Silobreaker Daily Cyber Digest – 04 October 2019
Ramnit trojan targets Japanese shoppers
- IBM X-Force researchers observed Ramnit targeting Japanese e-commerce vendors, specifically major fashion brands from overseas.
- The trojan is delivered by the GrandSoft exploit kit. Although the campaign is focused on fashion retailers, the configuration file loaded onto infected devices also triggers the trojan's web-injection mechanism when the victim visits online banking, webmail or social media login pages.
Casbaneiro banking trojan targets banks and cryptocurrency services in Brazil and Mexico
- Researchers at ESET identified a Latin American banking trojan, named Casbaneiro. The malware has backdoor capabilities and can take screenshots, simulate mouse and keyboard actions, record keystrokes, restrict access to websites, and more.
- Casbaneiro also targets cryptocurrency users by monitoring the victim's clipboard for wallet addresses and replacing any it finds with the attacker's own. The researchers found that the wallet used in the campaign had already received payments.
- The malware is distributed through malicious financial management software and through Re-Loader, a tool used to activate pirated copies of Microsoft products.
- The researchers found that the operators hid their C2 addresses in Google Docs documents and in website metadata, as well as in the descriptions of YouTube videos.
Source (Includes IOCs)
Reductor malware manipulates TLS certificates
- Researchers at Kaspersky identified a new malware family, dubbed Reductor. It was first spotted at the end of April 2019 and targets victims in Russia and Belarus.
- The malware can mark and track a victim's encrypted web traffic without intercepting it, by patching the pseudo-random number generator that the browser uses to produce the random values in the TLS handshake. In addition, Reductor has typical RAT functionality that allows it to upload, download and execute files.
- Reductor has strong similarities to COMpfun, which Kaspersky 'tentatively linked' to the Turla APT. The victimology and malware similarities in this campaign also led the researchers to suggest that Turla is responsible for Reductor.
Source (Includes IOCs)
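A practitioner reading the Reductor item will want a way to spot TLS handshakes whose "random" field is no longer random. The check below is an added example, not code from Kaspersky's report: it parses raw TLS ClientHello records sent by one host, extracts the 32-byte client random from each, and flags byte positions that never change across sessions. A sound PRNG leaves no such positions; a patched one that embeds a fixed identifier does. The sample ClientHello bytes, the 4-byte marker and the "constant across at least four sessions" threshold are constructed assumptions for the demonstration and say nothing about how Reductor actually encodes its marker.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def client_random(record: bytes) -> bytes:
    """Extract the 32-byte client random from a raw TLS ClientHello record.

    Layout (RFC 5246): 1 byte content type, 2 bytes record version, 2 bytes
    record length, then the handshake message: 1 byte type, 3 bytes length,
    2 bytes client version, 32 bytes random, session id, cipher suites, ...
    """
    if len(record) < 43 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    if rec_len + 5 > len(record):
        raise ValueError("truncated record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_len + 4 > len(hs):
        raise ValueError("truncated handshake message")
    return hs[6:38]


def constant_positions(randoms, min_sessions=4):
    """Byte positions of the client random that never change across sessions.

    With a sound PRNG every position is uniform, so the chance that any of the
    32 positions repeats across four sessions is roughly 32 / 256**3 (~2e-6).
    Constant positions therefore point at a PRNG that has been tampered with.
    The four-session threshold is an assumption chosen for this check.
    """
    if len(randoms) < min_sessions:
        return set()
    return {i for i in range(32) if len({r[i] for r in randoms}) == 1}


def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello used as sample input."""
    if len(random32) != 32:
        raise ValueError("client random must be 32 bytes")
    body = (b"\x03\x03" + random32
            + b"\x00"                  # empty session id
            + b"\x00\x02\x00\x2f"      # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")             # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed samples: four sessions from a clean host, and four from a host whose
# PRNG has been patched to prefix every client random with a fixed 4-byte marker.
MARKER = b"\xde\xad\xbe\xef"   # hypothetical marker for the demo, not Reductor's encoding
CLEAN = [build_client_hello(bytes((j + 50 * i) % 256 for j in range(32)))
         for i in range(4)]
MARKED = [build_client_hello(MARKER + bytes((j + 50 * i) % 256 for j in range(28)))
          for i in range(4)]


def analyse(records):
    """Constant client-random positions seen across a host's ClientHellos."""
    return constant_positions([client_random(r) for r in records])


if __name__ == "__main__":
    print("clean host :", analyse(CLEAN))    # set()
    print("marked host:", analyse(MARKED))   # {0, 1, 2, 3}
```

One caveat before deploying this as a detection: older TLS 1.0 to 1.2 stacks fill the first four bytes of the client random with the Unix time, so positions 0 and 1 can legitimately stay constant across sessions that are minutes or months apart. Treat hits on those two positions as expected for such clients and alert on the rest, or raise the session threshold.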
Spike observed in Lemon_Duck PowerShell campaign
- Sophos researchers observed a spike in a crypto-mining campaign that targets enterprise networks and uses the EternalBlue exploit for lateral movement. The group, known to use the Lemon_Duck PowerShell script, continuously upgrades its attack script with new offensive modules, most of them taken from open-source repositories, and maintains persistence on Windows machines using Scheduled Tasks.
- The researchers suspect the attacks originated in Asia, but they have since spread to every continent.
Source (Includes IOCs)
- FIN7 operates out of Eastern Europe and has been involved in large point-of-sale compromises since 2015. The group uses a front company called ‘Combi Security’, reportedly based in Russia and Israel, to recruit new members. Despite multiple arrests in 2018, the group remains active.
Source (Includes IOCs)
macOS systems exploited in DDoS attacks
- According to ZDNet, DDoS-for-hire services are abusing macOS systems to launch DDoS attacks. The attacks exploit macOS systems on which the Apple Remote Desktop (ARD) feature is enabled and which are directly reachable from the internet, rather than sitting inside a local network behind a firewall.
- Specifically, the attacks abuse the Apple Remote Management Service (ARMS), a component of ARD, as a reflector in DDoS amplification attacks. Up to 40,000 macOS systems were found exposed online.
Attackers use multiple methods to target Egyptians
- Check Point researchers built upon a report published by Amnesty International in March 2019, which tracked a campaign targeting dissidents in Egypt. Check Point identified Arabic-speaking attackers running a campaign that used phishing pages, fake applications impersonating email providers, and fake mobile applications capable of tracking a target's device.
- The campaign has been active since at least 2018. Identified targets included journalists, members of a non-profit, and social and political activists. The researchers stated that the campaign originated either from an Egyptian source or from an actor who had invested in planting sophisticated false flags.
SandCat linked to Uzbekistan’s State Security Service
- Researchers at Kaspersky have linked SandCat to the State Security Service (SSS), Uzbekistan's intelligence agency, after discovering an email domain linked to 'Military Unit 02616', an investigative unit of the SSS. The IP addresses of the email domain and of the systems SandCat uses were also found to be nearly identical.
- SandCat runs Kaspersky's own antivirus software on the machines used to develop new malware, which allowed the researchers to detect samples before deployment. These included a newly developed tool called Sharpa, whose developer notes were written in Uzbek.
- SandCat was first discovered in October 2018 in a campaign that used a zero-day exploit to install Chainshot on machines in the Middle East. Further research revealed three additional zero-day exploits that SandCat had purchased from third-party vendors, which the researchers believe to be the Israeli companies NSO Group and Candiru. Nation-state groups in Saudi Arabia and the United Arab Emirates were also found to be using the same exploits.
Researchers uncover possible link between Magecart Group 4 and Cobalt Group
- Malwarebytes and HYAS researchers found patterns in email addresses used by Magecart Group 4 and Cobalt Group.
Source (Includes IOCs)
New threat actor AVIVORE targets aerospace and defence industries in the UK and Europe
- Context Information Security researchers discovered a new threat actor, dubbed AVIVORE, responsible for a series of attacks against UK and European aerospace and defence entities. The researchers have been tracking AVIVORE since summer 2018.
- AVIVORE is described as a ‘previously unknown and untracked nation-state level adversary’. Their primary motivation is believed to be intellectual property theft. They have also been described as ‘highly capable’ in their masquerading techniques and operational security awareness. AVIVORE leveraged a technique known as ‘island hopping’ to chain activity across multiple business units or geographical locations within victim environments.
- Victims include large multinational firms and smaller engineering or consultancy firms within their supply chain. Other targets were from the automotive, consultancy, energy and nuclear, and space and satellite technology industries.
PKPLUG Chinese groups target Southeast Asia
- Researchers at Unit 42 identified a group, or collection of groups, dubbed PKPLUG, targeting victims in countries and regions throughout Southeast Asia. PKPLUG have been active for at least six years and use a range of custom and publicly available malware.
- The group's malware includes PlugX, the 9002 trojan, Poison Ivy, Zupdax, the HenBox Android app and the Farseer Windows backdoor. The tooling suggests that the group's aim is tracking and information gathering.
- Assessing PKPLUG’s targets, malware content and infrastructure, led the researchers to assert with ‘high confidence that it has origins to Chinese nation-state adversaries’.
Source (Includes IOCs)
Leaks and Breaches
Toronto hospital targeted with Ryuk ransomware
- Toronto’s Michael Garron Hospital was targeted by a Ryuk ransomware attack on September 25th, 2019. However, rather than demanding a ransom, the threat actors appeared to attempt data exfiltration.
- As a result of the attack, the hospital’s email service was disrupted and some services had to be cancelled. The hospital’s firewall prevented any data from being stolen and no patient data has been compromised.
North Carolina State Bar hit by ransomware attack
- On September 30th, 2019, the North Carolina State Bar was hit by a ransomware attack that encrypted some of its servers, resulting in its website and Membership/CLE portal being unavailable. No indication was found that any data was stolen.
Kaiser Permanente patient data exposed in data breach
- An unauthorised individual had access to a Kaiser Permanente email account for about 13 hours, exposing the personal information, such as dates of service, ages, dates of birth, and more, of 990 Sacramento-area patients. No Social Security numbers or financial information were in the emails, and no evidence was found that the information was viewed, used or copied.
City of Cornelia hit by ransomware for third time in 2019
- The billing system of Cornelia, Georgia, was hit by a ransomware attack for a third time this year, which resulted in a day of lost productivity. The previous attacks shut down the city for multiple days. The city has approved the purchase of a new firewall to prevent any further attacks.
Goshen Health notifies patients of data breach
- Personal health information of 9,160 Goshen Health patients may have been exposed in a data breach that took place between August 2nd, 2018 and August 13th, 2018, during which an unauthorised individual gained access to two employees' email accounts. On August 1st, 2019, Goshen Health determined that the email accounts contained patient information.
- Potentially exposed data includes names, addresses, dates of birth, physician names, health insurance information, limited clinical information, Social Security numbers and driver's license numbers. Goshen Health does not believe any patient data has been misused.
Four US restaurant chains had payment information compromised
- On October 2nd, 2019, the Focus Brands subsidiaries McAlister's Deli, Moe's Southwest Grill and Schlotzsky's announced that both corporate and franchised restaurants had been affected by a payment card security incident.
- The breach began at Schlotzsky's on April 11th, 2019, and at Moe's and McAlister's on April 29th, 2019. In all cases the intrusion was ended on July 22nd, 2019. Stolen information includes card numbers, expiration dates, internal verification codes and, in some cases, the cardholder's name.
- Hy-Vee also released an update about the point-of-sale attack it disclosed in August 2019. The new information reveals that six Hy-Vee locations may have been compromised since November 9th, 2018, and that in one location the compromise may have lasted until August 2nd, 2019. Additionally, Hy-Vee fuel pumps may have been compromised since December 14th, 2018.
Critical vulnerability found in numerous D-Link routers
- Fortinet researchers discovered a critical command injection vulnerability, tracked as CVE-2019-16920, in D-Link products that could result in unauthenticated remote code execution. The flaw affects DIR-655, DIR-866L, DIR-652 and DHP-1565.
- A full analysis of the vulnerability is available on Fortinet’s website.
Cisco release patches for vulnerabilities in three of its networking and security products
- Cisco's latest batch of security advisories addresses 18 high-severity flaws in Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Management Center and Cisco Firepower Threat Defense Software.
- Successful exploitation of the flaws could permit an attacker to gain unauthorised access, gain elevated privileges, execute arbitrary commands, or cause a DoS condition on affected devices.
- A full list of the vulnerabilities and relevant updates can be found on Cisco’s website.
Android zero-day impacts Pixel, Samsung, Huawei and Xiaomi devices
- Researchers at Google Project Zero identified a zero-day vulnerability, tracked as CVE-2019-2215, in the Android kernel (a use-after-free in the Binder driver). The bug was patched in the upstream Linux kernel in December 2017, but the fix never made it into the kernels shipped on many newer Android devices.
- The bug is a local privilege escalation vulnerability that can fully compromise a target device. The researchers stated that 'If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.'
- The researchers stated that they believed the exploit had been developed by the Israeli company NSO Group.
Athena IDProtect smart cards vulnerable to Minerva attack
- Academics from the Centre for Research on Cryptography and Security at Masaryk University discovered a new side-channel attack, called Minerva, that allows an attacker to recover the private keys used for ECDSA signing on smart cards and in cryptographic libraries. The leak is a timing dependency on the bit length of the per-signature nonce; with the recovered private key, an attacker can impersonate the card or forge signatures.
- The attack was tested on Athena IDProtect smart cards, but the researchers believe other smart cards may also be vulnerable, including cards from Valid, SafeNet and TecSec. Only Athena IDProtect cards built on the Inside Secure AT90SC chip with the Atmel Toolbox 00.03.11.05 cryptographic library are affected; cards manufactured after 2015 are not.
- Open-source libraries are the most affected. Impacted projects, including Libgcrypt, wolfSSL and Crypto++, were informed of the vulnerability and have issued patches. MatrixSSL patched some issues but remains vulnerable, as does Oracle's SunEC library.
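To make the Minerva leak class concrete, the following added example (not the researchers' code and not any vendor's implementation) shows, on a toy curve, a double-and-add scalar multiplication whose operation count reveals the bit length of the nonce, and the standard fix of padding the scalar so that the value actually processed always has the same bit length. The curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) is a textbook toy curve chosen for the demonstration; it has nothing to do with any product named above.

```python
"""Toy demonstration of nonce bit-length leakage and the scalar-padding fix.

ECDSA signing computes k*G for a fresh random nonce k.  If the scalar
multiplication's running time depends on the bit length of k, an attacker
who times signing operations learns which signatures used short nonces, and
with enough of those the private key can be recovered by lattice methods.
The fix below makes the processed scalar's bit length independent of k.
"""

P, A, B = 17, 2, 2        # curve y^2 = x^3 + A*x + B over F_P (toy, assumed)
G = (5, 1)                # generator on that curve
INF = None                # point at infinity


def inv(x):
    """Modular inverse via Fermat; valid because P is prime."""
    return pow(x % P, P - 2, P)


def add(p, q):
    """Affine point addition (and doubling) on the toy curve."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_order(g):
    """Order of g by brute force (fine for a 17-element field)."""
    n, q = 1, g
    while q is not INF:
        q = add(q, g)
        n += 1
    return n


N = point_order(G)        # group order of G; 19 on this curve


def leaky_mul(k, g):
    """Left-to-right double-and-add.  Returns (k*g, number of doublings).

    Doublings = bit_length(k) - 1, so anyone who can time this routine learns
    the bit length of the nonce.  (The number of additions also varies with
    the Hamming weight of k; that second leak is not addressed here.)
    """
    bits = bin(k)[2:]
    r = g                     # leading bit of k >= 1 is always 1
    doublings = 0
    for bit in bits[1:]:
        r = add(r, r)
        doublings += 1
        if bit == "1":
            r = add(r, g)
    return r, doublings


def padded_scalar(k, n):
    """Return k' with k'*G == k*G and bit_length(k') == bit_length(n) + 1.

    Adding n or 2n does not change the result because n*G is the identity.
    Picking whichever lands in [2^L, 2^(L+1)) pins the top bit, so the
    doubling count no longer depends on k.
    """
    kp = k + n
    if kp.bit_length() == n.bit_length():
        kp += n
    return kp


def fixed_mul(k, g, n):
    """Scalar multiplication with constant bit-length scalar."""
    return leaky_mul(padded_scalar(k, n), g)


def nonce_bitlen_from_trace(doublings):
    """What an attacker infers from an observed doubling count."""
    return doublings + 1


if __name__ == "__main__":
    for k in (1, 3, 10, 18):
        _, d_leaky = leaky_mul(k, G)
        _, d_fixed = fixed_mul(k, G, N)
        print(f"k={k:2d} bits={k.bit_length()} leaky doublings={d_leaky} "
              f"fixed doublings={d_fixed}")
```

Run stand-alone, the leaky routine's doubling count tracks the nonce's bit length (0 for k=1, 4 for k=18) while the padded version always performs N.bit_length() doublings and returns the same point. Real libraries combine this padding with a Montgomery ladder or a constant-time window method to remove the Hamming-weight leak as well.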
Emsisoft releases GalactiCrypter decryptor
- Emsisoft released a free decryptor tool for the GalactiCrypter ransomware strain. GalactiCrypter was first distributed in 2016 and uses AES-256 to encrypt victims' files.
- Emsisoft advises victims not to pay the ransom and use the decryptor instead.
Researcher demonstrates how adversaries can harvest intelligence on US critical infrastructure
- Using his own free tool Kamerka and open source intelligence, a researcher known as Wojciech showed how threat actors could search for industrial control systems (ICS) in the US, map them to geographic locations, and identify critical infrastructure targets.
- Kamerka uses Shodan to search the internet for ICS devices and protocols, including Siemens S7, Tridium, General Electric, Mitsubishi Electric, Omron, PC WORX, Red Lion, Modbus, BACnet, HART-IP, DNP3, EtherNet/IP, Codesys, ProConOS and IEC 60870-5-104. The researcher's search revealed about 26,000 ICS devices in the US exposed online.
- Wojciech also discovered exposed login pages, admin panels and human-machine interfaces, including those used by US government organizations, which could be accessed on non-ICS ports 80 and 8080.
Ukrainian police shut down bot farms across the country
- Ukrainian police raided bot farms in Kiev, Odessa, Lviv, Nikolaev, Rivne and Kherson. The bot farms were built from multi-SIM modems, with connections routed through VPNs and the Tor network, and were used to register accounts and send spam, phishing messages and scam campaigns.
- The equipment was also allegedly used to send false reports about mine clearance in eastern Ukraine. The operators are to be prosecuted for terrorist acts, extortion and endangering citizens' security by disseminating false reports.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.