Silobreaker Daily Cyber Digest – 04 November 2019
Hancitor malware authors combine multiple techniques to evade detection
- Cyber intelligence analyst dodgethissecurity_looun4 observed that the authors behind the known Hancitor malware are using a combination of Living-off-the-Land techniques to avoid detection in their most recent campaign. This includes the use of WMI for indirect command execution and COM objects for downloading stage-two binaries in proxy and non-proxy environments.
- Hancitor is delivered via fake DHL notification emails that contain an embedded link. Once clicked, the link redirects a victim to a website that serves a malicious Word document containing macros. The links do not appear to work on Linux user agents.
Source (Includes IOCs)
NordVPN users targeted in credential stuffing attack
- On October 31st, 2019, Ars Technica received a list which contained the credentials of 753 NordVPN users. Have I Been Pwned also reported at least 10 lists which are similar to the one received by Ars Technica. The publication estimated that approximately 2,000 accounts have been exposed.
- The lists, which contain personally identifiable information, have been seen on online forums such as Pastebin. Disclosed information includes email addresses, account expiration dates, and plain-text passwords.
- The plain-text passwords are weak and feature surnames with numbers, common dictionary words, or contain portions of the associated email address. Ars Technica speculated that the passwords had been uncovered via credential stuffing attacks.
Hackers try to exploit BlueKeep vulnerability to mine for cryptocurrency
- Security researcher Kevin Beaumont discovered that hackers are attempting to exploit the BlueKeep vulnerability, tracked as CVE-2019-0708, to install a cryptocurrency miner on unpatched Windows systems. The first instance of the cryptomining attack dates back to October 23rd, 2019.
- When the BlueKeep vulnerability was first discovered, Microsoft engineers expressed concerns regarding the exploit’s capability to self-spread to other unpatched machines. However, this recent attack does not appear to be wormable; instead, the attackers appear to launch the attack by searching for Windows systems with exposed RDP ports.
- The attackers also appear to have struggled to get their exploit code to work as intended. Beaumont reported that the attack crashed 10 out of the 11 honeypots that he was running.
GandCrab served as ‘school’ for affiliate hacker groups
- Advanced Intelligence researchers published an analysis of GandCrab malware, focusing on the influence which the ransomware has had on the criminal underground. The researchers stated that GandCrab’s operators moved away from the traditional secrecy and anonymity of the Russian cybercrime community. The developers instead chose to engage in branding, marketing, and public relations operations to spread awareness of GandCrab.
- GandCrab also recruited affiliates with little or no previous experience, such as the truniger group. The group, which initially began with one hacker, engaged in minor carding operations before becoming GandCrab affiliates. This allowed them to rapidly expand their operations and start their own ‘highly-efficient digital extortion program’. The researchers also speculated that the truniger group may now be working with the REvil malware distributor.
Leaks and Breaches
BitMEX exposes thousands of customer email addresses
- Cryptocurrency exchange BitMEX exposed the email addresses of thousands of its customers by accidentally adding them to the ‘To’ field rather than the ‘Bcc’ field when sending an email, allowing all recipients to view the email addresses of other recipients. The data leak could leave affected customers’ accounts vulnerable to phishing attacks.
- According to the company, the leak was due to a flaw in the software it uses to send emails, which has since been fixed. BitMEX customers are advised to add two-factor authentication, as well as to add BitMEX’s support email to their contact list to avoid phishing emails.
2018 data breach may affect over 20,000 Utah Valley Eye Center patients
- A security incident in June 2018, in which Utah Valley Eye Center’s business portal was hacked, may have exposed demographic information of over 20,000 patients. The incident involved an unauthorised third party sending fake PayPal notification emails to 5,764 patients.
- Utah Valley Eye Center believes only email addresses were accessed; however, patient names, addresses, dates of birth, and phone numbers may also have been exposed. Protected health information and financial information were not exposed.
San Marcos targeted in cyberattack
- A cyberattack on October 24th, 2019, on the computer systems of San Marcos affected most of its internal systems, such as email accounts. No data was compromised in the attack and public safety systems were not affected. It is unclear who was behind the attack and whether it was domestic or foreign.
