Silobreaker Daily Cyber Digest – 09 January 2019
85 adware apps on Google Play installed 9 million times
- Trend Micro observed malicious apps disguised as car simulator games, television streaming channels, and remote controllers for TV sets.
- The adware, AndroidOS_HidenAd, is capable of hiding and running in the background once it is downloaded.
- The apps belong to the same adware family and share code, though Trend Micro noted the manufacturers and APK cert public keys differ.
Zazdi botnet using Firebase Cloud Messaging to communicate with infected devices
- SonicWall Capture Labs Threat Research team observed a botnet campaign, dubbed Zazdi, using Firebase Cloud Messaging to communicate with its infected bots.
- Multiple Facebook pages were identified that contain links to websites hosting a malicious Android app belonging to the botnet’s campaign.
- The malware supports up to 50 commands that can be executed on infected devices, used among other things to make the apps seem legitimate.
Phone fraudsters use IRSF scheme to steal revenue from premium phone number services
- ZDNet reported that attackers are using a scheme dubbed International Revenue Share Fraud (IRSF) to earn money via phone fraud. The scheme involves the abuse of premium phone numbers to profit from the fees charged for premium phone calls.
- Some firms that provide the infrastructure for premium phone numbers, known as International Premium Rate Number (IPRN) providers, have partnered with spammers and criminals who generate traffic to those numbers, and the two parties split the call fees that are ultimately charged to telecommunications companies and their customers.
Leaks and Breaches
WelderSupply[.]com suffers data breach
- The breach may have affected customer information entered through the WelderSupply[.]com website between November 14th and December 6th, 2018. The type of information collected and the number of customers potentially affected remain unknown.
Discounted copies of Microsoft products pose security risk
- Brian Krebs has reported on the dangers of buying Windows software at a discount from an online seller. In his example, a reader purchased Microsoft Office 2016 Professional Plus for $4 via eBay. The purchase came in the form of a subscription-enabled account rather than a product key: the buyer must log in using assigned credentials, which appear to belong to someone else at another organisation.
- Whilst the software itself does appear to work, it is unclear what account is being used, and synchronisation features such as OneDrive appear to sync personal documents and files created using Office, posing a data leakage risk to anyone who uses these discounted accounts.
Microsoft fixes multiple vulnerabilities in Patch Tuesday
- Patch Tuesday fixed 49 vulnerabilities, with seven of them rated critical. These include fixes for CVE-2019-0539, CVE-2019-0567 and CVE-2019-0568, which are memory corruption vulnerabilities in Microsoft Edge, due to the way the Chakra Scripting Engine handles objects in memory.
- Other fixes include CVE-2019-0555, an escalation of privilege vulnerability that could allow an attacker to escape an AppContainer sandbox, and CVE-2019-0547, a memory corruption vulnerability in the Windows DHCP client.
Adobe fixes critical vulnerabilities
- The two vulnerabilities are CVE-2018-19718, a session token exposure issue in Adobe Connect version 9.8.1 and earlier, and CVE-2018-12817, an out-of-bounds read bug that affects the Digital Editions software versions 4.5.9 and earlier.
- The security updates were released by Adobe alongside patches for Acrobat DC and Acrobat Reader DC.
Shipping industry targeted by BEC attacks
- Pen Test Partners reported that attackers are imitating high-level executives and using a wide range of social engineering techniques in business email compromise (BEC) attacks against shipping firms.
- Before launching the attacks, the threat actors collect information on their targets from publicly available sources such as social media, then use a variety of social engineering techniques to lure victims into disclosing sensitive information such as bank details. According to Pen Test Partners, the main motivation behind the attacks appears to be financial gain.
Microsoft forced to pay $1,258 after Windows 10 upgrade damages computer
- A Finnish man demanded compensation from the firm after an unauthorized Windows 10 upgrade resulted in his PC breaking.
German hacker arrested over leak of hundreds of politicians’ data
- German authorities arrested the 20-year-old who reportedly committed the crime in annoyance over a number of German politicians’ statements.
- The hacker published the leaks on his Twitter account @_0rbit.
Zerodium announces $2 million payout for remote iOS jailbreaks
- The zero-day broker announced a number of payouts, including $2 million for remote iOS jailbreaks, and $1 million for chat app exploits.
- Other payouts for Chrome on Android and Safari on iOS exploits increased to $500,000.
New tool automates phishing attacks and bypasses 2FA
- Researcher Piotr Duszynski developed a penetration testing tool, dubbed ‘Modlishka’, that automates phishing attacks and can bypass two-factor authentication (2FA).
- Modlishka is a reverse proxy modified for handling traffic meant for login pages and phishing campaigns. It is capable of retrieving content from legitimate sites in real time, meaning it does not use any ‘templates’.
- Moreover, the tool was described as requiring little maintenance and a low level of technical skill compared with other phishing tools.
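The practical caveat behind the Modlishka item is that a real-time reverse proxy defeats second factors that are just a value the victim types (TOTP codes, SMS codes, push approvals), because the proxy relays that value to the real site unchanged, but it does not defeat origin-bound factors such as WebAuthn/U2F, where the authenticator signs over the origin the browser actually connected to. The following model, an added example written for this digest and not Modlishka's own code, simulates both cases. Everything in it is constructed: the hypothetical relying party `RelyingParty`, the `Authenticator` (which uses an HMAC in place of a real signature), the origins `login.example.com` and `login.example-com.net`, and the `reverse_proxy` function that stands in for the phishing proxy.

```python
"""
Why a real-time reverse-proxy phish relays OTP-style 2FA but fails against
origin-bound WebAuthn/U2F.  Constructed model, not Modlishka's code; every
name, origin and credential below is hypothetical.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"      # hypothetical real login page
PHISH_ORIGIN = "https://login.example-com.net"  # hypothetical proxy domain


class RelyingParty:
    """Hypothetical login service accepting password + one of two second factors."""

    def __init__(self, origin):
        self.origin = origin
        self.password = "correct horse battery staple"   # constructed
        self.otp = "123456"                               # constructed TOTP value
        self.key = secrets.token_bytes(32)                # shared with the authenticator
        self.challenge = None

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def login_with_otp(self, form):
        # An OTP carries no information about which page the user typed it into,
        # so a proxied submission is indistinguishable from a genuine one.
        return form["password"] == self.password and form["otp"] == self.otp

    def login_with_webauthn(self, form):
        # The authenticator signed client data that includes the origin the
        # browser actually talked to; the relying party must verify it.
        client_data = json.loads(form["client_data"])
        if client_data["origin"] != self.origin:
            return False
        if client_data["challenge"] != self.challenge:
            return False
        mac = hmac.new(self.key, form["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, form["signature"])


class Authenticator:
    """Hypothetical security key; HMAC stands in for the per-RP signature."""

    def __init__(self, key):
        self.key = key

    def make_assertion(self, challenge, origin_seen_by_browser):
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True
        )
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


def reverse_proxy(rp, form):
    """Hypothetical phishing proxy: captures the form, then forwards it verbatim."""
    captured = dict(form)  # the attacker now holds whatever the victim submitted
    if "otp" in captured:
        return rp.login_with_otp(captured)
    return rp.login_with_webauthn(captured)


def phish_otp(rp):
    """Victim types password and OTP into the proxied page; the relay succeeds."""
    victim_form = {"password": rp.password, "otp": rp.otp}
    return reverse_proxy(rp, victim_form)


def phish_webauthn(rp, authenticator):
    """Proxy relays the real challenge, but the browser reports the phishing origin."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.make_assertion(challenge, PHISH_ORIGIN)
    return reverse_proxy(rp, {"client_data": client_data, "signature": sig})


def legit_webauthn(rp, authenticator):
    """Control case: the user is on the genuine origin, so the assertion verifies."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator.make_assertion(challenge, LEGIT_ORIGIN)
    return rp.login_with_webauthn({"client_data": client_data, "signature": sig})


if __name__ == "__main__":
    rp = RelyingParty(LEGIT_ORIGIN)
    auth = Authenticator(rp.key)
    print("OTP relayed through proxy   ->", phish_otp(rp))            # True
    print("WebAuthn on genuine origin  ->", legit_webauthn(rp, auth))  # True
    print("WebAuthn relayed via proxy  ->", phish_webauthn(rp, auth))  # False
```

The proxy never has to break anything: in the OTP case it simply forwards what the victim typed, which is why the tool needs no templates and little skill. In the WebAuthn case the same forwarding fails because the signed `origin` field names the proxy's domain, and a correctly implemented relying party rejects it before looking at the signature.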
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.