TOP MIDDLE EAST CYBER THREATS-07 JUNE 2018
In this blog, I share the top cyber security threats our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
1) Hidden Cobra Bares its Fangs
According to reports by trusted third parties, cybercrime group HIDDEN COBRA has been targeting victims across the globe from sectors that include aerospace, finance, and critical infrastructure. They have been doing so via two primary methods:
- A remote access tool (RAT), commonly known as Joanap
- A Server Message Block (SMB) worm, commonly known as Brambul.
Joanap Overview
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other malicious operations. The Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management.
Joanap typically infects a system via a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments.
Brambul Overview
This malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. The Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol to gain access to a victim’s networks.
Analysis of a newer variant of the Brambul malware has identified that its built-in functions for remote operations include harvesting system information, accepting command-line arguments, generating and executing a suicide script, propagating across the network using SMB, brute forcing SMB login credentials, and generating Simple Mail Transport Protocol email messages containing target host system information.
Impact of the Attacks
A successful network intrusion can have severe impact, particularly if the compromise becomes public. Possible outcomes include
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses incurred to restore systems and files
- Potential harm to an organization’s reputation
Recommendations:
Users and Administrators should follow these best practices as a preventive measure against HIDDEN COBRA’s attacks:
- Keep operating systems and software up-to-date with the latest patches
- Maintain up-to-date antivirus software, and scan all software downloaded from the internet before executing
- Restrict users’ abilities (permissions) to install and run unauthorized software applications, and apply the principle of least privilege to all systems and services
- Scan for and remove suspicious email attachments. Enterprises and organizations should consider blocking email messages from suspicious sources that contain attachments.
- Follow safe practices when browsing the web.
- Disable Microsoft’s File and Printer Sharing service, if not required by the user’s organization. If this service is required, use strong passwords or Active Directory authentication.
- Enable a personal firewall on organization workstations and configure it to deny unsolicited connection requests
2) Cobalt Group Executes Well-Crafted Phishing Campaign
It is estimated that in just 6 months since it started its ongoing campaign, ‘Cobalt Group’ has sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries. The Group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser.
The security company Group-IB says the campaign’s spear phishing emails represent themselves as coming from Kaspersky Lab. The bogus emails inform the recipient that their computer has been named in an unspecified complaint involving violations of unspecified regulations. The victim is instructed to “view complaint” and provide a detailed explanation regarding this issue.
In several respects, the phish bait is well-crafted. Once touched, the email tells the recipient not to reply, as it was sent from a notification only account that does not accept incoming messages. If the victim doesn’t reply within forty-eight hours, the email says, “we will be entitled to take action and impose sanctions to your web resources.” It’s the sort of threat that a poorly informed employee can easily fall for. The phishing emails have been found to be delivered from the following mailboxes-
Recommendations:
- Educate users on Social engineering and Phishing/Spear Phishing emails. Unexpected emails should not be opened, but rather reported to IT security.
- Beware of urgent or threatening language in the subject line with the display name in the emails.
- Ensure proper controls are in place to scan inbound emails. For more on this please refer to our blog on email security.
- Review mail security and gateway blocking effectiveness.
- Ensure AV at endpoints are properly getting updates and it is worth to check if AV has signature for all the hashes
- Timely installation of security updates (both applications and operating systems)
- All software updates should be pushed from an authorized server(SCCM)
- Limit the provision of admin privilege access to end-users’ machines
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
Blog By:
Ben Abraham, CSOC Lead at Help AG