Researchers at Trustwave discovered a vulnerability that exists in the Electron software framework used in desktop applications for Microsoft Skype and Visual Studio Code, Slack, Brave browser, Signal, Twitch, and many more. Successful exploitation of CVE-2018-1000136 could allow a threat actor to perform remote code execution on vulnerable versions of Electron. The vulnerability takes advantage of the nodeIntegration option found within the WebPreferences configuration file of Electron-based apps. By exploiting a cross-site scripting (XSS) vulnerability, a threat actor could create a new WebView window in the Electron-based app and, by setting the NodeIntegration flag equal to “true,” gain access to operating system features. The flaw was reported to the Electron team and patches were released for vulnerable versions of the framework, versions prior to 1.7.13, 1.8.4, or 2.0.0-beta.3. The NJCCIC recommends all users of Electron-based apps review the Trustwave blogfor more information and apply the necessary updates for vulnerable applications as soon as possible.
Vulnerabilities in OpenPGP and S/MIME Could Reveal Email Content
Security researchers have discovered critical vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. Successful exploitation of the vulnerabilities, dubbed “EFAIL,” could allow threat actors to decrypt sent or received email messages, revealing the plaintext, readable content. The vulnerabilities may be exploited via a CBC/CFB gadget attack or an HTML exfiltration attack. The NJCCIC recommends those using OpenPGP and S/MIME for email encryption review the EFAIL report and the CERT/CC Vulnerability Note, disable the viewing of HTML email to eliminate the primary way of exploiting the flaws, and apply patches if and when they become available.
Cryptocurrency-Mining Malware Infects 500,000 Machines
Qihoo 360 Total Security researchers discovered a new cryptocurrency-mining malware that crashes the system if a user attempts to remove its mining process. Dubbed WinstarNssmMiner, the malware has been leveraged in over half a million attacks in the past three days alone. Once executed, the malware creates two processes on the infected device, a mining function using the XMRig Monero miner and another process used for detecting antivirus products. If the malware detects a reputable antivirus solution, it will stop the infection attempt. The NJCCIC recommends all users review the Qihoo 360 Total Security blog for more information. Additionally, install a reputable antivirus/ antimalware solution on all systems to protect against this and similar threats.
DDoS Attacks Bypassing Mitigation Solutions via the UPnP Protocol
Threat actors are circumventing DDoS (distributed denial-of-service) mitigation solutions by taking advantage of the Universal Plug and Play (UPnP) protocol to mask the source port of packets sent during a DDoS flood attack, according to DDoS mitigation firm Imperva. These attacks hide their source IPs using UPnP and then leverage DNS and NTP protocols during the DDoS flood. The NJCCIC recommends reviewing the Imperva report and disabling UPnP support for networks not using the feature.
Vega Stealer Malware Targets User Credentials and Credit Card Numbers
A new malware campaign is targeting Google Chrome and Mozilla Firefox browsers to steal credentials and other sensitive data, according to researchers at Proofpoint. Dubbed “Vega Stealer,” the malware is being spread via phishing emails targeting marketing, advertising, public relations, retail, and manufacturing companies. Attached to the email is a word document containing malicious macros that, when enabled, download the Vega Stealer malware. Once the system is infected, the malware steals passwords, saved credit card data, autofill profile information, cookies from Chrome, and specific passwords and keys from Firefox. Additionally, Vega Stealer can take a screenshot of the victim’s system and search for files on the system that end in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdfand, if found, send these files to the threat actor’s Command and Control (C2) server. Proofpoint believes that this campaign could be connected to the same threat actors behind the Ursnif banking Trojan. The NJCCIC recommends Chrome and Firefox users and administrators review the Proofpoint report and educate end users about this and similar threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.
Kitty Malware Infecting Vulnerable Drupal Sites
A new malware targeting vulnerable Drupal sites is installing a cryptocurrency-miner and a PHP backdoor onto compromised servers. Dubbed “Kitty” by security researchers from Imperva, the malware exploits the Drupalgeddon2 vulnerability in Drupal sites that allows a remote attacker to execute malicious code. Once an attacker gains access to the server, the popular XMRig Monero miner is installed and begins using the compromised server’s resources to mine the cryptocurrency. Along with the cryptocurrency-miner, a backdoor is installed, and the threat actor creates a time-based job scheduler that re-downloads the malicious script every minute. This process allows the malware to re-infect a server even if updates are attempted. The NJCCIC recommends all Drupal site owners and administrators review the Imperva security blog for more information, ensure all Drupal sites are up-to-date with the most recent patches, run a full system scan, and follow the recovery instructions, if necessary. Additionally, monitor network activity for anomalies indicative of cryptocurrency-mining activity. End users are encouraged to use web browsers that proactively block cryptocurrency-mining scripts or install a reputable ad-blocking, script-blocking, and coin-blocking extension in their current browser.
