Executive Summary
The most commonly observed threat category for the past week was phishing schemes. Security researchers from various cyber security companies uncovered several phishing schemes that were being used in the wild, so it is important for users to be aware of such schemes and be vigilant against them.
The following graph represents the trend in different cyber threats compared to the previous week.
Figure 1: Threat Categories
Trending Threats
Git Project Patches Remote Code Execution Vulnerability in Git (October 06, 2018)
The Git Project announced yesterday a critical arbitrary code execution vulnerability in the Git command line client, GitHub Desktop, and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine. This vulnerability has been assigned the ID CVE-2018-17456 and is similar to the earlier option injection vulnerability CVE-2017-1000117. As with that vulnerability, a malicious repository can ship a .gitmodules file containing a submodule URL that starts with a dash, which Git may then treat as a command-line option rather than a URL.
Recommendation: This vulnerability has been fixed in Git v2.19.1 (with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1), GitHub Desktop 1.4.2, GitHub Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3. The Git Project strongly recommends that all users upgrade to the latest version of the Git client, GitHub Desktop, or Atom to be protected from malicious repositories.
References: GitHub, Bleeping Computer
Tags: Vulnerabilities, Git
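The item above describes the defect: a submodule URL in .gitmodules that begins with a dash. Patching is the fix, but a reviewer or CI job can also flag such files before a recursive clone is attempted. The following is an added example, not code from the Git Project or from Marlabs: a small parser for the subset of the git config format that .gitmodules uses, plus a check that reports submodules whose url (and, as a generalisation beyond what the briefing states, path) value starts with a dash. The sample .gitmodules content is constructed for the demonstration.

```python
"""Flag .gitmodules entries whose url or path value begins with a dash.

Added example (not the Git Project's code). .gitmodules uses git's INI-like
config format:

    [submodule "name"]
        path = some/dir
        url = https://example.com/repo.git
"""
import re
from typing import Dict, List

# Section header: [submodule "name"]
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]*)"\]$')
# key = value, value may be bare or wrapped in double quotes
KEYVAL_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)$')

# Constructed sample: one ordinary submodule and one with a dash-leading url.
SAMPLE_GITMODULES = """\
; constructed sample, not a real repository
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.com/lib.git
[submodule "suspect"]
\tpath = suspect
\turl = -constructed-suspicious-value
"""


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .gitmodules into {submodule_name: {key: value}}.

    Handles what git itself writes: section headers, key = value lines and
    comment lines starting with ';' or '#'. Keys are lower-cased because git
    config keys are case-insensitive.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = modules.setdefault(header.group("name"), {})
            continue
        pair = KEYVAL_RE.match(line)
        if pair and current is not None:
            value = pair.group("value").strip()
            # Strip the optional surrounding double quotes git config permits.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[pair.group("key").lower()] = value
    return modules


def find_dash_leading_values(text: str) -> List[str]:
    """Return names of submodules whose url or path starts with '-'.

    Such a value can be mistaken for a command-line option by the git process
    that clones the submodule, which is the defect class the briefing describes.
    """
    suspicious = []
    for name, entries in parse_gitmodules(text).items():
        if any(entries.get(key, "").startswith("-") for key in ("url", "path")):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for name in find_dash_leading_values(SAMPLE_GITMODULES):
        print(f"suspicious submodule entry: {name}")
```

Run the check against a repository's .gitmodules before enabling recursive submodule clones in automation; a non-empty result is a reason to reject the repository regardless of which Git version the build host runs.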
Mozilla Patches Critical Vulnerability in Thunderbird 60.2.1 (October 04, 2018)
Mozilla has released Thunderbird version 60.2.1 to resolve numerous security vulnerabilities in the mail program. One of these vulnerabilities is rated Critical because it could potentially lead to remote code execution. In total, seven vulnerabilities were fixed in this update: 1 critical, 2 high, 3 moderate, and 1 rated low. According to Mozilla, the critical vulnerability was a memory corruption bug that they believed could be exploited to achieve code execution.
Recommendation: Update Thunderbird to version 60.2.1 or later to patch the vulnerabilities.
References: Mozilla, Bleeping Computer
Tags: Vulnerabilities
DHS Warns of Cybersecurity Threats to Agriculture Industry (October 04, 2018)
A new report from the U.S. Department of Homeland Security called Threats to Precision Agriculture warns about the cybersecurity risks faced by the emerging technologies being adopted by the agricultural industry. Known as “precision agriculture,” these technologies include internet of things (IoT) devices such as remote sensors and global positioning systems (GPS) and the communications networks that support them. These devices generate large amounts of data, which is then analyzed by machine learning systems to improve crop yield and monitor the health of livestock.
Recommendation: Adopt computer security best practices, develop industry-wide standards for equipment interoperability and for data transfer between proprietary systems, and create privacy standards for users.
References: DHS, Bleeping Computer
Tags: IoT, Botnet
Phishing Attacks Distributed Through CloudFlare’s IPFS Gateway (October 04, 2018)
Cloudflare released an IPFS gateway that allows users to access content stored on the IPFS distributed file system through a web browser. As part of this implementation, all connections to the IPFS gateway are secured using SSL certificates issued by Cloudflare. By storing the HTML for phishing pages on IPFS, attackers can then use Cloudflare’s IPFS gateway to serve the stored HTML document, so the phishing page appears under a legitimate Cloudflare domain with a valid certificate.
Recommendation: Be cautious about the URLs that arrive in emails and make sure they are legitimate before following them.
References: Bleeping Computer, VirusTotal
Tags: Phishing, IPFS
Zoho Heavily Used by Keyloggers to Transmit Stolen Data (October 03, 2018)
CRM software and free mail provider Zoho was recently taken offline by its domain registrar for alleged phishing violations. This week, new research was released stating that Zoho is being heavily used by keylogger distributors to transmit their stolen data. Keyloggers are malware that silently monitor a victim’s computer to collect account credentials and trade secrets or to spy on a user’s behavior. The information can be gathered by monitoring and logging what is typed on the keyboard, recording webcams and microphones, taking screenshots of active windows, and performing other malicious activity. It is then collected and either transmitted directly to a server under the attackers’ control or compiled into an email and sent to the attackers.
Recommendation: Be vigilant against phishing schemes, and ensure that URLs are legitimate before browsing to them.
References: Cofense, Bleeping Computer
Tags: Phishing, Keylogger, Malware
Danabot Banking Malware Now Targeting Banks in the U.S. (October 02, 2018)
The DanaBot banking Trojan traditionally ran campaigns that targeted Australian and European banks, but new research shows a new campaign that is targeting banks in the United States as well. DanaBot is a modular Trojan written in Delphi that attempts to steal account credentials and information from online banking sites. It does this through a variety of methods such as taking screenshots of active windows, stealing form data, or logging keystrokes made on the computer. This stolen information is then collected and sent back to a central command and control server, where it can be accessed by the attackers.
Recommendation: Do not open any documents received from untrusted sources, especially when they ask you to enable macros or to load remote content. Also, scan attachments before opening them using VirusTotal or other trusted online scanning tools.
References: Proofpoint, Bleeping Computer
Tags: Malware, Botnet, Keylogger, Phishing, Macros
Report Ties North Korean Attacks to New Malware, Linked by Word Macros (October 01, 2018)
Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group, believed to act on behalf of the North Korean government. The latest findings indicate that the remote access Trojans (RATs) in the KONNI and DOGCALL families are the work of the same operator, tasked with spying on organizations in the military and defense industry in South Korea, an entity in the Middle East that was doing business with Pyongyang, and politically motivated victims in Eurasia.
Recommendation: Do not open any documents received from untrusted sources, especially when they ask you to enable macros or to load remote content. Also, scan attachments before opening them using VirusTotal or other trusted online scanning tools.
References: Bleeping Computer, Palo Alto Networks
Tags: RAT, Malware, Macros, Phishing
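The DanaBot and Reaper items above both end with the same recommendation: do not open attachments that ask to enable macros. A mail gateway or triage script can decide that before a user ever sees the “Enable Content” bar. The following is an added example (not code from Marlabs, Proofpoint or Palo Alto Networks) that classifies an attachment by inspecting its bytes: Office Open XML files are zip packages, and a VBA macro project is stored as a vbaProject.bin part and declared with the content type application/vnd.ms-office.vbaProject in [Content_Types].xml; legacy binary Office files start with the OLE compound-file magic bytes and need a dedicated parser, so they are only reported as such. The sample packages are constructed in memory and are not real documents.

```python
"""Classify a mail attachment by whether it carries a VBA macro project.

Added example, not part of the original briefing. Uses only the standard
library. Sample packages are constructed inline for demonstration.
"""
import io
import zipfile

# Magic bytes of an OLE compound file (legacy .doc/.xls/.ppt and .vbaProject.bin).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML packages use to declare a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of: ooxml-macros, ooxml-no-macros, legacy-ole, not-office.

    'legacy-ole' means a binary Office file whose macro streams live inside the
    compound file; that format needs a dedicated parser and is flagged for
    review rather than guessed at here.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            names = package.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    # Either signal is enough: a vbaProject.bin part, or the part type declared.
    has_vba_part = any(name.lower().endswith("vbaproject.bin") for name in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "ooxml-macros"
    return "ooxml-no-macros"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip; enough structure for the check above."""
    overrides = '<Override PartName="/word/document.xml" ' \
                'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        package.writestr("word/document.xml", "<document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE compound file; a stub suffices here.
            package.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_package(False)),
                        ("macro", build_sample_package(True)),
                        ("legacy", OLE_MAGIC + b"\x00" * 8),
                        ("text", b"hello, not an office file")):
        print(f"{label}: {classify_attachment(blob)}")
```

A result of ooxml-macros or legacy-ole is a reason to quarantine or route the attachment to a scanner before delivery; the check is cheap enough to run inline on every inbound message.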
Feedback
CTI (Cyber Threat Intelligence) Labs @ Marlabs continuously strives to improve its products and services. You can help by sending your valuable feedback at the following email: ctilabs@marlabs.com
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.