Silobreaker Daily Cyber Digest – 15 November 2019
Microsoft Office 365 administrator accounts targeted in new phishing campaign
- PhishLabs researchers observed threat actors impersonating Microsoft and its Office 365 brand in a broad phishing campaign using multiple validated domains not related to Microsoft. Using domains belonging to a legitimate organisation allows the attacker to bypass security measures and avoid being blocked.
- The campaign targets Office 365 administrative credentials to gain access to all email accounts on a domain, as well as any elevated privileges an administrator may have, which could allow for further compromises. Additionally, the threat actors are capable of creating new accounts within an organisation, which could be used to send out new attacks under the guise of the targeted organisation.
Source (Includes IOCs)
Threat actors increasingly use specific document types to evade detection
- Researchers at Rapid7 noted an increase in threat actors using malformed document headers, white-coloured fonts to hide obfuscated JScript code, and embedded VBA macros in malicious documents as a method of bypassing security measures.
- The researchers analysed a specific sample using such multi-layered antivirus evasion techniques, which is detailed on Rapid7’s blog.
Source (Includes IOCs)
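One defender-side check for the white-font trick described above, written as an added example (not part of the Rapid7 analysis or this digest): it unpacks a .docx, flags runs whose colour is FFFFFF or that carry the w:vanish property, and reports whether a VBA project is embedded. The sample document is constructed inline so the check runs offline.

```python
"""Flag white-font or vanished text and embedded VBA in a .docx (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def hidden_runs(docx_bytes: bytes) -> list[str]:
    """Return the text of runs coloured white (FFFFFF) or marked w:vanish."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for run in root.iter(f"{{{W}}}r"):
        rpr = run.find("w:rPr", NS)
        if rpr is None:
            continue
        color = rpr.find("w:color", NS)
        white = color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF"
        vanished = rpr.find("w:vanish", NS) is not None
        if white or vanished:
            flagged.append("".join(t.text or "" for t in run.findall("w:t", NS)))
    return flagged


def has_vba(docx_bytes: bytes) -> bool:
    """True if the package carries a vbaProject.bin part (embedded macros)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def build_sample() -> bytes:
    """Constructed sample: one visible run, one white run, one vanished run."""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t>Invoice attached.</w:t></w:r>
<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>var s = "obfuscated";</w:t></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:t>hidden note</w:t></w:r>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/vbaProject.bin", b"\x00")  # constructed placeholder part
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("hidden runs:", hidden_runs(sample), "| vba:", has_vba(sample))
```

A real triage tool would also flag tiny font sizes and text matching the page background; this block covers only the two properties named above.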
Tax assessment and refund lure malware campaign targets users in Europe and North America
- Researchers at Proofpoint identified a threat actor, tracked as TA2101, targeting companies and organisations in Germany, Italy and the US with a variety of malware. The actors used the Cobalt Strike tool in their German campaigns. The legitimate software, which emulates a backdoor framework, has previously been abused by APT32, APT19, and others.
- German users were targeted on October 16th, October 20th, and November 6th, 2019, with malicious emails which purported to come from the Bundeszentralamt für Steuern, the German Federal Ministry of Finance. The emails, which primarily targeted IT companies and businesses, contained a malicious Microsoft Word document which delivered Maze ransomware. A near-identical campaign also targeted German users on November 7th, 2019; in this instance the attackers posed as a German Internet service provider.
- Attacks against Italian users began on October 29th, 2019, with emails that appeared to come from the Agenzia Entrate, the Italian Ministry of Taxation. The attackers once again used a malicious Microsoft Word document which delivered Maze ransomware.
- On November 12th, 2019, users in the US were targeted with an email which purported to come from the United States Postal Service. The email contained a malicious Microsoft Word attachment which delivered the IcedID malware payload onto victims’ machines.
Source (Includes IOCs)
Ongoing campaigns use custom droppers to deliver information stealers
- Since January 2019, researchers at Cisco Talos have tracked threat actors using custom droppers to deliver malware such as Agent Tesla and Lokibot.
- The researchers analysed an attack which dropped Agent Tesla; the campaign began with an email containing a malicious ARJ archive. Using complex droppers with a variety of obfuscation techniques ensures that antivirus software fails to detect the malware.
- The malware is never stored unencrypted on the hard drive and is only injected into memory at runtime. Following infection, the malware can steal information from a variety of browsers and software products. An in-depth kill-chain analysis is available via Cisco Talos.
Source (Includes IOCs)
Recently discovered Trojan malware on Android continues to infect devices
- Researchers at Malwarebytes identified an Android trojan, named Android/Trojan.FakeAdsBlock, which purports to be an ad-blocker app. The malware, which was detected last month, has infected over 500 devices. The researchers believe that the infection, which appears to be spreading in the US, most likely originates from a third-party app store.
- Once installed on a target device, the malware asks to connect to a VPN; in reality, enabling this setting allows the malware to run constantly in the background. The primary function of the malware is to display adverts, which it does in full screen and in notifications. The malware proves difficult to detect as it hides its icon and does not show its name or logo on the App Info page.
Leaks and Breaches
Misconfigured database exposes billing files of patients treated for alcohol or drug addiction
- A misconfigured Amazon AWS S3 bucket belonging to the private network Sunshine Behavioral Health LLC exposed personal and financial information of patients of Monarch Shore, Chapters Capistrano and Willow Springs Recovery facilities. The leak was first discovered in late August 2019 and the database was secured shortly after. During a follow-up investigation, a DataBreaches[.]net researcher discovered the database was still accessible without a password until November 12th, 2019.
- The database contained approximately 93,000 patient files related to billing information, exposing patient names, dates of birth, postal and email addresses, telephone numbers, full credit card numbers with partial expiry dates and full CVV codes, and more.
Select Health Network and Solara Medical Supplies expose patient data
- On November 13th, 2019, Select Health Network disclosed that an employee’s email account was accessed by an unauthorised party. The intruder, whose identity is unknown, had access to the email accounts from May 22nd, 2019, until June 13th, 2019. Personally identifiable information that was accessible via the email accounts included names, addresses, dates of birth, treatment information, and more.
- Solara Medical Supplies revealed that a series of successful phishing attacks allowed an attacker to access employees’ Office 365 accounts between April 2nd, 2019, and June 20th, 2019. Information accessed through the breached accounts included names, addresses, dates of birth, financial information, Social Security numbers, and more.
- Neither company disclosed how many individuals were impacted in the data breach incidents.
Vulnerability detected in Symantec Endpoint Protection software
- Researchers at SafeBreach Labs identified a vulnerability, tracked as CVE-2019-12758, in all versions of Symantec Endpoint Protection prior to 14.2 RU2. An attacker who loads an arbitrary unsigned DLL into a process which is signed by Symantec can exploit the flaw to evade defences, achieve persistence, and escalate privileges.
Vulnerabilities found in TEE implementations
- Check Point researchers discovered multiple vulnerabilities in Trusted Execution Environment (TEE) implementations. One of the vulnerabilities, tracked as CVE-2019-10574, is present in Qualcomm’s Secure Execution Environment (QSEE), the most popular TEE implementation for Android-based mobile devices, and could allow for a fuzzing attack.
Lizard Squad claims responsibility for Labour Party DDoS attacks
- Lizard Squad, a group known for targeting gaming platforms, has claimed responsibility for the recent distributed denial-of-service (DDoS) attacks against the UK Labour Party. Security experts noted that the group has previously carried out similar attacks and is also the only one to have taken responsibility at present, making it ‘a strong indication of a credible claim,’ according to Andras Somkuti of Netlock.
- A Tweet by the group stated that ‘Today’s DDoS attack on the Labour Party is to show that no terrorist supporting government should allow to rule.’ According to the Independent, the group also claims to have compromised Jeremy Corbyn’s family members’ personal accounts and is currently carrying out DDoS attacks against their home internet.
5.4 billion fake accounts taken down by Facebook in 2019
- Facebook published its latest Community Standards Enforcement Report, which revealed that the company removed about 5.4 billion fake accounts from its social media website in 2019. The company stated it had improved its ability to detect and block fake account creation attempts and estimates that its detection systems prevent about a million such attempts per day.
- The report also details government demands for user information. Requests from the US government increased by 16%, and the US remains the country issuing the largest number of requests, followed by India, the UK, Germany and France.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.