Silobreaker Daily Cyber Digest – 30 September 2019
New trojan-delivered spyware discovered
- Masad Stealer is a new trojan-delivered spyware that uses Telegram as a C2 channel to exfiltrate stolen information and receive commands. The malware was discovered being advertised on black market forums as ‘Masad Clipper and Stealer’.
- The malware is capable of stealing usernames, passwords and credit card information, and automatically replaces cryptocurrency wallet addresses found in the clipboard with its own.
- When the malware is executed, it drops itself into a folder and creates a scheduled task that starts itself every minute. The malware then begins to collect sensitive information and zips it into a file, which is then bundled into the malware binary.
Source (Includes IOCs)
Arcane Stealer V malware provides threat actors with cheap information stealer
- Researchers at Fidelis identified a .NET information stealer, dubbed Arcane Stealer V, being sold online for approximately 9 US dollars. The malware was acquired by the researchers in July 2019 and appears to be built and distributed by a Russian-speaking threat actor.
- The malware can steal passwords, cookies, and forms from a range of browsers including Chrome, Comodo, and Amigo. Arcane Stealer V also collects cryptocurrency wallets files, Telegram sessions, Steam community data, OS data, and more.
- The researchers stated that Arcane Stealer will likely be popular with lower skilled threat actors but lacks ‘traversal, propagation, or destructive capabilities’ that would make it more attractive to APTs.
Source (Includes IOCs)
Adobe and Google open redirects used by phishing campaigns to add legitimacy
- Malicious actors have been observed using open redirects in their phishing campaigns to add legitimacy to the URLs used in their spam emails. Open redirects can be used by anyone to redirect users to another site and are not considered security vulnerabilities by most companies.
- Links in phishing emails are more likely to be clicked on if they belong to Google or Adobe, because this lends legitimacy to the email. VirusTotal data shows how heavily the Adobe redirect has been abused by phishing attacks.
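One way a mail filter can flag this pattern on the defender's side is to check whether a trusted-looking link carries a query parameter that bounces the user to another domain. The following is an added example written for this digest, not code from Silobreaker or any vendor; the sample links and the `.example` hosts are constructed, and the two-label domain comparison is a deliberate simplification of public-suffix matching.

```python
from urllib.parse import urlparse, parse_qs, unquote


def _registrable(host):
    """Crude registrable-domain approximation (last two labels).

    Assumption: good enough for illustration; a production filter would
    use the public suffix list so that e.g. co.uk is handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_open_redirect(link):
    """Return the external host a link redirects to, or None.

    Every query parameter is URL-decoded (again, to catch double encoding)
    and parsed as a URL. Protocol-relative values (//host/...) are treated
    as absolute, and the hostname is taken after any user@ part so that a
    value like https://www.google.com@evil.example/ is not mistaken for
    a same-domain target.
    """
    parsed = urlparse(link)
    if not parsed.hostname:
        return None
    link_domain = _registrable(parsed.hostname)
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for raw in values:
            candidate = unquote(raw)          # parse_qs decoded once already
            if candidate.startswith("//"):
                candidate = "https:" + candidate
            target = urlparse(candidate)
            if target.scheme in ("http", "https") and target.hostname:
                if _registrable(target.hostname) != link_domain:
                    return target.hostname
    return None


# Constructed sample links, not indicators from the digest.
SAMPLE_LINKS = [
    "https://www.google.com/url?q=https%3A%2F%2Fevil.example%2Flogin",
    "https://www.google.com/url?q=https://accounts.google.com/",
    "https://www.google.com/search?q=open+redirect",
    "https://redirector.example/r?url=https://www.adobe.com@evil.example/",
    "https://redirector.example/r?url=%2F%2Fevil.example%2Fsignin",
]


def triage(links):
    """Map each link to the external redirect target it carries (or None)."""
    return {link: find_open_redirect(link) for link in links}
```

Run `triage(SAMPLE_LINKS)` to see which of the constructed links would be flagged; only the links whose decoded parameter points off the link's own domain are reported.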
India’s Cyber Crime Police investigate Airtel SIM-swapping scams
- Five individuals have been accused of being involved in a SIM-swapping scam in which retail agents used forged Aadhaar papers to swap numbers. At least 18 Airtel customers have been affected since January 1st, 2019.
- The scam was first discovered by Airtel customers, who noticed their numbers had been switched with ‘fancy’ ones ending in digits such as 12345, 77777, 33333, or 00000. The Cyber Crime Police believe that thousands of numbers may have been duplicated and not only ‘fancy’ numbers are involved. At present, the purpose of the attacks remains unclear.
Scammers target Thomas Cook customers after company collapse
- Thomas Cook customers have been advised not to respond to unsolicited messages following the collapse of the company, as reports surfaced that customers have been contacted by cold callers claiming to work for a ‘refund agent’, who have been requesting bank or card details in order to reimburse them.
- UK banks have added to the confusion by also sending unsolicited text messages about the bankruptcy to customers, containing links and a phone number.
Information Rights Management password protected documents deliver Remcos RAT
- Researchers at Trustwave identified a spam campaign delivering Remcos RAT via a Word document protected with Information Rights Management (IRM) technology.
- The malicious emails used in the campaign purport to contain an attachment relating to either a job resume or invoice. The body of the email contains a password which can be used to access the IRM wrapped document.
- The document contains a macro which downloads an attachment with a self-extracting archive that will run Remcos RAT. The malware can be used to steal system information and to control the infected system.
Source (Includes IOCs)
Leaks and Breaches
1,751 Berry Family Services patients potentially affected by ransomware attack
- Berry Family Services was hit by a ransomware attack on July 10th, 2019, which potentially affected 1,751 of its patients. The purpose of the attack is believed to have been money extortion, rather than information theft, however access to patient data has not been ruled out. Potentially accessed data includes names, addresses, dates of birth, Social Security numbers, medical insurance information and related health information.
Hacker claims to have stolen millions of records from game company Zynga Inc.
- Pakistani hacker Gnosticplayers claims to have accessed the database for the games ‘Words with Friends’ and ‘Draw Something’. The database for Draw Something allegedly contains clear text passwords for over 7 million users.
- The ‘Words with Friends’ database allegedly contains the details of 218 million Android and iOS users who installed the game before September 2nd, 2019. Gnosticplayers shared a portion of the database with The Hacker News; the exposed details included names, email addresses, hashed passwords, and more.
- Zynga Inc. previously disclosed on September 12th, 2019, that it believed certain ‘Draw Something’ and ‘Words with Friends’ players had their accounts compromised by hackers. However, the company did not state how many players were affected or what data may have been accessed.
Arizona Department of Transportation increases security measures after identity theft
- The Arizona Department of Transportation (ADOT) announced that 164 drivers had their identities stolen. Criminals used the online site ServiceArizona to order duplicate driver licences. The stolen licences were used to open bank accounts and credit cards.
- In response to the attacks, ADOT has increased the details required to order a licence online. Additionally, the state is establishing an online fraud task force composed of cyber security and law enforcement professionals.
Fragrance Direct customer details exposed by ‘malicious code’
- England-based online perfume retailer Fragrance Direct disclosed that an attack on its site resulted in criminals obtaining names, addresses, phone numbers, and credit and debit card details.
- Fragrance Direct’s founder stated that the data was accessed by ‘malicious code’. The Register speculated that the attack was a MageCart infection.
Schoolchildren mental health monitoring app contains hardcoded login credentials
- Privacy advocate Gareth Llewellyn discovered that the ‘AS Tracking’ Android app produced by Steer contained hardcoded username and password pairs. Steer provides apps that allow for monitoring the mental health of schoolchildren.
- The company stated that it will rewrite its apps to eliminate the issue. Steer asserted that it did not ‘believe that any sensitive data was accessible, or exposed.’
Security researcher publishes iOS jailbreak that exploits Bootrom vulnerability
- A security researcher, going by the Twitter handle axi0mX, published a new jailbreak that affects all iOS devices running on A5 to A11 chips. Vulnerable devices include iPhone 4S to iPhone 8 and iPhone X. The jailbreak does not affect A12 or A13 chipsets.
- Abusing a vulnerability found in Apple’s Bootrom, the exploit, dubbed Checkm8, can allow phone owners to take full control over their device. Unlike typical iOS operating system jailbreaks, the Bootrom jailbreak cannot be patched with a software update. Software-based jailbreaks are usually patched within weeks, whereas this vulnerability would need a physical modification to the device chipsets, which would require recalls or mass replacements from the company.
- A beta version of Checkm8 is freely available on GitHub, however ZDNet has warned users without proper technical skills to refrain from using it, as it could result in bricked devices.
Multiple security flaws found in Request a Quote plugin
- Multiple security failures in the WordPress Request a Quote plugin could result in a cross-site scripting attack, as well as cross-site request forgery.
Vulnerability in SIM cards’ Wireless Internet Browser (WIB) app exploitable via over-the-air attack
- Researchers at Ginno discovered a vulnerability in SIM cards that allows an attacker to take control of a victim’s phone by sending an over-the-air (OTA) SMS to their phone number. The OTA function is used by network operators to modify the contents of a SIM card without establishing a physical connection.
- If an attacker is able to send OTA SMS, they can send the target device an SMS containing WIB commands that can be used to send messages, report location, set up calls, and more.
- The researchers stated that they have been aware of the vulnerability since 2015 but did not disclose it due to its ease of exploitation and the difficulty of patching it. The flaw is present on millions of SIM cards worldwide.
UK police will have access to encrypted WhatsApp messages under new treaty
- According to Bloomberg, a new treaty between the US and the UK, due to be finalised in October, would mean that Facebook, including WhatsApp, as well as other US-based social media platforms will be required to hand over users’ encrypted messages to the UK police for use in serious crime investigations.
German authorities arrest 7 in dark web raid
- German police stated that they have arrested seven people, and are investigating six more, following the raid of a Dark Web hosting operation that reportedly supported child porn, cybercrime and drug markets. The raid revealed hundreds of servers housed within a heavily fortified military bunker, located in Traben-Trarbach on the Mosel River in Western Germany.
- The Associated Press reported that websites supported by the operation include the well-known ‘Wall Street Market’ and the drug markets ‘Cannabis Road’ and ‘Orange Chemicals’.
- The police seized $41 million in funds tied to these sites, over 200 servers, and at least two website domains belonging to Herman Johan Xennt, and self-proclaimed anarchist Sven Kamphuis. Xennt and Kamphuis are reportedly known for hosting ‘scammers, fraudster, pedophiles, [and] phishers…’
Google removes 49 apps by Chinese developer iHandy
- Google removed 46 apps by the Chinese mobile developer iHandy from its Play Store due to ‘deceptive or disruptive ads.’ A further three apps were removed following Buzzfeed’s report on the removal, and the investigation is still ongoing. Those removed included selfie apps, security apps, antivirus apps, and more, and had been downloaded tens of millions of times.
Iranian government warns energy sector to be on full alert for cyber attacks
- On September 29th, 2019, Iran’s oil minister Bijan Namdar Zanganeh stated that ‘All companies and facilities of the oil industry should be fully alert to physical and cyber threats as sanctions target the petroleum industry’. The minister’s statement follows an escalation in tensions between Iran and the US.
China states that they were not involved in hacking of Airbus
- On September 27th, 2019, Beijing denied involvement in a series of hacks which targeted Airbus. An AFP report contained allegations from unnamed security and industry sources who linked the attacks to hackers who are linked to the Chinese Communist Party.
- Chinese foreign ministry spokesman Geng Shuang branded the reports as a ‘smear’ and stated that China ‘is a firm defender of network security.’
Defence contractors in Europe and North America hit by cyber-attacks
- Rheinmetall AG and Defence Construction Canada (DCC) were hit by cyber-attacks in September that resulted in the disruption of their information technology systems.
- Rheinmetall AG reported that the IT infrastructure of its plants in Brazil, Mexico and the US has been affected by malware attacks since the evening of September 24th, 2019. It predicts that the disruption could last between two and four weeks. DCC stated that its information technology systems were disrupted on Wednesday, September 11th.
- There are currently no further details on the attacks, or the malware used.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.