Activity Summary – Week Ending November 16, 2018

This week Fortinet released our latest Quarterly Threat Landscape Report. Every second of every day FortiGuard Labs is collecting data gathered from millions of devices and sensors around the world. The sheer volume of data we analyze gives us a distinct and unparalleled perspective of the global threat landscape. This data culminates in our quarterly threat report, where we can provide a unique narrative of the threat world. We offer up a lot of insights and data in this report. For one, unique new malware variants continue to grow at an astronomic pace, increasing 43% over the previous quarter – and 129% over this time last year. Threat actors are utilizing automation that enables malware to be easily modified to try and evade detection. This makes it even more critical that you leverage security vendors (like Fortinet) that bring capabilities to detect known and unknown threats.

Another unique insight is our deeper analysis of malware impact on weekends and holidays. Business traffic diminishes pretty significantly on non-workdays. This actually allows malicious traffic to be more prominent and easier to detect. It is more important than ever that firms implement a 24x7x365 security and network operations monitoring and response program, and that firms unable to staff this in-house leverage MSSPs as needed.

This quarter we looked deeper into the impact of cryptojacking malware. What we found is that those impacted by cryptojacking are more likely to be exploited by additional malware. Cryptojacking is clearly a gateway threat. This proves that you must always be diligent about keeping your defenses on guard at all times.

Android devices are a top target of threat actors. We found that 14% of all our malware detected was targeting Android devices, compared with iOS at only .0003% of all malware. This makes a strong case for open vs closed operating systems.

What do we mean by botnet burstiness? How many firms saw severe exploits? Which platforms were affected by 0-days found by FortiGuard’s zero-day research team? I encourage you to read the full report to find out: Fortinet Quarterly Threat Landscape Report.

Microsoft released patches for 62 vulnerabilities this month. One of the more critical patches is for CVE-2018-8589, a vulnerability that is under active attack. Malware is leveraging kernel elevation bugs to escalate privileges, giving the attacker full control of a target system. Two other vulnerabilities are publicly known: CVE-2018-8584, a Windows ALPC Elevation of Privilege vulnerability, and CVE-2018-8566, a BitLocker Security Feature Bypass vulnerability.

FortiGuard Labs researcher Yonghui Han discovered four zero-day vulnerabilities related to Microsoft Office: CVE-2018-8522, CVE-2018-8524, CVE-2018-8576, and CVE-2018-8582. These are all Outlook Remote Code Execution vulnerabilities. Fortinet always follows responsible disclosure and won’t release details of our zero-day finds until a patch is in place. However, we do release IPS signatures that protect our customers in the event that a vulnerability is exploited before being patched. In this case, the following IPS signatures protected our customers between our find date and November’s patch release.

IPS Signatures:
FG-VD-18-134_Microsoft.0day (for CVE-2018-8522)
FG-VD-18-131_Microsoft.0day (for CVE-2018-8524)
FG-VD-18-130_Microsoft.0day (for CVE-2018-8576)
FG-VD-18-138_Microsoft.0day (for CVE-2018-8582)

See our blog for more details [Read More]. For more details on all the vulnerabilities and patches, please check out Microsoft’s Update Center: Microsoft Security Update Guide.


Application Vulnerabilities / IPS

WordPress.Plugin.Userpro.Authentication.Bypass – It was found back in November 2017 that versions of the WordPress plugin UserPro earlier than 4.9.17 are prone to an authentication bypass vulnerability. There is public information on how to exploit this vulnerability, as well as exploit code widely available for popular exploitation frameworks, providing a good starting point to exploit this on a massive scale. The vulnerability was quickly patched by Wordfence the day after the initial contact by security researcher Iain Hadgraft. In order to exploit this vulnerability, an attacker only needs to visit a WordPress site that has the vulnerable plugin and append a specific string to the URL. If the site still has the default “admin” username enabled, the attacker is then presented with the web GUI with full administrator privileges. Sites without the “admin” username enabled are not affected. We are seeing this signature in the top 100 of telemetry for this month, and specifically for the last seven days, and have seen it fluctuate between 0.44% and 2.5% of our telemetry. The most affected countries are the United States (9.49%), Spain (9.21%), and Peru (8.13%).

Signatures: WordPress.Plugin.Userpro.Authentication.Bypass
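As an added illustration of the two conditions the entry above combines (plugin version below 4.9.17 and the default “admin” account still present), the following Python check is example code written for this brief, not Fortinet’s or the plugin vendor’s. It assumes the plugin exposes the standard WordPress `Version:` header in its main PHP file; the sample header and user list are constructed for the demo.

```python
"""Added example: assess a WordPress install for the UserPro
authentication bypass conditions described in the brief.
Not Fortinet's code; the plugin header and user list are constructed."""
import re

# First patched UserPro release named in the brief.
FIXED_VERSION = (4, 9, 17)

# Constructed sample of a WordPress plugin main-file header (assumed to use
# the standard "Version:" header line that WordPress itself parses).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: UserPro
Plugin URI: https://example.invalid/userpro
Version: 4.9.15
*/
"""


def parse_version(header_text):
    """Return the Version header as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_vulnerable(version):
    """True when the installed version is older than the fixed release.
    An unknown version is treated as needing review."""
    if version is None:
        return True
    return version < FIXED_VERSION


def has_default_admin(usernames):
    """True when an account literally named 'admin' exists (case-insensitive)."""
    return any(u.strip().lower() == "admin" for u in usernames)


def assess(header_text, usernames=()):
    """Combine both conditions: the bypass only yields admin access when the
    default 'admin' username is still present, as the brief notes."""
    version = parse_version(header_text)
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "exploitable": vulnerable and has_default_admin(usernames),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER, ["admin", "editor"]))
```

Run it against the real plugin’s main file and the output of a user listing; a result with `vulnerable` true but `exploitable` false still warrants updating the plugin, since the admin account could be recreated later.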

Dasan.GPON.Remote.Code.Execution – We have seen increased activity in our IPS signature Dasan.GPON.Remote.Code.Execution. This signature covers distinct issues in the HTTP server of DASAN GPON home routers that allow authentication bypass and command injection by inserting text into specific HTTP parameters. Because of the way the system passes parameters to the ping and traceroute functions, command injection is possible by manipulating the host parameter. Since the router saves ping results in various directories and returns them to the user when a specific path is requested, combining this with the authentication bypass makes it quite simple to execute commands and retrieve their output. The United States (22%), Canada (4%), and Brazil (4%) round out the top of our telemetry charts.

Signatures: Dasan.GPON.Remote.Code.Execution
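To make the root cause concrete, the following Python snippet is an added example written for this brief (it is not the router’s firmware code and does not reproduce it). It places the injectable pattern, a host parameter concatenated into a shell command line, next to a hardened handler that validates the target as an IP literal or hostname and invokes ping with an argument list rather than a shell. The `ping -c 4` invocation is an assumption about the command the handler wraps.

```python
"""Added example: vulnerable vs. hardened handling of a user-supplied
'host' parameter for a diagnostic ping. Not DASAN's code."""
import ipaddress
import re
import subprocess

# Syntactic hostname check (RFC 1123 labels). The first character must be
# alphanumeric, so values beginning with '-' cannot be read as ping options.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_unsafe(host):
    """Vulnerable pattern: the parameter is concatenated into a shell command
    line, so shell metacharacters in 'host' change what runs. Returned as a
    string for inspection only; never executed in this example."""
    return "ping -c 4 " + host


def validate_target(host):
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(host))


def build_ping_command_safe(host):
    """Hardened: validate first, then build an argv list (no shell involved)."""
    if not validate_target(host):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "4", host]


def run_ping(host, timeout=15):
    """Run the validated command without a shell and return its stdout."""
    argv = build_ping_command_safe(host)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    for candidate in ["192.0.2.10", "router.example.com", "127.0.0.1; echo injected"]:
        print(candidate, "->", "accepted" if validate_target(candidate) else "rejected")
```

The two defenses are independent: the argv list prevents the shell from ever interpreting the value, and the validation additionally keeps values that look like option flags or whitespace-separated extra arguments away from ping itself.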

Malware Activity

Another APT Targeting Pakistan – FortiGuard Labs is aware of an attack by an APT group dubbed the “White Company.” Discovered by researchers earlier this week, the White Company appears to be targeting interests inside and outside of Pakistan. The White Company appears to have varying degrees of tricks and tools at its disposal, including possibly possessing zero-day exploits, build automation, the ability to be agile in its workflow, and reconnaissance. According to the report, attacks on this region are potentially increasing due to the “One Belt, One Road” initiative, which is intended to be the new Silk Road between China and various other countries along this path. As the One Belt, One Road initiative runs through Pakistan, it may be a viable target for nation-states that are curious about the goings-on of countries involved in this initiative. The techniques used by the White Company are consistent with malware used by various APT groups. It is usually delivered by targeted spear-phishing attempts via maliciously crafted Microsoft Office documents. The malware can utilize various exploits at the attackers’ disposal, check the environment to determine whether it is running on a virtualized or analyst machine, and delete itself and place a decoy in its place to thwart analysis. To make matters worse for analysts, it is packed with several layers of obfuscation, which can mean that deobfuscation for analysis takes days or weeks. Once the malware is run and all environmental variables are deemed ideal, it drops several known Remote Access Trojans (RATs), such as NetWire and Revenge. Other commercially available back doors and tools (packers, post-exploitation tools) were also used by the attackers to make attribution even more difficult.

Signatures: W32/Injector.DTAI!tr, MSIL/Kryptik.LSA!tr, Generik.MAJUEVS!tr, MSIL/Kryptik.KGP!tr, MSIL/Injector.STS!tr, W32/Weecnaw.A!tr.spy


TEMP.Periscope is back! – FortiGuard Labs is aware of a spear-phishing campaign targeting journalists in Southeast Asia, specifically Cambodia. Discovered earlier this week, it appears that the infrastructure is used by the same actor known as TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. It appears that TEMP.Periscope reused publicly reported TTPs from Russian threat groups like Dragonfly and APT28 to target various organizations, likely to gain access to sensitive and proprietary information. This appears to have been done to create confusion and make attribution even more difficult; the false flags appear to have been planted to distance the actor from identification. The attack vector observed was spear phishing, sent to the victim from a purported known journalist in Cambodia. Contained within the email were malicious links that would generate an SMB connection. The open-source tool Responder appears to have been used in this attack. Further analysis reveals that the spear phish attempted to capture the victim’s SMB credentials in the form of a password hash. Also tied to this actor is the use of a JavaScript back door used for nefarious purposes.
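The lure in this campaign works because a link that points at an SMB resource makes the mail client or browser open an outbound SMB connection and send an authentication hash. One mail-gateway control that follows directly from that is to flag messages whose links would do so. The scanner below is an added example written for this brief, not the campaign’s tooling or a Fortinet product feature; the sample message is constructed, and the `203.0.113.45` address is a documentation-range placeholder.

```python
"""Added example: flag email links that would trigger an SMB connection
(file:// URLs and UNC paths). Not Fortinet's code; sample is constructed."""
import re
from html.parser import HTMLParser

# Constructed phishing-style message: one ordinary HTTPS link, one file://
# link, and a 1x1 image whose source is a UNC path (auto-loaded by some clients).
SAMPLE_EMAIL = r"""<html><body>
<p>Please review the report.</p>
<p><a href="https://example.invalid/report.pdf">Report (PDF)</a></p>
<p><a href="file://203.0.113.45/share/report.docx">Alternative link</a></p>
<img src="\\203.0.113.45\pic\logo.png" width="1" height="1">
</body></html>"""

# UNC path anywhere in the body text: \\host\share...
UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s"<>]*')
FILE_URL_RE = re.compile(r"^\s*file:", re.I)


class LinkExtractor(HTMLParser):
    """Collect href/src values from tags that cause a fetch or a click."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "img", "link", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def smb_lure_targets(html_body):
    """Return link values that would make a client speak SMB."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for link in parser.links:
        if FILE_URL_RE.match(link) or link.lstrip().startswith("\\\\"):
            hits.append(link)
    # Also catch UNC paths written in plain text or in attributes missed above.
    for match in UNC_RE.findall(html_body):
        if match not in hits:
            hits.append(match)
    return hits


if __name__ == "__main__":
    for target in smb_lure_targets(SAMPLE_EMAIL):
        print("SMB lure link:", target)
```

At the network edge the same behaviour shows up as outbound TCP/445 from user subnets to Internet addresses; blocking that egress, as is widely recommended, stops the hash from ever leaving the network even when the mail filter misses the link.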


Web Filtering

Metamorfo Banking Trojan – The FortiGuard Labs Web Filtering Team is aware of a new Metamorfo Banking Trojan campaign stealing sensitive financial information from its victims. Discovered by researchers earlier this week, the campaign aims to gather credit card information and login credentials for online banking and financial services websites so the data can be monetized by the attackers. It has been targeting customers in Brazil since late October. The malware was found to be distributed via two separate campaigns. The first campaign was identified using a zipped file, hosted on a free web-hosting platform, that contains a Windows shortcut (LNK) file. The shortcut’s embedded command downloads and executes a PowerShell script from the attacker’s URL. The second campaign instead leverages PE32 executables, rather than Windows shortcut files (LNK), to perform the initial stage of the infection process. When the system reaches out to Bitly, the link shortener, to access the contents hosted at the shortened link destination, the redirection leads the client to the attacker-controlled server hosting a PowerShell script. The FortiGuard Labs Web Filtering team has blacklisted all the IOCs related to the incident.

Indicator(s): marcondesduartesousa2018000webhostappcom/downs/imagemFrbmp
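The first-stage lure above is a ZIP archive carrying a Windows shortcut, a combination that mail and download filters can screen for. The checker below is an added example written for this brief (not Fortinet’s or the campaign’s code): it opens an archive and reports members that are LNK files either by extension or by the Shell Link header bytes, so a shortcut renamed to look like an image is still caught. The archive it inspects is constructed in memory.

```python
"""Added example: find Windows shortcut (LNK) files inside a ZIP archive,
by name and by file header. Not Fortinet's code; the archive is constructed."""
import io
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")


def looks_like_lnk(data):
    """True when the bytes start with the Shell Link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def find_lnk_members(zip_bytes):
    """Return members that are LNK files by extension or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = looks_like_lnk(head)
            if by_ext or by_magic:
                findings.append({"name": info.filename,
                                 "by_ext": by_ext, "by_magic": by_magic})
    return findings


def build_sample_zip():
    """Constructed archive: a benign text file, a shortcut with a .lnk name,
    and a shortcut disguised with a .jpg name (header still identifies it).
    The shortcut bodies are a header followed by padding, not real links."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("imagem.lnk", fake_lnk)
        zf.writestr("foto.jpg", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_lnk_members(build_sample_zip()):
        print(finding)
```

Reading only the first 20 bytes of each member keeps the check cheap on large archives; a hit is a reason to quarantine the file, not proof of malice, since legitimate shortcuts are occasionally zipped.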

Threat Research & Insights

Dharma Ransomware: What It’s Teaching Us – FortiGuard Labs has been monitoring the Dharma (also named CrySiS) malware family for a few years. As we demonstrate in our blog, even though the Dharma ransomware continues to be active, the attackers are not really updating their mode of operation, but continue to rely on a proven tactic to find and infect new victims, which is to leverage badly secured RDP services to gain access to the network. [Read More]

Analyzing the New Non-Beta Version of the Kraken Cryptor Ransomware – FortiGuard Labs recently detected new versions of Kraken Cryptor Ransomware. While the beta tag has been removed from its configuration, there are still numerous bugs in this ransomware, and the author is still continuously modifying its basic functions. [Read More]

New Loki Variant Being Spread By Phishing Email – After analyzing a new phishing email, we found that it was spreading a new variant of the Loki malware. [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs