We have recently noticed a run of what we were detecting as Turkish-language Adwind hitting UK and US enterprises in the transportation and IT industries. Adwind is a java-based, platform-independent RAT capable of infecting multiple platforms and has been established to be a further evolution of Unrecom and Frutas. You can see our previous Fidelis Threat Advisory on Unrecom here. In light of the recent discussions on njRAT building on research published by others and our Threat Advisories (FTA #1009, FTA #1010), we thought it would be worth noting global runs involving other malware popular in the Middle East. This post will highlight some of the tactics used and provide IOCs for the community to use.
The delivery mechanism is largely the same, filenames purporting to be purchase orders, lists, delivery notifications and more recently, tax-related lures ending with a .jar extension. In some cases, however, web-based infection models were seen. The Turkish language versions followed the same model and courtesy of Google Translate we were able to glean they used the same lures. Searching on those filenames indicates that this particular actor or actors have been sending these lures out since June 2014.
As of this blog post, VirusTotal reports a majority of AV vendors do not detect this threat.
By extracting the config files we were able to determine the C2 information of the various samples, mostly pointing to dynamic DNS hostnames.
The functionality is generally what you would expect for a RAT, keyloggers, capturing webcams, remote desktop and web browser password recovery. There are even tools to use this RAT on Android-based devices.
Here is a list of indicators for this post:
C2 hostnames (all these samples use ports 1991 and 1992):
Cisco researchers have found a new breed of PoS malware, called “PoSeidon.” The new malware is built on top of the Zeus exploit kit and is an improved version of BlackPOS which was used in the 2013 Target breach. PoSeidon contains a loader that maintains persistence on infected boxes to survive reboots and user log-outs.
NJRat is making a comeback according to researchers at PhishMe. The malware is being delivered via email and contains a link to a file stored on eDisk called “NSFW_Car_Changer.exe” which contains the malware. The executable is compiled with .NET 4.0, making it harder to decode than malware written in C/C++.
Researchers from the Cyber Security Research Center at Israel’s Ben-Gurion University have shown that two air-gapped systems can be breached using heat and their built-in thermal sensors. The method, being called BitWhisper, is the first time researchers have been able to establish a bi-directional communication channel between two air-gapped systems.
Roughly half of all Android handsets are vulnerable to the “Android installer hijacking” vulnerability which allows hackers to replace seemingly benign apps with malicious ones that steal passwords and other sensitive data. The vulnerability only works when apps are being downloaded from third-party app stores or when a user clicks on an app promotion advertisement hosted by a mobile advertisement library.
Zero-day vulnerabilities rose from 14 in 2013 to 25 in 2014 according to Secunia. Flaws in Web browser software increased from 728 in 2013 to 1,035 in 2014. However, vendors are fixing the flaws faster: over 83 percent of the 15,435 vulnerabilities found in 2014 had a patch available by the time the flaw was publicly disclosed, compared with 78.5 percent in 2013.
Last week, a US District Court initially approved a $10M settlement in a class action suit against Target for the Christmas 2013 hack that compromised millions of credit cards and the personal privacy information of 60 million customers. The impact of this settlement will be felt far beyond the $10M in damages provided by the settlement. In fact, the dollar value of the settlement pales in comparison to the incident response costs and fines assessed by the credit card issuers and government regulatory organizations (FTC, state attorneys general, etc.). Target had also taken action to comply with some of the requirements of the class action months ago when it established a CISO position and filled it last June.
One of the provisions of the settlement is extremely unusual and possibly unprecedented: allowing for payment of damages without documentation. Most settlements like this require individuals to provide proof of their losses. In this case, damages of up to $10,000 will first be paid to individuals who provide proof but then, the rest of the settlement funds will be divided among consumers who claim they suffered a loss, even if they don't have documentation.
An attorney for Target customers, Vincent Esades, said after the hearing that the settlement could end up costing Target substantially more than the $10M direct cap on settlements to the claimants. The total cost including attorneys’ fees and administrative costs could likely reach $25M.
