Silobreaker Daily Cyber Digest – 14 December 2018
Unit 42 publish analysis on malware possibly used in attack against Saipem
- Following recent reports of new samples of Shamoon malware submitted to VirusTotal on December 10th, Palo Alto Networks’ Unit 42 researchers found that the variant is a new version of the Disttrack malware and shares a lot of code with variants of Disttrack used in the Shamoon 2 attacks in 2016 and 2017.
- The sample submitted to VirusTotal is a Disttrack dropper that installs a communications module and a wiper module on the infected system and attempts to spread to other systems on the same local network by logging in with stolen credentials. However, this particular version does not include any domains, usernames or passwords, and therefore can only run on the system on which it has been executed.
- Unlike previous Shamoon attacks, this Disttrack wiper does not overwrite files with an image, but instead overwrites the MBR, partitions, and files on the system with random data. Unit 42 could not confirm this was the malware used in the attack against Saipem, however they do state that it is likely related.
Trend Micro release an analysis on the Tildeb implant leaked by Shadow Brokers
- The leaked hacking tools, released under the name ‘Lost in Translation’, included multiple zero-day remote code execution vulnerabilities in critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). In addition, the leak also includes multiple post-exploitation implants and utilities that are used to maintain persistence on an infected system, perform malicious activities and bypass authentication, among other functions.
- Trend Micro state that one implant in particular stands out, which they have named Tildeb, and detect as Trojan.Win32.TILDEB.A. By reverse engineering this standalone executable, they have found that it targets Windows NT 4.0 and Microsoft Exchange Server. In addition, the implant has several programmatic mistakes and uses the mailslot mechanism for inter-process communications.
Bomb extortion scam causes closures across the US and Canada
- Multiple US-based financial institutions reported that they received email threats stating that a bomb had been planted in the recipient’s place of work and would detonate by the end of the day unless the target paid $20,000 in Bitcoin. Many of the emails used unique Bitcoin wallet addresses and different variations of the sender’s name and the explosive material.
- The emails led to mass closures of institutions in the US and Canada, including evacuations of the Jewish Community Center of San Francisco and San Francisco’s Fire Credit Union headquarters, multiple business and hospital closures in Chicago, and building closures and school lockdowns in Tampa, Florida. In addition, San Francisco Municipal Railway’s bus lines were also disrupted.
- The relevant police services have stated that no explosive materials have been found and the threats are a hoax to cause major disruptions.
Charming Kitten targets US officials involved in sanctions against Iran to steal information
- Certfa researchers reported on a new phishing campaign by Charming Kitten, primarily targeting US citizens involved in the economic and military sanctions against Iran. Other targets include politicians, civil and human rights activists, and journalists worldwide.
- The threat actor targeted Yahoo and Gmail accounts, leveraging the fact that they knew their targets used two-factor authentication. In one scenario, Charming Kitten sent out fake alerts of unauthorized activity on a user’s account, tricking the user into clicking on a malicious link that redirected them to a fake Google Drive download page.
- Other tactics the attackers used include placing images in email bodies to bypass Google’s security and anti-phishing system, and leaving victims’ account passwords unchanged so as to remain undetected and monitor their communications in real time.
Source (Includes IOCs)
Phishing sites continue to abuse HTTPS and SSL certificates
- Wandera researchers found an increase in threat actors exploiting HTTPS and SSL certificates to make their phishing sites appear ‘secure’. Over 1,150 new HTTPS phishing sites were discovered in just one day.
- A similar finding was reported by PhishLabs in their Q3 Report released in November 2018.
Save the Children hit by BEC scam
- In May 2017, Save the Children was the victim of a business email compromise (BEC) scam that resulted in the loss of $1,000,000. The attacker allegedly gained access to an employee’s email account and distributed fake invoices and documents, tricking Save the Children into sending the money to a fake charity located in Japan. Save the Children has stated that 90% of the stolen funds were reimbursed via an insurance policy, and that they are taking steps to ensure that it does not happen again. The identity of the attacker behind the scam remains unknown.
Malaysian government attacked with ‘mash-up’ espionage toolkit
- ESET researchers released their findings of an espionage toolkit used in attacks against the Malaysian government in mid-2018. The toolkit consisted of leaked source code of well-known malware and publicly available tools, such as Gh0st RAT and NetBot Attacker.
- The toolkit was found to function as a backdoor, allowing attackers to exfiltrate or upload files to a compromised system, as well as monitor and simulate keyboard and mouse activity.
- According to ESET, some systems were infiltrated before the attack was stopped. The researchers also observed the attackers making multiple changes to previously unsuccessful evasion techniques.
Over 2,000 Brazilian mobile banking users hit with banking malware
- The users downloaded an Android-based malware that controls devices and steals personal information. The malware, tracked as Android.BankBot.495.origin, was distributed on Google Play disguised as a legitimate application, and reportedly allowed WhatsApp monitoring of Android-based devices.
- When launched, the malware attempted to gain access to the Android accessibility features. If successful, the malware would then continue operating in the background, tap buttons and steal the contents of active application windows.
- When analysing the malware’s interaction with Brazil’s second largest bank, Bradesco, the malware was observed reading the victim’s account information and automatically attempting to log in by entering the PIN code received from the C&C server. Private banking data, including account balances, was transferred to the criminals.
Leaks and Breaches
Georgia-based treatment facility notifies 16,000 patients of ransomware attack
- Mind & Motion LLC discovered the attack on September 30th, 2018. The information that may have been compromised includes names, addresses, birthdates, gender, medical history, Social Security numbers, medical diagnosis, insurance information, and medical records.
WordPress release security patch addressing privacy leak bug
- One of the seven patched flaws allows search engines to index email addresses and passwords. This leak was due to configurations that allowed the user activation screen to be indexed. The configuration settings, however, are uncommon and in most cases default-generated passwords are not exposed.
- The vulnerability could have allowed an attacker to use special queries in search engines, to uncover credentials such as email addresses that could be used for either phishing or spam.
- The patch fixed a total of seven flaws in WordPress version 5.0.1, including a cross-site scripting bug. Most of the bugs are unlikely to be leveraged as they require certain levels of privilege.
French Foreign Ministry suffers data breach
- The French Foreign Ministry announced that the Ariane system, part of its travel alert registry website, was breached, and that as a result the stolen personal data of citizens could be misused. Data stolen in the breach allegedly includes names, phone numbers and email addresses, but the ministry has made clear that financial information was not affected. The site has since been secured. It is unclear when the incident happened, or how many individuals overall were affected.
Location data is tracked by mobile apps
- The New York Times reported earlier this week that over 75 companies ‘receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information’. The data is then used by advertisers, who market ads to users based on their locations.
- The sales of location-targeted advertising reportedly reached approximately $21 billion this year.
Chinese Ministry of State Security allegedly behind Marriott breach
- Following the recent report of Chinese state-sponsored hackers being allegedly responsible for the Marriott International data breach, The New York Times stated that the attackers are suspected to be working for China’s Ministry of State Security (MSS).
- The incident is also claimed to be a part of a major intelligence-gathering operation that also included attacks on the Office of Personnel Management. The goal of the operation is to construct detailed profiles on US executives and government officials with security clearance.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.