Government of Nunavut hit by ransomware attack
- On November 2nd, 2019, the government of Nunavut was hit with a ransomware attack that impacted all government services, except Qulliq Energy Corporation. A statement from authorities claimed that there was no concern about loss of personal information.
Unprotected back-end database exposes millions of users and sex workers
- Researchers at Condition:Black discovered an unprotected back-end database that lacked password protection for weeks and exposed daily logs of multiple ‘camgirl’ sites. The sites are all run by the Barcelona-based VTS Media and most users are based in Europe. The database has since been secured.
- The logs included detailed records of login activity, including usernames and occasionally user-agents and IP addresses, as well as failed login attempts that stored usernames and passwords in plain text.
- The detailed logs often also revealed email addresses and other identifiable information that could be matched with real-world identities, as well as users’ private chat messages, and which videos a user was watching and renting. Additionally, the ‘camgirls’ using the websites also had their account information exposed.
India’s Bharatiya Janata Party’s website hacked
- The Delhi website of the Bharatiya Janata Party was hacked to redirect users to a landing page displaying messages against India and its Prime Minister Narendra Modi. The group responsible calls itself _Muhammad Bilal TeAM [PCE]. According to security researcher Elliot Alderson, the hackers’ page, called Kashmir[.]html, is loaded from Pastebin and the hackers used cross-site scripting vulnerabilities to gain access.
WordPress plugin vulnerable to remote code execution
- Multiple vulnerabilities were found in the MobiLoud News plugin, the most serious of which could permit an attacker to remotely execute code, allowing them to run arbitrary PHP code on a website. The plugin also lacks a nonce check to prevent cross-site request forgery.
Malware can be installed on Android devices by using NFC beaming
- A vulnerability, tracked as CVE-2019-2114, in Android versions 8 (Oreo) and higher, allows an attacker to bypass security controls and install malware using Near Field Communication (NFC). NFC is used to pair devices, support contactless payment and transfer data between two devices using the Android Beam feature.
- The NFC services do not warn a user with the ‘install unknown apps’ prompt, meaning that an attacker can install malware on a target’s device when they have NFC and Android Beam enabled.
- The vulnerability, which has been rated as ‘High’, was patched in October 2019.
Chrome zero-day used in Operation WizardOpium
- Researchers at Kaspersky, who discovered CVE-2019-13720, reported that the exploit was used in a watering-hole attack on a Korean-language news portal. The campaign, which has been dubbed Operation WizardOpium, has not been definitively attributed to a particular threat actor.
- The researchers stated that there were weak code similarities with Lazarus attacks, however, these could be false flags. According to the researchers, the profile of the targeted websites is more similar to attacks by the DarkHotel Group.
SYLK files can avoid Microsoft Office for Mac protections
- US-CERT warned that an unauthenticated attacker can execute arbitrary code by using XLM macros incorporated into SYLK files.
- According to US-CERT, Office 2011 for Mac does not warn users when opening SYLK files with XLM macros. Office 2016 and 2019 versions do warn users, however, if a user enables the ‘disable all macros without notification’ feature, XLM macros in SYLK files will also be executed without prompting the user.
Government officials said to be among those targeted by NSO Group’s spyware
- According to Reuters, sources close to the ongoing investigation by Facebook claim that government officials of several US-allied countries were also targeted with NSO Group’s spyware. The sources stated that a ‘significant’ number of the known victims are high-profile government and military officials.
- A lawsuit by Facebook alleges that NSO Group developed a WhatsApp exploit that allowed their clients to hack into about 1,400 devices, yet the total number of victims may be higher. Several Indian nationals have since claimed they had been targeted. This includes journalists, academics, lawyers and defenders of India’s Dalit community.
Nikkei Inc. loses $29 million in BEC scam
- On October 30th, 2019, Nikkei Inc. disclosed that an employee of its subsidiary Nikkei America, Inc. was tricked into transferring $29 million to a malicious actor. The scammer, who contacted the employee in late September 2019, posed as a Nikkei management executive.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.