Silobreaker Daily Cyber Digest – 07 November 2018
Cryptojacking attack hits St. Francis Xavier University in Canada
- St. Francis Xavier University in Antigonish, Nova Scotia, has issued a notice regarding an incident in which the University’s systems were attacked for the purpose of using their computing power to mine Bitcoin.
- In response to the attack the University disabled all network systems. No evidence was found of personal data of students or staff being accessed.
Cyren discovers fileless malware campaign targeting suppliers of Christmas goods
- The campaign has been observed targeting suppliers of Christmas goods with emails that use the subject line ‘Christmas Order’. Attached is a malicious document which, when opened, triggers a Windows alert warning the victim about running unverified software, as well as an AutoIt script loader module which starts the second payload.
- The second payload drops the NetWiredRC backdoor, which allows the attackers to log keystrokes, steal login credentials stored in multiple browsers, and steal email login credentials.
Source (Includes IOCs)
Leaks and Breaches
HSBC data breach exposes account information and personal data of US customers
- HSBC has released a notice of a data breach in which US customers’ online accounts were accessed by unauthorized users between October 4th and October 14th, 2018. According to Bleeping Computer, the breach affects about 1% of HSBC’s US accounts.
- The data accessed includes full names, mailing addresses, phone numbers, email addresses, birthdates, account numbers, account types, account balances, transaction history, payee account information and statement history.
- Bleeping Computer states that the credentials were likely obtained through a previous data breach; the stolen credentials were subsequently used in a credential stuffing attack on HSBC.
Cryptocurrency exchange Gate.io suffers supply-chain attack
- Web analytics platform StatCounter, a service used by companies to gather statistics on visitors to their websites, was breached on 3 November. The company has over two million member sites and computes statistics on more than 10 billion page views per month.
- The attacker modified the StatCounter script by inserting malicious code in the middle of it. The code first checks for Bitcoin-related URLs; at the time of writing, ESET found that Gate.io was the only cryptocurrency exchange with a live, valid page at that URL.
Source (Includes IOCs)
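A modified third-party script of the kind described in the StatCounter item is exactly what Subresource Integrity (SRI) is designed to catch: the embedding site pins a digest of the script it reviewed, and the browser refuses to run any fetched copy whose digest differs. The following is an added example (not Silobreaker's, StatCounter's or ESET's code); both script bodies and the example.invalid URL are constructed stand-ins.

```python
import base64
import hashlib

# Constructed stand-in for a clean third-party analytics script as first deployed.
ORIGINAL_SCRIPT = b"var sc_project=1234;(function(){/* record page view */})();"
# Constructed stand-in for the same script after code was inserted in its middle.
TAMPERED_SCRIPT = (
    b"var sc_project=1234;if(/* injected check on the page URL */0){}"
    b"(function(){/* record page view */})();"
)


def sri_digest(script_bytes, algo="sha384"):
    """Return the value for the tag's integrity attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(script_bytes, expected):
    """Check fetched script bytes against the pinned integrity value, as a browser does."""
    algo, _, _ = expected.partition("-")
    return sri_digest(script_bytes, algo) == expected


def script_tag(src, script_bytes):
    """Build the <script> tag that pins the script a site reviewed and approved."""
    integrity = sri_digest(script_bytes)
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    pinned = sri_digest(ORIGINAL_SCRIPT)
    print(script_tag("https://example.invalid/counter.js", ORIGINAL_SCRIPT))
    print("original loads:", integrity_matches(ORIGINAL_SCRIPT, pinned))  # True
    print("tampered loads:", integrity_matches(TAMPERED_SCRIPT, pinned))  # False
```

SRI only works when the pinned script is served from a stable URL; a provider that updates its script in place will break the tag, so the pin has to be refreshed whenever a new version is reviewed.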
Apache Struts urges users to apply FileUpload library updates to combat old flaws
- Versions of the Commons FileUpload library prior to 1.3.3 have a Java object deserialization issue, tracked as CVE-2016-1000031, that could be exploited to copy or write files to arbitrary locations on disk. In addition, the original security advisory, released in March 2018, states that this exploit can be combined with ysoserial to ‘upload and execute binaries in a single deserialization call’.
- Apache has reissued a recommendation for users to install a version of the Commons FileUpload library newer than 1.3.2, to protect their projects from remote code execution attacks.
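A quick way to act on Apache's recommendation is to scan build files for Commons FileUpload dependencies below the fixed version. The following is an added example (not Apache's or Silobreaker's code); it assumes a Maven pom.xml with literal `<version>` values, and the embedded pom is a constructed sample.

```python
import xml.etree.ElementTree as ET
FIXED_VERSION = (1, 3, 3)  # fixed version named in Apache's advisory for CVE-2016-1000031

# Constructed sample pom.xml: one vulnerable FileUpload entry and one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.8</version>
    </dependency>
  </dependencies>
</project>"""

def local_name(tag):
    """Strip the XML namespace so the check works with or without the POM xmlns."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'1.3.2' -> (1, 3, 2); '-SNAPSHOT' style qualifiers are dropped, '${prop}' -> ()."""
    text = text.strip()
    if text.startswith("${"):
        return ()  # unresolved Maven property; cannot judge without the parent POM
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def find_vulnerable_fileupload(pom_xml):
    """Return [(artifactId, version)] for commons-fileupload entries below 1.3.3."""
    hits = []
    for dep in ET.fromstring(pom_xml).iter():
        if local_name(dep.tag) != "dependency":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != "commons-fileupload":
            continue
        parsed = parse_version(fields.get("version", ""))
        if parsed and parsed < FIXED_VERSION:  # empty tuple = unparsable, skipped
            hits.append((fields["artifactId"], fields["version"]))
    return hits
```

Transitive dependencies (for example a FileUpload copy pulled in by Struts itself) do not appear in the pom, so the same threshold should also be applied to the resolved dependency tree or the deployed jar names.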
WordPress design flaw and WooCommerce vulnerability allow remote code execution
- Researcher Simon Scannell discovered a design flaw in the WordPress permission system used by plugins and a file deletion vulnerability in WooCommerce, a popular ecommerce plugin. Combined, the flaws could permit an attacker to gain full control over a WordPress site and execute code on the server.
- The vulnerabilities were patched in WooCommerce version 3.4.6 released on October 11th, 2018.
Zero-day vulnerability found in VirtualBox
- In a detailed technical write-up, researcher Sergey Zelenyuk disclosed a zero-day vulnerability he found in VirtualBox. The flaw can be exploited in virtual machines configured with the Intel PRO/1000 MT Desktop (82540EM) network adapter in Network Address Translation (NAT) mode. This is a default setting that allows guest systems to access external networks.
- The vulnerability permits attackers to escape the virtual environment of the guest machine and ‘reach the Ring 3 privilege layer, used for running code from most user programs, with least privileges.’
Google releases November bulletin patch bundle
- The bulletin detailed three remote code execution flaws and a number of information disclosure and elevation of privilege flaws in Android.
- The remote code execution flaws were discovered in the Android media framework, two rated critical (CVE-2018-9527 and CVE-2018-9531) and one rated high (CVE-2018-9521). The vulnerabilities could be exploited by an attacker using a malicious video or multimedia message, allowing the malicious code within the material to be executed with sufficient privileges to spy on the phone’s owner.
- Two critical elevation of privilege bugs, tracked as CVE-2018-9536 and CVE-2018-9537, were also found in the media framework. Other components, such as the Android system component and the libxaac media library, were also affected.
Flaw in Windows Evernote app permits XSS attacks
- Researcher TongQing Zhu discovered a vulnerability, tracked as CVE-2018-18524, in Evernote for Windows.
- The flaw could permit cross-site scripting (XSS) attacks. It was patched in the October 2018 release of Evernote version 6.16.1 beta.
China Telecom misdirects internet traffic
- In a blog post, researcher Doug Madory described how China Telecom has been misdirecting internet traffic, starting in 2015 and lasting approximately two and a half years.
- Madory provides an example in which the large telecommunications provider, which has close ties to the Chinese government, rerouted traffic originating in Los Angeles through a China Telecom facility in Hangzhou before it reached its final destination in Washington, DC.
- The researcher found this to be the result of China Telecom’s autonomous system AS4134 ‘mishandling routing announcements’, sending data destined for Verizon Asia-Pacific through China Telecom instead of through the usual multinational carriers.
UK government warns 5G network providers of security review
- The UK government has warned 5G telecommunication companies to ensure that their suppliers are thoroughly vetted for security. The 5G supply chain of several UK telecoms companies could potentially be impacted by a review of the UK’s infrastructure that was launched in July.
- The report highlighted Huawei as having ‘only limited assurance’ that its equipment poses no threat to national security. National security concerns were furthered after a report in The Australian cited a national security source who claimed Huawei staff helped Chinese intelligence ‘get access to codes to infiltrate a foreign network’.
Microsoft and Google apps are in top 20 for creating vulnerabilities in enterprise services
- Cybersecurity firm Tenable has found that the most prevalent vulnerabilities, those that could affect 20 to 30 percent of enterprises, are found in Microsoft products (.NET and Office), Adobe Flash and Oracle’s Java.
- Approximately half of the vulnerability-based enterprise threats are the result of problems with Adobe Flash, while 20 percent belong to Microsoft Office. In particular, CVE-2018-8202, a privilege escalation flaw in Microsoft’s .NET framework, reportedly has the potential to impact 32 percent of enterprises.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.