Silobreaker Daily Cyber Digest – 08 July 2019
Croatian government entities targeted in campaign using new SilentTrinity malware
- The Croatian Information Systems Security Bureau recently issued a warning about targeted phishing attacks that have been ongoing since at least August 2018, targeting multiple Croatian government systems.
- The campaign, discovered by Positive Technologies, is detailed in their report, which contains an analysis of the delivery chain, indicators of compromise, and the use of a new post-exploitation framework, dubbed SilentTrinity, powered by IronPython and C#, that they believe had not previously been seen in use.
Source (Includes IOCs)
Leaks and Breaches
American Land Title Association warns hundreds of title company records stolen
- On July 3rd, 2019, the American Land Title Association (ALTA) informed members that an ethical hacker contacted them and provided them with 600 data entries for ALTA members. The data consisted of domain identification, IP addresses, usernames and passwords.
- The information was allegedly acquired in a phishing campaign. ALTA stated that there is no indication that the data came from a specific system breach.
Maryland Department of Labor data breach exposes information of 78,000 customers
- On July 5th, 2019, the Maryland Department of Labor announced that hackers had accessed data which was stored on their Literacy Works Information System (LWIS) and a legacy unemployment insurance service database.
- Impacted files on the LWIS system were dated from 2009, 2010 and 2014, and contained full names, Social Security Numbers, dates of birth, graduation dates and more.
- Files on the unemployment insurance service database originated from 2013 and contained names and Social Security numbers.
City of Griffin Finance Department loses $800,000 in BEC scam
- The City of Griffin Finance Department in Georgia believed that it was transferring the money to PF Moon, a company it used for water treatment facilities. The first transaction was made on June 21st, 2019 for $581,180.51, and a second transaction followed on June 26th, 2019 for $221,318.78.
- Griffin's city manager reported that the money has not been recovered and that the FBI has launched an investigation into the theft.
Magecart skimming campaign breaches 962 e-commerce stores
- Researchers at Sanguine Security discovered that the stores were all breached with a Magecart skimming script that was deployed within a 24-hour timeframe. Sanguine Security founder Willem de Groot stated that several victims had not applied patches which would have protected them from PHP object injection exploits.
- De Groot said that a few enterprise stores were infected but the majority of victims appear to be smaller businesses. Information collected by the skimmers includes full credit card data, names, phone numbers, and addresses.
Source (Includes IOCs)
Alive Hospice announces data breach
- Tennessee-based end-of-life and palliative care provider Alive Hospice suffered a data breach on May 4th, 2019 which lasted for two days. Although unauthorized access has been confirmed, there is no evidence as yet that patient information has been accessed or stolen.
- Potentially exposed data includes patient names, dates of birth, Social Security numbers, driver’s licenses and more. It is unclear how many patients are affected.
- The California-based medical staffing agency Flexcare LLC has also suffered a similar phishing attack, however there is no evidence yet that any data has been accessed or stolen. Potentially exposed data includes names, addresses, dates of birth, Social Security numbers and more.
LaPorte County hit by malware
- The US County of LaPorte announced it was hit by a malware attack on July 6th, 2019, resulting in employees not being able to access any government emails or websites until the issue was resolved. It is unclear who is behind the attack.
Apple iPhone vulnerable to bricking via iMessage bomb
- Google Project Zero researcher Natalie Silvanovich discovered the vulnerabilities, tracked as CVE-2019-8573 and CVE-2019-8664, on April 19th, 2019. The malformed message flaw can be exploited to cause a Mac to crash and respawn.
- The issue is more problematic on iPhones, because the affected code runs in SpringBoard, so receiving the messages causes SpringBoard to crash and respawn repeatedly. Users affected by this issue cannot see their UI and the device becomes unresponsive.
- In addition, the condition survives a hard reset; Silvanovich found that the only way to recover the phone is to enter recovery mode and perform a restore. Apple fixed the issue as part of iOS 12.3, released on May 13th, 2019.
Unauthenticated stored XSS vulnerability in WordPress plugin
- Researchers at Sucuri discovered a cross-site scripting (XSS) vulnerability in the WP Statistics plugin, which has more than 500,000 active installations. The vulnerability is only exploitable in versions older than 12.6.7 and under certain conditions. Users running default settings are not at risk from the bug.
- The vulnerability exists in a feature of the plugin that allows a website to use an HTTP header to determine the visitor's IP address. If that value is not sanitized or validated, it becomes part of the page output each time the visitor IP address is displayed. This allows attackers to spoof the original IP and inject malicious code into administrative pages, ultimately enabling full website takeover.
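The flaw class described above, shown as an added example that is not code from WP Statistics or Sucuri: a visitor-IP lookup that trusts a proxy header without validation, next to a hardened version. The header name X-Forwarded-For, the trusted-proxy list and the function names are assumptions.

```php
<?php
// Added example (not WP Statistics code). The header name, the trusted-proxy
// list and the function names are assumptions for illustration.

// Unsafe pattern: the proxy header is attacker-controlled, is never validated,
// and the returned string is later written into an admin page.
function demo_visitor_ip_unsafe(): string {
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];   // may carry HTML/script, not an IP
    }
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: honour the header only when the request arrived through a
// known proxy, keep only the first hop, require a syntactically valid IP, and
// fall back to REMOTE_ADDR otherwise.
function demo_visitor_ip_safe(array $trusted_proxies): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    $header = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header !== '' && in_array($remote, $trusted_proxies, true)) {
        $first = trim(explode(',', $header)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Output side: escape even a validated value before it lands in HTML, so a
// stored record that slipped through cannot execute in the dashboard.
// (Inside WordPress, esc_html() serves the same purpose.)
function demo_render_ip_cell(string $ip): string {
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request values for a stand-alone run.
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
$_SERVER['HTTP_X_FORWARDED_FOR'] = '<script>alert(1)</script>, 198.51.100.7';

echo demo_render_ip_cell(demo_visitor_ip_unsafe()), PHP_EOL;       // escaped only because the cell helper escapes
echo demo_visitor_ip_safe(['203.0.113.10']), PHP_EOL;             // 203.0.113.10 (header rejected)
```

Both the validation on input and the escaping on output are needed: the first keeps junk out of stored records, the second protects pages that render records written before the fix.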
Source (Includes IOCs)
Tor Project seeks to fix vulnerability exploited for DDoS attacks on Onion sites
- The Tor Project has announced that it is preparing to fix the long-standing bug with the release of Tor protocol 0.4.2.
- The vulnerability takes advantage of the complex connection paths used by the Tor network to secure the connection between users and servers. The process is highly taxing on the CPU and with enough connections can max out the server processor.
- Additionally, the Tor network’s emphasis on anonymity means that incoming connection requests are not verified until the connection is established. Consequently, it cannot be determined if a connection request is genuine or from an attacker until the connection is made.
Cybercriminals prepare scams ahead of the launch of Libra cryptocurrency
- Researchers at Digital Shadows discovered a variety of cryptocurrency scams being prepared ahead of the 2020 launch of Facebook’s Libra cryptocurrency and associated Calibra digital wallet.
- The researchers observed a vast increase in the number of newly registered domains with reference to Libra or Calibra. While many of these sites were innocuous some were impersonating the legitimate sites or promoting scams abusing the Libra or Calibra name.
- Such scams included one which attempted to trick users into exchanging Ether cryptocurrency for a 25% bonus return in Libra. Another scam claims that users can gain access to the unreleased cryptocurrency and wallet for $200; this scam also asked users to open their ports to an unknown source, which could allow malware to be dropped on the user's device.
Source (Includes IOCs)
New study stresses links between Huawei and Chinese military
- Christopher Balding, associate professor at Fulbright University Vietnam, and the London-based think tank the Henry Jackson Society examined the CVs of Huawei employees that were leaked online from unsecured databases.
- Balding stated that key mid-level technical personnel employed by Huawei have close ties to Chinese intelligence gathering and military activity.
- Huawei claimed that they were unable to verify the CVs cited in the study and ‘cannot confirm the veracity of all of the information published online.’
British Airways fined £183 million for 2018 data breach
- The Information Commissioner’s Office fined British Airways £183 million, the highest penalty handed out since the new GDPR rules have come into force.
- The data breach compromised the data of about 500,000 customers, including private information and full credit card details. The breach was first disclosed on September 6th, 2018; however, it is believed to have begun in June 2018.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.