Silobreaker Daily Cyber Digest – 15 February 2019


 

Malware

GandCrab exploits software flaw to infect customers of remote IT support firms

  • Hackers have exploited a two-year-old flaw, tracked as CVE-2017-18362, in the Kaseya plugin for ConnectWise Manage software to attack companies with GandCrab ransomware. ConnectWise Manage is a software package used by remote IT support firms.
  • The vulnerability is a SQL injection flaw that could allow an attacker to create new admin accounts on the main Kaseya app. Although Kaseya released a patch for the bug soon after its initial discovery in November 2017, according to ZDNet it appears that many companies failed to install the update, leaving their networks exposed.
  • In one of the attacks, a managed service provider’s network was breached and GandCrab was deployed to 80 customer workstations.

Source

 

New Emotet trojan variant uses malicious macros to avoid detection

  • A new variant of the Emotet trojan, active since mid-January, has been discovered with the ability to hide from anti-malware software by ‘embedding malicious macros used to drop the main payload inside XML files disguised as Word documents.’
  • Emotet is used by threat actors to infect targets via spam email, steal financial information and exfiltrate sensitive information, login credentials and personally identifiable information (PII).

Source
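The detection point in the Emotet item above is that the attachment is a Word 2003 XML file wearing a .doc extension, so any filter keyed on the extension alone passes it. The following is an added example, not code from the digest or from any vendor report: it sniffs the leading bytes of an attachment, compares the real container with what the extension promises, and looks for the WordML markers that indicate embedded VBA. The sample documents, the extension table and the verdict labels are constructed for this example.

```python
"""Flag Office attachments whose bytes do not match their extension.

Added example (not code from the Silobreaker digest or from any vendor
report): the Emotet variant above hides its macros in Word 2003 XML files
that carry a .doc extension. Sniffing the leading bytes and looking for the
WordML macro markers catches the mismatch. Sample documents are constructed.
"""
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsm container

# Markers that a Word 2003 XML ("WordML") document carries VBA: the
# macrosPresent attribute, and the base64 editdata.mso blob holding the project.
WORDML_MACRO_MARKERS = (b'w:macrosPresent="yes"', b'w:name="editdata.mso"')

# Container each extension is expected to use (assumption for this example:
# only the Word/Excel extensions relevant to the macro case are listed).
EXPECTED_FORMAT = {
    ".doc": "ole", ".dot": "ole", ".xls": "ole",
    ".docx": "ooxml", ".docm": "ooxml", ".xlsm": "ooxml",
}


def sniff_format(data: bytes) -> str:
    """Classify a file by its leading bytes, not by its name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    if body.startswith(b"<?xml") or body.startswith(b"<"):
        return "xml"
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Return the sniffed format, whether it matches the extension, and a verdict."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = sniff_format(data)
    expected = EXPECTED_FORMAT.get(ext)
    mismatch = expected is not None and fmt != expected
    macro_hint = fmt == "xml" and any(m in data for m in WORDML_MACRO_MARKERS)
    if mismatch and macro_hint:
        verdict = "block"      # XML with VBA markers wearing a .doc extension: the Emotet case
    elif mismatch:
        verdict = "review"     # wrong container for the extension, no macro marker seen
    else:
        verdict = "allow"
    return {"file": filename, "format": fmt, "mismatch": mismatch,
            "macro_hint": macro_hint, "verdict": verdict}


# Constructed samples: a minimal WordML document with macros, a binary .doc
# header, an OOXML .docx header stub and a macro-free XML file renamed to .doc.
SAMPLE_WORDML_MACRO = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"'
    b' w:macrosPresent="yes">\n'
    b'  <w:docOleData><w:binData w:name="editdata.mso">QWN0aXZlTWltZQ==</w:binData>'
    b'</w:docOleData>\n'
    b'</w:wordDocument>\n'
)
SAMPLE_BINARY_DOC = OLE_MAGIC + bytes(504)          # header sector only
SAMPLE_DOCX = ZIP_MAGIC + b"\x14\x00" + bytes(26)    # zip local file header stub
SAMPLE_PLAIN_XML = b'<?xml version="1.0"?><note>no macros here</note>'

SAMPLES = {
    "Invoice_2019-02.doc": SAMPLE_WORDML_MACRO,
    "contract.doc": SAMPLE_BINARY_DOC,
    "report.docx": SAMPLE_DOCX,
    "renamed.doc": SAMPLE_PLAIN_XML,
}


def scan_samples() -> dict:
    """Verdict per constructed sample, keyed by file name."""
    return {name: classify(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:22} -> {verdict}")
```

The same sniff-then-compare step belongs at the mail gateway and at the endpoint: a .doc that is really XML is not proof of malice on its own (hence the "review" verdict), but XML carrying the VBA markers under a binary-format extension has no legitimate reason to exist.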

 

Ongoing Campaigns

Fake EnergyAustralia bills used to distribute malware

  • Australian users are being targeted by fake emails disguised as electricity bills from EnergyAustralia. Once users click to view their bill, malware is downloaded onto their computer.

Source

 

Gaza Cybergang targets Middle East

  • Researchers at 360 Threat Intelligence Center detected a new campaign by the Gaza Cybergang targeting Arabic-speaking individuals.
  • Microsoft Word documents with malicious macros were found to drop and execute a backdoor packed by Enigma Virtual Box. According to the researchers, the backdoor has a built-in keyword list containing names of people or opera movies to communicate with the C&C server.
  • The researchers attributed the campaign to the Gaza Cybergang based on similarities to previous campaigns that have been linked to the hacker group.

Source (Includes IOCs)  

 

GandCrab targets US healthcare provider

  • Sophos researchers discovered recent attacks using GandCrab ransomware to target a US healthcare provider. The attacks were detected on February 3rd, 2019.
  • The perpetrators entered the organisation’s network through computers with open RDP ports that were visible via the Shodan search engine. They then demanded a ransom of $18,750 per infected machine, doubling after six days.

Source

 

Leaks and Breaches

Fresh batch of 127 million records for sale on Dream Market

  • A new batch of 127 million records stolen from eight companies has been put up for sale on the Dream Market marketplace by a seller under the pseudonym of ‘gnosticplayers’. The seller asks for $14,500 worth of Bitcoin in exchange for the entire collection.
  • This follows reports last week of the same seller(s) listing a collection of 620 million accounts stolen from another 16 breached companies, offered at approximately $20,000 in Bitcoin.  

Source

 

Online dating app Coffee Meets Bagel suffers data breach

  • Coffee Meets Bagel became aware that they had been breached on February 11th, 2019, after it was reported that their leaked credentials were being sold as part of a larger collection of leaked data on the dark web.
  • The leaked data consisted of 6 million usernames and email addresses; passwords and financial information were not exposed because the app does not store them.

Source

 

Database used for tracking Chinese Uyghur Muslim population left exposed online

  • Security researcher Victor Gevers discovered that a MongoDB database, used by the Chinese government to track the Uyghur Muslim population in the Xinjiang region, has been left exposed online.
  • The database is owned by SenseNets, a Chinese company that provides video-based crowd analysis and facial recognition technology. The database exposed user profiles including names, ID card numbers, ID card issue dates, ID card expiration dates, sexes, nationalities, home addresses, birthdates, photos and employer information.
  • The database also contained a list of GPS coordinates of locations where the individual has been seen and a list of associated ‘trackers’. According to ZDNet, the ‘trackers’ appear to be locations of public cameras from which video had been captured and was being analysed.

Source

 

Vulnerabilities

Critical flaw in OkCupid exposes users to app takeovers

  • The flaw could allow a threat actor to steal credentials, launch man-in-the-middle attacks or compromise the victim’s application. If successful, the attacker would have the capability to monitor the app’s usage, read all messages, track the victim’s geographic location, and send users malicious links with self-replicating malware.
  • The flaw exists in OkCupid’s Android application, which uses WebView. Some OkCupid URLs are defined by OkCupid as MagicLinks, which are opened and rendered inside the app’s WebView. Any link containing the string “/l/” is treated as a MagicLink, so an attacker could send app users URLs containing this string without the links appearing suspicious.

Source

 

General News

Germany makes cyber capabilities available for NATO alliance

  • Germany has announced that it will share its cyber capabilities with the NATO alliance to help protect members of the alliance against hacking and electronic warfare. The US, Britain, the Netherlands, and Estonia, have also previously announced the availability of their cyber capabilities to the alliance.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

Silobreaker Daily Cyber Digest – 14 February 2019

 

Malware

New Shlayer variant targets macOS users and disables Gatekeeper protection mechanism

  • A new variant of the Shlayer malware has been observed in the wild targeting macOS users. It escalates privileges and then disables the Gatekeeper protection mechanism so that unsigned second-stage payloads can run.
  • Intego’s research team first discovered Shlayer in February 2018, distributed via torrent websites disguised as a fake Adobe Flash Player. The new version, discovered by Carbon Black’s Threat Analysis Unit (TAU), also poses as a legitimate Adobe Flash update, but is now distributed via fake update pop-ups on hijacked domains or clones of legitimate sites.
  • With Gatekeeper disabled, the OS no longer checks whether downloaded payloads are signed with a legitimate Apple developer ID, so everything Shlayer downloads and launches runs as if it were whitelisted software.

Source 1 Source 2 (Includes IOCs)

 

Bromium analyse malware sample with interesting properties

  • A malware sample in the form of a Word document that was distributed via a phishing campaign has recently been analysed by Bromium, who have reported on several of the malware’s notable properties.
  • Bromium observed in particular that the user does not have to open the document for the malware to be triggered, and that the malware still works when the file carries a Zone.Identifier alternate data stream (ADS) with zone 3 (Internet), the mark that flags a file as coming from an untrusted location. In addition, the malware avoids having its payloads scanned by certain anti-virus APIs.
  • Bromium’s report also includes an analysis of these features and mitigation advice.

Source

 

Ongoing Campaigns

New Astaroth trojan campaign exploits Avast antivirus and security software

  • The new Astaroth trojan campaign has been observed targeting Brazil and European countries to exploit the Avast antivirus and security software to steal information and load malicious modules.
  • The malware uses ‘legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected’, as well as expanding its capabilities by using other tools and antivirus software.
  • The new strain is distributed via spam campaigns and uses the Windows BITSAdmin utility to download its payloads. In particular, the malware injects a malicious module into the Avast Software Runtime dynamic link library shipped with Avast Antivirus and uses it to gather information about the infected machine and to load extra modules.

Source

 

DNS manipulation campaign targets Venezuela amidst humanitarian crisis

  • Kaspersky Lab’s Securelist researchers discovered a fake website mimicking the official website of a humanitarian aid organisation in Venezuela. The official website, ‘Voluntarios por Venezuela’, was set up to let volunteers sign up by providing their full name, personal ID, phone number, location, and whether they possess a medical degree, a car or a smartphone.
  • Upon further investigation, the researchers found that both the legitimate and the fake website were resolved within Venezuela to the same IP address belonging to the fake domain owner, allowing the perpetrator to steal the victims’ data.

Source

 

Leaks and Breaches

Image-I-Nation Technologies suffers data breach

  • The North Carolina-based technology provider discovered unauthorised access to its database containing ‘personal information of individuals who had a consumer report through [their] system at some point in the past’. The breached data includes Social Security numbers, names, dates of birth and home addresses.
  • Image-I-Nation Technologies provides employee and background screening software used by Equifax, Experian, TransUnion and others.

Source

 

Bank of Valletta suffers cyber attack

  • The largest bank of Malta fell victim to a cyber attack in which hackers attempted to steal $14.7 million. According to Maltese Prime Minister Joseph Muscat, the perpetrators then tried to transfer funds to banks in the Czech Republic, Hong Kong, the UK and the US.
  • Authorities were able to trace the transactions and reverse them. No customer accounts or funds were affected.

Source

 

Optus customers report major breach on social media

  • Customers of Optus have complained on social media that they have fallen victim to ‘major privacy’ breaches when logging into their accounts. They stated that when they logged into their accounts, they were all logged in as ‘Vladimir’ before the screen refreshed on a loop.
  • One victim stated that she received an email claiming that her bill was $300 when it should have been $100 on her usual plan. In addition, there have also been reports since August last year, of a phishing email that claims to be from Optus, asking the recipient to click on a link to a malicious PDF document.

Source

 

Texas-based Truluck’s restaurant chain reports data breach at eight locations

  • Truluck’s Seafood, Steak & Crab House in Texas, suffered a data breach due to malware inserted into point-of-sale systems at eight of its restaurants.
  • Customers’ credit and debit card information, including expiry dates, was breached.

Source

 

Vulnerabilities

Bug patch released for flaw in Cisco Network Assurance Engine

  • The flaw, tracked as CVE-2019-1688, means that a password change made via the Cisco Network Assurance Engine (NAE) management interface is not synchronised to the CLI of the associated device, so a user can still log in to the device’s CLI with the previous password.
  • A successful exploit could allow an attacker to view potentially sensitive information, bring the server down or cause a denial-of-service condition. The flaw affects NAE version 3.0(1).

Source


Micropatch released for OpenOffice zero-day code execution flaw

  • The flaw, tracked as CVE-2018-16858, is a code execution vulnerability ‘which can be triggered via automated macro execution following a mouseover event when viewing a maliciously crafted ODT document.’ An attacker could use the flaw to mount a directory traversal attack against users of all versions of OpenOffice and of LibreOffice versions 6.0.6 and 6.1.2.1.
  • The Document Foundation has fixed the flaw in LibreOffice; the micropatch covers OpenOffice, which had not yet received an official fix.

Source

 

SAP patches 13 flaws including critical vulnerability in HANA XSA

  • As part of its February 2019 set of security fixes, SAP released patches for 13 vulnerabilities found across its product portfolio. The company also released 3 updates to previously released security notices.
  • The most severe flaw that was patched affects HANA XSA, and is a missing authentication check that could permit an attacker to gain access to high-privileged functionalities in addition to being able to read, modify, or delete sensitive information.  

Source

 

Multiple security flaws found in Lenovo Watch X

  • Checkmarx researchers discovered numerous vulnerabilities in Lenovo’s Watch X smartwatch.
  • The most concerning issues include the paired phone’s latitude and longitude being regularly sent to an unknown remote server in China, and traffic between the mobile app and the web server not being encrypted. In addition, a lack of account validation and permission checks allows password-change requests to be forced for any user, and write access to a specific GATT characteristic UUID allows spoofed-call attacks.
  • In a response to the discovery, Lenovo stated the watch ‘was designed for the China market’ and issued fixes for the bugs in January 2019.

Source

 

General News

US Department of Justice charges two hackers allegedly members of Apophis Squad

  • Timothy Dalton Vaughn and George Duke-Cohan have been charged for making false threats of violent attacks at several locations including the Los Angeles International Airport and Southern California school districts. In addition they allegedly staged attacks on the computer systems of various institutions and companies. The two defendants are reportedly members of the Apophis Squad.
  • According to security researcher Brian Krebs, Vaughn’s arrest followed the exposure of his identity in the Town of Salem user database breach first reported on in January 2019. Town of Salem is a popular online game.
  • Duke-Cohan is already serving a sentence in the UK for making hoax bomb threats against an airline carrier.

Source 1 Source 2

 

South Korea censors Internet using SNI filtering  

  • South Korea has previously blocked specific websites served over HTTP, but it has now reportedly begun using Server Name Indication (SNI) filtering to block the same sites when they are served over HTTPS.
  • Blocked HTTP sites display a warning page bearing the seals of the Korea Communications Standards Commission and the Korean National Police Agency. TLS sites blocked via SNI filtering instead produce a ‘This site can’t be reached’ browser error, since the connection is dropped rather than redirected.

Source
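SNI filtering works because the server name travels in the clear in the very first TLS message, before any key has been negotiated, so a filter that parses the ClientHello can decide to drop the connection without ever decrypting anything. The following is an added example, not code from the digest or from any measurement report: it builds a minimal ClientHello for a hostname and then parses it the way an inline filter would, pulling the server_name extension out and matching it against a blocklist. The hostnames and the blocklist are constructed.

```python
"""Show why SNI filtering works: the server name is plaintext in the ClientHello.

Added example (not from the digest or from any censorship-measurement report):
builds a minimal TLS ClientHello for a hostname, then parses it the way an
inline filter would, reading the server_name extension from the first packet
before any encryption is in place. Hostnames are constructed.
"""
import os
import struct

SNI_EXT_TYPE = 0x0000          # server_name extension, RFC 6066
HOST_NAME_TYPE = 0             # the only NameType defined


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello record carrying one SNI entry."""
    name = hostname.encode("ascii")
    sni_entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + os.urandom(32)                         # random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big")   # HandshakeType client_hello
    handshake += body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + body[pos]                          # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # hello without extensions
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype != SNI_EXT_TYPE:
                continue
            lpos = 2                                  # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                (nlen,) = struct.unpack("!H", edata[lpos + 1:lpos + 3])
                nval = edata[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == HOST_NAME_TYPE:
                    return nval.decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                   # truncated or malformed hello
    return None


def would_block(record: bytes, blocklist) -> bool:
    """Filter decision: drop the connection if the plaintext SNI is on the list."""
    sni = extract_sni(record)
    return sni is not None and sni.lower() in blocklist


if __name__ == "__main__":
    BLOCKLIST = {"blocked.example"}                   # constructed
    for host in ("allowed.example", "blocked.example"):
        hello = build_client_hello(host)
        print(host, "->", "dropped" if would_block(hello, BLOCKLIST) else "passed")
```

Note that the filter never needs the certificate or any key material; the hostname is visible to any device on the path, which is why moving from HTTP to HTTPS does not by itself defeat this kind of blocking.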

 

Former US Air Force officer charged with spying for Iran

  • Monica Witt allegedly defected to Iran in 2013 after previously working as a US counterintelligence officer. Following her recruitment, Witt worked with the Iranian Revolutionary Guards Corps to launch cyber attacks against her former Air Force colleagues, including spear phishing campaigns, malware infections and social media-based operations.
  • Alongside Witt, The US Department of Justice’s indictment also features four Iranian hackers who allegedly carried out the attacks based on the information provided by Witt. The four hackers include Behzad Mesri who was charged in November 2017 for hacking HBO and believed to be a member of Charming Kitten.

Source

 

The Silobreaker Team


Silobreaker Daily Cyber Digest – 13 February 2019

 

Malware

New Trickbot variant is capable of stealing remote application credentials

  • According to Trend Micro researchers, the new Trickbot variant is delivered via emails disguised as tax incentive notifications from Deloitte. The emails include a Microsoft Excel attachment with malicious macros that, once executed, will infect the victim’s device with Trickbot.
  • The new Trickbot version contains an updated pwgrab module that is capable of stealing VNC, PuTTY and RDP credentials.  

Source

 

Ongoing Campaigns

Experts claim APT31 not APT10 responsible for attacks against Norwegian MSP and US firms

  • Last week, researchers at Rapid7 and Recorded Future assessed with high confidence that the breach of a Norwegian managed service provider (MSP), a US law firm, and an international apparel company, was linked to threat actor APT10. However, specialists at PricewaterhouseCoopers and Microsoft are now saying that APT31 is actually responsible for these attacks.
  • According to the specialists, the C&C structure used in the attacks corresponds to that previously used by APT31 and differs from that of APT10, despite the two threat actors using the same hacking tools and focusing on supply-chain attacks.

Source  

 

Scarlet Widow Gang targets victims with romance scams

  • The Agari Cyber Intelligence Division (ACID) reported on the Nigerian Scarlet Widow Gang targeting the elderly, disabled, divorced and even farmers, with romance scams.  The gang created fake personas using stolen pictures, fake names, personalities, and back stories on social media and dating sites including Dating4Disabled[.]com, Farmers Dating Site, and DivorcedPeopleMeet[.]com.
  • Once an online relationship is established the scammers state that they are having financial difficulties and ask for assistance, usually in the form of plane tickets or accommodation.
  • In one case, a Texan man was scammed out of $50,000 over the period of a year by the online persona of ‘Laura Cahill’.

Source

 

Phishing campaign uses links with 1,000 characters

  • The phishing email states that the victim’s email has been blacklisted due to multiple login failures and asks that they confirm it by entering their credentials. The campaign pretends to be from the victim’s mail domain’s support department. The link to input credentials leads to a landing page with a login form customised for the victim’s domain.
  • Most notably the URLs in the emails are extremely long, ranging from 400 to 1,000 characters.  

Source

 

Scammers file fake trademarks to steal Instagram accounts

  • Scammers have been observed creating fake companies and trademarks to trick Instagram into giving them legitimate ownership of sought-after Instagram handles. The handles can be used by hackers as digital mementos, to brag about their acquisition, or to resell for a profit on the dark web.
  • Motherboard observed evidence of a scammer talking with someone from Facebook Advertiser Support to get control of a username belonging to another account. To do this, the scammer registered a trademark that corresponds to an existing username that they want to hijack, as well as details such as the jurisdiction, the trademark registration number, the trademark complaint form, and a link to the trademark itself.
  • There are reportedly several users on the underground forum OGUsers that deal in the theft and sale of high value Instagram accounts. Some handles sell for tens of thousands of dollars’ worth of cryptocurrency.

Source

 

Cybaze-Yoroi ZLAB reveal link between Gootkit and AZORult in latest campaign

  • Yoroi ZLAB reported on a large-scale attack in the last few days that has hit several organisations across the Italian Cyber Industry. The attacks attempted to impersonate communication from a known express courier.
  • The campaign begins with an email attachment which is a compressed archive containing a stealthy JavaScript file, which is an obfuscated dropper that downloads a further component from remote servers. During analysis, ZLAB identified a variant of AZORult in addition to the payload, identified as ‘sputnik[.]exe’, also known as GootKit.
  • ZLAB state that this campaign highlights the evolution of dropping techniques used in the initial stages of attacks.

Source (Includes IOCs)

 

Leaks and Breaches

US servers of VFEmail hacked and all data destroyed

  • VFEmail stated that ‘all externally facing systems, of differing OS’s and remote authentication, in multiple data centers are down.’ The hackers formatted every disk on all the servers and all VMs were lost in the process.
  • All of the data was destroyed on both the main and backup systems and the hackers did not leave a ransom note.

Source

 

LandMark White suffers data breach impacting Australia’s largest banks

  • The Australian property valuation firm revealed a data breach that may have affected up to 100,000 customers. LandMark White is one of the largest valuation firms used by banks and other lenders across Australia including the Commonwealth Bank of Australia, ANZ Bank, National Australian Bank, and Westpac.
  • Breached data includes property valuations and personal contact information of homeowners, residents, and property agents. Although no payment information was compromised and no evidence of misuse of the breached data was found, the investigation remains ongoing.

Source

 

Vulnerabilities

Microsoft patch Tuesday includes fixes for zero day in IE and PrivExchange bug

  • The flaw in Internet Explorer, tracked as CVE-2019-0676, affects IE version 10 or 11 running on all supported versions of Windows. The flaw allows attackers to test whether files are stored on disks held on vulnerable PCs. To exploit the flaw, an attacker must lure a target to a malicious site. Active exploits for this vulnerability have been detected.
  • PrivExchange, tracked as CVE-2019-0686, is an Exchange Server flaw that allows remote attackers with an unprivileged mailbox account to gain administrative control over the server. The flaw was publicly disclosed in January 2019 along with proof-of-concept code.
  • A fix was also included for a critical DHCP vulnerability, tracked as CVE-2019-0626, that could allow an attacker to send a specially crafted packet to a DHCP server, which would allow remote code execution to be performed on the affected server.

Source

 

Design flaw in Xiaomi electric scooter permits remote control

  • Zimperium researchers found that they were able to hack into Xiaomi M365 scooters by exploiting a serious design flaw.
  • The flaw is a result of insecure Bluetooth communication between the scooter and its corresponding app. Hackers located up to 100 meters away from the scooter would be able to launch an attack against it.  
  • They released a proof-of-concept that demonstrates how the flaw can lead to denial-of-service, permits installing malicious firmware onto the scooters, and allows remote attackers to cause the scooter to suddenly brake or accelerate. In a response to Zimperium’s report, Xiaomi stated that they are aware of the flaw, however it remains unpatched.

Source

 

Adobe patch 43 critical flaws in Acrobat and Reader

  • CVE-2019-7089 is a zero-day flaw in Adobe Reader that was temporarily patched by 0patch on Monday and has now received a permanent fix. The flaw allowed threat actors to steal victims’ NTLM hashes. In addition, two other critical flaws, tracked as CVE-2018-19725 and CVE-2019-7041, could allow a security bypass via privilege escalation.
  • In addition to a critical integer overflow flaw, tracked as CVE-2019-7030, which could allow information disclosure, the remaining critical flaws patched in the update all enable arbitrary code execution. These include out of bounds write flaws, type confusion flaws, use-after free flaws and buffer errors.

Source 1 Source 2

 

Dirty Sock vulnerability permits root access on Linux systems

  • The local privilege escalation flaw, tracked as CVE-2019-7304, was discovered by researcher Chris Moberly and primarily impacts Ubuntu as well as other Linux distros.
  • The bug does not permit attackers to break into vulnerable machines remotely, but once attackers gain a foothold on any unpatched system, they can gain control over the entire OS.
  • The vulnerability is not in the Ubuntu operating system itself but in the snapd daemon included by default in all recent Ubuntu versions and other Linux distributions. Snapd exposes a local REST API over a UNIX socket and uses the connecting process’s user ID to decide which API functions it may call; the flaw lets an unprivileged local user be treated as root and reach the functions restricted to the root user.
  • Canonical, the company behind the Ubuntu OS, released a patch addressing this flaw on February 11th, 2019.

Source

 

Siemens release patches for flaws in industrial control and utility products

  • In its newly released 16 security advisories, Siemens includes a warning for a critical flaw, tracked as CVE-2018-3991, in the WibuKey digital rights management solution that affects the SICAM 230 process control system. The vulnerability allows attackers to cause a heap overflow, potentially leading to remote code execution.
  • Another flaw that was addressed is tracked as CVE-2018-3990 and permits a specially-crafted I/O request packet to cause buffer overflow, resulting in kernel memory corruption or privilege escalation.
  • The remaining advisories address three denial-of-service bugs, CVE-2018-11451, CVE-2018-16563 and CVE-2018-11452, and several other less severe flaws in Siemens’ industrial products.

Source

 

General News

Researchers release new report on GreyEnergy

  • Nozomi Networks researchers published a detailed report on GreyEnergy, particularly focusing on the deep analysis of the APT’s packer.
  • After reverse-engineering GreyEnergy’s malware, the researchers found that it contains a ‘massive amount of junk code’ intended to confuse reverse engineers. Their report also details the infection vector, stages of the malware, how it disguises itself, its functionality, and also cites two new tools for further GreyEnergy analysis.

Source

 

The Silobreaker Team


Silobreaker Daily Cyber Digest – 12 February 2019

 

Ongoing Campaigns

EXE files used to infect Mac devices with malware

  • Trend Micro researchers observed a new method of infecting macOS devices with malware that relies on running executable files that normally only run on Windows. They were led to their discovery after analysing a trojanised installer for Little Snitch, a legitimate macOS firewall application.
  • The researchers suspect that malicious actors are leveraging this technique to bypass built-in protection measures, such as Gatekeeper, as these only inspect native macOS files and not EXE files. Once installed, the malware collected system information related to the device model, processor, memory, serial number, or firmware version. It also scanned all basic and installed apps and sent the collected data to its C&C server.
  • Trend Micro detected the highest number of infections from the UK, Australia, Armenia, Luxembourg, South Africa and the US.

Source (Includes IOCs)  

 

Malicious code prevents updates on QNAP NAS devices

  • Users of QNAP NAS devices have reported a string of malware attacks that disable the devices’ software updates by hijacking entries in the device’s hosts file. According to the users’ forum discussions, the malicious code adds around 700 entries to the hosts file, redirecting requests for those hostnames to the IP address 0.0.0.0.

Source
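A hosts file with hundreds of names pinned to 0.0.0.0 is easy to spot once you look for it. The following is an added example, not code from the digest or from QNAP: it parses hosts-file text, counts entries that null-route names (0.0.0.0, or loopback for anything other than the localhost aliases), and reports any that match keywords an update or security service would use. The sample file, the keyword list and the count threshold are constructed for this example.

```python
"""Audit a hosts file for mass null-routing of the kind reported on QNAP devices.

Added example (not code from the digest or from QNAP): parses hosts-file text,
counts entries that resolve names to 0.0.0.0 (or to loopback for non-localhost
names) and reports any that match keywords an update or security service would
use. The sample file, the keyword list and the threshold are constructed.
"""
import ipaddress

LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
NULL_ROUTE_IPS = {"0.0.0.0", "::"}
LOOPBACK_IPS = {"127.0.0.1", "::1"}
WATCH_KEYWORDS = ("update", "firmware", "antivirus", "qnap")   # assumption for this example
SUSPICIOUS_THRESHOLD = 50                                       # assumption for this example


def parse_hosts(text: str):
    """Yield (line_number, ip, [names]) for each valid mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not a mapping line
        yield lineno, str(ip), [n.lower() for n in parts[1:]]


def audit_hosts(text: str, keywords=WATCH_KEYWORDS, threshold=SUSPICIOUS_THRESHOLD) -> dict:
    """Summarise null-routed names and flag files that look tampered with."""
    null_routed = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip in NULL_ROUTE_IPS or (ip in LOOPBACK_IPS and name not in LOCALHOST_NAMES):
                null_routed.append((lineno, ip, name))
    watch_hits = sorted({name for _, _, name in null_routed
                         if any(k in name for k in keywords)})
    return {
        "null_routed": len(null_routed),
        "watch_hits": watch_hits,
        # Either a large count of sinkholed names or any hit on an update/security
        # hostname is enough to escalate; a normal hosts file has a handful of lines.
        "tampered": len(null_routed) >= threshold or bool(watch_hits),
    }


# Constructed sample mimicking the reported behaviour: a few legitimate lines
# followed by hundreds of injected 0.0.0.0 entries.
CLEAN_HOSTS = """127.0.0.1 localhost
::1 localhost ip6-localhost
192.0.2.10 nas.lan  # constructed LAN entry
"""
INJECTED_HOSTS = (
    CLEAN_HOSTS
    + "0.0.0.0 update.qnap.example\n"
    + "0.0.0.0 firmware.vendor.example\n"
    + "".join(f"0.0.0.0 blocked{i}.example\n" for i in range(700))
)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /etc/hosts on the NAS
    text = open(path, encoding="utf-8", errors="replace").read() if path else INJECTED_HOSTS
    print(audit_hosts(text))
```

Run it against the device's own hosts file (via SSH, or on a copy pulled from the NAS) rather than trusting the admin UI, since a compromised device can misreport its own update status; and treat a non-empty `watch_hits` list as the actionable signal, since legitimate ad-blocking hosts lists also null-route many names but never the vendor's update servers.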

 

Leaks and Breaches

Dunkin’ Donuts suffers another credential stuffing attack

  • The company announced that its customer accounts have been compromised in a second credential stuffing attack in the last three months. The attack took place on January 10th, 2019.
  • Similarly to the first attack from November 2018, hackers used stolen credentials to access DD Perks rewards accounts. These compromised accounts were then sold on dark web forums.

Source

 

600 million accounts stolen from 16 websites sold on the dark web

  • The Register reported that 617 million online account details that were stolen from 16 hacked websites are now being sold on the Dream Market dark web forum.
  • Databases belonging to Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, DataCamp, Armor Games, Bookmate, Whitepages, and many more, are being advertised for less than $20,000 in Bitcoin.
  • According to The Register, the account records mainly consist of account holder names, email addresses, and passwords. In some cases, other information including location, personal details, and social media authentication tokens, is also being offered.

Source

 

Vulnerabilities

Privacy protection bypass flaw in macOS allows access to restricted data

  • The flaw could allow attackers to access data stored in restricted folders, such as web browsing history, on all macOS Mojave versions up to 10.14.3.
  • The flaw is not exploitable using malicious sandboxed applications, but only with non-sandboxed or notarised ones.

Source

 

Container breakout security flaw discovered in runc container

  • The security flaw, tracked as CVE-2019-5736, is in the runc container runtime and allows a malicious container, with minimal user interaction, to overwrite the host runc binary and gain root-level code execution on the host machine. Affected AWS services include Amazon Linux, Amazon Elastic Container Service, Amazon EKS, Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud9, SageMaker, RoboMaker and the Deep Learning AMI.
  • runc is an open source command line utility created to spawn and run containers, and is the default runtime for containers under Docker, containerd, Podman and CRI-O.
  • The flaw is blocked on systems where user namespaces are used correctly; however, it does impact machines where ‘the host root is mapped into the container’s user namespace’, and neither the default AppArmor policy nor Fedora’s default SELinux policy blocks the vulnerability from triggering.

Source 1 Source 2

 

Adobe Reader issues micropatch for zero-day to stop malicious PDFs connecting to attackers

  • The zero-day flaw in Adobe Reader allowed maliciously crafted PDF documents to call home and send over the victim’s NTLM hash in the form of an SMB request to remote attackers. The flaw can be triggered by a malicious PDF which includes a component designed to start the automatic loading of a remote XML style sheet via SMB.
  • The micropatch is delivered via the 0patch platform.

Source

 

Researchers discover new cryptographic attack that breaks encrypted TLS traffic

  • The attack is a variation of the original Bleichenbacher padding-oracle attack and, according to the researchers, even works against the latest version of the protocol, TLS 1.3. They broke RSA PKCS#1 v1.5 key exchange, which is still the most common RSA configuration used to encrypt TLS connections, by using side-channel (cache-timing) oracles in the padding check.
  • The attack also works against Google’s QUIC protocol, and vulnerable implementations include OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL and GnuTLS.
  • The flaws that enable the new Bleichenbacher attack are tracked as CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869 and CVE-2018-16870.
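Added example, not the researchers’ code: a toy PKCS#1 v1.5 decryption in Python that shows what a Bleichenbacher attack needs and what the protocol-level countermeasure looks like. `decrypt_vulnerable` raises on non-conforming padding, which is the oracle; `decrypt_hardened` applies the RFC 5246 rule of substituting a random 48-byte premaster secret on any failure so the handshake fails later, identically, whatever the cause. The 512-bit key, the Miller-Rabin prime generator and the `visible_rejections` probe are demo scaffolding of my own and not secure parameters.

```python
import os
import random
from typing import Optional, Tuple

PMS_LEN = 48  # a TLS RSA-encrypted premaster secret is always 48 bytes


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demo key (not a production key generator)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits: int = 512, e: int = 65537) -> Tuple[int, int, int]:
    """Toy RSA key (n, e, d); 512 bits keeps the demo fast and is NOT a secure size."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is exactly gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 block: 00 02 <at least 8 non-zero random bytes> 00 <msg>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(n: int, e: int, msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg, byte_len(n)), "big"), e, n)


def unpad_strict(em: bytes, expected_len: int) -> Optional[bytes]:
    """The payload if em is a conforming block carrying exactly expected_len bytes, else None."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10 or len(em) - sep - 1 != expected_len:
        return None
    return em[sep + 1:]


def decrypt_vulnerable(n: int, d: int, c: int) -> bytes:
    """The oracle: a visibly different failure (exception, alert, timing) on non-conforming padding."""
    em = pow(c, d, n).to_bytes(byte_len(n), "big")
    pms = unpad_strict(em, PMS_LEN)
    if pms is None:
        raise ValueError("bad padding")
    return pms


def decrypt_hardened(n: int, d: int, c: int) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: draw a random secret first, fall back to it on any padding
    failure, so every ciphertext yields 48 bytes and the handshake fails later in the same way."""
    fallback = os.urandom(PMS_LEN)
    em = pow(c, d, n).to_bytes(byte_len(n), "big")
    pms = unpad_strict(em, PMS_LEN)
    return fallback if pms is None else pms


def visible_rejections(decrypt, n: int, e: int, d: int, c: int, trials: int = 32) -> int:
    """Bleichenbacher's probe: submit blinded ciphertexts c*s^e mod n and count visible rejections.
    Against the vulnerable decrypt the answer per s is the leak; against the hardened one it is zero."""
    rejected = 0
    for _ in range(trials):
        s = random.randrange(2, n - 1)
        try:
            decrypt(n, d, (c * pow(s, e, n)) % n)
        except ValueError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    n, e, d = gen_rsa()
    c = rsa_encrypt(n, e, os.urandom(PMS_LEN))
    print("vulnerable server rejects", visible_rejections(decrypt_vulnerable, n, e, d, c), "of 32 probes")
    print("hardened server rejects", visible_rejections(decrypt_hardened, n, e, d, c), "of 32 probes")
```

The point of the new research is that the fallback alone is not enough: `unpad_strict` above branches on secret data, and in a real library the cache and timing footprint of that branch is the oracle even when every failure returns a random secret. Production code needs a constant-time unpad, and a certificate whose RSA key is also used for TLS 1.2 RSA key exchange stays exposed even when the client speaks TLS 1.3.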

Source

 

Vulnerable WordPress plugin permits taking over entire sites

  • Security researcher Luka Šikić discovered an improper application design flaw, ‘chained with lack of permission check’, in the Simple Social Buttons WordPress plugin, which adds social media sharing buttons to a site.
  • According to Šikić, the flaw lets any authenticated user modify the WordPress site’s main settings, which is enough to take over the site, for example by installing a backdoor or taking over admin accounts.
  • Simple Social Buttons version 2.0.22 was released on February 8th and addresses the flaw.
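To show the class of bug described, an illustrative WordPress AJAX handler that writes options with no capability check, beside the hardened form. This is PHP written for this digest, not the plugin’s real source; the hook, option and nonce names are invented.

```php
<?php
// Vulnerable pattern (illustrative): wp_ajax_* hooks fire for ANY logged-in user, including subscribers,
// so with no capability check a low-privilege account can POST to admin-ajax.php?action=ssb_save_settings
// and overwrite arbitrary options (users_can_register, default_role, siteurl, active_plugins, ...).
// add_action( 'wp_ajax_ssb_save_settings', 'ssb_save_settings_vulnerable' );   // left unregistered on purpose
function ssb_save_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ), true );
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value );   // attacker chooses both key and value
    }
    wp_send_json_success();
}

// Hardened version: capability check, CSRF nonce, an allow-list of the plugin's own option names,
// and sanitisation of the values before they reach the database.
add_action( 'wp_ajax_ssb_save_settings', 'ssb_save_settings_hardened' );
function ssb_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ssb_settings_nonce', 'nonce' );   // dies with 403 on a bad or missing nonce

    $allowed  = array( 'ssb_networks', 'ssb_position', 'ssb_style' );   // assumed option names
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    foreach ( $settings as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( (string) $value ) );
        }
    }
    wp_send_json_success();
}
```

When auditing a plugin, grep for `add_action( 'wp_ajax_` and confirm each handler performs both a `current_user_can()` check and a nonce check before any `update_option()` or database write; a `wp_ajax_nopriv_` registration of the same handler makes the flaw reachable without any account at all.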

Source

 

General News

New offensive USB cable allows attackers to execute commands via Wi-Fi

  • When the malicious USB is plugged into Linux, Mac or Windows, it is detected by the operating system as a human interface device (HID). These devices are considered to be input devices by an operating system, allowing commands to be sent as if they are typed on a keyboard.
  • Security researcher Mike Grover created the cable, which has a Wi-Fi PCB integrated into the connector so that an attacker can connect to it remotely to type commands on the computer or move the mouse cursor. Commands can be injected even while the device is locked, and the cable can be configured to simulate user interaction so that the session does not lock due to inactivity.
  • The cable’s Wi-Fi radio could also be used for Wi-Fi deauthentication attacks from a location the attacker cannot physically reach but the victim’s plugged-in cable can, for example to create a diversion while another remote attack goes unnoticed.

Source

 

Researchers use Intel Software Guard Extensions (SGX) for attacks

  • SGX provides processor instructions for the creation of secure enclaves – a space in which code can run without oversight or access from other software.
  • Graz University researchers discovered that SGX can be harnessed using return-oriented programming (ROP) to host and execute malicious code that remains untraceable by other processes.
  • In response to the paper, published today, Intel have noted that while SGX provides a protected enclave it does not guarantee that code within the enclave is trusted.

Source

 

Criminals could reuse ATM malware on infected POS devices to circumvent chip & PIN protections

  • The 2019 Booz Allen Hamilton Cyber Threat Predictions Report states that cyber criminals could begin reusing ATM EMV malware to attack retail environments by infecting POS systems, potentially via USB drives, and introducing an altered EMV chip to the POS terminal.
  • The attack is connected to Skimmer and Ripper malware, which use malicious EMV chips to authenticate and grant access to hidden menus within ATMs that have already been infected with the malware.
  • The report states that it is possible that criminals will exploit NFC applications in the same way that they will abuse EMV technology, due to the increased use of mobile phones to authorise transactions.

Source 1 Source 2

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

Silobreaker Daily Cyber Digest – 11 February 2019

 

Malware

Adware disguised as game, TV and remote control apps infects 9 million Google Play users

  • Trend Micro researchers recently discovered an adware family, tracked by Trend Micro as AndroidOS_HidenAd, disguised as 85 game, TV, and remote control simulator apps on the Google Play store. The apps have been downloaded 9 million times globally and have since been taken down from the Play store.
  • The adware is capable of frequently displaying full-screen ads, hiding its icon from the user, monitoring the device’s screen-unlock events, and running in the background.

Source (Includes IOCs)

 

Linux coin miner copies scripts from KORKERDS and Xbash, removes competing malware

  • While conducting a routine log check, Trend Micro researchers found a script that is capable of deleting a variety of Linux malware, coin miners, and connections to other miner services and ports. The script was found to resemble Xbash and KORKERDS.
  • Upon further inspection, the researchers discovered that the script deletes the components and mining process of KORKERDS and instead installs a modified version of the XMR-Stak cryptocurrency miner. Moreover, it installs itself on the system and adds crontab entries to survive reboots and removal attempts.

Source (Includes IOCs)

 

Clipper malware found on Google Play store

  • According to ESET researcher Lukas Stefanko, clipper malware exploits the fact that users tend to copy and paste cryptocurrency wallet addresses via the clipboard. The malware intercepts the clipboard contents and replaces a copied wallet address with the attacker’s own.
  • In this case, Stefanko discovered a clipper impersonating the legitimate MetaMask service. Its primary goal was to steal credentials and private keys in order to gain control over victims’ Ethereum funds.
  • Clipper malware was initially discovered on Windows platforms in 2017 and on ‘shady’ Android app stores in 2018.

Source (Includes IOCs)

 

Actor behind AZORult ceases sales of malware

  • The author behind AZORult, known as ‘Crydbrox’, announced on December 17th that all sales and updates for the malware would end.
  • According to BlueLiv, Crydbrox may be attempting to hide certain parts of his criminal profile, despite being well-known for supporting AZORult since 2016.
  • Because it is no longer updated, the stealer is likely to lose popularity over time and be replaced by a variety of competing products.

Source

 

Ongoing Campaigns

Phishing campaign targets anti-money laundering officers at US credit unions

  • Brian Krebs reported on a phishing campaign that exclusively targeted Bank Secrecy Act (BSA) contacts at US credit unions. BSA officers are appointed by financial institutions to report suspicious financial transactions that may be associated with money laundering.
  • Emails purporting to be from fellow BSA officers were sent to individuals to lure them into opening a malicious PDF attachment.
  • According to Krebs’ blog post, several credit union sources suspect the officers’ non-public contact information may have been obtained from the National Credit Union Administration (NCUA), which all BSA officers are required to be registered with. In a response to the incident, the NCUA has claimed that none of its systems have been compromised.

Source

 

Malicious Excel attachment leverages steganography to download URSNIF  

  • Bromium researchers detected an Excel spreadsheet containing malicious macros that build a PowerShell command from individual pixels in a downloaded image of video game character Mario. Once executed, the command will install malware on the victim’s device.
  • The malicious macros were configured to execute the command only when the machine is located in Italy. The researchers initially believed the malware to be GandCrab; however, further research by Yoroi’s ZLab team revealed that the malware installed is actually URSNIF.
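Added example, not Bromium’s, Yoroi’s or the sample’s code: a Python round trip that hides bytes in the low nibbles of each pixel’s green and blue channels and rebuilds them, which is the general technique a macro like this relies on. The pixel encoding, the two-byte length header and the gradient carrier are my constructs, `DEMO_COMMAND` is a harmless placeholder, and the real sample’s exact pixel mapping is not reproduced.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]   # (R, G, B), each 0-255
Image = List[List[Pixel]]      # rows of pixels, all rows the same width


def _hide_byte(px: Pixel, value: int) -> Pixel:
    """Put the high nibble of value in G's low 4 bits and the low nibble in B's low 4 bits; R is untouched."""
    r, g, b = px
    return (r, (g & 0xF0) | (value >> 4), (b & 0xF0) | (value & 0x0F))


def _read_byte(px: Pixel) -> int:
    _, g, b = px
    return ((g & 0x0F) << 4) | (b & 0x0F)


def embed(carrier: Image, payload: bytes) -> Image:
    """Write a 2-byte big-endian length followed by the payload into the first len(payload)+2 pixels."""
    flat = [px for row in carrier for px in row]
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) > len(flat):
        raise ValueError("carrier too small for payload")
    stego = [_hide_byte(px, data[i]) if i < len(data) else px for i, px in enumerate(flat)]
    width = len(carrier[0])
    return [stego[i:i + width] for i in range(0, len(stego), width)]


def extract(stego: Image) -> bytes:
    """What the downloader-side macro does: rebuild the hidden bytes from pixel channel values."""
    flat = [px for row in stego for px in row]
    length = int.from_bytes(bytes(_read_byte(px) for px in flat[:2]), "big")
    return bytes(_read_byte(px) for px in flat[2:2 + length])


def max_channel_delta(a: Image, b: Image) -> int:
    """Largest per-channel change between two images; nibble hiding never moves a channel by more than 15,
    which is why the carrier still looks like an ordinary picture and passes a visual check."""
    return max(abs(x - y) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb) for x, y in zip(pa, pb))


def make_carrier(width: int = 16, height: int = 8) -> Image:
    """Constructed gradient standing in for the downloaded picture; no real image file is involved."""
    return [[(x * 16 % 256, y * 32 % 256, (x + y) * 8 % 256) for x in range(width)] for y in range(height)]


# Harmless placeholder for the command a macro would rebuild; not the campaign's actual command.
DEMO_COMMAND = b'powershell -nop -w hidden -c "Write-Host demo"'

if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, DEMO_COMMAND)
    print("recovered:", extract(stego).decode())
    print("max channel change:", max_channel_delta(carrier, stego))
```

For detection this means the image download itself is the weak signal: an Office process fetching a PNG or BMP and then spawning PowerShell is the sequence to alert on, since the picture will look clean to both humans and signature scanners.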

Source 1 Source 2

 

Leaks and Breaches

Parenting website Mumsnet suffers data breach

  • In an official statement, the website operators acknowledged an incident in which users logging in at the same time could have had their account information switched. The issue affected users logging into the platform between 2pm on February 5th and 9am on February 7th, 2019.
  • According to Mumsnet, the incident is believed to have been caused by a software change as part of the service’s shift to the cloud. Data affected includes email addresses, account details, posting history and personal messages. No passwords were compromised.

Source

 

RDM refrigeration systems vulnerable to remote attacks

  • Safety Detective researchers discovered that refrigeration systems made by Scotland-based provider Resource Data Management (RDM) are exposed to remote attacks from the internet. This is due to users’ failure to change default passwords and implement other security measures.
  • The affected systems can be accessed over HTTP on port 9000, and in some cases ports 8080, 8100 or 80, and are protected by a known default username and password. An unauthorized user can perform operations such as changing refrigerator, user and alarm settings.
  • The vulnerable systems are used by healthcare providers and supermarket chains worldwide, including Marks & Spencer, Ocado, Way-On, Menu Italiano and CCM Duopharma Biotech Berhad. A Shodan search revealed over 7,400 devices accessible directly from the internet, located in countries including Russia, Malaysia, Brazil, the UK, Taiwan, Australia, Israel, Germany, the Netherlands and Iceland.

Source

 

Pawnee County Memorial Hospital data breach

  • The Nebraska hospital has notified 7,038 patients that their full names, dates of birth, driver’s license details and medical information have been compromised.
  • The breach took place after an employee was infected with malware via a malicious attachment. The malware gave unknown actors access to the employee’s account from 16 to 24 November 2018.

Source

 

Pharmaca announces data breach

  • The health and wellness company stated that payment information may have been compromised for customers who made purchases at retail locations between July 19, 2018 and December 12, 2018.
  • The breach was caused by suspicious code on point-of-sale systems, discovered on December 6, 2018. No medical records or other sensitive information were exposed.

Source

 

‘TeamOrangeWorm’ attempt to extort healthcare provider, release employees’ financial files

  • A hacker group going by the name ‘TeamOrangeWorm’ attempted to extort Ontario-based CarePartners for $18,000 in Bitcoins to prevent the public release of employee and patient files. The files were allegedly obtained in a breach that occurred in June 2018.
  • In a response to a request by DataBreaches[.]net, the threat actor provided a link to an archive that contained files including company financial documents, employee T4 statements containing sensitive information, company banking information, accounts payable and wire transfers.
  • Despite the files not being from the June 2018 dump, TeamOrangeWorm claim they possess three other dumps with employee and corporate files that they plan to release in the future. DataBreaches[.]net note that they do not believe the threat actor is the same actor identified as Orangeworm by Symantec.

Source

 

Bunnings discloses data breach that affected employee and customer data

  • The household hardware chain issued an apology for a data breach that led to the exposure of employee and customer data. The breach was a result of a ‘staff member setting up an employee performance monitoring system on their home computer’.
  • The breached data includes details of Bunnings staff members and comments relating to employee performance, login details for staff and developers, and the email addresses, home addresses and telephone numbers of 1,194 customers.

Source

 

Vulnerabilities

Vulnerability patched in FireOS

  • The flaw, tracked as CVE-2019-7399, exists in the operating system of Amazon’s Fire Tablet. Successful exploitation could allow a man-in-the-middle to inject malicious content into the Settings, Legal and Compliance, Terms of Use and Privacy sections of the device. It could also permit an attacker to access the device’s serial number.
  • The flaw was patched in v5.3.6.4. released by Amazon in November 2018.

Source

 

Vulnerable plugin used to encrypt customer systems of US-based MSP

  • An attacker encrypted the endpoint systems and servers of every customer of a US-based managed service provider (MSP) by exploiting a vulnerable plugin for the Kaseya VSA remote monitoring and management (RMM) tool used by the MSP.
  • According to Dark Reading, the attack resulted in 1,500 to 2,000 customer systems being infected with GandCrab ransomware and the MSP being extorted for $2.6 million.

Source

 

General News

Trend Micro release a new report documenting TTPs used to target financial organizations

  • Key findings include that annual losses from cyberattacks against financial institutions can amount to between $100 million and $300 million.
  • Cyber criminals were seen mostly targeting bank customers but also focused on employees in financial departments or banks. In some cases, criminals attempted to bribe bank employees into creating money exfiltration and money laundering schemes.
  • Trend Micro also found that attackers are increasingly launching attacks against banks’ infrastructures or telecommunication networks.

Source

 

Kaspersky Lab publish report on DDoS attack in Q4 2018

  • In Q4 2018, a number of new botnets were detected, such as Chalubo, Torii and DemonBot. New attack techniques were also observed, such as FragmentSmack, an IP fragment reassembly flaw that works against Linux, Windows and Cisco products, and amplification through the CoAP protocol to boost DDoS attacks.
  • In late 2018, a new DDoS launch platform called 0x-booter was also discovered. The platform employs the Bushido botnet that has been used in more than 300 DDoS attacks in the second half of October 2018.
  • Additionally, Kaspersky Lab provide statistics related to the countries most targeted by DDoS attacks, the duration and types of DDoS attacks, and the geographic distribution of botnets.

Source

 


Silobreaker Daily Cyber Digest – 08 February 2019

 

Malware

Danabot updated with new C2 communication

  • New variants with updated communication protocols are being delivered to existing victims as updates, and via malspam in Poland, according to researchers at ESET.
  • Danabot now uses AES and RSA encryption for C2 communication, breaking existing network signatures. New versions also leverage a loader component (registered as a service), in place of the downloader that previously executed the main module.

Source (Includes IOCs)

 

Spyware discovered in anti-censorship applications

  • Triout is an Android malware framework that was bundled with Psiphon, an anti-censorship application, before being distributed via non-official channels. The Google Play version of Psiphon is unaffected, and has been downloaded over 50 million times. The unofficial version functions exactly the same as the official one, but with malicious capabilities.
  • Triout’s malicious capabilities include recording phone calls, taking photos and videos, logging text messages, and collecting GPS coordinates. This data is then exfiltrated to the attackers’ C2 server, which, according to researchers at Bitdefender, currently resolves to a French discount retail website of unknown legitimacy.

Source

 

Ongoing Campaigns

Phishing campaign targeting North American banking customers

  • Excel documents are being used by malicious actors to infect North American banking customers with a TrickBot variant. The phishing emails appear to come from JPMorgan Chase and Bank of America. When the attachment is opened and macros are enabled, the TrickBot payload is downloaded from a compromised website.
  • This new variant is capable of stealing credentials of cryptocurrency wallets and is capable of targeting POS systems. It also uses a new encryption technique to protect the PowerShell command used by the macro.

Source 1 Source 2

 

New hacker groups holding MongoDB databases to ransom

  • ZDNet reporters have stated that new hacker groups have been copying malicious behaviours of their predecessors, by holding a MongoDB database to ransom and attempting to extort money out of companies. The attackers find a vulnerable database, take a copy, and delete data from the original server, before trying to sell it back to the targeted company.
  • This practice is not as lucrative as it originally seems, as groups observed have been sloppy in their tactics, forgetting to delete databases, whereas other companies may already have a backup. Three new groups that have appeared have only made a measly $200 between all of them.
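The exposure the ZDNet piece describes comes down to a few mongod.conf settings. Added example, not taken from the article: the weak configuration beside a hardened one. The private address and certificate path are assumed; `net.tls` needs MongoDB 4.2 or later (earlier releases use `net.ssl`).

```yaml
# mongod.conf as found on the ransomed servers (weak): reachable from the internet, no authentication
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface
security:
  authorization: disabled    # anyone who can reach the port can read, dump and drop every database
---
# mongod.conf hardened: loopback plus one private address, auth enforced, TLS for any remote client
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5         # assumed private address; never 0.0.0.0 on an internet-facing host
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # assumed path
security:
  authorization: enabled             # create an admin user in the admin database before enabling this
```

Enabling authorization on a server that has no users locks everyone out, so create the administrative user first; and because the attackers delete data before demanding payment, the only real protection is an off-host backup that is tested by restoring it.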

Source

 

Leaks and Breaches

Historical breach discovered by Trakt

  • Trakt, a movie and TV-tracking service, appears to have only just discovered a breach that occurred in December 2014. Trakt emailed its subscribers informing them that a PHP exploit was used in December 2014 to capture user data.
  • Affected information includes user emails, usernames, encrypted passwords, names and stored locations. They reassured users that payment information has not been impacted, as it is stored separately.

Source

 

Vulnerabilities

Two iOS zero-days exploited in the wild

  • Google researchers have revealed that CVE-2019-7286 and CVE-2019-7287 were exploited in the wild before Apple released iOS 12.1.4.
  • The former vulnerability exploits a memory corruption bug to elevate privileges. The latter is also a memory corruption issue that allows arbitrary code execution with kernel privileges. Users are advised to update as soon as possible.

 

Multiple vulnerabilities in Lifesize Products

  • Simon Kenin of SpiderLabs discovered multiple Authenticated Remote OS Command Injection vulnerabilities in Lifesize Team, Room, Passport and Networker. Combined with a privilege escalation found by another researcher, it becomes possible to gain persistent root privileges on affected devices.
  • After initially declining to fix the issues because the products were End of Life, Lifesize has now asked all 220 Series customers to contact support for a hotfix. A PoC exploit for the vulnerabilities will be released on February 21st.

Source

 

Multiple vulnerabilities in Kunbus gateway

  • Applied Risk researcher Nicolas Merle found five vulnerabilities in Kunbus PR100088 Modbus gateways running 1.0.10232 and possibly earlier versions. Two are rated critical and two high severity, allowing an unauthenticated user to gain full control of the device.
  • Kunbus has released Security Update R02 to address four of the flaws. R03 will address the fifth and is scheduled for release at the end of February.

Source 1 Source 2

 

Google patches critical vulnerability in Android update

  • February’s security update contains fixes for CVE-2019-1986, CVE-2019-1987 and CVE-2019-1988, three flaws which allow a remote attacker to execute arbitrary code on Android 7.0 to 9.0 if the user opens a malicious PNG file.

Source

 

Vulnerability in FaceTime patched

  • The previously reported ‘FacePalm’ vulnerability in Apple’s FaceTime allowed a caller to hear the recipient’s audio before the call was accepted. The bug has since been patched, and iOS and macOS users are urged to install the update as soon as possible.

Source

 

General News

Australian government resets network after incident

  • The federal government confirmed that a security incident affected everyone with an Australian Parliament House email address. According to the Department of Parliamentary services, all users with network access had their passwords reset.
  • Investigations are ongoing, but there is currently no evidence that data has been taken or accessed, or that the incident was an attempt to influence parliamentary or political processes.

Source

 

Germany’s Federal Cartel office bans Facebook from combining user data without permission

  • Germany’s Bundeskartellamt banned Facebook from combining data from its Messenger, WhatsApp and Instagram platforms without explicit user permission, and from gleaning user data from third-party sites unless there is voluntary consent.

Source

 

20 individuals indicted in international online fraud scheme

  • The case, led by US Secret Service agents, investigated a scheme where fraudsters post fake advertisements for expensive items on websites such as eBay and Craigslist. Victims would send money, normally cryptocurrency, to the fictitious profiles, and the items would never show up.
  • Most of the suspects are based in Romania, and around a dozen have already been extradited to the US for trial.

Source

 


Silobreaker Daily Cyber Digest – 07 February 2019

 

Malware

Researchers discover new JAR-based information stealer ‘Qealler’

  • Zscaler ThreatLabZ researchers found a new information-stealing malware dubbed Qealler, written in Java and designed to silently steal sensitive information from the targeted device. The malware was first detected on January 21st, 2019.
  • Qealler is distributed via malicious JAR files and, once executed, attempts to steal credentials from a variety of software including browsers, chat clients, databases, games, mail clients, Wi-Fi, SVN, memory dumps and sysadmin tools.

Source

 

Ongoing Campaigns

New ‘Lucky Draw’ smishing campaign asks for money in exchange for prize

  • A new text message-based phishing campaign has been discovered targeting Nokia owners in India. The texts pose as legitimate messages from Nokia and state that the recipient has won either a Tata Safari car or 1,260,000 Indian Rupees. The scam then asks that the recipient calls them to pay 6,500 Rs in order to collect the prize.
  • The text messages are filled with grammatical errors and are therefore unconvincing.

Source

 

APT10 attacked Norwegian managed service provider and US firms in sustained campaign

  • Researchers reported that Chinese threat actor APT10 hacked and stole data from at least three companies in the US and Europe including Visma, a Norwegian firm specializing in cloud-based software solutions for European businesses. The attacks occurred between November 2017 and September 2018.
  • In all three incidents, APT10 used Citrix and LogMeIn remote access software to gain access to networks using stolen user credentials. In their attack against Visma, APT10 deployed Trochilus malware, whereas in the two other attacks the group used a unique version of the Anel backdoor.
  • According to Visma’s official statement, the hackers managed to steal the company’s internal data, however, none of their clients’ systems were affected.

Source 1 Source 2

 

Phishing campaign exploits Google Translate to target multiple user accounts simultaneously

  • Akamai researcher Larry Cashdollar reported on a recent phishing campaign targeting Facebook and Google accounts, and using Google Translate features to conceal the landing page.
  • The campaign begins with fake emails stating that a user’s Google account was accessed from a new device and asks the user to click a link to verify this activity. Once clicked, the link will redirect the victim to a malicious domain that is loaded via Google Translate and asks the victim to input their credentials. Usernames, passwords, IP addresses and browser types are collected. In some cases, location and various level of personally identifiable information are also stolen.
  • According to Cashdollar, a second stage of the attack follows, in which victims are redirected to a fake Facebook login page. The researcher notes that based on the visualization of the fake login pages, the campaign is designed to target mobile users.

Source

 

Tech support scams leveraging PUAs

  • Rather than calling a support hotline, tech support fraudsters are instead attempting to get users to install potentially unwanted applications (PUAs) after showing them a fake malware scan, stating that their system is infected. This allows them to perform a variety of actions on the victim’s computer, including, but not limited to, showing pop-up windows, changing search engines and default home pages, exfiltrating user information, and mining cryptocurrency in the background, thereby hogging system resources.
  • All of these methods are used to generate revenue for the malicious actor. They can also earn revenue by maximising the number of PUA installs they perform.

Source

 

Online retailers targeted with IcedID trojan

  • IBM Security has warned that actors behind IcedID banking trojan are now using the malware to steal payment card credentials from websites of online retailers. The hackers are targeting victims in order to make purchases at that retailer, after having stolen all of the credentials required to check-out on their site.
  • IBM has produced a complete report detailing and analysing the behaviours of IcedID against online retailers.

Source 1 Source 2

 

Magecart targets undisclosed flaws in Magento eCommerce third-party plugins and extensions

  • Crowdstrike researchers observed that the Magecart Group has been targeting online stores running the Magento platform by exploiting undisclosed PHP Object Injection vulnerabilities in third-party plugins and extensions. The flaws allow an attacker to execute arbitrary code in the context of the vulnerable server.
  • The researchers analyse three different attack paths that all aim to exfiltrate payment card data from online customers. The first is overwriting a core JavaScript Library, the second is altering Magento configuration database tables and the last concerns exploiting old vulnerabilities.

Source

 

Leaks and Breaches

Gay dating app ‘Jack’d’ leaked ‘private’ images and data via unsecured AWS S3 bucket

  • The photos were uploaded to an Amazon Web Services S3 bucket via an unsecured web connection, identified by a sequential number. In order for the images to be accessible, a person must simply traverse the range of sequential values.
  • As a result of the images being retrieved by the application via an unsecured web connection, it is also possible that they can be intercepted by anyone monitoring network traffic. In addition to the private images, location data alongside other metadata pertaining to users of the app were also accessible via the app’s unsecured interfaces to backend data.
  • The dating app reportedly has 5 million users worldwide on iOS and Android. The flaw was fixed with a February 7th update, a year after the leak was initially disclosed to the company.

Source

 

South African Eskom Group hit by security breach due to downloaded game

  • The energy supplier has been hit by a double breach involving an unsecured database containing customer details, as well as an infected corporate computer that was hit by the AZORult information-stealing trojan.
  • Security researcher ‘.sS!’ discovered the stolen data, which contains passwords for logging into Eskom’s internal network, corporate email accounts, a screenshot of the victim’s desktop during the trojan’s install and other information. The AZORult infection was found to be masquerading as a downloader for The Sims 4 game.
  • Information exposed as a result of these breaches includes credentials, customer information, sensitive business information and redacted customer credit card information. Eskom supplies 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.

Source

 

MPs targeted by new phishing campaign following hack of government whip account

  • Dozens of MPs have reportedly been added to a WhatsApp group named ‘Hack warning 1’ that appeared to be linked to the personal phone number of Tory MP Mike Freer. Freer later announced in a Facebook update that his email account has been compromised.
  • Freer warned that anyone who received a message asking them to download Viber for a secure call should delete it. The Whips’ Office followed by stating that the hack aims to access the victim’s contacts list so that it can send texts and emails to private contacts.

Source

 

The Californian Bayside Covenant Church suffers data breach

  • In a statement, the church said that unauthorised personnel gained access to certain email accounts between August 3rd, 2018 and October 20th, 2018. Information exposed includes names, addresses, Social Security Numbers, passport numbers, drivers’ license numbers, financial account information, medical information, health insurance information, usernames and passwords for online accounts, as well as emails and passwords.
  • Further details of the breach are currently unknown and an investigation is ongoing.

Source

 

Passenger data exposed by airline check-in links

  • Wandera’s threat research team found that check-in links sent by several major airlines across the globe can allow attackers to obtain passengers’ personal information – as the connection is initiated over HTTP rather than HTTPS. An attacker could intercept the user’s traffic and gain access to their check-in page, such as the ‘record locator’, origin, and destination, via the data unencrypted in the URL.
  • Affected airlines include Southwest in the US, KLM and Transavia in the Netherlands, and Thomas Cook in the UK. The airlines have been notified, and some have stated that they are investigating the issue, but no fixes have yet been deployed.

Source

 

Cal Poly Pomona College of Science suffers data leak

  • On January 28th 2019, the computer science department accidentally exposed 4,557 active student records in an erroneous email sent to other students. As well as sending students an email containing their individual academic records, a spreadsheet was sent to all recipients containing the academic details of everyone in the College of Science.
  • Leaked data included student records, their current academic standing and their Grade Point Average.

Source

 

Vulnerabilities

Security researcher Linus Henze declined to share zero-day macOS exploit with Apple

  • Henze demoed a zero-day macOS exploit that impacted the Keychain password management system, which is used to store passwords for applications, servers, and websites, as well as other sensitive information related to bank accounts. The data stored on the Keychain app is automatically encrypted.
  • Henze discovered a flaw in the Keychain’s access control in Apple’s macOS operating system, that could allow an attacker to steal Keychain passwords from any local user account on the Mac, without needing admin privileges or the Keychain master password.
  • The flaw can be exploited as long as the Keychain is unlocked, and impacts all macOS versions up to 10.14.3 Mojave. The vulnerability has not been made public, or reported to Apple, due to a lack of a bug bounty program in macOS.

Source

 

Microsoft confirms high severity flaw in Microsoft Exchange

  • The vulnerability, dubbed ‘PrivExchange’, is an elevated privilege flaw in the Exchange Server that could allow a malicious actor to impersonate an administrator.
  • According to Microsoft’s security advisory, a threat actor would need to perform a man-in-the-middle attack to forward an authentication request to an Exchange Server to successfully impersonate an administrator. A planned update addressing this vulnerability is currently under development.

Source

 

Flaw in Marvell Avastar SoCs leaves some models open to Wi-Fi attack

  • CVE-2019-6496 affects Marvell Avastar wireless system-on-a-chip (SoC) models including 88W8787, 88W8797, 88W8801 and 88W8897. The flaw is a block pool memory overflow that can be exploited to overwrite specific block pool data structures.
  • The flaw can be leveraged by an attacker if they are within Wi-Fi range and use a series of specially crafted Wi-Fi frames to execute arbitrary code on a system that is running one of the vulnerable processors. Following this, an attacker could use the compromised SoC to intercept network traffic or achieve code execution on the host system.
  • A patch has been issued.

Source

 

General News

Ukrainian hacker sentenced to 13 years in prison for theft of $15 million from Russian banks

  • According to law enforcement officials, Yury Lysenko was involved in a criminal group specializing in the theft of funds from commercial banks. Victims include Promsvyazbank, Bank Uralsib, Trust Bank and Bank Zenit. The banks were targeted over a six-month period in 2014.
  • The group used ‘special software’ which permitted illegal withdrawals from accounts belonging to customers and then proceeded to restore the customers’ account balances at the expense of the banks themselves. It is also believed the criminals used devices to tamper with ATMs.

Source

 

Hackers find new ways to unlock iCloud-linked iPhones

  • Motherboard reports that criminals have found ways to bypass Apple’s attempts at making Apple devices less prone to theft by linking them to a single iCloud account. The iCloud security feature enables the owner of the phone to remotely lock the phone and find its location via their iCloud account.
  • Criminals have reportedly been bypassing this feature by removing iCloud. To achieve this, the attacker phishes the phone’s original owner, or scams employees at Apple stores, who have the ability to override iCloud locks.
  • Dark web services also offer thieves the opportunity to unlock iPhones using illegal iCloud unlocking companies. These companies use fake receipts and invoices to pose as the legitimate owners of the phones, and also supply custom phishing kits for sale that are designed to steal iCloud passwords from a phone’s legitimate owner.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

Silobreaker Daily Cyber Digest – 06 February 2019

 

Malware

Coveware detail GandCrab v5.1’s new exploit kit distribution and TOR site features   

  • Coveware researchers found that the core features of the ransomware’s TOR site remain unchanged in the most recent version, GandCrab 5.1. The website features a customer support chat and a free test decryption for victims. It also offers ‘discount codes’ which, according to Coveware, cater to ‘shady data recovery firms’ as they enable them to hide the final cost of decryption from victims.
  • The discount codes were also found to enable private chats that are hidden from any other visitor of the TOR site, which allows the data recovery firms to conceal the decryption process from their customers, and profit from substantial mark-ups on the actual cost of decryption.  
  • The researchers also note that RDP ports remain the primary attack vector for v5.1. However, they discovered that the ransomware has also been linked to automated attacks using exploit kits such as Fallout, Emotet and the Vidar credential stealer.

Source

 

Ongoing Campaigns

Cryptocurrency wallets Electrum and MyEtherWallet hit by phishing attacks

  • On February 4th, the MyEtherWallet team warned via Twitter of a phishing email circulating, asking users for their personal information. A Reddit post stated that the phishing scam was posing as a security update and was attempting to steal sensitive data from Electrum customers.
  • Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack where ‘malicious servers are able to display a message asking users to download a fake version of Electrum.’

Source

 

Morphisec identify new campaign delivering Orcus RAT

  • The attacks, undertaken by a threat actor dubbed PUSIKURAC, were focused upon stealing information from victims. Before performing the attacks, PUSIKURAC registered domains through FreeDNS services.
  • In addition, the threat actor behind the campaign also uses legitimate free text storage such as pastes, signs executables, misuses commercial .NET packers, and embeds payloads within video files and images.
  • Orcus RAT is capable of stealing browser cookies and passwords, launching DDoS attacks, disabling webcam activity lights, recording microphone input, spoofing file extensions, logging keystrokes, and more.

Source (Includes IOCs)

 

New spam campaign uses links inside fake ebooks on Kindle store

  • Malwarebytes Labs detected a new spam campaign targeting fans of John Wick on the Amazon Kindle store. Fake ebooks disguised as an upcoming third movie in the John Wick series are being used to lure victims into clicking malicious links.
  • Around 40 individual posts were found advertising the fake ‘John Wick 3’ movie between January 25th and February 2nd, 2019. Upon further inspection, Malwarebytes Labs uncovered that the movies were in fact ebooks that included links to the fake movie. Once clicked, the links redirected unsuspecting users through a series of third-party websites.
  • The fake ebooks have since been taken down from the Kindle store.

Source

 

Outlaw group conducts active campaign targeting Linux systems to mine cryptocurrency

  • JASK Special Ops research team reported on the recent attacks observed seizing infrastructure resources in order to enact cryptomining attacks.
  • The attacks use a refined version of Shellbot, which creates a tunnel between an infected system and a C&C server operated by the threat actors. Shellbot is distributed through common command injection vulnerabilities which target flawed Linux servers, as well as IoT devices.
  • Recently, Outlaw group compromised a File Transfer Protocol (FTP) server of a Japanese art organisation, as well as a Bangladeshi government website. The systems targeted in these attacks received payloads including IRC C&C botware, the cryptomining script XMR-Stak, and the Haiduc SSH scan and network propagation toolkit.

Source

 

Malicious cryptocurrency software distributes AZORult stealer

  • Hackers broke into the Github account of Carson Klock, the lead of the Denarius cryptocurrency project, and uploaded a backdoored version of the Windows client bundled with the AZORult infostealer. Klock stated that the attack was the result of him reusing an older password to secure his Github account.
  • The hacker accessed the account and uploaded a backdoored version of the Denarius Windows client, which installed a version of the AZORult malware.
  • AZORult has the capability to steal a large amount of data such as browser passwords, browser cookies, passwords for FTP clients, wallet database files, and more. The malicious control panel had been hosted since July 2018.

Source

 

Scammer groups exploit Gmail ‘dot accounts’ to enact online fraud

  • Gmail’s ‘dot accounts’ are a feature whereby Gmail ignores dot characters in the username part of an address. Scammer groups have recently discovered that this feature can be abused to file for fraudulent unemployment benefits, file fake tax returns and bypass trial periods for online services.
  • Recently, one group has been observed exploiting this feature by using legitimate-looking Netflix emails to prompt Netflix account owners into adding their card details to accounts the scammer registered using a dotted variant of the victim’s email address.
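The defensive counterpart to the abuse described above is to canonicalise addresses before treating them as distinct identities, so that dotted variants of one inbox can be grouped and flagged. The example below is added here and is not from the Silobreaker digest or any cited source; the signup records are constructed, and the function also folds Gmail ‘+tag’ suffixes, which the digest does not mention.

```python
from collections import defaultdict

# Domains on which Google ignores dots in the local part (googlemail.com
# is the legacy alias of gmail.com).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address):
    """Return the canonical form of an address.

    For Google-hosted addresses: lowercase, drop any '+tag' suffix, strip all
    dots from the local part and normalise the domain to gmail.com, since all
    such variants deliver to the same inbox. Other domains are only lowercased,
    because dot-insensitivity is a Gmail behaviour, not a general rule.
    """
    address = address.strip().lower()
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = address.rsplit("@", 1)
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_dot_alias_clusters(signups, min_size=2):
    """Group signup records by canonical address and return only the clusters
    in which several distinct raw addresses map to one inbox. Each such cluster
    is a candidate for review (repeated free trials, duplicate claims, etc.)."""
    clusters = defaultdict(set)
    for record in signups:
        clusters[canonical_email(record["email"])].add(record["email"].strip().lower())
    return {canon: sorted(raw) for canon, raw in clusters.items() if len(raw) >= min_size}


# Constructed sample signup records (hypothetical, not real accounts).
SAMPLE_SIGNUPS = [
    {"user_id": 101, "email": "john.doe@gmail.com"},
    {"user_id": 102, "email": "jo.hn.doe@gmail.com"},
    {"user_id": 103, "email": "johndoe+trial2@gmail.com"},
    {"user_id": 104, "email": "jane.roe@example.com"},
    {"user_id": 105, "email": "jane.roe@example.com"},
    {"user_id": 106, "email": "alice@gmail.com"},
]


if __name__ == "__main__":
    for canon, raw in find_dot_alias_clusters(SAMPLE_SIGNUPS).items():
        print(f"{canon}: {len(raw)} distinct registrations -> {raw}")
```

Only Gmail-hosted addresses are collapsed; applying the same rule to other providers would wrongly merge genuinely different users.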

Source

 

Vulnerabilities

OpenOffice remains vulnerable to remote code execution

  • OpenOffice is still exposed to a remote code execution flaw, tracked as CVE-2018-16858, that affects the latest version of OpenOffice, 4.1.6. The vulnerability can be triggered using automated macro execution when users move the cursor over a maliciously-crafted ODT document.
  • The flaw was initially discovered by researcher Alex Inführ and was found to impact LibreOffice releases up to and including 6.0.6/6.1.2.1. However, following the researcher’s report, the bug has been patched in LibreOffice 6.0.7/6.1.3.

Source

 

Vulnerabilities discovered in AEG Smart Scale devices

  • Checkmarx researchers reported on several security issues discovered in AEG Smart Scale PW 5653 BT and the related Smart Scale apps for both Android and iOS.
  • The most severe flaw discovered is a denial-of-service vulnerability that could allow an attacker to trigger a special request via Bluetooth and crash the smart scale.
  • The other flaws discovered in Smart Scale devices could permit attackers to change the device name or launch man-in-the-middle attacks and intercept information sent between the mobile application and the host.

Source

 

Zcash team divulge details on severe flaw in Zcash

  • In October 2018, a severe vulnerability was discovered in Zcash that could have allowed an attacker to generate new Zcash funds without any upper limit. Due to the severity of the bug, only four people were made aware of the issue before it was patched in the same month.
  • The flaw could have been abused to flood the Zcash ecosystem with new funds, which could have resulted in the dilution and destruction of the currency.

Source

 

Google patches critical PNG image flaw

  • In its February Android Security Bulletin, Google addressed three critical vulnerabilities in the Android Framework, tracked as CVE-2019-1986, CVE-2019-1987 and CVE-2018-1988. One of these flaws is a PNG image vulnerability that could allow a remote attacker using a specially-crafted PNG file to execute arbitrary code within the context of a privileged process.
  • The security update addresses a total of 42 flaws out of which 11 were rated critical and 30 rated high severity.

Source

 

The Silobreaker Team


Silobreaker Daily Cyber Digest – 05 February 2019

 

Malware

SpeakUp backdoor trojan exploits vulnerabilities in six Linux distributions

  • Check Point researchers discovered a new campaign exploiting Linux servers to infect victims with a new backdoor trojan dubbed SpeakUp. The trojan has predominantly targeted servers located in East Asia and Latin America.
  • According to Check Point, the initial infection vector is a recently disclosed flaw in ThinkPHP tracked as CVE-2018-20062. The backdoor has been described as evading all security vendors and being able to propagate internally within the infected subnet and beyond to new IP ranges. Apart from infecting six different Linux distributions, SpeakUp also has the ability to infect Mac devices.
  • The researchers suspect the perpetrator behind SpeakUp is a malware developer known as Zettabit.

Source (Includes IOCs)

 

Researchers discover new Cayosin botnet

  • The researchers discovered that Cayosin is a botnet-for-hire comprised of Qakbot, Mirai and various other pieces of software.
  • The botnet used marketing and support techniques by having subscribers sign up for an account when it was still in early development. Cayosin is marketed through social media platforms such as Instagram, as well as the dark web.
  • Using the social media accounts allowed the hackers to support their operation through market research and customer support on a wide scale. Following the social media accounts led the researchers to more malware and botnets, including Yowai.

Source

 

Qakbot malware being delivered as first-stage payload

  • Researchers at Cofense have detected Emotet botnets delivering non-Emotet malware via phishing campaigns, as well as more precise targeting. They have been observed attempting to deliver the Qakbot trojan to employees of a US state-level government agency using internal signatures, targeted addressing and quoted previous email threads.

Source

 

Ongoing Campaigns

New cyber espionage targets Tibet with ExileRAT

  • Cisco Talos have recently observed a malware campaign targeting Tibet, delivering a malicious Microsoft PowerPoint document via a mailing list run by the Central Tibetan Administration (CTA), which represents the Tibetan government in exile. The malicious email contained a PPSX file attachment named “Tibet-was-never-a-part-of-China[.]ppsx”.  
  • The malicious PPSX file is a copy of a legitimate PDF that is available on Tibet[.]net, and abuses CVE-2017-0199, an arbitrary code execution flaw in Microsoft Office. An infected system will run ExileRAT, delivered by the attacker’s C&C server, which is capable of stealing information such as computer names, usernames and drive listings from the infected device, as well as pushing files and terminating processes.
  • Cisco Talos assess that given the nature of the targets and the malware, the campaign is likely designed to provide the ability for nation state actors to spy on civilians for political purposes. The infrastructure used for C&C in this campaign has previously been linked to the LuckyCat trojan.

Source (Includes IOCs)

 

Alexa 500 sites targeted with adaptive malware

  • The Media Trust has observed a large-scale malicious campaign targeting premium publishers using malvertising posing as legitimate advertisements for 44 popular adtech retailers. Researchers analysed over 600,000 attacks and found that most visitors didn’t need to click on any of the ads but were redirected to malicious content that asked for personal information just by visiting the sites.
  • The authors behind the campaign created persistence by ensuring that as soon as one malware and supply chain route was identified and terminated, another attack would immediately begin using a different malware and alternative supply chain routes. 80% of the targeted devices were running iOS.

Source

 

GoDaddy domains still used to propagate spam despite authentication weakness fix

  • Following reports that GoDaddy had recently addressed an authentication weakness that was being used to propagate spam via legitimate, dormant domains, KrebsonSecurity has observed that scammers are continuing to use GoDaddy domains for recent malware spam campaigns.
  • The flaw allowed anyone to add a domain to their GoDaddy account without having to validate that they were the domain’s owners. The spammers registered free accounts at GoDaddy and directed the company’s automated DNS service to allow the sending of any emails with those domains from an address controlled by the threat actors.
  • KrebsonSecurity has stated that despite the fixes for this issue, the domains in the recent GandCrab campaign, reported last week by MyOnlineSecurity, all had their DNS records altered between January 31st and February 1st to allow the sending of emails from addresses associated with two ISPs identified with GoDaddy.

Source

 

BEC campaign disguised as Doodle poll targets senior executives  

  • Discovered by GreatHorn researchers on January 31st, the business email compromise (BEC) campaign purports to be from the CEO of an organisation and claims that a planned board meeting needs to be rescheduled, requesting users to take part in a Doodle poll to set a new date.
  • Once users click the link to the poll, they are redirected to a phishing site disguised as a Microsoft Outlook and Office 365 login page that steals victims’ login credentials.
  • According to GreatHorn, the campaign remains active and users are advised to be on the lookout for emails with the subject line ‘New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)’.

Source

 

South Korean bus apps discovered dropping malware

  • McAfee has detected a new malicious Android app posing as plugins for a South Korean transportation application series. The applications include services such as Naver, KakaoTalk, Daum and SKT.  
  • When installed, the malicious app downloads an additional payload from hacked web servers that includes a fake plugin. After the fake plugin is downloaded and installed, it installs a trojan on the device that attempts to trick users into inputting their Google account password to completely take control of the device.  
  • The malware uses the native library to take over the device and then deletes the library to avoid detection. Three of the apps have been available on Google Play since 2013, and one from 2017, though all have now been removed.

Source

 

Threat actors advertise access to websites of media organizations on the dark web

  • Sixgill researchers detected that hackers are increasingly advertising stolen credentials to websites of news outlets on the dark web.
  • One of the offers was found to be for the access to 1,400 US magazines, while another was found to be for access to a major Southeast Asian news wire.
  • Although there is currently no evidence of the offers being legitimate, the access to news websites could potentially allow malicious actors to edit articles, spread disinformation or plant malware on the affected sites.

Source

 

Phishing campaign targets Office 365 users

  • Researchers at Kaspersky Lab have stated that the phishing campaign has been going on since summer 2018, and involves hackers tricking employees into sharing their Office 365 credentials in a campaign dubbed PhishPoint.
  • The phishing email does link to a legitimate document in OneDrive for Business, but the ‘Access Document’ link at the bottom of the email links to a third-party site, masquerading as an access request. Once the user enters their credentials to this phishing page, an attacker will retrieve them and leverage them to perform malicious actions.

Source

 

CoAP used for DDoS amplification

  • Netscout has warned that the Constrained Application Protocol (CoAP) is being used by attackers for the amplification of distributed denial-of-service attacks. The attacks are hitting targets that are ‘geographically and logically well distributed, with little commonality between them.’ The attacks run at around 100 packets per second and last around 90 seconds overall.
  • Around 388,344 CoAP devices have been found on the Internet, with 81% of these located in China and others in Brazil, Morocco, the US and South Korea.

Source

 

Leaks and Breaches

Huddle House restaurant chain discloses point-of-sale data breach

  • According to Huddle House’s official statement, threat actors compromised a third-party point-of-sale (POS) vendor’s data system and exploited the vendor’s assistance tools to gain remote access to some of Huddle House’s corporate and franchisee’s POS systems.
  • Customers who have used a payment card at a Huddle House location between August 1st, 2017 and February 1st, 2019 may have been affected. Information including cardholder names, credit and debit card numbers, expiration dates, CVVs and service codes may have been breached.  

Source

 

European Commission recalls ENOX children’s smartwatches

  • Safe-KID-One watches made by German firm ENOX were recalled following reports that they do not comply with the Radio Equipment Directive and pose serious risks to their users.
  • The mobile application accompanying the watch was found to use unencrypted communication with its backend server, enabling unauthenticated access to data. This data includes location history, phone numbers or serial numbers, which could be retrieved and altered.
  • Moreover, a malicious actor could send commands to any watch and force it to call a number of their choosing, communicate with the child wearing the device, or locate the child using GPS.

Source

 

Crosby Independent School District hit by ransomware

  • It is believed no data has been compromised in the ransomware attack that affected the Texas school district’s IT systems.

Source

 

Hackers steal card details of thousands of Great British Florist customers

  • The UK commerce site said that credit card details were most likely scraped when entered into online payment forms. Great British Florist was alerted to the breach on January 30th after customers’ card details were used in fraudulent payments.
  • The firm previously detected the presence of malware on its website in early December 2018 and believes it was re-infected soon after.

Source

 

Roper St Francis Healthcare hit by cyber attack

  • The breach notification stated that someone gained access to thirteen employee emails between November 15th and December 1st, 2018. Some patient information could have been in those emails, including names, dates of birth and medical information pertaining to care at Roper St Francis.

Source

 

Vulnerabilities

Severe vulnerabilities discovered in Tightrope Media Systems’ digital signage software

  • The flaws discovered by security researcher Drew Green are the result of the use of a default administrator password, a bug tracked as CVE-2018-18929.  After gaining access to the web interface, Green found online references to an arbitrary file read (LFI) vulnerability, tracked as CVE-2018-14573, in the software’s RenderingFetch API function.  
  • Another flaw, tracked as CVE-2018-18931, was found and permitted the researcher to escalate privileges on a user account to a local administrator.

Source

 

Vulnerability discovered in Ubiquiti devices

  • Nearly half a million Ubiquiti devices may be affected by the vulnerability, which is being actively exploited in the wild. The vulnerability is a denial-of-service issue that is being targeted by attackers via a discovery service on UDP port 10001. When exploited, it leaves the devices inoperable until they are rebooted.
  • Security firm Rapid7 have revealed that they have been monitoring suspicious port 10001 traffic for at least a year. Ubiquiti are aware of the issue and are currently working on a firmware update.

Source

 

General News

UK Student Loans Company (SLC) hit by almost 1 million cyber attacks in the last year

  • Following a request for information by the think tank Parliament Street, it was revealed that the organisation was hit by 965,639 separate attacks in the 2017/18 financial year. The attempted attacks included SQLi attempts.
  • Further to this, SLC also defended against 323 malware attempts and 235 malicious emails and calls. 127 of these were not blocked and were therefore treated as ‘incidents’; however, only one attack resulted in an actual breach, in which the SLC website was infected with Monero cryptocurrency mining malware via a third-party plugin.

Source

 

Chinese software manager exploits ATM loophole to steal $1 million

  • Qin Qisheng was employed in Huaxia Bank’s software and technology development centre and discovered a flaw in the bank’s ATM system that allowed him to make unrecorded ATM withdrawals around midnight.
  • Qin developed a number of scripts that allowed him to make regular withdrawals and send them to his bank account. Despite claiming he was simply performing ‘internal security tests’, Qin was sentenced to ten and a half years in prison in December 2018.

Source

 

Palo Alto Networks release all IOCs associated with APT10

  • Palo Alto Networks’ Unit 42 published all Indicators of Compromise (IOCs) associated with APT10 alongside details of relevant malware and attack infrastructure.
  • This follows the US Department of Justice’s indictment of two individuals, believed to be members of APT10, on December 20th, 2018, on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft.
  • The charges are based on evidence from Operation Cloud Hopper, a lengthy campaign that began in 2014 and targeted Managed Security Providers (MSPs) to steal intellectual property and leverage networks for further attacks.

Source

 

Hacker responsible for theft of $5 million through SIM swapping sentenced to 10 years in prison

  • 20-year-old Joel Ortiz pleaded guilty in Santa Clara County to stealing over $5 million in cryptocurrency after hijacking the phone numbers of roughly 40 individuals. Californian authorities believe Ortiz is the first person ever to be convicted of SIM swapping.

Source

 

The Silobreaker Team
