Silobreaker Daily Cyber Digest – 24 July 2019
FIN8 threat actor develops new BADHATCH reverse shell
- Gigamon researchers identified a new reverse shell, dubbed BADHATCH, while analyzing the toolset used by FIN8. Originally discovered in January 2016, FIN8 is a financially motivated group that focuses on stealing credit card details from POS machines.
- BADHATCH launches via WMIC and ‘begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode’. The shell contains no sandbox detection methods or environmental checks. Once embedded, the malware connects to a hardcoded C2 IP. It gives attackers the option to impersonate a user via the Windows API and also provides upload and download functions.
- The researchers discovered that FIN8 deploys BADHATCH onto a server and then issues commands to POS systems before using PoSlurp malware to collect card data.
Source (Includes IOCs)
Criminals attempt to gain aging reports to commit BEC fraud
- Agari Cyber Intelligence Division researchers discovered cybercriminals posing as CEOs and emailing employees of organizations to request aging reports which contain sensitive financial data and customer information. Targets who send an aging report to attackers receive a second message requesting a list of email addresses for customers in the aging reports.
- The researchers deduced that the attackers are utilising this information to create credible-looking emails to use in BEC attacks against target organizations’ customers.
BillGates backdoors delivered via old Elasticsearch vulnerability
- Researchers at Trend Micro observed a recent attack targeting Elasticsearch, delivering BillGates backdoors. The URL used in the attack was designed to exploit CVE-2015-1427, a known vulnerability in the Groovy scripting engine of Elasticsearch.
- The attack involves two scripts used to shut down the firewall and any competing or already-running cryptocurrency mining activities or other processes, as well as the elimination of any traces of initial infection.
- Elasticsearch has been attacked numerous times before. However, those attacks are usually profit-driven and involve the delivery of cryptocurrency-mining malware. The malware observed in this recent attack, on the other hand, is an information stealer capable of launching distributed-denial-of-service attacks. Variants of BillGates malware have also been observed in botnet-related activities.
Source (Includes IOCs)
Leaks and Breaches
Northwood Inc. announces data breach
- The Michigan-based medical supplies provider Northwood Inc. announced it suffered a data breach as a result of a phishing attack. An employee’s email was accessed by an unauthorized individual from May 3rd to May 6th, 2019.
- No evidence of data access or data theft was found, but it has not been ruled out either. Potentially accessed data includes names, addresses, dates of birth, provider names, dates of service, and more. A total of 15,027 patients were affected by the breach.
Crypto-Miners spread by P2P worm
- Researchers at Cybaze-Yoroi ZLab discovered a malicious file on the BitTorrent network. The file purports to be the discography of singer Lucio Dalla. In actuality, the download is an SFX archive that contains multiple files.
- The attackers have configured the files to ‘survive across multiple p2p networks by propagating to p2p shared folders configured into the victim’s machine’.
- The attacker’s aim is to install and spread crypto-miners. However, the researchers warned that this technique could also be used to deliver bots, RATs and ransomware.
Source (Includes IOCs)
Jana Small Finance Bank database left exposed on unprotected ElasticSearch server
- Security Discovery researcher Jeremiah Fowler discovered the database on May 26th, 2019. The database could be accessed without a password and contained documents such as voter IDs, driver’s licenses, PAN cards, passports, and more. Additionally, the database contained information such as wallet IDs, usernames, emails, and other account and transaction information. In total, Fowler found 2.6 million user and transaction records.
- The database also contained IP addresses, ports, pathways and storage info that could potentially be further exploited by attackers.
- Upon his discovery, Fowler alerted the bank, which closed the database and restricted public access on May 28th, 2019.
Vigo County hit by ransomware attack
- Government computers used by the Superior Court Division 4 in Vigo County, Indiana, were infected by a ransomware attack on July 23rd, 2019, causing some data to become inaccessible. The county’s IT department has yet to determine how many computers and servers have been affected.
