Silobreaker Daily Cyber Digest – 10 December 2018
New macOS malware DarthMiner combines EmPyre backdoor and XMRig miner
- Malwarebytes Labs researchers discovered a new macOS malware, dubbed DarthMiner, that is a combination of two open source tools: the EmPyre backdoor and the XMRig cryptominer. The malware is being distributed by a fake version of Adobe Zii, a software used to aid in the piracy of a variety of Adobe applications.
- According to the researchers it is currently difficult to say what other operations, apart from cryptocurrency mining, the malware performs. The researchers state that it is possible it also exfiltrates files and captures passwords.
Source (Includes IOCs)
Threat actors customize and localize credit card stealing malware
- Sucuri researchers have detected two credit card stealing campaigns in which attackers have used localized payment forms to better evade detection.
- In one case, a compromised Bulgarian Magento site had a fake form that included hard-coded labels in Bulgarian. The other case involved a compromised Italian website that contained a fake payment form with Italian captions.
- Although Sucuri did not find any connections between the two campaigns, according to them both cases demonstrate how threat actors are customizing their tools to improve their attacks against specific targets.
Hackers steal financial data to justify sanctions against Russians
- Group-IB reported that pro-government hacker groups around the world are gathering intelligence on offenses committed by Russian individuals in order to justify sanctions against them by other countries.
- The hacker groups reportedly exist within Russia, as well as in China, North Korea, Iran, the US and elsewhere.
Cybercriminals distribute malware on user-generated content sites
- Torrentfreak has reported that scammers are distributing links to malware-laden pirate websites on platforms including Facebook events and Google groups.
My Online Security observed URSNIF malware targeting the UK
- The campaign used fake Lloyds Bank fraud alerts with a PDF attachment, which contained a link to a Google Docs file. The file included a VBScript that downloads the URSNIF malware binary.
Source (Includes IOCs)
Sextortion emails lead to ransomware and info-stealing trojans
- Proofpoint have observed a new sextortion campaign that tricks recipients into installing the AZORult information-stealing trojan which downloads and installs the GandCrab ransomware.
- Instead of asking for Bitcoin, this new campaign prompts the victim to download a compromising video the hackers created of the victim. The downloaded zip file instead contains an executable that will install malware onto the computer.
- In this case, the link delivered the AZORult stealer, which in turn led to infection with GandCrab ransomware; GandCrab demands a payment of $500 in Bitcoin or DASH.
Source (Includes IOCs)
Leaks and Breaches
Redwood Eye Center hit with ransomware
- The California medical clinic notified 16,000 customers that their personal information may have been compromised in a ransomware attack that affected a third-party vendor, IT Lighthouse, that hosts Redwood’s medical records database.
- Redwood Eye Center learned of the attack on September 19th, 2018. The information which may have been affected includes patients’ names, addresses, birthdates, health insurance information and medical treatment information.
Cape Cod Community College suffers data breach
- The community college reported a breach caused by a phishing scheme that resulted in a malware infection on several computers. Banking details belonging to the college were compromised, resulting in the theft of $807,130 of its funds.
Unofficial Linux website hacked and defaced
- An attacker seized control over the unofficial Linux[.]org website, defacing it with explicit images. In one version of the site, the attacker also posted an anti-diversity message and the personal information, including the alleged home address and Social Security number, of a transgender Linux developer.
- According to Motherboard, the reason behind the attacks is the project’s new code of conduct which has sparked controversy amongst some members of the Linux community. Twitter user @kitlol5 has claimed responsibility for the attacks.
Citrix forces users to reset passwords following detection of credential stuffing attempts
- Citrix has forced users to reset their passwords after detecting credential stuffing attacks against ShareFile accounts. According to Citrix’s statement, ‘perpetrators were using credentials obtained from breaches unrelated to ShareFile’.
- The company assured users that the decision is a proactive measure and is not in response to a breach or other cyber incident.
Vulnerability discovered in Rockwell controllers and communications modules
- A potentially serious vulnerability, tracked as CVE-2018-17924, was found in Rockwell Automation MicroLogix controllers and ControlLogix communications modules. The flaw can be exploited to cause denial-of-service (DoS) attacks.
Android hacking tool could create communications channel while smartphone charges
- Oxford University researcher Riccardo Spolaor demonstrated the PowerSnitch attack at the recent London Black Hat conference. The attack involves exploiting vulnerable power banks using a hacking app and a portable decoder device. For data to be exfiltrated via the power bank, the victim must first install the malicious app on their Android phone.
WebKit vulnerability affects the latest versions of Apple Safari
- Researcher Linus Henze has published exploit code for a vulnerability in WebKit, the browser engine behind Safari and other apps on macOS, iOS and Linux.
- The exploit leverages an optimization error with WebKit’s matching of regular expressions, which allows an attacker to execute arbitrary code.
- The vulnerability has been patched in the WebKit sources; however, a fix has not yet been issued for Safari.
Malicious sites abuse an 11-year-old Firefox bug
- Mozilla have reportedly failed to fix the 11-year-old bug, which was reported in April 2007. The bug ‘narrows down to a malicious website embedding an iframe inside their source code’. The iframe then shows an authentication modal on the malicious site.
- This flaw has been leveraged by cyber criminals to lure users onto malicious sites. Despite the vulnerability being reported seven times, it still remains unfixed.
Japan to ban government purchases of Huawei and ZTE products
- Japan will ban the purchases of telecommunications products from China’s Huawei Technologies Co Ltd and ZTE Corp over concerns regarding the leakage of intelligence and cyber attacks.
- Japan’s decision follows the US ban on government purchases of Huawei technology. Other bans regarding Huawei products came from Australia, New Zealand and the UK, which have decided not to use them in upcoming 5G mobile networks.
Researchers analyse recent MuddyWater campaign
- Yoroi-Cybaze Zlab researchers analysed the recent campaign by MuddyWater Group targeting Lebanon and Oman. They provide a technical analysis of the malicious code, the stages of the infection and the malware’s persistence mechanism.
US Department of Justice sentences California man for DDoS attacks
- David Chesley Goodyear was sentenced to 26 months for launching a DDoS attack on the telescope retailer Astronomics and its partner astronomy forum Cloudy Nights.
- The attacks were launched in August 2016 after Goodyear’s account was suspended by the firm.
Australia passes legislation to force tech developers to intercept encrypted communications
- Australia’s parliament passed a law requiring firms to provide the functionality to decrypt communications in order to aid law enforcement investigations.
- Security experts are concerned that the law will result in less secure encrypted devices and messaging apps, due to backdoors.
Leader of cybercriminal gang sentenced to 3 years in prison
- 19-year-old George Duke-Cohan, the ringleader of a cyber-criminal gang dubbed Apophis Squad, has been sentenced to three years in a UK prison and may also face additional charges from US-based law enforcement.
- The gang were responsible for making bomb threats against 1,700 UK and US schools, colleges and universities, and launching DDoS attacks against websites. Cohan was also responsible for falsely reporting the hijack of a plane bound for the US.
NCSC warns about increase in Office 365 attacks
- The National Cyber Security Centre (NCSC) has issued an advisory regarding the rise in incidents involving the compromise of Microsoft Office 365 accounts within the UK.
- According to the advisory, the compromised Office 365 accounts were used in targeted supply chain attacks, however, ‘the ultimate objective of this type of targeting is not clear and the attacks appear not to be limited to any particular sector or attributed to any single threat actor’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.