Zero-Day VirtualBox Vulnerability and Exploit Published

Particulars of a zero-day VirtualBox vulnerability have been published online together with a step by step activity.

The vulnerability in the Oracle open source hosted hypervisor was published on GitHub by Russian safety scientist, Sergey Zelenyuk, instead of being disclosed to Oracle to permit the bug to be repaired. The decision was affected by an earlier vulnerability that he found in VirtualBox that was disclosed to Oracle but took the company 15 months to repair.

Zelenyuk described the decision to go public with the vulnerability and exploit was because of frustration with Oracle and the bug revelation and bug bounty procedure – “I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The purpose is my disagreement with current state of infosec, particularly of safety research and bug bounty,” wrote Zelenyuk.

The vulnerability is a series of bugs that can be abused to allow malevolent code to dodge the virtual machine and perform on the original operating system. The exploit activates a buffer surplus situation using packet descriptors which allow malevolent code to be run in kernel ring 3, which is used for most user programs. It is possible to merge the exploit with kernel privilege growth bugs to gain access to kernel ring 0.

As per Zelenyuk, the exploit is 100% dependable and works irrespective of the host or original operating system and affects all VirtualBox releases.

The vulnerability is specifically disturbing for malware scientists as VirtualBox is a popular selection for studying and reverse engineering malware in a secure atmosphere. If malware authors were to insert the exploit into their malware, it would be possible to flee the VM and infect the safety researcher’s machine.

It remains to be seen how swiftly VirtualBox will be repaired. With the vulnerability and abuse now in the public domain, it is possible that Oracle will not wait 15 months to create a repair.

WordPress GDPR Compliance Plugin Vulnerability Being Actively Abused

Websites with the WordPress GDPR Compliance plugin fitted are being hijacked by hackers. A vulnerability in the plugin is being abused, allowing attackers to change site settings and record new user accounts with admin rights.

The vulnerability can be distantly abused by unauthorized users, a lot of whom have automated misuse of the vulnerability to hijack as many sites as possible prior to the vulnerability is rectified.

The vulnerability was found by safety scientists at Defiant, who noted that in a number of attacks, after abusing the vulnerability the attackers have rectified the vulnerability. Defiant’s scientists propose that this method makes sure other hackers are banned from hijacking compromised sites. In some instances, after access to a vulnerabile site is gained, a PHP webshell is uploaded to give the attackers complete control of the website. Some attackers have added in backdoors via the WP-Cron schedule. This technique of attack makes sure the persistence of the backdoor.

Compromised websites can be utilized for phishing and other cheats, or the sites might have exploited kits uploaded to silently downloaded malware onto visitors’ appliances. An examination of compromised websites has not exposed any payload at this phase. Defiant scientists propose that the initial goal is to compromise as many sites as possible before the
vulnerability weakness is rectified. Compromised sites might be sold or the attackers could be biding their time before the attack stage is launched.

After WordPress became aware that the WordPress GDPR Compliance plugin vulnerability was being actively abused in the wild, the plugin was removed from the official WordPress store and the developer was informed. A new type of the plugin has now been released and the plugin has been revitalized on the official WordPress store.

Any website proprietor that has the WordPress GDPR Compliance plugin installed should make sure it is updated to version 1.4.3, which was released on November 7, 2018. Site proprietors must also check their sites for any indication of illegal modifications and checks must be carried out to see if any new admin accounts have been produced.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Files

The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.

Marriott identified the data breach on September 8, 2018, after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party computer forensics experts were called in to assist with the investigation, which confirmed that the Starwood network was first gained in 2014. It is currently unclear howthe hacker breached security defenses and gained access to the network.

The hacker had encrypted data on the network which hampered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018 for Marriott to decrypt the data and determine what the files contained.Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels guests.

Analyzing such a huge database to determine which customers have had their information compromised has naturally taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.

