Netizen Blog and News

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:

1. Remote Keyboard App Vulnerability
2. Cisco Switch Flaw
3. Mirai Botnet
4. Matrix Ransomware
5. Auth0 Bypass Vulnerability

1. Remote Keyboard App Vulnerability

Overview

A popular Android and iOS app known as Intel Remote Keyboard has come under siege as it has been discovered that local attackers can actually inject keystrokes into a remote keyboard session when the application is in use. The app is compatible with Intel’s min-PC platform called Next Unit of Computing (NUC) as well as Intel’s Compute Stick.

The Intel Remote Keyboard application allows Android and iOS users to control their NUC and other Compute Stick devices with their smartphone or tablet using what is known as the peer-to-peer (P2P) network Protocol via Wi-Fi Direct. It was later discovered that a critical escalation of privilege vulnerability was possible in all versions of the Intel Remote Keyboard app. This critical vulnerability would allow an attacker to inject keystrokes as if they were a local user.

Recommendations

In addition to the main vulnerability, two other bugs had been found, granting the attackers the access to execute arbitrary code as a privileged user. Despite the rollout of patches in response to these glaring threats, Intel has intentions of discontinuing the application. There is still a product page for Remote Keyboard, and it is still available for download despite Intel’s statement. We recommend not downloading this app to completely prevent the risk of keyboard injections. If the application is already downloaded, we recommend entirely deleting the app altogether.

2. Cisco Switch Flaw

Overview

Hackers haven begun to exploit and abuse a flaw in misconfigured Cisco switches in an effort to gain a point of entry into organizations across the world. A prior US-CERT advisory had warned that “Russian government cyber actors” and have targeted and infiltrated active organizations in the US energy grid, among other critical infrastructure networks. It is believed that the most recent exploitation of these Cisco switches are related to the same group.

The attack itself targets the Cisco Smart Install (SMI) Client functionality of the Cisco switches. SMI is a legacy utility that is designed to allow a no-touch installation of Cisco switches. The SMI feature has since been superseded by the Cisco Network Plug and Play solution. The problem, however, is not inherent in the switches themselves, but rather in how they are configured. Many Cisco switch owners do not configure or disable the Smart Install protocol, which leaves the SMI client to run and wait in the background for installation or configuration commands. This overlooked switch configuration allows hackers to:

• Modify TFTP server setting to exfiltrate configuration files via the TFTP protocol
• Modify the switch general configuration file
• Replace the IOS operating system image
• Set up local accounts to let attackers log in and execute any IOS commands

Recommendations

Cisco has released the information that over 168,000 SMI-enabled Cisco devices still exist and are exposed on the Internet. We recommend disabling the SMI feature on the Cisco switch if at all possible; SMI operates on port 4786. Instructions for disabling the functionality can be found here: http://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.html

If SMI cannot be disabled for operational reasons, the switch should then be updated to its most recent OS version, which fixes this flaw as well. If it is unknown whether or not SMI-enabled devices exist on the local network, a port scan of the LAN should be able to discover any that allow this utility.

3. Mirai Botnet

Overview

A botnet variant, known as Mirai, was used in at least one major attack against a financial sector company this past January. This is quite possibly the first time an Internet of Things (IoT) botnet has been observed to use a Distributed Denial of Service (DDoS) attack since a previous Mirai botnet takedown of multiple websites in 2017.

The first attack, DNS amplification, occurred in late January of this year. A DNS amplification attack is a reflection-based DDoS attack; look-up requests are spoofed to DNS servers to hide the source of the exploit and direct the response to the target. The second attack targeted a financial sector company which had experienced a DDoS attack, likely using the same botnet.

The companies affected were not identified, however it was disclosed that they are Fortune 500 firms. It was discovered that at least seven IP addresses acted as the controllers for the botnet and more likely than not were involved in the coordination of the attack. One of the companies had their customer services temporarily disrupted, but the full extent of financial or network damage is currently not yet known.

Recommendations

While this is the first botnet DDoS this year, it is reported that creators of a botnet made of infected home and small office routers are selling DDoS attacks for just $20 per target. Popular website and leading software development platform, Github, was also struck with a massive DDoS attack this past March. We recommend implementing the following strategies to any organizations using IoT devices to mitigate the risk of their devices being hacked by a botnet:

• Always replace default manufacturer passwords immediately upon use.
• Keep the firmware for devices current and up to date.
• For IP camera and similar systems that require remote access, invest in a VPN.
• Disable unnecessary services (e.g., Telnet) and close ports that are not required for the IoT device.

