Silobreaker Daily Cyber Digest – 25 January 2019
New campaign delivers Ursnif banking trojan
- Discovered by Cisco Talos, the Ursnif banking trojan is delivered via Microsoft Word documents containing a malicious VBA macro.
- Ursnif was observed aiming for fileless persistence, which prevents traditional antivirus techniques from separating its C&C traffic from normal traffic. The trojan was also seen compressing its data into CAB files before exfiltration, which makes it even more difficult to stop.
New Exit Map spam campaign pushes GandCrab ransomware
- The new campaign uses spam emails that contain malicious Word documents pretending to be the current emergency exit map for the recipient’s building. The malicious documents download and install GandCrab ransomware from a remote computer.
- The emails carry the subject ‘Up to date emergency exit map’, and the malicious Word document is titled Emergencyexitmap[.]doc. If content is enabled, the Word macro executes a PowerShell script that downloads and installs GandCrab v5.1 ransomware.
Netskope detected targeted attacks abusing Google Cloud platform
- The research team detected several themed attacks across 42 customers, targeted predominantly at the banking and finance sectors, that used Google App Engine on the Google Cloud Platform (GCP) to deliver malware via PDF decoys.
- The PDF decoys abused a URL redirection on GCP so that the link to the malicious payload appeared to point to a Google App Engine URL, suggesting to the victim that the file was delivered from a trusted source.
- Further research led Netskope researchers to attribute the attacks to the Cobalt Strike hacker group.
Attackers use Bit-and-Piece DDoS attacks to evade detection
- In a newly released threat report, Nexusguard details how threat actors are leveraging a new distributed denial-of-service (DDoS) attack pattern, dubbed Bit-and-Piece, that consists of spreading out junk traffic across a large number of IP addresses to evade detection.
- In this attack scenario, threat actors are believed to be conducting extensive reconnaissance operations to map out the network landscape and identify vulnerable IP address ranges.
Leaks and Breaches
70,000 patients’ data was compromised in Kansas addiction treatment centers
- The Valley Hope Association treatment centers were compromised by a phishing attack that occurred in October 2018. The hackers logged into an employee’s email account and gained access to emails and file attachments.
- Data compromised included patient names, addresses, medication information, financial information and more.
- 16 facilities in Kansas, Missouri, Nebraska, Arizona, Oklahoma, Texas and Colorado were affected.
Ransomware targets Sammamish city hall and Salisbury police department
- The city of Sammamish, Washington, and Salisbury, Maryland, were both targeted in January 2019 by severe ransomware attacks.
- The Sammamish attack on 23 January resulted in large portions of the city’s networks being shut down, which restricted access to many records.
- The Salisbury attack took place on 9 January, after which negotiations with the hackers began but swiftly broke down. The attack was the third to target Salisbury’s police in the last five years.
100,000 Alaskan households’ data compromised
- Households who had applied to the Alaska State Department of Health and Social Services for public assistance had their data breached in spring 2018. The Zeus trojan attack, undertaken by suspected Russian hackers, was initially believed to affect only 500 Alaskans, but actually affected over 100,000 households.
- Compromised information included names, Social Security numbers, birth dates, addresses, health information and more.
Bancolombia payment details exposed through unsecure Elasticsearch database
- Researcher Bob Diachenko discovered an unprotected Elasticsearch database that exposed an unknown amount of credit card details of Bancolombia customers. In an official response to the incident, Bancolombia claimed they had ‘not been breached’ but disabled 3,000 credit cards as a preventive measure.
Microsoft Exchange vulnerable to privilege escalation attack
- Security researcher Dirk-jan Mollema discovered that Microsoft Exchange is granted high privileges in the Active Directory domain by default, which means any user could modify domain privileges to become admin.
- An attacker could thus impersonate Active Directory users by synchronizing their hashed passwords, and then authenticate to any service that uses Microsoft’s NTLM or Kerberos authentication protocols.
Fortinet release analysis of vulnerability in QuartzCore
- The flaw, tracked as CVE-2019-6231, is an image handling integer overflow vulnerability in the QuartzCore (also known as CoreAnimation) framework used by macOS and iOS to create animatable scene graphics. It could allow a malicious application to read restricted memory.
- In their blog post, Fortinet provide a proof-of-concept (PoC) to trigger the issue and debug the vulnerability to identify the root cause.
Check Point fixes privilege escalation bug in ZoneAlarm antivirus solution
- A security issue has been discovered in Check Point’s free edition of ZoneAlarm antivirus and firewall solution.
- Illumant researcher Chris Anastasio discovered a .NET application that exposed a Windows Communication Foundation (WCF) service. The WCF service ran with SYSTEM rights, which a local attacker could exploit to elevate privileges.
- The flaw could allow a user with limited rights to inject and execute code with the highest privileges.
Remote code execution flaw unfixed in NumPy
- The current version of the NumPy library relies on an unsafe default in a Python module that could lead to remote code execution in the context of the affected application. NumPy is a Python library widely used in scientific computing, and the flaw, tracked as CVE-2019-6446, affects NumPy versions 1.10 to 1.16.
- The problem lies in the ‘pickle’ module, which is used for serialising Python object structures into a format that can be stored on disk or in databases. If a Python application loads malicious data via the ‘numpy.load’ function, an attacker could obtain remote code execution on the machine.
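As an added example (not from the digest or from NumPy itself), the following defender-side check parses a .npy header and refuses any file whose dtype would force `numpy.load` to unpickle, which is the code path the item describes; the minimal .npy writer and the three sample blobs are constructed here for illustration.

```python
import ast
import pickle
import struct

NPY_MAGIC = b"\x93NUMPY"

def npy_header(data: bytes) -> dict:
    """Parse the header dict of a .npy file (format versions 1.0 and 2.0)."""
    if not data.startswith(NPY_MAGIC):
        raise ValueError("not a .npy file")
    major = data[6]
    if major == 1:
        (hlen,) = struct.unpack("<H", data[8:10])
        start = 10
    elif major == 2:
        (hlen,) = struct.unpack("<I", data[8:12])
        start = 12
    else:
        raise ValueError("unsupported .npy format version %d" % major)
    text = data[start:start + hlen].decode("latin1")
    # literal_eval parses the dict literal without executing code; eval() would not be safe here.
    return ast.literal_eval(text)

def _has_object(descr) -> bool:
    """True if a dtype descriptor ('|O', 'O8', or a structured field list) contains Python objects."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, list):  # structured dtype: [(name, dtype[, shape]), ...]
        return any(_has_object(field[1]) for field in descr)
    return False

def requires_pickle(data: bytes) -> bool:
    """True if numpy.load would have to unpickle this file, i.e. it must not be loaded from an untrusted source."""
    return _has_object(npy_header(data)["descr"])

def build_npy_v1(descr, shape: tuple, payload: bytes) -> bytes:
    """Constructed sample .npy (version 1.0) writer for this example; not NumPy's own code."""
    header = ("{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)).encode("latin1")
    pad = 64 - (10 + len(header) + 1) % 64  # NumPy pads the header to a 64-byte boundary
    header += b" " * pad + b"\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header + payload

# Constructed samples: a plain int32 array, an object array (pickled payload) and a structured
# dtype with an object field. Only the first is safe to load from an untrusted source.
INT_ARRAY = build_npy_v1("<i4", (3,), struct.pack("<3i", 1, 2, 3))
OBJECT_ARRAY = build_npy_v1("|O", (2,), pickle.dumps(["constructed", "payload"]))
STRUCTURED = build_npy_v1([("id", "<i4"), ("meta", "|O")], (1,), b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in [("INT_ARRAY", INT_ARRAY), ("OBJECT_ARRAY", OBJECT_ARRAY), ("STRUCTURED", STRUCTURED)]:
        print(name, "needs pickle:", requires_pickle(blob))
```

The header check complements, rather than replaces, passing `allow_pickle=False` to `numpy.load` on the affected versions; with that flag set, object-dtype files fail to load instead of being unpickled.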
Vulnerabilities discovered in Moxa IIoT product
- Kaspersky Lab discovered seven flaws in Moxa’s ThingsPro 2, an IIoT gateway and device management solution that allows organisations to collect and analyse data from industrial control systems (ICS). The flaws could be exploited to obtain elevation of privileges, execute arbitrary commands, access industrial networks and take control of devices.
- Moxa ThingsPro was created to enable access to industrial systems from the internet, therefore the vulnerabilities could be exploited remotely.
- While researching the flaws, Kaspersky also discovered a user enumeration issue that lets an attacker find valid usernames and then brute-force the associated passwords. An attacker could also use hidden authentication tokens to gain entry to the ThingsPro administration interface.
Researchers report increase in automated attacks targeting cloud infrastructures
- Securonix researchers reported on the increasing number of multi-vector and multi-platform automated attacks against cloud infrastructures over the last few months. These attacks are often a combination of cryptomining, ransomware and worms or botnets. One of the most common tools used in these attacks is the XBash worm.
- According to their new report, attackers often gain access to systems by exploiting unpatched flaws or insecure configurations in services like Redis, Apache Hadoop or Apache ActiveMQ. They have also been observed launching brute-force attacks against a large number of services such as MySQL, MongoDB, Memcached, Elasticsearch, Oracle Database, and more.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.