Microsoft warns about malspam campaign targeting European users with backdoor trojan

Microsoft has issued a warning on an ongoing malspam campaign that drops a backdoor trojan by abusing an old MS Office vulnerability. This campaign targets European users with emails written in various European languages. The spam emails include malicious RTF documents that when opened, downloads a backdoor trojan without any user interaction. The RTF documents download the malicious payload by exploiting an already patched Office vulnerability and running multiple scripts of different types (VBScript, PowerShell, PHP, among others). “An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction,” Microsoft Security Intelligence tweeted. The Microsoft Office vulnerability (tracked as CVE-2017-11882) has been patched in November 2017, however, this vulnerability has been exploited ever since. This vulnerability has also been ranked as the third-most exploited vulnerability of 2018. This vulnerability allows attackers to execute code on users' device without any user interaction. However, the good news is that the backdoor trojan’s C&C server has been taken down since Microsoft issued a security alert. However, in order to avoid future exploit, it is wise to patch the vulnerability by updating the November 2017 Patch Tuesday security updates.

Google confirms new Triada adware variant came preinstalled on some Android phones

An analysis by Google Security has revealed that hackers in 2017 had cleverly loaded adware into Android devices by tampering the pre-installed software. A variant of Triada adware family, the malware was inserted through apps and programs built by third-party vendors. The main purpose of this novel hacking technique was to load the phones with spam and unwanted advertisements before it even reached to the customers. The process of installing the adware was done during the manufacturing process of Android phones. When phone manufacturers wanted to include features not approved by the Android Open Source Project - like a face unlock the program, they may hire it from unauthorized third-party companies. It is here that the hackers masqueraded as software vendors and provided the required software with preinstalled Triada adware variant. Research from the security vendor Dr.Web had disclosed that the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20 had been affected by the Triada variant. Triada adware was first discovered in March 2016. However, Google has observed a new variant of the adware was being used to infect the smartphones. The malware authors of Triada have evolved the malware to a pre-installed Android framework backdoor. “The changes to Triada included an additional call in the Android framework log function, demonstrated below with a highlighted configuration string,” explained the researchers from Google Security. The main aspect of this new backdoor version is to execute code in another app’s context. “The backdoor attempts to execute additional code every time the app needs to log something. Triada developers created a new file format, which we called MMD, based on the file header,” researchers added. The malware authors targeted two apps to perform the code injection: the System UI app and the Google Play app. Google has coordinated with the affected OEMs to provide system updates and remove traces of Triada variant. In addition, it is also scanning for Triada and similar threats on all Android devices. It has requested OEMs to ensure that all third-party code is reviewed and can be tracked to its source.

Evite confirms that its customer data was stolen and put up for sale in the Dark Web

The E-invitations platform Evite has admitted that it suffered a data breach in February and the stolen user data was put up for sale in the Dream Market marketplace by the infamous hacker ‘Gnosticplayers’. Evite has also provided additional details about the breach and the steps they’ve taken to remediate the incident in a security update. Evite became aware of the incident on April 15, 2019, after Gnosticplayers published almost 10 million Evite user data on the Dark Web, along with the user data from 5 other companies including Mindjolt, Wanelo, iCracked, Yanolja, and Moda Operandi. Upon which, the e-invitations platform hired a leading data security firm and launched an extensive investigation. The investigation revealed malicious activity since February 22, 2019. On May 14, 2019, Evite confirmed that an unauthorized third party gained access to an inactive data storage file that contained Evite user accounts prior to 2013. The data storage file contained user data such as users’ names, usernames, email addresses, passwords, dates of birth, and phone numbers. However, no financial information and Social Security numbers were compromised. Upon learning the incident, Evite notified the law enforcement authorities about the breach. The social planning website is working closely with leading security experts to review its systems and address any vulnerabilities. It has implemented additional security measures to detect and prevent any unauthorized access. The e-invitations service has also requested its customers to review their accounts for any suspicious activity and reset their Evite passwords. “We sincerely regret any inconvenience or concern caused by this incident. We are committed to protecting your information and maintaining your trust and confidence,” Evite concluded.

Vulnerability in SymCrypt could allow an attacker to perform DoS on any Windows server

A vulnerability researcher at Google, Tavis Ormandy, uncovered a vulnerability in the primary cryptographic library of Microsoft's operating system ‘SymCrypt’. The vulnerability could allow an attacker to perform Denial of Service (Dos) on Windows 8 servers and above. Ormandy tested the vulnerability using a specially crafted X.509 digital certificate that prevents completing the verification process and found out that any program on the system that processes the certificate will trigger the vulnerability causing deadlock. The researcher also found out that embedding the certificate in an S/MIME message, authenticode signature, and schannel connection could allow an attacker to perform DoS on any Windows server such as IPsec, Internet Information Services (IIS), and Microsoft Exchange Server, requiring the machine to be rebooted. Ormandy notified Microsoft about the issue in March 2019 with a 90-day disclosure deadline. Microsoft acknowledged the issue and promised to come up with the patch within 90 days. However, the Microsoft Security Response Center (MSRC) informed the researcher that a patch wouldn't be ready until next month’s release of security updates. This made the researcher release the details of the bug to the public as the 90-day time-frame has lapsed.

