Threat Report

We’ve got a quick update for you this week on some news that’s getting attention. APT34 leaks hack tools, Common VPN software has a critical vulnerability patched, and Microsoft underestimates the exploitability of a remote code execution vulnerability. Additionally, an information technology firm from India has been compromised and is being leveraged in attacks against their own customers. Let’s get going.

APT34 hacking tools leak

As reported by zdnet, yesterday some of the tools used by OilRig attack group have been leaked by a group of Iranian hackers called “Lab Dookhtegan”. Lab Dookhtegan started leaking information about the operations of APT34 / OILRIG which supposedly would be the Iranian Ministry of Intelligence. However, this could be false attribution as well. The tools include:

• Glimpse (newer version of a PowerShell-based trojan that Palo Alto Networks names BondUpdater)
• PoisonFrog (older version of BondUpdater)
• HyperShell (web shell that Palo Alto Networks calls TwoFace)
• HighShell (another Web shell)
• Fox Panel (phishing kit)
• Webmask (DNS tunneling, main tool behind DNSpionage)

The full leak and tools were published on Lab Dookhtegan Telegram Channel with 30 members and can be downloaded here. Please make sure you use proper security steps such as sandbox and isolated environments. Open these files at your own risk. You can check more write up details on this GitHub page.

The origin of the leaked files is unknown and was not inspected for 0-day traps.

Pass: vJrqJeJo2n005FF*

VPN applications insecurely storing session cookies

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. As disclosed in a recent CERT advisory, multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

• CWE-311: Missing Encryption of Sensitive Data

The following products and versions store the cookie insecurely in log files:

• CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0
• CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier

The following products and versions store the cookie insecurely in memory:

• CVE-2019-1573: Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0
• CVE-2019-11213: Pulse Desktop Client 9.0R2 and earlier and 5.3R6 and earlier; Pulse Connect Secure (for Network Connect customers) 9.0R2 and earlier, 8.3R6 and earlier, and 8.1R13 and earlier
• Cisco AnyConnect 4.7.x and prior

Microsoft underestimates exploitability of DHCP bug

Microsoft has given the DHCP bug a low criticality score. However, a researcher on a Russian forum has posted information showing how the vulnerability can be exploited for remote code execution on a DHCP client. A rogue DHCP server in your environment could exploit this to hack all of your machines. Microsoft has offered updated guidance on the vulnerability.

Wipro hacked and targeting their own customers

Brian Krebs reported that Indian information technology firm, Wipro, has likely been compromised and hackers are using their foothold to attack Wipro customers.

KrebsOnSecurity heard independently from two trusted sources that Wipro, India’s third-largest IT outsourcing company was dealing with a multi-month intrusion from an assumed state-sponsored attacker.

Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital phishing expeditions targeting at least a dozen Wipro customer systems.

The security experts said Wipro’s customers traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network.

One source familiar with the forensic investigation at a Wipro customer said it appears at least 11 other companies were attacked, as evidenced from file folders found on the intruders’ back-end infrastructure that were named after various Wipro clients. That source declined to name the other clients.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday April 4th 2019