Silobreaker Daily Cyber Digest – 09 October 2019
Charming Kitten observed attacking cybersecurity researchers
- The Iran-linked group Charming Kitten, also known as Phosphorus or APT35, targeted ClearSky Cyber Security researchers with malicious emails purporting to be from an antivirus company. A phishing website, made to appear like the legitimate ClearSky website, was also found, along with a web-mail page targeting the company’s clients.
- ClearSky recently published a report on four new spear-phishing methods used by Charming Kitten in an escalation of a campaign that overlaps with one that Microsoft recently uncovered. Both campaigns saw similar attack vectors and victim profiles that included academic researchers, human rights activists, opposition to Iran’s regime, and journalists.
Source (Includes IOCs)
Over 6000 e-commerce websites hosted on Volusion potentially compromised
- Other websites that operate using Volusion showed the same malicious code exfiltrating credit card information to an outside domain. The researcher found 6,593 web pages that ‘are probably hosted by Volusion and are probably compromised’.
Source (Includes IOCs)
Phishing campaign observed using Digi branding
- Heimdal Security researchers discovered a new phishing campaign targeting Romanian users. However, due to its poor grammar and spelling, the researchers suspect it may exist in other language variations, most likely targeting users across Europe.
- The campaign involves a user accessing malicious domains via Google search results that lead them to a page with a message in Spanish asking the user to verify they are not a robot. Upon verification, they are redirected to a page in Romanian that imitates the Digi brand and asks the user to complete a survey to win a smartphone. Upon completion of the survey, the user is asked to enter their name and credit card details to purchase the phone for 4.99 RON (€1).
- The researchers note that the malicious domains can only be accessed via organic Google results and not directly via a browser. The researchers had also previously observed the Digi branding being used in five fake Facebook accounts, believed to be part of a potential electoral fraud campaign.
Microsoft identify spear-phishing emails delivering LokiBot malware
- In early July 2019, researchers at Microsoft discovered a large-scale spear-phishing campaign that attempted to deliver malicious emails to over 100 organisations. The targeted companies were primarily located in the UAE, Portugal, and Germany.
- In one attack, which targeted a pharmaceutical ingredient supplier, the attackers used three different emails, each carrying the same malicious attachment. The emails were designed to be as convincing as possible and employed industry-specific terms.
- When opened, the malicious attachment connected to a compromised WordPress site and loaded a document which attempted to exploit CVE-2017-11882. Following successful exploitation, LokiBot malware would be installed on the victim’s system. The malware can steal credentials and exfiltrate information to the attacker’s C2 server.
Linux systems targeted by new Golang ransomware
- Researchers at Fortinet discovered new ransomware written in Golang that was designed to target Linux systems. At present, the malware consists of just over 300 lines of source code. The researchers stated that the virus might still be in the development phase.
- Upon execution, the malware checks the system's location and terminates if it detects that it is running on a device in Belarus, Russia, or Ukraine. If the location check is passed, the malware proceeds to encrypt files using the AES-256-CFB algorithm. The virus then displays a ransom note on the infected system demanding payment in return for file decryption services.
Source (Includes IOCs)
New sextortion campaign uses Litecoin to evade detection
- Researchers at Cofense observed a new sextortion campaign that is using a Litecoin wallet address, instead of the typical Bitcoin addresses. This is believed to be a new attempt to avoid detection by antivirus products, which typically scan for Bitcoin addresses.
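From a detection standpoint, the point of the Litecoin swap is that a scanner keyed only to Bitcoin address patterns misses it. The following is an added example, not part of the Cofense research or this digest: it flags both Bitcoin and Litecoin legacy addresses by decoding them as base58check and validating the checksum, so a decoy string that merely looks like an address is rejected. The version-byte table and the sample email body are assumptions constructed here.

```python
import hashlib
import re
from typing import List, Optional, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Assumed legacy (base58check) version bytes for the two coins; bech32
# forms ("bc1...", "ltc1...") are deliberately out of scope for this example.
VERSION_COINS = {0x00: "bitcoin-p2pkh", 0x05: "bitcoin-p2sh",
                 0x30: "litecoin-p2pkh", 0x32: "litecoin-p2sh"}

def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + payload with a double-SHA256 checksum (used to build samples)."""
    data = bytes([version]) + payload
    data += _checksum(data)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))  # leading zero bytes become leading '1's
    return "1" * pad + out

def b58check_decode(s: str) -> Optional[Tuple[int, bytes]]:
    """Return (version, 20-byte payload), or None if charset or checksum is wrong."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version + 20 payload + 4 checksum
    except OverflowError:
        return None
    if _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[0], raw[1:21]

# Candidate tokens only; the checksum decides whether a token is really an address.
ADDR_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{26,35}\b")

def find_crypto_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (address, coin) pairs for every checksum-valid legacy address in text."""
    hits = []
    for m in ADDR_RE.finditer(text):
        dec = b58check_decode(m.group())
        if dec and dec[0] in VERSION_COINS:
            hits.append((m.group(), VERSION_COINS[dec[0]]))
    return hits

# Constructed sample: a Litecoin address generated here, the well-known Bitcoin
# genesis address, and a decoy whose last character has been altered.
SAMPLE_LTC = b58check_encode(0x30, bytes(range(20)))
SAMPLE_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_EMAIL = (f"Send 0.5 LTC to {SAMPLE_LTC} within 48 hours. "
                f"Old wallet {SAMPLE_BTC} also accepted. "
                "Ref: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")
```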
France’s ANSSI warns of campaigns against ISPs and engineering companies
- In a technical report, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) warns of two ongoing campaigns targeting enterprise networks of service providers and design offices to gain access to data and the companies’ client networks.
- The two campaigns appear to be separate, with one involving PlugX, whilst the other focuses on legitimate tools and credential theft. No attribution was made; however, PlugX was previously observed being used by Chinese-backed groups.
- A separate report published by ANSSI looks at another ongoing campaign targeting country officials and think tanks dating back to 2017 and involving phishing and credential gathering. ANSSI links some TTPs to ones that were reportedly used by threat actors Kimsuky and Group123.
Leaks and Breaches
Phishing attack may have exposed Methodist Hospitals patient data
- Two Methodist Hospitals Inc employees fell victim to phishing attacks that resulted in an unauthorised individual gaining access to their email accounts. One was accessed on June 12th and from July 1st to July 8th, 2019, whilst the other was accessed from March 13th to June 12th, 2019.
- No evidence of actual or attempted misuse of data was found; however, potentially accessed data included names, dates of birth, addresses, Social Security numbers, driver’s licenses, passport numbers, payment card information, and more. Affected individuals are being notified.
Women’s Care Florida patient data potentially exposed following cyberattack
- On July 27th, 2019, North Florida OB-GYN, part of Women’s Care Florida, discovered that parts of its computer systems were compromised on or before April 29th, 2019 by file-encrypting malware. Most files have since been decrypted. Officials did not confirm whether it was a ransomware attack.
- The incident potentially left private health data of 528,188 patients exposed, including names, demographic details, dates of birth, Social Security numbers, driver’s licenses, and more.
Investigation into Sberbank data leak shows data of 5,000 clients was sold on dark web
- An investigation into the recent Sberbank data leak found that the individual responsible had sold the data of 5,000 clients online. However, according to the bank, a large portion of the data is outdated or inactive. The bank had previously stated that the leak affected at least 200 individuals.
- An internal investigation revealed that one of the bank’s employees was responsible for the leak and has since been arrested.
Freedom Healthcare Staffing exposes nearly a million records
- On September 16th, 2019, researchers at Security Discovery identified an unprotected database that belonged to Freedom Healthcare Staffing. The database contained 957,000 records that related to internal notes and communications.
- Exposed information contained personal and sensitive conversations about employees and several records also contained Social Security numbers. The database also contained information such as IP addresses, ports, pathways, and storage information.
- The researcher contacted Freedom Healthcare Staffing who removed public access to the database.
Microsoft patch 59 vulnerabilities with October patch
- On October 8th, 2019, Microsoft released their monthly security update addressing 59 vulnerabilities. Nine of the vulnerabilities are listed as critical, while 49 flaws are deemed important. None of the disclosed vulnerabilities are under attack or were publicly known.
- Among the critical bugs is an Excel flaw, tracked as CVE-2019-1327, which could be exploited by an attacker to achieve remote code execution once a victim opens a malicious file.
- A full list of vulnerabilities and impacted products is available via Microsoft.
Schneider Electric Modicon M580 contains multiple vulnerabilities
- Researchers at Cisco Talos identified eight vulnerabilities in the Schneider Electric Modicon M580 programmable automation controller. The majority of the bugs exist in its use of FTP, with five of the vulnerabilities potentially leading to a denial-of-service condition.
- A full list of the vulnerabilities is available via Cisco Talos.
Google patches RCE vulnerabilities in Android OS
- Google patched a total of 26 vulnerabilities in Android OS, three of which were classed as critical remote code execution flaws that could allow attackers to ‘execute arbitrary code within the context of a privileged process.’
- The flaws, tracked as CVE-2019-2184, CVE-2019-2185 and CVE-2019-2186, are present in the Media framework on Android 7.1.1, 7.1.2, 8.0, 8.1 and 9.
- CVE-2019-2185 and CVE-2019-2186 also affect Android 10; however, they are only deemed medium risk due to previous safety improvements in the operating system.
Apple release patches for range of products
- On October 7th, 2019, Apple released patches for macOS Catalina 10.15, iTunes 12.10.1 for Windows, and iCloud for Windows 7.14 and 10.7. A full list of vulnerabilities in all products is available via Apple.
Two vulnerabilities discovered in Beckhoff TwinCAT PLC Environment
- Researchers at Rapid7 identified two vulnerabilities, tracked as CVE-2019-5637 and CVE-2019-5636, in the TwinCAT PLC environment. Both bugs can lead to denial-of-service conditions. Both vulnerabilities have been acknowledged and addressed by Beckhoff.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.