Silobreaker Daily Cyber Digest – 08 January 2019
CryptoMix ransomware exploits stories of children’s cancer treatments
- Coveware researchers reported that CryptoMix ransomware is now being distributed with a ransom note claiming that ransom payments will be donated to a fictional charity supporting children’s cancer treatment.
- Moreover, the ransom note provides the names, diagnoses and photos of real child cancer patients that have been stolen from legitimate crowdfunding sites and local news stories.
Approximately $500,000 Ethereum Classic coin stolen
- Nearly $500,000 worth of Ethereum Classic (ETC) was stolen after attackers carried out a rollback attack which allowed them to rewrite its blockchain. This allowed the attackers to recover previously spent coins and transfer them to a new entity.
- The attackers ‘double spent’ approximately 88,500 ETC in total, the equivalent of $460,000.
Cyber criminals targeting British TV license holders
- Action Fraud reported a rise over recent months in phishing scams asking victims to correct their TV licensing and billing information. Over 5,000 complaints have been made since October 2018 by victims who inadvertently handed their personal and financial data to the criminals.
OXO International discloses data breaches spanning two years
- The company stated that over various time periods between June 9th, 2017 and October 16th, 2018, their servers were compromised by attackers attempting to steal customer and payment information.
- BleepingComputer’s analysis of the attacks demonstrated that at least one of the compromises was a Magecart attack.
Researchers discover ChinaZ’s relationships to other Chinese DDoS threat actors
- Intezer researchers analysed recent activity attributed to the Chinese threat actor ChinaZ, uncovering the group’s possible relationships to other threat actors in the Chinese Distributed Denial of Service (DDoS) landscape, including those responsible for the Nitol backdoor, MrBlack malware and the Iron Tiger APT.
- They were led to their findings by analysing various tools used by ChinaZ, such as the BillGates botnet, Gh0st RAT variants and the ServStart trojan.
- Their blog post provides a detailed overview of their initial discovery of ChinaZ, an analysis of malicious payloads used by the group and evidence of the potential relationships to other threats.
Source (Includes IOCs)
Leaks and Breaches
Google email users notified of private data exposed by Google+ API bug
- The bug allowed apps that had been granted permission to view a user’s profile data to also see private profile data that the user had not permitted them to access. Affected Google users were told which fields were exposed and which apps had been granted access to them.
- Over 50 million users were affected by the bug that was first disclosed in December 2018.
Australian real estate network First National suffers data leak
- Gareth Llewellyn reported the leak on Twitter, noting that the CVs and cover letters of an estimated 2,000 job applicants to First National were inadvertently exposed online.
- Llewellyn surmised that a third party commercial vendor was responsible for the leak.
Real-time Indian bus data publicly available
- An ElasticSearch server that did not require a password publicly exposed live GPS data for over 11,000 Indian buses for approximately three weeks. Details included licence plates, exact route start and stop locations, route names and real-time GPS coordinates.
- The server had been accessible since at least November 30th, 2018, but it is unclear how long it was exposed before that date or who it belongs to. It has since been secured by India’s CERT team.
Canadian senator’s personal data leaked following Twitter hack
- Senator Linda Frum’s Twitter account was hacked and the perpetrators behind the attack posted photos of Frum’s driving license online. The hackers referred to themselves as the ‘Spank Gang’.
Credit-card skimmer on DiscountMugs.com website steals four months of customer data
- In an official statement, the online custom mug and apparel retailer disclosed that hackers stole credit card numbers from customers who made orders through their website between August 5th and November 16th, 2018.
- Through a skimmer placed on DiscountMugs.com’s payment portal, the perpetrators were also able to steal other information including credit card security codes and expiration dates, names, addresses, phone numbers, email addresses and ZIP codes. The number of customers affected remains unknown.
New side-channel attack technique discovered
- A research paper published by academics and researchers from the Graz University of Technology, Boston University, NetApp, CrowdStrike and Intel describes a side-channel attack that targets the operating system’s page cache. It abuses mechanisms designed to let an application check whether a memory page is currently present in the page cache. An attacker can then force eviction states that push old pages out of the page cache, and other processes and applications can deduce the data those pages contained while this is happening.
- The attack can recover large amounts of data at once and can capture six keystrokes per second, which is enough to accurately log keystrokes. Windows and Linux systems are vulnerable, and macOS systems are thought to be vulnerable too. Microsoft has since produced a fix changing how Windows handles page cache reads.
Fortiguard Labs discovers new XSS vulnerability affecting Magento Commerce
- The flaw is caused by Magento failing to sanitise user-supplied data before inserting it into a dynamically generated widget form. It could allow a remote attacker to execute arbitrary code in a victim’s browser, gain control of high-privilege accounts and thereby access sensitive data, or take control of vulnerable websites.
- The flaw affects Magento Commerce 2.1 prior to 2.1.16, and Magento Commerce 2.2 prior to 2.2.7.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.