Security Weekly News Episode 29 - 2020-04-28
News - Shade Ransomware, FBI Warnings, & SCADA Attacks
Doug White's Content:
- Shade Ransomware End of Life.
- Microsoft vulnerability in Teams can allow hijacking of accounts.
- Two spaces after a period now decreed a "typo".
- Scientific Case for Two Spaces after a Period.
- Israel reports attacks on SCADA Water Systems.
- COVID-19 may create a revolution in the digital identity realm due to demand.
- FBI warnings to work-at-home workers.
- Microbes have memory: using biofilm to create a biological computing environment.
- Encoding Membrane-Potential-Based Memory within a Microbial Computer.
Jason Wood's Content:
Who wants to take the time to investigate something old and rusty looking when there’s always something new and sexy? It turns out that Jan Kopriva did and it turned up some interesting things to consider. Kopriva is a handler at the SANS Internet Storm Center and an incident response lead at his employer. As part of his work, Kopriva was doing some analysis of phishing emails that have been blocked at his email gateway. Here is what he found.
Kopriva noticed a number of phishing messages that contained the same attachment type that were all sent by the same sending email address. He then checked to see how long these messages had been coming in. The answer was since March 2019. Over 1 year and the attacker hasn’t bothered to change the attachment file type nor the sending email address. Weird.
One of the oddities he discovered is that the sending email address was diamond@tnt[.]com, but that the messages hadn’t failed any SPF checks. It should have, since the email definitely wasn’t being sent from tnt[.]com mail servers. Kopriva then checked the SPF policy for the domain and found the problem. Someone had made a syntax error in their SPF record and configured it to allow any IP address to send emails for their domain. At the end of their record, they had a ?all instead of -all set. The difference between a ? and a - is huge in SPF records. One is neutral, meaning that it may or may not be bad. The - marks any server not previously specified as failing the check. He notified them of the issue and they plan to fix it soon.
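To make the ?all versus -all difference concrete, here is an added example (not from the ISC post or the show) that evaluates a sender IP against a minimal SPF record and flags records whose trailing "all" term lets unlisted hosts through. The records and IPs are constructed; only ip4/ip6/all mechanisms are handled, since include/a/mx would need DNS lookups.

```python
import ipaddress

# SPF qualifier -> result, per RFC 7208 section 4.6.2
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records: the shape of the misconfiguration described above,
# and the corrected version. Not real DNS data for any domain.
MISCONFIGURED = "v=spf1 ip4:192.0.2.0/24 ?all"
CORRECTED = "v=spf1 ip4:192.0.2.0/24 -all"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:  # modifiers such as redirect=/exp= are not evaluated here
            continue
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip under record (offline subset)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # ip_network handles both single hosts and CIDR ranges;
            # a v4 address is never "in" a v6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            raise NotImplementedError(f"{mech} needs DNS lookups")
    return "neutral"  # no mechanism matched and no "all" term present


def weak_all(record):
    """True if the record's 'all' term lets unlisted hosts pass or stay neutral."""
    for qualifier, mech, _ in parse_spf(record):
        if mech == "all":
            return qualifier in ("+", "?")
    return True  # a missing "all" also defaults to neutral
```

Running weak_all over the SPF records of the domains you see in blocked mail is a cheap way to spot the kind of misconfiguration this attacker relied on.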
Next, he looked at the attachments themselves. Each of them contained an ACE file (a compressed archive type) that then contained some kind of executable. The messages themselves weren’t very inspiring. “Hey, here is the invoice for the package that will be delivered today.” Boring. Kopriva ran a number of these through some analysis engines and found them to all be droppers for the Agent Tesla malware. He wrote all this up and posted it to the ISC blog.
What is the Agent Tesla malware? This is an older bit of spyware that is sold as a quasi-legitimate way of remotely accessing and monitoring your own computer. According to Brian Krebs, their site tells purchasers that they are not to use the software on any computer but their own. However, their support forums have numerous messages about avoiding anti-virus and other security controls. The messages on their site are a dodge against someone saying their software is intended for malicious activity. The tool itself allows for keystroke logging, screen caps, web cam control, and other ways to get at data on the host.
So if this is so run of the mill, why talk about it? Well, first, I think it’s interesting that the attacker found and took advantage of an SPF misconfiguration for over a year and it just kept working. Next, they didn’t even bother to change their message in any substantial way. This implies that the attacker was having enough success that they were happy with just letting it ride as is. It may not be an advanced threat, but it was very persistent. They just kept plugging along in spite of any pressures to change.
The moral of the story is that not all attacks have to be new and exciting to be effective. Sometimes things just continue to work. Someone obviously noticed this and stuck with it. Keep an eye out for stuff like this and maybe go do some analysis on your logs around blocked messages. You may find a security misconfiguration that someone accidentally made and they don’t even know about it. Nice work to Jan Kopriva for his analysis and blog post.