Silobreaker Daily Cyber Digest – 30 April 2019
McAfee publishes analysis of LockerGoga ransomware
- McAfee’s report includes a comprehensive technical analysis of LockerGoga following the discovery of samples with newly added features.
- New features of note include the use of parallel tasking to encrypt the system and logging files for debugging purposes. In addition, they found that the new samples encrypted legitimate DLLs, which broke the functionality of specific applications in the system.
Source (Includes IOCs)
Pirate streaming hardware preloaded with malware
- The Digital Citizens Alliance has found that piracy-based streaming hardware, sold to enable free streaming of copyright-protected content, often contains large amounts of malware capable of modifying router settings, planting malware on other network devices and stealing user credentials. By installing these malware-laced devices, users have effectively helped an attacker bypass their own network security.
- It was also discovered that the criminals behind the devices found a way of posing as popular streaming sites, such as Netflix, to facilitate illegal access to a legitimate Netflix subscription.
- It is estimated that there are over 12 million active users of these types of devices in the US alone and as a result they present a huge target to hackers who want to exploit them.
Fake cheating and hacking tools discovered
- The fake hack tools and cheats for popular video games and websites are designed to trick users into thinking they will receive free currency or an in-game advantage, but instead the tools steal the user's login credentials. Targets include websites such as PayPal and Facebook, and games such as Apex Legends and Roblox.
Tech support scam uses iframe trick to freeze browsers
- Trend Micro have reported on a new version of a common tech support scam (TSS). This variant uses iframes to create a loop that freezes the target's browser. Like similar scams, the intention is to frighten users into calling a fake tech support number displayed in one of the pop-ups.
Source (Includes IOCs)
‘Fake address bar’ attack aimed at Chrome for Android
- After a page has loaded on Google Chrome for Android, the application gives users more screen space by hiding the URL bar.
- Developer James Fisher has suggested that phishing attackers can abuse this to catch users off guard by showing a fake URL bar built into the phishing web page. This would make a phishing site appear legitimate by displaying a fake, legitimate-looking URL alongside a green padlock.
Ad fraud developer removed from Google Play Store
- The developer DO Global was discovered offering six applications containing adware that performed click fraud even while the app was closed. These were published under generic publisher names rather than under DO Global.
- Google has removed all applications by this developer from the store, and it has been suggested that the company may receive an outright ban for its activities. DO Global ‘fully accepts’ Google’s decision to remove the applications.
TrickBot spread via malicious email
- A researcher at FortiGuard Labs has published a report on a suspicious email they received that attempted to deliver TrickBot. The email prompted the recipient to visit a malicious URL, which downloaded a zip archive. The archive contains a VBS script that, when run, downloads TrickBot and executes it.
Source (Contains IOCs)
Church suffers BEC attack
- $1.75 million has been stolen from Saint Ambrose Catholic Parish Church as the result of a successful Business Email Compromise attack. An FBI investigation found that the parish's email system had been hacked and that staff were tricked into believing their building contractor had changed bank accounts. As a result, they wired funds to the fraudster.
- The church is working with multiple parties, including the FBI, to investigate further, and has determined that the breach was limited to two email accounts. It has also submitted an insurance claim to recover the stolen funds.
MuddyWater group uses predominantly homemade tools
- Kaspersky Lab has published an analysis of MuddyWater's toolset, including the tools used for lateral movement and data exfiltration. Most are written in C#, Python and PowerShell, and several third-party scripts are used for credential extraction.
- MuddyWater focuses on attacking government and telecommunications organisations in the Middle East and nearby regions. Kaspersky note that the group has had several OPSEC failures, including usernames embedded in Word documents, Chinese-language strings and a possible attempt to impersonate the "RXR Saudi Arabia" hacking group.
Leaks and Breaches
Microsoft Outlook email breach found to be targeting cryptocurrency users
- Earlier this month Motherboard reported that hackers had accessed Outlook users' email metadata and content by using a Microsoft customer support worker's login details, which allowed access to any non-corporate Outlook, Hotmail or MSN account.
- Following this, several users have reported that they believe the motivation behind the breaches was to steal from the associated cryptocurrency accounts.
- One user reported that the hackers had access to emails that allowed them to reset the password of the victim's Kraken account and withdraw their bitcoin. The user also provided evidence of an email forwarding rule that had been placed on his account, which meant that every time 'Kraken' was mentioned the emails were automatically forwarded to an attacker-controlled address.
Millions of Americans' data exposed via database leak
- The 24GB unprotected database contained information on approximately 80 million American households and was found on a Microsoft cloud server. The database is currently being traced to its owners by a group of researchers.
- The leaked information includes full addresses including longitudes and latitudes, full names, dates of birth, marital statuses and incomes.
Oracle releases patch for WebLogic zero-day flaw exploited in attacks
- CVE-2019-2725 is a critical deserialization flaw in the wls9_async and wls-wsat components of WebLogic, which allows unauthenticated remote command execution. Proof-of-concept code for the flaw was made available, after which companies reported seeing attacks exploiting the vulnerability.
- The Knownsec 404 Team discovered tens of thousands of exposed WebLogic instances using the ZoomEye search engine. In one instance, the SANS Institute reported that it observed the flaw being exploited to deliver cryptocurrency miners to vulnerable systems.
Underground market ‘Wall Street Market’ executes exit scam
- On and around 20 April, users reported that the dark net market known as Wall Street Market had performed an exit scam. Usually when an exit scam is performed, assets are frozen due to alleged 'technical difficulties', after which the entire market is taken offline and the funds are stolen.
- In this instance Wall Street Market froze transactions, which led to speculation in channel messages about a possible scam.
- A public address has been identified as the destination of the stolen funds. From there, a series of withdrawals totalling 2,067 bitcoin, or approximately $11.5 million USD, is being broken down and laundered via various avenues.
Ex-DJI employee sentenced to prison
- The former employee of the Chinese drone manufacturing company was sentenced to six months in prison and fined approximately $30,000 USD for unauthorised disclosure of company data onto GitHub.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.