Silobreaker Daily Cyber Digest – 03 July 2019
Threat actor TA505 introduces new downloader malware dubbed AndroMut
- In June 2019, Proofpoint researchers discovered TA505 introducing a new downloader malware which they named AndroMut malware. AndroMut is written in C++ and has so far been observed dropping FlawedAmmyy RAT in two distinct campaigns.
- The first campaign targets users in South Korea, with victims receiving an email containing HTM or HTML links to download a Word or Excel file. This file then uses macros to execute a Msiexec command to download and execute the FlawedAmmyy loader, or drop AndroMut, which then loads FlawedAmmyy. The second campaign works in an identical manner but targets financial institutions in Singapore, UAE, and the US.
Source (Includes IOCs)
ZLab-Yoroi researchers publish analysis of LooCipher ransomware
- The researchers observed LooCipher ransomware being dropped through a macro-weaponized document. If a user enables macro execution the minimal macro code connects to a malicious URL and drops LooCipher.
- LooCipher proceeds to encrypt all victims’ files except for the system and program folders that are required to run Windows OS. During the encryption phase the malware copies the files but does not delete the original. Following encryption LooCipher creates a FAQ folder on the victim’s desktop with information on how to recover their files.
- Researchers also found that the ransomware’s C2 is hosted in the TOR Network, allowing the attacker to avoid installing TOR libraries on the victim machine. LooCipher is also capable of both encrypting and decrypting files.
Source (Includes IOCs)
US Cyber Command warns of malicious use of Outlook vulnerability
- The US Cyber Command discovered threat actors abusing the known Microsoft Outlook vulnerability CVE-2017-11774 and issued an alert via Twitter urging users to patch. The flaw allows an attacker to escape the Outlook sandbox and run malicious code on the underlying operating system.
- It is believed that the Iranian state-sponsored group APT33 is behind the attacks, as they had previously used this vulnerability in December 2018 to deploy backdoors on web servers. According to security researcher Brandon Levene, the malware samples shared by the US Cyber Command also seem to be related to Shamoon activity, which has also been linked to APT33.
Leaks and Breaches
US Virgin Islands suffer ransomware and BEC attack
- In April 2019, a ransomware attack targeted the US Virgin Islands police department servers on which internal affairs records, court documents and citizen complaints were stored. The department refused to pay the ransom fee and is currently cooperating with the FBI to decrypt the compromised files.
- Moreover, the Islands’ Water and Power Authority was separately hit by a business email compromise (BEC) attack. The St Thomas Source reported that an executive within the department informed a Senate committee that they lost $2.3 million as a result of the attack.
Two security vulnerabilities in Sonatype Nexus Repository expose thousands of artifacts
- Twistlock security researchers found that users frequently skip configuration steps and choose to run the software under default settings. Consequently, the default admin is always identical and unauthenticated users can read and download all resources from Nexus. These flaws are tracked as CVE-2019-9629 and CVE-2019-9630, respectively.
- The researchers found that the vulnerabilities exposed thousands of private artifacts across numerous industries including financial services, healthcare, government agencies, private companies, and more.
- Details on the bugs were passed on to Sonatype who disabled ‘the default admin user and fixed the permission issues on resources by requiring the admin to explicitly enable anonymous access when desired’.
Simple DirectMedia Layer open to two remote code execution vulnerabilities
- Researchers at Cisco Talos discovered the flaws in the function responsible for loading PCX files in the SDL2_image library. A specially crafted PCX file can cause a heap buffer overflow which can lead to remote code execution.
- The vulnerabilities are tracked as CVE-2019-5051 and CVE-2019-5052.
Vulnerabilities found in Arlo Base Station
- Researchers at Tenable discovered two vulnerabilities in the Arlo Base Station firmware, which allow malicious actors, with physical access to the device, to connect to the UART port via a serial connection. Once connected, the attacker can login with default credentials and execute commands as the root user.
- The flaws, tracked as CVE-2019-3949 and CVE-2019-3950, affect Arlo Base Station firmware 22.214.171.124_27940 and earlier. Arlo has since released a patch.
BlueKeep proof-of-concept attack allows remote control of devices
- Researchers at Sophos developed an attack which would allow attackers to gain remote system access without the need to employ malware. Additionally, the attack is completely fileless and doesn’t require an active session on the target side.
- The exploit was developed by reverse engineering the BlueKeep patch, which Microsoft released in May 2019. Due to security concerns, Sophos decided not to release details of the attack to the public.
Zero-day vulnerability discovered in Windows Error Reporting component
- While examining the Windows Error Reporting (WER) component zero-day disclosed by ‘SandboxEscaper’ in December 2018, researchers at Palo Alto Networks’ Unit 42 found an additional zero-day in WER tracked as CVE-2019-0863.
- By exploiting the ability of WER to alter file permissions, attackers can assign themselves read, write, edit and delete permissions to any other file by linking files in the report directory to different target files on the computer.
- CVE-2019-0863 was spotted in the wild and addressed with a Microsoft patch in May 2019.
Source (Includes IOCs)
Multiple vulnerabilities found in Zipato smart home products
- Security researchers Charles Dardaman and INIT_6 discovered three critical vulnerabilities, tracked as CVE-2019-9560, CVE-2019-9561, and CVE-2019-9562, in the ZipaMicro Z-Wave Controller Model ZM.ZWUS and Zipabox Z-Wave Controller Model 2AAU7-ZBZWUS.
- Two of the flaws are found in the design and implementation of the authentication mechanism in the Zipato API, whilst the third is embedded SSH private key for root. A patch has been released.
Report warns of dangers of satellite vulnerabilities
- A new report published by Chatham House looks at the potential vulnerabilities of space-dependent strategic systems to cyberattacks and warns of the challenges that could be posed if a network was attacked.
- It argues that multiple factors, including old IT equipment, failure to update software and potential weaknesses in supply chains, are leaving systems open to attack and recommends that NATO member states ensure their equipment is patched against vulnerabilities.
China installs spyware on phones of tourists crossing into Xinjiang region
- A joint report by the New York Times, the Guardian and Süddeutsche Zeitung, found Chinese border police secretly installing mobile surveillance apps and downloading the personal details of visitors entering the Xinjiang region from Kyrgyzstan. Reporters found that screening routinely took place at the Irkeshtam border crossing,
- The malware installed by the border police extracts emails, texts, contacts and information about the phone’s hardware. The malware searches for a wide range of information including terms associated with Islamic extremism and literature by the Dalai Lama.
- Those crossing the border were not told in advance what the software was looking for, or that their information was being exfiltrated.
AT&T customers unable to call emergency services during nationwide outage
- On July 2nd, 2019, multiple US police departments reported that AT&T customers were unable to reach emergency services. An AT&T spokesperson told Motherboard that the issue has been resolved.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.