Top threats January – February 2019

At SecureLink, we create two lists of top threats every month. One is curated for the monthly reports that go out to all of our SecureDetect customers. It’s written by CDC analysts and researchers, such as Aistè Skog, Diana Selck-Paulsson and Victor Nedström. The top threats blog, typically written by researchers or myself, uses that report as input, but arbitrarily replaces some threats with “interesting” pieces which aren’t threats in a literal sense. An example is the Australian Encryption Law (Australia data encryption laws explained – BBC News). Famously, Malcolm Turnbull, Australian PM, was quoted: “The laws of mathematics don’t apply in Australia”.

Finally, a bunch of SecureLinkers flock together near the end of the month to discuss all of these in our ThreatBuster podcast. We know the podcast might not have the highest production value, but we enjoy it. It brings some perspective, and people often find little nuggets of humor and wisdom in it. For example, if you don’t know who “Fat Brian” is, listen from the top and you’ll find Brian recurring in our banter.

The thing is, by then it’s already almost the next month. And we’re still discussing the previous one. Which is a little bit… weird. So, without further ado, from this month on we’ll be addressing the top threats happening so far, and the threats we discuss may not actually be threats at all.

Makes sense? Great! Here we go:

Emotet, Trickbot & Ryuk

Emotet was traditionally a banking trojan, which means it messes with your browser to steal money through fraudulent transactions.

During the December holidays, its activity was pretty low. This is explained by the fact that the criminals went skiing for Christmas. By mid-January it was back with a vengeance, with new tricks. Some of these centered around spam detection evasion. Further research shows Emotet acting as a loader for other malware, such as Trickbot (the notorious descendant of the old Dyre malware, in turn a successor of GameOver Zeus, and a “cousin” to Dridex). Finally, Trickbot now has new payload download capabilities. Ryuk is the ransomware observed to be installed by Trickbot. So, as we can see, there seem to be connections from banking fraudsters to other criminals, which is pretty normal. GameOver Zeus spawned Cryptolocker ransomware years ago, and Dridex often dropped Locky ransomware. Beware of malware replacing itself with other malware. Like Forrest Gump says, you never know what you’re gonna get.

SC Media: Ryuk ransomware linked to Emotet and TrickBot

Bleeping Computer: Emotet Returns from the Holidays With New Tricks

Image Source: US-CERT

RCE in APT/APT-get

For all nation state threat lovers out there, there’s an APT that’s just a benign package manager tool. It has nothing to do with Persistent Threats, advanced or not. The thing is, a package manager requires quite some privileges to manage packages, so when it’s pwned, it’s pwned hard. A Remote Code Execution flaw is one of the worst flaws, and this was a pretty nasty one. A malicious package could mess with HTTP response codes, and ultimately trigger the execution of an arbitrary payload. The vulnerability was responsibly disclosed, and updates for APT are available. However, if, for some reason, you’ve not updated your APT managed distribution, go right ahead and type “sudo apt-get upgrade” in your console.

Remote Code Execution in apt/apt-get

36-year-old vulnerabilities

I love it when a vulnerability is older than me. In this case, it isn’t – although it’s very old indeed. Several ancient vulnerabilities in the Secure Copy Protocol (SCP) implementation surfaced in mid-January. Secure Copy is a network protocol that allows users to securely transfer files across networks. SCP is based on Remote Copy Protocol (RCP) and relies on the authentication and encryption features of Secure Shell (SSH). The flaw can be abused by malicious servers or man-in-the-middle attackers to drop or overwrite arbitrary files on a victim system. All client applications using SCP, including OpenSSH, PuTTY and WinSCP, are affected by the vulnerability. You might think, what’s another few weeks on top of 36 years? A lot. Patching is key.
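As an added illustration (not code from this post, nor from OpenSSH, PuTTY or WinSCP), here is a simplified model of the client-side check that closes this hole: the scp wire protocol announces each file with a `C<mode> <size> <name>` header, and a hardened client refuses any server-supplied name that carries a path separator or does not match what the user actually asked for. The `report-*.pdf` request, the `./downloads/` target and the three sample headers are constructed for the example.

```python
import fnmatch
import os

class ScpProtocolError(ValueError):
    """Raised when a server-supplied SCP header cannot be trusted."""

def parse_file_header(line):
    """Parse an scp 'C<mode> <size> <name>' header exactly as the server sent it.
    No validation here: vulnerable clients took this name and wrote the file straight away."""
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) != 3 or not parts[0].startswith("C"):
        raise ScpProtocolError("malformed file header: %r" % line)
    return int(parts[0][1:], 8), int(parts[1]), parts[2]

def validate_server_name(name, requested_pattern):
    """Reject names a hardened client must not accept: empty, '.'/'..', anything
    containing a path separator or NUL, and names not matching the user's request."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        raise ScpProtocolError("unsafe file name from server: %r" % name)
    if not fnmatch.fnmatchcase(name, requested_pattern):
        raise ScpProtocolError("server sent %r but %r was requested" % (name, requested_pattern))
    return name

def destination_path(dest_dir, requested_pattern, header_line):
    """Map a server header to the only local path it may be written to, or raise."""
    _mode, _size, name = parse_file_header(header_line)
    validate_server_name(name, requested_pattern)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:  # belt and braces: never leave dest_dir
        raise ScpProtocolError("destination escapes %r: %r" % (base, target))
    return target

# Constructed sample headers, as a malicious server or MITM might send them when the
# user ran the equivalent of:  scp 'server:report-*.pdf' ./downloads/
SAMPLE_HEADERS = [
    "C0644 1234 report-jan.pdf\n",          # legitimate, matches the request
    "C0644 600 ../.ssh/authorized_keys\n",  # path traversal out of the download directory
    "C0644 40 .bashrc\n",                   # never requested; would overwrite a dotfile
]

def triage(dest_dir, requested_pattern, headers):
    """Return (accepted_paths, rejected_names) for a batch of server headers."""
    accepted, rejected = [], []
    for line in headers:
        try:
            accepted.append(destination_path(dest_dir, requested_pattern, line))
        except ScpProtocolError:
            rejected.append(line.split(" ", 2)[-1].strip())
    return accepted, rejected
```

Only the header whose name matches the request and stays inside the download directory is accepted; the traversal and the unrequested dotfile are refused before anything touches the disk.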