Netizen Threat Brief: 4 April 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:
1. BranchScope Intel Processor Vulnerability
2. Multiple PHP Vulnerabilities
3. KOVTER Fileless Malware
4. Thieving Android Malware

1. BranchScope Exploit

Overview

Yet another vulnerability has been discovered in Intel processors, known colloquially as BranchScope. This newest threat surfaces in the wake of the Meltdown and Spectre exploits that would, in a manner of speaking, allow an attacker to bypass security measures and steal sensitive data by way of a computer’s processor.

BranchScope in particular targets a processor’s speculative execution: the mechanism a processor uses to predict the path its current computational task will take. This process enhances the CPU’s speed, letting the chip “speculate” as to what might need to be done later in the command chain. The ultimate goal of speculative execution is to finish the overall task as quickly as possible. By exploiting this subtle flaw, attackers with access to the computer can pull data from memory that would otherwise be inaccessible to all other applications and users.

Recommendations

BranchScope currently affects three generations of Intel processors, hijacking this think-ahead speculative technology and steering it in the wrong direction, thereby exposing critical data and information. With the new exploit, attackers do not even need administrator privileges to reach the data they are after. Data can even be pulled from private regions of memory, known as enclaves, that have been locked away by the processor’s Software Guard Extensions (SGX).

While the exploit is similar to its parent processor vulnerabilities, its ability to take advantage of speculative execution sets it apart, thus paving the way for a slew of new patch and hardware updates in the future. Previous updates and patches issued in response to Meltdown and Spectre will likely have no effect on BranchScope; Intel, however, believes that its current patches should address the BranchScope issue.

Until further fixes are distributed, we recommend staying up to date with software and hardware patches, while also monitoring for any malicious or suspicious activity to systems and hosts.

2. Multiple PHP Vulnerabilities

Overview

Multiple vulnerabilities have been discovered in PHP (Personal Home Page). PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

While several vulnerabilities were discovered, one of the most severe allows an attacker to execute arbitrary code in the context of the affected application. Different applications run with different levels of privilege; depending on the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. A failed exploitation attempt could still result in a denial-of-service (DoS) condition.

Recommendations

Affected systems include:

  • PHP 7.2 prior to 7.2.4
  • PHP 7.1 prior to 7.1.16
  • PHP 7.0 prior to 7.0.29
  • PHP 5.0 prior to 5.6.35
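The affected ranges above are the kind of thing worth checking by script across a fleet rather than by eye. The following is an added example (not from Netizen or the PHP project) that parses `php -v` output or a bare version string and classifies it against exactly the ranges listed in this brief; the sample outputs in the `__main__` block are constructed, and the "PHP 5.0 prior to 5.6.35" entry is interpreted as every 5.x release below 5.6.35.

```python
import re
import subprocess

# Affected ranges exactly as listed in this brief, as [first affected, first fixed).
# The brief lists "PHP 5.0 prior to 5.6.35", so every 5.x release below 5.6.35
# is treated as affected here.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 4)),
    ((7, 1, 0), (7, 1, 16)),
    ((7, 0, 0), (7, 0, 29)),
    ((5, 0, 0), (5, 6, 35)),
]

# Matches "PHP 7.1.15" in `php -v` output as well as a bare "7.1.15".
_VERSION_RE = re.compile(r"(?:PHP\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) from `php -v` output or a version string, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def fmt(version):
    """Render a version tuple as dotted text."""
    return ".".join(str(part) for part in version)


def assess_php_version(text):
    """Classify a version as 'affected', 'fixed', 'unlisted' or 'unknown', with a reason."""
    version = parse_php_version(text)
    if version is None:
        return "unknown", "no PHP version found in input"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return "affected", (f"PHP {fmt(version)} is below {fmt(first_fixed)}; "
                                f"upgrade to {fmt(first_fixed)} or later")
        # Same major.minor branch as a listed fix and at/above it: patched per this brief.
        if version[:2] == first_fixed[:2] and version >= first_fixed:
            return "fixed", f"PHP {fmt(version)} is at or above {fmt(first_fixed)}"
    return "unlisted", f"PHP {fmt(version)} is on a branch this brief does not list"


def check_local_php():
    """Run `php -v` on this host (if PHP is installed) and assess the result."""
    try:
        result = subprocess.run(["php", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown", "php binary not found on this host"
    return assess_php_version(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from any real host.
    samples = [
        "PHP 7.1.15 (cli) (built: Mar  1 2018 10:00:00) ( NTS )",
        "PHP 7.2.4 (cli) (built: Mar 28 2018 12:00:00) ( NTS )",
        "PHP 5.6.30 (cli)",
        "PHP 7.3.0-dev (cli)",
    ]
    for sample in samples:
        status, detail = assess_php_version(sample)
        print(f"{status:9s} {detail}")
    print(*check_local_php())
```

Feed `assess_php_version` the output of `php -v` collected by whatever inventory tooling you already have; anything reported as "unlisted" (for example a 7.3 development build) is outside the scope of this brief and needs a separate check rather than a green light.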

Details of the particular vulnerabilities are below:

Version 7.2.4

  • Bug #62545 (wrong unicode mapping in some charsets).
  • Bug #73957 (signed integer conversion in imagescale()).
  • Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).
  • Bug #75867 (Freeing uninitialized pointer).
  • Bug #75873 (pcntl_wexitstatus returns incorrect on Big_Endian platform (s390x)).
  • Bug #75961 (Strange references behavior).
  • Bug #75969 (Assertion failure in live range DCE due to block pass misoptimization).
  • Bug #76025 (Segfault while throwing exception in error_handler).
  • Bug #76041 (null pointer access crashed php).
  • Bug #76044 (‘date: illegal option -- -’ in ./configure on FreeBSD).
  • Bug #76068 (parse_ini_string fails to parse “[foo]\nbar=1|>baz” with segfault).
  • Bug #76085 (Segmentation fault in buildFromIterator when directory name contains a \n).

Version 7.1.16

  • Bug #76025 (Segfault while throwing exception in error_handler).
  • Bug #76044 (‘date: illegal option -- -’ in ./configure on FreeBSD).
  • Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).
  • Bug #73957 (signed integer conversion in imagescale()).
  • Bug #76088 (ODBC functions are not available by default on Windows).
  • Bug #76074 (opcache corrupts variable in for-loop).
  • Bug #76085 (Segmentation fault in buildFromIterator when directory name contains a \n).
  • Bug #74139 (mail.add_x_header default inconsistent with docs).
  • Bug #76068 (parse_ini_string fails to parse “[foo]\nbar=1|>baz” with segfault).

Version 7.0.29

  • Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).

Version 5.6.35

  • Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).

Currently, there have been no recorded exploits in the wild. To lessen the chance of a breach, we recommend:

  • Upgrade to the latest version of PHP immediately, after appropriate testing.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

3. Kovter Fileless Malware

Overview

Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.

Kovter is no stranger to the malware game; in fact, it has been around for several years. Since its creation, however, it has evolved many times, more recently becoming fileless, and it was the most-used malware last month.

Fileless malware is malicious code that exists in memory rather than being installed on the target computer’s hard drive. It is loaded directly into the computer’s RAM (Random Access Memory) and then injected into running processes.

Recommendations

Since its most recent evolution, Kovter has become much more difficult to detect and mitigate. There are, however, steps that organizations can take to help mitigate and prevent a breach from Kovter:

  • Due to its arrival via spam mail, the organization should look into implementing policies that protect against email threats. This includes setting up anti-spam filters that can block malicious emails before they can even reach the endpoint user.
  • One of the simplest and most effective ways to stop fileless malware is to apply security updates as soon as they are available. Organizations should ensure that their systems have the latest updates to prevent being infected by fileless malware—especially those that exploit vulnerabilities.
  • PowerShell is frequently abused by fileless malware, thus organizations should take necessary precautions to secure this component. This includes implementing steps on properly utilizing PowerShell in operational or cloud environments. Organizations can also list triggers for detection, which can be based on commands known to be used by malicious PowerShell scripts. Threat actors, for instance, often use the “^” symbol to obfuscate their command prompt parameters when invoking PowerShell. Organizations can also consider disabling PowerShell itself if necessary.
  • While fileless malware is more difficult to detect, organizations should still put in the effort to monitor and secure all their endpoints. Using firewalls and solutions that can monitor inbound and outbound network traffic can go a long way towards preventing fileless malware from infecting an organization.
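The “^” trigger mentioned above works because the caret is cmd.exe’s escape character: `p^o^w^e^r^s^h^e^l^l` runs as `powershell`, but a naive string match on the logged command line never sees the word. The following is an added detection example, not Netizen’s own tooling, that normalizes caret escapes in process command lines and flags invocations where the PowerShell keyword only appears after normalization; the command lines in `SAMPLE_COMMAND_LINES` are constructed for the example, not real telemetry.

```python
import re

# Constructed process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
    r'powershell.exe -NoProfile -Command "Get-Service"',
    r'cmd.exe /c p^o^w^e^r^s^h^e^l^l -NoProfile -Command "Get-Date"',
    r'cmd.exe /c echo build complete ^& dir C:\build',
    r'cmd.exe /c echo 100^^ percent',
]

# Names that identify a PowerShell host binary once escapes are removed.
POWERSHELL_KEYWORDS = ("powershell", "pwsh")


def unescape_carets(command_line):
    """Undo cmd.exe caret escaping: '^x' becomes 'x', so '^^' becomes '^'."""
    return re.sub(r"\^(.)", r"\1", command_line, flags=re.DOTALL)


def mentions_powershell(text):
    """True if any PowerShell keyword appears in the (lower-cased) text."""
    lowered = text.lower()
    return any(keyword in lowered for keyword in POWERSHELL_KEYWORDS)


def analyze_command_line(command_line):
    """Return the normalized command line, caret count and a verdict for one process."""
    normalized = unescape_carets(command_line)
    caret_count = command_line.count("^")
    if mentions_powershell(normalized) and not mentions_powershell(command_line):
        # The keyword was only visible after removing escapes: the carets hid it.
        verdict = "obfuscated-powershell"
    elif mentions_powershell(normalized):
        verdict = "powershell"
    elif caret_count:
        # Carets with no hidden keyword: legitimate escaping (e.g. '^&') is common.
        verdict = "caret-escapes"
    else:
        verdict = "benign"
    return {
        "command_line": command_line,
        "normalized": normalized,
        "caret_count": caret_count,
        "verdict": verdict,
    }


def find_obfuscated_powershell(command_lines):
    """Return the analysis records whose PowerShell keyword was hidden by carets."""
    return [
        record
        for record in map(analyze_command_line, command_lines)
        if record["verdict"] == "obfuscated-powershell"
    ]


if __name__ == "__main__":
    for record in map(analyze_command_line, SAMPLE_COMMAND_LINES):
        print(f"{record['verdict']:22s} carets={record['caret_count']:<2d} {record['normalized']}")
```

Only the "obfuscated-powershell" verdict is alert-worthy on its own; plain PowerShell invocations and ordinary caret escapes such as `^&` are far too common in a Windows estate to page on, so route those verdicts to enrichment rather than to an alert.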

4. Thieving Android Malware

Overview

A new Android Trojan masquerading as an antivirus app called Naver Defender has been secretly recording private phone calls and stealing personal data. Labeled KevDroid, the malware is what is known as a remote administration tool (RAT), which allows attackers to perform the aforementioned criminal acts as well as a few other intrusive actions.

This particular type of malware uses an open-source library, readily available on GitHub, which grants the ability to record both incoming and outgoing calls from the compromised Android device. KevDroid has also exhibited the ability to:

  • Record audio
  • Steal web history and files
  • Gain root access
  • Steal call logs, SMS, emails
  • Collect the device location every 10 seconds
  • Collect a list of installed applications

All of this stolen data is then collected and sent to an attacker-controlled command and control (C2) server, hosted on PubNub, a global Data Stream Network, using an HTTP POST request.

Recommendations

The stolen data retrieved off of an individual’s Android could spell disaster. Personal information of that type could lead to possible kidnapping, blackmail by way of images or secret information, credential harvesting, MFA access, banking/financial information, access to privileged accounts, compromised email, etc.

This is what we recommend to keep an Android device secure:

  • Never install applications from 3rd-party stores.
  • Ensure that you have already opted for Google Play Protect.
  • Enable ‘verify apps’ feature from settings.
  • Keep “unknown sources” disabled while not using it.
  • Install anti-virus and security software from a well-known cybersecurity vendor.
  • Regularly back up your phone.
  • Always use an encryption application for protecting any sensitive information on your phone.
  • Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
  • Keep your device always up-to-date with the latest security patches.

How can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
