Silobreaker Daily Cyber Digest – 22 August 2019
First known spyware based on AhMyth found on Google Play Store
- The malicious app called ‘Radio Balouch’ (or ‘RB Music’), detected as Android/Spy.Agent.AOX, was discovered by researchers at ESET. It is a fully functional streaming radio app that also steals users’ personal data.
- The spyware is based on AhMyth, an open-source Remote Access Tool that was publicly released in late 2017. Radio Balouch is the first app based on AhMyth that has appeared on the Google Play Store.
- The spyware is also promoted on alternative app stores, a dedicated website, Instagram, and on YouTube. Its malicious functionality allows it to steal contacts and files stored on the device, and send SMS messages from the infected device.
Source (Includes IOCs)
Bitdefender publishes analysis of worm-cryptominer
- The malware leverages both Beapy and PCASTLE, giving it wormlike behaviours whilst being able to mine cryptocurrency using either the CPU or the GPU. The worm-cryptominer pauses the intensive cryptomining process if a victim launches a game, helping it remain undetected. It also uses a variety of tools and unpatched vulnerabilities to move laterally across a victim’s network.
- The malware is delivered through a supply chain attack via a PUP called DriveTheLife, as a legitimate domain that the application uses has been manipulated to deliver the worm-cryptominer instead.
Researchers analyse Gamaredon Group’s TTPs in recent campaign
- FortiGuard Labs researchers analysed a new Gamaredon Group campaign targeting Ukrainian law enforcement and government agencies, finding that the tools and methods used suggest the group consists of political activists rather than special services. The analysis also revealed that the group has strong Russian ties.
- Gamaredon Group has been active for over 6 years, with its tactics, techniques and procedures (TTPs) largely remaining the same. The group has also been connected to the Linux malware EvilGnome.
Source (Includes IOCs)
Malicious password-stealing package removed from npm repository
- The ‘bb-builder’ package was removed from the npm repository after it was found that it steals login information from computers on which it was installed. According to an advisory, computers with the package installed or running should be classed as ‘fully compromised’.
- bb-builder was running an executable targeting Windows and uploaded the stolen information to a remote server.
New NanoCore RAT variant offered for free on the dark web
- Security researchers at LMNTRIX Labs observed a new variant of NanoCore RAT, geared towards amateur hackers, being offered for free on dark web forums. The researchers warn that the free availability and easy-to-use interface of this version could ‘lead to an explosion of campaigns.’
- NanoCore RAT is capable of remotely controlling an infected device. Other functions include stealing passwords, performing keylogging, and recording audio and video footage without being noticed.
- The malware is typically spread via email phishing campaigns, with many of the current campaigns sending out fake invoices or purchase orders with a malicious attachment.
Ministry of Foreign Affairs agencies and think tanks targeted in suspected North Korean campaign
- Anomali researchers observed a cyber espionage campaign targeting foreign ministries of four countries, as well as Stanford University, The Royal United Services Institute, Congressional Research Service, and five email service providers. Similarities with a known North Korean threat actor were found, including the same domain and hosting provider, as well as similar targeting.
- The campaign was first discovered on August 9th, 2019, after the researchers came across a phishing campaign masquerading as the French Ministry for Europe and Foreign Affairs online portal.
- The exact purpose of the campaign remains unclear; however, the targeting of foreign ministries and the posing as email or online document services suggest the aim is to gain access to sensitive communication or information.
Source (Includes IOCs)
Kaspersky publish Microsoft SQL attack analysis
- Kaspersky researchers stated that one of the most common attack vectors against MS SQL is a remote attack based on malicious jobs – a sequence of commands to be executed by the server agent. These allow attackers to deliver malicious commands, packages, ActiveX scripts and more.
- The attacks often do not target particular individuals; rather, they scan networks looking for a server with a weak password, attempting either to brute-force their way in or to use a user account token from a previously infected machine.
- Cryptocurrency miners and remote access trojans are the most commonly delivered payload, but this can vary, depending upon an attacker’s intentions and capabilities.
Source (Includes IOCs)
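To turn the Kaspersky observation into a concrete check, the following audit query is an added example written here; it is not from the Kaspersky report. It assumes SQL Server 2008 or later and read access to the msdb database, and lists every Agent job step that runs outside plain T-SQL or invokes command-shell, OLE automation or download helpers, together with the job’s owner and schedule, so a defender can spot jobs that were planted after a password brute-force.

```sql
-- Added example (not from the Kaspersky analysis): inventory SQL Server Agent
-- job steps that run outside plain T-SQL or call helpers commonly used to
-- fetch and execute payloads on the database host.
-- Assumes SQL Server 2008+ and read access to the msdb system database.
SELECT
    j.name                      AS job_name,
    SUSER_SNAME(j.owner_sid)    AS job_owner,    -- unexpected owners deserve a look
    j.enabled,
    j.date_created,
    j.date_modified,
    s.step_id,
    s.step_name,
    s.subsystem,                                 -- CmdExec, PowerShell, ActiveScripting ...
    s.command,                                   -- the command text the Agent actually runs
    sch.name                    AS schedule_name,
    sch.freq_type                                -- 64 = run when the Agent starts (persistence)
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s
    ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysjobschedules AS js
    ON js.job_id = j.job_id
LEFT JOIN msdb.dbo.sysschedules AS sch
    ON sch.schedule_id = js.schedule_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%'            -- OLE automation objects
   OR s.command LIKE '%DownloadString%'
   OR s.command LIKE '%DownloadFile%'
ORDER BY j.date_modified DESC;

-- Companion check: are the host-execution features enabled at all?
-- On a server that has no legitimate need for them, a value_in_use of 1 is a finding.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Agent XPs');
```

Run both queries on a known-good baseline first and keep the output; comparing a later run against that baseline is what turns the list into a detection, since the job names and owners an attacker chooses are unpredictable but the subsystems and helper calls they need are not.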
Researchers analyse Neutrino campaign active since 2013
- Researchers at Positive Technologies discovered a malware campaign involving Neutrino, which can be traced back to 2013. Neutrino was initially spread via email attachments and exploit kits before becoming a botnet in 2018.
- The botnet scans for phpMyAdmin systems, whilst simultaneously brute-forcing various web shells, after which it brute-forces the password for the root account. The payload includes a PowerShell script that downloads external components, which are most often a Monero cryptocurrency miner. Different miner versions are used to avoid detection. Once a server is infected, Neutrino changes TCP stack parameters to set up the fastest scanning possible.
- Tens of thousands of bots have been assembled by Neutrino, most of which are Windows systems running phpStudy, and these are used by Neutrino to mine Monero.
Leaks and Breaches
Thousands of MoviePass customer card numbers exposed
- Security researcher Mossab Hussein of Spider Silk LLC discovered an exposed database belonging to MoviePass that contained over 161 million unencrypted records, some of which included personal information, and the record count was increasing in real time. The database was found to have been open since early May 2019. It has since been taken offline.
- The exposed data included more than 58,000 records with MoviePass debit card data. The records also included customers’ personal credit card numbers alongside their expiry date and billing information, whilst some records had masked card numbers.
- Other exposed information included email addresses and password data entered for logins.
Government of Argentina suffers data breach
- The leak resulted in 700GB of data, including confidential documents, biometric information and wiretap data from both the Argentine Federal Police and the Argentinian government, being shared online via the ‘LaGorraLeaks’ Twitter account, which has since been suspended. The leak also contained data on individual police officers, their addresses and their families.
- The official Argentine Naval Prefecture Twitter account was also taken over, with both links to the breached data and fake news about a British attack on Argentine ships being shared. Investigations into the incident are ongoing, including into claims that the Federal Police database hack must have taken place over several months.
Hospice of San Joaquin suffers ransomware attack
- The California Attorney General’s Office has been notified of a ransomware attack that occurred against the Hospice of San Joaquin on July 2nd, 2019. Encrypted information includes full names, patient IDs, diagnosis data and home addresses. The hospice does not believe that any of the information has been disclosed to unauthorised third parties.
- It is unclear if the hospice has yet recovered from the attack, if they paid a ransom, or what strain of ransomware was used.
Privilege escalation flaw discovered in BitDefender Antivirus 2020
- SafeBreach Labs researchers found the flaw, tracked as CVE-2019-15295, that could be used to achieve privilege escalation and persistence by ‘loading an arbitrary unsigned DLL into multiple services that runs as NT AUTHORITY/SYSTEM’.
- In their blog post, the researchers provide a proof-of-concept demonstration of how the vulnerability could be exploited. The flaw has been patched.
Local privilege escalation zero-day flaw discovered in Steam Windows Client
- The bug could allow malicious apps to gain admin rights through Valve’s Steam app. This was the second zero-day Steam vulnerability recently discovered by researcher Vasily Kravets.
Cisco patch multiple vulnerabilities
- 17 critical and high-severity vulnerabilities have been patched in Cisco’s Unified Computing products, with a majority impacting the Integrated Management Controller.
- The critical vulnerabilities are identified as CVE-2019-1937, CVE-2019-1974, CVE-2019-1935 and CVE-2019-1938, and can be remotely exploited via specially crafted requests to allow attackers to gain administrative permissions on the target device.
Google and Mozilla block Kazakhstan government’s ability to intercept traffic
- Mozilla stated that, alongside Google, it has decided to ‘deploy a technical solution’ that will enable users in Kazakhstan to protect their online security and privacy.
- This comes after a decision made by the Kazakh government requiring people within the country to install a government-issued certificate on all devices in every browser in order to access the internet. The certificate allows the government to decrypt and intercept user traffic.
Number of Texas government entities hit by ransomware revised
- The number of Texas government entities hit by the ransomware attacks that started on August 16th, 2019, has been updated to 22 by the Texas Department of Information Resources, down one from the initial 23.
- A number of affected entities have also been named. These include Lubbock County, and the cities Borger, Kaufman, Keene, and Wilmer. The city of Wilmer is believed to be hit hardest, with the systems at its police department, water department and public library affected by the ransomware.
- It remains unclear which ransomware is involved in the attacks.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.