EmoCrash: stopping Emotet for almost 6 months
Emotet’s return after a six-month absence suggests that the hiatus in the malware’s operations was caused by a flaw discovered in early February by security researcher and malware analyst James Quinn. Quinn noticed a slight change in Emotet’s persistence mechanism: the malware began creating a Windows registry key in which it stored an XOR key.
This discovery, together with other flaws in the same code path, led Quinn to develop a PowerShell script “vaccine” that writes a specially crafted value to that registry key. When Emotet reads the value, a buffer overflow is triggered in the malware’s own code and it crashes, hence the name EmoCrash. For the following six months EmoCrash was distributed quietly to CERTs, until Emotet’s developers changed the persistence mechanism again and launched a new malicious campaign in the first days of August.
PoC for RCE vulnerability in Apache Struts 2
Security researchers have released a proof of concept exploiting the remote code execution vulnerability CVE-2019-0230 in Apache Struts 2, disclosed on Thursday, August 13. The flaw arises when an application forces OGNL evaluation of tag attributes that contain unvalidated user input: the input is evaluated a second time, which lets an attacker inject malicious OGNL expressions. Struts includes controls that mitigate these attacks only from version 2.5.22 onward.
The vulnerability can be mitigated by properly validating user input, or by not applying the forced-evaluation syntax (%{...}) to attributes that carry user input. Although the published PoC targets CVE-2019-0230, Apache also recommends mitigating CVE-2019-0233, a bug that would allow denial-of-service attacks against a vulnerable server.
Critical Jenkins Server Vulnerability
The developers of Jenkins, the popular open-source automation server, published an advisory on Monday concerning a critical vulnerability in the Eclipse Jetty web server, a full-featured Java HTTP server and web container used within software frameworks, that can corrupt buffers and disclose confidential information. Tracked as CVE-2019-17638, the flaw has a CVSS v3.1 score of 9.4 and affects Jetty versions 9.4.27.v20200227 through 9.4.29.v20200521.
According to the advisory, the vulnerability may allow unauthenticated attackers to obtain HTTP response headers, possibly containing sensitive data, that were intended for another user. Once the security implications were understood, the flaw was fixed in Jetty 9.4.30.v20200611, released last month. Jenkins, which bundles Jetty through its Winstone command-line launcher, patched the flaw in Jenkins 2.243 and Jenkins LTS 2.235.5, both released on Monday. Jenkins users are advised to update to these versions or later to mitigate the buffer corruption flaw.
Software glitch in ATMs
In recent days more than 50 suspects have been arrested on charges of cashing out Santander ATMs by abusing a software glitch. The thefts took place in several cities in the United States, where groups of criminals used fake debit cards or valid preloaded debit cards to withdraw more funds than the cards held. The glitch was initially kept secret, but it was eventually shared on social networks, which led further criminal groups to exploit it and caused a sudden spike in ATM cash withdrawals that triggered alarms and an investigation.
On Tuesday all of the bank’s ATMs were shut down to prevent further thefts, and as of yesterday they had been reopened for bank customers only for the time being. The bank has confirmed that customer accounts were not affected and that the bug has been fixed. In the wake of the incident, the two major ATM manufacturers, Diebold Nixdorf and NCR, have released software updates to correct deposit-related flaws in their machines: Diebold Nixdorf patched CVE-2020-9062, affecting ProCash 2100xe USB ATMs running Wincor Probase software, and NCR patched CVE-2020-10124, affecting SelfServ ATMs running APTRA XFS software.
Both vulnerabilities stem from the same weakness: the ATM neither encrypts nor authenticates the integrity of the messages exchanged with the host computer, so an attacker with access to that link can intercept and modify the messages that report the amount or currency value of a deposit. The attack is therefore a two-step process: the attacker deposits a small sum while altering the message so that a larger amount or a higher-value currency is recorded, and then withdraws the inflated balance. Both vendors’ updates add protection to the communications between the ATM and the host computer.
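As an added illustration (this is not code from the CERT advisories or from either vendor), the following Python sketch models the weakness described above and the kind of fix the updates apply. The message format is a constructed JSON layout and the shared key is a hypothetical per-device secret; real ATM deposit protocols look different, but the two-step attack and the check that stops it are the same: without a message authentication code the host credits whatever amount arrives on the wire, and with an HMAC plus a per-message counter both tampering and replay of a genuine deposit are rejected.

```python
import hashlib
import hmac
import json

# Hypothetical per-device shared secret (constructed for this demo). In a real
# deployment it would be provisioned into the deposit module and the host.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(msg):
    """Deterministic serialization so the MAC covers exactly one byte form."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def build_deposit_message(amount_cents, currency, counter):
    """Deposit notification from the ATM to the host (constructed format)."""
    return _canonical({"type": "DEPOSIT", "amount_cents": amount_cents,
                       "currency": currency, "counter": counter})


def tamper_amount(raw, new_amount_cents):
    """Man-in-the-middle step: rewrite the amount field while it is on the wire."""
    msg = json.loads(raw)
    msg["amount_cents"] = new_amount_cents
    return _canonical(msg)


def credit_unauthenticated(raw):
    """Weak host: trusts whatever amount arrives. Returns cents credited."""
    return json.loads(raw)["amount_cents"]


def sign_message(raw, key=DEVICE_KEY):
    """Hardened ATM side: compute an HMAC-SHA256 tag over the raw message."""
    return hmac.new(key, raw, hashlib.sha256).digest()


class AuthenticatedHost:
    """Hardened host: verifies the tag and rejects replays via the counter."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.last_counter = 0

    def credit(self, raw, tag):
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered or forged message
        msg = json.loads(raw)
        if msg["counter"] <= self.last_counter:
            return None  # replay of an already-credited deposit
        self.last_counter = msg["counter"]
        return msg["amount_cents"]


def demo():
    """Run both flows on a constructed deposit; returns the credited amounts."""
    genuine = build_deposit_message(2000, "USD", counter=1)  # $20.00 deposited
    forged = tamper_amount(genuine, 200000)                  # reported as $2,000.00

    weak_credit = credit_unauthenticated(forged)             # 200000: attack works

    tag = sign_message(genuine)
    host = AuthenticatedHost()
    forged_credit = host.credit(forged, tag)    # tag no longer matches -> None
    genuine_credit = host.credit(genuine, tag)  # accepted once -> 2000
    replay_credit = host.credit(genuine, tag)   # same counter again -> None
    return {"weak_credit": weak_credit, "forged_credit": forged_credit,
            "genuine_credit": genuine_credit, "replay_credit": replay_credit}


if __name__ == "__main__":
    print(demo())
```

The counter matters as much as the MAC: an HMAC alone proves the host is reading a message the ATM really sent, but an attacker could still record a genuine deposit message and feed it to the host a second time, which is why the hardened host also refuses any counter it has already seen.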