Office 365 Zero-Day
A zero-day vulnerability has been discovered in Office 365 that could allow a threat actor to successfully send a malicious email to a victim without being detected by email security systems. Dubbed baseStriker, the vulnerability can be exploited by disguising a malicious link within code using the “< base > HTML tag.” Due to an email filter handling issue, Office 365 security systems fail to render these URLs correctly before scanning, preventing the system from detecting a malicious link and allowing these emails to be delivered to end users. Threat actors have been exploiting this vulnerability through phishing attacks, but researchers believe the flaw could be used to distribute ransomware, malware, or other malicious content. BaseStriker affects all Office 365 configurations and there are currently no patches to address the vulnerability. The NJCCIC recommends all users and administrators of Office 365 review the Avanan report on baseStriker, enable multi-factor authentication, and apply necessary patches if and when they become available. The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links delivered in unexpected or unsolicited emails, especially to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action.
KRACK Wi-Fi Vulnerability Affects BD Medical Devices
Becton, Dickinson and Company (BD) released a security bulletin detailing how their medical devices can be affected by the Key Reinstallation Attack (KRACK) flaw, a vulnerability in the Wi-Fi Protected Access II (WPA2) protocol used to secure modern Wi-Fi networks. A threat actor within range of the affected Wi-Fi network could conduct Man-in-the-Middle (MitM) attacks, exfiltrate data, and change patient records. BD has released patches for some of its vulnerable devices and will release additional patches for the remaining devices. The NJCCIC recommends all users and administrators of BD manufactured devices review the BD Product Security Bulletin for a list of affected products and the NJCCIC Vulnerability Advisory for details on the KRACK vulnerability, and apply the necessary updates as soon as they are made available.
Critical Security Flaw in Schneider Electric ICS Software
Researchers at security firm Tenable discovered a stack-based buffer overflow vulnerability in a popular industrial control system software that could potentially be exploited to shut down power plants and other critical infrastructure facilities. Receiving a severity score of 9.8 out of 10, the vulnerability affects Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition 2017 products, both designed to automate components of a power plant or manufacturing unit. Successful exploitation of this vulnerability could allow a remote, unauthenticated threat actor to execute code with elevated privileges and take control of the affected system. Schneider Electric has released an update to patch the critical vulnerability. The NJCCIC recommends all users and administrators of InduSoft Web Studio and InTouch Machine Edition 2017 versions 8.1 and prior review the Schneider Electric Security Bulletin for more information and apply the necessary update as soon as possible. For more information on cyber risk to critical infrastructure, please read the NJCCIC Threat Analysis Addressing Vulnerabilities in Critical Infrastructure.
Oracle WebLogic
On April 17, Oracle released its April 2018 Critical Patch Update (CPU), patching a vulnerability, CVE-2018-2628, in the WLS core component for versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware), a Java EE application server. Successful exploitation of this vulnerability could allow threat actors to execute remote code without authenticating to the system. A day later, a researcher who discovered the vulnerability published a blog post detailing how the vulnerability works. Shortly thereafter, proof-of-concept (PoC) code was posted to GitHub that could be used to exploit the vulnerability. Almost instantly, there was a spike in scans for port 7001, the port used by vulnerable WebLogic “T3” servers and threat actors began infecting vulnerable servers with malware. Furthermore, an Alibaba Cloud engineer discovered that the patch provided for CVE-2018-2628 can be bypassed, leaving even patched systems vulnerable. The NJCCIC recommends all users and administrators of Oracle WebLogic servers review the CPU security advisory for more details and, until a complete patch is released by Oracle, block incoming connections on port 7001 for affected servers.
