Silobreaker Daily Cyber Digest – 05 August 2019
GermanWiper malware deletes files while pretending to be ransomware
- Initial reports of GermanWiper malware first appeared on the BleepingComputer forum on July 30th, 2019. GermanWiper is delivered via an email that claims to be a job application with a message written in German, containing two PDF copies of the sender’s resume. In actuality, the PDFs are shortcuts to PowerShell commands that download an HTA file from a malicious domain.
- The HTA file downloads the purported ransomware which, once executed, wipes all the data on the victim’s device by overwriting it. To create the illusion that the data has been encrypted, GermanWiper appends randomized five-character extensions to file names. The malware skips files that are required to boot Windows and run web browsers. After overwriting the files, the malware drops a note on the target machine demanding a Bitcoin ransom for their recovery. Paying does not help: the files were already overwritten and cannot be recovered.
Source (Includes IOCs)
Lord exploit kit attempts to take advantage of Flash vulnerability
- Malwarebytes researchers published an analysis of the so-called Lord exploit kit (EK) which was first spotted by Adria Luca on August 1st, 2019. LordEK uses a compromised site as a landing page and is part of a malvertising chain via the PopCash ad network.
- LordEK uses the ngrok service to craft custom hostnames and to generate random subdomains. Upon execution, LordEK checks for Flash Player and attempts to exploit the old vulnerability CVE-2018-15982. If exploitation succeeds, shellcode is launched to deliver njRAT; a few days later the payload was changed to ERIS ransomware. The researchers stated that LordEK’s author is still actively developing the exploit kit.
Source (Includes IOCs)
New fraudulent campaigns involving the use of well-known brands discovered
- Group-IB discovered a series of new fraudulent campaigns masquerading as dozens of well-known brands, including Alitalia and Carrefour, and mainly targeting Spanish- and Italian-speaking customers. The group behind the scheme, dubbed Lotsy by Group-IB, is believed to be the same group discovered in 2017 that offered users free gifts to lure them into visiting fake websites.
- The fraudulent scheme spreads on Facebook and WhatsApp via messages from previous victims promising a free ticket giveaway. The messages contain links that redirect the victim to a website posing as that of a known brand, where the victim has to complete a quiz and share the promotion’s link in order to supposedly claim the prize. Victims are then redirected to third-party fraudulent and potentially malicious websites, chosen according to the victim’s country, device or language settings.
- Thus far, Group-IB has detected a total of 114 domains involved in the scheme and found Lotsy to be particularly cautious, avoiding brand names in second-level domains.
Leaks and Breaches
Capital One data breach may affect other companies
- According to security researchers, the alleged hacker behind the Capital One data breach, Paige Thompson, also accessed databases belonging to several other major companies. A report by CyberInt points to Vodafone, Ford, Michigan State University and the Ohio Department of Transportation as potential victims.
- Amazon stated that, as of yet, there is no proof of Thompson having found similar vulnerabilities to gain access to other customers’ databases. However, according to security researcher John Wethington, the evidence available, such as a Slack conversation pointing to other companies’ databases, means it is likely other data has been stolen.
Aegon customer data leaked online
- Aegon Life Insurance Company accidentally leaked the data of up to 10,000 customers as a result of a vulnerability in their website. According to the company, this incident was not caused by malicious activity and there is no evidence of customer data having been stolen. Customers will soon be informed of the type of data that was exposed.
Imperial Health suffers ransomware attack
- The Louisiana-based physician’s network Imperial Health is informing its patients of a ransomware attack that potentially exposed private health information of 116,262 patients. Imperial Health’s Center for Orthopaedics first discovered the attack on May 19th, 2019.
- No evidence of data access or theft has been found yet, however, potentially accessed data includes names, addresses, telephone numbers, birth dates and Social Security numbers.
More than 6.8 million records allegedly stolen in StockX data breach
- According to TechCrunch, an unnamed individual claims to have stolen more than 6.8 million records from the StockX site in May 2019, with the stolen data being sold for $300 on the dark web. TechCrunch received a sample of the data and has confirmed with StockX customers that their data was accurate. Stolen data included names, email addresses, scrambled passwords, and more.
- StockX had initially claimed that password reset emails were sent to customers because of system updates, before admitting to having been ‘alerted to suspicious activity.’ StockX has since issued a statement confirming the data breach.
Entertainment Software Association leaks data of over 2,000 individuals
- The personal data of more than 2,000 journalists and content creators who attended E3 2019 has been exposed via a publicly available Excel sheet. According to the Entertainment Software Association, the leak was the result of a website vulnerability.
- Exposed data includes addresses, phone numbers and email addresses. The issue has not been fixed completely and the leaked data is already available on message boards.
Over 23 million CafePress accounts leaked in data breach
- The breach occurred on February 20th, 2019, when 23,205,209 accounts containing details such as names, addresses and phone numbers were disclosed.
- CafePress has not notified customers of the breach or provided any other form of public disclosure. Many users only became aware that their data had been breached through a submission to haveibeenpwned on August 5th, 2019.
Vulnerabilities enable hacking of WPA3 protected WiFi passwords
- Security research duo Dragonblood discovered two new vulnerabilities that can enable an attacker to steal WiFi passwords by exploiting flaws in WiFi Protected Access 3 (WPA3).
- CVE-2019-13377 affects the password encoding algorithm of Dragonfly and could allow a timing-based side-channel attack, in which an attacker uses the leaked timing information to carry out brute-force attacks.
- The second flaw, tracked as CVE-2019-13456, is an information leak vulnerability in the implementation of Extensible Authentication Protocol-Password (EAP-pwd) in FreeRADIUS.
JIRA misconfiguration exposes details of multiple companies and governments
- Researcher Avinash Jain reported on January 11th, 2019, that he was able to view NASA project details through a vulnerability in Jira. Following this discovery, Jain also found internal data and internal project details for Google, Yahoo, Western Union, Lenovo, the United Nations, and other organisations.
- Jira users at these organisations who created filters or dashboards had not changed the default visibility options from ‘All users’ and ‘Everyone’, which made all of that information publicly accessible. Moreover, an authorisation error in Jira’s Global Permissions settings allowed anyone to access the user picker functionality, providing complete lists of an organisation’s usernames and email addresses.
- Disclosed information includes employee roles, names, email IDs, secret projects, and more.
Source (Includes IOCs)
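The root cause above is a sharing setting, so the check a defender wants is an inventory of filters and dashboards whose share permissions reach every logged-in user or the whole internet. The following Python is an added example, not Silobreaker’s, the researcher’s or Atlassian’s code. It assumes the `sharePermissions` array that Jira’s REST API returns for filters and dashboards, where a permission of type "global" corresponds to the ‘Everyone’ (public) option and "loggedin" / "authenticated" to ‘All users’; the records it scans are constructed sample data, not output from a real instance.

```python
"""Flag Jira filters and dashboards whose sharing exposes them to everyone.

Added example (not the digest's or Atlassian's code). Assumes the
`sharePermissions` shape of Jira's REST API: type "global" == 'Everyone'
(public, no login), "loggedin"/"authenticated" == 'All users'. The sample
objects below are constructed for the demo.
"""
import json

# Audience implied by a share-permission type. Types not listed here
# (project, group, user) are scoped and treated as acceptable.
WIDE_AUDIENCES = {
    "global": "Everyone (public, no login needed)",
    "loggedin": "All logged-in users",
    "authenticated": "All logged-in users",
}
# Ordering used to pick the worst case when one object has several permissions.
SEVERITY = {"global": 2, "loggedin": 1, "authenticated": 1}

# Constructed sample records, shaped like Jira filter objects.
SAMPLE_OBJECTS = json.loads("""[
  {"id": "10001", "name": "Launch roadmap (confidential)", "owner": {"name": "alice"},
   "sharePermissions": [{"id": 1, "type": "global"}]},
  {"id": "10002", "name": "OPS sprint board", "owner": {"name": "bob"},
   "sharePermissions": [{"id": 2, "type": "project", "project": {"key": "OPS"}}]},
  {"id": "10003", "name": "Vendor contact list", "owner": {"name": "carol"},
   "sharePermissions": [{"id": 3, "type": "group", "group": {"name": "procurement"}},
                        {"id": 4, "type": "loggedin"}]},
  {"id": "10004", "name": "Private reminders", "owner": {"name": "dave"},
   "sharePermissions": []}
]""")


def widest_audience(obj):
    """Return the broadest audience an object's permissions grant, or None if scoped."""
    worst = None
    for perm in obj.get("sharePermissions", []):
        kind = perm.get("type")
        if kind in WIDE_AUDIENCES and (worst is None or SEVERITY[kind] > SEVERITY[worst]):
            worst = kind
    return WIDE_AUDIENCES[worst] if worst else None


def find_overexposed(objects):
    """List (id, name, owner, audience) for objects visible beyond a project or group."""
    findings = []
    for obj in objects:
        audience = widest_audience(obj)
        if audience:
            findings.append((obj["id"], obj["name"], obj["owner"]["name"], audience))
    return findings


if __name__ == "__main__":
    for fid, name, owner, audience in find_overexposed(SAMPLE_OBJECTS):
        print(f"filter {fid} '{name}' owned by {owner}: shared with {audience}")
```

Run against a real instance, the same function would be fed the objects returned by the filter and dashboard endpoints; an object shared with a group or project alongside a "loggedin" permission is still reported, because the widest grant is what matters.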
NVIDIA updates GPU Display Driver to fix vulnerabilities
- On August 2nd, 2019, NVIDIA released an update to fix three high-severity and two medium-severity vulnerabilities in its NVIDIA GPU Display Driver.
- All of the vulnerabilities require local user access and could be exploited on a Windows computer to cause a denial of service, escalate an attacker’s privileges, or allow them to execute code locally.
- CVE-2019-5683 is the highest-rated vulnerability, with an assigned CVSS v3 score of 8.8. Located in the user mode video trace logger component, it allows an attacker with access to the system to perform a hard link attack that the component fails to check for. A successful attacker could achieve local code execution, denial of service and privilege escalation.
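The missing check described for the trace logger is a general one: a privileged component that writes to a path a less-privileged user can influence must verify, on the opened file rather than the path, that it is an ordinary file with no second hard link and not a symlink. The following Python is an added, POSIX-style illustration of that check; it is not NVIDIA’s code, says nothing about how the driver was actually fixed, and the file names and the simulated link it uses are constructed for the demo.

```python
"""Refuse to append to a log through a hard link or symlink.

Added example, not part of the digest or of NVIDIA's driver: a generic
illustration of the check a privileged logger needs before writing to a
path that a less-privileged user can influence. Paths are constructed.
"""
import os
import stat
import tempfile


def open_log_safely(path):
    """Open `path` for appending only if it is a regular file with a single link.

    Raises OSError when the path is a symlink (O_NOFOLLOW, where the platform
    supports it), when the file has more than one hard link (the classic way
    of turning a privileged write into a write to a file the attacker chose),
    or when the object is not a regular file at all.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the opened object, not the path: no TOCTOU window
        if not stat.S_ISREG(st.st_mode):
            raise OSError(f"{path}: not a regular file")
        if st.st_nlink > 1:
            raise OSError(f"{path}: has {st.st_nlink} hard links, refusing to write")
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def demo():
    """Return (plain_ok, hardlink_rejected): a plain log opens, a linked one is refused."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "trace.log")
        victim = os.path.join(d, "protected.txt")  # file the logger must never modify
        linked = os.path.join(d, "trace2.log")
        open(victim, "w").close()
        os.link(victim, linked)  # simulated attacker-created hard link (constructed)
        with open_log_safely(plain) as f:
            f.write("ok\n")
        plain_ok = os.path.getsize(plain) == 3
        try:
            open_log_safely(linked)
            hardlink_rejected = False
        except OSError:
            hardlink_rejected = True
        return plain_ok, hardlink_rejected


if __name__ == "__main__":
    print(demo())
```

The important design point is that the link count and file type are read with `fstat` on the descriptor that will actually be written, so an attacker cannot swap the path between the check and the write.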
Majority of iPhone users remain vulnerable to bugs in iOS
- Apple recently patched five critical flaws with its iOS 12.4 update; however, over 90% of iPhone users have not updated their devices, meaning they remain vulnerable. The most critical vulnerabilities, CVE-2019-8624 and CVE-2019-8646, could leave users at risk of having their files read by a remote malicious actor, among other threats.
- Users have to manually visit the software update section of their device, as user notifications for the update are not yet available.
Various Android antivirus apps contain privacy and security flaws
- An analysis from Comparitech of 21 Android antivirus apps showed that three of the apps, from VIPRE Mobile, AEGISLAB and BullGuard, contain serious security flaws, whilst a further seven apps failed at detecting a test virus. Overall, 47% of all apps failed Comparitech’s tests in some way.
- Most severely, VIPRE’s app includes a critical flaw, caused by broken or poorly implemented access control, that could enable an attacker to gain access to premium users’ address books if synchronisation is enabled. This could leave them at risk of having their contacts stolen, including full names, photos, addresses and notes with sensitive personal information.
- All three vendors whose apps were found to contain serious vulnerabilities have released updates to address them.
Pastebin scrape analysis shows wealth of malicious files
- Researchers at Fortinet scraped Pastebin data and discovered over 22,000 pastes that contained malicious scripts, stolen credentials, encoded content, or malware.
- Over 8,000 files contained Base64 encoded content that included hashes, binary data and obfuscated scripts. Approximately 1,000 files were bash scripts such as crypto miners and scripts used to install other services. A further 4,000 pastes related to encoded content such as encryption keys, hardcoded authentication tokens, onion service links, and more.
US military purchased electronics with known security risks
- Throughout 2018, the US military purchased $32.8 million worth of electronics containing known security risks, including Lexmark printers, GoPro cameras and Lenovo computers. The products were bought by Army and Air Force employees using payment cards issued by the government for micro-purchases of under $10,000.
- The Department of Defence Inspector General (DODIG) feared that the Chinese-made Lexmark printers and Lenovo computers could potentially be used for cyberespionage purposes by US adversaries. The GoPro cameras were found to contain vulnerabilities that could allow a remote attacker to access the stored network credentials and live stream videos.
- The DODIG report emphasised that it is not the first time that Department of Defence agencies ignored cybersecurity alerts when making micro-purchases.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.