Silobreaker Daily Cyber Digest – 19 November 2018
MalwareLab researchers discover a new variant of the APT28 Lojax rootkit
- The behaviour of the new version of Lojax is similar to that of previous versions: it abuses the legitimate ‘Absolute Lojack’ anti-theft agent to establish persistence on the infected system. Analysis of the new sample also links it to APT28.
- Lojack is anti-theft and device-tracking software developed by Absolute Software Corporation, preinstalled in the BIOS/UEFI firmware image of Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba and Asus machines.
- MalwareLab’s report includes a technical analysis of the new version, information on the domain used, as well as advice for mitigation.
Source (Includes IOCs)
Trend Micro researchers release detailed analysis of Emotet
- Trend Micro tracked the activity of the Emotet trojan between June and September 2018 and discovered at least two parallel infrastructures supporting the Emotet botnet.
- They also found that ‘multilayer operating mechanisms might have been adopted in the creation of Emotet’s artifacts’, and assess that Emotet’s author may live somewhere in the UTC+10 timezone or further east.
New tech support scam uses Facebook sharer page to scare users
- The scammers use Facebook’s sharer dialog to scare users into believing that there is an issue with their Facebook account. The sharer dialog is a page on Facebook that website owners use to let visitors share their content.
- The scammers use low quality ad networks, commonly used by adware and unwanted software, to redirect visitors to the Facebook sharer page in order to share a page from fbsupport[.]pro.
- If a user is logged in, it will display the warning from the ‘Facebook Support Team’ stating, ‘We’ve registered a suspicious activity on your page. You’re account could be hacked. Please call Facebook support team to restore the access to your account.’ The message is designed to prompt the user into calling a listed phone number.
US DHS official warns of Russian campaign to infiltrate US industrial systems
- A Department of Homeland Security official warned lawmakers that a Russian campaign was targeting critical industrial control systems belonging to the US government and business organisations. Systems targeted belonged to the aviation, energy, manufacturing, nuclear and water sectors.
Tax scam phishing emails targeting UK university students
- UK HM Revenue and Customs warned that scammers were targeting the email accounts of university students with fake tax refund emails in an attempt to steal personal data and funds.
Phishing campaign delivers Trickbot variant that focuses on Windows stability history
- My Online Security have identified a new phishing campaign in which emails pretending to be from Lloyds Bank infect victims with Trickbot malware. Emails with the subject line ‘Important : please review attached document(s)’ contain malicious file attachments that deliver the malware once macros are enabled.
- The Trickbot variant in this campaign collects Windows system reliability and performance information from the Windows Reliability Monitor, including software installation details, upgrades, operating system and application errors, and details of hardware-related issues.
Source (Includes IOCs)
Dark Web hosting service hacked resulting in over 6,500 sites being deleted
- An unknown threat actor has compromised one of the largest Dark Web hosting providers, Daniel’s Hosting. Over 6,500 sites were deleted in the attack that occurred on November 15th, 2018. Due to the lack of backups the sites cannot be restored.
- The point of entry as well as the perpetrator behind the attack remain unknown.
Spear phishing attack targets US government agencies, businesses and think tanks
- Hackers impersonating a US State Department official have targeted US government agencies, businesses and think tanks in an attack similar to previous campaigns attributed to Russian-linked APT29.
- Researchers from FireEye and Crowdstrike are currently investigating the attack.
Fake fax email delivers Azorult trojan
- The fake email had the subject heading ‘Fax Message ID: 8118 896 972’ and a zip attachment containing two files: a password-protected Word document and a JavaScript (.js) file named ‘Password’, posing as the document’s password.
- Running the ‘Password’ .js file downloads and executes further malware, eventually infecting the machine with Azorult. Azorult steals passwords and financial information and can also download and install a range of further malware.
Leaks and Breaches
Unprotected Voxox database leaks over 26 million text messages used in 2FA and password resets
- Security researcher Sebastien Kaul discovered an unprotected Voxox database that was exposing just over 26 million messages sent through the service for password resets and other account-management functions via SMS.
- Kaul found the database via the Shodan search engine. It lacked password protection, allowing the text messages to be read by anyone in near-real-time, and it was fronted by a Kibana interface, making the data easy to search and browse.
- The data exposed includes one-time passwords, password reset links, plaintext passwords, banking passwords and shipping notifications. According to a TechCrunch report, the ability to read these messages in near-real-time could have put large numbers of accounts at risk of hijacking, since an attacker could use a 2FA code or reset link before the legitimate user did. The database has since been taken down.
Amarillo City workers’ personal information compromised
- Employees of the City of Amarillo had their personal data exposed when an outside contractor conducting an audit lost a USB drive containing the information. The data included names, addresses, bank deposit information, dates of birth and Social Security numbers. The data on the drive was reportedly encrypted.
Twitter confirms cryptocurrency hacks on its platform originated from third-party app
- A Twitter spokesperson reported that hackers had exploited a third-party marketing app to send fake Bitcoin giveaway links from numerous verified Twitter accounts, including legitimate Google and Target accounts.
ProtonMail denies claims of hacker stealing significant amounts of data
- In a ransom note posted to Pastebin, threat actor AmFearLiathMor claimed to have hacked ProtonMail and stolen ‘significant’ amounts of data. Along with decrypted emails and decrypted customer data, the hacker claims to have accessed information relating to ‘underwater drone activities’, ‘possible international treaty violations’ and ‘conversations revealing rampant paedophilia among executives and the affluent’.
- ProtonMail have denied these claims, stating it is an ‘extortion attempt’ and ‘hoax’. In a statement to Bleeping Computer, ProtonMail said they were aware of a compromise affecting a small number of email accounts, however have ‘no evidence of a breach of [their] infrastructure’.
- The threat actor has been actively promoting the alleged hack, offering $20 in Bitcoins to anyone who spreads information about the attack using #Protonmail on Twitter.
Pakistani bank’s card dumps up for sale on the dark web
- Group-IB discovered a large set of compromised payment details put up for sale on the dark web marketplace Joker’s Stash on November 13th. The newly available data includes unauthorised digital copies of the magnetic stripe data from 177,878 cards associated with Pakistani and other international banks.
- Banks affected by the breach include Habib Bank, MCB Bank Limited, Allied Bank Limited, among others.
HealthEquity breach exposes personal data of over 20,000 subscribers
- HealthEquity has reported a data breach that exposed protected health information and personally identifiable information of 20,906 of the service’s subscribers.
- According to HealthEquity’s statement, the attack was the result of a threat actor accessing email accounts of two HealthEquity team members. The first account was accessed on October 5th, 2018, whereas the second account was accessed on multiple occasions between September 4th and October 3rd, 2018.
- The accounts exposed data including employee names, employer names, associated plans, account types and health plan enrolment data. HealthEquity also suffered a breach earlier this year when a phishing attack leaked personal healthcare information of around 23,000 subscribers.
Card-skimming script steals Vision Direct customers’ credit cards
- Vision Direct, a European online contact lens supplier, has disclosed a data breach in which full credit card details and personal information of several customers were exposed. The breach occurred between November 3rd and November 8th, 2018.
- The data compromised includes full names, billing addresses, emails, passwords, telephone numbers and payment card information including card numbers, expiry dates and CVVs. The number of customers impacted remains unknown.
- According to security researcher Troy Mursch, the data appears to have been compromised through a malicious card-skimming script masquerading as Google Analytics that was running on Vision Direct’s website.
York Council’s phone app hacked exposing personal data
- The City of York Council was contacted by a hacker on November 1st, 2018, who claimed to have accessed the personal data of users of the council’s One Planet York app.
- The data includes users’ names, addresses, postcodes, emails, telephone numbers and encrypted passwords. The number of users affected remains unknown.
Bug in Instagram’s data download tool exposes user passwords
- A flaw in Instagram’s ‘Download Your Data’ feature could have exposed some users’ account passwords.
- A small number of users who used the tool had their plaintext passwords displayed in the page URL in their browser, and those URLs were then also stored on Facebook’s servers. Instagram has fixed the issue.
CarsBlues Bluetooth attack could affect millions of vehicles
- The CarsBlues attack leverages security flaws in the infotainment systems installed in several vehicles via Bluetooth, and affects those who have synced their smartphones to their cars.
- The biggest threat is against those who sync their phones to vehicles that they have rented or borrowed, and subsequently returned.
- Privacy4cars states that the attack can be performed in a few minutes, is inexpensive and does not require specific technical knowledge.
Lock-screen bypass flaw patched in handsets
- A flaw, tracked as CVE-2018-7929, in a popular in-display fingerprint reader technology used for user authentication in several mobile phone models left the devices vulnerable to a trivial lock-screen bypass.
- The flaw affects devices such as Vivo Communication Technology’s V11 Pro, X21 and Nex, OnePlus’ 6T, Xiaomi Mi 8 Explorer Edition phones and Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones.
Privilege escalation flaw patched in Accelerated Mobile Pages WordPress plug-in
- Researchers at WebARX disclosed a bug in the ‘AMP for WP – Accelerated Mobile Pages’ plug-in that allows low-privileged registered users, not only administrators, to inject malicious HTML code into the site’s pages.
- A WebARX blog post stated that the flaw is ‘located in the ‘ampforwp_save_steps_data’ which is called to save settings during the installation wizard. It’s been registered as ‘wp_ajax_ampforwp_save_installer’ ajax hook.’ The handler performs no capability check, so any registered user can call the ajax hook irrespective of their account role. This lets any user place ads or add custom HTML in the headers and footers of pages.
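The pattern WebARX describes is common in WordPress plug-ins: a `wp_ajax_*` action fires for any logged-in user, so unless the handler itself checks capabilities and a nonce, a subscriber account can reach settings meant for administrators. The block below is an added illustration written for this digest, not code from the plug-in or from WebARX; the hook names (`example_save_installer`), option name and field name are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added example, not the plug-in's own code. Hook, option and field names are
// hypothetical; add_action, current_user_can, check_ajax_referer, wp_kses_post,
// get_option/update_option and wp_send_json_* are real WordPress core functions.

// VULNERABLE pattern: wp_ajax_{action} runs for *any* authenticated user
// (subscriber included). No capability check, no nonce, and the submitted
// markup is stored unfiltered, so it is rendered later in the header/footer.
add_action( 'wp_ajax_example_save_installer', 'example_save_steps_data_vulnerable' );
function example_save_steps_data_vulnerable() {
    $settings                = get_option( 'example_settings', array() );
    $settings['header_html'] = isset( $_POST['header_html'] ) ? $_POST['header_html'] : '';
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// HARDENED pattern: the same handler with the three checks the vulnerable one
// lacks. The capability check is the actual fix for the role bypass; the nonce
// stops cross-site request forgery against an admin; sanitisation is defence
// in depth in case the check is ever loosened.
add_action( 'wp_ajax_example_save_installer_safe', 'example_save_steps_data_safe' );
function example_save_steps_data_safe() {
    // Dies with HTTP 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'example_save_installer', 'nonce' );

    // Settings changes require a capability only administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw  = isset( $_POST['header_html'] ) ? wp_unslash( $_POST['header_html'] ) : '';
    $html = wp_kses_post( $raw ); // strips <script>, on* handlers, javascript: URLs

    $settings                = get_option( 'example_settings', array() );
    $settings['header_html'] = $html;
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// The installation-wizard form must emit the nonce the hardened handler expects.
function example_wizard_nonce_field() {
    wp_nonce_field( 'example_save_installer', 'nonce' );
}
```

When auditing a plug-in for this class of bug, grep for every `add_action( 'wp_ajax_` registration and confirm that the callback reaches `current_user_can()` (and a nonce check) before it touches `update_option()`, the database or the filesystem; a handler that only relies on the user being logged in is exactly the condition described above.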
Denial-of-Service vulnerability discovered in Skype for Business
- The vulnerability, tracked as CVE-2018-8546 and nicknamed the ‘Kitten of Doom’, is triggered by sending a large number of emojis to the instant messaging client. An attacker only needs to send one message containing a large batch of emojis to a victim on a Skype for Business or Lync client to render the client unresponsive.
Unit 42 analyse OilRig’s testing activities
- Continuing their research into OilRig’s August 2018 attacks on a Middle Eastern government, Unit 42 has linked the group’s testing activity to the creation of the weaponised delivery documents used in that attack.
- The researchers found that 11 additional Microsoft Office document samples had been submitted to several public antivirus testing sites. The samples were created by OilRig, also known as APT34, and shared similarities with the delivery document used in their 2014 campaign.
- Unit 42 assess that the similarities in metadata, macro code and filenames containing the C&C domain name suggest that the files were OilRig testing their code prior to its use in the August attack.
Source (Includes IOCs)
General Services Administration issues new rules for data breach reporting
- The General Services Administration (GSA) has proposed new rules on data breach disclosure that government contractors must follow, including giving the government access to their systems in the event of a breach.
- The proposal also establishes a time frame for reporting, should an incident occur that affects the confidentiality, integrity or availability of the managed information. The guidelines have not yet been implemented.
Using Microsoft PowerPoint as a malware dropper
- Marco Ramilli, CEO of cyber security firm Yoroi, has explained how Microsoft PowerPoint can be used as a malware dropper. Excel files with embedded macros and Word documents that rely on user interaction are the document types most commonly used to drop malware, but Ramilli has also found instances of PowerPoint files being used to drop and execute malicious payloads.
Source (Includes IOCs)
Group-IB presents latest hacking trends in Asia
- According to their findings, Asia is one of the most actively attacked regions in the world. Twenty-one state-sponsored hacking groups have been detected in Asia over the last year, more than were discovered in the UK and US combined.
- Attacks have most notably focused upon the manufacturing of chips, microprocessors and system control boards of various IT vendors located in Asia. In addition, Group-IB have detected that criminals are seeking to gain access to the databases of Hong Kong state internet portals, responsible for taxes, trade, procurement, logistics, innovations and hi-tech infrastructure.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.