Weekly Threat Briefing: Wallet-snatch Hack: Apple Pay 'vulnerable to Attack', Claim Researchers

The intelligence in this week’s iteration discuss the following threats: Android Trojans, ApplePay, CowerSnail, Lipizzan, Ransomware, UniCredit Breach, Ursnif, Veritaseum, and Windows Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.theregister.co.uk/2017/07/28/applepay_vuln/" target="_blank">Wallet-snatch hack: ApplePay 'vulnerable to attack', claim researchers </a> (July 28, 2017) Security Researchers from Positive Technologies have presented at Black Hat USA that two separate attacks can be performed against ApplePay. The first attack requires injecting a jailbroken device with malware, which can intercept traffic to Apple servers. The second more interesting attack requires a device to connect to a public Wi-Fi, or connect to an attacker's fake Wi-Fi hotspot. Attackers are able to steal the ApplePay cryptogram. Using this token, they are able to make payments, to the same website, as the information is sent in cleartext without integrity checking. Recommendation: Users using ApplePay should avoid making transactions in public Wi-Fi hotspots, as the traffic is able to be easily sniffed out by attackers. Users should only connect to Wi-Fi networks that they trust. Tags: ApplePay, SSL<a href="https://beingwinsysadmin.blogspot.co.uk/2017/07/bug-windows-10-default-user-profile-is.html" target="_blank">Windows 10 default user profile is potentially writable by everyone</a> (July 27, 2017) A vulnerability in Windows 10 version 1607 has been discovered where an authenticated attacker is able to add directories and write data to the "C:UsersDEFAULT" folder structure. When a user logs into a computer on the network locally for the first time, this profile is used as a template for the user's profile. If the attacker modifies files in the "Startup folder", then any user logging on for the first time would have those potentially malicious files executed. Recommendation: Microsoft released a "half patch" for CVE-2017-0295. This only addresses the issue relating to the Startup folder. Attackers still have the ability to modify files when a victim runs a malicious file. A fix can be applied by Windows Admins. The fix is to enable the inheritance on all objects and subobjects, of the Default folder, then deleting all the explicitly set permissions. This vulnerability will not affect users who have previously logged on to a machine. Microsoft is planning to release a full fix as part of the March/April 2018 Windows 10 release. Tags: Windows, Vulnerability<a href="https://news.drweb.com/show/?i=11390&c=5&lng=en&p=0" target="_blank">Trojan preinstalled on Android devices infects applications' processes and downloads malicious modules</a> (July 27, 2017) Security researchers from Russian anti-virus company "Dr.Web" have discovered Trojans embedded into the firmware of mobile devices running Android. The Trojans are from the "Android.Triada" family, which embeds itself into the Zygote component. From this, the Trojan is able to embed into the running processes of all applications and download and launch malicious modules. Recommendation: Devices should always be purchased from reputable vendors. Vendors selling devices at cut prices or from low cost wholesalers should be treated with caution. Only trust well known branded devices. If you suspect that your device is infected with a malicious trojan in the firmware, the only way to ensure a safe and secure removal is to just purchase a new device. As malware that infects the firmware or bootloader is not able to be removed by conventional means. Tags: Trojan, Android, Zygote, Triada<a href="https://www.bleepingcomputer.com/news/security/google-discovers-new-lipizzan-android-spyware/" target="_blank">Google Discovers New Lipizzan Android Spyware</a> (July 27, 2017) A new Android spyware called "Lipizzan" was discovered by Google's Android Security team. The spyware was discovered on 20 apps available on the Google Play store. In order to bypass Google's Bouncer security system, it was split into two stages. The first stage was legitimate code that did not flag up as malicious, but when downloaded onto a victim's device, it would download the second malicious stage component under the guise of a "license verification" step. This component would scan the user's device and if it met criteria, then it would root the device using exploit kits. The spyware has the ability to record calls, record device's microphone, record location, take screenshots, take photos, exfiltrate data and user information. Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Tags: Lipizzan, Android, Spyware<a href="https://www.theregister.co.uk/2017/07/26/unicredit_bank_breach/" target="_blank">Details of 400,000 loan applicants spilled in UniCredit bank breach</a> (July 26, 2017) The largest lender in Italy, UniCredit suffered a breach which exposed customer data of 400,000 personal loan applicants. The data accessed related to personal customer data and International Bank Account Numbers (IBANs), but did not include passwords or other information required to make unauthorized transactions. UniCredit claims it will contact all affected customers, through specific channels. Recommendation: Leaks of this sort leads victims to be at a large risk of phishing attacks. Actors can use this information to coerce more personal data from the victim. Users should also monitor their credit in order to make sure that nothing out of the ordinary is happening and no identity fraud is being committed. Tags: Breach, UniCredit<a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Spammed-JScript-Phones-Home-To-Download-NemucodAES-And-Kovter/" target="_blank">Spammed JScript Phones Home To Download NemucodAES And Kovter</a> (July 25, 2017) Recently a new wave of spam has been delivering malicious attachments that download a PHP-based ransomware. The email spam contained a fake UPS delivery notification, that encouraged a user to download the attachment, a ZIP file containing a JS file. If the attachment is unzipped and the JS attachment executed, it downloads a PHP based ransomware that encrypts the user's files with a random 128 bit AES key for each file. This AES key is encrypted with a public RSA key provided from the JS file. Curiously in the code, there's a section which downloads the Kovter ransomware, which has been disabled, but the hard coded address functions properly. Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. If you receive an email with an order number that you did not order, then it's probably not from the company it claims to be. Tags: NemucodAES, Kovter, PHP, JavaScript<a href="https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/" target="_blank">CowerSnail, from the creators of SambaCry</a> (July 25, 2017) Apparently created by the group responsible for SambaCry, a new malware for Windows, dubbed "CowerSnail", has been detected by Kaspersky researchers. CowerSnail is a backdoor that is able to receive commands from a Command and Control (C2) server via the Internet Relay Chat (IRC) protocol. CowerSnail provides a set of backdoor functions such as command execution, system information collection, updating and uninstalling itself. The link to the SambaCry creators comes from the mutual use of the same C2 server. Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don't rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Tags: CowerSnail, Windows, RAT<a href="https://www.welivesecurity.com/2017/07/25/malware-found-lurking-behind-every-app-alternative-android-store/" target="_blank">Malware found lurking behind every app at alternative Android store</a> (July 25, 2017) A Turkish alternative to the Google Android app store, called CepKutusu.com, has been serving malware to users instead of the desired application. When downloading an application, the user was sent a banking malware instead. In order to reduce detection chances, after the malware is served to the user, it would serve clean applications for the next seven days before serving another malware APK. The malware was capable of intercepting text messages, downloading other applications and receiving remote commands. Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software. Tags: Android/Spy.Banker.IE, Android, Malware<a href="https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-movement-decryption-and-evasion" target="_blank">Ursnif Variant Found Using Mouse Movement For Decryption And Evasion</a> (July 25, 2017) In July 2017, researchers at Forcepoint discovered emails with an attachment that delivers a new variant of the Ursnif banking Trojan. The attachment was an encrypted Word document, which had the decryption password pasted in plaintext into the body of the email. Once encrypted it shows three OLE icons made to look like Word documents, when in fact they are the same VBS script. When the script is run, it downloads the Ursnif malware. It performs checks on the mouse to see if it is in a sandbox environment. The malware checks the delta between the current and last mouse positions, which is used in the last 5 bits of a decryption key to decrypt the .bss section of the DLL. If ran in a sandbox environment the mouse will usually not move resulting in a delta of 0, and therefore will not decode the .bss section. This means the rest of the code will not run; aiding in evasion. Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Tags: Ursnif, Evasion, Trojan<a href="https://www.welivesecurity.com/2017/07/25/spiderman-pleads-guilty-knocking-900000-german-broadband-routers-offline/" target="_blank">Spiderman pleads guilty to knocking 900,000 German broadband routers offline </a> (July 25, 2017) A 29-year-old Briton has pleaded guilty to hacking into the routers of Deutsche Telekom customers, using a custom made version of the Mirai malware, which resulted in 900,000 customers (1.25 million customers in other sources) not being able to access their internet. The man in question was arrested in Luton airport in February and was extradited to Germany. It was reported in local media that he pleaded guilty to the attack which cost Deutsche Telekom more than 2 million Euros. Recommendation: Never use the default password that comes with the router; always change it. The malware used in this story was a custom version of the Mirai malware. The Mirai botnet takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring. Tags: BotNet, Deutsche Telekom<a href="https://www.ethnews.com/reggie-middleton-on-the-veritaseum-hack" target="_blank">Veritaseum Hacked</a> (July 24, 2017) A hacker managed to steal VERI tokens from the Initial Coin Offering (ICO) from the Veritaseum platform. The hacker then managed to sell the tokens for $8.4 million worth of Ethereum. The CEO of Veritaseum, Reggie Middleton, claimed that "The hack seemed to be very sophisticated, but there is at least one corporate partner that may have dropped the ball and be liable." No exact details of how the hack took place have taken place and the Middleton refuses to give comment. Recommendation: Since the tokens were stolen off Veritaseum, no customers were affected. The VERI tokens were hacked because of an undisclosed vulnerability. It is advisable that users with cryptocurrencies store their coins/tokens offline. One of the best ways to secure your cryptocurrencies against theft is by using hardware wallets. Hardware wallets are a type of cryptocurrency wallet that stores the owner's private keys on a hardware device that is secure from hacking attempts. Cold storage wallets could also be used to assist in cryptocurrency security. Cold wallets are placed on clean air-gapped computers and therefore protect all private keys from online threats. It is more tedious to use but increases the security. Tags: Cryptocurrency, ICO, Veritaseum