Cisco Patches Hard-coded Password in PCP Software
9.3.2018 securityweek

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Due to the existence of the hard-coded account password, an unauthenticated, local attacker could log into the underlying Linux operating system. The vulnerability can be abused to connect to the affected system via Secure Shell (SSH) using the hard-coded credentials.

According to Cisco, an attacker successfully exploiting the vulnerability could access the underlying operating system as a low-privileged user. However, the attacker could elevate privileges to root and take full control of the vulnerable system.

Because of the privilege escalation possibility, the vulnerability has a Security Impact Rating (SIR) of Critical, although it was also assessed with a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which would normally come with a SIR of Medium.

The vulnerability impacts Cisco PCP Software release 11.6 only and no prior builds were found to be affected by it, Cisco notes in an advisory. Impacted customers should update to Cisco PCP releases 12.1 and later, as no workarounds that address this vulnerability exist.

The company also notes that it is not aware of “any public announcements or malicious use of the vulnerability.”

This week, the company also addressed CVE-2018-0147, a Critical (CVSS base score of 9.8) vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), which could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges,” Cisco explains.

The company also addressed a High risk (CVSS base score of 7.3) bug in the FTP server of the Cisco Web Security Appliance (WSA). Due to incorrect FTP user credential validation, an unauthenticated, remote attacker could exploit the bug to log into the server without a valid password or username.

This security issue affects Cisco AsyncOS for WSA Software running any release of Cisco AsyncOS 10.5.1 for WSA Software. Cisco AsyncOS 10.5.2-042 or later releases address the flaw.

Multiple Medium severity bugs were addressed in other Cisco products.

Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
9.3.2018 securityweek

In just one night a Russian crime gang stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million slopes (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization led by Dmitriy Kvasov operated in Romania, the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, they sent email messaging using a weaponized RTF document.
The bait document that appeared as sent on behalf of the European Central Bank
contained the code to trigger a vulnerability in the target systems.
In this way the attackers took control over the whole network of the bank, then they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

Raiffeisen cyber heist

According to the report, the attackers were able to instruct the 32 ATMs to dispense the cash, the investigators highlighted that the attackers only targeted systems in Romania, but once compromised the network of the bank they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that hackers did not access the customers’ account after the security breach.

CIGslip attack could allow hacker to bypass Microsoft Code Integrity Guard
9.3.2018 securityaffairs

Security experts devised a stealth attack technique dubbed CIGslip that could be exploited by attackers to bypass Microsoft Code Integrity Guard (CIG)
Security researchers at Morphisec discovered a discovered stealth attack technique dubbed CIGslip that could be exploited by attackers to bypass Microsoft Code Integrity Guard (CIG) and inject malicious libraries into protected processes.

“Morphisec researchers Michael Gorelik and Andrey Diment have discovered CIGslip, a new method which can be exploited by attackers to bypass Microsoft’s Code Integrity Guard (CIG) and load malicious libraries into protected processes such as Microsoft Edge.” reads the analysis published by Morphisec.

“The new attack vector manipulates the way CIG works to circumvent its controls without any in-memory unsigned image codepage injection, a technique with destructive potential if becomes popular.”

CIGslip has a very low footprint on the targeted system and it is currently able to bypass almost all security mechanisms.

The researchers developed an attack POC that takes advantage of a non-CIG enabled process, that represents the majority of process on Windows, to enter a malicious code in any kind of DLL, including a malicious one.

Morphisec reported the issue to Microsoft, but according to the tech giant software giant responded that the technique is outside the scope of the for Mitigation Bypass and Bounty for Defense Terms.

According to Morphisec, the situation is dangerous for “Windows users [that] are vulnerable in multiple ways.”

“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” continues the researchers.

The researchers explained that to compromise a targeted process, the attacker would have to perform a reflective memory based injection, but Microsoft added that generally this kind of attack can be detected and for this reason, it is out of the scope of bounty programs.

Researchers at Morphisec, however, are able to bypass Microsoft Code Integrity without any in-memory injection of unsigned image code pages, they demonstrated that it is possible to execute a non-protected CIG process that is used to inject back into the CIG protected process that launched it.

“Morphisec researchers identified a much easier method that breaks the CIG concept without any need for in-memory injection of unsigned image codepages.” continues the analysis. “The basic assumption is that we have the ability to execute a non-protected CIG process on disk. This assumption holds since there is no feasible way to protect all processes with CIG (e.g. Outlook would not load). Moreover, a CIG protected process may execute a non-CIG protected process, which will do the backward injection back into the CIG protected process.”

