Silobreaker Daily Cyber Digest – 04 June 2019
New Iranian hacking tool leaked on Telegram
- A new hacking tool used by Iranian state hackers has been leaked in a Telegram channel by Lab Dookhtegan, the same actor responsible for leaking the source code for six other Iranian hacking tools in April, alongside information on past hacked victims and the identities of hackers.
- The new tool, dubbed Jason, is a GUI utility for brute-forcing Microsoft Exchange email servers using pre-compiled lists of username and password combinations. Iranian hackers have been using the tool for approximately four years.
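A credential-list brute force of the kind described above leaves a distinctive trace: one client address failing authentication against several mailboxes in quick succession, occasionally followed by a success. The following is an added example written for this digest, not code from the leaked tool or from Microsoft; the log format (time, client IP, user, outcome) and the sample lines are constructed for illustration, and real OWA, EWS or ActiveSync logs would need their fields mapped onto it.

```python
"""Flag a source that is working through a username:password list
against an Exchange login endpoint.

Added example for illustration; the log format and sample lines below
are constructed, not taken from any product.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.9 walks a list of mailboxes and eventually
# gets one right; 198.51.100.20 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2019-06-04T08:00:01Z 203.0.113.9 alice@corp.example FAIL
2019-06-04T08:00:02Z 203.0.113.9 alice@corp.example FAIL
2019-06-04T08:00:03Z 203.0.113.9 bob@corp.example FAIL
2019-06-04T08:00:04Z 203.0.113.9 carol@corp.example FAIL
2019-06-04T08:00:05Z 203.0.113.9 dave@corp.example FAIL
2019-06-04T08:00:06Z 203.0.113.9 erin@corp.example FAIL
2019-06-04T08:00:07Z 203.0.113.9 frank@corp.example SUCCESS
2019-06-04T08:01:10Z 198.51.100.20 alice@corp.example FAIL
2019-06-04T08:01:15Z 198.51.100.20 alice@corp.example SUCCESS
"""


def parse(log_text):
    """Turn the constructed log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events


def detect(events, fail_threshold=5, min_distinct_users=3):
    """Alert on client IPs with many failures spread across several accounts.

    A SUCCESS from the same IP once it is already over the failure threshold
    is the high-value signal: one entry in the attacker's list worked, and
    that account should be treated as compromised.
    """
    fails = defaultdict(int)          # ip -> number of failed logins
    users = defaultdict(set)          # ip -> distinct accounts attempted
    later_success = defaultdict(set)  # ip -> accounts that succeeded after the run
    for _ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails[ip] += 1
            users[ip].add(user)
        elif outcome == "SUCCESS" and fails[ip] >= fail_threshold:
            later_success[ip].add(user)

    alerts = {}
    for ip, count in fails.items():
        if count >= fail_threshold and len(users[ip]) >= min_distinct_users:
            alerts[ip] = {
                "failures": count,
                "accounts_tried": len(users[ip]),
                "compromised": sorted(later_success[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The two thresholds separate a list-driven attack from a single user who forgot a password: the distinct-account count is what a per-user lockout policy never sees, so tune it to the number of mailboxes one legitimate client would plausibly touch.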
BlackSquid malware discovered by Trend Micro researchers
- BlackSquid malware uses eight exploits to target web servers, network drives and removable drives: EternalBlue, DoublePulsar, CVE-2014-6287, CVE-2017-12615, CVE-2017-8464, and three ThinkPHP exploits covering several versions. The malware was seen predominantly targeting Thailand and the US.
- BlackSquid employs anti-virtualization, anti-debugging, and anti-sandboxing techniques to determine whether to continue with installation. It was observed dropping the XMRig Monero miner but, according to the researchers, could also be used to drop other payloads which could infect devices, incapacitate hardware, steal information, and more.
- The researchers stated that despite the malware’s sophistication, several coding errors and ‘skipped routines’ suggest it may still be in its testing and development stage.
Source (Includes IOCs)
Cybaze-Yoroi ZLab researchers publish update on Gamaredon attacks
- The Cybaze-Yoroi ZLab team released an update following the Gamaredon attacks against Ukraine last month. They discovered a new email that is potentially linked to the group, which suggests that their attacks are ongoing.
- The report includes a technical analysis of the infection chain used in the latest attack. Based on this analysis, the researchers conclude that the campaign is still ongoing and that there is likely Russian interest in infiltrating the Eastern European ecosystem, particularly Ukraine.
Source (Includes IOCs)
Netscout researchers detect spike in Realtek SDK exploits
- A spike was observed in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability CVE-2014-8361, between April 22nd, 2019 and May 10th, 2019. The attacks originated from Egypt and a large number of the exploit attempts were against South African routers, suggesting targeted attacks.
- The researchers observed the Hakai DDoS bot being delivered to vulnerable devices. The Hakai bot supports HTTP flooding, TCP flooding, and UDP flooding. The Hakai variants in this campaign include a new vseattack function that performs a Valve Source Engine (VSE) query-flooding attack similar to the one found in the Mirai botnet.
- The researchers believe this activity is an attempt to recruit more bots and that the actors behind the exploitation attempts are seeking to expand their botnet.
Source (Includes IOCs)
Zebrocy APT uses new backdoor written in Nim
- Kaspersky Lab researchers observed that the Russian-speaking Zebrocy APT group is using a new backdoor family, deployed by a new downloader written in the Nim programming language.
- The backdoor is being delivered via spear phishing campaigns and is designed to profile systems, steal credentials, and maintain persistence on a compromised computer over an extended period of time.
- The researchers predicted that Zebrocy activity will continue in 2019 and will involve targeting government and military organizations.
Leaks and Breaches
University of Chicago Medicine exposes over a million records
- Researcher Bob Diachenko discovered a publicly available Elasticsearch database belonging to the University of Chicago Medicine. The database contained ‘leads’ and ‘perspective and existing givers’ for the organisation.
- The 34GB-sized cluster was indexed by the Shodan search engine and contained 1,679,993 records including names, dates of birth, addresses, phone numbers, emails, genders, marital statuses, wealth information and communication notes.
University of South Wales suffers data breach
- The University of South Wales suffered a data breach on May 29th, 2019, which potentially compromised personal information of students and staff. The university has since taken down its student record system.
- Police are currently investigating the data breach and have arrested a 26-year-old man in connection with the incident.
Attack on Westpac’s PayID leaves data of 100,000 Australians exposed
- Australian bank Westpac confirmed misuse of its New Payments Platform (NPP) PayID lookup, which exposed the data of nearly 100,000 Australians. Customers of other banks are also believed to be affected. The company stated that no customer bank account numbers were compromised.
- PayID allows instant transfer of money between banks via mobile numbers or email addresses. Its lookup is vulnerable to a so-called ‘enumeration attack,’ in which an attacker submits large volumes of guessed phone numbers and harvests the names returned for any that are registered, confirming the mobile number in the process.
- High volumes of NPP Australia PayID lookups made from compromised Westpac Live accounts were discovered on May 22nd, 2019, and further analysis showed that the attacks had been occurring since April 7th, 2019.
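The enumeration described above works because an alias lookup that returns the full payee name for any registered number, with no per-caller limit, is an oracle the attacker can simply iterate. The following is an added example written for this digest, not Westpac's or NPP Australia's code: the directory, phone numbers, quota and masking rule are all constructed assumptions, and the hardened class illustrates mitigations of the kind a practitioner would consider, not the fix the bank actually deployed.

```python
"""A PayID-style alias lookup: the enumerable design beside a hardened one.

Added example for illustration. DIRECTORY, the numbers in it, the quota
and the masking rule are constructed, not real data or a real design.
"""
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Constructed directory: mobile number -> registered payee name.
DIRECTORY = {
    "0400000013": "Alice Example",
    "0400000042": "Bob Example",
    "0400000077": "Carol Example",
}


def lookup_weak(alias: str) -> Optional[str]:
    """Weak design: any caller may resolve any alias, as often as it likes,
    and gets the full name on a hit. That is all enumeration needs."""
    return DIRECTORY.get(alias)


def enumerate_aliases(lookup: Callable[[str], Optional[str]],
                      prefix: str, start: int, count: int) -> Dict[str, str]:
    """Attacker's loop: walk a block of numbers and keep every resolved name."""
    found = {}
    for n in range(start, start + count):
        alias = f"{prefix}{n:06d}"
        name = lookup(alias)
        if name:
            found[alias] = name
    return found


class HardenedLookup:
    """Hardened design (assumed mitigations, not Westpac's actual fix):
    - per-caller quota on lookups inside a sliding window, so one account
      cannot be used to walk thousands of numbers;
    - the returned name is partially masked, so a hit only lets the payer
      confirm a recipient they already know.
    """

    def __init__(self, max_lookups: int = 10, window_seconds: int = 3600):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self._calls: Dict[str, List[float]] = defaultdict(list)

    def _over_quota(self, caller: str, now: float) -> bool:
        """Drop timestamps outside the window, then admit or refuse this call."""
        recent = [t for t in self._calls[caller] if now - t < self.window]
        self._calls[caller] = recent
        if len(recent) >= self.max_lookups:
            return True
        recent.append(now)
        return False

    @staticmethod
    def mask(name: str) -> str:
        """Keep the first letter of each word: 'Bob Example' -> 'B** E******'."""
        return " ".join(p[0] + "*" * (len(p) - 1) for p in name.split())

    def lookup(self, caller: str, alias: str,
               now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        if self._over_quota(caller, now):
            raise PermissionError("lookup quota exceeded")
        name = DIRECTORY.get(alias)
        return self.mask(name) if name else None


if __name__ == "__main__":
    # Weak lookup: a hundred guesses harvest every registered name.
    print(enumerate_aliases(lookup_weak, "0400", 0, 100))
    # Hardened lookup: the same loop is cut off after the quota.
    hardened = HardenedLookup(max_lookups=10)
    try:
        enumerate_aliases(lambda a: hardened.lookup("attacker", a), "0400", 0, 100)
    except PermissionError as exc:
        print("blocked:", exc)
```

The quota alone only slows an attacker who controls many compromised accounts, which is why the digest's detail about lookups coming from compromised Westpac Live accounts matters: a fleet-wide alert on aggregate lookup volume and hit rate is the complement to the per-caller limit.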
Dutch Data Protection Authority accidentally exposes data
- The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, exposed the data of 38 journalists and editors on May 24th, 2019, by sending an email with all recipients listed in the visible ‘Cc:’ field. The agency has reported the data breach incident to itself.
Chinese headhunting company FMC Consulting leaked data through Elasticsearch cluster
- On May 20th, 2019, security researcher Sanyam Jain discovered that FMC data was stored on a misconfigured and publicly accessible Elasticsearch cluster.
- The data included company contacts, mail logs, over 5 million company records, over 20 million resumes, customer records, client messages, and more. The leaked PII data included information belonging to customers and employees.
Quest Diagnostics Inc’s client data exposed by billing provider
- Billing collections service provider American Medical Collection Agency (AMCA) notified Quest Diagnostics that an unauthorized user had accessed AMCA’s systems between August 1st, 2018, and March 30th, 2019.
- AMCA confirmed that the details of approximately 11.9 million Quest Diagnostics patients were stored on the affected system. The exposed data includes bank account details, credit card numbers, and medical and personal information such as Social Security numbers.
Australian National University targeted in hacking attack
- Vice-chancellor Brian Schmidt released a statement on June 4th, 2019, revealing that the personal details of staff, students and visitors, extending back 19 years, were accessed by an unknown party. The university confirmed that an estimated 200,000 people were affected by the hack.
- Information accessed included names, addresses, dates of birth, bank account details, academic records, and more.
Microsoft releases Intel Microcode update for MDS flaws in older versions of Windows 10
- Last month researchers from VUSec disclosed the Microarchitectural Data Sampling (MDS) vulnerabilities, which allow an attacker to leak data in flight through internal CPU buffers across the boundaries between user processes, the operating system kernel, Software Guard eXtensions (SGX) enclaves and CPU-internal operations. The vulnerabilities could be exploited to steal passwords and cryptographic keys.
- Microsoft released the microcode update on June 3rd, 2019, covering Windows 10 versions 1709, 1703, 1607 and RTM (1507), and Windows Server 2016.
Synthetic clicks can be abused in macOS Mojave
- macOS hacker Patrick Wardle discovered that applications trusted to generate synthetic clicks can be modified so that those clicks trigger a malicious action without the user’s knowledge.
- According to Wardle, this is possible because Apple’s verification of such trusted applications validates only the code signature rather than the app’s resources and executable code, so a modified component inside the bundle still passes the check.
Vulnerability in Supra Smart Cloud TV allows attackers to broadcast video
- Researcher Dhiraj Mishra discovered a remote file inclusion zero-day flaw, CVE-2019-12477, which allows anyone on the local network to push arbitrary video to the Supra Smart Cloud TV display.
- The vulnerability can be exploited due to the lack of authentication or session management in the TV software.
Vulnerabilities patched in Kace K1000 Appliance
- Researchers at the Carnegie Mellon University CERT/CC discovered blind SQL injection flaws in the Quest Kace System Management (K1000) Appliance.
- The flaws, tracked as CVE-2018-5404, allow remote authenticated attackers holding only the ‘User Console Only’ privilege to access the application’s database and the sensitive information it holds. The researchers also discovered two further vulnerabilities, CVE-2018-5405 and CVE-2018-5406.
- All vulnerabilities have been fixed with the release of a recent patch from Quest.
US State Department now requires 5 years of social media information for visas
- The US State Department now requires new visitors to the US to provide the social media account names, email addresses and phone numbers they have used over the past 5 years. The details are now required on the application forms for those seeking residency, education, work, or a tourist visa.
- The State Department stated that the details will bolster the process for vetting applicants and assist in confirming identities.
Russians order Tinder to share user data and private communications
- The Russian government has added Tinder to a government database named the Register of Information Dissemination Organisations, which requires the company to hand over user data and private communications to law enforcement and intelligence agencies.
- According to laws 97-FZ and 374-FZ, companies on the list must hand over the data upon request without a court order, in order to assist investigations related to terrorism and national security.
ATM skimmer operator sentenced to over 5 years in jail
- Romanian national Bogdan Viorel Rusu ran a multi-state ATM card skimming scam that stole over $868,000. In addition to his jail sentence, Rusu has been ordered to pay restitution and forfeiture to the total of $440,130.
- Rusu’s operation ran between August 3rd, 2014, and November 14th, 2016, during which card information was stolen from 531 ATM users in Massachusetts, New York, and New Jersey.
Philippine Senate approves new bill to address financial fraud
- The Philippine Senate approved House Bill 6710, an amendment to the Access Devices Regulation Act of 1998, which will see longer sentences and tougher fines for those involved in financial fraud.
- New measures include life sentences and fines up to P5 million (£76,145) for those involved in the hacking of bank systems or skimming 50 or more ATM cards, online banking accounts, credit cards or debit cards, a crime considered to be a form of economic sabotage.
British security researcher Marcus Hutchins pleads guilty to US hacking charges
- Marcus Hutchins, also known as MalwareTech and previously hailed as a hero for finding the WannaCry ransomware ‘kill switch’, has pleaded guilty to charges brought against him following his arrest in 2017. The charges relate to his activity in 2014 and 2015, when Hutchins and another individual made and distributed the Kronos banking trojan.
‘Robbinhood’ Twitter account linked to Baltimore ransomware attacker
- Researchers at Armor confirmed that the person(s) behind the ‘Robbinhood’ Twitter account, which appeared to be leaking confidential files, are linked to the attacker behind the Baltimore ransomware attack. Robbinhood is the name of the ransomware strain used in the Baltimore attack. The connection was made after the account holder posted the attack panel interface used to communicate with Baltimore during the attack.
- The Robbinhood ransomware was initially believed to be powered by the leaked NSA hacking tool ‘EternalBlue,’ but according to a recent analysis by malware analyst Joe Stewart, the Baltimore attack did not involve any EternalBlue exploit code. Stewart believes Robbinhood was set up to become a multi-tenant ransomware-as-a-service offering, and also found a potential link to GandCrab, a ransomware-as-a-service that has just announced it is shutting down.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.