Silobreaker Daily Cyber Digest – 1 August 2019
QR code scam used to steal money from bank accounts
- Dutch police recently arrested two individuals running a QR code scam in which victims were asked to scan a QR code, supposedly to pay for the scammers' parking in exchange for cash. The QR code instead routed the victim's banking login details to the scammers, giving them access to the victim's funds.
- Malwarebytes Labs explains the details of how the scam works to raise awareness in case this type of scam is used in other cities.
New Mirai malware contains C2 that is hidden in the Tor network
- Researchers at Trend Micro discovered a new Mirai variant that reaches its C2 server through the Tor network, which hides the server's real IP address and makes it harder for hosting providers to take the server down if it is discovered. Besides the relocated C2, the malware's capabilities and functionality are unchanged.
Source (Includes IOCs)
FileCoder ransomware for Android harder to decrypt than previously thought
- On July 29th, 2019, ESET researchers reported a new strain of Android ransomware called FileCoder. The researchers stated that 'because of the hardcoded key value that is used to encrypt the private key, it would be possible to decrypt files', and consequently advised that the malware did not pose a significant threat.
- Security researcher Alexey Vishnyakov indicated that this was not the case: the hardcoded key is in fact an RSA-1024 public key, so anything wrapped with it is 'close to impossible' to decrypt without the matching private key. The threat posed by FileCoder is therefore far greater than previously thought.
Source (Includes IOCs)
U.S. government websites defaced by ‘VandaTheGod’ hacktivists
- On July 30th, 2019, the website of Randolph County, North Carolina, was hacked by an attacker using the alias ‘VandaTheGod’. The group or individual behind the attack also defaced dozens of other government websites with anti-government messages featuring a picture of Guy Fawkes.
Leaks and Breaches
Backdoor leaves over 4 million Club Penguin Rewritten accounts compromised
- A former administrator of the online game Club Penguin Rewritten (CPRewritten) allegedly installed a backdoor on the game's website by leaving behind PHP files that allow access to the website's database. The backdoor was first discovered on July 26th, 2019, when data began to leak from the database.
- As a result, attackers stole data from 4,007,909 accounts along with 2.9 million IP address logs covering registrations and login dates. The account data includes email addresses, usernames and passwords stored as bcrypt hashes; bcrypt slows offline cracking considerably, but weak or reused passwords remain at risk.
- CPRewritten previously suffered a data breach in January 2018. The breach was disclosed in April 2019 and exposed roughly 1.7 million unique email addresses, usernames and bcrypt hashes for passwords.
Honda Motor Company leaks database containing information about internal systems
- Security researcher Justin Paine found the internet-exposed Elasticsearch database via Shodan on July 4th, 2019. The database required no authentication of any kind and contained roughly 134 million documents, totalling about 40GB of data.
- Information in the database appeared to date back to March 13th, 2019 and related to Honda's internal networks and computer systems. Details included machine hostnames, internal IPs, OS versions, the status of Honda's endpoint security software, and more. The database also contained details about the laptop of Honda's CEO, including the CEO's email address, full name, MAC address, OS version, endpoint security status, and device type.
- Paine contacted Honda on July 6th, 2019, and the database was secured the same day.
Pearson data breach affects thousands of accounts
- Educational software maker Pearson announced that 13,000 school and university accounts, mostly based in the US, have been affected by a data breach. Exposed data included names, dates of birth and email addresses.
- The breach occurred in November 2018 and involved unauthorised access to accounts on the company's student monitoring and assessment platform AIMSweb. The vulnerability has since been fixed.
- Pearson reported that there is no evidence that any of the exposed data has been misused, and that they have informed affected users.
Tibor Rubin VA Medical Center may have exposed patient data
- Staff at Tibor Rubin VA Medical Center in Long Beach, California, potentially exposed the records of 133 patients to outside parties between 2013 and late 2017. A report by the Veterans Administration's Office of the Inspector General (OIG) found that staff used their personal accounts to work around an incompatibility between an esophagus diagnostic tool and the medical center's record-keeping software.
- As a result, sensitive information, including Social Security numbers, was transferred using unsecured personal email accounts, text messages and flash drives. The OIG report did not find that the data had been compromised, and the agency's National Data Breach Response Service stated that it did not classify the incident as a data breach.
Two vulnerabilities found in Western Digital and SanDisk SSD Dashboard applications
- The first, tracked as CVE-2019-13466, concerns customer report data that the SanDisk Dashboard application protects with a hard-coded password before sending it to SanDisk for examination. A password embedded in a widely distributed binary offers no real confidentiality: anyone who extracts it from the application can decrypt the reports.
- The second, CVE-2019-13467, is exploitable when the application is used on an untrusted network. The application used plain HTTP rather than HTTPS to communicate with the SanDisk site, so an attacker running a rogue hotspot or otherwise positioned for a man-in-the-middle attack could serve malicious content to the application. SanDisk has switched to HTTPS to fix this flaw.
- Users of both applications are advised to update to the fixed Dashboard release.
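The FileCoder correction above and the SanDisk report-data flaw turn on the same question: which half of a key ships inside the client. The toy below is an added illustration and is not code from ESET, Alexey Vishnyakov, SanDisk or the malware. It wraps a per-device secret under an embedded RSA public key and shows that the public key alone cannot unwrap it; the only route left is to factor the modulus, which is instant for the tiny primes assumed here and infeasible for a real 1024-bit key. For contrast, a toy symmetric scheme keyed by a hard-coded password (a stand-in, not SanDisk's actual algorithm) decrypts for anyone who has extracted that password.

```python
"""Toy RSA key wrapping versus a hard-coded symmetric password.
Added illustration, not FileCoder's, ESET's or SanDisk's code.
Textbook RSA without padding and a toy XOR stream: never use for real data."""
import hashlib
import math


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Build ((n, e), (n, d)) from two small primes.  Real keys use a
    1024-bit or larger modulus; the assumed primes here give 12 bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def wrap(public_key, secret: int) -> int:
    """What ransomware does on the device: encrypt a per-device secret
    under the public key shipped inside the binary."""
    n, e = public_key
    if not 0 <= secret < n:
        raise ValueError("secret must be smaller than the modulus")
    return pow(secret, e, n)


def unwrap(private_key, wrapped: int) -> int:
    """What only the holder of the private key can do."""
    n, d = private_key
    return pow(wrapped, d, n)


def recover_private_key_by_factoring(public_key):
    """The only route a victim has with just the public key: factor n.
    Trial division finishes at once for the toy modulus and never for
    the 1024-bit modulus FileCoder embeds."""
    n, e = public_key
    for candidate in range(2, math.isqrt(n) + 1):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("no factor found; n is not a product of two primes")


def toy_symmetric(data: bytes, password: bytes) -> bytes:
    """Stand-in for hard-coded-password protection of the kind
    CVE-2019-13466 describes (toy SHA-256 keystream XOR, not SanDisk's
    scheme).  Encrypt and decrypt are the same call, so whoever pulls
    the password out of the binary reads every report."""
    pad = b""
    counter = 0
    while len(pad) < len(data):
        pad += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, pad))


def demo(p: int = 61, q: int = 53, secret: int = 65) -> dict:
    """Wrap a per-device secret (assumed toy values), then try to
    recover it with the private key, with the public key, and by
    factoring."""
    public_key, private_key = make_toy_keypair(p, q)
    wrapped = wrap(public_key, secret)
    # Treating the embedded public key as the decryption key (the
    # misreading that made FileCoder look harmless) does not work.
    with_public = pow(wrapped, public_key[1], public_key[0])
    recovered = recover_private_key_by_factoring(public_key)
    return {
        "modulus_bits": public_key[0].bit_length(),
        "wrapped": wrapped,
        "unwrapped_with_private_key": unwrap(private_key, wrapped),
        "unwrapped_with_public_key": with_public,
        "factoring_recovers_same_key": recovered == private_key,
        "unwrapped_after_factoring": unwrap(recovered, wrapped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    report = b"constructed sample report"
    blob = toy_symmetric(report, b"password-from-binary")
    print("symmetric round trip:", toy_symmetric(blob, b"password-from-binary") == report)
```

The asymmetry is the whole point of the FileCoder correction: an embedded public key lets the malware lock data that only the private-key holder can open, so "hardcoded" does not imply "recoverable". The symmetric stand-in shows the opposite failure: a hard-coded password is equivalent to shipping the decryption key with the product.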
US CISA warns that Prima Systems FlexAir contains multiple critical vulnerabilities
- The advisory, published on July 30th, 2019, warned of multiple critical vulnerabilities in Prima Systems FlexAir, version 2.3.38 and prior. FlexAir is an access control system used to operate elevators, door locks, parking lots, gates, and other systems.
- Discovered by security researcher Gjoko Krstic, the vulnerabilities are remotely exploitable and require only a low skill level. Successful exploitation could allow an attacker to upload malicious files, bypass authentication, recover login credentials, gain full system access, and more.
- CVE-2019-7670, an OS command injection flaw, carries a CVSS score of 10.0 and allows an attacker to execute commands directly on the underlying operating system. Another high-rated flaw, CVE-2019-7669, could allow a remote unauthenticated attacker to 'upload and execute malicious applications within the application's web root with root privileges.' A full vulnerability overview is available in the CISA advisory.
Chrome 76 releases patch for 43 vulnerabilities
- The Chrome 76 stable release of July 30th, 2019 included 43 security fixes, among them five vulnerabilities rated high severity, four rated medium and seven rated low.
- CVE-2019-5850, the highest-rated of the flaws, is a use-after-free in the offline page fetcher.
Flaw in Amcrest IP2M-841B camera allows remote unauthenticated access to audio
- Researcher Jacob Baines identified CVE-2019-3948, a vulnerability in the Amcrest IP2M-841B IP camera that exposes the camera's audio without authentication. An attacker only needs to point a browser or a tool such as VLC at the camera's audio endpoint, and a simple script can save the audio to files; at no point in the process is authentication required.
- Examination of the camera's firmware showed that the device is a rebranded Dahua product. Many other vendors also rebrand Dahua cameras but maintain the devices with their own patches, so it is unclear how many such cameras remain vulnerable.
Researchers believe BlueKeep will soon be actively exploited
- Rapid7 Labs has observed a sharp increase in malicious RDP activity since the disclosure of CVE-2019-0708, commonly referred to as BlueKeep.
- At least one working commercial exploit is already available, and Rapid7 Labs expects attackers to begin abusing BlueKeep soon: the patch was released nearly three months ago, roughly the average time Rapid7 has seen elapse before complex remote code execution vulnerabilities are exploited in the wild. Hosts that cannot be patched immediately should not expose RDP to the internet, and enabling Network Level Authentication (NLA) requires a successful login before the vulnerable pre-authentication code path is reachable.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.