Monthly Cyber Summary – April 2016
Our Monthly Cyber Summary reports a selection of the top trending stories in cyber security from the last calendar month. Keep up to date with some of the most prominent and emerging malware, hacker groups, hacker ops, attack types, vulnerabilities and cyber stories with Silobreaker.
Microsoft’s threat hunter team discovered a new threat actor codenamed PLATINUM that it believes to be state sponsored.
The group has been active since at least 2009 and appears to be interested specifically in intellectual property owned by governments and telecoms, defence and intelligence organisations in Southeast Asia. PLATINUM is thought to have conducted several espionage campaigns since 2009, using spear-phishing to infect targets via private addresses, before moving onto their employers’ systems. The group uses custom malware and 0-days (now patched) while attempting to remain undetected by limiting malicious activity to working hours and making an effort to cover its tracks.
One of the more interesting techniques used by PLATINUM is a system feature called ‘hot patching’, which allows administrators to install updates to actively running processes without needing to restart them. This feature was discontinued in Windows 8 and subsequent versions, but has been used by the threat group to inject code into older system processes without alerting AV.
More information is available here.
A FireEye/iSIGHT investigation reported on FIN6, a hacker group conducting major attacks on point of sale (POS) systems.
FIN6 has been active since 2015, and has targeted the hospitality and retail sectors to steal millions of payment card details. The group makes its money by selling this information on to other actors via underground ‘card shops’.
It’s not quite clear how FIN6 gain initial access to systems. A Mandiant investigation discovered that the group used legitimate credentials on several occasions before moving laterally to reach their intended target. Vawtrak credential stealing malware (likely dropped by a phishing email) was found on one compromised machine, but there is no indication that it was used by FIN6. The group may simply have bought credentials that had been previously stolen by another actor.
FIN6 uses several publicly available tools to extract database and password information, as well as the FrameworkPOS (aka TRINITY) malware to detect and steal payment card details. FireEye believes that the sale of these details is highly profitable for FIN6, not least because of the sheer volume of stolen numbers: one FIN6-linked dump contained 20 million cards.
More information available here.
TA530 Hacker Group
A large but previously unreported threat actor was identified as the source of a major spear phishing campaign targeting banks and their high-level employees. Researchers at Proofpoint identified the TA530 group as being behind a highly targeted spear phishing campaign operating across the US, UK and Australia.
TA530 adopt a highly personalised approach, utilising publicly available information such as employee names, roles and addresses to create legitimate looking emails. These emails are designed to trick the recipient into assuming the author is a credible source, which allows for the exploitation process to begin.
TA530 also use region- and industry-specific malware to increase their success rate. The group are known to have deployed a number of different malware families depending on their target, with CryptoWall, Nymaim, Dridex and Ursnif all part of their arsenal. The spear phishing campaign is designed to allow the group to drop dangerous, industry-specific payloads onto users’ machines.
The threat currently posed by TA530 is very high. Researchers at Proofpoint highlighted how diverse the group’s campaign appears to be; the graph below demonstrates the variety of industries TA530 are targeting. Whilst spear phishing campaigns are relatively common, they are rarely distributed with such high levels of personalisation.
Researchers at IBM X Force identified a highly sophisticated new trojan targeting major financial and retail institutions in the US and Canada. GozNym is a hybrid of the Nymaim ransomware and the Gozi banking trojan, and has been labelled a ‘double-headed beast’ by the researchers that discovered it.
The GozNym Trojan functions with the two original source codes operating in tandem, and is reliant upon the codes cooperating successfully for the malware’s operations to be carried out.
The original Gozi trojan had its source code leaked online in 2010 and 2015, whilst Nymaim’s original code is known only to its authors. It can therefore be assumed that the Nymaim team obtained the leaked Gozi ISFB code and incorporated it into their own malware, probably in order to improve their capacity to attack financial institutions, which was the original Gozi’s speciality.
GozNym is thought to have begun operating only in April. Despite being so new on the market, it is known to have attacked at least 24 US and Canadian banks and successfully stolen millions of dollars. GozNym is currently being delivered primarily via email messages, with so-called ‘poisoned macros’ in a malware-infected attachment. This grants the attackers the ability to manipulate the victim’s browser, steal credentials and transfer money out of their accounts.
The successful hybridisation of two sophisticated and successful malware families presents a major threat to financial institutions, large retailers and credit unions.
Limor Kessem, a researcher who helped uncover the Trojan, explains that “GozNym is as stealthy and persistent as the Nymaim loader, while possessing the Gozi ISFB Trojan’s ability to manipulate Web sessions, resulting in advanced online banking fraud attacks.”
A more in-depth technical study of the Trojan is available here.
GozNym is a hybrid of the Nymaim and Gozi ISFB malware, inheriting stealth and persistence from the former and fraud capabilities from the latter. GozNym appears to be targeting banks in Poland, Portugal and the United States, and makes use of redirection attacks to steal money from victims.
GozNym steals credentials by waiting until users attempt to access their bank’s website, then redirecting them to a fraudulent replica. Any information entered into data fields on the replica site will be collected and used at a later date by the malware’s controller to steal money from the account. The recent update of GozNym contained new redirection instructions for 17 bank brands and nearly 230 fake URLs.
The chief advantage of redirection attacks is that they completely avoid engaging with the bank’s security: no penetration of the bank’s website is necessary, and two-factor authentication does not protect victims, because they enter their codes into the attacker’s replica site. It’s suspected that the main infection vector for GozNym is (as per usual) malicious emails.
PWOBot Python malware
A new strain of malware dubbed PWOBot was discovered in the networks of several European organisations by Palo Alto Networks.
PWOBot is notable for being written entirely in Python. The malware is flexible and can download and execute files, log keystrokes, set up servers and even mine bitcoins. Twelve variants are believed to exist, and six have been discovered in the wild. Although it is currently not known precisely what vector is used to infect targets, several instances of PWOBot have been found masquerading as software programs.
Several organisations compromised by PWOBot are Polish, and the use of the Polish language in some malicious filenames could be a clue as to the nationality of the malware’s author(s). Because the malware is written in Python, its code can also be packaged to run on multiple operating systems.
Full write-up available here.
CryptXXX will scan for virtual machines and for mouse and keyboard input to avoid sandboxes. It also incorporates a timed delay before encrypting files, presumably to make it more difficult to figure out which sites are compromised by Angler.
The ransom price for CryptXXX is $500, which is fairly high. Given that Angler is the most commonly used exploit kit around and the payment page is available in numerous different languages, it’s a safe bet that the Reveton team are expecting a windfall.
The prolific Citadel botnet spawned from the trojan was particularly active from 2012 through 2013. In contrast to ZeuS, it stole information as well as money from businesses across Europe. By the time the malware’s creator was arrested, Citadel had infected 11 million machines and included around 7000 botted computers.
Atmos has rarely been seen in the wild, and is believed to be targeting French banks and delivering the Teslacrypt 4 ransomware.
Attack types & vulnerabilities
Four Element Sword malcode
Experts at Arbor Networks believe they discovered a malicious file builder used in targeted attacks against East Asian organisations. Named Four Element Sword by researchers, the tool is being used to create malicious Rich Text File (RTF) documents used by APT groups against human rights groups, Tibetans and Uyghurs.
The thread that ties these RTF documents to the Four Element Sword builder is their similarity in design and intended target. The documents leverage four separate vulnerabilities coupled with a malicious payload (normally spyware or a RAT) usually associated with Chinese actors. The RTF documents are then given a .DOC extension and sent as attachments in spear phishing emails.
Full write-up available here.
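The Four Element Sword documents described above are RTF files renamed with a .DOC extension, which Word opens by content type regardless of the name. A mail gateway or triage script can catch that mismatch by comparing the file’s magic bytes with what its extension claims. The following is an added example, not code from Arbor Networks or from this summary; the attachment bytes and file names are constructed for illustration.

```python
import os
from typing import Dict, Optional

# Constructed sample attachments (a few header bytes each, not real documents).
SAMPLES: Dict[str, bytes] = {
    "report.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Hello}",  # RTF body, .doc name
    "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,        # genuine OLE2 binary Word file
    "notes.rtf": b"{\\rtf1\\ansi plain}",                                     # RTF with honest extension
    "memo.docx": b"PK\x03\x04" + b"\x00" * 26,                                # OOXML zip container
    "photo.png": b"\x89PNG\r\n\x1a\n",                                        # not a document type we judge
}

# Magic-byte signatures for the container formats Word will open.
MAGIC = [
    (b"{\\rtf", "rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt compound file
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx/.pptx (OOXML)
]

# Which sniffed container each extension is allowed to carry.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}


def sniff(data: bytes) -> Optional[str]:
    """Return the container kind implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> Optional[bool]:
    """True if the content type contradicts the extension, False if consistent,
    None if either side is outside the set of formats this check understands."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    allowed = EXPECTED.get(ext)
    if allowed is None or kind is None:
        return None
    return kind not in allowed


def triage(samples: Dict[str, bytes]) -> Dict[str, Optional[bool]]:
    """Run the mismatch check over every attachment in a batch."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        label = {True: "MISMATCH", False: "ok", None: "unknown"}[verdict]
        print(f"{name:12s} {label}")
```

Only `report.doc` is flagged: it carries an RTF header under a .doc name, which is exactly the disguise the builder relies on. The check is deliberately conservative, returning None rather than guessing for types it does not recognise, so it complements rather than replaces full attachment sandboxing.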
JBoss Java Platform Backdoor
The SamSam ransomware distribution campaign that the FBI warned about in March led to the discovery of a vulnerability in the JBoss Java application platform. As SamSam became popular, it was suspected that its authors were using flaws in the JBoss infrastructure to infect machines. It can now be confirmed that over three million web servers are currently running outdated JBoss platforms that contain this vulnerability.
Researchers at the security firm Cisco traced the vulnerability to the JBoss penetration testing tool JexBoss, which has been available as open source on GitHub. According to Cisco researchers, the vulnerability operates as a de facto backdoor into the JBoss platform.
It is estimated that 2100 servers are already compromised, and it is simply a matter of time before the SamSam authors deliver a ransomware payload to these machines. With over 3 million more machines thought to be running the affected JBoss platform, this is a vulnerability with high risk potential. US-CERT has issued a global advisory warning about the danger.
For a more technical analysis of the vulnerability, the Cisco report is available here.
Some Amazon products contain links to malware
Security researcher Mike Olsen found that a set of video cameras listed on Amazon would send users to a malicious website when they logged into the cameras’ prebuilt monitoring webpage.
While looking at the HTML of the monitoring page, Mike discovered a hidden iframe that linked to a site flagged by Sucuri for distributing malware.
Aside from the obvious questions of when and how this iframe came to be, this case sets an interesting precedent (as far as we know). Infecting products with malware and selling them at a discount on a major service like Amazon would probably be an effective if costly method of distribution.
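The iframe Mike Olsen found was hidden in the camera’s monitoring page and pointed at an external domain, a pattern that can be checked for without relying on the destination already being on a blocklist. The following scanner is an added example, not code from the researcher or from this summary: it parses a page for iframes that are both hidden (zero size, `display:none`, `visibility:hidden`, or pushed off-screen) and served from a host other than the device itself. The sample page and the `.invalid` domains in it are constructed.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed stand-in for a camera's web interface: one legitimate stream frame
# plus two hidden frames pulling content from outside the device.
CONSTRUCTED_PAGE = """<html><head><title>Camera monitor</title></head>
<body>
<h1>Live view</h1>
<iframe src="/live/stream1" width="640" height="480"></iframe>
<iframe src="http://cdn.example.invalid/x.html" width="0" height="0" style="display:none"></iframe>
<iframe src="https://updates.example.invalid/u" style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Inline-style tricks commonly used to keep a frame out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _tiny(value: str) -> bool:
    """True for a width/height attribute of 1px or less."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Frame is invisible through the hidden attribute, a tiny box, or hiding CSS."""
    if "hidden" in attrs:
        return True
    if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def is_external(src: str, page_host: str) -> bool:
    """Frame source is an absolute URL whose host differs from the page's own host."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def find_suspicious_iframes(html: str, page_host: str) -> List[str]:
    """Return the src of every iframe that is both hidden and loaded from another host."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return [
        f.get("src", "")
        for f in parser.iframes
        if is_external(f.get("src", ""), page_host) and is_hidden(f)
    ]


if __name__ == "__main__":
    # The device's own address is an assumption for this constructed page.
    for src in find_suspicious_iframes(CONSTRUCTED_PAGE, "192.168.1.20"):
        print("hidden external iframe:", src)
```

Run against the constructed page with the camera’s address as `page_host`, the visible stream frame passes and both hidden external frames are reported. The structural check is a triage signal, not a verdict: a hit still warrants a reputation lookup of the destination, as Sucuri’s flag provided in this case.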
RIP Quicktime (for Windows)
Trend Micro discovered two critical vulnerabilities in QuickTime for Windows. US-CERT has issued an alert, noting that the only effective mitigation is to uninstall QuickTime, given that Apple has deprecated the software and will no longer provide bug fixes.
It’s curious that neither Apple nor Microsoft have been more open about QuickTime’s demise. The software is certainly ancient, but where would the harm have been in saying so?
Leak(s) of the month
Philippine voter database leak (update)
The voter database belonging to the Philippines’ Commission on Elections (COMELEC) that was posted online contains both encrypted and plain-text information, so a clear risk assessment is likely to take time. Though the risk has been played down by authorities so far, the breach is certainly one of the biggest to date.
Trend Micro’s investigation found 1.3 million records of overseas voters, including passport numbers (in plain text), as well as 15.8 million fingerprint records. A table named ‘ERB’ (which may stand for ‘Election Registration Board’) contains 54.28 million rows not marked as ‘disapproved’, a number that is very close to the number of registered voters listed in 2016. It appears that the data of overseas registrants was not encrypted, while the details of local voters in this part of the database were, with the exception of address and birthdate fields.
The COMELEC breach is highly worrying, given the obvious opportunity it presents for fraud and identity theft. With the elections on May 9th approaching, there is increasing pressure on COMELEC to secure their systems and make sure everything goes to plan.
The Daily Dot reported that 14.8 gigabytes of data belonging to Canadian mining firm Goldcorp have been stolen by hackers.
Sample data provided by the hackers contained correspondence, bank account and payroll details, phone numbers, email addresses and proprietary information. The hackers, who claim to be Russian but are as yet unidentified, have stated that more data dumps are on the way. These will include “14 months of company wide emails containing […] racism, sexism and greed.”
Goldcorp has confirmed that the breach took place and that the authorities have been notified.
Anonymous hit Kenyan government
Anonymous breached the servers of Kenya’s foreign ministry, stealing a trove of documents, some of which are confidential.
The attack took place as part of the #OpAfrica campaign, which is intended to protest against corruption and child abuse in African countries. According to one of the Anonymous hackers, the group stole a terabyte of data from Kenyan government servers and has released a part of that on the dark web. The leaked information includes internal business emails and security alerts from IT but not usernames or passwords.
It’s expected that a full release of these files will happen relatively soon.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.