Silobreaker Daily Cyber Digest – 04 December 2019
Multiple companies recently targeted by Ryuk ransomware
- The Texas-based end-to-end solutions provider for US emergency facilities T-System was hit by Ryuk ransomware in late November 2019. According to security researcher Germán Fernández, it appears the infection affected the company’s public segments, including DMZ, extranet, and helpdesk. The ransom note included the phrase ‘balance of shadow universe,’ suggesting a recent Ryuk sample, discovered in June 2019, was used in the attack.
- Fernández also discovered that the Spanish manufacturer TECNOL had been hit by Ryuk ransomware on November 1st, 2019, around the same time news emerged of a ransomware attack on Cadena SER, which some believe involved Ryuk.
- Additionally, Fernández discovered that the Spanish provider ASD Audit had received a ransom note with Ryuk markings, including the ‘balance of shadow universe’ phrase, in September 2019. Another Ryuk ransom note was found on Imperdeco’s systems on the same day.
IcedID Trojan used in recent TA2101 campaign employs steganographic payloads
- Researchers at Malwarebytes published their analysis of the IcedID trojan, which Proofpoint recently observed being deployed in a malspam campaign conducted by TA2101.
- The malware, which is delivered via Microsoft Word documents that purportedly come from the United States Postal Service, is chiefly known as a banking trojan, but can additionally exfiltrate a variety of an infected victim’s credentials. Additionally, IcedID can deliver other types of malware including TrickBot.
- The researchers stated that since September 2019 IcedID is being ‘delivered via steganography, as the data is encrypted and encoded with the content of a valid PNG image’. The malware also features a range of obfuscation techniques and methods to slow down attempts at static analysis.
Source (Includes IOCs)
New macOS malware identified with possible links to Lazarus group
- On December 2nd, 2019, malware researcher Dinesh Devadoss provided a hash for a macOS malware sample with a very low detection rate. The malware, which loads a Mach-O binary from memory and executes it, is packaged as UnionCryptoTrader and hosted on a cryptocurrency trading platform.
- The website does not, however, contain a download link, and at present the malware lacks a valid certificate. This suggests that the malware has been detected before it could be properly deployed.
- Security researcher Patrick Wardle conducted an analysis of the malware and discovered some ‘clear overlaps’ with a recently discovered first-stage implant used by the Lazarus Group.
Source (Includes IOCs)
Trojanized Python libraries caught stealing SSH and GPG keys
- A malicious developer, operating under the moniker olgired2017, created two trojanised Python libraries on the Python Package Index (PyPI) that were discovered stealing SSH and GPG keys from infected developers. The libraries, which mimicked the dateutil and jellyfish libraries, were discovered by developer Lukas Martini on December 1st, 2019.
- The library imitating jellyfish downloaded a file from a GitLab repository, which was decoded into a Python file and executed. The malicious file then attempted to steal SSH and GPG keys. The library had been available since December 11th, 2019.
- The fake dateutil library, which was created and uploaded on November 29th, 2019, did not contain malicious code but instead attempted to download the malicious jellyfish library. Both libraries have been removed by the Python security team and developers have been advised to review their projects.
Source (Includes IOCs)
Leaks and Breaches
Sycamore School District 427 hit by ransomware attack
- On December 3rd, 2019, the Sycamore School District 427 discovered it had been hit by a ransomware attack. The extent of the attack is currently being assessed. According to Superintendent Kathy Countryman, it did not affect the email system, phone system, website, student information systems or building alarm systems.
Personal data of plus-size women sold on dark web
- DynaRisk observed a hacker selling the personal data of thousands of plus-size women on a dark web forum. Discussions on the forum revolved around monetizing the data, in one instance by targeting the affected individuals with specific scams. According to DynaRisk, the hacker had gained access to the data via women’s clothing websites, and the data was exposed in late August 2019.
- DynaRisk CEO Andrew Martin notes that data breaches are fairly common, yet aggregating data on a specific demographic is not usually observed. This allows for very targeted spam campaigns. Martin adds that legitimate companies may end up using the personal data, for example by buying it from a ‘gray market’ provider who may have purchased it on the dark web.
Yodel app displays order details to incorrect users
- On November 30th, 2019, security researcher Akshay ‘Ax’ Sharma discovered that the Yodel app for Android contains a bug that displays the tracking information for other users’ parcels. Each time the feed is refreshed, the app displays a new tracking number.
- Exposed information includes the parcel tracking number, driver’s location, name of the driver, destination of the package, estimated time of arrival, and more. Once the tracking number is divulged any user can re-schedule or cancel the delivery.
- Sharma contacted a live chat agent to inform Yodel of the issue, but the agent denied that the bug existed. Yodel also initially ignored the researcher’s attempts to contact them via Twitter Direct Message. The issue was eventually acknowledged and fixed on December 3rd, 2019.
Microsoft Azure accounts open to takeover
- Researchers at CyberArk identified a vulnerability in certain Microsoft OAuth 2.0 applications that could allow an attacker to take over Microsoft Azure accounts.
- The issue stems from the fact that these OAuth applications trust domains and sub-domains that anyone can register. The apps are approved by default, and a user can request an ‘access_token’ for them. The researchers stated that the combination of these two factors could allow an attacker to gain access to AD resources, Azure resources, and more.
- The vulnerability was discovered by the researchers on October 29th, 2019. Microsoft acknowledged the issue and fixed the flaw on November 20th, 2019.
Mozilla removes certain Avast and AVG add-ons over privacy concerns
- Avast Online Security, AVG Online Security, Avast SafePrice and AVG SafePrice were removed from the Firefox add-on site due to concerns over tracking users’ browsing activity. The extensions remain available on the Google Chrome Web Store.
- On October 28th, 2019, security researcher Wladimir Palant reported that the extensions collect data that ‘goes far beyond what’s necessary for the extension to function.’ The collected data includes URLs visited, page titles, the referrer, the user’s OS version, a unique user identifier, country code, and more. Palant argues that such information could be used to reconstruct a user’s browsing history.
Stopping Grinch Bots Act introduced to US Congress
- The bill aims to stop the use of Grinch bots, which use automation to bypass security measures on retail sites and place bulk orders for products, typically the most sought-after toys, which are then re-sold at inflated prices. The bill was introduced by Senator Richard Blumenthal on November 29th, 2019.
- The Stopping Grinch Bots Act would use the same structure as the BOTS Act, signed into law in 2016, to ban bots that bypass security measures on online retail sites.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.