Silobreaker Daily Cyber Digest – 13 November 2019
Researchers analyse most recent WannaMine variant
- Crowdstrike researchers have analysed WannaMine v4.0, which, like WannaMine’s other variants, leverages EternalBlue to spread and compromise devices that are then used for mining cryptocurrency. One difference from WannaMine v3.0 is that this variant has renamed the directory in which it stores its exploit binaries to ‘NetworkDistribution.’ Additionally, to maintain persistence, the variant randomly generates a .dll and service name from a list of hard-coded strings.
Source (Includes IOCs)
PureLocker ransomware targeting enterprise’s production servers
- Researchers at Intezer and IBM’s X-Force IRIS team have identified a new, previously undetected ransomware, dubbed PureLocker. The malware, which is being sold as-a-service by an experienced malware seller, is written in PureBasic, which can be ported between macOS, Windows, and Linux machines. The ransomware sample analysed by the researchers is a 32-bit Windows DLL that masquerades as a Crypto++ cryptographic library.
- When executed on a user’s system, the malware performs evasion and anti-analysis checks, including the unusual use of an anti-hooking technique. PureLocker also ensures that the current year on the machine is 2019, and checks that the device has administrator rights.
- The ransomware deletes shadow copies and encrypts files, except executables, using a combination of AES and RSA encryption. The attackers demand that the target contact them by messaging their Proton email address.
- Although most of the code in PureLocker is unique, the researchers state that it also uses code from Cobalt Gang binaries and from the More_Eggs backdoor, previously used by FIN6 and the Cobalt Gang.
Iranian Cloud provider hit with DDoS attack launched through Telegram MTProxy Servers
- Beginning on November 6th, 2019, Arvan Cloud recorded a surge in traffic from IP addresses in Iran, directed toward their edge servers. The attack came through MTProxy servers that Iranian Telegram users utilise to avoid government restrictions.
- The attacks, which lasted until the end of the week, peaked at 5,000 requests per second. The company stated that by banning Telegram, the Iranian government had handed power to MTProxy administrators, who could abuse their position to easily perform DDoS attacks.
Info-stealing Trojan pushed via YouTube Bitcoin scam
- Security researcher hxFrost discovered a scammer uploading videos to YouTube promoting a key generator that could allegedly be used to steal Bitcoin. The attacker provided a link in the video description that appears to lead to a file containing the key generator; in actuality, the file contains the Predator the Thief malware.
- Users who download the software will inadvertently infect their machine with the malware. Predator the Thief can steal passwords, steal files, copy the target’s clipboard, download additional malware from the attacker’s C2, and more.
Source (Includes IOCs)
Potential TA505 campaign targets System Integrator Companies
- Security researcher Marco Ramilli identified emails containing malicious macros being sent to System Integrator Companies based in Europe. The identity of the registrant behind the domain from which the emails were coming was protected by a Panamanian company.
- The infrastructure and dropping URLs that were used in the attack led Ramilli to suggest that TA505 group were behind the attack. Alternatively, a separate threat actor could be utilising TA505’s infrastructure.
Source (Includes IOCs)
Leaks and Breaches
Starling Physicians warns patients of data breach
- The Connecticut-based health care group Starling Physicians was targeted in a phishing attack on February 8th, 2019, and a recent investigation found that affected email accounts contained personal data belonging to patients. Potentially exposed data includes names, addresses, dates of birth, passport numbers, Social Security numbers, medical information and health insurance or billing information.
New variant of ZombieLoad vulnerability discovered in Intel chip
- Security researchers discovered a flaw in the Intel Cascade Lake chip that could allow an attacker to engage in side-channel attacks. The vulnerability, called Transactional Asynchronous Abort by Intel and tracked as CVE-2019-11135, is a new variant of ZombieLoad that allows an attacker with physical access to a device to read sensitive data stored in the processor.
- The flaw was patched in Intel’s latest security update alongside 77 other vulnerabilities. This includes the critical heap overflow vulnerability CVE-2019-0169 affecting Intel CSME, Intel SPS, Intel TXE, Intel AMT, Intel PTT and Intel DAL, as well as CVE-2019-11171, a critical flaw that could allow escalation of privilege, denial of service and information disclosure in Intel BMC.
Researchers discover additional vulnerable drivers
- Eclypsium researchers published details of 40 insecure drivers from 17 major BIOS vendors in August 2019 and have since discovered additional vulnerable drivers, including some for Intel PMx. The driver allows a high level of access which could provide an attacker ‘with near omni-potent control.’ An updated version of the driver was released with Intel’s November 12th, 2019 security update.
