Cyber Pulse: Edition 115 | 8 June 2020

Here is our cyber security round-up of the week:

SMBGhost/CoronaBlue – Windows 10 exploits emerge

Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1). More refined versions of the exploit are expected to emerge, especially since at least two cybersecurity companies created exploits for the vulnerability and have been holding back the release since April.

Known by various names (SMBGhost, CoronaBlue, NexternalBlue, BluesDay), the security flaw can be leveraged by an unauthenticated attacker to spread malware from one vulnerable system to another without user interaction. Microsoft patched it in March, warning that exploitation is “more likely” on both older and newer software releases and that it is as critical as can be: maximum severity score of 10.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has just confirmed that it is aware of "publicly available and functional" proof of concept (PoC) exploit code. All an attacker would need to do to exploit it is send a specially crafted packet to a targeted SMBv3 server. The result would be similar to the WannaCry and NotPetya attacks from 2017, which used the EternalBlue exploit for SMB v1.

After the vulnerability leaked in March, security researchers started to find a way to exploit SMBGhost but the results were limited to local privilege escalation (LPE) and denial of service (blue screen). Cybercriminals have been leveraging the vulnerability to escalate local privileges and deliver malware pieces (1, 2) such as the Ave Maria remote-access trojan, with keylogging and info-stealing capabilities. While LPE can help attackers in a post-compromise stage, remote code execution (RCE) would get them in and around, making it game over for vulnerable systems.

From an attacker’s standpoint, though, the code does not have to be 100% reliable. A crash is nothing but a longer wait for the next attempt as Windows typically reboots after the memory dump finishes. If the code simply fails, nothing is stopping the attacker from trying until they achieve the desired effect. When targeting a vulnerable machine, the bad guys just need to be patient and insist until the code works.

Fraud-detection scripts on eBay and other popular websites raise privacy concerns

The eBay website was found to be running port scans against visitors' computers. A researcher found that the site runs a script that uses WebSockets to scan for a number of ports known to be used by remote administration tools, including VNC, RDP, and Ammy Admin. These are legitimate tools, but they're commonly abused by malware to control compromised systems.

The script apparently belongs to ThreatMetrix, an online fraud detection platform owned by LexisNexis, and its purpose is presumably to flag potentially illegitimate users. While eBay's desire to prevent fraud is understandable, most observers seem to agree that scanning a user's local machine without their knowledge is a violation of privacy. Port-scanning is an adversarial technique frequently used by penetration testers and hackers to scan internet-facing machines and determine what applications or services are listening on the network, usually so that specific attacks can be carried out.

It's common for security software to detect active port scans and flag it as potential abuse. Most home routers don't have any open ports, so scanning an internet user's IP address is unlikely to return any meaningful data. However, many users run software on their computer that listens on ports for various reasons – online gaming, media sharing, and remote connections are just a few things that consumers might install on a home PC. A port scan can give a website information about what software you are running. Many ports have a well-defined set of services that use them, so a list of open ports gives a pretty good view of running applications. eBay responded saying it is "committed to creating an experience on our sites and services that is safe, secure and trustworthy" but the company didn't comment on privacy or security concerns.

Researchers at DomainTools were able to identify several hundred additional sites that appear to be using the ThreatMetrix script. These include websites belonging to Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, and Equifax. Some of the sites perform a port scan immediately, while others only port scan users when they attempt to log in or check out. Should you be concerned, it is possible to install extensions that attempt to block this kind of phenomenon in your browser, generally by preventing these types of scripts from loading in the first place.

Maze seeks to form a ransomware cartel

Researchers have released a report that states attackers using the Maze ransomware have stolen sensitive information from Westech International, a US defence contractor that provides engineering and maintenance support for the Minuteman III ICBM. Westech reports its systems have been encrypted and the company is still trying to determine which data have been stolen.

The attackers have already published some of the stolen information, which includes emails, payroll data, and personal information. Maze operates under an affiliate model, so attacks are carried out by multiple different groups while the malware's developers sit back and receive a cut of the profit. The developers do act as the mouthpiece of the ransomware via their data leak website, leading the formation of a "ransomware cartel" by teaming up with other ransomware gangs to share resources.

Evidence of this was first spotted when Maze published data that had been stolen by LockBit, a separate ransomware-as-a-service operation. The Maze operators confirmed that they're collaborating with LockBit, and added that they are in talks with other ransomware gangs to join their enterprise. "We all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies," the criminals said. "Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors."

ICT solutions provider NTT Com discloses security breach

NTT Communications (NTT Com), a subsidiary of the tech giant NTT Corp, disclosed a data breach that impacted hundreds of customers. NTT Com provides network management, security and solution services to consumers, corporations and governments. It has more than 30 companies in the Asia-Pacific region, Europe and the Americas. The company launched an investigation after discovering unauthorised access to some systems on May 7, then this week it confirmed that threat actors may have been stolen.

“NTT Communications (hereafter NTT Com) detected an unauthorized access to our equipment that has been made by an attacker on May 7, and the possibility that some information may have leaked to the outside was confirmed on May 11,” reads the data breach notification. Experts at NTT Com initially noticed suspicious activity on an Active Directory server, then they discovered that threat actors have breached an operational server and an information management server that stored customer information. The internal investigation revealed that attackers initially targeted a server in Singapore, then used it for lateral movements and reach the infrastructure in Japan.

In response to the incident, the company shut down impacted servers to avoid the malware from spreading and communicating with external servers. According to NTT, the security breach could impact 621 companies whose information was stored on the information management server.

Java-based Tycoon ransomware difficult to detect

A particularly nasty strain of ransomware is spreading throughout the networks of schools and software developers. According to researchers, the Tycoon attack can be difficult to detect, thanks to it being written in Java and deployed within its own Runtime Environment. The infection works with both Windows and Linux systems, but thanks to some sloppy coding, victims may have options other than paying the ransom demand or losing their data.

The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small- to medium-sized companies and institutions in education and software industries, where they would proceed to encrypt file servers and demand a ransom. To achieve persistence on the victim’s machine, the attackers had used a technique called Image File Execution Options (IFEO) injection. IFEO settings are stored in the Windows registry. These settings give developers an option to debug their software through the attachment of a debugging application during the execution of a target application.

A backdoor was then executed alongside the Microsoft Windows On-Screen Keyboard (OSK) feature of the operating system. However, due to the reuse of a common RSA private key, it may be possible to recover data without the need for payment in earlier variants.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.