Security Bulletin #125 – 12 June 2017
Warning! Hackers Started Using ``SambaCry Flaw`` to Hack Linux Systems
At the end of May, a seven-year-old remote code execution vulnerability affecting all versions of the Samba software since 3.5.0 was patched by the development team of the project. The team of researchers from Kaspersky Lab have captured a malware campaign that is exploiting SambaCry vulnerability to infect Linux computers with cryptocurrency mining software. Another security researcher, Omri Ben Bassat, independently discovered the same campaign and named it ``EternalMiner.`` According to the researchers, an unknown group of hackers has started hijacking Linux PCs just a week after the Samba flaw was disclosed publicly and installing an upgraded version of ``CPUminer,`` a cryptocurrency mining software that mines ``Monero`` digital currency. After compromising the vulnerable machines using SambaCry vulnerability, attackers execute two payloads on the targeted systems: 1) INAebsGB.so — A reverse-shell that provides remote access to the attackers. 2) cblRWuoCc.so — A backdoor that includes cryptocurrency mining utilities – CPUminer. Mining cryptocurrencies can be a costly investment as it requires an enormous amount of computing power, but such cryptocurrency-mining malware makes it easier for cybercriminals by allowing them to utilize computing resources of compromised systems to make the profit. The attackers behind SambaCry-based CPUminer attack have already earned 98 XMR, which worth 5,380 today and this figure is continuously rising with the increase in the number of compromised Linux systems.
US Defense is working on new multifactor authentication systems
According to a report published by American Security Today, the DARPA High-Assurance Cyber Military Systems (HACMS) program is designing technology for the creation of safe and secure cyber-physical systems. DARPA is currently developing a multifactor authentication system that aims to replace the current common access card (CAC) which leverages two-factor authentication. The solution will verify the identity of the person using biometrics and behavioral analysis. The Department of Defense (DoD) plans to adopt multi-factor authentication solutions including biometrics and other “patterns of life” technologies to replace access cards in the next months. Lt. Gen. Alan R. Lynn, who leads DISA and Joint Force Headquarters, Department of Defense Information Network (JFHQ-DODIN), announced that both agencies are searching for any solutions that could help to stay ahead of cyber adversaries. DISA representatives will discuss new cyber tools for the creation of safe and secure cyber-physical systems at the AFCEA International’s Defensive Cyber Operations Symposium, to be held June 13-15 at the Baltimore Convention Center.
First-Ever Data Stealing Malware Found Using Intel AMT Tool to Bypass Firewall
It's not hard for a well-funded state-sponsored hacking group to break into corporate networks and compromise systems with malware, but what's challenging for them is to keep that backdoor and its communication undetectable from a firewall and other network monitoring applications. However, a cyber-espionage group known as ``Platinum,`` that is actively targeting governmental organizations, defense institutes, and telecommunication providers since at least 2009, has found a way to hide its malicious activities from host-based protection mechanisms. Microsoft has recently discovered that the cyber-espionage group is now leveraging Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) channel as a file-transfer tool to steal data from the targeted computers without detection. Moreover, Linux systems with Intel's chips and AMT enabled may also be exposed to Platinum's malware. Platinum does not exploit any flaw in AMT, instead, requires AMT to be enabled on infected systems. Microsoft notes that SOL session requires a username and password, so either the hacking group is using stolen credentials to make its malware remotely communicate with the C&C servers, or ``during the provisioning process, PLATINUM could select whichever username and password they wish.`` The Platinum hacking group has been using zero-day exploits, hot patching technique and other advanced tactics to penetrate in their target systems and networks in South Asian countries, but this is the first time someone is abusing legitimate management tools to evade detection.