Chinese Iron Tiger APT is back, a close look at the Operation PZChao
3.2.2018 securityaffairs APT
Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.
Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.
The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.
“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”
It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).
The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.
The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.
The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.
Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “220.127.116.11” in South Korea and hosts the “down.pzchao.com”.
Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.
The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.
The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.
But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.
The most important component in the arsenal of the attacker remains the powerful Gh0sT RAT malware that allows controlling every aspect of the infected system.
“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,” concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”
Does The U.S. Need a National Cybersecurity Safety Board?
2.2.2018 securityweek BigBrothers
It is time, suggest two academics from Indiana University-Bloomington, for Congress to establish a National Cybersecurity Safety Board (NCSB) as an analogue of the National Transportation Safety Board (NTSB), to improve the level of cybersecurity in the U.S.
The argument is that the NTSB helped to improve the safety of air travel while still stimulating growth and innovation in the industry. "Today," they say in a paper published this week, "air travel is widely regarded as among the safest forms of mass transportation. Can the same feat be replicated in cyberspace?"
Scott J. Shackelford JD, PhD, and Austin E. Brady argue, in their paper "Is it Time for a National Cybersecurity Safety Board? Examining the Policy Implications and Political Pushback' that it is both time, and possible (although not immediately probable). "A NCSB is politically unlikely in the near term, but we believe that the creation of such a body is overdue... All that is needed is the political will to act, the desire to experiment with new models of cybersecurity governance, and the recognition that we should learn from history."
The paper argues that there have been many propositions for strengthening U.S. cybersecurity, "from federally sponsored cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive cybersecurity measures." The former would allow the insurer to impose cybersecurity conditions, while the latter would allow 'active defense' or even the right to 'hack back' . Across most of these proposals, it suggests, "are more robust data breach investigation requirements."
This connection is not clearly established in the paper, although it precisely aligns with the transportation functions of the NTSB. The argument is that we can better prevent future cybersecurity breaches by more fully understanding past breaches, and that this process needs to be established by government.
There is an alternative model for improving cybersecurity that is not mentioned in this paper: an American Cybersecurity Association (ACA) that uses the American Medical Association (AMA) as the model. This argument argues that professionalizing the cybersecurity workforce in the same way that the AMA professionalized the medical profession would raise the standard and quality of organizations' cybersecurity.
The ACA approach has been described by Martin Zinaich, Information Security Officer at the City of Tampa, FL. In his paper, 'What does Information Security have in common with Eastern Air Lines Flight 401?', he argues, "The AMA accelerated the professionalization of medicine and the establishment of minimum standards in medical training, education and apprenticeship requirements to gain entry to the profession. The same could and should be done in the Information Security field with a similar cybersecurity national body and professional associations."
The difference between the two approaches is that one imposes regulations from outside of the profession, while the other generates standards from within the profession. Both, however, suffer from inertia, and Shackelford and Brady argue that Congress should force the issue by establishing a national safety board.
"Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams (CERTs), and aide in effective policy making at both the state and federal level given the lack of hard, verifiable data on the scope and scale of cyber attacks. The creation of a NCSB could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI. Along with the ISACs, this would be a boon to academics needing reliable data to undertake scholarly analysis, as well as national security organizations, and U.S. strategic partners around the world."
Interestingly, the authors spend some time looking at the European cybersecurity model depicted by the General Data Protection Regulation (GDPR) and the Network Information Systems Directive (NISD) both coming into force in May 2018. "Although neither the GDPR nor the NIS Directive includes a version of a regional Cybersecurity Safety Board, the elements it does include moves the EU in this direction, which could make an analogous U.S. body that much more effective," they write. "Such developments would be an important step on the long journey to a positive and sustainable cyber peace."
