Bug Allowed Malware to Appear as Apple Software

A researcher at security firm Okta discovered a bug in third-party Mac security programs from Facebook, VirusTotal, Google, and others that could allow malware to appear as a legitimate program code-signed by Apple. The bug stems from the method these applications use to verify that an executable is properly signed: some security programs whitelist executables based on their embedded signatures but do not check every component of the file to ensure the signature is valid for all of them. Bleeping Computer provides a list of affected programs here. The NJCCIC recommends users of affected programs apply patches as soon as they become available.

Android Debugging Port Left Open Leaving Devices Vulnerable

According to security researcher Kevin Beaumont, Android devices are being shipped by some vendors with the Android Debug Bridge (ADB) over Wi-Fi feature enabled, leaving the device vulnerable to remote connections via TCP port 5555. In February of this year, researchers at Qihoo 360 Netlab discovered that threat actors were exploiting a vulnerability in the ADB debugging port to install the cryptocurrency miner ADB.Miner on vulnerable Android devices. After the device is infected, it scans for additional devices with port 5555 open in order to spread the infection. Additionally, a Metasploit module is available to automate the process of exploiting vulnerable Android devices via port 5555, making it easier for less-sophisticated threat actors to take control of these devices. The NJCCIC recommends all users of Android devices review Kevin Beaumont’s blog post for more information on this vulnerability and ensure they do not have ADB over Wi-Fi enabled on their devices. 

Sensitive Navy Data Allegedly Stolen by Chinese Hackers

Chinese government-affiliated threat actors reportedly stole over 614GB of sensitive information from a US Navy contractor, including information on electronic warfare, an anti-ship missile program, sensor data, and submarine data relating to cryptographic systems. This data was housed on an unclassified server of an unnamed contractor, highlighting the need to ensure contractors and other third-party vendors are adhering to the information security standards necessary to protect sensitive information and networks. The NJCCIC recommends organizations that may be considered valuable targets for cyber-espionage activity, including US defense contractors, implement a Defense-in-Depth cybersecurity strategy; employ the Principle of Least Privilege; enable multi-factor authentication for user accounts; and keep antivirus, hardware, and software updated to the latest vendor-supported patch levels to mitigate against the exploitation of known vulnerabilities.

IQY Attachment Malspam Campaign

Antivirus platform Barkly published a report on a new malspam (malware spam) campaign spread via the Necurs botnet that targets users by taking advantage of Microsoft Excel’s .iqy file type. When one of these files is opened, Excel connects to a website listed within the file and pulls data from that website into a spreadsheet. This data executes a PowerShell script that then installs the FlawedAmmyy remote access trojan, providing attackers with remote access to administrative functions on the infected device. The attack has evaded antivirus detection because the file content itself is not explicitly malicious. If Excel is configured to block external content, which is often the default, users are prompted with a “Microsoft Excel Security Notice” when an .iqy file is opened; users are advised to select “Disable” to prevent the malicious script from executing. Emails sent in this campaign use subject lines referencing unpaid invoices, scanned document attachments, or purchase orders and may come from an email address that appears to be internal to your organization. The NJCCIC recommends all users and administrators review the Barkly report for more information on this malspam campaign and apply the recommendations provided, including preventing Excel from starting other applications or creating external connections, adjusting firewall settings and email filters to block .iqy files, or, if this file type is necessary for your operations, setting the default program for .iqy files to Notepad, where the malicious script will not run. Users should also refer to the NJCCIC’s General Cybersecurity Best Practices guide for tips to increase email security.

Patchwork Cyber-Espionage Group Expands Targets

Patchwork, also referred to as Dropping Elephant, is a cyber-espionage group that targets diplomatic and government agencies, private businesses, and, most recently, US think tank organizations. As the name suggests, the group is known for rehashing tools and malware in its campaigns to obtain sensitive and confidential data. Patchwork employs social engineering tactics and backdoors, and exploits known vulnerabilities in Dynamic Data Exchange (DDE) and Windows Script Component (SCT) files. The group recently expanded its spear-phishing campaigns to track which recipients opened emails and incorporated topics related to the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS). Currently, Patchwork is leveraging the open-source malware Quasar RAT, which provides remote desktop access, webcam viewing, keylogging, file management, and the ability to download, upload, and execute files remotely. Patchwork has been observed distributing Quasar RAT in spear-phishing emails that contain hyperlinked text leading to a malicious Rich Text Format (RTF) document that, when opened, downloads and executes the malware on the targeted system. The NJCCIC recommends organizations review the Volexity report, educate their users on spear-phishing and other social engineering tactics, deploy proactive defenses such as email gateways, firewalls, and endpoint protection, employ the Principle of Least Privilege on all user accounts, and always keep hardware and software updated.

