Cyber Hub

The notorious Emotet group was recently linked to a new SMiShing campaign in which phishing domains for banks are being used to harvest credentials and drop malware on the victim’s machine. Researchers also suspect that some payloads in this campaign are linked to TrickBot.

A group of researchers uncovered an APT campaign backed by Iran that exploited vulnerabilities found on different VPNs. Purportedly the campaign has been ongoing for the last three years and was aimed against dozens of companies and organizations in several countries like Israel, U.S., Saudi Arabia, Australia and others. As part of the campaign, dubbed ‘Fox Kitten’ by the researchers, the hackers targeted companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. The researchers believe that the goal of the attacks is to breach networks, move laterally once they have access to the internal systems and plant backdoors to be exploited when necessary. An interesting aspect of this campaign, according to the research, is that known Iran-backed APTs seem to have collaborated in order to carry it out: APT33-Elfin, APT34-OilRig and potentially APT 39-Chafer. 

Over the past couple of weeks, several phishing campaigns were observed being launched by threat actors against organizations and end-users around the world. The campaigns are linked to different threat actors and target various countries using different social engineering techniques. A new phishing campaign that uses Google Forms was detected, as well as continuous use of the concern of the Coronavirus and another campaign that uses Microsoft Excel files. 

CyberProof CTI team continuously monitors changes to Emotet malware campaign, currently one of the most prolific malware families.  Over the past week, we have seen an increase in Emotet targeted attacks, as well as malware modification.  Emotet  Emotet is a banking trojan written to perpetrate fraud. It is usually distributed through large-scale spam campaigns with links to malicious word documents containing a PowerShell downloader script and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Emotet is known to be bundled alongside Zeus Panda (Panda Banker), Trickbot, and IceID.

A proof of concept exploit for a denial of service vulnerabilities (CVE-2020-0609 and CVE-2020-0610) in the Remote Desktop Gateway (RD Gateway) component on Windows Server (2012, 2012 R2, 2016, and 2019) devices was published recently. The two vulnerabilities are dubbed BlueGate and were patched by Microsoft as part of January Patch Tuesday. RD Gateway is used to fence off Remote Desktop servers on internal networks from Internet connections and to only allow the ones that successfully authenticate on the gateway to reach the server. RDG supports three different protocols: HTTP, HTTPS, and UDP. The updated function in the recent update made by Microsoft prior to the discovery of the flaws is responsible for handling the UDP protocol. The RDG UDP protocol allows for large messages to be split across multiple separate UDP packets. Due to the property that UDP is connectionless, packets can arrive out of order. The job of this function is to re-assemble messages, ensuring each part is in the correct place. Once exploited, the vulnerabilities can allow an unauthenticated attacker that connects to the target system using RDP, executing arbitrary code. According to Microsoft, these vulnerabilities are pre-authentication and requires no user interaction. In addition, the vulnerability only affects UDP transport, which by default runs on UDP port 3391.

During the last month we have witnessed several large-scale ransomware attacks, the most prominent of them being the Sodinokibi attack on the currency exchange company Travelex, whose website is still unavailable at the time of writing this piece. However, we have identified a trend with these threat actors who, in order to increase the likelihood of the victims effectively paying the ransom, are stealing and threatening to leak the victim’s data. Companies may be more apt to pay a ransom if it costs less than the possible fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits for the disclosing of personal data.

After a break of several weeks, the infamous Emotet trojan has restarted its activity, running spear-phishing campaigns in more than 80 countries around the world. The group behind Emotet, TA542, is focusing on phishing emails, pretending to be proof-of-delivery documents, reports, agreements, and statements. The banking trojan that has become a powerful botnet that is also used to deliver other malware such as Trickbot and Ryuk ransomware, is known with its advanced social engineering campaigns using regular emails and reply-chain attacks made thanks to successful account takeover attacks.

On Friday, January 17, there was a high-risk memory corruption vulnerability (CVE-2020-0674) in the security update released by Microsoft. Microsoft issued a warning about this critical IE Zero Day vulnerability that actively exploited in wide and warns Windows users.  A critical remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. According to the advisory: “A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user… An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Following our recent CTI alert from January 14 regarding a patch for a critical vulnerability in Microsoft Windows clients and servers, our team kept a close look on any developments on the matter. 

This week, security researchers published proof-of-concept (PoC) exploits for the recently patched vulnerability in the Windows operating system, which was published and reported to Microsoft by the NSA. It affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.  

The bug described as “seriously, seriously bad” by security advisors is the first one to be reported to Microsoft by the NSA.  The DHS' CISA department issued an emergency directive, giving government agencies ten days to patch systems by applying the January 2020 Microsoft Patch Tuesday updates. 

This week, NetLab researchers found that a cybercrime group is enslaving Linux servers running vulnerable Webmin apps in a new botnet that security researchers are currently tracking under the name of Roboto.

Roboto appeared in July of this year and is linked to the disclosure of a major security flaw in a Web app installed on more than 215,000 Linux servers - a perfect basis for building a botnet. The team behind Webmin, a web-based remote management app for Linux systems, disclosed and patched a vulnerability that allowed attackers to run malicious code with root privileges and take over older Webmin versions. Because of the security flaw's easy exploitation and the vast number of vulnerable systems, attacks against Webmin installs began days after the vulnerability was disclosed.