Silobreaker Daily Cyber Digest – 06 June 2019
Fake trading site pushes crypto-stealing malware
- Malware researcher Fumiko_ discovered that malware distributors have created a copy of the Cryptohopper trading platform’s website. Visitors to the site will automatically download the Vidar Trojan, which masquerades as a ‘Setup.exe’ executable with the Cryptohopper logo.
- Upon execution, Vidar will download a set of libraries and install two Qulab Trojans – one which mines cryptocurrency, and one which acts as a clipboard hijacker. Persistence is achieved via a scheduled task that launches the Trojans every minute.
- The clipboard hijacker can recognise ten different currencies and substitutes the malware author’s wallet addresses for the intended recipient’s. Vidar will steal information including browser cookies and history, saved login credentials, text files and form autofill data.
RIG exploit kit infecting victims with Buran ransomware variant
- Researcher nao_sec observed a malvertising campaign that redirects users to the RIG exploit kit, which then drops Buran ransomware. Buran is a variant of the Vega ransomware, which ESET previously observed being delivered via Russian malvertising campaigns.
- The encryption process is largely shared between Buran and Vega, with only a few minor changes. At present, there is no known way to decrypt Buran ransomware free of charge.
Source (Contains IOCs)
Cofense Intelligence observes campaign targeting Windows 10
- Cofense Intelligence recently observed a new campaign targeting Windows 10 operating systems running the Windows Anti-malware Scan Interface (AMSI).
- Phishing emails containing a Microsoft Excel Worksheet with a Word macro are the infection vector. They deliver the FormGrabber keylogger via a PowerShell script and multiple layers of compilation and encryption, allowing attackers to bypass AMSI. Once AMSI is disabled, explicitly malicious code is loaded. A patch for the AMSI bypass already exists.
PCASTLE malware re-targets China with new propagation techniques
- Trend Micro researchers noted an uptick in attacks targeting Chinese systems and leveraging an obfuscated PowerShell script named PCASTLE to deliver cryptomining malware. The attacks began on May 17, 2019 and have continued since.
- The campaign uses several propagation methods, a multilayered approach, and executes payloads in memory only. Malicious routines include brute-forcing, pass-the-hash and the EternalBlue SMB exploit. XMRig is the miner module.
- Although a previous, similar campaign spread beyond China to target Japan, Australia, Taiwan, Vietnam, Hong Kong and India, 92% of detections for this campaign are in China. No specific industry appears to be targeted.
Source (Includes IOCs)
Kaspersky Lab discovers new activity by PLATINUM
- Kaspersky Lab discovered a new campaign related to the PLATINUM group after analysing samples found across South and Southeast Asian countries during June of 2018.
- Targets were diplomatic, governmental and military entities. The campaign, dubbed EasternRoppels, may have started as early as 2012, and used a backdoor with a previously unseen steganographic technique to hide C2 communications.
Source (Includes IOCs)
Scattered Canary revealed to be behind a multitude of scams
- Researchers at Agari Cyber Intelligence Division charted the rise of a Nigerian cybercriminal organization, dubbed Scattered Canary.
- Since 2008 the group has had at least 35 members and has run multiple concurrent scams, including BEC scams, romance scams, tax fraud, social security fraud, employment scams, and more.
Threats from Vietnamese hackers on the rise
- IntSights researchers reported that restrictive government legislation is increasingly pushing Vietnamese citizens to the dark web and exposing them to potential involvement in cybercrime.
- Researchers also warned of the threat posed by the so-called OceanLotus group, also known as APT32. OceanLotus is one of Asia’s most powerful cybercrime groups and often attacks foreign and domestic enemies of the Vietnamese government. Although not officially tied to the government, the group’s actions often align with those of the state.
Leaks and Breaches
EU Embassy in Moscow hacked
- A leaked document revealed that the EU Embassy in Moscow was hacked in February 2017, but the attack was only discovered in April 2019. The European External Action Service (EEAS) did not disclose the incident publicly and, according to BuzzFeed News, EU leaders and member states were not informed of the breach.
- At least two computers were compromised, however it is unclear what and how much information was stolen. Russian groups are believed to be behind the attack.
Qualys issues security alert on Exim vulnerability
- Exim is a mail transfer agent which runs on the majority of mail servers visible on the internet. Qualys discovered the remote command execution vulnerability – tracked as CVE-2019-10149 – in Exim versions 4.87 to 4.91. The issue was patched in version 4.92, but not identified as a vulnerability, meaning that many operating systems may still be affected.
- Local exploitation by an attacker present on the email server is instant, whereas remote command execution is possible if the attacker keeps a connection to the server open for seven days. The vulnerability has been named “the Return of the WIZard”, due to its similarity to the 1999 Sendmail WIZ vulnerability.
Cisco patches high-severity flaws in Network Director and Unified Presence
- CVE-2019-1861 is a remote code execution vulnerability in Cisco’s Industrial Network Director (IND). Exploitation could allow arbitrary code execution with elevated privileges. There are no workarounds available, but software updates have been issued starting with IND 1.6.0.
- CVE-2019-1845 is a flaw in the Unified Presence authentication service. It could allow an unauthenticated, remote attacker to trigger a denial of service condition for users on vulnerable servers. The vulnerability has been patched in releases X12.5.3 and later for Expressway Series and TelePresence VCS. Users of Unified Communications Manager IM&P should update to one of the versions specified by Cisco.
Researchers create novel keystroke impersonation attack
- Researchers at Ben-Gurion University of the Negev have developed an attack dubbed ‘Malboard’, whereby an attacker can impersonate the keystrokes of a victim while evading detection tools in 83-100% of cases.
- Keystrokes are injected into the target machine in the form of malicious commands, and automatically match the victim’s behavioural characteristics. The researchers developed additional detection models to account for a Malboard attack, based on power consumption, keystroke sound and the user’s response to typographical errors.
Infomir products vulnerable to Remote Code Execution
- Over a year ago, Check Point Researchers discovered a critical vulnerability in Infomir IPTV set-top boxes. Now patched, the vulnerability was located in the dedicated PHP-based Ministra client management platform which is used to communicate with the set-top boxes.
- By using an authentication bypass, an attacker could perform SQL injection on the server. Escalating the issue to an Object Injection vulnerability, an attacker could then execute code on the server which could impact the provider and also allow access to client information, such as financial details.
- Although the number of customers affected remains unknown, Check Point researchers found over 1,000 Ministra resellers around the world.
Akamai discover basic vulnerabilities in phishing kits
- After examining hundreds of phishing kits, Akamai have noted that several contain simple vulnerabilities based on poor construction and a reliance on outdated open-source code.
- Notable issues were kits that allow file uploads without checking file types, and kits with a removal script that fails to sanitise user input, allowing directory traversal. While there is no evidence of successful secondary attacks due to vulnerable phishing kits, the danger of further exploitation is a definite concern.
Source (Includes IOCs)
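The two defects Akamai describes above, unchecked upload types and an unsanitised path in a removal script, are ordinary web-application bugs, and the fixes are the same as for any file-handling code. The following is an added example (not code from Akamai, from any phishing kit, or from this digest) showing the two checks such scripts lack: an extension allowlist for uploads and a path-containment test before deleting a user-named file. The allowlist, the base directory and the sample file names are constructed for the demonstration.

```python
"""Added example: two input checks that the flawed kits described above omit.
Not code from Akamai or from any kit; the allowlist and paths are constructed."""
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumed allowlist of upload types; a real deployment chooses its own.
ALLOWED_UPLOAD_SUFFIXES = {".png", ".jpg", ".jpeg", ".pdf"}


def upload_allowed(filename: str) -> bool:
    """Return True only for a bare file name with a single allowlisted suffix.

    Rejects anything carrying a directory component, a NUL byte (which can
    truncate the name in C-based runtimes) or a second extension, so that
    'shell.php' and 'shell.php.png' are both refused.
    """
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    p = PurePosixPath(filename)
    if p.name != filename or p.name in (".", ".."):
        return False
    if len(p.suffixes) != 1:  # exactly one extension, no 'x.php.png'
        return False
    return p.suffix.lower() in ALLOWED_UPLOAD_SUFFIXES


def resolve_inside(base_dir: Path, user_path: str) -> Optional[Path]:
    """Resolve user_path against base_dir; return None if it escapes base_dir.

    Both sides are fully resolved (symlinks and '..' collapsed) before the
    containment test, so '../../etc/passwd', an absolute path and a symlink
    pointing outside the tree are all rejected. This is the check a removal
    script needs before calling unlink() on a user-supplied name.
    """
    if "\x00" in user_path:
        return None
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def safe_remove(base_dir: Path, user_path: str) -> bool:
    """Delete a file only when it resolves inside base_dir. Returns True on deletion."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


if __name__ == "__main__":
    # Constructed sample inputs; the base directory need not exist for the
    # containment check itself, only for an actual deletion.
    base = Path("/srv/upload-demo")
    for name in ("invoice.pdf", "shell.php", "shell.php.png", "../x.png", "a\x00.png"):
        print(f"upload {name!r}: {'allowed' if upload_allowed(name) else 'rejected'}")
    for rel in ("uploads/invoice.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"remove {rel!r}: {resolve_inside(base, rel)}")
```

The containment test deliberately resolves the candidate path rather than string-matching on `..`, because encoded or symlinked variants defeat a string check while a resolved path either lies under the base directory or it does not.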
Possible zero-day vulnerability discovered in iOS 13
- Cybersecurity researcher ‘iBSparkes’ may have discovered a zero-day vulnerability in the recently released beta version of Apple’s iOS 13. In a video, the researcher demonstrates how the device crashes following the launch of an application that appears to contain POC code.
Google releases security vulnerability patches for 22 CVE-listed Android flaws
- CVE-2019-2093, CVE-2019-2094 and CVE-2019-2095 are critical vulnerabilities that impacted the Media framework. The vulnerabilities could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
- CVE-2019-2097 was also listed as critical and impacted the Android System component, allowing remote attackers using a customised PAC file to execute arbitrary code within the context of a privileged process.
- Nine Qualcomm fixes were also released. CVE-2019-2269 was rated as critical and stemmed from a buffer overflow in the WLAN Host, and CVE-2019-2287 is a critical flaw in the video codec.
ESET researchers report on Wajam’s transformation into adware
- The researchers documented Wajam’s transition from a social search engine application to widespread adware. They documented the adware’s traffic injection capabilities, its gathering of users’ personal information, its pay-per-install distribution mechanism and its use of obfuscation, code protection and anti-detection techniques.
Source (Includes IOCs)
Symantec reports on Twitter bots used to amplify messages in the 2016 US presidential election
- Symantec researchers conducted an analysis of Twitter activity in the run up to the election, finding that a core group of ‘fake news’ accounts published content that was amplified by a large group of auxiliary accounts masquerading as individuals.
- Campaigns were observed on both sides of the political divide and primarily came from the more disaffected wings of each group. They were also found to be highly planned, well resourced, professional and sophisticated.
Tennessee Valley Authority not compliant with Federal Directives
- The Tennessee Valley Authority (TVA) Inspector General found that 115 TVA-registered domains did not meet the Department of Homeland Security (DHS) standards for cybersecurity, including 20 TVA websites lacking adequate encryption, which left TVA open to attacks.
UK has not made sufficient progress in National Security Strategy
- According to the UK Public Accounts Committee, this is due to a failure in developing a business case for the programme and a lack of robust evidence needed to ‘make informed decisions’.
NSA urges users to patch BlueKeep vulnerability
- In its latest Cybersecurity Advisory, the NSA urges Microsoft Windows administrators and users to patch the BlueKeep vulnerability, tracked as CVE-2019-0708. Microsoft has previously warned that this flaw is potentially ‘wormable.’
Apple ends support of SHA-1 certificates in iOS 13 and macOS 10.15
- Apple announced that HTTPS traffic using TLS certificates signed with the SHA-1 algorithm will no longer be supported and all traffic is now required to use a certificate signed with at least the SHA-2 algorithm.
Ransomware tactics refined as criminals adopt targeted approach
- Researchers at Trend Micro observed ransomware campaigns decreasing in number from over 1 billion overall threats in 2016 to 55,470,005 in 2018. This change is brought about by the more targeted approach that criminals have adopted as they aim for high value targets.
- However, ransomware is on the rise in 2019 with 40,916,812 threats detected from January to April. Researchers attribute this to a possible growing effectiveness in infecting endpoints.
- Moreover, 40 new ransomware families have been detected from January to April 2019.
Russia’s Unified State Exam system suffers DDoS attacks
- According to Russia’s Federal Education and Science Supervisory Department, the country’s Unified State Exam information systems were targeted with DDoS attacks on May 31st and June 1st, 2019, with the goal of influencing the results of final exams.
- Experts managed to keep servers running despite the attacks and no organisers or graduates were affected. Attacks are expected to continue throughout the exam period.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.