SPECIAL HOLIDAY OFFER: Custom Recon Report with free Anomali Enterprise Trial   Sign Up Now

WTB: WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping

October 17, 2017 | Gage Mele

The intelligence in this week’s iteration discuss the following threats: Data breach, Malware, Malvertising, Phishing, RAT, Support scam, Threat group, Vulnerabilities, Wi-Fi, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (October 16, 2017)
Security researchers have discovered a vulnerability that affects nearly every Wi-Fi enabled device. The vulnerability, dubbed "KRACK" (Key Reinstallation Attack), resides in the WPA2 protocol that is commonly used in securing wireless networks. Specifically, the flaw lies in the protocol's four-way handshake which allows new devices with a pre-share password to join the network. An actor would first need to trick an individual into reinstalling a cryptographic nonce, a randomly generated number used to prevent replay attacks, that already exists. A reused nonce can allow a threat actor to attack the encryption of the protocol which could lead to hijacked connections and injected content into the network traffic stream.
Recommendation: Your company should be on the lookout for the necessary security patches and apply them as soon as possible, some companies and already issued patches. Additionally, measures should be in place to monitor your company's traffic for any potential malicious activity.
Tags: Vulnerability, Wi-Fi

Decoy Microsoft Word Document Delivers Malware Through A RAT (October 13, 2017)
MalwareBytes researchers have discovered that threat actors are using malicious Microsoft Office documents, that require no user interaction, to infect users with a Remote Administration Tool (RAT). The RAT is a commercial tool known as "Orcus RAT" that is being used for malicious purposes. Using this tactic, the Office documents can appear benign. If an individual opens the Word document, it will trigger an automatic download of a malicious RTF files that deploys the exploit "CVE-2017-8759" to deliver the payload.
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, the patch for CVE-2017-8759 should be applied as soon as possible if it has not been already.
Tags: Malcicious Word document, RAT

Hyatt Suffers Second Card Data Breach in Two Years (October 13, 2017)
The multinational hotel operator, "Hyatt," has acknowledged that some of their locations were compromised by unknown actors. Hyatt discovered that unauthorized access to payment card information, that was entered manually or swiped at front desks, occurred between March 18 and July 2, 2017. The breach affects 41 locations in 11 countries. As of this writing, it is unknown how many people may be affected by this incident.
Recommendation: POS Security relies on the same type of preventative measures as all others, because they are a unique type of computer. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the POS system should occur along with a formal incident response investigation.
Tags: Data breach, Data theft, Hyatt

Equifax Website Hacked Again (October 12, 2017)
Security researcher, Randy Abrams, discovered that on October 11, 2017, The U.S.-based credit bureau "Equifax" had its website compromised. Abrams discovered that for several hours, on October 11, and again on October 12, the Equifax website was offering visitors a fake Adobe Flash update. If a user downloaded the update, they would be infected with adware.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Additionally, policies should be in place for webmaster to apply updates as soon as possible from the official vendor websites.
Tags: Website compromise, Equifax

PDF Phishing Leads to NanoCore RAT, Targets French Nationals (October 12, 2017)
A new phishing campaign has been identified to be targeting French nationals, according to Fortinet researchers. The actors are using phishing emails that purport to be banking loan offers. The emails have PDF file attachments that contain embedded JavaScript that will download an HTA file from a Google Drive shared link. The HTA file will drop and subsequently execute "NanoCore" Remote Access Trojan (RAT) payload.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link or open an attachment can often be indicative of a phishing attack.
Tags: Phishing, RAT, Nanocore

Spoofed SEC Emails Distribute Evolved DNSMessenger (October 11, 2017)
Cisco Talos researchers have published additional information regarding threat actors spoofing emails from the U.S. Securities Exchange Commission (SEC) to deliver malware. Researchers have observed that actors are now spoofing emails to make them appear to be from the SEC's Electronic Data Gathering Analysis and Retrieval (EDGAR) system. The emails contain a malicious attachment that begins the infection process when opened that leads to infection with "DNSMessenger" malware.
Recommendation: The impersonation of government agencies continues to be an effective phishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. in the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Phishing, SEC, Spoofed email, Malware, DNSMessenger

Equifax: Up to 15 Million More at Risk (October 11, 2017)
The U.S.-based credit bureau "Equifax" has added additional information regarding the breach it suffered in September. The bureau has now stated that it believes that approximately 15.2 million U.K. records were affected, specifically, individuals who were entered into its database between 2011 and 2016. Researchers state that out of the 15.2 million, 693,665 individuals are categorized as "high-risk." After news of the breach was reported in September, Equifax had first stated that approximately 400,000 U.K. consumers were affected.
Recommendation: With nearly half of the U.S. population, and a significant increase in U.K. individuals affected by this breach, it is important for individuals to check to see if they are affected by using the following website "https://www.equifaxsecurity2017.com/potential-impact/". Affected individuals in the United Kingdom will have letters sent to them by Equifax, specifying what data was exactly accessed. Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data breach, Data theft, Equifax

