Silobreaker Daily Cyber Digest – 24 January 2019
Russian language malspam distributing Redaman banking malware
- Palo Alto Networks Unit 42 observed Redaman being distributed in mass Russian-language malspam campaigns since September 2018. The malspam emails all use a common theme that includes a document regarding a financial issue that the recipient must reportedly resolve. The targets of the emails are primarily Russian.
Source (Includes IOCs)
Trend Micro release analysis of Emotet’s multilayer operating mechanisms
- Trend Micro researchers found that Emotet’s infrastructure for creating and distributing document droppers differs from that of packing and deploying its executables. Moreover, they found that unlike common malware packers ‘that wipe or forge compilation timestamps in the packed samples, Emotet uses a packer that still shows some possible legitimate timestamps from its artefacts’.
- In their blog post, the research team also provide a link to an accompanying research paper that provides further details on Emotet’s activities, operational models, technical details on its infection chains and binaries, and potential threat actor attribution.
Source (Includes IOCs)
New ransomware targeting Bitcoin mining rigs in China
- A ransomware dubbed hANT was observed targeting Chinese Antminer S9 and T9 rigs in January 2019. hANT has also infected Antminer L3 rigs, which are used for mining Litecoin rather than Bitcoin.
- hANT infects the mining equipment, locking it so that it can no longer mine cryptocurrency. Victims are given the choice of paying $36,000 worth of Bitcoin in ransom, or downloading a malicious firmware update in order to infect other mining rigs with the ransomware.
Virgin Media support scammers inadvertently disclose IP address to security researcher
- Andrew Mabbitt from Fidus Information Security reported on a scam in which fraudsters disguised themselves as Virgin Media support agents to phish for payment card details.
- Following a complaint Mabbitt made on Twitter to the official Virgin Media account, he received a private message from a fake Virgin Media account asking him to provide his full name and address and, eventually, his full card number, expiry date, CVV and cardholder name.
- Mabbitt decided to ‘play along’ with the scam, ultimately luring the fraudsters into clicking on a URL that led to the disclosure of their IP address.
Adware campaign targets Mac users leveraging steganography to spread Shlayer trojan
- According to the researchers’ blog post, once a Mac user clicks on a malicious ad, their device is infected with the Shlayer trojan disguised as a Flash upgrade. Apart from functioning as a trojan, Shlayer also acts as a dropper for additional payloads, most notably adware.
- So far, the researchers detected 191,970 malicious ads and estimate that around 1 million users have been affected.
Source (Includes IOCs)
Pear[.]php[.]net shuts down after discovery of supply chain attack
- Officials of the PHP Extension and Application Repository (PEAR) have shut down most of their website after discovering that attackers had replaced the main package manager with a malicious one.
- Officials urge anyone who has downloaded go-pear[.]phar in the last six months to compare its file hash with that of the legitimate copy of the same release version to check whether they have the infected file.
- Results from VirusTotal suggest that the malicious PEAR download also installed a backdoor, possibly in the form of a web shell, on infected servers. The backdoor would give attackers complete control, including the ability to install applications, execute malicious code and download sensitive data.
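As an added example (not code from PEAR or from the article), a Python check implementing the comparison PEAR recommends: the downloaded archive is hashed and compared with a table of known-good SHA-256 digests keyed by release version. The table, file contents and hashes below are constructed for illustration, not the real PEAR values.

```python
import hashlib
import hmac
from typing import Dict

def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large archives are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_reference(trusted_copies: Dict[str, bytes]) -> Dict[str, str]:
    """Hash legitimate copies once; keep only version -> digest."""
    return {ver: sha256_hex(blob) for ver, blob in trusted_copies.items()}

def verify_artifact(data: bytes, version: str, reference: Dict[str, str]) -> str:
    """Classify a downloaded artifact against the reference for its version.

    Returns 'match', 'MISMATCH' or 'unknown-version'. A version with no
    reference hash is reported separately so it is not silently trusted.
    """
    expected = reference.get(version)
    if expected is None:
        return "unknown-version"
    # compare_digest is constant-time; cheap hygiene for any hash comparison.
    return "match" if hmac.compare_digest(sha256_hex(data), expected) else "MISMATCH"

# Constructed stand-ins (NOT real PEAR files or hashes): a 'legitimate'
# archive and a tampered copy that differs by a single appended byte.
LEGIT_1_10_10 = b"<?php /* constructed stand-in for go-pear.phar 1.10.10 */ __HALT_COMPILER();"
TAMPERED = LEGIT_1_10_10 + b"\x00"
REFERENCE = build_reference({"1.10.10": LEGIT_1_10_10})

if __name__ == "__main__":
    for label, blob, ver in (("clean", LEGIT_1_10_10, "1.10.10"),
                             ("tampered", TAMPERED, "1.10.10"),
                             ("unlisted", LEGIT_1_10_10, "1.10.9")):
        print(f"{label:9s} {ver}: {verify_artifact(blob, ver, REFERENCE)}")
```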
Voicemail phishing campaign uses EML attachments to steal victims’ credentials
- Security firm EdgeWave reported on an email phishing campaign that uses EML attachments purporting to be voicemail received through RingCentral.
- Victims are sent emails with subjects such as ‘Voice:Message’, ‘Voice Delivery Report’ or ‘PBX Message’. Once they click the malicious EML attachment, they are redirected to a fake Microsoft account login page and are prompted to enter their credentials. Upon entering their password for the first time, victims are told the password is incorrect and asked to re-enter it.
- According to EdgeWave, this is likely done by the perpetrators to double-verify the victim’s password. After entering the password for the second time, victims are redirected to a generic MP3 voicemail recording.
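As an added example (not EdgeWave's code), a small Python triage check for the two traits the report describes: the voicemail-themed subject lines and a nested .eml attachment. The sample messages are constructed inline with the standard library; no real campaign artefacts are used.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List

# Subject lures quoted in the report, matched case-insensitively.
SUBJECT_LURES = re.compile(r"^\s*(voice:\s*message|voice delivery report|pbx message)\s*$", re.I)

def has_eml_attachment(msg: EmailMessage) -> bool:
    """True if any attachment is a nested .eml / message/rfc822 part."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".eml") or part.get_content_type() == "message/rfc822":
            return True
    return False

def score_message(raw: bytes) -> List[str]:
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_LURES.match(msg.get("Subject", "")):
        hits.append("voicemail-subject-lure")
    if has_eml_attachment(msg):
        hits.append("eml-attachment")
    return hits

def build_sample(subject: str, with_eml: bool) -> bytes:
    """Constructed test message; addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "voicemail@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("You have a new voice message.")
    if with_eml:
        inner = EmailMessage()
        inner["Subject"] = "Play voicemail"
        inner.set_content("Open the attachment to listen.")
        msg.add_attachment(inner.as_bytes(), maintype="application",
                           subtype="octet-stream", filename="VoiceMessage.eml")
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, eml in (("Voice:Message", True), ("PBX Message", False), ("Lunch?", False)):
        print(f"{subj!r}: {score_message(build_sample(subj, eml))}")
```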
Jigsaw Ransomware scam returns
- Jigsaw ransomware encrypts victims’ files and continues to delete them at an increasing rate until a Bitcoin payment is confirmed against the Bitcoin blockchain.
- This latest campaign has been observed using scam emails stating that a threat actor has compromised the victim’s financial accounts. The emails then attempt to trick the victim into clicking on a link disguised as a stolen bank statement.
- The link is shortened to evade detection and sends the user to the payload server, where the malware is downloaded under the filename ‘Statement[.]pdf[.]msi’.
- The ransomware demands $400 worth of Bitcoin as payment for the decryption of files.
Source (Includes IOCs)
Lokibot campaign discovered propagating via malspam emails
- The emails pose as delivery notifications from FedEx, stating that more details are required to clear customs. The email contains a single embedded image to help avoid spam filters, and a .ace attachment posing as a screensaver, which downloads Lokibot.
Kaspersky Lab identify overlap between GreyEnergy and Zebrocy
- Kaspersky discovered that GreyEnergy and Zebrocy used the same C&C server and infrastructure, and that both targeted numerous industrial companies in Kazakhstan within the same time frame.
- Zebrocy has been described as a subset of APT28 and has focused their attacks mostly on government-related entities across the Middle East, Europe and Asia.
Severe vulnerability found in BMC firmware stacks and hardware
- The flaw, known as CVE-2019-6260, impacts multiple Baseboard Management Controller firmware stacks and hardware.
- An IBM Linux Technology Center software engineer dubbed the vulnerability ‘pantsdown’.
- The flaw can lead to unauthenticated access and therefore potentially to ‘malware execution, firmware flashing, or the dump of firmware of a running BMC from the hosts; arbitrary reads or writes, configuration tampering’, and more.
Vulnerability discovered in firmware for Marvell Avastar Wi-Fi chipset
- Embedi researcher Denis Selianin reported the major vulnerability, a ThreadX block pool overflow that is triggered any time the device scans for networks. The vulnerable firmware runs on Marvell’s Avastar Wi-Fi chipset, rendering product lines that use Marvell Avastar vulnerable.
- Potentially affected product lines include Sony PlayStation 4 and Xbox One gaming consoles, Microsoft Surface tablets and laptops, Valve Steam Link cast devices, and more.
Security researchers demo second stage of remote iPhone X jailbreak exploit chain
- Qihoo 360 security researcher Qixun Zhao released a proof of concept for a kernel vulnerability that is reachable from the sandbox, which he exploited in order to remotely jailbreak the iPhone X’s latest iOS system.
Memory leak exists in Sysmon utility
- Researchers stated that those who routinely update the configuration file through a scheduled task will trigger a memory leak that could cause the computer to run out of memory and eventually crash.
- They stated ‘each reload spiked the non-paged pool 15mb, and we had that run hourly on servers for 30 days, they were all crashing.’
Researchers find flaws in PoS cryptocurrencies that allow ‘Fake Stake’ attacks
- Academics from the University of Illinois at Urbana-Champaign discovered two resource exhaustion vulnerabilities, dubbed ‘Fake Stake attacks’, that affect 26 proof-of-stake (PoS) cryptocurrencies.
- According to ZDNet, the flaws could permit attackers ‘to crash rival network nodes to gain a 51 percent majority for their own malicious servers’ and be able to control all of a currency’s blockchain transactions. ZDNet also provide a link to the full list of impacted cryptocurrencies.
Cisco discloses 23 vulnerabilities in SD-WAN and Webex
- A critical flaw, tracked as CVE-2019-1651, was found in the vContainer of the SD-WAN Solution that permits an authenticated, remote attacker to cause a denial-of-service condition and execute arbitrary code as the root user. The flaw is the result of improper bounds checking by the vContainer.
- Another flaw in SD-WAN, tracked as CVE-2019-1647, was discovered and allows authenticated, adjacent attackers to bypass authentication and have direct unauthorized access to other vSmart containers. The bug is the result of an insecure default configuration of the affected system.
- Other disclosed vulnerabilities in SD-WAN include a user group configuration flaw, CVE-2019-1648, and an arbitrary file overwrite flaw, CVE-2019-1650. A URI handler insecure library loading vulnerability, CVE-2019-1636, was also found in Webex.
US Senators concerned over Chinese-made metro rail cars
- Four US Senators sent a letter to the Washington Metropolitan Area Transit Authority (WMATA) regarding their concerns over a Chinese firm bidding on a contract to provide rail cars for a new metro in Washington DC.
- The Senators’ concerns regard the cyber security of smart rail cars that contain systems for automatic train control, video surveillance and a WMATA data interface. The systems could potentially be targeted by foreign governments or terrorists for espionage purposes or to disrupt metro lines across the city.
Researchers create algorithm to protect children from disturbing YouTube videos
- The researchers have developed a high accuracy deep learning-based classifier that is designed to detect YouTube videos with disturbing content. The researchers tested their binary classifier using a dataset of 133,806 videos.
- The research was prompted by the lack of appropriate restraints in the recommendation algorithm currently used by YouTube.
- The deep learning video content classifier was able to reach an accuracy of 82.8%.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.