Silobreaker Daily Cyber Digest – 06 November 2018
Cylance dissect VSSDestroy ransomware in new report
- Cylance have published a report detailing a technical analysis of VSSDestroy ransomware, a variant of Matrix ransomware created to target Windows workstations. The ransomware was last seen being distributed via the Rig Exploit Kit in 2017.
Source (Includes IOCs)
New Twitter spam campaign impersonates Elon Musk and promotes fake Bitcoin giveaway
- A new scam emerged on Twitter in which perpetrators pretend to be Elon Musk and promote a ‘crypto-giveaway’ of 10,000 Bitcoins. The operation has generated a profit of over $180,000 in Bitcoins in a single day.
- The attackers hacked verified Twitter accounts and changed their profile name to ‘Elon Musk’ in an attempt to make the campaign appear credible. Hacked accounts include the official Twitter accounts of the Colombian Ministry of Transportation and the Indian National Disaster Management Authority.
- The campaign lures users into visiting the websites musk[.]plus, musk[.]fund or spacex[.]plus, on which they are asked to send 0.1 or 0.3 Bitcoins in order to receive 1-30 times more in Bitcoin back.
New spam email campaign distributes Trickbot
- A new spam campaign has been discovered delivering the Trickbot malware. Fake emails pretending to be from HSBC with the subject line ‘FW: Account Review’ are used to distribute malicious XLS file attachments. Upon opening the attachment and enabling macros, the victim’s device is infected with Trickbot.
Attackers target Iranian users of Instagram and Telegram
- Cisco Talos have reported on several techniques they observed being used to attack Iranian social media users and steal their private information. Techniques include the use of fake login pages, malicious apps disguised as their genuine counterparts and BGP hijacking, with which attackers have, in particular, targeted Telegram and Instagram users.
Inception attackers target European users with PowerShell backdoor
- Palo Alto Networks researchers identified a new campaign attributed to the Inception Framework Group. The threat actors exploited the remote templates feature in Microsoft Word, fetching a malicious remote payload via HTTP once a Word document was opened. The researchers observed cases where the templates contained exploits for both CVE-2012-1856 and CVE-2017-11882. The two flaws received patches in 2012 and 2017, respectively.
- The campaign also featured a new PowerShell backdoor dubbed PowerShower. The backdoor was described as an ‘initial reconnaissance foothold’ that is used to download and execute secondary, more complex, payloads. The campaign targeted European users.
Malwarebytes Labs report on browser locker scams
- Researchers at Malwarebytes observed new techniques being leveraged in an attempt to bypass detection and sanitisation techniques in modern browsers, including the use of encoding to bypass signature-based detection.
Scam observed targeting HR professionals with fake job applications
- Scam emails are being sent to employers posing as job applications containing fake resumes. The emails prompt the recipient to enter a password which, if entered, downloads malicious software.
- Subject lines include ‘application’, ‘job application’, ‘regarding job’, and more, aimed at employers who are looking to fill casual roles over the Christmas season.
Leaks and Breaches
Anonymous Italy leaks personal data of Italian ministries and more online
- Anonymous Italy have attacked websites and databases of Italian ministries, police and research institutions, releasing the stolen data online.
- Full names, telephone numbers and email addresses of the employees and officials of various research institutes of the National Research Council, Equitalia databases and databases of the Ministry of Economic Development were compromised. Moreover, sensitive data of the members of the political parties Lega Nord del Trentin, Fratelli d’Italia and the Democratic Party of the city of Siena were exposed.
- Other released data includes the full names of members of the national police association and of the Central Institute for Archives.
Five Guys notifies employees of data breach
- The restaurant chain has issued a notice regarding a security incident in which a phishing email led to the unauthorized access of an employee’s email account.
- Through the account, the perpetrator was able to access data that included names, birthdates, Social Security numbers, addresses, hire dates, termination dates and 401K contribution information.
Flaws in popular SSD drives allow bypass of hardware disk encryption
- Researchers Carlo Meijer and Bernard van Gastel from Radboud University have detailed how they were able to modify firmware or use a debugging interface to modify the password validation routine in SSD drives.
- The report, titled ‘Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)’, explains how these methods can achieve decryption of hardware-encrypted data without a password.
- The methods were tested successfully against popular SSD drives such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable and Samsung T5 Portable.
Vulnerabilities found in U-Boot permitting arbitrary code execution
- Researcher Andrea Barisani disclosed two vulnerabilities, tracked as CVE-2018-18440 and CVE-2018-18439, in the Universal Boot Loader (U-Boot). U-Boot is an open-source bootloader for embedded devices that is used for initial hardware configuration and loading the OS kernel.
- These two memory handling issues could allow attackers to execute arbitrary code on the system. Barisani believes that all versions of the U-Boot software are vulnerable to this form of attack.
Icecast security bug leaves online radio stations vulnerable
- The flaw, tracked as CVE-2018-18820, is reportedly severe enough to trigger a segmentation fault in the server process, causing an access violation condition that leads to a crash. Theoretically, the flaw could also allow remote code execution, which could be achieved if an attacker created long enough specially-crafted HTTP headers.
- The bug results from the way Icecast uses the ‘snprintf’ function, which ‘redirects the data output to a buffer’ and is meant to avoid buffer overflow issues ‘by truncating the output if the buffer is not sufficiently large’.
Customers report issues with logging into AOL and Yahoo mail
- Users have reported issues with logging in to their Yahoo and AOL accounts. Those attempting to log in may be shown an error stating that the IP address for servers oidc.mail.aol[.]com and api.login.aol[.]com could not be found.
- It is currently unknown what is causing the outage.
Spammers make ‘Trump’ the top term in 2018 midterm election spam subject lines
- Proofpoint have reported that ‘Trump’ is dominating the subject lines of election-related spam content.
- In political party-related searches, ‘Trump’ appeared 4.6 times as often as the next nearest term, ‘Democrat’. Other high profile candidates such as ‘Cruz’ and ‘Pelosi’ also featured, though not as frequently as ‘Trump’.
- Proofpoint have previously found that higher volumes of spam associated with a particular party or candidate correlate with their positive outcomes in the election.
Facebook blocks accounts involved in suspicious activity ahead of US midterm elections
- Facebook issued an update regarding the blocking of 30 Facebook and 85 Instagram accounts suspected of involvement in ‘coordinated inauthentic behaviour’ by foreign entities ahead of the upcoming US midterm elections.
- The Facebook accounts were mostly in Russian and French, while the Instagram accounts were in English. Facebook has stated they will be conducting further investigation into the matter.
84% of new PCs purchased in Asia and running pirated software contain malware
- A study conducted by Microsoft revealed that 83% of new PCs, purchased in Asia from discount retailers, are using pirated software. The sampled computers were offered at a lower cost or with free software bundles.
- The researchers also found that 84% of PCs with pirated software were also infected with some type of malware, most commonly trojans or viruses.
- The PCs were sampled from retail stores in India, Indonesia, Korea, Malaysia, Philippines, Singapore, Taiwan, Thailand and Vietnam.
Stolen data sold for cheap on the dark web
- An investigation conducted by researchers at Kaspersky Lab found that sensitive stolen personal data was being sold for as little as $1 on dark web marketplaces, with many of the accounts including a ‘lifetime warranty’, so that if an account no longer worked, the customer could receive a new one for free.
- The stolen personal data for sale includes banking details, social media credentials, application data and even remote access to desktops and servers. David Jacoby, a senior security researcher at Kaspersky Lab, even found a Swedish passport for sale for $4000.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.