Zip Slip

Researchers from security firm Snyk have publicized a vulnerability in multiple archive file-extraction libraries found in thousands of open-source web application projects, including those from HP, Amazon, Apache, Oracle, LinkedIn, Twitter, and others. Dubbed “Zip Slip,” the flaw could allow a threat actor to perform a directory traversal attack, writing files outside the intended extraction directory, up to the root of the file system, and possibly achieving remote code execution. In ecosystems such as .NET, Java, JavaScript, Go, and Ruby, there is no central software library for unpacking archive files, so developers write their own code to provide that functionality. A threat actor could create a specially crafted archive containing entries whose names include extra directory components (such as “../”) that traverse up toward the root directory as the file is extracted, giving the actor access to the file system outside the folder in which the extracted files should reside. Because developers share such code snippets on developer community sites like StackOverflow, Zip Slip has spread to many software projects. The vulnerability can affect the following file types: .zip, .tar, .jar, .war, .cpio, .apk, .rar, and .7z. The NJCCIC recommends all users and administrators of the libraries listed above review the Snyk report on Zip Slip and update to the newest, patched version as soon as possible.

APT28 Changes TTPs, Casts Wide Net with Parallel Attacks

APT28, also known as Fancy Bear or Sofacy, changed its tactics, techniques, and procedures (TTPs) in recent campaigns. According to researchers at Palo Alto Networks, the advanced persistent threat (APT) group attributed to the Russian government engaged in tactics typically conducted by profit-motivated threat actors, targeting a large number of individuals and attempting to deliver several malware variants at once, a technique known as “parallel attacks.” Spear-phishing emails delivered in these campaigns carried an attached executable file, a Microsoft Office document containing malicious macros, or an Office document leveraging a Dynamic Data Exchange (DDE) exploit. These files attempted to deliver the Koadic remote access trojan or one of three versions of the Zebrocy backdoor. Users involved with foreign affairs at various government organizations around the world were targeted in these campaigns. The NJCCIC recommends entities that may be considered high-value targets for APT28 operations review the Palo Alto Networks report for more information on recent campaigns, including TTPs and associated IOCs. Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep antivirus, hardware, and software updated to the latest vendor-supported patch levels to mitigate the exploitation of known vulnerabilities.

Prowli Botnet

The GuardiCore security team discovered a new botnet that has infected over 40,000 web servers, modems, and Internet of Things (IoT) devices, compromising over 9,000 companies worldwide. Dubbed “Prowli,” the botnet uses known vulnerabilities and brute-force attacks to infect devices and uses them for cryptocurrency mining and to redirect users to malicious sites. The servers and IoT devices used for cryptocurrency-mining operations are infected with a Monero miner and the r2r2 worm; the worm uses the infected devices to perform SSH brute-force attacks on new devices in order to expand the botnet. When Prowli compromises websites running content management system (CMS) platforms such as Drupal, it installs a backdoor that allows the threat actor to inject malicious code into the website. This code directs users to a traffic distribution system (TDS) that then redirects victims to other malicious sites. Vulnerable devices include CMS servers, backup servers, DSL modems, and IoT devices. The NJCCIC recommends users and administrators of vulnerable platforms review the GuardiCore report for additional information and indicators of compromise (IOCs). Organizations are also encouraged to establish strong passwords and multi-factor authentication and to keep all software up to date.

Windows JScript Component Vulnerable to Remote Code Execution

A vulnerability in the Windows operating system’s JScript component could allow a threat actor to perform remote code execution on a targeted computer. Rated 6.8 out of 10 on the CVSSv2 severity scale, the vulnerability can be exploited when a victim visits a malicious webpage or downloads a malicious JavaScript file. Exploitation alone only grants the threat actor code execution within a sandboxed environment; however, if additional vulnerabilities are exploited, the attacker could gain access to the entire system. Microsoft has been notified of the vulnerability and is working on a fix. The NJCCIC recommends Windows users and administrators review the Zero Day Initiative advisory for more details on the vulnerability and avoid clicking on links or opening attachments delivered in unexpected or unsolicited emails.

XENOTIME Cyber Threat Group Behind TRISIS Expands Targeting

XENOTIME, the cyber threat group behind the TRISIS malware, is shifting and expanding its targeting, according to cybersecurity firm Dragos. TRISIS, also known as TRITON, is a family of malware specifically designed to target industrial control system (ICS) components, particularly Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers. When cybersecurity researchers first reported on the malware in December 2017, it had successfully infected a network in the Middle East; however, the malware failed to execute properly. While the group’s initial targets were based in the Middle East, it operates globally, and intelligence suggests it is targeting safety systems beyond Schneider Electric’s Triconex and in multiple facilities. Dragos is moderately confident that XENOTIME is seeking access to systems and capabilities to carry out a future disruptive or destructive attack. The NJCCIC recommends critical infrastructure owners and operators review the recent blog post and original TRISIS report from Dragos and the TRITON report from FireEye, scan networks using the IOCs provided, and apply the recommendations to reduce the cyber risk posed by this threat. The NJCCIC threat profile on TRISIS/TRITON can be found here.

