Silobreaker Daily Cyber Digest – 29 October 2019
Adload malware continues to evade security solutions
- SentinelOne researchers have observed an increasing number of reports of attempted Adload macOS malware infections. Adload is an adware strain that attempts to install a man-in-the-middle web proxy. This proxy redirects users’ web traffic through the attacker’s chosen servers, with the aim of hijacking and redirecting a user’s web browsers for financial gain.
- Adload was first discovered in 2017, with at least two variants known to Apple’s XProtect, yet the malware’s authors continue to adapt Adload to evade security solutions and maintain persistence. For example, the newer variants no longer contain the string ‘getSafariVersion’, which would trigger a detection.
- Additionally, Adload installs under a number of different names, including Kreberisec, Apollo, Aphrodite Searchdaemon, and more. To avoid simple static detections, its variants also have different hashes.
- A full analysis of Adload is available on SentinelOne’s blog.
Source (Includes IOCs)
American Cancer Society targeted in Magecart attack
- Security researcher Willem de Groot discovered malicious skimming code embedded into American Cancer Society’s online shop by Magecart. The group is known for selling stolen credit card numbers on the dark web or using them to commit fraud.
- The loader code was found twice in the legitimate GoogleTagManager analytics code, most likely because one of the copies is faulty. It searched for ‘checkout’, after which it loaded the actual skimming code from a server hosted in Irkutsk, Russia.
- The code has since been removed; however, anyone who entered payment details on the site last week is advised to contact their payment provider.
Turkish companies targeted in DDoS attacks
- Turkish officials confirmed that a recent disruption to internet traffic in Turkey was due to distributed denial-of-service attacks on Türk Telekom and Garanti BBVA, as well as other companies. The attacks were reportedly relatively small-scale and are believed to have originated from abroad, mainly from the US, Canada, Russia and China.
- Türk Telekom successfully intercepted the attacks and service is now back to normal. Garanti BBVA stated that access problems had been resolved, yet the company is still working on resolving problems with access to the lender’s digital services from abroad.
Strontium hacker group targets sporting authorities and anti-doping organisations
- Microsoft Threat Intelligence Center researchers discovered that the Strontium hacker group carried out a series of cyber-attacks against at least 16 sporting and anti-doping organisations, located on three continents. Entities previously targeted by Strontium include governments, militaries, law firms, human rights organisations, and more.
- The attacks began on September 16th, 2019, and utilised a variety of techniques that the group has used in previous campaigns, including spearphishing, password spraying, and the use of custom and open-source malware. The researchers stated that in some cases the attacks were successful.
Sextortion scammers exploit hacked WordPress and Blogger sites
- BleepingComputer reported that hackers are accessing WordPress and Blogger sites to perpetrate sextortion scams. The compromised sites display a message which states that the user has a RAT on their device which has recorded them watching adult content. The user is then prompted to pay a ransom.
- In actuality there is no malware related to the sextortion message on the user’s device, and it is unclear how the hackers are compromising the sites.
- Analysing over 1,500 hacked Blogger accounts and over 200 hacked WordPress accounts showed that the campaign has been successful. Three bitcoin wallets associated with the attack have received bitcoin payments totalling approximately $110,000.
Source (Includes IOCs)
Recent 777 Ransomware campaign suggests links to Trickbot actors
- Researchers at Pondurance observed a recent 777 Ransomware campaign which may suggest that the actors behind Trickbot have shifted focus and are now additionally compromising vendors, rather than relying solely on malspam to spread the malware.
- The observed campaign involved threat actors gaining access to a vendor-managed system before returning to typical Trickbot techniques. The threat actors gained access by pivoting through servers with Trickbot backdoors and by leveraging the same accounts as Trickbot actors.
- Two shellcodes were observed, one of which injects victims’ processes with numerous payloads, including Bloodhound, PupyRAT containing a LaZagne plugin, a Shifu-related keylogging payload, and 777 Ransomware.