Gold Galleon Threat Group Targets Maritime with BEC Scheme
A threat group operating out of Nigeria, dubbed “Gold Galleon,” is targeting the global maritime shipping industry with a business email compromise (BEC) campaign – a type of social engineering scheme. The campaign involves sending targets fraudulent invoices and financial documents, using a combination of malware and social engineering techniques to steal corporate email account credentials and use these accounts to send fake payment requests and steal millions of dollars. Researchers estimate Gold Galleon attempted to steal $3.9 million between June 2017 and January 2018 alone. The maritime industry is a particularly attractive target given the amount of international business and financial transactions and communications that commonly occurs. Poor cybersecurity protections also allow threat actors to be successful even when employing unsophisticated tactics and off-the-shelf tools. The NJCCIC recommends all users and administrators in the maritime industry review the Secureworks report on Gold Galleon and organizations from all industries are encouraged to educate end users on the threat of BEC and similar social engineering schemes, implement account security features such as multi-factor authentication, observe strict wire transfer policies, and verify vendors and clients prior to conducting financial transactions. Organizations are also encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and keep hardware and software up-to-date.
Russian APT Group Fancy Bear (APT28) Distributes Malicious Versions of LoJack Software
Researchers at Arbor Networks detected modified versions of legitimate LoJack applications that appear to be associated with the Russian APT Group Fancy Bear, also tracked as APT28 and Sofacy. LoJack software is used by organizations and individuals to track and locate devices in the case of theft and, by default, comes with a built-in persistence system. The altered versions contain minor modifications in the application’s binary which enable connections to remote C2 domains believed to be associated with Fancy Bear operations. Because the alterations are minor, many antivirus systems do not detect the affected software versions. Although distribution methods are currently unknown, the malicious LoJack applications are likely distributed via spear-phishing emails crafted to trick recipients into downloading and installing LoJack. The NJCCIC recommends network administrators review the Arbor Networks report and scan their networks for associated IoCs. We also strongly recommend that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.
PoC Code Can Crash a Windows System Via a USB Drive
Proof-of-concept (PoC) code was published on GitHub that can be used to crash most Windows operating systems in seconds by exploiting a vulnerability in Microsoft’s handling of NTFS (New Technology File System) images. Placing a malformed NTFS image on a USB drive and plugging it into a targeted Windows system, including those in locked mode, will crash the system and result in the Blue Screen of Death. Even systems with auto-play disabled for removable media will crash when Windows Defender scans the USB drive. The researcher also claims the code could be delivered through malware. While the code works on most Windows operating systems, the vulnerability it exploits appears to be fixed for the most recent Windows 10 release. Because of these risks, the NJCCIC recommends organizations minimize, or possibly eliminate, the use of USB devices and similar removable media. To defend against malware, organizations are encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, establish strong identity and access management controls, including multi-factor authentication, and keep hardware and software up-to-date.
FacexWorm Malware Spreading via Facebook Messenger
Trend Micro researchers have discovered a new malware variant spreading to Facebook users. Dubbed FacexWorm, the malware is distributed via a malicious link in a Facebook Messenger chat. If clicked, the link redirects users to a fake YouTube page where they are instructed to install a YouTube-themed Chrome extension in their browser. When downloaded, the extension conducts a number of malicious activities. The malware can steal login credentials when the user accesses certain sites and sends those credentials to C2 servers controlled by the threat actor. If the victim accesses any of the 52 cryptocurrency-related sites hardcoded into the extension, they are redirected to a web page that asks them to verify their account by sending Ether cryptocurrency to an account controlled by the threat actor. If any transactions are performed on these sites, FacexWorm can replace the recipient’s cryptocurrency wallet address with one linked to the threat actor. The extension also injects an obfuscated Coinhive script onto the infected system, using the system’s CPU resources to mine cryptocurrency. This campaign is perpetuated by using the compromised user’s Facebook account to send their friends the same malicious link via Facebook Messenger. The NJCCIC recommends Facebook users review the Trend Micro report and exercise increased caution when using social media platforms and avoid clicking on links in unexpected messages until their legitimacy has been verified by the message sender. Additionally, we recommend users and administrators install browser extensions directly from official browser stores, run updated antivirus software, proactively block outbound connections to the domains coinhive[.]com and coin-hive[.]com, and monitor network activity for anomalies that indicate cryptocurrency-mining activity.
Remote Code Execution Vulnerability in Drupal Exploited in the Wild
Just over a week after threat actors began exploiting a critical Drupal vulnerability, dubbed “Drupalgeddon2,” a separate critical vulnerability (CVE-2018-7602) in Drupal was disclosed by the Drupal CMS team on April 25 and then exploited just five hours later. Successful exploitation of this vulnerability could allow a remote threat actor to execute code and take complete control of the compromised site. Drupal Core versions prior to 7.59, 8.5.3, and 8.4.8 are affected; there are at least 2,700 Drupal-powered sites hosted in New Jersey that may be vulnerable if left unpatched. The NJCCIC recommends all Drupal site owners and administrators review the Drupal Core Security Advisory and update their sites to version 7.5.9 or 8.5.3 as soon as possible. Although Drupal 8.4.x versions are no longer supported by Drupal, version 8.4.8 was released to address the vulnerability.
