Blueliv Intelligence Briefing

Your cybersecurity news summary

Friday, July 3rd, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Communications system used by criminals to trade drugs and guns “successfully penetrated”

The NCA worked with forces across Europe on the UK's "biggest and most significant" law enforcement operation. Major crime figures were among over 800 Europe-wide arrests after messages on EncroChat were intercepted and decoded. More than two tonnes of drugs, several dozen guns and £54m in suspect cash have been seized, says the NCA. While the NCA was part of the investigation, it was initiated and led by French and Dutch police, and also involved Europol. Learn more >

DarkCrewBot – The Return of the Bot Shop Crew

Researchers recently discovered an ongoing, evolving campaign from a known hackers’ group, “DarkCrewFriends.” This campaign targets PHP servers, focusing on creating a botnet infrastructure that can be leveraged for several purposes such as monetization and shutting down critical services. DarkCrewFriends has been quite active over the last few years. Learn more >

ThiefQuest ransomware is a file-stealing Mac wiper in disguise

A new data wiper and info-stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. The victims get infected after downloading trojanized installers of popular apps from torrent trackers. While not common, ransomware has been known to target the macOS platform in the past, with KeRanger, FileCoder (aka Findzip), and Patcher being three other examples of malware designed to encrypt Mac systems. Learn more >

Connection discovered between Chinese hacker group APT15 and defense contractor

A report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree. The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China's border regions but also living abroad in at least 14 other countries. Learn more >

How EKANS ransomware targets industrial control systems

The EKANS ransomware family is one strain that has been used in targeted ICS campaigns. Researchers were able to obtain two modern samples, one from May and another compiled in June, which revealed some interesting features. Both Windows-based samples are written in Go, a programming language widely used in the malware development community because it is relatively easy to compile for different operating systems. Learn more >

Emergency Firefox update for search issues

After releasing Firefox 78 yesterday, Mozilla quickly halted its rollout via automatic updates due to problems discovered with the built-in search functionality. Today, Mozilla has released a new version 78.0.1 to fix these issues and has resumed auto-updates. In a Mozilla bug, it was reported that numerous search issues occurred after installing Firefox 78. Learn more >

Netgear releases fixes for ten vulnerabilities affecting nearly 80 of its products

Four of the flaws have been rated high severity; they can be exploited by an unauthenticated attacker with network access to the vulnerable Netgear device to execute arbitrary code with admin or root privileges, and to bypass authentication. The US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert warning of the Netgear router flaws. The CERT/CC also published a security advisory related to one of the above vulnerabilities, which can be exploited by an unauthenticated attacker to gain remote code execution with root privileges. Learn more >

Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos is a RaaS (Ransomware as a Service) that provides buyers and affiliates with a customized tool to build unique payloads. This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. Learn more >

Xerox allegedly suffers Maze Ransomware attack

The company declared over $1.8 billion in revenue in Q1 2020 and has 27,000 employees across the globe. It currently ranks 347th on the Fortune 500 list. Maze ransomware operators claim to have stolen more than 100GB of files from Xerox and threaten to publish them if the company does not pay the ransom. Learn more >

New Mac ransomware spreading through piracy

Researchers found a malicious Little Snitch installer available for download on a Russian forum dedicated to sharing torrent links. A post offered a torrent download for Little Snitch, followed by several comments that the download included malware. The researchers discovered that not only was it malware, but a new Mac ransomware variant that was spreading via piracy. Learn more >

FakeSpy Masquerades as Postal Service Apps Around the World

A new campaign is up and running using newly improved, significantly more powerful malware as compared to previous versions. FakeSpy is under active development and is evolving rapidly; new versions are released every week with additional evasion techniques and capabilities. The analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group, commonly referred to as "Roaming Mantis". Learn more >

