Silobreaker Daily Cyber Digest – 09 August 2019
New TrickBot module discovered
- Cofense Intelligence researchers discovered a new credential-stealing module for TrickBot, dubbed Cookie Grabber, that collects web browser cookie data.
- The module targets Firefox and Chrome cookie data stored in a SQLite database on the local host; for Internet Explorer, it targets the text files in which browser cookies are stored.
- Initially, this functionality was part of TrickBot's main module. Splitting it into a separate module makes it easier for the operators to evade detection and allows more specialised modules to be downloaded.
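A defender's view of the item above, as an added example that is not from the digest or from Cofense: a small detection run over constructed file-open telemetry that flags any process other than the browser itself opening a browser cookie store. The Firefox, Chrome and Internet Explorer store locations are the well-known default paths; the event format and the owner allow-list are assumptions.

```python
"""Flag browser cookie stores opened by processes other than the browser.

Added example, not from the digest or from Cofense: a small detection run
over constructed file-open telemetry. The Firefox, Chrome and Internet
Explorer cookie-store locations are the well-known default paths; the
event format and the owner allow-list are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Process images that legitimately open each store (assumed allow-list).
STORE_OWNERS = {
    "firefox": {"firefox.exe"},
    "chrome": {"chrome.exe"},
    "ie": {"iexplore.exe", "explorer.exe"},
}

# Default cookie-store locations described in the item: SQLite databases
# for Firefox and Chrome, per-cookie text files for Internet Explorer.
STORE_PATTERNS = {
    "firefox": re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I),
    "chrome": re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$", re.I),
    "ie": re.compile(r"\\Microsoft\\Windows\\INetCookies\\[^\\]+\.txt$", re.I),
}


@dataclass(frozen=True)
class FileOpenEvent:
    pid: int
    image: str   # full path of the process executable
    target: str  # file being opened


def classify_store(path: str) -> Optional[str]:
    """Return which browser's cookie store `path` is, or None if it is not one."""
    for browser, pattern in STORE_PATTERNS.items():
        if pattern.search(path):
            return browser
    return None


def suspicious_cookie_access(events: Iterable[FileOpenEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, image name, browser) for every cookie-store open by a non-owner."""
    hits = []
    for ev in events:
        browser = classify_store(ev.target)
        if browser is None:
            continue
        image_name = ntpath.basename(ev.image).lower()
        if image_name not in STORE_OWNERS[browser]:
            hits.append((ev.pid, image_name, browser))
    return hits


# Constructed telemetry: one unknown process touching two cookie stores.
SAMPLE_EVENTS = [
    FileOpenEvent(1204, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    FileOpenEvent(4412, r"C:\Users\alice\AppData\Roaming\updater.exe",
                  r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    FileOpenEvent(4412, r"C:\Users\alice\AppData\Roaming\updater.exe",
                  r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\cookies.sqlite"),
    FileOpenEvent(880, r"C:\Windows\explorer.exe",
                  r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCookies\A1B2C3D4.txt"),
    FileOpenEvent(2210, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                  r"C:\Users\alice\Documents\report.docx"),
]

if __name__ == "__main__":
    for pid, image, browser in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} opened the {browser} cookie store")
```

The allow-list is deliberately narrow: backup agents and browser-sync helpers will also touch these files in a real fleet, so tune `STORE_OWNERS` to your estate rather than widening the patterns.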
New Varenyky malware targets French nationals with spam campaigns
- ESET researchers identified a new malware, named Varenyky, that distributes two types of spam as regular internet traffic. Varenyky only targets French nationals who use the French ISP Orange S.A., and checks a locale identifier to ensure that French speakers in Belgium and Canada are not accidentally infected.
- The first spam campaign is a smartphone promotion that tries to harvest victims' credentials. The second is a sextortion scam in which users are told by email that they were recorded while viewing an adult website.
- In addition to its spambot features, the malware can steal passwords and spy on the target's screen using FFmpeg. Stolen information is sent to the attacker's C2 server through the Tor network.
- The researchers concluded that the malware is not very advanced but that its operators are refining it by testing out a variety of different functions.
Fileless TrickBot infection targets Windows 10
- IBM X-Force researchers identified a new variant of TrickBot malware that uses a fileless attack and targets 64-bit Windows 10. During the infection process, the malware's modules and downloaded configuration files are no longer saved locally on the infected device. A full technical analysis is available in the IBM X-Force report.
Attack campaign propagated through Pardot CRM
- Researchers at Netskope identified a campaign delivered through the cloud-based CRM Pardot. The attack begins with a ZIP file, downloaded from Pardot storage, that contains a .lnk file. When opened, the shortcut runs a script that downloads the next stage of the payload from Google Docs, which in turn downloads the TrickBot trojan.
- According to the researchers, the attack takes advantage of the high level of trust that users place in cloud CRM platforms, often treating their data and associated links as internal. The Salesforce security team was made aware of the issue on August 5th, 2019.
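The delivery chain above starts with a ZIP archive carrying a Windows shortcut. As an added example that is not from the digest or from Netskope, the scanner below walks such an archive (including one level of nested ZIPs) and flags shortcut entries both by their `.lnk` extension and by the Shell Link file header, which catches a shortcut renamed to look like a document. The sample archive is constructed in memory; the padded header it contains is not a working shortcut.

```python
"""Inspect a ZIP attachment for Windows shortcut (.lnk) payloads.

Added example, not from the digest or from Netskope. Walks a ZIP,
descending into nested ZIPs up to max_depth, and reports entries that are
shortcuts by extension or by the Shell Link header. The archive built by
build_sample_zip() is constructed for demonstration.
"""
import io
import posixpath
import zipfile
from typing import List, Tuple

# Shell Link header: HeaderSize 0x0000004C followed by the CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def scan_zip(zip_bytes: bytes, max_depth: int = 1) -> List[Tuple[str, str]]:
    """Return (entry path, reason) for each shortcut found.

    Entries inside nested archives are reported as outer.zip!/inner.
    """
    findings: List[Tuple[str, str]] = []

    def walk(data: bytes, prefix: str, depth: int) -> None:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                full = prefix + info.filename
                ext = posixpath.splitext(info.filename)[1].lower()
                content = zf.read(info)
                if ext == ".lnk":
                    findings.append((full, "lnk extension"))
                elif content.startswith(LNK_MAGIC):
                    findings.append((full, "Shell Link header under a different extension"))
                elif ext == ".zip" and depth < max_depth:
                    walk(content, full + "!/", depth + 1)

    walk(zip_bytes, "", 0)
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a benign text file, a .lnk, a renamed .lnk and a nested ZIP."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only, zero-padded; not a usable shortcut
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.lnk", fake_lnk)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"quarterly figures attached")
        zf.writestr("invoice.pdf.lnk", fake_lnk)
        zf.writestr("report.doc", fake_lnk)
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

Checking the header as well as the extension matters because mail gateways that only block `*.lnk` by name are trivially sidestepped by a rename; the header check costs one read per entry.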
Leaks and Breaches
Lincoln County suffers from second ransomware infection in two weeks
- The county was hit by a second ransomware attack on August 6th, 2019, following an earlier attack on July 26th, 2019, that infected county networks and encrypted employee computers.
- The recent attack is said to have had a larger impact, crippling communications throughout the county and affecting some computer systems of the North Carolina Police. No ransom has been demanded yet.
Air New Zealand Airpoint customers affected by phishing scam
- Personal information of approximately 70,000 Air New Zealand Airpoints members was compromised in a phishing scam that targeted two Air New Zealand staff accounts.
- The airline revealed that some membership profile information was compromised; however, this did not include Airpoints accounts, passwords or credit card details.
Two arrested following data breach at Revenue Quebec
- The breach leaked Revenue Quebec HR information for 23,000 current, former, and contracted workers. Leaked information included names, Social Security numbers, birthdates, and some salaries. Authorities were made aware of the breach on July 25th, 2019 and are in the process of notifying impacted individuals.
- On August 7th, 2019, police arrested a man and woman, one of whom was employed by Revenue Quebec.
Kubernetes patches vulnerability in its K8s API
- Kubernetes patched a security vulnerability in its K8s API, tracked as CVE-2019-11247, which could allow users who only held RBAC permissions for a namespaced resource to also read, modify or delete cluster-scoped custom resources.
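To make the bug class in this item concrete, here is an added example that is not Kubernetes code and is not from the digest: a toy authorizer modelling a namespaced RoleBinding against a cluster-wide ClusterRoleBinding. The vulnerable variant decides based on the namespace in the request path, so a cluster-scoped custom resource addressed through a namespaced path is authorized against that namespace's bindings; the fixed variant checks the resource's actual scope. The kinds, subjects and resource names are invented.

```python
"""Toy RBAC authorizer showing the scope-confusion bug class in the item above.

Added example, not Kubernetes code: a simplified model of a namespaced Role
binding versus a cluster-wide ClusterRole binding. authorize_scope_blind trusts
the namespace in the request path; authorize_scope_aware checks the resource's
real scope. Kinds, subjects and names below are invented.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    namespace: Optional[str]  # None means the resource is cluster-scoped


@dataclass(frozen=True)
class Binding:
    subject: str
    verbs: FrozenSet[str]
    kinds: FrozenSet[str]
    namespace: Optional[str]  # None models a ClusterRoleBinding, a string a RoleBinding


def _rule_matches(b: Binding, subject: str, verb: str, resource: Resource) -> bool:
    return b.subject == subject and verb in b.verbs and resource.kind in b.kinds


def authorize_scope_blind(bindings: Iterable[Binding], subject: str, verb: str,
                          resource: Resource, request_namespace: Optional[str]) -> bool:
    """Vulnerable: a cluster-scoped resource reached through a namespaced path is
    authorized against that namespace's RoleBindings."""
    for b in bindings:
        if not _rule_matches(b, subject, verb, resource):
            continue
        if b.namespace is None or b.namespace == request_namespace:
            return True
    return False


def authorize_scope_aware(bindings: Iterable[Binding], subject: str, verb: str,
                          resource: Resource, request_namespace: Optional[str]) -> bool:
    """Fixed: cluster-scoped resources need a cluster-wide binding, and a namespaced
    binding only applies when the resource really lives in that namespace."""
    for b in bindings:
        if not _rule_matches(b, subject, verb, resource):
            continue
        if b.namespace is None:
            return True
        if resource.namespace is not None and resource.namespace == b.namespace == request_namespace:
            return True
    return False


# Constructed policy: team-a developers may edit widgets only inside team-a;
# platform admins hold a cluster-wide binding for the same kind.
BINDINGS = [
    Binding("dev-team-a", frozenset({"get", "update", "delete"}),
            frozenset({"widgets.example.com"}), "team-a"),
    Binding("platform-admins", frozenset({"get", "update", "delete"}),
            frozenset({"widgets.example.com"}), None),
]
TEAM_WIDGET = Resource("widgets.example.com", "frontend", "team-a")
OTHER_TEAM_WIDGET = Resource("widgets.example.com", "backend", "team-b")
CLUSTER_WIDGET = Resource("widgets.example.com", "global-settings", None)


def demo():
    """(blind, aware) decisions when dev-team-a deletes the cluster-scoped widget via team-a's path."""
    return (
        authorize_scope_blind(BINDINGS, "dev-team-a", "delete", CLUSTER_WIDGET, "team-a"),
        authorize_scope_aware(BINDINGS, "dev-team-a", "delete", CLUSTER_WIDGET, "team-a"),
    )


if __name__ == "__main__":
    blind, aware = demo()
    print(f"scope-blind authorizer allows the delete: {blind}")
    print(f"scope-aware authorizer allows the delete: {aware}")
```

The practical check this suggests for a cluster operator is to audit which ClusterRoleBindings grant verbs on custom resource definitions that are cluster-scoped, since after the fix those are the only bindings that should reach them.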
35 flaws discovered in 6 printer models
- Researchers at NCC Group discovered 35 vulnerabilities in printers made by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother. The vulnerabilities include buffer overflows, cross-site scripting, denial of service, information disclosure, and more. A full list of the vulnerabilities and their patches can be accessed via NCC Group.
New attack method can target Siemens PLCs
- Using a rogue engineering workstation, researchers at Technion and Tel-Aviv University developed a new attack method, dubbed Rogue7, which could allow an attacker to send commands to a Siemens S7-1500 PLC. The rogue workstation could also be used to remotely download a malicious control logic program without being noticed.
- The method was discovered after reverse-engineering the S7 network protocol that is used for communication between Siemens SIMATIC S7 PLC and the TIA Portal software. According to the researchers, these attacks are possible due to cryptographic design choices used in the S7 protocol.
- According to Siemens, the security features in its products should mitigate these attacks, and it recommends that users activate them. The company also plans to release product updates to address the security issues.
Steam zero-day privilege escalation vulnerability affects over 100 million users
- On August 7th, 2019, security researcher Felix disclosed a privilege escalation vulnerability in the Steam Windows client. The researcher found that any registry key could be modified by creating a symlink to a subkey; a service running with SYSTEM privileges could then be modified to launch a program with elevated rights.
- Following the disclosure, security researcher Matt Nelson created proof-of-concept code that he shared on GitHub.
- Steam's parent company Valve was informed of the vulnerability prior to its disclosure. Valve deemed the flaw 'Not Applicable', declined to pay a bug bounty, and told the researchers that they were not allowed to disclose it.
Avaya Deskphone vulnerability allows attackers to take over phones and listen to calls
- McAfee researchers found that Avaya IP Deskphones in the 9600 Series, J1000 Series and B189 are vulnerable to a remote code execution (RCE) flaw. The flaw is over a decade old and lies in open source software that Avaya copied and modified to run its devices.
- A malicious actor can launch the attack if they are directly connected to the phone or connected to the same network as the phone. A successful attacker could take over phone operations, exfiltrate audio from the speakers and potentially ‘bug’ the phone.
- Avaya released a patch for the issue on June 25th, 2019.
Multiple vulnerabilities discovered in WordPress plugin Easy2Map
- Plugin Vulnerabilities researchers discovered multiple security issues in the WordPress plugin Easy2Map, including a persistent cross-site scripting vulnerability. According to the researchers, the plugin is ‘fundamentally insecure.’
Researchers reveal new Windows process injection method
- SafeBreach researchers tested and catalogued the best-known Windows process injection techniques and found a new method, dubbed StackBomber, which according to them is stealthier than other methods and does not need elevated privileges to work. Process injection techniques can be used by malware to inject code into legitimate processes, for stealth or to bypass security mechanisms.
Critical election systems found to be connected to the internet
- Despite reassurances by US election officials and voting machine vendors that critical election systems cannot be hacked because they are never connected to the internet, a team of election security experts found 35 such systems connected to the internet.
- The SFTP server, which receives electronically transmitted votes, is only meant to be connected for several minutes before an election to test transmission and then again after voting has concluded to transmit the votes. However, the researchers found that multiple systems have been connected for several months, possibly years, which has left them vulnerable to hackers who could attempt to intercept and change results.
Iranian government hackers suspected of cyber intrusions in Bahrain
- On August 5th, 2019, the computer systems of Bahrain's National Security Agency, the Ministry of Interior, and the office of the First Deputy Prime Minister were targeted by hackers. Bahrain authorities had previously detected intrusions into its Electricity and Water Authority in which the hackers were said to have gained full command and control over some of its systems. One of the country's major employers, Aluminium Bahrain, also detected intrusions in its systems.
- According to intelligence given to Bahrain authorities by the US and others, Iranian government-backed hackers are allegedly behind the recent cyber intrusions into Bahrain’s critical infrastructure and government computers.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.