DHS and FBI Issue Alert on North Korean APT

The US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint Technical Alert (TA) detailing the IP addresses and additional indicators of compromise (IOCs) associated with two malware variants used in cyber operations conducted by the North Korean advanced persistent threat (APT) group Hidden Cobra, also known as Lazarus Group. The alert provides .csv and .stix files containing the IOCs for a remote access trojan (RAT) known as Joanap and a Server Message Block (SMB) worm known as Brambul that can be downloaded and used by network defenders to reduce their exposure to related malicious cyber activity. The FBI has high confidence that Hidden Cobra is using the IP addresses provided in the TA to maintain persistence on victims’ systems and enable network exploitation. The National Cybersecurity and Communications Integration Center (NCCIC) conducted technical analysis on the two malware variants and published a Malware Analysis Report (MAR) that examines the tactics, techniques, and procedures observed. The NJCCIC recommends users and administrators review the TA and associated MAR, scan their networks for the IOCs provided in the reports, and implement the recommended mitigation strategies. If associated Hidden Cobra activity is detected, isolate the affected system(s) from the network immediately, and report the incident to the NJCCIC and the NCCIC or FBI CyWatch.

UPDATE: The FBI Issues PSA on VPNFilter Threat to Routers

The FBI issued a Public Service Announcement on Friday, May 25, updating its guidance for owners of small office/home office (SOHO) routers to combat the threat of the VPNFilter malware. The FBI is now recommending that all owners of SOHO routers, regardless of manufacturer, reboot their devices to temporarily disrupt the malware’s second and third stages. The first stage of the malware, which provides persistence, will still be present after a reboot. To ensure the malware is completely removed from the router, users are advised to reboot and then reset their routers to factory default settings. This is typically done by holding down a small button on the back of the router. Resetting will require the user to reestablish their configuration settings. Rebooting first allows the device, via its persistence capability, to reconnect to the C2 server associated with VPNFilter (now controlled by the FBI), providing the FBI with an accurate count of infected devices and a list of vulnerable devices; the subsequent factory reset then wipes the malware from the device. The size and scope of VPNFilter is significant and the investigation is still ongoing. The FBI is also advising all Wi-Fi router owners and administrators to establish strong passwords and enable encryption for remote management settings, or to consider disabling remote access altogether. For additional information and recommendations, please review the US-CERT Alert and the original NJCCIC threat alert.

DrayTek Routers

Threat actors are exploiting a zero-day vulnerability in DrayTek routers and changing the DNS settings to point to a server at 38[.]134[.]121[.]95. The motivation for changing users’ DNS settings is unknown; however, threat actors may be changing the settings in order to conduct Man-in-the-Middle (MitM) attacks and redirect users to fraudulent websites designed to appear legitimate. There are approximately 6,720 DrayTek devices in the United States that may be vulnerable. The NJCCIC recommends users and administrators of DrayTek routers review the DrayTek Advisories (12) for more information and a list of affected devices, check their current DNS settings following the instructions provided, and apply the firmware update as soon as it is made available.

Brain Food Botnet

Proofpoint researchers discovered a new botnet spreading via phishing emails, dubbed “Brain Food,” that has infected over 5,000 websites in the last four months, with over 2,400 of those sites showing activity in the last week. These emails typically contain a shortened URL and may be sent from a spoofed email address impersonating someone known to the victim. The link redirects the user to a website containing an article about a miracle weight-loss pill, using stolen branding to make the website appear to be a legitimate source. In the background, a malicious PHP script runs on the website, sends system information to the C2 server, and contains a backdoor that could allow a threat actor to perform remote code execution on an infected system. The NJCCIC recommends reviewing the Proofpoint report, educating end users about this and similar threats, and reminding them never to click on links delivered in unexpected or unsolicited emails. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution.

