
Threat Intelligence Updates: May 2018

05/10/2018  |  By: Jessica Mantz


We continue to see a rise in cryptominers, which silently use their victims’ processing power to mine cryptocurrency. According to Comodo’s Global Malware Report, cryptominers overtook ransomware to become the number one threat in the first quarter of 2018. Researchers have also found that most cryptocurrency miners now target Monero rather than Bitcoin. This is believed to be due to Monero’s greater anonymity compared with Bitcoin: Monero transactions cannot be tracked, blacklisted, or linked to previous transactions, and the transaction amounts and parties are hidden. Monero also provides more opportunities for a successful attack, as it creates a new block every two minutes. LBMC Information Security has also detected a variety of browser-based cryptominers targeting Monero.

Many cryptocurrency miners began as a legitimate way for companies to monetize their websites without using advertisements. However, several antivirus vendors have classified them as malware because the websites give their visitors no warning that mining is taking place. Attackers began leveraging the same cryptominers by embedding the code in compromised websites, browser extensions, malicious advertisements, and typosquatted domains that resemble those of legitimate websites.

Because cryptocurrency miners are often tolerated or go undetected by users, attackers continue to use them for personal gain. Security researchers have discovered cryptocurrency miners that leverage well-known exploits and vulnerabilities, such as EternalBlue and the recently disclosed Drupalgeddon2 remote code execution vulnerability, to propagate to other systems. For example, MassMiner, a Monero-based cryptominer, uses the EternalBlue exploit to spread to other systems. It then delivers itself by exploiting the same Apache Struts vulnerability that was leveraged in the Equifax data breach, and it can also brute-force access to Microsoft SQL servers and install itself there. To mitigate this risk, we recommend regularly scanning and patching vulnerable systems. We also recommend using an antivirus solution as well as ad-blocking browser extensions that block cryptominers from running.

More information on cryptocurrency miners can be found at:

Orangeworm Attack Group Targeting Healthcare Industry

Security researchers at Symantec have identified an attack group known by the name “Orangeworm” targeting the healthcare sector in the U.S., Europe, and Asia. The group was first identified in January 2015 conducting attacks against organizations that serve the healthcare industry. Currently, the group has been observed installing Kwampirs, a custom backdoor, within healthcare organizations after they gain a foothold in their target’s environment. The backdoor Trojan allows them to remotely access a compromised system and gather basic information about it. The backdoor also copies itself to any open network shares to infect other systems.

More information on this can be found at: 

Twitter Self-Reports Security Issue Involving User Passwords 

Twitter urged 330 million users to change their passwords after a glitch in its password storage system exposed users’ passwords in plaintext in an internal log. The social media company stated that all passwords are hashed and all logins are validated without revealing each user’s password. However, due to a bug, passwords were written to an internal log before the hashing process completed. The company identified the issue and is in the process of implementing changes to prevent the issue from occurring again. Twitter also stated that there is no evidence of a data breach or misuse. The company is advising all users to change their passwords as a precaution.
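The failure described above is an ordering bug: a request was written to a log before the password in it had been hashed. One defensive pattern is to redact credential fields inside the logging pipeline itself, so that the order of "log" and "hash" no longer matters. The example below is added here and is not Twitter's code; the field names, the PBKDF2 parameters and the sample login request are assumptions constructed for the example.

```python
import hashlib
import io
import logging
import os

SENSITIVE_FIELDS = {"password", "new_password"}  # assumed field names


def redact(event):
    """Return a copy of a request dict with credential fields masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in event.items()}


class RedactSecretsFilter(logging.Filter):
    """Mask secrets at the logger, before any handler formats the record."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = redact(record.args)  # copy; caller's dict is untouched
        return True


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salt$digest' as hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def handle_login(request, log):
    # Same ordering as the bug in the post: the request is logged *before*
    # hashing. With the filter attached, the log line carries no plaintext.
    log.info("login attempt: user=%(username)s password=%(password)s", request)
    return hash_password(request["password"])


def demo():
    """Run one login through an in-memory logger and return the log text."""
    buf = io.StringIO()
    log = logging.getLogger("auth.demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    log.addFilter(RedactSecretsFilter())
    request = {"username": "alice", "password": "hunter2"}  # constructed sample
    handle_login(request, log)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo())
```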

For more information on this, please visit: 

Attackers Using New Method to Bypass Microsoft Office 365 ATP Safe Links

Avanan, a cloud security company, has reported that attackers have discovered a method of bypassing Microsoft’s Office 365 Advanced Threat Protection (ATP) solution, Safe Links. Safe Links checks any URL included in an email to see if it has been blacklisted by Microsoft or an ATP customer, or if it redirects to malware. If Safe Links determines that the link is malicious, it will replace the link and alert users if they click on the link. According to Avanan, attackers are now evading Safe Links by splitting the malicious URL using a <base> tag in the HTML header. This tricks Safe Links into analyzing the domain and ignoring the rest of the URL, deeming the malicious URL safe and not replacing the link to protect users. The attack method is now known as baseStriker and is said to work against Outlook clients, including mobile, browser-based, and desktop applications.
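The weakness baseStriker exploits is a scanner that inspects each href on its own instead of resolving it the way a mail client will when the user clicks. The parser below, an added example that is neither Avanan's nor Microsoft's code, resolves every link against the message's <base href> before checking the hostname, so the split URL is reassembled before it is compared with a blocklist. The blocklist and the sample email body are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseAwareLinkExtractor(HTMLParser):
    """Collect anchor hrefs and the first <base href> from an HTML body."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            # Clients honour only the first <base> tag in a document.
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])

    def resolved_links(self):
        # urljoin applies the base exactly as the client does on click.
        return [urljoin(self.base, h) if self.base else h for h in self.links]


def scan_email_html(html, blocked_hosts):
    """Return (naive_verdicts, resolved_verdicts), one bool per link.

    naive: hostname check on each raw href (what a per-href scanner sees).
    resolved: the same check after resolving against <base href>.
    """
    p = BaseAwareLinkExtractor()
    p.feed(html)

    def blocked(url):
        return urlsplit(url).hostname in blocked_hosts

    return [blocked(h) for h in p.links], [blocked(u) for u in p.resolved_links()]


# Constructed sample: the host sits in <base>, only the path is in the anchor.
SAMPLE_EMAIL = """<html><head><base href="http://blocked.example/"></head>
<body><a href="login/reset.php">Reset your password</a></body></html>"""
BLOCKED_HOSTS = {"blocked.example"}

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL, BLOCKED_HOSTS))
```

The raw href has no hostname at all, so the naive check passes it; only the resolved URL is caught.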

For more information on this attack method, please visit: