J2SECOPS WEEKLY NEWS: Everything from being an Enterprise of Anything to SWIFT not ready for blockchain

How many devices are misconfigured… or not configured?

I saw this blog that Anton Chuvakin posted over at Gartner stating that there’s a lot of security technology which is deployed yet misconfigured, not configured optimally, set to default, or deployed broken in other ways.

Having “played” with Shodan.io again recently, it astounded me how many devices out there have default credentials; were I inclined to do so, I could connect to devices within the “IoT”, or as I like to call it, the “Enterprise of Anything”.


SWIFT says blockchain not ready for mainstream use

SWIFT, the Brussels-based messaging system which handles around half of all high-value cross-border payments, has been experimenting with blockchain. It says that while the test went extremely well, it concluded that further progress is needed on the blockchain before mainstream use. Watch this space.

The secret life of your login credentials

When your data leaves your machine, where does it go? What happens to it along the way? And what systems have been put in place to ensure that your information is kept private as it travels, and after it arrives at its final destination?
The short answer is: quite a lot. So strap in as we take you on a tour of the secret life of your username and password in order to expose the trials and tribulations of keeping a secret on the web.


New Detection Technique – TSCookie

TSCookie malware has appeared in several targeted attacks since 2015. TSCookie is commonly spread by email, and has recently been observed in fake messages impersonating the Ministry of Education and Sports in Japan.

TSCookie serves as a downloader. It communicates with C&C servers over HTTP and downloads a module and its loader. The malware contains an encrypted DLL that is loaded into memory; this DLL performs the core functions, such as communicating with C&C servers over an RC4-encrypted channel.

TSCookieRAT is the final malware downloaded and executed on a TSCookie-infected host. It can execute arbitrary shell commands, send system information, and retrieve browser passwords. All communications are performed over HTTP, and each is encrypted separately.

We've updated the 'Malware Infection – Trojan' correlation rule to detect TSCookie activity.


New Detection Techniques – Mobile Trojan Infection

We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Syricka.GEN6254, HiddenApp.EN, Agent.AMP, Arukas.A!tr, RiskTool/Dnotua.olg, SMS-Flooder/Agent.l, Trojan/Agent.on, and Trojan/Triada.cx families.


New Detection Technique – Malware SSL Certificates

We've updated the ‘Malware Infection – Malicious SSL Certificate’ correlation rule to include the list of certificates identified to be associated with malware or botnet activities. 


Updated Detection Technique – AZORult

AZORult has made recent appearances in the cybercrime space, spread through spam email campaigns. Recent malicious emails have impersonated DHL delivery messages.

The malicious emails contained a single RTF file carrying three different exploits, in the form of .exe files and OLE objects. The vulnerabilities exploited are CVE-2017-8759, CVE-2017-11882, and CVE-2017-0199, which affect several Microsoft Windows products, including the .NET Framework and Office suites. If any of the exploits executes successfully, the system is infected with AZORult version 2.

AZORult is a trojan horse with spyware and C&C capabilities. It can steal passwords from web browsers and email inboxes, collect wallet.dat files from popular bitcoin clients, and gather other sensitive information such as Skype message history, the list of installed programs, file extensions, etc. Applying the proper patches to the affected Windows components is enough to prevent AZORult from infecting the machine in this campaign.

We've updated the 'Malware Infection – Trojan' correlation rule to detect AZORult activity.

J2SECOPS WEEKLY NEWS: Everything from Androids dreaming of Electric Sheep to Every Mov(ie) You Make… I’ll Be Watching you…

MoviePass Subscription Service Tracks More Than Your Viewing Habits

The CEO of MoviePass recently revealed the full extent of its tracking functionality, which was originally thought to use your location to find a nearby theatre. The application can track any user from their home to the theatre, and then onward through the rest of their journey, keeping notes on businesses and restaurants the user may visit. While this data is said to only be used to help enhance the user’s evening, it does seem to be a massive breach of privacy given that there is nothing in the terms of service that mentions the full extent of the tracking.


Does ALEXA Dream of Electric Sheep?

Multiple people have been spooked by Amazon's virtual AI assistant, Alexa, laughing on its own. Amazon has promised it will implement changes to avoid similar incidents in the future, but it's good to look at what we could learn from all of this. First, let’s set a couple of things straight. Alexa laughing at seemingly random moments, coupled with little acts of defiance, sure sounds chillingly familiar — but this (probably) isn’t a sign of an AI takeover. What it is, rather, is a chance to reconsider some of the realities of living with virtual AI assistants today, and in the future.


Latest Crypto-Miner Introduces Kill List for Competitive Processes

A new cryptocurrency miner has recently been discovered that seems to have an edge over its competition: the ability to terminate conflicting processes to maintain control over the device’s processing power. While the use of a ‘kill list’ isn’t new to malware in general, this does seem to be the first program that uses it for mining purposes, rather than continuing to propagate.


MacOS Users Getting Browsing Security Update

Within the last week, Google has announced it will begin rolling out a new security feature for MacOS that will give Chrome users additional warnings when attempting to access malicious or compromised websites. While these features have been available to Windows users for quite some time, Google will begin implementing them for MacOS in April of this year. As Mac malware continues to proliferate, the need for these features grows right alongside it.


New Detection Technique – Memcrashed

Cybercriminals have used exposed Memcached servers in a campaign called Memcrashed. The purpose is to launch DDoS attacks amplified to over 51,000 times their original strength, enough to knock down major websites and Internet infrastructure. The Memcrashed amplification attack works by sending a forged request to a vulnerable Memcached server listening on UDP port 11211, with the source IP address spoofed to the victim's IP, so that the server's much larger response is delivered to the victim.

The easiest way to prevent a Memcached server from being used as a reflector is to block UDP on port 11211. Internet service providers (ISPs) can also help mitigate these and other amplification attacks by fixing vulnerable protocols and preventing IP spoofing.

We've updated the 'Delivery & Attack – DDOS' correlation rule to detect Memcrashed activity.
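As an added illustration of the reflector traffic the briefing describes (this is example code, not J2's correlation rule), the block below scans constructed NetFlow-style records for hosts receiving amplified replies sourced from UDP/11211, and shows the memcached start-up options that stop a server from reflecting. The thresholds are assumptions; the flow records and addresses are constructed.

```python
"""Flag Memcached (UDP/11211) amplification traffic in flow records.

Added example, not part of the J2 briefing. Input is a constructed list of
NetFlow-style records rather than a real collector feed.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_AMPLIFICATION = 50.0      # assumed threshold; real 'stats' replies dwarf requests
MIN_RESPONSE_BYTES = 10_000   # assumed; ignore tiny probe replies

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # A small request that appears to come from the victim, aimed at a reflector...
    ("udp", "198.51.100.7", 40000, "203.0.113.10", 11211, 60),
    # ...and the huge replies from two reflectors landing on the victim
    ("udp", "203.0.113.10", 11211, "198.51.100.7", 40000, 420_000),
    ("udp", "203.0.113.11", 11211, "198.51.100.7", 40000, 380_000),
    # Benign: an app server talking to its own cache over TCP
    ("tcp", "10.0.0.5", 51000, "10.0.0.9", 11211, 1_200),
    ("tcp", "10.0.0.9", 11211, "10.0.0.5", 51000, 2_400),
    # Benign UDP on another port (DNS)
    ("udp", "10.0.0.5", 53001, "10.0.0.2", 53, 80),
    ("udp", "10.0.0.2", 53, "10.0.0.5", 53001, 300),
]


def memcrashed_victims(flows):
    """Return {victim_ip: report} for hosts receiving amplified UDP/11211 replies.

    Two signals are combined: replies sourced from UDP/11211 that are large in
    absolute terms, and a response/request byte ratio far above what a
    legitimate client would ever see.
    """
    sent = defaultdict(int)       # bytes the "victim" appeared to send to 11211
    received = defaultdict(int)   # bytes the victim got back from 11211
    reflectors = defaultdict(set)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:
            sent[sip] += nbytes
        elif sport == MEMCACHED_PORT:
            received[dip] += nbytes
            reflectors[dip].add(sip)
    report = {}
    for victim, rx in received.items():
        tx = sent.get(victim, 0)
        # A victim that never actually sent a request has tx == 0: treat as infinite
        ratio = rx / tx if tx else float("inf")
        if rx >= MIN_RESPONSE_BYTES and ratio >= MIN_AMPLIFICATION:
            report[victim] = {
                "bytes_received": rx,
                "amplification": ratio,
                "reflectors": sorted(reflectors[victim]),
            }
    return report


def hardened_memcached_args():
    """Command line that stops memcached acting as a reflector.

    '-U 0' disables the UDP listener and '-l 127.0.0.1' binds the TCP listener
    to loopback only; both are standard memcached options.
    """
    return ["memcached", "-U", "0", "-l", "127.0.0.1"]


if __name__ == "__main__":
    for victim, info in memcrashed_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['bytes_received']} B from {info['reflectors']} "
              f"(x{info['amplification']:.0f})")
    print("hardened start: " + " ".join(hardened_memcached_args()))
```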


New Detection Technique – Chafer

Chafer is a trojan first exposed by Symantec in early 2015, and it is now being used in new campaigns targeting the Middle East. Its activity focuses on information gathering and creating backdoors, targeting important sectors in the region such as airlines, telecom companies, and engineering firms. Countries affected by these campaigns include Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey.

The infection vector is a Microsoft Excel document spread by email. When opened, it downloads a malicious VBS file, which in turn runs a PowerShell script. Some hours later, a dropper appears on the compromised computer and installs three files: an information stealer, a screen capture utility, and an empty executable.

Tools added to Chafer's arsenal include Remcom, the Non-Sucking Service Manager (NSSM), SMB hacking tools, and a custom screenshot/clipboard capture tool, among others.

We've updated the 'Malware Infection – Trojan' correlation rule to detect Chafer activity.


New Detection Technique – Cannibal RAT

Cannibal RAT is a new remote administration tool, written entirely in Python, that was exposed by the Talos group in February 2018. Samples of two versions of this malware (3.0 and 4.0) were detected, both sharing most of the same packages and behaviours; however, version 4.0 uses obfuscation techniques to avoid detection. Recent campaigns target Brazil, specifically the INESAP (Instituto Nacional Escola Superior da Administração Pública).

The malware is distributed in py2exe format, with python27.dll and the Python bytecode attached as a PE resource. The C&C infrastructure uses fast-flux DNS, allowing the hosts to change their resolution quickly. The C&C is linked to four hostnames, which always point to IP addresses hosted within the same ASN.

Version 4.0 of the RAT was hosted at inesapconcurso[.]webredirect[.]org and filebin[.]net. After installation, the malware creates a PDF file with embedded HTML code, mimicking an official INESAP document, and then starts Chrome to open it.

We've updated the 'Malware Infection – RAT' correlation rule to detect Cannibal RAT activity.
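The fast-flux behaviour described above (hostnames whose resolution changes quickly) is something a defender can triage from resolver logs. The block below is an added example, not J2's rule or anything from the Talos report: it parses constructed passive-DNS style lines and flags names that resolve to many distinct addresses with short TTLs inside one window. The thresholds and the log format are assumptions.

```python
"""Heuristic fast-flux check over DNS resolver logs.

Added example, not part of the J2 briefing or the Talos report. The log lines
are constructed; the thresholds are assumptions, not published numbers.
"""
from collections import defaultdict

# Assumed thresholds: many distinct A records in a short window, all with low TTLs
MIN_DISTINCT_IPS = 5
MAX_TTL = 300

# Constructed passive-DNS style lines: "<epoch> <qname> A <ip> ttl=<n>"
SAMPLE_DNS_LOG = """\
1520000000 cdn.example.org A 192.0.2.10 ttl=3600
1520000600 cdn.example.org A 192.0.2.11 ttl=3600
1520000000 c2.example.net A 198.51.100.21 ttl=60
1520000120 c2.example.net A 198.51.100.77 ttl=60
1520000240 c2.example.net A 198.51.100.130 ttl=120
1520000360 c2.example.net A 198.51.100.9 ttl=60
1520000480 c2.example.net A 198.51.100.201 ttl=30
1520000600 c2.example.net A 198.51.100.21 ttl=60
1520000000 www.example.com A 203.0.113.5 ttl=300
this line is malformed and must be skipped
"""


def parse_dns_log(text):
    """Yield (timestamp, qname, ip, ttl) for A-record lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A" or not parts[4].startswith("ttl="):
            continue
        try:
            yield int(parts[0]), parts[1].lower(), parts[3], int(parts[4][4:])
        except ValueError:
            continue


def fast_flux_candidates(records, window_seconds=3600):
    """Return {qname: {"ips": [...], "max_ttl": n}} for names that look fluxed.

    A name qualifies when, inside some window_seconds span, it resolved to at
    least MIN_DISTINCT_IPS different addresses and every answer in that span
    had a TTL of MAX_TTL or less. Legitimate CDNs also rotate addresses, so
    treat a hit as a triage signal to enrich (for example with ASN data, since
    the RAT's hosts all sat in one ASN), not as a verdict.
    """
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    out = {}
    for name, answers in by_name.items():
        answers.sort()
        for i in range(len(answers)):
            start = answers[i][0]
            window = [a for a in answers[i:] if a[0] - start <= window_seconds]
            ips = {ip for _, ip, _ in window}
            max_ttl = max(ttl for _, _, ttl in window)
            if len(ips) >= MIN_DISTINCT_IPS and max_ttl <= MAX_TTL:
                out[name] = {"ips": sorted(ips), "max_ttl": max_ttl}
                break
    return out


if __name__ == "__main__":
    for name, info in fast_flux_candidates(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{name}: {len(info['ips'])} IPs in window, max TTL {info['max_ttl']}s")
```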


New Detection Technique – Malware SSL Certificates

We've updated the ‘Malware Infection – Malicious SSL Certificate’ correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. 


New Detection Techniques – Trojan Infection

We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Icefog, Known Malicious Redirector, Sality.AE, SteamStealer, and W32/Kutaki families.


New Detection Techniques

Additional correlation rules were added as a result of recent malicious activity.


Updated Detection Technique – Asacub

The Asacub trojan, discovered in 2015, is considered an evolution of the CoreBot trojan. Distributed to Android devices, it was first classified as spyware, although it was later found to connect to C&C servers also used by Windows banker trojans.

The malware's banking functionality is based on displaying a bank phishing window, enabling call forwarding, and running specified Unstructured Supplementary Service Data (USSD) requests. Over the last several years it has mutated at least three times, adding capabilities such as GPS tracking and taking snapshots.

Recent campaigns began in December 2017 with a high traffic rate, infecting thousands of devices in Russia; the SMS spam campaigns infected more than 6,500 unique users in that country.

We've updated the 'Malware Infection – Mobile Trojan' correlation rule to detect Asacub activity.


Updated Detection Techniques – Trojan Infection

We've updated the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Bitcoin Miner, KovCoreG, Linux.Mirai, LokiBot, Nitol, Oilrig, SmokeLoader, and SmsThief.jz trojan families.


Updated Correlation Rules

Additional correlation rules were updated as a result of recent malicious activity.

J2 CSC September 4th Weekly Briefing

This week's threat intelligence update for our Cybersecurity Platform – Be Vigilant, Be Informed and Be Safe!

New Detection Technique - Datper

Datper has been observed in targeted attacks against Japanese organizations since around June 2016.

Datper infects systems either through drive-by download attacks or by exploiting vulnerabilities in asset management software.

Datper communicates with Command and Control servers using the HTTP protocol, limiting its communications to a specific time window.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Datper

#Datper #Trojan infection


New Detection Technique - Koadic

Koadic is a Windows post-exploitation toolkit, similar to other penetration testing tools such as Meterpreter and PowerShell Empire.

What makes Koadic unique is that it performs most of its operations using Windows Script Host (JScript/VBScript), with compatibility in the core to support multiple versions of Microsoft operating systems from Windows 2000 through Windows 10.

We have added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Koadic

#Koadic #Trojan infection


New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We have added IDS signatures and the following correlation rules to detect new ransomware families:

  • System Compromise, Ransomware infection, SyncCrypt

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Mole
  • System Compromise, Ransomware infection, Spora

#SyncCrypt #Cerber #Mole #Spora


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/HookUp
  • System Compromise, Trojan infection, StressHub

#MSIL/HookUp #StressHub


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers.

When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.

This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
  • Exploitation & Installation, Malicious website - Exploit Kit, Disdain EK

#Exploit Kits #Malicious redirection #Disdain


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

The updated correlation rules use this information to detect command and control communications related to several malware families, including:

  • System Compromise, Command and Control Communication, Known malicious SSL certificate

#Malware SSL Certificates #Known malicious SSL certificate


Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (an exploited vulnerability) and then the installation of malware.

Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

  • System Compromise, Malware RAT, KONNI
  • System Compromise, Malware RAT, NanoCore

#RAT #KONNI #NanoCore


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated the following correlation rules to detect the ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Defray
  • System Compromise, Ransomware infection, Spora
  • System Compromise, Ransomware infection, Torrentlocker

#Cerber #Defray #Spora #Torrentlocker


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Malicious Document
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MSXMLHTTP Request
  • Exploitation & Installation, Service Exploit, Samba Username Map Script RCE (CVE-2007-2447)
  • Exploitation & Installation, WebServer Attack, PHP-CGI exploit followed by web shell
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Targeted Malware, APT.9002
  • System Compromise, Trojan infection, Generic PowerShell
  • System Compromise, Trojan infection, Hancitor

#Phishing activity #Malicious Document #MSXMLHTTP Request #Samba Username Map Script RCE (CVE-2007-2447) #PHP-CGI exploit followed by web shell #CoinMiner #APT.9002 #Generic PowerShell #Hancitor

J2 CSC September 30th Weekly Briefing

This week's threat intelligence update for our Cybersecurity Platform – Be Vigilant, Be Informed and Be Safe!

New Detection Technique - Synology PhotoStation RCE

By chaining together 4 different vulnerabilities, CVE-2017-11151 through CVE-2017-11155, an attacker can gain arbitrary code execution on a vulnerable Synology PhotoStation NAS.

We've added IDS signatures and the following correlation rule to detect this activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Synology PhotoStation

#Synology  #PhotoStation


New Detection Technique - Trojan.MSIL.ProxyChanger.AK 

Trojan.MSIL.ProxyChanger.AK is a trojan that primarily targets the Windows platform.

This malware modifies the local system proxy and redirects all traffic to an attacker-controlled system.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Trojan.MSIL.ProxyChanger.AK

#Trojan.MSIL.ProxyChanger.AK #Trojan infection


New Detection Technique - Amnesia

Amnesia is a new variant of the IoT/Linux botnet known as "Tsunami."

The Amnesia botnet targets an unpatched remote code execution vulnerability in DVR (digital video recorder) devices made by TVT Digital, which was publicly disclosed over a year ago, in March 2016.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Backdoor, Amnesia

#Backdoor #Amnesia


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, Oiram

#Oiram #Trojan


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads."

Undetectable by normal users, these kits are embedded in websites by attackers.

When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.

This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, RIG EK
  • Delivery & Attack, Malicious website - Exploit Kit, EITest EK
  • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection

#Exploit Kits #Malicious website #RIG EK #EITest EK #Malicious redirection


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, StrongPity SSL activity
  • System Compromise, C&C Communication, Upatre SSL activity

#Malware SSL Certificates #Known malicious SSL certificate


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated correlation rules to better detect the following ransomware families:

  • System Compromise, Ransomware infection, Cerber
  • System Compromise, Ransomware infection, Locky

#Ransomware #Cerber #Locky


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Emotet
  • System Compromise, Trojan infection, Bancos
  • System Compromise, Trojan infection, Corebot
  • System Compromise, Trojan infection, Kryptik
  • System Compromise, Trojan infection, MP-FormGrabber
  • System Compromise, Trojan infection, Retefe
  • System Compromise, Trojan infection, SpyBanker
  • System Compromise, Trojan infection, Unknown trojan
  • System Compromise, Worm infection, DELF

#Phishing activity #Emotet #Bancos #Corebot #Kryptik #CoinMiner #MP-FormGrabber #Retefe #SpyBanker #DELF

J2 CSC August 21st Weekly Briefing

This week’s threat Intelligence Update for our Cybersecurity Platform – Be Vigilant, Be Informed and Be Safe!

New Detection Technique - OSX/Mughthesec

OSX/Mughthesec is an adware attack that targets Mac users.

It is a modified strain of the known OperatorMac adware. OSX/Mughthesec uses a legitimate Apple developer certificate (which has since been revoked by Apple) to bypass Apple's built-in security checks and install.

To the victim, the adware attack appears as an Adobe Flash installer (a common disguise for malware).

If the victim agrees to install the fake Flash update, the adware runs a number of applications on the victim's device.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Mughthesec/SafeFinder/OperatorMac

#OSX/Mughthesec #OperatorMac #SafeFinder


New Detection Technique - Veil

Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Veil

#Veil #Metasploit


New Detection Technique - Fynloski

Fynloski, a repackaged version of a remote access tool (RAT), uses code injection to make it harder to detect and remove.

Fynloski allows backdoor access and control to let a malicious hacker remotely access the infected machine and perform a number of malicious activities: capture video from the webcam, download and run files, control the mouse, record keystrokes, and much more.

We've added IDS signatures and the following correlation rule to detect this activity:

  • System Compromise, Trojan infection, Fynloski

#Fynloski #RAT


Microsoft/Adobe Patch Tuesday

This week's updates include Microsoft / Adobe's Patch Tuesday content. Adobe and Microsoft fixed multiple vulnerabilities in their products.

We've added IDS signatures and correlation rules to detect the following activity:

  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe EMF File Heap Overflow Vulnerability Inbound (CVE-2017-3121)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe EMF File Memory Corruption Vulnerability Inbound (CVE-2017-11241)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Type Confusion (CVE-2017-3106)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Information Disclosure (CVE-2017-3115)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Memory Corruption (CVE-2017-3122)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Security Bypass (CVE-2017-3118)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Use After Free (CVE-2017-3113)
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Microsoft JET Database Engine RCE Inbound (CVE-2017-2050)

#Adobe #Patch Tuesday


New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

  • System Compromise, Trojan infection, MSIL/Agent.ATS
  • System Compromise, Trojan infection, MSIL/CoalaBot
  • System Compromise, Trojan infection, Ukodus

#MSIL #Agent.ATS #CoalaBot #Ukodus


Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers.

When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine.

This approach is a common attack vector and a major source of infections for end users.

Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added IDS signatures and updated the following correlation rule to improve exploit kit detection:

  • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK

#Exploit #Magnitude EK


Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

  • System Compromise, C&C Communication, Known malicious SSL certificate
  • System Compromise, C&C Communication, Gozi SSL Activity

#Malicious #SSL Certificate #Gozi #SSL Activity
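The Malware SSL Certificates updates in this and the earlier briefings all work the same way: certificate fingerprints from the Abuse.ch list are matched against observed TLS sessions. The block below is an added example of that matching, not J2's rule logic. It assumes the public SSLBL CSV layout (Listingdate,SHA1,Listingreason) and Suricata's EVE 'tls' event shape, whose 'fingerprint' field carries the colon-separated SHA-1 of the server certificate; every fingerprint value and log line here is constructed.

```python
"""Match TLS certificate fingerprints against an SSL blocklist.

Added example, not J2's correlation rule. Both inputs are constructed: the
blocklist rows follow the SSLBL CSV layout and the traffic records follow
Suricata's EVE 'tls' event shape. The fingerprints are made-up values.
"""
import json

# Constructed blocklist rows (comment lines and blanks as in the real feed)
SAMPLE_SSLBL_CSV = """\
# SSL Blacklist CSV (constructed sample)
# Listingdate,SHA1,Listingreason
2018-03-01 08:00:00,0123456789abcdef0123456789abcdef01234567,Gozi C&C
2018-03-02 09:30:00,89ABCDEF0123456789ABCDEF0123456789ABCDEF,Upatre C&C
not,a,valid,row
"""

# Constructed Suricata EVE lines: two TLS events, one DNS event, one corrupt line
SAMPLE_EVE_LOG = """\
{"timestamp":"2018-03-05T10:00:01","event_type":"tls","src_ip":"10.0.0.15","dest_ip":"203.0.113.44","dest_port":443,"tls":{"subject":"CN=localhost","issuerdn":"CN=localhost","fingerprint":"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}}
{"timestamp":"2018-03-05T10:00:02","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.2","dns":{"rrname":"example.com"}}
{"timestamp":"2018-03-05T10:00:03","event_type":"tls","src_ip":"10.0.0.22","dest_ip":"198.51.100.9","dest_port":443,"tls":{"subject":"CN=www.example.com","issuerdn":"CN=Example CA","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"}}
{"timestamp":"2018-03-05T10:00:04","event_type":"tls","src_ip":"10.0.0.3
"""


def normalise_sha1(value):
    """Canonical form: 40 lowercase hex chars, separators removed; None if invalid."""
    hexstr = value.replace(":", "").strip().lower()
    if len(hexstr) != 40 or any(c not in "0123456789abcdef" for c in hexstr):
        return None
    return hexstr


def load_sslbl(csv_text):
    """Return {sha1: reason} from SSLBL-style CSV, skipping comments and bad rows."""
    blocklist = {}
    for line in csv_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(",", 2)
        if len(fields) != 3:
            continue
        sha1 = normalise_sha1(fields[1])
        if sha1:
            blocklist[sha1] = fields[2].strip()
    return blocklist


def find_blocklisted_tls(eve_text, blocklist):
    """Return one hit dict per EVE 'tls' event whose cert fingerprint is listed."""
    hits = []
    for line in eve_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip rather than crash the scan
        if event.get("event_type") != "tls":
            continue
        sha1 = normalise_sha1(event.get("tls", {}).get("fingerprint", ""))
        if sha1 in blocklist:
            hits.append({
                "timestamp": event.get("timestamp"),
                "src_ip": event.get("src_ip"),
                "dest_ip": event.get("dest_ip"),
                "sha1": sha1,
                "reason": blocklist[sha1],
            })
    return hits


if __name__ == "__main__":
    for hit in find_blocklisted_tls(SAMPLE_EVE_LOG, load_sslbl(SAMPLE_SSLBL_CSV)):
        print(f"{hit['timestamp']} {hit['src_ip']} -> {hit['dest_ip']}: {hit['reason']}")
```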


Updated Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild.

We've added IDS signatures and updated the following correlation rules to detect the ransomware families:

  • System Compromise, Ransomware infection, GlobeImposter
  • System Compromise, Ransomware infection, Locky
  • System Compromise, Ransomware infection, Nemesis

#GlobeImposter #Locky #Nemesis


Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity:

  • Delivery & Attack, Malicious website, Phishing activity
  • Exploitation & Installation, Client Side Exploit - Known Vulnerability, HTA File containing Wscript.Shell Call
  • Exploitation & Installation, Suspicious Behaviour, Public IP lookup after download
  • System Compromise, C&C Communication, Query to a DGA Domain
  • System Compromise, Malware infection, CoinMiner
  • System Compromise, Malware infection, Upatre
  • System Compromise, Malware RAT, njRAT
  • System Compromise, Trojan infection, Banker
  • System Compromise, Trojan infection, Bitcoin Miner
  • System Compromise, Trojan infection, Meciv
  • System Compromise, Trojan infection, Unknown PowerShell
  • System Compromise, Trojan infection, Winnti
  • System Compromise, Trojan infection, Zyklon

#Phishing activity #HTA File containing Wscript.Shell Call #Public IP lookup after download #Query to a DGA Domain #CoinMiner #Upatre #njRAT #Banker #Bitcoin Miner #Meciv #Unknown PowerShell #Winnti #Zyklon

Copyright © 2019 J2 Software | Powered By Cartmell