Silobreaker Daily Cyber Digest – 06 December 2018
ESET report on 21 previously undocumented Linux malware families based on OpenSSH
- ESET’s investigation of the 21 in-the-wild malware samples revealed that 18 of them contained credential-stealing features, enabling them to steal passwords and/or keys used by the infected OpenSSH client and server. 17 out of the 21 samples featured a backdoor mode, permitting attackers to stealthily and persistently connect back to compromised machines.
- Their white paper provides further analysis of how researchers were led to their discovery, an overview of the various families, and results from their implementation in ESET’s custom honeypot architecture.
Source (Includes IOCs)
US DHS warns of SamSam ransomware targeting critical infrastructure
- A new alert by the Department of Homeland Security has stated that SamSam ransomware is targeting industries associated with critical infrastructure in the United States and globally.
- The hackers gain access to networks by exploiting Windows servers, and using Remote Desktop Protocol. The ransomware allows the hackers to escalate privileges, drop malware, and run executable files without being reliant on victims to open a malicious email or visit a compromised website.
WordPress site botnet attacks other WordPress sites
- Hackers controlling a network of 20,000 infected WordPress installations are using it to carry out brute force attacks on other WordPress sites. The botnet attempts repeated log-ins with different credential combinations in order to try and access the targeted account.
- Threat researcher Mikey Veenstra spotted the hackers using four C&C servers to send requests to more than 14,000 proxy servers, anonymizing the C&C servers’ traffic. The requests are then sent to the infected WordPress sites.
Foreign hackers reportedly target British DNA project
- Genomics England reported that hackers were targeting NHS’ patients genetic information repeatedly. The project had to move its data to be stored on UK Ministry of Defence servers in order to fend off the attacks.
Cybercriminals report rival cybergangs to Google in order to spread malware
- Torrentfreak reported that malicious parties are exploiting Google’s takedown system in order to remove game piracy sites from the search engine’s results. The criminals report the pirated content in order to promote their ranking and increase traffic to their own malicious sites.
STOLEN PENCIL campaign targets academic institutions
- Netscout researchers discovered a new campaign, dubbed STOLEN PENCIL, targeting academic institutions since at least May 2018, with a large number of victims from the field of biomedical engineering.
- Spear phishing emails are used to lure victims on to websites where they can download malicious Google Chrome extensions such as ‘Font Manager’. According to NetScout, the aim behind the campaign remains unclear but it is likely ‘that the intent is to steal browser cookies and passwords’ and use them in gaining access to accounts and systems. The malicious extensions have since been removed from the Chrome Web Store.
- Once the attackers gain a foothold on the targeted system, they use Microsoft’s Remote Desktop Protocol (RDP) for ‘remote point-and-click access’. NetScout notes that several features of the campaign, such as its use of off-the-shelf programs or Korean language, make it typical of ‘DPRK tradecraft’.
Source (Includes IOCs)
Researchers discover new formjacking campaign targeting popular shopping websites worldwide
- Symantec researchers have reported that the campaign has been active since at least November 25th, 2018. A formjacking script, located on the website of a Parisian retailer, was found to be collecting and sending information to a typosquatted Google Analytics domain. Moreover, websites of over 30 other popular retailers in countries such as the US, Japan, Australia or Germany, redirected users to the same Paris website.
- Another piece of code on the website was observed scanning for the presence of debugging tools in order to prevent researchers from analysing the malicious script.
- According to Symantec, this campaign differs from previous formjacking operations as ‘the redirecting website and the compromised website in many cases come from different areas of the online shopping landscape, dealing in entirely different product spaces’.
415,000 MikroTik routers worldwide infected with cryptojacking malware
- The malware allows hackers to secretly mine cryptocurrency by stealing the computing power of computers connected to the MikroTik routers.
- Initially routers affected were concentrated in Brazil, however further reports have stated that the malware has now been seen infecting routers worldwide, including North America, South America, Africa, Europe, the Middle East and Asia.
- The hackers reportedly exploit a security flaw in the older versions of the router’s firmware to inject the Coinhive script onto every web page that a user visits.
Ukraine claims to have blocked Russia’s cyberattack on judiciary systems
- The Security Service of Ukraine (SBU) reported that it has blocked an attempt by Russian special services to breach information and telecommunications systems used by Ukraine’s judiciary.
- According to SBU’s statement, the attack began with malicious emails, claiming to be accounting documents, that included malware capable of disrupting judicial information systems and stealing data. The malware was operated using C&C servers with Russian IP addresses.
Leaks and Breaches
BeatStars suffers security breach
- BeatStars, an online marketplace for music production beats, stated that they had detected unauthorized access to their servers, which resulted in the defacement of the BeatStars website.
- According to the company, the attacker was attempting to ‘mass delete and mass alter the content and the database’ on the server and no user content or financial data was compromised. It remains unclear whether the attacker was able to access users’ personal records.
Humble Bundle data breach could be the first step in a spear phishing attack
- The breach exposed the subscription status of users of the gaming subscription site. Humble Bundle claim no names, billing addresses, passwords or payment information were exposed.
- However, according to Malwarebytes Labs, this may be the first step in a much larger attack as the compromised subscription information is sufficient to be utilized in spear phishing.