Nautilus ATMs vulnerable to remote attacks
- Red Balloon Security Inc discovered two vulnerabilities in ATMs manufactured by Nautilus Hyosung America Inc that could allow a remote attacker to gain full control of a targeted machine and bypass its security measures. As other researchers previously noted, the master keys for the ATMs are also available for purchase on Amazon.
- Another flaw was found in Nautilus’ mobile application for ATM owners and technicians that, if exploited, could allow access to information on user accounts and ATMs, including cash balances, location, software version, and service requests. The researchers note that such information could be used by an attacker to decide which ATM to target for the highest payout.
- Only retail versions of the ATMs in the US are affected, not those used in financial institutions. Nautilus released a firmware security update for the ATMs on September 4th, 2019, and its customers were asked to update immediately. The mobile application service has temporarily been disabled until an updated version becomes available.
Bug allows iOS Facebook app access to camera without user’s knowledge
- Joshua Maddux, a user of the iOS Facebook app, noticed that his phone’s camera was actively working in the background when using the Facebook app. The issue was found to affect iPhones running iOS 13.2.2 and only if a user has given the app permission to access the camera.
- Facebook confirmed the issue, stating a flaw in which ‘the app partially navigates to the camera screen when a photo is tapped’ was accidentally introduced with the latest update. A new fix has been submitted to the App Store.
Microsoft patches 13 critical vulnerabilities including zero-day in Internet Explorer
- On November 12th, 2019, Microsoft released their monthly security update which patches 74 vulnerabilities in a range of products. Among the 13 patched critical flaws is a remote code execution vulnerability, tracked as CVE-2019-1429, in Internet Explorer. The vulnerability was being exploited in the wild by web-based attackers who utilised specially crafted web pages.
- A full list of impacted products and associated vulnerabilities is accessible via the Microsoft Security Response Center’s Security Update Guide.
Two vulnerabilities identified in TPM chips
- Researchers at the University of Lübeck, the University of California, San Diego, and the Worcester Polytechnic Institute discovered two vulnerabilities, tracked as CVE-2019-11090, and CVE-2019-16863, in Trusted Platform Modules (TPMs).
- The attacks, which are called ‘timing leakage’, allow an attacker to discover and steal 256-bit private keys that are used inside the TPM. The researchers warned that the attack is fully weaponizable.
- CVE-2019-11090 impacts Intel’s Platform Trust Technology (PTT), which is used on servers, laptops, and desktops. CVE-2019-16863 impacts the ST33 TPM chip, which is made by STMicroelectronics.
Adobe patch for November 2019 resolves 3 critical vulnerabilities
- On November 12th, 2019, Adobe Systems released their monthly security update which patched 3 critical vulnerabilities, two of which impact Adobe Illustrator 2019, and another which affects Adobe Media Encoder.
- The two vulnerabilities in Adobe Illustrator 2019, tracked as CVE-2019-8247 and CVE-2019-8248, affect versions 23.1 and earlier on Windows, and are both remote code execution vulnerabilities.
- Adobe Media Encoder version 13.1 is affected by CVE-2019-8246, which can lead to arbitrary code execution. A full list of impacted products and associated vulnerabilities is accessible via Adobe.
McAfee patches security vulnerability in Antivirus software for Windows
- Researchers at SafeBreach discovered that McAfee Total Protection, McAfee Internet Security, and McAfee AntiVirus Plus are all impacted by a local privilege escalation bug, tracked as CVE-2019-3648.
- An attacker with administrator privileges could load an arbitrary unsigned DLL in order to ‘bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence’.
35 vulnerabilities found in multiple open-source enclave SDKs
- Researchers from KU Leuven and the University of Birmingham discovered 35 vulnerabilities affecting eight enclave SDKs, which could be exploited to leak secret keys or enable remote code reuse. Five of the flaws received CVE numbers, namely CVE-2018-3626 and CVE-2019-14565 affecting Intel enclaves, and CVE-2019-0876, CVE-2019-1369 and CVE-2019-1370 affecting Microsoft enclaves.
- The eight SDKs analysed by the researchers are Intel SGX-SDK, Microsoft OpenEnclave, Graphene, SGX-LKL, Rust-EDP and Google Asylo on Intel SGX, Keystone on RISC-V, and Sancus. Enclaves are used on laptops and desktops to safely store passwords or encryption keys, and on cloud computing servers to isolate the data of different tenants.
UK Labour Party targeted in second DDoS attack
- After being targeted in a distributed denial-of-service (DDoS) attack on November 11th, 2019, the UK Labour Party confirmed it was targeted again the next day and that users ‘may be experiencing some differences’ as a result. The first attack, at first reported as originating from Russia and Brazil, has not been linked to a state and has been classed as a low-level incident.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.