Silobreaker Daily Cyber Digest – 03 June 2019
GandCrab ransomware allegedly shutting down its operations
- The operators behind GandCrab ransomware say they are shutting down their operation and have told affiliates to stop distributing the ransomware. Victims have been warned to pay for decryption of their files now, as the keys will be deleted once the service shuts down.
- GandCrab was first launched on January 28th, 2018. The operators claimed GandCrab generated $2.5 billion in profits.
Maze ransomware tries to detect computer type to calculate ransom amount
- Security researcher Jérôme Segura discovered Maze ransomware being distributed via the Fallout exploit kit from a fake site purporting to belong to the Abra cryptocurrency exchange app.
- According to Bleeping Computer, the ransom amount depends on whether the infected machine is identified as a home computer, a server or a workstation.
Source (Includes IOCs)
New sample of Hidden Bee Malware detected
- Researchers at Malwarebytes Labs have discovered a new variant of the Chinese Hidden Bee malware. Hidden Bee is commodity malware used for cryptocurrency mining.
- Malwarebytes’ report includes a technical analysis of the new features, including a new loading format and a new area of memory into which the payload is loaded.
- The researchers stated that the construction of Hidden Bee is reminiscent of that used by APTs. Malwarebytes assesses that the malware’s authors are professionals, given the consistency evident in its complex design.
Source (Includes IOCs)
Foreclosure warning spam used to distribute Sodinokibi ransomware
- Bleeping Computer has reported on a Sodinokibi ransomware campaign that appears to target German speakers. Recipients receive an email titled ‘Ankündigung der Zwangsvollstreckung’, which translates as ‘Announcement of Foreclosure’.
- The email asks victims to enable macros; once enabled, the macros download the Sodinokibi ransomware.
- Once running, Sodinokibi disables Windows startup repair and encrypts files, appending a random extension that is unique to each infected machine. The attackers demand $2,500 worth of bitcoin, rising to $5,000 once a 48-hour deadline expires.
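Disabling startup repair before encryption is a detectable step, and a practitioner reading the item above will want a concrete check for it. The following is an added example, not code from the digest or from Bleeping Computer. It assumes that "disables Windows startup repair" shows up on the command line as `bcdedit /set {default} recoveryenabled No` and `bcdedit /set {default} bootstatuspolicy ignoreallfailures` (the commands commonly observed from Sodinokibi and other ransomware; this is my assumption, the digest does not name them), and it runs over constructed, simplified process-creation events in a `pid|user|image|command line` form rather than real logs.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified
# to "pid|user|image|command line"). These lines are made up for this example.
SAMPLE_EVENTS = [
    "4120|CORP\\alice|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "4124|CORP\\alice|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "4130|CORP\\bob|C:\\Windows\\System32\\bcdedit.exe|bcdedit /enum",
    "4140|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|cmd.exe /c \"bcdedit.exe /set {DEFAULT} RecoveryEnabled no\"",
    "4150|CORP\\carol|C:\\Program Files\\App\\app.exe|app.exe --update",
]

# Assumed command-line patterns for "disable startup repair". Matching is
# case-insensitive and tolerant of the value spellings bcdedit accepts.
SUSPICIOUS = [
    (re.compile(r"recoveryenabled\s+(no|off|false|0)\b", re.I), "startup repair disabled"),
    (re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I), "boot failure prompts suppressed"),
]


def parse_event(line):
    """Split one constructed event line into its fields."""
    pid, user, image, cmdline = line.split("|", 3)
    return {"pid": int(pid), "user": user, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the list of reasons a command line is suspicious (empty if benign).

    Only bcdedit invocations are considered; the tool may be launched directly
    or wrapped in cmd.exe, so the whole command line is searched, not the image.
    """
    if "bcdedit" not in cmdline.lower():
        return []
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(cmdline)]


def scan(lines):
    """Run the check over event lines and return alert records for the hits."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event["cmdline"])
        if reasons:
            alerts.append({**event, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} ({alert['user']}): {', '.join(alert['reasons'])}")
        print(f"    {alert['cmdline']}")
```

The benign `bcdedit /enum` line is deliberately included so the rule is seen to key on the recovery settings rather than on the tool itself, and the `cmd.exe /c` wrapper shows why the check runs over the full command line and not just the process image.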
Phishing campaign asks victims to ‘manage undelivered email’
- According to Bleeping Computer, a new phishing campaign pretends to notify a user of a list of undelivered emails that are being held on their Outlook Web Mail service.
- Users are then asked what action they want to perform for each of the emails, with respective links leading them to fake Outlook Web App login forms that phish for their credentials.
Microsoft Azure used to host malware and C2 servers
- Researchers ‘JayTHL’ and MalwareHunterTeam discovered that attackers are using Microsoft’s Azure cloud service to host malware and as C2 infrastructure for malicious files.
- The issue was reported to Microsoft; however, the malware was still present on the Azure infrastructure on May 29th.
SIM swapping attacks hit US cryptocurrency users
- Over the past week, several cryptocurrency users have been targeted by SIM swapping attacks. In a SIM swap, a threat actor uses various techniques, typically social engineering of the victim’s mobile carrier, to transfer the victim’s phone number to a SIM card the attacker controls, in order to receive SMS 2FA verification codes or reset the passwords of accounts protected by that number.
- A wave of cryptocurrency users have reported losing funds as a result of these attacks, and others have reported failed attempts. One victim reported that when the threat actor realised the SIM swap would not succeed, they changed tactics and targeted the victim’s social media and email accounts instead.
- The majority of the recent attacks have focused on victims in the US.
Leaks and Breaches
People Inc notifies clients of data breach
- The non-profit organization notified nearly 1,000 current and former clients that their personal and protected health information was exposed after two employees’ email accounts were breached.
- The exposed information may include names, addresses, Social Security numbers, financial account information, medical information, health insurance information, and/or driver’s license or other government identification numbers.
Leicester City Football Club discloses card breach
- The UK football club stated that users of their online store had their personal and financial information compromised due to a security breach affecting the club’s official website.
- The compromised information includes card numbers, cardholder names, expiry dates and CVVs. The investigation remains ongoing.
Princess Polly suffers data breach between November 1st, 2018 and April 2019
- On May 31st, 2019, Australian fashion retailer Princess Polly warned customers who paid via debit or credit card that their card details may have been captured as they were entered on the site at checkout.
- The attackers may have accessed payment details, billing and shipping addresses, names, emails, passwords, phone numbers, and more.
NVIDIA patches two high severity vulnerabilities in GeForce Experience (GFE) software
- The first flaw, CVE-2019-5678, exists in the NVIDIA GFE Web Helper component. An attacker with local system access can supply input that is not properly validated, which could lead to code execution, denial of service or information disclosure.
- The second flaw, CVE-2019-5676, exists in the NVIDIA GFE installer, which loads Windows system DLLs without validating their path or signature. A same-named DLL planted in a location searched before the system directory would therefore be loaded and executed by the installer, leading to escalation of privileges through code execution.
Android smartphones found vulnerable to new ‘Tap ‘n Ghost’ attack
- The latest Android smartphones are susceptible to a new type of attack, dubbed ‘Tap ‘n Ghost’, that injects fake finger taps to trigger unwanted actions. The attack exploits flaws in the software and hardware of most recent smartphone models.
- The attack, discovered by three academics at Waseda University in Tokyo, uses a rig consisting of a 5mm thick copper sheet connected to a DDS signal generator, a high-voltage transformer, a battery pack, NFC readers/writers and a laptop. When a user places their smartphone near the rig, the NFC readers/writers can obtain basic information from the device, as well as ‘make the user’s smartphone open and access a specific URL’, ‘ask the smartphone to pair a rogue Bluetooth device’ or ‘ask the user to connect to a malicious WiFi network’.
- In the second phase, the attacker uses the copper plate to cause electrical disturbances in the touchscreen. The resulting fake taps can hijack a user’s genuine tap on a ‘No’ button and apply it to the ‘Yes’ button instead, which could cause the smartphone to approve a malicious Bluetooth pairing or connect to a rogue WiFi network.
Apple patches multiple vulnerabilities in its AirPort Base Station firmware
- Apple released a patch for multiple vulnerabilities affecting its AirPort Base Station firmware. CVE-2019-8581 could allow a remote attacker to leak memory, while CVE-2019-8588, CVE-2018-6918 and CVE-2019-7291 could cause a denial of service. CVE-2019-8578 and CVE-2019-8572 could allow arbitrary code execution, a further flaw could prevent a full factory reset, and CVE-2019-8580 could cause the base station to unexpectedly accept source-routed IPv4 packets, which let the sender dictate the path a packet takes and can be used to bypass routing-based access controls.
Multiple vulnerabilities patched by Adobe and Foxit
- In their recent security updates, Adobe and Foxit Software patched multiple vulnerabilities discovered by Palo Alto Networks’ Unit 42 affecting Acrobat DC, Acrobat Reader DC, Foxit Reader and PhantomPDF. In total, 33 vulnerabilities were patched across the products, with 19 of the 28 Adobe vulnerabilities classed as critical use-after-free bugs.
New vulnerabilities discovered in rkt
- Security researcher Yuval Avrahami discovered three vulnerabilities in rkt, an open source container runtime created by CoreOS. No patch is available yet.
- The vulnerabilities, tracked as CVE-2019-10144, CVE-2019-10145 and CVE-2019-10147, can be exploited by an attacker with root access inside a container who overwrites binaries and libraries in the container. When a user on the host runs ‘rkt enter’, the replaced binaries run the attacker’s code. Because the process started by ‘rkt enter’ is not subject to the container’s seccomp filtering, capability restrictions or cgroup device isolation, the attacker can then escape the container and gain root access on the host.
Third-party patches released for zero-day flaw in Windows 10
- The zero-day vulnerability, dubbed BearLPE, was disclosed by security researcher SandboxEscaper. The exploit triggers a flaw in the Windows 10 Task Scheduler that allows a user who starts with limited privileges to gain SYSTEM rights.
- CERT/CC vulnerability analyst Will Dormann found the exploit to be 100% reliable on x86 systems.
- A temporary patch for this vulnerability has been released through the 0patch platform and can be applied without the need to reboot systems.
Kraft Heinz brands’ twitter accounts hacked
- The accounts for Planters, Kool-Aid and Capri Sun were hacked on May 31st, 2019.
- The attackers published nonsensical tweets that tagged popular Fortnite streamer KEEMSTAR as well as their own accounts. The hackers’ accounts were identified and suspended by Twitter.
Hacked Cryptopia exchange owes $4.2 million to creditors
- Liquidator Grant Thornton released a report on May 31st, 2019 stating that Cryptopia owes $4.22 million to creditors. There are currently 69 unsecured creditor claims totalling $2.439 million, and employee entitlements at the time of liquidation totalled $318,000.
- Cryptopia was hacked in January 2019 and an estimated $16 million was stolen.
UK universities’ research programmes targeted by state-sponsored hackers
- A survey of 75 senior IT leaders across 68 UK universities conducted by Dell EMC and VMware showed that a quarter of respondents believed that their institution was targeted daily. One in ten stated that a successful attack on their research could potentially harm the lives of UK citizens.
- Moreover, 24% believed their security and defense research may have already been infiltrated and 53% believed that University research had ended up in foreign hands.
- The key subjects that cyber criminals targeted were science, medicine, economics and defense research.
64% of ransomware attackers launder their funds through cryptocurrency exchanges
- Chainalysis examined 38 illicit cryptocurrency exchanges and found that 64% of ransomware attackers cash out their proceeds through cryptocurrency exchanges. Other methods include mixing services, peer-to-peer networks, online retailers and other Internet services. Roughly 9% of the funds remain unspent.
- The researchers also found a change in approach, with attackers shifting their focus to large corporations and government institutions rather than many individual victims.
Eurofins Scientific hit by ransomware attack
- In a press release, Eurofins Scientific stated its IT security monitoring teams discovered a form of ransomware that caused disruption to some of its IT systems. As a precaution a number of IT systems have been taken offline. No evidence of unauthorised data transfer or misuse has been found.
Bitcoin CEO faces 21 months in prison
- Morgan Rockcoons, CEO of Bitcoin Inc., was sentenced to 21 months in prison for wire fraud and operating an unlicensed money transmitting business. He was also ordered to forfeit $80,600 in illicit profits. Claiming to own land in Elko County, Nevada, he had been promoting ‘Bitcointopia’ and sold plots of land that did not belong to him.
Warning issued over the risk of drone proliferation
- Researchers at IOActive warned that there are significant security risks if the growth in drone use is left unchecked. Cesar Cerrudo, CTO at IOActive, stated that manufacturers need to take responsibility for drone-related cyber security.
- Researchers warned that attackers could launch physical attacks against individuals or infrastructure. Additionally, they stated that drones could be used to disrupt Wi-Fi networks, perform man-in-the-middle attacks and distribute malware.
Facebook ordered to give shareholders information on how data privacy is handled
- Vice Chancellor Joseph Slights of the Delaware Chancery Court stated that there was a “credible basis” to believe that Facebook board members had failed to properly act in relation to data privacy breaches.
- The case centres on the 2015 Cambridge Analytica data breach, which occurred while Facebook was supposed to be strengthening its data security measures under a US Federal Trade Commission consent decree.
- The European Court of Justice is also preparing to hear a privacy case relating to the transfer of EU citizens data to the US.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.