Silobreaker Daily Cyber Digest – 28 November 2018
Fake voice messaging apps on Google Play distribute FraudBot adware
- Trend Micro researchers discovered seven apps on the Google Play store that contain a new adware strain dubbed FraudBot. The apps were disguised as legitimate voice messenger platforms. Based on similarities in their code, the researchers suspect the apps were all developed by the same threat actor.
- The fraudulent apps lured victims into providing personally identifiable information via fake surveys in exchange for gift cards. Victims were prompted to enter data such as names, phone numbers and home addresses.
- According to Trend Micro’s report, only a small number of users were affected before the apps were taken down from the Google Play store. However, Trend Micro expects similar apps to be uploaded to the store in the near future and that the threat actor may be in the process of developing a botnet.
Source (Includes IOCs)
Newly discovered worm delivers fileless version of njRAT backdoor
- Trend Micro researchers found a new worm, detected as Worm.Win32.BLADABINDI.AA, spreading a modern variant of njRAT malware, also known as Bladabindi. Although it remains unclear how the worm enters a system, the researchers suspect it installs a hidden copy of itself on removable drives.
- The worm uses AutoIt scripting language to package the final payload and main script into a single executable for the purpose of making the malicious payload harder to detect. It also loads the malware from an executable hidden in memory, rather than a system disk, making the malware fileless and further complicating its detection.
Source (Includes IOCs)
Cisco Talos discover new DNSpionage campaign targeting Middle East
- The new campaign was discovered targeting .gov domains in Lebanon and the United Arab Emirates, as well as a private Lebanese airline. The campaign uses two fake malicious websites that display phony job postings used to infect victims via malicious Microsoft Office documents embedded with macros.
- The malware used, dubbed DNSpionage, supports HTTP and DNS communication with the attackers. Based on their analysis, Cisco have been unable to connect the campaign to any other campaign or threat actor.
Source (Includes IOCs)
Central Bank of Nigeria issues warning on ATM attacks
- The warning was issued to Nigerian organizations following reports of several ATMs in Nigeria being infected with FASTCash malware.
Criminals continue to attack AutoCAD to steal design plans
- Forcepoint researchers discovered that threat actors are continuing to exploit a feature in Autodesk’s AutoCAD program to steal computer-assisted designs for bridges, factory buildings and other projects.
- The attacks are carried out through spear phishing emails or, in some cases, postal packages containing design documents and plans. These directories contain masked AutoLISP files that, when executed, use a series of obfuscated commands to download documents and send them to the attackers’ servers.
- According to Ars Technica, these attacks are likely to continue based on their ongoing occurrence ever since their earliest detection in 2005. Ars Technica also state that Forcepoint researchers are expected to release further analysis today.
BEC scam exploiting California wildfires
- Agari researchers discovered a Business Email Compromise scam impersonating the CEO of a company, informing an employee that their clients require assistance due to the ongoing wildfires. The scammer asks the employee to send the redemption codes to Google Play gift cards worth $500 each.
Pegasus spyware targets Mexican journalists
- Citizen Lab reported that the colleagues of journalist Javier Valdez Cárdenas were targeted with Pegasus spyware, manufactured by the Israeli NSO Group, shortly after he was killed in May 2017.
- The colleagues were sent links in text messages claiming to have information on Cárdenas’ killers, which would have silently installed the spyware on their phones had they been clicked.
3ve fraud scheme responsible for the loss of tens of millions of dollars has been dismantled
- Dubbed 3ve, the fraud scheme’s activity grew into a large-scale campaign in 2017, leveraging malware infections, Border Gateway Protocol (BGP) hijacking, and fraudulent domains and websites to generate between three and twelve billion daily ad requests.
- The campaign handled over 700,000 infections at any one time, forging more than 10,000 websites and exploiting over 1,000 data center nodes. At one point 3ve reportedly controlled over one million IPs.
- 3ve’s campaign caused the loss of approximately $29 million to businesses paying for fake traffic and ad views. The group behind the campaign avoided detection by relying on different data centers and botnets that created fake ad inventories and encouraged false traffic to pages.
sLoad PowerShell malspam expands to Italy
- sLoad has previously been observed delivering various types of malware, including the Ramnit trojan. Yoroi has more recently observed an emerging campaign leveraging sLoad to target Italy with a series of well-designed malicious email messages.
- Yoroi’s Cybaze Z-Lab has analysed samples from the recent campaign and published a detailed technical analysis on the sLoad malware infection.
SentinelOne release further analysis of spam campaign targeting Exodus Mac users
- The spam campaign was first reported on in early November 2018 by researchers at F-Secure. SentinelOne follow up on their report by providing an analysis of the components of this campaign, including the RealTimeSpy spyware, the dropped files, and the malicious code.
- Their analysis further uncovered an additional keylogging application, named Keystroke Spy, used in this campaign. Lastly, no C&C structure was discovered and thus it remains unclear if, or how, user data is exfiltrated.
Source (Includes IOCs)
Leaks and Breaches
North Carolina health provider suffers breach of 2 million patients’ data
- The billing vendor AccuDoc was hacked, allowing unauthorized parties access to the addresses, dates of birth and Social Security numbers of Atrium Health hospitals’ patients.
Sennheiser headset software vulnerable to MITM attacks
- It has been discovered that, upon installation, the Sennheiser headset software also installs a root certificate into the Trusted Root CA Certificate Store, as well as an encrypted version of the certificate’s private key.
- The certificate and its private key are the same for everyone who installs the software, and therefore could allow an attacker, with the ability to decrypt the private key, to issue fraudulent certificates under domains that they have no control over. This could allow them to perform a man-in-the-middle attack to sniff traffic when a user visits those sites.
- The certificate files are deleted when a user uninstalls the software; however, the trusted root certificate is not removed, which means an attacker with the right private key can still perform these attacks even though the software is no longer installed. The vulnerability is tracked as CVE-2018-17612.
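As an added defender-side check (example code written for this digest, not from Silobreaker, Sennheiser or the original researchers), the script below enumerates the Windows Trusted Root CA stores and flags self-signed roots whose subject matches a vendor keyword, so an administrator can spot a vendor root left behind after an uninstall. The digest does not give the certificate’s subject or thumbprint, so the `$SubjectKeyword` default and the function name `Find-LeftoverVendorRoot` are assumptions; adjust the keyword to the vendor you are auditing.

```powershell
# Added example, not code from the digest or any vendor tooling.
# Lists self-signed certificates in the Trusted Root CA stores whose subject
# contains a given keyword. A root CA that should only have existed while a
# piece of vendor software was installed is a candidate for removal.

function Find-LeftoverVendorRoot {
    param(
        # Assumption: the vendor name appears in the certificate subject.
        [string]$SubjectKeyword = 'Sennheiser'
    )

    # Check both the machine-wide and the current user's root stores.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

    foreach ($storePath in $stores) {
        Get-ChildItem -Path $storePath | ForEach-Object {
            $cert = $_
            # A root CA is self-signed: subject and issuer are identical.
            $isSelfSigned   = ($cert.Subject -eq $cert.Issuer)
            $matchesVendor  = ($cert.Subject -like "*$SubjectKeyword*")

            if ($isSelfSigned -and $matchesVendor) {
                [PSCustomObject]@{
                    Store         = $storePath
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                }
            }
        }
    }
}

# Usage: report any matching roots. Review the output before removing anything.
Find-LeftoverVendorRoot -SubjectKeyword 'Sennheiser' | Format-Table -AutoSize
```

Once a leftover root has been confirmed against the vendor’s advisory, it can be removed with `Remove-Item` on its `Cert:\...\Root\<thumbprint>` path from an elevated session. Running the same function periodically (or comparing its output against an exported baseline of expected roots) catches any third-party root that reappears after a reinstall.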
Vulnerabilities found in Schneider’s Modicon Quantum PLC
- Tenable researchers discovered multiple vulnerabilities in Schneider’s Modicon Quantum programmable logic controller (PLC). The flaws affect all M340, Premium, Quantum PLCs and BMXNOR0200 products.
- Two of the vulnerabilities, tracked as CVE-2018-7811 and CVE-2018-7809, could allow an attacker to manipulate user accounts. A cross-site scripting flaw, CVE-2018-7810, and a cross-site request forgery flaw, CVE-2018-7831, were also found, permitting threat actors to carry out cross-site scripting attacks.
- Lastly, the products were found to contain two denial-of-service vulnerabilities, one of which is tracked as CVE-2018-7830, while the other has not yet been assigned a CVE. Patches for these flaws will not be released as the Quantum PLC product line will be discontinued.
Siemens informs customers of vulnerabilities in Linux & GNU components for SIMATIC S7-1500
- The CPU 1518(F)-4 PN/DP multifunctional platform was created to allow plants to run multiple applications on a controller by combining control and PC capabilities in one device. Siemens have announced that some of the Linux and GNU components used by the platform contain 21 security flaws that were patched recently.
- The flaws impact the Linux kernel, the libxml2 XML parsing library, OpenSSH, and the GNU Binutils tools. The majority of the flaws can be exploited by a remote attacker using specially crafted files to cause a denial-of-service condition.
Uber fined for 2016 data breach cover-up
- The UK’s Information Commissioner’s Office and the Dutch Autoriteit Persoonsgegevens fined Uber £385,000 and €600,000 respectively over its cover-up of a data breach and extortion attempt by hackers. The breach resulted in the compromise of data relating to 2.7 million Uber customers in the UK, as well as 82,000 drivers.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.