Hey all,

Here are this week’s cyber updates:

(1) Microsoft Office allows its users to add a macro script to be executed when the document is opened. While this is usually used for formulas calculation, attackers have used it to execute malicious code on their victims’ workstations, and in particular infecting them with ransomware (such as the Locky ransomware).

Today, the first Word macro for Mac OS was discovered. The malware downloads another file from https://www.securitychecking.org/index.asp and decrypts it (the file is encrypted using RC4 encryption). The malware then executes the decrypted file.

Organizations that use Mac OS systems are requested to check if any machines has queried the following malicious DNS record: www.securitychecking.org

Here are all the details: https://objective-see.com/blog/blog_0x17.html

(2) Numerous worldwide banks have been targeted by a malware stored only in the server’s memory. Kaspersky reported to have their incident response team called due to a meterpeter code found in the memory of a bank’s domain controller.

What’s interesting about this attack is the fact that the attackers have used the netsh.exe utility (builtin tool) in order to tunnel traffic from the victim’s host to the attacker’s C&C servers. In particular, the following command was used:

This caused the infected machine to listen on port 4444 and send this traffic to <IP> in port 8080.

Thus, this has allowed a legitimate tool (netsh.exe) to be used in order to allow internal workstations and computers to communicate with an external C&C server, even if a direct communication channel between the internal machines and the internet is blocked by the organization’s firewall.

Here are some artifacts generated in the Windows registry that will quickly allow an organization to determine if one of their machines was infected:

Here are all the details: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/, https://thehackernews.com/2017/02/bank-hacking-malware.html

(3) This has not been the best week (in terms of cyber security) for banks. Numerous Polish banks have been hacked, and the interesting part is that the source of the attack came from KNF – the Polish authority in charge of the safety and security of banks in Poland. Apparently, someone hacked KNF’s website and has modified a JavaScript file to contain malicious data.

Clients are advised to block access to the following hosts:

Here are all the details: https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/

(4) Last week I’ve mentioned the ransomware that targeted an hotel in Austria; this week it was IHG’s turn to be infected by a malware. About 12 InterContinental point of sales machines have been hacked, allowing the attackers to gain credit cards data.

Be sure to check if you’ve purchased anything there!

Here are all the details: https://krebsonsecurity.com/2017/02/intercontinental-confirms-breach-at-12-hotels/

(5) 76 famous iOS application are vulnerable to MiTM attacks. Some are very popular, such as Snapchat. The app is vulnerable to MiTM attacks, allowing attackers to still your credentials (username and password).

Here are all the details: https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1

Stay tuned for more updates,