Cisco WebVPN
A vulnerability found in the Login screen of the Clientless SSL VPN (WebVPN) portal of the Cisco Adaptive Security Appliance (ASA) could allow a threat actor to conduct a cross-site scripting (XSS) attack. Due to inadequate user validation, a threat actor can exploit CVE-2018-0242 to execute arbitrary code or access sensitive browser-based information. There is currently no workaround to address the flaw. The NJCCIC recommends all users and administrators of Cisco ASA software review the Cisco Security Advisory, visit the Cisco bug ID page for information on affected software releases, and apply the patch or workaround if/when it becomes available.
Stresspaint Malware
Researchers at Radware discovered a trojan inside the free Windows application “Relieve Stress Paint.” Dubbed “Stresspaint,” the malware is distributed via Facebook and email spam messages directing users to аоӏ[.]net, a website domain impersonating the real aol[.]net by using Unicode characters. When converted to punycode, the website domain actually spells out 80a2a18a[.]net. If a user downloads the application from this site, they receive a legitimate drawing tool; however, the app also runs malicious files in the background, allowing the malware to set a Windows registry key that executes a .exe file every time the device boots to maintain persistence. The malware collects details on the user’s Facebook account, Chrome login data and session cookies, and their Globally Unique Identifier (GUI), and sends this information to the threat actor’s C2 server. The NJCCIC recommends users review the BleepingComputer article, verify the URL of websites they visit to ensure their legitimacy, avoid downloading applications and other software from third-party sites, and run an up-to-date antivirus solution on all devices.
Moxa EDR-810 Industrial Secure Routers
Carlos Pacho of Cisco Talos discovered several vulnerabilities that exist in the Moxa EDR-810 industrial secure router used for remote management of critical infrastructure systems. The flaws – which include weak cryptography, passwords stored in plaintext, denial-of-service vulnerabilities, and an exploitable command injection – could be leveraged by threat actors to escalate privileges, intercept administrative account credentials, render the server offline, or gain complete control over the target device. Moxa EDR-810 V4.1 build 17030317 is impacted by the disclosed vulnerabilities; however, previous versions may also be affected. The NJCCIC recommends users and administrators of Moxa EDR-810 industrial secure routers update to firmware version V4.2 Build 18041013 as soon as possible.
Foscam IP Camera Vulnerability
Cisco Talos disclosed a vulnerability found in the Foscam C1 Indoor HD Camera, a network-based camera commonly used as a home security monitoring device. Successful exploitation of the vulnerability CVE-2017-2871 could allow a threat actor to gain complete control of the device through an unsecured Trivial File Transfer Protocol (TFTP) server used for firmware updates. A threat actor can leverage these TFTP servers to perform a custom firmware upgrade on the device without authenticating. US-CERT recently published an advisory on state-sponsored cyber actors targeting similar networking infrastructure devices and how they are using TFTP to discover information about these devices. The NJCCIC recommends users and administrators of Foscam products review the Cisco Talos report for more information and visit the Foscam support page to update the firmware of affected Foscam cameras as soon as possible. Users are encouraged to keep firmware for all IoT devices updated with the latest patches.
Drupalgeddon2
Vulnerability CVE-2018-7600 discovered in March by the Drupal CMS team, dubbed “Drupalgeddon2,” is being exploited by threat actors who are using the flaw to infect servers with backdoor scripts and cryptocurrency-mining software. In early April, a Russian security researcher published proof-of-concept (PoC) code for the vulnerability, sparking scans for vulnerable sites within hours of publication. Information security researchers have also reported that botnets controlled by criminal groups are exploiting the vulnerability. There are at least 3,300 Drupal-powered sites hosted in New Jersey. Site administrators are advised to ensure they are running patched version 7.58 or 8.5.1. The NJCCIC recommends all Drupal site owners and administrators review the Drupal Core highly critical public service announcement and follow the recovery instructions if necessary, review the previous NJCCIC advisory on Drupalgeddon2, and update their sites to the most recent patched version immediately.