Silobreaker Daily Cyber Digest – 08 April 2019
New variant of sextortion scam attaches password-protected ‘evidence’ files
- The attached files purport to contain proof that the sender holds a video recording of the recipient. The files cannot be opened, but the recipient can see their names, which the perpetrators hope are enough to scare the victim into paying.
- The files cannot be accessed unless the victim purchases the password for them, which victims can do for $50 by clicking on the designated link in the email.
Source (Includes IOCs)
FIN6 group adds ransomware to its attack toolset
- FIN6 has reportedly added LockerGoga and Ryuk ransomware to its extortion operations in an attempt to further monetise its intrusions. Having previously targeted point-of-sale (POS) systems, the group now appears to be expanding its activity to other types of targets.
- After analysing an intrusion at an engineering company, FireEye found evidence pointing to FIN6, despite the target differing from the group’s usual victims. In addition to deploying these two ransomware families, the group was observed using stolen credentials for internal reconnaissance and lateral movement, Cobalt Strike (a commercial adversary-simulation framework) as its post-exploitation toolkit, and other tools including Metasploit, AdFind (for Active Directory enumeration) and 7-Zip (for staging data).
Source (Includes IOCs)
LokiBot delivered via spammed PNG file
- Researchers at Trustwave SpiderLabs discovered a campaign in which the LokiBot information-stealing trojan is hidden inside files that present themselves as PNG images.
- According to the researchers, the perpetrator most likely chose the PNG format to keep the executable from being inspected by the email scanning gateway. The attachments carried a .zipx extension, but because they begin with a valid PNG header the gateway classified them as PNG images; the email client additionally displayed them with a JPG-style icon.
- On systems with WinRAR installed, opening the attachment loads WinRAR, which locates the archive data appended after the image and presents the payload executable for the user to extract.
Source (Includes IOCs)
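The gateway bypass above relies on a file that is simultaneously a well-formed PNG and an archive. The following is an added example (not Trustwave’s tooling or anything from the original digest) of the check a mail gateway or triage script could apply: walk the PNG chunk structure to find where the image genuinely ends, then look for an archive signature in whatever bytes trail the IEND chunk, and flag extension/content mismatches. The sample PNG and appended RAR stub are constructed inline; the archive signatures and extension list are assumptions that a deployment would extend.

```python
"""Detect image/archive polyglot attachments (PNG with an archive appended).

Added example; not code from the original page or from Trustwave.
"""
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Archive signatures that WinRAR/7-Zip honour even when not at offset 0.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Extensions that should never arrive with image content (assumption).
ARCHIVE_EXTS = {".zip", ".zipx", ".rar", ".7z"}


def png_payload_end(data: bytes):
    """Walk PNG chunks (len, type, data, CRC); return the offset just past
    IEND, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if pos > len(data):
            return None                # truncated chunk
        if ctype == b"IEND":
            return pos
    return None                        # no IEND found


def analyse(filename: str, data: bytes) -> dict:
    """Classify an attachment as clean, mismatch (archive name, image body),
    polyglot (image body with an archive appended) or not-png."""
    ext = os.path.splitext(filename)[1].lower()
    result = {"ext": ext, "png": False, "trailing_bytes": 0,
              "archive": None, "verdict": "not-png"}
    end = png_payload_end(data)
    if end is None:
        return result                  # other formats need their own walker
    result["png"] = True
    trailing = data[end:]
    result["trailing_bytes"] = len(trailing)
    for magic, kind in ARCHIVE_MAGICS.items():
        off = trailing.find(magic)
        if off != -1:
            result["archive"] = (kind, end + off)
            break
    if result["archive"] is not None:
        result["verdict"] = "polyglot"     # block or detonate
    elif ext in ARCHIVE_EXTS:
        result["verdict"] = "mismatch"     # named as archive, is an image
    else:
        result["verdict"] = "clean"
    return result


def make_png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used to construct the sample)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a valid 1x1 RGBA PNG, then the same image with a
# RAR4 signature and a fake payload appended, mimicking the lure.
CLEAN_PNG = (PNG_SIG
             + make_png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
             + make_png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00\x00"))
             + make_png_chunk(b"IEND", b""))
POLYGLOT = CLEAN_PNG + b"Rar!\x1a\x07\x00" + b"\x00" * 16 + b"invoice.exe"

if __name__ == "__main__":
    for name, blob in (("photo.png", CLEAN_PNG),
                       ("PO-2019.zipx", CLEAN_PNG),
                       ("PO-2019.zipx", POLYGLOT)):
        print(name, analyse(name, blob))
```

The chunk walk matters: searching the whole file for `PK\x03\x04` would eventually false-positive on compressed pixel data, whereas a signature that appears only after IEND is never part of a legitimate image.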
New ServHelper version uses Excel 4.0 macro to drop signed payload
- ServHelper is a backdoor malware family associated with TA505, an actor previously known for distributing the Dridex trojan and GlobeImposter ransomware. The new version of ServHelper, discovered by Deep Instinct, uses an Excel sheet as a lure and an Excel 4.0 macro, rather than a VBA macro, to download the payload.
- The payload is an NSIS installer signed with a valid certificate. A PowerShell script performs reconnaissance, checking whether the process has administrative privileges and whether the infected machine is domain-joined, and sends this information to a C&C server.
- ServHelper accepts a variety of commands from its C&C. Its core DLL was signed with a certificate issued to MASLAK LTD of Uxbridge, Great Britain, which remained valid until last week.
Source (Includes IOCs)
FTC warns of robocall scam
- The Federal Trade Commission has warned of an ongoing phone scam in which a recorded message claims that the target’s Social Security number has been suspended for suspicious activity. The call prompts the target to speak to a ‘government agent’ to resolve the issue, who then tricks them into providing their date of birth, bank account numbers and other sensitive information.
Leaks and Breaches
Ohio Medicaid recipients impacted in data breach
- Hundreds of people receiving benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) have had their information exposed due to a series of three separate ‘computer errors’.
- The errors took place between February and March 2019. They resulted in the personal information of 250 users being visible to other users of the platform, the information of 643 users being mailed to five unrelated people, and up to 100 users having their data saved to the wrong account.
- Officials have stated that no health or medical records were viewed.
AeroGrow discloses presence of credit card scraping malware on website
- According to the company’s official statement, customers who purchased products via its website between October 29th, 2018 and March 4th, 2019 may have had their payment information stolen, including credit card numbers, expiration dates and CVVs. The number of affected customers remains unknown.
Newham Council suffers data leak
- The London Borough of Newham has been fined £145,000 by the Information Commissioner’s Office for leaking the personal information of 203 individuals allegedly associated with London gangs. The ‘Gangs Matrix’ database was emailed to 44 recipients, some copies redacted and some not. It included dates of birth, home addresses, supposed gang association and weapon-carrying status.
- The fine was issued under the Data Protection Act 1998, and the council also failed to notify the ICO of the breach.
Over 2 million Apache HTTP servers vulnerable to critical privilege escalation
- CVE-2019-0211, discovered by Charles Fol, affects Apache HTTP Server releases 2.4.17 to 2.4.38 (the MPM prefork, worker and event modules). Code running in a worker process as the unprivileged web-server user, for example via a malicious script on a shared host, can execute arbitrary code as root when the parent process performs a graceful restart, which is why the flaw is especially problematic for shared hosting. It is fixed in 2.4.39.
- Based on an analysis conducted by Rapid7, over 2 million servers currently report vulnerable versions of Apache. The majority of these are in the US, Germany and France. Note that distribution packages often backport the fix without changing the advertised version, so banner counts overstate exposure.
Razer Intel notebooks affected by well-known critical firmware vulnerability
- CVE-2018-4251 concerns Intel Management Engine (ME) Manufacturing Mode being left enabled on shipped systems, which allows malware running with administrative rights to modify the system’s firmware and thereby survive reboots and OS reinstalls. Researcher Bailey Fox noticed that Razer’s notebooks are still vulnerable to the flaw.
- Razer has acknowledged the issue and released a patch for products already shipped. New laptops will ship with an update that removes the vulnerability.
Dropbox uncovers 264 vulnerabilities in one-day bug bounty event
- During a live hacking event hosted in Singapore by HackerOne, researchers discovered a total of 264 flaws in the cloud storage vendor’s systems.
Qt5-based GUI apps vulnerable to remote code execution
- Applications built on the Qt5 graphical user interface framework that register custom protocol (URI) handlers can be exposed to remote code execution. When a Qt5 application starts, the framework itself consumes certain command-line arguments that change how it behaves, for example where it loads platform plugins from.
- A report by the Zero Day Initiative describes how Qt5-based applications that create custom URI handlers and do not properly validate the command-line arguments they receive are susceptible to remote code execution: a crafted URI can deliver framework switches to the application before the application’s own code ever sees them. ZDI demonstrated this using two previously disclosed flaws in Malwarebytes (CVE-2019-6739) and Cisco WebEx (CVE-2019-1636).
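As an added illustration (not ZDI’s or any vendor’s code), the following shows the validation a URI handler can apply to its argv before handing it to a GUI framework that parses its own switches. The argv lists are constructed samples representing what the handler receives when the OS passes a URI through cleanly versus when extra tokens reach it; the Qt switch names are those documented for QApplication/QGuiApplication and are assumed to vary by Qt version. Applying this check before the framework object is constructed is the point: once the framework has parsed argv, the switches have already taken effect.

```python
"""Validate argv handed to a custom URI handler before a GUI framework
(e.g. Qt5) parses it. Added example; not code from the original page.
"""
from urllib.parse import urlsplit

# Switches Qt documents as consumed by QApplication/QGuiApplication.
# Assumption: the set differs between Qt versions; extend as needed.
QT_SWITCHES = {
    "-platform", "-platformpluginpath", "-platformtheme", "-plugin",
    "-qmljsdebugger", "-qwindowgeometry", "-qwindowicon", "-qwindowtitle",
    "-reverse", "-session", "-style", "-stylesheet", "-widgetcount",
}


class HandlerArgError(ValueError):
    """Raised when argv is not exactly one well-formed URI of our scheme."""


def audit_argv(argv):
    """Return argv entries that would be interpreted as framework switches."""
    hits = []
    for arg in argv[1:]:
        name = arg.split("=", 1)[0].lower()
        if name in QT_SWITCHES or name.lstrip("-") and name.startswith("--") \
                and "-" + name.lstrip("-") in QT_SWITCHES:
            hits.append(arg)
    return hits


def validate_handler_uri(argv, scheme):
    """Return the single URI a registered handler should receive, or raise.

    Checks, in order: exactly one argument; no leading dash (so it can
    never be read as a switch); no whitespace or control characters (a
    valid URI has none, and these are what lets a URI become several
    argv tokens); expected scheme; and a non-empty authority or path.
    """
    args = argv[1:]
    if len(args) != 1:
        raise HandlerArgError(f"expected exactly one argument, got {args!r}")
    uri = args[0]
    if uri.startswith("-"):
        raise HandlerArgError(f"argument looks like a switch: {uri!r}")
    if any(ch.isspace() or ord(ch) < 0x20 or ch == '"' for ch in uri):
        raise HandlerArgError(f"illegal characters in URI: {uri!r}")
    parts = urlsplit(uri)
    if parts.scheme.lower() != scheme.lower():
        raise HandlerArgError(f"unexpected scheme {parts.scheme!r} in {uri!r}")
    if not (parts.netloc or parts.path):
        raise HandlerArgError(f"empty URI target: {uri!r}")
    return uri


def safe_argv(argv, scheme):
    """argv to pass to the framework: program name plus the validated URI only."""
    return [argv[0], validate_handler_uri(argv, scheme)]


# Constructed samples of what the handler process might receive.
GOOD = ["app.exe", "myapp://open?id=42"]
SPLIT = ["app.exe", "myapp://open", "-platformpluginpath", r"\\203.0.113.5\share"]
WRONG_SCHEME = ["app.exe", "http://attacker.example/"]

if __name__ == "__main__":
    print(safe_argv(GOOD, "myapp"))
    print("switches smuggled in:", audit_argv(SPLIT))
    for bad in (SPLIT, WRONG_SCHEME):
        try:
            safe_argv(bad, "myapp")
        except HandlerArgError as exc:
            print("rejected:", exc)
```

`audit_argv` is for logging and detection (which switch arrived), while `validate_handler_uri` is the gate: it rejects on shape rather than on a denylist, so a Qt switch missing from the table is still refused because it starts with a dash or needed whitespace to arrive as a separate token.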
MikroTik reports on year-old DoS flaw affecting its routers
- CVE-2018-19299 affects unpatched MikroTik devices that route IPv6 packets. To exploit the flaw, an attacker sends a specific sequence of IPv6 packets that drives up RAM usage on the router until it runs out of memory, producing a denial-of-service (DoS) condition.
Third-party patches released for Java vulnerabilities
- Four heap-based out-of-bounds vulnerabilities in the Java Runtime Environment were discovered by Google Project Zero. They were reported to Oracle, which stated it would address them only in a future release, and were subsequently disclosed publicly.
- 0patch by ACROS Security has announced micropatches for two of the Java SE vulnerabilities, with patches for the remaining two due to be released soon.
Patches released for Allen-Bradley Stratix industrial switches
- Rockwell Automation has released several patches for vulnerabilities in its Allen-Bradley Stratix industrial switches that are inherited from the Cisco IOS software the switches run. The vulnerabilities are tracked as CVE-2018-0466, CVE-2018-0470, CVE-2018-0473, CVE-2018-0467 and CVE-2018-15373. All of them result in denial-of-service conditions and stem from resource management errors and improper input validation.
Vulnerable Magento installs still in use globally
- Security Affairs reports that of the more than 300,000 stores running Magento, the majority are still on vulnerable versions. The PRODSECBUG-2198 patch fixes several issues, including an unauthenticated SQL injection that allows an attacker to gain administrative control of a store and, through it, access to credit card data. An attacker with admin access can also plant a digital skimmer to capture customer cards at checkout, then sell the data or use it directly.
- All stores running Magento are advised to update to the latest version as soon as possible.
Airbnb guest discovered hidden surveillance camera via WiFi network
- A family from New Zealand staying in an Airbnb property in Ireland discovered a camera in the living room with a live feed. Andrew Barker, who works in IT security, discovered the camera after scanning the house’s WiFi network, and subsequently found the physical camera which appeared to be a fake smoke alarm. The Airbnb host was subsequently banned from the site.
74 cybercrime groups with 385,000 members discovered on Facebook
- Researchers from Cisco Talos compiled the list of cybercrime groups, some of which acted as marketplaces for the buying, selling, and trading of stolen payment card data and hacked account credentials, as well as the sale of spamming and phishing tools.
- All 74 Facebook groups have now been removed, however, groups created to take their place have already been discovered.
Former US Senate employee pleads guilty to theft of personal data
- 27-year-old Jackson A. Cosko pleaded guilty to five federal offences stemming from the illegal online posting of the home addresses and telephone numbers of five Republican senators. The incident occurred while the perpetrator worked as a computer systems administrator for the office of Senator Maggie Hassan.
- Cosko allegedly ‘copied dozens of gigabytes of data from [Senator] Hassan’s computers, including dozens of user names and passwords belonging to Senate employees’ and ‘contact information for numerous sitting US senators.’
Motel 6 paying settlement for sharing info with ICE
- A $12 million settlement is being paid to Washington state after it was revealed that Motel 6 shared information on 80,000 guests with Immigration and Customs Enforcement over a two-year period, without a warrant. Motel 6 employees at seven locations in the state handed guest lists to ICE, which then used them to target individuals with Latino-sounding names.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.