Silobreaker Daily Cyber Digest – 02 November 2018
New Trickbot variant adds password grabber module
- Trend Micro researchers have detected that the Trickbot malware now uses a password grabber module called ‘pwgrab32’. The module steals credentials and other information such as cookies, browsing history and autofill data from several applications and browsers, including Microsoft Outlook, FileZilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge.
- According to Trend Micro, Trickbot is usually distributed through malicious spam campaigns. The malware is capable of disabling Microsoft’s built-in antivirus Windows Defender.
- Victims of this campaign are predominantly located in the US, Canada and the Philippines.
Source (Includes IOCs)
FortiGuard publishes summary on APT27
- Researchers at Fortinet have published a summary on APT27, a threat group that has been active in South and Southeast Asia. Its use of remote access trojans is notable, in particular NewCore and Sisfader, as is its use of malicious Office documents exploiting CVE-2012-0158, CVE-2017-11882 and CVE-2012-0158 as a delivery technique.
Source (Includes IOCs)
Leaks and Breaches
FIFA suffers another data breach
- The football governing body stated that it had been hacked in March 2018. Officials from the organization were targeted with phishing emails. The group Football Leaks reportedly obtained leaked internal documents and is likely to publish revelations from them this Friday, November 11th.
Australian defense contractor and shipbuilder Austal breached
- The company’s data management systems were breached, and unclassified ship design drawings, as well as some staff email addresses and mobile phone numbers, were stolen.
- Austal reported that its operations were unaffected and that no information concerning national security or commercial operations was stolen. The hacker reportedly attempted to sell data on the internet as well as extort the company.
Former Chicago Public Schools employee stole 80,000 people’s information
- The former employee was arrested for stealing personal data on workers, volunteers and vendors from a school district database. Data stolen included names, phone numbers, addresses, birth dates, and criminal arrest histories.
Threat actor offers 81,000 Facebook users’ private messages for sale
- BBC Russian Service has reported that an unknown threat actor has compromised and attempted to sell private messages from at least 81,000 Facebook users’ accounts. The attacker also claimed to possess details from a total of 120 million Facebook accounts. The advert offering the compromised accounts was first discovered in September 2018 and has since been removed.
- According to BBC’s report, Facebook has stated that its security has not been compromised. It is suspected that the data may have been gathered through a malicious browser extension.
- The victims include users mainly from Ukraine and Russia, with some from other locations such as the UK, US and Brazil.
Millions of Wi-Fi access points have two critical vulnerabilities dubbed BleedingBit
- Security firm Armis has stated that access points sold by Cisco, Meraki and Aruba have two critical vulnerabilities (CVE-2018-16986 and CVE-2018-7080) that could allow hackers to run malware inside networks that use the vulnerable devices.
- The flaws were discovered in Bluetooth Low Energy chips manufactured by Texas Instruments, which can be used to hack the access points that embed them. If the BLE chip is turned on and device scanning enabled, the vulnerabilities allow an attacker to take over the chip, allowing privileged access to the access point bypassing authentication.
- An attacker can leverage the vulnerabilities by sending advertising packets containing code that is stored in device memory and triggered later without detection. An overflow packet with its header enabled is then sent, creating a mismatch that causes the chip to leak parts of memory, which the attacker can use to execute code. The attacker can then install a backdoor or execute further code, gaining full control of the device.
Vulnerability in Microsoft Live subdomain allowed session hijacking
- CyberInt has developed a proof-of-concept (PoC) attack that demonstrates how a threat actor could gain access to a user’s Microsoft Live webmail session without possessing the victim’s credentials.
- A high-severity vulnerability was found in a Live.com subdomain called ‘Windows Live’, hosted on the Azure cloud platform, which an attacker could exploit to perform a full account takeover. The subdomain was found to lack an updated DNS configuration.
- The issue has since been fixed.
Five vulnerabilities fixed by Mozilla
- The updates addressed issues in both Mozilla Firefox and Thunderbird, with one of them, CVE-2018-12390, rated critical. Discovered by Mozilla developers and community members, the vulnerability is a memory safety bug existing in Firefox 63, Firefox ESR 60.3 and Thunderbird 60.3 that could potentially be exploited by an attacker to run malicious code.
- The other bugs included CVE-2018-12389, memory safety bugs that exist in all three products; CVE-2018-12393, an out-of-bounds write vulnerability; CVE-2018-12392, a bug that could result in a crash; and CVE-2018-12391, a bug that allows audio data to be accessed across origins.
Windows Defender bug makes users believe sandbox is enabled when it isn’t
- Microsoft reported last week that users can enable a feature that protects their computer from vulnerabilities in the antivirus itself by running Windows Defender in a sandbox.
- To enable the feature, a user creates a system environment variable named MP_FORCE_USE_SANDBOX and sets it to 1, then restarts Windows.
- Didier Stevens discovered that if the user shuts down the computer rather than restarts it, then the sandbox feature will not activate.
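The following PowerShell is an added example, not code from the digest or from Microsoft: it sets the machine-scoped variable described above and then checks whether the sandbox is actually active, so that a shutdown-instead-of-restart does not leave the operator with a false sense of protection. It assumes the sandboxed content process is named MsMpEngCP.exe (the engine service itself remains MsMpEng.exe) and that the Fast Startup setting lives under the HiberbootEnabled registry value.

```powershell
# Added example (not from the Silobreaker digest). Run from an elevated prompt.

function Enable-DefenderSandbox {
    # Machine-scoped variable, as described in the digest item above.
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')
    # A full restart is required. A "shut down" with Fast Startup enabled is a
    # hybrid shutdown that hibernates the kernel session, so the antimalware
    # service can come back with its old environment and no sandbox.
    Write-Host 'Variable set. Now run: Restart-Computer (not Stop-Computer).'
}

function Test-DefenderSandbox {
    # Is the variable visible at machine scope?
    $val = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # Assumption: the sandboxed content process is MsMpEngCP.exe.
    $cp = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    # Assumption: Fast Startup is controlled by HiberbootEnabled (1 = on).
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $hiberboot = (Get-ItemProperty -Path $powerKey -Name 'HiberbootEnabled' `
                  -ErrorAction SilentlyContinue).HiberbootEnabled

    [pscustomobject]@{
        VariableSet    = ($val -eq '1')
        SandboxProcess = [bool]$cp
        FastStartupOn  = ($hiberboot -eq 1)
        # Only trust the sandbox when both the setting and the process are present.
        SandboxActive  = ($val -eq '1') -and [bool]$cp
    }
}

Test-DefenderSandbox
```

If VariableSet is True but SandboxProcess is False after a "shutdown", that is the exact condition Didier Stevens described: perform a real restart and re-run the check.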
Cisco Talos develops exploit for Sophos HitmanPro.Alert vulnerability
- On Thursday, Cisco Talos reported on two vulnerabilities in Sophos HitmanPro.Alert found in the ‘hmpalert.sys’ driver’s IO control handler. Cisco has now developed and reported on a method of exploitation for one of the flaws (CVE-2018-3971).
- The exploitation process used is based upon research presented by Morten Schenk at the Black Hat conference in 2017, and includes some modifications.
Source code exploiting zero day in Apache Hadoop released
- Released by 0x20k of Ghost Squad Hackers, the full source code is able to exploit a zero day in Apache Hadoop, and was used to build the FICORA Botnet. 0x20k claims that the zero day is a remote code execution bug, allowing him to execute an x86 binary in one of Hadoop’s directories.
New report finds USB devices remain top attack vector for industrial control systems
- Honeywell has released a new report highlighting the persistent threat that USB storage devices pose to industrial control systems (ICS).
- Their study revealed that USB devices remain a top threat vector for industrial control systems. Furthermore, they found the malware involved to be ‘highly potent’, with the potential to cause major disruptions. 16% of the detected malware samples were also found to be specifically designed to target ICS or IoT systems.
- Other findings include that 15% of the sampled malware belongs to Mirai, Stuxnet, TRITON and WannaCry families.
US charges Chinese and Taiwanese firms with trade espionage
- US Attorney Jeff Sessions has announced charges against Chinese state-owned Fujian Jinhua Integrated Circuit Co. and privately-owned United Microelectronic Corporation of Taiwan (UMC) for the theft of an estimated $8.75 billion worth of trade secrets from U.S. semiconductor firm Micron.
- The two companies are charged with stealing trade secrets related to DRAM chips used in computer processors.
- The Department of Justice also filed a civil lawsuit to block imports of any UMC and Fujian Jinhua products that use the stolen Micron intellectual property.
U.S. Election Assistance Commission (EAC) voting standards not high enough
- Coalfire has reported that pen tests undertaken on voting systems in ten states have revealed several vulnerabilities. In addition, they were able to reverse engineer voting media and replace voting system software with an emulation program that ‘adds malicious logic to record malicious votes.’
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.