Silobreaker Daily Cyber Digest – 20 December 2018
McAfee publish detailed report on Shamoon attacks
- McAfee have released a report giving an overview of the recent Shamoon attacks, including their geopolitical context. Based on their analysis, they attribute the attack to APT33, or a group posing as APT33.
- McAfee assess that the use of the image of a burning American flag in the first version, and the image of a drowned Syrian boy in the second version, hint towards the attacks’ connection to the conflicts in Syria and Yemen.
- In addition, Palo Alto’s Unit 42 have also reported on the Shamoon attacks, stating that they discovered an additional wiper that is a modified variant of the open-source SuperDelete tool. Their analysis found that this tool was on the same system that was running the Disttrack executables.
- The wiper was modified to create a new variant that has no functionality other than deleting files on the system; therefore, unlike Disttrack, it is unable to spread to other systems on the network. Interestingly, the wiper also contained a verse from the Quran, which is not displayed prior to wiping the system and would therefore only be discovered by those analysing the tool.
Amnesty International report reveals how hackers bypass 2FA
- Amnesty International observed several ongoing campaigns involving credential phishing targeting individuals in the Middle East and North Africa.
- One campaign involved hackers attempting to collect credentials for Tutanota and ProtonMail accounts, and another campaign targeted hundreds of Yahoo and Google accounts, successfully bypassing those that implemented 2FA.
- The attackers achieve this by creating legitimate-looking phishing sites for the email services. If the target logs in, the login procedure remains the same to ensure the victim is not alerted to any malicious activity. This includes the sending of a 2FA code, which is also phished by the attackers.
Source (Includes IOCs)
15 phony Android wallpaper apps taken down from Google Play store
- The apps, which were downloaded over 222,200 times, were available for several months on the Google Play store, and have particularly affected victims in Italy, Taiwan, the US, Germany and Indonesia.
- Once the apps are downloaded, Google Play Services’ advertising ID is replaced with different URL parameters, generating profit for the criminals by abusing the system provided by Google to Android developers to earn money from their apps.
- The malicious app’s package name replaces the IP with the infected device’s current IP, which loads a URL causing the apps to simulate clicks on the ad page.
Source (Includes IOCs)
Email campaign targeting banking and financial services discovered
- Discovered by researchers at Menlo Labs, the email campaign appears to have been operating in the US and the UK since August 2018. It attempts to trick victims into clicking on links to archive files in order to deliver a malicious payload.
- Two types of payloads are being distributed by the campaign: VBS scripts and JAR files. The VBS scripts and one of the JAR files appear to belong to the Houdini malware family, whereas the rest are still being analysed but show some resemblance to Qrat.
Source (Includes IOCs)
Smoke Loader being delivered in fake tsunami alert campaign
- Researchers at Fortinet have stated that the email spam campaign, initially discovered in November, was found targeting people living in the north-east of Japan, masquerading as a tsunami alert from the Japan Meteorological Agency. Instead, when the link to the attackers’ website was clicked, Smoke Loader was downloaded to the victim’s system. At the end of November, the Smoke Loader link appears to have been replaced by AZORult Stealer.
- The domain that users are directed to attempts to look like the legitimate JMA domain (jma[.]go[.]jp), but instead uses a hyphen (jma-go[.]jp).
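The domain lookalike described above (a hyphen standing in for a dot in jma.go.jp) can be caught with a simple canonicalisation check on proxy or DNS logs. The following is an added example, not code from the digest or from Fortinet; the log format, the client addresses and the set of protected domains are constructed for the demonstration. It goes slightly beyond the single case in the text: besides dot/hyphen substitution it also flags a protected name used as a leading label sequence under a different registrable domain (for example jma.go.jp.example-cdn.net).

```python
import re
from urllib.parse import urlsplit

# Constructed: brands/domains a defender wants to protect. The digest's
# example is the Japan Meteorological Agency, jma.go.jp.
PROTECTED = {"jma.go.jp"}

# Constructed proxy-log lines (hypothetical format: timestamp, client, method, URL).
SAMPLE_LOG = """\
2018-11-20T09:01:12 10.0.0.7 GET http://www.jma.go.jp/jp/tsunami/
2018-11-20T09:02:45 10.0.0.7 GET http://jma-go.jp/tsunami/alert.exe
2018-11-20T09:03:01 10.0.0.9 GET https://jma.go.jp.example-cdn.net/login
2018-11-20T09:04:30 10.0.0.9 GET https://example.org/
"""


def skeleton(domain: str) -> str:
    """Collapse dots and hyphens so that separator substitutions compare equal."""
    return re.sub(r"[.\-]", "", domain.lower())


def lookalike_of(hostname: str, protected=PROTECTED):
    """Return the protected domain this hostname imitates, or None.

    A hostname is legitimate if it is a protected domain or a subdomain of one.
    It is a lookalike if (a) any label suffix of it, with separators removed,
    equals a protected domain with separators removed (jma-go.jp ~ jma.go.jp),
    or (b) a protected domain appears as the leading labels under some other
    registrable domain (jma.go.jp.example-cdn.net).
    """
    host = hostname.lower().rstrip(".")
    for legit in protected:
        if host == legit or host.endswith("." + legit):
            return None
    labels = host.split(".")
    for legit in protected:
        # (a) separator substitution, checked on every label suffix so that
        #     www.jma-go.jp is caught as well as jma-go.jp
        for i in range(len(labels)):
            if skeleton(".".join(labels[i:])) == skeleton(legit):
                return legit
        # (b) protected name used as a prefix under another domain
        if host.startswith(legit + "."):
            return legit
    return None


def scan_log(text: str):
    """Yield (line_number, hostname, imitated_domain) for suspicious requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        host = urlsplit(fields[-1]).hostname
        if not host:
            continue
        imitated = lookalike_of(host)
        if imitated:
            hits.append((n, host, imitated))
    return hits


if __name__ == "__main__":
    for n, host, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} looks like {target}")
```

The skeleton comparison deliberately ignores the public-suffix structure, so a hit is a candidate for review rather than a verdict; in practice the protected set would be populated from the organisation's own domains and those of services its users are expected to visit.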
Source (Includes IOCs)
Leaks and Breaches
Payment details from August’s Click2Gov breach are being sold on the dark web
- Gemini Advisory have stated that the payment details stolen in the Click2Gov breach in August have been spotted for sale on the dark web. Gemini noticed ‘an out-of-pattern concentration of victims located in small-to-medium US cities’, which they later determined were stolen from local services that licensed the Click2Gov software.
- At the time of the research, Gemini found 294,929 stolen payment records, from which the criminals have earned approximately $1.7 million by uploading the card details and selling them for around $10 per card. 65% of the stolen records are reportedly associated with the top 20 affected banks.
Pottery firm suffers security breach
- Steelite International, a pottery firm based in Stoke-on-Trent, suffered disruption to its payroll systems as a result of an attacker gaining access to their servers and encrypting their data, before demanding 79 Bitcoins, currently valued at around £2,500.
- The firm restored their systems using back-up data.
Retailer SheIn accused of data breach cover-up
- Rosalie Golbahar, a customer of fashion chain SheIn, has accused the e-commerce retailer of causing $10,000 worth of unauthorised charges on her credit card as the result of a data breach and subsequent cover-up. She also argues that the defendant did not take adequate measures to protect their computer systems and safeguard customer data.
Microsoft issue an emergency update to fix IE flaw under active exploit
- The vulnerability, tracked as CVE-2018-8653, is a memory corruption flaw, affecting all supported versions of Windows, that allows attackers to remotely execute malicious code when computers use IE to visit a malicious website. The flaw lies in the way Microsoft’s scripting engine handles objects in memory in Internet Explorer.
- The bug allows attackers to execute arbitrary code in the context of the current user and, if the user is logged on with administrative rights, a successful exploit could take control of the affected system, allowing the attacker to install programs; view, change and delete data; and create new accounts with full user rights.
- Microsoft have released a security update stating that they were informed by Google of this vulnerability being leveraged in targeted attacks. This flaw has been patched in the latest security updates.
Vulnerabilities discovered in Keybase applications
- Two privilege escalation vulnerabilities were discovered in the Keybase Linux and macOS apps. The first was a flaw in the Keybase Helper process on the macOS version, which failed to perform proper permission checks in version 2.5.2 and before.
- The second vulnerability, identified as CVE-2018-18629, allowed an attacker to increase their privilege level on a Linux system by changing the path environment variable to one that included malware, which was then executed.
- The bugs were reported via the HackerOne bug bounty platform, and the developer rewarded each discovery with $5,000.
Proof-of-concept attack corrupts server firmware
- Researchers at Eclypsium have demonstrated a remote attack that is capable of corrupting server component firmware, rendering them unbootable. The tools used in the attack are the same tools used to keep the baseboard management controller updated.
- In the demonstration, an attacker firstly infiltrates the target server via malware, credential theft or other means. Once compromised, the attacker is able to update the BMC firmware with a malicious version. The BMC then boots to the image supplied by the attacker, leaving it inoperable.
New keystroke interception attack discovered
- Academics from the University of California, Riverside, Virginia Tech and the US Army Research Lab are publishing a research paper on the new side-channel attack, which is capable of predicting keystrokes based upon how a processor computes code from standard graphics libraries.
- This can be performed via a malicious process running on a system, which can observe leaked clues from standard graphics libraries in modern operating systems to predict what information is being processed. The attack is still currently theoretical, and would require a high level of skill to perform.
- The research team has released a demo of their attack, and plan to release source code in the future.
Symantec reports on how LED bulbs can be remotely controlled
- The security issues reside in remote-controlled, full-colour LED light bulbs, which are set up by installing a smartphone app and creating a free account. The researchers found that after the light bulb is connected to the local Wi-Fi network, it can be remotely controlled through the internet.
- During their analysis, Symantec found that the smartphone app was mostly using plaintext HTTP requests to interact with the cloud. When a user changes the name of the light bulb, an unencrypted POST request is sent containing the user’s email address in cleartext and the MD5 hash of the unsalted password. Because of this, anyone with access to the connected network could brute-force this password hash.
- The information could allow an attacker to log into the account and gain control of the user’s lights.
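The weakness described above is the combination of a fast, unsalted hash and a cleartext channel. As an added example (not code from the digest or from Symantec), the block below contrasts the scheme the report describes with a salted, deliberately slow key derivation using only the Python standard library. The wordlist, the user names and the passwords are constructed for the demonstration; the point it makes is that an unsalted digest is the same for every user who chose that password, so a single precomputed table of common-password digests identifies all of them, whereas a per-user salt and a slow KDF remove that shortcut.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed: a tiny stand-in for the common-password lists that captured
# unsalted digests are routinely compared against.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]

PBKDF2_ITERATIONS = 200_000


def weak_digest(password: str) -> str:
    """The scheme the report describes: MD5 of the bare password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_digest_is_common(digest: str, wordlist=COMMON_PASSWORDS) -> bool:
    """Audit check for an unsalted digest: because there is no salt, the table
    of common-password digests is computed once and reused for every user."""
    table = {weak_digest(p): p for p in wordlist}
    return digest in table


def hardened_store(password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened form: random per-user salt plus PBKDF2-HMAC-SHA256 with a high
    iteration count, so equal passwords yield different records and each
    guess costs the attacker the full KDF work."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def hardened_verify(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_distinguishable(password: str) -> dict:
    """Show the difference for two constructed users who chose the same password."""
    weak_a, weak_b = weak_digest(password), weak_digest(password)
    hard_a, hard_b = hardened_store(password), hardened_store(password)
    return {
        "weak_identical": weak_a == weak_b,          # True: table lookup hits both
        "hardened_identical": hard_a["hash"] == hard_b["hash"],  # False: salts differ
    }


if __name__ == "__main__":
    d = weak_digest("sunshine")
    print("unsalted MD5 matches common-password table:", weak_digest_is_common(d))
    print(same_password_distinguishable("sunshine"))
```

Hashing on the client does not substitute for transport protection: even with the hardened scheme, the record travels in the clear over plain HTTP and can be replayed, so the fix in the report's scenario is TLS for the request plus server-side salted KDF storage, not a stronger client-side hash alone.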
Android apps used in combat by US troops contain severe vulnerabilities
- The apps, named KILSWITCH and APASS, work as an equivalent to radios and paper maps, allowing troops to message in real-time and coordinate with other military branches. They work by showing satellite imagery of their surroundings, as well as mission goals and nearby enemy and friendly forces.
- According to a Navy Inspector General report, both apps contain vulnerabilities that could allow enemy forces to access troops’ information. The report does not disclose the nature of the vulnerabilities, but does state that the Navy failed to control the distribution of the applications and did not warn troops of the dangers for almost a year.
McAfee assess that hackers are moving away from large dark web markets
- McAfee state that the downsizing is the result of an attempt by hackers to build more trust with their buyers, and also as a response to law enforcement efforts to disrupt activity.
- In their latest December threat report McAfee also share insights on various other topics, statistics and observations.
Profit-driven hackers targeting Fortnite
- It is alleged that hackers targeting Fortnite users are making significant profits through the sale of skins and accounts, and that some teenagers who are participating in this practice have made thousands of pounds a week. Due to the popularity of the game, the black market appears to be ever-growing and stolen accounts are being freely sold on Twitter.
US Treasury Department announce sanctions against nine Russian individuals and entities
- The sanctions are a response to their roles in election interference and the hacking of the World Anti-Doping Agency (WADA), amongst other accusations. The individuals have also been placed on the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list.
- The nine sanctioned officers of Russia’s GRU military intelligence worked within Unit 26165 and Unit 7445. Four of these officers were sanctioned for their involvement in the cyber-attacks against WADA, two Russian nationals and four companies were sanctioned for their involvement in ‘Project Lakhta’ which included the interference in political and electoral systems, and two further officers were allegedly sanctioned for their involvement in the attempt to assassinate Sergei Skripal.
- The sanctions mean that US companies, including banks, are no longer permitted to engage in any transactions with the sanctioned individuals and entities, and that all of their assets must be frozen.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.