Silobreaker Daily Cyber Digest – 08 November 2018
BleepingComputer warns of sites pushing unofficial Notepad2 adware bundles
- Researcher Lawrence Abrams observed that when searching on Bing for Notepad2, the first result was ‘Notepad2[.]com’. After an attempt to download the executable from this site, ESET blocked the file from being downloaded.
- During further analysis, Abrams found that the downloaded installer presented several additional download offers, including Opera and War Thunder. Once these offers are installed, a zipped copy of Notepad2 is saved to the Downloads folder.
New BCMUPnP_Hunter botnet targets router equipment
- Netlab360 researchers reported on a new botnet, dubbed BCMUPnP_Hunter, targeting router equipment. They first detected the botnet in September 2018.
- BCMUPnP_Hunter targets routers that have the Broadcom Universal Plug and Play (UPnP) feature enabled. The botnet exploits a five-year-old ‘remote preauth format string vulnerability’ in the UPnP feature.
- According to Netlab360, the botnet is rapidly growing, and the number of potential infections may be as high as 400,000.
Source (Includes IOCs)
US Secret Service issued alert warning of thieves abusing Informed Delivery for identity theft
- The internal alert was sent on November 6th, 2018 to its law enforcement partners, stating that thieves are using the Informed Delivery feature ‘to identify and intercept mail, and to further their identity theft fraud schemes.’
- Informed Delivery is a new offering from the US Postal Service (USPS) that lets residents view scanned images of incoming mail.
- ID thieves have found a way to hijack identities and order new credit cards in the victims’ names before the USPS sends its notification. Krebs suggests that they could be waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.
Fake banking app on Google Play Store used in SMiShing attacks
- Trend Micro researchers discovered a fake banking app, Movil Secure, being used in a SMiShing campaign targeting Spanish-speaking users. The app, claiming to be a mobile token service, was first discovered on October 22nd, 2018 on the Google Play Store and registered more than 100 downloads over a six-day period.
- Movil Secure associated itself with Banco Bilbao Vizcaya Argentaria (BBVA), a popular Spanish banking group. However, it was found to be spyware, collecting SMS messages and phone numbers from infected devices and sending them to the threat actor’s C&C server. Furthermore, it hid itself from the victim by not displaying any icon on the user’s phone screen.
- Through investigating the app’s developer, the researchers also identified three additional fake banking apps: Evosecure, Bankia Secure and Compte de Credit.
Source (Includes IOCs)
Several large internet service providers (ISPs) in Cambodia hit by large scale DDoS attacks
- Users reported difficulties in accessing online services all week when using EZECOM, SINET, Telcotech and Digi. According to sources in the region, DDoS attacks totalling almost 150Gbps hit the ISPs on Monday, causing internet access speeds to slow all week.
- Motivations for the attacks are yet unclear and no ransom demands have been issued.
Leaks and Breaches
Personal information of Ontario Cannabis Store’s customers breached
- An individual accessed approximately 4,500 orders made through the Ontario Cannabis Store (OCS) via Canada Post’s delivery tracking tool.
- According to a statement by OCS, the information accessed included postal codes, names or initials of people who signed upon delivery, date of delivery, OCS reference numbers, Canada Post tracking numbers and the Store’s corporate name and business address. The company highlights that no other information, including payment information, was accessed.
Unprotected MongoDB server exposes personal data of American Express India customers
- Security researcher Bob Diachenko discovered an unsecured MongoDB server exposing the personal data of 689,272 customers of an American Express (AmEx) branch in India.
- The data was stored in plaintext, exposing names, email addresses, phone numbers and card types. The database also stored links to files hosted on the AmEx India website that included names, phone numbers and PANcard numbers. Other data on the server was found to be encrypted and included over 2.3 million records.
- Following Diachenko’s report, AmEx has stated that they have no evidence of unauthorized access to the data. The server has since been taken down.
Bankers Life data breach potentially compromises half a million individuals’ information
- 566,217 people were reportedly affected when unauthorized third parties accessed the credentials of certain Bankers Life employees for company websites, as well as, potentially, the policyholders’ and applicants’ personal information.
Windows 10 bug breaks changing of default file associations
- Users of Windows 10 have been reporting an inconsistent bug in Windows 10 that prevents them from changing the default program associated with a file type.
- When attempting to change the default program used to open file types such as .txt files, users aren’t permitted to associate them with a Notepad replacement such as Notepad++. It is, however, possible to make other applications such as IrfanView, VLC or Google Chrome the default.
- The bug has been found to only affect certain users with certain programs and under certain conditions, and is therefore particularly difficult to fix.
Police in the Netherlands decrypt messages after breaking IronChat crypto app
- Dutch police have decrypted 258,000 messages sent using the IronChat app, after they managed to intercept and decrypt communications during an investigation into money laundering. IronChat is often used by criminals due to its provision of end-to-end encryption.
- The owners of the application have been arrested on charges related to money laundering and participation in criminal organisations. The information that the police accessed allowed them to shut down a drug lab in Enschede, confiscate automatic weapons and large quantities of MDMA and cocaine, as well as confiscate 90,000 euros in cash.
US Cyber Command publicly shares malware samples
- The US Cyber Command has launched a project in which unclassified malware samples will be publicly shared on VirusTotal. The malware will be shared on their account CYBERCOM_Malware_Alert. Users can also keep track of shared samples by following the @CNMF_VirusAlert Twitter account.
Flashpoint report on increasing popularity of mobile overlay attacks on underground forums
- Flashpoint have reported that mobile overlay attacks have become a highly trafficked commodity on the dark web. In particular, some Russian-speaking marketplaces reportedly sell hundreds of overlays alongside injection attacks, which are created to run over legitimate applications and steal user details.
- The report states that the growing effectiveness of overlay attacks is suggested by the increasing number of posts on the subject on underground forums, regularly offering new overlays.
Turkish police arrest SIM swapping group involved in theft of cryptocurrency funds
- The Turkish police have arrested 11 individuals for stealing $80,000 worth of cryptocurrency through SIM swapping.
- The group used fake IDs to persuade telephone providers to send them new SIM cards with the victim’s phone number. The victim’s phone number was subsequently used to reset the victim’s cryptocurrency account passwords through two-factor authentication. The perpetrators then transferred cryptocurrency funds to their personal accounts.
Indian intelligence agency warns Chinese military plans attacks on Indian defence installations
- An unnamed Indian intelligence agency has issued an alert claiming that Unit 61398 of the Chinese People’s Liberation Army (PLA) is preparing to launch an attack against Indian defence installations.
- The source also claims that Unit 61398 is involved in geolocation intelligence collection, tracking information sources, and intercepting and deciphering global digital communications.
DerpTrolling hacker pleads guilty to attacks against gaming servers
- Hacker Austin Thompson has admitted to being a member of hacking group DerpTrolling and pleaded guilty to a series of denial-of-service (DoS) attacks against Twitch streamer James Varga (‘Phantoml0rd’ on Twitch) in late 2013.
- Thompson was accused of being the ‘technical brain’ behind the group’s operations and is facing a maximum penalty of 10 years in prison.
- DerpTrolling is also responsible for attacks against League of Legends and Dota 2 servers, and the Battle[.]net platform in December 2013.
Canadian man allegedly behind ISIS’ high profile cyber-attacks
- An Islamic State media outlet has stated that a Canadian man is responsible for the terror group’s high-profile cyber attacks, which include the takeover of the Twitter account belonging to the US military’s Central Command.
- The perpetrator, who was reportedly killed by a drone strike in Syria, also allegedly undertook attacks against banks in order to finance fighting, and hacked the US Department of Defense as well as airports, ‘hundreds’ of US soldiers and international media organisations.
Snowden claims NSO Group spyware used by Saudi Arabia to monitor late journalist Khashoggi
- Edward Snowden claimed, during a video conference from Moscow, that it was possible the Saudi Arabian government used Pegasus malware on a Saudi dissident’s phone in order to monitor their contact with Khashoggi and understand his whereabouts.
Adobe sued after Premiere Pro deleted valuable media files
- David Keith Cooper sued Adobe on Wednesday, claiming that a bug in the application caused it to erase expensive footage for his projects when he pressed the ‘Clean Cache’ function. Cooper reportedly subscribed to Premiere Pro Creative Cloud, upgrading to version 11.1.0 in 2017.
- In an attempt to create space on his drive, he told the application to use the ‘Videos’ directory on his external storage device to store cached materials. When the suite’s cache was later emptied, rather than deleting the ‘Media Cache’ folder in the ‘Videos’ directory, it instead deleted everything that had not been accessed within 90 days from the whole ‘Videos’ directory.
- 500 hours of video clips, approximately 100,000 individual video clips and commissioned work worth approximately $250,000 were lost.
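The deletion described above is a scope failure: the purge applied its 90-day rule to the directory the user had configured instead of the cache subfolder inside it. As an added example, not code from the digest or from Adobe, here is a purge routine confined to the cache subfolder, run against a constructed directory layout; the subfolder name ‘Media Cache’ and the 90-day threshold are taken from the item, while the file names and ages are assumed.

```python
import os
import tempfile
import time
from pathlib import Path

CACHE_DIR_NAME = "Media Cache"   # cache subfolder name from the report
MAX_AGE_DAYS = 90                # age threshold from the report


def purge_cache(configured_dir: Path, max_age_days: int = MAX_AGE_DAYS, now=None):
    """Delete files not accessed within max_age_days, only inside the cache subfolder.

    configured_dir is the directory the user pointed the application at
    (e.g. 'Videos'). Returns the list of deleted paths. Refuses to run if the
    cache folder resolves outside configured_dir (e.g. via a symlink).
    """
    now = time.time() if now is None else now
    root = configured_dir.resolve()
    cache = (root / CACHE_DIR_NAME).resolve()
    # Containment check: only ever operate on a folder strictly inside root.
    if cache == root or root not in cache.parents:
        raise ValueError(f"refusing to purge: {cache} is not inside {root}")
    cutoff = now - max_age_days * 86400
    deleted = []
    for path in cache.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        # Re-check containment per file (guards against symlinked subdirectories).
        if cache not in path.resolve().parents:
            continue
        if path.stat().st_atime < cutoff:
            path.unlink()
            deleted.append(path)
    return deleted


def demo():
    """Constructed scenario: footage and a cache file are both older than 90 days."""
    videos = Path(tempfile.mkdtemp()) / "Videos"
    (videos / "project").mkdir(parents=True)
    (videos / CACHE_DIR_NAME).mkdir()
    footage = videos / "project" / "raw.mov"          # must survive the purge
    stale = videos / CACHE_DIR_NAME / "stale.pek"     # old cache file, should go
    fresh = videos / CACHE_DIR_NAME / "fresh.pek"     # recent cache file, should stay
    for f in (footage, stale, fresh):
        f.write_bytes(b"x")
    old = time.time() - 120 * 86400
    os.utime(footage, (old, old))
    os.utime(stale, (old, old))
    deleted = purge_cache(videos)
    return footage.exists(), stale.exists(), fresh.exists(), [p.name for p in deleted]
```

The second containment check matters because `rglob` may descend into symlinked directories, so a link inside the cache pointing back at the footage would otherwise bring those files into scope.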
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.