Paul Scott

on June 13, 2019

Threat Report Thursday June 13th 2019


Buckle up, we have a big threat report this week. First, let’s talk about the critical vulnerabilities everyone is talking about, then catch up on some APT news. Then, we’ll get to the fun stuff. Data from U.S. Customs and Border Patrol ended up on the dark Web, and Radiohead makes hacking history with its response to ransom demands.

Critical vulnerability: EXIM

If you weren’t aware, a recently disclosed vulnerability allows code execution on Exim servers, both locally and remotely. Now we’re starting to see exploit attempts against that vulnerability.

On June 9, 2019, Twitter user @freddieleeman shared that they had detected the first attempts at exploiting CVE-2019-10149, a remote code execution vulnerability impacting the Linux mail transfer agent Exim, along with a screenshot of the commands executed during the attempts.

The commands attempted to download a script from httx://173[.]212[.]214[.]137/s. On June 10, Twitter user @specig1 added that a version of the exploit downloads a script which in turn downloads a 32-bit binary that tries to connect to a remote host.

@freddieleeman also states that they have seen multiple variants of the exploit and that the latest versions directly download the malicious binary and run it, skipping the intermediary step of collecting system data.

Critical vulnerability: NTLM

Two critical vulnerabilities in Microsoft’s NTLM authentication protocol make it possible for attackers to run remote code and authenticate on machines running any Windows version.

Threat actors can “remotely execute malicious code on any Windows machine or authenticate to any Web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.”

The Windows NTLM (short for NT LAN Manager) Authentication Protocol is used for client/server authentication between remote users and services. Microsoft has added protections to block NTLM relay attacks. However, researchers discovered several flaws in those relay controls that can be exploited. NTLM relay attacks are a favorite for pentesters.

NTLM Relay Attack

Microsoft added a Message Integrity Code (MIC) field to guarantee attackers cannot tamper with NTLM messages. However, a researcher found a bypass enabling attackers to remove the ‘MIC’ protection and alter various NTLM authentication flow fields.

SMB Session Signing blocks “attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions.” However, researchers also found a vulnerability allowing “attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution.”

Finally, Enhanced Protection for Authentication (EPA) was designed to stop potential attackers from “relaying NTLM messages to TLS sessions,” but researchers discovered another bypass enabling hackers to alter “NTLM messages to generate legitimate channel binding information.”

This allows an attacker to authenticate to various Windows Web servers with a compromised user’s privileges to “read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers).”
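A server-side consistency check for the MIC bypass described above, as an added example (not code from the original post, the researchers, or Microsoft). It parses an NTLM AUTHENTICATE message using the public MS-NLMP layout and flags messages whose integrity-protected MsvAvFlags say a MIC was sent while the MIC field is missing or zeroed; the function names are hypothetical and the sample messages are constructed.

```python
import struct

MSV_AV_EOL, MSV_AV_FLAGS = 0x0000, 0x0006   # AvId values from MS-NLMP
MIC_PRESENT = 0x00000002                    # MsvAvFlags bit: client supplied a MIC
MIC_OFFSET, PAYLOAD_OFFSET = 72, 88         # layout when Version and MIC fields exist


def av_flags(nt_response: bytes) -> int:
    """Return MsvAvFlags from an NTLMv2 response, or 0 if the pair is absent."""
    pos = 16 + 28  # skip NTProofStr and the fixed part of NTLMv2_CLIENT_CHALLENGE
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        value = nt_response[pos + 4:pos + 4 + av_len]
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and len(value) == 4:
            return struct.unpack("<I", value)[0]
        pos += 4 + av_len
    return 0


def mic_stripped(msg: bytes) -> bool:
    """True when the signed AV flags promise a MIC that the message lacks."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    # Six (Len, MaxLen, BufferOffset) descriptors: LM, NT, domain, user, host, key.
    fields = [struct.unpack_from("<HHI", msg, off) for off in range(12, 60, 8)]
    first_payload = min((o for n, _, o in fields if n), default=len(msg))
    nt_len, _, nt_off = fields[1]
    promised = bool(av_flags(msg[nt_off:nt_off + nt_len]) & MIC_PRESENT)
    # The MIC field only exists if the payload starts after the 88-byte header.
    mic = msg[MIC_OFFSET:PAYLOAD_OFFSET] if first_payload >= PAYLOAD_OFFSET else b""
    return promised and (not mic or mic == bytes(16))


def build_sample(with_mic: bool) -> bytes:
    """Constructed AUTHENTICATE message (not a capture); only the NT response is set."""
    av_pairs = struct.pack("<HHI", MSV_AV_FLAGS, 4, MIC_PRESENT)
    av_pairs += struct.pack("<HH", MSV_AV_EOL, 0)
    nt_response = bytes(16) + b"\x01\x01" + bytes(26) + av_pairs
    start = PAYLOAD_OFFSET if with_mic else 64
    lengths = (0, len(nt_response), 0, 0, 0, 0)
    fields = b"".join(struct.pack("<HHI", n, n, start) for n in lengths)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", 0)
    if with_mic:
        header += bytes(8) + b"\xaa" * 16   # Version field + placeholder MIC value
    return header + nt_response
```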

APT news: FIN8 returns

After two years, cyber-espionage group FIN8 returns with improved tools and techniques targeting the hospitality sector.

FIN8 is known for targeting companies that run point-of-sale (POS) systems. The attacks in the new campaign of the FIN8 group leveraged the same malware used in the past with improved evasion and persistence features.

The threat actors infect victim machines with malware to steal payment card details to sell on the marketplace for profit. Additionally, FIN8’s activity has shown some overlap with that of FIN6 and FIN7 in the past.

The goal of the campaign is to increase attacks against POS systems around the globe.


APT news: ICE Fog malware

A Chinese APT malware dubbed Icefog, also known as Fucobha, has been spotted in a new wave of attacks with both new and upgraded versions, and is now part of the arsenal of multiple Chinese cyber-espionage groups.

Two malware strains, tracked as ICEFOG-P and ICEFOG-M, have been used in attacks starting in 2014 and 2018. The ICEFOG-P variant, used between 2014 and 2018, is not particularly advanced: the code is simple, and most samples were not even packed. ICEFOG-M, which appeared in 2019, used a file-less payload to hide its infrastructure and to prevent detection.

Additionally, the new Icefog variants were not used in campaigns that could be associated with the original Icefog group, but they were spotted across a large number of attacks orchestrated by different groups. The variants were spotted in attacks targeting different sectors; however, it is unclear at present how the Icefog samples were shared.

Organizations should adopt security solutions that can track malicious activities to detect any potential attacks.


U.S. CBP’s data breached twice. First by subcontractor and then by hackers.

We recently discussed the overwhelming amount of Personally Identifiable Information (PII) and sensitive data that is compromised in breaches. In another data breach, United States Customs and Border Control has lost control of some data too.

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said an agency statement.

A subcontractor breached CBP data, and CBP was not aware it had lost control of the data until the same data was breached a second time. Only once the breached CBP data made it to the dark Web did CBP become aware of its security problem.

CBP declined to name the subcontractor that stole data from CBP, but in a subsequent operational security failure, CBP sent a filename containing “Perceptics” to the Washington Post.

Although the data only includes the videos/photos of travelers, when is this data alone enough to be considered sensitive information?

Between Amazon Ring-based police surveillance networks and Amazon facial recognition deployed in prisons, the technology to track and identify the movement of a large number of people is available and in use. I bet every one of the 100,000 people pictured in the breached data can be personally identified by AWS or FB facial recognition.

Public and private sectors are actively cooperating in ways that are attempting to make the human face as unique an identifier as a social security number, driver’s license, birthday, and dad’s maiden name wrapped into one. A trip to a big box store is more of a privacy risk than ordering from a dot com now.

The ACLU issued the following statement, “This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”

Radiohead shrugs off ransom demands

When hackers demanded $150,000 USD after stealing 18 hours of music last week, Radiohead released the data publicly, according to a tweet from Radiohead guitarist Jonny Greenwood on Tuesday.


The recordings were stolen recently from Radiohead front man Thom Yorke’s archive. The data in the archive was around the 1997 album, OK Computer. The recordings are available on Bandcamp for the next few weeks. We are living through hacking history right here and this will likely be a question on hacker Jeopardy in the future.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
