TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.
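Because no further fixes will ship, the practical response is to find every Windows host that still has QuickTime installed and remove it. The following PowerShell is an added example, not part of the advisory: it reads the per-machine Uninstall registry keys (64-bit and 32-bit views) rather than querying Win32_Product, which would trigger an MSI reconfiguration of every installed package, and uninstalls silently only when `-Remove` is given and the entry is an MSI product code.

```powershell
# Added example, not from the advisory: inventory (and optionally remove) QuickTime for Windows.
[CmdletBinding()]
param([switch]$Remove)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match on display name and publisher so unrelated products named "QuickTime*" are not touched.
$quickTime = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'QuickTime*' -and $_.Publisher -like 'Apple*' } |
    Select-Object DisplayName, DisplayVersion, Publisher, PSChildName, UninstallString

if (-not $quickTime) {
    Write-Output "$($env:COMPUTERNAME): QuickTime for Windows not found."
    return
}

foreach ($app in $quickTime) {
    $isMsi = $app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'   # key name is the MSI product code
    if ($Remove -and $isMsi) {
        # Silent MSI uninstall; /norestart keeps the host from rebooting mid-rollout.
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
        Write-Output "$($env:COMPUTERNAME): $($app.DisplayName) $($app.DisplayVersion) msiexec exit code $($proc.ExitCode)"
    }
    elseif ($Remove) {
        Write-Warning "$($app.DisplayName): not an MSI entry, run its uninstall string manually: $($app.UninstallString)"
    }
    else {
        Write-Output "$($env:COMPUTERNAME): found $($app.DisplayName) $($app.DisplayVersion) (re-run with -Remove to uninstall)"
    }
}
```

Run it read-only first across the fleet (for example through Invoke-Command) to size the problem, then with `-Remove`; an msiexec exit code of 0 or 3010 (success, reboot required) means the product is gone.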

Solution

References

Revisions

  • April 14, 2016: Initial Release


Moxa NPort Device Vulnerabilities (Update B)

SUMMARY

This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page.

--------- Begin Update B Part 1 of 2 --------

ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bond Labs, who coordinated with the vendor but not with ICS-CERT.

--------- End Update B Part 1 of 2 --------

ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities, which include 1) unauthenticated retrievable sensitive account information, 2) unauthenticated remote firmware updates, 3) buffer overflow allowing arbitrary remote code execution, 4) cross-site scripting, and 5) cross-site request forgery. Moxa has identified additional NPort models that are affected by the reported vulnerabilities.

ICS-CERT is issuing this updated alert to provide notice of the report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included details about the vulnerabilities:

Vulnerability Type                                          Remotely Exploitable   Impact
Unauthenticated retrievable sensitive account information   Yes                    Disclosure of sensitive information
Unauthenticated remote firmware update                      Yes                    Complete compromise of the affected system
Buffer overflow                                             Yes                    Possible arbitrary remote code execution
Cross-site scripting                                        Yes                    Web browser could execute malicious script
Cross-site request forgery                                  Yes                    Unverified HTTP requests may allow an attacker to trick a user into making an unintended request

Moxa has confirmed that the following NPort devices are affected by the reported vulnerabilities:

  • Moxa NPort 5100 series,
  • Moxa NPort 5200 series,
  • Moxa NPort 5400 series,
  • Moxa NPort 5600 series,
  • Moxa NPort 5600-DT/DTL series,
  • Moxa NPort 5100A series,
  • Moxa NPort 5200A series,
  • Moxa NPort P5150A series,
  • Moxa NPort 5x50AI-M12 series,
  • Moxa NPort 6000 series, and
  • Moxa NPort 6110 series.

The publicly disclosed vulnerabilities in the Moxa NPort devices include unauthenticated retrievable sensitive account information, which may allow a remote attacker to gain administrator privileges on the affected systems. The firmware of the affected devices can be updated over the network without authenticating, which may allow a remote attacker to completely compromise the system. Exploitation of the buffer overflow vulnerability may allow an unauthenticated attacker to execute arbitrary code remotely. The cross-site scripting vulnerability may allow an authenticated party to insert malicious code into webpages allowing malicious code to be executed by a web browser. The cross-site request forgery vulnerability may allow an attacker to trick a user into executing unwanted actions on a web application to which the user has authenticated.

At this time, ICS-CERT is not aware of publicly available exploit code that exploits the identified vulnerabilities.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.

FOLLOW-UP

ICS-CERT released the follow-up advisory titled ICSA-16-336-02 Moxa NPort Device Vulnerabilities on December 1, 2016, on the ICS-CERT web site.

MITIGATION

Moxa is planning to release a new firmware version in late August 2016 that will address the five reported vulnerabilities in all the affected NPort devices, except for the NPort 6110. Moxa has reported that the NPort 6110 device was discontinued in December 2008 and will not have patches released to address these vulnerabilities.

Moxa recommends that customers using the NPort 6110 should upgrade the affected device.

--------- Begin Update B Part 2 of 2 --------

Moxa also recommends disabling Ports 80/TCP (HTTP), 443/TCP (HTTPS), 22/TCP (SSH), and 23/TCP (TELNET). Moxa indicates that users should ensure that Ports 161/UDP, 4800/UDP, and 4900/TCP are only accessible by trusted systems and that restricting access to Ports 4800/UDP and 4900/TCP will impact remote systems administration.

--------- End Update B Part 2 of 2 --------
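Moxa's port guidance can be turned into a check that is re-run after the configuration change and after each firmware update. The Python below is an added example, not code from the alert or from Moxa: it probes the TCP services that should be disabled (80, 443, 22, 23) and the administration port that should be reachable only from trusted systems (4900/TCP), and reports anything that contradicts the guidance. The device address 192.0.2.10 is a placeholder. 161/UDP and 4800/UDP are deliberately not probed, because a UDP probe cannot tell "open" from "filtered"; those two need a firewall-rule review instead.

```python
"""Added example, not part of the ICS-CERT alert: audit an NPort's TCP
management ports against Moxa's Update B guidance."""
import socket
from contextlib import contextmanager
from dataclasses import dataclass

# Moxa's recommendations from the alert, encoded as a checkable policy.
DISABLE = {80: "HTTP", 443: "HTTPS", 22: "SSH", 23: "Telnet"}
RESTRICT_TCP = {4900: "remote administration"}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    message: str


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(host: str, open_ports, from_trusted_host: bool):
    """Turn a set of open TCP ports into findings under the Moxa guidance.

    from_trusted_host says whether the scanner itself is one of the systems
    allowed to reach 4900/TCP; if it is, an open 4900 is expected, if it is
    not, an open 4900 means the restriction is not in place.
    """
    findings = []
    for port in sorted(open_ports):
        if port in DISABLE:
            findings.append(Finding(host, port, DISABLE[port],
                f"{DISABLE[port]} is enabled; Moxa recommends disabling it"))
        elif port in RESTRICT_TCP and not from_trusted_host:
            findings.append(Finding(host, port, RESTRICT_TCP[port],
                "reachable from a host that is not on the trusted list"))
    return findings


def audit(host: str, from_trusted_host: bool = False, timeout: float = 1.0):
    """Probe the management ports on one device and report findings."""
    ports = list(DISABLE) + list(RESTRICT_TCP)
    open_ports = {p for p in ports if tcp_open(host, p, timeout)}
    return assess(host, open_ports, from_trusted_host)


@contextmanager
def local_listener():
    """Stand-in for a device port so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    # Placeholder address; replace with the site's NPort inventory.
    for finding in audit("192.0.2.10", from_trusted_host=False):
        print(f"{finding.host}:{finding.port} {finding.service}: {finding.message}")
```

Run it once from an administration host (with `from_trusted_host=True`) and once from an ordinary workstation VLAN: the first run should report only the four services to disable, the second should additionally flag 4900/TCP if the access restriction is missing.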

ICS-CERT recommends that users should:

  • Set up access control to affected devices to prevent any unauthorized access.
  • Isolate affected systems from the Internet and all untrusted systems.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

TA16-091A: Ransomware and Recent Variants

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual currency, such as Bitcoin.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic in their victims, causing them to click on a link or pay a ransom; in doing so, users’ systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files that download Ransomware-Locky files.
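The two attachment types named above, macro-carrying Office documents and archives wrapping a script file, can be caught at the mail gateway before a user ever sees them. The Python below is an added example, not code from the alert: it walks a message's attachments, opens .zip attachments to look for script members, and opens OOXML documents (which are zip containers) to look for the `vbaProject.bin` entry that marks an embedded VBA project. The sample message, its zip and its .docm are constructed inline so the check runs offline; .rar is flagged by extension only, since reading it needs a third-party library.

```python
"""Added example, not part of the alert: flag mail attachments of the kinds
the Locky campaigns used. The sample message below is constructed."""
import io
import zipfile
from email.message import EmailMessage

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
OFFICE_EXT = {".doc", ".docx", ".docm", ".dotm", ".xls", ".xlsx", ".xlsm", ".rtf"}


def _ext(name):
    """Last extension, lower-cased, so 'invoice.pdf.js' is seen as '.js'."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def office_has_macro(data: bytes) -> bool:
    """OOXML (docx/docm/xlsm) is a zip; a VBA project lives at */vbaProject.bin.
    Legacy OLE (.doc/.xls) files are not parsed here and so are not flagged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def archive_scripts(data: bytes):
    """Names of script-like members inside a zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if _ext(n) in SCRIPT_EXT]
    except zipfile.BadZipFile:
        return []


def triage(msg: EmailMessage):
    """Return (attachment name, reason) pairs worth blocking or sandboxing."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in SCRIPT_EXT:
            hits.append((name, "script or executable attached directly"))
        elif ext == ".zip":
            for member in archive_scripts(data):
                hits.append((name, f"archive contains script file {member}"))
        elif ext == ".rar":
            hits.append((name, "rar archive; inspect contents before delivery"))
        elif ext in OFFICE_EXT and office_has_macro(data):
            hits.append((name, "Office document contains a VBA project (macros)"))
    return hits


def make_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip; real files carry far more, but the layout holds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample() -> EmailMessage:
    """Constructed lure: a zip carrying a .js downloader, a macro .docm, a benign PDF."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("invoice_2016-03.js", "var sh = new ActiveXObject('WScript.Shell');")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(make_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg


if __name__ == "__main__":
    for name, reason in triage(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

Feed real messages in with `email.message_from_bytes(raw, policy=email.policy.default)`; the filename checks are deliberately extension-based because that is what the user sees and double-clicks, while the content checks (zip members, `vbaProject.bin`) catch the cases where the extension alone looks harmless.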

Samas, another destructive ransomware variant, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers: after a Web server is compromised, uploaded Ransomware-Samas files are used to infect the organization’s network.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.