Silobreaker Daily Cyber Digest – 01 February 2019
New CookieMiner malware collects cookies and credentials to steal and mine cryptocurrency
- Researchers at Palo Alto Networks’ Unit 42 discovered a new malware, dubbed CookieMiner, targeting macOS devices. It is believed to have been developed from DarthMiner malware.
- CookieMiner is capable of stealing Safari browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by victims. It also steals passwords and credit card information saved in Chrome or iPhone text messages stored in iTunes backups on the targeted Mac device.
- The malware was also spotted configuring the system to load coin-mining software which is disguised as an XMRig-type coinminer, used to mine Monero. However, it instead loads a coinminer that mines Koto, a cryptocurrency associated with Japan.
- CookieMiner has attacked exchanges including Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website containing the term ‘blockchain’ in its domain name.
Source (Includes IOCs)
Basecamp defends against hour long credential stuffing attack
- On January 29th, Basecamp’s platform was targeted by a credential stuffing attack that hit 124 out of the company’s 3 million accounts. The attacker made approximately 30,000 attempts to access Basecamp accounts from several IP addresses.
- The attack was eventually stopped via a CAPTCHA system. Passwords were reset for all 124 accounts which were successfully breached.
GMX warns of new ‘calendar spam’ campaign
- The new spam campaign involves sending ‘unwanted calendar appointments’ along with conventional spam emails to victims’ inboxes to provide the perpetrators with multiple opportunities to infect victims with malware.
- The calendar attachment can attack a victim when the invitation is sent, when its an entry on the calendar and if the appointment contains a reminder function.
Facebook takes down accounts associated with widespread Iran-led manipulation campaign
- According to Facebook’s statement, the company removed 783 pages, groups and accounts ‘for engaging in coordinated inauthentic behaviour tied to Iran’. The pages were part of a campaign designed to promote the interest of Iran in over 20 countries by creating fake identities as residents of those nations.
- The accounts posted content that has been described as ‘commentary that repurposed Iranian state media’s reporting on topics like Israel-Palestine relations and the conflicts in Syria and Yemen’. The campaign is believed to have been active since at least 2010. Facebook also took down 162 Instagram accounts that had a total of 2 million followers.
Hacker groups leverage vulnerability in SS7 protocol to steal money
- Motherboard has discovered that hacker groups are using previously exploited flaws in SS7 to gain access to bank accounts to steal money. They found that Metro Bank in the UK had fallen victim to this attack, and further analysis revealed that this method is much more prevalent than previously thought.
- SS7 is a protocol that is used by telecom companies to coordinate how texts and calls are routed around the world. Exploiting the flaw in this protocol potentially allows hackers to track phones around the world, as well as intercept text messages and phone calls without the need to hack the phone itself.
- The National Cyber Security Centre (NCSC) has confirmed that SS7 is being used to target bank accounts by intercepting SMS text messages used for 2FA.
TheMoon IoT botnet available to be sold as-a-service
- TheMoon now contains a new module that allows bots from the botnet to be sold to other actors as-a-service. Active since 2014, it is capable of targeting many different modems and routers from brands such as ASUS, Linksys and D-Link.
- The new module appears to pick a random proxy port above 10,000, which, according to CenturyLink analysts, is changed multiple times per day.
- One actor was seen leveraging TheMoon to conduct video ad fraud, mimicking thousands of people clicking on their video ads.
Drive-by download attack analysed by SpiderLabs
- Trustwave Spiderlabs have published an analysis of a variation of an exploit leveraging the vulnerability CVE-2018-15982 that was patched in Adobe Flash Player in December 2018. Originally exploited by an APT group, the CVE has since been integrated into exploit kits that no longer need to leverage a malicious Office document, instead functioning completely standalone on a domain.
- When the URL was first checked against available security engines, only 4 out of 66 detected the domain as malicious, marking it as ‘Phishing’. The page contains a Shockwave Flash file that attempts to download a file called ‘in.exe’. The executable was not available at the time of analysis, and so SpiderLabs researchers could not investigate this.
Source (Includes IOCs)
New ‘Collection 2-5’ data breach exposes 2.2 billion email accounts and relevant passwords
- German security firm Heise Security discovered 2.2 billion email addresses and associated passwords freely accessible on the web. The firm labelled this data leak ‘Collection 2-5’.
- The credentials were found in data caches similar to the Collection 1 data dump that was discovered in mid-January this year, and involved 773 million unique emails in 600GB of exposed data. Moreover, similarly to Collection 1, Collection 2-5 does not involve newly exposed data, but data that has been most likely compiled from previous breaches.
- According to Heise Security, the leaked data was initially traded on online forums before becoming publicly accessible via the hoster Mega.
State Bank of India suffers data breach impacting millions of account holders and customers
- India’s largest bank failed to password-protect a server based in Mumbai, exposing partial bank account numbers, phone numbers, balance, transaction details, and more. The server is used to store data from SBI Quick, an SMS and cell-based service. The specific number of affected individuals remains undisclosed.
Home improvement startup Houzz suffers data breach
- According to Houzz’s official statement, an unauthorized third party obtained a file containing some users’ data.
