NETWORK INTELLIGENCE SECURITY ADVISORY
The major security news items of the month - major threats and breaches. The advisory also includes IOCs and remediation steps.
Digest May 2019, Edition 1.0
IN THIS EDITION:
Security Advisory Listing
• Chinese-based Threat Actors found targeting Banking and Financial Institutions via QakBot Banking Trojan, on a global scale (Severity: High)
• Muhstik Malware found exploiting Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic server, to launch CryptoJacking and DDoS Attacks (Severity: High)
• MegaCortex Ransomware found targeting organizations in United States, Canada, Netherlands, Ireland, France and others on a global scale (Severity: Critical)
• A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver Sodinokibi and GandCrab v5.2 Ransomware attacks (Severity: Critical)
• Threat Actors found targeting Oracle WebLogic Server vulnerability (CVE-2019-2725) and vulnerability in popular WordPress plugin WooCommerce Checkout Manager (Severity: Critical)
ALSO INSIDE
• Data Breach Highlights
To know more about our services reach us at [email protected] or visit www.niiconsulting.com
A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver Sodinokibi and GandCrab v5.2 Ransomware attacks Severity: Critical
SECURITY ADVISORY
REMEDIATION
Date: May 2, 2019
• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Ensure SMB version 1 (SMBv1) is Disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet facing devices, applications and services are using strong & complex passwords.
• Kindly Block mentioned IP/Domain on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or are not known to your Antivirus Vendor.
DOMAINS
• decryptor.top
• arg0s-co.uk
• arg0s.co.uk
• projectstore.guru
• abcfootballfoundation.org
IP ADDRESSES
• 188.166.74.218
• 45.55.211.79
• 91.214.71.139
• 89.108.103.107
• 68.183.35.146
WORKAROUND
If you have trouble retrieving the security patch for Oracle WebLogic Server or have scheduled patch deployment on a later date, then kindly apply the below temporary workaround to eliminate the risk for the time being:
• Delete the wls9_async_response.war and wls-wsat.war files, and then restart the Oracle WebLogic Server.
• Restrict access to URL Paths /_async/* and /wls-wsat/* on Oracle WebLogic Server via the access policy.
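The following is an added Python example, not code from the advisory or from Oracle, covering the two workaround steps above from the defender's side. find_wars() walks a WebLogic installation or domain tree and lists any remaining copy of wls9_async_response.war and wls-wsat.war, so an administrator can confirm the deletion took effect before the restart. path_is_blocked() is the decision an access policy in front of the server has to make for /_async/* and /wls-wsat/*; the point it adds to the text is that the request path must be percent-decoded and dot-segment-normalised before the prefix test, otherwise an encoded or traversal variant of the same path would slip past a plain string match. The walker parameter, the function names and the sample paths in __main__ are all assumptions made for this example.

```python
"""Added example, not part of the advisory: helpers for the temporary
CVE-2019-2725 workaround (WAR file removal and /_async/*, /wls-wsat/* deny).
Function names, the walker parameter and the sample paths are assumptions."""
from __future__ import annotations

import os
import sys
from posixpath import normpath
from typing import Callable, Iterable
from urllib.parse import unquote

# File names named in the workaround above.
WORKAROUND_WARS = frozenset({"wls9_async_response.war", "wls-wsat.war"})
# URL path prefixes named in the workaround above.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")


def find_wars(root: str,
              walker: Callable[[str], Iterable[tuple[str, list[str], list[str]]]] = os.walk
              ) -> list[str]:
    """Return sorted paths of workaround WAR files still present under *root*.

    *walker* defaults to os.walk; it is a parameter so the function can be
    exercised against a constructed directory listing without touching disk.
    """
    hits = []
    for dirpath, _dirs, files in walker(root):
        for name in files:
            if name.lower() in WORKAROUND_WARS:   # case-insensitive for Windows hosts
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def normalize_path(raw: str) -> str:
    """Canonical form of a request path for policy matching.

    Drops the query/fragment, percent-decodes until stable (catches double
    encoding), collapses repeated slashes, resolves '.' and '..' segments and
    lower-cases the result so the deny rule is case-insensitive. A trailing
    slash is kept so '/_async' and '/_async/' both compare against the prefix.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                     # bounded: decode until nothing changes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/" + path.lstrip("/")          # collapse leading slashes ('//_async')
    path = normpath(path)                  # '.', '..' and '//' inside the path
    if not path.endswith("/"):
        path += "/"
    return path.lower()


def path_is_blocked(raw: str) -> bool:
    """True if the request path falls under /_async/* or /wls-wsat/*."""
    path = normalize_path(raw)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for war in find_wars(root):
        print("still present:", war)
    # Constructed sample paths, not observed traffic.
    for sample in ("/_async/service", "/%5Fasync/service",
                   "/console/../wls-wsat/service", "/console/login"):
        print(f"{sample!r:35} -> {'deny' if path_is_blocked(sample) else 'allow'}")
```

Run it with the WebLogic domain directory as the first argument after deleting the WAR files; an empty "still present" list is the expected result. The normalisation step is the part worth carrying into whatever reverse proxy or WAF enforces the path restriction: if that product matches on the raw request line, confirm it decodes and normalises first, or the restriction only covers the literal spelling.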
READ
• Sodinokibi ransomware exploits WebLogic Server vulnerability
• Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers
• Oracle Security Alert Advisory - CVE-2019-2725
Muhstik Malware found exploiting Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic server, to launch CryptoJacking and DDoS Attacks Severity: High
SECURITY ADVISORY
REMEDIATION
Date: May 02, 2019
• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Ensure SMB version 1 (SMBv1) is Disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet facing devices, applications and services are using strong & complex passwords.
• Kindly Block mentioned IP on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or are not known to your Antivirus Vendor.
IP ADDRESSES
• 165.227.78.159
• 156.172.95.153
• 170.13.217.222
READ
• Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
• Muhstik Botnet Exploits Recent Oracle WebLogic Vulnerability
• Oracle Security Alert Advisory - CVE-2019-2725
Chinese-based Threat Actors found targeting Banking and Financial Institutions via QakBot Banking Trojan, on a global scale Severity: High
SECURITY ADVISORY
REMEDIATION
Date: May 03, 2019
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Ensure IBM AIX is up-to-date with the latest security patches, and proper access controls are in place.
• Ensure access controls are properly implemented and periodically evaluated for the ATM Switch and SWIFT Network.
• Ensure the ATM Switch and SWIFT Network are closely monitored for any intrusion or suspicious activity.
• Ensure proper access controls are in place for NetBanking and Third-Party Payment Services.
• Ensure NetBanking and Third-Party Payment Services are closely monitored for any intrusion or suspicious activity.
• Ensure internet facing devices, applications and services are using strong & complex passwords.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Ensure SMB version 1 (SMBv1) is Disabled on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Immediately apply Security Patches for Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667, CVE-2019-0666, CVE-2019-0803, CVE-2019-0859, CVE-2019-0853, CVE-2019-0739, & CVE-2019-0845 on Windows OS.
• Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Kindly Block mentioned IP/Domain on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or are not known to your Antivirus Vendor.
IP ADDRESSES
• 173.247.241.209
• 192.249.112.44
• 162.144.132.223
DOMAINS
• lg.prodigyprinting.com
• hp.prodigyprinting.com
• west.prodigyprinting.com
• majesticairconditioning.com
• novamolecular.com
• layering.wyattspaintbody.net
• haztek-software.com
• asiantruckerclub.com.my
• ap-concepts.com
• mail.premier-elevator.com
• kandmlogistics.com
• premier-elevator.com
• trueip.haztek-software.com
• dynametrixdigital.com
• allfaithazcremations.com
• painting.duncan-plumbing.com
• monmouthcountyspca.org
READ
• Qakbot levels up with new obfuscation techniques
• Qakbot Assembles Itself from Encrypted Halves to Evade Detection
MegaCortex Ransomware found targeting organizations in United States, Canada, Netherlands, Ireland, France and others on a global scale Severity: Critical
SECURITY ADVISORY
REMEDIATION
Date: May 07, 2019
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667, CVE-2019-0666, CVE-2019-0803, CVE-2019-0859, CVE-2019-0853, CVE-2019-0739, & CVE-2019-0845 on Windows OS.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Ensure SMB version 1 (SMBv1) is Disabled on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet facing devices, applications and services are using strong & complex passwords.
• Kindly Block mentioned IP/Domain on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or are not known to your Antivirus Vendor.
DOMAINS
• yuemahui.f3322.org
• gxga.3322.org
• jjteng.3322.org
• chenyunfei.3322.org
• siestainterior.com
• jrmodas.no-ip.org
• saraevo.ddns.net
• testbatasts.ddns.net
• ocxchatnetwork.qc.cx
• populire.servecounterstrike.com
Threat Actors found targeting Oracle WebLogic Server vulnerability (CVE-2019-2725) and vulnerability in popular WordPress plugin WooCommerce Checkout Manager Severity: Critical
SECURITY ADVISORY
REMEDIATION
Date: May 07, 2019
• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Kindly upgrade WordPress Plugin WooCommerce Checkout Manager to version 4.3.
• Ensure SMB version 1 (SMBv1) is Disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure Antivirus Signature Database is up-to-date and Antivirus scan is run on a daily or weekly basis.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet facing devices, applications and services are using strong & complex passwords.
• Kindly Block mentioned IP/Domain on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or are not known to your Antivirus Vendor.
IP ADDRESSES
• 185.161.70.34
• 202.144.193.184
• 205.185.122.99
• 165.22.155.69
• 188.166.74.218
• 107.174.47.156
DOMAINS
• decryptor.top
• aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion
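Every advisory above ends with "Kindly Block mentioned IP/Domain on security devices". The Python below is an added example, not code from the advisory, that puts the same indicators to their other use: it collects the IP addresses and domains from the five advisory sections (Cobalt/Sodinokibi, Muhstik, QakBot, MegaCortex and the WebLogic/WooCommerce advisory), keyed by advisory, and scans log lines for them. Two details it handles that a plain grep would not: an indicator shared by two advisories (188.166.74.218 and decryptor.top both appear twice) is reported against both, and a hostname matches when it equals a listed domain or is a subdomain of one, while an unlisted parent (prodigyprinting.com, of which only lg/hp/west are listed) is not a hit. The key=value log format, the SAMPLE_LOG lines and the function names are assumptions made for this example.

```python
"""Added example, not part of the advisory: match the IP and domain indicators
from the advisories above against log lines. The indicators are copied from the
advisory sections and keyed by advisory; SAMPLE_LOG is constructed for the demo
(clean entries use RFC 5737 test addresses)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the advisory sections above.
ADVISORY_IOCS: dict[str, dict[str, set[str]]] = {
    "Cobalt Group / Sodinokibi / GandCrab (CVE-2019-2725)": {
        "ip": {"188.166.74.218", "45.55.211.79", "91.214.71.139", "89.108.103.107", "68.183.35.146"},
        "domain": {"decryptor.top", "arg0s-co.uk", "arg0s.co.uk", "projectstore.guru",
                   "abcfootballfoundation.org"}},
    "Muhstik (CVE-2019-2725)": {
        "ip": {"165.227.78.159", "156.172.95.153", "170.13.217.222"}, "domain": set()},
    "QakBot": {
        "ip": {"173.247.241.209", "192.249.112.44", "162.144.132.223"},
        "domain": {"lg.prodigyprinting.com", "hp.prodigyprinting.com", "west.prodigyprinting.com",
                   "majesticairconditioning.com", "novamolecular.com", "layering.wyattspaintbody.net",
                   "haztek-software.com", "asiantruckerclub.com.my", "ap-concepts.com",
                   "mail.premier-elevator.com", "kandmlogistics.com", "premier-elevator.com",
                   "trueip.haztek-software.com", "dynametrixdigital.com", "allfaithazcremations.com",
                   "painting.duncan-plumbing.com", "monmouthcountyspca.org"}},
    "MegaCortex": {
        "ip": set(),
        "domain": {"yuemahui.f3322.org", "gxga.3322.org", "jjteng.3322.org", "chenyunfei.3322.org",
                   "siestainterior.com", "jrmodas.no-ip.org", "saraevo.ddns.net", "testbatasts.ddns.net",
                   "ocxchatnetwork.qc.cx", "populire.servecounterstrike.com"}},
    "WebLogic CVE-2019-2725 / WooCommerce Checkout Manager": {
        "ip": {"185.161.70.34", "202.144.193.184", "205.185.122.99", "165.22.155.69",
               "188.166.74.218", "107.174.47.156"},
        "domain": {"decryptor.top", "aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion"}},
}

# Reverse index: indicator -> advisories listing it. 188.166.74.218 and
# decryptor.top appear in two advisories, so a hit must report both.
IP_INDEX: dict[str, set[str]] = {}
DOMAIN_INDEX: dict[str, set[str]] = {}
for _adv, _iocs in ADVISORY_IOCS.items():
    for _ip in _iocs["ip"]:
        IP_INDEX.setdefault(_ip, set()).add(_adv)
    for _dom in _iocs["domain"]:
        DOMAIN_INDEX.setdefault(_dom, set()).add(_adv)

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass(frozen=True)
class Match:
    line_no: int               # 1-based index into the scanned lines
    kind: str                  # "ip" or "domain"
    observed: str              # token as it appeared in the log
    indicator: str             # listed indicator it resolved to
    advisories: frozenset[str]


def lookup_domain(host: str) -> str | None:
    """Listed domain that *host* equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # most specific candidate first
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_INDEX:
            return candidate
    return None


def scan_log(lines: list[str]) -> list[Match]:
    """Scan free-form log lines for listed IPv4 addresses and domains."""
    matches: list[Match] = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for tok in _IPV4_RE.findall(low):
            try:
                ipaddress.IPv4Address(tok)   # drop non-addresses like 999.1.1.1
            except ValueError:
                continue
            if tok in IP_INDEX:
                matches.append(Match(n, "ip", tok, tok, frozenset(IP_INDEX[tok])))
        for tok in _HOST_RE.findall(low):
            hit = lookup_domain(tok)
            if hit is not None:
                matches.append(Match(n, "domain", tok, hit, frozenset(DOMAIN_INDEX[hit])))
    return matches


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2019-05-03T10:12:44Z fw action=allow src=10.0.0.12 dst=173.247.241.209 dport=443",
    "2019-05-03T10:13:01Z dns client=10.0.0.12 qname=west.prodigyprinting.com rcode=NOERROR",
    "2019-05-03T10:15:22Z proxy src=10.0.0.31 host=decryptor.top path=/ status=200",
    "2019-05-03T10:16:05Z dns client=10.0.0.40 qname=mail.yuemahui.f3322.org rcode=NOERROR",
    "2019-05-03T10:17:40Z fw action=allow src=10.0.0.12 dst=203.0.113.7 dport=80",
    "2019-05-03T10:18:11Z proxy src=10.0.0.50 host=prodigyprinting.com path=/ status=200",
]

if __name__ == "__main__":
    for m in scan_log(SAMPLE_LOG):
        print(f"line {m.line_no}: {m.kind} {m.observed} -> {m.indicator} "
              f"[{'; '.join(sorted(m.advisories))}]")
```

Against SAMPLE_LOG this reports four hits (lines 1 to 4) and stays quiet on the TEST-NET address and on the unlisted parent domain. The same reverse index is what a blocklist on a proxy or DNS resolver needs; keeping the advisory name attached to each indicator is what makes a later alert attributable to a specific threat.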
NEWSLETTER
DATA BREACH HIGHLIGHTS
March 2019, Edition 2.0

Data breach of unknown entity exposes private data of 80 million U.S. households April 30, 2019
• The 24GB database, which includes the number of people living in each household with their full names, their marital status, income bracket, age, and more, was exposed on an unprotected Microsoft cloud server.

State-sponsored hackers target Amnesty International Hong Kong with sophisticated cyber-attack April 25, 2019
• Amnesty International's Hong Kong office was hit with a cyberattack launched by China-linked hackers.
• The security breach report confirms that supporters' names, Hong Kong identity card numbers and personal contact information were accessed by the hackers, and no financial data was compromised.
• The organization discovered the security breach on March 15, 2019 during a scheduled migration of the Hong Kong office IT infrastructure to its international network.

AeroGrow Discloses Data Breach of Customers' Payment Card Information April 09, 2019
• AeroGrow discovered that attackers injected a Magecart skimmer into the website's payment page; the malicious code remained undetected between October 29, 2018, and March 4, 2019.
• The Magecart skimmer was able to siphon the card number, expiration date, and CVV/CCV code provided by customers during the payment process.

Buca di Beppo, Planet Hollywood Restaurants Hit by Card Breach April 01, 2019
• Earl Enterprises admitted that hackers have stolen payment card data from tens of its restaurants over a period of 10 months.
• Crooks used PoS malware to siphon payment card data from point-of-sale (PoS) systems at the affected locations. The malicious code was designed to capture card numbers, expiration dates and cardholder names.