Marriott believes up to 500 million individuals who had previously made a reservation at Starwood Hotels and Resorts have been affected. They also include individuals who made reservations at Sheraton Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St.Regis, Westin Hotels & Resorts, Aloft Hotels, The Luxury Collection,Tribute Portfolio, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.

The types of data present in the stolen database include the names of guests, mailing addresses, email addresses, and other information. Around 327 million past guests may also have had the following information stolen: SPG account information, birth date, gender, reservation date, arrival date, departuredate, their communication preferences, and potentially, their passport number.

Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm, but the two bits of information that would allow the data to be decrypted may also have been stolen.

The data breach, which occurred two years before Marriott acquired the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with leading security firms to improve security and prevent any further data breaches.

Marriott is in the process of notifying all affected individuals by email. All breach victims have been offered free enrolment in WebWatcher for one year. WebWatcher monitors the Internet for instances of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage. Since email addresses have been stolen, breach victims have been warned to be alert for phishing attacks that attempt to obtain sensitive information. All official communications are coming from the starwoodhotels@email-marriott.com, although care should still be taken with any emails that appear to have been sent from that email address as sender field could be spoofed.

Vital AMP for WP Plugin Weakness Allows Any User to Gain Admin Rights

A recent critical WordPress plugin weakness has been identified that might let site users increase rights to admin level, providing them with the capability to add custom code to a vulnerable website or upload malware. The vulnerabilities is in the AMP for WP plugin, a trendy plugin that changes standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to carry out checks to decide whether a particular user is allowed to carry out certain administrative jobs, inadequate checks were carried out to confirm the existing user’s account permissions. As a consequence, any user, including a user listed on the site to submit remarks, might gain admin rights to the site.

The vulnerability was found by WordPress plugin developer Sybre Waaijer who clarified that the vulnerability would let any user read and download files, upload files, modify plugin settings, insert HTML content into posts, or load malware such as a cryptocurrency miner or install malevolent JavaScript. Although there were some safety checks carried out, in most instances unauthenticated users might easily carry out illegal activities on a site with the vulnerable plugin installed.

As per web safety company WebARX, the vulnrability is present in the ampforwp_save_steps_data hook – An Ajax hook that can be called by all listed users on a site. As insufficient checks are carried out to confirm the account role of the user when the hook is called, any site user can use the functions.

The vulnrability has been rectified in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new variety of the plugin includes a check of the wpnonce value to decide whether the user is accredited to update plugin settings. Updates will only be allowed if the user has admin rights.

Stealthy sLoad Downloader Executes Massive Reconnaissance to Improve Quality of Infected Hosts

A latest PowerShell downloader has been discovered – the sLoad downloader – which is being utilized in quiet, highly targeted attacks in the UK and Italy. The sLoad downloader executes a wide variety of checks to find out a lot of information concerning the system on which it lives, before selecting the most suitable malevolent payload to position – if a payload is positioned at all.

The sLoad downloader was first identified in May 2018 when it was mainly being used to download the Ramnit banking Trojan, even though more lately it has been providing a much wider variety of malevolent payloads including Ursnif, PsiBot, DarkVNC, and Gootkit, as per safety scientists at Proofpoint who have been studying the danger.

The malware is assumed to be the work of a threat actor known as TA554 that Proofpoint has been tracing for over a year. sLoad is being used in greatly targeted attacks, mostly in the United Kingdom and Italy, even though the group also often targets Canadian companies.

sLoad is part of an increasing type of silent writings that are being developed to carry out silent attacks and improve the quality of infected hosts. Among the difficulties with infecting as many machines as possible is the attacks are loud and are quickly noticed, providing safety researchers plenty of time to study malware, add signatures to AV software, and develop repairs.

Although the spray and pray method of infecting as many end users as possible carries on, particularly by affiliates signed up to use ransomware-as-a-service, there has been a rising tendency over the last few months of a much quieter type of malware – Malware that stays under the detector for longer and goes to great lengths to discover more about a system prior to attacks are started.

