A Month In Breaches: January

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7 and proactively monitor breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.


Trend Micro Anti-Virus Zero-Day Exploited

Japanese manufacturer Mitsubishi Electric disclosed that it had suffered a security breach in which attackers gained access to employees' personal data and other corporate material. The Chinese state-sponsored hacking group known as 'Tick' exploited a zero-day vulnerability in Trend Micro's OfficeScan anti-virus product. Around 2000 employment applications, information on retired staff and survey completion data were all compromised in the attack. The compromise was linked to CVE-2019-18187, which carries a CVSS score of 8.2 and a severity rating of 'High'.

CVE-2019-18187 is a directory traversal vulnerability in affected versions of OfficeScan: an attacker can have the contents of an arbitrary zip archive extracted into a specific folder on the OfficeScan server, because entry names inside the archive are not checked before they are written to disk, and this can lead to remote code execution. Exploitation still requires authentication to the vulnerable machine, so credential hygiene for the OfficeScan server is part of the mitigation. CTRL Group recommends applying patches and updated releases promptly, reviewing remote access to critical systems, and ensuring policies and perimeter security are up to date.
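The bug class behind this advisory is archive path traversal, often called "zip slip": an extractor joins the destination folder with an entry name the attacker controls, and a name such as `../../evil.txt` lands outside the folder. The following is an added, illustrative example written for this post, not Trend Micro's code or an exploit for OfficeScan. It builds a small archive inline (one benign entry, one traversal entry), shows a vulnerable extractor beside a hardened one, and runs both in a throwaway sandbox directory. The `resolve_entry` helper and the sample file names are assumptions for the demonstration.

```python
"""
Zip path traversal ("zip slip") beside its fix. Illustrative example written
for this post, not Trend Micro's code. The archive is constructed inline:
one benign entry and one entry whose name climbs out of the target folder.
"""
import io
import os
import shutil
import tempfile
import zipfile


def build_archive() -> bytes:
    """Constructed sample archive (not a real-world sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/ok.txt", "harmless content\n")
        zf.writestr("../../evil.txt", "written outside the target folder\n")
    return buf.getvalue()


def resolve_entry(root: str, name: str):
    """Return the absolute path an entry would be written to, or None when the
    resolved path leaves root. This is the check the vulnerable extractor
    below lacks; it also rejects absolute entry names such as /etc/passwd."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_unsafe(archive: bytes, dest: str) -> list:
    """Vulnerable: trusts the entry name verbatim, so '../' escapes dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened: validate every entry before writing anything, so a bad
    archive is rejected as a whole rather than left half-extracted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_entry(dest, info.filename)
            if target is None:
                raise ValueError("refusing traversal entry: %r" % info.filename)
            plan.append((info, target))
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return [t for _, t in plan]


def demo() -> dict:
    """Run both extractors in a throwaway sandbox and report what happened."""
    sandbox = tempfile.mkdtemp(prefix="zipslip-")
    try:
        dest = os.path.join(sandbox, "a", "b", "out")
        os.makedirs(dest)
        escaped = os.path.join(sandbox, "a", "evil.txt")  # two levels above dest
        archive = build_archive()

        extract_unsafe(archive, dest)
        unsafe_escaped = os.path.isfile(escaped)

        shutil.rmtree(dest)
        os.makedirs(dest)
        try:
            extract_safe(archive, dest)
            safe_refused = False
        except ValueError:
            safe_refused = True
        return {
            "unsafe_escaped": unsafe_escaped,
            "safe_refused": safe_refused,
            "safe_wrote_anything": bool(os.listdir(dest)),
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The important design choice is validating the whole archive before the first write: rejecting an entry mid-way through still leaves attacker-chosen files on disk. Note that `realpath` is applied to both sides so a symlinked destination does not defeat the comparison.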

 

Malicious Script Plagues WordPress Accounts and Redirects Visitors to Scam Sites

More than 2000 WordPress sites were compromised with a malicious script that redirects visitors to scam websites. Attackers gained access to the affected sites by exploiting vulnerable plugins such as "CP Contact Form with PayPal" and "Simple Fields". The script could also gain unauthorised administrator access to the affected sites, which lets attackers inject further malware. The injected code was obfuscated to disguise the redirect and make its destination URL look legitimate; a visitor who clicks it is taken to a scam site that installs malware on their system without their knowledge.

It is always recommended to scan your websites for malicious code or malware and remove it. Malware can be injected into databases, .htaccess files, themes and plugins. Manual or automated screening is recommended to detect unauthorised access, URL redirection and the addition of unknown plugins. Adhering to strong patch management, as discussed above, is also essential to securing websites and the servers hosting them.
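As an added example of the screening just described (written for this post; it is not a WordPress, Sucuri or CTRL Group tool), the script below scans a set of site files for the three things the paragraph names: obfuscated PHP and JavaScript, .htaccess rewrite rules that redirect to a host other than the site's own, and plugin folders missing from a known-good baseline. All sample files, the site hostname `www.example.com`, the plugin name `wp-cache-helper` and the baseline set are constructed for the demonstration; in practice the dictionary would be filled by walking the document root.

```python
"""
Heuristic scan for injected redirect code in a WordPress install. Example
code written for this post, not a WordPress, Sucuri or CTRL Group tool.
Every file below is constructed to stand in for content read from disk.
"""
import re

SAMPLE_FILES = {
    # Benign plugin file
    "wp-content/plugins/akismet/akismet.php":
        "<?php\n/* Plugin Name: Akismet */\n",
    # Theme file with an injected eval(base64_decode(...)) backdoor
    "wp-content/themes/twentytwenty/footer.php":
        "<?php wp_footer(); ?>\n"
        "<?php eval(base64_decode('ZWNobyAnaW5qZWN0ZWQnOw==')); ?>\n",
    # Theme file with a character-code obfuscated redirect
    "wp-content/themes/twentytwenty/header.php":
        "<script>var u=String.fromCharCode(104,116,116,112,115);"
        "document.location=u+'://scam-site.invalid/';</script>\n",
    # .htaccess: one legitimate same-site redirect, one off-site redirect
    ".htaccess":
        "RewriteEngine On\n"
        "RewriteRule ^old-page/?$ https://www.example.com/new-page [R=301,L]\n"
        "RewriteCond %{HTTP_REFERER} (google|bing)\\. [NC]\n"
        "RewriteRule ^(.*)$ http://redirect-scam.invalid/ [R=302,L]\n",
    # Plugin folder absent from the baseline snapshot (constructed name)
    "wp-content/plugins/wp-cache-helper/index.php":
        "<?php /* no plugin header */\n",
}

# Baseline of plugin folders recorded while the site was known to be clean
KNOWN_PLUGINS = {"akismet", "hello"}

SIGNATURES = [
    ("php-eval-decode",
     re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|"
                r"gzuncompress|str_rot13)\s*\(", re.I)),
    ("js-eval-decode",
     re.compile(r"\beval\s*\(\s*(?:unescape|atob)\s*\(", re.I)),
    ("js-charcode-redirect",
     re.compile(r"String\.fromCharCode\s*\([\d,\s]+\)[\s\S]{0,300}?"
                r"(?:(?:document|window)\.location|location\.href)", re.I)),
]
HTACCESS_REDIRECT = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^\s/]+)",
                               re.I | re.M)
PLUGIN_DIR = re.compile(r"^wp-content/plugins/([^/]+)/")


def scan_files(files: dict, site_host: str, known_plugins: set) -> list:
    """Return sorted (path, finding) pairs for everything that looks injected."""
    findings = []
    for path, content in files.items():
        for name, rx in SIGNATURES:
            if rx.search(content):
                findings.append((path, name))
        if path.endswith(".htaccess"):
            for m in HTACCESS_REDIRECT.finditer(content):
                host = m.group(1).lower()
                if host != site_host.lower():  # same-site redirects are normal
                    findings.append((path, "htaccess-offsite-redirect:" + host))
    seen = set()
    for path in files:
        m = PLUGIN_DIR.match(path)
        if m:
            seen.add(m.group(1))
    for plugin in sorted(seen - set(known_plugins)):
        findings.append(("wp-content/plugins/" + plugin, "plugin-not-in-baseline"))
    return sorted(findings)


def run() -> list:
    return scan_files(SAMPLE_FILES, "www.example.com", KNOWN_PLUGINS)


if __name__ == "__main__":
    for path, finding in run():
        print(f"{finding:50} {path}")
```

Two caveats apply. Signature matching of this kind catches the common obfuscation idioms, not a determined attacker, so it belongs next to file-integrity checks against a clean copy of core, themes and plugins. And the plugin baseline only works if it was taken while the site was known to be clean; a snapshot taken after compromise simply enshrines the rogue plugin.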

 

Netwire RAT Hidden in IMG Files Deployed in BEC

A business email compromise (BEC) campaign in Germany targeted organisations with emails carrying IMG disk-image attachments that concealed a Netwire Remote Access Trojan (RAT). Netwire was also used in a series of phishing attacks involving fake PDF files. The attacker sent employees of the targeted organisation an email posing as a corporate request, with a fake sales quotation request saved as an IMG attachment. When the attachment is opened, the Netwire RAT executes on the victim's machine. Once running, the malware establishes persistence through a scheduled task, stores the C&C server's IP address in registry keys, and communicates with that server over TCP port 3012. Netwire can perform several actions, including keylogging, screen capture and information theft.
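The two behaviours above, a freshly registered scheduled task followed by an outbound connection to TCP/3012 from the same host, make a usable correlation rule. The following is an added example of that logic written for this post; it is not a vendor rule or CTRL Group's own detection content. Both log extracts are constructed: a simplified CSV export of Windows Security event 4698 (a scheduled task was created) and a firewall export that already carries the hostname, which is an assumption (real firewall logs carry the source IP, so a DHCP or asset join would be needed first). Hostnames, task names, paths and addresses are all invented for the demonstration.

```python
"""
Correlation of scheduled-task creation (Windows event 4698) with outbound
connections to TCP/3012, the Netwire default C&C port named above. Example
detection logic written for this post, not a vendor rule. Both log extracts
are constructed in a simplified CSV layout.
"""
from datetime import datetime, timedelta

# Constructed: timestamp,host,event_id,task_name,command
WINDOWS_EVENTS = r"""
2020-01-14T09:12:03Z,WS-FIN-07,4698,\Microsoft\Windows\UpdateSvc,C:\Users\a.mueller\AppData\Roaming\Install\Host.exe
2020-01-14T09:40:10Z,WS-HR-02,4698,\Backup\Nightly,C:\Program Files\Backup\backup.exe
"""

# Constructed: timestamp,host,src_ip,dst_ip,dst_port,action
FIREWALL_LOG = r"""
2020-01-14T09:12:41Z,WS-FIN-07,10.20.4.17,203.0.113.58,3012,ALLOW
2020-01-14T09:41:02Z,WS-HR-02,10.20.4.31,93.184.216.34,443,ALLOW
2020-01-14T12:05:00Z,WS-OPS-11,10.20.4.90,198.51.100.9,3012,ALLOW
"""

NETWIRE_PORT = 3012                     # default port reported for Netwire C&C
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\ProgramData\\")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_task_events(text: str) -> list:
    """Keep only 4698 events; the command field may itself contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, task, command = line.split(",", 4)
        if event_id == "4698":
            events.append({"ts": _ts(ts), "host": host, "task": task, "command": command})
    return events


def parse_firewall(text: str) -> list:
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dst, dport, action = line.split(",")
        conns.append({"ts": _ts(ts), "host": host, "src": src, "dst": dst,
                      "dport": int(dport), "action": action})
    return conns


def correlate(tasks: list, conns: list, window_minutes: int = 15) -> list:
    """One alert per outbound 3012 connection. Severity is 'high' when the
    same host registered a scheduled task within the window beforehand, and
    'critical' when that task runs a binary from a user-writable path."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for c in conns:
        if c["dport"] != NETWIRE_PORT:
            continue
        prior = [t for t in tasks
                 if t["host"] == c["host"] and timedelta(0) <= c["ts"] - t["ts"] <= window]
        alert = {"ts": c["ts"], "host": c["host"], "dst": c["dst"],
                 "severity": "medium", "task": None, "command": None}
        if prior:
            t = max(prior, key=lambda e: e["ts"])   # most recent task wins
            alert.update(severity="high", task=t["task"], command=t["command"])
            if any(p.lower() in t["command"].lower() for p in USER_WRITABLE):
                alert["severity"] = "critical"
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["ts"])


def run() -> list:
    return correlate(parse_task_events(WINDOWS_EVENTS), parse_firewall(FIREWALL_LOG))


if __name__ == "__main__":
    for a in run():
        print(a["severity"].upper(), a["host"], "->", a["dst"], a["task"] or "(no task)")
```

Three things to keep in mind when adapting this: 3012 is only the default, and an operator can change it, so the scheduled-task half of the rule (especially a task whose binary lives under AppData or Temp) is the part worth alerting on by itself; event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm it is present before relying on it; and the correlation window should be tuned to how long your firewall and endpoint log pipelines lag each other.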

Cybercriminals have begun expanding the repertoire of techniques used in BEC attacks to include tools such as RATs and keyloggers, and are expected to adopt more advanced technologies such as deepfakes. Recipients of business transaction requests should always look out for red flags or other suspicious elements, for example changes in email signatures or messages sent without proper context. Fund transfer and payment requests should always be verified, preferably by confirming the transaction with the sender through a channel other than the email itself, since a reply to a compromised or spoofed mailbox only reaches the attacker. A secondary sign-off by someone more senior in the organisation is also encouraged. CTRL Group also recommends that users avoid clicking links or downloading attachments unless they are sure an email is legitimate and was sent from a non-malicious address.

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK