Silobreaker Daily Cyber Digest – 14 November 2019
RIG exploit kit delivers new AnteFrigus ransomware
- Security researcher Mol69 identified a Hookads malvertising campaign that redirects users to the RIG exploit kit, which in turn delivers a new ransomware, named AnteFrigus.
- Numerous security researchers found that AnteFrigus ignores the C: drive and unmapped network shares, and only targets the D:, E:, F:, G:, H:, and I: drives. This is unusual as the majority of home users save files on their C: drive.
- Security researcher Vitali Kremez, who opined that AnteFrigus is still in development, stated that the ransomware most likely failed to encrypt the C: drive due to a bug in the code.
Source (Includes IOCs)
Malicious file drops Revenge RAT and WSH RAT
- WSH RAT version 1.6 is delivered as part of the second stage infection. The RAT achieves persistence by copying itself to the Windows Startup folder and by adding new data to the Windows Registry. WSH RAT contains a range of functions, including the ability to steal information from browsers, log keystrokes, kill processes, and more.
- A full technical analysis of the attack is available via Fortinet’s blog.
Source (Includes IOCs)
APT33 used multiple small botnets to infect target networks
- Researchers at Trend Micro discovered that the Iranian APT33 group have been actively maintaining about a dozen C2 domains, each compromising up to a dozen infected computers, which they have used for gaining persistence in target networks. The malware linked to the botnet is ‘rather basic’ and can download and execute additional malware.
- The group, which is known for targeting the oil and aviation industries, used these botnets for ‘extremely narrow targeting’ of organisations in the Middle East, Asia, and the US.
- APT33 use multiple layers of obfuscation, including hosting the majority of its C2 domains on cloud-hosted proxies, and using a private VPN network. Tracking the private VPN exit nodes showed the researchers that APT33 were also performing reconnaissance operations on the networks of oil companies and companies involved in the oil industry supply chain.
- In addition to its use of botnets, the group was also observed performing ‘noisy’ attacks using phishing emails. The group uses email addresses that impersonate oil and gas and aviation companies to deliver destructive malware.
Source (Includes IOCs)
Leaks and Breaches
Health insurance provider Florida Blue notifies members of data breach
- Personal information of Florida Blue members may have been exposed due to a data breach at its third-party vendor Magellan Health. Less than 1 percent of members are believed to have been affected.
- Potentially exposed member data includes names, dates of birth and prescriptions. Florida Blue and Magellan Health do not believe the data has been misused.
Unsecured PrankDial database exposes user data
- Security Discovery researchers discovered a non-password-protected database belonging to PrankDial that contained 138 million records. Among the records were user emails, credentials and password reset tokens, IP addresses and more. No phone numbers were visible. The database has since been secured.
Flaw in bike-sharing company’s Bounceshare app could have exposed customer data
- Security researcher Ehraz Ahmed discovered a flaw in one of the APIs of the Bounceshare app, which could allow an attacker to log into any Bounceshare account and gain access to customer data. This data includes driving licenses, pictures, phone numbers and email addresses of approximately 2 million Bounceshare users.
- The vulnerability has since been fixed and, according to the company, it was not exploited by anyone. The company added that the risk was limited because an attacker would need to be a registered user and know a targeted registered user’s phone number to gain access.
Exhibitor Web UI contains code injection vulnerability
- Researchers at Cisco Talos identified a vulnerability, tracked as CVE-2019-5029, in the Config editor of Exhibitor Web UI versions 1.0.9 to 1.7.1. An attacker can insert arbitrary shell commands into the editor to achieve code execution.
- The researchers disclosed the vulnerability to Exhibitor, which has not issued a patch to date.
Intel IGC64 graphics driver contains denial-of-service vulnerability
- Researchers at Cisco Talos identified a vulnerability, tracked as CVE-2019-14574, in Intel’s IGC64.DLL graphics driver. The issue, which is present in versions 22.214.171.12409 and 126.96.36.19961, can be triggered from a VMware guest by an attacker who sends a specially crafted pixel shader file. Successful attacks can result in denial-of-service.
VMware patches five security vulnerabilities
- VMware patched five vulnerabilities, three of which were classified as important. The flaws, tracked as CVE-2019-5540, CVE-2019-5541 and CVE-2019-5542, impacted VMware Workstation and Fusion. Successful exploitation could lead to denial-of-service and information disclosure issues.
- CVE-2018-12207 and CVE-2019-11135 are rated as moderate issues and affect VMware Workstation, VMware Fusion and VMware ESXi. Full details of all vulnerabilities are available via VMware.
US National Association of Manufacturers targeted by Chinese threat actors
- According to sources speaking to Reuters, the US National Association of Manufacturers (NAM) was targeted in a cyberattack over the summer of 2019. A security firm investigating the attack concluded that the tools and techniques used in the attack have previously been associated with a known Chinese threat actor. Chinese Foreign Ministry spokesperson Geng Shuang stated these accusations were ‘creating something from nothing and have ulterior motives.’
- The incident is said to have taken place around the time of a meeting between President Trump and NAM President Jay Timmons, which was also shortly before the formal trade negotiations between the US and China took place. It is unclear why NAM was targeted or what data was stolen. A spokesperson for the organisation stated that their network is now secure.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.