The commonly observed threat category for the past week was various vulnerabilities and botnets. Security researchers identify new vulnerabilities and report it to the vendors, who then releases the updates with patches. It is important to keep up-to date with the patches to be protected against these vulnerabilities.
Figure 1: Threat Categories
The following graph represents the trend in different cyber threats as compared to previous week.
IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks (September 27, 2018)
The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, have issued a security alert regarding attacks being conducted through the Windows Remote Desktop Protocol. While the most publicized attacks over RDP are related to ransomware, attackers also hack into exposed RDP services for corporate theft, installation of backdoors, or as a launching point for other attacks. “Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access,” stated the alert from US-Cert.
Recommendation: The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.
Facebook Vulnerability Affecting 50 Million Users Allowed Account Takeover (September 28, 2018)
Facebook disclosed a security vulnerability that affected 50 million people on the social media network and allowed malicious third parties to potentially access the affected users account. In a blog post, Facebook’s Guy Rosen, VP of Product Management explained that the attackers exploited a vulnerability associated with Facebook’s “View As” feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people’s accounts.
Recommendation: Update the firmware to patch the vulnerability.
New Iot Botnet Torii Uses Six Methods for Persistence, Has No Clear Purpose (September 27, 2018)
Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants that rise and fall daily. The developers of the botnet seek wide coverage and for this purpose, they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence. Communication with the command and control (C2) servers is encrypted and capabilities include exfiltration and, command execution. According to research from Avast, the malware has been active since at least December 2017 and it targets devices on several CPU architectures: like MIPS, ARM, x86, x64, PowerPC, and SuperH. Although multi-platform support is common among Mirai-based threats, the researchers say Torii supports one of the largest sets of architectures they’ve seen so far.
Recommendation: Keep your system patched with latest updates; make sure to check the files to ensure no persistency is established, monitor for any unknown traffic.
APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild (September 27, 2018)
Security researchers tracking the operations of a cyber-espionage group found the first evidence of a rootkit for the Unified Extensible Firmware Interface (UEFI) being used in the wild. The threat actor, known in the infosec community by the names Sednit, Fancy Bear, APT28, Strontium, and Sofacy, was able to write a malicious component into a machine’s UEFI firmware. According to ESET, the threat actor embedded the rootkit in the SPI flash module of a target computer, which gives persistence not only against reinstallation of the operating system but also when the hard drive is replaced. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year. That hijacking operation of the legitimate software was also the work of ATP28.
Recommendation: Enable the Secure Boot mechanism; Make sure the motherboard has the latest firmware version from the manufacturer.
Hide and Seek Botnet Adds Infection Vector for Android Devices (September 26, 2018)
Since its discovery early this year, the Hide and Seek IoT botnet has been increasing its infection capabilities with new vectors. The latest samples look for Android devices with the wireless debugging feature enabled. While IoT botnets appear and go away daily, Hide and Seek first attracted attention through its rapid growth to over 90,000 devices. The new infection mechanism observed in the latest version does not exploit a vulnerability, but a misconfiguration of the devices, which ship with an active Android Debug Bridge connection over WiFi.
Recommendation: The infection vectors Hide and Seek uses now include telnet scanning and brute-forcing, exploiting a vulnerability in AVTECH IP Camera, NVR and DVR; exploiting a vulnerability in Wansview NCS601W camera, and scanning for open TCP port 5555, specific to ADB connections; make sure to patch all these vulnerabilities with the latest updates.
Over 80 Cisco Products Affected by FragmentSmack DoS Bug (September 25, 2018)
Cisco is currently looking into its product line to determine which products and services use Linux kernel 3.9 or above, which is vulnerable to the FragmentSmack denial-of-service (DoS) bug. The networking hardware manufacturer already assembled a list of more than 80 products that are affected by the vulnerability. Many of them expect a fix by February 2019. The products currently under investigation are from the routing and switching category, designed for enterprises and service providers. More specifically, the company is looking at the Application Policy Infrastructure Controller Enterprise Module (APIC-EM). APIC-EM delivers software-defined networking and allows automation of policy-based application profile for quick deployment of devices across the network or adapt to new challenges.
Recommendation: Use rate limiting measures, like access control lists (ACL), to control stream of fragmented packets reaching an interface, off-device mitigations for controlling the flow of IP fragments.
macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files (September 24, 2018)
A security researcher shows on Mojave’s release day that Apple’s latest privacy protection implementations in macOS are not sufficiently strong. In a minute-long clip, Patrick Wardle shows that the security in the dark-themed macOS can be bypassed to reach sensitive user data, such as the information in the address book.
Recommendation: Not Available.
References: Bleeping Computer, 360Netlab
Tags: 0Day, Mac
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.