Silobreaker Daily Cyber Digest – 18 October 2019
Phishing campaign uses SPF-enabled domain
- Security researcher Jan Kopriva detected a new phishing scam that uses a Sender Policy Framework (SPF) enabled domain to appear legitimate. The email purports to be a DHL delivery notification and contains two malicious attachments, one of which is an RTF file masquerading as a Word document that attempts to exploit CVE-2017-11882. The second attachment is an ACE archive file containing an information stealer that uses a Delphi packer.
- SPF-enabled domains have previously been used in phishing attempts; in this case, however, the same email address was used in the ‘MAIL FROM’ address as in the ‘From’ address. ‘MAIL FROM’ addresses are typically the ones checked by SPF, whereas ‘From’ addresses are not checked but are the ones victims see.
- The scam also ensured that the SPF check on the address returned ‘Neutral,’ meaning the domain made no assertion as to whether the sending IP address was authorised to send emails for it.
Source (Includes IOCs)
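As an added illustration of the SPF point above (not code from the original digest or from the researcher), the following evaluates a message’s Authentication-Results and From headers the way a defender would: only an explicit ‘pass’ counts as authenticated, so a ‘Neutral’ result is rejected even when the visible From domain matches the envelope MAIL FROM domain. The sample message, its domain and the IP address are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the DHL-themed lure described above: the
# envelope sender (MAIL FROM, recorded as smtp.mailfrom) matches the visible
# From header, and the receiving MTA recorded the SPF result as "neutral".
SAMPLE_MESSAGE = """\
Return-Path: <notify@example-courier.test>
Authentication-Results: mx.example.test; spf=neutral (sender IP is 203.0.113.5) smtp.mailfrom=notify@example-courier.test
From: DHL Delivery <notify@example-courier.test>
Subject: Your parcel is waiting
Content-Type: text/plain

Please open the attached delivery note.
"""

SPF_RESULT_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=<?([^\s;>]+)", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate_spf(raw_message):
    """Return the SPF verdict a defender should act on for one raw message.

    Only an explicit 'pass' counts; 'neutral', 'none', 'softfail' and a missing
    result are all unauthenticated, even when From and MAIL FROM domains align,
    because SPF never vouched for the sending IP in those cases.
    """
    msg = email.message_from_string(raw_message)
    auth_results = msg.get("Authentication-Results", "")
    spf_match = SPF_RESULT_RE.search(auth_results)
    spf_result = spf_match.group(1).lower() if spf_match else "none"
    mailfrom_match = MAILFROM_RE.search(auth_results)
    mailfrom_domain = domain_of(mailfrom_match.group(1)) if mailfrom_match else ""
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    aligned = bool(from_domain) and from_domain == mailfrom_domain
    return {
        "spf": spf_result,
        "mailfrom_domain": mailfrom_domain,
        "from_domain": from_domain,
        "aligned": aligned,
        "authenticated": spf_result == "pass" and aligned,
    }
```

Run `evaluate_spf(SAMPLE_MESSAGE)` to see that the aligned but ‘neutral’ sample is still reported as unauthenticated.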
Fake UpdraftPlus plugins used as backdoors
- Sucuri researchers discovered multiple malicious WordPress plugins that contain backdoor functionalities. The plugins have a number of different names, yet all appear to have a similar structure to the backup/restore UpdraftPlus plugin, which at present has over 2 million active installations.
- The malicious plugins are hidden in the WordPress dashboard from anyone who does not use a browser with specific User-Agent strings. Their main purpose is to serve as a backdoor for uploading arbitrary files onto infected websites, including files containing scripts that could be used for brute-force attacks on other sites.
New clicker trojan automatically subscribes users to paid services
- Doctor Web discovered a new clicker trojan with several variants, dubbed Android.Click.322.origin, Android.Click.323.origin and Android.Click.324.origin. The malware only targets users in specific countries by checking where a user’s SIM card is registered. Targeted countries are Austria, Italy, France, Thailand, Malaysia, Germany, Qatar, Poland, Greece, and Ireland.
- To avoid detection, the malware is integrated into harmless applications on Google Play, such as camera apps or image collections. Additionally, it uses the Jiagu packer, which makes the malware more difficult to detect and prevents code analysis, allowing it to bypass Google Play’s security tools. Google has since removed the malicious applications.
- Upon infection, the malware asks for permission to access notifications of the operating system, allowing it to hide all notifications about incoming text messages. Accessing premium service websites in an invisible WebView, the malware automatically clicks on links and buttons, hooks the verification codes from the text messages and confirms subscriptions.
Russian-speaking Dukes threat group has targeted foreign government entities since 2013
- Researchers at ESET identified a new campaign, dubbed Operation Ghost, which they attributed to the Russian-speaking threat group Dukes (also known as APT29). The group, which is suspected of hacking the DNC in the lead-up to the 2016 US election, has carried out Operation Ghost without detection since 2013.
- The attackers targeted Ministries of Foreign Affairs in at least three different European Countries and also infiltrated the Washington DC based embassy of an unnamed European country.
- To carry out their attacks the group developed three new malware tools, named PolyglotDuke, RegDuke, and FatDuke. The researchers discovered that the Dukes hosted the PolyglotDuke C2 URLs on social media sites such as Twitter and Reddit.
- The group uses its various new tools alongside older malware to form a ‘sophisticated malware platform’, which allows it to steal credentials and move laterally through networks. The researchers described the group as ‘very persistent’. A full analysis of the group and its tools is available via the ESET research paper.
Source (Includes IOCs)
Phishing campaign aims to acquire Stripe credentials
- Researchers at Cofense identified a new phishing campaign targeting Stripe customers via a malicious email. The email informs targets that their account will be placed on hold due to invalid details. An embedded hyperlink in the email prompts users to review their details. Hovering over the link does not reveal the URL address.
- Users who click on the link are redirected to a series of fake Stripe login forms which ask for their email address, password, bank account number, and phone number. Once the target has entered these details they are redirected to the legitimate Stripe site.
Source (Includes IOCs)
Bitcoin blockchain used to hide Pony’s C2
- In September 2019, researchers at Check Point identified a new version of the Redaman malware that hides a Pony malware C2 inside the Bitcoin blockchain. The malware finds the C2 server by connecting to Bitcoin and chaining transactions together.
- The researchers stated that hiding a dynamic C2 address inside the Bitcoin blockchain makes Redaman a more challenging threat to defend against.
Source (Includes IOCs)
Leaks and Breaches
TrialWorks hit by ransomware attack
- The case management software company TrialWorks was reportedly hit by a ransomware attack on October 13th, 2019 and customers continue to be unable to access their files. At present, no further information on the incident is available.
Universiti Malaya portal defaced
- An unknown hacker defaced the E-Pay Cashless Payment and Records portal of Universiti Malaya, used for financial transactions of students, with a protest message. The message contains hashtags believed to draw attention to a recent student protest at the university.
- According to messages sent via WhatsApp, students are advised not to log into any of the university’s portals as they may all have been hacked and infected with malware capable of stealing credential information.
Developers expose websites by failing to turn off debug mode in PHP framework Laravel
- Researchers at Comparitech, alongside security researchers Bob Diachenko and Sebastien Kaul, identified 768 vulnerable websites running Laravel with debug mode enabled. Developers who forget to disable debug mode on live websites expose sensitive backend details, such as passwords, secret keys, and more.
- The researchers were able to access Donald Trump’s official campaign website which exposed a mail server configuration in plain text. They warned that a malicious party could take advantage of the exposure to intercept correspondence and send emails on behalf of the campaign.
- The researchers estimated that 10 to 20 percent of the 768 exposed websites contained sensitive details. The majority of the sites belonged to small businesses and charities.
Multiple vulnerabilities found in YouPHPTube
- YouPHPTube, an open-source program for creating custom video sites, contained nine vulnerabilities that could allow an attacker to exfiltrate files in the database, steal user credentials, and access the underlying operating system in some configurations.
- CVE-2019-5117, CVE-2019-5116, CVE-2019-5114, CVE-2019-5119, CVE-2019-5120, CVE-2019-5121 and CVE-2019-5123 affect versions 6.2 and 7.6. Version 7.6 is also affected by CVE-2019-5127 and CVE-2019-5129. A patch has been released.
Amazon Echo and Amazon Kindle contain KRACK vulnerabilities
- Researchers at ESET discovered that the Amazon Echo and Amazon Kindle contain Key Reinstallation Attack (KRACK) vulnerabilities. KRACK attacks, which were discovered in 2017, relate to a weakness in the WPA2 standard used to secure Wi-Fi networks. The attacks primarily target the four-way handshake mechanism and can be exploited by an attacker to trick a victim’s device into ‘reinitializing the pairwise key used in the current session’.
- The ESET researchers discovered that the 1st generation of Amazon Echo and the 8th generation of Amazon Kindle are vulnerable to two KRACK vulnerabilities, tracked as CVE-2017-13077 and CVE-2017-13708.
- Exploiting the flaws can allow an attacker to perform a DoS attack, decrypt data transmitted to the target, forge data packets, dismiss data packets, inject new packets, and intercept sensitive information. Amazon has released patches for the vulnerabilities in both products.
Linux flaw could allow attackers to compromise vulnerable machines over Wi-Fi
- A flaw in the RTLWIFI driver, which supports Realtek Wi-Fi chips on Linux devices, can be targeted to cause a buffer overflow in the Linux kernel. The vulnerability, which is tracked as CVE-2019-17666, can be triggered when an attacker is within radio range of a vulnerable system.
- The flaw could cause a crash of the targeted operating system, and potentially allow hackers to gain complete control of the computer.
‘Highly dangerous’ vulnerabilities discovered in Kubernetes
- Palo Alto Networks researchers discovered two flaws in Kubernetes, tracked as CVE-2019-16276 and CVE-2019-11253, that could be ‘highly dangerous under some Kubernetes configurations.’
- CVE-2019-16276 concerns the implementation of Go language’s standard HTTP library and could be exploited to bypass authentication controls to access a container. CVE-2019-11253 leaves Kubernetes’ API server vulnerable to a denial-of-service attack on YAML parsers, an attack known as ‘Billion laughs attack.’
- Both flaws were patched and users are recommended to update to versions 1.14.8, 1.15.5 or 1.16.2 regardless of their configuration.
UC Browser applications download third-party APK over unsecured channel
- Researchers at Zscaler discovered that UC Browser and UC Browser Mini, which are hosted on the Google Play store, place users at risk by downloading an Android Package Kit (APK) via an unsecured channel. Collectively the two apps have been downloaded over 600 million times.
- Following installation, the app downloaded a third-party app store, called 9Apps, over unsecured HTTP rather than HTTPS. Using an unsecured channel leaves users vulnerable to man-in-the-middle attacks. Additionally, downloading the APK from a third party violates Google Play’s policy.
- Although the 9Apps store is not malicious, a scan conducted by the researchers using VirusTotal flagged a number of detections. The researchers notified Google of the policy violation, the company confirmed the issue, and current versions of UC Browser and UC Browser Mini no longer download 9Apps.
Source (Includes IOCs)
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.