Silobreaker Daily Cyber Digest – 8 February 2017
Researchers discover highly sophisticated phishing kit
Security researchers at Proofpoint have discovered a new phishing kit. The most notable feature of the kit is an automated process for building and deploying high-end phishing pages. The kit can be used to build multi-stage phishing pages which collect user information in various steps before logging this data in a backend GUI. Unusually, it will also validate data as the user submits it by checking for valid PayPal email addresses, as well as determining whether credentials and credit card numbers are correct. More information.
Erebus ransomware uses UAC bypass
Erebus, spotted by MalwareHunterTeam on VirusTotal, contains two notable features. It demands a relatively low ransom of $90 and deploys a User Account Control (UAC) bypass which allows the ransomware to run with elevated privileges without displaying a UAC prompt. It’s not clear whether Erebus is a rewrite of another piece of malware by the same name, or a completely new version. More information.
WordPress vulnerability exploited in massive defacement campaigns
Researchers at Sucuri have discovered that a recently disclosed content injection flaw in the WordPress CMS has already been exploited to deface thousands of websites. The flaw affects the WordPress REST API and can be exploited by an unauthenticated attacker to inject malicious content, as well as for privilege escalation. The vulnerability affects all websites running on the WordPress CMS, which number at least 18 million. While a patch was issued on January 26, many websites have not been updated and are therefore still vulnerable. Since disclosing the vulnerability, Sucuri has observed several massive defacement campaigns targeting WordPress, with one attack seeing hackers replacing the content of 60,000. More information.
Security vulnerabilities in Steam Profiles
Leaks and Breaches
Norwegian University targeted by cyber attack
The Norwegian Nord University confirmed it was one of several Norwegian organisations targeted in a cyber-attack allegedly carried out by APT29. The head of the university explained that hackers attempted to breach an account registered to one of the university’s old domains. However, as this domain is no longer in use, the attack represented no serious threat to the university. More information. (Norwegian)
Vizio fined for collecting user information without user’s consent
Vizio, a US developer of consumer electronics, has agreed to pay a fine of $2.2 million after it was revealed that the company secretly collected user data and sold personal user details to third parties without user consent. An investigation by the US Federal Trade Commission (FTC) and the Office of the New Jersey Attorney General concluded that Vizio had included special software on its line of smart TVs which collected user viewing habits and IP addresses. This data was then sold to third-party companies that used the information to build advertising profiles for each user. More information.
Hackers Deface Pro-Trump Super PAC Website
Hackers were able to breach the website of the Super PAC 45 Committee this week. Once they had gained access to the site they defaced multiple sections, renaming them with slogans such as “Make America Sh**ty again” and “Black Lives Matter”. Following the hack, the 45 Committee were forced to take down the website although it now appears to be functioning as usual. More information.
Sage and Locky ransomware discovered sharing delivery infrastructure
Researchers at PhishMe have discovered that the Locky and Sage ransomware are now being distributed using the same infrastructure. They discovered that the phishing campaigns delivering the Sage ransomware use the same email messages, metadata and Tor payment site as those seen in earlier Locky campaigns. According to PhishMe, this shows that, in contrast to claims that Locky has disappeared from the threat landscape, it is still used by attackers. More information.
Possibly Turla-linked group targets embassies
An ongoing reconnaissance campaign against embassy and ministry sites bears hallmarks of the Turla APT Group, according to a Forcepoint threat report. The campaign has targeted the embassies of Iraq, Jordan, Zambia and Russia as well as numerous other government entities across Europe. The attacks used compromised sites to target certain visitors and hid malicious code using Clicky web analytics scripts. Once the visitor is identified through fingerprinting and tested against an IP target list, the malicious payload is dropped. There is no conclusive evidence linking the Turla Group to the attacks, but the behaviour of the malware is indicative of their work. The report along with IOCs can be found here.
AKBuilder exploit kit generating malicious word documents
A report from SophosLabs has tracked another exploit kit, AKBuilder, that uses Office exploits in order to deliver malicious code. AKBuilder creates malicious Word documents that package malware, which are then sent out to multiple victims in large distribution campaigns. The exploit kit is sold for $550 and is often seen advertised on underground forums and in YouTube videos. AKBuilder uses known vulnerabilities, making it possible to prevent attacks by keeping on top of software updates. More information.
MacDownloader targeting US defence industry
Security researchers have discovered a MacOS malware agent called MacDownloader that appears to be targeting the US defence industrial base by posing as both an Adobe Flash installer and the Bitdefender Adware Removal Tool. The malware was initially discovered on a fake webpage claiming to be that of the aerospace firm United Technologies Corporation. The page contained links to programs and courses citing the names of employees and interns at a number of known defence and aerospace companies. The malware’s main purpose seems to be the collection of credentials from the MacOS keychain. The responsible threat actor is not known, but there are features of MacDownloader that suggest a connection to the Iranian threat group Charming Kitten. Original Report.
Turkish hacker group claims responsibility for DDoS attack on Austrian parliament
According to a spokeswoman for the Austrian parliament, the Turkish hacker collective Aslan Neferler Tim (ANT) has claimed responsibility for a DDoS attack which brought down the parliament’s website for 20 minutes this weekend. ANT has previously carried out operations against the Austrian central bank and an Austrian airport. Authorities are now investigating the attack. More information.
Dendroid RAT author avoids jail
Ex-FireEye intern Morgan Culbertson avoided a jail sentence on Monday for his role in the development and sale of the Dendroid RAT. Dendroid was rented to various hackers for $300 a month (or $65,000 for source code) via the Darkode forum while Culbertson, 22, worked on Android security at FireEye. Arrested in 2015, he has been sentenced to three years’ probation, computer monitoring and 300 hours of community service. More information.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.