Silobreaker Daily Cyber Digest – 21 November 2018
Umbro Brasil injected with two web skimmers from the Magecart group
- Malwarebytes Labs reported that the sportswear brand Umbro had their Brazilian website hacked and injected with two credit card skimmers associated with the Magecart Group.
- One of the skimmers scans for the presence of other card skimmers to intercept the data captured and alter credit card numbers in an effort to ‘sabotage’ competing skimmers.
Source (Includes IOCs)
CERT-UA detects new variant of Pteranodon malware
- Ukrainian CERT, together with the Ukrainian Foreign Intelligence Service, has detected a new strain of the Pteranodon malware.
- According to their alert, the new Pteranodon strain differs from previous versions through its ability to infect systems through flash drives and other removable media. This strain was also found to be activated on systems with language localization for languages of post-Soviet states.
- Pteranodon is targeting Ukrainian government agencies. The malware is associated with the Gamaredon Group, known for attacking the Ukrainian military and government in the past.
Researchers detect new Emotet trojan activity
- Researchers recently detected new activity from the Emotet trojan, which was observed being distributed through Thanksgiving-themed messages, and abusing Proofpoint’s URL Defense service.
- Cofense researchers detected an Emotet campaign whose messages contained legitimate links wrapped by Proofpoint’s URL Defense scanning service, which rewrites URLs so that they redirect through Proofpoint servers for verification. According to the researchers, this may indicate that the malware scraped the URLs from a compromised user’s mailbox. In this campaign Emotet also functioned as a downloader, delivering the IcedID banking trojan as the final payload.
- Another Emotet campaign was detected by researchers at Forcepoint. In this case, the trojan was distributed via Thanksgiving-themed messages. This campaign differs from previous Emotet activity by distributing XML files disguised as .doc files to deliver the malicious payload.
Unit 42 report on Sofacy’s continuing attacks leveraging the new ‘Cannon’ trojan
- In late October 2018, Unit 42 detected weaponised documents that loaded remote templates containing a malicious macro. The documents were being used by APT28 to target government entities in North America, Europe and the former USSR.
- Analysis of the payloads revealed that the first-stage payload was the Zebrocy trojan, while the second stage was a new trojan, dubbed Cannon, that had not previously been seen in association with APT28. Cannon uses an email-based C&C communication channel, which can decrease the chance of detection.
- Unit 42 analysed two of the weaponised documents from the campaign, which shared a C&C IP address, author name and tactics. In particular, the researchers found that one of the two documents had the file name ‘crash list(Lion Air Boeing 737_[.]docx’, which suggests that the group is attempting to capitalise on the attention gathered by a catastrophic event to further its aims.
- In a separate analysis, ESET has released a report detailing Sofacy’s deployment of two new Zebrocy components aimed at embassies, ministries and diplomats in Central Asia, as well as in countries in Central and Eastern Europe.
Active cross-site scripting (XSS) attacks target AMP for WordPress plugin
- Vulnerabilities discovered in the AMP for WordPress plugin allow any registered user to gain administrative privileges on a WordPress site. The vulnerabilities are caused by a lack of authorisation checks when administrative actions are taken in older versions of the plugin.
- Wordfence researcher Mikey Veenstra has reported that an active XSS attack has been detected targeting these vulnerabilities to install backdoors and create rogue admin accounts on vulnerable WordPress sites. Veenstra assessed that the attacks are likely automated: the malicious script is hosted at a remote URL and, when executed in an administrator’s browser, creates a new rogue admin user on the site.
- After the new admin user is added, the script then attempts to inject a PHP backdoor into each installed plugin.
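The root cause named above, an administrative action that never verifies who is calling it, is the classic missing-authorisation bug in WordPress plugins. The following is an added illustration written for this digest, not code from the AMP for WordPress plugin or from Wordfence: a hypothetical AJAX handler (action name ‘myplugin_save_settings’ and option name ‘myplugin_settings’ are invented) shown first in its vulnerable shape and then with the capability check, nonce check and input sanitisation that WordPress core provides for exactly this purpose.

```php
<?php
// Added example, not the plugin's own code. The action and option names
// ('myplugin_save_settings', 'myplugin_settings') are hypothetical.

// BEFORE: a wp_ajax_* handler is reachable by ANY logged-in user, including
// subscriber-level accounts. Writing a site option here without checking the
// caller's capability is the missing-authorisation pattern described above.
// (Shown for contrast only; it is deliberately not registered below.)
function myplugin_save_settings_unchecked() {
    $settings = wp_unslash($_POST['settings'] ?? '');
    update_option('myplugin_settings', $settings);   // privileged write, no check
    wp_send_json_success();
}

// AFTER: the same handler with the three checks a privileged action needs.
add_action('wp_ajax_myplugin_save_settings', 'myplugin_save_settings_checked');
function myplugin_save_settings_checked() {
    // 1. Authorisation: only users holding the relevant capability proceed.
    //    wp_send_json_error() terminates the request, so no code below runs
    //    for an unauthorised caller.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient_permissions', 403);
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action. check_ajax_referer() dies with an error if it is missing or
    //    invalid, which blocks the "run it in an admin's browser" route.
    check_ajax_referer('myplugin_save_settings', 'nonce');

    // 3. Input validation: sanitise before the write reaches the database.
    $settings = sanitize_text_field(wp_unslash($_POST['settings'] ?? ''));
    update_option('myplugin_settings', $settings);

    wp_send_json_success(['saved' => true]);
}

// The admin page that issues the request must embed a matching nonce, e.g.
// wp_create_nonce('myplugin_save_settings'), and send it as the 'nonce' field.
```

The capability check is what closes the privilege-escalation hole the digest item describes; the nonce check is what stops a script executing in an administrator’s browser from driving the action on the administrator’s behalf. Both are needed, because each defends against a different caller.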
Apple Pay malvertising campaign targeted iPhone users visiting premium news websites
- The Media Trust’s Digital Security & Operations team reported that a major US West Coast newspaper had been targeted in a phishing and redirect campaign using the PayLeak malware, which was disguised as an ad.
- When a visitor to the news website clicked on the ad, PayLeak communicated with a malicious Chinese domain that fingerprinted the phone, including whether the device was an Android or an iPhone. Android users were redirected to a phishing site. On an iPhone, the malware checked whether Apple Pay was supported, then prompted the user to update their device and enter their credit card details into a fake Apple Pay credit card pop-up.
New APT32 campaign targets Southeast Asia
- ESET researchers detected a new campaign targeting Southeast Asian websites and attributed it to APT32. The campaign compromised the websites of the Cambodian Ministry of Defence, the Cambodian Ministry of Foreign Affairs and several Vietnamese newspaper and blog sites. In total, they identified 21 compromised websites.
- This campaign has been described as more sophisticated than previous APT32 activity, based on its improved encryption of communications. It is believed to have started in September 2018.
Source (Includes IOCs)
Fake applications in Google Play get over half a million installs
- Over a dozen applications have been detected on Google Play that silently download another app and trick users into approving its installation. The purpose of the apps is to make money by pushing unsolicited advertisements to the user whenever their device is unlocked.
- The apps, posing as games, remove their icon from the screen immediately after installation and download another app in the background from a hardcoded address. The disappearance of the game’s icon is a ploy to make the user believe the installation has failed, prompting them to consent to what they think is a reinstallation, which is in fact the second app.
- The downloaded package is named ‘Game Center’; it hides itself after launch and displays ads when the device is unlocked. Scans on VirusTotal showed that only four antivirus engines marked it as malicious.
Lazarus Group spotted planting backdoor into Latin American financial institutions
- Trend Micro has reported that Lazarus Group has been installing the backdoor BKDR_BINLODR[.]ZNFJ-A on targeted machines belonging to financial institutions, with activity observed on September 19th, 2018.
- The backdoor is capable of collecting information about files, folders and drives, as well as downloading additional files and malware. It can also update its configuration data, use a proxy, run in passive mode, and more.
Source (Includes IOCs)
Leaks and Breaches
Data management solution provider OSIsoft’s domain accounts compromised in data breach
- The software provider warned employees, consultants and contractors that domain accounts had been compromised after attackers used stolen credentials to remotely access the company’s computers.
East Tennessee State University breached due to email phishing scam
- A spokesperson reported that several university employees were deliberately targeted with phishing emails that appeared to come from a supervisor, resulting in a data breach that potentially affected 7,700 people.
Patches released for multiple vulnerabilities affecting Dell EMC and VMware products
- Several flaws were identified in Dell EMC’s Avamar Server and Integrated Data Protection Appliance. These vulnerabilities also affect VMware’s vSphere Data Protection, versions 6.0.x and 6.1.x, which are based on Avamar Virtual Edition.
- The first vulnerability is a critical remote code execution flaw, tracked as CVE-2018-11066. The second vulnerability, tracked as CVE-2018-11067, can be exploited to redirect users to arbitrary URLs and has been ranked as ‘medium’.
- Two other flaws found in these products are a high-severity information exposure vulnerability, CVE-2018-11076, and a less severe flaw, tracked as CVE-2018-11077, that can be exploited to execute arbitrary commands with root privileges. Both Dell EMC and VMware have issued patches for these vulnerabilities.
Three remote code execution vulnerabilities discovered in Atlantis Word Processor
- CVE-2018-4038 is an arbitrary write vulnerability that can be triggered with a specially crafted document: an untrusted value is passed as a length to a constructor, which miscalculates the length and then uses it to compute the position at which a null byte is written.
- CVE-2018-4039 is a Huffman table code length remote code execution vulnerability in the PNG implementation. It is reached by opening a specially crafted document, which the application checks for fingerprints to determine the correct file parser. An attacker could use this flaw to execute arbitrary code in the context of the application.
- CVE-2018-4040 is an uninitialized TAutoList remote code execution vulnerability in the rich text format parser. A specially crafted document causes RTF tokens to dereference an uninitialized pointer and then write to it. When the document is opened, the application checks its fingerprint and the parsing that follows eventually corrupts the application’s memory.
Adobe patches critical flaw in Flash Player
- Adobe released patches for a critical vulnerability, tracked as CVE-2018-15981, in Flash Player for Windows, macOS, Linux, and Chrome OS.
- The flaw permits attackers to execute arbitrary code in the context of the current user.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.