Silobreaker Daily Cyber Digest – 24 May 2019
Newly upgraded version of JasperLoader targets Italy
- Cisco Talos researchers discovered a new version of JasperLoader targeting Italy and other European countries with banking trojans such as GootKit.
- The new version has several additional features and upgrades, including a different distribution method, additional layers of obfuscation, decoy documents, geolocation filtering, detection for hypervisor-based environments and changes to file storage locations and file name conventions.
- In addition, the new version also has new persistence mechanisms, a new C2 domain retrieval mechanism permitting time-based fluxing, and new bot registration and ID generation mechanisms.
- Cisco Talos’ analysis follows their recent review of the functionality associated with JasperLoader.
Source (Includes IOCs)
Mirai variant uses multiple exploits to target several devices
- Researchers at Trend Micro discovered a new variant of Mirai which utilizes a total of 13 different exploits. These exploits have been observed in older variants of Mirai but have never been used in conjunction in a single campaign.
- The 13 exploits are used in combination to scan for vulnerabilities and then deploy Mirai. This specific campaign takes advantage of flaws in routers, surveillance products and other devices which are widely used and infrequently patched by users.
- Trend Micro’s latest analysis includes a review of the 13 exploits.
Source (Includes IOCs)
Fake cryptocurrency apps on Google Play attempt to scam users
- Reddit users discovered an app on Google Play called ‘Trezor Mobile Wallet’, impersonating the popular hardware cryptocurrency wallet Trezor.
- ESET researchers analysed the fake app and found that it can’t cause harm to Trezor users due to Trezor’s use of multiple security layers; however, it is able to phish for Trezor users’ credentials. They also found that the app is connected to a fake cryptocurrency wallet app called ‘Coin Wallet – Bitcoin, Ripple, Ethereum, Tether’ that is used to scam victims out of money.
- Both the fake Trezor app and the ‘Coin Wallet’ app were created based on an app template sold online. The researchers suspect that the emergence of these apps is related to the continuously rising prices of Bitcoin in the last few months. Both apps have since been taken down from Google Play.
Source (Includes IOCs)
Phishing campaign spams Android users via fake ‘Missed Call’ alerts
- Lookout’s Phishing AI services detected a new phishing campaign that abuses the Notifications and Push APIs, and Google Chrome on Android devices, to push spam alerts disguised as missed phone calls.
- The perpetrators use custom icons for apps that trigger the alerts, which in this case was Google Chrome. The custom icons are used to better disguise the notifications and fool unsuspecting users.
Anonymous and LulzSec hacker groups target Italian Police and doctors
- In the last 10 days, Anonymous Group and LulzSec have been targeting Italian doctors and law enforcement, particularly the Police and the Carabinieri.
- The attacks are part of a protest against abuses in public health systems, intended to raise attention to mysterious deaths in hospitals that have allegedly been covered up by the authorities. In addition, the attacks also sought to bring attention to various arrests of members of the hacking group.
Malicious email campaigns target Canadian organisations
- Between January and May 2019, Proofpoint researchers detected thousands of malicious email campaigns, with hundreds of them targeting Canadian organisations. In many cases, stolen branding from several Canadian firms and agencies, including major shipping and logistics organisations, national banks, and large government agencies, was used.
- According to the researchers, many campaigns involved Emotet, a trojan associated with threat actor TA542. Other malware used includes Ursnif, IcedID, GandCrab, DanaBot, Formbook, Dridex and more.
- The campaigns mostly affected Canadian financial services, the energy and utility sector, the manufacturing sector, the healthcare sector, and the technology industry.
Two law firms lost $117,000 after being hit with malware
- Two unidentified law firms in the US have fallen victim to ‘an international cybercrime network that tried to loot an estimated $100 million from businesses.’
- Phishing emails were sent to the companies disguised as an invoice from ‘Quicken Billpay Center,’ which downloaded GozNym malware, allowing the attackers access to the recipient’s banking credentials.
Third-party mailbox used by Computacenter employees hacked
- The mailbox was used by Computacenter employees and contractors to deposit data to gain security clearance. The data in the mailbox could include ID data, contact details, bank details, and more.
- Once the mailbox was hacked, the attacker changed the password and proceeded to use the data to send phishing emails.
Leaks and Breaches
US license-plate scanning company suffers data breach
- Hacker ‘Boris Bullet-Dodger’ informed The Register that he had hacked into the US license-plate scanning company Perceptics. Perceptics’ technology is installed at multiple border crossings in the United States.
