Threat Intelligence Brief – May 2017

THIS MONTH’S THREAT:

News Alert: WannaCry Ransomware

By now, you’ve likely seen headlines about the global ransomware attack that has affected 230,000 users in nearly 150 countries and knocked the likes of the UK’s National Health Service (NHS), Spain’s Telefonica and FedEx out of commission. The attack utilized multiple exploits and post-exploitation tools based on alleged NSA data released by the Shadow Brokers.

The good news is, none of the exploited vulnerabilities were zero-days. Patches for these vulnerabilities were provided by the software manufacturers prior to the Shadow Brokers’ release.

Armor is monitoring the attack and has already taken multiple steps to protect against this vulnerability.

Stay up-to-date on the attack with our ransomware response kit.

Tech Talk

Recent Cyber Security Trends

In October, the Threat Resistance Unit at Armor performed an experiment regarding the state of IoT Security. (The full results of this experiment are available on DarkReading.) One of the conclusions from the research was the incredibly short window for initial exploitation attempts: less than 10 minutes.

With more and more threat actors automating mass scanning and exploitation efforts in order to find targets, the sheer volume of traffic directed at internet-facing services can be difficult to sift through. Making actionable decisions is a major challenge. Buried in all the noise we can find interesting patterns about what adversaries want. Armed with this knowledge, we can take simple steps to minimize the likelihood that attacks succeed.

  • Common Trends
    Common trends from the past month have included efforts to exploit known flaws in server applications, blind exploitation attempts against content management systems (and their associated plugins/extensions), and an uptick in the number of attempts to blindly upload web shells via PHP POST methods.
  • We Still Suck at patching
    Now more than ever, ensuring that your underlying software is patched and up-to-date is critical. When a new vulnerability is disclosed, attackers can quickly identify a list of potential targets using readily available information at sites such as Shodan, Censys, and ZoomEye. Ensuring that your software is current is often your only line of defense.
  • Mind your CMS
    Similarly, if you’re utilizing a content management system (CMS), it’s critical your underlying CMS and plugins/extensions are kept up-to-date. Fortunately, many of these applications can be set to automatically update both the core CMS and plugins/extensions as soon as newer versions become available.
  • Blind POST attempts
    The last, and most surprising trend was the increase in blind POST attempts. In many instances, it appears that automated scripts were sending POST requests to upload well-known web shells to websites, regardless of whether or not the PHP page targeted contained logic to handle a POST request.

Whether this was due to a misconfiguration or threat actors misunderstanding a script is unknown. While this activity doesn’t pose a threat, as PHP deletes the temporary file and no execution occurs, it can certainly be annoying. Access controls should be implemented in the .htaccess or site configuration files to prevent blind uploading to unintended PHP pages.
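The blind POST pattern described above is easy to surface in ordinary web server logs. The script below is an added example (not part of the original brief): it parses a constructed sample of Apache combined-format access log lines, flags POST requests aimed at PHP pages that are not on a hypothetical allow-list of pages that actually handle POST, and ranks the source IPs so they can be reviewed for blocking.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2017:03:12:41 +0000] "POST /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2017:03:12:42 +0000] "POST /about.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2017:03:12:43 +0000] "POST /contact.php HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2017:03:15:02 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://example.test/contact.php" "Mozilla/5.0"
203.0.113.9 - - [10/May/2017:03:15:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2017:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.13"
192.0.2.44 - - [10/May/2017:03:20:01 +0000] "POST /readme.php HTTP/1.1" 404 300 "-" "python-requests/2.13"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical allow-list: the only PHP pages on this site that legitimately accept POST.
POST_HANDLERS = {"/contact.php", "/wp-login.php"}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_blind_posts(log_text, post_handlers=POST_HANDLERS):
    """Map each source IP to the PHP paths it POSTed to that have no POST handler."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path.endswith(".php") and path not in post_handlers:
            hits[rec["ip"]].append(path)
    return dict(hits)


def blind_post_sources(log_text, min_hits=2):
    """Source IPs with at least min_hits blind POSTs, most active first (review candidates)."""
    counts = {ip: len(paths) for ip, paths in find_blind_posts(log_text).items()}
    ranked = [(ip, n) for ip, n in counts.items() if n >= min_hits]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))
```

Extend `POST_HANDLERS` from the site's own routing before running this against real logs; a page that legitimately accepts POST but is missing from the list will show up as a false positive.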

Malicious IPs

We’ve seen the following IPs involved in various malicious activity, and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It is prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

IP Address        Attack Signature             Geo Location
63.128.163.28     WordPress REST API attack    United States
46.161.46.8       WordPress REST API attack    Russia
223.157.193.62    Targeting known web shells   China
103.248.223.84    Targeting known web shells   China
198.204.224.58    Targeting known web shells   United States
93.73.211.181     Brute force attacks          Ukraine
222.180.162.81    Targeting known web shells   China
23.238.131.14     Targeting known web shells   United States
185.85.238.244    WordPress REST attack        Turkey
217.182.132.146   SEO botnet node              France
217.182.132.73    SEO botnet node              France

Security Trends and Insights

566% growth in compromised records in 2016

IBM has released its 2017 X-Force Threat Intelligence Index. The report documents explosive growth in compromised records: 2016 saw a 566% increase, bringing the total number of breached records to more than 4 billion. These compromised records included standard PII as well as financial information. The report highlights a shift in cybercriminal strategies to target financial services more than healthcare providers.


Felismus Remote Access Tool represents new malware threat

Security researchers at Forcepoint have identified a new RAT (remote access trojan), Felismus. Researchers identified a reference to Tom & Jerry in the only human-readable encryption key used by the author; the name Felismus is Latin for “cat and mouse.” The authors of the malware have not been identified, but its purpose appears to be cyber espionage. Felismus is self-updating, which helps it evade detection. While dangerous, Felismus is still extremely rare, and most experts believe it is only used in highly targeted campaigns.


New and improved Locky is on the loose

Locky, one of the most widespread forms of ransomware, has made an unwelcome return. It now includes a few key upgrades that make it even more difficult to detect. Cyber security experts have made a concerted effort to counter the threat after a 2016 surge in Locky infections. While this counteroffensive initially slowed the rate of infection, Locky is just too profitable for threat actors to abandon. Now upgraded, Locky is being distributed via the Necurs botnet. Researchers at Cisco Talos observed a surge of more than 35,000 phishing emails distributing the new Locky in the span of just a few hours. Locky now resides in an infected PDF file rather than a tainted Office document. Threat actors using Locky have also increased ransom demands (average decryption price is $1,200). From history we know that many companies are more than willing to pay this ransom to avoid losing critical data.


Cyber extortion campaigns target Netflix

TheDarkOverlord recently made headlines after claiming responsibility for publishing 10 unaired episodes of the Netflix hit “Orange is the New Black” after Netflix refused to pay a ransom. While analysts believe this incident did not cause financial damage to Netflix, the same cannot be said for other organizations that find themselves on the receiving end of an extortion threat. We have seen successful extortion campaigns in the past, most notably with the Ashley Madison hack. Users of the site were exposed and threatened with public disclosure if they refused to pay. These incidents demonstrate that companies and individuals value keeping their secrets out of the public eye and are willing to pay large sums of money to do it. We expect cyber extortion campaigns to continuously evolve. They’ll soon become a favorite tool at the disposal of criminal organizations.