This means that an attacker would attempt to bypass the CIG verification in the backward injection when the section is created in the target process.

The attack is possible because section handlers that are managed by Kernel could be duplicated between processes.

“Since section handles are global objects managed by Kernel, handles could be duplicated between processes. Therefore, a section that correlated to a non-signed dll could be created within the context of the malicious process and then duplicated into the target process.” concluded the researchers.

“In-order to inject malicious dll (“non-signed”) into a target process, all we need to do is to hook the createsection method within the target process, so that it will not go down to Kernel and will return the duplicated section handle.”

Dofoil Trojan used to deploy cryptocurrency miner on more than 500,000 PCs in a few hours
9.3.2018 securityaffairs

Microsoft experts observed more than more than 500,000 computers infected with Dofoil Trojan used to download a cryptocurrency miner.
A few days ago, researchers at Microsoft announced that Windows Defender Antivirus blocked more than 80,000 instances of several malicious code that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods.

According to Microsoft, the malware were new variants of Dofoil (also known as Smoke Loader), a small application used to download other malicious codes, in these specific attacks a coin miner. The cryptocurrency miner payload was used to mine Electroneum coins.

In Just 12 hours from the discovery, the experts observed more than 400,000 instances, most of them in Russia (73%), Turkey (18%) and Ukraine (4%).
Totally more than 500,000 computers were infected within just 12 hours.

The Dofoil trojan uses an old code injection technique called ‘process hollowing’ that was recently observed by researchers at CSE CybSec implemented in evolutive versions by another malware.

“The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.” reads the analysis published by Microsoft.

“The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.”

The analysis of the Dofoil malware revealed it uses a customized mining application that supports NiceHash allowing infected systems to mine different cryptocurrencies even if the samples Microsoft analyzed mined Electroneum coins.

The malware gain persistence on an infected system through the Windows registry, hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. The malicious code then creates/modifies a registry key to modify an existing one to point to the newly created malware copy.

Threat actors behind the Dofoil campaign used a command and control (C&C) server hosted on decentralized Namecoin network infrastructure.

“The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.” states Microsoft.

Microsoft confirmed that its Windows Defender Antivirus is a crucial component for detecting and blocking advanced threats.

New Attack Bypasses Microsoft's Code Integrity Guard
9.3.2018 securityweek

Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.

Dubbed CIGslip, the new attack vector relies on manipulating the manner in which CIG functions, thus bypassing its controls without the need to inject unsigned image code pages into memory. With a low footprint on the targeted system and likely to go unnoticed, the attack has great damaging potential.

The security researchers have already reported their findings to Microsoft, along with a proof-of-concept, but the software giant responded that the technique is outside the scope of CIG. Because of that, Morphisec believes that “Windows users are vulnerable in multiple ways.”

“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” the researchers say.

By abusing CIGslip, an attacker could insert browser malware or adware, Morphisec claims, arguing that it is difficult for third-party security solutions to defend CIG protected process without Microsoft-signed DLLs.

Introduced in Windows 10 as an improved protection for Microsoft Edge, CIG would prevent the “injection of DLLs into the browser unless they are Windows components or signed device drivers.”

According to Morphisec, the mechanism is efficient at blocking malware and adware already on the computer, but also makes it “harder for third party security vendors to apply runtime protection for any CIG protected processes.”

In order to compromise a targeted process, one would have to perform reflective memory based injection, which works against CIG protected processes too, the security researchers say. This technique, however, can generally be detected and Microsoft does not consider it within the scope of bounty programs.

According to Morphisec, however, CIG can be bypassed without any in-memory injection of unsigned image code pages. The newly discovered method, the security firm says, mimics natural Windows DLL loading from disk.

The technique is based on the assumption that the attacker can execute a non-CIG protected process on disk, given that “there is no feasible way to protect all processes with CIG.” Since a CIG-protected process is able to execute a non-CIG protected process, the attacker would focus on backward injection, attempting to bypass “the CIG verification during the section create in the target process.”

“In order to detour the code integrity verification, we would need to hijack the control when the section is created within the targeted process,” Morphisec notes.

The section handlers are managed by Kernel and could be duplicated between processes, the researchers explain. Thus, “section that correlated to a non-signed DLL could be created within the context of the malicious process and then duplicated into the target process.”

Thus, Morphisec discovered that the injection of a malicious, non-signed DLL into a target process would require hooking the createsection method within the target process to return the duplicated section handle. Given that createsection returns an already existing verified section handle, the verification of the section is successful and the targeted process maps the DLL code page into its memory.

