At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.

In this blog, I share the top cybersecurity threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:

1) Middle East in the Crosshairs of the DNSpionage Campaign

A new campaign targeting countries in the Middle East, including Lebanon and the UAE, has been discovered by Cisco Talos. It has affected .gov domains and a Lebanese airline company.

The threat actors behind this campaign, who are yet to be identified, use two fake websites containing job postings to compromise targets via malicious Microsoft Office documents with embedded macros. These malicious documents trick users into opening malicious websites disguised as “help wanted” sites for job seekers. The malware used in the campaign has been named DNSpionage, and it is configured to communicate with the threat actors over HTTP and DNS.

The group has also been responsible for another campaign, in which DNS records for legitimate .gov domains were redirected to a malicious IP. During the DNS compromise, the attackers were found to generate Let’s Encrypt X.509 certificates for the redirected domains so that the redirected sites appeared legitimate to targets during the attack. The threat actors behind the campaign have executed five attacks this year, including one in the past two weeks.

Attack Description:

The threat actors use two malicious websites, hr-wipro[.]com and hr-suncor[.]com, which resemble legitimate job posting sites. The sites host a malicious Office document named Suncor_employment_form.doc, which is a copy of a legitimate file available on the website of Suncor Energy, a Canadian energy company. The attackers distribute links to the malicious websites through a spear-phishing campaign; researchers believe these links might also be distributed through social media platforms such as LinkedIn. Two different documents were gathered from the targets, one a Word document and the other an Excel sheet. Both documents were embedded with the same payload. The Excel document contained text in Russian with the title “service formula for hydraulic fracturing”. The macros of the analysed sample perform the following tasks to avoid sandbox detection:

  • When the document is opened, the macro will decode a PE file encoded with base64 and will drop it in %UserProfile%\.oracleServices\svchost_serv.doc.
  • When the document is closed, the macro will rename the file “svchost_serv.doc” to “svchost_serv.exe”. Then, the macro will create a scheduled task named “chromium updater v 37.5.0” to execute the binary. The scheduled task is executed immediately and then repeatedly every minute.

The macros embedded in the Microsoft Office files are password protected to stop victims from exploring their code. The payload is executed when Microsoft Office is closed by the victim, with a remote administration tool named “DNSpionage” as the final payload. It is so named because it supports DNS tunnelling as a covert channel to communicate with the attackers’ infrastructure. The malware uses HTTP and DNS to communicate with the Command and Control (C2) server.

In the HTTP mode, a DNS request to 0ffice36o[.]com is performed with random data encoded in base64. This request registers the infected system and receives the IP of an HTTP server (the C2 server, 185.20.184.138). Once the malware receives the IP of the C2 server, it makes further HTTP requests to it and receives commands to be executed, gathering information including the username, hostname and system information, which it then sends to the C2 server.

In the DNS mode, commands and responses are handled via DNS, which avoids proxies and web filtering by leveraging the DNS protocol. This option is dictated by the configure.txt file on the infected machine. Initially, the malware sends a DNS query to request commands. The C2 server replies with an answer to the DNS request; this is an IP address, but not a valid one. For example, in 0.1.0.3 the first value (0x0001) is the command ID for the next DNS request and 0x0003 is the size of the command. The malware then performs a DNS query with the command ID, and a new IP is returned by the C2 server. When converted to ASCII, this yields the command to be executed. Finally, the result of the executed command is sent back in multiple DNS requests.
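As an added example (not code from the Talos report or from this post), the following Python reconstructs commands from a sequence of A-record answers using the header scheme described above, the way an analyst would when reviewing passive-DNS data for the C2 domain. The log lines, query labels and commands are constructed, and the decoder generalises the scheme to commands longer than one four-byte answer.

```python
import re

# C2 domain named in the report for DNSpionage's DNS mode.
C2_DOMAIN = "0ffice36o.com"

# Constructed passive-DNS records, "<timestamp> <qname> A <answer>". The
# qname labels are placeholders: the report does not document their layout.
SAMPLE_LOG = """\
2018-11-20T10:00:01Z aGVsbG8.0ffice36o.com A 0.1.0.3
2018-11-20T10:00:02Z 0001.0ffice36o.com A 100.105.114.0
2018-11-20T10:00:03Z www.example.com A 93.184.216.34
2018-11-20T10:01:01Z d2hvYW1p.0ffice36o.com A 0.2.0.6
2018-11-20T10:01:02Z 0002.0ffice36o.com A 119.104.111.97
2018-11-20T10:01:03Z 0002.0ffice36o.com A 109.105.0.0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def c2_answers(log, domain=C2_DOMAIN):
    """A-record answers for queries under `domain`, in log order, as octet tuples."""
    answers = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and (m.group(2) == domain or m.group(2).endswith("." + domain)):
            answers.append(tuple(int(o) for o in m.group(3).split(".")))
    return answers


def decode_commands(answers):
    """Reconstruct commands from the DNS-mode scheme: a header answer packs
    (command_id, size) into its two 16-bit halves, and the following answers
    carry `size` ASCII bytes, four per A record, zero-padded. Returns
    [(command_id, command_text), ...]."""
    commands, i = [], 0
    while i < len(answers):
        o = answers[i]
        cmd_id, size = (o[0] << 8) | o[1], (o[2] << 8) | o[3]
        buf, i = bytearray(), i + 1
        while len(buf) < size and i < len(answers):
            buf.extend(answers[i])
            i += 1
        commands.append((cmd_id, bytes(buf[:size]).decode("ascii", "replace")))
    return commands


def is_header_like(answer):
    """Cheap triage check: a header answer for a small command ID starts with
    octet 0, and 0.x.x.x is never a routable host address."""
    return answer[0] == 0
```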

DNS Redirection

Multiple nameservers belonging to companies in Lebanon and the UAE were compromised, and the hostnames under the attackers’ control were redirected to a malicious IP (185.20.187.8). During the process, the attackers created a certificate matching the domain name with the Let’s Encrypt service. The attackers were primarily found to be targeting email and VPN traffic to harvest additional information, such as email and/or VPN credentials.

The following are the DNS redirection instances identified and the attacker-generated certificates associated with each:

  • webmail.finance.gov.lb was redirected to 185.20.187.8 on Nov. 6 at 06:19:13 GMT. On the same date at 05:07:25 GMT, a Let’s Encrypt certificate was created.
  • adpvpn.adpolice.gov.ae was redirected to 185.20.187.8 on Sept. 13 at 06:39:39 GMT. On the same date at 05:37:54 GMT, a Let’s Encrypt certificate was created.
  • mail.mgov.ae was redirected to 185.20.187.8 on Sept. 15 at 07:17:51 GMT. A Let’s Encrypt certificate was also created at 06:15:51 GMT.
  • mail.apc.gov.ae was redirected to 185.20.187.8 on Sept. 24. A Let’s Encrypt certificate was also created at 05:41:49 GMT.
  • memail.mea.com.lb was redirected to 185.20.187.8 on Nov. 14 at 11:58:36 GMT. A Let’s Encrypt certificate was created on Nov. 6 at 10:35:10 GMT.
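An added example, not part of the original post, of the zone audit a defender would run against this pattern: it diffs the records the zone owner expects against what public resolvers currently return, and correlates any drift with certificate issuance, which the timeline above shows happening shortly before each redirect. The expected addresses and the resolver snapshot are constructed placeholders, and the year 2018 for the report’s timestamps is an assumption.

```python
from datetime import datetime, timedelta

# Redirect target named in the report.
REDIRECT_IP = "185.20.187.8"

# Constructed: what the zone owner expects each name to resolve to. The
# legitimate addresses are not in the report, so these are placeholders.
EXPECTED = {
    "webmail.finance.gov.lb": "203.0.113.10",
    "memail.mea.com.lb": "203.0.113.20",
    "mail.mgov.ae": "203.0.113.30",
}

# Constructed snapshot of what public resolvers currently return.
OBSERVED = {
    "webmail.finance.gov.lb": REDIRECT_IP,
    "memail.mea.com.lb": "203.0.113.20",
    "mail.mgov.ae": "203.0.113.30",
}

# Certificate issuance times from the report's timeline (year assumed
# to be 2018), as (subject name, not_before) pairs from a CT log export.
CT_ENTRIES = [
    ("webmail.finance.gov.lb", datetime(2018, 11, 6, 5, 7, 25)),
    ("memail.mea.com.lb", datetime(2018, 11, 6, 10, 35, 10)),
    ("mail.mgov.ae", datetime(2018, 9, 15, 6, 15, 51)),
]


def zone_drift(expected, observed):
    """Names whose observed answer differs from the expected record."""
    return {name: observed.get(name) for name, ip in expected.items()
            if observed.get(name) != ip}


def recent_certs(name, now, window=timedelta(hours=24)):
    """CT entries for `name` issued within `window` before `now`."""
    return [t for subj, t in CT_ENTRIES if subj == name and now - window <= t <= now]


def audit(expected, observed, now):
    """Pair each drifted record with any freshly issued certificate and with
    the known redirect IP; drift plus a fresh certificate is rated high."""
    findings = []
    for name, got in zone_drift(expected, observed).items():
        certs = recent_certs(name, now)
        findings.append({"name": name, "expected": expected[name], "observed": got,
                         "fresh_cert": bool(certs), "known_ioc": got == REDIRECT_IP,
                         "severity": "high" if certs else "medium"})
    return findings
```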

Remediation:

  • Manually blacklist the hash values of the files listed in the Indicators of Compromise (IoCs) on your security devices.
  • Always maintain patched and up-to-date DNS servers, Gateways and other network devices.
  • Regularly audit your DNS zones by exploring your DNS public records and IPs.
  • As a security practice, hide the BIND software version; an attacker could otherwise obtain the DNS server version by running a simple remote query.
  • Enable Domain Name System Security Extensions (DNSSEC). This is a security standard that allows domain owners to monitor traffic to their domain and verify the authenticity of all DNS responses.
  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
  • Admins must monitor and control attachments, such as Microsoft Office files, that prompt users to enable macros.
  • Enable advanced account security features, like 2FA, multi-factor authentication and login notification.
  • Users must be trained on a regular basis regarding security policies/procedures that must be followed to minimize internal threats.
  • Restrict the use of scripts on endpoint machines whose users do not need that function for their daily tasks.

2) Spear-Phishing with a ‘Cannon’

The threat group Sofacy has been distributing a new malware sample known as Cannon via a spear-phishing attack targeting government organizations in North America, Europe and other regions. The group relies on Word documents that load remote templates embedded with malicious macro code. One of the files was observed to retrieve a new tool that has not previously been seen in use by the Sofacy actor. The delivery method relies on an uncommon technique that prevents it from being detected in an automated sandbox environment.

Cannon’s capabilities include “adding persistence” and “creating a unique system identifier”, “collecting system details”, “grabbing snapshots of the desktop” and “logging into a POP3 email account to get access to its attachments”.

Attack Description:

The Cannon malware initiates its attack by sending emails via three accounts, which were observed to be hosted in the Czech Republic. These messages are sent to the email address ‘sahro.bella7[at]post.cz’, which acts as its C2 point. The objective of this trojan is to use several email accounts to send system data, including system information and screenshots, to the threat actors and ultimately to obtain a payload from the actors’ email.

The campaign consists of a series of weaponized documents that load remote templates containing a malicious macro. The weaponized documents have been found to target several government entities in North America, Europe, and a former USSR state. These types of documents are not uncommon, but they are difficult to identify with automated analysis tools due to their modular nature: if the C2 server is not available at the time of execution, the malicious code cannot be retrieved, rendering the delivery document largely benign.

Additional collection of related documents revealed a second first-stage payload that security researchers have named ‘Cannon’. Cannon has not been previously observed in use by the Sofacy group and contains a novel email-based C2 communication channel. Email as a C2 channel is not a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS.

Initially, a Microsoft Word document with the filename “crash list (Lion Air Boeing 737).docx” and the author name “Joohn” was observed. This document was used to target government organizations dealing with foreign affairs in Europe via spear-phishing. Once the user attempts to open this document, Microsoft Word immediately loads a remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document.

Once the victim clicks the “Enable content” button, the embedded macro is executed. This is a form of anti-analysis, as Word will not fully execute the malicious code until the user closes the document. On successful execution, the macro installs the complete payload and saves a document to the system. The second delivery document was observed to have the same author as the crash list .docx document, and the same 188[.]241[.]58[.]170 C2 IP to host its remote template. The observed sample was very similar to the initially analysed document, but with an entirely new tool in its payload.

The Trojan initially functions as a downloader and then relies on emails to communicate with the C2 server. To communicate with these C2 servers, the Trojan sends emails to specific email addresses via SMTPS over TCP port 587. The tool also relies on EventHandlers with timers to run its methods in a specific order, potentially increasing its evasion capabilities.

Remediation:

  • Blacklist the attack’s indicators of compromise (IoCs).
  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails.
  • Admins must monitor and control attachments, such as Microsoft Office files, that prompt users to enable macros.
  • Enable advanced account security features, like 2FA, multi-factor authentication and login notification.
  • Restrict the use of scripts on endpoint machines for those users who do not explicitly require it for their daily tasks.
  • For those who require tools for the execution of scripts, admins must restrict their activities to a virtual environment, if possible.
  • Use of encrypted email communication is mandatory to minimize similar attacks.

3) SQL Injection Vulnerability in Cisco Prime License Manager

It has been discovered that the Cisco Prime License Manager is prone to an SQL injection vulnerability. This vulnerability occurs as the manager fails to sufficiently sanitize user-supplied data before utilizing it in an SQL query.

The weakness was addressed as CVE-2018-15441 in a confirmed advisory. The attack may be launched remotely, with no authentication required for exploitation. Exploiting this vulnerability could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Attackers can exploit this vulnerability via a browser.

Although no exploitation of this vulnerability has been observed to date, an attacker could exploit it by sending crafted HTTP POST requests containing malicious SQL statements to the affected application.

The vulnerable products are:

  • Cisco Prime License Manager 11.5.1
  • Cisco Prime License Manager 11.0.1
  • Cisco Prime License Manager 11.5

Vulnerability Description:

Cisco has recently disclosed an SQL injection vulnerability in Prime License Manager, which is designed to help administrators manage user licenses on an enterprise-wide scale.

Remote attackers could execute arbitrary SQL queries on vulnerable machines by exploiting CVE-2018-15441. The issue results from the “lack of proper validation of user-supplied input in SQL queries.” Attackers who compromise a vulnerable target could also delete or modify any data within Prime License Manager’s database, and obtain shell access with the system privileges of the Postgres user account.

At present, there are no known workarounds to mitigate this vulnerability, but Cisco has released a software update that patches it (“ciscocm.CSCvk30822_v1.0.k3.cop.sgn”).

The CVE-2018-15441 security issue impacts the Cisco Prime License Manager 11.0.1 and later versions only, with both “Coresident” and “Standalone” deployments being affected. In coresident configurations, the Cisco PLM solution is installed as part of the Cisco Unified Communications Manager and Cisco Unity Connection suites. Since Cisco PLM is not included within versions 12.0 or later of Cisco Unity Connection and Cisco Unified Communications Manager, these versions are not impacted by this SQL injection vulnerability.

To identify which release of the Cisco Prime License Manager is running in your environments, log in to the Cisco Prime License Manager GUI and then click “About” in the top-right corner of the screen.

Recommendations:

  • As a best security practice, keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up-to-date with the latest security patches.
  • Patches/updates released must be installed via the recommended path, as advised by the vendor.
  • When considering/performing software upgrades, customers should consult the relevant vendors to identify non-vulnerable versions of their respective products.
  • Help AG recommends performing a comprehensive assessment of assets within your environment for the presence of this vulnerability, followed by the application of appropriate patches.
  • Ensure the devices to be upgraded contain sufficient memory and the current hardware and software configurations will continue to be supported properly by the new release/patch.
  • Validate user-supplied input for expected data types, including input fields like dropdown menus or radio buttons and not just fields that allow users to type in input.
  • Configure proper error reporting and handling on the web applications.

As always, at Help AG, we’re here to help you protect against these and any other cyber threats, so please reach out to us for all your cyber security needs.

Blog By:

Ben Abraham, CSOC Lead at Help AG