Silobreaker Daily Cyber Digest – 30 May 2019
HiddenWasp malware targets Linux systems
- Intezer researchers discovered a new strain of Linux malware dubbed HiddenWasp. It appears to have been created by Chinese hackers and is used for targeted remote control.
- The researchers found similarities between HiddenWasp and the recently discovered Linux variant of Winnti malware. These include the use of a user-mode rootkit, a trojan, and an initial deployment script. Similarities were also spotted in malware used by ChinaZ. HiddenWasp also adapted pieces of code from different open-source projects, such as the open-source rootkit Azazel.
- The initial infection vector is currently unknown; however, the researchers suspect HiddenWasp is deployed on already compromised devices. The malware remains active and allegedly has a zero-detection rate across all major AV systems.
Source (Includes IOCs)
YouTube cryptocurrency scam campaign delivers Qulab infostealer
- A security researcher known as Frost discovered an ongoing campaign on YouTube in which videos are used to promote a ‘bitcoin generator’ tool that promises to generate free bitcoins for users. Instead, the campaign infects victims with Qulab trojan.
- Qulab is an information-stealing and clipboard-hijacking trojan that will attempt to steal browser history, saved browser credentials, browser cookies, saved credentials in FileZilla, Discord credentials, and Steam credentials. Qulab is also capable of stealing .txt, .maFile and .wallet files from a computer.
- Additionally, the trojan monitors a user’s clipboard for cryptocurrency addresses and will swap them with a different address controlled by the attacker.
Turla utilise improved PowerShell scripts to target diplomatic entities in Eastern Europe
- Researchers at ESET observed that Russian-speaking APT group Turla recently improved the PowerShell scripts they use for direct, in-memory loading and execution of malware executables and libraries. The scripts were first detected in 2018 and are currently being used to load a wide range of custom malware.
- According to the researchers, the PowerShell scripts differ from other droppers in that they persist on the system and regularly load only the embedded executables into memory. In some cases, they were also modified to bypass the Antimalware Scan Interface (AMSI). The scripts are used to load various payloads including an RPC backdoor and a PowerShell backdoor, which the researchers also analysed.
- Confirmed targets included diplomatic entities in Eastern Europe; however, it is likely the same scripts were also used worldwide against ‘traditional’ Turla targets in Western Europe and the Middle East.
Over 50,000 MS-SQL and PHPMyAdmin servers breached and infected
- Researchers at Guardicore Labs have tracked a China-based campaign dubbed ‘Nansh0u’, targeting Windows MS-SQL and PHPMyAdmin servers around the world. Over 50,000 servers from the healthcare, telecommunications, media and IT sectors were breached.
- The attackers run a series of brute force attacks against port-scanned MS-SQL servers, escalating privileges through the exploitation of CVE-2014-4113. They then infect servers with a malicious payload that drops a crypto-miner and installs a signed kernel-mode rootkit. Twenty different payload versions were used throughout the campaign.
- Although this is a crypto-mining attack, researchers noted that fake certificates and privilege escalation exploits are more commonly used by APTs. They are confident that the campaign was operated by Chinese actors.
Source (Includes IOCs)
Leaks and Breaches
POS malware discovered at Checkers and Rally’s restaurant chains
- The two US restaurant chains disclosed a data breach that impacted 102 of their locations. Point-of-sale (POS) malware was planted on the chains’ payment processing system, and extracted data such as cardholder names, card numbers, card verification codes, and expiration dates.
- Most of the 102 restaurants had the malware installed between early 2018 and 2019. Some locations were infected in 2017, with the earliest infection occurring in September 2016.
Unprotected database exposes data of Snaptrip customers
- Security researcher Bob Diachenko discovered an unprotected MongoDB database belonging to Snaptrip, a UK marketplace for cottage holiday deals.
- The database contained 1,006 records of personal and payment information of customers, including full name, email, phone number, full address and full card details, as well as admin credentials and hashed account passwords. The company has since secured its database.
Attackers exploit XSS vulnerability in WordPress Live Chat Support plugin
- Zscaler ThreatLabZ researchers detected what appears to be the first campaign abusing a cross-site scripting (XSS) flaw in the WordPress Live Chat Support plugin.
- Attackers are exploiting the vulnerability and injecting malicious scripts that redirect users, pushing unwanted pop-ups and fake subscriptions. According to the researchers, the number of compromised websites is increasing.
