Paul Scott
on January 16, 2020

Threat Report Thursday January 16th 2020


Hello Perchy people. I’m happy to be back with the first threat report from Perch in 2020. I took a much-needed vacation, but the threats did not. This week we’re discussing an unpatched Citrix vulnerability with PoCs available, a critical vulnerability in Microsoft’s CryptoAPI disclosed by the NSA, a recent Emotet campaign targeting the United Nations, and a new strain of malware used by Iranian-linked APT34 dubbed PowDesk.

Citrix vulnerability running wild

In a research report published in December 2019, security researchers observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, which are vulnerable to attacks exploiting CVE-2019-19781.

The vulnerability impacts multiple Citrix products, including Citrix ADC and Citrix Gateway, in versions 10.5 to 13.0 across all supported builds. At least 80K companies are potentially at risk, with the top five countries being the U.S., the UK, Germany, the Netherlands, and Australia. If successfully exploited, CVE-2019-19781 allows unauthenticated attackers to perform arbitrary code execution via directory traversal.

Perch began seeing exploitation attempts as early as January 8th. The first attempts at exploitation were sourced from China from the address 27.115.124.6.

In successful attacks observed by Perch, the attackers have, post-exploitation, instructed compromised hosts to pull scripts from 185.178.45.221. Those scripts then instruct the compromised host to download netscalerd, a known ELF cryptominer executable, from 217.12.221.12.

On January 10, 2019, researchers from ProjectZero India (not to be confused with Google’s Project Zero) released a proof of concept on GitHub in response to TrustedSec.

Citrix has not yet released a patch for this vulnerability; upgrade all vulnerable appliances to a fixed firmware version as soon as one is released. Until then, monitor network activity and logs from vulnerable hosts to determine whether they have been successfully exploited, and apply Citrix’s published mitigations.

We’ve observed too many IPs scanning for this vulnerability to add directly to this threat report, so we’ve posted the full list of sources to pastebin.
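Citrix’s interim mitigation hinges on the request shape (a decoded URL containing both “/vpns/” and “/../”), and the report names three source addresses, so the log review it recommends can be scripted. The following is an added example, not Perch’s or Citrix’s code: it assumes access logs in the common “combined” web-server format (one request per line), decodes the path until stable so percent-encoded dots cannot hide a traversal, and flags lines that match the traversal pattern or come from an address named in this report. The sample log lines are constructed.

```python
"""Flag HTTP requests matching the CVE-2019-19781 traversal pattern.

Added example, not Perch's or Citrix's code. Assumes access logs in the
common "combined" web-server format (one request per line); the sample
lines below are constructed, and the three source addresses are the ones
named in the report.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Scanner and post-exploitation hosts named in the report.
REPORT_IOC_IPS = {"27.115.124.6", "185.178.45.221", "217.12.221.12"}

# client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw: str) -> str:
    """URL-decode until stable so %2e%2e or %252e%252e cannot hide a traversal."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["path"]).lower()
    reasons = []
    # Citrix's published mitigation drops requests whose decoded URL contains
    # "/vpns/" together with "/../"; this check mirrors that traversal test.
    if "/vpns/" in path and "/../" in path:
        reasons.append("vpns-traversal")
    if m["ip"] in REPORT_IOC_IPS:
        reasons.append("report-ioc-ip")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": m["path"],
        "status": int(m["status"]),
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Return one finding per suspicious line, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


# Constructed sample: a benign request, a traversal from a report IP, a
# percent-encoded traversal from an unlisted address, and another benign line.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
27.115.124.6 - - [08/Jan/2020:10:03:44 +0000] "GET /vpn/../vpns/probe HTTP/1.1" 200 83
198.51.100.7 - - [09/Jan/2020:11:15:00 +0000] "POST /vpn/%2e%2e/vpns/probe HTTP/1.1" 200 0
198.51.100.9 - - [09/Jan/2020:11:16:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9801
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        # A 200 on a traversal request is the case to escalate: the appliance
        # served the request instead of rejecting it.
        print(finding)
```

The status code matters more than the match itself: a traversal request answered with 200 means the appliance served it, which is the “successfully exploited” case the report tells you to look for, and the host should then be checked for the follow-on script downloads and the netscalerd miner described above.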

Critical vulnerability in MS CryptoAPI (CVE-2020-0601)

The National Security Agency (NSA) alerted Microsoft to a significant issue affecting Windows 10. According to federal officials, the vulnerability resides in a Windows component known as crypt32.dll, a Windows module that handles “certificate and cryptographic messaging functions in the CryptoAPI.” The CryptoAPI enables developers to secure Windows-based applications using cryptography and includes functionality for encrypting and decrypting data using digital certificates.

The flaw allows attackers to create malicious software imitating Microsoft applications or tools, stage attacks on encrypted Web sessions in Edge and Internet Explorer and break into locked Windows computers.

It was unclear how long the NSA knew about the flaw before reporting it to Microsoft. The disclosure is a departure from past interactions between the NSA and major software developers like Microsoft. Historically, the NSA has kept major vulnerabilities secret in order to use them as part of the U.S. tech arsenal. This likely means that the NSA has known about the vulnerability for a while, weaponized it, and leveraged it. They would only disclose something like this if the vulnerability was discovered by other nation-state hacking groups and turned on U.S. targets.

The NSA has released a report containing further details of the vulnerability as well as patching guidance.

Emotet is back after the holidays

On January 13, 2020, Emotet operators targeted the United Nations with a phishing attack. The attackers purported to be the Permanent Mission of Norway and sent phishing emails to 600 unique email addresses at the United Nations.

The malicious email contained a Microsoft Word document attachment that prompted users to click “Enable editing” to view the document. A malicious macro then executes and downloads Emotet onto the victim’s computer.

Once a host is infected, the email account configured on it sends spam to other potential victims, which in turn installs the TrickBot trojan. TrickBot is known to open a reverse shell back to the operators of Ryuk ransomware, who proceed to infiltrate the network and ultimately deploy Ryuk to encrypt every device on it.
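The chain above starts with a Word attachment that needs its macro to run, which is the one step a mail gateway can see before any user clicks “Enable editing”. The following is an added example, not Perch’s code and not the campaign’s document: it builds two minimal Office Open XML archives in memory (constructed samples, with placeholder bytes in place of a VBA project), detects a VBA project either by its part name or by its declared content type in the manifest, and applies an illustrative verdict policy that is an assumption, not a vendor rule.

```python
"""Flag Office Open XML attachments that carry a VBA project.

Added example, not Perch's code. It builds two minimal .docx-style archives
in memory (constructed samples, not the campaign's document) and checks them
the way a mail gateway could before a user is ever asked to "Enable editing".
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"                      # where Word stores macros in OOXML
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MANIFEST = "[Content_Types].xml"


def has_vba_project(data: bytes) -> bool:
    """True if the archive contains or declares a VBA project; False for non-zip input."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if VBA_PART in names:
                return True
            # The part can be renamed, but the manifest still has to declare its type.
            if MANIFEST in names:
                return VBA_CONTENT_TYPE in zf.read(MANIFEST).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    return False


def assess_attachment(filename: str, data: bytes) -> dict:
    """Illustrative verdict policy (an assumption): macros inside an extension that
    should never carry them are blocked, macro-enabled documents are held for
    review, everything else passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macros = has_vba_project(data)
    if macros and ext in ("docx", "dotx"):
        verdict = "block"
    elif macros:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"filename": filename, "has_macros": macros, "verdict": verdict}


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML archive; the VBA part is placeholder bytes, not code."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macros:
        types.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macros in (("invoice.docm", True), ("invoice.docx", True), ("memo.docx", False)):
        print(assess_attachment(name, build_sample_docx(macros)))
```

Checking both the part name and the manifest content type matters because either one alone can be tampered with; a file that declares a VBA project under a different part name is still a macro document. Legacy binary .doc files are a different container (OLE) and are not handled here.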

PowDesk

Iranian-linked APT34 has been found using a new malware tool called PowDesk, a new iteration of QUADAGENT. PowDesk specifically targets LANDesk users via a PowerShell-based implant that steals data about the victim host and exfiltrates it over HTTP. The malware is not obfuscated in any manner, giving defenders a chance to detect it upon delivery.

The sample was first uploaded to and scanned by VirusTotal on December 13th, 2019, from the U.S. through an API account.

File name: CBA8REINSTALL[1].EXE
File type: Win32 EXE
File size: 66.50 KB
Creation date: 21/01/2017

MD5: 2de2e528991ac2d85aa8f12fce5351ad
SHA-1: 7e14e661a577e7cb502717e9570c6651932ab4b8
SHA-256: 8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d

After the initial executable runs, a PowerShell file is dropped in the %TEMP% folder. On every run of the initial file, the PowerShell file is dropped under a different name containing a combination of four random capital letters and numbers.

PowDesk contains a validation mechanism for the infected endpoint. The results of the check are sent to the attackers, who decide whether to continue with the attack. The checks performed by this mechanism point to a very targeted attack against companies that use the LANDesk Management Agent. Below you can see the PowDesk run command:

The malware has been observed communicating with a command and control server using a URL of the following form:

hXXp://lcepos[.]com/php/reclaimlandesk[.]php?devicename=$name&result=$result
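Because PowDesk is unobfuscated and beacons over plain HTTP, the indicators in this section (file hashes, the dropped-file naming, and the C2 URL shape) translate directly into matching logic. The following is an added example, not Perch’s code: the hashes and the defanged URL are the report’s; the proxy log lines, the %TEMP% listing and the log column layout (time, client, method, URL, status) are constructed assumptions, and the dropped-file regex (a four-character stem of capital letters and digits with a .ps1 extension) is one reading of the report’s description, not a confirmed pattern.

```python
"""Match the PowDesk indicators from this report against host and proxy data.

Added example, not Perch's code. The hashes and the defanged C2 URL are
taken from the report; the proxy log lines and file names below are
constructed, and the log column layout (time, client, method, URL, status)
is an assumption.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

REPORT_HASHES = {
    "2de2e528991ac2d85aa8f12fce5351ad": "md5",
    "7e14e661a577e7cb502717e9570c6651932ab4b8": "sha1",
    "8406ca490c60ec41569b35f31f1860ff4663bba44d1daac64760ecdfe694203d": "sha256",
}
DEFANGED_C2 = "hXXp://lcepos[.]com/php/reclaimlandesk[.]php?devicename=$name&result=$result"

# Assumed naming: a stem of four capital letters/digits with a .ps1 extension,
# one reading of the report's "four random capital letters and numbers".
DROPPED_PS1_RE = re.compile(r"^[A-Z0-9]{4}\.ps1$")


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions so the indicator can be matched."""
    return (indicator.replace("hXXp", "http").replace("hxxp", "http")
            .replace("[.]", ".").replace("(.)", "."))


C2 = urlsplit(refang(DEFANGED_C2))   # host lcepos.com, path /php/reclaimlandesk.php


def match_hash(digest: str) -> Optional[str]:
    """Return which report hash a digest (any case, surrounding whitespace) matches."""
    return REPORT_HASHES.get(digest.strip().lower())


def c2_beacon(url: str) -> Optional[dict]:
    """Return the exfiltrated fields if url has the C2 host, path and both parameters."""
    u = urlsplit(url)
    if u.scheme != "http" or u.hostname != C2.hostname or u.path != C2.path:
        return None
    q = parse_qs(u.query)
    if "devicename" not in q or "result" not in q:
        return None
    return {"devicename": q["devicename"][0], "result": q["result"][0]}


def scan_proxy_log(text: str) -> list:
    """Findings for every line whose URL column is a PowDesk beacon."""
    findings = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        beacon = c2_beacon(cols[3])
        if beacon:
            findings.append({"time": cols[0], "src": cols[1], **beacon})
    return findings


def suspicious_temp_files(names: list) -> list:
    """File names from a %TEMP% listing that fit the assumed dropped-file pattern."""
    return [n for n in names if DROPPED_PS1_RE.match(n)]


# Constructed samples: the first line has the report's URL shape with a made-up
# device name and result; the second reuses the path on an unrelated domain.
SAMPLE_PROXY_LOG = """\
2020-01-14T09:12:01Z 10.0.0.21 GET http://lcepos.com/php/reclaimlandesk.php?devicename=WS-FIN-07&result=1 200
2020-01-14T09:12:05Z 10.0.0.22 GET http://example.com/php/reclaimlandesk.php?devicename=x&result=0 200
2020-01-14T09:13:10Z 10.0.0.21 GET http://lcepos.com/index.html 200
"""
SAMPLE_TEMP_LISTING = ["AB3X.ps1", "setup.ps1", "Q7ZK.ps1", "report.docx"]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(suspicious_temp_files(SAMPLE_TEMP_LISTING))
    print(match_hash("8406CA490C60EC41569B35F31F1860FF4663BBA44D1DAAC64760ECDFE694203D"))
```

The beacon match deliberately keys on host, path and parameter names rather than the full URL, since the devicename and result values change per victim; the matched devicename is itself useful, because it names the host the operators were asked to validate.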

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
