Silobreaker Daily Cyber Digest – 30 January 2019
Sucuri researchers discover spam injector disguised as license key in WordPress website
- According to the researchers’ blog post, the spam injector was formatted to look like a WordPress theme’s license key.
Emotet and Hancitor re-emerge in January
- Cofense researchers detected the re-emergence of the Emotet trojan and Hancitor following the end of the 2018/2019 holiday period. Emotet was observed pairing up with the IcedID trojan while Hancitor was seen delivering Ursnif.
Altran Technologies infected with new LockerGoga ransomware
- Altran Technologies was attacked on January 24th, 2019, by malware that spread through the company network and affected some of its operations. In response, Altran shut down its network and applications to protect client data and assets.
- The malware used in the breach is reportedly likely to be LockerGoga ransomware, which analysts described as ‘sloppy, slow, and made no effort to evade detection.’ The ransomware launches itself with the ‘-w’ command line argument and creates a new process for each file it encrypts, which makes the encryption process very slow.
- LockerGoga appends the ‘.locked’ extension to encrypted files and drops a ransom note containing an email address to contact for payment instructions. Analysis also found that the LockerGoga sample was signed with a valid certificate.
BankBot Anubis uses Chinese characters and Telegram Messenger for C&C communication
- According to PhishLabs researchers, this represents two significant changes in the way perpetrators behind BankBot Anubis operate. The threat actors have previously used public Twitter accounts to post tweets containing encoded C&C URLs in an attempt to conceal their C&C infrastructure. Now, they have been spotted using Chinese characters to further encode the C&C strings.
- In addition, they have also started using Telegram Messenger for their C&C communication.
Cryptopia hack continues with additional theft of $180,000 in cryptocurrency
- The initial breach took place on January 14th, 2019 and resulted in the theft of $16 million worth of cryptocurrency. Now, Elementus reports, a further $180,000 from another 17,000 Cryptopia wallets has been stolen.
- Elementus also states that the perpetrator still possesses private keys and can thus withdraw funds from any Cryptopia wallet. Moreover, despite the ongoing incident, Cryptopia users are still depositing funds into their Ethereum wallets.
Formbook info-stealer uses a file hosting service in new activity
- Deep Instinct’s analysis of recent Formbook activity led to the discovery of a new malware-friendly file hosting service, which is used by the threat actors to distribute their malware.
- In the latest campaign, Formbook is propagated via phishing emails containing malicious RTF attachments which exploit vulnerabilities in Microsoft Office, including CVE-2012-0158 and CVE-2017-11882. Once the payload is dropped and executed, Formbook will steal as much information as possible, including account usernames and passwords, sending the information back to the C&C server.
- During analysis, the researchers found that the threat actors were using malware-friendly file hosting services such as Cloudflare to deliver their malicious payloads.
New APT28 malware campaign discovered
- Discovered by Emanuele De Lucia and analysed by Cybaze-Yoroi ZLAB, the malware sample was identified as Zepakab, a malicious downloader attributed to APT28. The attack vector remains unclear, but it appears to rely on decoy documents containing a malicious macro.
- Zepakab is written in the AutoIt language, and the script did not include any obfuscation or anti-analysis techniques. It contained a C&C URL, a payload path, some functions and a main routine, which sends encoded information about the victim to the C&C server over an SSL-encrypted HTTP channel.
- The C&C server analyses the information sent about the victim, and if the machine is deemed a target, the final payload is delivered. The server was down during the researchers’ analysis, so they were unable to investigate the payload.
Leaks and Breaches
Security researcher discovers unsecured MongoDB databases exposing Kremlin’s backdoor account
- Victor Gevers discovered a backdoor account, ‘admin@kremlin[.]ru’, on over 2,000 MongoDB databases that have been left without a password. The account could be used to gain access to sensitive information from thousands of businesses operating in Russia such as local banks, financial institutions, telecommunications providers or even Disney Russia.
- Gevers later found that the same account permitted access to unsecured MongoDB databases belonging to Ukraine’s Ministry of Internal Affairs.
Cisco Talos discover several vulnerabilities in coTURN
- The first flaw, tracked as CVE-2018-4056, is an SQL injection vulnerability that exists in the administrator web portal function of coTURN. The vulnerability can be leveraged by using a login message with a specially crafted username to cause an SQL injection that results in an authentication bypass, potentially resulting in the attacker gaining access to the TURN server administrator web portal.
- CVE-2018-4058 is an unsafe default configuration flaw that exists in the TURN server function of coTURN. This flaw can be triggered by setting up a relay with a loopback address as the peer on an affected TURN server.
- CVE-2018-4059 is another unsafe default configuration flaw that exists in the TURN server. The flaw allows any attacker who can gain access to the telnet port to gain administrator access to the TURN server.
Vulnerabilities discovered in popular IoT devices
- Researchers at Dark Cubed and Pepper IoT reported that many popular consumer devices suffer from security flaws ranging from missing encryption certificate validations to a lack of encryption for data. Affected devices include smart cameras, smart plugs and security systems from manufacturers such as TP-Link, Wyze, iHome and Merkury.
- Some of the vulnerabilities are not present in the devices themselves, but rather in the applications that accompany them. For example, the Merkury lightbulb app requires a significant number of permissions, including the permission to access the user’s location at all times, record audio, and read and write external storage on the user’s phone, and it contains hard-coded links to 40 third-party websites.
Vulnerability discovered in Microsoft Exchange
- Discovered by Dirk-jan Mollema, the vulnerability in Microsoft Exchange 2013 onwards allows an attacker to escalate their privileges when performing an NT LAN Manager (NTLM) relay attack. Any user with a mailbox is able to escalate their privileges to gain Domain Admin access. According to the researcher, this attack can be performed by getting Exchange to authenticate to an arbitrary URL over HTTP via the PushSubscription feature.
- The attack can also be performed using compromised credentials, but an attacker who is positioned to perform a network attack would not even require these. Proposed mitigations include removing the high privileges that Exchange holds on the Domain object, and blocking Exchange servers from connecting to workstations on arbitrary ports.
FireEye publish report on APT39 activity
- The report covers analysis of APT39 based on their tracked activity since November 2014. The Iranian espionage group focuses predominantly on the theft of personal information, which FireEye assess is likely to support Iran’s monitoring, tracking and surveillance operations.
- The report includes analysis of operational intent, shared similarities between other groups, their attack lifecycle, and predictions for the group’s behaviour going forward.
New report on two hacker groups that dominate cryptocurrency theft
- Chainalysis has reported that the two groups together are responsible for stealing approximately $1 billion worth of cryptocurrency so far, which accounts for at least 60% of publicly recorded hacks.
- The first group has been described as a ‘giant, tightly controlled organisation’, while the second group is reportedly smaller and less organised, with very little regard for evading detection.
Israeli Prime Minister accuses Iran of cyber-attacks
- Benjamin Netanyahu, the Prime Minister of Israel, has accused Iran of launching daily cyber-attacks. He stated that they are seen, monitored and foiled ‘all the time’, stating that Israel has a national cyber defence effort and a robust cyber security industry that is in many ways ‘unmatched’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.