Updated: Aug 7, 2020
In the spotlight this week:
• FBI issues flash alert about Netwalker ransomware attacks
• Windows UAC bypass method discovered via DLL hijacking and mock folders
• The NSA has released a guide on how to deal with a new vulnerability dubbed "BootHole"
• CDP in Singapore among 3 organizations fined $47,000 in total for not securing personal data
The Central Depository (CDP) and two other organizations have been fined a total of $47,000 for breaching data privacy laws. The CDP mailed cheques containing personal information such as names and NRIC numbers to outdated addresses after it migrated its software system in December 2018. The data breach was revealed after an account holder complained in March last year that the CDP had sent a dividend cheque to an outdated address. This article is a clear example of the Singapore government’s increased vigilance on violations against the Personal Data Protection Act (PDPA). Adhering to security guidelines and patching vulnerabilities in various systems and software is crucial for businesses to maintain reputation and credibility.
The FBI has released an advisory regarding the Netwalker ransomware, which has been seen in a number of high-profile cases including the Toll Group breach in Australia. The threat actors using Netwalker have been observed gaining unauthorized access to networks by exploiting unpatched VPN devices, sending COVID-19-themed phishing emails, exploiting vulnerable applications, and brute-forcing weak passwords on RDP. Once inside the network, the threat actor utilizes a variety of malware to steal data and credentials while executing malicious PowerShell scripts to spread throughout the environment and encrypt endpoints.
A threat researcher has discovered and shared a novel way to bypass Windows User Account Control (UAC) using DLL hijacking. DLL hijacking is a form of attack whereby an adversary can make a program load a DLL it shouldn't. UAC is a method for preventing applications from performing activities beyond their level of permission. The kill chain for this exploit is relatively straightforward:
• Create mock folder "C:\Windows \System32"
• Copy original vulnerable executable from "C:\Windows\System32" to
• Copy malicious .dll file with a specific filename into a mock folder
• Run the vulnerable executable from mock folder
Following this, the adversary now has an admin shell on the affected endpoint. There are approximately 616 executables in Windows that automatically elevate privileges and could be utilized in this form of attack. Setting the UAC level to "Always Notify" will prompt the user when this form of attack is launched. In addition, a strong EDR solution and a defense-in-depth security model increase the chances of the security team catching and countering the adversary early.
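The mock folder works because Win32 trims trailing spaces (and periods) from path components, so "C:\Windows \System32" looks like the real System32 to trust checks while being a separate, writable directory. The detection below, an added example rather than code from the original article or the researcher, scans constructed Sysmon-like process-creation and image-load records for binaries or DLLs running from such a folder; the event records, the TRUSTED_DIRS allow-list and the placeholder file names are all assumptions for the example.

```python
import ntpath

# Directories whose binaries are trusted for UAC auto-elevation. This
# allow-list is constructed for the example, not a Windows-defined constant.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records in a Sysmon-like shape: EventID 1 is process
# creation, EventID 7 is image (DLL) load. File names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows \System32\autoelevate_placeholder.exe"},
    {"EventID": 7, "Image": r"C:\Windows \System32\autoelevate_placeholder.exe",
     "ImageLoaded": r"C:\Windows \System32\hijacked_placeholder.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
]


def canonical_components(path):
    """Split a Windows path into raw components and trimmed components.

    Win32 strips trailing spaces and periods from each component, so the
    on-disk folder 'C:\\Windows \\System32' is presented to trust checks as
    if it were 'C:\\Windows\\System32'. Comparing raw against trimmed
    components is what exposes the mock folder.
    """
    raw = path.split("\\")
    return raw, [c.rstrip(" .") for c in raw]


def is_mock_of_trusted_dir(file_path):
    """True if file_path's directory imitates a trusted directory only by
    trailing whitespace or periods in one of its components."""
    raw, trimmed = canonical_components(ntpath.dirname(file_path))
    if raw == trimmed:
        return False  # no trailing-space/period trick present
    return "\\".join(trimmed).lower() in TRUSTED_DIRS


def find_mock_folder_events(events):
    """Return (EventID, path) for every image or loaded DLL in a mock folder."""
    hits = []
    for ev in events:
        for key in ("Image", "ImageLoaded"):
            path = ev.get(key)
            if path and is_mock_of_trusted_dir(path):
                hits.append((ev["EventID"], path))
    return hits


if __name__ == "__main__":
    for event_id, path in find_mock_folder_events(SAMPLE_EVENTS):
        print(f"EventID {event_id}: mock-folder path {path!r}")
```

The same check applies to any other component-level trick that Win32 normalizes away, which is why the comparison is done per component rather than on the whole string.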
The NSA has released a guide on how to deal with a new vulnerability dubbed "BootHole". This vulnerability affects the GRUB2 boot loader present in Linux operating systems and some Microsoft configurations. It is reported that billions of devices are at risk. If exploited, the vulnerability will allow the attacker covert persistence on the compromised hosts.
A recent study surveyed 22 million user actions surrounding phishing campaigns. Key findings include:
• The average time for a phishing attack spans 21 hours from start to finish
• A stolen password will be used for fraud within ~5 days
• The breached credentials will be published or sold online within ~7 days
This study can help inform the need for faster response times, and rapid detection of malicious links or installed programs following a successful phish.