The most commonly observed threat category for the past week was vulnerabilities. Security researchers identify new vulnerabilities and report them to the vendors, who then release updates with patches. It is important to keep up to date with patches to be protected against these vulnerabilities.
Figure 1: Threat Categories
The following graph represents the trend in different cyber threats compared to the previous week.
New Tech Support Scam Causes Chrome Browser to Use 100% of the CPU (December 22, 2018)
Recommendation: If affected by a tech support scam, terminate the browser process, and make sure you do not allow Chrome, or any browser, to restore the previously open pages when it restarts.
Fake Amazon Order Confirmations Push Banking Trojans on Holiday Shoppers (December 20, 2018)
Phishing and malspam campaigns are in high gear for the holidays and a new campaign pretending to be an Amazon order confirmation is particularly dangerous as people shop for holiday gifts. In a new malspam campaign discovered by email security company EdgeWave, attackers are sending email disguised as very convincing Amazon order confirmations. These fake order confirmations are being sent with subject lines that include “Your Amazon.com order”, “Amazon order details”, and “Your order 162-2672000-0034071 has shipped”.
Recommendation: Check that the sender address belongs to the expected domain, and if anything looks even remotely suspicious, simply delete the email; you can always log in to the site in question to check an order status. In this case, while the emails themselves were spot on and looked identical to an Amazon order confirmation, the address they came from was clearly suspect. Something as simple as that should be the only reason you need to delete the email.
Tags: Phishing, Campaign, Malspam, Banking Trojan
Windows Zero-Day PoC Lets You Read Any File with System Level Access (December 20, 2018)
For the third time in four months, a security researcher has announced a zero-day vulnerability in Microsoft Windows and provided exploit code that allows reading files from locations the user is not authorized to access. Known by the moniker SandboxEscaper, the researcher released details about a security vulnerability affecting ReadFile.exe, which, as its name indicates, allows reading data from specific locations.
Recommendation: This is a zero-day, so a vendor fix may not yet be available; apply Microsoft's fix for this issue as soon as it is released, and keep your system current with all other updates in the meantime.
Tags: Windows, Vulnerabilities, 0day
Microsoft Releases Out-of-Band Security Update for Internet Explorer RCE Zero-Day (December 19, 2018)
Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google’s Threat Analysis Group when they saw it being used in targeted attacks. According to Microsoft’s security bulletin, this is a vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use it to corrupt memory in such a way that they could execute code with the security privileges of the logged-in user.
Recommendation: Apply Microsoft's out-of-band update for CVE-2018-8653 as soon as possible. If you cannot update immediately, restrict access to the jscript.dll file by denying the Everyone group permissions on it, and remove that restriction once the update is installed.
Tags: Windows, 0day, Code Execution
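The commands below are a worked example added to this briefing, not text from the original advisory: they apply the jscript.dll restriction from the recommendation above using the cacls form Microsoft published as its workaround for CVE-2018-8653, verify that the deny entry is present on every copy of the DLL, and roll the change back once the update is installed. The function names are this example's own, and it assumes an elevated PowerShell prompt.

```powershell
# Added example: apply, verify and undo the "deny Everyone access to jscript.dll"
# workaround for CVE-2018-8653. Run from an elevated PowerShell prompt.
# Function names are this example's own; cacls is the built-in tool used by
# Microsoft's published workaround.

function Get-JscriptPaths {
    # 64-bit Windows carries two copies (System32 and SysWOW64); 32-bit only one.
    $paths = @("$env:windir\System32\jscript.dll")
    $wow = "$env:windir\SysWOW64\jscript.dll"
    if (Test-Path $wow) { $paths += $wow }
    return $paths
}

function Test-JscriptDenied {
    # True only when every copy of jscript.dll carries an explicit Deny ACE for Everyone.
    foreach ($p in Get-JscriptPaths) {
        $deny = (Get-Acl $p).Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Deny'
        }
        if (-not $deny) { return $false }
    }
    return $true
}

function Invoke-JscriptWorkaround {
    param([switch]$Undo)
    foreach ($p in Get-JscriptPaths) {
        if ($Undo) {
            # /E edits the ACL in place; /R removes the Everyone entry added below.
            cacls $p /E /R everyone
        } else {
            # /P everyone:N grants Everyone "none", i.e. an explicit Deny entry.
            cacls $p /E /P everyone:N
        }
    }
}

Invoke-JscriptWorkaround
if (Test-JscriptDenied) {
    "Everyone is denied access to jscript.dll on all copies."
} else {
    Write-Warning "Workaround not fully applied; confirm the prompt is elevated."
}

# Once the CVE-2018-8653 update is installed, restore the original permissions:
#   Invoke-JscriptWorkaround -Undo
```

Microsoft's advisory notes that Internet Explorer 11 uses jscript9.dll by default, so the restriction only affects pages that depend on the legacy jscript.dll engine; still, test it on a representative machine before deploying it broadly, and check the verify step after a reboot since the deny entry is applied to the file and not to a running process.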
Remote Firmware Attack Renders Servers Unbootable (December 19, 2018)
Security researchers have found a way to corrupt the firmware of a critical component usually found in servers to turn the systems into an unbootable hardware assembly. The recovery procedure requires physical intervention to replace the malicious firmware. Achieving this is done via regular tools used to keep the baseboard management controller (BMC) up to date. BMCs are specialized microcontrollers (more like independent micro-computers) embedded on virtually all server motherboards; they are also present in high-end switches, JBOD (just a bunch of disks) and JBOF (just a bunch of flash) types of storage systems. Apart from getting information about the system health, administrators can use BMCs for remote management of the unit. They can configure the server as well as reinstall the operating system and update the host system firmware.
Recommendation: Ensure proper backup policies and infrastructure are in place so that victims can recover from such attacks and minimize financial loss. Because the attack is carried out with the standard BMC firmware update tooling, also restrict who can run that tooling and keep BMC management interfaces on an isolated management network.
ASUS, GIGABYTE Drivers Contain Code Execution Vulnerabilities – PoCs Galore (December 18, 2018)
Four drivers from ASUS and GIGABYTE come with several vulnerabilities that can be leveraged by an attacker to gain higher permissions on the system and to execute arbitrary code. In total, there are seven vulnerabilities affecting five software products, and researchers wrote exploit code for each of them. Many of them might still be unaddressed. Two of the vulnerable drivers are installed by the Aura Sync software (v1.07.22 and earlier) from ASUS and the flaws they carry can be exploited for local code execution. The drivers from GIGABYTE are distributed with motherboards and graphics cards of the same brand as well as from the company’s subsidiary, AORUS. The vulnerabilities lead to privilege escalation via software like the GIGABYTE App Center (v1.05.21 and below), AORUS Graphics Engine (v1.33 and below), the XTREME Engine utility (v1.25 and earlier), and OC Guru II (v2.08).
Recommendation: Patches have been released for some of these vulnerabilities, so keep your systems updated; where a vendor has not yet shipped a fix, consider uninstalling the affected utility, which is what installs the vulnerable driver, until a fixed version is available.
Tags: Vulnerabilities, Code Execution
File Inclusion Bug in Kibana Console for Elasticsearch Gets Exploit Code (December 18, 2018)
Exploit code has been published for a local file inclusion (LFI) type of vulnerability affecting the Console plugin in Kibana data visualization tool for Elasticsearch; an attacker could use this to upload a malicious script and potentially get remote code execution. Kibana is a browser-based platform that makes it easy to work with the large volumes of data stored in Elasticsearch indices. It is useful for data analysis and visualization in a variety of forms. The Console plugin provides an easier way to interact (generate and send queries) with the REST API of Elasticsearch. It eliminates the need to use the terminal and provides direct access to the stored data.
Recommendation: Upgrade the Elastic Stack to version 6.4.3 or 5.6.13. If this is not possible, disable the Kibana Console plugin until you can upgrade by setting console.enabled: false in the configuration file (kibana.yml) and restarting Kibana.
Tags: Vulnerabilities, Code Execution
Shamoon Disk Wiper Returns with Second Sample Uncovered this Month (December 17, 2018)
Shamoon’s comeback early last week was marked not by one but by two occurrences of the data-wiping malware. The second sighting involved a different sample, which could indicate a follow-up to the initial attack. The first report named Italy as the origin of the sample upload to VirusTotal, while a different strain of the malware was detected on the same scanning platform three days later, on December 13, uploaded from the Netherlands.
Recommendation: Both variants of the data wiper are widely detected by antivirus engines on VirusTotal, so keep your antivirus solution updated. Because Shamoon destroys data rather than stealing it, also maintain tested offline backups so that affected systems can be rebuilt.
References: Bleeping Computer
Tags: Campaign, Malware
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.