Thursday, May 31, 2018
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for ACH Services and Corporate Payment Services
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7 used by Financial Transaction Manager (FTM) for ACH Services and FTM for Corporate Payment Services (CPS). These issues were disclosed as part of the IBM Java SDK updates in April 2018.
CVE(s): CVE-2018-2800, CVE-2018-2783
Affected product(s) and affected version(s):
FTM ACH v3.0.6
FTM CPS v3.0.4
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22016697
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141956
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for ACH Services and Corporate Payment Services appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2J7zaS9
IBM Security Bulletin: IBM Connections Security Refresh (CVE-2017-1748)
IBM Connections security update that improves the default capabilities of login.jsp. The update adds the ability to whitelist the domains allowed for login redirects, specifically in the logic flow through the customizable login.jsp. The documentation on customizing login.jsp is here: https://ift.tt/2L4ITcj
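As an added illustration of the control this bulletin describes (not IBM's code), the check below accepts a post-login redirect only when it is a same-site path or an http(s) URL whose host is on an exact-match allowlist; the host names and function names are assumptions. It rejects the scheme-relative, backslash and userinfo forms that a naive substring check lets through.

```python
"""Allowlist check for a post-login redirect target, illustrating the
kind of control the IBM Connections login.jsp update describes.
Added example, not IBM's code; the host list and names are assumptions."""
from urllib.parse import urlsplit

# Constructed allowlist: the application's own host plus hosts that may
# legitimately receive a login redirect. Exact host match only.
ALLOWED_HOSTS = {"connections.example.com", "sso.example.com"}


def is_allowed_host(host, allowed=ALLOWED_HOSTS):
    """Case-insensitive exact match. Suffix matching would let
    sso.example.com.attacker.net through, so it is deliberately not used."""
    return host.lower() in {h.lower() for h in allowed}


def safe_redirect_target(raw, default="/", allowed=ALLOWED_HOSTS):
    """Return `raw` if it is a same-site relative path or an http(s) URL
    whose host is on the allowlist; otherwise return `default`."""
    if not raw:
        return default
    # Browsers treat "\" like "/" in URLs, so "/\evil.example" would be
    # parsed here as a relative path but by the browser as a host.
    candidate = raw.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash. "//host" carries a
        # netloc and is handled below; "///host" is rejected here.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, file: and friends
    # .hostname drops userinfo and port and lowercases, so
    # "https://sso.example.com@evil.net/" resolves to evil.net here.
    host = parts.hostname
    if host is None or not is_allowed_host(host, allowed):
        return default
    return candidate
```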
CVE(s): CVE-2017-1748
Affected product(s) and affected version(s):
The following versions of IBM Connections are impacted:
IBM Connections 6.0
IBM Connections 5.5
IBM Connections 5.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016698
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135521
The post IBM Security Bulletin: IBM Connections Security Refresh (CVE-2017-1748) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2LKvVBK
IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations)
There are multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager for Workstations). IBM Spectrum Protect for Workstations has addressed the applicable CVEs.
CVE(s): CVE-2016-0702, CVE-2018-1447, CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426
Affected product(s) and affected version(s):
The following versions of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) are affected:
- 8.1.0.0 through 8.1.2.0
- 7.1.0.0 through 7.1.8.1
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22015211
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111144
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139972
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139073
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139072
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
The post IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2xukwTk
Bitglass Security Spotlight: Twitter, PyRoMine, & Stresspaint
By Jacob Serpa, Product Marketing Manager, Bitglass
Here are the top cybersecurity stories of recent weeks:
- Twitter exposes user credentials in plaintext
- PyRoMine mines Monero and disables security
- Stresspaint malware hunts Facebook credentials
- MassMiner malware mines cryptocurrency
- Access Group Education Lending breached
Twitter exposes user credentials in plaintext
Despite the fact that Twitter doesn’t store or display users’ credentials in plaintext, the social media company recently had a security mishap. Passwords were stored in internal logs before they were successfully obfuscated, exposing them to employees in plaintext. While the information wasn’t made viewable to outside parties, it’s still a cause for concern for Twitter’s users.
PyRoMine mines Monero and disables security
New malware, PyRoMine, leverages a host of previously disparate capabilities featured in other strains of malware. For example, it uses NSA exploits while mining Monero, a cryptocurrency. Malware is continuing to grow more sophisticated, compelling organizations to adopt advanced anti-malware solutions.
Stresspaint malware hunts Facebook credentials
Disguised as a stress-relieving paint program, Stresspaint is a piece of malware that is attacking users in an attempt to gather their Facebook credentials. In particular, the malware is targeting influential users – those who manage Facebook pages or have numerous friends and followers. It is primarily distributed through emails and messages on Facebook.
MassMiner malware mines cryptocurrency
MassMiner is the latest in a slew of malware strains that engage in malicious cryptomining. This threat seeks to take advantage of known vulnerabilities in order to commandeer web servers and mine Monero – which continues to be a common target in malicious cryptomining.
Access Group Education Lending breached
Unfortunately for those who have used the organization’s services for their student loans, Access Group Education Lending has been breached. Nearly 17,000 borrowers had their information exposed when a loan processing vendor working for the group shared their information with an unauthorized, unknown company.
Fortunately for the enterprise, cloud access security brokers (CASBs) can defend against zero-day malware and countless other threats. To learn more, download the Zero-Day Solution Brief.
from Cloud Security Alliance Blog https://ift.tt/2stfrF7
Attackers Can Use Sonic and Ultrasonic Signals to Crash Hard Drives
Researchers have demonstrated how sonic and ultrasonic signals (inaudible to humans) can be used to cause physical damage to hard drives just by playing ultrasonic sounds through a target computer's own built-in speaker or by exploiting a speaker near the targeted device.
Similar research was conducted last year by a group of researchers from Princeton and Purdue University, who demonstrated a denial-of-service (DoS) attack against HDDs by exploiting a physical phenomenon called acoustic resonance.
Since HDDs are exposed to external vibrations, the researchers showed how specially crafted acoustic signals could cause significant vibrations in HDDs' internal components, which eventually leads to failures in systems that rely on the HDD.
To prevent a head crash from acoustic resonance, modern HDDs use shock sensor-driven feedforward controllers that detect such movement and improve the head positioning accuracy while reading and writing the data.
However, according to a new research paper published by a team of researchers from the University of Michigan and Zhejiang University, sonic and ultrasonic sounds cause false positives in the shock sensor, causing a drive to unnecessarily park its head.
By exploiting this disk drive vulnerability, researchers demonstrated how attackers could carry out successful real-world attacks against HDDs found in CCTV (Closed-Circuit Television) systems and desktop computers.
"An attacker can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and preventing surveillance systems from recording video," the research paper reads.
These attacks can be performed using a nearby external speaker or through the target system's own built-in speakers by tricking the user into playing a malicious sound attached to an email or a web page.
In their experimental set-up, the researchers tested acoustic and ultrasonic interferences against various HDDs from Seagate, Toshiba and Western Digital and found that ultrasonic waves took just 5-8 seconds to induce errors.
However, sound interferences that lasted for 105 seconds or more caused the stock Western Digital HDD in the video-surveillance device to stop recording from the beginning of the vibration until the device was restarted.
"In the case that a victim user is not physically near the system being attacked, an adversary can use any frequency to attack the system," the researchers explain.
"The system's live camera stream never displays an indication of an attack. Also, the system does not provide any method to learn of audio in the environment. Thus, if a victim user were not physically near the system, an adversary can use audible signals while remaining undetected."
The researchers were also able to disrupt HDDs in desktops and laptops running both Windows and Linux operating systems. It took just 45 seconds to cause a Dell XPS 15 9550 laptop to freeze and 125 seconds to crash when the laptop was tricked into playing malicious audio over its built-in speaker.
The team also proposed some defenses that can be used to detect or prevent such type of attacks, including a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference, a sensor fusion method to prevent unnecessary head parking by detecting ultrasonic triggering of the shock sensor, and noise dampening materials to attenuate the signal.
You can find out more about HDD ultrasonic acoustic attacks in the research paper [PDF] titled "Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems."
from The Hacker News https://ift.tt/2Laclh1
Wednesday, May 30, 2018
USN-3663-1: HAProxy vulnerability
haproxy vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary
HAProxy could be made to expose sensitive information over the network.
Software Description
- haproxy - fast and reliable load balancing reverse proxy
Details
It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.04 LTS
- haproxy - 1.8.8-1ubuntu0.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
from Ubuntu Security Notices https://ift.tt/2J2inQn
FBI issues alert over two new malware linked to Hidden Cobra hackers
The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified pieces of malware being used by the prolific North Korean APT hacking group known as Hidden Cobra.
Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.
The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.
Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.
The two pieces of malware Hidden Cobra is using are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul. Let's get into the details of each one.
Joanap—A Remote Access Trojan
According to the US-CERT alert, "fully functional RAT" Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.
The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.
Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.
Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.
During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
Brambul—An SMB Worm
Brambul is a brute-force authentication worm that, like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.
The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware.
"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes.
"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."
Once Brambul gains unauthorized access to the infected system, the malware sends information about the victim's system to the Hidden Cobra hackers by email. The information includes the IP address and hostname, as well as the username and password, of each victim's system.
The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a "suicide script."
DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.
DHS also recommends that users and administrators follow best practices as preventive measures to protect their computer networks, such as keeping software and systems up to date, running antivirus software, turning off SMB, and forbidding unknown executables and software applications.
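One way a defender might turn the Brambul behaviour described above (a local-subnet SMB sweep on ports 139 and 445 followed by password guessing from an embedded list) into a detection, as an added example that is not part of the alert or any vendor tool; the record format, thresholds and sample records are constructed assumptions.

```python
"""Heuristic for the Brambul behaviour the alert describes: a host
sweeping its local subnet over SMB (139/445) and guessing passwords from
an embedded list. Added detection example, not a US-CERT or vendor tool;
the record format, thresholds and sample data below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_TARGETS = 8       # one source reaching many SMB hosts quickly
MIN_FAILURES_PER_TARGET = 10   # repeated auth failures against one host


def build_sample_log():
    """Constructed records, one per SMB connection attempt, in the form
    'ISO-time src dst dport result' (not real traffic)."""
    t0 = datetime(2018, 5, 29, 10, 0, 0)
    lines = []
    # Benign: a workstation opening shares on the file server a few times.
    for i in range(3):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} "
                     f"10.1.2.7 10.1.2.5 445 auth_ok")
    # Worm-like: 10.1.2.50 touches .10 to .20 within seconds ...
    for i in range(11):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} "
                     f"10.1.2.50 10.1.2.{10 + i} 445 connect")
    # ... then runs a password list against .10.
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=20 + i)).isoformat()} "
                     f"10.1.2.50 10.1.2.10 445 auth_fail")
    return lines


def parse_line(line):
    ts, src, dst, dport, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), result


def detect_smb_spread(lines, window=WINDOW,
                      min_targets=MIN_DISTINCT_TARGETS,
                      min_failures=MIN_FAILURES_PER_TARGET):
    """Return {src: {"max_targets", "max_failures", "reasons"}} for sources
    whose SMB activity inside any sliding window of length `window` looks
    like a subnet sweep and/or password guessing."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    by_src = defaultdict(list)
    for ev in events:
        if ev[3] in SMB_PORTS:
            by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            targets = {e[2] for e in win}
            fails = defaultdict(int)
            for e in win:
                if e[4] == "auth_fail":
                    fails[e[2]] += 1
            max_fail = max(fails.values(), default=0)
            reasons = set()
            if len(targets) >= min_targets:
                reasons.add("subnet_sweep")
            if max_fail >= min_failures:
                reasons.add("password_guessing")
            if reasons:
                rec = alerts.setdefault(src, {"max_targets": 0,
                                              "max_failures": 0,
                                              "reasons": set()})
                rec["max_targets"] = max(rec["max_targets"], len(targets))
                rec["max_failures"] = max(rec["max_failures"], max_fail)
                rec["reasons"] |= reasons
    for rec in alerts.values():
        rec["reasons"] = sorted(rec["reasons"])
    return alerts


if __name__ == "__main__":
    for src, rec in detect_smb_spread(build_sample_log()).items():
        print(src, rec)
```

Thresholds are deliberately conservative for a small subnet; on a real network they should be tuned against baseline SMB fan-out of backup and management hosts.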
Last year, the DHS and the FBI published an alert describing Hidden Cobra malware called Delta Charlie, a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.
Other malware linked to Hidden Cobra in the past includes Destover, Wild Positron or Duuzer, and Hangman, with sophisticated capabilities like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
from The Hacker News https://ift.tt/2Jf4LEF
IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-2783)
A vulnerability in IBM® SDK Java™ Technology Edition that is shipped and used by IBM Spectrum Control (formerly Tivoli Storage Productivity Center). The issue was disclosed as part of the IBM Java SDK updates for April 2018.
CVE(s): CVE-2018-2783
Affected product(s) and affected version(s):
Affected Product | Affected Versions |
IBM Tivoli Storage Productivity Center | 5.2.0 – 5.2.7.1 |
IBM Spectrum Control | 5.2.8 – 5.2.16 |
The versions listed above apply to all licensed offerings of IBM Tivoli Storage Productivity Center and IBM Spectrum Control.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016160
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
The post IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-2783) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2LJx7W4
IBM Security Bulletin: Multiple Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio
Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 used by WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in April 2018. These issues are also addressed by WebSphere Application Server Network Deployment shipped with WebSphere Service Registry and Repository.
CVE(s): CVE-2018-2783, CVE-2018-2800
Affected product(s) and affected version(s):
WebSphere Service Registry and Repository V8.5 and V8.0 and WebSphere Service Registry and Repository Studio V8.5 are affected.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22016430
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141956
The post IBM Security Bulletin: Multiple Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2J2l98e
IBM Security Bulletin: API Connect is affected by a session management vulnerability (CVE-2018-1532)
API Connect has addressed the following vulnerability. IBM API Connect does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system.
CVE(s): CVE-2018-1532
Affected product(s) and affected version(s):
API Connect | Affected Versions |
IBM API Connect | 5.0.0.0-5.0.7.2 |
IBM API Connect | 5.0.8.0-5.0.8.2 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22015978
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142430
The post IBM Security Bulletin: API Connect is affected by a session management vulnerability (CVE-2018-1532) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2LKRUsi
IBM Security Bulletin: IBM Content Navigator is affected by a cross site scripting vulnerability
IBM Content Navigator has addressed the following vulnerability.
CVE(s): CVE-2018-1496
Affected product(s) and affected version(s):
Affected IBM Content Navigator | Affected Versions |
IBM Content Navigator | 2.0.3 |
IBM Content Navigator | 3.0 Continuous Delivery |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22015420
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141219
The post IBM Security Bulletin: IBM Content Navigator is affected by a cross site scripting vulnerability appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2J3Nrze
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-1417, CVE-2018-2783, CVE-2018-2794)
There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 8 that is used by IBM Cognos Command Center. These issues were disclosed as part of the IBM Java SDK updates for January and April 2018.
CVE(s): CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-1417, CVE-2018-2783, CVE-2018-2794
Affected product(s) and affected version(s):
IBM Cognos Command Center 10.2.4 All Editions
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016473
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137833
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137854
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137855
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/137885
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/138823
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141939
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/141950
The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-1417, CVE-2018-2783, CVE-2018-2794) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2LKRPF0
IBM Security Bulletin: IBM Security Network Protection is affected by multiple vulnerabilities
Multiple security vulnerabilities (CVE-2018-1426, CVE-2018-1427, CVE-2018-1428, CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, and CVE-2018-1447) have been discovered in GSKit used with IBM Security Network Protection.
CVE(s): CVE-2016-0705, CVE-2017-3732, CVE-2017-3736, CVE-2018-1428, CVE-2018-1427, CVE-2018-1426, CVE-2018-1447
Affected product(s) and affected version(s):
IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.3
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016549
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139073
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139072
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/139972
The post IBM Security Bulletin: IBM Security Network Protection is affected by multiple vulnerabilities appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2J2l6JA
IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Using Components with Known Vulnerabilities vulnerability
IBM Security Guardium Big Data Intelligence (SonarG) has addressed the following vulnerability.
CVE(s): CVE-2016-7103
Affected product(s) and affected version(s):
Affected IBM Security Guardium Big Data Intelligence (SonarG) | Affected Versions |
IBM Security Guardium Big Data Intelligence (SonarG) | 3.1 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg22016514
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/119601
The post IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Using Components with Known Vulnerabilities vulnerability appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2LKRLFg
IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise are affected by a vulnerability in IBM HTTP Server (CVE-2017-12618)
IBM HTTP Server that is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise is affected by an Apache APR vulnerability. IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise have addressed this vulnerability.
CVE(s): CVE-2017-12618
Affected product(s) and affected version(s):
Principal Product and Version(s) | Affected Supporting Product and Version |
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3, V2.5.0.4, 2.5.0.5, 2.5.0.6 | IBM HTTP Server 8.5.5 |
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, 2.4.0.4, 2.4.0.5 | IBM HTTP Server 8.5 |
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.3, V2.3.0.1 | IBM HTTP Server 8.5 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg2C1000383
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134048
The post IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise are affected by a vulnerability in IBM HTTP Server (CVE-2017-12618) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/2IZxv0E
Russia asks Apple to remove Telegram Messenger from the App Store
Russia's communications regulator Roskomnadzor has threatened Apple with consequences if the company does not remove the secure messaging app Telegram from its App Store.
Back in April, the Russian government banned Telegram in the country for the company's refusal to hand over private encryption keys to Russian state security services to access messages sent using the secure service.
However, so far, the Telegram app is still available in the Russian version of Apple's App Store.
So in an effort to entirely ban Telegram, state watchdog Roskomnadzor reportedly sent a legally binding letter to Apple asking it to remove the app from its Russian App Store and to block it from sending push notifications to local users who have already downloaded the app.
Roskomnadzor's director Alexander Zharov said he is giving the company one month to remove the Telegram app from its App Store before the regulator enforces punishment for violations.
For those unfamiliar with the app, Telegram offers end-to-end encryption for secure messaging, so that no one, not even Telegram, can access the messages that are sent between users.
However, despite being banned in April, the majority of users in Russia are still using the app via Virtual Private Networks (VPNs), and only 15 to 30 percent of Telegram's operations in the country have been disrupted so far, Roskomnadzor announced yesterday.
This failure led the regulator to turn to Apple for help taking the app down.
"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company’s further actions to resolve the problematic issue," said Roskomnadzor in the letter.
Roskomnadzor also says it is in talks with Google to ban the Telegram app from Google Play as well.
Roskomnadzor is a federal executive body in Russia which is responsible for overseeing the media, including the electronic media, mass communications, information technology and telecommunications; organizing the work of the radio-frequency service; and overseeing compliance with the law protecting the confidentiality of its users' personal data.
Roskomnadzor wanted Telegram to share its users' chats and encryption keys with the state security services, as the encrypted messaging app is widely popular among terrorists that operate inside Russia.
However, Telegram declined to comply with the requirements.
Apple has generally expressed its support for encryption and secure data in the past, but we have seen the company comply with local demands.
Last year, Apple removed all VPN apps from its App Store in China, making it harder for internet users to bypass its Great Firewall, and moved its iCloud operations to a local firm linked to the Chinese government.
Also, at the end of last year, Apple pulled Skype, along with several similar apps, from its App Store in China.
from The Hacker News https://ift.tt/2xnstKg
North Korean Malicious Cyber Activity
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint Technical Alert (TA) that identifies two families of malware—referred to as Joanap and Brambul—used by the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
In conjunction with the release of this TA, NCCIC has released a Malware Analysis Report (MAR) that provides analysis on samples of Joanap and Brambul malware.
NCCIC encourages users and administrators to review TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm and MAR-10135536-3 – HIDDEN COBRA RAT/Worm. For more information, visit https://www.us-cert.gov/HiddenCobra.
This product is provided subject to this Notification and this Privacy & Use policy.
from US-CERT National Cyber Alert System https://ift.tt/2kzoUXU
Yahoo Hacker linked to Russian Intelligence Gets 5 Years in U.S. Prison
A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.
Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.
Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to "hack webmail accounts of individuals of interest to the FSB," Russia's spy agency.
In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.
According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.
The Justice Department announced charges for all of the four people in March last year, which resulted in the arrest of Baratov in Toronto at his Ancaster home and then his extradition to the United States.
However, Belan, who is already on the FBI's Most Wanted Hackers list, and both FSB officers currently reside in Russia, so they are unlikely to face the consequences for their involvement.
Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, in which he charged customers around $100 to obtain another person's webmail password by tricking the victim into entering their credentials on a fake password reset page.
According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.
As part of his plea, Baratov admitted to hacking thousands of individuals' webmail accounts over seven years and sending those accounts' passwords to Russian spy Dokuchaev in exchange for money.
The targeted attack allowed the four to gain direct access to Yahoo's internal networks, and once in, co-defendant hacker Belan started poking around the network.
According to the FBI, Belan discovered two key assets:
- Yahoo's User Database (UDB) – a database containing personal information about all Yahoo users.
- The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.
Belan then used the file transfer protocol (FTP) to download Yahoo's UDB, which included password-recovery email addresses and cryptographic values unique to each Yahoo account; those values eventually enabled Belan and Baratov to access specific accounts of interest to the Russian spies.
According to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.
from The Hacker News https://ift.tt/2L6hhDy
Tuesday, May 29, 2018
AR18-149A: MAR-10135536-3 - HIDDEN COBRA RAT/Worm
from US-CERT National Cyber Alert System https://ift.tt/2xmxBOL
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see https://ift.tt/1qJcHPA.

Summary

Description

This submission includes four unique files. The first is an installer for additional malware: it drops a Remote Access Trojan (RAT) and a malicious Dynamic Link Library (DLL) that functions as a Server Message Block (SMB) worm, which are the second and third files. The fourth file is another SMB worm in the form of a Windows 32-bit executable. Downloadable copies of the IOCs are distributed with this report.

Emails (2)

misswang8107@gmail.com
redhat@gmail.com

Submitted Files (4)

077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885 (4731CBAEE7ACA37B596E38690160A7...)
a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717 (scardprv.dll)
ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781 (Wmmvsvc.dll)
fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16 (298775B04A166FF4B8FBD3609E7169...)

Findings

077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885

Tags: backdoor, trojan, worm
ssdeep Matches: No matches found.

Description: This 32-bit Windows executable is the installer. It writes two malicious DLLs to disk (scardprv.dll and Wmmvsvc.dll, analyzed below) and loads them.

a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717

Tags: backdoor, bot, trojan, worm
ssdeep Matches: No matches found.

Description: This 32-bit Windows DLL is written to disk and then loaded by the file "4731CBAEE7ACA37B596E38690160A749" (the installer above).

ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781

Tags: backdoor, bot, trojan, worm
ssdeep Matches: No matches found.

Description: This file is a malicious 32-bit Windows DLL that is written to disk and then loaded by the file "4731CBAEE7ACA37B596E38690160A749" (the installer above).

fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16

Tags: backdoor, trojan, worm
ssdeep Matches: No matches found.

Description: This file is a malicious 32-bit Windows executable designed to scan the local network and the Internet for machines that are reachable and have open SMB ports. Once the malware gains access to a remote machine, it delivers a malicious payload. The file accepts command-line arguments for execution.

redhat@gmail.com

Indicator: email address associated with the submitted samples. The SMB worm component generates SMTP messages containing target host system information.
misswang8107@gmail.com

Indicator: email address associated with the submitted samples.
Recommendations

NCCIC would like to remind users and administrators to consider using standard best practices to strengthen the security posture of their organization's systems (the same mitigation strategies listed in the companion alert TA18-149A). Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Additional information on malware incident prevention and handling can be found in NIST's Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact US-CERT and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the NCCIC at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to NCCIC? Malware samples can be submitted via three methods; see the NCCIC/US-CERT homepage for submission instructions. NCCIC encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the NCCIC/US-CERT homepage at www.us-cert.gov.
TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:
- a remote access tool (RAT), commonly known as Joanap; and
- a Server Message Block (SMB) worm, commonly known as Brambul.
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
Downloadable copies of the IOCs are provided with this alert as .csv and .stix files.
NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – RAT/Worm for the report and associated IOCs.
Description
According to reporting from trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States, including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul in the Operation Blockbuster Destructive Malware Report [1] in conjunction with the IP addresses listed in the .csv and .stix files provided with this alert. Like many of the malware families used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom tools may be found on compromised network nodes; each tool has a different purpose and functionality.
Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.
During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes whose IP addresses are registered in multiple countries.
Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.
Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMB enables shared access to files between users on a network. Brambul typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against a host's SMB service in order to gain access to the victim's network.
Technical Details
Joanap
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include
- file management,
- process management,
- creation and deletion of directories, and
- node management.
Analysis indicates the malware encrypts data using RC4 (Rivest Cipher 4) to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log file named mssscardprv.ax within the Windows System Directory. HIDDEN COBRA actors use this file to capture and store victim information such as the host IP address, host name, and current system time.
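A host-side sweep for the artifacts named in the MAR and in the Joanap section above, as an added example (not code from DHS, FBI or NCCIC): it hashes every file under a directory with SHA-256 and reports matches against the four sample hashes from MAR-10135536-3, and separately flags the file names the reports tie to these families (the dropped DLLs scardprv.dll and Wmmvsvc.dll, and Joanap's log file mssscardprv.ax). The directory argument and the reason strings are assumptions of this example; on a Windows host you would point it at the system directory.

```python
"""IOC sweep for the Joanap/Brambul artifacts named in this alert and MAR.

Added example, not code from DHS, FBI or NCCIC. The hashes below are the
four submitted-file SHA-256 values from MAR-10135536-3; the file names are
those the reports associate with these families. The directory to sweep
is a command-line argument (an assumption of this example).
"""
import hashlib
import os
import sys

# SHA-256 hashes of the four files submitted for MAR-10135536-3.
MAR_SHA256 = {
    "077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885": "installer",
    "a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717": "scardprv.dll",
    "ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781": "Wmmvsvc.dll",
    "fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16": "SMB worm executable",
}

# File names associated with these families (matched case-insensitively).
SUSPECT_NAMES = {"scardprv.dll", "wmmvsvc.dll", "mssscardprv.ax"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest):
    """Return a reason string if (name, digest) matches an IOC, else None.

    A hash match is conclusive for these exact samples. A name match alone
    is weaker evidence (a recompiled variant has a different hash) but still
    deserves an analyst's attention, so it is reported with its own reason.
    """
    if digest in MAR_SHA256:
        return "hash match: " + MAR_SHA256[digest]
    if name.lower() in SUSPECT_NAMES:
        return "suspect file name: " + name
    return None


def sweep(root):
    """Return [(path, reason)] for every file under root that matches an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            reason = classify(name, digest)
            if reason:
                hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason + "\t" + path)
```

A name-only hit is reported separately from a hash hit on purpose: the hashes identify these four samples and nothing else, while the file names survive recompilation and are what an analyst would triage by hand.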
Brambul
Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file, often dropped and installed onto victims' networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on the victims' local subnets. If successful, it attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.
Analysts suspect the malware targets weakly secured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on a victim's system, it communicates information about that system to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name, as well as the username and password, of each victim system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.
Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations:
- harvesting system information,
- accepting command-line arguments,
- generating and executing a suicide script,
- propagating across the network using SMB,
- brute forcing SMB login credentials, and
- generating Simple Mail Transfer Protocol (SMTP) email messages containing target host system information.
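The Brambul behaviour described above (and in the MAR's description of the fourth file) is an SMB password brute force from one host against its neighbours, which the target records as a burst of failed network logons followed, when a password from the embedded list works, by a success. The detector below, an added example and not DHS/FBI code, runs that logic over Windows Security events: it groups Event ID 4625 (failed logon) with Logon Type 3 (network) by source address, flags a source that exceeds a threshold of failures inside a sliding window, and then flags any Event ID 4624 network logon from a source that was already brute forcing. The event lines, thresholds, CSV layout and field names are constructed for the example; tune the window and threshold to your environment.

```python
"""Detect Brambul-style SMB password brute forcing in Windows Security events.

Added example, not code from DHS, FBI, NCCIC or the malware itself.
Input lines are constructed for the example in the form
    timestamp,event_id,logon_type,source_ip,target_user
where 4625 = failed logon, 4624 = successful logon and logon type 3 = network
(what an SMB authentication attempt produces on the target).
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW = 60          # seconds (assumed; tune per environment)
FAIL_THRESHOLD = 10  # failed network logons per source inside WINDOW (assumed)

# Constructed sample: one source sprays three accounts and finally succeeds,
# one user mistypes a password twice, one interactive logon is noise.
SAMPLE_EVENTS = [
    "2018-05-29T10:00:00,4625,3,10.0.0.25,Administrator",
    "2018-05-29T10:00:02,4625,3,10.0.0.25,admin",
    "2018-05-29T10:00:04,4625,3,10.0.0.25,guest",
    "2018-05-29T10:00:05,4625,3,10.0.0.7,alice",          # benign typo
    "2018-05-29T10:00:06,4625,3,10.0.0.25,Administrator",
    "2018-05-29T10:00:08,4625,3,10.0.0.25,admin",
    "2018-05-29T10:00:09,4625,3,10.0.0.7,alice",          # benign typo
    "2018-05-29T10:00:10,4625,3,10.0.0.25,guest",
    "2018-05-29T10:00:12,4625,3,10.0.0.25,Administrator",
    "2018-05-29T10:00:14,4625,3,10.0.0.25,admin",
    "2018-05-29T10:00:15,4624,3,10.0.0.7,alice",          # benign success
    "2018-05-29T10:00:16,4625,3,10.0.0.25,guest",
    "2018-05-29T10:00:18,4625,3,10.0.0.25,Administrator",
    "2018-05-29T10:00:20,4625,3,10.0.0.25,admin",
    "2018-05-29T10:00:22,4625,3,10.0.0.25,guest",
    "2018-05-29T10:00:24,4624,3,10.0.0.25,Administrator",  # a listed password worked
    "2018-05-29T10:00:30,4625,2,-,bob",                    # interactive logon: ignored
]


def parse(line):
    ts, eid, ltype, src, user = [f.strip() for f in line.split(",")]
    return datetime.fromisoformat(ts), int(eid), int(ltype), src, user


def detect(lines, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return {source_ip: {"failures", "users", "success_as"}} for sources
    that exceeded `threshold` failed network logons inside `window` seconds.
    "success_as" is the account a flagged source later logged on with, or None."""
    recent = defaultdict(deque)  # source -> timestamps of failures in the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_as": None})
    flagged = set()
    for ts, eid, ltype, src, user in sorted(parse(l) for l in lines):
        if ltype != 3:
            continue  # only network logons carry the SMB brute-force signal
        if eid == 4625:
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()  # slide the window forward
            stats[src]["failures"] += 1
            stats[src]["users"].add(user)
            if len(q) >= threshold:
                flagged.add(src)
        elif eid == 4624 and src in flagged:
            # Success after a spray from the same source: treat as compromise.
            stats[src]["success_as"] = user
    return {
        src: {
            "failures": stats[src]["failures"],
            "users": sorted(stats[src]["users"]),
            "success_as": stats[src]["success_as"],
        }
        for src in sorted(flagged)
    }


if __name__ == "__main__":
    for src, info in detect(SAMPLE_EVENTS).items():
        print(src, info)
```

Because Brambul also generates random Internet addresses to attack, the same logic applied to perimeter logs of inbound TCP 139/445 connection attempts will show the worm's external scanning; inside a network the success-after-failures case is the one to act on first, since it marks a host the worm has already entered with a valid credential.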
Detection and Response
This alert’s IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
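The two checks the alert asks for, whether any IOC address falls inside the organization's own allocated space and whether the IOC addresses appear in perimeter logs, as an added example (not DHS/FBI code). The IOC rows, CIDR ranges and firewall lines below are constructed stand-ins using documentation address space; in practice the IOC list comes from the alert's .csv file and the ranges and logs are your own. The script also separates inbound attempts from allowed outbound connections, because an internal host that successfully connected to an IOC address is the lead most worth investigating first.

```python
"""Triage IP-address IOCs from TA18-149A against local address space and logs.

Added example, not code from DHS, FBI or NCCIC. All addresses, ranges and
log lines are constructed for the example (RFC 5737 documentation ranges
stand in for the real IOCs). The log format (timestamp src dst dport action)
is an assumption; adapt the split to your firewall's export.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the alert's IOC .csv: ip,family
IOC_CSV = """ip,family
203.0.113.42,Joanap
198.51.100.7,Brambul
192.0.2.77,Joanap
"""

# Constructed: the organization's allocated address space.
ORG_RANGES = ["192.0.2.0/24", "10.0.0.0/8"]

# Constructed perimeter log: timestamp src dst dport action
FIREWALL_LOG = """2018-05-29T08:12:01 203.0.113.42 10.1.4.20 445 deny
2018-05-29T08:12:05 10.1.4.20 198.51.100.7 25 allow
2018-05-29T09:03:11 10.1.9.3 93.184.216.34 443 allow
2018-05-29T09:40:00 198.51.100.7 10.1.4.21 139 deny
"""


def load_iocs(csv_text):
    """Parse the IOC CSV into {ip_address: family}, skipping the header."""
    iocs = {}
    for line in csv_text.strip().splitlines()[1:]:
        ip, family = line.split(",")
        iocs[ipaddress.ip_address(ip.strip())] = family.strip()
    return iocs


def iocs_in_own_space(iocs, ranges):
    """IOC addresses that sit inside our own allocations: nodes we may own
    that are already compromised, which the alert says to clean up."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return sorted(str(ip) for ip in iocs if any(ip in n for n in nets))


def log_hits(iocs, log_text):
    """Return {ioc_ip: [(direction, peer, dport, action), ...]} in log order."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        _, src, dst, dport, action = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in iocs:
            hits[str(s)].append(("inbound", dst, int(dport), action))
        if d in iocs:
            hits[str(d)].append(("outbound", src, int(dport), action))
    return dict(hits)


def triage(iocs, ranges, log_text):
    hits = log_hits(iocs, log_text)
    # Internal hosts that were allowed to reach an IOC address: investigate first.
    suspects = {
        peer
        for recs in hits.values()
        for direction, peer, _, action in recs
        if direction == "outbound" and action == "allow"
    }
    return {
        "own_space": iocs_in_own_space(iocs, ranges),
        "hits": hits,
        "hosts_to_investigate": sorted(suspects),
    }


if __name__ == "__main__":
    report = triage(load_iocs(IOC_CSV), ORG_RANGES, FIREWALL_LOG)
    for key, value in report.items():
        print(key, value)
```

As the alert notes, not every connection involving these addresses is malicious, so the output is a list of leads to review, not verdicts; a denied inbound scan on 139/445 is expected Brambul noise, while an allowed outbound session from an internal host is the case to escalate.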
Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible impacts include
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Solution
Mitigation Strategies
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
- Keep operating systems and software up-to-date with the latest patches. Most attacks target vulnerable applications and operating systems. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date antivirus software, and scan all software downloaded from the internet before executing.
- Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Scan for and remove suspicious email attachments. If a user opens a malicious attachment and enables macros, embedded code will execute the malware on the machine. Enterprises and organizations should consider blocking email messages from suspicious sources that contain attachments. For information on safely handling email attachments, see Using Caution with Email Attachments. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
- Disable Microsoft’s File and Printer Sharing service, if not required by the user’s organization. If this service is required, use strong passwords or Active Directory authentication. See Choosing and Protecting Passwords for more information on creating strong passwords.
- Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
References
Revision History
- May 29, 2018: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
from US-CERT National Cyber Alert System https://ift.tt/2GZyD2I