Silobreaker Daily Cyber Digest – 10 October 2019
Android malware distributed via Google Play apps through September
- In September 2019, Doctor Web researchers identified a variety of Android malware being distributed via Google Play. The malware included banking trojans, spyware and adware.
- In particular, the researchers highlighted the threat posed by Android.Banker.352.origin, which is delivered via a fake app for the crypto exchange service YoBit. Upon launch, the malware displays a fake authentication window and steals the victim's credentials. The malware is also capable of intercepting two-factor authentication codes from emails and text messages.
- During September the researchers also detected Android.Banker.347.origin targeting customers of a Brazilian credit service organisation. The malware poses as a family tracking application and is capable of stealing confidential data from text messages and displaying phishing pages.
Phishing campaign uses fake Amazon Web Services suspension notice
- BleepingComputer reported on a new phishing campaign targeting Amazon Web Services (AWS) users. The email states that the target must pay an outstanding bill to reinstate the service.
- Targets who access the link will be asked to enter their login details on a fake AWS login page. The start of the URL is configured to dupe users into believing that they are accessing a legitimate Amazon domain.
- Entered credentials are saved and can be accessed at a later point by the attacker. Once a target has entered their details, they are redirected to the genuine AWS login page.
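The URL trick described above (a hostname that starts with the Amazon brand but is registered elsewhere) is something a defender can check mechanically. The following is an added example, not code from BleepingComputer or the original digest; the set of legitimate Amazon suffixes and the sample URLs are constructed assumptions for illustration.

```python
"""Classify suspected AWS phishing URLs: genuine Amazon host or brand lookalike."""
import re
from urllib.parse import urlparse

# Registrable domains that legitimately serve AWS sign-in pages (assumption for this example).
LEGIT_SUFFIXES = ("amazon.com", "amazonaws.com")
# Brand strings a lure is likely to carry somewhere in the URL.
BRAND = re.compile(r"amazon|aws", re.IGNORECASE)


def hostname(url: str) -> str:
    """Return the lowercase hostname; urlparse strips any user:pass@ prefix and port."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".").lower()


def is_legit_amazon_host(host: str) -> bool:
    """True only when the registrable domain itself is Amazon's, not merely a prefix of it."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def classify(url: str) -> str:
    """'legit' for a real Amazon host, 'lookalike' when the brand appears but the host is not Amazon's."""
    host = hostname(url)
    if is_legit_amazon_host(host):
        return "legit"
    if BRAND.search(url):
        return "lookalike"  # brand present in the URL, but control of the host lies elsewhere
    return "unrelated"


# Constructed sample URLs illustrating the subdomain-prefix and userinfo (@) variants of the trick.
SAMPLE_URLS = [
    "https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com",
    "https://aws.amazon.com.billing-notice.example/login",
    "https://aws.amazon.com@billing-notice.example/login",
    "https://billing-notice.example/aws/amazon/login",
    "https://docs.example.org/",
]


def scan(urls=SAMPLE_URLS) -> dict:
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:10} {url}")
```

The check deliberately judges only the hostname, since paths, query strings and the user-info part before `@` are all attacker-controlled.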
Apple Remote Desktop targeted by attackers
- Researchers at FireEye discovered attackers using the Apple Remote Desktop (ARD) screen sharing function to move between systems. If remote desktop was not enabled, an attacker could gain remote desktop access by ‘connecting to systems via SSH and executing a kickstart command to enable remote desktop management’.
- Once access is gained to an ARD administrator system, an attacker can transfer files, schedule tasks, execute AppleScript and UNIX shell scripts, and more.
Magnitude Exploit Kit continues to evolve
- Researchers at Fortinet discovered attackers continuing to deploy the Magnitude Exploit Kit against targets who use Internet Explorer in South Korea.
- The analysed sample showed the attackers using a unique technique with VBScript to load a .NET assembly from memory. The VBScript used is a modified proof of concept for CVE-2018-8174.
- The usual exploit for CVE-2018-8174 executes shellcode after the chain with VirtualProtect; in this instance, however, the Magnitude EK uses alternative payload generation techniques. A full technical analysis of the exploit kit is available via Fortinet’s blog.
FIN6 behind recent Volusion Magecart attack
- The researchers found similarities between the code used in the recent attack and previous FIN6 attacks against British Airways and Newegg, as well as an improved version of the same skimmer being used. The domain of the attackers’ exfiltration server was similar to a legitimate Volusion domain, a method also used in the previous campaigns. Additionally, the domains used in the three attacks were all registered through Namecheap.
Leaks and Breaches
Pleasant Valley School District hit by ransomware attack
- Pleasant Valley School District’s servers were compromised by Ryuk ransomware on August 14th, 2019. A malicious email containing the malware is believed to have been opened in June, yet the malware did not activate until August. Two emails, which had not been opened, contained malicious HTML files and had Russian and Korean addresses.
- No data was compromised and the school district managed to restore the system using backups.
Researchers analyse vBulletin zero-day
- Palo Alto Networks Unit 42 researchers analysed the root cause of CVE-2019-16759, a pre-auth remote code execution vulnerability present in vBulletin. The flaw is due to a PHP server-side template injection by the Ajax render function, which was introduced in version 5.0.0.
- Multiple exploitation attempts have been detected in the wild. The researchers advise updating to version 5.5.2/3/4 Patch Level 1 or disabling the PHP, Static HTML and Ad Module rendering settings in the administration panel.
Critical flaw found in iTerm2
- A critical vulnerability was discovered in the macOS terminal emulator iTerm2 that could allow an attacker who can produce output in the terminal to execute commands on the user’s device. The flaw, tracked as CVE-2019-9535, has been present in the tmux integration feature for at least seven years.
- The very recent update 3.3.5 does not contain the patch and users are advised to update to version 3.3.6.
NitroPDF contains numerous vulnerabilities
- Researchers at Cisco Talos discovered multiple flaws that impact NitroPDF Pro. The researchers identified six vulnerabilities, five of which can be used by an attacker to perform remote code execution.
- At present there is no patch in place for any of the disclosed vulnerabilities. A full list of the flaws is available via Cisco Talos.
vBulletin patches three high-severity flaws
- vBulletin released patches for three vulnerabilities affecting versions 5.5.4 and prior. The first, tracked as CVE-2019-17132, could be exploited to inject and execute arbitrary PHP code on a target server using unsanitised parameters. The flaw cannot be triggered in the default vBulletin forum installation.
- The second and third flaws, both tracked as CVE-2019-17271, could enable an attacker to engage in SQL injection attacks, allowing them to read sensitive data from the database. Certain permissions are required for an attacker to exploit these vulnerabilities.
SAP patches two critical vulnerabilities
- On October 8th, 2019, SAP released their monthly security patch which resolved seven new vulnerabilities, two of which are classified as critical.
- CVE-2019-0379 pertains to the AS2 adapter of the B2B add-on for SAP NetWeaver Process Integration and fixes a missing authentication check. CVE-2019-0380 fixes an information disclosure bug in SAP Landscape Management enterprise edition.
- A complete list of vulnerabilities and impacted products is available via SAP.
Moroccan human rights activists targeted by NSO Group spyware
- According to Amnesty International, two prominent Moroccan human rights activists have been targeted by NSO Group’s Pegasus spyware since October 2017. Maati Monjib and Abdessadak El Bouchettaoui received multiple SMS messages containing malicious links that have been linked to the NSO Group.
- Additionally, an analysis of Monjib’s browsing history showed that he had been redirected to ‘suspicious’ sites when attempting to reach yahoo[.]fr, suggesting a network injection attack had taken place in an attempt to install spyware. At least four similar network injection attacks were observed between March and July 2019, with at least one being successful.
- Amnesty International believes NSO Group’s tools may also have been involved in these man-in-the-middle attacks, yet state that they ‘do not have sufficient information to conclusively attribute these suspected network injection attacks to NSO Group’s products or services.’
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.