Silobreaker Daily Cyber Digest – 10 July 2019
New techniques observed in Powload malware
- Researchers at Trend Micro analysed over 50,000 samples of Powload malware, collected between January and June 2019, and observed the addition of new techniques designed to improve the malware’s effectiveness.
- These include basic evasion techniques, such as the use of XML-based documents, the use of unreadable text/ASCII to hide macro strings, the use of password-protected macro modules, and the possible use of hidden VBA project modules. The malware also uses macro-enabled documents for social engineering.
- The researchers believe Powload will continue to evolve and will remain prominent in the cybercrime scene.
New version of Smokeloader spotted using new deception and self-protection tricks
- Check Point researchers discovered that Smokeloader malware received updates providing it with new anti-hooking, anti-debug, anti-VM, and persistence capabilities.
- Moreover, the malware authors altered their custom sequence of arithmetic-logic operations which Smokeloader used to encode its C2 domains. The authors modified a single instruction in the sequence meaning that automatic tools intended to extract the Smokeloader configuration will no longer detect it.
- The researchers also found that the actor using this variant of Smokeloader is using its FakeDNS and DDoS plugins to attack the website of cryptocurrency wallet Trezor. Additionally, this new variant of Smokeloader connects to a malicious URL to download Azorult malware, designed to exfiltrate information.
Source (Includes IOCs)
Trickbot trojan threat grows as malware spotted with new IcedID proxy module
- Security researcher Brad Duncan recently discovered a malicious Office Word document that was being used to deploy a PowerShell script to download the Ursnif Trojan. Once the targeted system was compromised the host then received a new Trickbot malware variant containing an IcedID malware proxy module.
- IcedID malware operates as a banking trojan and redirects targets to fake banking sites, or attaches to browsers to inject fake forms on legitimate bank pages.
- Researcher Vitali Kremez determined that the IcedID proxy, that was downloaded with Trickbot, can inject itself in popular browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.
ERIS ransomware pushed by RIG exploit kit
- A researcher known as ‘nao_sec’ discovered a malvertising campaign that uses the popcash ad network to redirect users to the RIG exploit kit. Following redirection the kit will attempt to exploit a Shockwave vulnerability in the browser to download and install ERIS ransomware.
- A successful installation of ERIS ransomware results in files being encrypted on the target device. Additionally, the ransomware creates a note providing instructions on how to pay the ransom.
Source (Includes IOCs)
Danabot delivered through ‘Sexfavor’ email scam
- Trustwave researchers observed DanaBot banking trojan, known for being spread via extortion emails, now being dropped via a ‘Sexfavor’ email scam campaign.
- The emails ask for Bitcoins in exchange for sexual videos or photographs, and has a malicious attachment that contains the dropper.
Source (Includes IOCs)
State-sponsored threat actors behind Sea Turtle campaign use new DNS hijacking technique
- Researchers at Cisco Talos reported that the actors behind the Sea Turtle campaign remain active and are using a new DNS hijacking technique.
- The new technique is described as ‘difficult to track’ as the actor-controlled servers were found not to be used across multiple targets, but instead every hijacked entity received its own dedicated name server hostname and IP address. The technique leads to man-in-the-middle attacks and interception of login credentials. It was used against a private organization and a government organization in the Middle East and North Africa region.
- The researchers also confirmed that the group were behind an attack against The Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth) that occurred on April, 19th, 2019. The researchers determined that the hackers had access to the ICS-Forth network until at least April 24th, 2019.
- According to the researchers, the actors’ primary targets now include government organizations, energy companies, think tanks, international non-governmental organizations and at least one airport. Attacks have occurred in Europe, North America, North Africa and the Middle East.
Source (Includes IOCs)
Leaks and Breaches
Data breach exposes LA County patient data
- The confidential data of 14,591 Los Angeles (LA) County hospital and clinic patients was compromised as a result of a phishing attack on March 28th, 2019 on the Nemadji Research Corp., a company that contracts with the LA County Department of Health Services.
- The data itself was encrypted, however the accessed email account included encryption keys, allowing information to be stolen. Exposed data includes patient names, addresses, dates of birth, medical record numbers and Medi-Cal ID numbers. The Social Security numbers of two patients were also exposed.
Open database exposes 188 million records of personal data
- Security researcher Bob Diachenko discovered an open MongoDB database containing 188 million records on June 18th, 2019. It is unclear whether the database was accessed by a third-party.
- Roughly 800,000 of the records appear to be linked to the legal search engine LexisNexis, and contain names, past names, addresses, gender, parental status, biographies, family members and more, including private information on the person’s neighbours.
- Some records were also linked to the people search engine Pipl, however the researchers do not believe the companies themselves have been breached. The data itself came from a Github repository for a people search API called thedatarepo, for which the creators most likely either scraped or purchased the data from the companies.
Philadelphia Federal Credit Union (PFCU) customers hacked
- Reports of fraudulent activity first emerged during the weekend, with many customers noticing money totalling between $200 and $500 missing from their accounts.