Out-of-band security updates to patch two vulnerabilities in Microsoft Windows

The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as critical while the second received an important severity rating. In both cases, the remote code execution issue is caused by the way that Microsoft Windows Codecs Library handles objects in memory. After successfully exploiting CVE-2020-1425, attackers "could obtain information to further compromise the user’s system," while successful exploitation of CVE-2020-1457 could lead to arbitrary code execution on vulnerable systems. Learn more >

PROMETHIUM extends global reach with StrongPity3 APT

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, a research team has identified around 30 new C2 domains. They assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year. Learn more >

Glupteba: Hidden Malware Delivery in Plain Sight

About a month ago, researchers noticed a spike in the number of samples belonging to the same malware campaign, most of them with the filename app.exe. This malware, which turned out to belong to a family called Glupteba, spreads using EternalBlue, and downloads additional payloads. Glupteba malware does something novel: It uses the bitcoin blockchain as a communications channel to receive updated configuration information. Learn more >

Bundlore (macOS) mm-install-macos

The mm-install-macos variant of the Bundlore family of macOS adware has been around for many years in many variations and delivery methods. Recently, an alternative with a novel installation method was discovered. Although most of the installation details were the same or similar to the other samples analyzed, these new samples modified the sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also utilizes a form of obfuscation not observed before in this family, hiding compressed data in a resource fork on a downloaded script file. Learn more >

US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

Eight cities across three states in the United States have fallen victim to a Magecart card skimming attack. In these attacks, their websites were compromised to host credit card skimmers that passed on the credit card information of residents to cybercriminals. These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. Learn more >

WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations

Symantec, a division of Broadcom, has identified and alerted their customers to a string of attacks against U.S. companies by attackers attempting to deploy the WastedLocker ransomware on their networks. The end goal of these attacks is to cripple the victim's IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion-dollar ransom. At least 31 customer organizations have been attacked, meaning the total number of attacks may be much higher. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks. Learn more >

GeoVision access control devices let hackers steal fingerprints

In a new report by Acronis, researchers disclose numerous vulnerabilities in GeoVision surveillance equipment and fingerprint scanners. Acronis’ security team found four critical vulnerabilities in GeoVision's devices, including a backdoor password with admin privileges, the reuse of cryptographic keys, and the disclosure of private keys to everyone. All of these vulnerabilities could allow state-sponsored attackers to intercept potential traffic. The CVEs made public by Acronis include CVE-2020-3928, CVE-2020-3930, and CVE-2020-3929, and were found in fingerprint scanners, access card scanners, and access management appliances being used around the world. Learn more >

Almost 300 Windows 10 executables vulnerable to DLL hijacking

A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10. In a new report from PwC UK security researcher Wietze Beukema, we learn that almost 300 Windows 10 executables are vulnerable to DLL hijacking. Nearly 300 executables in the System32 folder are vulnerable to relative path DLL hijacking, and with a simple VBScript some of these EXEs can be used to elevate execution, bypassing UAC entirely. Learn more >

Chinese malware used in attacks against Australian orgs

The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country. Behind the attack is a “sophisticated” adversary that relies on slightly modified proof-of-concept exploit code for older vulnerabilities, the government says. Unofficial attribution points to China. The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of Telerik UI. Learn more >

Chinese bank forced western companies to install malware-laced tax software

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today. The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China. Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer's network. Learn more >

GuLoader: Peering Into a Shellcode-based Downloader

GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6); the VB6 code is just a wrapper for a core payload implemented as shellcode. It is distributed via spam email campaigns with archived attachments that contain the malware. The majority of malware downloaded by GuLoader is commodity malware, with AgentTesla, FormBook, and NanoCore being the most predominant. This downloader typically stores its encrypted payloads on Google Drive. Learn more >

Hackers hide credit card stealing scripts in favicon EXIF data

Hackers are always evolving their tactics to stay one step ahead of security companies. A perfect example of this is the hiding of malicious credit card stealing scripts in the EXIF data of a favicon image to evade detection. In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script to steal customers' credit cards. What made this attack stand out was that the scripts used to capture data from payment forms were not added directly to the site but were contained in the EXIF data of a remote site's favicon image. Learn more >

