Alerts

Security researchers from ESET published a detailed analysis of a recently discovered cyber espionage group tracked as GreyEnergy.

Security experts from ESET published a detailed analysis of a recently discovered threat actor tracked as GreyEnergy, whose activity emerged alongside BlackEnergy operations. ESET researchers have also spotted a new strain of malware tracked as Exaramel that links the NotPetya wiper to the Industroyer ICS malware. Experts from ESET speculate that the BlackEnergy threat actor evolved into two separate APT groups, namely TeleBots and GreyEnergy.

“Following this attack, the BlackEnergy group evolved into at least two subgroups: TeleBots and GreyEnergy,” reads the report.

“The main goal of the TeleBots group is to perform cybersabotage attacks on Ukraine, which are achieved through computer network attack (CNA) operations.”


GreyEnergy conducted reconnaissance and cyber espionage activities in Ukraine and Poland, focusing on the energy and transportation industries and other high-value targets.

The APT group leverages the GreyEnergy malware, a malicious code with a modular architecture whose capabilities are extended by adding the appropriate modules.

“Like many complex threats, the GreyEnergy malware has a modular architecture. The functionality of the malware can be easily extended with additional modules. A GreyEnergy module is a DLL file that gets executed by calling the function with the first ordinal. Each module, including the main GreyEnergy module, accepts text commands with various parameters,” continues the analysis.

The list of available modules includes components for file extraction, screenshot capturing, keylogging, password and credential stealing, and of course a backdoor.

Experts pointed out that they haven’t found modules that specifically target Industrial Control Systems software or devices. However, ESET noted that GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers.

In one case, hackers used a disk-wiping component to disrupt operating processes on the target systems.

GreyEnergy attackers in one case also used a valid digital certificate, likely stolen from Taiwanese company Advantech, to sign a sample.

“One of the most intriguing details discovered during our research is that one of the GreyEnergy samples we found was signed with a valid digital certificate that had likely been stolen from a Taiwanese company that produces ICS equipment. In this respect, the GreyEnergy group has literally followed in Stuxnet’s footsteps,” states ESET.

Attackers spread the malware both by carrying out spear-phishing campaigns and by compromising self-hosted web services. In the latter case, attackers break into public-facing web services running on a server that is connected to an internal network; once the server is compromised, they move laterally into the internal network.

GreyEnergy also used other backdoors, mostly PHP backdoors, and malware implementing several layers of obfuscation and encryption to hide the malicious code.

The spear-phishing messages first drop a lightweight first-stage backdoor tracked as GreyEnergy mini (aka FELIXROOT), which is used to gather information on the target network and harvest admin credentials using tools such as Nmap and Mimikatz.

The stolen credentials are used to deploy the main GreyEnergy malware into the target network with administrator privileges.

The malware is written in C and compiled using Visual Studio; it is deployed in one of two ways:

  • in-memory-only mode, without implementing persistence;
  • Service DLL persistence.

ESET experts also discovered a worm dubbed Moonraker Petya that is similar to NotPetya; they speculate it is a predecessor of the infamous wiper.

Moonraker Petya has limited spreading capabilities and, like NotPetya, is able to make machines unbootable. The malware was used against a small number of organizations.

Moonraker Petya may be the result of a collaboration between TeleBots and GreyEnergy APT groups.

“GreyEnergy is an important part of the arsenal of one of the most dangerous APT groups that has been terrorizing Ukraine for the past several years. We consider it to be the successor of the BlackEnergy toolkit. The main reasons for this conclusion are the similar malware design, specific choice of targeted victims, and modus operandi,” ESET concludes.

The information contained in this website is for general information purposes only. The information is gathered from Security Affairs while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.


The Splunk Enterprise solution allows organizations to aggregate, search, analyze, and visualize data from various sources that are critical to business operations.

Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrates server and network monitoring.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” reads the advisory published by Splunk.

The most severe issue fixed by the company is a high-severity cross-site scripting (XSS) flaw in the Web interface, tracked as CVE-2018-7427, which received a CVSS score of 8.1.

Another notable vulnerability is a DoS flaw tracked as CVE-2018-7432 that could be exploited using malicious HTTP requests sent to Splunkd, the system process that handles indexing, searching and forwarding. The company rated this issue “medium severity.”

The company also addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-7429, that could be exploited by an attacker by sending a specially crafted HTTP request to Splunkd.

The last flaw addressed by the vendor, tracked as CVE-2018-7431, is a path traversal issue that allows an authenticated attacker to download arbitrary files from the Splunk Django app. The vulnerability has been rated “medium severity.”

Affected versions:

  • Cross Site Scripting in Splunk Web (CVE-2018-7427)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Denial of Service (CVE-2018-7432)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Path Traversal Vulnerability in Splunk Django App (CVE-2018-7431)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Splunkd Denial of Service via Malformed HTTP Request (CVE-2018-7429)
      • Affected Product Versions: Splunk Enterprise versions 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14 and Splunk Light before 6.5.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.

The vendor declared it has found no evidence that these vulnerabilities have been exploited in attacks in the wild.
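Because the four advisories use different fixed versions per release branch, checking an inventory by hand is error-prone. The following is an added example (not Splunk's own tooling) that transcribes the "Affected Product Versions" lines above into a table and reports which CVEs apply to a given install; it assumes a Splunk Enterprise branch the advisory does not list (for example 7.0.x) is unaffected, while "Splunk Light before X" covers every lower version.

```python
# Added example: map a Splunk Enterprise / Splunk Light version to the CVEs
# from the advisory summarised above. Not Splunk's code.

# First fixed version per CVE. Enterprise is keyed by "major.minor" branch;
# Light has a single threshold. Transcribed from the advisory's version lines.
FIXED_IN = {
    "CVE-2018-7427": {
        "enterprise": {"6.5": "6.5.3", "6.4": "6.4.7", "6.3": "6.3.10",
                       "6.2": "6.2.14", "6.1": "6.1.13", "6.0": "6.0.14"},
        "light": "6.6.0"},
    "CVE-2018-7432": {
        "enterprise": {"6.5": "6.5.3", "6.4": "6.4.7", "6.3": "6.3.10",
                       "6.2": "6.2.14"},
        "light": "6.6.0"},
    "CVE-2018-7431": {
        "enterprise": {"6.5": "6.5.3", "6.4": "6.4.6", "6.3": "6.3.10",
                       "6.2": "6.2.14", "6.1": "6.1.13", "6.0": "6.0.14"},
        "light": "6.6.0"},
    "CVE-2018-7429": {
        "enterprise": {"6.4": "6.4.8", "6.3": "6.3.11", "6.2": "6.2.14"},
        "light": "6.5.0"},
}


def parse_version(version):
    """'6.4.7' -> (6, 4, 7). Tuples compare component-wise, so 6.4.10 > 6.4.7
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in version.strip().split("."))


def affected_cves(product, version):
    """Return the sorted CVE ids that apply to this install.
    product is 'enterprise' or 'light'."""
    if product not in ("enterprise", "light"):
        raise ValueError(f"unknown Splunk product: {product!r}")
    ver = parse_version(version)
    branch = ".".join(str(p) for p in (ver + (0, 0))[:2])  # e.g. "6.4"
    hits = []
    for cve, fixed in FIXED_IN.items():
        # Assumption: an Enterprise branch not in the table is unaffected.
        threshold = fixed["light"] if product == "light" else fixed["enterprise"].get(branch)
        if threshold is not None and ver < parse_version(threshold):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inventory entries: (hostname, product, version)
    inventory = [("idx01", "enterprise", "6.4.6"), ("light01", "light", "6.5.2"),
                 ("sh01", "enterprise", "7.0.0")]
    for host, product, version in inventory:
        print(host, version, affected_cves(product, version) or "not affected")
```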


A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password.

The security vulnerability, tracked as CVE-2018-10933, is an authentication-bypass issue that was introduced in Libssh version 0.6, released in early 2014, leaving thousands of enterprise servers open to hackers for the last four years.

But before you get frightened, you should know that neither the widely used OpenSSH nor Github’s implementation of libssh was affected by the vulnerability.

The vulnerability stems from a coding error in Libssh and is “ridiculously simple” to exploit.

According to a security advisory published Tuesday, all an attacker needs to do is send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with an SSH connection enabled when it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

Due to a logical flaw in libssh, the library fails to validate whether the incoming “successful login” packet was sent by the server or the client, and also fails to check whether the authentication process has been completed.

Therefore, if a remote attacker (client) sends this “SSH2_MSG_USERAUTH_SUCCESS” response to libssh, it considers that the authentication has been successful and will grant the attacker access to the server, without needing to enter a password.

Although GitHub uses libssh, it confirms that its official website and GitHub Enterprise are not affected by the vulnerability due to how GitHub uses the library.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with the libssh server is not relied upon for pubkey-based auth, which is what we use the library for,” a GitHub security official said on Twitter.

“Patches have been applied out of an abundance of caution, but GHE [GitHub Enterprise] was never vulnerable to CVE-2018-10933.”

A Shodan search shows that around 6,500 internet-facing servers may be impacted because they use Libssh in one way or another.

The security bug was discovered by Peter Winter-Smith from NCC Group, who responsibly disclosed the issue to Libssh.

The Libssh team addressed the issue with the release of its updated libssh versions 0.8.4 and 0.7.6 on Tuesday, and the details of the vulnerability were also released at the same time.

If you have Libssh installed on your systems, and particularly if you are using the server component, you are strongly advised to install the updated versions of Libssh as soon as possible.
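The two missing checks described above are easiest to see side by side. This is an added toy model of the server side of SSH user authentication, written for this page and not libssh source: vulnerable_server() mirrors the logic flaw, fixed_server() rejects server-to-client message types and lets only the server's own verification set the authenticated flag. Message numbers are the RFC 4252 values; the credential store and message sequences are constructed.

```python
# Added example (not libssh code): toy server-side SSH userauth state machine.
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server (RFC 4252)
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client only
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client only

SERVER_TO_CLIENT_ONLY = {SSH2_MSG_USERAUTH_FAILURE, SSH2_MSG_USERAUTH_SUCCESS}

# Constructed credential store for the toy server.
PASSWORDS = {"alice": "s3cret-passphrase"}


def verify_password(user, password):
    return PASSWORDS.get(user) == password


def vulnerable_server(messages):
    """Dispatch every known message type to its handler. The USERAUTH_SUCCESS
    handler belongs to the client role, but nothing here asks who is allowed
    to send the message or whether authentication actually completed."""
    authenticated = False
    for msg_type, payload in messages:
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            authenticated = verify_password(*payload)
        elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            authenticated = True          # the flaw: peer-asserted success
    return "AUTHENTICATED" if authenticated else "UNAUTHENTICATED"


def fixed_server(messages):
    """Refuse message types only a server may emit, and set the authenticated
    flag solely from the server's own verification."""
    authenticated = False
    for msg_type, payload in messages:
        if msg_type in SERVER_TO_CLIENT_ONLY:
            # Protocol violation: a client never sends these. Drop the
            # session; this is also the event worth logging and alerting on.
            return "DISCONNECTED"
        if msg_type == SSH2_MSG_USERAUTH_REQUEST and not authenticated:
            authenticated = verify_password(*payload)
    return "AUTHENTICATED" if authenticated else "UNAUTHENTICATED"


# Constructed message sequences: a legitimate login, and the spoofed
# "successful login" packet the advisory describes.
LEGIT = [(SSH2_MSG_USERAUTH_REQUEST, ("alice", "s3cret-passphrase"))]
SPOOFED_SUCCESS = [(SSH2_MSG_USERAUTH_SUCCESS, None)]

if __name__ == "__main__":
    for name, seq in (("legit", LEGIT), ("spoofed", SPOOFED_SUCCESS)):
        print(name, vulnerable_server(seq), fixed_server(seq))
```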


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.