Silobreaker Daily Cyber Digest – 7 May 2019
Researchers release Evil Clippy tool for red team testing
- The tool, dubbed Evil Clippy, modifies Office documents at the file-format level to generate malicious versions. These versions are able to bypass the static analysis of antivirus engines and evade utilities used for the manual inspection of macro scripts.
- Evil Clippy was created by researchers at the Dutch testing company Outflank, intended for professionals running red team attacks against a client organisation. The tool runs on Windows, macOS and Linux.
- Evil Clippy uses VBA stomping to generate a maldoc: the original VBA source code stored in the document is replaced, while the compiled VBA pseudo-code (p-code) is retained. The tool also evades detection by replacing the macro source code with a fake script that does not trigger an alert. The malicious pseudo-code is still executed when the modified Office file is opened.
MegaCortex Ransomware discovered in the wild
- Discovered by researchers at Sophos, MegaCortex ransomware has been observed targeting corporate networks and workstations in the US, Italy, Canada, Ireland, France and the Netherlands. Once a target has been compromised, the attackers attempt to attack the entire network by distributing ransomware using Windows domain controllers.
Barium hacker group linked to three years of supply-chain attacks
- Supply-chain attacks undertaken over the last three years, which have been observed exploiting the software distribution channels of at least six different companies, have now been attributed to a single group of hackers. The suspected group is the Chinese-speaking hackers dubbed Barium (also known as ShadowHammer, ShadowPad or Wicked Panda).
- The group has been using supply-chain attacks to infect thousands of computers in a single operation. Barium has reportedly used this technique to infect victims, and subsequently sort through them to find espionage targets.
- The group has hijacked software updates from computer manufacturer ASUS as well as the PC cleanup tool CCleaner. The group has so far focused its efforts on espionage, rather than the destruction of systems.
Israel bombs building in retaliation to Hamas cyber-attack
- The Israeli Defence Forces announced that a building used by Hamas cyber operatives was bombed on Saturday in a joint operation undertaken by the Israel Security Agency (Shin Bet) and Unit 8200 of Military Police, in response to a failed cyber-attack against Israel.
- The attack was made during a period of intense fighting between Israel and the Palestinians, during which approximately 900 rockets were fired. An IDF spokesperson stated, ‘Hamas no longer has cyber capabilities after our strike.’
New extortion email scam threatens to release sex tape
- Scammers have been sending emails stating that they have a sex tape of the victim and themselves and threaten to release the tape unless a payment of $1,500 in Bitcoin is made.
Further exploitation of WebLogic critical deserialization zero-day
- Following reports by Palo Alto’s Unit 42 on the Oracle WebLogic zero-day critical deserialization vulnerability tracked as CVE-2019-2725, Unit 42 has observed a significant variety of payloads deploying cryptominers to vulnerable systems. Payloads used include a new version of the Muhstik botnet and the new ransomware dubbed Sodinokibi.
- There are reportedly approximately 41,000 publicly accessible WebLogic instances remaining in the wild, as well as an unknown number of private instances in enterprise environments. Unit 42 has stated that it expects a surge of exploitation attempts in the coming weeks.
Source (Includes IOCs)
Hawkeye keylogger uses file-less delivery system via Amazon AWS
- My Online Security detected an increase in emails delivering the Hawkeye keylogger either via a ZIP file containing the malware itself or via a Word document with malicious macros.
- The ZIP file was observed to contain a shortcut file that uses Amazon AWS cloud services to retrieve the keylogger. This means the malware binary never needs to be written to disk on the victim’s computer, making the delivery file-less.
Source (Includes IOCs)
Optus customers targeted by email scam campaign
- Customers of the Australian telecommunications provider have been targeted by emails purporting to be from Optus that lure them into clicking malicious links. The emails are disguised as bill notifications and redirect users to phishing sites.
Third-party Android store distributes SMS trojan
- Zscaler has reported on the distribution of an unknown SMS trojan by a third-party app store called ‘Smart Content Store’.
- Apps downloaded via the store request administrative privileges and send device and location details to the attacker’s domain. The malware appears to be under development. It attempts to send nonsense SMS messages to a variety of phone numbers and has access to victims’ contact lists.
Source (Includes IOCs)
Code repository commits wiped by attackers
- Code and commits are being wiped from GitHub, GitLab and BitBucket user repositories, with ransom notes being left behind. It appears that victims were all using multiple Git-repository management platforms as well as the SourceTree Git Client.