As you may have heard, this year RSA Conference has launched a crowdsourced speaking track; in short, RSA has opened a number of speaking abstracts up for a vote and the top 25 will have a shot at being included at the conference. Voting will be open until April 2, with the RSA program committee narrowing down the final 12 winners by April 9.
I’m honored that my proposed session, “How-To: Aggressive Remediation in an APT World”, is included in the voting pool and wanted to give our readers a preview of what my session would entail. Don’t worry, if you’re too busy to read the blog but trust that it’s a good session you can skip ahead and vote here.
The breaches we investigate reveal that APT hackers are often embedded for months or years before discovery, and remediation is not as simple as ending the attack and fixing vulnerabilities. In order to address these advanced attacks, security staff needs to take an aggressive stance during incident response and focus not only on containment but on eradication of the threat.
When you break it down, any incident response program has three equally important parts:
As part of a settlement deal, Target will set aside $10 million to fund claims made by individuals who can prove they suffered financial losses as a result of the data breach at Target in 2013. Each individual is eligible for up to $10,000 in damages. As part of the settlement, Target will also take steps to minimize the risk of a similar breach in the future.
Premera announced a data breach that could impact more than 11 million people on March 17. Hackers may have had access to birth dates, member ID numbers, bank account info, social security numbers, medical claim records and clinical information. The investigation has not determined that any data has been removed but the breach began on May 5, 2014 and wasn’t discovered until January 29, 2015.
A hacker has threatened to share sensitive data belonging to South Korea’s power plants with other countries if a ransom is not paid. The attacker shared some information via Twitter on March 19, but the South Korean state-run Korea Hydro & Nuclear Power Co. believes it didn’t contain any sensitive information.
42 amateur cyber defenders took part in a cyber-terrorist attack simulation organized by the Cyber Security Challenge UK. The competition is in its fifth year and aims to plug the skills shortage currently affecting governments and UK businesses. Over the course of two days, the amateur cyber defenders were tasked with finding vulnerabilities and flaws placed in an operating system and regaining control of a weapons system, among other tasks.
OpenSSL released versions 1.0.1a, 1.01m, 1.0.0r and 0.98zf on March 19 to address 12 flaws, one of which was classified as high severity. The most serious vulnerability, CVE-2015-0291, can lead to denial-of-service attacks. This vulnerability only affects the 1.0.2 branch of OpenSSL.
Adobe has released new versions of its Flash Player to address 11 vulnerabilities. Windows and Macintosh users can update Flash Player to version 22.214.171.124 and Linux users can update to version 126.96.36.1991 for the latest versions. The update fixes memory corruption, type confusion, integer overflow and use-after-free flaws.
Researchers at Google successfully exploited the previously theoretical attack technique known as “Rowhammer” where data written to a row of memory cells can flip a bit in an adjacent row to undermine security. The technique takes advantage of the physics of DRAM. The Google researchers found that 15 of the 29 laptops tested were vulnerable to the attack.
Point-of-sale system manufacturer NEXTEP is investigating a possible data breach at the northern U.S. and Canadian soup restaurant Zoup! The breach was discovered after law enforcement notified NEXTEP about a pattern of fraudulent use of credit cards used at various Zoup! franchise locations. NEXTEP has found security issues in its PoS devices, but the problem does not appear to affect all of its customers.
Microsoft announced that a group clean-up effort between itself, Lenovo and other software makers has reduced the number of Lenovo PCs infected with the Superfish adware to below 1,000. This is a drop from 60,000 on February 21.
Microsoft issued a patch for a critical vulnerability that enabled the Stuxnet attack in 2010. Microsoft had originally issued a patch for the vulnerability known as CVE-2010-2568 in 2010 but researchers discovered it was not complete and the underlying vulnerability remained until the patch issued on March 10.
ICYMI Threat Geek Post of the Week: Tales from the Field: Responding to a Critical Infrastructure Breach by Pat Brooks
Want to keep up with Cyber Scoop throughout the week? Follow us on Twitter @FidSecSys and don’t forget to share articles you think should be in next week’s Scoop using #CyberScoop!