Avant Communications targeted by phishing attack
- Avant Communications was hit by a phishing attack on June 18th, 2019, which is believed to have originated from the Ukraine. The attack impacted master agents, agents and suppliers, with one master agent’s service being disrupted for 48 hours. Its channel partners have been warned not to open any attachments.
Google cache issue the cause of Nando’s data breach
- Nando’s stated that a data breach related to their FireStarters website was caused by the circulation of an old cached survey page. Customers who signed up on the FireStarters website provided details such as their name, email, and mobile number.
- Nando’s stated that their investigation showed that a user partially completed a FireStarters survey form in May 2014 and posted a link to the survey on Twitter. Due to the survey only being partially completed and the link being posted to Twitter, the page was cached by Google. Nando’s confirmed that they have requested that Google remove the page.
More victims added to AMCA data breach
- A further nine laboratories and health care firms, with cumulatively over one million patients, have been informed by the American Medical Collection Agency (AMCA) that their data was potentially exposed in AMCA’s data breach. This includes American Esoteric Laboratories, CBLPath Inc., Seacoast Pathology, Western Pathology Consultants, Natera Inc., and the Nevada-based Laboratory Medicine Consultants.
Conflicting statements regarding QuickBit’s data breach
- Security researchers at Comparitech and security researcher Bob Diachenko reported that an unsecured database contained over 300,000 customer records. The breach exposed details such as names, addresses, email addresses and card information. Additionally, the researchers discovered 143 exposed records with internal credentials such as passwords, secret keys, secret phrases, user IDs, and more.
- QuickBit stated that the leak was caused by third party contractors and claimed that the breach only exposed the information of around 2% of their customers, a figure which is far lower than that claimed by security researchers.
Flaw in Facebook Messenger Kids app allowed people to sidestep protection
- The Messenger Kids app is designed for children under the age of 13 to only be able to enter chats with individuals who have been approved by their parents. The flaw was found in the app’s group chat function, in which an administrator of a group would be able to invite any approved individual to a chat, despite that user not having permission to interact with the other group members.
- It is unclear how long the flaw was present. Facebook notified thousands of users of the issue and turned off the affected chats.
Multiple vulnerabilities discovered in Comodo Antivirus
- A number of flaws were found in Comodo Antivirus and Comodo Antivirus Advanced, affecting version 188.8.131.5210, with the exception of CVE-2019-3973, which is only present in versions up to 184.108.40.20682.
- The remaining vulnerabilities are tracked as CVE-2019-3969, CVE-2019-3970, CVE-2019-3971 and CVE-2019-3972. No patches have been released by Comodo.
DarkMatter certificates banned from Chrome and Android
- Google announced on July 23rd, 2019, that they plan to ban root certificates owned by DarkMatter. Moreover, Google will also ban six intermediate certificates issued by QuoVadis, which DarkMatter had been using to issue TLS certificates. Google’s decision follows a similar ban announced by Mozilla on July 9th, 2019.
- DarkMatter, which is based in the UAE, has come under criticism for providing support for surveillance operations which targeted foreign governments, human rights activists, and journalists. Reporters from Reuters, the New York Times, and other media outlets, claimed that some of these operations were carried out on behalf of the UAE government.
MH17 investigation shows global reach of Russian disinformation campaigns
- Malwarebytes Labs analysed the investigation into the downing of the Malaysia Airlines Flight 17 on July 17th, 2014, and believes that the Russian Internet Research Agency (IRA) will continue to spread disinformation to invalidate the methods and results of the Bellingcat and Joint Investigation Team (JIT) investigations now that interest in the incident has risen again.
- Due to the abundance of available information supporting the findings of Bellingcat and the JIT, the IRA’s disinformation campaign is perceived to mainly focus on influencing Russian public opinion relating to the crash. It uses Twitter, Facebook, VKontakte and other platforms to spread disinformation.
- Both Bellingcat and the JIT reported phishing attacks and hacking attempts on their servers, including one attributed to the Russian APT28, presumably aimed at disrupting their research into the crash.