//Week in review - 3 Aug 2018

AusCERT Week in Review for 3rd August 2018


As another week comes to a close, give yourselves a pat on the back: Aussies are almost immune from ransomware attacks! All the more reason not to let our guard down, and to keep looking for and applying threat indicators to prevent and detect ransomware activity.

Also this week, malware operators appear to be joining forces to deliver their respective payloads in a one-two punch from the same malspam runs: an information stealer first, ransomware second. Potential motives: economies of scale? Easier propagation?

This, however, undoubtedly remains the year of the cryptojacker.

Hope you enjoy reading this week’s selection of articles:

New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Date Published: 30/07/2018
Authors: Proofpoint staff
Excerpt: “AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.

Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common [1], and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack.”

Massive Coinhive Cryptojacking Campaign Infects 170,000 MikroTik Routers
Date Published: 02/08/2018
Author: Catalin Cimpanu

Excerpt: “According to Kenin, the attacker used one of those PoCs to alter traffic passing through the MikroTik router and inject a copy of the Coinhive library inside all the pages served through the router.

We know it’s only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week.

Furthermore, Kenin says that he also identified some cases where non-MikroTik users were also impacted. He says this was happening because some Brazilian ISPs were using MikroTik routers for their main network, and hence the attacker managed to inject the malicious Coinhive code in a massive amount of web traffic.

In addition, Kenin says that because of the way the attack was performed, the injection worked both ways, and not necessarily only for traffic going to the user. For example, if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also be injected with the Coinhive library.”
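The campaign described above inserts a Coinhive loader into HTML bodies while they are in transit, so the place to look for it is the response the client actually received (a proxy log, a pcap, a crawl run from inside the affected network), not the origin server's source. The following is an added example, not code from the article or from Trustwave's research: it scans constructed sample HTTP response bodies for the public Coinhive embed (a `<script>` loading `coinhive.min.js` followed by `new CoinHive.Anonymous('<site key>')`), extracts the site key, and counts how many distinct keys appear, which is the same observation the article uses to attribute all of the injections to a single actor. The URLs, page contents and site keys are constructed for the example.

```python
"""Flag Coinhive injection in HTTP response bodies and cluster hits by site key.

Added example, not code from the article or from Trustwave. The embed format
matched below is the public Coinhive snippet (script src .../lib/coinhive.min.js,
then `new CoinHive.Anonymous('<site key>')`). All response bodies are constructed.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed site keys: KEY_A stands for one operator, KEY_B for another.
KEY_A = "KEY" + "A" * 29
KEY_B = "KEY" + "B" * 29

LOADER_TAG = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'

# Constructed sample responses keyed by request URL: one clean page, two pages
# carrying the same site key (one actor), one carrying a different key.
SAMPLE_RESPONSES: Dict[str, str] = {
    "http://shop.example/": "<html><body><h1>Shop</h1></body></html>",
    "http://news.example/": (
        "<html><body><p>Headlines</p>" + LOADER_TAG
        + "<script>var miner=new CoinHive.Anonymous('" + KEY_A + "');"
        + "miner.start();</script></body></html>"
    ),
    # A page hosted behind the router: the article notes injection works both ways.
    "http://intranet.example/portal": (
        "<html><head><title>Portal</title>" + LOADER_TAG
        + '<script>var m = new CoinHive.Anonymous("' + KEY_A + '"); m.start();</script>'
        + "</head><body>Welcome</body></html>"
    ),
    "http://blog.example/post/1": (
        "<html><body>Post" + LOADER_TAG
        + "<script>new CoinHive.Anonymous('" + KEY_B + "').start();</script>"
        + "</body></html>"
    ),
}

# The loader tag, and the constructor call that carries the operator's site key.
LOADER_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']https?://(?:[a-z0-9.-]+\.)?coinhive\.com/lib/[^\"']*[\"']",
    re.IGNORECASE,
)
SITE_KEY_RE = re.compile(
    r"CoinHive\.Anonymous\(\s*[\"']([A-Za-z0-9_-]{16,64})[\"']", re.IGNORECASE
)


def coinhive_keys(body: str) -> List[str]:
    """Return the Coinhive site keys embedded in one HTML body (empty if clean).

    The loader tag must be present, so a page that merely mentions the string
    'CoinHive' in prose is not flagged.
    """
    if not LOADER_RE.search(body):
        return []
    return SITE_KEY_RE.findall(body)


def scan(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each URL whose response carries the miner to the site keys found in it."""
    hits: Dict[str, List[str]] = {}
    for url, body in responses.items():
        keys = coinhive_keys(body)
        if keys:
            hits[url] = keys
    return hits


def actors_by_key(hits: Dict[str, List[str]]) -> Counter:
    """Count injected pages per site key; a single dominant key points to one operator."""
    counts: Counter = Counter()
    for keys in hits.values():
        counts.update(keys)
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_RESPONSES)
    for url, keys in found.items():
        print(f"{url}: injected, site key(s) {keys}")
    print("distinct site keys:", dict(actors_by_key(found)))
```

Run against real proxy or pcap extracts, the key histogram is what separates "one actor compromised many routers" from "many actors", and the per-URL hits show whether pages hosted behind the affected routers were rewritten as well as pages fetched through them.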

Australians almost immune from ransomware, topping lists for data safety
Date Published: 31/07/2018
Author: Richard Chirgwin

Excerpt: “Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks.

Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks.

However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June.

The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018.

Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation:

there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.”

Bisonal Malware Used in Attacks Against Russia and South Korea
Date Published: 31/07/2018
Authors: Kaoru Hayashi and Vicky Ray
Excerpt: “Attacks using Bisonal have been blogged about in the past. In 2013, both COSEINC and FireEye revealed attacks using Bisonal against Japanese organizations. In October 2017, AhnLab published a report called “Operation Bitter Biscuit,” an attack campaign against South Korea, Japan, India and Russia using Bisonal and its successors, Bioazih and Dexbia. We believe it is likely these tools are being used by one group of attackers.

Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using the same high-level playbooks.

Common features of attacks involving Bisonal include:

Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan.

In some cases, the use of Dynamic DNS (DDNS) for C2 servers.

The use of a target or campaign code with its C2 to track victim or attack campaign connections.

Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file.

The use of a decoy file in addition to the malicious PE file.

In some cases, code to handle Cyrillic characters on Russian-language operating systems.

We observed all these characteristics in the latest attacks against both Russia and South Korea.”
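Two of the listed characteristics, the document disguise and the decoy file, come down to an attachment whose name promises a PDF or Office document while its bytes are a Windows PE. That mismatch can be checked mechanically at the mail gateway or during triage. The following is an added example, not code from the Palo Alto Networks report and not derived from Bisonal samples: it sniffs the real container type from magic bytes (PE via the MZ header and the `PE\0\0` signature at `e_lfanew`; PDF; OLE2 for legacy Office; ZIP for OOXML), compares it with what the filename claims, and flags the disguised ones. The filenames and file contents are constructed.

```python
"""Flag attachments whose filename claims a document while the bytes are a PE.

Added example; not from the Bisonal report and not built from Bisonal samples.
The sample files below are constructed byte strings, not real malware.
"""
import struct
from typing import Dict, Optional, Tuple

# What a final extension promises about the container format.
DOCUMENT_EXTENSIONS = {
    ".pdf": "pdf",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".docm": "zip", ".xlsm": "zip",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes: pe, pdf, ole2, zip or unknown."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 compound file
        return "ole2"
    if data.startswith(b"PK\x03\x04"):  # ZIP, which OOXML documents are
        return "zip"
    return "unknown"


def claimed_type(filename: str) -> Optional[str]:
    """Container type the final extension promises, or None if it is not a document."""
    name = filename.lower()
    for ext, kind in DOCUMENT_EXTENSIONS.items():
        if name.endswith(ext):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[str, str, bool]:
    """Return (claimed, actual, disguised); disguised means a document name over PE bytes."""
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    disguised = claimed is not None and actual == "pe"
    return (claimed or "none", actual, disguised)


def fake_pe() -> bytes:
    """Build a minimal MZ/PE header pair (constructed; not a runnable executable)."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # DOS header up to e_lfanew
    header += struct.pack("<I", e_lfanew)
    header += b"\x00" * (e_lfanew - len(header))       # pad to the PE header
    header += b"PE\x00\x00"
    return bytes(header)


# Constructed attachments: two genuine documents, three PE payloads.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "Agenda.pdf": b"%PDF-1.4\n%constructed decoy\n",
    "Budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "Report.pdf.exe": fake_pe(),  # final extension is .exe: an executable by its own admission
    "Invoice.docx": fake_pe(),    # document name over PE bytes: flagged
    "Notes.pdf": fake_pe(),       # same
}


def triage(attachments: Dict[str, bytes]) -> Dict[str, Tuple[str, str, bool]]:
    """Run check_attachment over a set of named attachments."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (claimed, actual, disguised) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16} claims {claimed:5} is {actual:7} {'DISGUISED' if disguised else 'ok'}")
```

The check deliberately keys on the final extension only: `Report.pdf.exe` is not a disguise in this sense because it declares itself executable, and blocking it is a matter of gateway policy rather than content inspection. The decoy document an actor drops alongside the payload will pass as a genuine PDF or OLE2 file, which is exactly why the PE next to it needs the magic-byte check rather than an icon or name check.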

Blueprints for 3D printed guns stay offline for now — but we should still be worried
Date Published: 01/08/2018
Author: Abhimanyu Ghoshal
Excerpt: “The truth is that the aforementioned legal battles don’t matter a whole lot right now: DD actually made the files available last Friday on its DEFCAD site, so they’ve already fallen into the hands of those who want them. There’s also a GitHub repository maintained by a group called FOSSCAD, where you can find designs for a range of pistols, rifles, and ammo.

All this points to the fact that we’re getting rather uncomfortably close to a future where anyone with access to a 3D printer could fabricate an untraceable plastic gun that fires real bullets – and could do real damage.”

Here are this week’s noteworthy security bulletins:

1) ESB-2018.2201 – [Linux] IBM QRadar : Multiple vulnerabilities

IBM’s QRadar SIEM received several updates this week addressing vulnerabilities introduced by its Apache Tomcat, Java and OpenSSL components.

2) ESB-2018.2218 – [Win][Linux][Solaris][AIX] IBM Security Identity Manager: Execute arbitrary code/commands – Remote/unauthenticated

IBM’s Security Identity Manager also received an update addressing a remote, unauthenticated code execution vulnerability introduced by its Apache Commons component.

3) ASB-2018.0188 – [Appliance] Intel Puma: Denial of service – Remote/unauthenticated (published 2018-08-01)

A serious vulnerability was identified in Intel Puma chipsets, which are widely used in home gateways and cable modems. It potentially allows a remote, unauthenticated attacker to exhaust the device’s processor resources by sending crafted network traffic, resulting in a denial of service. The vendor is reportedly working with device manufacturers to roll out a fix.

Stay safe, stay patched, keep warm and have a good weekend!