- The flaw affects all versions of the plugin prior to 8.0.27. It was patched on May 16th, 2019.
Source (Includes IOCs)
Critical flaw in WordPress Convert Plus plugin patched
- The vulnerability was discovered by Wordfence researchers who have now reported that it has been patched in the new Convert Plus version 3.4.3.
- The vulnerability permitted unauthenticated users to register new accounts with arbitrary user roles, up to and including Administrator accounts.
Trend Micro release analysis of critical RCE flaw in Windows DHCP Server
- The vulnerability, tracked as CVE-2019-0725, is a remote code execution (RCE) flaw in the Windows Dynamic Host Configuration Protocol (DHCP) Server. The vulnerability doesn’t require user interaction and affects all versions of Windows Server.
- The vulnerability is a use-after-free caused by a race condition. In their blog post, Trend Micro detail how the race condition is triggered and how the flaw can be exploited by attackers.
White hat hacker discovers code execution vulnerability in Microsoft’s Notepad text editor
- Google Project Zero researcher Tavis Ormandy stated that the vulnerability is a memory corruption bug. Ormandy showed that the vulnerability can be exploited to launch a command prompt and confirmed that he had already developed a ‘real exploit’.
- Microsoft have been given 90 days to release a patch before the details of the vulnerability are released.
Mimecast’s new report finds increase in impersonation phishing attacks
- According to Mimecast’s 2019 report on email security, 67% of surveyed organizations observed an increase in impersonation phishing attacks in the last year. 41% of organizations also saw an increase in internal threats and data leaks.
- The report also found that phishing attacks remain a top threat, with 94% of organizations experiencing one in the last 12 months.
New Zealand Police confirm that Treasury site was not hacked following budget leak
- Details of the New Zealand Treasury’s budget were leaked online earlier this week after a cloned version of the website was indexed on the live website. An unknown party utilised a website search tool to reveal elements of the new budget.
- Treasury Secretary Gabriel Makhlouf had previously claimed that the Treasury had been ‘deliberately hacked’. However, Police found no evidence of illegal activity.
National Security Agency conspired with Norwegian spies to target Russian civil targets
- A document leaked by Edward Snowden showed that the NSA sought cooperation with Norwegian Intelligence Services (NSI) in April 2005.
- The document reveals that the NSA and NSI discussed targeting Russia’s petroleum sector.
Phantom Secure CEO sentenced to 9 years in prison for selling encrypted phones to criminal gangs
- Canadian citizen Vincent Ramos, the CEO of Phantom Secure, knowingly sold custom PGP-encrypted BlackBerry smartphones to criminal gangs in the US, Mexico, and Australia. The phones were utilized by members of the Sinaloa Cartel and Hells Angels Biker Gang to traffic drugs and arrange murders.
- Phantom Secure sold over 20,000 devices, half of which were sold in Australia. At the time of Ramos’ arrest at least 7,000 units were operational.
Apple sued over allegations that they sold data relating to customers’ iTunes transactions
- Three customers filed a case in a San Francisco court, claiming that Apple sells, rents, transmits, and/or discloses data relating to customer purchases on iTunes. The data allegedly includes names, addresses, music genres and songs purchased.
- The claimants assert that they are launching the class action lawsuit on behalf of hundreds of thousands of users in their states.
UK government cyber-official says security in the telecom sector is broken
- During a keynote speech at the GSMA’s Mobile360 Security for 5G conference, Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), said that ‘security is fundamentally broken in the telecoms sector.’
- He also referred to the telecom supplier Huawei as a ‘paragon of bad security,’ echoing the conclusion of the recent NCSC Oversight Board report, which claims that Huawei’s mobile network has the potential of being used as a base for espionage operations.
Mobile devices primary target for threat actors
- According to PhishLabs, mobile devices have become a primary target for threat actors due to the increased online traffic from these devices.
- SMS phishing, especially in the financial industry, increased significantly in 2018. An increased use of phish kits, specifically made for mobile-based phishing, was also observed. This increase is most likely due to the difficulty in tracking SMS attacks and the lack of spam filtering for SMS messaging.
- The most targeted operating systems in 2018 were Android at 75%, followed by iOS at 23%, and the most active mobile trojans were BankBot, RedAlert2, and Marcher.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.