Silobreaker Daily Cyber Digest – 1 May 2019
Magecart skimmer discovered using over fifty payment gateways
- Researcher Willem de Groot discovered a Magecart skimmer that supports 57 payment gateways worldwide, in countries including the US, UK, Australia, Brazil and Germany. The payment card skimmer consists of a polymorphic loader and an exfiltration mechanism that supports those gateways.
- Because it needs no customisation for individual online shops, threat actors can inject the skimmer into almost any checkout page, on any website, and begin scraping card data immediately.
- The skimmer has already been injected into dozens of Magento-powered e-commerce sites, including Puma Australia, one of the latest compromised shops de Groot identified. The loader that fetches the skimmer is obfuscated and designed to look like a Google Analytics script.
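A loader that is styled to look like Google Analytics defeats a casual look at the markup, so one practical check is to ignore what a script looks like and ask only where it loads from. The example below is added here and is not code from the digest or from de Groot's research; the store host `shop.example`, the allowlist and the sample checkout HTML are constructed for illustration.

```python
"""Flag scripts on a checkout page that fall outside an allowlist of hosts.

Added example, not from the digest or from de Groot's research. Every
<script src> must come from an allowlisted host; inline scripts are flagged
if they reference a host outside the allowlist or use decode-and-run
primitives typical of obfuscated loaders. Hosts and HTML are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a hypothetical shop: the first-party origin plus the
# hosts Google Analytics legitimately loads from. A real deployment derives
# this from a review of the page's Content-Security-Policy.
ALLOWED_SCRIPT_HOSTS = {
    "shop.example",
    "www.google-analytics.com",
    "www.googletagmanager.com",
}
DECODE_AND_RUN = re.compile(r"\b(eval|atob|unescape|Function)\s*\(")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def script_host(src, page_host):
    """Host a script src loads from; relative URLs are first-party."""
    netloc = urlparse(src).netloc
    return netloc.lower().split(":")[0] if netloc else page_host


def find_suspect_scripts(html, page_host, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host not in allowed:
            findings.append(("external-host", host))
    for body in collector.inline:
        for host in URL_HOST.findall(body):
            if host.lower() not in allowed:
                findings.append(("inline-host", host.lower()))
        if DECODE_AND_RUN.search(body):
            findings.append(("inline-obfuscation", body.strip()[:40]))
    return findings


# Constructed checkout page: a genuine tag-manager include, a first-party
# script, an injected loader pulled from an unrelated host, and an inline
# blob that names the GA global but decodes and evaluates hidden code.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="/js/checkout.js"></script>
<script src="https://analytics-stats.example/ga.js"></script>
<script>
  var _gaq = _gaq || []; eval(atob("Ly8gcGxhY2Vob2xkZXI="));
</script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for finding in find_suspect_scripts(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(finding)
```

Run against the constructed page this reports the third-party loader host and the inline decode-and-run blob, and nothing for the allowlisted scripts. A Content-Security-Policy with a `script-src` allowlist enforces the same rule in the browser, which is where it ultimately belongs.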
Researchers produce analysis of Exobot
- An analysis by researchers at WatchGuard Technologies has concluded that Exobot is a sophisticated piece of malware that makes it difficult for analysis tools to detect and block its traffic.
- It has been designed to adapt to the trends and habits of users in different countries. It is commonly distributed via infected apps on third-party app stores and through phishing scams.
Critical WebLogic flaw exploited to deliver Sodinokibi ransomware and GandCrab
- Following yesterday's reports of exploitation of the critical WebLogic flaw tracked as CVE-2019-2725, attackers have now been observed using the vulnerability to deliver a new ransomware variant dubbed Sodinokibi. The malware attempts to encrypt data in the user's directory and deletes shadow copy backups to make recovery more difficult.
- Roughly eight hours after deploying Sodinokibi, the attackers attempted a second exploitation, this time distributing GandCrab v5.2.
Source (Includes IOCs)
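Deleting shadow copies requires a handful of well-known administrative commands, which makes it one of the more reliable ransomware behaviours to detect in process-creation telemetry. The example below is added here and is not code from the digest or from the Sodinokibi analysis; the digest does not state which command this sample ran, so the rules cover the generic shadow-copy and recovery-tampering techniques rather than a signature for one family. The log records are constructed, in the shape you get after parsing Sysmon Event ID 1 or Windows 4688.

```python
"""Detect shadow-copy and recovery tampering in process-creation records.

Added example, not from the digest or from the Sodinokibi report. The
patterns are generic techniques (vssadmin, wmic, wbadmin, bcdedit,
PowerShell WMI), not the command line of any specific sample. Records are
constructed pipe-delimited lines: time|host|user|image|command line.
"""
import re
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "time host user image command_line")

# Each rule: (name, pattern applied to the full command line, case-insensitive).
SHADOW_COPY_TAMPER_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell-win32-shadowcopy-delete",
     re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
]


def parse_events(lines):
    """Parse constructed records; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        events.append(ProcessEvent(*fields))
    return events


def detect_shadow_copy_tampering(events):
    """Return (rule_name, event) for each event matching a tampering rule."""
    alerts = []
    for ev in events:
        for name, pattern in SHADOW_COPY_TAMPER_RULES:
            if pattern.search(ev.command_line):
                alerts.append((name, ev))
                break  # one alert per event is enough
    return alerts


# Constructed sample: a benign 'list shadows', three tampering commands and
# an unrelated backup agent that must not trigger anything.
SAMPLE_LOG = """\
# constructed sample; not real telemetry
2019-04-30T02:11:04Z|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2019-04-30T02:11:09Z|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-04-30T02:11:10Z|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2019-04-30T02:11:12Z|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2019-04-30T02:15:00Z|WEB01|CORP\\backupsvc|C:\\Program Files\\Backup\\agent.exe|agent.exe --incremental --target E:\\
"""

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG.splitlines())
    for name, ev in detect_shadow_copy_tampering(events):
        print(f"{ev.time} {ev.host} {name}: {ev.command_line}")
```

Three of the five constructed records alert; the read-only `vssadmin list shadows` and the backup agent do not. In production the same rules belong in the EDR or SIEM as a high-severity detection, and a burst of these commands from a web-facing host such as a WebLogic server is worth treating as an incident rather than a single alert.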
Accountants targeted with malware hosted on GitHub
- Starting in October 2018, threat actors ran a malvertising campaign on the Russian Yandex[.]Direct advertising network that targeted Russian organisations. The malicious payloads, camouflaged as document templates, were hosted on GitHub. The malware was designed to encrypt victims' data and steal cryptocurrency.
- Victims were lured to malvertising landing pages after they searched for phrases such as ‘download invoice template,’ ‘claim complaint example,’ or ‘examples of legal contracts’, which indicates that corporate entities were targeted.
- Two GitHub repositories were used to host six malware payloads signed with multiple code-signing certificates. Malware distributed in this campaign includes the Buhtrap banking trojan, the RTM banking trojan and the ClipBanker trojan.
DDoS attacks target dark web crime markets
- For the last three months multiple DDoS attacks have targeted users and operators of crime-focused dark web marketplaces, including Dream Market, Empire Market and Nightmare Market.
- Dream Market reportedly announced plans last month to shut down after sustaining a wave of DDoS attacks that lasted over seven weeks. Empire Market has also been hit by intermittent DDoS attacks for nearly a month.
Phishing campaign masquerades as FBI director
- BleepingComputer has reported on phishing emails pretending to be from 'FBI Director Christopher Wray', claiming to be assisting with the transfer of millions of dollars and asking the victim to contact a special agent via email. The email is badly written; BleepingComputer notes that the campaign is not new and appears to have been recently restarted.
Muhstik Botnet exploits vulnerabilities in ongoing campaign
- Unit 42 discovered a variant of the Linux-based Muhstik botnet that exploits CVE-2019-2725, a vulnerability in Oracle WebLogic Server. Although Oracle released an emergency patch, the vulnerability is still being exploited against systems that have not yet applied it.
- The payload dropped appears to be a PHP webshell, which can be leveraged to deploy resources to conduct cryptomining and DDoS attacks.
Source (Contains IOCs)
Unit 42 publishes OilRig analysis
- Unit 42 has published an analysis on OilRig, and in particular, a recent data dump that contained tools, backdoors and webshells used by the group. Researchers were unable to validate the origins of this dump, but it may have originated from a whistleblower or a third party that extracted the data.
- They concluded that the OilRig threat group appears to have a global reach, even though it is assumed to operate primarily in the Middle East, and that organisations, regardless of region or industry, should maintain situational awareness of adversaries and be prepared to defend against them.
Source (Contains IOCs)
Leaks and Breaches
Citycomp suffers data breach
- The hackers behind the breach claim to possess 312,570 files, 51,025 folders and over 516GB of data, including financial and private information on all of Citycomp's clients. Those clients include Toshiba, British Telecom, Hugo Boss, Oracle, Airbus, Volkswagen and Porsche.
- A ransom has been demanded, and the hackers have threatened to release the data dump to increase pressure on Citycomp, which has not yet given in to the demand.
Sophos UTM update fixes three flaws
- The network security platform has received an update fixing three flaws: two in bundled open-source software (OpenSSH and Apache HTTP Server) and one in a Sophos component used for inbound mail processing.
- CVE-2018-15473, rated medium severity, allows user enumeration in OpenSSH. CVE-2018-17199, rated high severity, affects Apache HTTP Server and under certain circumstances prevents session cookies from expiring, allowing a security bypass. The third flaw, in the Sophos UTM mail component, could have enabled a cross-site scripting attack.
Researchers compromise Netflix’s Stranger Things in Widevine DRM hack
- Fidus researchers created a proof-of-concept side-channel attack to download an unencrypted raw file of Stranger Things from Netflix in a format that could be distributed to anyone on the internet. They achieved this through a bug in Widevine, Google's DRM framework used by content creators and streaming services to protect their media.
- The flaw, discovered by David Buchanan, made it possible to 'download a raw file of Stranger Things from Netflix and fully remove the content protection enabled; allowing for illegal distribution of the material'.
60% of codebases used in enterprise contain open-source flaws
- Black Duck by Synopsys published a report analysing anonymised data from over 1,200 commercial codebases audited in 2018. Of the reviewed codebases, 96% contained open-source components, which makes them more likely to contain known vulnerabilities; 60% contained at least one vulnerability.
- Among the most critical flaws found were CVE-2017-15095, a deserialization flaw in FasterXML jackson-databind; CVE-2018-7489, a remote code execution flaw in FasterXML jackson-databind; and CVE-2014-0050, a denial-of-service (DoS) issue in Apache Commons FileUpload affecting Apache Tomcat, JBoss Web and others.
Bloomberg alleges Vodafone discovered backdoors in Huawei equipment
- Bloomberg reported that Vodafone discovered flaws, dating back years, in equipment Huawei built for Vodafone's Italian business. The hidden backdoors could allegedly have given Huawei unauthorised access to the carrier's fixed-line network in Italy, which provides internet service to homes and businesses.
- Vodafone allegedly asked Huawei to remove the backdoors, but further testing revealed that the vulnerabilities remained. Huawei has denied the existence of 'backdoors', rejecting the implication that the vulnerabilities were planted intentionally, and states that the 'technical flaws' in the equipment were fixed.
- Following these allegations, The Register has reported that the flaws were in fact a Telnet-based remote debug interface. On that account Bloomberg was incorrect in stating that the flaws could have given Huawei unauthorised access to the carrier's fixed-line network in Italy; the issue was a LAN-facing diagnostic service that had not been removed after development.
DHS states that federal agencies have 15 days to fix critical flaws
- The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released a binding operational directive requiring federal agencies to patch all critical security flaws within 15 days of their detection. The directive is compulsory.
2020 US presidential candidates vulnerable to email attacks
- According to Agari, some of the 2020 US presidential campaigns are vulnerable to email attacks because they have failed to implement DMARC and advanced email security controls.
- Agari analysed the domains of Republican and Democrat candidates and found that most allow malicious actors to send emails impersonating their campaigns. Many had also failed to deploy advanced email security solutions.
- Without DMARC (Domain-based Message Authentication, Reporting and Conformance), receiving mail servers have no published instruction to reject or quarantine mail that fails authentication, so threat actors can send fake emails to donors, voters and the press in the name of the target candidate.
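Whether a domain is actually protected depends on what its DMARC record says, not merely on whether one exists: `p=none` only asks for reports, and a partial `pct` or `sp=none` leaves gaps. The example below is added here and is not code from the digest or from Agari's report; it evaluates a record the way a receiving mail server reads it. The campaign domains and records are constructed, and a dictionary stands in for the DNS query of `_dmarc.<domain>`.

```python
"""Evaluate DMARC records and report whether spoofed mail would be blocked.

Added example, not from the digest or from Agari's report. DMARC is a TXT
record at _dmarc.<domain> (RFC 7489); this parser applies the defaults a
receiver uses (pct=100, sp inherits p). Domains and records are constructed
and a dict stands in for DNS; real code would query DNS for the TXT record.
"""

# Constructed stand-in for DNS answers to _dmarc.<domain> TXT queries.
CONSTRUCTED_DNS = {
    "_dmarc.campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "_dmarc.campaign-b.example": "v=DMARC1; p=none; rua=mailto:reports@campaign-b.example",
    "_dmarc.campaign-c.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    # campaign-d.example publishes no DMARC record at all
}


def lookup_dmarc(domain, dns=CONSTRUCTED_DNS):
    """Return the DMARC TXT record for a domain, or None if none is published."""
    return dns.get(f"_dmarc.{domain}")


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict; return None if not a valid DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag and a p tag to be present.
    first = record.split(";", 1)[0].replace(" ", "")
    if first.upper() != "V=DMARC1" or "p" not in tags:
        return None
    return tags


def evaluate_dmarc(domain, dns=CONSTRUCTED_DNS):
    """Return a dict saying whether the domain's policy blocks spoofed mail."""
    record = lookup_dmarc(domain, dns)
    if record is None:
        return {"domain": domain, "enforced": False,
                "reason": "no DMARC record: spoofed mail is neither rejected nor reported"}
    tags = parse_dmarc(record)
    if tags is None:
        return {"domain": domain, "enforced": False,
                "reason": "malformed DMARC record: receivers ignore it"}
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        enforced, reason = False, "p=none: failures are only reported, never blocked"
    elif pct < 100:
        enforced, reason = False, f"p={policy} applied to only {pct}% of failing mail"
    elif subdomain_policy == "none":
        enforced, reason = False, f"p={policy} but sp=none leaves subdomains spoofable"
    else:
        enforced, reason = True, f"p={policy} enforced on domain and subdomains"
    return {"domain": domain, "enforced": enforced, "policy": policy,
            "pct": pct, "subdomain_policy": subdomain_policy, "reason": reason}


if __name__ == "__main__":
    for d in ("campaign-a.example", "campaign-b.example",
              "campaign-c.example", "campaign-d.example"):
        result = evaluate_dmarc(d)
        print(f"{d}: enforced={result['enforced']} ({result['reason']})")
```

Only the first constructed domain is actually protected; the `p=none` and `pct=10` records are the common half-measures that still let impersonation through, and the missing record is the case Agari describes. DMARC also depends on SPF and DKIM being set up for the domain's legitimate senders, otherwise an enforcing policy will reject the campaign's own mail.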
Norsk Hydro estimates cyber-attack cost up to $46 million
- Norsk Hydro has estimated that the cyber-attack that hit the aluminium producer on 19 March 2019 caused the company between $41 million and $46 million in losses.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.