Threat Reports

Silobreaker Daily Cyber Digest – 01 October 2019

 

Malware

New strain of IoT malware discovered

  • Security researcher unixfreaxjp discovered a new malware, dubbed AirDropBot, that affects Linux-based IoT devices and spreads like a worm, currently targeting Lynksys tmUnblock[.]cgi routers.
  • AirDropBot was discovered when investigating binaries related to a denial-of-service bot client that is part of a distributed denial-of-service botnet. The malware has original coding, different from previously observed botnets. However, according to the researcher, it is not well developed yet.
  • A full technical analysis of the discovered binaries is available on the MalwareMustDie blog.

Source (Includes IOCs)

 

Ongoing Campaigns

Revenge RAT observed targeting Italian users

  • Researchers at 360 Total Security discovered a campaign targeting Italian users to deliver Revenge RAT. The campaign involves threat actors sending phishing emails containing malicious Excel documents, which use PowerShell to download the malicious script.
  • The malicious script is capable of tampering with Microsoft Office security settings, including the ‘Macro Settings’, as well as bypassing the Antimalware Scan Interface using the Patch AmsiScanBuffer function.
  • Once all security settings are bypassed, the script decrypts the malware’s remote-control function. Revenge RAT has multiple capabilities, including file management, remote desktop, recording, keylogging, command execution, and more.

Source

 

OpenDocument file format used to bypass antivirus detection

  • Researchers at Cisco Talos identified a series of attacks that employed the OpenDocument (ODT) file format to bypass antivirus detection and deliver malware. ODT is a ZIP archive with XML-based files and is used by Microsoft Office, Apache OpenOffice and LibreOffice.  Antivirus software views ODT files as standard archives and fails to properly check them for malware. The researchers also found that some sandboxes treat the files as an archive and fail to open them, allowing malware to pass undetected.
  • The researchers discovered an attack targeting Microsoft Office with ODT documents containing embedded OLE objects. The attackers were targeting Arabic and English speakers. Both campaigns deployed HTA files which connected to an Arabic file-hosting platform. Arabic speakers became infected with njRAT, whereas English speakers downloaded RevengeRAT.
  • A second attack also targeted Microsoft Office users with a ODT file containing an OLE object. When the OLE executed it delivered a series of packers to the victim’s machine before delivering AZORult.
  • A third campaign was discovered targeting OpenOffice and LibreOffice. Malicious code contained within StarOffice basic was used to download Metasploit payloads. The researchers stated that they failed to discover what the final payload was.

Source (Includes IOCs)

 

New IoT botnet discovered targeting European users

  • SecNiche Security Labs researchers discovered a new IoT botnet, called Gucci, that is targeting devices in Europe to engage them in a DDoS-capable botnet. Multiple architectures are targeted by the malware, including ARM, x86, MIPS, PPC, M68K, and others.
  • The binaries observed by the researchers also showed that they originate from a server located in the Netherlands and that the operators removed all debug symbols from them, reducing their size. However, all the binaries were obfuscated.
  • The researchers managed to gain access to Gucci botnet’s C2, which showed that the botnet was designed to support multiple types of DDoS attacks, including HTTP null scan, UDP flood, SYN flood, and more. According to the researchers, the botnet is still in its early stages of development, yet is capable of launching targeted and broad attacks.

Source

 

PDFex attack can be performed on desktop and web PDF viewers to extract encrypted PDF data

  • A team of academics developed two attack methods that can be used to extract data from encrypted PDF files. The attack recovers plaintext data by using exfiltration channels based on standard-compliant PDF encryption processes.  
  • The researchers tested their attacks against 27 desktop and web PDF viewers including Adobe Acrobat, Chrome, and Firefox’s PDF viewer. Their findings showed that all 27 readers were vulnerable to at least one of the two attack types. In some cases, the attack could be performed without user interaction.
  • A complete analysis of both attacks is available on the researcher’s blog and in their paper ‘Practical Decryption exFiltration: Breaking PDF Encryption’.

Source 1 Source 2

 

eGobbler malvertising group infects over 1 billion adverts

  • Researchers at Confiant discovered a threat actor, dubbed eGobbler, employing a new exploit that targets the WebKit browser engine on Safari and older versions of Chrome. 
  • The group’s activity typically lasts for a short period of time during which they buy adverts and inject them with malicious code. The code allows them to then perform malicious actions inside a user’s browser such as displaying pop-up ads or redirecting users to malicious sites or downloads. 
  • The WebKit flaw exploits the ‘onkeydown’ JavaScript function that executes on each keypress. The group have been exploiting this to display pop-ups to targets as soon as they interact with a site by pressing a key. eGobbler is primarily targeting users in Europe and has shipped malvertising code with up to 1.16 billion impressions between August, 1st, 2019 and September 23rd, 2019.
  • The group previously exploited a vulnerability, tracked as CVE-2019-5840, in Chrome on iOS. This flaw was patched with the release of Chrome 75 in June 2019. 

Source 1 Source 2 (Includes IOCs)

 

Leaks and Breaches

Wood Ranch Medical due to close following ransomware attack

  • California-based Wood Ranch Medical announced it will close its office on December 17th, 2019, after a ransomware attack that occurred on August 10th, 2019, resulted in the loss of their patient records and backups.
  • The clinic’s notification states that the clinic does not believe any patient information was stolen, however, potentially accessed data includes patients’ names, addresses, dates of birth, medical insurance and related health information.

