Silobreaker Daily Cyber Digest – 25 October 2019
Apps infected with Ashas adware discovered on the Google Play Store
- ESET researchers uncovered an adware campaign involving 42 apps on the Google Play Store, active since July 2018. The adware involved is tracked by ESET as Android/AdDisplay.Ashas.
- Once launched, the apps begin to communicate with their C2 server and send data about the affected device including device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and ‘Developer mode’ enabled, and whether Facebook and Facebook Messenger are installed.
- The app will not trigger the adware payload if it detects that it is being tested by the Google Play security mechanism. It can also set a custom delay between displaying ads, meaning that a typical testing procedure will not detect any unwanted behaviour. The apps can also hide their icons and create shortcuts instead, complicating their removal from the device.
- The researchers were able to track down the developer of the apps and uncover his identity. All the apps have since been taken down from the Play Store but remain available via third-party app stores.
Source (Includes IOCs)
Phishing campaign targets United Nations and humanitarian organisations
- Lookout researchers discovered an ongoing phishing campaign aimed at non-governmental agencies, including a range of United Nations humanitarian organisations, such as UNICEF.
Source (Includes IOCs)
DDoS attacks launched by threat actors posing as Fancy Bear
- Link11 and Radware observed multiple distributed denial-of-service (DDoS) attacks and blackmail emails against companies in the payment, entertainment and retail sectors from a group claiming to be the Russian hacker group Fancy Bear, also known as APT28. The group appears to choose targets in advance and attacks companies’ backend servers, which tend not to be protected by DDoS mitigation systems.
- The campaign asks for 2 Bitcoin (€14,200) as ‘protection money.’ If this is not paid, the threat actors launch a warning attack that gives the targeted company two to four days to pay before another DDoS attack is launched against them. The warning attacks use multiple vectors, including DNS, NTP, CLDAP and the new attack techniques WS Discovery and Apple Remote Control. No follow-up attacks have been observed yet.
- Fancy Bear is known for major attacks against government agencies, embassies, NATO bases, and political parties, but has never engaged in DDoS attacks. Additionally, the blackmail email appears almost identical to the one used by another group posing as Fancy Bear in 2017. A difference from previous copycat groups is that the current threat actor appears to own a DDoS botnet, whereas the others never actually carried out the attacks.
Australian government warns of Emotet campaign
- The Australian Cyber Security Centre (ACSC) issued an advisory warning of an ongoing Emotet malware campaign against Australian businesses and organisations. The ACSC observed at least 19 successful infections, some of which resulted in the deployment of Trickbot, whilst one against the Victorian health sector led to a Ryuk ransomware attack.
17 apps containing clicker trojan malware found on Apple’s App Store
- Wandera researchers found 17 apps on the Apple App Store infected with clicker trojan malware that simulates user interactions to fraudulently generate ad revenue.
- The apps cover a range of categories, including productivity, platform utilities and travel. All of the apps are published by the same India-based developer, AppAspect Technologies Pvt. Ltd. They also communicate with the same C2 server that was previously discovered by Dr. Web researchers.
- Following Wandera’s discovery, the apps have been removed from the App Store.
Cash App scammers targeting users on Instagram and YouTube
- Tenable researchers reported that scammers are focusing on offers and giveaways promoted on Instagram by the legitimate payment service Cash App. The scammers target Instagram users who comment under official Cash App posts in the hope of winning their giveaways. They lure users into sending them an initial payment, claiming they have the ability to ‘modify transactions in the system’ and asking to be ‘given a cut from the “flip” they perform’.
- On YouTube, scammers were seen claiming to have a way to ‘hack’ Cash App for free money. The videos lead users to ‘human verification’ pages that require them to fill out surveys or install mobile applications. In reality, the scammers profit from these installations through cost-per-install programs.
Hacker forums easily used for business by threat actors
- By tracing a detected malware sample, spread by the RIG exploit kit, to a hacker forum, Check Point researchers were able to analyse the ease with which hackers can use such forums to start their business. In this case, a new forum user was able to start a business within a month by buying existing tools from other forum members.
- The malware sample observed is a version of DarkRat, a RAT that lacks anti-debugging or sandbox evasion techniques, making it ‘pretty amateurish.’ Its code contained a hardcoded Pastebin link, which led to a Base64 string. The researchers believe the Pastebin post is used to obtain a key for decrypting the hard-coded C2 address.
Source (Includes IOCs)
Leaks and Breaches
7-Eleven customer data exposed via its fuel application
- On October 24th, 2019, a 7-Eleven customer discovered that the 7-Eleven Fuel App exposed personal information, including names, email addresses, mobile numbers and dates of birth, to other users. In response, the company took the application offline for several hours to resolve the issue. An investigation into the cause is ongoing.
Johannesburg targeted in ransomware attack
- Johannesburg was hit by a ransomware attack on October 24th, 2019, that shut down its website and online services. Several banks reportedly experienced internet problems at the same time, which is believed to be related to the ransomware attack.
- Several city employees received a ransom note that demands 4 Bitcoins (£23,770) by October 28th. The attackers, who call themselves Shadow Kill Hackers, threatened to publish the compromised data online if the ransom is not received.
Private health data of Geisinger Health Plan members exposed
- The protected health information of Geisinger Health Plan members may have been exposed due to a phishing attack on the company’s business associate Magellan NIA. It is unclear how many members were affected. The attack is believed to have been carried out for spamming purposes, however, unauthorised access to data cannot be ruled out.
- Magellan NIA first discovered the breach on July 5th, 2019 and informed Geisinger Health Plan on September 24th, 2019. Affected members were directly notified by Magellan NIA.
Samsung patches Galaxy S10 fingerprint scanner flaw
- Samsung released a patch for the recently reported flaw in its fingerprint scanner affecting Galaxy S10, S10+, Note 10 and Note 10+. The vulnerability allows anyone to access a phone that uses certain screen protectors via the fingerprint function, as the phone learns the screen protector’s pattern as part of a user’s fingerprint. Only impacted devices will receive the update.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.