25 Jan 2018

Week in review

AUSCERT Week in Review for 25th January 2018

Greetings,

It’s hard not to include a bunch of crypto currency related articles because it’s all happening in that sphere right now. Malware authors have targeted individuals who are keen to get into the crypto currency market. South Korea isn’t the only country taking action against crypto currency operators. Some cybercrime organisations have really got their house in order when it comes to managing their business operations.

Though it’s taken a backseat to the Bitcoin wars, ransomware is by no means less of a threat this year, with new variants popping up every week.

Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week:

Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More

Date Published: 24/01/2018
Authors:  CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin and Razor Huang
Excerpt: “Few cybercrime groups have gained as much notoriety—both for their actions and for their mystique—as the Lazarus group. Since they first emerged back in 2007 with a series of cyberespionage attacks against the South Korean government, these threat actors have successfully managed to pull off some of the most notable and devastating targeted attacks—such as the widely-reported 2014 Sony hack and the 2016 attack on a Bangladeshi bank—in recent history. Throughout the Lazarus group’s operational history, few threat actors have managed to match the group in terms of both scale and impact, due in large part to the wide variety of tools and tactics at the group’s disposal.”
—–

Large Scale Monero Cryptocurrency Mining Operation using XMRig
Date Published: 24/01/2018
Author: Josh Grunzweig

Excerpt: “Palo Alto Networks Unit 42 has observed a large-scale cryptocurrency mining operation that has been active for over 4 months. The operation attempts to mine the Monero cryptocurrency using the open-source XMRig utility. Based on publicly available telemetry data via bitly, we are able to estimate that the number of victims affected by this operation is roughly around 15 million people worldwide. This same telemetry provides insights into the most heavily targeted areas involving this campaign, which impacts southeast Asia, northern Africa, and South America the most.”
—–

Fake cryptocurrency wallet carries ransomware, leads to spyware
Date Published: 23/01/2018
Author: Zeljka Zorz

Excerpt: “The fake wallet is apparently being advertised on a variety of online forums. The link takes users to a page explaining what SpriteCoin is and offers a link to download the wallet.

Once the victim downloads and installs the offered executable (spritecoind.exe), they are asked to enter a password for the wallet and to wait until the app downloads the blockchain:

 

Unfortunately for the victims, there is no real SpriteCoin, and the software does not download a blockchain.”
—–

Onecoin’s Bulgarian Offices Raided by Law Enforcement, No Arrests Made
Date Published: 22/01/2018
Author: JP Buntinx
Excerpt: “Surprisingly, this initiative was not something Bulgarian officials undertook on their own initiative. Instead, they were asked by German officials, where the Onecoin founder Ruja Ignatova has been taken to court. However, Ignatova was born in Bulgaria, which makes this raid a logical course of action. It is evident there are still plenty of skeletons in the closet of this company, and it is now up to law enforcement to bring them to light. Ignatova stepped down as the CEO of Onecoin a while ago, a move that clearly showed she knew what was eventually coming.

With over three million people subscribing to the Onecoin “packages”, it is evident there is a very real chance that every single one of them has lost money in the process. This alone is a very worrisome thought, but it is also possible that the total number of defrauded victims is a lot higher. In Bulgaria, the company is suspected of money laundering, illegal payments, and commercial fraud. With this in mind, it seems to make little sense that no one has been arrested so far. At the same time, it is unclear if authorities are looking for specific individuals who may or may not work at the Bulgarian Onecoin office at this time”
—-

A Look into the Lazarus Group’s Operations

Date Published: 24/01/2018
Authors:  Trend Micro Blog
Excerpt: “What do the 2014 Sony hack and the 2016 Bangladeshi bank attacks have in common? Aside from being two of the most noteworthy cybercrime incidents of the past few years, these seemingly unrelated attacks are tied together by a common thread: their perpetrator, a cybercrime group called Lazarus.

Few cybercrime groups throughout history have had as much disruptive power and lasting impact as the Lazarus Group. Ever since their first attacks, which involved DDoS operations against various organizations across different industries, the group has managed to step up their attacks even further. Two of the group’s most notable campaigns include the 2014 Sony hack, which involved sensitive company and personal information, and the 2016 Bangladeshi bankattack that stole millions of dollars from the financial institution.”
—–

desuCrypt Ransomware in the Wild with DEUSCRYPT and Decryptable Insane Variants
Date Published: 22/01/2018
Author: Lawrence Abrams
Excerpt: “When desuCrypt is executed, it will display a console windows that displays the current status of the encryption process. This window will stay open until the ransomware has finished encrypting the computer.

According to Michael Gillespie, the creator of ID-Ransomware, at least the Insane variant of desuCrypt is encrypting files using RC4 encryption. This RC4 key is further encrypted using an embedded RSA-2048 key and then embedded at the end of each encrypted file.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.0236 – [Apple iOS] Apple iOS: Multiple vulnerabilities
Apple released security updates for numerous products, including this one for iOS. It contains a number of security fixes including one for a privilege escalation vulnerability that could grant root privileges to an attacker.

2) ESB-2018.0241 – [Win] Advantech WebAccess/SCADA: Multiple vulnerabilities
Advantech released updates for its WebAccess/SCADA browser-based Human Machine Interface products, that are vulnerable to SQL injection attacks. Successful attacks could allow attackers to obtain confidential information from SCADA infrastructure.

3) ASB-2018.0036 – [Win][UNIX/Linux] Mozilla Firefox ESR: Multiple vulnerabilities
Mozilla released updates for Firefox and Firefox ESR to address a large number of vulnerabilities in the web browsers. The most severe of these vulnerabilities could lead to remote code execution. These fixes have been incorporated into OS updates for RedHat, Debian and Ubuntu.

Stay safe, stay patched, stay cool and have a good weekend!

Nicholas