Activity Summary – Week Ending October 26, 2018
Attackers have always been seeking new avenues for exploitation. Short of discovering zero days themselves, many attackers have relied on known vulnerabilities, whether disclosed responsibly or irresponsibly to a vendor. Even when a patch is available, as in the industry-standard Patch Tuesday cycle run by Microsoft and Adobe, attackers have taken the vendors' patches and reverse engineered them, a practice often called Exploit Wednesday, to exploit those who have not yet applied the patches themselves, whether through poor patch management or carelessness.
Application Vulnerabilities / IPS
MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow – FortiGuard Labs has observed an increase in detections for our IPS signature MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow. This signature addresses a buffer overflow vulnerability in the WebDAV service of Microsoft IIS 6.0, identified as CVE-2017-7269, which allows remote attackers to execute arbitrary code via a request carrying a long HTTP header. Attacks were apparently first seen in the wild in July or August 2016, and since the proof of concept was disclosed on GitHub several months afterward, the number of attacks has kept increasing. FortiGuard Labs has seen a major increase in telemetry consistent with attempts on CVE-2017-7269 over the course of several months now. Attacks are primarily concentrated in the United States (20%), Japan (6%), and India (4%). Microsoft did not release a patch for this specific vulnerability, but instead offers the following guidance:
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site. Fortinet customers who have not been able to upgrade to IIS 7.0 are protected against attacks on this vulnerability with the signature below.
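The traffic shape described above, a PROPFIND request carrying an abnormally long header, can be screened for in front of an IIS 6.0 host that cannot yet be upgraded. The following is an added example written for this article; it is neither FortiGuard's code nor the logic of the IPS signature itself. The length threshold, the header name X-Constructed and the sample requests are constructed assumptions for the demonstration.

```python
"""
Added example (not FortiGuard's code or the IPS signature): flag WebDAV
PROPFIND requests whose header values are implausibly long. The threshold
and the sample requests are constructed assumptions for the demonstration.
"""
from typing import Dict, List, Tuple

# Assumption: no legitimate WebDAV client sends a header value this long.
MAX_HEADER_VALUE_LEN = 512


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, headers).
    Header names are lower-cased; malformed header lines are skipped
    rather than raising, so a hostile request cannot crash the checker."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2) if lines else []
    method = parts[0].decode("latin-1") if len(parts) > 0 else ""
    target = parts[1].decode("latin-1") if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            continue
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return method, target, headers


def oversized_headers(raw: bytes, limit: int = MAX_HEADER_VALUE_LEN) -> List[str]:
    """Names of headers on a PROPFIND request whose value exceeds `limit`.
    The check is scoped to PROPFIND, the method the signature concerns,
    so other methods yield an empty list here."""
    method, _target, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return []
    return sorted(name for name, value in headers.items() if len(value) > limit)


def classify(raw: bytes) -> str:
    """One-line verdict suitable for a log or alert pipeline."""
    hits = oversized_headers(raw)
    if hits:
        return "alert: PROPFIND with oversized header(s) " + ",".join(hits)
    return "pass"


# Constructed samples (not real captures).
BENIGN_PROPFIND = (b"PROPFIND /webdav/ HTTP/1.1\r\nHost: example.test\r\n"
                   b"Depth: 1\r\nContent-Length: 0\r\n\r\n")
LONG_HEADER_PROPFIND = (b"PROPFIND /webdav/ HTTP/1.1\r\nHost: example.test\r\n"
                        b"X-Constructed: " + b"A" * 4000 + b"\r\n\r\n")
LONG_HEADER_GET = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                   b"X-Constructed: " + b"A" * 4000 + b"\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN_PROPFIND, LONG_HEADER_PROPFIND, LONG_HEADER_GET):
        print(classify(sample))
```

Scoping the check to PROPFIND keeps false positives low on a busy web server; a length check that is not tied to any particular header name is deliberate, since the detail of which header the exploit abuses is not needed to spot the anomaly. Tune MAX_HEADER_VALUE_LEN against real traffic from your own WebDAV clients before alerting on it.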
OpenSSL.Heartbleed.Attack – FortiGuard Labs has observed an increase in detections for our IPS signature OpenSSL.Heartbleed.Attack. The vulnerability exists in OpenSSL and is due to insufficient input validation when handling a crafted SSL Heartbeat request. A remote attacker can exploit it to gain unauthorized access to sensitive information via the crafted request. Interestingly, this signature is over four years old, and the vulnerability has been addressed by multiple advisories worldwide, all recommending that affected organizations update to the latest version of OpenSSL. Attackers know that organizations are slow to patch and keep looking for such victims to target. We note this attack increasing in the United States (27%), Canada (5%), and Japan (4%), re-emerging in the top 15 of our IPS telemetry charts.
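The "insufficient input validation" above is concrete: the vulnerable OpenSSL releases trusted the payload length field inside a heartbeat message without comparing it to the number of bytes the peer actually sent. The following is an added example written for this article, not FortiGuard's or OpenSSL's code. It parses the heartbeat message layout defined in RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding) and enforces the missing check; the sample records are constructed for the demonstration.

```python
"""
Added example (not FortiGuard's or OpenSSL's code): a parser for the TLS
heartbeat message that enforces the length check missing from the vulnerable
OpenSSL releases. Layout per RFC 6520; sample records are constructed.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


class HeartbeatError(ValueError):
    """Raised when a heartbeat message is malformed and must be dropped."""


def build_heartbeat(hb_type: int, payload: bytes, claimed_len: Optional[int] = None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise type(1) | payload_length(2) | payload | padding.
    claimed_len lets a test construct a length field that disagrees with the
    bytes actually present; a well-formed sender leaves it as None."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", hb_type, length) + payload + padding


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse the heartbeat message in a TLS record body; return (type, payload).

    The comparison `1 + 2 + payload_len + MIN_PADDING > len(record)` is the
    bounds check the vulnerable code lacked: without it, payload_len bytes
    were copied from process memory and echoed back regardless of how many
    bytes the peer had sent.
    """
    if len(record) < 3:
        raise HeartbeatError("heartbeat header truncated")
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {hb_type}")
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise HeartbeatError(
            f"claimed payload length {payload_len} exceeds record length {len(record)}")
    return hb_type, record[3:3 + payload_len]


def heartbeat_response(record: bytes) -> bytes:
    """Answer a validated request by echoing only the bytes that were received."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        raise HeartbeatError("only heartbeat requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def triage(record: bytes) -> str:
    """Classify a captured heartbeat record for a detection pipeline."""
    try:
        hb_type, payload = parse_heartbeat(record)
    except HeartbeatError as exc:
        return f"drop: {exc}"
    return f"ok: type={hb_type} payload={len(payload)} bytes"


# Constructed samples: a legitimate 4-byte heartbeat, and a malformed one whose
# length field claims 65535 bytes while only 4 payload bytes are present.
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"ping", claimed_len=0xFFFF)

if __name__ == "__main__":
    print(triage(GOOD_RECORD))
    print(triage(BAD_RECORD))
    print(heartbeat_response(GOOD_RECORD).hex())
```

The same comparison is what an IPS signature has to make on the wire: a heartbeat whose declared payload length cannot fit in the enclosing record is malformed by definition and can be dropped before it reaches any OpenSSL build, patched or not.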
ICS Attacks Attributed to Russia – FortiGuard Labs is aware of reports that last year's attack on Schneider Electric ICS equipment, known as TRITON, TRISIS, and HATMAN, was attributed by researchers this week to Russia, specifically the Central Scientific Research Institute of Chemistry and Mechanics in Moscow (CNIIHM). The analysis concluded with high confidence that the malware was connected to this organization, based on environmental variables discovered during testing, and tied it to the group tracked as TEMP.Veles. TEMP.Veles also appears to have been in operation since 2013. Four files tested in 2013 are based on Cryptcat, an open source project derived from Netcat, a networking utility for reading from and writing to network connections over TCP or UDP; Cryptcat differs from Netcat in that it adds Twofish encryption. TEMP.Veles used several lateral movement tools, such as WMImplant, and has been observed testing multiple frameworks, including Metasploit, Cobalt Strike, and PowerSploit. The payloads used by TEMP.Veles are weaponized versions of legitimate open source software used for communication with command and control servers. Other observations by the researchers tie the threat actor to CNIIHM through a unique handle or username: a moniker used by a person active in the Russian infosec community who has stated they were a professor at CNIIHM. The researchers further claim that this organization would be the only one capable of carrying out such attacks, given the knowledge pool of individuals within it.
Grey Energy – GreyEnergy, not to be confused with BlackEnergy, which in 2015 left 230,000 people in Ukraine without electricity, appears to have been active for the past three years and was described by researchers this past week. This APT group's main activity is lateral movement and data exfiltration; it does not rely on destructive attacks and has therefore stayed under the radar for quite some time. The malware is highly modular: the attackers control which modules are pushed to a given victim, depending on the victim's environment, and can tailor those modules per campaign. The modules observed exhibit RAT (Remote Access Trojan) functionality such as keystroke logging, credential theft, and screenshot capture.
According to the research, GreyEnergy does not actively target ICS machines, but rather machines running SCADA software and workstations. An interesting observation made by the authors is that the appearance of GreyEnergy coincided with the BlackEnergy authors going offline. Targets of GreyEnergy have also been BlackEnergy targets in the past, and the group has targeted infrastructure in Poland and Ukraine as well. Tor relay servers were used as active command and control servers. GreyEnergy favors the publicly available tools Mimikatz, PsExec, WinExe, and Nmap, along with a custom port scanner. What makes GreyEnergy different from BlackEnergy is not only its more modular toolset but also how it pushes those modules to different victims based on need and campaign. It also uses fileless techniques to evade detection and complicate analysis, and, in a deceptive move, will wipe itself to frustrate forensic analysis. Its distribution methods are believed to be spear phishing and compromised web servers.
Signatures: W32/Agent.SCM!tr, Riskware/WinExec, W32/Agent.WTD!tr, Adware/Winexe, Riskware/Winexe, W32/SelfDel.BGEE!tr, W32/Agent.SCT!tr, WM/Agent.BC!tr.dldr
Hurricane Michael Phishing Scam Abusing Microsoft Azure Blob Storage – The FortiGuard Labs Web Filtering team has recently observed various phishing campaigns exploiting Hurricane Michael, mainly using a PDF file delivered by email as the attack vector. Many of these recent campaigns focus on webmail credential theft. In this campaign, the threat actors have abused Microsoft Azure blob storage to host phishing templates and malicious files since August of this year. Victims who click on the linked icons are sent first to a bit.ly link and then redirected to the attackers' phishing landing page.
FortiGuard Labs Web Filtering analysts have reviewed all the IOCs and added them as malicious.
Threat Research & Insights
FortiGuard Labs Threat Intelligence Podcast #9 – FortiGuard Threat Intelligence Podcast (TIP) provides highlights and commentary into top cyber threats, data breaches, and cybercrime. Join Fortinet’s top threat experts as they delve into today’s critical cybersecurity topics. Informative. Scary. Insightful. [Listen Here]
Securing the Future of Blockchain in Asia Pacific – Blockchain is not just about cryptocurrencies anymore. The blockchain adoption rate is growing extremely fast – expanding its footprint globally across multiple industries and economic sectors. As blockchains grow in economic importance, they will undoubtedly become more attractive targets for cybersecurity interference. [Read More]
News Courtesy: FortiGuard – Weekly Threat Briefs