Vital AMP for WP Plugin Weakness Allows Any User to Gain Admin Rights

A recent critical WordPress plugin weakness has been identified that might let site users increase rights to admin level, providing them with the capability to add custom code to a vulnerable website or upload malware. The vulnerabilities is in the AMP for WP plugin, a trendy plugin that changes standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to carry out checks to decide whether a particular user is allowed to carry out certain administrative jobs, inadequate checks were carried out to confirm the existing user’s account permissions. As a consequence, any user, including a user listed on the site to submit remarks, might gain admin rights to the site.

The vulnerability was found by WordPress plugin developer Sybre Waaijer who clarified that the vulnerability would let any user read and download files, upload files, modify plugin settings, insert HTML content into posts, or load malware such as a cryptocurrency miner or install malevolent JavaScript. Although there were some safety checks carried out, in most instances unauthenticated users might easily carry out illegal activities on a site with the vulnerable plugin installed.

As per web safety company WebARX, the vulnrability is present in the ampforwp_save_steps_data hook – An Ajax hook that can be called by all listed users on a site. As insufficient checks are carried out to confirm the account role of the user when the hook is called, any site user can use the functions.

The vulnrability has been rectified in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new variety of the plugin includes a check of the wpnonce value to decide whether the user is accredited to update plugin settings. Updates will only be allowed if the user has admin rights.

Stealthy sLoad Downloader Executes Massive Reconnaissance to Improve Quality of Infected Hosts

A latest PowerShell downloader has been discovered – the sLoad downloader – which is being utilized in quiet, highly targeted attacks in the UK and Italy. The sLoad downloader executes a wide variety of checks to find out a lot of information concerning the system on which it lives, before selecting the most suitable malevolent payload to position – if a payload is positioned at all.

The sLoad downloader was first identified in May 2018 when it was mainly being used to download the Ramnit banking Trojan, even though more lately it has been providing a much wider variety of malevolent payloads including Ursnif, PsiBot, DarkVNC, and Gootkit, as per safety scientists at Proofpoint who have been studying the danger.

The malware is assumed to be the work of a threat actor known as TA554 that Proofpoint has been tracing for over a year. sLoad is being used in greatly targeted attacks, mostly in the United Kingdom and Italy, even though the group also often targets Canadian companies.

sLoad is part of an increasing type of silent writings that are being developed to carry out silent attacks and improve the quality of infected hosts. Among the difficulties with infecting as many machines as possible is the attacks are loud and are quickly noticed, providing safety researchers plenty of time to study malware, add signatures to AV software, and develop repairs.

Although the spray and pray method of infecting as many end users as possible carries on, particularly by affiliates signed up to use ransomware-as-a-service, there has been a rising tendency over the last few months of a much quieter type of malware – Malware that stays under the detector for longer and goes to great lengths to discover more about a system prior to attacks are started.

Infection mainly happens through spam electronic mails, which are cautiously created, written in the targeted nation’s language, and contain tailored information such as the target’s name and address to add reliability. The most usual subjects and message subjects are missed package distributions and purchase orders, which are detailed in documents attached to the electronic mails. Hyperlinks are also utilized to connect to zip files having the documents. The documents have malevolent macros that start PowerShell writings, which download the sLoad downloader.

The threat group extensively utilizes geofencing at all points in the infection series. This limits infection to particular places as well as orders what actions are taken when a host is infected. This is specifically important when the final payload is a banking Trojan. Banking Trojans aim country-specific banks and use precise web injects for those attacks.

The sLoad downloader examines to define if specific safety procedures are running on a system, and will leave if those procedures are found. A list of all running procedures will be gathered and sent back to its C2 server together with details of Citrix-related .ICA files, Outlook files, and a wide variety of other system information. sLoad will also test browsing histories to decide whether the user has earlier visited banks that are being aimed and will report back on its findings.

If the infected appliance has been utilized to access a banking website that Ramnit is aiming, the banking Trojan will be downloaded, even though other malware variations can also be delivered depending on the information found during the reconnaissance stage.

“sLoad, like other downloaders we have described lately, fingerprints infected systems, letting threat actors better select objectives of interest for the payloads of their selection,” wrote Proofpoint. “Downloaders, although, like sLoad, Marap, and others, provide high levels of flexibility to threat actors, whether evading seller sandboxes, providing ransomware to a system that seems mission critical, or providing a banking Trojan to systems with the most likely return.”

Zero-Day Windows Data Sharing Facility Vulnerability Discovered

A Windows zero-day vulnerability has been discovered that lets hackers erase application dlls and cause a system to crash and possibly hijack systems. The vulnerability lets an attacker elevate rights and erase files that must only be accessible by management and takes benefit of a Windows facility that fails to verify approvals.

That facility, the Windows Data Sharing Facility – dssvc.dll, was launched in Windows 10, hence earlier Windows types are unaffected, even though the vulnerability is also existing in Windows Server 2016 and Server 2019.

In order to abuse the Windows Data Sharing Service vulnerability, the attacker would already require access to the system, so for the fault to be distantly exploitable it would need to be merged with one more exploit. This would restrict the possibility for it to be used in an attack.

