Silobreaker Daily Cyber Digest – 05 February 2019
SpeakUp backdoor trojan exploits vulnerabilities in six Linux distributions
- Check Point researchers discovered a new campaign exploiting Linux servers to infect victims with a new backdoor trojan dubbed SpeakUp. The trojan has predominantly targeted servers located in East Asia and Latin America.
- According to Check Point, the initial infection vector is a recently disclosed flaw in ThinkPHP tracked as CVE-2018-20062. The backdoor has been described as evading all security vendors and being able to propagate internally within the infected subnet and beyond to new IP ranges. Apart from infecting six different Linux distributions, SpeakUp also has the ability to infect Mac devices.
- The researchers suspect the perpetrator behind SpeakUp is a malware developer known as Zettabit.
Source (Includes IOCs)
Researchers discover new Cayosin botnet
- The researchers discovered that Cayosin is a botnet-for-hire made up of Qakbot, Mirai and various other pieces of software.
- The botnet's operators used marketing and support techniques, having subscribers sign up for an account while the botnet was still in early development. Cayosin is marketed through social media platforms such as Instagram, as well as the dark web.
- Using the social media accounts allowed the hackers to support their operation through market research and customer support on a wide scale. Following the social media accounts led the researchers to more malware and botnets, including Yowai.
Qakbot malware being delivered as first-stage payload
- Researchers at Cofense have detected Emotet botnets delivering non-Emotet malware via phishing campaigns, as well as more precise targeting. The botnets have been observed attempting to deliver the Qakbot trojan to employees of a US state-level government agency using internal signatures, targeted addressing and quoted previous email threads.
New cyber espionage targets Tibet with ExileRAT
- Cisco Talos have recently observed a malware campaign targeting Tibet, delivering a malicious Microsoft PowerPoint document via a mailing list run by the Central Tibetan Administration (CTA), which represents the Tibetan government in exile. The malicious email contained a PPSX file attachment named “Tibet-was-never-a-part-of-China[.]ppsx”.
- The malicious PPSX file is a copy of a legitimate PDF available on Tibet[.]net and abuses CVE-2017-0199, an arbitrary code execution flaw in Microsoft Office. An infected system runs ExileRAT, delivered by the attacker’s C&C server, which is capable of stealing information from the infected device such as computer names and usernames and listing drives, as well as pushing files and terminating processes.
- Cisco Talos assess that, given the nature of the targets and the malware, the campaign is likely designed to give nation-state actors the ability to spy on civilians for political purposes. The infrastructure used for C&C in this campaign has previously been linked to the LuckyCat trojan.
Source (Includes IOCs)
Alexa 500 sites targeted with adaptive malware
- The Media Trust has observed a large-scale malicious campaign targeting premium publishers using malvertising posing as legitimate advertisements for 44 popular adtech retailers. Researchers analysed over 600,000 attacks and found that most visitors didn’t need to click on any of the ads but were redirected to malicious content that asked for personal information just by visiting the sites.
- The authors behind the campaign created persistence by ensuring that as soon as one malware and supply chain route was identified and terminated, another attack would immediately begin using a different malware and alternative supply chain routes. 80% of the targeted devices were running iOS.
GoDaddy domains still used to propagate spam despite authentication weakness fix
- Following reports that GoDaddy had recently addressed an authentication weakness that was being used to propagate spam via legitimate, dormant domains, KrebsonSecurity has observed that scammers are continuing to use GoDaddy domains for recent malware spam campaigns.
- The flaw allowed anyone to add a domain to their GoDaddy account without having to validate that they were the domain’s owners. The spammers registered free accounts at GoDaddy and directed the company’s automated DNS service to allow the sending of any emails with those domains from an address controlled by the threat actors.
- KrebsonSecurity has stated that despite the fixes for this issue, the domains in the recent GandCrab campaign, reported last week by MyOnlineSecurity, all had their DNS records altered between January 31st and February 1st to allow the sending of emails from addresses associated with two ISPs identified with GoDaddy.
BEC campaign disguised as Doodle poll targets senior executives
- Discovered by GreatHorn researchers on January 31st, the business email compromise (BEC) campaign purports to be from the CEO of an organisation and claims that a planned board meeting needs to be rescheduled, requesting users to take part in a Doodle poll to set a new date.
- Once users click the link to the poll, they are redirected to a phishing site disguised as a Microsoft Outlook and Office 365 login page that steals victims’ login credentials.
- According to GreatHorn, the campaign remains active and users are advised to be on the lookout for emails with the subject line ‘New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)’.
South Korean bus apps discovered dropping malware
- McAfee has detected new malicious Android apps posing as plugins for a series of South Korean transportation applications. The applications include services such as Naver, KakaoTalk, Daum and SKT.
- When installed, the malicious app downloads an additional payload from hacked web servers that includes a fake plugin. After the fake plugin is downloaded and installed, it installs a trojan on the device that attempts to trick users into inputting their Google account password to completely take control of the device.
- The malware uses the native library to take over the device and then deletes the library to avoid detection. Three of the apps have been available on Google Play since 2013, and one from 2017, though all have now been removed.
Threat actors advertise access to websites of media organizations on the dark web
- Sixgill researchers detected that hackers are increasingly advertising stolen credentials to websites of news outlets on the dark web.
- One of the offers was found to be for the access to 1,400 US magazines, while another was found to be for access to a major Southeast Asian news wire.
- Although there is currently no evidence of the offers being legitimate, the access to news websites could potentially allow malicious actors to edit articles, spread disinformation or plant malware on the affected sites.
