Silobreaker Daily Cyber Digest – 02 December 2019
CStealer exfiltrates stolen Chrome credentials to MongoDB database
- Security researchers at MalwareHunterTeam identified an info-stealing trojan, named CStealer, which primarily targets credentials stored in Google Chrome.
- Analysis performed by security researcher James showed that the malware contains hardcoded MongoDB credentials and uses the MongoDB C Driver to connect to a remote MongoDB database. Stolen credentials are sent to the MongoDB database for later retrieval.
- Bleeping Computer warned that other parties who analyse CStealer could gain access to stolen information by retrieving the hard-coded MongoDB credentials from the malware.
Source (Includes IOCs)
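The CStealer item above notes that the sample embeds MongoDB credentials and talks to the database through the MongoDB C Driver. The following added example (not code from the original digest, Bleeping Computer or the researchers cited) shows the kind of triage an analyst runs over a dumped binary to flag that pattern from the defender's side: it carves printable strings, looks for `mongodb://` connection URIs that carry inline credentials, and reports them with the password redacted so the finding can be shared without propagating the secret. The blob, hostname, user and password are constructed for the example; the `mongoc_` symbol-name check is an assumption about what a binary linked against the C driver typically exposes, not a fact taken from the digest.

```python
import re
from typing import Dict, List

# Constructed sample standing in for a dumped binary section: printable runs
# separated by non-printable bytes. The URI, host and credentials are invented
# for this example and are not CStealer's real values.
SAMPLE_BLOB = (
    b"\x00\x00kernel32.dll\x00\x01mongoc_client_new\x00"
    b"mongodb://stealer_user:S3cretPass@db.example.invalid:27017/loot?authSource=admin\x00"
    b"\x7fLogin Data\x00mongoc_collection_insert_one\x00https://example.invalid/update\x00"
)

# Standard and SRV-style MongoDB URIs; the user/password group is optional so
# URIs without inline credentials are still reported (but not flagged).
MONGO_URI = re.compile(
    rb"mongodb(?:\+srv)?://"
    rb"(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@\s]*))?@)?"
    rb"(?P<host>[^/\s?]+)"
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Carve runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def find_mongo_uris(strings: List[str]) -> List[Dict[str, object]]:
    """Return every MongoDB URI found, with any embedded password redacted."""
    hits = []
    for s in strings:
        for m in MONGO_URI.finditer(s.encode("ascii")):
            user = m.group("user")
            password = m.group("password")
            redacted = s
            if password:
                # Keep the host and user for reporting; never keep the secret.
                redacted = s.replace(password.decode("ascii"), "<redacted>")
            hits.append({
                "user": user.decode("ascii") if user else None,
                "host": m.group("host").decode("ascii"),
                "credentials_embedded": user is not None,
                "redacted": redacted,
            })
    return hits


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise the MongoDB exfiltration indicators present in a binary blob."""
    strings = extract_strings(blob)
    uris = find_mongo_uris(strings)
    # Assumption: a binary linked against the MongoDB C Driver exposes
    # mongoc_* symbol names as strings (import names or debug strings).
    uses_mongoc = any(s.startswith("mongoc_") for s in strings)
    return {
        "uses_mongoc_driver": uses_mongoc,
        "mongo_uris": uris,
        "hardcoded_db_credentials": any(u["credentials_embedded"] for u in uris),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Because the report only ever carries the redacted URI, the output can go straight into a ticket or a detection rule (host and user are the useful pivots) without the reader needing the secret the digest warns about.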
Researchers discover new spyware apps
- Zscaler researchers detected a number of new spyware apps that are most likely used for malicious purposes. The apps are capable of stealing contacts, spying on text messages, stealing photos, spying on browsing history and banking apps, stealing GPS locations, and more.
- The majority of the apps are poorly designed and store stolen data on servers lacking security. In some cases, the stolen data is transferred over plain-text channels. Such poor security means any server compromise could leak every victim’s data into the wild.
- One of the apps has a package named ‘Lookout,’ the name of a well-known security vendor, and was most likely used to trick a victim into trusting the app.
Source (Includes IOCs)
Steam login stealing scam promoted through comments on user profiles
- A security researcher known as nullcookies identified a phishing scam that seeks to steal the login credentials of Steam users. Bleeping Computer identified the propagation of the scam through comments on Steam account profiles.
- The comments direct users to a site which purports to deliver free skins for use on the game Counter-Strike: Global Offensive. Targets are then prompted to enter their Steam username and password. Entered information is then exfiltrated by the attacker.
Source (Includes IOCs)
TICK threat group launches cyber espionage campaign
- Researchers at Trend Micro discovered a new campaign, dubbed Operation ENDTRADE, by the TICK group. TICK, who have been active since 2008, are an ‘organised and persistent’ group specialising in cyber espionage operations. This latest campaign, which began in February 2019, targeted Japanese organisations with subsidiaries in China. The group’s targets operate in the defence, aerospace, chemical, and satellite industries.
- The group conducted their attack using legitimate email addresses stolen in January 2019 from a Japanese economic research company and a public relations agency. The stolen email addresses were used to contact targets with spear phishing messages. The emails contained malicious attachments which the target was prompted to open.
- The group tried to steal documents using a variety of open source and custom tools. New tools used by the group can evade detection, increase obfuscation, and escalate to administrative privileges. The researchers identified TICK utilising an updated version of the DATPER backdoor, new tools named down_new malware and Avenger malware, and a modified version of the Cobalt Strike backdoor dubbed Casper malware.
- The researchers concluded that TICK has ‘the skills and resources needed to coordinate sophisticated attacks’. A full evaluation of the group’s activities, including malware analysis, is available via Trend Micro’s blog.
Source (Includes IOCs)
Leaks and Breaches
McLaren Health Plan member data potentially accessed in phishing attack
- Personal information of McLaren Health Plan members, including names, dates of birth, identification numbers, health plans, and more, may have been accessed in a third-party vendor data breach. Magellan Rx Management, a subsidiary of Magellan Health Inc, recently discovered that an unauthorised third party had gained access to the account of one of its employees who handles the member data.
- An investigation into the data breach found no evidence that the unauthorised third party accessed, viewed, or attempted to use, information present in the employee account.
Over 100 million individuals impacted by TrueDialog data breach
- On November 26th, 2019, vpnMentor researchers discovered an unsecured Microsoft Azure database belonging to TrueDialog, a US communications firm that provides SMS texting solutions to companies. The database contained 604GB of data, including almost 1 billion entries of highly sensitive data related to the company, its client base and the clients’ customers. The database has since been closed.
- Exposed information included millions of TrueDialog account login details, such as email addresses, usernames, cleartext passwords and base64 encoded passwords, as well as account user details, including full names, phone numbers, addresses, emails and more.
- Additionally, tens of millions of SMS messages sent via TrueDialog were also exposed, containing sensitive data such as full names of recipients, TrueDialog account holders and users, the contents of the messages, email addresses, phone numbers of recipients and users, and more.
Details for 21 million Mixcloud accounts advertised on the Dark Web
- A data reseller, operating under the alias A_W_S, is attempting to sell data belonging to approximately 21 million Mixcloud users.
- The music streaming site was informed of the breach by Motherboard. A company spokesperson stated that the vast majority of users had signed up via Facebook authentication and consequently had no default passwords.
- The seller, who is asking for approximately $4000 worth of Bitcoins for the data, sent a sample of 1,000 accounts to Motherboard. The data, which contained usernames, email addresses, and hashed passwords, was confirmed as genuine.
New Zealand gun buyback scheme website suffers data breach
- On December 2nd, 2019, the national firearms buyback scheme website was shut down after an individual notified the New Zealand police that it was exposing the private data of gun owners. Exposed information included names, addresses, dates of birth, firearms licence numbers and bank account details.
- According to a gun lobby group, 15 individuals had managed to access the information before the website was shut down, whereas New Zealand’s deputy police commissioner Mike Clement stated that officers knew of only one individual who had accessed the information.
- The data breach has been blamed on a ‘human error’ by German software provider SAP, in which a software update was initiated without authorisation from the police. An investigation into what information may have been accessed is ongoing.
IM-RAT taken offline by international law enforcement operation
- An international operation, involving Europol and Eurojust and led by the Australian Federal Police, resulted in the arrest of Imminent Monitor Remote Access Trojan’s (IM-RAT) developer, an employee, and 13 prolific users. IM-RAT’s infrastructure has also been disabled and over 430 devices seized in operations conducted in Australia, Colombia, and throughout Europe.
- IM-RAT was an easy-to-use and cheap remote access trojan that gave the user full remote control of a target device. The malware, which disabled anti-virus software, could be used to steal passwords and other data, log keystrokes, and more. The tool infected tens of thousands of victims and was used in over 124 countries. Authorities estimate that it was purchased by more than 14,500 individuals.
48 Indian government websites hacked since 2018
- According to CERT-In, 48 Indian central and state government websites were hacked between 2018 and October 2019. The IP addresses used in the attacks suggest that they originated from a number of countries including China, Pakistan, the Netherlands, France, Taiwan, Tunisia, Russia, Algeria and Serbia.
Pakistani authorities warned against using WhatsApp
- Pakistan’s Ministry of Information Technology is encouraging relevant authorities, holding delicate portfolios and managing national security issues, not to use WhatsApp for authentic correspondence. A letter sent to authorities warns of ‘hostile intelligence’ agencies that may attempt to gain access to sensitive data.
- This comes in response to reports of Pegasus malware, which was spread via WhatsApp, being present on some government and military authorities’ mobile phones in 20 countries, including Pakistan.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.