Silobreaker Daily Cyber Digest – 26 September 2019
Researchers analyse new sample of GMERA.B
- Trend Micro recently discovered the two macOS malware variants GMERA.A and GMERA.B, which disguise themselves as the legitimate trading app Stockfolio. Researchers at SentinelOne analysed a new sample of GMERA.B that was not mentioned in the previous research.
- The researchers found that the malware variant ships the malicious Stockfoli[.]app with an Info.plist carrying at least two bundle identifiers crafted to look like genuine Apple bundles; in each, the word ‘apple’ is spelled with a capital ‘I’ in place of the lowercase ‘l’. The lookalike identifier is intended to make the process appear benign to victims and may cause security tools that key on the bundle identifier to skip a check of Apple’s code signature.
- The researchers noted that the malware itself offers nothing new in terms of tools, tactics and procedures, yet it remains largely undetected by the majority of well-known anti-virus solutions.
Magecart group targeting L7 routers
- Researchers at IBM discovered that the criminal gang Magecart Group 5 (MG5) is testing code that is likely designed to compromise layer 7 (L7) routers of the kind used by hotels, resorts, airports and similar venues.
- The researchers state that the group is trying to take advantage of the large number of transient users who pass through L7 routers by infecting the JavaScript libraries the routers serve. The group could then steal guests’ payment data and display malicious adverts to every user who connects to the internet through the router.
Phishing campaign uses percentage-based URL encoding to avoid antivirus products
- Security researchers at Cofense identified a phishing campaign that is successfully bypassing secure email gateways in an attempt to direct users to a fake Office 365 login page.
- The attack begins with a malicious email that is sent from the compromised account of a recognizable American brand. The email contains a hyperlink which targets are encouraged to access in order to view an invoice.
- The URL is made up of two parts: the first section is benign and instructs Google to query the second part of the URL, which is the real destination. The second section is obscured with percent-based URL encoding, in which each ASCII character is replaced with a ‘%’ sign followed by the character’s two-digit hexadecimal code. When a user clicks the link, most browsers decode the string back to ASCII and send the user on to the phishing page. The technique defeats basic URL and domain checks because such checks see only the benign first part of the link, never the decoded destination.
Source (Includes IOCs)
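The following Python script is an added example, not code from the Cofense report, showing why a check on the visible domain is not enough: it percent-decodes the embedded destination of a redirector-style link (including attacker-supplied double encoding, which the report does not mention but which the same decoder handles) and compares the host the user will actually land on against the host a basic check sees. The sample links, the parameter names and the hostnames such as `login-0ffice365.example` are constructed for illustration.

```python
"""Percent-decoding check for redirector-style phishing links (added example).

Given a URL whose first part is a benign redirector and whose second part is a
percent-encoded destination, decode the embedded destination so that a domain
check looks at where the user will land rather than at the redirector's host.
All sample URLs and hostnames below are constructed for illustration.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that redirectors commonly use to carry the target.
# Assumption: illustrative, not an exhaustive list.
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target", "dest")

MAX_DECODE_ROUNDS = 5  # bound the loop; nested encoding is attacker-controlled


def fully_unquote(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the value stops changing.

    A single unquote() matches one browser hop; an attacker can encode the '%'
    signs themselves ('%2568' -> '%68' -> 'h'), so decode until stable.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_destination(url: str) -> Optional[str]:
    """Return the decoded destination carried by a redirector link, or None.

    Handles a destination in a percent-encoded query parameter and one appended
    to the path (e.g. 'https://benign.example/redirect/https%3A%2F%2F...').
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    for name in REDIRECT_PARAMS:
        for raw in params.get(name, []):
            candidate = fully_unquote(raw)
            if candidate.startswith(("http://", "https://")):
                return candidate
    decoded_path = fully_unquote(parts.path)
    for scheme in ("https://", "http://"):
        idx = decoded_path.find(scheme, 1)
        if idx != -1:
            return decoded_path[idx:]
    return None


def landing_host(url: str) -> str:
    """Host the user actually lands on after the redirector resolves the link."""
    dest = embedded_destination(url)
    return urlsplit(dest if dest else url).hostname or ""


def is_suspicious_redirect(url: str, trusted_hosts: set[str]) -> bool:
    """True when the visible host is trusted but the decoded destination is not."""
    visible = urlsplit(url).hostname or ""
    final = landing_host(url)
    return visible in trusted_hosts and final not in trusted_hosts and final != visible


# Constructed sample in the shape the report describes: benign first part,
# percent-encoded second part pointing at a hypothetical fake Office 365 page.
SAMPLE_LINK = (
    "https://www.google.com/url?q="
    "https%3A%2F%2Flogin-0ffice365.example%2Finvoice%2Fview%3Fid%3D4411"
)
# Same destination, but the '%' signs were encoded a second time (constructed).
DOUBLE_ENCODED_LINK = (
    "https://www.google.com/url?q=https%253A%252F%252Flogin-0ffice365.example%252F"
)

if __name__ == "__main__":
    trusted = {"www.google.com"}
    for link in (SAMPLE_LINK, DOUBLE_ENCODED_LINK):
        verdict = "suspicious" if is_suspicious_redirect(link, trusted) else "ok"
        print(f"{urlsplit(link).hostname} -> {landing_host(link)}: {verdict}")
```

Run it over links extracted from mail bodies: a check that only consults `urlsplit(link).hostname` would allow both samples because the visible host is `www.google.com`, whereas `landing_host` exposes the decoded destination, which is what a domain allow- or block-list should be applied to.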
Researchers discover high-volume spam campaign
- Researchers at Trustwave have observed multiple spam campaigns originating from across the globe; all of the messages, however, are sent by the same spambot. The campaign, dubbed Chameleon, sends messages with randomised headers and a variety of templates. It is unclear which malware is behind the campaign.
- Once a user clicks on the link, they are redirected to a site hosting Canadian Pharmacy pill spam and, in some cases, to Bitcoin purchase sites. The researchers believe the campaign could shift from spam to serving phishing or malware in the future.
Suspected Chinese APT targets Southeast Asian tech companies
- Researchers at Cylance have identified a suspected Chinese APT conducting a stealthy campaign aimed at achieving long-term persistence in the systems of Southeast Asian tech companies. The researchers did not attribute the campaign to any group, but indicated that the choice of victims and the use of certain tools bear a similarity to the activity of Tropic Trooper.
- To establish a foothold on a target’s machine, the attackers use a version of the open source PcShare backdoor. The threat actor has added C2 encryption and proxy bypass functions, and the malware uses a custom DLL side-loading technique in which it is loaded by the legitimate ‘Nvidia Smart Maximise Helper Host’ application.
- Following the initial infection, the attackers deploy post-exploitation tools including a custom trojan, dubbed Fake Narrator, which replaces the Narrator ‘Ease of Access’ feature in Microsoft Windows. Because the accessibility feature can be launched from the logon screen, the trojan gives the attackers SYSTEM-level privileges and control of the target system without valid credentials.
Trickbot used to send malicious emails from infected systems
- Researchers at FortiGuard discovered a malicious email sent from an electrical component manufacturer to a company that provides logistics services to a nation state. The email was sent from an employee’s account without their knowledge; the two companies had likely exchanged legitimate messages prior to the attack.
- The researchers stated that the sender was likely infected with Trickbot, which now features a component that harvests email addresses from victims and sends out spam from their accounts.
- The Trickbot operators attached an MS Office document containing a malicious macro, hidden by setting the script’s font to white. Targets who enabled macros would inadvertently run a script that gathers system information and downloads and executes additional malware.
Source (Includes IOCs)
Leaks and Breaches
Northshore School District hit by cyberattack
- A cyberattack on Northshore School District, Washington, on September 20th, 2019 is believed to have been a ransomware attack. As a precaution, the district disabled its phone communication systems and email servers. No evidence was found that information related to staff or students was accessed.
Personal data of Ecuadorians leaked again
- Security researchers Ran Locar and Noam Rotem, who had discovered the first leakage, found the data on a server hosted in Germany and used by the Ecuadorian company DataBook. The database was taken down on September 25th, 2019.
- Personal data stored on the database included names, addresses, workplace, family members, phone numbers, and more of approximately 20 million Ecuadorian citizens. Locar noted that the data appears similar to the previously discovered data, however it may not be the same.
Heyyo App data leak exposes private data of over 70,000 users
- White-hat hacker Avishai Efrat of WizCase discovered an unsecured Elasticsearch database belonging to the Turkish dating app Heyyo that contained 600MB of data and roughly 77,000 records. Private information of over 70,000 of its users was exposed, and according to Efrat, the number of exposed users grew by 7.7% during the investigation, indicating the database was still being written to.
- Exposed data included usernames, email addresses, GPS location, dates of birth, messages, photos, sexual preferences, occupation, and more. The most affected users are from Turkey, Brazil, and the US.
- According to ZDNet, the owners of the database did not respond to inquiries for a week, after which Turkey’s CERT was notified. The database has since been taken offline. It is unclear whether anyone besides ZDNet and WizCase accessed the exposed data.
High-severity vBulletin vulnerability exploited in the wild
- Hackers have begun to exploit a vulnerability in vBulletin that allows attackers to inject commands and execute code remotely. The flaw was published by an anonymous hacker on September 23rd, 2019; if exploited, it allows an attacker to take control of servers running vBulletin. The vulnerability has been described as ‘severe and easy to exploit’.
- Security researcher Troy Mursch found that hackers are already using botnets to exploit the vulnerability, and some users are reporting that they have been hacked. Zerodium CEO Chaouki Bekrar stated that the vulnerability had been circulating privately for three years.
- vBulletin released a patch for the issue on September 25th, 2019.
Rich Reviews WordPress plugin vulnerability actively exploited
- The Rich Reviews plugin is still running on an estimated 16,000 websites, despite being removed from the WordPress repository over six months ago. The plugin is impacted by a flaw which is caused by a ‘lack of access controls for modifying the plugin’s options, and a subsequent lack of sanitization on the values of those options’.
- Attackers are taking advantage of the issue to deliver XSS payloads which inject malvertising code into vulnerable websites.
- Due to the removal of the Rich Reviews plugin from the WordPress repository, the developers are unable to deploy a fix until the plugin is reinstated.
Source (Includes IOCs)
Cisco issues security advisories for XSS vulnerabilities
- Two cross-site scripting (XSS) vulnerabilities in Cisco IOS and Cisco IOS XE Software, tracked as CVE-2019-12668 and CVE-2019-12667, could allow an authenticated remote attacker to carry out stored XSS attacks against users of the web interface. The flaws have been patched with the release of software updates.
Decryptors released for Yatron and FortuneCrypt
- On September 25th, 2019, Kaspersky released decryptors for Yatron ransomware and FortuneCrypt ransomware. The majority of Yatron attacks occurred in Germany, China, the Russian Federation, India and Myanmar. Mistakes in its cryptographic scheme allowed researchers to develop the decryptor.
- FortuneCrypt ransomware is notable for being written in Blitz BASIC. The top five countries targeted in FortuneCrypt attacks are the Russian Federation, Brazil, Germany, South Korea and Iran. The researchers found that encrypted files can be recovered with ease due to FortuneCrypt’s weak cryptographic scheme.
Simple applications on Google Play overcharge users after free trial period
- Researchers at Sophos identified several apps on Google Play that charge users exorbitant fees after a trial period. The applications are simple in nature: photo filters, QR code readers, calculators and other tools that are typically free or cheap.
- Users were charged after a 72-hour trial period; the highest fee the researchers discovered was €219.99.
- The applications, dubbed ‘fleeceware’, do not contain malware. However, after being contacted by the research team, Google removed 14 of the applications from Google Play.
NUKIB says Chinese actor was behind 2018 cyberattack
- According to a report by the Czech Republic’s National Cyber and Information Security Agency (NUKIB), the attack on a key government institution in 2018 was ‘almost certainly carried out by a state actor or related group’ and ‘a Chinese actor’ is the most likely suspect.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.