Chinese hackers have a big eye on old exploits 👀

CISA has issued a warning that Chinese state-sponsored hackers are targeting some age-old bugs in various security devices and servers.

Crisp details of those bugs are given below.

CVE-2020-0688: This bug exists in the Exchange Control Panel (ECP) component of Microsoft Exchange Server and could enable an attacker to perform remote code execution on the server with SYSTEM privileges. One caveat for defenders: exploitation needs a valid set of Exchange credentials (any mailbox user's will do), so a single phished or reused password is enough to turn it into a full server compromise.

Microsoft patched the bug in February 2020, but less than 15 per cent of vulnerable systems had been patched or otherwise remediated a month later, according to security researchers from Kenna Security. The researchers also found that the bulk of installs were Exchange 2016 versions, with some 74 per cent found to be ‘vulnerable’ and 26 per cent ‘potentially vulnerable’.

CVE-2019-19781: This flaw impacts Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) appliances and could allow remote, unauthenticated attackers to run commands and gain a foothold on a network. In January, researchers at Positive Technologies warned that the flaw could put more than 80,000 organisations at risk.

CVE-2020-5902: This vulnerability in F5 Networks’ BIG-IP Traffic Management User Interface (TMUI) allows remote attackers to run arbitrary system commands, disable services, create or delete files and execute Java code, all without authentication.

To exploit the vulnerability, an attacker only needs to send a specially crafted HTTP request to the server hosting the TMUI utility used for BIG-IP configuration. As of July, nearly 8,000 users of the BIG-IP family of networking devices had still not applied the patch for this critical flaw.

CVE-2019-11510: This bug in Pulse Secure VPN appliances lets a remote, unauthenticated attacker send specially crafted URIs to vulnerable servers and read arbitrary files, including ones containing user credentials. The attacker can use that information to take full control of an organisation’s systems.

In February, security researchers revealed that nearly 2,500 Pulse Secure VPN servers worldwide were still vulnerable to CVE-2019-11510, more than six months after the security flaw was first publicised.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” the CISA advisory warns.
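Because all four bugs above are reached over HTTP, the cheapest check an organisation can run today is a pass over its web-server access logs. The following is an added example, not code from the CISA advisory: a small Python scanner that applies the well-known public exploitation indicators for the four CVEs (the path traversals for Citrix, F5 and Pulse Secure, and a forged __VIEWSTATE carried in the query string of a GET to ECP for Exchange) to a handful of constructed combined-format log lines. The signatures are assumptions drawn from public reporting rather than text from the advisory, and every IP address, timestamp and request here is made up.

```python
"""Scan web-server access logs for the public exploitation patterns of the four
CVEs above. Added example; the indicator strings are well-known public signatures
(assumed here, not quoted from the CISA advisory) and the log lines are constructed."""
import re
from urllib.parse import unquote

# Apache/nginx combined-log prefix: client, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the URL-decoded request target. Each one keys on
# the traversal or parameter the exploit cannot avoid rather than on one PoC file
# name, so trivial variants of the public exploits still trigger.
SIGNATURES = {
    # Citrix ADC/Gateway: traversal from /vpn/ into the /vpns/ Perl scripts
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/", re.I),
    # F5 BIG-IP TMUI: the "..;/" path-parameter trick that bypasses the Tomcat auth filter
    "CVE-2020-5902": re.compile(r"/tmui/\S*?\.\.;/", re.I),
    # Pulse Secure: traversal out of the HTML5 access path to read arbitrary files
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/", re.I),
    # Exchange ECP: __VIEWSTATE in the query string of a GET; legitimate ECP
    # traffic posts ViewState in the request body instead
    "CVE-2020-0688": re.compile(r"/ecp/\S*__VIEWSTATE=", re.I),
}


def normalize(target):
    """URL-decode twice so %2e%2e and %252e%252e both collapse to '..'."""
    return unquote(unquote(target))


def scan_log(lines):
    """Return one hit per matching request: {cve, ip, ts, target, status}."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash
        target = normalize(m.group("target"))
        for cve, sig in SIGNATURES.items():
            if sig.search(target):
                hits.append({"cve": cve, "ip": m.group("ip"), "ts": m.group("ts"),
                             "target": target, "status": m.group("status")})
                break
    return hits


# Constructed sample log: benign requests interleaved with one probe per CVE.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Sep/2020:10:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4120',
    '192.0.2.10 - - [07/Sep/2020:10:15:02 +0000] "GET /vpn/%2e%2e/vpns/cfg/ HTTP/1.1" 403 210',
    '198.51.100.7 - - [07/Sep/2020:10:16:40 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3320',
    '198.51.100.7 - - [07/Sep/2020:10:16:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1844',
    '203.0.113.5 - - [07/Sep/2020:10:20:13 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2207',
    '203.0.113.9 - - [07/Sep/2020:10:25:55 +0000] "POST /ecp/default.aspx HTTP/1.1" 200 9876',
    '203.0.113.9 - - [07/Sep/2020:10:25:58 +0000] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=00000000&__VIEWSTATE=AAAA HTTP/1.1" 500 1205',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["cve"]}  {h["ip"]}  {h["status"]}  {h["target"]}')
```

A hit with a 200 status on the Citrix, F5 or Pulse patterns means the request got through and the box should be treated as compromised, not merely unpatched; a 403 or 404 is a probe. The double decode matters because all three traversals are routinely sent with encoded dots to slip past naive string filters.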

Zeppelin Ransomware

After a six-month hiatus, the Zeppelin ransomware variant returned in late August, according to Juniper Threat Labs. The malware now uses an updated Trojan downloader to better hide its activities from security tools.

Zeppelin was first spotted in late 2019, when it primarily targeted IT and healthcare firms, according to the report. It’s distributed using the ransomware-as-a-service model.

The ransomware appears to be a variant of another crypto-locking malware family called Buran, according to Juniper. Buran is itself a variation of a ransomware strain called VegaLocker, according to previous research published by McAfee.

In the latest campaign, which started in August, the Juniper researchers found that the Zeppelin operators use the same type of phishing lures as in previous attacks, but with a new downloader that helps obscure the Trojan that implants the ransomware.

Hiding & Attack

A Zeppelin ransomware attack starts when a targeted victim receives a phishing email disguised as an invoice, according to the Juniper report.

The phishing emails carry an attached Microsoft Word document, presented as an invoice, that hides malicious VBA macros. Once the attachment is opened and the user enables the macros, the initial stage of the attack starts, according to the report.

The Word document contains what looks like junk text but actually has Visual Basic script hidden in it, the report notes. This is an obfuscation technique that helps hide the Trojan that starts the ransomware infection.

Once the malicious macros are enabled, the hidden text is extracted and written to a file at c:\wordpress\about1.vbs, according to the report. When the document is closed, a second round of macros runs, which further helps hide the attack.

The second macro eventually downloads a Trojan that installs the Zeppelin ransomware on the compromised device. Before it goes to work, the malware “sleeps for 26 seconds in an attempt to out-wait dynamic analysis in an automated sandbox and then runs the ransomware executable,” according to the report. Anyone relying on an automated sandbox should check that its execution window comfortably exceeds delays of this kind.

The Juniper report does not shed light on the threat actors behind Zeppelin, but the report and other analyses find that if the ransomware lands on a device with an IP address linked to Russia, Belarus, Kazakhstan or Ukraine, the attack is stopped.

The report notes that it “is difficult to assess how many targeted computers resolved the [command-and-control] domain, but there were only 64 confirmed DNS queries to its authoritative name server, which suggests the attacks might be targeted and not widespread.”
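The chain above (Word writes a script file, the script runs when the document is closed, the fetched stage sleeps before acting) leaves a distinctive trail in endpoint telemetry even though every stage is obfuscated. The following is an added example, not code from the Juniper report: a Python correlator that runs three rules over constructed Sysmon-style events, flagging an Office process writing a script file, an Office process spawning a script host, and a script host executing a path that Office wrote earlier. The process names, paths and 30-minute window are assumptions for illustration; only the drop location c:\wordpress\about1.vbs comes from the report.

```python
"""Correlate endpoint telemetry for the chain described above: an Office process
drops a script file, and a script host later runs it. Added example with
constructed Sysmon-style events; the process names, paths and time window are
assumptions for illustration, not indicators from the Juniper report."""
from datetime import datetime, timedelta
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# The dropped script only runs when the document is closed, and the stage it
# fetches sleeps before acting, so the write->execute correlation must tolerate
# minutes, not seconds. Assumed window for this example.
WINDOW = timedelta(minutes=30)


def basename(path):
    return ntpath.basename(path).lower()


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Return alerts as (rule, timestamp, detail) tuples in chronological order."""
    alerts = []
    dropped = {}  # lower-cased script path -> time an Office process wrote it
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = parse_ts(ev["time"])
        image = basename(ev["image"])
        if ev["event"] == "FileCreate":
            target = ev["target"]
            if image in OFFICE_APPS and ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
                dropped[target.lower()] = ts
                alerts.append(("office_writes_script", ev["time"], f"{image} wrote {target}"))
        elif ev["event"] == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            cmdline = ev.get("cmdline", "")
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", ev["time"], f"{parent} -> {cmdline}"))
            if image in SCRIPT_HOSTS:
                # Fires even when the script is launched later by Explorer or a
                # scheduled task, as long as Office wrote its path inside the window.
                for path, wrote_at in dropped.items():
                    if path in cmdline.lower() and timedelta(0) <= ts - wrote_at <= WINDOW:
                        alerts.append(("dropped_script_executed", ev["time"],
                                       f"{image} ran {path}, written by Office at {wrote_at}"))
                        break
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed sample telemetry: one invoice-lure chain plus benign events, deliberately
# out of order to show that the correlator sorts by timestamp first.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "time": "2020-09-02 09:10:00", "image": WINWORD,
     "parent": EXPLORER, "cmdline": r'"WINWORD.EXE" /n "C:\Users\ann\Downloads\invoice.doc"'},
    {"event": "FileCreate", "time": "2020-09-02 09:10:06", "image": WINWORD,
     "target": r"C:\Users\ann\AppData\Local\Temp\~WRD0001.tmp"},   # normal Word scratch file
    {"event": "FileCreate", "time": "2020-09-02 09:10:05", "image": WINWORD,
     "target": r"C:\wordpress\about1.vbs"},
    {"event": "ProcessCreate", "time": "2020-09-02 09:14:30", "image": WSCRIPT,
     "parent": WINWORD, "cmdline": r'wscript.exe "C:\wordpress\about1.vbs"'},
    {"event": "ProcessCreate", "time": "2020-09-02 09:30:00", "image": WSCRIPT,
     "parent": EXPLORER, "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},  # benign admin script
]

if __name__ == "__main__":
    for rule, when, detail in correlate(SAMPLE_EVENTS):
        print(f"{when}  {rule:28s}  {detail}")
```

The third rule is the one worth keeping: it does not care who the parent is, so it still fires when the script is run on document close, by a scheduled task, or after a sandbox-evading sleep, as long as the path was written by an Office process within the window.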

Red Dawn 👹 Emotet 🎃

The notorious Emotet went dark at the start of 2020, but after months of inactivity the infamous trojan surged back in the second half of the year with a massive new spam campaign targeting users worldwide.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

Recent spam campaigns used messages carrying malicious Word documents, or links to them, posing as invoices, shipping information, COVID-19 information, resumes, financial documents or scanned documents.

When opened, the documents prompt the user to click ‘Enable Content’, which executes the malicious embedded macros and starts the infection chain that ends with the installation of Emotet.

Emotet botnet

To trick users into enabling the macros, the Emotet operators use a document template claiming that the document was created on iOS and cannot be properly viewed unless the ‘Enable Content’ button is clicked.

The Red Dawn template instead displays the message “This document is protected” and tells the user that the preview is not available, in an attempt to get them to click ‘Enable Editing’ and then ‘Enable Content’ to see the content. Both lures depend on the same click, so the practical defence is the same for both: block macros in Office files that arrived from the internet by policy, so there is no ‘Enable Content’ button to press.

Emotet is also used to deliver other malicious code, such as the TrickBot and QBot trojans, which in turn drop ransomware such as Conti (via TrickBot) or ProLock (via QBot).

Emotet continues to be one of the most widespread botnets, and experts believe it will keep evolving to evade detection and infect as many users as possible.

Grandoreiro Trojan

Operators of the Grandoreiro banking trojan, which is popular in Latin America, have been using emails posing as the Agencia Tributaria, Spain’s tax agency, to trick victims into installing the malware.

The campaign began on August 11th, 2020, when many people in Spain received messages claiming to be from the Agencia Tributaria. To pass as a communication from the tax agency, the messages used sender info like “Servicio de Administración Tributaria” and came from the email address contato@acessofinanceiro[.]com (the Portuguese spelling of ‘contato’ is a tell in itself).

The message includes a link to a ZIP archive that supposedly contains a digital tax receipt, and tells users they have to fill in a document to submit to the Agencia Tributaria along with a fee.

“Although the message offers no guarantee of being an official communication, it is likely that some recipients have been tricked into downloading the linked ZIP file via the provided link.”

“The link redirects to a domain that was registered on the same day. A service that provides identifying information about domain name registrants – the registrant’s country is listed as Brazil, which could perhaps indicate the whereabouts of the operators of this campaign.”

The malicious file is hosted by the threat actors either on a compromised domain or in a cloud storage service like Dropbox. In the Dropbox case, the link points to a Dropbox folder containing the ZIP file.

“This ZIP payload contains an MSI file and a GIF image. Homing in on the properties of the MSI file reveals that it was compiled the day before. It should also be noted that the ZIP filename has the country code ‘ES’ at the end.”

Researchers also found other files in Dropbox with very similar sizes and compilation dates but different country codes, possibly indicating that the campaign targets victims in several countries at once.

The MSI file is a variant of Win32/TrojanDownloader.Delf.CYA, a downloader used in other campaigns spreading Latin American banking trojans, including Grandoreiro, Casbaneiro, Mekotio and Mispadu.
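Both the Emotet lures in the previous section (Word documents whose macros must be enabled) and the Grandoreiro lure here (a ZIP wrapping an MSI installer, with the target country code at the end of the file name) can be caught at the mail gateway without running anything. The following is an added example, not code from ESET, Juniper or any of the campaigns: a Python triage routine that opens an attachment as a ZIP container, reports a VBA macro project inside an Office Open XML document, reports installers, executables or OLE containers inside a plain ZIP, and reports a country-code suffix on the archive name. All sample files are constructed in memory here; the ‘_ES.zip’ naming rule is an assumption based only on the report’s remark that the country code sits at the end of the name.

```python
"""Triage a mail attachment for the two lure types above: an Office document that
carries a VBA macro project and a ZIP that wraps an MSI installer and names its
target country. Added example; the sample files are constructed in memory and
are not samples from the Emotet or Grandoreiro campaigns."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header: MSI and legacy .doc share it
EXEC_EXTS = (".msi", ".exe", ".scr", ".js", ".vbs", ".lnk")
COUNTRY_SUFFIX = re.compile(r"[_-]([A-Z]{2})\.zip$")   # assumed naming rule, e.g. comprobante_ES.zip


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def triage(filename, data):
    """Return a list of findings for one attachment; empty means nothing suspicious."""
    findings = []
    if not data.startswith(b"PK"):
        return findings          # not a ZIP container (OOXML documents are ZIPs too)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        lower = [i.filename.lower() for i in infos]
        if "[content_types].xml" in lower:
            # Office Open XML package: a macro project is stored as <app>/vbaProject.bin
            if any(n.endswith("vbaproject.bin") for n in lower):
                findings.append("office_doc_with_vba_macros")
            return findings
        for info in infos:
            name = info.filename.lower()
            if name.endswith(EXEC_EXTS):
                findings.append(f"zip_contains_executable:{info.filename}")
            elif z.read(info)[:8] == OLE_MAGIC:
                # an MSI renamed to .pdf or .gif still starts with the OLE header
                findings.append(f"zip_member_is_ole_container:{info.filename}")
    m = COUNTRY_SUFFIX.search(filename)
    if m:
        findings.append(f"country_targeted_lure:{m.group(1)}")
    return findings


# Constructed samples: a macro-bearing invoice, a clean report, and a country-tagged ZIP
SAMPLES = {
    "invoice.docm": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64,
    }),
    "report.docx": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "comprobante_ES.zip": make_zip({
        "comprobante.msi": OLE_MAGIC + b"\x00" * 512,
        "logo.gif": b"GIF89a" + b"\x00" * 32,
    }),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(name, data) or "clean")
```

Checking the OLE header as well as the extension is what catches the renamed installer; the GIF sitting beside the MSI in the Grandoreiro archive passes both checks, which is exactly what you want from a gateway rule that must not quarantine every ZIP with an image in it.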