Thought leadership. threat analysis, news and alerts.
Control Access Before Bad Actors Do
Leaving your door wide open invites bad actors. Like in real life, leaving your organization’s devices, networks or cloud accounts wide open similarly invites malicious actors. Controlling access to these devices, networks or cloud accounts controls the threat both from insiders and outsiders.
Misconfiguration, in general, is the configuration of digital system’s settings in such a way that the system behaves contrary to what it’s expected to do. Repercussions resulting in misconfigurations include exposure of sensitive data or could allow attackers to gain privileged access – the ability to perform an action with security consequences.
Misconfiguration happens because these digital systems themselves allow the sharing of data to the public or they allow privileged access. For instance, current cloud service providers allow clients to either configure or set stored data in the cloud to be shared to the public. Server operating systems, meanwhile, can be configured to allow certain individuals to have privileged access. Misconfiguration, therefore, is an internal problem that originates from within the IT infrastructure of any organization.
In recent months, security researchers have discovered troves of sensitive data stored in the cloud easily accessible to the general public. Researchers at UpGuardrecently discovered that two partners of Facebook, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool” misconfigured their cloud accounts, exposing a total of hundreds of millions of Facebook customer data. According to UpGuard, the exposed customer data were each stored in Cultura Colectiva and At the Pool’s respective Amazon Simple Storage Service (Amazon S3) bucket configured to allow public download of files.
“Amazon customers own and fully control their data,” Amazon said in response to the exposure of millions of Facebook customer data. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
In February 2018, researchers at RedLockdiscovered that malicious actors accessed Tesla’s Kubernetes – a tool for managing a network of virtual machines – console as this wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. As a result of the data exposure, the malicious actors performed cryptocurrency mining from within one of Tesla’s Kubernetes pods.
According to Gartner, through 2020, 99% of firewall breaches will be caused, not by flaws but by simple firewall misconfigurations. A firewall is a network security device that monitors outgoing and incoming network traffic and decides whether to block or allow certain traffic based on a defined set of security rules. Firewalls are often configured with an open policy, that is, allowing from any source to any destination as system administrators at the outset don’t know what they want to block or allow, and never get around changing this configuration, leaving the network exposed to attackers.
A case in point in the value of effective firewall configuration is the 2017 case in which a malware infiltrated the North Carolina transmission plant’s computer networkvia email. The malware spread through the plant’s network, stopping production as users were locked out from their computers. According to the plant’s information technology manager, while data on some computers were lost, the malware was blocked by a firewall when it tried to exit the plant’s network.
Another ransomware incident in 2017, this time in the Northern Lincolnshire and Goole NHS Foundation Trustwas attributed to the “misconfiguration of the firewall”. The ransomware took a Northern Lincolnshire and Goole NHS Foundation Trust hospital offline for four days and resulted in the cancellation of 2,800 patient appointments.
Best Practices & Prevention
Here are some cybersecurity measures in order to prevent or mitigate the effects of misconfigurations:
Apply the Principle of “Least Privilege”
Least privilege is the concept and practice of restricting access to accounts and computing processes only to certain individuals based on their job necessities. Restricting a certain group in your organization from installing and running software application can prevent a malware from infecting your organization's network, for instance, in case this malware is unwittingly downloaded by one of your organization’s staff onto his or her computer workstation.
The Microsoft Vulnerabilities Report 2019, an analysis of Microsoft security updates in 2018 conducted by BeyondTrust, showed that of the 189 critical vulnerabilities discovered last year, 154 or 81% of the vulnerabilities could have been prevented if administrator rights had been removed.
Administrator rights, also known as admin rights, means that a user has privileges to perform virtually all functions within an operating system on a computer. These privileges include the installation of software and hardware, installation of updates and configuring or changing system settings.
Regularly Update Firewall Configuration
Regularly update your organization’s firewall to block data from certain locations, applications or ports, while at the same time allowing certain relevant and necessary data through.
Monitor for Suspicious User Behavior
Another way to prevent or mitigate the effects of misconfiguration is by monitoring suspicious user behavior. In monitoring suspicious user behavior, your organization needs to have a baseline normal user data. From this baseline data, suspicious behavior can then be detected, such as geolocation-based anomalies, time-based anomalies and event-based anomalies.
