Silobreaker Daily Cyber Digest – 3 May 2019
Emsisoft releases free decryptor for MegaLocker and NamPoHyu ransomware
- Emsisoft has released a freely available decryptor for NamPoHyu ransomware, also known as MegaLocker, that has been targeting exposed Samba servers.
Qakbot displays new evasion and persistence technique in latest campaign
- Cisco Talos has observed a new malware campaign distributing a Qakbot banking trojan variant that uses a persistence technique with new evasion capabilities, making removal much more difficult.
- Upon infection, the variant was found to add scheduled tasks to compromised systems. These tasks download the malware’s binary split across several archives and then reassemble it on the infected system. The malware is relaunched after each system restart to avoid removal.
Retefe banking trojan returns in 2019
- Proofpoint researchers have reported on the resurgence in Retefe attacks against Switzerland and Germany in April of 2019, despite only limited use in 2018.
- Newer versions of the malware include a number of changes. Retefe uses Stunnel rather than Tor for proxy redirection and C2, leverages Smoke Loader in place of sLoad, and abuses a packed shareware application called “Convert PDF to Word Plus 1.0”, written in Python.
- Current attacks against macOS systems deliver malicious payloads using developer-signed versions of fake Adobe installers.
Forcepoint publishes report on TinyPOS
- The report analyses over 2000 samples of the TinyPOS point-of-sale malware, explaining delivery, execution, exfiltration and obfuscation techniques.
Old Coinhive script injected with new code
- The end of the Coinhive service resulted in a large drop in web-based cryptocurrency mining; however, its code is still present on a number of websites and devices.
- According to Malwarebytes researcher Jérôme Segura, the code that remains is being injected with a new miner called WebMinePool, which is described as a ‘multifunctioning mining service for site owners and individuals’. WebMinePool does not run an email verification at sign up, which makes it easier for nefarious actors to abuse the tool.
Scammers create fake customer support ads for popular sites
- Scammers are creating ads in Google search results that are posing as customer support for popular sites such as eBay, PayPal and Amazon. When they are called, the scammers pose as customer relations staff from the respective company and state that they need a code from a Google Play gift card before they can help.
- BleepingComputer has identified multiple versions of these scams, which use parentheses, pipes and Unicode symbols to bypass Google’s automated ad quality screening tools.
Magecart Group 12 targets OpenCart websites
- The group used a domain name posing as a script for Microsoft’s Bing search engine; the domain has since been taken offline.
- According to RiskIQ telemetry, OpenCart is in the top three most frequently used shopping platforms worldwide.
Hackers target piracy apps to install malware and steal data
- Digital Citizens Alliance has reported that hackers are using illicit devices and apps to access pirated content in order to spread malware and exploit users. The researchers observed malware from piracy apps stealing usernames and passwords, probing user networks and uploading data without consent.
- When a user downloaded or streamed content from the piracy app Mobdro, the malware contained in the app forwarded the researchers’ WiFi network name and password to a server in Indonesia. The malware then probed for vulnerabilities in the network and uploaded 1.5 terabytes of data without permission.
- Further details on the scam can be found in the Digital Citizens Alliance report.
Scammers target social media influencers
- An increasing number of online scammers are managing to gain access to the page admin rights of social media influencers, leading to a significant loss of followers. The influencers are being targeted predominantly by phishing emails or messages.
- One victim was approached by a scammer offering to help him monetise his page through advertisements. The victim was sent a link that redirected to a website with a survey; when he logged in 30 minutes later, he discovered that his page credentials and many of his followers had gone.
US power grid suffered from DDoS attack
- A first quarter report for 2019 by the National Energy Technology Laboratory states that a cyber event caused interruptions of electrical system operations.
- The incident occurred on March 5th, 2019 at 9:12AM, at an unspecified utility overseen by the Western Electricity Coordinating Council with systems restored by 6:57PM the same day. It affected counties in California, Utah and Wyoming.
Researchers analyse APT34’s Glimpse project
- Following on from the leak of APT34’s internal tools, Marco Ramilli of Yoroi has analysed one of them, the Glimpse project. The package contains a readme explaining how to set up a Node.js server and a Windows server to run one of the package’s applications, a standalone tool that can control infected machines.
- It also contains a VBS script that runs a sophisticated PowerShell payload. The payload leverages DNS communication channels to talk to an attacker-controlled C2 server.
- Ramilli calls the Glimpse project a ‘stereotype’ of APT34, both in its design, and in its behaviours.
Leaks and Breaches
Employment website Ladders suffers data breach
- Approximately 14 million user records belonging to employment website Ladders have been exposed in a data breach as a result of an exposed Elasticsearch database. The database was discovered by Sanyam Jain, who was quick to inform the necessary parties, who took the server down.
- Exposed data includes names, addresses, email addresses, phone numbers and previous employment histories.
US Restaurant POS provider suffers data breach
- The Grill at Calvary Chapel, Fort Lauderdale, suffered from a payment card security incident as a result of an issue with their third-party point-of-sale solution provider, Pinnacle Hospitality Systems. A malicious actor gained access to a Pinnacle employee remote service account, and remotely deployed card-stealing malware on POS devices.
- The unspecified malware was running on The Grill’s POS devices between July 23rd, 2018 and February 20th, 2019. The malware searched for track data read from a payment card’s magnetic stripe, and additionally stole cardholder names as well as the card number, expiration date and internal verification code.
SilentCards hacker group steals Ksh400 million from local bank
- A local cyber cartel in Kenya, dubbed SilentCards, which branched off from the larger hacker group Forkbombo Group, allegedly stole Ksh400 million from a local bank in 2018. Ksh400 million is the equivalent of approximately £3 million.
- The group reportedly collected as many credentials as possible using previously unreported malware, and then stole the money in small batches to avoid being caught. They later accessed the money via mobile money transfers and overseas Visa or Mastercard cards.
D-Link camera vulnerable to MitM interception
- ESET researchers discovered that D-Link’s DCS-2132L cloud camera has a variety of security issues, the most serious of which is its unencrypted transmission of video between the camera, the cloud and the client-viewer application.
- The camera also had a flawed web browser plugin which is responsible, amongst other things, for forwarding video and audio data stream requests through a tunnel. This tunnel is available for the whole operating system, such that any user or application on the client’s computer can access the camera’s web interface while it is streaming.
- While the plugin issue has been fixed, persistent issues include the camera exposing port 80 publicly, and the ability to run malicious firmware updates using the previously described tunnel. This latter attack is, however, non-trivial.
10KBLAZE exploits could impact 90% of SAP production systems
- Onapsis has reported that 90% of 1 million SAP production systems could be at risk of being hacked by threat actors due to publicly released critical exploits, dubbed 10KBLAZE, that are targeting misconfigured SAP installations.
- The exploits can be leveraged to abuse a configuration issue in SAP NetWeaver installations that could lead to a full system compromise, without attackers needing a valid SAP user ID and password. A full compromise of the system could allow attackers to extract information, delete all data or shut down systems completely.
Vulnerabilities fixed in Revive Adserver
- Two vulnerabilities have been patched in the open-source ad server software. The vulnerabilities do not have official identifiers.
- The first was a deserialization of untrusted data issue, which would allow an attacker to send a specially crafted payload to gain access to an Adserver instance and deliver malware.
- The second vulnerability was an open redirect issue that can allow a remote attacker to trick a logged-in user into opening a specially crafted link, redirecting them anywhere the attacker chooses.
The Silobreaker Team