Silobreaker Daily Cyber Digest – 15 May 2019
New variant of Trickbot banking trojan discovered
- Discovered by researchers at the Cybersecurity and Infrastructure Security Agency (CISA), the new variant of Trickbot is capable of stealing credentials for remote-access applications.
- This variant goes beyond the original capabilities of harvesting emails and credentials and adds a module that collects saved credentials and connection details for remote-access tools: Virtual Network Computing (VNC), PuTTY and the Remote Desktop Protocol (RDP).
- Trickbot is usually spread via malspam campaigns carrying embedded URLs or infected attachments.
New malware infects macOS and Windows systems
- Researchers at Doctor Web discovered new malware designed to target macOS. The Siggen backdoor is distributed via websites controlled by its developers, one disguised as a personal website with a fake portfolio and the other disguised as the official WhatsApp messenger website.
- When one of the sites is opened, embedded code determines the visitor's operating system and, depending on the result, downloads either the Siggen backdoor (on macOS) or the NetWeird trojan (on Windows).
- The Siggen backdoor allows attackers to fetch malicious code from a remote server and execute it, while the NetWeird trojan allows attackers to control a victim's machine remotely, including using the targeted device's camera and microphone.
Plead malware distributed by misusing ASUS WebStorage
- Researchers at ESET found the Plead backdoor being deployed in new activity in Taiwan, where the malware was created and executed by a legitimate process belonging to the Windows client of ASUS WebStorage, a cloud storage service. The client executable is digitally signed by ASUS Cloud Corporation.
- Plead is a backdoor allegedly used by the BlackTech group, which is known to focus on cyber espionage in Asia. ESET assesses that the malware is most likely delivered via man-in-the-middle attacks at router level.
- ASUS WebStorage is known to be susceptible to such attacks because the client does not validate the authenticity of an update before executing it, so an attacker positioned on the path can intercept the update process and replace the legitimate update with malware. The signed client then launches the malware itself, which is why the activity appears to come from a trusted process.
Source (Includes IoCs)
Magecart actors target CloudCMS and Picreel
- Researchers at RiskIQ reported that the content management system CloudCMS and the analytics provider Picreel were hit by supply chain attacks in which Magecart web-skimmers were inserted into scripts that each service serves to its customers' websites.
- RiskIQ assessed the damage as limited: only a few hundred websites loaded the CloudCMS-hosted script, and fewer still ran the exact version that was compromised.
Connections between Chinese APTs found
- Researchers from the BlackBerry Cylance Threat Intelligence team analysed an Area 1 Security report on Chinese hacking activity and were able to confirm connections between several suspected Chinese state-sponsored and non-state-sponsored actors.
- The report stated that the Chinese government's Strategic Support Force (SSF) gained access to diplomatic cables and compromised over 100 foreign organisations. The researchers noticed that one of the domains cited in connection with these attacks, used by the attackers for C2, had also been seen in connection with a range of other, otherwise unrelated Chinese APT groups. They also found evidence that different Chinese APT groups were using the same malware and, in some instances, the same exploit builder.
- They assess that Chinese threat groups either share IoCs or take on the same targets and tasking as other Chinese groups, which means that blacklisting one group's IoCs still leaves defenders exposed to the others.
Source (Includes IOCs)
Leaks and Breaches
Paterson Public Schools suffer data breach
- The New Jersey school district suffered a data breach in which 23,103 records were stolen, including account passwords, desktop logins, access tokens, laptop credentials and more. According to the Paterson Times, there is no indication that financial information was stolen.
- The stolen usernames were stored in plain text, while the passwords were protected with weak, reversible encryption that is 'relatively simple to reverse'. It is believed that the data was stolen in October 2018.
Keyloggers injected into Best of the Web’s seals of trust
Oklahoma City Public Schools targeted by ransomware attack
- A recent ransomware attack impacted Oklahoma City Public Schools, compromising data stored on the school district's computer network. Authorities suspect the attack may have begun with a phishing email. The investigation remains ongoing.
Microsoft warns of critical RCE flaw in Remote Desktop Services that could lead to worm-like infection
- Microsoft released a security advisory for a critical vulnerability, tracked as CVE-2019-0708, in Remote Desktop Services (reachable over RDP). The flaw is pre-authentication and requires no user interaction, so malware could exploit it to spread from one vulnerable computer to the next. Microsoft compares the 'wormable' nature of the flaw to the way WannaCry ransomware spread globally in 2017.
- The vulnerability is a remote code execution (RCE) flaw that affects the in-support systems Windows 7, Windows Server 2008 R2 and Windows Server 2008, and the out-of-support systems Windows Server 2003 and Windows XP, for which Microsoft has also issued patches. Windows 8 and Windows 10 are not affected.
- Although Microsoft has not observed any exploitation of the flaw so far, it warns that it is 'highly likely' that malicious actors will develop an exploit and incorporate it into their malware, and urges users to patch all vulnerable systems as soon as possible. Where patching is delayed, enabling Network Level Authentication (NLA) forces authentication before the vulnerable code is reached, which Microsoft describes as a partial mitigation; blocking TCP port 3389 at the perimeter reduces exposure but does not stop spread inside a network.
Adobe patches over 80 flaws in its products including two RCE bugs in Acrobat Reader
- Adobe's May Patch Tuesday addressed 84 vulnerabilities across its products, including a critical flaw in Flash Player tracked as CVE-2019-7837. The update also addressed two remote code execution (RCE) flaws in Acrobat and Acrobat Reader that were reported by Cisco Talos.
Four new vulnerabilities discovered in Intel processors lead to speculative execution attacks
- Multiple research teams independently developed three speculative-execution side-channel attacks, dubbed RIDL, Fallout and ZombieLoad, that exploit four flaws in Intel processors, collectively named Microarchitectural Data Sampling (MDS) by Intel.
- The MDS flaws are tracked as CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091, and affect Intel CPUs released since 2008. The attacks sample stale data from CPU-internal buffers (store buffers, fill buffers and load ports) during speculative execution, so an attacker running unprivileged code on a vulnerable machine could extract information belonging to the operating system kernel, other processes, Software Guard Extensions (SGX) enclaves and CPU-internal operations. Mitigation needs both a microcode update and operating system changes that flush these buffers at privilege boundaries; because the buffers are shared between hyperthreads, sibling threads remain exposed unless simultaneous multithreading (SMT) is disabled.
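The practical follow-up to the MDS item is checking whether a given Linux host has the microcode plus kernel mitigation and whether SMT still leaves it exposed. The Linux kernel reports this in one line under `/sys/devices/system/cpu/vulnerabilities/mds`. The program below is an added example written for this digest, not code from Intel or any of the research teams: it classifies that line, flags the SMT caveat described above, and falls back to constructed sample lines (in the kernel's own string format) so it runs offline. The "needs action" policy is this example's assumption, not a vendor rule.

```c
/*
 * Added example (not from Intel, the kernel project or the MDS researchers):
 * classify the Linux kernel's MDS status line. The strings matched below are
 * the forms the kernel emits for the "mds" sysfs file; the sample lines at the
 * bottom are constructed to exercise each form.
 */
#include <stdio.h>
#include <string.h>

enum mds_state { MDS_UNKNOWN = 0, MDS_NOT_AFFECTED, MDS_MITIGATED, MDS_VULNERABLE };

/* Map one sysfs line to a state. When smt_vulnerable is non-NULL it is set to 1
 * if the kernel reports "SMT vulnerable", i.e. buffer clearing is active but a
 * sibling hyperthread can still sample the buffers. */
enum mds_state classify_mds(const char *line, int *smt_vulnerable)
{
    if (smt_vulnerable) *smt_vulnerable = (strstr(line, "SMT vulnerable") != NULL);
    if (strncmp(line, "Not affected", 12) == 0) return MDS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MDS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MDS_VULNERABLE;
    return MDS_UNKNOWN;
}

/* Policy (assumption of this example): 0 = acceptable, 1 = needs action.
 * Acceptable means "Not affected", or buffer clearing active with SMT disabled
 * or reported as mitigated. Inside a VM the kernel cannot see SMT ("SMT Host
 * state unknown"), so that case is flagged for the hypervisor owner to confirm. */
int mds_needs_action(const char *line)
{
    int smt = 0;
    enum mds_state st = classify_mds(line, &smt);
    if (st == MDS_NOT_AFFECTED) return 0;
    if (strstr(line, "SMT Host state unknown") != NULL) return 1;
    if (st == MDS_MITIGATED && !smt) return 0;
    return 1;
}

/* Read the live sysfs line if present. Returns its length, or -1 when the file
 * is absent (not Linux, or a kernel that predates the MDS reporting). */
int read_sysfs_line(const char *path, char *out, size_t outsz)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(out, (int)outsz, f)) { fclose(f); return -1; }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return (int)strlen(out);
}

/* Constructed sample lines in the kernel's format. */
static const char *samples[] = {
    "Not affected",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT mitigated",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Vulnerable",
};

int main(void)
{
    char live[256];
    const char *path = "/sys/devices/system/cpu/vulnerabilities/mds";
    if (read_sysfs_line(path, live, sizeof live) >= 0)
        printf("live: %s -> %s\n", live, mds_needs_action(live) ? "ACTION" : "ok");
    else
        printf("live: %s not readable, showing constructed samples\n", path);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-70s -> %s\n", samples[i], mds_needs_action(samples[i]) ? "ACTION" : "ok");
    return 0;
}
```

The same classifier works unchanged on the sibling files the kernel later added for related data-sampling issues (for example `tsx_async_abort`), since they use the same "Not affected / Mitigation: / Vulnerable" prefixes.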
RCE flaw discovered in Antenna House Rainbow PDF document converter
- Cisco Talos reported a remote code execution (RCE) vulnerability, tracked as CVE-2019-5030, in Antenna House's Rainbow PDF that is triggered when the software converts a crafted PowerPoint document. The flaw has since been patched.
- The vulnerability arises because the converter 'incorrectly checks the bounds of a particular function, causing a vtable pointer to be overwritten.' This lets an attacker 'overflow the buffer and gain the ability to execute code remotely on the victim machine', since a controlled vtable pointer redirects the next virtual call made on the corrupted object.
Apple patches 21 flaws in WebKit
- The security updates for iOS, macOS, Safari, tvOS and watchOS include fixes for 21 WebKit flaws. Twenty are memory corruption issues that could lead to arbitrary code execution while processing maliciously crafted web content.
- The remaining WebKit flaw is an out-of-bounds read that could expose process memory while processing maliciously crafted web content.
- The same updates also fix flaws in non-WebKit components, including Contacts, Disk Images, Kernel, Lock screen, Mail and Mail Message.
Check Point researchers analyse WhatsApp vulnerability
- The recently patched WhatsApp vulnerability, tracked as CVE-2019-3568, is a buffer overflow in WhatsApp's handling of SRTCP, the secured form of the RTP Control Protocol used to manage voice calls. By diffing the patched version of WhatsApp against its predecessor, the researchers found that an RTCP handler function had been modified and new length validation checks added to prevent the overflow.
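Both the Rainbow PDF bug (a bounds check that lets a copy run over a vtable pointer) and the WhatsApp bug (an RTCP handler that needed length checks) are the same defect class: a length taken from attacker-controlled input is used to copy into a fixed-size object without comparing it to what was actually received or to the object's capacity. The program below is an added example written for this digest, not code from WhatsApp, Check Point, Antenna House or Cisco Talos. It walks a compound RTCP packet, whose 16-bit length field counts 32-bit words minus one (RFC 3550), into a constructed record whose payload buffer is followed by a function pointer standing in for a vtable. The unchecked parser is shown for contrast and is never called; the checked parser is what the test exercises. Sample packets are constructed.

```c
/*
 * Added example (not code from WhatsApp, Check Point, Antenna House or Cisco Talos):
 * length validation in an RTCP packet walker. The record layout, REPORT_MAX and
 * all sample packets are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTCP_HDR_LEN 4
#define REPORT_MAX   64   /* constructed: capacity of the payload copy */

/* Constructed record: payload buffer followed by a "vtable" slot. A copy that
 * runs past payload[] lands on on_report, which is what a vtable overwrite does. */
struct rtcp_record {
    uint8_t  pt;
    uint16_t payload_len;
    uint8_t  payload[REPORT_MAX];
    int    (*on_report)(const struct rtcp_record *);
};

static int default_handler(const struct rtcp_record *r) { return (int)r->payload_len; }

/* Size in bytes of one RTCP packet from its header: (length + 1) * 4. */
static size_t rtcp_packet_len(const uint8_t *hdr)
{
    uint16_t words = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return ((size_t)words + 1) * 4;
}

/* VULNERABLE shape: trusts the packet's own length field and ignores how many
 * bytes were actually received. A length field of 0xFFFF claims 262144 bytes;
 * memcpy would run over payload[] and then on_report. Never called here. */
int parse_rtcp_unchecked(struct rtcp_record *rec, const uint8_t *buf, size_t len)
{
    (void)len;                                      /* received length ignored: the bug */
    size_t plen = rtcp_packet_len(buf) - RTCP_HDR_LEN;
    rec->pt = buf[1];
    rec->payload_len = (uint16_t)plen;
    memcpy(rec->payload, buf + RTCP_HDR_LEN, plen);  /* no bound against REPORT_MAX or len */
    return 0;
}

/* HARDENED: every claim in the header is checked against the bytes received
 * and against the record's capacity before anything is copied. */
int parse_rtcp_checked(struct rtcp_record *rec, const uint8_t *buf, size_t len)
{
    if (len < RTCP_HDR_LEN) return -1;              /* need a full header */
    if ((buf[0] >> 6) != 2) return -1;              /* RTP version must be 2 */
    size_t pkt = rtcp_packet_len(buf);
    if (pkt > len) return -1;                       /* header claims more than was received */
    size_t plen = pkt - RTCP_HDR_LEN;
    if (plen > REPORT_MAX) return -1;               /* larger than the record can hold */
    rec->pt = buf[1];
    rec->payload_len = (uint16_t)plen;
    memcpy(rec->payload, buf + RTCP_HDR_LEN, plen);
    rec->on_report = default_handler;
    return (int)pkt;                                /* bytes consumed, so a compound can be walked */
}

/* Walk a compound RTCP packet. Returns the number of accepted sub-packets,
 * or -1 at the first malformed one (nothing after it is trusted). */
int parse_rtcp_compound(const uint8_t *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        struct rtcp_record rec;
        int used = parse_rtcp_checked(&rec, buf, len);
        if (used < 0) return -1;
        (void)rec.on_report(&rec);                  /* dispatch through the intact pointer */
        buf += used;
        len -= (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample packets (PT 200 = Sender Report, 201 = Receiver Report). */
static const uint8_t sample_ok[]        = { 0x80, 200, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_compound[]  = { 0x80, 200, 0x00, 0x01, 1, 2, 3, 4,
                                            0x81, 201, 0x00, 0x01, 5, 6, 7, 8 };
static const uint8_t sample_oversized[] = { 0x80, 200, 0xff, 0xff, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_truncated[] = { 0x80, 200, 0x00, 0x02, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_badver[]    = { 0x40, 200, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    printf("ok:        %d\n", parse_rtcp_compound(sample_ok, sizeof sample_ok));
    printf("compound:  %d\n", parse_rtcp_compound(sample_compound, sizeof sample_compound));
    printf("oversized: %d\n", parse_rtcp_compound(sample_oversized, sizeof sample_oversized));
    printf("truncated: %d\n", parse_rtcp_compound(sample_truncated, sizeof sample_truncated));
    printf("badver:    %d\n", parse_rtcp_compound(sample_badver, sizeof sample_badver));
    return 0;
}
```

The two checks that matter are `pkt > len` (the header may not claim more than arrived) and `plen > REPORT_MAX` (the destination has a fixed capacity); the Rainbow PDF description is a failure of the second kind, the WhatsApp fix is of the first. Rejecting the whole compound at the first bad sub-packet avoids resynchronising on attacker-chosen offsets.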
Siemens addresses vulnerabilities in LOGO!, SINAMICS and other products
- The patched flaws include two high-severity vulnerabilities in SINAMICS Perfect Harmony GH180 medium-voltage drives that could be exploited by an attacker with access to the network the targeted device is connected to. The flaws require no user interaction or privileges.
- In addition, LOGO!8 BM devices are affected by three critical flaws that could be exploited by an attacker with network access to TCP port 10005 to decrypt project data, access unencrypted passwords or reconfigure devices.
- There are also several critical flaws affecting SIMATIC PCS 7 and WinCC products that could allow unauthenticated code execution, arbitrary code execution and denial-of-service attacks.
Russians hacked two Florida counties' election data in 2016
- Florida Governor Ron DeSantis confirmed that Russian hackers accessed election data in two Florida counties following successful spear-phishing attacks. The Mueller report did not identify which counties' systems were affected, but did report that the hackers sent spear-phishing emails to approximately 120 Florida election officials' email accounts.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.