SecureData: Cyber Threat Advisory Summary
Published 27 May 2016
Panda Banker – 29 April 2016
Some of the code behind the notorious Zeus banking trojan has been repurposed for a new malware campaign targeting victims in the United Kingdom and Australia. Panda Banker works in much the same fashion as Zeus, operating on the same file system and utilizing the same data extraction technique, leveraging an Automated Transfer System (ATS) to deliver fake banking login pages to its victims. Unlike Zeus, Panda makes use of a technique known as ‘fast-flux DNS’ to obfuscate its tracks through various proxies and hosts, which makes finding its C2 servers a serious challenge. Like its predecessor, Zeus, the Panda Banker malware is capable of stealing sensitive data from users.
The threat group behind the new Panda Banker malware has been specifically targeting users in Australia and the UK. We are giving this a Medium Severity Rating, as the malware has already been analyzed to understand how the attack process takes place, which means that banks and other financial organizations can now take the necessary precautions to ensure such an attack would not be successful in the future.
ImageTragick – 05 May 2016
A vulnerability in the ImageMagick image processing software suite has been seen exploited in the wild. ImageMagick is a package that is commonly used by web services to handle images, and the underlying code is used as a foundation for many similar packages, for example PHP imagick, Ruby rmagick and nodejs imagemagick. An attacker can craft a malicious image and, when it is processed by a vulnerable version of ImageMagick, force a web server to execute code. Several valid Proof of Concept (POC) code snippets have been published to demonstrate how an attacker could use this vulnerability to gain access to a web server with no input from an end-user.
We are giving this exploit a Critical severity rating, as many social media sites, blogging sites and content management systems make use of this image-processing package. According to the creators of ImageMagick, these vulnerabilities will be addressed in versions 7.0.1-1 and 6.9.3-10, with the patch being released before the end of the week. In the meantime, the ImageMagick policy.xml file should be edited with a few lines of code provided in the appendix to address this until the patch is released.
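One way to confirm that a server's policy.xml carries the interim mitigation is to parse it and list any coder that is still enabled. This is an added example, not code from the advisory; the coder list is an assumption taken from the publicly documented ImageTragick workaround (the advisory's appendix is not reproduced on this page), and both sample policies are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders disabled by the publicly documented ImageTragick workaround.
# Assumption: taken from the public advisory, not from this page's appendix.
REQUIRED_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: two coders disabled, MSL present only as a comment.
PARTIAL_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <!-- <policy domain="coder" rights="none" pattern="MSL"/> -->
</policymap>"""

# Constructed sample: all five coders disabled.
HARDENED_POLICY = "<policymap>\n" + "".join(
    f'  <policy domain="coder" rights="none" pattern="{c}"/>\n'
    for c in REQUIRED_CODERS
) + "</policymap>"


def unblocked_coders(policy_xml, required=REQUIRED_CODERS):
    """Return the required coders that policy_xml does not fully disable.

    Conservative check: a coder counts as blocked only if some matching
    entry has rights="none" and no matching entry grants any rights,
    regardless of entry order. Commented-out entries are ignored by the
    XML parser. Brace patterns such as {A,B} are not expanded here.
    """
    root = ET.fromstring(policy_xml)
    denied, granted = set(), set()
    for entry in root.iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        pattern = entry.get("pattern", "").upper()
        rights = entry.get("rights", "").strip().lower()
        for coder in required:
            if fnmatch.fnmatchcase(coder, pattern):
                (denied if rights == "none" else granted).add(coder)
    return [c for c in required if c not in denied or c in granted]


if __name__ == "__main__":
    for name, xml in (("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
        missing = unblocked_coders(xml)
        print(name, "OK" if not missing else "still enabled: " + ", ".join(missing))
```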
ArubaVuln – 11 May 2016
There have been reports of 26 new vulnerabilities affecting ArubaOS, Airwave Management Platform (MP) and Aruba Instant access point (IAP). Most of the vulnerabilities have a low severity rating, but a few more serious vulnerabilities have been discovered affecting the Aruba PAPI Protocol. The PAPI Protocol is used in Aruba products to manage access points, so any compromise of these channels will enable an attacker to modify the access points as they see fit.
The Airwave MP has four security pitfalls that include exposure of the RabbitMQ management interface, the use of a weak calculation algorithm for cross-site request forgery (CSRF) and a code/command injection flaw affecting the NTP configuration file.
The largest trove of vulnerabilities was discovered in Aruba’s Instant Access Point (IAP) range, which is plagued by 22 vulnerabilities that include transmission of login credentials via HTTP, default accounts, a few remote code execution flaws, information disclosure issues and, lastly, a few firmware-related weaknesses.
Two different CVEs have been assigned to the vulnerabilities disclosed: CVE-2016-2031 for all IAP vulnerabilities and CVE-2016-2032 for the Airwave MP vulnerabilities. We are giving this a Low Severity rating, because an attacker needs authenticated access to exploit most of these vulnerabilities.
7Zip RCE – 12 May 2016
Two vulnerabilities have been found in the popular 7Zip compression library which would allow an attacker to remotely execute code on a machine. The compression library, due to its free nature, is often implemented in other programs such as PeaZip. As such, the consequences of these vulnerabilities are a lot more serious than previously considered. We are giving this threat a Medium Severity Rating. While there is a patched version of the 7Zip software now available (Version 16.00), there is no guarantee that other programs making use of the 7Zip compression library will update in a timely manner.