Silobreaker Daily Cyber Digest – 16 April 2019
AfterShock-3PC malware attacks over 200 premium publishers
- The Media Trust researchers reported that over 200 premium publishers were hit by AfterShock-3PC malware in March by the same perpetrators behind the ShapeShifter-3PC campaign from February that targeted Alexa 500 sites.
- Victims received fraudulent pop-up warnings to renew their software, followed by ransomware pop-up messages threatening users with file encryption if they fail to renew within 15 minutes. Those who clicked to renew were redirected to a fake online payment platform and any information provided on the site was sent to the attackers’ C&C server.
- Those who didn’t renew had their browsers frozen requiring them to restart their machines at which point the malware exited without leaving any digital traces.
New campaign uses signed rootkit to steal login and payment credentials
- The rootkit, dubbed Scranos, poses as a video driver, and once installed can download any payload its operator chooses. Targets include Chrome, Chromium, Firefox, Opera, Edge Internet Explorer and more. The certificate is a Digicert issue for Yun Yu Health Management Consulting Co. in Shanghai, which has no connection to software development. The certificate is still valid at the time of writing.
- Scranos is a memory rootkit that infects Windows systems via fake software posing as pirated utilities, or legitimate applications such as e-book readers, anti-malware solutions and video players. Once installed, the rootkit rewrites itself to the disk before the infected computer shuts down in order to achieve persistence.
- The malware can download and run the payload dropper, achieve persistence and delete files that are still in use, in order to remove payloads in memory. The rootkit downloader is capable of extracting login details from several browsers and uses specialised DLLs.
Mobile VPNs are promoted by ‘Hacked’ Ads
- Mobile VPN affiliates are displaying scam ads that state you have either been hacked or that your mobile is infected or being tracked, in order to urge victims into purchasing a subscription. Mobile VPN affiliates are websites or online markets that can earn commission by promoting VPN companies’ products.
- In order to push for sales, affiliates purchase advertising campaigns on low quality ad networks, that redirect users to scam sites while they are browsing the web.
FireEye report on spear phishing campaign targeting Ukraine government and military
- FireEye observed spear-phishing emails containing content related to demining machines targeting government and military entities in Ukraine. The emails contained a malicious LNK file with a PowerShell script that downloads the second stage payload from a C&C server.
- FireEye assess that based on the domain resolutions and malware compile times, the campaign could be linked to previous activity identified in 2014, in which attackers targeted the Ukranian government with Ratvermin and Quasarrat. In addition, the actors behind the campaign may also be associated with the Luhansk People’s Republic.
Source (Includes IOCs)
Cisco Talos researchers observe ongoing campaigns distributing HawkEye Reborn
- According to the researchers, the current version, v9, of HawkEye Reborn is being marketed across a variety of hacking forums. HawkEye reborn is an updated version of HawkEye keylogger that has been active since at least 2013.
- Hawkeye Reborn v9 is being sold using a licensing model, meaning buyers get access to the software and updates for different periods of time based on a tiered pricing model. The version is also heavily obfuscated and being distributed via emails masquerading as invoices, bills of material, order confirmation and other corporate functions. A small number of the recent campaigns also used Dropbox for hosting the malicious documents rather than directly attaching them to emails.
- Hawkeye Reborn v9 is currently being used against organizations to steal sensitive data and account credentials for use in additional attacks and account compromise.
Source (Includes IOCs)
Ellen DeGeneres scam circulating on social media
- Multiple fake Facebook profiles of Ellen Degeneres are being circulated to trick people into entering a fake competition to win a variety of prizes. The scam uses genuine pictures and video clips to attempt to appear legitimate.
- First victims are asked to share the scam with others, then they are prompted to download random movies, which the scam claims will automatically register them. All the links send users to a movie sign-up portal.
Compromised account with admin privileges used to install BitPaymer ransomware via PsExec
- Trend Micro researchers released an analysis of a recent incident in which a US manufacturing company was hit with BitPaymer ransomware.
- According to the researchers, it seems that an account with administrative privileges was compromised to install the ransomware via PsExec, a command-line tool that allows the execution of processes on remote computers.
