Silobreaker Daily Cyber Digest – 26 November 2019
Researchers analyse recent Donot Team campaign
- Researchers at Positive Technologies analysed one of the attack vectors recently used by the threat actor Donot Team, also known as APT-C-35 or SectorE02. The group has been active since at least 2012 and recent activity in 2019 saw them targeting a number of countries, including Bangladesh, Thailand, India, Sri Lanka, the Philippines, Argentina, the United Arab Emirates and Great Britain.
- The initial infection vector of the recent campaign is not known, but is suspected to be phishing messages. A victim is sent a non-malicious Microsoft Word document in Office Open XML format that ‘abuses the external elements autoloading capability’. The vulnerability CVE-2018-0802 found in Microsoft Equation is then exploited via an RTF document, after which the main shellcode is loaded.
- The group is known for using its own tools for every stage of attack and making use of a number of techniques, which makes code analysis more difficult. The researchers also note that Donot Team tends to carry out multiple attacks on the same target, which could indicate that their tactics and techniques are not very successful.
Source (Includes IOCs)
Push notifications used for ad-fraud and phishing scams
- Throughout 2019 researchers at Kaspersky recorded a rise in the number of adverts and scams distributed via push notifications. The malicious actors behind these scams trick users into enabling the notification via a variety of tactics. These include trying to pass the confirmation window off as a CAPTCHA, blocking access to the site until the user accepts the notification, pretending that the push notifications are related to content the user wishes to see, and more.
- The researchers identified scam notifications that related to offers of money, lottery wins, or online surveys. The majority of these notifications were related to phishing scams which attempted to gain money from the target.
Source (Includes IOCs)
MuddyWater observed using Excel files in spear phishing campaign
- RSA Link researchers observed MuddyWater delivering malicious Excel files in a new wave of attacks in October and November 2019. MuddyWater are believed to be linked to Iran and have previously targeted organisations in the telecommunications, government and oil sectors in the Middle East.
- Similar to previous spear phishing attacks using infected Word documents, a victim is prompted to enable macros. Following this, two malicious files are dropped, including an executable that loads a VB script, which connects to the group’s domain.
Source (Includes IOCs)
SDKs found to be collecting personal information of Twitter and Facebook users
- According to Twitter and Facebook, two software development kits (SDKs) used by third-party iOS and Android apps accessed users’ profiles and covertly collected data. The SDKs in question are from oneAudience for Twitter and Facebook, and MobiBurn for Facebook.
- Both companies’ SDKs allegedly harvested profile information such as names, genders, and email addresses, as well as Tweets in the case of oneAudience. In a public statement, MobiBurn said that it does not collect, share or monetise any data from Facebook, noting that it has no access to any data collected by mobile application developers using its SDK.
- Facebook has removed the relevant apps and Twitter informed Google and Apple of the issue. Twitter noted that no evidence was found indicating that the SDK targeted iOS users.
Researchers observe large-scale scanning for exposed Docker instances
- Bad Packets LLC researchers observed a large increase in scanning activity looking for exposed Docker API endpoints. More than 59,000 IP networks were scanned by the threat actors.
- Once an exposed API endpoint is discovered, the threat actors start an Alpine Linux OS container and run commands that execute a script to install an XMRig cryptocurrency miner. According to Bad Packets co-founder Troy Mursch, the threat actor has already mined 14.82 Monero coins ($740).
- Mursch also noted that the threat actor disables security products via a downloaded script and shuts down any processes associated with other cryptocurrency-mining botnets. Additionally, a malicious script was found that scans an infected host for rConfig configuration files and is used to encrypt, steal and send the files to the threat actor’s C2.
New web-skimming group makes use of phishing and card skimming
- RiskIQ researchers analysed a web-skimming group, dubbed Fullz House, using both phishing and card skimming attack techniques. There has been an increase in the group’s activity since August and September 2019. Malwarebytes Labs have previously analysed a campaign by this group targeting the Australia Commonwealth Bank.
- The group created their own skimmer, which works by ‘hooking to every input field…and waiting for an input change to check if there’s data to steal’. Once payment data is found it is exfiltrated to the ‘drop location’, and is packaged and disguised as an image on the page. In addition, the group also use a technique that performs a Man-in-the-Middle attack on e-commerce transactions. For this, the same domains used for the skimmers are deployed, as well as a fake page that mimics a known payment processor.
- The group’s two activities are kept largely separate to avoid detection. However, some overlap was found in their domain-to-IP address resolution data, as well as their ‘sales platforms’ and theft of card or payment credentials.
Source (Includes IOCs)
Leaks and Breaches
Unprotected Vistaprint database exposes customer records
- Security researcher Oliver Hough discovered an unencrypted database belonging to Vistaprint containing information on customers from the US, the UK and Ireland. The database was first discovered on November 5th, 2019, but may have been exposed for longer. The company has since taken the database offline.
