Cyber Pulse: Edition 108

Our cyber security round-up of the week:

German government loses millions of Euros in Covid-19 phishing attack

German news site Heise Online reported that the state of North Rhine-Westphalia failed to put in place a citizen verification procedure and allowed fraudsters to steal millions of euros.

It is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding. The funds were lost following a classic phishing operation. Cybercriminals created copies of an official website that the NRW Ministry of Economic Affairs had set up to distribute Covid-19 financial aid. Crooks distributed links to hundreds of sites using email phishing campaigns, lured users onto the sites, and collected their details. They then filed requests for government aid on behalf of the real users but they replaced the bank account where funds were to be wired. The scheme lasted from mid-March to April 9, when the NRW government suspended payments and took down its website.

Cisco fixes critical vulnerability in its IP Phone web server

Cisco stomped out a critical vulnerability in its IP Phone web server that could enable remote code execution by an unauthenticated attacker.

Cisco is warning of a critical flaw in the webserver of its IP phones. If exploited, the flaw could allow an unauthenticated, remote attacker to execute code with root privileges or launch a denial-of-service (DoS) attack. Proof-of-concept (PoC) exploit code has been posted on GitHub for the vulnerability (CVE-2020-3161), which ranks 9.8 out of 10 on the CVSS scale.

Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses. According to Tenable, who discovered the flaw, Cisco IP phone web servers lack proper input validation for HTTP requests. To exploit the bug, an attacker could merely send a crafted HTTP request to the /deviceconfig/setActivationCode endpoint (on the web server of the targeted device). This triggers a stack-based buffer overflow due to the lack of input validation. The end result is the attacker being able to crash the device, or even potentially execute code remotely.

However, Tenable found that the flaw could be exploited by an unauthenticated actor (previously Cisco said exploiting the flaw required authentication) and could potentially enable remote code execution as well as DoS (previously Cisco found it could only enable DoS).

Critical vulnerability announced in VMware vCentre Server

Cloud and data centre security solutions provider Guardicore made available technical information on a critical VMware vCenter Server vulnerability that can be exploited by an attacker to gain full control over the targeted VMware deployment.

VMware informed customers earlier this month that it has patched a serious vulnerability affecting vCenter Server 6.7 on Windows and virtual appliances. The flaw, related to the Directory Service (vmdir), has been described as an information disclosure issue that can be leveraged to obtain sensitive data that “could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.” VMware noted that the vulnerability, which it tracks as CVE-2020-3952, only impacts vCenter Server 6.7 installations if they were upgraded from a previous version, but not if the user directly installed version 6.7.

Few details have been made available by VMware so researchers at Guardicore have decided to analyse the patch in an effort to identify the changes made by the virtualisation giant to address the vulnerability. It’s worth noting that while the cybersecurity firm has released a detailed technical analysis of how this vulnerability can be exploited, it has not released a proof-of-concept (PoC) exploit. According to Guardicore, an attacker with network access to a vCenter Server LDAP service can create a user with full privileges on the vCenter Directory, which would give them full control over the VMware deployment. 

“This is enabled due to two critical issues in vmdir’s legacy LDAP handling code:  1) A bug in a function named VmDirLegacyAccessCheck which causes it to return ‘access granted’ when permissions checks fail;  2) A security design flaw which grants root privileges to an LDAP session with no token, under the assumption that it is an internal operation.”

VMware also informed customers this week that it has released patches for cross-site scripting (XSS) and open redirect vulnerabilities.

Google banishes 49 malicious browser extensions from its store

Google has kicked 49 malicious Chrome browser extensions, which were posing as cryptocurrency wallets to drain the contents of bona fide wallets, out of its Web Store. The extensions were discovered by researchers from MyCrypto – an open-source interface for the blockchain that helps store, send and receive cryptocurrency – and from PhishFort, which sells anti-phishing protection.

MyCrypto said that malicious browser extensions aren’t new, but the targets in this campaign are: they include the cryptocurrency wallets Ledger (57% of the bad extensions targeted this wallet, making it the most targeted of all the wallets, for whatever reason), Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

MyCrypto said essentially “the extensions are phishing for secrets,” including users’ mnemonic phrases, private keys and keystore files, which are security files used for things like identifying app developers or in SSL encryption. Once a user entered those secrets, the malicious extensions sent an HTTP POST request to the backend, which is where the bad actors got their hands on the secrets and used them to vacuum out wallets.

