Silobreaker Daily Cyber Digest – 04 April 2019
Malicious applications discovered on Microsoft Store
- Researchers at Symantec found 81 applications available for download that disguised themselves as sports, games, news and utility apps. Identified as potentially unwanted apps, they secretly install malware allowing a malicious actor to later display malicious content. They also display adult and gambling content, but were not advertised in this manner.
- Symantec researchers found that these 81 applications all have a similar file structure and share the same servers, which makes it likely that they were all published by the same group of developers.
- Microsoft is investigating the applications, with some of them already removed from the app store.
Updated BashLite malware discovered
- The latest version of BashLite, also known as Gafgyt, Qbot and LizardStresser, has been designed to add IoT devices to a DDoS botnet. It no longer relies on specific vulnerabilities and instead abuses a publicly available remote-code-execution Metasploit module. Further DDoS commands, such as the capability to launch multiple different types of floods at once, cryptomining functionality and backdoor capabilities have also been added. BashLite can also brick other existing malware on a device.
New Xwo malware scans internet for exposed web services
- AT&T Cybersecurity researchers discovered Xwo and found it is likely related to the Xbash and MongoLock malware families.
- Both Xwo and MongoLock use similar Python-based code and C&C domain-naming conventions, and have an overlap in C&C infrastructure. However, unlike MongoLock, Xwo does not possess ransomware or exploitation capabilities. Instead, it collects and sends stolen credentials and service access details back to its C&C server. Additionally, Xwo’s Python script was found to contain code copied from Xbash.
- Although it is still unclear how Xwo began spreading or how it gains access to internet-connected devices, it is designed to conduct reconnaissance and send back information to the C&C server via an HTTP POST request.
- It collects information on the use of default credentials in services including FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached and Tomcat. It also collects information on default SVN and Git paths, Git repository format version content, phpMyAdmin details, and more. The researchers warn that this may suggest a larger cyberattack is on its way.
Phishing attacks capitalise on the US tax season
- Proofpoint researchers released a report illustrating how new phishing campaigns are exploiting the US tax season, using realistic phishing emails and malicious attachments.
- In January 2019, Proofpoint discovered a campaign targeting accounting firms with malicious emails from a fake taxpayer. The emails pretended to contain information requested by an accounting firm to prepare the taxpayer’s tax return.
- The fake documents attached included a W-2 form, a 1099-R from UBS and a mortgage interest 1098 form. When the recipient enabled macros, the attached documents would download and install Remcos RAT, potentially giving the attackers full access to numerous individuals’ information by infecting a single computer.
Kaspersky Lab researchers report on new activities by group behind Roaming Mantis
- According to the researchers, the threat actor continues to seek ways to compromise iOS devices and has built a new landing page for iOS users. This landing page is used to redirect victims to malicious iOS mobile config installations.
- Once the mobile config is installed, the phishing site opens in a web browser and sends information including DEVICE_PRODUCT, DEVICE_VERSION, UDID, ICCID, IMEI and MEID to the threat actor’s server. The phishing site then asks the victim to input their Apple ID and password, after which the hackers attempt to log in to the account from Hong Kong. After entering their credentials, victims are also asked to provide the two-factor authentication code sent to their device.
- For Android users, the threat actor infects their devices with Roaming Mantis malware, also known as MoqHao. The researchers found that the hackers have updated the decryption algorithm for encrypted payloads in the Trojan-Dropper module, as well as the stored destinations and accounts used to obtain the real C&C address.
- Victims of this campaign were discovered in Russia, Japan, India, Bangladesh, Kazakhstan, Azerbaijan, Iran and Vietnam.
Several credit card skimming scripts infect thousands of sites
- A number of Magecart groups have drawn the attention of several security companies, such as Group-IB, and of BleepingComputer, after they discovered several JS-Sniffers present on victims’ websites. BleepingComputer analysed 15 of the 38 JS-Sniffer families discovered and found that 2,440 websites had been infected. At least eight of the families analysed had not been discovered before.
- Some of the JS-Sniffers steal credit card data from different payment systems and do not need to make specific adjustments per website. G-Analytics and WebRank collect information from a hardcoded list of HTML elements, and other families such as PreMage, MagentoName, FakeCDN and Post Eval target e-commerce websites using Magento, Shopify, OpenCart CMS, or the WooCommerce plugin for WordPress.
- Group-IB’s in-depth report provides further details on the JS-Sniffers, assessing advanced techniques, prices and targets.
CIA porn scams use password protected PDFs
- A new form of CIA porn investigation email has been discovered putting extortion payment instructions in password protected PDF attachments. The new campaign delivers emails with the subject line ‘[Your email has been verified [Central Intelligence Agency – Case #55662513 – 24-03-2019] Your family counts on your intelligence’ and contains a password for the attached PDF.
- If the PDF is opened and the recipient enters the password, the document displays instructions to send $5,000 to the enclosed Bitcoin address, which is a newer SegWit address, different from the traditional Bitcoin addresses often seen associated with these scams.
F-Secure researchers analyse Twitter amplification
- Andy Patel, a researcher at F-Secure, has investigated how actors are able to amplify their disinformation campaigns and promote their ideology by gaming Twitter. A Twitter crawler was built to discover interesting users, and their behaviours were then analysed.
- In his investigation, Patel primarily focused on pro-Brexit and MAGA-related accounts and found that accounts in these circles were in part operated by human beings. They often retweet and converse with each other; however, many of these accounts are actually operated by the same people. Individuals create multiple accounts to make their network larger, giving their political content further reach across Twitter.
