Silobreaker Daily Cyber Digest – 12 August 2019
Google Play clicker Trojan installed by over 100 million Android users
- Researchers at Dr.Web identified a generic clicker trojan being distributed through applications that provide online maps, dictionaries, audio players, and other services. The clicker trojan was present in 34 applications that were installed by 51.7 million users. Additionally, a variant of the clicker was downloaded by approximately 50 million users.
- Following installation, the malware lies dormant for 8 hours. Upon awakening, it communicates with the attackers' C2 and transfers information such as the device model, OS, user location and mobile carrier. The malware then loads website addresses in an invisible WebView, adds targets to subscription services, and receives links to load in a browser or on Google Play.
- The researchers reported the trojan and malicious application to Google Play. A few of the applications were deleted but most are still available for download.
Source (Includes IOCs)
New Saefko malware for sale on the dark web
- Researchers at Zscaler discovered Saefko malware being advertised on the dark web as a ‘multi-protocol multi operating system’ RAT. The malware is delivered via malicious attachments or through compromised software.
- Upon installation, the malware identifies what systems to target based on the user's browsing history. The malware looks for information related to credit cards, cryptocurrency, social media, business, shopping, and more. Screenshots, keystrokes, videos and confidential information are collected and subsequently exfiltrated to an attacker-controlled C2 server.
Source (Includes IOCs)
Litecoin users targeted in dusting attack
- According to cryptocurrency exchange Binance, Litecoin users were targeted by a large-scale dusting attack on August 9th, 2019. In a dusting attack, threat actors send tiny amounts of coins to many addresses in an attempt to break the privacy of cryptocurrency users and ultimately gain access to their crypto wallets.
Malware pre-installed on 7.4 million Android devices
- Researchers at Google Project Zero discovered that Android’s open source OS code allows malicious actors to ship Android devices with pre-packaged malware. The issue impacts budget phone makers who purchase their software from third parties.
- Malicious software can perform a range of functions including turning off Google Play Protect, spying on web activity, and allowing hackers to execute code remotely. In some cases, vulnerabilities are present due to poor coding, putting the end user at risk.
- Pre-installed malware is particularly dangerous as it is not picked up by anti-virus software and cannot be removed unless the phone maker releases a security update.
Leaks and Breaches
Over 10,000 patients affected by FDNY data breach
- The New York City Fire Department (FDNY) is informing its patients of a data breach that potentially compromised the personal data of 10,252 patients treated by the FDNY EMS ambulance between 2011 and 2018. The data loss first became known to the FDNY on March 4th, 2019 and was the result of the loss of an employee’s personal, unencrypted external hard drive containing sensitive patient data.
- It is unclear whether data on the hard drive was accessed. Potentially accessed data includes names, addresses, telephone numbers, dates of birth, and more. For 2,988 individuals, Social Security numbers may also have been exposed.
RCE vulnerability in OpenDreamBox affects nearly a third of organisations
- According to Check Point researchers, a vulnerability in the OpenDreamBox 2.0.0 WebAdmin Plugin affected 32% of organisations globally in July 2019. The remote code execution flaw is often triggered with other IoT attacks, such as exploiting a remote code execution vulnerability in MVPower DVR devices.
Multiple vulnerabilities found in portable WiFi routers
- Researchers at Pen Test Partners found several portable WiFi devices from well-known companies, including ZTE and Netgear, to contain vulnerabilities.
- Vulnerabilities in ZTE MF910 have not been patched as the device is considered an end-of-life product. ZTE MF920’s flaws, tracked as CVE-2019-3411 and CVE-2019-3412, have been patched. Netgear’s Nighthawk M1 also contained two vulnerabilities, tracked as CVE-2019-14526 and CVE-2019-14527.
- A full analysis of some of the affected devices is available on Pen Test Partners’ website.
Over 40 drivers from 20 vendors contain vulnerabilities
- Eclypsium researchers found more than 40 drivers from major BIOS vendors to be insecure. A full list of affected vendors can be found on Eclypsium’s blog.
- The vulnerabilities could allow an attacker to move from user mode to OS kernel mode, something not conventionally possible even for an administrator. Once running in kernel mode, the attacker has the highest level of privileges, including access to the hardware and firmware interfaces, which in turn allows even higher privileges, including over the system BIOS firmware.
- As the flaws were found in drivers from trusted third-party vendors that are signed by valid Certificate Authorities and certified by Microsoft, it is not possible to stop a Windows machine from loading an insecure driver.
Delta Industrial Control System (ICS) vulnerability can lead to RCE
- Researchers at McAfee identified a vulnerability, tracked as CVE-2019-9569, in Delta Controls enteliBUS Manager, an application used in systems including building management.
- The flaw is a buffer overflow vulnerability that could allow an attacker to perform RCE. A successful attacker could alter access control, pressure rooms, HVAC, and more. The vulnerability was discovered on December 7th, 2018, and patched by McAfee in June 2019.
- A full technical analysis of the exploit is available via McAfee.
Source (Includes IOCs)
Canon DSLR cameras vulnerable to ransomware infection
- Researchers at Check Point identified flaws in the Picture Transfer Protocol (PTP) which allowed them to infect a Canon EOS 80D. An attacker can infect the camera with ransomware via a rogue WiFi access point or when a victim attaches their camera to a compromised PC.
- Five of the flaws, CVE-2019-5994, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, and CVE-2019-6001, are buffer overflow vulnerabilities. The sixth, tracked as CVE-2019-5995, can be used to perform a silent malicious firmware update.
- The researchers stated that the PTP is standardized and used by several different manufacturers. Canon released a security advisory on August 6th, 2019, announcing that they were unaware of the vulnerabilities being exploited and advised customers of workarounds to prevent their cameras from being compromised.
SQLite database vulnerability used to execute malicious code
- Researchers at Check Point found that they could use Query Hijacking and Query Oriented Programming to trigger a memory corruption vulnerability in SQLite. The flaw can be reliably exploited and used to execute malicious code inside other apps that store SQL data.
- The researchers demonstrated the attack by hijacking the C2 of a malware operator and by achieving persistence on iOS devices.
- A full run through of the attack is available via Check Point.
BIG-IP load balancer can be used to compromise organizations
- Researchers at F-Secure identified a coding bug in F5 Networks' BIG-IP load balancer. The issue arises when an organization configures BIG-IP's iRules using the Tool Command Language (Tcl). Misconfigured iRule code can cause data parsed from incoming web requests to be interpreted and executed as commands.
- The researchers found that in some instances the flaw can be exploited by attackers who supply commands or code as part of a web request. Successful exploitation compromises the device hosting the BIG-IP software. Attackers can then perform further attacks to exfiltrate an organization's data.
- Using a basic web scanning technique, the researchers found over 300,000 active BIG-IP implementations.
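As an added illustration (not taken from the digest or from F-Secure's advisory), the general Tcl behaviour behind this class of iRule flaw: an argument handed to expr or eval without braces is substituted a second time by the command itself, so bracketed text arriving in a request header would be parsed as Tcl. The header name X-Count and the rule bodies are assumptions.

```tcl
# Added example, not code from the page or from F5/F-Secure. Two separate
# iRules are shown for comparison; header name and thresholds are assumed.

# WEAK RULE: $count is substituted into the argument by the Tcl parser, and
# then expr parses the resulting string as an expression a second time. Any
# [ ... ] or $ inside an attacker-controlled header value is evaluated then.
when HTTP_REQUEST {
    set count [HTTP::header "X-Count"]
    if { [expr $count + 1] > 10 } {        ;# unbraced: double substitution
        HTTP::respond 429 content "too many"
    }
}

# HARDENED RULE: braces make expr receive the literal text {$count + 1}, so
# the variable is substituted exactly once, as a value, and never re-parsed
# as code. Validating the shape of the input before arithmetic is a second,
# independent layer; reject anything that is not a plain integer.
when HTTP_REQUEST {
    set count [HTTP::header "X-Count"]
    if { ![string is integer -strict $count] } {
        set count 0                        ;# non-numeric input is ignored
    }
    if { [expr {$count + 1}] > 10 } {      ;# braced: single substitution
        HTTP::respond 429 content "too many"
    }
}
```

The same double-substitution applies to eval, subst and unbraced if/while conditions; auditing iRules for untrusted values reaching those commands without braces is the practical check.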
Coinbase attacked in spear phishing campaign exploiting Firefox zero-days
- Coinbase published a report on a spear phishing and social engineering attack it suffered, during which two zero-day vulnerabilities in Firefox were exploited. According to Coinbase, the group behind the attack was CRYPTO-3, also known as HYDSEVEN, and the first phishing emails were received on May 30th, 2019, followed by multiple rounds of emails. The final email containing a link that redirected its victims to the exploit payload was received on June 17th, 2019.
- The second flaw, CVE-2019-11708, allows an attacker to escape the browser sandbox and execute code on the host computer. The method used to exploit this vulnerability only became available on May 12th, 2019, following a change in the Firefox codebase, which suggests the threat actor has a rapid discovery-to-weaponization cycle.
iNSYNQ compromised with phishing email
- KrebsOnSecurity was shown evidence by security researcher Alex Holden that a ransomware attack targeting iNSYNQ began on July 6th, 2019, after an employee in the sales division fell victim to a spear phishing email. Following infection, the attackers spent around ten days in iNSYNQ's network before deploying MegaCortex ransomware.
- iNSYNQ CEO Elliot Luchansky spoke to customers on August 8th, 2019, and stated that the company had the funds to pay the ransom but elected not to. Luchansky explained that the company decided not to pay in order to avoid being targeted again in the future.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.