This week’s Shadow Talk discusses a Cisco Smart Install Client flaw exploited in a disruptive attack, an information leak vulnerability discovered in Microsoft Outlook, details on OpIcarus and OpIsrael, the Verizon DBIR, and why you should still be excited about the RSA Conference.


Cisco Smart Install Client enabled mass disruption

Attackers abused the legitimate Cisco Smart Install Client protocol to target Iranian and Russian switches in a disruptive operation. Through defacements left in the start-up configuration of affected devices and statements to journalists, the perpetrators claimed to have acted in defense of the integrity of United States elections, although their identity and origin remain unknown. This activity occurred within the context of escalating political tensions between the United States and the impacted nations. The tools needed to identify and exploit the flaw are readily available, potentially allowing exploitation by attackers with even low capabilities. System administrators should disable the Smart Install Client function and limit access to TCP port 4786 to mitigate exposure.

New ATM malware variant discovered

A potentially new variant of automated teller machine (ATM) malware, “ATMJackpot”, was documented by security researchers. Its operators attempt to steal cash from ATMs by connecting to cash dispensers and other peripheral devices via a piece of middleware called eXtension for Financial Services (XFS) Manager. Because the initial infection vector for ATMJackpot is not known, a full assessment of its threat cannot be made at the time of writing. If the malware was installed via network intrusion, that would typically require technical capability and would indicate that the wider attack campaign represents a high level of threat. However, if it was installed via physical access to ATMs, fewer skills would be needed and the financial impact would likely be significantly lower. Given the lack of details, the discovery of ATMJackpot does not necessarily represent a dramatic escalation in threat.


Microsoft Outlook flaw allows theft of password hashes

A Microsoft Outlook flaw enables attackers to abuse the way the software renders email messages containing Object Linking and Embedding (OLE) objects, and to gather user password hashes and other sensitive information. A patch has been released for this vulnerability (CVE-2018-0950); without it, if an OLE object hosted on a remote server is embedded in a message, Outlook initiates a connection to that server via Server Message Block (SMB), which is how the password hash is exposed. The result is unauthorized information disclosure, with greater consequences if the technique is combined with other exploits. Digital Shadows (now ReliaQuest) has not seen reports of the vulnerability’s exploitation in the wild, although it would not require a high level of capability. Implementing the patch and blocking inbound and outbound SMB connections at the network perimeter, where possible, can be effective.
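The two mitigations above (restricting TCP port 4786 for Cisco Smart Install, and blocking SMB at the perimeter against the Outlook OLE hash leak) are both network-boundary controls, so one way to check whether either boundary is being crossed is to audit flow records for those ports. The example below is added here and is not code from the Digital Shadows post; it uses a constructed, simplified flow-record format (source, destination, protocol, destination port) and hypothetical internal address ranges, and flags external-to-internal TCP/4786 connections and internal-to-external TCP/445 (SMB) connections.

```python
# Added example (not from the original post): audit simplified flow records for
# two exposures discussed above:
#   - inbound TCP/4786 (Cisco Smart Install) reaching internal devices
#   - outbound TCP/445 (SMB) to external hosts, the path used by the
#     Outlook OLE/SMB hash-leak vulnerability
import ipaddress
from dataclasses import dataclass

# Hypothetical internal ranges; adjust to your own environment.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

SMART_INSTALL_PORT = 4786   # TCP port used by Cisco Smart Install
SMB_PORT = 445              # SMB over TCP


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


@dataclass
class Finding:
    kind: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str):
    """Parse the constructed record format: 'src_ip dst_ip proto dport'."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def audit_flows(lines):
    """Return a Finding for each record that crosses one of the two boundaries."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if proto != "tcp":
            continue  # both protocols of interest run over TCP
        if dport == SMART_INSTALL_PORT and not is_internal(src) and is_internal(dst):
            findings.append(Finding("smart-install-inbound", src, dst, dport))
        elif dport == SMB_PORT and is_internal(src) and not is_internal(dst):
            findings.append(Finding("smb-egress", src, dst, dport))
    return findings


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = """
# src dst proto dport
203.0.113.7 10.1.1.5 tcp 4786
10.1.1.5 10.1.1.9 tcp 4786
10.2.3.4 198.51.100.20 tcp 445
10.2.3.4 10.2.3.10 tcp 445
203.0.113.9 10.1.1.5 udp 4786
""".strip().splitlines()


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.dport}")
```

Internal-to-internal Smart Install traffic is deliberately not flagged, since a management host may legitimately use the protocol; a hit on the inbound rule means the port is reachable from outside the network, which is the exposure the mitigation addresses. The SMB egress rule is the complementary view of "block outbound SMB at the perimeter": any match is a flow the perimeter rule should have stopped.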


Film service customers victims of payment data breach

On 09 Apr 2018, multiple media outlets reported on an allegedly targeted attack against food-service and facility-management company Sodexo’s cinema voucher program, Filmology. Sodexo stated that credit cards used on its website between 19 Mar 2018 and 03 Apr 2018 may have been compromised, and that it continues to investigate. However, a Filmology representative allegedly claimed that “the hack on the payment page was carried out over 2 months and involved many accounts”. Customers of Sodexo’s Filmology service should monitor for fraudulent charges to their credit cards and consider replacing those used during the date range stated by the company.


Compromised websites delivered NetSupport Manager RAT

On 05 Apr 2018, researchers at security company FireEye reported on a campaign delivering the commercially available “NetSupport Manager” remote-access tool (RAT). Threat actors used compromised websites to prompt visitors to download fake Flash, Chrome and Firefox updates. These were JavaScript files that ultimately fetched the RAT payload from a remote server. Digital Shadows (now ReliaQuest) research into the IP address used in the campaign demonstrated that it has likely been used to distribute malware since at least November 2017. The threat actors have likely had some success, given the duration of the activity. Their motive is unknown. Indicators of compromise can be found on the Digital Shadows (now ReliaQuest) online portal.


New activity sparked by OpIsrael and OpIcarus

Beginning on 07 Apr 2018, multiple hacktivists tweeted attack claims as part of OpIsrael, an “Anonymous” collective-affiliated operation in support of Palestine. Attack claims typically involved website defacements. However, Twitter user LorianSynaro also claimed to have obtained databases from 83 Israeli universities; a sample uploaded to the code-sharing website Hastebin contained no sensitive information and was likely obtained from open sources. More OpIsrael claims are likely in the short-term future (within three months). Moreover, an operational announcement has called for a new phase of the OpIcarus hacktivist campaign in June 2018. The type of activity was not stipulated, but will highly likely include denial of service (DoS) attacks and data breach claims against financial entities. Recent iterations of OpIcarus have attracted scant threat actor involvement; thus, this new phase poses a very low risk at this time.


New botnet scanning activity targeting Brazil

Security company Trend Micro identified and reported on scanning activity targeting vulnerable Internet of Things (IoT) devices in Brazil. The scanning originated from several compromised devices in China and mirrored the behavior of previously identified “Mirai” botnets, which used default and weak credentials to hijack devices. Mirai’s source code was publicly released in October 2016, which has enabled numerous threat actors to develop their own botnets of varying size. Targeting weak credentials is a common tactic used to build botnets; users should replace default and weak credentials with strong, unique passwords.