Novinky

FortiGuard Labs researchers recently discovered a Cross-Site Scripting vulnerability in Magento that could allow a remote attacker to execute arbitrary code on a victim's browser, granting them access to sensitive data, or take control of the vulnerable website. This XSS vulnerability affects Magento Commerce 2.1 prior to 2.1.16 and Magento Commerce 2.2 prior to 2.2.7. Magento is the second largest e-commerce platform in the world so impact due to exploitation could be severe. For deeper dive into this vulnerability read: Magento Commerce Widget Form (CORE) XSS Vulnerability

January Patch Tuesday - Microsoft is starting off 2019 by releasing 49 patches and two advisories. 7 of the fixes are rated critical severity as they could allow a remote attacker to execute commands on a vulnerable computer and take full control. It is advised to make these patches a priority. For more details read the Microsoft Security Update Guide. FortiGuard Labs researcher, Honggang Ren, discovered one of the vulnerabilities patched this month: CVE-2019-0538, a remote code execution vulnerability that exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. 

More importantly is the out-of-band patch Microsoft released in mid-December. CVE-2018-8653 is a remote code vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This could mean potential access to administrative user rights where the attacker could exploit the vulnerability and take full control of the affected system. Or in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through IE and then convince the user to view the website, possibly by utilizing a phishing email. This vulnerability affects all versions of IE including Windows 7, Windows 10, Windows Server 2008 (with IE9), Windows Server 2012 (IE10), Windows Server 2016, and windows Server 2019. This vulnerability is being exploited in the wild. You are strongly encouraged to apply the patch for this vulnerability as your # 1 priority.

And not to be outdone, Adobe started off 2019 with an unscheduled update for Adobe Acrobat and Reader. The update, released on January 3rd, fixes two critical CVEs (CVE-2018-16011, CVE-2018-16018) that were both reported through the Zero Day Initiative program. Adobe also updated Adobe Flash, Connect, and Adobe Digital Editions in their regular January release.

Application Vulnerabilities / IPS

Java.Management.Extensions.Insecure.Remote.Access -- Java Management Extension is used extensively in various technology products such as Cassandra/Apache, HP OpenView, IBM Director, Zabbix, and SolarWinds. The technology allows for management and monitoring of applications, devices, and system objects, which are represented as what is called MBeans (Managed Beans), which are resources running in the Java virtual machine, and can be used to perform a variety of tasks such as collecting statistics like resource usage and/or getting or setting application parameters on the fly.

The Java Virtual Machine uses MBeans to expose specific details of the configuration and functionality of the system where it runs, allowing for external agents to peek and set configurations remotely. The JMX was found to be exposing a service with insecure configurations, which would gladly accept the loading of classes from a remote system. These configurations (com.sun.management.jmxremote.authenticate=false) and (javax.management.loading.MLet=true), if enabled, the JMX process becomes insecure. An attacker then is able to create a javax.management.loading.MLet8 MBeans and is able to create new MBeans from an arbitrary URL. Ultimately, this allows an attacker to remotely execute arbitrary code upon a target system. There is exploit code available on popular websites as well as scripts integrated into popular exploitation frameworks at the time of this writing. We have observed increased activity for this specific signature where it currently sits at the top 10 of our telemetry charts.

Signatures: Java.Management.Extensions.Insecure.Remote.Access

Drupal.Symfony.HTTP.request.header.Security.Bypass -- Symfony is a popular PHP framework that is used to create web applications and websites. It has a very active community of users and developers. Its webpage cites more than 48 million downloads and more than 3,000 contributors and is used in Drupal and Zend Framework.

Back in August 2018, researchers discovered that Symfony had support for a legacy IIS header that allowed users to override the path requested on the HTTP URL request via the X-Original-URL or X-Rewrite-URL, which had the effect of a user requesting a certain URL (as specified on the GET/POST parameter) and have Symfony return a different one, which could bypass access restrictions set by the system administrator. The fix was to drop support for these legacy features, as was included in versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. We have observed increased activity for this signature, which now ranks within our top 50 with and increased rate of hits seen to date.

