
Activity Summary - Week Ending December 14, 2018

Our partner Fortinet publishes a weekly report on the threats it has detected. You can review this week's report below. If you have questions, do not hesitate to contact us.


Microsoft's Patch Tuesday came with 39 updates, with 9 rated critical and 1 under active attack. Two of this month's patches were vulnerabilities discovered by FortiGuard Labs researchers. Our researchers discovered both vulnerabilities in September this year, and have worked closely with Microsoft to ensure that the patch successfully addressed the weaknesses.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook. The vulnerability results from Microsoft Outlook's failure to properly handle objects in memory. To exploit this vulnerability, a user must open a specially crafted RWZ file with an affected version of Microsoft Office. Once an attacker is successful in exploiting the vulnerability they can perform actions in the security permissions context of the current user. FortiGuard Labs signature: MS.Outlook.CVE-2018-8587.Remote.Code.Execution

CVE-2018-8612 is a Denial of Service (DoS) vulnerability in the Microsoft Universal Telemetry Client (UTC). UTC is a remote procedure call (RPC) service that collects telemetry data from Windows 10 to identify security and reliability issues; this helps to improve the quality of Windows and related services, and to inform design decisions for future releases. The DoS vulnerability is caused by insufficient validation of user input sent to APIs exposed via the UTC RPC interfaces, which eventually leads to a null pointer dereference. A local authenticated user can trigger the vulnerability to terminate the service, an action that can normally only be performed by administrative users. FortiGuard Labs signature: MS.RPC.UTC.DoS

Note that one of this month's vulnerabilities, CVE-2018-8611, is under active attack. This is a Win32K elevation of privilege flaw and is likely being used in targeted attacks. Exploiting it requires an attacker to already have an established presence on the target system. Consider this vulnerability a priority when developing your patching strategy.

For more details on this month's Patch Tuesday, visit: Microsoft Security Update Guide 

FortiGuard always practices responsible disclosure and will not publish details of any vulnerability we discover until the patch has been released. To find out more about our program, visit: FortiGuard Zero-Day Research.


Application Vulnerabilities / IPS

Rank  Name                                                           Prevalence
1     MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow    26,970
2     Apache.Struts.2.Jakarta.Multipart.Parser.Code.Execution        21,713
3     D-Link.DSL-2750B.CLI.OS.Command.Injection                      19,072
4     Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities   18,491
5     PHPUnit.Eval-stdin.PHP.Remote.Code.Execution                   18,629

SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection – A vulnerability exists in the SoftNAS Cloud product, a software-defined NAS delivered as a virtual appliance that can be set up and run on private, public, or hybrid clouds. The software itself is pretty mature, with features such as snapshots, encryption, rapid rollbacks, and high-availability capabilities. The flaw is a PHP command injection vulnerability in the web administration panel, located in the script named "snserv," which did not thoroughly sanitize input parameters before passing them on for execution. All SoftNAS versions before 4.0.3 are vulnerable to this bug. More specifically, the "recentversion" parameter of the "snserv" script is the one to blame. The script does not properly authenticate or validate sessions, allowing an unauthenticated attacker to execute payloads as the root user, since *wait for it* the web server runs Apache, and the Apache user has an entry in the sudoers file, allowing it to execute anything as the super user.

The researchers responsible for the discovery disclosed that a single HTTP GET parameter is enough to get a shell on a vulnerable server. We are seeing an enormous increase in activity for this signature worldwide, with the last 24 hours of activity being 73% higher than the observed average for the last 30 days, and 34% higher than the last 7 days' average.

Signatures: SoftNAS.Cloud.snserv.recentVersion.OS.Command.Injection 
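As an added example that is not part of the FortiGuard brief, the following Python log scanner flags requests to the snserv script whose recentversion parameter is anything other than a plain dotted version number; the sample log lines, the /softnas/ path prefix, client addresses and user agents are constructed for illustration, and only the script and parameter names come from the brief.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Apache combined log: client IP first, the request line in double quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# Allowlist: a legitimate recentversion value is a dotted version number, nothing else.
VERSION_RE = re.compile(r'^\d+(?:\.\d+)*$')

# Constructed sample lines, not real traffic: "snserv" and "recentversion" come from
# the brief; the /softnas/ prefix, hosts and user agents are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2018:10:01:02 +0000] "GET /softnas/snserv.php?recentversion=4.0.2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2018:10:01:09 +0000] "GET /softnas/snserv.php?recentversion=4.0.2;id HTTP/1.1" 200 64 "-" "curl/7.61.0"
198.51.100.9 - - [14/Dec/2018:10:02:41 +0000] "GET /softnas/snserv.php?recentversion=4.0.2%26whoami HTTP/1.1" 200 64 "-" "python-requests/2.20"
10.0.0.8 - - [14/Dec/2018:10:03:00 +0000] "GET /softnas/index.php?recentversion=4.0.2;id HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def query_params(query):
    """Split on '&' only (older parse_qs also split on ';', hiding a ';' injection),
    then percent-decode so an encoded '%26' shows up as '&' in the value."""
    pairs = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def classify_request(target):
    """None unless snserv is called with recentversion; else (verdict, decoded value)."""
    parts = urlsplit(target)
    if not parts.path.rsplit("/", 1)[-1].lower().startswith("snserv"):
        return None
    for key, value in query_params(parts.query):
        if key.lower() == "recentversion":
            verdict = "benign" if VERSION_RE.match(value) else "suspicious"
            return (verdict, value)
    return None

def scan_log(text):
    """Return [(client_ip, decoded recentversion value)] for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            verdict = classify_request(m.group("target"))
            if verdict and verdict[0] == "suspicious":
                hits.append((m.group("ip"), verdict[1]))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} sent recentversion={value!r}")
```

The allowlist check runs on the decoded value, so percent-encoded metacharacters are caught as well as literal ones.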

Avahi.NULL.UDP.Packet.DoS – Avahi, for those who are unaware, is a Linux service that facilitates local network service discovery via the mDNS/DNS-SD protocol suite. It is similar to Apple's Bonjour: once connected to the network, other users, printers, and shares appear on your local machine. It was discovered back in 2011 that Avahi (before 0.6.29) allowed remote attackers to cause a denial of service on the Avahi daemon (an infinite loop on the affected code path) simply by sending an empty mDNS IPv4 or IPv6 packet to the Avahi service port 5353. This was assigned CVE-2011-1002 and has been exploited in the wild ever since. We are now seeing an increase in the number of detections for this signature, with a 25% increase when comparing the last 24 hours to the last 7 days' average. Compared to the last 30 days' average, the jump is even higher, with 45% more triggers worldwide in the last 24 hours.

Signatures: Avahi.NULL.UDP.Packet.DoS


Malware Activity

Rank  Name                                Prevalence
1     Android/Agent.FJ!tr                 5,967
2     W32/Agent.AJFK!tr                   4,471
3     MSOffice/CVE_2017_11882.A!exploit   3,739
4     W32/Kryptik.GLZZ!tr                 3,629
5     W32/Agent.HTL!tr.rkit               2,419

More Hidden Cobra Hijinks! – FortiGuard Labs is aware of a new campaign called "Operation Sharpshooter," which targets global defense organizations and critical infrastructure groups and is attributed to Lazarus/Hidden Cobra. Operation Sharpshooter uses embedded shellcode, called from a malicious macro, to download a second-stage payload for further exploitation. The second-stage payload is downloaded from a remote site to %startup%mssynce.exe on the victim machine so that the second-stage implant persists. Another downloaded payload is a document that is likely a decoy to hide the malicious content. Once the decoy and second-stage payload are on the victim machine, they are executed using various commands.

The backdoor exfiltrates data about the victim endpoint to its command-and-control server: network adapter info, computer name, username, IP address information, native system information, and OS information. It sends this data to the remote server using HTTP POST. The backdoor can also execute commands, get drive information, launch processes from Windows binaries, get process information, terminate processes, get file timestamp information, read files, clear process memory, write files to disk, delete files, connect remotely via IP address, and change file attributes and folder properties.

Signatures: W32/WildPositron.A!tr, VBA/Agent.KPH!tr

Indicator(s):

Sofacy's Choice – FortiGuard Labs is aware of a new campaign by the Sofacy Group. Discovered by researchers earlier this week, this campaign leverages interest in the recent fatal Lion Air crash: a maliciously crafted Word document titled "crash list (Lion Air Boeing 737).docx" is sent to unsuspecting victims via spear phishing. Most of the documents lure victims into enabling macros, the attackers hoping that less sophisticated victims will be enticed to open the file on the strength of the file name alone. Other themes observed were Brexit-named documents and Israeli rocket attacks. The first-stage payload downloaded by these weaponized documents was the Zebrocy downloader, which, interestingly, was seen developed in multiple languages such as Delphi, C#, and VB.NET. Also observed being distributed via these documents was the Cannon backdoor, which can take screenshots, gather system information, and communicate with its C2 server by email to specific addresses over port 587 to evade detection.

Signatures: MSOffice/Agent.LBE!tr

Indicator(s):
hxxp://188[.]241[.]58[.]170/local/s3/filters[.]php 
hxxp://185[.]203[.]118[.]198/en_action_device/center_correct_customer/drivers-i7-x86[.]php 
hxxp://145[.]249[.]105[.]165/resource-store/stockroom-center-service/check[.]php 
hxxp://109[.]248[.]148[.]42/agr-enum/progress-inform/cube[.]php

Web Filtering Activity


More Cyber Monday Scams – Recently, the FortiGuard Labs Web Filtering team observed a campaign distributing Emotet in the UK with a particularly effective email lure pretending to be a Cyber Monday voucher from Amazon.co.uk. The threat actors use sender addresses and subjects that persuade or entice the user to read the email, follow the links, and download the malicious Word document at the end. The downloaded Word documents are given very convincing names such as "cyber_monday_coupon" and carry the Emotet malware. The FortiGuard Labs Web Filtering Team has blacklisted all the IOCs.

Indicator(s):
hxxp://pcgestion[.]com/En/Clients_CM_Coupons 
hxxp://mexathermal[.]co[.]uk/EN/CyberMonday2018


Source : https://fortiguard.com/resources/threat-brief/2018/12/14/fortiguard-threat-intelligence-brief-december-14-2018

Contact


ReFoMa, s.r.o.
Dolné Rudiny 1
010 01 Žilina, Slovakia

+421 41/202 88 80 – front office
+421 41/202 88 80 – sales department
Company No.: 43892345
TAX No.: 2022541378
VAT No.: SK2022541378
Bank account (IBAN):
SK13 1100 0000 0026 2582 3735