Silobreaker Daily Cyber Digest – 14 October 2019
Tarmac malware targets macOS
- Researchers at Confiant found an ‘advanced piece of macOS malware’, dubbed OSX/Tarmac, being delivered as a second-stage payload by OSX/Shlayer. OSX/Shlayer was first identified in February 2018, and it began dropping OSX/Tarmac in January 2019. The researchers told ZDNet that the campaign targets users in the US, Italy and Japan.
- The initial infection vector is a fake Adobe Flash Player update whose installer is signed with a legitimate Apple developer certificate, probably registered under a false name, which makes it less likely that anti-virus software will flag it. Users who run the update are infected with OSX/Shlayer, which then downloads OSX/Tarmac.
- OSX/Tarmac is sophisticated and well developed: its function symbols are stripped, its key strings are compressed and encrypted, and its C2 traffic is protected by cryptography the researchers describe as unbreakable. Analysis of the malware’s functionality was hampered because the original C2 server had been taken down. The researchers did, however, confirm that the malware gathers system information and relays it back to the attacker.
Crypto-trading scheme discovered installing backdoor
- MalwareHunterTeam discovered a scheme that distributes a cryptocurrency trading program, called JMT Trader, which drops a backdoor on the victim’s macOS or Windows system. The attackers created a fake company, Twitter account and website offering the trading platform for free.
- Users who attempted to download the software were redirected to a GitHub repository containing Windows and macOS executables for JMT Trader, as well as source code for those who wanted to compile it on Linux.
- The program itself can be used to trade cryptocurrency legitimately. On installation, however, the installer also extracts a secondary program called CrashReporter[.]exe that acts as a backdoor. When launched, CrashReporter connects to a C2 server and executes the commands it receives.
RIG exploit kit discovered distributing new variant of Nemty ransomware
- Researcher mol69 observed the RIG exploit kit distributing malware, including a new version of Nemty ransomware. The malvertising campaign targets victims still using Internet Explorer and Flash Player and redirects them to the RIG landing page.
- Once a user lands on the exploit kit page, malicious scripts attempt to exploit flaws in the browser or plugin to install malware, including Nemty 1.6. The new version includes a modified encryption routine that calls the legacy Windows cryptographic libraries instead of a custom AES implementation.
15 apps in Google Play discovered hiding app icons
- SophosLabs discovered 15 apps in Google Play that generate intrusive ads and hide their icons from the launcher to make removal difficult. Some of the apps also disguise themselves on the phone’s App settings page. Over 1.3 million devices worldwide have installed at least one of the applications.
- SophosLabs also observed the apps using one name and icon for the application as a whole and a different name and icon for the Main Activity, so that the entry shown in the launcher does not match the entry shown in the app settings list, which helps conceal the app.
- The majority of these apps posed as utility tools such as QR code readers, image editors, backup utilities, and more.
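As an added example (not SophosLabs’ code, and not part of the original digest), the following Python script shows how a reviewer could flag this name-and-icon mismatch statically in a decoded AndroidManifest.xml: it compares the android:label and android:icon on the <application> element with those on every activity or activity-alias that carries a MAIN/LAUNCHER intent filter. The sample manifests, package names and resource names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACTION_MAIN = "android.intent.action.MAIN"
CATEGORY_LAUNCHER = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute (e.g. android:label), or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def launcher_components(app):
    """Return each <activity>/<activity-alias> under <application> that has an
    intent-filter with the MAIN action and LAUNCHER category, i.e. the entries
    the home screen launcher shows an icon for."""
    found = []
    for comp in app:
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            categories = {_attr(c, "name") for c in flt.findall("category")}
            if ACTION_MAIN in actions and CATEGORY_LAUNCHER in categories:
                found.append(comp)
                break
    return found


def find_launcher_mismatches(manifest_xml):
    """Return one finding per launcher entry whose android:label or android:icon
    is overridden with a value different from the <application> element's.
    A launcher entry that omits label/icon inherits the application's values,
    so it is not flagged."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_label, app_icon = _attr(app, "label"), _attr(app, "icon")
    findings = []
    for comp in launcher_components(app):
        reasons = []
        label, icon = _attr(comp, "label"), _attr(comp, "icon")
        if label is not None and label != app_label:
            reasons.append("launcher label %r differs from application label %r" % (label, app_label))
        if icon is not None and icon != app_icon:
            reasons.append("launcher icon %r differs from application icon %r" % (icon, app_icon))
        if reasons:
            findings.append({"component": _attr(comp, "name"),
                             "kind": comp.tag, "reasons": reasons})
    return findings


# Constructed sample manifests (package and resource names are made up).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrreader">
  <application android:label="QR Reader" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# The application presents itself as an innocuous "Back Up" entry in Settings,
# while the launcher icon advertises a QR code scanner.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.backup">
  <application android:label="Back Up" android:icon="@drawable/ic_backup">
    <activity android:name=".ScanActivity"
              android:label="QR Code Scanner" android:icon="@drawable/ic_qr">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(name, find_launcher_mismatches(manifest))
```

Run it against a manifest decoded with apktool or aapt. A hit is a heuristic rather than a verdict: legitimate apps occasionally give their launcher activity its own label, but a mismatch combined with an ad SDK and a launcher component the app can disable at runtime (the usual way an icon is hidden from the launcher) is a strong signal.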
Leaks and Breaches
Monterey Health Center informs patients of ransomware attack
- On August 12th, 2019, Monterey Health Center was hit by a ransomware attack that targeted a server containing patient medical records. No evidence of attempted or actual misuse of the data has been found. Potentially accessed patient data includes names, addresses, driver’s licence details, financial account information, Social Security numbers, and more.
Personal information of Click2Mail customers exposed in data breach
- Click2Mail is notifying over 200,000 customers of a data breach in which unknown parties used customer data to send spam emails. The point of intrusion was identified and closed on October 4th, 2019. Compromised customer data includes names, organisation names, account mailing addresses, email addresses and phone numbers.
Magnolia Pediatrics hit by ransomware attack
- Louisiana-based Magnolia Pediatrics was hit by a ransomware attack in August 2019 after its IT provider was targeted. The incident is being investigated by the FBI, and at present there is no indication that any patient data was removed by an unauthorised party.
- Potentially accessed data includes names, dates of birth, Social Security numbers, addresses, phone numbers, and more. No financial information was present on the system; nevertheless, Magnolia Pediatrics recommends that patients’ families monitor credit card statements and credit bureau reports.
Philadelphia patient health records exposed online
- A Philadelphia Inquirer reporter discovered that private health data of Philadelphia patients diagnosed with hepatitis B or C between 2013 and the end of 2018 had been exposed online. The data was published on the Philadelphia Department of Public Health website, which had collected it as part of its opioids initiative.
- Exposed information included names, gender, dates of birth, addresses, test results and, in some cases, Social Security numbers and notes by health providers. It is unclear how many people accessed the data before it was removed.
Leafly customer information exposed in data leak
- On September 30th, 2019, the marijuana information and review website Leafly discovered that some of its users’ information had been exposed in a data breach.
- The records were held in a secondary database dated July 2nd, 2016, and contained email addresses, usernames and encrypted passwords. Some users also had names, ages, gender, location and mobile numbers exposed.
- The company has begun notifying affected customers but has not disclosed the total number of users affected.
Mobile data leaked via the Tor network
- Researchers from Deloitte Canada found that approximately 30% of Android and 5% of Apple iOS devices leak personally identifiable information over the Tor network. The researchers stated that affected users are often unaware that Tor is present on their devices, as it is bundled with mobile applications.
- By operating Tor exit nodes, the researchers forced devices to fall back to plain HTTP where possible, allowing them to view unencrypted data such as web addresses, phone numbers, keystrokes, and more. The researchers said they plan to make legislators, governments and organisations aware of the issue.
Vulnerabilities in E4 Strategic systems expose personal data of home loan applicants
- Multiple vulnerabilities in E4 Strategic systems have left exposed the personal data of individuals who applied for home loans in South Africa. E4 Strategic develops and maintains systems used by several South African banks and attorneys.
- According to E4 Strategic, the flaws in question have been fixed and no unauthorised access to the data is believed to have taken place. According to MyBroadband, however, vulnerabilities remain in the system, specifically in its API: requests to and responses from the API are not encrypted, and no authentication is needed to query it.
- Although the personal data cannot be retrieved directly from that API, it can be obtained by combining its responses with a second API. Exposed data includes ID documents, home loan application information and property valuations. Affected individuals may include anyone who applied for a home loan from 2010 onwards.
Multiple vulnerabilities found in Cobham EXPLORER 710
- CERT/CC researchers disclosed six vulnerabilities in the Cobham EXPLORER 710 satcom terminal that could allow an attacker to intercept traffic such as passwords or other sensitive data, execute commands remotely, access restricted files and make changes to the device.
- The vulnerabilities, tracked as CVE-2019-9529, CVE-2019-9530, CVE-2019-9531, CVE-2019-9532, CVE-2019-9533 and CVE-2019-9534, affect firmware version 1.07. CVE-2019-9533 also affects firmware up to and including version 1.08.
Microsoft releases fix for privilege escalation flaw in Windows 10 Update Assistant
- CVE-2019-1378 is a local privilege escalation vulnerability in Windows 10 Update Assistant that could allow an attacker to elevate their permissions and run a program with SYSTEM privileges. To remediate the flaw, users need to either remove Windows 10 Update Assistant or install the latest version from Microsoft.
Juniper Networks patches vulnerabilities in range of products
- Juniper Networks patched 84 vulnerabilities across its products, 31 of which were rated critical. The flaws affect Junos OS, Contrail Networking, NFX Series, CTPView and CTP Series, SBR Carrier and SRX5000 Series.
- Two bugs in the Contrail Networking cloud network automation product, tracked as CVE-2019-3828 and CVE-2018-14721, were assigned a CVSS score of 10.0. A full list of affected products and vulnerabilities is available from Juniper Networks.
Chrome 77 update fixes eight vulnerabilities
- The update fixes eight vulnerabilities, five of which were reported by external researchers; all five were classed as high severity. The most important, tracked as CVE-2019-13693, was reported by Guang Gong of Alpha Team at Qihoo 360 and is a use-after-free in IndexedDB.
At least 29 countries impacted by ‘Simjacker’ attack
- Researchers at AdaptiveMobile Security published a list of countries where one or more mobile operators use SIM cards vulnerable to the ‘Simjacker’ attack they reported in mid-September 2019. The attack targets SIM cards that contain the pre-installed S@T Browser.
- The list includes countries in Central America, South America, Africa, Europe and Asia. The researchers stated that the vulnerability has been actively exploited against users in Mexico, Colombia and Peru.
- The researchers believe the exploit was developed by a surveillance company, but did not name it.
Huawei states that it is targeted by 1 million cyberattacks every day
- Huawei Senior Vice President and Global Cyber Security and Privacy Officer John Suffolk stated that the company’s networks and computers are attacked approximately 1 million times per day from unknown sources. According to Suffolk, the attacks originate both inside and outside the company and are aimed at stealing 5G technology.
- Suffolk asserted that the majority of attacks were neutralised, but conceded that some older types of computers had been affected.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.