However, GDPR is far removed from any form of a national cybersecurity safety board. The authors say, "it centralizes data protection authority in the EU into a single regulatory body, as compared with the EU Data Privacy Directive’s (DPD) utilization of national data protection authorities for each Member State." This isn't strictly true -- each member state will retain its own regulatory body, and there are many areas within the regulation where national transposition has a degree of flexibility over implementation and interpretation. While GDPR is a unifying force, its application will still vary slightly between different member states.
Such minor differences are likely to be exacerbated by the concept of national security -- which again varies between different member states. "The extent of some of these obligations, however, is still unclear, as States may see cyber threats as falling in the realm of national security, and therefore outside the scope of this strata of EU governance," note the authors.
The interplay between national security and cybersecurity is not discussed within this paper; and yet it is fundamental to the way in which any overarching regulation -- whether the EU's GDPR or a proposed U.S. NCSB -- can actually operate. In the name of national security there will always be areas where intelligence agencies, and politicians, will seek to keep the true nature of events secret. There is likely to be considerable pushback from the intelligence agencies against any national body that has the independence of the NTSB, and the independence proposed for an NCSB.
How, for example, could an NCSB handle an investigation into a breach such as the Belgacom telco hack that was revealed in 2013? According to leaked documents (Snowden) it was undertaken by GCHQ using the NSA's 'quantum insertion' technology.
Martin Zinaich certainly has his concerns over an NCSB. "I support anything that might solidify a structuring of Information Security into a normalized business risk profile," he told SecurityWeek. "However, it seems to me a National Cybersecurity Safety Board might not be the best place to start. I also do not think a NCSB could be agile enough to keep pace.
"If there is one area where Cyber Security professionals excel," he continued, "it is in the identification of cyber-attacks and breaches. Too often, the cause is not a mystery where an investigative body would expose an unknown risk that could then be shared to make the industry safer (as does the current NTSB). No, too often the cause is well-known and age old. Take the 2017 Equifax breach. The vector was an Apache Struts vulnerability that had already been patched but the patch was not applied (and there are a lot of non-technical reasons why that can be so)."
Zinaich retains his belief that the best way to improve cybersecurity is by professionalizing the practitioners. "The issue is the integration of Information Security into the business at a level where it has an impact -- be the business a manufacturer of IoT devices or a credit lending institution. I still hold that professionalizing this field is the place to start, but I predict legislation will come first."
While there are strong arguments, as outlined in this paper, for the formation of a National Cybersecurity Safety Board, it is probably not achievable in the current geopolitical climate. Similarly, while there are strong arguments in favor of an American Cybersecurity Association, existing practitioners are generally too busy firefighting cybersecurity incidents to get it started.
The greater likelihood is that the current tendency for government to impose regulations to improve cybersecurity will probably just continue and gather pace.
Web Server Used in 100 ICS Products Affected by Critical Flaw
2.2.2018 securityweek ICS
A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.
The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.
According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.
Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.
“A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,” 3S-Smart Software Solutions explained in an advisory.
The vendor says that while there is no evidence that the flaw has been exploited in the wild, even an attacker with low skill may be able to exploit it remotely.
Related: Learn More at SecurityWeek’s ICS Cyber Security Conference
The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 18.104.22.168 are affected. Version 22.214.171.124, which is also part of the CODESYS 126.96.36.199 setup, patches the vulnerability.
While 3S-Smart Software Solutions says it has not identified any workarounds for this security hole, the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs. The company has also published a white paper with general recommendations on security in industrial control applications.
Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity startup CyberX uncovered several critical flaws in the CODESYS web server. More recently, SEC Consult reported that a CODESYS component flaw exposed PLCs from WAGO and possibly other vendors to attacks.
Shodan has been crawling port 2455, which is specific to the CODESYS protocol, since 2014. The search engine currently shows more than 5,600 systems reachable via this port, with a majority in the United States, Germany, Turkey, China and France.
New Botnet Is Recruiting IoT Devices
2.2.2018 securityweek BotNet
A new botnet is recruiting Internet of Things (IoT) devices by exploiting two vulnerabilities already popular among IoT botnets, Radware has discovered.
