In the next issue you will find an article dedicated to the recent Meltdown and Spectre vulnerabilities, which are not covered in this bulletin.
DDoS attacks and Botnets
Necurs botnet now distributes ransomware
Necurs is alive and kickin’ and is distributing malware with, at least, three different campaigns as MyOnlineSecurity reports.
The first campaign is about the Scarab ransomware and is spread through emails. A bogus email has [email protected] as sender, “Scanned from HP” (or other brand) as object, the email body is blank but there’s an attachment which, obviously is the ransomware itself. Such email pretends to deliver documents scanned with a network printer.
The second campaign too is conveyed via email and is about another ransomware, Globeimposter. The sender is [email protected], a random alphanumeric string as object (ie, FL-610025 11.30.2017), and as the previous one it has no body content but an attachment.
The third campaign is similar and pretends to deliver an invoice from Amazon as an attachment. It’s not a ransomware, but a banking trojan indeed.
ProxyM botnet attacks websites
Dr.Web identified a botnet, called ProxyM, which is based on the Linux.ProxyM.1 malware and previously used for email spam campaigns (up to 400 messages per device per day).
The malware being distributed attacks Linux devices and creates a SOCKS proxy server; the attack mode has changed recently, and today ProxyM hacks websites. Infected hosts perform SQL Injection, XSS (Cross-Sie Scriptingt) and LFI (Local File Inclusion) attacks on websites like forums, game servers and generic sites, without a precise scheme. Dr.Web observed 10 to 40 thousands attacks per day.
The authors of the Mirai botnet pleaded guilty
The three 20-year-old creators of the Mirai botnet pleaded guilty: Paras Jha, Josiah White and Dalton Norman, created in the summer of 2016 the botnet responsible, among the others of unprecedented DDoS attacks to the KrebsOnSecurity website and to the infrastructures of providers like OVH and DynDNS. The latter caused issues to many websites.
Specifically, White created the Telnet scanner, Jha managed the infrastructure and the remote control features of the malware and Norman created new exploits. According to the documents of the process, punishment include 5 years of imprisonment.
Satori botnet is composed by at least 280.000 infected devices
360 Netlab identified a botnet composed by at least 280.000 infected devices.
The botnet is called Satori and is based on the infamous Mirai botnet, but it has a few differences: it doesn’t use a Telnet scanner, instead the worm directly attacks ports 37215 and 52869. The exploit used on the latter port is derived from vulnerability CVE-2014-8361 and it’s a Remote Code Execution by means of a specially crafted NewInternalClient request; it’s an issue of the Realtek SDK. The former port is exploited with a vulnerability whose specifications hasn’t been disclosed yet; it could be a zero-day as a bigger number of hosts have been infected by this vulnerability.
After the publication of the article, the authors of the botnet sent a command to bots requiring to stop any scanning activity. Actually, the activity of the two ports (see here and here) has diminished dramatically.
Andromeda botnet has been dismantled
On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners (most notably, ESET and Microsoft), dismantled Andromeda (aka Gamarue), one of the longest running malware families in existence.
Andromeda is linked to more than 80 different malwares, including the infamous Petya and Cerber ransomware that hit, on average, a million devices per month in the last six months.
A technical explanation of the functioning of Andromeda can be found in this TechNet blog post.
Zealot uses an NSA exploit to mine Monero on Linux and Windows
F5 researchers identified a spam campaign that leverages some NSA exploits to install software on Linux and Windows that mines Monero.
The network is scanned seeking sensible hosts; when found, they are attacked with exploits about Apache Struts and DotNetNuke, two web application frameworks for Java and ASP.NET respectively. If the infected machine runs Windows, the EternalBlue and EternalSynergy NSA exploits are used to move across the local network. EternalBlue has been used in the WannaCry outbreak. Then a PowerShell script downloads and runs the malware that mines Monero. A Python script is used on Linux.
This attack is described as sophisticated by researchers, and its peculiar traits include how bots communicate with C&C servers: the malware adds specific User-Agent headers and cookies according to the circumstance, therefore who tries to reach a C&C server via browser or specific tool (it, researchers), receives a different reply from the malware.
As a remediation, F5 advises to apply patches for the two vulnerabilities.
Mirai: a retrospective analysis
Its creators pleaded guilty, and now the Mirai botnet can be considered as dead, although it has some clones around.
Cloudflare published a very interesting retrospective analysis of the botnet that covers its vital cycle -from the creation to the end across the attacks to KrebsOnSecurity, OVH and DynDNS- and a detailed explanation of its functioning.
Spamhaus report on botnets is available
Spamhaus is a non-profit Swiss company in the IT security world which recently published a report on the state of botnet in 2017.
Some interesting results include the growth of the number of C&C server (Command & Control: these servers manage the operations of infected hosts in a botnet) in IoT botnet which nearly tripled with respect to the previous year and the number of IP addresses used in botnet, which grew by 32%: almost 9.500. Of these, 68% (6.500) belong to servers rented from cloud and web hosting companies: botnets are so profitable that hackers rent servers directly from inattentive providers for their operations.