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection. Researchers found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another variation to exfiltrate stolen credit card data. Learn more >

Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

A new variant of a powerful cryptojacking and DDoS-based malware is exploiting severe vulnerabilities in order to infect Windows machines. Dubbed Lucifer, the malware is part of an active campaign against Windows hosts and uses a variety of weaponized exploits in the latest wave of attacks, Palo Alto Networks' Unit 42 said on Wednesday. Learn more >

CryptoCore A Threat Actor Targeting Cryptocurrency Exchanges

A hacking group known as CryptoCore has pulled off cryptocurrency heists worth $70 million, but research indicates that it may be an estimated value of over $200 million since 2018. This group targets cryptocurrency exchanges by conducting spear-phishing campaigns against employees and executives. The main goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. Learn more >

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated with the Dridex malware and BitPaymer ransomware, the latter of which came to prominence in the first half of 2017. Learn more >

New ransomware posing as COVID‑19 tracing app targets Canada

New ransomware CryCryptor has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims. CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert. Learn more >

XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers

Researchers from TrendMicro have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware and Kaiji DDoS malware. Having Docker servers as their target is a new development for both XORDDoS and Kaiji; XORDDoS is known for targeting Linux hosts on cloud systems, while the recently discovered Kaiji was first reported affecting internet of things (IoT) devices. Attackers usually use such botnets to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports. Learn more >

Inside a TrickBot Cobalt Strike Attack Server

TrickBot is the successor of Dyre that, at first, was primarily focused on banking fraud, even reusing the same web-injection systems utilized by Dyre. TrickBot has since shifted focus to enterprise environments over the years, incorporating network profiling, mass data collection, and lateral traversal exploits. This focus shift is evident in their tertiary deliveries that target enterprise environments. Learn more >

Hackers use Google Analytics to steal credit cards, bypass CSP

Hackers are using Google's servers and the Google Analytics platform to steal credit card information submitted by customers of online stores. A new method to bypass Content Security Policy (CSP) using the Google Analytics API disclosed last week has already been deployed in ongoing Magecart attacks designed to scrape credit card data from several dozen e-commerce sites. Learn more >

Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline

Indian conglomerate Indiabulls Group has allegedly been hit with a cyberattack from the CLOP Ransomware operators who have leaked screenshots of stolen data. The CLOP Ransomware operators claimed to have breached Indiabulls and have posted screenshots of files that they have allegedly stolen during the attack. When performing a ransomware attack, the CLOP threat actors are known to steal unencrypted files before deploying the ransomware. Learn more >

Dark Basin Uncovering a Massive Hack-For-Hire Operation

Researchers give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders. With high confidence, the researchers link Dark Basin to BellTroX InfoTech Services, an India-based technology company. Over the course of their multi-year investigation, the researchers found that Dark Basin likely conducted commercial espionage on behalf of its clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. Learn more >

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals. The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data. Learn more >

Discord modified to steal accounts by new NitroHack malware

New malware is being distributed that pretends to be a hack that gets you the premium Discord Nitro service for free, but instead steals user tokens saved in the various browsers and credit card information, and then tries to spread itself to others. When an open platform like Discord makes it easy to modify the JavaScript files utilized by the client, threat actors commonly abuse it to modify the client to perform malicious behavior. Learn more >

Malwarebytes causing performance issues in Windows 10 2004

Since the release of Windows 10 version 2004, the May 2020 Update, users have been reporting performance issues and crashes when Malwarebytes 4.1 is installed. Numerous reports to the Malwarebytes support forums describe problems on Windows 10 2004 with MBAM 4.1 installed. These issues range from random freezes, general slowness and video stuttering to blue screen of death (BSOD) crashes and Windows 10 becoming unresponsive. Learn more >