Silobreaker Daily Cyber Digest – 13 February 2019
New Trickbot variant is capable of stealing remote application credentials
- According to Trend Micro researchers, the new Trickbot variant is delivered via emails disguised as tax incentive notifications from Deloitte. The emails include a Microsoft Excel attachment with malicious macros that, once executed, will infect the victim’s device with Trickbot.
- The new Trickbot version contains an updated pwgrab module that is capable of stealing VNC, PuTTY and RDP credentials.
Experts claim APT31 not APT10 responsible for attacks against Norwegian MSP and US firms
- Last week, researchers at Rapid7 and Recorded Future assessed with high confidence that the breach of a Norwegian managed service provider (MSP), a US law firm, and an international apparel company, was linked to threat actor APT10. However, specialists at PricewaterhouseCoopers and Microsoft are now saying that APT31 is actually responsible for these attacks.
- According to the specialists, the C&C structure used in the attacks corresponds to that previously used by APT31 and differs from that of APT10, despite the two threat actors using the same hacking tools and focusing on supply-chain attacks.
Scarlet Widow Gang targets victims with romance scams
- The Agari Cyber Intelligence Division (ACID) reported on the Nigerian Scarlet Widow Gang targeting the elderly, disabled, divorced and even farmers, with romance scams. The gang created fake personas using stolen pictures, fake names, personalities, and back stories on social media and dating sites including Dating4Disabled[.]com, Farmers Dating Site, and DivorcedPeopleMeet[.]com.
- Once an online relationship is established the scammers state that they are having financial difficulties and ask for assistance, usually in the form of plane tickets or accommodation.
- In one case, a Texan man was scammed out of $50,000 over the period of a year by the online persona of ‘Laura Cahill’.
Phishing campaign uses links with 1,000 characters
- The phishing email states that the victim’s email has been blacklisted due to multiple login failures and asks that they confirm it by entering their credentials. The campaign pretends to be from the victim’s mail domain’s support department. The link to input credentials leads to a landing page with a login form customised for the victim’s domain.
- Most notably the URLs in the emails are extremely long, ranging from 400 to 1,000 characters.
Scammers file fake trademarks to steal Instagram accounts
- Scammers have been observed creating fake companies and trademarks to trick Instagram into giving them legitimate ownership of sought-after Instagram handles. The handles can be used by hackers as digital mementos, to brag about their acquisition, or to resell for a profit on the dark web.
- Motherboard observed evidence of a scammer talking with someone from Facebook Advertiser Support to get control of a username belonging to another account. To do this, the scammer registered a trademark that corresponds to an existing username that they want to hijack, as well as details such as the jurisdiction, the trademark registration number, the trademark complaint form, and a link to the trademark itself.
- There are reportedly several users on the underground forum OGUsers that deal in the theft and sale of high value Instagram accounts. Some handles sell for tens of thousands of dollars’ worth of cryptocurrency.
Cybaze-Yoroi ZLAB reveal link between Gootkit and AZORult in latest campaign
- Yoroi ZLAB reported on a large-scale attack in the last few days that has hit several organisations across the Italian Cyber Industry. The attacks attempted to impersonate communication from a known express courier.
- ZLAB state that this campaign highlights the evolution of dropping techniques used in the initial stages of attacks.
Source (Includes IOCs)
Leaks and Breaches
US servers of VFEmail hacked and all data destroyed
- VFEmail stated that ‘all externally facing systems, of differing OS’s and remote authentication, in multiple data centers are down.’ The hackers formatted every disk on all the servers and all VMs were lost in the process.
- All of the data was destroyed on both the main and backup systems and the hackers did not leave a ransom note.
LandMark White suffers data breach impacting Australia’s largest banks
- The Australian property valuation firm revealed a data breach that may have affected up to 100,000 customers. LandMark White is one of the largest valuation firms used by banks and other lenders across Australia including the Commonwealth Bank of Australia, ANZ Bank, National Australian Bank, and Westpac.
- Breached data includes property valuations and personal contact information of homeowners, residents, and property agents. Although no payment information was compromised and no evidence of misuse of the breached data was found, the investigation remains ongoing.
