Netizen Threat Brief: 16 May 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. MFA Bypass
  2. Windows IIS 6.0 Cryptomining
  3. Malicious Chrome Extensions
  4. Vulnerable PGP Tools
  5. GDPR Phishing Scam

1. MFA Bypass

Overview

Two-factor authentication (2FA) and multi-factor authentication (MFA) are commonly used as an added layer of security for logins. The extra factor is most valuable against phishing attacks that harvest a user’s password, and MFA can be secure. However, attackers have found a way around it: they spoof a login page, usually delivered through a phishing campaign, that tricks the user into entering their username, password, and MFA code. In short, the credentials captured by the spoofed site can then be used to access the legitimate site.

Recommendations

Attackers will attempt to spoof a website and trick a user into logging into it. Best practice is to:

  • Train users on the tell-tale signs of phishing emails and websites (improper formatting, grammar, style, lack of professional tone, etc.). Scrutinize emails, verify senders, and hover over links to see where they actually go.
  • If possible, use Fast Identity Online (FIDO) authentication. FIDO keeps personally identifiable information (PII) local to the user’s device to protect it. FIDO also uses the Universal Second Factor (U2F) protocol, in which the device creates a new key pair during registration with an online service, retains the private key, and registers the public key with the service.
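The following is an added example, not code from the brief or from the FIDO Alliance: a toy model of why a U2F second factor does not survive the spoofed-login-page attack described above. A real token signs with an ECDSA key pair; here the signature is stood in for by an HMAC over a per-registration secret so the demo needs only the Python standard library. What is modelled faithfully is the binding: the token signs over the relying party’s app ID and over client data that carries the origin the browser actually observed, so a response collected on a look-alike origin is useless at the genuine site. The origins `login.example.com` and `login-example.com` are constructed placeholders.

```python
# Toy model of U2F origin binding. Added example, not from the brief or any
# FIDO implementation. The token's ECDSA signature is stood in for by an HMAC
# over a per-registration secret; app ID / origin / counter handling is modelled
# as in U2F.
import hashlib
import hmac
import json
import secrets
import struct


def _signed_message(app_id, counter, client_data):
    # Same layout as U2F authentication data: H(appId) || counter || H(clientData)
    return (hashlib.sha256(app_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


class Token:
    def __init__(self):
        self._keys = {}      # key handle -> (app ID it was registered for, secret)
        self._counter = 0    # monotonic signature counter, as in real tokens

    def register(self, app_id):
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(32)          # stand-in for the private key
        self._keys[handle] = (app_id, secret)
        return handle, secret                     # stand-in for the public key

    def sign(self, handle, app_id, client_data):
        reg_app_id, secret = self._keys[handle]
        if reg_app_id != app_id:
            raise ValueError("key handle is bound to a different app ID")
        self._counter += 1
        msg = _signed_message(app_id, self._counter, client_data)
        return self._counter, hmac.new(secret, msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.app_id = origin
        self._regs = {}      # handle -> [public part, last counter seen]

    def register(self, token):
        handle, pub = token.register(self.app_id)
        self._regs[handle] = [pub, 0]
        return handle

    def verify(self, handle, challenge, client_data, counter, signature):
        pub, last_counter = self._regs[handle]
        data = json.loads(client_data)
        if data.get("challenge") != challenge:
            return False, "challenge mismatch"
        if data.get("origin") != self.origin:
            return False, "origin mismatch: %s" % data.get("origin")
        expected = hmac.new(pub, _signed_message(self.app_id, counter, client_data),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if counter <= last_counter:
            return False, "counter did not advance (replay or cloned token)"
        self._regs[handle][1] = counter
        return True, "ok"


def browser_sign(token, handle, observed_origin, app_id, challenge):
    # The browser's role: client data records the origin the page really has.
    client_data = json.dumps({"challenge": challenge, "origin": observed_origin},
                             sort_keys=True).encode()
    counter, sig = token.sign(handle, app_id, client_data)
    return client_data, counter, sig


def demo():
    legit = RelyingParty("https://login.example.com")   # constructed origin
    phish = "https://login-example.com"                  # constructed look-alike
    token = Token()
    handle = legit.register(token)
    out = {}
    # 1. Genuine login from the real origin.
    ch1 = secrets.token_urlsafe(16)
    cd1, ctr1, sig1 = browser_sign(token, handle, legit.origin, legit.origin, ch1)
    out["genuine_ok"], _ = legit.verify(handle, ch1, cd1, ctr1, sig1)
    # 2. Phishing page relays the real challenge. A compliant browser derives the
    #    app ID from the page origin, so the token refuses to sign at all.
    ch2 = secrets.token_urlsafe(16)
    try:
        browser_sign(token, handle, phish, phish, ch2)
        out["token_refused"] = False
    except ValueError:
        out["token_refused"] = True
    # 3. A client that feeds the token the real app ID still reports the origin
    #    it observed; the relying party rejects that.
    cd3, ctr3, sig3 = browser_sign(token, handle, phish, legit.origin, ch2)
    out["relayed_ok"], out["relayed_reason"] = legit.verify(handle, ch2, cd3, ctr3, sig3)
    # 4. Replaying the genuine response from step 1 fails on the counter.
    out["replay_ok"], out["replay_reason"] = legit.verify(handle, ch1, cd1, ctr1, sig1)
    return out
```

Run `demo()` to see the four outcomes. The contrast with a one-time code is the point: an OTP typed into a spoofed page is just a string the attacker can forward, whereas the U2F response is only valid for the challenge, origin and counter it was produced for.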

2. Windows IIS 6.0 Cryptomining

Overview

Windows Internet Information Services (IIS) 6.0 has an open vulnerability that is being targeted to mine a cryptocurrency known as Electroneum. While this software was declared to have reached its ‘end of life’ (EOL) three years ago, vulnerable systems are still operating online. The hacking group Lazarus has launched campaigns exploiting this vulnerability to install malware on specific targeted organizations.

The campaign:

  • The campaign targets Windows IIS 6.0 servers through a vulnerability (CVE-2017-7269) disclosed over a year ago.
  • The “Squiblydoo” technique is used to download and execute the malware.
  • The author named the malware file “Isass.eXe”, likely to camouflage it as the legitimate lsass.exe process.
  • The malware hosting server resides in Beijing, China, inside China Unicom’s network.

Recommendations

We recommend searching your systems for the following indicators of compromise:

Malware Hosting Server:

  • 117[.]79[.]132[.]174

Mining pool addresses:

  • electroneum.hashvault.pro:80
  • etn-eu1.nanopool.org:13333
  • etn-eu2.nanopool.org:13333
  • etn-us-east1.nanopool.org:13333
  • etn-us-west1.nanopool.org:13333
  • etn-asia1.nanopool.org:13333
  • etn-jp1.nanopool.org:13333
  • etn-au1.nanopool.org:13333

Files:

  • sct: c7b01b6a732b06174a1d36da46463e22
  • eXe: 2f3ec555526902d25454d6bfc4495da7
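The following is an added example, not code from the brief: a small sweep that checks proxy/DNS log lines for the mining-pool hosts and the hosting server listed above, checks file hashes against the two MD5 values, and flags process images that imitate lsass.exe (the look-alike spelling from the campaign, or the genuine name running from outside System32). The indicator values are the ones in the brief; the log lines and file paths are constructed.

```python
# Sweep for the IIS 6.0 / Electroneum indicators listed above. Added example,
# not from the brief: the indicator values are the brief's, the log lines and
# file paths below are constructed.
import hashlib
import re

MALWARE_HOST = "117.79.132.174"
MINING_POOLS = {
    "electroneum.hashvault.pro",
    "etn-eu1.nanopool.org", "etn-eu2.nanopool.org",
    "etn-us-east1.nanopool.org", "etn-us-west1.nanopool.org",
    "etn-asia1.nanopool.org", "etn-jp1.nanopool.org", "etn-au1.nanopool.org",
}
FILE_HASHES = {   # MD5 -> label used in the brief
    "c7b01b6a732b06174a1d36da46463e22": "sct",
    "2f3ec555526902d25454d6bfc4495da7": "eXe",
}
# Hostnames or dotted IPv4 addresses as they appear in proxy/DNS/firewall logs.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")
# lsass.exe with a capital I, a digit 1, or the real L in the first position.
LSASS_LOOKALIKE = re.compile(r"^[il1]sass\.exe$", re.I)


def scan_log_lines(lines):
    """Return (line number, indicator) for each line naming a pool or the host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            h = m.group(0).lower()
            if (h == MALWARE_HOST or h in MINING_POOLS
                    or any(h.endswith("." + p) for p in MINING_POOLS)):
                hits.append((n, h))
    return hits


def match_hash(md5_hex):
    """Label of a known-bad file for this MD5, or None."""
    return FILE_HASHES.get(md5_hex.lower())


def check_files(paths):
    """MD5 each file and return (path, label) for any that match the brief."""
    matches = []
    for path in paths:
        md5 = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                md5.update(chunk)
        label = match_hash(md5.hexdigest())
        if label:
            matches.append((path, label))
    return matches


def is_lsass_lookalike(image_path):
    """True for a process image that imitates lsass.exe: a look-alike spelling,
    or the real name running from anywhere other than System32."""
    normalized = image_path.replace("\\", "/")
    name = normalized.rsplit("/", 1)[-1]
    if not LSASS_LOOKALIKE.match(name):
        return False
    genuine = (name.lower() == "lsass.exe"
               and normalized.lower().endswith("/windows/system32/lsass.exe"))
    return not genuine


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2018-05-14 09:12:01 proxy allow 10.0.0.7 -> etn-eu1.nanopool.org:13333 tcp",
    "2018-05-14 09:12:05 dns query updates.example.invalid from 10.0.0.7",
    "2018-05-14 09:13:40 proxy allow 10.0.0.7 -> 117.79.132.174:80 GET /Isass.eXe",
]

if __name__ == "__main__":
    for n, ind in scan_log_lines(SAMPLE_LOG):
        print("line %d: indicator %s" % (n, ind))
    for p in (r"C:\Windows\System32\lsass.exe", r"C:\inetpub\wwwroot\Isass.eXe"):
        print(p, "lookalike" if is_lsass_lookalike(p) else "ok")
```

The host match is deliberately on the name or address alone, not on the port, so a pool contacted on a non-standard port is still caught; the ports in the list above are still worth a separate firewall rule.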

We also recommend:

  • Discontinue the use of EOL software wherever feasible.
  • Patch critical vulnerabilities as soon as an update or patch is released.
  • If patching is not an option, consider compensating controls such as a Web Application Firewall (WAF).
  • If at all possible, segment your network and do not let vulnerable systems reach the internet. If a system has no business talking to the outside world, it should remain on the internal network.

3. Malicious Chrome Extensions

Overview

Malicious Google Chrome extensions have infected over 100,000 users. Links to the extensions are spread over Facebook and lead victims to a fake YouTube page that asks them to install the extension. Once installed in the victim’s Chrome browser, the extension executes JavaScript code that makes the victim’s computer part of a botnet. As a member of the botnet, the victim’s Facebook credentials, along with other social media credentials and content, are stolen. Armed with access to the user’s social media accounts, the attackers deliver the same malicious links to the infected person’s friends, restarting the cycle.

To add insult to injury, the botnet also installs cryptocurrency miners and takes measures to prevent an infected user from removing the malicious extensions: the extensions tab closes automatically as soon as it is opened, and a variety of security tools normally offered by Facebook and Google are blacklisted from running.

Recommendations

The following extensions should not be trusted or installed:

  • Nigelify
  • PwnerLike
  • Alt-j
  • Fix-case
  • Divinity 2 Original Sin: Wiki Skill Popup
  • Keeprivate
  • iHabno

We also recommend not using any third-party Chrome extensions if at all feasible. If an extension serves a valid business function required by the organization, then every extension used by the company or on the company network should be vetted and confirmed legitimate before use.
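An added example, not code from the brief: a script that inventories the extensions installed in a Chrome profile and flags any whose display name is on the list above, which is the kind of check the vetting recommendation calls for. It relies on Chrome’s on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json` and resolves localized `__MSG_key__` names through `_locales/<locale>/messages.json`. The demo profile it builds, the extension IDs and the benign extension name “Notes” are constructed.

```python
# Inventory the extensions in a Chrome profile and flag the names listed above.
# Added example, not from the brief. Uses Chrome's on-disk layout
# <profile>/Extensions/<id>/<version>/manifest.json; the demo profile, its
# extension IDs and the benign name "Notes" are constructed.
import json
import os
import tempfile

FLAGGED_NAMES = {
    "Nigelify", "PwnerLike", "Alt-j", "Fix-case",
    "Divinity 2 Original Sin: Wiki Skill Popup", "Keeprivate", "iHabno",
}


def _display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name via _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        path = os.path.join(version_dir, "_locales", locale, "messages.json")
        try:
            with open(path, encoding="utf-8") as f:
                name = json.load(f).get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass
    return name


def list_extensions(profile_dir):
    """One record per installed extension version found under the profile."""
    found = []
    root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return found
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            version_dir = os.path.join(id_dir, version)
            manifest_path = os.path.join(version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as f:
                manifest = json.load(f)
            found.append({
                "id": ext_id,
                "version": version,
                "name": _display_name(version_dir, manifest),
                "permissions": manifest.get("permissions", []),
            })
    return found


def flag_extensions(extensions, blocklist=FLAGGED_NAMES):
    """Extensions whose display name matches the blocklist (case-insensitive)."""
    wanted = {n.lower() for n in blocklist}
    return [e for e in extensions if e["name"].lower() in wanted]


def build_demo_profile():
    """Constructed profile: one flagged extension and one benign, localized one."""
    profile = tempfile.mkdtemp(prefix="chrome-profile-demo-")
    demo = {
        "a" * 32: ("1.0.3", {"name": "Nigelify", "version": "1.0.3",
                             "permissions": ["tabs", "<all_urls>"]}, None),
        "b" * 32: ("2.1", {"name": "__MSG_appName__", "version": "2.1",
                           "default_locale": "en", "permissions": ["storage"]},
                   {"appName": {"message": "Notes"}}),
    }
    for ext_id, (version, manifest, messages) in demo.items():
        version_dir = os.path.join(profile, "Extensions", ext_id, version)
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        if messages:
            locale_dir = os.path.join(version_dir, "_locales", "en")
            os.makedirs(locale_dir)
            with open(os.path.join(locale_dir, "messages.json"), "w", encoding="utf-8") as f:
                json.dump(messages, f)
    return profile


if __name__ == "__main__":
    exts = list_extensions(build_demo_profile())
    flagged = flag_extensions(exts)
    for e in exts:
        mark = "FLAGGED" if e in flagged else "ok"
        print("%s %-8s %s %s" % (e["id"][:8], e["version"], e["name"], mark))
```

A name match is the weakest possible signal, since a malicious extension can be republished under a new name; the `permissions` field is carried in each record so a reviewer can also look for broad grants such as `<all_urls>` on extensions that have no business reading every page.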

4. Vulnerable PGP Tools

Overview

Software vulnerabilities have been discovered in tools implementing two email and data encryption standards: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). The vulnerabilities open the possibility of encrypted data being recovered in plaintext, including past emails. An attacker first obtains the encrypted emails by network eavesdropping or by compromising accounts, servers, backup systems, or client computers, commonly by way of phishing. The attacker then creates an exfiltration channel by abusing the active content of HTML emails (externally loaded images or styles) and retrieves the plaintext through the URLs the victim’s mail client requests. The flaw lies in implementation errors, not in the protocols themselves.

Recommendations

We recommend discontinuing, disabling, or uninstalling tools that automatically decrypt PGP-encrypted email, if at all feasible. We also recommend:

  • Not using HTML mail if at all possible.
  • Disallowing access to external content if it is not required.
  • Patching PGP and S/MIME tools as soon as a patch is released; none is available yet.
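An added example, not code from the brief: a detector for the remote-content references in an HTML mail that the exfiltration channel above depends on (images, stylesheets, frames, scripts and `url()` references in inline or embedded CSS). A gateway or client-side filter can use the result to strip or quarantine such content before a message reaches a decrypting client. The message below is constructed and the tracker and CDN host names are placeholders.

```python
# Find the remote-content references (externally loaded images, styles and the
# like) in an HTML mail. Added example, not from the brief; the message below is
# constructed and the host names are placeholders.
import email
import re
from email import policy
from html.parser import HTMLParser

CSS_URL = re.compile(r"""url\(\s*['"]?\s*((?:https?:)?//[^'")\s]+)""", re.I)
CSS_IMPORT = re.compile(r"""@import\s+['"]((?:https?:)?//[^'"]+)""", re.I)
# Tag -> attribute that makes the client fetch a resource when rendering.
FETCHING_ATTRS = {"img": "src", "link": "href", "iframe": "src", "script": "src",
                  "video": "src", "audio": "src", "source": "src", "object": "data"}


def _is_remote(url):
    return url.strip().lower().startswith(("http://", "https://", "//"))


class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []        # (where, url)
        self._style = None    # buffer while inside <style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._style = []
        attr = FETCHING_ATTRS.get(tag)
        if attr and _is_remote(a.get(attr, "")):
            self.refs.append((tag, a[attr].strip()))
        if _is_remote(a.get("background", "")):          # <body background=...>
            self.refs.append((tag + "[background]", a["background"].strip()))
        for m in CSS_URL.finditer(a.get("style", "")):     # inline style="..."
            self.refs.append((tag + "[style]", m.group(1)))

    def handle_data(self, data):
        if self._style is not None:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style is not None:
            css = "".join(self._style)
            for rx in (CSS_URL, CSS_IMPORT):
                for m in rx.finditer(css):
                    self.refs.append(("style", m.group(1)))
            self._style = None


def remote_references(raw_message):
    """All remote references across the text/html parts of an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs.extend(finder.refs)
    return refs


# Constructed sample message (not a real capture).
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: text/html; charset=utf-8

<html><head><style>
body { background: url("https://cdn.example.invalid/bg.png"); }
</style></head><body>
<img src="cid:logo@example.invalid" alt="logo">
<p>Please see the attached invoice.</p>
<img src="https://track.example.invalid/open?id=c0ffee" width="1" height="1">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for where, url in remote_references(SAMPLE_MESSAGE):
        print("%-10s %s" % (where, url))
```

Note that the inline `cid:` image is not reported, since it is served from the message itself and triggers no network request; only references that would make the client contact an external host count.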

5. GDPR Phishing Scam

Overview

Apple users are being targeted by a phishing campaign that tricks them into “updating” their profiles, falsely claiming that the update is a preventative security hardening step in preparation for the General Data Protection Regulation (GDPR). GDPR is a real regulation set to take effect on May 25th. If executed successfully, the attack tricks users into disclosing their Apple account credentials, which are then used to steal further personal information (credit card and other Apple account details).

A phishing email is sent with a malicious link that takes the user to a legitimate-looking Apple web page. The user is told to click the link or risk the suspension of a service on their account.

Recommendations

Phishing emails are all too common. This one, in particular, shows the classic signs of intimidation: threatening to take something away from the user. While it has been said many times, users must always keep security in mind on the internet, and so we recommend:

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender actually belongs to the company that is supposedly sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
  • Do not give out personal or company information.
  • Review both the signature and the salutation.
  • Do not click on attachments.

Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and that the site has the proper security in place. In addition:

  • Be wary of poor spelling, grammar, and formatting. As can be seen with the Dropbox phishing email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
  • Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

How can Netizen Help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
