
NETWORK INTELLIGENCE SECURITY ADVISORY

The major security news items of the month: major threats and breaches. The advisory also includes IOCs and remediation steps.

Digest: June 2019, Edition 2.0

IN THIS EDITION:

Security Advisory Listing (with Severity)

• OilRig (APT34) threat actors found targeting Microsoft Exchange servers owned by Government, Telecom, Educational Institutions and IT service providers in the Middle East, Europe and Asia (Severity: High)
• A zero-day exploit code for an Elevation of Privilege vulnerability (CVE-2019-0841) in Microsoft Windows products is being actively used to wipe databases hosted on the Windows platform (Severity: Critical)
• A critical Authentication Bypass vulnerability (CVE-2019-12498) in WordPress's WP Live Chat Support plugin might potentially cause a data breach (Severity: Critical)
• TA505 Group, an APT threat actor, found targeting Retailers, Banking and Financial Institutions in Latin America, East Asia and other countries on a global scale (Severity: Critical)
• BlackWater malware campaign from the well-known APT group "MuddyWater" continued to target Government and Critical sectors in the Middle East (Severity: High)

ALSO INSIDE

• Data Breach Highlights

To know more about our services reach us at [email protected] or visit www.niiconsulting.com


BlackWater malware campaign from the well-known APT group "MuddyWater" continued to target Government and Critical sectors in the Middle East

SECURITY ADVISORY

Severity: High
Date: May 21, 2019

INTRODUCTION

The BlackWater malware campaign from the well-known APT group "MuddyWater" continues to target Government and Critical sectors in the Middle East. The attack is delivered via a highly obfuscated macro-enabled Word document received through a spear-phishing email. When the victim opens the document, it prompts the user to enable macros. Once the victim clicks "Enable Macro", the BlackWater malicious code executes directly in memory and writes a PowerShell script into the "Run" registry key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding, to maintain persistence on the victim's computer. The injected PowerShell script then calls the file "\ProgramData\SysTextEnc.ini" every 300 seconds; "SysTextEnc.ini" acts as a stager that reaches out to the attacker's C2 server for further instructions, including deployment of FruityC2 (an open-source tool) to enumerate connected computers within the network range. The injected PowerShell script also invokes Windows Management Instrumentation (WMI) to run multiple queries that collect system information such as the operating system (OS) version, OS architecture, hostname, domain name, user account details and the public IP address of the computer. This information is sent to the C2 server, which lets the attacker decide which exploits to run next to gain elevated access on the compromised computer and move laterally across connected computers within range.

IMPACT

This poses a serious risk of data breach and financial loss, and might impact the reputation of an organization.

REMEDIATION

• Immediately apply the security patches for Microsoft vulnerabilities CVE-2019-0734, CVE-2019-0892, CVE-2019-0936 and CVE-2019-0708 on Windows workstations and servers.
• Ensure Microsoft Windows workstations and servers are up to date with the latest security patches.
• Kindly block the mentioned IP addresses/domains on security devices.
• Kindly block hashes that are not detected by your antivirus program or not known to your antivirus vendor.

TARGETED CVE IDs

• CVE-2019-0734
• CVE-2019-0892
• CVE-2019-0936
• CVE-2019-0708

VULNERABILITY

Microsoft Windows Workstation and Server Products

READ

• Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
• MuddyWater Hacking Group Upgrades Arsenal to Avoid Detection
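As an added illustration of how the persistence and beaconing behaviour described above can be hunted for in endpoint telemetry (example code written for this digest, not from the advisory or the researchers it cites), the following Python checks constructed log lines for the Run-key value and stager file named in the advisory, and for a PowerShell process launched at the 300-second interval. The log format, the tolerance and the minimum number of regular launches are assumptions.

```python
from datetime import datetime

# Constructed sample telemetry (not real logs): "timestamp|event|detail" per line.
SAMPLE_LOG = """\
2019-05-20T09:00:00|RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding
2019-05-20T09:00:01|FileCreate|C:\\ProgramData\\SysTextEnc.ini
2019-05-20T09:00:02|ProcessCreate|powershell.exe
2019-05-20T09:05:02|ProcessCreate|powershell.exe
2019-05-20T09:10:03|ProcessCreate|powershell.exe
2019-05-20T09:15:02|ProcessCreate|powershell.exe
2019-05-20T09:07:30|ProcessCreate|notepad.exe
"""

# Persistence indicators as named in the advisory (matched case-insensitively).
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding".lower()
STAGER = r"\ProgramData\SysTextEnc.ini".lower()


def parse(log):
    """Split the assumed line format into (datetime, event kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, kind, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def find_persistence(events):
    """Return (indicator, detail) for the Run-key value and stager file."""
    hits = []
    for _, kind, detail in events:
        d = detail.lower()
        if kind == "RegistrySet" and d.endswith(RUN_KEY):
            hits.append(("run_key", detail))
        elif kind == "FileCreate" and d.endswith(STAGER):
            hits.append(("stager_file", detail))
    return hits


def find_beacon(events, image="powershell.exe", period=300, tolerance=5, min_hits=3):
    """True if `image` is launched at a steady ~period-second cadence.

    Assumed heuristic: min_hits consecutive launches whose gaps are within
    `tolerance` seconds of `period` (the advisory's 300-second stager call).
    """
    times = sorted(ts for ts, kind, detail in events
                   if kind == "ProcessCreate" and detail.lower().endswith(image))
    run = 1
    for earlier, later in zip(times, times[1:]):
        if abs((later - earlier).total_seconds() - period) <= tolerance:
            run += 1
            if run >= min_hits:
                return True
        else:
            run = 1
    return False
```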


A zero-day exploit code for an Elevation of Privilege vulnerability (CVE-2019-0841) in Microsoft Windows products is being actively used to wipe databases hosted on the Windows platform

SECURITY ADVISORY

Severity: Critical
Date: May 24, 2019

INTRODUCTION

A zero-day exploit code for an Elevation of Privilege vulnerability (CVE-2019-0841) in Microsoft Windows products is being actively used to wipe databases hosted on the Windows platform. This Elevation of Privilege vulnerability exists because the Windows AppX Deployment Service (AppXSVC) improperly handles hard links. Successful exploitation would allow an attacker to run processes in an elevated context; the attacker could then install programs and view, change or delete data. For instance, an attacker can integrate this exploit code into modular malware, which would allow deployment of predefined intrusive scheduled task files (.job) into the system directory "C:\Windows\Tasks" of the victim's computer (running Windows 8 or a higher version), followed by the schtasks.exe and schedsvc.dll files (from a Windows version earlier than Windows 8) to execute the intrusive scheduled task files on Windows 10 or higher through a command such as "schtasks /change /TN taskname /RU username /RP password". schedsvc.dll has a function called tsched::SetJobFileSecurityByName(), which sets the permissions of job files in the directory "C:\Windows\Tasks" to grant full permissions on the deployed intrusive job files. At the point where the SetSecurityInfo() function is called, the Task Scheduler service holds the NT AUTHORITY\SYSTEM security token. This means that the Task Scheduler service can give full user access permissions to intrusive job files that should only be controlled by SYSTEM or other privileged accounts. Intrusive job files may contain file/directory deletion instructions to wipe important data or entire database files hosted on vulnerable Windows platforms.

IMPACT

This poses a serious risk of data loss and might cause disruption in business operations.

REMEDIATION

• Immediately apply the security patch for Microsoft vulnerability CVE-2019-0841 on Windows workstations and servers.
• Ensure Microsoft Windows workstations and servers are up to date with the latest security patches.
• Kindly enable logging for Event ID 4664 and ensure this event is monitored by creating a use-case on the SIEM.

TARGETED CVE IDs

• CVE-2019-0841

VULNERABILITY

• Windows 10 Version 1703 for 32-bit & x64-based Systems
• Windows 10 Version 1709/1803/1809 for 32-bit, x64-based & ARM64-based Systems
• Windows Server 2016 and Server Core installation
• Windows Server 2019 and Server Core installation
• Windows Server, version 1709/1803 (Server Core installation)

READ

• CVE-2019-0841 | Windows Elevation of Privilege Vulnerability
• Demo Exploit Code Available for Privilege Escalation Bug in Windows
• Microsoft Windows Task Scheduler privilege escalation vulnerability
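The remediation above asks for Event ID 4664 (an attempt was made to create a hard link) to be logged and turned into a SIEM use-case. As an added example that is not part of the advisory, the following Python sketches such a use-case over constructed, simplified 4664 records: it alerts when a non-SYSTEM account creates a hard link whose source or destination lies under the Windows directory, calling out the "C:\Windows\Tasks" job directory named in the advisory. The one-line record format, the field names and the heuristic itself are assumptions.

```python
# Constructed, simplified Event ID 4664 records (one per line, key=value pairs);
# real events carry the Subject / File Name / Link Name data in event XML.
SAMPLE_EVENTS = """\
EventID=4664;Account=CORP\\alice;FileName=C:\\Users\\alice\\AppData\\Local\\Temp\\x.job;LinkName=C:\\Windows\\Tasks\\update.job
EventID=4664;Account=NT AUTHORITY\\SYSTEM;FileName=C:\\Windows\\System32\\a.dll;LinkName=C:\\Windows\\WinSxS\\a.dll
EventID=4664;Account=CORP\\bob;FileName=C:\\Users\\bob\\notes.txt;LinkName=C:\\Users\\bob\\backup.txt
EventID=4663;Account=CORP\\alice;FileName=C:\\Users\\alice\\x.txt
"""

# Assumed use-case thresholds: the Task Scheduler job directory from the
# advisory is called out explicitly; anything else under C:\Windows is a
# lower-confidence alert. Lower-cased for case-insensitive matching.
TASKS_DIR = "c:\\windows\\tasks\\"
WINDOWS_DIR = "c:\\windows\\"


def parse_events(text):
    """Turn the key=value lines into dicts, keeping only 4664 records."""
    records = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        if fields.get("EventID") == "4664":
            records.append(fields)
    return records


def classify(rec):
    """Return an alert reason for a 4664 record, or None if it looks benign."""
    if rec["Account"].lower().endswith("\\system"):
        return None  # SYSTEM creating hard links is expected (servicing, WinSxS)
    paths = [rec["FileName"].lower(), rec["LinkName"].lower()]
    if any(p.startswith(TASKS_DIR) for p in paths):
        return "hard link touching Task Scheduler job directory"
    if any(p.startswith(WINDOWS_DIR) for p in paths):
        return "hard link touching Windows directory"
    return None


def hard_link_alerts(text):
    """List (account, link name, reason) for every suspicious 4664 record."""
    alerts = []
    for rec in parse_events(text):
        reason = classify(rec)
        if reason:
            alerts.append((rec["Account"], rec["LinkName"], reason))
    return alerts
```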


OilRig (APT34) threat actors found targeting Microsoft Exchange servers owned by Government, Telecom, Educational Institutions and IT service providers in the Middle East, Europe and Asia

SECURITY ADVISORY

Severity: High
Date: June 04, 2019

REMEDIATION

• Immediately apply the security patches for Microsoft Exchange vulnerabilities CVE-2019-0686, CVE-2019-0724 and CVE-2019-0586.
• Ensure Microsoft Exchange Server follows the security hardening guideline.
• Ensure a strong password policy is implemented on the Microsoft Exchange server.
• Ensure any intrusion or abusive attack on Microsoft Exchange Server is closely monitored for.
• Strictly use least-privilege accounts throughout the enterprise-wide network.
• Strictly restrict inbound communication on ports 135, 139, 445 and 3389 from external networks (Internet).
• Kindly restrict access on ports 135, 139, 445 and 3389 for servers in production; access should only be granted when needed.
• Ensure PowerShell and Remote Desktop features are disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is disabled on connected Windows systems.
• Ensure macros are disabled in Microsoft Office products on connected Windows systems.
• Ensure ActiveX controls are disabled in Office files.
• Ensure ActiveX controls are disabled in Internet Explorer.
• Ensure internet-facing devices, applications and services use strong and complex passwords.
• Kindly block the mentioned IP addresses/domains/URLs on security devices.
• Kindly block hashes that are not detected by your antivirus program or not known to your antivirus vendor.

IP ADDRESSES

DOMAINS

• myleftheart.com


A critical Authentication Bypass vulnerability (CVE-2019-12498) in WordPress's WP Live Chat Support plugin might potentially cause a data breach

SECURITY ADVISORY

Severity: Critical
Date: June 11, 2019

INTRODUCTION

A critical Authentication Bypass vulnerability (CVE-2019-12498) in WordPress's WP Live Chat Support plugin, version 8.0.32 and earlier, could allow a remote attacker to gain unauthorized access to the REST API functionality without valid credentials. The vulnerability is due to improper validation of user-provided credentials and their associated permissions by the "wplc_api_permission_check()" function. Successful exploitation would allow a remote attacker to exfiltrate chat logs and manipulate chat sessions, including extracting the entire chat history for all chat sessions, injecting arbitrary messages into active chat sessions while posing as an agent, editing injected messages to retroactively conceal what they contained, and arbitrarily ending active chat sessions as part of a denial of service (DoS) attack. This vulnerability poses a serious risk of unauthorized access to, and breach of, consumer data such as customer names, contact details and support queries.

IMPACT

Successful exploitation would allow a remote attacker to exfiltrate chat logs and manipulate chat sessions. This vulnerability poses a serious risk of unauthorized access to, and breach of, consumer data such as customer names, contact details and support queries.

VULNERABILITY

WordPress's WP Live Chat Support plugin, version 8.0.32 and earlier, is affected.

REMEDIATION

• Kindly upgrade to WordPress's WP Live Chat Support plugin version 8.0.34, and update the respective PHP platform to stable version 7.3.6 (for PHP 7.3.x), 7.2.19 (for PHP 7.2.x) or 7.1.30 (for PHP 7.1.x).
• Ensure proper access controls are in place on the web application server and on any interconnected databases such as MariaDB, MongoDB or MySQL.

TARGETED CVE IDs

• CVE-2019-12498

READ

• WordPress Chat Plugin Bug Lets Hackers Inject Text, Steal Logs
• Alert Logic Researchers Find Another Critical Vulnerability in WordPress WP Live Chat – CVE-2019-12498


TA505 Group, an APT threat actor, found targeting Retailers, Banking and Financial Institutions in Latin America, East Asia and other countries on a global scale

SECURITY ADVISORY

Severity: Critical
Date: June 13, 2019

REMEDIATION

• Ensure IBM AIX is up to date with the latest security patches, and proper access controls are in place.
• Ensure access controls are properly implemented and periodically evaluated for the ATM switch and SWIFT network.
• Ensure any intrusion or suspicious activity on the ATM switch and SWIFT network is closely monitored for.
• Ensure proper access controls are in place for NetBanking and third-party payment services.
• Ensure any intrusion or suspicious activity on NetBanking and third-party payment services is closely monitored for.
• Ensure internet-facing devices, applications and services use strong and complex passwords.
• Ensure Microsoft Windows workstations and servers are up to date with the latest security patches.
• Strictly use least-privilege accounts throughout the enterprise-wide network.
• Immediately apply the security patches for Microsoft vulnerabilities CVE-2019-0960, CVE-2019-1069, CVE-2019-0943, CVE-2019-1040, CVE-2019-1014, CVE-2019-1017 and CVE-2019-1053 on Windows OS.
• Kindly ensure the security patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630 and CVE-2019-0786 are deployed on Windows OS.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Strictly restrict inbound communication on ports 135, 139, 445 and 3389 from external networks (Internet).
• Kindly restrict access on ports 135, 139, 445 and 3389 for servers in production; access should only be granted when needed.
• Ensure the antivirus signature database is up to date and an antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect email exchange servers and email accounts.
• Ensure PowerShell and Remote Desktop features are disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is disabled on connected Windows systems.
• Ensure macros are disabled in Microsoft Office products on connected Windows systems.


IP ADDRESSES


DOMAINS


READ

• Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns


NEWSLETTER

DATA BREACH HIGHLIGHTS

June 2019, Edition 2.0

Flipboard Confirms It Was Hacked Twice: 150M Users At Risk As Passwords Stolen (May 29, 2019)

• Hackers had access to the company's systems between June 2, 2018 and March 23, 2019, and again on April 21-22, 2019. On April 23, internal staff noticed suspicious activity in the infrastructure.
• The hackers exfiltrated more than 145 million users' records, including names, usernames, password hashes, email addresses and, for some users, the digital tokens used to access Flipboard through third-party services.
• Flipboard has not found any evidence that the hackers accessed third-party accounts connected to users' accounts; as a precaution, the company replaced or deleted all digital tokens and forced a password reset for all its users.

Hackers Inject Magecart Card Skimmer in Forbes' Subscription Site (May 15, 2019)

• Magecart hackers installed a malicious JavaScript skimmer on forbesmagazine.com to siphon payment card data entered into the site by subscribers.
• The crooks injected obfuscated JavaScript into the HTML code of the payment section.
• Forbes was likely the victim of a supply chain attack: the Magecart hackers compromised a company that provides services to the media outlet.
• During the weekend, the forensic expert discovered that the customer records of Picreel, a web marketing software supplier, had been leaked online.
• Forbes is one of Picreel's customers, and the Magecart hackers used the leaked data to access Forbes' infrastructure and install the skimmer script.
• Thousands of other companies that are customers of Picreel are at risk.

Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online (May 23, 2019)

• Perceptics, a leader in license plate readers (LPRs), license plate recognition systems and vehicle identification products, was hacked; the attackers stole data and offered business plans, financial documents and personal information for free on the dark web.