The Verodin Behavioral Research Team (BRT) has released a new content pack that demonstrates adversary behaviors related to the most recent Malware Analysis Report (AR19-129A) from the Department of Homeland Security (DHS), which provides technical details on the new tool ELECTRICFISH, used by North Korean APT group HiddenCobra.
Additionally, the most recent content pack adds several behaviors related to other emerging threats, including the recent weaponization of the Oracle WebLogic vulnerability (CVE-2019-2725) by active ransomware campaign and Flash Player vulnerability (CVE-2018-15982) added to the Fallout Exploit Kit (EK) and to the new Spelevo EK.
Please see below for more information on all the new behaviors added in the content pack.
US-CERT Malware Analysis Report (AR19-129A) – North Korean Tunneling Tool: ELECTRICFISH
On May 9th, the Department of Homeland Security (DHS) released a Malware Analysis Report (AR19-129A) with technical details for a new tool named “ELECTRICFISH” that, according to the DHS and the FBI, is used by North Korean APT Group Hidden Cobra (also known as Lazarus and Guardians of Peace).
Verodin BRT has added a new Action to test your network controls for download and transfer of the ELECTRICFISH malware binary. The Verodin Security Instrumentation Platform (SIP), enables users to easily modify the Action for HTTPS and variety of archiving algorithms (e.g., ZIP, RAR, 7ZIP, etc.).
WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2725)
CVE Published:04/26/2019 CVSS: 9.8
CVE-2019-2725 is a deserialization vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. The vulnerability allows remove code execution without authentication. It was first reported by a Chinese cybersecurity company, KnownSec, following an out-of-band patch from Oracle on April 26, 2019.
On April 30, Cisco’s Talos Intelligence team published a blog detailing active exploitation of the vulnerability to install new ransomware, Sodinokibi and GandCrab.
Verodin BRT has added several new Actions to test your network and endpoint controls against the direct exploitation of the vulnerability, as well as download, execution, and command and control (C2) beaconing for Sodinokibi and GandCrab.
Flash Player RemoveCode Execution Vulnerability (CVE-2018-15982)
CVE Published:01/29/2019 CVSS: 9.8
CVE-2018-15982 is a use after free vulnerability affecting Flash Player versions 220.127.116.11, 18.104.22.168, and earlier. The vulnerability allows arbitrary code execution and was first identified in late November 2018 by researchers from Gigamon and Qihoo 360 CoreSecurity, as part of an investigation into a spearphishing campaign dubbed “Operation Poison Needle” that appears to have targeted Russian state healthcare clinic.
Adobe released an update to patch the vulnerability on December 05, 2018.
Since its release, CVE-2018-15982 has been added to several exploit kits, including Fallout EK, Underminer, and a new Spelevo EK.
Verodin BRT has added several new Actions to test your network and endpoint controls against the direct exploitation of the vulnerability, as well as the download of Spelevo EK, and DNS queries related to Fallout EK.
FBI FLASH: Indicators of Compromise Associated with Ryuk Ransomware
On May 2nd, the Federal Bureau of Investigation (FBI) released a Flash report regarding Ryuk ransomware. Ruyk is a ransomware that first emerged in August 2018 and has since been connected to over 100 incidents against U.S. and international organizations. According to Crowdstrike, its operators carry out targeted attacks that solely victimize large enterprises. The malware is likely propagated via TrickBot campaigns, although exact infection method is unknown at this time, partially due to several observed techniques like spearphishing and gaining access directly via Remote Desktop Protocols (RDPs) with brute force attack.
Verodin BRT has added several new Actions to test your network and endpoint controls against Ryuk ransomware, including, download, execution, and command and control (C2).