Silobreaker Daily Cyber Digest – 03 April 2019
New version of XLoader discovered
- Researchers at Trend Micro discovered a new version of XLoader that disguises itself as an Android security application. Labelled as XLoader v6.0, and detected as AndroidOS_XLoader.HRXD, the latest variant is delivered via fake websites, one in particular masquerading as a Japanese mobile phone operator’s website.
- On Android, once a user is tricked into downloading a fake APK and it passes the security settings, it will be installed on a user’s device. On iOS, a user is prompted to install a malicious iOS configuration profile and upon installing it, an Apple phishing site will open. XLoader abuses Twitter to encode C&C addresses in Twitter usernames, which are only revealed once decoded.
- Trend Micro found that the operators behind XLoader continue to change and adjust their features, such as deployment infrastructure and techniques. They also linked XLoader to FakeSpy, stating that their techniques, infrastructure, naming conventions and the way they conceal their C&C server is mirrored.
Source (Contains IOCs)
Verizon customers targeted in mobile-focused phishing campaigns
- Researchers at the mobile security company Lookout have observed phishing campaigns aimed at stealing credentials from Verizon customers. The link that delivers the phishing kit includes the ‘ecrm’ abbreviation, which is used by Verizon as a sub-domain for its Electronic Customer Relationship Management Platform.
- Desktop versions of the phishing page look suspicious, however on mobile devices the page looks genuine. The malicious links masquerade as Verizon Customer Support and ask for the recipient’s phone number or user ID and password.
- The first campaign was detected in late November 2018, followed by one in February this year, and an intensified period of activity in March, in which three waves of emails were detected in two consecutive days. Over 50 domains used in the campaign were registered in the past three months.
Phishing campaign uses ‘broken file’ attachment to infect users with malware
- Cofense researchers detected a new phishing campaign that delivered a seemingly broken executable that became fully weaponized once within the victim’s environment.
- The executable was found to lack an MZ header, allowing it to remain undetected by a majority of antivirus engines. Once it is dropped, the malicious file exploits CVE-2017-11882 to download and execute the contents of a .hta file. The script within the .hta file ultimately infects the victim with malware.
Source (Includes IOCs)
APT32 discovered using steganography to load backdoors
- The Cylance Research and Intelligence Team discovered that APT32, also known as OceanLotus, is using a steganography algorithm to conceal an encrypted malware payload within PNG images. This technique is being used by the group to load a version of Denes backdoors and an updated version of Remy backdoor.
- The two malware loaders use side loaded DLLs and an ‘AES128 implementation from Crypto++ library for payload decryption’. The research team assessed that the complexity of the shellcode and loaders demonstrates that the group has invested heavily in the development of these bespoke tools.
- The obfuscated loaders are decoded, decrypted and executed to load one of the two backdoors. The backdoor DLL and C&C communication DLLs are heavily obfuscated, making analysis and debugging more difficult.
New campaign delivers Emotet, TrickBot and Ryuk
- According to Cybereason researchers, Emotet is used as a dropper for TrickBot, and TrickBot subsequently steals sensitive information and downloads Ryuk ransomware. The campaign was observed targeting companies in Europe and the US.
- In this campaign, TrickBot’s capabilities include password collection, detection evasion measures including attempts to disable Windows Defender, the use of EternalBlue to spread, and the termination of multiple services and processes related to anti-malware products. In comparison, Emotet is solely used as an infrastructure to deliver TrickBot.
Leaks and Breaches
Arizona Beverages suffers ransomware attack
- According to TechCrunch, the beverage supplier was affected by iEncrypt ransomware last month, resulting in the wiping of over 200 Windows computers and servers, and effectively shutting down the company’s sales operations for days.
- Due to improper configuration of its backup system, Arizona Beverages’ was required to effectively rebuild its entire network from scratch following the attack.
Philippines Armed Forces investigate data breach
- According to the Manila Bulletin, roughly 20,000 military personnel had their data exposed. This data includes names, serial numbers, units, positions, courses, classes, injuries, and data on whether the individual failed their mission, cheated in exams, or were absent.
- The data breach was allegedly carried out by Pinoy LulzSec as part of the annual LulzSec three-day hacking operation known as ‘April Lulz’.
Security expert discovers thousands of unsafe Kibana instances exposed online
- A researcher known on Twitter as ‘@InfoSeclta’ discovered over 26,000 Kibana installs exposed online, predominantly in the US and China. Kibana is an open source data visualisation plugin that provides visualisations for content indexed on ElasticSearch clusters.
- The majority of the exposed instances are hosted on cloud services from Amazon, Alibaba, Microsoft Azure and Google Cloud. Kibana installs usually belong to large companies, including banks, and parking management to hospitals and universities.
- One of the affected installs belonged to a company that builds automotive technology, which resulted in the exposure of data from every camera they have sold, worldwide.
