Cyber Security Weekly Briefing 28 November – 4 December

ElevenPaths    4 December, 2020

New version of the TrickBot malware

TrickBot botnet operators have added a new capability that allows them to interact with the BIOS or UEFI firmware of an infected computer. This new TrickBot module would increase the persistence of the malware and allow TrickBot to survive even reinstallations of the operating system. Other applications of this new module would include remotely bricking a device at the firmware level, bypassing security controls such as BitLocker, setting up follow-on attacks by exploiting Intel CSME vulnerabilities, or reverting updates that patch CPU vulnerabilities, among others. So far, the TrickBot module has only been seen checking the SPI controller to verify whether BIOS write protection is enabled, and has not been observed modifying the firmware itself. However, the malware already contains code to read, write and erase firmware, suggesting that its creators plan to use it in future scenarios.

More details: https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/
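The module described above is reported only to check whether BIOS write protection is enabled. The following Python is an added illustration, not code from the briefing or from Eclypsium's report, of how a defender can interpret the same platform state from the audit side: it decodes the three bits of the Intel PCH BIOS control register (BIOS_CNTL, called BIOS_SPI_BC on newer chipsets) that govern flash write protection, using the bit layout documented in Intel's public PCH datasheets and the same pass criterion as CHIPSEC's `common.bios_wp` module. The register values fed in are constructed samples, not readings from real hardware; SPI Protected Range (PR) registers, the other protection mechanism, are not modelled here.

```python
from dataclasses import dataclass

# Bit positions from Intel PCH datasheets (BIOS_CNTL / BIOS_SPI_BC, low byte).
BIOSWE = 1 << 0   # BIOS Write Enable: flash writes allowed when set
BLE = 1 << 1      # BIOS Lock Enable: an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes only while all cores are in SMM


@dataclass(frozen=True)
class BiosControl:
    raw: int
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def status(self) -> str:
        """Classify the write-protection posture of the BIOS region.

        'protected'   - BLE and SMM_BWP both set: only SMM code can write flash,
                        which is what CHIPSEC's common.bios_wp test requires.
        'smi-only'    - BLE set without SMM_BWP: setting BIOSWE traps to SMM,
                        but the handler-clears-the-bit approach is race-prone.
        'unprotected' - BLE clear: ring-0 code can simply set BIOSWE and write.
        """
        if self.ble and self.smm_bwp:
            return "protected"
        if self.ble:
            return "smi-only"
        return "unprotected"


def decode_bios_cntl(value: int) -> BiosControl:
    """Decode the low byte of a BIOS_CNTL / BIOS_SPI_BC register value."""
    value &= 0xFF
    return BiosControl(
        raw=value,
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def report(value: int) -> str:
    """One-line human-readable summary of the decoded register."""
    bc = decode_bios_cntl(value)
    return (f"BIOS_CNTL=0x{bc.raw:02x} BIOSWE={int(bc.bioswe)} "
            f"BLE={int(bc.ble)} SMM_BWP={int(bc.smm_bwp)} -> {bc.status}")


# Constructed sample values, not readings from real hardware.
SAMPLES = {
    "locked platform": 0x22,    # BLE | SMM_BWP
    "lock-enable only": 0x02,   # BLE without SMM_BWP
    "writable flash": 0x01,     # BIOSWE set and nothing locking it
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:18s} {report(value)}")
```

On a real system the register is read from the PCH's LPC or SPI PCI device (CHIPSEC does this for you); the point of the decoder is that "write protection enabled" is a combination of bits, not a single flag, and a platform where only BLE is set still deserves attention.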

Chip manufacturer Advantech hit by ransomware

Operators of the Conti ransomware claim to have compromised Advantech, one of the world’s largest manufacturers of chips for industrial environments (IIoT), and are reportedly demanding a $14 million ransom to decrypt the affected systems and stop the leakage of stolen internal data. On November 26th, the group began publishing part of this internal data on its Deep Web site, with a 3.03 GB file that corresponds to 2% of the data they claim to possess. The Conti operators also claim to have backdoors installed in the company’s network that they will remove once the ransom is paid. Advantech has made no public statement about this attack so far.

All the info: https://www.bleepingcomputer.com/news/security/iiot-chip-maker-advantech-hit-by-ransomware-125-million-ransom/

Sale of access to senior executives’ email accounts

A threat actor has put passwords for the email accounts of senior executives on sale on a well-known underground forum. The credentials give access to Office 365 and Microsoft accounts, and their prices range from $100 to $1,500, depending on the size of the company and the user’s position. Among the accounts marketed are those of CEOs, CFOs, presidents, vice presidents and other similarly ranked executives. A cyber security researcher, who prefers to remain anonymous, has confirmed the validity of the data offered for sale by acquiring several credentials belonging to the CFO of a European retail company and the CEO of a US software company. The origin of the credentials is not known with certainty, but they may come from data recovered from AZORult infections, as the same threat actor had previously expressed an interest in acquiring this type of information.

Learn more: https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/

Crutch, Turla’s cyber espionage tool

ESET security researchers have discovered new malware with infostealer and backdoor capabilities linked to the Russian-speaking cyber espionage group APT Turla. The malware is actually a set of tools called “Crutch” that can evade security measures by abusing legitimate platforms, including the Dropbox file sharing service, to hide within normal network traffic. This malware, used from 2015 to early 2020, was reportedly designed to exfiltrate confidential documents and other files to various Dropbox accounts controlled by Turla operators. Moreover, Crutch appears to be deployed not as the initial entry point but after the attackers have already compromised their victims’ network. Researchers claim to have found this malware on the network of a Foreign Ministry in an EU country, suggesting that Crutch is being used for very specific purposes.

All the info: https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
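Crutch hides exfiltration inside traffic to a service many organisations legitimately use, so the defender's handle is not the destination alone but who is uploading, how much, and whether that host is one that is supposed to use the service. The Python below is an added example (not code from the briefing or from ESET's report) of that detection logic run over a few constructed proxy log lines: it aggregates outbound bytes sent in POST requests to Dropbox domains per source address and flags sources that are either not on a sanctioned list or exceed a byte threshold. The log format, host names, addresses, sanctioned list and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry). Fields:
# timestamp src_ip method host path bytes_out
SAMPLE_LOG = """\
2020-12-01T09:12:03Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload 5242880
2020-12-01T09:12:09Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload 5242880
2020-12-01T09:13:41Z 10.20.1.15 POST content.dropboxapi.com /2/files/upload 3145728
2020-12-01T09:15:00Z 10.20.1.77 GET www.dropbox.com /home 812
2020-12-01T09:16:22Z 10.20.2.40 POST content.dropboxapi.com /2/files/upload 204800
2020-12-01T09:18:10Z 10.20.3.9 POST content.dropboxapi.com /2/files/upload 4096
2020-12-01T09:20:05Z 10.20.1.15 GET api.dropboxapi.com /2/files/list_folder 512
"""

# Domains whose upload traffic we want to account for (assumed list).
DROPBOX_SUFFIXES = ("dropboxapi.com", "dropbox.com")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, host, path, bytes_out = m.groups()
        yield {"ts": ts, "src": src, "method": method, "host": host,
               "path": path, "bytes_out": int(bytes_out)}


def is_dropbox_host(host: str) -> bool:
    """Match the domain itself or any subdomain, never a look-alike suffix."""
    return any(host == s or host.endswith("." + s) for s in DROPBOX_SUFFIXES)


def upload_bytes_per_source(records) -> dict:
    """Total bytes sent in POST requests to Dropbox domains, keyed by source IP."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] == "POST" and is_dropbox_host(r["host"]):
            totals[r["src"]] += r["bytes_out"]
    return dict(totals)


def find_suspicious(log: str, sanctioned: set, threshold: int) -> list:
    """Return [(src, total_bytes, reasons)] for sources worth an analyst's look,
    sorted by volume descending. A sanctioned host under the threshold is normal;
    anything else carries at least one reason."""
    flagged = []
    for src, total in upload_bytes_per_source(parse_log(log)).items():
        reasons = []
        if src not in sanctioned:
            reasons.append("unsanctioned source")
        if total > threshold:
            reasons.append(f"{total} bytes exceeds {threshold}")
        if reasons:
            flagged.append((src, total, reasons))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    # Assumed policy: only 10.20.2.40 is approved to sync to Dropbox,
    # and more than 1 MB uploaded per host is worth reviewing regardless.
    for src, total, reasons in find_suspicious(SAMPLE_LOG, {"10.20.2.40"}, 1_000_000):
        print(f"{src:12s} {total:>10d} bytes  {'; '.join(reasons)}")
```

In production the same logic would run over a proxy or NetFlow export with a baseline learned per host rather than a fixed threshold, and the sanctioned list would come from the asset inventory; the shape of the check, a per-source volume to a sanctioned service compared against who is allowed to use it, is what lets "normal" Dropbox traffic be separated from an exfiltration channel.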

Critical vulnerability in Zyxel firewalls and VPN gateways

Zyxel’s security teams have confirmed a critical vulnerability affecting their firewall and VPN access point solutions that would allow threat actors to execute code remotely on the victim’s system. Identified as CVE-2020-25014, this is a buffer overflow flaw that can lead to memory corruption when a specially crafted HTTP packet is sent. The vulnerability has been assigned a CVSSv3 severity of 8.5/10. Experts consider it highly exploitable, although further details are unknown. All Zyxel products affected by the bug are those that support the Facebook Wi-Fi feature. The bugs have been fixed in the V4.39 versions of the ZLD firmware and in the V6.10 and later versions of the Unified and Standalone series.

More: https://www.zyxel.com/support/Zyxel-security-advisory-for-buffer-overflow-vulnerability.shtml
