Silobreaker Daily Cyber Digest – 09 November 2018
Altus Baytown Hospital in Texas infected with Dharma ransomware
- A hospital in Baytown, Texas was reportedly hit with Dharma ransomware, which encrypted files containing patient names, contact information, birth dates, addresses, Social Security numbers, driver's license numbers, credit card information and more.
North Korean hackers infiltrate South Korean security program
- ESTsecurity’s Security Response Center reported that the hackers used Hangul Word Processing files infected with Kimsuky malware in order to leak victims’ system and user account information, as well as collect files.
- Devices infected with the malware send the collected information to two Korean-language websites that are likely compromised and forwarding the information on to other locations.
New TrickBot module pwgrab steals data from browsers and software applications
- Fortinet researchers recently discovered a new variant of TrickBot Malware that uses a new module named pwgrab.
- This new variant was found to be distributed through an Excel file containing a malicious VBS macro that is executed once the file is opened. The malicious code is used to download TrickBot onto the targeted device.
- The newly added pwgrab module steals credentials from the Internet Explorer, Firefox, Chrome and Edge browsers. Pwgrab was also found to steal credentials from the client software Outlook, FileZilla and WinSCP. Other information collected includes browser history and autofill data.
Source (Includes IOCs)
DJI drones permit unauthorized access to sensitive information
- Check Point researchers discovered that cyber espionage can be conducted through account takeover of drones manufactured by DJI, a vendor accounting for 70% of the global commercial and consumer drone market.
- The researchers detail how attackers can access data such as drone flight records and photos taken during flights, user account information (including credit card details), the drone's real-time camera, the drone's microphone and map view, and a live view of the drone pilot's camera and location. Check Point highlights that this can be carried out without the user being aware.
- The research team also provides an in-depth discussion of the current importance of drones in business operations, the potential damage caused by these attacks and the attack mechanics.
Metamorfo campaign targets customers of Brazilian financial institutions
- Cisco Talos researchers recently identified two ongoing malware campaigns infecting users with banking trojans. The two campaigns were detected in late October and early November 2018. The campaign was previously dubbed Metamorfo by researchers at FireEye.
- The campaign was found to target customers of the following banks: Santander, Itaú Unibanco, Banco do Brasil, CaixaBank, Sicredi, Banco Bradesco, Safra, Sicoob, Banco da Amazonia, Banco do Nordeste, Banestes, Banrisul, Banco de Brasilia and Citibank.
- Through their investigation of these campaigns, the researchers also discovered that the attackers are using a remote administration tool to build a botnet of systems dedicated to sending spam emails. Other features of these campaigns include the use of link-shortening services to better mask the actual distribution servers.
Source (Includes IOCs)
Cryptominer uses Windows Installer and other techniques to remain undetected
- Trend Micro researchers observed that a cryptocurrency miner, tracked as Coinminer.Win32.MALXMR.TIAODAM, has been using multiple obfuscation techniques to remain stealthy.
- One example is packaging the malware as a Windows Installer MSI file, as Windows Installer is a legitimate application used to install software and thus may not appear suspicious to the victim.
- Another example is that the malware uses a 'custom Windows Installer builder WiX as a packer, most likely as an additional anti-detection layer', which Trend Micro states further demonstrates the threat actor's efforts to remain undetected.
Source (Includes IOCs)
Cambodian Internet Service Providers hit with large DDoS attacks
- EZECOM, SINET, Telcotech and Digi were reportedly hit with the largest DDoS attacks Cambodia has ever experienced. The motivations behind the attacks remain unclear.
Leaks and Breaches
Risk Based Security reports almost 4,000 breaches disclosed in 2018
- The 2018 Q3 Data Breach QuickView report found that 3,676 data breaches were disclosed between January 1st and September 20th, resulting in the exposure of 3.6 billion records.
- The report disclosed that the number of reported breaches had fallen by 8% compared to 2017.
- Business data breaches made up 38% of the breaches, the government sector 8.2%, the medical sector 7.8% and education 3.9%, while 43% could not be classified.
Microsoft releases information on securing BitLocker drives from Thunderbolt DMA attacks
- Microsoft has released a support bulletin informing users of ways they can protect BitLocker drives from Thunderbolt direct memory access (DMA) attacks.