MyCrypt identified 14 unique command-and-control servers (C2s) receiving data from compromised systems. After running fingerprinting analysis on the servers, the researchers found that some of them were linked. That means they likely had common bad actors pulling multiple servers’ levers. While some of them sent the phished data back to a GoogleDocs form, most hosted their own backend with custom PHP scripts.

The best advice:

• Install as few extensions as possible and, despite the above, only from official web stores.
• Check the reviews and feedback from others who’ve installed the extension.
• Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
• Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.

US government post $5 million for knowledge on North Korean hackers

Know anything about North Korean hackers and their activities in cyberspace, past or ongoing? The FBI and the US Departments of State, Treasury, and Homeland Security (DHS) put out an advisory about the persistent threat from cybercriminals sponsored by the Democratic People’s Republic of Korea (DPRK).

The advisory was based on a report, prepared for the United Nations Security Council last year, which claimed that North Korea has launched increasingly sophisticated cyberattacks targeting the financial industry, including banks and cryptocurrency exchanges. The UN Security Council’s 2019 mid-term report stated that dozens of suspected DPRK cyber-enabled heists were being investigated at the time.

It further stated that the attacks had attempted to pull off about $2 billion in cyber heists. The US didn’t divulge how much of that money the cybercriminals actually got away with, though it did say that whatever money Pyongyang got its hands on has been used to develop weapons of mass destruction. It’s got the talent to pull off those attacks and far more.

In the advisory posted to US-CERT on Wednesday, the US said that the DPRK has a fully staffed set of state-sponsored cyber actors, including hackers, cryptologists and software developers who conduct espionage, and those who run politically motivated operations against foreign media companies. North Korean cyber actors are allegedly behind extortion campaigns, including both ransomware and mobster-like protection rackets. In the report’s list of big, dreaded, infamous cyberattacks attributed to North Korea, is one such devastating ransomware: WannaCry.

Linksys DNS routers hacked

Linksys asks users to reset their smart Wi-Fi passwords after DNS routers were hacked. Linksys told its customers to reset their passwords when they log in and see a confusing message about “The COVID-19 Malware ". Linksys, a router developing firm asked its users to reset passwords to their smart wifi accounts after some of the accounts were hacked and illegally accessed to direct users to a COVID-19 themed malware.

The reset took place after all accounts were locked in order to prevent further hacking. The hackers changed the home routers' DNS server settings and prevented users from accessing various domains. The global PR veep of Linksys's parent firm, Belkin, told The Register that "the original illicit access to customer routers through their cloud-hosted Smart Wi-Fi accounts was a successful credential-stuffing attempt using login details harvested from previous breaches elsewhere."

On the Linksys QA page about the data breach, Linksys elaborated a little: "If you downloaded a 'COVID-19 Inform App', your network is infected. You need to get rid of this as soon as possible to prevent further impacts to your network."

Android backdoor that survives a factory reset

In February, a researcher detailed a widely circulating Android backdoor that’s so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The malicious Android app poses as a performance enhancer that removes old and unneeded files. Antivirus provider Malwarebytes has detected it on 33,000 devices, mainly located in the United States, while AV from Russia-based Kaspersky Lab found it on 50,000 devices. There's no evidence xHelper has ever been distributed through Google Play.

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights. Besides that, the backdoor has access to sensitive data, including browser cookies used to sign in to sites automatically. Once the backdoor is installed, the fake cleaner app disappears from the main screen and program menu and can only be viewed by inspecting the list of installed apps in the system settings.

Kaspersky Labs published a post that filled in some of the gaps. The reinfections, he said, were the result of files that were downloaded and installed by a notorious trojan known as Triada, which ran once the xHelper app was installed. “Devices that are attacked by this malware could lack OS security fixes and stay vulnerable for rooting and installing this kind of malware. Moreover, it’s very hard for users to remove this malware once it is installed. This means the user base of xHelper can rapidly grow and xHelper can stay active on attacked devices for a long time.”

You can disinfect devices by using their recovery mode, when available, to replace the infected libc.so file with the legitimate one included with the original firmware. Users can then either remove all malware from the system partition or, simpler still, re-flash the device.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.