Source

 

CHI Health Lakeside Hospital hit by ransomware attack

  • CHI Health Lakeside Hospital suffered a ransomware attack on August 1st, 2019, that targeted a database storing electronic health records of its orthopaedic clinic patients prior to April 2016.
  • The hospital does not believe any patient information has been misused, however, potentially exposed data included names, dates of birth, Social Security numbers, phone numbers, addresses and medical information.

Source

 

FBI investigates cyberattack against Meridian Lightweight Technologies

  • Local authorities have involved the FBI in an investigation into a cyberattack on the Ontario-based Meridian Lightweight Technologies. Employees have been asked to refrain from connecting laptops to the company’s network, however,further details of the nature of the attack remain unknown. The company stated that it continues to operate normally.

Source

 

Data of over 170,000 Comodo Forum users stolen

  • A vulnerability in vBulletin software, which is used to power one of Comodo Forum’s boards, was exploited by hackers on September 29th, 2019. It was exploited to steal the details of over 170,000 users. Exposed information includes usernames, names, email addresses, potentially social media usernames, and more.
  • The stolen data then appeared on a site where users sell or exchange data gathered from breaches or leaks. The user who advertised the database stated that it contained passwords that were hashed using the MD5 algorithm. Bleeping Computer viewed a portion of the database and confirmed its authenticity.
  • ITarian forum, which uses vBulletin and is also by Comodo, posted a similar notice which warned users of a data breach incident. The forum has 45,300 users.

Source

 

Victorian hospitals impacted by ransomware attack

  • On September 30th, 2019, hospitals in the Gippsland Health Alliance and the South West Alliance of Rural Health were hit by a ransomware attack. The incident affected patient records and booking and management systems. Impacted hospitals have disconnected from the internet in an attempt to isolate the malware.
  • The Victorian Department of Premier and Cabinet stated that at present there is no evidence to suggest that patient information has been accessed.

Source

 

Vulnerabilities

High-risk vulnerability found in PHP

  • The Center for Internet Security’s MS-ISAC warned of a vulnerability found in PHP that could allow an attacker to execute arbitrary code to install programmes, view, change or delete data, or create new accounts with full user rights. Failed exploitation of the flaw could also lead to a denial-of-service condition. Users are advised to upgrade to the latest version of PHP.

Source

 

Two vulnerabilities found in QNX operating system

  • Security researchers discovered two vulnerabilities, tracked as CVE-2019-8998 and CVE-2019-13528, in BlackBerry’s QNX operating system that a local user could exploit to escalate their privileges. The flaws affect BlackBerry QNX SDP versions 6.5.0 SP1 and earlier.
  • The QNX operating system is used in Tridium’s Niagara products and the vulnerabilities affect Niagara AX 3.8u4, Niagara 4.4u3 and Niagara 4.7u1. Tridium released updates for the affected products.

Source 1 Source 2

 

Exim patch critical vulnerability that could cause a DoS or RCE attack

  • QAX-A-TEAM identified a critical vulnerability, tracked as CVE-2019-16928, in Exim mail transfer agent software versions 4.92 to 4.92.2.
  • The flaw is caused by a ‘heap overflow in string_vformat’ that can be exploited by an attacker who creates an EHLO message. Successful attackers can crash the Exim process that receives messages and could gain the ability to perform remote code execution.
  • The issue can be resolved by updating all vulnerable Exim servers.

Source 1 Source 2

 

Foxit PDF Reader contains remote code execution vulnerability

  • Researchers at Cisco Talos identified a vulnerability, tracked as CVE-2019-5031, in the JavaScript engine of Foxit PDF Reader. The memory corruption flaw exists in version 9.4.1.16828. A mishandled out-of-memory condition can be triggered by an attacker who tricks a user into opening a specially crafted PDF document.

Source

 

General News

Cyber-attack on Demant A/S expected to cost up to $95 million

  • On September 3rd, 2019, hearing healthcare provider Demant A/S reported that their ‘internal IT infrastructure’ was impacted by a ‘critical incident’ which resulted in the shut down of IT systems across multiple sites.
  • Demant A/S did not disclose the nature of the incident, however local Danish media sources speculated that the company suffered a ransomware attack. The attack impacted facilities in Poland, Mexico, Denmark, France, and the entire Asia-Pacific network. The company estimated that losses will fall within the range of $80 million to $95 million.
  • In a statement released on September 26th, 2019, the company stated that the recovery process is still underway.

Source 1 Source 2

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Daily Alert – 10 December 2019

    Daily Alert: The Impact of Healthcare Data Breaches on Florida Patients...
  • Daily Alert – 09 December 2019

    Daily Alert: 2019 in review: data breaches, GDPR’s teeth, malicious apps, malvertising and more...
  • Silobreaker Daily Cyber Digest – 06 December 2019

    Ongoing Campaigns US Cybersecurity and Infrastructure Security Agency issue warning over Dridex malware On December 5th, 2019, the US Cybersecurity and Infrastructure Security Agency...
View all News

Request a demo

Get in touch