Silobreaker Daily Cyber Digest – 10 January 2019
Vengeance Justice Worm malware combines multiple threats
- Cofense analyzed a phishing campaign delivering a hybrid worm/Remote Access Trojan dubbed Vengeance Justice Worm (VJW0rm).
Newly discovered ICEPick-3PC malware steals device IPs
- In December 2018, researchers from The Media Trust discovered a new malware, dubbed ICEPick-3PC, that has targeted a range of businesses including publishers, e-commerce, retailers or healthcare organizations.
- The malware is executed once an attacker hijacks a website’s third-party tool that is designed to incorporate interactive web content such as animation through HTML5. It conducts checks on user agent, device type, battery level, device motion and orientation, and referrer.
- ICEPick-3PC is also capable of extracting and collecting device IPs and was observed targeting Android devices.
McAfee researchers publish Ryuk Ransomware analysis
- McAfee’s analysis states that Ryuk and Hermes Ransomware both have generally equal functionalities, and they agree with other researchers that the authors behind it have access to Hermes source code.
- They hypothesise that Ryuk can be attributed to a cybercrime operation developed from a toolkit sold by a Russian-speaking actor. It remains unclear who the attackers are.
Source (Includes IOCs)
Connecticut school district suffers ransomware attack
- The district of Bridgeport was targeted with ransomware through a suspected phishing attempt.
- The school district’s student information system was unaffected by the attack.
DNS hijacking campaign hits organizations worldwide, possibly linked to Iran
- FireEye researchers identified a DNS hijacking campaign targeting dozens of domains belonging to government, telecommunications and internet infrastructure organizations located in the Middle East, North Africa, Europe and North America. Clusters of this activity have been detected from January 2017 to January 2019.
- According to their blog post, the researchers do not currently associate the campaign with any tracked threat actor, however their initial research suggested the perpetrators have connections to Iran.
- FireEye outline three ways they observed DNS records being manipulated to enable the compromise of targets. These include the altering of DNS A Records, DNS NS Records and DNS Redirector.
- The root cause of the attack remains unknown as FireEye continues their investigation.
TA505 spotted distributing new backdoor
- Proofpoint researchers state that from November 2018, TA505 was spotted distributing a new backdoor, dubbed ServHelper, in a new phishing email campaign. This backdoor has two variants, one of which downloads a RAT named FlawedGrace.
- TA505 appears to be targeting restaurants, retail businesses and banks.
Source (Includes IOCs)
Chinese hackers steal $18.5 million from Indian branch of Italian engineering company
- A Chinese hacker group reportedly sent phishing emails that impersonated the CEO Pierroberto Folgiero, to the Indian managers of Tecnimont SpA, asking for funds for an Chinese acquisition.
- The $18.5 million were transferred in three installments over one week in November 2018, from India to Hong Kong banks.
Leaks and Breaches
Amazon India reports data breach
- Amazon India reported that a technical issue resulted in the disclosure of certain sellers’ financial information while other sellers were attempting to download merchant tax reports.
- The leak occurred only a month after Amazon’s Washington headquarters inadvertently leaked users’ names and email addresses.
DX.Exchange leaks login credentials and users’ personal data
- An anonymous trader discovered that the website of DX.Exchange, a platform for trading currencies and digitized versions of stocks, disclosed other users’ sensitive data in responses sent to requests from a users’ browser. This data included authentication tokens and password-links. The trader also found that he was able to permanently backdoor compromised accounts using the site’s API.
- Moreover, some of the leaked tokens were found to belong to employees of the exchange service. This could allow a hacker, in possession of such token, to gain unauthorized access to accounts with administrative privileges and download entire databases, upload malware, or even transfer funds between accounts.
- As of January 9th, 2019, the flaw has been fixed.
Reddit users’ accounts locked or suspended due to unusual activity
- The accounts of some users have been locked or suspended due to unusual activity that may signify unauthorized access.
- According to Bleeping Computer, the suspected cause is a credential stuffing attack. Some users reported that their accounts have been accessed from different countries such as Italy, Brazil, Russia, Bangladesh or Thailand. Other users believe the incident is the result of a widespread hijacking campaign.
