
Daily Cyber Threat and Intel Report


Assignment Prompt:

Assume you are a security analyst for the National University System. You have been tasked with writing a daily cyber threat and intel report for the CIO.

Students will be assigned a specific date to generate their report. The brief should cover events over the 24-hour period starting at 12:00 noon and ending at 12:00 noon on the date assigned.

Malware

Threat 1: New ransomware includes PayPal phishing in its ransom note payment option 1/15

Overview

A new ransomware program under development has been found not only to encrypt the victim's data and demand a ransom, as is typical with ransomware, but also to offer the option of paying the ransom through PayPal. If the victim chooses the PayPal option, they are sent to a phishing site that claims their account is locked and that they must provide their login information to access it. Once the victim enters their login information to “unlock” the account, they are redirected to the real PayPal site and told to log in.
In this way, victims not only have to pay a ransom for file decryption but also have their PayPal credentials stolen if they choose to pay through PayPal rather than Bitcoin.

Impact to the NU System

If a University employee’s PayPal login information is compromised through phishing and they have weak password practices across their SSO or NU accounts, they may inadvertently provide access to the school system.

Recommendations

If the NU System falls victim to ransomware, the first option should be to restore the system from a backup. Paying the ransom only continues to fund this form of attack and reinforces the behavior in attackers.
If a backup cannot be used, opt for paying in Bitcoin, since it maintains user privacy. Also make sure to complete the purchase of Bitcoin and the payment of the ransom over a VPN-secured connection to avoid exposing any more private information.
Ensure the system's antivirus protection is up to date and consider upgrading the package to include a VPN if pertinent.

References

https://www.bleepingcomputer.com/news/security/new-ransomware-bundles-paypal-phishing-into-its-ransom-note/

Threat 2: Malicious Word document attachments deliver NanoCore RAT 1/16

Overview

Fortinet researchers observed a phishing campaign involving malicious Microsoft Word documents that contain auto-executing VBA code which installs the NanoCore RAT on the victim’s system. The emails are disguised as purchase orders.
NanoCore RAT is downloaded onto the targeted system once macros are enabled in the malicious Word file. The malware can edit the registry, control processes, upgrade itself, transfer files, steal passwords, and more. It is a .NET Framework program and was first detected in 2013.

Impact to the NU System

As is typical of businesses and universities, Microsoft Word is used daily, which means that a Word attachment on an email would not look suspicious in the least.
A malicious actor stealing passwords, transferring files, and controlling processes on the NU system would place staff and student personal information and identities at serious risk. This may even violate HIPAA if employee medical or student disability forms are stolen.

Recommendations

As always, maintain a top-recommended antivirus and anti-malware product on the network and use it to scan attachments before they are downloaded. Do not download suspicious attachments.
Keep all antivirus software up to date and run scans regularly to keep the network healthy.
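As an added illustration of what "auto-executable VBA code" means for a mail-gateway or triage check (this is example code written for this report, not Fortinet's tooling or a real campaign sample): the function below takes macro source text (for instance as extracted by the open-source olevba tool) and flags the auto-run procedure names Word honors once macros are enabled, together with capabilities a purchase order has no reason to carry. The sample macro is constructed for the demonstration.

```python
import re

# Procedure names Word runs automatically once macros are enabled;
# these are the hooks an "auto-executable" macro relies on.
AUTO_EXEC_TRIGGERS = (
    "AutoOpen", "Document_Open", "AutoExec", "AutoNew",
    "Document_New", "AutoClose", "Document_Close",
)

# Capabilities that rarely belong in an invoice or purchase order:
# launching processes, creating COM objects, fetching a payload,
# and building strings at runtime to hide what is being run.
SUSPICIOUS_PATTERNS = {
    "process_launch": r"\bShell\b|WScript\.Shell|\bpowershell\b",
    "com_object": r"\bCreateObject\s*\(",
    "download": r"URLDownloadToFile|MSXML2\.XMLHTTP|ADODB\.Stream",
    "string_obfuscation": r"\bChr[W$]?\s*\(|\bStrReverse\s*\(",
}


def scan_vba_source(vba: str) -> dict:
    """Return the auto-exec hooks and suspicious capabilities in VBA source."""
    triggers = [name for name in AUTO_EXEC_TRIGGERS
                if re.search(rf"\bSub\s+{name}\b", vba, re.IGNORECASE)]
    findings = [label for label, pattern in SUSPICIOUS_PATTERNS.items()
                if re.search(pattern, vba, re.IGNORECASE)]
    # An auto-run hook combined with any of the capabilities above is the
    # dropper shape described in the overview; either alone still merits review.
    if triggers and findings:
        verdict = "likely_dropper"
    elif triggers or findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"auto_exec": triggers, "findings": findings, "verdict": verdict}


# Constructed sample macro shaped like the campaign described above
# (not taken from any real document).
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "powershell -w hidden " & Chr(34) & "placeholder" & Chr(34), 0
End Sub
'''

if __name__ == "__main__":
    print(scan_vba_source(SAMPLE_MACRO))
```

A document whose only macro is a formatting helper with no auto-run name returns "clean", so the check can be applied to every inbound Word attachment rather than only to those already suspected.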

References

https://www.fortinet.com/blog/threat-research/-net-rat-malware-being-spread-by-ms-word-documents.html

Vulnerabilities

Threat 3: Flaws in Schneider Electric’s vehicle charging stations patched 1/15

Overview

Three vulnerabilities in Schneider Electric’s EVlink Parking vehicle charging stations have been found and patched. The flaws affect EVlink Parking v3.2.0-12_v1 and earlier.
1. CVE-2018-7800 permits access with maximum privileges, enabling hackers to stop the charging process, switch the device to reservation mode and unlock the cable during charging.
2. CVE-2018-7801 allows attackers to execute arbitrary commands in the system.
3. CVE-2018-7802 enables hackers to bypass authorization and gain access to the web interface with full privileges.

Impact to the NU System

If any of the NU System campuses house Schneider Electric’s charging stations, this would place faculty and students at risk of attack.

Recommendations

If any NU system campuses use Schneider Electric’s EVlink Parking vehicle charging stations, be sure to update the software to ensure the released patches are in effect.

References

https://www.ptsecurity.com/ww-en/about/news/297633/

Threat 4: Flaws found in PremiSys IDenticard building access control systems 1/15

Overview

Three vulnerabilities have been found in PremiSys IDenticard, an identification and building access management system.
1. CVE-2019-3906 relates to a hardcoded backdoor account that can provide attackers with administrative access to the system, allowing them to dump contents of the badge system database or modify its contents.
2. CVE-2019-3907 is linked to a weak encryption method used for hashing credentials and other sensitive data.
3. CVE-2019-3909 concerns the backups and the database installed by the IDenticard service, which use default passwords that are easily obtained and cannot be changed by the user.

Impact to the NU System

If the NU system uses PremiSys IDenticard for campus security and an attacker were to use these vulnerabilities in conjunction with Threat 1 detailed above, they could gain access to the campus and install the ransomware on the campus system.
They could also use these vulnerabilities to access the campus for reconnaissance and intelligence gathering on the network.

Recommendations

Since the latest versions of the software have not been tested due to access limitations, if any NU system campuses use PremiSys IDenticard, be sure to increase campus security overnight and consider alternate forms of security until patches are provided for these vulnerabilities. Be sure to keep software up to date for the latest security.

References

https://www.tenable.com/security/research/tra-2019-01

Threat 5: Intel issues patches for vulnerabilities in Software Guard Extensions 1/15

Overview

1. CVE-2018-18098 is an improper file verification flaw that allows escalation of privilege via local access.
2. CVE-2018-12155 is a data leakage issue in cryptographic libraries that could allow an attacker with local access to retrieve information used by Intel IPP.

Impact to the NU System

Any Intel devices without the security patch would run the risk of giving attackers full access to the system through escalation of privilege. Threat 3 would provide an attacker such local access to the NU system networks.

Recommendations

Even if Threat 3 is not pertinent to NU, local access can be gained in many ways. Staff-wide training on common social engineering tactics would help staff better identify when a social engineering technique is being used on them. This would make it less likely that an attacker could piggyback into campus or use any combination of tactics and techniques to manipulate a target into providing access to the network.

References

https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00203.html

Threat 6: Multiple flaws found in popular web hosting platforms 1/1

Overview

Websites hosted on Bluehost, Dreamhost, HostGator, OVH, or iPage could be compromised through one-click client-side vulnerabilities. At least one vulnerability was found on each of these platforms.
The most severe flaw relates to a misconfiguration of cross-origin resource sharing (CORS) in Bluehost, which could allow a domain controlled by a malicious actor to send requests to a legitimate domain and harvest data from the responses.
Other flaws discovered on these platforms could lead to man-in-the-middle attacks, cross-site scripting, or account takeover.
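To make the CORS point concrete, here is an added example (written for this report, not Bluehost's actual configuration) that models three origin policies a web application might apply and the browser's rule for releasing a credentialed response. The trusted origins and the look-alike host are hypothetical values constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of origins that may read authenticated responses.
TRUSTED_ORIGINS = {"https://portal.example.edu", "https://app.example.edu"}


def cors_headers_reflecting(origin: str) -> dict:
    """Weak policy: echoes whatever Origin arrives and allows credentials,
    so any site the user's browser visits can read their logged-in data."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix(origin: str) -> dict:
    """Also weak: a suffix test is satisfied by a look-alike hostname
    that merely ends with the trusted domain name."""
    if origin.endswith("example.edu"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_allowlist(origin: str) -> dict:
    """Hardened: exact match on scheme and host against the allowlist.
    Anything else gets no CORS headers, so the browser withholds the body."""
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme == "https" and not parts.path and normalized in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": normalized,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # keep caches from serving one origin's answer to another
    return {}


def browser_would_expose(response_headers: dict, origin: str) -> bool:
    """Mirror the browser check for a credentialed cross-origin request:
    the allow-origin header must equal the requesting origin exactly."""
    return (response_headers.get("Access-Control-Allow-Origin") == origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    for policy in (cors_headers_reflecting, cors_headers_suffix, cors_headers_allowlist):
        for origin in ("https://portal.example.edu", "https://notexample.edu"):
            print(policy.__name__, origin, browser_would_expose(policy(origin), origin))
```

Only the allowlist policy denies the look-alike host while still serving the real portal, which is the property to verify when reviewing a hosting platform's or an application's CORS settings.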

Impact to the NU System

Even though NU is hosted through Automattic, malicious actors seeking out vulnerabilities across hosting platforms may dig deeper across platforms in general to find exploitable vulnerabilities.

Recommendations

Keep abreast of web hosting platform vulnerabilities: professional universities such as NU, with nearly all student PII, financial, and educational information being sent online, run the risk of having countless terabytes of employee, student, and financial information stolen.
Also, perform periodic event log scanning to search for any unexpected data transfers on the network.

References

https://www.websiteplanet.com/blog/report-popular-hosting-hacked/

Threat 7: Remote Code Execution vulnerability in Microsoft Windows vCard files 1/16

Overview

A vulnerability was discovered that could allow remote attackers to execute arbitrary code on Microsoft Windows installations. Crafted data in a vCard file causes Windows to display a malicious hyperlink, which is how an attacker exploits the vulnerability.

Impact to the NU System

The NU system network runs on Microsoft Windows and as such would be at risk from this vulnerability. Malicious hyperlinks can lead to anything, including Trojans, ransomware, and spyware, so the university would be at significant risk if exposed to any of these forms of malware.

Recommendations

Perform regular antivirus and anti-malware scans to keep the network healthy and safe.
Also update the OS regularly so that any released patches or security updates are applied.

References

https://www.zerodayinitiative.com/advisories/ZDI-19-013/

Threat 8: Windows security patch breaks PowerShell remoting 1/16

Overview

A security update for an elevation of privilege flaw, CVE-2019-0543, inadvertently broke Windows PowerShell and PowerShell Core 6 WinRM-based remoting for a specific PowerShell remoting scenario.
According to a Microsoft spokesperson, ‘the fix is preventing WinRM (which PowerShell uses as a remoting transport and host) from successfully creating the remote session host’. However, the issue will only occur on devices ‘where the endpoint configurations have been modified for very specific use cases where non-admin users require access to local loopback remoting’.

Impact to the NU System

If the NU system IT department uses PowerShell, they may have a difficult time accessing and maintaining the system and its security.

Recommendations

Verify the endpoint configurations on your systems to ensure you are not affected by this issue.
Modify network-wide settings to maintain the utmost security and least-privilege access.

References

https://www.bleepingcomputer.com/news/security/windows-security-patch-breaks-powershell-remoting/

Ongoing Campaigns

Threat 9: Business email compromise scammers divert employee payrolls 1/16

Overview

Agari researchers observed an increase in business email compromise attacks in which threat actors divert employee payrolls to their own accounts through social engineering techniques.
These attacks consist of threat actors creating fake email accounts impersonating employees of an organization and using them to contact HR and finance departments with a request to change direct deposit account details.
Agari notes that the criminals aim to avoid any online third-party HR systems or verification, and advises businesses to evaluate their current processes for updating payroll details.

Impact to the NU System

Since the NU system uses business email accounts, employees would be particularly vulnerable to this attack.

Recommendations

Staff-wide training on common social engineering tactics would help staff better identify when such a technique is being used on them. Ensure that staff maintain employee privacy over email and verify personal information before discussing HR information.
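As an added example of how an HR or finance mailbox could triage these requests automatically (example code for this report, not Agari's product or method), the function below checks an inbound message for the pattern described in the overview: a payroll-change request sent under a known employee's display name from an address that is not that employee's, from outside the organization, or with a mismatched Reply-To. The staff directory, domain, and both messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"  # hypothetical organization domain
# Constructed staff directory: display name -> the address HR expects.
DIRECTORY = {"Jane Doe": "jane.doe@example.edu", "Sam Lee": "sam.lee@example.edu"}
PAYROLL_TERMS = ("direct deposit", "payroll", "bank account", "routing number")


def assess_payroll_request(raw_message: str) -> dict:
    """Return the reasons a message looks like a payroll-diversion attempt."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()  # "" if From is missing
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    reasons = []
    if any(term in text for term in PAYROLL_TERMS):
        reasons.append("payroll_change_request")
    expected = DIRECTORY.get(display_name)
    if expected and address.lower() != expected:
        reasons.append("display_name_impersonation")  # name matches, mailbox does not
    if sender_domain != ORG_DOMAIN:
        reasons.append("external_sender")
    if reply_to and reply_to.lower() != address.lower():
        reasons.append("reply_to_mismatch")
    # Only a payroll request combined with an identity inconsistency is flagged,
    # so ordinary external mail and ordinary internal HR traffic pass through.
    flagged = "payroll_change_request" in reasons and len(reasons) > 1
    return {"from": address, "reasons": reasons, "flagged": flagged}


# Constructed messages for the demonstration; no real addresses are used.
BEC_SAMPLE = """From: Jane Doe <jane.doe@gmail-example.test>
Reply-To: jane.doe@gmail-example.test
To: hr@example.edu
Subject: Update my direct deposit

Hi, I changed banks. Please update my direct deposit before the next payroll run.
"""

LEGIT_SAMPLE = """From: Sam Lee <sam.lee@example.edu>
To: hr@example.edu
Subject: Parking pass renewal

Could you send me the form for the parking pass renewal?
"""

if __name__ == "__main__":
    print(assess_payroll_request(BEC_SAMPLE))
    print(assess_payroll_request(LEGIT_SAMPLE))
```

A request sent from a genuinely compromised internal mailbox produces only the first reason and is not flagged, which is why the verification step recommended above must remain a human process outside email.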

References

https://www.agari.com/email-security-blog/bec-gangs-payroll-scams/