The most hosted malare is Pony (a trojan that steals credentials), then different kinds of trojans, backdoors, DDoS bots and, naturally, ransomware.
As VPS and hosting account most times require a domain name, hackers have to register some: the most used domain are .com, .pw, .info and .top. NameCheap is indicated as the main registrar.
Botnet infects Linux systems via SSH to mine Monero
F5 Networks researchers identified a botnet that propagates via SSH and mines crypto-currencies. The botnet is composed by Linux host infected via SSH and vulnerable to CVE-2017-12149, a vulnerability of JBoss 5.2, a Java application server. It’s called PyCryptoMiner as the malware uses a Python (.py) script; the PasteBin service is used to host the commands of the main C&C server in case it’s unavailable. PasteBin is a service that allows to post a public code snippet that can be shared among people.
The malare then adds a Monero miner on infected hosts. As the miner is written in Python, it can pass unobserved quite easily. As a remediation, F5 advises to adopt stricter SSH security measures. JBoss 6 and 7 are not affected by the vulnerability.
Satori-based botnet mines Ethereum
In a detailed post (as they always do!) on their bog, Qihoo 360 Netlas researchers warn about a new Satori-based botnet.
Last 8th January they observed for the first time an attack aimed to hosts exposed on the NEt via port 3333, the port used by Claymore Miner, a mining software which mines Ethereum. The attack is about substituting the address of the virtual wallet of the legitim host proprietary with the one of the hackers: an infected host continues to mine crypto-currencies but the work is assigned to the hackers’ wallet.
The attack is based on port 3333 which is used by Claymore Miner to manage the EthMan.exe file, in particular it allows management operations like restarting the miner, upload files and other operations. Details of the exploit are not disclosed yet.
Because of that, the botnet has been called Satori.Coin.Robber.
StorageCrypt infects NAS devices via SambaCry
Lawrence Abrams explains in a detailed article the details of a new ransomware, called StorageCrypt, which aims towards NAS devices and exploits a known vulnerability.
CVE-2017-7494, aka SambaCry, allows the execution of a remote shell. In this case it’s used to download and run an executable file which contains the StorageCrypt ransomware.
As a prevention method, don’t expose the NAS on the Net, use a dedicated VPN if you have to do so. A patch for SambaCry is also available.
HC7 ransomware uses remote desktop connections
A new ransomware that uses exposed RDP connections has recently appeared. Its first version, HC6, contained an hard-coded decryption key, so it was defeated quite easily.
Unfortunately, it has been removed in its next version, HC7, for which a decryption tool is available anyhow.
HC7 leverages remote desktop connections (RDP) exposed on the Net that are used by hackers to install the ransomware directly on the host, then it spreads on other computers on the same network. Further information about the ransomware are available in this article.
As a prevention method, protect RDP connections with a dedicated VPN.
New decryption tools are available
Despite every month the list of ransomware grows, fortunately some researchers and volunteers bless us with decryption tools: if you happen to get hit by a ransomware and don’t have a backup, then don’t despair and store encrypted files somewhere, as a decryption tool might be available sooner or later.
Researcher Michael Gillespie released a tool for HC6 and another for Crypt12, Fare9 (that’s the Twitter handle) created a tool for Crypton, a ransomware distributed with a fake keygen for EaseUS Data Recovery, Ryan Zisk wrote a tutorial on how to decrypt files encrypted bu HC7 and Dr.Web released a tool for Blind & Kill.
McAfee released Ransomware Recover, a service that offers different decryption tools, like the NoMoreRansom project does.
MalwareHunter Team’s Ransomware ID service identifies which ransomware encrypted your files, then head to the dedicated NoMoreRansom page and look for an encryption tool: most of them are listed here. The NoMoreRansom Project is the point of reference.
VenusLocker shifts from ransomware to mining Monero
In the last months the value of crypto-currencies grew exponentially and that phenomenon is reflected into hackers’ activities.
For instance the group that manages VenusLocker, as Fortinet explains, shifts from ransomware to mining Monero, a crypto-currency that guarantees anonimity and has an algorithm conceived for ordinary computers (and not high-resources servers like BitCoin). Therefore Monero has a particular appeal on hackers.
The VenusLocker malware campaing is spread with phishing emails that contain an infected attachment or a link to the miner.
Given the high yield, hackers are expected to shift their focus from ransomware to mining operations.
Fortinet VPN Client exposes credentials
FortiClient is the antivirus from Fortinet for home and enterprise users and Windows, macOS and Linux platforms.
SEC Consult researchers identified a vulnerability in the integrated VPN client that exposes any saved credential. Credentials are stored locally and encrypted with a key hard-coded in the client’s binaries, and weak reading permissions allow an easy read to non-authorized users.
Fortinet published a note with updates for the client that fix the vulnerability.
Palo Alto firewall vulnerable to a remote attack
Researcher Philip Pettersson discovered that by leveraging 3 different vulnerabilities, an hacker can execute remote code with root permissions on Palo Alto firewalls powered by their proprietary PAN-OS operating system.
