Silobreaker Daily Cyber Digest – 14 May 2019
LockerGoga and MegaCortex ransomware share traits
- Researcher Chet Wisniewski stated that, despite a lack of similarities in the code of MegaCortex and LockerGoga, there are similarities in their behaviour and tooling.
- Operationally, MegaCortex and LockerGoga have similar processes and batch files. Moreover, both rename files before encryption and have shared at least one C2 address.
- Additionally, both forms of ransomware have been used in major cyberattacks to target global organizations.
Source (Includes IOCs)
Threat actors behind Banload malware implement new techniques
- According to SentinelOne researchers, the Brazilian cybercrime group behind the Banload trojan is implementing a new driver component, referred to as ‘FileDelete’, to remove software drivers and executables belonging to anti-malware and banking protection programs.
- The researchers state that the goal behind the driver is to carry out fraud via credential theft and account takeover. ‘FileDelete’ removes components belonging to AVG, Trusteer Rapport, Avast and the Bradesco banking-protection software ‘scpbrad’.
Source (Includes IOCs)
New report details Iran-aligned Endless Mayfly disinformation campaign
- Researchers from Citizen Lab released a new report detailing an Iran-linked network of fake personas and social media accounts used to spread disinformation primarily targeting Saudi Arabia, the US, and Israel.
- Dubbed Endless Mayfly, the ongoing campaign involves the use of websites that impersonate legitimate media outlets to post content and inauthentic online personas used to amplify such content. The messages appeared to criticize the Saudi Arabian regime, the US and Israel, and were sent to numerous journalists, activists and legitimate media outlets, to further amplify the disinformation.
- The researchers’ report provides a detailed overview of Endless Mayfly’s technical and non-technical tactics, preferred narratives, the observable impacts of their efforts, and evidence of a potential link to a malware campaign targeting Android and Windows devices. The report also analyses competing hypotheses on the perpetrators responsible for the activity.
ScarCruft continues to evolve
- Researchers at Kaspersky Lab’s SecureList have continued to monitor the Korean-speaking group ScarCruft, also known as APT37, which is known for targeting organizations and companies with links to the Korean peninsula. They found that the group continues to evolve and has recently introduced a Bluetooth harvester that can collect and save information from an infected device.
- The group used a known public exploit to implement a multi-stage binary infection scheme. By exploiting the vulnerability CVE-2018-8120, the initial dropper bypassed Windows User Account Control, allowing the next payload to be executed with higher privileges. The final payload was the cloud-service-based backdoor ROKRAT, used to steal information from affected devices.
- The researchers suggested a possible connection between ScarCruft and DarkHotel, after having discovered a victim from Russia targeted by both groups.
Leaks and Breaches
Pennsylvania-based police records company suffers malware attack
- According to various media reports, Tulip Systems, based in Pleasant Hills, Pennsylvania, suffered a malware attack last week that affected police departments and boroughs that use the firm’s software for records management.
- The affected police departments and boroughs include those in Whitehall, Munhall, West Mifflin, Pleasant Hills and South Park. All of the victims stated that they believe no data or records were compromised in the attack.
Data breach exposes information of millions of Panamanians
- Researcher Bob Diachenko discovered an unprotected Elasticsearch cluster containing 3,427,396 records labelled ‘patient’ and an additional 468,086 records labelled ‘test patients’, both relating to Panamanian citizens.
- First indexed in April 2019, the dataset had not been properly configured, allowing anyone with an internet connection to access it. Moreover, the server also had an open remote desktop protocol, allowing anyone with a password to control the server.
- The records contained names, dates of birth, national ID numbers, addresses, phone numbers and more.
Twitter discloses bug that resulted in the exposure of some users’ location data
- According to Twitter’s statement, a bug caused some users’ location data to be collected and shared with an unnamed advertising partner.
- The bug affected users who had more than one account on Twitter for iOS and opted into using the precise location feature in one of their accounts. The flaw caused location data to also be collected for the other accounts on which the feature was not enabled. Twitter claims the data was ‘no more precise than zip code or city’.
UNIQLO’s online stores in Japan suffer data breach affecting over 460,000 accounts
- Japanese retail group Fast Retailing, owner of UNIQLO, confirmed a data breach that affected 461,091 customer accounts. The breach impacted the official UNIQLO Japan and GU Japan websites, on which unauthorized logins were detected between April 23rd and May 10th, 2019.
- Data including customers’ names, addresses, contact numbers and credit card information may have been accessed.
Boost Mobile notifies customers of data breach
- Boost Mobile, a virtual mobile network owned by Sprint, informed its customers of a data breach that took place on March 14th, 2019. More than 500 people were affected, yet the exact number remains unclear.
- Data accessed by hackers included customers’ phone numbers and account PINs, allowing access to private account settings. Affected customers have been issued with new temporary PINs to prevent further access.
Further details of Fxmsp breach uncovered
- Following reports last week of the hacker group Fxmsp selling data stolen from three US-based antivirus software vendors, one of the breached companies, AdvIntel, has released information gathered on chat forums that uncovers further details.
