Silobreaker Daily Cyber Digest – 05 December 2018
Over 100,000 PCs in China infected with ransomware
- The “poorly written” ransomware encrypts files and steals credentials for Chinese online services including Alipay, QQ and Baidu Cloud. It has been dubbed “WeChat Ransom” in some reports, and demands 110 yuan ($16) payable via the WeChat payment service.
- According to researchers at Huorong, the malware’s authors are using a Chinese social networking service called Douban to send commands. Tencent have stated that the malware propagated through over 50 compromised applications, some of which are designed to manage QQ accounts.
Malicious applications discovered on Apple App Store
- In a similar vein to the previously discussed App Store scam application ‘Heart Rate’, two applications named ‘Fitness Balance’ and ‘Calories Tracker’ attempted to trick users into expensive purchases by leveraging Touch ID to covertly authorise payments.
- The applications instructed users to touch the biometric scanner to view their diet recommendations and calorie trackers, but instead the fingerprint was used to authorise a payment of at least $99.99.
- The applications have since been removed from the Apple App Store.
London Blue cybergang phishing campaign discovered
- Researchers at Agari have discovered that London Blue, a UK and Nigeria-based cybergang, has obtained a list of over 50,000 corporate officials to be targeted in business email compromise phishing campaigns. 71% of targets are CFOs, and over half are based in the United States.
Microsoft releases analysis of cyberattack targeting US organizations
- In contrast to some security researchers, Windows Defender Research stated that there is insufficient evidence to attribute the attack to YTTRIUM, a group that largely overlaps with APT29 or CozyBear.
- Microsoft researchers note that the attack targeted mainly US organizations involved in policy-making or politics. Spear-phishing emails mimicked OneDrive sharing notifications from US Department of State employees.
- Clicking on a link initiated an exploit chain that implanted a DLL backdoor onto machines, giving attackers remote access.
Source (Includes IOCs)
Magecart’s Group 11 are now skimming admin credentials
- Researchers at RiskIQ reported that Group 11, which was behind the recent breach of VisionDirect, have started using keyword filtering to target admin credentials in addition to card data.
Leaks and Breaches
National Republican Congressional Committee breached
- The NRCC’s managed security service provider discovered the breach in April 2018. An unauthorized third party had accessed and surveilled the email accounts of four senior aides for several months.
- The method of compromise and identities of the aides have not been disclosed. The FBI is investigating.
Medical marijuana dispensary suffers data leak
- AltMed, a Florida-based medical marijuana dispensary, was notified that customer information was viewable via their website’s search function.
- The website was taken down shortly after, with a data breach notice being posted on their Facebook page on Sunday. It is unclear what types of information may have been accessed as a result of the data leak.
Critical vulnerabilities patched in Google Android
- 11 critical bugs, including four remote code execution flaws (CVE-2018-9549, CVE-2018-9550, CVE-2018-9551 and CVE-2018-9552), were patched by the Google Security team in their latest update. The vulnerabilities could have allowed an attacker to use a specially crafted file to execute code as a privileged user.
Machine-to-machine protocols open to abuse
- Researchers at Trend Micro analysed two popular machine-to-machine protocols, ‘Message Queuing Telemetry Transport’ and ‘Constrained Application Protocol’, both used in Industrial Control Systems. The vulnerabilities discovered allow a malicious actor to either execute arbitrary code or cause a denial-of-service condition, which could pose a large risk to an industrial system.
- There is no evidence to suggest that any actors or malware have leveraged these protocols, but researchers believe it will not take long before they are used for malicious activity.
AOL fined nearly $5 million for violating children’s privacy laws
- AOL, which is owned by Verizon, has been fined $4.95 million by the Attorney General’s office for helping advertisers track and serve targeted ads to children.
- These practices took place between October 2015 and February 2017 and are illegal under the Children’s Online Privacy Protection Act (COPPA).
Russian charged with hacking Pittsburgh National Golf Course
- Ilya Kulkov, of Barnaul, Russia, has been charged with five offences including money laundering, computer fraud, and wire fraud. It is alleged that Kulkov hacked into a desktop computer at Pittsburgh National Golf Course to systematically purchase and export products to Barnaul via fraudulent means.
- Kulkov faces a fine of up to $250,000 and a minimum sentence of 20 years in prison if found guilty.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.