Silobreaker Daily Cyber Digest – 07 June 2019
New HAWKBALL backdoor targets government sector in Central Asia
- FireEye researchers observed an attack targeting the government sector in Central Asia using a new backdoor, dubbed HAWKBALL, delivered via two Microsoft Office vulnerabilities tracked as CVE-2017-11882 and CVE-2018-0802.
- HAWKBALL is used to collect information from the victim as well as deliver payloads. It is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.
Source (Includes IOCs)
German cybersecurity agency finds backdoor in four smartphone models
- The German Federal Office for Information Security warned against a dangerous backdoor, tracked as Andr/Xgen2-CY, embedded in the firmware of at least four Android smartphone models sold in Germany. The impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus.
- The backdoor was first discovered by Sophos in October 2018. It is designed to start running once the smartphone is switched on, collect details about the infected device, communicate with its C2 server, and await further instructions. The malware has been described as ‘unremovable’ due to its ‘anchoring in the internal area of the firmware’. It can only be removed through a firmware update issued by the phone makers.
- At least 20,000 German IP addresses were observed connecting to the malware’s C2 server. Users in other countries are most likely impacted as well.
Google confirms Triada trojan was built into the firmware of several Android devices
- Google has confirmed that the details in a 2017 Dr. Web analysis that found the Triada trojan was built into Android devices, to be accurate.
- Triada was first discovered by Kaspersky Lab in 2016, with the main purpose of installing apps that could be used to send spam and display ads. As a response to Google strengthening defenses, Triada evolved from a rooting trojan into a backdoor with the purpose of executing code in another app’s context.
- In July 2017, Dr Web reported that researchers had discovered Triada was built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoors to download and install modules.
New phishing campaign pretends to be warning from email server
- Bleeping Computer spotted a new phishing campaign being deployed via email with the subject line ‘New Account Verification’. The email prompts targets to enter recovery phone numbers to ensure continued access to their email account.
- Users who click on the ‘Add Recovery Number Now’ link are redirected to a hacked WordPress site and will be asked to enter their password. Entered passwords are saved by the attacker’s scripts for later use.
Fortinet researchers study new variant of Emotet trojan malware
- The researchers documented a new variant of the Emotet malware, first observed in May, 2019. Emotet is capable of stealing sensitive data from targeted users and is primarily spread via spam emails.
- Fortinet’s report includes an analysis of the Malicious Word document used to propagate the malware, the first layer payload, the persistent payload, communication with the C2 server, and the encryption algorithm.
Source (Includes IOCs)
Researchers detect new MuddyWater exploits
- ClearSky researchers discovered a new and advanced attack vector used by MuddyWater to target government entities and the telecommunications sector.
- The first stage of the attack includes decoy documents exploiting CVE-2017-0199. This is followed by the second stage in which communication with hacked C2 servers occurs and files infected with macros are downloaded. According to the researchers, this is the first time MuddyWater used these two vectors in conjunction with each other.
New GoldBrute botnet brute forces 1.5 million RDP servers
- Researcher Renato Marinho discovered an ongoing campaign in which a new botnet dubbed GoldBrute was observed brute forcing approximately 1.5 million Remote Desktop Protocol (RDP) servers exposed on the Internet.
- It is currently unknown what the ultimate goal of the campaign is, however, it is suspected that the perpetrators are harvesting the compromised servers to sell as an access-as-a-service, or on hackers’ forums and marketplaces.
- According to Marinho, a Shodan search revealed that there are currently approximately 2.4 million exposed devices.
Windstream email service compromise allows malicious emails through
- Researchers at My Online Security observed that the Windstream email service was compromised to allow a malicious actor to send malicious emails that were bypassing all authentication checks. Researchers suggested that it is likely an individual was compromised, rather than the whole system.
- The subject of the email is titled as ‘Order Inquiry’, and file attached is listed as ‘Company Quotation’ and contains Pony trojan which is designed to steal information stored on the infected device.
Source (Includes IOCs)
Brazilian Justice Minister Sergio Moro’s smartphone hacked
- On June 4th, 2019, Justice Minister Sergio Moro had his phone hacked. The attack lasted for a period of six hours.
- The attackers had access to messaging Apps such as WhatsApp and Telegram, and messages were exchanged via Moro’s Telegram account.
Hackers target GateHub XRP Ledger wallets
- GateHub confirmed that an estimated 100 Ripple coin (XRP) Ledger wallets have been compromised, resulting in 23.2 million XRP ($9.5 million) stolen from customers.
- An increased amount of API calls, with valid access tokens from a small number of IP addresses, was observed, however it is unclear how the attackers gained access to the encrypted keys. Suspicious API calls were stopped after all access tokens were disabled by the company on June 1st, 2019.
Similarities found between APT34 and hacking tool Jason
- Security expert Marco Ramilli observed similarities between the code style of APT34 and the recently leaked hacking tool known as Jason – Exchange Mail BF, suggesting a possible connection. Jason is a graphic tool used to harvest emails and accounts information through Microsoft Exchange account brute-forcing.
Leaks and Breaches
Pizza Hut warns members of the dangers of reusing passwords
- Pizza Hut has warned members of their loyalty scheme ‘Hut Rewards’ not to reuse passwords following an incident in which hackers were able to access some customer accounts. The restaurant chain believes that hackers were able to access the Pizza Hut systems after they discovered the credentials elsewhere.
- Pizza Hut have identified approximately 100 impacted accounts.
