Threat Report

As if the week couldn’t get any longer, we have a few key threats we want to get you up to speed on.

We’re covering:

• The pervasive exposure of Microsoft Exchange Server to a 10-year-old vulnerability
• A new version of PowerShell Empire
• Two password dumps that’ll get recycled into credential stuffing attacks
• A tag team by baddies looking to body slam enterprise retail point-of-sale systems

Let’s get this party started.

Microsoft Exchange Servers Largely Exposed

Over 80% of Microsoft Exchange servers currently on the internet (roughly 350,000 servers) are vulnerable to exploitation due to CVE-2020-0688, a critical remote code execution flaw in the exchange control panel (ECP) component that’s enabled by default and impacts all Microsoft Exchange server versions.

After the Zero Day Initiative discovered and posted a technical description of the vulnerability, researchers have been hard at work dissecting the report. Multiple proofs-of-concept (POCs) have now been published for CVE-2020-0688, including a Metasploit module.

Rapid7 reports that there are over 31,000 Exchange 2010 servers that haven’t been updated since 2012, and nearly 800 Exchange 2010 servers that have never been updated.

Multiple nation-state actors are now exploiting this vulnerability. However, Microsoft patched CVE-2020-0688 on February 2020 Patch Tuesday. If you’re still running your own exchange server, patch now!

New Version of PowerShell Empire Evades Defender

BC-Security announced the release of Empire 3.1.4 on Twitter. Empire is a PowerShell and Python post-exploitation agent used by red teams and attackers. For example, after attackers use one of the CVE-2020-0688 POCs, they could drop Empire to move laterally in the network.

The original Empire maintainers abandoned the project approximately eight months ago, but BT-Security maintains a fork of Empire and continues to add features.

Some of the significant changes in this version include:

• The macro stager payload and HTTP listener have improved obfuscation to evade new signature-based detection in Windows Defender. However, this may not fool behavior analysis.
• importlib replaced a deprecated package used to preload Empire’s modules at runtime. This makes it easier for users to create and import modules to the tool.

Italian Email Service Provider Compromised

On April 5, 2020, attackers going by the name of NN (No Name) Hacking Group claimed responsibility for an intrusion that occurred in January 2018.

Their website, according to ZDNet, reads, “We breached Email.it Datacenter more than 2 years ago and we plant ourself like an APT. We took any possible sensitive data from their server and after we chosen [sic] to give them a chance to patch their holes asking for a little bounty. They refused to talk with us and continued to trick their users/customers. They didn’t contacted their users/customers after breaches!”

On February 1 2020, the hackers attempted to extort Email.it and asked for “a little bounty.” An Email.it spokesperson told ZDNet that the company declined to pay and notified the Italian Postal Police (CNAIPIC).

As a result, the hackers publicly advertised the company’s data in an attempt to sell it for anywhere between 0.5 and 3 Bitcoin (approximately $3,500 and $22,000), claiming to have dumped 46 databases belonging to Email.it. The hackers stated that the databases contain plaintext passwords, security questions, email content, and email attachments for all users who signed up and used the service between 2007 and 2020. They also claimed to have plaintext SMS messages sent through Email.it’s SMS-sending service as well as the source code of all Email.it’s web apps, including admin and customer-facing applications.

Email.it has not confirmed or denied all of the hacker’s claims but stated that they stored no financial information on the compromised server: “The attack only concerned a server with administrative data (billing addresses and data for service communications).” The company also stated that they immediately patched the server and are working with authorities.

Dailymotion Password Dump

Underground forums now host a cracked password dump from a Dailymotion breach, including two downloadable files of usernames, email addresses, and passwords. The threat actor claims they “paired the [password] hashes with cracked ones from hashes.org.” They describe the entire database as being more than 85 million lines, but only “6% of the hashed lines have been cracked.”

Dailymotion suffered a breach in January 2020 that compromised some customer accounts. However, the reference to 85 million records likely means these password hashes are from a breach in December 2016, and not this new breach.

FIN6 and WIZARD SPIDER Team Up

On April 7, 2020, researchers at the security firm IBM X-Force identified a partnership between FIN6 and Trickbot operators known as WIZARD SPIDER. The duo teamed up with the end goal of targeting point-of-sale (POS) machines with the use of WIZARD SPIDER’s malware framework “Anchor.” The attack initially starts through malicious spam campaigns that deliver the Trickbot malware. Once Trickbot infects the targeted organization, Anchor is used to spread laterally.

Anchor malware communicates over the Domain Name System (DNS) used in targeted attacks on enterprise networks, including POS systems, following the initial infection by Trickbot. Researchers connected FIN6 and WIZARD SPIDER based on recent findings of security firms SentinelOne and Cybereason.

Additionally, an investigation into “More_eggs” samples used in recent attacks show they are similar to those FIN6 used and share a command-and-control (C2) infrastructure.

Hashes

d9a245f1fb502606c226c364aa1090f25916e68f5ff24ef75be87ad6a2e6dcc9
dcf714bfc35071af9fa04c4329c94e385472388f9715f2da7496b415f1a5aa03

URLs

https://drive.staticcontent[.]kz/drive/info
https://host.moresecurity[.]kz/host/info
https://metric.onlinefonts[.]kz/metric/inf

That’s it for this one. Check out our other blogs and stay tuned for next week’s threat report. Stay safe, healthy, and keep it Perchy!

- Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday April 1st 2020