Infection mainly happens through spam electronic mails, which are cautiously created, written in the targeted nation’s language, and contain tailored information such as the target’s name and address to add reliability. The most usual subjects and message subjects are missed package distributions and purchase orders, which are detailed in documents attached to the electronic mails. Hyperlinks are also utilized to connect to zip files having the documents. The documents have malevolent macros that start PowerShell writings, which download the sLoad downloader.

The threat group extensively utilizes geofencing at all points in the infection series. This limits infection to particular places as well as orders what actions are taken when a host is infected. This is specifically important when the final payload is a banking Trojan. Banking Trojans aim country-specific banks and use precise web injects for those attacks.

The sLoad downloader examines to define if specific safety procedures are running on a system, and will leave if those procedures are found. A list of all running procedures will be gathered and sent back to its C2 server together with details of Citrix-related .ICA files, Outlook files, and a wide variety of other system information. sLoad will also test browsing histories to decide whether the user has earlier visited banks that are being aimed and will report back on its findings.

If the infected appliance has been utilized to access a banking website that Ramnit is aiming, the banking Trojan will be downloaded, even though other malware variations can also be delivered depending on the information found during the reconnaissance stage.

“sLoad, like other downloaders we have described lately, fingerprints infected systems, letting threat actors better select objectives of interest for the payloads of their selection,” wrote Proofpoint. “Downloaders, although, like sLoad, Marap, and others, provide high levels of flexibility to threat actors, whether evading seller sandboxes, providing ransomware to a system that seems mission critical, or providing a banking Trojan to systems with the most likely return.”

Zero-Day Windows Data Sharing Facility Vulnerability Discovered

A Windows zero-day vulnerability has been discovered that lets hackers erase application dlls and cause a system to crash and possibly hijack systems. The vulnerability lets an attacker elevate rights and erase files that must only be accessible by management and takes benefit of a Windows facility that fails to verify approvals.

That facility, the Windows Data Sharing Facility – dssvc.dll, was launched in Windows 10, hence earlier Windows types are unaffected, even though the vulnerability is also existing in Windows Server 2016 and Server 2019.

In order to abuse the Windows Data Sharing Service vulnerability, the attacker would already require access to the system, so for the fault to be distantly exploitable it would need to be merged with one more exploit. This would restrict the possibility for it to be used in an attack.

Although it’s possible to abuse the vulnerability to run commands on a system, the most likely use is disruption, because it permits files to be erased which would render applications or systems unworkable.

The Windows Data Sharing Facility vulnerability was detected by safety scientist SandboxEscaper. SandboxEscaper also recently issued a proof-of-concept for a zero-day vulnerability in Windows Task Scheduler, which was later adopted by a variety of threat actors and utilized in real-world attacks.

Although the vulnerability is similar to the earlier discovered vulnerability, in the sense that it lets non-admins erase files as a consequence of a Windows facility failing to verify permissions, this vulnerability is much more difficult to abuse. SandboxEscaper clarified in an October 23 Tweet that it’s “a low-quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I posted a while ago, this does not write garbage to files but really erases them… meaning you can erase application dll’s and hope they go look for them in user write-able places. Or erase stuff used by system services c:\windows\temp and hijack them.”

Mijja Kolsek, a co-founder of 0Patch, has verified the PoC works and 0Patch team has already issued a micropatch to rectify the “Deletebug” fault. The micropatch was developed within 7 hours of publication of the PoC. The repair will be automatically applied for users of the 0Patch Agent and is obtainable for others through 0Patch.com.

Microsoft is expected to deliver a solution to the vulnerability.

Exploits Published for LibSSH Vulnerability: Immediate Repairing Required

A lately discovered LibSSH vulnerability, that has been called as ‘comically bad’ by the safety scientist who found it, has been repaired. The vulnerability is extremely easy to abuse. Obviously, different scripts and tools have been published that permit vulnerable apparatuses to be found and the flaw to be abused.