The Remote Code Execution attack can be performed only if the management interface can be reached via WAN, contrarily to any security best practice that limit the access to it via LAN only.
Palo Alto recommends not to expose the management interface on the Internet (ID PAN-SA-2017-0027); versions PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6 are update and are available at this address.
Keylogger found in HP notebook drivers
“ZwClose” published a detailed analysis that covers the discovery of a possible keylogger found in the Synaptics Touchpad driver used by HP in its notebooks.
While analyzing the driver in order to understand how to regulate the keyboard’s retro-illumination, he noticed a line of code in the SynTP.sys file which revealed that the driver “saved scan codes to a WPP trace”. The function is currently not enabled but can be enabled with a certain registry value (UAC neede).
Synaptics released a note explaining how the driver contains a debug tool accidentally left by developers, and how this feature is present on every driver released by Synaptics and used as an OEM product by many computer manufacturer. HP released a list with affected models and related patch.
Coinhive found in Android apps
These two apps have an hidden browser where Coinhive does the mining as long as the app is open, without the user being able to notice it. They’ve been promptly removed from the store.
Intel-AMT based computers are exposed because of a vulnerability
Harry Sintonen, F-Secure Senior Security Consultant, wrote an article posted on the F-Secure blog which illustrates the details of a vulnerability of AMT (Active Management Technology), an Intel technology used in enterprise-tier laptops that allows remote access and control of the computer.
This vulnerability can be exploited by a local attacker who can gain control of the laptop easily, regardless of security measures such as BIOS password, TMP pin, BitLocker (Windows), firewall and access credentials.
The attack itself is easy: the attackers restarts the computer, presses F12 during the POST boot phase and selects the Management Engine BIOS Extension (MEBx) in the boot menu, thus avoiding the BIOS password protection. The default access password is “admin” and it has unlikely been changed by the users as a precise indication from the manufacturer is missing. Then an attacker just needs to change the password, enable remote access, set the user option for AMT opt-in on “None” and enable Wireless Management.
Although the attack requires the physical presence of the attacker, be careful when in public places.
News from the vendors
Github introduces a dependency-security alert tool
Github released a very useful feature that warns if a repository used in a project contains vulnerabilities.
It is estimated that 75% of projects on Github have external libraries; Github will warn if vulnerabilities are found (furnished with CVE catalog number) via email and with a new tool called Dependency Graph included in the Insights part of the repo. It also suggest a safe version of the library if available.
Firefox will warn you if you visit a site that suffered from a data breach
Upcoming versions of Firefox will include an handy tool that warns if a site suffered from data breaches in the past.
The tool is called Breach Alerts and is currently being developed (Github repo here). It uses data provided by the Have I Been Pwned? service that has been collecting data for many years regarding leaked credentials and allows to check whether your own account has been violated or not.
The goals of Breach Alerts are to inform users of any data breach, provided documentation with a “read more” link and offer an email-notification service for websites they’re registered.
Chrome 63 is now available
Google released the new version of its browser. Most new features involve the functioning, user-side news include FTP links labelled as insecure, a warning for Man-in-the-middle attacks, a change of user permissions requirement mode (with a reduction of new request windows up to 50%) and the “always mute” option for websites.
37 vulnerabilities have been fixed. A complete list is available at this address.
Avira introduces SafeThings for IoT devices
Avira introduces SafeThings, its new software solution that protect IoT devices on the Net.
SafeThings can be installed on a router and, by analyzing traffic in a discrete manner, identifies any anomalous behaviour and blocks it. The software, called SafeThings Sentinel, runs in backgrounds and discovers devices, analyzes packet headers and enforce security rules of routers, without touching sensitive data.
Sentinel then transmits data to the Avira SafeThings Protection Cloud which leverages AI to understand the activity patterns of the device and the network. As it identifies an anomaly, it provides the device and Sentinel with the instructions on how to block it.
OpenSSH is now available on Windows
OpenSSH is a suite of command line tools related to the SSH protocols developed by the OpenBSD team that is widely used on Linux and BSD-like (OpenBSD, NetBSD and also macOS) systems. Now it’s available on Windows too, although as a preview feature.
OpenSSH is available as a feature-on-demand with the Windows 10 Fall Creators Update and Windows Server 1709 and can be enabled with a gui (Apps and Features) or via command line with PowerShell or DISM.exe.
Supported features include server and client roles and password and keys authentication. Further information, including the project state, roadmap and use instructions, can be found at the OpenSSH Github repository wiki.
Microsoft Patch Tuesday
As every second tuesday of the month, Microsoft released the cumulative package of Windows systems updates that is known as Patch Tuesday.
It’s installed automatically if automatic updates are enabled, otherwise it’s available with Windows Update.
This month features 56 updates, including ones related to Internet Explorer and Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework e .NET Core, ASP.NET Core and Adobe Flash. Vulnerabilities have not been exploited.
November (link to source) and October (link to source) Patch Tuesday updates fixed issues related to tens of problems, and in this case too no vulnerabilities have been exploited.
You can also download single updates and find further information in the Security Update Guide.