Silobreaker Daily Cyber Digest – 14 February 2017
New version of Sage mimics Cerber routines
A new variant of the Sage 2.0 ransomware is being distributed by the Pandex spambot. Researchers at Symantec have found that this version of Sage shares several routines with the Cerber ransomware: it uses a .HTA ransom note, offers multiple language support, drops a .VBS script that uses the SAPI SPVoice interface to announce the infection to the victim aloud, and terminates database-related processes. Sage 2.0 also uses a process list identical to one found in Cerber 4. More information.
Researchers at Palo Alto Networks have discovered a new malware loader. Known as StegBaus, the loader is currently being used to deliver a variety of commodity malware, including DarkComet, Pony and the LuminosityLink RAT. StegBaus is notable for using custom steganography to hide its payloads and a UAC bypass technique to avoid alerting users. More information.
Leaks and Breaches
University hit by DDoS attack from its own IoT devices
An unnamed university fell victim to a DDoS attack caused by its own smart devices. In a soon-to-be-published report, Verizon researchers explain how an unnamed IoT malware strain connected to the university’s smart devices and changed their default passwords, then launched brute-force attacks to obtain admin credentials for nearby devices. The hijacked devices then flooded the university’s DNS server, leaving it unable to process legitimate student traffic. Verizon’s researchers were able to mitigate the attack after identifying a flaw in the malware’s mode of operation. This allowed the university to log network traffic, capture the new passwords set by the malware, and write a script to reverse its effects. More information.
Lahore District Website defaced by Indian hacker collective
The website of the Lahore District Government was hacked by the Indian hacker collective IND 3MB3R. The site was defaced to display an image of the Indian Army insignia along with a message stating “Pakistani kids keep distance from Indian server. It’s payback for hacking Indian sites”. More information.
NewsBeef APT targets Saudi Arabia’s National Technology Group
Saudi Arabia’s National Technology Group is one of several institutions targeted in a campaign orchestrated by the hacker collective NewsBeef APT (AKA CHARMING KITTEN). According to a report by CERT Saudi Arabia, the group’s website was spoofed using typo-squatting, and the attackers then attempted to direct victims to the spoofed site to steal credentials and gain access to corporate information. CERT further states that NewsBeef has recently been deploying a new toolset, which includes macro-enabled Office documents, the PowerShell-based tool suite ‘PowerSploit’, and the Pupy backdoor. These have been used in a complex espionage campaign targeting the websites of several Middle Eastern institutions. More information.
WordPress REST API flaw leveraged to install a backdoor
Threat actors have found a way to escalate a flaw in the WordPress REST API, until now regarded as low-impact, into the installation of a hidden backdoor and a full server takeover. Researchers at Sucuri found that the flaw, which so far had been leveraged only for simple defacement of WordPress sites, is now being used in remote code execution attempts. In these attacks, the attackers submit their own PHP code to a WordPress site via the flaw; that code includes a remotely hosted PHP file on the target’s site, which in turn downloads and installs the FilesMan backdoor, giving the attacker control of the victim’s underlying server. More information.
Georgia Institute of Technology simulates ICS malware
Extracting ransom payments from industrial control system operators could soon be a reality, after university researchers simulated the effects of custom malware on a water treatment plant. Presented at RSA on Monday, the research involved manipulating programmable logic controllers (PLCs) to add substances such as chlorine to the water supply. More information.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.