Paul Scott
on August 22, 2019

Threat Report Thursday August 22nd 2019

Let’s see what’s poppin’ in this week’s threat report. Or, getting popped as it were. We’ve got ransomware in Texas, implanted code at Webmin, the return of a banking trojan that’s gone the way of polymorphic malware, and the 2019 mid-year breach update. Giddy-up, partner!

Texas Ransomware Massacre

In a coordinated ransomware massacre, at least 20 local government entities across the Lone Star state have been hit, and hackers are asking for $2.5M.

According to DIR resources, “the Texas Military Department, and the Texas A&M University System’s Cyber response and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions.”

Keene, Texas Mayor Gary Heinrich said that the threat actor deployed ransomware through the software from the managed service provider (MSP) used by the administration for technical support.

A company providing MSP service typically uses software that allows remote management of a client’s network. This way, the MSP can monitor the activity and fix problems, as well as install system updates or applications.

According to Heinrich, the City of Keene uses the same external company that provides IT support services to many of the other impacted municipalities. MSPs have started to be a target for ransomware operators because a successful compromise offers access to multiple clients. This is why it’s important for MSPs to monitor their own house.

In a survey from Anomali, roughly one in five Americans (21%) have experienced a ransomware attack on a personal and/or work device; among those who experienced an attack on a work device, 46% say their company paid the ransom.

One thing you may not know about Perch is that our Security Operation Center is 100% Texan. So, this hits a bit close to home for us. We might need to round up a Texas Intel posse in response to this one.

Critical Webmin Vuln was implanted

At Defcon on August 10th, Turkish researcher Özkan Mustafa Akkuş publicly presented a critical remote code execution 0-day in the popular hosting software Webmin. Akkuş also released a Metasploit module for this vulnerability that aims to automate the exploitation using the Metasploit framework.

With 3 million downloads per year, Webmin is one of the world’s most popular open-source Web-based applications for managing Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers. Webmin offers a simple user interface (UI) to manage users and groups, databases, BIND, Apache, Postfix, Sendmail, QMail, backups, firewalls, monitoring and alerts, and much more.

Following the public disclosure, the project’s maintainers revealed the vulnerability was not actually the result of a coding mistake made by the programmers. It was secretly planted by an unknown hacker who injected the backdoor into Webmin’s build infrastructure (some of that build infrastructure publishes to SourceForge). This persisted into various releases of Webmin (1.882 through 1.921) and remained hidden for over a year.

Bolik Banking Trojan is back

The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.

Where they previously hacked legitimate websites to hijack download links and serve malware, the hackers are now taking the easier route of cloning websites like NordVPN, Crystal Office, and Invoice360 to deliver banking Trojans onto unsuspecting victims’ computers. This allows them to focus more energy on updating their Trojan.

The cloned websites have a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.

“Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus,” according to Dr.WEB.

The infected NordVPN installers will actually install the NordVPN client to avoid raising suspicions while dropping the Win32.Bolik.2 Trojan malicious payload behind the scenes on the now compromised system.

“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”

Full List of indicators on GitHub.

Big Breaches

The biggest breaches in the first six months of this year included one at Verifications.Io that exposed 983M records with sensitive information; another at First American Financial Corp that impacted 885M records; and one at an unknown organization that leaked personally identifiable information on some 275M Indian citizens.

Eight mega-breaches accounted for 3.2B, or 78.6%, of the total number of records that were compromised in the first half of this year. More than seven-in-10 (70.5%) of the breaches exposed email addresses, and 64.2% exposed passwords – a sign of the high level of attacker interest in obtaining credentials for use in future malicious activities.

Only 11% of the exposed records during the first half of 2019 were SSNs, compared to 22% last year, and 27% in 2017. Similarly, just 8% and 11%, respectively, of the breached records involved birth dates and addresses, compared to 13% and 22% last year.

There were far fewer Web breaches (162) than there were incidents of unauthorized access to systems and services by external hackers (3,128). Yet, Web breaches were responsible for more than 80%, or 3.3B, of the records that were exposed in the first half of 2019.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