4. Matrix Ransomware

Overview

Two new variants of Matrix Ransomware have recently been revealed. The malware is being installed through hacked Remote Desktop services (RDP). Both of these variants encrypt your computer’s files, characteristic of ransomware, however one of these variants is a bit more advanced and debugs more messages and uses ciphers to wipe free space disallowing victims the ability to use file recovery tools to recover their files.

According to reports, this particular strain of ransomware is currently being distributed to victims by way of brute force attacks on Remote Desktop services connected directly to the internet. Once the attackers gain access to a computer, they can then proceed with uploading the Matrix Ransomware installer and then execute it.

As mentioned previously, the two variants of the malware are being installed over a hacked RDP session where they then encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and then encrypt the filenames.

Recommendations

When protecting a company from ransomware, it is always good practice to use proper computing habits and security software. If computers running Remote Desktop services are connected directly to the Internet, make sure they are behind VPNs so that they are only accessible to those with VPN accounts on the company network. It would be useful to employ lockout policies to avert any brute force attack attempts over RDP. A strong defense would also include the implementation of an Antivirus software that operates based on recognized signatures or behaviors. We also recommend:

• Employ routine backups
• Do not open attachments if you do not know who sent them.
• Do not open attachments until you confirm that the person actually sent you them,
• Scan attachments with tools like VirusTotal.
• Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, therefore it is important to keep them updated.
• Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you’re willing to stick with it, could have the biggest payoffs.
• Use hard passwords and never reuse the same password on multiple sites.

Matrix Ransomware variant hashes:

• Variant 1: a26087bb88d654cd702f945e43d7feebd98cfc50531d2cdc0afa2b0437d25eea
• Variant 2: 996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9

Associated Files:

• #Decrypt_Files_ReadMe#.rtf
• !ReadMe_To_Decrypt_Files!.rtf

Associated email addresses:

• RestorFile@tutanota.com,
• RestoreFile@protonmail.com
• RestoreFile@qq.com
• Files4463@tuta.io
• Files4463@protonmail.ch
• Files4463@gmail.com

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Threats:

Listed below is information regarding this week’s most critical threats and preventative measures to lessen the chances of a breach:
1. BranchScope Intel Processor Vulnerability
2. Multiple PHP Vulnerabilities
3. KOVTER Fileless Malware
4. Thieving Android Malware

1. BranchScope Exploit

Overview

Yet another vulnerability has been discovered in Intel processors, known colloquially as BranchScope. This newest threat surfaces in the wake of the Meltdown and Spectre exploits that would, in a manner of speaking, allow an attacker to bypass security measures and steal sensitive data by way of a computer’s processor.

BranchScope in particular resides in a processor’s speculative execution; the method that a processor uses to predict where its current computational task will end. This process enhances the CPU’s speed, letting the chip “speculate” as to what might need to be done later in the command chain. The ultimate goal of speculative execution is to finish the overall task as quickly as possible. With this subtle flaw exploited, hackers with access to the computer will be able to pull data that has been stored from memory that would otherwise be inaccessible to all other applications and users.

Recommendations

BranchScope is currently operating across three generations of Intel processors, grabbing this think-ahead speculative technology and steering it in the wrong direction; exposing critical data and information. With the new exploit, hackers do not even need to have administrator privileges to access where they want to. Data can even be pulled from private regions of memory, known as enclaves, that have been locked away by the processor’s Software Guard Extensions (SGX).

While the exploit is similar to its parent processor vulnerabilities, its ability to take advantage of speculative execution sets it apart, thus paving the way for a slew of new patch and hardware updates in the future. Previous updates and patches in response to Meltdown and Spectre will likely have no effect on BranchScope, however, Intel believes that its current patches should address the BranchScope issue.

Until further fixes are distributed, we recommend staying up to date with software and hardware patches, while also monitoring for any malicious or suspicious activity to systems and hosts.

2. Multiple PHP Vulnerabilities

Overview

Multiple vulnerabilities have been discovered in PHP (Personal Home Page). PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

While there were several vulnerabilities discovered, one of the most severe allows an attacker to execute arbitrary code in the context of the effected application. Different applications offer different level of privilege; depending on the application, a hacker could install programs, view, change, or delete data, or create new accounts with full user rights. If an attacker fails to exploit an application, the attempt could result in a denial-of-service (DoS) condition.