Watch Out for These High-Pressure Apple Malware Scams (October 11, 2017)
A new scam campaign has been found to be targeting Apple product users, according to Sophos researchers. The actors are using scare-tactics by impersonating the Apple support and stealing the company's images to use in support scams. The alerts present to Mac users purport that the machine has been infected various forms of malware, or contains critical vulnerabilities. If a user proceeds with the directions in the "security alert," they will be asked to install a third-party software to "fix" the issues. Researchers also note that they identified a fake Adobe Flash Player updated being used by threat actors in this round of Apple scams.
Recommendation: Technical support scams are common threats facing individuals and companies alike. Any image that appears that requests a phone number be called in order to receive assistance in repairing a machine is likely fake. Often times there are research blogs that provide instructions to remove malware related to these type of scams from an infected machine. Policies should also be in place to educate your employees on the proper steps to avoid these scams, and who to inform if such an instance occurs.
Tags: Security/Support scam, Apple

Microsoft Patches Windows Zero-Day Flaws Tied to DNSSEC (October 10, 2017)
Microsoft's Patch Tuesday has issued security updates that address a zero-day vulnerability in the Windows DNS client. Specifically, the Windows DNS client in Windows version 8 and 10, as well as Windows Server 2012 and 2016. The heap buffer overflow vulnerabilities, registered as "CVE-2017-11779," were identified in one of the data record features used in the secure Domain Name System (DNSSEC). If a threat actor exploits this vulnerability, it could allow her/him to take full control of the affected machine without the need for any user interaction.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security features. Using the automatic update feature in Windows operating systems is a good mediation step to ensure that your company is always using the most recent version.
Tags: Vulnerability, Zero day, Microsoft

ATMii: A Small but Effective ATM Robber (October 10, 2017)
Kaspersky Labs researchers have released information on a new ATM malware, dubbed "ATMii," that was discovered in April 2017. To compromise an ATM, an actor will first need physical access to the machine such as USB drive, or direct access to the machine over its network. The objective of ATMii is to force the ATM to dispense all of the cash it holds. The malware targets a proprietary ATM software process to inject malicious code into it, thus loading a malicious DLL file. The DLL file listens for commands, including a dispense command to dispense currency.
Recommendation: ATM security relies on the same type of preventative measures as all others, because they are a unique type of computer. In the case of a confirmed Ploutus infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.
Tags: Malware, ATMii

OilRig Group Steps Up Attacks with New Deliver Documents and new Injector Trojan (October 9, 2017)
Unit 42 researchers have published their findings on a new spear phishing campaign that is being conducted by the threat group "OilRig." Researchers discovered in July 2017 that the group was using a custom tool called "ISMAgent" in a new campaign of targeted attacks. By August 2017, OilRig began distributing a new trojan called "Agent Injector" that is used to install the ISMAgent backdoor, dubbed "ISMInjector." The malware is distributed via spear phishing emails that contain attachments with malicious macros.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: Threat group,OilRig, Phishing, Malware

Malvertising Group Spreading Kovter Malware via Fake Browser Updates (October 9, 2017)
The threat group behind the Kovter malware family, "KovterCoreG," has been observed to be conducting a large-scale malvertising campaign, according to Proofpoint researchers. KovCoreG is using fake Adobe Flash and web browser updates to trick users into installing the Kovter malware; Kovter is capable of downloading other forms of malware such as infostealers and ransomware. The campaign focused on Australian, Canadian, U.K., and U.S. visitors to an adult website, and distributed malvertisements via "Traffic Junky," both companies have since removed the malvertisements. Researchers note that they expect new malvertisements to be distributed to users on other online locations.
Recommendation: Users should be cautious when clicking on advertisements because as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company who is selling the product, or other trusted online shopping locations.
Tags: Malvertising, Threat group, KoveterCoreG, Malware, Kovter

Formbook Malware Targets U.S. Defense Contractors Aerospace and Manufacturing Sectors (October 9, 2017)
FireEye researchers have identified a new malware called "FormBook" that is used in targeted attacks by unknown threat actors. The actors are targeting aerospace firms, defense contractors, and manufacturing organizations located in the U.S. and South Korea. The data-stealing malware is being distributed via phishing emails that contain malicious DOC, PDF, or XLS attachments. FormBook is capable of multiple forms of malicious activity including: extracting data from HTTP sessions, keylogging, and stealing clipboard contents. Additionally, FormBook can execute commands from a Command and Control (C2) server such as downloading files, and starting processes, among others.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware, Formbook

Gage Mele
About the Author

Gage Mele

Threat Intelligence Analyst

Get the latest threat intelligence news in your email.