Researchers find RCE bug in older Diebold Nixdorf ATMs

ATM manufacturer Diebold Nixdorf is notifying customers about a remote code execution (RCE) vulnerability present in its older Opteva ATM models’ software. The vulnerability was spotted by a team of security researchers known as NightSt0rm. In a blog on Medium, the team described an OS service in these ATMs that could be remotely exploited with reverse shells to deploy malicious payloads. The researchers found a publicly exposed OS service called ‘Spiservice’ in older Opteva ATMs. This service was linked to a DLL library known as ‘MSXFS.dll’ which is specifically used in ATMs. They tested an ATM running Agilis XFS (Diebold XFS service) for Opteva version 4.1.61.1. When connected through a web browser, Agilis XFS called many libraries including one known as ‘VDMXFS.dll’. A remote configuration parameter is displayed as a result. This could be exploited to deploy reverse-shell payloads to have complete control over the vulnerable Opteva ATMs. In their blog, the researchers also provide successful exploit methods. After learning of this RCE vulnerability, Diebold Nixdorf is in the process of notifying all customers using older Opteva ATMs of the issue. In addition, its advising operators to update to the latest version(4.1.22) of the ATM software, as suggesting countermeasures. “While all Opteva systems come equipped with a terminal-based firewall installed, from the information we have, the terminal based firewall of the system was most likely not active during the evaluation. We have not received any reports of this potential exposure being exploited outside of a test environment,” read a security alert released by Diebold Nixdorf, shared with ZDNet.

Scammers abuse Google Calendar feature to trick users into revealing their personal information

Multiple cases of a sophisticated scam targeting consumers through unsolicited Google Calendar notifications has been observed recently. The main purpose of the scam is to trick users into sharing their personal information. According to Kaspersky, it has been found that the scammers are abusing a specific feature of a free online calendar service that adds invitations and events to users’ calendars’ automatically. This resulted in unsolicited pop-up calendar notifications appearing for Gmail users. The scammers are leveraging phishing attacks to target users in this scam. These phishing emails contain a link that exploits a common default feature of Google Calendar to include automatic addition and notification of unwanted events & invitations. “Kaspersky observed multiple, unsolicited pop-up calendar notifications appearing for Gmail users during May. This turned out to be a result of a blast of sophisticated spam emails sent by scammers. The emails exploited a common default feature for people using Gmail on their smartphone: the automatic addition and notification of calendar invitations,” said the researchers. The phishing email that appears to be an unsolicited calendar invitation for the recipient, carries a link to a phishing URL. This URL redirects the user to a website that features simple questionnaires and offers prize money upon completion. The questions are framed in such a way that users who are unaware of the scam can end up in providing their personal and financial information. To avoid falling victim to such malicious spam, researchers have advised users to: Turn off the automatic adding of invitations on Google Calendar; Never share personal information on websites that are unsafe and look suspicious; Use a reliable security solution for comprehensive protection from a wide range of threats.

Attackers exploit major vulnerability in Oracle WebLogic Server to drop cryptominers

A security vulnerability in Oracle WebLogic Server was found to be actively exploited by cybercriminals to install cryptocurrency miners. Security researchers from Trend Micro discovered that the malware used in the attack hid in certificate files and later dropped Monero miners in the system. Tracked as CVE-2019-2725, the vulnerability is a deserialization remote code execution (RCE) flaw, which could allow unauthenticated attackers with network access to compromise WebLogic servers. In their blog, the researchers detailed the infection chain of the attack. The attack begins with the malware exploiting CVE-2019-2725 to execute a PowerShell command. This command is used to download a certificate file from a C2 server. The file, saved as ‘cert.cer’, is decoded using a Windows application called certutil. This decoded file is saved as ‘update.ps1’. Upon executing this decoded file, the certificate file is deleted. Parallelly, a PowerShell script is downloaded and stored in memory. This script downloads and executes the cryptocurrency miner payload and other components. The researchers suggest that the use of certificate files for hiding malware has been prevalent for a while. “The idea of using certificate files to hide malware is not a new one: a proof of concept was introduced late last year by Sophos in which they demonstrated placing an Excel file with an embedded macro inside a certificate file,” read their blog. “By using certificate files for obfuscation purposes, a piece of malware can possibly evade detection since the downloaded file is in a certificate file format which is seen as normal -— especially when establishing HTTPS connections,” added the researchers. Oracle has released an update to fix the issue in WebLogic. Users are advised to apply this update to stay protected from RCE and similar attacks.

Code execution flaw discovered in Vim and Neovim

An arbitrary code execution flaw was identified in popular text editors Vim and Neovim. Security researcher Armin Razmjou discovered this vulnerability in the older versions of the two applications. In a tweet, Razmjou mentioned that the vulnerability was the result of a feature known as ‘modelines’ in the application, which could enable attackers to execute arbitrary code and gain remote control over compromised systems. The flaw, tracked as CVE-2019-12735, is a result of a faulty getchar.c function which allows remote attackers to execute arbitrary code through the ‘:source!’ command in a modeline. It affects Vim versions prior to 8.1.1365 and Neovim versions prior to 0.3.6. According to Razmjou, this vulnerability is plainly evident in default configurations of Vim. The researcher has also released two proof-of-concept (PoC) exploits for this vulnerability. One of the exploits shows an attack scenario wherein a reverse shell is executed when he/she opens a malicious file on either of these applications. This permitted system access to the remote attacker.​ On top of mentioning patches available, Razmjou has advised other countermeasures such as disabling modelines, using a plugin called ‘securemodelines’ or to disable ‘modelineexpr’ option in modelines. Since Vim and Neovim are pre-installed in most of the Linux-based operating systems, Linux users are more prone to RCE attacks due to this flaw. Thus, they are advised to apply the patches available for the two applications.

 

Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

 

Useful links

Cyber Pulse: Edition 67

Cyber Pulse: Edition 66

Cyber Pulse: Edition 65

Cyber Pulse: Edition 64

Cyber Pulse: Edition 63

Cyber Pulse: Edition 62

Cyber Pulse: Edition 61

Cyber Pulse: Edition 60

Cyber Pulse: Edition 59

Cyber Pulse: Edition 58