Silobreaker Daily Cyber Digest – 12 February 2019
EXE files used to infect Mac devices with malware
- Trend Micro researchers observed a new method of infecting macOS devices with malware that consists of running executable files that normally only execute on Windows devices. They were led to their discovery after analysing an app called Little Snitch, advertised as a firewall application for macOS.
- The researchers suspect that malicious actors are leveraging this technique to bypass built-in protection measures, such as Gatekeeper, as these only inspect native macOS files and not EXE files. Once installed, the malware collected system information related to the device model, processor, memory, serial number, or firmware version. It also scanned all basic and installed apps and sent the collected data to its C&C server.
- Trend Micro detected the highest number of infections from the UK, Australia, Armenia, Luxembourg, South Africa and the US.
Source (Includes IOCs)
Malicious code prevents updates on QNAP NAS devices
- Users of QNAP NAS devices reported a string of malware attacks that disable the devices’ software updates by hijacking entries in the host machines’ hosts file. According to the users’ forum discussions, the malicious code adds around 700 entries to the hosts file that redirect requests to the IP address 0.0.0.0.
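As an added example (not code from the digest or from QNAP), the script below audits hosts-file text for the symptom described: hostnames pinned to 0.0.0.0 so that update requests go nowhere. The sample hosts entries and the update hostnames it watches for are constructed placeholders.

```python
"""Audit hosts-file text for hostnames sinkholed to 0.0.0.0.

Added example, not code from the digest or from QNAP; sample entries and
update hostnames below are constructed placeholders.
"""
import ipaddress

# Addresses that make a hostname unreachable; 0.0.0.0 is what the reports describe.
SINKHOLE_ADDRS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}

def parse_hosts(text: str) -> dict[str, list[str]]:
    """Map each hostname to the addresses the file assigns it (comments skipped)."""
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comment, tokenize
        if len(fields) < 2:
            continue                             # blank or malformed line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping

def sinkholed_hosts(text: str) -> list[str]:
    """Return, sorted, the hostnames the file pins to a sinkhole address."""
    return sorted(name for name, addrs in parse_hosts(text).items()
                  if any(ipaddress.ip_address(a) in SINKHOLE_ADDRS for a in addrs))

def audit_hosts(text: str, update_hosts: list[str], max_sinkholed: int = 20) -> dict:
    """Flag the file if an update host is sinkholed or too many names are."""
    sinkholed = sinkholed_hosts(text)
    blocked = sorted(h for h in update_hosts if h.lower() in sinkholed)
    return {"sinkholed_count": len(sinkholed),
            "blocked_update_hosts": blocked,
            "suspicious": bool(blocked) or len(sinkholed) > max_sinkholed}

# Constructed sample: a normal hosts file plus injected sinkhole entries.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.10  fileserver.internal          # legitimate local override
0.0.0.0     update.example-nas.test      # constructed malicious entry
0.0.0.0     download.example-nas.test firmware.example-nas.test
"""
UPDATE_HOSTS = ["update.example-nas.test", "firmware.example-nas.test"]  # placeholders

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS, UPDATE_HOSTS))
```

On a real appliance, read `/etc/hosts` into `text` and pass the vendor's actual update hostnames; a sudden jump in `sinkholed_count` is the cheaper signal when the hostname list is unknown.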
Leaks and Breaches
Dunkin’ Donuts suffers another credential stuffing attack
- The company announced that its customer accounts have been compromised in a second credential stuffing attack in the last three months. The attack took place on January 10th, 2019.
- Similarly to the first attack from November 2018, hackers used stolen credentials to access DD Perks rewards accounts. These compromised accounts were then sold on dark web forums.
600 million accounts stolen from 16 websites sold on the dark web
- The Register reported that 617 million online account details that were stolen from 16 hacked websites are now being sold on the Dream Market dark web forum.
- Databases belonging to Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, DataCamp, Armor Games, Bookmate, Whitepages, and many more, are being advertised for less than $20,000 in Bitcoin.
- According to The Register, the account records mainly consist of account holder names, email addresses, and passwords. In some cases, other information including location, personal details, and social media authentication tokens, is also being offered.
Privacy protection bypass flaw in macOS allows access to restricted data
- The flaw could allow attackers to access data stored in restricted folders, such as web browsing history, on all macOS Mojave versions up to 10.14.3.
- The flaw is not exploitable using malicious sandboxed applications, but only with non-sandboxed or notarised ones.
Container breakout security flaw discovered in runc container
- The security flaw, tracked as CVE-2019-5736, is in the runc container runtime and allows malicious containers with minimal user interaction to overwrite the host runc binary to gain root-level code execution on the host machine. Affected systems include Amazon Linux, and Amazon Elastic Container Service, Amazon EKS, Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud 9, SageMaker, RoboMaker and Deep Learning AMI.
- Runc is an open source command line utility created to spawn and run containers, as well as being used as the default runtime for containers with Docker, containerd, Podman, and CRI-O.
- The flaw is automatically blocked on systems where user namespaces are used correctly. It does, however, impact machines where ‘the host root is mapped into the container’s user namespace’, because the default AppArmor policy and Fedora’s default SELinux policy do not block the vulnerability from triggering.
Adobe Reader issues micropatch for zero-day to stop malicious PDFs connecting to attackers
- The zero-day flaw in Adobe Reader allowed maliciously crafted PDF documents to call home and send over the victim’s NTLM hash in the form of an SMB request to remote attackers. The flaw can be triggered by a malicious PDF which includes a component designed to start the automatic loading of a remote XML style sheet via SMB.
- The micropatch is delivered by the 0patch platform.
Researchers discover new cryptographic attack that breaks encrypted TLS traffic
- The attack is a variation of the original Bleichenbacher oracle attack and even works against the latest version of the TLS protocol, TLS 1.3. The researchers were able to break RSA PKCS#1 v1.5, which is currently the most common RSA configuration used to encrypt TLS connections.
- The attack also works against Google’s new QUIC encryption protocol, as well as OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL and GnuTLS.
- The flaws that enable the new Bleichenbacher attack are tracked as CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869 and CVE-2018-16870.
Vulnerable WordPress plugin permits taking over entire sites
- Security researcher Luka Šikić discovered an improper application design flaw that is ‘chained with lack of permission check’ in the Simple Social Buttons WordPress plugin. The plugin is used to support social media sharing features.
- According to Šikić, the flaw permits attackers to make modifications to a WordPress site’s main settings, permitting them to take over the sites by installing backdoors or taking over admin accounts.
- Simple Social Buttons version 2.0.22 was released on February 8th and addresses the flaw.
New offensive USB cable allows attackers to execute commands via Wi-Fi
- When the malicious USB cable is plugged into a Linux, Mac or Windows machine, it is detected by the operating system as a human interface device (HID). These devices are treated as input devices by the operating system, allowing commands to be sent as if they were typed on a keyboard.
- Security researcher Mike Grover created the cable, which includes an integrated Wi-Fi PCB that allows an attacker to connect to the cable remotely to execute commands on the computer or manipulate the mouse cursor. This allows an attacker to input commands even when the device is locked, and if the computer would lock a session due to inactivity, the cable is configured to prevent this by simulating user interaction.
- The HID attack could also be used for Wi-Fi deauthentication attacks, particularly if an attacker does not have access to a location to perform an attack but the victim’s plugged-in cable does, allowing the attacker to create a physical diversion while another remote attack goes unnoticed.
Researchers use Intel Software Guard Extensions (SGX) for attacks
- SGX provides processor instructions for the creation of secure enclaves – a space in which code can run without oversight or access from other software.
- Graz University researchers discovered that SGX can be harnessed using return-oriented programming (ROP) to host and execute malicious code that remains untraceable by other processes.
- In response to the paper, published today, Intel has noted that while SGX provides a protected enclave, it does not guarantee that code within the enclave is trusted.
Criminals install C&C malware on infected ATM devices to circumvent chip & PIN protections
- The 2019 Booz Allen Hamilton Cyber Threat Predictions Report states that cyber criminals could begin reusing ATM EMV malware to attack retail environments by infecting POS systems, potentially via USB drives, and introducing an altered EMV chip to the POS terminal.
- The attack is connected to Skimmer and Ripper malware, which use malicious EMV chips to authenticate and grant access to hidden menus within ATMs that have already been infected with the malware.
- The report states that it is possible that criminals will exploit NFC applications in the same way that they will abuse EMV technology, due to the increased use of mobile phones to authorise transactions.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.