Silobreaker Daily Cyber Digest – 18 December 2018
Second sample of Shamoon disk wiper uncovered in one month
- The first sample from the recently observed Shamoon V3 attacks was believed to be uploaded to VirusTotal from Italy. This second variant, however, was seen on VirusTotal just three days later and was seemingly uploaded from the Netherlands.
- Much of this variant of the malware is the same as the previous version; however, Anomali Labs researchers noted that the trigger date was set in the past to December 12th, five days later than the one set in the first identified variant. The sample also did not have a C&C server configured.
- In contrast with the first observed version, this variant uses the Ultimate Packer for eXecutables (UPX) which modifies the signature, helping it evade detection. In addition, the variant also uses ‘VMWare Workstation’ in its file description, likely in an attempt to pose as a VMWare setup executable during a superficial check.
- The malware has been observed targeting at least one oil and gas company with operations in the Middle East and Asia. Additionally, there have been unconfirmed reports that some oil and gas companies in the UAE have also been affected.
Source (Includes IOCs)
APT28 creates new ‘Go’ variant of Zebrocy tool
- The new variant of Zebrocy has been written in the Go programming language, a departure from previous versions. APT28 are known for using different programming languages across their variants, which Palo Alto Networks’ Unit 42 assess is a tactic to make them less detectable.
- Two separate attacks have been observed delivering the new version of Zebrocy. The first, on October 11th 2018, used a spear phishing email with a LNK shortcut attachment. The PowerShell scripts used to extract the payload were coded incorrectly and therefore did not install or run the payload. The second attack delivered the Go variant using a document related to the Dear Joohn campaign, reported on last week.
- Unit 42 have published a detailed analysis of these attacks and their payloads.
Source (Includes IOCs)
‘Three Questions Quiz’ scam campaign impersonates brands to collect personal information
- Akamai researchers reported on a phishing campaign in which victims are tricked into providing personal information after supposedly winning a prize for completing a three-question quiz related to a particular well-known brand.
- The campaign impersonated 78 unique brands over the last year, of which a large number were airlines. Other impersonated brands were from retail, food and beverage, and entertainment.
- The campaign leverages various social engineering techniques such as customized ‘brand’ websites, fake social network endorsements or typosquatted domains to trick victims into disclosing their email addresses, home addresses and age.
Twitter discovers possible state-sponsored attack
- Following an investigation of a flaw affecting its support form, Twitter has stated that it has detected unusual activity on its platform, possibly related to state-sponsored actors.
- In November 2018, Twitter became aware of an issue with one of its support forms that could be exploited to uncover the country code of users’ phone numbers in cases where users had linked their phone number to their Twitter account.
- While investigating the origins and background of the issue, Twitter detected unusual activity involving the API associated with the affected support form. Specifically, the company found that a large number of inquiries from individual IP addresses in China and Saudi Arabia were being made. Twitter has stated that some of these IP addresses ‘may have ties to state-sponsored actors’.
The Wall Street Journal’s website defaced to promote YouTuber PewDiePie
- An individual has defaced a section of The Wall Street Journal’s website to promote YouTuber Felix Kjellberg, also known as PewDiePie. The defacement was posted on a section of the website dedicated to sponsored content and claimed to be an apology from the WSJ, following a dispute between the Journal and Kjellberg in 2017, and urged users to subscribe to Kjellberg’s YouTube channel.
Phishing campaign delivers IcedID trojan through password-protected Word documents
- The long-running campaign uses emails containing links to password-protected Word documents that, once opened, infect the victim with malware. The campaign was previously seen infecting victims with Nymaim malware; however, a researcher has found that the campaign has recently changed tactics to push the IcedID trojan.
Source (Includes IOCs)
Leaks and Breaches
White hat hacker hacks Arizonian man’s IoT security camera to warn him of security risks
- A Canadian white hat hacker has used a Nest Cam IQ security camera, belonging to Arizonian real estate agent Andy Greg, to broadcast his voice and warn Greg of the security risks of the internet-connected camera.
- Greg, who recorded the conversation, was told that the hacker gained access to the camera using Greg’s compromised information, which included a password Greg had used for multiple websites. In addition, he had not enabled two-factor authentication, which, combined with the reused credentials, allowed the hacker to remotely log in to the device.
Fortinet analyse heap corruption vulnerability in Office Outlook
- CVE-2018-8587 is a heap corruption vulnerability that was discovered in several versions of Outlook running on Windows. The flaw can be abused by a malformed RWZ file. When Outlook receives an incorrect RWZ file, it fails to allocate sufficient heap memory and lacks the appropriate boundary checks, which results in an out-of-bounds write on the heap.
- Fortinet have published an in-depth analysis based on reproducing the flaw.
Czech cybersecurity agency warns against use of Huawei and ZTE technology
- The Czech National Cyber and Information Security Agency (NCISA) has issued a warning against the use of software and hardware produced by Huawei Technologies and ZTE Corporation. According to the statement, Huawei and ZTE products pose a threat to state security, particularly as China’s laws ‘require private companies residing in China to cooperate with intelligence services’.
- NCISA’s warning follows recent decisions by countries such as the US, UK, Australia, New Zealand and Japan to ban the use of Huawei technology in upcoming 5G network implementations.
Russia continues influence campaign on social media platforms
- The Senate Intelligence Committee have reported that Russia are continuing to interfere with US politics using social media influence campaigns aimed at suppressing Democratic voters, particularly African Americans.
- The report claims that the Russian Internet Research Agency (IRA) have targeted black American communities on Facebook and Instagram, with the focus of developing black audiences and recruiting black Americans as assets.
- It has also been stated that the influence campaign conducted to affect the outcome of the 2016 election was broader and more targeted than previously thought, and that Russian influence operations have continued and evolved since.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.