Silobreaker Daily Cyber Digest – 07 August 2019
Researchers analyse Baldr Infostealer
- Sophos researchers analysed the information stealer Baldr, which first appeared for sale on the dark web in January 2019 and has been purchased by over 200 customers. The reseller has since stopped all sales. Baldr was primarily observed targeting victims in Asia, particularly in Indonesia, as well as Brazil, Russia, the US, India and Germany.
- Baldr is used to scrape and steal credentials, cookies or cached data. After stealing information from a victim’s device, Baldr takes a screenshot and compresses the stolen data into one file, which is then encrypted and sent to its C2 server. The researchers found the C2 server to have multiple vulnerabilities, which allowed other criminals to easily gain access to the exfiltrated data.
- Code from other known malware families was found, including that from GrandSteal and AZORult, making Baldr ‘a Frankenstein’s monster of code bits,’ rather than an original malware.
Analysis published of new LokiBot variant
- Researchers at Trend Micro analysed a new LokiBot malware variant and found that the malware has improved its capabilities to remain undetected within a system. The authors have updated the malware’s persistence mechanism and have also employed steganography to hide code inside image files.
- The malware is spread through phishing emails containing a malicious Excel attachment. When the attachment is opened, an embedded VBS macro code executes. Alternatively, LokiBot can also be spread through spam emails containing a malicious Rich Text Format file attachment, embedded with an Excel OLE object that uses Windows Management Instrumentation and PowerShell to download and execute the malware.
- When downloaded, LokiBot can exfiltrate user information. The researchers found that the email they analysed was sent to at least 55 targets in multiple organisations.
Source (Includes IOCs)
Spoofing campaign discovered targeting Walmart and other major companies
- DomainTools researchers discovered a domain name spoofing campaign targeting multiple major companies by spoofing career, dating and movie sites, with the goal of stealing personal information from victims.
- Over 540 domains were identified, however, only 181 have been blacklisted by DomainTools to date. The majority of IP country codes are in the US, however, Pakistani addresses are shown in registrant details. As the research into this campaign is in its early stages, it is unclear how widespread the campaign is.
Echobot variant contains over 50 exploits to target range of IoT devices
- On August 6th, 2019, Carlos Brendel Alcañiz identified a new Echobot variant that uses 59 remote code execution exploits. The exploit code comes from multiple public exploit repositories. The malware author configured the botnet to target a range of IoT devices including, routers, cameras, smart home hubs, servers, and more. At present it is unclear what the attackers objective is.
Source (Includes IOCs)
Source (Includes IOCs)
Series of malicious campaigns could be attributed to the same threat actor
- Over the past few months, Yoroi researchers identified a series of attacks directed against education, business, automotive and media sectors, which shared similar TTPs. The first campaign, dubbed ‘Roma225’, targeted the Italian automotive industry and was spotted in December 2018. Similar attacks were launched against government entities and observed by Unit 42 researchers in April 2019.
- The campaigns have similar TTPs as attacks are delivered by malicious emails containing weaponized XLS documents. Additionally, the final payload is consistently RevengeRat malware. The attackers also abuse the Blogspot platform and legitimate DNS services.
- The researchers stated that the infection chain has become more complex and that the attackers now use Pastebin to host malicious code. The researchers tentatively suggested that the attacks may be linked with the APT Gorgon Group, but admitted that at present they ‘have no definitive evidence of this connection’.
Source (Includes IOCs)
Malicious plugin encrypts WordPress posts
- Sucuri researchers found a malicious plugin on WordPress, called WP Security, that was used to encrypt blog post content.
- Using the openssl_encrypt function, the plugin encrypted posts with the AES-256-CBC method which made the content impossible to decrypt without proper keys. The researchers were not able to decode the posts due to the strong encoding algorithm used but managed to recover them from a database backup.
- They also suggested the possibility of other websites being involved in this campaign, as the website appears to be a victim of an attack rather than an actual malicious website or a C2 server.
Leaks and Breaches
Community Psychiatric Clinic announces data security incidents
- Community Psychiatric Clinic, Seattle, suffered a data breach on March 12th, 2019, however no signs of data exfiltration were found. A second security incident, which took place on May 8th, 2019, involved malicious actors attempting to engage the clinic in a fraudulent wire transfer of funds. All potential unauthorized access was terminated by May 29th, 2019.
- Both incidents may have exposed personal information or protected health information of current and former clients and employees to a third party. However, at present, the investigation has found no unauthorized access beyond the initial compromised Office365 accounts.
6.2 million email addresses exposed for nine years on DSCC Amazon S3 bucket
- UpGuard researchers discovered a misconfigured Amazon S3 bucket on July 25th, 2019, containing the list of 6,235,397 email addresses. It was first uploaded by the Democratic Senatorial Campaign Committee (DSCC) in 2010 and references ‘Clinton’ in its bucket and file name, suggesting a connection to Hillary Clinton’s earlier runs for Senator of New York. It is unclear whether the bucket was accessed by any unauthorized parties and it has since been secured.
