BRAINTRACE

THREAT ADVISORY REPORT

JANUARY 14, 2021

TABLE OF CONTENTS

BACKGROUND ...... 2
NEW BABUK LOCKER RANSOMWARE ...... 2
FILELESS MALWARE ...... 3
POSSIBLE CLONING OF YOUR TITAN 2FA SECURITY KEY ...... 3
SWATTING ATTACKS WITH IOT DEVICES ...... 4
RECENT DEVELOPMENTS OF THE SEARCHDIMENSION MALWARE FAMILY ...... 5
NVIDIA PATCHES 16 VULNERABILITIES IN RECENT SECURITY UPDATE ...... 6
NEW QRAT PHISHING ATTACK ...... 7
BUG IN INTEL X86 BOOT ROMS CAN EXPOSE DATA ...... 7
EMISSARY PANDA APT USING RANSOMWARE ...... 9
SOFTMAKER OFFICE SOFTWARE UNDER TARGETED ATTACK CAMPAIGN ...... 10
NEW PAYPAL PHISHING CAMPAIGN ...... 11
TELEGRAM'S “PEOPLE NEARBY” FEATURE ...... 12
NEW FRAMEWORK RCE VULNERABILITY ...... 12
GOOGLE PATCHES ANDROID RCE BUG ...... 13

BRAINTRACE.COM CONFIDENTIAL 1

BACKGROUND

This report was created to update our clients on new and emerging vulnerabilities and exploits that our security experts have discovered. Our team works diligently on researching threats and vulnerabilities to provide you with a safer network. If you have any questions, do not hesitate to contact us.

NEW BABUK LOCKER RANSOMWARE

The first new ransomware of 2021 is called Babuk Locker. The threat actors target users worldwide and demand a ransom of $60,000 to $85,000 in Bitcoin. Every Babuk Locker executable analyzed has been customized on a per-victim basis to contain a hardcoded extension, ransom note, and a Tor victim URL.

Affected Systems

◾ All Systems

Vulnerability Overview

The threat actors use the Elliptic-curve Diffie–Hellman (ECDH) algorithm as part of the scheme that encrypts the victim's files, and this approach has so far proven effective against a number of companies. A command-line argument controls whether the ransomware encrypts network shares or local files first. Once launched, the ransomware terminates various Windows services and processes known to keep files open and prevent encryption, such as database servers, mail servers, backup software, mail clients, and web browsers.

During encryption, Babuk Locker appends a hardcoded extension to each encrypted file. So far, all of the file extensions have been the same: [.]__NIST_K571__. A ransom note is created containing the victim's name and links to images proving that the threat actors stole files during the encryption. The note contains a basic explanation and a link to a Tor site where the victim can negotiate the ransom with the threat actors. A Babuk Locker representative states that they will soon launch a dedicated leak site or post the stolen data on a hacker forum.

Indicators of Compromise

Ransom note:
◾ How To Restore Your Files[.]txt

SHA256:
◾ 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9

MD5:
◾ e10713a4a5f635767dcd54d609bed977

Filename:
◾ ecdh_pub_k[.]bin


Recommendation

It is recommended to follow strong security practices and not to download or open any files from a phishing email or an unknown source.

Reference https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/

FILELESS MALWARE

When a computer is infected with conventional malware, a file is usually written to the victim's computer. Antivirus software or other malware removal tools can then find the malicious file and remove it, clearing the computer of the threat. Fileless malware is not saved on the computer, and because of that it may be able to evade antivirus software and other security monitoring tools if they are not configured correctly.

Affected Systems

◾ All Systems

Vulnerability Overview

Fileless malware works slightly differently: the malicious code may still be delivered through a file, but that file is never saved to disk. Rather, the malware runs in memory, disguised as a legitimate process.

In other variants, fileless malware gets onto the system by exploiting a code-execution vulnerability or by abusing a network application's ability to run system commands.

Overall, fileless malware is harder to detect and requires other detection methods, such as evaluating a process's behavior or establishing a baseline of normal traffic.

Recommendation

Verify that whatever security solution you are using can identify indicators that exist solely in memory.

Reference https://www.helpnetsecurity.com/2021/01/04/fileless-malware/?web_view=true

POSSIBLE CLONING OF YOUR GOOGLE TITAN 2FA SECURITY KEY

Multi-factor authentication is a great layer of defense when it comes to the security of an account. A user needs to know their password, but also having something in their possession, whether it is a software token or a hardware token, dramatically increases the chance that an account is not accessed without permission. Hardware keys or tokens have been used for some time. In the referenced article, security researchers discuss how threat actors can clone these keys by exploiting an electromagnetic side channel in the chip embedded in them.

Affected Systems

◾ Google Titan Security Key (all versions), Yubico YubiKey NEO, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40.

◾ NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

Vulnerability Overview

The vulnerability affects accounts protected by a FIDO Universal 2nd Factor (U2F) device such as the Google Titan Key, the YubiKey, or the other keys listed in this report and in the article.

To accomplish this, an attacker would need to steal the credentials linked to the key, gain physical access to the Titan Security Key in question, have the skills to write custom software that pulls the key linked to the account, and have about $12,000 worth of equipment.

The obtained key would need to be taken apart so that the ECDSA private key can be gleaned via a side-channel attack, in which the electromagnetic emissions coming off the NXP chip are observed.

Recommendation

Given the sophistication of the attack, it is still recommended to use the Google security key, but remain aware of your key's physical location.

Reference https://thehackernews.com/2021/01/new-attack-could-let-hackers-clone-your.html?&web_view=true

SWATTING ATTACKS WITH IOT DEVICES

The FBI sent out an alert earlier this week about hackers hijacking smart home systems with stolen email passwords, after being contacted by the device manufacturers about these ongoing attacks. VICE reported finding stolen RING credentials for sale on hacker forums for as little as six dollars. RING is also planning to roll out end-to-end encryption by the end of the year to help with security.

Affected Systems

◾ RING doorbells and other smart devices and surveillance systems.


Vulnerability Overview

Threat actors hijack a victim’s smart security system with stolen email passwords and use it to swat the victim’s home. Swatting is falsely reporting an emergency to the authorities so that a SWAT team is sent to a specific location where there is no emergency. Swatting is nothing new and has targeted video streamers in the past; however, it has recently been carried out through smart doorbells and smart surveillance cameras. In the past, swatting attacks made the call appear to come from the victim by spoofing the phone number, but with threat actors hacking into the security devices directly, the calls look even more legitimate.

Recommendation

It is recommended not to use the same credentials for multiple accounts and to make sure you have two-factor authentication enabled where possible.

Reference https://threatpost.com/fbi-warn-home-security-devices-swatting/162678/

RECENT DEVELOPMENTS OF THE SEARCHDIMENSION MALWARE FAMILY

SearchDimension is a malware family that hijacks browsers to make money through ad clicks. In 2020, SearchDimension expanded its features to include obfuscating the process required to remove its malicious browser extensions, malicious web push notifications, complete replacement of the current browser with a compromised version, and overriding the search engine in use in favor of its own.

Affected Systems

◾ Windows
◾ macOS

Vulnerability Overview

The new push notification feature allows SearchDimension to push advertising onto its victims. The obfuscation mentioned above is commonly the removal of the 'Remove' button for the malicious extension. The browser replacement is most commonly a copy of Google Chrome that comes with malicious extensions pre-installed. The search engine is overridden by pulling the user's search term from the browser history and simultaneously closing the current tab and opening a new malicious one.

Visuals of the most common tell-tale indicators of SearchDimension can be found in the reference article.

Recommendation

Be wary of pop-ups for unsolicited extensions, services, and other offers. Only install extensions that have a clear track record of service and value.


Reference https://blog.malwarebytes.com/adware/2020/12/searchdimension-search-hijackers/

NVIDIA PATCHES 16 VULNERABILITIES IN RECENT SECURITY UPDATE

Nvidia, a multinational technology company best known for its gaming and professional GPUs, recently released security updates for 16 vulnerabilities in its graphics driver. These vulnerabilities allow an attacker to launch DoS attacks, tamper with data, and sniff for private data.

Affected Systems

◾ Windows systems with Nvidia GeForce graphics drivers, and vGPU managers, that have not been updated.

Vulnerability Overview

Of these, CVE-2021-1051 is the highest rated on the CVSS scale at 8.4/10; it stems from a problem in the graphics driver's kernel-mode layer. The layer handler (nvlddmkm.sys) for the DxgkDdiEscape interface contains an issue where a certain operation can be used to escalate privileges and launch DoS attacks. CVE-2021-1052 is a vulnerability in the same kernel-mode layer and interface that may allow user-mode clients to access legacy privileged APIs, leading to DoS, privilege escalation, and information leaks.

CVE-2021-1053, CVE-2021-1054, CVE-2021-1055 (on the same kernel layer and interface as the two above), and CVE-2021-1056 (on the nvidia.ko kernel layer, which does not follow OS permissions for GPU device isolation) could allow DoS or information leaks.

The rest of the flaws come from Nvidia's vGPU manager, a tool that allows multiple VMs to simultaneously access a single physical GPU when using the Nvidia graphics drivers running on a physical OS. CVE-2021-1057 allows users to allocate unauthorized resources that could lead to confidentiality and data integrity issues, DoS, and information leaks.

CVE-2021-1059 is an input validation vulnerability in the vGPU plugin that may allow an integer overflow. CVE-2021-1061 is a race condition that could cause the vGPU to use resources that were modified after they were validated, which could lead to DoS or information leaks. Lastly, CVE-2021-1065 is a data input validation vulnerability that can lead to data tampering and DoS.

Recommendation

Update and apply all patches released by Nvidia.

Patch URL https://nvidia.custhelp.com/app/answers/detail/a_id/5142


Reference https://threatpost.com/nvidia-windows-gamers-graphics-driver-flaws/162857/

NEW QRAT PHISHING ATTACK

The latest phishing attack delivering the Quaverse Remote Access Trojan (QRat) entices users to download malware that gives hackers full control over infected Windows machines. QRat first appeared in 2015 and has continued to find success because it is hard to detect, owing to its obfuscated nature, and because it provides attackers with remote access to compromised users' devices. This Trojan is capable of stealing passwords, keylogging, browsing files, taking screenshots, and more, which can allow attackers to gain access to sensitive data.

Affected Systems

◾ All Systems

Vulnerability Overview

A new phishing attack delivers Windows Trojan malware. QRat enables hackers to take full control of affected machines, including the ability to take passwords and other sensitive data. Although it seems obvious not to download software from unverified sources, hackers use curiosity to their advantage in this new phishing scam. Cybersecurity researchers from Trustwave identified this new QRat campaign.

The process starts with a phishing email that claims to offer the victim a loan with a "good return on investment" to pique the victim's interest. However, the malicious email attachment is not related to the subject of the phishing email at all; rather, it claims to be a video of Donald Trump. Researchers believe this lure is based on what is currently newsworthy. Regardless, attempting to open the Java Archive (JAR) file runs an installer for the QRat malware. Hackers manipulate curiosity and, by doing so, install software used for remote access and penetration testing in order to avoid detection.

Recommendation

Please be mindful of phishing emails and never click on a link from a suspicious email. Also, never accept and download software from an unverified source.

Reference https://www.zdnet.com/article/this-new-phishing-attack-uses-an-odd-lure-to-deliver-windows-trojan-malware/

BUG IN INTEL X86 BOOT ROMS CAN EXPOSE DATA

It really is not too often that we see bugs in the boot processes of our endpoints. Maybe once a quarter, we see some bug that can expose data or allow remote code execution (RCE) to occur. As it has been a while, we were due for another. Fortunately, while this bug does affect nearly every x86 processor Intel has produced, the exploit conditions are difficult to meet and cannot be met remotely.

Affected Systems

◾ Intel x86-type Processors

Vulnerability Overview

The bug, CVE-2020-8705, involves two concepts: root of trust and race conditions. In short, a root of trust validates that everything in a software stack or chain is legitimate. A race condition can happen in software when two processes compete to report a certain state, such as running or stopped.

The bug involves exploiting these two elements during the boot process in order to corrupt it. The issue involves the S3 sleep state, in which the contents of RAM are preserved while the CPU is shut down. This is a common sleep or hibernation state on computers worldwide. When the computer wakes up, the CPU must boot again as part of resuming normal operations. The issue is that, with a UEFI BIOS, a root of trust check is not done at this point.

Because of this, it is possible to change the BIOS contents, such as by flashing the ROM, without the CPU being turned on (see article). This could put the endpoint in question into a denial-of-service state. Worse, it could allow RAM to be scanned for decryption keys and other data.

The researcher who discovered this issue described it as a slow-motion race between when the boot ROM is checked and when the code is executed.

Recommendation

However scary this issue may seem, physical access to the hardware is required to execute this attack. As such, proper precautions to ensure your hardware is physically secure are recommended. As this is not technically a critical issue (CVSS 3.0 score of 7.6), it is not expected to be widely patched by vendors. However, you can deploy Intel's firmware workaround tool to provide a further backstop against this issue.

Patch URL https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html

Reference https://www.eejournal.com/article/security-flaw-afflicts-intel-x86-boot-roms/


EMISSARY PANDA APT USING RANSOMWARE

It is not often that an APT group campaigns with ransomware. Usually, state-sponsored actors are more interested in data exfiltration and other espionage activities than in holding data for ransom. However, a newer group, dubbed APT27 or Emissary Panda, has been seen doing just that as of late.

Affected Systems

◾ All Systems

Vulnerability Overview

The group is unusual because it uses known and trusted tools, such as BitLocker, to do the encrypting. This makes their methods difficult to detect in organizations that use those tools daily.

Their recent campaigns have targeted online gambling organizations and encrypted many of their servers. This was reportedly done using third-party software present on those networks, in addition to other exploits such as CVE-2017-0213, a Windows COM vulnerability that allows for privilege escalation. Their backdoor, dubbed Clambing, is used to establish a presence in the network for reconnaissance and other activities. Other tools the group uses include the PlugX remote access trojan (RAT) and the ASPXSpy web shell.

A full detailed report of their activities can be found in the link below: https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf

Indicators of Compromise

URLs:
◾ www.kkxx888666[.]com
◾ www.betwin520[.]com

MD5 Hashes:
◾ e1b44a75947137f4143308d566889837
◾ 36b33c0cf94dacf7cee5b9a8143098d1
◾ c4164efa57204ad32aec2b0f1a12bb3a
◾ aa4f7e8e45915a9f55a8b61604758ba3
◾ 878fa03b792d2925d07f4dac4aa34a47

Recommendation

As always, we recommend testing your networks for vulnerabilities, maintaining a defense-in-depth security posture, and training end users on social engineering attacks as good defenses against APT campaigns.


Reference https://techdator.net/chinese-apts-performing-ransomware-attacks-using-legitimate-tools/

SOFTMAKER OFFICE SOFTWARE UNDER TARGETED ATTACK CAMPAIGN

Analysis of the recent version of SoftMaker's TextMaker software has uncovered multiple conditions in which an attacker could exploit a victim's machine. Using crafted documents sent to the target computer, the exploits are triggered when these tempting messages are opened. The German office software performs various commonplace tasks, from word processing and document design to scripting, and has become increasingly popular of late for its range of abilities.

Affected Systems

◾ SoftMaker Software GmbH SoftMaker Office TextMaker 2021 (Windows, Mac, Linux).

Vulnerability Overview

CVE-2020-13544 SoftMaker Office TextMaker Document Record Sign-In Extension Vulnerability:

Vulnerabilities within the 2021 TextMaker office software allow the document-parsing function to be tricked into sign-extending a value used as a loop bound while filling a heap buffer, so that it writes outside the bounds of that buffer when reading in local file data. This is triggered by opening an attacker-sent document.

CVE-2020-13545 SoftMaker Office TextMaker Document Record Integer Conversion Vulnerability:

TextMaker's document-parsing functionality can be exploited by opening a specially crafted document that causes the parser to miscalculate the length of an allocated buffer and write outside the heap bounds at runtime. This can lead to memory corruption and loss of local file data.

CVE-2020-13546 SoftMaker Office TextMaker Document Record Integer Overflow Vulnerability:

Attackers sending a malicious document aimed at the SoftMaker suite have focused on the calculation of the allocated buffer's length. An integer overflow in that length calculation within TextMaker 2021's document-parsing function can lead to writing outside heap bounds and thus trigger a heap buffer overflow.
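The three TextMaker bugs above are variants of one class: a length derived from attacker-controlled document fields (a sign-extended loop bound, a miscalculated buffer size, a wrapped multiplication) that the allocation trusts but the copy loop does not. The C program below is an added illustration and not SoftMaker's code; it uses a constructed record format (32-bit element count, 16-bit element size, then payload; all names are hypothetical) to show the two buggy length computations returning wrapped values, beside a hardened parser that checks the product against the bytes actually present before allocating.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (hypothetical, not TextMaker's real format):
 *   bytes 0-3  element count, little-endian 32-bit
 *   bytes 4-5  element size,  little-endian 16-bit
 *   bytes 6..  payload, which should hold count * size bytes            */
#define HDR_LEN 6

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Defect 1 (sign extension): a 16-bit field read through int16_t and then
 * widened to size_t becomes SIZE_MAX for 0xFFFF, so a loop bounded by it
 * keeps writing far past the buffer it was meant to fill. */
size_t buggy_loop_bound(const uint8_t *field) {
    int16_t n = (int16_t)le16(field);  /* 0xFFFF -> -1 */
    return (size_t)n;                  /* -1 -> SIZE_MAX */
}
size_t safe_loop_bound(const uint8_t *field) { return le16(field); }

/* Defect 2 (integer overflow / conversion): count * size done in 32 bits
 * wraps, so count=0x01000001, size=0x100 yields 0x100. An allocation of
 * 256 bytes would then be fed by a copy loop meant for 0x100000100 bytes. */
uint32_t buggy_payload_len(const uint8_t *hdr) {
    return le32(hdr) * le16(hdr + 4);
}

/* Hardened: multiply in 64 bits (a 32x16-bit product cannot overflow 64)
 * and require the claimed payload to fit in the bytes actually present. */
int safe_payload_len(const uint8_t *rec, size_t rec_len, size_t *out) {
    if (rec_len < HDR_LEN) return -1;
    uint64_t need = (uint64_t)le32(rec) * le16(rec + 4);
    if (need > (uint64_t)(rec_len - HDR_LEN)) return -1;  /* lies about length */
    *out = (size_t)need;
    return 0;
}

/* Copy the payload into a heap buffer sized from the checked length. */
uint8_t *parse_record(const uint8_t *rec, size_t rec_len, size_t *out_len) {
    size_t need;
    if (safe_payload_len(rec, rec_len, &need) != 0) return NULL;
    uint8_t *buf = malloc(need ? need : 1);
    if (!buf) return NULL;
    memcpy(buf, rec + HDR_LEN, need);
    *out_len = need;
    return buf;
}

/* Parse a record and report the accepted payload length, or -1 if rejected. */
long parsed_len(const uint8_t *rec, size_t rec_len) {
    size_t n = 0;
    uint8_t *buf = parse_record(rec, rec_len, &n);
    if (!buf) return -1;
    free(buf);
    return (long)n;
}

/* Constructed samples: a benign record, a header whose length wraps, and a
 * 16-bit field that sign-extends. */
const uint8_t GOOD_REC[12]    = {0x03,0x00,0x00,0x00, 0x02,0x00, 'a','b','c','d','e','f'};
const uint8_t CRAFTED_HDR[6]  = {0x01,0x00,0x00,0x01, 0x00,0x01};  /* no payload at all */
const uint8_t SIGNED_FIELD[2] = {0xFF,0xFF};

int main(void) {
    printf("crafted header: buggy length 0x%x, hardened parser result %ld\n",
           buggy_payload_len(CRAFTED_HDR), parsed_len(CRAFTED_HDR, sizeof CRAFTED_HDR));
    printf("benign record: %ld payload bytes accepted\n",
           parsed_len(GOOD_REC, sizeof GOOD_REC));
    return 0;
}
```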


Recommendation

Cisco Talos has begun the process of issuing a relevant patch to address the above vulnerabilities. If the covered software is used, it is strongly recommended to visit the attached patch link and download any available updates.

Patch URL https://www.softmaker.com/en/softmaker-office

Reference https://blog.talosintelligence.com/2021/01/vuln-spotlight-softmaker-office--jan-2021.html?&web_view=true

NEW PAYPAL PHISHING CAMPAIGN

A new PayPal text message phishing campaign has begun. It attempts to steal account credentials and other sensitive information that can contribute to identity theft. Smishing scams are increasingly popular, so it is imperative to be wary of any text messages that contain links. This campaign is ongoing.

Affected Systems

◾ All Systems

Vulnerability Overview

The PayPal text message phishing campaign pretends to be from PayPal, stating that the recipient's account status has been changed to "limited," which places temporary restrictions on withdrawing, sending, or receiving money unless the user "verifies their account" by clicking on a link. The message reads: "PayPal: We've permanently limited your account, please click the link below to verify." Clicking the link brings the user to a phishing page that prompts them to log in to their account. If a user logs in on the phishing page, the entered PayPal credentials are handed to the threat actors. The phishing page then goes a step further and tries to collect additional details, including name, date of birth, address, and bank details. This information is used to carry out identity theft, gain access to the victim's other accounts, or perform targeted spear-phishing attacks.

Recommendation

Because smishing scams are prevalent, please treat any text message that contains a link as suspicious. As with phishing emails, never click on suspicious links. Rather, go directly to the website to verify whether there is a problem with your account. If a person received this text and gave out their PayPal information, they should immediately go to PayPal.com and change their password. If that password is also used on any other site, change the password there as well. Be mindful of other targeted phishing campaigns as well. It is suggested to monitor your credit report to make sure fraudulent accounts are not being opened in your name.

Reference https://www.bleepingcomputer.com/news/security/beware-paypal-phishing-texts-state-your-account-is-limited/?&web_v

TELEGRAM'S “PEOPLE NEARBY” FEATURE

Telegram is a messaging app with a built-in "People Nearby" feature. The concern is that threat actors can abuse it to find a victim’s precise location. The company could round a user’s location to the nearest mile to prevent threat actors from learning the precise locations of victims.

Affected Systems

◾ Cell phones that have the app downloaded and have the "People Nearby" feature enabled.

Vulnerability Overview

The easiest method is to walk around the area, collecting GPS latitude and longitude, and note how far away the person is from you at each point. Alternatively, you can go to the Google Play store and get an app called GPS spoof, which lets you spoof a location near the user within a seven-mile radius.

Once you do that, you record how far that person is from that point, and repeat the process for a total of three locations. You can then plug all three locations into Google Earth and use the ruler to find the middle point between the three locations. That middle point should be the victim’s precise location.

Recommendation

It is recommended to make sure you have the people nearby feature disabled.

Reference https://threatpost.com/telegram-triangulation-users-locations/162762/

NEW ZEND FRAMEWORK RCE VULNERABILITY

Researchers have recently discovered a deserialization vulnerability in the Zend Framework. If exploited, the vulnerability can allow threat actors to conduct remote code execution (RCE) on vulnerable PHP applications. The Zend Framework consists of PHP packages used by developers to build object-oriented web applications.

Affected Systems

◾ Zend Framework 3.0.0


Vulnerability Overview

The vulnerability is tracked as CVE-2021-3007. Under certain circumstances it can be exploited through the __destruct method of the Zend\Http\Response\Stream class in Stream[.]php. Deserialization vulnerabilities occur in web applications when encoded data received from a user or another system is not properly validated before being decoded by the application.

This allows threat actors to run arbitrary commands within vulnerable PHP applications if the Stream class is passed an object of the Gravatar class where a streamName is expected. The vulnerability may also be related to the Laminas Project's laminas-http, meaning that not all applications built with the Laminas Project are affected by the vulnerability.

Recommendation

It is recommended to perform thorough security audits of your applications to spot zero-days and vulnerabilities specific to your environment.

Reference https://www.bleepingcomputer.com/news/security/zend-framework-remote-code-execution-vulnerability-revealed/

GOOGLE PATCHES ANDROID RCE BUG

Google recently patched two vulnerabilities rated as Critical in their January update for their ubiquitous Android OS. The bugs could allow for remote code execution (RCE) to take place on the device.

Affected Systems

◾ Android 8 through 11.

Vulnerability Overview

The issue, assigned CVE-2021-0316, is a flaw in the System component of the mobile OS. It can be triggered via a specifically crafted transmission and would allow arbitrary code execution to occur, though more specifics are not known as of the time of this writing.

Recommendation

In total, Google patched about 43 separate bugs in this latest patch cycle. As such, please check your device's update settings to ensure you are updated appropriately.

Patch URL https://source.android.com/security/bulletin/2021-01-01


Reference https://threatpost.com/google-warns-of-critical-android-remote-code-execution-bug/162756/
