Page 1: Data Breach Highlights...global scale Critical A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver

NETWORK INTELLIGENCE SECURITY ADVISORY

The major security news items of the month - major threats and breaches. The advisory also includes IOCs and remediation steps.

Digest

May 2019, Edition 1.0

IN THIS EDITION:

Security Advisory Listing (with Severity)

• Chinese-based Threat Actors found targeting Banking and Financial Institutions via QakBot Banking Trojan, on a global scale (Severity: High)
• Muhstik Malware found exploiting Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server, to launch CryptoJacking and DDoS Attacks (Severity: High)
• MegaCortex Ransomware found targeting organizations in United States, Canada, Netherlands, Ireland, France and others on a global scale (Severity: Critical)
• A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver Sodinokibi and GandCrab v5.2 Ransomware attacks (Severity: Critical)
• Threat Actors found targeting Oracle WebLogic Server vulnerability (CVE-2019-2725) and vulnerability in popular WordPress plugin WooCommerce Checkout Manager (Severity: Critical)

ALSO INSIDE

Data Breach Highlights

To know more about our services reach us at [email protected] or visit www.niiconsulting.com


A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver Sodinokibi and GandCrab v5.2 Ransomware attacks

Severity: Critical

SECURITY ADVISORY

REMEDIATION

Date: May 2, 2019

• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure the Antivirus Signature Database is up-to-date and an Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet-facing devices, applications and services are using strong & complex passwords.
• Kindly Block the mentioned IP addresses/Domains on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.

DOMAINS

• decryptor.top • arg0s-co.uk • arg0s.co.uk • projectstore.guru • abcfootballfoundation.org

IP ADDRESSES

• 188.166.74.218 • 45.55.211.79 • 91.214.71.139 • 89.108.103.107 • 68.183.35.146


A Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server is widely exploited by Cobalt Hacking Group, to deliver Sodinokibi and GandCrab v5.2 Ransomware attacks

Severity: Critical

SECURITY ADVISORY

WORKAROUND

Date: May 2, 2019

If you have trouble retrieving the security patch for Oracle WebLogic Server, or have scheduled patch deployment for a later date, then kindly apply the temporary workaround below to eliminate the risk for the time being:

• Delete the wls9_async_response.war and wls-wsat.war files, and then restart the Oracle WebLogic Server.
• Restrict access to the URL paths /_async/* and /wls-wsat/* on Oracle WebLogic Server via the access policy.
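Both controls in this advisory, blocking the listed IP addresses on security devices and restricting /_async/* and /wls-wsat/* via the access policy, can be verified from the WebLogic access log. The following is an added example, not code from the advisory or from Oracle: it assumes the access log is in Common Log Format (a WebLogic default layout is an assumption here), uses the IP addresses listed in this advisory as the blocklist, and runs over constructed sample log lines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Source addresses from this advisory's IP ADDRESSES list (values taken from the page).
ADVISORY_IPS = {
    "188.166.74.218", "45.55.211.79", "91.214.71.139",
    "89.108.103.107", "68.183.35.146",
}

# URL paths the advisory's workaround restricts on WebLogic (the "/*" wildcards).
RESTRICTED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format line: client ip, ident, user, [timestamp], "METHOD path proto", status ...
# Assumption: the access log is written in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reasons: List[str]


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line that touches the advisory's controls, else None."""
    m = LOG_RE.match(line)
    if not m:  # not a CLF line: skip rather than guess
        return None
    ip, path, status = m.group("ip"), m.group("path"), int(m.group("status"))
    reasons: List[str] = []
    if ip in ADVISORY_IPS:
        reasons.append("source in advisory IP list")
    # Compare the path without its query string, case-insensitively,
    # so "/_ASYNC?x=1" is treated the same as "/_async/".
    bare = path.split("?", 1)[0].lower()
    if any(bare == p.rstrip("/") or bare.startswith(p) for p in RESTRICTED_PREFIXES):
        reasons.append("request to restricted WebLogic path")
        if status < 400:  # a 2xx/3xx here means the access policy is not enforced
            reasons.append("restricted path served (workaround not enforced)")
    return Finding(ip, path, status, reasons) if reasons else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every line, keeping only the hits."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '188.166.74.218 - - [02/May/2019:10:15:22 +0000] "POST /_async/example-service HTTP/1.1" 200 1234',
    '10.0.0.5 - - [02/May/2019:10:16:01 +0000] "GET /wls-wsat/example-port HTTP/1.1" 403 512',
    '10.0.0.7 - - [02/May/2019:10:17:45 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8000',
    '45.55.211.79 - - [02/May/2019:10:18:09 +0000] "GET / HTTP/1.1" 200 300',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status}: {'; '.join(f.reasons)}")
```

A hit carrying "restricted path served" is the one to act on first: it shows the workaround's access policy is not actually in force on that server.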

READ

• Sodinokibi ransomware exploits WebLogic Server vulnerability
• Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers
• Oracle Security Alert Advisory - CVE-2019-2725


Muhstik Malware found exploiting Remote Code Execution vulnerability (CVE-2019-2725) in Oracle WebLogic Server, to launch CryptoJacking and DDoS Attacks

Severity: High

SECURITY ADVISORY

REMEDIATION

Date: May 02, 2019

• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure the Antivirus Signature Database is up-to-date and an Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet-facing devices, applications and services are using strong & complex passwords.
• Kindly Block the mentioned IP addresses on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.

IP ADDRESSES

• 165.227.78.159 • 156.172.95.153 • 170.13.217.222

READ

• Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
• Muhstik Botnet Exploits Recent Oracle WebLogic Vulnerability
• Oracle Security Alert Advisory - CVE-2019-2725


Chinese-based Threat Actors found targeting Banking and Financial Institutions via QakBot Banking Trojan, on a global scale

Severity: High

SECURITY ADVISORY

REMEDIATION

Date: May 03, 2019

• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Ensure IBM AIX is up-to-date with the latest security patches, and proper access controls are in place.
• Ensure access controls are properly implemented and periodically evaluated for the ATM Switch and SWIFT Network.
• Ensure the ATM Switch and SWIFT Network are closely monitored for any intrusion or suspicious activity.
• Ensure proper access controls are in place for NetBanking and Third-Party Payment Services.
• Ensure NetBanking and Third-Party Payment Services are closely monitored for any intrusion or suspicious activity.
• Ensure internet-facing devices, applications and services are using strong & complex passwords.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Immediately apply Security Patches for Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667, CVE-2019-0666, CVE-2019-0803, CVE-2019-0859, CVE-2019-0853, CVE-2019-0739, & CVE-2019-0845 on Windows OS.
• Ensure the Antivirus Signature Database is up-to-date and an Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Kindly Block the mentioned IP addresses/Domains on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.


Chinese-based Threat Actors found targeting Banking and Financial Institutions via QakBot Banking Trojan, on a global scale

Severity: High

SECURITY ADVISORY

IP ADDRESSES

Date: May 03, 2019

• 173.247.241.209 • 192.249.112.44 • 162.144.132.223

DOMAINS

• lg.prodigyprinting.com • hp.prodigyprinting.com • west.prodigyprinting.com • majesticairconditioning.com • novamolecular.com • layering.wyattspaintbody.net • haztek-software.com • asiantruckerclub.com.my • ap-concepts.com • mail.premier-elevator.com • kandmlogistics.com • premier-elevator.com • trueip.haztek-software.com • dynametrixdigital.com • allfaithazcremations.com • painting.duncan-plumbing.com • monmouthcountyspca.org

READ

• Qakbot levels up with new obfuscation techniques
• Qakbot Assembles Itself from Encrypted Halves to Evade Detection


MegaCortex Ransomware found targeting organizations in United States, Canada, Netherlands, Ireland, France and others on a global scale

Severity: Critical

SECURITY ADVISORY

REMEDIATION

Date: May 07, 2019

• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft vulnerabilities CVE-2019-0808, CVE-2019-0797, CVE-2019-0784, CVE-2019-0667, CVE-2019-0666, CVE-2019-0803, CVE-2019-0859, CVE-2019-0853, CVE-2019-0739, & CVE-2019-0845 on Windows OS.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure the Antivirus Signature Database is up-to-date and an Antivirus scan is run on a daily or weekly basis.
• Ensure web browsers are updated to the latest release.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet-facing devices, applications and services are using strong & complex passwords.
• Kindly Block the mentioned IP addresses/Domains on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.

DOMAINS

• yuemahui.f3322.org • gxga.3322.org • jjteng.3322.org • chenyunfei.3322.org • siestainterior.com • jrmodas.no-ip.org • saraevo.ddns.net • testbatasts.ddns.net • ocxchatnetwork.qc.cx • populire.servecounterstrike.com


Threat Actors found targeting Oracle WebLogic Server vulnerability (CVE-2019-2725) and vulnerability in popular WordPress plugin WooCommerce Checkout Manager

Severity: Critical

SECURITY ADVISORY

REMEDIATION

Date: May 07, 2019

• Kindly update Oracle WebLogic to the latest version higher than version 10.3.6.0.0 or 12.1.3.0.0.
• Kindly upgrade the WordPress Plugin WooCommerce Checkout Manager to version 4.3.
• Ensure SMB version 1 (SMBv1) is disabled on Windows OS.
• Kindly update Apache Struts to the latest version (2.5.20, 2.3.37).
• Kindly update Apache Tomcat to the latest version (9.0.19, 8.5.40, 7.0.94).
• Ensure Microsoft Windows Workstations and Servers are up-to-date with the latest security patches.
• Strictly use least privilege accounts throughout the enterprise-wide network.
• Immediately apply Security Patches for Microsoft SMB vulnerabilities CVE-2019-0633, CVE-2019-0630, & CVE-2019-0786 on Windows OS.
• Strictly restrict inbound communication on Ports 135, 139, 445, and 3389, from external networks (Internet).
• Kindly restrict access on Ports 135, 139, 445, and 3389, for servers in production; access should only be granted when needed.
• Ensure the Antivirus Signature Database is up-to-date and an Antivirus scan is run on a daily or weekly basis.
• Ensure proper access control and email filtering are in place to protect Email Exchange Servers and Email Accounts.
• Ensure PowerShell and Remote Desktop features are Disabled on non-administrative systems in the production environment.
• Ensure VBScript execution in Internet Explorer is Disabled on connected Windows Systems.
• Ensure Macros are Disabled in Microsoft Office Products on connected Windows Systems.
• Ensure ActiveX Controls are Disabled in Office files.
• Ensure ActiveX Controls are Disabled in Internet Explorer.
• Kindly ensure Adobe Flash Player is updated to the latest release.
• Ensure internet-facing devices, applications and services are using strong & complex passwords.
• Kindly Block the mentioned IP addresses/Domains on security devices.
• Kindly Block Hashes that are not detected by your Antivirus Program or not known to your Antivirus Vendor.

IP ADDRESSES

• 185.161.70.34 • 202.144.193.184 • 205.185.122.99 • 165.22.155.69 • 188.166.74.218 • 107.174.47.156

DOMAINS

• decryptor.top • aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion


NEWSLETTER

DATA BREACH HIGHLIGHTS

March 2019, Edition 2.0

Data breach of unknown entity exposes private data of 80 million U.S. households
April 30, 2019

• The 24GB database, which includes the number of people living in each household along with their full names, marital status, income bracket, age, and more, was breached from an unprotected Microsoft cloud server.

State-sponsored hackers target Amnesty International Hong Kong with sophisticated cyber-attack
April 25, 2019

• Amnesty International’s Hong Kong office was hit with a cyberattack launched by China-linked hackers.
• The security breach report confirms that supporters’ names, Hong Kong identity card numbers and personal contact information were accessed by the hackers; no financial data was compromised.
• The organization discovered the security breach on March 15, 2019 during a scheduled migration of the Hong Kong office IT infrastructure to its international network.

AeroGrow Discloses Data Breach of Customers’ Payment Card Information
April 09, 2019

• AeroGrow discovered that attackers injected a Magecart skimmer into the website’s payment page; the malicious code remained undetected between October 29, 2018, and March 4, 2019.
• The Magecart skimmer was able to siphon the card number, expiration date, and CVV/CCV code provided by customers during the payment process.

Buca di Beppo, Planet Hollywood Restaurants Hit by Card Breach
April 01, 2019

• Earl Enterprises admitted that hackers stole payment card data from tens of its restaurants over a period of 10 months.
• Crooks used PoS malware to siphon payment card data from point-of-sale (PoS) systems at the affected locations. The malicious code was designed to capture card numbers, expiration dates and cardholder names.