Silobreaker Daily Cyber Digest – 11 April 2019
DHS and FBI publish advisory on North Korean HOPLIGHT malware
- The US Department of Homeland Security and the Federal Bureau of Investigation issued a joint analysis of the HOPLIGHT trojan, which is used by the Lazarus Group. The new trojan was discovered during an investigation of Lazarus Group activity.
- The report contains a detailed analysis of nine executable files found to be infected with the HOPLIGHT trojan strain, of which seven are ‘proxy applications that mask traffic between the malware and the remote operators’. The malicious proxies are all capable of hiding the group’s location and generating ‘fake TLS handshake sessions using valid public SSL certificates and disguising network connections with remote malicious actors’.
- The malware collects system information from the victim's machine and enumerates the system's drives and partitions.
Source (Includes IOCs)
Extortion email threatens to install Wannacry and DDoS victim’s network
- The spam emails claim that the victim's computer has been hacked and that documents have been found indicating the victim is hiding taxes from the IRS and other tax authorities. The threat actors demand payment of 2 Bitcoins, threatening otherwise to release the documents to the authorities, DDoS the victim's network and infect their computer with WannaCry ransomware.
- These spam emails are targeting companies rather than individuals. The associated bitcoin address has so far received no payments.
Emotet targets Chile’s financial and banking services
- Between March 18th and March 26th, 2019, SI-LAB researchers detected hundreds of users in Chile being targeted by Emotet malware. The goal of the campaign was to exfiltrate financial credentials from users’ computers to access financial and banking services geolocated in Chile. Apart from Chile, users in the US, Germany, and France were also targeted.
- According to the researchers, the first stage of the infection evades VirusTotal detections. Next, a vulnerability in WinRAR's ACE archive handling, tracked as CVE-2018-20250, is exploited to drop the malware into the Windows startup folder.
Source (Includes IOCs)
Phishing attack pushes WinRAR exploit and resembles MuddyWater activities
- Office 365 Advanced Threat Protection researchers discovered a recent phishing attack that targeted organizations in the satellite and communications industry and resembled campaigns previously attributed to the MuddyWater cyberespionage group.
- The phishing attack involved emails purporting to be from the Ministry of Foreign Affairs in Afghanistan. It exploited a flaw in WinRAR, tracked as CVE-2018-20250, to launch a convoluted infection chain in an attempt to run a fileless PowerShell backdoor.
Source (Includes IOCs)
Leaks and Breaches
Approximately two-thirds of hotel sites leak guest booking information to third-parties
- Websites for over 1,500 hotels in 54 countries have leaked sensitive information to partner services such as analytics and advertising companies. In 67% of cases, personal information such as full names, emails, addresses, phone numbers, and payment card details was exposed via booking reference codes.
- When a customer is redirected to a booking page that loads additional content from third parties, the requests for those remote resources carry the full URL of the page the customer is on. According to Symantec's senior threat researcher, Candid Wueest, this means that 'direct access is shared directly with other sources or indirectly through the referrer field in the HTTP request.'
- During analysis, it was found that approximately 176 requests were generated for each booking, and although personal information was not shared in all of them, some contained information that would make it possible for a third party to log in to a reservation, view personal details, or cancel bookings.
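The leak described above has two channels: the booking URL travelling in the Referer header of every third-party request, and page scripts copying the reference code into the third-party URL itself. The following is an added example, not code from Symantec's research: it models what a browser sends as Referer under several values of the Referrer-Policy header, then audits a constructed list of third-party requests for both channels. The hostnames, parameter names and booking reference are all constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that identify a reservation or a guest (constructed list).
SENSITIVE_PARAMS = {"bookingref", "booking_ref", "reservation", "email", "token"}


def sensitive_params_in(url):
    """Return the names of sensitive query parameters present in a URL."""
    return {k for k in parse_qs(urlsplit(url).query) if k.lower() in SENSITIVE_PARAMS}


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def referer_for(page_url, target_url, policy):
    """Referer a browser sends when page_url loads target_url under the given Referrer-Policy."""
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return page_url
    if policy == "no-referrer-when-downgrade":  # browser default at the time of this digest
        return None if downgrade else page_url
    if policy == "origin":
        return origin(page_url)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return page_url if same_origin(page_url, target_url) else origin(page_url)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed (page URL, third-party resource URL) pairs, as captured from one booking page load.
SAMPLE_REQUESTS = [
    ("https://hotel.example/booking?bookingref=ABC123&email=guest%40example.com",
     "https://analytics.example/collect?v=1"),
    ("https://hotel.example/booking?bookingref=ABC123&email=guest%40example.com",
     "https://ads.example/pixel?ref=ABC123"),  # page script copied the reference into the pixel URL
    ("https://hotel.example/home", "https://cdn.example/app.js"),
]


def audit(requests, policy):
    """List third-party hosts that receive booking data, via the Referer header or the URL itself."""
    findings = []
    for page_url, target_url in requests:
        host = urlsplit(target_url).netloc
        ref = referer_for(page_url, target_url, policy)
        via_referer = sensitive_params_in(ref) if ref else set()
        page_qs = parse_qs(urlsplit(page_url).query)
        secret_values = {v for k, vs in page_qs.items() if k.lower() in SENSITIVE_PARAMS for v in vs}
        # Values embedded in the third-party URL leak regardless of Referrer-Policy.
        via_url = {v for v in secret_values if v in unquote(target_url)}
        if via_referer or via_url:
            findings.append((host, sorted(via_referer), sorted(via_url)))
    return findings


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, audit(SAMPLE_REQUESTS, policy))
```

Running the audit under `no-referrer-when-downgrade` (the browser default in 2019) shows both third parties receiving the booking reference; switching the page to `strict-origin-when-cross-origin` (the default Chrome adopted in 2020) closes the Referer channel but still leaves the pixel that copies the code into its own URL, which only a change to the page script fixes. Keeping reservation identifiers out of the URL altogether (for example in a POST body or a session cookie) removes both channels.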
Three zero-day RCE flaws discovered in Microsoft Windows and Office
- CVE-2019-0825 is a remote code execution (RCE) vulnerability in the Microsoft Office Access Connectivity Engine that results from its failure to properly handle objects in memory.
- CVE-2019-0851 and CVE-2019-0877 are both RCE flaws in Microsoft Jet Database Engine resulting from its failure to properly handle objects in memory.
- Microsoft released a patch for all three vulnerabilities on April 9th.
Yuzo WordPress plugin exploited to redirect users to scams
- Threat actors have recently started to exploit the vulnerability: WordPress sites using the plugin have suddenly begun redirecting users to unwanted sites. The vulnerability is due to missing authentication checks that allow attackers to modify the yuzo_related_post_options value and inject a script.
- Once the script is injected, visitors' browsers load it and are redirected through a series of sites until they land on a scam page. The plugin had over 60,000 installs before it was removed from the WordPress plugin directory.
New Dragonblood flaws affect WPA3 WiFi standard
- WiFi Alliance researchers discovered new flaws, dubbed Dragonblood, in the WPA3-Personal protocol which could allow attackers to recover WiFi network passwords and obtain access to encrypted network traffic. Devices impacted by these flaws 'allow collection of side channel information on a device running an attacker's software, do not properly implement certain cryptographic operations, or use unsuitable cryptographic elements.'
- These flaws can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails and more. They include a downgrade to dictionary attack, a cache-based side-channel attack, a timing-based side-channel attack, a denial-of-service attack and a group downgrade attack.
SAP patches high severity flaws in Crystal Reports and NetWeaver
- CVE-2019-0285 is a high-risk information disclosure vulnerability in Crystal Reports that could allow an attacker to access details such as system data, debugging information, and other information.
- CVE-2019-0283 is a high-risk spoofing attack vulnerability in NetWeaver Java Application Server that could permit an attacker to spoof the data being displayed to the user.
- Both flaws, in addition to another six vulnerabilities, were patched as part of SAP’s April 2019 Security Patch Day on April 9th.
Proof of concept code released for privilege escalation flaw in Windows
- CVE-2019-0841 exists due to improper handling of hard links by the AppX Deployment Service (AppXSVC), which is used for launching, installing and uninstalling Windows applications. A threat actor with low privileges on the system could leverage this flaw to run processes with elevated permissions on Windows 10, Windows Server 2019 and Server Core installations.
- Dimension Data security researcher Nabeel Ahmed has published a technical analysis along with exploit code.
Intel Spoiler flaw receives identifier but remains unpatched
- The vulnerability was disclosed in March 2019 and affects all Intel chips. It is now being tracked as CVE-2019-0162, although it remains unpatched.
- The flaw permits attackers to learn a system’s virtual mapping to physical memory addresses.
Researcher analyses vulnerability in Confluence Server and Data Center
- The flaw, tracked as CVE-2019-3396, is a server-side template injection vulnerability in Confluence Server and Data Center, in the Widget Connector.
- Exploitation of the flaw permits path traversal and remote code execution on systems running vulnerable versions of Confluence Server and Data Center. A proof-of-concept exploit has also been released.
DHS and FBI state that all 50 US states were targeted by the Russian government in 2016
- The Department of Homeland Security and Federal Bureau of Investigation have released a joint intelligence bulletin confirming that the Russian reconnaissance and hacking efforts before the 2016 US presidential election targeted more than the previously identified 21 states. New information obtained by the agencies ‘indicates that Russian government cyber actors engaged in research on…election websites in the majority of US states.’
New report by Akamai details credential stuffing attacks in 2018
- According to Akamai, attackers made 30 billion malicious login attempts last year, testing stolen or leaked credentials against live services. The majority of these attempts were performed either by botnets or by all-in-one credential stuffing tools.
- The report also reveals that streaming services are amongst the most targeted by credential stuffing attacks. Akamai observed that three of the largest credential stuffing attacks against streaming services, ranging from 133 million to 200 million login attempts, took place soon after reported data breaches. The security experts believe that this indicates threat actors were likely testing stolen credentials before selling them.
Bloomberg claims Amazon employees listen to voice recordings of Echo owners
- Bloomberg reported that Amazon employees are listening to voice recordings captured via Amazon Echo speakers in an effort to improve Alexa's understanding of human speech and its response to commands. According to Bloomberg, 'the recordings are transcribed, annotated and then fed back into the software' to improve its functionality.
Chrome ‘Managed by your organisation’ message could indicate malware
- Google Chrome users have noticed that in some instances the browser states that it is 'Managed by your organisation' when the browser's menu is opened. The browser displays this message in the new Chrome 73 release whenever a group policy is configured.
- In some cases, however, people who are not associated with any organisation are still receiving this message.
- Malware can use Chrome policies to force-install a malicious extension, disable Safe Browsing or configure other unwanted behaviour. It is therefore possible that a browser displaying this message, particularly when the user is not associated with any managing organisation, has been infected with malware.
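The policies that produce the 'Managed by your organisation' message are visible at chrome://policy and, on Windows, live under the registry keys HKLM\SOFTWARE\Policies\Google\Chrome and HKCU\SOFTWARE\Policies\Google\Chrome. The following is an added example, not Google's tooling: it audits a set of Chrome policies for the abuses the item names (force-installed extensions, Safe Browsing disabled, homepage or search redirected to an unexpected host) and includes a Windows-only loader for the registry key. The sample policy values, the allowed-host list and the extension IDs are constructed; the policy names (ExtensionInstallForcelist, SafeBrowsingEnabled, HomepageLocation, DefaultSearchProviderSearchURL, RestoreOnStartupURLs) are real Chrome policies.

```python
from urllib.parse import urlsplit

# Chrome Web Store update URL; forcelist entries pointing anywhere else deserve attention.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Hosts the organisation actually sanctions for homepage/search/startup URLs (constructed).
EXPECTED_HOSTS = {"intranet.example.com", "www.google.com"}

# Constructed policy set shaped like the registry key contents; the extension IDs are fake.
SAMPLE_POLICIES = {
    "ExtensionInstallForcelist": [
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;http://203.0.113.50/update.xml",  # self-hosted update URL
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",                                 # Web Store extension
    ],
    "SafeBrowsingEnabled": 0,
    "HomepageLocation": "http://search-redirect.example/",
    "DefaultSearchProviderSearchURL": "https://www.google.com/search?q={searchTerms}",
    "RestoreOnStartupURLs": ["https://intranet.example.com/"],
}


def audit_chrome_policies(policies, expected_hosts=EXPECTED_HOSTS):
    """Return (severity, message) findings for policies commonly abused by unwanted software."""
    findings = []
    for entry in policies.get("ExtensionInstallForcelist", []):
        ext_id, _, update_url = entry.partition(";")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            findings.append(("high", f"ExtensionInstallForcelist: {ext_id} force-installed from {update_url}"))
        else:
            findings.append(("info", f"ExtensionInstallForcelist: {ext_id} force-installed from the Web Store; confirm it is sanctioned"))
    if policies.get("SafeBrowsingEnabled") == 0:
        findings.append(("high", "SafeBrowsingEnabled=0: Safe Browsing disabled by policy"))
    url_policies = [("HomepageLocation", policies.get("HomepageLocation")),
                    ("DefaultSearchProviderSearchURL", policies.get("DefaultSearchProviderSearchURL"))]
    url_policies += [("RestoreOnStartupURLs", u) for u in policies.get("RestoreOnStartupURLs", [])]
    for name, url in url_policies:
        if not url:
            continue
        host = urlsplit(url).hostname
        if host not in expected_hosts:
            findings.append(("high", f"{name}: points at unexpected host {host} ({url})"))
    return findings


def load_from_registry(hive="HKLM"):
    """Windows only: read SOFTWARE\\Policies\\Google\\Chrome from HKLM or HKCU into a dict.
    List-valued policies are stored as subkeys holding numbered string values."""
    import winreg  # unavailable outside Windows; kept inside the function on purpose
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    policies = {}
    with winreg.OpenKey(root, r"SOFTWARE\Policies\Google\Chrome") as key:
        n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
        for i in range(n_values):
            name, data, _ = winreg.EnumValue(key, i)
            policies[name] = data
        for i in range(n_subkeys):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as subkey:
                _, n, _ = winreg.QueryInfoKey(subkey)
                policies[sub] = [winreg.EnumValue(subkey, j)[1] for j in range(n)]
    return policies


if __name__ == "__main__":
    for severity, message in audit_chrome_policies(SAMPLE_POLICIES):
        print(f"[{severity}] {message}")
```

On a machine that is genuinely not domain-joined or MDM-managed, any value at all under these keys is worth explaining, so a practical triage step is `audit_chrome_policies(load_from_registry("HKLM"))` followed by the same for "HKCU"; an empty result means the message has another cause. The sample set produces three high-severity findings (a self-hosted forced extension, Safe Browsing off, a redirected homepage) and one informational entry for the Web Store extension, which still needs a human to confirm it was sanctioned.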
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.