Silobreaker Daily Cyber Digest – 10 September 2019
DHS publishes analysis of ELECTRICFISH
- The report by the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency looks at two variants of ELECTRICFISH, malware attributed to the North Korean government and referred to as HIDDEN COBRA by the DHS.
- The purpose of both malware variants is to tunnel traffic between two IP addresses, which is done by using a custom protocol. By using a proxy server or port and a proxy username and password when configuring the malware, threat actors are also capable of bypassing a compromised system’s required authentication to reach outside of the network.
Source (Includes IOCs)
Purple Fox malware updated to include fileless capabilities
- Researchers at Trend Micro observed Purple Fox malware abusing PowerShell, rather than its typical use of the Nullsoft Scriptable Install System, making it capable of fileless infection. It also includes additional exploits, most likely to ensure infection. Purple Fox is a downloader, typically delivered by the Rig exploit kit, and was first discovered in September 2018.
- The new variant uses three separate methods to redirect the user to the malicious PowerShell script, namely via a SWF file that exploits CVE-2018-15982, or via two HTM files exploiting the VBScript vulnerabilities CVE-2014-6332 and CVE-2018-8174. If the targeted user does not have administrative access, the Win32k vulnerabilities CVE-2015-1701 and CVE-2018-8120 are also exploited using PowerSploit to gain privileges to install Purple Fox’s main components.
- Unlike previous versions, this variant abuses open-source code to enable its rootkit components, as well as file utility software to hide its DLL component and prevent reverse engineering or cracking attempts.
Source (Includes IOCs)
Undocumented backdoor attributed to Stealth Falcon
- Researchers at ESET identified an unreported binary backdoor, dubbed Win32/StealthFalcon, being used to compromise devices in the United Arab Emirates, Saudi Arabia, Thailand and the Netherlands. The researchers attributed the malware to the Stealth Falcon group who have been active since 2012 and primarily target journalists, activists and dissidents in the Middle East.
- The backdoor appears to have been created in 2015. It is a DLL file which supports basic commands while also being able to collect data, exfiltrate data, employ further malicious tools, and update its configuration. The backdoor communicates with its C2 through the standard Windows component Background Intelligent Transfer Service (BITS).
- The researchers attributed the backdoor to the Stealth Falcon group by comparing it to a PowerShell backdoor that was discovered by researchers at Citizen Lab. The researchers found that both backdoors communicated with the same C2, shared code similarities and used the same hardcoded identifiers.
Source (Includes IOCs)
Challenger and Harvey Norman warn of phishing scams impersonating the companies
- The Challenger Technologies scam involves threat actors sending an SMS to customers, falsely claiming they won a mobile phone contest. The link in the text message redirects the user to a phishing site that asks for the user’s credit card details to pay for a processing fee. The company stated it only communicates with customers via its Facebook page, app or shopping site, and not via SMS.
- Harvey Norman warned its customers of a fake Facebook page impersonating the company, called ‘Harvey Norman-Singapore’, whereas the legitimate company page is ‘Harvey Norman Singapore’. Customers are informed that the company will never ask for personal information or credit card details via unsolicited messages.
Malvertising campaigns used to deliver malware via exploit kits
- Security researcher nao_sec identified four malvertising campaigns that redirected users to the landing pages of various exploit kits. When a user visited the malicious site, the kits attempted to exploit vulnerabilities and install malware on the victim’s system.
- The first campaign was identified on September 7th, 2019, and used the GrandSoft exploit kit to push the banking trojan Ramnit. The second campaign was identified the following day and utilized the Rig exploit kit to deliver clipboard hijackers and Amadey malware.
- The final two campaigns were discovered on September 9th, 2019. The first used the Fallout exploit kit to distribute a clipboard hijacker. The second campaign pushed the Radio exploit kit which was used to install Nemty Ransomware.
