Silobreaker Daily Cyber Digest – 27 August 2019
Nemty ransomware discovered in the wild
- Nemty encrypts documents and files on a victim’s system, appending the ‘.nemty’ extension to each. It also deletes shadow copies and places a ransom note on the desktop asking for approximately 0.01 BTC, currently worth around $1000, to release the files. The payment portal is hosted on a Tor site.
- Upon examining the ransomware’s code, researchers found a link to a picture of Vladimir Putin, captioned with an offensive remark. It also identifies computers in Russia, Belarus, Kazakhstan, Tajikistan and Ukraine in order to send data about them back to the attacker.
Malwarebytes Labs analyse xHelper Android malware
- Nathan Collier of Malwarebytes Labs analysed the Android malware xHelper, first observed in May 2019 and now showing a recent spike in infections. The exact purpose of the malware remains unclear; however, the researcher believes it could be used to send remote commands to a mobile device. The malware is hosted on IP addresses in the US, suggesting the attack targets the US.
- xHelper also comes in two variants. The first is semi-stealth, creating an icon in notifications, but not creating an app or shortcut icon. Shortly after, it starts creating more icons in notifications that direct the user to gaming websites.
- The second variant is a full-stealth version that does not create any icons and its presence can only be detected in the app info section.
Instagram phishing campaign uses fake login warnings
- According to Bleeping Computer, a new Instagram phishing campaign is targeting users with emails masquerading as login alerts claiming that someone attempted to access the user’s account.
- The emails contain what appears to be a 2FA code to look more legitimate and ask the user to confirm their identity via a link. The link then redirects the user to a cloned Instagram login page, secured with a valid HTTPS certificate.
Quasar RAT delivered via phishing campaign
- Discovered by Cofense researchers, this latest phishing campaign sends an email to the intended victim, masquerading as a job seeker to deliver a Word document containing macros.
- The document is password-protected to avoid detection by email scanners and carries a fake message telling the recipient to enable macro content. Analysis tools that scan the macro often fail or crash, because the actor behind it inserted over 1,200 lines of base64-encoded garbage code.
- The macro itself delivers the open-source, publicly available Quasar RAT, which has frequently been observed in use by APT actors to exploit networks.
Emotet botnet resumes activity
- Cofense researchers noticed that Emotet’s C2 servers resumed their activity after being inactive since the beginning of June.
- According to several other researchers, the botnet is currently not distributing any new binaries; however, it is highly likely that a new Emotet campaign will begin soon.
- Emotet activity was detected in multiple locations including Brazil, Mexico, Germany, Japan, and the US.
IRS warns of new impersonation scam delivering malware
- Emails with subject lines such as ‘Automatic Income Tax Reminder’ or ‘Electronic Tax Return Reminder’ redirect targets to a website mimicking the official Internal Revenue Service (IRS) website. The emails also contain a ‘temporary’ or ‘one-time password’ that targets are to submit on the website to access files for submitting the refund. The files were found to be malicious, infecting victims with malware.
TA505 targets new locations in recent campaigns
- Trend Micro researchers reported on TA505’s recent activity that is newly targeting countries such as Turkey, Serbia, Romania, South Korea, Canada, the Czech Republic, and Hungary.
- TA505 continues to use either FlawedAmmyy RAT or ServHelper as payloads; however, the researchers noted several minor changes to its operations. The group is newly using .ISO image attachments as a point of entry, as well as a .NET downloader, a new style of macro delivery, an updated version of ServHelper, and a .DLL variant of FlawedAmmyy.
- According to the researchers, the changes made from the original FlawedAmmyy and ServHelper routines may indicate that the group is testing which forms of obfuscation can bypass detections.
WordPress plugins targeted by malicious campaign
- An active attack campaign has been identified targeting both new and old public vulnerabilities in WordPress plugins in an attempt to redirect traffic from victims’ websites to harmful locations. These include NicDark Plugins, Simple 301 Redirects Addon, WooCommerce User Email Verification and Yellow Pencil Visual Theme Customiser.
- All of the targeted plugins have been patched by the developers, so it is advised that administrators keep these up to date.
Mass scanning activity observed targeting Pulse Connect Secure VPN endpoints
- Experts at BadPackets observed two mass scanning activities on August 22nd, 2019, targeting Pulse Connect Secure VPN endpoints vulnerable to CVE-2019-11510, a critical arbitrary file reading vulnerability in the product that could allow a threat actor to gain access to private keys and user passwords. Both mass scanning activities originated from a host in Spain and tried to download the ‘/etc/passwd’ file.
- Once a threat actor gains access, they could exploit the remote command injection vulnerability, tracked as CVE-2019-11539, enabling them to gain access inside the private VPN network.
- BadPackets found a total of 14,528 vulnerable Pulse Connect Secure VPN endpoints, the majority of which are located in the US and include systems from the military, federal, state and local government agencies, as well as universities, schools, hospitals and more.
Leaks and Breaches
Hostinger suffers data breach affecting almost 14 million customers
- The hosting provider reset all Hostinger Client passwords following a data breach involving an unauthorized third party gaining access to their internal system API. The breached data includes Client usernames, emails, hashed passwords, first names and IP addresses.
- No financial data or Client account data, such as websites, domains, or emails, is believed to have been compromised.
Fanatec customer database hacked
- Fanatec informed its customers of unauthorized access to its online shop on August 16th, 2019, which exposed personal data to unknown third parties. In response, the company reset customer passwords.
- Part of the email notification asks customers to keep the data breach confidential so that affected customers can take all necessary steps without the hackers’ knowledge, which could suggest payment data was stolen in the incident.
Rockville Center School District pays ransom
- Rockville Center School District in New York was hit by a Ryuk ransomware attack on July 25th, 2019, which was shut down promptly after discovery, stopping it early in its encryption process. The school district decided to pay $88,000 to recover the remainder of its data, stating that this was cheaper than recovering from the attack without the decryption keys.
New Zealand government agency data breach exposes private data of 302 individuals
- New Zealand’s Manatū Taonga Ministry for Culture and Heritage suffered a data breach that exposed the private data of 302 applicants for its Tuia 250 Voyage Trainee programme. The breach was the result of unsecured storage on one of its external sites for the Tuia Encounters 250 national commemoration.
- A total of 373 documents were found to be compromised. Exposed data included personal details, such as images of passports, driver licences, birth certificates, or other forms of ID.
Lake County hit by ransomware attack
- Lake County, Indiana, was hit by a ransomware attack on August 22nd, 2019, that affected 40 county servers and disabled its email service and several internal applications. No evidence of data theft has been found and no ransom demand has been made to date.
Researcher finds Gartner’s legacy system exposed online
- Researcher Bob Diachenko discovered a misconfigured Elasticsearch cluster containing over 1TB of data related to CEB Inc, acquired by Gartner in 2017.
- According to Diachenko, at least one collection from the database contained over 155 million records including personal information, names, biographies, skills, employment details from LinkedIn or GitHub, and fields such as ‘Diversity’. Following Diachenko’s report, Gartner secured the database.
Apple re-patches vulnerability that permits iPhone and iPad jailbreak
- Apple released iOS 12.4.1, which addresses the kernel flaw. The vulnerability allows malicious apps to execute code with the highest privileges.
- The bug was previously patched in iOS 12.3, but a more recent version, iOS 12.4, was once again vulnerable, resulting in a researcher developing a jailbreak that exploits the flaw.
Vulnerability discovered in SimpleMDM Apple device management solution
- Security researcher Nishaanth Guna discovered an XML external entity (XXE) flaw, which he believes could be used for port scanning, reading arbitrary files from the system, and taking over the admin portal used to manage devices.
- SimpleMDM disagreed with the researcher’s findings, stating that the flaw could only be exploited to ‘fetch a publicly accessible web document, such as an HTML page’. The vulnerability has been patched.
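The XXE class of bug described above comes down to an XML parser that honours DOCTYPE and entity declarations supplied by the client. The mitigation is to refuse them outright. The following is an added example written for this digest, not code from SimpleMDM or from the researcher: a small wrapper around Python’s standard expat parser that rejects any DOCTYPE, entity declaration or external entity reference before any content is read. The device document, the ‘file:///PLACEHOLDER/…’ URI and the helper names are constructed assumptions.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an
    external entity reference, none of which untrusted input should need."""


def parse_strict(data: bytes) -> dict:
    """Parse a small flat XML document into {tag: text}, refusing DTDs.

    Hypothetical helper: it stands in for whatever the application does with
    client-supplied XML. The point is the three reject_* handlers below.
    """
    parser = expat.ParserCreate()
    # Parameter entities are the usual out-of-band XXE channel: never expand them.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' rejected")

    def reject_entity(*decl):
        raise UnsafeXML("entity declaration rejected")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    result = {}
    stack = []

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def chars(text):
        if stack:
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def accepts(data: bytes) -> bool:
    """True if parse_strict takes the document, False if it was rejected."""
    try:
        parse_strict(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample input: an ordinary device record.
BENIGN = b"<device><name>ipad-01</name><serial>CONSTRUCTED-0001</serial></device>"

# Constructed sample input: the same record with a DOCTYPE declaring an
# external entity. The URI is a placeholder, not a real path.
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE device [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>\n'
    b"<device><name>&ext;</name></device>"
)

if __name__ == "__main__":
    print(parse_strict(BENIGN))
    print("DTD document accepted:", accepts(WITH_DTD))
```

Raising inside the DOCTYPE handler stops expat before the internal subset is even scanned, so the entity is never declared, let alone resolved. In production code the usual choice is the defusedxml package, which applies the same handlers to every parser in the standard library; the block above shows what it does underneath.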
Vulnerability discovered in pre-installed Lenovo software
- CVE-2019-6177 is a privilege escalation vulnerability in Lenovo Solution Centre, an application pre-installed on Lenovo devices shipped between 2011 and 2018. The Lenovo Solution Centre process can overwrite the privileges of any file, potentially allowing an attacker to overwrite a DLL running at system level with malicious shellcode.
- Lenovo states that support for Solution Centre ended in April 2018, recommending that customers migrate to Lenovo Vantage or Lenovo Diagnostics instead.
Vulnerability discovered in QEMU
- CVE-2019-14378 is a buffer overflow flaw that exists in QEMU, an open source machine emulator. When exploited, the vulnerability can lead to a denial-of-service condition or code execution by a malicious actor.
- Stefan Hajnoczi, a QEMU developer, stated that as production virtual machines do not use Slirp, an old tool used to emulate connections, the vulnerability mainly impacts users who run QEMU for development and testing purposes.
Vulnerabilities in two VPNs exploited in the wild
- Following the reports of vulnerabilities, and the subsequent patches, in both Pulse Secure SSL VPN and FortiGate VPN, attackers have begun to exploit these issues to retrieve sensitive data from servers that have not applied the critical fixes.
- Scans by researchers show that there were still 14,528 vulnerable Pulse Secure VPN endpoints in 121 different countries at the time of publication. Public exploit code for CVE-2018-13379 has also become available since the announcement of the vulnerability. VPNs should be updated to protect against these vulnerabilities as soon as possible.
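This item and the earlier BadPackets report both describe scanning for path-traversal reads of ‘/etc/passwd’ against unpatched VPN endpoints. As an added illustration for defenders, not code from Silobreaker, BadPackets or the vendors, here is a Python detector that flags such requests in a web-server access log and ranks sources by volume, so a mass scan stands out from a one-off probe. It decodes percent-encoding repeatedly, since scanners commonly double-encode the dot-dot sequence. The log lines, IP addresses, the ‘/app/’ path prefix and the two-hit threshold are constructed assumptions; no real exploit URL appears.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access log in Combined Log Format (no real hosts or exploit URLs):
# one source scanning repeatedly, one single probe, one ordinary user.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2019:10:00:01 +0000] "GET /app/../../../etc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
203.0.113.10 - - [22/Aug/2019:10:00:02 +0000] "GET /app/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
203.0.113.10 - - [22/Aug/2019:10:00:03 +0000] "GET /app/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0 "-" "python-requests/2.22.0"
198.51.100.7 - - [22/Aug/2019:10:05:00 +0000] "GET /app/..%2f..%2fetc/passwd HTTP/1.1" 403 0 "-" "curl/7.64.1"
192.0.2.5 - - [22/Aug/2019:10:06:00 +0000] "GET /app/login?next=/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [22/Aug/2019:10:06:05 +0000] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")


def normalise(path: str) -> str:
    """Percent-decode up to three rounds so double-encoded sequences such as
    %252e%252e collapse to '..', then drop the query string."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0]


def classify(line: str):
    """Return (source_ip, reasons) for a parsable log line, None otherwise.
    An empty reasons list means the request looked ordinary."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m.group("path"))
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("path-traversal")
    if any(f in path for f in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return m.group("ip"), reasons


def suspicious_sources(log_text: str, min_hits: int = 2) -> dict:
    """Count flagged requests per source IP and return the sources at or above
    min_hits: repeated traversal attempts from one host is the scanning pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits[result[0]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} traversal/sensitive-file requests")
```

Lowering `min_hits` to 1 also surfaces the single curl probe; the status codes are deliberately ignored, because a 403 from a patched device and a 200 from an unpatched one are equally worth knowing about.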
Hong Kong protesters warned against Telegram feature that can disclose their identities
- Hong Kong software engineers warned against using Telegram to coordinate protests as an issue in the instant messaging app can allow a threat actor to access the phone numbers used to register a Telegram account. The phone number could then be used to find a person’s real identity.
- According to ZDNet, Telegram has played a key role in coordinating the ongoing Hong Kong protests.
Clickjacking scripts found on popular websites
- Academics from Microsoft Research, Seoul National University, the Chinese University of Hong Kong and Pennsylvania State University found scripts that intercept clicks using hyperlinks, event handlers or visual deception on 613 websites that receive 43 million visits a day.
- These scripts attempt to either generate profit via clicks on ads, redirect users to malicious sites or technical support scams, or push malicious applications.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.