Recommendations

Affected systems include:

• PHP 7.2 prior to 7.2.4
• PHP 7.1 prior to 7.1.16
• PHP 7.0 prior to 7.0.29
• PHP 5.0 prior to 5.6.35

Details of the particular vulnerabilities, are below:

Version 7.2.4

• Bug #62545 (wrong unicode mapping in some charsets).
• Bug #73957 (signed integer conversion in imagescale()).
• Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).
• Bug #75867 (Freeing uninitialized pointer).
• Bug #75873 (pcntl_wexitstatus returns incorrect on Big_Endian platform (s390x)).
• Bug #75961 (Strange references behavior).
• Bug #75969 (Assertion failure in live range DCE due to block pass misoptimization).
• Bug #76025 (Segfault while throwing exception in error_handler).
• Bug #76041 (null pointer access crashed php).
• Bug #76044 (‘date: illegal option — -‘ in ./configure on FreeBSD).
• Bug #76068 (parse_ini_string fails to parse “[foo]nbar=1|>baz”with segfault).
• Bug #76085 (Segmentation fault in buildFromIterator when directory name contains a n).

Version 7.1.16

• Bug #76025 (Segfault while throwing exception in error_handler).
• Bug #76044 (‘date: illegal option — -‘ in ./configure on FreeBSD).
• Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).
• Bug #73957 (signed integer conversion in imagescale()).
• Bug #76088 (ODBC functions are not available by default on Windows).
• Bug #76074 (opcache corrupts variable in for-loop).
• Bug #76085 (Segmentation fault in buildFromIterator when directory name contains a n).
• Bug #74139 (mail.add_x_header default inconsistent with docs).
• Bug #76068 (parse_ini_string fails to parse “[foo]nbar=1|>baz” with segfault).

Version 7.0.29

• Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).

Version 5.6.35

• Bug #75605 (Dumpable FPM child processes allow bypassing opcache access controls).

Currently, there have been no recorded exploits in the wild. To lessen the chance of a breach, we recommend:

• Upgrade to the latest version of PHP immediately, after appropriate testing.
• Verify no unauthorized system modifications have occurred on system before applying patch.
• Apply the principle of Least Privilege to all systems and services.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.

3. Kovter Fileless Malware

Overview

Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.

Kovter is no stranger to the malware game. In fact, it has been around for several years. However, since its creation, is has evolved many times, more recently becoming fileless and was the top most used malware last month.

Fileless malware is malicious coding that exists in memory, rather than having to be installed to the target computer’s hard drive. Fileless malware is directly to a computer’s RAM (Random Access Memory), and is then injected into some running processes.

Recommendations

Since its most recent evolution, Kovter has become much more difficult to detect and mitigate. There are, however, steps that organizations can take to help mitigate and prevent a breach from Kovter:

• Due to its arrival via spam mail, the organization should look into implementing policies that protect against email threats.This includes setting up anti-spam filters that can block malicious emails before they can even reach the endpoint user.
• One of the simplest and most effective ways to stop fileless malware is to apply security updates as soon as they are available. Organizations should ensure that their systems have the latest updates to prevent being infected by fileless malware—especially those that exploit vulnerabilities.
• PowerShell is frequently abused by fileless malware, thus organizations should take necessary precautions to secure this component. This includes implementing steps on properly utilizing PowerShell in operational or cloud environments. Organizations can also list triggers for detection, which can be based on commands known to be used by malicious PowerShell scripts. Threat actors, for instance, often use the “^” symbol to obfuscate their command prompt parameters when invoking PowerShell. Organizations can also consider disabling PowerShell itself if necessary.
• While fileless malware is more difficult to detect, organizations should still put in the effort to monitor and secure all their endpoints. Using firewalls and solutions that can monitor inbound and outbound network traffic can go a long way towards preventing fileless malware from infecting an organization.

4. Thieving Android Malware

Overview

A new Android Trojan masquerading as an antivirus app called Naver Defender, has been secretly recording private phone calls and stealing personal data. Labeled, KevDroid, the malware is what is known as a remote administration tool (RAT) which allows hackers to be able to perform the aforementioned criminal acts, as well as a few other intrusive methods.