Source (Includes IOCs)
E-skimmer placed on online store for Sixth June Paris fashion retailer
- Rapid Spike security researcher Jenkins discovered a skimming script on the checkout page of the online retailer Sixth June. The site uses the Magento e-commerce platform; the attackers tailored the malicious code to steal customers’ card information.
- The researcher identified that the script had been placed on the checkout page at some point before October 23rd, 2019. Despite contacting the CEO of Sixth June, the malicious code remained active.
Steam users targeted by hackers seeking to acquire in-game purchases
- Beginning in June 2019, researchers at Kaspersky identified a surge in hackers targeting Steam users via phishing attacks. The researchers stated that the attackers are seeking to gain access to accounts with in-game purchases which they can re-sell.
- Victims are lured to sites that purport to sell in-game items; the fake sites are at times ‘impossible to distinguish from the real thing’. To convince their victims of the sites’ legitimacy, the attackers employ security certificates, support HTTPS, warn about cookies, and more.
- Users who click on any link on the malicious site are prompted to enter their Steam login name and password. Following this the victim is asked for their 2FA code. Entered information is exfiltrated to the attacker.
Up to 2,000 Georgian websites hit by cyber attacks
- On October 28th, 2019, up to 2,000 websites in Georgia were impacted by a cyber attack which displayed an image of exiled former President Mikheil Saakashvili, alongside the message ‘I’ll be back!’. Attacked websites included those which belonged to the president, courts, government agencies, NGOs, and media outlets.
SWEED attacks Italian precision engineering companies
- Security researcher Marco Ramilli identified an attack targeting an Italian precision engineering company. The attack, which was identified on October 26th, 2019, begins with an email purporting to come from a customer. The email contains a malicious Excel document which contains an object that exploits CVE-2017-11882, a flaw in the Equation Editor component of Microsoft Office.
- Targets who open the Excel document unknowingly trigger the exploit, which executes code that drops a Windows PE file. The dropped PE file searches for the victim’s passwords and exports them to the attacker’s C2. The researcher stated that the User-Agent, pushing path and net-trace were reminiscent of LokiBot malware.
- Based on the attack’s TTPs and communication schema, the researcher proposed that the attack was conducted by the SWEED threat actor.
Source (Includes IOCs)
Multiple South African ISPs targeted in DDoS attacks
- Afrihost, Echo, Liquid Telecom, Axxess and Webafrica were targeted in distributed denial-of-service attacks on October 27th, 2019, resulting in intermittent connectivity issues for subscribers.
- According to Liquid Telecom, the original attack was aimed at one of its clients and is re-occurring sporadically. Afrihost stated that it appears the attacks were not specifically against Afrihost or Echo, Afrihost’s service provider.
Leaks and Breaches
Details of over 1.3 million payment cards dumped on Joker’s Stash
- Researchers at Group-IB reported that a new dump of 1.3 million card details has been added to the carding shop Joker’s Stash. The majority of the cards appear to belong to Indian customers: of the more than 550,000 cards that the researchers analysed, over 98% belong to Indian banks.
- The dump contains Track 1 and Track 2 data, which is found on the card’s magnetic stripe. This suggests that the card details were acquired from skimming devices on ATMs or PoS systems. The cards are currently being sold for $100 per card. At present, the party behind the card dump remains unidentified.
VMware ESXi, Workstation, and Fusion impacted by denial-of-service vulnerability
- Researchers at Cisco Talos identified a flaw, tracked as CVE-2019-5536, in select versions of VMware Fusion, VMware ESXi, and VMware Workstation that could lead to a DoS condition. The attack can be conducted by a malicious actor who has normal privileges. An attacker can trigger the vulnerability by providing a specially crafted shader file.
Bitdefender releases Ouroboros ransomware decryptor
- Bitdefender published its Ouroboros ransomware decryption tool, which can be used to decrypt files with the Lazarus and Lazarus+ extensions. The decryptor does not work for the Kronos variant.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.