Silobreaker Daily Cyber Digest – 13 September 2019
Newly discovered WiryJMPer dropper used to deliver Netwire Rat
- Researchers at Avast discovered a new dropper, dubbed WiryJMPer, disguised as an ABBC Coin wallet. The malware attempts to hide its installation from the user by displaying program windows in the foreground. Once opened, the dropper is used to deliver the remote access trojan NetWire RAT.
- NetWire RAT can be used to control the target computer, record keystrokes, steal passwords, and more.
New Glupteba trojan variants found written in Golang
- Researchers at Cybereason discovered new variants of Glupteba written in Golang. The use of Golang allows threat actors to make the malware executable across several operating systems while compiling it from a single code base.
- The researchers also observed the malware implementing a cryptocurrency miner and using living-off-the-land techniques to gain access and persistence. Yet they note the malware failed to evade detection, whilst also using contradictory techniques.
- A full analysis of the infection method is available on Cybereason’s blog.
Source (Includes IOCs)
Newly identified ‘Simjacker’ attack can deliver malware through SMS
- Researchers at AdaptiveMobile Security identified a new vulnerability and exploit that has been employed to carry out surveillance on individuals in a multitude of countries. The attack, dubbed Simjacker, has been conducted for at least two years by an unnamed private company that works with governments.
- The attack involves sending an SMS with SIM Toolkit (STK) instructions to a target mobile. The SMS can be sent from a handset, a GSM modem or an A2P account connected to an SMS sending account. The attack targets the S@T Browser within the UICC/eUICC (SIM Card) and uses the S@T Browser library as its execution environment to trigger logic on the handset.
- The attack then requests location and specific device information from the mobile. Stolen information is then sent to the attacker via SMS. Victims of the attack are unaware of either incoming or outgoing texts.
- The researchers tested the attack and found that they could use it to provide local information, launch browsers, open channels, set up phone calls, and more. Additionally, the attack works on devices from ‘nearly every manufacturer’ including Apple, ZTE, Samsung, Google, IoT devices with SIM cards, and more.
Irish mailboxes targeted with sextortion scam
- Researchers at ESET identified several related sextortion emails being delivered to Irish mailboxes. The scammers claim to have access to the victim’s computer and accuse the target of accessing child pornography. The scammers then demand £5000 in Bitcoin.
Leaks and Breaches
Garmin South Africa customer details stolen following portal breach
- On September 12th, 2019, Garmin Ltd announced that customers who bought products through Garmin South Africa’s payment portal have had their personal data compromised. Stolen personal information included phone numbers, email addresses, and first and last names. Exposed payment information included card numbers, expiration dates and CVV codes.
- Garmin did not disclose the exact details of the attack. However, security researcher Jérôme Segura suggested that the type of data exfiltrated and the fact that the portal ran on Magento CMS indicated that the attackers may have used a Magecart skimmer.
Major fraud network uncovered after discovery of unsecured database
- vpnMentor researchers uncovered a major criminal operation after discovering an unsecured database containing a cache of 17 million emails and 1.2 terabytes of data. According to vpnMentor, the owners of the database are the same fraud group that Groupon has been monitoring since 2016. However, Groupon stated that although similarities were found, no evidence that they are related or connected was found.
- The initial investigation suggested the database was exposing personal details of individuals purchasing tickets on Neuroticket, Ticketmaster and Tickpick, yet further research showed that 90% of the records on the database linked to Groupon.
- The database was found not to be linked to any of the affected vendors and to contain fraudulent accounts that were used for purchasing tickets that would later be resold at full or higher prices. The researchers also discovered a ransom note demanding $400 in Bitcoin, suggesting at least one criminal had hacked the database and was attempting to extort the owners.
WordPress contains XSS zero-day vulnerability
- If a visitor to the page has administrator rights the attacker could exploit the vulnerability to add themselves as an administrator through WordPress’s GetShell function. An attacker who gained administrator rights could then take control of the webserver.
Source (Includes IOCs)
Trend Micro publishes technical brief on critical Internet Explorer vulnerability
- Trend Micro published an analysis of a use-after-free vulnerability, tracked as CVE-2019-1208, which could allow threat actors to gain the same privileges as the user of the impacted system. If a user has administrative access, threat actors could hijack their system to install or uninstall programmes, view and modify data, create user accounts with full privileges, and more.
- The flaw could be triggered using VBScript Class through multiple steps. In response to the discovery, VBScript was disabled for Internet Explorer 11 in Windows 7, 8, and 8.1; however, according to Microsoft, VBScript could still be enabled via the Registry or Group Policy.
- The vulnerability was patched in Microsoft’s September Patch Tuesday.
Facebook patches Instagram flaw that allowed phone number to be linked to user details
- Researcher ZHacker13 identified a vulnerability in Instagram that used a combination of brute force and the platform's contact import feature to access account details and phone numbers.
- The first stage of the attack employs an algorithm to brute force Instagram's login form. The algorithm checks phone numbers to determine if they are linked to a live account. When an attacker identifies a live phone number, they can abuse Instagram's Sync Contacts feature to link the number to an account. Exposed data included users' real names, Instagram account numbers and handles, and full phone numbers.
- The researcher reported the vulnerability in early August. Facebook has now patched the issue and the attack no longer works.
Former US officials claim Israel planted spying equipment near White House
- According to Politico, three former US officials claimed that the international mobile subscriber identity-catchers (IMSI-catchers), also known as StingRays, that were discovered in 2017 were placed there by Israel. IMSI-catchers are a type of surveillance device that imitate cell towers and are used to capture calls and data use.
- Israeli Embassy spokesperson Elad Strohmayer has denied the allegations, calling them ‘absolute nonsense,’ whilst Prime Minister Benjamin Netanyahu referred to them as ‘a complete fabrication,’ stating that Israel has a directive not to undertake any intelligence work in the US.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.