Although it’s possible to abuse the vulnerability to run commands on a system, the most likely use is disruption, because it permits files to be erased which would render applications or systems unworkable.

The Windows Data Sharing Facility vulnerability was detected by safety scientist SandboxEscaper. SandboxEscaper also recently issued a proof-of-concept for a zero-day vulnerability in Windows Task Scheduler, which was later adopted by a variety of threat actors and utilized in real-world attacks.

Although the vulnerability is similar to the earlier discovered vulnerability, in the sense that it lets non-admins erase files as a consequence of a Windows facility failing to verify permissions, this vulnerability is much more difficult to abuse. SandboxEscaper clarified in an October 23 Tweet that it’s “a low-quality bug that is a pain to exploit.”

SandboxEscaper wrote, “Not the same bug I posted a while ago, this does not write garbage to files but really erases them… meaning you can erase application dll’s and hope they go look for them in user write-able places. Or erase stuff used by system services c:\windows\temp and hijack them.”

Mijja Kolsek, a co-founder of 0Patch, has verified the PoC works and 0Patch team has already issued a micropatch to rectify the “Deletebug” fault. The micropatch was developed within 7 hours of publication of the PoC. The repair will be automatically applied for users of the 0Patch Agent and is obtainable for others through 0Patch.

Microsoft is expected to deliver a solution to the vulnerability.

Exploits Published for LibSSH Vulnerability: Immediate Repairing Required

A lately discovered LibSSH vulnerability, that has been called as ‘comically bad’ by the safety scientist who found it, has been repaired. The vulnerability is extremely easy to abuse. Obviously, different scripts and tools have been published that permit vulnerable apparatuses to be found and the flaw to be abused.

If the LibSSH vulnerability is abused, which needs little expertise even without one of the published scripts, it would let an attacker start an attack and distantly execute code on a vulnerable system.

The LibSSH vulnerability, which would allow anybody to log in to a weak Linux/Unix server without having to provide a password, is as bad as it gets. The vulnerability was found by Peter Winter-Smith of NCC Group, who found that verification can be avoided by sending an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message. The server is expecting an SSH2_MSG_USERAUTH_REQUEST message but will suppose that verification has successfully taken place if the SSH2_MSG_USERAUTH_SUCCESS message is sent in its place.

As per the latest safety advisory published by LibSSH, “The SSH2_MSG_USERAUTH_SUCCESS handler is planned only for communication from the server to the customer.”

The vulnerability is being followed as CVE-2018-10933 and is present in LibSSH types 0.6 and later. The fault has been patched in types 0.8.4 and 0.7.6.

Even though the mistake is trivial to abuse, it is even easier using the scripts that have been issued. Leap Security has issued a script that searches for vulnerable appliances, and there are quite a lot of available that will abuse the vulnerability and permit any code to be run with absolutely no skill needed.

Although the mistake is of high-severity, luckily only a small number of appliances are vulnerable. Anybody running a vulnerable version must repair instantly. Failure to repair will almost certainly see the appliance compromised.

Microsoft Patches 49 Vulnerabilities Including One Actively Exploited Weakness

Almost 50 weaknesses have been repaired by Microsoft on October Patch Tuesday including one zero-day weakness that is being actively abused in the wild by the FruityArmor APT group.

The zero-day (CVE-2018-8453) is connected to the Win32k part of Windows and is an elevation-of-privilege weakness found by Kaspersky Lab. If abused, a threat actor might run random code in kernel mode and might create new accounts, install programs, or access, modify or erase data. The fault is present in all supported types of Windows and Windows Server 2008, 2012, 2016 and 2019.

The FruityArmor threat group is based in the Middle East, which is where the attacks have so far been aimed. The group is famous for utilizing zero-day faults for its attacks and has been aiming older type of Windows, even though Microsoft has alerted that the weakness might let attacks on the latest Windows types.

Kaspersky Lab notices that two years before, on October Patch Tuesday 2016, Microsoft also repaired a fault that was being actively abused by the FruityArmor group – CVE-2016-3393. Kaspersky Lab will announce more details of the fault this week.

Altogether 49 weaknesses have been repaired, 12 of which have been ranked critical. One of those critical weaknesses, CVE-2010-3190 is eight years old and has been repaired several times over the past eight years. The latest repair tackles the weakness in Exchange Server 2016. If abused, it would let an attacker take complete control of a weak system. The other critical repairs affect the Internet Explorer and Edge browsers, Hyper-V, and XML Core Facilities.

The latest repairs also tackle three weaknesses that were publicly revealed before repairs being released: A fault in the JET Database engine, Azure IOT, and Windows kernel. The patch for the JET Database Engine fault is specifically important, as last month sample exploit code was also circulated together with details of the weakness. As a consequence, companies were exposed for numerous weeks. It was a similar tale in August when a weakness and proof of concept code was circulated online for a weakness in Windows task scheduler which also left Windows users defenseless.

Most of the other patches in this round of updates were for Windows 10, the Edge browser, and connected Server types.

