Abaddon RAT ! Sophisticated C2C

The new ‘Abaddon‘ remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC.

Threat actors abusing Discord for malicious activity is nothing new.

A new ‘Abaddon’ remote access trojan (RAT) could be the first malware that uses Discord as a full-fledge command and control server.

When started, Abaddon will automatically steal the following data from an infected PC:

  • Chrome cookies, saved credit cards, and credentials.
  • Steam credentials and list of installed games
  • Discord tokens and MFA information.
  • File listings
  • System information such as country, IP address, and hardware information.

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by the image below.

Receive a task from the Discord server

These commands will tell the malware to perform one of the following tasks:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the computer like encryption and decryption after paying ransom

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.

Energetic Bear ! Strikes US

The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks , said by advisory of CISA & FBI

Intruders identified as Russian hacker group, Energetic Bear a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

Networking Gear has been the target of attack

Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE 2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).

To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.

Below are some of the details that are compromised and ex-filtrated by the group

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

This recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. But nothing known to be till now.

T-RAT ! via Telegram with some $

Security researchers have discovered a new remote access trojan (RAT) being advertised on Underground hacking network.Named T-RAT, the malware is available for only $45 via a Telegram channel,. Access to the infected machine will be grabbed at lighting high speed before it gets detected

It supports commands like, when typed inside the main chat window, allow the RAT owner to retrieve browser passwords and cookies, navigate the victim’s filesystem and search for sensitive data, deploy a keylogger, record audio via the microphone, take screenshots of the victim’s desktop, take pictures via webcam, and retrieve clipboard contents.

T-RAT owners can also deploy a clipboard hijacking mechanism that replaces strings that look like cryptocurrency and digital currency addresses with alternatives, allowing the attacker to hijack transactions for payment solutions like Qiwi, WMR, WMZ, WME, WMX, Yandex money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin, and Tron.

The RAT can also run terminal commands (CMD and PowerShell), block access to certain websites, kill processes , and even disable the taskbar and the task manager.

Distribution vector remains unknown
For now, the threat from T-RAT is relative low. It usually takes a few months before threat actors learn to trust a new commercial malware strain.

Bugs exploited most by Chinese Hackers

NSA released the top most bugs that are exploited actively by Chinese Hackers. Though all exploits are patchable and can be closed, it’s active still

Let’s see the top 25 exploits from recet to past

1) CVE-2019-11510 – Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords

2) CVE-2020-5902 – F5 BIG-IP proxies and load balancer, the Traffic Management User Interface (TMUI) —also referred to as the Configuration utility— is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.

[3+4+5+6]CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Set of Citrix ADC and Gateway bugs. These ones also impact SDWAN WAN-OP systems as well. anonymous access is possible

7) CVE-2019-0708 (BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making to look a like legitimate.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root without credentials via shell metacharacters.