Silobreaker Daily Cyber Digest – 07 February 2019
Researchers discover new JAR-based information stealer ‘Qealler’
- Zscaler ThreatLabZ researchers found a new information-stealing malware dubbed Qealler, written in Java and designed to silently steal sensitive information from the targeted device. The malware was first detected on January 21st, 2019.
- Qealler is distributed via malicious JAR files, and once executed, will attempt to steal credentials from a variety of software including browsers, chats, databases, games, mails, Wi-Fi, SVN, dumps from memory or sysadmin.
New ‘Lucky Draw’ smishing campaign asks for money in exchange for prize
- A new text message-based phishing campaign has been discovered targeting Nokia owners in India. The texts pose as legitimate messages from Nokia and state that the recipient has won either a Tata Safari car or 1,260,000 Indian Rupees. The scam then asks that the recipient calls them to pay 6,500 Rs in order to collect the prize.
- The text messages are filled with grammatical errors and are therefore unconvincing.
APT10 attacked Norwegian managed service provider and US firms in sustained campaign
- Researchers reported that Chinese threat actor APT10 hacked and stole data from at least three companies in the US and Europe including Visma, a Norwegian firm specializing in cloud-based software solutions for European businesses. The attacks occurred between November 2017 and September 2018.
- In all three incidents, APT10 used Citrix and LogMeIn remote access software to gain access to networks using stolen user credentials. In their attack against Visma, APT10 deployed Trochilus malware, whereas in the two other attacks the group used a unique version of the Anel backdoor.
- According to Visma’s official statement, the hackers managed to steal the company’s internal data, however, none of their clients’ systems were affected.
Phishing campaign exploits Google Translate to target multiple user accounts simultaneously
- Akamai researcher Larry Cashdollar reported on a recent phishing campaign targeting Facebook and Google accounts, and using Google Translate features to conceal the landing page.
- The campaign begins with fake emails stating that a user’s Google account was accessed from a new device and asks the user to click a link to verify this activity. Once clicked, the link will redirect the victim to a malicious domain that is loaded via Google Translate and asks the victim to input their credentials. Usernames, passwords, IP addresses and browser types are collected. In some cases, location and various level of personally identifiable information are also stolen.
- According to Cashdollar, a second stage of the attack follows, in which victims are redirected to a fake Facebook login page. The researcher notes that based on the visualization of the fake login pages, the campaign is designed to target mobile users.
Tech support scams leveraging PUAs
- Rather than calling a support hotline, tech support fraudsters are instead attempting to get users to install potentially unwanted applications (PUAs) after showing them a fake malware scan, stating that their system is infected. This allows them to perform a variety of actions on the victim’s computer, including, but not limited to, showing pop-up windows, changing search engines and default home pages, exfiltrating user information, and mining cryptocurrency in the background, thereby hogging system resources.
- All of these methods are used to generate revenue for the malicious actor. They can also earn revenue by maximising the number of PUA installs they perform.
Online retailers targeted with IcedID trojan
- IBM Security has warned that actors behind IcedID banking trojan are now using the malware to steal payment card credentials from websites of online retailers. The hackers are targeting victims in order to make purchases at that retailer, after having stolen all of the credentials required to check-out on their site.
- IBM has produced a complete report detailing and analysing the behaviours of IcedID against online retailers.
Magecart targets undisclosed flaws in Magento eCommerce third-party plugins and extensions
- Crowdstrike researchers observed that the Magecart Group has been targeting online stores running the Magento platform by exploiting undisclosed PHP Object Injection vulnerabilities in third-party plugins and extensions. The flaws allow an attacker to execute arbitrary code in the context of the vulnerable server.
Leaks and Breaches
Gay dating app ‘Jack’d’ leaked ‘private’ images and data via unsecured AWS S3 bucket
- The photos were uploaded to an Amazon Web Services S3 bucket via an unsecured web connection, identified by a sequential number. In order for the images to be accessible, a person must simply traverse the range of sequential values.
- As a result of the images being retrieved by the application via an unsecured web connection, it is also possible that they can be intercepted by anyone monitoring network traffic. In addition to the private images, location data alongside other metadata pertaining to users of the app were also accessible via the app’s unsecured interfaces to backend data.
- The dating app reportedly has 5 million users worldwide on iOS and Android. The flaw was fixed with a February 7th update, a year after the leak was initially disclosed to the company.
South African Eskom Group hit by security breach due to downloaded game
- The energy supplier has been hit by a double breach involving an unsecured database containing customer details, as well as an infected corporate computer that was hit by the AZORult information-stealing trojan.
- Security researcher ‘.sS!’ discovered the stolen data, which contains passwords for logging into Eskom’s internal network, corporate email accounts, a screenshot of the victim’s desktop during the trojan’s install and other information. The AZORult infection was found to be masquerading as a downloader for The Sims 4 game.
- Information exposed as a result of these breaches include credentials, customer information, sensitive business information and redacted customer credit card information. Eskom supply 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.
