A Month In Breaches: August

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.

Revamped Qbot Trojan

The Qbot trojan has evolved, adding new techniques for stealing information that can then be used in phishing attacks. The malware can harvest sensitive information such as a user’s email addresses, passwords and credit card details, install further malware such as ransomware on the machine, or, via its bot controller, connect to an infected user’s machine and perform bank transactions from the victim’s IP address. Once the malicious file is executed, an “email collector module” is activated to extract the victim’s email threads from Outlook; these are then reused in malspam campaigns, since a message injected into a genuine conversation looks like legitimate correspondence. Recent phishing campaigns use Covid-19, tax-payment reminders and job recruitment as bait, playing on the current situation.

It is essential that users are aware this type of risk exists and are educated to check their emails for signs of phishing. Even messages that appear to come from trusted sources deserve scrutiny, because an attacker may spoof the sender address. Look closely at suspicious messages carrying attachments, especially ZIP files, as a malicious payload may be hidden inside the compressed file. CTRL Group recommends using mail filters that automatically block and quarantine phishing emails before they reach the user. Organisations using Office 365 can also benefit from strong ATP policies to strengthen their defences against phishing.

Google Chrome remote code execution flaws

A high-severity vulnerability has been discovered in the Google Chrome web browser that allows arbitrary code execution. The flaw has been fixed in the Chrome 85 stable channel, set to roll out to users at the end of August 2020. The flaw (CVE-2020-6492) scored 8.3 on CVSSv3 and affects Google Chrome versions 81.0.4044.138 (Stable), 84.0.4136.5 (Dev) and 84.0.4143.7 (Canary). It allows a remote attacker to execute arbitrary code on the system and is caused by a use-after-free when a WebGL component fails to properly handle objects in memory. By manipulating memory, an attacker can exploit this flaw to execute arbitrary code in the context of the browser process. A typical attack starts with the attacker tricking the victim into visiting a crafted web site containing malicious code that then runs in the victim’s web browser.

In the age of remote working, businesses face new and bigger cyber-risks. Keeping all applications up to date is one of the best ways to protect against being hacked. Google released Chrome 85, which addresses 20 vulnerabilities, including security issues rated critical and high severity. CTRL Group recommends implementing strong patch management. This protects the network from entry points created by known vulnerabilities, which are the usual foothold exploited in an attack.

AWS Cryptojacking Worm

A cryptomining worm from the group known as TeamTNT is propagating through the Amazon Web Services (AWS) cloud and gathering user credentials. Once the logins have been harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency. The worm also deploys a number of openly available malware and offensive security tools, including “punk.py,” an SSH post-exploitation tool; a log cleaning tool; the Diamorphine rootkit; and the Tsunami IRC backdoor. The attack targets the way AWS stores credentials in an unencrypted file at ~/.aws/credentials, with additional configuration details in a file at ~/.aws/config. As more businesses move onto cloud environments, misconfigured or vulnerable attack surfaces like these have opened doors for attackers.

To counter such attacks, researchers recommend identifying which systems store AWS credential files and deleting them if they are not required. It is also advised to review network traffic for connections to mining pools or for the AWS credentials file being sent over HTTP, and to use firewall rules to limit access to Docker APIs. HTTP uses no encryption, so data travels in clear text; ensure sensitive business operations are conducted over HTTPS rather than HTTP.
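A defender-side check in the spirit of the first recommendation, as an added example that is not CTRL Group's or the researchers' code: it inventories .aws/credentials files under a home-directory root (an assumed one-subdirectory-per-user layout) and flags profiles holding long-lived access keys, redacting the secrets so the report cannot itself leak them. It goes one step beyond the text by separating long-lived IAM keys (AKIA prefix) from temporary STS keys (ASIA prefix), which expire on their own.

```python
# Added example (not CTRL Group's or the researchers' tooling): inventory
# .aws/credentials files under a home-directory root, redacting secrets.
import configparser
import tempfile
from pathlib import Path


def audit_credentials_file(path):
    """Return one finding per profile in an AWS credentials INI file."""
    parser = configparser.ConfigParser()
    parser.read(path)
    findings = []
    for profile in parser.sections():
        key_id = parser[profile].get("aws_access_key_id", "")
        findings.append({
            "file": str(path),
            "profile": profile,
            # AKIA... = long-lived IAM user key; ASIA... = temporary STS key.
            "long_lived": key_id.startswith("AKIA"),
            # Keep only a hint of the key id; never copy the secret itself.
            "key_id_hint": key_id[:4] + "..." + key_id[-4:] if key_id else "",
            "has_secret": "aws_secret_access_key" in parser[profile],
        })
    return findings


def find_aws_credential_files(home_root):
    """Walk home_root (one subdirectory per user) and audit every .aws/credentials."""
    results = []
    for home in sorted(Path(home_root).iterdir()):
        cred_file = home / ".aws" / "credentials"
        if cred_file.is_file():
            results.extend(audit_credentials_file(cred_file))
    return results


def demo():
    """Constructed sample: two home directories, one holding a credentials file."""
    root = tempfile.mkdtemp()
    aws_dir = Path(root, "alice", ".aws")
    aws_dir.mkdir(parents=True)
    (aws_dir / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE01\n"
        "aws_secret_access_key = EXAMPLESECRETNOTREAL\n"
        "[temp]\naws_access_key_id = ASIAEXAMPLEEXAMPLE02\n"
        "aws_secret_access_key = EXAMPLESECRETNOTREAL\n")
    Path(root, "bob").mkdir()  # no credentials file: nothing to report
    return find_aws_credential_files(root)
```

Run demo() to see the two findings for the constructed sample, or point find_aws_credential_files() at a real home root such as /home to inventory a host.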