At a glance.
- APTs exploit vulnerable Microsoft Exchange Servers.
- Iran's APT34 suspected in campaign against Lebanon's government.
- Guildma Trojan remains focused on Brazil's banks.
- Canadian researchers look into homomorphic encryption.
- Coronavirus phishing expected to continue as long as the epidemic does.
APTs are exploiting vulnerable Microsoft Exchange Servers.
ZDNet reports that multiple nation-state threat actors are exploiting a remote code execution vulnerability (CVE-2020-0688) in Microsoft Exchange Servers, which was patched in last month's Patch Tuesday updates. Researchers at Volexity explain that the vulnerability allows an attacker to pass SYSTEM-level commands to an Exchange Server with only a login credential for an account on the server. The researchers state that the attacker can use this credential to "access the Exchange Control Panel in order to collect the ViewStateKey from the authenticated session cookie as well as the __VIEWSTATEGENERATOR value from a hidden field within the page source."
Importantly, the compromised account doesn't need to have access to the Exchange Control Panel or possess high privileges, so attackers can target seemingly insignificant user accounts that aren't protected by multi-factor authentication. Trend Micro's Zero Day Initiative stresses that while an attacker needs to be authenticated in order to exploit this bug, "any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server.... Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete."
The vulnerability is a result of Exchange Server's failure to generate unique cryptographic keys when the software is installed. Since attackers know these keys, they can run malicious code on the Exchange server's backend, and do so with system privileges that give them control over the server.
Volexity said it had tied some of the exploitation activity to known APT groups based on IP address overlap, although the company didn't name any specific groups. Likewise, a source in the US Department of Defense told ZDNet that "all the big players" were exploiting the flaw. Volexity says some of the attackers "appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use."
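The root cause described above is that the keys were not generated per installation. The following is an added audit example (not code from the article, Volexity, or Microsoft) that reads the machineKey element from Exchange Control Panel web.config files collected from several hosts and reports key pairs shared between servers; the host names and key values are constructed placeholders.

```python
# Added audit example: detect machineKey values that are identical across hosts,
# i.e. keys that were not generated uniquely at install time. Key values and host
# names below are constructed placeholders, not real Exchange keys.
import xml.etree.ElementTree as ET
from collections import defaultdict

def make_config(validation_key, decryption_key):
    """Build a minimal web.config fragment (constructed sample input)."""
    return (
        '<configuration><system.web>'
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        'validation="SHA1" decryption="3DES" />'
        '</system.web></configuration>'
    )

# Four hypothetical hosts; exch01 and exch02 share the same static key pair,
# exch03 has its own keys, exch04 lets ASP.NET generate keys per machine.
SAMPLE_CONFIGS = {
    "exch01": make_config("A1" * 32, "B2" * 12),
    "exch02": make_config("A1" * 32, "B2" * 12),
    "exch03": make_config("C3" * 32, "D4" * 12),
    "exch04": make_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

def extract_machine_key(web_config_xml):
    """Return (validationKey, decryptionKey) or None if no <machineKey> is present."""
    root = ET.fromstring(web_config_xml)
    for elem in root.iter("machineKey"):
        return (elem.get("validationKey", ""), elem.get("decryptionKey", ""))
    return None

def find_shared_keys(configs):
    """Map each static key pair used on more than one host to the hosts using it.

    Hosts whose keys are set to AutoGenerate are skipped: ASP.NET derives those
    per machine, so they cannot collide across installations.
    """
    hosts_by_key = defaultdict(list)
    for host, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys is None or any(k.lower().startswith("autogenerate") for k in keys):
            continue
        hosts_by_key[keys].append(host)
    return {keys: hosts for keys, hosts in hosts_by_key.items() if len(hosts) > 1}

if __name__ == "__main__":
    for keys, hosts in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {keys[0][:8]}... shared by: {', '.join(hosts)}")
```

A key pair that appears on more than one server is the finding to act on; after patching, confirm each host reports its own values.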
APT34 suspected in attacks against Lebanese government targets.
Researchers at Yoroi have observed a new version of the Karkoff malware deployed against government organizations in Lebanon. The Karkoff implant was first spotted by Cisco Talos in April 2019, which linked it to the actors behind the DNSpionage campaign (which also targeted Lebanon). DNSpionage in turn has been linked, based on circumstantial evidence, to the Iran-associated group APT34 (OilRig). Italian security firm Telsy analyzed the same malware sample and similarly concluded that APT34 was a likely suspect.
Telsy researchers believe the attacker compromised a "Microsoft Exchange account of a sensitive entity related to Lebanese government" and used this account as a command-and-control server for the malware. The malware would search through the email account's inbox for messages with a specific subject line and extract Base64-encoded commands from these emails. Likewise, it would send the output of those commands in emails to the same account.
The malware is distributed via spearphishing emails with macro-laden Excel documents. The researchers say the campaign is ongoing, and Telsy thinks the attackers may have used their access to the government-owned mail server to compromise other related organizations.
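The mailbox-as-C2 pattern described above (commands and their output exchanged as Base64-encoded mail within one compromised account) lends itself to a simple mailbox review. The following is an added detection example, not code from Yoroi or Telsy; the message records, addresses, and payloads are constructed, and the exact subject line the implant filters on is not published here, so the heuristic keys on self-addressed mail whose entire body is a Base64 blob instead.

```python
# Added detection example: flag messages in an exported mailbox that are sent
# from an account to itself and whose whole body decodes as Base64 text.
# All sample messages below are constructed.
import base64
import binascii
import re

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_if_base64(text):
    """Return the decoded text if the entire body is valid Base64, else None."""
    body = "".join(text.split())            # tolerate line wrapping in the body
    if len(body) < 8 or len(body) % 4 or not B64_BLOB.match(body):
        return None
    try:
        decoded = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Command text and command output are printable, possibly multi-line.
    if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return decoded
    return None

def flag_mailbox_c2(messages):
    """Return (message id, decoded payload) for self-addressed Base64-only mail."""
    hits = []
    for msg in messages:
        if msg["from"].lower() != msg["to"].lower():
            continue
        payload = decode_if_base64(msg["body"])
        if payload is not None:
            hits.append((msg["id"], payload))
    return hits

# Constructed mailbox export: one compromised account (hypothetical address),
# one colleague. Messages 1 and 4 fit the pattern; 2 and 3 do not.
ACCOUNT = "analyst@example.test"
SAMPLE_MESSAGES = [
    {"id": 1, "from": ACCOUNT, "to": ACCOUNT, "subject": "report",
     "body": base64.b64encode(b"whoami").decode()},
    {"id": 2, "from": ACCOUNT, "to": ACCOUNT, "subject": "lunch",
     "body": "Lunch at noon?"},
    {"id": 3, "from": "colleague@example.test", "to": ACCOUNT, "subject": "report",
     "body": base64.b64encode(b"whoami").decode()},
    {"id": 4, "from": ACCOUNT, "to": ACCOUNT, "subject": "report",
     "body": base64.b64encode(b"hostname\r\nWIN-PLACEHOLDER\r\n").decode()},
]

if __name__ == "__main__":
    for msg_id, payload in flag_mailbox_c2(SAMPLE_MESSAGES):
        print(f"message {msg_id}: {payload!r}")
```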
Guildma banking Trojan remains focused on Brazilian targets.
ESET researchers describe the latest version of Guildma, a modular banking Trojan that exclusively targets Brazil. The researchers call Guildma "the most impactful and advanced banking trojan in the region. Besides targeting financial institutions, Guildma also attempts to steal credentials for email accounts, e‑shops and streaming services, and affects at least ten times as many victims as other Latin American banking trojans already described in this series."
In March 2019, Guildma's developers gave the malware the ability to target organizations outside of Brazil, but none of the malware's operators seem to have used those features. In September 2019, Guildma's international capabilities were removed, and the malware continues to go after Brazilian targets.
Canada looks to homomorphic encryption.
The Canadian Centre for Cyber Security (CCCS), a unit of Canada's Communications Security Establishment, told CBC News that it's working with industry experts and academics to look at how Canadian organizations could make use of homomorphic encryption. Fully homomorphic encryption allows data to be processed while remaining encrypted. Scott Jones, head of the CCCS, estimates that the agency is five to ten years away from rolling out this technology.
Brett Callow from Emsisoft noted to CBC News that homomorphic encryption won't ensure the availability of data—a ransomware attack against encrypted data could still make those data inaccessible—but it can help maintain the confidentiality of data.
Coronavirus phishing on the rise.
Numerous security firms continue to warn of widespread phishing activity capitalizing on coronavirus concerns. Check Point found that coronavirus-themed domains "are 50% more likely to be malicious than other domains registered at the same period." Check Point highlighted a phishing campaign targeting Italy that reached more than ten percent of Italian organizations. These emails contained documents with malicious macros that would install a Trickbot downloader.
Fortinet notes that South Koreans are being targeted with COVID-19-themed Word documents that deliver the BabyShark malware. BabyShark has been tied to North Korean actors in the past.
PhishLabs describes a campaign that poses as a work "absence census" for employees who've caught the virus. It relies on Microsoft Office Forms to host the malicious content rather than using a phishing site. PhishLabs expects to see new coronavirus phishing schemes for as long as the virus is relevant.
Cofense came across a well-written, official-looking phishing template that purports to come from the CDC and contains a malicious hyperlink disguised as a URL to the CDC's legitimate website. This link leads to a spoofed Microsoft Outlook login page designed to harvest credentials. If the user enters their password, they'll be redirected to the CDC's website. Of course, the hoods get the Outlook credentials.