Silobreaker Daily Cyber Digest – 03 September 2019

 

Ongoing Campaigns

MSP targeted by GlobeImposter 2.0 ransomware

  • According to a Reddit post by a managed service provider (MSP) partnered with cybersecurity firm Datto, the MSP’s servers and networks were hit by GlobeImposter 2.0 ransomware, impacting five different customers.
  • A user claiming to be Datto’s Chief Information Security Officer, Ryan Weeks, responded with a statement confirming that an attacker had accessed BCDR appliances from the local network; however, it remains unclear how the network itself was accessed.

Source

 

Astaroth attackers abuse Cloudflare to avoid detection

  • Security researcher Marcel Afrahim discovered that the threat actor behind Astaroth malware has incorporated Cloudflare Workers into its attack chain. The new campaign, first observed in August 2019, begins with an email which purports to be an audit or billing request. 
  • The email contains an attached HTML file with obfuscated JavaScript code and links to a domain behind Cloudflare’s web infrastructure. Because the domain sits behind Cloudflare, antivirus solutions receive the Cloudflare challenge page rather than the attacker’s payload. Additionally, Cloudflare’s IP Geolocation feature allows the attackers to target users in certain locations; in this case only IPs in the Brazilian address range were served the second-stage payload.
  • Abusing Cloudflare Workers also gives the attackers the ability to generate random payload URLs for each run and to easily rebuild their operation if it is taken down. Once a system is compromised with Astaroth, the attacker can steal credentials through a keylogger module, clipboard monitoring, and more.

Source 1 Source 2 (Includes IOCs)

 

Sodinokibi ransomware distributor compromising WordPress sites

  • Security researcher Aura identified a Sodinokibi malware distributor injecting JavaScript that displays a fake Q&A form over the content of WordPress sites. The form contains content related to the page and appears to show a site administrator providing a helpful download link to a forum user.
  • Users who click on the link download a ZIP file from a random hacked site controlled by the attacker. The downloaded ZIP contains a JScript file which connects to a remote server and downloads a PowerShell command which executes Sodinokibi.
  • Infected users will have their files encrypted and will be provided with a link to a Tor payment site where they will be encouraged to purchase a decryptor.

Source (Includes IOCs)

 

Fake BleachBit website distributes AZORult malware

  • Security researcher Benkow identified a fake BleachBit website which purported to contain legitimate BleachBit software. The fake website is well designed and contains a convincing domain name.
  • Users who click on the link download a ZIP file from Dropbox which contains the AZORult stealer. The malware can collect browser history, saved logins, text files, and more. Collected data is then exfiltrated to the attacker’s C2.

Source (Includes IOCs)

 

Leaks and Breaches

Option Way exposes company and customer data

  • On August 20th, 2019, researchers at vpnMentor discovered an unprotected and unencrypted Elasticsearch database that belonged to flight booking platform Option Way. The database contained over 100 GB of sensitive company and consumer data.
  • Exposed consumer data included names, dates of birth, gender, email addresses, phone numbers, flight prices, destinations, and more. Company data included employees’ personally identifiable information and the company’s credit card details.

Source

 

XKCD data leak exposes personal information of 562,000 members

  • The XKCD forum was taken offline in response to the data leak.
  • Exposed information included email addresses, IP addresses, usernames, and hashed passwords. The hashed passwords are said to have been stored in phpBB MD5 format, a hashing scheme considered ‘cryptographically broken’ and vulnerable to collision attacks.

Source

 

Cracked Poshmark Accounts available on the dark web

  • On August 1st, 2019, Poshmark disclosed that an unauthorized party had gained access to the login details of more than 36 million customers. Exposed data included email addresses, hashed passwords, genders, names, and more.
  • Poshmark stated that passwords are hashed with the bcrypt algorithm. Despite this protective measure, security researcher Jim Scott has now discovered approximately one million cracked Poshmark accounts circulating online.

Source

 

Facebook loses control of private key used to sign Facebook Basics app

  • Reporters at Android Police discovered that a key used by Facebook to sign its Facebook Basics app for Android had been compromised. A debug signing key was being used by other vendors to sign their own apps, which were appearing in unofficial repositories.
  • The Register reported that Facebook’s update entry for the Free Basics app on the Google Play Store does not mention that the app has been newly re-signed to mitigate the key loss. Additionally, Google searches for the SHA-1 hash of the old key continue to return results for untrustworthy sites and apps.

Source 1 Source 2

 

General News

113 arrested by EFCC for involvement in cyberfraud

  • Since January 2019, the Economic and Financial Crimes Commission (EFCC), in collaboration with the FBI, arrested 113 individuals in the Nigerian states of Edo, Delta and Ondo, who had been involved in online fraud. Many cases are ongoing in court, whilst 53 convictions have been made to date.
  • One of the arrested is said to be on the FBI’s Most Wanted List. She was allegedly involved in identity theft and said to have worked in collaboration with a US citizen, who would use the stolen identification information to file fraudulent tax returns with the Internal Revenue Service.

Source

 

Iranian engineer recruited by Dutch AIVD aided in 2007 Stuxnet attack

  • According to Yahoo News, sources claimed that, in 2004, the CIA and Israeli Mossad had asked the Dutch AIVD to recruit an inside mole for the covert operation ‘Olympic Games’ that targeted the Iranian nuclear power plant in Natanz.
  • The Iranian engineer, posing as a mechanic worker for a front company, is said to have provided critical data that was used to update the Stuxnet code for a precision attack. He also gained inside access, which allowed him to deliver Stuxnet to the targeted systems.

Source

 

Artificial intelligence used in fake voice fraud

  • Cybercriminals convinced the CEO of a UK-based energy firm to transfer £200,000 by using artificial intelligence to imitate the voice of the chief executive of the company’s parent company.
  • According to cybersecurity specialist Jake Moore, the use of such machine-learned cybercrime will rise in the near future. AI voice mimicry is said to be easier to produce than deepfake video, as it requires far fewer recordings.

Source

 

Federal Prosecutors accuse Adconion employees of operating large-scale spam operation

  • Federal prosecutors filed a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud against four employees of Adconion Direct.
  • The employees of the email advertising firm are accused of conspiring to identify, or to pay others to identify, blocks of IP addresses that were inactive or registered to other parties.
  • Prosecutors allege that the accused used the fraudulently acquired IP addresses to run a spam campaign. All four of the accused have pleaded not guilty.

Source

 

Danske Statsbaner (DSB) ticket systems taken offline following cyberattack

  • On September 1st, 2019, Danish national rail operator DSB suffered a DDoS attack which impacted online ticketing platforms, ticket machines at stations and staffed ticket desks. Impacted systems were fully operational by the morning of September 2nd, 2019.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.