ARMORYZE
  • Home
  • Solutions
    • Zero Trust Security
    • Cloud Security
    • Web Application & API Protection
    • SIEM Logging & Monitoring
    • Risk Based Vulnerability Management
  • Services
    • Cyber Essentials & Cyber Essentials Plus Certification
    • IASME Cyber Assurance Certification
    • ISO27001 Certification
    • Penetration Testing
    • Cloud Security Assessment
    • Managed Detection & Response
    • Managed Security Services
    • Managed Compliance Services
  • Company
    • About Us
    • Customer Success Story
    • Free Resources >
      • Whitepaper - How To Prioritize Risk Across the Attack Surface
      • The Ultimate Guide to Achieving Cyber Essentials Plus Certification
      • ISO 27001 Implementation Checklist
      • Whitepaper - What is Credential Stuffing? How To Prevent Credential Stuffing Attacks.
      • eBook: Effective Security Strategies for Devops & Application Services
      • eBook - How To Build A Next Generation SOC
      • Free Cyber Security Assessment & Consultation
    • Free Trial >
      • Armoryze USM Anywhere - Free Trial
    • Careers >
      • Account Manager
      • Business Development Manager
      • Cyber Security Engineer
    • Contact Us
    • Blog
    • Privacy-Policy
  • SHOP
    • Cyber Essentials Certification
    • Cyber Essentials Certification with Expert Assistance
    • Cyber Essentials Plus Certification

Cyber Security Threat Intelligence Report – Week Ending 19 Sep 2020

21/9/2020

A security researcher has published a proof-of-concept exploit for the Windows Netlogon elevation-of-privilege vulnerability CVE-2020-1472 ("Zerologon") on GitHub. An attacker who can reach a domain controller over the network can use it to take control of the Windows domain without holding any credentials. Microsoft rates the vulnerability Critical with a CVSS score of 10.0, so the patches should be installed as quickly as possible. In Microsoft's words: "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network." Note that the August 2020 update is only the first phase of Microsoft's fix: it blocks vulnerable connections from Windows devices and logs, but does not yet block, vulnerable connections from other devices, with enforcement scheduled for February 2021, so administrators should also review the new Netlogon event IDs (5827 to 5831) the update adds. More details and the patches can be found in Microsoft's advisory for CVE-2020-1472.
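As an added example (not from this post, and not Microsoft's code), here is a small detector run over constructed domain-controller event records. It flags the two signals a defender can look for: Security event 4742 where a machine account is changed by ANONYMOUS LOGON, which is what the public exploit's password reset looks like in the audit log, and the Netlogon System events 5827/5828/5829 that the August 2020 update adds. The JSON-lines shape and its field names are assumptions for this example, not the format of any real export.

```python
"""Added example, not from the Armoryze post or from Microsoft: flag
Zerologon (CVE-2020-1472) indicators in domain-controller event records.

Signals checked:
  * Security 4742 "A computer account was changed" whose subject is
    ANONYMOUS LOGON and whose target is a machine account (name ends in
    '$'): the exploit resets the DC's machine account password over an
    unauthenticated Netlogon channel, and that change is audited as 4742.
  * System 5827 / 5828 (vulnerable connection denied) and 5829
    (vulnerable connection still allowed), written by the Netlogon
    service only after the August 2020 update is installed.

The records below are constructed samples in a simplified JSON-lines
shape; the field names are assumptions for this example.
"""
import json

NETLOGON_EVENTS = {
    5827: ("medium", "Netlogon denied a vulnerable secure channel connection (machine account)"),
    5828: ("medium", "Netlogon denied a vulnerable secure channel connection (trust account)"),
    5829: ("high", "Netlogon allowed a vulnerable secure channel connection (not yet enforced)"),
}


def is_machine_account(name: str) -> bool:
    """AD computer and trust accounts have sAMAccountNames ending in '$'."""
    return name.endswith("$")


def classify(record: dict):
    """Return a finding for a suspicious record, or None."""
    eid = record.get("EventID")
    if eid == 4742:
        subject = record.get("SubjectUserName", "")
        target = record.get("TargetUserName", "")
        if subject.upper() == "ANONYMOUS LOGON" and is_machine_account(target):
            return {
                "severity": "critical",
                "event": eid,
                "account": target,
                "reason": "machine account changed by ANONYMOUS LOGON "
                          "(Zerologon password-reset pattern)",
            }
        return None
    if eid in NETLOGON_EVENTS:
        severity, reason = NETLOGON_EVENTS[eid]
        return {"severity": severity, "event": eid,
                "account": record.get("Account", ""), "reason": reason}
    return None


def scan(lines):
    """Parse JSON-lines records and collect findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        finding = classify(record)
        if finding:
            finding["time"] = record.get("TimeCreated")
            finding["computer"] = record.get("Computer")
            findings.append(finding)
    return findings


# Constructed sample records (not real logs): one exploit-style 4742, one
# benign 4742, one 5829 from a legacy device, one unrelated 4624 logon.
SAMPLE_LOG = """
{"TimeCreated":"2020-09-15T10:01:02Z","Channel":"Security","EventID":4742,"SubjectUserName":"ANONYMOUS LOGON","TargetUserName":"DC01$","Computer":"DC01.corp.example"}
{"TimeCreated":"2020-09-15T10:01:03Z","Channel":"Security","EventID":4742,"SubjectUserName":"svc-sccm","TargetUserName":"WS042$","Computer":"DC01.corp.example"}
{"TimeCreated":"2020-09-15T10:05:00Z","Channel":"System","EventID":5829,"Account":"LEGACY-NAS$","Computer":"DC01.corp.example"}
{"TimeCreated":"2020-09-15T10:06:00Z","Channel":"Security","EventID":4624,"SubjectUserName":"-","TargetUserName":"jdoe","Computer":"DC01.corp.example"}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Event 4742 on its own is noisy in a busy domain, since computer accounts change legitimately; the ANONYMOUS LOGON subject on a machine account is the discriminator. The 5829 events enumerate the devices that will stop working when enforcement begins, so they should be remediated rather than silenced.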

Virtual patching should be an integral component of every organization's patch management strategy. A virtual patch, a rule on an IPS, WAF or similar control that blocks the traffic an exploit needs, protects against new threats and also covers scenarios like the one above, where a public exploit exists before every system can be updated. It can close the window of exploit opportunity within minutes or hours, rather than the days or weeks a maintenance cycle may take, and so reduces the business's exposure while the vendor patch is tested and rolled out. It is a stop-gap rather than a replacement: the vendor patch still has to be applied.
 
The transition to the teleworking / remote working model opens users and companies up to myriad security threats, including malware, phishing in all its forms, and many more. Ashco Systems' innovative and cost-effective cyber security solutions and services address remote worker scenarios with three primary levels of connectivity. If you have technical questions or need assistance, contact us at info@ashcosystems.com.
Synology.Photo.Station.Unauthenticated.Arbitrary.File.Upload:
This signature indicates an attempt to exploit CVE-2017-11151, an arbitrary file upload vulnerability in Synology Photo Station. The vulnerability is due to insufficient sanitizing of user-supplied input in the application. A remote attacker may be able to exploit it to upload arbitrary files into specific directories on the device, which can be used to bypass security features of the vulnerable system and as a foothold for further attacks. The affected products are Photo Station versions before 6.7.3-3432 and before 6.3-2967. Ashco Systems security experts recommend that users update vulnerable devices.
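The following is an added illustration, not Synology's code, of what "insufficient sanitizing of user-supplied input" looks like in an upload handler: a function that trusts the client-supplied filename, beside a hardened version that uses the client name only to read the extension, checks the content against it, and stores the file under a server-chosen name confined to one directory. The upload root and the allowed file types are assumptions for the example.

```python
"""Added example, not Synology Photo Station's code: an unrestricted upload
path builder beside a hardened one. The upload root and the allowed types
are assumptions for this illustration."""
import os
import secrets

UPLOAD_ROOT = "/var/app/uploads"  # assumed: a directory outside the web root

# Allow-listed extension -> leading magic bytes the content must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def vulnerable_save_path(client_filename: str) -> str:
    """Trusts the client-supplied name. '../../www/shell.php' walks out of
    the upload directory and an absolute name replaces the root entirely;
    the extension is never checked, so executable content lands wherever
    the attacker chooses."""
    return os.path.join(UPLOAD_ROOT, client_filename)


def hardened_save_path(client_filename: str, data: bytes) -> str:
    """Uses the client name only to read the extension, checks the extension
    against an allow-list, checks the content's magic bytes against that
    type, then stores under a random server-chosen name confined to
    UPLOAD_ROOT. Raises ValueError for anything that fails a check."""
    base = os.path.basename(client_filename)          # drop any directory part
    ext = os.path.splitext(base)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    server_name = f"{secrets.token_hex(16)}.{ext}"     # never the client's name
    root = os.path.normpath(UPLOAD_ROOT)
    path = os.path.normpath(os.path.join(root, server_name))
    # Defence in depth: even with a server-chosen name, confirm confinement.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes the upload root")
    return path


def try_upload(client_filename: str, data: bytes):
    """Return (accepted, path_or_reason) so callers can log rejections."""
    try:
        return True, hardened_save_path(client_filename, data)
    except ValueError as exc:
        return False, str(exc)


JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed sample content
PHP_STUB = b"<?php system($_GET['c']); ?>"         # constructed malicious content

if __name__ == "__main__":
    print(os.path.normpath(vulnerable_save_path("../../www/shell.php")))
    print(try_upload("../../www/shell.php", PHP_STUB))
    print(try_upload("shell.jpg", PHP_STUB))
    print(try_upload("../../www/photo.jpg", JPEG_HEADER))
```

The magic-byte check is deliberately shallow (it stops a PHP file renamed to .jpg, not a polyglot that is both a valid image and a script), which is why the hardened path also keeps uploads outside the web root and never serves them under a client-controlled name.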
Winnti Group and the ShadowPad Backdoor – The Winnti Group is a sophisticated threat actor of Chinese origin that has been active for at least 10 years. It originally focused on the gaming industry but has expanded its range of targets over time, and is motivated by both financial gain and espionage. Security researchers report that Winnti's infrastructure is growing rapidly: the group has compromised many environments and added new types of malware to its arsenal. The latest findings include a backdoor called xDll and new malware samples, among them ShadowPad and Python-based backdoors. ShadowPad is the backdoor previously seen in the CCleaner and ASUS supply-chain attacks. The group is placing these backdoors on the computers of people working from home during the COVID-19 pandemic.
 
AV Signatures:
Riskware/Lsadump Riskware/Mpacket Riskware/ReconTool
W32/APosT.JRH!tr W32/APosT.KCV!tr W32/APosT.KPI!tr W32/APosT.KXI!tr
W32/Agent.FBA!tr.dldr W32/Agent.MYTSMS!tr.bdr W32/Agent.UDE!tr
W32/Agentb.JQCO!tr W32/Androm.EGQQ!tr.bdr W32/Androm.RSPY!tr.bdr
W32/Backdoor!tr W32/Dllhijacker.BB!tr W32/Dloader.X!tr
W32/Generik.EFITIZG!tr W32/Inject.ALNQV!tr W32/Invader.D!tr
W32/PossibleThreat W32/Shadowpad.C!tr W64/Kryptik.BWC!tr

Indicator(s):

Web Filtering:

Baka JavaScript Skimmer Stealing Credit Card Data:
The payment card network Visa has issued a warning to its customers about a new JavaScript credit card skimmer called "Baka" that evades traditional detection methods. The skimmer code is not hard-coded into the compromised website's source. Instead, a script tag with the URL of the skimmer file is injected into the page dynamically, and the skimmer JavaScript is then downloaded from a command-and-control (C2) server when the compromised page loads, so static malware scanners that look for malicious scripts in the stored page source never see it. Once it has stolen the card data, or if it detects that the user has opened the browser's developer tools to inspect the page, the skimmer removes itself from memory, which also frustrates dynamic analysis. Visa has published a list of mitigation actions that should help prevent threat actors from compromising ecommerce stores with credit card skimmers.

Indicator(s):
jquery-cycle[.]com
b-metric[.]com
apienclave[.]com
quicdn[.]com
apisquere[.]com
ordercheck[.]online
pridecdn[.]com
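As an added example (not from Visa's alert or this post), the check below does what a static source scanner cannot: it compares the script tags in the stored page source with those in a snapshot of the DOM as a real browser rendered it, reports any script that exists only at runtime, and matches its host against the defanged indicators listed above. Both HTML documents are constructed samples and the shop hostname is assumed.

```python
"""Added example, not from Visa or the Armoryze post: surface script tags
that exist only in the rendered DOM (injected at runtime, as the Baka
loader is) and match their hosts against defanged indicators. The two HTML
documents are constructed samples; the shop hostname is an assumption."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted from the report above, in their defanged form.
INDICATORS = [
    "jquery-cycle[.]com", "b-metric[.]com", "apienclave[.]com", "quicdn[.]com",
    "apisquere[.]com", "ordercheck[.]online", "pridecdn[.]com",
]


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag, in document order."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def script_srcs(html: str) -> list:
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def refang(indicator: str) -> str:
    """'jquery-cycle[.]com' -> 'jquery-cycle.com'."""
    return indicator.replace("[.]", ".").strip().lower()


def host_of(src: str, page_host: str) -> str:
    """Host a script URL loads from; relative URLs resolve to the page host."""
    return (urlparse(src).netloc or page_host).lower()


def matches_indicator(host: str, bad_hosts: set) -> bool:
    """Exact match or a subdomain of an indicator domain."""
    return host in bad_hosts or any(host.endswith("." + b) for b in bad_hosts)


def find_runtime_scripts(static_html: str, rendered_html: str,
                         page_host: str, indicators=INDICATORS) -> list:
    """Scripts present in the rendered DOM but absent from the static source."""
    static = set(script_srcs(static_html))
    bad_hosts = {refang(i) for i in indicators}
    findings = []
    for src in script_srcs(rendered_html):
        if src in static:
            continue
        host = host_of(src, page_host)
        findings.append({
            "src": src,
            "host": host,
            "third_party": host != page_host.lower(),
            "matches_indicator": matches_indicator(host, bad_hosts),
        })
    return findings


# Constructed samples: the shop's stored checkout page, and the same page
# as a browser rendered it after a runtime-injected loader was added.
STATIC_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/jquery.min.js"></script>
</head><body><form id="payment"></form></body></html>"""

RENDERED_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/jquery.min.js"></script>
<script src="https://jquery-cycle.com/assets/cycle.js"></script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    for finding in find_runtime_scripts(STATIC_HTML, RENDERED_HTML, "shop.example"):
        print(finding)
```

The rendered snapshot has to come from a real browser session walking the checkout flow, because the report notes the skimmer unloads itself when it sees developer tools and a loader may only inject under particular conditions. Any runtime-only third-party script is worth a look even when it matches no indicator, since the indicator list only covers infrastructure already known.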

Our Research & Insights:

Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic

Whitepaper: The Essential Guide to Securing Remote Access

Secure Devops: Learn how to make security integral to your DevOps process.

E-Book: Effective Security Strategies for Devops & Application Services

E-Book: How to Build a Next Generation Security Operations Center


© 2023 Armoryze Consultancy Services, All Rights Reserved