- In a statement, the PFCU confirmed the security breach, stating it was discovered on July 8th, 2019 by the company. According to the PFCU the fraudulent activity is affecting a small number of its customers and the incident is not the result of an internal breach. Approximately 400 customers believed to have had their accounts compromised have been informed.
Severe prototype pollution vulnerability found in Lodash library
- The prototype pollution could be manipulated to perform Denial of Service attacks, remote code execution and property injection.
Four new vulnerabilities in Logitech Unifying USB receivers
- Security researcher, Marcus Mengs discovered the flaws in the USB’s are caused by outdated firmware. CVE-2019-13054 impacts Logitech R500, Logitech SPOTLIGHT and CVE-2019-13055 impacts all devices with keyboard capabilities. Logitech confirmed that these vulnerabilities will be patched in August.
- Both bugs can be exploited by attackers who have physical access to their targets and can be used to perform keystroke injection attacks, record keystrokes, and take over compromised systems.
- CVE-2019-13052 and CVE-2019-13053 also require attackers to have physical access to all devices and impact all Logitech Unifying devices. However, Logitech have said that they have no plans to fix these vulnerabilities.
Adobe patch vulnerabilities in range of products
- The flaws are in Bridge CC, Experience Manager and Dreamweaver products, and are rated as either ‘important’ or ‘moderate’ in severity. Adobe stated that there was no evidence that any of the vulnerabilities had been exploited in the wild.
- A full list of the vulnerabilities is accessible via Adobe’s Security Bulletins.
GE anesthesia and respiratory devices can be accessed by hackers with network access
- Researchers at CyberMDX discovered the vulnerabilities in models 7100 and 7900 of GE Aestiva and GE Aespire devices. The bugs can be exploited if an attacker accesses the hospital network and if the GE devices are connected via terminal servers.
- Attackers who gained access can force the devices to revert to less secure versions of the communication protocol and can modify parameters without authorization.
- Successful attackers could alter the gas composition input, alter barometric pressure settings, silence device alarms and alter time and date settings. GE decided not to patch the issues and stated the attack can be avoided if the machines are not connected to hospital networks.
Two actively exploited Zero-days patched in Microsoft’s July 2019 patch Tuesday
- CVE-2019-1132 is a Win32k bug that affects Windows 7 and Server 2008 systems and could allow attackers to run arbitrary code execution in kernel mode. Attackers could use this to escalate their privilege and gain the ability to install programs, access, alter or delete data, or create new accounts with full rights.
- CVE-2019-0880 is a splwow64 privilege escalation issue found in Windows 8.1, Server 2012 and later operating systems.
- In total Microsoft patched 77 flaws, 15 of which were assigned a ‘critical’ rating.
Intel MDS vulnerabilities affect several Siemens devices
- Siemens informed its customers of four known Intel Microarchitectural Data Sampling (MDS) vulnerabilities affecting some of its SIMATIC Field PG programming devices, SIMATIC Industrial PCs, SiMotion motion control systems, SINUMERIK CNC automation solutions, their PCU and TCU human-machine interfaces, and SIMATIC S7-1500 MFP CPUs.
- The vulnerabilities are tracked as CVE-2018-12130, CVE-2018-12126, CVE-2018-12127 and CVE-2018-11091 and can be exploited to leak information, such as passwords, website content, disk encryption keys or browser history.
- The new Siemens BIOS updates address these vulnerabilities for several Industrial PC devices, however the company urges customers to install operating system patches to completely eliminate the risk. For the other devices, the company recommends ensuring that untrusted code cannot be executed, as this is a requirement for the attack.
Multiple SAP vulnerabilities patched
- A total of twenty SAP Security Notes were released this month, with Onapsis Research Labs identifying one critical, one high severity and three medium priority vulnerabilities in their blogpost. Patches have been made available for all detected vulnerabilities.
- The critical vulnerability, CVE-2019-0330, is found in the Solution Manager Diagnostic Agent (SDMAgent) and, if exploited, could enable an attacker to bypass validation by sending a custom-crafted payload to obtain full control over the SAP system. SDMAgent is installed in every SAP system, meaning the scope of the attack is quite broad.
- The high severity vulnerability, tracked as CVE-2019-0328, fixes a code injection in the Extended Computer Aided Test Tool (eCATT), which allows an attacker to execute malicious commands.
DarkMatter bid to become trusted certificate authority in Firefox blocked by Mozilla
- In addition to blocking UAE based security firm DarkMatter from becoming a trusted root certificate authority, Mozilla has also revoked trust in intermediary certificates used by DarkMatter.
- Mozilla’s decision follows a Reuters report which alleged that DarkMatter had ties to the UAE state sponsored hacking campaign named Project Raven. Project Raven’s actives included hacking into the accounts of journalists, human rights activists and officials from foreign governments.
- Mozilla’s senior director of engineering, Selen Deckelmann expressed concerns that DarkMatter would abuse their power as internet security gatekeepers to conduct surveillance operations.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.