Silobreaker Daily Cyber Digest – 06 November 2019
Malicious Wi-Fi hotspots discovered around Westminster
- According to the New Statesman, a survey by Zimperium found that at least 1,569 malicious Wi-Fi hotspots have been operating in London from August 2018 to August 2019, with the majority in the city’s busiest parts, such as Oxford Street, Regent Street and Tottenham Court Road, as well as Piccadilly Circus, Leicester Square and Trafalgar Square.
- A cluster of them were also found near the Palace of Westminster and areas where many MPs have their offices. Security experts have warned that this leaves MPs at a higher risk of cyberattacks. The survey’s findings do not suggest any particular individuals were targeted, nor were any attempted breaches successful.
Italian hacktivists target multiple websites as part of Million Mask March
- As part of the annual November 5th Million Mask March, also known as Operation Vendetta, Italy’s Anonymous branch claims to have hacked a number of websites, including those of the Chamber of Deputies, the Prefecture of Naples, the order of the lawyers of Arezzo, Grosseto and Perugia, the Regional Environmental Protection Agencies of Abruzzo and Puglia, and more.
- Additionally, LulzSecITA hacked the Italian site of Lycamobile, stole 5.4GB of documents and leaked ID cards, passports, driving licenses, telephone records, and credit card data. The authenticity of the data has not been confirmed. The hackers claim their activity is to demonstrate ‘the incapacity of those who have taken responsibility for protecting your privacy.’
Firefox window lock bug being actively exploited by attackers
- Malwarebytes security researcher Jérôme Segura discovered that malicious actors are purposely writing code to target a window lock bug in Firefox. The exploit works on Windows and Mac versions of Firefox.
- When a user visits a malicious site, a message automatically appears stating that the computer has been locked because pirated versions of Windows were detected. The scammers attempt to convince the target to phone a toll-free number to get their system unlocked.
- Once the message appears, the user is unable to close the Firefox browser. The browser can, however, be terminated via Windows Task Manager or Force Quit on macOS. Segura contacted Mozilla regarding the issue and the company stated that it is working on a fix.
Source (Includes IOCs)
MegaCortex ransomware upgraded to change user password and threaten file publication
- Researchers at MalwareHunterTeam identified a new variant of MegaCortex ransomware, which was further analysed by Vitali Kremez and BleepingComputer. The ransomware encrypts files with a previously unseen extension and leaves a note on the victim’s system. The note states that the target’s Windows password has been changed and that their data has been downloaded to a secure location.
- The researchers, who initially did not believe the message, confirmed that the malware does indeed change the password by executing the net user command. This means that if victims reboot their system they will be unable to log in to their device. To ensure that victims can still contact the ransomware developers, the operators configure a Windows legal notice, shown before the login screen, that displays their email address.
- The researchers were unable to confirm whether the ransomware operators had actually copied the files; however, they stated that the ‘threat should not be dismissed’. If MegaCortex is successfully copying files, then victims will have to start treating such incidents as data breaches.
Source (Includes IOCs)
Variety of malware campaigns contain political themes
- Researchers at Cisco Talos searched malware repositories for IOCs with political references and discovered a large number of ransomware, screenlockers, RATs, and other malware types. The researchers stated that many of the actors behind these campaigns were motivated by their political beliefs.
- Several instances of ransomware and screenlockers were found, some of which failed to properly encrypt victims’ systems. Among these samples were Donald Trump Ransomware, Donald Trump Screen of Death and Putin Lockware 2.0.
- Identified RATs included a Neshta campaign themed around Kim Jong Un and an NjRAT campaign that displayed a decoy image named Papa-Putin. A Konni attack also attempted to infect target machines via a Word document titled ’12 things Trump should know about North Korea’.
- The researchers also discovered a malspam campaign delivering a malicious PE32 executable, named Trump, via RTF files. Malicious crypters, packers, process injectors, and malware loaders were also themed around figures such as Donald Trump, Vladimir Putin and Barack Obama.
Source (Includes IOCs)
Dual archive trick used to deliver NanoCore malware
- Trustwave researchers observed threat actors using a new method to deliver NanoCore malware. The malware is delivered via a typical courier-themed spam campaign, but the attachment is an archive file ending in ‘pdf[.]zip’ whose file size is much larger than its uncompressed content.
- As a way to evade detection by scanning gateways, the ZIP file contains two file structures. One of the structures contains a decoy file with a JPG extension, which is actually a non-malicious PNG formatted image file. The second file contains version 220.127.116.11 of NanoCore RAT, a version that was offered for free on the dark web a few months ago.
Source (Includes IOCs)
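To make the dual-archive trick concrete, the following is an added example (not code from the Trustwave report or any tool it names): it builds a benign ZIP made of two complete structures placed back to back, then shows how a structural check can flag it, since Python's zipfile only honours the trailing end-of-central-directory record and therefore lists a single file. The file names and payload bytes are constructed stand-ins, not the real decoy or the RAT.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature

def build_zip(name: str, payload: bytes) -> bytes:
    """Build one complete, stored (uncompressed) ZIP holding a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: harmless bytes stand in for the decoy image and the RAT.
CLEAN_ZIP = build_zip("decoy.jpg", b"\x89PNG\r\n\x1a\n" + b"decoy-image-bytes" * 4)
DUAL_ZIP = CLEAN_ZIP + build_zip("payload.bin", b"stand-in for the hidden second structure")

def find_all(data: bytes, sig: bytes) -> list:
    """Offsets of every occurrence of a ZIP signature in the raw bytes."""
    offsets, start = [], 0
    while (pos := data.find(sig, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets

def analyse_zip(data: bytes) -> dict:
    """Compare what a ZIP parser reports with what the raw bytes contain."""
    eocd_offsets = find_all(data, EOCD_SIG)
    declared = 0
    for off in eocd_offsets:
        # EOCD layout: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
        declared += struct.unpack_from("<4sHHHHIIH", data, off)[4]
    # zipfile honours only the trailing EOCD, so it lists just the last structure
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        visible = [info.filename for info in zf.infolist()]
        visible_size = sum(info.file_size for info in zf.infolist())
    local_headers = len(find_all(data, LFH_SIG))
    return {
        "eocd_records": len(eocd_offsets),
        "declared_entries": declared,
        "local_headers": local_headers,
        "visible_entries": visible,
        "visible_uncompressed_bytes": visible_size,
        "file_bytes": len(data),
        # a second EOCD, or more local headers than listed files, means hidden content
        "suspicious": len(eocd_offsets) > 1 or local_headers > len(visible),
    }
```

Running `analyse_zip(DUAL_ZIP)` reports two EOCD records and two local headers while the parser lists only `payload.bin`, which is exactly the gap a gateway that trusts the parser's view would miss.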
Buran Ransomware evolved from VegaLocker
- Researchers at McAfee conducted an analysis of Buran ransomware, which was first identified in May 2019, and found that the malware is an evolution of VegaLocker ransomware.
- The researchers identified two variants, of which version 2 contains new functions which delete shadow copies, the backup catalog, and system state backup. The malware is predominantly delivered through the Rig Exploit Kit and is configured to avoid machines in the Russian Federation, Ukraine, and Belarus.
- A full analysis of the ransomware is available via McAfee.
Source (Includes IOCs)
Newly discovered Capesand Exploit Kit employs range of exploits and tools
- In late October 2019, researchers at Trend Micro discovered a new exploit kit named Capesand, delivering njRAT. The newly identified EK is almost entirely composed of reused open-source code, found in its packing techniques, obfuscation methods, and exploits.
- At present Capesand attempts to take advantage of CVE-2018-8174 in Microsoft Windows, CVE-2019-0752 and CVE-2015-2419 in Microsoft Explorer, and CVE-2018-4878 and CVE-2018-15982 in Adobe Flash Player.
- The researchers found that the exploits are not included in the frontend exploit kit source code package. Instead they are delivered as a service through a remote API, which ensures that the exploits are kept private and ‘reusable across different deployment mechanisms’.
- Despite still being in development, the Capesand exploit kit is being actively deployed against victims.
Source (Includes IOCs)
DarkUniverse group discovered during analysis of ‘Lost in Translation’ data dump
- While performing analysis of code contained in the ‘Lost in Translation’ dump, which was stolen from the NSA and published by the ShadowBrokers in April 2017, researchers at Kaspersky identified a script that checked for traces of APTs in compromised systems.
- The researchers discovered an APT, dubbed DarkUniverse, that was active between 2009 and 2017. Evidence showed that the group targeted civilian and military organisations in at least 20 countries; however, the researchers believe that the number of undiscovered victims is far higher.
- The custom malware used by the group was distributed via spear phishing campaigns. The group consistently updated their malware and framework over the eight-year period in which they were active. The malware could perform a number of functions including, keylogging, collecting email conversations and victim credentials, taking screenshots of the user’s screen, collecting system information, and more.
- Unique code overlaps led the researchers to assess with medium confidence that DarkUniverse is most likely associated with a threat actor known as ItaDuke.
Leaks and Breaches
Asus app data leak leaves users vulnerable to attacks
- vpnMentor researchers discovered a data leak in AsusWRT, which could give an attacker access to a user’s home network, allowing them to hijack connected devices, such as Amazon Alexa. The leaked data includes users’ names, IP addresses, device names, usage information, longitude and latitude coordinates, location, and commands. Asus has since closed the leak.
- Once an attacker has hijacked a smart device, they could issue commands via the database, meaning any apps using smart device commands become vulnerable. This includes banking apps, potentially leaking a user’s login credentials.
- Additionally, the leaked data could enable an attacker to install malware on any device connected to a router using AsusWRT, enabling them to compromise users’ email addresses and personal accounts, which could be used to obtain personally identifiable information for further exploitation, financial fraud and extortion.
California DMV data breach allowed improper access to Social Security information
- On August 2nd, 2019, the California Department of Motor Vehicles (DMV) discovered that seven US federal agencies had improper access to Social Security information of 3,200 individuals for four years. This included the US Department of Homeland Security, Internal Revenue Service, the Small Business Administration, and district attorneys in San Diego and Santa Clara counties. The access error has since been corrected and the DMV has sent notices to impacted individuals.
Three UK exposes personal and billing data of customers again
- Three UK customers are able to view other customers’ data via the My3 Home area, a login-protected part of its website containing personal details and billing information. The Register reported on a similar issue with the homepage in February 2019. The telecommunications provider’s website was offline for several days at the end of October 2019; however, it remains unclear whether the incidents are related.
- According to Three UK, fewer than 10 customers have reported being able to access other users’ account information and no sensitive financial information was exposed. The matter is currently being investigated.
Vulnerability found in Libarchive
- A vulnerability in Libarchive, tracked as CVE-2019-18408, could allow an attacker to execute code on a user’s system using a malformed archive file. The flaw was first discovered in June 2019. Patches have been released.
- The compression library is included by default in many operating systems. Those affected include Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD. Windows and macOS systems are not affected. A full list of affected devices is available on GitHub.
Indian Space Research Organisation also targeted in Dtrack malware attack
- Following reports of a Dtrack malware attack on India’s Kudankulam Nuclear Power Plant, reports suggest that the Indian Space Research Organisation (ISRO) was also alerted to a malware attack on September 4th, 2019. ISRO has not issued a statement on the matter.
- Kaspersky Labs has attributed the malware to the North Korean APT Lazarus Group and, according to IssueMakersLab, the malware had previously been used in an attack against the South Korean military’s internal network in 2016.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.