Silobreaker Daily Cyber Digest – 01 November 2019
APT41 target SMS traffic with MESSAGETAP malware
- Threat Researchers at FireEye identified an APT41 campaign, beginning in 2019, that targeted four telecommunication network providers with a 64-bit ELF data miner named MESSAGETAP. The Chinese APT group have previously been involved in state-sponsored espionage attacks and financially motivated operations.
- This recent campaign was discovered following an intrusion into a telecommunication network. The targeted network used a cluster of Linux servers as Short Message Service Centre (SMSC) servers. SMSC servers are used to route SMS messages to recipients or store them until they can be sent to the end-user. APT41 installed MESSAGETAP onto these SMSC servers.
- The malware monitors all network connections to the server and looks for International Mobile Subscriber Identity (IMSI) numbers and specific phone numbers. MESSAGETAP also monitors for SMS messages that contain keywords of interest to Chinese intelligence.
Source (Includes IOCs)
QNAP NAS devices targeted with QSnatch malware
- Researchers at NCSC-FI issued a report on new malware, dubbed QSnatch, that is designed to target QNAP NAS devices. The German Computer Emergency Response Team (CERT-Bund) has reported 7,000 infections in Germany.
- The infection method is unclear; however, the researchers did discover that following the initial compromise, malicious code is injected into the firmware of the targeted system.
- The injected code then runs as part of the device's normal operation, and a domain generation algorithm is used to retrieve additional malicious code from the attackers' C2. QSnatch can perform a range of functions, including exfiltrating usernames and passwords, preventing the QNAP MalwareRemover app from running, and more.
New phishing campaign targets users with fake salary increase emails
- Cofense researchers detected a new phishing campaign involving emails claiming that an employee’s salary was increased. The emails contain what appears to be a link to a spreadsheet containing details on the increase. In reality, the link redirects victims to a fake Office365 login page that attempts to phish their credentials.
Emotet Trojan operators attempt to lure victims with Halloween party invite
- Security researchers at Cryptolaemus and Cofense Labs identified a series of Halloween-themed party invitation emails distributing the Emotet trojan. The spam emails state that the details of the party are contained within an attached Microsoft Word document.
- Targets who open the attached document will be prompted to ‘Enable Content’. Users who comply with the request will install the Emotet trojan on their device. Emotet can install other malware on the victim’s computer and send spam from the infected machine.
Android keyboard app found to be performing unwanted purchases
- Upstream researchers discovered that the popular Android keyboard app, ai.type, has been making unauthorized purchases of premium digital content without users’ knowledge. The app contains software development kits with hardcoded links to ads and will automatically perform clicks to subscribe unsuspecting users to premium services.
- The app conducts its malicious activity in the background and was observed disguising itself as other popular apps, such as SoundCloud. Suspicious activity was detected in 13 countries, with the largest volumes detected in Egypt and Brazil.
- The app has since been taken down from the Google Play Store but remains available on other Android app marketplaces. It has been downloaded over 40 million times.
Gafgyt botnet abuses range of vulnerabilities in IoT devices to target gamers
- Researchers at Palo Alto Networks Unit 42 identified an updated variant of the Gafgyt botnet, which is currently being used to attack servers hosting popular games such as Fortnite. The updated botnet attempts to exploit vulnerabilities in Zyxel, Huawei, and Realtek routers in order to add them to the botnet.
- The affected devices are the Zyxel P660HN-T1A (CVE-2017-18368), the Huawei HG532 (CVE-2017-17215), and devices built on the Realtek RTL81XX chipset (CVE-2014-8361).
- The botnet can perform multiple DoS attacks simultaneously. Attack types include HTTP flooding attacks, HTTPCF attacks which target Cloudflare, KILLER and KILLATTK attacks which kill rival botnets, and VSE attacks which target servers running the Valve Source Engine.
- The researchers found that botnet operators were using Instagram to sell a ‘spot’ on their servers for prices ranging from $8 to $150. Buying a ‘spot’ would allow a purchaser to add IP addresses which the botnet will then launch DoS attacks against.
Source (Includes IOCs)
New Calypso APT targets state institutions
- Researchers at Positive Technologies discovered a new advanced persistent threat (APT) dubbed Calypso. They first detected Calypso activity in March 2019 and believe the group has been active since at least September 2016.
- The APT is suspected to be of Asian origin and has targeted governmental institutions in Brazil, India, Kazakhstan, Russia, Thailand and Turkey. Their primary goal is the theft of confidential data.
- In one attack, Calypso was spotted using its own custom malware, Calypso RAT, alongside the PlugX and Byeby trojans. The researchers provide a full technical analysis of the observed attacks.
Source (Includes IOCs)
Leaks and Breaches
Marriott International notifies associates of data breach
- On October 30th, 2019, Marriott International began to notify associates that their personal information may have been exposed in a data breach incident. The company stated that an unknown party gained access to confidential information held on the system of an outside vendor. The vendor handled official records such as subpoenas and court orders for Marriott. The company became aware of the incident on September 4th, 2019. At least 1,552 individuals are impacted by the breach.
Six service providers suffer ransomware attacks
- Researchers at Armor have reported on six different breaches against managed and cloud-based service providers across the US. These include SchoolinSites, TrialWorks, MetroList, CorVel, Billtrust and another unnamed MSP. Each of these providers serves thousands of different companies and organisations, and some of the MSPs have issued public statements.
- MetroList reportedly paid a $10,000 insurance deductible toward a ransom payment, and the unnamed MSP also paid an undisclosed ransom. TrialWorks reported that 5% of its customers were prevented from accessing its platform for several days, whilst Billtrust stated that, whilst it could not disclose the ransomware strains, its security and back-up procedures were instrumental in restoring services.
Online tutorial platform Vedantu accused of data breach
- The Bengaluru-based platform has been accused by the data breach notification service Have I Been Pwned of exposing 687,000 records in July 2019. The exposed information includes IP and email addresses, names, phone numbers, genders and hashed passwords.
- Vedantu is investigating the accusation.
Virginia Department of Behavioural Health notifies 1,400 patients of data breach
- The information was allegedly exposed when patients applied for aid via the department’s Individual and Family Support Program.
- All 1,442 affected people have been notified of the breach. Specific details on the information exposed have not yet been reported.
Google patches Chrome zero-day flaw exploited in the wild
- Google released an urgent update addressing an actively exploited vulnerability, tracked as CVE-2019-13720, in Chrome’s audio component. The flaw is a use-after-free issue discovered by researchers at Kaspersky Lab.
- Google’s security update also patched a use-after-free bug in PDFium, tracked as CVE-2019-13721.
US Department of Homeland Security publishes report on Hoplight trojan
- The Department of Homeland Security, the Federal Bureau of Investigation and the Department of Defense identified a variant of the Hoplight trojan being used by the North Korean government-backed group known as Hidden Cobra (also known as Lazarus Group).
- The Malware Analysis Report includes descriptions of the identified malware, suggested responses and recommended mitigations. In addition, the report contains analysis of 20 malicious executable files, 16 of which are proxy applications that disguise traffic between the remote operators and the malware.
Source (Includes IoCs)
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.