Leaks and Breaches
Georgia Tech announces breach exposing information of 1.3 million people
- A flaw in a web application allowed an attacker to gain access to personal information belonging to up to 1.3 million students, college applicants, staff and faculty members.
- Georgia Tech developers were investigating a performance issue when they discovered that an unauthorised third party had accessed their server on December 14th, 2018. The information accessed includes names, addresses, Social Security numbers and birth dates.
- It is unclear what was causing the performance issue, though it is possible that the attackers were using the server for additional attacks on external servers, or installed malware such as mining software that used the server’s resources and impacted performance.
Council in southern England leaks data on adopted abused children
- The unnamed council disclosed the personal information of children who suffered abuse, and were adopted, to their biological parents. In one case, location information was disclosed to a biological mother with a history of violence, leading the adoptive parents to fear for their family’s security.
Facebook users’ data leaked by third-party developers
- Over 540 million user records have been found publicly accessible via Amazon S3 buckets used by two third-party Facebook apps developed by Cultura Colectiva, a Mexico-based media company. The 146GB database named ‘cc-datalake’ is downloadable by anyone and includes comments, likes, reactions, Facebook IDs and account names.
- Another database, belonging to a company that went defunct five years ago, was discovered containing 22,000 records for another third-party Facebook app. This includes passwords used for their ‘On The Pool’ app, which may also belong to a linked Facebook account if users re-use the same passwords.
- UpGuard researchers subsequently contacted the relevant parties to secure access to the databases.
590 million resumes leaked via insecure databases
- Security researcher Sanyam Jain has reported that within the first three months of 2019, Chinese companies running ElasticSearch or MongoDB have leaked approximately 590 million resumes as a result of their databases being poorly secured.
- The findings include 33 million Chinese users from a single ElasticSearch server, which was secured after being reported to CNCERT, and seven cases reported in March 2019 alone. The biggest current finding is an ElasticSearch server that is still currently exposed, holding 129 million resumes.
NVIDIA patches flaws in Linux4Tegra Driver for Jetson AI Supercomputers
- The security update for Jetson TX1 and TX2 patched flaws discovered in the Linux for Tegra driver package that could enable local attackers with basic user privileges to escalate privileges, cause a denial of service, or disclose information.
- The flaws must be exploited remotely, potentially by planting malicious tools on a system running a vulnerable Tegra Linux Driver Package version. The highest severity flaws are tracked as CVE-2018-6269, CVE-2017-6278, CVE-2018-6267 and CVE-2018-6271.
Vulnerabilities in medical imaging equipment allow attackers to alter CT and MRI scan images
- Researchers from the Ben-Gurion University Cyber Security Research Center in Israel developed malware that could permit attackers to add realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them. In their research paper, the researchers detail how attackers can use ‘deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans’.
- In almost all cases, they were able to trick radiologists into misdiagnosing patients whose CT lung scans had been altered by the malware. Although their study focused on lung cancer scans, this attack could work for brain tumour, heart disease, blood clot, spinal injury, bone fracture, ligament injury and arthritis scans as well.
- The vulnerabilities that allow this form of attack reside in the equipment and networks hospitals use to transmit and store CT and MRI images. The images are sent to radiology workstations and back-end databases via the picture archiving and communication system (PACS). According to the researchers, the attack works because the scan images are not digitally signed to prevent them from being altered without detection and because hospitals do not use encryption on PACS networks.
Vulnerabilities discovered in Advantech WebAccess
- The vulnerabilities, discovered in WebAccess/SCADA, affect version 8.3.5 and prior. Three vulnerabilities in total were reported by Mat Powell and Natnael Samson through Trend Micro’s Zero Day Initiative: two critical and one high severity.
- CVE-2019-6552 is comprised of multiple command injection vulnerabilities as a result of a lack of proper validation of user-supplied data. This could result in remote code execution. CVE-2019-6550 is comprised of multiple stack-based buffer overflow vulnerabilities, also due to lack of input validation, which could result in remote code execution. CVE-2019-6554 is an improper access control flaw, which an attacker could abuse to cause a denial-of-service condition.
- All of these vulnerabilities have been patched in version 8.4.0 of WebAccess.
Test reveals UK universities’ defence systems can be hacked within two hours
- A team of ethical hackers, working for Jisc, conducted attacks against 50 UK universities and found that in every case they were able to access ‘high-value data’ within two hours. Specifically, they were able to access personal data, finance systems and research networks.
Analysis of manufacturing sector-related malware published
- Trend Micro has produced a report concerning security threats facing ‘smart factories’ and the use of Industrial Internet of Things devices. Researchers stated that as more devices and systems are connected in manufacturing, the number of entry points for attacks is also increasing.
A dozen US web servers spread 10 malware families
- Researchers at Bromium discovered over a dozen servers hosting 10 different malware families spread via phishing campaigns potentially tied to the Necurs botnet. Bromium monitored scams connected to this infrastructure between May 2018 and March 2019.
- The servers contained five families of banking trojans (Dridex, Gootkit, IcedID, Nymaim and Trickbot), two ransomware variants (GandCrab and Hermes), and three information stealers (Fareit, Neutrino and AZORult). One of the servers belonged to a ‘bulletproof’ hosting service and an additional 11 servers belonged to a company based in Nevada which sells virtual private server hosting.
- The malware hosted on these servers was distributed in multiple campaigns including mass phishing campaigns. In addition, email and hosting infrastructure has been separated from C&C systems, which could suggest that they are being used by distinct threat groups.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.