Microsoft | Trickbot | Winnti | Satan

Alert ID: 
JMCIRT-AL-2019.027
Alert Date: 
Friday, May 24, 2019
Threat Level: 
High

Microsoft RDP Vulnerability

Original release date: May 21, 2019

Jamaica CIRT has become aware of a critical vulnerability in Microsoft Remote Desktop Services (CVE-2019-0708) that can lead to remote code execution.

Overview

A remote code execution vulnerability (CVE-2019-0708) exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system over RDP and sends specially crafted requests. The vulnerability is pre-authentication and requires no user interaction: the attacker only needs network access to the target's Remote Desktop Service (TCP 3389 by default). An attacker who successfully exploits it could execute arbitrary code on the target system and then install programs; view, change or delete data; or create new accounts with full user rights. Because no credentials are needed, the flaw is wormable: malware that exploits it could spread from one vulnerable host to another without any user involvement. Vulnerable systems include Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP (out of support) and Windows Server 2003 (out of support). Windows 8, Windows 10 and Windows Server 2012 and later are not affected.

Recommendations

  • Ensure RDP (TCP 3389) is NOT exposed to the internet; where remote access is needed, place it behind a VPN or a gateway that authenticates first
  • Consider blocking RDP internally until all systems can be patched
  • Apply the May 2019 security update; Microsoft has also published fixes for the out-of-support Windows XP and Windows Server 2003
  • Enable Network Level Authentication (NLA) as a partial mitigation: it forces the client to authenticate before the vulnerable code is reached, but it does not protect against an attacker who already holds valid credentials, so it does not replace patching
  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated files are up to date
  • Obtain patches only from trusted sources
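The first two recommendations above are only useful if you know which of your RDP endpoints still accept an unauthenticated connection. The following is an added example (not part of the advisory, and not a Microsoft or Jamaica CIRT tool) that performs the X.224 connection handshake from MS-RDPBCGR: it offers the server only standard RDP security and reads the server's negotiation response. A server that enforces NLA answers with the failure code HYBRID_REQUIRED_BY_SERVER; a server that accepts, or that predates protocol negotiation, exposes the pre-authentication path the advisory describes. The function names and the three sample responses are constructed for illustration.

```python
"""Check whether an RDP endpoint accepts an unauthenticated (pre-auth) connection.

Added example; the function names are assumptions, not from the advisory.
Protocol constants follow the X.224/RDP negotiation described in MS-RDPBCGR.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000     # standard RDP security: no authentication before channel setup
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP Negotiation Request.

    Offering only PROTOCOL_RDP asks the server for the legacy, pre-authentication
    security path; a server that enforces NLA must refuse it.
    """
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU after the length indicator: code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224          # prepend the length indicator
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Interpret the server's X.224 Connection Confirm.

    Returns {"pre_auth_rdp_allowed": bool, "detail": str}.
    """
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data")
    payload = data[11:]  # bytes after the 7-byte X.224 CC header
    if not payload:
        # Server without protocol negotiation (e.g. Windows Server 2003/XP): standard RDP security only
        return {"pre_auth_rdp_allowed": True, "detail": "no negotiation response; legacy RDP security"}
    neg_type, _flags, length = struct.unpack("<BBH", payload[:4])
    if length != 8 or len(payload) < 8:
        raise ValueError("malformed RDP negotiation payload")
    value = struct.unpack("<I", payload[4:8])[0]
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"pre_auth_rdp_allowed": value == PROTOCOL_RDP,
                "detail": f"server selected protocol {value}"}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"unknown failure {value}")
        return {"pre_auth_rdp_allowed": False, "detail": f"server refused: {name}"}
    raise ValueError(f"unexpected negotiation type {neg_type}")


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Connect to host:port and report whether standard (pre-auth) RDP security is accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    return parse_connection_confirm(data)


# Constructed sample responses (not captured from any real host) for offline use
SAMPLE_NLA_ENFORCED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_RDP_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY_SERVER = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for label, sample in [("NLA enforced", SAMPLE_NLA_ENFORCED),
                          ("standard RDP accepted", SAMPLE_RDP_ACCEPTED),
                          ("legacy server", SAMPLE_LEGACY_SERVER)]:
        print(label, "->", parse_connection_confirm(sample))
```

Run probe_rdp() against your own hosts from outside the perimeter to find exposed endpoints. A result of pre_auth_rdp_allowed=True means the unauthenticated code path is reachable, not that the host is unpatched: a fully patched Windows 7 with NLA disabled still answers this way, so the probe tells you where the blast radius is, and patch status must be checked separately.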

Trickbot Updates

Original release date: May 21, 2019

Jamaica CIRT has become aware of a change in a campaign that utilizes Trickbot, a well-known banking Trojan.

Overview

The change is the use of a Google domain to redirect victims to the attackers' site. The URL attached to the phishing emails looks similar to hxxps://google[.]dm:443/url?q=<trickbot downloader>: the link points at Google's /url redirector, and the real destination is carried in the q parameter, so the visible domain is Google's rather than the attackers'. If a victim clicks the masqueraded link, the browser first shows Google's redirection notice, which the victim has to click through to confirm the redirect. This sends the victim to a decoy page styled as a review page, which downloads a .zip file containing a VBS script, the Trickbot downloader. The script then retrieves the final-stage Trickbot payload.

Recommendations

  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter devices.
  • Treat links to google.<tld>/url?q=... in email as redirectors: the real destination is the value of the q parameter, so inspect and block on that, not on the Google domain the link appears to point to.
  • Use updated anti-virus and confirm that your current vendor has coverage for this campaign.
  • Search your environment and email systems for existing signs of the indicated IOCs.
  • Keep all systems, critical and non-critical, patched.
  • Never visit links in unsolicited or unverified emails.
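Mail-gateway rules that key on the visible domain miss this campaign because every link appears to point at Google. The following is an added example (not from the advisory or from any vendor's product) that pulls URLs out of an email body, refangs defanged indicators, recognises google.<tld>/url redirectors and reports the true destination from the q parameter, defanged for safe handling. The function names and the sample email, including its placeholder destination domain, are constructed; no real IOC is embedded.

```python
"""Unwrap Google /url redirector links found in suspicious emails.

Added example, not from the advisory; function names are assumptions and the
sample email text is constructed so the script runs offline.
"""
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
GOOGLE_HOST_RE = re.compile(r"^(?:www\.)?google\.[a-z.]+$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn defanged hxxp://evil[.]example into a parseable URL."""
    url = re.sub(r"hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Defang a URL for safe reporting (hxxp scheme, bracketed dots)."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def unwrap_google_redirect(url: str):
    """If url is a google.<tld>/url redirector, return the real destination, else None.

    Google's redirector carries the target in q= (or url=); parse_qs percent-decodes it.
    """
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if not GOOGLE_HOST_RE.match(host) or parts.path.rstrip("/") != "/url":
        return None
    qs = parse_qs(parts.query)
    for key in ("q", "url"):
        if key in qs and qs[key][0]:
            return qs[key][0]
    return None


def analyse_email(body: str) -> list:
    """Return one report entry per URL in the body; flag redirector-wrapped links."""
    findings = []
    for match in URL_RE.finditer(body):
        raw = match.group(0).rstrip(".,;)")
        dest = unwrap_google_redirect(raw)
        findings.append({
            "link_shown": defang(refang(raw)),
            "true_destination": defang(dest) if dest else None,
            "suspicious": dest is not None,
        })
    return findings


# Constructed sample: one campaign-style link (defanged, as an analyst would paste it),
# one percent-encoded Google redirect, and one ordinary link. No real IOCs.
SAMPLE_EMAIL = """Please review the attached document:
hxxps://google[.]dm:443/url?q=hxxp://invoice-review[.]example/doc.zip
Alternative copy: https://www.google.com/url?q=https%3A%2F%2Fdocs.example%2Freview&sa=D
Help: https://www.example.com/help
Regards,
Accounts
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print(finding)
```

The host check deliberately accepts any google.<tld>, since the campaign used google.dm rather than google.com; a rule written for one TLD would have missed it. Output is defanged so that the extracted destination can be pasted into a ticket or a blocklist review without becoming a clickable link.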

Winnti Linux Variant

Original release date: May 22, 2019

Jamaica CIRT has become aware of Linux variants of the Winnti malware.

Overview

The Linux version of Winnti consists of two components: a backdoor and a library. The library is a userland rootkit used to hide the malware's activity: it modifies the return values of certain functions and hides the network connections tied to the malicious process. The main Winnti file is the backdoor; it carries an embedded configuration that identifies the campaign and sets various C2 communication options. In addition to supporting multiple protocols for connections to the control server, some variants have a backup communication channel that lets operators initiate a connection directly to an infected host without an established outbound C2 connection. This means that if access to the C2 servers is disrupted, the operators can still reach the victim host.

Recommendations

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter devices.
  • Because the rootkit component is a shared library that alters what userland tools report, do not rely on a single host-side view: review /etc/ld.so.preload and LD_PRELOAD settings for unexpected libraries, and corroborate process and connection listings with network-side captures or kernel-level data.
  • Keep applications and operating systems running at the current released patch level.

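A userland rootkit that hooks library calls can make netstat or ss omit the malicious process and its sockets, but the kernel still lists every socket inode in /proc/net/tcp. The following is an added example (not part of the advisory or of any published Winnti analysis) that parses that table and reports any socket that no visible process owns, which is exactly the footprint a hidden backdoor with a listening backup channel or an outbound C2 session leaves behind. The function names are assumptions and the /proc excerpts are constructed.

```python
"""Cross-check the kernel socket table against the processes visible to userland.

Added example, not from the advisory; function names are assumptions and the
/proc excerpts below are constructed. A userland rootkit that hooks libc can hide a
process's connections from netstat/ss, but /proc/net/tcp still lists every socket inode.
"""
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def decode_endpoint(hex_addr: str) -> tuple:
    """'0100007F:0277' -> ('127.0.0.1', 631): IPv4 is a little-endian hex word, port is big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the IPv4 table from /proc/net/tcp into dicts (header line skipped)."""
    conns = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        conns.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "inode": int(fields[9]),
        })
    return conns


def socket_inodes_from_fd_links(fd_links: dict) -> set:
    """fd_links maps pid -> list of readlink() targets under /proc/<pid>/fd."""
    inodes = set()
    for targets in fd_links.values():
        for target in targets:
            if target.startswith("socket:[") and target.endswith("]"):
                inodes.add(int(target[8:-1]))
    return inodes


def find_hidden_connections(conns: list, visible_socket_inodes: set) -> list:
    """Sockets no visible process owns: hidden by a rootkit, or transient kernel state.

    Entries with inode 0 (e.g. TIME_WAIT) have no owner by design and are skipped.
    """
    return [c for c in conns if c["inode"] != 0 and c["inode"] not in visible_socket_inodes]


def collect_live() -> list:
    """Run the check on the local host (Linux only; needs root to read every process's fds)."""
    fd_links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or permission denied
    with open("/proc/net/tcp") as f:
        conns = parse_proc_net_tcp(f.read())
    return find_hidden_connections(conns, socket_inodes_from_fd_links(fd_links))


# Constructed /proc/net/tcp excerpt: an sshd listener, a cups listener, one outbound session to :443
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0500000A:A8CA 077100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""
# Constructed fd view as a hooked process listing would report it: the owner of inode 67890 is missing
SAMPLE_FD_LINKS = {
    "612": ["/dev/null", "socket:[11111]"],
    "904": ["socket:[12345]", "/var/log/cups/error_log"],
}

if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for c in find_hidden_connections(conns, socket_inodes_from_fd_links(SAMPLE_FD_LINKS)):
        print("no visible owner:", c)
```

Expect some noise on a busy host: a socket can be mid-handover between processes, and containers in other network namespaces show up differently. Treat a stable, long-lived orphan, especially a LISTEN socket on an unusual port, as the signal. Note also that if the rootkit library is loaded into the interpreter running this script, its reads of /proc can be filtered too; run the collector from a statically linked tool or a rescue boot, and confirm findings against a network-side capture.
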
Satan Ransomware

Original release date: May 22, 2019

Jamaica CIRT has become aware of propagation techniques being leveraged by the Satan ransomware, including the addition of exploits for new vulnerabilities.

Overview

Satan ransomware uses several methods to propagate across both public and private networks, and it is multi-threaded to increase the efficiency of the attacks. When propagating across private networks, it sweeps the victim network to identify all reachable hosts. For public networks, the C2 server defines the IP ranges the spreader should scan. Once targets are identified, exploitation begins with SSH brute-force attacks and numerous web-application exploits. The Windows spreader additionally uses the EternalBlue SMBv1 exploit and Mimikatz for credential theft. After the attempts are completed, the spreader reports every executed exploit back to the C2 server. The most recent variants of both the Windows and Linux spreaders add exploit payloads for Spring Data, ElasticSearch and ThinkPHP vulnerabilities.

Recommendations

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter devices.
  • Harden the paths the spreader uses: prefer SSH key authentication over passwords and lock out or rate-limit failed logins; apply MS17-010 and disable SMBv1 to close the EternalBlue vector; and patch or isolate internet-facing web applications, including the Spring Data, ElasticSearch and ThinkPHP instances the latest variants target.
  • Keep applications and operating systems running at the current released patch level.
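The SSH brute-force stage leaves a distinctive trail in sshd logs: one source trying many accounts in a short window, sometimes followed by a success. The following is an added example (not from the advisory) that parses syslog-format sshd lines, flags any source that exceeds a failure threshold inside a sliding time window, and records whether a login was accepted from that source after the burst began. The function names are assumptions and the log excerpt is constructed.

```python
"""Spot SSH brute forcing in sshd logs, the first step of the Satan spreader's Linux propagation.

Added example, not from the advisory. The log lines are constructed and the
function names are assumptions. Handles standard syslog-format sshd messages.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line: str, year: int = 2019):
    """Return {ts, result, user, ip} for a login line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Per source IP: flag it if at least `threshold` failures fall inside `window_s` seconds.

    For flagged sources, also list accounts that accepted a login after the burst began.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = False
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0]["ts"]
        compromised = [e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= first_fail]
        report[ip] = {
            "failed_attempts": len(fails),
            "distinct_users": sorted({e["user"] for e in fails}),
            "success_after_burst": compromised,
        }
    return report


# Constructed sshd excerpt: one spreader hammering web01, and one admin mistyping a password
SAMPLE_LOG = """\
May 22 10:15:01 web01 sshd[2231]: Failed password for root from 10.0.0.5 port 51022 ssh2
May 22 10:15:02 web01 sshd[2233]: Failed password for invalid user admin from 10.0.0.5 port 51024 ssh2
May 22 10:15:02 web01 sshd[2235]: Failed password for invalid user oracle from 10.0.0.5 port 51026 ssh2
May 22 10:15:03 web01 sshd[2237]: Failed password for root from 10.0.0.5 port 51028 ssh2
May 22 10:15:04 web01 sshd[2239]: Failed password for invalid user test from 10.0.0.5 port 51030 ssh2
May 22 10:15:09 web01 sshd[2241]: Accepted password for root from 10.0.0.5 port 51090 ssh2
May 22 10:20:44 web01 sshd[2310]: Failed password for ops from 10.0.0.9 port 40022 ssh2
May 22 10:20:51 web01 sshd[2312]: Accepted publickey for ops from 10.0.0.9 port 40024 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged source with a non-empty success_after_burst is an incident, not an alert: the account it lists should be treated as compromised and the host checked for the spreader's follow-on activity. Because Satan sweeps the whole private network, the same source will usually appear in the logs of many hosts at once, so run this across a centralised log store rather than one machine at a time.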