Silobreaker Daily Cyber Digest – 03 December 2018
New PowerShell backdoor targets Turkey and bears similarities with MuddyWater tool
- Trend Micro researchers recently observed a malicious campaign delivering a backdoor that shows similarities with the POWERSTATS backdoor used by the MuddyWater group. Similarly to previous MuddyWater activity, the campaign was found to be targeting Turkish government organizations related to the finance and energy sectors.
- Malicious Word document files named ‘Raport.doc’, ‘Gizli Raport.doc’ or ‘maliyeraporti (Gizli Bilgisi).doc’ are being used to deliver the new PowerShell backdoor. However, this campaign differs from previous POWERSTATS incidents in that C&C communication and data exfiltration are done using the API of a cloud file hosting provider.
Source (Includes IOCs)
New Pied Piper campaign delivers FlawedAmmyy RAT and RMS RATs
- Morphisec researchers discovered a new global phishing campaign, dubbed Pied Piper, infecting users with FlawedAmmyy RAT and Remote Manipulator (RMS) remote access trojans. Based on their analysis, the researchers suspect TA505 is responsible for the attacks.
- Targets of this campaign include popular food chains such as Godiva Chocolates, Yogurtland and Pinkberry.
- Victims are infected after enabling macros in malicious Microsoft Publisher attachments disguised as business invoices.
Source (Includes IOCs)
iPhone Heart Rate app attempts to scam customers using Touch ID
- The supposed Heart Rate Measurement app drops the brightness of victims’ screens while taking a heart reading. The malicious app uses the reduced visibility to trick users into authorizing a transaction of $89.99 using Touch ID.
Barracuda Networks discovers new technique used in spear-phishing attacks
- The researchers discovered that hackers are posing as CEOs to trick office managers, executive assistants and receptionists into sending them gift cards. These phishing emails do not contain malicious attachments or links and are generally sent from trusted email addresses and domains, which means the emails are not flagged as suspicious.
- The attackers attempt to capitalise on busy periods during the holidays and frame the requests as a company surprise to induce the victim into taking part and discourage them from looking into the legitimacy of the request.
Leaks and Breaches
Sotheby’s site infected with a digital skimming code
- The British auction house announced on Friday that its New York-based e-commerce marketplace Sotheby’s Home was affected by digital skimming code. The firm discovered and removed the malicious code on October 10th 2018, and believes it had been present on the system since at least March 2017.
- The code targeted data entered into the payment information form on the website, including names, addresses, email addresses and payment card details.
Moscow’s cable car system infected with ransomware a day after opening
- Attackers have reportedly hacked into the new cable car systems and infected the main computer controlling the cable car with ransomware.
- A message was then received from the hacker on the head computer of the Moscow Cable Cars operating company requesting the transfer of Bitcoins in exchange for decrypting all the electronic files of the computer.
Twitter user hacks 50,000 exposed printers to promote YouTuber PewDiePie
- Twitter user @TheHackerGiraffe carried out the hack by using automated scripts to send print messages to printers with exposed Internet Printing Protocol (IPP) ports, Line Printer Daemon (LPD) ports and port 9100. The hacker claims to have used a tool called Printer Exploitation Toolkit (PRET) to carry out his attack.
Tencent discovers bug that could allow hackers to remotely steal tokens from user wallets
- Tencent Security Lab has informed the NEO developers and node operators of a critical bug that could allow hackers to steal tokens remotely when a user starts a network node set to the default configuration.
Researchers describe updated padding oracle attack
- In a research paper titled ‘The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations’, the researchers described a way to ‘exploit side-channel information to downgrade most of the current TLS implementations’, using ‘ongoing support for outmoded RSA key exchanges’.
- The new attack, an updated version of Bleichenbacher’s original padding oracle attack against RSA implementations, does not work over the network; the attacker must instead be running malware on, or be logged in to, the target system in order to exploit system vulnerabilities, find running applications’ encryption keys and hijack connections and accounts.
- The researchers identified four vulnerabilities (CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, CVE-2018-16870) in the open libraries OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and BoringSSL.
McAfee Labs release threat predictions for 2019
- McAfee’s report provides predictions for the structure of the cybercriminal underground, the use of AI by threat actors to evade detection, attacks targeting cloud data and the use of voice-controlled assistants as an attack vector.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.