Silobreaker Daily Cyber Digest – 01 July 2019
Author of Silex malware takes C2 server offline
- The C2 server leveraged by the previously reported Silex malware has been taken offline by the author.
- According to Larry Cashdollar, the original purpose for the malware was because the author, Light Leafon, was ‘trying to take down targets for other script kiddies who might be looking to build botnets and he was just getting sick of it.’
- Cashdollar suggests Light Leafon did not like the attention he was receiving, which made him stop the malware from spreading.
OSX/CrescentCore Trojan pretends to be Adobe Flash Player installer
- Researchers at Intego observed the OSX/CrescentCore Trojan being delivered on a [.]dmg disk image hidden as an Adobe Flash Player installer. The malware is distributed through various sites, primarily those hosting pirated content including cracked copies of software and pirated films.
- When the malware runs it checks to see if it is running inside a Virtual Machine. If the malware determines that no VM is present, it installs a LaunchAgent. Researchers also observed the Trojan installing rogue software called ‘Advanced Mac Cleaner’ as well as installing a malicious Safari browser extension.
- The authors of the malware identify themselves as ‘Lights’, the Apple developer ID can be traced to a user called ‘Sanela Lovic’.
Source (Includes IOCs)
Malicious spam campaign targeting Japanese users with URSNIF
- The Fortiguard SE group have discovered a phishing campaign targeting Japan and the Netherlands. It makes use of a malicious Excel attachment that includes anti-analysis and obfuscation techniques, in addition to an undocumented Excel variable called ‘xlDate’.
- The initial infection vector is Japanese spam emails masquerading as an invoice, with a spreadsheet containing malicious macros attached. Upon execution, an obfuscated PowerShell script will run, contacting a domain hosted in Russia to download and save a PE file. The file appears to be an URSNIF variant.
- A variety of Italian IP addresses are associated with the distribution of this spam – many of which have been spotted in other malicious campaigns. A proportionally significant amount of spam is also targeting the Netherlands, and this coincides with an uptick in URSNIF activity in this region.
Source (Includes IOCs)
New Dridex variant evading many antivirus solutions
- eSentire has reported on an ongoing campaign leveraging variants of Dridex that display polymorphism in DLL files, randomly generated URL directories and variables, giving them a low detection rate amongst AV solutions on VirusTotal.
- Initial access occurs via spam emails containing attachments with malicious macros. The macros use an application whitelisting bypass technique described in 2018 by Casey Smith. Successful execution will download a Dridex installer.
Source (Includes IOCs)
New blogname hacking attack targeting WordPress sites
- Sucuri analyst Kaushal Bhavsar discovered a new campaign that adds ‘1800ForBail’ or ‘1800For Bail – One+Number’ keywords to the titles of vulnerable WordPress sites. The majority of sites were hacked after June 12th, 2019.
- This new type of ‘blogname attack’ is similar to the recently observed ‘siteurl attacks,’ in which hackers exploit vulnerabilities in WordPress plugins to change URLs of static resources, which allows for malicious code to be loaded instead of legitimate scripts.
- This campaign comprises two separate attacks, the first one redirecting visitors to scam sites, such as tech support or push notification scams, whilst the other uses the black hat SEO technique of changing the titles of blogs to gain more visibility for the brand of the ‘bail service,’ an approach recently observed in a Korean spam campaign.
Extortion scam attempts to trick users into believing their system is infected with a RAT
- Bleeping Computer reported that scammers are sending emails claiming that the EternalBlue exploit has been used to install a RAT on a target’s device. The email contains the subject line ‘Security Alert. Your account was compromised. Password must be changed’ and claims that users have been recorded via their webcam whilst they have been watching pornography.
- The extortionist behind the campaign demands $600 in cryptocurrency to erase the ‘collected’ data. The Bitcoin wallet associated with the scam shows that there has already been one payment of $600.
Android Horror game app phishes for sign in details
- Wandera researchers discovered the ‘Scary Granny ZOMBYE Mod: The Horror Game 2019’ stealing users’ details. The app has over 50,000 downloads on Google Play Store and was available up until June 27th, 2019.
- The malicious functions of the app were contained behind a time release function and only ran on older versions of Android OS. When the malicious function activated, the app ran a phishing attack, overlaying the screen and asking users to sign into their Google accounts. If a user entered their information, the app proceeded to scrape the users Google account for their recovery email, recovery number, date of birth, and more.
- The app also displays persistent ads created by the app authors that pretend to be from Facebook, Amazon, Hulu, and more. Researchers believe that these fake ads are attempting to fool users into downloading additional malware.
