Silobreaker Daily Cyber Digest – 18 April 2019
Sea Turtle campaign uses DNS hijacking to target organizations in Middle East and North Africa
- Cisco Talos researchers identified a new state-sponsored attack, dubbed Sea Turtle, that uses DNS hijacking to target security organizations in the Middle East and North Africa. So far, 40 different organizations across 13 different countries have been targeted. The operation likely began in January 2017 and continued through to the first quarter of 2019.
- According to the researchers, targets fall into two categories. Primary victims include national security organizations, ministries of foreign affairs and prominent energy companies. The perpetrators targeted third-party entities that provide services to these primary entities to perform DNS hijacking on them. Secondary victims include numerous DNS registrars, telecommunications companies and internet service providers.
- After accessing a domain’s DNS records, the threat actor set up man-in-the-middle (MitM) frameworks on their servers and impersonated legitimate services to capture user credentials of victims. Once targeted systems were compromised, the threat actor also stole SSL certificates and conducted further MitM attacks, impersonating various VPN applications.
Source (Includes IOCs)
On-going campaign uses .tk domains to redirect users to PushKa browser notification scam
- Sucuri researchers observed an ongoing campaign that uses .tk domains and .info domains to redirect victims to a PushKa browser notification scam.
- Users are redirected via .tk and .info domains to a site that attempts to lure them into subscribing to push notifications that then displays spam ads on the user’s desktop. To work with browser push notifications, the malicious sites use the PushKaWrapper library.
- Even if the user doesn’t subscribe to the notifications, they are then redirected to fake news sites that lead to further scam sites.
Source (Includes IOCs)
Campaign uses AutoHotkey and malicious script embedded in Excel file to avoid detection
- Trend Micro researchers identified a potential targeted attack that uses the legitimate script engine AutoHotkey in combination with malicious script files.
- The attack involves Excel email attachments disguised as files related to ‘Military Financing’. Once a victim opens the attachment and enables macros, AutoHotkey is used to load a malicious script and avoid detection. The perpetrator is then able to steal certain information and even download TeamViewer to gain remote access to the system.
Source (Includes IOCs)
Microsoft loses control of subdomain used for Windows Live Tiles
- Live Tiles was introduced in Windows 8 to receive new content updates via RSS feeds. Golem.de journalist and security researcher Hanno Böck discovered that he was able to take control of the subdomain after Microsoft disabled a web service for the system but failed to delete the nameserver entries.
- The abandoned host was exploitable with a subdomain takeover attack. Böck stated that he achieved this by using a ‘CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus, we were able to control which content is served on that host.’
- Böck took control of the server, blocking any potential malicious actors from launching attacks against users of Live Tiles. Approximately 2,500 websites are reportedly still using the service.
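The two DNS failure modes in the digest, hijacked nameserver or address records (Sea Turtle) and a CNAME left pointing at an unregistered host (Live Tiles), can both be caught by routine zone monitoring. The following is an added example of such a defender-side check; it is not code from Silobreaker, Cisco Talos or Hanno Böck. All zone data, the baseline and the resolver stub are constructed for illustration (the names use the reserved `.test` and `.invalid` TLDs and documentation IP ranges), and a real job would replace the stub with live DNS queries.

```python
"""Defender-side DNS hygiene checks (added example, constructed data only).

1. find_hijacked_records: compare what DNS currently publishes for a zone
   against the owner's baseline, so an unexpected NS or A record change of
   the kind used in DNS-hijacking campaigns is surfaced quickly.
2. find_dangling_cnames: flag CNAME records whose target no longer resolves,
   the precondition for a subdomain takeover via a cloud-provider host.
No network access is performed; the "observed" answers and the resolver are stubs.
"""

# Constructed baseline: the records the zone owner intends to publish.
EXPECTED_RECORDS = {
    ("example.test", "NS"): {"ns1.example.test", "ns2.example.test"},
    ("mail.example.test", "A"): {"203.0.113.10"},
}

# Constructed "observed" answers, as a monitoring job might collect them.
# One NS entry and the mail A record have been replaced, and one CNAME points
# at a provider host that nobody currently owns.
OBSERVED_RECORDS = {
    ("example.test", "NS"): {"ns1.example.test", "ns-attacker.invalid"},
    ("mail.example.test", "A"): {"198.51.100.7"},
    ("tiles.example.test", "CNAME"): {"abandoned-app.azurewebsites.net"},
    ("www.example.test", "CNAME"): {"live-app.azurewebsites.net"},
}

# Constructed resolver stub: the set of CNAME targets that still resolve.
# Absence from this set stands in for an NXDOMAIN answer from a real resolver.
RESOLVABLE_TARGETS = {"live-app.azurewebsites.net"}


def resolves(name, resolvable=RESOLVABLE_TARGETS):
    """Stub for 'does this hostname resolve?'; swap in a real DNS lookup."""
    return name in resolvable


def find_hijacked_records(expected, observed):
    """Return (name, rtype, unexpected_values, missing_values) for every
    baseline record whose published answer differs from the owner's intent.
    Any unexpected NS or A value is a candidate hijack and warrants review of
    registrar and DNS-provider account activity."""
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        added, missing = got - want, want - got
        if added or missing:
            findings.append((key[0], key[1], sorted(added), sorted(missing)))
    return findings


def find_dangling_cnames(observed, resolver=resolves):
    """Return (name, target) for each CNAME whose target does not resolve.
    Until the record is removed, anyone able to register the target host can
    serve arbitrary content under the zone owner's name."""
    dangling = []
    for (name, rtype), values in observed.items():
        if rtype != "CNAME":
            continue
        for target in values:
            if not resolver(target):
                dangling.append((name, target))
    return sorted(dangling)


if __name__ == "__main__":
    for name, rtype, added, missing in find_hijacked_records(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"[HIJACK?] {name} {rtype}: unexpected={added} missing={missing}")
    for name, target in find_dangling_cnames(OBSERVED_RECORDS):
        print(f"[DANGLING] {name} CNAME -> {target} (target does not resolve; remove the record)")
```

The check is deliberately split in two because the remediations differ: an unexpected NS or A value means the registrar or DNS-provider account should be reviewed and credentials rotated, whereas a dangling CNAME is fixed simply by deleting the stale record before anyone else registers the target.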
Retailers targeted by TA505 spear-phishing campaign
- Researchers at CyberInt have reported on a new TA505 campaign that targets retailers, delivering Remote Manipulator System, a legitimate remote administration tool, as well as xRAT and Vimditator. The attacks leverage obfuscation techniques to hide multi-layered executions in order to evade detection.
- The malware itself attempts to steal user information, before exfiltrating it to the attacker’s C&C server. At the time of the analysis, the C&C server was unavailable.
APT34 hack tools and victim data leaked on Telegram
- The tools used by APT34 are said to be less sophisticated than the NSA tools leaked in 2017, but are still regarded as dangerous. As well as the tools, data from some of APT34’s victims has surfaced, mostly comprised of username and password combinations collected via phishing campaigns. The actor that has shared the tools and data goes by the persona Lab Dookhtegan.
- The authenticity of the tools has been confirmed by several cyber-security experts, and they include Glimpse, a new version of BondUpdater, PoisonFrog, an older version of BondUpdater, TwoFace Web Shell, HighShell Web Shell, Fox Panel Phishing Kit and Webmask, a DNS tunnelling tool.
- As well as this, the leaker also posted information regarding Iranian Ministry of Intelligence officers, including phone numbers, images, officer names, roles, email addresses and social media profiles of people allegedly involved with APT34 operations.
Verint Systems Inc targeted by ransomware
- The Israeli offices of the surveillance and business intelligence company were attacked by ransomware, which it managed to successfully thwart.
Leaks and Breaches
DCMS shared emails of UK journalists
- DCMS, the government department responsible for implementing GDPR, sent an email announcing that the porn filters are coming online on July 15th, with every media and technology journalist in Britain in the CC field.
- All recipients were able to view the CC’d email addresses, which in some cases contained names, breaching GDPR regulations.
Chipotle customers’ accounts allegedly breached
- TechCrunch reported that several Chipotle customers have claimed that their accounts have been hacked and fraudulent orders have been charged to their credit cards.
- Although a Chipotle spokesperson said that the incident is the result of a credential stuffing attack, several customers claimed to have used unique passwords for their Chipotle accounts and in one case an affected customer only used Chipotle’s guest checkout option.
JustDial suffers data breach
- JustDial, an Indian search engine, has suffered a data breach resulting in the leak of sensitive information of over 100 million users including names, emails, mobile numbers and addresses.
- The company has denied the data breach, stating that it may be the case that an older version of their applications, used by only a fraction of users, may have given people access to certain APIs where basic user details were accessible.
Navicent Health suffers data breach
- A data breach notice has been published on the company’s website stating that as a result of a phishing campaign conducted against them last summer, they have determined that the breached accounts contained some personal information including individuals’ names, dates of birth, addresses and some medical information.
- Potentially impacted patients are being notified, as well as the offer of free identity theft protection.
Flaws in Broadcom WiFi driver expose computers to IoT and RCE attacks
- Broadcom WiFi chipset drivers contain flaws that impact several operating systems, allowing potential attackers to remotely execute arbitrary code and trigger denial of service. Quarkslab’s intern Hugues Anguelkov reported the five flaws, which he discovered while reverse engineering and fuzzing Broadcom WiFi chip firmware.
- Anguelkov found that ‘the Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.’ The flaws are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502 and CVE-2019-9503.
Microsoft Edge flaw allowing XXE attacks receives micropatch
- A recent flaw affecting Internet Explorer has received a micropatch that stops remote attackers from exfiltrating local files and running reconnaissance on vulnerable systems. The flaw could be exploited by an attacker using a specially crafted MHT file downloaded with Microsoft’s Edge browser.
- The flaw exists due to an undocumented security feature in Microsoft Edge that interfered with Internet Explorer’s ability to correctly read the mark-of-the-web flag applied to files downloaded from the web.
Evernote fixes RCE flaw in macOS app
- CVE-2019-10038 is a local file path traversal vulnerability that allows attackers to run arbitrary code on their target’s Macs remotely. It is exploitable through Evernote’s note sharing feature, which could allow an attacker to send crafted notes (.enex) to the victim to perform further attacks.
- The flaw has been patched with the release of 7.10 Beta 1 version.
Cisco patches critical flaw in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit
- The flaw, tracked as CVE-2019-1710, has a CVSS score of 9.8 and could be exploited by an unauthenticated, remote attacker to access internal applications on the sysadmin virtual machine. An attacker could exploit this flaw by connecting to one of the listening internal applications, which could result in a denial of service and remote unauthenticated access to the device.
Vulnerabilities patched in Drupal jQuery and Symfony components
- The latest patch for Drupal fixes several vulnerabilities in Drupal core components, including CVE-2019-10910, an arbitrary code execution issue; CVE-2019-10911, a cookie-authentication vulnerability; and CVE-2019-10909, a bug that could be leveraged to perform a cross-site scripting attack. These flaws all affected the Symfony component.
- In addition, an issue with jQuery that could allow cross-site scripting attacks was also patched.
Denial-of-Service attack on programmable logic controllers can disrupt physical processes
- Last year, a team of researchers from the German universities Hochschule Augsburg and Freie Universität Berlin demonstrated an attack targeting the cycle time of programmable logic controllers (PLCs). The attack exploited a flaw, tracked as CVE-2019-10953, which, when exploited, can disrupt the real-world physical process controlled by the PLC.
- ICS-CERT has now released an advisory providing an update on how each impacted vendor responded to the flaw. These vendors include ABB, Phoenix Contact, Schneider Electric, Siemens and WAGO.
Thieves stole 100 cars from Car2Go using mobile app
- The Chicago Police Department stated that 100 Car2Go cars in Chicago have been stolen. The investigation is ongoing and it is unclear at this time how the cars were taken; however, it is known that the cars are usually locked and unlocked using an app, which could contain vulnerabilities.
- Police stated that it was not a ‘hack’, but that the cars had been ‘rented by deceptive or fraudulent means through a mobile app’.
Far right groups use ProtonMail to communicate following removal from social media
- Following the recent removal of white nationalist content from Facebook and other web hosts, neo-Nazi extremist groups are encouraging their members to meet offline and to use encrypted networks to communicate.
- One group, Feuerkrieg Division (FKD), was observed encouraging potential users to join and contact its ProtonMail email address. A spokesperson for ProtonMail stated that they were ‘deeply concerned’ about the recent shift in use of their email services.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein