Cyber Pulse the latest news stories from QA CYBER PULSE: EDITION 132 | 8 OCTOBER 2020

Trickbot botnet disruption
According to researchers, over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organisations.


On 22 September, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the internet address where hacked systems should download new updates to the malware.


But the new configuration file pushed on 22 Septembers told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public internet. It’s not known how many Trickbot-infected systems received the phoney update, but it seems clear this wasn’t just a mistake and that it happened again on 1 October, suggesting someone with access to the inner workings of the botnet was trying to disrupt its operations.


Exposing modular adware ManageX, written in Golang
Researchers have encountered a variant of Glupteba, which is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers. Behaviourally, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain is the use of ManageX - a type of modular adware that researchers recently analysed. This entry also aims to emphasise the modularity and the cross-platform features of Glupteba as seen through the analysis of its code.

After unpacking the main dropper used in this attack, it has been confirmed that the malware variant is written in the open-sourced programming language Go, which is commonly referred to as Golang. Go is barely a decade old, and its use for creating malware is still quite uncommon, although it has been used in several variants of Glupteba, like the ones analysed by security researchers from Sophos and Cybereason


The use of the Go programming language for creating malware might be attractive to some cybercriminals due to various features that the language offers to help malware get into the target systems undetected. One such feature is that it can be compiled using only one repository on a system but remain executable across different operating systems. This is advantageous to malware types aiming to have multiplatform capabilities and payloads.


Fortigate MitM VPN weakness
Over 200,000 businesses are using Fortigate VPN with default settings, exposing them to the risk of a hack, according to researchers. In response to the spreading of Coronavirus across the world, many organisations deployed VPN solutions, including Fortigate VPN, to allow their employers to work from their homes. The configuration of the VPN solutions is important to keep organisations secure and to avoid dangerous surprises. The default settings allow an attacker to present a valid SSL certificate and carry out man-in-the-middle (MitM) attacks on employees’ connections.


The researchers set up a compromised IoT device that initiates a MitM attack using ARP Poisoning, then Forticlient initiates VPN connection. The compromised IoT device serves a signed Fortinet certificate extracted from legacy credentials and forwards the credentials to the original server while stealing them in the middle and spoofs the authentication process. Experts highlight that Fortinet’s client does not verify the server name at all, which means that any certificate will be accepted issued either by Fortinet or any other trusted CA. An attacker can re-route the traffic to his server, display his own certificate, and then decrypt the traffic.


BitLocker "tamper-resistant" vulnerability


A vulnerability in BitLocker’s “tamper-resistant” security technology can be exploited to break the full disk encryption technology that comes bundled with Windows devices. At the virtual Black Hat Asia security conference, researcher Seunghun Han introduced a tool that can be used to subvert BitLocker security protections. BitLocker is Microsoft’s implementation of full disk encryption. It is compatible with Trusted Platform Modules (TPMs) and encrypts data stored on disk to prevent unauthorised access in cases of device theft or remote attacks.
Han explained how the tool BitLeaker, built for Windows 10, can leverage a vulnerability in the ACPI S3 sleeping state to bypass full disk encryption. Leaking-secrets researchers first discovered CVE-2018-6622, a local vulnerability in the dTPM 2.0. The new bug – CVE-2020-0526 – was assigned a medium risk level, as it was found that the security bug could also lead to privilege escalation. 

 

Swatch group shut down in cyber attack
Swiss watchmaker Swatch Group shut down its IT systems in response to a cyber attack that hit its infrastructure over the weekend. The company turned off its systems to avoid other systems on its network from being infected. The Swatch Group Ltd is a Swiss manufacturer of watches and jewellery. The company employs about 36,000 people in 50 countries and in 2019, net sales were 9.6 billion Swiss francs (CHF). The group owns the Swatch product line and other brands including Blancpain, Breguet, Glashütte Original, Harry Winston, Longines, Omega, Tissot, and RADO. In an e-mail statement to the media, the company stated:
“The Swatch Group confirms that it has identified clear signs of a developing cyber attack on some of its IT systems during the weekend. For security reasons, the Group immediately took action and shut down precautionary some of its IT systems, which affected some operations.”
The company added that it has immediately launched an investigation into the incident and took implemented the necessary countermeasures and corrections. “The situation will return to normal as soon as possible,” Swatch added, without providing further details about the incident response procedures.

Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to the weekly Cyber Pulse newsletter here.