Silobreaker Daily Cyber Digest – 23 April 2019
PreAMo malware discovered on Google Play used in click fraud operation
- Check Point and BuzzFeed researchers discovered a series of applications on Google Play containing malware dubbed PreAMo and involved in click fraud.
- The malware was downloaded over 90 million times across six applications that have now been removed from the Play Store. PreAMo imitates users by clicking on banners retrieved from three ad agencies – Presage, Admob and Mopub.
Source (Includes IOCs)
New CryptoMix ransomware variant uses .DLL extension
- Bleeping Computer reported on a new CryptoMix variant that is installed via hacked remote desktop services. The ransomware appends the .DLL extension to encrypted files.
Malwarebytes discovers alternative malware formats in APT32 sample
- Malwarebytes discovered that a sample connected to APT32 used atypical executable formats. Malware authors use different formats to make detection by AV scanners more difficult and to slow down the analysis process, since researchers have to create custom loaders to analyse the samples.
- In this instance, the sample has two executables, BLOB and CAB, that are in the same unknown format. Malwarebytes’ report includes analysis of the sample’s origin, behaviour, custom formats, loader, and more.
Ongoing campaigns observed targeting government finance authorities
- Check Point researchers recently discovered a targeted attack against officials connected to government finance authorities and embassy representatives in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon.
- The attack begins with an email that contains a malicious XLSM attachment posing as a document named ‘Military Financing Program’. A malicious TeamViewer DLL is also loaded via DLL side-loading.
- Once macros are enabled, a legitimate AutoHotKeyU32[.]exe program and an AutoHotKeyU32[.]ahk script are extracted from hex-encoded cells within the XLSM document. The AHK scripts enable the attacker to take screenshots of the victim’s PC, steal usernames, computer information and login information, and send them all to the C&C server.
Source (Includes IOCs)
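The hex-encoded-cell technique above gives defenders a cheap triage check: an OOXML workbook is a zip file, so cell text can be read with the standard library and any long hex run that decodes to an MZ header can be flagged alongside the presence of a macro project. This is an added illustration, not code from the Check Point report; the 64-hex-character threshold and the constructed sample workbook (a header-only MZ stub, not a program) are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
HEX_RUN = re.compile(r"^[0-9A-Fa-f]{64,}$")   # 32+ bytes of pure hex; threshold is an assumption


def iter_cell_strings(xlsm_bytes):
    """Yield (sheet_path, cell_text) for every cell in every worksheet of an OOXML workbook."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            root = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(M + "t")) for si in root.iter(M + "si")]
        for name in z.namelist():
            if not name.startswith("xl/worksheets/sheet"):
                continue
            for c in ET.fromstring(z.read(name)).iter(M + "c"):
                v = c.find(M + "v")
                if c.get("t") == "s" and v is not None:        # shared-string reference
                    yield name, shared[int(v.text)]
                elif c.get("t") == "inlineStr":                 # inline string
                    yield name, "".join(t.text or "" for t in c.iter(M + "t"))
                elif v is not None and v.text:                  # number or cached formula result
                    yield name, v.text


def find_hex_payload_cells(xlsm_bytes):
    """Flag cells holding long hex runs and report whether they decode to a PE (MZ header)."""
    findings = []
    for sheet, text in iter_cell_strings(xlsm_bytes):
        s = text.strip()
        if not HEX_RUN.match(s) or len(s) % 2:
            continue
        blob = bytes.fromhex(s)
        kind = "PE executable (MZ header)" if blob.startswith(b"MZ") else "unknown bytes"
        findings.append({"sheet": sheet, "decoded_len": len(blob), "kind": kind})
    return findings


def has_vba_project(xlsm_bytes):
    """True when the workbook carries a macro project (xl/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        return "xl/vbaProject.bin" in z.namelist()


def build_sample_xlsm():
    """Constructed test workbook: a text cell, a hex cell holding an MZ header stub, and a number."""
    stub = (b"MZ" + b"\x00" * 62).hex()    # header-only placeholder, not a runnable program
    sheet = (f'<worksheet xmlns="{M[1:-1]}"><sheetData><row r="1">'
             '<c r="A1" t="inlineStr"><is><t>Military Financing Program</t></is></c>'
             f'<c r="B1" t="inlineStr"><is><t>{stub}</t></is></c>'
             '<c r="C1"><v>42</v></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/vbaProject.bin", b"placeholder")   # stands in for a real macro project
    return buf.getvalue()
```

A workbook that both carries a macro project and holds MZ-decoding hex cells is worth quarantining for analysis before anyone is allowed to enable macros.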
‘The HotList’ Instagram phishing scam steals account logins and passwords
- The scam pretends to be a list of pictures ranked on how ‘Hot’ users are but instead leads them to a fake Instagram login page that is used to steal their credentials.
- Users receive messages claiming their photos appeared on a ‘HotList’ and are provided with a link to an Instagram profile where they can access the alleged list. Through the profile they are lured into visiting the fake login page. Using the stolen credentials, the perpetrators log into users’ accounts and use them to send further phishing messages to other Instagram users.
- According to Bleeping Computer, the scam is based on the successful ‘The Nasty List’ scam reported last week.
Analysis of APT34 leaked source code published
- Marco Ramilli, a researcher at Yoroi, has analysed the leaked source code. It is comprised of three main folders, ‘webmask’, ‘poisonfrog’ and ‘WebShells_and_Panel’. The webmask script appears to be related to APT34’s DNS hijacking activity.
- He found that the script comes with a text file guide describing the setup of the ICAP proxy server, which is used to serve victims the real destination while trapping their connection. There are also multiple Python DNS server scripts that Ramilli goes on to analyse.
Fraudsters exploit Notre Dame cathedral fire
- ZeroFOX observed several different instances of cybercriminals exploiting the recent Notre Dame cathedral fire to conduct malicious activities.
- Cybercriminals were seen setting up fake crowdfunding sites, using hashtag hijacking to promote their services, or utilising fraudulent domains that impersonate Notre Dame fundraiser sites.
Coinbase informs users regarding Telegram scam
- Coinbase’s Matt Muller reported that scammers are attempting to use Telegram to run fraudulent schemes.
- In one of the scams, hackers impersonated Coinbase recruiters and executives and offered fake career opportunities, for which victims are encouraged to pay for training materials and mining hardware and to share their personal information. Scammers have also been advertising Coinbase giveaways on a daily basis.
- The Telegram Coinbase channel has over 7,250 subscribers; however, it has been reported that most of these users are bots. Coinbase has stated that it does not offer any support services through Telegram and does not have an official Telegram account.
New evidence suggests Wipro hackers targeted other companies worldwide
- According to evidence uncovered by KrebsOnSecurity, the perpetrators behind the attack on Wipro also targeted other IT companies such as Infosys and Cognizant. Other targets may include Elavon, Sears, Green Dot, Rackspace, Avanade, PCM, Capgemini, and others.
TA505 used RATs to target financial entities
- According to a new report by CyberInt, a Russian threat actor, tracked as TA505, used tRAT and ServHelper backdoors in recent campaigns against financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, as well as retailers in the US. The attacks occurred between December 2018 and February 2019.
Leaks and Breaches
Over 4.91 million records of rehab patients exposed by misconfigured Elasticsearch database
- Security researcher Justin Paine discovered a misconfigured Elasticsearch database that exposed personally identifiable information of individuals who had received medical treatment at Steps to Recovery, an addiction treatment centre in Pennsylvania.
- A total of approximately 1.45 GB of data, containing over 4.91 million records and related to over 146,000 patients was exposed from mid-2016 to late 2018. The data includes names, birthdates, past addresses, names of family members, political affiliation, phone numbers, emails, medical procedures received, date of medical procedures, billing sums, and locations at which the patient was treated.
Unsecured databases leak 60 million scraped LinkedIn records
- Security researcher Sanyam Jain discovered eight unsecured databases that leaked 60 million records of LinkedIn users’ information. The information was found to have been scraped from users’ public LinkedIn profiles.
Over 6.7 million records of Iranian drivers leaked via misconfigured database
- Security researcher Bob Diachenko discovered an open and publicly available MongoDB database containing sensitive information on Iranian drivers. The leaked data includes full names, Iranian ID numbers in plain text, phone numbers and invoice dates.
- It remains unknown who owned and managed the database, but Diachenko suspects either Snapp or TAP30, two major Iranian ride-hailing companies, is involved.
Lab Dookhtegan uses Telegram channel to dump information on APT34
- According to Bleeping Computer, Lab Dookhtegan hackers used a Telegram channel to dump information related to APT34’s infrastructure, hacking tools, members and victims.
- In their official statement, the hackers expressed their negative feelings towards the Iranian regime. They also released the names and phone numbers of some individuals working for the Iranian Ministry of Intelligence, as well as pictures, names, phone numbers, and email addresses of alleged APT34 members.
- Lab Dookhtegan also leaked the source code of six tools used by APT34 and details on their victims. The victims include Dubai Media Inc, Etihad Airways, Abu Dhabi Airports, Emirates National Oil, Lamprell Energy Ltd, Amiri Diwan of Kuwait, Oman Administrative Court, Emirates Prime Minister Office, and National Security Agency of Bahrain.
WiFi Finder app exposed 2 million passwords
- The app geolocates Wi-Fi hotspots and attempts to supply username and password details crowdsourced by thousands of users.
- Researchers at the GDI Foundation discovered a plain-text database of these username and password combinations, many of which were for residential Wi-Fi networks. The China-based app developers could not be contacted by researchers, but hosting provider DigitalOcean has removed the database.
Augusta City targeted in cyber attack
- The city was hit by a cyber attack last Thursday which resulted in the forced closure of Augusta City Center. The virus froze the city’s computer network and spread to laptops and other devices.
- The director of the IT department for the city and schools stated that the attack was targeted, but that no data was stolen during the incident. Servers are currently being restored, and reports state that the city’s networks will hopefully be up and running at some point today after being inaccessible since Thursday morning.
Hacktivists target UK police sites after arrest of Julian Assange
- A hacker known as ‘CyberGhost404’ on Twitter, and an alleged member of the Philippine Cyber Eagles, released a large amount of data connected to two dozen police agencies across the UK. The origin of the data remains unknown.
- The data was leaked in compressed zip files that contained various spreadsheets and Excel documents from several police officers and branches across the UK, including information such as local records, press releases and ongoing court cases.
- The data breach was carried out under the hashtags #OpAssange and #OpUK. So far, attacks have targeted Barnsley News Council, the Council of Mid & East Antrim, Bolton Town Council, Rydale Town District, Council of East Riding and Yorkshire, and the London Datastore. A list of future targets has also been released.
Bodybuilding[.]com suffers security breach
- The website suffered a security breach in February 2019 as the result of a phishing email distributed in July 2018. Bodybuilding[.]com stated that they cannot rule out that personal information was accessed, but payment cards are not affected as the website does not store full card numbers.
- The website has reset all users’ passwords, to take effect when they next try to log in, and has issued an alert regarding the incident.
EmCare Inc suffers data breach
- EmCare Inc suffered a data breach after several employee accounts were accessed by a third party. It is estimated that over 60,000 individuals have had their information compromised. Exposed data includes names, dates of birth and clinical information. No evidence has been found to suggest the exposed data has been used.
Partners for Quality suffers data breach
- Partners for Quality Inc (PFQ) has published a Notice of Security Incident on its corporate website, stating that in February it became aware of unusual activity on certain employee email accounts. It was determined that they were accessed by an unknown third party during the first two months of 2019. Data that may have been breached includes client and employee names, dates of birth, Social Security numbers and medical information.
- PFQ is investigating the incident alongside law enforcement, and affected individuals are being contacted.
Flaw in endpoint exposes Shopify transaction information
- Researcher Ayoub Fathi discovered a vulnerable API endpoint that could be used to expose the revenue data of thousands of Shopify stores.
- Out of over 800,000 store names tested, 8,700 were found to be both vulnerable and to have their private data unintentionally accessible. Shopify has resolved the issue but did not award a bounty, on the grounds that testing vulnerabilities against merchant stores is against participation rules.
Flawed Nokia 9 update allows bypass of fingerprint scanner
- An update for Nokia 9 PureView handsets intended to improve the fingerprint scanner instead allows the phone to be unlocked with objects including packets of chewing gum.
- The fingerprint scanner had a high false-positive rate before the v4.22 update, so a roll-back will have only limited effect.
Vulnerability discovered in Tchap application
- Tchap is an Android-based chat application used by French government employees as an internal secure communication channel. Security researcher Baptiste Robert managed to gain access to internal ‘public’ discussion channels and information about employees at multiple French ministries.
- Robert notified the French government, who subsequently contacted DINSIC. A patch was deployed within three hours, fixing the security hole. A bug bounty program has since been announced, allowing the current beta version to be continuously improved.
Vulnerability discovered in WordPress plugin
- A vulnerability, tracked as CVE-2019-9978, has been discovered in Social Warfare, a WordPress plugin that adds social buttons to WordPress websites. The vulnerability consists of two flaws: a remote code execution issue and a cross-site scripting flaw.
- It is estimated that 42,000 websites are vulnerable until they update to 3.5.3, the latest patched release. An attacker is able to run PHP code and control the website and the server with no authentication.
Vulnerability discovered in jQuery
- The vulnerability has been patched in jQuery v3.4.0 and it is recommended that all developers update their projects to this version.
Mueller investigation hindered by data loss
- Among other details pertaining to Russian interference in the 2016 Presidential election, it was discovered that some of the individuals interviewed, including those associated with the Trump campaign, had deleted relevant communications or communicated using encrypted applications.
- The report noted that there was insufficient evidence to conclude that a crime had been committed in relation to the US election.
- In addition, the report also confirmed that at least one county in Florida was hacked by Russian Intelligence Services (GRU), who sent spear-phishing emails to over 120 email accounts used by the county officials responsible for administering the election.
‘Codeshop’ operator sentenced to 90 months’ imprisonment
- Djevair Ametovski, a Macedonian citizen, was sentenced after admitting to access device fraud and aggravated identity theft while running Codeshop, a site created to sell stolen card data, bank credentials, and PII.
- Ametovski was arrested in Slovenia in 2014 before being extradited to the US in May 2016. He ran Codeshop from August 2010 to January 2014 with help from associates.
Carbanak malware source code discovered on VirusTotal
- FireEye researcher Nick Carr found the source code for Carbanak malware in two archives, which also included a variety of unknown plugins.
- A full analysis of the source code is being published on FireEye’s blog on a weekly basis.
MD Anderson Cancer Centre ousts scientists based on links to Chinese espionage
- Federal authorities identified five scientists as being involved in Chinese efforts to steal American research. The faculty members had unreported foreign income and conflicts of interest.
- Three of the five have been dismissed, with one challenging the dismissal. All three are ethnically Chinese.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.