Hey Guys It’s your host Lauro with Exploit Brokers, back with episode 08.
IT Multinational Corporation Cognizant hit with Ransomware, COVID-19 Scams in April, Pulse VPN Patch is not patchy enough, and over 700 developer libraries contains malicious code We have some interesting stuff to cover, so let’s login.
Maze ransomware hits Cognizant
The Multinational Corporation Cognizant known for providing IT services has been hit by malware. In an article by BleepingComputer titled, “IT services giant Cognizant suffers Maze Ransomware cyber attack“, Cognizant has informed the public of a Maze ransomware attack.
The article by bleeping computer indicates a few Indicators of Compromise including some IP Addresses of servers and file hashes for kepstl32.dll, meme.tmp, and maze.dll files. These are IP and files known to be used in Maze ransomware attacks.
The article also indicated a Yara rule that was released by an InfoSec researcher Vitali Kremez. For my readers who may not be familiar with YARA. YARA is a cyber security tool to help researcher identify and classify malware and a YARA Rule is a way to define what to flag as an identified malware.
Although it appears BleepingComputer reached out to Maze Operators to discuss the attacks nothing promising has come of it yet.
There is something that distinguishes Maze ransomware from other ransomware. Maze likes to steal files before the ransom process begins. This is done to be able to release some files to increase urgency to pay the ransom. It also appears as though this practice is becoming more prevalent among ransomware operators.
To clarify for some of my listeners ransomware is a type of malware. Ransomware encrypts a victim’s computer and puts up a ransom to be able to recovery the precious data. It can not be stressed enough the importance of creating backups locally and offsite.
As more is released, I will report on it in a future episode.
Furthemore, I want to point a few ways you can strength yourself or your network assets from ransomware attacks.
- Firstly, use strong passwords, don’t reuse passwords, and always make sure default passwords are changed.
- Secondly, Make backups as often as makes sense and make sure you have offsite backups. You don’t want your backup machine to be encrypted because you’re still out of luck if your backups get encrypted too.
- Thirdly, Use anti-ransomware protection as often as possible.
- Fourthly, Cautiously patch and keep up to date as many of your systems as possible. Sometimes patches cause a lot of trouble but in general patching can help prevent previously effective malware from taking over an asset.
- Lastly, lock down Remote Desktop Protocol or RDP to prevent abuse. Minimize who can and how to access RDP on windows machines. Try using 2 factor or rdp within a VPN to help improve security.
COVID-19 April Scams
So the US is receiving stimulus checks and Scammers are trying to take those checks. It’s a game of Cat and Mouse but with a new target, stimulus money.
In an article by Tripwire titled, “COVID-19 Scam Roundup – April 20, 2020″, tripwire discusses the latest COVID-19 scams found in April 2020.
In a report by the FTC there was 22,853 COVID-19 complaints reported between Janurary 1st 2020 and April 20th 2020. During that period was was a total fraud loss of 17.53 million and a median fraud loss of $533. Let’s break down the types of scams that were being used.
Firstly, there is a phishing email, found by inky.com, that opens up a digital twin of the White Houses’s official COVID-19 informational website. Once you open up that fake twin there is a download button that proceeds to download a malicious Microsoft word documents. If you’ve listened to previous episodes then you are already familiar with malicious word documents. When the victim opens the word document and enables or has enabled macros, then the malicious document proceeds to download malware and infect the computer.
Next up is another malicious email found by Bitdefender. The malicious email pretends to be from a health related sender and is themed around being sent to a business related email. It uses wording similar to hey your staff is infected click a malicious file. Although the scam email uses similar techniques to the previously noted attack, the file in question is disguised as an image file. The image file is actually a malicious file that mounts as a DVD and has a malicious executable to find the victim’s machine.
In addition to the previous email scams the next one is primarily aimed at older individuals. The scam refers to a U.S. Emergency Grants Foundation but instead of an email relies on Facebook posts to spread the malicious payload. Once a victim clicked the link it would redirect to a website labeled as the “U.S. Emergency Grants Federation” and touted that it could help individuals apply for funds to help their situation amidst the current pandemic that is spreading. In reality a victim who gives the fraudulent website their social just opened themselves up to identity fraud and other attacks at a later point.
Next up is a scam that is interesting if you travel frequently. A fake email was being sent to unsuspecting victims masquerading as a canceled flight refund. The email had a link that would redirect to a website where users could submit personal information. Among the personal information collected included mobile phone number, email address, and payment information. Once a user submitted the form the malicious actor would harvest the data to fraudulently charge the card or attempt to steal a victim’s identity.