If the LibSSH vulnerability is abused, which needs little expertise even without one of the published scripts, it would let an attacker start an attack and distantly execute code on a vulnerable system.

The LibSSH vulnerability, which would allow anybody to log in to a weak Linux/Unix server without having to provide a password, is as bad as it gets. The vulnerability was found by Peter Winter-Smith of NCC Group, who found that verification can be avoided by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting an SSH2_MSG_USERAUTH_REQUEST message but will suppose that verification has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent in its place.

As per the latest safety advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is planned only for communication from the server to the customer.”

The vulnerability is being followed as CVE-2018-10933 and is present in LibSSH types 0.6 and later. The fault has been patched in types 0.8.4 and 0.7.6.

Even though the mistake is trivial to abuse, it is even easier using the scripts that have been issued. Leap Security has issued a script that searches for vulnerable appliances, and there are quite a lot of available that will abuse the vulnerability and permit any code to be run with absolutely no skill needed.

Although the mistake is of high-severity, luckily only a small number of appliances are vulnerable. Anybody running a vulnerable version must repair instantly. Failure to repair will almost certainly see the appliance compromised.

Microsoft Patches 49 Vulnerabilities Including One Actively Exploited Weakness

Almost 50 weaknesses have been repaired by Microsoft on October Patch Tuesday including one zero-day weakness that is being actively abused in the wild by the FruityArmor APT group.

The zero-day (CVE-2018-8453) is connected to the Win32k part of Windows and is an elevation-of-privilege weakness found by Kaspersky Lab. If abused, a threat actor might run random code in kernel mode and might create new accounts, install programs, or access, modify or erase data. The fault is present in all supported types of Windows and Windows Server 2008, 2012, 2016 and 2019.

The FruityArmor threat group is based in the Middle East, which is where the attacks have so far been aimed. The group is famous for utilizing zero-day faults for its attacks and has been aiming older type of Windows, even though Microsoft has alerted that the weakness might let attacks on the latest Windows types.

Kaspersky Lab notices that two years before, on October Patch Tuesday 2016, Microsoft also repaired a fault that was being actively abused by the FruityArmor group – CVE-2016-3393. Kaspersky Lab will announce more details of the fault this week.

Altogether 49 weaknesses have been repaired, 12 of which have been ranked critical. One of those critical weaknesses, CVE-2010-3190 is eight years old and has been repaired several times over the past eight years. The latest repair tackles the weakness in Exchange Server 2016. If abused, it would let an attacker take complete control of a weak system. The other critical repairs affect the Internet Explorer and Edge browsers, Hyper-V, and XML Core Facilities.

The latest repairs also tackle three weaknesses that were publicly revealed before repairs being released: A fault in the JET Database engine, Azure IOT, and Windows kernel. The patch for the JET Database Engine fault is specifically important, as last month sample exploit code was also circulated together with details of the weakness. As a consequence, companies were exposed for numerous weeks. It was a similar tale in August when a weakness and proof of concept code was circulated online for a weakness in Windows task scheduler which also left Windows users defenseless.

Most of the other patches in this round of updates were for Windows 10, the Edge browser, and connected Server types.

Adobe has also publicized patches this week, which tackle 16 weaknesses including four critical faults in Adobe Digital Edition. The critical faults allow distant code implementation, three of which are heap-overflow faults and one is a use-after-free weakness.

Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be identified as such.

Persistent New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

Enhanced Remote Desktop Protocol Attacks Prompts IC3 to Issue Alert

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.

Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to install software or provide help.  When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.

Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.

Every now and then, vulnerabilities are identified in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict vulnerable passwords. Several possible password and username blends are tried until the right one is predicted.

Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.

Latest attacks have seen cybercriminals gain access through RDP and steal data or install ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to install ransomware.  This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.

IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to log in. Patches must be applied quickly to make sure vulnerabilities cannot be abused.

Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.

Since RDP is frequently used to install ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”