Netizen Threat Brief: 13 June 2018 Edition

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

  1. Zip Slip
  2. Password Reset Flaw
  3. Loki Bot Malware
  4. MitM Chrome Extension
  5. MyHeritage Breach

1. Zip Slip

Overview

Thousands of online projects may have been affected by a vulnerability known as Zip Slip. Attackers have discovered that they can create Zip archives that utilize a attack, which enables them to access files and directories that are stored outside the default folder. This attack allows the attacker to overwrite important files on affected systems, which can either destroy them or replace them with other malicious substitutes.

Zip Slip has been found on the following platforms:

  • Java: It is very prevalent here because Java has no central library that offers high-level processing of archive files.
  • JavaScript
  • Ruby
  • .NET
  • Go

Attackers will target a site that will allow them to upload zip files, and then create malicious versions of the kinds of files that they would like to overwrite. It is even possible for an attacker to attach a zip file to an email, with the malicious file targeting a common location of a Windows desktop.

Recommendations

Like many software bugs, the usual fix is a simple patch. Below and libraries with known vulnerabilities on GitHub. Peruse the list and see if you are using any vulnerable software, as there are updates for most of them on the list. We also recommend that:

  • Projects and libraries with known Zip Slip vulnerabilities https://github.com/snyk/zip-slip-vulnerability
  • If you maintain software that unzips files automatically, you should test to see if it is vulnerable.
  • Consider whether standard libraries would be a better option for your organization.
  • Check to see if your applications are operating in accordance with the principle of least privilege.

2. Password Reset Flaw

Overview

Large cable and internet provider, , has a bug in the way they reset account passwords for their customers. The bug would allow anyone to take over a user’s account. An attacker with some determination and a few hours of their time would be able to take over a customer account with just a username and email address.

The attacker can bypass the access code sent during the reset process exploiting a small flaw; the access code field is not limited allowing for any number of attempts to try codes. Using an automated network intercept tool, the attacker could try as many as 100 codes in 10 seconds, eventually unlocking the account.

Recommendations

The service has since been shutdown and is likely to result in a patch. Once the patch becomes available, it is recommended to apply the fix as soon as possible. It is also recommended that different methods of multifactor authentication (MFA) are utilized. MFA can be a text message or even an application that either approves or denies a sign-in request.

3. Loki Bot Malware

Overview

Malware known as Loki Bot attempts to steal login credentials from infected users and sends the data and other sensitive material to a command and control (C2) server from an infected Windows host. Loki Bot is commonly distributed through malicious spam (malspam). The malware typically has an RTF attachment and is disguised as a Word document. When the file is opened, with a vulnerable version of Microsoft Office, the malware is then downloaded and Loki Bot is installed. Once installed Loki Bot steals usernames, passwords, and other sensitive data pertaining to the Windows Host.

Recommendations

The most effective aversion to this threat would be to make sure all updates and patches are implemented on your Windows system(s). Poor system upkeep seems to be the main opening that this threat needs in order to exploit a vulnerability. The following are also some indicators of the malware:

Indicators are not the same as a block list.  If you need to block the associated web traffic, block anything going to these two domains:

  • com
  • service-sbullet.com

Information from the malicious spam:

  • Date: Sunday, 11 Jun 2018 01:05 UTC
  • From: “Gold Link Logistics” <c37120b2324@fb90cfa11840.tr>
  • Subject: Re: Aw: Aw: Shipping Documents
  • Attachment Name: shipping documents.doc

Traffic from an infected Windows host:

  • 163.221.2 TCP port 443 (HTTPS) – service-sbullet.com – GET /images/mg2/m.exe
  • 122.138.6 TCP port 80 (HTTP) – oceanlinkmarrine.com – POST /loki4/fre.php

Associated malware:

SHA256 hash: b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546

  • File size: 7,347 bytes
  • File name: shipping documents.doc
  • File description: RTF exploiting CVE-2017-11882 disguised as a Word document

SHA256 hash: a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78

  • File size: 667,648 bytes
  • File location: hxxp://service-sbullet.com/images/mg2/m.exe
  • File description: Windows executable file for Lokibot

System administrators can also implement Microsoft’s best practices when it comes to software restriction policies. https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies-technical-overview

4. MitM Chrome Extension

Overview

A malicious chrome extension known as Desbloquear Conteúdo (Unblock Content) targeted Brazilian online banking services. The goal of the malicious extensions is to accumulate stolen user logins and passwords, further allowing the attackers to steal money from the victims’ bank accounts. While most of our users are not in Brazil, the threat of malicious extensions are ever present globally.

This is not the first time that Chrome has been found with bad extensions wanting to steal user information and data (Nyoogle, Lite Bookmarks, Stickies, etc.). In fact, over 500,000 users were affected by the ones that were just mentioned, which is why it is incredibly important to be vigilant and careful of the extensions that you use.

Recommendations

Browser extensions designed to steal logins and passwords are more than feasible, and they should be taken seriously. We recommend discontinuing the use of such extensions if at all possible, however business needs may arise to which they are required. If you must use extensions:

  • Have a good antivirus solution (like Symantec) that is up to date and can check for suspicious activity regarding newly installed extensions.
  • Perform routine patches and updates. Often, malicious extensions require some sort of open vulnerability in a system to activate. Stay current.
  • Only install verified extensions with large numbers of installations and reviews in the Chrome Web Store.
  • Avoid third-party extensions as their validity cannot always be determined.

5. MyHeritage Breach

Overview

The breach was discovered when a security researcher found an archive on a third-party server containing the personal details of 92,283,889 MyHeritage users. The archive contained only emails and hashed passwords, but not payment card details or DNA test results. MyHeritage says it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.

The company also promised to roll out a two-factor authentication (2FA) feature for user accounts, so even if the hacker manages to decrypt the hashed passwords, these would be useless without the second-step verification code.

It goes without saying that MyHeritage users should change their passwords as soon as possible.

The MyHeritage incident marks the biggest data breach of the year and the biggest leak since last year’s Equifax hack.

Recommendations

This breach is a reminder of the importance of using different passwords for every online account.  While the precise password for each account was not revealed, the hash could be reverse-engineer to discover the original password. Since the email address for the accounts was revealed, there is a chance an advisory could try password with the email on different sites, hoping to login successfully.

  • MyHeritage is only now adopting two-factor authentication (2FA); users should always make use of this feature wherever possible.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s