- One way Microsoft encourages users to protect themselves is to use the Kernel DMA Protection feature available in Windows 10.
- The notice follows recent reports of flaws in SSD drives that permit hardware disk encryption to be bypassed, which were also found to affect BitLocker on Windows.
Flaw in Windows activation service downgrades users’ Windows 10 Pro licenses
- A bug in Microsoft Windows' activation service caused Windows 10 Pro licenses to be downgraded to Windows 10 Home. Affected users were then shown a message saying that Windows cannot be activated on their device.
- Reports of this issue came from users located in Japan, Korea, the US and several other countries. A Microsoft spokesman said the flaw was the result of an 'issue with Microsoft's activation server'. The flaw has since been fixed.
Threat actor exploits recently patched vulnerability in Adobe ColdFusion
- Volexity researchers found that a recently patched vulnerability in Adobe ColdFusion, tracked as CVE-2018-15961, has been exploited in the wild.
- The researchers found that the flaw is being exploited by what they believe is a China-based APT group. The perpetrators are using the critical unrestricted file upload vulnerability to upload the China Chopper webshell to a vulnerable server. The attack occurred two weeks after Adobe released a patch for the bug on September 28th, 2018.
- Several of the targeted websites were found to include defaced index files that attributed the attack to AnoaGhost, a hacktivist group of Indonesian origin and with ties to a pro-ISIS hacktivist group.
Source (Includes IOCs)
Cisco inadvertently ships in-house test exploit code with its TelePresence software
- Cisco reported that it had accidentally shipped dormant sample exploit code with its Cisco Expressway Series and TelePresence Video Communication Server software. The code includes an exploit for the Dirty COW (CVE-2016-5195) vulnerability.
Default account makes Cisco Small Business switches vulnerable to remote attacks
- Cisco reported that malicious actors could leverage the default account provided with its Small Business switches in order to log into the devices and execute arbitrary commands with full administrator privileges.
- The vulnerability is tracked as CVE-2018-15439.
Attack exploits vulnerabilities in InPage and outdated VLC media players
- Microsoft observed a targeted attack using the language-specific word processor InPage. The attackers are using spear-phishing emails containing a malicious InPage document named 'hafeez saeed speech on 22nd April[.]inp'. The document contains exploit code for the buffer-overflow vulnerability in InPage, CVE-2017-12824.
- The document drops an outdated VLC media player version vulnerable to DLL hijacking. The final malware is encoded in a JPEG file and allows the attackers to execute arbitrary commands on victims' machines.
Three vulnerabilities patched in nginx web server
- Several vulnerabilities in the nginx open source web server software were patched earlier this week.
- One of the bugs, tracked as CVE-2018-16843, is a flaw that can cause excessive memory consumption, while another flaw, tracked as CVE-2018-16844, can result in excessive CPU usage.
- The final patched vulnerability, tracked as CVE-2018-16845, permitted attackers to crash the worker process or cause it to leak memory by having the ngx_http_mp4_module process a specially crafted MP4 file.
Bug in Steamworks permitted access to activation keys of any game on Steam
- Researcher Artem Moskowsky discovered a bug in Steamworks, a platform that helps developers build and publish games via Steam, which allowed him to access activation keys for any game ever made available through the Steam platform.
- The flaw was located in the Steam web API and was patched shortly after Moskowsky’s report in August 2018.
Beijing increasingly spying and stealing trade secrets from American businesses
- A panel speaking at the Aspen Cyber Summit warned that the 2015 truce the Obama and Xi Jinping administrations struck is no longer being upheld, and that Chinese hackers are increasingly targeting the US, due in part to the escalating trade war between the two countries.
Hackers charged in South Korea for cryptojacking 6,000 computers
- Five men were arrested by the South Korean National Police Agency Cyber Bureau for installing cryptomining software on desktop computers. The hackers reportedly sent malware-laced emails to 30,000 job applicants in order to carry out the cryptojacking attacks.
Pakistan’s central bank reports mass skimming operation but denies mass bank data breach
- 20,000 debit and credit cards from 22 Pakistani banks were skimmed, resulting in the theft of at least $20,000. The State Bank of Pakistan stated that no banks had been hacked, contrary to media reports.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.