Silobreaker Daily Cyber Digest – 13 February 2017
Ultranationalist developer creates SerbRansom
SerbRansom is a recently discovered ransomware family created by an ultranationalist developer from Serbia dubbed R4z0rx0r. According to researchers at MalwareHunterTeam the ransomware does not yet represent a major threat, as it is not a part of a major distribution campaign and has relatively unsophisticated source code. The ransomware creator uses an application to generate custom versions of SerbRansom, including which files are encrypted, what Bitcoin wallet ID should be displayed in the ransomware note and whether a UAC bypass should be deployed. This suggests that the author of the tool may soon attempt to monetise it further, as it allows non-technical users to create and deploy ransomware. More information.
New Mirai trojan linked to larger campaign
There appears to be a link between C2 infrastructure used to distribute a RAT and a newly discovered trojan that scans TCP ports before dropping Mirai. Researchers discovered that the version of Mirai dropped by Trojan.Mirai.1 (first reported by Dr Web) makes HTTP GET requests to malicious subdomains as well as a Chinese social media site, from which it attempts to download an image of Taylor Swift spiked with an embedded portable executable (PE) file. This file is a RAT, and the aforementioned C2 infrastructure includes several interconnected domains used to distribute other malware. More information.
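The item above describes a payload hidden inside an image file, where the downloaded image carries an embedded PE. The following is an added example, not code from Dr Web or from the researchers cited, showing one defensive check for that technique: it walks a file for MZ headers and only reports those whose e_lfanew pointer lands on a genuine "PE\0\0" signature, which filters out the "MZ" byte pairs that occur by chance in compressed image data. The sample bytes are constructed inline (a fake JPEG prefix followed by a minimal DOS stub and PE signature) and are not real malware.

```python
"""Detect a Windows PE image appended to or embedded in an image file."""
import struct
from typing import Dict, List, Optional

# Magic numbers for the image formats we recognise (constructed list, not exhaustive).
IMAGE_MAGICS = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def image_type(data: bytes) -> Optional[str]:
    """Return the image format name if the file starts with a known magic, else None."""
    for name, magic in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_pe(data: bytes) -> List[int]:
    """Return the offset of every plausible PE header found in data.

    A PE file begins with a DOS stub: 'MZ', then at offset 0x3c a 32-bit
    little-endian pointer (e_lfanew) to the 'PE\0\0' signature. Requiring
    that pointer to resolve correctly is what separates a real embedded
    executable from a random 'MZ' pair inside pixel data.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the whole DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3c)[0]
            pe_off = pos + e_lfanew
            # e_lfanew must lie past the DOS header and within a sane range.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_image(data: bytes) -> Dict[str, object]:
    """Classify a blob: what image type it claims to be and whether a PE is hidden inside."""
    pe_offsets = find_embedded_pe(data)
    return {
        "image_type": image_type(data),
        "pe_offsets": pe_offsets,
        "suspicious": bool(pe_offsets),
    }


def build_spiked_sample() -> bytes:
    """Constructed test input: 64 bytes of fake JPEG, then a minimal PE stub.

    This is not a working executable; it only carries the header fields
    the scanner checks.
    """
    jpeg_prefix = IMAGE_MAGICS["jpeg"] + b"\x00" * 61          # 64 bytes
    dos_header = bytearray(b"MZ" + b"\x00" * 0x7e)              # 0x80 bytes
    struct.pack_into("<I", dos_header, 0x3c, 0x80)              # e_lfanew -> PE sig
    pe_header = b"PE\0\0" + b"\x00" * 20                        # signature + padding
    return jpeg_prefix + bytes(dos_header) + pe_header


def build_clean_sample() -> bytes:
    """Constructed test input: a PNG header followed by filler bytes, no PE."""
    return IMAGE_MAGICS["png"] + b"\x00" * 120


if __name__ == "__main__":
    for label, blob in (("spiked", build_spiked_sample()), ("clean", build_clean_sample())):
        print(label, scan_image(blob))
```

In practice this check belongs at the proxy or in a sandbox that inspects downloaded images; the key design point is the e_lfanew validation, since a plain search for "MZ" or "This program cannot be run" produces false positives on large JPEGs.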
Leaks and Breaches
Sports Direct suffered major breach in September 2016
Sports Direct fell victim to a serious breach last year. In September 2016 a hacker breached the company’s internal systems by exploiting a known vulnerability affecting the unpatched version of the DNN platform used by the company to host its staff portal. This allowed the attacker to access employee personal information, including names, emails, postal addresses and phone numbers, which was stored in plain text. The company discovered the breach in December, but as there was no evidence that the hacker had shared the data, it did not report the breach to its staff. More information.
Russia suspected of hacking Italian foreign ministry
Russian actors are suspected of hacking the Italian foreign ministry last year, according to a government official who spoke to the Guardian. The attack took place in spring and lasted for up to four months. Although foreign ministry field offices and associated staff were affected by malware, the encrypted system used for classified communications was not accessed, meaning that confidential information remains secure. Maria Zakharova, a spokesperson for the Russian foreign ministry, has stated that there is no evidence to support such allegations of hacking. More information.
Deleted Safari history stays in iCloud
Elcomsoft has discovered that internet history deleted in Safari remains invisible, but technically accessible, on Apple’s iCloud. When synced, Safari history is saved across all devices and can be removed in the same fashion through the delete history command. This does not fully remove history records from iCloud, however; such information can be kept, unbeknownst to users, for up to a year. Possibly in response to this disclosure (and the implicit privacy concerns and potential for exploitation) Apple has begun to purge these iCloud records. More information.
Additional websites targeted through WordPress vulnerability
Several more websites have fallen victim to an ongoing defacement campaign which has targeted over 1.5 million WordPress sites. The attacks leverage a vulnerability in the WordPress REST API allowing attackers to alter the content of posts without the need for authentication. Over the weekend it was disclosed that a website belonging to security company Trend Micro was amongst the most recent victims. More information.
New malware targeting financial institutions across the globe
Beginning in October 2016, a campaign has been deploying previously unknown malware to target financial institutions. The attacks were discovered after a bank in Poland shared IOCs from malware it had found running on a number of its computers. This led several institutions to confirm they had been compromised by the same threat. The attacks use compromised websites – watering holes – to redirect visitors to a customised exploit kit that was preconfigured to only infect visitors from around 150 different IP addresses. The targeted IP addresses belong to 104 organisations, mainly from the financial sector, located in 31 different countries. Code strings in the malware used in the attacks share commonalities with code in malware associated with the Lazarus group. More information.
Smishing campaign targets Czech users
A smishing campaign is targeting Czech users through text messages posing as delivery notifications from the Czech Republic’s postal service. According to Check Point, the messages contain a link to a fake Czech Post web page which, if followed, will download a malicious app onto the victim’s device. This app contains a trojan which steals credit card details and other personally identifying information. More information.
Spyware used to target backers of Mexico’s Soda Tax
Spyware developed by the NSO Group has been used to target researchers and activists lobbying for a soda tax in Mexico. According to the New York Times, unknown attackers sent personalised messages urging targets to click a link contained in the text. If the victim complied, a tracking system from the NSO Group dubbed Pegasus was installed onto their mobile phone. Pegasus would then extract text messages, contact lists, calendar records, emails, instant messages and location. It is as yet unknown who was behind the malicious activity. More information.
Teen admits to attack on Brussels airport
A 14 year-old US teen has admitted to an attempted hack on the Brussels Zaventem Airport on March 22 2016, a day after ISIS conducted a terrorist attack in the city. The teen attempted to breach the airport’s website and then escalate his access to core airport systems, but this was ultimately unsuccessful. The hacker does not appear to have any ties to terrorist organisations. More information.
US authorities arrest sophisticated Russian hacker
An alleged Russian hacker has been arrested by US authorities, and is suspected of stealing money from thousands of US bank accounts. Alexander Tverdokhlebov is described as an extremely sophisticated hacker who used a botnet of 10,000 compromised computers to launch cyber-attacks. Tverdokhlebov, who appears to be well connected on Russian cybercrime forums, was detained in Los Angeles on 1 February on charges of cybercrime and wire fraud. More information.
DHS releases new GRIZZLY STEPPE analysis
The DHS and partner organisations have published a follow-up report on GRIZZLY STEPPE activity. In contrast to the original Joint Analysis Report, the new Analytical Report includes detailed recommendations for the detection and mitigation of GRIZZLY STEPPE actors, indicators of compromise, Snort and YARA rules, and a reading list of open source publications covering APT28 and APT29 activity. Full report.