Threat Intelligence Brief – March 2017

THIS MONTH’S THREAT:

Improper Patch Management

Engineering a completely secure product is almost impossible: Some bugs will still get through regardless of how robust an internal testing regimen is. That’s the nature of the software business. With time and effort, security researchers, admins, users and hackers find vulnerabilities within software that can compromise the integrity of the application or even the entire system. These vulnerabilities are often taken seriously by the application developer who will then attempt to get a patch out the door to their customers to neutralize the threat posed by the vulnerability.

Unfortunately, many organizations don’t have a fully developed patch management system or are averse to patching their live systems unless they have no choice but to update.

Each time a new vulnerability or exploit makes the news, we are inundated with recommendations on how we can protect ourselves from the threat. A recurring theme is to test and apply appropriate updates in a timely manner.

The Making Of A Major Exploit

Applying a patch directly to a production environment is not advisable; if at all possible, deploy the patch to a test environment first to prevent service interruptions. Some of the most successful exploits available are attributed to software vulnerabilities that are years old and continue to be targeted due to poor patch management. Don’t make attackers’ jobs easier: patch your software!

A patch management process is not something you can set and forget. It’s essential to manage the process and keep it flowing smoothly with periodic assessments of effectiveness. According to Microsoft, a sound patch management process contains the following elements:

  • Detection – Identify missing patches and updates
  • Assessment – Analyze whether the issues a patch addresses could potentially affect your environment
  • Acquisition – Download applicable patches that are deemed necessary
  • Testing – Test the patch for potential issues prior to deploying the patch to your production environment
  • Deployment – Deploy to production environment once the testing process is complete
  • Maintenance – Make adjustments as needed to the process to ensure that patches are being deployed correctly and you have the whole picture on the state of your system’s security

Malicious IPs Targeting WordPress

WordPress attacks compose a significant amount of the monthly blocked activity against our customers, especially the REST API exploit. In addition to website defacement campaigns, we’ve also noticed an uptick in CGI exploit attempts recently. As always, when we identify malicious activity against our customers, we take steps to ensure the attackers are blocked from accessing other customer environments.

IP | Attack Signature | IP Address Geo Location
--- | --- | ---
5.196.111.154 | WordPress REST API | France
37.59.9.55 | CGI Exploit | France
43.252.91.133 | WordPress REST API | India
51.254.132.62 | WordPress REST API | France
82.165.15.246 | WordPress REST API | Germany
89.34.99.143 | WordPress REST API | Great Britain
94.102.60.76 | WordPress REST API | Seychelles
104.243.42.250 | WordPress REST API & SQLI | United States
108.178.71.34 | CGI Exploit | United States
173.254.28.105 | WordPress REST API | United States
176.10.98.131 | CGI Exploit | Switzerland
180.191.134.55 | WordPress REST API | Philippines
185.17.106.190 | WordPress REST API | Italy
185.31.160.54 | WordPress REST API | Russia

SECURITY TRENDS AND INSIGHTS

WORDPRESS REST API VULNERABILITY

Hackers wasted little time in launching a massive website defacement campaign following the revelation that WordPress had a content injection vulnerability. The latest tally was more than 1.5 million websites affected, many of which displayed images attributing the defacement to the hacker who got there first or, in several cases, to the most recent hacker to use the vulnerability against the site. The REST API vulnerability was patched by WordPress on January 26th, and the news of the update went public on February 1st. Multiple hacking campaigns ensued, the most successful of which was performed by the hacker MuhmadEmad with more than 400k websites defaced, followed by SA3D HaCk3D with 280k+ defacements. The campaigns are still ongoing, but as more and more sites update their WordPress, the success rates continue to drop. This extended campaign mirrors many major vulnerability announcements: there is a mad dash to exploit as many vulnerable machines as possible before the administrators have time to patch, while some will remain unpatched for years.


SELF-HEALING MALWARE

Self-healing is great for comic book heroes, but terrifying when malware has it. This particular malware was discovered by Magento developer, Jeroen Boersma, and afflicts Magento-powered online stores. The malware is executed inside the database and written in SQL. Each time it executes, the malware checks to ensure its code can function properly. This way, it has the ability to heal from admin countermeasures. While in place, the malware can intercept the customer’s credit card data and send it back to the attacker. This is a departure from the normal JavaScript code used to steal information during credit card transactions. Unfortunately, the solutions are not as straightforward. In fact, one possible solution advocated is that malware detection should include database analysis.
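One way to make the database analysis mentioned above routine is to fingerprint every piece of code stored in the database and compare it with a known-good baseline, so that a re-inserted or altered object shows up on the next check. This is an added example, not code from the original brief or from the researcher; it uses SQLite as a runnable stand-in, and the table and trigger names are constructed (on a MySQL-backed store the same inventory would come from information_schema.TRIGGERS and information_schema.ROUTINES).

```python
import hashlib
import sqlite3

def stored_code_fingerprints(conn):
    """Map each trigger/view in the database to a SHA-256 of its SQL definition."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE type IN ('trigger', 'view') ORDER BY name"
    ).fetchall()
    return {f"{t}:{n}": hashlib.sha256((s or "").encode()).hexdigest()
            for t, n, s in rows}

def diff_against_baseline(baseline, current):
    """Return stored-code objects that were added, removed or altered."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo():
    # Constructed sample schema: one reviewed, legitimate audit trigger.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL);
        CREATE TABLE order_audit (order_id INTEGER, note TEXT);
        CREATE TRIGGER trg_order_audit AFTER INSERT ON orders
        BEGIN
            INSERT INTO order_audit VALUES (NEW.id, 'created');
        END;
    """)
    baseline = stored_code_fingerprints(conn)  # taken from a known-good state

    # Constructed drift: one trigger silently redefined, one unreviewed trigger added.
    conn.executescript("""
        DROP TRIGGER trg_order_audit;
        CREATE TRIGGER trg_order_audit AFTER INSERT ON orders
        BEGIN
            INSERT INTO order_audit VALUES (NEW.id, 'created-v2');
        END;
        CREATE TRIGGER trg_unreviewed AFTER UPDATE ON orders
        BEGIN
            INSERT INTO order_audit VALUES (NEW.id, 'updated');
        END;
    """)
    return diff_against_baseline(baseline, stored_code_fingerprints(conn))

if __name__ == "__main__":
    print(demo())
```

Running the comparison on a schedule matters here because the malware described restores itself: a single cleanup followed by no further checks would miss its return.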


GHOSTADMIN, DATA THEFT VIA BOTNET

Botnets are generally associated with various forms of denial of service attacks. Now, thanks to the researchers at MalwareHunterTeam, we can add data theft to their repertoire. The newly discovered piece of malware, GhostAdmin, masquerades as a legitimate antivirus tool, downloaded by an unsuspecting user. What they actually install is a new form of malware that quietly ships off their private data to a waiting botnet, which then routes it back to the botnet owner. GhostAdmin attempts to appear as a legitimate antivirus (Symantec, Avast, Avira) while hiding its actions from the user by cleaning up logs and making itself persistent in order to survive a reboot. In addition to data theft, there are more commands available for the malware to carry out on the target machine. These include installation of other software, hijacking other devices and monitoring user activity on the device. Effective user training can reduce the likelihood of a risky download taking place.


YAHOO CEO PUNISHED FOR HANDLING OF BREACH

The fallout of the massive breach of Yahoo users in 2014 amounts to a fine for the Yahoo CEO, Marissa Mayer. She and her leadership team were found to have improperly handled the breach when it was initially discovered. As a result of the investigation’s findings, Mayer lost her stock award and cash bonus. The CEO was not the only one affected. Yahoo’s top lawyer, Ronald Bell, resigned without severance pay for how he and his team handled the response. The company’s handling of the breach and its disclosure is the subject of two federal investigations as well as more than 40 lawsuits. The direct expense of the breach investigation cost Yahoo more than 14 million dollars. However, the total cost of the breach is much higher. With the Verizon takeover looming for Yahoo, valuation of the company has dropped by $350 million. This clearly demonstrates the business impact of a breach. Hopefully, others will see this as a prominent reminder of the impact to a company’s bottom line when security and incident response are not properly addressed.