- Director of security research at Advanced Intelligence (AdvIntel) Yelisey Boguslavskiy stated that it took six months for Fxmsp to breach their companies, during an operation conducted by two teams, one in the US and the other in Taiwan. They are currently working on remediating the breach.
- AdvIntel has also collected information about the activity of Fxmsp by gathering instant messaging logs containing discussions of their access to the data. One of the conversations included source code files for various products from antivirus companies including Symantec, McAfee and Trend Micro, though these companies have neither confirmed nor denied the breach.
Several flaws discovered in the Roav A1 Dashcam and Novatek NT9665X chipset
- The Roav A1 dashcam is a dashboard camera that uses the Roav app on Android and iOS to allow users to connect, toggle settings, download dashcam videos, and more.
- CVE-2018-4014 is a code execution flaw that exists in a WiFi command of the Roav A1 dashcam that could be triggered by sending a specially crafted packet to cause a stack-based overflow, resulting in code execution on the device. CVE-2018-4016 is a stack overflow code execution flaw in the URL-parsing functionality of the Roav A1 dashcam. An attacker could use a specially crafted packet to cause a stack-based buffer overflow, resulting in code execution on the affected device.
- Flaws in the Novatek NT9665X chipset include CVE-2018-4018, a firmware upload flaw, CVE-2018-4023, a path overflow code execution flaw, CVE-2018-4024, a denial of service vulnerability, and more. The flaws could be exploited to cause code execution, device reboot, denial of service, and more.
Critical remote code execution flaw discovered in Kaspersky Lab products
- CVE-2019-8285 was discovered and reported to Kaspersky Lab by a research team named ‘Imaginary’. The flaw is a heap-based buffer overflow vulnerability that exists in Kaspersky’s antivirus engine and could allow an attacker to remotely execute arbitrary code.
WhatsApp vulnerability exploited to infect phones with spyware
- WhatsApp disclosed that unnamed attackers, using advanced spyware made by Israeli developer NSO Group, gained access to the phones of ‘a select number of users’.
- The vulnerability, tracked as CVE-2019-3568, is a buffer overflow vulnerability in the WhatsApp VOIP stack that allows remote code execution when specially crafted SRTCP packets are sent to a target phone.
- To instigate the attack, a call is placed to a target phone and surveillance software is installed irrespective of whether the call is answered. The call then disappears from the call log, leaving no trace of compromise.
Linux machines vulnerable to remote code execution
- Machines running Linux kernels prior to 5.0.8 are affected by a remotely exploitable vulnerability, tracked as CVE-2019-11815, which can also lead to denial-of-service conditions.
- Attacks can be launched using specially crafted TCP packets which are sent to vulnerable Linux boxes.
Linksys routers impacted by information disclosure vulnerability
- Researcher Troy Mursch discovered that 25,000 Linksys Smart Wi-Fi routers in 146 countries can be accessed by remote, unauthenticated attackers exploiting a flaw, tracked as CVE-2014-8244, that was allegedly patched 5 years ago.
- By exploiting this vulnerability an attacker can gain access to device information including present and historical MAC addresses of connected devices, device names, operating systems, metadata, and more.
Cisco router vulnerabilities affecting Trust Anchor module
- Researchers at Red Balloon Security revealed two vulnerabilities affecting the Cisco ASR 1001-X router due to issues in its Trust Anchor module (TAm), a security module present in many Cisco units. The issues are believed to also affect other systems that feature TAm.
- The first vulnerability, CVE-2019-1649, was found in Cisco’s IOS operating system, allowing hackers to bypass Cisco’s TAm. The second, tracked as CVE-2019-1862, affects the Cisco IOS XE Version 16, allowing remote code execution as root.
- These vulnerabilities mean that attackers can disable the Trust Anchor without detection, enabling the attacker to make changes to the Cisco router whilst the Trust Anchor continues to report that a device is trustworthy. Cisco is due to release a software update to address these vulnerabilities.
Facebook files lawsuit against Rankwave data analytics firm
- Facebook has filed a lawsuit against Rankwave for allegedly violating Facebook rules. Rankwave, which ran apps on the Facebook platform, is being investigated for its data practices in relation to advertising and marketing.
- Rankwave reportedly misused data collected by its app for checking users’ social media ‘influencer score’. Facebook has suspended apps and accounts associated with Rankwave.
ConnectWise target of ransomware attack
- The ConnectWise Manage platform in the EU was taken offline for two weeks due to a ransomware attack that occurred on May 3rd, 2019.
- The attack came through an off-site machine used by ConnectWise for cloud performance testing outside of its network.
- ConnectWise stated that the ransomware was encryption-based and was unable to read, remove, or alter data.
WannaCry continues to affect “hundreds of thousands” two years on
- First affecting individuals and organizations globally between May 12th and May 15th 2017, WannaCry ransomware continues to exploit a vulnerability found in older Microsoft Windows operating systems.
- Research has shown that the risk is most prominent in Eastern countries, with record numbers of detection documented in India and Malaysia in 2019.
- A so-called ‘kill-switch’ discovered by security researcher Marcus Hutchins has largely stopped further attacks, but threat actors have continued to exploit this vulnerability by creating new malware, such as Emotet and Trickbot.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.