Dubbed JenX, the threat is abusing the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP Command Execution) and CVE-2017–17215 (Huawei Router HG532 – Arbitrary Command Execution) vulnerabilities. Both of these security issues were previously abused by the Mirai variant Satori.
The new threat also uses techniques associated with the recently detailed PureMasuta variant of Mirai, which recently had its source code published on an invite-only dark forum.
The botnet’s command and control (C&C) server also provides gaming mod servers and distributed denial of service (DDoS) services, Radware's researchers discovered.
The DDoS feature includes attack vectors such as Valve Source Engine Query and 32bytes floods, TS3 scripts, and a Down OVH option (likely a reference the Mirai attack on a cloud hosting provider OVH in September 2016). The miscreants guarantee attack volumes of 290-300Gbps, supposedly leveraging the power of the new botnet.
JenX uses servers to perform the scanning and exploit operations, unlike previously observed IoT botnets such as Mirai, Hajime, Persirai, Reaper, Satori, and Masuta, which leverage infected systems for scanning and exploiting (which also fuels an exponential growth of the botnet).
Because it does not include scanning and exploit payloads, JenX’ code is unsophisticated and lighter on the delivery, Radware says. With centralized scan and exploit functionality, the operators also have increased flexibility to expand and improve the functionality without impacting the size of the bot.
Because there are fewer nodes scanning and exploiting, the botnet is less noisy and can better avoid being detected by honeypots. This also makes it more difficult to estimate the botnet’s size, without accessing the C&C server, the security researchers say. On top of that, the botnet only impacts the victim’s network connection when instructed to perform an attack.
“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” Radware notes.
The malware is protected with anti-debugging detection and its binary forks three processes obfuscated in the process table much like Mirai. All processes listen to a port bound to localhost while one opens a TCP socket to the C&C at 188.8.131.52 on port 127. The bot uses XOR obfuscation with the exact same key used in PureMasuta.
When executed, the malware connects to the C&C server located by the hostname ‘skids.sancalvicie.com’ using the TCP session (the domain is registered to Calvos S.L.). The server supposedly provides a command line interface.
The code has indicators of a Valve Source Engine Query attack payload, likely because of the GTA San Andreas multiplayer servers on the domain. The attack vector was included in the original Mirai code that went public in October 2016, and Radware believes the botnet is being built by the San Calvicie hacker group and served through their Clearnet website.
“Unless you frequently play GTA San Andreas, you will probably not be directly impacted. The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet! But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month,” Radware’s Pascal Geenens note.
Two providers informed on the issue have already taken down the exploit servers hosted in their datacenters, but some servers remain active and the botnet is still operational, Geenens says. However, should the attackers decide to move their exploit servers to the darknet, the botnet’s takedown would be much more difficult, as was the case with BrickerBot.
“JenX, in particular, can be easily concealed and hardened against takedowns. As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones. These providers do not care about abuse,” Geenens says.
Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu
2.2.2018 securityaffairs ICS
Researcher discovered a critical vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product currently used in 116 PLCs and HMIs from many vendors,
Security researcher Zhu WenZhe from Istury IOT discovered a critical stack-based buffer overflow vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product that allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.
The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8, and the worst news is that it is quite easy to exploit.
The WebVisu product is currently used in 116 PLCs and HMIs from many vendors, including Schneider Electric, Hitachi, Advantech, Berghof Automation, Hans Turck, and NEXCOM.
An attacker can remotely trigger the flaw to cause a denial-of-service (DoS) condition and under some conditions execute arbitrary code on the web server.
“A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server. ” reads the security advisory issued by CODESYS.
According to CODESYS, there is no evidence that the flaw has been exploited in the wild.
The flaw affects all Microsoft Windows (also WinCE) based CODESYS V2.3 web servers running stand-alone or as part of the CODESYS runtime system prior version V184.108.40.206.
