Silobreaker Daily Cyber Digest – 05 November 2019
New functionalities found in Ryuk variants
- Crowdstrike Intelligence’s analysis of new Ryuk variants shows that new features have been added by WIZARD SPIDER, the threat actor known to distribute the ransomware. The new features suggest WIZARD SPIDER is aiming to maximise the number of devices they can infect with Ryuk.
- The first new functionality aims to wake local area network (LAN) hosts that are in standby power so that their files can be identified and encrypted. Ryuk does this by reading entries in the host’s Address Resolution Protocol (ARP) cache to identify machines and sending a Wake-on-LAN magic packet to them. The researchers note that the number of impacted devices will likely be limited, as a MAC address will only be present in a remote system’s ARP cache if the device was recently put to sleep.
- The second new feature is Ryuk’s use of ARP ping scanning to identify hosts on the LAN. The malware checks entries in the ARP cache for IP addresses with specific substrings. If they are present, it sends ARP and ping requests to all IP addresses in the Class C network that begin with the specific string value. Once a host responds, Ryuk attempts to mount its network drives over Server Message Block (SMB) and encrypts their contents.
Source (Includes IOCs)
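As an added defensive example (not part of the digest or of CrowdStrike’s analysis), the following Python sketches two sensor-side checks for the Ryuk behaviour described above: validating that a UDP payload is a Wake-on-LAN magic packet, and flagging a source that ARP-probes many hosts across a single Class C (/24) network. The event layout, sample traffic and threshold are assumptions.

```python
# Added defensive example; not code from the digest or from CrowdStrike's report.
# Event layout, sample traffic and the sweep threshold are my own assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


def wol_target_mac(payload: bytes) -> Optional[str]:
    """Return the target MAC if `payload` is a Wake-on-LAN magic packet, else None.

    A magic packet is six 0xFF bytes followed by the target MAC repeated 16 times
    (102 bytes); an optional password may follow, so longer payloads are accepted.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def arp_sweep_sources(arp_requests: Iterable[Tuple[str, str]],
                      threshold: int = 32) -> Dict[str, str]:
    """Given (src_ip, dst_ip) ARP who-has requests, return {src_ip: network}
    for senders that probed at least `threshold` distinct hosts in one /24."""
    seen = defaultdict(set)  # (src, /24 network) -> set of probed host addresses
    for src, dst in arp_requests:
        net = ip_network(f"{dst}/24", strict=False)
        seen[(src, net)].add(ip_address(dst))
    return {src: str(net) for (src, net), hosts in seen.items()
            if len(hosts) >= threshold}


# Constructed samples: one valid magic packet, one that breaks the 16x repetition,
# and an ARP log where 10.1.2.5 sweeps the whole /24 while 10.1.2.7 is benign.
SAMPLE_WOL = b"\xff" * 6 + bytes.fromhex("001122aabbcc") * 16
SAMPLE_NOT_WOL = b"\xff" * 6 + bytes.fromhex("001122aabbcc") * 15 + bytes(6)
SAMPLE_ARP = [("10.1.2.5", f"10.1.2.{i}") for i in range(1, 255)] + \
             [("10.1.2.7", "10.1.2.1"), ("10.1.2.7", "10.1.2.2")]

if __name__ == "__main__":
    print(wol_target_mac(SAMPLE_WOL))        # 00:11:22:aa:bb:cc
    print(wol_target_mac(SAMPLE_NOT_WOL))    # None
    print(arp_sweep_sources(SAMPLE_ARP))     # {'10.1.2.5': '10.1.2.0/24'}
```

Magic packets from an unexpected sender followed by a burst of ARP requests across a /24 from the same host are the combination worth alerting on; either alone is common in legitimate management traffic.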
Researchers discover multiple Magecart groups attacking same sites simultaneously
- Whilst examining the recent skimming attack against Sixth June, the PerimeterX Research Team observed a new trend in Magecart attacks: multiple Magecart groups were seen targeting the same websites at the same time. According to the researchers, the attacks used different techniques and did not appear to be coordinated.
- The researchers also found that Magecart attacks have become more organised and that the threat actors are sharing tools in their attacks against sites using e-commerce platforms.
- In their blog post, they provide a breakdown of the attack against Sixth June, as well as an analysis of another attack against PEXSuperstore[.]com which they discovered and that also involved simultaneous attacks by multiple Magecart groups.
- Their analysis also revealed that the perpetrators appear to name skimmers after the targeted websites. Some of the skimmers the researchers came across suggest that ‘upscalestripper’ and ‘galeriedebeaute’ may be targeted in future attacks.
Trik botnet now used to deliver Nemty ransomware to victims
- In early October 2019, researchers at Symantec discovered that the Trik botnet is being used to deliver Nemty ransomware. The botnet spreads Nemty to systems that have exposed server message block (SMB) network communication protocols, which are protected by weak credentials.
- The version of the ransomware identified by the researchers is Nemty 1.6. This new variant deletes shadow and backup copies before encryption rather than after it. Unlike previous versions of the malware, Nemty now stops services and applications that hold open the files it is attempting to encrypt. The researchers also found that the malware operators have abandoned their buggy AES-256 encryption implementation in favour of Windows CryptoAPI.
Source (Includes IOCs)
WP-VCD campaign responsible for most prevalent WordPress malware infections
- Wordfence researchers analysed the long-running WP-VCD campaign and found that it is responsible for a higher rate of infection of the WordPress ecosystem than any other WordPress malware since August 2019.
- The campaign spreads WP-VCD malware via ‘nulled’ or pirated plugins and themes. The malware uses self-healing infections to achieve persistence, whilst also making use of an extensive C2 infrastructure. WP-VCD is used for monetisation purposes, which is achieved via viral marketing and malvertising code that creates redirects and pop-up ads.
- An in-depth analysis of the current campaign can be found in Wordfence’s whitepaper.
Source (Includes IOCs)
Leaks and Breaches
Spanish companies impacted in ransomware attacks
- Spanish radio company Cadena SER and IT company Everis Group have taken their networks down following ransomware attacks. As a precautionary measure, the Spanish airport operator Aena also suspended some of their services.
- In an internal notification, Everis Group, which is owned by NTT DATA, informed staff that their network had been disconnected because of ‘a massive virus’. A ransom note left by the attackers demanded a payment of €750,000.
- Security researchers have stated that the malware used in the attack against Everis Group appears to be a variant of BitPaymer ransomware. The malware used in the attack against Cadena SER has not been disclosed.
Brooklyn Hospital Center loses patient files following ransomware attack
- New York’s Brooklyn Hospital Center was targeted in a ransomware attack in July 2019, which encrypted a number of files on the hospital’s servers. ‘Exhaustive efforts’ to recover encrypted files were made, yet some patients’ dental and cardiac images could not be decrypted. The hospital is due to inform impacted patients.
Washington University School of Medicine in St Louis notifies patients of data breach
- On November 1st, 2019, the Washington University School of Medicine (WUSM) released a statement that informed patients of a recent data breach incident related to the Department of Ophthalmology and Visual Sciences.
- WUSM stated that an individual with a personal relationship with an Ophthalmology Department employee had accessed the employee’s personal laptop and WUSM email address. The individual had sent letters to a small number of patients regarding the employee.
- The email account was accessed between April 29th, 2019, and September 3rd, 2019. Potentially exposed data included names, dates of birth, medical record numbers, certain treatment information, and more.
RCE vulnerabilities found in rConfig
- Penetration tester Askar discovered a pre-authorisation remote code execution (RCE) and a post-authorisation RCE vulnerability in rConfig. The flaws, tracked as CVE-2019-16662 and CVE-2019-16663, are present in all versions of rConfig.
- Additionally, security researcher Sudoka found that CVE-2019-16663 can be exploited without authentication in versions prior to rConfig 3.6.0.
- The company was informed of the vulnerabilities in September 2019; however, no patch is available to date.
Voice control systems such as Alexa and Siri can be hacked with laser beam
- Researchers at the University of Michigan and the University of Electro-Communications discovered an attack method, dubbed ‘light commands’, which allowed them to hack smart microphones with laser beams. The attack can be used against smart speakers, tablets or phones, and was tested against devices which used Apple Siri, Amazon Alexa, Facebook Portal, and Google Assistant.
- The researchers found that the MEMS microphones in these devices react to light beams. By modulating the electrical signal of the beam, the microphone acts as if it is receiving an audio signal. The ‘light commands’ can then be used to execute inaudible commands on the targeted device.
- The researchers successfully tested their attack from a distance of 110 meters and found that the attack works even when the device is behind a window.
Investintech Able2Extract Professional contains two remote code execution vulnerabilities
- Researchers at Cisco Talos identified two vulnerabilities, tracked as CVE-2019-5089 and CVE-2019-5088, in Investintech’s Able2Extract Professional. The software is used to convert PDFs and is used on Windows, Mac and Linux.
- Both issues are exploitable memory corruption vulnerabilities. CVE-2019-5089 can be triggered with a specially crafted JPEG file, whereas CVE-2019-5088 can be triggered with a specially crafted BMP file. Successful exploitation in both cases can allow an attacker to arbitrarily execute code on a target device.
City of Ocala loses $742,000 in BEC scam
- In September 2019, a senior accounting specialist working for the City of Ocala in Florida was contacted by a fraudster who posed as an employee of Ausley Construction. The scammer created an email address that appeared similar to Ausley Construction’s and requested that future payments from the city be sent to a different bank account.
- The scam resulted in the city transferring $742,376.73 to the fraudster’s account. The fraud was discovered on October 22nd, when the city was notified by Ausley Construction that they had not been paid.
C2 server shows threat actor employing range of malicious attacks
- Researchers at Cisco Talos identified a C2 server that hosted a range of malware including DoppelPaymer ransomware samples, credit card capture malware TinyPOS, and various loaders.
- The attackers were primarily using the malware to target medium-sized organisations in the industrial sector. An analysis of the files showed that in some cases the attackers had successfully obtained deep-level access to victims’ infrastructure.
- The researchers stated that the range of malware on the C2 showed how the attackers were able to use the same infrastructure for a variety of operations.
Source (Includes IOCs)
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.