Turla APT Group Now Leverages Metasploit in Operations

The Russia-linked advanced persistent threat (APT) group “Turla” is now leveraging off-the-shelf tools in its cyber-espionage operations. The group, which has been active since 2007, is known for targeting private businesses and government organizations, and has historically targeted the US Department of State and the US Central Command. Recent Turla operations leverage Metasploit, the popular open-source exploitation framework, to spread the Mosquito backdoor trojan. Since March, the campaign has used a fake Adobe Flash Player installer, a tactic seen in previous campaigns, to execute Metasploit shellcode and download a legitimate Flash installer. The Metasploit shellcode downloads Meterpreter, a payload that gives the threat actor control of the compromised system, which in turn downloads the Mosquito backdoor. The NJCCIC recommends reviewing the ESET report for additional details on recent Turla activity and scanning networks for the associated IOCs provided in the report. If Turla activity is suspected, isolate the affected system(s) from the network immediately and perform a full system scan.

The FBI Takes Down Massive VPNFilter Botnet Comprised of Infected Networking Equipment

After obtaining a court order based on an affidavit, the FBI has taken control of the command and control (C2) servers associated with VPNFilter, a botnet comprised of over 500,000 devices. The FBI believes APT28, also known as Fancy Bear and Sofacy, may be behind the botnet and planned to use it in a cyber-attack against Ukraine. The malware used to create the botnet, also called VPNFilter, can steal website credentials, monitor Modbus protocol traffic used by supervisory control and data acquisition (SCADA) systems, and even render devices unusable and cut off internet access for their users, either individually or en masse. Devices affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-LINK networking equipment for small office and home office (SOHO) environments and QNAP network-attached storage (NAS) devices. These devices are notoriously hard to defend: they sit at the perimeter of a network, are often without security services to defend against threats, and may contain difficult-to-patch public vulnerabilities. The NJCCIC highly recommends reviewing the FBI Private Industry Notification and the Cisco Talos blog post for more information on VPNFilter, keeping potentially vulnerable devices updated with the latest patches, and implementing the recommended protections and mitigations, including utilizing the indicators of compromise (IOCs) and Snort signatures provided. The FBI is asking users and administrators of infected routers and NAS devices to reset their devices so that the device reconnects to the C2 server. This will provide the FBI with an accurate number of affected devices and an updated list of vulnerable devices. The information gathered will be used to notify companies, internet service providers, and public and private sector partners.

Security Flaw Impacts Electron-Based Apps

Researchers at Trustwave discovered a vulnerability in the Electron software framework used in desktop applications including Microsoft Skype and Visual Studio Code, Slack, the Brave browser, Signal, Twitch, and many more. Successful exploitation of CVE-2018-1000136 could allow a threat actor to perform remote code execution on vulnerable versions of Electron. The vulnerability takes advantage of the nodeIntegration option found within the webPreferences configuration of Electron-based apps. By exploiting a cross-site scripting (XSS) vulnerability, a threat actor could create a new WebView window in the Electron-based app and, by setting the nodeIntegration flag to “true,” gain access to operating system features. The flaw was reported to the Electron team, and patches were released for vulnerable versions of the framework: versions prior to 1.7.13, 1.8.4, or 2.0.0-beta.3. The NJCCIC recommends all users of Electron-based apps review the Trustwave blog for more information and apply the necessary updates for vulnerable applications as soon as possible.

Vulnerabilities in OpenPGP and S/MIME Could Reveal Email Content

Security researchers have discovered critical vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. Successful exploitation of the vulnerabilities, dubbed “EFAIL,” could allow threat actors to decrypt sent or received email messages, revealing the plaintext, readable content. The vulnerabilities may be exploited via a CBC/CFB gadget attack or an HTML exfiltration attack. The NJCCIC recommends those using OpenPGP and S/MIME for email encryption review the EFAIL report and the CERT/CC Vulnerability Note, disable the viewing of HTML email to eliminate the primary way of exploiting the flaws, and apply patches if and when they become available.

Cryptocurrency-Mining Malware Infects 500,000 Machines

Qihoo 360 Total Security researchers discovered a new cryptocurrency-mining malware that crashes the system if a user attempts to remove its mining process. Dubbed WinstarNssmMiner, the malware has been leveraged in over half a million attacks in the past three days alone. Once executed, the malware creates two processes on the infected device: a mining process using the XMRig Monero miner and a second process used to detect antivirus products. If the malware detects a reputable antivirus solution, it stops the infection attempt. The NJCCIC recommends all users review the Qihoo 360 Total Security blog for more information and install a reputable antivirus/antimalware solution on all systems to protect against this and similar threats.

DDoS Attacks Bypassing Mitigation Solutions via the UPnP Protocol

Threat actors are circumventing DDoS (distributed denial-of-service) mitigation solutions by taking advantage of the Universal Plug and Play (UPnP) protocol to mask the source port of packets sent during a DDoS flood attack, according to DDoS mitigation firm Imperva. These attacks hide their source IPs using UPnP and then leverage DNS and NTP protocols during the DDoS flood. The NJCCIC recommends reviewing the Imperva report and disabling UPnP support for networks not using the feature.