Activity Summary – Week Ending November 2, 2018
Cybercrime-as-a Service has created an entry point for novice distributed denial-of-service (DDoS) attackers by offering simple options to anonymously attack nearly any website and forcing it offline. Due to the public release of source code for some popular bots, building a botnet to provide these sort of services is easier than ever. Minor modifications to the source code allow cyber criminals to create their own versions that continue to spread mayhem.
FortiGuard Labs recently discovered a new platform offering a DDoS-for-hire service called “0x-booter”. This service comes with an explicitly defined user interface which enables nearly anyone to learn and use the service. And like any other DDoS-for-hire, initiating a DDoS attack through a web user interface avoids the need for direct contact between the user and the bot master. In the attack hub interface the details of the host or domain, port, attack duration, and the type of attack can all be configured before launching an attack.
0x-booter is available to anyone who signs up on the website. The price for the 0x-booter service ranges from $20 to $150, depending on the number of attacks, the duration of an attack, and customer support. In today’s current cybercrime economy, a few dollars combined with malicious intent can translate to considerable damage to virtually any target.
After analyzing both the website and the associated botnet, Bushido, we discovered that the codes used have been copy and pasted from an open source and modified for their own purposes. In fact, the 0x-booter website was based on another ‘booter/stresser’ called Ninjaboot, the source code of which was leaked in hacking forums last year. Bushido borrows a lot of its code from Mirai and is still considered a fork of Mirai. Bad actors tend to reuse capabilities that were proven successful in the past – why reinvent the wheel.
You can read more details of our analysis on our blog, including the details of our detection and the associated IOCs. DDoS-for-Hire Service Powered by Bushido Botnet
Application Vulnerabilities / IPS
NUUO.NVRmini.OS.Command.Injection – NUUO is a company that delivers video management solutions since 2004, and today is one of the leaders in global surveillance solutions for the enterprise. In 2016, a security researcher discovered that NUUO products suffered from multiple remote command injection vulnerabilities, and attempted to contact NUUO in order to carry out the responsible disclosure process, as disclosed by the author (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5351.php), but the company failed to commit to fixing the issue at that time. So on August 6, 2016, the vulnerability was publicly disclosed. The vulnerability affects NUUO versions <=3.0, and the vulnerabilities are all exploited through injection of commands when sending an http request to the web interface. A simple request can be sent and executed by the underlying operating system. This signature has been in the top of our telemetry reports and is now triggering on 14.81% of all sensors that are reporting any given IPS signature, indicating it is most likely the work of a botnet. The most-affected countries were the United States (17.71%), Japan (6.03%), and Taiwan (4.36%).
EnGenius.EnShare.IoT.Gigabit.Cloud.Service.Command.Injection – EnGenius EnShare is a solution that allows for seamless access to content hosted on a USB storage attached to the router. Even when you are outside your home, when connected to the Internet you will have your files at your fingertips. A remote code execution vulnerability was found on the ‘usbinteract.cgi’ script, which allows an attacker to inject any command it wishes to execute via the path parameter as parsed by the vulnerable script. This can be abused by crafting a special HTTP request with the command and sending it to the HTTP server.
Affected versions are ESR300 (1.4.9, 1.4.7, 1.4.2, 22.214.171.124, 1.4.0, 126.96.36.199, 188.8.131.52) ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 184.108.40.206, 220.127.116.11) ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52) EPG5000 (184.108.40.206, 220.127.116.11, 18.104.22.168, 1.3.3, 1.3.2, 1.3.0, 1.2.0) ESR900 (1.4.5, 1.4.3, 1.4.0, 22.214.171.124 build-12032015@liwei (5668b74), 126.96.36.199, 1.3.0, 188.8.131.52, 1.1.0)ESR1200 (1.4.5, 1.4.3, 1.4.1, 184.108.40.206, 1.1.0) ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 220.127.116.11, 1.3.0, 18.104.22.168, 1.1.0).
This is a signature that has shown rapid growth over the last month; it jumped from less than 0.1% to close to 14% in a month. The most-affected countries were the United States (17.57%), Japan (6.09%), and Taiwan (4.37%).
