Netizen Threat Brief: 14 March 2018 Edition

Threats:

Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. Fruitfly/Quimitchin Malware
  2. Chrome WebUSB Vulnerability
  3. Slingshot Router Vulnerability

1. Fruitfly/Quimitchin Malware

Overview

The Fruitfly Malware, discovered primarily in macOS systems, is using antiquated code to help run undetected and has been reported to attack biomedical research institutions. Some of the code involved also shows signs of running on Linux as well.

Fruitfly, known as OSX.Backdoor.Quimitchin when detected, is used to access user information, log keystrokes to gather credentials, and pivot into other systems and services. It contains just two files: one hidden script is used to communicate back to servers—taking screenshots and reporting system uptime—the second script grants the malware the ability to hide its icon from showing in the macOS Dock. The malware’s primary intention is to grab screenshots and gain webcam access.

Antiquated software Fruitfly runs on includes: SGGetChannelDeviceList, SGSetChannelDevice, SGSetChannelDeviceInput, and SGStartRecord.

Recommendations

The attack vector for Fruitfly includes these externally facing services:

  • Apple Filing Protocol (AFP, port 548)
  • RDP or other VNC
  • SSH (port 22)
  • Back to My Mac (BTMM)

The following are network indicators of Fruitfly/Quimitchin presence:

  • eidk.duckdns.org
  • h8cnq8.duckdns.org
  • hh4de2.duckdns.org
  • hlkmm2.duckdns.org
  • hnqi24.duckdns.org
  • fejose2.duckdns.org
  • fovdim2.duckdns.org
  • eidk.hopto.org
  • eutq.hopto.org
  • tmp1.hopto.org
  • tmp2.hopto.org
  • h8cnq8.hopto.org
  • hh4de2.hopto.org
  • hlkmm2.hopto.org
  • hnqi24.hopto.org
  • fejose2.hopto.org
  • fovdim2.hopto.org

Mac host-based indicators:

  • ~/Library/LaunchAgents/com.client.client.plist
  • ~/Library/LaunchAgents/com.adobe.ARM.<16 random alphanumeric characters>.plist
  • ~/.tmp
  • ~/.client
  • ~/fpsaud
  • ~/Library/Application Support/<16 random alphanumeric characters>
  • ~/.cr or ~/.cr2

Windows host-based indicators:

  • Path of %PROGRAMFILES%\Sophos Suite for NT\
  • Custom (per infection) executable with ‘SAVCleanupService.exe’ or ‘SAVservice.exe’
  • C:\a.exe
  • C:\ab.exe
  • C:\client.exe

Our recommendations will vary in response to different networks, however, system credentials should be both strong, complex, and updated at regular intervals. It is also important to keep antivirus software up to date for the best possible chance of catching malware. It would also prove beneficial to conduct a vulnerability assessment of the local network in its entirety to discover deep rooted malware, such as this, that may be hidden without knowledge.

2. Chrome WebUSB Vulnerability

Overview

Multifactor Authentication (MFA) has been widely used as an added layer of security for credentials and logins. A common example of MFA would be logging into a work account and after entering the password, a verification notification is sent to a user’s phone by way of app or text message to confirm the valid sign-in. While this method is common, there are many other methods—one of which is YubiKey.

YubiKey utilizes a token system, in which a USB device is inserted very much like a regular key. To login, a user would enter their username, plug in their YubiKey and physically press the key to gain access—meaning you cannot log into this account without that key—making this incredibly useful against phishing attempts. Sounds secure right?

A new browser feature in Google Chrome, known as Chrome WebUSB (or WebUSB, is being exploited to potentially bypass the account protections of any victim using a YubiKey.

With a carefully crafted phishing website, a hacker can trick a victim into typing their username and password—which is just standard phishing—but will then send a query directly from their malicious site to the victim’s YubiKey, using that response to unlock that person’s account.

Recommendations

Chrome WebUSB allows websites to directly connect to USB devices, and until a patch is released, we recommend:

  • If feasible do not use tokens like YubiKey on Chrome
  • Verify the sites that you are using are legitimate. It is worth noting that these hackers have to prompt the victim’s permission to enable WebUSB access to their YubiKey as well as the physical touch of the key. Do not enable if you do not trust the site.
  • Be aware of phishing attempts, often appearing as trustworthy emails which contents may be intimidating or even threating—asking for account/billing updates—claiming a consequence if the required materials are not met.

3. Slingshot Router Vulnerability

Overview

A new cyber-threat, known as Slingshot, is a form of cyber-espionage that targets routers and uses them as a launch pad to attack other computers within a network—collecting screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more, although its kernel access means it can steal whatever it wants. This new Slingshot campaign utilizes a wide variety of tools and techniques, making it a much more complex attack than most other malware.

During the configuration process of the router, the router’s managements software downloads and runs the malicious module on the administrator’s computer. As it currently stands, the method of hacking is currently unknown.

Once the router is infected, Slingshot then downloads a range of additional malware modules onto the device—most notably, Cahnadr and GollumApp. The two pieces of malware link together to support each other in gathering information. Cahnadr, in particular, initiates a kernel-mode program that executes malicious code without crashing the entire file system. The complexity of Slingshot itself is indicative of a highly organized group—if not an entity that is state sponsored.

Recommendations

As it appears, individual victims are the main focus rather than organizations, however, there have still been some government institutions being targeted. Current research suggests that MikroTik routers are the only devices affected, although some victims could have been infected through other means.

We recommend to all MikroTik users to upgrade their routers to the latest firmware version as soon as possible. We recommended other brands of routers be upgraded/updated as well, and to also keep all antivirus software current and up to date. Finally, workstation’s and systems should be patched accordingly, as some vulnerable services on these system may have also allowed Slingshot to enter the network.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s