Activity Summary – Week Ending September 14, 2018

Get patching! For September Patch Tuesday, Microsoft released updates addressing 61 vulnerabilities! The severity breakdown is 17 rated critical, 43 rated important, and only one rated moderate. There were several Adobe updates as well.

FortiGuard Labs played a significant role in this month’s release. Our researcher, Honggang Ren, discovered a remote code execution vulnerability in the Microsoft JET Database Engine (CVE-2018-8392) and is credited for it by Microsoft. If exploited, the attacker could take full control of the affected system: install programs; view, modify, or delete data; and create new accounts with full user rights. Exploitation occurs when a user opens a specially crafted Excel file on one of the affected Microsoft Windows versions, and it isn’t difficult to convince a target to open an infected Excel attachment in email using social engineering tactics. Just a reminder that when FortiGuard Labs discovers a vulnerability, we create an IPS signature that protects our customers while the affected vendor works on a patch. You can find more detail in our blog. Our IPS signature is: Microsoft.JET.Database.Engine.Remote.Code.Execution.

One of the more notable patches this month addresses a recent zero-day vulnerability (CVE-2018-8440) that was posted to Twitter in August and subsequently used in a malware campaign. This vulnerability is an elevation of privilege flaw that exists within the Advanced Local Procedure Call (ALPC) function in the Windows Task Manager; when exploited, it allows restricted users to launch a process that gains administrative control. Given that this defect is being actively exploited, we recommend prioritizing the update. Fortinet has AV signatures in place for the ALPC vulnerability exploit: W32/Agent.SZS!tr, W32/Agent.TDK!tr, W32/Generik.NDNVFHD!tr, W64/Agent.H!exploit.

There were three other vulnerabilities that were disclosed publicly prior to Patch Tuesday, but so far they don’t appear to be publicly exploited: CVE-2018-8409 (important), CVE-2018-8457 (critical), and CVE-2018-8475 (critical). It is always worth considering prioritizing these updates should your environment be exposed.

The full list of patches and affected systems can be found on the Microsoft Security Update Guide website.


Application Vulnerabilities / IPS

Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution – In the span of eight years, 72 different Apache Struts related vulnerabilities have been discovered. Our IPS signature Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution detects attempts to exploit remote code execution vulnerabilities in Apache Struts (versions Struts 2.3.5 through Struts 2.3.31 and Struts 2.5 through Struts 2.5.10), specifically CVE-2017-5638. This signature consistently ranks in the top 5 of our IPS signature detections, and for good reason. Attackers know this exploitation vector is not only the best way of getting onto a system and gaining access to it; with the recent advent of cryptocurrency and its profitability, attackers have also installed nefarious JavaScript code on these servers that mines cryptocurrency, such as Monero, in the victim’s browser, ultimately harnessing their CPU cycles.

Also, given the lucrative possibilities these exploits may yield the attacker (the recent Equifax breach was blamed on Apache Struts), it was seen several weeks ago that attackers had incorporated three of the most useful Apache Struts vulnerabilities (CVE-2013-2251, CVE-2017-5638, and CVE-2018-11776) into one automated tool. And as you will read below in the article “Updates to Mirai and Gafgyt”, Mirai has been observed adding Apache Struts to its list of targets, specifically CVE-2017-5638. The top 3 countries affected by this vulnerability are the United States (20%), Japan (7%), and India (5%).

Signatures: Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution

VACRON.CCTV.Board.CGI.cmd.Parameter.Command.Execution – When purchasing devices that connect to the Internet, especially seemingly innocuous ones such as webcams and routers, security is often overlooked and discounted because these devices are frequently rushed to market by the vendor. While some of these devices offer no value to an attacker, others could allow an attacker to compromise a machine that contains useful data (banking credentials, PII, etc.) or even be enlisted in a DDoS attack.

As we now know, IoT devices offer attackers another DDoS vector versus the traditional botnet and can earn them money by selling their services on the darknet. Our IPS signature, VACRON.CCTV.Board.CGI.cmd.Parameter.Command.Execution, has seen a rise in detections as of late. This IPS signature detects attempts to pass malformed HTTP requests that are not sufficiently sanitized when handled by board.cgi. The vulnerability is due to insufficient sanitizing of user-supplied input in the application when parsing HTTP requests. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application via a crafted HTTP request. Based on our telemetry, quite a few organizations in the education sector in various countries are being targeted by attackers trying to leverage this exploit. At the time of writing, the vendor does not appear to have acknowledged the public disclosure, and there are no known mitigations in place. On a side note, before purchasing IoT devices it would be wise to do your own due diligence and research whether any vulnerabilities and exploits are known, and whether the vendor has addressed them. The top 3 countries affected by this vulnerability are the United States (20%), Japan (6%), and Taiwan (5%).

Signatures: VACRON.CCTV.Board.CGI.cmd.Parameter.Command.Execution
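For readers who want a quick triage check in their own web server logs, the following is an added example (not Fortinet's signature or code) that flags requests to board.cgi whose decoded query parameters carry shell metacharacters; the parameter name cmd is taken from the signature name, the metacharacter heuristic and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format), not real telemetry.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2018:10:01:02 +0000] "GET /board.cgi?cmd=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2018:10:01:07 +0000] "GET /board.cgi?cmd=status%3Bid HTTP/1.1" 200 512 "-" "curl/7.58"
10.0.0.7 - - [12/Sep/2018:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Sep/2018:10:03:15 +0000] "GET /board.cgi?cmd=%60id%60 HTTP/1.1" 200 64 "-" "python-requests/2.19"
"""

# Source address, timestamp and request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that have no business in a CCTV control parameter (heuristic, assumed).
SHELL_META = re.compile(r'[;|&`$(){}<>\\]')


def suspicious_params(target):
    """Return {param: decoded value} for board.cgi query values containing shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/board.cgi"):
        return {}
    hits = {}
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan_log(text):
    """Return one alert dict per log line whose board.cgi parameters look like injection."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable access-log entry
        hits = suspicious_params(match.group("target"))
        if hits:
            alerts.append({"src": match.group("src"), "ts": match.group("ts"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} board.cgi injection attempt: {alert['params']}")
```

A hit is a lead for the IPS event, not proof of compromise; confirm against the device's own logs and the source address's other traffic.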

Malware Activity

Ursnif and Its Hyper Focus – Earlier this week, researchers discovered another Ursnif campaign in which the threat actors behind Ursnif were observed customizing their attack in a “highly localized” campaign. This highly localized campaign included spear-phishing emails that used the names of local businesses in the specific geolocations of the targeted victims. For example, let’s say (fictitiously) the attackers were targeting toy factories in the North Pole: the email sent by the attackers would carry an attachment such as “Elfbenefits.doc”, sent to various toy factories in the North Pole.

This also correlates with what FortiGuard Labs has recently observed. Analysis also reveals that the attack uses the same methodologies as previous Ursnif attacks we have seen, where targets are carefully chosen. Earlier last month, we observed a similar malicious spam campaign targeting a boutique insurance brokerage that offers specialty insurance and risk management services in North America. Instead of localizing their spear-phishing attacks, the attackers behind Ursnif sent their victims specific emails that appeared to come from relevant industry contacts. The spear-phishing email in question appears to be from an individual affiliated with a company in the United States that provides specialty heavy construction services in both the private and public works sectors. It can be surmised that the threat actors behind Ursnif have done their homework, as the targeted insurance firm conducts business in the heavy construction industry as well.

What makes these two campaigns different from previous Ursnif activity is that, although the attackers behind Ursnif have been observed attacking various entities globally, most Ursnif activity has been concentrated in Japan. The Ursnif banking Trojan is one of the most prolific banking Trojans in recent history and has been around since 2007. The latest variant of Ursnif incorporates code from the Gozi malware family and was first seen in the wild in 2017. It has been observed spreading via social engineering methods, most notably spear-phishing emails that contain malicious attachments or malicious links, and on occasion via exploit kits.

It is unknown at this time whether the attackers behind Ursnif have any intimate knowledge of the business dealings of the firms they are impersonating or of the victims they are targeting. However, it appears that the email is not mass spam sent blindly, but is targeted and tailored specifically to the victims in order to compel them to open the attachment.

Signatures: W32/Banker.GJZV!tr, W32/GenKryptik.CIRZ!tr, W32/Kryptik.GJZV!tr, W32/GenKryptik.CIUC!tr, WM/Agent.C93D!tr, W32/GenKryptik.CIUO!tr

Updates to Mirai and Gafgyt – The infamous IoT botnets Mirai and Gafgyt are back in action, this time with updates to both that have not been seen previously. Observed by researchers at the beginning of this week, new variants of Mirai and Gafgyt target multiple vulnerabilities in Apache Struts and Dell SonicWall network security appliances. Apache Struts is an open source web application framework for developing Java EE web applications. Since 2010, there have been over 72 documented vulnerabilities in this framework, offering attackers multiple attack vectors. Multiple Apache Struts vulnerabilities have been targeted in the past, as they have enabled various attacks, most recently lucrative cryptocurrency mining (Monero) for attackers.

The update to the infamous Mirai IoT botnet incorporates CVE-2017-5638, a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts. Also uncovered is an update to Gafgyt that uses the SonicWall GMS exploit (CVE-2018-9866), which stems from the lack of sanitization of XML-RPC requests to the set_time_config method.

Researchers were unable to determine why Mirai and Gafgyt started going after enterprise targets, whereas previously they stuck to traditional consumer devices. Perhaps these new attack vectors are just another zombie, essentially one more tool within the attackers’ war chest to rely on.

Signatures: ELF/Mirai.BO!tr, ELF/Mirai.B!tr, ELF/Mirai.BL!tr, ELF/Mirai.AT!tr, ELF/Tsunami.A!tr

Web Filtering

Not a Music Band – Introducing Fallout and GandCrab – This week researchers discovered a new exploit kit (EK) called Fallout being used to distribute the GandCrab ransomware, along with various downloader Trojans and other potentially unwanted applications. This new exploit kit is installed on compromised sites and uses Adobe and Microsoft Windows vulnerabilities to ultimately compromise the victim’s machine.

The vulnerabilities exploited are in Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).

Before the malware payload is dropped, the EK checks the user agent of the victim’s browser to decide whether or not to proceed. Based on the user’s operating system and browser, the attack either delivers the EK directly or attempts to redirect the victim to other social engineering campaigns. Finally, the request sequence leads to the GandCrab ransomware being fetched and loaded directly into memory by the malware.

FortiGuard Labs has blacklisted all the related IOCs in its database.


Kaixin is Back – The FortiGuard Labs Web Filtering team has observed that the Kaixin Exploit Kit has resurfaced from hiatus, with more malicious payloads infecting victims’ machines. As seen previously, its payloads come in plenty of formats. Another interesting observation is that they now also include .swf (Flash) and .jar (Java) file extensions. The FortiGuard Labs Web Filtering team has blacklisted all the related IOCs observed in this attack.


Threat Research & Insights

Painting a New Security Landscape – Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.

News Courtesy: FortiGuard – Weekly Threat Briefs