Over 40,000 unique container hosting devices maintain default container configuration
- Palo Alto Networks’ Unit 42 researchers conducted Shodan search queries revealing that Kubernetes and Docker each have over 20,000 instances of default container configuration that allows for quick identification. Maintaining default container names allows attackers to perform targeted reconnaissance.
- By searching Elastic, Kibana and MySQL databases within these containers, researchers were able to gain access to an unprotected Elastic database. This database belonged to an unidentified owner and contained user email addresses. Additionally, researchers found that the system hosted other databases which contained internal infrastructure IP addresses and logging information for a customer internal integration systems.
Cathay Pacific’s 2018 breach resulted from unpatched flaw
- A report released by The Hong Kong Privacy Commissioner for Personal Data Stephen Kai-yi detailed his findings on the Cathay Pacific breach in October 2018. The report stated that two groups targeted the company. The first dropped a keylogger onto a reporting system in October 2014, allowing them to move laterally through the network and gather credentials.
- The second group exploited an old flaw in an Internet-facing server, that allowed the group to bypass authentication and access admin tools on the server. Cathay were unable to patch the flaw because the application was incompatible with an Airbus fleet manual application.
- Wong stated that Cathay’s annual vulnerability scanning system was too lax and criticised the company for allowing admin tools to be accessed online.
American Medical Collections Agency suffers data breach
- The breach at the American Medical Collections Agency, may have exposed the data of over 20 million patients. The breach reportedly occurred between August 1st, 2018 and March 30th, 2019.
- Those affected include medical companies such as BioReference Laboratories, Quest Diagnostics, Labcorp and American Health Insurance provider Opko Health.
- The affected system includes patients’ names, dates of birth, addresses, phone numbers, dates of service, providers, balance information, credit card information and bank account information.
Sock company Bombas fined over data breach
- Online sock retailer Bombas has been fined $65,000 for failing to disclose a data breach for three years. The data breach occurred on September 27th, 2014, however the company did not inform its customers of the breach until May 2018.
- The breach affected 39,561 of its online customers. The company initially discovered the breach on November 29th, 2014 and fixed the breach on January 15th, 2015, before accidentally reintroducing the malware onto its website again. The malicious code was permanently deleted on February 8th, 2015.
Foreign government suspected to be behind ANU data breach
- According to The Sydney Morning Herald, authorities said the sophistication of the recent Australian National University (ANU) data breach suggests a foreign government was behind it, with China being one of the suspects.
VMWare fix two high-severity flaws in Workstation and Tools software
- CVE-2019-5522 is an out-of-bounds read issue in the vm3dmp driver in Windows guest machines affecting VMWare Tools.x on Windows. The flaw could be leveraged by a local attacker with non-administrative access to a Windows guest with VMWare Tools installed to leak kernel information or create a denial-of-service attack on the same machine.
- CVE-2019-5525 is a use-after free flaw that affects the advanced Linux Sound Architecture (ALSA) backend. An attacker with normal user privileges on the guest machine could exploit this issue in conjunction with other issues to execute code on the Linux host where Workstation is installed.
Australian Police raid the Australian Broadcasting Corporation
- The Australian Federal Police (AFP) raid at the Australian Broadcasting Corporation (ABC) was in response to allegations that ABC published classified information relating to stories reported in 2017.
- John Lyons, executive editor at ABC, claimed that the AFP downloaded 9,214 documents in the raid and had the power to delete or modify the documents within the seized cache.
Microsoft delete MS-Celeb-1M photo dataset
- Microsoft’s MS-Celeb-1M photo dataset, collected since 2016, contained around 10 million photos from 100,000 individuals. The dataset was supposed to contain photos of celebrities, but was found by researcher Adam Harvey to contain those of journalists, activists, artists, policy makers, academics, and more.
- During its lifespan the dataset was used to train facial recognition AI software. Despite pulling the dataset, Harvey stated that it was likely that it still existed within researchers’ hard drives and in repositories such as GitHub.
Cyber criminals increasingly selling hacking tools aimed at enterprises
- Researchers at Bromium and criminologists at the University of Surrey observed a substantial rise in bespoke malware and other hacking tools being sold on the dark web. Sellers often displayed extensive knowledge of networks, emails systems and cybersecurity protocols. Common attack types on sale included malware, DDoS botnets, trojans and keyloggers.
- Researchers calculated that since 2016, there has been a 20% rise in the number of dark web listings that can damage enterprises. Moreover, 35% of listings advertised tools to target banks and 20% advertised tools to target e-commerce.
- The study also uncovered vendors who offered access to specific enterprise networks via malware, stolen admin credentials or other backdoors into systems.
Komodo Platform hacks itself to keep funds safe
- On June 5th, 2019, the npm, Inc. security team informed Komodo Platform of a vulnerability in its Agama cryptocurrency wallet that could put some user funds at risk.
- Komodo Platform responded by using the same exploit to move funds from all affected wallets to a safe location before hackers could steal the funds.
- The attack consisted of getting a malicious package into the build chain for Agama and stealing the wallet seeds and other login passphrases. The company successfully moved 8 million Komodo coins and 96 Bitcoins, worth nearly $13 million.
US State Department proposes establishment of new cybersecurity-focused bureau
- The State Department sent a plan to Congress on establishing the Bureau of Cyberspace Security and Emerging Technologies (CSET) to ‘lead US government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.’
Huawei will build Russia’s first 5G wireless network
- An agreement with Russia’s largest carrier has been signed, which will facilitate the ‘commercial use of 5G networks in Russia in the very near future, but also contribute to the further development of economic ties between Russia and China.’
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.