- Analysis of the email addresses suggests they belong to ordinary citizens. The most common consumer email domains were present, as well as multiple from universities, government entities and the military.
Twitter discloses two ad-related privacy issues
- Twitter announced that it has patched a bug that exposed data of its users to its advertising partners from May 2018 to August 5th, 2019, without the users’ consent. Data shared included country codes, device types and ad details of users who clicked or viewed an ad for a mobile application and later interacted with the specific application.
- Additionally, Twitter disclosed that, since September 2018, its advertising platform fine-tuned ad delivery to its users’ devices without their consent. According to Twitter, ‘the data involved stayed within Twitter and did not contain things like passwords or email accounts.’
CafePress breach exposes roughly 11.5 million passwords
- Analysis by security researcher Jim Scott showed that approximately half of the 23 million affected users in the CafePress data breach had their passwords exposed. The passwords were encoded using one-way encryption method, base64 SHA-1.
- Users who accessed CafePress via Facebook, Amazon, or other third-party applications did not have their passwords compromised.
SWAPGS attack bypasses Spectre and Meltdown defenses
- Bitdefender researchers identified a side channel attack, named SWAPGS, that bypasses all previous mitigations for Spectre and Meltdown defenses. The attack, tracked as CVE-2019-1125, takes advantage of Intel speculative execution of specific instruction, which is when the CPU makes educated guesses about the instruction before it is required. Unpatched Windows systems that run on 64-bit Intel hardware are susceptible to this attack.
- Attackers who successfully perform this attack can leak portions of kernel memory space and expose sensitive information from OS kernel. Attacks can also search values in kernel memory or leak values from kernel addresses.
Easily exploitable KDE 4&5 zero-day vulnerability can be triggered by opening a folder
- Security researcher Dominik Penner disclosed the KDE 4&5 zero-day that affects the Linux KDE desktop environment. The flaw is a command injection vulnerability in the KDesktopFile class that can be exploited with a specially crafted desktop file. Malicious code contained within the file can be executed when a user opens a folder, or in certain instances, when they extract an archive to desktop.
- Almost all Linux distributions are currently using vulnerable versions of KDE, at present there is no way to mitigate the flaw.
Source (Includes IOCs)
Serious security bugs discovered in Cisco switch brand
- The three vulnerabilities were found in the Cisco Small Business 220 Series of smart switch products. They included an authentication bypass, tracked as CVE-2019-1912, a remote code execution tracked as CVE-2019-1913, and CVE-2019-1914, a command injection issue. As the first two could be exploited by remote attackers not needing to authenticate themselves on the device itself, they were rated as critical vulnerabilities.
- On August 6th, 2019, Cisco released firmware version 18.104.22.168, patching all mentioned vulnerabilities. Alternatively, device owners can turn off their web management interface to remain protected against the bugs.
North Korea allegedly stole $2 billion via cyberattacks to fund its weapons programme
- A leaked United Nations (UN) document claims that the North Korean government launched sophisticated cyberattacks to steal funds from financial institutions and cryptocurrency exchanges. The UN is currently investigating 35 cyberattacks and experts are also investigating North Korea’s cybermining activity.
- The report also states that North Korea has violated UN sanctions by illicit ship-to-ship transfers and obtaining items related to weapons of mass destruction.
Millions of AT&T phones installed with unauthorized hardware in scam involving company insiders
- The US DoJ alleges that from 2012 to 2017, Pakistani national Muhammad Fahd paid AT&T employees to install malware and unauthorized hardware on more than 2 million devices.
- Three former customer service representatives, who worked at AT&T’s Bothell, Washington, call centre already plead guilty to government charges and are scheduled to testify against Fahd. The employees also agreed to compensate AT&T for amounts ranging from $155,032 to $441,500. Fahd was arrested in Hong Kong on February 4th, 2018 and extradited to the US on August 2nd, 2019.
‘Warshipping’ attacks used to infiltrate corporate networks
- Researchers at IBM X-Force developed a new attack, dubbed warshipping, that can be launched to breach corporate networks. The attack, a spiritual successor to wardialling and wardriving, involves constructing a small 3G enabled signal board computer that can remotely perform close-proximity attacks.
- The device is about the size of a small cell phone and can be hidden in packages which are then shipped to the target location. The device transmits its GPS location to the attacker’s C2, and can be remotely activated when it reaches its destination.
- When at its destination, the device can passively or actively attack the target’s wireless access. The goal of the attack is to obtain data such as hashes which can be sent back to lab systems. Attackers can also launch an evil twin Wi-Fi network via the device and gain a targets credentials, such as usernames and passwords. In a test attack, the researchers were able to gain full access to a target system.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.