The company has released the CODESYS web server V.220.127.116.11 for CODESYS V2.3 to
address the flaw. This is also part of the CODESYS setup V18.104.22.168.
The vendor also recommends organizations to restrict access to controllers, use firewalls to control the accesses and VPNs.
In December 2017, security researchers at SEC Consult discovered a flaw in version 22.214.171.124 of the CODESYS runtime which is included on PFC200s with firmware version 02.07.07. The CODESYS runtime is commonly included on PLCs to allow for easy programming by users. 17 models of WAGO PFC200 Series PLC were found vulnerable to remote exploit.
A PLC flaw can be a serious threat to production and critical infrastructure
Back to the present, querying the Shodan search engine for port 2455 used by CODESYS protocol we can find more than 5,600 systems are exposed online, most of them in the United States, Germany, Turkey, and China.
DDG, the second largest mining botnet targets Redis and OrientDB servers
2.2.2018 securityaffairs BotNet
Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.
A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.
According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.
“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.
The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.
Yesterday I wrote about the greatest mining botnet called Smominru that has infected over 526,000 Windows machines, its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).
The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.
Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.
The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:
Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp: //126.96.36.199:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.
The following image shows the DDG Mining Botnet attack process:
The researchers conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections is in China (73%), followed by the United States (11%), the botnet is mainly composed of compromised Redis databases (88%).
Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).
“The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all tractions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.
Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.
It's Time For Machine Learning to Prove Its Own Hype
2.2.2018 securityweek IT
Machine Learning is a Black Box that is Poorly Understood
2017 was the year in which 'machine learning' became the new buzzword -- almost to the extent that no new product could be deemed new if it didn't include machine learning.
Although the technology has been used in cybersecurity for a decade or more, machine learning is now touted as the solution rather than part of the solution.
But doubts have emerged. Machine learning is a black box that is poorly understood; and security practitioners like to know exactly what it is they are buying and using.
The problem, according to Hyrum Anderson, technical director of data science at Endgame (a vendor that employs machine learning in its own endpoint protection product), is that users don't know how it works and therefore cannot properly evaluate it. To make matters worse, machine learning vendors do not really understand what their own products do -- or at least, how they come to the conclusions they reach -- and therefore cannot explain the product to the satisfaction of many security professionals.
The result, Anderson suggests in a blog post this week, is "growing veiled skepticism, caveated celebration, and muted enthusiasm."
It's not that machine learning doesn't work -- it clearly does. But nobody really understands how it reaches its decisions.
Anderson quotes Ali Rahimi. "He compared some trends, particularly in deep learning, to the medieval practice of Alchemy. 'Alchemy ‘worked’,' Ali admitted. 'Alchemists invented metallurgy, ways to dye textiles, our modern glass-making processes, and medications. Then again, Alchemists also believed they could cure diseases with leeches, and turn base metals into gold'."
"If the physicist’s mantra is Feynman’s 'What I cannot create, I do not understand'," he continues, "then the infosec data scientist should adopt, 'What cannot be understood, should be deployed with care.' Implied, but not spoken, is 'if at all'.
This problem of not understanding how a conclusion is reached could become much worse if a possible interpretation of Article 22 of the EU's General Data Protection Regulation (GDPR) is enforced to its full potential. This states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
This should not directly affect machine-learning malware detection because data subjects are not directly involved, but could have implications for other applications used by both IT and security departments.
GDPR's Recital 71 clarifies the requirement. It adds, "In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision."
Right now, suggests Anderson, this would be largely impossible. "The point is that although some models may reach impressive predictive performance, it may not be clear what information in the data directly determine the decisions. Ironically, machine learning is such that even with full access to the source code and data, it may still be very difficult to determine 'why' a model made a particular decision."
A partial solution for infosec practitioners would come from the increased involvement of the machine learning industry with third party testing. This would at least enable the practitioners to understand how effective the algorithms are, even if not how they work. Although some machine-learning, so-called next-gen, endpoint protection vendors have been slow and reluctant to embrace third-party testing, Endgame is not one of them.
