Threat Report

Lot’s of big game hunting in this weekly threat report. Forbes.com just got popped by credit card skimming pro, MageCart. A number of nasty vulnerabilities are getting the spotlighted in WhatsApp, Windows Remote Desktop, and SQLite. And Hidden Cobra, aka Lazarus, drops a new tunneling tool titled Electricfish.

Forbes Magazine compromised: MirrorThief skims MageCarts’ modus operandi

We’ve covered MageCart a few different times over the last year, so I thought I’d make you aware of recent events in e-commerce skimming. You might remember them from skimming companies such as British Airways, Ticket Master, and NewEgg.

As disclosed by Troy Murch from Bad Packets, hackers have injected a MageCart style form skimmer into the website of Forbes Magazine. There is currently no public conclusion on how the attackers were able to inject this code hosted at fontsawesome[.]gq.

The injected script collects card numbers, expiration dates, and credit card CVV/CVC verification codes, as well as customers’ names, addresses, phone numbers, and emails.

The domain used by the attackers to collect the stolen payment information has been taken down using Freenom’s abuse API, which makes it possible to take down malicious domains immediately.

In another recent campaign, MageCart inspired group, MirrorThief, struck online campus books stores by injecting custom skimming code into the online checkout using PrismRBS’s PrismWeb.

“On April 26, 2019, PrismRBS became aware that an unauthorized third-party obtained access to some of our customers’ e-commerce websites that PrismRBS hosts.

Based on our review to date, PrismRBS determined that an unauthorized party was able to install malicious software designed to capture payment card information on some of our customers’ e-commerce websites.”

It is currently unknown how many users were impacted by credit card theft in these two attacks.

WhatsApp with nation-state level exploits being used to target human rights activists

A vulnerability in WhatsApp was exploited to inject spyware into victims’ smartphones with a single unanswered phone call. This is due to a buffer overflow in the Secure Real-time Transfer Protocol. This would give the attack complete control of the phone, which could be used to invade the user’s privacy or pivot to attack any network to which they are joined.

A fix has been released for this vulnerability and you should upgrade as soon as possible. Facebook posted an advisory earlier in the week.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” Facebook told the Financial Times, which broke the news. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.” It’s likely the NSO Group built the exploits and spyware used against WhatsApp users this month. The London-Israeli backed firm recently valued at $1B sells a highly mobile spyware package, dubbed Pegasus.

NSO says this is a tool for law enforcement. However, most publicized cases of Pegasus have been used by authoritarian and captured governments to monitor human rights activists and reporters. We have previously discussed NSO Pegasus in use in Turkey and Mexico. What liability should NSO have when misuse of their tools occurs? Governments are notoriously bad at holding on to their hack tools and preventing abuse of data. This is why built in backdoors, horded 0-days, and broad data collection are fine ways to make netizens less secure.

Worm-ready Remote Desktop vulnerability patched for EOL Windows

Microsoft recently took an unusual step by providing updates for end of life operating systems this past Tuesday to prevent another WannaCry style ransomware attack like the one in 2017.

CVE-2019-0708 is a remote code execution vulnerability that exists in Remote Desktop Services, formerly known as Terminal Services. This is pre-authentication vulnerability and requires no user interaction.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. An attacker who successfully exploits this can execute arbitrary code on the target system, game over.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” wrote Simon Pope, director of incident response for the Microsoft Security Response Center.

Microsoft has published customer guidance for patching this vulnerability.

“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”

CVE-2019-0708 does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

There are no known IDS signatures at this time, but we’re expecting one soon from one of our community partners. If you have something, send it our way and we’ll deploy it in the Perch community and give you credit.

Remote code execution for popular SQLite

SQLite is a popular client-side base that is used when a fully featured powerful database is not necessary. Many software projects depend on SQLite databases.

SQLite contains an exploitable use-after-free vulnerability that could allow an attacker to gain the ability to remotely execute code on the victim’s machine. SQLite is a client-side database management system contained in a C programming library.

SQLite implements the Window Functions feature of SQL which allows queries over a subset, or “window” of rows. This specific vulnerability lies in that “window” function. An exploitable use-after-free vulnerability exists in the window function of SQLite3 <=3.27.0.

A specially crafted SQL command can cause a use-after-free vulnerability, resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.

For the curious, check out the complete write up here.

Lazarus debuts Electricfish tunneling tool

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a joint security advisory warning of a new strain of malware being used in North Korean cyberattacks.

Dubbed Electricfish, the malware was uncovered while the departments were tracking the activities of Hidden Cobra, aka Lazarus, a threat group believed to be state-sponsored and backed by the North Korean government. We’ve covered this group in past threat reports.

During their investigation, they discovered a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password which can be utilized to authenticate with a proxy server.

Hashes

8d9123cd2648020292b5c35edc9ae22e
a1260fd3e9221d1bc5b9ece6e7a5a98669c79e124453f2ac58625085759ed3bb

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday May 8th 2019