The Hurricane Labs Foundry: Volume 11, The Candy-Coma Edition

The goal of this publication is to serve as a sort of newsletter containing information about the latest cybersecurity trends and news that you may want to be aware of. These could be threat intel reports, high-profile vulnerabilities, newly released tools and resources, information regarding the latest Splunk and/or information security trends, news on the latest security breaches to be aware of, along with a host of other subjects.

Threat Intel

Emotet malware family obtains email harvesting capabilities

The Emotet malware family and botnets have been around for years, and have widely been considered banking trojans — that is, malware that provides access to infected hosts as well as stealing banking information from victims.

It has been discovered that the malware has new functionality in the latest versions seen in the wild. Emotet has a new DLL module that will collect and exfiltrate email from infected hosts.

Previous versions of the malware would extract the sender’s username and email address, as well as the destination’s username and email address. This new functionality will also extract both the subject and body of emails from the victim’s systems, and exfiltrate this data.

It is unclear at this time why new versions of Emotet have this functionality, but it is believed that this new email exfiltration functionality makes it a cyber espionage threat as well.

This diagram above, produced by Kryptos Logic, describes how the new email exfiltration module is delivered to existing Emotet infections, and how the module collects and exfiltrated data.

IOCs/Detection:

Email extraction module:
SHA-1:
6CD44F2D00B43D80C08922D99D51CCE804A59A54
D75E7595b642456411672782A333A00E0B38A94D
9334DF07172856D7E058F1f8239C282BFB46967D
SHA-256:
C6e7e4077e700e5e9bdac8a288b97cfe4c3a146f0857cad9bb80063d5abfe1c4
E7c90ef7557dd2e08ac15613310eb2049d2e26c9657805cb6463da04cdcc095d

Latest C2 IP Addresses (as of 11/1):

70[.]62[.]224[.]226:80
202[.]175[.]188[.]154:8443
105[.]226[.]215[.]238:8443
37[.]139[.]27[.]102:8080
198[.]199[.]96[.]164:443
172[.]248[.]199[.]224:990
174[.]85[.]59[.]17:80
54[.]38[.]43[.]230:80
192[.]186[.]96[.]122:443

TORII IOT Malware

TORII is the name of a new strain of malware that is targeting IoT devices. Initially discovered by Dr. Vesselin Bontchev (aka @vessonsecurity on Twitter), this malware is more than just another IoT cryptocoin miner or Mirai clone. This malware is capable of running on a multitude of different hardware architectures (x86, x64, 68k, ppc, MIPS, ARM, etc.), and has a multitude of different persistence methods for ensuring that infected hosts stay infected.

Like most other IoT botnets, it will attempt to gain initial access by brute forcing systems and exploiting weak credentials. However, unlike other IoT botnets, TORII doesn’t attempt to scan for additional hosts to compromise after infecting a victim, contributing to its lower network profile, and persistence.

According to a blog post (see above) by antivirus company AVAST, it is currently believed that this malware may have emerged some time in 2017. The AVAST blog post has an in-depth analysis of how the malware functions and persists.

IOCs/Detection:

C2 Domains and IP addresses:
184[.]95[.]48[.]12
104[.]237[.]218[.]82
104[.]237[.]218[.]85
66[.]85[.]157[.]90
top[.]haletteompson[.]com
сloud[.]tillywirtz[.]com
trade[.]andrewabendroth[.]com
press[.]eonhep[.]com
editor[.]akotae[.]com
web[.]reeglais[.]com

Vulnerabilities

Thousands of Applications Vulnerable to RCE via jQuery File Upload

jQuery File Upload is a popular open-source package that allows users to upload files to remote systems. It’s both feature rich, and can be deployed on almost any server-side web platform such as PHP, Python, Ruby on Rails, Java and/or Node.js. Recently, it was discovered that there was an issue with the PHP version of jQuery file upload affected all versions prior to version 9.24.1, running with Apache 2.3.9 or greater

The vulnerability was the result of assumptions being made by jQuery File Upload utility assuming that .htaccess configuration options were being honored. However, as of Apache 2.3.9, .htaccess configuration file support is disabled by default. The provided link is to the jQuery File Upload GitHub project. It includes confirmation that the issue has been patched, as well as remediations that can be taken if you cannot patch your system immediately.

Trivial Exploit for X.org Server leads to local privilege escalation

X.org is the backbone for desktop environments on most Linux and BSD systems. On 10/25, a notification for CVE 2018-14665 was made public, and a proof of concept was published by a security research by the handle @hackerfantastic. The proof of concept was able to be fit into a tweet of under 280 characters, underlining how trivial it is to exploit.

This vulnerability affects X11 server versions from 1.19.0 through 1.20.2. X.org has released a security advisory that details patch availability, as well as recommend steps to mitigate the vulnerability in the event you are unable to patch your systems immediately.

Information Security trends

Proofpoint has released the latest edition of their quarterly threat report for Q3 2018. Here is a rundown of some of the things that have caught my eye:

• Email continues to be the top vector for malware distribution and phishing.
• Banking Trojans are the dominant category of malware being distributed today — with Emotet and Panda being the most popular banking trojans.
• Emails featuring malicious URLs (that often direct users to download malicious. documents and/or macro-enabled documents) are replacing emails that directly attach malicious attachments and/or macro-enabled documents).
• Ransomware has all but disappeared, accounts for only 1% of all observed malware.
• Exploit kits have also mysteriously vanished, being replaced by social engineering (e.g. convincing users to download/install fake extensions or antivirus), and/or cryptojacking.

Data Breaches

The CIA’s communications suffered a compromise that started in Iran

In 2013, the CIA worked to contain a compromise of their covert communications system. The breach of their communications system, which spanned from 2009 through 2013, was due the utilization of the system far beyond its intended scope. The root cause of the compromise comes from the website having been indexed by Google, and Iranian actors crafting complex queries through Google’s search engine that allowed them to identify sites containing sensitive data relating to CIA operations.

It has been suggested that IT personnel in the agency warned that this system was flawed, and provided alternatives and other recommendations for replacing their current messaging system, and was met with punishment, and assurances that the current system was impenetrable.

Until Next Time

Keep an eye out for the next edition of The Hurricane Labs Foundry. Typically these will be released every two weeks. In the meantime, follow us on Twitter @hurricanelabs for updates!