9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

Locky: New distribution techniques

Locky ransomware is now also being spread via Flash and Windows kernel exploits, packed malicious DLLs and even image files shared on Facebook and Twitter [1][2][3][4].

Note: “Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported” [5], though this is technically possible.

Recommendations

In addition to the recommendations at csirt.sanren.ac.za/posts/160302-rm-locky.html:

  • Educate users on the new risks – “Stop! Think! Connect…”
    • Don’t install or execute unknown browser add-ons or extensions, especially when prompted by an unexpected website (e.g. after clicking on an image in a chat message)
  • Revisit and verify the backup process, systems, etc.
  • Ensure that the anti-malware, web-filtering and email-filtering products in use are fully patched and their definitions up to date

Further reading

References

[1] Trend Micro: Locky Ransomware Spreads via Flash and Windows Kernel Exploits

[2] The Hacker News: Spammers using Facebook Messenger to Spread Locky Ransomware

[3] Blaze’s Security Blog: Nemucod downloader spreading via Facebook

[4] McAfee Labs: Locky Ransomware Hides Inside Packed .DLL

[5] Kaspersky Lab: Nemucod Infections Spreading Over Facebook

TR-06FAIL: Rise in Misfortune Cookie Exploitation Activity

A surge in exploitation activity has been detected [1][2] targeting the TR-069 [3] remote-management service of home DSL routers, using the vulnerability dubbed Misfortune Cookie [4]. The attack is aimed at the routers commonly issued to customers by ISPs.

If possible, please block the following URLs (and the hosts behind them) on your firewalls and web proxies:

  • http://5.8.65.5/1
  • http://5.8.65.5/2
  • http://l.ocalhost.host/1
  • http://l.ocalhost.host/2
  • http://l.ocalhost.host/3
  • http://l.ocalhost.host/x.sh
  • http://p.ocalhost.host/x.sh
  • http://timeserver.host/1
  • http://ntp.timerserver.host/1
  • http://tr069.pw/1
  • http://tr069.pw/2

Recommendation

If you suspect that you have a vulnerable router, reboot it and check whether port 7547 is still listening after the reboot (an infected router will no longer listen on it). If you can, block port 7547, at least from the Internet side, and update the firmware if an update is available. A reboot only “cleans” the router until it is infected again, but since the host names used by the malware no longer resolve, new infections should stop until the host names are changed again [2].
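As an added example (not part of the original advisory), the following Python script performs two of the checks above offline: it derives the set of hosts to block from the URL list and scans proxy log lines for requests to them, and it tests whether a router still answers on TCP port 7547. The log lines are constructed, and the gateway address in the main block is an assumption to be replaced with your own router's address.

```python
"""Two quick checks for the TR-069 / port 7547 activity described above.

Added example, not part of the original advisory. The log lines below are
constructed; the blocklist is the URL list from the advisory.
"""
import socket
from urllib.parse import urlsplit

# The URLs published in the advisory. We block the hosts behind them,
# since the malware can change a path far more easily than a host name.
IOC_URLS = [
    "http://5.8.65.5/1",
    "http://5.8.65.5/2",
    "http://l.ocalhost.host/1",
    "http://l.ocalhost.host/2",
    "http://l.ocalhost.host/3",
    "http://l.ocalhost.host/x.sh",
    "http://p.ocalhost.host/x.sh",
    "http://timeserver.host/1",
    "http://ntp.timerserver.host/1",
    "http://tr069.pw/1",
    "http://tr069.pw/2",
]


def blocked_hosts(urls=IOC_URLS):
    """Return the set of host names / IPs to block, derived from the IOC URLs."""
    return {urlsplit(u).hostname for u in urls}


def find_ioc_hits(log_lines, hosts=None):
    """Scan proxy/firewall log lines for requests to blocked hosts.

    Each line is expected to carry an absolute URL somewhere (as a Squid or
    web-proxy access log does). Returns a list of (line_number, host) for
    every line that references a blocked host.
    """
    hosts = hosts or blocked_hosts()
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in line.split():
            if "://" not in token:
                continue
            host = urlsplit(token).hostname
            if host in hosts:
                hits.append((lineno, host))
                break
    return hits


def port_open(host, port=7547, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout.

    Used to check whether a router's TR-069 service on port 7547 is still
    listening after a reboot; a refusal or a timeout both give False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_dummy_listener():
    """Bind a throw-away local listener on a free port. It stands in for a
    router's port 7547 so the connectivity check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2016-11-28T10:01:02 192.0.2.10 TCP_MISS/200 GET http://example.org/index.html",
    "2016-11-28T10:01:05 192.0.2.11 TCP_MISS/200 GET http://l.ocalhost.host/x.sh",
    "2016-11-28T10:02:07 192.0.2.12 TCP_MISS/200 GET http://5.8.65.5/1",
    "2016-11-28T10:02:09 192.0.2.12 TCP_MISS/200 GET http://tr069.pw/2",
]

if __name__ == "__main__":
    for lineno, host in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: request to blocked host {host}")
    router = "192.168.1.1"  # assumed gateway address; change to suit
    state = "listening" if port_open(router) else "not listening"
    print(f"{router}:7547 is {state}")
```

Blocking by host rather than full URL matters here because the download paths (/1, /2, /x.sh) are trivially changed by the attacker, while the host names are what the advisory says were sinkholed or stopped resolving.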

Further Reading

References

[1] SANS ISC: Port 7547 Activity

[2] SANS ISC: Port 7547 SOAP Remote Code Execution Attack Against DSL Modems

[3] Broadband Forum: TR-069 – CPE WAN Management Protocol

[4] CVE-2014-9222

DDoS Mitigation Techniques

DDoS Attack Categories

DDoS attacks can be classified into five categories [6]:

  1. Network Device Level Attacks
  2. Operating System Level Attacks
  3. Volume Based Attacks
  4. Protocol Attacks
  5. Application Layer Attacks

Of these, the three categories most often referred to in online media are:

  1. Volume Based Attacks attempt to disrupt a service by flooding the target host or its link with a large volume of traffic or requests.
  2. Protocol Attacks exploit a feature of a communication protocol (e.g. a SYN flood, which exhausts the server’s table of half-open connections) or a bug in an implementation of a protocol, thereby rendering the service unavailable.
  3. Application Layer Attacks render a service unusable by exploiting features of an application that cause it to lock up or exhaust its resources, as in an XML Denial-of-Service attack.

DDoS Mitigation Strategies

To minimise the effect of Volume Based DDoS attacks, one of the following methods can be used. The choice of DDoS mitigation method is ultimately determined by the level of risk versus desired control.

  • Geographically distributed cloud hosting services (e.g. Akamai [1], Cloudflare [2], Level3 [3]) can keep a web presence accessible even if a specific site or location is targeted. Advantage: cloud redundancy and advanced DDoS protection (make sure this is included in your package); Disadvantage: increased latency for local visitors, as traffic usually goes overseas (plus potential privacy concerns). Tip: some providers have nodes in South Africa.
  • Network security devices that specialise in DDoS prevention, specifically devices that can blacklist known botnet and malicious IP ranges, can stop DDoS traffic entering or leaving a network (e.g. Arbor [4], Ixia [5]). Modern firewalls can usually do this in a limited form. Advantage: local control; Disadvantage: depending on where it is deployed, this only stops the malicious traffic at the “gate”, so your Internet/SANReN link can still be congested (an effective DoS).
  • Failover site hosting through multiple independent ISPs as an alternative to distributed cloud hosting, e.g. a DR site at another institution and/or data centre.

Further Reading

For self hosted sites: www.slideshare.net/intruguard/10-ddos-mitigation-techniques-presentation.

References

[1] Akamai: DDoS Mitigation

[2] Cloudflare: DDoS

[3] Level3: DDoS Mitigation

[4] Arbor Networks: DDoS Protection Products

[5] Ixia: ThreatARMOR

[6] Douligeris, C. and Mitrokotsa, A., 2004. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 44(5), pp. 643–666.

Armada Collective Threats

One of our institutions received the threatening email below. Our research attributed no actual attacks (only threats) to this group. The SANReN CSIRT assisted by providing a quick vulnerability assessment and advised patching one public-facing system that had a significant vulnerability. No further actions or incidents were reported.

Subject: “EXS” Armada-Collective Invoice “EXS”

We are a HACKER TEAM – Armada Collective

1 – We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete.
2 – We’ll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!
3 – We’ll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power
4 – We’ll run a security breach test of your servers through the determined vulnerability, and we’ll gain the access to your databases.
5 – All the computers on your network will be attacked  for Cerber – Crypto-Ransomware
6 – You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS:  ####removed####
7 – If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins
8 – You have time to decide! Transfer 1 bitcoin to ADDRESS: ####removed####

These kinds of emails are reportedly attempts to extort money from targeted institutions by coercion. Authoritative news articles indicate that these threats from “Armada Collective” are not carried out, irrespective of whether the money is paid or not [1][2]. They can take various forms but follow a similar pattern [3]. (Note, though, that there was previously a group called “DD4BC” which did carry out its threats, albeit on a smaller scale. The Armada Collective may be a copycat group banking on DD4BC’s reputation.)

Recommendations

  1. Do not pay.
  2. Follow the advice on mitigating DDoS attacks as a precaution.
  3. Please forward the email to our team for further analysis and advice.
  4. Contact us for a vulnerability assessment.

References

[1] Cloudflare: Empty DDoS Threats: Meet the Armada Collective

[2] Recorded Future: DD4BC, Armada Collective, and the Rise of Cyber Extortion

[3] GovCERT.ch: Armada Collective blackmails Swiss Hosting Providers

Locky Ransomware

Locky is a new file-encrypting ransomware family that uses macro scripts in malicious attachments (initially Word documents) to deliver its payload [1][2]. The payload encrypts almost all local files as well as files on network shares, including unmapped shares. Instructions for purchasing the decryption key with bitcoins are then presented (originally 0.5 to 1 bitcoin [~R3000 to R6500 at 03/16]) [3]. Paying the “ransom” seems to result in successful recovery of files, though reportedly this isn’t always the case.

See references and further reading for more information including samples.

Means of infection

Macros in malicious email attachments, particularly Word files [4]. The emails are sent in the guise of invoices, but other variants have been seen. Various sender addresses are used, including spoofed ones.

Detection

“If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.” [2]
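Added example, not from the original advisory or the quoted post: a Python scan that walks a share, finds directories containing .locky files or the _Locky_recover_instructions.txt note, and reports the owner of the evidence file so the infected account can be identified. The sample share it builds is constructed; owner lookup uses the POSIX uid and returns None on Windows, where the pywin32 win32security module would be needed instead.

```python
"""Hunt for Locky indicators on a file share: .locky files and the
_Locky_recover_instructions.txt note, reporting who owns them.

Added example, not from the original advisory. It builds a small sample
tree itself so it runs offline; point scan_share() at a real share path
to use it for real.
"""
import os
import tempfile
from pathlib import Path

LOCKY_EXT = ".locky"
RANSOM_NOTE = "_Locky_recover_instructions.txt"


def file_owner(path):
    """Best-effort owner of a file.

    On POSIX this is the owning user name (the numeric uid if unknown).
    On Windows os.stat has no owner field; ownership lookup there needs the
    pywin32 win32security module, so None is returned rather than a guess.
    """
    try:
        import pwd  # POSIX only
    except ImportError:
        return None
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def scan_share(root):
    """Walk `root` and return one record per directory holding indicators.

    Each record: {"dir": path, "locky_files": n, "note": bool,
                  "owner": owner of the ransom note (or first .locky file)}
    The ransom note's owner is the account that ran the malware, which is
    the one to disable and investigate.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        locky = [f for f in files if f.lower().endswith(LOCKY_EXT)]
        note = RANSOM_NOTE in files
        if not locky and not note:
            continue
        evidence = os.path.join(dirpath, RANSOM_NOTE if note else locky[0])
        findings.append({
            "dir": dirpath,
            "locky_files": len(locky),
            "note": note,
            "owner": file_owner(evidence),
        })
    return findings


def build_sample_share():
    """Create a constructed share layout (not real data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    # Finance folder: "encrypted" files plus the ransom note.
    for name in ("ABCD1234EFGH5678IJKL9012MNOP3456.locky", "Q1.xlsx.locky"):
        (root / "finance" / name).write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("!!! IMPORTANT INFORMATION !!!\n")
    # HR folder: clean.
    (root / "hr" / "policy.docx").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rec in scan_share(share):
        print(f"{rec['dir']}: {rec['locky_files']} .locky file(s), "
              f"note={rec['note']}, owner={rec['owner']}")
```

Run this against a share from a clean host (never from the suspect PC) and act on the owner of the note, not on the owner of the original documents; the note is created by the malware under the infected user's credentials.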

Recovery

Disconnect the infected PC from the network immediately. Unfortunately, apart from paying the ransom (which we don’t advocate), there is no method known to us of recovering the encrypted files. Clean the malware and restore from backups. Where no backups are available (or the backups are themselves encrypted, e.g. on a local drive or network share), some alternative approaches may work [5].

Recommendations

  1. Back up local and shared drives regularly (daily or weekly) and store the backups off-line/off-net, where the malware cannot reach them
  2. Educate users about spam and in particular about not opening suspicious attachments
  3. Flag emails using spoofed addresses (inconsistent envelope “source” and “From” addresses)
  4. Disable macros by default and only enable them on trusted documents when required
  5. Make sure anti-virus and email security (if applicable) product definitions are kept up to date
  6. Verify that backups can be restored (i.e. are usable and working correctly)

Further reading

References

[1] PhishMe: Locky – New Malware Borrowing Ideas From Dridex and Other Ransomware

[2] Medium: Locky ransomware virus spreading via Word documents [Kevin Beaumont]

[3] Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

[4] Symantec: Locky ransomware on aggressive hunt for victims

[5] Comments @ Bleeping Computer: The Locky Ransomware Encrypts Local Files and Unmapped Network Shares [Lawrence Abrams]

DROWN Vulnerability

We would like to bring to your attention the latest SSL/TLS vulnerability, known as the DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack [1]. Although there is much hype around such vulnerabilities, this one is rated as important and seems serious enough to warrant this alert, particularly since the online tester also identifies weak SSL configurations and vulnerable library versions that may be subject to other vulnerabilities.

For more information

Recommendation

Test your site(s) here and mitigate if vulnerable:

Mitigation generally involves disabling SSLv2 support and possibly updating SSL libraries (e.g. OpenSSL). Note that a server with SSLv2 disabled is still at risk if its RSA key or certificate is shared with any other server or service (e.g. SMTP or IMAP on the same host) that still accepts SSLv2, since the attack only needs one SSLv2 endpoint using that key. For more specific directions please consult the reference for your OS (e.g. [2]).

Further reading

References

[1] CVE-2016-0800: Vulnerability Summary

[2] Red Hat: DROWN – Cross-protocol attack on TLS using SSLv2