Silobreaker Daily Cyber Digest – 09 September 2019
Phishing campaign discovered using Salesforce’s invoice-sending functionality
- Researchers at Avanan discovered a phishing attack, dubbed SalesPharce, targeting one of Avanan's customers. The attackers sent fake Salesforce invoices containing a malicious link from the Salesforce account of one of the customer's vendors.
- The fake invoices appear legitimate because they are sent from the vendor's official Salesforce account, which the threat actors had compromised. The threat actors also compromised the vendor's public website and injected two malicious URL paths into it.
- The compromise also exposed sensitive data belonging to the vendor, including details of its customers and partners.
Qakbot delivered via fake update notices
- Researchers at My Online Security discovered a campaign delivering Qakbot via emails containing a fake update notice purporting to come from west-telecom[.]com. The email includes a link to a ZIP file containing an encrypted and encoded VBS file, which drops the backdoor along with a copy of the legitimate Windows calc.exe.
- The link in the email leads to a compromised Nigerian e-commerce site with an open directory listing that also hosts additional malware. Several versions of the ZIP and VBS files, along with various webshells, were found in the site's open directory.
- The company itself does not appear to have been compromised; at present its website either displays a 404 error or redirects the visitor to a French telecom company. However, the domain's email settings allow anyone to send email on behalf of west-telecom[.]com, and the researchers observed emails being sent from multiple IP addresses, domains and servers.
Nemty Ransomware distributed via fake PayPal site
- Researcher nao_sec identified a fraudulent PayPal site that attempts to trick users into downloading Nemty ransomware. The download is disguised as an application that purportedly offers users 3-5% returns on purchases made on the PayPal platform.
- The fake site copies the structure and visuals of the legitimate site and features homographic domain names that redirect to the legitimate PayPal site.
- Researcher Vitali Kremez analyzed the Nemty variant used in the campaign and identified it as version 1.4. This version includes a check that prevents it from infecting devices located in Russia, Belarus, Kazakhstan, Tajikistan or Ukraine.
Lilocked ransomware targets servers and websites
- Security researcher Benkow identified Lilocked ransomware being used to target servers and encrypt their data. Because the infected servers host websites, the encrypted files are appearing in Google search results.
- Google reported that over 6,000 search results have been encrypted; however, many of these results belong to the same sites. At present no free decryption key is available for Lilocked.
GootKit malware sets patch exclusions to avoid Windows Defender
- Security researcher Vitali Kremez discovered that GootKit malware uses a UAC bypass and WMIC commands to add its own path to the Windows Defender exclusion list so that it is not analyzed by Windows Defender. By setting the exclusion path, the attackers ensure that Windows Defender continues to ignore GootKit's path even if it is configured to detect the sample.
- The malware is used to steal online credentials through fake banking sites and via video capture. A full technical analysis of the technique is available via Bleeping Computer.
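A defender's counterpart to the GootKit item above: a small detection that scans process-creation events for commands that add a Windows Defender exclusion, whether through the MSFT_MpPreference WMI class (reachable from wmic.exe, as in the GootKit case) or the PowerShell Defender cmdlets. This is an added example, not code from the original digest or from any of the cited researchers; the event field names follow Sysmon event 1 naming and the sample events are constructed.

```python
import re

# Defender settings can be changed through the MSFT_MpPreference WMI class
# (reachable from wmic.exe) or through the PowerShell Defender cmdlets.
WMI_DEFENDER = re.compile(r"root\\microsoft\\windows\\defender|msft_mppreference", re.I)
PS_DEFENDER = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
# Captures the value passed to ExclusionPath / ExclusionProcess / ExclusionExtension.
EXCLUSION_ARG = re.compile(r'exclusion(?:path|process|extension)\s*[=\s]\s*"?([^"\s]+)"?', re.I)
# Locations where a dropper typically lives; an exclusion covering one of these,
# or a parent process running from one, is rated high severity.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def inspect_event(event):
    """Return a finding for a process-creation event that adds a Defender
    exclusion, or None. Field names follow Sysmon event 1 (assumed)."""
    cmd = event.get("CommandLine", "")
    uses_wmic = "wmic" in cmd.lower() and WMI_DEFENDER.search(cmd)
    if not (uses_wmic or PS_DEFENDER.search(cmd)):
        return None
    m = EXCLUSION_ARG.search(cmd)
    if not m:
        return None
    excluded = m.group(1)
    parent = event.get("ParentImage", "")
    haystack = (parent + "|" + excluded).lower()
    severity = "high" if any(p in haystack for p in USER_WRITABLE) else "medium"
    return {"severity": severity, "tool": "wmic" if uses_wmic else "powershell",
            "excluded": excluded, "parent": parent}

def scan(events):
    """Run inspect_event over a list of events and keep only the findings."""
    return [f for f in (inspect_event(e) for e in events) if f]

# Constructed sample telemetry (not real events): a WMIC exclusion added by a
# binary running from AppData, an admin adding a build-agent exclusion from
# PowerShell, and an unrelated WMIC inventory query.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\update.exe",
     "CommandLine": r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\alice\AppData\Roaming"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "D:\BuildAgent\work"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get Caption,Version"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administrators also add exclusions, so the severity field is a triage hint: the parent process location and the excluded path decide whether the event looks like a dropper protecting itself.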
Campaign uses fake DHL emails to deliver keylogger
- My Online Security researchers observed a new campaign sending fake DHL delivery notice emails containing malicious macro-enabled Word or Excel files, or ZIP files that extract an executable. It is unclear which keylogger is delivered: some anti-virus programmes identify it as AgentTesla, others as Sentinel.
- The executable is downloaded from a phishing site impersonating Heritage Bank. Once downloaded, it checks the user's IP address before dropping three additional executables. The malware then alters the firewall settings and attempts to send stolen data to a location the researchers could not identify.
PsiXBot updated to use Google DNS over HTTPS and sexploitation feature
- In August and September 2019 researchers at Proofpoint identified two new versions of the PsiXBot malware, 1.0.2 and 1.0.3. Both variants were dropped via the Spelevo Exploit Kit and use Google's DNS over HTTPS (DoH) service to resolve the IP address of the attackers' C2 domain. The researchers stated that the attackers route their DNS queries through Google's DoH service in order to hide the lookups of their C2 domain inside HTTPS traffic.
- PsiXBot features a keylogger, password stealer, cookie stealer, crypto modules, and more.
- Unique to version 1.0.3 is a new module named 'StartPorn', which contains a dictionary of terms associated with pornography. If a user enters a word in their browser that matches a term in the dictionary, the malware records audio and video, which is exfiltrated to the attackers' C2. This new module allows the attackers to carry out blackmail campaigns.
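Because PsiXBot resolves its C2 domain through Google's DoH service, the C2 lookup never appears in conventional DNS logs, but the HTTPS request to Google's resolver is still visible to a proxy. The following added example (not code from the digest or from Proofpoint) scans constructed proxy log lines for requests to Google's DoH endpoints and records the requesting process, since browsers such as Firefox use DoH legitimately and the process name is what separates them from a non-browser binary doing its own resolution. The log format and the hostnames in the sample are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Google's public DoH endpoints: the RFC 8484 wire-format path and the JSON API path.
DOH_HOSTS = {"dns.google", "dns.google.com", "8.8.8.8", "8.8.4.4"}
DOH_PATHS = {"/dns-query", "/resolve"}
# Processes for which DoH to Google is expected (browser-level DoH).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Assumed proxy log layout: "<timestamp> <client_ip> <process> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def classify(line):
    """Return a finding dict if the line is a DoH request to Google, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    if u.scheme != "https" or u.hostname not in DOH_HOSTS or u.path not in DOH_PATHS:
        return None
    # The JSON API carries the queried name in the query string. The wire format
    # carries it base64url-encoded in a 'dns' parameter or in a POST body, so the
    # proxy often cannot see which name was resolved.
    name = parse_qs(u.query).get("name", ["<not visible>"])[0]
    return {"ts": m["ts"], "src": m["src"], "proc": m["proc"],
            "endpoint": u.hostname + u.path, "name": name,
            "browser": m["proc"].lower() in BROWSERS}

def scan(lines):
    """Return findings for every DoH-to-Google request in the log lines."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log (not real traffic); the domain names are placeholders.
SAMPLE_LOG = [
    "2019-09-06T10:01:12Z 10.0.0.5 firefox.exe GET https://www.example.com/",
    "2019-09-06T10:01:15Z 10.0.0.5 rundll32.exe GET https://dns.google.com/resolve?name=c2.example.invalid&type=A",
    "2019-09-06T10:01:16Z 10.0.0.7 firefox.exe POST https://dns.google/dns-query",
    "2019-09-06T10:01:20Z 10.0.0.5 rundll32.exe GET https://8.8.8.8/resolve?name=backup.example.invalid&type=A",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        flag = "expected" if finding["browser"] else "REVIEW"
        print(flag, finding)
```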
LordEK exploit kit delivers data back to attackers via cookie
- Researchers at Trustwave discovered that the LordEK exploit kit sets a cookie on a target's device which is used to relay information back to the attacker. The cookie is delivered via the Set-Cookie HTTP header and contains base64-encoded data, which the browser sends back to the attacker's server in the follow-up request for the Flash exploit.
- The data contains a Unix timestamp showing when the cookie was issued, when the CVE was used, the URL of the payload and the type of exploit.
- The researchers attempted to test whether the cookie data was used only for collecting data or was directly used in constructing the Flash exploit. However, the server became unresponsive before they could complete the analysis.
Leaks and Breaches
Data breach exposes email addresses of up to 2,000 transgender patients
- London's Charing Cross Gender Identity Clinic accidentally sent an email to nearly 2,000 of its transgender patients without using the blind carbon copy (Bcc) function, exposing every recipient's address to all other recipients.
Major Swedish companies affected by DataSpii
- According to Heimdal Security, a number of Swedish companies, including Volvo, Scandinavian Airlines and Ericsson, have been affected by the DataSpii data leak, first discovered in July 2019. Millions of individuals are believed to have been affected by the leak, including about 40,000 Swedes.
- The data leak, uncovered by security researcher Sam Jadali, involved browser extensions for Chrome and Firefox that harvested browsing activity, including personally identifiable information and corporate information. Leaked data included discussions between employees, downloaded files, internal confidential information and more.
- Following the reports on the leak, Nacho Analytics, which collected and sold the data, is ending its activity; a message on its website states that it will close all remaining accounts.
Tamil Nadu Police exposes private data by using facial recognition app with unsecured database
- Security researchers Elliot Alderson and Oliver Hough discovered a publicly accessible database containing private data of individuals suspected by the Madurai branch of the Tamil Nadu police of involvement in criminal activity. The database contained records of about 4,900 'wanted' individuals and a total of 7,500 images.
- The data was collected by Geomeo Informatics' CopsEye app, which automatically sends photos taken of suspected criminals to the police's centralized criminal database for scanning. Exposed data included names, photographs, one-time passwords, an administrator password, and details of the police officers who were using the app.
- According to a Geomeo Informatics spokesperson, the app in question was a demo version and the leaked data was from a test set. The app is no longer available on Google Play Store.
Exim server vulnerability allows attackers to run malicious code with root privileges
- The flaw, tracked as CVE-2019-15846, was discovered by security researcher Zerons in early July 2019 and kept secret because of the ease of exploitation, the large number of vulnerable servers and the severity of the issue.
- The flaw affects all Exim servers running version 4.90.1 and earlier. It can be exploited if the Exim server is configured to accept incoming TLS connections. In that case an attacker can send an SNI value containing a malicious backslash-null sequence, which can then be used to run malicious code with root privileges.
- Exim revealed the vulnerability on September 6th, 2019, and at the same time released version 4.92.2 which resolves the issue.
PHP release fixes multiple vulnerabilities
- PHP developers released PHP versions 7.3.9, 7.2.22, and 7.1.32, which resolve multiple flaws. The most severe flaw allows a remote attacker to execute code on a targeted server. Other patched flaws could trigger a DoS condition on vulnerable systems.
Cisco patches high severity vulnerability in Webex Teams
- Cisco patched a vulnerability, tracked as CVE-2019-1939, which could allow remote code execution in Webex Teams for Windows prior to version 3.0.12427.0.
- The vulnerability is caused by improper restrictions on the software logging features used by the application on Windows. It can be exploited if an attacker persuades a user to visit a site designed to submit malicious input to the affected application. Successful exploitation could allow the attacker to modify files and execute arbitrary code.
- Cisco also released patches for two other high severity vulnerabilities and five medium severity flaws. A full list of vulnerabilities and impacted products is available via Cisco.
Report published on March 2019 cyber attack on US power grid
- The North American Electric Reliability Corporation (NERC) published a report detailing 'lessons learned' following an attack on a grid control center and several small power generation sites on March 5th, 2019. The incident involved attackers abusing a vulnerability in the firewall system at the site to carry out a denial-of-service attack.
- Although the incident did not cause any blackouts and lasted only roughly five minutes, it is referred to as the 'first disruptive cyber event on record for the US power grid' after being reported to the US Department of Energy.
Exploit for BlueKeep vulnerability released on Metasploit
- On September 6th, 2019, a module for the wormable BlueKeep vulnerability was publicly released. The flaw, tracked as CVE-2019-0708, is located in the Remote Desktop Services of Windows Server 2003, Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. Microsoft patched the vulnerability in May 2019, but unpatched machines remain vulnerable.
- At present the module is a work in progress: users must still specify which version of Windows they are targeting, and getting the exploit to work against server machines requires changing default settings in the directory.
Toyota Boshoku Corporation loses more than $37 million in BEC attack
- On September 6th, 2019, Toyota Boshoku Corporation revealed that it lost more than $37 million in a BEC attack that occurred on August 14th, 2019. The company manufactures car components and is a subsidiary of the Toyota Group.
Apple disputes severity of iOS vulnerabilities revealed by Google's Project Zero
- On September 6th, 2019, Apple released a statement following the disclosure by Google's Project Zero of vulnerabilities in iOS. Apple asserted that the attack was narrowly focused on the Uighur community and affected fewer than a dozen websites over a period of roughly two months.
- The statement went on to say that Google's post created a false impression that stoked fear among iPhone users. Apple also claimed it had already been in the process of fixing the bug when Google approached it.
- A Google spokesperson defended the research stating that ‘We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities.’
Malware samples uploaded by US Cyber Command have links to North Korean APT
- According to security researchers, the 11 malware samples uploaded to VirusTotal on September 9th, 2019 by US Cyber Command are linked to North Korean government hackers. Some of the samples have previously been linked to the Lazarus Group, including the Hoplight trojan, which is used for information gathering and uses a public SSL certificate for secure communications.
- Security researchers are debating the usefulness of uploading already-known malware; however, according to FireEye's Andrew Thompson, the uploads are intended as a message to North Korean hackers that they cannot remain anonymous in cyberspace.
Oklahoma pension fund loses $4.2 million to cyber criminals
- On September 6th, 2019, the Oklahoma Law Enforcement Retirement System revealed that it lost $4.2 million following a cyber attack. A spokeswoman for the Governor of Oklahoma stated that the investigation is ongoing, but that the theft is believed to have resulted from a compromise of the agency's email system.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.