Threat Reports

Silobreaker Daily Cyber Digest – 29 August 2019

 

Malware

New Android botnet discovered targeting IoT devices

  • Researchers at WootCloud discovered the Ares ADB botnet targeting IoT devices including set-top-boxes running Android OS. Currently affected products include those manufactured by HiSilicon, Cubetek and Qezymedia.
  • The infection vector is via the Android ADB interface, a communication component present in all Android devices that is an associated client to debug and remotely manage devices. Once Ares Bot is installed on a device, it scans for additional devices with exposed ADB interface and installs payloads to start other malicious behaviour, such as cryptomining.
  • The researchers noted that, at present, the bots were only found running on STBs and televisions, however they believe the attackers will also target other devices, including mobile phones in the future.

Source

 

Ongoing Campaigns

TrickBot variant seeks US mobile users PIN codes

  • Researchers at SecureWorks discovered that TrickBot malware operators Gold Blackburn have augmented their TrickBot’s web injects to target US mobile users. The group first added web injects for Verizon Wireless on August 5th, 2019, followed by T-Mobile on August 12th, and Sprint on August 19th.
  • Users who visit these sites have their connection intercepted by the TrickBot and proxied through a C2, which injects additional HTML and JavaScript into the page. On all three mobile providers websites, an additional field is displayed which asks for the user’s PIN. Entered information is transmitted to the TrickBot C2 server where malicious actors can access it.
  • The researchers suggested that Gold Blackburn are gathering PIN numbers in order to perform port-out or SIM swap attacks.

Source (Includes IOCs)

 

Threat Vector publish deep dive analysis of APT28 DLL Backdoor

  • Researchers at threat vector analyzed a multi-threaded DLL backdoor that is used by APT28  to gain access and control of a target. By communicating with the C2 the implant, which is written in C++, can upload or download files, create process, and more.  
  • The researchers stated that they do not believe that the DLL is intended to operate as a module for a larger tool. A full technical analysis of the backdoor is available through Threat Vector. 

Source (Includes IOCs)

 

Threat actor uses Revenge and Orcus RATs in campaign targeting range of organizations

  • Researchers at Cisco Talos discovered an unnamed threat actor employing Revenge RAT and  Orcus RAT in numerous campaigns directed against government entities, financial service organizations, information technology service providers, and other organizations.
  • The attackers infect systems via emails which purport to be from the Better Business Bureau and similar organizations. The emails contain a SendGrid URL which connects to a server a malicious compressed executable is located. The executable purports to be a PDF and runs the malware when executed. Later campaigns abandoned the SendGrid URL in favour of a malicious ZIP archive attachment which retrieves and executes the malicious file.  
  • The attackers utilized several unique TTPs such as persistence techniques usually associated with fileless malware, and evasion methods designed to circumvent automatic analysis. The threat actor also used DDNS pointed over to the Portmap service in an attempt to obfuscate their C2 infrastructure.

Source (Includes IOCs)

 

North Korean APT targets former South Korean government officials

  • According to Simon Choi of IssueMakersLab, a new campaign was carried out by Kimsuky Group between mid-July and mid-August 2019, targeting former South Korean government employees with spear-phishing emails. Kimsuky Group, also known as Velvet Chollima, is believed to be a North Korean state-sponsored cyber-espionage group.
  • The campaign targeted former ambassadors, military generals, and retired members of South Korea’s Foreign Ministry and Unification Ministry – a selection of victims said to be more vulnerable to such attacks than current officials.

Source

 

Leaks and Breaches

Additional healthcare entities affected by AMCA data breach

  • Wisconsin Diagnostic Laboratories, New York’s Mount Sinai Hospital, Integrated Regional Laboratories in Florida, and West Hills Hospital and Medical Center in California reported that they have been affected by the American Medical Collection Agency (AMCA) data breach. This adds nearly 190,000 victims to the AMCA data breach.
  • At present, 25 organisations reported to have been affected, amounting to 25 million patients who had their data exposed.