This particular type of malware uses an open-source library, readily available on GitHub, which grants the ability to record both incoming and outgoing calls from the compromised Android device. KevDroid has also exhibited the ability to:

• Record audio
• Steal web history and files
• Gain root access
• Steal call logs, SMS, emails
• Collect device location at every 10 seconds
• Collect a list of installed applications

All of this stolen data is then collected and sent to an attacker-controlled command and control (C2) server, hosted on PubNub, a global Data Stream Network, using an HTTP POST request.

Recommendations

The stolen data retrieved off of an individual’s Android could spell disaster. Personal information of that type could lead to possible kidnapping, blackmail by way of images or secret information, credential harvesting, MFA access, banking/financial information, access to privileged accounts, compromised email, etc.

This is what we recommend to keep an Android device secure:

• Never install applications from 3rd-party stores.
• Ensure that you have already opted for Google Play Protect.
• Enable ‘verify apps’ feature from settings.
• Keep “unknown sources” disabled while not using it.
• Install anti-virus and security software from a well-known cybersecurity vendor.
• Regularly back up your phone.
• Always use an encryption application for protecting any sensitive information on your phone.
• Protect your devices with pin or password lock so that nobody can gain unauthorized access to your device when remains unattended.
• Keep your device always up-to-date with the latest security patches.

How can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Threats:

Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:
1. Mabna Intrusion
2. Leaky etcd Servers
3. Atlanta City Government Breached

1. Mabna Intrusion

Overview

Malicious cyber actors have been detected from the Iran-based Mabna Institute. These threat actors were conducting numerous password spray attacks against organizations worldwide, including the United States. Password spray attacks work much like brute force attacks in that they bombard logins with different passwords, trying for one that works. Brute forcing can be halted, somewhat, but lockout functionalities; spray attacks circumvent this lockout functionality by trying only a few of the most common passwords against multiple user accounts.Common symptoms among victims included a lack of multi-factor authentication (MFA), missing preventative network activity alerts, and the permitted use of easy-to-guess passwords.

The Mabna threat actors mainly targeted organizations utilizing single sign-on (SSO) capabilities and cloud-based applications that use federated authentication protocols (Secure Shell, SSL/TLS, HTTPS, Kerberos). The malicious efforts seemed largely focused on Microsoft Office 365 (O365). Once a victim has been compromised, the threat actors would then use inbox synchronization to obtain unauthorized access to the organization’s email directly from the cloud; this would then allow them to download user mail to locally stored email files. Mabna could then also implement inbox rules for the forwarding of sent and received messages in email clients like MS Outlook.

Recommendations

Mabna targets SSO simply because there is a single point of compromise, letting them access large amounts of intellectual property. A good sign that is indicative of a password spray attack would be a massive spike in attempted logons to the company portal or other web-based applications; also, employee logins from IP addresses that resolve out to locations that are inconsistent with their normal locations. We recommend the following:

• Enable and utilize MFA capabilities as an added layer of security.
• Review password policies to ensure the complexity of employee passwords. They should not be dubbed “easy-to-guess”.
• Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating a security gap Mabna can exploit.
• Employ end-user awareness and training. The more that employees are versed in basic cyber-security principles, the safer the organization will be.

2. Leaky etcd Servers

Overview

Thousands of etcd servers have been leaking near 750mb worth of passwords and keys; etcd servers are types of databases that computing clusters and other types of networks use to store and distribute passwords and configuration settings needed by various servers and applications. Thousands of these servers, which are operated and utilized by various businesses and organizations, now have been discovered to be openly sharing credentials. These openly shared credentials may allow anyone on the Internet to log in, read, or modify potentially sensitive data stored online.

Etcd (or /etc distributed) servers contain an interface that responds to simple queries that, by default, return administrative login credentials without first prompting authentication. The passwords, encryption keys, and other credentials can be used to access MySQL and PostgreSQL databases, content management systems (CMS) such as WordPress, as well as other production servers. One of the biggest concerns would be a threat actor gaining root access to one of these databases or systems.

Recommendations

Data retrieved from these numerous servers included:

• 8,781 passwords. For obvious reasons, this is incredibly bad for threat actors to obtain. This is especially true if the only thing protecting the etcd server is a simple password.
• 650 Amazon Web services access keys. An end-user needs these access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
• 23 secret keys. Secret keys are pieces of information, or parameters, that are used to encrypt and decrypt messages in either symmetric or secret-key encryption.
• 8 private keys. Private keys are used to decrypt a public key encrypted message. A stolen private key could be used to decrypt intercepted data.