Spam campaign uses LokiBot trojan to target US manufacturing company
- On August 21st, 2019, researchers at Fortinet identified a malicious spam campaign that was delivering LokiBot trojan. The attack began with an email that was written in broken English and contained an attachment that purported to be a ‘request for quotation’.
- Users who unzipped the file would infect their system with LokiBot malware. LokiBot steals FTP credentials, email and browser passwords, and other credentials.
- The IP address which the email was sent from has been used in two other malicious spam attacks, one of which targeted a German bakery. The researchers suggested that the difference in each campaign’s language and attack template indicates that the IP address is a spam relay.
Source (Includes IOCs)
Phishing campaign uses CAPTCHA to bypass secure email gateways
- Researchers at Proofpoint identified a phishing campaign that redirected users to a CAPTCHA page in order to prevent URL analysis from detecting malicious links. The attack starts from a compromised email account that appears to have originated from a voip2mail service. The email purports to contain a voice message which in actuality is an embedded hyperlink.
- Targets who click on the link are redirected to a page containing a CAPTCHA code. Secure email gateways (SEG) cannot proceed past the CAPTCHA page to scan the malicious site. The SEG therefore marks the CAPTCHA page as safe and allows the user to proceed.
- The target then completes the CAPTCHA challenge and is redirected to a phishing page that asks them to select their Microsoft account and sign in. Both the CAPTCHA page and the main phishing page are hosted on Microsoft infrastructure and are therefore marked as safe by domain reputation databases.
Source (Includes IOCs)
Thrip group targets South East Asian military organisations, satellite operators, and more
- Researchers at Symantec discovered that the China-based espionage group Thrip has conducted multiple operations in South East Asia since June 2018. The group’s operations targeted twelve organisations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. Targets include the military in two countries, satellite communication operators, media organisations and the education sector.
- The group is using two custom backdoors named Hannotog and Sagerunex to achieve persistence and remote access on target networks. Thrip also steals information from certain computers with its custom Catchamas malware.
- The researchers stated that Sagerunex is an evolved variant of Evora which is used by fellow Chinese espionage group Lotus Blossom. The researchers suggested that Thrip and Lotus Blossom may have amalgamated into the same group.
Source (Includes IOCs)
Leaks and Breaches
Private data of 50,000 Australian students potentially exposed in Get app data breach
- A user of the Get app discovered they could request information on other users by using the company’s search function API. The company was formerly known as Qnect Technologies and is used by university societies and clubs for payments. According to the company, changes have been made to prevent such data being visible and affected organisations will be informed.
- Potentially exposed data includes names, email addresses, dates of birth, Facebook IDs, and phone numbers. The company stated that no personal payment information is stored in its databases.
- The company had previously suffered a data breach, in which hackers threatened to publish acquired user data unless the company paid the hackers. The data breach took place in 2018, after which Qnect rebranded to Get.
Illinois school district hit by ransomware attack
- Rockford Public Schools District 205 continues to experience outages following a ransomware attack on its systems on September 6th, 2019. The attack affected the district’s internet and information systems, as well as some phone lines. The outages are expected to continue for several days.
Likud Party database exposes personal data of about 4 million voters
- Israeli newspaper Haaretz found a database belonging to the Likud Party by following a link given to representatives at polling stations for instructions on online applications. Likud, whose chairperson is Prime Minister Netanyahu, blocked access to the database within twenty minutes of being informed of the data leak.
- Exposed data included full names, addresses, mobile phone numbers, ID numbers, and the individual’s political stance on Likud. It remains unclear how Likud obtained the data and how long the data was available to the public.
‘Data incident’ exposes personal data of Boy Scouts of America members
- Boy Scouts of America’s third-party vendor Trail’s End informed the organisation and local councils of a ‘data incident’ that exposed private information of children and their parents. According to Trail’s End, the incident should not be characterised as a data leak, whereas Boy Scouts of America has acknowledged the data breach.
