Silobreaker Daily Cyber Digest – 21 August 2019
Hidden-Cry ransomware posing as Fortnite cheat tool
- Cyren researchers analysed Hidden-Cry ransomware, which poses as a cheat in Fortnite that allows players to aim accurately and know other players’ locations. The malware is suspected to be distributed via an upload to a sharing site and links posted in Fortnite user forums.
- The malware is an open-source ransomware, initially thought to be Syrk. However, the analysis showed that it is Hidden-Cry, appending a .Syrk extension to encrypted files.
- A main feature of Hidden-Cry is a timer that threatens to delete files every two hours. The researchers believe it is possible to retrieve these deleted files, and they also offer two methods for decryption.
Source (Includes IOCs)
Parite malware uses polymorphic methods to avoid network detection
- Researchers at Cylance analysed Parite malware, discovering that infection most commonly occurs via the internet or through USB memory devices. Upon infection, Parite self-replicates, implementing minor changes with each new variant. This allows the malware to successfully evade signature-based detection.
- Once the malware gains a foothold, it traverses the target’s computer and network shares looking for .exe and .scr files to infect. When such files are located, the malware adds malicious code to a section of the portable executable.
Newly registered domains often used for malicious campaigns
- A study by Palo Alto Networks Unit 42 on newly registered domains (NRDs) found that more than 70% of NRDs were ‘malicious’, ‘suspicious’ or ‘not safe for work.’ A range of malicious usage was observed, including C2, malware distribution, phishing, typosquatting, PUP/adware and spam.
- The top-level domains (TLDs) with the highest malicious rates for NRDs were country-code TLDs, most likely due to inexpensive or free registration, less strict registration policies and the obscuring of WHOIS registrant data from public view.
- Although there is potential for false positives, Unit 42 recommends blocking complete TLDs or using URL Filtering to block access to NRDs.
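The NRD and whole-TLD blocking policy described above, as an added example that is not part of the digest or the Unit 42 report. It runs over constructed resolver log lines with a constructed registration-date table standing in for a WHOIS/NRD feed; the blocked ccTLDs, the 32-day window and the allowlist are illustrative assumptions, and names with no registration data are flagged for review rather than blocked to limit the false positives the report warns about.

```python
from datetime import date, timedelta

# Policy knobs (illustrative values, not from the Unit 42 report).
NRD_WINDOW_DAYS = 32                # domains registered within ~a month count as NRDs
BLOCKED_TLDS = {"tk", "ml", "ga"}   # example ccTLDs; pick from your own telemetry
ALLOWLIST = {"newlaunch.example"}   # known-good new domains, to limit false positives
AS_OF = date(2019, 8, 21)           # evaluation date for the sample below

# Constructed registration data standing in for a WHOIS/NRD feed (domain -> registration date).
REGISTRATIONS = {
    "cdn-update.tk": date(2019, 8, 19),
    "newlaunch.example": date(2019, 8, 15),
    "corp-portal.example": date(2012, 3, 1),
    "paypa1-login.com": date(2019, 8, 1),
}
# Constructed resolver log lines: "<timestamp> <client-ip> <qname>".
SAMPLE_LOG = """\
2019-08-21T10:00:01Z 10.0.0.5 cdn-update.tk
2019-08-21T10:00:02Z 10.0.0.7 newlaunch.example
2019-08-21T10:00:03Z 10.0.0.9 corp-portal.example
2019-08-21T10:00:04Z 10.0.0.5 paypa1-login.com
2019-08-21T10:00:05Z 10.0.0.5 unknown-host.net
"""

def registrable_domain(qname):
    """Crude eTLD+1 (last two labels); use a Public Suffix List library in production."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def classify(qname, today):
    """Verdict for one queried name: allow, block-tld, block-nrd or review-unknown."""
    domain = registrable_domain(qname)
    if domain in ALLOWLIST:
        return "allow"
    if domain.rsplit(".", 1)[-1] in BLOCKED_TLDS:      # whole-TLD block, as Unit 42 suggests
        return "block-tld"
    registered = REGISTRATIONS.get(domain)
    if registered is None:
        return "review-unknown"   # no registration data: log for review rather than block
    if today - registered <= timedelta(days=NRD_WINDOW_DAYS):
        return "block-nrd"
    return "allow"

def apply_policy(log_text, today=AS_OF):
    """Classify every qname in the log; returns {qname: verdict}."""
    verdicts = {}
    for line in log_text.splitlines():
        _ts, _client, qname = line.split()
        verdicts[qname] = classify(qname, today)
    return verdicts
```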
Targeted Office 365 phishing campaign observed
- Rapid7 researchers discovered a new Office 365 phishing campaign that appears to target specific organisations. Rather than redirecting users to the standard Office 365 login page, the login page contains the background image and banner logo of the targeted organisation’s Office 365 tenant login page.
- The researchers had previously observed a rise in abuse of Lithuanian infrastructure, and found that the IP address of this campaign’s domain belongs to a Lithuanian organisation called UAB ‘Interneto vizija’.
Ruby libraries containing backdoors removed
- A total of 18 malicious versions of 11 Ruby libraries were found and removed by the maintainers of the RubyGems package repository. This included four versions of rest-client, one of the most popular Ruby libraries.
- The backdoors had multiple purposes, including the collection of environment variables, which was triggered by a malicious actor sending a signed cookie. The collected variables were then sent to a remote server in Ukraine. Other functions included the execution of arbitrary commands and inserting crypto-mining code.
Magecart card skimmer discovered on Poker Tracker site
- Researchers at Malwarebytes identified Magecart malware on Poker Tracker, a website which offers poker users software to track their statistics. The malware was present on Poker Tracker’s subdomains and rootdomains which ran an outdated and vulnerable version of Drupal.
- The criminal behind the attack had customised the skimmer for the Poker Tracker site: the variable names matched the input form fields, and the data portion of the skimmer script had the site name hardcoded.
Source (Includes IOCs)
Google Play Store hosts 27 apps loaded with adware
- Researchers at Quick Heal identified 27 apps, published by AFAD Drift Racer, hosting adware on the Google Play Store. The apps were all free car racing games and spammed users to download adware disguised as a Google Play Store app.
- The adware showed adverts at random intervals and displayed them in full screen. The fake app icon was only displayed on a user’s device for a brief time before it disappeared, making deletion difficult.
Source (Includes IOCs)
Silence group expands activities to more than 30 countries
- Group-IB researchers found that the Russian-speaking hacker group Silence has expanded its activity and altered its TTPs. Since September 2018, the group has launched 16 new campaigns targeting banks. Additionally, in 2019 alone, the group has infected workstations in 30 countries across Europe, Latin America, Africa and Asia. The researchers estimate that Silence has inflicted approximately $4.2 million worth of damage.
- The researchers discovered that the group has begun to use reconnaissance emails to build up lists of targets. Since October 2018, Silence has engaged in three major campaigns sending more than 170,000 emails. During this period the group continued to use phishing emails to infect targets with malware.
- In addition to TrueBot, the group is employing new malware such as the fileless loader Ivoke and a PowerShell agent dubbed EmpireDNSAgent. EmpireDNSAgent is used in the lateral movement stage of attacks to control compromised systems.
- The researchers also established a link between Silence and TA505. Both groups are Russian, both target financial organisations, and the malware used by both groups seems to be developed by the same author.
APT41 attack targets US-based research university
- In April 2019, FireEye researchers found that the China-based group APT41 had conducted an attack against a US-based research university. The group attacked an Atlassian Confluence Server by exploiting a vulnerability tracked as CVE-2019-3396. The flaw allows an attacker to perform path traversal and remote code execution.
- Using a custom JSON POST request, the attackers ran commands and forced the vulnerable system to download the China Chopper web shell. Following this, the attackers downloaded multiple files, including the Highnoon backdoor and Acehash malware.
- Acehash features credential theft capabilities and a password-dumping utility. APT41 were able to use Acehash to harvest a single credential from the compromised system.
Source (Includes IOCs)
Leaks and Breaches
Vulnerability in Cuscal Limited exposes PayID user data
- A vulnerability at the financial institution Cuscal Limited exposed a number of records and data in the Addressing Service of NPP Australia’s PayID. Affected data includes PayID names and account numbers. NPP Australia noted that no withdrawal of funds could be made using this data.
- PayID data had previously been exposed in June 2019, following an enumeration attack on Westpac.
Adult site Luscious exposes data of over 1 million users
- Researchers at vpnMentor discovered an unauthenticated and unsecured Elasticsearch database which contained the details of 1.195 million user accounts. Personal information included usernames, emails, activity logs, country of residence and gender.
Critical vulnerability found in Russia’s blockchain voting system
- Researcher Pierrick Gaudry discovered a critical vulnerability in the blockchain-based voting system that is due to be used in the 2019 Moscow City Duma election. The voting system allows Moscow residents to remotely cast votes via the internet and is set to go live on September 8th, 2019.
- According to Gaudry, the voting system uses encryption key sizes that are too small to be safe, which allowed him to easily break the private keys and decrypt any data. It is unknown what malicious actors could do with these encryption keys.
- The Moscow Department of Information Technology had initially uploaded its blockchain code and encouraged security researchers to find flaws. After Gaudry’s discovery, it promised to fix the issue by changing the key length to 1024 bits, instead of the current 256×3 bits. Gaudry, however, believes a minimum of 2048 bits is required for the key to be secure enough.
Microsoft Remote Desktop for Android app added to security advisory
- On August 17th, 2019, Microsoft added the Microsoft Remote Desktop for Android app to its security update guide for CVE-2019-1108. The vulnerability was originally only thought to impact Windows Remote Desktop Protocol (RDP).
- The vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. It could be exploited by attackers to obtain information that helps further compromise targeted systems.
CERT-Bund issues warning about exposed Sphinx servers
- On August 20th, 2019, CERT-Bund warned network providers and operators that Sphinx servers that run with a default configuration can be accessed without authentication. This could allow attackers to access an organisation’s data.
All versions of Kubernetes affected by two high severity vulnerabilities
- On August 20th, 2019, Kubernetes announced that two high severity vulnerabilities, tracked as CVE-2019-9512 and CVE-2019-9514, have been identified in the net/http library of the Go language. This issue affects all versions and components of Kubernetes.
- An attacker who exploits these vulnerabilities can cause a DoS condition by forcing the server to allocate an unlimited amount of memory.
- The two vulnerabilities were part of a series of eight HTTP/2 protocol flaws that were originally discovered by Netflix researchers.
Multiple remote code execution vulnerabilities exposed in Aspose APIs
- Cisco Talos discovered multiple vulnerabilities, tracked as CVE-2019-5032, CVE-2019-5033 and CVE-2019-5041, in Aspose APIs. The vulnerabilities exist in APIs that process PDFs, Microsoft Word files, and more.
- An attacker can exploit these vulnerabilities by sending a specially crafted, malicious file to the target and tricking them into opening it with an application that uses a vulnerable API.
- CVE-2019-5032 and CVE-2019-5033 are present in Aspose.Cells, version 19.1.0. CVE-2019-5041 impacts Aspose.Words, version 220.127.116.11.
Xilinx system-on-chip boards feature unpatchable flaw
- Researchers at F-Secure identified two vulnerabilities, one of which is unpatchable, in the Xilinx Zynq UltraScale+ family of system-on-chip (SoC) devices.
- The flaws are located in the Encrypt Only secure boot mode and can be exploited by attackers with physical access. Attackers can tamper with the boot header in the early stage of the boot procedure and modify its content to execute arbitrary code, allowing them to bypass security measures. This bug cannot be patched.
- The second vulnerability allows a user to execute arbitrary code by altering the parsing of the partition header table; this flaw is patchable.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.