Threat Reports

Silobreaker Daily Cyber Digest – 05 June 2019

 

Malware

New adware BeiTaAd discovered hidden in app store

  • BeiTaAd is an advertising plugin that is well obfuscated and was found hidden in several popular applications in the Google Play Store. The plugin forces the display of ads on lock screens, triggers video and audio advertisements and displays out-of-app ads that affect the user’s interaction with other apps on their device.
  • Lookout discovered 238 unique applications that include the plugin in the Google Play store. The affected apps were installed over 440 million times. BeiTaPlugin has now been removed from the store.

Source

 

New ‘aggressive’ malware hijacks macOS Mojave users’ browser sessions

  • AiroAV Labs researchers discovered a strain of ‘extremely aggressive’ malware that contains a new method for hijacking browsers by installing a man-in-the-middle (MITM) proxy.
  • The malware masquerades as an installer for an Adobe Flash plugin. The fake installer asks victims to input their macOS account username and password, which it uses to install a local web proxy and configure the system so that all web browser requests are routed through it.
  • A root security certificate is also added to the Mac’s keychain, permitting the proxy to generate SSL/TLS certificates for requested websites. This allows the attackers to potentially intercept and tamper with encrypted HTTPS traffic.
  • When a user runs a Google search on a compromised device, the local proxy will also inject the Google results page with an HTML iframe containing Bing results for the same query. It is suspected the Bing results generate revenue for the perpetrators.

Source 1 Source 2

 

Highly targeted ‘Frankenstein’ campaign attempts to deliver malware to users

  • Researches at Cisco Talos observed a campaign running between January and April 2019, attempting to install malware on users’ machines via highly personalized malicious Microsoft Word documents.
  • The first vector relies on a trojanized document to fetch a remote template, and then uses an unknown exploit. The second vector uses a trojanized document that prompts the victim to enable macros and run a visual basic script, which checks if specific applications are running on the targeted machine.
  • Once evasion checks are complete MSBuild is used to execute an actor-created file containing a stager that is able to communicate with the C2 to trigger the launch of Powershell Empire agent, which looks for specific personal information.
  • The campaign has been dubbed the ‘Frankenstein’ campaign as the threat actors behind the attack have utilized four different open source techniques to construct the tools used in the attack. Researchers believe that the actors behind the campaign are moderately sophisticated and highly resourceful.

Source (Includes IOCs)

 

Cylance Threat Research Team publish technical analysis of AZORult infostealer malware

  • AZORult malware is an information stealer which exfiltrates browsing history, cookies, ID/passwords, cryptocurrency information, and more.
  • The malware commonly infects users systems via exploit kits or emails, and can also be downloaded via other malware families such as Ramnit and Emotet.  Although primarily an information stealer, AZORult can also be customized to download and run additional payloads such as banking trojans.
  • Researchers also discovered a builder website and administrator panels which allowed for attack customisation. A description of the malware, which listed several improvements, was written in Russian.

Source (Includes IOCs)

 

Ongoing Campaigns

Magecart skimmers discovered on Amazon CloudFront CDN

  • Malwarebytes Labs reported that they observed JavaScript libraries injected with web skimmers on the Content Delivery Network (CDN) Amazon CloudFront. The skimmers are reportedly a continuation of a campaign undertaken by Magecart threat actors attempting to widen their attack surface to include different CDNs.
  • One example shows a skimmer that has been appended to the original code and used obfuscation to conceal itself in a JavaScript library hosted on an AWS S3 bucket. A second example demonstrates that the skimmer was injected into several libraries contained within the same directory. A final example showed a skimmer injected in various scripts loaded from a custom CloudFront URL.

Source (Includes IOCs)

 

German users of Windows 10 targeted by adverts that blockers fail to stop

  • German users of Windows 10 are reporting instances of their browser’s opening to sites pushing tech support scams, sweepstake surveys and prize wheels. The issue affected users of Microsoft News, Microsoft Jigsaw, and other Microsoft Advertising supported apps.
  • The issue is caused by scammers purchasing ad campaigns in the Microsoft Advertising network, that use JavaScript to launch scam sites automatically launch sites in a new window.
  • Due to the ads being displayed because of ad-supported apps, any ad blockers installed will not stop the pages loading.

Source

 

Leaks and Breaches

11 million photographs leaked in exposed database

  • The photographs were exposed after the Theta360 photo sharing system run by Ricoh was breached. Some of the photos exposed were ones that users had requested to keep private.
  • Usernames, captions, users’ names and each photo’s universal unique identifier were also exposed in the leak. The data was accessible between 14th and 16th May.

Source

 

LabCorp’s client data exposed by billing provider

  • LabCorp is among the companies affected by American Medical Collection Agency’s (AMCA) data breach that took place between August 1st, 2018 and March 30th, 2019. The breach exposed the personal and financial data of 7.7 million LabCorp clients.
  • Potentially exposed data includes clients’ first and last names, dates of birth, addresses, phone numbers, dates of service, medical providers and balance information.

