U.S. Government Issues Urgent Warning of DNS Attacks

An emergency directive from the Department of Homeland Security provides “required actions” for U.S. government agencies to prevent widespread DNS hijacking attacks.

The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days.

The department’s rare “emergency directive,” issued Tuesday, warned that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.

“[The Cybersecurity and Infrastructure Security Agency] (CISA) is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,” said the alert.

The warning comes on the heels of a Jan. 10 FireEye report which detailed a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.

The Attacks

DNS hijacking is a type of malicious attack in which an attacker redirects queries to a domain name server by overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.

The DHS, for its part, said that the attacker begins by logging into the DNS provider’s administration panel using previously-compromised credentials.

The attacker then alters DNS records – including address (A), mail exchanger (MX) or name server (NS) records – replacing the legitimate address of a service with an address the attacker controls, thus redirecting traffic. Attackers can then intercept and tamper with the redirected traffic.

“This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose,” said the DHS in its advisory. “This creates a risk that persists beyond the period of traffic redirection.”

Since the attackers can set record values for the domain name systems, they can obtain valid encryption certificates for an organization’s domain names; this allows browsers to establish a connection without any certificate errors as the certificate can be trusted, FireEye researchers said. In the most recent campaigns, the attackers have used certificates from the Let’s Encrypt open certificate authority.

That valid certificate then enables the redirected traffic to be decrypted and exposes any user-submitted data.

Government Response

The emergency directive issued by the DHS provides “required actions” that government agencies must fulfill in the next 10 business days.

“To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires… near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains and detect unauthorized certificates,” said the report.

First, the DHS said all .gov domain admins must audit their DNS records over the next 10 days to verify if any traffic is being redirected.

The department also urged agencies to update their passwords for all accounts on systems that can make changes to agency DNS records, and to implement multi-factor authentication for accounts on DNS admin systems. Finally, agencies are being directed to monitor certificate transparency logs.
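The first and third required actions above (verify that DNS answers still match what the agency expects, and watch certificate transparency logs for certificates it never requested) can be checked with a small audit script. This is an added example, not code from DHS/CISA or FireEye; the resolver callable, the (subject, issuer) shape of CT entries, the domain names and the CA names are all constructed assumptions.

```python
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple
# Added example (not DHS/CISA or FireEye code). The resolver is injected as a callable
# and the CT entries are constructed, so the audit runs offline; a real deployment would
# pass a DNS-querying function and feed entries from a certificate transparency monitor.
RECORD_TYPES = ("A", "MX", "NS")  # the record types the directive tells agencies to audit

def audit_dns(baseline: Dict[str, Dict[str, Set[str]]],
              lookup: Callable[[str, str], Set[str]]) -> List[str]:
    """One finding per (domain, record type) whose live answers differ from the baseline."""
    findings = []
    for domain, expected in baseline.items():
        for rtype in RECORD_TYPES:
            want, got = expected.get(rtype, set()), lookup(domain, rtype)
            if got != want:
                findings.append(f"{domain} {rtype}: expected {sorted(want)}, observed {sorted(got)}")
    return findings

def _monitored_parent(subject: str, monitored: Dict[str, Set[str]]) -> Optional[str]:
    """Map a certificate subject (wildcards included) to the monitored domain it falls under."""
    name = subject[2:] if subject.startswith("*.") else subject
    for domain in monitored:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def audit_certificates(ct_entries: Iterable[Tuple[str, str]],
                       monitored: Dict[str, Set[str]]) -> List[str]:
    """Flag (subject, issuer) CT entries for monitored domains whose issuer is not allow-listed."""
    findings = []
    for subject, issuer in ct_entries:
        domain = _monitored_parent(subject, monitored)
        if domain is not None and issuer not in monitored[domain]:
            findings.append(f"{subject}: certificate from unexpected issuer '{issuer}'")
    return findings

# Constructed sample data: a known-good baseline, a resolver whose MX answer has been
# tampered with, and CT entries including a Let's Encrypt certificate nobody requested.
BASELINE = {"agency.example": {"A": {"192.0.2.10"}, "MX": {"mail.agency.example."},
                               "NS": {"ns1.agency.example.", "ns2.agency.example."}}}
TAMPERED = dict(BASELINE["agency.example"], MX={"mx.attacker-controlled.example."})
ALLOWED_ISSUERS = {"agency.example": {"Agency Internal CA"}}
CT_SAMPLE = [("www.agency.example", "Agency Internal CA"),
             ("mail.agency.example", "Let's Encrypt Authority X3"),
             ("unrelated.example", "Let's Encrypt Authority X3")]
def tampered_lookup(domain: str, rtype: str) -> Set[str]:
    return TAMPERED.get(rtype, set()) if domain == "agency.example" else set()

if __name__ == "__main__":
    for line in audit_dns(BASELINE, tampered_lookup) + audit_certificates(CT_SAMPLE, ALLOWED_ISSUERS):
        print(line)
```

Run against the constructed data it reports the swapped MX record and the unexpected issuer for mail.agency.example while ignoring the unrelated domain.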

The warning comes as the U.S. government enters its 33rd day of a shutdown (as of Wednesday), a longstanding incident which has sparked concerns about its impact across the board when it comes to security.

Iran Attribution

Researchers assess “with moderate confidence” that the recent DNS hijacking activity is conducted by a group or groups in Iran, and that the activity aligns with Iranian government interests.

The attacks have been observed in clusters between January 2017 to January 2019, the researchers said in an analysis of the attacks.

Alister Shepherd, MEA director of Mandiant at FireEye, told Threatpost that the campaign is ongoing – but that there is no indication of how many credentials have been harvested thus far. However, researchers do state that the attackers had “a high degree of success” harvesting targets’ credentials.

This most recent DNS hijacking campaign “showcases the continuing evolution in tactics from Iran-based actors,” FireEye researchers stressed. “This is an overview of one set of TTPs that we recently observed affecting multiple entities.”

Cryptomining Malware Uninstalls Cloud Security Products

New samples of cryptomining malware perform a never-before-seen function: uninstalling cloud security products.

Researchers say they have discovered a unique malware family that, after gaining admin rights on targeted systems, uninstalls cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers.

Palo Alto Networks’ Unit 42, which published the report Thursday, said that the malware samples it found do not compromise, end-run or attack the security and monitoring products in question; they rather simply uninstall them from compromised Linux servers.

“In our analysis, these attacks did not compromise these security products: Rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” Xingyu Jin and Claud Xiao, Unit 42 researchers, said in a technical write-up.

Specifically, the malware samples set about uninstalling products developed by Tencent Cloud and Alibaba Cloud (Aliyun), two leading cloud providers in China that are expanding their business globally, researchers said. These security suites include key features such as trojan detection and removal based on machine learning, logging activity audits and vulnerability management.

“Palo Alto Networks Unit 42 has cooperated with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products.”

Attack Process

The new malware is being actively used by the Rocke threat group. Rocke was first reported by Cisco Talos in July 2018, and pegged as an increasingly formidable Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.

To deliver the malware to victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion, Unit 42 researchers said.

Once the malware is downloaded, it establishes a connection to a command-and-control server and downloads a shell script called “a7” onto the system.

That shell script then carries out an array of malicious activities, including killing other cryptomining processes on the system, downloading and running a coin-miner, and hiding its processes from Linux tools using the open source tool “libprocesshider.”

It is at this stage that the latest samples deploy the never-before-seen trick: they uninstall cloud workload protection platforms, the agent-based security solutions for public cloud infrastructure.

That includes the Alibaba Threat Detection Service agent, Alibaba CloudMonitor agent and Alibaba Cloud Assistant agent, as well as the Tencent Host Security agent and Tencent Cloud Monitor agent.

The Tencent Cloud and Alibaba Cloud official websites provide documentation on how to uninstall their cloud security products; researchers said the new malware samples used by the Rocke group appear to follow these official uninstallation procedures.
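Because the agents are removed the way an administrator would remove them, the most reliable host-side signal is their absence, together with the /etc/ld.so.preload entry that libprocesshider relies on to hide processes. The check below is an added example, not Unit 42 code; the agent process names in it are assumptions used for illustration, and the sample process list and preload content are constructed.

```python
import os
from typing import Dict, Iterable, List
# Added example, not Unit 42 code. It checks two things the report describes: whether the
# cloud security agents that should be present are still running, and whether any shared
# object is preloaded into every process via /etc/ld.so.preload, which is how
# libprocesshider hides processes. The agent process names below are ASSUMPTIONS for
# illustration; substitute the names the agents use on your own images.
EXPECTED_AGENTS = {
    "Alibaba Threat Detection Service agent": "AliYunDun",      # assumed process name
    "Alibaba Cloud Assistant agent": "aliyun-service",          # assumed process name
    "Tencent Host Security agent": "YDService",                 # assumed process name
}

def running_process_names() -> List[str]:
    """Collect process names from /proc on a live Linux host (empty list elsewhere)."""
    names = []
    for pid in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/comm") as fh:  # comm is truncated to 15 chars
                    names.append(fh.read().strip())
            except OSError:
                continue
    return names

def read_preload(path: str = "/etc/ld.so.preload") -> str:
    """Return the preload file's content, or '' when the file does not exist."""
    return open(path).read() if os.path.isfile(path) else ""

def check_host(process_names: Iterable[str], preload_content: str,
               expected: Dict[str, str] = EXPECTED_AGENTS) -> List[str]:
    """Return findings: expected agents that are not running, and any preloaded objects."""
    findings = []
    present = set(process_names)
    for label, proc in expected.items():
        if proc not in present:
            findings.append(f"{label} ({proc}) not running: possible uninstall")
    for line in preload_content.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append(f"/etc/ld.so.preload loads {line}: possible process hiding")
    return findings

# Constructed sample: a host where both Alibaba agents were removed and libprocesshider was preloaded.
SAMPLE_PROCS = ["systemd", "sshd", "YDService", "kworker/0:1"]
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

if __name__ == "__main__":
    for finding in check_host(running_process_names(), read_preload()):
        print(finding)
```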

Neither Tencent Cloud nor Alibaba Cloud responded to Threatpost’s request for comment.

Malware Origins

As for the malware itself, Unit 42 researchers suspect the family was developed by the Iron cybercrime group (the payloads of Iron’s and Rocke’s malware are similar, and the malware reaches out to similar infrastructure, Talos researchers said in their report).

The malware is also associated with the Xbash malware, a sophisticated family in the wild disclosed by Unit 42 researchers in September, which wreaks havoc on Windows and Linux systems with a combination of data-destructive ransomware and malicious cryptomining.

However, this sample’s ability to uninstall security tools from systems brings it a step further when it comes to targeting public cloud infrastructure.

“The variant of the malware used by Rocke group is an example that demonstrates that the agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure,” researchers said in their report. “We believe this unique evasion behavior will be the new trend for malware that targets public cloud infrastructure.”

WORDPRESS DELIVERS SECOND PATCH FOR SQL INJECTION BUG

A bug exploitable in WordPress 4.8.2 and earlier creates unexpected and unsafe conditions ripe for a SQL injection attack, exposing sites created on the content management system to takeover.

WordPress released WordPress 4.8.3 Tuesday, which mitigates the vulnerability.

“This is a security release for all previous versions and we strongly encourage you to update your sites immediately,” according to WordPress. The vulnerability is not tied to WordPress Core itself, but rather to plugins and themes that could be used to trigger a SQL injection attack, WordPress said.

The 4.8.3 update corrects a previous patch released on Sept. 19.

“Worst case would be remote code execution where they could take over installs of WordPress and the servers they are running on,” said Anthony Ferrara, the researcher who identified the flawed WordPress 4.8.2 patch.

The roots of the SQL injection date back to a vulnerability (CVE-2017-14723) first reported on Sept. 17, 2017. WordPress then attempted to mitigate the vulnerability with WordPress 4.8.2. That patch did not fix the issue, worsened the underlying security vulnerability and “broke” a large undisclosed number of third-party WordPress plugins.

“Our plugin broke,” said Matt Barry, a lead developer at WordFence. “The initial WordPress fix created huge headaches for plugin developers like us.”

On Sept. 20, Ferrara reported through the HackerOne bug bounty platform the fix was incomplete.

“I filed a security vulnerability report and notified them the fix isn’t a fix and suggested they should revert and fix properly (with included details on how to fix),” according to a post outlining the disclosure on Ferrara’s personal blog.

After going back and forth with WordPress for weeks, Ferrara said that on Oct. 16 he announced his intent to disclose publicly. More back and forth ensued, and on Oct. 20, he said, WordPress told him it was “working on it” and discussing details of the fix. After 11 more days of hammering out the technical details of that fix, the 4.8.3 patch was released on Oct. 31.

The vulnerability itself affects WordPress versions 4.8.2 and earlier. The issue occurred because “$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection,” as WordPress describes it.

The root issue is that the prepare system is poorly designed and needed to be fixed, Ferrara said. He said a patch to remove the “double prepare” from meta.php was eventually delivered, mitigating the vulnerability.

“These types of fixes can be tricky,” Barry said. Plugins are often the friendly-fire casualties for these types of WordPress patches, he said.

“The core issue is mitigated. My perspective of the interaction was frustrating at first, but got far better towards the end,” Ferrara said in his blog. “I was disappointed for a good part of the past six weeks. I’m now cautiously hopeful.”

CRYPTOCURRENCY MINING MALWARE HOSTED IN AMAZON S3 BUCKET

As Bitcoin’s price continues to soar beyond $4,000 USD per coin, cybercriminals are responding in kind by using techniques long reserved for adware, click-fraud and spying to now drop cryptocurrency miners onto compromised computers.

The latest incident comes from a rash of drive-by downloads that are being used to install coin-mining malware called Zminer, according to researchers from Netskope.

The Zminer executable is dropped by an exploit kit; it then connects to an Amazon S3 storage bucket to grab two payloads, Claymore CryptoNote CPU Miner and Manager.exe. Claymore is the mining utility used to produce Monero, an open-source cryptocurrency that goes to lengths to obfuscate its blockchain, making it a challenge to trace any activity. Manager oversees the mining and includes instructions for the Windows Task Scheduler, said Ashwin Vamshi, a security researcher at Netskope.

“We typically have observed that after a victim is infected by an exploit kit, for example, Neptune exploit kit, the victim’s machine is driven through these drive-by-download sites,” Vamshi told Threatpost. “At this time we did not find enough evidence of particular sites or category of sites leading to Zminer.”

One twist is that Zminer, once it’s up and running on a victim’s machine, seeks out and disables Windows Defender by adding several keys to the system registry. Vamshi said Netskope has not seen any version of Zminer trying to disable other antimalware or host-based intrusion prevention software.

“On the network side, given that the communication to download the payload is over HTTPS and the interaction with a managed cloud application Amazon AWS, if network-IPS does not have the capability to inspect encrypted channels and understand activity-level transactions of Amazon AWS, they would fail to protect enterprise customers,” Vamshi said.

Earlier this week, FireEye reported that attackers were using Neptune to spread miners through malvertising. FireEye said the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Some sites that convert YouTube videos to MP3s are also implicated in these attacks, all of which redirect to a site hosting a Monero miner download.

Netskope provided details on two separate operations that have netted 101 Monero, or $8,300 USD, and 44 Zcash, or $10,100 USD so far. Zminer uses Monero on 32-bit Windows systems, and Zcash on 64-bit.

“Since the mining operation usually involves a lot of computing power, the CPU usage will be extensively dominated by the miner. As a result, the machines or workstations start functioning abnormally slow,” Vamshi said. “We have only observed Zminer disabling Windows Defender and it used no other technique to evade detection of the CPU usage. Users should treat abnormal increase in CPU usage as a potential indicator for coin-mining malware.”

Netskope, meanwhile, has privately reported to Amazon the S3 URLs hosting the Zminer payloads, and Vamshi said it is awaiting a response.

“The attacker has chosen Amazon Simple Storage Service as it is easy to deliver the payload and make the victim believe the source is trusted,” Vamshi said.

In the meantime, coin mining continues to be a viable revenue-generating option for criminals. Even nation-state attackers from North Korea alleged to be behind May’s WannaCry ransomware outbreak used the NSA’s EternalBlue SMB exploit to spread the Adylkuzz miner.

“Coin mining allows anyone with access to the internet and suitable hardware to participate in mining and generate money,” Vamshi said. Cryptocurrency currently has a global market cap of $153 billion, and it’s climbing.

“Of late, we along with the rest of the security industry have seen a growing trend of crypto-mining malware,” Vamshi said. “We can only speculate that enough threat actors with a primary focus on generating money are treading along this new path, which may be due to the fact that there is not a lot of money they are able to generate via ransomware.”