- The ransom note asked users to send 0.1 BTC (roughly $568) to the attackers’ Bitcoin address if they wish for the attackers to return their code. If the ransom is not paid within 10 days, the attackers threaten to make the code public.
- BleepingComputer discovered 392 impacted repositories on GitHub that had their code and content wiped using an account called ‘gitbackup’. It appears that even though users had 2FA enabled, attackers were still able to access their accounts, with one user stating that they never received a 2FA message indicating a successful login.
College campus stores hit by card skimmers
- A card skimmer has been discovered on 201 online merchandise and campus book stores, which serve 176 colleges and universities in the US and 21 in Canada. It is unknown how much payment information has been compromised.
APT3 used Equation Group tools prior to Shadow Brokers leak
- According to Symantec researchers, APT3 (also known as Buckeye) was using Equation Group tools – including a previously unknown Windows zero-day – during attacks that took place in 2016. The zero-day was patched in March 2019.
- Equation Group tools were leaked by the Shadow Brokers in 2017, meaning that the Chinese APT had access to classified tools, including one that installed a variant of DoublePulsar, at least a year before the leak occurred.
- Although APT3 is believed to have stopped operating in mid-2017 after the indictment of several members, the Equation Group tools it leveraged were still in use until late 2018.
Source (Includes IOCs)
Leaks and Breaches
Watertown Daily Times hit by Ryuk ransomware
- The newspaper, based in the state of New York, was hit by Ryuk on April 27th. The ransomware quickly spread to the parent Johnson Newspaper Corporation, affecting servers used for internal sharing of content used to produce newspapers in Watertown, Hudson and Massena.
Potential data breach affects Health Service Executive
- A man discovered sensitive patient data on a street in Cork City, Ireland. The data, which included patient names and surgical procedures, was related to patients attending the plastic surgery department of Cork University Hospital. The investigation remains ongoing.
Michigan patients affected by Inmediata Health Group data breach
- A data breach at the Puerto Rico-based Inmediata Health Group may have exposed personal and medical information of Michigan patients. The affected information includes addresses and Social Security numbers.
Hackers breach UNIFAST database
- Hackers breached the database of the Filipino Unified Student Financial Assistance System for Tertiary Education (UNIFAST). The breach exposed the personal data of 1,130,899 Tertiary Education Subsidy (TES) applicants including their student IDs, full names, birthdates, parents’ names, and addresses.
Ireland’s Passport Service suffers multiple data breaches
- According to the Irish Examiner, over 50 data breaches have been reported by the Passport Service, mostly as the result of staff errors involving passports being posted to the wrong address.
Buena Vista Horace Mann student data compromised
- Several students from the Buena Vista Horace Mann (BVHM) school in San Francisco had their information exposed when a district worker emailed their information to an unauthorised person.
- The email contained student identification numbers, student names, student usernames and default passwords for San Francisco Unified School District (SFUSD) systems. In addition, passwords for tools including SFUSD email, Student portal, and a digital learning application, for all current and some former BVHM students, were sent to some families in the district.
Hacker takes over at least 29 IoT botnets
- A hacker known as Subby brute-forced the backend panels of at least 29 IoT botnets’ C2 servers. Subby found that the botnets were using weak or default credentials.
Cisco patches high severity vulnerabilities in TelePresence and ASA 5500 Firewalls
- CVE-2019-1721 is a bug in Expressway Series and TelePresence Video Communication Server. It can allow an unauthenticated remote attacker to trigger a denial-of-service condition.
- CVE-2019-1694 can also trigger a denial-of-service condition and affects Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
- Cisco also patched a number of other medium severity vulnerabilities.
Vulnerability in WordPress WP Live Chat
- Alert Logic researchers discovered a now-patched bug in the WP Live Chat plugin, v8.0.11, for WordPress. CVE-2019-11185 could allow an attacker to upload arbitrary code to vulnerable systems, because of a flaw in the validation logic used to process uploaded files.
Remote code execution flaws discovered in Dell SupportAssist
- Security researcher Bill Demirkapi discovered two vulnerabilities, tracked as CVE-2019-3718 and CVE-2019-3710, in the Dell SupportAssist app which can allow attackers using address resolution protocol (ARP) spoofing to perform remote code execution.
- The SupportAssist app is preinstalled on Dell computers running Microsoft Windows and thus does not affect those with Linux or no OS. The issue was patched in SupportAssist v22.214.171.124.
Vulnerabilities patched in General Electric power meter software
- ICS-CERT reported that GE Communicator, a tool used for configuring power meters, has five separate vulnerabilities in versions prior to 4.0.517.