- Exposed data includes full names, dates of birth, email addresses, phone numbers, parent names, favorite products and affiliation, such as council, district or unit. Social Security numbers and bank information were not exposed.
- It remains unclear how many individuals were affected, whether the data breach was local or national, and how long the data was exposed.
US Secret Service investigates breach at IT contractor Miracle Systems LLC
- Researcher Brian Krebs reported that an investigation is ongoing at government IT contractor Miracle Systems LLC after a criminal advertised access to its platform on an underground forum. The company has contracts with more than twenty federal agencies including the US Department of Transportation, the National Institutes of Health, and US Citizenship and Immigration Services.
- The investigation was triggered when a member of a Russian-language cybercrime forum offered to sell access to the contractor’s system for approximately $60,000. The criminal claimed to have access to email correspondence and credentials needed to access the databases of federal agencies.
- Krebs spoke to Miracle Systems CEO Sandesh Sharda, who stated that the hackers were selling access to ‘old stuff’ from the company’s internal test environment. Sharda did, however, acknowledge that eight internal systems were infected with the Emotet trojan between November 2018 and July 2019.
NETGEAR N300 wireless routers affected by DoS vulnerabilities
- Researchers at Cisco Talos identified two bugs, tracked as CVE-2019-5054 and CVE-2019-5055, in the NETGEAR N300 line of wireless routers. Both vulnerabilities can be exploited to trigger a DoS condition.
- CVE-2019-5054 can be triggered by an unauthenticated attacker who sends a specially crafted HTTP request with an empty User-Agent string to a page that requires authentication. This can cause a null pointer dereference and crash the HTTP server.
- CVE-2019-5055 can also be triggered by an unauthenticated user who sends specially crafted SOAP requests in an invalid sequence. This can result in the hostapd service crashing.
Researchers demonstrate ‘patch-gapping’ on critical Chrome one-day vulnerability
- Patch-gapping is a practice that involves developing a one-day exploit during the window in which a vulnerability has been fixed by developers but the patch has not yet been released to users. The researchers warn that threat actors are probably capable of patch-gapping.
- In the case of the V8 vulnerability demonstrated by the researchers, the flaw was fixed in August 2019, with the patch released publicly to users on September 10th, 2019, in Chrome version 77.
Red Lion Controls programming software contains multiple vulnerabilities
- Trend Micro researchers identified four vulnerabilities in Red Lion Controls Crimson programming software, specifically in version 3.0 and prior, and 3.1 prior to the 3112.00 release. Red Lion Controls products are primarily used in the critical manufacturing sector and the company is a subsidiary of Spectris plc.
- The vulnerabilities are tracked as CVE-2019-10996, CVE-2019-10978, CVE-2019-10984 and CVE-2019-10990. The most serious bug can be triggered by an attacker who convinces a targeted user to open a specially crafted CD3 file. A successful attacker will gain the ability to remotely execute arbitrary code.
- A detailed list of vulnerabilities is available via the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Telegram messaging app fixes bug that allowed users to view deleted images or files
- The release of Telegram version 5.11 for Android and iOS fixes a bug that allowed recipients to view files or images after they were deleted by the sender. The issue was discovered by security researcher Dhiraj Mishra, who found that deleted Telegram files remained stored locally on a user’s device.
Over 1 million IoT radios open to attack through Telnet backdoor
- Researchers at Vulnerability Lab discovered a vulnerability, tracked as CVE-2019-13473, in the Telnet service used by IoT radios. The vulnerability impacts ‘a huge amount’ of Imperial and Dabman radios.
- The flaw is caused by hard-coded credentials with weak passwords. The researchers found that it took them approximately ten minutes to gain access to a radio by brute-forcing the credentials.
- The researchers were able to drop malware, send audio streams or add compromised radios to a botnet. Following the compromise, the researchers discovered a second vulnerability, tracked as CVE-2019-13474, in the AirMusic client which allowed unauthenticated command execution.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.