Silobreaker Daily Cyber Digest – 10 February 2017
New Ransomware encrypts, steals and deletes victims’ data
DynA-Crypt not only encrypts data, but also attempts to steal information. The ransomware has been made using a malware creation kit, and appears to be relatively unsophisticated. It contains several standalone executables and PowerShell scripts which will encrypt files and steal data such as passwords and contacts. It will also delete the data in several of the folders it steals information from, without providing a backup. The ransom demanded is $50 in bitcoin. More information.
New Ransomware targeting Danish users
Serpent is currently targeting Danish speakers, and appears to be a new variant of the HadesLocker and Wildfire ransomware families. It is being distributed via spam emails posing as outstanding invoices. These contain a Word document which, if opened, will attempt to trick users into enabling macros that execute and install the final payload. Serpent will encrypt files using AES-256 and demands a ransom of 0.75 Bitcoin. There is no decryptor currently available. More information.
Shell Crew’s StreamEx malware
Cylance has identified a new family of malware used by Shell Crew. Active for over a year and a half without detection, StreamEx can modify user file systems and registries, enumerate processes and network resources, remotely execute commands and scan for security tools. 64-bit and 32-bit variants have been spotted in the wild, some of which are not detected by any AV providers. More information.
A new remote access trojan called AthenaGo is using Tor proxies to redirect traffic from infected machines to hidden C2 servers. According to Cisco researchers, AthenaGo is the first RAT to be written in Go and has been deployed against targets in Portugal. The malware is currently spread via emails that come with macro-enabled Word documents purportedly from the Portuguese postal service. AthenaGo can execute system commands, download and execute files, and list and kill processes. More information.
Bug discovered in F5 Network’s BIG-IP
A vulnerability – dubbed Ticketbleed – has been discovered and patched in F5 Network’s BIG-IP appliances. It can be exploited when virtual servers running on these appliances are configured with a Client SSL profile that has the non-default Session Tickets option enabled. Attackers may leverage this flaw to obtain Secure Sockets Layer (SSL) session IDs from other sessions. Ten BIG-IP configurations are vulnerable, and patches are now available. Users unable to patch immediately are advised to disable Session Tickets. More information.
jQuery Mobile XSS
The jQuery Mobile framework can expose websites to cross-site scripting (XSS) attacks. According to Google engineer Eduardo Vela, any website using jQuery Mobile with an open redirect is vulnerable due to the way jQuery runs history.pushState on URLs in location.hash and puts the result in innerHTML. More information.
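The hash-handling leg of the issue described above can be closed on the page side by validating what comes out of location.hash before it reaches history.pushState or the DOM; the following is an added example and not code from the digest or from jQuery Mobile, and safeHashTarget and escapeHtml are hypothetical helper names. It assumes the page knows its own origin, and note that it does not fix an open redirect endpoint on the site itself, which must be corrected separately.

```javascript
// Added example, not code from the digest or from jQuery Mobile: a defensive
// filter for pages that take a navigation target from location.hash before
// passing it to history.pushState and the DOM. safeHashTarget and escapeHtml
// are hypothetical helper names.

// Return a same-origin path+query taken from the hash, or null if the value
// would steer navigation off-origin or is not a plain path at all.
function safeHashTarget(hash, pageOrigin) {
  // location.hash carries a leading '#'; drop it.
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  if (raw === '') return null;
  let url;
  try {
    // Resolve relative to the page so "/x" stays on-site while values with
    // their own scheme or a protocol-relative "//host" prefix do not.
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return null; // unparsable input is rejected, not guessed at
  }
  if (url.origin !== new URL(pageOrigin).origin) return null;
  // Drop any nested fragment so the value cannot re-enter the hash handler.
  return url.pathname + url.search;
}

// If a value must be written with innerHTML, neutralise markup first;
// prefer textContent / setAttribute where the DOM API allows it.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
```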
Leaks and Breaches
Fast Food Chain Arby’s suffers major breach
Fast food chain Arby’s has suffered a massive breach, which may have compromised the credit and debit card details of 350,000 customers. In mid-January the restaurant chain discovered that unknown attackers had managed to inject malware onto the point-of-sale systems of a number of the company’s 1,000 corporate restaurants. An Arby’s spokesperson claims the threat has now been eliminated, but customers are advised to check their card statements for unauthorised payments. More information.
Tunisian hackers deface websites of NHS organisations
Tunisian hacker collective Fallaga Team have carried out attacks against the websites of six NHS organisations. The attacks took place three weeks ago, and the attackers defaced the sites to post brutal images from the Syrian Civil War. It is believed that patient data was left vulnerable during the attacks, but as yet there is no indication that this data has been compromised. The Fallaga Team claimed to be acting in retaliation for the West’s aggression in the Middle East. The incident is now being investigated. More information.
RDP Brute Force attacks observed delivering the CRYSIS Ransomware
The CRYSIS ransomware family is being distributed worldwide through Remote Desktop Protocol (RDP) brute force attacks. Once access to a system is established, attackers return and attempt to infect endpoints with CRYSIS. This type of attack was first observed by Trend Micro in September, targeting businesses in Australia and New Zealand. The campaign has since intensified and attacks doubled in January 2017 compared to previous months. A majority of the targets are healthcare organisations in the US. More information.
1.5 million sites defaced using WordPress vulnerability
Over the past two days hackers have intensified attacks leveraging a vulnerability in the REST API to target WordPress-hosted websites. On Monday researchers at Sucuri discovered four hacker groups using the flaw to deface 67,000 sites. This number has now grown to over 1.5 million sites, and there are 20 groups involved in a defacement turf war. A patch was included in WordPress 4.7.2, but sites running WordPress versions 4.7.0 and 4.7.1 remain vulnerable. More information.
DoJ indicts former NSA contractor
The US Department of Justice has filed official charges against Harold T. Martin, who is charged with wilful retention of national defence information. The indictment alleges that Martin stole documents containing classified information from various government agencies for two decades. The DoJ offered no information on reports suggesting Martin stole hacker tools from TAO – the NSA’s primary offensive cyber unit. More information.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.