JS Sniffer exploited in multiple attacks for e-commerce data theft
Target: e-commerce financial framework Magento, OpenCart, Dealer.com, Shopify, WordPress and others
Summary: Researchers have been tracking a new e-commerce financial data theft framework since 2017. JS Sniffer has been mainly leveraged against Magento, an open source e-commerce platform, but has also been observed attacking OpenCart, Dealer.com, Shopify, WordPress and others.
JS Sniffer has been developed as a data scraping tool which sucks up vast amounts of credentials, passwords, financial details and other personal data from its victims. It sits quietly in the background on legitimate websites making many victims unaware that as they enter details for a legitimate transaction, their details are being harvested by cyber-criminal gangs.
Blackgear Cyberespionage Campaign
Target: Public sector agencies, telecommunications companies and other high-technology industries.
Attack Vector: Via phishing email.
Summary: Researchers at TrendMicro have recently observed a continuing cyberespionage campaign from Blackgear. The campaign has been around since 2008 and is based on the Protux backdoor. A notable characteristic now is that instead of having the C2 information embedded within the malware, Blackgear is abusing blogging, microblogging and social media services to hide this configuration.
Blackgear’s attacks have been known to target several different regions and industries, including Japan, South Korea, and Taiwan. The attacks have most commonly targeted public sector agencies, telecommunications companies, and other high-technology industries. Their malware delivery techniques include RAR self-extracting executable (SFX) or office Visual Basic Script to create a decoy document.
The malware is delivered via a phishing email with a decoy document or fake installer file. This decoy document will extract the Marade downloader which saves itself into the Temp folder on the victim’s machine, then increases its file size to over 50MB to bypass traditional sandbox solutions. Marade will check to see if the host is connected to the internet and if there is antivirus installed. If the host is able to connect to the internet and does not have antivirus software, then Marade will take the C2 configuration from a public blog or social media controlled by Blackgear (such as a Facebook pages which was used). If it cannot connect then it will use the C2 configuration embedded in the code. The C2 server sends Protux to the victim’s machine and executes. Protux is a known backdoor which abuses rundll32. It also tests the host’s network connectivity and retrieves the C2 server from another blog.
Analyst Comment: This threat is assessed as 3e MODERATE. The malware has developed and improved upon previous versions and this could indicate that it will continue to make use of modern technology to disguise itself from antivirus software, increasing the likelihood of further attacks. Protux is an old backdoor first seen in 2005 and research has shown that several samples have version numbers embedded. It was initially observed connecting directly to the C2 server, however, it now appears to be making use of encrypted configuration through keywords on social media. As this continuing trend is finding new ways to avoid antivirus and the impact on the brand and reputation of a company if compromised, there is a moderate risk.
Malware Author Builds 18,000-Strong Botnet in one day with one exploit
Target: Huawei, Realtek routers or other IoT devices.
Attack Vector: CVE-2017-17215 or CVE-2014-8361 allowing attacker to execute arbitrary code.
Summary: Researchers from NewSky Security have tracked the creation of a huge new botnet that amassed a large amount of victims in a very short time. The threat actor exploited a vulnerability in Huawei HG532 routers, CVE-2017-17215, in which an authenticated attacker could send malicious packets to port 37215 and launch attacks. This could lead to the remote execution of arbitrary code. In just 24 hrs the bot had amassed a massive 18,000 devices and the malware author has now launched a further targeted attack leveraging CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869. If successful, an attacker can exploit this issue to execute arbitrary code with root privileges. This is still being tested according to researchers.
The threat actor claiming to have created this new bot uses pseudonyms Anarchy or Wicked and is a well-known malware author. Previous exploits seen used by this threat actor have been variations on the Mirai IoT malware, known as Wicked, Omni, and Owari (Sora). All have been used in DDoS attacks in the past.This attack came just a day before the UK Governments report into Huawei’s broadband and mobile infrastructure equipment concluded that it has “only limited assurance” that the equipment poses no threat to national security. This again shows Anarchy/ Wicked has looked to gain further kudos in the criminal fraternity by riding on the media wave of interest.
Analyst Comment: The threat is assessed as 3c MODERATE. If successful, this malware is capable of very powerful DDoS attacks and/ or delivery of other malware such as stealers, cryptomining software and other malicious payloads. The impact of a DDoS attack would be brand damaging and have severe financial implications for a target.
