Silobreaker Daily Cyber Digest – 8 February 2017

Threat Reports


Researchers discover highly sophisticated phishing kit
Security researchers at Proofpoint have discovered a new phishing kit. The most notable feature of the kit is an automated process for building and deploying high-end phishing pages. The kit can be used to build multi-stage phishing pages which collect user information in various steps before logging this data in a backend GUI. Unusually, it will also validate data as the user submits it by checking for valid PayPal email addresses, as well as determining whether credentials and credit card numbers are correct. More information.

Erebus ransomware uses UAC bypass
Erebus, spotted by MalwareHunterTeam on VirusTotal, contains two notable features. It demands a relatively low ransom of $90 and deploys a User Account Control (UAC) bypass which allows the ransomware to run with elevated privileges without displaying a UAC prompt. It is not clear whether Erebus is a rewrite of an earlier piece of malware by the same name, or a completely new version. More information.

WordPress vulnerability exploited in massive defacement campaigns
Researchers at Sucuri have discovered that a recently disclosed content injection flaw in the WordPress CMS has already been exploited to deface thousands of websites. The flaw affects the WordPress REST API and can be exploited by an unauthenticated attacker to inject malicious content, as well as for privilege escalation. The vulnerability affects all websites running on the WordPress CMS, which number at least 18 million. While a patch was issued on January 26, many websites have not been updated and are therefore still vulnerable. Since disclosing the vulnerability, Sucuri has observed several massive defacement campaigns targeting WordPress, with one attack seeing hackers replace the content of 60,000 websites. More information.

Security vulnerabilities in Steam Profiles
A serious vulnerability affecting the Steam online games marketplace has been patched. A warning was issued on the Steam subreddit advising users not to open other users’ profiles or their own activity feed. Although the message was vague, it referred to the risk of malicious script execution and suggested that all users disable JavaScript in their browser. The vulnerability has now been fixed, but Steam is advising those who feel they may have been affected to change their password, enable mobile authentication, and de-authorise any other systems linked to their Steam account. More information.


Leaks and Breaches

Norwegian University targeted by cyber attack
The Norwegian Nord University confirmed it was one of several Norwegian organisations targeted in a cyber-attack allegedly carried out by APT29. The head of the university explained that hackers attempted to breach an account registered to one of the university’s old domains. However, as this domain is no longer in use, the attack represented no serious threat to the university. More information. (Norwegian)

Vizio fined for collecting user information without user’s consent
Vizio, a US developer of consumer electronics, has agreed to pay a fine of $2.2 million after it was revealed that the company secretly collected user data and sold personal user details to third parties without user consent. An investigation by the US Federal Trade Commission (FTC) and the Office of the New Jersey Attorney General concluded that Vizio had included special software on its line of smart TVs which collected user viewing habits and IP addresses. This data was then sold to third-party companies that used the information to build advertising profiles for each user. More information.

Hackers Deface Pro-Trump Super PAC Website
Hackers were able to breach the website of the Super PAC 45 Committee this week. Once they had gained access to the site, they defaced multiple sections, renaming them with slogans such as “Make America Sh**ty again” and “Black Lives Matter”. Following the hack, the 45 Committee was forced to take down the website, although it now appears to be functioning as usual. More information.


Ongoing Campaigns

Sage and Locky ransomware discovered sharing delivery infrastructure
Researchers at PhishMe have discovered that the Locky and Sage ransomware families are now being distributed using the same infrastructure. The phishing campaigns delivering Sage use the same email messages, metadata and Tor payment site as those seen in earlier Locky campaigns. According to PhishMe, this shows that, in contrast to claims that Locky has disappeared from the threat landscape, it is still in use by attackers. More information.

Possibly Turla-linked group targets embassies
An ongoing reconnaissance campaign against embassy and ministry sites bears the hallmarks of the Turla APT group, according to a Forcepoint threat report. The campaign has targeted the embassies of Iraq, Jordan, Zambia and Russia, as well as numerous other government entities across Europe. The attacks used compromised sites to target certain visitors and hid malicious code within Clicky web analytics scripts. Once a visitor is identified through fingerprinting and matched against an IP target list, the malicious payload is dropped. There is no conclusive evidence linking the Turla group to the attacks, but the behaviour of the malware is indicative of their work. The report, along with IOCs, can be found here.

AKBuilder exploit kit generating malicious word documents
A report from SophosLabs has tracked another exploit kit that uses Office exploits to deliver malicious code – AKBuilder. AKBuilder creates malicious Word documents that can be used to package malware, which is then sent out to multiple victims in large distribution campaigns. The exploit kit is sold for $550 and is often seen advertised on underground forums and in YouTube videos. AKBuilder relies on known, already-patched vulnerabilities, so keeping software up to date prevents its attacks. More information.

MacDownloader targeting US defence industry
Security researchers have discovered a macOS malware agent called MacDownloader that appears to be targeting the US defence industrial base by posing as both an Adobe Flash installer and the Bitdefender Adware Removal Tool. The malware was initially discovered on a fake web page claiming to belong to the aerospace firm United Technologies Corporation. The page contained links to programs and courses citing the names of employees and interns at a number of known defence and aerospace companies. The malware’s main purpose seems to be the collection of credentials from the macOS keychain. The responsible threat actor is not known, but there are features of MacDownloader that suggest a connection to the Iranian threat group Charming Kitten. Original Report.


General News

Turkish hacker group claims responsibility for DDoS attack on Austrian parliament
According to a spokeswoman for the Austrian parliament, the Turkish hacker collective Aslan Neferler Tim (ANT) has claimed responsibility for a DDoS attack which brought down the parliament’s website for 20 minutes this weekend. ANT has previously carried out operations against the Austrian central bank and an Austrian airport. Authorities are now investigating the attack. More information.

Dendroid RAT author avoids jail
Ex-FireEye intern Morgan Culbertson avoided a jail sentence on Monday for his role in the development and sale of the Dendroid RAT. Dendroid was rented to various hackers for $300 a month (or $65,000 for the source code) via the Darkode forum while Culbertson, 22, worked on Android security at FireEye. Arrested in 2015, he has been sentenced to three years’ probation, computer monitoring and 300 hours of community service. More information.


The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.