QR codes used in phishing campaign to avoid URL analysis
- Researchers at Cofense observed an email with the subject ‘Review Important Document’ which contained a QR code with an embedded URL. A target who scans the code will be redirected to the malicious site via their phone’s browser.
- The malicious site asks users to sign into AOL, Microsoft, or ‘other’ account services. The attack was targeted against Cofenese customers in the financial sector.
Trend Micro discover Golang-based spreader used in crypto-mining campaign
- Trend Micro researchers discovered that Golang-based malware is being used in a new campaign that propagates by scanning for machines running vulnerable software. The malware searches for several entry points to spread between systems using the common SSH service and several exploits.
- The Golang based spreader known as Goscan Trojan, scans for SSH, Misconfigured Redis servers, ThinkPHP exploits, Drupal exploits, and the Atlassian Confluence server exploit tracked as CVE-2019-3396. Once malware reaches the system, it connects to Pastebin to download the dropper component detected as Squell Trojan, which attempts to infect other systems via SSH, disabled security tools and clears command history and logs. In addition, Squell Trojan kills any other cryptomining activity and sets up a cron job that executes the latest version of malware from Pastebin, for persistence.
- The dropper downloads a TAR file that contains the miner payload, the Golang-based scanner and other components.
Source (Includes IOCs)
Campaign involving fake web browser updates detected
- A researcher at Malware-Traffic-Analysis detected a new campaign pushing the Chthonic banking trojan via fake Firefox, Flash and Google Chrome updates. By accepting the fake update, a malicious download installs the trojan on the victim’s device.
PreAMo malware puts mobile cryptocurrency users at risk
- Researchers at ESET have discovered a strain of PreAMo malware that had the potential of targeting millions of Android users. The malware was distributed through Android applications offered on the Google Play Store.
- The malware had the ability to read notifications on infected devices and thus bypass two-factor authentication methods. This specifically posed a threat to mobile cryptocurrency users, who mostly rely on two-factor authentication methods to approve their transactions.
- The application has been removed from the Play Store, but it is unclear how many users have been affected by it.
Leaks and Breaches
Summa Health informs patients of data breach
- Ohio-based health system Summa Health is informing its patients of a data breach that was discovered on May 1st, 2019. A total of four employee email accounts were accessed by an unauthorized party, the first two in August 2018 and the other two between March 11th and March 29th, 2019, potentially revealing personal information of more than 500 patients.
- Breached data includes the names, dates of birth, medical records, patient account numbers, as well as clinical and treatment information of Summa Health patients. A small number of patients’ health insurance information, including Social Security numbers, may also have been accessed.
Recruitment firm MEGT exposes sensitive data
- UK privacy advocate Gareth Llewellyn discovered an open Amazon Web Services S3 bucket belonging to the Australian-based recruitment and training group MEGT, which has left 143,000 records containing sensitive data about the firm’s apprentices exposed. The leaked data includes passport scans, visa details, employment agreements and performance warning. The bucket has been secured.
Data Management firm Attunity exposes data of Netflix, TD Bank, Ford, and more
- Researchers at UpGuard found three exposed Amazon S3 buckets on May 13th, 2019. The buckets were publicly accessible and named ‘attunity-it,’ ‘attunity-patch’ and ‘attunity-support.’
- Researchers downloaded about a terabyte of data from the ‘attunity-it’ bucket, this included 750 gigabytes of compressed email backups. OneDrive accounts, email correspondence, system passwords, project specification, and more were also available. The first sensitive data was uploaded to the bucket in September 2014, and files were being uploaded days prior to the researcher’s discovery.
- Software company Qlik acquired Attunity in May 2019, and stated that an investigation was underway and at this point it appears that the data was only accessed by UpGuard researchers.
Creator of gay dating app fined $240,000 for leaking private photos
- The company, Online Buddies Inc, has been fined $240,000 after the company failed to respond to a vulnerability report that its users’ private photos were publicly available for a year. The private photos, including nudes, were discovered open to the public on an AWS S3 server without a password or any security.
Homeless shelter targeted by ransomware attack
- Father Bill’s and MainSpring, a Brockton-based homeless shelter, announced on July 25th, 2019, that it had suffered from a ransomware attack earlier in the year on April 11th, 2019.
- The organisation’s anti-virus software managed to stop the attack before it could inflict any damage. According to CEO John Yazwinski, personal information stored on the shelter’s electronic devices were not compromised.
Karachi University alumni’s data supposedly leaked
- On July 1st, 2019, it was stated that Karachi University’s former examinations controller may have allowed unauthorized individuals to access ten years’ worth of former students’ examination details. The university’s vice chancellor has composed an inquiry committee in order to get more details on the allegation.
