Silobreaker Daily Cyber Digest – 02 April 2019
vxCrypter ransomware deletes duplicate files
- vxCrypter ransomware could be the first ransomware infection that deletes duplicate files. vxCrypter is a .NET ransomware that is based upon the older ransomware vxLock.
- Analysis of the ransomware uncovered that it keeps track of the SHA256 hash of each encrypted file and, if it encounters the same hash again during encryption, deletes the duplicate file. It is possible that the ransomware does this to increase the speed of encryption.
ELF Bot analysis published
- MalwareMustDie lead researcher unixfreaxjp analysed Elf Bot, also tracked as Linux/DDoSMan. It is described as a new Chinese distributed denial-of-service malware that evolved from Elknot, borrowing code from its predecessor. It is capable of infecting Linux systems, and communicating with a C&C server in order to execute commands, send statistical data, conduct DDoS attacks, self-update and more.
Researchers observe NCAA March Madness-related phishing and streaming scams
- While investigating unofficial streams for the upcoming National Collegiate Athletic Association’s (NCAA) March Madness men’s basketball tournament, Zscaler researchers discovered a series of adware installers, phishing attacks and fraudulent security warnings leading to malicious browser plugins.
- In one case, a malicious streaming site was spotted containing adware on almost all of its pages. The researchers also discovered numerous typo-squatted domains for terms associated with the NCAA tournament.
Game of Thrones series popular for disguising malware in illegal content downloads
- Kaspersky Lab’s Securelist researchers reported that cybercriminals are using illegal content downloads for popular TV shows to distribute malware. The most commonly exploited TV shows are Game of Thrones (GoT), The Walking Dead, and Arrow. In particular, GoT was found to account for 17% of all infected pirated content in 2018.
- The researchers also found that the most common threats were trojans. In 17% of all cases, pirated content users were infected with worms of the Trojan.WinLNK.Agent family.
Facebook removes Indian IT cell related content
- Facebook has announced that 687 pages and accounts linked to an IT cell of the Indian National Congress have been removed as a result of their ‘coordinated inauthentic behaviour’. 15 of these groups, accounts and pages were associated with Indian IT Firm ‘Silver Touch’.
- The content posted by them was primarily local news and political events, discussing the Indian government, elections, as well as misconduct claims against political opponents. In addition, 321 pages and accounts were deemed as spam, due to them being either fake or duplicate accounts that posted links to malware and large amounts of affiliated content across Facebook to generate revenue for the actor.
LulzSec launch annual ‘April Lulz’ event
- The event, run by LulzSec hackers, is focused on hacking corporate websites, government websites, government servers, private IPs, and computers.
- According to the Manila Bulletin, several local LulzSec branches as well as affiliated hacking groups have taken part in the event, sharing evidence of their hacks and exploits on social media under the hashtag ‘AprilLulz2k19’. These include Pinoy LulzSec, LulzSec Argentina, LulzSec Italy, FilTech Hackers Philippines, and Pinoy ClownSec.
Leaks and Breaches
Over 13,500 iSCSI storage clusters left exposed online without a password
- According to ZDNet, the Internet Small Computer Systems Interface (iSCSI) clusters are currently accessible via the internet after their owners forgot to enable authentication.
- The issue was discovered by a penetration tester known as ‘A Shadow’ who found over 13,500 clusters on Shodan. According to A Shadow, this misconfiguration can allow attackers to plant ransomware on companies’ networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these malicious files.
- Further investigation of the clusters uncovered passwordless iSCSI-accessible storage systems belonging to a YMCA branch, a Russian government agency, and multiple universities and research institutions worldwide.
Indian government agency exposed over 12.5 million medical records of pregnant women
- Security researcher Bob Diachenko discovered a misconfigured MongoDB database belonging to the Department of Medical, Health and Family Welfare of a northern Indian state.
- The database exposed medical information related to the Pre-Conception and Pre-Natal Diagnostic Techniques Act that bans prenatal sex determination in India in an attempt to prevent the abortion of unborn females. Medical tests that may reveal an unborn child’s sex require thorough documentation, which was exposed in this case.
- The affected information includes detailed medical information and digitized versions of medical forms that contain patients’ full names, addresses, ages, telephone numbers, diagnoses, pregnancy status, procedures undergone, test results, information about referring doctors, and more.
Albany, New York, hit by ransomware attack
- The City of Albany, New York, was hit by a ransomware attack on March 30th, which, according to a press release, left birth certificates, death certificates and marriage certificates inaccessible to the public. The city is currently attempting to understand the exact extent of the damage.
Google fixes two critical Android code execution flaws
- CVE-2019-2027 and CVE-2019-2028 impact the Media framework and could allow remote attackers to use specially crafted files to ‘execute arbitrary code within the context of a privileged process’. The flaws impact Android 7.0 and later.
- Google also patched a further 11 security flaws within AOSP, two rated as critical and nine rated high. The critical flaws could allow a threat actor to perform remote code execution attacks, while the remaining 11 are escalation of privilege or information disclosure flaws.
Serious path traversal vulnerability discovered in Kubernetes
- Researchers at Twistlock discovered a path traversal and arbitrary code execution flaw, tracked as CVE-2019-1002101, in Kubectl, a command-line interface for running commands against Kubernetes clusters.
- Specifically, the vulnerability affects the cp command that is used to copy files between a container and the user’s machine. It can be exploited to write arbitrary files to any location on the system when the Kubectl cp command is used.
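The defensive check that a flaw of this class calls for, as an added illustration that is not kubectl's or Kubernetes' own code: before writing any entry from an untrusted tar stream (such as one returned by a container) to the local destination directory, resolve the entry name under that directory and refuse anything absolute or anything that climbs out via `..`. The `SafeJoin`, `VetArchive` and `SampleArchive` names, the `/tmp/out` destination and the archive contents are all constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry that would land outside dest.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// SafeJoin resolves entryName under dest and rejects absolute names and names
// that escape dest after ".." components are resolved (hypothetical helper).
func SafeJoin(dest, entryName string) (string, error) {
	if filepath.IsAbs(entryName) {
		return "", ErrTraversal
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, entryName) // Join cleans, resolving ".."
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// VetArchive walks a tar stream and classifies each entry name as safe to
// write under dest or as a traversal attempt; nothing is written to disk.
func VetArchive(archive []byte, dest string) (accepted, rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return accepted, rejected, nil
		}
		if nerr != nil {
			return nil, nil, nerr
		}
		if _, jerr := SafeJoin(dest, hdr.Name); jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
}

// SampleArchive builds a constructed in-memory tar: one benign entry and two
// entries whose names try to escape the destination directory.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"app/config.yaml", "../escape.txt", "/abs/escape.txt"} {
		body := []byte("constructed sample\n")
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := VetArchive(SampleArchive(), "/tmp/out")
	fmt.Println("accepted:", accepted, "rejected:", rejected, "err:", err)
}
```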
Cross-site scripting flaw discovered in Google Search
- The vulnerability first appeared on September 26th 2018, when sanitization mechanisms were removed as a result of UI design issues. It was fixed on February 22nd, 2019, as the September changes were reverted.
- Google stated that they patched the vulnerability shortly after learning of its existence. It has been suggested that the library has been used throughout multiple products, and so it’s likely that the flaw exists there too.
Researchers trick Tesla Autopilot into steering into oncoming traffic
- Researchers devised a simple way to steer automatic Tesla cars into oncoming traffic, by using small stickers to confuse the Enhanced Autopilot of a Model S 75 into detecting and following a change in the lane.
- The Enhanced Autopilot uses cameras, ultrasonic sensors and radar to understand its surroundings, picking up on nearby obstacles, terrain and changes in lanes. The data is then fed into onboard computers that use machine learning to formulate a response.
- The stickers were barely visible to the drivers and were detected by the car as a line that indicated the lane was shifting to the left.
US airlines suffer flight disruption due to aero-data outage
- US airlines, including Southwest Airlines, American Airlines, Delta Airlines, United Airlines, Alaska Airlines and JetBlue experienced problems with their computer systems which led to flight cancellations and delays on April 1st.
- The airlines’ computer systems are provided by AeroData, who supply aircraft performance data, weight and balance data, and load planning services to the airline industry to support approximately 21,000 flights per day. The Federal Aviation Administration stated that the computer problem has now been resolved.
Google warns of attacks using backdoored SDKs and pre-installed apps on Android
- In a newly released report for the year 2018, Google warns of a rise in the number of potentially harmful apps (PHAs), that were either pre-installed or delivered via over-the-air updates, on Android devices. The report also notes an increase in the number of backdoored Software Development Kits (SDKs) in the last year.
- These PHAs range from data harvesting apps to ones that manipulate or degrade the users’ experience. They may also be part of a larger operation such as click fraud, cryptocurrency mining, or app install attribution fraud.
Ukrainian man extradited to US facing charges in international money laundering and fraud
- According to an indictment released by the US Department of Justice, the Ukrainian national, Aleksandr Musienko, ran his operation between 2009 and 2012, targeting dozens of victims, including a corporation based in the Western District of North Carolina.
- Musienko allegedly cooperated with cybercriminals who had hacked into, and stolen funds from the online bank accounts of individuals and corporations in the US. He also ran a network of ‘money mules’ throughout the US, leading to the theft and laundering of at least $2.8 million.
Major cyber attack expected to hit Israel on April 7th
- The attack is reportedly a ‘semi-organised international hacking assault’, known as ‘OpIsrael’, which is an annual occurrence undertaken by international anti-Israel activists, including Anonymous Group. Denial-of-service attacks, breaking into websites and other basic forms of hacking are expected to take place.
- In previous years, OpIsrael has resulted in the theft of various Israelis’ names, passwords, email addresses and credit card numbers.
UAE accused of spying on Arab Media
- It is alleged by Reuters that the UAE has been spying on figures in Arab media including Faisal al-Qassem of Al Jazeera and Giselle Khoury of the BBC, and that they were aided by hackers in the US. Known as Project Raven, their objective was to find material proving that the royal family of Qatar have been influencing coverage by media outlets, and to find any ties between them and the Muslim Brotherhood.
- Reuters was unable to determine what data, if any, was obtained.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.