- Email: [email protected]
NSA finds major Windows bug
NEWS/THREATWATCH
Threatwatch Emotet wifi attack The infamous Emotet trojan now has a new worm-like module that allows the malware to spread via insecure wifi networks, according to researchers at Binary Defense. Once established on a wifi-enabled computer, this new strain uses calls to wlanAPI.dll in an attempt to discover nearby wireless networks. If these are password protected, it will attempt to brute force a connection. Once on the wifi network, the malware looks for other Windows machines with non-hidden shares, scans for all users on those devices and tries to brute force its way into administrator accounts. If successful, it installs a service called ‘Windows Defender System Service’ to achieve persistence on the system. There’s more information here: http://bit.ly/2urMdf6. Motherboard flaw A long-deprecated driver for old versions of Gigabyte PC motherboards is being exploited by attackers to hijack Windows systems, disable anti-malware defences and install ransomware. Sophos discovered the read-write flaw – which it has dubbed RobbinHood – in a driver that Gigabyte stopped shipping and supporting some time ago but which still has a valid cryptographic signature. By using the
hardcoded key during subsequent exploitation, NotRobin does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.” The FireEye report is here: http://bit. ly/2OI0oDx. FireEye also said there have been reports of attackers exploiting the flaw to install the Ragnarok ransomware and cryptomining malware. “Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point,” the firm said. FireEye has worked with Citrix to develop a scanner that can detect compromised appliances. This is based on indicators of compromise gathered during incident response engagements. “The goal of the scanner is to analyse available log sources and system forensic artefacts to identify evidence of successful exploitation of CVE-2019-19781,” Citrix said. “There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a
February 2020
driver as a vector, anti-malware systems ignore the malware because it appears legitimate. The attackers then use this approach to load a second, unsigned driver that enables the ransomware. The flaw affects Windows 7, 8 and 10 machines. There’s more information here: http://bit.ly/2UDk3s9. ICS ransomware A new strain of ransomware has features designed specifically to attack organisations running industrial control system (ICS) devices, according to security firm Dragos. Although it mostly functions like any other ransomware – encrypting files and displaying a ransom message – it also comes with a ‘kill list’ of ICS-specific processes that it attempts to shut down. These include processes relating to ICS products such as GE’s Proficy data historian, the GE Fanuc licensing server, Honeywell’s HMIWeb application and the ThingWorx Industrial Connectivity Suite, as well as a number of other remote monitoring and licensing server solutions. Dragos describes the malware as primitive, but warns that it still represents “specific and unique risks and cost-imposition scenarios for industrial environments”. There’s more information here: http://bit.ly/31GJ9b4.
system is free of compromise.” The tool is available on GitHub here: https://github.com/citrix/ioc-scannerCVE-2019-19781. The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Defense, has also released details on how to detect vulnerable systems. The details are here: www.us-cert.gov/ncas/alerts/ aa20-031a.
NSA finds major Windows bug
M
icrosoft has patched a major flaw in the CryptoAPI functionality of Windows 10 and Server 2016. But aside from the serious nature of the vulnerability, what makes this bug interesting is that the firm was alerted to it by the US National Security Agency (NSA).
The NSA has gained a certain notoriety for keeping details of exploitable software flaws to itself, so that it can exploit them for its own intelligence-gathering operations. In this instance, however,
TrickBot UAC evasion The TrickBot trojan has adopted a new way of bypassing Windows 10 User Account Control (UAC) mechanisms so that it can be installed with no user warnings. Now, when the malware is being installed on a PC, it checks to see if the OS is Windows 7 or Windows 10. If the former, it uses the existing CMSTPLUA UAC bypass method. If Windows 10, it makes use of the fodhelper.exe program – a trusted binary in the Windows system that is used to execute code with administrator privileges. The ability to exploit this part of the OS to bypass UAC was discovered back in 2017. There’s more information here: http://bit.ly/37c2kuo. Metamorfo targets banks A new version of the Metamorfo banking trojan is casting its net wider. Unlike an earlier version, which focused purely on banks in Brazil, the second strain is targeting the customers of financial institutions in multiple countries, researchers at Fortinet have warned. The firm discovered the trojan being distributed as an MSI file hidden in a Zip archive. This file is automatically executed by MsiExec. exe in Windows if a user double-clicks on the file. There is a full analysis here: http://bit. ly/38lBt0c.
the agency seems to have regarded the vulnerability as so serious that it was critical that Microsoft fixed it. The bug has been dubbed ‘CurveBall’ and proofof-concept exploits were released by security researchers within 24 hours of the announcement. The vulnerability (CVE-2020-0601) allows attackers to disguise malware as legitimate, signed software as well as spoofing X.509 certificate chains for other forms of attack. This could allow for the interception and modification of TLSencrypted communications, such as web sessions. And, by bypassing authentication, it could allow for remote code execution. According to the NSA: “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” There’s more information here: http:// bit.ly/2UGlK80 and here: http://bit. ly/2OF3W9K.
