Threat Report

Discover a financial service data breach, a viral Apple vulnerability, the evolution of malware, and indicators related to the Iranian DNS hijacking campaign in this week’s threat report.

Discover discloses August 2018 data breach

Discover Financial Services notified customers and the California Attorney General of a data breach. On August 13, 2018, they learned that an undisclosed number of Discover card accounts may have been part of a data breach, however, the breach “did not involve Discover card systems.” The company is issuing new cards for affected customers and advises cardholders to monitor their accounts for fraudulent activity.

Discover commented, “We can confirm this incident did not involve any Discover systems and we are forwarding this to the appropriate parties for review. We’re aware of a possible merchant data breach & are monitoring accounts. Our members can rest assured they’re never responsible for unauthorized purchases on their Discover card accounts.”

The breach was filed in two separate breach notifications. The statements differ slightly in the Automatic Bills section. One titles the section “A Helpful Reminder About Automatic Bills,” and encourages users to use the included list to contact merchants that bill their card automatically or store card information. The other titles the section, “Make sure any other automatic bills get paid as easily as these,” and states that there’s no need to contact the merchants listed, but if users have other automatic bills not on the list, they should contact them and update account information accordingly. Another difference between the two is that only some customers were issued a card with a new account number, while other customers were not. It sounds like it was a breach of systems used for automated billing that are outside of Discover. Users were advised to monitor their banking statements for fraudulent activity.

Apple disables group FaceTime

Apple has disabled Group FaceTime since a severe iOS bug was disclosed via Twitter (January 28, 2019). The bug allows iPhone users to access the microphone and front-facing camera belonging to the person they are calling even if the person does not answer the call.

The flaw received global attention when Apple iPhone user Benji Mobb tweeted a video of the bug in action. Within 24 hours, the post reached 30K+ retweets and over 75K likes.

A spokesperson for Apple reported that they are aware of the issue and plan to release a software update later this week. iPhone users are advised to disable FaceTime until the latest available patch is officially released by Apple and keep software up to date in order to best mitigate risk.

BankBot Anubis learns Chinese and adds Telegram for C&C

Researchers tracking BankBot Anubis noticed two significant changes in C&C tactics. BankBot Anubis is a mobile banking trojan that targets hundreds of unique mobile applications from organizations worldwide. Researchers observed BankBot Anubis encoding C&C information using Chinese characters in addition to base64 encoding in an attempt to hide their C2 infrastructure. Also, researchers noted the use of Telegram Messenger in addition to Twitter for communicating C&C URLs. This offers BankBot the use of public channels to broadcast messages to large audiences with a public URL.

Formbook information stealer distributed through file hosting service

Deep Instinct reports sightings of attackers using a file hosting service to distribute Formbook, an information/credential stealing malware. The observed attacks began with a phishing email containing a malicious attachment. In one analyzed case, the initial infection was carried out via a malicious RTF document that exploited CVE-2012-0158 (Office ActiveX vulnerability) and CVE-2017-11882, the Equation Editor vulnerability previously used by Loki.

After opening the maldoc, the malware was dropped and executed. It copies itself and writes an auto-run entry, ensuring persistence and boot-survival on infected machines. Formbook scans the victim’s system for passwords and sends them back to its C2 server. It can also take screenshots of the victim’s desktop and logs key strokes. The domain that served the payload was recently registered (files.dropmybin[.]me) on January 19, 2019, and employs Cloudflare, a popular reverse-proxy provider, to hide its real IP address. Deep Instinct notes that customers in retail and hospitality sectors in North America have been targeted. The following indicators of compromise were released with the researchers’ findings:

Domains

files.dropmybin[.]me 

R2dummy[.]info 

xcpcfw[.]com 

thelan[.]win 

yatekipu[.]site 

ra-design[.]net 

timbaleepoxy[.]com 

ajexin[.]com 

review-ih4ewkr0m5aqxl[.]cricket 

zdhuanka[.]com 

dropmyb[.]in 

AZORult masquerading as Google Update

Minerva Labs observed the AZORult information stealer and downloader malware strain that is posing as a signed Google Update installer on compromised machines. AZORult is a data-stealing trojan also known to act as a downloader for other malware payloads. Minerva Labs disclosed the flaw after they detected a “suspicious executable” with a valid certificate. Minerva Labs also noticed that the actors had been executing the exploit through a “GoogleUpdate.exe” which pretends to be a legitimate updater, however, the certificate with which the malicious file was signed did not belong to Google.

Researchers have identified the camouflaged Google Update binary based on multiple patterns: HTTP POST request to a /index.php it made, using a “.bit domain” (for DNS over blockchain) and Typical User-Agent Mozilla/4.0. Researchers note that the capability of the AZORult replaces the legitimate Google Updater to run administrative privileges and allows it to establish a stealthy persistence mechanism. Users and organizations best defense against these attacks is to keep the software up to date and download applications in legitimate stores. Here are a few of the indicators of compromise released with the report. Check out the full report for all the file hashes.

File Paths

C:\ProgramData\localNETService\localNETService.exe 

URL

http://s63.bit/index[.]php 

Iranian DNS hijacking infrastructure identified

Last week, researchers published further findings into the global DNS hijacking activity, allegedly conducted by Iran. Five attacker owned domains were used in the clandestine change of NS records, to act as nameservers to route traffic temporarily for targeted entities.

Once hijacked, targeted domains ceased resolving to their normal IP addresses and began resolving to actor-controlled infrastructure. The actors mostly used Let’s Encrypt certificates for TLS encryption. Available data shows that most affected domains were hijacked for very short periods of time, sometimes a day or less, with one domain showing resolutions to a malicious IP address for over a month. Researchers identified dates when the nameservers were used to route traffic to malicious IP addresses.

142.54.179[.]69February 2017Jordan (Government) 

89.163.206[.]26February 2017Jordan (Government) 

185.15.247[.]140December 2017 and January 2018Kuwait (Government) and Albania (Government) 

146.185.143[.]158August 2018UAE (Government) 

128.199.50[.]175September 2018UAE (Unidentified Sector) 

185.20.187[.]8September 2018UAE (Law Enforcement) and UAE (Government) and Lebanon (Government) and Lebanon (Civil Aviation) 

82.196.8[.]43October 2018Iraq (Government) 

188.166.119[.]57October 2018 and November 2018Egypt (Government) and Libya (Government) 

206.221.184[.]133November 2018Egypt (Government) 

37.139.11[.]155November 2018UAE (Unidentified Sector) 

199.247.3[.]191November 2018Iraq (Government) and Albania (Government) 

185.161.209[.]147November 2018Lebanon (Insurance) 

139.162.144[.]139December 2018Jordan (Government) 

37.139.11[.]155December 2018UAE (Unidentified Sector) 

178.62.218[.]244December 2018UAE (Government) and Cyprus (Government) 

139.59.134[.]216December 2018Sweden, Saudi Arabia and Lebanon (Internet Services) 

82.196.11[.]127December 2018Sweden and U.S. (Internet Infrastructure) 

46.101.250[.]202December 2018 and January 2019Saudi Arabia (Government) 

This large-scale activity shows the determination of nation state actors to reroute internet traffic for surveilling targets and gleaning information from that traffic. The rerouted traffic may have been used to steal session information, access sensitive information, and/or infect victims with malware. DNS hijacking poses a risk to the users of Web service and the confidentiality, integrity, and availability of the data in the service behind a hijacked domain.

NS Domains

cloudipnameserver[.]com 

mmfasi[.]com 

interaland[.]com 

cloudnamedns[.]com 

lcjcomputing[.]com 

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday January 23rd 2019