“The risks inherent in this new technique, which can be used or is possibly in use already, are high as the attack has very low footprint on the system and will go undetected by almost all security mechanisms,” Morphisec says.

Olympic Destroyer, alleged artifacts and false flag make attribution impossible
9.3.2018 securityaffairs
Attack  APT

According to Kaspersky Lab, threat actors behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malicious code.
On February 9, shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

Hackers used the so-called Olympic Destroyer, a strain of malware that allowed the attackers to wipe files and make systems inoperable.

olympic destroyer

Experts discovered that the malware leverages the EternalRomance NSA exploit to spread via the SMB protocol.

Initially, experts blamed North Korea for the attack, later intelligence officers attributed the cyber attack to Russia.

According to Talos team, there are many similarities between the Pyeongchang attack, which they are dubbing ‘Olympic Destroyer”’, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.” reads the analysis published by Talos.

Kaspersky experts found samples of the malware at several ski resorts in South Korea, even if they analyzed the malicious code they were not able to attribute the attack to a specific actor.

olympic destroyer 2

The experts identified a unique “fingerprint” associated with the North Korea-linked Lazarus APT, but other evidence collected by the experts revealed important inconsistencies suggesting a false flag operation.

“What we discovered next brought a big shock. Using our own in-house malware similarity system we have discovered a unique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In case of Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab.” reads the analysis published by Kaspersky.

Kaspersky also found evidence that would suggest the malicious code was developed by the Russia-linked Sofacy APT (aka Pawn Storm, Fancy Bear, APT28, Sednit, Tsar Team, and Strontium.).

“we have seen attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins, which make them the perfect tool for APT actors. This and several other TTPs have in the past been used by the Sofacy APT group, a widely known Russian-language threat actor.” continues Kaspersky.

Is it possible that Russian APT attempted to frame Lazarus? Maybe.

Another possible scenario sees Lazarus using false flag in the Olympics attack.

“There are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative accounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the Olympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting event logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state.” concluded Kaspersky.

“When you add in the multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it merely raises more questions as to the purpose of all this.”

This case demonstrates the difficulty in the attribution of APT attacks.

Group-IB supported law enforcement in dismantling Ukrainian DDoS crime gang
9.3.2018 securityaffairs

Ukrainian Police supported by security firm Group-IB and other security firms dismantled a DDoS crime gang that blackmailed numerous companies worldwide.
Another example of successful collaboration between law enforcement agencies and security firms in the fight against cybercrime, the case sees Ukrainian Police supported by security firm Group-IB and other security firms dismantling a DDoS crime gang that had been launching distributed denial-of-service (DDoS) attacks with extorsive intents against companies for over two years.
“The investigation department of Group-IB, an international company focused on cyber-attack prevention and data security products development, has helped to suppress the criminal activity of an organized group that had been involved in launching DDoS attacks and extortion for over two years.” reads the announcement published by Group-IB.
The investigation started in September 2015, after the group launched a DDoS attack on international online dating service AnastasiaDate demanding $10,000 for stopping the assault. The site of the company was taken down for hours.

“Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services.” continues Group-IB.

“In particular, the victims of the Ukrainian fraudsters included Stafford Associated, an American company leasing data center and hosting facilities, and PayOnline online payment service. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000.”

The cybersecurity experts at Group-IB identified the attackers and linked the group to another attack powered by two Ukrainian individuals, Gayk Grishkyan and Inna Yatsenko. According to the investigators the duo had also previously targeted American leasing company Stafford Associated and the PayOnline payment service.

The two suspects later contacted the online dating service to demand ransom and threaten new DDoS attacks.

“In March 2017, the hackers’ apartments and offices were searched, and their computers and mobile phones confiscated. The forensic analysis that the data stored on the confiscated devices constituted an irrefutable evidence of Yatsenko and Grishkyan’s involvement in the extortion cases of 2015 and 2016.” concluded the announcement.

Now a court pleaded guilty to the crimes the two members of the DDoS crime gang and sentenced them to a five-year conditional sentence.

“We are satisfied with the successful outcome of the prosecution and the blow we have struck against cybercrime in Ukraine. The collaboration with our security partners has guaranteed the integrity of our services and helped reinforce our defenses for the future.” said AnastasiaDate’s US-based director, Lewis Ferro.

“It has been of the utmost importance to our international partners. It is another example of AnastasiaDate’s trustworthiness and diligence when it comes to member security, tackling fraud, and preventing criminal activity.”