Network Security
3
Threatwatch Emotet wifi attack The infamous Emotet trojan now has a new worm-like module that allows the malware to spread via insecure wifi networks, according to researchers at Binary Defense. Once established on a wifi-enabled computer, this new strain uses calls to wlanAPI.dll in an attempt to discover nearby wireless networks. If these are password protected, it will attempt to brute force a connection. Once on the wifi network, the malware looks for other Windows machines with non-hidden shares, scans for all users on those devices and tries to brute force its way into administrator accounts. If successful, it installs a service called ‘Windows Defender System Service’ to achieve persistence on the system. There’s more information here: http://bit.ly/2urMdf6. Motherboard flaw A long-deprecated driver for old versions of Gigabyte PC motherboards is being exploited by attackers to hijack Windows systems, disable anti-malware defences and install ransomware. Sophos discovered the read-write flaw – which it has dubbed RobbinHood – in a driver that Gigabyte stopped shipping and supporting some time ago but which still has a valid cryptographic signature. By using the
hardcoded key during subsequent exploitation, NotRobin does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.” The FireEye report is here: http://bit. ly/2OI0oDx. FireEye also said there have been reports of attackers exploiting the flaw to install the Ragnarok ransomware and cryptomining malware. “Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point,” the firm said. FireEye has worked with Citrix to develop a scanner that can detect compromised appliances. This is based on indicators of compromise gathered during incident response engagements. “The goal of the scanner is to analyse available log sources and system forensic artefacts to identify evidence of successful exploitation of CVE-2019-19781,” Citrix said. “There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a
February 2020
driver as a vector, anti-malware systems ignore the malware because it appears legitimate. The attackers then use this approach to load a second, unsigned driver that enables the ransomware. The flaw affects Windows 7, 8 and 10 machines. There’s more information here: http://bit.ly/2UDk3s9. ICS ransomware A new strain of ransomware has features designed specifically to attack organisations running industrial control system (ICS) devices, according to security firm Dragos. Although it mostly functions like any other ransomware – encrypting files and displaying a ransom message – it also comes with a ‘kill list’ of ICS-specific processes that it attempts to shut down. These include processes relating to ICS products such as GE’s Proficy data historian, the GE Fanuc licensing server, Honeywell’s HMIWeb application and the ThingWorx Industrial Connectivity Suite, as well as a number of other remote monitoring and licensing server solutions. Dragos describes the malware as primitive, but warns that it still represents “specific and unique risks and cost-imposition scenarios for industrial environments”. There’s more information here: http://bit.ly/31GJ9b4.
system is free of compromise.” The tool is available on GitHub here: https://github.com/citrix/ioc-scannerCVE-2019-19781. The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Defense, has also released details on how to detect vulnerable systems. The details are here: www.us-cert.gov/ncas/alerts/ aa20-031a.
NSA finds major Windows bug
M
icrosoft has patched a major flaw in the CryptoAPI functionality of Windows 10 and Server 2016. But aside from the serious nature of the vulnerability, what makes this bug interesting is that the firm was alerted to it by the US National Security Agency (NSA).
The NSA has gained a certain notoriety for keeping details of exploitable software flaws to itself, so that it can exploit them for its own intelligence-gathering operations. In this instance, however,
TrickBot UAC evasion The TrickBot trojan has adopted a new way of bypassing Windows 10 User Account Control (UAC) mechanisms so that it can be installed with no user warnings. Now, when the malware is being installed on a PC, it checks to see if the OS is Windows 7 or Windows 10. If the former, it uses the existing CMSTPLUA UAC bypass method. If Windows 10, it makes use of the fodhelper.exe program – a trusted binary in the Windows system that is used to execute code with administrator privileges. The ability to exploit this part of the OS to bypass UAC was discovered back in 2017. There’s more information here: http://bit.ly/37c2kuo. Metamorfo targets banks A new version of the Metamorfo banking trojan is casting its net wider. Unlike an earlier version, which focused purely on banks in Brazil, the second strain is targeting the customers of financial institutions in multiple countries, researchers at Fortinet have warned. The firm discovered the trojan being distributed as an MSI file hidden in a Zip archive. This file is automatically executed by MsiExec. exe in Windows if a user double-clicks on the file. There is a full analysis here: http://bit. ly/38lBt0c.
the agency seems to have regarded the vulnerability as so serious that it was critical that Microsoft fixed it. The bug has been dubbed ‘CurveBall’ and proofof-concept exploits were released by security researchers within 24 hours of the announcement. The vulnerability (CVE-2020-0601) allows attackers to disguise malware as legitimate, signed software as well as spoofing X.509 certificate chains for other forms of attack. This could allow for the interception and modification of TLSencrypted communications, such as web sessions. And, by bypassing authentication, it could allow for remote code execution. According to the NSA: “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” There’s more information here: http:// bit.ly/2UGlK80 and here: http://bit. ly/2OF3W9K.
Network Security
3