The best way to evaluate your current access controls is to perform an independent IT audit. Most IT and business executives are surprised by the results and are able to take an immediate action moving toward better security controls.
Reduce the IT risks today by speaking with one of our cybersecurity experts. Connect with ustoday.
Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection
Researchers at Trend Micro have discovered a new malicious software (malware) that uses the AutoHotkey – a Microsoft Windows tool initially aimed at providing easy keyboard shortcuts, enabling attackers to avoid detection, steal certain information and even gain remote control to a compromised computer.
This latest malware, according to Trend Microresearchers, initially infects a computer via a spear phishing attack, a form of a targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers contains a malicious attachment in the form of a disguised legitimate Excel file.
According to the researchers, at first glance, this disguised Excel file has only one filled sheet. Upon scrutiny, however, this file has another sheet with two blank columns. Upon closer look, the attackers had written malicious code on these two columns using white font, hiding the code in plain view.
Once the email receiver enables macro to open the disguised Excel file, AutoHotkey is then dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to the server that they control every 10 seconds to download, save and execute script files.
AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.
Other malicious acts activated via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.
“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”
History of AutoHotkey
AutoHotkey software is a free, open-source scripting language that was initially developed at providing easy keyboard shortcuts for Windows. This software, later on, evolved into something more than providing easy keyboard shortcuts as it allows Windows users to automate any desktop tasks, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with the stable release of the software done only in November 2018.
The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times in creating online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have made AutoHotkey as an addition to their attack arsenal.
An example of malware that abuses AutoHotkey is the malware called “Win32/Ahkarun.A”, an AutoHotKey compiled script that spreads itself without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported about the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.
Once executed on the victim’s computer, this malware then awaits connections of removable media such as USB thumb drives, and when this happens the malware copies itself and components to the removable drive, and as a result performing malicious actions such as identifying the IP address of the infected machine and sending the obtained IP address to a predefined email account.
In February 2018, the research team at Ixiareported two cases of AutoHotkey-based malware, one distributing an cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, in the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and awaits for any activity in the clipboard. When a user inputs into the clipboard a cryptocurrency wallet address, the malware replaces the user’s cryptocurrency wallet address to the address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.
In March 2018, researchers at Cybereasondiscovered an AutoHotkey-based malware they called “Fauxpersky” as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the data recorded through Google Forms and depositing it in the attacker’s inbox.
As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse legitimate Windows tool AutoHotkey. Being a legitimate Windows tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – part of the malware that performs malicious actions – without triggering any anti-malware alarms.
One of the reasons why we see lesser abuses of AutoHotkey by cyber attackers, to date, is due to the fact that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take an extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.
Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified in the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that utilized emails as a weapon.
Another approach in preventing AutoHotkey abuses is by disabling your organization’s active content (data connections or macros). When active content is disabled, the next time your organization’s staff receives an active content via email, this content can’t be opened and the Message Bar with the notice "Macros have been disabled” will then appear as an alert that the active content may contain malware and other security hazards that could harm your organization’s computer or network.
Why TajMahal Is the Most Alarming Malware to Date
The discovery of the malware called “TajMahal” is alarming, not because it attacked a certain diplomatic organization but because of the high number of malicious acts that it can do, totaling 80, and the malware’s stealth capability, evading discovery for nearly 5 years.
Researchers at Kaspersky Labrecently revealed that a diplomatic organization belonging to a Central Asian country, a type of organization that’s often subject to cyber-attack due to its line of work, was a victim of the malicious software (malware) TajMahal. This malware, the researchers said, remained undetected in the diplomatic organization’s network for nearly 5 years, with the first known legitimate sample timestamp from August 2013 and the last one from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is in August 2014. The researchers said they first discovered the malware on the victim’s machine in the autumn of 2018.
Old and New Hacking Tools
According to Kaspersky Lab researchers, TajMahal malware comes in two packages, one package is named “Tokyo” and the other “Yokohama”. Tokyo and Yokohama, the researchers said, share the same code base found on all infected computers of the said diplomatic organization. The Tokyo package facilitates the first stage of the malware infection, while the Yokohama package facilitates the deployment of the staggering 80 malicious cyber activities.
