Silobreaker Daily Cyber Digest – 08 October 2019
Fake Russian Federal Bailiffs Service used to infect users with Trojan
- Researchers at Doctor Web discovered a copy of the Russian Federal Bailiffs Service (FSSP) website that delivers Trojan.DownLoader28.58809. When a user tries to interact with the site they are redirected to a page telling them to update Adobe Flash Player, and an EXE file is downloaded to the device; if the user launches the file, their system is infected with the malware.
- The trojan achieves persistence by adding itself to autorun, then connects to the attackers' C2 and downloads an additional module, dubbed Trojan.Siggen8.50183, which can move, delete and retrieve files, run processes, and more.
Source (Includes IOCs)
Ongoing Mustang Panda campaign seen targeting minority groups and multiple organisations
- Anomali researchers observed a campaign attributed to the suspected Chinese state-backed APT Mustang Panda that has been ongoing since at least November 2018 and potentially dates back to 2017.
- The campaign uses the same TTPs as a previous Mustang Panda campaign: victims are sent a ZIP archive containing a LNK file with an embedded HTA script. When the shortcut is opened, the script drops and opens a decoy document while running a malicious payload in the background. Observed payloads include Cobalt Strike Beacon, PlugX and other, as yet unidentified, payloads.
- Definite targets could not be determined, but the decoy documents suggest Mustang Panda is targeting individuals interested in the UN Security Council Committee resolutions regarding ISIL, MIAT Mongolian Airlines, the non-profit China-Zentrum e.V., the Communist Party of Vietnam, and the Shan Tai minority group. Targeted countries include Germany, Mongolia, Myanmar, Pakistan and Vietnam.
Source (Includes IOCs)
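Added example, not code from Anomali's report: a small Python checker for the LNK-with-embedded-HTA technique described above. It assumes the shortcut keeps a valid ShellLink structure whose command-line arguments invoke mshta.exe and that the HTA text sits after the end of that structure; the marker list, the sample shortcut builder and the HTA fragment are constructed here for illustration and are not taken from the campaign.

```python
"""Flag Windows shortcut (.lnk) files that carry an appended HTA script.

Added example for this digest, not Anomali's code. Assumes a real ShellLink
structure (header, optional ID list / link info, string data, extra data)
followed by HTA/VBScript text, with mshta.exe in the shortcut's arguments.
"""
import re
import struct
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in file order and the LinkFlags bit that says each one is present
STRING_FLAGS = [0x04, 0x08, 0x10, 0x20, 0x40]  # name, relative path, working dir, arguments, icon
ARGUMENTS_INDEX = 3

# Assumed markers of an appended HTA payload (illustrative, not exhaustive)
HTA_MARKERS = {
    "hta:application": rb"<hta:application",
    "script tag": rb"<script",
    "mshta": rb"mshta(?:\.exe)?",
    "WScript.Shell": rb"WScript\.Shell",
    "ActiveXObject": rb"ActiveXObject\(",
}


@dataclass
class LnkReport:
    valid: bool = False            # well-formed ShellLink header present
    arguments: str = ""            # COMMAND_LINE_ARGUMENTS string, if any
    trailing_size: int = 0         # bytes found after the parsed shortcut structure
    markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.valid and (bool(self.markers) or "mshta" in self.arguments.lower())


def _read_strings(data: bytes, off: int, flags: int):
    """Read the optional StringData sections; returns (five strings, new offset)."""
    strings = []
    for bit in STRING_FLAGS:
        if not flags & bit:
            strings.append("")
            continue
        (count,) = struct.unpack_from("<H", data, off)   # character count, then the characters
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        strings.append(raw.decode("utf-16-le" if width == 2 else "latin-1", errors="replace"))
    return strings, off


def _skip_extra_data(data: bytes, off: int) -> int:
    """Walk BlockSize-prefixed ExtraData blocks; a size below 4 is the terminal block."""
    while off + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, off)
        if size < 4:
            return off + 4
        if off + size > len(data):    # malformed block: treat the remainder as trailing data
            break
        off += size
    return off


def analyse_lnk(data: bytes) -> LnkReport:
    rep = LnkReport()
    if len(data) < LNK_HEADER_SIZE:
        return rep
    (hdr_size,) = struct.unpack_from("<I", data, 0)
    if hdr_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return rep
    rep.valid = True
    (flags,) = struct.unpack_from("<I", data, 20)
    off = LNK_HEADER_SIZE
    try:
        if flags & HAS_ID_LIST:           # LinkTargetIDList: 2-byte size, then the items
            (size,) = struct.unpack_from("<H", data, off)
            off += 2 + size
        if flags & HAS_LINK_INFO:         # LinkInfo: 4-byte size that includes itself
            (size,) = struct.unpack_from("<I", data, off)
            off += size
        strings, off = _read_strings(data, off, flags)
        rep.arguments = strings[ARGUMENTS_INDEX]
        off = _skip_extra_data(data, off)
    except struct.error:
        off = min(off, len(data))         # truncated structure: scan whatever remains
    trailing = data[off:]
    rep.trailing_size = len(trailing)
    rep.markers = [name for name, pat in HTA_MARKERS.items() if re.search(pat, trailing, re.IGNORECASE)]
    return rep


def build_sample_lnk(arguments: str, appended: bytes) -> bytes:
    """Constructed sample: a minimal shortcut with only a Unicode arguments string, plus appended data."""
    flags = STRING_FLAGS[ARGUMENTS_INDEX] | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\0")
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + appended


# Constructed, inert stand-in for an appended HTA; hypothetical command line re-running the shortcut via mshta
SAMPLE_HTA = b'<html><hta:application id="x"/><script language="VBScript">\nSet sh = CreateObject("WScript.Shell")\n</script></html>'
SAMPLE_ARGS = 'mshta.exe "%CD%\\invite.lnk"'

if __name__ == "__main__":
    print(analyse_lnk(build_sample_lnk(SAMPLE_ARGS, SAMPLE_HTA)))
```

Run `analyse_lnk` over shortcuts extracted from mail attachments and triage anything with `suspicious` set; `trailing_size` on its own is a useful signal, since a genuine shortcut rarely carries data past its terminal ExtraData block.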
New AgentTesla keylogger campaign uses Iraqi government site as C2
- My Online Security observed a new AgentTesla keylogger campaign that uses an Iraqi government site, hosted on a shared HostGator server, as its C2. It is unclear which email addresses are used, because the malware connects over SMTP port 587 with STARTTLS, which encrypts the addresses along with the message content.
- The attack resembles other AgentTesla campaigns: an email purporting to be a proof of purchase or a purchase order carries an ISO image attachment, a format that evades many antivirus products, which usually contains password-stealing components aimed at victims' bank accounts, PayPal accounts or other financial credentials.
Source (Includes IOCs)
Drupalgeddon2 RCE vulnerability in Drupal CMS actively exploited
- Akamai researcher Larry Cashdollar observed attackers exploiting Drupalgeddon2, an unauthenticated remote code execution vulnerability in the Drupal CMS. The vulnerability, tracked as CVE-2018-7600, was patched in March 2018 (Drupal 7.58 and 8.5.1).
- Unpatched systems remain vulnerable to the attack, which runs code embedded inside a GIF file. The campaign delivers two pieces of malware: the first can scan local files for credentials, report system information, upload files and more; the second combines RAT and DDoS functionality and uses Internet Relay Chat for the attackers' C2.
- At present the attack traffic is not widespread and appears to be directed at a ‘random assortment of high profile websites’.
Source (Includes IOCs)
Ramnit spread via GitHub Pages
- Researchers at Netskope have blocked several GitHub Pages sites found to be infected by Ramnit. Victims who attempted to clone their GitHub Pages repository after an infection found that their pages were still infected, because the malware is carried over in the infected HTML files; any new web pages generated from the copied files are therefore infected too.
- Users who then visit the compromised sites with Internet Explorer receive a prompt asking them to enable a Microsoft Script Runtime ActiveX control. Those who accept unknowingly run a script that drops the Ramnit payload, allowing the malware to spread further.
Source (Includes IOCs)
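Added example, not Netskope's code: a Python scanner that finds Ramnit-style VBScript dropper blocks in HTML files and strips them, which is the check to run on a Pages repository before re-publishing it, given that cloning carries the infection over. It assumes the injected block is a `<SCRIPT Language=VBScript>` element that rebuilds an executable from a hex string with `Scripting.FileSystemObject` and launches it with `WScript.Shell` (the `DropFileName` and `WriteData` variable names are taken from public Ramnit write-ups and treated as an assumption); the sample page is constructed and its script is an inert stand-in, not a working dropper.

```python
"""Find and strip Ramnit-style VBScript dropper blocks from HTML files.

Added example for this digest, not Netskope's code. Assumed shape of the
injected block: <SCRIPT Language=VBScript> using Scripting.FileSystemObject to
write a hex-encoded executable (WriteData) named DropFileName, then running it
via WScript.Shell. Sample page below is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path

SCRIPT_RE = re.compile(
    r"<script\b[^>]*language\s*=\s*['\"]?vbscript['\"]?[^>]*>(.*?)</script>", re.I | re.S)
HEX_BLOB_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]{32,})"')
DROP_NAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"')
REQUIRED = ("scripting.filesystemobject", "wscript.shell")   # both must appear in the block


@dataclass
class Finding:
    start: int          # offset of the injected <script> in the page
    end: int            # offset just past its </script>
    drop_name: str      # file name the script would write, if declared
    payload_bytes: int  # size of the hex-encoded payload
    is_pe: bool         # payload starts with the MZ header


def scan_html(html: str) -> list[Finding]:
    """Return one Finding per VBScript block that matches the dropper pattern."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not all(marker in body.lower() for marker in REQUIRED):
            continue
        blob = HEX_BLOB_RE.search(body)
        name = DROP_NAME_RE.search(body)
        hexdata = blob.group(1) if blob else ""
        findings.append(Finding(m.start(), m.end(), name.group(1) if name else "",
                                len(hexdata) // 2, hexdata[:4].upper() == "4D5A"))
    return findings


def strip_injected(html: str) -> str:
    """Remove every flagged block, working from the end so earlier offsets stay valid."""
    out = html
    for f in sorted(scan_html(html), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + out[f.end:]
    return out


def scan_directory(root: str) -> dict[str, list[Finding]]:
    """Scan every .htm/.html file under root (e.g. a cloned Pages repo); returns infected paths only."""
    results = {}
    for path in Path(root).rglob("*.htm*"):
        found = scan_html(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample page: a clean site with an inert stand-in for an injected block appended
SAMPLE_PAGE = """<html><head><title>My project</title></head>
<body><p>Hello from GitHub Pages.</p></body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
' file-writing loop deliberately omitted: this is a stand-in, not a working dropper
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
'--></SCRIPT>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f)
    print(strip_injected(SAMPLE_PAGE))
```

Point `scan_directory` at the cloned repository, review the findings, then rewrite each file with `strip_injected` before pushing; a `payload_bytes` of a few hundred kilobytes with `is_pe` set is the Ramnit signature, whereas a short non-PE hex string is more likely a false positive worth a manual look.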
Leaks and Breaches
391,472 Sarrell Dental patients affected by ransomware attack
- Sarrell Dental is informing its patients of a ransomware attack in July 2019 that may have exposed the sensitive data of 391,472 of its patients. Compromised data included patient names, addresses, dates of birth, Social Security numbers, insurance information, and more.
- According to Sarrell Dental, no evidence of data misuse was found. However, the dental provider noted that it could not be certain whether, or how much, data was exposed.
Cancer Treatment Centers of America suffers data breach
- As a result of a phishing attack, an unauthorised individual had access to a Cancer Treatment Centers of America (CTCA) employee email account from July 22nd to July 29th, 2019, potentially exposing the protected health information of 3,290 patients. This is the fifth data breach CTCA has reported since November 2018.
- Although no evidence of data misuse was found, potentially accessed data included names, addresses, phone numbers, dates of birth, health insurance information, and more. No Social Security numbers were exposed.
TransUnion Canada exposes credit information following credential stuffing attack
- Between June 28th and July 11th, 2019, an unauthorised party retrieved consumer credit files through a TransUnion Canada business portal, gaining access with the login credentials of TransUnion customer CWB National Leasing Inc.
- A successful credit file lookup would have allowed the attacker to view consumers' names, dates of birth, addresses, loan obligations, payment history, and more.
- TransUnion issued a letter to customers that stated that the issue was not related to a breach in their systems but was instead ‘a crime of credential theft’.
Hacker accesses Toms Shoes’ mailing list
- On October 6th, 2019, a hacker accessed Toms Shoes’ mailing list and sent a message to subscribers telling them to go outside. The hacker, going by the name of Nathan, told Motherboard that he did not have malicious intent towards the company. The method through which the hacker gained access to the mailing list has not been revealed.
New Zealand’s Commerce Commission information potentially exposed via stolen laptop
- On October 8th, 2019, New Zealand's Commerce Commission revealed that a laptop belonging to an external provider had been stolen. The laptop could contain up to 200 meeting and interview transcripts, some dating back to 2016.
- The confidential information on the device could include material provided to the Commission by businesses and individuals. The Commission said it would no longer work with the external provider.
Customer data of Russian ISP Beeline sold online
- Russian news agency Kommersant reported that data belonging to 8.7 million customers of Russian ISP Beeline is available online. The security incident that led to the disclosure occurred in 2017, but the breach was never publicly disclosed.
- Following Kommersant’s report, Beeline revealed that the information belonged to Russian customers who signed up for broadband connections prior to November 2016. Exposed information includes names, mobile and home phone numbers, and addresses.
iOS apps using old TwitterKit library vulnerable to man-in-the-middle attacks
- Researchers at Fraunhofer SIT found that 45 German iOS applications still use a flawed TwitterKit library that Twitter replaced in October 2018, affecting millions of German users. Globally, tens of thousands of apps may still ship the flawed library.
- The vulnerability, tracked as CVE-2019-16263, stems from the library not properly validating the api[.]twitter[.]com SSL/TLS certificate, leaving users of apps that contain the old library open to man-in-the-middle attacks on their traffic to the Twitter API. Affected apps include those that let users log in via their Twitter access token.
- According to Fraunhofer SIT's Jens Heider, the flawed library is still available in Twitter's GitHub repository with no indication that the code is vulnerable. Heider notes that many developers may not update their apps because the code appears to work without issues.
Zero-day published for old versions of Joomla CMS
- Security researcher Alessandro Groppo published details of a PHP object injection vulnerability in older versions of Joomla CMS that can lead to remote code execution.
- The flaw is similar to CVE-2015-8562, which is still exploited today, but has a wider impact because it is independent of the environment, making exploitation more reliable. The newly disclosed vulnerability affects versions 3.0.0 to 3.4.6.
RobbinHood ransomware authors update ransom note
- Security researcher Joakim Kennedy found an updated ransom note in a new RobbinHood variant. The malware authors emphasise the strength of their encryption by pointing victims to the Wikipedia page on the RSA algorithm they use in their attacks.
- The operators also tell victims to look up previous RobbinHood attacks on Greenville, North Carolina, and the City of Baltimore. The note tells victims not to work with the FBI or other security organisations, and threatens permanent deletion of the files after a period of 10 days.
User infected with Muhstik ransomware hacks attacker to recover decryption key
- Since the end of September 2019, an attacker has been encrypting files on publicly exposed QNAP NAS devices with Muhstik ransomware, demanding a bitcoin ransom of approximately $700.
- Muhstik victim Tobias Frömel paid the ransom and then hacked the attacker's C2 server. Frömel found web shells on the server that contained the PHP script used to generate the passwords, and used the same web shell to create a new PHP file that outputs HWIDs and decryption keys.
- Decryption keys for 2,858 Muhstik victims were recovered this way. Emsisoft has also released a decryptor that runs on Windows and can be used to recover encrypted files.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.