Silobreaker Daily Cyber Digest – 12 December 2018

Malware

Cobalt Group use new ThreadKit builder to deliver CobInt backdoor

  • Cobalt Group, known for breaching the networks of banks and other financial institutions, were spotted on 30 October using a new variant of the ThreadKit exploit builder kit for Microsoft Office documents. ThreadKit’s author sold the tool in May 2017 for $400, enabling threat actors and hacker groups to use it in their own operations.
  • Fidelis Cybersecurity found that the executable delivered by ThreadKit is the downloader for CobInt, a backdoor that Cobalt uses for reconnaissance and which was discovered on the group’s C&C server.

Source

CapitalInstall adware family discovered

  • Netskope researchers have discovered CapitalInstall, a strain of malware that delivers the Linkury Adware from a Microsoft Azure blob storage IP range, targeting multiple customers in the health and retail sectors.
  • The binaries were shared via multiple internal applications and claim to provide licences and keys for popular software. The malicious binaries are then synced to cloud storage applications and accessed by users seeking to license their software.
  • Linkury, the adware bundled into CapitalInstall, infects a machine and causes it to display advertisements and download unwanted applications, often generating revenue for the malware’s author.

Source

New BadWord and LamePyre Mac malware bear similarities to DarthMiner

  • Following Malwarebytes Labs’ recent discovery of DarthMiner, the company has now reported that two additional pieces of malware targeting Macs have been identified. The first, tracked as BadWord, was found by Microsoft’s John Lambert and analysed by Objective-See’s Patrick Wardle. The second, dubbed LamePyre, was found by Malwarebytes’ Adam Thomas.
  • BadWord is delivered via macros embedded in Word documents. According to Malwarebytes, the malware ‘uses a sandbox escape to create a launch agent on the system’. The launch agent then provides persistence for a Python script that creates a Meterpreter backdoor on the system.
  • LamePyre was presented as a malicious version of the Discord app; however, Thomas found that it was actually an Automator script that was not a modified copy of Discord and made no attempt to disguise itself as the app. LamePyre runs a Python script and installs an EmPyre backdoor, bearing similarities to the previously identified DarthMiner.
  • Similarities were also found between BadWord and DarthMiner, suggesting that all three malware families could have been made by the same developer.

Source (Includes IOCs)

Ongoing Campaigns

New Exploit Kit Novidade targets SOHO Routers

  • The Novidade Exploit Kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers, redirecting traffic from connected devices to attacker-controlled IP addresses. This enables attacks on victims’ mobile devices or desktops through web applications that have authenticated the user.
  • Novidade is delivered through malvertising, compromised website injection, instant messaging, and more. Trend Micro assert that once the victim clicks on the link to Novidade, ‘the landing page will perform several HTTP requests generated by JavaScript image function to a predefined list of local IP addresses to download a corresponding exploit payload’.
  • Following this, Novidade will attack detected IP addresses with all of its exploits, and then attempt to log into the router with default account credentials, followed by a CSRF attack to change the original DNS server to the attackers’. Three versions of the Exploit Kit have been discovered, all sharing the same attack methods, but with some improvements.

Source (Includes IOCs)

Android malware allows hackers to steal funds via PayPal

  • The malware masquerades as a battery optimisation tool called ‘Optimisation Android’ and is available from unofficial third-party stores. Once launched, the app closes and then hides on the infected device.
  • The malware abuses Android’s built-in accessibility service. It disguises the prompt to enable the service as a message asking the user to activate statistics for the fake battery optimisation software; once the service is enabled, the malware uses it to prompt the user to launch the PayPal app if it is installed on the device.
  • If the accessibility service is successfully enabled and the user opens and logs in to PayPal, the service will mimic the user’s clicks to send money to the attacker’s address. Two-factor authentication is of no use against this attack because the login is a legitimate action taken by the user.

Source

Researchers investigate phishing campaign against Russian critical infrastructure

  • Cylance researchers reported on their investigation of an apparent state-sponsored attack against Russian critical infrastructure. They concluded that the perpetrators behind the attacks were not attempting to conduct cyberespionage but were motivated by financial gain.
  • The attacks involved the use of phishing emails to infect victims with the RedControle trojan using C&C domains that intentionally spoofed actual domains of various Russian critical infrastructure firms. A Sticky Keys backdoor was also used to perform sticky keys hijacking.
  • Russian oil company Rosneft was amongst the most prominent companies targeted by these attacks. Other targets include more than two dozen oil, gas, chemical, agricultural and other critical infrastructure organisations, as well as Russian financial exchanges.
  • The researchers discovered the campaign in early 2018; however, the attackers had set up their operations three years earlier, initially launching an attack against Steam users and the gaming community.

Source (Includes IOCs)

Italian oil company’s servers in the Middle East targeted by attackers

  • Reuters reported that Italian oil services company Saipem was hit by a cyberattack that primarily affected its servers in the Middle East. According to a company spokesperson, servers in Saudi Arabia, the United Arab Emirates and Kuwait were targeted while servers in Italy, France and the UK remained unaffected.
  • The company’s servers were shut down and it is claimed that no data has been lost. The attack was found to have originated in Chennai, India.