The Tokyo package uses PowerShell script, an old and tested strategy used by cyber attackers. McAfee Labsreport found that PowerShell attacks increased between 2016 and 2017, and IBM X-Forcealso noted the growth of PowerShell attacks from October 2017 to October 2018.
PowerShell is a legitimate tool used by system administrators in simplifying and automating the management of Microsoft Windows and Windows Server. Malicious actors, meanwhile, use PowerShell to hide their malicious code as the code is executed directly from the computer memory, making the attack fileless and thus stealthier than other types of attacks. PowerShell also allows remote access – the ability to access a computer from anywhere in the world so long as the computer is connected to the internet.
Yokohama, meanwhile, unleashes payloads – the portion of the malware which performs malicious actions, of which 80 of them were uncovered by Kaspersky Lab researchers. Old hacking techniques that form part of the Yokohama package include keylogging and audio, screen and webcam grabbing. In keylogging, every keystroke made by a computer user is recorded and sent to the malicious actors. In audio, screen and webcam grabbing, screenshots, audio or video, for instance, from VoIP audio or video calls, are covertly recorded and the sent to malicious actors.
Aside from the slew of time-tested hacking tools, Yokohama package, in particular, and TajMahal in general, packed the following new hacking capabilities:
Intercepting documents from print queue and stealing data from CD burnt and USB stick are particularly alarming as documents that are typically printed or copied to a CD or USB stick are sensitive and important. Any data stolen by the malware, whether text, audio, video or image, is then sent to the command and control server, a computer controlled by the attackers in the form of an XML file called "TajMahal" – the origin of the name of the malware.
According to the researchers at Kaspersky Lab, it’s not known how the TajMahal malware initially infected the diplomatic organization belonging to a Central Asian country. It isn’t also known is who is the individual or groups behind the TajMahal malware as this malware bears no resemblance with other known malware, which means that the attacker or attackers created this malware using new code base to evade detection. Anti-malware solutions typically block malware that bears small resemblance with other known malware.
To date, the only known victim of the TajMahal malware is the diplomatic organization. According to the researchers at Kaspersky Lab, it’s unlikely that the attackers went all that trouble of creating a new malware just for one victim, and that the likely theory is that there are other victims that have yet to be identified. The researchers said that this theory is supported by the fact that they “couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected”.
TajMahal malware is a type of malware that shows the characteristics of an advanced persistent threat (APT), a cyberattack in which the attacker or attackers gain unauthorized access to a network and remain undetected for a prolonged period. The usual suspects of APT attacks are nation-state actors – individuals who have the “license to hack” on behalf of a particular nation or state to gain access to valuable data or intelligence and can create cyber incidents that have international significance.
In recent years, however, common cyber criminals, those whose motive is simply for profit, have gotten hold of the APT tools used by nation-state actors, making these APT tools part of their arsenal in attacking, not just large organizations but also small and medium-sized organizations – attacks that rendered these organizations vulnerable.
For instance, the APT hacking tool called “EternalBlue” has joined a long line of reliable favorites of common cyber criminals. EternalBlue is one of the hacking tools leaked publicly in 2017 by the group known as “Shadow Brokers”. This hacking tool is believed to be created by the U.S. National Security Agency (NSA) for its surveillance activities. A month before the public release of EternalBlue, Microsoft issued a security update, fixing the vulnerability exploited by EternalBlue.
This particular security update, however, wasn’t timely installed on hundreds of thousands of computers worldwide, leading to the successful unleashing of WannaCry, a malware that uses the EternalBlue hacking tool in exploiting the vulnerabilities in the Windows SMBv1 server (patched by Microsoft a month earlier), remotely encrypting files and locking users out of their own files and spreading it to other computers within a network without user interaction. Since the EternalBlue leak, many malware integrated the EternalBlue feature.
Combating malware and ATP threats has become a daily reality for many organizations. It requires specialized skills and resources. When your organization needs help, our cybersecurity experts a phone call away. Contact ustoday.
Steve E. Driz, I.S.P., ITCP