Silobreaker Daily Cyber Digest – 16 January 2019
Lazarus-affiliated PowerRatankba malware responsible for attack on Redbanc
- Flashpoint researchers report that PowerRatankba malware is behind the recent intrusion affecting the Chilean interbank network Redbanc. PowerRatankba is a malware toolkit known to be associated with Lazarus Group.
- The malware was delivered onto Redbanc’s systems after an IT employee clicked through to apply for a job opening advertised via social media. The malware dropper displayed a fake job application form while downloading and executing PowerRatankba in the background.
Source (Includes IOCs)
Malicious Word document attachments deliver NanoCore RAT
- Fortinet researchers observed a phishing campaign using malicious Microsoft Word documents that contain VBA macro code which runs automatically when the document is opened with macros enabled and installs the NanoCore RAT on the victim’s system. The emails are disguised as purchase orders.
- NanoCore is downloaded onto the targeted system once the recipient enables macros in the malicious Word file. The RAT can edit the registry, control processes, update itself, transfer files, steal passwords, and more. It is written for the .NET Framework and was first detected in 2013.
Source (Includes IOCs)
Djvu ransomware observed spreading new .TRO variant
- In December 2018 a new Djvu ransomware variant was discovered being distributed through software crack downloads and adware bundles. The ransomware initially appended the .djvu extension to encrypted files; the recent variant appends .tro.
- Most victims reported that they were infected after downloading a software crack. On installation the ransomware executes a series of commands that remove Windows Defender’s definitions and disable various other Windows functions.
- After encrypting most files on the computer, the ransomware creates a scheduled task named ‘Time Trigger Task’ that relaunches the ransomware at regular intervals so that any newly created files are encrypted as well.
Business email compromise scammers divert employee payrolls
- Agari researchers observed an increase in business email compromise attacks in which threat actors use social engineering to divert employee payroll payments into accounts they control.
- In these attacks the threat actors create fake email accounts impersonating employees of the targeted organization and use them to contact HR and finance departments, requesting a change to the employee’s direct deposit account details.
- Agari notes that the criminals try to keep the request out of any online third-party HR system or verification step, and advises businesses to review their current processes for updating payroll details.
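The pattern Agari describes (an employee’s display name on an external mailbox, asking HR to change direct deposit details) is simple to triage automatically. The following is an added example, not Agari’s detection logic or any vendor’s code: it takes a constructed employee directory, an assumed corporate domain, and constructed sample messages, and flags mail whose From display name matches an employee while the sending or Reply-To domain is external and the text asks about payroll or bank details. A keyword hit alone is not enough to flag a message.

```python
"""Flag inbound mail that looks like a payroll-diversion BEC attempt (added example)."""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"            # assumed corporate mail domain
EMPLOYEES = {"Jane Doe", "Sam Lee"}    # constructed employee directory

# Phrases typical of direct-deposit change requests.
PAYROLL_RE = re.compile(
    r"\b(direct deposit|payroll|routing number|account number|bank details)\b",
    re.IGNORECASE,
)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return a list of reasons the message looks like payroll BEC (empty list = not flagged).

    `msg` is a dict with the header fields From, Reply-To, Subject and a Body string.
    """
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    text = f"{msg.get('Subject', '')}\n{msg.get('Body', '')}"
    if not PAYROLL_RE.search(text):
        return reasons                 # no payroll request, nothing to flag

    # Employee's name on a mailbox outside the corporate domain.
    if name.strip() in EMPLOYEES and _domain(addr) != CORP_DOMAIN:
        reasons.append(
            f"display name '{name}' matches an employee but sender domain is {_domain(addr)!r}"
        )
    # Replies routed to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(
            f"Reply-To domain {_domain(reply_to)!r} differs from From domain {_domain(addr)!r}"
        )
    return reasons


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    {"Id": "m1", "From": "Jane Doe <jane.doe.personal@gmail.example>",
     "Subject": "Direct deposit change",
     "Body": "Hi, please update my direct deposit to the new account below before payroll runs."},
    {"Id": "m2", "From": "Sam Lee <sam.lee@example.com>",
     "Reply-To": "Sam Lee <hr.update@mailhost.example>",
     "Subject": "Payroll update",
     "Body": "Can you change my direct deposit account before Friday?"},
    {"Id": "m3", "From": "Jane Doe <jane.doe@example.com>",
     "Subject": "Lunch", "Body": "Team lunch Thursday?"},
    {"Id": "m4", "From": "Vendor Billing <billing@vendor.example>",
     "Subject": "Invoice 1042",
     "Body": "Invoice attached; payment via the routing number below."},
]


def scan(messages):
    """Map message Id -> list of reasons for every message in the batch."""
    return {msg["Id"]: score_message(msg) for msg in messages}


if __name__ == "__main__":
    for msg_id, reasons in scan(SAMPLE_MESSAGES).items():
        print(msg_id, "FLAGGED" if reasons else "ok", *reasons, sep="\n  " if reasons else " ")
```

In the samples, m1 is flagged for the external sender domain, m2 for the mismatched Reply-To, m3 has no payroll request, and m4 mentions a routing number but does not impersonate an employee, so it passes. In production the directory lookup and domain list would come from the identity provider rather than constants, and a hit should trigger out-of-band verification with the employee rather than an automatic block.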
Cisco Talos discovers new Emotet campaigns
- Cisco observed multiple campaigns propagating the Emotet trojan via emails containing Microsoft Word attachments with embedded macros.
- The variant used in the latest campaign checks whether the IP address it is sending from is already listed on spam blocklists. By sending only from unlisted addresses, the attackers deliver more email to victims’ inboxes without being stopped by spam filters.
Source (Includes IOCs)
Leaks and Breaches
Cryptopia cryptocurrency exchange suffers security breach
- The cryptocurrency exchange was pulled offline in response to a security breach that reportedly resulted in significant losses due to unauthorized transaction activity.
Vulnerability in Amadeus booking system exposed data on millions
- Hacktivist Noam Rotem discovered a major vulnerability in Amadeus’ online booking system while booking a flight with an Israeli airline. The flaw allows anyone to access and edit private information related to flight bookings, potentially affecting tens of millions of flyers.
Ethereum blockchain upgrade postponed due to discovered vulnerability
- The Ethereum team postponed the Constantinople upgrade after a reentrancy vulnerability was identified in one of its proposed changes (EIP-1283, which lowers the gas cost of certain storage writes). The cheaper writes would have made a reentrant call affordable within the small gas stipend contracts pass along when sending funds, exposing some already-deployed smart contracts.
- Reentrancy lets an attacker’s contract call back into a victim contract’s withdrawal function before that function has recorded the first withdrawal, so the attacker can repeat the call until the shared funds are exhausted.
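To make the mechanism concrete, here is an added example written in plain Python that models two Solidity contracts; it is not Ethereum or Constantinople code, and the `receive` method stands in for a contract’s fallback function that runs whenever it is sent funds. The vulnerable vault sends funds before zeroing the caller’s balance, so the attacker’s fallback re-enters `withdraw` and drains other depositors’ funds; the safe vault applies the checks-effects-interactions order (update state, then make the external call), so the re-entrant call sees a zero balance and stops.

```python
"""Model of a reentrancy attack on a withdraw() function, and the fix (added example)."""


class Honest:
    """A depositor whose fallback just records what it receives."""

    def __init__(self):
        self.received = 0

    def receive(self, amount):
        self.received += amount


class Attacker:
    """A depositor whose fallback re-enters the vault's withdraw() (models a malicious contract)."""

    def __init__(self, vault, max_depth=50):
        self.vault = vault
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth      # stand-in for the gas limit bounding recursion

    def receive(self, amount):
        self.received += amount
        self.depth += 1
        if self.depth < self.max_depth:
            self.vault.withdraw(self)   # re-enter before the vault has updated our balance


class VulnerableVault:
    """Interaction before effect: the external call happens while our balance is still credited."""

    def __init__(self):
        self.balances = {}
        self.reserve = 0                # total funds actually held

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserve += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserve:
            return
        self.reserve -= amount
        who.receive(amount)             # external call: control passes to the recipient
        self.balances[who] = 0          # effect applied too late


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance first, then send."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserve:
            return
        self.balances[who] = 0          # effect first ...
        self.reserve -= amount
        who.receive(amount)             # ... interaction last; a re-entrant call finds balance 0


def run(vault_cls):
    """Alice deposits 9, Mallory deposits 1 and withdraws. Return (Mallory's take, vault reserve)."""
    vault = vault_cls()
    alice = Honest()
    vault.deposit(alice, 9)
    mallory = Attacker(vault)
    vault.deposit(mallory, 1)
    vault.withdraw(mallory)
    return mallory.received, vault.reserve


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableVault))   # attacker takes all 10, reserve 0
    print("safe:      ", run(SafeVault))         # attacker takes 1, reserve 9
```

Against the vulnerable vault the attacker, who deposited 1, walks away with 10 and the honest depositor can no longer withdraw. A reentrancy guard (a mutex flag set for the duration of `withdraw`) is the other standard fix and can be layered on top of the ordering shown here.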
Remote Code Execution vulnerability in Microsoft Windows VCard files
- A vulnerability was disclosed that could allow remote attackers to execute arbitrary code on Microsoft Windows installations. It stems from crafted data in a VCard (.vcf) contact file that causes Windows to display a hyperlink which, when clicked, runs attacker-supplied code; the user interface gives no indication that the link is unsafe. Exploitation requires user interaction: the victim must open the contact file and click the link.
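A mail gateway or endpoint tool can at least surface contact files whose link targets are not ordinary web or mail links. The following added example (not code from the advisory or from Microsoft) parses the URL properties of a vCard, including RFC 6350 folded continuation lines, and flags link values that use a UNC path, contain backslashes, or use a scheme outside an assumed allowlist of http, https and mailto. The sample vCard is constructed for the example; the specific link shapes flagged are illustrative, not the vendor’s exact trigger.

```python
"""Flag suspicious link targets in a vCard (.vcf) file (added example)."""
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}   # assumed allowlist for contact links


def unfold(vcf_text):
    """Join folded lines: a continuation line starts with a space or tab (RFC 6350 3.2)."""
    lines = []
    for raw in vcf_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def url_properties(vcf_text):
    """Yield (property_with_params, value) for every URL property in the card."""
    for line in unfold(vcf_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if name.split(";", 1)[0].strip().upper() == "URL":
            yield name, value.strip()


def classify(value):
    """Return None for an ordinary web/mail link, otherwise a short reason string."""
    if value.startswith("\\\\") or "\\" in value:
        return "UNC path or backslashes in link target"
    scheme = urlsplit(value).scheme.lower()
    if scheme not in SAFE_SCHEMES:
        return f"scheme {scheme or '(none)'!r} not in allowlist"
    return None


def scan_vcard(vcf_text):
    """Return [(link_value, reason)] for every URL property that is not an ordinary link."""
    findings = []
    for _, value in url_properties(vcf_text):
        reason = classify(value)
        if reason:
            findings.append((value, reason))
    return findings


# Constructed sample card: one benign link, one UNC target, one file: URL, one folded ftp link.
SAMPLE_VCF = r"""BEGIN:VCARD
VERSION:3.0
FN:Example Contact
URL:https://www.example.com/
URL;TYPE=WORK:\\attacker.example\share\update.exe
URL;TYPE=HOME:file:///C:/Users/Public/update.hta
URL:ftp://files.example.net/
 pub/readme.txt
END:VCARD
"""

if __name__ == "__main__":
    for value, reason in scan_vcard(SAMPLE_VCF):
        print(f"{reason}: {value}")
```

The folded `ftp://` entry shows why unfolding comes before parsing: a scanner that inspects raw lines would see a truncated value. Treat a hit as a reason to quarantine or strip the property rather than proof of malice, since legitimate cards occasionally carry non-web schemes.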
Windows security patch breaks PowerShell remoting
- A security update for an elevation of privilege flaw, CVE-2019-0543, inadvertently broke Windows PowerShell and PowerShell Core 6 WinRM-based remoting for a specific PowerShell remoting scenario.
- According to a Microsoft spokesperson, ‘the fix is preventing WinRM (which PowerShell uses as a remoting transport and host) from successfully creating the remote session host’. However, the issue will only occur on devices ‘where the endpoint configurations have been modified for very specific use cases where non-admin users require access to local loopback remoting’.
Researchers discover six zero-day vulnerabilities in components used in smart buildings
- The zero-days include cross-site scripting (XSS), path traversal, arbitrary file deletion and authentication bypass flaws which could be leveraged to steal sensitive information, access and delete files, or perform other malicious actions. The flaws were discovered in building automation devices such as protocol gateways and programmable logic controllers (PLCs).
- Researchers at ForeScout built proof-of-concept malware that targeted surveillance, access control and HVAC systems set up in a laboratory, and discovered three XSS flaws in an access control PLC and a protocol gateway. The protocol gateway also had a path traversal and arbitrary file deletion vulnerability that provides access to files and directories outside the root folder of the web application.
- In addition, they discovered an authentication bypass flaw in the HVAC PLC, as well as a buffer overflow and a hardcoded password vulnerability in the Access Control PLC, present since June 2013.
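The path traversal and arbitrary file deletion flaws in the gateway share one root cause: a client-supplied path is joined to the web root and used as-is. The following added example (not ForeScout’s proof of concept or any vendor’s code) contrasts that pattern with a containment check. It works on path strings only, using an assumed web root, so it runs anywhere; on a real filesystem the same check should be done on `os.path.realpath` output so that symlinks cannot point outside the root.

```python
"""Path traversal: the usual mistake next to a containment check (added example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/webapp/www"    # assumed document root of the device's web application


def resolve_vulnerable(root, user_path):
    """How the flaw typically arises: join the client path to the root and trust the result.

    '../' climbs out of the root, and an absolute path replaces the root entirely.
    """
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_safe(root, user_path):
    """Decode, normalise, then refuse anything that does not stay under root."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    decoded = unquote(user_path)                    # handle %2e%2e%2f style encoding once
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath is component-wise, so '/srv/webapp/wwwroot' does not pass as a prefix of root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes web root: {user_path!r}")
    return candidate


def evaluate(user_path):
    """Return (what the vulnerable code would open, what the safe code does) for one request."""
    try:
        safe = resolve_safe(WEB_ROOT, user_path)
    except ValueError as err:
        safe = f"REJECTED: {err}"
    return resolve_vulnerable(WEB_ROOT, user_path), safe


# Constructed request paths a client might send to a file read/delete endpoint.
SAMPLE_REQUESTS = [
    "images/logo.png",                 # normal request
    "images/../index.html",            # '..' that stays inside the root
    "../../../etc/passwd",             # classic traversal
    "/etc/passwd",                     # absolute path replaces the root in join()
    "..%2f..%2f..%2fetc%2fpasswd",     # URL-encoded traversal
    "files/../../other/x",             # lands in a sibling of the root
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        vuln, safe = evaluate(req)
        print(f"{req!r:34} vulnerable -> {vuln:28} safe -> {safe}")
```

Note that `images/../index.html` is accepted: the check constrains the resolved location, not the presence of `..`, which is what makes it robust against encoding tricks. For a delete endpoint the same containment check applies, plus an allowlist of deletable directories, since even an in-root delete of the application’s own files is damaging.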
Federal authorities charge nine in SEC hacking scheme that made $4.1 million
- The defendants are accused of participating in a campaign that hacked a Securities and Exchange Commission database to steal confidential data, earning them $4.1 million in illegal stock trading profits. Ukrainian Oleksandr Ieremenko was named as a hacker, alongside six other individuals from California, Ukraine and Russia.
- Two of the accused breached SEC networks in May 2016 using directory traversal attacks, phishing, and malware. They then accessed the SEC’s Electronic Data Gathering, Analysis and Retrieval system (EDGAR) and stole earnings reports, passing them to individuals who traded on them in the window between the theft and the public release of the information.
Researchers demonstrate command injection and e-stop abuse against radio remote controllers
- Trend Micro security researchers demonstrated how the radio frequency (RF) protocols used by industrial radio remote controllers can be abused to take control of the machinery they operate. They describe two ways in: compromising the computer used to program or control the RF devices, or gaining physical access to the facility and planting a small battery-powered device that provides remote access.
- The researchers built their own device, dubbed RFQuack, to show that modular hardware tools can be built for a variety of RF transceivers. RFQuack is controlled remotely via Message Queuing Telemetry Transport (MQTT) messages sent from a client-side interactive console and can connect over Wi-Fi, 3G or 4G.
- Trend Micro showed how the device can cause persistent denial-of-service conditions through emergency-stop abuse (e-stop abuse) and even seize control of machines via command injection, transmitting forged commands that the receiver accepts as legitimate. They conclude their report by warning that these attacks could let threat actors control construction cranes, industrial cranes and mobile hoists in real production deployments.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.