A Month In Breaches: October

This is an initiative by our Security Operations Centre team, who have their eyes on the prize 24/7, proactively observing breaches and critical security trends.

Part of protecting our clients is promoting good security practices and raising awareness of current security trends. We hope this gives an extra boost to your overall understanding of the security breaches happening across the expansive and scary internet.


Linux Wi-Fi Bug Allows System Compromise (CVE-2019-17666)

CVE-2019-17666 was classified as critical. The flaw lies in the rtlwifi driver, the Linux kernel component that talks to Realtek Wi-Fi modules. It is a buffer overflow in that driver, which allows an attacker to crash a vulnerable Linux device or take full control of it. The bug was discovered on 14th October by a principal security engineer at GitHub. The problem lies in the driver's handling of the Notice of Absence protocol: it does not check the length of Notice of Absence packets, so extra data appended to those packets overflows the buffer and can crash the system.

A patch that fixes the buffer overflow has been released; it is presently under review and has not yet been merged into the Linux kernel. CTRL Group suggests applying the patch as soon as it is made available, and, for developers, using safe string-handling functions and secure coding practices.
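To make the missing check concrete, here is an added example (not the rtlwifi driver's code; the element layout, field sizes and record capacity are assumptions) of a parser for a length-prefixed element that validates the declared length against both the bytes actually received and the fixed-size destination before copying anything. Python cannot reproduce the memory corruption itself; the point is where the checks sit and what a parser should do with an element that does not fit.

```python
"""Length validation for a length-prefixed record.

Constructed, schematic illustration of the bug class in the rtlwifi report
(a parser that trusts an element's declared length). It is not the driver's
code and the frame layout, field sizes and capacity below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed layout: [element id][body length][index][ctwindow][descriptors...]
IE_HEADER = 2
NOA_HEADER = 2
DESC_LEN = 13          # assumed descriptor size
MAX_DESC = 2           # assumed capacity of the fixed-size destination record


@dataclass
class NoaRecord:
    index: int
    ctwindow: int
    descriptors: List[bytes] = field(default_factory=list)


class MalformedElement(ValueError):
    """Raised instead of copying past the destination's capacity."""


def parse_noa_ie(frame: bytes) -> NoaRecord:
    if len(frame) < IE_HEADER:
        raise MalformedElement("element shorter than its header")
    declared = frame[1]
    # 1. The declared length must not exceed the bytes actually received.
    if IE_HEADER + declared > len(frame):
        raise MalformedElement("declared length exceeds frame")
    body = frame[IE_HEADER:IE_HEADER + declared]
    if len(body) < NOA_HEADER:
        raise MalformedElement("body too short for NoA header")
    desc_bytes = body[NOA_HEADER:]
    # 2. Descriptors must be whole ...
    if len(desc_bytes) % DESC_LEN:
        raise MalformedElement("partial descriptor")
    n = len(desc_bytes) // DESC_LEN
    # 3. ... and must fit the fixed-size destination. This is the check the
    #    report says was missing: without it, trailing bytes land past the end.
    if n > MAX_DESC:
        raise MalformedElement(f"{n} descriptors exceed capacity {MAX_DESC}")
    return NoaRecord(
        index=body[0],
        ctwindow=body[1],
        descriptors=[desc_bytes[i * DESC_LEN:(i + 1) * DESC_LEN] for i in range(n)],
    )


def classify(frame: bytes) -> str:
    """Return 'ok' or the rejection reason; handy for feeding test vectors."""
    try:
        parse_noa_ie(frame)
        return "ok"
    except MalformedElement as exc:
        return str(exc)


# Constructed test vectors (not captured traffic).
VALID = bytes([0xDD, NOA_HEADER + DESC_LEN, 7, 0x80]) + b"\xab" * DESC_LEN
OVERSIZED = bytes([0xDD, NOA_HEADER + 3 * DESC_LEN, 7, 0x80]) + b"\xab" * (3 * DESC_LEN)
TRUNCATED = bytes([0xDD, 40, 7, 0x80])   # claims 40 body bytes, carries 2

if __name__ == "__main__":
    for name, vec in [("valid", VALID), ("oversized", OVERSIZED), ("truncated", TRUNCATED)]:
        print(f"{name:10s} -> {classify(vec)}")
```

The oversized vector is well-formed in every respect except that it carries more descriptors than the record can hold; a parser that only checks the frame length would accept it, which is why the capacity check is separate from the frame-length check.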


Cryptomining Infection at Major European Airport

A Monero cryptomining attack infected more than 50% of all computer systems at an international airport in Europe. The malware was detected by Cyberbit's Endpoint Detection and Response team while they were deploying their security solution. It was a modification of a previously known cryptojacking infection called Playerz. The attackers altered the binary so that its MD5 hash changed, but kept the same tools and file names as Playerz; that alone was enough to evade most anti-virus products. The business impact was limited to increased power consumption, performance degradation and service interruptions. Cyberbit found that the attack launched PAExec (a redistributable version of the legitimate Windows PsExec remote-execution utility). PAExec was used for privilege escalation and launched player.exe. This also enabled the attackers to inject a malicious DLL capable of evading disk-based checks on the payload.

Cyberbit used its own security software to detect and remediate the Monero-based malware at the European airport. Having good preventive measures in place against cryptojacking is indispensable. Most cryptojacking scripts are delivered through phishing or malicious ads, so keeping email and web filtering tools up to date helps defend your environment. In addition, use industry-accepted browser extensions to block ads. Lastly, CTRL Group suggests using up-to-date endpoint protection capable of identifying known cryptominers.
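As an added example (not Cyberbit's tooling; the events, hosts, paths, hashes and field names are constructed), the following detection logic runs over a few process-creation records and compares a hash-only rule with a behaviour rule keyed on the PAExec to player.exe chain described above. It shows why a variant whose hash was changed but whose tools and file names were kept slips past hash-based checks and is still caught by a rule on names and process lineage.

```python
"""Hash-only versus behaviour-based detection of the PAExec -> player.exe chain.

Constructed example: the events, hostnames, paths and hashes are made up and
the field names are an assumed minimal process-creation schema, not any
vendor's format.
"""
import ntpath
from typing import Dict, Iterable, List

# Placeholder: the hash of the originally catalogued sample. Not a real IoC.
KNOWN_PLAYERZ_MD5 = {"cccccccccccccccccccccccccccccccc"}

# Constructed process-creation records.
EVENTS = [
    {"host": "kiosk-01", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"host": "kiosk-01", "image": r"C:\Temp\paexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "md5": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    # Original sample: hash matches the catalogued value.
    {"host": "kiosk-02", "image": r"C:\Temp\player.exe",
     "parent": r"C:\Temp\paexec.exe",
     "md5": "cccccccccccccccccccccccccccccccc"},
    # Modified sample: same file name and parent, different hash.
    {"host": "kiosk-03", "image": r"C:\Temp\player.exe",
     "parent": r"C:\Temp\paexec.exe",
     "md5": "dddddddddddddddddddddddddddddddd"},
]


def _name(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's platform.
    return ntpath.basename(path).lower()


def hash_rule(event: Dict[str, str]) -> bool:
    """Matches only binaries whose hash is already catalogued."""
    return event["md5"] in KNOWN_PLAYERZ_MD5


def behaviour_rule(event: Dict[str, str]) -> bool:
    """Matches the chain by names and lineage, so a re-hashed copy still fires:
    a process called player.exe, or any child launched by paexec.exe."""
    return _name(event["image"]) == "player.exe" or _name(event["parent"]) == "paexec.exe"


def detect(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return the hosts each rule flags, so the gap between them is visible."""
    hits: Dict[str, List[str]] = {"hash": [], "behaviour": []}
    for ev in events:
        if hash_rule(ev):
            hits["hash"].append(ev["host"])
        if behaviour_rule(ev):
            hits["behaviour"].append(ev["host"])
    return hits


if __name__ == "__main__":
    for rule, hosts in detect(EVENTS).items():
        print(f"{rule:10s} flagged: {hosts or 'nothing'}")
```

The name-based half of the behaviour rule is itself defeated by a simple rename, so in practice it is paired with the lineage condition (a child of the remote-execution tool) and with the endpoint telemetry the article recommends, rather than relied on alone.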


German Manufacturer Attacked by Ransomware

Pilz, a German maker of automation tools, was infected with the BitPaymer ransomware on October 13. All of the company's 76 locations across different countries were affected. It took Pilz staff three days to regain access to its email service, and another three days to restore email service for its international locations. BitPaymer is deployed against high-value targets in the hope of extracting a large ransom. With its entire computer system offline and its website working only sporadically, Pilz is barely fulfilling client orders and is struggling to respond to inquiries. The company has set up a crisis management group to handle communications with its key stakeholders and to direct and support the technical team in its remediation actions.

Pilz fell victim to a typical attack by the BitPaymer gang. The attackers' usual approach is to send seemingly innocent emails with malicious attachments to users. Once opened, the document downloads a second strain of malware, Dridex, from the attackers' command-and-control server; Dridex compromises the system and opens the door to follow-on infections such as ransomware. Phishing emails are the predominant root cause of ransomware incidents. Employees should be vigilant about the emails they open. If a suspicious email is seen, the IT team must be alerted, and the email and any attachments or links associated with it must not be opened. CTRL Group also suggests having an incident response plan that covers what to do during a ransomware event.


– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYST, M-Singh