This week, cryptomining malware that launches Linux VMs on Windows and macOS, Oracle patches another actively-exploited WebLogic 0-day, LokiBot and NanoCore malware distributed in ISO image files, and an Anonymous hacker who was exposed after dropping a USB drive while throwing a Molotov cocktail! In the expert commentary, we welcome Tyler Hudak, Practice Lead of Incident Response, to talk about TrickBot!
- Beware! Playing Untrusted Videos On VLC Player Could Hack Your Computer – Parsing data is still hard, and often leads to these types of vulnerabilities: Discovered by Symeon Paraschoudis from Pen Test Partners and identified as CVE-2019-12874, the first high-severity vulnerability is a double-free issue which resides in the “zlib_decompress_extra” function of the VideoLAN VLC player and gets triggered when it parses a malformed MKV file in the Matroska demuxer. The second high-risk flaw, identified as CVE-2019-5439 and discovered by another researcher, is a read-buffer overflow issue that resides in the “ReadFrame” function and can be triggered using a malformed AVI video file.
- This Cryptomining Malware Launches Linux VMs On Windows and macOS – This is one way to get your malware to be cross platform! The malware uses a combination of QEMU and VirtualBox to run malicious VMs on infected systems: Dubbed “LoudMiner” and also “Bird Miner,” the attack leverages command-line based virtualization software on targeted systems to silently boot an image of Tiny Core Linux OS that already contains a hacker-activated cryptocurrency mining software in it. Spotted by researchers at ESET and Malwarebytes, attackers have been distributing this malware bundled with pirated and cracked copies of VST (Virtual Studio Technology) software on the Internet and via the Torrent network since August 2018. VST applications contain sounds, effects, synthesizers, and other advanced editing features that allow tech-centric audio professionals to create music. Researchers have found various malicious versions of nearly 137 VST-related applications, 42 of which are for Windows and 95 for the macOS platform, including Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor 6 and AutoTune.
- LokiBot and NanoCore Malware Distributed in ISO Image Files | SecurityWeek.Com – Interesting, curious how the code gets loaded from the ISO or if the user mounts it and clicks on an executable (Windows 8 and later mount an ISO natively on double-click, so the user still has to open the file inside): ISO image files are designed to contain the full content of an optical disk. As such, legitimate files tend to be 100 MB or more in size. This was one of the first clues to be detected by researchers at cloud security firm Netskope. “The observed ISO files were in the size range of 1MB to 2MB which is an unusual file size for image files,” they say in a report…This could be common since ISO files are often whitelisted in scanning engines, and a small image that is not expanded by the mail gateway carries its executable straight past attachment filters.
- Anonymous hacker exposed after dropping USB drive while throwing Molotov cocktail | ZDNet – This is bizarre, and he got caught because the police traced the USB drive to him! Belgium police have identified a member of the Anonymous Belgium hacker collective while investigating an arson case at a local bank. The perpetrator, a 35-year-old man from the Belgian city of Roeselare, was initially arrested after throwing a Molotov cocktail at the Crelan Bank office in Rumbeke, a suburb of Roeselare, back in 2014. Police tracked down the suspect because he dropped a USB thumb drive on the ground while/after throwing the Molotov cocktail.
- Presidential warnings ‘easy’ to spoof – Now, eight University of Colorado researchers have demonstrated how to send spoof messages across a small area using portable mobile-phone base stations and some specially adapted software. And their method exploited problems with the WEA protocol that defined how presidential alerts were created and sent. Using just four low-power base stations would let attackers reach all the phones in a large stadium, they said. “Fake alerts in crowded cities or stadiums could potentially result in cascades of panic,” wrote the researchers.
- Firefox zero-day was used in attack against Coinbase employees, not its users | ZDNet – According to indicators of compromise shared by Martin, attackers would send a spear-phishing email luring victims to a web page, where, if they used Firefox, the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords and other data. The attack was tailored for both Mac and Windows users alike, with different malware for each OS. Mozilla released on Tuesday Firefox 67.0.3 and Firefox ESR 60.7.1 to fix the reported zero-days. Earlier today, these fixes were also merged into the Tor Browser with the release of v8.5.2.
- Oracle patches another actively-exploited WebLogic zero-day | ZDNet – Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users’ systems. Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday. The initial report from Knownsec claimed the attacks exploited a brand new WebLogic bug to bypass patches for a previous zero-day tracked as CVE-2019-2725 — which was also exploited in the wild for days in April before Oracle released an emergency security patch for that one as well.
- Hundreds of millions of computers potentially exposed to hack due to a flaw in PC-Doctor component – Experts at SafeBreach discovered that Dell SupportAssist, which comes preinstalled on most Dell PCs, was affected by a DLL hijacking vulnerability tracked as CVE-2019-12280. The flaw could have been exploited by an attacker with regular user permissions to execute arbitrary code with elevated privileges by planting specially crafted DLL files in the locations the software searches when loading its libraries. SupportAssist is used to check the health of a system’s hardware and software; when an issue is detected, it sends the necessary system state information to Dell so troubleshooting can begin. These checks require elevated privileges, so the services that perform them run as SYSTEM, which is what turns a DLL planted by an unprivileged user into a local privilege escalation. The vulnerable code lives in a third-party PC-Doctor diagnostic component that SupportAssist bundles, and since PC-Doctor software is pre-installed on over 100 million computers worldwide the extent of the problem could be huge. SafeBreach researchers found the same flawed component in CORSAIR Diagnostics, Staples EasyTech Diagnostics, and the Tobii I-Series and Tobii Dynavox diagnostic tools.
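The size clue from the ISO item above (LokiBot and NanoCore) is easy to turn into a triage rule. The script below is an added example written for these show notes; it is not Netskope's tooling or code from the SecurityWeek report. It parses the ISO 9660 primary volume descriptor and root directory of an image, then flags images that are both tiny and carry executable content. The 10 MB threshold and the extension list are assumptions, and the sample image is constructed inline by the script itself rather than taken from any real campaign.

```python
import struct

SECTOR = 2048
# Assumed thresholds: Netskope's samples were 1-2 MB, while installer ISOs run to hundreds of MB.
SMALL_ISO_LIMIT = 10 * 1024 * 1024
EXEC_EXTENSIONS = (".EXE", ".SCR", ".COM", ".PIF", ".LNK", ".JS", ".VBS", ".BAT", ".CMD", ".HTA")

def _both32(n):
    """ISO 9660 stores most numbers twice: little-endian then big-endian."""
    return struct.pack("<I", n) + struct.pack(">I", n)

def _both16(n):
    return struct.pack("<H", n) + struct.pack(">H", n)

def _dir_record(name, lba, size, is_dir=False):
    """Build one ISO 9660 directory record (ECMA-119 section 9.1)."""
    ident = name.encode("ascii") if isinstance(name, str) else name
    rec = bytearray(b"\x00\x00")          # record length (patched below), ext. attr length
    rec += _both32(lba) + _both32(size)   # extent location and data length
    rec += bytes(7)                       # recording date/time, zeroed
    rec += bytes([2 if is_dir else 0])    # file flags: bit 1 = directory
    rec += b"\x00\x00" + _both16(1)       # unit size, interleave gap, volume sequence number
    rec += bytes([len(ident)]) + ident
    if len(rec) % 2:
        rec += b"\x00"                    # records are padded to an even length
    rec[0] = len(rec)
    return bytes(rec)

def build_sample_iso(files):
    """Constructed test input: a minimal single-directory ISO 9660 image.
    files is a list of (name, payload) pairs placed in the root directory."""
    root_lba, lba = 18, 19
    root = _dir_record(b"\x00", root_lba, SECTOR, True) + _dir_record(b"\x01", root_lba, SECTOR, True)
    data = b""
    for name, payload in files:
        root += _dir_record(name + ";1", lba, len(payload))
        nsec = max(1, -(-len(payload) // SECTOR))          # ceil(len / SECTOR) sectors
        data += payload.ljust(nsec * SECTOR, b"\x00")
        lba += nsec
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1               # primary volume descriptor
    pvd[40:72] = b"SAMPLE".ljust(32)                        # volume identifier
    pvd[80:88] = _both32(lba)                               # volume space size in sectors
    pvd[120:128] = _both16(1) + _both16(1)                  # volume set size, sequence number
    pvd[128:132] = _both16(SECTOR)                          # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 0xFF, b"CD001", 1         # volume descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root.ljust(SECTOR, b"\x00") + data

def parse_iso_root(image):
    """Return [(name, size, is_dir)] for the root directory of an ISO 9660 image."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    ext = image[root_lba * SECTOR:root_lba * SECTOR + root_len]
    entries, pos = [], 0
    while pos < len(ext):
        rec_len = ext[pos]
        if rec_len == 0:                  # records never span sectors: skip the sector padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = ext[pos:pos + rec_len]
        pos += rec_len
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):   # the "." and ".." entries
            continue
        name = ident.decode("ascii", "replace").split(";")[0]   # strip the ";1" version suffix
        size = struct.unpack_from("<I", rec, 10)[0]
        entries.append((name, size, bool(rec[25] & 2)))
    return entries

def triage_iso(image):
    """Apply the size clue: a tiny image whose root directory holds executables is suspect."""
    reasons = []
    execs = [n for n, _, is_dir in parse_iso_root(image)
             if not is_dir and n.upper().endswith(EXEC_EXTENSIONS)]
    if len(image) < SMALL_ISO_LIMIT:
        reasons.append("image is only %d bytes; real optical-disc images are far larger" % len(image))
    if execs:
        reasons.append("root directory contains executable content: " + ", ".join(execs))
    return len(image) < SMALL_ISO_LIMIT and bool(execs), reasons

if __name__ == "__main__":
    # Constructed sample: a 42 KB "invoice" ISO carrying an EXE, shaped like the lures described.
    lure = build_sample_iso([("INVOICE.EXE", b"MZ" + bytes(600)), ("README.TXT", b"read me")])
    print(len(lure), parse_iso_root(lure))
    print(triage_iso(lure))
```

The parser reads only the primary volume descriptor, so a Joliet image will show its 8.3 uppercase names rather than the long names the victim sees, and it stops at the root directory; a production rule should also walk subdirectories and, since the small-size test alone would flag every boot disk, keep the "small and executable" conjunction rather than alerting on size by itself.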
Expert Commentary: Practice Lead, Incident Response – Tyler Hudak, TrustedSec
Tyler has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. He has spoken and taught at a number of security conferences about topics ranging from incident response to penetration testing techniques. Tyler’s passion for incident response stems from his love of solving puzzles. He uses this ambition to get to the bottom of the issues at hand; whether it’s forensic analysis of a disk, reverse engineering of malware, or the latest CTF contest, Tyler is driven to uncover every detail.