Silobreaker Daily Cyber Digest – 01 November 2018
Kraken ransomware now distributed as ransomware-as-a-service
- The new version of Kraken ransomware, dubbed Kraken v.2, is being promoted on the dark web as a ransomware-as-a-service (RaaS) offering, alongside a video demonstrating the ransomware’s capabilities.
- Those interested must complete a form and pay $50 to join as a trusted partner, after which affiliates receive a new build of the ransomware every 15 days, complete with updated payloads and new detection-evasion techniques.
New Stuxnet variant hits infrastructure and strategic networks in Iran
- A report from the Israeli evening news bulletin Hadashot has stated that Iran ‘has admitted in the past few days that it is again facing a [Stuxnet-like] attack.’ The variant is reportedly more sophisticated and violent than its predecessor, and has targeted infrastructure and strategic networks.
- Stuxnet was allegedly created by intelligence agencies in the U.S. and Israel, and was tailored to target Siemens industrial control system equipment. More specifically, it reportedly reprogrammed the programmable logic controllers (PLCs) driving uranium enrichment centrifuges at facilities in Iran.
Ongoing sextortion campaign uses breached credentials to scare victims
- Two separate reports, one by Cisco Talos and the other by Barracuda Networks, analyse ongoing sextortion scam operations, the earliest of which has been active since July 2018.
- The campaigns use publicly available lists of breached email addresses and passwords to frighten victims: the email quotes a password the recipient has genuinely used and then falsely claims they were recorded watching pornographic content. The perpetrators blackmail targets by threatening to release the supposedly compromising material. In total, the campaigns are believed to have generated at least $147,000 in Bitcoin.
- Cisco has dubbed the campaign the ‘Aaron Smith Operation’ after the email headers, which feature variations of this name. Talos also found that 50% of the emails originated from Vietnam, Russia, India, Indonesia and Kazakhstan, and suspects that the Necurs botnet may be involved in the operation.
Phishing campaign relating to Brazilian presidential election targets users in Brazil
- Researchers from Cofense identified a recent phishing campaign targeting Brazilian users and distributing the Astaroth trojan. Emails referencing the recent Brazilian presidential election attempted to lure victims into downloading malicious .lnk (Windows shortcut) files or clicking on malicious links.
- The subject lines referred to a scandal involving then-presidential candidate Jair Bolsonaro. Some of the emails also impersonated the Brazilian Institute of Public Opinion and Statistics (IBOPE).
Perl Shellbot variant targets organizations via C&C
- Trend Micro researchers have discovered a recent campaign attributed to a hacking group dubbed ‘Outlaw’. The group targets organizations with an IRC bot built from a Perl Shellbot variant.
- The bot is distributed by exploiting a common command injection vulnerability found in IoT devices, Linux servers, and Windows and Android devices. The threat actors compromised a File Transfer Protocol (FTP) server belonging to a Japanese institution and a Bangladeshi government site by leveraging a vulnerability in Dovecot mail servers.
- According to Trend Micro, the two compromised servers were then linked to a high availability cluster hosting an IRC bouncer, which was used to send commands to the botnet.
Source (Includes IOCs)
Leaks and Breaches
Eurostar asks customers to reset account passwords following data breach incident
- Eurostar is urging customers to reset their passwords and check for unusual account activity after it detected unauthorized attempts to access user accounts between October 15th and October 19th, 2018.
- Eurostar found that an unknown attacker appears to have used automated login attempts against customers’ accounts with stolen email addresses and passwords, a technique known as credential stuffing. The method through which the credentials were obtained remains unknown; such lists are typically compiled from earlier breaches of other services, which is why passwords reused across sites are the ones at risk.
- According to a Eurostar spokesperson, customers who have not logged into their accounts during this period may nevertheless have had their accounts accessed. No credit card or payment details were compromised.
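The signature of the attack described above is one source address cycling through many distinct accounts in a short window with a low success rate, and the few successes are the accounts whose leaked password still works. The Python detector below is an added illustration, not Eurostar’s own tooling: the log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detection over login logs (added example, constructed data)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ok user ip")

# Constructed sample log, not real Eurostar data.
# Assumed format: "<ISO-8601 timestamp> <OK|FAIL> <account> <source IP>".
SAMPLE_LOG = """\
2018-10-15T02:00:01Z FAIL alice@example.com 203.0.113.7
2018-10-15T02:00:02Z FAIL bob@example.com 203.0.113.7
2018-10-15T02:00:02Z FAIL carol@example.com 203.0.113.7
2018-10-15T02:00:03Z OK dave@example.com 203.0.113.7
2018-10-15T02:00:03Z FAIL erin@example.com 203.0.113.7
2018-10-15T02:00:04Z FAIL frank@example.com 203.0.113.7
2018-10-15T02:00:05Z FAIL grace@example.com 203.0.113.7
2018-10-15T02:00:05Z FAIL heidi@example.com 203.0.113.7
2018-10-15T02:00:06Z OK ivan@example.com 203.0.113.7
2018-10-15T02:00:06Z FAIL judy@example.com 203.0.113.7
2018-10-15T02:05:00Z FAIL alice@example.com 198.51.100.4
2018-10-15T02:05:30Z FAIL alice@example.com 198.51.100.4
2018-10-15T02:06:00Z OK alice@example.com 198.51.100.4
2018-10-15T09:00:00Z OK bob@example.com 192.0.2.10
"""


def parse_log(text):
    """Parse the assumed log format into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            result == "OK", user, ip))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_attempts=8, min_accounts=8):
    """Flag source IPs that, within `window`, make at least `min_attempts` logins
    spread over at least `min_accounts` distinct accounts.

    Keying on distinct accounts per source is what separates stuffing from a
    legitimate user mistyping their own password a few times (198.51.100.4 above).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            accounts = {e.user for e in win}
            if len(win) >= min_attempts and len(accounts) >= min_accounts:
                # Successful logins inside a stuffing burst are the accounts whose
                # leaked password is valid: these are the ones to force-reset.
                compromised = sorted({e.user for e in win if e.ok})
                flagged[ip] = {"attempts": len(win), "accounts": len(accounts),
                               "compromised": compromised}
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The `compromised` list is the actionable output: those credentials are demonstrably valid and need a forced reset regardless of whether the wider customer base is asked to change passwords. Attackers routinely spread attempts across proxies to stay under per-IP thresholds, so in practice the same window logic is also keyed on coarser sources (ASN, user agent, device fingerprint) and backed by rate limiting.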
Radisson Hotel Group suffers data breach resulting in exposure of personal information
- The Radisson Hotel Group has suffered a data breach in which the personal information of members of its Radisson Rewards loyalty scheme was exposed.
- The breached information includes names, addresses, country of residence, email addresses and, in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers. According to Radisson, payment card details and passwords were not exposed.
- The incident occurred on September 11th, 2018 but remained undetected until October 1st, 2018. According to a Radisson spokesman, ‘the data security incident impacted less than 10% of Radisson Rewards member accounts.’
‘Stalkerware’ website and app Xnore exposes data of 28,000 users
- The website and app known as Xnore inadvertently allowed anyone using the service to obtain information from other people’s accounts and to intercept the communications of approximately 28,000 users.
- The accounts were exposed via a flaw in the map feature on Xnore’s website: anyone who viewed the page’s HTML source could see the mobile identifier Xnore uses to look up collected data, and that identifier alone was enough to retrieve any device’s data, a classic insecure direct object reference. Collected data included Facebook and WhatsApp messages, GPS coordinates, emails, photographs and more.
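The defect in an insecure direct object reference is not that the identifier is visible but that the endpoint serving the data trusts it without checking who is asking. The Python sketch below is an added illustration, not Xnore’s code: the device identifiers, account names, record contents and the `data-device` HTML attribute are all constructed. It shows what a visitor can harvest from page source, the vulnerable lookup, and the ownership check that closes the hole whether the other identifiers come from the same page, from guessing, or from elsewhere.

```python
"""IDOR in a monitoring-app map page, and the ownership check that closes it.
Added example with constructed data; not Xnore's code."""
import re

# Constructed: which account registered which monitored device, and what was collected.
DEVICES = {
    "dev-7f3a1c": {"owner": "alice", "records": ["GPS 51.5007,-0.1246", "WhatsApp: 'running late'"]},
    "dev-0b9e42": {"owner": "bob",   "records": ["GPS 40.7128,-74.0060", "Facebook: 'call me tonight'"]},
}


class Forbidden(Exception):
    """Raised when a caller asks for data on a device they do not own."""


def render_map_page(user):
    """The map page embeds each device identifier in the HTML so the browser can plot pins.
    The attribute name is an assumption; the point is that the id sits in page source."""
    own = [dev for dev, info in DEVICES.items() if info["owner"] == user]
    return "\n".join(f'<div class="pin" data-device="{dev}"></div>' for dev in own)


def identifiers_in_page(html):
    """What anyone who views the page source can harvest."""
    return re.findall(r'data-device="([^"]+)"', html)


def collected_data_vulnerable(device_id):
    """Vulnerable endpoint: the identifier alone selects the record set, so whoever
    learns an identifier (from any page, or by guessing) reads that device's data."""
    return DEVICES[device_id]["records"]


def collected_data_fixed(user, device_id):
    """Hardened endpoint: the identifier is looked up and then checked against the
    authenticated account. Missing and foreign devices get the same error so the
    endpoint cannot be used to enumerate valid identifiers."""
    info = DEVICES.get(device_id)
    if info is None or info["owner"] != user:
        raise Forbidden("no such device for this account")
    return info["records"]


if __name__ == "__main__":
    print(identifiers_in_page(render_map_page("alice")))   # what alice sees in page source
    print(collected_data_vulnerable("dev-0b9e42"))         # bob's messages, no check at all
    try:
        collected_data_fixed("alice", "dev-0b9e42")
    except Forbidden as e:
        print("fixed endpoint:", e)
```

Removing the identifier from the HTML would not have fixed this; the browser needs some handle to fetch the data, so the handle must be treated as untrusted input and bound to the session on the server side.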
Arik Air fails to act appropriately following a data leak notification
- The leak, discovered on September 6th, 2018 by Cloudflare employee Justin Paine, consisted of 994 CSV files in a publicly accessible Amazon S3 bucket, containing customer information dating from December 31st, 2017 to March 16th, 2018. The data included device fingerprints, names, email addresses, credit card digits and IP addresses.
- Paine stated that roughly a month passed after he reported the leak to Arik Air before the airline issued a notice saying that the S3 bucket had been secured.
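An S3 bucket becomes readable by the whole internet through one of two mechanisms: a bucket policy that allows actions to the anonymous principal `*`, or an ACL grant to the AllUsers (or AuthenticatedUsers) group. The checker below is an added example, not Arik Air’s or Cloudflare’s tooling; it evaluates the JSON documents that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return, offline, against constructed examples of a leaky and a locked-down bucket (the bucket name and role ARN are made up).

```python
"""Flag S3 bucket policies and ACLs that expose data to anyone. Added example; inputs are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account: public in practice

# Constructed: the shape of a bucket policy that leaks (anonymous GetObject on every key).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}],
})
# Constructed: an ACL granting READ to everyone on the internet.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# Constructed: the locked-down equivalents, scoped to one IAM role and the bucket owner.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/exports-reader"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}],
})
LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}


def _principals(stmt):
    """Normalise the Principal element to a list of strings ('*' or ARNs)."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    vals = p.get("AWS", [])
    return [vals] if isinstance(vals, str) else list(vals)


def public_policy_statements(policy_json):
    """Allow statements whose principal is the anonymous wildcard."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):      # a single statement may appear un-listed
        stmts = [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow" and "*" in _principals(s)]


def public_acl_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def bucket_exposure(policy_json, acl):
    """Human-readable reasons a bucket is reachable without the owner's credentials.
    An empty list means neither mechanism opens it. A wildcard statement that carries a
    Condition is still reported, because conditions such as a Referer match are not
    access control."""
    reasons = []
    for s in public_policy_statements(policy_json):
        cond = " (with Condition)" if "Condition" in s else ""
        reasons.append(f"policy allows {s.get('Action')} to everyone{cond}")
    for g in public_acl_grants(acl):
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        reasons.append(f"ACL grants {g['Permission']} to {group}")
    return reasons


if __name__ == "__main__":
    print("leaky :", bucket_exposure(LEAKY_POLICY, LEAKY_ACL))
    print("locked:", bucket_exposure(LOCKED_POLICY, LOCKED_ACL))
```

Against a live account, `aws s3api get-bucket-policy-status --bucket NAME` gives AWS’s own `IsPublic` verdict for the policy side, and an account-level public access block stops either mechanism from being switched on in the first place, which is the control that turns a month-long exposure into a failed configuration change.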
Researcher discovers new passcode bypass method on iOS 12.1 devices
- The day after iOS 12.1 was released, security researcher Jose Rodriguez disclosed a new passcode bypass method that allows anyone with physical access to view the email addresses and phone numbers stored on a locked device.
- The method involves asking Siri to make a call which, once answered, is switched to FaceTime; the ‘Add Person’ option then shows an auto-populated list of contacts. Rodriguez demonstrated the bypass on YouTube to show how easily the device’s contact information can be viewed.
Cisco Talos discovers multiple vulnerabilities in Yi Technology Home Camera
- The vulnerabilities could allow an attacker to disable the camera and prevent it from recording, delete stored videos, view video feeds, potentially launch attacks against the camera owner’s phone app, and use the camera as a foothold in the network to attack other devices.
- The flaws include several code execution vulnerabilities in the firmware update functionality, the time syncing functionality, the code-scanning functionality, the cloud OTA setup functionality, and more.
- The most severe is a remote code execution flaw tracked as CVE-2018-3892, which only requires the attacker to be able to answer an HTTP request made by the camera in order to gain code execution via command injection; any on-path position, such as a man-in-the-middle on the camera’s network, is enough.
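The dangerous pattern behind ‘answer the camera’s HTTP request and get command injection’ is firmware that takes a field from an HTTP response and interpolates it into a shell command. The Python example below is added here and is not the Yi firmware or Talos’s proof of concept: the response format (a `server=` line), the command (a harmless `echo` standing in for whatever the firmware actually runs) and the hostname grammar are all assumptions, and both response bodies are constructed. The vulnerable function executes whatever the response says; the hardened one validates the field and passes it as a single argv element with no shell.

```python
"""Command injection from an attacker-controlled HTTP response body, and the fix.
Added example; not the camera vendor's code. Response format and command are assumed."""
import re
import subprocess

# Constructed responses to the camera's (assumed) time-sync request.
BENIGN_RESPONSE = "status=ok\nserver=time.example.com\n"
# What an on-path attacker answers the plaintext HTTP request with instead.
HOSTILE_RESPONSE = "status=ok\nserver=time.example.com; echo INJECTED\n"

# RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_sync_response(body):
    """Pull the server field out of the response (assumed key=value lines)."""
    m = re.search(r"^server=(.*)$", body, re.MULTILINE)
    if not m:
        raise ValueError("response has no server field")
    return m.group(1)


def sync_command_vulnerable(body):
    """Builds a shell command by string concatenation; `echo` stands in for the
    real time-sync client. Every shell metacharacter in the response is honoured."""
    return "echo syncing with " + parse_sync_response(body)


def run_vulnerable(body):
    """shell=True hands the concatenated string to /bin/sh, so ';' starts a new command."""
    return subprocess.run(sync_command_vulnerable(body), shell=True,
                          capture_output=True, text=True).stdout


def sync_argv_fixed(body):
    """Validates the field against a strict hostname grammar, then returns an argv
    list so the value can only ever be one argument and no shell is involved."""
    server = parse_sync_response(body)
    if not HOSTNAME.fullmatch(server):
        raise ValueError(f"rejecting server field {server!r}")
    return ["echo", "syncing", "with", server]


def run_fixed(body):
    return subprocess.run(sync_argv_fixed(body), capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(run_vulnerable(HOSTILE_RESPONSE), end="")   # second output line proves the injected command ran
    try:
        run_fixed(HOSTILE_RESPONSE)
    except ValueError as e:
        print("fixed:", e)
```

Two things keep this class of bug from being reachable at all: fetching over TLS with certificate validation, so an on-path attacker cannot answer the request in the first place, and never handing response data to a shell even after validating it. The regex is defence in depth; the argv list is what removes the injection primitive.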
Zero-day vulnerability discovered in Cisco security appliances
- Cisco has reported a serious vulnerability, tracked as CVE-2018-15454, affecting some of the company’s security appliances. The flaw lies in the Session Initiation Protocol (SIP) inspection engine used in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
- The flaw could be exploited to cause an affected device to reload or to consume CPU resources, resulting in a denial of service (DoS) condition. Attackers ‘could exploit this vulnerability by sending SIP requests’ at a ‘high rate’ to trigger the condition. According to Cisco, the flaw is being actively exploited.
- The bug impacts ASA software versions 9.4 and later and FTD software versions 6.0 and later when SIP inspection is enabled, which it is by default. No patch is available at the time of writing; Cisco’s advisory recommends disabling SIP inspection where it is not required and blocking offending source hosts as interim mitigations.
Source (Includes IOCs)
Flaws found in several popular card readers
- Leigh-Anne Galloway and her team at Positive Technologies analysed seven card readers from four popular vendors: SumUp, iZettle, PayPal and Square. In particular, the team assessed the security of the communication between the phone used to process a payment and the vendor’s POS server, as well as between the POS terminal and the phone.
- Several attack vectors were discovered. In one, two of the terminals accepted arbitrary commands addressed to their displays, allowing an attacker to manipulate the on-screen messages shown to the customer. An attacker could connect to the terminal in developer mode and send such commands with no authentication at all.
UK law firm prepares for class action lawsuit against Cathay Pacific following data breach
- UK law firm SPG Law has claimed that Cathay Pacific is liable for compensation ‘under the relevant data protection laws.’ Following the airline’s data breach earlier this year, the firm believes that affected passengers could be eligible for compensation.
Ex Air Force member in New Mexico accused of computer fraud
- Michael Webber, 22, was arrested on Tuesday morning after allegedly placing a program described as a ‘spam bot’ onto a government-issued mobile phone assigned to his supervisor at Cannon Air Force Base on January 16th, 2018.
- The bot reportedly caused the phone to receive a flood of messages intended to damage the device.
GandCrab ransomware loses estimated $1 million following decryption tool release
- Bitdefender has estimated that the perpetrator behind the GandCrab ransomware campaign has incurred a loss of about $1 million in ransom payments following the company’s release of a free decryption tool on October 25th, 2018.
- At least 1,700 victims located in South Korea, China, India and the US were able to successfully decrypt their files using the tool.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.