- The BitPaymer version used in the attack was not new, but had a modified ransom note and extension name.
MuddyWater Group attacks Kurdish political groups and Turkish organizations
- According to ClearSky researchers, MuddyWater Group’s recent targets include various Kurdish political groups as well as organizations in Turkey affiliated with the Turkish army and defence sector.
- Emails containing malicious attachments masqueraded as official documents of the Kurdistan Regional Government, and were used to infect victims with Powerstats backdoor.
- The researchers also detected five additional files, that operate similarly to the aforementioned malicious files, but with no macros, leading them to believe that the attackers are testing these documents to see if they are being detected by various antivirus engines.
Source (Includes IOCs)
Leaks and Breaches
Hackers publish information on AAF members claiming it’s an FBI watchlist
- A hacking group published what appears to be information on tens of thousands of American Advertising Federation (AAF) members, claiming that it is an FBI watchlist. The group have previously published data on three FBI National Academy Associates (FBINAA) charters and the personal information of thousands of FBI agents.
- The new batch of stolen information contains over 20,000 entries with full names, companies, work area information, and email addresses. According to some reports, the data appears to be a previously leaked database of AAF members.
IT outsourcing company Wipro Ltd investigates breach
- The Indian information technology outsourcing and consulting company Wipro Ltd is currently investigating reports that its IT systems have been hacked and are being used to launch attacks against their customers.
- Wipro has not yet commented on the reports; however, two sources have reported to KrebsonSecurity that the company was dealing with an intrusion from a state sponsored attacker that could have gone on for several months. The sources have also stated that Wipro’s systems were being used as bases for launching phishing attacks targeting at least a dozen Wipro customers.
- The targeted customers reportedly traced malicious and suspicious network activity back to partner systems that were communicating directly with Wipro’s network. One of the Wipro customer’s that had been attacked stated that according to file folders found on the intruder’s back-end infrastructure, at least 11 other companies seem to have been targeted.
Facebook admits supply chain leak
- Facebook has confirmed that a supply chain leak in its new Oculus headsets has resulted in the devices shipping out with secret messages stating, ‘Big Brother Is Watching You,’ ‘The Masons Were Here,’ ‘This Space for Rent,’ and ‘Hi iFixit! We See You!.’
- The messages were physically printed inside thousands of the controllers, with the intention of being found by journalists and developers receiving the prototype.
GnosticPlayers hacker releases another 65.5 million records
- Over the last two months, GnosticPlayers has released a total of 932 million records overall. Now, in Round 5 of the data leaks, the hacker released the data of 65.5 million users, which has allegedly been taken from six companies: gaming platform Mindjolt, digital mall Wanelo, e-invitation and RSVP platform Evite, South Korean travel company Yanolja, women’s fashion store Moda Operandi, and Apple repair center iCracked.
- According to ZDNet, based on the nature of the previous hacks, it is likely the stolen data is authentic.
Cork City Council reports data breach
- According to the Irish Examiner, the Cork City Council in Ireland reported a data breach after a councillor claimed to have found parking offence warning letters outside the City Hall.
- The batch of 21 letters related to outstanding fixed charge penalty notices and contained names, addresses, car registration numbers and the alleged offences of several motorists.
Kaspersky Lab researchers analyse recently patched zero-day flaw in win32k.sys
- The vulnerability, tracked as CVE-2019-0859, is a use-after-free flaw that Kaspersky Lab researchers discovered in March 2019. Following its discovery, Microsoft patched the flaw on April 9th.
- Researchers have now released an analysis of the vulnerability that is located in the CreateWindowEx function. The flaw could allow an attacker to escalate privileges on the target system.
- It has been observed being exploited in the wild by an unknown threat actor to deliver a PowerShell backdoor.
Remote code execution flaw discovered in Tomcat
- CVE-2019-0232 is a remote code execution flaw that resides in Apache Tomcat, that could allow malicious actors to execute arbitrary commands on victim’s systems. Apache Tomcat provides an HTTP web server that allows Java-based code to run for Java EE specifications such as the Java Servlet, Java Expression Language, JavaServer Pages, and Java WebSocket technologies.
