Report

Weekly Threat Report 9th June 2017

Created:  09 Jun 2017
Updated:  09 Jun 2017
NCSC building with logo
This report is drawn from recent open source reporting

Fireball malware

More than 250 million computers worldwide have been infected with malicious adware called Fireball, according to recent reporting.  Produced by Rafotec, a Beijing-based digital marketing firm, the malware is spread mostly via bundling. That is, when a user downloads a product they want, the Fireball malware is ‘bundled’ in without the user’s knowledge or consent.

Once infected, Fireball hijacks the user’s browser, installs extra plug-ins and manipulates the user’s web traffic. By redirecting traffic to Rafotec’s fake search engines, Fireball is able to generate additional advertising revenue for the company. A greater concern is the fact that Fireball can, in theory, be repurposed to serve as a fully functioning malware downloader.

Should Fireball be repurposed for further malicious activity it could be used to harvest sensitive data, such as financial credentials, medical records, or corporate business plans for example. Whilst estimates are that Indonesia, India and Brazil have the highest infection rates at present, other countries have been impacted.

In line with NCSC guidance, make sure you only install software from trusted sources.

Single Sign On provider OneLogin is compromised

In late May, OneLogin, an online access and identity manager, experienced a security breach where sensitive customer data in its US region may have been compromised.  OneLogin primarily provides Single Sign On (SSO) and identity management services for corporate customers using cloud based applications.  It is not yet clear how the unauthorised access happened nor the impact, but it is suspected that a threat actor obtained access to Amazon Web Store (AWS) keys and used them to gain access to the AWS Application Programme Interface (API) via another smaller provider in the US.  The actor was then able to access database tables containing information about users, apps and various types of keys.  This may have included the ability to decrypt encrypted customer data.

To minimise damage OneLogin issued advice to customers which included generating new keys, authorisation tokens, security certificates and credentials and updating passwords.

This is not the first time an SSO or similar service has been targeted.  Although, like password managers, they are increasingly considered to be a better way of managing accesses, they are a tempting target for attackers, and the consequences of compromise can be severe.

A new variant of Qakbot malware is bringing down enterprise networks

A new variant of the Qakbot (aka Qbot or PinkSlip) trojan, first seen in 2009, is stealing user information and installing backdoors on Microsoft Windows operating systems. Qakbot malware is used to target online bank accounts of businesses and individuals. Victims are initially infected through an exploit kit, phishing campaign or malicious download.

This new variant has worm-like, self-replicating capabilities similar to WannaCry but it is not ransomware and does not encrypt user hard drives. In its attempts to steal or brute force login details it can cause mass Active Directory lockouts. Some organisations have had thousands of users prevented from using corporate systems as a result.

According to researchers, Qakbot code has been totally re-written and is even more advanced and effective. The new features make it difficult to detect by using obfuscating code and constantly evolving file structure and signatures.

We assess it likely that other malware campaigns will make use of these antivirus avoiding techniques. Users should stay on their guard against suspicious emails and activity and keep their systems up-to-date to help prevent infection.

Vulnerabilities

This week’s summary starts with Google and multiple flaws fixed in both Chrome and Android leading to URL spoofing, obtaining of sensitive information and remote code execution.

Cisco released updates for a number of different products; TelePresence, AnyConnect, Email Security Appliance, Prime Data Center Network Manager, NX-OS, Content Security Management  Appliance, and 8800 Series IP phones, to address cross-site scripting, bugs that cause the target to crash, allow unauthorised access or remote code execution.

IBM released updates for their Security Access Manager Appliance, Spectrum Project (IBM Tivoli Storage Manager) and Domino TLS Server to prevent elevation of privilege, the viewing passwords, obtaining of sensitive information, and obtaining of authentication credentials.

Elsewhere this week there were updates for Wireshark, Apache Tomcat, VMware vSphere and Irssi.

Debian specific updates this week came from perl, nss and zookeeper.

ICS specific updates for Digital Canal Structural Wind Analysis and Rockwell Automation PanelView.

Was this report helpful?

We need your feedback to improve this content.

Yes No