Kuwaiti government organization's website used as a watering hole by xHunt attackers.
Palo Alto Networks Unit 42 published new findings from their investigation into the xHunt campaign that's been targeting Kuwaiti transportation and shipping organizations. Unit 42 discovered that the website of an unnamed government organization in Kuwait contained injected HTML code that loaded a hidden image. This image was hosted on a command-and-control server used in the xHunt campaign, and the researchers believe its purpose was to harvest NTLM hashes from the website's visitors. They explain that "if the actor-controlled server specified in the URI is configured to emulate the NTLM handshake and the website’s visitor is on a local network that allows internal Windows networking protocols to reach the actor controlled server, such as Server Message Block (SMB) and NetBIOS, then the actors could capture NTLM hashes and other system information for that visitor." After this, the attackers could either crack the hash to get the password or use the hash in relay attacks.
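The injection described above relies on a browser silently fetching an image from a host the site owner never referenced. A site operator can check their own pages for that pattern. The following script is an added example, not code from Unit 42 or from the report; it uses only the Python standard library and flags `<img>` elements that are hidden by style or sized to a pixel, that point at a host outside an allow-list the operator supplies, or that use a UNC or `file:` path (the form that can trigger Windows networking from the visitor's machine). The HTML sample, the host names and the address are constructed for the demonstration.

```python
"""Flag <img> elements on a page that look like hidden, off-site trackers.

Added example (not the original page's code). The allow-list of hosts and the
sample HTML below are constructed; replace them with your own site's values.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenImageFinder(HTMLParser):
    """Collect <img> tags that are hidden, tiny, off-site, or UNC/file paths."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return

        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny-dimensions")

        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if src.startswith("\\\\") or parsed.scheme.lower() == "file":
            # A UNC or file: reference can make Windows attempt SMB/NetBIOS
            # to the named host, which is the path the campaign relied on.
            reasons.append("unc-or-file-path")
            host = host or src
        elif host and host not in self.allowed_hosts:
            reasons.append("external-host")

        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_suspicious_images(html, allowed_hosts):
    """Parse one HTML document and return the suspicious image references."""
    parser = HiddenImageFinder(allowed_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate logo, one hidden off-site pixel, one UNC path.
SAMPLE_HTML = r"""
<html><body>
<img src="https://www.example.org/logo.png" width="200" height="60">
<img src="http://c2.attacker.invalid/pixel.png" width="1" height="1" style="display: none">
<img src="\\203.0.113.5\share\pixel.png">
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_images(SAMPLE_HTML, {"www.example.org"}):
        print(f"{f['src']}  <-  {', '.join(f['reasons'])}")
```

Run it against a saved copy of each published page; anything reported as `unc-or-file-path` is worth treating as an incident rather than a content bug. The network-side counterpart the Unit 42 text implies is to block outbound SMB and NetBIOS at the perimeter so a visitor's browser cannot complete an NTLM exchange with an external host.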
SCPI devices shouldn't be connected to the Internet.
Researchers at Trend Micro found that high-end, precise sensor devices using the Standard Commands for Programmable Instruments (SCPI) protocol are vulnerable to potentially damaging attacks if connected to the Internet. SCPI is a simple protocol that was released in 1990 and is primarily used by test and measurement equipment. The protocol wasn't designed for use on the Internet, so it doesn't use authentication or encryption. Trend Micro explains that SCPI can be used with Ethernet, but many of the devices that support SCPI don't run conventional operating systems. As a result, these devices are sometimes configured with a direct connection to the Internet unbeknownst to network administrators.
If a device using SCPI is a power supply, the researchers explain that "overvoltage or overcurrent protection could be switched off, and the output can be hazardous to the [device under test], causing electric shock, or even worse, a fire in the labs." They didn't find any instances on Shodan where this could have occurred, but they did see expensive equipment that could have been damaged by tampering with the input parameters.
The researchers conclude that SCPI is a very useful protocol, but it's defenseless by design and therefore should never be exposed to the Internet.
Brute-forcing Zoom Meeting IDs.
Check Point discovered that anyone could join an active Zoom meeting if they knew the nine, ten, or eleven-digit Zoom Meeting ID, provided the meeting's organizer hadn't chosen to require a password or enabled the Waiting Room option. The researchers wrote a short Python script to test the validity of Zoom meeting URLs (which contain the Meeting ID), which was very successful in identifying active Zoom meetings. Check Point reported their findings to Zoom, and the company introduced some mitigations. Zoom will now require a password by default, and it won't automatically reveal the validity of a meeting without first loading the page, which should slow down attempts to brute-force Meeting IDs. The company will also monitor for brute-forcing attempts and temporarily block suspicious devices.
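One of the mitigations described above is to watch for repeated invalid Meeting-ID lookups from a single client and temporarily block that client. The sketch below is an added example, not Zoom's code or Check Point's script; it implements a sliding-window counter per client that issues a temporary block once a client exceeds a threshold of failed lookups, and releases the block after a cooldown. The thresholds, client addresses and the probe stream are constructed for the demonstration.

```python
"""Sliding-window limiter for failed meeting-ID lookups.

Added example (not the original page's code). Thresholds and the simulated
probe stream are constructed; timestamps are seconds as plain numbers.
"""
from collections import defaultdict, deque


class ProbeRateLimiter:
    """Block a client after too many invalid lookups inside a time window."""

    def __init__(self, max_failures=5, window_seconds=60, block_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block = block_seconds
        self.failures = defaultdict(deque)   # client -> timestamps of failed lookups
        self.blocked_until = {}              # client -> time the block expires

    def check(self, client, now, meeting_exists):
        """Return "allow" or "blocked" for one lookup attempt by `client`."""
        until = self.blocked_until.get(client)
        if until is not None:
            if now < until:
                return "blocked"
            # Cooldown over: lift the block and forget the old failures.
            del self.blocked_until[client]
            self.failures[client].clear()

        if meeting_exists:
            return "allow"

        window = self.failures[client]
        window.append(now)
        while window and window[0] <= now - self.window:
            window.popleft()
        if len(window) >= self.max_failures:
            self.blocked_until[client] = now + self.block
            return "blocked"
        return "allow"


def simulate(events, **limiter_args):
    """Run a list of (client, timestamp, meeting_exists) through one limiter."""
    limiter = ProbeRateLimiter(**limiter_args)
    return [limiter.check(c, t, ok) for c, t, ok in events]


# Constructed stream: one client sweeping IDs, one ordinary user mistyping once.
SAMPLE_EVENTS = [
    ("198.51.100.7", 0, False), ("198.51.100.7", 1, False), ("198.51.100.7", 2, False),
    ("198.51.100.7", 3, False), ("198.51.100.7", 4, False), ("198.51.100.7", 5, False),
    ("198.51.100.8", 5, False), ("198.51.100.8", 9, True),
    ("198.51.100.7", 310, False),
]

if __name__ == "__main__":
    for (client, ts, ok), decision in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={ts:>4} {client} exists={ok!s:5} -> {decision}")
```

A limiter like this only helps if the service does not reveal validity more cheaply elsewhere, which is why the other change, requiring the page to load before a Meeting ID's validity is disclosed, matters: every probe then costs the client a full request that the limiter can count.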
The Konni Group may have targeted a US government agency.
Researchers at Palo Alto Networks Unit 42 have been tracking a phishing campaign they've dubbed "Fractured Statue," which targeted an unnamed US government agency between July and October of 2019. The campaign is distributing the SYSCON remote access Trojan by way of the CARROTBAT downloader and a new downloader Unit 42 calls "CARROTBALL."
CARROTBAT and SYSCON have in the past been associated with the North Korea-linked Konni Group. The Fractured Statue campaign also used North Korea-themed phishing lures, which is a common feature in the Konni Group's operations, although this isn't strong evidence of Konni's involvement.
Unit 42 assesses with "moderate confidence" that this campaign is related to the Konni Group. They note that Konni's activities have been well-documented by researchers over the past several years, which increases the chances of the group's TTPs being used by copycats or false-flaggers.
Monitoring an ICS honeypot.
Trend Micro released a research paper outlining the results of running a realistic ICS honeypot between May and December of 2019. The researchers set up an industrial environment using real ICS hardware to simulate a factory, and they went to great lengths to create a fictitious company with an online presence to support the ruse. When the system went live, they left its HMI machine exposed online via Virtual Network Computing (VNC). The honeypot also contained some other lifelike security vulnerabilities, such as reused passwords across different machines. The honeypot was untouched for more than two months, and eventually the researchers removed the password from VNC to increase the likelihood of attacks. After this, they began to see activity.
On July 24th an attacker deployed a Monero cryptominer on the system. This attacker repeatedly came back to the honeypot throughout the experiment to restart the cryptominer.
The honeypot also experienced two ransomware attacks. On September 22nd, the system was hit by Crysis ransomware, with the attackers demanding $10,000 in bitcoin. The researchers strung the attackers along in an email conversation and got the ransom lowered to $6,000, then reset the honeypot to its original state. On October 21st, the honeypot was infected with Phobos ransomware. The ransom note in this case stated that the ransom amount would be based on how quickly the victim got in touch with the attackers.
On November 12th, a relatively unsophisticated attacker visited the system and began renaming files with a ".rnsmwr" file extension rather than encrypting them. After overcoming some technical difficulties, the attacker added a password to VNC and changed the desktop background to an image of a ransom note demanding $750 worth of bitcoin. The researchers obviously didn't pay the ransom, so the attacker returned to the system two days later and deployed a script that launched twenty tabs of a porn site, apparently in a bid to make the victim realize something was amiss.
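The November 12th visitor did not encrypt anything; the only signal was a burst of renames to a new extension by one actor. That behaviour is easy to detect from file-system audit events. The function below is an added example, not Trend Micro's code; it groups rename events by actor and resulting extension within a sliding window and raises one alert when a count threshold is crossed. The event list, actor name and paths are constructed for the demonstration, and the `.rnsmwr` extension is the one the report describes.

```python
"""Alert on bursts of renames to a single new extension by one actor.

Added example (not the original page's code). Events are constructed tuples
of (timestamp_seconds, actor, old_path, new_path); a real deployment would
feed these from file-system audit logs.
"""
import os
from collections import defaultdict


def detect_rename_bursts(events, threshold=10, window_seconds=60):
    """Return one alert per (actor, new extension) that crosses the threshold."""
    recent = defaultdict(list)   # (actor, new_ext) -> timestamps inside the window
    fired = set()
    alerts = []
    for ts, actor, old_path, new_path in sorted(events):
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1].lower()
        if not new_ext or new_ext == old_ext:
            continue                      # not an extension change
        key = (actor, new_ext)
        recent[key] = [t for t in recent[key] if t > ts - window_seconds] + [ts]
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "actor": actor,
                "extension": new_ext,
                "count": len(recent[key]),
                "first_alert_at": ts,
            })
    return alerts


# Constructed audit stream: one benign rename, then twelve renames to .rnsmwr
# by a single session in under a minute.
SAMPLE_EVENTS = [(2, "svc-backup", r"C:\logs\app.tmp", r"C:\logs\app.log")] + [
    (10 + i * 3, "vnc-session-1", rf"C:\share\report{i}.docx", rf"C:\share\report{i}.docx.rnsmwr")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

A threshold of ten renames per minute to a never-before-seen extension would have fired well before the attacker got around to changing the desktop background; the same logic catches the earlier encrypting families, since Crysis and Phobos also append their own extensions to every file they touch.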
On December 10th, an attacker used the HMI to start the factory, stop the conveyor belt, and then stop the factory. This attacker returned the next day and turned on the palletizer. Two days later, someone (perhaps the same actor) used the HMI to shut down the factory.
The researchers note that malicious activity in the honeypot increased over time. They acknowledge that "[f]or our honeypot to garner this kind of attention, we practically had to do everything wrong when it came to our faux company’s general security stance," but they note that such poor security posture isn't unrealistic or uncommon.