- Nearly 65,000 files were stolen and placed on the dark web, including Microsoft Exchange and Access databases, ERP databases, HR records, Microsoft SQL Server data stores, and more.
Snapchat employees allegedly abused data access to spy on users
- Motherboard reported that Snap, the company behind Snapchat, possesses several tools dedicated to accessing user data. Moreover, several employees allegedly abused their privileged access to spy on Snapchat users.
- The accessed data included location information, saved Snaps, and personal information such as phone numbers and email addresses. One of the tools used, dubbed SnapLion, is accessible by multiple departments within the company. According to Motherboard’s sources, Snap employees have used the tool to spy on users.
Joomla servers hacked and cryptocurrency mining scripts installed
- Joomla issued a statement confirming that a notification was received from a security researcher on May 15th, 2019, informing them that an internal Jenkins CI server, used by the JED to deploy updates to their live and staging website, was vulnerable to CVE-2018-1000861.
- During the investigation into the breach, a crypto miner was detected running on the server. Joomla stated that they had no cause to think that ‘any user data has been accessed improperly.’
PoC exploits for Windows wormable flaw released online
- Security experts have developed PoC exploits for the wormable Windows RDS flaw tracked as CVE-2019-0708, also known as BlueKeep. BlueKeep is a remote code execution flaw in Remote Desktop Services (RDS) that could be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.
- Not all of the exploits published by the researchers are working fully, however, one of the PoC exploits could be used for remote code execution on flawed systems.
Equifax’s credit ratings revised following data breach
- Credit rating agency Moody’s changed Equifax’s credit rating from stable to negative due to the financial losses suffered after the 2017 data breach. The report states that the breach affected Equifax’s performance and reputation, and the company’s cash flow decreased due to the legal and IT expenses following the incident.
Google investigated following GDPR complaint
- An investigation into Google’s processing of personal data was launched by the Irish Data Protection Commission (DPC) following a complaint filed with the UK Information Commissioner and the Irish Data Protection Commissioner on September 12th, 2018.
- The investigation will assess whether Google’s processing of personal data collected by the company as part of Ad Exchange online advertising transactions is breaching GDPR regulations.
- Further complaints against the company were recently filed in Spain, the Netherlands, Belgium and Luxembourg.
18 charges filed against Julian Assange by US Department of Justice
- Julian Assange is facing 18 indictments accusing him of violating the US Espionage Act after publishing confidential military and diplomatic documents on WikiLeaks in 2010.
- According to US officials, the charges are not made for acting as a publisher, but for endangering the lives of sources. The charges also include one count of conspiring with former intelligence analyst Chelsea Manning and conspiracy to commit computer intrusion.
NATO Secretary General focuses on cyber threats
- Secretary General Jens Stoltenberg, in his keynote speech at the National Cyber Security Centre in London, focused on how cyber threats are changing the nature of modern warfare.
- Moreover, Mr Stoltenberg spoke about how NATO is adapting its capabilities and increasing its resources to deal with these cyber threats.
- Mr Stoltenberg also stated, with reference to the failed attack on the Organisation for the Prohibition of Chemical Weapons, that NATO must focus on attribution in its efforts to deter future cyber attacks.
UK political parties fail to protect members from phishing attacks
- A security vendor has claimed that members of UK political parties are being targeted with phishing attacks because the DMARC protocol has not been consistently applied. Domain-based Message Authentication, Reporting and Conformance (DMARC) is the best practice used to mitigate email impersonation.
- According to analysis by Red Sift, only 5 out of the full 22 main political parties participating in the European Parliament elections have implemented DMARC.
Chrome, Firefox and Safari mobile browsers fail to show phishing warning
- Researchers from Arizona State University and PayPal discovered that Chrome, Safari and Firefox failed to show blacklist warnings from mid-2017 to late 2018.
- The issue was confined to mobile browsers that used the Google Safe Browsing link blacklisting technology.
- The failure to display warnings was attributed to the transition to a new API designed for mobile, which did not function correctly.
Audio card skimmers preferred over flash skimmers
- Researchers at Advanced Intelligence observed that audio skimmers are growing in popularity with criminals, due to their ease of use, moderate price and high resilience.
- Audio card skimmers pick up audio when a card’s magnetic track is being scanned and can bypass jittering and radio-electronic defenses; they are, however, therefore vulnerable to noise jamming.
- The growing popularity of audio skimmers coincides with a drop in market share for flash skimmers, which are cheaper but also less reliable.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.