Silobreaker Daily Cyber Digest – 04 July 2019
Kaspersky Lab reveals that Sodinokibi ransomware exploits former Windows zero-day vulnerability
- The researchers published a detailed analysis of Sodinokibi Ransomware showing that the malware leverages CVE-2018-8453, a vulnerability in win32k[.]sys, to attain the highest level of privileges on the target system.
- Further analysis revealed that Sodinokibi encrypts victims’ files using the Salsa20 stream cipher, and that the keys for the encrypted files are generated with an elliptic curve asymmetric algorithm. The malware developers also built a backdoor decryption key into the malware, which the researchers dubbed the ‘public skeleton key’. This allows the developers to decrypt files behind the distributors’ backs.
- The majority of Sodinokibi victims are located in the Asia Pacific region, specifically in Hong Kong, Taiwan and South Korea.
Source (Includes IOCs)
Netlab researchers publish analysis of new Godlua Backdoor
- The researchers first discovered the Lua-based Godlua malware on April 24th, 2019. So far Godlua has been observed acting as a DDoS bot and was involved in an attack against a Liu Xiaobei fan site. The infection path is unclear, although some Linux users were infected via exploitation of CVE-2019-3396. Since the initial discovery, two strains of Godlua have been found; both retrieve the URL addresses of their second- and third-stage C2s from DNS TXT records.
- The first strain is older, focuses on Linux platforms, and can execute Linux system commands and run custom files. This older version performs C2 communications via hardcoded domain names or a GitHub link. The second strain is more active and runs on both Windows and Linux. Its control module is implemented in Lua and supports five C2 commands.
- Of primary concern is the malware’s use of DNS over HTTPS (DoH) requests instead of plain DNS requests. Because a DoH request is encrypted and invisible to third parties, security software that relies on inspecting DNS traffic fails to stop the malware from connecting to malicious domains.
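Because DoH removes the DNS lookups a resolver log would otherwise show, a defender has to look for the DoH traffic itself. The following is an added example, not code from the Netlab report or from this digest: it scans a constructed connection log (timestamp, source, destination, destination port, TLS SNI) for HTTPS connections to a small hand-built list of public DoH resolver hostnames and IPs, and separately reports sources that talk to a DoH resolver while never sending ordinary port-53 DNS, which is the pattern a compromised host using Godlua-style DoH-only resolution would produce. The resolver list, the log format and the sample lines are assumptions made for the example.

```python
"""Flag HTTPS connections to public DoH resolvers in a connection log (added example)."""
from collections import defaultdict

# Assumption: a small, hand-built list of well-known public DoH endpoints
# (Google, Cloudflare, Quad9). A real deployment would maintain its own list
# and add any resolvers it sees in the wild.
DOH_HOSTNAMES = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Constructed sample log: ts src dst dport sni ('-' when no SNI was seen).
SAMPLE_LOG = """
# ts src dst dport sni   (constructed for this example)
1562198400 10.0.0.5 10.0.0.2 53 -
1562198401 10.0.0.5 93.184.216.34 443 example.com
1562198402 10.0.0.9 1.1.1.1 443 cloudflare-dns.com
1562198403 10.0.0.9 8.8.8.8 443 dns.google
1562198404 10.0.0.9 203.0.113.7 443 -
1562198405 10.0.0.7 10.0.0.2 53 -
1562198406 10.0.0.7 104.16.248.249 443 mozilla.cloudflare-dns.com
"""


def parse_line(line):
    """Parse one whitespace-separated record into a dict."""
    ts, src, dst, dport, sni = line.split()
    return {
        "ts": ts,
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "sni": None if sni == "-" else sni.lower(),
    }


def iter_records(lines):
    """Yield parsed records, skipping blank lines and '#' comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield parse_line(line)


def is_doh_connection(rec):
    """True when the record is TLS (port 443) to a known DoH resolver IP or SNI."""
    if rec["dport"] != 443:
        return False
    if rec["dst"] in DOH_IPS:
        return True
    return rec["sni"] is not None and rec["sni"] in DOH_HOSTNAMES


def find_doh_hosts(lines, threshold=1):
    """Return {src: [records]} for every source with >= threshold DoH connections."""
    hits = defaultdict(list)
    for rec in iter_records(lines):
        if is_doh_connection(rec):
            hits[rec["src"]].append(rec)
    return {src: recs for src, recs in hits.items() if len(recs) >= threshold}


def doh_without_plain_dns(lines):
    """Sources that used a DoH resolver but sent no port-53 DNS at all.

    A browser with DoH enabled still usually shows some plain DNS from the OS
    resolver; a host that only ever resolves over DoH is the stronger signal.
    """
    plain_dns, doh = set(), set()
    for rec in iter_records(lines):
        if rec["dport"] == 53:
            plain_dns.add(rec["src"])
        elif is_doh_connection(rec):
            doh.add(rec["src"])
    return doh - plain_dns


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, recs in find_doh_hosts(lines).items():
        print(f"{src}: {len(recs)} DoH connection(s)")
    print("DoH-only resolvers:", sorted(doh_without_plain_dns(lines)))
```

Matching on resolver IP as well as SNI matters because a client can reach a DoH endpoint by IP with no SNI, and encrypted SNI or a fronted domain would defeat the hostname check entirely; blocking or alerting on the destination, rather than trying to read the queries, is the realistic control once DNS itself is encrypted.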
Fortinet researchers discover new wave of BianLian banking malware
- Updates to the BianLian malware for Android include several new features, such as a Screencast module and a Socks5 module. The Screencast module allows the malware to record the device’s screen, while the Socks5 module creates a functioning SSH server on the device using Java Secure Channel (JSch). Through the Socks5 tool the malware establishes a proxy that runs an SSH session with remote port forwarding on port 34500, making C2 communication harder to detect.
- The researchers also discovered that BianLian drops an additional tool from a C2 that checks if Google Play Protect is active through the Google SafetyNet API.
Source (Includes IOCs)
New cookie stealing module included in Trojan Trickbot
- Researcher Brad Duncan first spotted the new cookie stealing module for the multipurpose Trickbot Trojan on July 2nd, 2019. Further analysis was performed by Vitali Kremez, who found that the module’s build date was June 27th, 2019.
- Kremez found that the module targeted cookie storage databases on Chrome, Firefox, Internet Explorer and Microsoft Edge. The new cookie stealer function comes with its own configuration file and allows the attacker to control the module separately from other information stealing features.
Silence Group linked with $3 million attack against Dutch Bangla Bank’s ATMs in Bangladesh
- Group-IB researchers investigated the heist, which was carried out in Dhaka on May 31st, 2019. CCTV footage showed Ukrainian mules making phone calls prior to withdrawing funds from the ATMs. The researchers concluded that the Russian-speaking cybercriminal Silence Group was involved.
- Rustam Mirkasymov, Head of Dynamic Analysis of Malicious Code at Group-IB, told ZDNet that they discovered IP addresses of Dutch Bangla Bank’s hosts had been communicating with Silence’s C2 since February 2019.
- The researchers concluded that this latest attack is evidence that the group is expanding the geographic scale of its attacks to target the APAC market.
Multiple Chinese threat actors observed exploiting Equation Editor vulnerability
- Researchers at Anomali Labs found multiple Chinese threat actors using the known Equation Editor remote code execution vulnerability CVE-2018-0798 in their weaponizer, which can allow a threat actor to perform stack corruption. This discovery was made after an analysis of the Royal Road weaponizer, which is often used to exploit CVE-2017-11882 and CVE-2018-0802.
- Chinese threat actors used the exploit exclusively before it began appearing in commodity malware campaigns, suggesting that these groups sold it after using it in their own campaigns.
- The threat groups may also have robust exploit development capabilities, as CVE-2018-0798 is not widely reported on and is not incorporated into publicly available weaponizers.
Source (Includes IOCs)
Leaks and Breaches
Boyd Group Inc reports ransomware attack
- In a press release, the Boyd Group Income Fund announced it had detected a ransomware attack on June 27th, 2019, on a subset of its IT systems. A temporary interruption in repairs is expected; however, the company believes most processes will continue at normal or near-normal levels.
- The investigation is still ongoing, but as of now no customer or employee information is believed to have been compromised.
Miami DFCS employee allegedly stole the PII of 2,000 Florida residents
- Bertanicy Garcia, an interviewing clerk at the Miami Department of Children and Family Services (DFCS), is believed to have accessed and fraudulently used personally identifiable information (PII) to make $260,000 in purchases.
- Garcia also allegedly worked together with six other accomplices who created fake credit cards and committed tax fraud using the PII she had collected. Two of the accomplices had previously been arrested and the investigation revealed information connecting them to Garcia. They have since disappeared after being released on bond.
Multiple vulnerabilities discovered in Lenovo products
- Swascan’s Cyber Security Team discovered nine vulnerabilities affecting Lenovo’s servers and infrastructure applications, two of which were rated high in severity. Lenovo has since fixed the vulnerabilities.
- If exploited, an attacker could execute arbitrary code, alter the intended control flow, read sensitive information or cause the system to crash, as well as execute dangerous commands directly on the operating system, or gain arbitrary control of a resource.
IBM patches critical and high severity flaws across a range of products
- The most critical vulnerability is tracked as CVE-2019-4087 and impacts the server and storage agent components of IBM’s Spectrum Protect data security platform. The flaw is a stack-based buffer overflow that stems from improper bounds checking in the server and storage agent.
- An additional flaw, tracked as CVE-2019-4088, was also identified in IBM Spectrum Protect and can be triggered by loading a specially crafted library via the ‘dsmqsan’ module. This could allow a local attacker to gain elevated privileges on impacted systems.
- IBM Security Guardium also suffered from a high severity bug that could allow a remote attacker to upload files which could then be used to execute arbitrary code on the vulnerable web server. This vulnerability is tracked as CVE-2019-4292.
Cisco releases patches for multiple products
- Security updates were released for multiple Cisco products to patch numerous flaws, including denial-of-service, memory corruption, and command injection vulnerabilities. Ten of the flaws are rated as high impact and if exploited, they could allow an attacker to gain control of the affected system.
Magento vulnerabilities allow attackers to redirect payments
- Researchers at RIPS Technologies analysed how attackers can exploit vulnerabilities in Magento stores to fully take over a store and redirect payments. These vulnerabilities can be exploited on Magento stores using the built-in core Authorize.Net payment module.
- The researchers rated the severity of the exploit chain as high, as it requires no prior knowledge of or access to the Magento store and no social engineering. Patches have been released for versions 2.3.2, 2.2.9 and 2.1.18.
Firefox open to local file theft attacks
- Researcher Barak Tawily discovered a vulnerability attributable to Firefox’s improper implementation of the Same Origin Policy for file scheme URIs. The attack can be carried out on any supported OS.
- Tawily stated that this issue has a long history and a very similar vulnerability was reported almost 17 years ago.
VMware begins to patch a list of products affected by SACK Panic and SACK Slowness
- The SACK Panic and SACK Slowness vulnerabilities are tracked as CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479. The vulnerabilities were disclosed by researcher Jonathan Looney in mid-June 2019.
- VMware revealed that 31 products were impacted and patches are currently pending for AppDefense, Container Service Extension, Enterprise PKS, Horizon, and more.
- A full list of the impacted products is available via the VMWare Security Advisory.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.