Silobreaker Daily Cyber Digest – 16 November 2018
Proofpoint report on new modular tRAT distributed in recent campaigns
- TA505, who were previously responsible for the Dridex campaigns in 2014 and the Locky campaigns in 2016 and 2017, have recently been observed distributing several remote access trojans, along with information gathering, loading and reconnaissance tools including tRAT, a new modular remote access trojan written in Delphi.
- In October this year, Proofpoint observed TA505 distributing tRAT using Microsoft Word and Microsoft Publisher files with varying subject lines and senders. The messages included malicious Microsoft Publisher documents named ‘invoicing’, with various sending addresses, aimed at users at commercial banking institutions.
- tRAT was also observed being distributed in September this year, via malicious Microsoft Word documents using macros, abusing the Norton brand. Proofpoint’s report includes a full analysis of tRAT.
New Olympic Destroyer strain
- Check Point researchers observed new activity from the Hades APT group that was previously responsible for Olympic Destroyer.
- The researchers reported that the new dropper variant of Olympic Destroyer includes new features such as anti-analysis and delayed execution.
Source (Includes IOCs)
Midlands Regional Hospital targeted by ransomware
- The hospital in Tullamore, Ireland, suffered a ransomware attack that affected the Library Information Systems (LIS) and associated computer systems. It remains unknown whether patient information was compromised during the attack.
Politicians’ Twitter accounts hijacked with Elon Musk Bitcoin giveaway scam
- The ongoing scam has now targeted Twitter accounts of California state senator Ben Allen and Israeli politician Rachel Azaria. The scammers previously hijacked accounts of two Indian Consulates and retailer Target.
- The scam promotes tweets purporting to be from Elon Musk promising to give away 5,000 Bitcoins if victims first send a 1-2 Bitcoin payment to verify their payment address.
RiskIQ blacklist includes numerous malicious Black Friday apps
- RiskIQ reported in its 2018 Black Friday E-Commerce Blacklist that hackers were exploiting the names of popular brands in an estimated 6,000 malicious apps targeting Black Friday shoppers.
- In addition, Kaspersky Lab has reported its discovery of 14 malware families, all banking trojans, targeting e-commerce brands. The trojans include Betabot, Panda, Gozi, Zeus, IcedID and more.
- The trojans are used to hunt for user credentials such as logins, passwords, card numbers, phone numbers, and more. Kaspersky’s report highlights the need for extra vigilance during busy shopping periods such as Black Friday and Christmas, and the willingness of criminals to capitalise on such events.
Cybercriminals target exposed Docker services to mine Monero cryptocurrency
- Juniper Network researchers found that threat actors are actively exploiting misconfigured Docker services to mine cryptocurrency.
- The points of entry are TCP ports 2375 and 2376, which expose the Docker daemon's REST management API remotely and permit creating, starting and stopping containers. Both ports provide unencrypted and unauthenticated communication unless configured otherwise. Attackers were found to be adding their own containers that execute a Monero mining script.
- The threat actors were also found to be scanning the networks of infected hosts in search of other IP addresses of misconfigured Docker daemons that they could target.
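The exposure described above is a daemon configuration problem, so a useful defender's check is an audit of the daemon's own configuration. The following script is an added example, not code from Juniper's research or from the Docker project. It parses a daemon.json using the documented keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and flags any TCP listener that lacks TLS client verification, is bound to all interfaces, or sits on the conventional plain-text port 2375. Both sample configurations are constructed: the weak one beside the hardened one.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated management API.

Added example, not from Juniper Networks or the Docker project. The two sample
configurations below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed: a daemon that exposes the plain-text API on every interface
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: the same daemon restricted to one interface, TLS and client certs
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

ALL_INTERFACES = (None, "", "0.0.0.0", "::")


def audit_daemon_config(raw_json):
    """Return a list of findings (empty list means no TCP exposure found)."""
    cfg = json.loads(raw_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):          # Docker accepts a single string too
        hosts = [hosts]
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_files_present = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for h in hosts:
        parts = urlsplit(h)
        if parts.scheme != "tcp":       # unix:// and fd:// sockets are local only
            continue
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify (unauthenticated, unencrypted)")
        elif not tls_files_present:
            findings.append(f"{h}: tlsverify set but CA/cert/key paths incomplete")
        if parts.hostname in ALL_INTERFACES:
            findings.append(f"{h}: bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{h}: port 2375 is the conventional plain-text API port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(cfg) or "OK")
```

Run it against `/etc/docker/daemon.json` on a host to get the same findings; a daemon started with `-H tcp://...` on the command line bypasses the file, so the listening sockets themselves should be checked as well.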
New campaign discovered distributing new LokiBot variant
- Fortinet researchers detected a new phishing email campaign distributing a new version of the LokiBot Trojan.
- The malware is distributed via emails disguised as invoices and containing malicious attachments that download LokiBot. The trojan was found to be stealing software credentials from a victim’s Windows system, similarly to previous campaigns. The only new feature, according to Fortinet, is that the URL of the C&C server is encrypted in the malware’s memory.
Source (Includes IOCs)
MoneyTaker and Silence hacker groups attack Russian banks
- Group-IB has detected two large-scale campaigns targeting Russian banks with emails that appeared to be from the Central Bank of Russia (CBR) and the Financial Sector Computer Emergency Response Team (FinCERT).
- A malicious email campaign was detected on November 15th, 2018 purporting to be from the CBR, with the email subject line ‘Information from the Central Bank of the Russian Federation’. The emails contained zip files that downloaded Silence.Downloader, a tool known to be used by the hacker group Silence.
- On October 23rd, a further campaign was observed purporting to be from FinCERT, containing five attachments disguised as official CBR documents. Three out of five of the documents were empty ‘decoys’, however, two contained a download for Meterpreter Stager. The analysed server infrastructure suggests that the attacks were conducted by MoneyTaker.
British Airways and Newegg customers’ card details sold on dark web following Magecart breach
- The recent report by RiskIQ and Flashpoint researchers additionally noted that customer payment data stolen by Magecart Group in its attacks against British Airways and Newegg was marketed on the dark web just over a week after the raids. Card details were sold for $9 to $50.
Cofense Intelligence observes emails with .com extensions targeting finance departments
- In October alone, Cofense Intelligence analysed 132 unique samples with the .com extension. In comparison, only 34 samples in the nine months preceding October were discovered.
- The subject lines were ‘payment’ and ‘purchase order’ which, in combination with the email content, suggested that the threat actor is targeting finance departments. The .com extension was used for text files and executable byte code.
- Cofense found that the email subject lines were specific to the malware delivered, for example, emails with the ‘payment’ subject line delivered AZORult and emails with the subject line ‘purchase order’ delivered Loki Bot and Hawkeye keylogger.
Scammers host fraudulent files on ThousandEyes domain
- Scammers were found hosting hundreds of thousands of fraudulent PDF files using an IP address linked to the infrastructure of network intelligence services firm ThousandEyes.
- According to an article by Ars Technica, PDF files promoting screenplays, books and ‘how to’ guides have been hosted on the domain since the beginning of November 2018, up until their removal on November 13th.
- ThousandEyes claims that the IP address, through which the files were hosted, is no longer used by the company. A company spokesperson said that a ‘stale DNS record from a decommissioned infrastructure was pointing to an IP address [ThousandEyes] no longer use’. ThousandEyes further stated that no compromise of their hosting, DNS, website or systems, and no exposure of company or customer data, occurred.
INDRIK SPIDER evolves and shifts focus to targeted attacks
- CrowdStrike researchers released an analysis of INDRIK SPIDER’s recent operations. They detail the threat actor’s shift to more targeted, low-volume and high-return criminal activity that has earned them a profit of $1.5 million in just 15 months.
- INDRIK SPIDER was found to be using the Dridex malware and BitPaymer ransomware in their attacks. CrowdStrike’s report provides a detailed analysis of both malware families, their delivery and the decryption process.
Source (Includes IOCs)
Leaks and Breaches
Health First phishing attacks potentially compromise 42,000 patients’ data
- Health First has notified 42,000 patients of a potential breach of their personal information. Data exposed does not include medical details, but does include Social Security numbers, addresses and dates of birth.
- The breach took place between February and May 2018, after some employees received phishing emails.
- A review of the breach has suggested that the criminals were interested in using the data to continue their phishing scam, and were not interested in obtaining personal data.
Gmail bug permits falsifying ‘From:’ fields in emails
- Software developer Tim Cotten discovered a bug in Gmail’s structuring of the ‘From:’ header that allows placing of an arbitrary email address in the sender field. By adding a recipient’s email address into the ‘From:’ field, emails can be forced into the recipient’s Inbox, Sent folder and in:sent filter without them knowing.
- Cotten was led to the discovery after one of his colleagues discovered messages in their Gmail Sent folder that they did not recall sending. The emails were found not to have been sent from the colleague’s account but received from an external account, despite being filed into the Sent folder automatically.
- According to the developer, this flaw provides an opportunity for threat actors to carry out BEC scams as they can make emails appear to be sent from a company’s employees’ accounts.
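Whatever the provider does with a malformed ‘From:’ header, the visible result described above is a message that claims the recipient’s own address as sender while actually arriving from outside. The following heuristic is an added example, not code from Cotten’s write-up or from Gmail: it parses raw headers with Python’s standard `email` module and flags messages whose ‘From:’ address is one of the recipients but whose envelope sender (Return-Path) is a different address. The two sample messages and every address in them are constructed.

```python
"""Flag self-addressed mail that arrived from an external envelope sender.

Added example, not from Tim Cotten's write-up or from Gmail. The sample
messages, domains and addresses are constructed.
"""
import email
from email.utils import getaddresses, parseaddr

# Constructed: From: claims the recipient's own address, but the envelope
# sender and the delivering host belong to someone else.
SUSPECT = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10]) by mx.example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: Re: invoice
Message-ID: <1@mailer.example.net>

Please review the attached invoice.
"""

# Constructed: a genuine note-to-self, envelope sender matches From:.
LEGIT_SELF_SENT = """\
Return-Path: <alice@example.com>
Received: from webmail.example.com (webmail.example.com [198.51.100.5]) by mx.example.com
From: Alice Example <alice@example.com>
To: alice@example.com
Subject: note to self
Message-ID: <2@example.com>

Remember to rotate the key.
"""


def self_addressed_from_external(raw_message):
    """True when From: is one of the recipients but the envelope sender differs."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    recipient_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(recipient_headers)}
    envelope_sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not from_addr or from_addr not in recipients:
        return False                      # not a self-addressed message
    return envelope_sender != from_addr   # self-addressed, but someone else sent it


if __name__ == "__main__":
    print("suspect:", self_addressed_from_external(SUSPECT))
    print("legit:  ", self_addressed_from_external(LEGIT_SELF_SENT))
```

Mailing lists and bulk senders routinely use a Return-Path that differs from ‘From:’, so the rule is deliberately narrowed to self-addressed mail, where that mismatch is rare and worth a second look alongside the SPF and DKIM results.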
Researchers at Synopsys detail vulnerability in D-Link router
- CVE-2018-18907 is an authentication flaw that affects routers with hardware revision A and firmware version 1.21B06 Beta and older.
- The flaw could allow an attacker to join the router’s network without any credentials, by enabling them to skip the four-way WPA handshake used to establish encryption parameters and validate ownership of the access point’s pre-shared key, allowing intruders direct access to unencrypted communications.
- Once the network is joined, the attacker has access to all services, computers and devices available to any other user on that network.
Vulnerable wristwatch allows hackers to spy on children
- The Misafes ‘Kids Watcher’ allows for two-way calling via SIM and cellular connection, as well as enabling parents to track the device using an app. Pen Test Partners have found vulnerabilities in the product that could allow an attacker to retrieve real-time GPS coordinates of the watches, as well as call the watches, eavesdrop on conversations and intercept personal information about the children such as name, age and gender.
- The watches are vulnerable to Insecure Direct Object Reference (IDOR) attacks, which arise when an internal implementation object, such as a file or a database record identifier, is exposed to users without any access control on the server side. An attacker could manipulate these references to gain access to data they are not authorised to see, and use it to carry out further attacks.
- In addition, traffic is also not encrypted, which leaves information such as names, genders, dates of birth, height and weight of the children exposed to interception.
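The IDOR weakness described above comes down to an API that looks a record up by the client-supplied identifier and never asks whether the caller owns it. The following is an added example, not Pen Test Partners’ code nor the vendor’s API: a constructed in-memory store of watch records, the vulnerable lookup beside the ownership-checked one, and a small audit function that shows the difference.

```python
"""IDOR: a lookup that trusts the client-supplied id, beside the fixed version.

Added example, not from Pen Test Partners or the watch vendor. The records,
account names and API shape are constructed.
"""

# Constructed data: each watch record belongs to exactly one parent account.
WATCHES = {
    1001: {"owner": "parent_a", "child": "Sam", "gps": (51.50, -0.12)},
    1002: {"owner": "parent_b", "child": "Ana", "gps": (48.85, 2.35)},
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_watch_vulnerable(session_user, watch_id):
    # The session identifies the caller, yet it is never consulted:
    # any authenticated user can read any watch by guessing its id.
    return WATCHES[watch_id]


def get_watch_hardened(session_user, watch_id):
    record = WATCHES.get(watch_id)
    # One error for both "missing" and "not yours", so the id space
    # cannot be enumerated by telling the two responses apart.
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such watch")
    return record


def list_my_watches(session_user):
    # Alternative pattern: never accept a global id at all; enumerate from
    # the caller's own ownership relation instead.
    return {wid: rec for wid, rec in WATCHES.items() if rec["owner"] == session_user}


def audit_idor(lookup):
    """True if parent_a can read parent_b's watch through `lookup` (IDOR present)."""
    try:
        lookup("parent_a", 1002)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("vulnerable lookup leaks:", audit_idor(get_watch_vulnerable))
    print("hardened lookup leaks:  ", audit_idor(get_watch_hardened))
```

The audit function doubles as a regression test: wire it to each object-fetching endpoint with two test accounts and it fails the moment an ownership check is dropped. The transport problem mentioned in the last bullet is separate; TLS on the link does nothing for an authorisation check that is missing on the server.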
Two men sent to prison for stealing $125,000 through ATM jackpotting
- The two Venezuelan men were given sentences of 51 months and 15 months in prison. The perpetrators were involved in infecting ATMs with malware in Indiana, Kentucky, Wisconsin and Michigan.
US House of Representatives creates a new cybersecurity agency at the DHS
- The US House of Representatives has passed a CISA bill that creates a new cybersecurity agency at the Department of Homeland Security. The agency will specifically be responsible for cyber and physical infrastructure security, as well as the security of federal networks.
US authorities request Infraud hackers’ extradition
- Taimoor Zaman and Anthony Nnamdi Okeakpu are due to appear in a London court regarding a US extradition request. The two men are suspected senior members of the dark web forum Infraud which sold stolen credit cards and IDs. Reported losses, caused by the group to financial organizations and individuals, are estimated at $530 million.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.