Silobreaker Daily Cyber Digest – 01 April 2019
Researchers decrypted Qrypter malware
- Cybaze-Yoroi ZLab researchers recently detected a new campaign targeting Italian-speaking victims and infecting them with Qrypter malware.
- In a blog post, the researchers provide a technical analysis of Qrypter, noting that this sample makes intensive use of reflection techniques and a state-machine approach.
Source (Includes IOCs)
Phishing kit discovered hosted on Nigerian government website
- For over two weeks the Nigerian National Assembly’s (NASS) site has been hosting a fraudulent page that asks for DHL credentials. The phishing resource is present on several legitimate websites that have been hacked to host it, in addition to domains that appear to have been registered for DHL phishing purposes.
- Many of the sites triggered the ‘Deceptive site’ warning in Chrome and Firefox; however, not all of the sites have yet been indexed as unsafe. The only fields available to fill in are for entering login data for DHL accounts, which, when submitted, trigger a pop-up stating that the password may be incorrect.
- MalwareHunterTeam discovered a history of malicious URLs available on the official NASS website domain. In this instance, the phishing kit is older, dating back to June 2017, and is present on hundreds of websites.
BatMobi adware discovered affecting Google Play apps
- Malwarebytes Labs has been alerted to an issue with ad redirects, which they have linked to the adware BatMobi. BatMobi is an ad SDK that connects applications to ad networks by being inserted into an app’s code, with the goal of generating revenue through ads.
- The newly discovered BatMobi variant was located in Google Play, popping up whenever an app was updating or installing in Google Play. BatMobi uses Chrome Custom Tabs in its code to open websites in Google Play when triggered.
- The websites that BatMobi redirected to aren’t malicious in themselves but are a nuisance for users.
Man from Georgia hacks into hundreds of Apple accounts
- Kwamaine Jerell Ford of Dacula, Georgia, has admitted to tricking victims into revealing their Apple account passwords and accessing their accounts to steal sensitive data. Ford targeted college and professional athletes, including NBA and NFL players and rappers, with a phishing scheme.
- The phishing scheme involved spoofing the legitimate Apple customer service, and sending thousands of phishing emails to victims, asking for login details. Once accounts were accessed, Ford changed the account passwords and contact email addresses, forcing victims to contact Apple to prove their identity.
- Ford reportedly stole several credit card numbers and spent thousands of pounds on athletes’ accounts. In addition, hundreds of unauthorised logins to Apple accounts were recorded.
Trend Micro assess attacks using Emotet against hospitality industry
- Trend Micro has detected Emotet malware distributing Nymaim malware, which subsequently loads Nozelesn ransomware. In this instance, Emotet was detected on monitored endpoints in the hospitality industry.
- Trend Micro’s analysis found that a malicious document was propagated via email, which opened in Microsoft Word and downloaded via Google Chrome. The malware continuously connected to multiple IP addresses to download further malware that it executed on the system.
- Two files were created with random filenames, which were identified as Nymaim and Nozelesn ransomware. Trend Micro assess that it is possible that Nymaim was used in this case to download Nozelesn ransomware, using fileless execution to load it to the machine’s memory.
Source (Includes IOCs)
Hackers using hacked WordPress and Joomla sites to drop malware
- Zscaler security researchers found a malware campaign targeting websites running on WordPress and Joomla content management systems, infecting them with Shade ransomware.
- According to the researchers, attackers are making use of a hidden directory on HTTPS and exploiting vulnerabilities in extensions, plugins, and themes installed on the website to compromise them and ultimately infect them with Shade ransomware, adware, and coinminers, or to create duplicate phishing pages.
- The targeted HTTPS directory is used by website owners to verify their domain’s ownership by providing certification authority with a code for validation purposes.
Source (Includes IOCs)
Leaks and Breaches
Toyota security breach exposes data relating to 3.1 million clients
- Multiple Toyota and Lexus sales subsidiaries have suffered a data leak that has resulted in the compromise of roughly 3.1 million Toyota customers’ data.
- A press release has stated that unauthorised access was detected on the computer systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. The data leaked does not include credit card details.
- Security researchers have assessed that this breach is part of a wider large scale coordinated operation by APT32.
Earl Enterprises admit data breach affecting 2 million customer payment cards
- Brian Krebs from KrebsOnSecurity first discovered the data breach in February 2019 when Buca di Beppo’s customers’ debit and credit cards were being auctioned on the Joker’s Stash underground marketplace. Upon discovery, Krebs alerted the Italian restaurant chain, which is a subsidiary of Earl Enterprises.
- The parent company has now confirmed that a 10-month data breach has been fixed and was the result of malware installed on point-of-sale systems between May 2018 and March 2019.
- The breach affected 67 Buca di Beppo locations in the US, Earl of Sandwich locations, Planet Hollywood in Las Vegas, New York and Orlando, Tequila Taqueria in Las Vegas, Chicken Guy! in Disney Springs, and Mixology in Los Angeles.
Bithumb cryptocurrency exchange hacked for third time in past 3 years
- The South Korean cryptocurrency exchange admitted a hack that appears to have resulted in the theft of 3 million EOS, worth roughly $13.4 million, and 20 million Ripple coins, worth approximately $6 million.
- Bithumb told users that all stolen funds were from a company-owned wallet and that all user funds are safe.
- The exchange was previously hacked in July 2017 and June 2018. The second hack was attributed to the Lazarus Group.
Critical flaw discovered in Cisco WebEx browser extensions
- The flaw, tracked as CVE-2019-3823, could allow attackers to execute arbitrary code with the privileges of the affected browser on Windows PCs that have specific browser extensions installed. Vulnerable extensions include Cisco WebEx Meetings Server and Cisco WebEx Centers, including Meeting Center, Event Center, Training Center and Support Center.
- The flaw is the result of a design defect in an API response parser within the plugin. In order to exploit the flaw, an attacker only needs to convince an affected user to visit a malicious web page or follow an attacker-supplied link with an affected browser.
Two zero-day flaws found in Microsoft Edge and IE browsers
- Security researcher James Lee discovered two vulnerabilities that allow an attacker to bypass same-origin policy on a victim’s web browser.
- According to Lee, ‘the issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection.’
- The researcher also released a proof-of-concept exploit for each of the vulnerabilities.
Authenticated arbitrary command execution on PostgreSQL
- CVE-2019-9193 allows specific database users to gain arbitrary code execution in the context of the user running the Postgres instance. The flaw affects all versions of PostgreSQL from 9.3 to the latest 11.2 on Windows, Linux and Mac operating systems.
- These versions include new functionality for the ‘copy to/from program’, which allows the database superuser and any user in the ‘pg_read_server_files’ group to run arbitrary operating system commands. Therefore, there is no separation of privilege between a database superuser and the user running the database on the operating system.
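As an added example (not from the digest or from PostgreSQL’s own advisory), the audit query below lists every login role on a PostgreSQL 11 instance alongside whether it is a superuser or a member of the predefined roles that PostgreSQL 11 ships for server-side file and program access (‘pg_read_server_files’, ‘pg_write_server_files’ and ‘pg_execute_server_program’). This is the check a DBA would run to see which accounts fall into the trust boundary the item describes; it assumes PostgreSQL 11, since those predefined roles do not exist on 9.x and the query would error there.

```sql
-- Added audit example, not code from the digest or from PostgreSQL.
-- Assumes PostgreSQL 11 (the predefined pg_*_server_* roles were added in 11).
-- Lists each login role and whether it is superuser or a member of the
-- roles that grant server-side file access and COPY ... PROGRAM execution.
SELECT r.rolname,
       r.rolsuper                                                  AS is_superuser,
       pg_has_role(r.oid, 'pg_read_server_files',     'MEMBER')   AS read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',    'MEMBER')   AS write_server_files,
       pg_has_role(r.oid, 'pg_execute_server_program','MEMBER')   AS execute_server_program
FROM   pg_roles AS r
WHERE  r.rolcanlogin                      -- only accounts that can actually connect
  AND  r.rolname NOT LIKE 'pg\_%'          -- skip the predefined roles themselves
ORDER  BY r.rolsuper DESC, r.rolname;

-- Mitigation for any row that should not have these rights: remove the
-- membership (hypothetical role name 'app_reporting' used as a placeholder).
REVOKE pg_execute_server_program FROM app_reporting;
REVOKE pg_read_server_files      FROM app_reporting;
```

Any row with ‘is_superuser’ or ‘execute_server_program’ set to true can run operating system commands as the account the Postgres server process runs under, which is the lack of privilege separation the item refers to; application accounts should normally show false in every column.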
Debian patches multiple flaws in Thunderbird mail client, and Twig and Dovecot packages
- The vulnerabilities could lead to denial of service, information disclosure and arbitrary code execution. In total, 8 flaws were patched in the Thunderbird mail client, one flaw in the Twig template engine for PHP, and one flaw in the Dovecot email server.
Skylight Cyber release MAC addresses targeted by ASUS supply chain attack
- The list includes most of the MAC addresses that were used by the hacker group behind Operation ShadowHammer to target ASUS customers with a backdoored version of the ASUS Live Update Utility, reported last week.
- Skylight were able to extract the MAC addresses by reverse-engineering the offline tool released by Kaspersky. In addition, Qihoo analysed the MAC addresses and published a chart detailing the network interface controller (NIC) vendors behind the MACs targeted in the attack.
- Following reports on Operation ShadowHammer, F-Secure have published an in depth analysis of the attack, including attack timelines and observations made from the targeted MAC addresses.
Former NSA contractor pleads guilty to top secret data theft
- Harold Martin III, of Glen Burnie in Maryland, has pled guilty to the ‘wilful retention of national defence information’, despite previously denying all charges. Martin worked at multiple private contracting companies from December 1992 to August 2016, possessing clearance to handle Top Secret and Sensitive Compartmented Information (SCI).
- Martin is allegedly guilty of stealing up to 50TB of data over a 20-year period, storing it in his home and his car. Connections have allegedly been made between Martin and The Shadow Brokers data dump of classified NSA hacking tools.
- In addition, he has allegedly attempted to communicate over Twitter with Kaspersky Lab, sending five cryptic messages requesting a meeting with the founder, Eugene Kaspersky. Kaspersky alerted the FBI to the messages, resulting in a raid on Martin’s home and the discovery of the stolen documents.
Investigator believes Amazon chief’s phone was hacked by Saudi authorities
- Gavin de Becker, who was hired to investigate the release of intimate images of Jeff Bezos, has concluded that Saudi authorities hacked the Amazon Chief’s phone to access his personal data. Becker also linked the attack to the coverage published by The Washington Post, owned by Bezos, of the murder of the Saudi journalist Jamal Khashoggi at the Saudi consulate in Istanbul.
- Bezos has accused Enquirer publisher American Media Inc of blackmail, for threatening to publish the stolen photos if he did not end the investigation. Bezos continued the investigation and published copies of emails from AMI.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.