Client Zone

News and Updates for
Sherlock Customers

Sherlock Status

SOC Status

Sherlock SOC: Online

Sherlock SIEM: Online
Sherlock Threat Scan: Online
Sherlock Decoy: Online

Scheduled Maintenance

None

Alerts

None

Recent Threat Briefs

7-18-2018

Malicious MDM used to spy on iPhone users 

Security researchers have discovered a campaign that abused malicious mobile device management (MDM) profiles to install malware and data-gathering applications on iOS devices. Once the MDM profile was installed, it gave remote attackers complete control of the device, allowing them to wake it on demand, install applications, and view all data on the device. Mobile devices are often overlooked when a company assesses its attack surface; they should be enrolled in a legitimate MDM to reduce the risk of compromise and to protect data if a device is stolen.

https://thehackernews.com/2018/07/mobile-device-management-hacking.html


Military secrets breached due to default password usage

While monitoring dark web sales sites, Recorded Future’s Insikt Group discovered the attempted sale of highly classified US Air Force and Army documents. The breach was caused by a failure to patch a previously disclosed FTP vulnerability in NETGEAR routers from 2016. The captain at the Air Force base where the breach occurred had completed a cyber awareness training course but missed the critical step of changing the router’s default password.

https://thehackernews.com/2018/07/dark-web-military-drone_11.html


Open RDP to major airport systems listed for only $10

McAfee researchers uncovered a dark web sales campaign offering open remote desktop protocol (RDP) access to a compromised airport system for the bargain price of $10. The compromised system had already been prepared with a local administrator account ready for use after purchase. Other accounts on the system showed it was a remote terminal used by the airport’s own security vendors. External RDP should never be opened to the public Internet. Instead, always implement a VPN solution with multi-factor authentication, which will establish a secure connection to the system.

https://securityaffairs.co/wordpress/74371/deep-web/rdp-access-dark-web.html

7-11-2018

Typeform Data Breach

Survey company Typeform has confirmed attackers stole customer data by downloading partial data backups. Although they have been vague when asked about what data was stolen, Typeform stated that customer payment data and account passwords were not breached. If your business has used Typeform’s services prior to May 3rd, your data may have been included in this breach. Those affected should be wary of increased phishing scams and spam email. These campaigns are notorious for spreading malware and highlight the importance of verifying senders before downloading email attachments.


21 Million Affected in Timehop Data Breach

Timehop, the company behind the smartphone app of the same name, announced a data breach last week which affected all of its 21 million users. The company assured users that financial data, photos, and social media posts were not included in this compromise. The breach was caused by Timehop’s lack of multi-factor authentication (MFA) on an account with its cloud computing provider. Sherlock recommends enabling MFA on all email and other accounts through which sensitive data can be accessed, to prevent similar breaches. An attacker who steals a password still cannot take over an MFA-enabled account without the second form of identification.


New Strain of Rakhni Malware Discovered

A newly discovered strain of the Rakhni malware dynamically selects the payload used in an infection after profiling the system. From the attacker’s point of view, cryptominers and ransomware each have their own benefits, risks, and preferred targets, so the malware selects the payload that best fits the attacker’s goals. The malware checks whether the infected system is running Bitcoin software from the default install location and whether the system has more than one logical processor. If either condition is true, the malware installs the Minergate mining utility. Otherwise, the malware attempts to spread ransomware to other systems on the local network, killing active programs and encrypting system files.

7-3-2018

VPNFilter Affecting Further Devices

Last week Cisco’s Talos security team uncovered more information regarding the VPNFilter malware that has been infecting SOHO networking devices. The malware affects an even wider range of devices than the original vulnerability list, and now includes devices from ASUS, D-Link, Huawei, Ubiquiti, and UPVEL. Finally, they discovered that this malware has the capability to execute a man-in-the-middle attack and deliver further exploits without the user knowing. If you are currently using networking devices from any of the above vendors, ensure your patches are up to date. If devices have been compromised, performing a hard reset/wipe of the device will remove the malware, but keep in mind this will also remove all custom configuration settings.


Prowli Malware Infects Thousands

A new botnet consisting of more than 40,000 servers, modems, and IoT devices was discovered last week by researchers from the GuardiCore security team. Known as Operation Prowli, this botnet leverages various techniques and exploits to infect devices, including password brute-forcing, malicious code injection, and taking advantage of weak security configurations. Among the list of affected devices and services are Drupal and WordPress CMS servers, DSL modems, NFS servers, PhpMyAdmin installs, and vulnerable IoT devices. Once infected, a cryptocurrency miner and worm are installed on the system, which then performs an SSH brute force attack to infect other devices on the network. In addition to cryptocurrency mining, the botnet has been observed installing malicious extensions on infected devices. To protect against Prowli, follow basic security best practices, like keeping all systems up to date, segmenting your network, and performing system hardening at the OS level.
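The SSH brute-forcing that Prowli uses to spread across a network leaves a distinctive trail in sshd logs: a burst of failed password attempts from one source, sometimes followed by a successful login. The following is an added detection example, written for this brief and not taken from GuardiCore’s or Sherlock’s tooling. It parses OpenSSH syslog lines, counts failures per source address within a sliding time window, and raises a second, higher-priority alert when a source that was already flagged then logs in successfully. The log lines are constructed samples (the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real hosts); the threshold and window are assumed tuning values.

```python
"""Detect SSH password brute-forcing in sshd auth logs. Added example, not code
from GuardiCore or Sherlock; the log lines below are constructed samples in the
format OpenSSH writes to syslog."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both "Failed password for invalid user admin from 192.0.2.45 port 40122 ssh2"
# and "Accepted password for root from 192.0.2.45 port 40151 ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict for password-auth events, or None for unrelated lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Emit one 'bruteforce' alert per source IP once `threshold` failures fall within
    `window_seconds`, and a 'success_after_bruteforce' alert if that IP later logs in."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()            # drop failures that aged out of the window
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "bruteforce", "ip": ev["ip"],
                               "failures": len(recent), "at": ev["ts"]})
        elif ev["ip"] in flagged:
            # A successful password login from a flagged source is the real incident signal.
            alerts.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


# Constructed sample log: a worm-style burst from 192.0.2.45 ending in a root login,
# plus one ordinary typo-then-success from 198.51.100.7 that must not alert.
SAMPLE_AUTH_LOG = """\
Jul 11 03:14:01 webnode sshd[2201]: Failed password for invalid user admin from 192.0.2.45 port 40122 ssh2
Jul 11 03:14:03 webnode sshd[2203]: Failed password for invalid user admin from 192.0.2.45 port 40130 ssh2
Jul 11 03:14:04 webnode sshd[2205]: Failed password for root from 192.0.2.45 port 40131 ssh2
Jul 11 03:14:06 webnode sshd[2207]: Failed password for invalid user pi from 192.0.2.45 port 40140 ssh2
Jul 11 03:14:07 webnode sshd[2209]: Failed password for invalid user ubnt from 192.0.2.45 port 40141 ssh2
Jul 11 03:14:09 webnode sshd[2211]: Failed password for root from 192.0.2.45 port 40150 ssh2
Jul 11 03:14:12 webnode sshd[2213]: Accepted password for root from 192.0.2.45 port 40151 ssh2
Jul 11 03:20:00 webnode sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 11 03:20:05 webnode sshd[2303]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Jul 11 03:21:00 webnode sshd[2305]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample log this yields two alerts for 192.0.2.45 (the brute-force burst, then the root login that followed it) and nothing for 198.51.100.7. Tune `threshold` and `window_seconds` to the host’s normal traffic; the success-after-brute-force alert is the one worth paging on, since it indicates a credential that actually worked.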


Flash Player Zero Day

A new zero-day vulnerability was discovered in Adobe Flash Player (the second so far this year) by the security team at Qihoo360. This vulnerability allows an attacker to take complete control of the affected system through the use of a Microsoft Office document which remotely transfers the malicious Flash content. This differs from similar attacks using Flash in that the content is not embedded directly in the file and therefore does not contain malicious code itself. Adobe has released an emergency patch for all platforms addressing this issue (version 30.0.0.113). We highly recommend patching as soon as possible.

6-7-2018

Remote Code Execution Vulnerability in Git Software

Git released details on a critical vulnerability (CVE 2019-11235) that leads to remote code execution. The vulnerability is exploited when a user clones a repository that contains malicious hooks which are not meant to be included in the workflow. This allows an attacker-controlled remote server to provide code that is executed locally. Git released patches to its software to mitigate the vulnerability. We highly recommend updating your Git installations as soon as possible.


Java: Exploiting “Unreachable” JRMP/RMI/JMX Endpoints

A security researcher released details and PoC code to exploit a vulnerability in the Java Remote Method Protocol (JRMP). Attackers could take advantage of the lack of authentication to send requests to sites on a local network. Coupled with social engineering attacks against the user, this exploit allows full compromise of the internal site and leads to remote code execution. Java patched this vulnerability during the April 2018 critical patch update. It is highly recommended to validate that your Java installations are fully patched.


Apple Patches Buffer Overflow Vulnerabilities

Apple recently released security updates for macOS, iOS, Safari, and other applications. Among the fixes are two high-profile buffer overflow vulnerabilities (CVE 2018-4241 and CVE 2018-4243) discovered by Google security engineer Ian Beer. Both vulnerabilities are kernel-level and allow an application to execute arbitrary code with kernel privileges. To give users a chance to update and protect their devices, Apple is currently not releasing a changelog for the vulnerabilities. It is highly recommended to test and deploy the updates in your environment ASAP.

5-23-2018

Red Hat Users Urged to Patch Critical DHCP Client Vulnerability

Google researcher Felix Wilhelm disclosed a critical vulnerability affecting Red Hat and Red Hat derivatives such as CentOS and Fedora. Exploiting the vulnerability, which affects devices using NetworkManager to obtain network configuration via DHCP, allows an attacker to execute arbitrary commands as root. However, the attacker needs access to the internal network to send malicious DHCP replies to unpatched machines. We highly recommend immediate patching of all affected devices.


Mirai Evolving with at Least Four New Exploits

Mirai, the botnet-creating malware best known for the DDoS attacks against Dyn in 2016, is now targeting new devices. Several Netgear routers, such as the DGN1000, DGN2200v1, R7000, and R6400, are among the affected products, along with many different brands of CCTV camera/DVR systems. We highly recommend patching your systems and disabling any unneeded external access to these systems.


Cisco Releases Security Update for New Security Flaws in DNA Center

Cisco released a security update for users of its DNA Center appliance addressing several issues. One of the more severe vulnerabilities allows unauthorized persons to log in using an undocumented, static, default administration account. This allows the attacker to execute arbitrary code on the affected device. Another flaw allows attackers to bypass authentication and gain unauthorized access to privileged areas. Due to the severity of these vulnerabilities, we highly recommend applying the security update as soon as possible.

5-17-2018

Two Recently Patched Microsoft Vulnerabilities Actively Exploited

Attackers are exploiting two vulnerabilities that Microsoft patched during the May 8th “Patch Tuesday” release. The first vulnerability resides in the VBScript engine and allows remote code execution with the current user’s permissions, using an RTF Microsoft Office document as the initial phase of the attack. The second vulnerability allows attackers to escalate their permissions to kernel mode, letting them circumvent all permission systems on the target machine. Patches correcting these vulnerabilities have since been released. Both vulnerabilities, along with 66 others, should be patched immediately using Windows Update.


AWS Config to Monitor S3 Buckets

Times are changing. Information is no longer confined to a company’s own infrastructure; more and more companies now store their data in the cloud. Sometimes that data is left in a state that allows access by unauthorized persons. One example attackers are constantly looking for is Amazon Simple Storage Service (S3) buckets that are misconfigured to allow public read and/or write access. Thankfully, Amazon’s AWS Config service can be used to detect and alert on these misconfigurations. If you or your company uses S3 to store data, please give the article below a brief read and validate that secure permissions are set on your S3 buckets.

https://aws.amazon.com/blogs/security/how-to-use-aws-config-to-monitor-for-and-respond-to-amazon-s3-buckets-allowing-public-access/
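The two conditions AWS Config checks for in the linked article, a bucket that is publicly readable and a bucket that is publicly writable, come down to inspecting the bucket’s ACL and its bucket policy. The following added example, which is not Amazon’s code or the article’s, shows that evaluation as an offline Python function so the logic is visible: it flags ACL grants to the AllUsers and AuthenticatedUsers groups, and unconditioned Allow statements whose principal is everyone. The ACL and policy documents are constructed samples in the JSON shape returned by the S3 GetBucketAcl and GetBucketPolicy API calls, with placeholder owner and VPC endpoint IDs. Statements that carry a Condition are deliberately not flagged, since deciding whether a condition still amounts to public access needs a manual look.

```python
"""Offline check of S3 bucket ACLs and bucket policies for public read/write
access. Added example, not Amazon's code or the article's; the documents at the
bottom are constructed samples in the shape of GetBucketAcl / GetBucketPolicy output."""

# ACL group grantees meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ = {"READ", "READ_ACP", "FULL_CONTROL"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
POLICY_READ_PREFIXES = ("s3:Get", "s3:List")
POLICY_WRITE_PREFIXES = ("s3:Put", "s3:Delete")


def _as_list(value):
    """Most policy fields accept either a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_permissions(acl):
    """ACL permissions granted to the AllUsers / AuthenticatedUsers groups."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.add(grant["Permission"])
    return perms


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_actions(policy):
    """Actions that an unconditioned Allow statement grants to everyone. Statements
    with a Condition block are skipped: they may still be public (e.g. aws:SourceIp
    0.0.0.0/0) and deserve manual review, but are not flagged automatically here."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions.update(_as_list(stmt.get("Action")))
    return actions


def _matches(action, prefixes):
    return action in ("*", "s3:*") or action.startswith(prefixes)


def evaluate_bucket(acl, policy=None):
    """Classify a bucket as public-read and/or public-write: the same question the AWS
    Config managed rules s3-bucket-public-read-prohibited and
    s3-bucket-public-write-prohibited answer for a live account."""
    acl_perms = acl_public_permissions(acl)
    actions = policy_public_actions(policy) if policy else set()
    return {
        "public_read": bool(acl_perms & ACL_READ) or any(_matches(a, POLICY_READ_PREFIXES) for a in actions),
        "public_write": bool(acl_perms & ACL_WRITE) or any(_matches(a, POLICY_WRITE_PREFIXES) for a in actions),
        "acl_grants": sorted(acl_perms),
        "policy_actions": sorted(actions),
    }


# --- constructed samples (placeholder IDs, not from any real account) ---
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}
ACL_PRIVATE = {"Owner": {"ID": "EXAMPLEOWNERID"},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
ACL_PUBLIC_READ = {"Owner": {"ID": "EXAMPLEOWNERID"}, "Grants": ACL_PRIVATE["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
POLICY_PUBLIC_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanUpload", "Effect": "Allow", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
POLICY_VPC_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}

if __name__ == "__main__":
    for label, acl, pol in [("private", ACL_PRIVATE, None),
                            ("public-read ACL", ACL_PUBLIC_READ, None),
                            ("public-write policy", ACL_PRIVATE, POLICY_PUBLIC_WRITE),
                            ("vpc-only policy", ACL_PRIVATE, POLICY_VPC_ONLY)]:
        print(label, evaluate_bucket(acl, pol))
```

To run this against a real account, feed `evaluate_bucket` the dicts returned by `get_bucket_acl` and `get_bucket_policy` (the latter parsed from its JSON string) for each bucket; AWS Config does the same evaluation continuously and records a compliance change when a bucket drifts.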


Signal Messaging App Vulnerability Allows Remote Code Execution

Security researchers recently discovered a critical vulnerability in the popular messaging app Signal. An attacker could send a simple message with a malicious payload that executes on the target system without any user interaction. A proof-of-concept video was posted to Twitter showing successful exploitation of the affected version. Signal has since released a stable version which mitigates this vulnerability. If you are using Signal in your environment, we highly recommend patching your software as soon as possible.

5-8-2018

Spectre Vulnerability Returns with Eight New Variants

Security researchers discovered eight new Spectre vulnerabilities affecting Intel CPUs. Each of these new vulnerabilities, dubbed “Spectre-Next Generation,” has outcomes similar to those of its predecessor. However, one vulnerability allows an attacker to escape a virtual environment and attack the host. Technical details of these new variants are not yet public, but Intel categorized four of the vulnerabilities as “high risk.” It is estimated that Intel will release patches in two waves, the first in May and the second in June. It is highly recommended to patch your environment once each wave is released and proper testing is completed.


Microsoft (MS) Edge Zero-Day Vulnerability

A zero-day critical vulnerability was found in Microsoft’s Edge web browser that could allow an attacker to collect sensitive information from unsuspecting users. When exploited, the vulnerability allows an attacker to “spoof” any web address they like and replace the contents of the page with their own. Once the attacker convinces an unsuspecting user to view the page, either with social engineering or a phishing attack, the user would be presented with what appears to be a legitimate version of the website they are visiting. This would allow an attacker to harvest login credentials or other types of sensitive information from the user. Currently the vulnerability only affects the latest version of Edge (42.17134.1.0). We recommend either typing each URL manually or using a separate browser entirely.


GitHub and Twitter Discovered Logs Storing Passwords in Plain Text

GitHub recently forced many of its users to change their passwords after it was discovered that their passwords had been logged to its internal audit system. A bug caused the passwords to be logged as plain text rather than in their usual encrypted form whenever a user initiated a password reset. If you have development teams in your organization leveraging GitHub resources, we highly recommend rotating the passwords for their accounts. Twitter also announced this week that a bug accidentally caused it to log user passwords in plain text on a much wider scale than GitHub. Twitter is asking all 330 million users to change their passwords. Be sure your marketing team is aware of this data leakage and responds accordingly.

5-1-2018

Drupal Patches Third Critical Vulnerability in the Last Month

Users who applied patches after Drupalgeddon2 are advised to update to the newest available version of Drupal to combat a recently discovered remote code execution vulnerability. The new vulnerability surfaced as researchers were exploring the Drupalgeddon2 patch and vulnerability. Attacks surfaced hours after Drupal released the patch against this vulnerability, and it is highly recommended to patch your Drupal installations as soon as possible.


Amazon’s Route53 DNS Service Temporarily Hijacked

Attackers hijacked requests to Amazon’s Route53 DNS service for two hours on April 24. The attack appeared to focus on redirecting traffic from the MyEtherWallet.com cryptocurrency site to a server the attackers owned. This could have allowed the attackers to steal authentication details and cryptocurrency from users of the legitimate website, although it appears the attack ended early because the number of requests the malicious server received overwhelmed its available resources. Additionally, the attackers used an illegitimate SSL certificate, which reduced the effectiveness of the attack.


SamSam Ransomware Targeting Entire Organizations

Sophos Security released a report depicting SamSam ransomware attacks as the newest in the enterprise space. The attackers target the entire organization at once, with the goal of infecting as many of those targets as possible at the same time. The attackers then offer the ability to either decrypt each individual device for a specific price, such as 0.5 BTC, or provide a master key to decrypt all compromised devices for 5 BTC. A best practice is to never pay a ransom; instead, routinely maintain clean backups and restore from those in the event of a ransomware attack.

4-25-2018

Chrome Store Ad Blocker Extensions Contained Malicious Code

A total of 20 million users were exposed to browser extension trojans masquerading as legitimate adblockers according to AdGuard’s Andrey Meshkov. Attackers used malicious code hidden inside a modified jQuery library to send information about websites the user visits to a remote server. The remote server then sent commands to the extension, which allowed the attacker full control over the browser. The extensions have been removed from the Chrome Store but users must remove the extension manually if presently installed.


Steganography Increasing in Advanced Malware

Steganography is increasing in advanced malware families according to researchers from IBM, Kaspersky, and McAfee. This method of obscuring data transfer is increasingly used in every form of communication regarding the attack, since detection of the obfuscated data is very difficult and has a high risk of false positives.


Drupalgeddon 2 Attacks Weaponized

Weaponized versions of the exploit against the Drupalgeddon2 vulnerability have enabled mass exploitation attempts against vulnerable servers. Sherlock is monitoring this firsthand on our own honeypot network. Payloads from successful compromise include installation of backdoors, IRC bots, and cryptocurrency mining malware. It is highly recommended to isolate any outstanding unpatched Drupal installations, and give those servers a once-over to verify nothing suspicious or malicious is found.

Get Help Now

Phone

Toll-Free (888) 264-8426

Email

info@sherlockcloud.io

Resources

Get the New Workbook

 Free download:
The Official AWS PCI Workbook

Whitepaper

 Future SOC:
Will working at a Security Operations Center become easy?