This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks is tracking at this time.
We are far enough into 2016 to have stopped instinctively writing “2015” on checks, but the threat landscape is still dragging up the past. Self-modifying malware is becoming more common, yet the classic static kinds are still everywhere. For Anitian’s Sherlock Threat Intelligence team, that makes the job a bit easier: static malware leaves indicators of compromise a mile high, which makes it easier to spot, track, and stop.
Below are some notable hunts from the beginning of this year that our Sherlocks have added.
Crypto Ransomware Whoops
WHAT: After the sizable spike in crypto ransomware activity we saw over the prior few months, we saw the emergence of RANSOM_CRYPTEAR.B. The twist with this ransomware? It encrypts its own file encryption key file, so the affected data is unrecoverable even if the ransom were paid.
WHY: While this malware is not especially prevalent, the fact that affected data is completely unrecoverable is alarming. Typically, when ransomware hits, our default recommendation is to burn down the affected hosts and restore data from known-good backups. We never advise paying the ransom, since that just rewards the bad guys. With this kind of ransomware, however, recovery can be impossible, and restoring from backup only works if those backups were not reachable from the infected hosts: a mapped backup share gets encrypted along with everything else. Fortunately, this malware has some telltale command and control site visits and does not seem to be self-morphing. As such we have added specific hunts to catch this, and similar, ransomware before it spreads into the backups and creates a permanent loss.
Security Vendor Dogfood
WHAT: Around Christmas, Santa handed out plenty of coal to some well-known security and technology companies. First Juniper, then Cisco, Fortinet, Lenovo, and Trane were all hit with revelations of hardcoded passwords in their devices. Fortinet got a double lump, as its initial announcement expanded to include even more devices. Hardcoded passwords in devices are an age-old problem that still manages to show up today.
It goes without saying, if you have not already, patch any affected devices immediately.
WHY: This is an excellent example of a threat that a garden-variety security appliance will never report, because the logins are technically legitimate: a valid credential, accepted by the device. We built a series of hunts to look for logins to the affected systems and flag the ones that do not fit how our admins actually work (unexpected source addresses, unexpected accounts). That hunt only works if the logs exist to search through, which is why we keep stressing the importance of logging all administrative access to everything, and of shipping those logs off the device so a compromised box cannot quietly erase its own history.
As to the hardcoded password practices? Those manufacturers know what they did.
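As an added illustration of the hunt described above (this is example code written for this post, not Sherlock's own detection content), the following Python script runs over a handful of constructed syslog lines and does two things: it flags successful logins to the affected devices that come from outside the management subnet or use an account that is not on the admin roster, and it lists any affected device that produced no log lines at all, which is the logging gap that makes the hunt blind. The host names, the admin roster, the management subnet and the log lines themselves are all assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample syslog lines for illustration (not real device logs).
# The devices forward sshd authentication events to a central collector.
SAMPLE_LOGS = """\
Jan 04 08:12:31 fw-edge-01 sshd[2231]: Accepted password for netadmin from 10.20.0.15 port 51122 ssh2
Jan 04 08:40:02 fw-edge-01 sshd[2290]: Accepted publickey for netadmin from 10.20.0.16 port 51200 ssh2
Jan 04 23:55:41 fw-edge-01 sshd[2402]: Accepted password for netadmin from 203.0.113.77 port 40022 ssh2
Jan 05 02:03:19 fw-edge-02 sshd[1188]: Accepted password for support from 10.20.0.15 port 50101 ssh2
Jan 05 09:10:00 fw-edge-02 sshd[1201]: Accepted publickey for netadmin from 10.20.0.15 port 50109 ssh2
Jan 05 09:11:14 fw-edge-02 sshd[1203]: Failed password for root from 198.51.100.9 port 3301 ssh2
"""

# Any syslog line: timestamp, then the reporting host.
HOST_RE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")

# Successful sshd logins only; failures are a different hunt.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


def hunt_admin_logins(log_text, affected_hosts, known_admins, mgmt_nets):
    """Return (alerts, missing_logs).

    alerts: successful logins to an affected host that either came from
            outside the management networks or used an account that is
            not on the admin roster.
    missing_logs: affected hosts with no log lines at all in the window,
            i.e. devices the hunt cannot see.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    seen_hosts = set()
    alerts = []
    for line in log_text.splitlines():
        h = HOST_RE.match(line)
        if h and h.group("host") in affected_hosts:
            seen_hosts.add(h.group("host"))
        m = LOGIN_RE.match(line)
        if not m or m.group("host") not in affected_hosts:
            continue
        user, src = m.group("user"), m.group("src")
        reasons = []
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            reasons.append("unparseable source address")
        else:
            if not any(addr in net for net in nets):
                reasons.append("source outside management network")
        if user not in known_admins:
            reasons.append("account not in the admin roster")
        if reasons:
            alerts.append({"ts": m.group("ts"), "host": m.group("host"),
                           "user": user, "src": src, "reasons": reasons})
    missing_logs = sorted(set(affected_hosts) - seen_hosts)
    return alerts, missing_logs


if __name__ == "__main__":
    # Hypothetical device inventory, admin roster and management subnet.
    alerts, missing = hunt_admin_logins(
        SAMPLE_LOGS,
        affected_hosts={"fw-edge-01", "fw-edge-02", "fw-edge-03"},
        known_admins={"netadmin"},
        mgmt_nets=["10.20.0.0/24"],
    )
    for a in alerts:
        print(f"{a['ts']} {a['host']} {a['user']}@{a['src']}: {', '.join(a['reasons'])}")
    for host in missing:
        print(f"{host}: no log lines received, hunt has no visibility")
```

On the constructed input this flags the late-night login from 203.0.113.77 and the "support" account login, and reports fw-edge-03 as a device that never sent a line. That last result is the point of the paragraph above: an affected device that is not logging is not "clean", it is invisible.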
WordPress Rampant Pwning
WHAT: We would like a month to go by without mentioning Java, Flash, or WordPress threats, but this is not that month. Java alone racked up eight remote code execution vulnerabilities. WordPress had the real doozies, though: first an iframe adware injection, then outright malware. Further injections followed, originating even from WordPress blogs that were patched and up to date, and no fix was available for several days, during which blogs could be infected again and again.
WHY: This came out of the blue and looked very much like a smash-and-grab attack: spread as far as possible, as fast as possible, without much stealth. We sent notices to admin teams describing the signs of blog infection, and a follow-up notice when WordPress released the patch. In the meantime we hunted for traffic to the Digital Ocean servers the malware appeared to operate from, in case any workstation tripped across an infected site.
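One of the "signs of blog infection" an admin can check for mechanically is an iframe that the site owner never added: typically sized to a single pixel, hidden with CSS, or shoved off-screen, and pointing at a host that is neither the blog nor a known embed provider. The scanner below is an added example written for this post, not Anitian's notice content or anything from the WordPress project; it uses only the Python standard library, and the blog host name, the embed allowlist and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not captured from a real infected blog):
# one legitimate video embed plus two iframes of the kind an injection
# campaign leaves behind, a 1x1 pixel frame and an off-screen frame,
# both loading from hosts the blog owner never added.
SAMPLE_HTML = """
<html><body>
<h1>My Blog</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc123"></iframe>
<p>Post text.</p>
<iframe src="http://ads.example.net/x.html" width="1" height="1" frameborder="0"></iframe>
<div><iframe src="http://203.0.113.5/stat.php" style="position:absolute; left:-9999px; top:-9999px"></iframe></div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attributes without a value parse as None; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """'1', '1px', '100%' -> leading integer; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host, allowed_embed_hosts=()):
    """Return [{'src': ..., 'reasons': [...]}] for every iframe that is
    concealed (hidden by style, off-screen, near-zero size) or that loads
    from a host outside the site and its embed allowlist."""
    collector = IframeCollector()
    collector.feed(html)
    site_host = site_host.lower()
    findings = []
    for attrs in collector.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Strip whitespace so "display : none" and "display:none" match alike.
        style = re.sub(r"\s+", "", attrs.get("style", "")).lower()

        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(left|top):-\d+", style):
            reasons.append("positioned off-screen")
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("near-zero size")
        off_site = host and host != site_host and not host.endswith("." + site_host)
        if off_site and host not in allowed_embed_hosts:
            reasons.append("src host not on embed allowlist: " + host)

        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Hypothetical blog host and embed allowlist.
    for f in suspicious_iframes(SAMPLE_HTML, "blog.example.org", {"www.youtube.com"}):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run against a saved copy of the rendered front page (fetched with a browser user agent, since some injections only serve to visitors, not to the admin). A hit is a prompt to inspect the theme and plugin files, not proof by itself: a legitimate tracking pixel will also trip the size check, which is why the reasons are reported rather than collapsed into a single yes/no.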
It is easy to let the news about advanced persistent threats and fantastically sophisticated malware convince you that there is nothing left to look for but the most invisible of threats. But just as endpoint antivirus still does a good job of keeping old malware off endpoints, malware writers still rely on quick, sloppy attack tactics. Those attacks hide just as easily in mountains of log data, and deserve the same attention as the more sophisticated APT-style attacks.
As for hardcoded passwords from security vendors? Dogfood is good for you, guys.
We welcome any conversation on these topics in the comments below!
Check back next month for our March Sherlock report.