Silobreaker Daily Cyber Digest – 06 August 2019
New version of MegaCortex now self-executes
- iDefense engineers analysed a new version of MegaCortex and found that the authors redesigned the malware to self-execute and have also removed the password that was previously required to install it. Anti-analysis features were also incorporated in the main malware module, as well as the capability to stop numerous security products and services.
- The original version of MegaCortex used a custom password, only available during infection, to protect its main payload, which made it difficult to analyse. However, this feature also prevented the malware from being widely distributed. The researchers believe the features in the new version could potentially lead to an increase in MegaCortex distribution.
- MegaCortex has been used in targeted, post-exploitation attacks, with ransom demands of between 2 and 600 Bitcoins, equivalent to roughly $20,000 to $5.8 million.
Cofense releases database of 200 million compromised accounts being targeted in sextortion scam
- In June 2019, researchers at Cofense discovered a ‘for rent’ botnet that was being used to conduct an extensive sextortion scam. The botnet reuses old credentials, some at least 10 years old, in an effort to make the scam appear legitimate.
Botnet targets FiberHome routers
- Netlab 360 researchers discovered an IoT botnet, dubbed Gwmndy, targeting FiberHome AN5506 routers in Thailand and the Philippines. The botnet turns the routers into SSH tunnelling proxy nodes and starts a SOCKS5 proxy service on each device.
- Rather than seeking to infect as many victims as possible, the botnet stopped looking for new hosts after infecting a total of 200. It has also not engaged in the activities botnets typically perform, such as DDoS, cryptojacking, spamming or information stealing.
- It is unclear how the Gwmndy malware initially spread; however, some FiberHome router web interfaces are known to have weak passwords and RCE vulnerabilities.
Source (Includes IOCs)
Machete malware used in new cyberespionage operation
- ESET researchers uncovered a new cyberespionage operation using the most recent version of Machete malware. During 2019, the malware has been used to target the education, police, military and foreign affairs sectors in Venezuela, Colombia, Nicaragua, and Ecuador. More than half of the compromised devices belonged to the Venezuelan armed forces.
- Machete is installed on victims’ devices through spear phishing emails which include malicious documents that link to, or attach, a compressed self-extracting archive.
- As the threat actor is interested in obtaining specific files from its victims, the malware is designed to exfiltrate common office suite documents, specialised file types used by geographic information systems software, cryptographic keys, and more. The malware can also log keystrokes, take screenshots, access the clipboard, detect newly inserted drives and copy files from them, and more.
Source (Includes IOCs)
New Trickbot variant harvests credentials and drops a proxy module
- The spam campaign distributes emails pretending to be a subscription notification involving advertising. The attached Microsoft Word document carries the malicious JavaScript hidden in the document body itself rather than in a macro.
- As seen previously, Trickbot then gathers system information. However, this variant also harvests application credentials and browser credentials. It also deletes certain files in removable and network drives, replacing them with a copy of the malware.
- The variant also drops a proxy module to create fraudulent bank transactions. According to security researcher Brad Duncan, the module shares similarities with IcedID, a banking trojan that redirects victims to fake online banking sites.
Source (Includes IOCs)
Russian APT Strontium targets IoT devices to gain network access
- In April 2019, Microsoft Threat Intelligence Center researchers discovered that the Russian APT Strontium was attempting to compromise IoT devices to gain network access. The group targeted popular products such as a VoIP phone, office printers and video decoders.
- On three occasions Strontium gained access to corporate networks. In two instances access was gained through devices that still used the manufacturer’s default password; in the third, the device had not been updated with the latest security patch.
- Following the compromise of the IoT devices, the attackers ran tcpdump to capture network traffic on local subnets and dropped simple shell scripts to maintain persistence as they moved across the network. By moving through the network, the attackers were able to gain access to higher-privilege accounts and more sensitive data.
- The researchers reported that in the last 12 months Microsoft delivered 1,400 notifications to users who have been compromised or targeted by the group. Strontium targets entities worldwide, with 20% of attacks directed against non-governmental organisations, think-tanks, or politically affiliated groups. The other 80% of attacks are primarily made against targets in the IT, military, defence, engineering, and government sectors.
Source (Includes IOCs)
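The two root causes above (a factory default password, a missing patch) and the two post-compromise behaviours (tcpdump on a phone or printer, a dropped shell script hooked into boot or cron) are all things a defender can look for. The following Python is an added example, not code from the Microsoft report: it correlates a hypothetical asset inventory with constructed syslog-style lines from the devices and returns findings for each condition, plus the source addresses that logged into more than one device. The inventory fields, the log format, the sample lines and the persistence paths are all assumptions made for the example.

```python
"""Added example (not from the Microsoft report): flag logins to exposed IoT
devices, packet capture on them, and persistence writes, from constructed logs."""
import re
from dataclasses import dataclass

# Hypothetical asset inventory, as a configuration audit would produce it.
INVENTORY = {
    "voip-01":    {"class": "voip-phone",    "default_creds": True,  "fw": "2.1", "latest": "2.1"},
    "printer-03": {"class": "printer",       "default_creds": False, "fw": "1.4", "latest": "1.6"},
    "decoder-02": {"class": "video-decoder", "default_creds": False, "fw": "3.0", "latest": "3.0"},
}

# Constructed syslog-style lines in the form "<host> <message>".
SAMPLE_LOG = """\
voip-01 login ok user=admin from=10.10.4.23
voip-01 exec tcpdump -i eth0 -w /tmp/.c.pcap
voip-01 exec sh -c 'echo /tmp/.s.sh >> /etc/rc.local'
printer-03 login ok user=admin from=10.10.4.23
printer-03 exec sh -c 'echo "* * * * * /tmp/.s.sh" >> /var/spool/cron/root'
decoder-02 login ok user=operator from=10.10.9.7
decoder-02 exec ls /var/log""".splitlines()

LOGIN_RE = re.compile(r"^login ok user=(?P<user>\S+) from=(?P<src>\S+)$")
EXEC_RE = re.compile(r"^exec (?P<cmd>.+)$")
# Locations a dropped shell script would be hooked into to survive a reboot (assumed list).
PERSIST_RE = re.compile(r"(?:rc\.local|/etc/init\.d/|/etc/cron|/var/spool/cron|\.profile)")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def exposure(asset):
    """Return why a device is exploitable: default password and/or missing patch."""
    reasons = []
    if asset["default_creds"]:
        reasons.append("default-credentials")
    if asset["fw"] != asset["latest"]:
        reasons.append(f"unpatched({asset['fw']}<{asset['latest']})")
    return reasons


def detect(lines, inventory):
    findings = []
    for line in lines:
        host, _, msg = line.partition(" ")
        m = LOGIN_RE.match(msg)
        if m:
            asset = inventory.get(host)
            # A login matters here if the device is exposed, or is unknown to the inventory.
            for reason in (exposure(asset) if asset else ["not-in-inventory"]):
                findings.append(Finding(host, "login-on-exposed-device",
                                        f"{m['user']} from {m['src']}: {reason}"))
            continue
        m = EXEC_RE.match(msg)
        if not m:
            continue
        cmd = m["cmd"]
        if cmd.split()[0] == "tcpdump":          # sniffing the local subnet from an IoT box
            findings.append(Finding(host, "packet-capture", cmd))
        if PERSIST_RE.search(cmd):               # shell script wired into boot or cron
            findings.append(Finding(host, "persistence-script", cmd))
    return findings


def shared_login_sources(lines):
    """Source addresses that logged into more than one device: a lateral-movement signal."""
    hosts_by_src = {}
    for line in lines:
        host, _, msg = line.partition(" ")
        m = LOGIN_RE.match(msg)
        if m:
            hosts_by_src.setdefault(m["src"], set()).add(host)
    return {src for src, hosts in hosts_by_src.items() if len(hosts) > 1}


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, INVENTORY):
        print(f"{f.host:11} {f.rule:24} {f.detail}")
    print("pivot sources:", shared_login_sources(SAMPLE_LOG))
```

On the sample data the decoder, which is patched and not on a default password, generates nothing even though it was logged into, while the phone and printer produce findings for the login, the capture and the persistence write; the single address that logged into both is reported as a pivot source. In practice the inventory would come from a configuration audit and the lines from the devices' syslog forwarding, and the persistence path list would be tuned per device class.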
New Zealand Institute of Directors’ website offline after being defaced
- The New Zealand Institute of Directors has taken its website offline after it was defaced by a hacker known as VandaTheGod. The threat actor left a generic anti-government message on the website.
- Members were asked to change their password after one of the Institute’s technology partners said that there was a small chance that a list of emails and passwords had been compromised.
- It is not known whether the threat actor mistook the Institute of Directors’ site for part of the New Zealand government website or whether the attack was simply part of its broadly targeted global campaign.
Leaks and Breaches
Monzo asks customers to change PIN after banking information left exposed to staff
- On August 2nd, 2019, Monzo discovered that user PINs were being sent to the wrong part of their internal system. This information was encrypted but was still accessible by certain staff members.
- Monzo stated that the issue was a ‘bug’ that was triggered when mobile app users entered their PIN to request a reminder of their card number or cancelled a standing order.
- The company said that about 480,000 users were impacted and instructed all customers to update their mobile app.
Phishing attack breaches data of Presbyterian Healthcare patients
- 183,000 patients of Presbyterian Healthcare Services, New Mexico, have potentially been affected by a data breach caused by a month-long phishing attack. On June 6th, 2019, staff discovered that a hacker had had access to several employee email accounts since May 9th. The accounts were secured soon after the discovery.
- Breached data included names, dates of birth, Social Security numbers, health plans, clinical information, and more. Officials stated that Presbyterian’s electronic health records and billing system was unaffected by the attack.
Vulnerabilities in Qualcomm chips allow hackers to attack Android devices
- Researchers at Tencent discovered two vulnerabilities in the WLAN firmware of Qualcomm’s Snapdragon system-on-a-chip (SoC). The flaws can be used to compromise the modem and the Android kernel over the air and can be exploited by an attacker on the same Wi-Fi network. The vulnerabilities affect any unpatched phone that runs either of the two affected SoCs.
- CVE-2019-10538 is a buffer overflow that impacts the Qualcomm WLAN component and the Android kernel. The flaw can be triggered by sending specially crafted packets to a device’s WLAN interface. An attacker who successfully exploits it can run code with kernel privileges.
- CVE-2019-10540 is also a buffer overflow, in the WLAN and modem firmware that ships with Qualcomm chips. It can be exploited by sending specially crafted packets to the device’s modem, giving the attacker code execution on the target device.
Vulnerabilities in VMware ESXi, NVIDIA Windows GPU Display Driver, Workstation and Fusion
- VMware ESXi, Workstation and Fusion are affected by an out-of-bounds vulnerability, tracked as CVE-2019-5521, that can be triggered using a specially crafted shader file. A VMware guest can use this flaw to perform a DoS attack and crash processes on the VMware host.
- If the host uses an NVIDIA graphics card, this DoS can be escalated into code execution, tracked as CVE-2019-5684, due to security flaws in NVIDIA’s Windows GPU Display Driver.
- Two further out-of-bounds vulnerabilities, also triggered by a specially crafted shader file, could lead to arbitrary code execution in the NVIDIA Windows GPU Display Driver. A comprehensive list of all the vulnerabilities is available from Cisco Talos.
ECh0raix ransomware decryptor allows victims to recover files on QNAP NAS devices
- Security researcher BloodDolly released a decryptor that allows victims infected before July 17th, 2019, to recover their QNAP NAS files. The decryptor works by brute forcing ECh0raix’s decryption key.
- ECh0raix has been active since June 2018 and has steadily infected victims for the past 14 months. The ransomware brute forces passwords and exploits vulnerabilities to gain access to a user’s device. Following compromise, it encrypts all files and demands a Bitcoin ransom in exchange for decryption.
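A decryption key can only be brute forced when its effective keyspace is small, whatever its nominal length. The following Python is an added example, not the ransomware’s code and not BloodDolly’s decryptor: a toy scheme derives its key from a Unix timestamp, so an analyst who knows roughly when a file was encrypted only has to enumerate one day’s worth of seconds rather than 2^256 keys, and a known-plaintext check on the first bytes of a file confirms each candidate. The seed-based derivation, the SHA-256 keystream cipher, the file header and the timestamps are all assumptions made for the example.

```python
"""Added example (not the ECh0raix code or the public decryptor): brute forcing a
key that is derived from a low-entropy seed, confirmed by a known-plaintext check."""
import hashlib
import itertools
import os

MAGIC = b"%PDF-"  # expected first bytes of a victim file (constructed known plaintext)


def derive_key(seed: int) -> bytes:
    # Hypothetical weak derivation: the entire 256-bit key depends on a 32-bit timestamp.
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def keystream(key: bytes, nbytes: int) -> bytes:
    # Toy CTR-style keystream built from SHA-256; stands in for a real stream cipher.
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        if len(out) >= nbytes:
            return bytes(out[:nbytes])


def crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext: bytes, window_start: int, window_end: int):
    """Try every seed in [window_start, window_end]. Return (seed, key) when the
    decrypted prefix equals MAGIC, else None. Cost is linear in the window size,
    so the window (not the key length) decides whether this is feasible."""
    head = ciphertext[:len(MAGIC)]
    for seed in range(window_start, window_end + 1):
        key = derive_key(seed)
        if crypt(key, head) == MAGIC:
            return seed, key
    return None


def demo() -> bool:
    infection_time = 1_560_000_000 + 12_345        # hypothetical encryption timestamp
    plaintext = MAGIC + b"1.7 " + os.urandom(64)   # constructed victim file
    ciphertext = crypt(derive_key(infection_time), plaintext)
    # The analyst only knows the file was encrypted some time that day: 86,401 candidates.
    day_start = 1_560_000_000
    found = brute_force(ciphertext, day_start, day_start + 86_400)
    if found is None:
        return False
    seed, key = found
    return seed == infection_time and crypt(key, ciphertext) == plaintext


if __name__ == "__main__":
    print("recovered:", demo())
```

The search recovers the key in well under a second because the seed space is 86,401 values; had the key been drawn from a cryptographically secure random source, the same loop would be hopeless. That gap, between the nominal key size and the entropy actually fed into it, is what any key-recovery decryptor of this kind relies on.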
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.