Silobreaker Daily Cyber Digest – 03 December 2018

 

Malware

New PowerShell backdoor targets Turkey and bears similarities with MuddyWater tool

  • Trend Micro researchers recently observed a malicious campaign delivering a backdoor that shows similarities with the POWERSTATS backdoor used by the MuddyWater group. As in previous MuddyWater activity, the campaign targets Turkish government organisations related to the finance and energy sectors.
  • Malicious Word documents named ‘Raport.doc’, ‘Gizli Raport.doc’ or ‘maliyeraporti (Gizli Bilgisi).doc’ are used to deliver the new PowerShell backdoor. This campaign differs from previous POWERSTATS incidents in that C&C communication and data exfiltration are carried out through the API of a cloud file hosting provider, rather than through attacker-run servers.

Source (Includes IOCs)

 

Ongoing Campaigns

New Pied Piper campaign delivers FlawedAmmyy and RMS RATs

  • Morphisec researchers discovered a new global phishing campaign, dubbed Pied Piper, infecting users with the FlawedAmmyy and Remote Manipulator System (RMS) remote access trojans. Based on their analysis, the researchers suspect TA505 is responsible for the attacks.
  • Targets of this campaign include popular food chains such as Godiva Chocolates, Yogurtland and Pinkberry.
  • Victims are infected after enabling macros in malicious Microsoft Publisher attachments disguised as business invoices.

Source (Includes IOCs)

 

iPhone ‘Heart Rate’ app attempts to scam customers using Touch ID

  • The supposed Heart Rate Measurement app dims the screen while pretending to take a heart reading. It uses the reduced visibility to trick users into authorising an $89.99 in-app transaction with Touch ID, since the user’s finger is already resting on the sensor.

Source

 

Barracuda Networks discovers new technique used in spear-phishing attacks

  • The researchers found that attackers are impersonating CEOs to trick office managers, executive assistants and receptionists into buying and sending them gift cards. These phishing emails carry no malicious attachments or links and are generally sent from trusted email addresses and domains, so they are not flagged as suspicious.
  • The attackers try to capitalise on busy periods during the holidays and frame the request as a company surprise, which encourages the victim to take part and discourages them from checking the legitimacy of the request.

Source

 

Leaks and Breaches

Sotheby’s site infected with digital skimming code

  • The British auction house announced on Friday that Sotheby’s Home, its New York-based e-commerce marketplace, was affected by digital skimming code. The firm discovered and removed the malicious code on October 10th 2018 and believes it had been present on the system since at least March 2017.
  • The code captured data entered into the payment form on the website, including names, addresses, email addresses and payment card details.

Source

 

Moscow’s cable car system infected with ransomware a day after opening

  • Attackers have reportedly broken into the new cable car system and infected the main computer controlling the cable car with ransomware.
  • A message from the attacker was then received on the head computer of the Moscow Cable Cars operating company, demanding a transfer of bitcoin in exchange for decrypting all the electronic files on the computer.

Source

 

Twitter user hacks 50,000 exposed printers to promote YouTuber PewDiePie

  • Twitter user @TheHackerGiraffe carried out the hack using automated scripts to send print jobs to printers with exposed Internet Printing Protocol (IPP, TCP port 631), Line Printer Daemon (LPD, TCP port 515) and raw printing (TCP port 9100) ports. None of these services authenticates the sender of a job. The hacker claims to have used the Printer Exploitation Toolkit (PRET) to carry out the attack.

Source

 

Vulnerabilities

Tencent discovers bug that could allow hackers to remotely steal tokens from user wallets

  • Tencent Security Lab has informed the NEO developers and node operators of a critical bug that could allow attackers to steal tokens remotely when a user starts a network node with the default configuration.

Source

 

Researchers describe updated Bleichenbacher padding oracle attack against TLS

  • In a research paper titled ‘The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations’, the researchers describe a way to ‘exploit side-channel information to downgrade most of the current TLS implementations’, relying on their ‘ongoing support for outmoded RSA key exchanges’.
  • The new attack is an updated version of Bleichenbacher’s original padding oracle attack on RSA PKCS#1 v1.5 decryption. It cannot be mounted purely over the network: the attacker needs code running on the victim machine, for example as malware or as a logged-in user, in order to observe the cache side channel, and can then recover the keys used by running applications and hijack connections and accounts.
  • The researchers tested nine TLS implementations (OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL and BoringSSL); the flaws they found were assigned CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869 and CVE-2018-16870.

Source
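The item above only names the attack; the following is an added worked example (not code from the CAT paper or from any of the TLS libraries listed) showing what an attacker does once any padding oracle exists, whether it comes from a distinguishable alert, from timing, or, as in the paper, from the cache footprint of the padding check on a shared host. It implements Bleichenbacher’s 1998 adaptive chosen-ciphertext search in pure Python. Everything below is an assumption for illustration: a deliberately tiny 138-bit RSA key built from two Mersenne primes, a ‘loose’ oracle that only reports whether the decrypted block begins 00 02, and a three-byte message standing in for the TLS premaster secret.

```python
"""Toy Bleichenbacher padding-oracle attack on RSA PKCS#1 v1.5 (added example)."""
import random

# Assumption: toy key only. Both factors are Mersenne primes, so N is trivially
# factorable; the point is the oracle, not the key strength.
P, Q = (1 << 107) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8               # modulus length in bytes (18)
B = 1 << (8 * (K - 2))                      # 2B <= m < 3B  <=>  m begins 00 02
QUERIES = 0                                 # oracle calls made by the attacker


def ceil_div(a, b):
    return -(-a // b)


def pkcs1_v15_pad(msg, rng):
    """00 02 || >= 8 non-zero random bytes || 00 || msg (RFC 8017 section 7.2.1)."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(msg, rng=None):
    block = pkcs1_v15_pad(msg, rng or random.Random(0))
    return pow(int.from_bytes(block, "big"), E, N)


def padding_oracle(c):
    """Vulnerable server: leaks whether the decrypted block begins 00 02.

    Over the network the leak is an alert or a timing difference; in the CAT
    paper it is the cache activity of this check, observed by co-located code.
    """
    global QUERIES
    QUERIES += 1
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def _conforming(c0, s):
    # Asking about c0 * s^e asks whether m0 * s mod N is PKCS-conforming.
    return padding_oracle((c0 * pow(s, E, N)) % N)


def _narrow(M, s):
    """Step 3: intersect each interval with the ranges implied by a conforming s."""
    new = []
    for a, b in M:
        for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
            na = max(a, ceil_div(2 * B + r * N, s))
            nb = min(b, (3 * B - 1 + r * N) // s)
            if na <= nb:
                new.append((na, nb))
    merged = []                               # merge overlapping/adjacent ranges
    for a, b in sorted(new):
        if merged and a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return merged


def bleichenbacher(c, rng):
    """Recover c^d mod N (the padded block) using only padding_oracle()."""
    s0, c0 = 1, c                             # Step 1: blinding; a valid
    while not padding_oracle(c0):             # ciphertext already conforms
        s0 = rng.randrange(2, N)
        c0 = (c * pow(s0, E, N)) % N
    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)                    # Step 2a: smallest conforming s
    while not _conforming(c0, s):
        s += 1
    while True:
        M = _narrow(M, s)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return (M[0][0] * pow(s0, -1, N)) % N
        if len(M) > 1:                        # Step 2b: several intervals left
            s += 1
            while not _conforming(c0, s):
                s += 1
        else:                                 # Step 2c: one interval, jump by r
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo, hi + 1) if _conforming(c0, t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def recover_message(c, rng=None):
    """Run the attack, then strip the padding: everything after the 00 separator."""
    block = bleichenbacher(c, rng or random.Random(0)).to_bytes(K, "big")
    return block[block.index(b"\x00", 2) + 1:]


if __name__ == "__main__":
    c = rsa_encrypt(b"pms", random.Random(1))
    print(recover_message(c), "recovered after", QUERIES, "oracle queries")
```

Each `padding_oracle` call stands for one server interaction. The countermeasure from RFC 5246 section 7.4.7.1 (on bad padding, continue the handshake with a random premaster secret instead of failing) is meant to remove the oracle at the protocol level; the paper’s point is that the branch taken inside that check can still be observed through the cache by an attacker on the same machine, which puts the oracle back. A strict oracle that also checks the eight non-zero padding bytes and the separator answers ‘conforming’ less often and so costs more queries, but the same search applies.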

 

General News

McAfee Labs release threat predictions for 2019

  • McAfee’s report provides predictions for the structure of the cybercriminal underground, the use of AI by threat actors to evade detection, attacks targeting cloud data and the use of voice-controlled assistants as an attack vector.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 