Phishing campaign targets Office 365 users
- Researchers at Kaspersky Lab have stated that the phishing campaign, dubbed PhishPoint, has been going on since summer 2018 and involves hackers tricking employees into sharing their Office 365 credentials.
- The phishing email does link to a legitimate document in OneDrive for Business, but the ‘Access Document’ link at the bottom of the email links to a third-party site, masquerading as an access request. Once the user enters their credentials to this phishing page, an attacker will retrieve them and leverage them to perform malicious actions.
CoAP used for DDoS amplification
- Netscout has warned that the Constrained Application Protocol (CoAP) is being used by attackers for the amplification of distributed denial-of-service attacks. The attacks are hitting targets that are ‘geographically and logically well distributed, with little commonality between them.’ The attacks have around 100 packets a second, and last around 90 seconds overall.
- Around 388,344 CoAP devices have been found on the Internet, with 81% of these located in China and others in Brazil, Morocco, the US and South Korea.
Leaks and Breaches
Huddle House restaurant chain discloses point-of-sale data breach
- According to Huddle House’s official statement, threat actors compromised a third-party point-of-sale (POS) vendor’s data system and exploited the vendor’s assistance tools to gain remote access to some of Huddle House’s corporate and franchisees’ POS systems.
- Customers who have used a payment card at a Huddle House location between August 1st, 2017 and February 1st, 2019 may have been affected. Information including cardholder names, credit and debit card numbers, expiration dates, CVVs and service codes may have been breached.
European Commission recalls ENOX children’s smartwatches
- Safe-KID-One watches made by German firm ENOX were recalled following reports that they do not comply with the Radio Equipment Directive and pose serious risks to their users.
- The mobile application accompanying the watch was found to use unencrypted communication with its backend server, enabling unauthenticated access to data. This data includes location history, phone numbers or serial numbers, which could be retrieved and altered.
- Moreover, a malicious actor could send commands to any watch and force it to call a number of their choosing, communicate with the child wearing the device, or locate the child using GPS.
Crosby Independent School District hit by ransomware
- It is believed no data has been compromised in the ransomware attack that affected the Texas school district’s IT systems.
Hackers steal card details of thousands of Great British Florist customers
- The UK commerce site said that credit card details were most likely scraped when entered into online payment forms. Great British Florist was alerted to the breach on January 30th after customers’ card details were used in fraudulent payments.
- The firm previously detected the presence of malware on its website in early December 2018 and believes it was re-infected soon after.
Roper St Francis Healthcare hit by cyber attack
- The breach notification stated that someone gained access to thirteen employee emails between November 15th and December 1st, 2018. Some patient information could have been in those emails, including names, dates of birth and medical information pertaining to care at Roper St Francis.
Severe vulnerabilities discovered in Tightrope Media Systems’ digital signage software
- The flaws discovered by security researcher Drew Green are the result of the use of a default administrator password, a bug tracked as CVE-2018-18929. After gaining access to the web interface, Green found online references to an arbitrary file read (LFI) vulnerability, tracked as CVE-2018-14573, in the software’s RenderingFetch API function.
- Another flaw, tracked as CVE-2018-18931, was found and permitted the researcher to escalate privileges on a user account to a local administrator.
Vulnerability discovered in Ubiquiti devices
- Nearly half a million Ubiquiti devices may be affected by the vulnerability, which is being actively exploited in the wild. The vulnerability is a denial-of-service issue that is being targeted by attackers via a discovery service on UDP port 10001. When exploited, it leaves the devices inoperable until they are rebooted.
- Security firm Rapid7 have revealed that they have been monitoring suspicious port 10001 traffic for at least a year. Ubiquiti are aware of the issue and are currently working on a firmware update.
UK Student Loans Company (SLC) hit by almost 1 million cyber attacks in the last year
- Following a request for information by the think tank Parliament Street, it was revealed that the organisation was hit by 965,639 separate attacks in the 2017/18 financial year. The attempted attacks included SQLi attempts.
- Further to this, SLC also defended against 323 malware attempts and 235 malicious emails and calls. 127 of these were not blocked and were therefore treated as ‘incidents’; however, only one attack resulted in an actual breach, in which the SLC website was infected with Monero cryptocurrency mining malware via a third-party plugin.
Chinese software manager exploits ATM loophole to steal $1 million
- Qin Qisheng was employed in Huaxia Bank’s software and technology development centre and discovered a flaw in the bank’s ATM system that allowed him to make unrecorded ATM withdrawals around midnight.
- Qin developed a number of scripts that allowed him to make regular withdrawals and send them to his bank account. Despite claiming he was simply performing ‘internal security tests’, Qin was sentenced to ten and a half years in prison in December 2018.
Palo Alto Networks release all IOCs associated with APT10
- Palo Alto Networks’ Unit 42 published all Indicators of Compromise (IOCs) associated with APT10 alongside details of relevant malware and attack infrastructure.
- This follows the US Department of Justice’s indictment of two individuals, believed to be members of APT10, on December 20th, 2018, on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft.
- The charges are brought forward from evidence based on Operation Cloud Hopper, a lengthy campaign that began in 2014 and targeted Managed Security Providers (MSPs) to steal intellectual property and leverage networks for further attacks.
Hacker responsible for theft of $5 million through SIM swapping sentenced to 10 years in prison
- 20-year-old Joel Ortiz pleaded guilty in Santa Clara County to stealing over $5 million in cryptocurrency after hijacking the phone numbers of roughly 40 individuals. Californian authorities believe Ortiz is the first person ever to be convicted of SIM swapping.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.