Source

 

Dating app JCrush exposes sensitive user data

  • Noam Rotem and Ran Locar of the vpnMentor research team discovered a publicly available Mongo database belonging to the dating app JCrush on May 30th, 2019. The database has since been secured.
  • The database contained 18,454 GB of unencrypted records, including private correspondence between users, which revealed personally identifying information. The exposed data also included full profiles and photos, private media, Facebook profiles and tokens, and more.

Source

 

Vulnerabilities

Chrome 75 is released to the Stable desktop channel fixing 42 flaws

  • Out of the 42 security fixes that come with Chrome 75.0.3770.80, two of them were considered high severity. CVE-2019-5828 is a use-after-free flaw in ServiceWorker and CVE-2019-5829 is a use-after-free flaw in Download manager.

Source

 

Remote Desktop zero-day flaw allows attackers to hijack sessions

  • The zero-day flaw, tracked as CVE-2019-9510, could allow a threat actor to hijack existing Remote Desktop Services sessions to gain access to a computer. The flaw could be exploited to bypass the lock screen on a Windows machine, even if the machine has two factor authentication mechanisms.

Source

 

Privilege escalation vulnerability discovered in Rapid7 InsightIDR

  • Researcher Florian Bogner found a local privilege escalation flaw, tracked as CVE-2019-5629, in Rapid7’s InsightIDR intruder analytics solution. The vulnerability has since been patched.
  • The flaw is related to ir_agent, a Windows service associated with InsightIDR. A potential attacker would require non-administrator privileges to the targeted system and could exploit the flaw to obtain full SYSTEM-level access to the device.

Source

 

Hackers reveal tools capable of bypassing two-factor authentication

  • Security researchers Michele Orru and Giuseppe Trotta demonstrated how an automated phishing attack can be used to bypass two-factor authentication (2FA) in a recently published video on GitHub. The attack was first demonstrated during a presentation at the Hack in the Box Security Conference in Amsterdam in May 2019.
  • During the video, the two tools Muraena and NecroBrowser work together to automate the attack. Muraena acts as a proxy between the victim and the legitimate website, prompting users to enter their login credentials, including their 2FA code. Once Muraena authenticates the session’s cookie, NecroBrowser takes over and can create windows to track private accounts of thousands of victims.

Source

 

Nginx flaw vulnerable to Remote code execution

  • Researcher Alisa Esage reported that there is at least one remote code execution flaw in Nginx nJS.  The vulnerabilities have been described as an array overflow and an integer overflow.
  • Esage disclosed the vulnerabilities via trend Micro’s Zero Day Initiative (ZDI) disclosure platform.

Source

 

Android devices targeted with malicious programs distributed via Google Play

  • Researchers at Dr. Web observed malware targeting Android devices throughout May, 2019.  These included Android.SmsSpy(.)10206 and Android.SmsSpy(.)10203, which are both spyware trojans from the Android.SmsSpy(.) family.
  • The trojans are disguised as banking software and download via Google Play, once downloaded the malware attempts to assign itself as the default SMS manager. If permission is granted by the user, all incoming text messages can be transferred to the attacker’s server.
  • Researchers also discovered the Android.HiddenAds(.)1396 trojan on Google Play which displayed advertising banners that made operating the phone difficult.

Source

 

FireEye researchers publish analysis of Component Object Models (COM)

  • FireEye researchers observed that COM objects can be used to allow task scheduling, command execution and fileless download and execute.
  • COM objects can be used by malicious actors to perform lateral movements which defeat detection methods such as command line arguments, PowerShell logging and heuristic detections.

Source

 

Stolen Weare Police Department data for sale on the dark web

  • The Weare Police department disclosed that they were the victim of a malware attack launched between 6th March to the 13th March, 2017.
  • The department were informed of the attack after analysts at Wapack Labs found confidential data in January 2018.
  • The confidential data, which was being sold for 1 bitcoin, included files labeled ‘sex offender registration’, ‘payroll’ and ‘Chief Kelly employment agreement’.

Source

 

General News

Flashpoint report that cyber criminals are continuing to target online gambling platforms

  • Flashpoint reported that it is likely that the growth of the online gambling will encourage cybercriminals to target the industry in the coming years.
  • Threats facing this industry include cash out schemes, fraudulent account creation, partnerkas and traffic arbitrage, attempts to bypass security controls and DDoS attacks.

