Highlights
Email thread hijacking used in Emotet malspam, hex-encoded PowerShell scripts observed in new variants of the LodaRAT, and fake cracked software sites launched to push the Exorcist 2.0 ransomware are prime examples of how adversaries are evolving their raid arsenal.
In this edition of the newsletter we will cover:
- Fortinet VPN default SSL setting risks
- Zerologon vulnerability
- IPStorm botnet
- Emotet email thread hijacking
- Malicious UEFI firmware images
Fortinet VPN default SSL setting risks
Hundreds of thousands of businesses that are using the FortiGate VPN are at risk of a Man-in-the-Middle cyberattack due to a default Fortinet self-signed SSL certificate. The default certificate uses the router’s serial number as the server name. As the FortiClient does not seem to verify the name of the server to which it is attempting to connect, any third party can re-route the traffic to a command and control server, display a valid Fortinet or a trusted CA certificate, and then decrypt the traffic.
Recommendation: Purchase a certificate and change the default one.
Zerologon vulnerability
Cisco Talos analysts have seen a spike in exploitation attempts against a flaw (dubbed “Zerologon” and tracked as CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol which Windows domain controllers use for various authentication tasks. The vulnerability allows attackers with network access to a domain controller to compromise all Active Directory identity services.
Microsoft has issued a four-step plan to protect vulnerable environments which advises organizations to deploy the August 11th (or later) patch, to monitor the Windows event logs for devices that are making vulnerable connections, to address the non-compliant devices and to enable “enforcement mode” on the domain controllers.
IPStorm botnet
The Intezer Labs research team recently discovered that the IPStorm botnet, previously documented to only target Windows systems and to obscure its malicious traffic via the legitimate Peer-to-Peer network InterPlanetary File System, has started attacking various Linux architectures (ARM, AMD64, Intel 80386) and platforms (servers, Android, IoT).
Written in Golang, the IPStorm malware has historically enabled threat actors to execute arbitrary PowerShell commands on the victims’ Windows machines. The Linux variant has added some features such as SSH brute-forcing as a means to compromise its victims and fraudulent network activity abusing Steam gaming and advertising platforms.
Emotet email thread hijacking
Security experts from Palo Alto Networks’ Unit42 have detected an increase in malspam distributing the Emotet malware via a technique called email thread hijacking. Cyber crooks are utilizing legitimate messages exfiltrated from the email clients of infected computers to impersonate replies to addresses from the original message. This method has proven to be more effective than others in convincing victims to click on malicious links or to open rogue files.
Malicious UEFI firmware images
Kaspersky Labs have found rogue UEFI firmware images that contain code from a multi-stage modular framework – MosaicRegressor – aimed at cyber espionage and data gathering.
The multiple modules help attackers to conceal the wider framework from analysis and to deploy on demand components to the targeted machines.
The “Unified Extensible Firmware Interface”, prevalent on modern day computer systems and typically used to facilitate the machine’s boot sequence and to load the operating system, is ideal for malware persistence. A sophisticated attacker can tweak the firmware to launch malicious code after the operating system has loaded. Furthermore, such implanted malware will be resistant to OS reinstallation or hard drive replacement as the firmware typically ships within the flash storage soldered to the computer’s motherboard.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
Sources
Amatas, Cyware, The Hacker News, SAM, Sophos Naked Security, Threat Post, Data Breach Today, Cisco Talos, Palo Alto Networks, Intezer, Creative Commons