The use of the same exploit as the Satori and Brickerbot bots and other vulnerabilities against networked devices is further evidence the threat actor is experienced and looking to amass as many devices as possible before commencing attacks or hiring out the bot. Therefore, future attacks using this vector remain a significant risk. The actor has previously accomplished a number of successful IoT bot campaigns and is motivated by both kudos and financial gain, from with webstressor payments or renting out the botnet.
The potential for the growth of this botnet is also a significant cause for concern as the actor has shown dissatisfaction with the enormous grown of their bot in a small time period with one device targeted. They immediately begun exploiting a vulnerability against Realtek routers, possibly to try to work in the shadows as the initial increase in activity from the first attack drew attention. Therefore the likelihood of infection is raised with multiple IoT devices being targeted and possible lateral movement through networks
ApophisSquad and 4SPEC7 DDoS ProtonMail. Potential risk to British business.
Target: ProtonMail, ProtonVPN as well as Radware and other DDoS mitigators.
Attack Vector: DDoS attack. SSDP and TCP SYN multi-vector observed.
Threat Actor: ApophisSquad and affiliated group 4SPEC7.
Summary: ApophisSquad has been observed continuing their already significant volume of activity, attacking multiple targets during June. This included hoax bomb threats in addition to attacks which appeared to primarily target British businesses. An affiliate of the group, possibly a subsidy and known as 4SPEC7, has also joined the group in attacking multiple targets with similar tactics. Of significance is the targeting of ProtonMail, an encrypted email service, with a DDoS attack. Further reports indicate the ProtonVPN service had also been affected by the attacks sustained for several hours and causing multiple outages of a few minutes at a time. Risk assessment summary: This threat is assessed as 3d MODERATE. The groups have historically been observed targeting British businesses and with this attack initially cited as a test, the likelihood of further DDoS campaigns are high. An attack would also likely target organisations in Britain as opposed to other nations, making the risk more relevant. This is likely due to the Russian links the group’s are alleged to hold, and the political fallout between the two nations. Businesses targeted are usually high-profile as the group continuously aims to achieve as much attention and recognition as possible. In June, the threat actors demonstrated their capability to deliver enormous attacks, using multiple variants of the DDoS attack vector, revealing the ability to customise attacks to achieve the greatest possible damage.
Malware creators have used PROPagate in Rig Exploit Kit for the first time
Target: Non specific.
Attack Vector: Compromised website that loads the RIG EK landing page.
Summary: Researchers at FireEye have observed a code injection technique called PROPagate being used in the wild for the first time in a targeted malware campaign. PROPagate is a code injection technique first discovered in November 2017 which takes advantage of generic properties of legitimate Windows GUI management APIs and functions. The SetWindowSubclass API has been abused so that it loads and executes malicious code is injected into the processes of legitimate apps.
Risk assessment summary: This threat is assessed as 3e MODERATE. This is part of a trend of cryptomining malware being seen regularly used as a source of income for cybercriminals. The affordable price of malware tools like this and its appeal to inexperienced threat actors also drives up the risk. The techniques used in this campaign are likely to be exploited by other actors for more sinister means, such as ransomware, data exfiltration and possibly Denial of Service attacks. Whilst the impact of Crypto Currency miners is moderate, if the exploits used were to be used to deliver a more potent payload, the impact would be raised significantly.
New variant of malware dubbed PBot seen in the wild.
Target: Anybody. Attack Vector: Redirection from legitimate sites, leading to the pages that trigger the download. Summary: A new variant of the well-known adware dubbed PBot has been observed installing malicious browser extensions such as cryptocurrency miners. The adware, originally used to create pop-up ads on victim’s browsers, has recently been seen to include malicious extensions aimed at generating revenue through acts such as cryptomining. As yet the websites being used are unknown. Risk assessment summary: This threat is assessed at 3d MODERATE. As this was originally adware, it was relatively harmless. However, with the new modules that are included in this variant, the threat is increased. As the new variant provides the authors with the ability to install extensions capable of expanding the capabilities, the threat level of this particular variant is raised. As there have been 50,000 installation attempts during April, this malware is very active and chances of infection are high if users are not vigilant.
New TLBleed vulnerability could leak cryptography keys
Target: Intel’s processors.
Attack Vector: Exploitation of Intel’s Hyper-Threading technology and processor caches to leak data.