- Data which may have been affected includes publicly visible information from a user’s Houzz profile including full names, cities, states, countries and profile descriptions, internal identifiers and fields. Additionally, internal account information including user IDs, Houzz usernames, one-way encrypted passwords, IP addresses, ZIP codes and Facebook IDs, were also vulnerable.
- The company has reached out to customers recommending them to change their passwords. The number of affected customers remains unknown.
Indian nationalist party’s website hacked by Kerala Cyber Warriors
- The official website of Akhil Bharatiya Hindu Mahasabha (ABHM) was defaced by the Kerala Cyber Warriors. A photo of the general secretary of the right-wing group Puja Shakun Pandey was displayed alongside a message proclaiming she should be arrested.
FBI and Secret Service investigate hacking attempt at Bexar County Jail
- A few weeks before the 2018 US midterm elections, the federal agents investigated an incident in which the systems of the Bexar County Jail, Texas, were hacked. No information is believed to have been compromised.
Minnesota Department of Human Services suffers data breach
- The breach appears to have happened on September 28th, 2018, when an employee of the department fell for a phishing scam, clicking on a malicious link which in turn leveraged their account to send spam.
- The incident may have exposed personally identifiable information of up to 3,000 individuals, including names, dates of birth, phone numbers, emails and information regarding child protection cases.
- Affected individuals have been contacted by the department via a letter.
Capsule8 release exploit code for vulnerabilities in Linux systemd
- The two flaws, tracked as CVE-2018-16865 and CVE-2018-16866, were discovered by security firm Qualys in early January 2019.
- They exist in a component of systemd-journald, a system service that collects and stores logging data. The flaws allow for user-generated log data to manipulate memory in a way that they can take over system-jounald, which runs as root. Successful exploitation allows attackers to escalate privileges to root on the target system.
DoS vulnerability discovered in Oracle VirtualBox NAT network
- CVE-2019-2527 is a denial of service vulnerability in oracle VirtualBox that is ‘caused by a crafted TCP session sent from a virtual machine that causes the NAT process on the host machine to crash’. This causes all the VMs in the same NAT network to lose their network connection.
- The flaw affects VirtualBox versions prior to 5.2.26 and 6.0.4.
Alleged method to spread malware via Google Sheets discovered
- Marco Ramilli, founder of Yoroi, has claimed that he has found a way to spread CSV-based malware via Google Sheets, through the use of malicious formulas. The malware is not executed from Google Sheets, but rather when a user downloads the malicious CSV file to run locally, a user can be impacted by it.
- The behaviour analysed in the example was delivered via a spam email and contained a fake formula that attempted to spawn a command prompt instance. This formula also contained commands capable of telling command prompt to download and run an executable, which was the NanoCore RAT.
- Google has responded, stating that Marco Ramilli’s discovery is an intended behaviour.
Vulnerability discovered in telephony protocols
- The vulnerability has been discovered in the upcoming 5G protocol, and reportedly affects older 3G and 4G protocols too. The vulnerability impacts the Authentication and Key Agreement protocol, which provides authentication between cellular networks and a user’s phone.
- Discovered last year by SINTEF Digital Norway, ETH Zurich and the Technical University in Berlin, the vulnerability allows surveillance tech vendors to create a ‘new-class’ of IMSI-catchers, which are capable of creating profiles for each smartphone holder. The profile information includes mobile traffic metadata and details about a user’s mobile activity such as the quantity received of texts and calls.
- The researchers believe that the new technique can be harnessed to spy on politicians and embassy officials, as well as for better ad targeting.
Vulnerabilities discovered by LimitedResults hacker in smart lightbulb
- A hacker by the name of LimitedResults has demonstrated how to hack into an internet-connected light bulb and gain access to the owner’s Wi-Fi login and password, along with other data.
- The smart bulb hacked is the LIFX mini white, which is controlled by an app on the user’s phone. LimitedResults used a handsaw to break open the light, remove the bulb’s main chip and connect it to another chip that allowed them to interface with the bulb’s hardware through a USB port.
- The user’s Wi-Fi credentials were reportedly stored in plaintext in the bulb’s memory. The device also lacked security settings such as secure boot and flash encryption, and JTAG was enabled, which allows anyone to write data to the device’s memory.
Ethical hacker charged with breaching Magyar Telekom’s systems
- The ethical hacker that discovered a vulnerability in Magyar Telekom’s IT systems in April last year is being investigated by the Hungarian Prosecutions Service.
- The hacker reportedly notified Magyar Telecom of security issues that affected their system, and continued to search for more flaws that led to the discovery of another vulnerability that could have given attackers access to ‘all public and retail mobile and data traffic and monitor the servers of the companies served by T-Systems.’
- The second intrusion was detected by Magyar Telekom, who reported to authorities that their systems had been breached by an unknown attacker. The accused is currently being defended by Hungarian Civil Liberties Union (HCLU), and is charged with breaking into Magyar Telekom’s database and committing the ‘crime of disturbing a public utility.’
IOTA states majority of stolen $11 million in cryptocurrency was found
- IOTA Foundation said that most of the $11 million in cryptocurrency stolen from investor wallets has been discovered and is being held as evidence by law enforcement authorities.
- A 36-year-old man from Oxford, UK, was accused of stealing the IOTA coins from more than 85 victims around the world since January 2018.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.