Silobreaker Daily Cyber Digest – 27 November 2019
Researchers analyse Dridex, BitPaymer and Doppelpaymer
- LIFARS analysts looked at multiple campaigns that make use of at least three malware families and tools, namely Dridex, BitPaymer and Doppelpaymer. All three were created by INDRIK SPIDER.
- Dridex is a banking trojan known for using PowerShell Empire for lateral movement, usually sent via emails containing malicious Word documents. BitPaymer is a ransomware typically distributed by Dridex operators and packed with a custom loader compiled just before deployment to evade security products. DoppelPaymer is a more recent variant of BitPaymer that contains additional features.
- A full technical analysis of the malware observed in the campaigns is available on LIFARS’ website.
Source (Includes IOCs)
New polymorphic campaign delivers cryptomining Dexphot malware
- Researchers at Microsoft identified a new polymorphic malware campaign that began in October 2018 and infects users’ systems with a malware named Dexphot. The ultimate aim of the malware is to install a cryptominer on the target’s device. The attack, which peaked in mid-June 2019, targeted thousands of machines with files and URLs that changed every 20-30 minutes.
- Despite the relatively simple aim of the campaign, the researchers highlighted the extent to which the malware operators went to avoid security solutions by using obfuscation, encryption and randomised file names. The malware is dropped on target machines via ICLoader and its variants. The initial attack chain is ‘complex’ and uses a number of legitimate processes to avoid detection.
- Following infection, the malware runs code directly in memory using fileless techniques. The researchers observed the malware authors making continual changes to Dexphot, improving its defences and target processes.
Source (Includes IOCs)
DeathRansom ransomware begins to encrypt victim’s files
- An upgrade to DeathRansom ransomware allows the malware to encrypt a target’s data, rather than only pretending to encrypt files by adding an extension. Prior to the upgrade, which occurred around November 20th, 2019, infected users had been able to recover their files by simply deleting the added extension.
- DeathRansom now fully encrypts data within files on the victim’s device, only avoiding those that are necessary to run the machine. The malware also attempts to delete the target’s shadow copies.
- BleepingComputer highlighted a ‘strange’ overlap between victims who were infected by DeathRansom and those infected by STOP ransomware. The researchers speculated that DeathRansom, similarly to STOP ransomware, may also be distributed via adware bundles and cracks.
Source (Includes IOCs)
New TrickBot campaign abuses SendGrid and Google Docs
- Researchers at PhishLabs observed a TrickBot campaign using a new infection vector. Instead of the typical malicious Microsoft Office document sent as an attachment, TrickBot is currently spread via links using the email delivery platform SendGrid.
- The email uses themes like termination, meetings with lawyers, customer complaints, and payouts, and ‘RE:’ in the subject to lure victims. The use of SendGrid allows the threat actor to obscure the link contained in the email and SendGrid’s popularity means most victims are less likely to see a potential threat in the link. Once clicked, a victim is redirected to Google Docs and prompted to download an executable that installs TrickBot.
- The campaign targets multiple industries, with no specific focus on any particular organisation or sector. Nonetheless, due to the use of customised lures, the researchers do not believe that the targets are randomly selected.
Stantinko botnet updated to mine for Monero cryptocurrency
- Researchers at ESET found that the Stantinko botnet, which has been active since at least 2012, now contains a cryptomining module which can mine Monero. The botnet primarily targets machines in Russia, Ukraine, Belarus, and Kazakhstan.
- The botnet, which has been deploying its new module since at least August 2019, uses a version of the open-source cryptominer XMR-STAK. The operators removed unneeded strings and functions, and applied obfuscation to the remaining ones. Communication is established with the mining pool via proxies, the IP addresses of which are retrieved from the description text of YouTube videos.
- The cryptominer contains a number of key features, including the ability to detect security software, suspend other cryptomining applications, and postpone its mining operations when Task Manager is opened.
Source (Includes IOCs)
Google sends warning to targets in 149 countries about state-backed hacking attacks
- Google’s Threat Analysis Group (TAG) revealed that from July to September 2019, it sent over 12,000 warnings to users in over 149 countries alerting them to state-backed attacks. TAG stated that these figures remained consistent with the number of warnings sent in 2017 and 2018.
- The vast majority of attacks, over 90%, were credential phishing emails that sought to acquire login details. TAG warned that journalists, human rights activists, and political campaigns were all high-risk targets.
Leaks and Breaches
Great Plains Health Hospital hit by ransomware attack
- The Nebraska-based Great Plains Health Hospital was targeted by a ransomware attack on November 25th, 2019, affecting all its electronic communications, including email. The hospital does not believe any confidential patient data was breached.
