By Nyotron Security Research Team
Attacks on city’s infrastructures are not common, but an attack with the magnitude of Stuxnet was recently discovered. It took place on December 17, 2016 and shut down electrical power distribution to a large area of Kiev, affecting around 250,000 households.
This particular variant installs a backdoor on the compromised machine, and is able to report back to a C&C server. It also creates an innocent looking notepad process that is used as a secondary backdoor in case the main backdoor access is detected. In addition, it had a module that can be used to make the machine unbootable by deleting crucial registry keys.
The targeted machines communicate with ICS/SCADA devices, using known protocols in the normative way, which were not designed to be secured because these systems are supposed to be isolated. All that the malware writers need to know is how to communicate via these protocols and infect a machine that had access to such ICS/SCADA device.
From a quick review of the components of this attack, we block the malicious network it attempts to perform to the hardcoded local IP address 10.15.1.69:3128
Macro-less Office Exploit
Macros in Office documents are a neat thing, they are basically piece of code (VBA) that you can write in your Office document, which can save you time by performing automated tasks.
Since macros are basically code that is running in the background, there is the potential that it could be malicious code.
Macros are known to be dangerous in Microsoft Office applications, and are normally disabled or the application warns the user that the opened document contain macros. However, this new attack does not present the user with a macro warning, it simply uses a different method to run.
Normally, malicious macros run when the document is opened, but this attack executes once the user hovers over the hyperlink with the mouse (no clicking required), the robustness of the attack is sacrificed so that it can be stealthier.
In this example, you can see that on action “Mouse Over” will execute a hidden PowerShell that connects to hxxp://cccn.nl/c.php in order to download a variant of ‘Zusy,’ a banking trojan from 2012, therefore simply disabling macros is not enough for protecting the users from such social engineering attacks.
Since Paranoid recognizes these types of attacks (execution of a malicious PowerShell script) this attack is blocked on the abnormal network activity it performs via PowerShell.
Source: The Hacker News
Intel AMT Firewall Bypass
Intel’s AMT technology provides a Serial-over-LAN protocol to manage computers (mostly for IT personnel).
The vulnerability is categorized as a security mechanisms bypass. By design, the Serial-over-LAN traffic is forwarded to a separate embedded CPU, which bypasses security mechanisms such as firewalls on endpoints.
This protocol may be used as a direct line between an endpoint and some C&C server or may be used to bypass regular endpoint security defense mechanisms.
This attack requires advanced technical knowledge to implement. The vulnerable endpoints would be Intel AMT enabled machines, with access to the WAN. This design issue has been addressed by Microsoft, which forces the traffic to go through Windows Defender.
Paranoid is able to mitigate this design vulnerability, as TCP-connections are monitored by our driver. Our competitors are also highly likely to be able to monitor this design issue, as
TCP monitoring is the only requirement.
Source: The Hacker News
Outdated Third-Party Software
A recent study shows that about 50% of the third-party applications used are outdated, from web to desktop to mobile applications, including firmware and embedded software.
Once a version of an application is released to the world, its only a matter of time before hackers will find an exploit from which they will initiate attacks and gain control over compromised systems. This includes DB application which hackers can access and manipulate a secured DB without credentials, a web-server which hackers can gain access to sensitive configuration or any other application which may be installed and used in an organization.
New versions are released that address the discovered security breaches that inevitably contains security issues of their own, which is why it’s important for organizations to update their software constantly in order to prevent from old exploits and attacks to take place on their machines and network.
Source: InfoSecurity Magazine