CVE-2017-9805: A critical vulnerability in Apache Struts

Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source MVC framework for developing web applications in the Java programming language which supports REST, AJAX, and JSON, allowing a remote attacker to run malicious code on the affected servers.

The vulnerability (CVE-2017-9805) is a programming blunder in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to properly validate XML payloads when it deserializes them.

All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable.

At least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.

The vulnerability is incredibly easy for an attacker to exploit: all an attacker needs to do is submit malicious XML in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, and from there to move to other systems on the same network.

This flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution.

Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.


HoeflerText Popups Targeting Google Chrome Users

Researchers spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware.

Security researchers with both the SANS Internet Storm Center and Palo Alto Networks’ Unit 42 have spotted a malware campaign leveraging bogus popups that alert users to a missing web font.

The attackers are targeting Google Chrome and Firefox users. The researchers found that the popups deliver a malicious JavaScript file which in turn installs either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

Many similarities with the EITest malware campaign have been discovered.

“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by Palo Alto Networks. “However, by late August 2017, this campaign began pushing a different type of malware. Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”

Victims are lured to a compromised website that generates a bogus popup message informing the user that the webpage they are trying to view cannot display correctly because their browser lacks the “HoeflerText” font, and suggesting they fix the issue by downloading a Chrome Font Pack.


However, when the same links were tried in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.

These notifications also had an ‘update’ button. When it was clicked, a JavaScript file named Win.JSFontlib09.js was received. That JavaScript file is designed to download and install Locky ransomware.

In another case, the same Chrome HoeflerText font update delivered a file named “Font_Chrome.exe”, which downloads and installs the NetSupport Manager RAT.

The expert tried different browsers and observed mixed behaviors: Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages, while Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.

Victims using Internet Explorer or Microsoft Edge on the bogus webpages did not see the HoeflerText popup; instead, they received a fake anti-virus alert with a phone number for a tech support scam.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” the post concluded.

Gazer: A backdoor targeting Ministries and Embassies

ESET security researchers have discovered a new malware campaign targeting consulates, ministries and embassies, which is believed to be carried out by the Turla advanced persistent threat (APT) hacking group.

Active since 2016, the campaign leverages a new backdoor, dubbed Gazer and written in C++. The backdoor is delivered via spear-phishing emails and hijacks the targeted computers.

The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:

  • Targeted organizations are embassies and ministries;
  • Spearphishing delivers a first-stage backdoor such as Skipper;
  • A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
  • The second-stage backdoor receives encrypted instructions from the gang via C&C servers and evades detection by using compromised, legitimate websites as a proxy.

Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server—a common tactic employed by the Turla APT group.

Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.

The Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far ESET researchers have identified four different variants of the Gazer malware in the wild.

Earlier versions of Gazer were signed with a valid certificate issued by Comodo for “Solid Loop Ltd,” while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd.”

[Figure: Certificates used to sign the malware variants]

According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.

Full technical analysis of the malware can be found here.

LabVIEW vulnerability allows malicious code execution

Security researchers from Cisco’s Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.

LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation.

Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.

Talos researchers explain “An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW. A specially crafted VI file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.”

Talos researchers successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments refused to consider the issue a vulnerability in their product and had no plans to release a patch to address the flaw.

However, the issue should not be ignored, because the threat vector is very similar to many previously disclosed Microsoft Office vulnerabilities, in which victims were compromised after opening a malicious MS Word file received via email or downloaded from the Internet.

Since there is no patch available, LabVIEW users are left with only one option—be very careful when opening any VI file received via email.

Full technical analysis is available here.

WireX Android DDoS Botnet

A team of security researchers from several security firms have uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones.

Dubbed WireX, detected as “Android Clicker,” the botnet network primarily includes infected Android devices running one of the hundreds of malicious apps installed from Google Play Store and is designed to conduct massive application layer DDoS attacks.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. Evidence indicates that the botnet may have been active as early as August 2nd, but it was the attacks on August 17th that drew the attention of these organizations, when multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks.

The first available indicators of the WireX botnet appeared on August 2nd as minor attacks that went unnoticed at the time. It wasn’t discovered until researchers began searching for the 26 character User-Agent string in logs.

WireX is a volumetric DDoS attack at the application layer. The traffic generated by the attack nodes is primarily HTTP GET requests, though some variants appear to be capable of issuing POST requests. In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers.

[Figure: Estimated growth of the botnet based on the count of unique IPs per hour observed participating in attacks.]

During initial observation, the majority of the traffic from this botnet was distinguished by the use of an HTTP Request’s User-Agent string containing the lowercase English alphabet characters, in random order.

Some of the User-Agent values seen:

User-Agent: jigpuzbcomkenhvladtwysqfxr  
User-Agent: yudjmikcvzoqwsbflghtxpanre  
User-Agent: mckvhaflwzbderiysoguxnqtpj  
User-Agent: deogjvtynmcxzwfsbahirukqpl  
User-Agent: fdmjczoeyarnuqkbgtlivsxhwp  
User-Agent: yczfxlrenuqtwmavhojpigkdsb  
User-Agent: dnlseufokcgvmajqzpbtrwyxih  

Variants of the malware have also been observed emitting User-Agent strings of varying length and expanded character sets, sometimes including common browser User-Agents. Here are some samples of other User-Agents observed:

User-Agent: xlw2ibhqg0i  
User-Agent: bg5pdrxhka2sjr1g  
User-Agent: 5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q  
User-Agent: fge26sd5e1vnyp3bdmc6ie0  
User-Agent: m8al87qi9z5cqlwc8mb7ug85g47u  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729)  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20071018 BonEcho/2.0.0.7  
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_7; en-us) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2  
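The two User-Agent patterns described above (a shuffled copy of the 26 lowercase letters, and later a single lowercase alphanumeric token of varying length) are easy to hunt for in web server logs. The following is an added example, not code from the original article or from any of the research teams named: it classifies User-Agent strings using the page's own samples and then aggregates matching requests into the "unique source IPs per hour" view that the figure caption describes. The log lines and IP addresses are constructed for the example, and the 8-to-64-character range for the variant signature is my own assumption, not a figure from the page.

```python
import re
import string
from collections import defaultdict
from datetime import datetime

ALPHABET = set(string.ascii_lowercase)


def is_alphabet_permutation(ua: str) -> bool:
    """Original WireX signature: exactly the 26 lowercase letters, each once, in random order."""
    return len(ua) == 26 and set(ua) == ALPHABET


# Later variants: one run of lowercase letters and digits with no spaces or punctuation.
# The 8..64 length window is an assumption chosen to cover the page's samples.
VARIANT_RE = re.compile(r"^[a-z0-9]{8,64}$")


def classify_user_agent(ua: str) -> str:
    """Return 'wirex-alphabet', 'wirex-variant' or 'other' for one User-Agent value."""
    ua = ua.strip()
    if is_alphabet_permutation(ua):
        return "wirex-alphabet"
    if VARIANT_RE.fullmatch(ua):
        return "wirex-variant"
    return "other"


# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def wirex_unique_ips_per_hour(log_lines) -> dict:
    """Map 'YYYY-MM-DD HH:00' -> number of distinct source IPs whose UA matches a WireX pattern."""
    buckets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or classify_user_agent(m.group("ua")) == "other":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        buckets[ts.strftime("%Y-%m-%d %H:00")].add(m.group("ip"))
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


# Constructed sample log lines (documentation-range IPs); the UA values are the page's samples
# plus one ordinary browser UA that must not be counted.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Aug/2017:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomkenhvladtwysqfxr"',
    '203.0.113.11 - - [17/Aug/2017:14:05:42 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "yudjmikcvzoqwsbflghtxpanre"',
    '203.0.113.10 - - [17/Aug/2017:14:09:03 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomkenhvladtwysqfxr"',
    '198.51.100.7 - - [17/Aug/2017:14:11:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/55.0"',
    '203.0.113.12 - - [17/Aug/2017:15:00:30 +0000] "GET / HTTP/1.1" 200 512 "-" "xlw2ibhqg0i"',
    '203.0.113.13 - - [17/Aug/2017:15:30:00 +0000] "POST /search HTTP/1.1" 200 512 "-" "5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ua = LOG_RE.match(line).group("ua")
        print(f"{classify_user_agent(ua):15s} {ua}")
    print(wirex_unique_ips_per_hour(SAMPLE_LOG))
```

The hour-bucket counts are what you would chart to reproduce the growth curve in the figure; on a real log, run the same classifier first and review the "wirex-variant" bucket by hand, since a short alphanumeric token is also what some legitimate API clients send.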

After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store containing the WireX code, many of which purported to be media or video players, ringtones, or tools such as storage managers and app stores.

Just like many malicious apps, WireX apps do not act maliciously immediately after installation, in order to evade detection and make their way into the Google Play Store.

Investigation of the logs from attacks on August 17th revealed previous attacks meeting the same signature implicated the first Android application, “twdlphqg_v1.3.5_apkpure.com.apk”.

Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected. At the launch of the applications, the nefarious components begin their work by starting the command and control polling service which queries the command and control server, most commonly g[.]axclick[.]store, for attack commands. When attack commands are received, the parsing service inspects the raw attack command, parses it and invokes the attacking service with the extracted parameters.

The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use. Antivirus scanners currently recognize this malware as the “Android Clicker” trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS.

PREVENTION & MITIGATION

If your device is running a newer version of the Android operating system that includes Google’s Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.

Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users Android smartphones to prevent further harm.

Also, it is highly recommended to install apps only from reputable and verified developers, even when downloading from Google’s official Play Store, and to avoid installing unnecessary apps.

Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Education & Healthcare industries targeted by Defray Ransomware

A new ransomware strain used in attacks targeting Education and Healthcare organisations has been discovered by Proofpoint researchers.

The ransomware used in the campaign was dubbed Defray, based on the command and control (C&C) server hostname used for the first observed attack:

defrayable-listings[.]000webhostapp[.]com

The ransomware is being spread via Microsoft Word document attachments in email.

The researchers observed two targeted attacks, on Aug. 15 and on Aug. 22, and both appeared to be designed for specific organizations.

The attack on August 15 targeted the Manufacturing and Technology verticals; attackers used messages with the subject “Order/Quote” and a Microsoft Word document containing an embedded executable (also an OLE packager shell object).

[Figure: The Word document, patient_report.doc, delivered in malicious email messages]

The attack on August 22, aimed primarily at Healthcare and Education, involved messages with a Microsoft Word document containing an embedded executable (specifically, an OLE packager shell object). The attachment features a UK hospital logo in the upper right and purports to be from the Director of Information Management & Technology at the hospital.

[Figure: Word document attachment, presentation.doc, delivered in malicious email messages]

If the potential victim double clicks on the embedded executable, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the %TMP% folder and executed.

The ransomware contains a hardcoded list of file extensions, shown below, for files that it will encrypt (although we observed others such as .lnk and .exe encrypted that were not on this list). The file extensions of modified files were not changed. We observed that the modified files all end in bytes “30 82 04 A4 02 01 00 02 82 01 01 00 9F CF 52 84” for our sample.
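Because Defray leaves file extensions unchanged, extension-based triage will not find encrypted files; the consistent 16-byte trailer Proofpoint reports is a better handle. The following is an added example, not code from the original article or from Proofpoint: it scans a directory tree and flags files whose last 16 bytes equal the trailer quoted above, reading only the tail of each file so that large volumes are cheap to sweep. The sample files it creates are constructed for the demonstration; the only page-derived value is the trailer itself.

```python
import os
import tempfile
from pathlib import Path

# The 16 trailing bytes Proofpoint observed on every file modified by their Defray sample (from the page).
# The first bytes (0x30 0x82 ...) are the shape of a DER SEQUENCE header, which is why the marker
# is distinctive enough to search for; no further meaning is assumed here.
DEFRAY_TRAILER = bytes.fromhex("30 82 04 A4 02 01 00 02 82 01 01 00 9F CF 52 84")


def has_defray_trailer(path: Path, marker: bytes = DEFRAY_TRAILER) -> bool:
    """True if the file ends with the marker; seeks to the tail so large files are not fully read."""
    size = path.stat().st_size
    if size < len(marker):
        return False
    with path.open("rb") as fh:
        fh.seek(size - len(marker))
        return fh.read(len(marker)) == marker


def scan_tree(root: Path) -> list[Path]:
    """Walk root and return every regular file carrying the trailer, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                if has_defray_trailer(candidate):
                    hits.append(candidate)
            except OSError:
                # unreadable or vanished file: skip rather than abort the sweep
                continue
    return sorted(hits)


def build_constructed_sample(root: Path) -> None:
    """Create a constructed mini file share: two 'encrypted' files, one clean file, one tiny file."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04 constructed office body " + DEFRAY_TRAILER)
    (root / "docs" / "notes.txt").write_bytes(b"plain notes, untouched\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg body " + DEFRAY_TRAILER)
    (root / "tiny").write_bytes(b"\x30\x82")  # shorter than the marker; must be handled without error


def demo() -> list[str]:
    """Build the constructed sample in a temp dir, scan it, and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return [p.relative_to(root).as_posix() for p in scan_tree(root)]


if __name__ == "__main__":
    for hit in demo():
        print("trailer match:", hit)
```

On a real host, point scan_tree at the share or user profile in question; a trailer hit on files that still carry their original extension is strong evidence of this family even before the ransom note is found.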

Defray has been observed communicating with an external C&C server via both HTTP (clear-text, shown in Figure 4) and HTTPS, to which it will report infection information.

After encryption is complete, Defray may cause other general havoc on the system by disabling startup recovery and deleting volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers.

“Defray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns. It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely” concluded Proofpoint.


ROPEMAKER Email exploit

A new email exploit has been discovered by security researchers at Mimecast with which a malicious actor can change the displayed content of an email at will. For example, a malicious actor could swap a benign URL for a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want.

Dubbed Ropemaker (short for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), it abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML).

This ability to control displayed content remotely could enable bad actors to direct unwitting users to malicious websites or cause other harmful consequences, using a technique that could bypass common security controls and fool even the most security-savvy users.

Since CSS is stored remotely, researchers say an attacker can change the content of an email through remotely initiated changes made to the desired ‘style’ of the email that is then retrieved remotely and presented to the user, without the recipient knowing about it.

[Figure: Switching a good URL]
[Figure: Switched to a bad URL]

Using this exploit attackers could replace a URL that originally directed the user to a legitimate website with a malicious one that sends the user to a compromised site designed to infect users with malware or steal sensitive information, such as their credentials and banking details.

While some systems are designed to detect the URL switch preventing users from opening up the malicious link, other users could be left at a security risk.

Another attack scenario, called the “Matrix Exploit” by Mimecast, is more sophisticated than the “Switch Exploit”, and therefore much harder to detect and defend against.

In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email.

This attack is harder to defend against because the initial email received by the user does not display any URL, so most software systems will not flag the message as malicious.

“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” the report reads. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”

To protect themselves from such attacks, users are recommended to rely on web-based email clients like Gmail, iCloud and Outlook, which aren’t affected by Ropemaker-style CSS exploits, according to Mimecast.

However, email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.
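Both the Switch and Matrix scenarios depend on one precondition: the email body loads style information from a server the sender still controls after delivery. A gateway or mail client that refuses remote CSS removes that lever without having to interpret the stylesheet. The following is an added example, not code from the original article or from Mimecast: it parses an HTML email and reports every remote stylesheet reference (a `<link rel="stylesheet">` to an http(s) or protocol-relative URL, an `@import` inside `<style>`, or a `url()` in an inline style attribute). The sample email, including the "matrix" of two identically-labelled links that remote CSS could toggle, is constructed for the demonstration, and the hostnames in it are placeholders.

```python
import re
from html.parser import HTMLParser

REMOTE_URL_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)
# @import url("..."), @import url(...), @import "..." — capture the target
IMPORT_RE = re.compile(r"@import\s+(?:url\()?\s*[\"']?([^\"')\s;]+)", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*[\"']?([^\"')\s]+)", re.IGNORECASE)


class RemoteCssFinder(HTMLParser):
    """Collects every place an HTML email pulls style information from a remote server."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url) tuples in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower()
            href = a.get("href") or ""
            if "stylesheet" in rel and REMOTE_URL_RE.match(href):
                self.findings.append(("link", href))
        elif tag == "style":
            self._in_style = True
        # inline style="..." attributes can also reach out, e.g. background: url(...)
        for url in CSS_URL_RE.findall(a.get("style") or ""):
            if REMOTE_URL_RE.match(url):
                self.findings.append(("inline-style-url", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # html.parser hands <style> contents to handle_data as raw text
        if self._in_style:
            for url in IMPORT_RE.findall(data):
                if REMOTE_URL_RE.match(url):
                    self.findings.append(("style-import", url))


def find_remote_css(html: str) -> list:
    """Return [(kind, url), ...] for each remote style reference found in the email body."""
    finder = RemoteCssFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def is_post_delivery_mutable(html: str) -> bool:
    """True if what this email displays can still be changed by the sender after delivery."""
    return bool(find_remote_css(html))


# Constructed sample: a "matrix" of two same-text links, with remote CSS deciding which is visible.
CONSTRUCTED_EMAIL = """\
<html><head>
<link rel="stylesheet" href="https://sender-controlled.example/style.css">
<style>
  @import url("https://sender-controlled.example/matrix.css");
  .local { color: #000; }
</style>
</head><body>
<p>Please review your account at
  <a href="https://bank.example/login" class="m1">the official portal</a>
  <a href="https://other.example/login" class="m2">the official portal</a>
</p>
<div style="background: url(https://sender-controlled.example/track.gif)">footer</div>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in find_remote_css(CONSTRUCTED_EMAIL):
        print(f"{kind:18s} {url}")
    print("mutable after delivery:", is_post_delivery_mutable(CONSTRUCTED_EMAIL))
```

A message with any finding is one a gateway cannot fully vet at delivery time, as the quoted report explains; practical policies are to strip the remote references before delivery, or to render such messages with remote content blocked, which is the behaviour the web-based clients mentioned above effectively provide.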