Silobreaker Daily Cyber Digest – 11 February 2019
Adware disguised as game, TV and remote control apps infects 9 million Google Play users
- Trend Micro researchers recently discovered an adware family, tracked by Trend Micro as AndroidOS_HidenAd, disguised as 85 game, TV, and remote control simulator apps on the Google Play store. The apps have been downloaded 9 million times globally and have since been taken down from the Play store.
- The adware is capable of frequently displaying full-screen apps, hiding itself from the user, monitoring a device’s screen unlocking functionality, and running in the device’s background.
Source (Includes IOCs)
Linux coin miner copies scripts from KORKERDS and Xbash, removes competing malware
- While conducting a routine log check, Trend Micro researchers found a script that is capable of deleting a variety of Linux malware, coin miners, and connections to other miner services and ports. The script was found to resemble Xbash and KORKERDS.
- Upon further inspection, the researchers discovered that the script deletes the components and mining process of KORKERDS and instead installs a modified version of the XMR-Stak cryptocurrency miner. Moreover, it implants itself on the system and crontabs to survive reboots and deletions.
Source (Includes IOCs)
Clipper malware found on Google Play store
- According to ESET researcher Lukas Stefanko, Clipper malware exploits the fact that users tend to copy and paste cryptocurrency wallet addresses using the clipboard. The malware intercepts the content of the clipboard and can replace it with the attacker’s own wallet address.
- In this case, Stefanko discovered clipper malware impersonating a legitimate service called MetaMask. This clipper’s primary goal was to steal credentials and private keys to gain control over their Ethereum funds.
- Clipper malware was initially discovered on Windows platforms in 2017 and on ‘shady’ Android app stores in 2018.
Source (Includes IOCs)
Actor behind AZORult ceases sales of malware
- The author behind AZORult, known as ‘Crydbrox’, announced on December 17th that all sales and updates for the malware would end.
- According to BlueLiv, Crydbrox may be attempting to hide certain parts of his criminal profile, despite being well-known for supporting AZORult since 2016.
- Because it is no longer updated, the stealer is likely to lose popularity over time and be replaced by a variety of competing products.
Phishing campaign targets anti-money laundering officers at US credit unions
- Brian Krebs reported on a phishing campaign that exclusively targeted Bank Secrecy Act (BSA) contacts at US credit unions. BSA officers are appointed by financial institutions to report suspicious financial transactions that may be associated with money laundering.
- Emails purporting to be from fellow BSA officers were sent to individuals to lure them into opening a malicious PDF attachment.
- According to Krebs’ blog post, several credit union sources suspect the officers’ non-public contact information may have been obtained from the National Credit Union Administration (NCUA), which all BSA officers are required to be registered with. In a response to the incident, the NCUA has claimed that none of its systems have been compromised.
Malicious Excel attachment leverages steganography to download URSNIF
- Bromium researchers detected an Excel spreadsheet containing malicious macros that build a PowerShell command from individual pixels in a downloaded image of video game character Mario. Once executed, the command will install malware on the victim’s device.
- The malicious macros were configured to execute the command only when the machine is located in Italy. Initially, the researchers believed the malware to be GandCrab however, further research conducted by Yoroi’s ZLab team revealed that the malware installed is actually URSNIF.
Leaks and Breaches
Parenting website Mumsnet suffers data breach
- In an official statement, the website operators acknowledged an incident in which users logging in at the same time could have had their account information switched. The issue affected users logging into the platform between 2pm on February 5th and 9am on February 7th, 2019.
- According to Mumsnet, the incident is believed to have been caused by a software change as part of the service’s shift to the cloud. Data affected includes email addresses, account details, posting history and personal messages. No passwords were compromised.
RDM refrigeration systems vulnerable to remote attacks
- Safety Detective researchers discovered that refrigeration systems made by Scotland-based provider Resource Data Management (RDM) are exposed to remote attacks from the internet. This is due to users’ failure to change default passwords and implement other security measures.
