Silobreaker Daily Cyber Digest – 09 April 2019
Researchers discover iOS version of Exodus Android spyware
- Researchers at Lookout were led to their discovery after analysing Android samples of the Exodus spyware first detected earlier this year. These were distributed via the official Google Play Store.
- According to the researchers the iOS version of Exodus is ‘not as sophisticated’ as the Android one. Nevertheless, it is capable of exfiltrating contacts, audio recordings, videos, GPS location, device information and in some cases also offers remote audio recording.
- The iOS version is being distributed outside the official Apple App Store by abusing the Apple Developer Enterprise programme. The programme is designed to allow organizations to distribute proprietary, in-house apps to employees, outside the App Store. In this case, the iOS spyware is being delivered via phishing sites imitating Italian and Turkmenistani mobile carriers.
Researchers discover new Flame malware version and ties between Stuxnet and Flowershop
- Researchers at Chronicle Security found a new version of Flame malware that first emerged in 2014 and most likely remained active until 2016.
- Until now, it was assumed that the perpetrators behind Flame killed their operation following their public exposure by Kaspersky Lab in 2012. Instead, it was found that they re-tooled their spy kit, adding strong encryption to better evade detection and make it harder to reverse engineer.
- Additionally, Chronicle Security researchers recently found evidence that Stuxnet has connections to the Flowershop malware family after some of Flowershop’s code was discovered in a Stuxnet component.
Mirai discovered compiled for new processors and architectures
- The newly discovered samples of Mirai have been observed compiled for Altera Nios II, OpenRISC, Tensilica Xtensa and Xilinx MicroBlaze processors. In addition, the new samples also contained new features such as an encryption algorithm that is a modified version of the standard byte-wise XOR.
- The new samples were discovered on a single IP, hosted via an open directory. The same IP also hosted Mirai samples containing exploits that are known to be used in previous versions of Mirai.
Source (Includes IOCs)
Tax season malware campaign delivers Trickbot
- IBM X-Force researchers detected three spam campaigns in which Microsoft Excel attachments were used to deliver Trickbot financial malware. The spam emails delivering these attachments purported to be from large accounting, tax and payroll services firms. The emails were sent to both business and personal email accounts.
- The three campaigns spoofed large US companies including Paychex and ADP. According to the researchers, they appear to be related to one another and the perpetrators are most likely associated with the Trickbot Gang. The first instance of this campaign was detected on January 27th, 2019.
Source (Includes IOCs)
Anubis Android trojan discovered with almost functional ransomware module
- ESET malware researcher Lukas Stefanko discovered an Android application on the Google Play store that steals PayPal credentials, encrypts files in the device’s external storage and locks the screen using a black screen. The app’s malicious behaviour is due to an Anubis banking trojan malware payload, which is dropped by a malware downloader on a compromised device.
- The trojan collects banking information using built-in keylogger modules or by taking screenshots when a user enters credentials into apps. In this instance, the trojan also had a built-in ransomware feature that encrypts files and appends the .Anubiscrypt file extension to them.
- The component comes with a device lock feature which attempts to lock the phone while encryption takes place. However, Stefanko was able to bypass this feature, and the module does not request a ransom.
Genesis cybercrime marketplace selling full digital fingerprints of over 60,000 users
- Speaking at the Kaspersky Security Analyst Summit in Singapore, Kaspersky Lab researchers reported that a new cybercrime marketplace, called Genesis, is offering full digital fingerprints of over 60,000 users.
- Genesis was launched in late 2018 and its main product is users’ full digital profiles. Each user profile includes login credentials for accounts on online payment portals, e-banking services, file-sharing or social networking services, and cookies associated with those accounts, browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, and other browser and PC details.
- Prices for user profiles range from $5 to $200. Once access is purchased, attackers can steal funds, photos, sensitive or proprietary documents, or submit official papers on behalf of the victim.
Leaks and Breaches
Authorities investigate alleged data breach of Israel’s voter registry
- Israel’s National Cyber Directorate and Population Authority are investigating a hacker who has claimed to have breached the country’s voting system and stolen the data of roughly 6 million Israeli voters.
- The hacker, known as ‘DarkCoder’ on Twitter, made the announcement via a tweet using the hashtag ‘OpIsrael’ which refers to the ongoing annual large scale hacking campaign coordinated by the Anonymous Group.
- As no evidence of a breach has been found to date, it is suspected that the data originates from a database known as Agron 2006 that was leaked online in 2006 by a Ministry of Labor and Welfare contract worker.
Bitcoin wallet Electrum suffers DoS attack from botnet of 140,000 machines
- As reported by Hard Fork, a sophisticated botnet consisting of over 140,000 machines has launched a Denial-of-Service (DoS) attack on Electrum servers with the aim of redirecting users to compromised versions of the platform, designed to steal their Bitcoin.