MPs targeted by new phishing campaign following hack of government whip account
- Dozens of MPs have reportedly been added to a WhatsApp group named ‘Hack warning 1’ that appeared to be linked to the personal phone number of Tory MP Mike Freer. Freer later announced in a Facebook update that his email account has been compromised.
- Freer warned that if anyone received a message asking them to download a viber to have a secure call, they should delete it. The Whip’s Office followed by stating that the hack aims to access the victim’s contacts list so that it can send texts and emails to private contacts.
The Californian Bayside Covenant Church suffers data breach
- In a statement, the church said that unauthorised personnel gained access to certain email accounts between August 3rd, 2018 and October 20th, 2018. Information exposed includes names, addresses, Social Security Numbers, passport numbers, drivers’ license numbers, financial account information, medical information, health insurance information, usernames and passwords for online accounts, as well as emails and passwords.
- Further details of the breach are currently unknown and an investigation is ongoing.
Passenger data exposed by airline check-in links
- Wandera’s threat research team found that check-in links sent by several major airlines across the globe can allow attackers to obtain passengers’ personal information – as the connection is initiated over HTTP rather than HTTPS. An attacker could intercept the user’s traffic and gain access to their check-in page, such as the ‘record locator’, origin, and destination, via the data unencrypted in the URL.
- Affected airlines include Southwest in the US, KLM and Transavia in the Netherlands, and Thomas Cook in the UK. The airlines have been notified, and some have stated that they are investigating the issue, but no fixes have yet been deployed.
Cal Poly Pomona College of Science suffers data leak
- On January 28th 2019, the computer science department accidently exposed 4,557 active student records in an erroneous email that was sent out to other students. As well as sending students an email containing their individual academic records, a spreadsheet was sent to all recipients containing the academic details of everyone in the college of science.
- Leaked data included student records, their current academic standing and their Grade Point Average.
Security researcher Linus Henze declined to share zero-day macOS exploit with Apple
- Henze demoed a zero-day macOS exploit that impacted the Keychain password management system, which is used to store passwords for applications, servers, and websites, as well as other sensitive information related to bank accounts. The data stored on the Keychain app is automatically encrypted.
- Henze discovered a flaw in the Keychain’s access control in Apple’s macOS operating system, that could allow an attacker to steal Keychain passwords from any local user account on the Mac, without needing admin privileges or the Keychain master password.
- The flaw can be exploited as long as the Keychain is unlocked, and impacts all macOS versions up to 10.14.3 Mojave. The vulnerability has not been made public, or reported to Apple, due to a lack of a bug bounty program in macOS.
Microsoft confirms high severity flaw in Microsoft Exchange
- The vulnerability, dubbed ‘PrivExchange’, is an elevated privilege flaw in the Exchange Server that could allow a malicious actor to impersonate an administrator.
- According to Microsoft’s security advisory, a threat actor would need to perform a man-in-the-middle attack to forward an authentication request to an Exchange Server to successfully impersonate an administrator. A planned update addressing this vulnerability is currently under development.
Flaw in Marvell Avastar SoCs leave some models open to Wi-Fi attack
- CVE-2019-6496 affects the Marvell Avastar wireless system-on-a-chip (SoC) models including 88W8787, 88W8797, 88W8801 and 88W8897. The flaw can be exploited to cause an overflow condition, which results in overwriting specific block pool data structures due to a block pool memory overflow.
- The flaw can be leveraged by an attacker if they are within Wi-Fi range and use a series of specially crafted Wi-Fi frames to execute arbitrary code on a system that is running one of the vulnerable processors. Following this, an attacker could use the compromised SoC to intercept network traffic or achieve code execution on the host system.
- A patch has been issued.
Ukrainian hacker sentenced to 13 years in prison for theft of $15 million from Russian banks
- According to law enforcement officials, Yury Lysenko was involved in a criminal group specializing in the theft of funds from commercial banks. Victims include Promsvyazbank, Bank Uralsib, Trust Bank and Bank Zenit. The banks were targeted over a six-month period in 2014.
- The group used ‘special software’ which permitted illegal withdrawals from accounts belonging to customers and then proceeded to restore the customers’ account balances at the expense of the banks themselves. It is also believed the criminals used devices to tamper with ATMs.
Hackers find new ways to unlock iCloud-linked iPhones
- Motherboard reports that criminals have found ways to bypass Apple’s attempts at making Apple devices less prone to theft by linking them to a single iCloud account. The iCloud security feature enables the owner of the phone to remotely lock the phone and find its location via their iCloud account.
- Criminals have reportedly been bypassing this feature by removing iCloud. To achieve this, the attacker phishes the phones’ original owners, or scams employees at Apple stores, who have the ability to override iCloud locks.
- Dark web services also offer thieves the opportunity to unlock iPhones using illegal iCloud unlocking companies. These companies use fake receipts and invoices to pose as the legitimate owners of the phones, and also supply custom phishing kits for sale that are designed to steal iCloud passwords from a phone’s legitimate owner.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.