Silobreaker Daily Cyber Digest – 26 April 2019
Emotet adds new evasion technique and uses connected devices as proxy C&C servers
- Trend Micro researchers observed recent Emotet trojan samples using different post-infection traffic and attempting to use compromised connected devices as proxy C&C servers.
- According to the researchers, the recent samples, seen since the beginning of April, continue to be spread via spam and are dropped by the Powload trojan.
New Chase Bank phishing scam attempts to steal users’ identity
- MalwareHunterTeam observed a new phishing campaign targeting customers of Chase Bank.
- The scam begins with a phishing page imitating the legitimate login form for Chase online accounts. When a user attempts to log in, the page displays an error claiming that the user's identity needs to be verified.
- The phishing page then presents multiple forms asking the user for personal information including email address, email password, full name, date of birth, home address, phone number, card details, Social Security number, ATM PIN, mother's maiden name and driving licence number. Ultimately, the user is asked to upload a selfie while holding their ID card, as well as scans of both sides of the ID.
New Beapy cryptojacking worm targets Chinese enterprises
- Symantec researchers reported on a new cryptojacking campaign that uses the EternalBlue exploit, together with stolen and hardcoded credentials, to spread rapidly across networks. The campaign was first detected by Symantec in January 2019 and activity has been increasing since the beginning of March.
- The campaign uses a file-based coinminer, dubbed Beapy, with email as the initial infection vector. The malicious emails infect victims with the DoublePulsar backdoor, which is then used to download Beapy.
- Apart from cryptomining, earlier versions of Beapy also targeted web servers. Beapy contains Mimikatz modules for credential harvesting and EternalBlue exploit capabilities, and has also attempted to exploit an Apache Struts flaw, CVE-2017-5638, an Apache Tomcat flaw, CVE-2017-12615, and an Oracle WebLogic Server flaw, CVE-2017-10271.
- The campaign is mostly affecting enterprises in Asia, with over 80% of victims in China and others in South Korea, Japan, and Vietnam.
Source (Includes IOCs)
Lazarus Group campaign targets Mac users
- Researchers at SentinelOne have analysed a Lazarus Group campaign, first identified by Kaspersky Lab, that leverages Word documents and targets both macOS and Windows systems.
- SentinelOne concluded that organisations need to put as much effort into securing macOS devices as they do Windows and Linux, and that the mistaken belief that one operating system is inherently more secure than another is not something businesses can afford.
GoDaddy removes over 15,000 spam subdomains
- Over 15,000 subdomains used as part of a spam operation have been removed by GoDaddy after being discovered by Palo Alto Networks security researcher Jeff White. The subdomains acted as click-throughs from spam emails, selling products backed by bogus celebrity endorsements to generate revenue for the actor behind the operation.
- GoDaddy also reset the passwords of compromised accounts and informed the impacted users.
Leaks and Breaches
Cleveland airport suffers ransomware attack
- Cleveland Hopkins International Airport has suffered a ransomware attack affecting its email, payroll and record-keeping systems. It is not currently known which ransomware variant was involved; a press release referred only to 'technical issues impacting a small number of systems', including departure, arrival and baggage information screens.
- The airport has reassured passengers that other systems are functioning as normal and that there is no impact on flights or on safety and security operations.
DMS suffered from GandCrab attack in 2018
- A statement released by Doctors' Management Services (DMS) says that it suffered a GandCrab ransomware attack on December 24th, 2018, and that as a result some personally identifiable information of its clients' patients may have been accessed by a third party. This information included names, addresses, dates of birth, medical information and insurance details.
- The intrusion appears to have begun in April 2017, when an attacker gained access via a Remote Desktop Protocol attack on a single endpoint, but no other malicious activity was detected until the GandCrab incident. DMS declined to pay the ransom and instead restored its systems from backups.
- DMS has published a list of 38 medical practices whose patient data was involved in the breach, and states that it is now working on its network security to help prevent such incidents in the future.
Amnesty International suffers alleged state-conducted cyber attack
- Amnesty stated that its Hong Kong office has been the target of a cyber attack spanning many years, conducted by an APT group with links to the Chinese government. The compromise was first discovered in mid-March 2019 during a planned IT infrastructure migration.
- External cyber-forensic experts claim that they were able to establish a link between the attack infrastructure and 'a known APT group' whose campaigns are associated with the Chinese government. The investigation is ongoing, and Amnesty states that a technical report will be released at a later date.
- Amnesty International has contacted individuals who may be at risk as a result of their details being accessed, but stated that no financial information was compromised.
JasperLoader targets Italy with Gootkit banking trojan
- Cisco Talos researchers detected a new campaign primarily targeting central European countries, particularly Germany and Italy. The campaign employs a multi-stage loader dubbed JasperLoader that ultimately infects victims with Gootkit banking trojan.
- The campaign leverages a legitimate certified email service, Posta Elettronica Certificata (PEC), to distribute malicious emails. The use of message signing has been described as 'a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments'.
Source (Includes IOCs)
Multiple vulnerabilities found in Sierra Wireless AirLink ES450
- Cisco Talos researchers reported multiple flaws in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise deployments such as retail point-of-sale or industrial control systems. The vulnerabilities could permit attackers to carry out remote code execution, change admin passwords and expose user credentials.
- The majority of the flaws exist in the ACEManager web server included in the ES450. They include a command injection flaw, tracked as CVE-2018-4061, that could permit arbitrary command execution.
- In total, 11 vulnerabilities were discovered and have been patched. The flaws affect multiple Sierra Wireless devices including the GX400, ES/GX440, LS300, ES/GX450, MP70, RV50/50X and LX40/60X.
Vulnerabilities discovered in Android-based Sony smart TVs
- Tracked as CVE-2019-11336, the first vulnerability allows an attacker to retrieve the Wi-Fi password from the Photo Sharing Plus application when it is launched. The second, CVE-2019-10886, allows an attacker to read arbitrary files, including images, from the TV's software without any authentication.
- Leveraging these vulnerabilities would allow an attacker to upload their own content to the TV or to pilfer content from its owner.
New report finds 500% increase in ransomware attacks against businesses over last year
- According to Malwarebytes Labs' report for Q1 2019, threats against corporate targets increased by 235% over the past year. Detections of Emotet increased by over 200% since Q4 2018 and by almost 650% over the past year.
- Between Q4 2018 and Q1 2019, ransomware detections increased by 195%, and by 500% since Q1 2018. The report also found a rapid decrease in cryptomining against consumers, an increase in adware attacks against mobile and Mac devices, and that the US leads global threat detections with 47%, followed by Indonesia at 9% and Brazil at 8%.
Amazon Alexa team can access user data
- It is alleged that an Amazon Alexa team that audits user commands can access location data and find customers' home addresses by mapping geographic coordinates captured by the device. The team exists to transcribe, annotate and analyse a portion of the Alexa voice recordings collected by the device. This was shown to Bloomberg by an Amazon team member.
Used drives leaking sensitive data on eBay
- Researchers at Blancco Technology Group reported that 42% of used drives sold on eBay contained sensitive data, with 15% containing personally identifiable information, even though sellers stated that they had used proper data sanitization methods.
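As an added example (not from the Blancco report or this digest), the check below is what a buyer or seller can run to confirm a drive is actually blank rather than trusting that a quick format or file deletion did the job. It samples fixed-size blocks at evenly spaced and random offsets and reports any block that is not all 0x00 or all 0xFF. The two image files it builds are constructed here to stand in for a wiped drive and for a 'quick formatted' drive whose old file contents remain; the patient record in them is invented.

```python
"""Added example: sample-based check for residual data on a 'sanitised' drive.

Reads fixed-size blocks at evenly spaced offsets plus a random sample and
reports the offsets of any block that is not blank (all 0x00 or all 0xFF).
Point it at a block device opened read-only (e.g. /dev/sdb) or at an image
file. The demo images below are constructed for illustration.
"""
import os
import random
import tempfile

BLOCK = 4096


def is_blank(block):
    """True if every byte is 0x00 or every byte is 0xFF (erased NAND)."""
    return block == b"\x00" * len(block) or block == b"\xff" * len(block)


def scan_for_residue(path, samples=256, seed=0):
    """Return the byte offsets of sampled blocks that still hold data.

    Coverage is probabilistic: a single live block can be missed. Increase
    `samples` (or read the whole device) before trusting a clean result.
    """
    hits = []
    rng = random.Random(seed)  # fixed seed so a report can be reproduced
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)  # works for block devices, unlike getsize()
        nblocks = f.tell() // BLOCK
        if nblocks == 0:
            return hits
        stride = max(1, nblocks // samples)
        offsets = set(range(0, nblocks, stride))  # even coverage of the device
        offsets.update(rng.randrange(nblocks) for _ in range(samples))  # plus random picks
        for blk in sorted(offsets):
            f.seek(blk * BLOCK)
            if not is_blank(f.read(BLOCK)):
                hits.append(blk * BLOCK)
    return hits


def build_demo_images(dirname, nblocks=1024):
    """Construct two sample images: one fully zeroed, one 'quick formatted'
    where only the filesystem header was cleared and old records remain."""
    size = nblocks * BLOCK
    wiped = os.path.join(dirname, "wiped.img")
    with open(wiped, "wb") as f:
        f.truncate(size)  # sparse file, reads back as zeros
    quick = os.path.join(dirname, "quick_format.img")
    record = b"Patient: Jane Doe, DOB 1970-01-01, policy 12345\n"  # constructed data
    with open(quick, "wb") as f:
        f.truncate(size)
        f.seek(200 * BLOCK)  # leftover file content occupies blocks 200..207
        f.write((record * (8 * BLOCK // len(record) + 1))[:8 * BLOCK])
    return wiped, quick


def demo():
    """Scan both constructed images and return the hit lists."""
    with tempfile.TemporaryDirectory() as d:
        wiped, quick = build_demo_images(d)
        return {"wiped": scan_for_residue(wiped), "quick": scan_for_residue(quick)}


if __name__ == "__main__":
    for name, hits in demo().items():
        status = "clean in sample" if not hits else f"{len(hits)} dirty blocks, first at {hits[0]:#x}"
        print(f"{name}: {status}")
```

A clean result from a sample is evidence, not proof; a full sequential read is the only way to be certain, and drives with hidden or remapped areas (HPA/DCO, SSD over-provisioning) cannot be verified through the block interface at all.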
Researchers analyse Carbanak’s desktop recording capability
- In the final post of a series documenting the Carbanak toolset, FireEye researchers analysed the Carbanak backdoor's capability to record victims' desktops. According to the researchers, this allowed the attackers to learn their targets' daily workflows and tailor their approach to remain undetected.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.