Netizen Threat Brief: 24 April 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. Drupal Bug
  2. SCADA Router Flaws
  3. Windows Tech Support Scams
  4. LinkedIn AutoFill Plugin Flaw

1. Drupal Bug

Overview

A highly critical vulnerability has been discovered in a popular open-source Content Management System (CMS) called Drupal. The platform is now being actively exploited by hackers to install cryptocurrency miners and to also launch Distributed Denial of Service (DDoS) attacks from the systems that they have compromised.

In the wake of the discovered exploit a botnet has been identified as Muhstik. The Muhstik botnet is piggybacking off the Drupal bug, accessing URLs and injecting publicly available exploit code. The method by which the botnet injects code is allowing hackers to execute commands on targeted servers that are running Drupal.

Recommendations

The Muhstik botnet exploits versions 6, 7, and 8 of the Drupal CMS platform. The afflicted versions could potentially allow an attacker to exploit several vectors on a Drupal site, resulting in the site becoming completely compromised. Over a million Drupal sites have been discovered to be vulnerable to a condition where unauthorized and untrusted users (the attackers) could modify or even delete data hosted on the affected CMS platforms. Muhstik has the capability to install two coinminers – XMRig (XMR) and CGMiner – to mine the open-source, peer-to-peer Dash cryptocurrency.  Drupal has since released a patch for the exploit. We recommend upgrading and patching your Drupal site to the most current version.

We also recommend:

  • Multifactor Authentication (MFA). It is always good to have an added layer of security if a password becomes compromised.
  • Utilizing complex and strong passwords. Muhstik scans for weak SSH passwords; don’t have one of them.
  • Examine install configurations for any issues (safe extensions, no default passwords, employ the principle of least privilege, access control etc.)
  • Apply all relevant patches and updates

Muhstik Crypotmining Pool:

  • 47.135.208.145:4871

Muhstik scans the following TCP ports using the aiox86 scanning module:

  • 80
  • 8080
  • 7001
  • 2004

2. SCADA Router Flaws

Overview

The Moxa EDR-810 Series router protects critical facilities while also maintaining a fast transmission of data. Other features include redundancy protection measures: industrial firewall, NAT, VPN, and L2 (Layer 2) switching structures. Common vulnerabilities among Supervisory Control and Data Acquisition (SCADA) systems include firmware flaws, injections, and weak password encryption.

An industrial router model is designed to provide multifunctional protection within industrial controls systems (ICS) and some models have been identified as having 17 security vulnerabilities. ICS includes pumping and treatment, distributed control systems, oil, energy, and automated manufacturing sectors to name a few. Some of the vulnerabilities are prone to high severity injection commands and denial of service (DoS) flaws, and some medium weaknesses such as password storage and encryption.

However, with the Moxa EDR-810 series of SCADA router, it was discovered that attackers exploited vulnerabilities allowing the them escalate privileges through a specially crafted HTTP POST request, gaining access to the root shell and enabling control of the targeted device. Another flaw lets attackers exploit DoS flaws in the web server and Service Agent by way of specially crafted and designed HTTP URI and TCP ports of 4000 or higher; because of this vulnerability, an attacker can send a network packet that they created to, say, port 4001 causing the system to crash. In addition to the password storage and weak encryption threats, attackers were also able to perform cross-site request forgery (CSRF) to execute malicious code and reconfigure the device.

Recommendations

As always, we recommend updating the firmware to its latest version to avoid any weaknesses in the routers features. It is also recommended to apply the following practices to better safeguard your systems:

  • Network Segmentation: Partition and define the system into specific security zones to isolate and to implement layers of protection, especially for the critical parts of the network.
  • Patch Management: Ensure that your overall control system security is safe from the newest vulnerabilities by regularly installing vendor-released software patches.
  • Intrusion Detection: Establish system-monitoring methods for early identification of malicious activity in the network, from inside the organization to all other possible points of entry.
  • Periodic Assessment and Audits: Periodic testing and verification ensures that the security components of a system are running as assigned, thereby reducing windows of opportunity for threat actors.
  • Incident Planning and Response: Identify and establish a comprehensive proactive and reactive response plan that allow members of the organization to prevent incidents from scaling, as well as to know how to identify these incidents when they happen and what to do when they occur. This also calls for collaborative assessment, planning, maintenance, and implementation.

3. Windows Tech Support Scams

Overview

Microsoft has revealed an increase in tech support scams around the world, jumping about 24% from previous statistics. An estimated 153,000 reports were received in response to the scams from users in 183 different countries. Of these reports, about 15% of victims gave the scammers their personal information. That is roughly 22,000 users that lost somewhere between $200-$400 each. One user in particular had their account drained of $110,000.

Recommendations

We also recommend the following to recognize a scam and what to do about it:

  • Verify the call. Is there a reason for them to be calling you?
  • Do not give out personal or company information over the phone.
  • Be aware that many of these scams attempt to tray and pose a sense of urgency or intimidation that is threatening (i.e. We are going to close out your account if you do not update your information.). These characteristics are indicative of a scam or phishing phone call.

Microsoft states that receiving a phone call is never a good sign. An error message from Windows will not display a phone number. If any support were offered, they would direct you to the support section of their own website(s). Microsoft also stated that they would never just call out of the blue.

4. LinkedIn AutoFill Plugin Flaw

Overview

LinkedIn’s widely popular AutoFill functionally was discovered to leak its users’ sensitive information to third party websites without the user even knowing about it. The AutoFill function described allows users to fill in their profile data quickly for convenience purposes. The information that can automatically be applied includes the user’s full name, email address, ZIP code, as well as their company and job title. It was previously understood that the AutoFill feature works solely on whitelisted websites, however this has been discovered to not be the case.

A legitimate website would, more often than not, place an AutoFill button near the fields that can be populated, however, an attacker could use that kind of feature on their own website and change the properties so that the button is spread across the entire webpage, invisible to the user. The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users’ data via an HTTP POST message to the malicious site.

Recommendations

LinkedIn has since released a patch, however we recommend not using autofill functions in general as they pose a security risk. Personal information should not be readily available in one click. In addition, be wary of phishing attempts, such as fake websites:

  • Do not click on attachments from unknown senders or for information that you did not request or even know anything about
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place (HTTPS).
  • Be wary of poor spelling, grammar, and formatting. Only give personal information to a known site that you trust.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

 

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s