WannaMine; Wanna Patch Your Systems? – FortiGuard Labs is aware of a new WannaMine attack discovered earlier this week by researchers. As usual with WannaMine attacks, this campaign focuses on installing via the infamous EternalBlue exploit, which was released in 2016 by the Shadow Brokers, then downloads various Trojans to gain a stronger foothold within the network. The Trojans are made up of three components: RecentFileProgrom.exe, res.exe, and tor.exe, which perform the following:
- RecentFileProgrom.exe – Looks for other machines to compromise via EternalBlue and spread
- res.exe – Contains mining processes. What is interesting is that the files dropped use JPG files which actually are PE files that contain an MZ header to bypass AV detections, and the JPG files ultimately contain the mining components that mine cryptocurrency in the background.
- tor.exe – And finally, to make matters worse, this file is responsible for connecting the malware to the Nitol botnet.
Other interesting observations seen as well were the usage of Linux binaries that also performed mining processes by compromising telnet connections via UDP injection techniques, and then taking advantage of a known vulnerability in the Linux kernel (CVE-2016-5195) called “Dirty COW,” which is a privilege escalation vulnerability to install the miners. Thankfully, mitigation against this exists, in the form of MS17-010.
Signatures: W32/Banload.YCQ!tr.dldr, W32/CVE_2015_1701!exploit, W64/CVE_2015_1701.A!tr, Linux/CVE_2016_5195.A!exploit, W32/ShadowBrokers.AO!tr, W32/Delf.CJX!tr.dldr, ELF/Ganiw.A!tr, W32/UACMe.E!tr, W32/ServStart.GL!tr, W32/CVE_2015_1701.AQ!tr
Yet Another Ransomware-as-a-Service – FortiGuard Labs has observed a new Ransomware-as-a-Service (RaaS), dubbed Kraken, being distributed in the underground forums. Discovered earlier this week by researchers, Kraken is a new ransomware variant that is written in C#. What makes this ransomware unique is its use of various encryption algorithms, such as AES, RC4, and Salsa20, for speed and to ultimately compromise a victim where it would be impossible to recover encrypted data without the help of the attackers. Similar to GandCrab, Kraken provides rolling updates and support to its user base every 15 days. The affiliates who target victims with Kraken must pay the developers a percentage of the payment to obtain the key. This provides the developers a level of protection and anonymity, essentially removing themselves from any attacks affiliates create themselves. It is interesting to note that Kraken developers have stated that the ransomware may not be used in former Soviet republics, or in Iran.
Observations during analysis are that the ransomware encrypts data on the disk very quickly. It also uses well-known external tools, such as SDelete from the Sysinternals suite, to wipe files from the victim machine, to ultimately make recovery more difficult. The Kraken encryption routine in a nutshell is distributed via the Fallout Exploit Kit, which installs and runs the Kraken payload, then connects to a command and control server at basze.tk where it performs cursory checks to ensure it is not running on a machine in one of the blacklisted countries. It then drops files into the %TEMP% folder, which tries to bypass UAC, and performs the encryption routine, deletes various files, and as an ultimate insult to incident responders, deletes itself off the machine.
Signatures: W32/Ransom.FAQ!tr, MSIL/Filecoder.PI!tr, W32/TorJok.PI!tr, W32/Encoder!tr, W32/Encoder.B!tr, W32/Malicious_Behavior.SBX, MSIL/Filecoder.PI!tr.ransom, W32/SelfDel.PI!tr
Meet Khalesi! – FortiGuard Labs Web Filtering team has observed Khalesi, an infostealing Trojan during the end of August 2018. Discovered by researchers, this malware is associated with the KPOT malware campaign. Khalesi variants used in this campaign were compiled with a Visual Basic 6 (VB6) compiler, while others were compiled using a Portable Executable (PE) compiler. The malware is capable of stealing Windows and browser credentials, credit card information, virtual coins, and data from messaging apps. The malware also collects a variety of data from various sources on the affected systems by communicating with a command and control (C2) domain. All of the IPs are located in Eastern Europe, and FortiGuard Labs Web Filtering team has blacklisted all the related IOCs.
Threat Research & Insights
Inspecting Mach Messages in macOS Kernel-Mode Part I: – Mach IPC and Mach message are the foundation for many communications that occur in macOS. The question that many threat researchers ask is, “how can we inspect these Mach messages in user-mode or kernel-mode perspective?” In this blog, FortiGuard Labs looks at how to inspect Mach message in kernel-mode perspective by setting up an inline hook on specific kernel APIs for handling Mach messages [Read More]
Part II – Inspecting Mach Messages in macOS Kernel-Mode: – Sniffing the received Mach messages – In part II, we continue to define how to inspect received Mach messages by setting up a kernel inline hook. [Read More]
News Courtesy: FortiGuard – Weekly Threat Briefs