Researchers at Elttam discovered vulnerability CVE-2017-17562 present in GoAhead web servers prior to version 3.6.5 used in hundreds of thousands of IoT devices, including products from Canon, Comcast, D-Link, Oracle, HP, and Siemens. The vulnerability exists when CGI is enabled and a CGI program is dynamically linked, a common configuration – between 500,000 and 700,000 devices are believed to be affected. If exploited, this vulnerability could allow a remote threat actor to execute code on the affected device. While GoAhead has updated their web server to patch the vulnerability, hardware vendors now need to push firmware updates to their affected products. Threat actors will likely attempt to capitalize on this wide-reaching vulnerability by targeting the affected products in order to use them as nodes in a botnet or to spread malware. The NJCCIC recommends all users and administrators of the affected products review the Elttam blog post, use the proof-of-concept code to test if devices are vulnerable, and immediately patch all affected products as updates become available. Additionally, users should take steps to secure IoT devices by isolating them from the public internet where possible, changing the default passwords and enabling multi-factor authentication where available, closing all unnecessary ports and services, and whitelisting IP addresses/IP subnets or requiring a VPN to access the local network.
Threat actors are continuing to purchase WordPress plugins to add backdoor code to them for malicious purposes. Most recently, a threat actor added backdoor code to three old, abandoned plugins in order to insert content and links on affected sites via a remote server. Researchers believe that the code is being used to inject hidden search engine optimization (SEO) spam on affected sites to help improve the search engine ranking of other sites. Just last week, Wordfence experts determined a UK individual purchased and inserted backdoor code into several popular plugins, including Captcha and Display Widgets. Additionally, White Fir Design researchers recently determined that hundreds of WordPress sites are still running one of the 14 plugins that contained a similar SEO spam backdoor, three years after it was first reported. While WordPress has either removed or replaced some of the malicious plugins with clean versions, the NJCCIC recommends all WordPress website administrators review the linked reports above and verify that they have non-malicious versions of affected plugins installed.
A threat actor executed hundreds of thousands of attempts to exploit a zero-day vulnerability CVE-2017-17215 in the Huawei HG532 home router in an effort to create an updated variant of the Mirai botnet. The implementation of the Universal Plug and Play (UPnP) protocol via the TR-064 technical report standard allowed remote attackers to execute arbitrary commands on the device. The OKIRU/SATORI malware was injected into the targeted devices. The majority of these exploit attempts were observed in the US, Italy, Germany, and Egypt. It was determined that the perpetrator of these attacks was an amateur hacker under the name “Nexus Zeta,” exemplifying the increased risk to internet-of-things (IoT) devices even from unskilled threat actors. Check Point researchers disclosed their findings to Huawei, which has since patched the vulnerability and pushed an update to its customers. The NJCCIC recommends users and administrators of the Huawei HG532 home router review the Check Point report and the Huawei Security Notice, and ensure their device has been updated to the most current version. Additionally, all users and administrators of IoT devices, such as routers, are highly encouraged to ensure devices are properly configured and secured upon connecting them to a network, and to always keep hardware and software up-to-date.
Researchers at Trend Micro identified a new cryptocurrency-mining bot, dubbed Digmine, spreading through Facebook Messenger installed on Windows systems. The malware is distributed via messages containing a file named video_xxxx.zip – of which each “x” is a number – that hides an executable file. If the user runs the file, they are infected with Digmine which then contacts its command and control (C2) server. The C2 server sends the victim a Monero cryptocurrency miner and a malicious Chrome extension used to propagate to new victims. If the targeted user’s account is set to automatically sign in, the Digmine Chrome extension will access the user’s Facebook Messenger profile and send a message containing a similar video_xxxx.zip file to all of the user’s contacts. Digmine was first discovered targeting South Korean users and has since spread to other regions around the world. Facebook was notified of this campaign and has since removed the malicious links from Messenger conversations; however, the threat actors can easily change their distribution links. These types of campaigns are likely to continue as the price and popularity of cryptocurrency rises. The NJCCIC recommends social media users review the Trend Micro report, educate themselves on this and similar tactics, enable account privacy settings, use strong passwords, enable multi-factor authentication where available, and monitor system CPU usage for spikes in activity that may indicate the presence of a cryptocurrency miner.
Researchers at Proofpoint published a white paper detailing North Korea’s financially-motivated cyber activity, including their recent targeting of Bitcoin. North Korea is commonly named as one of the United States’ top cyber adversaries; however, they often operate much differently than cyber adversaries like Russia, China, and Iran. Largely due to sanctions against the state, North Korea has resorted to engaging in cyber-attacks traditionally carried out by cybercriminals in order to steal funds. The advanced persistent threat (APT) group associated with the North Korean government, the Lazarus Group, is attributed to various financially-motivated cyber-attacks that have occurred over the last few years, including: the February 2016 attack against the SWIFT banking system that resulted in the theft of $81 million from the central bank of Bangladesh, subsequent attacks on dozens of other financial institutions around the world, and the May 2017 WannaCry ransomware attack that impacted hundreds of thousands of computers around the world. Recently, the group has capitalized on the increasing interest and surging prices of cryptocurrencies. The Lazarus Group is accused of the following: stealing millions of dollars’ worth of Bitcoin from the South Korean Bitcoin exchange Youbit, successfully breaching several cryptocurrency companies and exchanges, and targeting individuals and organizations with spear-phishing emails containing links and attachments to deliver the PowerRatankba malware that steals credentials for cryptocurrency wallets. Additionally, researchers believe the group targeted SoftCamp point-of-sale terminals, largely used in South Korea, with the RatankbaPOS malware in order to steal bank card data. The NJCCIC recommends reviewing the Proofpoint report “North Korea Bitten By Bitcoin Bug” for more information on recent Lazarus Group activity, including various attack vectors and tools used by the group. 
We recommend cryptocurrency owners remain vigilant and maintain awareness of threats targeting cryptocurrency wallets and exchanges, avoid using links provided in emails or through social media platforms to visit cryptocurrency wallet and exchange sites and instead type the legitimate address directly into the URL field of their web browsers, and exercise caution before downloading any cryptocurrency-related application or allowing full read/write API access to accounts from external sources. Lastly, we strongly recommend enabling multi-factor authentication on all accounts that offer it to prevent unauthorized access as a result of credential compromise.
Google Project Zero researcher Tavis Ormandy discovered a vulnerability in the Keeper password manager browser extension that is installed by default on Windows 10 and in tandem with the Keeper desktop application. This vulnerability, if exploited, can allow remote threat actors to steal passwords stored by the extension if a victim visits a specially-crafted malicious website. The NJCCIC recommends Keeper users read the Keeper blog post titled Update for Keeper Browser Extension 11.4.4 and ensure that their browser extensions are updated to the latest version. Edge, Chrome, and Firefox users should receive the update automatically; however, Safari browser users will need to apply the update manually by visiting Keeper’s download page.
Cisco Talos discovered a pair of vulnerabilities in the VNC implementation for VMware products that, if exploited, could allow a threat actor to execute code. VNC is implemented for remote management and access, and automation for VMware Workstation, Player, and ESXi. A threat actor could initiate a VNC session – which does not require a username and password by default – and craft a set of VNC packets to trigger the vulnerabilities. The NJCCIC recommends VMware users and administrators review the Talos advisories for CVE-2017-4933 and CVE-2017-4941 and immediately turn on VNC authentication to mitigate these vulnerabilities.
Security researchers at Preempt discovered a vulnerability affecting organizations that use Microsoft’s Azure AD Connect software to connect a Microsoft Office 365 cloud deployment with on-premises Microsoft Active Directory (AD) Domain Services, known as a hybrid deployment. This vulnerability exists due to a configuration error between the Azure AD Connect software and the AD DS directory synchronization account and can result in the creation of several unauthorized stealthy administrator accounts – user accounts that exist outside of the protected administrator group but have elevated domain privileges. These privileged accounts create a grave risk to organizations as they are often overlooked and not properly managed, and credentials for these accounts could easily be compromised and exploited by threat actors to gain unauthorized access to networks. The NJCCIC recommends all network administrators who installed Azure AD Connect using the default/express installation option and manage a hybrid deployment as described above review Microsoft Security Advisory 4056318 and the Preempt Blog to learn more about this vulnerability and audit their networks for stealthy administrator accounts. Microsoft released a free PowerShell script for administrators to tighten permissions of the AD domain accounts and Preempt released a free tool designed to locate stealthy administrator accounts. The NJCCIC makes no claim as to the effectiveness of these tools and users are advised to exercise caution when downloading and installing any software from the internet.
NewSky Security researchers discovered more than 1,000 Lexmark printers unsecured and exposed to the internet. Using Shodan, a publicly available internet-of-things (IoT) search engine, NJCCIC analysts determined that this exposure impacts some organizations within New Jersey. Several of these printers’ administrative panels are remotely accessible over TCP ports 80 and 443 and do not require login credentials to view or modify settings. These printers also have several other ports open including TCP port 21 (FTP) and TCP port 445 (SMB) creating additional opportunities for unauthorized access into both the device and the organization’s network. This access allows a remote actor to do the following: view the location, device status, printer model, firmware version, ink levels, and network configurations; upload custom firmware files; access the remote operator panel; modify various settings; set PINs and passwords; create alerts and alarms, restore printers to factory default settings; and erase the printers’ memory and hard disks, among other options. The NJCCIC recommends organizations using internet-enabled printers isolate them from the public internet, create new login credentials if none exist or change the default password to the administrative control panel, close all unnecessary ports and services, whitelist IP addresses/IP subnets or require a VPN to access the local network, and keep all firmware updated.
Researchers at HackRead discovered a malware distribution campaign that abuses Google Adwords to appear at the top of search engine results when users search for antivirus software or the Chrome web browser. The campaign hosts the malware on a Google Sites page, a tool provided through Google’s G Suite that allows users to create collaboration and file-sharing pages. The campaign uses Google Sites to trick users into thinking they are downloading the legitimate Chrome browser installation file. If a user clicks the “Download Chrome” button, they are redirected to a Google Drive link that downloads a malicious file named ChromeSetup.exe to the user’s system. Similar scams have recently been observed targeting users of cryptocurrency exchange sites in an attempt to steal login credentials and funds from the associated accounts. The NJCCIC recommends users review the HackRead report and exercise caution when downloading files from the internet. Users can check the integrity of files by uploading them to sites such as VirusTotal, Malwr, or Metadefender that provide free online tools used to analyze files and URLs for embedded malware. Additionally, we encourage users to install a reputable ad-blocking browser extension to help mitigate this threat.
A malware campaign, dubbed “Zealot,” is currently targeting Linux and Windows servers with exploits in an attempt to install malware designed to mine the Monero cryptocurrency. The threat actors behind the campaign are using exploits for both an Apache Struts vulnerability CVE-2017-5638, the same exploit used in the Equifax hack, and a DotNetNuke (DNN) ASP.NET CMS vulnerability CVE-2017-9822 to obtain control of unpatched servers. On infected Windows machines, the attackers use two NSA exploits, EternalBlue and EternalSynergy, to move laterally in the victim’s local network and use PowerShell to download and install the malware to mine Monero. On infected Linux machines, the attackers use Python scripts, likely from the EmpireProject post-exploitation framework, and install the same malware. Based on the multi-stage infection chain and the use of advanced malware, researchers at F5 Networks believe sophisticated actors developed and are running this campaign. The NJCCIC recommends administrators of Windows and Linux servers review the F5 Networks report, ensure their systems are patched against the vulnerabilities exploited in this campaign, consider implementing a web application firewall, close all unnecessary ports on the network, and apply the Principle of Least Privilege for all user accounts.
Loapi is a new Android malware variant that appears to have evolved from the Podec Android malware. Loapi has a sophisticated modular structure and components for a variety of functions, including: mining the Monero cryptocurrency, downloading and installing additional apps, launching DDoS attacks, and injecting ads in the notification area, among others. The cryptocurrency mining function causes the device to overheat and overwork the phone’s components, causing the battery to bulge and the phone’s cover to deform. Loapi is found hidden in antivirus or adult-themed apps advertised on third-party app stores. The apps inundate users with pop-ups until the user provides it with administrative rights and allows it to uninstall legitimate antivirus apps from the device. To maintain persistence, the malware will close the Settings window if the user attempts to deactivate its administrator account and, if the user attempts to install an app that could detect the malware's presence, Loapi will display a fraudulent message on the screen claiming it detected malware and prompts the user to delete the app. Users will have to boot their device in Safe Mode to remove Loapi-infected apps. The NJCCIC recommends users and administrators of Android devices review the Securelist report on Loapi, run a reputable antivirus application on all devices, avoid downloading apps that require excessive device permissions, and refrain from downloading any apps from third-party, unofficial app stores.
Throughout 2017, a likely-Chinese threat group, dubbed “Hex-Men,” has been deploying malware to target MSSQL and MySQL databases on Windows and Linux systems. The group uses their infrastructure – which has helped them remain hidden most of the year – to scan for vulnerable systems, launch attacks, and host malware. Researchers at GuardiCore identified three main campaigns distributing previously unknown malware variants. The first targeted MSSQL databases running on Windows servers by deploying the remote access trojan (RAT) and cryptocurrency miner “Hex.” The second also targeted MSSQL databases running on Windows servers but instead used the keylogger and backdoor trojan “Taylor.” In a March campaign, the group targeted over 80,000 servers using the Taylor trojan. The third campaign scanned for vulnerable MSSQL and MySQL databases running on either Windows or Linux servers and deployed the Hanako trojan used to launch distributed denial-of-service (DDoS) attacks. The threat actors accessed vulnerable systems by configuring previously infected servers to scan a small set of IP addresses to find databases with weak login credentials. The group scanned for publicly known Azure and AWS public IP ranges in attempts to find an enterprise cloud server that stored sensitive information and was administered by an account with weak credentials. Scanning for only a small number of IPs and using infected servers to do the scanning, along with rotating their C2 servers and domains, allowed the C2 infrastructure to remain largely hidden for a significant amount of time. The NJCCIC recommends administrators of MSSQL and MySQL servers review the GuardiCore report, ensure the use of complex passwords and multi-factor authentication for database accounts, utilize a firewall to block brute-force attempts, and scan systems and networks for the indicators of compromise (IoCs) provided in the report.
In the December 22, 2016 edition of the NJCCIC Weekly Bulletin, we alerted members to a Chinese backdoor that had been discovered embedded in the Adups firmware installed on over 700 million Android-powered devices. After device manufacturers and retailers began refusing to sell the infected devices, Adups pushed a non-malicious version of the firmware to those affected. Recently, however, Malwarebytes researchers discovered a lingering malicious pre-installed Adups component within the firmware of Android devices that obtains system level privileges and can “install and/or update apps without a user’s knowledge or consent.” This component is included with firmware package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears on the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk. These cannot be removed from affected devices and FWUpgradeProvider cannot be disabled, although Malwarebytes does list a possible multi-step solution. It is important to note that FWUpgradeProvider is currently categorized by antivirus vendors as a “Potentially Unwanted Program” (PUP) or “Riskware” as it is capable of installing malicious data-stealing applications but is not capable of stealing data itself. The NJCCIC recommends all Android device users review the Malwarebytes report and determine whether or not their devices are affected. If so, users are encouraged to install a reputable antivirus application to help detect future instances of malicious file installation or consider discontinuing the use of these devices.
Captcha, a WordPress plugin initially developed by BestWebSoft but later sold to a developer named Simply WordPress, was modified with an update containing malicious code that created a backdoor to over 300,000 WordPress-powered websites. Captcha version 4.3.7 was pushed to websites that had the previous version installed and subsequently established a connection to the simplywordpress[.]net domain to download a plugin update package containing the backdoor. This backdoor created a session with user ID 1, set authentication cookies, and then deleted itself, according to a Wordfence security researcher. Once notified, the WordPress security team pushed a clean version of the plugin (4.4.5) to affected websites, which removed the backdoor. In what appears to be an ongoing campaign, the threat actor responsible for the malicious version of the Captcha plugin has been observed purchasing a number of WordPress plugins and modifying them with malicious code. The NJCCIC recommends all WordPress website administrators review the Wordfence report on the Captcha plugin as well as their analysis of this malicious campaign and verify that they have non-malicious versions of affected plugins installed.
According to statements from Facebook and Microsoft, North Korean threat actors, known as “Lazarus Group,” used fraudulent Facebook account profiles to masquerade as other people and develop relationships with potential targets. These relationships may have helped the threat actors dupe targets into installing malware on their systems. Facebook and Microsoft, along with other entities in the security community, worked together to disrupt the Lazarus Group’s activities by deleting accounts suspected to be operated by the group. Additionally, Facebook contacted users who may have communicated with the fraudulent accounts and provided suggestions designed to enhance their accounts’ security. The NJCCIC recommends all social media users exercise caution when forming personal relationships through the platforms and avoid divulging sensitive personal or financial information. Additionally, be suspicious of any unexpected or unsolicited links sent or posted via social media, even if they are from those you believe you know, and tighten privacy and security settings on all accounts, enabling multi-factor authentication where available.
The Mozilla Corporation, the organization responsible for the development of the Firefox web browser and other open-source tools, angered Firefox users by forcibly installing a promotional extension into their web browsers without their knowledge or permission. This Firefox extension, named Looking Glass, was designed to promote the season three finale of the Mr. Robot television series and Mozilla described it as “a shared experience to further your immersion into the Mr. Robot universe, also known as an Alternate Reality Game (ARG).” However, instead of allowing Firefox users to decide for themselves whether or not they wanted to add Looking Glass, Mozilla automatically installed the extension on browsers that had the Firefox Studies option enabled within the Privacy & Security setting menu. This resulted in confusion for Firefox users as the extension’s description was vague and initially just included the words, “MY REALITY IS JUST DIFFERENT THAN YOURS,” leading many to believe they had become infected with malware. After receiving pushback from users, Mozilla admitted its role in the promotional stunt and moved the Looking Glass extension into the Firefox add-on store, making its source code available for review on GitHub. Although this extension did not put user data at risk and did not contain malware, this incident highlights the need for software users to remain vigilant even when using products from companies that were previously considered to be reputable and privacy-conscious. The NJCCIC recommends all browser users regularly review installed extensions to ensure that only those they have previously authorized are installed. 
Additionally, the NJCCIC recommends Firefox users disable the following browser options to prevent further abuse of Firefox Studies by Mozilla: “Allow Firefox to send technical and interaction data to Mozilla” and “Allow Firefox to install and run studies.” Users can locate these options in their Firefox browsers by visiting Tools > Options > Privacy & Security and scrolling down to the “Firefox Data Collection and Use” section of the page.
The NJCCIC has been alerted to a new profit-motivated brute-force attack currently targeting WordPress-powered websites. This attack attempts to compromise administrator login credentials to gain access to vulnerable websites and embed malware designed to mine the cryptocurrency Monero and generate profit for the attacker(s).
Beginning December 18, at approximately 10pm EST, WordPress security plugin developer, Wordfence, detected the start of a large distributed brute-force attack targeting WordPress-powered websites and attempting to gain access to administrator accounts using weak, default, or compromised credentials. This attack originates from a large number of IP addresses, suggesting that a botnet is being used in this campaign. Each IP address was also observed generating a large number of attacks on each target, peaking at approximately 14.1 million attacks per hour against nearly 190,000 WordPress sites. Analysis conducted by Wordfence on one victim’s server revealed an excessive consumption of CPU resources resulting from “long-running Apache processes” and thousands of outgoing connections from the impacted server to port 80 on other servers. Additionally, the botnet appears to be controlled via an IRC server operating over ports 8080 and 9090. The malware used in this sophisticated campaign runs as a regular user account and deletes itself from the infected system’s hard disk, maintaining persistence by installing itself as a cron job, and is scheduled to run every second. Some malware samples contained XMRig, software developed to mine the cryptocurrency Monero by utilizing a system’s CPU. With the price of cryptocurrency rising, profit-motivated hackers have recently been conducting campaigns designed to steal system and network resources of unsuspecting victims for financial gain. Monero, in particular, has gained popularity among cyber criminals due to its privacy features, which significantly reduce law enforcement’s ability to trace transactions to a particular source or destination.
This activity has not yet been attributed to any particular threat actor or Advanced Persistent Threat (APT) group.
For more information on this threat, including Indicators of Compromise (IoCs), please review the following open-source Wordfence reports:
- Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC
- Massive Cryptomining Campaign Targeting WordPress Sites
The NJCCIC has not received any reports of this attack being conducted against websites operated by New Jersey organizations; however, all administrators of WordPress-powered websites are encouraged to review the Wordfence reports listed above as soon as possible and take appropriate steps to mitigate this threat. If your organization experiences or suspects attacks associated with this threat, please report the incident to the NJCCIC via the Cyber Incident Report form on our website.
- Change WordPress administrator account login credentials immediately and ensure all login credentials are unique and complex.
- Use multi-factor authentication on all active accounts and delete unused accounts to reduce your attack surface.
- Implement server-level controls and a reputable firewall to block brute-force attacks while also proactively blacklisting known malicious IP addresses.
- Implement audit logging for privileged accounts and configure alerts to notify you of successful and unsuccessful login attempts.
- Monitor server resources to verify that CPU usage remains within normal levels.
If compromised, act quickly to contain and eradicate the threat to prevent damage to your site, server, and the reputation of your brand and IP address.
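The audit-logging and alerting recommendation above can be put into practice with a small log-analysis script. The following Python example is added here for illustration; it is not Wordfence's or WordPress's code. It parses Apache "combined" access log lines (the sample lines are constructed, using documentation IP ranges) and flags any client that POSTs to /wp-login.php more than a threshold number of times inside a sliding window. It relies on the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful login answers with a 302 redirect, so a redirect following a burst of 200s from the same client is the event most worth an immediate alert. The window and threshold values are assumptions to be tuned against a site's own baseline.

```python
"""Flag brute-force login bursts against wp-login.php in Apache combined logs.

Added example for this bulletin; not Wordfence's or WordPress's own code.
Log lines are constructed; window and threshold are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample: 203.0.113.7 fails six times then gets a redirect (login
# accepted); 198.51.100.20 is a legitimate admin logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2017:22:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:22:00:08 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Dec/2017:22:00:05 -0500] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Dec/2017:22:00:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Turn raw log text into a list of request dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],   # drop query string
            "status": int(m["status"]),
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return {ip: summary} for clients with >= threshold login POSTs inside any window.

    summary has the total attempts, how many failed (HTTP 200 re-render) and
    whether a 302 redirect (login accepted) was seen from that client.
    """
    attempts = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            attempts[e["ip"]].append(e)

    findings = {}
    for ip, evs in attempts.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "attempts": len(evs),
                    "failed": sum(1 for e in evs if e["status"] == 200),
                    "redirect_seen": any(e["status"] == 302 for e in evs),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        severity = "HIGH (redirect after failures)" if summary["redirect_seen"] else "MEDIUM"
        print(f"{ip}: {summary} -> {severity}")
```

A `redirect_seen` result for a flagged client is the case to act on first, since it indicates the guessing may have succeeded and the credential change and malware hunt described above should follow immediately; the legitimate single login stays below the threshold and is not reported.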
Please do not hesitate to contact the NJCCIC at firstname.lastname@example.org with any questions.
The NJCCIC has been alerted to a new malware variant designed to specifically target Schneider Electric Triconex Safety Instrumented System (SIS) controllers that are used to ensure industrial equipment, often employed by critical infrastructure sector members, is operating safely.
Cybersecurity firm, Mandiant, a FireEye company, discovered a new malware variant designed to specifically target Triconex Safety Instrumented System (SIS) controllers. The malware, dubbed TRITON, was deployed at an undisclosed critical infrastructure organization after a threat actor gained remote access to a SIS engineering workstation in an effort to reprogram the SIS controllers. This incident caused some SIS controllers to enter a failed safe state, resulting in the automatic shutdown of the associated industrial process.
TRITON malware mimics the legitimate Triconex SIS controller management software for Windows workstations and has the capability to read and write programs, read and write individual functions, and query the state of a SIS controller. TRITON is also capable of communicating with Triconex SIS controllers, sending commands such as halt or read memory content, and reprogramming them with an attacker-defined payload. If the targeted controller fails, TRITON attempts to return it to a running state. If the controller is unable to recover within a specific timeframe, the malware overwrites itself with invalid data to evade detection and analysis. As SIS controllers are designed to read data from industrial equipment to ensure machinery is functioning properly, any compromise to these systems has the potential to cause physical damage and disrupt operations.
This activity has not yet been attributed to any particular threat actor or Advanced Persistent Threat (APT) group; however, FireEye assesses with moderate confidence that the actor or group behind the TRITON campaign is sponsored by a nation state.
For more information on this threat, including Indicators of Compromise (IoCs), please review the following open-source FireEye report:
- Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
The NJCCIC has not received any reports of threat actors attempting to conduct this attack against New Jersey organizations or sectors; however, all Critical Infrastructure Sector members, especially those who use Schneider Electric Triconex Safety Instrumented System Controllers, should review the FireEye report as soon as possible and educate management, security teams, network administrators, and industrial control system operators about this threat. If your organization experiences or suspects attacks associated with this threat, please contact your local FBI field office immediately and report the incident to the NJCCIC via the Cyber Incident Report form on our website.
- Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
- Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
- Implement change management procedures for changes to key position. Audit current key state regularly.
- Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
- Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
- Monitor ICS network traffic for unexpected communication flows and other anomalous activity.
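The segregation, unidirectional-gateway and traffic-monitoring recommendations above can be combined into one flow-audit check. The following Python example is added here for illustration; it is not FireEye's, Schneider Electric's or the NJCCIC's code. It encodes the policy that only named engineering workstations may open connections into the safety-system (SIS) network and that data leaves that network only through the unidirectional gateway, then compares observed flows against both that policy and a baseline learned from a known-good period, so that a flow that is policy-compliant but never seen before is still surfaced for review. All addresses, host roles and flow records are constructed.

```python
"""Audit network flows touching a safety-system (SIS) segment.

Added example for this bulletin; not vendor code. Ranges, roles and flows are
constructed to match the segregation guidance above.
"""
import ipaddress

SIS_NET = ipaddress.ip_network("10.10.30.0/24")                    # constructed: SIS controllers
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.20.5")}    # constructed: may program SIS
UNIDIRECTIONAL_GATEWAY = ipaddress.ip_address("10.10.30.250")      # constructed: SIS-side of data diode


def touches_sis(src, dst):
    return ipaddress.ip_address(src) in SIS_NET or ipaddress.ip_address(dst) in SIS_NET


def flow_violation(src, dst):
    """Return a reason string if the flow breaks SIS segregation policy, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in, dst_in = s in SIS_NET, d in SIS_NET
    if src_in and dst_in:
        return None                      # controller-to-controller traffic stays inside the segment
    if dst_in:
        if s in ENGINEERING_WORKSTATIONS:
            return None                  # authorized engineering workstation
        return f"inbound flow to SIS host {d} from non-engineering host {s}"
    if src_in:
        if s == UNIDIRECTIONAL_GATEWAY:
            return None                  # only the gateway may push data outward
        return f"outbound flow from SIS host {s} to {d} bypasses the unidirectional gateway"
    return None                          # flow does not touch the SIS segment


def learn_baseline(flows):
    """Record (src, dst) pairs observed during a known-good period."""
    return {(src, dst) for src, dst in flows}


def audit_flows(flows, baseline):
    """Return alert strings for policy violations and for never-before-seen SIS flows."""
    alerts = []
    for src, dst in flows:
        reason = flow_violation(src, dst)
        if reason:
            alerts.append(f"POLICY: {reason}")
        elif touches_sis(src, dst) and (src, dst) not in baseline:
            alerts.append(f"NEW FLOW: {src} -> {dst} not seen in baseline")
    return alerts


# Constructed baseline: workstation programs controller .11; gateway feeds historian 10.10.40.8.
BASELINE_FLOWS = [("10.10.20.5", "10.10.30.11"), ("10.10.30.250", "10.10.40.8")]

# Constructed observation window with three conditions worth reviewing.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("10.10.50.77", "10.10.30.11"),   # business-network host reaching a controller
    ("10.10.20.5", "10.10.30.12"),    # authorized workstation, but a controller it never touched before
    ("10.10.30.11", "10.10.40.8"),    # controller talking directly to the historian
    ("10.10.50.1", "10.10.50.2"),     # unrelated traffic, ignored
]

if __name__ == "__main__":
    for alert in audit_flows(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

In production the flow records would come from a span port or flow collector on the ICS network rather than a list, and the baseline would be learned during a documented period with the controller key switches out of PROGRAM mode, so that anything appearing later is by definition a change to investigate.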
Please do not hesitate to contact the NJCCIC at email@example.com with any questions.