Silobreaker Daily Cyber Digest – 15 October 2019
Researchers analyse sextortion spam that uses infected devices to mine Monero
- Reason Cybersecurity researchers have analysed a recent sextortion campaign that uses the Save Yourself malware both for blackmail and for Monero mining. The threat actors claim to have infected victims with a remote access tool (RAT) and lend the claim credibility by quoting the victim’s password. In reality, the victims’ email addresses and passwords came from a password dump file and their devices are not infected with a RAT. The emails are, however, sent from other compromised devices that are infected with the malware.
- The infected devices act as proxies for sending the sextortion spam while their CPUs are used for Monero mining, capped at 50% of CPU capacity to avoid drawing attention. The malware also reads the clipboard and replaces any Bitcoin wallet address it finds there.
- The malware spreads via USB devices and network shares by masquerading as a legitimate programme, and persists by infecting every executable file on the device. To avoid detection, it runs the original programme and deletes the alternate data stream once its own payload has executed. It also pauses for 24 hours before downloading additional executables.
Source (Includes IOCs)
Hackers continue using stolen Deliveroo account information to place orders
- A Mail on Sunday investigation found that hackers continue to sell access to Deliveroo customer accounts, alongside accounts for other services, on the dark web. The credentials are believed to have been obtained from data breaches at other companies, so customers who reuse passwords across platforms are the most exposed to this credential-stuffing activity.
- Hackers who buy the stolen credentials log into the accounts and change the telephone number and delivery address to divert orders, then restore the original details and log out to avoid detection.
- Deliveroo, which had previously been alerted to the issue, says that ‘measures to combat fraudsters and to protect customer accounts’ are introduced regularly.
TA407 continues to operate convincing phishing campaign despite DOJ indictments
- Researchers at Proofpoint found that the Iran-based hacking group TA407, also known as Silent Librarian, is continuing to target higher education institutions. The group’s most recent activity occurred in September 2019 and involved registering new Freenom domains to host phishing pages.
- The group aims to acquire the login details of students at universities in North America and Europe, and then uses these credentials to access and exfiltrate intellectual property and academic data.
- TA407 sends emails to students warning that their library access will be restricted unless they sign into a university portal and verify their accounts. The message carries the school logo and a link to a cloned login page. The threat actors frequently update the wording and appearance of their fake login pages to mirror changes to the genuine portals.
- The researchers warned that detection is difficult because of the group’s use of university-hosted and free URL shorteners, and its abuse of legitimate services and infrastructure.
Source (Includes IOCs)
Forum analysis shows success of Sodinokibi campaign
- Researchers at McAfee continued their multi-part analysis of Sodinokibi ransomware by examining underground forums and tracing victims’ bitcoin payments. Posts on underground forums show that the ransomware owners are actively recruiting experienced affiliates to infect targets. Affiliates are paid a 60% cut of each ransom received, rising to 70% after three successful payments.
- One affiliate posted a screenshot of their earnings with partial transaction IDs (TXIDs), from which the researchers were able to recover the full TXIDs. The post appears to show $287,000 received in a 72-hour period, which at a 30% cut would leave the ransomware operators approximately $86,000.
- The researchers identified over 41 active affiliates distributing Sodinokibi ransomware. One affiliate was observed transferring multiple small amounts into a wallet holding approximately $4.5 million worth of bitcoin. The researchers concluded that the ransomware owners are probably ‘making a fortune’.
Emotet malware distributor targets company with fake SOC report
- Security researcher Marco Ramilli identified a threat actor targeting a company with a well-crafted malicious email purporting to be a weekly SOC report. The attached Microsoft Word document carried heavily obfuscated macros; opening the document and allowing its macros to run starts an infection chain that ends with Emotet on the victim’s device.
- Emotet steals credentials, cookies and cryptocurrency wallets, and can also read the credentials saved in popular browsers. Stolen information is then exfiltrated to the attackers’ C2.
Source (Includes IOCs)
Winnti Group uses new tools and engages in cryptocurrency mining
- Researchers at ESET found that the Chinese state-backed Winnti Group, active since 2011, is using a new modular Windows backdoor dubbed PortReuse. The malware has been used against an Asian mobile hardware and software vendor.
- The group also added random module IDs and extra obfuscation to the ShadowPad backdoor, which the researchers described as the group’s ‘flagship backdoor’.
- The researchers also found that the group deployed cryptocurrency mining software via the backdoor it had planted in games and other software in 2018. This is a departure from the group’s usual operations, which have traditionally focused on espionage.
- A full analysis of Winnti Group is available in the research paper ‘Connecting the dots: Exposing the arsenal and methods of the Winnti Group’.
Leaks and Breaches
Alphabroder targeted with Sodinokibi ransomware
- Alphabroder, a North American supplier of promotional products, was hit by Sodinokibi ransomware on October 14th, 2019, affecting its order processing and shipping platform. No customer data or account information was compromised.
Personal information potentially exposed in Wisconsin agency data breach
- Up to three Wisconsin Housing and Economic Development Authority (WHEDA) email accounts were accessed by an unauthorised third party in a phishing attack on or around August 22nd, 2019. The potentially exposed data includes the personal information of 2,100 participants in WHEDA’s single-family mortgage program.
Pitney Bowes systems impacted by ransomware attack
- On October 14th, 2019, Pitney Bowes revealed that it had been affected by a ransomware attack. The incident caused a ‘significant system outage’ that impacted SendPro products, postage refill, and Your Account access. The company said that an investigation is underway and that initial signs indicate the attack was the work of a third party.
French multimedia organisation M6 Group hit by ransomware
- M6 Group revealed that it had been targeted by a ransomware attack on the morning of October 12th, 2019. The group’s TV channels, radio stations, and film studios all remained on the air, however, L’Express reported that phone lines and email servers were knocked out of operation.
Flaw in Linux sudo allows potential bypass of Runas user restrictions
- Researchers at Apple Information Security identified a bug in the sudo utility, tracked as CVE-2019-14287. The flaw allows an attacker to run commands as root ‘when sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification.’
- To perform the attack a user requires sudo privileges that ‘allow them to run commands with an arbitrary user ID’. The configuration at risk is one that grants Runas ALL while explicitly excluding root (for example ‘(ALL, !root)’), since a user already permitted to run commands as root gains nothing from the bypass. The issue affects all sudo versions prior to 1.8.28.
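As an added example (not code from the digest, Apple Information Security or the sudo project), the shell helper below does the two checks a practitioner would want after reading this item: it compares a sudo version string against the 1.8.28 fix, and scans sudoers text for the risky shape. That shape is the one the sudo advisory for CVE-2019-14287 describes: a Runas specification that grants ALL but negates root, such as ‘(ALL, !root)’ or ‘(ALL, !#0)’, which the bypass defeats by requesting user ID -1 (or its unsigned form 4294967295), an ID the negation does not match but which sudo resolves to uid 0. The sample sudoers lines are constructed for illustration and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the digest or the sudo project): a triage helper for
# CVE-2019-14287. It checks whether a sudo version string predates the fixed
# release 1.8.28, and flags sudoers entries whose Runas spec grants ALL while
# excluding root, the configuration the sudo advisory gives as the risky case.
# SAMPLE_SUDOERS below is constructed for illustration, not taken from a host.

# sudo_version_vulnerable VERSION
# Exit 0 (true) when VERSION is older than 1.8.28, 1 otherwise. Accepts the
# "1.8.27p1"-style suffix sudo uses for patch releases.
sudo_version_vulnerable() {
    base=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    if [ "$patch" -lt 28 ]; then return 0; fi
    return 1
}

# installed_sudo_version
# Prints the local sudo version; the first line of `sudo -V` reads
# "Sudo version X.Y.Z". Exit 1 if sudo is not installed.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# sudoers_risky_runas
# Reads sudoers text on stdin and prints the non-comment lines whose Runas
# spec starts with ALL and then excludes root by name or by uid, i.e.
# "(ALL, !root)" or "(ALL, !#0)". Exit 0 when at least one line matched.
sudoers_risky_runas() {
    grep -vE '^[[:space:]]*#' \
      | grep -E '\([[:space:]]*ALL[[:space:]]*,[^)]*![[:space:]]*(root|#0)[[:space:]]*[,:)]'
}

# Constructed sample: two entries that need attention, one that does not,
# and a commented-out entry that must be ignored.
SAMPLE_SUDOERS='Defaults env_reset
# bob myhost = (ALL, !root) /usr/bin/vi
bob myhost = (ALL, !root) /usr/bin/vi
alice ALL = (ALL) ALL
carol ALL = (ALL, !#0 : ALL) /bin/ls'

# count_risky_sample
# Prints how many SAMPLE_SUDOERS entries are flagged (2 for the sample above).
count_risky_sample() {
    printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_risky_runas | wc -l | tr -d ' '
}

# Host check (not executed here): run the real files through the same filter.
#   v=$(installed_sudo_version) && sudo_version_vulnerable "$v" \
#       && echo "sudo $v predates 1.8.28: patch it"
#   cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_risky_runas
```

The version check is a stop-gap for hosts that cannot be patched immediately; the sudoers scan tells you which entries make the bug reachable, and those entries should be rewritten so the user is either trusted as root or given an explicit Runas user list rather than ALL with an exclusion.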
China’s Study the Great Nation educational app contains backdoor code
- Cure53 researchers found that the Chinese government’s Study the Great Nation app, reportedly developed in collaboration with Chinese tech giant Alibaba, has multiple functions that would allow third parties to monitor and copy data. The Chinese government denies that the app contains such monitoring functions. The app is promoted as an educational tool by the Chinese Communist Party and has been downloaded over 100 million times.
- An analysis of the Android version of the app found code resembling a backdoor that, on a rooted device, could grant an operator system-wide administrative access to the operating system, allowing them to download any software, modify files, install keyloggers, and more. The analysis could not determine whether the backdoor is being exploited, or how it would be triggered.
- A full analysis of the app’s functions can be found in Cure53’s report.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.