
CloudSEK Daily Threat Bulletin – 4th February 2020

Twitter announced that its API had been exploited to match usernames to phone numbers. While the fake accounts responsible have been suspended, the full impact is still not known. A Magecart actor targeted an Olympic tickets reseller's payment platform to steal customer payment card numbers. And Apollon Market may be pulling off an exit scam, much to the chagrin of its vendors, whose accounts have been locked.

Separate ransomware attacks have targeted Bouygues Construction and Toll Group, forcing both to shut down systems. New malware features are also making infections harder to detect with standard anti-virus: a new AZORult campaign uses a novel three-tiered obfuscation technique, while a new TrickBot feature allows it to bypass Windows 10 User Account Control (UAC) to deliver malware.

Even as cyber-attacks rage, Apple and Google are proposing ways to make everyday activities such as 2 Factor Authentication and online browser access more secure. And with EmoCheck, administrators can start quickly detecting Emotet infections before they escalate.

Round Up of Major Cyber Security Breaches

Twitter API exploited to match usernames to phone numbers

Twitter says that its API had been exploited to match usernames to phone numbers. Twitter became aware of the incident on 24th December 2019. The attackers had created a large network of fake accounts to exploit the API endpoint; these accounts were immediately suspended. Many of the requests were observed to come from IP addresses located in Iran, Israel, and Malaysia. Twitter has changed the endpoint so that it no longer returns specific account names in response to such queries.

Magecart actor targets Olympic reseller’s payment platform

A Magecart actor is targeting an Olympic ticket reseller and other websites that reference a malicious domain hosting the underlying skimmer code, in order to steal customer payment card numbers. The skimmer was delivered by appending obfuscated malicious code to the end of a legitimate library, slippry.js. It identified payment-related pages by matching keywords such as checkout, cart, pay, and basket in the page, and sent the stolen information to opendoorcdn[.]com.
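The tampering pattern above (a legitimate library served with code appended after it) is the kind of drift a site owner can catch by pinning a hash of the vetted file and comparing what is actually served. The following is an added example written for this bulletin, not code from the original post or from any of the sites involved. The library body, the appended block, the allowlisted hosts and the `example-shop.test` names are all constructed; the only value taken from the bulletin is the defanged exfiltration domain and the four payment keywords.

```python
"""Detect drift in a third-party JavaScript library by comparing the served
copy with a vetted copy, then inspect any appended bytes for hostnames that
are not on the site's allowlist. All inputs are constructed for the example."""
import base64
import hashlib
import re

# Constructed stand-in for the legitimate library as vetted at deploy time;
# it is not the real slippry.js.
VETTED_LIBRARY = (
    "/*! slippry stand-in (constructed) */\n"
    "(function($){$.fn.slippry=function(o){return this;};})(jQuery);\n"
)

# Constructed example of a served copy with extra code appended after the
# intact library, mirroring the pattern described in the bulletin. The
# appended block only carries the indicators; it is not a working skimmer.
SERVED_LIBRARY = VETTED_LIBRARY + (
    "/* appended (constructed) */"
    "var pages=['checkout','cart','pay','basket'];"
    "var cdn='https://opendoorcdn[.]com/';"
)

# Hosts the shop's pages are expected to reference (constructed names).
ALLOWED_HOSTS = {"cdn.example-shop.test", "example-shop.test"}

PAYMENT_KEYWORDS = ("checkout", "cart", "pay", "basket")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def sri_hash(content: str) -> str:
    """Subresource Integrity digest (sha384, base64) of a file body; the same
    string can be pinned in a <script integrity="..."> attribute."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def extract_hosts(text: str) -> set:
    """Hostnames referenced in a script, with defanged '[.]' dots normalised."""
    return set(HOST_RE.findall(text.lower().replace("[.]", ".")))


def check_library(vetted: str, served: str, allowed_hosts: set) -> dict:
    """Compare a served library with the vetted copy and describe any drift."""
    if sri_hash(served) == sri_hash(vetted):
        return {"tampered": False, "appended": "",
                "unknown_hosts": [], "payment_keywords": []}
    # Appended code leaves the original intact as a prefix; otherwise the
    # file was edited in place and the whole body is inspected (coarser,
    # since the library's own identifiers may look like hostnames).
    appended = served.startswith(vetted)
    region = served[len(vetted):] if appended else served
    hosts = extract_hosts(region) - {h.lower() for h in allowed_hosts}
    keywords = [k for k in PAYMENT_KEYWORDS if k in region.lower()]
    return {"tampered": True, "appended": region if appended else "",
            "unknown_hosts": sorted(hosts), "payment_keywords": keywords}


if __name__ == "__main__":
    print("pinned:", sri_hash(VETTED_LIBRARY))
    print(check_library(VETTED_LIBRARY, SERVED_LIBRARY, ALLOWED_HOSTS))
```

The hash comparison is the real control; the host and keyword scan only explains what changed so an analyst can triage quickly. Pinning the `sha384-...` value in the page's `integrity` attribute makes the browser refuse a modified copy outright, which is the standard mitigation for this class of supply-chain tampering.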

Apollon Market is pulling off an exit scam

The dark web marketplace, Apollon Market, is believed to be pulling an exit scam. The admins have locked all the vendors’ accounts while still allowing orders to be placed. Vendors usually warn each other through Dread (a Reddit-style forum on the deep web), Envoy, The Hub, and other forums. But many of these forums have been offline over the past few days, due to DDoS attacks, apparently orchestrated by Apollon Market.

Google launches project OpenSK to secure online access, beyond passwords

Google has launched an open-source security key project, OpenSK, which, when installed on a USB dongle, turns it into a usable FIDO or U2F key. FIDO is a standard that allows secure online access via a browser by introducing an extra security layer in addition to your regular password.

Apple proposes upgrade to SMS 2FA

Given that SMS-based 2 Factor Authentication is susceptible to phishing attacks, Apple has proposed that apps such as mobile browsers would automatically process received SMS codes and submit them only to the correct website. While this would address issues such as SIM swap fraud, it is yet to be seen how the security upgrade will be implemented.

Round Up of Major Malware and Ransomware Incidents

Maze ransomware attack targets Bouygues Construction 

A Maze ransomware attack has forced French construction giant Bouygues Construction to shut down its computer network to avoid having all of its data encrypted. The malware was first detected on 30th January 2020. Maze ransomware operators have taken responsibility for the attack and claim to have encrypted 237 computers and over 1,000 Terabytes of data.

Toll Group victim of targeted ransomware attack

Toll Group, a logistics company that is part of Japan Post, has shut down several systems in response to a targeted ransomware attack. The attack came to light on 31st January 2020, after which the company immediately disabled the impacted systems, many of which are customer-facing.

AZORult Campaign used three-tiered obfuscation to evade detection

A new AZORult campaign attempts to evade detection by using a novel three-tiered obfuscation technique. The triple-encrypted AZORult downloader is being pushed by a nondescript malspam attachment. When the macros in the Excel attachment are enabled, a payload is decrypted, decoded, and executed using a VBA "shell" command. The second layer of decryption happens when that first payload runs and unwraps a further decryption envelope. The third level of encryption is in the link the dropper uses to download the final AZORult infostealer.

New TrickBot feature that can bypass Windows 10 UAC

The TrickBot trojan has found yet another way to elude detection, by adding a feature that can bypass Windows 10 User Account Control (UAC) to deliver malware. It first checks whether a system is running Windows 7 or Windows 10; on Windows 10 the malware uses the WSReset UAC bypass, which abuses the WSReset.exe process, a Microsoft-signed executable that is used to reset Windows Store settings.
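Because WSReset.exe is a signed system binary whose job is to reset Store settings, it has no business launching executables from user-writable directories; a process-creation log that shows it doing so is a strong signal. The following is an added detection example written for this bulletin, not code from the original post or from any vendor tool. The log format and every event in it are constructed (a simplified JSON-lines shape with the fields a process-creation event normally carries), and the `alice` user path is a placeholder.

```python
"""Flag child processes of WSReset.exe in process-creation events. Runs over
constructed sample events; the JSON-lines shape is an assumption, not the
format of any particular product."""
import json

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """
{"ts": "2020-02-04T09:00:01Z", "pid": 4120, "ppid": 3002, "image": "C:\\\\Windows\\\\System32\\\\WSReset.exe", "parent_image": "C:\\\\Windows\\\\explorer.exe", "integrity": "High", "cmdline": "WSReset.exe"}
{"ts": "2020-02-04T09:00:02Z", "pid": 4188, "ppid": 4120, "image": "C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\update.exe", "parent_image": "C:\\\\Windows\\\\System32\\\\WSReset.exe", "integrity": "High", "cmdline": "\\"C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\update.exe\\""}
{"ts": "2020-02-04T09:01:00Z", "pid": 4300, "ppid": 3002, "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "parent_image": "C:\\\\Windows\\\\explorer.exe", "integrity": "Medium", "cmdline": "cmd.exe"}
""".strip()

# Directories an ordinary user can write to; a child launched from one of
# these by an auto-elevating parent is scored higher.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def basename(path: str) -> str:
    """Last path component, case-insensitive, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_wsreset_children(events: list) -> list:
    """Return an alert for every process whose parent image is WSReset.exe."""
    alerts = []
    for ev in events:
        if basename(ev.get("parent_image", "")) != "wsreset.exe":
            continue
        image = ev.get("image", "")
        user_writable = any(m in image.lower() for m in USER_WRITABLE_MARKERS)
        alerts.append({
            "ts": ev.get("ts"),
            "pid": ev.get("pid"),
            "image": image,
            "integrity": ev.get("integrity"),
            # High severity: signed system binary spawning a user-writable
            # executable while running at high integrity, which matches the
            # bypass pattern described in the bulletin.
            "severity": "high" if user_writable and ev.get("integrity") == "High" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_wsreset_children(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Tune the rule on a baseline before enforcing it: the intent is to alert on any child at all, then escalate when the child lives in a user-writable directory and inherits high integrity. Pair it with the Windows-version check the malware itself performs: hosts still on Windows 7 will not show this particular pattern.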

Round Up of Major Vulnerabilities and Patches

New EmoCheck Tool detects Emotet infections

The Emotet trojan, which is currently being distributed under the guise of information about the coronavirus, can now be detected using a new utility, EmoCheck, released by Japan CERT (computer emergency response team). If EmoCheck discovers that your system is infected, you should immediately terminate the identified process in the Task Manager. The tool helps network admins quickly detect an infection and prevent it from escalating into a large-scale ransomware attack.

Update for stored XSS vulnerabilities in WordPress plugin, Strong Testimonials

Multiple stored XSS vulnerabilities (CVE-2020-8549) were found in the WordPress plugin Strong Testimonials. They affect all websites using plugin version 2.40.0 and below. With 90,000 installations, Strong Testimonials is a popular plugin.

The stored XSS vulnerabilities can be exploited to steal a victim's session cookies and login credentials, perform arbitrary actions on the victim's behalf, log their keystrokes, and so on. Within a few days, Strong Testimonials released version 2.40.1, which addresses this issue.
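Stored XSS of this kind arises when user-submitted content (here, a testimonial and its author name) is saved and later rendered into HTML without contextual escaping. The following is an added illustration of the vulnerability class, not the plugin's code (the bulletin gives no detail of the affected code, and the plugin itself is PHP); it is written in Python so that the unsafe and hardened renderers can be compared side by side. The testimonial data and the `render_*` function names are constructed for the example.

```python
"""Stored XSS: the same saved testimonial rendered without and with
contextual escaping. Constructed example, not the plugin's own code."""
import html

# Constructed submission as it would be stored after a form post. The
# content is a harmless marker that shows whether escaping happened.
STORED_TESTIMONIAL = {
    "author": 'Alice" onmouseover="alert(1)',
    "body": "Great service! <script>alert('xss')</script>",
    "rating": 5,
}


def render_unsafe(t: dict) -> str:
    """The vulnerable pattern: stored fields interpolated straight into HTML.
    Attribute and element contexts are both left open to injection."""
    return (
        f'<blockquote data-author="{t["author"]}" data-rating="{t["rating"]}">'
        f'{t["body"]}</blockquote>'
    )


def render_safe(t: dict) -> str:
    """Hardened rendering: escape for the HTML context each value lands in.
    quote=True also escapes quotes, which is what protects attribute values;
    the rating is coerced to int so it cannot carry markup at all."""
    author = html.escape(str(t["author"]), quote=True)
    body = html.escape(str(t["body"]), quote=True)
    rating = int(t["rating"])
    return (
        f'<blockquote data-author="{author}" data-rating="{rating}">'
        f'{body}</blockquote>'
    )


def contains_live_markup(rendered: str) -> bool:
    """Coarse check used here to show the difference: a literal <script>
    element or an unescaped quote-breakout inside the author attribute."""
    return "<script>" in rendered or '" onmouseover="' in rendered


if __name__ == "__main__":
    print(render_unsafe(STORED_TESTIMONIAL))
    print(render_safe(STORED_TESTIMONIAL))
```

The point the example makes is that escaping is per context: `html.escape` without `quote=True` would still leave the author attribute breakable, and no amount of input filtering at submission time replaces escaping at output time. A Content Security Policy that disallows inline scripts is the complementary control that limits the damage when an escape is missed.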
