810 V4.1 build 17030317 is confirmed to be affected; earlier versions may be affected as well. The NJCCIC recommends users and administrators of Moxa EDR-810 industrial secure routers update to firmware version V4.2 Build 18041013 as soon as possible.

Foscam IP Camera Vulnerability

Cisco Talos disclosed a vulnerability in the Foscam C1 Indoor HD Camera, a network-connected camera commonly used for home security monitoring. Successful exploitation of the vulnerability, CVE-2017-2871, could allow a threat actor to gain complete control of the device through the unauthenticated Trivial File Transfer Protocol (TFTP) service the camera uses for firmware updates: because the transfer requires no authentication, an attacker can install custom firmware on the device. US-CERT recently published an advisory on state-sponsored cyber actors targeting similar networking infrastructure devices and using TFTP to discover information about them. The NJCCIC recommends users and administrators of Foscam products review the Cisco Talos report for more information and visit the Foscam support page to update the firmware of affected Foscam cameras as soon as possible. Users are encouraged to keep firmware for all IoT devices updated with the latest patches.
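TFTP has no authentication to log, so the only place to catch an unauthorised firmware transfer is on the wire. The code below is an added example for this advisory, not Talos or Foscam code: it builds and parses TFTP packets (RFC 1350) and then reports every read or write request in which a camera-subnet address talks to anything other than an approved firmware staging host. The camera subnet (192.168.50.0/24), the staging host (192.168.50.2) and the flow tuples are constructed for the example; in practice the tuples come from a capture or NetFlow export.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """TFTP read (1) or write (2) request per RFC 1350: 2-byte opcode,
    NUL-terminated filename, NUL-terminated transfer mode."""
    if opcode not in (1, 2):
        raise ValueError("only RRQ (1) and WRQ (2) are requests")
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def parse_packet(payload: bytes) -> dict:
    """Decode a TFTP packet header: filename/mode for requests, block number
    for DATA/ACK, error code and message for ERROR."""
    if len(payload) < 4:
        raise ValueError("short TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    info = {"opcode": OPCODES.get(opcode, f"UNKNOWN({opcode})")}
    if opcode in (1, 2):
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3:  # filename, mode, and the empty piece after the last NUL
            raise ValueError("malformed request")
        info["filename"] = parts[0].decode("latin-1")
        info["mode"] = parts[1].decode("latin-1").lower()
    elif opcode in (3, 4):
        (info["block"],) = struct.unpack("!H", payload[2:4])
    elif opcode == 5:
        (info["error_code"],) = struct.unpack("!H", payload[2:4])
        info["message"] = payload[4:].split(b"\x00")[0].decode("latin-1")
    return info

def flag_tftp_activity(flows, device_prefix="192.168.50.", approved_hosts=("192.168.50.2",)):
    """flows: (src, dst, dst_port, payload) tuples from a capture. Report every
    TFTP request in which a camera-subnet address talks to anything other than
    the approved staging host. Direction does not matter: a WRQ toward a camera
    and an RRQ from a camera to a stranger are both firmware-replacement
    patterns when no maintenance is scheduled."""
    hits = []
    for src, dst, dport, payload in flows:
        if dport != 69:
            continue
        try:
            pkt = parse_packet(payload)
        except ValueError:
            continue
        if pkt["opcode"] not in ("RRQ", "WRQ"):
            continue
        involves_device = src.startswith(device_prefix) or dst.startswith(device_prefix)
        approved = src in approved_hosts or dst in approved_hosts
        if involves_device and not approved:
            hits.append({"src": src, "dst": dst, "request": pkt["opcode"],
                         "filename": pkt["filename"]})
    return hits

# Constructed sample flows (no real traffic): a push to a camera, a pull by a
# camera from an unknown host, a pull from the approved host, and non-TFTP noise.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.50.20", 69, build_request(2, "firmware.bin")),
    ("192.168.50.20", "10.0.0.77", 69, build_request(1, "app.bin")),
    ("192.168.50.20", "192.168.50.2", 69, build_request(1, "fw-1.2.bin")),
    ("10.0.0.5", "192.168.50.20", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in flag_tftp_activity(SAMPLE_FLOWS):
        print(hit)
```

Only the initial request goes to UDP/69; the data transfer continues on an ephemeral port chosen by the server, so a capture filter of "udp port 69" sees the request but not the payload. The request alone is enough to alert on, and a follow-up capture of the whole flow tells you what was transferred.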

Drupalgeddon2

CVE-2018-7600, the Drupal vulnerability disclosed in March by the Drupal security team and dubbed “Drupalgeddon2,” is being exploited by threat actors to infect servers with backdoor scripts and cryptocurrency-mining software. In early April, a Russian security researcher published proof-of-concept (PoC) code for the vulnerability, and scans for vulnerable sites began within hours of publication. Information security researchers have also reported that botnets controlled by criminal groups are exploiting the vulnerability. There are at least 3,300 Drupal-powered sites hosted in New Jersey. Site administrators are advised to ensure they are running a patched version, 7.58 or 8.5.1. The NJCCIC recommends all Drupal site owners and administrators review the Drupal Core highly critical public service announcement and follow the recovery instructions if necessary, review the previous NJCCIC advisory on Drupalgeddon2, and update their sites to the most recent patched version immediately.

FormBook Malware

Researchers at Menlo Security recently uncovered a new campaign targeting the financial and information services sectors in the US and the Middle East. The campaign delivers FormBook via emails carrying Microsoft Word attachments and does not require the recipient to enable macros. The attachment itself contains no active malicious code or shellcode; the malicious component is hosted on a remote server and retrieved when the document is opened, which helps the lure pass mail-gateway inspection. The campaign exploits CVE-2017-8570, a remote code execution vulnerability in Microsoft Office that fires without macros, and also abuses design weaknesses in the .docx and RTF document formats. Microsoft patched this vulnerability in July 2017. The NJCCIC recommends users and administrators ensure all Microsoft Office products are up-to-date with the latest patches.
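A mail gateway that only looks for macros will pass the attachment described above. The scanner below is an added example for this advisory, not Menlo Security’s tooling: it opens a .docx as the zip package it is and reports relationships that point outside the package (TargetMode="External"), and it scans RTF for the embedded-object control words, treating \objupdate next to \objdata as the signal that an object is meant to activate on open. The sample document, the placeholder URL and the RTF snippet are constructed for the example and are not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def scan_docx(data: bytes) -> list:
    """Inspect every *.rels part in an OOXML package and report relationships
    that point outside the package (TargetMode="External"). An externally linked
    OLE object is how a benign-looking .docx reaches out to a server for the
    component that actually carries the exploit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    findings.append({"part": name,
                                     "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                     "target": rel.get("Target")})
    return findings

RTF_OBJ_RE = re.compile(rb"\\(objupdate|objdata|objclass|objemb|objautlink)\b")

def scan_rtf(data: bytes) -> dict:
    """Report embedded-object control words in an RTF file. \\objupdate asks the
    application to refresh the object when the document opens, so its presence
    next to \\objdata means the object is meant to run without a click or a
    macro prompt."""
    words = sorted({m.group(1).decode() for m in RTF_OBJ_RE.finditer(data)})
    return {"object_words": words,
            "auto_update": "objupdate" in words and "objdata" in words}

def make_sample_docx() -> bytes:
    """Constructed sample: a minimal package whose document rels contain one
    external oleObject link (the URL is a placeholder, not a real indicator)."""
    rels = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/doc.rtf" TargetMode="External"/>'
            b'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed sample RTF: an embedded object marked for automatic update.
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
              rb"{\*\objdata 0105000002000000}}}")

if __name__ == "__main__":
    print(scan_docx(make_sample_docx()))
    print(scan_rtf(SAMPLE_RTF))
```

Neither check decides on its own that a file is malicious: external hyperlinks are normal and legitimate documents do embed objects. The combination that matters is an external link of type oleObject in a .docx, or \objupdate with object data in an RTF, arriving unsolicited from outside the organisation.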

NetSupport Manager Remote Control Software Delivered in Malicious Campaign

FireEye recently identified a new malicious operation that leverages compromised websites to install the NetSupport Manager remote control software on systems, unbeknownst to users. When visited, these websites prompt the user to download and install the NetSupport Manager executable disguised as updates for popular applications such as Adobe Flash, Chrome, and Firefox. Since this remote access software is a legitimate tool commonly used by administrators to gain authorized remote access to computers on a network, it may evade antivirus detection when delivered by this campaign, especially if the tool has been whitelisted in the environment. The NJCCIC recommends all network administrators review FireEye’s report for additional information and scan all systems for the associated indicators of compromise (IoCs). Current users and administrators of the NetSupport Manager remote control software are encouraged to audit all instances of the software on their network to ensure secure configurations and help differentiate between legitimate and potentially malicious installations.
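The audit the NJCCIC recommends comes down to comparing each NetSupport client’s configuration with what a managed install should look like. The function below is an added example for this advisory and is not FireEye or NetSupport code: it reads a client32.ini and flags a gateway that is not on the approved list and the flags that hide the client from the logged-on user. The section and key names ([HTTP] GatewayAddress, [Client] silent, quiet, SKMode) are taken from public write-ups of abused installs and are an assumption for this example; compare them with a known-good file from your own deployment. Both sample configurations are constructed.

```python
import configparser

def audit_client32(ini_text: str, approved_gateways: set) -> list:
    """Flag settings in a NetSupport client32.ini that are out of place in a
    managed deployment. Key names are assumed from public write-ups of abused
    installs; verify them against a known-good file before relying on this."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key case exactly as written
    cp.read_string(ini_text)
    issues = []
    gateway = cp.get("HTTP", "GatewayAddress", fallback="")
    if gateway and gateway.split(":")[0] not in approved_gateways:
        issues.append(f"reports to unapproved gateway {gateway}")
    for key in ("silent", "quiet", "SKMode"):
        if cp.get("Client", key, fallback="0").strip() == "1":
            issues.append(f"[Client] {key}=1 hides the client from the logged-on user")
    return issues

# Constructed sample: what a configuration dropped by malware tends to look like.
SUSPECT_INI = """[Client]
silent=1
SKMode=1
[HTTP]
GatewayAddress=203.0.113.10:443
Port=443
"""
# Constructed sample: a corporate install pointed at the helpdesk gateway.
MANAGED_INI = """[Client]
silent=0
[HTTP]
GatewayAddress=gw.helpdesk.example.com:443
"""
APPROVED_GATEWAYS = {"gw.helpdesk.example.com"}

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_INI), ("managed", MANAGED_INI)):
        print(label, audit_client32(text, APPROVED_GATEWAYS) or "clean")
```

Collect the client32.ini files with your endpoint management tooling (they sit next to the client executable) and run every one through the function; an install whose gateway you do not recognise, or that was dropped somewhere other than your standard install path, is the one to pull for investigation.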

Matrix Ransomware Distributed Via Compromised Remote Desktop Services

MalwareHunterTeam recently discovered two new variants of the Matrix ransomware that are distributed via compromised Remote Desktop services. First detected in 2016, Matrix was previously delivered to victims through an exploit kit known as RIG. In this current campaign, threat actors scan for machines that have their Remote Desktop Protocol (RDP) ports open and exposed to the internet. Once a vulnerable system is located, a brute-force attack is launched against the login credentials used for remote access. If the attack is successful, Matrix ransomware is installed and executed on the target computer. Despite some differences, both new variants encrypt files, including those on unmapped network shares, scramble their filenames, delete Volume Shadow Copies, and display status windows during the encryption process. Encrypted filenames are appended with [Files4463[@]tuta[.]io] or [RestorFile[@]tutanota[.]com], depending on which variant infects the machine. The NJCCIC recommends all users and administrators running Remote Desktop services review the NJCCIC Threat Analysis titled Remote Access: Open Ports Create Targets of Opportunity, Undue Risk and take proactive steps to reduce their exposure to network compromise as a result of insecure remote access configurations. We also recommend all members and organizations download our PDF titled Ransomware: Risk Mitigation Strategies to learn how to protect data, systems, and networks from ransomware.

Bing Search Results Display Malicious Chrome Advertisements

Lawrence Abrams of Bleeping Computer reports observing the Bing search engine display Google Chrome advertisements designed to redirect users to a website that delivers installers for adware and Potentially Unwanted Programs (PUPs). These misleading advertisements appear as a top result when a user searches for the phrase “chrome download” using Bing. Although the advertisements appear to lead to Google’s authentic website, the ads actually direct users to the site www[.]googlechrome2018[.]net, designed to lure users into downloading an InstallCore bundle masquerading as ChromeSetup.exe. If users already have Chrome installed on their system, they are prompted to download and install a “Search Manager” extension. If that extension is installed, additional prompts appear for further Chrome extensions, anti-malware PUPs, and other programs that may negatively impact device performance and security. The NJCCIC recommends downloading Chrome only from Google’s official site and extensions only from the official Chrome Web Store, reached by typing the web address directly into the URL field rather than by clicking on search advertisements. If users have downloaded and installed the affected programs, we recommend uninstalling them immediately and scanning affected devices with a reputable antivirus solution.

SirenJack

Bastille security researcher Balint Seeber recently discovered that the radio protocol used to control sirens in emergency alert systems (EASs) manufactured by ATI Systems is not encrypted. This exposure could allow a malicious actor to locate the radio frequency associated with an ATI Systems EAS and then transmit crafted commands to it, generating fraudulent alerts and creating false public alarm. These emergency alert systems are used in universities, industrial sites, military installations, and cities around the world. ATI is currently testing a patch for these systems that adds security features to the radio protocol. As these patches are customized for each client, EAS administrators need to contact ATI Systems to receive their specialized patch. The NJCCIC recommends all administrators of ATI Systems emergency alert systems review the SirenJack report and contact their ATI Systems representative for information on receiving the patch.

Intel Remote Keyboard App

Researchers at Intel discovered a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of Intel’s popular Remote Keyboard app. Successful exploitation of this vulnerability could allow threat actors to execute malicious code and inject keystrokes into remote keyboard sessions as the local user. The app, available on iOS and Android, allows mobile devices to control Next Unit of Computing (NUC) and Compute Stick devices used in classrooms, kiosks, and network computer environments through the peer-to-peer network protocol Wi-Fi Direct. Intel has identified two additional vulnerabilities (CVE-2018-3645 and CVE-2018-3638) in its advisory that, if exploited, could allow a threat actor to gain access as a privileged user. After discovering these vulnerabilities, Intel announced that it is discontinuing the Remote Keyboard app. The NJCCIC recommends all users of the Intel Remote Keyboard app review Intel’s security advisory and uninstall the app immediately.

Amazon CloudFront

MindPoint Group researchers discovered a security flaw in Amazon CloudFront’s Content Delivery Network (CDN) that allowed them to hijack subdomains from legitimate websites. This vulnerability exists within Amazon CloudFront’s CDN routing mechanism that links a website’s domain and subdomains to a specific server. If exploited, a remote threat actor could point misconfigured subdomains to their own endpoints and use them to deliver malicious content to unsuspecting visitors. After being notified of the flaw, Amazon took ownership of over 2,000 domains that MindPoint Group researchers hijacked during their demonstration and now uses those pages to display a warning for website owners. Additionally, Amazon launched new AWS security tools for customers. More information about the flaw and Amazon’s new security tools is available via Bleeping Computer. The NJCCIC recommends all Amazon CloudFront administrators review the MindPoint Group report titled CloudFront Hijacking and follow the recommendations included to secure their CloudFront distributions.
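The misconfiguration behind the hijack is a DNS name that still points at CloudFront while no distribution claims that name as an alternate domain name, so anyone who creates a distribution with that alias receives the traffic. The check below is an added example for this advisory, not MindPoint Group or AWS code: given your zone records and your account’s distributions it reports names that nobody claims (claimable by an attacker) and names that are claimed, but by a different distribution than DNS points at (misrouted, though not claimable). The records, distribution IDs and domain names are constructed; in practice the inputs come from aws route53 list-resource-record-sets and aws cloudfront list-distributions (DomainName and Aliases.Items), and the check should run across every AWS account you own.

```python
import fnmatch

CF_SUFFIX = ".cloudfront.net"

def alias_matches(alias: str, hostname: str) -> bool:
    """True if a distribution's alternate domain name covers hostname. A '*'
    alias covers exactly one label (a.example.com, not a.b.example.com)."""
    alias, hostname = alias.lower().rstrip("."), hostname.lower().rstrip(".")
    if alias.startswith("*."):
        return hostname.count(".") == alias.count(".") and fnmatch.fnmatchcase(hostname, alias)
    return alias == hostname

def audit_cloudfront_dns(records, distributions) -> dict:
    """records: (name, type, target) tuples from your zones. distributions:
    dicts with 'domain_name' and 'aliases' from your CloudFront account(s).
    Returns names pointing at CloudFront that no distribution claims, and names
    claimed by a distribution other than the one DNS points at."""
    dangling, mismatched = [], []
    for name, rtype, target in records:
        tgt = target.lower().rstrip(".")
        if rtype not in ("CNAME", "ALIAS") or not tgt.endswith(CF_SUFFIX):
            continue
        owners = [d for d in distributions
                  if any(alias_matches(a, name) for a in d["aliases"])]
        if not owners:
            dangling.append(name)
        elif not any(d["domain_name"].lower() == tgt for d in owners):
            mismatched.append((name, tgt, owners[0]["domain_name"]))
    return {"dangling": dangling, "mismatched": mismatched}

# Constructed sample data (no real zone or account).
SAMPLE_RECORDS = [
    ("www.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("old.example.com", "CNAME", "d222222abcdef8.cloudfront.net."),  # distribution deleted
    ("api.example.com", "CNAME", "d111111abcdef8.cloudfront.net."),  # points at the wrong one
    ("example.com", "MX", "mail.example.com."),
]
SAMPLE_DISTRIBUTIONS = [
    {"id": "E1AAAAAAAAAAAA", "domain_name": "d111111abcdef8.cloudfront.net",
     "aliases": ["www.example.com"]},
    {"id": "E3CCCCCCCCCCCC", "domain_name": "d333333abcdef8.cloudfront.net",
     "aliases": ["api.example.com"]},
]

if __name__ == "__main__":
    print(audit_cloudfront_dns(SAMPLE_RECORDS, SAMPLE_DISTRIBUTIONS))
```

The dangling list is the one to act on first: either delete the record or recreate a distribution that lists the name as an alias. Do this as part of decommissioning, since the exposure starts the moment a distribution is deleted while its DNS record stays behind.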

Microsoft Malware Protection Engine

Google Project Zero researcher Thomas Dullien discovered a critical vulnerability in the Microsoft Malware Protection Engine (MMPE). MMPE is the component responsible for malware scanning, detection, and cleaning within Microsoft products such as Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection. This vulnerability, CVE-2018-0986, could allow an attacker to execute malicious code and gain complete control on a Windows machine through the system privileges that MMPE is provided. Since the MMPE component scans all incoming files by default, an attacker could send malicious code through an email attachment or an instant messenger client and, without user interaction, use it to exploit the vulnerability. Microsoft has fixed the MMPE flaw in Engine version 1.1.14700.5 and the associated update will be pushed to all vulnerable systems this week, unless system owners and administrators have specifically blocked MMPE updates. The NJCCIC recommends all Windows users and administrators review Microsoft’s Security Advisory for more information and ensure that their systems are set to receive the security update designed to patch CVE-2018-0986.

At least 1,000 Magento-Powered Sites Compromised

E-commerce sites running on the Magento platform are being compromised by profit-motivated criminals via brute-force attacks against administrator panels using common and default Magento credentials. So far, at least 1,000 Magento sites have been impacted and infected with malicious scripts designed to steal payment card data or deliver additional malware, according to security researchers at Flashpoint. The compromised sites are being used to mine cryptocurrency, log payment card data via card-scraping scripts, install the AZORult information stealer, and redirect visitors to malicious sites that attempt to install malware onto systems via a fraudulent Adobe Flash update. The majority of the identified compromised sites are associated with the education and healthcare sectors and hosted on servers in the US and Europe. At least 365 sites hosted on servers within New Jersey are running Magento and could potentially become targets of this attack if not secured with unique, lengthy, and complex administrator credentials. The NJCCIC recommends all administrators of Magento-powered sites review the Flashpoint blog for additional information, including indicators of compromise (IoCs) and the associated YARA rule, and follow the recommendations outlined in the Magento Security Best Practices guide to secure their websites against this and other attacks.

Destructive Trojan SHARPKNOT Used by North Korean APT Group

On March 28, the National Cybersecurity and Communications Integration Center (NCCIC) released a Malware Analysis Report (MAR) detailing analysis from the US DHS and FBI on a newly identified trojan variant dubbed “SHARPKNOT,” used in cyber operations conducted by North Korean advanced persistent threat (APT) group HIDDEN COBRA, aka Lazarus Group. The malware targets systems running Windows and is executed via the command line. Once executed, the malware first attempts to disable the “System Event Notification” and the “Alerter” services; the latter is present only in the End-of-Life (EOL) operating systems Windows XP and Windows Server 2003. The malware then overwrites and deletes the Master Boot Record (MBR) and deletes files on mapped network shares and physically connected storage devices. Once the malware has deleted these files, the system is rebooted and left inoperable. The NJCCIC recommends those who could be considered targets for North Korean APT cyber operations review the NCCIC MAR for more information on the SHARPKNOT trojan, scan their network using the YARA rule and Indicators of Compromise (IoCs) provided, and add the STIX file to their threat intelligence sharing platform. If your organization has been impacted by the activity outlined in the MAR, the NJCCIC recommends immediately removing the affected systems from your network and contacting the NJCCIC via the Cyber Incident Report Form or by calling 609-963-6900 ext. 7865. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; keep antivirus, hardware, and software up-to-date; disable unnecessary services on workstations and servers; and establish strong identity and access management controls, including multi-factor authentication.
Additionally, users and administrators can better protect their MBR by installing MBR Filter, a Windows disk filter released by Cisco Talos that blocks write access to the MBR, available on GitHub. The NJCCIC makes no claim as to the effectiveness of this tool and users are advised to exercise caution when downloading and installing any software from the internet.
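Blocking writes to the MBR is one control; knowing whether it has already been tampered with is another. The code below is an added example for this advisory, not NCCIC or Cisco Talos code: it parses the classic 512-byte MBR layout (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510), records a baseline, and reports what changed when the sector is read again. The sample MBR is constructed; on a real host the first 512 bytes come from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, both of which require administrative rights to read.

```python
import hashlib
import struct

MBR_SIZE = 512

def parse_mbr(mbr: bytes) -> dict:
    """Parse a classic MBR: boot code, four 16-byte partition entries at
    offset 446, and the 0x55AA boot signature at offset 510."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:                       # partition type 0 = empty slot
            parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts}

def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a stored baseline (as returned by
    parse_mbr) and list what changed. A wiper that overwrites the sector
    destroys the signature and the partition table together; a bootkit
    changes the boot code while leaving the table intact."""
    cur = parse_mbr(mbr)
    problems = []
    if not cur["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        problems.append("boot code changed")
    if cur["partitions"] != baseline["partitions"]:
        problems.append("partition table changed")
    return problems

def make_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code and one bootable NTFS partition
    starting at LBA 2048 (type 0x07, 204800 sectors)."""
    boot = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 443
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                        2048, 204800)
    return boot + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    good = make_sample_mbr()
    baseline = parse_mbr(good)
    print("baseline:", baseline)
    print("unchanged:", check_mbr(good, baseline))
    print("wiped:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

Store the baseline off the host (a wiper that reaches the MBR can reach a local file too) and run the comparison from a scheduled job or at boot from trusted media. Changes to the boot code after a legitimate OS update are expected; re-baseline after patching rather than ignoring the alert.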

GhostMiner Fileless Malware Targets WebLogic Servers

Oracle WebLogic WLS-WSAT vulnerability CVE-2017-10271 is currently being exploited to deliver a fileless cryptocurrency miner to vulnerable servers. Security researchers with Minerva Labs detected the malware, dubbed GhostMiner, which uses two PowerShell scripts to infect victims with a variant of the XMRig Monero miner. Once executed, GhostMiner terminates any other cryptocurrency miners it detects on the same host. At the time of writing, GhostMiner has reportedly generated 1.03 Monero, the equivalent of approximately $200 USD. The NJCCIC recommends reviewing the Minerva report for additional information and Indicators of Compromise (IoCs). Additionally, we recommend all users and administrators of Oracle products review Oracle’s Critical Patch Update advisories for any necessary updates. For additional information about fileless intrusions, please review the NJCCIC Threat Analysis product titled Fileless: Evasive Intrusion Tactics Pose Challenge for Network Defense.

Malicious Apps Delivering Adware Found in Google Play Store

A SophosLabs researcher discovered two new Android malware variants hidden inside apps available for download in the Google Play store. The first variant, dubbed “Guerilla,” was found in 15 seemingly legitimate apps and is described as a fully functioning backdoor, allowing threat actors to download additional malware onto infected devices. The threat actors push aggressive ad-click plugins to the victims, covertly generating ad revenue for the perpetrators. The second malware, dubbed “HiddnAd,” was hidden in seven different apps, including six QR code-reading apps and one “smart compass” app. The malicious apps were downloaded hundreds of thousands of times and bypassed Play store security by delaying malicious activity until six hours after installation. Once the malicious activity began, pop-up advertisements displayed on the victim’s device along with Android notifications containing links that, if clicked, generated ad revenue for the threat actors. Google has since removed the infected apps from the Play store. The NJCCIC recommends Android users review the Sophos reports on the Guerilla and HiddnAd malware variants for a list of affected apps and, if installed, immediately remove the apps from the device. Additionally, we recommend running a reputable antivirus application on all devices, refraining from downloading apps that require excessive device permissions, promptly removing apps that exhibit unexpected or unwanted behavior, and keeping all device software and apps updated to the most recent version.

GoScanSSH Targets Linux-Based SSH Servers

A new malware variant, dubbed GoScanSSH by Cisco Talos researchers, attempts to compromise Linux-based SSH servers that are exposed to the internet and join them to a botnet. Written in the Go programming language, GoScanSSH uses a previously infected device to scan randomly generated IP addresses for open SSH ports, attempts to establish an SSH connection with an identified target, and then gathers information about the domains associated with it. Researchers have determined that GoScanSSH compares these associated domains and IP addresses with an internal blacklist to avoid compromising military and government-based servers. When the malware finds a viable target with an open SSH port, an SSH credential brute-force attack is initiated using a word list containing over 7,000 common username and password combinations, mostly comprised of weak or default device credentials. If a credential match is found and access can be obtained, a unique GoScanSSH malware binary will then be installed on the system. After the malware gathers information on the infected device, it begins searching for new devices to compromise. The NJCCIC recommends administrators of Linux-based systems with open and publicly exposed SSH ports review the Talos report for additional information and Indicators of Compromise (IoCs), change any and all default account credentials, ensure systems have unique and complex account credentials, and close port 22 if it is not needed. If SSH is needed in your environment, consider implementing IP whitelisting and a multi-factor authentication solution to protect against brute-force attacks.
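Three items in this digest describe the same precursor: a single source hammering a login with a list of credentials, against RDP (Matrix), a Magento admin panel, and SSH (GoScanSSH). The detector below is an added example for this digest, not code from MalwareHunterTeam, Flashpoint or Cisco Talos, and one block serves all three passages: it normalises failed-authentication events from three log formats into (time, service, source, account) and raises an alert when one source makes ten or more attempts inside a sliding sixty-second window. The sshd lines follow the standard "Failed password" syslog message (the year is assumed, since syslog omits it); the Windows 4625 lines use a constructed comma-separated export layout (time, EventID, LogonType, account, source IP), not a native Windows format, and keep only logon type 10 (RemoteInteractive, i.e. RDP); the web lines are combined-format access-log entries for POSTs to /admin, the default Magento admin path, counted regardless of status because Magento answers a failed admin login with 200. All sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

YEAR = 2018  # syslog lines carry no year; assumed for the constructed sample below

# sshd: "Failed password for [invalid user] <acct> from <ip> port N ssh2"
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+)")
# Windows 4625 in a constructed export layout: time,EventID,LogonType,account,source IP
WIN_RE = re.compile(r"^(\S+),4625,(\d+),([^,]+),(\S+)$")
# Combined-format access log, POSTs to the Magento admin path
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (/admin\S*) HTTP/[\d.]+" (\d{3})')

def parse_line(line):
    """Normalise one line to (time, service, source_ip, account), or None."""
    m = SSHD_RE.match(line)
    if m:
        t = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return (t.replace(tzinfo=timezone.utc), "ssh", m.group(3), m.group(2))
    m = WIN_RE.match(line)
    if m and m.group(2) == "10":   # logon type 10 = RemoteInteractive, i.e. RDP
        t = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
        return (t, "rdp", m.group(4), m.group(3))
    m = WEB_RE.match(line)
    if m:   # Magento answers a failed admin login with 200, so count attempts, not statuses
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return (t, "magento-admin", m.group(1), "?")
    return None

def find_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Report every (service, source IP) that made `threshold` or more attempts
    inside any sliding `window`, with the account names it cycled through."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            attempts[(ev[1], ev[2])].append((ev[0], ev[3]))
    alerts = []
    for (service, src), evs in attempts.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"service": service, "source": src, "attempts": end - start + 1,
                               "accounts": sorted({a for _, a in evs[start:end + 1]})})
                break
    return alerts

def sample_lines():
    """Constructed log lines: one noisy source per service plus benign noise."""
    lines = [f"Apr 18 10:02:{i:02d} bastion sshd[4{i:03d}]: Failed password for invalid user "
             f"{'admin' if i % 2 else 'root'} from 198.51.100.7 port 5{i:04d} ssh2" for i in range(12)]
    lines.append("Apr 18 10:05:00 bastion sshd[4999]: Failed password for alice from 203.0.113.5 port 51000 ssh2")
    lines += [f"2018-04-18T10:02:{i:02d},4625,10,Administrator,198.51.100.9" for i in range(12)]
    lines.append("2018-04-18T10:02:30,4625,3,svc_backup,10.0.0.8")  # network logon, not RDP: ignored
    lines += [f'192.0.2.44 - - [18/Apr/2018:10:02:{i:02d} +0000] "POST /admin/ HTTP/1.1" 200 5123'
              for i in range(11)]
    return lines

if __name__ == "__main__":
    for alert in find_bursts(sample_lines()):
        print(alert)
```

The threshold and window are the tuning knobs: a scripted scanner such as GoScanSSH trips the default easily, while a user mistyping a password three times does not. Pair the alert with an automatic block (fail2ban for SSH, account lockout policy for RDP, a rate limit in front of the Magento admin path) so that the detection also shortens the attacker’s window.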

Drupal

A severe vulnerability in the Drupal content management system was recently disclosed by the Drupal security team. Dubbed Drupalgeddon2, the flaw (CVE-2018-7600) could allow threat actors to take over a vulnerable site simply by sending a crafted request to it. Although, at this time, there is no public proof-of-concept (PoC) code, Drupal’s security team anticipates the vulnerability will be actively exploited by threat actors within hours or days. Assigned a severity score of 21 out of 25, it is critical that owners and administrators of websites running Drupal 7.x and 8.x immediately update to Drupal 7.58 and 8.5.1, respectively. End-of-Life Drupal 6 is also affected; those running Drupal 6 may visit the Drupal 6 Long Term Support site and apply the provided patch. The NJCCIC recommends all Drupal site owners and administrators review the Drupal security advisory for more information and update their sites to a patched version immediately, or implement mitigation solutions until a patch can be applied.
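Patching is the fix, but administrators also want to know whether anyone tried before the patch landed. The scanner below is an added example serving both Drupalgeddon2 items and the GhostMiner/WebLogic item in this digest; it is not Drupal, Oracle or Minerva Labs code. It runs two rules over web access-log lines: request parameter names that are, or contain, a key beginning with "#" (Drupal’s render API reserves such keys for properties, no legitimate form submission carries them, and the patched 7.58 and 8.5.1 releases strip them from incoming requests), and POSTs to the WebLogic WLS-WSAT endpoint (the /wls-wsat/ path is taken from public reporting on CVE-2017-10271 and is an assumption for this example). The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined access-log format: client, ident, user, [time], "METHOD target HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')

def drupal_hash_keys(query: str) -> list:
    """Parameter names that are, or contain, a key beginning with '#'. Drupal's
    render API reserves such keys for properties, so no legitimate form submission
    carries them, and the patched releases strip them from incoming requests.
    parse_qsl percent-decodes the names, so %23 is seen as '#'."""
    return [key for key, _ in parse_qsl(query, keep_blank_values=True)
            if re.search(r"(^|\[)#", key)]

def scan_access_log(lines) -> list:
    """Run two rules over access-log lines: '#'-prefixed keys in a Drupal query
    string, and POSTs to the WebLogic WLS-WSAT endpoint (an assumed path, taken
    from public reporting on CVE-2017-10271)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, target, status = m.groups()
        url = urlsplit(target)
        keys = drupal_hash_keys(url.query)
        if keys:
            alerts.append({"src": src, "time": when, "rule": "drupal-hash-key",
                           "detail": keys, "status": int(status)})
        if method == "POST" and url.path.startswith("/wls-wsat/"):
            alerts.append({"src": src, "time": when, "rule": "weblogic-wls-wsat-post",
                           "detail": url.path, "status": int(status)})
    return alerts

# Constructed sample lines (no real traffic). The first carries a '#' key inside a
# bracketed parameter name, URL-encoded as %23; the third hits the WLS-WSAT endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Apr/2018:03:10:11 +0000] "GET /user/password?name%5B%23foo%5D%5B%5D=bar&form_id=user_pass HTTP/1.1" 200 7012',
    '203.0.113.9 - - [13/Apr/2018:03:11:02 +0000] "GET /user/password?name=alice HTTP/1.1" 200 6988',
    '192.0.2.17 - - [13/Apr/2018:03:12:40 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1022',
    '192.0.2.17 - - [13/Apr/2018:03:12:41 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3290',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Access logs record only the query string, so the Drupal rule misses "#" keys sent in a POST body; run the same drupal_hash_keys check inside a WAF or an application-level request log to cover that path. A hit with a 200 status on an unpatched site should be treated as a probable compromise and handled with the Drupal PSA’s recovery steps, not just a patch.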

Zero-Day Vulnerabilities in ManageEngine Products

Researchers at Digital Defense discovered six zero-day vulnerabilities in various ManageEngine applications including Log360, EventLog Analyzer, and Application Manager. The flaws – which include unauthorized file upload, blind SQL injection, local file inclusion, and API key disclosure – could be leveraged by threat actors to conduct remote code execution with escalated privileges and obtain sensitive information. ManageEngine was alerted to the security vulnerabilities on February 12 and issued patches on March 7. The NJCCIC recommends users and administrators of affected ManageEngine products review the Digital Defense Security Advisories (1, 2) and apply the available patches as soon as possible.

Geutebrück IP Security Cameras

Researchers at RandoriSec discovered several high-severity vulnerabilities in the firmware of two Geutebrück IP security cameras, the G-Cam/EFD-2250 version 1.12.0.4 and the Topline TopFD-2125 version 3.15.1. According to an ICS-CERT Advisory, the vulnerabilities include improper authentication, improper access control, SQL injection, Cross-Site Request Forgery, Server-Side Request Forgery, and Cross-Site Scripting flaws that, if successfully exploited, could allow a threat actor to conduct proxy network scans, gain database access, download the full configuration including passwords, execute code remotely, and add an unauthorized user to the system. Additionally, these vulnerabilities could be used by threat actors to gain control of devices and add them to a botnet. Researchers at RandoriSec suspect that similar firmware vulnerabilities may exist in other popular IP-based security cameras from various vendors. The NJCCIC recommends users of the affected Geutebrück products review the ICS-CERT Advisory. G-Cam/EFD-2250 camera users are strongly advised to download and install the newest firmware version, 1.12.0.19, by registering for or logging into a Geutebrück WebClub account. We recommend Topline TopFD-2125 users implement the workaround described in the advisory and apply any patches should they become available. All users and administrators of IP-based cameras are encouraged to reduce their network exposure by ensuring their devices are not accessible from the internet, use VPNs for remote access, enable two-factor authentication where available, and always keep devices updated.