Silobreaker Daily Cyber Digest – 12 September 2019
New Trickbot malware dropper contains 10k lines of code
- Researchers at Cybaze-Yoroi ZLab analysed a new dropper employed by TrickBot operators, composed of around 10,000 highly obfuscated lines of code. The dropper abuses Alternate Data Streams, a long-standing feature of the Windows NTFS file system, to hide its payload.
- A full analysis of the code is available on Cybaze-Yoroi ZLab’s blog.
Source (Includes IOCs)
New Kimsuky campaign targets US-based entities using trojanised documents
- Prevailion researchers observed a new campaign, dubbed Autumn Aperture, in which official documents written by industry experts were trojanised and sent to US-based entities during the summer of 2019. The researchers linked the campaign to Kimsuky, a North Korean hacker group also known as Velvet Chollima or Smoke Screen.
- The documents are delivered as Word files via socially engineered emails, with the trojan embedded in a Kodak FlashPix (FPX) file, a format less likely to be flagged as malicious by anti-virus solutions. In some cases the threat actors instead sent Bitly links that redirect the user to a webpage which downloads a RAR archive containing a trojanised document.
- The documents concern nuclear deterrence, North Korea’s nuclear submarine programme and North Korean economic sanctions, and some had been used in previous Kimsuky campaigns. This campaign saw new functionality added by the group, including the use of FPX files, enumeration of the host machine, experimentation with password-protecting the documents, and an expanded list of anti-virus products checked for by the dropper.
Source (Includes IOCs)
New malware that steals classified files has links to Ryuk
- Security researchers at MalwareHunterTeam identified malware that locates and exfiltrates files relating to finance, the military and law enforcement. It shares code similarities with the Ryuk ransomware but is designed to steal files rather than encrypt them.
- Security researcher Vitali Kremez analysed the malware. Upon execution it runs a recursive scan of the file system looking for Word and Excel files. Detected files are then checked against a list of 77 strings, including phrases such as ‘hack’, ‘tank’, ‘secret’, ‘federal’ and ‘military’. Files that match a string are uploaded to an FTP site controlled by the attacker.
- The malware also contains a blacklist so that it skips folders and files containing terms such as ‘Windows’, ‘Intel’, ‘Mozilla’ and ‘Ryuk’. It is unknown whether the author of the malware has links to the Ryuk operators or has simply altered Ryuk’s code. Bleeping Computer, MalwareHunterTeam and Vitali Kremez suggested that the malware is intended to be run prior to an encryption attack.
Source (Includes IOCs)
Virtual disk files can be abused to deliver malware
- Security researcher Will Dormann found that attackers can bypass initial anti-virus defences in Windows by placing their malware inside VHD and VHDX disk image files offered for download. Windows does not scan the contents of the container or mark it as potentially dangerous.
- Researchers tested the attack vector and found that products which would normally detect the malicious files overlooked them when they were stored in a VHD file. Security researcher Jan Poulsen wrote a script that mounted the VHD automatically and then executed the malware. He attached the VHD to a Gmail message and downloaded it with Google Chrome onto a device running Windows Defender; the malicious file was not detected at any point in this process.
- Poulsen also managed to get the malware to execute on a target system by automating the mounting process with Windows’ ‘diskpart’ command-line disk partitioning utility. Only once the malware was actually executed was it detected and stopped by anti-virus products.
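Both the VHD item above and the Kimsuky item earlier rely on a container that perimeter tools treat as opaque: a disk image in one case, a FlashPix object inside a Word document in the other. The following is an added example, not code from the digest, Will Dormann, Prevailion or any project mentioned here, of how an attachment-triage script can look past the file extension: it identifies VHD/VHDX images by their on-disk signatures (the ‘conectix’ footer cookie and the ‘vhdxfile’ identifier) and lists OLE compound objects stored under word/embeddings/ in an OOXML .docx, which is how Word stores embedded objects and FPX files are themselves OLE compound files. The sample attachments, file names and message strings are constructed for the example; it assumes .docx rather than the legacy binary .doc format.

```python
"""Attachment triage for VHD/VHDX disk images and embedded OLE objects.

Added example (not from the digest or its sources). Identifies disk images by
signature rather than extension and lists OLE objects embedded in a .docx.
All sample inputs are constructed inline; no real malware is involved.
"""
import io
import zipfile
from typing import Dict, List, Optional

VHD_COOKIE = b"conectix"       # VHD footer cookie; the footer is the last 512 bytes
                               # (dynamic/differencing VHDs also mirror it at offset 0)
VHDX_SIGNATURE = b"vhdxfile"   # VHDX file type identifier at offset 0
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header


def identify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhd', 'vhdx' or None from signatures alone, ignoring the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"
    if data[:8] == VHD_COOKIE:  # header copy of the footer in a dynamic VHD
        return "vhd"
    return None


def embedded_ole_objects(docx_bytes: bytes) -> List[str]:
    """Names of OLE compound files stored under word/embeddings/ in a .docx."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith("word/embeddings/"):
                continue
            with z.open(info) as member:
                if member.read(8) == OLE_MAGIC:
                    found.append(info.filename)
    return found


def triage(name: str, data: bytes) -> List[str]:
    """Findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    kind = identify_disk_image(data)
    if kind:
        findings.append(f"{name}: {kind.upper()} disk image by signature, extension ignored")
    if data[:2] == b"PK":  # zip container, possibly an OOXML document
        try:
            for member in embedded_ole_objects(data):
                findings.append(f"{name}: embedded OLE object {member}")
        except zipfile.BadZipFile:
            pass
    return findings


def build_samples() -> Dict[str, bytes]:
    """Constructed attachments: a VHDX, a VHD with a misleading extension, a .docx
    carrying one OLE object next to an ordinary image."""
    vhdx = VHDX_SIGNATURE + b"\0" * 1016            # minimal: identifier plus padding
    vhd = b"\0" * 1024 + VHD_COOKIE + b"\0" * 504   # fixed VHD: footer at the end
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\0" * 504)
    return {"report.vhdx": vhdx, "invoice.pdf": vhd, "briefing.docx": buf.getvalue()}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        for line in triage(fname, blob) or [f"{fname}: no findings"]:
            print(line)
```

The signature check is what matters: ‘invoice.pdf’ is reported as a VHD even though its extension says otherwise. A gateway that blocks on extension alone, or that does not expand the image before scanning, passes both containers through exactly as the researchers observed.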
New campaign delivers Astaroth trojan using Facebook and YouTube profiles
- Researchers at Cofense Intelligence observed a campaign delivering the Astaroth trojan exclusively to Brazilian citizens, similar to another campaign conducted in September 2018. According to the researchers, 8,000 machines were compromised within a week.
- The malware is delivered via emails using an invoice, show-ticket or civil-lawsuit theme, which encourage users to download and open an HTM file, thereby starting the infection chain.
- Multiple infection stages are involved, including the download of two DLL files, which are joined together and side-loaded into a legitimate program so as to bypass security measures. Process hollowing is then used to inject malicious code into running programs, after which Astaroth retrieves its C2 configuration data and starts collecting sensitive user data, including financial information, stored passwords, email client credentials, SSH credentials and more.
- The researchers found that the C2 configuration data is hosted and maintained using YouTube and Facebook profiles. The data sits within Facebook posts or in the profile information of YouTube user accounts, which enables the threat actors to bypass network security measures.
Source (Includes IOCs)
Watchbog cryptomining botnet exploits unpatched web application to access systems
- Researchers at Cisco Talos identified an attack in which the Watchbog malware infected a victim’s system via a vulnerability tracked as CVE-2018-1000861. The flaw exists in the Stapler web framework, which handles HTTP requests for Jenkins, and affects Jenkins versions up to and including 2.138.1 (LTS) and 2.145 (weekly).
- The Linux-based Watchbog malware is used to mine Monero cryptocurrency. The attackers behind this campaign made no attempt to hide their activity and relied on Pastebin for C2. They also left a note on infected systems claiming that they wanted ‘To keep the internet safe’ and stating ‘We only Wanna Mine’.
Source (Includes IOCs)
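Because Jenkins ships two release lines, a plain numeric comparison of the version string gets CVE-2018-1000861 wrong: the patched LTS release 2.138.2 sorts below the vulnerable weekly 2.145, and the vulnerable weekly 2.140 sorts above 2.138.2. The following is an added example, not code from Cisco Talos or the Jenkins project, of a check that handles both lines. The digest gives only the last vulnerable versions (2.138.1 LTS and 2.145 weekly); the fixed versions 2.138.2 and 2.146 are taken from the Jenkins security advisory of 5 December 2018 for this issue (SECURITY-867), not from the digest. The version string is normally read from the X-Jenkins header that Jenkins adds to its HTTP responses.

```python
"""Check a Jenkins version string against CVE-2018-1000861 (Stapler, SECURITY-867).

Added example, not code from the digest's sources or the Jenkins project.
LTS releases carry three components (2.138.1); weeklies carry two (2.145).
Last vulnerable versions come from the digest; fixed versions (2.138.2 LTS,
2.146 weekly) come from the Jenkins advisory of 2018-12-05.
"""
from typing import Tuple

LAST_VULNERABLE_WEEKLY = (2, 145)
LAST_VULNERABLE_LTS = (2, 138, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.138.1' -> (2, 138, 1); tolerates suffixes such as '2.138.1-SNAPSHOT'."""
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_lts(version: str) -> bool:
    """Three components means an LTS release; two means a weekly."""
    return len(parse_version(version)) == 3


def vulnerable_to_cve_2018_1000861(version: str) -> bool:
    """Compare within the correct release line rather than across both."""
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed <= LAST_VULNERABLE_LTS
    if len(parsed) == 2:
        return parsed <= LAST_VULNERABLE_WEEKLY
    raise ValueError(f"unrecognised Jenkins version format: {version!r}")


def check_header(x_jenkins_value: str) -> str:
    """Summarise an X-Jenkins header value, e.g. '2.138.1', for a scan report."""
    line = "LTS" if is_lts(x_jenkins_value) else "weekly"
    state = "VULNERABLE" if vulnerable_to_cve_2018_1000861(x_jenkins_value) else "patched"
    return f"Jenkins {x_jenkins_value} ({line}): {state} for CVE-2018-1000861"


if __name__ == "__main__":
    # Constructed header values covering both release lines and the cross-line edge cases.
    for value in ("2.138.1", "2.138.2", "2.140", "2.145", "2.146", "2.176.3"):
        print(check_header(value))
```

Running the block shows 2.138.2 reported as patched while 2.140 is reported as vulnerable, the two cases a single numeric compare would invert.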
Cobalt Dickens conducts global campaign targeting universities
- Researchers at Secureworks discovered that the hacker group Cobalt Dickens are conducting a campaign targeting universities. The researchers assess that the group are likely linked to the Iranian government. The recent campaign, observed in July and August 2019, targeted over 60 universities in Australia, the US, the UK, Canada, Hong Kong and Switzerland.
- The TTPs employed by Cobalt Dickens in this campaign are largely consistent with those observed previously. The group use compromised university resources to send emails containing links to spoofed university login pages. Credentials entered there are recorded by the attackers before the target is redirected to the genuine login site, so the victim sees nothing unusual.
- The group were observed using publicly available tools such as the SingleFile browser extension and HTTrack Website Copier to clone the login pages. Cobalt Dickens also registered twenty new domains, many of which use valid TLS certificates, predominantly issued by Let’s Encrypt. As of September 11th, 2019, the researchers had observed Cobalt Dickens targeting at least 380 universities in over 30 countries.
Source (Includes IOCs)
Leaks and Breaches
Entercom hit by ransomware attack
- Entercom Communications Corp was hit by a ransomware attack over the weekend of September 7th, 2019, affecting its emails, phones, music scheduling, production, billing, and other internal digital systems.
- According to Radio Insight, the company will not be paying the $500,000 ransom that was demanded.
Personal data of 8,253 Agora users accidentally exposed by Unicef
- On August 26th, 2019, the United Nations Children’s Fund (Unicef) accidentally sent a spreadsheet containing the personal data of 8,253 users of its Agora learning portal to roughly 20,000 users. According to Unicef, it has disabled the functionality that allows reports to be sent and also blocked the Agora server from sending emails with attachments as a prevention measure.
- Exposed data may have included names, email addresses, duty stations, gender, organisation, name of supervisor and contract type.
Dealer Leads LLC exposes 198 million records
- On August 19th, 2019, researchers at Security Discovery identified a publicly accessible Elasticsearch database belonging to Dealer Leads LLC. The dataset comprised 413GB of data and 198 million records.
- The database contained information on people looking to purchase automobiles. Data included loan and finance information, vehicle information, and the IP addresses of website visitors. Additional information included names, email addresses, phone numbers and more. The database was secured after the researchers contacted the company on August 20th, 2019.
Vulnerability found in Libra’s Move modules
- The vulnerability was present in the Move IR compiler used for Libra’s Move modules and could allow inline comments to be disguised as executable code. The flaw allows anyone with rights to publish Move modules to deceive users about what a module does, with varying levels of potential impact.
- The vulnerability was fixed in commit 7efb022.
Travelpayouts plugin update contains incomplete vulnerability fixes
- A new version of the WordPress Travelpayouts plugin, which was meant to be a security update, was found to contain an incomplete fix for a vulnerability, whilst another related issue was found to be left unfixed, leaving the plugin vulnerable to persistent cross-site scripting (XSS) attacks.
Intel patches vulnerability in Easy Streaming Wizard
- Intel patched a vulnerability, tracked as CVE-2019-11166, in Easy Streaming Wizard versions 2.1.0731 and earlier. The issue is caused by improper file permissions set by the Easy Streaming Wizard installer. An authenticated local user can exploit the vulnerability to escalate their privileges.
- A second vulnerability, tracked as CVE-2019-11184, impacts Intel Xeon E5, E7 and SP families that support Data Direct I/O Technology (DDIO) and Remote Direct Memory Access (RDMA). The vulnerability can be exploited by an attacker with adjacent network access and can potentially be leveraged to disclose information.
- Intel has not issued a patch for CVE-2019-11184 but recommends limiting untrusted access to systems with DDIO and RDMA enabled.
Bitcoin’s Lightning Network vulnerabilities discovered in the wild
- On September 10th, 2019, Lightning Labs stated that vulnerabilities that were discovered in August 2019 are now being exploited in the wild. Exploitation of the issues, tracked as CVE-2019-12998, CVE-2019-12999, and CVE-2019-13000, could result in funds being lost from accounts. Lightning Labs urged Lightning Network users to update their systems in order to mitigate the issue.
Chrome 77 fixes 52 security issues including one critical vulnerability
- The critical vulnerability, tracked as CVE-2019-5870, was discovered by Guang Gong and is a use-after-free vulnerability in the media component. The release also fixed 8 high severity issues, 17 medium severity issues and 10 low severity issues. A full list of patched vulnerabilities is available via Google.
Critical vulnerability patched in SAP NetWeaver
- SAP released their security notes for September 2019 and addressed one new critical vulnerability, tracked as CVE-2019-0355, in SAP NetWeaver AS for Java. The issue exists in ‘the SAP default implementation of the HTTP PUT method that allows attackers to bypass the input validation check.’ Successful attackers would gain the ability to upload dynamic web content and take control of the whole application.
- Updates were also applied to patches that have previously been released for three other critical flaws. A full list of CVEs and impacted products is available via SAP.
Siemens warns customers that Windows RDS vulnerabilities impact some products
- Siemens informed customers that some of its Healthineers products are impacted by a series of Windows RDS vulnerabilities known as DejaBlue. The company is working on patches for some products but also advised users to install Microsoft’s patches.
- Siemens also warned that many of its products are impacted by the Linux kernel vulnerabilities related to the handling of TCP SACK packets. The company has released patches for some products but advised most users to follow robust security practices and to limit network access to vulnerable devices.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.