Trend Micro

Trend Micro: Sodinokibi Ransomware Group Adds Malvertising as Delivery Technique

June 25, 2019

Attackers behind a relatively new ransomware family called Sodinokibi (detected by Trend Micro as RANSOM.WIN32.SODINOKIBI.A) have been continuously exploring different delivery vectors since April: malicious spam, vulnerable servers, and even managed service providers (MSPs). Given this aggressive experimentation with distribution, the ambitious new player in the ransomware landscape appears to be trying to gain momentum and spread quickly. On June 23, threat analyst nao_sec found the ransomware using yet another delivery technique: malvertising that redirects victims to the RIG exploit kit.

Nao_sec reported to Bleeping Computer that the malicious advertisements pushing Sodinokibi were on the PopCash ad network, and certain conditions would redirect users to the exploit kit. The analyst was also able to demonstrate how the ransomware was installed via malvertising.

Past Sodinokibi incidents

In late April, it was reported that a hacking group was abusing a critical vulnerability in Oracle's WebLogic Server to spread Sodinokibi. This was particularly dangerous because the infection required no user interaction: ransomware delivery usually depends on tricking a victim into enabling a malicious macro or clicking a link, but here the attackers used the vulnerability to push the ransomware directly onto exposed WebLogic servers. In May, a malicious spam campaign was seen targeting German victims. The spam was camouflaged as foreclosure statements; the urgency of the message pressures victims into enabling macros in the attachment, which then downloads the ransomware.

Earlier this month, a hacking group abused MSPs to deploy the ransomware onto customer networks. According to reports, three MSPs were breached through exposed Remote Desktop Protocol (RDP) endpoints. From those footholds the attackers moved further into the MSPs' systems, uninstalled antivirus products, and abused the remote management software MSPs use to oversee customer workstations to execute malicious scripts on those workstations and install Sodinokibi.

[Read: Narrowed Sights, Bigger Payoffs: Ransomware in 2019]

How to defend against ransomware

Sodinokibi now uses an array of vectors to infect victims. Patching and updating are central to defending against it, particularly because the vulnerabilities it abuses already have fixes available. Users and administrators need to keep their systems, software, and firmware current.

Since Sodinokibi also relies on other techniques, such as sending spam or phishing emails, and continues to add more delivery methods to their arsenal, it is important for organizations to implement security best practices:

  • All of the organization’s users should back up their data regularly to ensure that data can be retrieved even after a successful ransomware attack.

  • Users should be wary of suspicious emails; avoid clicking on links or downloading attachments unless the recipient is certain that it came from a legitimate source.

  • Restrict the use of system administration tools to IT personnel or employees who need access.

Kubernetes Vulnerability CVE-2019-11246 Discovered Due to Incomplete Updates from a Previous Flaw

Kubernetes, the container orchestration system widely used by DevOps practitioners, announced the discovery of CVE-2019-11246, a high-severity vulnerability in the command-line client kubectl, during an ongoing third-party security audit. Exploiting it results in a directory traversal: a malicious container can create or replace files on the workstation of the user running kubectl.

Notably, the new flaw exists because the fix for CVE-2019-1002101, a related vulnerability disclosed back in March, was incomplete.

[Read: Previously Patched, Still Potentially Critical: Kubernetes' Path Traversal Vulnerability]

The details of CVE-2019-11246 are similar to those of the previously patched CVE-2019-1002101. Because the earlier update was incomplete, some of the flawed behavior remained, and a new way to exploit it was found.

CVE-2019-11246 specifically involves kubectl cp, the command that copies files between containers and the user's machine. To copy out of a container, kubectl runs the tar binary inside the container to build an archive, streams that archive back over the network, and unpacks it on the user's machine. The unpacking step trusted the entry names in the archive.

An attacker who controls a container (or the image it runs) can replace tar with a binary that emits entries whose names contain path traversal sequences such as ../. Whenever an administrator then runs kubectl cp against that container, kubectl writes those entries to arbitrary paths on the administrator's machine, adding malicious files or overwriting existing ones to compromise the environment.

CVE-2019-11246 is a client-side vulnerability, and thus requires user interaction to be exploited.
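To make the failure concrete, the following Go program is an added example and not kubectl's own code. It builds an in-memory tar stream the way a malicious tar inside a container could (one benign file plus a constructed entry named "../../.bashrc"), shows what a naive join of that name onto the destination resolves to, and then extracts the stream with the check a fixed client needs: every entry's cleaned path must stay under the destination directory. All function and variable names are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("tar entry escapes destination directory")

type tarEntry struct{ Name, Body string }

// buildArchive stands in for the tar binary kubectl cp runs inside the
// container: a malicious binary can emit any entry name, ".." included.
func buildArchive(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, e.Body) // a short write surfaces from Close, checked below
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// naiveTarget is the unsafe pattern: filepath.Join resolves "..", so "../../etc/passwd" under /tmp/out becomes /etc/passwd.
func naiveTarget(dest, name string) string { return filepath.Join(dest, name) }

// safeTarget resolves the name the same way (Join also pins absolute names under dest), then
// insists the result is dest itself or lies below it; the separator keeps /tmp/out2 from passing as a child of /tmp/out.
func safeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// extract unpacks archive below dest, stopping at the first entry that fails safeTarget
// or is not a regular file (symlinks and devices need their own checks and are refused here).
func extract(archive []byte, dest string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			return written, fmt.Errorf("%q: refusing non-regular entry", hdr.Name)
		}
		target, err := safeTarget(dest, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("%q: %w", hdr.Name, err)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
		if err != nil {
			return written, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return written, err
		}
		written = append(written, hdr.Name)
	}
}

// extractToTemp exercises extract in a throwaway directory.
func extractToTemp(archive []byte) ([]string, error) {
	dir, err := os.MkdirTemp("", "kubectl-cp-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	return extract(archive, dir)
}

func isTraversal(err error) bool { return errors.Is(err, ErrTraversal) }

func main() {
	// Constructed sample: a benign file, then an entry that climbs out of dest.
	archive := buildArchive([]tarEntry{{"app/config.yaml", "listen: 8080\n"}, {"../../.bashrc", "echo pwned\n"}})
	fmt.Println("naive join resolves to:", naiveTarget("/tmp/out", "../../.bashrc"))
	written, err := extractToTemp(archive)
	fmt.Println("written:", written, "stopped with:", err)
}
```

The prefix test with a trailing separator matters: a check that only compared against the bare directory string would accept a sibling directory whose name merely starts with the destination's name.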

[Read: Container Security: Examining Potential Threats to the Container Environment]

Users can check whether their client version is vulnerable to the bug by running kubectl version --client. Client versions older than 1.12.9, 1.13.6, and 1.14.2 are vulnerable. Users should update their clients at the soonest possible time.

Best practices to defend against possible attacks that exploit CVE-2019-11246

To protect enterprise resources from attackers aiming to take advantage of vulnerabilities such as CVE-2019-11246, organizations should implement the following best practices:

  • Apply updates as soon as they are available to lessen the likelihood of an exploitation attack. This applies not only to container machines but to all software programs in general.

  • Run containers as unprivileged application users rather than as root, and limit who may run kubectl cp against which containers. Because CVE-2019-11246 is triggered on the client side, restricting which operators copy files out of untrusted containers reduces the chance that a single mistaken command compromises an administrator's workstation.

Hacker Groups Pounce on Millions of Vulnerable Exim Servers

June 14, 2019

Multiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access. Exim reportedly runs almost 57% of the internet's mail servers, and recent Shodan searches show millions of vulnerable machines still online.

The attackers are exploiting CVE-2019-10149, a vulnerability also called “Return of the WIZard.” It was published on June 5 by security firm Qualys as a Remote Command Execution vulnerability affecting Exim versions 4.87 to 4.91. The vulnerability makes it possible for attackers to remotely run arbitrary commands as root on successfully exploited Exim servers.

These attacks are ongoing, but not unexpected. There were already reports of the vulnerability last week, and Exim's large installed base meant that cybercriminals had a substantial number of targets. Exim users should note, however, that a fix has been available since February: the developers addressed the flaw in version 4.92.

Exim attackers

Two groups have been seen attacking Exim servers, both using the vulnerability named above. One of the attacks was discovered by Freddie Leeman, who posted his findings on Twitter.

From Leeman's report, the attackers dropped a malicious script hosted on a public server on the clear web. According to BleepingComputer, that script downloads a second script, which then deploys several binary payload variants on the exploited hosts. Multiple versions of the exploit appeared in the days following the discovery, which shows that the attackers were still fine-tuning their techniques.

Another team of attackers was seen by security researcher Magni Sigurðsson, who told ZDNet that the objective of this particular attack is to create a backdoor on the mail servers by downloading a shell script that adds a Secure Shell (SSH) key to the root account. These attackers hosted their script on the Tor network, making them harder to identify.

Solutions and recommendations

Many Exim users have patched and updated their mail servers since the patch was released and news of the vulnerability has spread. Those who have not applied the patch should update to version 4.92.
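A quick way to answer the "are we affected" question for both this Exim bug and the kubectl flaw covered earlier on this page is to parse the output of `exim -bV` and `kubectl version --client` and compare versions numerically rather than as strings (a string compare puts 1.12.10 before 1.12.9). The Go program below is an added example rather than either project's tooling; the command output it parses is constructed from the format those commands print, and the affected ranges are the ones this page states (kubectl fixed in 1.12.9, 1.13.6 and 1.14.2; Exim 4.87 through 4.91 affected, 4.92 fixed).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// version is a dotted numeric version compared component by component.
type version []int

func parseVersion(s string) (version, error) {
	var v version
	for _, part := range strings.Split(strings.TrimPrefix(s, "v"), ".") {
		n, err := strconv.Atoi(part)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", s, err)
		}
		v = append(v, n)
	}
	return v, nil
}

// at treats a missing trailing component as 0, so 4.92 == 4.92.0.
func at(v version, i int) int {
	if i < len(v) {
		return v[i]
	}
	return 0
}

// cmp returns -1, 0 or 1.
func (v version) cmp(o version) int {
	for i := 0; i < len(v) || i < len(o); i++ {
		switch a, b := at(v, i), at(o, i); {
		case a < b:
			return -1
		case a > b:
			return 1
		}
	}
	return 0
}

// kubectlFixed is the first release on each branch carrying the CVE-2019-11246 fix.
var kubectlFixed = map[string]string{"1.12": "1.12.9", "1.13": "1.13.6", "1.14": "1.14.2"}

var (
	// `kubectl version --client` prints a version.Info struct; GitVersion is the release tag.
	kubectlRe = regexp.MustCompile(`GitVersion:"v?([0-9]+\.[0-9]+\.[0-9]+)`)
	// `exim -bV` starts with a line like "Exim version 4.91 #1 built ...".
	eximRe = regexp.MustCompile(`^Exim version ([0-9]+\.[0-9]+(?:\.[0-9]+)?)`)
)

// kubectlVulnerable decides from `kubectl version --client` output. Branches older
// than 1.12 never received the fix; 1.15 and later shipped with it.
func kubectlVulnerable(out string) (bool, error) {
	m := kubectlRe.FindStringSubmatch(out)
	if m == nil {
		return false, fmt.Errorf("no GitVersion in kubectl output")
	}
	v, err := parseVersion(m[1])
	if err != nil {
		return false, err
	}
	fixed, ok := kubectlFixed[fmt.Sprintf("%d.%d", v[0], v[1])]
	if !ok {
		return v.cmp(version{1, 12}) < 0, nil
	}
	f, _ := parseVersion(fixed)
	return v.cmp(f) < 0, nil
}

// eximVulnerable decides from `exim -bV` output: 4.87 through 4.91 are affected
// by CVE-2019-10149; 4.92 carries the fix.
func eximVulnerable(out string) (bool, error) {
	m := eximRe.FindStringSubmatch(out)
	if m == nil {
		return false, fmt.Errorf("no version line in exim output")
	}
	v, err := parseVersion(m[1])
	if err != nil {
		return false, err
	}
	return v.cmp(version{4, 87}) >= 0 && v.cmp(version{4, 92}) < 0, nil
}

func main() {
	// Constructed command output; feed in the real output of the two commands instead.
	for _, s := range []struct {
		out   string
		check func(string) (bool, error)
	}{
		{`Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1"}`, kubectlVulnerable},
		{`Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.10"}`, kubectlVulnerable},
		{"Exim version 4.91 #1 built 22-May-2018 12:00:00", eximVulnerable},
		{"Exim version 4.92 #3 built 13-Jun-2019 15:49:08", eximVulnerable},
	} {
		vuln, err := s.check(s.out)
		fmt.Printf("%-70.70s vulnerable=%v err=%v\n", s.out, vuln, err)
	}
}
```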

Patching is still a problem for many enterprises, and this a known issue. Many cybercriminals actively abuse vulnerabilities for which patches have already been released. Some attackers exploit vulnerabilities that have been patched for almost a year, assuming that many users do not apply available updates quickly, or even at all.

Technologies like virtual patching and application control can reduce exposure while a fix is tested and rolled out, instead of relying on ad hoc patching. An audit tool can also help organizations fold the important patches into a scheduled patch cycle to ease planning and deployment.

The Trend Micro™ Deep Security™ solution provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. Deep Security™ and Vulnerability Protection protect systems and users via the following Deep Packet Inspection (DPI) rule:

  • 1009797 - Exim 'deliver_message' Command Injection Vulnerability (CVE-2019-10149)

The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. Customers are protected from threats and attacks that may exploit this vulnerability via this MainlineDV filter:

  • 35520: SMTP: Exim Internet Mailer Command Injection Vulnerability

The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.

HTTPS Protocol Now Used in 58% of Phishing Websites

Unlike most types of cyberattacks, which have evolved considerably over time, phishing has rarely strayed from its traditional formula of combining social engineering with malicious files or links. That has not stopped cybercriminals from making their attempts more convincing, going as far as abusing tools meant to provide security. One example is setting up phishing sites that use HTTPS (Hypertext Transfer Protocol Secure), a tactic on the rise in phishing attacks and now seen on 58% of phishing sites according to the Q1 2019 report from the Anti-Phishing Working Group (APWG).

HTTPS, now the standard protocol for secure communication on the web, encrypts traffic between a browser and a website and authenticates the server to the domain name in the URL, so that third parties on the network cannot read or tamper with the data being exchanged. HTTPS is especially important for websites that ask users for personal information or credentials, such as login pages.

Because HTTPS is now so widespread, current browsers notify users that they are browsing an "unsecure" website when it lacks the protocol, and show a lock icon in the address bar when it is present. Many users read the lock as a sign that they are on a safe domain and its absence as the opposite. In fact the lock only means that the connection is encrypted and the certificate matches the hostname shown; it says nothing about who operates that hostname. Wily cybercriminals take advantage of this by serving phishing sites over HTTPS, so the browser presents a malicious site with the same reassuring indicator as a legitimate one.

HTTPS relies on a TLS (Transport Layer Security, the successor to SSL) certificate issued for the site's domain. Certificates were traditionally purchased, which made HTTPS phishing sites an expensive option for cybercriminals. A number of services now issue certificates for free, so anyone, cybercriminals included, can add HTTPS to a website. Alternatively, cybercriminals can compromise legitimate websites and host phishing pages on them, inheriting the site's valid certificate and making it even harder for potential victims to tell what is safe from what is not.
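Because the lock says nothing about who owns the domain, a practical check is to look at the registrable domain rather than at the padlock. The Go program below is an added example, not code from the page or from the APWG report: it assesses URLs against a constructed brand table, flags brand names that appear only in subdomains or paths of an unrelated registrable domain, bare IP hosts, userinfo before '@', and punycode labels, and records HTTPS without letting it count in the site's favor. The two-entry public-suffix table and the sample URLs are stand-ins for this example; production code should use the full Public Suffix List.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// legitDomains maps a brand keyword to the registrable domain that really serves it.
// Constructed for this example; a deployment maintains its own list.
var legitDomains = map[string]string{
	"paypal":      "paypal.com",
	"examplebank": "examplebank.co.uk",
}

// multiLabelSuffixes is a two-entry stand-in for the Public Suffix List.
var multiLabelSuffixes = map[string]bool{"co.uk": true, "com.au": true}

// registrableDomain returns the part of the hostname a registrant actually controls:
// the label directly under the public suffix plus the suffix. Everything to the left
// of it is a subdomain the registrant can set to any text, brand names included.
func registrableDomain(host string) string {
	labels := strings.Split(host, ".")
	n := len(labels)
	if n < 2 {
		return host
	}
	if n >= 3 && multiLabelSuffixes[strings.Join(labels[n-2:], ".")] {
		return strings.Join(labels[n-3:], ".")
	}
	return strings.Join(labels[n-2:], ".")
}

type verdict struct {
	Host        string
	Registrable string
	HTTPS       bool
	Reasons     []string
}

// assess reports why a URL looks like a brand impersonation. HTTPS is recorded but never
// reduces suspicion: a valid certificate only proves control of the registrable domain shown.
func assess(raw string) (verdict, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return verdict{}, err
	}
	host := strings.ToLower(u.Hostname())
	v := verdict{Host: host, Registrable: registrableDomain(host), HTTPS: u.Scheme == "https"}
	if net.ParseIP(host) != nil {
		v.Registrable = host
		v.Reasons = append(v.Reasons, "bare IP address instead of a hostname")
	}
	if u.User != nil {
		v.Reasons = append(v.Reasons, "userinfo before '@' hides the real host")
	}
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			v.Reasons = append(v.Reasons, "punycode label "+label+": possible homograph")
			break
		}
	}
	pathAndQuery := strings.ToLower(u.Path + "?" + u.RawQuery)
	for brand, legit := range legitDomains {
		if v.Registrable == legit {
			continue // the genuine site may use any subdomain or path it likes
		}
		if strings.Contains(host, brand) {
			v.Reasons = append(v.Reasons, fmt.Sprintf("%q in hostname but registrable domain is %s, not %s", brand, v.Registrable, legit))
		} else if strings.Contains(pathAndQuery, brand) {
			v.Reasons = append(v.Reasons, fmt.Sprintf("%q appears only in the path under %s", brand, v.Registrable))
		}
	}
	return v, nil
}

func main() {
	// Constructed sample URLs; none of these hosts is a real target.
	for _, raw := range []string{
		"https://www.paypal.com/signin",
		"https://www.paypal.com.secure-login.example/signin",
		"https://login.examplebank.co.uk.verify-account.net/",
		"http://203.0.113.5/paypal/login",
		"https://xn--pypal-4ve.com/",
	} {
		v, err := assess(raw)
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%-52s https=%-5v registrable=%-24s %v\n", raw, v.HTTPS, v.Registrable, v.Reasons)
	}
}
```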

The practice of abusing HTTPS in phishing attacks has become so widespread that the FBI issued a public service announcement earlier this month to warn users.  

Best practices to defend against phishing attacks

Fortunately, despite the large number of phishing sites that use HTTPS, some of the best defenses users have against phishing remain relatively simple:

  • Be cognizant of what phishing attacks look like and how they work. Misspellings, out-of-context messages, and even different-looking signatures should be red flags.

  • Take everything into consideration before clicking a link or downloading an attachment. Just because a website uses the HTTPS protocol and looks legitimate does not automatically mean that it is safe. For example, a seemingly authentic bank website may be spoofing the legitimate site.

Malicious Spam Campaign Uses ISO Image Files to Deliver LokiBot and NanoCore

As cybercriminals become more creative with their spamming techniques, it shouldn’t be surprising to see more unusual file types being employed as file attachments, as was the case with an April campaign discovered by Netskope that used ISO image files to deliver two notorious Trojans: LokiBot and NanoCore.

The malicious spam comes in the form of a fake invoice email which states that the recipient can access the billing by opening an ISO image attachment. This is notable because invoices are usually sent as Word documents or Excel files. Thus, the use of an ISO image as an invoice is highly unusual. Adding to the suspicious nature of the attachment is the file size. Samples were roughly 1MB to 2MB — again uncommon given that typical ISO images tend to have larger file sizes.

Contained within the image is the executable payload, either LokiBot (detected as TrojanSpy.Win32.LOKI.THFBFAI) or NanoCore (detected as Backdoor.Win32.NANOBOT.SMY), which runs once the user opens the attachment, mounting the image, and launches the file inside it.

The technique used in this campaign confirms that cybercriminals are using a wider variety of file types in their email attacks. Trend Micro detections of advanced email threats in 2018 included malware-ridden spam with IQY and ARJ attachments. Modern versions of Windows mount an ISO file as a drive as soon as it is opened, and email security solutions often let the format through, so it makes sense that cybercriminals are experimenting with it.
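A mail gateway can catch this campaign's combination of indicators (a disk image where a document is expected, an image only a megabyte or two in size, and an executable inside it) without trusting the filename. The Go program below is an added example and not Netskope's or Trend Micro's detection logic: it checks for the ISO 9660 volume descriptor at sector 16, scans the image for an embedded PE header, and builds a constructed stand-in image to exercise the checks. The size threshold and the function names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

const (
	sectorSize    = 2048
	pvdOffset     = 16 * sectorSize // the ISO 9660 primary volume descriptor lives in sector 16
	maxInvoiceISO = 2 << 20         // the campaign's samples were 1-2 MB; a real OS image is hundreds of MB
)

// isISO9660 checks the on-disk magic rather than the filename, since a renamed
// attachment still mounts. Byte 0 of the descriptor is its type, bytes 1-5 are "CD001".
func isISO9660(data []byte) bool {
	return len(data) >= pvdOffset+6 && string(data[pvdOffset+1:pvdOffset+6]) == "CD001"
}

// containsPE scans for an "MZ" DOS header whose e_lfanew field (offset 0x3c) points at
// a "PE\0\0" signature. File data inside an ISO is stored unencoded, so an executable
// in the image is visible to a plain byte scan.
func containsPE(data []byte) bool {
	for i := 0; i+0x40 <= len(data); i++ {
		if data[i] != 'M' || data[i+1] != 'Z' {
			continue
		}
		off := int(binary.LittleEndian.Uint32(data[i+0x3c : i+0x40]))
		if off >= 0x40 && i+off+4 <= len(data) && bytes.Equal(data[i+off:i+off+4], []byte("PE\x00\x00")) {
			return true
		}
	}
	return false
}

// triageInvoiceAttachment returns the reasons an attachment claiming to be an invoice
// matches this campaign; nil means nothing ISO-related was found.
func triageInvoiceAttachment(filename string, data []byte) []string {
	isoName := strings.HasSuffix(strings.ToLower(filename), ".iso")
	isoData := isISO9660(data)
	if !isoName && !isoData {
		return nil
	}
	var reasons []string
	switch {
	case isoName && !isoData:
		reasons = append(reasons, ".iso name but no ISO 9660 descriptor")
	case !isoName && isoData:
		reasons = append(reasons, "ISO 9660 image behind a non-.iso name")
	default:
		reasons = append(reasons, "disk image where an invoice should be a document")
	}
	if isoData && len(data) <= maxInvoiceISO {
		reasons = append(reasons, fmt.Sprintf("tiny image (%d bytes), consistent with a dropper", len(data)))
	}
	if containsPE(data) {
		reasons = append(reasons, "image embeds a Windows executable")
	}
	return reasons
}

// buildSampleISO constructs a minimal stand-in: a descriptor in sector 16 and a fake PE
// stub in sector 20. It is not a mountable image, just enough to exercise the checks.
func buildSampleISO() []byte {
	data := make([]byte, 24*sectorSize)
	data[pvdOffset] = 1 // descriptor type 1 = primary
	copy(data[pvdOffset+1:], "CD001")
	pe := 20 * sectorSize
	copy(data[pe:], "MZ")
	binary.LittleEndian.PutUint32(data[pe+0x3c:], 0x80)
	copy(data[pe+0x80:], "PE\x00\x00")
	return data
}

func main() {
	fmt.Println(triageInvoiceAttachment("Invoice_2019-04.iso", buildSampleISO()))
	fmt.Println(triageInvoiceAttachment("Invoice_2019-04.pdf", buildSampleISO()))
	fmt.Println(triageInvoiceAttachment("Invoice_2019-04.docx", []byte("PK\x03\x04")))
}
```

The PE scan is deliberately simple; a gateway that wants the file list would parse the ISO 9660 directory records instead, but the byte scan already separates a dropper image from a document without mounting anything.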

LokiBot and NanoCore

LokiBot is a sophisticated malware family that has information stealing and keylogging capabilities. Often advertised in the underground as a tool used for stealing passwords and cryptocurrency wallets, it has extensively been used in a wide variety of campaigns.

The variant used in this campaign has several checks to detect the environment it is running in. It calls IsDebuggerPresent() to detect a debugger, and it measures the time difference between calls to CloseHandle() and GetProcessHeap() to decide whether it is running inside a virtual machine. Beyond gathering data such as web browser information and login credentials, it also checks for the presence of web and email servers as well as remote administration tools.

The other payload, NanoCore, is a Remote Access Tool (RAT) that has high modularity and customizability thanks to various plugins which expand its capabilities.

Like LokiBot, it is sold in underground forums, making it available for other threat actors to use in their own attacks. In this malspam campaign, NanoCore creates a mutual exclusion object (mutex), performs process injection, and uses the registry for persistence. Similar to the LokiBot payload, it also tries to detect the presence of a debugger. The goal of NanoCore is to capture clipboard data and keystrokes and steal information from document files.

How to stay safe from malicious emails

While both LokiBot and NanoCore are fairly advanced malware, malspam is their primary delivery method. Therefore, best practices for detecting and preventing malicious emails remain effective in helping users avoid malware.

  • Be wary of grammatical and typographical errors. Business emails, especially communications between a business and its suppliers, will usually be written in a professional manner. An email that contains blatant grammatical or typographical errors could be a sign that it is a malicious email.

  • Double check the sender's email address. The easiest way to judge whether an email is authentic is to check the sender's address. If it does not use the official domain of the sender's organization, or is otherwise unusual, that is a red flag.

  • Context, context, context. If the email content fails to provide context regarding the discussion (such as a one-liner) and also includes a link or an attachment, then there is a high chance that it is a malspam attempt.

  • Don’t click or download. Even if an email looks legitimate, it’s still prudent to avoid clicking on any links or downloading any files until the source is verified to be legitimate. Hacked email accounts have previously been used for spear phishing.

Trend Micro email security solutions powered by machine learning

To make it easier for organizations to protect their employees from phishing and advanced email threats, they can consider email protection such as the Trend Micro™ Cloud App Security™ solution, which uses machine learning (ML) to help detect and block spam and phishing attempts. It detects suspicious content in the message body and attachments and provides sandbox malware analysis and document exploit detection.
