Fake site pretending to be KeePass Password Manager found distributing adware

A fake site that appears to promote the popular KeePass password management software has been found distributing adware to unsuspecting visitors. The site is part of a large network of sites involved in distributing adware bundles disguised as free programs. Berk Cem Göksel, an independent security researcher, discovered that a site named keepass[.]com poses as the official site for KeePass Password Manager in order to distribute malware. The malware is propagated in the form of .dmg and .exe files hosted on the site. According to BleepingComputer, keepass[.]com contains four download links for KeePass: Windows, Windows Portable, Mac and Linux. The first three links point to similar URLs and download adware bundles, while the fourth link, for Linux, takes visitors to the legitimate keepass[.]info site. The three malicious links point to cdndownloadapr[.]com and serve adware bundles whose file names are generated dynamically from values in the URL. The distributed adware bundles carry a digital signature from a company named ‘In Profit Limited’; the signing certificate is changed quite often. Once users click ‘Next’ in these installers, they are presented with a series of offers that include search offers, browser extensions, anti-malware PUPs and other unwanted or malicious software. The adware bundle is also capable of collecting a large amount of information from infected systems, including the hardware type, location and more. It is always advisable to download and install software only from trusted and official sites. If you are prompted to install software other than the intended program, shut the installer down immediately and do not let it continue.

Jokeroo Ransomware-as-a-Service performs an exit scam

On May 7, 2019, the Tor site for the Jokeroo Ransomware-as-a-Service (RaaS) displayed a notice claiming that its server had been seized by the Royal Thai Police in conjunction with the Dutch National Police and Europol. However, Europol denied this and stated that it was not involved in any such case. This indicates that the Jokeroo claim is fake and that the RaaS is conducting an exit scam. Jokeroo is a Ransomware-as-a-Service that allows cybercriminals and would-be hackers to obtain the ransomware and distribute it by signing up to the service. Upon signing up, the service provider supplies the ransomware and a payment server. Jokeroo RaaS has been offered in multiple membership packages priced at $90, $300 and $600. In the basic package, a member earns 85% of the ransom payments. An exit scam is when a business stops providing its services and quietly makes off with the funds or goods of its members and clients, who are then unable to recover their losses. Jokeroo RaaS is pretending that its service has been seized by the police, while it is actually exit-scamming with its clients' funds.

Fake VPN software called Pirate Chick leveraged to push AZORult info stealing trojan

The infamous AZORult info-stealing trojan is back in a new attack campaign. The attackers are leveraging fake VPN software called Pirate Chick to distribute the malware. According to BleepingComputer, the Pirate Chick VPN is distributed via fake Adobe Flash Player installers and adware bundles. The site looks very similar to other VPN sites and advertises a free three-month trial period. The executables also look convincing, as they are signed with a certificate issued to a UK company called ATX International Limited. Once Pirate Chick VPN is launched, it downloads a payload to the %Temp% folder and executes it. The software does not run its malicious payload in three cases:

  1. If any of the analysis tools ImmunityDebugger, Fiddler, Wireshark, Regshot or ProcessHacker is running on the system.
  2. If the user is located in Russia, Belarus, Ukraine or Kazakhstan. To determine this, the software connects to https[:]//www[.]piratechickvpn[.]com/collectStatistics[.]php, which returns the location of the IP address.
  3. If the software is running under VMware, VirtualBox or Hyper-V.

If none of these checks trigger, the software downloads a file from https[:]//www[.]piratechickvpn[.]com/wohsm[.]txt. This file in turn leads to the download of further executables, which include AZORult.

Amazon Hit With Extensive Fraud Campaign Impacting Hundreds Of Seller Accounts

Amazon has revealed that it was hit with an extensive fraud campaign last year, in which attackers compromised almost 100 seller accounts and stole loan funds. The attacks took place between May 2018 and October 2018; attackers gained access to seller accounts and siphoned off loan funds that were intended for business and start-up costs. According to the court filing, the attackers changed the payment details of accounts on the Seller Central platform to their own bank accounts at Barclays Plc and Prepay Technologies Ltd., which is partly owned by Mastercard Inc. A spokesperson for Barclays said that the bank is working to close the accounts used by the attackers. Amazon noted that the accounts were likely compromised through phishing that tricked sellers into providing their account details and login credentials. The stolen loan funds, which Amazon had extended to its third-party sellers and businesses, may amount to hundreds of thousands of dollars. Amazon has disclosed that it issued over $1 billion in loans to sellers in 2018; however, the exact amount stolen was not revealed in the filing. Amazon needed the documents “to investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing,” the company’s lawyers said in the court filing, Bloomberg reported.

Alpine Linux Docker images found using NULL password for the admin account

Security researchers from Cisco Talos have revealed that Alpine Linux Docker images distributed via the official Docker Hub portal have shipped with no password set for the root account. This vulnerability (CVE-2019-5021) was found in v3.3 and affects all Glider Labs Alpine Linux Docker images as well as the official images. Servers and workstations provisioned from these Alpine Linux Docker images could be compromised by attackers who can authenticate as the root user with a NULL (empty) password; web-facing systems are affected too. The flaw was first discovered in August 2015 and patched in November of that year; however, it was accidentally reintroduced three weeks later, in December 2015, and was rediscovered by a Cisco Umbrella researcher in January 2019. Researchers noted that existing systems should be modified either to set a custom password for the root account or to disable the root account. Companies and users who have older Alpine Linux Docker images integrated into install scripts or routines should modify the Docker image to disable the root account, or update to a newer Alpine Linux Docker image. “The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilize Linux PAM, or some other mechanism which uses the system shadow file as an authentication database,” Cisco Talos said.
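The condition behind CVE-2019-5021 is simply an empty password field for root in /etc/shadow, which is easy to audit for in any image or host. The following POSIX shell script is an added example written for this newsletter; it is not code from Cisco Talos, Alpine or Docker. It reports accounts whose shadow password field is empty and locks them by writing "!" into that field, the same effect as locking the account with passwd. The shadow file contents are constructed for the example and stand in for a real /etc/shadow; the function names are the author's own.

```shell
#!/bin/sh
# Added example: audit a shadow file for empty-password accounts (the
# CVE-2019-5021 condition) and lock them. Not from Talos, Alpine or Docker.

# Print the names of accounts whose second (password) field is empty.
# Locked accounts ("!" or "*") and hashed passwords are not reported.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lock every empty-password account by writing "!" into the password field,
# which is what "passwd -l" does. The file is rewritten via a temp copy so a
# failed write cannot leave it truncated.
lock_empty_password_accounts() {
    tmp="$1.tmp.$$"
    awk -F: -v OFS=: '$2 == "" { $2 = "!" } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample shadow file in the format an affected Alpine image uses;
# only the root line has an empty password field.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
operator:*:17968:0:99999:7:::
nobody:!::0:::::
EOF

# On a real host, run: find_empty_password_accounts /etc/shadow
# For the sample this prints just "root".
find_empty_password_accounts "$SAMPLE_SHADOW"
```

Run the audit against /etc/shadow inside a container built from the image in question (for example with docker run ... cat /etc/shadow piped into the script); an empty result means every account either has a hash or is locked. Note that, as the Talos quote says, the empty field is only exploitable where something authenticates against the shadow file (PAM-backed SSH, su, or similar), so the audit tells you whether the condition exists, and the exposed services tell you whether it matters.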

Hackers stole over $41 million from Binance cryptocurrency exchange

Binance cryptocurrency exchange suffered a security breach on May 7, 2019, in which hackers obtained users’ API keys, two-factor authentication codes and other information. The hackers then withdrew 7,000 Bitcoin, worth nearly $41 million, from Binance’s hot wallet. They had used phishing, malware and other attacks to gain access to Binance user accounts, and withdrew the 7,000 Bitcoin in a single transaction from the hot wallet before transferring it to several smaller accounts. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks,” Binance said in a security breach update. The withdrawal triggered various alarms in the exchange's systems, but too late to block it before it was executed. Binance then immediately halted all other withdrawals. The exchange will conduct a thorough security review covering all parts of its systems and data, and has suspended all deposits and withdrawals in the meantime.

Attackers delete GitHub, GitLab and Bitbucket repositories and replace them with ransom notes

Attackers have targeted GitHub, GitLab and Bitbucket users by removing the code and commits from victims’ Git repositories and leaving in their place a ransom note demanding 0.1 Bitcoin (~$570). The note threatens to make the code public if the ransom is not paid within 10 days. “To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise,” the ransom note reads. A GitHub search revealed almost 400 GitHub repositories that have been targeted. According to BitcoinAbuse.com, there have been 27 abuse reports, all of them citing the same ransom note. Meanwhile, the attackers’ Bitcoin address has received a single transaction of 0.00052525 BTC ($2.99), on May 3, 2019. Kathy Wang, Director of Security at GitLab, said that an investigation found that the compromised accounts had passwords stored in plaintext in a deployment of a related repository. Wang added that GitLab has identified the affected user accounts and is notifying them. “We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue,” Wang said. In a security advisory, Bitbucket noted that “a third party accessed your repository by using the correct username and password for one of the users with permission to access your repository.” Bitbucket has taken the following steps to prevent further malicious activity:

  1. It has reset passwords for the compromised accounts.
  2. It is working closely with the law enforcement authorities and has taken steps to restore the compromised repositories.
  3. It has requested its users to reset all other passwords associated with the Bitbucket account and to enable two-factor authentication on the Bitbucket account.
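GitLab's finding above (plaintext passwords sitting in a deployment of a related repository) is a pattern worth checking for on your own hosts: Git remote URLs of the form https://user:password@host/... in .git/config files, CI checkouts and deployment directories are readable by anyone who can read the file. The following POSIX shell script is an added example for this newsletter, not code from GitLab, GitHub or Bitbucket; the function name and the sample configuration are the author's own constructions. It reports such URLs with the password masked so the scan output itself does not become another plaintext copy.

```shell
#!/bin/sh
# Added example: find credentials embedded in Git remote URLs. Not from
# GitLab, GitHub or Bitbucket; the config below is constructed for the demo.

# For each file given, print "<file>: <url>" for every "url = scheme://user:pass@host"
# line, with the password replaced by "***". SSH-style "git@host:path" remotes
# carry no password and are not reported.
find_git_url_credentials() {
    for f in "$@"; do
        grep -E '^[[:space:]]*url[[:space:]]*=[[:space:]]*[a-z]+://[^/@:]+:[^/@]+@' "$f" 2>/dev/null \
        | sed -E "s|^[[:space:]]*url[[:space:]]*=[[:space:]]*||; s|://([^/@:]+):[^/@]+@|://\1:***@|; s|^|$f: |"
    done
}

# Constructed sample .git/config: one remote with a deploy token in the URL,
# one SSH remote without.
SAMPLE_GIT_CONFIG=$(mktemp)
cat > "$SAMPLE_GIT_CONFIG" <<'EOF'
[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://deploy-bot:s3cret-token@example.invalid/team/app.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
	url = git@example.invalid:team/app.git
EOF

# Typical use on a deployment host:
#   find /srv /var/www -name config -path '*/.git/*' -exec sh -c '. ./scan.sh; find_git_url_credentials "$@"' sh {} +
find_git_url_credentials "$SAMPLE_GIT_CONFIG"
```

Any hit should be replaced by a credential helper, a deploy key, or a scoped access token kept outside the repository, and the exposed password rotated, since every clone and backup of that directory has carried it in the clear. This is the same class of exposure Wang's advice about password managers and two-factor authentication is aimed at: with 2FA enabled, a leaked password alone would not have been enough to push over the repository.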

Scammers deceive PayPal, Amazon and eBay clients through fake customer support numbers

Scammers have found a new way to trick PayPal, Amazon and eBay customers: they are using Google Search ads that pose as customer support numbers for these popular sites. BleepingComputer reports that victims who called one of these fake numbers were greeted by a scammer claiming to be from one of the three companies. In the case of PayPal, the call is answered with ‘Thank you for calling PayPal support’. The scammer then tells the victim that their PayPal account has a problem that can only be fixed by sending the code from a Google Play card, and assures them that PayPal will reimburse the money paid for the card. The scam ads posing as tech support hotlines work only on mobile devices: the mobile version of the Google search results page looks convincing and can easily confuse a person, whereas the desktop version looks fake. Most of the desktop ads use symbols such as parentheses, pipes and Unicode characters to separate the parts of the phone numbers; these symbols are used to bypass Google’s automated ad quality screening tools. BleepingComputer contacted Google about the ads. In response, Google said, “We have strict policies that govern the kinds of ads we allow on our platform, and ads that conceal or misstate information about their business are prohibited on our platform. When we find ads that violate our policies, we remove them.” The fake ads have since been removed from the search results page and are no longer visible.

Around 50,000 firms that use SAP solutions left vulnerable to new exploits

Around 50,000 companies using SAP software are at significant risk as new exploits target software configuration flaws. A recent report by cybersecurity firm Onapsis details these exploits, which can cripple SAP-based systems; according to the report, about a million systems are affected. The exploits can be launched by remote, unauthorized attackers with network connectivity to the vulnerable SAP systems. Collectively known as ‘10KBLAZE’, the exploits target two technical components of SAP applications: the SAP Message Server and the SAP Gateway. With these exploits, attackers could create new users in the SAP system with arbitrary privileges, allowing them to view and modify confidential business data such as employees' personal information, financial statements, bank transfers, health records and so on. The report also indicates that a majority of systems with SAP installations are vulnerable. “Onapsis research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available,” it said. The Onapsis report also details how to stay protected from 10KBLAZE: this involves correctly configuring the SAP Message Server and SAP Gateway, which is critical in SAP applications. Likewise, SAP strongly recommends that businesses using its solutions install security fixes as and when they are released.

New ransomware called MegaCortex infects corporate computer networks

A new ransomware strain was discovered this past week. Known as ‘MegaCortex’, it has targeted victims across the US, Italy, Canada, the Netherlands, Ireland and France, predominantly on corporate networks. According to security firm Sophos, which discovered the ransomware, the attackers made heavy use of automation and a number of tools to propagate it in large numbers. In a blog post, Sophos indicated that the creators of MegaCortex used a common red-team attack tool script to invoke a ‘meterpreter’ reverse shell in the victim’s environment. The reverse shell is leveraged for an infection chain that uses PowerShell scripts, batch files and commands to drop secondary malware payloads. In one of the reported attacks, a Windows domain controller of an enterprise network was used to initiate the attack. The ransom note appears in the root of the victim’s hard drive as a plain text file and contains references to the film The Matrix. As of now, 76 attacks have been confirmed by Sophos, around 47 of them within a span of 48 hours. The blog post also discusses how MegaCortex may be linked to the well-known Emotet and Qbot malware. “Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware,” the researchers said.

Hacker ‘Subby’ compromises over 29 IoT botnets due to weak credentials

A hacker named Subby has compromised over 29 IoT botnets that were using default or weak credentials. The hacker carried out brute-force attacks on the botnets' Command and Control (C&C) servers to gain access to them. In an interview with Ankit Anubhav, a security researcher at NewSky Security, the hacker stated that he used a dictionary of usernames and a list of common passwords to brute-force the C&C servers of botnets using weak username-password combinations such as root-root, admin-admin, oof-o0f and root-user2019. “In addition to this, each C2 undergoes a random style password attack which continues up to 6 alphanumeric characters under the user 'root'. I change the user to something specific if I have prior knowledge of the C2. Each cracked password is added to the password list used when brute forcing the C2s in future,” Subby said. Subby said that the initial bot count was 40,000; however, the actual count was 25,000 after removing duplicates. “I estimate the number to be closer to 25,000 unique devices. I was able to get a reliable network traffic graph produced of the traffic generated from all the botnets combined and it was just under 300gbit/s,” Subby said. The hacker noted that most botnet operators simply follow tutorials on YouTube to set up their botnet and fail to reset the default credentials, leaving their botnets vulnerable to brute-forcing. Subby added that he attempted to compromise these IoT botnets to learn how well brute-forcing would work against C&C servers and whether it would be an efficient technique for taking over IoT devices.

Multiple vulnerabilities in D-Link cloud camera could allow attackers to spy on victims’ content

A series of vulnerabilities has been discovered in the D-Link DCS-2132L cloud camera. The flaws include unencrypted cloud communication, insufficient cloud message authentication and unencrypted LAN communication. The most serious issue opens the door to man-in-the-middle (MitM) attacks, allowing attackers to view recorded videos. Researchers at ESET found that the camera transmits recorded or streaming video unencrypted to the cloud and subsequently to the client-side viewer app, which lets intruders spy on victims’ videos. “The most serious issue with the D-Link DCS-2132L cloud camera is the unencrypted transmission of the video stream. It runs unencrypted over both connections – between the camera and the cloud and between the cloud and the client-side viewer app – providing fertile ground for man-in-the-middle (MitM) attacks and allowing intruders to spy on victims’ video streams,” said ESET researchers in a blog post. By intercepting the communication, attackers could obtain sensitive content such as the camera's IP and MAC addresses, version information, video and audio streams, and other details of the device. Researchers also spotted another issue in the device’s ‘mydlink services’ web browser plug-in. The flaw allows any application or user on the client’s computer to access the camera’s web interface without any authorization, and could also allow an attacker to replace the legitimate firmware with a backdoored version. The issues were promptly reported on May 2, 2019, and some of the vulnerabilities have been mitigated. Current users of the device are advised to make sure that port 80 is not exposed to the public internet, and to reconsider the use of remote access if the camera is monitoring highly sensitive areas of their household or company.


Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.

