DDoS attacks and Botnets

Mirai variant turns IoT devices into proxy servers

Fortinet has identified a variant of Mirai, the well-known botnet responsible for the attacks on DynDNS and KrebsOnSecurity, that, in addition to DDoS attacks, turns infected IoT devices into proxy servers.
The botnet, called Mirai OMG, installs malware on the victim systems that picks two random ports, adds the corresponding firewall rules, then installs 3proxy, a minimal proxy server.
Fortinet has not observed the botnet attacking and analyzed it in a quiescent state; its authors are believed to sell access to the IoT proxy servers.

DDoS attacks exploit misconfigured memcached servers

memcached servers expose a weakness in their UDP protocol support that makes them ideal for launching record-breaking DDoS attacks.
On February 28th GitHub recorded a 1.35 Tbps DDoS attack at 126.9 million packets per second, which made the service inaccessible for about 10 minutes.
A few days later, Arbor Networks detected an even larger attack, 1.7 Tbps, aimed at an unidentified American provider.
Both attacks were made possible by exploiting a vulnerability of memcached.

Hajime-variant botnet scans for MikroTik devices

Netlab 360 researchers have identified scanning activity performed by a variant of the Hajime botnet aimed at MikroTik routers and network devices, a likely prelude to an attack exploiting the vulnerable devices found.
The botnet scans reachable devices, looking in particular for port 8921; if it is open, additional ports are probed and the "Chimay Red" vulnerability, which allows remote code execution, is exploited.

As a precaution, MikroTik recommends that users block requests on port 8921 and upgrade RouterOS to version 6.41.3.

The Incapsula report on DDoS attacks in Q4 2017 is now available

Incapsula has published an interesting report on DDoS attacks recorded in the fourth quarter of 2017.
Among the most significant findings: attacks at the network level dropped while those at the application level doubled; the most targeted country is not the USA (27%), as one might expect, but Hong Kong (33%), with the APAC region receiving almost 70% of all attacks; internet providers (58%) are the most targeted sector, followed by betting and gambling (24%) and IT & software; and about 68% of victims suffer repeated attacks.

Ransomware

AVCrypt first uninstalls antivirus, then encrypts files

MalwareHunterTeam researchers have identified a ransomware, called AVCrypt, that uninstalls the antivirus on the system before encrypting files.
AVCrypt runs commands that stop the services Windows Defender and Malwarebytes, two of the most common AV solutions, need in order to work; it then queries Windows Security Center and uses WMIC to try to uninstall whatever antivirus is registered on the computer.
Finally, it encrypts the data with no AV left to stop it.

New decryption tools are available

Although the list of ransomware families grows every month, some researchers and volunteers fortunately bless us with decryption tools: if you happen to get hit by ransomware and don't have a backup, don't despair; keep the encrypted files somewhere safe, as a decryption tool might become available sooner or later.
Relentless researcher Michael Gillespie released a tool for TearDr0p, one for Pendor and another for WhiteRose (which can also be decrypted with Dr.Web's service). Jakub Kroustek discovered that RaruCrypt can be decrypted easily. NioGuard Security Labs' Alexander Adamov created a tool for MoneroPay. BitDefender released a tool for GandCrab. South Korean AhnLab released a tool for Magniber (the website is available in Korean only, so you need an online translation tool). The "File Decrypters" blog released a tool for BansomQare Manna (and others for Annabelle, Cryakl, GandCrab and more).
Malwarebytes discovered how to break the encryption scheme of LockCrypt, a ransomware that is installed manually after breaking in through insecure RDP connections.

MalwareHunterTeam's ID Ransomware service identifies which ransomware encrypted your files; then head to the dedicated NoMoreRansom page and look for a decryption tool, as most of them are listed there. The NoMoreRansom Project is the point of reference.

Vulnerabilities

UDP vulnerability exposes memcached to DDoS attacks

Cloudflare has detected several attacks originating from memcached installations, from UDP port 11211. Memcached is a server-side caching system used by web servers to improve performance.
The attacks are of the "amplification" type; the general idea is that an attacker sends crafted requests, carrying the victim's address as the source, to a UDP server which, unable to tell that the request is forged, promptly sends its answer to that address. The victim host is overwhelmed when it receives an unmanageable volume of those responses.
Memcached supports UDP and enables it by default; Cloudflare noted that a 15 byte request can produce a 750 KB response, an amplification factor of 51,200. Unfortunately, the UDP support is not secured, and port 11211 is directly reachable from outside if the server is not protected by a firewall.
Version 1.5.6 disables the UDP protocol by default.
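The reflection pattern described above (tiny request, huge UDP response from port 11211, many reflectors hitting one victim) can be spotted in flow data. The following is an added example written for this page, not Cloudflare's or GitHub's code; the flow line format and the addresses are constructed.

```python
# Added example (not Cloudflare's or GitHub's code): flag memcached
# amplification in flow records. The pattern from the text is UDP traffic
# sourced from port 11211 that dwarfs the request and reaches one victim
# from many reflectors. The flow line format is a constructed, simplified one.
import re
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample (RFC 5737 documentation addresses): three reflectors
# answer one victim; the TCP flow and the 15-byte trigger request are benign.
SAMPLE_FLOWS = """\
2018-02-28T17:21:00Z UDP 203.0.113.10:11211 -> 198.51.100.7:443 bytes=1428
2018-02-28T17:21:00Z UDP 203.0.113.11:11211 -> 198.51.100.7:443 bytes=1428
2018-02-28T17:21:01Z UDP 203.0.113.12:11211 -> 198.51.100.7:443 bytes=1400
2018-02-28T17:21:01Z UDP 203.0.113.10:11211 -> 198.51.100.7:443 bytes=1428
2018-02-28T17:21:02Z TCP 203.0.113.10:11211 -> 10.0.0.5:51000 bytes=120
2018-02-28T17:21:02Z UDP 198.51.100.7:43211 -> 203.0.113.10:11211 bytes=15
""".splitlines()

def parse_flow(line):
    """Return the flow as a dict with numeric ports/bytes, or None on no match."""
    m = FLOW_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec

def detect_memcached_amplification(lines, min_reflectors=2, min_payload=1000):
    """Map each suspected victim to (distinct reflectors, total bytes) when
    large UDP payloads from port 11211 arrive from several distinct hosts."""
    seen = defaultdict(lambda: [set(), 0])
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["sport"] != MEMCACHED_UDP_PORT or rec["bytes"] < min_payload:
            continue
        seen[rec["dst"]][0].add(rec["src"])
        seen[rec["dst"]][1] += rec["bytes"]
    return {v: (len(s), b) for v, (s, b) in seen.items() if len(s) >= min_reflectors}
```

On the server side the cheapest fix is the one the text mentions: upgrade to 1.5.6 or start memcached with UDP disabled and keep port 11211 behind a firewall.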

Malware is distributed via YouTube

Dr.Web discovered malware being distributed via YouTube videos.
The malware is a Trojan written in Python, called Trojan.PWS.Stealer.23012, which intercepts cookies and passwords saved in various browsers, including Opera and Chrome, copies the files to the desktop and then sends them to the C&C servers.
The infection starts when the user clicks a link posted in video comments, especially under videos about video game cheats. The link points to fake tools that are actually self-extracting archives that place the trojan on the victim's computer.

A backdoor in macOS has been identified

Trend Micro announces the discovery of a backdoor for macOS, the operating system of Apple computers.
The backdoor, called OSX_OCEANLOTUS.D, is thought to be spread by OceanLotus, a group of Vietnamese hackers responsible for attacks on non-profit organizations, media and research institutes.
OSX_OCEANLOTUS.D affects macOS systems with the Perl programming language installed; the backdoor is delivered as a Word document sent via email and activated when the user enables a macro.
The threat is limited to users in Vietnam (the email refers to registration for an event organized by the Vietnamese HMDC association), yet it clearly shows that even macOS can be targeted by hackers and is therefore not free from risk.

Java and SSH bugs expose Cisco devices

Cisco has recently released updates for two bugs, related to Java and SSH, that can expose its devices.
The first concerns Java and is found in Cisco Secure Access Control System (ACS) prior to version 5.8 patch 9; it allows an unauthenticated remote user to execute code with root permissions on the device. This is due to insecure Java deserialization of user-supplied input.
The second concerns SSH and is present in Cisco Prime Collaboration Provisioning (PCP) software version 11.6; it allows logging in with hard-coded credentials as a regular user, whose privileges can then be elevated to root.
Both vulnerabilities have been fixed by the ACS and PCP updates.

Cacti vulnerability exposes Linux servers

Trend Micro researchers identified a vulnerability in the Weathermap plugin of Cacti, an open source network monitoring solution. The plugin lets you create a graphical map of the network's elements.
CVE-2013-2618, an XSS vulnerability that allows code injection through the map_title parameter, is being used to install the XMRig miner (XMR is a crypto-currency) on compromised Linux systems.
There are currently no updates for the plugin.

News from the vendors

Office 365 adds anti-ransomware features

Office 365 introduces several features to fight ransomware. OneDrive's File Restore allows restoring previous versions of files from up to 30 days earlier; the function is also useful in case of corruption, accidental (or deliberate) deletion or other events that make the current version of a file unusable. Ransomware detection & recovery intercepts ransomware attacks and alerts users via email, also providing instructions for using the File Restore function. Other features include password-protected file sharing, email encryption, prevention of copying and forwarding of encrypted emails, link checking in Word, Excel and PowerPoint, and link and attachment checking in Outlook.

Starting next July, Chrome will mark HTTP sites as unsafe

As previously announced, Chrome 68, whose release is scheduled for July, will mark HTTP sites as unsafe, so anyone running a website will have to adopt an SSL certificate by that date if they do not want to be penalized by Google.

The adoption of SSL certificates is already substantial: 81 of the top 100 sites are on HTTPS, as are 78% of Chrome traffic on Chrome OS and macOS and 68% of Chrome traffic on Android and Windows.

Symantec certificates will no longer be recognized by Chrome from April

The next version of Chrome, 66 (scheduled for April), will no longer trust SSL certificates issued by Symantec before June 1, 2016, a decision taken after the September incident in which the CA was found to have issued over 30 thousand invalid certificates over the years. Symantec has therefore sold its PKI infrastructure.

New features in Chrome 65

Google released Chrome 65, the new version of its browser.
The most important change is the blocking of "tab-under" redirects, i.e. redirects of the original page that occur when a link opens a new page from it, as often happens in malvertising schemes.
New APIs are also introduced and 45 vulnerabilities have been corrected, including 9 high-level ones.

New features in Firefox 59

The new version of Mozilla's browser is now available.
Firefox 59 introduces several changes: performance improvements (home page loading time, loading from the network or disk cache, support for OMTP for graphics rendering on macOS), drag & drop in the "customizer" used to arrange the browser interface, new functions in the screenshot tool (annotations and cropping), improvements to the WebExtensions API and Real-Time Communications (RTC) functions, and more.
Several vulnerabilities have also been resolved, including a critical one.

VirusTotal launches Droidy, an Android sandbox

VirusTotal, the service that allows you to scan suspicious files via multiple virus scanning engines, announces Droidy.
Droidy is a sandbox that simulates a specific Android environment to analyze the behavior of Android apps and produce reports for users and researchers. The function is already live on the site and adds the results of this behavioral analysis (including network and SMS activity, filesystem activity, SQLite database usage, service activity, permission checks, cryptographic activity and more) to the "classic" analysis of uploaded files. A similar sandbox is available for macOS.

Firefox tests DNS-over-HTTPS

Mozilla announced that the Nightly version of Firefox is experimenting with the DNS-over-HTTPS (DoH) protocol.
The protocol, currently in draft phase, allows DNS queries to be performed over an encrypted channel; today, web addresses are resolved into IP addresses without any form of encryption, much like cleartext communication over HTTP. DoH, which is being tested by Google, Cloudflare and Mozilla, solves this problem by encrypting DNS queries.
In Firefox 60 (beta) and Nightly you can enable DoH, enter the address of a server that supports DoH (such as Google DNS or Cloudflare) and test the function.
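To make the encoding concrete, here is an added example, not Mozilla's code, that builds the GET request a DoH client sends for an A lookup, as the draft that became RFC 8484 specifies: a wire-format DNS message, base64url-encoded without padding, in the "dns" query parameter. The resolver URL is an assumed placeholder.

```python
# Added example, not Mozilla's code: build the DNS-over-HTTPS GET request for
# an A lookup as the draft that became RFC 8484 specifies. The DNS message is
# built by hand in wire format and base64url-encoded (padding stripped) into
# the "dns" query parameter. The resolver URL is an assumed placeholder.
import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"  # placeholder, not a real resolver

def build_dns_query(name, qtype=1):
    """Minimal wire-format DNS query for `name` (qtype 1 = A, class IN).
    ID is 0, as RFC 8484 recommends for cache-friendly GET requests; RD=1."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """URL carrying the query in the base64url 'dns' parameter, '=' padding
    stripped. The client also sends 'Accept: application/dns-message'."""
    wire = build_dns_query(name)
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def decode_doh_param(url):
    """Reverse the encoding: recover the wire message and the queried name.
    This is what the resolver (or an inspecting proxy) does on receipt."""
    token = url.split("dns=", 1)[1]
    token += "=" * (-len(token) % 4)      # restore padding for the decoder
    wire = base64.urlsafe_b64decode(token)
    labels, pos = [], 12                   # question section follows the header
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return wire, ".".join(labels)
```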

Firefox too will soon have an ad-blocking tool

Following Chrome and Opera, which already have dedicated tools, Firefox will also get a tool to block intrusive ads. The function is scheduled for the third quarter of 2018, as stated in the roadmap.

Let's Encrypt introduces free SSL wildcard certificates

Let's Encrypt now supports SSL wildcard certificates, which cover multiple subdomains of the same domain. This is made possible by the release of ACME (Automated Certificate Management Environment) v2, the protocol used to generate and manage certificates. Issuance relies on the DNS-01 challenge, which consists in proving control of the domain by setting a specific DNS TXT record according to the CA's instructions.
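The DNS-01 challenge described above can be worked through end to end. The following is an added example written for this page, not Let's Encrypt's or any ACME client's code; it follows ACME (RFC 8555, section 8.4) and RFC 7638 for the key thumbprint, and the account key, token and domain are constructed placeholders.

```python
# Added example, not Let's Encrypt's or any ACME client's code: compute and
# verify the TXT record for an ACME DNS-01 challenge. Per RFC 8555 section 8.4
# the key authorization is token + "." + base64url(JWK thumbprint), and the
# TXT value at _acme-challenge.<domain> is base64url(SHA-256(key authorization)).
import base64
import hashlib
import hmac
import json

ACCOUNT_JWK = {  # constructed placeholder account key; "n" is not a real modulus
    "kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "kid": "acct-1",
}
TOKEN = "cONsTrUcTed-tOkEn-aBcDeF0123456789"  # constructed placeholder token

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required members only, in lexicographic order,
    serialised without whitespace (extra members such as "kid" are dropped)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def dns01_txt_value(token, jwk):
    """Value the client publishes: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{b64url(jwk_thumbprint(jwk))}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def dns01_record(domain, token, jwk):
    """(name, value) of the TXT record to publish. A wildcard identifier
    (*.example.org) is validated at the base name, which is why DNS-01 is
    the challenge that makes wildcard issuance possible."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", dns01_txt_value(token, jwk)

def verify_dns01(published_txt, token, jwk):
    """The CA side: compare the TXT record it resolved with the expected value."""
    return hmac.compare_digest(published_txt, dns01_txt_value(token, jwk))
```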

In the first 48 hours more than 10,000 certificates were issued, as a tweet celebrates.

Microsoft Patch Tuesday

As on every second Tuesday of the month, Microsoft released its cumulative package of system updates for Windows, known as Patch Tuesday.
It's installed automatically if automatic updates are enabled; otherwise it's available through Windows Update.
This month features several updates, including ones for Internet Explorer and Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework and .NET Core, ASP.NET Core and Adobe Flash. The vulnerabilities have not been exploited.
This GFI blog post recaps the updates contained in Patch Tuesday.
You can also download individual updates and find further information in the Security Update Guide.