Silobreaker Daily Cyber Digest – 05 September 2019

Malware

Researchers publish analysis of Winnti trojan 4.0

  • Carbon Black researchers released an analysis of the newest version of the Winnti trojan, version 4.0. Winnti was first discovered in 2011 and is known to be used by multiple Chinese threat actors, including APT41.
  • Version 4.0 was first observed in 2016. It differs from version 3.0 in that its initial component is a loader and a DAT file rather than a dropper, and in that it uses the AES encryption algorithm instead of DES.
  • The researchers found that the implementation in particular has changed from version 3.0, making acquisition of the worker code more difficult, which could explain the lack of public information on this variant. A full technical analysis is available on Carbon Black’s site.

Source (Includes IOCs)

New Android malware FunkyBot found targeting Japanese users

  • Researchers at Fortinet discovered a new Android malware family, dubbed FunkyBot, deployed by the same actors distributing Android malware FakeSpy. FakeSpy was first observed in a phishing campaign targeting Japanese service providers in 2018.
  • The researchers found multiple samples of FunkyBot that were not fully developed or lacked some functionalities, suggesting that the malware is still under development. However, they also warned that the malware should not be underestimated, as they have already observed significant improvements in only a short period of time.

Source (Includes IOCs)

Researchers analyse Sodinokibi ransomware

  • Researchers at Cybereason published an analysis of Sodinokibi ransomware, which was first discovered in late April 2019, initially exploiting vulnerabilities in servers and other critical business assets. It has since added new infection vectors, including phishing and exploit kits, and has become the 4th most common ransomware.
  • The researchers found similarities in the language, country whitelist, and URL-generation routine used by Sodinokibi and GandCrab ransomware. They also came across a ‘revengeful’ targeting of products from security vendor AhnLab, a company the GandCrab author was reportedly ‘bitter with’. These findings support previously voiced suspicions that the threat actor behind Sodinokibi is the same as the one behind GandCrab.
  • A full technical analysis is available on Cybereason’s blog.

Source (Includes IOCs)

Ongoing Campaigns

The Joker malware has over 472,000 installs from the Google Play Store

  • Researchers at CSIS identified 24 apps infected with The Joker malware on the Google Play Store, which have been collectively installed over 472,000 times. The UI of the C2 panel and some of the bot’s code comments are written in Chinese.
  • The Joker delivers a second-stage component which simulates interactions with advertising websites by performing clicks and signing victims up to subscription services. The malware also steals SMS messages, contact lists, and device information. Additional features include the ability to receive dynamic code and commands over HTTP and to run code via JavaScript-to-Java callbacks.
  • The majority of apps hosting Joker contain a list of Mobile Country Codes (MCCs); the victim must be using a SIM card from a listed country to receive the second-stage payload. The majority of targets are in the EU and Asia. Some apps will, however, target users in any country.

Source (Includes IOCs)

SMS phishing attack against Android smartphones can be performed with cheap USB modem

  • Researchers at Check Point identified an advanced phishing attack that takes advantage of over-the-air (OTA) provisioning to access Android smartphones. Vulnerable vendors include Samsung, Huawei, LG and Sony.
  • OTA provisioning is used by cellular network operators to deploy network-specific settings. The industry standard for OTA provisioning, Open Mobile Alliance Client Provisioning (OMA CP), features weak authentication, which means that an attacker can pose as a network operator. An attacker can send an OMA CP message with a GSM modem; the message is sent as a binary SMS and can be composed with a simple script or off-the-shelf software. If a target accepts the CP message, an attacker can change the victim’s MMS message server, proxy address, mail server, and more.
  • The attack is most dangerous when used against Samsung devices, as they perform no authenticity checks that an attacker would need to pass. On other affected products an attacker would need the target’s International Mobile Subscriber Identity (IMSI) number. IMSI numbers are widely available from commercial sources.
  • Check Point disclosed the issues to the affected vendors in March 2019. Samsung and LG have released fixes for the issue and Huawei plans to release a patch. Sony refused to acknowledge the issue.

Source

Glupteba operators upgrade their malware with a browser stealer component

  • Trend Micro researchers discovered a malvertising campaign that distributed the Glupteba trojan. The researchers identified two new components, a browser stealer and a router exploit, that had not previously been observed in the trojan.
  • The new browser stealer can exfiltrate browsing history, website cookies, account names, and passwords. Stolen information is then sent to a remote server. The router exploit leverages CVE-2018-14847 to target MikroTik routers in local networks. Triggering the vulnerability allows attackers to retrieve administrator credentials and configure the router as a SOCKS proxy to relay malicious traffic. The researchers also found that the malware can retrieve the latest C2 domain from Bitcoin transactions.
  • Trend Micro concluded that Glupteba still seems to be ‘evolving and adding capabilities’ and warned users and enterprises to remain vigilant.

Source (Includes IOCs)

Researchers analyse Magecart attacks

  • Trustwave researchers analysed two recently observed Magecart attacks. Magecart attacks target online shopping carts and usually involve client-side JavaScript inserted into compromised e-commerce websites.
  • The first observed attack exploited a local inclusion vulnerability in the Magento Mass Importer, using PHP scripts instead of JavaScript, to intercept sensitive data. The attackers then planted a WSO web shell to access the files and maintain persistent access.
  • The second attack targeted two online stores based in Australia by injecting JavaScript into the websites. The scripts were both externally hosted on a domain that appears to be a compromised website based in Iran. According to ESTsecurity, the domain had also previously hosted a malicious file linked to Lazarus Group.

Source (Includes IOCs)

Leaks and Breaches

Data leak exposes millions of Facebook users’ phone numbers

  • Security researcher Sanyam Jain discovered an unprotected server containing 419 million records across multiple databases, exposing Facebook IDs and users’ phone numbers. Some records also contained usernames, gender and location by country.
  • According to Facebook spokesperson Jay Nancarrow, many of these records are duplicates and the actual number of affected accounts is about half of that figure. Phone numbers have not been public on Facebook since April 2018 and, according to Nancarrow, the data included in the databases appears to have been scraped before this change in policy.
  • It remains unclear who the server belonged to or when and why the data was scraped. The databases have since been taken offline and no evidence that Facebook accounts have been compromised was found.

Source 1 Source 2

Vulnerabilities

Critical vulnerabilities found in EZAutomation software

  • The two high-severity vulnerabilities could be exploited for remote code execution. The first vulnerability, tracked as CVE-2019-13518, is a stack-based buffer overflow that affects versions 2.1.0 and prior of the human-machine interface EZTouch Editor.
  • The second is a memory corruption flaw in its EZPLC Editor. The vulnerability, tracked as CVE-2019-13522, affects versions 1.8.41 and prior and could also allow arbitrary code execution.
  • According to CISA, the company has since provided updates; however, they do not appear to be available for download at present.

Source

Blynk-Library impacted by information disclosure vulnerability

  • Researchers at Cisco Talos identified the vulnerability, tracked as CVE-2019-5065, in Blynk-Library v0.6.1. The vulnerability exists in the packet parsing functionality of the Blynk-Library and can be triggered with a specially crafted packet. Successful exploitation can result in information disclosure.

Source

Year-old Samba vulnerability allows attackers to escape share root directory

  • Researcher Stefan Metzmacher and the Samba Team identified the vulnerability in Samba 4.9.0, which was disclosed on September 13th, 2018.
  • The flaw, tracked as CVE-2019-10197, is exploitable if the ‘wide links’ option is set to ‘yes’, if ‘unix extensions’ is set to ‘no’, or if ‘allow insecure wide links’ is set to ‘yes’. The vulnerability is caused by a failure to reset the cache that tracks successful directory changes. Successful exploitation could allow an attacker to bypass file-sharing permissions and escape the share root directory.
  • Samba has patched the issue in Samba versions 4.9.13 and 4.10.8. Additionally, the vulnerability is fixed in Samba 4.11.0 RC3.
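As an added example (not from the digest or the Samba project), a small Python check that reads an smb.conf-style text and lists the shares on which the option combination described above is in effect. It assumes Samba's documented interaction between the options: a share's 'wide links' is honoured only when 'unix extensions = no' or when 'allow insecure wide links = yes', a per-share 'wide links' overrides the [global] value, and the sample configuration is constructed.

```python
import configparser

# Constructed smb.conf, not taken from any real host: the [global] settings
# the digest names as exploitable, with a per-share override on one share.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    unix extensions = no    ; client-side UNIX extensions switched off
    wide links = yes
[public]
    path = /srv/public
[secure]
    path = /srv/secure
    wide links = no         # per-share setting overrides [global]
"""

TRUE_VALUES = {"yes", "true", "1"}

def _norm(name):
    # Samba matches option names ignoring case and whitespace.
    return name.replace(" ", "").lower()

def _flag(section, option, default):
    value = section.get(_norm(option))
    return default if value is None else value.strip().lower() in TRUE_VALUES

def parse_smb_conf(text):
    # Dedent first: configparser would otherwise read indented lines as
    # continuations of the previous value rather than as new options.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(strict=False, comment_prefixes=("#", ";"),
                                      inline_comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    cp.read_string(flat)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}

def exposed_shares(text):
    """Shares on which 'wide links' is effectively enabled (CVE-2019-10197 precondition)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    unix_ext = _flag(g, "unix extensions", True)             # Samba default: yes
    insecure = _flag(g, "allow insecure wide links", False)  # Samba default: no
    wide_default = _flag(g, "wide links", False)             # Samba default: no
    exposed = []
    for name, share in conf.items():
        if name == "global":
            continue
        # Assumed Samba semantics: wide links take effect only when unix
        # extensions are off, or when the insecure override is set.
        if _flag(share, "wide links", wide_default) and (not unix_ext or insecure):
            exposed.append(name)
    return exposed
```

Running exposed_shares over the output of 'testparm -s' on a host shows which shares would need the patched versions named above.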

Source

Android patch resolves critical vulnerabilities but not zero-day flaw

  • On September 3rd, 2019, Google released its monthly security patch for Android devices. The patch resolved two critical vulnerabilities, tracked as CVE-2019-2176 and CVE-2019-2108, in the Media Framework. The vulnerabilities could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
  • The security patch did not address a vulnerability that allows privileges to be escalated to kernel level. The vulnerability is classed as a high-severity zero-day and exists in the driver for the Video For Linux 2 (V4L2) interface.
  • The flaw was discovered by Trend Micro researchers and reported to Google through the Zero Day Initiative program. Google acknowledged the issue but has not provided a date for delivering a patch.

Source 1 Source 2

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
