5/22/2017 FortiGuard Threat Intelligence Brief - January 13, 2017 | FortiGuard


Activity Summary -- Week Ending January 13, 2017

This week, the world's attention has been focused on US President-elect Donald Trump and the allegations that purport to connect him to data stolen by Russian hackers during the 2016 US election. While there is still not enough information to determine whether Trump or his staff were in any way involved with this attack -- named GRIZZLY STEPPE in a report jointly produced by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) -- it is clear that they had access to classified and confidential information that had been stolen during a spear phishing campaign that took place between 2015 and 2016.

A spear phishing email is generally harder to detect than a regular phishing email, because the attacker impersonates someone close to the victim, possibly someone in a position of authority. To avoid becoming a victim of this sort of attack, we at FortiGuard Labs advise you once again to instruct employees to be extremely careful when handling email attachments and links.

Of course, that will not always be enough. In some cases, such as HR staff who receive resumes from potential candidates, opening attachments from people they do not know is part of the job. Everyone at your company has an email address, and someone is likely to click on an attachment regardless of how many times you warn them. Implementing a secure email gateway that inspects attachments and links before they reach the mailbox is the best protection mechanism in these cases.

Malware Activity

Rank  Name                     Volume
1     PHP/Rst.CO!tr.bdr       120,883
2     W64/Egguard.I!tr         79,243
3     Riskware/Asparnet        66,921
4     WM/Agent.D53E!tr.dldr    37,765
5     Android/Qysly.B!tr       28,590

Necurs spreads -- Necurs is one of the world's largest botnets, with more than six million zombie machines attached to it. It is run by organized cybercriminals and has been responsible for millions of dollars in losses tied to banking Trojans and, more recently, the Locky ransomware strain. Locky is notorious for successfully extorting payments from targeted organizations when it encrypts their data and holds it for ransom. Likewise, the Dridex banking Trojan has netted tens of millions of dollars from victims based in the UK and US. FortiGuard Labs has been tracking Necurs since it was first discovered. Recently, though, FortiGuard observed that the criminals managing the botnet had begun pushing out a campaign of several million email messages. This campaign is climbing our list: we tracked approximately 5,300 sensor triggers late last week.

Qysly campaign continues -- Qysly is a malicious Android application that undermines the security of the device it infects and compromises the privacy of its user. Like other Android malware families, Qysly attempts to steal personal or account information, gain access to device functions via backdoors, send text messages or dial premium-rate numbers, and lock or encrypt the device so that the user has to pay to unlock it. According to our analysis, approximately 98% of our detections are occurring in Turkey.

Application Vulnerabilities / IPS

Rank  Name                                                        Volume
1     SIPVicious.SIP.Scanner                               3,126,846,500
2     MS.DNS.WINS.Server.Information.Spoofing              2,709,033,639
3     NTP.Monlist.Command.DoS                              2,699,033,801
4     DNS.Invalid.Opcode                                     436,212,248
5     Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass   430,067,104

NTP on top -- Network Time Protocol (NTP) continues to confirm its fundamental role in DDoS attacks: once again the IPS signature NTP.Monlist.Command.DoS was one of the most detected signatures of the week. NTP runs over UDP, so the source address of a request cannot be trusted, and an ntpd that still answers the mode 7 "monlist" command returns a list of up to 600 recently seen clients in reply to a single 8-byte request. An attacker who sends such requests with the victim's address spoofed as the source turns any open NTP server into a reflector and amplifier, which makes for a simple but effective Denial of Service attack. The monlist command was removed in ntpd release 4.2.7p26, so if you are running an NTP server we strongly encourage you to verify that it has been updated to the latest version. A server that cannot be upgraded can still be taken out of the attacker's pool by adding "disable monitor" to ntp.conf, or by restricting queries with a line such as "restrict default kod nomodify notrap nopeer noquery". To check a server from the outside, run "ntpdc -n -c monlist <server>": a correctly configured server times out instead of returning a client list.
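To make concrete what a signature for this traffic has to recognise, and why the reply is so much larger than the request, the following Python example was written for this edit (it is not FortiGuard code and does not reproduce the NTP.Monlist.Command.DoS signature itself). It builds the 8-byte monlist probe, decodes the mode 7 header, and measures the byte amplification over a constructed request/reply exchange. The header layout and constants follow ntpd's ntp_request.h; the reply stream is synthetic, with zero-filled entries, and the ratio counts UDP payload only, so figures that include IP/UDP headers or use a larger probe will differ.

```python
import struct

# Layout of the 8-byte NTP mode 7 ("private") header, after ntpd's ntp_request.h:
#   byte 0: R(1) M(1) VN(3) Mode(3)    byte 1: Auth(1) Seq(7)
#   byte 2: implementation            byte 3: request code
#   bytes 4-5: Err(4) NItems(12)      bytes 6-7: MBZ(4) ItemSize(12)
RESP_BIT = 0x80              # set on replies
MORE_BIT = 0x40              # more reply packets follow
MODE_PRIVATE = 7
IMPL_XNTPD = 3               # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42       # the "monlist" request code
MONITOR_ENTRY_SIZE = 72      # sizeof(struct info_monitor_1) in a reply
RESP_DATA_SIZE = 500         # data area of one reply packet
ITEMS_PER_REPLY = RESP_DATA_SIZE // MONITOR_ENTRY_SIZE   # 6 entries per packet
MONLIST_MAX_ENTRIES = 600    # ntpd keeps at most 600 recent clients

HEADER = struct.Struct("!BBBBHH")


def build_monlist_request(version=2):
    """The 8-byte probe that scanners (and ntpdc -c monlist) send."""
    first = (version << 3) | MODE_PRIVATE
    return HEADER.pack(first, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7(payload):
    """Decode a mode 7 header; returns None for anything that is not mode 7."""
    if len(payload) < HEADER.size:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = HEADER.unpack(
        payload[:HEADER.size])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & RESP_BIT),
        "more": bool(rm_vn_mode & MORE_BIT),
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "data_len": len(payload) - HEADER.size,
    }


def is_monlist(info):
    """The fields a detection has to match: mode 7, ntpd implementation, request 42."""
    return (info is not None
            and info["implementation"] == IMPL_XNTPD
            and info["request"] == REQ_MON_GETLIST_1)


def build_monlist_reply(n_entries):
    """Constructed reply stream from an unpatched server holding n_entries clients.
    Entry bodies are zero-filled; only the sizes matter for the amplification."""
    n_entries = min(n_entries, MONLIST_MAX_ENTRIES)
    packets, seq = [], 0
    while n_entries > 0:
        n = min(ITEMS_PER_REPLY, n_entries)
        n_entries -= n
        flags = RESP_BIT | (MORE_BIT if n_entries > 0 else 0) | (2 << 3) | MODE_PRIVATE
        header = HEADER.pack(flags, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                             n, MONITOR_ENTRY_SIZE)
        packets.append(header + b"\x00" * (n * MONITOR_ENTRY_SIZE))
        seq += 1
    return packets


def monlist_amplification(datagrams):
    """datagrams: (direction, udp_payload) pairs, 'in' = towards the server,
    'out' = from it. Returns bytes_out / bytes_in counting monlist traffic only."""
    bytes_in = bytes_out = 0
    for direction, payload in datagrams:
        info = parse_mode7(payload)
        if not is_monlist(info):
            continue
        if direction == "out" and info["response"]:
            bytes_out += len(payload)
        elif direction == "in" and not info["response"]:
            bytes_in += len(payload)
    return bytes_out / bytes_in if bytes_in else 0.0


if __name__ == "__main__":
    probe = build_monlist_request()
    exchange = [("in", probe)] + [("out", p) for p in build_monlist_reply(600)]
    print(probe.hex(), len(exchange) - 1, "reply packets,",
          "amplification x%.0f" % monlist_amplification(exchange))
```

The probe bytes 17 00 03 2a are the same four that show up at the start of real monlist scans, and a full 600-entry client list comes back as 100 packets of 440 bytes, which is why one spoofed request per server is enough to flood a victim.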

Microsoft Office patched -- This week, FortiGuard Labs discovered a memory corruption issue that enables remote code execution in both Office 2016 and SharePoint Enterprise Server 2016 when the software fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in the context of the current user. Microsoft inaugurated 2017 by releasing four new updates that fix this vulnerability, which FortiGuard covers with the IPS signature MS.Office.PTLS7.RTF.Handling.Memory.Corruption, as well as additional security holes discovered in the Office suite. The patches will be released only for Windows 10 and Server 2016.

Web Filtering

mswinerror01x050117ml dot club -- FortiGuard Labs identified this domain as a new tech support scam site and registered it on January 4th, 2017. When triggered, the site loads a fake alert message and switches the browser to full-screen mode in order to convince the victim that the reported error is real.

air dash apple dot com -- FortiGuard Labs discovered this phishing site targeting iCloud users. A reverse whois lookup revealed that the threat actor owns a total of 7 domain names, all created for similar purposes. FortiGuard had already blocked five of those domains, and we have subsequently blocked the remaining two.

Threat Research & Insights

PHPMailer remote code execution vulnerability -- This week, a high-priority security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer. FortiGuard Labs recently posted an analysis of this vulnerability on the FortiGuard blog.
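The brief gives only the CVE number. As an added illustration that is neither from this page nor from PHPMailer's own code base, the Python model below reproduces the mechanism the public advisory for CVE-2016-10033 describes: a sender address with a quoted local part is valid email syntax, so format validation accepts it, but once it is concatenated into the sendmail "-f" parameter and passed through PHP's escapeshellcmd() the escaped backslash closes the quote early and the rest of the address becomes extra sendmail options. The escapeshellcmd() reimplementation, the sendmail command line, the sender string and the allow-list regex are all assumptions of this model; the hardened variant follows the allow-list idea later PHPMailer releases adopted rather than their exact code.

```python
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail -t -i"   # assumed sendmail command line

# Characters PHP's escapeshellcmd() backslash-escapes (quotes are handled separately).
_SHELL_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s):
    """Python model of PHP's escapeshellcmd(): metacharacters get a backslash;
    a quote is left alone when a later quote of the same kind pairs with it,
    otherwise it is escaped. That pairing rule is what the payload relies on."""
    out, pending = [], None
    for i, c in enumerate(s):
        if c in _SHELL_META:
            out.append("\\" + c)
        elif c in "\"'":
            if pending is None and c in s[i + 1:]:
                pending = c            # opens a pair: left unescaped
            elif pending == c:
                pending = None         # closes the pair: left unescaped
            else:
                out.append("\\")       # unpaired quote: escaped
            out.append(c)
        else:
            out.append(c)
    return "".join(out)


def sendmail_argv_vulnerable(sender):
    """Vulnerable pattern: the sender goes straight into mail()'s extra
    parameters, which PHP runs through escapeshellcmd() and hands to a shell.
    shlex.split() plays the role of the shell's word splitting."""
    cmdline = SENDMAIL + " " + php_escapeshellcmd("-f" + sender)
    return shlex.split(cmdline)


# Allow-list for the sender (an assumption of this model): no quotes, no
# whitespace, no shell metacharacters can survive this check.
_SAFE_SENDER = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def sendmail_argv_hardened(sender):
    """Only an allow-listed sender is passed with -f; anything else is dropped
    so that no attacker-controlled text reaches the command line at all."""
    if not _SAFE_SENDER.fullmatch(sender):
        return shlex.split(SENDMAIL)
    return shlex.split(SENDMAIL + " " + shlex.quote("-f" + sender))


def injected_options(argv):
    """Options that follow the -f argument: the application never put them there."""
    for i, arg in enumerate(argv):
        if arg.startswith("-f"):
            return [a for a in argv[i + 1:] if a.startswith("-")]
    return []


# Constructed sender in the shape of the public proof of concept: the backslash
# is escaped to a double backslash, which ends the quoted part at the second
# quote, and the text after it is split into separate sendmail arguments.
MALICIOUS_SENDER = '"attacker\\" -oQ/tmp/ -X/var/www/html/backdoor.php  some"@example.com'

if __name__ == "__main__":
    print(sendmail_argv_vulnerable(MALICIOUS_SENDER))
    print(injected_options(sendmail_argv_vulnerable(MALICIOUS_SENDER)))
    print(sendmail_argv_hardened(MALICIOUS_SENDER))
```

With the vulnerable builder, sendmail receives "-X/var/www/html/backdoor.php" as an argument of its own, which is the log-file option the public exploit used to write attacker-controlled content under the web root; the hardened builder never lets that text reach the command line. The practical lesson is that email-format validation is not command-line validation: anything that ends up in an argument string needs its own allow-list.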


You are receiving this newsletter as part of your Fortinet Developer Network (FNDN) account.
