Activity Summary – Week Ending September 28, 2018

VPNFilter, a multi-stage modular framework that has infected hundreds of thousands of network devices around the world, has been discovered to have even greater capabilities than originally profiled. Announcing their findings through the Cyber Threat Alliance, Cisco’s Talos provided early awareness and early sharing of IOCs with the CTA members. Seven additional third-stage modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices. New capabilities include data filtering and multiple encrypted tunneling functions to mask command and control and data exfiltration traffic. It is important to note that this threat is difficult to detect and difficult to detect on unpatched devices.

MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine. These devices seemed to be critical to the actor’s operational goals. The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries from Talos.

Expanded VPNFilter capabilities:

  1. Additional capabilities that could be leveraged to map networks and exploit endpoint systems that are connected to devices compromised by VPNFilter.
  2. Multiple ways for the threat actor to obfuscate and/or encrypt malicious traffic, including communications used for C2 and data exfiltration.
  3. Multiple tools that could be utilized to identify additional victims accessible from the actor’s foothold on devices compromised by VPNFilter for the purposes of both lateral movement within a network, as well as to identify new edge devices in other networks of interest to the actor.
  4. The capacity to build a distributed network of proxies that could be leveraged in future unrelated attacks to provide a means of obfuscating the true source of attack traffic by making it appear as if the attacks originated from devices previously compromised by VPNFilter.

Fortinet’s antivirus signature: ELF/VPNFilter.A!tr

There is much more to understand about this threat. Read the full research from
Cisco Talos blog
Fortinet blog
Cyber Threat Alliance membership

Application Vulnerabilities / IPS

Joomla.Plugin.Com.Jce.Arbitrary.File. – JCE is a popular plugin for Joomla, which allows for easier creating of content, with features that resemble the ones found in feature-rich text editors like Microsoft Word.

This exploits a file upload vulnerability present in the Joomla com_jce plugin. By exploiting this vulnerability, an unauthenticated attacker can run arbitrary code by uploading files on the server and executing them.

Affected JCE 2.1.0 is vulnerable; other versions may also be affected. At the time of this writing, public proof of concept exploits were available on popular search engines.

We are seeing increased telemetry for this specific signature, with our sensors detecting a 32% increase when comparing the average of the last 7 days versus the average for the last 30 days. The most affected countries are the United States 6.98%, Mexico 6.51%, and Japan 5.56%.

Signatures: Joomla.Plugin.Com.Jce.Arbitrary.File.Upload

Apache.Tomcat.Arbitrary.JSP.file.Upload – A remote code execution vulnerability lies in the code of Apache Tomcat versions 7.0.0 to 7.0.9 and 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46, and 7.0.0 to 7.0.81.

The vulnerability can be triggered if the HTTP PUT methods are enabled. When this is configured, it is possible to upload a JSP file to the vulnerable server via crafting a malicious PUT request. The execution can be achieved by then requesting this same file from the web server, causing it to execute attacker supplied code.

At the time of this writing, there were public exploits available as well as Metasploit modules on popular threat intelligence distribution websites.

We are seeing increased activity for this attack, with 3% of all sensors reporting this attack. The last 7 days’ average is 10% higher than the last 30 days’ average. The most affected countries are India 9.60%, the United States 8.67%, and China 7.27%.

Signatures: Apache.Tomcat.Arbitrary.JSP.file.Upload

Malware Activity

Virobot Packs a 1-2 Punch! – FortiGuard Labs has observed a new ransomware/botnet hybrid in the wild, dubbed Virobot. Virobot appears to be targeting users specifically in the United States. Observed during the analysis, Virobot also becomes part of a spam botnet that pushes itself out to find more victims to target to increase the spread. Virobot will perform several cursory checks, such as Machine GUID and product key, to determine if it should encrypt the machine. If Virobot finds a specific registry key, it will then proceed with creating an encryption key and forwarding the details of the key to the C2 server. Once this has occurred, encryption begins and users are then prompted with the customary ransomlock key screen, which contains details in French, as this ransomware family has been observed being active only in the United States. Also, in order for the encryption routine to be successful, it will need to be able to connect to the C2 server, and at the time of discovery it appears the C2 servers are down, therefore lessening impact. Additional functionality of Virobot includes keylogging functionality, which is exfiltrated back to the C2 server. It also contains downloading capabilities, which may run additional malicious payloads executed via PowerShell.

Signatures: W32/Generic.SM!tr


Yet Another Tech Support Scam – FortiGuard Labs is aware of a new tech support scam malware discovered earlier this week by researchers. Once the malware is run, the victim is presented with a lock screen that at first glance appears to be an official notice from Microsoft, which is reminiscent of the classic blue screen of death (BSOD). The distribution vector at this time is unknown. Telltale giveaways of this poorly crafted scheme indicate that the author is not a native English speaker as there are multiple capitalization, grammar, and punctuation issues. Another interesting twist is that the file is being distributed under a well-known antivirus vendor product name as *****SECURITY.EXE.

Below is the notice the victim sees:

Your Windows Security has been Compromised and Microsoft has detected an unsolvable threat and this threat can result a great loss to your computer and it has been violated the terms of Microsoft.

Your PC has been Blocked so you cannot access your PC right now and it is very much bad for you. We have cover you with 2 options

  1. Install a New Windows (Removes all the data and files)
  2. Purchase and Verify the new License from the Microsoft Certified Technician

The choice is yours, If you choose the number 1. Then we are going to delete all of your files from your comptuer and we are going to ban you from your PC and the 2nd one refers if you want your files back, click the below butten (what to do) and you need to purchase and verify the new license from the microsoft certified technician and you will get your files back.

Department: Windows Help and Support Contact +1-888-398-0888

Obviously, calling the number above is not suggested.

Signatures: MSIL/FakeSupport.CT!tr

Web Filtering

PartnerStroka – FortiGuard Labs Web Filtering team has observed a new type of tech support scam named Partnerstroka. Discovered by researchers earlier this week, Partnerstroka redirects users through malvertising campaigns on websites that have been injected with malicious advertisement code. The technique used is similar to other tech scams as well which is by displaying “scareware”-type on-screen warnings that leads victims into contacting a fake customer support representative.

FortiGuard Labs has blacklisted all related IOCs.


Threat Research & Insights

Deep Analysis of a Driver-Based MITM Malware: iTranslator – FortiGuard Researchers analyze a new man-in-the-middle malware that contains significant malicious payload. [Read More]

VPNFilter Update — New Attack Modules Documented – This most current update, also posted by Cisco Talos through the Cyber Threat Alliance, identifies additional updates to the VPNFilter malware that have not been seen previously. [Read More]

News Courtesy: FortiGuard РWeekly Threat Briefs