Silobreaker Daily Cyber Digest – 04 September 2019
Nemty Ransomware distributed from RIG Exploit Kit
- Security researcher Mol69 discovered Nemty malware being distributed in malvertising campaigns that use the RIG Exploit Kit. Bleeping Computer suggested that this indicates that Nemty’s operators have established a distribution deal.
- Following a successful infection, Nemty malware encrypts files, and the attackers demand approximately $1000 in Bitcoin for the decryption key. At present there is no free decryption tool available.
Campaign observed delivering TrickBot using Ostap
- Bromium researchers discovered a new campaign delivering TrickBot using the commodity JScript downloader Ostap, rather than the usual obfuscated command shell or PowerShell commands. The campaign appears to target businesses rather than individuals, and Ostap uses several anti-analysis measures to evade detection.
- Ostap is delivered via a Microsoft Word document with macros enabled. The document contains both the VBA macro and the JScript, which is stored as white text in the body of the document. As an anti-sandbox measure, part of the macro only runs once the document has been closed. Once the script has run, a fake Windows Script Host runtime error message is displayed, most likely to discourage the user from examining the downloader manually.
- Although typical downloaders are small in size, Ostap is very large, containing nearly 35,000 lines of obfuscated code, a trend that has been observed in previous TrickBot campaigns.
Source (Includes IOCs)
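The hidden-payload trick described above (script text coloured white so it is invisible in the rendered document) can be checked for without opening the file in Word, because a .docx is a zip archive containing plain OOXML. The following is an added example written for this digest, not code from Bromium or from the Ostap analysis: it builds a small constructed .docx in memory, then scans `word/document.xml` for runs with colour `FFFFFF` that are either very long or contain script-like keywords, and notes whether a VBA project is embedded. The keyword list and the length threshold are assumptions chosen for the example, not indicators from the report.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Heuristic markers for script text hiding in a document body.
# Assumption: chosen for this example, not a list taken from the report.
SCRIPT_MARKERS = re.compile(
    r"WScript|ActiveXObject|eval\(|new Function|String\.fromCharCode", re.I
)


def scan_docx(docx_bytes, min_len=200):
    """Scan a .docx for white-on-white text runs that look like script.

    Returns a dict with:
      has_vba_project - True if the archive carries a macro project
      hidden_runs     - list of (reason, preview) for suspicious white runs
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        root = ET.fromstring(zf.read("word/document.xml"))

    hidden_runs = []
    for run in root.iter(W + "r"):
        rpr = run.find(W + "rPr")
        if rpr is None:
            continue
        color = rpr.find(W + "color")
        if color is None or color.get(W + "val", "").upper() != "FFFFFF":
            continue  # only runs rendered white (invisible on a white page)
        text = "".join(t.text or "" for t in run.iter(W + "t"))
        reasons = []
        if len(text) >= min_len:
            reasons.append("long white-on-white run (%d chars)" % len(text))
        if SCRIPT_MARKERS.search(text):
            reasons.append("script keywords in white text")
        if reasons:
            hidden_runs.append(("; ".join(reasons), text[:60]))

    return {
        "has_vba_project": "word/vbaProject.bin" in names,
        "hidden_runs": hidden_runs,
    }


def build_sample_docx(hidden_payload, with_macro=False):
    """Build a minimal .docx (a constructed sample, not a real Ostap document)
    with one visible paragraph and one white-text run carrying hidden_payload."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>'
        "<w:p><w:r><w:t>Quarterly invoice attached.</w:t></w:r></w:p>"
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
        '<w:t xml:space="preserve">%s</w:t></w:r></w:p>'
        "</w:body></w:document>" % (W_NS, escape(hidden_payload))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
        if with_macro:
            # Placeholder bytes: a real file carries a compressed VBA project here.
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    payload = 'var sh = new ActiveXObject("WScript.Shell"); ' * 8
    print(scan_docx(build_sample_docx(payload, with_macro=True)))
```

A production version would also walk headers, footers and embedded parts and treat any macro project in a document that also contains long hidden text as a strong signal; the combination of the two is the point, since either alone (a long white run, or a macro) is common in benign files.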
New social engineering toolkit downloads NetSupport RAT
- Researchers at Malwarebytes Labs discovered a new toolkit, dubbed Domen, being used in recent social engineering campaigns. Domen tricks individuals into downloading fake updates that deliver NetSupport RAT.
- The toolkit’s framework is built around a client-side script, offering multiple fake update templates, which can be customized for desktop and mobile users and is available in 30 languages.
- The researchers found the campaign to be similar to the SocGholish campaign, discovered in 2018. Some hacked sites were found hosting both campaigns, which abuse a cloud hosting platform, download a fake update as ‘download[.]hta’ and deliver NetSupport RAT.
Phishing campaign targeting banks uses SharePoint to evade perimeter detection
- Researchers at Cofense identified a phishing campaign that uses SharePoint to ensure that malicious URLs are not detected by Symantec email gateway and similar perimeter technologies.
- The attack, which targets the banking sector, begins with an email from a compromised account. The email purports to be a review proposal and contains a URL which redirects targets to a compromised SharePoint account. The SharePoint site hosts a malicious OneNote document which users are prompted to download. Targets who click the download link are shown a phishing page imitating a OneDrive for Business login portal. Victims are asked to provide their login details for Office 365 or any other email provider.
- The researchers identified that the phishing exploit kit used in this campaign is part of a series of hacking tools that are built and sold by BlackShop Tools.
Source (Includes IOCs)
New wave in malspam campaign pushes Remcos RAT
- Security researcher Brad Duncan observed a recent wave in a malspam campaign known to use password-protected Word documents to spread malware, this time pushing Remcos RAT. The resume-themed campaign has been ongoing since at least March 2017 and previously pushed a variety of malware, including IcedID ransomware and Nymaim.
Source (Includes IOCs)
JSWorm updated to version 4
- Researchers at Yoroi identified that JSWorm malware has been updated to version 4. The malware is an encryption ransomware which uses an AES key to encrypt a user’s files. The AES key is derived from an embedded Base64 seed, which is converted into a byte array through the CryptStringToBinary API. The key material is a mixture of fixed and random strings, which results in each infected device having a different AES key.
- Files are equipped with a lengthy extension which contains information that the infected user needs to move onto the ransom payment phase.
- The ransomware also deletes shadow copies and other system restore points created by Windows, kills processes related to common programmes, and alters the autorun path to display the ransom note window following system reboot.
Source (Includes IOCs)
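The post-encryption behaviours listed above (deleting shadow copies and restore points, killing processes, and changing the autorun path) are more useful for detection than any one sample's hashes, because they recur across ransomware families. The following is an added example, not code from Yoroi or from the JSWorm analysis: it runs a small set of behavioural rules over constructed process-creation log lines and raises an alert only when several distinct categories come from the same parent process. The exact commands matched (`vssadmin delete shadows`, `wmic shadowcopy delete`, `reg add ...\CurrentVersion\Run`, and so on) are the common Windows ways of doing what the bullet describes; the log format and the sample lines are invented for the example.

```python
import re
from collections import defaultdict

# Behaviour categories from the JSWorm v4 description, mapped to the usual
# Windows commands for each. Assumption: pattern set chosen for this example.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog",
        re.I,
    ),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    "autorun_modified": re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I),
    "process_kill": re.compile(r"taskkill(\.exe)?\s.*(/F|/IM)", re.I),
}

# key=value pairs, with the value either quoted or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed process-creation events (not real telemetry). Parent 4120 is the
# simulated ransomware process; 800 and 900 are benign noise.
SAMPLE_LOG = [
    r'2019-09-04T10:02:11Z host=WS01 ppid=4120 pid=4300 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    r'2019-09-04T10:02:12Z host=WS01 ppid=4120 pid=4304 image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'2019-09-04T10:02:13Z host=WS01 ppid=4120 pid=4310 image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM sqlservr.exe"',
    r'2019-09-04T10:02:14Z host=WS01 ppid=4120 pid=4315 image=C:\Windows\System32\reg.exe cmdline="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v note /t REG_SZ /d C:\Users\u\AppData\note.exe /f"',
    r'2019-09-04T10:15:00Z host=WS01 ppid=800 pid=5000 image=C:\Windows\System32\taskkill.exe cmdline="taskkill /F /IM notepad.exe"',
    r'2019-09-04T10:20:00Z host=WS01 ppid=900 pid=5100 image=C:\Windows\System32\cmd.exe cmdline="cmd /c dir"',
]


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def detect(lines, min_categories=2):
    """Group rule hits by parent PID and return the parents whose children
    triggered at least min_categories distinct behaviour categories.

    Result: {ppid: {category: first matching command line}}
    """
    hits = defaultdict(dict)
    for line in lines:
        f = parse_line(line)
        cmd = f.get("cmdline", "")
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[f.get("ppid", "?")].setdefault(name, cmd)
    return {ppid: cats for ppid, cats in hits.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for ppid, cats in detect(SAMPLE_LOG).items():
        print("parent %s: %s" % (ppid, ", ".join(sorted(cats))))
```

Requiring two or more categories from one parent is what keeps the rule quiet: an administrator running `taskkill` or a backup job clearing old shadow copies hits one category, while a ransomware process typically hits several within seconds. Correlating on parent PID (or, better, a process GUID) rather than on host alone is what makes that distinction.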
CrowdStrike states that ransomware attacks targeting the US are linked to Russian groups
- Researchers at CrowdStrike attributed the recent surge in ransomware attacks to the Russia-based group Wizard Spider. Wizard Spider is known for operating TrickBot malware, which is frequently associated with Ryuk ransomware. Ryuk has been identified as the encryption ransomware employed in at least 13 attacks since October 2018.
- CrowdStrike also stated that Ryuk is developed by a subsidiary of Wizard Spider known as Grim Spider. The researchers also asserted with ‘medium-high’ confidence that Grim Spider, like Wizard Spider, operates out of Russia.
Leaks and Breaches
Sensitive data of over 2.5 million Yves Rocher customers exposed in Aliznet data leak
- Researchers at vpnMentor discovered an unprotected database belonging to Aliznet, a consulting company in the retail sector, exposing private customer and company data of Aliznet’s client company Yves Rocher.
- Affected customers were located in Canada, and exposed data included first and last names, phone numbers, email addresses, dates of birth, postcodes, as well as FID numbers and customer ID numbers. Over six million Yves Rocher order records and internal client data were also exposed.
- The researchers also discovered they were able to access the API interface of an application created by Aliznet for Yves Rocher employees, which could give malicious actors additional information on the company and its customers, whilst the application could also be abused to tamper with data.
Vulnerabilities in Epignosis eFront allow attackers to perform RCE and SQL injection
- Researchers at Cisco Talos identified two vulnerabilities in Epignosis eFront LMS. The vulnerabilities are present in Epignosis eFront version 5.2.13 and have been resolved with the release of version 5.2.13.
- CVE-2019-5069 is a code execution vulnerability which can be triggered with a crafted web parameter. The flaw can cause unsafe deserialization which can potentially result in PHP code being executed.
- CVE-2019-5070 is an exploitable SQL injection vulnerability. Specially crafted web requests to the login page can cause SQL injection, which can result in data being compromised. An attacker can trigger this vulnerability from a browser.
Multiple vulnerabilities found in Zyxel networking and security devices, and Wi-Fi access points
- Researchers at SEC Consult identified a DNS request issue in security and networking devices from the Zyxel USG, UAG, ATP, VPN and NXC product ranges. Impacted products can send DNS requests which allow an unauthenticated user to identify, via the web login interface, whether a domain is present. An IP address is embedded in the response when a host with a corresponding domain is present.
- The researchers also discovered a second issue that relates to hardcoded FTP credentials in Wi-Fi access points from the NWA, NAP and WAC series. An attacker could move into protected networks by using these credentials to log on to the APs’ FTP server and steal SSIDs and passwords from the configuration file.
Vulnerabilities found in BMCs of Supermicro servers
- Eclypsium researchers discovered multiple vulnerabilities, dubbed USBAnywhere, in the baseboard management controllers (BMCs) of Supermicro servers, which could allow an attacker to easily gain access to a server, enabling them to virtually mount a USB device to a server. This could be done remotely over any network, including the internet and corporate networks.
- The vulnerabilities were found in the way BMCs implement virtual media on Supermicro X9, X10 and X11 platforms and include allowing plaintext authentication, sending most traffic unencrypted or using weak encryption, as well as being susceptible to an authentication bypass. Supermicro has since released patches.
Huawei alleges that US government launched cyber attacks and targeted employees
- On September 2nd, 2019, Huawei released a statement which claimed that the US government targeted the company with ‘judicial and administrative powers, as well as a host of other unscrupulous means’.
- Huawei accused the US government of instructing law enforcement to threaten, detain, and arrest Huawei employees. The company also claimed that FBI agents pressured employees to collect information.
- Huawei also alleged that the US government launched cyber-attacks aimed at infiltrating Huawei’s intranet and internal information systems.
German bank Oldenburgische Landesbank AG loses $1.5 million following card cloning scheme
- The cloning attack targeted Oldenburgische Landesbank AG (OLB) customers who used Mastercard debit cards. The funds were stolen as a result of an organized gang using counterfeit cards and terminals. The money was withdrawn at terminals across Brazil.
- OLB stated that around 2,000 customers were impacted and denied speculation that it had suffered a security breach. Mastercard also stated that neither Mastercard’s network nor the EMV technology, which is used to protect cards, was compromised.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.