Silobreaker Daily Cyber Digest – 05 July 2019
Fallout exploit kit continues to infect users
- Researchers at Cybereason analysed the infection chain used by the Fallout exploit kit (EK), first discovered in February 2019, and report that it remains active. Fallout EK weaponizes itself with publicly available exploit code hosted on GitHub, most notably for the Flash Player vulnerability CVE-2018-15982.
- Fallout EK was initially dropping GandCrab ransomware but has since also been observed dropping other ransomware and infostealers, including AZORult infostealer, which the researchers analysed.
- In this case, the infection flow is via a ‘drive-by download’, where a user browses a compromised or malicious webpage. The attack uses PowerShell instead of Internet Explorer to execute the final payload and bypass the Windows Antimalware Scan Interface. Once vulnerabilities are found on the device, the infostealer is dropped to steal data from the victim’s device.
Source (Includes IOCs)
More than 200 new versions of Emotet Trojan added per day
- In the first half of 2019, researchers at G-Data recorded more than 33,000 new variants of Emotet Trojan. Criminals are creating new variants of the malware at a quick pace by using crypters that give the malware a new appearance and allow it to evade antivirus software.
‘Updates for Samsung’ app scam targeting Android users
- Security researcher Aleksejs Kuprins discovered a fraudulent Android app called ‘Updates for Samsung’ that charges for official Android firmware updates. The app has already been downloaded by over 10 million users. Kuprins recommends using Samsung’s own update procedure, which delivers firmware directly from the vendor free of charge.
- The fraudulent app redirects its users to an ad-filled website that offers legitimate Samsung firmware, with a choice between a free, slow download and a paid, faster one. For the latter, the app uses its own payment system, which risks payment data being intercepted or tracked by a third party.
Source (Includes IOCs)
NewsBeef APT undergoes a shift in toolset
- Kaspersky Lab researchers examined a change in the tactics of NewsBeef APT in a campaign primarily against Saudi Arabian targets. NewsBeef had previously used the Browser Exploitation Framework (BeEF), however this was not observed being used in the current campaign.
- The current campaign uses macro-enabled malicious Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools to compromise sites, including those belonging to high-profile Saudi Arabian government entities.
- The researchers believe attacks against Saudi Arabian organisations and individuals will continue and expect the group to extend its campaign against other organisations doing business with Saudi Arabian organisations and individuals.
Threat actor TA505 launches new spam campaigns and introduces new malware tools
- Researchers at Trend Micro discovered that the Russian-speaking TA505 group has launched a series of spam email campaigns targeting the UAE, Saudi Arabia, India, Japan, Argentina, the Philippines and South Korea.
- TA505’s campaigns targeting Middle Eastern countries began on June 11th, 2019 and continued throughout the month. Emails dispatched by TA505 were discovered to contain a range of malware including FlawedAmmyy malware, Amadey malware and ServHelper malware.
- From mid-June, TA505 also launched campaigns in Argentina and countries in Asia. Two new pieces of malware were used in these campaigns, AndroMut malware and FlowerPippi backdoor. AndroMut, also called Gelup, is a downloader that employs advanced obfuscation techniques. FlowerPippi is a standalone malware tool that acts as a backdoor and downloader.
Leaks and Breaches
UK’s St John Ambulance hit by ransomware
- St John Ambulance service was hit by ransomware on July 2nd, 2019. The issue is said to have been resolved within thirty minutes and no information is believed to have been stolen.
Two US health care providers inform patients of data breach
- The Arkansas-based Community Physicians Group suffered a data breach on February 19th, 2019, which left the data of 5,400 patients exposed. The breach was first detected on April 24th, 2019, and is the result of a phishing attack. Exposed data included names, medical record numbers, dates of service and a brief description of the nature of the visit.
- Vermont-based Addison County Home Health & Hospice’s data breach also took place on February 19th and was first discovered on April 26th, 2019. The breach exposed private information of 758 patients, including names, clinical information and in several cases medical record numbers and Social Security numbers.
Hackers steal $500,000 from 7-Eleven Japan customers due to weakness in mobile app
- 7-Eleven Japan launched the 7pay mobile payment app on July 1st, 2019. The app contained a password reset function that allowed anyone to request a password reset for other users’ accounts: attackers who knew a user’s email, date of birth and phone number could have the password reset link sent to an address they controlled rather than to the account owner’s.
- Approximately 900 customers lost a collective ¥55 million ($510,000). 7-Eleven Japan shut the app down on July 3rd, 2019.
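The reset-flow weakness described above, as an added illustration that is not part of the digest or of 7pay’s actual code: a handler that lets the request choose where the reset link is delivered, beside a hardened version that mails only the address on record and answers uniformly. The user store, mailer and field names are constructed stand-ins.

```python
"""Password-reset handlers modelled on the 7pay weakness (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    dob: str
    phone: str


# Constructed sample account store, keyed by the registered email address.
USERS = {"victim@example.com": User("victim@example.com", "1990-01-01", "0900000000")}


@dataclass
class Mailer:
    """Stand-in for the outbound mail service; records (destination, token) pairs."""
    sent: list = field(default_factory=list)

    def send(self, to: str, token: str) -> None:
        self.sent.append((to, token))


def vulnerable_reset(req: dict, mailer: Mailer) -> str:
    """Before: checks knowledge-based details, then mails wherever the request asks.

    Anyone who knows the victim's email, date of birth and phone number can pass
    their own address in 'send_to' and receive the victim's reset link.
    """
    u = USERS.get(req["email"])
    if not u or (u.dob, u.phone) != (req["dob"], req["phone"]):
        return "no such account"          # also leaks whether the account exists
    token = secrets.token_urlsafe(32)
    mailer.send(req.get("send_to", u.email), token)   # caller-chosen destination
    return "sent"


def hardened_reset(req: dict, mailer: Mailer) -> str:
    """After: the destination comes only from the stored record, never the request,
    and the response is identical whether or not the account/details matched."""
    u = USERS.get(req["email"])
    if u and (u.dob, u.phone) == (req["dob"], req["phone"]):
        mailer.send(u.email, secrets.token_urlsafe(32))   # ignores any 'send_to'
    return "if the account exists, a reset link has been sent to its registered email"
```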
Vulnerability in Uttar Pradesh transport site potentially exposed passenger information
- Security engineer Avinash Jain discovered a vulnerability in an application on the Uttar Pradesh State Road Transport Corporation website that potentially exposed a large database containing passenger information.
- This information includes customers’ full names, mobile numbers, addresses, dates of birth, partial debit and credit card numbers, and more. It is unclear whether any data was accessed by hackers and the vulnerability has since been fixed.
Huawei cryptographic keys found in Cisco switches
- Researchers at SEC Consult found that firmware for Cisco SG250 Smart Switches contained X.509 certificates and keys that belong to Futurewei Technologies, a US subsidiary of Huawei.
- Following an investigation, Cisco revealed that the certificates and keys were part of the OpenDaylight GitHub open source package that is used in some Cisco products.
- Cisco 250/350/350X/550X Series Switches are all affected. Cisco stated that no attack vectors had been found as shipped versions of the firmware don’t contain the certificates.
FBI warns of sextortion scam targeting teenagers
- On July 3rd, 2019, the FBI issued a warning via their Twitter account urging individuals not to send their pictures to strangers. The agency published a report at the end of May 2019 which recorded an increase in the number of sextortion scams which have been directed against children.
Lloyd’s of London wants clearer insurance policies regarding cyber attacks
- Lloyd’s said that they want all policies to clearly state whether coverage would be excluded or provided in the event of a cyber-attack. The company stated that starting in 2020 its underwriters who provide coverage for first-party property damage should clarify the status of their cyber coverage.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.