Silobreaker Daily Cyber Digest – 16 August 2019
APT38 malware samples shared by US Cyber Command
- US Cyber Command have uploaded samples of Electricfish malware to VirusTotal. Electricfish, first uncovered in May 2019, is suspected to have been used by APT38, a North Korean hacking group that has been quietly active for several years.
Remcos RAT analysis published by Trend Micro
- Researchers at Trend Micro have produced an analysis of Remcos RAT, which they observed being delivered as a malicious attachment within a phishing email. Remcos RAT first emerged in 2016 being offered on hacking forums, and has since been sold, cracked and distributed across multiple communities.
- This variant of Remcos was found to have many similarities with older versions, but the newer edition appears to use an AutoIt wrapper to help avoid detection, incorporating multiple obfuscation and anti-debugging techniques.
Source (Includes IOCs)
Researchers publish analysis of Gootkit banking trojan
- Discovered in 2014, the Gootkit banking trojan is capable of website injections, password grabbing, video recording, remote desktop access and more. The researchers stated that the actors behind it have continually updated it to slow down analysis.
- The anti-analysis functionality performs multiple checks, including filename comparisons, environment variable checks, and registry key inspections. The host's MAC address is also checked against a list of addresses belonging to known sandbox developers. If any of these checks indicates an analysis environment, the trojan enters an infinite sleep loop.
DanaBot expands into Germany
- Researchers at H3 Collective identified DanaBot malware being used to target organizations in Germany. The info-stealer trojan, first identified in May 2018, uses geo-targeting to ensure that victims in a specific region receive the correct inject scripts after compromise. Targeted companies include Lidl, Baur, Airbnb, Esprit, and more.
- The malware uses Zeus-style web injects to display fake login pages, and the authors have also added new features, such as stealer and Tor modules. The researchers concluded that the malware ‘has matured into a very profitable modular crimeware project’.
Source (Includes IOCs)
Phishing attack impersonates Microsoft Office 365 voicemail notifications
- Researchers at Avanan discovered criminals sending malicious emails that purported to contain a Microsoft voicemail notification. To trick targets into accessing a malicious link, the emails displayed a caller number and pretended to show the length of the voicemail.
- The HTML attachment contains a meta tag which the attackers use to obfuscate a malicious URL. Users who click on the link are redirected to a compromised WordPress website which then redirects to a spoof login page.
- Targets are asked to enter their Microsoft email address and password to gain access to the voicemail. The entered credentials are then forwarded to the attackers' IP address, which is located in Pakistan.
Source (Includes IOCs)
Phishing attack targeting Microsoft users employs Custom 404 Pages
- Researchers at Microsoft discovered that criminals are using a free Firebase subdomain to host a custom 404 page, which they tailored for use in a phishing campaign. Because every non-existent path on the domain returns the same customized 404 page, registering a single domain lets the attackers generate an effectively unlimited number of landing page URLs.
- The customized page is highly convincing and contains the same active links as Microsoft’s sign-in page. The attackers aim to harvest Microsoft email addresses, phone numbers, or Skype names.
Source (Includes IOCs)
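As an added illustration of the two phishing lures above (example code, not from Avanan or Microsoft), a small Python triage helper that (a) extracts the redirect target hidden in an HTML attachment's meta tag, assuming the tag is a meta refresh, and (b) flags an HTTP 404 response that nonetheless serves a password field. The sample HTML, the example.invalid host and the phone number are constructed, not indicators from the reports.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed samples (not real IOCs): an HTML "voicemail" attachment whose
# meta refresh hides a percent-encoded target, and a 404 body with a login form.
SAMPLE_ATTACHMENT = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://example.invalid/%77%70-content/voicemail.php">'
    '</head><body>Loading voicemail from +1 (555) 010-0199 (0:47)...</body></html>'
)
SAMPLE_404_BODY = (
    '<html><body><form method="post"><input type="email" name="email">'
    '<input type="password" name="password"><input type="submit"></form></body></html>'
)

class PhishPageParser(HTMLParser):
    """Collect meta-refresh targets and password inputs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.refresh_urls = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=..."; HTML entities are already decoded
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_urls.append(unquote(m.group(1)))
        elif tag == "input" and a.get("type", "text").lower() == "password":
            self.password_inputs += 1

def triage_attachment(html):
    """An HTML attachment whose only job is a meta refresh is a redirect lure."""
    p = PhishPageParser()
    p.feed(html)
    return {"redirects": p.refresh_urls, "suspicious": bool(p.refresh_urls)}

def triage_response(status, html):
    """A 404 page that still asks for a password is a custom-404 phishing page."""
    p = PhishPageParser()
    p.feed(html)
    has_form = p.password_inputs > 0
    return {"credential_form": has_form, "suspicious": status == 404 and has_form}

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ATTACHMENT))
    print(triage_response(404, SAMPLE_404_BODY))
```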
Leaks and Breaches
European Central Bank Integrated Reporting Dictionary website breached
- A breach of the BIRD (Banks' Integrated Reporting Dictionary) website, which is maintained by a third-party provider, was discovered during routine maintenance work. The breach notice states that the attackers succeeded in injecting malware onto an external server to aid phishing activities. After discovery, the website was shut down.
- The website is physically separate from the ECB’s external and internal systems, meaning that no internal systems or sensitive data were affected. However, the email addresses of 481 subscribers to a statistical newsletter were exposed.
Healthcare providers suffer breaches
- Following the recent ransomware attack against Eye Care Associates, two more healthcare providers have reported incidents of their own. NCH Healthcare suffered a breach of its payroll system after several employees fell victim to phishing attacks. The attackers could potentially have accessed data within these accounts; a review is ongoing to determine whether they did.
- On August 13th, 2019, Bayview Dental in Minnesota began notifying patients about a potential breach of their data as a result of a cyberattack on its systems on May 28th, 2019. Potentially exposed data includes names, contact information, dental insurance data, Social Security numbers and medical histories.
Google detects 316,000 accounts using previously exposed passwords
- Google’s Password Checkup extension for Chrome checks sign-in credentials against a database of over 4 billion usernames and passwords, and warns users when their credentials have been detected in a third-party data breach. Within the first month, Google claims to have scanned 21 million combinations, flagging over 316,000 as unsafe, which is approximately 1.5% of scanned sign-ins.
Eurekahedge disclose website system data breach
- Eurekahedge stated that they detected unauthorized access on their website on August 8th, 2019. The attacker could have potentially accessed the accounts of 120,000 users.
- Potentially disclosed information includes clients’ usernames, email addresses, telephone numbers and more. Additionally, approximately 500 companies that used paid services had their company name, title and service agreement exposed.
Kaspersky AV allows third party websites to identify users
- c’t magazine discovered that Kaspersky’s antivirus solution injects a unique system ID number into every webpage a user visits. The flaw, tracked as CVE-2019-8286, has been present since 2015 and exists in paid and free versions of Kaspersky antivirus. The vulnerability affects all web browsers.
- The issue exists in a script that Kaspersky uses to warn customers which search results are dangerous. The company patched the issue in June 2019; the script is still injected, but now identifies users only by which edition of Kaspersky they use rather than by a unique ID.
Mozilla patch moderate-impact vulnerability in Firefox Password Manager
- Mozilla patched a vulnerability, tracked as CVE-2019-11733, in Firefox 68.0.2 and Firefox ESR 68.0.2.
- The bug allows locally stored passwords in ‘Saved Logins’ to be copied through the ‘copy password’ menu without requiring the entry of a master password.
Apache Struts updates 24 advisories after they were found to contain incorrect information
- Researchers at Synopsys reviewed 115 Apache Struts releases and correlated them against 57 advisories covering 64 vulnerabilities. Researchers examined advisories going back to 2008 and discovered that 24 of them contained incorrect information. The researchers also found that 61 Struts versions were impacted by at least one known flaw.
SQL injection vulnerability patched in US Maritime Safety Information portal
- A security researcher known as ‘rootaccess’ reported a high-severity vulnerability in the US Maritime Safety Information portal. The SQL injection was caused by an unsanitized parameter and, if exploited, would have given an attacker database access and allowed them to gain RCE.
- The vulnerability was reported on July 18th, 2018 and patched on December 12th, 2018.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.