Activity Summary – Week Ending September 21, 2018

Once again the Cyber Threat Alliance (CTA) members have collaborated on research. This week the CTA members released a collaborative report on illicit cryptomining (aka cryptojacking). Fortinet is a founding member of the CTA and believes that by working together with other cybersecurity organizations, we can improve cybersecurity across our global digital ecosystem. Below is a synopsis of the report; the full report can be read here: The Illicit Cryptocurrency Mining Threat.

This joint analysis report describes the current state of illicit cryptocurrency mining, its impacts, recommendations to reduce your risk, and a discussion of the future of the illicit mining threat. This paper is a call to action for network defenders. By implementing the recommendations and best practices in this report, they will be able to make an outsized impact on the threat of illicit cryptocurrency mining and save their organizations time and resources while also improving their security posture against other cyber threats. CTA and network defenders have the ability to disrupt the activities of illicit miners by raising their costs and forcing them to change their behavior. Together, we can keep them from succeeding in their goals.

Key Findings from the Illicit Cryptocurrency Mining Joint Analysis include (read the full report for more details):

  • EternalBlue still impacting businesses: A patch for EternalBlue has been available for 18 months and even after being exploited in two significant global cyberattacks — WannaCry and NotPetya — there are still countless organizations that are being victimized by this exploit, as it’s being used by additional mining malware.
  • A much larger patching problem: The fact that EternalBlue is still being exploited points to a much larger patching problem for organizations. CTA has found numerous instances of old, unpatched devices being targeted with success using publicly disclosed vulnerabilities.
  • The canary in the coal mine: The presence of illicit cryptocurrency mining within an enterprise is indicative of additional flaws in cybersecurity posture that must be addressed. If miners can gain access to use the processing power of your networks, then you can be assured that more sophisticated actors may already have access.
  • The rise of the script kiddie: Novice attackers are able to access easy to use malware and browser-based exploits to mine cryptocurrency with little upfront work or knowledge.
  • Growth in sophistication: Additionally, CTA found that attackers are becoming more sophisticated in hiding their activity and remaining undetected for as long as possible. Attackers are increasingly targeting internet-of-things (IoT) devices, despite their lower processing power. The targeting of routers and media devices, such as smart TVs, cable boxes, and DVRs, is on the rise.
  • Physical damage and stress to infected devices: Illicit cryptocurrency mining can also lead to reduced computer performance and an increased likelihood of mechanical failure of heat-sensitive parts or elements of the cooling system.

For this Joint Analysis, CTA members worked together to highlight the new and growing threat from illicit cryptocurrency mining. This report was created using correlated, shared threat intelligence, which allowed CTA to develop a multifaceted analysis of the threat posed by the illicit cryptocurrency mining adversary. The Joint Analysis was produced with a targeted goal in sight: to enable everyone in the digital ecosystem the ability to take actions that will raise the costs for these adversaries over the long run and disrupt their entire underlying business model.

CTA Illicit Cryptomining Whitepaper.
Fortinet Quarterly Threat Landscape Report.


Application Vulnerabilities / IPS

MS.Windows.Scheduler.SchRpcSetSecurity.Privilege.Escalation – This is a vulnerability that allows local privilege escalation on Windows platforms 7, 8.1, and 10 and server versions 2008, 2012, and 2016. It has been assigned the CVE-2018-8440 and a patch was released by Microsoft last week (

The issue lies in the Advanced Local Procedure Call (ALPC) interface, specifically in the function SchRpcSetSecurity, which fails to properly check permissions and allows non-administrators to alter the permissions of files referenced by hard links in the directory C:\Windows\Tasks. This can be exploited if a user has read access to a file and can create a hard link to that file in the referenced directory; if the hard link points to a DLL, the user can alter the permissions of that DLL and inject code of their choosing into system DLLs. The issue essentially allows modification of files that are otherwise untouchable by the current user, opening a wide array of options for achieving privilege escalation. There are multiple exploits available for both 32-bit and 64-bit platforms. Reports of malware known as PowerPool arose only two days after the initial disclosure of the zero day; it was found to be leveraging this exploit to modify the content of C:\Program Files (x86)\Google\Update\GoogleUpdate.exe, which is regularly executed with administrator privileges. Further research deemed the malware experimental at best, since it did not use any advanced techniques and had very few functions.

Signatures: MS.Windows.Scheduler.SchRpcSetSecurity.Privilege.Escalation
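The hard link planted in C:\Windows\Tasks is the one artifact of this technique that a defender can look for on disk: a hard link carries no marker in its name, but the file it names has a link count above one. The following audit script is an added example, not code from the FortiGuard brief or from Microsoft; it takes the directory to sweep as a parameter so it runs on any platform, and its demo builds a constructed scenario in a temporary directory (the names protected.dll, Tasks, benign.job and planted.job are all made up for the example).

```python
"""Audit a directory for files that are hard links to files elsewhere.

Added example, not from the FortiGuard brief. The SchRpcSetSecurity flaw is
abused by planting a hard link inside C:\\Windows\\Tasks so that a permission
change lands on a protected file outside it. A hard link is indistinguishable
from the original by name, but its link count is greater than one, so a
periodic sweep of the Tasks directory for such files is a cheap detection.
The directory is a parameter so the check can run anywhere; the demo builds a
constructed scenario in a temporary directory.
"""
import os
import stat
import tempfile


def find_hard_linked_files(directory):
    """Return sorted (path, link_count) pairs for regular files with more than one link.

    os.lstat is used rather than DirEntry.stat because on Windows the latter
    leaves st_nlink at zero; os.lstat fills it in on both Windows and POSIX.
    """
    suspicious = []
    with os.scandir(directory) as entries:
        for entry in entries:
            try:
                st = os.lstat(entry.path)
            except OSError:
                continue  # removed or unreadable since listing; nothing to judge
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                suspicious.append((entry.path, st.st_nlink))
    return sorted(suspicious)


def demo():
    """Constructed scenario: a 'Tasks' directory with one benign file and one planted hard link."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected.dll")   # stands in for a system DLL
        tasks = os.path.join(tmp, "Tasks")                # stands in for C:\Windows\Tasks
        os.mkdir(tasks)
        with open(protected, "w") as fh:
            fh.write("dll bytes")
        with open(os.path.join(tasks, "benign.job"), "w") as fh:
            fh.write("job")
        # A second directory entry for protected.dll, inside the swept directory.
        os.link(protected, os.path.join(tasks, "planted.job"))
        hits = find_hard_linked_files(tasks)
        return [(os.path.basename(path), count) for path, count in hits]


if __name__ == "__main__":
    print(demo())   # on Windows: print(find_hard_linked_files(r"C:\Windows\Tasks"))
```

The link count says that another name for the file exists but not where; on Windows, `fsutil hardlink list <file>` lists the other paths for a hit. The sweep is a detection aid only; the fix for CVE-2018-8440 is the Microsoft patch the brief refers to.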

Memcached.UDP.Amplification.Detection – Memcached is a distributed memory caching system that is generally used to speed up dynamic database-driven websites by caching data in memory. Industry-leading technology companies such as Facebook and YouTube use Memcached in their operations. An issue affecting Memcached versions prior to 1.5.6 allows the system to be used as a DDoS amplifier if it is left unauthenticated and uses UDP as the transport mechanism. The amplification gained through this is close to 5100x, and it has been used in attacks in the past. Exploitation is trivial: with access to the Memcached server, the attacker creates an object in memory and then requests it with the source address spoofed to the IP address of the victim. A quick query on shows more than 134k Memcached servers; how many of them are left unauthenticated and running over UDP? Future DDoS attacks will probably tell. We are seeing 29% growth when comparing the last 24 hours against monthly averages. The most affected countries are the U.S. (28.49%), Taiwan (6.69%), and Japan (5.52%).

Signatures: Memcached.UDP.Amplification.Detection
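On a Memcached server you operate, the amplification described above is visible in the traffic itself: a peer that "sent" one tiny request is answered with a multi-datagram reply hundreds of times larger. The script below is an added example, not code from the FortiGuard brief or from the Memcached project. It parses the 8-byte memcached UDP frame header (request id, sequence number, total datagrams, reserved; four big-endian 16-bit fields) and computes bytes-out over bytes-in per peer from a set of datagram records; the records, addresses and sizes are constructed for the example, not captured traffic.

```python
"""Spot memcached UDP amplification from a sample of datagram records.

Added example, not from the FortiGuard brief. Every memcached UDP datagram
starts with an 8-byte header of four big-endian 16-bit fields: request id,
sequence number, total datagrams in the reply, and a reserved zero. A
reflection victim "sends" one tiny request under its spoofed address and is
then sent a multi-datagram reply, so on a server you operate the ratio of
bytes sent to bytes received per peer is the signal to alarm on. The records
below are constructed, not captured traffic.
"""
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
HEADER = struct.Struct("!HHHH")   # request id, sequence no, total datagrams, reserved


def parse_frame(payload):
    """Split a memcached UDP datagram into header fields and body."""
    if len(payload) < HEADER.size:
        raise ValueError("datagram shorter than the 8-byte memcached UDP header")
    request_id, seq, total, reserved = HEADER.unpack_from(payload)
    return {"request_id": request_id, "seq": seq, "total": total,
            "reserved": reserved, "body": payload[HEADER.size:]}


def build_frame(request_id, seq, total, body):
    """Inverse of parse_frame; used here only to construct sample records."""
    return HEADER.pack(request_id, seq, total, 0) + body


def bytes_per_peer(records, server_ip):
    """Return {peer_ip: (bytes_received_from_peer, bytes_sent_to_peer)} for 11211/UDP.

    records: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Datagrams without a parseable header are ignored rather than counted.
    """
    totals = defaultdict(lambda: [0, 0])
    for src_ip, src_port, dst_ip, dst_port, payload in records:
        try:
            parse_frame(payload)
        except ValueError:
            continue
        if dst_ip == server_ip and dst_port == MEMCACHED_PORT:
            totals[src_ip][0] += len(payload)
        elif src_ip == server_ip and src_port == MEMCACHED_PORT:
            totals[dst_ip][1] += len(payload)
    return {peer: tuple(v) for peer, v in totals.items()}


def amplification_ratios(records, server_ip):
    """Bytes out divided by bytes in, per peer; a peer that never sent anything gets inf."""
    return {peer: (out / inn if inn else float("inf"))
            for peer, (inn, out) in bytes_per_peer(records, server_ip).items()}


def flag_amplification(records, server_ip, threshold=50.0):
    """Peers for which the server sent at least `threshold` times what it received."""
    return sorted(p for p, r in amplification_ratios(records, server_ip).items() if r >= threshold)


def constructed_records():
    """Constructed sample: one ordinary client exchange and one reflected burst."""
    server, client, victim = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    recs = [
        # ordinary client: a small get and a small reply (21 bytes in, 39 bytes out)
        (client, 40000, server, MEMCACHED_PORT, build_frame(1, 0, 1, b"get session\r\n")),
        (server, MEMCACHED_PORT, client, 40000,
         build_frame(1, 0, 1, b"VALUE session 0 5\r\nhello\r\nEND\r\n")),
        # reflected traffic: one 17-byte request "from" the victim, three full-size reply datagrams
        (victim, 80, server, MEMCACHED_PORT, build_frame(2, 0, 1, b"get big\r\n")),
    ]
    recs += [(server, MEMCACHED_PORT, victim, 80, build_frame(2, i, 3, b"A" * 1400))
             for i in range(3)]
    return recs


if __name__ == "__main__":
    for peer, ratio in amplification_ratios(constructed_records(), "192.0.2.10").items():
        print(f"{peer}: {ratio:.1f}x")
```

Detection is the fallback; the mitigation is to not expose the UDP listener at all. Memcached's `-U 0` option disables the UDP port (1.5.6 ships with it off by default), and `-l 127.0.0.1` binds the daemon to the loopback interface so it is never reachable from the internet.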

Malware Activity

Magecart Attacks on the Rise! – Magento is an open source ecommerce platform that offers flexible solutions, a vibrant extensions marketplace, and an open global ecosystem. Based on the Zend Framework and PHP, Magento is considered to be the leading platform within the ecommerce market. In less than 10 years, Magento has had massive success rolling out its solutions to everyone from small at-home/startup businesses to multinational conglomerates. Magento’s popularity is similar to that of other popular open-source CMS frameworks such as Drupal, Joomla, and WordPress, albeit with a specific focus on ecommerce. Over the course of several months, it was reported that Ticketmaster, British Airways, and most recently Feedify (a customer-retention tool), Newegg (ecommerce), and Steinmart (clothing retailer) have been affected by attackers known as Magecart.

It is surmised that the attackers behind Magecart have used a combination of known Magento vulnerabilities and vulnerabilities in server-side software that the victims are using. The attacks often require write access to the server hosting the Magento payment scripts; in the recent British Airways attack, for example, just 22 lines of code were injected into existing pages, exfiltrating data to websites that looked to be related to the victim (e.g.,, which were not owned by British Airways but by the attacker. In the Feedify instance, the URL appeared to be a third-party or stats-collecting URL [hxxps://info-stat[.]ws/js/slider.js], thereby avoiding the attention of network administrators. FortiGuard Labs recommends that online shoppers use credit cards rather than debit cards for their protection. FortiGuard Labs is also monitoring this situation and will provide relevant updates as they become available.

Signatures: JS/MagentoSkimmer.B!tr
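Both forms of injection described above, a few lines added to an existing page and a script tag pointing at a host chosen to look like a stats service, change the page's script inventory, which a site operator can baseline and diff. The script below is an added example, not code from the FortiGuard brief or from the Magento project: it extracts external script hosts and hashes inline script bodies with the standard library's HTMLParser, then reports any host outside an allow-list and any inline script whose hash is not in the baseline. The two pages and the host names (static.example-shop.test, stats-collector.example) are constructed for the example.

```python
"""Inventory the scripts on a checkout page and diff them against a baseline.

Added example, not from the FortiGuard brief or from Magento. A Magecart
injection is a handful of lines added to an existing page, or a <script>
pointing at a host that looks like a third-party stats service. Both show up
as a change in the page's script inventory: a host outside the operator's
allow-list, or an inline script whose hash is not in the baseline. The HTML
and host names below are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src=...>
        self.inline = []         # bodies of <script>...</script> without src
        self._collecting = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._collecting, self._chunks = True, []

    def handle_data(self, data):
        if self._collecting:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._collecting:
            self.inline.append("".join(self._chunks).strip())
            self._collecting = False


def inventory(html):
    """Return the set of script hosts and the SHA-256 of each inline script."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    hosts = {urlparse(u).netloc.lower() for u in parser.external}
    hosts.discard("")                       # relative src values are same-origin
    hashes = {hashlib.sha256(body.encode("utf-8")).hexdigest() for body in parser.inline}
    return {"hosts": hosts, "inline_hashes": hashes}


def audit_page(html, baseline_html, allowed_hosts):
    """List deviations of a page from its baseline: unapproved hosts or new inline scripts."""
    base = inventory(baseline_html)
    cur = inventory(html)
    findings = []
    for host in sorted(cur["hosts"] - set(allowed_hosts)):
        findings.append(f"script loaded from host outside allow-list: {host}")
    for digest in sorted(cur["inline_hashes"] - base["inline_hashes"]):
        findings.append(f"inline script not present in baseline: sha256:{digest[:16]}")
    return findings


# Constructed pages: the shop's own static host is the only approved script source.
ALLOWED_HOSTS = {"static.example-shop.test"}

BASELINE_PAGE = """<html><body>
<script src="https://static.example-shop.test/js/checkout.js"></script>
<script>window.shop = {currency: "USD"};</script>
<form id="payment">...</form>
</body></html>"""

# The same page after a Magecart-style change: one extra external script from a
# look-alike "stats" host plus a few injected inline lines (content is a placeholder).
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "<form",
    '<script src="https://stats-collector.example/js/slider.js"></script>\n'
    "<script>/* injected lines */ var t = document.forms;</script>\n<form")


if __name__ == "__main__":
    for finding in audit_page(TAMPERED_PAGE, BASELINE_PAGE, ALLOWED_HOSTS):
        print(finding)
```

Run periodically against the live checkout page, the diff turns a 22-line injection into an alert. The same properties can be enforced rather than only detected: a Content-Security-Policy `script-src` directive restricts the hosts a browser will load scripts from and, without `'unsafe-inline'`, blocks injected inline scripts, and Subresource Integrity (`integrity` attributes) pins external scripts to a known hash.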


Attacks on Korean-Speaking Users Using Telegram – FortiGuard Labs is aware of a new malicious campaign targeting Korean-speaking users with what appears to be a white paper advertised on a cryptocurrency-related channel. The file in question has the extension .scr, which denotes a screensaver file on Windows operating systems (we’ve also observed the file name 1.exe floating around). It is peculiar because Telegram is well known for its mobile application, but very few are aware that Telegram has a desktop version as well; perhaps the attackers were hoping that victims would be compelled to download the Windows version or would already have it installed. The malware has all the marks of an infostealing Trojan, and specifically appears to be part of the AZORult family.

Our observations of the malware’s traits show that it steals and intercepts sensitive data from browsers and POSTs the exfiltrated information to a remote server located in Iceland. It also downloads what appear to be around 49 signed, clean files, perhaps as a way to evade detection (via DLL side-loading) and thwart analysis. Another evasion technique observed was marking files for deletion.

Signatures: W32/Kryptik.GKUJ!tr


Web Filtering

BondUpdater – The FortiGuard Labs Web Filtering team is aware of a new campaign targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. Researchers discovered that BONDUPDATER uses a maliciously crafted Microsoft Word document containing a macro that is responsible for installing the malware. Other traits observed are that it uses DNS tunneling to communicate with its C2 server and can use TXT records within its DNS tunneling protocol for further communication with the C2 server.
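DNS tunneling of the kind described above leaves a distinctive pattern in resolver logs: one domain receives many unique, high-entropy subdomains, and a channel that carries data back in TXT answers shows an unusual share of TXT queries. The detector below is an added example, not code from the FortiGuard brief and not a description of BONDUPDATER's actual encoding; it scores each registered domain on query count, TXT share, unique-subdomain count and mean label entropy. The log format ("<epoch> <client> <qtype> <qname>") and the sample lines are constructed for the example; the domains are reserved .test names, and the hex-looking labels are SHA-256 prefixes standing in for encoded data.

```python
"""Score DNS query logs for TXT-record tunnelling.

Added example, not from the FortiGuard brief. A DNS tunnel encodes its traffic
in query names, so one domain receives many unique, high-entropy subdomains,
and a channel that answers over TXT records shows an unusual share of TXT
queries. The log format below ("<epoch> <client> <qtype> <qname>") is
constructed for the example, not a real resolver's format, and the domains
are reserved test names.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character of the text; about 4 for hex noise, 1 to 2 for ordinary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered domain (last two labels); use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(lines):
    """Yield (client, qtype, qname) from the constructed log format, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def domain_stats(lines):
    """Per registered domain: query count, TXT share, unique subdomains, mean label entropy."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "ent": 0.0, "ent_n": 0})
    for _client, qtype, qname in parse_log(lines):
        dom = registered_domain(qname)
        a = acc[dom]
        a["queries"] += 1
        if qtype == "TXT":
            a["txt"] += 1
        sub = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        if sub:
            a["subs"].add(sub)
            a["ent"] += shannon_entropy(sub.replace(".", ""))
            a["ent_n"] += 1
    return {
        dom: {
            "queries": a["queries"],
            "txt_share": a["txt"] / a["queries"],
            "unique_subdomains": len(a["subs"]),
            "mean_entropy": a["ent"] / a["ent_n"] if a["ent_n"] else 0.0,
        }
        for dom, a in acc.items()
    }


def flag_tunnelling(lines, min_queries=8, min_txt_share=0.8, min_unique=6, min_entropy=3.0):
    """Domains that exceed all four thresholds; thresholds are starting points to tune per site."""
    flagged = []
    for dom, s in domain_stats(lines).items():
        if (s["queries"] >= min_queries and s["txt_share"] >= min_txt_share
                and s["unique_subdomains"] >= min_unique and s["mean_entropy"] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


def constructed_log():
    """Ordinary office traffic plus ten TXT queries carrying hex-looking labels."""
    lines = []
    for i, name in enumerate(["www", "mail", "www", "intranet", "www", "files"]):
        lines.append(f"{1537500000 + i} 10.0.0.5 A {name}.example-corp.test")
    lines.append("1537500010 10.0.0.5 TXT _dmarc.example-corp.test")   # legitimate TXT lookup
    for i in range(10):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]   # stand-in for encoded data
        lines.append(f"{1537500100 + i} 10.0.0.9 TXT {label}.s{i}.tunnel-c2.test")
    return lines


if __name__ == "__main__":
    for dom, s in domain_stats(constructed_log()).items():
        print(dom, s)
    print("flagged:", flag_tunnelling(constructed_log()))
```

Legitimate TXT traffic (SPF, DMARC, domain-verification records) is low-volume and uses a handful of fixed names, which is why the detector requires all four signals at once rather than TXT share alone; the thresholds are starting points to be tuned against a site's own baseline.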


Threat Research & Insights

Beware of Emails Purporting to be from the IRS – FortiGuard Labs has come across a peculiar phishing campaign purporting to be from the United States Internal Revenue Service (IRS), which is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING.” [Read More]

Results from the Third Annual “ETSI NFV Plugtest + OPNFV SFC/NSH” Event – Read Fortinet’s report on our recent participation in this year’s ETSI NFV Plugtest event, where vendors and open source communities meet, collaborate, and assess the level of interoperability of the ETSI implementation [Read More]

News Courtesy: FortiGuard – Weekly Threat Briefs