- So far, millions of dollars have been reportedly stolen, with one user losing almost $140,000 in Bitcoin. According to an Electrum spokesman, users who have not updated their Electrum software recently are most at risk.
UK Home Office admits data breach in Windrush compensation scheme
- The department sent emails to Windrush migrants in which the email addresses of other recipients could be seen. Five batches of emails, each with 100 recipients, were exposed.
Cyber-attack shuts down Hoya Corporation’s Thailand plant
- Japanese optical products manufacturer HOYA Corporation was hit by a cyber-attack in late February, which led to a shutdown of some of its production lines in Thailand for three days. Approximately 100 computers were infected with ransomware that was designed to steal user credentials from compromised machines and drop a cryptocurrency miner.
- Hoya Corporation blocked the cryptojacking attempt after the malware put an abnormal load on a network server, which led to the quick discovery of the attack.
- The Japanese headquarters were simultaneously affected, which made it difficult to issue invoices during the attack. Industrial output dropped to 60% during the attack, however, no data was leaked.
Xiaomi browsers remain vulnerable after patches fail
- The flaw, CVE-2019-10875, affects international versions of Mint browser and Mi, the web browser that is preinstalled on Xiaomi smartphones, and could enable attackers to spoof URLs in a way that is hard for users to detect.
- The fixes applied by Xiaomi were bypassed by bounty hunter Renwa, after which Xiaomi attempted another patch which was bypassed again.
Zero-day buffer overflow vulnerability discovered in TP-Link routers
- IBM X-Force researcher Grzegorz Wypych discovered a zero-day buffer overflow vulnerability in TP-Link WR-940 routers that could allow attackers to take control of the devices from a remote location.
- In a blog post, the researcher provides a detailed analysis of the flaw and how he was led to its discovery. The flaw was patched soon after it was reported.
Cisco reports two further flaws in small business routers
- Cisco has released further fixes for the two patched flaws in their RV320 and RV325 small business routers tracked as CVE-2019-1652 and CVE-2019-1653. These flaws were previously patched in September 2018, however, the fixes were incomplete and further patches have recently been issued.
- At the same time as the re-patch, Cisco alerted users to two further flaws, CVE-2019-1827 and CVE-2019-1829, affecting the same routers. The first flaw could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting attacks against users, and the second could allow a remote attacker access to administrative controls. No patch has yet been issued for these flaws.
Further details released after testimony in Mar-a-Lago breach case
- Chinese national Yujing Zhang allegedly carried four mobile phones and a thumb drive containing malware, as well as other electronics, into Trump’s private Florida club Mar-a-Lago. Further reports have now detailed that the malware smuggled in on the pen drive had the capability to infect a computer as soon as the drive was plugged in.
- In addition, possessions in Zhang’s hotel room included five SIM cards, nine USB drives, a second mobile phone, a signal indicator and over $8,000 in cash.
Two New Jersey Secaucus High School students hack WiFi to avoid tests
- The two students used an interrupter program or app to perform a denial of service attack on the school’s WiFi equipment to cause it to crash. The two students have been charged with computer criminal activity.
Huawei WiFi modules removed from Pakistan CCTV system
- According to the BBC, Huawei was told to remove WiFi transmitting cards from 1,800 CCTV cameras that were installed in Pakistan as part of the Lahore Safe City programme.
- The WiFi cards were discovered by the Punjab Safe City Authority who told Huawei to remove them in 2017. Despite the presence of these cards being referenced in the original bidding documents, the reference described them as ‘obscure’. Huawei responded stating there has been a ‘misunderstanding’ and that the cards were installed to provide diagnostic information.
Authorities use AI systems to arrest criminals behind Bitcoin Ponzi scheme
- South Korean authorities used artificial intelligence (AI) systems to identify language patterns of a Bitcoin Ponzi scheme that stole over $18.7 million from around 56,000 people. This led them to track down the perpetrators behind the scheme and arrest them.
Group-IB and NGN International report Gulf countries heavily targeted in 2018
- Group-IB has reported that they have found the compromised credentials of 7,306 users from Gulf countries in 2018, as well as a total of 138,978 compromised cards.
- In 2018, Gulf countries in particular, such as Bahrain, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates, were targeted, according to evidence discovered on underground forums, phishing websites and analysis of cyber criminals’ infrastructure.
Planetary ransomware can decrypt files for free
- Researchers at Emsisoft have developed a decryptor for Planetary ransomware that allows victims to decrypt their files for free.
Increase in attacks against OECD countries
- Criminals have reportedly targeted half the member states of the Organisation for Economic Cooperation and Development (OECD) that held national elections in 2018. The OECD is a group of 36 of the world’s richest nations committed to promoting democracy and the free market.
- A report by the Canadian Security Establishment stated that voters have become the target of cyber activity rather than political parties. In addition, the report stated that a small number of nation states have begun targeting their activity during democratic processes worldwide, following the success of Russia’s interference in the 2016 US presidential election.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.