Adobe has also publicized patches this week, which tackle 16 weaknesses including four critical faults in Adobe Digital Edition. The critical faults allow distant code implementation, three of which are heap-overflow faults and one is a use-after-free weakness.

Phishers Using Azure Blog Storage to Host Phishing Forms with Legal Microsoft SSL License

Cybercriminals are utilizing Microsoft Azure Blog storage to host phishing forms. The site hosting the malevolent files has an authentic Microsoft SSL license which adds genuineness to the campaign. Similar methods have been used in the past for Dropbox phishing cheats and attacks that mimic other cloud storage platforms.

A usual phishing situation involves an electronic mail being transmitted with a button or hyperlink that the user is requested to tick to access a cloud-hosted file. When the link is clicked they are led to a website where they are needed to enter login identifications – Such as Office 365 identifications – to retrieve the file.

At this stage, the scam often falls down. Oftentimes the webpage that is visited seems strange, doesn’t begin with HTTPS, or the site has an illegal SSL certificate. Although visiting such a domain a large red flag will be raised. Nevertheless, if the user visits a usual looking domain and the SSL credential is legal and has been allotted to a trustworthy brand, the possibility of the user continuing and entering login identifications is far higher.

That is precisely the case with Azure blog storage. Although the domain might seem unknown, it’s a legal Windows domain finishing with .blob.core.windows.net and is safe with an SSL credential. An additional check will disclose that the certificate is legal and has been issued by Microsoft IT TLS CA 5. A genuine-looking Office 365 login form will emerge and identifications will need to be entered to get access to the document – electronic mail and password. This is likely to appear entirely reasonable since the user is retrieving a Microsoft document hosted on a Microsoft site.

Nevertheless, entering in identifications into the login box will see that information transmitted to a server managed by the attackers. The user will be informed that the document is being opened, even though they will be guided to a different Microsoft site. Although this is a red flag, by this time it is too late as the user’s identifications have already been thieved.

In this instance, it was Office 365 identifications that the attackers were trying to get, although the scam might similarly be conducted to get Azure identifications or other Microsoft logins.

Avoiding email-based phishing attacks is easiest with anti-phishing controls to safeguard the electronic mail gateway and avoid messages from reaching inboxes. An advanced spam filtering solution will make sure that the bulk of electronic mails are obstructed. Office 365 users must strongly consider extending Microsoft Office 365 with a third-party spam filter for better safety.

No anti-phishing solution will avoid all phishing electronic mails from reaching inboxes, so it is crucial for workers to be taught safety best practices and to get specific anti-phishing training. Besides providing training on the most common phishing cheats, it is important for end users to be educated on phishing cheats that misuse cloud facilities and object store URLs to make sure cheats like this can be identified as such.

Persistent New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

Enhanced Remote Desktop Protocol Attacks Prompts IC3 to Issue Alert

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to companies concerning the misuse of distant administration tools such as Remote Desktop Procedure. The warning was prompted by a substantial increase in attacks and darknet marketplaces vending RDP access.

Remote Desktop Protocol was first launched into Windows in 1996 and has proven to be a valuable tool. It allows workers to connect to their office computer distantly and IT divisions to access computers to install software or provide help.  When connected through RDP, it’s possible to gain access to the Desktop, convey mouse and keyboard commands, and distantly take complete control of a computer.

Obviously, RDP has been an attractive aim for hackers who use it to steal data, download malevolent software, fit backdoors, or even damage computers.

Every now and then, vulnerabilities are identified in RDP which can be abused by hackers, therefore it is important to make sure systems are completely patched and modern. Nevertheless, attacks happen by getting login identifications. This is typically achieved through brute force attacks to predict vulnerable passwords. Several possible password and username blends are tried until the right one is predicted.

Passwords can also be obtained via man-in-the-middle attacks, such as when workers login to their work computers through RDP on public WiFi hotspots. Several businesses leave RDP ports open and accessible over the Internet (port 3839 particularly) which makes it much easier for RDP to be hacked.

Latest attacks have seen cybercriminals gain access through RDP and steal data or install ransomware, with the latter particularly common. The threat actors behind SamSam ransomware mainly use RDP to gain access to business computers to install ransomware.  This method has also been used to disperse ransomware variations such as CrySiS, ACCDFISA, CryptON, Rapid, Globelmposter, Brrr, Gamma, Monro and a lot more.

IC3 has advised all companies to carry out an audit to decide which appliances have RDP enabled, including cloud-based virtual machines, and to disable RDP if it’s not needed. If RDP is essential, strong passwords should be set, 2FA used, and rate limiting must be applied to obstruct IPs that have made too many failed attempts to log in. Patches must be applied quickly to make sure vulnerabilities cannot be abused.

Companies must make sure that the RDP connection is not open to the Internet and is only accessible through an internal network or using a VPN to contact it through the firewall. Obviously, strong passwords must also be used for the VPN and the latest type of VPN software used.

Since RDP is frequently used to install ransomware, it is vital to regularly back up data and to test standbys to make sure files can be recovered in the event of a tragedy.

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”