- Attackers could take advantage of an OS command injection caused by an input validation error in the CGI Servlet stemming in Tomcat, which is present due to ‘a bug in the way the JRE passes command line arguments to Windows’. This flaw could be exploited to inject and execute arbitrary commands by sending a maliciously crafted request to the servlet.
Adblock Plus filters can be used to execute arbitrary code in web pages
- Security researcher Armin Sebastian discovered an issue within version 3.2 of Adblock Plus that could permit attackers to remotely inject arbitrary code into web pages.
- The issue results from a new filter option for rewriting requests that was introduced in version 3.2 of AdBlock as well as uBlock, owned by Adblock. The problem lies in the $rewrite filter option that is used by ad blockers to block circumvention attempts, remove tracking data, and prevent sites from forcing ads on visitors using the blockers. The researcher demonstrated his findings by running arbitrary code on Google Maps.
TicTokTrack kids smartwatches expose user locations and personal data
- The TicTocTrack smartwatch that allows parents to track their children’s location, has several vulnerabilities that Pen Test Partners revealed could allow hackers to track children’s locations, spoof the children’s locations and view personal data on the victim’s accounts.
- The parent company of the watch iStaySafe Pty Ltd has restricted use of the app while it investigates the security issues. Researchers discovered that the back-end fails to require any authorisation on any request, aside from requiring a valid username and password.
- The security issues could allow an attacker to log in to the service and remotely compromise the app to track other accounts. In addition, the smartwatch’s API can also be hacked by changing the FamilyIdentifier number, which could potentially give the threat actor complete access to the user’s data, including the child’s location, parent’s full names, phone numbers, and other PII.
Medical DICOM images can be used to hide malware
- Researcher Markel Picado Ortiz found that DICOM files can be used to embed executables as well as malicious software. A DICOM file could be converted in an executable Portable Executable (PE) file and thus be interpreted as either of the two different file formats.
- In a research paper, Ortiz states that these files cannot be used to attack healthcare systems on their own as they need to be dropped as part of a multi-stage malware that will execute them.
- However, the researcher outlines a range of scenarios that DICOM files could be used in. These include hiding malware within DICOM files, uploading images to the hospital Picture Archiving Communication Systems (PACS) using the DICOM network protocol, and keeping malware hidden on infected devices as some antivirus programs do not interpret these images as executable and thus do not analyse them.
Fortinet releases analysis of Silence Group
- Fortinet’s report on Silence Group includes an analysis of their tactics and infrastructure including attack details, the downloader stage, the main module, the proxy module, the monitor module, the ATM module and distribution analysis.
Russian Twitter trolls targeted Bernie Sanders to encourage votes for Trump
- Researchers at Clemson University reported that trolls on Twitter targeted Bernie Sanders in an attempt to encourage people to vote for Donald Trump. Over 9,000 Russian Tweets originating from Russian sources mentioned ‘Bernie’ and cultivated 59,281 likes and 61,804 retweets.
- Sanders supporters believed that the Democratic National Committee (DNC) had thrown it’s support behind Clinton. The tweets attempted to encourage discontent over this while simultaneously increase support for Trump by uploading tweets such as ‘Conscious Bernie Sanders supporters already moving towards the best candidate Trump! #Feel the Bern #Vote Trump 2016’.
86% of Australia’s major websites fail to detect bot attacks
- New research from cybersecurity firm Kasada has revealed that Australia’s top 250 websites are unable to tell the difference between a human using a web browser and a bot running a script. Kasada selected the websites based on their Alexa ranking, focusing on industries most often targeted by bot attacks, such as retail, property, wagering finance, health insurance and more.
- The researchers loaded the sites three times using a regular web browser, a script using curl or Node.js, and the Selenium automation tool. 86% of the tested websites failed to detect the difference between these loads which means that an attacker could also load a login page with a credential abuse tool and attempt to login with credential stuffing attacks using stolen passwords and usernames.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein