Threat Report Feb 2020 Summary

Feb 2020 revealed some new malware as well as some old. Here is a list of major breaches and cyber security incidents for the month:

Targeted Phishing Attack Aims For Well-Known Corporate Brands

A targeted phishing attack using SLK attachments is underway against thirteen companies, some of them well-known brands, to gain access to their corporate networks. Being able to compromise a large corporate network is a goldmine for threat actors, as it allows them to steal corporate secrets and private financial documents, perform enterprise ransomware attacks, and steal files to be used in blackmail attempts. A new phishing campaign discovered by MalwareHunterTeam has been seen targeting thirteen companies with specially crafted emails that pretend to be from the company’s vendor or client.

Unsafe WordPress Plugin Installed on Nearly 200,000 Sites

The developers of the ThemeGrill Demo Importer for WordPress have updated the plugin to remove a critical bug that gives admin privileges to unauthenticated users. In the process of getting logged in as an administrator, the attackers also restore the site’s entire database to its default state. Most active versions are vulnerable. The component, which is used for easy import of ThemeGrill themes' demo content, widgets, and settings, is present on more than 200,000 WordPress sites, and a vulnerable version runs on most of them. The bug is present in versions of the ThemeGrill Demo Importer plugin from 1.3.4 up to 1.6.1. The most popular active versions, according to statistics from the official WordPress plugin repository, are 1.4 through 1.6, which account for more than 98% of current installations. Wiping the database of a vulnerable site requires a theme developed by ThemeGrill to be active; since the plugin is installed, there is a good chance that a theme from the same developer is active.
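
As an added triage check, not code from the report or from ThemeGrill: it reads the plugin's Version header, flags the 1.3.4 to 1.6.1 range the report names, and escalates to database-wipe risk only when the active theme's style.css lists ThemeGrill as author. The header file layout and the "Author: ThemeGrill" convention are assumptions, and the sample headers are constructed.

```python
import re
from typing import Optional, Tuple

# Vulnerable range as stated in the report: 1.3.4 up to and including 1.6.1.
VULN_FIRST = (1, 3, 4)
VULN_LAST = (1, 6, 1)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4' or '1.6.1' into a three-part tuple so '1.4' compares as 1.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def header_field(header_text: str, field: str) -> Optional[str]:
    """Read one 'Field: value' line from a WordPress plugin or theme header block."""
    pattern = rf"^\s*\*?\s*{re.escape(field)}:\s*(.+?)\s*$"
    match = re.search(pattern, header_text, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def assess(plugin_header: str, theme_style_css: str) -> str:
    """Classify exposure from the plugin's main PHP header and the active theme's
    style.css: 'patched', 'admin-takeover', or 'admin-takeover+db-wipe'.
    The database wipe additionally needs an active ThemeGrill theme."""
    version = header_field(plugin_header, "Version")
    if version is None:
        return "unknown"
    if not (VULN_FIRST <= parse_version(version) <= VULN_LAST):
        return "patched"
    # Assumption: ThemeGrill themes declare 'Author: ThemeGrill' in style.css.
    author = (header_field(theme_style_css, "Author") or "").strip().lower()
    return "admin-takeover+db-wipe" if author == "themegrill" else "admin-takeover"

# Constructed sample headers for a stand-alone run (not taken from any real site).
SAMPLE_PLUGIN = """<?php
/**
 * Plugin Name: ThemeGrill Demo Importer
 * Version: 1.6.1
 */
"""
SAMPLE_THEME = """/*
Theme Name: Example Theme
Author: ThemeGrill
*/
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN, SAMPLE_THEME))  # admin-takeover+db-wipe
```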

Hacker Group Catfishes Israeli Soldiers Into Installing Mobile RAT

A hacking group compromised mobile phones belonging to soldiers in the Israel Defense Forces (IDF) by using pictures of young girls and directing them to download malware disguised as chat apps. Behind this endeavor is an actor identified as APT-C-23, known for cyberattacks in the Middle East and associated with the Hamas militant group. Fake profiles, fake apps, fake promises. Baiting Israeli soldiers with pictures of attractive women pretending to be fresh immigrants to Israel, the hackers instructed victims to download, from a provided link, an app that purported to be similar to Snapchat but was not available from an official app store.

Fox Kitten Campaign – Iranian Hackers Exploit 1-day VPN Flaws in Attacks

The campaign targeted dozens of companies and organizations in Israel and around the world. Experts pointed out that the most successful and significant attack vector used by the Iranian hackers was the exploitation of unpatched VPN and RDP services. Iran-linked hackers have targeted companies from different sectors, including IT, telecommunications, oil and gas, aviation, government, and security. “This attack vector is not used exclusively by the Iranian APT groups; it became the main attack vector for cybercrime groups, ransomware attacks, and other state-sponsored offensive groups,” reads the report published by ClearSky. “We assess this attack vector to be significant also in 2020, apparently by exploiting new vulnerabilities in VPNs and other remote systems (such as the latest one existing in Citrix). Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two.” Experts explained that Iranian hackers have focused on 1-day flaws and developed a significant capability to build working exploits for them, which were then employed in their operations.

CVE-2019-0604 SharePoint Remote Code Execution (RCE) Vulnerability

A few days ago I saw a post from Alienvault which says attackers are still exploiting a SharePoint vulnerability to attack Middle East government organizations. Having said that, I found Income Tax Department India and MIT Sloan were also vulnerable to CVE-2019-0604, a remote code execution vulnerability which exists in Microsoft SharePoint. A malicious actor could exploit this vulnerability by simply sending a specially crafted SharePoint application package. Technical analysis: I found this vulnerability during my free time while I was browsing ZoomEye to find such components. The application (incometaxindia.gov.in) was found to be vulnerable as it was using SharePoint as the technology to host its service. To verify this I sent a crafted payload which enabled the remote server (incometaxindia.gov.in) to perform a DNS lookup on my Burp Collaborator. You can do this manually by sending the crafted XML payload or via desharialize.

Data Breaches

Data Breach Exposes Clearview AI Client List
SecurityPhresh – Feb 26 2020 23:38
Most of the company's clients are law enforcement.

How to Prevent an AWS Cloud Bucket Data Leak
Dark Reading – Feb 26 2020 19:10
Misconfigured AWS buckets have led to huge data breaches. Following a handful of practices will help keep you from becoming the next news story.

UK Financial Regulator Admits to Data Breach
SecurityWeek RSS Feed – Feb 26 2020 09:38
Britain’s Financial Conduct Authority on Tuesday admitted to a data breach, in an embarrassing revelation for the regulator and its boss, who shortly takes over at the Bank of England. …

Samsung says Find my Mobile glitch not connected to recent data leak
ZDNet Security – Feb 26 2020 11:31
The strange Find my Mobile ‘1’ glitch experienced by users is thought to be wholly separate from recent customer data exposure.

Top Malware Reported

  1. EMOTET
  2. TRICKBOT
  3. KRYPTIK
  4. TOFSEE
  5. NJRAT

Trending CVEs

  1. CVE-2017-11882 CVSS: 7.8
  2. CVE-2017-0199 CVSS: 7.8
  3. CVE-2014-2875 CVSS: N/A
  4. CVE-2014-2030 CVSS: N/A
  5. CVE-2019-9502 CVSS: 8.8

Recommendations

  1. Update vulnerable services
  2. Only allow traffic to necessary and well-secured ports
  3. Update AV solutions
  4. Phishing training for employees
  5. Regular pentests would identify possible weak points

Sources:

Exploit-DB
McAfee
TrendMicro
Symantec
NIST
Google
FireEye