September 18, 2018 - Anomali Threat Research

Weekly Threat Briefing: Windows Systems Vulnerable To FragmentSmack, 90s-Like DoS Bug

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT10, APT34, BEC campaign, BONDUPDATER, Data breach, PyLocky</strong> and <strong>Spear Phishing.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/windows-systems-vulnerable-to-fragmentsmack-90s-like-dos-bug/" target="_blank"><b>Windows Systems Vulnerable To FragmentSmack, 90s-Like DoS Bug</b></a> (<i>September 15, 2018</i>)<br/> Several versions of Windows, including Windows 7 through 10 and Core Installations, are vulnerable to a Denial-of-Service (DoS) bug that can leave the machine completely unresponsive, with no mitigating factors. The vulnerability, registered as “CVE-2018-5391” and known as “FragmentSmack,” is triggered by sending many IP fragments with incorrect fragment-offset values. The fragments are expected to be reassembled into the original packet at the destination, but the kernel cannot reassemble them, so they remain queued. The growing reassembly queue drives CPU utilization to its maximum and leaves the machine unresponsive. 
Microsoft recently released a security patch for this vulnerability.<br/> <a href="https://forum.anomali.com/t/windows-systems-vulnerable-to-fragmentsmack-90s-like-dos-bug/2940" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/new-brrr-dharma-ransomware-variant-released/" target="_blank"><b>New Brrr Dharma Ransomware Variant Released</b></a> (<i>September 15, 2018</i>)<br/> Researcher Jakub Kroustek discovered a new variant of the Dharma ransomware, called “Brrr” after the “.id-[id].[email].brrr” extension that is appended to each file once it is encrypted. The ransomware is installed manually by threat actors who gain unauthorized access to Remote Desktop Services exposed directly to the internet by brute-forcing the password of the target machine. Once the threat actor has brute-forced the machine and installed the malware, it runs automatically and encrypts mapped network drives, shared virtual machine host drives, and unmapped network shares. It then creates two ransom notes to display on the infected computer and configures itself to autorun when a user logs into the machine. 
The ransom note states that the user must contact the specified email address to receive further instructions on paying for a decryption key for their files.<br/> <a href="https://forum.anomali.com/t/new-brrr-dharma-ransomware-variant-released/2941" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping (T1003)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a></p><p><a href="https://www.zdnet.com/article/nasty-piece-of-css-code-crashes-and-restarts-iphones/" target="_blank"><b>Nasty Piece Of CSS Code Crashes And Restarts iPhones</b></a> (<i>September 15, 2018</i>)<br/> Security researcher Sabri Haddouche discovered a vulnerability in the WebKit engine used by the Safari browser that crashes and restarts the iOS operating system. The vulnerability is triggered by loading an HTML page with a specially crafted CSS file that tries to apply a backdrop-filter to the page in order to accelerate the loading of background elements. This overloads the graphics resources and causes a kernel panic in the operating system, crashing and restarting the iPhone, iPad, or Mac. 
Apple has been made aware of the vulnerability.<br/> <a href="https://forum.anomali.com/t/nasty-piece-of-css-code-crashes-and-restarts-iphones/2942" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/" target="_blank"><b>Fallout Exploit Kit Pushing The SAVEfiles Ransomware</b></a> (<i>September 14, 2018</i>)<br/> The Fallout exploit kit has been observed distributing a new ransomware, called “SAVEfiles,” through a malvertising campaign primarily targeting Japan and France, among other countries. The malvertisement triggers a chain of redirects that leads victims to a site hosting the Fallout exploit kit, which then installs the SAVEfiles ransomware on the user’s machine automatically. The malware encrypts all files on the infected machine and requires the user to purchase a unique decryptor tool, which the threat actor provides after being contacted at the email address given in the ransom note. 
The Fallout exploit kit exploits vulnerabilities in VBScript and Flash Player to install malware via website redirects.<br/> <a href="https://forum.anomali.com/t/fallout-exploit-kit-pushing-the-savefiles-ransomware/2943" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947267">[MITRE ATT&amp;CK] Drive-by Compromise (T1189)</a></p><p><a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"><b>APT10 Targeting Japanese Corporations Using Updated TTPs</b></a> (<i>September 13, 2018</i>)<br/> The Chinese cyber espionage group APT10 (also known as Menupass) has recently been seen targeting the Japanese media sector through a spear phishing campaign whose malicious attachment installs the UPPERCUT backdoor. The group sends phishing emails that appear to concern maritime, diplomatic, and North Korean issues and carry a malicious Microsoft Word document that is password-protected to bypass spam detection; the password is provided in the body of the email. If opened, the document asks the user to enable macros, and the macro then drops three PEM files into the machine’s %TEMP% folder, decodes them, and launches GUP.exe, a free generic updater binary used by Notepad++. This installs a malicious Dynamic Link Library (DLL) that runs shellcode to decompress another DLL. 
This second DLL is the UPPERCUT backdoor, which initializes communication with the threat actor’s command and control (C2) server using Blowfish encryption.<br/> <a href="https://forum.anomali.com/t/apt10-targeting-japanese-corporations-using-updated-ttps/2944" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.infosecurity-magazine.com/news/veeam-manages-expose-data-mongodb/" target="_blank"><b>Veeam Manages to Expose Data in MongoDB Snafu</b></a> (<i>September 13, 2018</i>)<br/> The data management company Veeam suffered a data breach after a misconfigured MongoDB server exposed 445 million records, including email addresses and potential customer names, to the public. Security researcher Bob Diachenko discovered an Amazon-hosted IP address that was left exposed without a password from August 31 until September 9, 2018. The 200 gigabytes of data, which belonged to the company’s marketing automation team, included millions of files from between 2013 and 2017. As a result, information such as country, customer names, email addresses, organization size, and recipient type, among other fields, was publicly accessible. 
Following the breach, Veeam quickly secured the database server and released a statement saying that many of the files were duplicates, so the actual number of accessible emails and records is closer to 4.5 million.<br/> <a href="https://forum.anomali.com/t/veeam-manages-to-expose-data-in-mongodb-snafu/2945" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.zdnet.com/article/bec-scam-artist-ordered-to-pay-back-2-5-million-lands-hefty-prison-sentence/" target="_blank"><b>BEC scam artist ordered to pay back $2.5 million, lands hefty prison sentence</b></a> (<i>September 13, 2018</i>)<br/> A Nigerian man was sentenced to five years in prison and ordered to pay back $2.5 million USD in damages to victims after running a business email compromise (BEC) campaign between 2014 and 2016 that attempted to defraud victims of over $25 million USD. The man, Onyekachi Emmanuel Opara, operated from Nigeria but targeted victims across the world, including in Australia, New Zealand, Singapore, the UK, and the US. He sent phishing emails to employees of targeted businesses, posing as third-party vendors or supervisors and using email addresses that closely resembled legitimate domains. The campaign hosted fake DocuSign login pages on over 100 different compromised websites to harvest the victims’ business credentials. 
On top of the phishing emails, Opara created a fake dating profile to enter into inauthentic relationships with men and persuade them to send money to what they believed was their online “girlfriend.” He was extradited to the US, where he pled guilty to two counts: conspiracy to commit wire fraud, and wire fraud.<br/> <a href="https://forum.anomali.com/t/bec-scam-artist-ordered-to-pay-back-2-5-million-lands-hefty-prison-sentence/2946" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/" target="_blank"><b>Kodi Add-ons Launch Cryptomining Campaign</b></a> (<i>September 13, 2018</i>)<br/> A third-party add-on repository for the open-source “Kodi” media player, called “XvBMC,” was found to have been part of a cryptomining campaign dating back to December 2017. The repository, which was shut down in August 2018, was likely inadvertently distributing add-ons that contained cryptomining malware mining the “Monero” cryptocurrency. Kodi users were infected either by adding the URL of a malicious repository to download add-ons, or by installing a build of Kodi that already had a malicious repository bundled in. 
The top five countries affected by this cryptomining campaign, from most to least, are the U.S., Israel, Greece, the U.K., and the Netherlands.<br/> <a href="https://forum.anomali.com/t/kodi-add-ons-launch-cryptomining-campaign/2947" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank"><b>OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government</b></a> (<i>September 12, 2018</i>)<br/> Palo Alto Networks Unit 42 researchers have found that the Advanced Persistent Threat (APT) group “OilRig” (APT34), which is believed to be based in Iran, launched a new spear phishing campaign in August 2018. The campaign targeted an unnamed government organization in the Middle East with a phishing email that had no subject line and whose content was specifically tailored to that organization. The email carried a malicious document attachment with a macro that, if enabled, attempts to download a new version of the BONDUPDATER trojan. 
The malware achieves persistence by creating a scheduled task and communicates with its Command and Control (C2) server.<br/> <a href="https://forum.anomali.com/t/oilrig-uses-updated-bondupdater-to-target-middle-eastern-government/2948" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/apples-safari-falls-for-new-address-bar-spoofing-trick/" target="_blank"><b>Apple's Safari Falls For New Address Bar Spoofing Trick</b></a> (<i>September 11, 2018</i>)<br/> A vulnerability in the Safari web browser, registered as “CVE-2018-8383,” has been discovered that allows threat actors to control the content displayed in the address bar, enabling difficult-to-detect phishing schemes. Security researcher Rafay Baloch recreated the vulnerability in both the Safari and Microsoft Edge web browsers. A threat actor could easily delay the address bar from updating with the accurate website URL and impersonate any web page while the target sees a legitimate domain name in the bar, complete with authentication marks. For example, Baloch tested this with a proof-of-concept (PoC) page that loaded content from gmail[.]com but was hosted on a sh3ifu[.]com server. It may be possible to spot such a page because the loading wheel and progress bar remain visible, but this is often just a sign of background elements loading slowly, which is common when accessing a normal web page. 
Apple has acknowledged the bug and is reportedly including a fix for it in the upcoming security update.<br/> <a href="https://forum.anomali.com/t/apples-safari-falls-for-new-address-bar-spoofing-trick/2949" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack" target="_blank"><b>Securonix Threat Research: Kronos/Osiris Banking Trojan Attack</b></a> (<i>September 11, 2018</i>)<br/> A new variant of the Kronos banking trojan, which was first discovered in June 2014 being offered for sale on underground forums for approximately $7,000 (USD), has been found in three separate campaigns, according to Securonix researchers. The campaigns began in July 2018 and were observed targeting individuals in Germany, Japan, and Poland. The new Kronos variant includes capabilities such as keylogging, remote control via Virtual Network Computing (VNC), and use of the Tor network for Command and Control (C2), alongside previously seen abilities such as form-grabbing and web-injection. 
Kronos is distributed via phishing emails containing custom-made Microsoft Word documents or RTF attachments with macro or OLE content that, if enabled, downloads and executes a VB stager; the documents exploit a Microsoft Office Equation Editor component vulnerability registered as “CVE-2017-11882.” Other distribution methods include malspam delivered via the RIG exploit kit.<br/> <a href="https://forum.anomali.com/t/securonix-threat-research-kronos-osiris-banking-trojan-attack/2950" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture (T1056)</a></p><p><a href="https://securityintelligence.com/news/new-zero-day-vulnerability-for-windows-tweeted-immediately-exploited/" target="_blank"><b>New Zero-Day Vulnerability for Windows Tweeted, Immediately Exploited</b></a> (<i>September 11, 2018</i>)<br/> ESET researchers observed a tweet, posted on August 27, 2018, that linked to a GitHub repository containing proof-of-concept code for a zero-day exploit. The exploit affects Windows 7 through 10 by taking advantage of a vulnerability in the Advanced Local Procedure Call (ALPC) process. Although the tweet has since been deleted, a threat group called “PowerPool” followed the link and used the information to create its own version of the zero-day exploit. 
The group has been observed using the exploit in the wild to target machines in Chile, Germany, India, the Philippines, Poland, Russia, the U.K., and the U.S.<br/> <a href="https://forum.anomali.com/t/new-zero-day-vulnerability-for-windows-tweeted-immediately-exploited/2951" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API (T1106)</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" target="_blank"><b>A Closer Look At The Locky Poser, PyLocky Ransomware</b></a> (<i>September 10, 2018</i>)<br/> A new ransomware posing as a Locky variant, dubbed “PyLocky,” has recently been distributed through spam emails. The campaign was observed targeting French businesses with phishing emails that purported to relate to invoice receipts. The emails contain a link that, if clicked, redirects the user to a malicious URL hosting PyLocky. The URL leads to a ZIP file containing a signed executable that runs and drops the malware components: several C++ and Python libraries, the Python 2.7 core dynamic-link library (DLL), and the ransomware executable. The malware then encrypts archive files, databases, documents, images, programs, games, and videos, among others. Following encryption, the ransomware displays a ransom note in English, French, Korean, and Italian, suggesting Italian and Korean speakers may also be targets. 
The ransom note states that users must purchase a decryptor via the Tor browser in order to get their files back, and threatens that the price will increase as time passes. The threat actors let users decrypt one image file for free to demonstrate that the decryptor is legitimate. PyLocky features anti-machine-learning capabilities, which make static analysis of the malware more difficult.<br/> <a href="https://forum.anomali.com/t/a-closer-look-at-the-locky-poser-pylocky-ransomware/2952" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation (T1047)</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link (T1192)</a></p><p><a href="https://www.zdnet.com/article/popular-vpns-contain-code-execution-security-flaws-despite-patches/" target="_blank"><b>Popular VPNs contained code execution security flaws, despite patches</b></a> (<i>September 10, 2018</i>)<br/> The popular Virtual Private Network (VPN) applications ProtonVPN and NordVPN were found to have vulnerabilities that could allow threat actors to execute arbitrary code. Security researchers from Cisco Talos found two vulnerabilities, registered as “CVE-2018-3952” and “CVE-2018-4010,” that allow code execution on Microsoft Windows machines. Although security patches were released and applied to both applications in April 2018, it is still possible to circumvent the fix and execute code as an administrator on the system. 
The vulnerabilities in these two applications allow logged-in users to execute binaries that include the VPN configuration option for setting a specific VPN server location. That information is passed through an OpenVPN configuration file, into which a threat actor could insert their own command line. The OpenVPN file can instruct the service to load a dynamic library plugin for every new VPN connection, which would then execute code in the context of the SYSTEM user. A tampered, malicious OpenVPN file can therefore lead to tampering with the VPN service, information disclosure, and hijacking through arbitrary commands. CVE-2018-3952 affects NordVPN and CVE-2018-4010 affects ProtonVPN, and both vulnerabilities can allow privilege escalation and arbitrary command execution.<br/> <a href="https://forum.anomali.com/t/popular-vpns-contained-code-execution-security-flaws-despite-patches/2953" target="_blank">Click here for Anomali recommendation</a></p></div></div>
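The FragmentSmack item above describes fragments with impossible offsets piling up in the kernel's reassembly queue. The following monitor is an added example (not code from the briefing or from Microsoft) that mirrors that queue over raw IPv4 headers and raises an alert on either symptom; the packets it consumes are constructed inline, and QUEUE_LIMIT is an assumed tuning threshold.

```python
"""Flag IPv4 fragment streams with FragmentSmack-style traits (added example).

Not code from the briefing or from Microsoft. Assumes a defender feeds raw
IPv4 packets from a capture; QUEUE_LIMIT is an assumed tuning threshold.
"""
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535   # largest reassembled IPv4 datagram (RFC 791)
QUEUE_LIMIT = 16       # assumed: fragments queued per datagram before alerting
MF_FLAG = 0x2000       # "more fragments" bit in the flags/offset field


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields needed for fragment tracking out of a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),     # reassembly identity per RFC 791
        "offset": (flags_off & 0x1FFF) * 8,  # offset field counts 8-byte units
        "more": bool(flags_off & MF_FLAG),
        "payload_len": total_len - ihl,
    }


class FragmentMonitor:
    """Mirrors the kernel's reassembly queue and reports fragment streams
    that either claim impossible offsets or never complete."""

    def __init__(self):
        self.queues = defaultdict(list)  # key -> [(offset, length, more)]
        self.alerts = []

    def observe(self, pkt: bytes) -> None:
        f = parse_ipv4(pkt)
        if not f["more"] and f["offset"] == 0:
            return  # unfragmented datagram, nothing to track
        if f["offset"] + f["payload_len"] > MAX_DATAGRAM:
            # this offset/length pair can never fit inside a valid datagram
            self.alerts.append(("bad_offset", f["key"], f["offset"]))
            return
        q = self.queues[f["key"]]
        q.append((f["offset"], f["payload_len"], f["more"]))
        if self.is_complete(q):
            del self.queues[f["key"]]  # reassembled; release the queue
        elif len(q) > QUEUE_LIMIT:
            self.alerts.append(("queue_exhaustion", f["key"], len(q)))
            del self.queues[f["key"]]  # drop it the way a hardened stack would

    @staticmethod
    def is_complete(q) -> bool:
        """True once a last fragment was seen and [0, end) has no gaps."""
        if all(more for _, _, more in q):
            return False
        covered = 0
        for off, ln, _ in sorted(q):
            if off > covered:
                return False  # hole in the byte range
            covered = max(covered, off + ln)
        return True


def make_fragment(ident: int, offset: int, payload_len: int, more: bool) -> bytes:
    """Constructed sample packet (header plus zero payload, never sent) for testing."""
    flags_off = (offset // 8) | (MF_FLAG if more else 0)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_off, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + b"\x00" * payload_len
```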
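The last item above turns on a privileged VPN service accepting an OpenVPN profile that can name a plugin library or a script to run. The validator below is an added example (not code from the briefing, NordVPN, ProtonVPN or the OpenVPN project) that allowlists directives before the profile reaches the service; the directive names are real OpenVPN 2.x options, while the allowlist and the sample profiles are assumptions.

```python
"""Allowlist validator for user-supplied OpenVPN profiles (added example).

Not code from the briefing, NordVPN, ProtonVPN or OpenVPN. Assumes a
privileged service receives a .ovpn file chosen by an unprivileged user and
must refuse any directive that loads a library or runs a command.
"""

# Real OpenVPN directives that load a shared library or spawn a process around
# the tunnel lifecycle. None belong in a profile handed to a SYSTEM service.
CODE_EXEC_DIRECTIVES = {
    "plugin", "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security",
}

# Assumed allowlist: what a plain client profile needs and nothing more.
ALLOWED_DIRECTIVES = {
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "verb", "ca", "cert", "key", "tls-auth", "key-direction",
}

# Inline <ca>...</ca> style blocks that may carry certificate material.
INLINE_BLOCKS = {"ca", "cert", "key", "tls-auth"}


def validate_ovpn(text: str):
    """Return (ok, problems). Unknown directives are rejected as well as the
    known-dangerous ones, so a new option cannot slip past the filter."""
    problems = []
    open_block = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if open_block:                       # inside <ca> ... </ca>
            if line == f"</{open_block}>":
                open_block = None
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            name = line[1:-1].lower()
            if name in INLINE_BLOCKS:
                open_block = name
            else:
                problems.append(f"line {lineno}: inline block <{name}> not allowed")
            continue
        directive = line.split()[0].lower()
        if directive in CODE_EXEC_DIRECTIVES:
            problems.append(f"line {lineno}: '{directive}' can execute code")
        elif directive not in ALLOWED_DIRECTIVES:
            problems.append(f"line {lineno}: '{directive}' not in allowlist")
    if open_block:
        problems.append(f"unterminated inline block <{open_block}>")
    return (not problems), problems


# Constructed sample profiles for a self-check (placeholder host and cert).
GOOD_PROFILE = """client
dev tun
proto udp
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

# Same profile with two code-executing directives appended.
BAD_PROFILE = GOOD_PROFILE + "script-security 2\nplugin placeholder-plugin.dll\n"
```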
