Silobreaker Daily Cyber Digest – 11 November 2019
Platinum group deploy new Titanium backdoor tool
- Researchers at Kaspersky discovered that the Platinum group, which has been tracked since 2012, has developed a new backdoor named Titanium. The group, described by Kaspersky as ‘one of the most technologically advanced APT actors’, primarily targets political, military, and government entities in South and Southeast Asia.
- The researchers stated that the attack begins with malicious code hosted on local intranet websites. After the initial infection, the chain proceeds through a sequence of dropper, downloader and installer stages, and at each stage the activity is disguised to resemble that of common, legitimate software. The final stage is the deployment of the Titanium backdoor itself.
- The backdoor can drop and run files, read files and exfiltrate them to the attacker’s C2 server, update its own configuration, and more. A full technical analysis of each stage of the attack chain is available on the Kaspersky blog.
New injection patterns observed in ongoing malware campaign
- Sucuri researchers observed new injection patterns and vectors in a multi-year malware campaign that targets WordPress websites and now also Magento websites. The campaign redirects visitors to numerous scam landing pages, including tech support scams, fake lottery wins and malicious browser push-notification prompts.
- Additionally, the researchers observed attackers exploiting vulnerabilities in the Adminer database management tool (versions below 4.6.3) to inject malicious script into the wp_posts table and to add rogue WordPress administrator accounts to the site’s user tables. The rogue accounts act as a backdoor, giving the attackers administrator-level access to the compromised site that survives removal of the injected script. An increase in installations of the fake ‘Super Socialat’ plugin was also observed.
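The two database-level artefacts described above (script tags injected into post content and rogue administrator accounts) can both be found with a couple of queries against the WordPress database. The following is an added example, not Sucuri’s code: it builds an in-memory SQLite copy of the three WordPress tables involved, populated with constructed sample rows (the hostnames are placeholders, not indicators from the report), and runs the same checks a practitioner would run against the live MySQL database. The `wp_` table prefix and the allow-list of script hosts are assumptions for the example.

```python
"""Detect injected <script> tags in wp_posts and rogue administrator accounts.

Added example (not Sucuri's code). The sample rows below are constructed;
point the same queries at the real MySQL database to check a live site.
"""
import re
import sqlite3
from urllib.parse import urlsplit

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# WordPress stores roles as a PHP-serialised array in wp_usermeta; this
# substring marks an account that holds the 'administrator' capability.
ADMIN_CAP = '"administrator";b:1'

# Constructed sample data; ".invalid" hosts are placeholders, not real IOCs.
SAMPLE_POSTS = [
    (1, "Hello world", "<p>Welcome to the site.</p>"),
    (2, "About us", '<p>Text</p><script src="https://cdn.example.com/app.js"></script>'),
    (3, "Contact", '<p>Call us</p><script type="text/javascript" src=//redirector.invalid/ad.js></script>'),
    (4, "Pricing", "<script>window.location='https://scam.invalid/';</script>"),
]
SAMPLE_USERS = [
    (1, "admin", "2015-03-01 10:00:00"),
    (2, "editor", "2016-07-12 09:30:00"),
    (3, "wp_support", "2019-11-09 03:14:07"),  # attacker-created account
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """Create an in-memory SQLite DB holding only the WordPress columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);"
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);"
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", SAMPLE_POSTS)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def find_script_injections(conn, allowed_hosts):
    """Return (post ID, src) for every <script> in post_content that is suspicious.

    A script is suspicious when its src host is not in allowed_hosts
    (protocol-relative '//host/...' sources are handled) or when it is an
    inline block with no src at all, which legitimate posts rarely carry.
    Inline blocks are reported with src=None.
    """
    hits = []
    rows = conn.execute(
        "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%'"
    )
    for post_id, content in rows:
        for tag in SCRIPT_TAG.finditer(content):
            src_match = SRC_ATTR.search(tag.group(1))
            if src_match is None:
                hits.append((post_id, None))
                continue
            src = src_match.group(1)
            host = urlsplit(src).netloc.lower()
            if host not in allowed_hosts:
                hits.append((post_id, src))
    return hits


def list_admin_users(conn, prefix="wp_"):
    """Return (user_login, user_registered) for every account with the administrator role.

    Compare the result with the accounts you expect; a recently registered
    login you do not recognise is the rogue admin described in the report.
    """
    sql = (
        "SELECT u.user_login, u.user_registered FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ? "
        "ORDER BY u.user_registered"
    )
    return conn.execute(sql, (prefix + "capabilities", "%" + ADMIN_CAP + "%")).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for post_id, src in find_script_injections(db, {"cdn.example.com"}):
        print(f"suspicious script in post {post_id}: {src or '<inline>'}")
    for login, registered in list_admin_users(db):
        print(f"administrator: {login} (registered {registered})")
```

On the sample data the script check flags post 3 (a protocol-relative source on a non-allow-listed host) and post 4 (an inline redirect), and the admin listing shows the expected `admin` account alongside `wp_support`, registered days before the digest date. On a real site the allow-list should contain only the CDN and analytics hosts the theme legitimately loads, and the admin list should be compared against the known staff accounts.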
Threat actors spread Trickbot via fake sexual harassment complaints
- Researchers at Malcrawler observed threat actors using social engineering to target employees of medium to large companies in a TrickBot campaign. The email is crafted to look like an official notification of a harassment complaint from the US Equal Employment Opportunity Commission (EEOC) and carries a malicious Word document. To lure victims into opening the email and its attachment, the senders use provocative wording to catch the recipient’s attention, together with the target’s full name and workplace details to make the message appear legitimate.
ConnectWise Automate used by threat actors to spread ransomware
- ConnectWise is advising its customers to block internet access to on-premises ConnectWise Automate servers after discovering that threat actors are targeting the application’s exposed ports to deploy ransomware across affected companies’ networks. Details of which ports are being targeted were not given.
WarZone RAT delivered via malicious WebEx meeting invites
- Security researcher Alex Lanstein discovered a malspam campaign purporting to invite the recipient to a WebEx meeting. Clicking the ‘Join Meeting’ link sends the user through an open redirect on a Cisco domain to a WebEx-branded executable. The executable is not the legitimate client; it contains the WarZone RAT.
- Once installed, the malware can execute commands, access webcams, record keystrokes, steal Chrome and Firefox passwords, download and execute further software, and more.
- Lanstein warned that the campaign could prove effective because Cisco owns WebEx: the link initially points at a genuine Cisco URL, so a recipient who checks the link target could be convinced that the email was legitimate.
Source (Includes IOCs)
Targeted BitPaymer ransomware attack used against Spanish MSSP
- Researchers at McAfee analysed a recent attack against a Spanish MSSP by an unnamed but experienced threat actor. The researchers state that the adversary is well known in the industry and employed a mixture of new and old TTPs along its attack path.
- The initial infection vector is a compromised website from which the target is tricked into downloading what appears to be a legitimate application. In this attack the victim unknowingly downloaded the Dridex malware, which gives the attacker remote access to the network. The attacker then harvests credentials with tools such as Mimikatz in order to move laterally, and uses PowerShell-based frameworks such as Empire to pivot within the network.
- Once these tools had yielded high-privilege accounts and control of Active Directory, the attacker deployed BitPaymer ransomware. The researchers found that the BitPaymer operators build a custom binary for each victim, and the ransom note was customised to contain the name of the targeted company.
Source (Includes IOCs)
SmarterASP[.]NET hit with ransomware
- On November 9th, 2019, SmarterASP[.]NET, an ASP[.]NET hosting provider with more than 440,000 customers, was hit by a ransomware attack that impacted customer data and the company’s website. ZDNet reported that a screenshot posted on Twitter appears to show customer files encrypted with a version of the Snatch ransomware.
Potentially dangerous apps among most popular antivirus apps
- VPNpro researchers analysed the 15 most popular antivirus apps on the Google Play Store, some of which had previously been identified as potentially malicious. The researchers found that the apps request dangerous permissions that they do not need in order to function; for example, 9 of the 15 apps request access to the user’s location, data that can be sold on to marketing companies.
- Full details of the analysed apps’ permissions are available on VPNpro’s blog.
Leaks and Breaches
TennCare suffers data breach
- On November 8th, 2019, TennCare announced that an attacker may have stolen private information belonging to 43,847 members. The compromise resulted from a phishing attack on May 28th, 2019 against an employee of Magellan Health, TennCare’s pharmacy benefits manager.
- The investigation found no evidence that a third party had accessed, viewed or attempted to use member data, but Magellan Health stated that such access cannot be ruled out. Potentially exposed data includes names, Social Security numbers, member IDs, health plans, provider names and the names of prescribed drugs.
Ransomware attack against Boardriders Inc. impacts subsidiaries
- Boardriders Inc. disclosed that the company was hit by a ‘computer virus’ that impacted ‘some systems’ in ‘some regions’. The company, which owns Quiksilver, Billabong, DC Shoes and other sports brands, did not disclose the exact timing or nature of the attack.
- BleepingComputer reported that a source told them the incident took place in the last week of October 2019 and was caused by ransomware. The attack appears to have disrupted some of the company’s e-commerce activity, with notices on several of its online stores warning of shipping delays.
Vulnerability found in Ceph RGW configuration
- A vulnerability in the Ceph RGW (RADOS Gateway) configuration, tracked as CVE-2019-10222, allows an unauthenticated remote attacker to crash the RGW server when the Beast front end is handling client requests, resulting in a denial of service for RGW clients. The flaw affects a number of products, including Red Hat Ceph Storage 3.3, Ubuntu 19.04 and Ubuntu 18.04 LTS. Patches are available.
Apple Mail app on macOS stores portions of encrypted emails in plaintext
- Security researcher Bob Gendler discovered that the Apple Mail app on macOS stores portions of S/MIME-encrypted emails in plaintext. The issue is caused by the Siri Suggestions feature, which scrapes information from a variety of applications; Gendler found that it collects content from encrypted messages in Apple Mail and stores plaintext versions of it in a file named ‘snippets[.]db’.
- The flaw is present in Catalina, Mojave, High Sierra and Sierra. Apple, who were informed of the flaw in July 2019, have issued updates for all four OS versions since then but have yet to fix this issue. Gendler’s recommended workaround is to stop Siri Suggestions learning from Mail (under Siri Suggestions & Privacy in System Preferences) and to remove the existing ‘snippets[.]db’ file, since disabling the feature alone does not purge what has already been indexed.
US Department of Homeland Security warn of flaws in Medtronic medical devices
- The US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) published an advisory warning of vulnerabilities in Medtronic Valleylab electrosurgical devices.
- The highest-severity vulnerabilities, tracked as CVE-2019-3464 and CVE-2019-3463, exist in the Valleylab FT10 and Valleylab FX8 and could allow an attacker to execute arbitrary code or gain administrative access to files on the device.
Berlusconi Marketplace shut down by Italian law enforcement
- The Guardia di Finanza, Italy’s financial police, shut down the Berlusconi Marketplace and arrested three individuals suspected of being its administrators. Since January 2019 the marketplace had been one of the most significant dark web markets, with over 100,000 listings for illegal goods such as weapons and drugs.
- It was also known for selling malware, hacking tools, bulletproof hosting services and stolen payment card data.
- Chief prosecutor of Brescia, Carlo Nocerino, likened the takedown to the operations conducted by the FBI and Dutch police against Silk Road, AlphaBay and Hansa Market.
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.