Silobreaker Daily Cyber Digest – 14 August 2019
New version of GoBrut discovered
- Researchers at Cybaze-Yoroi ZLAB discovered a new version of GoBrut, used to enlist victims into the GoBrut botnet. The new version has many upgrades and new features, including modules targeting a range of e-commerce platforms. It is estimated that over 270,000 third-party destinations are currently targets of the campaign.
- The researchers published a full killchain analysis.
Source (Includes IOCs)
New version of PsiXBot discovered
- The new version of PsiXBot incorporates a new method of dynamically fetching its own DNS infrastructure by leveraging URL shortening services – retrieving hex-encoded C2 server addresses as a response.
- Four new modules have been added to PsiXBot, alongside its old features. The first, SelfDelete, allows the bot to remove itself from a target system. The second, StartCryptoModule, will monitor the system clipboard for cryptocurrency wallet addresses, replacing them with a wallet address set by the attacker. The third, StartFGModule, grabs data that has been input into web forms, saving it in a log file and exfiltrating it to the C2 server. The fourth, StartSpam, sends outbound emails via Microsoft Outlook with varied content depending on the attacker’s choosing.
Source (Includes IOCs)
Developers of HawkEye modify keylogging technique
- Researchers at Cyberbit Labs noted a change in the way HawkEye malware monitors keystrokes on a victim’s system. Previously, the malware would leverage SetWindowsHookExA API, whereas now it has been changed to exploit RegisterRawInputDevices API to register keyboard input. Whilst not a new technique, it has not been seen in HawkEye malware before.
Cerberus banking trojan targets Android devices
- In June 2019, researchers at ThreatFabric discovered criminals on an underground forum renting out Cerberus malware. The malware authors also operate a Twitter account where they promote their product and engage with malware researchers.
- Cerberus is designed to target banking activities carried out on Android devices. To ensure that it has been installed on a user's device rather than a VM, the malware reads the device's accelerometer and implements a pedometer. Once the step counter reaches a certain level, the malware activates.
- Upon activation, the malware requests privileges by asking the user to enable ‘Flash Player Service’. If enabled, the malware disables Google Play Protect and establishes persistence on the device. Cerberus can harvest user information, log keystrokes, send SMS messages, remotely install apps, and more. Additionally, the malware can perform overlay attacks against 30 unique targets including seven French and seven US banks.
Source (Includes IOCs)
Energy sector targeted by phishing campaign
- Researchers at Cofense found a ‘highly customized’ credential phishing campaign targeting companies within the energy sector.
- The sender masquerades as the CEO of the target company, claiming to have shared data with the recipient via Google Drive. Google Drive is believed to be used because it is a legitimate business service, which may allow the message to bypass spam filters. Once the shared document is accessed, it describes a business decision and provides a related document via another link.
- This link takes the recipient to a fake login page, prompting the user to enter their credentials, which will then be exfiltrated to the attacker.
Source (Includes IOCs)
Phishing emails target North American hotel industry
- 360 Security Centre researchers identified a new campaign targeting hotels in North America. The attackers send a malicious email to finance personnel which purports to contain an attachment to an outstanding bill that the target company needs to settle.
- Targets who open the file will download NetWiredRC. The malware can retrieve file directory structure, simulate mouse and keyboard clicks, download and execute files, steal login credentials, get system version information, and more.
Source (Includes IOCs)
Blank emails used to validate targets in BEC attacks
- Researchers at Agari discovered that a Nigerian BEC organisation, dubbed Curious Orca, sends blank emails to validate targets. The scammers target employees with the title of ‘Controller’ or ‘Accountant’. If the message bounces, the attackers try variants of the name until a message is delivered.
- Validated email addresses are placed on a list to be used at a later date. The researchers identified one database which contained the email addresses of 35,000 individuals and 28,000 companies.
- Curious Orca have not automated this process. Group members manually pursue these leads. Since August 2018, one associate has sent more than 7,800 blank emails to more than 3,200 companies in 12 countries.
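The validation technique described above leaves a distinctive footprint in mail-gateway logs: one external sender, many zero-byte messages with empty subjects, a high share of "unknown user" rejections, and recipient names that differ only by digits or punctuation. The following detection logic is an added example and not part of the Silobreaker digest or Agari's research; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log lines (not real traffic). The line format
# is an assumption for this example; adapt LINE_RE to your gateway's output.
SAMPLE_LOG = """\
2019-08-12T09:14:02Z from=<j.doe@mail.example> to=<jsmith@corp.example> size=0 subject="" status=rejected reason=unknown_user
2019-08-12T09:14:05Z from=<j.doe@mail.example> to=<john.smith@corp.example> size=0 subject="" status=rejected reason=unknown_user
2019-08-12T09:14:09Z from=<j.doe@mail.example> to=<jsmith1@corp.example> size=0 subject="" status=rejected reason=unknown_user
2019-08-12T09:14:15Z from=<j.doe@mail.example> to=<john.smith1@corp.example> size=0 subject="" status=delivered
2019-08-12T09:20:00Z from=<j.doe@mail.example> to=<a.jones@corp.example> size=0 subject="" status=rejected reason=unknown_user
2019-08-12T09:20:04Z from=<j.doe@mail.example> to=<ajones@corp.example> size=0 subject="" status=delivered
2019-08-12T10:02:11Z from=<newsletter@vendor.example> to=<it@corp.example> size=48213 subject="August update" status=delivered
2019-08-12T10:05:40Z from=<partner@biz.example> to=<accounts@corp.example> size=2210 subject="Invoice 1188" status=delivered
"""

LINE_RE = re.compile(
    r'from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> size=(?P<size>\d+) '
    r'subject="(?P<subject>[^"]*)" status=(?P<status>\w+)'
)


def parse_log(text):
    """Turn raw gateway lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["size"] = int(event["size"])
            events.append(event)
    return events


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def find_validation_probes(events, min_blank=3, min_reject_ratio=0.5):
    """Return {sender: summary} for external senders whose traffic looks like
    address validation: several blank messages, most of them bouncing, with
    recipient names that differ only by digits or punctuation."""
    by_sender = defaultdict(list)
    for e in events:
        # A "blank" probe has no body and no subject.
        if e["size"] == 0 and e["subject"] == "":
            by_sender[e["sender"]].append(e)

    hits = {}
    for sender, blanks in by_sender.items():
        if len(blanks) < min_blank:
            continue
        rejected = [e for e in blanks if e["status"] == "rejected"]
        ratio = len(rejected) / len(blanks)
        if ratio < min_reject_ratio:
            continue
        # Collapse "jsmith", "jsmith1", "j.smith" into one family by keeping
        # letters only, so name-variant guessing becomes visible.
        families = defaultdict(set)
        for e in blanks:
            key = re.sub(r"[^a-z]", "", local_part(e["rcpt"]))
            families[key].add(local_part(e["rcpt"]))
        variant_families = {k: sorted(v) for k, v in families.items() if len(v) > 1}
        # Delivered blanks are the addresses the sender has now confirmed as live.
        validated = sorted(e["rcpt"] for e in blanks if e["status"] == "delivered")
        hits[sender] = {
            "blank_count": len(blanks),
            "reject_ratio": ratio,
            "variant_families": variant_families,
            "validated": validated,
        }
    return hits


if __name__ == "__main__":
    for sender, summary in find_validation_probes(parse_log(SAMPLE_LOG)).items():
        print(sender, summary)
```

The `validated` list is the actionable output: those mailboxes are the ones most likely to receive the follow-up BEC lure, so they are the candidates for a warning and for tighter inbound checks on the probing sender's domain.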
Leaks and Breaches
Mental health administrator suffers data breach
- Email systems at Mid-Valley Behavioral Care Network, Oregon, were accessed by an unknown third party as the result of a phishing scam, sometime around June 25th, 2019. It has been claimed that the intruder only had access to emails, rather than databases of health records, meaning that they could only view data contained within emails, including names, addresses, and other personally identifiable information.
- According to Executive Director Justin Hopkins, all individuals impacted by the breach have been contacted.
Choice Hotels suffer data breach
- It is claimed that attackers stole over 700,000 customer records, including names, addresses, email addresses and phone numbers from Choice Hotels, one of the world’s largest hotel chains.
- Security researcher Bob Diachenko discovered a publicly accessible MongoDB instance, but it appears the actors found it prior to him, as a ransom note demanding 0.4 Bitcoin was contained within it.
- Choice Hotels stated that the data was hosted on a vendor’s server and that none of their own infrastructure was accessed. They stated in an email that they will not be working with the vendor in the future.
Vulnerable routers targeted by botnet malware
- Variants of Neko, Mirai and Bashlite malware have been discovered targeting vulnerable routers in an attempt to enlist them into botnets. This was first detected on July 22nd, 2019, when a Neko sample attempted to brute-force credentials on one of Trend Micro’s honeypots. The sample also attempts to exploit vulnerabilities such as CVE-2015-2051, a remote code execution flaw in D-Link routers, and CVE-2017-17215, a similar issue in Huawei devices.
- The Mirai variant, dubbed Asher, was first detected on July 30th, 2019, attempting to drop a BusyBox payload onto vulnerable routers. It attempts to exploit CVE-2014-8361, a command execution vulnerability in devices that use the Realtek SDK, as well as CVE-2018-10561 and CVE-2018-10562, both remote code execution vulnerabilities in GPON home routers.
- Ayedz, the Bashlite variant, attempts to send information about the infected device to a hardcoded IP address. Ayedz is capable of running multiple backdoor commands to launch DDoS attacks, including an HTTP flood capable of bypassing CloudFlare protection.
Vulnerability discovered in British Airways ticketing system
- British Airways are sending check-in links over unencrypted connections, leaving them open to interception and potentially exposing customers’ personally identifiable information.
- Passenger details are included in the URL parameters that redirect the recipient to the British Airways check-in page, allowing someone on the same Wi-Fi network to view these details and log in to the itinerary.
- Personal information within the itinerary includes email address, telephone number, BA membership numbers, names, booking references and flight details.
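Two separate weaknesses are described above: the link travels over plaintext HTTP, and the personal data sits in the query string, where it is also written to browser history, proxy logs and Referer headers even when the transport is encrypted. The checker below is an added example, not code from the digest or from British Airways; the parameter names and the two sample links are constructed, and the real parameter names in the reported links are not on the page. It flags both problems and shows how to redact such a link before it is logged.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry passenger PII (constructed list for
# this example; extend it with the names your own systems use).
SENSITIVE_PARAMS = {
    "email", "emailaddress", "phone", "telephone", "surname", "lastname",
    "firstname", "bookingref", "pnr", "membershipnumber", "ffn",
}

# Constructed sample links; hostnames and values are placeholders.
EXPOSED_LINK = ("http://checkin.airline.example/ci"
                "?surname=DOE&bookingRef=ABC123&email=jane.doe%40mail.example")
SAFE_LINK = "https://checkin.airline.example/ci?token=7f3c9a0b2e"


def _norm(name):
    """Normalise a parameter name so bookingRef, booking_ref and booking-ref match."""
    return name.lower().replace("_", "").replace("-", "")


def assess_link(url):
    """Return a list of findings; an empty list means the link passed both checks."""
    parts = urlsplit(url)
    findings = []
    # Check 1: transport. Anything other than https can be read on the path.
    if parts.scheme.lower() != "https":
        findings.append(f"unencrypted transport: scheme is {parts.scheme or 'missing'}")
    # Check 2: personal data in the query string, regardless of transport.
    exposed = sorted({
        name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
        if _norm(name) in SENSITIVE_PARAMS
    })
    if exposed:
        findings.append("personal data carried in the query string: " + ", ".join(exposed))
    return findings


def is_acceptable(url):
    return assess_link(url) == []


def redact_link(url):
    """Replace sensitive parameter values so the link can be logged safely."""
    parts = urlsplit(url)
    pairs = [
        (name, "REDACTED" if _norm(name) in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for link in (EXPOSED_LINK, SAFE_LINK):
        print(redact_link(link), assess_link(link) or "OK")
```

The safe form keeps the itinerary behind an opaque, single-use token over HTTPS, so the link itself carries nothing worth intercepting; a reviewer can apply `is_acceptable` to outbound notification templates as a release gate.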
KNOB vulnerability simplifies encryption key cracking on Bluetooth devices
- Researchers at the Center for IT-Security, Privacy and Accountability (CISPA) identified a vulnerability related to BR/EDR connections.
- The vulnerability, dubbed Encryption Key Negotiation of Bluetooth Vulnerability (KNOB) and tracked as CVE-2019-9506, allows an attacker to reduce the length of the negotiated encryption key. In some cases the key can be reduced to a single octet, which greatly simplifies a subsequent brute-force attack on the key.
- To perform the attack, an attacker would need to be in range of two vulnerable devices that are in the process of establishing a BR/EDR connection. Successful exploitation requires one of the devices to be vulnerable.
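The core of the issue is that the key size is negotiated between the two devices in the clear, and a device that accepts whatever size the other side proposes will settle for one octet, leaving only 256 candidate keys. The following is an added example and not code from the digest or from the CISPA researchers: a deliberately simplified model of that negotiation (the real exchange is carried in LMP messages and is not reproduced here) that shows the brute-force work at each key size and how a minimum-key-size policy on either device causes the downgraded negotiation to fail. The 7-octet floor is the minimum the Bluetooth SIG recommended after KNOB; the device names and limits are constructed.

```python
from dataclasses import dataclass

MAX_KEY_OCTETS = 16         # largest BR/EDR encryption key size
LEGACY_FLOOR_OCTETS = 1     # smallest size the legacy specification allowed
RECOMMENDED_MIN_OCTETS = 7  # floor recommended by the Bluetooth SIG after KNOB


@dataclass
class Device:
    name: str
    max_octets: int  # largest key size the device supports
    min_octets: int  # smallest key size the device's policy will accept


def brute_force_candidates(key_octets):
    """Number of keys an attacker must try for a key of the given size."""
    return 2 ** (8 * key_octets)


def negotiate(initiator, responder, tampered=None):
    """Simplified key-size negotiation model (assumption, not the LMP flow).

    The initiator proposes its maximum. An in-range attacker who can rewrite
    the unauthenticated proposal and reply is modelled by `tampered`: each side
    then sees that value instead of what its peer actually sent. A side whose
    policy floor is above what it sees aborts, and the link is not encrypted
    with a weak key. Returns the agreed size in octets, or None on abort.
    """
    for dev in (initiator, responder):
        if not LEGACY_FLOOR_OCTETS <= dev.min_octets <= dev.max_octets <= MAX_KEY_OCTETS:
            raise ValueError(f"{dev.name}: inconsistent key size limits")
    if tampered is not None and not LEGACY_FLOOR_OCTETS <= tampered <= MAX_KEY_OCTETS:
        raise ValueError("tampered proposal outside the permitted range")

    proposal = initiator.max_octets
    seen_by_responder = proposal if tampered is None else tampered
    reply = min(seen_by_responder, responder.max_octets)
    if reply < responder.min_octets:
        return None  # responder's policy rejects the small key
    seen_by_initiator = reply if tampered is None else tampered
    if seen_by_initiator < initiator.min_octets:
        return None  # initiator's policy rejects the small key
    return min(reply, seen_by_initiator)


def assess(initiator, responder, tampered=None):
    """Agreed size and brute-force work, or None if the negotiation aborts."""
    agreed = negotiate(initiator, responder, tampered)
    if agreed is None:
        return None
    return {"key_octets": agreed, "candidates": brute_force_candidates(agreed)}


if __name__ == "__main__":
    legacy_a = Device("phone (legacy)", 16, LEGACY_FLOOR_OCTETS)
    legacy_b = Device("headset (legacy)", 16, LEGACY_FLOOR_OCTETS)
    patched_b = Device("headset (patched)", 16, RECOMMENDED_MIN_OCTETS)
    print("no tampering:       ", assess(legacy_a, legacy_b))
    print("downgrade, legacy:  ", assess(legacy_a, legacy_b, tampered=1))
    print("downgrade, patched: ", assess(legacy_a, patched_b, tampered=1))
```

Enforcing the floor on only one side is enough to make the downgraded negotiation fail in this model, which matches the digest's note that exploitation depends on a vulnerable device; auditing which of your devices still accept sizes below seven octets is the practical follow-up.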
Adobe Patch Tuesday addresses vulnerabilities in a range of products
- The August 2019 update patches 119 vulnerabilities in eight products. These include After Effects, Character Animator, Premiere Pro CC, Prelude CC, Experience Manager, Photoshop CC, Creative Cloud Desktop, and Acrobat and Reader.
- Most vulnerabilities were present in Acrobat and Reader that ran on Windows and MacOS. Critical vulnerabilities were patched in Creative Cloud Desktop, Photoshop CC, and Experience Manager.
- A full list of impacted products and vulnerabilities is available on Adobe’s website.
Microsoft Patch Tuesday resolves two wormable vulnerabilities in Remote Desktop Services
- On August 13th, 2019, Microsoft released their August security update, issuing patches for 94 vulnerabilities, 26 of which are rated as critical.
- Two of these critical vulnerabilities, tracked as CVE-2019-1181 and CVE-2019-1182, affect Windows Remote Desktop Services and are wormable Remote Code Execution vulnerabilities. Impacted products include Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions.
- Google Project Zero researcher Tavis Ormandy also identified a bug, tracked as CVE-2019-1162, which impacted part of the Windows Text Service Framework. The vulnerability was present in all versions of Windows since Windows XP.
- A full list of patched vulnerabilities is available via Microsoft’s website.
HTTP/2 vulnerabilities can be exploited to perform DoS attacks
- Security researchers at Netflix and Google discovered seven vulnerabilities in multiple implementations of the HTTP/2 protocol. Most of the attacks operate at the HTTP/2 transport layer and are triggered when a malicious client requests that the target server generate a response which the client then refuses to read.
- By sending these requests, an attacker can force the server to consume excessive memory and CPU. This can eventually lead to a denial of service (DoS).
Czech parliamentary committee attributes cyberattack to foreign state
- The Committee of the Upper House of Parliament said that the National Cyber and Information Security Agency informed them that a foreign state was behind a cyberattack on the Czech foreign ministry. The perpetrator of the attack was not specified.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.