Silobreaker Daily Cyber Digest – 08 February 2019
Danabot updated with new C2 communication
- New variants with an updated communications protocol are being delivered to existing victims as updates, and via malspam in Poland, according to researchers at ESET.
- Danabot now uses AES and RSA encryption for its C2 communication, which breaks existing network signatures written for the previous protocol. New versions also use a loader component, registered as a service, in place of the downloader that previously executed the main module.
Source (Includes IOCs)
Spyware discovered in anti-censorship applications
- Triout is an Android malware framework that was bundled with Psiphon, an anti-censorship application, before being distributed via non-official channels. The Google Play version of Psiphon is unaffected, and has been downloaded over 50 million times. The unofficial version functions exactly the same as the official one, but with malicious capabilities.
- Triout's malicious capabilities include recording phone calls, taking photos and videos, logging text messages and collecting GPS coordinates. This data is exfiltrated to the attackers' C2 server, which, according to researchers at Bitdefender, currently traces back to a French discount retail website of unknown legitimacy.
Phishing campaign targeting North American banking customers
- Malicious actors are using Excel documents to infect North American banking customers with a TrickBot variant. The phishing emails appear to come from JPMorgan Chase and Bank of America. When the recipient opens the attachment and enables macros, the TrickBot payload is downloaded from a compromised website.
- This variant can steal cryptocurrency wallet credentials and target POS systems. It also uses a new encryption technique to conceal the PowerShell command that the macro runs.
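The lure described above is a macro-enabled workbook whose VBA runs PowerShell. A mail gateway cannot see the obfuscated command without executing the macro, but it can hold any Excel attachment that carries a VBA project at all, which is the usual control for this kind of campaign. The following is an added example written for this digest, not code from Silobreaker or from the researchers who reported the campaign; it builds two constructed OOXML packages in memory (not real lures) and shows the check a gateway or triage script would run on them.

```python
import io
import zipfile

# Content type that a macro-enabled OOXML package declares for its VBA part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_workbook(with_macro):
    """Construct a minimal OOXML workbook in memory.

    This is a test fixture, not a real TrickBot sample: the VBA part is a
    placeholder with an OLE header, enough to exercise the structural check.
    """
    overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba project")
            overrides.append(
                f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


def macro_parts(data):
    """Return the names of VBA project parts inside an OOXML attachment.

    Two signals are checked: a vbaProject.bin member anywhere in the package
    (case-insensitive, so a renamed path still matches) and the VBA content
    type declared in [Content_Types].xml. A declared-but-missing part is
    reported too, since a mangled package is itself worth a look.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in content_types and not hits:
                hits.append("[Content_Types].xml declares a VBA part that is absent")
    return hits


def triage(filename, data):
    """Return a quarantine reason for an Excel attachment, or None if no VBA is present."""
    parts = macro_parts(data)
    if not parts:
        return None
    return f"{filename}: holds VBA project part(s) {parts}; quarantine pending analyst review"


if __name__ == "__main__":
    print(triage("invoice.xlsm", build_workbook(with_macro=True)))
    print(triage("report.xlsx", build_workbook(with_macro=False)))
```

The check is structural only: it does not decompress or read the macro source, so it says nothing about what the PowerShell command does. For the source itself, the VBA in vbaProject.bin is stored in MS-OVBA compressed form and needs a proper extractor. Two caveats for anyone deploying this: legacy binary `.xls` files are OLE containers, not zip packages, and need a separate parser; and Excel 4.0 (XLM) macros live in sheet XML rather than vbaProject.bin, so this check does not catch them.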
New hacker groups holding MongoDB databases to ransom
- ZDNet reports that new hacker groups are copying the behaviour of their predecessors by holding exposed MongoDB databases to ransom and attempting to extort money from the companies that own them. The attackers find an exposed database, take a copy, delete the data from the original server, and then try to sell the copy back to the targeted company.
- The practice is less lucrative than it appears: the groups observed have been sloppy, in some cases forgetting to delete the database, and many companies already hold a backup. Three new groups have made a measly $200 between them.
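The precondition for the attack described above is a mongod that both listens on a routable interface and accepts clients without authentication. The following is an added example written for this digest, not code from Silobreaker or ZDNet: it parses the flat two-level YAML layout that mongod.conf uses (a deliberately small parser, standard library only, not a full YAML implementation) and reports the two settings that make a server ransomable. The two configuration files are constructed samples, not captures from a compromised host.

```python
# Constructed sample: the layout typically found on the ransomed servers.
WEAK_CONF = """\
# mongod.conf (constructed example, weak settings)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: bound to loopback plus one internal address, auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

# Values of net.bindIp that mean "every interface".
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text):
    """Parse the two-level 'section:' / '  key: value' subset used by mongod.conf.

    Comments and blank lines are dropped; quotes around values are stripped.
    Deeper nesting and lists are out of scope for this check.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if indent == 0:
            section = key
            conf[section] = value if value else {}
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def audit(conf):
    """Return (code, message) findings for settings that expose the server."""
    findings = []
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}

    bind = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append(("BIND_ALL", "net.bindIpAll is true: mongod listens on every interface"))
    elif bind is None:
        # Only MongoDB 3.6 and later default to localhost; older builds bind everywhere.
        findings.append(("BIND_UNSET", "net.bindIp is unset: confirm the server version, pre-3.6 defaults to all interfaces"))
    elif {a.strip() for a in bind.split(",")} & ALL_INTERFACES:
        findings.append(("BIND_ALL", f"net.bindIp={bind}: mongod listens on every interface"))

    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append(("NO_AUTH", "security.authorization is not enabled: any client that reaches the port can dump and drop every database"))
    return findings


def exposed_without_auth(conf):
    """True when the server has exactly the shape the ransom groups look for."""
    codes = {code for code, _ in audit(conf)}
    return "BIND_ALL" in codes and "NO_AUTH" in codes


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_mongod_conf(text)
        print(name, "ransomable:", exposed_without_auth(conf))
        for code, message in audit(conf):
            print("  ", code, message)
```

The configuration check is necessary but not sufficient: a host or cloud firewall in front of port 27017 changes the picture either way, so pair this with an external reachability test. The other half of the defence is the one the digest itself points to: a current, tested backup makes the "sell it back" step worthless.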
Leaks and Breaches
Historical breach discovered by Trakt
- Trakt, a movie and TV-tracking service, appears to have only just discovered a breach that occurred in December 2014. Trakt emailed subscribers to inform them that a PHP language exploit was used in December 2014 to capture user data.
- Affected information includes user emails, usernames, encrypted passwords, names and stored locations. Trakt reassured users that payment information was not affected, as it is stored separately.
Two iOS zero-days exploited in the wild
- Google researchers have revealed that CVE-2019-7286 and CVE-2019-7287 were exploited in the wild before Apple released iOS 12.1.4.
- CVE-2019-7286 is a memory corruption bug that allows an application to gain elevated privileges; CVE-2019-7287 is also a memory corruption issue, and allows an application to execute arbitrary code with kernel privileges. Users are advised to update as soon as possible.
Multiple vulnerabilities in Lifesize Products
- Simon Kenin of SpiderLabs discovered multiple authenticated remote OS command injection vulnerabilities in Lifesize Team, Room, Passport and Networker. Combined with a privilege escalation found by another researcher, they make it possible to gain persistent root privileges on affected devices.
- After initially declining to fix the issues because the products were end of life, Lifesize has now asked all 220 Series customers to contact support for a hotfix. A PoC exploit for the vulnerabilities is due to be released on February 21st.
Multiple vulnerabilities in Kunbus gateway
- Applied Risk researcher Nicolas Merle found five vulnerabilities in Kunbus PR100088 Modbus gateways running version 1.0.10232 and possibly earlier versions. Two are rated critical and two high severity; together they allow an unauthenticated attacker to gain full control of the device.
- Kunbus has released Security Update R02 to address four of the flaws. R03 will address the fifth and is scheduled for release at the end of February.
Google patches critical vulnerability in Android update
- February's security update contains fixes for CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988, three flaws that allow a remote attacker to execute arbitrary code on Android 7.0 to 9.0 if the user opens a malicious PNG file.
Vulnerability in FaceTime patched
- The previously reported 'FacePalm' vulnerability in Apple's FaceTime allowed a caller to eavesdrop on a recipient's audio before the recipient accepted the call. The bug has since been patched, and iOS and macOS users are urged to install the update as soon as possible.
Australian government resets network after incident
- The federal government confirmed that a security incident affected everyone with an Australian Parliament House email address. According to the Department of Parliamentary Services, all users with network access had their passwords reset.
- Investigations are ongoing, but there is currently no evidence that data has been taken or accessed, or that the incident was an attempt to influence parliamentary or political processes.
Germany’s Federal Cartel office bans Facebook from combining user data without permission
- Germany's Bundeskartellamt has banned Facebook from combining user data from its Messenger, WhatsApp and Instagram platforms without explicit user permission, and from collecting user data from third-party sites unless there is voluntary consent.
20 individuals indicted in international online fraud scheme
- The case, led by US Secret Service agents, concerns a scheme in which fraudsters posted fake advertisements for expensive items on websites such as eBay and Craigslist. Victims sent money, normally cryptocurrency, to the fictitious profiles, and the items never arrived.
- Most of the suspects are based in Romania, and around a dozen have already been extradited to the US for trial.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.