Microsoft patch Tuesday includes fixes for zero day in IE and PrivExchange bug
- The flaw in Internet Explorer, tracked as CVE-2019-0676, affects IE version 10 or 11 running on all supported versions of Windows. The flaw allows attackers to test whether files are stored on disks held on vulnerable PCs. To exploit the flaw, an attacker must lure a target to a malicious site. Active exploits for this vulnerability have been detected.
- PrivExchange, also tracked as CVE-2019-0686, is an Exchange Server flaw that allows remote attackers with an unprivileged mailbox account to gain administrative control over the server. The flaw was publicly disclosed in January 2019, along with a proof-of-concept code.
- A fix was also included for a critical DHCP vulnerability, tracked as CVE-2019-0626, that could allow an attacker to send a specially crafted packet to a DHCP server, which would allow remote code execution to be performed on the affected server.
Design flaw in Xiaomi electric scooter permits remote control
- Zimperium researchers found that they were able to hack into Xiaomi M365 scooters by exploiting a serious design flaw.
- The flaw is a result of insecure Bluetooth communication between the scooter and its corresponding app. Hackers located up to 100 meters away from the scooter would be able to launch an attack against it.
- They released a proof-of-concept that demonstrates how the flaw can lead to denial-of-service, permits installing malicious firmware onto the scooters, and allows remote attackers to cause the scooter to suddenly brake or accelerate. In a response to Zimperium’s report, Xiaomi stated that they are aware of the flaw, however it remains unpatched.
Adobe patch 43 critical flaws in Acrobat and Reader
- CVE 2019-7089 is a zero-day flaw in Adobe Reader that was temporarily patched by 0patch on Monday and has now received a permanent fix. The flaw allowed threat actors to steal victim’s NTLM hashes. In addition, two other critical flaws, tracked as CVE-2018-19725 and CVE-2019-7041, could allow a security bypass via privilege escalation.
- In addition to a critical integer overflow flaw, tracked as CVE-2019-7030, which could allow information disclosure, the remaining critical flaws patched in the update all enable arbitrary code execution. These include out of bounds write flaws, type confusion flaws, use-after free flaws and buffer errors.
Dirty Sock vulnerability permits root access on Linux systems
- The local privilege escalation flaw, tracked as CVE-2019-7304, was discovered by researcher Chris Moberly and primarily impacts Ubuntu as well as other Linux distros.
- The bug does not permit attackers to break into vulnerable machines remotely, but once attackers gain a foothold on any unpatched system, they can gain control over the entire OS.
- The vulnerability is not in the Ubuntu operating system itself, but in the Snapd daemon included by default with all recent Ubuntu versions and other Linux distros. Snapd exposes a local REST API server that can be used to gain access to all API functions including those restricted for the root user.
- Canonical, the company behind the Ubuntu OS, released a patch addressing this flaw on February 11th, 2019.
Siemens release patches for flaws in industrial control and utility products
- In the newly released 16 security advisories, Siemens include a warning for a critical flaw, tracked as CVE-2018-3991, in the WibuKey digital rights management solution that affects the SICAM 230 process control system. The vulnerability allows attackers to cause heap overflow, potentially leading to remote code execution.
- Another flaw that was addressed is tracked as CVE-2018-3990 and permits a specially-crafted I/O request packet to cause buffer overflow, resulting in kernel memory corruption or privilege escalation.
- The remaining advisories address three denial-of-service bugs, CVE-2018-11451, CVE-2018-16563 and CVE-2018-11452, and several other less severe flaws in Siemens’ industrial products.
Researchers release new report on GreyEnergy
- Nozomi Networks researchers published a detailed report on GreyEnergy, particularly focusing on the deep analysis of the APT’s packer.
- After reverse-engineering GreyEnergy’s malware, the researchers found that it contains a ‘massive amount of junk code’ intended to confuse reverse engineers. Their report also details the infection vector, stages of the malware, how it disguises itself, its functionality, and also cites two new tools for further GreyEnergy analysis.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.