Microsoft Detects Massive Dofoil Attack
8.3.2018 securityweek

Mid-day Tuesday (PST), Microsoft's Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. The signatureless machine learning capabilities of Defender detected anomalous behavior, and within minutes had protected Windows 10, 8.1 and 7 users from the outbreak.

Over the next 12 hours, more than 400,000 instances of this malware were recorded -- 73% of them in Russia, 18% in Turkey, and 4% in Ukraine.

Microsoft describes how the Dofoil downloader works, and how it was detected. Noticeably, it does not explain how the computers were compromised in the first place. The malware performs process hollowing, which involves spawning a new instance of a legitimate process -- in this case, explorer.exe -- and replacing the good code with malware. The hollowed explorer.exe then spins a second instance which drops and runs coin mining malware masquerading as the legitimate binary, wuauclt.exe.

Defender detected the issue, writes Microsoft, since, "Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious."

The downloader communicates with a C&C server, vinik.bit, inside the Namecoin distributed framework. Doctor Web researchers described Namecoin as, "a system of alternative root DNS servers based on Bitcoin technology.” Namecoin describes itself as a key/value pair registration and transfer system based on Bitcoin technology. "Bitcoin frees money -- Namecoin frees DNS, identities, and other technologies."

Fittingly, what Dofoil downloads is a cryptominer that supports NiceHash; allowing it to mine different cryptocurrencies. "The samples we analyzed mined Electroneum coins," writes Microsoft.

Electroneum is an interesting choice when most malware miners seem to go for Bitcoin and increasingly Monero. The criminals will always, however, go after maximum profit from minimum effort. On Monday this week, one day before the Dofoil outbreak, Jason Evangelho wrote in Forbes, "I'm enthusiastic about Electroneum and I've been diverting my mining rigs from Nicehash or Ethereum to this one because I believe it will explode in popularity by the end of 2018." This may be precisely the same reasoning as the criminals.

Natural price growth in any currency will likely be boosted by the number of operational miners. In a report titled Monero Mining Malware (PDF) published today, NTT researchers suggest that there is a symbiotic relationship between legal and malware-driven mining, with both processes driving the increase in value.

The decision to used Dofoil to drop Electroneum mining malware may be jointly driven by the apparent potential growth in the currency bolstered by a massive campaign trying to infect nearly half a million PCs specifically to drive up the value.

"As demonstrated," writes Microsoft, "Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network."

This is true as far as it goes; but not everyone believes it goes far enough. All such reports are fundamentally marketing documents and will inevitably portray the company concerned in the best light possible. "The way I read it," comments ESET Senior Research Fellow David Harley, "Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do."

F-Secure security advisor Sean Sullivan agrees that many anti-malware products would have had a similar success in stopping the campaign. "Other antivirus products would also block this campaign," he told SecurityWeek. "Some of the details may differ, but the result would be similar."

Luis Corrons, technical director at PandaLabs, is more reserved. "If you read [the report] carefully, you see they have no clue on how the threat compromised those computers," he told SecurityWeek. "So, we are talking about an 'outbreak' (their own words) infecting thousands of computers protected by Microsoft."

Corrons' concern is that relying solely on behavioral patterns will only detect the malware after it has already infected the computer. This is true in this case since the downloaded malware, disguised as wuauclt.exe was detected because it was in the wrong location. "After being compromised they were able to detect it -- which is great, but it would have been better if they could have stopped the infection in the first place. The problem is," he continued, "that if they really have no idea of how the attack compromised those computers, the same attack could work against all Microsoft AV users leaving them just with the hope that their 'great' machine learning technology is able to detect it (once they have been infected)."

This last is an interesting comment, since reliance on machine learning algorithms can only be as effective as the algorithms and the data from which they learn. Almost two years ago there was a huge argument between the original anti-virus industry and the evolving 'next-gen' machine learning endpoint protection systems -- with the former accusing the latter of frequently 'stealing' their malware intelligence via VirusTotal.

One of the figures in the Microsoft report depicts the 'alert process tree' used to determine the presence of the malware. Noticeably, this includes a VirusTotal hash with the comment, "VirusTotal detection ratio 38/67." Since more than half of the anti-malware engines supported by VirusTotal already classify the file as malware, it is a fair assumption that it really is malware.

A cynic might then wonder just how much of the 'Big Data Analytics' underpinning Defender's machine learning algorithms actually depends upon the opinions of other anti-malware researchers as displayed by VirusTotal.

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft

Related: "Illusion Gap" Attack Bypasses Windows Defender