Weekly Comments

9 - 16 October 2018

The recent attacks on financial institutions, healthcare institutions, and government organisations in Singapore and around the world have thrust APT groups into the limelight again.
Two reports came to our attention this week: the use of Drupalgeddon 2.0 vulnerabilities to deliver Shellbot malware, and the modification of a well-known exploit chain to install Agent Tesla and other information-stealing malware without triggering anti-virus detection. Both campaigns once again reflect the allure of known vulnerabilities to threat actors and their creativity in making small changes to an exploit chain to maximise attack surface. Using known vulnerabilities costs threat actors less money and time than using zero-days, and it remains an attractive tool because many users tend to delay patching known vulnerabilities.

Since mid-August, financially motivated threat actors have been scanning for Drupal websites that are vulnerable to Drupalgeddon 2.0 (CVE-2018-7600 and CVE-2018-7602) in order to install Shellbot malware. They scan for the /user/register and /user/password pages in the installation phase and attempt to brute-force their way into the websites using the discovered information. Once they succeed, they install Shellbot, which uses an IRC channel as its command and control server and performs various functions such as DDoS attacks and searching for SQL injection vulnerabilities.
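As an added example (not taken from the cited reports), the following check reads web server access logs and flags clients whose requests match the probing pattern described above. The combined log format, the `min_posts` threshold, the function names and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

PROBE_PATHS = {"/user/register", "/user/password"}  # pages named in the report
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def probe_path(target):
    """Map a request target to one of PROBE_PATHS, or None."""
    path, _, query = target.partition("?")
    # Drupal sites without clean URLs route through ?q=user/password.
    m = re.search(r"(?:^|&)q=([^&]*)", query)
    raw = m.group(1) if m else path
    norm = "/" + unquote(raw).strip("/")
    return norm if norm in PROBE_PATHS else None

def find_scanners(lines, min_posts=3):
    """Return {client_ip: stats} for clients that look like form probers.
    min_posts is an assumed threshold; tune it against your own baseline."""
    stats = defaultdict(lambda: {"paths": set(), "posts": 0, "other": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, method, target, _status = m.groups()
        hit = probe_path(target)
        if hit is None:
            stats[ip]["other"] += 1  # ordinary browsing by this client
            continue
        stats[ip]["paths"].add(hit)
        if method == "POST":
            stats[ip]["posts"] += 1
    flagged = {}
    for ip, s in stats.items():
        # Touching both forms and nothing else is scanner-like behaviour.
        both_no_browsing = s["paths"] == PROBE_PATHS and s["other"] == 0
        if s["posts"] >= min_posts or both_no_browsing:
            flagged[ip] = s
    return flagged

def _line(ip, method, target):
    return f'{ip} - - [10/Oct/2018:03:12:01 +0800] "{method} {target} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample traffic using documentation address ranges, not real logs.
SAMPLE = [_line(*r) for r in [
    ("203.0.113.7", "POST", "/user/register"), ("203.0.113.7", "POST", "/user/register"),
    ("203.0.113.7", "POST", "/?q=user/password"), ("198.51.100.20", "GET", "/"),
    ("198.51.100.20", "GET", "/user/register"), ("198.51.100.20", "POST", "/user/register"),
    ("198.51.100.20", "GET", "/node/1"), ("192.0.2.55", "GET", "/user/password"),
    ("192.0.2.55", "GET", "/user/register"),
]]
```

A flagged address is a lead for review alongside patch status of the site, not proof of compromise.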

Meanwhile, threat actors modified an exploit chain previously used to deliver Formbook malware so that it now delivers Agent Tesla and other information-stealing malware without triggering anti-virus detection. The latest campaign to distribute Agent Tesla exploits a Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to download and open an RTF file from a malicious Microsoft Office Word document. Since most RTF parsers typically ignore what they do not know, highly obfuscated RTF files are able to hide exploit code.

We advise our customers to install patches as soon as they are available to avoid falling prey to attacks that exploit known vulnerabilities. We also recommend that our customers stay abreast of the latest cyber threats and adopt good security practices to protect against potential attacks.

