Silobreaker Daily Cyber Digest – 07 November 2019
USCYBERCOM releases seven new malware samples
- The US Cyber Command released seven new malware samples on VirusTotal that threat actors are currently using for monetary purposes, remote access, beaconing, and malware command.
Researchers analyse the evolution of Emotet
- Emotet, initially a banking trojan but now also used as a downloader, had a short hiatus between May and September 2019. Researchers at Netscout analysed key differences in the new versions seen since its return and found that many of its obfuscation techniques remained the same, some of which are also shared with Trickbot.
- New features include a new list of words used to generate process names and a new export function in Emotet binaries, which is usually only seen with DLL files rather than executable files.
Source (Includes IOCs)
Researchers analyse recent ransomware attack on Spanish company
- Researchers at Blueliv analysed the recent BitPaymer attack on Everis Group, one of two ransomware attacks on Spanish companies on November 4th, 2019, both carried out by different threat actors. The analysis looks at IOCs on VirusTotal, which Blueliv assess with high confidence were used in the attack. Everis has not officially confirmed this.
- The initial infection vector remains unclear, yet one hypothesis is that FakeUpdate applications were used to drop Dridex. The FakeUpdates campaign has previously been linked to SocGholish malware. After the Dridex infection, the attacker used PowerShell Empire to move laterally and execute BitPaymer.
- Both BitPaymer and Dridex are operated by INDRIK SPIDER. The group’s use of Dridex is typically not highly targeted. Instead, the group tends to search Dridex infected machines to check for strategically important organisations that can be targeted in more advanced attacks.
Source (Includes IOCs)
Dridex spread in large-scale German malspam campaign
- Virus Bulletin researchers observed a new malspam campaign delivering Dridex to German-language users via fake invoice notification emails containing a malicious Excel document. The researchers noted that malspam campaigns are usually small-scale and targeted, whereas this campaign is large-scale: it was sent to a number of older spam traps, and all emails contain the same attachment.
- Once the macro is activated, part of the code checks for one of five locales: Switzerland, Luxembourg, Liechtenstein, Germany and Austria. Analysis also revealed that the malicious document contains dozens of lines of obfuscated VBA code to evade detection and make it more difficult for researchers to analyse.
- The cells in the file contain strings used to generate a shell command that decodes a base64 string, decompresses it and loads a PowerShell script that downloads the payload. The PowerShell script chooses between two methods to execute Dridex: a DCOM-based method and the typical use of rundll32.
Source (Includes IOCs)
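The execution chain above (Excel macro, shell command, base64-decode plus decompress, PowerShell loader, then rundll32 or a DCOM launch) leaves a recognisable trail in process-creation telemetry. The following is an added defender-side example, not code from Virus Bulletin or from the report; it runs simple heuristics over constructed Sysmon-style events. The DCOM heuristic (PowerShell instantiating a COM object via CLSID/ProgID) and every path, file name and script fragment in the sample are assumptions for illustration.

```python
"""Heuristic detection of the Excel -> shell -> PowerShell -> rundll32 chain
over constructed process-creation events (added example, not the report's code)."""
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Stages of the loader described in the report, as regexes over PowerShell text.
RE_B64 = re.compile(r"FromBase64String", re.I)
RE_DECOMPRESS = re.compile(r"GzipStream|DeflateStream", re.I)
RE_LOAD = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# Assumed DCOM heuristic: PowerShell instantiating a COM object by CLSID/ProgID.
RE_DCOM = re.compile(r"GetTypeFromCLSID|GetTypeFromProgID|\[Activator\]::CreateInstance", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 token (not -ExecutionPolicy).
RE_ENCODED = re.compile(r"(?<!\w)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line: str) -> str:
    """Return the script hidden behind -EncodedCommand (UTF-16LE base64), or '' if absent/invalid."""
    m = RE_ENCODED.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(events):
    """Return a list of (rule_name, child_image) findings for the chain described in the report."""
    findings = []
    for ev in events:
        parent, image = base(ev.parent_image), base(ev.image)
        if parent in OFFICE_APPS and image in SHELLS:
            findings.append(("office_spawns_shell", image))
        if image == "powershell.exe":
            # Scan the visible command line and anything hidden behind -EncodedCommand.
            text = ev.command_line + "\n" + decode_encoded_command(ev.command_line)
            if RE_B64.search(text) and RE_DECOMPRESS.search(text) and RE_LOAD.search(text):
                findings.append(("ps_base64_decompress_loader", image))
            if RE_DCOM.search(text):
                findings.append(("ps_dcom_instantiation", image))
        if parent == "powershell.exe" and image == "rundll32.exe":
            findings.append(("powershell_spawns_rundll32", image))
    return findings


# Constructed sample: an illustrative stage-2 script of the kind the report describes
# (base64 decode, decompress, load), hidden behind -EncodedCommand.
_STAGE2 = ("$b=[Convert]::FromBase64String($blob);"
           "$s=New-Object IO.Compression.GzipStream([IO.MemoryStream]$b,"
           "[IO.Compression.CompressionMode]::Decompress);"
           "IEX (New-Object IO.StreamReader($s)).ReadToEnd()")
_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()

_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

SAMPLE_EVENTS = [  # constructed telemetry; paths and names are placeholders
    ProcEvent(r"C:\Windows\explorer.exe", _EXCEL,
              '"EXCEL.EXE" "C:\\Users\\u\\Downloads\\Rechnung_4711.xls"'),
    ProcEvent(_EXCEL, r"C:\Windows\System32\cmd.exe",
              f"cmd /c powershell -nop -w hidden -e {_ENC}"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", _PS,
              f"powershell -nop -w hidden -e {_ENC}"),
    ProcEvent(_PS, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\stage.dll,EntryPoint"),
    ProcEvent(r"C:\Windows\explorer.exe", _PS,
              "powershell -Command Get-Date"),  # benign control event
]

if __name__ == "__main__":
    for rule, image in classify(SAMPLE_EVENTS):
        print(f"{rule:30} {image}")
```

Each rule on its own is noisy (administrators run encoded PowerShell too); the value is in correlating them along a single parent/child chain within a short window, which is what the sample telemetry shows.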
Scammers pose as UK Ministry of Justice in new phishing campaign
- Researchers at Cofense identified a new phishing campaign that delivers Predator the Thief malware via malicious attachments purporting to be subpoenas from the Ministry of Justice. The campaign is directed against companies in the insurance and retail sector.
- The malicious attachment leads users to a Google document, which redirects to OneDrive and finally to a Microsoft Word document containing malicious macros. If a user enables macros, Predator the Thief is downloaded via PowerShell.
- The malware targets cryptocurrency wallets, FTP, email credentials and browser information. The researchers warned that Predator the Thief works on a wide range of web browsers.
Source (Includes IOCs)
Criminals use analytics platforms to improve phishing attacks
- Researchers at Akamai have reported that criminals who conduct phishing attacks are utilising software analytics products to improve the visibility of their malicious websites. According to the researchers, 56.1% of websites use web analytics, with Google Analytics the most widely used platform. Each analytics network customer is issued a unique identifier (UID), which the researchers used to track phishing sites.
- Scanning 62,627 active phishing URLs yielded 28,906 unique domains, of which 874 used UIDs. The researchers stated that the UIDs were either used by the criminals for analytics purposes, were legitimate UIDs that had been sinkholed by the company and now redirected to the original website, or were re-used UIDs duplicated from copied websites.
- During their analysis, the researchers discovered a number of previously unknown phishing campaigns, including one targeting LinkedIn users and another targeting AirBnB.
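The UID pivot described above is easy to reproduce on a set of captured phishing pages. The following is an added example, not Akamai's tooling: it extracts Google Analytics tracking IDs (the `UA-xxxxxx-n` form in use in 2019) from page HTML, counts unique domains the way the report does, clusters domains by UID, and separates UIDs copied from a cloned brand site from UIDs shared across unrelated phishing domains, which is the signal that points at one operator. The page contents, URLs and the brand UID allowlist are constructed placeholders.

```python
"""Cluster phishing pages by embedded Google Analytics UID (added example, not Akamai's code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Universal Analytics property IDs as embedded in ga()/gtag()/_gaq snippets.
UA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


def extract_uids(html: str) -> set:
    """All UA tracking IDs found anywhere in the page source."""
    return set(UA_RE.findall(html))


def domain_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def coverage_stats(pages: dict) -> tuple:
    """(urls, unique domains, domains embedding at least one UID), mirroring the report's counts."""
    domains = {domain_of(u) for u in pages}
    with_uid = {domain_of(u) for u, html in pages.items() if extract_uids(html)}
    return len(pages), len(domains), len(with_uid)


def cluster_by_uid(pages: dict) -> dict:
    """Map each UID to the set of phishing domains that embed it."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        for uid in extract_uids(html):
            clusters[uid].add(domain_of(url))
    return clusters


def triage(pages: dict, brand_uids: dict) -> dict:
    """Classify each UID: copied from a cloned brand site, shared by several phishing
    domains (likely the operator's own tracker), or seen on a single domain only."""
    result = {}
    for uid, domains in cluster_by_uid(pages).items():
        if uid in brand_uids:
            category = "reused_from_cloned_site"
        elif len(domains) > 1:
            category = "shared_operator_uid"
        else:
            category = "single_domain_uid"
        result[uid] = {"category": category,
                       "brand": brand_uids.get(uid),
                       "domains": sorted(domains)}
    return result


# Constructed sample pages and a constructed allowlist of known legitimate brand UIDs.
SAMPLE_PAGES = {
    "http://login-secure-example.test/a/index.html":
        "<script>ga('create','UA-1111111-1','auto');ga('send','pageview');</script>",
    "http://account-verify-example.test/login":
        "<script async src='https://www.googletagmanager.com/gtag/js?id=UA-1111111-1'></script>"
        "<script>gtag('config','UA-1111111-1');</script>",
    "http://account-verify-example.test/login?step=2":
        "<script>gtag('config','UA-1111111-1');</script>",
    "http://cloned-brand-example.test/signin":
        "<script>_gaq.push(['_setAccount','UA-2222222-2']);</script>",
    "http://plain-kit-example.test/":
        "<html><body>no analytics snippet here</body></html>",
}
BRAND_UIDS = {"UA-2222222-2": "ExampleBank (constructed)"}

if __name__ == "__main__":
    print("urls/domains/domains-with-uid:", coverage_stats(SAMPLE_PAGES))
    for uid, info in triage(SAMPLE_PAGES, BRAND_UIDS).items():
        print(uid, info)
```

A UID that appears on several unrelated phishing domains is the useful pivot: new pages carrying it can be attributed to the same kit or operator as they appear. A UID that matches the impersonated brand's own tracker says nothing about the operator, only that the HTML was copied wholesale, and is the case the report describes as re-used.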
Leaks and Breaches
Trend Micro insider steals customer data
- On November 5th, 2019, Trend Micro revealed that a company insider stole and sold a database containing the details of customers who purchased consumer products. The theft impacts approximately 68,000 customers. The scammers only targeted English speakers, and the stolen data was for customers in predominantly English-speaking countries.
- The company first noticed an issue in early August 2019, when customers began to receive unsolicited phone calls from scammers posing as Trend Micro employees. However, it took until the end of October 2019 before conclusive evidence showed that the data had been stolen by an insider.
- The details on the stolen customer support database included names, email addresses, Trend Micro ticket numbers, and in some cases phone numbers.
Facebook states that Groups API Bug may have exposed user information
- On November 5th, 2019, Facebook disclosed that approximately 100 developers were found to have access to Group data such as names and profile photos. Such information was supposed to be inaccessible to developers following changes that were implemented in the wake of the Cambridge Analytica scandal.
- Facebook stated that at least 11 developers had accessed this information in the last 60 days. The company said that developer access to this information has now been revoked.
Australian fertility business hit by cyberattack
- The Australian-based Monash IVF Group is currently investigating a cyberattack on its servers. Its patient database does not appear to have been affected. According to the company’s chief executive Michael Knaap, patients were informed of the incident.
- A patient told ABC that she was not informed, but instead received a scam email from someone pretending to be the company, urging her to open an attachment.
Texas Health Resources files 15 data breach reports
- On August 23rd, 2019, Texas Health Resources discovered a misconfiguration of its billing system, which resulted in a data breach affecting nearly 83,000 patients. Due to the misconfiguration, billing information may have been mailed to someone other than the intended patient or guarantor between July 19th and September 4th, 2019. The data breach affects 15 of the company’s hospitals.
- Potentially exposed information includes patient names, account numbers, service dates, names of treating physicians, and more.
Marine service provider James Fisher hit in cyber attack
- On November 5th, 2019, James Fisher and Sons Plc disclosed that it had been hit by a cyber-attack. The company, which has not provided details of the attack, stated that affected systems have been taken offline as a precautionary measure.
NVIDIA fixes flaws in Windows GPU display driver and the NVIDIA GeForce Experience Software
- On November 6th, 2019, NVIDIA issued fixes for 12 vulnerabilities in the Windows GPU display driver and the NVIDIA GeForce Experience (GFE) software. The patched flaws comprise four high-severity and eight medium-severity vulnerabilities. If successfully exploited, they could lead to an array of issues on Windows machines, including escalation of privileges, information disclosure, and code execution.
LEADTOOLS contains code execution vulnerabilities
- Researchers at Cisco Talos identified vulnerabilities in LEAD Technologies Inc’s LEADTOOLS software. The researchers discovered four vulnerabilities in LEADTOOLS 20, tracked as CVE-2019-5084, CVE-2019-5099, CVE-2019-5125, and CVE-2019-5100. The flaws could be exploited to execute code remotely, cause denial-of-service conditions, and more.
- Cisco Talos disclosed the issues to LEAD Technologies, which has released the relevant patches.
Google patches critical vulnerabilities in Android
- On November 4th, 2019, Google released its monthly security bulletin for Android. The update, which addressed nearly 40 vulnerabilities, included fixes for three critical flaws in the Android System component that could lead to remote code execution: CVE-2019-2204, which impacts Android 9, and CVE-2019-2205 and CVE-2019-2206, which both impact Android 8.0, 8.1, 9 and 10.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.