Heartbleed, Meltdown, Zombieload and now BlueKeep. Many serious vulnerabilities are given a name these days, often (though not always: BlueKeep is an exception) with a marketing motive behind it. Such naming remains controversial in the security community and there certainly have been cases where the seriousness of a vulnerability didn’t live up to the hype that came with its name and logo.
 

But as someone who regularly writes about vulnerabilities and how they are being exploited in the wild, I don’t think it’s a bad trend. And I fully agree with RiskIQ founder Brandon Dixon, who wrote a blog post praising the naming of vulnerabilities. Though of course I might change my mind if I see named vulnerabilities being used to spread Fear, Uncertainty and Doubt on the Infosecurity Europe show floor next week. If you're going to be at Infosecurity or at BSides London (which VB is sponsoring and will attend), don’t hesitate to say hello and ask me about our upcoming conference (which also takes place in London) or our tests!

Martijn Grooten

Editor, Virus Bulletin


For the privacy conscious among you: we do not track clicks on the links contained in this newsletter to individual subscribers, but should you feel more comfortable, we believe that any of the links mentioned here can be found through search engines. All links have been added to the Wayback Machine.


CVE-2019-0708 continues to get security researchers excited, and defenders worried. The vulnerability in Windows Remote Desktop Services is also known as BlueKeep, a name Kevin Beaumont came up with at the beginning of a long, informative and ongoing Twitter thread, and that appears to have stuck. Robert Graham’s scan of the IPv4 space found almost a million devices directly connected to the Internet that are vulnerable to BlueKeep, and that figure doesn’t include vulnerable devices on internal networks. The bug is reachable before authentication and needs no user interaction, so if, as is feared, an exploit is turned into a code execution worm, it could do damage comparable to that done by WannaCry two years ago. Microsoft says it is confident an exploit exists and urges users to patch their systems. Meanwhile, proof-of-concept code that creates a denial-of-service condition has been posted publicly, which prompted ‘MalwareTech’ to publish his own analysis of the vulnerability.
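A check that follows from the above: because the flaw is reachable before authentication, Microsoft lists enabling Network Level Authentication (NLA) as a mitigation, and whether a host enforces NLA can be read off the very first RDP exchange without logging in. The script below is an added example, not code from this newsletter or from Robert Graham’s or MalwareTech’s tools. It sends an X.224 Connection Request that offers only legacy RDP security and classifies the server’s reply: a server that insists on CredSSP (NLA) answers with HYBRID_REQUIRED_BY_SERVER, while one that accepts, or merely asks for TLS, will talk RDP to anyone. The verdict says nothing about whether the patch is installed; NLA is a mitigation, not a substitute for patching.

```python
"""Probe an RDP endpoint and report whether it enforces Network Level
Authentication (NLA) before processing any RDP protocol traffic.

Added example for the BlueKeep item above; not the newsletter's code and
not any published scanner. Packet layouts follow MS-RDPBCGR 2.2.1.1/2.2.1.2.
"""
import socket
import struct

# RDP_NEG_REQ requestedProtocols flags
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security", no TLS, no NLA
PROTOCOL_SSL = 0x00000001      # TLS only
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

# RDP_NEG_FAILURE failureCode values
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
    0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """X.224 Connection Request carrying an RDP_NEG_REQ, wrapped in a TPKT header."""
    # RDP_NEG_REQ: type=1, flags, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: length indicator, CR code 0xE0, dst-ref, src-ref, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm.

    Returns ("accepted", selectedProtocol), ("failure", failure_name),
    ("no_negotiation", None) for a bare CC without an RDP_NEG block,
    or ("error", reason).
    """
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return ("error", "not an X.224 Connection Confirm")
    body = data[11:]                      # TPKT (4) + fixed X.224 CC part (7)
    if len(body) < 8:
        return ("no_negotiation", None)
    rtype, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        return ("error", "malformed RDP_NEG block")
    if rtype == 0x02:                     # RDP_NEG_RSP
        return ("accepted", value)
    if rtype == 0x03:                     # RDP_NEG_FAILURE
        return ("failure", FAILURE_CODES.get(value, "UNKNOWN_%#x" % value))
    return ("error", "unexpected RDP_NEG type %#x" % rtype)


def classify(result):
    """Turn a parsed reply into a verdict about NLA enforcement."""
    kind, value = result
    if kind == "failure" and value in ("HYBRID_REQUIRED_BY_SERVER",
                                       "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"):
        return "NLA_REQUIRED"             # unauthenticated RDP traffic is refused
    if kind in ("accepted", "no_negotiation") or \
            (kind == "failure" and value == "SSL_REQUIRED_BY_SERVER"):
        return "NLA_NOT_REQUIRED"         # server talks RDP (maybe over TLS) pre-auth
    return "UNDETERMINED"


def probe(host, port=3389, timeout=5.0):
    """Network I/O: connect, offer legacy RDP only, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(s.recv(1024)))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "->", probe(target))
```

Run it as `python rdp_nla_probe.py host1 host2` against hosts you are authorised to test. A scanner that wants to go further would, on SSL_REQUIRED_BY_SERVER, reconnect offering PROTOCOL_SSL and continue the handshake over TLS; this example stops at the negotiation because that is all the NLA question needs.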

 


One Microsoft vulnerability that has been exploited in the wild is CVE-2019-0604, which affects Microsoft SharePoint and which was patched in March. Palo Alto Networks researchers have written a detailed analysis of exploitation of this vulnerability by Emissary Panda (APT27), an APT group generally believed to be Chinese. The group used the vulnerability to install web shells, which were then used to upload legitimate executables for DLL side-loading. One of the web shells used is China Chopper, which has previously been used by Emissary Panda. The researchers’ findings match those of Tom Webb published on the SANS Internet Storm Center blog earlier last month, as well as those of the national CERTs of both Saudi Arabia and Canada.

 

From the use of hijacked satellite Internet connections for command and control to registering as a transport agent in Microsoft Exchange, the Turla group has long been known to be one of the most advanced and inventive APT groups. Now ESET researcher Matthieu Faou has published new research into the PowerShell loader used by the group. Interestingly, the PowerShell scripts aren’t merely droppers for next-stage malware: they actually persist on an infected system. Turla’s PowerShell loader was previously analysed by Kaspersky in 2018, but since then the authors have improved their scripts to make them more stable.

 

Intezer researcher Nacho Sanmillan has analysed the newly found HiddenWasp Linux malware that shares some code with the Mirai botnet and the Azazel rootkit, but which appears to be used for remote access against targeted systems. Nacho also found some code similarities with some Chinese Linux malware, a subject on which he will present a reserve paper at VB2019.


Despite similar names and, possibly, a shared country of origin, Hidden Bee appears unrelated to HiddenWasp. In a thorough analysis of the latest version of the Windows malware, Malwarebytes researcher ‘hasherezade’ notes various updates and concludes that this is commodity malware (used for cryptocurrency mining) written with the professionalism of an APT actor.


Guardicore researchers Ophir Harpaz and Daniel Goldberg make the same observation in their analysis of what they call the Nansh0u cryptocurrency mining campaign, which has so far infected more than 50,000 servers running MS-SQL by guessing common credentials. The researchers say there is strong evidence that the campaign has also infected servers running phpMyAdmin.


Since the discovery of ‘Skimer’ a decade ago, dozens of ATM malware families have been discovered, varying greatly in both functionality and sophistication. For Cisco Talos researcher Vanja Svajcer, a multiple-time VB conference speaker, this was a good opportunity to look back at the past decade and some of the more interesting malware families. He notes their prevalence in Eastern Europe and Latin America; ATM malware in Latin America was the subject of a VB2017 conference presentation by Kaspersky Lab researchers Thiago Marques and Fabio Assolini.  


Hardly a week goes by when we don’t mention Magecart in this newsletter. Last week Fortinet researcher Rommel Joven analysed a Magecart campaign that led to the theft of some 185,000 credit card details. The campaign likely came from what the now classic RiskIQ/Flashpoint report calls Group 1 and uses a JavaScript skimmer loaded directly into the HTML code of a compromised website. At VB2019, RiskIQ researcher Yonathan Klijnsma, one of the authors of said report, will present a paper on Magecart.



In its latest quarterly threat report, Proofpoint states that more than 60% of the malicious email payloads it sees are the Emotet trojan. Emotet is a downloader that is mostly used to fetch other malware onto the infected machine, so this figure in itself says little about which malware ends up running on victims' machines. At VB2019, Sophos researcher Luca Nagy will present a paper on Emotet that looks at every aspect of this important threat. If you're going to BSides London this week, you will also be able to see Luca present a shorter version of her VB2019 talk.

 

Yoroi researchers have analysed a new attack by the TA505 cybercrime group that targets an Italian bank. A malicious Word document leads to the execution of macro code and, eventually, to the downloading of a remote access tool.


A team of academic researchers led by Cambridge professor (and VB2015 keynote speaker) Ross Anderson has published a research paper on the cost of cybercrime, an update of a 2012 paper on the same subject. A lot has changed in the seven years since the original paper, from the prominent role smartphones play in our lives to the rise of cryptocurrencies, as well as the appearance of hard-to-classify yet costly attacks such as NotPetya. Perhaps the most interesting conclusion, though, is that the indirect costs of cybercrime are many times greater than the profits made by the criminals.  


IBM’s Limor Kessem has noted an increase in malicious email campaigns spreading the latest version of the HawkEye information-stealing trojan (sold as ‘HawkEye Reborn v9’). She points out that the campaigns tend to target businesses, which are more interesting for the criminals running these campaigns. The resurgence of HawkEye was previously noted by Cisco Talos.


Zscaler has looked at the exploit kits seen in the spring of 2019 and noted that several remain active, including the relatively prevalent Rig and the new Spelevo, first seen in March and also seen during VB's most recent web security test.

 

The My Online Security blog is a good source of information about the many smaller and lesser reported malware and phishing email campaigns. Interestingly, a phishing email was recently found using the blog's domain as a sender.

 


The same site also noted a campaign serving the Lokibot infostealer via the ngrok tunnelling service. ngrok gives the client a public hostname that forwards to a machine the client controls, which lets the actors host the malware themselves and minimises the risk of a domain or hosting takedown.
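The flip side of hosting malware behind a tunnel is that the hostname still names the tunnel provider, which is something a proxy log can be searched for. The block below is an added example, not code from My Online Security or from the campaign write-up; the squid-style log format and every entry in it are constructed for the example, and at the time of this newsletter ngrok served its tunnels from *.ngrok.io (HTTP) and *.tcp.ngrok.io (raw TCP), which is the only provider the suffix list covers.

```python
"""Flag proxy-log entries where a client reached a tunnel-service hostname.

Added example for the ngrok/Lokibot item; not the blog's code. The log
format and all sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Tunnel-provider domains. ngrok tunnels are *.ngrok.io / *.tcp.ngrok.io;
# other providers would be added here (assumption: the list is maintained by hand).
TUNNEL_SUFFIXES = (".ngrok.io",)

# Constructed squid-style access log: timestamp, client, method, target, status
SAMPLE_LOG = """\
1559300001.123 10.0.0.15 GET http://www.example.com/index.html 200
1559300002.456 10.0.0.22 GET http://a1b2c3d4.ngrok.io/invoice.exe 200
1559300003.789 10.0.0.22 CONNECT 0.tcp.ngrok.io:12345 200
1559300004.012 10.0.0.31 GET http://notngrok.io/page 200
1559300005.345 10.0.0.40 GET http://cdn.example.net/lib.js 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)"
)


def target_host(method, target):
    """Destination host from a URL, or from the host:port of a CONNECT."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def is_tunnel_host(host):
    # Match the provider domain itself or any label below it; the leading dot
    # stops look-alikes such as notngrok.io from matching.
    return any(host == suffix[1:] or host.endswith(suffix) for suffix in TUNNEL_SUFFIXES)


def find_tunnel_traffic(log_text):
    """Return (client, host, target) for every line that reached a tunnel host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines in another format
        host = target_host(m["method"], m["target"])
        if is_tunnel_host(host):
            hits.append((m["client"], host, m["target"]))
    return hits


if __name__ == "__main__":
    for client, host, target in find_tunnel_traffic(SAMPLE_LOG):
        print("%-10s %-20s %s" % (client, host, target))
```

Two hits come back for the sample: the HTTP download of invoice.exe and the raw TCP tunnel on port 12345, both from 10.0.0.22, which is the kind of pairing (payload fetch followed by a tunnel for command and control) worth pulling into an investigation. The look-alike notngrok.io is correctly left alone.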


Seqrite has shared some statistics from its MySQL honeypot and notes that attackers either hold the database data to ransom or use MySQL as an entry point for the Linux or Windows server behind it.


Apart from ‘BlueKeep’, another serious remote code execution vulnerability was patched by Microsoft last month: CVE-2019-0725, which affected Windows DHCP server. Analysing the vulnerability, Trend Micro researcher John Simpson concludes that gaining remote code execution is very unlikely but that the vulnerability should nevertheless be patched, especially given the possibility of performing a DoS attack against the DHCP server.


In November last year, Shusei Tomonaga from JPCERT/CC (also a VB2019 speaker) noted that the TScookie malware had a bug that made it fail to read its configuration properly. Half a year later, there has been an update to the malware that fixes this issue.


The persistent cross-site scripting vulnerability in the WP Live Chat Support WordPress plug-in, discovered by Sucuri and subsequently patched, is being exploited in the wild. Zscaler researcher Prakhar Shrotriya notes that the vulnerability is exploited on an unpatched site to change the plug-in settings so that it injects JavaScript that redirects visitors to unwanted and potentially malicious sites.


WordPress’s plug-in woes are far from over. In three separate blog posts, Wordfence’s Mikey Veenstra writes about vulnerabilities in the WP Database Backup, Convert Plus and Slick Popup plug-ins. All three have been patched, but in the latter case this happened after Wordfence went public with details, in line with its standard 30-day disclosure policy.


Running the ‘strings’ command is often one of the first things a malware analyst does when looking at a new sample. And anyone who has ever run that command knows that most of the output is noise. FireEye researchers have written a blog post in which they present a machine learning model to rank the output of the command, which could help the researcher find those strings that are most relevant.
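To make the point concrete: the block below extracts ASCII and UTF-16LE strings from a byte blob (what `strings -a` and `strings -el` would give) and ranks them. It is an added example, not FireEye's code and not their model: their post describes a learned ranker, whereas this block substitutes hand-written features (network indicators, file paths, registry keys, Win32 API-like names, command lines) and penalties for symbol-heavy junk, so the weights are assumptions rather than anything measured. The sample blob is constructed, not taken from a real binary.

```python
"""Rank `strings` output so the strings an analyst cares about float to the top.

Added example for the FireEye item; not FireEye's model. Feature weights
are hand-picked assumptions, and SAMPLE_BLOB is constructed.
"""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")              # like `strings -a`
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")      # like `strings -el`

# (pattern, weight, label): things that usually matter to an analyst
FEATURES = [
    (re.compile(r"https?://|ftp://|\b\d{1,3}(?:\.\d{1,3}){3}\b"), 6, "network indicator"),
    (re.compile(r"^(?:cmd|powershell|wscript|rundll32|regsvr32)\b", re.I), 5, "command line"),
    (re.compile(r"^(?:HK(?:LM|CU|EY_[A-Z_]+)\\)?(?:SOFTWARE|Software|SYSTEM)\\"), 5, "registry key"),
    (re.compile(r"^[A-Za-z]:\\|^\\\\|%[A-Za-z]+%"), 5, "file path"),
    (re.compile(r"\.(?:dll|exe|sys|bat|ps1|vbs)\b", re.I), 4, "executable name"),
    (re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z0-9]+)+[AW]?$"), 4, "Win32 API-like name"),
    (re.compile(r"%[sdux]|\{\d\}"), 2, "format string"),
]


def extract_strings(blob):
    """Unique printable strings (ASCII then UTF-16LE) in order of appearance."""
    found = []
    for regex, codec in ((ASCII_RE, "ascii"), (UTF16_RE, "utf-16-le")):
        for m in regex.finditer(blob):
            s = m.group().decode(codec)
            if s not in found:
                found.append(s)
    return found


def score_string(s):
    """Return (score, reasons); higher means more likely to be worth a look."""
    score, reasons = 0, []
    for regex, weight, label in FEATURES:
        if regex.search(s):
            score += weight
            reasons.append(label)
    alnum_ratio = sum(ch.isalnum() for ch in s) / len(s)
    if alnum_ratio < 0.6:                     # opcode soup that happens to be printable
        score -= 3
        reasons.append("mostly symbols")
    if len(s) >= 6 and not re.search(r"[aeiouAEIOU]", s):
        score -= 2                            # unpronounceable, usually not text
        reasons.append("no vowels")
    return score, reasons


def rank_strings(blob):
    """Strings sorted by score, highest first; ties keep file order."""
    ranked = [(score_string(s)[0], s) for s in extract_strings(blob)]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


# Constructed stand-in for a small binary: section name, imports, junk,
# a download URL, a drop path, a persistence key and a UTF-16 command line.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b".text\x00\x00\x00"
    b"kernel32.dll\x00"
    b"VirtualAlloc\x00CreateRemoteThread\x00"
    b"kq1z#x9@\\|,L^!~\x00"
    b"http://example.invalid/update.bin\x00"
    b"C:\\Windows\\Temp\\x.exe\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for score, s in rank_strings(SAMPLE_BLOB):
        print("%3d  %s" % (score, s))
```

On the sample, the drop path and the command line score highest, the URL and the Run key follow, the import names sit in the middle, and the symbol soup lands at the bottom with a negative score. Replace `SAMPLE_BLOB` with the contents of a real file to use it on a sample; the scoring is deliberately simple so that it is easy to see why a string ranked where it did.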


Trend Micro researcher Alfredo Oliveira runs a Docker host honeypot with an exposed API and noticed that a container had been deployed on it. On analysing it, he found that it came from a publicly available Docker Hub repository and contained various scripts, including a Monero miner and a Shodan script that searched for other Docker hosts with exposed APIs.



In an interesting cross-African attack, Netscout noticed a large campaign targeting routers in South Africa that originated from Egypt. The campaign exploits CVE-2014-8361, a five-year-old vulnerability in the Realtek SDK used by many routers, and adds the routers to the Hakai botnet, used for DDoS attacks, which Trend Micro analysed earlier in the year. Interestingly, Akamai recently wrote about a large DDoS campaign that also originated from Egypt and that took place back in March (well before the Realtek incident).


In two posts for the SANS Internet Storm Center blog, Didier Stevens shows how to use scdbg to analyse first-stage malicious shellcode and then, if one has access to the remote server from which the second-stage payload is downloaded, how to use ncat to retrieve it.


While a BlueKeep worm has yet to be seen, Sophos researchers have described how a worm is going after Apache Tomcat servers with easily guessable administrative passwords to deliver cryptocurrency mining malware.


Perception Point has shared recent examples of various Business Email Compromise campaigns.


Gary Warner writes about having received an Amazon Reward spam message through SMS, the link in which only opened in mobile browsers. He followed the rabbit hole and mostly used it to feed his spam traps.


Among the phishing emails we see in our lab, many go after email credentials, which can lead to account compromise and, at the very least, to the compromised accounts being used as senders in subsequent campaigns. Bleeping Computer writes about two campaigns that pretend to come from Office 365 and warn about the deletion of files or of the account itself.

 

Bleeping Computer has also looked at the Maze ransomware (also known as ‘ChaCha’, due to its use of the ChaCha20 algorithm), that is currently being spread through the Fallout exploit kit. An interesting feature of this ransomware is that it determines the ransom amount based on the type of infected machine, with corporate servers generating higher ransoms than standalone home computers.


Huntress Labs’ John Ferrell has analysed a LNK file that started a chain of downloads that would subsequently be executed to reach a final PowerShell payload.


Finally, ZDNet and other outlets report that the authors behind the GandCrab ransomware have announced they will shut it down within a month. GandCrab, which is sold as ransomware-as-a-service, has been one of the most notorious ransomware families of recent years, but such announcements should always be taken with a pinch of salt. Even if true (the claim of $2.5bn in received ransom payments seems quite excessive), such shutdowns often lead to successor malware taking the place of the original, frequently reusing most of the original source code.


© 2019 Virus Bulletin Limited

The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, UK