Silobreaker Daily Cyber Digest – 07 January 2019
Malvertising campaign delivers Vidar and GandCrab
- Malwarebytes Labs researchers detected a new malvertising campaign in which the Fallout Exploit Kit is used to distribute Vidar Stealer and GandCrab Ransomware.
- According to their blog post, Vidar is a recently identified malware capable of stealing browser histories and cryptocurrency wallets, capturing instant messages, and can be customized depending on what data the attacker is interested in. Vidar also contains a loader feature that was used, in this case, to download GandCrab as a secondary payload.
Source (Includes IOCs)
‘Retro games’ iOS apps found to be communicating with Golduck malware server
- Wandera security researchers discovered 14 iOS applications, all promoted as ‘retro-style’ games, that communicate with a C&C server associated with Golduck Malware. The game apps were observed sending data such as the IP address, device type, and in some cases location, to the Golduck server.
- According to the researchers, although the apps themselves do not contain malicious code, they provide access to the user’s iOS device as the ad space could be used to display links that lure users into downloading malicious payloads. A secondary ad area on the application is also being used to provide content from a known malicious server.
- Golduck Malware was previously found targeting Android devices, infecting them with malware and potentially leading to complete device compromise.
‘WhatsApp Gold’ hoax re-emerges
- The campaign involves the distribution of hoax messages claiming that ‘WhatsApp Gold’ will be launched via a video called ‘Martinelli’, distributed via WhatsApp. The message then claims the video is a virus and warns users against clicking on it.
- Despite there being no evidence of such videos being distributed, the messages reference an actual malware campaign from 2016. Users are warned against forwarding the message.
- The referenced ‘WhatsApp Gold’ campaign was first identified in 2016 and involved users being lured into clicking links that offered them exclusive access to a ‘premium’ WhatsApp version, but actually infected their devices with malware.
Leaks and Breaches
Whistler municipality website suffers security breach
- The website of the Resort Municipality of Whistler, Canada, was hit by a cyber attack that led to personal information being collected via web forms. According to an official statement, credit card data and Social Security numbers were not affected.
Hacker sends spam via Australian Early Warning Network
- A hacker reportedly accessed the network and used it to send spam to Queensland residents that read ‘EWN has been hacked. Your personal data is not safe’.
- The hacker gained access using an authorized user’s credentials.
Singapore Airlines data breach affects 285 accounts
- A software vulnerability resulted in the compromise of 285 frequent flyer members’ information, including passport and flight data.
- The vulnerability was introduced by a change made to the airline’s website on January 4th, 2019, which allowed some members to view other travellers’ information.
Titan Inc suffers data breach
- Test and assembly systems manufacturer Titan reported that its computer system had been infected with malware between November 23rd, 2017, and October 25th, 2018. It is unclear what malware was used in the breach.
- Customers who purchased from the company’s online stores may have had their names, addresses, phone numbers and payment information stolen.
California Department of Insurance flaw potentially exposes individuals’ SSNs
- Indian cyber security firm Banbreach alerted the California Department of Insurance that interactive[.]web[.]insurance[.]ca[.]gov was hosting an Oracle reporting server that had generated over 24,450 reports in 24 hours. The reports included agents’ names, renewal IDs, and tax identification numbers (TINs).
- Many individuals use their social security number (SSN) as their TIN, so the exposure could potentially have paired names with SSNs.
Town of Salem breached passwords cracked
- Following reports of the Town of Salem game’s data breach, in which the hashed passwords of approximately 7.6 million accounts were exposed, BleepingComputer has reported that at the time of writing over 27%, or 2,108,552, of those passwords had already been cracked. The breach involved the information of 8,388,894 users with 7,633,234 unique email addresses.
- The passwords were cracked by the community-driven password recovery site Hashes.org. The site does allow users to download the cracked password lists, but they do not include identifying information.
Humana reports Bankers Life breach exposing personal information
- Humana has reported that an unauthorised third party accessed credentials of Bankers Life employees, exposing personal information of people who have applied for a Humana policy. Data accessed includes names, addresses, birth dates, the last four digits of social security numbers, and more.
- The breach occurred between May 30th and September 13th, 2018.
CERT/CC reports two critical vulnerabilities in Microsoft Windows and Windows Server
- The first flaw, tracked as CVE-2018-8611, is an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. The flaw could be exploited to run arbitrary code in kernel mode.
- The second flaw, tracked as CVE-2018-8626, is a remote code execution flaw in Windows DNS servers that fail to properly handle requests. The bug could be exploited to run arbitrary code in the context of the Local System account.
Flaw in Skype for Android permits authentication bypass exposing user data
- Researcher Florian Kunushevci discovered a vulnerability in Skype for Android that permits an attacker to access photos and contacts, and open links in a browser via the app.
- To successfully exploit the flaw, the attacker requires physical access to the target device. The locked device must then receive a Skype call, which the attacker answers; the call screen then gives access to user data even though the device remains locked.
Opera Blacklists Tampermonkey extension
- Opera has blacklisted a version of Tampermonkey offered on the Chrome Web Store after finding that Windows malware was installing it; the blacklisting prevents that extension from working in the Opera browser.
- Opera stated that the extension was being installed manually via the Registry or a JSON file and is ‘being used as a vehicle to circumvent [their] acceptance criteria for browser extensions’.
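The digest notes that the extension was being planted through the Registry rather than through the browser’s own installer. The following PowerShell is an added example, not code from the digest or from Opera, for listing the Windows install points that Chromium-based browsers consult for externally installed extensions, so a sideloaded extension can be spotted without opening the browser. It assumes the registry paths below, which are Chrome’s documented external-extension and policy force-install locations; Opera’s own equivalents are not covered, and the Web Store update URL used to tell normal installs apart is assumed to be the standard clients2.google.com endpoint.

```powershell
# Added example: enumerate Chromium-style external extension install points on Windows.
# Assumption: these are Chrome's documented locations; Opera's equivalents are not included.
$installKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
# Installs that point anywhere other than the official Web Store update service,
# or at a local CRX file, deserve a closer look.
$webStoreUpdate = 'https://clients2.google.com/service/update2/crx'

function Get-ExternalExtensions {
    $findings = @()

    foreach ($root in $installKeys) {
        if (-not (Test-Path $root)) { continue }
        # Each subkey is named after the 32-character extension ID and carries either
        # an update_url (Web Store or third-party update server) or path + version (local CRX).
        foreach ($sub in Get-ChildItem -Path $root) {
            $props = Get-ItemProperty -Path $sub.PSPath
            $findings += [pscustomobject]@{
                Source      = $root
                ExtensionId = $sub.PSChildName
                UpdateUrl   = $props.update_url
                LocalPath   = $props.path
                Suspicious  = ($props.path -ne $null) -or ($props.update_url -ne $webStoreUpdate)
            }
        }
    }

    foreach ($root in $forceListKeys) {
        if (-not (Test-Path $root)) { continue }
        # Force-list entries are "<id>;<update_url>" strings stored under numeric value names (1, 2, ...).
        $props = Get-ItemProperty -Path $root
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -match '^\d+$' }
        foreach ($name in $names) {
            $id, $url = $props.$name -split ';', 2
            $findings += [pscustomobject]@{
                Source      = $root
                ExtensionId = $id
                UpdateUrl   = $url
                LocalPath   = $null
                Suspicious  = ($url -ne $webStoreUpdate)
            }
        }
    }

    return $findings
}

Get-ExternalExtensions | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated shell so the HKLM keys are readable; an empty result means no external installs are registered for Chrome, while a Suspicious entry with a local path or a non-Web Store update URL is the pattern Opera describes and should be matched against the extension’s ID and the process that wrote the key.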
NSA releases a free software reverse engineering toolkit
- The NSA is releasing a software reverse engineering tool for free public use. The tool, dubbed GHIDRA, has been used internally at the NSA for over a decade and, although its existence was already disclosed by WikiLeaks, will be released and made publicly available on March 5th, 2019, at the RSAC 2019 conference.
- The software allows developers and researchers to ‘hook’ into black box proprietary software, as well as perform code analysis, debugging, neutralising of malware and adding functionalities to proprietary software.
Marriott reports smaller data breach than originally thought
- A data breach that occurred on the hotel chain’s Starwood guest reservations database between 2014 and September 2018, may have impacted 383 million records, in many cases with multiple records relating to the same individual. This figure was revised from the 500 million guests originally thought to be impacted by the breach.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.