Silobreaker Daily Cyber Digest – 24 May 2019


 

Malware

Newly upgraded version of JasperLoader targets Italy

  • Cisco Talos researchers discovered a new version of JasperLoader targeting Italy and other European countries with banking trojans such as GootKit.
  • The new version has several additional features and upgrades, including a different distribution method, additional layers of obfuscation, decoy documents, geolocation filtering, detection for hypervisor-based environments and changes to file storage locations and file name conventions.
  • In addition, the new version also has new persistence mechanisms, a new C2 domain retrieval mechanism permitting time-based fluxing, and new bot registration and ID generation mechanisms.
  • Cisco Talos’ analysis follows their recent review of the functionality associated with JasperLoader.

Source (Includes IOCs)

 

Mirai variant uses multiple exploits to target several devices

  • Researchers at Trend Micro discovered a new variant of Mirai which utilizes a total of 13 different exploits. These exploits have been observed in older variants of Mirai but have never been used in conjunction in a single campaign.
  • The 13 exploits are used in combination to scan for vulnerabilities and then deploy Mirai. This specific campaign takes advantage of flaws in routers, surveillance products and other devices which are widely used and infrequently patched by users.
  • Trend Micro’s latest analysis includes a review of the 13 exploits.

Source (Includes IOCs)

 

Ongoing Campaigns

Fake cryptocurrency apps on Google Play attempt to scam users

  • Reddit users discovered an app on Google Play called ‘Trezor Mobile Wallet’, impersonating the popular hardware cryptocurrency wallet Trezor.
  • ESET researchers analysed the fake app and found that it can’t cause harm to Trezor users due to Trezor’s use of multiple security layers; however, it is able to phish for Trezor users’ credentials. They also found that the app is connected to a fake cryptocurrency wallet app called ‘Coin Wallet – Bitcoin, Ripple, Ethereum, Tether’ that is used to scam victims out of money.
  • Both the fake Trezor app and the ‘Coin Wallet’ app were created based on an app template sold online. The researchers suspect that the emergence of these apps is related to the continuously rising prices of Bitcoin in the last few months. Both apps have since been taken down from Google Play.

Source (Includes IOCs)

 

Phishing campaign spams Android users via fake ‘Missed Call’ alerts

  • Lookout’s Phishing AI services detected a new phishing campaign that abuses the Notifications and Push APIs, and Google Chrome on Android devices, to push spam alerts disguised as missed phone calls.
  • The perpetrators use custom icons for apps that trigger the alerts, which in this case was Google Chrome. The custom icons are used to better disguise the notifications and fool unsuspecting users.

Source

 

Anonymous and LulzSec hacker groups target Italian Police and doctors

  • In the last 10 days, Anonymous Group and LulzSec have been targeting Italian doctors and law enforcement, particularly the Police and the Carabinieri.
  • The attacks are part of a protest against the abuses in public health systems, to raise attention to mysterious deaths in hospitals that have allegedly been covered up by the authorities. In addition, the attacks also sought to bring attention to various arrests made on members of the hacking group.

Source

 

Malicious email campaigns target Canadian organisations

  • Between January and May 2019, Proofpoint researchers detected thousands of malicious email campaigns, with hundreds of them targeting Canadian organisations. In many cases, stolen branding from several Canadian firms and agencies, including major shipping and logistics organisations, national banks, and large government agencies, was used.
  • According to the researchers, many campaigns involved Emotet, a trojan associated with threat actor TA542. Other malware used includes Ursnif, IcedID, GandCrab, DanaBot, Formbook, Dridex and more.
  • The campaigns mostly affected Canadian financial services, the energy and utility sector, the manufacturing sector, the healthcare sector, and technology industry.

Source

 

Two law firms lost $117,000 after being hit with malware

  • Two unidentified law firms in the US have fallen victim to ‘an international cybercrime network that tried to loot an estimated $100 million from businesses.’
  • Phishing emails were sent to the companies disguised as an invoice from ‘Quicken Billpay Center,’ which downloaded GozNym malware, allowing the attackers access to the recipient’s banking credentials.

Source

 

Third party mailbox used by Computacenter employees hacked

  • The mailbox was used by Computacenter employees and contractors to deposit data to gain security clearance. The data in the mailbox could include ID data, contact details, bank details, and more.
  • Once the mailbox was hacked, the attacker changed the password and proceeded to use the data to send phishing emails.

Source

 

Leaks and Breaches

US license-plate scanning company suffers data breach

  • Hacker ‘Boris Bullet-Dodger’ informed The Register that he had hacked into the US license-plate scanning company Perceptics. Perceptics’ technology is installed at multiple border crossings in the United States.
  • Nearly 65,000 files were stolen and placed on the dark web, including Microsoft Exchange and Access databases, ERP databases, HR records, Microsoft SQL Server data stores, and more.

Source

 

Snapchat employees allegedly abused data access to spy on users

  • Motherboard reported that Snap, the company behind Snapchat, possesses several tools dedicated to accessing user data. Moreover, several employees allegedly abused their privileged access to spy on Snapchat users.
  • The accessed data included location information, saved Snaps, and personal information such as phone numbers and email addresses. One of the tools used, dubbed SnapLion, is accessible by multiple departments within the company. According to Motherboard’s sources, Snap employees have used the tool to spy on users.

Source

 

Joomla servers hacked and cryptocurrency mining scripts installed

  • Joomla issued a statement confirming that a notification was received from a security researcher on May 15th, 2019, informing them that an internal Jenkins CI server, used by the JED to deploy updates to their live and staging websites, was vulnerable to CVE-2018-1000861.
  • During the investigation into the breach, a crypto miner was detected running on the server. Joomla stated that they had no cause to think that ‘any user data has been accessed improperly.’

Source

 

Vulnerabilities

PoC exploits for Windows wormable flaw released online

  • Security experts have developed PoC exploits for the wormable Windows RDS flaw tracked as CVE-2019-0708, also known as BlueKeep. BlueKeep is a remote code execution flaw in Remote Desktop Services (RDS) that could be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.
  • Not all of the exploits published by the researchers are fully working; however, one of the PoC exploits could be used for remote code execution on vulnerable systems.

Source

 

General News

Equifax’s credit ratings revised following data breach

  • Credit rating agency Moody’s changed Equifax’s credit rating from stable to negative due to the financial losses suffered after the 2017 data breach. The report states that the breach affected Equifax’s performance and reputation, and the company’s cash flow decreased due to the legal and IT expenses following the incident.

Source

 

Google investigated following GDPR complaint

  • An investigation into Google’s processing of personal data was launched by the Irish Data Protection Commission (DPC) following a complaint filed with the UK Information Commissioner and the Irish Data Protection Commissioner on September 12th, 2018.
  • The investigation will assess whether Google’s processing of personal data collected by the company as part of Ad Exchange online advertising transactions is breaching GDPR regulations.
  • Further complaints against the company were recently filed in Spain, the Netherlands, Belgium and Luxembourg.

Source

 

18 charges filed against Julian Assange by US Department of Justice

  • Julian Assange is facing 18 indictments accusing him of violating the US Espionage Act after publishing confidential military and diplomatic documents on WikiLeaks in 2010.
  • According to US officials, the charges are not made for acting as a publisher, but for endangering the lives of sources. The charges also include one count of conspiring with former intelligence analyst Chelsea Manning and conspiracy to commit computer intrusion.

Source

 

NATO Secretary General focuses on cyber threats

  • Secretary General Jens Stoltenberg, in his keynote speech at the National Cyber Security Centre in London, focused on how cyber threats are changing the nature of modern warfare.
  • Moreover, Mr Stoltenberg spoke about how NATO is adapting its capabilities and increasing its resources to deal with these cyber threats.
  • Mr Stoltenberg also stated, with reference to the failed attack on the Organisation for the Prohibition of Chemical Weapons, that NATO must focus on attribution in its efforts to deter future cyber attacks.

Source 1 Source 2

 

UK political parties fail to protect members from phishing attacks

  • A security vendor has claimed that members of UK political parties are being targeted with phishing attacks because the DMARC protocol has not been consistently applied. Domain-based Message Authentication, Reporting and Conformance (DMARC) is the best practice used to mitigate email impersonation.
  • According to analysis by Red Sift, only 5 out of the full 22 main political parties participating in the European Parliament elections have implemented DMARC.

Source
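To make ‘has implemented DMARC’ concrete, here is an added example (not Red Sift’s tooling or the page’s own code) that parses a domain’s DMARC TXT record and grades it as missing, invalid, monitoring-only (p=none) or enforcing (quarantine/reject). The records are constructed; a real check would fetch the TXT record at `_dmarc.<domain>`.

```python
"""Grade DMARC TXT records. Tag semantics follow RFC 7489; records are constructed."""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            pairs.append((part.lower(), None))
            continue
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def grade_dmarc(txt):
    """Return {'status', 'policy', 'pct', 'issues'} for one record (or None if absent).

    status is one of 'missing', 'invalid', 'monitoring', 'enforcing'.
    """
    result = {"status": "missing", "policy": None, "pct": 100, "issues": []}
    if txt is None:
        result["issues"].append("no _dmarc TXT record")
        return result
    pairs = parse_dmarc(txt)
    tags = dict(pairs)
    # RFC 7489: v=DMARC1 must be present, exact, and first, else the record is ignored
    if not pairs or pairs[0] != ("v", "DMARC1"):
        result["status"] = "invalid"
        result["issues"].append("record must start with v=DMARC1")
        return result
    policy = (tags.get("p") or "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 6.6.3: no valid p but a usable rua -> receivers act as if p=none
        if (tags.get("rua") or "").startswith("mailto:"):
            result["issues"].append("missing/invalid p tag; treated as p=none because rua is present")
            policy = "none"
        else:
            result["status"] = "invalid"
            result["issues"].append("missing/invalid p tag")
            return result
    pct = tags.get("pct") or "100"
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        result["issues"].append(f"pct={pct!r} is not an integer 0-100; default 100 applies")
        pct = "100"
    result["pct"] = int(pct)
    result["policy"] = policy
    if "rua" not in tags:
        result["issues"].append("no rua tag: aggregate reports will not be received")
    sp = tags.get("sp")
    if sp is not None and sp.lower() not in VALID_POLICIES:
        result["issues"].append(f"sp={sp!r} is not a valid policy")
    if policy == "none":
        result["status"] = "monitoring"  # failures are reported but mail is still delivered
    else:
        result["status"] = "enforcing"
        if result["pct"] < 100:
            result["issues"].append(f"only {result['pct']}% of failing mail is subject to {policy}")
    return result


def summarise(records):
    """Count domains by status, the shape of a survey like the one quoted above."""
    counts = {"missing": 0, "invalid": 0, "monitoring": 0, "enforcing": 0}
    for txt in records.values():
        counts[grade_dmarc(txt)["status"]] += 1
    return counts


# Constructed sample records (hypothetical domains), one per failure mode.
CONSTRUCTED_RECORDS = {
    "party-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@party-a.example",
    "party-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-b.example",
    "party-c.example": "v=DMARC1; p=quarantine; pct=50",
    "party-d.example": None,
    "party-e.example": "p=reject; v=DMARC1",
    "party-f.example": "v=DMARC1; rua=mailto:reports@party-f.example",
}

if __name__ == "__main__":
    for domain, txt in CONSTRUCTED_RECORDS.items():
        print(domain, grade_dmarc(txt))
    print(summarise(CONSTRUCTED_RECORDS))
```

Only records that grade as ‘enforcing’ actually block impersonated mail; ‘monitoring’ counts as having a record but not as protection.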

 

Chrome, Firefox and Safari mobile browsers fail to show phishing warning

  • Researchers from Arizona State University and PayPal discovered that Chrome, Safari and Firefox failed to show blacklist warnings from mid-2017 to late 2018.
  • The issue was confined to mobile browsers that used the Google Safe Browsing link blacklisting technology.
  • The failure to display warnings was attributed to the transition to a new mobile-oriented API which did not function correctly.

Source

 

Audio card skimmers preferred over flash skimmers

  • Researchers at Advanced Intelligence observed that audio skimmers are growing in popularity with criminals, due to their ease of use, moderate price and high resilience.
  • Audio card skimmers record the sound produced as a card’s magnetic track is read, which lets them bypass jittering and radio-electronic defences; by the same token, however, they are vulnerable to noise jamming.
  • The growing popularity of audio skimmers coincides with a drop in market share for flash skimmers, which are cheaper but also less reliable.

Source

 

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 23 May 2019

 

Malware

Decryptor released for newly discovered GetCrypt ransomware

  • A threat analyst known as ‘nao_sec’ discovered a new ransomware called GetCrypt that is being installed via malvertising campaigns that redirect victims to the RIG exploit kit. Following its discovery, Emsisoft released a free decryptor for the ransomware.
  • Security researcher Vitali Kremez analysed the ransomware and found that, once installed, GetCrypt will check if the Windows language is set to Ukrainian, Belarusian, Russian or Kazakh. If any of these languages are detected, the ransomware will terminate.
  • GetCrypt will also ‘utilize the WNetEnumResourceW function to enumerate a list of available network shares’ in an attempt to encrypt files on these shares. If it fails to connect to a share, it will attempt to brute-force credentials for the shares and mount them using the WNetAddConnection2W function.

Source 1 Source 2

 

Alphabet’s Chronicle analyses signed malware exploited in the wild

  • Chronicle recently investigated signed malware present in Windows PE executable files. Executable files in Windows are signed using certificates issued by trusted certificate authorities (CAs), backed by a trusted parent CA, to guarantee their authenticity. Malware authors, however, have been purchasing and abusing such certificates.
  • The investigation found a total of 3,815 malware samples, of which ‘100 or more malware samples account for nearly 78% of signed samples’.
  • The only solution to a compromised certificate is for the CA to revoke it, which happens regularly according to Chronicle.

Source

 

Ongoing Campaigns

ESET researchers analyse APT28 backdoor

  • ESET researchers released new analysis of APT28’s Zebrocy Delphi backdoor, focusing on what the operators do post-compromise. The report focuses on a campaign from August 2018 in which phishing emails were used to distribute shortened URLs that delivered the first stage of Zebrocy components.
  • The researchers found that the operators run commands manually to collect information from infected systems, such as documents, pictures, or databases stored by web browsers and email clients.

Source (Includes IOCs)

 

Rise in instances of Emotet banking malware detected

  • Seqrite researchers have detected a growing number of daily intrusions by the Emotet banking malware since 2018. The malware is delivered via phishing emails and proves difficult to remove due to its polymorphic, self-updating and self-spreading capabilities.
  • Emotet attempts to access financial data by password stealing, email harvesting and spamming.
  • Additionally, Emotet also deploys other malware such as Qakbot, TrickBot and Ryuk ransomware in order to maximise disruption.

Source

 

Krebs on Security publishes report on the use of legal threats in phishing lures

  • Brian Krebs analysed a recent spam campaign that sent fake legal threats carrying malware to over 100,000 business email addresses. The scams typically state that the recipient is being sued and instruct them to review the attached file.
  • The emails, which carried malicious Microsoft Word attachments, were sent to two antivirus firms using a phishing kit traded on the dark web that lets the operator choose from five malicious Microsoft Word documents. In this instance the trojan was used to drop a previously unreported malware.
  • The scam used a spoofed law firm domain that redirects to the website for a legitimate, Connecticut based law firm, RWC LLC.

Source

 

Unit 42 publishes analysis on Shade Ransomware

  • Palo Alto Networks’ Unit 42 research shows the top countries affected by Shade Ransomware are the United States, Japan, India, Thailand and Canada. Shade Ransomware, also known as Troldesh, was first spotted in late 2014 and is distributed via malspam and exploit kits.
  • Recent reports have focused only on the ransomware’s distribution via Russian-language emails, which suggests that most of the activity can be found in Russia and former Soviet Union countries. Unit 42’s research, however, found that the majority of URLs hosting Shade Ransomware executables were reported outside Russian-speaking countries.
  • The most frequently targeted sectors are High Tech, Wholesale and Retail, and Education.

Source

 

Millions stolen from San Francisco Bay Area residents in SIM swap scams

  • NBC Bay Area reported that more than 800 US residents have fallen victim to SIM swap scams since early 2018, amounting to a loss of $50 million. The San Francisco Bay Area in particular saw a large amount of SIM swap activity, with more than 50 victims losing $35 million.
  • Joel Ortiz, arrested for his involvement in a string of cyber heists, is the first SIM swapper to be sentenced to prison time in the United States. Further cases in the San Francisco Bay Area are pending.

Source

 

US Air Force opens investigation into a malware infection

  • The US Air Force opened an investigation into an alleged cyber intrusion by a US Navy prosecutor. The investigation concerns US Air Force lawyers defending a US Navy SEAL on war crimes charges.
  • A US Navy prosecutor allegedly planted malware onto the devices of US Air Force lawyers and the editor of the Navy Times via emails containing hidden tracking software. According to Air Force Times, the US Navy prosecutor suspected information had been leaked to the Navy Times editor.

Source

 

Leaks and Breaches

Truecaller allegedly suffers data breach

  • The Economic Times reported that call identity app Truecaller has suffered a data breach which they claim exposed the personal data of users. The exposed data allegedly includes names, phone numbers and email addresses of users.
  • The Economic Times claims that user information is for sale on the dark web and that the data of Indian users is selling for €2000 and the information of global users is selling for €25,000.
  • Truecaller refutes the claim, stating that ‘We would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users financial or payment details’.

Source

 

Redtail Technology customer data exposed

  • Redtail Technology confirmed a data leak took place on March 4th, 2019. According to the company’s CEO Brian McLaughlin, less than 1% of its clients were affected.
  • Further details concerning the exact number of affected customers, the data in question and whether the data was accessed by unauthorised parties are not known.

Source

 

Travel plans of Israeli Prime Minister, government officials and security agents leaked

  • An anonymous hacker reported to Calcalist that they had gained access to the travel details of Israeli officials via a compromised database of an online platform used by Israeli travel agents. The database also contained the information of millions of Israeli citizens.
  • Information contained in the database included the details of 36 million booked flights, 15 million passengers, over 1 million hotel bookings and 700,000 visa applications.
  • The information was passed to the Israeli National Cyber Directorate and the breach has been addressed.

Source

 

Vulnerabilities

ActiveX Controls in South Korean websites affected by critical vulnerabilities

  • Risk Based Security discovered several critical flaws in South Korean ActiveX controls that are still used by several government sites due to a 20-year-old law requiring the use of Internet Explorer with ActiveX enabled. Microsoft no longer supports ActiveX in Microsoft Edge.
  • According to experts at IssueMakersLab, from 2007 to 2018 North Korea-linked attacks exploited a large number of zero-day flaws in ActiveX. Because of this, the law mandating the use of ActiveX controls was lifted; however, several websites continue to use them.
  • During analysis undertaken since January 2019, 40 flaws have been discovered across 10 of the most popular controls. These include buffer overflow flaws and unsafe exposed functionality that allows code execution on users’ systems.

Source

 

More Windows zero-day exploits released

  • On Wednesday 22nd May, a developer known as SandBoxEscaper released privilege escalation exploit code for a flaw in the Windows Error Reporting service that allows attackers to modify files to which they normally wouldn’t have access.
  • Another exploit was released for Internet Explorer 11 that allows attackers to execute JavaScript with higher system access than is normally permitted by the browser sandbox.
  • These two exploits follow another zero-day exploit for a local privilege escalation flaw in Windows Task Scheduler that SandBoxEscaper released on Tuesday, May 21st.

Source

 

Critical flaws in Khan Academy could allow account takeover attacks

  • Two critical cross-site request forgery (CSRF) flaws have been discovered in Khan Academy’s website that could be exploited to perform account takeover attacks. The flaws were the result of a lack of CSRF tokens, which are used to verify that account requests genuinely originate from the logged-in user rather than from a forged cross-site request.
  • One of the flaws could have allowed an attacker to take over accounts that were created using the Google or Facebook login option, and the other could have allowed an attacker to take over any unconfirmed account on Khan Academy.
  • The flaws were resolved by adding a CSRF token check to the password-change request.

Source
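To show what ‘adding a CSRF token check to the password-change request’ means in practice, here is an added example that is not Khan Academy’s code: a minimal password-change handler before and after the fix. The session, form and user store are plain dicts constructed here, and `hash_password` is a stand-in for whatever the real site uses; no web framework is involved.

```python
"""Password-change handler with and without a CSRF token check (constructed example)."""
import hashlib
import hmac
import secrets


def hash_password(password, salt=None):
    """PBKDF2 stand-in for the site's real password hashing."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def issue_csrf_token(session):
    """Mint a random per-session token. The server keeps it in the session and
    embeds it in the password-change form; a page on another origin cannot read it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def _csrf_token_valid(session, submitted):
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # constant-time comparison so the check does not leak token bytes via timing
    return hmac.compare_digest(expected, submitted)


def change_password_before(session, form, users):
    """Vulnerable: the only check is the session cookie, which the browser attaches
    automatically, so a POST triggered from another site is honoured."""
    user = session.get("user")
    if user is None:
        return 401, "not logged in"
    users[user]["password_hash"] = hash_password(form["new_password"])
    return 200, "password changed"


def change_password_after(session, form, users):
    """Fixed: the request must also carry the token bound to this session."""
    user = session.get("user")
    if user is None:
        return 401, "not logged in"
    if not _csrf_token_valid(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    users[user]["password_hash"] = hash_password(form["new_password"])
    issue_csrf_token(session)  # rotate so a used token cannot be replayed
    return 200, "password changed"


def forged_request_accepted(handler):
    """Simulate a cross-site POST: valid session cookie, attacker-chosen form, no token.
    Returns True if the handler changed the victim's password."""
    session = {"user": "victim"}
    users = {"victim": {"password_hash": hash_password("original")}}
    before = users["victim"]["password_hash"]
    status, _ = handler(session, {"new_password": "attacker-chosen"}, users)
    return status == 200 and users["victim"]["password_hash"] != before


if __name__ == "__main__":
    print("before fix, forged request accepted:", forged_request_accepted(change_password_before))
    print("after fix, forged request accepted:", forged_request_accepted(change_password_after))
```

The same check must be applied to every state-changing request, not only the password form; a `SameSite` cookie attribute is a useful second layer but does not replace the token.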

 

XSS flaw discovered in Slimstat WordPress plugin

  • The flaw could be exploited to allow a malicious user to inject arbitrary JavaScript code into the plugin’s access log function. An attacker could forge an analytics request, pretending that their browser has a specially crafted plugin, in order to inject arbitrary code into the plugin access log.

Source

 

General News

Authorities take down Bestmixer[.]io cryptocurrency laundering service

  • The Dutch Fiscal Information and Investigation Service, in cooperation with Europol and authorities in Luxembourg, took down Bestmixer[.]io, one of the three largest cryptocurrency mixing services.
  • The service was launched in May 2018 and allegedly achieved a turnover of at least $200 million. It offered customers services for laundering their Bitcoins, Bitcoin Cash, and Litecoins.

Source

 

US considers barring Chinese video surveillance firms from US components and software

  • According to Bloomberg, the Trump administration is considering blacklisting Chinese firms Megvii, Zhejiang Dahua Technology Co, Hangzhou Hikvision Digital Technology Co, Meiya Pico, and Iflytek Co Ltd. The blacklist will prevent them from buying American components and software for their surveillance technologies.
  • The potential ban comes as a response to the companies’ involvement in the surveillance and mass detention of Uighurs, a mostly Muslim ethnic minority.

Source

 

Financial Conduct Authority claims that £27 million was lost in the UK to crypto scams last year

  • The UK financial regulator warned that £27 million (approximately $34 million) was lost to cryptocurrency and foreign exchange investment scams that promised high returns.

Source

 

A year after GDPR took effect, 145,000 complaints have been registered

  • The complaints have led to several penalties for companies such as Google, which was fined 50 million euros by France for failing to inform users how their data was used.

Source

 

EU gains new powers to respond to cyber-attacks

  • Ministers of the EU are able, for the first time, to impose asset freezes and travel bans on individuals, firms and state bodies that are involved in cyber-attacks. Sanctions on these entities will be considered if the cyber-attack is thought to have had a significant impact.

Source  

 

G Suite users’ purchases also tracked

  • According to Bleeping Computer, a Reddit user found that when a user exports ‘Purchases & Reservations’ via Google’s Takeout service, all purchase receipts and confirmations sent to their G Suite inbox are included in the downloaded archive in JSON format. This confirms that purchase history is being collected for paid G Suite accounts even though the information isn’t displayed on the accounts’ Purchases page.
  • This report follows Bleeping Computer’s finding that purchase information is also being scraped and collected from users’ Gmail inboxes.

Source

 

Spotify resets passwords for some accounts due to ‘suspicious activity’

  • Spotify reset the passwords of a select number of accounts, informing its users of ‘detected suspicious activity.’ According to Spotify’s statement given to TechCrunch, the company experienced a credential stuffing attack. TechCrunch has raised doubts about its accuracy.

Source  

 

Edmonton Economic Development Corporation files lawsuit following phishing scam

  • The EEDC filed a lawsuit to recover $375,000 plus $225,000 in damages following a phishing scam that began on October 31st, 2018.
  • The EEDC received an email from a compromised Edmonton Regional Airport Authority account which requested payment by wire transfer on November 27th, 2018. Following the payment, the EEDC was informed that the transaction had been flagged as suspicious.
  • The EEDC filed the suit against a numbered company and its incorporator Sithira Pranavan Arutjothy.

Source

 

Deutsche Telekom records growing number of cyber attacks

  • Research by Deutsche Telekom recorded 46 million daily attacks on its honeypots by the beginning of April 2019. For the same period last year, the average daily attack figure was recorded as 12 million.
  • Additionally, research showed that 51% of attacks were aimed at compromising network security, 26% were concerned with taking control of another computer while a further 7% were aimed at compromising passwords.
  • Botnet attacks also rose from 330 billion fired data packets in April 2018, to 5.3 trillion data packets in April 2019.

Source

 

German data protection authorities impose fines totaling €449,000 over GDPR breaches

  • 75 personal data breach cases have been reported since GDPR came into effect on May 25th, 2018.
  • GDPR fines have been issued in six of the sixteen federal states. Seven cases were reported in Baden-Württemberg, where fines totalled €203,000.
  • The fines often related to GDPR violations such as inadequate organisational security, non-compliance with information duties and unauthorised marketing emails.

Source

 

UK invests £22 million in new cyber-operations center for British army

  • The facility, set to open in 2020, will aim to bridge the gap between the abilities of the security service and the military.
  • Foreign Secretary Jeremy Hunt is also due to talk today at the NATO Cyber Defence Pledge Conference. He is expected to focus on the global threat that Russia poses to critical infrastructure and government networks.
  • This follows the recent addition of ‘Cyber’ as a legitimate military domain by NATO.

Source

 


Silobreaker Daily Cyber Digest – 22 May 2019

 

Ongoing Campaigns

Hundreds of US schools remain vulnerable to WannaCry attacks

  • While investigating the ongoing Baltimore City ransomware attack, Ars Technica found that the neighbouring Baltimore County public school system had eight publicly accessible servers with configurations indicating they were vulnerable to EternalBlue – the exploit used as part of the 2017 WannaCry outbreak.
  • After conducting a Shodan search, Ars Technica found that hundreds, if not thousands, of US school districts are running potentially vulnerable systems. Those with the largest number include the Montebello Unified School District in Los Angeles County, California; the Fresno Unified School District in Fresno, California; the Washington School Information Processing Cooperative in Washington State; and the Cupertino Union School District in San Jose, California.

Source

 

W97M/Downloader served from compromised websites

  • Sucuri researchers have reported that W97M is being served on compromised websites via a custom PHP dropper. The malware uses macros containing Visual Basic script to download and execute additional malware from C2 servers.
  • The dropper is hosted on CMS such as Magento, WordPress and Joomla. W97M has been used to download TeslaCrypt, Dridex and Vawtrak.

Source (Includes IOCs)

 

16shop commercial phishing kit includes hidden backdoor

  • 16shop emerged as a sophisticated tool with multiple layers of defences and attack mechanisms that are able to visually adapt to the victim’s platform. The kit also supports 10 languages and is designed to steal sensitive information from Apple users.
  • The author of the kit also added protection against loss of revenue, such as an API-driven system where license validation occurs in real-time, and code-level defences preventing unauthorized copies. Nevertheless, the phishing kit was cracked in late 2018, with pirated versions circulating online soon after.
  • Akamai researchers analysed a cracked version of 16shop and found that the kit contains a backdoor used to steal all data obtained by other attackers. It was allegedly developed by an Indonesian individual known as ‘Riswanda’ or ‘devilscream’.

Source

 

Malware flagged by US Cyber Command involved in active attacks

  • Kaspersky Lab and ZoneAlarm researchers linked a malware sample, recently uploaded to VirusTotal by the US Cyber Command, to Russian-speaking group APT28, also known as Sofacy or Fancy Bear. The malware resembles XTunnel, which APT28 used to breach the Democratic National Committee in 2016.
  • Researchers observed the malware being leveraged in recent attacks against Central Asian nations, organisations in the Czech Republic, and diplomatic and foreign affairs organisations.

Source

 

Payment skimmer acts as a payment service provider using a rogue iframe

  • Malwarebytes Labs researchers analysed a payment skimmer acting as a payment service provider via a malicious iframe.
  • After detecting suspicious activity from a Magento site, the researchers found that the tampered version of the site included an extra form that asked victims to submit their credit card information before they were redirected to a legitimate checkout page.

Source (Includes IOCs)

 

New campaign combines phishing, steganography and PowerShell to deliver malware

  • Cybereason researchers discovered a malware campaign targeting Japan that combines phishing, steganography, PowerShell, and URLZone and Ursnif malware.
  • The campaign begins with malicious emails containing weaponized Excel files. These files contain a PowerShell script which downloads steganographic images. Further code extracted from the images downloads a stripped-down version of URLZone, which in turn downloads the Ursnif banking trojan.
  • The campaign is specifically targeting Japanese users and will check a device’s country settings and terminate if the country isn’t Japan.

Source

 

Leaks and Breaches

TalkTalk failed to inform all customers of 2015 breach

  • The company was fined for a breach from October 2015 that exposed the data of 157,000 customers, but failed to inform 4,545 of those customers that their details were part of the breach.

Source

 

Unsecured Game Golf app database exposed

  • Researcher Bob Diachenko found an exposed Elastic database belonging to Game Golf – a golfing app developed by Game Your Game Inc.
  • The database contained 218,000 users’ names, logins, hashed passwords and emails, millions of records of golf games played, login data from Facebook, GPS details from courses, and network information for the company itself. It is unknown how long the database was exposed.

Source

 

Vulnerabilities

Intel fixes numerous high-severity vulnerabilities

  • Intel has issued an advisory for 34 fixes across various products, including one for CVE-2019-0153, a critical bug in Intel’s converged security and management engine (CSME). The buffer overflow could allow privilege escalation via network access.

Source

 

New zero-day exploit developed for flaw in Windows 10 Task Scheduler

  • An exploit developer known as SandboxEscaper released a new zero-day exploit for Windows OS that achieves local privilege escalation, granting a limited user full control over files reserved for full-privilege users like SYSTEM and TrustedInstaller.
  • According to the researcher, running a command using specific executables that were copied over from Windows XP leads to a remote procedure call to a method that registers a task with the server, exposed by the Task Scheduler service. This leads to a user with limited privileges gaining SYSTEM rights.

Source

 

Cambridge University researchers develop a ‘Calibration Fingerprinting Attack’

  • A Cambridge University team developed a new fingerprinting attack, which uses data gathered from the accelerometer, gyroscope and magnetometer sensors present in smartphones.
  • The attack does not require permissions from the user, can extract calibration data within seconds and create a fingerprint that never changes, even after a factory reset. It allows the attacker to track browsing and movement between apps.
  • The vulnerability, CVE-2019-8541, affects iOS devices running iOS 12.1 or lower, as well as Google Pixel 2/3 devices. A patch for the vulnerability is available for iOS devices.

Source

 

Several vulnerabilities addressed in new Mozilla browser version

  • Alongside some privacy additions, Mozilla addressed several critical vulnerabilities with its release of Firefox 67 browser.
  • One of the most critical vulnerabilities, CVE-2019-9800, could allow an attacker to take control of an affected system, whilst another critical vulnerability, CVE-2019-9814, could allow an attacker to run arbitrary code.

Source

 

Rapid7 discovers and analyses vulnerabilities in two IoT products

  • The researchers analysed flaws in Eaton’s HALO Home Smart Lighting System and Blue Cats’ AA Beacon. All the flaws have since been patched.
  • Two flaws in AA Beacon, tracked as CVE-2019-5626 and CVE-2019-5627, are low priority information disclosure vulnerabilities in the BC Reveal Android app and iOS app, respectively.
  • Three flaws in HALO Home Smart Lighting include a low severity insecure data storage flaw on Android, tracked as CVE-2019-5625. The other two flaws are medium severity insecure direct object reference vulnerabilities which have not been assigned a CVE.

Source

 

Analysis of worm-like Windows RDP flaw released

  • Researchers at McAfee released an analysis of the recently patched CVE-2019-0708. The wormable vulnerability allows remote code execution in Windows Remote Desktop Services (RDP).

Source

 

Cisco releases firmware patch for high severity vulnerability in Secure Boot

  • The patch release fixes CVE-2019-1649 which affects the logic that handles access control to one of the Secure Boot hardware components.
  • Secure Boot is utilised by enterprises, militaries and government agencies in routers, switches and firewalls.
  • Authenticated local attackers would have the ability to write a modified firmware image, potentially rendering the device unusable.

Source

 

General News

Report finds poor cyber hygiene amongst political parties

  • SecurityScorecard analysed the risk exposure of 29 political parties in North America and Europe, and found indicators of poor security hygiene for nearly all of them.
  • The report also found that political parties in France had ‘systematically lower security ratings’ than all other political parties analysed, while the Republican National Committee had higher security scores than the Democratic National Committee in nearly all categories.

Source

 

Unhashed G Suite passwords stored for over a decade

  • Some of Google’s business customers had their G Suite passwords stored in plaintext for 14 years. The issue was caused by an error in the implementation of an outdated feature that allowed domain administrators to manually set and recover passwords for their company’s users.
  • According to Google’s statement, the passwords remained in their secure encrypted infrastructure and no indication of improper access or misuse was found.

Source

 

GDPR complaint against Google claims personal data leak of billions

  • A GDPR complaint about Real-Time Bidding (RTB) was filed with Data Protection Authorities in Spain, the Netherlands, Belgium and Luxembourg, alleging that Google and other companies have leaked the personal data of billions to the ‘Ad Tech’ industry.
  • RTB allows companies to broadcast the private data of people visiting their sites to other companies in a ‘bid request’, to solicit bids from potential advertisers.
  • Data in these bid requests includes the exact locations, inferred religions, sexual and political characteristics of individuals, as well as what users are reading, watching and listening to online, and more.

Source

 

Former Ombudsman Morales claims her phones were hacked

  • Former Filipino Ombudsman Conchita Carpio Morales claims her phones were hacked following a brief detention at Hong Kong Airport. She has previously stated that she believes she is under surveillance by China.

Source

 

DDoS attacks remain a threat despite law enforcement crackdown

  • Kaspersky Lab researchers published a study of DDoS attacks in Q1 2019. The report tracked an escalation in the efforts of law enforcement agencies to combat the attacks.
  • The US Department of Justice seized 15 internet domains in January 2019, while Europol targeted attack organizers and customers, arresting 250 users in the UK and Netherlands.
  • The full report features a breakdown of the types of attacks and the geographic distribution of attackers and victims.

Source

 

DHS says lack of proper configurations in Office 365 leaves customers vulnerable

  • The US Department of Homeland Security stated that many organizations fail to use proper configurations in Office 365 and other cloud services, posing risks and leading to vulnerabilities. The root cause for poor configurations is the use of third-party firms to migrate services and users to the cloud.

Source

 

AT&T issues false alarm over data breach

  • AT&T warned visitors to their website on May 20th, 2019, that they may have been affected by an AT&T data incident. The message urged users to ensure that their accounts had not been compromised.
  • Following customer queries, AT&T assured users that the message had been posted by mistake during routine testing.

Source

 

Singapore’s PDPC publishes guidelines on data breach notifications

  • The Personal Data Protection Commission (PDPC) of Singapore published guidelines on data breach notifications aimed at strengthening the accountability of organisations.
  • This includes the expectation that organisations should complete investigations into data breaches within 30 days and notify authorities not later than 72 hours after completion, as well as mandating breach notifications.

Source

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 21 May 2019

 

Malware

Fortinet publishes update on Satan ransomware’s new techniques

  • Fortinet has reported that in a recently discovered campaign, Satan ransomware was observed using a crypto-mining malware as an additional payload in order to maximise profits.
  • In addition, Fortinet has discovered new remote code execution exploits including CVE-2017-8046, CVE-2015-1427 and a ThinkPHP 5.X remote code execution flaw.
  • The report also includes an analysis of propagation techniques, targeted networks and exploitation.

Source (Includes IOCs)

 

Emsisoft releases free decryptor for JSWorm 2.0 ransomware

  • Emsisoft researchers released a decryptor for a new strain of ransomware dubbed JSWorm 2.0. Infections by JSWorm 2.0 have been observed since January 2019, with victims located in South Africa, Italy, France, Iran, Vietnam, Argentina, the US, and other countries.
  • JSWorm 2.0 is written in C++ and uses Blowfish encryption. According to the researchers, some of the ransomware’s strings suggest it was created by the same author as JSWorm.

Source

 

New variant of Facebook Cryptominer malware discovered

  • Maharlito Aquino and Kervin Alintanahin of Cyren Security Lab discovered the re-emergence of the 2017 Digmine campaign, in which Facebook Messenger was used to distribute CoinMiner malware.
  • The new cryptominer payload observed in the re-emerged campaign uses the files section of Facebook groups and minor changes have been made to the downloader, however, overall the tactics remain similar to those used in 2017.

Source (Includes IOCs)

 

Hawkeye keylogger malware sent from Spytector keylogger email address

  • Researchers at My Online Security discovered a version of Hawkeye keylogger that is sent from an email address registered to Spytector, an online retailer which sells keylogger and info-stealer malware. The stolen information is also sent back to the same email address.
  • The email is delivered via the Oracle cloud delivery SMTP system and contains an attachment which downloads Hawkeye malware.

Source (Includes IOCs)

 

Ongoing Campaigns

New Trickbot campaign delivers malware via redirection URL in spam

  • Trend Micro discovered a new variant of Trickbot using a redirection URL in a spam email to avoid detection by spam filters. The spam email is reasonably convincing, with content that indicates that a processed order is ready for shipping, including fake freight numbers, delivery disclaimers, seller contact details and social media icons.
  • In this instance, a Google redirection URL was used to trick victims and deflect from the hyperlink’s actual intention, which is to redirect the user from Google to a Trickbot download site. The malicious site downloads a VBS script that is the Trickbot downloader.
  • Due to its modular structure, once Trickbot is executed it can quickly deploy new capabilities based on the modules that it downloads and installs.

Source (Includes IOCs)

 

Hacker Groups

MuddyWater APT uses new anti-detection techniques

  • Researchers at Cisco Talos have assessed with moderate confidence that a newly observed campaign, dubbed BlackWater, is associated with MuddyWater APT. Samples analysed from this new campaign indicate that the group have added three steps to their operations to allow the bypassing of security systems.
  • The threat actor first adds an obfuscated Visual Basic for Applications (VBA) script which establishes persistence as a registry key. The script then triggers a PowerShell stager which is likely an attempt to appear as a red-teaming tool rather than a threat actor. Finally, communication is made with a threat actor controlled server to obtain a component of the FruityC2 open-source framework on GitHub, which ‘further enumerates the host machine’.
  • This multi-layered approach makes detection more difficult by ensuring that an ‘errors[.]txt’ file is not generated. In addition, some variable strings were replaced by the threat actors, which Cisco assesses is an attempt to avoid signature-based detection by Yara rules.

Source (Includes IOCs)

 

Leaks and Breaches

HCL exposed employee information and client details online

  • UpGuard researchers discovered publicly accessible pages belonging to technology services provider HCL that exposed information on HCL’s staff and clients.
  • The researchers were able to access an actively used HR portal displaying information on 364 new hires. The data included names, phone numbers, cleartext passwords, and more.
  • The researchers were also able to access HCL’s SmartManage portal that contained project details for over 2000 customers, including Fortune 1000 companies. This data included internal analysis reports, weekly customer reports and installation reports.

Source 1 Source 2

 

Multiple Airbnb customers victims of scam

  • A number of Airbnb users were charged for non-refundable reservations at fake destinations. According to Airbnb, these are isolated events where the victims’ accounts were accessed using correct login credentials that had been ‘compromised elsewhere.’

Source

 

Michigan health practice shut down following ransomware attack

  • Brookside ENT and Hearing Center, in Battle Creek, Michigan, was targeted in an attack that encrypted all files including patient information, patient records and appointment schedules.
  • Attackers demanded $6,500 to decrypt the files which the practice refused to pay. The practice was scheduled to close down on April 30th, 2019.

Source

 

Cancer Treatment Centers of America targeted by phishing attack

  • Cancer Treatment Centers of America (CTCA) released a notice stating that on March 11th, 2019, an employee provided account details and login credentials to a phishing email.
  • CTCA stated they could not rule out unauthorized access to the patient data that includes addresses, phone numbers, medical record numbers, government ID and more.
  • This incident follows a similar report from December 2018, in which CTCA notified 42,000 patients that their data had been compromised in a phishing attack.

Source 1 Source 2

 

Data of Instagram users exposed on unsecured database

  • Security researcher Anurag Sen found an unsecured database hosted by Amazon Web Services containing over 49 million records related to Instagram influencers, celebrities and brand accounts. The database is linked to Mumbai-based social media marketing firm Chtrbox.
  • The leaked information includes Instagram biographies, profile pictures, the number of followers, location, and more, as well as private contact information, including email addresses and phone numbers.

Source

 

Vulnerabilities

194 out of the top 1000 Docker containers lack root passwords

  • Following Cisco Talos’ discovery that the Alpine Linux distribution Docker image contains a blank root password, CVE-2019-5021, security engineer Jerry Gamblin found that 194 out of the 1000 most popular Docker images also have no root passwords. Allowing users to login as root without requiring a password is said to ‘drastically [increase] the possibility of exposing the system to a security breach’.
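The blank-root-password condition described above is visible in an image's /etc/shadow: the second, colon-separated field of the root entry is empty, so no password is required when a login path honours that field. The following Python is an added example, not Cisco Talos' or Jerry Gamblin's tooling, and works over a constructed shadow file embedded inline; the account names and hash in the sample are made up. It separates blank fields from locked (`!`, `*`) and hashed ones, which is the distinction an image audit needs.

```python
"""Audit /etc/shadow content for accounts with an empty password field.

Added example (assumed layout: the standard colon-separated shadow
format, user in field 1, password field in field 2). Not the page's
or any project's own code.
"""
from dataclasses import dataclass


@dataclass
class ShadowFinding:
    user: str
    status: str  # "blank", "locked", "hashed" or "malformed"


def classify_password_field(field: str) -> str:
    """Map the raw password field to a status.

    An empty field means "no password required"; a leading "!" or "*"
    marks a locked or no-login account; anything else is treated as a
    password hash.
    """
    if field == "":
        return "blank"
    if field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def audit_shadow(content: str) -> list[ShadowFinding]:
    """Classify every account in a shadow file's text."""
    findings: list[ShadowFinding] = []
    for line in content.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append(ShadowFinding(line, "malformed"))
            continue
        findings.append(ShadowFinding(parts[0], classify_password_field(parts[1])))
    return findings


def blank_password_accounts(content: str) -> list[str]:
    """Return the account names whose password field is empty."""
    return [f.user for f in audit_shadow(content) if f.status == "blank"]


# Constructed sample: root has an empty password field (the condition
# behind CVE-2019-5021), bin/daemon are locked, operator has a hash
# (made-up value), and a second blank-password account is included
# to show that the check is not root-specific.
SAMPLE_SHADOW = """root:::0:::::
bin:!::0:::::
daemon:!::0:::::
operator:$6$constructedsalt$constructedhashvalue0123456789:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding.user:10} {finding.status}")
    print("blank password:", blank_password_accounts(SAMPLE_SHADOW))
```

To run the same check against a real image, feed the function the output of `docker run --rm IMAGE cat /etc/shadow`; a non-empty result from `blank_password_accounts` is the finding to fix (set or lock the password in the image build).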

Source

 

Remote code execution vulnerability in Microsoft Remote Desktop Service can be exploited

  • Following Microsoft’s recent warning and release of a patch for its remote code execution (RCE) flaw, CVE-2019-0708, in Windows Remote Desktop Services, security researchers have confirmed the flaw is exploitable. The discovery of the exploit suggests that hackers will most likely create their own exploits shortly.

Source

 

General News

Removing capability SIDs from permissions could cause Windows components to break

  • Microsoft has warned that removing Windows account security identifiers (SIDs) that don’t have a ‘friendly’ name from security permissions could create problems in Windows and installed apps.
  • Microsoft introduced a new security identifier called capability SIDs to Windows 2012 and Windows 8, that enable a Windows component or UWP application to access specific resources on a PC. When the SIDs are shown in the security access list, they are not resolved to a friendly name such as TrustedInstaller or System, but rather a series of numbers and characters.
  • Removing capability SIDs could cause the app or Windows feature to lose access to a resource that it requires to be able to run.
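The unresolved entries Microsoft refers to can be recognised from the SID string itself: capability SIDs are issued under identifier authority 15 with a first sub-authority of 3 (the `S-1-15-3-…` prefix), and app container SIDs under the same authority with a first sub-authority of 2. The Python below is an added example, not Microsoft's guidance or tooling, that classifies SID strings from a constructed access list and marks the capability entries as ones to leave in place; the well-known SID table is a small subset of real values, and the sample ACL is made up. On a live system the SIDs would come from `Get-Acl` rather than the inline list.

```python
"""Classify Windows SID strings so that unresolved capability SIDs in an
ACL are not mistaken for stale or orphaned entries.

Added example; assumes SIDs in the textual S-1-<authority>-<sub>... form.
Not Microsoft's code.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Small subset of well-known SIDs (real values); everything else that
# an ACL viewer cannot resolve is classified structurally below.
WELL_KNOWN = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464":
        r"NT SERVICE\TrustedInstaller",
    "S-1-15-2-1": "ALL APPLICATION PACKAGES",
}


def classify_sid(sid: str) -> str:
    """Return one of: invalid, well-known, capability, app-container,
    domain-or-local-account, other."""
    if not SID_RE.match(sid):
        return "invalid"
    if sid in WELL_KNOWN:
        return "well-known"
    fields = sid.split("-")
    authority = int(fields[2])
    first_sub = fields[3]
    if authority == 15 and first_sub == "3":
        return "capability"          # S-1-15-3-...: app capability
    if authority == 15 and first_sub == "2":
        return "app-container"       # S-1-15-2-...: app container
    if authority == 5 and first_sub == "21":
        return "domain-or-local-account"  # S-1-5-21-<machine/domain>-<RID>
    return "other"


def review_acl(sids: list[str]) -> list[dict]:
    """Annotate each ACL principal with a class and the advice an admin
    should follow before editing the permission entry."""
    advice_for = {
        "capability": "keep: removing it can break the component that needs it",
        "app-container": "keep: belongs to a packaged app",
        "well-known": "resolves to a friendly name; review as usual",
        "domain-or-local-account": "check whether the account still exists",
        "invalid": "not a SID; inspect the source data",
        "other": "unclassified; resolve before removing",
    }
    return [
        {
            "sid": sid,
            "name": WELL_KNOWN.get(sid),
            "class": classify_sid(sid),
            "advice": advice_for[classify_sid(sid)],
        }
        for sid in sids
    ]


# Constructed sample access list: two resolvable principals, one capability
# SID (S-1-15-3-1, a real capability SID that viewers show unresolved), and
# a made-up machine-local account SID.
SAMPLE_ACL = [
    "S-1-5-18",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
    "S-1-15-3-1",
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
]

if __name__ == "__main__":
    for entry in review_acl(SAMPLE_ACL):
        print(entry["sid"], "->", entry["name"] or "(unresolved)", "|", entry["advice"])
```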

Source

 

Australian Government employee charged for using government IT systems for crypto mining

  • The Australian Federal Police arrested and charged a 33-year-old man for allegedly abusing his position as a government IT contractor to use the processing power of his agency’s computer network to mine cryptocurrency.

Source

 

Former CIA intelligence officer sentenced to 20 years for leaking secrets to China

  • 62-year-old Kevin Patrick Mallory from Leesburg was found guilty of delivering national defence information to aid a foreign government and making material false statements. Mallory was reportedly paid $25,000 for giving classified documents to Chinese intelligence officer Michael Yang.
  • The leaked documents allegedly included information about CIA informants, which Mallory scanned onto an SD card at his local FedEx.

Source

 

New research finds most hacker-for-hire services ineffective

  • A new white paper by Google researchers and a team of academics from the University of California San Diego showed that most account hacking services are scams and ineffective.
  • The studied services didn’t use automated tools and relied on social engineering. The white paper concludes that the market for email hijacking services is ‘far from mature’.

Source

 

DHS warns that Chinese drones can send data back to their manufacturers

  • Concerns were expressed by the US Department of Homeland Security (DHS) that the Chinese government also has access to any information sent back to the drone manufacturers.
  • The DHS warning does not mention a specific manufacturer but over 79% of drones operating in the US and Canada and 74% globally are manufactured by DJI, based in Shenzhen, China.
  • DJI drones have been banned from use in the US army following similar security concerns in 2017.

Source

 

Researchers analyse Wajam adware and find malware-like techniques

  • Concordia University researchers tracked Wajam adware for nearly six years and found that the adware uses multiple techniques similar to malware. These include browser process injection attacks, anti-analysis, anti-evasion and anti-detection techniques, security policy downgrading, and data leakage.
  • Based on their findings, the researchers highlight the need for the security community to not dismiss adware as a less important threat compared to others such as malware or ransomware.

Source

 

Louisville Regional Airport Authority hit by ransomware attack

  • In a statement from May 20th, 2019, Louisville Regional Airport Authority confirmed a ransomware attack affecting ‘localized Louisville Regional Airport Authority files,’ yet further details on the nature of the files affected have not been given.
  • The encrypted files have since been deleted and are being replaced with back-ups.

Source

 


Silobreaker Daily Cyber Digest – 20 May 2019

 

Ongoing Campaigns

Attacks attempting to use EternalBlue exploit continue to grow

  • According to ESET researchers, EternalBlue has only grown in popularity since it was used in the WannaCry ransomware outbreak two years ago. Its use has grown consistently since 2017, largely because of the large number of machines with exposed ports in the wild, particularly in the US, Japan and Russia.

Source

 

Over 12,000 MongoDB databases deleted by Unistellar cyber group

  • After deletion, Unistellar left a message asking the owners of the databases to contact the group to get the data restored. Typically, in these types of ‘Mongo Lock’ attacks, threat actors search for these databases using BinaryEdge or Shodan, and then delete them and demand a ransom for their return.
  • News of further database deletions follows a recent report that detailed the Unistellar group deleting a database containing 275 million records belonging to Indian citizens, after the database was reported as exposed.

Source

 

Hackers access Trump’s Golf Association account to add fake golf scores

  • Trump’s US golf association account was hacked to add four fake golf scores for games reportedly played at Trump National in New York and the Cochise Course at Desert Mountain in Scottsdale, Arizona. Trump typically scores in the 70s and 80s, while the hackers posted scores of 100 and above.

Source

 

Million dollar livestock deal interrupted by hackers

  • Two unnamed companies went to court to settle a dispute concerning the interception of a payment, between the seller and buyer, by hackers who disrupted email communications and changed the bank account details for the payment.
  • Both companies discovered the hack after 20 days, resulting in a 13% shortfall on the purchase price due to a change in exchange rates. The court proceedings resulted in the buyers having to pay the remainder of the payment.

Source

 

City College Hyderabad website hacked

  • The Government City College webpage no longer contains information about the college but instead displays a message from ‘Devil Killer’.
  • The message reads ‘Hacked by Devil Killer’ and displays text reading ‘Pak Cyber Agent’ alongside a link to the ‘Pak Cyber Agent’ Facebook page. The group’s Facebook page contains a list of other websites which they claim to have hacked.

Source (Includes IOCs)

 

Over 600 computers infected at Montpellier University hospital

  • The virus appears to be a mutated strain of the WannaCry virus. It is believed that the attack originated from a phishing message.
  • The French hospital stated there was no impact on medical records or medical secrecy as internet access was locked.

Source

 

Leaks and Breaches

Over 20,000 Linksys wireless routers leak historic records of all devices

  • The routers leaked records of every device that has ever connected to them, including the device’s unique identifiers, names and operating systems used. The leaked information also includes whether the device’s default password had been changed. A scan found that approximately 4,000 vulnerable devices were still using default passwords.
  • Researcher Troy Mursch stated that the leak was the result of a flaw in several of the Linksys routers. Linksys has stated that they have been unable to reproduce the information disclosure flaw on routers that installed a patch released in 2014. A scan for vulnerable devices last week revealed 25,617 were at risk.

Source

 

Over 400 Jersey and Guernsey based LibertyBus customers impacted in hack

  • A fake login page was created for the Jersey and Guernsey based websites from the 29th April. The phishing attack intercepted the link between the main websites and the top-up shop website for the Puffin pass and Jersey’s AvanchiCard.
  • 361 residents of Jersey and 82 residents of Guernsey had their email addresses, top up card numbers and top up password information compromised and were issued with automatic password resets. No financial details were accessed during the attack.

Source

 

Microsoft’s invoicing system leaks customers’ Azure in Open invoices

  • A Microsoft researcher alerted The Register after finding 187 emails in his inbox yesterday morning that contained an attached invoice with customers’ details, order numbers, and the Azure subscription ID associated with the invoice.
  • The invoices were connected to the Azure in Open licensing scheme in which cloud resellers and integrators purchase Azure credits which are then applied to customer accounts. Microsoft’s invoicing system sent all 187 invoices to every customer rather than to the associated customer.

Source

 

TeamViewer confirms data breach from 2016

  • TeamViewer has confirmed that it was the victim of an undisclosed cyber-attack allegedly undertaken by a group of Chinese origin using the Winnti backdoor, in autumn 2016. The attack was reportedly discovered before the threat actors were able to do any damage, and experts found no evidence of data being stolen.
  • TeamViewer decided not to publish details on the attack because they were certain that no damage had been done. A thorough investigation was undertaken at the time to remove any backdoors that could have been placed on the systems during the attack.

Source

 

Hacker forum OGUsers hit by data breach

  • Hacker forum OGUsers released a statement confirming a server breach on May 12th, 2019, ‘through a custom plugin in the forum software’. OGUsers is a known hacker forum popular for trading online account information, especially for social media accounts.
  • The data was uploaded on another hacker forum, Raidforums, stating that 112,988 users were affected. The breached data contains OGUsers’ usernames, passwords hashed with the MD5 algorithm, emails, IP addresses, source code, website data and private messages.

Source

 

Stack Overflow hack exposes private data for about 250 users

  • In a new update, Stack Overflow stated that hackers obtained private data of approximately 250 Stack Exchange users. This data may include IP addresses, names, and emails.
  • The company first disclosed the hack on May 16th. The incident involved an attacker gaining access to Stack Overflow’s development tier as well as escalating their access on the production version of the company’s website.

Source

 

New Jersey-based orthopedic surgeon informs patients of data breach

  • Ronald Snyder, owner of ActivYouth Orthopedics, informed his patients of a ransomware attack on an office computer server that took place on January 9th, 2019. The breach is believed to have affected 24,176 patients.
  • Information on the affected server includes names, dates of birth, addresses, genders, patient status, and more. In some cases, Social Security numbers may also have been exposed.

Source

 

Delaware-based cancer treatment center suffers data breach

  • Medical Oncology Hematology Consultants informed patients that their protected health information was exposed as a result of an email security breach that occurred in June 2018. The breach exposed names, dates of birth, Social Security numbers, government ID numbers, and more.

Source

 

Vulnerabilities

Slack patches flaw in Windows client used to hijack downloads from Slack users

  • Tenable researchers discovered a vulnerability in the Windows version of the Slack desktop application that could be leveraged to change the default save location of files downloaded from a Slack conversation.
  • The flaw could be exploited to steal downloaded files or to inject the downloaded files with malware in the hope of infecting the user.
  • The vulnerability is present due to a weakness in the way the ‘slack://’ protocol handler has been implemented in the Windows application. Exploitation of the flaw requires an attacker to create a crafted link and post it in a Slack channel to change the default download directory to an alternative location.

Source

 

General News

Salesforce suffers global outage following change to production environment

  • Salesforce was forced to shut down large portions of its infrastructure after a change in its production environment broke access permission settings across organizations and gave employees access to all of their company’s files.
  • The company stated the issue was the result of a ‘database script deployment that inadvertently gave users broader data access than intended.’ The script only impacted customers of Salesforce Pardot, a B2B marketing-focused CRM. Customers in Europe and North America were the most impacted.

Source

 

Company behind LeakedSource website pleads guilty

  • According to a press release from the Royal Canadian Mounted Police, Defiant Tech Inc, the company behind the LeakedSource website, pleaded guilty to charges related to the trafficking of hacked or leaked data.
  • During 2016 and 2017, the LeakedSource website listed information for over 3.1 billion accounts including usernames, real names, home addresses, phone numbers, and even plain text passwords. These were obtained either from leaks in the public domain or from hackers willing to sell them.

Source

 

Israeli NSO Group faces lawsuit following WhatsApp spyware attack

  • Following the recent WhatsApp spyware attack, which has been linked to Israeli company NSO Group, Amnesty International is backing a lawsuit filed against the company. Amnesty International believes its staff could continue to be targeted, citing previous hacking attempts in 2018 linked to NSO Group.
  • The lawsuit calls for a ban on the export of NSO’s Pegasus software, which is capable of taking control of a mobile phone and enabling access to its data and microphone for surveillance.

Source

 

Iran develops firewall against Stuxnet virus

  • The Iranian communications minister announced the development of a firewall to protect the country’s industry against Stuxnet. Stuxnet was first discovered after an attack on Iran’s Natanz nuclear site in 2010, the first known case of a virus being used to attack industrial machinery.

Source

 

Kuwaiti Embassy targeted in Sri Lankan cyber attack

  • The embassy was targeted alongside several other .com and .lk websites. The attackers defaced the websites of the impacted parties.
  • Ravindu Meegasmulla, Information Security Engineer for the Sri Lanka CERT, stated that no government websites had been compromised in the attack.
  • The attacks coincide with the tenth anniversary of the end of the war against the Liberation Tigers of Tamil Eelam.

Source

 

Gmail tracks users’ purchases

  • According to Bleeping Computer, users’ Gmail inboxes are being scanned for purchases that are then displayed in their Google account. The purchase history is allegedly difficult to remove.
  • In response to the report, Google stated that the information is not used for advertising purposes and exists to help users ‘easily view and keep track’ of their past purchases.

Source

 

Indonesian police uncover terror cell planning on using IEDs enabled via Wi-Fi

  • Multiple members of a terror cell linked to Jemaah Ansharut Daulah were arrested during an Indonesian police raid. The members were planning on carrying out remotely detonated IED attacks by using Wi-Fi technology, rather than regular mobile phone signals, which are often jammed by the police during protests.
  • Other members of the cell are still at large, which has resulted in an increase in security in the run-up to the country’s presidential election results.

Source

 

Windows update causes gov.uk websites to be unreachable via Edge and IE

  • Some gov.uk websites have become unreachable due to the gov.uk top-level domain being added to Microsoft’s HTTP Strict Transport Security (HSTS) Preload List in an update from May 14th.
  • An HSTS Preload List is a list of websites that are known to support secure connections, so that a browser never connects to them using the insecure HTTP protocol. However, despite being listed, some gov.uk sites do not support HTTPS, meaning they will be unreachable via Microsoft Edge or Internet Explorer (IE).
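Two mechanisms meet in the gov.uk case: a preload entry that covers subdomains forces every `http://` URL under that domain to be rewritten to `https://` before any connection is made, and the entry is only meant to exist for domains whose HSTS header satisfies the preload requirements (a `max-age` of at least one year, `includeSubDomains` and the `preload` token). The Python below is an added example, not Microsoft's, Chromium's or GOV.UK's code, that implements both halves over a constructed preload list; the domain `example.gov.uk` and the sample headers are made up. The transport-level requirements for preloading (a valid certificate and an HTTP-to-HTTPS redirect) are outside what a header parser can check and are not modelled.

```python
"""HSTS header parsing, preload-eligibility checks and the URL upgrade a
preloaded browser performs before connecting.

Added example; the preload list format (domain -> includeSubDomains flag)
is an assumption for illustration, not the real list's format.
"""
from urllib.parse import urlsplit, urlunsplit

MIN_PRELOAD_MAX_AGE = 31_536_000  # one year in seconds, the preload minimum


def parse_hsts(header: str) -> dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list[str]:
    """Return the reasons a header would be rejected for preloading;
    an empty list means the header-level requirements are met."""
    d = parse_hsts(header)
    problems: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def is_preloaded(host: str, preload_list: dict[str, bool]) -> bool:
    """True if host or one of its parent domains is on the list, where a
    parent entry only applies when it was preloaded with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        include_subdomains = preload_list.get(candidate)
        if include_subdomains is None:
            continue
        if i == 0 or include_subdomains:
            return True
    return False


def effective_url(url: str, preload_list: dict[str, bool]) -> str:
    """Rewrite an http:// URL to https:// when the host is preloaded; this is
    the step that makes an HTTPS-less preloaded site unreachable."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname and is_preloaded(parts.hostname, preload_list):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


# Constructed preload list: gov.uk preloaded with includeSubDomains, so every
# subdomain is upgraded regardless of what that subdomain itself serves.
SAMPLE_PRELOAD = {"gov.uk": True}

if __name__ == "__main__":
    print(effective_url("http://example.gov.uk/report", SAMPLE_PRELOAD))
    print(preload_problems("max-age=31536000; includeSubDomains; preload"))
    print(preload_problems("max-age=3600"))
```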

Source

 

Baltimore’s systems remain down as city refuses to pay ransom

  • Mayor Jack Young stated that the city will not pay ransom despite the expiration of the hackers’ 10-day deadline for making the payment in exchange for the city’s files. The FBI continues to investigate the incident.

Source

 

Researchers investigate VidMate app over suspicious behaviour

  • Researchers at Upstream discovered that VidMate displays hidden ads, subscribes users to paid services, drains battery life and drains mobile data. Moreover, VidMate also collects personal information such as users’ unique numbers associated with their phone and their IP addresses.
  • CEO of Upstream, Guy Krief, stated that users who download VidMate surrender their phone and information to a third party. Moreover, he alleged that the phone becomes part of a botnet which is used to commit ad fraud.
  • The Chinese app has over half a billion users and is used to download YouTube videos.

Source

 

Ohio-based Coventry Local Schools closed after malware attack

  • Coventry Local Schools cancelled classes on May 20th, 2019, after the district’s network and computers were infected by the Trickbot virus.

Source

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 17 May 2019

 

Malware

New email stealer used by TA505 hacking group discovered

  • Following a recent spike in attacks in the banking sector, researchers at Yoroi discovered the use of credential stealing software in attacks by the TA505 hacking group. TA505 has previously been connected to email attacks focusing on retail and banking companies.
  • The credential stealing software is delivered via the FlawedAmmyy RAT, distributed through the group’s malspam campaign. The purpose of the software is to retrieve emails and account passwords present on the infected device.
  • Attacks of this type were observed globally, suggesting the attacks are not targeted.

Source (Includes IoCs)

 

Ongoing Campaigns

FBI reports US businesses continuously attacked with Ryuk ransomware

  • The FBI reported that Ryuk ransomware was used to target more than 100 US companies since August 2018. The attacks primarily targeted logistics companies, tech companies and small municipalities.
  • Once systems are infected, Ryuk establishes a presence in the registry and looks for attack opportunities. Ryuk then deletes files relating to the intrusion, making identification of the infection vector impossible.
  • The FBI also reported that in one case the ransomware operators used unsecured or brute-forced RDP services to gain access to systems. The report discourages victims from paying into attackers’ Bitcoin wallets and instead asks those impacted to contact their local field office.

Source

 

Russian bots manipulated results of Voice Kids TV talent show

  • According to an investigation by Group-IB, over 8,000 text messages were sent from around 300 phone numbers to manipulate votes in favour of a Russian millionaire’s young daughter.

Source

 

Hacker Groups

Members of GozNym crime group charged for stealing $100 million

  • Law enforcement agencies in the US and Europe have charged 11 alleged members of the cybercrime group behind the GozNym banking trojan, for reportedly stealing $100 million from over 41,000 victims. The indictment states that the group advertised their services on underground, Russian-language forums.
  • The leader of the group is thought to be 35-year-old Alexander Konovolov, from Tbilisi, Georgia, who controlled over 41,000 victims’ computers infected with GozNym, and was also responsible for recruiting more cybercriminals to the team. In addition, Vladimir Gorin is thought to have been the developer of GozNym.
  • Others included in the indictment are Krasimir Nikolov, Eduard Malancini, Farkhad Rauf Ogly Manokhim and Konstantin Volchkov, among others, all of whom remain at large.

Source

 

Leaks and Breaches

Singapore Red Cross website hack compromised data of over 4,000 potential blood donors

  • The Singapore Red Cross’ website was illegally accessed on May 8th, 2019, giving the hackers access to the personal details of 4,297 registered potential blood donors.
  • The accessed personal information includes names, contact numbers, emails, blood types and preferred appointment slot for donation.

Source

 

Stack Overflow announces hackers accessed its production systems

  • Stack Overflow announced that an investigation revealed ‘some level of production access was gained on May 11’. It is as yet unclear whether the hackers accessed Stack Overflow’s internal network.
  • No customer or user data is thought to have been affected.

Source

 

Unsecured database exposes data belonging to 8 million US citizens

  • The data belongs to citizens who participated in online surveys, sweepstakes, and requests for free product samples. The database was discovered by Sanyam Jain, and exposed the personal information of 8 million people, including full names, addresses, email addresses, phone numbers, dates of birth, genders, and IP addresses.

Source

 

British Transport Police (BTP) website hacked

  • The initial compromise made by unknown attackers was thought to only affect the ‘newsroom section’ of the website.
  • Following a further investigation by BTP, the National Cyber Security Centre and the National Crime Agency, it was revealed that “a small number” of staff details were leaked. At present the content of the leaked details is unclear.

Source

 

Yeshwantpur-based garment company loses over $20,000 in cyber fraud

  • An Indian garment company was persuaded to transfer over ₹14 lakh ($20,090) to a Peruvian bank account following the compromise of their Indonesian-based business partner’s email account.
  • Fraudsters gained access to the email account of fabric material supplier Argo Pantes and created a fake email account to facilitate the transfer. Cybercrime police are attempting to trace the attacker by tracking the IP address and following the money transfer.

Source

 

Vulnerabilities

Two privilege escalation vulnerabilities discovered in Wacom update helper

  • CVE-2019-5012 exists in the startProcess command of the update helper service in Wacom driver version 6.3.32-3. A threat actor with local access could leverage this flaw to gain root privileges.
  • CVE-2019-5013 exists in the start/stopLaunchDProcess command of the Wacom update helper service. A threat actor with local access could exploit this flaw to load arbitrary launchd agents.

Source

 

Cisco patches numerous vulnerabilities across its products, including critical flaws in PI software

  • The critical flaws, tracked as CVE-2019-1821, CVE-2019-1822 and CVE-2019-1823, impact the web-based management interface of Cisco Prime Infrastructure (PI) software and Cisco Evolved Programmable Network Manager. They could allow a remote attacker to execute code with elevated privileges.
  • Other patched flaws include 10 high severity issues in ASR 9000 Series routers, Webex Network Recording Player for Windows, multiple versions of Small Business Series switches, FXOS, NX-OS, IOS XR Software, Video Surveillance Manager, and Nexus 9000 Series switches. Over 40 medium risk flaws were also patched in NX-OS.

Source

 

Persistent cross-site scripting vulnerability found in WordPress Live Chat Plugin

  • Researchers at Sucuri found that older versions of the WordPress Live Chat Plugin are vulnerable to stored/persistent cross-site scripting (XSS) due to an unprotected ‘admin_init hook’. XSS enables hackers to inject malicious code into websites or apps.
  • More than 60,000 users are suspected of being affected. A patch is available and the researchers have advised website administrators and users to update their plugin.

Source

 

Large number of Ethereum clients remain unpatched leaving network vulnerable to 51% attacks

  • Security researchers from SRLabs revealed that only two thirds of Ethereum nodes have been patched since a critical vulnerability was discovered earlier this year in the Parity client, one of the clients used to run the nodes.
  • The flaw is a denial-of-service vulnerability that could permit an attacker to remotely crash the nodes by sending malformed packets. According to ZDNet, when attackers crash nodes, they can overwhelm the network and gain a 51% majority in the blockchain, providing them with the ability to perform double-spend attacks and validate malicious transactions.

Source

 

General News

EDRi warns about widespread and potentially growing use of deep packet inspections by ISPs

  • In an open letter to European policymakers and regulators, the European Digital Rights (EDRi) organization, along with 45 NGOs, academics and companies from 15 countries, warned about the widespread and potentially increasing use of deep packet inspection (DPI) by internet service providers (ISPs).
  • DPI refers to the analysis of data packets’ contents and has been criticized as ‘privacy invasive’ and ‘not strictly legal within the EU’. The letter warns that the evaluation of such contents can ‘reveal sensitive information about a user, such as preferred news publications, interest in specific health conditions, sexual preferences, or religious beliefs.’

Source

 

Google Project Zero releases document listing known cases of detected zero-day exploits

  • Google Project Zero tracks zero-day exploits detected in the wild and the project’s experts have shared the collected data in a publicly accessible spreadsheet. Vulnerabilities include zero-days affecting products from major vendors, such as Adobe, Apple, and Google.

Source

 

Real estate businesses and home buyers most affected by Baltimore City Hall ransomware attack

  • City servers remain disrupted following a ransomware attack on Baltimore City Hall on May 9th, 2019. Real estate businesses and home buyers are said to be most affected due to a lack of access to databases.

Source

 

Rise in attacks using spam and phishing methods

  • Researchers at Kaspersky Lab released their Q1 2019 report on spam and phishing attacks. They recorded a rise in spam mail globally and noted that their anti-phishing systems prevented more than 111,832,308 redirects to phishing sites, a rise of 35,229,650 from the previous quarter.
  • Attackers continue to trick users into giving away details with ‘sextortion’ spam, banking related phishing emails and ‘dream job offers’. Attackers also moved beyond mailing lists and started advertising on social media platforms, enticing users to enter their details to receive heavily discounted goods.
  • Moreover, attackers focused on high-profile real-world events such as the release of new Apple products, releasing waves of emails advertising discount deals.

Source

 

Facebook partially restores its ‘View As’ security feature following data breach

  • The ‘View As’ feature was at the center of a data breach in September 2018, which impacted 29 million accounts. The attack was carried out by spammers seeking to profit through deceptive advertising.
  • Attackers were able to view the names, phone numbers and email addresses of 15 million users, and the gender, hometown, date of birth, religion, and check-ins of a further 14 million users.
  • The feature is being restored gradually and is at present not available to all users.

Source

 

Dutch intelligence services investigate Huawei for possible spying

  • The Dutch intelligence and security agency AIVD is investigating Huawei for possibly conducting espionage on behalf of the Chinese government by leaving backdoors into the customer data of major telecoms firms.
  • Huawei is believed to have hidden backdoors that provide access to customer information of Dutch networks Vodafone/Ziggo, T-Mobile/Tele2, and KPN.

Source

 

Facebook bans Archimedes Group for creating fake accounts

  • Facebook has removed 265 Facebook and Instagram accounts, Facebook Pages, Groups and Events for engaging in fake behaviour. The accounts were created by Archimedes Group, who was also responsible for breaching other Facebook policies such as misrepresentation and coordinated inauthentic behaviour.
  • The group focuses on influencing citizens in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, as well as some areas of Latin America and Southeast Asia. The fake accounts ran pages that represented them as local opinion resources, such as local news organisations, and were widely followed.

Source

 

 


Silobreaker Daily Cyber Digest – 16 May 2019

 

Malware

Morphisec researchers discover new variant of H-worm with changes in obfuscation technique

  • According to the researchers, H-worm is continuously being used in large scale spam phishing campaigns. The new H-worm variant uses a file-less VBScript that leverages DynamicWrapperX, a freeware ActiveX component that is also used by DarkComet and KilerRAT, among others.

Source

 

New Linux variant of Winnti malware discovered

  • Following reports of Winnti malware targeting a German pharmaceutical company in April 2019, Chronicle researchers analysed a variety of campaigns leveraging Winnti.
  • While reviewing a 2015 report of a Winnti attack against a Vietnamese gaming company, the researchers discovered a small number of Winnti samples designed specifically for Linux.
  • The Linux version of Winnti consists of a main backdoor and a library designed to hide the malware’s activity on an infected system. In their blog post, the researchers provide a technical analysis of the malware, its functionality and its components.

Source (Includes IOCs)

 

Ongoing Campaigns

Researchers discover tech support scams using Microsoft Azure cloud platform

  • Microsoft Azure uses a feature named App Services to mass deploy websites to the cloud. When the site is deployed, it is hosted on the Azure website’s domain using specific names.
  • Researchers have now discovered nearly 200 websites hosted on the Azure App Services platform displaying tech support scams.
  • Due to the high volume of abuse reports received by Microsoft, the links tend to stay active for 4-5 days, which gives scammers extended time to create new Azure accounts and mass deploy new websites displaying the support scams.

Source

 

Magecart skimming malware discovered on Forbes magazine subscription website

  • Researcher Troy Mursch discovered that hackers installed Magecart malware on the Forbes magazine website. The malware collects any bank details entered into the site and sends them to another server used by the hackers.
  • The payment page has been taken offline. A Forbes spokesperson stated that it does not appear that the hackers have accessed any credit card information.

Source

 

Rise in ‘cipher stunting’ as bots are used to avoid TLS detection

  • Akamai researchers observed attackers using a new technique, named ‘cipher stunting’, to avoid detection by randomizing SSL/TLS signatures.
  • Researchers noted a spike in TLS fingerprints following the rise in cipher stunting attacks. Recorded instances rose from tens of thousands of fingerprints in August 2018 to over a billion by February 2019. The rise in attacks correlates with the growing adoption of SSL/TLS by web applications as their default transport.
  • Attackers are primarily targeting businesses, airlines, banks and dating websites to gather credentials and data.

Source

 

Hacker Groups

Proofpoint publishes report on threat actor TA542

  • TA542 was first discovered in 2014 after reports emerged on activity related to the group’s signature payload, Emotet. The group has used several variations of the malware in widespread email campaigns targeting North America, Central America, South America, Europe, Asia, and Australia. The group uses Emotet to deliver banking malware such as IcedID and GootKit.
  • Proofpoint’s report includes a detailed analysis of the evolution of Emotet, and of the group’s campaigns, including delivery emails, attachments, and more.

Source

 

Leaks and Breaches

University of California San Diego failed to notify patients of data breach

  • The university allegedly failed to notify 24 HIV-positive patients that their data was accessible by employees at a partnered non-profit organization in October 2018. The affected patients were involved in the university’s ‘EmPower Women’ study.
  • The compromised data included participants’ names, audio-taped conversations, and other sensitive data.

Source

 

Turkish branch of Microsoft discloses email data breach affecting 1,820 Turkish citizens

  • According to the company, the online ID of a support centre executive was illegally obtained, and as a result, the perpetrators managed to access the email accounts of 1,820 Turkish individuals.
  • The affected data includes email address lines, folder names, and subject titles from January 1st to March 28th, 2019. Moreover, the contents of emails sent and received by a ‘very few’ users may have also been exposed.

Source

 

Data breach investigation launched at Scotland’s Highland Council

  • The council allegedly used a public waste bin to dispose of documents that contained the private and personal information of 28 children.
  • The affected information includes full names, birth dates and patient case numbers. One of the documents contains information on an adoption arrangement.

Source

 

Australians’ Medicare details continue to be illegally sold on darknet two years after data breach

  • Following the initial discovery of Australian Medicare patient details being sold on the darknet in July 2017, patients’ details continue to be available for illegal purchase.
  • The data sold could be used for potential identity theft and fraud.

Source

 

Estimated 150,000 students’ personal information exposed on misconfigured cloud storage

  • Colorado-based Total Registration, a firm contracted by multiple schools and school districts to register students’ data for AP and PSAT exams, failed to secure its Amazon bucket, leaving student and parent information exposed.
  • Information in the database included names, grade levels, gender, dates of birth, addresses, email addresses, and parent/guardian names.

Source 1 Source 2

 

Data leak exposes passport data of 360,000 Russians

  • According to privacy expert Ivan Begtin, at least eight Russian government websites were breached, exposing the passport data of 360,000 Russians, including that of deputy chairman of the State Duma Alexander Zhukov, former deputy prime minister Arkady Dvorkovich and Rosnano head Anatoly Chubais.

Source

 

Vulnerabilities

SAP’s May 2019 Patch Day addresses missing authorization checks

  • SAP released a series of eight security notes, five of which fix missing authorization check issues. The missing checks affected SAP’s Treasury and Risk Management products, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services.
  • The security notices also address one high-priority flaw, tracked as CVE-2019-0301, in SAP Identity Management REST Interface Version 2. By exploiting this flaw, under certain conditions users would have the ability to request role modification or privilege assignments.
  • A full list of the patched vulnerabilities is accessible on SAP’s website.

Source 1 Source 2

 

ACCC patches flaw in its CMS following early disclosure of mitigation decision

  • The Australian Competition and Consumer Commission (ACCC) patched a flaw in its Content Management System (CMS) after it inadvertently disclosed the decision to block the merger between Vodafone Australia and TPG. The decision was leaked on May 8th and was live for 8 minutes, despite the original intention of disclosing it the following day.
  • The information was written into the back end of the mergers register, and due to the CMS flaw, a third party was able to access the existing webpage at the moment it was updated.

Source

 

Google’s Bluetooth Titan security keys accessible by nearby hackers

  • Google warned that their Bluetooth Low Energy (BLE) version of the Titan security key can be compromised by attackers within 30 feet of the key.
  • When signing into an account, users are asked to press the BLE security key to pair the key with their device. However, this pairing process can be hijacked by another user if they connect their own device to the security key before the original user is able to complete the process.
  • For the attack to be successful the attacker would have to be aware of the target’s username and password. Successful attackers would have the ability to change their device to appear as a Bluetooth keyboard or mouse, and could potentially take actions on the compromised device.

Source

 

Budget radios can spoof plane navigation systems

  • Research conducted at Northeastern University in Boston shows that the unencrypted and unauthenticated radio signals used in instrument landing systems (ILS) can be spoofed with $600 software defined radios.
  • ILS systems are employed at practically all civilian airports in the industrialized world. Spoofed signals can be used to deviate an aircraft’s course during landing.
  • Pilot and radio operator Vaibhav Sharma commented on the research, stating that an ILS attack is realistic but its effectiveness would depend on visibility and the attacker’s proficiency with aviation navigation systems.

Source

 

General News

Trump declares national cyber emergency against foreign adversaries

  • Donald Trump has signed an executive order which bans US companies from using foreign telecoms that allegedly pose security risks. Although no particular companies have been mentioned, the order is believed to be aimed at Huawei. The US is reportedly pressuring allies to not involve Huawei in their 5G technology.
  • A White House statement reported that the order aims to ‘protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services’.

Source

 

Safeguard breaches committed relating to data handling at MI5

  • Home Secretary Sajid Javid reported to parliament that MI5 committed serious breaches of surveillance safeguards when handling information obtained under interception warrants. The Investigatory Powers Commissioner’s Office (IPCO) has deployed a team of inspectors into the intelligence agency for a week to investigate.
  • Javid notified parliament of ‘compliance risks MI5 identified and reported within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act’. The risks are thought to be related to material obtained via ‘lawful interception’.

Source

 

ARIN revokes over 757 thousand fraudulently obtained IPv4 addresses

  • The American Registry for Internet Numbers (ARIN) discovered in late 2018 that an individual had fraudulently acquired 757,760 IPv4 addresses worth between $9,850,880 and $14,397,440.
  • The accused allegedly used multiple deceptive websites and false identities to obtain the IPv4 addresses.
  • The individual and company behind the scheme were charged in federal court with twenty counts of wire fraud. Following the arbitration, ARIN revoked the fraudulently obtained IPv4 addresses.

Source

 

Israeli Eurovision webcast interrupted by hackers warning of rocket attack

  • Hackers interrupted the Israeli public broadcaster Kan’s stream of Eurovision with a two-minute video message containing a fake warning from the ‘Israel Defense Forces’ advising viewers to take shelter from an imminent rocket attack. The message concluded with ‘Israel is not safe, you will see’.
  • It is not clear who is behind the hack, but the broadcaster suspects pro-Palestinian groups to be responsible.

Source

 

Reports show increase in ransom amounts and that ransom is most often paid by recovery firms

  • Coveware reports an 89% increase in ransom amounts in Q1 2019. This increase correlates with an increase in ransomware attacks.
  • ProPublica’s report found that Proven Data and Monster Cloud, two data recovery firms promising ‘high-tech [alternative] ransomware solutions’ to paying demanded ransoms, most often pay the ransom to the hackers.

Source 1 Source 2

 

Documents on Department of Energy’s hacking incident in 2015 show difficulty in tracing attacker

  • Records released under the Freedom of Information Act show the difficulty in tracing a hacker involved in a Department of Energy phishing scam in 2015. The hacker, posing as an employee, sent emails advertising jobs with the Department of Energy’s ‘Department of Petroleum and Natural Resources’.
  • The hacker was traced back to Gambia, which is not a member of the international cybercrime agreement, meaning no requests for information could be made. The investigation has since been closed.

Source

 


Silobreaker Daily Cyber Digest – 15 May 2019

 

Malware

New variant of Trickbot banking trojan discovered

  • Discovered by researchers at the Cybersecurity and Infrastructure Security Agency (CISA), the new variant of Trickbot is capable of remote application credential theft.
  • This variant goes beyond the original capabilities of harvesting emails and credentials, and includes new capabilities in the remote desktop space, including Virtual Network Computing (VNC), PuTTY and a Remote Desktop Protocol (RDP) platform.
  • Trickbot is usually spread via malspam campaigns, embedded URLs or infected attachments.

Source

 

New malware infects macOS and Windows systems

  • Researchers at Doctor Web discovered a new malware designed to target macOS operating systems. Siggen backdoor is distributed via websites controlled by its developers, one of which is disguised as a personal website with a pretend portfolio, and the other is disguised as the official WhatsApp messenger website.
  • When one of the sites is opened, the embedded code determines the victim’s operating system and depending upon the result, will upload either the Siggen backdoor, or NetWeird trojan.
  • The Siggen backdoor allows attackers to upload malicious code from a remote server and execute it, and the Netweird trojan allows attackers to control a victim’s machine remotely, including using the targeted device’s camera and microphone.
Source

 

Plead malware distributed by misusing ASUS WebStorage

  • Researchers at ESET found that the Plead malware used in new activity detected in Taiwan was being created and executed by a legitimate process belonging to the Windows client for a cloud storage service named ASUS WebStorage. The executable is digitally signed by ASUS Cloud Corporation.
  • Plead malware is a backdoor allegedly used by BlackTech group, who are known to focus on cyber espionage in Asia. The malware is most likely spread via man-in-the-middle attacks at router level.
  • ASUS WebStorage is known to be vulnerable to such attacks, as the software does not validate the authenticity of an update before execution, allowing attackers to easily intercept an update process and replace legitimate data with malware.

Source (Includes IoCs)

 

Ongoing Campaigns

Magecart actors target CloudCMS and Picreel

  • Researchers at RiskIQ reported that the content management system CloudCMS and the analytics provider Picreel were targeted in supply chain attacks using Magecart web-skimmers placed within the scripts served by both systems.
  • RiskIQ assessed that the damage was limited because only a few hundred websites using CloudCMS hosted scripts and even fewer ran an exact version of the compromised script.
  • Moreover, the attack on Picreel failed as the attackers accidentally broke the file’s JavaScript syntax, causing the script to fail during execution.

Source

 

Hacker Groups

Connections between Chinese APTs found

  • Researchers from the BlackBerry Cylance Threat Intelligence team analyzed an Area 1 Security report on Chinese hacking activity and were able to confirm connections between several suspected Chinese state-sponsored and non-state-sponsored actors.
  • The report stated that the Chinese government’s Strategic Support Force (SSF) conducted attacks against diplomatic cables and over 100 foreign organisations. The researchers noticed that one of the domains cited in connection to these attacks, used by the attackers for C2, was also discovered in connection to a host of other disparate Chinese APT groups. In addition, evidence was also found that suggests that different Chinese APT groups were also using the same malware, and in some instances, the same exploit builder.
  • They assess that Chinese threat groups either share IoCs or are adopting the same targets and tasking of other Chinese groups, which means that blacklisting IoCs still leaves defenders vulnerable to attackers.

Source (Includes IOCs)

 

Leaks and Breaches

Paterson Public Schools suffer data breach

  • The New Jersey school district suffered a data breach that resulted in the theft of 23,103 account passwords, desktop logins, access tokens, laptop credentials, and more. According to the Paterson Times, there is no indication of financial information being stolen.
  • The stolen account usernames were stored in plain text, while passwords were encrypted with a weak encryption that is ‘relatively simple to reverse’. It is believed that the data was stolen in October 2018.

Source

 

Keyloggers injected into Best of the Web’s seals of trust

  • Security researcher Willem de Groot found that hackers compromised the script of Best of the Web’s trust seal and injected it with two different JavaScript-based keyloggers. The Best of the Web script is hosted on Amazon’s content delivery network (CDN) and is used to display a trust seal on verified websites.

Source

 

Oklahoma City Public Schools targeted by ransomware attack

  • A recent ransomware attack impacted the Oklahoma City Public Schools, compromising data stored on the school district’s computer network. Authorities suspect the attack could have been caused by a phishing email. The investigation remains ongoing.

Source

 

Vulnerabilities

Microsoft warns against high-severity RCE flaw in RDP that could lead to worm-like infection

  • Microsoft researchers released a new security advisory addressing a high-severity vulnerability, tracked as CVE-2019-0708, in Windows Remote Desktop Services (RDP) that could be exploited by malware to spread from vulnerable computer to vulnerable computer. The researchers compare the ‘wormable’ nature of the flaw to how WannaCry ransomware spread globally in 2017.
  • The vulnerability is a remote code execution (RCE) flaw that affects in-support systems Windows 7, Windows Server 2008 R2, and Windows Server 2008, and out-of-support systems Windows 2003 and Windows XP. Customers running Windows 8, Windows 10 and later, are not affected.
  • Although Microsoft researchers haven’t observed any exploitation of the flaw so far, they warn that it is ‘highly likely’ that malicious actors will develop an exploit for it and incorporate it into their malware. The researchers urge users to patch all vulnerable systems as soon as possible.

Source

 

Adobe patches over 80 flaws in its products including two RCE bugs in Acrobat Reader

  • Adobe’s Patch Tuesday addressed 84 vulnerabilities across its products, including a critical flaw, tracked as CVE-2019-7837, in Flash Player. The update also addressed two remote code execution (RCE) flaws in Acrobat Reader, reported on by Cisco Talos.
  • The two RCE flaws, CVE-2019-7831 and CVE-2019-7761, allow specific JavaScript code embedded in PDF files to cause a heap corruption when Adobe Acrobat is used to open a PDF document. Once this script has been run, remote code execution is feasible. To trigger the vulnerability victims would need to open a malicious file or web page.

Source 1 Source 2

 

Four new vulnerabilities discovered in Intel processors lead to speculative execution attacks

  • Several research teams developed three speculative-execution side-channel attacks, dubbed RIDL, Fallout and ZombieLoad, that exploit four flaws in Intel processors collectively named Microarchitectural Data Sampling (MDS) by Intel.
  • The MDS flaws are tracked as CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091, and affect Intel CPUs released since 2008. They leak data in flight through small CPU-internal buffers (store buffers, fill buffers and load ports) rather than from memory, so an attacker running unprivileged code on a vulnerable machine can extract information belonging to the operating system kernel, other processes, Software Guard eXtensions (SGX) enclaves and CPU-internal operations.
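On Linux hosts the quickest way to see whether the kernel considers itself protected is the sysfs vulnerability interface, which the MDS kernel patches extended. The following is an added example, not Intel’s or the researchers’ tooling: it reads /sys/devices/system/cpu/vulnerabilities/mds and its sibling files and turns the kernel’s status strings into a verdict and an action list. The sysfs path and the status strings are the ones documented in the kernel’s own MDS guide (Documentation/admin-guide/hw-vuln/mds.rst); the sample status lines used to exercise it are constructed.

```python
"""Summarise the Linux kernel's own MDS status from sysfs.

Added example, not code from Intel or the RIDL/Fallout/ZombieLoad authors.
The status strings follow Documentation/admin-guide/hw-vuln/mds.rst; the
sample lines used in tests are constructed.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify_mds(status: str) -> dict:
    """Turn one 'mds' status line into a verdict plus recommended actions.

    Documented forms:
      Not affected
      Vulnerable
      Vulnerable: Clear CPU buffers attempted, no microcode
      Mitigation: Clear CPU buffers
    optionally followed by '; SMT vulnerable', '; SMT mitigated',
    '; SMT disabled' or '; SMT Host state unknown'.
    """
    main, _, smt = status.strip().partition(";")
    main, smt = main.strip(), smt.strip()

    if main == "Not affected":
        verdict = "not-affected"
    elif main.startswith("Mitigation:"):
        verdict = "mitigated"
    elif main.startswith("Vulnerable"):
        verdict = "vulnerable"
    else:
        verdict = "unknown"

    smt_state = smt[4:].lower() if smt.startswith("SMT ") else None
    microcode_missing = "no microcode" in main
    # MD_CLEAR flushes the buffers at privilege transitions, but a sibling
    # hyperthread on the same core keeps sharing them, so SMT matters separately.
    cross_thread_risk = verdict != "not-affected" and smt_state in ("vulnerable", "host state unknown")

    actions = []
    if microcode_missing:
        actions.append("install CPU microcode that provides MD_CLEAR")
    elif verdict == "vulnerable":
        actions.append("update the kernel or remove mds=off from the boot line")
    if cross_thread_risk:
        actions.append("disable SMT (mds=full,nosmt) or accept cross-thread leakage")
    if verdict == "unknown":
        actions.append("unrecognised status line; inspect manually")

    return {"verdict": verdict, "smt": smt_state, "microcode_missing": microcode_missing,
            "cross_thread_risk": cross_thread_risk, "actions": actions}


def read_statuses(vuln_dir=VULN_DIR) -> dict:
    """Read every file in the sysfs vulnerabilities directory.

    An absent directory means the kernel predates the interface entirely and
    therefore cannot carry any MDS mitigation.
    """
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(vuln_dir.iterdir()) if p.is_file()}


def report(vuln_dir=VULN_DIR) -> dict:
    statuses = read_statuses(vuln_dir)
    if "mds" in statuses:
        mds = classify_mds(statuses["mds"])
    else:
        mds = {"verdict": "no-sysfs-entry",
               "actions": ["kernel does not know about MDS; update it"]}
    return {"mds": mds, "all": statuses}


if __name__ == "__main__":
    result = report()
    for name, status in result["all"].items():
        print(f"{name:24} {status}")
    print("MDS verdict:", result["mds"])
```

Note that mitigated with SMT vulnerable is the common state on patched servers: the kernel clears buffers on context switches, but workloads on sibling threads of the same core can still sample each other, which is why the kernel reports the two separately and why the decision on SMT is left to the operator.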

Source 1 Source 2 Source 3

 

RCE flaw discovered in Antenna House Rainbow PDF document converter

  • Cisco Talos reported on a remote code execution (RCE) vulnerability, tracked as CVE-2019-5030, in Antenna House’s Rainbow PDF when the software attempts to convert a PowerPoint document. The flaw has since been patched.
  • The vulnerability arises when the converter ‘incorrectly checks the bounds of a particular function, causing a vtable pointer to be overwritten.’ This permits attackers to ‘overflow the buffer and gain the ability to execute code remotely on the victim machine.’

Source

 

Apple patches 21 flaws in WebKit

  • The security updates include patches for iOS, macOS, Safari, tvOS and watchOS. The flaws include 20 memory corruption issues that could lead to arbitrary code execution during the processing of maliciously crafted web content.
  • The remaining patched flaw is an out-of-bounds vulnerability in WebKit, which could result in the exposure of process memory during the processing of maliciously crafted web content.
  • The same updates also fix flaws in non-WebKit components, including Contacts, Disk Images, Kernel, Lock screen, Mail and Mail Message.

Source

 

Check Point researchers analyse WhatsApp vulnerability

  • The recently patched WhatsApp vulnerability, tracked as CVE-2019-3568, is a buffer overflow in WhatsApp’s handling of SRTCP (Secure RTCP) traffic. By patch-diffing the newest version of WhatsApp, the researchers found that an RTCP handler function had been modified and new sanitization checks added to prevent the overflow.

Source

 

Siemens addresses vulnerabilities in LOGO! and SINAMICS products

  • The patched flaws include two high-severity vulnerabilities in SINAMICS Perfect Harmony GH180 medium-voltage drives that could be exploited by an attacker with access to the network the targeted device is connected to. The flaws require no user interaction or privileges.
  • In addition, LOGO!8 BM devices are affected by three critical flaws that an attacker with network access to TCP port 10005 could use to decrypt project data, read unencrypted passwords or reconfigure the device.
  • Several critical flaws also affect SIMATIC PCS 7 and WinCC products and could allow unauthenticated remote code execution, arbitrary code execution and denial of service.

Source

 

General News

Russians hacked two Florida counties’ election data in 2016

  • Florida Governor Ron DeSantis confirmed that Russian hackers accessed election data in two Florida counties following successful spear-phishing attacks. The Mueller report did not identify which counties’ systems were affected, but did note that the hackers sent spear-phishing emails to approximately 120 Florida election officials’ email accounts.

Source  

 

 

The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Digest – 14 May 2019

 

Malware

LockerGoga and MegaCortex ransomware share traits

  • Researcher Chet Wisniewski stated that, despite a lack of similarities in the code of MegaCortex and LockerGoga, there are similarities in their behavior and tooling.
  • Operationally, MegaCortex and LockerGoga use similar processes and batch files. Moreover, both rename files before encrypting them and have shared at least one C2 address.
  • Additionally, both families have been used in major attacks against global organizations.

Source (Includes IOCs)

 

Ongoing Campaigns

Threat actors behind Banload malware implement new techniques

  • According to SentinelOne researchers, the Brazilian cybercrime group behind the Banload trojan is implementing a new driver component, referred to as ‘FileDelete’, to remove software drivers and executables belonging to anti-malware and banking protection programs.
  • The researchers state that the goal behind the driver is to carry out fraud via credential theft and account takeover. ‘FileDelete’ removes software products from AVG, Trusteer Rapport, Avast and Bradesco software ‘scpbrad’.

Source (Includes IOCs)

 

New report details Iran-aligned Endless Mayfly disinformation campaign

  • Researchers from Citizen Lab released a new report detailing an Iran-linked network of fake personas and social media accounts used to spread disinformation primarily targeting Saudi Arabia, the US, and Israel.
  • Dubbed Endless Mayfly, the ongoing campaign involves the use of websites that impersonate legitimate media outlets to post content and inauthentic online personas used to amplify such content. The messages appeared to criticize the Saudi Arabian regime, the US and Israel, and were sent to numerous journalists, activists and legitimate media outlets, to further amplify the disinformation.
  • The researchers’ report provides a detailed overview of Endless Mayfly’s technical and non-technical tactics, preferred narratives, the observable impacts of their efforts, and evidence of a potential link to a malware campaign targeting Android and Windows devices. The report also analyses competing hypotheses on the perpetrators responsible for the activity.

Source

 

Hacker Groups

ScarCruft continues to evolve

  • Researchers at Kaspersky Lab, writing on Securelist, have continued to monitor the Korean-speaking group ScarCruft, also known as APT37, which targets organizations and companies with links to the Korean peninsula. They found that the group continues to evolve and has recently introduced a Bluetooth harvester that collects details of the Bluetooth devices visible to an infected host.
  • The group used a known public exploit in a multi-stage binary infection scheme. By exploiting CVE-2018-8120, a Win32k privilege escalation flaw, the initial dropper bypassed Windows User Account Control, allowing the next payload to execute with higher privileges. The final payload was ROKRAT, a backdoor that uses cloud services for command and control, used to steal information from affected devices.
  • The researchers suggested a possible connection between ScarCruft and DarkHotel, after having discovered a victim from Russia targeted by both groups.

Source

 

Leaks and Breaches

Pennsylvania-based police records company suffers malware attack

  • According to various media reports, Tulip Systems, based in Pleasant Hills, Pennsylvania, suffered a malware attack last week that affected police departments and boroughs that use the firm’s software for records management.
  • The affected police departments and boroughs include those in Whitehall, Munhall, West Mifflin, Pleasant Hills and South Park. All of the victims stated that they believe no data or records were compromised in the attack.

Source

 

Data breach exposes information of millions of Panamanians

  • Researcher Bob Diachenko discovered an unprotected Elasticsearch cluster containing 3,427,396 records labelled ‘patient’ and an additional 468,086 records labelled ‘test patients’, both relating to Panamanian citizens.
  • First indexed in April 2019, the cluster had been left without authentication, so anyone with an internet connection could read it. The same server also exposed Remote Desktop Protocol (RDP) to the internet, so anyone holding valid credentials could have taken control of it.
  • The records contained names, dates of birth, national ID numbers, addresses, phone numbers and more.
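The check that would have surfaced this exposure from the outside is short: an Elasticsearch node that answers its root endpoint and its index catalogue without credentials is fully readable. The following is an added example, not the researcher’s tooling or anything from the report. It uses only the documented REST endpoints GET / and GET /_cat/indices?format=json, totals the documents reachable and flags index names that suggest personal data. The base URL is an assumption, and SAMPLE_CAT_INDICES is a constructed list in the shape of real _cat output whose document counts merely echo the figures in the report.

```python
"""Check an Elasticsearch endpoint for unauthenticated access and summarise what it exposes.

Added example, not the researcher's tooling. It uses only the documented REST
endpoints GET / and GET /_cat/indices?format=json. The base URL is an assumption;
SAMPLE_CAT_INDICES is constructed to mirror the shape of real _cat output.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Index names that hint at personal data; tune for your environment (assumption)
SENSITIVE_NAME = re.compile(r"patient|customer|user|account|citizen|medical", re.IGNORECASE)


def fetch_json(url: str, timeout: float = 5.0):
    """Return (http_status, parsed_body); (None, None) on network or parse failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return exc.code, None          # 401/403 here means something sits in front of it
    except (OSError, ValueError):
        return None, None


def summarize_indices(cat_indices: list) -> dict:
    """Total the documents reachable and flag indices whose names suggest personal data."""
    names, flagged, total_docs = [], [], 0
    for entry in cat_indices:
        name = entry.get("index", "")
        if name.startswith("."):             # internal indices such as .kibana
            continue
        docs = int(entry.get("docs.count") or 0)
        names.append(name)
        total_docs += docs
        if SENSITIVE_NAME.search(name):
            flagged.append((name, docs))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return {"indices": names, "total_docs": total_docs, "flagged": flagged}


def check_cluster(base_url: str) -> dict:
    """Decide whether the cluster is open and, if so, what is reachable without credentials."""
    base = base_url.rstrip("/")
    status, root = fetch_json(base + "/")
    if status in (401, 403):
        return {"exposed": False, "reason": f"authentication required (HTTP {status})"}
    if status != 200 or not isinstance(root, dict) or "cluster_name" not in root:
        return {"exposed": False, "reason": f"no Elasticsearch banner (HTTP {status})"}
    info = {"exposed": True, "cluster": root.get("cluster_name"),
            "version": (root.get("version") or {}).get("number")}
    status, indices = fetch_json(base + "/_cat/indices?format=json")
    if status != 200 or not isinstance(indices, list):
        info["reason"] = "banner readable but index listing denied"
        return info
    info.update(summarize_indices(indices))
    return info


# Constructed sample in the shape of /_cat/indices?format=json; counts echo the report's figures
SAMPLE_CAT_INDICES = [
    {"health": "yellow", "status": "open", "index": "patient", "docs.count": "3427396", "store.size": "1.1gb"},
    {"health": "yellow", "status": "open", "index": "test-patients", "docs.count": "468086", "store.size": "140mb"},
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3", "store.size": "12kb"},
    {"health": "yellow", "status": "open", "index": "logs-2019.04", "docs.count": "12000", "store.size": "9mb"},
]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.20:9200"  # assumed
    print(json.dumps(check_cluster(target), indent=2))
```

Only point this at systems you are authorised to test. A readable banner alone already hands an attacker the cluster name and version; if the index listing is open as well, every document is retrievable. The remediation is not a firewall rule alone: bind Elasticsearch to a private interface and put authentication in front of it.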

Source

 

Twitter discloses bug that resulted in the exposure of some users’ location data

  • According to Twitter’s statement, a bug caused some users’ location data to be collected and shared with an unnamed advertising partner.
  • The bug affected users who had more than one account on Twitter for iOS and opted into using the precise location feature in one of their accounts. The flaw caused location data to also be collected for the other accounts on which the feature was not enabled. Twitter claims the data was ‘no more precise than zip code or city’.

Source

 

UNIQLO’s online stores in Japan suffer data breach affecting over 460,000 accounts

  • Japanese retail group Fast Retailing, owner of UNIQLO, confirmed a data breach that affected 461,091 customer accounts. The breach impacted the official UNIQLO Japan and GU Japan websites, on which unauthorized logins were detected between April 23rd and May 10th, 2019.
  • Data including customers’ names, addresses, contact numbers and credit card information may have been accessed.

Source

 

Boost Mobile notifies customers of data breach

  • Boost Mobile, a virtual mobile network owned by Sprint, informed its customers of a data breach that took place on March 14th, 2019. More than 500 people were affected, yet the exact number remains unclear.
  • Data accessed by hackers included customers’ phone numbers and account PINs, allowing access to private account settings. Affected customers have been issued with new temporary PINs to prevent further access.

Source

 

Further details of Fxmsp breach uncovered

  • Following reports last week of the hacker group Fxmsp selling data stolen from three US-based antivirus software vendors, Advanced Intelligence (AdvIntel), the threat intelligence firm that first reported the sale, has released further details gathered from chat forums.
  • AdvIntel’s director of security research Yelisey Boguslavskiy stated that it took Fxmsp six months to breach the companies, in an operation conducted by two teams, one in the US and the other in Taiwan. Remediation of the breaches is reportedly under way.
  • AdvIntel also collected instant messaging logs in which Fxmsp discussed its access to the data. One of the conversations included source code files for various products from antivirus companies including Symantec, McAfee and Trend Micro, though these companies have neither confirmed nor denied the breach.

Source

 

Vulnerabilities

Several flaws discovered in the Roav A1 Dashcam and Novatek NT9665X chipset

  • The Roav A1 dashcam is a dashboard camera that pairs with the Roav app on Android and iOS, allowing users to connect, toggle settings, download dashcam videos and more.
  • CVE-2018-4014 is a code execution flaw that exists in a WiFi command of the Roav A1 dashcam that could be triggered by sending a specially crafted packet to cause a stack-based overflow, resulting in code execution on the device. CVE-2018-4016 is a stack overflow code execution flaw in the URL-parsing functionality of the Roav A1 dashcam. An attacker could use a specially crafted packet to cause a stack-based buffer overflow, resulting in code execution on the affected device.
  • Flaws in the Novatek NT9665X chipset include CVE-2018-4018, an upload firmware update flaw, CVE-2018-4023, a path overflow code execution flaw, CVE-2018-4024 a denial of service vulnerability, and more. The flaws could be exploited to cause code execution, device reboot, denial of service, and more.

Source

 

Critical remote code execution flaw discovered in Kaspersky Lab products

  • CVE-2019-8285 was discovered and reported to Kaspersky Lab by a research team named ‘Imaginary’. The flaw is a heap-based buffer overflow in Kaspersky’s antivirus engine that could allow an attacker to execute arbitrary code remotely.
  • An attacker could exploit the flaw by getting the target’s security software to scan a specially crafted JavaScript file, resulting in arbitrary code execution with SYSTEM privileges.

Source

 

WhatsApp vulnerability exploited to infect phones with spyware

  • WhatsApp disclosed that unnamed attackers, using advanced spyware made by Israeli developer NSO Group, gained access to the phones of ‘a select number of users’.
  • The vulnerability, tracked as CVE-2019-3568, is a buffer overflow in the WhatsApp VoIP stack that allows remote code execution when specially crafted SRTCP packets are sent to a target phone.
  • To carry out the attack, a call is placed to the target phone and the surveillance software is installed regardless of whether the call is answered. The call then disappears from the call log, leaving no trace of compromise.

Source

 

Linux kernels vulnerable to remote code execution

  • Linux kernels prior to 5.0.8 contain a race condition in the RDS (Reliable Datagram Sockets) over TCP implementation, tracked as CVE-2019-11815, that leads to a use-after-free and can potentially be exploited remotely for code execution or denial of service.
  • Attacks can be launched with specially crafted TCP packets sent to a vulnerable host. Exposure depends on the rds_tcp module being available and loaded, which is why many hardening guides blacklist the rds modules; hosts that do not use RDS are not reachable through this path.

Source

 

Linksys routers impacted by information disclosure vulnerability

  • Researcher Troy Mursch found that around 25,000 Linksys Smart Wi-Fi routers in 146 countries leak device information to remote, unauthenticated attackers through a flaw, tracked as CVE-2014-8244, that was supposedly patched five years ago.
  • By exploiting this vulnerability an attacker can gain access to device information including present and historical MAC addresses of connected devices, device names, operating systems, metadata, and more.

Source

 

Cisco router vulnerabilities affecting Trust Anchor module

  • Researchers at Red Balloon Security revealed two vulnerabilities affecting the Cisco ASR 1001-X router that stem from its Trust Anchor module (TAm), a hardware security module present in many Cisco products; other systems that feature the TAm are believed to be affected as well.
  • The first vulnerability, CVE-2019-1649, allows an attacker who already has administrator (root) access on the device to tamper with the secure boot process the TAm is meant to enforce. The second, CVE-2019-1862, is a command injection in the web user interface of Cisco IOS XE Version 16 that lets an authenticated remote attacker execute commands as root.
  • Chained, the two flaws let an attacker obtain root through the web interface and then modify the device so that the Trust Anchor keeps reporting it as trustworthy while it runs tampered code, with no alert raised. Cisco is due to release software updates to address both vulnerabilities.

Source 1 Source 2

 

General News

Facebook files lawsuit against Rankwave data analytics firm

  • Facebook has filed a lawsuit against Rankwave for allegedly violating Facebook’s platform rules. Rankwave, which ran apps on the Facebook platform, is being investigated for its data practices in relation to advertising and marketing.
  • Rankwave reportedly misused data collected by an app that calculated users’ social media ‘influencer score’. Facebook has suspended apps and accounts associated with Rankwave.

Source

 

ConnectWise target of ransomware attack

  • The ConnectWise Manage platform in the EU was taken offline for two weeks due to a ransomware attack that occurred on May 3rd, 2019.
  • The attack came through an off-site machine used by ConnectWise for cloud performance testing outside of its network.
  • ConnectWise stated that the ransomware was encryption-based and was unable to read, remove, or alter data.

Source

 

WannaCry continues to affect “hundreds of thousands” two years on

  • First hitting individuals and organizations globally between May 12th and May 15th 2017, WannaCry ransomware continues to spread by exploiting an SMB vulnerability in older, unpatched Microsoft Windows systems.
  • Research shows the risk is most prominent in Eastern countries, with record numbers of detections documented in India and Malaysia in 2019.
  • The so-called ‘kill switch’ domain discovered by security researcher Marcus Hutchins has stopped most further attacks, but the underlying SMB vulnerability continues to be exploited for lateral movement by newer malware families such as Emotet and TrickBot.

Source

 