Vtech encourages customers to install security update for flaw in children’s tablets
- The BBC have reported that Vtech has been promoting a security patch for its Storio Max tablet, also known as InnoTab Max, that is marketed to children. Although the patch was released in May 2018, according to the BBC the company has failed to actively encourage customers to update their devices’ software.
- The patch addresses a vulnerability in the tablet that can permit attackers to seize remote control of the device and use it to spy on victims. The flaw was discovered by SureCloud researchers earlier this year.
Apple releases security updates for numerous vulnerabilities
- Apple have released patches for several code execution, privilege escalation, and information disclosure vulnerabilities that affect core products including iCloud, Safari, iTunes, High Sierra, and more.
- The patches include the iOS 12.1.1 update that fixes a flaw discovered at the end of October 2018, that allows a user to access a phone’s contacts even when an iOS device is locked.
Adobe fixes zero-day Flash Player vulnerability leveraged in APT attack against Russia
- Qihoo researchers discovered an attack, dubbed ‘Operation Poison Needles’, against Russia’s FSBI ‘Polyclinic 2’ clinic, an establishment known for providing medical and cosmetic services to the executive and higher level employees of the Russian Federation.
- The attack used a fake employee questionnaire, which, when opened, triggered an exploit for the zero-day flaw, tracked as CVE-2018-15982. If a user agrees to click continue, despite the triggered warning displayed by Word, then a command is executed to extract a rar file and start the backup.exe executable contained in it.
- The backup file is a backdoor that poses as the Nvidia Control Panel application, and uses a stolen certificate from IKB SERVICE UK LTD. The backdoor sends information about the computer and installed applications to a remote host, in addition to downloading and executing shellcode on the infected computer.
Researchers discover new attack against AKA protocol affecting 3G to 5G networks
- Researchers from the Association for Cryptologic Research published a paper documenting a new attack against all variants of the Authentication and Key Agreement (AKA) protocol. The AKA protocol is used to provide security between mobile users and base stations.
- The attack leverages a logical vulnerability in the protocol, meaning it affects 3G, 4G and 5G network implementations. It was described as breaching ‘subscriber privacy more severely than known location privacy attacks do’ as it allows attackers ‘to learn information about targeted subscribers’ mobile service consumption even when subscribers move away from the attack area’.
Two men indicted by DoJ for SamSam ransomware attacks newly charged in Georgia
- The US Attorney’s Office for the District of Northern Georgia announced that the federal grand jury had returned indictments against two Iranian nationals who are believed to be responsible for the March 2018 ransomware attack against Atlanta City’s government services.
- Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri are accused of using SamSam ransomware to encrypt files on 3,789 City of Atlanta computers in an attempt to extort Atlanta officials for Bitcoin. The two perpetrators were similarly indicted by the US Department of Justice (DoJ) on November 27th, 2018.
BT will not use Huawei’s 5G kit in their core network
- According to a report by the BBC, BT have stated that they will not use Huawei equipment in their 5G networks, and have removed it from their 3G and 4G networks. They do, however, still plan to use Huawei’s phone mast antennas and other products that are not at the ‘core’ of the service.
- BT’s decision stems from security concerns regarding the Chinese company’s relations with the Chinese government.
Company named Dr. Shifro provides fake decryption service for Dharma victims
- Checkpoint researchers have discovered a company in Russia, dubbed Dr. Shifro, that claims to guarantee the decryption of files that have been encrypted by the Dharma ransomware strain.
- However, Checkpoint’s undercover investigation has revealed that the company contact the ransomware creator and ask for a discounted price for the decryption key, at approximately $1,300. They then charge the unsuspecting victim the discounted price along with a $1,000 markup for their ‘decryption service’.
Twelve US states file joint cross-state data breach lawsuit against healthcare provider
- The states have filed the lawsuit in an Indiana court against Medical Informatics Engineering and its subsidiary NoMoreClipboard for not adequately protecting their computer systems. In 2015, hackers gained access to the provider’s WebChart web app and stole personal data pertaining to 3.9 million US citizens.
- The data included names, phone numbers, addresses, birth dates, Social Security numbers, passwords and more.
UK Information Commissioner’s Office fines headteacher for downloading students’ data
- Davis Harrison reportedly downloaded information on primary school children from his previous place of employment and uploaded it to the servers at his new place of employment at another primary school.
- The Information Commissioner’s Office fined Harrison £700 pounds for the unlawful processing of sensitive personal data.
Zuckerberg defends confidential email exchanges published by UK parliamentary committee
- Facebook CEO Mark Zuckerberg defended the content of emails and documents published by the company Six4Three at the behest of the UK parliamentary committee.
- Zuckerberg claimed the documents were misleading and that the social media giant had never sold individuals’ data.
University researchers create text-based CAPTCHA solvers
- Researchers at the University of Lancaster in the UK, Northwest University in the US and Peking University in China have described their CAPTCHA cracking system in a paper titled ‘Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach’.
- The researchers used a General Adversarial Network (GAN) to teach their CAPTCHA generation program to create lots of text puzzles, very quickly, to train their basic puzzle solving model. They then fine tune the process ‘via learning to defeat real text jumbles using only a small set of actual samples.’
- The researchers used 33 text-based CAPTCHA schemes, 11 of which were being used by top rated websites this year, and the CAPTCHA’S were cracked in less than 50 milliseconds using desktop GPU.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.