"Fortunately," writes Anderson, "there are technique-agnostic methods to compare solutions. We have previously argued that AV can be compared apples-to-apples to ML by comparing both false positive and true positive rates, for example, whereas 'accuracy' is wholly inadequate and may hide all manner of sins... In the endpoint security space, vendors are beginning to offer holistic breach tests rather than AV-only tests, which help customers value a broader protection landscape."
But ultimately, it is the lack of visibility into the working of machine learning and AI algorithms that must change. "My call for 2018," says Anderson, "is to continue to address what is still particularly needed in ML infosec research: more cross-pollination between academia and industry, more open community engagement from security vendors, and more open datasets for reproducible research. By doing this, we’ll continue to move ML in infosec from the dark arts of Alchemy to rigorous Science."
Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under current CEO Nate Fick's leadership, it has grown its commercial offering using more than $100 million in funding, including a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.
Crypto-Mining Botnet Ensnares 500,000 Windows Machines
2.2.2018 securityweek BotNet
Focused on mining Monero crypto-currency, a new botnet has managed to ensnare over half a million machines to date, Proofpoint reports.
Dubbed Smominru, the botnet managed to infect over 526,000 Windows hosts to date, most of which are believed to be servers. After conducting a sinkholing operation, the security researchers discovered that the infected machines are distributed worldwide, with the highest numbers in Russia, India, and Taiwan.
The Monero miner, which is also known as Ismo, has been observed since the end of May 2017 spreading via EternalBlue, the National Security Agency-linked exploit that targets a vulnerability (CVE-2017-0144) in Windows’ Server Message Block (SMB) on port 445. The exploit was previously used in other global attacks, including WannaCry and NotPetya.
The miner itself has been detailed numerous times before, and was associated with various attacks, including those perpetrated by an established Chinese crime group (Hex Men).
What makes it stand out in the crowd is the use of Windows Management Infrastructure for infection, a method recently noticed in the WannaMine crypto-mining worm too (which also uses EternalBlue to spread).
The hash power associated with the Monero payment address for Smominru reveals that the botnet was likely twice the size of Adylkuzz, the first crypto-mining botnet to abuse EternalBlue. According to Proofpoint, Smominru’s operators already mined around 8,900 Monero (between $2.8 million and $3.6 million), at a rate of around 24 Monero per day.
In a recent report diving into the huge financial gains crypto-miner operators register, Talos revealed that an adversary controlling 1,000 systems would make around $90,000 per year. The security firm also says it “has observed botnets consisting of millions of infected systems,” which “could be leveraged to generate more than $100 million per year theoretically.”
While investigating Smominru, Proofpoint discovered that at least 25 of the hosts were attempting to infect new machines via EternalBlue (the hosts are placed behind the network autonomous system AS63199).
Last week, NetLab 360 security researchers published a post on what they call the MyKings botnet, which appears to be none other than Smominru, based on the used Monero address. NetLab revealed that the mining operation was performed by a sub-botnet, while another was focused on scanning and spreading, capable of mobilizing over 2400 host IP addresses.
According to Proofpoint, some of the distribution attacks are likely performed using MySQL, while others supposedly leverage the NSA-linked exploit EsteemAudit (CVE-2017-0176).
Both NetLab and Proofpoint findings fall in line with GuardiCore’s report on the Hex Men, a group using three malware families, namely Hex, Hanako and Taylor, each targeting different SQL servers with its own goals, scale and target services.
The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, Proofpoint’s security researchers have discovered. The company was informed on the issue.
MineXMR was also contacted regarding the Monero address associated with Smominru, and the mining pool banned the address. This prompted the botnet operators to register new domains and mining to a new address on the same pool. This switch apparently resulted in the operators losing control over one third of the bots.
“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” Proofpoint notes.