Signatures: Drupal.Symfony.HTTP.request.header.Security.Bypass

Malware Activity

Getting Crabby! -- FortiGuard Labs is aware of a new malvertising campaign utilizing the Vidar infostealer and GandCrab. This latest distribution mechanism highlights the bad actor's ulterior motive, which is to make money at all costs. While malvertising campaigns aren't new and their use of exploit kits is known, it is more common to see an exploit kit dropping malware on the victim machine, whether it is ransomware or a Trojan, to make it part of a botnet. As ransomware appears to be an easier way to make money fast for attackers (versus finding someone specifically interested in leasing a botnet for DDoS attacks), this has been a more lucrative endeavor.

This malvertising campaign utilizes the Fallout exploit kit, which then drops the Vidar infostealer, which is capable of stealing anything from details about the victim machine (IP address, geolocation information) to credit card data and various cryptocurrency wallets. Vidar also has the capability to download files. Once the attacker has deemed the victim machine to be no longer useful, and to add insult to injury by making a bad infection already worse, the last step in this infection chain is the download of the GandCrab ransomware, where it will present the usual GandCrab wallpaper notification along with the encryption of various targeted file extensions.

Signatures: W32/GenKryptik.CVJJ!tr, W32/Vidar.BE!tr.pws

Indicator(s):
kolobkoproms[.]ug
ovz1[.]fl1nt1kk[.]10301[.]vps[.]myjino[.]ru

Relationships with ChinaZ Lurking in Honeypots -- FortiGuard Labs is aware that recent activity of ChinaZ, a prolific threat actor, reveals relations to other known threats in China. This was first discovered by researchers in honeypots and documented earlier this week. ChinaZ is a well-known APT group that has been active since 2014. The most common strategy used by ChinaZ is DDoS botnets distributed to both Windows and Linux systems. The servers linked to ChinaZ seem to be using Chinese HTTP File Server (HFS) and are well maintained. The data in the honeypot showed a series of steps made by a ChinaZ botnet on a Linux system:

1. Various attempts to change file permissions with chmod command,
2. Attempted execution of the same file, or
3. Attempted execution of the same file as a background process, and
4. If not successful after several attempts, will move file to the /tmp directory.

The new discovery that was made now shows correlations of ChinaZ to other threat actors:

Nitol Botnet (Active since 2010): ChinaZ appears to be using a hijacked lpk.dll file that shows striking similarity to the one distributed by Nitol.

MrBlack Botnet (Active since 2015): ChinaZ appears to be reusing the code of the MrBlack botnet.

Tiger APT (Active since 2010): Gh0st RAT variant used by both groups share similarities inclusive of the same RC4 encryption key and code body.

Although these discoveries cannot conclude these threat actors are affiliated, it does draw attention to the ties between threat groups and the potential of APTs leveraging existing tools in their campaigns.

Signatures: W32/Parite.C, W32/ServStart.MK!tr, Linux/ChinaZ.F!dos, Linux/Znaich.A!dos, ELF/Ganiw.A!tr, W32/Agent.QRW!tr, Linux/ChinaZ.BO!dos, W32/Packed.2D18!tr

Indicator(s):
hxxp://ak-74[.]top

Web Filtering Activity

Spyware: Disguised Android Apps in Google Play Store -- FortiGuard Labs Web Filtering Team has observed MobSTSPY passing off as legitimate android applications on the Google Play Store. Earlier this week, researchers found Android applications in the Play Store that were covertly gathering information from users. Applications such as Flashlight, Win7imulator, and Win7Launcher were suspended by Google Play in early 2018. Yet some of these applications are still available on the Google Play Store and have recorded over 100,000 downloads by users globally.

MobSTSPY shows code that can steal user information such as location, SMS conversations, call logs, and clipboard items. It appears to use Firebase Cloud Messaging (FCM) to send information to the server. After confirming network availability, the app will receive configurations from a C2 server and then send some device details to the server. Once the C2 server is notified, these malicious apps may continue to collect credentials, call logs, contacts, and photos to upload to the C2 server. Apart from stealing private information from a user, MobSTSPY can also display fake Facebook and Google pop-ups to phish for the user's account details. FortiGuard Labs Web Filtering Team has blacklisted all the associated IOCs.

Indicator(s):
hxxp://www[.]mobistartapp[.]com
hxxp://www[.]coderoute[.]ma
hxxp://www[.]hizaxytv[.]com
hxxp://www[.]seepano[.]com