Silobreaker Daily Cyber Digest – 04 December 2018
APT28 and Turla found responsible for attacks against Czech government institutions
- The Czech Security Information Service (BIS) stated that APT28 and the Turla APT Group are responsible for campaigns targeting the Czech Ministry of Foreign Affairs, Czech Ministry of Defence and Army of the Czech Republic, in 2016 and 2017.
- According to BIS’s annual report, the threat actors did not steal any classified information, though they were able to access individuals’ sensitive personal data by compromising targets’ email accounts.
Proofpoint researchers observe increased threats over the holiday period
- Proofpoint has reported rapid growth in business email compromise (BEC) scams that use holiday themes such as gift cards and Black Friday.
- The researchers also observed numerous instances of point-of-sale malware targeting Black Friday and holiday shoppers.
WakeNet AB spreads prevalent adware
- McAfee Labs has been investigating WakeNet AB, a pay-per-install developer responsible for spreading prevalent adware such as Wajam and Linkury.
- WakeNet has recently increased its use of deceptive techniques to convince victims to run its installers. These include fake movie playbacks and fake torrent downloads targeting Windows and Mac systems.
- WakeNet’s tools are responsible for installing some of the most prevalent PUP families, which impact the performance of victims’ devices and cause many unwanted advertisements. From September 2017 to June 2018 McAfee detected 1.9 million instances of this adware in the wild.
Leaks and Breaches
Quora announces hack exposing 100 million users’ data
- Quora discovered the breach on November 30th when they observed that users’ data was accessed by an unauthorised party. Data exposed included account information such as names and encrypted passwords, as well as public and non-public content and actions.
- It is not yet known how the attackers gained access to the system.
Parking ticket payment system breached in Ames, Iowa
- 4,600 residents of Ames may have had their data exposed between August 10th and November 19th, 2018, due to a compromised ticket payment system.
- Data exposed may include payment card details, names, addresses and email addresses.
Local health center in Rhode Island hit with ransomware
- Thundermist Health Center was reportedly targeted in a ransomware attack, locking staff out of infected computer systems.
- A spokesperson said no data was compromised in the attack.
Canadian 1-800-Flowers company reports credit card malware
- The company revealed that over a four-year period malware had stolen customers’ credit card details, including names, card numbers, expiration dates and security codes. The breach lasted from August 15th, 2014 to September 15th, 2018.
Digital Oscilloscope comes with backdoor accounts and old software components
- Oscilloscopes are laboratory instruments that display how an electrical signal changes over time as a waveform. Researchers at SEC Consult found that Siglent’s SDS 1202X-E Digital Oscilloscope requires no authentication for access via the EasyScopeX software, which lets a user retrieve and manipulate waveform data to isolate signals.
- The SDS 1202X-E also has two hard-coded backdoor accounts, ‘root’ and ‘siglent’. The researchers found their password hashes in the ‘/etc/shadow’ file after connecting to the oscilloscope over its UART interface.
- The device runs a Telnet service listening on the default TCP port. An attacker on the local network who connects to it this way is granted root access to the device.
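The practical question raised by the two accounts above is which entries in a device’s /etc/shadow actually permit a login over a service like Telnet. The following is an added example for this digest, not SEC Consult’s or Siglent’s code; it parses shadow-format text and separates locked accounts from those with a usable (and offline-crackable) hash or an empty password field. SAMPLE_SHADOW is constructed for illustration and its hash strings are placeholders, not the values found on the oscilloscope.

```python
"""Classify accounts in an /etc/shadow dump by whether their password field
permits a login. Added example; not SEC Consult's or Siglent's code.
SAMPLE_SHADOW is constructed and its hashes are placeholders."""
from typing import List, Optional, Tuple

# Constructed sample: two accounts with usable hashes, two locked system
# users, and one account whose password field is empty.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$PlaceholderRootHash0000000000:16000:0:99999:7:::
siglent:$1$ijklmnop$PlaceholderSiglentHash00000000:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
nobody:!:16000:0:99999:7:::
svc::16000:0:99999:7:::
"""

# crypt(3) hash prefixes and the algorithm each denotes.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$y$": "yescrypt",
}


def classify_hash(field: str) -> Tuple[str, Optional[str]]:
    """Return (status, algorithm) for the password field of a shadow line.

    status is "empty" (no password required), "locked" (a "!" or "*"
    prefix, so no password can match) or "usable" (a real hash: login is
    possible and the hash can be attacked offline)."""
    if field == "":
        return "empty", None
    if field.startswith(("!", "*")):
        return "locked", None
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return "usable", name
    if len(field) == 13:  # traditional DES crypt: 2-char salt + 11 chars
        return "usable", "descrypt"
    return "usable", "unknown"


def parse_shadow(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Parse shadow-format text into (user, status, algorithm) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        status, algo = classify_hash(fields[1])
        entries.append((fields[0], status, algo))
    return entries


def loginable_accounts(text: str) -> List[str]:
    """Accounts an attacker could log into over Telnet or the serial console:
    every entry whose password field is not locked."""
    return [user for user, status, _ in parse_shadow(text) if status != "locked"]


if __name__ == "__main__":
    for user, status, algo in parse_shadow(SAMPLE_SHADOW):
        print(f"{user:10} {status:7} {algo or '-'}")
```

Run against a shadow file pulled from a device, the output is the list of accounts to test over any exposed login service and the hash algorithms that determine how cheap an offline attack would be; an empty field is worse than any hash, since it needs no cracking at all.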
Researchers discover new Spectre variant SplitSpectre
- Northeastern University academics and IBM researchers discovered a new variation of the Spectre CPU vulnerability dubbed SplitSpectre.
- According to their research paper, similarly to Spectre, SplitSpectre is a design flaw in the microarchitecture of modern processors that can be exploited via speculative execution. SplitSpectre differs by being easier to execute as it ‘requires a smaller piece of vulnerable code available in the victim’s attack surface’.
- The research team carried out successful SplitSpectre attacks against Intel Haswell and Skylake CPUs and AMD Ryzen processors, using SpiderMonkey 52.7.4 as the attack vehicle.
Cisco Talos reports three Netgate pfSense command injection vulnerabilities
- Cisco Talos has disclosed three command injection vulnerabilities in the powerd mode settings handled by Netgate pfSense’s system-advanced-misc.php page. pfSense is an open-source firewall and router that can also provide threat management, load balancing, multi-WAN and more.
- CVE-2018-4019, CVE-2018-4020 and CVE-2018-4021 exist because the powerd_normal_mode, powerd_ac_mode and powerd_battery_mode parameters of POST requests to system-advanced-misc.php are not sanitised before use.
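The bug class here is a form value reaching a command line without being constrained to the small set of values it can legitimately take. The block below is an added illustration of that class in Python, not pfSense’s PHP code: an unsafe builder that concatenates the three parameters into a shell string, beside a hardened builder that accepts only allowlisted mode names and returns an argv list that never passes through a shell. The parameter names are the three from the advisory; the set of accepted powerd(8) mode strings and the -a/-b/-n flag mapping are assumptions made for this example.

```python
"""Allowlist validation for form values that end up on a command line.
Added illustration of the bug class; not pfSense's PHP code. The accepted
mode strings and the flag mapping are assumptions for this example."""
import shlex
from typing import Dict, List

# Assumed allowlist: the short-form mode names powerd(8) accepts.
POWERD_MODES = frozenset({"hadp", "adp", "max", "min"})

# Assumed mapping from POST parameter to powerd command-line flag.
PARAM_TO_FLAG = (
    ("powerd_ac_mode", "-a"),
    ("powerd_battery_mode", "-b"),
    ("powerd_normal_mode", "-n"),
)


def build_powerd_cmd_unsafe(post: Dict[str, str]) -> str:
    """Vulnerable pattern: raw form values concatenated into one shell
    string. Anything the shell treats specially (';', '|', '$(...)')
    becomes part of the command that runs."""
    return "powerd -a {} -b {} -n {}".format(
        post.get("powerd_ac_mode", ""),
        post.get("powerd_battery_mode", ""),
        post.get("powerd_normal_mode", ""),
    )


def build_powerd_cmd_safe(post: Dict[str, str]) -> List[str]:
    """Hardened pattern: every value must match the allowlist exactly, and
    the result is an argv list meant for subprocess.run(argv, shell=False),
    so no shell ever parses it."""
    argv = ["powerd"]
    for param, flag in PARAM_TO_FLAG:
        value = post.get(param, "")
        if value not in POWERD_MODES:
            raise ValueError(f"{param}: {value!r} is not a permitted mode")
        argv += [flag, value]
    return argv


def accepts(post: Dict[str, str]) -> bool:
    """True if the hardened builder accepts the submitted values."""
    try:
        build_powerd_cmd_safe(post)
        return True
    except ValueError:
        return False


def commands_in_shell_string(cmd: str) -> int:
    """Heuristic: how many separate commands a shell would run for cmd,
    found by tokenising with shell punctuation as separators. It shows the
    effect of the unsafe builder but is not a defence: it misses $(...) and
    backticks, which is why the allowlist is the real control."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    separators = sum(1 for tok in lexer if tok in (";", "|", "||", "&", "&&"))
    return separators + 1


if __name__ == "__main__":
    clean = {"powerd_ac_mode": "hadp", "powerd_battery_mode": "adp",
             "powerd_normal_mode": "hadp"}
    bad = dict(clean, powerd_normal_mode="hadp; id")
    print(build_powerd_cmd_unsafe(bad), "->",
          commands_in_shell_string(build_powerd_cmd_unsafe(bad)), "commands")
    print("hardened accepts bad input:", accepts(bad))
    print("hardened argv:", build_powerd_cmd_safe(clean))
```

The two design choices that matter are independent: the allowlist rejects anything that is not one of the four known modes, and the argv list removes the shell from the path entirely, so even a value that slipped past validation would be passed to powerd as a single argument rather than interpreted.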
Jared and Kay jewellers fix bug in their websites that exposed order information
- The bug was discovered in mid-November this year by Brandon Shelley, who found that slightly modifying the link in an order confirmation email and pasting it into a web browser revealed another customer’s order information.
- This information included names, addresses, phone numbers, email addresses, four digits of the customer’s credit card number and more. The issue has now been fixed for all past and future orders.
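What the report describes is an insecure direct object reference: the order identifier in the link is trusted on its own, so changing it selects someone else’s order. The block below is an added example for this digest, not the retailers’ code. It shows the vulnerable lookup beside two fixes, an ownership check for logged-in customers and an HMAC-signed link for email confirmations that have no login context, so that an altered link fails verification before any data is read. The ORDERS table, the session shape, the URL layout and the signing key are constructed for illustration.

```python
"""Order lookup: the IDOR bug class beside an ownership check and a signed
link. Added example; not the retailers' code. Data, URL layout, session
shape and key are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: two customers, one order each.
ORDERS: Dict[str, Dict[str, str]] = {
    "1001": {"customer": "alice", "name": "Alice A.", "last4": "1234"},
    "1002": {"customer": "bob", "name": "Bob B.", "last4": "9876"},
}


class Forbidden(Exception):
    pass


def get_order_vulnerable(order_id: str, session: Dict[str, str]) -> Optional[dict]:
    """The bug: the identifier from the URL is trusted by itself, so editing
    1001 to 1002 returns another customer's order. session is ignored."""
    return ORDERS.get(order_id)


def get_order_owner_checked(order_id: str, session: Dict[str, str]) -> dict:
    """Fix 1 (logged-in flows): bind the lookup to the authenticated user.
    One error covers both "no such order" and "not your order" so the
    endpoint does not confirm which identifiers exist."""
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session.get("user"):
        raise Forbidden("order not found for this account")
    return order


# Fix 2 (email links with no login): sign the order id so a modified link
# fails verification. Assumed: in production the key comes from a secret
# store, not from process start-up.
LINK_KEY = secrets.token_bytes(32)
BASE_URL = "https://shop.example/orders/"


def _tag(order_id: str) -> str:
    return hmac.new(LINK_KEY, order_id.encode(), hashlib.sha256).hexdigest()


def make_order_link(order_id: str) -> str:
    """Link to embed in the confirmation email."""
    return f"{BASE_URL}{order_id}?sig={_tag(order_id)}"


def open_order_link(url: str) -> dict:
    """Verify the signature (constant-time) before touching the database."""
    parts = urlparse(url)
    order_id = parts.path.rsplit("/", 1)[-1]
    sig = parse_qs(parts.query).get("sig", [""])[0]
    if not hmac.compare_digest(_tag(order_id), sig):
        raise Forbidden("link is invalid or has been altered")
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("link is invalid or has been altered")
    return order


if __name__ == "__main__":
    link = make_order_link("1001")
    print("valid link ->", open_order_link(link)["name"])
    try:
        open_order_link(link.replace("/1001?", "/1002?"))
    except Forbidden as exc:
        print("tampered link ->", exc)
```

A signed link is still a bearer credential: anyone holding the email can open it, so it should carry an expiry (fold a timestamp into the signed data) and show the minimum an order-status page needs rather than the full record.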
Vulnerabilities found in Monorail issue tracking tool
- Researcher Luan Herrera discovered vulnerabilities in Monorail, an open-source issue tracker used by Chromium-related projects such as PDFium, Gerrit, V8 and Google’s Project Zero.
- The three flaws, tracked as CVE-2018-10099, CVE-2018-19334 and CVE-2018-19335, could allow an attacker to carry out a Cross-Site Search (XS-Search) attack.
Critical flaw patched in Kubernetes
- Software developer Darren Shepherd discovered a critical privilege escalation vulnerability, tracked as CVE-2018-1002105, in the open-source container orchestration system, Kubernetes.
- The flaw allows ‘any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster’. It has been patched in newly released versions of Kubernetes.
NCIS uncovers large sextortion campaign targeting US military
- The US Naval Criminal Investigative Service (NCIS) uncovered a sextortion campaign targeting US service members from the Army, Navy, Air Force and Marine Corps. The perpetrators were found to be South Carolina inmates and their outside civilian associates. In total, 442 members fell victim to the attacks, generating over $560,000 in profit for the criminals.
- US service members were identified and targeted via social media and online dating websites. The perpetrators posed as attractive women, luring victims into online romances and the exchange of photographs, then claimed to be underage and threatened to expose victims unless ransom was paid.
NY State Education Department fails to make sufficient progress in protecting student data
- The Office of the State Comptroller stated that the Department had not made sufficient efforts to increase its defenses against cyber attacks. The statement followed an audit conducted in July 2017.
- A spokesperson for the Education Department said the Department had had difficulty replacing its CISO.
$100 billion company ran NotPetya-like worm EternalGlue on its network
- The company deliberately exposed its IT environment to EternalGlue, a worm that operates in a similar way to NotPetya. EternalGlue was created by researchers at NCC Group and can deploy the open-source credential-stealing tool Mimikatz.
- Because it was built for testing, EternalGlue also includes telemetry and safeguards so that no lasting damage was inflicted on infected systems. During the first run, three unpatched machines were discovered and attacked; kernel-level access was obtained on them and the worm spread across the network.
- The test also showed that setting ‘Account is sensitive and cannot be delegated’ on an account stops its credentials from being forwarded to other computers on the network by a trusted application (Kerberos delegation). This limits the reach of attacks that depend on privilege escalation, and in this test the setting proved effective at blocking the spread of EternalGlue across the network.
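The setting named above is a single bit (UF_NOT_DELEGATED, 0x100000) in an account’s userAccountControl attribute, and membership of the Protected Users group blocks delegation as well. The block below is an added example for this digest, not NCC Group’s EternalGlue tooling: given an export of user objects, it lists the privileged accounts whose credentials could still be delegated, and computes the userAccountControl value that turns the flag on. The directory entries are constructed; the bit values are the documented userAccountControl flags.

```python
"""Find AD accounts whose Kerberos credentials can still be delegated and
compute the userAccountControl value that sets NOT_DELEGATED. Added
example; not NCC Group's tooling. SAMPLE_USERS is constructed."""
from typing import Dict, Iterable, List

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_NOT_DELEGATED = 0x100000  # "Account is sensitive and cannot be delegated"

# Constructed sample of what an LDAP export of user objects might contain.
SAMPLE_USERS: List[Dict] = [
    {"sAMAccountName": "da-admin", "userAccountControl": UF_NORMAL_ACCOUNT,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
     "memberOf": ["CN=Backup Operators,CN=Builtin,DC=corp,DC=example"]},
    {"sAMAccountName": "helpdesk", "userAccountControl": UF_NORMAL_ACCOUNT,
     "memberOf": ["CN=Protected Users,CN=Users,DC=corp,DC=example",
                  "CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "old-admin",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT,
     "memberOf": []},
]

# Groups whose members' credentials matter most to a lateral-movement worm.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators",
                     "Schema Admins")


def group_names(entry: Dict) -> List[str]:
    """Extract the CN of each group DN in memberOf."""
    return [dn.split(",", 1)[0][len("CN="):] for dn in entry.get("memberOf", [])]


def delegation_exposed(entry: Dict) -> bool:
    """True if a service trusted for delegation could forward this
    account's credentials: the account is enabled, lacks NOT_DELEGATED, and
    is not in Protected Users (membership there also blocks delegation)."""
    uac = entry["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE or uac & UF_NOT_DELEGATED:
        return False
    return "Protected Users" not in group_names(entry)


def privileged_and_exposed(entries: Iterable[Dict]) -> List[str]:
    """Privileged accounts still lacking delegation protection: the ones to
    fix first, since theirs are the credentials a worm would reuse."""
    return [e["sAMAccountName"] for e in entries
            if delegation_exposed(e)
            and any(g in PRIVILEGED_GROUPS for g in group_names(e))]


def with_not_delegated(uac: int) -> int:
    """userAccountControl value after enabling the flag; this is the bit
    that Set-ADUser -AccountNotDelegated $true writes."""
    return uac | UF_NOT_DELEGATED


if __name__ == "__main__":
    for name in privileged_and_exposed(SAMPLE_USERS):
        print(f"{name}: privileged and delegable")
    print("512 with NOT_DELEGATED set ->", with_not_delegated(UF_NORMAL_ACCOUNT))
```

In a real domain the input would come from an LDAP query for userAccountControl and memberOf; the output is the short list of privileged accounts to mark as sensitive or move into Protected Users before a NotPetya-style worm finds their credentials in memory on a compromised host.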
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.