Source

 

Researcher creates module for BlueKeep flaw

  • The module, which has been kept private for now, is a Metasploit penetration testing framework that exploits the critical BlueKeep flaw, also tracked as CVE-2019-0708.  The developer, ‘Zǝɹosum0x0’, published a video demonstrating a successful exploitation of Windows 2008, showing the extraction of login credentials using Mimikatz and gaining full control of the machine.
  • The exploit works for Windows 7 and Server 2008 and has not been released due to the remaining vulnerability of unpatched machines.

Source

 

Australian police raid home of journalist who reported on government plan to spy on citizens

  • Journalist Annika Smethurst’s home was raided as part of an ‘investigation into alleged unauthorised disclosure of national security information.’
  • In April 2018, the journalist reported that Australian home affairs and defence ministries had prepared a plan that would enable the Australian Signals Directorate to secretly access emails, bank accounts and text messages of Australian citizens. Under existing law, this access was only granted to the Australian Federal Police and the Australian Security Intelligence Organisation.

Source

 

Russian internet firm Yandex under pressure to hand over encryption keys

  • Yandex has reportedly been asked by the intelligence agency FSB to hand over encryption keys to its email and file hosting services. The company has stated that concerns over national security should not infringe on user privacy.
  • The request follows the implementation of the 2016 law that requires data to be shared with Russian authorities if requested. Yandex has so far been unwilling to cooperate.

Source

 

Analysis of Carbanak attack on East European bank in 2018 offers new insights

  • According to Bitdefender researchers, it only took the Carbanak group two hours from initial compromise to fully established foothold in their attack on an East European bank in March 2018. The Carbanak campaign was first discovered in 2014 and managed to compromise 100 banks in 40 countries, stealing up to $1 billion.
  • Carbanak started the attack on the East European bank with multiple spearphishing campaigns to download malicious payloads, one of which was Cobalt Strike, a tool specific to Carbanak. This allowed the attackers to map the organisation’s internal network and discover admin-level credentials, enabling them to move across the network unnoticed and manipulate and withdraw funds from bank’s ATMs.

Source

 

Assange will not face charges for publishing Vault 7

  • The Justice Department has reported that Assange will not be indicted for his part in the release of the CIA’s Vault 7 hacking tools because it would require revealing information that could compromise intelligence agencies’ activities.
  • Assange was prosecuted by the government under the Espionage Act, which caused controversy, however, the charges for exposing the CIA’s hacking tools were thought to be conclusive.

Source

 

Former employee sues Citrix over failure to secure personal information and inform of breach

  • The plaintiff, Lindsey Howard, filed a class action lawsuit based on Citrix’s failure to protect employees PII data after collecting it as an employment condition and failing to inform employees of the data breach in a timely fashion.  
  • The data breach occurred between 13th October, 2018 and 8th March, 2019, during which time attackers used password spraying to access files which contained details of employees and in some cases beneficiaries or dependants. The data included, names, Social Security Numbers and financial information.
  • Class members assert that Citrix had inadequate monitoring in place which led to the FBI informing the company that their network had been breached.

Source

 

Kenyan Government websites targeted by the ‘Kurd Electronic Team’

  • The targeted websites included those for the National Youth Service, Department of Petroleum, Integrated Financial Management System, and more.
  • The so called, ‘Kurd Electronic Team’ defaced the websites with the logo of the group and disabled website functionality.

Source

 

Nearly half of phishing attacks are polymorphic

  • Research published by IRONSCALES showed that nearly half of phishing attacks were polymorphic, meaning that attackers implemented slight changes to an email’s content, copy, subject line, sender name or template, to trick signature-based email security tools.
  • IRONSCALES previously published research that found secure email gateways (SEGs) failed to stop 99.5% of non-trivial email spoofing attacks. Common spoofing techniques included sender name impersonation and domain look-alike attacks.

Source

 

Ex-NSA hacker offers free spear phishing protection to 2020 Presidential campaigns

  • Oren Falkowitz, ex-NSA hacker and founder of Area 1, offered the company’s security software for free to 2020 Presidential campaigns. Falkowitz cited the prohibitive cost of cyber security products as a motivating factor in his offer.
  • The Federal Election Commission (FEC) used a draft notice on 4th, June, 2019 that recommended that the commission vote against Area 1’s offer on the grounds that providing free product to a political campaign can be counted as corporate campaign contributions.

Source

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 17 June 2019

      Malware New variant of Houdini Worm discovered Researchers at Cofense discovered a new variant of the Houdini Worm which targets commercial banking customers....
  • Silobreaker Daily Cyber Digest – 14 June 2019

      Ongoing Campaigns Trend Micro discover new campaign using NSA leaked tools to deliver cryptominers Trend Micro researchers discovered an ongoing cryptojacking campaign infecting...
  • Silobreaker Daily Cyber Digest – 13 June 2019

    Malware Palo Alto’s Unit 42 report on evolving Hide ‘N Seek botnet Unit 42 have discovered a variant of the Hide ‘N Seek botnet...
View all News

Request a demo

Get in touch