Summary: A vulnerability in Intel’s processors has proved to be exploitable by a malware with the aim of extracting encryption keys and sensitive information from applications. The code used for the malware is capable of extracting a secret 256-bit key from another program while it performs a signing operation with libgcrypt’s Curve 25519 EdDSA implementation. Each key was obtained using brute force and machine-learning software.
Risk assessment summary: This threat has been assessed as 3c MODERATE. If successful, TLBleed can leverage flaws in protection of the CPU’s translation lookaside buffer, which can be exploited to extract cryptography keys from another running program with a minimum 98% success rate. However, it is to be considered that malware would need to be running, or a malicious user logged into the system, to exploit it. Additionally, the attack is not currently running in the wild. However, it can be seen as alarming for public cloud users, as other guest instances on the same hardware could attempt to use this to exfiltrate data from threads running in other cores.
Cryptocurrency-mining bot targets devices with SSH service
Target: Internet of Things (IoT) devices that have an open Remote Desktop Protocol (RDP) port.
Attack Vector: Cryptocurrency miner.
Summary: A newly discovered cryptocurrency-mining bot is targeting Internet of Things (IoT) devices that have an open Remote Desktop Protocol (RDP) port, enabling it to exploit vulnerable devices. Not only are attackers targeting IoT connected devices, they are also capable of carrying out cryptocurrency mining in the background. The IP related to the attack has been identified as 18.104.22.168, which is based in the US, California, and connected to the organisation Vivid Hosting. It has seen to be typically landing on port 22, an SSH service. This implies the attack could be applicable to all servers and connected devices with a running SSH service.
Risk assessment summary: This threat has been assessed as 3c MODERATE. If successful, the attacker can install a cryptocurrency miner on to a device using social engineering tactics. Once the miner has been installed, the attackers can funnel profit, in the form of Monero and Ethereum cryptocurrency, over to a scam website. However, the likelihood of infection is mitigated by employing good security practices to protect against phishing or embedded email delivered malware.
ApophisSquad activity increases; threat to British entities
Target: Large/government related British corporations, schools and gaming sector.
Attack Vector: Hoax threats, DDoS attacks, data leaks.
Threat Actor: ApophisSquad.
Summary: Since late 2017 increasing activity has been observed from the hacktivist group known as ApophisSquad. The group have been particularly active since March with the brunt of their activity targeted towards British institutions. The group have been observed sending hoax threats, conducting DDoS attacks and carrying out data leaks. These have all been carried out against various high-level targets, some related to government as well as major banks, such as Barclays UK. In addition, the group has promised further attacks. Risk assessment summary: This threat is assessed as 3b MODERATE. The release of open source tools which any threat actor can use is a significant risk in the long term. Many threat actors are restricted from carrying out DDoS attacks or gaining leaked credentials due to insufficient capacity or intelligence. The use of these tools will enable threat actors to overcome this barrier. The threat actor has also displayed an expert execution of DDoS attacks on numerous instances and also appears to prefer targeting big businesses and the gaming industry.
The chance of further attacks is also high, with the group indicating they will continue and also plan to release their DDoS tool which is still in development. In addition, the group has repeatedly disrupted the same targets, suggesting further repeated attacks are possible. However, there is no indication that the group is state-owned, which may alleviate the possibility of a tit-for-tat situation developing.
Adobe Flash Player zero-day vulnerability
Target: Middle Eastern markets.
Attack Vector: Adobe’s Flash Player software.
Summary: Security researchers from a number of security firms independently contacted Adobe to report attackers using a previously undisclosed zero-day vulnerability in the wild on a large scale. The vulnerability, CVE-2018-5002, affects Adobe’s Flash Player software with firmware version of 22.214.171.124 and earlier. Adobe released a new firmware patch 126.96.36.199 and urged users to install it if they do not have automatic updates activated. This is the second zero-day vulnerability Adobe have patched in 2018 following Korean based attackers deploying CVE-2018-4878 against Korean targets in January .
Risk assessment summary: The threat is assessed as 3c MODERATE. This zero-day vulnerability has been observed actively exploited and, although patched, it remains a vulnerability with many systems still unprotected, driving up the likelihood of successful exploitation. This is likely to stay high until organisations update firmware in their estate. Flash Player is one of Adobes most popular products, raising the likelihood and risk of attack.