Digest

April 2019, Edition 1.0

NETWORK INTELLIGENCE SECURITY ADVISORY The major security news items of the month - major threats and security patch advisory. The advisory also includes IOCs and remediation steps.

IN THIS EDITION:

Security Advisory Listing | Severity

Internet Information Services (IIS) instance running on Windows is vulnerable to Denial of Service (DoS) condition | Critical

PINCHY SPIDER Threat Actor found targeting organizations on a global scale | Critical

New Variant of Tinba Banking Trojan (aka, Tiny Banker) found targeting Banking and Financial Institutions in India | Critical

GlobeImposter v3.0 Ransomware found targeting Healthcare Organizations, Banks and Financial Institutions in South Asia | Critical

A joint malware operation from Wizard Spider and Lunar Spider Threat Actors continued to target Banking & Financial Institutions | Critical

ALSO INSIDE Security Patch Advisory

To know more about our services reach us at info@niiconsulting.com or visit www.niiconsulting.com

SECURITY ADVISORY

Internet Information Services (IIS) instance running on Microsoft Windows is vulnerable to Denial of Service (DoS) condition
Severity: Critical | Date: March 1, 2019

IMPACT

This flaw poses a serious risk of Denial of Service (DoS) attack, which results in unavailability of Web Applications hosted on the IIS instance.

INTRODUCTION

Internet Information Services (IIS) instance running on Microsoft Windows Server is vulnerable to Denial of Service (DoS) condition. This flaw lies with the HTTP/2 specification, which allows clients to specify any number of frames with any number of SETTINGS parameters and send them to the IIS instance running on Microsoft Windows Server. Handling an excessive number of HTTP/2 SETTINGS included in a request causes the IIS instance to become unstable and causes high CPU utilization on Microsoft Windows Server. This, as a result, leads to Denial of Service (DoS) condition for the IIS instance running on Microsoft Windows Server.

A remote attacker might take advantage of this flaw by sending maliciously crafted HTTP/2 requests to a Microsoft Windows Server running an Internet Information Services (IIS) instance, which causes high CPU utilization on the Microsoft Windows Server and instability of the IIS instance running on the server. This results in Denial of Service (DoS) condition for Web Applications hosted via the IIS instance running on Windows Server.

VULNERABILITY

Affected versions:
• and installation)
• Windows Server, version 1709/1803 (Server Core Installation)
• Version 1607/1703/1709 for 32-bit and x64-based Systems
• Windows 10 Version 1803 for 32-bit, x64-based and ARM64-based Systems
• Windows 10 Version 1709 for ARM64-based System

REMEDIATION

1. Kindly apply available patches on Microsoft Windows Workstations & Servers.
2. Kindly define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection.
3. Kindly refer the attached Excel Sheet, for quick access to available security patches.

READ

• ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames
• Define thresholds on the number of HTTP/2 Settings parameters exchanged over a connection
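As an added defender-side illustration of the threshold that remediation step 2 asks for (this is example code, not code from the advisory, from IIS or from Microsoft), the following Python parses a client's HTTP/2 frames, counts SETTINGS parameters per frame and per connection, and reports a client that exceeds the limits. The threshold values, the function names and the sample frames are assumptions constructed for the example.

```python
import struct

# RFC 7540: 9-byte frame header (24-bit length, type, flags, 31-bit stream id); a SETTINGS payload
# is 16-bit identifier + 32-bit value pairs, and only six identifiers are defined.
FRAME_HEADER_LEN, SETTINGS_TYPE, SETTINGS_ENTRY_LEN = 9, 0x4, 6
MAX_SETTINGS_PER_FRAME, MAX_SETTINGS_PER_CONNECTION = 16, 64  # assumed for this example, not from the advisory

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) per frame; data starts after the connection preface."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

def settings_stats(data: bytes):
    """Return (settings_frames, total_parameters, most_parameters_in_one_frame)."""
    frames = total = peak = 0
    for ftype, _flags, stream_id, payload in parse_frames(data):
        if ftype != SETTINGS_TYPE:
            continue
        if stream_id != 0 or len(payload) % SETTINGS_ENTRY_LEN:
            raise ValueError("malformed SETTINGS frame")  # PROTOCOL_ERROR / FRAME_SIZE_ERROR per RFC
        n = len(payload) // SETTINGS_ENTRY_LEN
        frames, total, peak = frames + 1, total + n, max(peak, n)
    return frames, total, peak

def check_connection(data: bytes):
    """Return threshold violations for one client's frames; an empty list means within limits."""
    frames, total, peak = settings_stats(data)
    violations = []
    if peak > MAX_SETTINGS_PER_FRAME:
        violations.append(f"{peak} parameters in one SETTINGS frame (limit {MAX_SETTINGS_PER_FRAME})")
    if total > MAX_SETTINGS_PER_CONNECTION:
        violations.append(f"{total} parameters over {frames} frames (limit {MAX_SETTINGS_PER_CONNECTION})")
    return violations

def settings_frame(entries):
    # Build a SETTINGS frame on stream 0 from (identifier, value) pairs; used only for sample input.
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    return len(payload).to_bytes(3, "big") + bytes([SETTINGS_TYPE, 0]) + struct.pack(">I", 0) + payload

# Constructed samples: a normal client preamble versus a client flooding oversized SETTINGS frames.
NORMAL_CLIENT = settings_frame([(0x3, 100), (0x4, 65535)])
FLOOD_CLIENT = b"".join(settings_frame([(0x3, 100)] * 50) for _ in range(20))
```

A real enforcement point would close the connection once check_connection returns a non-empty list; counting per minute rather than per connection is a natural extension of the same bookkeeping.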

PINCHY SPIDER Threat Actor found targeting organizations on a global scale, by deploying new variant of GandCrab v5.2 Ransomware Severity: Critical Date: March 06, 2019

IMPACT

This poses a serious risk of unauthorized access, data breach, data exfiltration, data loss and causes financial loss to an organization.

INTRODUCTION

PINCHY SPIDER Threat Actor found targeting organizations on a global scale, by deploying a new variant of GandCrab (GandCrab v5.2) Ransomware.

PINCHY SPIDER Threat Actor initially uses RDP and stolen credentials from a compromised host to proceed with lateral movement across the enterprise network, and then deploys GandCrab v5.2 across multiple systems. This threat actor uses system administration tools such as Sysinternals Process Monitor, Process Hacker, and a file search tool called LAN Search Pro to assist with the collection of system information during the reconnaissance phase.

This threat actor also uses the organization's IT systems management software, called LANDesk, to deploy Phorpiex Malware on multiple systems across the enterprise network. This Phorpiex Malware is a loader which downloads and installs other malware, such as Smoke Bot (aka, Smoke Loader) Banking Trojan, Azorult Info-stealer, and XMRig Coin Miner.

VULNERABILITY

All Microsoft Windows Workstation and Server are vulnerable.

REMEDIATION

1. Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
2. Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633 & CVE-2019-0630, on Windows OS.
3. Ensure to Disable SMB version 1 (SMBv1) on Windows OS.
4. Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
5. Ensure web browsers are updated to the latest release.
6. Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
7. Ensure VBScript execution in Internet Explorer is Disabled on connected Windows System.
8. Ensure Macros are Disabled in Microsoft Office Product on connected Windows System.
9. Ensure ActiveX Control is Disabled in Office files.
10. Ensure ActiveX Control is Disabled in Internet Explorer.
11. Kindly ensure Adobe Flash Player is updated to the latest release.
12. Kindly Block mentioned IP/Domain on security devices.
13. Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.

READ

• PINCHY SPIDER Affiliates Adopt "Big Game Hunting" Tactics to Distribute GandCrab Ransomware

New Variant of Tinba Banking Trojan (aka, Tiny Banker) found targeting Banking and Financial Institutions in India, and other countries on a global scale Severity: Critical Date: March 06, 2019

IMPACT

This poses a serious risk of unauthorized access, data breach, data exfiltration and causes financial loss to an organization.

INTRODUCTION

Tinba Banking Trojan (aka, Tiny Banker) found targeting Banking and Financial Institutions in India, and other countries on a global scale.

• It steals browsing data, login credentials, and other sensitive information by executing Man-In-The-Browser (MITB) attack on compromised systems.
• It performs code injections on legitimate Windows processes such as Winver.exe, Explorer.exe and others, to hide and achieve persistence.
• It can detect and evade virtual environments by calling the following Windows API functions:
  ▪ GetDiskFreeSpaceExW
  ▪ GlobalMemoryStatusEx
  ▪ GetAdaptersAddresses
• It also monitors user activity in the active window by calling GetForegroundWindow. These functions allow the malware to identify whether or not the platform is an analysis environment such as a sandbox or debugger.
• It exfiltrates data to the C2 server using the HTTP POST method, and data is encrypted prior to data exfiltration.

VULNERABILITY

All Microsoft Windows Workstation and Server are vulnerable.

REMEDIATION

1. Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
2. Immediately apply Security Patches for Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667 & CVE-2019-0666, on Windows OS.
3. Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633 & CVE-2019-0630, on Windows OS.
4. Ensure to Disable SMB version 1 (SMBv1) on Windows OS.
5. Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
6. Ensure PowerShell feature is Disabled on non-administrative systems in the production environment.
7. Ensure VBScript execution in Internet Explorer is Disabled on connected Windows System.
8. Ensure Macros are Disabled in Microsoft Office Product on connected Windows System.
9. Ensure ActiveX Control is Disabled in Office files.
10. Ensure ActiveX Control is Disabled in Internet Explorer.

READ

• "Tiny Banker", a banking Trojan that has targeted Windows computers since 2012

GlobeImposter v3.0 Ransomware found targeting Healthcare Organizations, Banks and Financial Institutions in South Asia Severity: Critical Date: March 19, 2019

IMPACT

GlobeImposter v3.0 Ransomware found targeting Healthcare Organizations, Banks and Financial Institutions in South Asia.

INTRODUCTION

GlobeImposter v3.0 Ransomware found targeting Healthcare, Banking and Financial Institutions in South Asia. This ransomware attack is delivered via a spear-phishing email which contains either a macro-enabled Word document or a malicious web URL. This ransomware comes with added functionality such as Brute-Force & Reverse RDP Attacks and Vulnerability Exploitation capabilities, to rapidly propagate throughout the shared networks.

▪ This ransomware uses code injection techniques to evade detection by security solutions.
▪ This ransomware uses a combination of RSA and AES encryption algorithms for encrypting files on the victim's computer system. Data is encrypted using the 2048-bit encryption key.

This ransomware randomly changes the file extension of encrypted files to any of the below mentioned extensions: Ox4444, .China4444, .Help4444, .Rat4444, .Tiger4444, .Rabbit4444, .Dragon4444, .Snake4444, .Horse4444, .Goat4444, .Monkey4444, .Rooster4444, .Dog4444, and .Pig4444

WIDELY TARGETED CVE IDs

▪ CVE-2019-0808
▪ CVE-2019-0797
▪ CVE-2019-0784
▪ CVE-2019-0667
▪ CVE-2019-0666
▪ CVE-2019-0633
▪ CVE-2019-0630

ABUSED PROTOCOL

▪ 135 - Remote Procedure Call (RPC)
▪ 139 - NetBIOS
▪ 445 - Server Message Block (SMB)
▪ 3389 - Remote Desktop Protocol (RDP)

VULNERABILITY

All Microsoft Windows Workstation and Server are vulnerable.

READ

• Analysis of CASE A Latest Variant of the GlobeImposter Family

A joint malware operation from Wizard Spider and Lunar Spider Threat Actors continued to target Banking & Financial Institutions, and Commodity Sector Severity: Critical Date: March 26, 2019

IMPACT

This poses a serious risk of unauthorized access, data breach, data exfiltration and causes financial loss to an organization.

INTRODUCTION

A targeted Spear-Phishing Campaign from Wizard Spider (Russian-Based) and Lunar Spider (Eastern European-Based) Threat Actors continued to target Banking & Financial Institutions, and Commodity Sector in Europe, United States, Middle East, Asia Pacific, South Asia and South East Asia. The received Spear-Phishing email contains either a Macro-enabled Word Document or a URL link to a malicious website, which drops Emotet Banking Trojan during the first stage of the infection chain.

• Later, the Emotet Banking Trojan drops a malware loader called BokBot (aka, IcedID Banking Trojan) and a bundle of DLL (Dynamic Link Library) files during the second stage of the infection chain.
• A new variant of BokBot Malware used in this attack comes with additional capabilities such as exploitation of Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667 and CVE-2019-0666.
• And finally, BokBot will further drop a TrickBot Banking Trojan which has an added exploitation module and the capability to do lateral movement.
• TrickBot's exploitation module is packed with zero-day EternalBlue Exploit code which targets Microsoft SMB vulnerabilities CVE-2019-0633 and CVE-2019-0630 in Microsoft Windows Products.
• And the other supporting module of TrickBot, which allows lateral movement, takes advantage of these SMB vulnerabilities for further malware attacks on and Domain Controller services running on Microsoft Windows Servers.

WIDELY TARGETED CVE IDs

• CVE-2019-0633
• CVE-2019-0630
• CVE-2019-0808
• CVE-2019-0797
• CVE-2019-0784
• CVE-2019-0667
• CVE-2019-0666

VULNERABILITY

All Microsoft Windows Workstation and Server are vulnerable.

READ

• New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration

Security Patch Advisory
04th March 2019 – 10th March 2019 | TRAC-ID: NII19.03.0.2

UBUNTU

CENTOS

ORACLE

IBM