Source

 

MultiChoice credentials exposed online

  • During a live demo of ‘Google Dorking,’ security researcher Bright Gameli Mawudor discovered a file containing MultiChoice credentials on a misconfigured web server. MultiChoice is a South African company operating the Sub-Saharan African DStv Satellite Television service.
  • According to Mawudor, the leaked data could have enabled an attacker to shut down systems or manipulate live broadcasts. The file has since been taken offline.

Source

 

Wolcott Public Schools hit by ransomware

  • Wolcott Public Schools, Connecticut, were hit by a ransomware attack that affected all servers and network switches in the school district. No student data was compromised.
  • According to Wolcott Superintendent, the attack took place at the end of the last school year. As a number of files still remain encrypted, the Superintendent plans to pay the ransom.

Source

 

Vulnerabilities

Cisco releases patches for critical, high and medium security vulnerabilities

  • On August 28th, 2019, Cisco released patches for four medium, five high, and one critical vulnerability.  The medium and high security vulnerabilities are in Unified Computing System Fabric Interconnect, FXOS, NX-OS, and Nexus 9000 Series Fabric Switches
  • The critical flaw, tracked as CVE-2019-12643, is in the Cisco REST API virtual service container for Cisco IOS XE Software. The attack is triggered when an attacker submits a malicious HTTP request to the target device. Successful exploitation can result in the attacker obtaining the token-id of authenticated users. Use of this token allows an attacker to bypass authentication and perform privileged actions on the target device.
  • CVE-2019-12643 impacts Cisco 4000 Series Integrated Services Routers, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Cloud Services Router 1000V Series and Cisco Integrated Services Virtual Router.

Source 1 Source 2 

 

Apple releases additional security patches

  • Apple addressed vulnerabilities found in three of its operating systems that could enable an attacker to execute arbitrary code with system privileges. The newest security updates are iOS 12.4.1, macOS Mojave 10.14.6, and tvOS 12.4.1. A patch for watchOS was also released, however, the vulnerability in question was not specified.

Source

 

High severity flaw fixed in Chrome

  • The use-after-free vulnerability, tracked as CVE-2019-5869, was present in the open-source browser engine Blink that powers Chrome. It could allow an attacker to perform remote code execution, gain access to sensitive information, and cause denial-of-service attacks.
  • Google urges all users to update to Chrome 76.0.3809.132, which also patches an additional two flaws.

Source

 

Fortinet’s FortiOS SSL VPN web portal affected by vulnerabilities

  • CVE-2018-13379 is a path traversal flaw in FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download files through HTTP resource requests.
  • CVE-2018-13383 also affects Forti OS SSL VPN web portal and is a heap buffer overflow vulnerability that could allow remote code execution on FortiOS due to a failure to handle JavaScript content properly. The flaw could be exploited to terminate the SSL VPN web service for logged in users.
  • The last vulnerability, CVE-2018-13382, could allow an unauthenticated attacker to send specially crafted HTTP requests  to change the password of an SSL VPN web portal. A patch has been released for all three vulnerabilities.

Source

 

General News

US Cyber Command wipe Iranian database and computer systems

  • On August 28th, 2019, The New York Times reported that US Cyber Command launched an attack against computer systems used by the Islamic Revolutionary Guard Corps. The targeted systems were used by the Revolutionary Guard to target oil tankers and shipping traffic in the Persian Gulf. 
  • The attack, which took place on June 20th, 2019, destroyed a database, computer system and military communications network that have not yet been restored. 

Source

 

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 20 September 2019

      Malware Agent Tesla leveraged in email campaign Discovered by Xavier Mertens, the email campaign attempts to deliver an ACE archive labelled ‘Parcel Frieght...
  • Silobreaker Daily Cyber Digest – 19 September 2019

      Malware Ramnit returns with new capabilities Researchers at RSA Security observed several changes in the functionality, targets and methods of distribution of Ramnit....
  • Silobreaker Daily Cyber Digest – 18 September 2019

        Malware New TSCookie variant uses new configuration and communication protocols Researchers at Japan’s Computer Emergency Response Team Coordination Center observed a new...
View all News

Request a demo

Get in touch