Activity Summary – Week Ending
July 27, 2018
Experts have been warning consumers for years about vulnerabilities in home automation solutions, and Hide ‘N Seek (HNS) might be the first in-the-wild malware to actively target these vulnerabilities. It is expected that the growth of Internet of Things (IoT) devices will reach 20.4 billion by 2020, and a growing segment of these devices are designed for home and business automation. While these devices make people’s lives much easier, they are also good news for cyber criminals since more connected IoT devices means more potential vulnerabilities.
HNS is an IoT botnet which communicates in a complex and decentralized manner (using custom-built peer-to-peer communication) in order to implement a variety of malicious routines. FortiGuard Labs has been monitoring this botnet malware carefully since it was first discovered at the start of the year. While it initially targeted routers, IP cameras, and DVRs, HNS now also targets cross-platform database solutions and smart home devices.
How did HNS evolve to this point? In large part, it is due to the open source Mirai code that is available to malware developers. Drawing inspiration from Mirai, and copying some of its code, HNS has created a new identity for itself. In this report we take a look at the evolution of HNS and how it was able to add exploits on a regular basis over the past several months without making headlines.
Read our Threat Research blog for the full report from our FortiGuard Labs research team. IPS signatures are listed in the blog.
Application Vulnerabilities / IPS
Dasan.GPON.Remote.Code.Execution – We’ve seen a significant rise in detections of our IPS signature Dasan.GPON.Remote.Code.Execution, which detects attempts to exploit Dasan routers, specifically models ZNID-GPON-25xx and certain H640-series ONTs (CVE-2018-10561 and CVE-2018-10562). Activity targeted the United States, India, and Canada, with the United States seeing the largest share of activity (19%). In a nutshell, the first vulnerability allows an attacker to bypass authentication by sending a carefully crafted string to the affected device’s web interface. Combined with the second vulnerability, which allows command injection, it gives a remote attacker full control of the device. The rise makes sense, as various entities have documented these vulnerabilities being used by the Omni botnet, a fork of Mirai.
Signatures: Dasan.GPON.Remote.Code.Execution
JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution – Not to be confused with the ’80s horror flick, we saw an increase in the number of triggers for our IPS signature JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution yesterday, targeting the United States, Japan, and India, with the United States seeing the largest share of activity (20%). The signature addresses attempts to attack the “shell” file on the web interface of DVR devices that run the JAWS HTTP server, which allows remote attackers to execute arbitrary commands without any authentication. The increase is interesting given the rise in the overall number of IoT attacks seen lately, which leads us to believe that attackers are testing and/or incorporating known IoT exploits into their arsenal. At this time, we haven’t observed any malware leveraging this exploit, but FortiGuard Labs will be on the lookout for any samples seen using this vulnerability and will provide updates if warranted.
Signatures: JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution
Malware Activity
Sounds Like a Type of Bagel Sandwich – Earlier this week, researchers discovered a new campaign called Luoxk, which takes advantage of several vulnerabilities to spread. The campaign uses a combination of exploits and malware to conduct its attacks. The first vulnerability observed was CVE-2018-2893, an Oracle WebLogic Server vulnerability that was patched on July 18 and then observed being used in targeted attacks three days later. This vulnerability allows for the complete takeover of the targeted server, which can then be used for various purposes, such as providing a download point for the malware. Luoxk appears to have DDoS, reverse shell, cryptomining, and process-kill components associated with it.
FortiGuard Labs has confirmed that our IPS signature Oracle.WebLogic.Server.resolveProxyClass.Deserialization covers this recently disclosed issue for CVE-2018-2893.
Signatures: Java/Agent.C9D4!tr, Oracle.WebLogic.Server.resolveProxyClass.Deserialization
Kronos is Back – Earlier this week, researchers observed that the Kronos banking Trojan, last seen in action in 2014, is back from the dead and appears to be active in Germany, Japan, and Poland. Two delivery mechanisms were observed: the ubiquitous malicious Word macro, which downloaded the payload, and a malvertising campaign that used a JavaScript redirect, which ultimately led to the RIG exploit kit delivering a Smoke Loader variant. In this case, Kronos appears to have man-in-the-middle (MITM), infostealing, VNC, and keylogger functionality.
Signatures: W32/Injector.ABG!tr, W32/Kryptik.GITY!tr, W32/GenKryptik.CFGD!tr, W32/ZEGOST.SM51!tr.bdr, W32/Waldek.BBLL!tr, W32/Agent.CQC!tr.dldr
Web Filtering
Targeted Attacks on iPhone Users in India – The FortiGuard Labs Web Filtering team has become aware of a recent, highly targeted campaign in India, discovered by researchers, that deploys an open-source mobile device management (MDM) application. The campaign is believed to target a small number of Apple iPhone users, on whose devices the culprits install and control malicious applications. Some of the applications abused for this activity are WhatsApp, Telegram, PrayTime and possibly a few others. They have the capability to acquire the victim’s phone number, serial number, location, contacts, photos and text messages.
Indicator(s):
ios-certificate-update[.]com
wpitcher[.]com
Voguextra[.]com
Techwach[.]com
More Zombies – FortiGuard Labs is aware of ZombieBoy, a cryptomining worm that uses exploits such as WinEggDrop to search for new hosts. It first uses the EternalBlue/DoublePulsar exploits to remotely install the main DLL. The program used to install the two exploits is called ZombieBoyTools and is of Chinese origin. ZombieBoy also uses several servers running HFS (HTTP File Server) in order to obtain payloads.
Indicator(s):
ca[.]posthash[.]org:443/by[.]exe
sm[.]posthash[.]org:443/2
Dns[.]posthash[.]org:52009
sm[.]posthash[.]org:443
ca[.]posthash[.]org/netsyst96[.]dll
Threat Research & Insights
FortiGuard Labs Threat Intelligence Podcast #3 – FortiGuard Threat Intelligence Podcast (TIP) provides highlights and commentary into top cyber threats, data breaches, and cybercrime. Join Fortinet’s top threat experts as they delve into today’s critical cybersecurity topics. Informative. Scary. Insightful. [Listen Here]
Hide ‘N Seek: From Home Routers to Smart Home Insecurities – In this report we take a look at the evolution of HNS and how it was able to add exploits on a regular basis over the past several months without making headlines. [Read More]
IcedID & Trickbot: A Give-and-Take Relationship – FortiGuard Labs blog on research showcasing a likeness and collaboration between TrickBot and IcedID. [Read More]
News Courtesy: FortiGuard – Weekly Threat Briefs