Lastly, if any of my listeners use Internet Explorer then be careful with a new Malicious Advertising Campaign also known as Malvertising. Malicious actors registered the domain “covid19onlineinfo[dot]com and multiple other domains to host an exploit kit on. The use of multiple domains is used as a tactic to attempt to evade Anti-Virus detection. The exploit kit attempted to use a vulnerability found in older IE browsers. The exploit kit attempted to install Kpot v2.0, a virus intended to steal credentials such as personal information and passwords.
That wraps up the COVID-19 wrap up. Again as I’ve noted in previous episodes to my listeners. Please help spread the world about these scams and any information you find important to non-technical and non-security oriented users. There are many people who fall victims to these scams and it’s up to the security oriented and security interested community to help those who are not as security or technically inclined.
Pulse VPN Patches May Not Be Enough
So Virtual Private Networks or VPNs are generally not a new concept to many people. Whether using or managing a VPN, it’s become a vital part of many corporate environments. This widespread adoption and underlying value of a VPN makes it a high value target for hackers to try to compromise.
An article by SecurityWeek.com titled, “Patching Pulse Secure VPN Not Enough to Keep Attackers Out, CISA Warns” covers details and critical information about a Pulse Secure VPN related issue.
In 2019 10 major vulnerabilities were disclosed to Pulse Secure. One of the vulnerabilities being a CVSS or Common Vulnerability Scoring System score of 10/10. The reason it scored so high is that it allowed a remote and unauthenticated user to execute arbitrary code. In general Remote Code Execution ranks a CVSS high. For my users who may be wondering why, allowing a random person to run a malicious program on a company server can cost the company lots of money and can wreak havoc on the network.
To further make this a problem, in August of 2019 the NSA found that 14,500 servers were vulnerable and sent out alerts. Furthermore as recent of January 2020, it was found that cyber-criminals were still trying to exploit the vulnerability and were trying to distribute ransomware.
The Cybersecurity and Infrastructure Agency, also known as CISA, noticed that although servers were patched compromised credentials were being used months later. If the administrator applied a patch but did not change the credentials then the attacker may still be able to get in, even though the underlying vulnerability was patched.
The attackers use Tor and Virtual Private Servers or VPSs to avoid being detected and many would create a persistent connection. The persistent connection involved scheduled tasks, Remote Access Trojans also known as RATs, and using legit software like TeamViewer to keep a line to the compromised victims. Many hackers opted to execute ransomware or steal data to sell.
There is good news. CISA was able to create a tool to determine if a network was compromised before they could have been patched. CISA recommends administrators use the tool to validate and find any possible Indicator of Compromise to finish clearing their systems of malicious actors and malware.
Ruby Developers Beware
So if any of my listeners develop on Ruby I have an interesting warning for you. In an article by threatpost.com titled, “Bitcoin Stealers Hide in 700+ Ruby Developer Libraries“, new malicious libraries are brought to light.
Hackers are using typos to spread malicious libraries. Close to 760 malicious libraries were found. These libraries were found to sniff around trying to snatch some Bitcoin. Researchers at ReversingLabs found that simple mistakes or slightly off wording could leads unsuspecting users to download and use the library. Simple things like replacing a letter i with a 1 could lead to an erroneous download and use of the malicious library.
It didn’t seem to be targeted and was more geared as a spray tactic. The malicious library developers used ruby’s extensions system to execute malicious code on a victim’s computer. Ruby’s extension system essentially wraps C code and libraries in a ruby wrapper for execution within ruby. In one of the researcher’s finding there was a malicious extension file that would rename an image file that was included in the library to a dot exe and would execute it on windows. The malicious program would extract a Vb-script that would create a new Vb-script and create an auto-run registry key. The primary focus of the malware was to replace a cryptocurrency address in a user’s clipboard data with the attackers address. This would eventually lead to someone transferring currency to the attacker’s wallet instead of the intended address.
Although the researcher’s reached out to the RubyGems security team, the attacks seem to keep cropping up on more malicious ruby libraries. The signature file path and cryptocurrency motive point to the thought that all the attacks are coming from a consolidated source. Only time will tell as more data is revealed. The researches also noticed they found compromised libraries in NPM and PyPI in the past.
To all my developer listeners, remember to vet and carefully use external libraries. Although adding functionality using an import statement is useful it is a double edged sword that can easily cut you.
There are more libraries being attack and the researchers are still working to report malicious libraries.
To wrap up, we’ve discussed several interesting hacking events occurring. Keep security on the back of your mind as we traverse this unique time in our history. Lastly, It’s always going to be a back and forth fight between security White hats and malicious actors.
This has been Lauro your host, i’m signing off until next time!