Silobreaker Daily Cyber Digest – 22 November 2018
Saudi dissident Ghanem Almasarir targeted with Israeli Pegasus spyware
- Forbes has reported that London-based YouTube comic Almasarir discovered NSO Group’s Pegasus spyware on his iPhone, likely planted by the Saudi regime.
- Pegasus is able to access private information on a targeted device, including WhatsApp chats and emails. The malware is also capable of spying on device users via their smartphone’s camera and microphone.
New Mirai variant targets vulnerable Linux servers
- NetScout researchers discovered a new variant of Mirai trojan targeting a Hadoop YARN vulnerability in Linux servers. This demonstrates a shift from previous Mirai campaigns that were aimed at IoT devices and relied on bots for propagation.
- The Hadoop YARN flaw is a command injection vulnerability that can allow an attacker to remotely execute arbitrary shell commands on a vulnerable server.
- Upon infection, the malware behaves similarly to previous Mirai cases and begins brute-forcing telnet usernames and passwords. However, the researchers note that Linux servers provide the attackers with greater hardware resources and better network speed compared to IoT bots.
Trickbot contains a new module aimed at POS
- Trend Micro researchers discovered that a POS module was recently added to Trickbot malware. The POS feature scans the infected device to determine whether it is connected to a network that supports POS services and machines.
- The full capabilities and intentions of the added module remain unknown: the researchers found that although the attackers successfully infiltrated a network with POS services, they did not steal specific data such as payment information. However, the researchers warn that the perpetrators are likely preparing for a future attack.
Source (Includes IOC)
Researchers discover L0rdix malware
- EnSilo researchers discovered a new ‘multipurpose attack tool’ named L0rdix. The malware has been circulating on underground hacker forums and is aimed at Microsoft Windows PCs.
- L0rdix combines information-stealing and cryptomining features with other capabilities, such as maintaining persistence by copying itself to a number of locations on the infected system, or functioning as part of a botnet.
- The malware has also been structured in a way that allows new modules to be added in the future, leading enSilo to predict that more sophisticated versions of L0rdix are likely to emerge.
Source (Includes IOCs)
Researchers detect malicious Google Docs campaign
- Fortinet researchers have reported on a new ongoing malware campaign targeting Google Documents. They uncovered that threat actors have inserted thousands of files containing malicious links all over the service.
- According to the researchers, the links triggered a long chain of redirects inside a malicious network. Users were redirected based on their IP address and their user agent. It is believed that the current goal of the operation is to ‘abuse referral programs of legitimate applications.’
- The criminals behind the campaign are suspected to be Russian speakers, possibly located in Ukraine. The operation was found to target all major platforms, including Windows, Android and macOS.
Source (Includes IOCs)
FindMyName campaign distributes updated version of AZORult
- Unit 42 researchers identified a new ongoing campaign distributing a new version of AZORult Stealer as a primary payload through the Fallout Exploit Kit. The campaign was discovered on October 20th, 2018, and was dubbed ‘FindMyName’ based on the exploit page being hosted on findmyname[.]pw.
- The exploit code targeted an IE VBScript vulnerability, tracked as CVE-2018-8174, that was patched in August 2018.
- According to the researchers, this is the first time AZORult is being delivered as a primary payload. This new version also has upgraded features that allow it to target a wider range of software and cryptocurrency wallets.
Source (Includes IOCs)
Leaks and Breaches
Amazon customers’ names and email addresses disclosed via website error
- Amazon customers were informed on Wednesday that a technical error had caused the site to disclose their names and email addresses. The issue has reportedly been fixed, however, to date, Amazon has failed to report on any further details of the leak.
Adult furry erotica site High Tail Hall suffers data breach
- 411,755 people’s data, including email addresses, names and order histories, were exposed.
USPS inadvertently exposed 60 million users’ account details
- KrebsOnSecurity reported that the US Postal Service had an authentication weakness in its API. The vulnerability exposed real-time commercial package and mail data, and allowed any logged-in user of usps[.]com to view the account details of other users.
- Personal data exposed included email addresses, usernames, user ID, account numbers, street addresses, phone numbers and more. The issue has been resolved.
Rowhammer bitflips can bypass ECC protections
- The newly reported Rowhammer attack, dubbed ECCploit, bypasses the ECC protections built into widely used models of DDR3 chips. Recent research by the Vrije Universiteit Amsterdam has shown that the ECC protections added to higher-end memory chips to guard against bitflips no longer provide that guarantee on DDR3 chips.
- The researchers have not demonstrated that ECCploit works against the newer types of memory chip, DDR4, used by higher-end cloud services, nor that it can penetrate hypervisors or secondary Rowhammer defences. The bypassing of ECC, however, still represents a significant discovery and suggests that Rowhammer continues to adapt and pose a threat.
Security test for Dropbox reveals three Apple zero-day vulnerabilities
- Dropbox hired security firm Syndis to perform a cyber-attack simulation on their services to test how well their systems could detect and track a successful breach. During the test, Syndis discovered three zero-day vulnerabilities that could allow an attacker to remotely execute commands on a vulnerable macOS computer, by visiting a malicious website.
- The first, tracked as CVE-2017-13890, is in the macOS CoreTypes.bundle, and can be leveraged by opening a malicious web page, resulting in the mounting of a disk image on a macOS computer. CVE-2018-4176 is a flaw in how disk images are mounted to macOS, which could be exploited to cause a folder to open when the volume is mounted.
- Lastly, CVE-2018-4175 is a Gatekeeper bypass in LaunchServices. Syndis chained these three flaws together into a two-stage exploit that could achieve arbitrary code execution for a user who visits a specially crafted web page with Safari.
Flawed authentication process in German eID cards could allow identity spoofing
- Identity cards issued since 2010 carry a radio frequency identification (RFID) chip that stores information about the holder. Researcher Wolfgang Ettlinger was able to bypass the protections provided by the authentication server and cause the web application to accept altered data.
- The flaw lies in the Governikus Autent SDK, a software that enables companies to add the ID card authentication feature to a web service. Ettlinger was able to manipulate the response from the server without breaking the seal of trust given by the digital signature.
- He provided the web app with a reply containing a valid signature from the authentication server and then delivered a manipulated response containing altered ID card details. This method allowed him to authenticate with an arbitrary name against a demo version of the eID client.
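The flaw class described above, a relying party that verifies the signature on one response but reads identity attributes from another, as an added illustration that is not part of the digest or of the Governikus SDK; the HMAC key, message format and names are constructed stand-ins for the real server's digital signature, and the hardened function shows the defender's fix: read attributes only from the exact bytes that were verified.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed stand-in for the authentication server's signing key. The real
# eID server uses an asymmetric digital signature; HMAC-SHA256 only models it.
SERVER_KEY = b"constructed-demo-key"


def server_sign(attributes: dict) -> dict:
    """Model of the authentication server: return a signed response."""
    body = json.dumps(attributes, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def _verify(resp: dict) -> bool:
    """Check that resp['sig'] is a valid signature over resp['body']."""
    expected = hmac.new(SERVER_KEY, resp["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["sig"])


def vulnerable_login(responses: list) -> Optional[str]:
    """Flawed pattern: accept if ANY delivered response carries a valid
    signature, then read the identity from the LAST response delivered."""
    if not any(_verify(r) for r in responses):
        return None
    return json.loads(responses[-1]["body"])["name"]


def hardened_login(responses: list) -> Optional[str]:
    """Correct pattern: exactly one response is accepted, and the identity is
    read from the very bytes whose signature was just verified."""
    if len(responses) != 1 or not _verify(responses[0]):
        return None
    return json.loads(responses[0]["body"])["name"]


def demo():
    # Constructed data: one genuine signed response plus one unsigned reply
    # carrying a different name, delivered together to the web application.
    genuine = server_sign({"name": "Erika Mustermann"})
    altered = {"body": json.dumps({"name": "Arbitrary Name"}).encode(), "sig": "00"}
    return vulnerable_login([genuine, altered]), hardened_login([genuine, altered])
```

Running `demo()` shows the vulnerable verifier logging in "Arbitrary Name" while the hardened one rejects the pair outright; a single genuine response still passes the hardened check.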
Zscaler researchers release new report on recent phishing campaigns
- The report found that Microsoft, Facebook and PayPal are amongst the most targeted brands in phishing attacks.
- 65% of the campaigns the researchers studied over the last three months delivered content over HTTP, compared to 35% delivering content over HTTPS.
- Other findings were that threat actors are disabling right-click functionality to prevent users from checking the page source, asking users to send scans of their ID documents in order to steal the information contained in the image, and using homograph techniques to construct fake URLs.
China reportedly increases spying on Australian business
- A Fairfax Media/Nine News investigation has revealed that China’s Ministry of State Security is reportedly responsible for a surge in cyber attacks against Australian companies over the past year, believed to be part of ‘Operation Cloud Hopper’.
- The Chinese hackers allegedly penetrated poorly secured IT service providers that were responsible for the outsourced IT of Australian firms, allowing the threat actors to enter the companies’ IT systems.
- The campaign ramped up in the first six months of this year, and remains ongoing, targeted at mining, engineering and professional service companies. This attempt at the theft of intellectual property breaches an agreement that was made between Premier Li Keqiang and the former Australian Prime Minister Malcolm Turnbull, to not steal the other country’s intellectual property.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.