Many of the servers were also found with very poor security practices, including simple easy-to-guess passwords. The following recommendations should be considered with etcd servers:

• Use MFA when possible to prevent credentials from being used on their own to gain access to the servers they protect.
• Whenever possible, etcd servers should not be exposed to the Internet.
• Admins should change their default settings so that the servers pass credentials only when users authenticate themselves.
• Anyone maintaining an etcd server should consider changing the default behavior to require authentication. Making authentication optional and turning it off by default is never a good idea, however, users will often deploy systems with default settings.
• Configure a firewall rule to avoid unauthorized individuals from querying the etcd server.
• Perform security reviews and checks for all externally facing infrastructure.

3. Atlanta City Government Breach

Overview

The Atlanta City Government has been breached with a large-scale ransomware attack that has since locked down and encrypted several departmental systems containing sensitive data. Ransomware is a type of malware that encrypts a victim’s files on their computer. Upon discovery of the locked down files, a message appears demanding a ransom be paid (typically in the form of bitcoin) in which the files will then be decrypted. In this Atlanta case, the threat actors demanded a ransom of $6800 dollars per unit or $51,000 to unlock the entire system; again, all in bitcoin. Officials are still assessing the scope and entirety of the attack.

This most recent exploitation was launched in the wake of the similar Allentown City Government breach. In February, Emotet, a banking trojan malware, was used to steal financial information by injecting computer code into the shared folders and drives of connected computers on the Allentown City network. While it is not certain if the attacks are linked, both would have required a considerable amount of skill from an organized group and have similar methods of attack and operation.

Recommendations

To prevent a ransomware attack, we recommend:

• Implement MFA (Multi-Factor authentication).
• Employ account lockout policies and user permission/restriction rules to create a resistance to Brute Force Attacks.
• Utilize encryption channels to help prevent attackers from snooping on remote connections.
• Back up your files/data offsite in a secure location. Should you fall victim to ransomware, you will at least have a backup. It is also good security practice to verify the integrity of that backup process.
• Audit logs for all remote connection protocols.
• Audit logs to ensure all new accounts were intentionally created.
• Scan for open or listening ports, and mediate.
• Update and patch systems regularly.
• To prevent ransomware by way of social engineering, conduct regular meetings to inform and educate employees on proper cyber-hygiene (how to spot a phishing email, using complex passwords, lock your computer when leaving the workstation).

If already infected:

• Disconnect from the internet, so as not to infect other machines.
• Report to law enforcement.
• Seek help from a technology professional who specializes in data recovery to see what options you have.
• Do not pay the ransom. It is not guaranteed that you will get your data back, as these people are criminals, and your funds to the threat actors will only supplement their illegal activities.

How can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Threats:

Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

1. IoT Risks in Healthcare
2. Text Editors Plugin Vulnerability
3. Leaky VPNs

1. IoT Risk in Healthcare

Overview

IoT, or Internet of Things, is a system of physical things that are embedded with software, sensors, electronics, and network connectivity. IoT functions by exchanging information with other connected devices, internet-based systems, or other types of control systems. IoT is especially prevalent in the Healthcare industry where it is used for inventory tracking, various medical devices (life support, inhalers, pacemakers, etc.) and remote patient monitoring equipment to name a few.

Like anything connected to a network, there are risks. IoT devices in the Healthcare industries often lack proper security implementations, if there are any at all. Healthcare organizations have a very important need to protect their IoT devices from cyberattacks, especially since the lives of people are on the line should something go wrong.

Recommendations

Solutions for IoT devices are not always the easiest to implement—however there are actions that an organization can take to better protect their healthcare equipment and people:

• Identify all IoT devices on the network, no matter how long it has been there. You cannot protect what you don’t know is there.
• Data flows should be documented to ascertain what is needed and what is unnecessary and does not add value. With this knowledge, the network can be segmented appropriately—firewalling off any unneeded traffic.
• Control the acquisition and implementation process—smart tv’s, fridges, etc. could open subtle channels for attackers to use to gain entry inside of the network. This happened in the well-known Target breach several years ago where a smart refrigerator was used to inject malware into the network and steal credit card numbers.
• Perform regular vulnerability assessments on internal and external networks to reveal any hidden weaknesses or openings into environment. These risks should then be reviewed at regular intervals, implementing mitigation strategies as feasible.
• Have a structured plan for the organization. Identify key stakeholders, establish security objectives, and coordinate actions to implement controls across the IoT spectrum.

