Citrix flaw remains critical




NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Tel: +44 1865 843239
Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
Publishing Director: Sarah Jenkins
Editor: Steve Mansfield-Devine
E-mail: [email protected]
Senior Editor: Sarah Gordon
Columnists: Ian Goslin, Karen Renaud, Dave Spence, Colin Tankard
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact





Network Security

February 2020

...Continued from front page

are working under the assumption that the entire domain is compromised. The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.” According to the publication: “Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached.” Although there are no details as to what data was compromised, the article says the internal report “implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders”.

The intrusions affected an estimated 42 servers in three locations: the UN Office in Vienna, the UN Office in Geneva, and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters, also in Geneva. The intrusions compromised core infrastructure systems, including user and password management and firewalls. Staff were told to change their passwords but were not informed about the breach, nor that there was the potential that personal data had been put at risk. One claim suggested that as much as 400GB of data had been exfiltrated from the servers, possibly including staff records, health insurance and commercial contract data, although the UN claimed that no important data was accessed.

“Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information,” said a UN statement. “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.”

The internal report, dated 20 September 2019, suggests the breaches occurred two months earlier. The entry point seems to have been a known vulnerability in Microsoft SharePoint (CVE-2019-0604). A patch had been available for months before the breach but the UN had not applied it to the breached systems. Widely available exploits for this vulnerability allow attackers to bypass authentication and perform system-level commands. It seems that the Vienna network was breached first and the attackers used that to pivot to the other systems.

Once the story broke, spokesperson Stéphane Dujarric admitted that: “The attack resulted in a compromise of core infrastructure components,” and “was determined to be serious”. However, the internal report used phrases such as “major meltdown” and “counting our casualties”. The report by The New Humanitarian is here: http://bit.ly/2H8CEEe.

Meanwhile, the UN has come in for a targeted phishing campaign. Malicious emails were sent to 600 staffers across the organisation, purporting to come from the Permanent Mission of Norway, which represents the country at the UN headquarters in New York. The emails claimed there was an issue with an attached agreement document. According to security firm Cofense, the attachment was a Word document with malicious macros capable of downloading the Emotet malware.

Citrix flaw remains critical

The critical vulnerability affecting the Citrix Application Delivery Controller (ADC) and Gateway (CVE-2019-19781) is still a major cause for concern even though the flaw has been patched.

According to Positive Technologies, the security company that revealed the issue, more than six weeks after the threat became public knowledge, nearly one in five (19%) of organisations has yet to implement the patches. That represents around 15,000 organisations that are still at risk. And the flaw is under active attack in the wild.

Some system administrators may find that the flaw has already been patched for them – by hackers. According to FireEye, a hacking group dubbed NotRobin is bundling mitigation code with its exploits. This allows them to install malware, such as backdoors, on a vulnerable system, then close off the vulnerability so that it can’t be used by other cyber criminals. “The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked,” the FireEye report explains. “However, when the actor provides the hardcoded key during subsequent exploitation, NotRobin does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.” The FireEye report is here: http://bit.ly/2OI0oDx.

FireEye also said there have been reports of attackers exploiting the flaw to install the Ragnarok ransomware and cryptomining malware. “Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point,” the firm said.

FireEye has worked with Citrix to develop a scanner that can detect compromised appliances. This is based on indicators of compromise gathered during incident response engagements. “The goal of the scanner is to analyse available log sources and system forensic artefacts to identify evidence of successful exploitation of CVE-2019-19781,” Citrix said. “There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a system is free of compromise.” The tool is available on GitHub here: https://github.com/citrix/ioc-scanner-CVE-2019-19781. The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Defense, has also released details on how to detect vulnerable systems. The details are here: www.us-cert.gov/ncas/alerts/aa20-031a.

NSA finds major Windows bug

Microsoft has patched a major flaw in the CryptoAPI functionality of Windows 10 and Server 2016. But aside from the serious nature of the vulnerability, what makes this bug interesting is that the firm was alerted to it by the US National Security Agency (NSA).

The NSA has gained a certain notoriety for keeping details of exploitable software flaws to itself, so that it can exploit them for its own intelligence-gathering operations. In this instance, however, the agency seems to have regarded the vulnerability as so serious that it was critical that Microsoft fixed it. The bug has been dubbed ‘CurveBall’ and proof-of-concept exploits were released by security researchers within 24 hours of the announcement.

The vulnerability (CVE-2020-0601) allows attackers to disguise malware as legitimate, signed software as well as spoofing X.509 certificate chains for other forms of attack. This could allow for the interception and modification of TLS-encrypted communications, such as web sessions. And, by bypassing authentication, it could allow for remote code execution. According to the NSA: “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” There’s more information here: http://bit.ly/2UGlK80 and here: http://bit.ly/2OF3W9K.

Threatwatch

Emotet wifi attack

The infamous Emotet trojan now has a new worm-like module that allows the malware to spread via insecure wifi networks, according to researchers at Binary Defense. Once established on a wifi-enabled computer, this new strain uses calls to wlanAPI.dll in an attempt to discover nearby wireless networks. If these are password protected, it will attempt to brute force a connection. Once on the wifi network, the malware looks for other Windows machines with non-hidden shares, scans for all users on those devices and tries to brute force its way into administrator accounts. If successful, it installs a service called ‘Windows Defender System Service’ to achieve persistence on the system. There’s more information here: http://bit.ly/2urMdf6.

Motherboard flaw

A long-deprecated driver for old versions of Gigabyte PC motherboards is being exploited by attackers to hijack Windows systems, disable anti-malware defences and install ransomware. Sophos discovered the read-write flaw – which it has dubbed RobbinHood – in a driver that Gigabyte stopped shipping and supporting some time ago but which still has a valid cryptographic signature. By using the driver as a vector, anti-malware systems ignore the malware because it appears legitimate. The attackers then use this approach to load a second, unsigned driver that enables the ransomware. The flaw affects Windows 7, 8 and 10 machines. There’s more information here: http://bit.ly/2UDk3s9.

ICS ransomware

A new strain of ransomware has features designed specifically to attack organisations running industrial control system (ICS) devices, according to security firm Dragos. Although it mostly functions like any other ransomware – encrypting files and displaying a ransom message – it also comes with a ‘kill list’ of ICS-specific processes that it attempts to shut down. These include processes relating to ICS products such as GE’s Proficy data historian, the GE Fanuc licensing server, Honeywell’s HMIWeb application and the ThingWorx Industrial Connectivity Suite, as well as a number of other remote monitoring and licensing server solutions. Dragos describes the malware as primitive, but warns that it still represents “specific and unique risks and cost-imposition scenarios for industrial environments”. There’s more information here: http://bit.ly/31GJ9b4.

TrickBot UAC evasion

The TrickBot trojan has adopted a new way of bypassing Windows 10 User Account Control (UAC) mechanisms so that it can be installed with no user warnings. Now, when the malware is being installed on a PC, it checks to see if the OS is Windows 7 or Windows 10. If the former, it uses the existing CMSTPLUA UAC bypass method. If Windows 10, it makes use of the fodhelper.exe program – a trusted binary in the Windows system that is used to execute code with administrator privileges. The ability to exploit this part of the OS to bypass UAC was discovered back in 2017. There’s more information here: http://bit.ly/37c2kuo.

Metamorfo targets banks

A new version of the Metamorfo banking trojan is casting its net wider. Unlike an earlier version, which focused purely on banks in Brazil, the second strain is targeting the customers of financial institutions in multiple countries, researchers at Fortinet have warned. The firm discovered the trojan being distributed as an MSI file hidden in a Zip archive. This file is automatically executed by MsiExec.exe in Windows if a user double-clicks on the file. There is a full analysis here: http://bit.ly/38lBt0c.
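A detection check for the Emotet wifi-spreader behaviour described in the Threatwatch item, written here as an added example (it is not code from the newsletter or from Binary Defense): it flags one source failing logons against many accounts in a short window, and a service install using the reported ‘Windows Defender System Service’ name. The pipe-delimited event format, the thresholds and the sample records are constructed assumptions standing in for Windows Security event 4625 and System event 7045.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: a stand-in for Security event 4625
# (failed logon) and System event 7045 (new service installed), pipe-delimited.
SAMPLE_LOG = """\
2020-02-03T10:00:01|4625|HOST=ws01|SRC=10.0.0.7|USER=administrator
2020-02-03T10:00:02|4625|HOST=ws01|SRC=10.0.0.7|USER=admin
2020-02-03T10:00:03|4625|HOST=ws01|SRC=10.0.0.7|USER=backup
2020-02-03T10:00:04|4625|HOST=ws01|SRC=10.0.0.7|USER=helpdesk
2020-02-03T10:00:05|4625|HOST=ws01|SRC=10.0.0.7|USER=svc_sql
2020-02-03T10:01:30|4625|HOST=ws01|SRC=10.0.0.20|USER=alice
2020-02-03T10:01:45|4625|HOST=ws01|SRC=10.0.0.20|USER=alice
2020-02-03T10:03:10|7045|HOST=ws01|SVC=Windows Defender System Service
2020-02-03T11:15:00|7045|HOST=ws02|SVC=Print Spooler
"""

BRUTE_FORCE_ACCOUNTS = 5                    # distinct accounts from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)   # ... inside this window (assumed thresholds)
# Persistence name reported for the Emotet wifi module; exact, case-insensitive match is an assumption.
SUSPICIOUS_SERVICE_NAMES = {"windows defender system service"}

def parse_events(text):
    """Parse sample lines into dicts with a datetime 'time', an 'event' id and KEY=value fields."""
    events = []
    for line in text.splitlines():
        ts, event_id, *fields = line.split("|")
        rec = {"time": datetime.fromisoformat(ts), "event": event_id}
        rec.update(f.partition("=")[::2] for f in fields)   # (key, value) pairs
        events.append(rec)
    return events

def find_brute_force(events):
    """Source IP -> sorted accounts, for any source that fails logons against at least
    BRUTE_FORCE_ACCOUNTS distinct accounts within BRUTE_FORCE_WINDOW (password guessing)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "4625":
            by_src[e["SRC"]].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        for i, first in enumerate(fails):   # window anchored at each failure in turn
            window = [e for e in fails[i:] if e["time"] - first["time"] <= BRUTE_FORCE_WINDOW]
            users = {e["USER"] for e in window}
            if len(users) >= BRUTE_FORCE_ACCOUNTS:
                hits[src] = sorted(users)
                break
    return hits

def find_suspicious_services(events):
    """(host, service name) for each service install whose name matches the known indicator."""
    return [(e["HOST"], e["SVC"]) for e in events
            if e["event"] == "7045" and e["SVC"].strip().lower() in SUSPICIOUS_SERVICE_NAMES]
```

A host that appears in both results (here ws01) matches the full sequence the item describes and deserves first attention; repeated failures against a single account, as from 10.0.0.20, are not flagged.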

