
REN-ISAC Daily Watch Report 2019-07-19

SHARING GUIDELINES: This report can be shared within -closed- communities of cyber security practitioners. It must NOT be shared publicly.

Handlers: Sheryl Swinson (REN-ISAC), Jennifer Pacenza (REN-ISAC), Max Pitchkites (REN-ISAC), Nathaniel Pellant (REN-ISAC), and other credits [A].

CRITICAL NOTICES
======
Nothing to report.

UPCOMING
======
Nothing to report.

FOLLOW-UPS
======
Nothing to report.

VULNERABILITIES AND EXPLOITS (only items of particular note)
======

Chrome's Incognito Mode Has Loophole https://www.itnews.com.au/news/chromes-incognito-mode-has-loophole-528441

Chrome's Incognito Mode contains a flaw allowing websites to detect when users are accessing their site with Incognito Mode, Google announced yesterday.

“Chrome’s FileSystem API is disabled in Incognito Mode to avoid leaving traces of activity on someone’s device," Google explains. "Sites can check for the availability of the FileSystem API and, if they receive an error message, determine that a private session is occurring and give the user a different experience.”

The flaw does not pose a security threat to users because websites are still unable to identify individuals, but it does create a business problem. The flaw has been used by websites, according to Google, to compel Incognito users to switch to the normal browsing mode under the assumption that Incognito users are bypassing paywalls and registration requirements.

The flaw will be fixed on Chrome version 76, slated for release on July 30.

-----

US-CERT: Canadian Centre for Cyber Security Releases Advisory on Fileless Malware https://www.us-cert.gov/ncas/current-activity/2019/07/18/canadian-centre-cyber-security-releases-advisory-fileless-malware

The Canadian Centre for Cyber Security (CCCS) has released an advisory on an Astaroth fileless malware campaign affecting Windows. Astaroth resides solely in memory, and an attacker can use it and other fileless malware to steal information, such as credentials and keystrokes, and obtain other sensitive data.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review CCCS’s Fileless Malware Advisory for potential infection vectors and recommended mitigations and refer to CISA’s Tip on Protecting Against Malicious Code.

The Advisory: https://cyber.gc.ca/en/alerts/fileless-malware-advisory

CISA Tip: https://www.us-cert.gov/ncas/tips/ST18-271

-----

Exploits reported at Exploit-DB: http://www.exploit-db.com/

[ remote ]

MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)

[ web apps ]

REDCap < 9.1.2 - Cross-Site Scripting
Web Ofisi Firma 13 - 'oz' SQL Injection
Web Ofisi Rent a Car 3 - 'klima' SQL Injection
Web Ofisi Firma Rehberi 1 - 'il' SQL Injection
Web Ofisi Emlak 3 - 'emlak_durumu' SQL Injection
Web Ofisi Emlak 2 - 'ara' SQL Injection
Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection
Web Ofisi E-Ticaret 3 - 'a' SQL Injection
fuelCMS 1.4.1 - Remote Code Execution

-----

Debian LTS:

[DLA 1833-2] bzip2 regression update https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html

[DLA 1855-1] exiv2 security update https://lists.debian.org/debian-lts-announce/2019/07/msg00015.html

-----

SUSE:

SUSE-SU-2019:1894-1: moderate: Security update for LibreOffice http://lists.suse.com/pipermail/sle-security-updates/2019-July/005733.html

SUSE-SU-2019:14127-1: important: Security update for the Linux Kernel http://lists.suse.com/pipermail/sle-security-updates/2019-July/005734.html

SUSE-SU-2019:1896-1: moderate: Security update for libxml2 http://lists.suse.com/pipermail/sle-security-updates/2019-July/005735.html

SUSE-SU-2019:1895-1: moderate: Security update for tomcat http://lists.suse.com/pipermail/sle-security-updates/2019-July/005736.html

-----

Ubuntu:

[USN-4065-1] Squid vulnerabilities https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/005019.html

[USN-4066-1] libmspack vulnerability https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/005020.html

Ubuntu 18.10 (Cosmic Cuttlefish) End of Life reached on July 18 2019 https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/005021.html

-----

VIRUSES, WORMS, and MALWARE (only items of particular note)
======

Bitpaymer Leveraging New Custom Packer Framework Against Targets Across the U.S. http://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework

Morphisec Labs recently analyzed a ransomware campaign featuring the BitPaymer ransomware and the Dridex banking Trojan, which have attacked 15 companies across the United States over the last three months. Private and public companies have been hit including companies in finance, agriculture, and technology. A notable target was a supply chain solutions provider, which may have been an attempt to spread the malware as far as possible.

So far there has been little variation in the attack pattern. Emails containing Dridex are sent to targeted companies and provide the first foothold into the system. Dridex performs a full reconnaissance stage and steals AD credentials; the malware operators then deploy the BitPaymer ransomware onto the compromised network over the weekend, usually on Saturdays. This careful timing allows the ransomware to compromise the servers that run 24/7 and to spread to the first employees returning to work after the weekend.

The ransomware was observed bypassing advanced endpoint detection and response (EDR) solutions that many compromised organizations had in place. The ransomware and its loader evade detection by using a new framework that allows the attackers to obfuscate and compile a custom loader just 2 or 3 hours before the ransomware's deployment.

-----

Fake Office 365 Site Pushes Trickbot Trojan as Browser Update https://www.bleepingcomputer.com/news/security/fake-office-365-site-pushes-trickbot-trojan-as-browser-update/

Security researchers from MalwareHunterTeam discovered a bogus Microsoft Office 365 website that lures unsuspecting Chrome and Firefox users into downloading the password-stealing Trojan known as TrickBot, disguised as a browser update. On the surface the website appears to be a legitimate Microsoft page and even contains links leading to legitimate Microsoft pages, but after a few seconds the site's visitors are confronted with an alert stating that their browser needs to be updated.

The dialog boxes tell visitors that their browser is out of date and needs to be updated, or else they will suffer the "loss of all stored and personal data" and encounter other browser errors. Clicking on the update button runs an executable named upd365_58vo1[.]exe that installs TrickBot onto the user's computer. When executed, the Trojan is injected into a scvhost[.]exe process so that it is not visible in the task manager. It then communicates with its command-and-control server and performs a variety of malicious tasks, such as sending the C2 server information about the victim's computer, its installed programs, and Windows services, and stealing personal information like saved login credentials, browsing history, form autofill information, and more.

-----

Elusive MegaCortex Ransomware Found - Here is What We Know https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/

Security researchers at BleepingComputer acquired a sample of the nebulous MegaCortex ransomware and analyzed the methods it uses to encrypt targeted systems.

MegaCortex gains access to networks by compromising the network’s Windows domain controller and installing Cobalt Strike to open a reverse shell back to the ransomware operators. They then use PsExec to distribute a batch file and the ransomware contained in an executable named winnit[.]exe. Once the batch file is executed, the workstations connected to that network are compromised. Sophos, the cybersecurity firm that originally discovered MegaCortex, pointed out the interesting fact that Emotet or Qakbot Trojans were also found on networks infected with MegaCortex.

A sample of the ransomware analyzed by MalwareHunterTeam contained code signed with a certificate from a U.K. company entitled "ABADAN PIZZA LTD;" it is possible that this is the name of a company that went out of business and was then claimed by the attackers in order to purchase a certificate.

MegaCortex will disable precisely 1,396 Windows services and processes when it compromises a computer, including services related to security software, database servers, mail servers, and backup software. It will also refrain from encrypting certain file types such as .dll, .exe, .sys, .mui, bootmgr, temp/, and several others. All files encrypted by the ransomware will have the .megacortx extension and a “MEGA-G8=” file marker. The ransomware will also create a log file at C:/x5gj5_gmG8[.]log containing a list of files that it would not or could not encrypt.

The ransom note demands a sum that can vary from anywhere between 2-3 Bitcoins to as much as 600. The note is written with an especially aggressive tone. “We have seen a lot of ransom notes here at BleepingComputer and I can say that the language used in MegaCortex's is one of the most aggressive ones I have seen to date.” A sample note is included in the article, along with IoCs.
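The three host artifacts named in the summary (the .megacortx extension, the MEGA-G8= file marker and the x5gj5_gmG8.log skip list) are enough to build a quick triage scanner. The Python below is an added example, not code from the BleepingComputer or Sophos write-ups: it walks a directory tree, reports files matching each indicator, parses any skip log it finds, and builds a small constructed sample tree to run against. The write-up does not say where in an encrypted file the marker is stored, so checking both the head and the tail of each file is an assumption, as are the sample file names and the skip-log contents.

```python
import tempfile
from pathlib import Path

# Indicators quoted in the write-up above.
ENCRYPTED_EXT = ".megacortx"
FILE_MARKER = b"MEGA-G8="
LOG_NAME = "x5gj5_gmG8.log"

# Assumption: the write-up does not say where the marker is stored, so
# inspect both the first and the last WINDOW bytes of every file.
WINDOW = 4096


def has_marker(path: Path) -> bool:
    """True when the marker appears in the head or the tail of the file."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        if FILE_MARKER in fh.read(WINDOW):
            return True
        if size > WINDOW:
            fh.seek(size - WINDOW)
            return FILE_MARKER in fh.read(WINDOW)
    return False


def read_skip_log(path: Path) -> list:
    """Return the paths listed in the ransomware's skip log, one per line."""
    lines = path.read_text(errors="replace").splitlines()
    return [line.strip() for line in lines if line.strip()]


def scan_tree(root) -> dict:
    """Collect encrypted-file candidates and skip logs under root."""
    root = Path(root)
    report = {"by_extension": [], "by_marker": [], "skip_logs": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == LOG_NAME.lower():
            report["skip_logs"][rel] = read_skip_log(path)
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            report["by_extension"].append(rel)
        if has_marker(path):
            report["by_marker"].append(rel)
    report["by_extension"].sort()
    report["by_marker"].sort()
    return report


def build_sample_tree() -> str:
    """Constructed sample tree: two files carrying both indicators, one file
    carrying only the marker (in its tail), a clean file, and a skip log."""
    root = Path(tempfile.mkdtemp(prefix="megacortex-demo-"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.megacortx").write_bytes(b"\x00" * 100 + FILE_MARKER)
    (docs / "notes.txt.megacortx").write_bytes(FILE_MARKER + b"\x11" * 50)
    # Larger than WINDOW, marker only at the very end, no extension.
    (docs / "photo.jpg").write_bytes(b"\xff" * (2 * WINDOW) + FILE_MARKER)
    (docs / "readme.txt").write_bytes(b"plain text, untouched")
    # Constructed skip-log content; the real log lists files left alone.
    (root / LOG_NAME).write_text("C:\\Windows\\System32\\example.dll\nC:\\bootmgr\n")
    return str(root)


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(key, value)
```

Reporting the extension and the marker separately is deliberate: a file renamed back by a user, or one the malware encrypted but did not rename, still shows up under one of the two lists, and the skip log gives responders the list of paths that were never touched.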

-----

Magecart Group Spotted Operating from War Zone https://www.infosecurity-magazine.com/news/magecart-group-spotted-operating/ AND No Man’s Land: How a Magecart Group is Running a Web Skimming Operation from a War Zone (Original Source) https://blog.malwarebytes.com/cybercrime/2019/07/no-mans-land-how-a-magecart-group-is-running-a-web-skimming-operation-from-a-war-zone/

The Malwarebytes Threat Intelligence Team identified another threat actor using Magecart to steal customer card information from e-commerce sites. The scheme works by using JavaScript disguised as a Google Analytics domain (associated with another breach last year). Account credentials along with names, addresses, emails, and phone numbers are exfiltrated to international servers (also disguised as a Google domain).

Forensic data suggests the group is located in Luhansk (technically Ukraine) near the border of . Because the area is currently riddled with combat, researchers say it is “an ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.”

Luhansk is the capital of an unrecognized state created in 2014 by Russian-backed separatists. The nature of the ongoing political situation makes eliminating the hosting services all the more difficult. The threat actor uses ASN AS58271 (‘FOP Gubina Lubov Petrivna’); the same ASN that hosts 176.119.1[.]70 also contains another skimmer domain, xn--google-analytics-xpb[.]com.
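The skimmer domains in this campaign imitate google-analytics.com, one of them through a Punycode (xn--) label. A defender auditing a storefront wants a check that sees through that disguise. The Python below is an added example, not code from the Malwarebytes or Infosecurity write-ups: it pulls script sources out of a page, decodes xn-- labels, folds common Cyrillic homoglyphs to Latin, strips any other inserted code point, and flags hosts whose label collapses to google-analytics without being one of the legitimate analytics hosts. The allowlist, the confusables map, the constructed sample HTML and the Cyrillic lookalike host are assumptions; xn--google-analytics-xpb.com is the host the report names.

```python
import codecs
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts that legitimately serve the analytics script.
ALLOWED_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "google-analytics.com",
}
# Brand labels that should never appear on a third-party host.
PROTECTED_LABELS = {"google-analytics"}

# Constructed map of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})

HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")

SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def decode_label(label: str) -> str:
    """Return the Unicode form of an xn-- label; other labels are returned as-is."""
    if not label.startswith("xn--"):
        return label
    try:
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    except UnicodeError:
        return label  # undecodable: keep the raw label


def skeleton(label: str) -> str:
    """Fold homoglyphs to Latin and drop anything that is not a plain
    hostname character, so an inserted odd code point disappears."""
    folded = decode_label(label).lower().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch in HOST_CHARS)


def classify_host(host: str) -> str:
    """'allowed' for the real hosts, 'lookalike' when any label collapses
    to a protected brand label, 'unknown' otherwise."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return "allowed"
    if any(skeleton(label) in PROTECTED_LABELS for label in host.split(".")):
        return "lookalike"
    return "unknown"


def audit_html(html: str) -> list:
    """List (src, verdict) for every external script tag in the page."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host is None:  # relative path: first-party, skip
            continue
        findings.append((src, classify_host(host)))
    return findings


# Constructed page: one genuine tag, the Punycode host from the report,
# a Cyrillic homoglyph host, a first-party script and an unrelated CDN.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="//xn--google-analytics-xpb.com/ga.js"></script>
<script src="https://google-analyti\u0441s.com/ga.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
"""

if __name__ == "__main__":
    for src, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:9s} {src}")
```

The skeleton step is what makes the check hold up: a brand label with a single non-ASCII character spliced in, or with one letter swapped for a Cyrillic twin, still collapses to the protected label, while the exact allowlist keeps the genuine hosts from being reported. Running the same audit against the page's stored copy and its live copy also catches the injection itself, not just the domain.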

-----

PHISHING, SOCIAL ENGINEERING and
======
Nothing to report.

HACKS, ATTACKS, AND DATA THEFT/LOSS
======

AMCA Breach Total Hits 22.2 Million Patients https://digitalguardian.com/blog/amca-breach-total-hits-222-million-patients

The American Medical Collection Agency (AMCA) suffered a breach possibly dating back to August 2018, and new figures regarding the scale of its impact have surfaced. The original estimate of 20 million people with compromised data has been revised to 22.2 million people after the Texas-based organization Clinical Pathology Laboratories, Inc. (CPL) confessed this week that 2.2 million of its patients’ data was compromised in the same incident. The facility, which used AMCA as its collection agency, was notified by AMCA in May regarding the incident but only now learned the full extent of the damage.

CPL affirmed that patient names, addresses, phone numbers, dates of birth, dates of service, balance information, payment card or banking information and treatment provider information might have been accessed in the breach. Other organizations associated with AMCA suffered a breach of Social Security numbers as well, but CPL's statement says its patients have not been impacted on that front. AMCA said 11.9 million Quest Diagnostics patients’ Social Security numbers had been breached, however.

-----

PRIVACY
======

Kazakhstan Begins Intercepting HTTPS Internet Traffic of All Citizens Forcefully https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html

In April the government of Kazakhstan compelled all of the country’s major Internet Service Providers (ISPs) to issue a mandatory "national security certificate" to all of their customers if they want to continue using the internet. Once installed, the root certificate will enable ISPs to monitor their customers' encrypted HTTPS and TLS connections and allow the government to monitor the online activity of its people. Essentially, the government is launching a giant man-in-the-middle (MiTM) attack on all of its internet-using citizens.

Major Kazakh ISP Tele2 is now redirecting all of its users' HTTPS traffic to a web page showing a set of instructions on how to install the root certificate on Windows, macOS, Android, and iOS devices. Kazakh users can only access non-HTTPS websites without the certificates, but in order to download the government certificates in the first place, users will have to download them from insecure HTTP connections and thus expose themselves to MiTM attacks.

"A security certificate has been introduced that will become an effective tool for protecting the country's information space from hackers, Internet fraudsters and other types of cyber threats," reads a note from a Kazakh ISP.

-----

REPORTS, PAPERS, AND PRESENTATIONS
======

Shapeshifting Morpheus Chip Aims to Baffle Hackers https://nakedsecurity.sophos.com/2019/07/19/shapeshifting-morpheus-chip-aims-to-baffle-hackers/ AND Morpheus: A Vulnerability-Tolerant Secure Architecture Based on Ensembles of Moving Target Defenses with Churn (Original Source) https://web.eecs.umich.edu/~barisk/public/morpheus.pdf

Morpheus, a new chip architecture designed to counter weaknesses present in today’s designs, is drawing attention from researchers at the University of Michigan. The project is backed by the U.S. Defense Advanced Research Projects Agency. Though the concept is promising, many are hesitant to assume the new design will immediately fix any and all security woes.

Today, typically utilize malware that exploits programming (like permissions and ) or manipulates unusual states (such as memory buffer overruns). Vulnerability patches—in a gross oversimplification—aim to reduce the chance for error in code. As more code is added to software, however, that code must too be revised to deter hackers from manipulating it.

Morpheus’s goal is to circumvent this possibility by encrypting and randomizing - ‘churning’ - data every 50 milliseconds. Todd Austin of the University of Michigan explains it in this way: “Imagine trying to solve a Rubik’s Cube that rearranges itself every time you blink. That’s what hackers are up against with Morpheus. It makes the computer an unsolvable puzzle.”

Researchers note that beyond control-flow attacks, the hope is to one day “protect against side-channel attacks, timing attacks, Rowhammer attacks, and cache attacks.”

AUDIO/PODCAST
======

SANS Daily Podcast (Stormcast) for Friday, July 19 2019 (~7 min.) https://isc.sans.edu/podcast/podcast6584.mp3

Show Notes & Links https://isc.sans.edu/podcastdetail.html?id=6584

- 802.1x Tips
- Kazachstan TLS Interception
- BEC Trends
- Cylance Weakness

-----

Troy Hunt's Weekly Update #148 (~42 min.) https://omny.fm/shows/troy-hunt-weekly-update/weekly-update-148

Show Notes & Links https://www.troyhunt.com/weekly-update-148/

EV is *Really* Dead; Project Svalbard Updates; Pwned Passwords V5 is (Finally) Live; Heaps More Data Breaches; The HIBP API and Auth; Sponsored by Shape Security

-----

The CyberWire for Friday, July 19 (~25 min.) http://traffic.libsyn.com/thecyberwire/CyberWire_Podcast_2019_07_19.mp3

K3chang is out, about, and more evasive than ever. Data breached at Bulgaria’s National Revenue Agency has turned up online in at least one hacker forum. Facebook’s planned Libra cryptocurrency received close scrutiny and a tepid reception on Capitol Hill this week. Emsisoft offers some common-sense reflections on why local governments are attractive ransomware targets. Please patch BlueKeep. And a hair care product is vulnerable to hacking. Johannes Ullrich from the SANS Technology Institute with tips on ensuring your vulnerability scans are secure. Guest is Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, and coauthor of the book The Fifth Domain.

For links to all of today's stories check out the CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_19.html

-----

TOOLS AND TIPS
======

CIS Cyber Hygiene Guidance for Windows 10 https://www.cisecurity.org/blog/cyber-hygiene-guidance-for-windows-10/

Executive Summary: CIS is dedicated to offering practical guidance on cyber hygiene to Windows 10 users. To that end, our new resource, the CIS Controls Microsoft Windows 10 Cyber Hygiene Guide, is now available. While many versions of Windows are available, Windows 10 Pro is the primary edition of the Windows 10 operating system discussed within our guide.

Cyber hygiene is often viewed as a set of baseline cybersecurity protections that help to secure an organization. CIS Controls Version 7.1 contains industry-developed cybersecurity best practices against the most common attacks seen in the wild. The protections outlined in 43 of the CIS Sub-Controls makeup Implementation Group 1 (IG1), and form the baseline of cyber hygiene. Tactics for implementing the CIS Controls can vary depending on which technology your organization is using. That’s why we developed a guide just for Windows 10.

We developed the CIS Controls Windows 10 Cyber Hygiene Guide to make cybersecurity basics for this particular technology easier to follow. The guide provides practical step-by-step assistance for securing computers running Windows 10 without the need for advanced technical knowledge. It is targeted to organizations concerned with stopping the theft of company information, website defacement, phishing attacks, ransomware, and data loss – just to name a few!

-----

ARTICLES AND OTHER
======

Robot Account Apocalypse: RPA Risk Exploding with Adoption https://securityledger.com/2019/07/robot-account-apocalypse-rpa-risk-exploding-with-adoption/

Robotic Process Automation (RPA), a process for automating and systematizing mundane tasks, is becoming increasingly ubiquitous. RPA is utilized in domains like data collection and interacting with other processes and systems based on that data. Experts expect RPA implementation, to some degree, in nearly every company within the next five years.

With that likelihood in mind, security researchers and industry experts alike are advocating for proactive action to prevent security mishaps.

Typically, the account credentials used for interaction between RPA and other components of the system are hardcoded into the RPA code. This plainly poses a grave security risk, and, compounded by the environments in which RPA is implemented, the situation has the potential for disaster.

Experts suggest companies “should pursue RPA projects in a deliberate fashion, with the knowledge and support of the CIO and CSO,” and that organizations shouldn’t rush into RPA adoption; instead they should adopt established security practices like “least privilege” to mitigate damage.

-----

NEWS
======
Nothing to report.

UPCOMING CONFERENCES, WORKSHOPS, TRAINING, ETC.
======

Upcoming REN-ISAC Regional Member Meetings https://members.ren-isac.net/confluence/display/RMM (Open to members only - sign in with your normal REN-ISAC credentials)

Upcoming webcasts from SANS https://www.sans.org/webcasts/upcoming

~~~ 2019 ~~~

IETF 105 July 20 - July 26 Montreal, Canada https://www.ietf.org/how/meetings/105/

Black Hat USA August 3 -9 Las Vegas, NV https://www.blackhat.com/

BSides Las Vegas August 6 - 7 Las Vegas, NV https://www.bsideslv.org/

Def Con 27 August 8 - 11 Las Vegas, NV https://www.defcon.org/

The Underground Economy Conference 2019 September 3 - 6 Strasbourg, France https://partners.team-cymru.com/isoi_ue19

Derbycon 9.0 September 6 - 8 Louisville, KY https://www.derbycon.com/

Gateways 2019 September 23 - 25 San Diego, CA https://sciencegateways.org/web/gateways2019/welcome

2019 Australian Cyber Conference October 7 - 9 Melbourne https://cyberconference.com.au/

SECTOR 2019 October 9 - 10 Toronto, Ontario https://sector.ca/

M3AAWG 47th General Meeting October 14 - 17 Montreal, Canada https://www.m3aawg.org/upcoming-meetings

Hack.lu October 16 - 17 (pending confirmation) Luxembourg http://www.hack.lu/

Florida Cyber Conference 2019 October 24 - 25 Tampa, FL https://flcybercon.com/

GrrCON October 24 - 25 Grand Rapids, MI http://grrcon.com/

LASCON 2019 October 24 - 25 Austin, TX https://lascon.org/

Triangle InfoSeCon October 25 Raleigh, NC https://www.triangleinfosecon.com/

ISF Annual Congress 2019 October 26 - 28 Dublin, Ireland https://www.securityforum.org/events/world-congress/isfs-30th-annual-world-congress/

Executive Alliance's National security Leaders Symposium 2019 October 27 - 29 Naples, FL https://www.itsecurityleaders.com/national_2019

NANOG 77 October 28 - 30 Austin, TX https://www.nanog.org/meetings/future

ISC2 Security Congress October 28 - 30 Orlando, FL http://congress.isc2.org/

ACM CCS November 11 - 15 London, UK https://www.sigsac.org/ccs/CCS2019/

IETF 106 November 16 - 22 TBD https://www.ietf.org/how/meetings/106/

North America CSX Cybersecurity Nexus Conference November 20 - 21 New York, NY https://www.isaca.org/ecommerce/Pages/csx-north-america.aspx

DeepSec November 28 - 29 Vienna https://deepsec.net/

ACSAC 2019 December 9 - 13 San Juan, Puerto Rico https://www.acsac.org/

~~~ 2020 ~~~

NANOG 78 February 10 - 12 San Francisco, CA https://www.nanog.org/meetings/future

M3AAWG 48th General Meeting February 17 - 20 San Francisco, CA https://www.m3aawg.org/upcoming-meetings

RSA March 4 - 8 San Francisco, CA https://www.rsaconference.com/events/us19

IETF 107 March 21 - 27 Vancouver, BC, Canada https://www.ietf.org/how/meetings/upcoming/

Educause Security Professionals Conference April 21 - 23 Bellevue, Washington https://events.educause.edu/security-professionals-conference/2020

NANOG 79 June 1 - 3 Boston, MA https://www.nanog.org/meetings/future

M3AAWG 49th General Meeting June 8 - 11 European location TBD https://www.m3aawg.org/upcoming-meetings

IETF 108 July 25 - 31 Madrid, Spain https://www.ietf.org/how/meetings/upcoming/

M3AAWG 50th General Meeting October 12 - 15 Brooklyn, NY https://www.m3aawg.org/upcoming-meetings

NANOG 80 October 19 - 20 Seattle, WA https://www.nanog.org/meetings/future

IETF 109 November 14 - 20 Location TBD https://www.ietf.org/how/meetings/upcoming/

-----

REFERENCES
======

[A] CREDITS

Thanks to the following individuals for contribution to the Daily Report:

Sheryl Swinson (REN-ISAC), co-editor
Jennifer Pacenza (REN-ISAC), co-editor
Max Pitchkites (REN-ISAC), writer
Bryce Hart (REN-ISAC), writer
Nathaniel Pellant (REN-ISAC), writer
Joseph Potchanant (REN-ISAC), writer
Susan Coleman (REN-ISAC), writer
Sarah Bigham (REN-ISAC), writer
Chris O'Donnell (REN-ISAC), writer
Doug Pearson (REN-ISAC), editor in chief