- The affected systems can be accessed over HTTP on port 9000, and in some cases ports 8080, 8100 or 80, and are protected by a known default username and password. An unauthorized user can perform operations such as changing refrigerator, user and alarm settings.
- The vulnerable systems are used by healthcare providers and supermarket chains worldwide such as Marks & Spencer, Ocado, Way-On, Menu Italiano or CCM Duopharma Biotech Berhad. A Shodan search revealed over 7,400 devices accessible directly from the internet. These are located in countries such as Russia, Malaysia, Brazil, the UL, Taiwan, Australia, Israel, Germany, Netherlands, and Iceland.
Pawnee County Memorial Hospital data breach
- The Nebraska hospital has notified 7,038 patients that their full names, dates of birth, driver’s license details and medical information has been compromised.
- The breach took place after an employee was infected with malware via a malicious attachment. The malware gave unknown actors access to the employee’s account from 16 to 24 November 2018.
Pharmaca announces data breach
- The health and wellness company stated that payment information may have been compromised for customers who made purchases at retail locations between July 19, 2018 and December 12, 2018.
- The breach was caused by suspicious code on point-of-sales systems, discovered on December 6, 2018. No medical records or other sensitive information were exposed.
‘TeamOrangeWorm’ attempt to extort healthcare provider, release employees’ financial files
- A hacker group going by the name ‘TeamOrangeWorm’ attempted to extort Ontario-based CarePartners for $18,000 in Bitcoins to prevent the public release of employee and patient files. The files were allegedly obtained in a breach that occurred in June 2018.
- In a response to a request by DataBreaches[.]net, the threat actor provided a link to an archive that contained files including company financial documents, employee T4 statements containing sensitive information, company banking information, accounts payable and wire transfers.
- Despite the files not being from the June 2018 dump, TeamOrangeWorm claim they possess three other dumps with employee and corporate files that they plan to release in the future. DataBreaches[.]net note that they do not believe the threat actor is the same actor identified as Orangeworm by Symantec.
Bunnings discloses data breach that affected employee and customer data
- The household hardware chain issued an apology for a data breach that led to the exposure of employee and customer data. The breach was a result of a ‘staff member setting up an employee performance monitoring system on their home computer’.
- The breached data includes details of Bunnings staff members and comments relating to employee performance, login details for staff and developers, and the email addresses, home addresses and telephone numbers of 1,194 customers.
Vulnerability patched in FireOS
- The flaw was patched in v188.8.131.52. released by Amazon in November 2018.
Vulnerable plugin used to encrypt customer systems of US-based MSP
- An attacker managed to encrypt the endpoint systems and servers of all customers of a US-based managed service provider (MSP) by exploiting a vulnerable plugin for a remote management tool Kaseya VSA RMM and used by the MSP.
- According to Dark Reading, the attack resulted in 1,500 to 2,000 customers’ systems being infected with GandCrab ransomware and the MSP being extorted for a $2.6 million.
Trend Micro release a new report documenting TTPs used to target financial organizations
- Key findings include that annual losses from cyberattacks against financial institutions can amount to between $100 to $300 million.
- Cyber criminals were seen mostly targeting bank customers but also focused on employees in financial departments or banks. In some cases, criminals attempted to bribe bank employees into creating money exfiltration and money laundering schemes.
- Trend Micro also found that attackers are increasingly launching attacks against banks’ infrastructures or telecommunication networks.
Kaspersky Lab publish report on DDoS attack in Q4 2018
- In Q4 2018, a number of new botnets were detected such as Chalubo, Torii or DemonBot. New attack mechanisms were also registered such as the FragmentStack vulnerability in the IP stack that works against Linux, Windows and Cisco products. Another attack method abuses the CoAP protocol to boost DDoS attacks.
- In late 2018, a new DDoS launch platform called 0x-booter was also discovered. The platform employs the Bushido botnet that has been used in more than 300 DDoS attacks in the second half of October 2018.
- Additionally, Kaspersky Lab provide statistics related to the countries most targeted by DDoS attacks, the duration and types of DDoS attacks, and the geographic distribution of botnets.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.