- These are CVE-2019-6564 and CVE-2019-6546 (uncontrolled search path), CVE-2019-6544 and CVE-2019-6566 (improper access controls) and CVE-2019-6548 (hard-coded credentials).
Three serious flaws discovered in PrinterLogic software
- The current and older versions of PrinterLogic Print Management Software contain three high-severity flaws that could be exploited by attackers to reconfigure the software and remotely execute code.
- CERT/CC at Carnegie Mellon University’s Software Engineering Institute discovered that PrinterLogic fails to properly validate the PrinterLogic management portal’s SSL certificate and PrinterLogic update packages. The flaws are tracked as CVE-2018-5408 and CVE-2018-5409, respectively. In addition, PrinterLogic also fails to sanitize web browser input, a flaw tracked as CVE-2019-9505.
- CVE-2018-5408 could be exploited by an attacker introducing an invalid or malicious certificate, allowing them to conduct a man-in-the-middle attack. CVE-2018-5409 can be exploited to execute malicious code by ‘compromising the host server, performing DNS spoofing or modifying the code in transit.’ CVE-2019-9505 could be exploited to allow remote unauthorised changes to configuration files.
Vulnerabilities discovered in Jenkins plugins
- The first vulnerability is CVE-2019-5022, an issue in the Jenkins Self-Organizing Swarm Modules Plugin. It is an XML External Entity (XXE) issue that could allow an attacker on the same network as a Swarm client to read arbitrary files from the system.
- The second vulnerability is CVE-2019-5025, an information disclosure vulnerability in Jenkins Ansible Tower Plugin.
- The third vulnerability is an issue in the Jenkins GitLab plugin, CVE-2019-5027. This is an information disclosure vulnerability that could allow a user who sends a specially crafted HTTP request to have credentials stored in Jenkins transmitted to an attacker-controlled server.
Expired certificate disables Firefox add-ons for millions of users
- The expired certificate also prevents users from re-activating or re-installing extensions. The issue impacts users of all Firefox versions, including Stable and Nightly, as well as the Tor Browser which supports Firefox add-ons.
- Mozilla announced a temporary hotfix for the issue that will be automatically applied to users’ browsers.
Choicelunch CFO arrested for stealing competitor’s data
- Keith Wesley Cosbey of Choicelunch was charged by the FBI with unlawful computer access, fraud and identity theft for stealing customer meal preference information from school lunch provider The Lunchmaster.
- In order to undermine his competition, Cosbey allegedly stole data on hundreds of thousands of students and sent it anonymously to the local government department charged with overseeing lunch programs.
Ukrainian man arrested for running extended malvertising campaign
- 31-year-old Oleksii Petrovich from Ukraine has been arrested after allegedly running multiple malvertising campaigns between October 2013 and May 2018. Petrovich was extradited to the US from the Netherlands and is facing charges including ‘one count of conspiracy to commit wire fraud, four counts of wire fraud, and one count of computer fraud.’
- Petrovich was arrested by Dutch authorities following an investigation by the US Secret Service Criminal Investigations and the National High-Tech Crime Unit of the Dutch National Police and the UK’s National Crime Agency.
Credit union sues Fiserv after investigation into major vulnerabilities in software
- A Pennsylvania-based credit union is suing Fiserv for alleged security vulnerabilities discovered in the company’s software that have been ‘wreaking havoc’ on customers. The investigation began after KrebsOnSecurity reported on security weaknesses in the Fiserv platform that exposed personal information and financial details of customers across hundreds of bank websites.
- In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union after they launched a similar investigation into Fiserv’s systems and discovered that the platform allowed anyone to reset online banking passwords for customers just by knowing their account number and the last four digits of their Social Security number.
Bug in Mirai code can cause crash in C2 servers
- Ankit Anubhav, principal researcher at NewSky Security, has explained a trivial bug in the code of the Mirai bot that causes its C2 server to crash. Anubhav discovered that a Mirai C2 server crashes when someone connects to it using a sequence of 1025 or more ‘a’ characters as the username.
- This bug has been exploited by threat actors in the wild to crash the C2 servers of rival hacker groups.
Dark web marketplaces’ servers seized by authorities
- The two marketplaces, Wall Street Market and Valhalla, had their servers seized by law enforcement agencies in Finland and Germany, alongside the arrests of suspects in Germany, Brazil and the US.
- Multiple organisations were involved in the takedown, including the US Drug Enforcement Administration, the US Internal Revenue Service, the FBI, the Dutch National Police, Europol and Eurojust.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.