2. Text Editors Plugin Vulnerability

Overview

Text editors like Sublime, Vim, Emacs, Gedit, and pico/nano are used by developers, editors and writers to edit things like files and documents. Advanced editors, like the aforementioned, offer users extendibility by allowing the installation and running of third-party plugins to extend the editor’s functionality and scope.

However, there’s inadequate separation of regular and elevated modes when loading plugins for these editors. For example, technical users will often need to edit “root-owned” files, requiring an editor with those elevated privileges and this could allow attackers to run malicious code on a victim’s machine, possibly taking full control of a targeted system.

Recommendations

Until developers of text editors change the folders and file permission models to complete the separation between regular and elevated or provide a manual interface for users to approve the elevated loading of plugins, we recommend:

• Utilize open-source, host-based, intrusion detection systems (OSSEC, Snort, Kismet).
• Actively monitor system activity, files integrity, logs, and processes.
• If at all possible, avoid loading third-party plugins when the text editor is in an elevated state of permission.
• Deny “write” permissions for non-elevated users.

3. Leaky VPNs

Overview

Three popular VPN services were discovered to be leaking sensitive data. HotSpot Shield, PureVPN, and Zenmate contain vulnerabilities that could compromise a user’s privacy—including real IP addresses and their actual locations—allowing governments, hostile organizations, or other individuals to see this information.

Three separate vulnerabilities were found HotSpot Shield, which has since been fixed by the company in later updates:

• Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect victim’s web traffic to a malicious site.
• DNS leak (CVE-2018-7878) — DNS leak flaw in Hotspot Shield exposed users’ original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
• Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track user’s real location and the ISP. the issue occurred because the extension had a loose whitelist for “direct connection.” Researchers found that any domain with localhost, e.g., localhost.foo.bar.com, and ‘type=a1fproxyspeedtest’ in the URL bypass the proxy and leaks real IP address.

It should be noted that these vulnerabilities were found in HotSpot Shield’s free Chrome plugin, and not in their desktop or smartphone apps. It is likely that there are similar vulnerabilities in the Chrome plugins of PureVPN and Zenmate but they have not yet been formally disclosed and no patches have been made to fix them. These risks may be prevalent in other VPN services outside of the three listed here.

Recommendations

If using any of these services, we recommend:

• Check with the vendor as to the status of the vulnerabilities—have they been fixed? Is anything being done?
• Do no use the Chrome plugin associated with these services—it is not secure.
• If using HotSpot Shield, apply current patches.

For the time being, discontinue VPN services with Zenmate and PureVPN—at least until patches have been released for the leaks.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Threats:

Listed below is information regarding three of this week’s most critical threats and preventative measures to lessen the chances of a breach:

1. Fruitfly/Quimitchin Malware
2. Chrome WebUSB Vulnerability
3. Slingshot Router Vulnerability

1. Fruitfly/Quimitchin Malware

Overview

The Fruitfly Malware, discovered primarily in macOS systems, is using antiquated code to help run undetected and has been reported to attack biomedical research institutions. Some of the code involved also shows signs of running on Linux as well.

Fruitfly, known as OSX.Backdoor.Quimitchin when detected, is used to access user information, log keystrokes to gather credentials, and pivot into other systems and services. It contains just two files: one hidden script is used to communicate back to servers—taking screenshots and reporting system uptime—the second script grants the malware the ability to hide its icon from showing in the macOS Dock. The malware’s primary intention is to grab screenshots and gain webcam access.

Antiquated software Fruitfly runs on includes: SGGetChannelDeviceList, SGSetChannelDevice, SGSetChannelDeviceInput, and SGStartRecord.