Security researcher warns against unpatched vulnerabilities in Vidimensio GPS watches
- Christopher Bleckmann-Dreher discovered flaws in the mechanism through which Vidimensio GPS watches communicate with their backend API server. The flaws could permit attackers to eavesdrop and track users, but also alter data stored on the API server and issue various commands to users’ watches.
- The researcher reported the flaws to the vendor in December 2017. Now, after the vendor has continuously failed to address these flaws, Bleckmann-Dreher decided to raise awareness on the issue by inserting fake GPS coordinates into users’ location history. The coordinates spelled the word ‘PWNED!’ when opened on the location history map.
New research finds built-in vulnerabilities in major mobile financial apps
- Aite Group researchers analysed 30 different financial services applications on the Google Play Store and found that nearly all of the apps were easily reverse engineered, revealing a lack of binary protections, unintended data leakages, insecure data storages, weak encryptions and insecure random-number generation.
- Retail banking apps were found to have the largest number of critical vulnerabilities, while auto insurance apps were found to have the greatest number of severe flaws. Other common flaws observed across the apps were hard-coded SQL statements and hard-coded private certificates.
Apache bug allows users to gain remote privileges via scripts
- A privilege escalation flaw, tracked as CVE-2019-0211, has been discovered in Apache HTTP server and allows those with the ability to write and run scripts, to gain root on Unix systems, and subsequently execute arbitrary code via scoreboard manipulation. The flaw impacts all Apache HTTP server releases from 2.4.17 to 2.4.38.
- Two further control bypass security flaws were also fixed in the Apache HTTP server 2.4.39 release. CVE-2019-0217 impacts all httpd releases from 2.4.0 to 2.4.38 and enables users with valid credentials to authenticate using a different username to bypass configured access control restrictions due to a race condition in mod_auth_digest, when running in a threaded server.
- CVE-2019-0215 affects Apache 2.4.37 and 2.4.38, and allows clients ‘supporting Post-Handshake Authentication to bypass configured access control restrictions’ as a result of a flaw in mod_ssl ‘when using per-location client certificate verification with TLSv1.3’.
Critical vulnerabilities discovered in Google Android
- Twelve vulnerabilities were patched in Google’s April Android update, including three critical remote execution bugs. Two of the flaws, identified as CVE-2019-2027 and CVE-2019-2028, exist in Media framework and could allow an attacker to execute arbitrary code by sending a maliciously crafted file. Further technical details regarding these vulnerabilities are not yet available.
- Another patch level was released to fix 78 other CVEs, all related to Qualcomm, including CVE-2018-11940, a critical flaw in the WLAN host.
Chinese woman carrying thumb drive with malware arrested at Donald Trump’s Mar-a-Lago Club
- As reported by The Washington Post, Yujing Zhang was arrested after bypassing layers of security and gaining access to the reception area of the resort owned by US President Donald Trump. According to the criminal complaint, a ‘Protective Zone’ had been set up around the property in preparation for the visit of President Trump.
Taiwanese government will block Chinese streaming services ahead of election
- The Taiwanese presidential election will take place in 2020, leading the government to prepare to block streaming services to prevent propaganda being pushed from Beijing.
- Chiu Chiu-Cheng, the deputy minister of Taiwan’s Mainland Affairs Council, stated, ‘We are concerned that streaming media services that have close ties with Beijing could have cultural and political influences in Taiwan…’
- Among those set to be blocked are Tencent Holdings and Baidu.
Half of cyber-attacks use supply chain techniques
- Carbon Black’s Quaterly Incident Response Threat Report has revealed that half of cyber-attacks use the ‘island hopping’ technique to infect supply chain partners on the way to a higher value target. The highest target for these attacks is the financial sector at 47% followed by manufacturing at 42% and retail at 32%.
- The most common supply chain attacks are network-based attacks which tend to occur via a compromised Managed Security Services Provider (MSSP). Wateringhole attacks are also widely used. In addition, Carbon Black also highlight a new tactic, named the ‘reverse BEC’, in which attackers compromise the mail server of an organisation and use it to spread fileless malware to trusted partners.
Authorities raid residence of Orcus RAT author
- Last week Canadian police raided the home of the Toronto software developer behind Orcus RAT, John ‘Armada’ Rezvesz, who maintained and sold the alleged Remote Access Trojan (RAT) under a company named Orcus Technologies.
- The search warrant was jointly executed by the Royal Canadian Mounted Police and the Canadian Radio-Television and Telecommunications Commission. Several hard drives were seized, containing a large amount of information on Orcus Technologies’ business and practices.
- Rezvesz maintains that Orcus is a legitimate Remote Administration Tool that is being abused. However, experts have argued that the tool includes several features typical of RAT malware.
NSA Ghidra tool examined using AZORult payload
- Researchers at Yoroi ZLAB analysed AZORult using the newly released Ghidra tool from the US National Security Agency (NSA), in an attempt to ‘test’ it.
- They found Ghidra’s decompilation capabilities particularly valuable. Researchers were able to conduct a thorough investigation into AZORult, examining the payload and associated behaviours.
Source (Contains IOCs)
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.