Silobreaker Daily Cyber Digest – 02 July 2019
New version of WannaLocker targets banks in Brazil
- Avast threat researcher Nikolaos Chrysaidos discovered a new triple threat version of the WannaLocker ransomware, often referred to as the mobile copycat version of WannaCry, targeting four major banks in Brazil. This new version combines spyware, remote-access trojan malware and a banking trojan malware.
- Once a device is infected, the user is prompted to enter log-in details to address an issue, allowing the malware to collect data such as hardware information, call logs, text messages, phone numbers, photos, contact lists, GPS locations, microphone audio data, and more.
- It is unclear how this new version gets into phones, but Chrysaidos suspects it to be via malicious links or third-party stores.
Go-compiled malware steadily rising
- Researchers at Palo Alto Networks’ Unit 42 discovered approximately 10,700 unique malware samples written in Go. Of the samples assessed 92% were written for Windows OS, 4.5% were compiled for Linux, and the remainder for OSX.
- Analysts also identified 53 unique malware families, the most prominent being Veil, GoBot2 and HERCULES. Researchers grouped the malware families by attribute and purpose, determining that the majority were used for penetration testing activities, whilst the second largest group were RATs and the third were backdoors.
- Researchers concluded that instances of Go malware are still low but steadily rising, growing by 1944% between January 2017 and March 2019.
Source (Includes IOCs)
Researchers analyse APT32’s ‘Ratsnif’ trojans
- Researchers at BlackBerry Cylance analysed four samples from the Ratsnif remote access trojan family used by the OceanLotus Group to leverage new network attack capabilities. The group, also known as APT32, is believed to be linked to the Vietnamese government.
- Ratsnif trojans have been under development since 2016 and combine various capabilities, including packet sniffing, gateway or device ARP poisoning, DNS poisoning, HTTP injection and MAC spoofing.
- Researchers found that all samples borrow heavily from open-source code and have deemed the overall development to be poor, especially compared to the usual high standards found in OceanLotus malware.
Source (Includes IOCs)
Facebook malware campaign targets Libyans
- Researchers at Check Point discovered a campaign utilizing Facebook pages to distribute malware to mobile and desktop users. The campaign infected tens of thousands of users, primarily in Libya but also in Europe, the US and Canada.
- Researchers began their analysis by examining a Facebook page impersonating Libyan Field Marshal Khalifa Haftar. The page posted URLs to downloadable files marked as leaks from Libyan intelligence units. The links contained malicious VBE or WSF files for Windows and APK files for Android. Users who downloaded files were infected with RATs such as Houdini, Remcos, and SpyNote.
- Analysts found over 30 Libyan-themed Facebook pages, some with over 100,000 followers, involved in similar attacks. In total more than 40 malicious links were used by attackers, and identical links were often used by multiple pages. Moreover, all applications and VBE scripts shared by the initial page connected to the same C2. Researchers linked the attacks to a Facebook profile named ‘Dexter Ly’.
Source (Includes IOCs)
Adware campaign concealed in 182 games and camera apps
- Trend Micro researchers discovered the campaign being conducted via free-to-download apps hosted on the Google Play Store and third-party stores. Of the 182 apps, 111 were found on the Google Play Store. The campaign has been active since 2018 and the apps involved have a collective download count of 9,349,000. Despite the apps having different developers, researchers asserted that they belong to the same campaign.
- The malicious apps share code and exhibit similar behaviours. The adware hides the malicious apps’ icon and displays full-screen ads that cannot be immediately closed or exited. The highest-frequency pop-up occurred every five minutes. Additionally, ads also appear even when the apps are not in use. Researchers also observed the adware using evasion techniques; for example, recent versions only ran ads after 24 hours had elapsed, allowing the adware to avoid sandbox detection.
- All the malicious apps hosted on the Google Play Store have now been removed.
Source (Includes IOCs)
‘Heaven’s Gate’ loader used in new campaign to deliver RATs and stealers
- Cisco Talos researchers discovered a new campaign delivering the HawkEye Reborn keylogger and other malware through a complex loader. The loader takes advantage of several techniques, including ‘Heaven’s Gate’, which allows 32-bit malware running on 64-bit systems to hide API calls by switching into the 64-bit environment. Additionally, anti-virus software struggles to pick up on the malware as it is never written to disk but is instead hidden inside the loader.
- The malware is distributed through emails containing Microsoft Excel or Microsoft Word documents that exploit CVE-2017-11882. When the document is opened by the user, the malware connects to servers which host the malware payload. Moreover, these campaigns are ongoing: new emails are being sent on a regular basis and new binaries are continually hosted.
Source (Includes IOCs)
Leaks and Breaches
Orvibo exposes 2 billion logs containing user data
- vpnMentor researchers discovered an open database containing over 2 billion logs linked to Orvibo Smart Home products. The company, known for manufacturing smart home devices, including home security devices, was informed of the data breach on June 16th, 2019; however, no action has been taken.
- The data breach affects millions of users globally and exposes usernames, email addresses and passwords, precise locations, and more. With access to such data hackers could potentially disrupt users’ homes and businesses.
Courts in the US State of Georgia targeted by ransomware attack
- Georgia’s Judicial Council and Administrative Office of the Courts (AOC) fell victim to a ransomware attack on July 1st, 2019. Not all systems are believed to have been affected; however, all systems have been taken offline as a precaution. The AOC website is also currently offline.
- According to Ars Technica, reports have linked the attack to the Ryuk ransomware campaign that has been targeting various US state and local agencies over the past month.
1TB of police body camera footage found on unprotected databases
- Jasun Tate, CEO of Black Alchemy Solutions Group, informed The Register of his team’s discovery of 1TB of police body camera footage on unprotected MongoDB and MySQL databases. The majority of the footage belongs to the Miami Police Department and other US police departments and dates from 2018 to the present.
- According to Tate, the operators of the databases are five individual cloud service providers working with various police departments.
- The databases have since been secured and the footage is no longer publicly accessible; however, Tate believes the footage may already have been copied and potentially sold on hacker forums.
Android security update addresses four remote code execution (RCE) flaws
- The July 2019 security update fixes three critical RCE flaws in the Media framework and another vulnerability, tracked as CVE-2019-2111, in the Android system.
- CVE-2019-2106, CVE-2019-2107 and CVE-2019-2109 relate to the Media framework and ‘could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.’ The vulnerabilities exist on all devices running Android 7.0 or later; however, CVE-2019-2109 does not affect Android 9.0 devices.
- A complete list of the 33 patched security vulnerabilities is available via the ‘Android Security Bulletin’.
OpenPGP certificates poisoned by threat actors
- Two high-profile community contributors, Robert J. Hansen and Daniel Kahn Gillmor, had their OpenPGP certificates poisoned. By taking advantage of the lack of a limit on the number of signatures that can be placed on an OpenPGP certificate, attackers spammed the contributors’ public certificates with tens of thousands of signatures.
- This caused a problem with GnuPG, a popular package used to implement OpenPGP. GnuPG does not deal well with certificates carrying large numbers of signatures and stops working when importing a heavily signed certificate.
- The poisoned certificates ended up in the SKS keyserver network, ensuring that anyone attempting to import a poisoned certificate into a vulnerable OpenPGP implementation would break their installation. Hansen stated that ‘given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned’.
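Because the failure mode described above is triggered by sheer signature volume, one defensive check is to count the signature packets in a certificate before handing it to GnuPG. The script below is an added example for this digest, not code from Silobreaker, GnuPG or the SKS project. It parses only the packet framing defined in RFC 4880 (old- and new-format headers, no partial body lengths), so it works on binary (dearmored) key material; the sample certificates it builds use placeholder packet bodies that are not real keys, and the 1000-signature threshold is an assumed policy value, not a documented GnuPG limit.

```python
"""Count OpenPGP signature packets in a binary certificate before import.

Added example (not from the original digest). It implements only the
RFC 4880 packet-header framing; packet bodies are treated as opaque.
"""
from collections import Counter

# RFC 4880 packet tags relevant to a public certificate.
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

# Assumed policy threshold (not a GnuPG constant): certificates with more
# signatures than this are treated as poisoned and are not imported.
DEFAULT_MAX_SIGNATURES = 1000


def iter_packets(data: bytes):
    """Yield (tag, body) for every packet in a binary OpenPGP stream."""
    i = 0
    n = len(data)
    while i < n:
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {i}")
        if ptag & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ptag & 0x3F
            if i + 1 >= n:
                raise ValueError("truncated packet header")
            o1 = data[i + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                if i + 2 >= n:
                    raise ValueError("truncated packet header")
                length, hdr = ((o1 - 192) << 8) + data[i + 2] + 192, 3
            elif o1 == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = int.from_bytes(data[i + 1:i + 3], "big"), 3
            elif ltype == 2:
                length, hdr = int.from_bytes(data[i + 1:i + 5], "big"), 5
            else:  # indeterminate length: packet runs to end of stream
                length, hdr = n - i - 1, 1
        start, end = i + hdr, i + hdr + length
        if end > n:
            raise ValueError(f"packet at offset {i} runs past end of data")
        yield tag, data[start:end]
        i = end


def count_packets(data: bytes) -> Counter:
    """Return a Counter of packet tag -> number of packets."""
    return Counter(tag for tag, _ in iter_packets(data))


def signature_count(data: bytes) -> int:
    """Number of signature packets (tag 2) in the certificate."""
    return count_packets(data)[TAG_SIGNATURE]


def is_import_safe(data: bytes, max_signatures: int = DEFAULT_MAX_SIGNATURES) -> bool:
    """True if the certificate carries no more signatures than the policy allows."""
    return signature_count(data) <= max_signatures


def encode_packet(tag: int, body: bytes) -> bytes:
    """Encode a packet with a new-format header (used to build samples)."""
    size = len(body)
    if size < 192:
        length = bytes([size])
    elif size < 8384:
        length = bytes([((size - 192) >> 8) + 192, (size - 192) & 0xFF])
    else:
        length = b"\xff" + size.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_sample_certificate(num_signatures: int) -> bytes:
    """Constructed sample: one key, one user ID, N signatures (bodies are dummies)."""
    cert = encode_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 200)  # dummy key body
    cert += encode_packet(TAG_USER_ID, b"Example User <user@example.invalid>")
    for k in range(num_signatures):
        cert += encode_packet(TAG_SIGNATURE, b"\x04\x13" + k.to_bytes(4, "big"))
    return cert


if __name__ == "__main__":
    for sigs in (3, 50000):
        cert = build_sample_certificate(sigs)
        verdict = "OK to import" if is_import_safe(cert) else "REJECT (poisoned?)"
        print(f"{sigs:>6} signatures, {len(cert):>8} bytes: {verdict}")
```

Run it on a real key with `gpg --dearmor` first if the key is ASCII-armored; the check is deliberately cheap (no signature verification, no key parsing) so it can sit in front of an import step or a keyserver fetch without itself becoming the bottleneck the poisoning exploits.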
SICK controllers open to remote attack
- Researcher Tri Quach of Amazon’s Customer Fulfilment Technology Security discovered a vulnerability, tracked as CVE-2019-10979, in SICK’s MSC800 modular system controller. The bug could allow low-skilled attackers to remotely reconfigure the product due to the existence of hard-coded credentials in MSC800 controllers running firmware versions prior to 4.0.
- SICK was not aware of any public exploits targeting the vulnerability and recommended customers to minimize the device’s exposure and access to the network.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.