Reported: December 11, 2017

Details: APT34, a an advanced persistent threat group based out of Iran, is using an exploit in Microsoft Office to gain access to systems based in the Middle East. The infection vecotr appears to be an rtf document which, when opened, downloads a powershell command to run code on the system.

Reference:

Description: In a blog published by FireEye, an incident response team from Mandiant recently responded to a security incident at an infrastructure organization. The attacker, or attackers, reportedly dispersed malware with the intent of manipulating industrial safety systems that provide shutdown capabilities for the organization’s industrial processes. It is their belief that the adversary, or adversaries, deliberately intended to develop the capability to create physical destruction to shutdown operations. At this point in time they have not linked the occurrence to a particular threat actor. They do suggest however, that this type of activity could be a precursor to a nation state preparing for an attack. The malware utilized was identified as TRITON, an “attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.” It is one of a few software families that target industrial control systems. This family would include other malicious software families such as Stuxnet and Industroyer. The main agenda is to ultimately cause a physical consequence to the infrastructure it is targeting. (IBM X-Force Exchange).

• Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network”;
• “Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events”;
• “Implement change management procedures for changes to key position. Audit current key state regularly”;
• “Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS”;
• “Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP”; and
• “Monitor ICS network traffic for unexpected communication flows and other anomalous activity”.

Reported: December 27, 2017

Details: A new malware family, dubbed GnatSpy, has been found which is believed to be a variant of VAMP. APT-C-23 is believed to be behind GnatSpy. Some of the same CnC servers used by VAMP are also being used by GnatSpy. Essentially, GnatSpy is a better version of VAMP, with more sophisticated tradecraft being utilized to try and reduce detection. It is highly likely that social engineering is being used to increase the chances of the malicious app is installed on a user’s device.

 References:

Reported: December 8 2017

Details:  Recam Redux, which is a variant of the Recam malware family, is being spread through a malicious word document. Once the document is opened, embedded VB code is used to drop a .NET executable. It then makes the code persistent on the infected machine and can survive a reboot. Once operationla, the malware runs a keylogger module, and sends back information to the CnC servers.

Solution: Apply security best practices in regards to phishing emails, and do not open attachments from an email you are not expecting. Additionally, consider hardening your employees by utilizing Security Awareness Training to reduce the chance of a successful social engineering attack.

References:

https://exchange.xforce.ibmcloud.com/collection/Recam-Redux-Spread-Via-Malicious-Word-Document-e989f4e6dc57bbcc12d6d88d7b9ff386