Cyber Round-up

Cyber Round-up for 24th August

Welcome to this week’s Ironshare’s Cyber Round-up, where we take a look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

The Ransomware train keeps on rolling

Although there appears to have been a slow down in the number Ransomware attacks in comparison to last year, there is still a steady stream of news that tells us that Ransomware is not going away any time soon.

We reported a couple of weeks ago on the success of the SAMSAM ransomware that continues to wreak havoc and roll in the cash. This week the Malware Hunter team have highlighted a new strain called RYUK via their twitter feed, that has targeted a handful of victims in the US & Germany, which includes a healthcare related organisation.

https://twitter.com/malwrhunterteam/status/1030706039144906752

RYUK’s recent activity appears to have already pulled in over $600,000 in Bitcoin. BleepingComputer have published a blog about this new RYUK strain, which when infected, encrypts all files on the target system.

https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/

NOTE: currently there is no publicly available decryption tool available for RYUK.

Ironshare and Ransomware

This week Ironshare engaged with a new client who has been the unfortunate victim of a Ransomware attack. We have assisted the company and their IT service provider, with their response and recovery from this incident. During the investigation we discovered that this was their second attack in the last couple of years, and they did not have the necessary controls, processes and practices in place to protect them.

The Ransomware has been identified as a variant of the Crysis/Dharma family, which uses the extension ‘.combo’. The Crysis/Dharma family of Ransomware have been the most common variants we have come across in the last 12 months.

We highlight this in the hope that organisations can learn from the misfortune of others, by ensuring they have the right controls & practices in place that can protect them from this type of attack:

  • Management protocols such as RDP (Remote Desktop) should not be accessible from the internet.
  • If you need to use management tools such as RDP, always use a remote access VPN service to connect to the internal network before making the connection.
  • Ensure you take regular full system backups so you can restore in the event of an attack.
  • Implement an offline backup plan that does not store backups on your internal network, where they too could become encrypted.
  • Perform routine tests of your backup restore processes, so that you have the confidence they will work when you need them.
  • Ensure that firewall policies are effectively configured allowing access only to required IPs, ports and protocols.
  • Implement an effective patch management process that regularly applies security updates to your endpoints and infrastructure.

If you think that you may have been the victim of an attack, need help with your investigation, identifying and closing gaps or getting back to business as usual, please get in touch .

Apache Struts Round 2

Almost a year on since the Equifax mass data breach, where an unpatched Apache Struts vulnerability saw the company lose the personal details of 147 million customers, Apache have published a security notice advising of a new remote code execution bug in their Struts 2 web component.

Apache Struts is a widely adopted, open source platform for Java based web development, which basically means that any web applications that have been developed using Apache Struts are potentially vulnerable to exploit.

The bug, discovered by researchers at Semmle, results in a remote code execution vulnerability (ranked as one of the most dangerous), allowing bad actors to completely compromise a vulnerable system over the internet, putting both the network and data at significant risk. By sending the right requests to the system using simply a web browser, the actor can run any commands they wish.

It is highly recommended that any organisation that uses Apache Struts 2 reviews and upgrades their Struts web components immediately. It is understood that code to exploit this vulnerability is already in the wild.

Keep in mind that the Equifax breach mentioned above was carried out within days of the previous vulnerability being disclosed, so please DO NOT DELAY.

See below for Semmle’s write up for a more complete run down on the vulnerability.

https://semmle.com/news/apache-struts-CVE-2018-11776

Serious Flaw in Belkin IOT Smart plugs

A flaw in the popular Belkin Wemo Insight Smart Plug has been disclosed recently, that can allow attackers to gain a foothold of control on the home network. Smart plugs, via connection to the homes Wi-Fi, allows a home user to automate functions such as controlling lights and household appliances through either a smart phone, or integration with Amazon Alexa for voice activated control.

The identified buffer overflow vulnerability, if unpatched, allows a malicious actor to take control of the Smart Plug, allowing it to be turned on or off. As most home networks are flat with limited segmentation, the compromised Smart plug could then be used to compromise other devices on the home network, such as computers, TV’s and internet routers.

Once in control of the Smart plug remote code execution can then be used to install malware on to connected home devices. This is a common technique, that can result in adding the infected device to a botnet or to participate in cryptomining activities (as witnessed with the Mirai IOT botnet and the VPNFilter campaign).

As with all computer devices you should ensure that everything on your home network, including IOT devices, are kept up to date with the latest security patches, which will help to minimise your exposure to these attacks.

For more information see the ThreatPost blog:

https://threatpost.com/belkin-iot-smart-plug-flaw-allows-remote-code-execution-in-smart-homes/136732/

Talos: Remcos Botnet-in-a-box

The latest blog post released by the Talos team this week, describes multiple tracked campaigns that make use of so-called legitimate software that has been combined to create a malicious botnet.

Remcos is a Remote Access Tool (RAT), sold by the website Breaking-Security.net as legitimate remote management software, that provides full remote control of any Windows operating system.  Combined with the use of other tools on sale by Breaking Security, which include a key logger, encryption tool, and a mass mailer tool for large scale spam and phishing email distribution, you can see that an actor has all they need to create a new botnet.

Where the lines really blur is in some of the stated features of these tools, which include software hiding techniques, Anti-virus evasion, Vmware detection (to identify if they are in a sandbox environment) as well as base-64 encoding and RC4 encryption of data. This seriously questions the legitimacy of the software.

Talos describe how they have observed multiple malware campaigns in the wild that are related to the Remcos botnet, making use of targeted spear phishing emails that contain malicious Word and Excel document attachments. These attachments are embedded with macros to carry small executable files which are used to deploy the Remcos malware once enabled.

Interestingly Talos also focus on attribution in this post, giving insight into who might be behind the Breaking Security website and the development / sale of the Remcos software.

Awareness of the threat posed by Remcos helps organisations to protect themselves from attack. Combining advanced endpoint and email security, with users receiving good security awareness regarding phishing attacks, will significantly improve an organisations security posture in relation to this threat.

https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

 

That’s it for this edition but please tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview

 

Ironshare – Security Simplified

 

Edition #5 – 24th August 2018