Silobreaker Daily Cyber Digest – 11 July 2019
New Linux ransomware targeting QNAP NAS devices discovered
- Researchers at Anomali and at Intezer discovered a new ransomware, dubbed eCh0raix or QNAPCrypt, targeting QNAP Network Attached Storage (NAS) devices used for file storage and backups. The devices are compromised in targeted attacks via brute force attacks and by exploiting vulnerabilities.
- Due to incorrect English in the ransom note, Anomali suggests the actors behind the campaign are not native-English speakers. The ransomware can run uninhibited, as NAS devices commonly do not run antivirus programmes and the malware currently has a low detection rate.
- After finding design flaws in the script, the Intezer researchers performed a DoS attack on the malware’s infrastructure, which led the actors behind the campaign to develop a new variant that uses an embedded static wallet and RSA public key. Intezer believes the malware was developed by the same authors as Linux Rex, as this new variant shares a large amount of code with previous QNAPCrypt samples and with Linux Rex.
Source 1 Source 2 (Includes IOCs)
New Miori variant observed using new protocol to communicate with C2
- Researchers at Trend Micro discovered a new variant of Miori using a text-based protocol to communicate with its C2, rather than the usual binary-based protocol used by Mirai variants. The malware’s routine is generally similar to previously observed Mirai variants; however, the researchers believe the Miori variant may also be a new malware trying to appear as a Mirai variant to avoid detection.
- The variant was also observed using a protocol for receiving encrypted commands while simultaneously scanning for vulnerable Telnet hosts to propagate, which has also not been observed in other Mirai variants.
- In previous attempts to connect to the C2 server, the researchers were given a login prompt. In this new variant, however, the researchers received a message from the authors and were immediately disconnected from the server, which suggests that the cybercriminals are aware of the methods used by security researchers.
Source (Includes IOCs)
New mobile malware infected around 25 million devices
- Check Point researchers discovered a new variant of mobile malware, dubbed Agent Smith, which disguises itself as a Google related app and shows fraudulent ads for financial gain. The campaign shows similarities to Gooligan, HummingBad and CopyCat and its primary targets are in India, however infections have been observed globally.
- The malware exploits known Android vulnerabilities and automatically replaces installed apps with its malicious versions, with no interaction from the user required, meaning users are unaware of any changes.
- It is believed to be the first campaign to combine the three popular loopholes, Janus, Bundle and Man-in-the-Disk, for a three-stage infection chain. Although the campaign is currently focused on financial gain via malicious ads, researchers believe the malware could easily be used for more harmful purposes.
Threat Vector researchers perform analysis of APT28 malware sample
- The researchers analyzed a malware sample which was tweeted by the US CyberCom Cyber National Mission Force on May 17th, 2019. The malware is thought to be a sample of XTunnel, a tool used by APT28, ‘to make a compromised host inside the firewall act as a traffic proxy’. This allows attacker-controlled traffic from external hosts to be sent to difficult-to-reach internal targets.
- The sample was created in C++ and is larger than prior versions, indicating that the malware has obfuscation tools, static linking and embedded resources.
- Analysis of other builds of XTunnel has shown capabilities such as remote code execution, UDP tunneling, TLS encryption, proxy support, and more.
Source (Includes IOCs)
FortiGuard Lab researchers perform analysis of LooCipher Ransomware
- LooCipher Ransomware uses high level libraries such as Crypto++ for its encryption function, ensuring that the malware is difficult to reverse engineer. The researchers found that the symmetric key algorithm AES-128 ECB was used to encrypt files, with a random 16-byte key generated from an alphabet of 74 characters. If a user wanted to recover the key by brute force they would have to perform 808 Octillion AES-128 ECB operations.
- The researchers found that the only realistic way of deciphering LooCipher at this moment is to extract the key from the data that is being sent to the attackers’ C2 during the infection process. If the network traffic was not initially captured, a user could attempt to extract the key from memory.
- The researchers concluded with a warning, stating that LooCipher is still in its infancy and several other encryption codes are already present in the body of the malware and could become operational in the future.
Source (Includes IOCs)
Phishing campaign targeting UK banking customers
- Researchers at Cofense have recently observed convincing phishing emails targeting TSB banking customers in the United Kingdom. They masquerade as TSB’s customer care team, and state that TSB have recently implemented a new ‘SSL server’ to prevent third-party access, and as a result, the victim must update their account information.
- As well as attempting to harvest a victim’s email, password, and contact details, the campaign attempts to steal two-factor authentication information. The sender of the email is also spoofed to appear as if it arrived from a legitimate TSB-affiliated email address; however, the email headers show that it originated from a Brazilian registered domain.
Researchers observe AZORult activity in the wild
- CyberSafeNV researchers have investigated an open directory that appears to have been used as part of an AZORult Stealer malspam campaign. Initially discovered by Twitter user @ps66uk, the directory contained two malicious .iso files, one of them actually containing a more recent variant, AZORult++, written in C++ rather than Delphi.
