Silobreaker Daily Cyber Digest – 28 August 2019
Norway’s NSM warns of cyber campaigns
- The Norwegian National Security Authority’s National Cyber Security Centre (NCSC), alongside the Norwegian Maritime Authority and the Norwegian Shipowner’s Association, issued a statement warning of cyber campaigns targeting different sectors, mainly in the US, Europe and Middle East.
- Intelligence provided to the NSM NCSC suggests that the maritime and oil and gas sectors have been the victims of targeted attacks, and the agency recommends that organisations be prepared for this activity to continue, in particular shipowners operating in ISPS/MARSEC level two areas or higher.
France’s C3N and Avast neutralize over 850,000 Retadup infections
- In a joint effort between the Cybercrime Fighting Center (C3N) of the French National Gendarmerie and Avast, 850,000 Retadup infections were neutralized by replacing its C2 server with a disinfection server that caused the malware to self-destruct. This was possible due to a flaw Avast found in its C2 protocol.
- Retadup is a worm that installs a malicious Monero cryptocurrency miner. Depending on the variant, its core is written in either AutoIt or AutoHotkey. Its C2 infrastructure was mainly located in France, whilst some parts were also located in the US before being taken down by the FBI.
- The majority of infections were located in Latin America and on devices running Windows 7, whilst over 85% of the victims did not have third-party antivirus software. Further research also revealed that all executable files on Retadup’s C2 were themselves infected with the malware strain Neshta.
Source (Includes IOCs)
WS-Discovery protocol abused to launch DDoS attacks
- ZeroBS GmbH noticed a rise in distributed denial-of-service (DDoS) attacks abusing the WS-Discovery protocol in August 2019, with multiple threat actors launching DDoS attacks on a weekly basis. Large-scale DDoS attacks abusing the protocol were first reported in early May 2019. WS-Discovery is used by 630,000 devices, including IP cameras, printers, home appliances and more.
- The protocol uses SOAP-over-UDP to support inter-device discovery and communication, which means it can be spoofed by an attacker sending a UDP packet with a forged source IP address. As the device’s reply is much larger than the initial request, attackers can direct the reply at a DDoS victim, with amplification factors of up to 300 or 500.
- Whilst such amplification factors were seen in the first wave of attacks in May 2019, the current wave only reached a maximum amplification factor of 10, suggesting the threat actors are not yet aware of the protocol’s capabilities or lack the technical means for full exploitation. However, due to the large number of devices exposing the WS-Discovery port 3702, it will likely soon become popular among botnet operators.
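Defenders can spot their own devices being used as WS-Discovery reflectors from flow data alone: a device that receives small UDP/3702 probes and sends back far larger replies to addresses it has no business talking to is being abused, and the reply/probe byte ratio is the amplification factor the ZeroBS figures describe. The script below is an added example, not code from ZeroBS or Silobreaker; the flow log format, the sample flows and the flagging threshold of 10 (the maximum factor observed in the August wave) are all constructed assumptions.

```python
"""Flag local devices acting as WS-Discovery (UDP/3702) reflectors from flow records."""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702  # UDP port WS-Discovery listens on


@dataclass(frozen=True)
class Flow:
    """One UDP flow record: how many bytes src:sport sent to dst:dport."""
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows (assumed format, not a real exporter's output).
# 192.0.2.50 and 192.0.2.51 are internal devices; 203.0.113.10 and 198.51.100.7 are
# external addresses that were forged as the source of the probes.
SAMPLE_LOG = [
    "203.0.113.10:40000 -> 192.0.2.50:3702 bytes=100",
    "192.0.2.50:3702 -> 203.0.113.10:40000 bytes=3000",
    "203.0.113.10:40001 -> 192.0.2.50:3702 bytes=100",
    "192.0.2.50:3702 -> 203.0.113.10:40001 bytes=3000",
    "198.51.100.7:5353 -> 192.0.2.50:3702 bytes=100",
    "192.0.2.50:3702 -> 198.51.100.7:5353 bytes=3000",
    "192.0.2.20:53000 -> 192.0.2.51:3702 bytes=200",   # ordinary local discovery
    "192.0.2.51:3702 -> 192.0.2.20:53000 bytes=1200",
]


def parse_flow(line: str) -> Flow:
    """Parse 'src:sport -> dst:dport bytes=N' (the constructed format above)."""
    ends, size = line.split(" bytes=")
    left, right = ends.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), int(size))


def reflection_report(flows, min_factor=10.0):
    """Per device, compare bytes arriving on 3702 (probes) with bytes leaving from 3702 (replies).

    Returns {device: {"factor": reply/probe ratio, "targets": addresses replied to,
    "reply_bytes": total reply bytes}} for devices whose ratio reaches min_factor.
    """
    probe_bytes = defaultdict(int)
    reply_bytes = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        if f.dport == WSD_PORT:
            probe_bytes[f.dst] += f.nbytes
        elif f.sport == WSD_PORT:
            reply_bytes[f.src] += f.nbytes
            targets[f.src].add(f.dst)
    report = {}
    for device, out in reply_bytes.items():
        inbound = probe_bytes.get(device, 0)
        factor = out / inbound if inbound else float("inf")
        if factor >= min_factor:
            report[device] = {"factor": round(factor, 1),
                              "targets": targets[device],
                              "reply_bytes": out}
    return report


def victim_totals(flows):
    """Reply bytes delivered per destination, i.e. who is absorbing the reflected traffic."""
    totals = defaultdict(int)
    for f in flows:
        if f.sport == WSD_PORT:
            totals[f.dst] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_LOG]
    for device, info in reflection_report(flows).items():
        print(f"{device}: factor {info['factor']}x, {info['reply_bytes']} bytes to {sorted(info['targets'])}")
    print("reply bytes per destination:", victim_totals(flows))
```

In real flow data the probe and reply sizes are per-packet rather than per-flow totals, so the ratio is best computed over a short time bucket; the remediation is the same either way, which is to stop exposing UDP/3702 to the internet.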
CamScanner app, downloaded over 100 million times, contains advertising dropper
- Researchers at Kaspersky discovered an advertising trojan, named Necro.n malware, in the popular CamScanner app hosted on Google Play. The app has been downloaded over 100 million times and is used to scan and manage digital documents.
- When CamScanner runs, the dropper decrypts and runs malicious code contained in a zip file in the app’s resources. The dropper then communicates with the attackers’ servers and downloads additional modules before executing their code. Necro.n can be used by attackers to display intrusive adverts and to steal money from infected users by charging them for subscriptions.
- The researchers proposed that the malware is present on the app due to a partnership between the app developers and unscrupulous advertisers. The app was reported to Google and has been removed from Google Play.
Source (Includes IOCs)
China Chopper remains popular nine years after discovery
- Cisco Talos researchers identified that criminals continue to use the China Chopper webshell without significant modification. The researchers analysed the use of China Chopper over a two-year period, beginning in June 2017. They found that attackers of varying skill levels have used the widely available tool in a range of campaigns.
- China Chopper is used by attackers to remotely control target systems running vulnerable web server applications. It gives the actor a simple GUI in which to configure the server to connect to, and it generates the server-side code that is added to the target website’s code so the two can communicate.
- The researchers observed China Chopper being used in campaigns that exfiltrate data, deploy ransomware, and more. The average detection time in these campaigns was over 180 days.
Source (Includes IOCs)
Secureworks publishes analysis of Hexane threat actor TTPs and campaigns
- Researchers at Secureworks identified that since May 2019 the Hexane Group has been engaged in a campaign targeting oil and gas organizations in the Middle East. The group has been active since April 2018 and carried out campaigns against entities in South Africa in mid-2018. The most recent campaign follows the development and testing of the group’s toolkit against a public multi-vendor malware scanning service in February 2019.
- The group initially compromises an organisation by performing brute force and password spraying attacks to gain access to email accounts, which are then used in spear phishing operations. These phishing attacks target HR staff, executives and IT personnel with emails containing malicious Excel documents that deliver Danbot malware. Danbot has basic remote access capabilities and is used to download additional keylogger, remote access and information gathering tools.
- The researchers stated that none of the malware or infrastructure used by Hexane has direct links to any other observed group.
Source (Includes IOCs)
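The initial access step above, brute force and password spraying against email accounts, leaves a recognisable trace in authentication logs: a spray is one source failing once or twice against many different accounts, whereas classic brute force is one source hammering a single account. A later success from a source that was spraying is the signal that a mailbox may now be in the attacker's hands. The following detector is an added example written for this digest, not code from Secureworks; the log format, the sample lines, the 15-minute window and the thresholds (5 distinct accounts for a spray, 8 attempts on one account for brute force) are assumed values to be tuned per environment.

```python
"""Classify failed-login sources as password spraying or brute force, then list
accounts those sources later logged into successfully."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway authentication log lines (assumed format):
# "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_AUTH_LOG = [
    # one source, six accounts, one attempt each, then a success: a password spray
    "2019-08-20T09:00:01Z 198.51.100.23 alice@example.test FAIL",
    "2019-08-20T09:00:09Z 198.51.100.23 bob@example.test FAIL",
    "2019-08-20T09:00:17Z 198.51.100.23 carol@example.test FAIL",
    "2019-08-20T09:00:25Z 198.51.100.23 dave@example.test FAIL",
    "2019-08-20T09:00:33Z 198.51.100.23 erin@example.test FAIL",
    "2019-08-20T09:00:41Z 198.51.100.23 frank@example.test FAIL",
    "2019-08-20T09:31:02Z 198.51.100.23 frank@example.test SUCCESS",
    # a user who mistypes twice and then gets in: benign
    "2019-08-20T09:10:00Z 192.0.2.5 alice@example.test FAIL",
    "2019-08-20T09:10:20Z 192.0.2.5 alice@example.test FAIL",
    "2019-08-20T09:10:45Z 192.0.2.5 alice@example.test SUCCESS",
] + [
    # one source, one account, ten attempts in forty seconds: brute force
    f"2019-08-20T09:05:{s:02d}Z 203.0.113.9 hr@example.test FAIL" for s in range(0, 40, 4)
]


def parse_auth_line(line):
    """Return (timestamp, source_ip, account, result) for one constructed log line."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def classify_sources(events, window=timedelta(minutes=15), spray_accounts=5, brute_attempts=8):
    """For each source IP, find the window with the most distinct failed accounts and the
    highest failure count against any single account, then label the source."""
    fails = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            fails[ip].append((ts, account))
    verdicts = {}
    for ip, items in fails.items():
        items.sort()
        most_accounts, most_single = 0, 0
        for i, (start, _) in enumerate(items):       # slide a window from each failure
            per_account = defaultdict(int)
            for ts, account in items[i:]:
                if ts - start >= window:
                    break
                per_account[account] += 1
            most_accounts = max(most_accounts, len(per_account))
            most_single = max(most_single, max(per_account.values()))
        if most_single >= brute_attempts:
            verdicts[ip] = {"kind": "brute_force", "accounts": most_accounts, "max_attempts": most_single}
        elif most_accounts >= spray_accounts:
            verdicts[ip] = {"kind": "password_spray", "accounts": most_accounts, "max_attempts": most_single}
    return verdicts


def suspicious_logins(events, verdicts):
    """(source, account) pairs where a flagged source later authenticated successfully:
    the mailboxes most likely to be used for the follow-on spear phishing."""
    return sorted({(ip, account) for _, ip, account, result in events
                   if result == "SUCCESS" and ip in verdicts})


if __name__ == "__main__":
    events = [parse_auth_line(line) for line in SAMPLE_AUTH_LOG]
    verdicts = classify_sources(events)
    for ip, info in verdicts.items():
        print(f"{ip}: {info['kind']} ({info['accounts']} accounts, max {info['max_attempts']} attempts on one)")
    print("successful logins from flagged sources:", suspicious_logins(events, verdicts))
```

The spray rule keys on breadth rather than volume because a spray stays under per-account lockout thresholds by design; the brute-force rule is checked first so a source doing both is not hidden behind the milder label.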
Leaks and Breaches
New Kent County Public Schools hit by ransomware
- New Kent Public Schools in Virginia was hit by a ransomware attack that encrypted its internal hard drive. It is not believed that any personal identifying information was taken by the attackers.
Imperva data breach exposes customer details including API keys and SSL certificates
- On August 27th, 2019, Imperva disclosed that they learned from a third party about a security incident that exposed the information of some users of the company’s Web Application Firewall (WAF) product.
- The company became aware of the issue on August 20th, 2019 and stated that the issue affected certain WAF customers through September 15th, 2017.
- Exposed information included email addresses and hashed and salted passwords. An additional subset of customers had their API keys and customer provided SSL certificates exposed.
Check Point resolves vulnerability in Endpoint Security Initial Client software
- Researchers at SafeBreach Labs identified a vulnerability, tracked as CVE-2019-8790, in Check Point Software’s Endpoint Security Initial Client for Windows.
- An attacker can exploit the flaw by loading an arbitrary unsigned DLL into one of the Windows services used by Endpoint Security. A successful attacker can achieve privilege escalation, have malicious payloads loaded and executed each time the service is loaded, and have those payloads loaded and executed by a signed service.
- The researchers identified that the vulnerability was caused by a lack of safe DLL loading and the absence of digital certificate validation against the binary. The vulnerability was patched by Check Point on August 27th, 2019.
Source (Includes IOCs)
Instagram vulnerability allows attackers to gain access to accounts
- Security researcher Laxman Muthiyah identified a vulnerability in the account recovery process used by Instagram. By reusing the same device ID, passcodes for multiple different users could be requested. Requesting passcodes for multiple users allowed an attacker to generate numerous valid nonces, thereby increasing the probability of hijacking accounts. The vulnerability has been patched by Facebook.
HIPAA publishes July Healthcare Data Breach Report
- The report found that July was the second worst month in 2019 after May 2019, with 25,375,729 healthcare records exposed, the majority of which were the result of hacking or IT incidents.
- The high number of data breach reports is due to the breach at American Medical Collection Agency, which affected at least 22 healthcare organisations and exposed more than 24 million records. The exact number of exposed records remains unknown.
- Exposed data in the first five months of 2019 also exceeds the number of records exposed in 2016, 2017 and 2018 combined, affecting over 35 million individuals.
NATO Secretary General states that a cyberattack could trigger ‘collective defence commitment’
- NATO Secretary General Jens Stoltenberg wrote that a cyberattack could trigger Article 5, invoking a ‘collective defence commitment’ from NATO members.
- Stoltenberg also emphasised the focus which NATO is placing on cyberspace as a top priority battleground. He called on member states to work closely together and improve their cyber defence capabilities.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.