Source

Leaks and Breaches

Hackers steal 40,000 logins for government services in 30 countries

  • Credentials giving access to official government portals in 30 countries worldwide have been stolen. 52% of victims are located in Italy, 22% in Saudi Arabia and 5% in Portugal. Government employees, military personnel and civilian citizens in France, Hungary, Croatia, Poland, Romania, Switzerland and Bulgaria were also affected. Other targets include the Israel Defense Forces, the Georgian Ministry of Finance, the Norwegian Directorate of Immigration and the Italian and Romanian Ministries of Foreign Affairs.
  • Group-IB researchers have reported to Bleeping Computer that the theft occurred via phishing attacks that delivered malware such as the Pony Formgrabber, AZORult and Qakbot.
  • According to Bleeping Computer, there is a possibility the credentials might have already been sold on underground hacker forums. Although these logins may not result in immediate financial gain, they can allow attackers to reach classified information or infiltrate government websites for espionage purposes.

Source

Scraped data dump discovered in the wild

  • Researchers at Malwarebytes Labs discovered three large databases containing 66,147,856 records, scraped from various publicly available sources across the internet. At least one of the databases was exposed due to lack of authentication on the server.
  • Some of the data appears to be business-centric, as it includes full names, emails, employment history and skills; data which appears to be consistent with a LinkedIn profile.
  • The other two databases appeared to include IPs, names, emails, phone numbers and employer information. Researchers have stated that whilst the information isn’t a dump of sensitive information, it is useful data for an actor to use in a phishing campaign.

Source

Experian customer data exposed via training manuals

  • Experian has removed some of their training manuals from one of their websites after it was alleged that they contained customer data and sensitive information from a business in California.
  • The exposure was initially discovered by a security researcher known as ‘notdan’; further investigation revealed that the information did refer to a real Californian restaurant. Neither Experian nor the restaurant has released a response regarding the alleged incident.

Source

North Texas hospital suffers data breach

  • The breach occurred between September 22nd and September 29th, 2018, at the Baylor Scott & White Medical Center, and may have compromised the payment information of around 47,000 patients. Exposed data included names, mailing addresses, medical record numbers, insurance provider data, card information, and invoices and payment information.
  • The hospital stated that information and clinical systems were not affected, and that Social Security numbers and medical records were not accessed.

Source

Software vendor Central Square suffers data breach

  • The third-party payment vendor of the City of Topeka suffered a data breach between October 31st and December 7th, 2018, impacting approximately 10,000 customers. It is unclear what information has been compromised, but potential victims are being contacted and advised to contact their credit card issuer for advice.
  • Local law enforcement and the FBI have been notified, and an investigation is ongoing.

Source

Lenovo suffers data breach

  • Lenovo has written a letter to their Singaporean employees stating that a laptop containing unencrypted payroll data of staff based in the Asia Pacific region was stolen from a Lenovo employee. The incident occurred on September 10th, and staff were notified on November 21st, 2018.
  • The laptop contained payroll information including employee names, monthly salaries and bank account details. It is unclear how many employees have been affected.

Source

Vulnerabilities

Critical vulnerabilities patched in Adobe Acrobat and Reader

  • The vulnerabilities impact the Windows and macOS versions of Acrobat and Acrobat Reader. The critical flaws include several bypass issues (CVE-2018-16045, CVE-2018-16044, CVE-2018-16018), buffer errors (CVE-2018-15998, CVE-2018-15987), untrusted pointer dereference (CVE-2018-16004, CVE-2018-19720), and more.
  • Of the 87 vulnerabilities patched, 39 were critical and could allow an attacker to perform privilege escalation or code execution on a targeted computer. There is no indication that these vulnerabilities have been exploited.

Source

Microsoft patches actively used zero-day vulnerability

  • Included in Microsoft’s Patch Tuesday was a zero-day Windows vulnerability, tracked as CVE-2018-8611, that has been leveraged in recent campaigns.
  • The flaw is caused by the Windows kernel failing to properly handle objects in memory, allowing an attacker to run code in the Windows kernel at a higher privilege level. To exploit this bug, the attacker would need to be logged in to the PC. The flaw was discovered by Kaspersky and is reportedly being used by malware developers.
  • In addition, the latest Microsoft security updates also include a patch for the Adobe Flash zero-day that was used in a recent APT attack against Russia’s FSBI ‘Polyclinic #2’ clinic, known as Operation Poison Needles. In total, Microsoft have patched 39 vulnerabilities, 10 of which are critical.

Source

Cisco and Texas Instruments claim to have patched critical BleedingBit flaws

  • The recently discovered critical vulnerabilities, CVE-2018-16986 and CVE-2018-7080, in access points sold by Cisco, Meraki and Aruba, were claimed to have been addressed by Texas Instruments in previous software updates. Similarly, Cisco stated that they have released an update addressing the two flaws.

Source

General News

Researchers analyse Twitter bots amplifying the spread of misinformation

  • Duo Security researchers found that Twitter bots are not only used to ‘follow accounts to artificially boost that account’s popularity’ but are also used to ‘amplify content through artificial retweets and likes’.
  • The researchers analysed a dataset of 576 million tweets using their own web crawler, which led them to discover over 7,000 potential amplification bots in just one day. They conclude that these bots can be potentially more dangerous than bots boosting individual accounts as ‘by artificially inflating the popularity of content, amplification bots not only affect how content spreads, but also its perceived credibility’.

Source

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 
