Silobreaker Daily Cyber Digest – 5 March 2019
New Python-based payload MechaFlounder used by Chafer
- In November 2018, the Chafer threat group targeted a Turkish government entity using the domain win10-update[.]com and a secondary payload hosted on the IP 185.177.59[.]70. Palo Alto’s Unit 42 discovered that the second payload is Python-based and was compiled into executable form using PyInstaller.
- Unit 42 was unable to determine how the attackers were targeting victims, but it was able to analyse the malicious executable downloaded from the identified IP address. The file, named ‘Isass[.]exe’, was downloaded from win10-update[.]com via an HTTP request.
- The file is a previously unknown Python-based payload, dubbed MechaFlounder, that supports file upload and download as well as command execution.
New CryptoMix ransomware variant discovered
- Discovered by MalwareHunterTeam, the new CryptoMix variant appends the .CLOP or .CIOP extension to encrypted files and drops a ransom note containing the contact emails for payment instructions. The distributed variant is also code-signed with a digital signature, making the executable appear more legitimate.
- Prior to encryption, CryptoMix stops Windows services and processes such as Microsoft Exchange and Microsoft SQL Server, disables antivirus software and closes open files. Upon launching, it also runs a batch file that disables shadow volume copies and automatic startup repair and clears all orphaned shadow volume copies.
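As an added illustration of how a defender might spot the pre-encryption behaviour described above (this is example code written for this digest, not Silobreaker’s, MalwareHunterTeam’s or any vendor’s), the Python script below scans constructed process-creation log lines for shadow-copy deletion, disabled startup repair and stopped database or mail services, and flags a host only when two or more of those behaviours occur within five minutes. The log line format and the specific command-line patterns are assumptions drawn from widely documented ransomware tooling; the digest does not state which commands the CryptoMix batch file actually runs.

```python
"""Detect ransomware-style pre-encryption activity in process-creation logs.

Added example, not from the Silobreaker digest or any vendor report. The
command-line patterns are assumptions based on commonly documented ransomware
behaviour; the digest only says the sample stops Exchange/SQL services and runs
a batch file that disables shadow copies and automatic startup repair.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One behaviour category per pattern group. A host hitting two or more
# categories inside WINDOW is flagged; a single hit alone is too noisy
# (administrators do legitimately delete shadow copies or stop SQL).
PATTERNS = {
    "shadow_copy_deletion": [
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"wmic(\.exe)?\s+shadowcopy\s+delete",
    ],
    "startup_repair_disabled": [
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    ],
    "database_or_mail_service_stopped": [
        r"(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\"?(mssql|msexchange)",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in PATTERNS.items()}
WINDOW = timedelta(minutes=5)

# Constructed log format (assumption): "<iso-timestamp> host=<h> parent=<p> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample data, not a real capture. fs01 shows the full sequence,
# ws07 only lists shadow copies (benign), db02 shows two behaviours hours apart.
SAMPLE_LOG = [
    "2019-03-05T08:12:01 host=fs01 parent=cmd.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "2019-03-05T08:12:02 host=fs01 parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No",
    "2019-03-05T08:12:02 host=fs01 parent=cmd.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2019-03-05T08:12:04 host=fs01 parent=cmd.exe cmd=net stop MSSQLSERVER /y",
    "2019-03-05T08:12:05 host=fs01 parent=cmd.exe cmd=net stop \"MSExchangeIS\" /y",
    "2019-03-05T09:40:10 host=ws07 parent=explorer.exe cmd=vssadmin list shadows",
    "2019-03-05T10:01:00 host=db02 parent=services.exe cmd=net stop MSSQLSERVER",
    "2019-03-05T16:30:00 host=db02 parent=cmd.exe cmd=vssadmin delete shadows /all",
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one log line into (timestamp, host, parent, cmd); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], m["parent"], m["cmd"])


def classify(cmd):
    """Return the set of behaviour categories a command line matches (may be empty)."""
    return {cat for cat, regs in COMPILED.items() if any(r.search(cmd) for r in regs)}


def detect(lines):
    """Return {host: sorted categories} for hosts showing >= 2 categories within WINDOW."""
    events = defaultdict(list)  # host -> [(timestamp, category)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not treated as evidence
        ts, host, _parent, cmd = parsed
        for cat in classify(cmd):
            events[host].append((ts, cat))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct categories seen from this event forward, within the window.
            cats = {c for t, c in evs[i:] if t - start <= WINDOW}
            if len(cats) >= 2:
                alerts[host] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    for host, cats in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

Running the script flags only fs01: the benign `vssadmin list shadows` on ws07 matches no category, and db02’s two behaviours fall outside the five-minute window, which is the point of correlating categories rather than alerting on any single command.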
JCry Ransomware used in ongoing campaign
- Popular Israeli sites have been targeted as part of the ongoing #OpJerusalem campaign in an attempt to infect users with JCry ransomware. An error in the code caused compromised websites to show a defacement instead of distributing the ransomware: the malicious file was only served if the user’s operating system matched the exact string ‘Windows’, but the value reported by users’ browsers was more specific, such as ‘Windows 7’ or ‘Windows 10’, so the malware was never served.
- The attack took advantage of a vulnerable web accessibility plugin available on some sites. When users went to use it, the plugin’s modified DNS records would load a malicious script rather than the legitimate one.
- The intended payload came in the form of a fake Adobe Flash Player installer, which, when executed, encrypted users’ files and demanded a ransom to release them.
PwC links perpetrators behind SamSam ransomware to WEX cryptocurrency exchange
- PricewaterhouseCoopers (PwC) released a new bulletin in which they link the Iranian nationals behind the SamSam ransomware campaign to the WEX cryptocurrency exchange.
- WEX, previously known as BTC-e, is known for its alleged involvement in the laundering of around $4 billion used to fund the activities of a threat actor tracked by PwC as Blue Athena.
Researchers discover ring of GitHub accounts promoting over 300 backdoored applications
- The malicious apps include Windows, Mac and Linux applications as well as software libraries, and contain code that gains boot persistence on infected systems and subsequently downloads further malicious code.
- Security team DFIR.it analysed the apps and discovered they downloaded a Java-based malware called Supreme NYC Blaze Bot. This malware is a ‘sneaker bot’ that adds infected systems to a botnet that would later partake in online auctions for limited-edition trainers.
- Some of the apps and libraries with backdoored versions include MinGW, GCC, FFmpeg and EasyModbus, as well as various Java-based games. Other GitHub accounts were also created to boost the popularity of the malicious repositories.
APT40 targets maritime, engineering, transportation and defence industries
- FireEye researchers released an analysis focusing on the activities of APT40, a threat actor that has conducted multiple cyber espionage campaigns, demonstrating a particular interest in maritime and naval technology. APT40 has also targeted engineering, transportation and defence industries, particularly in areas overlapping with maritime technologies.
- The Chinese state-sponsored threat actor has also focused its attacks on countries strategically important to the Belt and Road Initiative such as Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the US and the UK.
- APT40’s attacks begin with phishing emails sent to targets, before deploying malware such as Gh0st RAT, AIRBREAK, BADFLICK or China Chopper to maintain persistence on a compromised network. The threat actor also uses website and web-server compromise as a means of attack and leverages a wide range of tools, including exploits for known CVEs. Once a foothold is gained, APT40 harvests credentials, allowing it to expand its reach across the network and move laterally towards its ultimate goal of stealing intelligence.
Brazilian banks targeted with fileless banking trojan
- Researchers at Trend Micro discovered fileless malware, dubbed Ofbus, that leverages multiple batch files capable of opening an IP address and downloading a PowerShell script, which in turn delivers a banking trojan payload complete with RADMIN and an information stealer. The information stealer appears to scan for strings related to three Brazilian banks: Banco Bradesco, Banco do Brasil and Sicredi.
- The stolen PII is then either abused or sold by the attacker, with the still-infected systems at the risk of being leveraged in a botnet or mass-email attacks.
Source (Contains IOCs)
Leaks and Breaches
Admin access to Chinese railway company sold on dark web
- Sixgill researchers found that an ‘experienced threat actor’ was selling access to the admin panel of a Chinese rail control system on a Russian-language dark web forum. This access would permit criminals to manipulate train control systems, affecting over one million residents living in China’s Hubei Province. The name of the company has not been disclosed.
Access to stolen information from bait-and-switch websites for sale on dark web
- Data obtained from breached bait-and-switch websites is being auctioned off by cybercriminals. The data includes DMV and arrest records, phone number lookups, people searches and genealogy reports. It is estimated that approximately four million records are for sale, which include names, email addresses, passwords and contact numbers.
- Brian Krebs and researchers at Intel 471 believe that the data belongs to both Penguin Marketing and Terra Marketing Group, which operate out of Alberta, Canada.
Google Project Zero researcher publicly discloses zero-day in Apple macOS kernel
- The flaw resides in the way the macOS XNU kernel allows an attacker to manipulate filesystem images without informing the operating system.
- The vulnerability could be exploited by an attacker to bypass the copy-on-write functionality and cause unexpected changes in memory shared between processes, potentially leading to memory corruption attacks.
- Jann Horn disclosed the vulnerability after Apple failed to fix the flaw after 90 days of being notified.
Vulnerability discovered in WooCommerce
- Researchers at FortiGuard Labs have discovered a vulnerability in WooCommerce, a popular e-commerce plugin for WordPress. CVE-2019-9168 is a cross-site scripting vulnerability that may allow an attacker to inject arbitrary code into WooCommerce-powered sites. This could allow an attacker to hijack a session and steal sensitive information and credentials from the victim’s browser.
- The vulnerability affects WooCommerce versions up to 3.5.4, and the team have since issued a patch fixing the issue.
Vulnerabilities discovered in visitor management systems
- IBM’s X-Force Red team released a report detailing 19 bugs across five leading visitor-management systems. Affected systems include EasyLobby Solo by HID Global and eVisitorPass by Threshold. Vulnerabilities include CVE-2018-17489, a social security number information disclosure issue in EasyLobby Solo, and CVE-2018-17493, an eVisitorPass Fullscreen button breakout privilege escalation.
Source (Contains IOCs)
Vulnerabilities discovered in Smart Ski Helmet Headphones
- The vulnerabilities were discovered in Outdoor Tech CHIPS smart headphones and allow a bad actor to view users’ personal information, track their GPS location and even listen in on private conversations over the walkie-talkie functionality.
- An attacker is able to bypass authorisation checks present in the system and access even more data, such as users and email addresses via the API, and password hashes and password-reset codes in plain text.
- The researchers reached out to the developers, but they reportedly have not acknowledged the security issue, and they did not wish to comment on the issue to Threatpost.
Patched critical flaw in Cisco routers exploited in the wild
- According to experts from the International Institute of Cyber Security, a recently patched vulnerability, tracked as CVE-2019-1663, in Cisco routers has been exploited in the wild. The flaw affects router models RV110, RV130 and RV215.
- The flaw exists in the web-based management interface of the routers and could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. Cisco issued a patch on February 27th, 2019.
Founder of cryptocurrency firm indicted over $6m scam
- 48-year-old Randall Crater of East Hampton, New York was arrested and charged last week with four counts of wire fraud and three counts of unlawful monetary transactions. The charges are linked to his company, My Big Coin Pay, and the reportedly fraudulent gold-backed currency he created and marketed to investors, My Big Coins.
- It is alleged that Crater told an investor that he had 300 million in gold backing, despite the currency not being backed by gold or any other assets. Crater and two others, including Mark Gillespie, reportedly misappropriated approximately $6 million in investor funds in a scam running from 2014 to 2017.
Security experts question German Police decision to store bodycam footage on Amazon Servers
- The Federal Police announced that they will be using a cloud service from Amazon to store bodycam videos, because Amazon is the only company in Germany that is certified by the Federal Police for Information Security. The data will be encrypted and stored on servers located in Germany.
- Security officials are concerned that US intelligence agencies could access the data and threaten sovereignty ‘over the core state function of internal security.’ In addition, there are also concerns over potential unauthorised access and data leaks.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.