Payment card data of On the Border customers exposed in security incident
- The Tex-Mex restaurant chain On the Border is informing its customers of a malware attack on its payment processing system discovered on November 14th, 2019, and potentially affecting some of its customers’ payment card information.
- The security incident affects payment cards processed between April 10th and August 10th, 2019, in certain On the Border restaurants. Impacted information includes names, credit card numbers, credit card expiration dates, and credit card verification codes.
India’s online health portal leaked patient data in 2018
- Security researcher Avinash Jain discovered a bug in the Indian government’s Online Registration System website in 2018, which allowed anyone to access patient details including full names, addresses, age, mobile numbers, partial Aadhaar numbers, and more.
- According to Jain, about 2 million individuals were registered with the website at the time of the leak. The flaw was fixed in October 2018, three weeks after CERT-In was alerted to it.
Estonian authorities accidentally expose email addresses of cryptocurrency companies
- An email sent out by an agency that is part of the Estonian Police and Border Guard Board went to 200 cryptocurrency trading service providers without hiding the individual recipients’ email addresses.
Four million newly stolen cards on criminal underground linked to restaurant breaches
- On November 23rd, 2019, a new batch of four million freshly hacked debit and credit cards appeared for sale on the card site Joker’s Stash. Two unnamed financial industry sources and fraud intelligence company Gemini Advisory informed KrebsOnSecurity that the cards originated from breaches at four restaurant chains.
- The restaurants were identified as Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s, which primarily operate across the Midwest and Eastern US. Krystal, which disclosed its breach in October 2019, stated that it was breached between April and July 2019. Moe’s, McAlister’s, and Schlotzsky’s, which are all owned by Focus Brands, were breached between April and July 2019.
45% of exposed Jira instances affected by SSRF vulnerability
- Palo Alto Networks Unit 42 researchers analysed the Server-Side Request Forgery (SSRF) vulnerability CVE-2019-8451 in Jira and its impact on public cloud service providers (CSPs). SSRF vulnerabilities enable attackers to engage in internal network reconnaissance, lateral movement, and remote code execution.
- The flaw was initially thought to only affect versions from v7.6 onwards; however, the researchers found it present from version 4.3. The researchers discovered 7,002 exposed Jira instances in six public CSPs, with 45% of them vulnerable to CVE-2019-8451, of which 56% are leaking cloud infrastructure metadata.
- The researchers note that known SSRF vulnerabilities exist in numerous applications that could be exploited in the cloud and recommend several best practices.
HP SSD Drive bug will cause loss of drive and data
- A bug in 20 HP Serial-Attached SCSI solid-state drives causes the SSDs to fail at exactly 32,768 hours of operation time. The drives are used in storage products and multiple enterprise servers. SSD failure results in both the drive and data being lost.
- So far, HP has provided fixes for only 8 of the affected drives, with further updates due in December.
Kaspersky patch introduced bug that allows websites to crash the antivirus
- Kaspersky reported that its July 2019 patch fixed a number of vulnerabilities discovered in Kaspersky’s Web Protection by security researcher Wladimir Palant in December 2018. One vulnerability could allow a website to send commands to the main Kaspersky application, for example to disable the ad-blocking and tracking protection functionality.
- According to Palant, the patch only covered the demonstrated ad-blocking and tracking protection commands and not others, and a website could still disable ad-blocking on its own domain. Additionally, websites could now also gather information about a user’s system and trigger a crash of the antivirus.
- Kaspersky is due to release a patch for these issues with Patch E for the 2020 family of Kaspersky products, which will fix the newly introduced bug. Palant notes that this patch will not include a fix for websites being able to send other commands to Kaspersky applications.
Aircraft warning lights exposed to open internet
- Security researcher Amitay Dan discovered at least 46 exposed control panels for aircraft warning light systems produced by Dialight plc. Accessible settings included ‘Force Day’, ‘Force Twilight’, and ‘Force Night’.
- The locations of exposed lights included Baltimore; Tuscola, IL; Decatur, TX; Ontario; and more. Motherboard stated that the location of some of the lights suggests that they are affixed to cell towers.
- Dan alerted the FAA, which replicated the issue and informed Dialight of the vulnerability. Dialight is in the process of remediating the issue and helping impacted customers.
Czech Republic targeted by Russian and Chinese spies according to BIS report
- A report published by the Czech Security Information Service (BIS) states that Russian and Chinese spies had repeatedly targeted the country in 2018. Russian and Chinese threat actors are believed to be behind the attacks on the Czech Foreign Ministry’s non-classified computer network. Additionally, APT28, a group the FBI has linked to Russia, is said to have carried out a malware attack on the private email accounts of Czech soldiers.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.