- The data found was split into five tables storing over 51,000 customer service interactions, including details on calls to customer services, online support chats and full email threads. This includes written transcripts of phone conversations, as well as information about a customer’s browser and network connection, location, what operating system was used and their internet provider.
- Additionally, the database exposed personally identifiable information, including names, email addresses, phone numbers, and more. No financial data or passwords were exposed.
New York Police Department fingerprint database taken offline in 2018 due to ransomware
- The New York Post reported that the NYPD’s LiveScan fingerprint tracking database was temporarily taken offline due to a ransomware incident which occurred on October 5th, 2019. The incident was triggered by a contractor who connected an infected NUC mini-PC while setting up a digital display.
- The infected device spread the unidentified ransomware; however, it still failed to execute on 23 machines which were linked to LiveScan. In addition to temporarily taking LiveScan offline, the NYPD reinstalled software on 200 city computers.
Smart watch for children exposes sensitive data
- AV-TEST Institute researchers discovered an unprotected server belonging to smart watch manufacturer Shenzhen Smart Care Technology Ltd that exposes the private data of children wearing its SMA-Watch-M2. The researchers also discovered that a config file in the accompanying app can be used to transfer any account data exposed via the Web API by merely entering a user ID into the config file. The company has been informed; however, the server remains unsecured at present.
- Exposed data includes names, addresses, ages and images of over 5,000 children. Additionally, all voice messages and real-time GPS position data are exposed, as is the personal data of over 10,000 parent accounts.
Splunk contains timestamp recognition problem
- Splunk has warned that unpatched Splunk platform instances will incorrectly index data due to a timestamp issue. The issue, which will begin to impact instances on January 1st, 2020, affects all unpatched Splunk platform types on all operating systems.
- Unpatched systems could incorrectly timestamp incoming data, incorrectly retain data, give incorrect search results due to wrong timestamps, or cause the incorrect rollover of data buckets.
Fortinet uses weak encryption and hardcoded keys to communicate with cloud services
- Researchers at SEC Consult Vulnerability Lab discovered a vulnerability, tracked as CVE-2018-9195, in multiple Fortinet products, including FortiGate and FortiClient. The flaw is related to weak XOR encryption and hardcoded cryptographic keys used by these products to communicate with FortiGuard services including FortiGuard Web Filter, FortiGuard AntiSpam, and FortiGuard AntiVirus.
- An attacker could exploit the vulnerability to eavesdrop on a user’s activity and to manipulate responses for Web Filter, AntiSpam, and AntiVirus. The researchers developed a proof-of-concept for the vulnerability which demonstrated the feasibility of the attack.
Apache Solr bug more dangerous than previously thought
- Researchers at Tenable assert that a configuration flaw in Apache Solr, tracked as CVE-2019-12409, affects more versions of the software than previously thought. The issue, which was thought trivial when first discovered, was later found to lead to remote code execution when an attacker used velocity templates.
- On November 18th, 2019, Apache Solr stated that the flaw impacted versions 8.1.1 and 8.2.0 for Linux. However, Tenable researchers state that the vulnerability impacts Apache Solr versions 7.7.2 through to 8.3. The researchers also speculate that older versions that include the Config API could be vulnerable.
Multiple Mobile Apps still impacted by GIF processing vulnerability
- Researchers at Trend Micro identified over 3,000 applications on the Google Play Store which still contain a vulnerability, tracked as CVE-2019-11932, that has since been patched. The flaw, which was discovered in October 2018 by ‘Awakened’, exists in the library of the ‘android-gif-drawable’ package, and allows an attacker to use maliciously crafted GIF files to perform remote code execution.
- Despite now being patched, many app developers have failed to apply the update. In addition to vulnerable applications on the Google Play Store, the researchers found a number of third-party app stores which also contain vulnerable applications.
Twitter changes 2FA policy to reduce risk of SIM Swap
- Twitter announced changes to their two-factor authentication (2FA) system, which will now allow users without a phone number to use 2FA. The new policy means that users can choose to make use of any 2FA system that supports the FIDO2 WebAuthn protocol.
- The policy change follows an attack on the Twitter account of CEO Jack Dorsey in August 2019. The attackers were able to access Dorsey’s account by performing a SIM swap attack.
Bluetooth pump skimmer used in combination with pinhole camera
- Brian Krebs reported on a fuel pump attack of a kind he had not previously seen, which made use of a Bluetooth skimmer in combination with a pinhole camera. The attacker installed a Bluetooth-based card skimmer into the pump card reader which could transmit stolen card data wirelessly.
- To circumvent the pump’s encrypted PIN pad, the attacker installed a fake panel which contained a pinhole camera. The camera saved memory space and battery life by only recording when motion was detected.
- Detective Matt Jogodka of the Las Vegas Police Department, who provided details of the attack, also stated that it was the first time that he had seen a camera and skimmers used in combination on a petrol pump.
The Silobreaker Team