Silobreaker Daily Cyber Digest – 22 November 2019
New malware discovered using ‘Port Monitors’ technique
- ESET researchers have detected a new malware, dubbed DePriMon, that maintains persistence by registering itself as a local port monitor under the name ‘Windows Default Print Monitor’. Port monitor DLLs are loaded by the Windows print spooler service at start-up, so the malware is reloaded on every boot. According to the researchers, this may be the first documented malware using the ‘Port Monitors’ technique.
- DePriMon has been active since at least March 2017. The researchers believe the campaign is region-specific, as some of the domains used for its C2 contain Arabic words. Its C2 communication is well protected by a proper implementation of encryption.
- The initial infection vector and final payload remain unclear. DePriMon’s purpose is to download and execute a payload and to collect information about the targeted system; it is downloaded directly into memory and executed as a DLL. In some cases the malware was found on devices also infected with ColoredLambert, a malware linked to The Lamberts (also known as Longhorn).
Source (Includes IOCs)
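A quick check for this persistence mechanism, as an added example (this is not ESET's code): port monitors are registered as subkeys of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, each with a Driver value naming the DLL the spooler loads. The script compares those entries against a baseline of well-known Microsoft monitors and flags unknown names or drivers given as explicit paths. The baseline list, the sample entries and the DLL names in them are assumptions for illustration; tune the list to your Windows builds before relying on it.

```python
"""Added example (not ESET's code): flag non-standard Windows port monitors.

Port monitor DLLs live under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\<name>\\Driver and are
loaded by the print spooler, so a rogue entry such as DePriMon's
'Windows Default Print Monitor' survives reboots. KNOWN_MONITORS is an
assumed starting baseline; names and DLLs vary by Windows version.
"""
import platform
from typing import Dict, List, Tuple

# Assumed baseline of built-in monitors (monitor name -> driver DLL, lowercase).
KNOWN_MONITORS: Dict[str, str] = {
    "local port": "localspl.dll",
    "standard tcp/ip port": "tcpmon.dll",
    "usb monitor": "usbmon.dll",
    "wsd port": "wsdmon.dll",
    "lpr port": "lprmon.dll",
}


def find_suspicious_monitors(entries: List[Tuple[str, str]]) -> List[dict]:
    """Return entries whose name is unknown, whose DLL differs from the
    baseline, or whose Driver value is an explicit path.

    entries: (monitor name, Driver value) pairs as read from the registry.
    """
    findings = []
    for name, driver in entries:
        reasons = []
        expected = KNOWN_MONITORS.get(name.strip().lower())
        if expected is None:
            reasons.append("monitor name not in baseline")
        elif driver.strip().lower() != expected:
            reasons.append(f"driver {driver!r} differs from baseline {expected!r}")
        if "\\" in driver or "/" in driver:
            # Built-in monitors use a bare DLL name resolved from System32;
            # an explicit path is unusual and worth a look.
            reasons.append("driver value contains a path")
        if reasons:
            findings.append({"monitor": name, "driver": driver, "reasons": reasons})
    return findings


def collect_port_monitors() -> List[Tuple[str, str]]:
    """Read the live Monitors key (Windows only; returns [] elsewhere)."""
    if platform.system() != "Windows":
        return []
    import winreg  # only importable on Windows
    path = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    driver, _ = winreg.QueryValueEx(sub, "Driver")
            except OSError:
                driver = ""
            entries.append((name, str(driver)))
    return entries


# Constructed sample: three clean entries, one DePriMon-style name with a
# hypothetical DLL, and one baseline name hijacked with a user-writable path.
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("Local Port", "localspl.dll"),
    ("Standard TCP/IP Port", "tcpmon.dll"),
    ("USB Monitor", "usbmon.dll"),
    ("Windows Default Print Monitor", "printmon.dll"),        # hypothetical DLL name
    ("LPR Port", "C:\\Users\\Public\\lprmon.dll"),            # hypothetical hijack
]

if __name__ == "__main__":
    live = collect_port_monitors()
    for finding in find_suspicious_monitors(live or SAMPLE_ENTRIES):
        print(finding)
```

On a Windows host the script reads the live key; elsewhere it runs over the constructed sample. A hit is a lead, not a verdict: confirm the DLL's signature, path and creation time before acting.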
New remote access malware SectopRAT uses second desktop to control browsers
- G Data analysts reported on a new .NET-based remote access malware, dubbed SectopRAT, initially discovered by MalwareHunterTeam on November 15th, 2019.
- SectopRAT creates a second desktop on the infected computer that is invisible to the system’s user and permits the attacker to browse the internet from the infected machine.
- According to the analysts, the malware still looks unfinished and ‘hastily done’, despite its use in the wild. However, they claim it is possible these first samples are used merely for testing purposes and new versions may emerge in the future.
Source (Includes IOCs)
Web skimmer masquerades as payment service platform to steal credit card information
- While tracking a threat actor that registers domains for skimming and phishing campaigns, Malwarebytes Lab researchers detected a new attack scheme in which the perpetrators trick victims into thinking they are using a payment service platform.
- According to the researchers, the skimmer initially resembles a phishing page copied from the official CommWeb site, a payment acceptance service of the Commonwealth Bank of Australia. However, it is not a login page that phishes for credentials but a fake payment gateway, made specifically for an Australian store running PrestaShop.
Source (Includes IOCs)
FBI reports that hackers are targeting US auto industry
- According to an FBI bulletin, hackers have been targeting the US automotive industry since at least 2018. Successful attacks have led to ransomware infections, data breaches resulting in the exfiltration of personally identifiable information, and unauthorized access to enterprise networks.
- The FBI stated that attacks are likely to continue as the ‘vast amount of data collected by Internet-connected vehicles and autonomous vehicles become a highly valued target for nation-state and financially motivated actors.’
Raccoon Stealer malware targets financial organisation
- Cofense researchers reported on the latest campaign by Raccoon Stealer that targeted an undisclosed financial organisation. The campaign began with an email, purporting to be a wire transfer, that was able to bypass Symantec Email Security and Microsoft EOP gateways. The email included a Dropbox URL that, once clicked, downloaded the malicious file.
- According to the researchers, Raccoon Stealer is a relatively new malware, first spotted in April 2019. It is sold on underground forums in both Russian and English and offers an easy-to-use interface, 24-hour customer support and highly active development.
Source (Includes IOCs)
Leaks and Breaches
Maze ransomware attackers leak stolen data from security firm Allied Universal
- On November 15th, 2019, Bleeping Computer were contacted by the perpetrators behind Maze ransomware, who claimed that they had breached Allied Universal.
- The attackers stated they were demanding approximately $2.3 million in bitcoin in return for decrypting the firm’s network. After Allied Universal missed the deadline for the ransom payment, the perpetrators published 700MB of stolen data and files. This allegedly only represents about 10% of all data stolen from the company.
- The files related to termination agreements, contracts, medical records, server directory listings, encryption certificates, and exported lists of users from the company’s Active Directory servers. The attackers are now threatening to release the remaining 90% of the data if no ransom payment is made.
T-Mobile reports data breach affecting prepaid customers
- According to the company’s statement, the account information of an undisclosed number of customers using their prepaid services was accessed by an unauthorized third party.
- The breached data includes names, billing addresses, phone numbers, account numbers, and rate plans and features.
- T-Mobile stated that no financial data, including credit card information, or Social Security numbers was breached, and no passwords were compromised.
Payment solutions firm Edenred discloses malware incident
- The company stated that the malware incident affected its information technology systems. The malware strain remains unknown. Edenred is still investigating the full extent of the attack.
WeWork exposes customer data on GitHub
- Contracts between WeWork and its customers were freely accessible via a WeWork developer’s GitHub profile. The profile contained a script with URLs to PDF files of these contracts that were hosted on unprotected Amazon servers. A web portal related to WeWork in India was also found to be leaking data. The GitHub repository and domain have since been secured.
- The data leak affects a number of customers in India, China, and Europe. The data also included membership agreements with cybersecurity companies such as Palo Alto Networks and Tenable. Exposed information included names, phone numbers, addresses, email addresses and other personal information. In some cases, bank account information was also exposed.
Saint Francis Medical Center fails to restore all files following ransomware attack
- Ferguson Medical Group, recently acquired by Saint Francis Medical Center, was hit by a ransomware attack on September 20th, 2019, encrypting all medical records prior to January 1st, 2019.
- In a notice, Saint Francis stated the demanded ransom was not paid. Instead, files were restored from backups. However, Saint Francis was unable to restore records from between September 20th, 2018 and December 31st, 2018, as well as any scanned documentation.
- Free credit monitoring services are offered to affected patients. However, Saint Francis does not believe any patient data was exposed to third parties during the incident.
Microsoft patches spoofing vulnerability in Outlook for Android
- The flaw, tracked as CVE-2019-1460, permits attackers to create specially crafted emails that could launch scripts on the device in the security context of the user.
- The vulnerability is patched in Microsoft Outlook for Android version 4.0.65.
Vulnerabilities found in SatLink VSAT modems
- Trustwave researchers discovered a flaw, tracked as CVE-2019-15652, affecting SatLink 2000, SatLink 2900 and SatLink 2910 modems running the VMU software versions prior to 18.1.0. The flaw is a reflected cross-site scripting vulnerability that could permit the injection of arbitrary client-side code.
- The second issue discovered is that the devices only supported insecure protocols such as HTTP and Telnet. According to the researchers, ‘these cleartext protocols could permit attackers to sniff for credentials or other sensitive information over the wire, insert unintended data, or hijack entire management sessions.’ Both issues have now been fixed.
Known vulnerabilities still found in hundreds of Android apps
- Check Point researchers found that many Android apps continue to contain long-known vulnerabilities. This is due to many apps utilising reusable components, called native libraries, from open-source projects. When the relevant vulnerabilities are fixed in an open-source project, they are not necessarily fixed in apps using these native libraries.
- The researchers looked at three known critical vulnerabilities, tracked as CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062, and found them present in hundreds of Android apps, including Yahoo Browser, Facebook, Instagram and WeChat.
Tenda AC9 router vulnerable to command injection
- Cisco Talos discovered a command injection vulnerability in the Tenda AC9 Router AC1200. The flaw, tracked as CVE-2019-5071 and CVE-2019-5072, could allow an attacker to inject and execute arbitrary commands on the router. No patch is available to date.
Two remote code execution flaws found in Xcftools
- Two remote code execution vulnerabilities were found in the ‘flattenIncrementally’ function of Xcftools version 1.0.7, which is used for handling GIMP’s XCF files. The flaws, tracked as CVE-2019-5086 and CVE-2019-5087, could be exploited by tricking users into opening specially crafted XCF files. No patch is available at present.
New technique bypasses ransomware protection
- Nyotron’s research team discovered a new technique that enables threat actors to change files, potentially allowing them to bypass security solutions. The technique, dubbed RIPlace, makes use of the Rename operation for file replacement.
- According to Nyotron, only one vendor has addressed the issue since its disclosure, while others ‘seem to view RIPlace as a non-issue because it has not yet been seen in the wild.’
- Microsoft has stated that this technique is not considered a vulnerability, as ‘controlled folder access is a defense-in-depth feature’ and the technique requires elevated permissions to be carried out.
Analytics companies spotted using new technique to track users
- The developer of uBlock Origin discovered a new technique that is being used to track users’ web browsers and that seems to bypass typical blocking techniques. It has been spotted in use by several marketing analytics companies, such as Eulerian, Wizaly and Criteo, to profile users as they browse the web.
- The technique relies on DNS delegation: a CNAME record on a subdomain of the visited site points to the tracker’s domain, making a third-party tracker appear to be first-party. Because the browser only sees the first-party hostname, blockers that match on the requested hostname let the tracker through.
- A fix for Firefox users has been deployed in uBlock Origin, which reveals the tracking by resolving hostnames through the browser’s DNS API. According to developer Raymond Hill, no fix for Chrome will currently be made available, as Chrome does not have a DNS API that could easily detect it. Apple has proposed a ‘privacy-preserving ad click attribution scheme’ for Safari.
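The check behind that fix, as an added example that is not uBlock Origin's code: resolve the requested hostname's CNAME chain and judge the canonical name rather than the name the page asked for. The record set, the tracker list and the hostnames are constructed so the example runs offline; the two-label rule for the registrable domain is a simplification (real code should use the Public Suffix List), and a live check would swap in an actual resolver.

```python
"""Added example (not uBlock Origin's code): detect CNAME-cloaked trackers.

A site can delegate e.g. f7ds.example-shop.test to a tracker via a CNAME
record; the browser sees a first-party host and blockers keyed on the
requested hostname let it through. Judging the canonical name instead
exposes the delegation. All hostnames, records and tracker domains below are
constructed for illustration.
"""
from typing import Callable, Dict, List, Optional

# Constructed records: hostname -> CNAME target (chains are followed).
SAMPLE_CNAMES: Dict[str, str] = {
    "f7ds.example-shop.test": "example-shop.tracker-a.test",   # hypothetical delegation
    "example-shop.tracker-a.test": "edge.tracker-a.test",
    "cdn.example-shop.test": "d1.example-cdn.test",            # benign third-party CDN
}

# Assumed blocklist of tracker registrable domains (hypothetical names).
TRACKER_DOMAINS = {"tracker-a.test", "tracker-b.test"}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels (assumption; a PSL is needed for e.g. co.uk)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolve_cname_chain(host: str, lookup: Callable[[str], Optional[str]],
                        max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from host: returns [host, alias1, ..., canonical].

    Bounded by max_hops and stops on loops, so hostile records cannot hang it.
    """
    chain = [host.lower()]
    for _ in range(max_hops):
        target = lookup(chain[-1])
        if not target:
            break
        target = target.lower()
        if target in chain:
            break  # CNAME loop
        chain.append(target)
    return chain


def classify_request(page_host: str, request_host: str,
                     lookup: Callable[[str], Optional[str]] = SAMPLE_CNAMES.get) -> dict:
    """Decide whether a request that looks first-party is really a delegated third party."""
    chain = resolve_cname_chain(request_host, lookup)
    canonical = chain[-1]
    page_party = registrable_domain(page_host)
    looks_first_party = registrable_domain(request_host) == page_party
    canonical_party = registrable_domain(canonical)
    return {
        "request": request_host,
        "canonical": canonical,
        "chain": chain,
        # first-party by name, third-party by canonical name: the cloaking case
        "cloaked_third_party": looks_first_party and canonical_party != page_party,
        # blocking still needs a list: a CNAME to a CDN is not a tracker
        "block": canonical_party in TRACKER_DOMAINS,
    }


if __name__ == "__main__":
    for host in ("f7ds.example-shop.test", "cdn.example-shop.test", "www.example-shop.test"):
        print(classify_request("www.example-shop.test", host))
```

The CDN case is included deliberately: a CNAME to another party is common and benign, so the canonical name is what gets matched against a blocklist, not the mere presence of delegation.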
Researchers report that Sandworm hackers targeted Android phones
- Speaking at the CyberwarCon conference, Google researchers stated that Sandworm has been attempting to infect large numbers of Android phones with rogue apps since late 2017.
- In December 2017, the researchers spotted the threat actor creating malicious versions of Korean-language Android apps and adding them to the Google Play Store. This led them to find that the same malicious code was used two months earlier in a malicious version of a Ukrainian mail app. In November 2018, Sandworm were spotted targeting mainly Ukrainian Android developers with phishing emails and attachments containing malware. The researchers concluded that Sandworm appears to be mainly fixated on Ukraine.
- The researchers also claimed that both APT28 and Sandworm were involved in an attack on Emmanuel Macron during the French elections in 2017.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.