Security Intelligence Feed

We’ve got your back, even when you don’t know it.

Our analysts are on top of the latest developments in cyber security. This feed is our way to share our findings and research to help you better understand the ever-changing security landscape while continuing to give you the peace of mind that Covalence is always protecting you.


Renewed Emotet Activity

There have been indications of renewed Emotet activity since 14 November 2021. Emotet is a prolific botnet operation in which computers infected with the malware are leveraged to perform further cyber-attacks. We recommend reminding everyone in your organization to follow industry guidance on cyber security best practices and to exercise caution when using email.

Details

In January 2021, Europol reported on a multi-agency effort to “severely disrupt the Emotet infrastructure”. However, as with the pauses in activity observed in 2019 and 2020, the takedown appears to have interrupted Emotet operations only temporarily.

Various cybercriminal groups have been using Emotet since 2014 as a loader available through a Malware-as-a-Service (MaaS) offering. It is typically used as first-stage malware that provides initial access to victims’ systems, thereby enabling threat actors to deploy ransomware, keyloggers, banking trojans, and other types of malicious software on the infected systems.

Emotet has a distributed botnet structure. The malware infects end-user systems and turns individual hosts into bots. These bots form clusters, each controlled by a botmaster that instructs the infected hosts on further actions. Depending on the modules available, a bot can be instructed to infect other computers on the same network or to deploy additional malware on the infected host.

Researchers track the Emotet botnet’s activity by subgroups called “Epochs”, where each subgroup has its own command-and-control (C2) servers, payloads, target locations, spam templates, and delivery methods. There are five known Epochs, labelled Epoch 1 through Epoch 5, with Epochs 4 and 5 currently reported active in Japan, Germany, Latin America, Italy, Spain, and other parts of the world.

In the past, Emotet has had the ability to infect a system and perform additional functions through its modules, allowing self-propagation, privilege escalation, brute-forcing, data exfiltration and more.

Previous and current Emotet infections typically start with a victim opening a malicious email containing a URL in the body or a malicious attachment, which could be an Excel spreadsheet, a Word document, a PDF, or a password-protected ZIP archive. Emotet can also be delivered from other infected computers on the same network, or arrive as a secondary infection dropped by other malware.

Emotet has also been using thread hijacking: operators take over existing email conversations from already-infected users’ mailboxes and send authentic-looking replies to the other recipients in the thread. Because these emails appear to come from a known correspondent in an ongoing conversation, they are often opened without hesitation, which enables the threat actors to conduct further attacks.

One change in the new Emotet activity is the use of HTTPS for C2 communications instead of plain HTTP, with the hard-coded C2 destinations now obfuscated. Emotet is also abusing the Windows 10 App Installer to pose as an Adobe update, a tactic recently observed in other malware.

Recommendations

Emotet has been a persistent threat with threat actors regularly changing their infrastructure, spam templates, and malware code. Since the latest Emotet activity has started, our analysts have been tracking this threat activity and employing the latest indicators of compromise in our detections.

However, most of Emotet’s methods are well-researched and are used by multiple other threats. Detecting this threat through a signature and indicator-based approach would only provide partial protection.

Covalence stops Emotet before it is able to infect your system by reducing your threat surface, and enables timely blocking of similar threats. By focusing on abnormal behavior on endpoints, emails, network, and cloud, Covalence alerts on activity patterns that are indicative of malicious activity early on.

This is a good opportunity to remind everyone in your organization to follow the recommended cyber security practices and exercise caution when using email. Some of the guidance can be found in the References section below.

References

CISA Guidance on Emotet
MS-ISAC Guidance on Emotet
SANS: Emotet Returns

Microsoft November Security Update Issues

Following Microsoft’s November 2021 Patch Tuesday, several issues have been reported associated with the installation of these updates. We recommend following Microsoft’s guidance to determine if you require additional measures prior to installing this month’s security updates.

Details

Kerberos Authentication Failures on Domain Controllers

On 14 November 2021, Microsoft issued emergency updates to address Kerberos authentication failures that occur after installing the 9 November 2021 security updates on Domain Controllers (DC) running certain versions of Windows Server.

These issues are related to Kerberos tickets acquired via Service-for-User-to-Self (S4U2self). Authentication fails when delegation scenarios rely on “the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service”.

The affected versions are Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 when the server is being used as a DC (servers that are not acting as DCs are not affected).

These emergency updates are not offered through Windows Update and must be downloaded as standalone packages from the Microsoft Update Catalog.

Microsoft recommends you install the latest Servicing Stack Update (SSU) for your operating system before installing the latest Cumulative Update (CU).

Users must have at least the 10 August 2021 SSU (KB5005112) before installing the CU.
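The following pre-check is an added example, not Microsoft's own tooling: it tells you whether a given server is a DC on one of the listed releases and whether the prerequisite SSU is already installed, so you know which step to take next. The DC-only scoping and the KB number come from the notice above; the mapping of release names to build numbers, the role tests, and the use of Get-HotFix to detect the SSU are this example's own assumptions. KB5005112 is the Windows Server 2016 SSU, so pass the equivalent SSU number for other releases.

```powershell
# Added example, not Microsoft's own tooling: pre-check for the Kerberos
# out-of-band fix. DC-only scoping and the SSU number come from the notice;
# the build list and role tests are this example's own assumptions.

function Test-KerberosOobReadiness {
    param(
        # Minimum SSU named in the notice (the Server 2016 number; pass the
        # equivalent SSU for other releases).
        [string]$RequiredSsu = 'KB5005112'
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Win32_OperatingSystem.ProductType: 2 = domain controller.
    $isDc = ($cs.DomainRole -ge 4) -or ($os.ProductType -eq 2)

    # Build numbers of the releases listed in the notice (assumption: release
    # name to build mapping): 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019.
    $inScopeBuilds = @('6002', '7601', '9200', '9600', '14393', '17763')
    $inScopeBuild  = $os.BuildNumber -in $inScopeBuilds

    # Get-HotFix reads Win32_QuickFixEngineering; if it comes back empty,
    # confirm in the update history before assuming the SSU is missing.
    $ssuPresent = [bool](Get-HotFix -Id $RequiredSsu -ErrorAction SilentlyContinue)

    $action = if (-not $isDc) { 'Not a DC: out-of-band fix not needed' }
              elseif (-not $inScopeBuild) { "DC on build $($os.BuildNumber): not listed in the notice, verify manually" }
              elseif (-not $ssuPresent) { "Install $RequiredSsu (SSU) first, then the out-of-band CU" }
              else { 'Install the out-of-band CU from the Microsoft Update Catalog' }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        BuildNumber        = $os.BuildNumber
        IsDomainController = $isDc
        InScopeBuild       = $inScopeBuild
        SsuPresent         = $ssuPresent
        Action             = $action
    }
}

Test-KerberosOobReadiness | Format-List
```

Run it in an elevated PowerShell session on each DC; the Action field spells out the next step, and any DC whose build is not in the list should be checked against the notice by hand rather than assumed safe.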

Compatibility Issues with Intel SST Drivers and Windows 11

On 15 November 2021, Microsoft reported incompatibility issues for Windows 11 and certain versions of Intel Smart Sound Technology (Intel SST) drivers. Devices with Intel SST versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier may receive a Blue Screen error when installing Windows 11.

Microsoft applied a compatibility hold on devices with the affected Intel SST drivers from being offered Windows 11.

The company recommends checking with your device manufacturer (OEM) for an updated driver and installing it, if available. The fixed versions of the Intel SST drivers are 10.30.00.5714 and later or 10.29.00.5714 and later. If the OEM does not offer the driver update, it can be installed manually from Intel’s website.

To determine whether you are using an affected Intel SST driver, open Device Manager > System Devices, locate the Intel Smart Sound Technology entry, and check the driver file IntcAudioBus.sys for file versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier.
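For a fleet, clicking through Device Manager does not scale. The script below is an added example (not Microsoft's or Intel's tooling) that locates IntcAudioBus.sys and classifies its version against the thresholds in the notice. The two version branches and the affected/fixed cut-offs are taken from the text above; the directories searched and the handling of builds that fall between 5152 and 5714, which the notice does not mention, are this example's own assumptions.

```powershell
# Added example, not Microsoft's or Intel's own tooling: classify the installed
# Intel SST bus driver (IntcAudioBus.sys) against the notice's version thresholds.
# Search paths and the "NotCovered" band are this example's own assumptions.

function Test-IntelSstVersion {
    param([Parameter(Mandatory)][version]$Version)

    # Only the 10.29.x and 10.30.x branches are named in the notice.
    if (($Version.Major -ne 10) -or ($Version.Minor -notin @(29, 30))) { return 'OutOfScope' }

    # 10.29.0.5152 / 10.30.0.5152 and earlier are affected;
    # 10.29.00.5714 / 10.30.00.5714 and later are fixed.
    if ($Version.Revision -le 5152) { return 'Affected' }
    if ($Version.Revision -ge 5714) { return 'Fixed' }
    return 'NotCovered'   # between the two thresholds: the notice does not say
}

function Get-IntelSstDriverStatus {
    param(
        # DriverStore holds staged copies, System32\drivers the active one (assumption).
        [string[]]$SearchPath = @(
            "$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore\FileRepository"
        )
    )

    $files = foreach ($dir in $SearchPath) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter 'IntcAudioBus.sys' -Recurse -File -ErrorAction SilentlyContinue
        }
    }

    if (-not $files) {
        return [pscustomobject]@{ Path = $null; Version = $null; Status = 'NotPresent' }
    }

    foreach ($f in $files) {
        # Build the version from the numeric parts rather than the free-text
        # FileVersion string, which OEMs sometimes pad with extra text.
        $vi  = $f.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path    = $f.FullName
            Version = $ver
            Status  = Test-IntelSstVersion -Version $ver
        }
    }
}

Get-IntelSstDriverStatus | Format-Table -AutoSize
```

A device reporting NotPresent has no Intel SST bus driver staged and is not subject to the hold; a device with an Affected copy in the DriverStore but a Fixed copy in System32\drivers has been updated, and the stale staged copy can be left alone.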

Microsoft Installer Issue

On 18 November 2021, Microsoft reported that installing KB5007215 or later updates could cause failures with Microsoft Installer (MSI) repairing or updating some apps.

The company suggested uninstalling an affected app and installing the latest version of that same app in order to mitigate this issue. A complete resolution for the issue is expected to come in a future update.

This issue is reported for the following platforms:

  • Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1.
  • Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2.

Recommendations

We recommend reviewing the guidance in the References section below to determine if you are running one of the affected systems prior to installing November 2021 Microsoft security updates.

References

Microsoft Guidance on Kerberos Authentication Failures
Authentication Failure Scenarios
Microsoft Update Catalog
Microsoft’s Known Issues

Siemens’ November Security Advisories Include Critical Flaws

On 9 November 2021, Siemens published 29 security advisories and updates with five of them rated Critical (CVSS score range of 9-10). We recommend installing the latest updates and applying the mitigations as soon as possible.

Details

Two of the critical advisories are related to a set of 13 vulnerabilities that affect the TCP/IP stack of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS), as well as its related services (FTP, TFTP).

Nucleus RTOS is a real-time operating system produced by the Embedded Software Division of Mentor Graphics, a Siemens Business. The operating system is designed for real-time embedded systems for medical, industrial, consumer, aerospace, and internet-of-things uses.

The flaws, dubbed NUCLEUS:13 by the researchers who found them, could be leveraged to obtain Remote Code Execution (RCE) on vulnerable devices, create a Denial-of-Service (DoS) condition, or obtain sensitive information. The most critical of the 13 is CVE-2021-31886, an Improper Null Termination flaw that could lead to a stack-based buffer overflow, resulting in DoS or RCE. CVSS v3.1 Base Score: 9.8.

  • The SSA-044112 advisory lists products affected by NUCLEUS:13 as: all versions of Capital VSTAR, all versions of Nucleus NET, Nucleus ReadyStart V3 < V2017.02.4, Nucleus ReadyStart V4 < V4.1.1, and Nucleus Source Code.
  • The SSA-114589 advisory addresses multiple vulnerabilities in APOGEE and TALON products that are based on Nucleus RTOS.

Another critical advisory, SSA-840188, addresses three vulnerabilities in SIMATIC WinCC. They also affect SIMATIC PCS 7 distributed control system (DCS); SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system integrated into SIMATIC PCS 7.

  • The most critical vulnerability in this advisory carries a CVSS v3.1 Base Score of 9.9. Tracked as CVE-2021-40358, it is a Path Traversal vulnerability. Legitimate file operations of the affected systems do not properly neutralize special elements within the pathname. This could allow an unauthorized party to read, write or delete critical files in a restricted directory on the server.

SSA-917476 describes six vulnerabilities in SCALANCE W1750D devices. The flaws could allow someone to execute code on the affected device(s), read arbitrary files, or perform a DoS.

  • The most critical of the six flaws, tracked as CVE-2021-37726, is a remote buffer overflow vulnerability in wireless access point HPE Aruba Instant (IAP) used by SCALANCE W1750D. Successful exploitation could allow for unauthenticated remote code execution, potentially resulting in the execution of arbitrary code as a privileged user on the underlying system. CVSS v3.1 Base Score: 9.8.

The SSA-675303 advisory is a minor update to an advisory published in July 2021, addressing WIBU Systems CodeMeter Runtime vulnerabilities in Siemens products.

Recommendations

If you are using any of the vulnerable products, apply the latest updates and/or the recommended mitigations as soon as possible.

Follow recommended security practices for each product in the applicable Siemens advisory.

References

Siemens Security Advisories
CISA Advisory on NUCLEUS 13 Flaws

Microsoft’s November 2021 Updates Fix Two Actively Exploited Flaws

On 9 November 2021, Microsoft released updates to address 55 vulnerabilities, two of which are being actively exploited. We recommend applying the latest updates as soon as possible.

Details

  • Microsoft’s November 2021 Patch Tuesday updates include six vulnerabilities classified as Critical, as well as four that were publicly disclosed, and two actively abused flaws.
  • The two actively abused flaws are:
    • CVE-2021-42321 – an issue with improper validation of cmdlet arguments in Exchange Server versions 2013, 2016, and 2019. The vulnerability requires an authenticated user role on the Exchange Server in order to exploit it. Microsoft reported that it is currently being used in “limited targeted attacks”. The issue only affects on-premises instances of Exchange Server, including servers used by customers in Exchange Hybrid mode. CVSS 3.1 score: 8.8.
    • CVE-2021-42292 – a Security Feature Bypass vulnerability in Excel. The code execution does involve user interaction via specially-crafted files, but does not require prior authentication. The updates for Office 2019 for Mac and Office LTSC for Mac 2021 are not immediately available but are expected to be released shortly. CVSS 3.1 score: 7.8.
  • Current updates also fixed four flaws that were publicly disclosed:
    • Two vulnerabilities in 3D Viewer, both rated with CVSS 3.1 score of 7.8. They are tracked as CVE-2021-43208 and CVE-2021-43209; both require user interaction and no prior authentication for exploitation.
    • Two Information Disclosure vulnerabilities in Remote Desktop Protocol (RDP), tracked as CVE-2021-38631 and CVE-2021-41371. Both are noted as low severity and are rated with CVSS 3.1 score of 4.4.
  • The vulnerabilities that were labelled as Critical are:
    • CVE-2021-26443, a Virtual Machine Bus (VMBus) vulnerability due to a VM guest failing to properly handle communication on a VMBus channel. Successful exploitation requires authentication and a specially-crafted communication on the VMBus channel from the guest VM to the host. CVSS 3.1 score: 9.0.
    • CVE-2021-3711, a bug in the implementation of the SM2 decryption code reported in the third-party component, OpenSSL. CVSS 3.1 score: 9.8.
    • CVE-2021-38666, a vulnerability in Remote Desktop Client (RDC) that could allow someone with control of a Remote Desktop Server to trigger a remote code execution (RCE) on the vulnerable RDP client machine. The execution requires a victim to connect to the malicious server with the vulnerable RDC. CVSS 3.1 score: 8.8.
    • CVE-2021-42279, a memory corruption vulnerability in Chakra Scripting Engine that requires user interaction but no privileges to exploit. CVSS 3.1 score: 4.2.
    • CVE-2021-42298, an RCE vulnerability in Defender that can be triggered with user interaction. Microsoft marked the exploitation likelihood as “more likely”. CVSS 3.1 score: 7.8.
    • CVE-2021-42316, a vulnerability in Microsoft Dynamics 365 (on-premises) that requires user interaction and low privileges to perform RCE. CVSS 3.1 score: 8.7.

Recommendations

  • We recommend expedited updates for the noted Microsoft flaws as publicly disclosed and exploited flaws make it more likely for vulnerable systems to become targets of exploitation.
  • In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.

Two NPM Libraries Published with Malware

On 4 November 2021, GitHub released security advisories on two NPM libraries having been published with malicious code. We recommend applying the mitigations in the advisories as soon as possible.

Details

  • NPM is the default package manager for the JavaScript runtime environment Node.js.
  • On 4 November, the GitHub community started reporting suspicious versions of the NPM package Command-Option-Argument (COA). COA is a command-line options parser for Node.js projects.
  • On the same day, another NPM package, the RC configuration loader, was found to have been compromised with malware.
  • Initial reports indicate that the threat actors gained access to the package maintainers’ NPM accounts and used them to publish versions carrying a banking trojan with credential-stealing capabilities.
  • The following NPM packages are affected:
    • COA 2.0.3 and above.
    • RC 1.2.9, 1.3.9, and 2.3.9.
  • According to available advisories, computers with the affected versions of COA parser and RC configuration loader installed should be considered “fully compromised”.
  • NPM removed the compromised versions and blocked new versions from being published temporarily.

Recommendations

  • If you are using any of the vulnerable packages, we recommend implementing the mitigations from the GitHub advisories below.
  • Passwords, keys and tokens stored on a computer running the affected packages should be changed.
  • Users of COA 2.0.3 and above are recommended to downgrade to 2.0.2 as soon as possible and check their systems for suspicious activity.
  • Users of affected RC versions are recommended to downgrade to 1.2.8 as soon as possible and check their systems for suspicious activity.
  • The presence of files such as compile.js, compile.bat, and sdd.dll is associated with this threat activity.
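The following script is an added example, not code from GitHub or NPM, that turns the two checks above into something you can run across projects: it scans a package-lock.json for the coa and rc versions named in the advisories and then searches a directory for the file names reported alongside the infection. The affected versions and file names are taken from the text above; the way the lockfile is walked (both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 tree), the stripping of pre-release suffixes before comparing coa versions, and the constructed sample lockfile used to exercise it are this example's own assumptions.

```powershell
# Added example, not code from GitHub or NPM: find the affected coa and rc
# versions in a package-lock.json and look for the reported file names.
# Version ranges and file names come from the advisories summarised above;
# the lockfile walk and the sample lockfile are this example's own.

$AffectedRc  = @('1.2.9', '1.3.9', '2.3.9')   # exact rc versions
$AffectedCoa = [version]'2.0.3'               # coa 2.0.3 and above
$IocFiles    = @('compile.js', 'compile.bat', 'sdd.dll')

function Test-PackageVersion {
    param([string]$Name, [string]$Version)
    if (-not $Version) { return $false }        # link/workspace entries carry no version
    switch ($Name) {
        'rc'  { return $Version -in $AffectedRc }
        'coa' {
            # Drop any pre-release/build suffix so [version] can parse it (assumption).
            $clean = ($Version -split '[-+]')[0]
            return [version]$clean -ge $AffectedCoa
        }
    }
    return $false
}

function Find-CompromisedPackages {
    param([Parameter(Mandatory)][string]$LockFilePath)

    $lock = Get-Content -LiteralPath $LockFilePath -Raw | ConvertFrom-Json
    $hits = [System.Collections.Generic.List[object]]::new()

    if ($lock.packages) {
        # lockfileVersion 2/3: flat "packages" map keyed by install path; the
        # package name is whatever follows the last "node_modules/".
        foreach ($prop in $lock.packages.PSObject.Properties) {
            if (-not $prop.Name) { continue }        # "" is the root project itself
            $name = ($prop.Name -split 'node_modules/')[-1]
            if (Test-PackageVersion -Name $name -Version $prop.Value.version) {
                $hits.Add([pscustomobject]@{ Path = $prop.Name; Name = $name; Version = $prop.Value.version })
            }
        }
    }
    elseif ($lock.dependencies) {
        # lockfileVersion 1: nested "dependencies" tree, walked recursively.
        function Walk-Deps($deps, $prefix) {
            foreach ($p in $deps.PSObject.Properties) {
                $path = "$prefix/node_modules/$($p.Name)".TrimStart('/')
                if (Test-PackageVersion -Name $p.Name -Version $p.Value.version) {
                    $hits.Add([pscustomobject]@{ Path = $path; Name = $p.Name; Version = $p.Value.version })
                }
                if ($p.Value.dependencies) { Walk-Deps $p.Value.dependencies $path }
            }
        }
        Walk-Deps $lock.dependencies ''
    }
    return $hits
}

function Find-IocFiles {
    # Weak indicator: compile.js is a common file name, so treat hits as leads, not verdicts.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $IocFiles } |
        Select-Object FullName, Length, LastWriteTime
}

# Constructed sample lockfile (v2 layout) so the scan runs without a real project.
$sample = @'
{
  "name": "demo", "lockfileVersion": 2,
  "packages": {
    "": { "name": "demo", "version": "1.0.0" },
    "node_modules/coa": { "version": "2.0.4" },
    "node_modules/rc": { "version": "1.2.8" },
    "node_modules/foo": { "version": "3.1.0" },
    "node_modules/foo/node_modules/rc": { "version": "1.2.9" }
  }
}
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'demo-package-lock.json'
Set-Content -LiteralPath $tmp -Value $sample
Find-CompromisedPackages -LockFilePath $tmp | Format-Table -AutoSize

# Real project (paths are assumptions):
# Find-CompromisedPackages -LockFilePath .\package-lock.json
# Find-IocFiles -Root .\node_modules
```

The lockfile scan only tells you what a project resolves to; a developer machine that ran npm install while the bad versions were live may have executed the payload even if the lockfile has since been regenerated, which is why the advisories treat such hosts as fully compromised and why the credential rotation above applies regardless of what the scan finds.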

References