At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures for some of the largest enterprises in the region. As a result of this, we have our eyes keenly fixed on the cyber security threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, I share the top three cyber security threats that our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Russian Cyber Espionage Group Sets Sights on Middle East

Sednit, a Russian-linked cyber espionage group known for targeting NATO countries and Ukraine, has begun carrying out similar campaigns against the Middle East and Central Asia. The Group, which is also known by the names APT28, Fancy Bear, Pawn Storm, Sofacy and Strontium, has been operating since 2004 and primarily targets accounting firms, science and engineering centers, industrial organizations, ministries, embassies and consulates, national security and intelligence agencies, press and translation services, and NGOs. The objective of this group is to steal confidential information from specific targets.

Zebrocy, a family of malware comprising downloaders and backdoors written in Delphi and AutoIt, has been heavily used by the Sednit group over the last two years. Analysis of the many new variants that have appeared on a regular basis since 2017 clearly indicates that Zebrocy is being actively maintained and improved by its authors.

Attack Description:

In 2015, it was found that the Group was deploying a new component: a downloader for the main Sednit backdoor, named ‘xagent’, which Kaspersky Lab described as ‘Zebrocy’ in its 2017 APT Trend Report. The Zebrocy family consists of three components: a Delphi downloader, an AutoIt downloader and a Delphi backdoor.

Like other malware groups, Sednit sends phishing emails to targeted users to lure them into opening attachments, which can be either Microsoft Office documents or an archive. Malicious documents used by Sednit download the first-stage payload via Visual Basic for Applications (VBA), exploits, or even Dynamic Data Exchange (DDE). Such a document contains a VBA macro that creates a randomly-named file in %TEMP%. The malware executable is then decoded and written into this file, which is then executed via a PowerShell command or via Scriptable Shell Objects.

Other campaigns by the Group have used an archive, delivered as an email attachment, to drop the first stage of the malware onto the victim’s computer. All first stages of the Zebrocy family are executables with an icon and a document-like filename intended to trick the victim. When the user clicks the email attachment, the malware is launched, and a splash window pops up with a bogus error message and the filename of the dropped binary. For example, if the filename is abc.exe, the filename that appears in the splash window will be abc.doc.

The Delphi downloader is the first stage of the Zebrocy family. Upon execution, it creates a file under %TEMP% with a filename hardcoded in the binary. To gather information, the malware creates a new process using the Windows API function CreateProcess with cmd.exe /c SYSTEMINFO & TASKLIST as the lpCommandLine argument. Once the information is retrieved, it sends the result via an HTTP POST request to the C&C server hardcoded in the binary. The C&C server then responds by sending the next stage, which is written into the file created earlier and executed.

Once the malware is set up, it executes callback functions via the Windows API function SetTimer. These callbacks allow the operator to handle the many features and commands of the backdoor.
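The infection chain above (Office macro handing off to PowerShell, a dropped binary under %TEMP%, and the first stage running SYSTEMINFO & TASKLIST) can be surfaced from endpoint process-creation telemetry. The following is an added example, not code from the original post or from any vendor: it runs simple behavioural checks over constructed Sysmon-style process records, whose paths and filenames are invented for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -Command "Start-Process C:\Users\victim\AppData\Local\Temp\ab12cd.exe"'},
    {"parent": r"C:\Users\victim\AppData\Local\Temp\ab12cd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c SYSTEMINFO & TASKLIST"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# An executable under %TEMP%, either as the parent image or referenced in the command line.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.exe", re.IGNORECASE)
# The host-profiling command the Delphi downloader launches via CreateProcess.
RECON_RE = re.compile(r"\bsysteminfo\s*&\s*tasklist\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the Zebrocy-style behaviours observed in one process-creation event."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")   # macro handing off to PowerShell/cmd
    if TEMP_EXE_RE.search(event["parent"]) or TEMP_EXE_RE.search(cmd):
        hits.append("executable-in-temp")          # dropped binary under %TEMP%
    if RECON_RE.search(cmd):
        hits.append("systeminfo-tasklist-recon")   # first-stage host profiling
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every matching event to the behaviours it matched."""
    result = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            result[i] = hits
    return result
```

Each check alone is noisy on a real estate; a single host producing two or more of these tags within a short window is the signal worth escalating.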

Recommendations:

  • Inform users not to open unexpected emails, and to report any unexpected or suspicious emails to the IT security team.
  • Ensure proper controls, such as sandbox technology, are in place to scan inbound emails.
  • Review mail security and gateway blocking effectiveness.
  • Ensure AV at endpoints is properly and regularly updated. It is also worth checking that the AV has signatures for the known hashes associated with this campaign.
  • All software updates should be pushed from an authorized server (SCCM).
  • Do not grant admin privileges on end-user machines without a satisfactory justification.

2) Oracle WebLogic Patch Still Leaves Users Vulnerable to Attack

We have learned that the recently addressed vulnerability in Oracle WebLogic Server installations can be bypassed, which could allow attackers to easily gain complete control of a vulnerable server. With a proof-of-concept exploit for the original Oracle WebLogic Server vulnerability already public on GitHub, there is a high risk of the flaw being exploited by bypassing the patch.

It is currently unclear when Oracle will release a new security update to address this issue, which has re-opened the CVE-2018-2628 flaw. The versions of WebLogic currently affected by this flaw are:

  • 10.3.6.0
  • 12.1.3.0
  • 12.2.1.2
  • 12.2.1.3

Attack Description:

One of the 254 issues addressed by the Riddle vulnerability described in this advisory from April 2017 was ‘CVE-2018-2628’, a critical remote command execution flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server. While a patched system should be protected against this attack, security researchers claim that the fix implemented by Oracle can be bypassed, allowing the WebLogic vulnerability to be exploited again.

The WebLogic Server acts as a middle layer between the front-end user interface and the back-end database of a multi-tier enterprise application. It provides a complete set of services for all components and handles details of the application behaviour automatically. The vulnerability, initially discovered by the NSFocus security team, can be exploited remotely by unauthenticated attackers with network access to TCP port 7001. If successfully exploited, the flaw could allow a remote attacker to completely take over a vulnerable Oracle WebLogic Server.

Recommendations:

  • Check the affected versions and confirm that the patch released by Oracle in April has been installed on the servers.

3) APT Group ‘Energetic Bear’ Resurfaces

As per the latest threat report published by Kaspersky Lab, there is an active campaign from the known APT group ‘Energetic Bear / Crouching Yeti’.

Successful exploitation could result in external malicious users connecting to a remote server over the SMB protocol and extracting the user’s IP address, user name, domain name, and the NTLM hash of the user’s password from the sessions.

Compromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, and sqlmap.

As per the Kaspersky Lab report, the total number of known victims is 2,800 worldwide. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities. In most cases, the Group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.

Attack Description:

The ‘Energetic Bear attack’ relies on three methods to infect victims:

  • Spear-phishing email using a PDF document embedded with an Adobe Flash exploit
  • Trojanized software installers
  • Watering-hole attacks using a variety of pre-existing exploits

Execution of exploits through spear-phishing email, malicious installers or watering-hole attacks results in a connection being established with a remote server over SMB, followed by privilege escalation.
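Because the lure only pays off once a workstation opens an SMB session to a server on the internet, outbound SMB to non-internal addresses is the cheapest network-level indicator of this campaign. The following is an added example, not code from the original post or from Kaspersky Lab: it parses constructed firewall log lines (invented key=value records using documentation IP ranges) and assumes the organisation's internal address space is RFC 1918 plus loopback and link-local.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed firewall log lines (key=value format, not real data).
SAMPLE_LOG = """\
ts=2018-05-02T09:14:03Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=445 proto=tcp
ts=2018-05-02T09:14:05Z action=allow src=10.20.5.17 dst=10.20.1.10 dport=445 proto=tcp
ts=2018-05-02T09:15:11Z action=allow src=10.20.7.3 dst=198.51.100.9 dport=443 proto=tcp
ts=2018-05-02T09:16:40Z action=deny src=10.20.9.8 dst=203.0.113.45 dport=139 proto=tcp
ts=2018-05-02T09:17:02Z action=allow src=10.20.9.8 dst=192.0.2.77 dport=139 proto=tcp
"""

SMB_PORTS = {445, 139}
# Assumption: internal address space is RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    return dict(KV_RE.findall(line))


def find_smb_egress(log: str) -> List[Dict[str, object]]:
    """Flag every SMB connection from an internal host to an external destination.
    Denied attempts are kept too: a deny still proves the lure was opened."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not all(k in rec for k in ("src", "dst", "dport", "action")):
            continue
        if int(rec["dport"]) in SMB_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "dport": int(rec["dport"]), "allowed": rec["action"] == "allow"})
    return alerts


def hosts_to_investigate(log: str) -> List[str]:
    """Internal hosts whose NTLM hash may have left the network (allowed SMB egress)."""
    return sorted({a["src"] for a in find_smb_egress(log) if a["allowed"]})
```

Hosts returned by hosts_to_investigate are candidates for a credential reset and a review of the document or installer that triggered the connection.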

Recommendations:

  • Keep all the application software up to date as the Energetic Bear Group is found to be using preexisting exploits.
  • Ensure the security solution is configured and updated to prevent virus infections.
  • Consider implementing security controls like application whitelisting to detect and block malicious programs.
  • Inform users not to open unexpected emails, and to report to the IT security team any unexpected or suspicious emails that arrive.
  • Specifically focus on educating users about spear phishing emails.

As always, at Help AG we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.

Blog By:

Ben Abraham, CSOC Lead at Help AG