Source (Includes IOCs)
FinSpy iOS and Android spyware found in the wild
- Over the past year, Kaspersky researchers have observed several unique mobile devices infected with FinSpy implants, the most recent of which were recorded in Myanmar in June 2019. FinSpy is made by the German company Gamma Group and is sold globally to law enforcement organizations and governments. The spyware is configured to run on all iOS and Android devices.
- Devices can be infected by an attacker with physical access or remotely via SMS messages, emails and WAP push. On iOS devices the attacker must first jailbreak the device and then use the Cydia package manager to install FinSpy. On Android, an attacker can gain root privileges on an unrooted device by using the DirtyCow exploit. Each implant features various unique configurations, which enables the FinSpy Agent to tailor the behavior of each implant to its target.
- FinSpy has almost identical functionality on iOS and Android. The spyware can collect SMS/MMS messages, emails, calendars, GPS locations, photos, files, and phone calls. Additionally, the malware can gather data from messenger apps such as Telegram, Threema and Signal.
Source (Includes IOCs)
Leaks and Breaches
Pale Moon announces archive server breach
- The Pale Moon web browser had its Windows archive servers breached on December 27th, 2017, with all archived installers of versions Pale Moon 27.6.2 and older infected with malware. The breach was first discovered on July 9th, 2019, after which all connections to the affected servers were cut off.
- A script containing a ClipBanker Trojan, leveraged as a malware dropper, was found in .exe files stored on the servers, meaning anyone who downloaded the Pale Moon browser installers and self-extracting archives would be infected.
160,000 resumes leaked from Chinese recruitment site Zhilian
- In a statement on July 9th, 2019, Zhilian Zhaopin, China’s second largest online recruiting platform, released evidence at a trial suggesting that approximately 160,000 personal resumes were stolen and sold for approximately five yuan apiece on Taobao, Alibaba’s e-commerce website.
- Two staff members have been detained for allegedly leaking clients’ corporate member accounts to external actors.
Apple resolves Zoom vulnerability with silent update
- The vulnerability, tracked as CVE-2019-13450, allowed hackers to gain access to and enable the cameras on a device without prompting the user to authorize the action.
- On July 10th, 2019, Apple announced that it had removed the undocumented webserver that Zoom installed. Additionally, the update ensures that users who click on a conference link are not automatically redirected to Zoom.
21 vulnerabilities fixed by new Firefox browser and Firefox Extended Support Release
- Mozilla released Firefox Browser version 68 and Firefox Extended Support Release (ESR) version 60.8 on July 9th, 2019. The patch fixed 21 bugs, two of which, CVE-2019-11709 and CVE-2019-11710, were rated as critical.
- CVE-2019-11709 is a memory issue that impacts both the Firefox browser and Firefox ESR, and CVE-2019-11710 is another memory issue that only impacts the browser.
Atlassian patches critical vulnerability impacting Jira Server and Data Center
- Bugcrowd researcher Daniil Dmitriev discovered the vulnerability, tracked as CVE-2019-11581, located in the ContactAdministrators and the SendBulkMail actions. For an attacker to successfully perform an attack, Jira would have to be configured with an SMTP server and the Contact Administrators form would have to be enabled.
- Under these conditions an unauthenticated attacker could exploit the vulnerability to perform a server-side template injection. This could lead to arbitrary code execution and full compromise of the application’s data and functionality.
Vulnerability discovered in Rockwell Automation’s PanelView graphics terminals
- DHS and Rockwell Automation have reported on CVE-2019-10970, a vulnerability that impacts PanelView 5510 human-machine interfaces (HMIs) made before March 13th, 2019. Rated ‘high-severity’, the flaw could be leveraged by a threat actor to gain root-level access to a device’s file system.
- The issue is fixed in firmware versions 4.003, 5.002 and above, and customers have been urged to update immediately.
Microsoft advises Windows 10 users to patch Secure Boot
- Microsoft is urging users of Windows 10 version 1903 to install this month’s servicing stack update (SSU) as it provides a ‘critical’ security fix in Secure Boot. The bug detected in the Secure Boot feature update could potentially force Windows’ BitLocker encryption system into recovery mode.
Intel fixes privilege escalation in two Enterprise SSD products
- The flaws affect products in the SSD DC S4500 Series and SSD DC S4600 Series. One of the flaws is located in the Solid-State Drives for Data Centers that run firmware versions before SCV10150. The bug, tracked as CVE-2018-18095, ‘may allow an unprivileged user to potentially enable escalation of privilege via physical access.’
- Intel’s Processor Diagnostic Tool is also affected by a vulnerability. The issue can increase a threat actor’s privileges on a system, allowing them to obtain information, and can cause denial-of-service conditions.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.