The use of standalone coin miners and coin mining modules in existing malware has proliferated rapidly over the past year, fueled by the surge in value crypto-coins such as Bitcoin and Monero have registered. With Bitcoin resource-intensive to mine outside of dedicated mining farms, Monero has registered massive interest from cybercriminals.
Smominru’s operators have likely registered significant profits from their operation and the resilience of the botnet and its infrastructure suggest that the activities will continue, the researchers say. The potential impacts on infected nodes will continue as well, and other botnets featuring similar purpose and methods might emerge as well, the researchers say.
“We repeatedly see threat actors ‘follow the money’ - over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives,” Kevin Epstein, VP Threat Operations, Proofpoint, said in an emailed comment.
“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe. Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching,” Epstein concluded.
The Price of Cybercrime: 9 Years in One Case, 6 Months in Another
2.2.2018 securityweek Crime
Travon Williams, 33, was sentenced by the District Court for the Eastern District of Virginia to 9 years in jail for his role in a credit card fraud and identity theft scheme.
For more than two years, Williams led a gang that purchased thousands of stolen credit and debit card numbers from the dark web. The numbers were then encoded onto fraudulent cards and used to purchase merchandise such as gift cards and cigarette cartons. The cigarettes were sold on to buyers from New York City, who drove down to Northern Virginia to transport the cigarettes.
Williams is one of 12 defendants arrested in August 2017. He obtained $415,000 in proceeds from his crimes.
All 12 defendants have pleaded guilty for their roles in the scheme. Williams is the sixth to have been sentenced. The remaining six are due to be sentenced in February and March.
One day earlier, Thursday, Jan. 25, the DOJ announced that Jonathan Powell had been sentenced to six months in jail, 2 years supervised release and a restitution payment of $278,855 for computer fraud. He had obtained access to more than 1,000 email accounts from a New York City university in order to download sexually explicit photos and videos.
Powell had earlier pleaded guilty to the charge on August 9, 2017 in Manhattan federal court.
"Jonathan Powell used his computer skills to breach the security of a university to gain access to their students’ personal accounts," said U.S. Attorney Geoffrey S. Berman. "Once Powell had access, he searched the accounts for compromising photos and videos."
Specifically, he used the password reset utility to change email account passwords. He then used control over the email accounts to request password resets for the victims' online accounts such as iCloud, Facebook, Google, LinkedIn and Yahoo. "POWELL then logged into the Linked Accounts and searched within the Linked Accounts, gaining access to private and confidential content stored in the Linked Accounts," reports the DOJ announcement. "In one instance, POWELL searched a University-1 student’s linked Gmail account for digital photographs and for various lewd terms."
Subsequent analysis of logs showed that Powell had accessed the password reset utility approximately 18,640 times between October 2015 and September 2016, attempting 18,600 password changes in connection with more than 2000 unique email accounts -- succeeding in making 1378 changes to 1035 unique accounts.
After his arrest, he admitted to compromising email accounts at other educational institutions in Arizona, Florida, Ohio and Texas.
Researchers discovered several zero-day flaws in ManageEngine products
2.2.2018 securityaffairs Vulnerebility
Security experts at Digital Defense have discovered several vulnerabilities in the products of the Zoho-owned ManageEngine.
The list of vulnerabilities discovered includes a flaw that could be exploited by an attacker to take complete control over the vulnerable application.
The flaws affect ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.
ManageEngine has more than 40,000 customers worldwide and provides complete solutions for IT management.
Researchers also discovered several blind SQL injection vulnerabilities that could be triggered by an unauthenticated attacker to take complete control of an application.
These ManageEngine products are also affected by an enumeration flaw that can be exploited to access user personal data, including usernames, phone numbers, and email addresses.
“[Digital Defense] announced that its Vulnerability Research Team (VRT) uncovered multiple, previously undisclosed vulnerabilities within several ManageEngine products, allowing unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.” reads the press release issued by the company.
“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”
ManageEngine promptly released security updates to address the vulnerabilities discovered by researchers at Digital Defense report.