Recommendations

The attack vector for Fruitfly includes these externally facing services:

• Apple Filing Protocol (AFP, port 548)
• RDP or other VNC
• SSH (port 22)
• Back to My Mac (BTMM)

The following are network indicators of Fruitfly/Quimitchin presence:

• eidk.duckdns.org
• h8cnq8.duckdns.org
• hh4de2.duckdns.org
• hlkmm2.duckdns.org
• hnqi24.duckdns.org
• fejose2.duckdns.org
• fovdim2.duckdns.org
• eidk.hopto.org
• eutq.hopto.org
• tmp1.hopto.org
• tmp2.hopto.org
• h8cnq8.hopto.org
• hh4de2.hopto.org
• hlkmm2.hopto.org
• hnqi24.hopto.org
• fejose2.hopto.org
• fovdim2.hopto.org

Mac host-based indicators:

• ~/Library/LaunchAgents/com.client.client.plist
• ~/Library/LaunchAgents/com.adobe.ARM.<16 random alphanumeric characters>.plist
• ~/.tmp
• ~/.client
• ~/fpsaud
• ~/Library/Application Support/<16 random alphanumeric characters>
• ~/.cr or ~/.cr2

Windows host-based indicators:

• Path of %PROGRAMFILES%\Sophos Suite for NT\
• Custom (per infection) executable with ‘SAVCleanupService.exe’ or ‘SAVservice.exe’
• C:\a.exe
• C:\ab.exe
• C:\client.exe

Our recommendations will vary in response to different networks, however, system credentials should be both strong, complex, and updated at regular intervals. It is also important to keep antivirus software up to date for the best possible chance of catching malware. It would also prove beneficial to conduct a vulnerability assessment of the local network in its entirety to discover deep rooted malware, such as this, that may be hidden without knowledge.

2. Chrome WebUSB Vulnerability

Overview

Multifactor Authentication (MFA) has been widely used as an added layer of security for credentials and logins. A common example of MFA would be logging into a work account and after entering the password, a verification notification is sent to a user’s phone by way of app or text message to confirm the valid sign-in. While this method is common, there are many other methods—one of which is YubiKey.

YubiKey utilizes a token system, in which a USB device is inserted very much like a regular key. To login, a user would enter their username, plug in their YubiKey and physically press the key to gain access—meaning you cannot log into this account without that key—making this incredibly useful against phishing attempts. Sounds secure right?

A new browser feature in Google Chrome, known as Chrome WebUSB (or WebUSB, is being exploited to potentially bypass the account protections of any victim using a YubiKey.

With a carefully crafted phishing website, a hacker can trick a victim into typing their username and password—which is just standard phishing—but will then send a query directly from their malicious site to the victim’s YubiKey, using that response to unlock that person’s account.

Recommendations

Chrome WebUSB allows websites to directly connect to USB devices, and until a patch is released, we recommend:

• If feasible do not use tokens like YubiKey on Chrome
• Verify the sites that you are using are legitimate. It is worth noting that these hackers have to prompt the victim’s permission to enable WebUSB access to their YubiKey as well as the physical touch of the key. Do not enable if you do not trust the site.
• Be aware of phishing attempts, often appearing as trustworthy emails which contents may be intimidating or even threating—asking for account/billing updates—claiming a consequence if the required materials are not met.

3. Slingshot Router Vulnerability

Overview

A new cyber-threat, known as Slingshot, is a form of cyber-espionage that targets routers and uses them as a launch pad to attack other computers within a network—collecting screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, clipboard data and more, although its kernel access means it can steal whatever it wants. This new Slingshot campaign utilizes a wide variety of tools and techniques, making it a much more complex attack than most other malware.

During the configuration process of the router, the router’s managements software downloads and runs the malicious module on the administrator’s computer. As it currently stands, the method of hacking is currently unknown.

Once the router is infected, Slingshot then downloads a range of additional malware modules onto the device—most notably, Cahnadr and GollumApp. The two pieces of malware link together to support each other in gathering information. Cahnadr, in particular, initiates a kernel-mode program that executes malicious code without crashing the entire file system. The complexity of Slingshot itself is indicative of a highly organized group—if not an entity that is state sponsored.

Recommendations

As it appears, individual victims are the main focus rather than organizations, however, there have still been some government institutions being targeted. Current research suggests that MikroTik routers are the only devices affected, although some victims could have been infected through other means.

We recommend to all MikroTik users to upgrade their routers to the latest firmware version as soon as possible. We recommended other brands of routers be upgraded/updated as well, and to also keep all antivirus software current and up to date. Finally, workstation’s and systems should be patched accordingly, as some vulnerable services on these system may have also allowed Slingshot to enter the network.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.