Universities take a course in ransomware
In this week’s usually weekly threat report, we’re covering a few hot topics:
- New trickbot propagation module
- NetWalker targeting EDUs
- Malware hunting NetBeans IDE
- Hackers actively exploiting Exim
- Bonus Suricata signatures for recent PoCs
Trickbot releases new nworm module
On May 28, 2020, Trickbot operators updated its propagation methods with a new module, “nworm,” that uses evasion techniques while infecting vulnerable Windows Domain Controllers.
Trickbot uses three modules to spread to a domain controller running in an Active Directory (AD) environment: “mworm,” “nworm,” and “tab.”
Once installed, Trickbot will recon the environment that it’s running in and download various modules to perform malicious activity within the compromised environment
The new nworm module runs in memory, leaves no artifacts on infected domain controllers, and disappears after reboot or shutdown; however, as domain controllers are rarely restarted, persistence through a reboot isn’t an issue.
URLs:
http://107.172.221[.]106/ico/VidT6cEr
http://107.172.221[.]106/images/cursor.png
http://107.172.221[.]106/images/imgpaper.png
http://23.95.227[.]159/ico/VidT6cErs
http://23.95.227[.]159/images/cursor.png
http://23.95.227[.]159/images/imgpaper.png
NetWalker ransomware hits 3 EDUs
NetWalker ransomware hit three higher education schools this week.
University of California San Francisco, Columbia College Chicago, and Michigan State University were all ransomed by NetWaker ransomware. So far, none of the schools have paid the ransom. As a result, the ransomware group threatened to release data exfiltrated from the breaches on NetWalker’s Tor leak site.
If the schools don’t pay the leak extortion in 7 days, the data will be dripped publicly. The ransomware group has already begun posting data from Michigan State University. Columbia College is up next, and then UCSF.
This ransom leak strategy is all part of a new 2020 strategy by ransomware authors to improve their win/loss ratio and/or get additional money from victims.
The leaks contain sensitive student information like passport/driver’s license scans, social security numbers, telephone numbers, and addresses.
I think we’re going to hear about more schools being hit by NetWalker in the near future.
If you’re in education, this is a great example of why you should join an information-sharing group, like REN-ISAC, that can notify you about threats other organizations in education are seeing.
26 NetBeans Projects on GitHub Backdoored by Octopus Scanner
On May 28, 2020, details were released on a new piece of malware, dubbed “Octopus Scanner,” which compromised GitHub NetBeans IDE projects.
Octopus Scanner is capable of identifying NetBeans project files and embedding a malicious payload in the project files and Java Archive (JAR) files.
This allows threat actors to directly target developers and gain access to sensitive information, such as additional projects, production environments, as well as database passwords and other critical data.
According to GitHub researchers, the malware will look for NetBeans Integrated Development Environment (IDE) on a developer’s system and inject a backdoor on NetBeans project builds.
The malware hides as an “ocs.txt” file, but it’s really a JAR file. The JAR contains the first stage dropper, which allows the second stage payload, “octopus.dat,” to be executed on the victim’s system.
Once executed, the repositories are cloned or separated on development systems, and the malware will inject a backdoor on the NetBeans projects built. It then spreads a remote access trojan (RAT) and beacons to command-and-control (C2) servers.
GitHub uncovered 26 open source projects that were infected by the Octopus Scanner. GitHub is reportedly working to improve the integrity and security of Open Source Software (OSS).
Review your old logs for activity related to these IOCs to see if one of your users installed a trojan project.
Domains
ecc.freeddns[.]org
openprojectsurls[.]xxx
eln.duckdns[.]org
projectui[.]properties
san.strangled[.]net
Sandworm charming with the WIZard
Since August 2019, Russian hacker group Sandworm has been actively exploiting CVE-2019-10149 (“The Return of the WIZard”), according to an NSA press release published in May 2020.
The flaw, patched in June 2019, lets attackers run remote commands on servers with Exim 4.87 through 4.91. Attackers exploit the flaw by sending the target a crafted email with a command added to the “MAIL FROM:” field.
At the time of this writing, nearly one million Exim servers are currently exposed. Software like cPanel and Plesk bundle in Exim. Outdated web host administration software may contain vulnerable components.
Sandworm abuses two additional security bugs in unpatched Exim servers, both of which are critical and can be exploited remotely without authentication to run code or applications with root privileges:
- CVE-2019-15846 — affects all Exim versions up to and including 4.92.1, reported in July 2019 and patched in early September 2019
- CVE-2019-16928 — affects all Exim servers 4.92 through 4.92.2, received a fix in late September 2019
The following IP addresses and domain name are associated with Sandworm activity:
95.216.13[.]19
103.94.157[.]5
hostapp[.]be
Exim 4.93 is considered a safe release.
Perch Labs
At Perch labs, we’re conducting threat research to detect and respond to customer threats. Here’s some extracurricular reading on a few PoCs and Suricata signatures to go with:
Tomcat deserialization RCE – CVE-2020-9484
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security] Apache Tomcat PersistentManager Filestore Session Check (CVE-2020-9484)"; flow:established, to_server; content:"JSESSIONID="; http_cookie; nocase; content:"|2e 2e 2f|"; distance:0; reference:url, https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/; reference:cve, 2020-9484; classtype:web-application-attack; sid:900083; rev:2;)
Liferay RCE Exploit– CVE-2020-7961
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"[Perch Security]
Liferay JSONWS Unauthenticated Remote Code Execution (CVE-2020-7961)";
flow:established, to_server; content:"POST"; http_method; content:"/api/jsonws";
http_uri;
content:"com|2e|mchange|2e|v2|2e|c3p0|2e|WrapperConnectionPoolDataSource";
reference:url,https://github.com/mzer0one/CVE-2020-7961
POC/blob/ee0756f417bea998c7f8c752ac96f19bb939d253/poc.py;
reference:url,https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve
2020-7961-quick-journey-to-poc.html; reference:cve,2020-7961; sid:900082; rev:1;)
Unvalidated IP-in-IP encapsulation – CVE-2020-10136
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"[Perch Security] Inbound IP-in-IP
Tunneling Detected"; ip_proto:4; reference:url,https://github.com/CERTCC/PoC
Exploits/tree/master/cve-2020-10136; reference:cve,2020-10136; sid:900078; rev:1;)
Cybercriminals are using blockchain DNS
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.bazar' Domains"; flow:established, to_server; content:".bazar";
http_host; reference:url, https://www.digitalshadows.com/blog-and-research/how
cybercriminals-are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900079;
rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.coin' Domains"; flow:established, to_server; content:".coin"; http_host;
reference:url, https://www.digitalshadows.com/blog-and-research/how-cybercriminals
are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900080; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"[Perch Security]
HTTP Traffic to '.bit' Domains"; flow:established, to_server; content:".bit"; http_host;
reference:url, https://www.digitalshadows.com/blog-and-research/how-cybercriminals
are-using-blockchain-dns-from-the-market-to-the-bazar/; sid:900081; rev:1;)
That’s all for this week. Stay safe and keep it Perchy!
- Paul
We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
Next: The DBIR 2020 Lowdown
Share this on: