Threat Report

This week we’re looking at some crime stats related to the rise of ransomware, a DHS directive on patch management, a new strain of ransomware that leveraged a 0-day, the return of Magecart, and finally a vulnerability and IoT devices that could help Mirai-variants grow up strong.

The rise of Ransomware

Cybercriminals have focused on businesses during Q1 2019, with consumer threats decreasing by 24% year over year while businesses have seen a 235% increase in the number of cyber-attacks.

This trend is also backed by FBI’s Internet Crime Complaint Center (IC3) annual Internet Crime Reports (2013, 2014, 2015, 2016, 2017, 2018) which show that while ransomware has definitely seen a decrease in the number of incidents since 2016, the total losses have increased despite a decreasing number of complaints.

This likely happened because cybercriminals switched targeting home users to targeting commercial organizations which have resources to pay larger ransoms with more valuable data to unlock.

The 2018 edition of IC3’s Internet Crime Report also underlined that not all ransomware victims report the incident, thus leading to an “artificially low ransomware loss rate.”

DHS doubles down on patching

With all these threats floating in the ether, your vulnerability management game must be strong to avoid rising threats like ransomware.

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued the binding operational directive (BOD) 19-02 which requires federal agencies to remediate critical security vulnerabilities within 15 days of the initial detection.

As explained by CISA, “A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.”

According to the federal agency responsibilities presented within the Code of Laws of the United States of America (U.S. Code), the agencies are required to adhere to DHS-developed directives.

This binding operational directive named “Vulnerability Remediation Requirements for Internet-Accessible Systems” supersedes and revokes BOD 15-01 from May 2015 known as “Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems.”

BOD 19-02 requires federal agencies to review CISA-issued Cyber Hygiene reports and act accordingly to remediate both critical and high severity security issues as detailed by the following rules:

• Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
• High vulnerabilities must be remediated within 30 calendar days of initial detection.

Sodinokibi ransomware leverages Oracle 0-day

Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called “Sodinokibi." Sodinokibi encrypts data in a user’s directory and deletes shadow copy backups to make data recovery more difficult. Not even quick patching could have helped you here.

Attackers have been making use of this exploit in the wild since at least April 17. Oracle patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This gave attackers over a nine-day head start. The vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.

After finishing deploying Sodinokibi ransomware inside the victim’s network, the attackers followed up with an additional CVE-2019-2725 exploit attempt approximately eight hours later. However, this time the attackers chose to distribute Gandcrab.

The attackers likely deployed a different ransomware to double down on the pay day and not waste the unpatched 0-day without giving the victim a bad taste in their mouth. Why would they pay again if they thought the attacker would just re-infect?

This attack is notable because previous ransomware infections take advantage of unpatched systems to install and laterally propagate ransomware, this 0-day exploitation method could work on otherwise fully-patched systems.

Indicators of Compromise (IoC)

Ransomware samples:

0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d 
34dffdb04ca07b014cdaee857690f86e490050335291ccc84c94994fa91e0160 
74bc2f9a81ad2cc609b7730dbabb146506f58244e5e655cbb42044913384a6ac 
95ac3903127b74f8e4d73d987f5e3736f5bdd909ba756260e187b6bf53fb1a05 
fa2bccdb9db2583c2f9ff6a536e824f4311c9a8a9842505a0323f027b8b51451

Distribution URLs:

hxxp://188.166.74[.]218/office.exe 
hxxp://188.166.74[.]218/radm.exe 
hxxp://188.166.74[.]218/untitled.exe 
hxxp://45.55.211[.]79/.cache/untitled.exe

Attacker IP:

130.61.54[.]136 

Attacker Domain:

decryptor[.]top

Magecart back again

This isn’t the first time we’ve written about Magecart and it won’t be the last. Magecart groups have been active since 2015 and represent the continuously evolving cyber threat behind attacks against high profile international organizations like Ticketmaster, British Airways, OXO, and Newegg, as well as various small retailers like MyPillow and Amerisleep.

These malicious campaigns are still going strong given that security outfit Group-IB discovered 2,440 websites during early April which had been compromised and infected with payment card skimming scripts.

A new Magecart skimmer with support for 57 payment gateways, ranges from the highly popular Stripe to local payment processors from Germany, Australia, Brazil, the United States, UK, and many others.

The payment card scraper script “consists of two components: a polymorphic loader, and a sophisticated exfiltration mechanism that supports dozens of payment gateways.” This modular architecture allows the crooks to inject the skimmer within almost any checkout page, on any website, and start scraping card info without the need of customizing it for every store they manage to compromise.

Among the payment gateways supported by the payment card skimming script, de Groot found the following 21 which he could identify:

Adyen (NL), Stripe (US), Pin Payments (AU), eWAY Rapid (AU), Heidelpay (DE), Generic CC payment, Fat Zebra (AU), Radweb (UK), Braintree (US), Pagar.me (BR), Cryozonic Stripe (UK), Cartoes (ES), Authorize.Net (US), Cielo (BR), Secure Trading (UK), Paymetric (US), Moip (US), Ebanx (BR, MX), MundiPagg (BR), PagSeguro (BR), Payment Express (AU).

De Groot also discovered that the Magecart scraper uses the jqueres[.]com domain for hosting both the script loader and the exfiltration server used by its operators to store the payment data they steal. “The sophistication of this skimmer clearly demonstrates the automated workflow of skimmers. It also suggests a collaborative effort: there is no way that a single person could study all of these localized payment systems in such detail,” De Groot speculated.

Prediction: We will see a two million strong bot net

“Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,” said Paul Marrapese, a security engineer who discovered the flaws, in a post last week. “Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.”

An authentication vulnerability (CVE-2019-11220) allows remote attackers to intercept user-to-device traffic in cleartext, including video streams and device credentials.

Independent security researcher Paul Marrapese discovered vulnerabilities in IoT-equipment of dozens of Chinese manufacturers that can be used for MitM attacks and interference with the operation of devices. According to expert estimates, more than 2 million IP cameras, smart doorbells, baby monitors, and other IoT devices are at risk. The main part of insecure devices is concentrated in China (39%), followed by European countries (19%), and by the United States (7%).

It will not be difficult for actors to find vulnerable devices and intercept the information that they send to the control servers. This will allow them not only to pry the owner of the hacked camera, but also to create extensive IoT botnets like Mirai variants.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday April 24th 2019