Silobreaker Daily Cyber Digest – 08 November 2019
Researchers publish analysis of Glimpse malware
- The IronNet Threat Research Team analysed Glimpse, malware written in PowerShell and associated with APT34. It is launched by a Visual Basic script, but how that script itself is initiated remains unclear.
- Glimpse is similar to the recently analysed PoisonFrog malware. For example, both use DNS A resource records to communicate with their controller. Glimpse differs in that it can also use a text mode (TXT records) as an alternative DNS resource record type, which lets it deliver tasking in fewer transactions. Additionally, instead of relying on existing .NET DNS libraries, it crafts its DNS queries manually and communicates directly with the controller.
Source (Includes IOCs)
Skimmer scripts found on WordPress sites
- Sucuri researchers analysed malware samples which showed that threat actors are injecting skimmer code into compromised WordPress sites. The current malware campaign is not a ‘fully automated mass infection.’ Instead, the threat actors use customised scripts for individual compromised sites.
- The malware used is ‘CMS agnostic’, meaning that it can be used on a number of types of websites, including Magento, WordPress, and other e-commerce CMS. For example, one WordPress skimmer script showed only a slight variation to one found on a Magento site.
Dropper malware found in Android apps
- Wandera researchers discovered seven apps containing dropper malware on the Google Play Store. Three of the apps were published by iSoft LLC and have since been removed from the Play Store. The remaining four were published by PumpApp and LizotMitis, and remain active.
- The apps successfully bypass security measures by obfuscating an embedded GitHub URL and only sending a request to GitHub after the initial start-up. The dropper then installs APKs, including adware, from a GitHub repository. The researchers note that, although only adware is dropped at the moment, a threat actor could easily replace the APKs with more dangerous malware types.
- The adware APKs display full-screen video ads, without any user interaction, which overlay other applications. If a device is not password-secured, the adware activates the ads at set intervals, automatically turning on the screen and playing them. On password-secured devices the adware also activates and plays the ads, but cannot bypass the passcode, so the user is unaware that the ads are playing. The self-execution function and the need for manual dismissal mean a user’s device will suffer CPU spikes and high battery consumption.
Keitaro TDS leveraged by threat actors in several campaigns in Q3 2019
- In the third quarter of 2019, Proofpoint researchers observed multiple malicious email and malvertising campaigns, linked to a number of malware types, that leveraged the Keitaro traffic distribution system (TDS) together with exploit kits to avoid detection. Keitaro TDS is legitimate software, which makes malicious traffic harder to block. One campaign from August 2019 redirected users to the Fallout or RIG exploit kits and led to infections by AZORult, Predator the Thief, KPOT, SystemBC and more.
- Further trends observed by Proofpoint researchers can be found in their Q3 2019 Threat Report.
New adware apps in the Google Play Store contain evasion techniques
- Researchers at Trend Micro discovered 49 adware apps, with a collective download count of over 3 million, on the Google Play Store. The applications were primarily related to photography and gaming.
- The applications use multiple tactics that make detection and termination difficult: heavily obfuscated code, strings obscured with base64 encoding and custom algorithms, disguised icons, and more.
- Once installed on a user’s device, the adware registers itself as a foreground service, which ensures that it keeps running regardless of user interaction. The apps display full-screen adverts at regular intervals. These constant pop-ups drain the device’s battery and consume memory.
- The researchers reported the malicious applications to Google which resulted in them being removed from the Play Store.
Source (Includes IOCs)
Leaks and Breaches
InterMed data breach impacts 30,000 users
- Healthcare provider InterMed, based in Portland, Maine, disclosed that an unauthorised party accessed an employee’s email account between September 4th, 2019, and September 6th, 2019. During its investigation into the breach, the company discovered that three additional email accounts were accessed between September 7th, 2019, and September 10th, 2019.
- Messages and attachments in the email accounts displayed patient information, such as names, dates of birth, health insurance information, a select number of Social Security Numbers, and more. InterMed began the process of notifying impacted individuals on November 5th, 2019.
DNA-testing start-up Veritas Genetics hit by data breach incident
- The company disclosed that its customer-facing portal had been subject to a data breach. Details around the security incident are unclear as Veritas Genetics has not stated when the breach occurred or what information was compromised. The firm offers a service which sequences all 6.4 billion letters of a genome.
Georgia Institute of Technology inadvertently disclosed data of students
- A staff member at the Georgia Institute of Technology sent out an email which contained an attachment detailing the personally identifiable information of over 1,100 students. Disclosed data included names, ethnicities, GPAs, and school ID numbers.
Cisco patches flaws in Small Business Routers
- On November 6th, 2019, Cisco issued a series of patches for high- and medium-severity vulnerabilities in a range of its products. The most pressing of the vulnerabilities, tracked as CVE-2019-15271, is found in the web-based management interface of the Small Business RV016, RV042, RV042G, and RV082 routers. The flaw stems from a lack of validation of HTTP payloads and could allow an attacker to execute arbitrary code on vulnerable devices.
- A full list of vulnerabilities and affected products is available via the Cisco security advisory.
Adobe’s Mobile Software Development Kits contain multiple vulnerabilities
- Researchers at Nightwatch Cybersecurity identified vulnerabilities in Adobe’s Experience Platform mobile SDKs. The SDKs are used by developers to create apps which interact with cloud services.
- The flaw relates to configuration files that contain several insecure settings which cause data to be transmitted without SSL protection. Because of these settings, an attacker could view and modify the data in transit.
- The researchers stated that they discovered multiple mobile applications in the wild which were using the vulnerable files. The issue, which was discovered in March 2019, has now been patched by Adobe.
Ring Doorbell vulnerability leaves household Wi-Fi accessible
- Researchers at Bitdefender identified a vulnerability in the Ring Video Doorbell Pro which could allow an attacker to capture network traffic. The flaw occurs when the Ring Doorbell enters configuration mode and receives a user’s network credentials from their smartphone app. The user’s credentials are sent through plain HTTP, which allows an attacker within Wi-Fi range to view transferred data.
- The researchers found that they could force a user to reconfigure the Ring Video Doorbell Pro by knocking the device from the wireless network via constant deauthentication messages.
Das U-Boot vulnerabilities affect third-party hardware
- Researchers at ForAllSecure identified flaws, tracked as CVE-2019-13103, CVE-2019-13104, CVE-2019-13105, and CVE-2019-13106, in the universal bootloader Das U-Boot. The bugs can be exploited both locally and remotely.
- Successful exploitation could lead to a range of attack conditions such as device takeover, DoS attacks or code execution.
- Das U-Boot is used in a range of devices including networking hardware, Amazon Kindles, ARM Chromebooks, and more.
SVG images leave web applications vulnerable to attacks
- Fortinet researchers found that the use of embedded Scalable Vector Graphics (SVG) images can pose a number of security risks. The most common SVG attack vectors they identified are cross-site scripting, HTML injection, XML entity processing (the Billion Laughs attack), and a new SVG variant of the Billion Laughs attack.
- Since an SVG is closer to an HTML document than to an image, the researchers recommend that web developers not load SVGs as an object or iframe, and that they restrict the file types that can be uploaded, to avoid such attacks.
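A defender-side upload check that applies the recommendation above, added here as an example and not code from the Fortinet research: it refuses any DTD or entity declaration before expat expands anything, and flags the active content (script elements, event-handler attributes, javascript: URLs) that turns an SVG into an HTML-like document. The SVG samples at the end are constructed.

```python
import xml.parsers.expat

# Elements that make an SVG behave like a web page rather than a picture.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
URL_ATTRS = {"href", "xlink:href", "src"}

class _Reject(Exception):
    """Stop parsing as soon as a blocking finding appears."""

def check_svg(data: bytes) -> list:
    """Return findings for an uploaded SVG; an empty list means it passed."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: entity declarations are the raw material of Billion Laughs.
        findings.append("DOCTYPE declaration (entity expansion risk)")
        raise _Reject

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Called before any reference is expanded, so aborting here is safe.
        findings.append(f"entity declaration '{name}'")
        raise _Reject

    def on_start(tag, attrs):
        local = tag.rsplit(":", 1)[-1].lower()
        if local in ACTIVE_ELEMENTS:
            findings.append(f"active element <{local}>")
        for attr, value in attrs.items():
            if attr.lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")
            elif attr.lower() in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{local}>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Reject:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings

# Constructed samples for the check (not taken from the Fortinet research).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><script>f()</script></svg>'
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY a "x">]><svg xmlns="http://www.w3.org/2000/svg">&a;</svg>'
```

Files that pass the check should still be served with an image-only context (an `<img>` tag or a Content-Disposition that prevents inline rendering) rather than as an object or iframe.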
Same server used in ISRO and Kudankulam Plant attacks
- The Indian Space Research Organisation (ISRO) confirmed that it had been alerted by CERT-In of a possible cyberattack on September 3rd, 2019, but stated that its systems were not affected. Security experts noted that ISRO would only have been alerted if an actual intrusion had taken place, as was the case in the Kudankulam Nuclear Power Plant (KKNPP) breach.
- Security Bridge’s Yash Kadakia confirmed that the phishing emails originated from the same server in both attacks, which suggests the attack was carried out by the same threat actor.
- The server was not hosted in North Korea, yet the attacks have been linked to North Korea. Simon Choi of IssueMakerLabs noted that the North Korean threat actor Kimsuky, also known as Velvet Chollima, has engaged in reconnaissance against Indian nuclear physicists since at least 2018. Choi also believes the attack on KKNPP was aimed at stealing technology-related data.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.