Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

1. UPnP Vulnerability
2. Microsoft Outlook Flaw
3. Gh0st Rat

1. UPnP Vulnerability

Overview

Over 65,000 home routers were discovered to proxy bad traffic for botnets, qualifying as an Advanced Persistent Threat (APT). Botnet operators as well as other cyber-espionage groups have been abusing the Universal Plug and Play (UPnP) protocol that has become standard among modern routers, to hide their real location from investigators.

UPnP is a contemporary feature that makes it easier to interconnect local Wi-Fi-enabled devices and forward ports and services to the Internet. UPnP has become a crucial service, however, it has proven to be woefully insecure for many years and has since been exploited several times. Hackers have newly exploited a flaw in the service that lets the router expose UPnP meant for inter-device discovery via their WAN (Wide Area Network (external Internet)) interface.

Misconfigured UPnP services may allow the injection of malicious routes inside of the router’s NAT (Network Address Translation) Tables, which is a set of rules that controls how IP addresses and ports from the routers internal network are mapped to the Internet. The custom NAT rules let an attacker connect to the router’s public IP with a specific port and then get redirected automatically to another IP and port; it is this vulnerability that hackers can exploit as a proxy server for their illegal operations.

Recommendations

Over 4.8 million routers are potentially vulnerable to the UPnP exploit. Around 400 models and 73 vendors have deemed vulnerable. While mass firmware updates would be ideal from vendors, there are steps that can be taken to mitigate the risks of becoming part of a botnet from the UPnP Proxy:

• If at all possible, disable UPnP
• Replace existing router models that are not affected
• Perform routine audits of NAT table entries for inaccuracies
• Affected models and vendors can be found here: https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf as well as a bash script that can identify vulnerable or actively exploited routers by way of SSH.

2. Microsoft Outlook Flaw

Overview

A serious vulnerability has come to light in the popular mailing application, Microsoft Outlook. The vulnerability would allow attackers to steal sensitive information, including users’ Windows login credentials; convincing victims to preview an email with Microsoft Outlook absent of any required additional user authentication and interaction.

The attackers exploit how Microsoft Outlook renders remotely-hosted Object Linking and Embedding (OLE) content when a Rich Text Format (RTF) email message is previewed and thus automatically initiates a Service Message Block (SMB) connection. SMB connections are used for sharing files.

Microsoft Outlook automatically renders OLE content automatically and will initiate an immediate authentication with the attacker’s own controlled remote server over SMB (445) protocol using the single sign-on (SSO) feature, thus handing over the victim’s username and the NTLMv2 (Microsoft LAN Manager) hashed password; this has the potential to let the attacker gain access to the victim’s system.

Recommendations

The exploitation may leak a user’s IP address, domain name, username, hostname, and password hash. Furthermore, if the user’s password is not complex enough, then an attacker may be able to crack a password in a very short amount of time.

While the patch is considered incomplete, there are still preventative measures one can take to protect their Microsoft Outlook account:

• Avoid clicking on UNC style links that start with “\\”. These likely will connect to an SMB server.
• Apply the latest MS Outlook update
• As feasible, block specific ports (445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp) used for incoming and outgoing SMB sessions.
• Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
• Always use complex passwords, that cannot be cracked easily even if their hashes are stolen (you can use password managers to handle this task).
• Most important, don’t click on suspicious links provided in emails.

3. Gh0st RAT

Overview

Gh0st RAT (Remote Access Terminal) is a trojan Remote Access Tool that is typically used on Windows platforms, and has since been used to hack into some of the most sensitive computer networks on Earth.

Gh0st RAT is capable of taking full control of the remote screen on the infected host. It also provides real time, as well as offline, keystroke logging. The malware is also known to:

• Provide live feed of webcam, microphone of infected host.
• Download remote binaries on the infected remote host.
• Take control of remote shutdown and reboot of host.
• Disable infected computer remote pointer and keyboard input.
• Enter into shell of remote infected host with full control.
• Provide a list of all the active processes.
• Clear all existing SSDT of all existing hooks.

Gh0st RAT consists of two components: client and server. The client is a Controller Application, which is often a Windows application that is used to track and manage Gh0st servers on remote compromised hosts. The main functions of this component is the management and control of Gh0st servers and the ability to create customized server install programs.

Recommendations

A Threat Group named “Iron Tiger” is one of the more prevalent crypto mining bot-farms currently in existence.  Iron Tiger is currently utilizing a variant of Gh0st RAT.

Some Gh0st RAT keywords to look out for:

• 7hero
• Adobe
• B1X6Z
• BEiLa
• BeiJi
• ByShe
• FKJP3
• FLYNN
• FWAPR
• FWKJG
• GWRAT
• Gh0st

For firewall traffic, be on the lookout for the following IPs:

• 23.227.207.137
• 89.249.65.194

Should you notice traffic to these IP addresses, check the offending machine for the following IOCs:

Malicious files directory:

• C:\ProgramData\HIDMgr
• C:\ProgramData\Rascon
• C:\ProgramData\TrkSvr

Malicious service name:

• HIDMgr
• RasconMan
• TrkSvr

Registry Key:

• ‘rundll32.exe_malicious_DLL_path’ in ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.