Silobreaker Daily Cyber Digest – 25 April 2019
Researcher creates new backdoor inspired by leaked NSA malware
- Sean Dillon created a proof-of-concept backdoor, dubbed SMBdoor, designed as a Windows kernel driver that, once installed, abuses undocumented APIs in the srvnet.sys kernel driver to register itself as a valid handler for Server Message Block (SMB) connections.
- SMBdoor has been described as ‘very stealthy’ because it does not bind to any local sockets, open any ports, or hook existing functions, which helps it avoid detection.
- The backdoor was inspired by two NSA implants, DoublePulsar and DarkPulsar, that were leaked by The Shadow Brokers in spring 2017.
New sextortion campaign targets Italian-speaking users and demands payments in Bitcoin Cash
- Trend Micro researchers detected a new sextortion campaign that appears to have been sent via the Gamut spam botnet. The scheme targets Italian-speaking users and demands payments in Bitcoin Cash.
- The campaign involves spam emails claiming that the user’s device, social media accounts and email accounts were hijacked. The perpetrators then claim to have recordings of the user watching pornography, as well as a record of the websites the user allegedly visited, and threaten to send the compromising videos to the user’s contacts unless a payment is made.
TA505 launch new phishing campaign using LOLBins to avoid detection
- Following previous reports by Proofpoint of TA505 targeting banks, retail businesses, and restaurants in November 2018, Cybereason researchers have now reported on the discovery of a new campaign targeting a financial institution in April this year. The new campaign was found to be using a signed version of the ServHelper backdoor and several living-off-the-land binaries (LOLBins) to help the campaign avoid detection.
- Cybereason stated that the campaign used a ‘selective persistence mechanism and self kill commands based on autonomous reconnaissance’ and ‘a deliberate timeline, indicated by the timing of the phishing attack and signing of the malicious code’ using a legitimate code-signing certificate issued by Sectigo RSA Code Signing CA.
- The attack also used LOLBins, legitimate native Windows binaries, to deploy the ServHelper payload in an attempt to remain undetected. ServHelper is able to collect the information needed to decide whether a full removal of evidence from the machine is required.
Source (Includes IOCs)
Scam ads served to French users of Microsoft games
- The ads redirect users to scam surveys, polls and other forms of unwanted promotions. In some circumstances, the ads are able to load the scams in the Windows default browser.
- The ads state that users will receive an iPhone or Samsung phone if the survey is filled out; however, the likely result is that any information entered is harvested and used for further spam campaigns. French security researcher Malekal stated that one of the scams encourages victims to sign up to a fake online shop that then siphons money from their accounts every month.
- The ads are focused upon those with IP addresses based in France.
Proofpoint discover threat actors hosting phishing kits on GitHub
- The cyber criminals abused the service’s free repositories to deliver phishing kits to their targets via GitHub domains. This technique allowed them to bypass whitelists and network defences, because hosting on large consumer cloud storage, social networking and commerce services means that the malicious activity is lost within legitimate web traffic.
- One attacker hosted a phishing kit that was designed to steal credentials from customers of a retail bank after redirecting them to a landing page using malicious emails. Researchers from Proofpoint also found that the phishing kits were sending the collected credentials and personal information to other compromised servers controlled by the attackers.
- The use of free GitHub accounts meant that all the repository information was public and Proofpoint was able to monitor every change, during which they discovered that the phishing kits were customised to suit the attackers’ purposes. For example, they found ‘updates to indicators of compromise including shortened links’, and modified landing pages that used a ‘PHP script hosted on a remote domain rather than one local to the kit’, to work around the limitations of GitHub Pages, which only serves static content.
Source (Includes IOCs)
Phishing campaign discovered dropping Qbot banking trojan
- JASK Special Operations team discovered the campaign in late March dropping Qbot malware via phishing emails that were posing as parts of previous conversations. Qbot is a banking trojan with worm capabilities that is used to steal financial and banking data, drop malware, log keystrokes and create a backdoor on victims’ machines.
- The campaign sent phishing emails that appeared to be replies to pre-existing email threads, that included a link to a ZIP archive containing a VBScript-based dropper designed to drop the Qbot payload after being launched.
- After execution, Qbot brute-forces network accounts to spread laterally, using a list of local account credentials, before attempting to steal as much financial information as possible.
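The lateral-movement behaviour above (one source trying a list of credentials against many accounts and hosts) is the kind of burst a SOC can pick out of Windows Security logs. The following is an added example written for this digest, not code from JASK or the Qbot report: it runs a sliding-window password-spray detector over constructed, simplified failed-logon records (Event ID 4625) and ignores successful logons (4624). The log format, thresholds, addresses, host names and account names are all assumptions for the example; real 4625 events carry the same fields (source address, workstation name, target account) in EVTX/XML.

```python
# Added example: detect Qbot-style credential brute force (password spraying)
# from constructed Windows Security log records. Not JASK's or Qbot's code.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one record per line:
# timestamp  event_id  source_address  workstation  target_account
SAMPLE_LOG = """\
2019-03-28T10:00:01 4625 10.10.5.21 WS-FINANCE-03 administrator
2019-03-28T10:00:02 4625 10.10.5.21 WS-FINANCE-03 backup
2019-03-28T10:00:03 4625 10.10.5.21 WS-FINANCE-03 helpdesk
2019-03-28T10:00:04 4625 10.10.5.21 WS-FINANCE-03 svc_sql
2019-03-28T10:00:06 4625 10.10.5.21 WS-FINANCE-07 administrator
2019-03-28T10:00:07 4625 10.10.5.21 WS-FINANCE-07 backup
2019-03-28T10:00:08 4625 10.10.5.21 WS-FINANCE-07 helpdesk
2019-03-28T10:00:09 4625 10.10.5.21 WS-FINANCE-07 svc_sql
2019-03-28T10:00:12 4624 10.10.5.21 WS-FINANCE-07 svc_sql
2019-03-28T10:03:15 4625 10.10.7.40 WS-HR-02 jsmith
2019-03-28T10:03:40 4625 10.10.7.40 WS-HR-02 jsmith
2019-03-28T10:04:01 4625 10.10.7.40 WS-HR-02 jsmith
2019-03-28T10:04:20 4624 10.10.7.40 WS-HR-02 jsmith
"""

# Assumed thresholds: tune to the environment.
THRESHOLD_FAILURES = 5          # failed logons from one source within the window
THRESHOLD_ACCOUNTS = 3          # distinct target accounts within that window
WINDOW = timedelta(seconds=60)


def parse(line):
    """Split one constructed record into typed fields."""
    ts, event_id, src, host, user = line.split()
    return datetime.fromisoformat(ts), int(event_id), src, host, user


def detect_spray(log_text, failures=THRESHOLD_FAILURES,
                 accounts=THRESHOLD_ACCOUNTS, window=WINDOW):
    """Return {source_address: alert} for every source whose failed logons
    within any window-long span hit both thresholds. A user mistyping their
    own password repeatedly (one account) does not trigger it."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, event_id, src, host, user = parse(line)
        if event_id == 4625:                     # failed logon only
            by_src[src].append((ts, host, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, _, u in span}
            hosts = {h for _, h, _ in span}
            if len(span) >= failures and len(users) >= accounts:
                current = alerts.get(src)
                # Keep the widest burst seen for this source.
                if current is None or len(span) > current["failures"]:
                    alerts[src] = {
                        "first_seen": span[0][0].isoformat(),
                        "failures": len(span),
                        "accounts": sorted(users),
                        "hosts": sorted(hosts),
                    }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_LOG).items():
        print(f"ALERT {src}: {alert['failures']} failures against "
              f"{len(alert['accounts'])} accounts on {alert['hosts']} "
              f"from {alert['first_seen']}")
```

In the constructed sample only 10.10.5.21 is flagged (eight failures across four accounts and two hosts in eight seconds); the three failures from 10.10.7.40 against a single account stay below the account threshold. The 4624 that follows the burst from 10.10.5.21 is the event worth chaining to this alert, since it marks the credential that worked.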
Threat actor(s) steal over $54 million in Ethereum due to weak private keys
- An individual or group of hackers, dubbed ‘Blockchainbandit’ by Independent Security Evaluators (ISE), has stolen over $54 million, or around 38,000 ETH, by finding wallets whose private keys were weak enough to be guessed. The firm placed a dollar’s worth of Ethereum in a wallet with a weak private key and observed it being transferred to the attacker within seconds.
- ISE stated that a 256-bit private key may have been truncated due to a coding error, leaving it with far too little entropy to resist guessing. Other possible causes include ‘error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors’.
- ISE was able to guess or duplicate 732 weak private keys being used on the Ethereum blockchain.
Gamaredon hackers target Eastern European military personnel
- Researchers at Yoroi-Cybaze ZLab discovered a new campaign by Russian hacking group Gamaredon that appears to be designed to target military personnel.
- The researchers provide a technical analysis of the campaign, revealing that it uses the Pteranodon implant to gather information about the compromised machine through the command ‘systeminfo.exe’.
Source (Includes IOCs)
Leaks and Breaches
Atlanta Hawks online shop becomes latest victim of Magecart
- The online shop stated that it is temporarily out of action for maintenance after the Atlanta Hawks site was targeted by a Magecart group in an isolated attack that resulted in a payment skimmer being injected into the site. A spokesperson for the organisation stated that they believe ‘less than a handful’ of purchases on the site were affected.
- The shop runs Magento Commerce 2.2, a commonly used enterprise-grade e-commerce platform that may have been the entry point. Leveraging flaws in third-party infrastructure is a common tactic for Magecart groups.
Hacker breaks into GPS tracking apps which allows him to monitor cars and stop engines
- A hacker, known as L&M, reported to Motherboard that he had hacked into 7,000 iTrack accounts and 20,000 Protrack accounts. The two apps monitor and manage hundreds of vehicles through GPS tracking devices.
- L&M was able to track vehicles in countries worldwide, including South Africa, Morocco, India and the Philippines. In addition, for some vehicles the software can remotely turn off the engine while the vehicle is travelling at 12 miles per hour or less.
- L&M reverse engineered the applications and found that all customers are given the default password ‘123456’ when they sign up. He used this to access accounts at scale and scrape information including the name and model of the GPS tracking device, the device’s unique IDs, usernames, full names, phone numbers, email addresses and physical addresses.
Vulnerability in Qualcomm chips permits attackers to recover private data and encryption keys
- The flaw, tracked as CVE-2018-11976, impacts how Qualcomm chips handle data processed inside the Qualcomm Secure Execution Environment (QSEE).
- The QSEE is a hardware-isolated area in Qualcomm chips to which the Android OS and app developers can send data for processing in a safe and secure environment, preventing it from being accessed by the OS and other apps. Researcher Keegan Ryan found that Qualcomm’s implementation of the ECDSA signing algorithm leaked information through a side channel, allowing recovery of private keys processed inside the QSEE.
Serious vulnerability in Rockwell controllers permits attackers to redirect users to malicious sites
- The flaw, CVE-2019-10955, impacts Rockwell Automation MicroLogix 1100, MicroLogix 1400 and CompactLogix 5370 controllers.
- It is an open redirect vulnerability in the web server running on these devices. The server accepts user input from the programmable logic controllers’ web interface without validating it, so a remote, unauthenticated attacker can craft a link to the PLC that redirects users from the web server to an arbitrary site.
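What makes a redirect ‘open’ is that the target comes from the request and is passed straight into the Location header. The following is an added example, not Rockwell’s code or the CVE-2019-10955 bug itself: a minimal vulnerable target selector beside a hardened one that only permits same-origin path-and-query targets, rejecting absolute URLs, protocol-relative `//host` and `///host` forms, backslash variants and control characters. The parameter name, default page and test inputs are assumptions.

```python
# Added example: open redirect (vulnerable) vs allow-listed same-origin redirect
# (hardened). Illustrative only, not the affected controllers' firmware.
from urllib.parse import urlsplit

DEFAULT_PAGE = "/index.htm"       # assumed landing page for the example


def redirect_target_vulnerable(next_param):
    """Trusts the user-supplied target verbatim: 'http://attacker.example/'
    goes straight into the Location header, which is the open redirect."""
    return next_param


def redirect_target_hardened(next_param, default=DEFAULT_PAGE):
    """Return a same-origin path (plus query) or the default page.
    Everything that could name another host or scheme is rejected."""
    if not next_param:
        return default
    # CR/LF or other control characters: header injection and parser tricks.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in next_param):
        return default
    # Backslashes are normalised to '/' by browsers ('/\evil' -> '//evil').
    if "\\" in next_param:
        return default
    # '//host' is protocol-relative; browsers also collapse '///host' to a host.
    if next_param.startswith("//"):
        return default
    parts = urlsplit(next_param)
    # Any scheme ('javascript:', 'http:') or authority means off-origin.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    # Keep path and query only; drop the fragment, the server never needs it.
    return parts.path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for probe in ["/status.htm?page=2#top", "http://attacker.example/",
                  "//attacker.example/", "///attacker.example",
                  "/\\attacker.example", "javascript:alert(1)", ""]:
        print(f"{probe!r:30} vulnerable -> {redirect_target_vulnerable(probe)!r:30} "
              f"hardened -> {redirect_target_hardened(probe)!r}")
```

The hardened version deliberately does not try to canonicalise and compare hosts; allowing only a leading-slash path is simpler to reason about and is enough for a device web UI whose pages all live on the controller itself.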
Chrome 74 addresses 39 vulnerabilities
- The update addresses several high-risk flaws including a use-after-free in PDFium (CVE-2019-5805), an integer overflow in ANGLE (CVE-2019-5806), a memory corruption in V8 (CVE-2019-5807), and two use-after-free flaws in Blink (CVE-2019-5808 and CVE-2019-5809).
- Other patched flaws include medium severity issues in Autofill, Blink and the Omnibox on iOS, and two low-risk issues, a ‘CORS bypass in download manager’ and a ‘forced navigation from service worker’.
Serious vulnerabilities discovered in Fujifilm x-ray devices
- Discovered by researchers Marc Ruef and Rocco Gagliardi, the flaws affect Fuji Computed Radiography XC-2 and Capsula X medical imaging products. These devices are used in the healthcare sector worldwide.
- The first vulnerability, tracked as CVE-2019-10948, allows an attacker to cause a denial-of-service condition that requires manual reboot of the device.
- The second vulnerability, tracked as CVE-2019-10950, is related to the lack of authentication mechanisms for Telnet services and can be exploited to access the underlying operating system and possibly gain full control of the vulnerable device.
Zero-day RCE flaw discovered in Oracle WebLogic
- According to Waratek researchers, the Oracle WebLogic wls9_async and wls-wsat components are affected by a deserialization remote code execution (RCE) vulnerability that impacts all WebLogic versions with these components enabled, including the latest one.
228,000 Danish passports have fingerprint data swapped
- Over 200,000 Danish passports were printed with the user’s fingerprint information swapped between the left and right hand. The Danish media have reported that the system used to store the biometric data in the passports’ chips incorrectly stored the passport owner’s left hand fingerprints as their right hand fingerprints, and vice versa.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.