Silobreaker Daily Cyber Digest – 24 October 2018
Malicious PyPI package discovered on official repository
- Discovered on the PyPI repository, the package named ‘colourama’ is a malicious package typosquatting the legitimate package ‘colorama’, and has been on PyPI since December 5th, 2017. It contains a malicious dropper that targets Windows machines to deliver a VBScript cryptocurrency clipboard hijacker. The hijacker runs in the background, checking the clipboard every 500ms. Anything on the clipboard that resembles a Bitcoin address is replaced with the attacker’s wallet address.
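The ‘colourama’ case is a one-character typosquat of a popular name, which is exactly what a dependency review can catch before install. The following check is an added example, not code from the digest or from any of the vendors cited; the allow-list and the requirements text are constructed for illustration, and it flags any requirement that is not itself a known package but lies within two edits (insert, delete, substitute or adjacent swap) of one.

```python
import re

# Constructed allow-list (assumption: in practice an internal list or the PyPI top-N).
KNOWN_PACKAGES = {"colorama", "requests", "urllib3", "numpy", "setuptools"}
# Constructed requirements.txt content: one insertion typo and one transposition.
SAMPLE_REQUIREMENTS = """\
colourama==0.1.6
requests>=2.20
reqeusts
numpy
"""

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (insert, delete, substitute, adjacent swap)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def parse_names(requirements: str) -> list:
    """Extract bare project names from requirement lines (comments stripped)."""
    names = []
    for line in requirements.splitlines():
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line.split("#", 1)[0].strip())
        if m:
            names.append(m.group(1))
    return names

def find_typosquats(requirements: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> dict:
    """Map unknown names within max_dist edits of a known package to that package."""
    known_norm = {normalize(k) for k in known}
    hits = {}
    for name in parse_names(requirements):
        n = normalize(name)
        if n in known_norm:
            continue
        dist, target = min((edit_distance(n, k), k) for k in known_norm)
        if dist <= max_dist:
            hits[name] = target
    return hits
```

Run `find_typosquats(SAMPLE_REQUIREMENTS)` to get the suspicious names mapped to the package each resembles; a hit is a review prompt, not proof of malice, since legitimate forks also sit close to popular names.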
Chalubo Botnet discovered by Sophos
- Chalubo targets internet-facing SSH servers on Linux-based hosts, attempting to brute force the login credentials. The bot component and Lua script are encrypted using the ChaCha stream cipher, which Sophos researchers describe as an evolution of Linux-based anti-analysis techniques.
- The Lua script communicates with the attacker’s C2 server for instructions on what other script to download and execute. Observed scripts performed a SYN flood attack against a Chinese IP address.
Source (Includes IOCs)
Two Remote Access Trojans being delivered by phishing campaign
- Researchers at Cofense Intelligence analysed a recent email phishing campaign that delivers malicious dropper attachments disguised as invoices. The dropper delivers both jRAT and H-Worm, combining the capabilities of the two tools. H-Worm is capable of password scraping, keylogging and self-propagation, whereas jRAT is capable of webcam hijacking and plugging in additional modules.
McAfee report on new wave of browser hijackers
- McAfee has received several notifications of a phishing campaign that redirected users to a browser hijacker. The email asks users to click on a box to display the message, after which they are redirected to a URL and prompted for user credentials.
- Analysis also uncovered that the instances were linked to a tech support scam which involved the use of scare tactics such as displaying fake error messages and phone numbers. These tactics trick users into thinking they are infected and lead them to pay for unnecessary support.
Fraudulent shipping labels used by criminals to process and distribute stolen goods
- In a blog post, Flashpoint analysts detailed the practices of criminals profiting from fraudulent purchases. They particularly highlight the effectiveness of fraudulent shipping labels to process large volumes of stolen goods on a regular basis.
- According to Flashpoint, several drop networks offer fraudulent shipping labels as a service, which suggests they ‘have access to accounts belonging to major commercial and public-sector shipping services.’ This service was also being advertised as ‘99.9 percent effective’ in being properly processed.
- The labels are used by mules in drop networks that serve to obfuscate the origin or destination of stolen goods. The blog post also details how mules are often recruited through posts on legitimate job websites and thus may be unaware of working for an illegal business.
Magecart group leverages zero-days in 20 Magento extensions
- Researcher Willem de Groot has reported that the Magecart group is abusing unpatched zero-day vulnerabilities in 20 Magento extensions in order to plant payment card skimmers on online stores. De Groot has tracked the campaign but has identified only two of the twenty extensions and, as such, has asked others for help in identifying the remaining extensions.
- Fixes for the two identified extensions, the Webcooking_SimpleBundle Magento extension and TBT_Rewards, were released just hours after they were reported.
StrongPity APT adapts its methods based on threat intelligence reports
- Cylance researchers found that the StrongPity APT has made changes to their attack method following the exposure of the group’s practices by various threat intelligence reports.
- They found that the variety of research published on StrongPity led the group to start adapting its practices based on the information being published. For example, new domains, new IP addresses, filename changes and small code obfuscation changes were detected by Cylance.
- According to the researchers, StrongPity is expected to continue updating its methods, particularly as only small adjustments are required to remain undetected. StrongPity was first reported on by Kaspersky in 2016.
Source (Includes IOCs)
SLoad and Ramnit distributed as a pair in campaigns against UK and Italy
- Proofpoint researchers have observed email campaigns distributing a new downloader named sLoad, which delivers the Ramnit banking trojan. The campaigns are connected to an actor named TA554, who has previously targeted Italy, Canada and the UK by sending malicious emails that are crafted in the targeted country’s language and often include recipients’ names and addresses.
- The emails use notification or package delivery lures and contain URLs linking to zipped LNK files of zipped documents that eventually deliver the final payload.
- The malware gathers information about the infected system, including running processes and the presence of Outlook or Citrix-related files. In addition, sLoad can also check the DNS cache for specific domains, load external binaries and take screenshots.
Microsoft, PayPal and Netflix highly targeted by phishing campaigns
- Vade Secure has reported that Microsoft, PayPal, Netflix, Bank of America and Wells Fargo are the brands most impersonated by phishing campaigns. Their report states that the primary goal of Microsoft phishing attacks is to harvest Office 365 credentials, in order to gain access to a ‘treasure trove of confidential files’.
FireEye attributes TRITON deployment to Russian laboratory
- FireEye Intelligence has stated that the Russian government-owned technical research institution known as the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) supported intrusion activity that led to the deployment of TRITON.
- Known as TEMP.Veles, the operation leveraged multiple versions of malware and had multiple ties to Russia, the CNIIHM and an individual in Moscow who is also linked to the CNIIHM. A CNIIHM IP address was also used during TEMP.Veles for network reconnaissance, monitoring open-source coverage of TRITON, and other malicious activity to support the intrusion.
Digital Defence VRT reveals zero-day vulnerabilities in Arcserve Unified Data Protection platform
- The vulnerabilities include two unauthenticated information disclosures and an XML external entity (XXE) attack that could be leveraged by an attacker to gain access to databases and other credentials and to read files on the system without authentication. In addition, Arcserve UDP is also vulnerable to cross-site scripting, which could be leveraged for phishing attacks.
jQuery plugin vulnerability discovered by Akamai Security is finally patched
- The flaw was due to the jQuery plugin being designed to upload files to PHP servers without validating or excluding file types. The vulnerability exists because of a change in the Apache HTTPD server that disabled support for .htaccess web server configuration, to prevent security features from being overridden, even though the plugin relied on .htaccess for its security controls. The issue has finally been patched in version 9.22.1.
Zero-day discovered in Microsoft Windows
- Disclosed on Twitter by SandboxEscaper, the zero-day affects the Microsoft Data Sharing service in Microsoft Windows. An attacker can leverage the vulnerability to elevate their privileges on systems to which they already have access.
- SandboxEscaper also published proof-of-concept code on GitHub that deletes crucial Windows files and forces users to perform a system restore.
Morrisons liable for data breach exposing 100,000 employees’ data
- In the latest court ruling, Morrisons was found to be liable for the actions of former employee Andrew Skelton, who published personal data, including NI numbers, birthdates and bank account information, of 100,000 employees.
- The supermarket chain plans to appeal to the Supreme Court.
US county websites found to lack basic cybersecurity measures ahead of midterm elections
- McAfee researchers surveyed security measures of county websites in 20 US states and found that most of them lacked basic cybersecurity measures to protect voters from misinformation campaigns.
- No consistency was found in validating websites to ensure they belong to genuine county officials. For example, some websites were found to be using a .com TLD rather than a .gov TLD, which requires thorough government validation.
- In other instances, a large number of county websites were found not to use Secure Sockets Layer (SSL) certificates, which protect web sessions by encrypting personal data and ensuring threat actors cannot redirect website visitors to fraudulent sites.
Man sentenced to six years in prison for involvement in phishing scheme
- Olayinka Olaniyi, a 34-year-old Nigerian man, was sentenced to 5 years and 11 months in prison for his role in a phishing scheme that resulted in unauthorized access to the bank accounts of employees of several US colleges and universities, including the Georgia Institute of Technology.
Stolen Paytm data found to include confidential information
- The stolen data relating to an extortion case involving Paytm, an Indian e-commerce payment system, was found to contain passwords, encrypted emails, PIN of Paytm accounts and cash cards belonging to Paytm founder Vijay Shekhar Sharma. The data was also found to include the company’s business model, future plans and financial dealings.
- According to Paytm, no customer data was compromised. The extortion case involves three former employees who stole data from the company founder’s laptop and threatened to release it unless paid a ransom of roughly $258 million.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.