Medtronic plc recalls insulin pumps due to serious vulnerabilities
- The pumps were recalled due to concerns over their safety following security alerts from the Food and Drug Administration (FDA) and ICS-CERT. The pumps contain an improper access control vulnerability that reportedly cannot be fixed with a software patch.
- The flaw results in the wireless RF communication protocol, that the pumps use to communicate with companion devices, failing to properly authenticate or authorise users. These devices include blood glucose meters, glucose sensor transmitters, remote controllers and CareLink USB devices.
- The flaw could be exploited by threat actors to interfere with wireless communications and allow them to connect to the devices, read sensitive data, change pump settings and control insulin delivery. The affected pumps are the MiniMed508 and MiniMed Paradigm series pumps, which are used by approximately 4,000 patients.
Ultraloq smart lock by U-tech found to be insecure
- Researchers have discovered that the keyless smart door lock Ultraloq could allow attackers to track down the location of the lock, which they could easily pick, virtually and physically. Ultraloq is a Bluetooth fingerprint and touchscreen door lock that allows users to use their fingerprints or a PIN to enter buildings, with an app that can be used locally or remotely to gain access.
- Researchers from Pen Test partners discovered that the API used by the mobile app leaked enough personal data from the user account for an attacker to discover the physical location of the Ultraloq device being used. U-tech fixed the issue, however, a Bluetooth Low energy issue remained that could allow an attacker to crack open the lock using a brute force credential attack.
- The flaws could lead to a full compromise of all Ultraloq locks connected to the cloud service and allows attackers to retrieve the BLE encryption key and possibly all user PINs. In addition to these flaws, the physical lock itself is reportedly also easily picked using a ‘thin pick’.
At least one vulnerability found in every fifth Docker container
- Looking at the top 1,000 containers from Docker Hub, security researcher Jerry Gamblin found that a large number of the most popular Docker containers have vulnerabilities, with 20% of the files having at least one vulnerability considered to be high risk.
- The Docker with the highest amount of vulnerabilities had a total of 2,004, whilst the oldest container had over 431 open vulnerabilities. Generally, the Docker files containing the majority of vulnerabilities seem to be abandoned or end-of-lifed.
Microsoft Teams desktop app can be used to download and run malicious software
- Security researchers Adam, Mr.Un1k0d3r and Reegun Richard all reported the vulnerable endpoint that was exploitable in Microsoft Teams.
- The application runs on the open source Squirrel project which is used to install and update routines which use the NuGet package manager to create files. The researchers discovered that using the update command allowed for executions of an arbitrary binary in the context of the current user. This allowed a payload to be added to the Microsoft Team folder which could be automatically executed.
- On GitHub, WhatApp, and UiPath the exploit partially works, as the payload can be downloaded from a remote server, but it cannot be executed.
Bulgarian police arrest IT expert after demonstration of security flaw
- IT expert Petko Petrov was arrested by the Bulgarian police after he publicly demonstrated exploiting a flaw in the software used by local kindergartens. Petrov exploited the flaw to download the details of 235,543 citizens of Stara Zagora, Bulgaria. He then published a video of his proof-of-concept on Facebook, and posted a link to a Github repository containing the POC code.
- The Department Civil Registration and Administrative Services (GRAO) stores personal information of citizens including names, addresses, deaths, parentage, passport data, marital statuses, nationality and relatives.
- Petrov is accused of illegally obtaining government information under Article 319A of the Bulgarian Criminal Code. He was arrested and detained for 24 hours before being released.
German authorities shut down major online narcotics market
- German authorities announced on June 28th, 2019 they had shut down Germany’s largest online narcotics market ‘Chemical Revolution’ and arrested 11 suspects ‘for the purchasing, packaging, transport and distribution of narcotics’. Chemical Revolution started operations in September 2017.
- The group behind the website is believed to have also sold illicit drugs on Wall Street Market, the world’s second-largest Darknet forum that was shut down by German authorities in May 2019.
Bitsane crypto exchange disappears
- Account holders’ first reported issues in May, stating that they were unable to withdraw Bitcoin, XRP, and other cryptocurrencies. On June 17th, 2019, the company’s website, Twitter and Facebook disappeared. Users were also unable to contact the company via email.
- Users in the Bitsane Telegram and Facebook group reported losing up to $5,000. Forbes spoke to one US user who claims to have lost $150,000 worth of XRP.
- Bitsaine had 246,000 registered users on May 30th, 2019 and as of March 31st, 2019, had a daily trading volume of $7 million.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.