Silobreaker Daily Cyber Digest – 02 October 2019
GhostCat-3PC malware targets publishers
- Researchers at The Media Trust discovered a new malware, named GhostCat-3PC, that targets mobile browsers in the US and Europe. The attackers used the malware to launch 13 attacks against hundreds of well-known publishers.
- The malware hid from signature-based ad-blockers by using obfuscated code and delivery patterns. Before running on a user's device, GhostCat-3PC checked that it was on a mobile device, inside a mobile browser, running in a targeted country, and not inside a virtual machine.
- If these checks pass, the malware displays a fraudulent pop-up which redirects victims to malicious content.
Researcher analyses VBA macros used in malicious document attacks
- Security researcher Marco Ramilli analysed a sample of VBA macros used to weaponise malicious documents. The analysis gives a general overview of how VBA macros are used in attacks: in many scenarios, Microsoft Excel or Microsoft Word documents act as droppers that download and execute a third-party payload.
- Ramilli notes that in recent years threat actors have been observed re-using code rather than building malware from scratch. This is also common for VBA macros, so similarities will most likely be found when analysing other malicious documents.
Fake browser updates used to deliver Trojans and ransomware
- Between May and September 2019, researchers at FireEye identified a financially motivated threat actor using compromised websites to infiltrate enterprise victims' environments. The attack is similar to a fake update campaign first discovered in April 2018; however, the recent campaign includes new techniques and a post-exploitation toolkit.
Emotet now spread with fake Microsoft Office Activation Wizard
- Security researcher ps66uk discovered that attackers using Emotet Trojan are now attempting to deliver the malware through a fake Microsoft Office Activation Wizard attachment. The researcher stated that this was the first time they had seen Emotet use this document type.
- The malicious document prompts targets to 'Enable Editing' and 'Enable Content' in order to activate Microsoft Office. Targets who click these prompts enable macros, which run a script that downloads and installs Emotet.
Source (Includes IOCs)
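The Emotet lure above works only because the recipient enables macros. A mail gateway or SOC triage script can flag attachments that carry a VBA project before they reach a user. The following is an added example written for this digest, not code from the researcher or from Silobreaker; it assumes the attachment is a macro-enabled OOXML container (.docm/.xlsm/.pptm are zip files whose VBA code lives in a `vbaProject.bin` part declared in `[Content_Types].xml`). Legacy OLE2 .doc/.xls files use a different container and are only reported as needing a separate parser. The sample documents are constructed in memory for the demonstration.

```python
"""Flag Office attachments that carry a VBA project (added example, not from the digest)."""
import io
import zipfile

# Parts that hold VBA code in macro-enabled OOXML files (.docm, .xlsm, .pptm).
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_vba_parts(data: bytes) -> list:
    """Return zip members (or content-type declarations) that indicate a VBA project.

    Non-zip input (e.g. a legacy OLE2 .doc, which needs an OLE parser) yields [].
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
            # Also consult [Content_Types].xml: a VBA override means the
            # document declares a macro part even if the part was renamed.
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    hits.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
            return hits
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment for gateway or SOC triage (verdict strings are this example's own)."""
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    parts = find_vba_parts(data) if is_zip else []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if parts:
        verdict = "has_macros"          # hold for sandboxing / analyst review
    elif is_zip:
        verdict = "no_macros"
    elif ext in {"doc", "xls", "ppt"}:
        verdict = "legacy_ole_needs_olefile"  # OLE2 container, out of scope here
    else:
        verdict = "not_office_zip"
    return {"file": filename, "verdict": verdict, "vba_parts": parts}


def build_sample(with_vba: bool) -> bytes:
    """Build a minimal constructed .docm-style zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ""
        if with_vba:
            overrides = ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Constructed stub; a real part is an OLE2 stream holding the VBA modules.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub VBA project")
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">' + overrides + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("activation.docm", build_sample(True)),
                       ("letter.docx", build_sample(False)),
                       ("old.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)]:
        print(triage_attachment(name, blob))
```

The check deliberately looks at the container rather than the file extension: a renamed `.docx` that still carries `vbaProject.bin` is flagged, while a `.docm` with no VBA part is not.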
Adwind RAT variant with new obfuscation techniques used to target US petroleum industry
- Researchers at Netskope identified a new sample of Adwind RAT being used in a campaign targeting the petroleum sector in the US. The malware was hosted on multiple URLs belonging to Australian ISP Westnet.
- The variant of Adwind RAT that the researchers analysed featured a new obfuscation technique that employs multiple embedded JAR archives before delivering the final payload.
- Besides these obfuscation features, Adwind RAT remains largely unchanged. The malware can capture webcam images, monitor system status, scan hard drives for files with extensions listed in the RAT's configuration, and more.
Source (Includes IOCs)
KovCoreG behind malvertising campaign distributing Novter
- Researchers at Trend Micro observed Novter malware, also known as Nodersok or Divergent, being distributed by KovCoreG. KovCoreG has been active since 2011 and was known for spreading Kovter botnet malware, mainly via malvertisements and exploit kits. The Kovter botnet was taken down at the end of 2018.
- Following the takedown of the Kovter botnet, KovCoreG started a new malvertising campaign involving Novter, first observed in March 2019. The current campaign has expanded its reach beyond the US to European countries, yet the websites used in the malvertising attacks are the same ones that were abused by Kovter.
- A full technical analysis is available via Trend Micro’s blog.
Source (Includes IOCs)
Leaks and Breaches
Tax records of 20 million Russians exposed on unsecured server
- Comparitech researchers discovered an unprotected Amazon Web Services Elasticsearch cluster containing personally identifiable information on over 20 million Russian citizens. The owner, who is based in Ukraine, took the database offline on September 20th, 2019, after being notified of the leak. Beyond that location, the owner's identity is unclear.
- The data spanned from 2009 to 2016 and exposed information included full names, addresses, residency status, passport numbers, phone numbers, Tax ID numbers, employer names and phone numbers, and tax amounts. Most of the affected individuals are Russian citizens located in Moscow and the surrounding area.
Several Alabama hospitals forced to shut down after ransomware attack
- DCH Health System announced that the DCH Regional Medical Centre, Northport Medical Centre and Fayette Medical Centre have all been impacted by a ransomware attack. A statement on the DCH website says that all three hospitals are closed to new patients as a result of the attack.
Critical vulnerability found in Jamf Pro
- macOS network administrators are advised to update to Jamf Pro version 10.15.1 after a critical vulnerability was found in Jamf Pro. The flaw could be exploited by sending network packets to a vulnerable server, which could allow file deletion or remote code execution. Mac and iOS devices managed by Jamf are not vulnerable, as the flaw only affects the Jamf Pro server.
Multiple vulnerabilities discovered in Android's VoIP implementation
- A team of researchers discovered eight vulnerabilities in Android's Voice-over-IP (VoIP) implementation, which could be exploited to make unauthorised VoIP calls, spoof caller IDs, deny voice calls, and execute malicious code on the victim's device. Some of the flaws have already been fixed.
- The most critical flaw, tracked as CVE-2018-9475, could allow attackers to execute malicious code via a VoIP call and affected all Android versions up to version 9/Android Pie. The vulnerability was fixed in 2018 in Android Oreo.
Vulnerability in Cisco Webex and Zoom allows attackers access to unprotected meetings
- Researchers at Cequence Security identified an enumeration attack that can be used against the Cisco Webex and Zoom video conferencing platforms. The researchers used a bot to discover valid numeric meeting IDs, which were accessible because users had not enabled the platforms' security functions and passwords.
- The vulnerability could allow attackers to listen to or view active meetings. Additionally, an attacker could store a target's personal meeting ID for later use.
Vulnerability in NSA’s Ghidra tool can be used by remote attackers to compromise exposed systems
- The open-source Ghidra reverse engineering tool released by the National Security Agency contains a vulnerability when Ghidra’s experimental mode is enabled. The issue, tracked as CVE-2019-16941, ‘allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document’.
FDA warns patients of URGENT/11 vulnerabilities that could affect medical devices
- The US Food and Drug Administration (FDA) issued a warning to patients regarding vulnerabilities found in medical devices that use the third-party software component IPnet. The 11 vulnerabilities, first discovered at the end of June 2019 and dubbed URGENT/11, could allow a remote attacker to take control of medical devices and change their function, cause a denial of service, or cause information leaks or logical flaws.
- Affected versions of operating systems include VxWorks, Operating System Embedded, INTEGRITY, ThreadX, ITRON, and ZebOS.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.