Silobreaker Daily Cyber Digest – 07 October 2019
Microsoft Windows Defender targeted by Novter Trojan
- Researcher Vitali Kremez reverse engineered the recently identified Novter malware and discovered that it attempts to deactivate Windows Defender by adding a variety of Windows policies.
- The policies ensure that Windows Defender is disabled and prevent new Windows updates from being automatically installed. A full list of the created policies is available via BleepingComputer.
Source (Includes IOCs)
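As an added defensive check, not part of the digest or of the Novter analysis it summarises, the PowerShell below audits well-known Windows Defender and Windows Update policy values that this kind of tampering sets. The exact policy list Novter writes is published at BleepingComputer and not reproduced here, so the values checked are assumed to overlap with it rather than to match it exactly.

```powershell
# Added example: audit Defender / Windows Update policy overrides of the kind
# described for Novter. The values below are standard Group Policy settings;
# the specific set Novter writes is not on this page (see BleepingComputer),
# so treat this as a generic tamper audit, not a Novter-specific signature.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';        Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection'; Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet';               Name = 'SpynetReporting';           Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoUpdate';              Bad = 1 }
)

function Get-DefenderPolicyTampering {
    foreach ($c in $checks) {
        # On an unmanaged host these policy values are normally absent, so any
        # present value is worth reporting; Suspect marks the disabling value.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $v = $item.($c.Name)
            [pscustomobject]@{
                Path    = $c.Path
                Name    = $c.Name
                Value   = $v
                Suspect = ($v -eq $c.Bad)
            }
        }
    }
}

$findings = Get-DefenderPolicyTampering
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Defender or Windows Update policy overrides found.'
}

# Cross-check the policy keys against what the Defender service itself reports
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    "RealTimeProtectionEnabled: $($status.RealTimeProtectionEnabled)"
    "AntivirusEnabled:          $($status.AntivirusEnabled)"
}
```

On domain-joined hosts some of these values may be set legitimately by Group Policy, so compare findings against the expected GPO baseline before treating them as evidence of infection.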
sLoad malware continues to evolve
- Researchers at Yoroi identified changes to sLoad malware, which has been used to target entities in Italy, the UK, and Canada. The most recent attack identified leverages a convincing phishing email that purported to come from the Italian Revenue Agency. The attackers also used a certified PEC mailbox in order to dupe targets.
- The malicious email includes a ZIP attachment containing a corrupted PDF file and VBScript. The attack chain primarily utilises a mixture of PowerShell scripts and VBScripts.
- The malware features new ‘Exec’ and ‘Eval’ commands which allow it to download further code through the Bitsadmin utility, and swaps out the ‘ScreenCapture’ function in order to improve persistence through scheduled tasks.
Source (Includes IOCs)
Researchers observe campaign using tailored PHP web shells targeting US company
- Check Point researchers have observed a targeted campaign against a US-based engineering company that leveraged a command-injection technique over HTTP, injecting a PHP web shell into the Asterisk server’s outgoing directory. It is unclear whether a vulnerability was exploited.
- The researchers initially spotted scanning activity targeting 1,500 unique gateways of 600 companies lasting for five months in 2018, after which it resumed again in February 2019 targeting only the specific US company. Once the company’s server was compromised, the attacker gained complete control and access to databases, call recordings, metadata, and information on individuals involved in calls. A call file was also injected, which caused the server to make external calls and play canned messages using the company’s identity.
- The attacker has been linked to a LinkedIn account of an individual working for the Palestinian Ministry of Telecommunications, describing themselves as a ‘security enthusiast.’ The exact motive behind the attack remains unknown.
Buggy WordPress infection campaign continues with new obfuscation techniques
- A total of 89 sites had already been indexed by PublicWWW as containing this code. Recently exploited plugins include the Rich Reviews plugin, as well as the Blog Designer plugin.
Iranian-linked Phosphorus group targets US presidential campaign
- Researchers at Microsoft discovered the Phosphorus group, which has links with the government of Iran, targeting the email accounts of individuals associated with a US presidential election campaign, former and current US officials, journalists, and prominent Iranians living outside Iran.
- The researchers identified over 2,700 attempts to identify Microsoft customer email accounts that occurred in a 30-day period during August and September 2019. The attackers then proceeded to launch attacks against 241 accounts by abusing the password reset and account recovery functions.
- Although the attack method was crude, Phosphorus did gather a ‘significant amount of personal information’ in order to identify, and in some cases attack, their targets. The researchers stated that 4 accounts were successfully compromised; however, these did not belong to individuals associated with the US presidential election campaign, or to former or current government officials.
Leaks and Breaches
Sephora and StreetEasy data breach information added to Have I Been Pwned
- StreetEasy was impacted by a data breach in June 2016 that exposed roughly 988,000 email addresses, names, usernames, and SHA-1 hashes of passwords. The information appeared for sale on the dark web in February 2019.
- Sephora Southeast Asia had the data of 780,073 customers stolen in January 2017. Exposed information included names, dates of birth, email addresses, ethnicities, and more. Sephora customer data has also appeared on online hacker forums.
Auction of details of 92 million Brazilians hosted on underground forums
- A user on the criminal underground, going by the name of X4Crow, is advertising a database which they claim contains the details of 92 million Brazilians. The seller states that the records are separated by province and include names, dates of birth, taxpayer numbers, and more. The database is apparently 16GB in size when in SQL format.
- The seller is auctioning the database for $15,000, and is also offering to provide information retrieval on citizens and businesses. X4Crow claims that they can return information such as driving licenses, phone numbers, voter title numbers, and much more. An unnamed security researcher told BleepingComputer that the seller is likely drawing this information from other data sets.
- BleepingComputer saw a portion of the database and concluded that it was legitimate. BleepingComputer were also told that it was an unidentified government database, which led them to theorize that the data belongs to employed citizens in Brazil.
UAB Medicine exposes customer details following phishing attack
- On August 7th, 2019, UAB Medicine employees were targeted by attackers who sought to gain access to the payroll system. The attackers posed as executives conducting a staff survey, and the phishing email asked staff to provide their username and password. A number of employees provided the hackers with the required information.
- The attackers then attempted to redirect employee payments into their own account. The attack failed but the hackers had access to the information of 19,557 patients via the compromised accounts.
- Exposed data included names, medical record numbers, dates of service, and more. A small number of patients also had their Social Security numbers divulged. UAB Medicine stated that there is no evidence at present that the hackers were ‘looking for, accessed or stole any protected health information’.
Recent ransomware attacks on hospitals involved Ryuk ransomware
- The recent ransomware attacks on three DCH Health System hospitals, as well as on the Ontario-based Michael Garron Hospital, Listowel Memorial Hospital and Wingham & District Hospital, involved Ryuk ransomware. Ryuk is believed to come from Russia and, according to Crowdstrike, originates from the hacker group WIZARD SPIDER.
- DCH Health System opted to pay the ransom demands to restore its systems; however, it remains unclear when the hospitals will reopen to new patients. At present, only critical patients are accepted.
- The Ontario hospitals did not pay the ransom demands and are in the process of restoring their systems.
Investigation into Tū Ora Compass Health’s website defacement reveals further security incidents
- Following the website defacement of Tū Ora Compass Health on August 5th, 2019, an investigation into the incident revealed previous cyber attacks dating from 2016 to March 2019 that could impact nearly 1 million individuals. Potentially impacted individuals include anyone enrolled with a medical centre from the greater Wellington, Wairarapa and Manawatu regions since 2002.
- It is unclear whether any patient information was accessed. Potentially accessed data includes National Health Index Numbers, names, dates of birth, ethnicities, addresses, as well as some medical information.
Jerez de la Frontera targeted in ransomware attack
- The website of Jerez de la Frontera suffered small outages on October 1st, 2019. This was then followed by the attacker gaining control of the entire city’s servers by October 4th, 2019. It is unclear how much ransom was demanded.
Signal messaging app vulnerability allowed eavesdropping
- Researchers at Google’s Project Zero disclosed a bug in the Signal messaging app on Android that could grant an attacker the ability to listen through a victim’s device. To exploit the vulnerability, an attacker would need to use a custom version of Signal Android software.
- The attack works when an attacker phones the target device and quickly presses the audio mute button, which forces the callee device to connect. The issue was resolved on October 4th, 2019.
Microsoft expands patch for critical remote code execution bug in Internet Explorer
- The vulnerability, tracked as CVE-2019-1367, received an original patch which was available on a limited basis via the Microsoft Update Catalog. The recent patch expansion is now available on a wider basis via Windows Server Update Services and Windows Update.
- The new patch also resolves bugs caused by the original patch, which led to issues with print jobs and problems after installing Features on Demand.
NCSC warns of APTs abusing known vulnerabilities in VPN products
- The UK’s National Cyber Security Centre (NCSC) warns of multiple vulnerabilities in Pulse Connect Secure, Fortinet and Palo Alto SSL VPN products that are being exploited by threat actors. The highest-impact flaws are CVE-2019-11510, CVE-2019-11539, CVE-2018-13379, CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579.
- The vulnerabilities could enable an attacker to retrieve arbitrary files, including ones containing authentication credentials, which could be used to connect to the VPN and change its configuration settings, connect to further internal infrastructure, or even enable attackers to run secondary exploits to obtain a root shell.
Author of HildaCrypt ransomware releases decryption key
- On October 4th, 2019, security researcher GrujaRS posted on Twitter what they believed was a new variant of STOP ransomware. Following the post, the researcher was contacted by a ransomware developer who informed them that the sample was in fact HildaCrypt ransomware.
- The ransomware developer then released the decryption key for free, allowing infected users to recover their files. The ransomware author spoke to BleepingComputer and claimed that the ransomware was made for educational purposes.
Canadian Centre for Cyber Security warns of Ryuk ransomware campaign
- Following multiple reports of Ryuk ransomware affecting numerous entities including municipal governments and public health and safety organisations in Canada and elsewhere, the Canadian Centre for Cyber Security issued an alert concerning the current Ryuk ransomware campaign. The alert details the infection chain for Ryuk, which relies on an initial infection by Emotet, followed by Trickbot.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.