- The number of affected users remains undisclosed. Reddit has been contacting those affected, prompting them to reset their passwords.
Tuition email scam targets parents of students attending St Lawrence College
- Parents, whose children attend the College located in Ramsgate, UK, received an email offering them a tuition discount if they sent tuition payments in advance. According to the school’s statement, the funds were ‘to be placed into non-school accounts or cryptocurrency’. Two parents were said to have fallen victim to the attack.
Phone geolocation data allegedly being sold by US telecoms providers
- An investigation by Motherboard found that it was possible to pay a ‘bounty hunter’ several hundred dollars to retrieve live geolocation data of mobile phones. According to Motherboard, this data is being sold by companies that track location data with little oversight. It is sold to ‘location aggregation’ companies by telecoms providers in the US.
- Motherboard’s research highlights the mobile phone geolocation data sales supply chain, and the lack of awareness in how this data is being used by an end user.
DePaul University suffers data leak
- A group email accidently exposed the names and email addresses of 656 employees at the Chicago based DePaul University. This was due to not using the blind copy feature when sending a congratulatory email out to all employees who completed the school wellness program.
Python Network tool Scapy vulnerable to Denial of Service attacks
- Imperva researchers reported that the newest version of the packet manipulation tool Scapy includes a vulnerability that makes it susceptible to DoS attacks. The tool can be tricked into thinking a network packet is a Radius packet.
Google’s knowledge panel feature may be manipulated for propaganda use
- PwC researcher Wietze Beukema discovered that a Google search engine feature could allow malicious parties to replace search results with fake news.
- Google’s Knowledge Graph card feature allows users to see key facts about a particular search query alongside the list of search results. However, users can link cards to any valid Google Search URL, allowing malicious users to make it seem like different pieces of information are related.
Microsoft patches RCE and information disclosure vulnerabilities in Exchange Server
- The first flaw, tracked as CVE-2019-0586, is a remote code execution (RCE) vulnerability that exists due to Microsoft Exchange Server’s improper handling of objects in memory.
- The second flaw, tracked as CVE-2019-0588, is an information disclosure vulnerability caused by the way Exchange Server’s ‘PowerShell API grants calendar contributors more view permissions than intended’.
Google releases first 2019 patches for vulnerabilities in Android
- The security updates address more than two dozen flaws in the Android OS. The most severe flaw patched, tracked as CVE-2018-9583, is a critical remote code execution vulnerability that could be exploited ‘to execute arbitrary code within the context of a privileged process’.
- A high severity flaw, tracked as CVE-2018-9582, in Framework was also patched. The vulnerability affected Android versions 8.0, 8.1 and 9.
- Other major fixed flaws include CVE-2018-11847, a critical bug in Qualcomm or two information disclosure flaws, CVE-2018-13098 and CVE-2018-13099, in Pixel/Nexus devices.
Intel patches five vulnerabilities across its products
- The most important patched flaw is an escalation-of-privilege vulnerability tracked as CVE-2018-12177, in Intel’s PROset/Wireless Wi-Fi software.
- Another high-severity flaw that was patched is tracked as CVE-2019-0088 and is the result of insufficient path checking in the System Support Utility for Windows.
- Other key flaws addressed in the update include an improper file verification, tracked as CVE-2018-18098, in the install routine for SGX SDK, or an information disclosure bug, CVE-2018-12155, in the cryptographic libraries of SGX’s Integrated Performance Primitives.
Vulnerabilities discovered in Apple OSX kernel extension
- Tracked as CVE-2018-4456 and CVE-2018-4421, the IntelHD5000 kernel extension used in Apple OSX 10.13 suffers from these two use-after-free memory corruption issues.
- A patch for the vulnerabilities was released in December 2018.
Vulnerabilities discovered in Linux component
- The three vulnerabilities have been discovered in systemd, a major component of Linux, used in most Linux distributions. The first two, tracked as CVE-2018-16864 and CVE-2018-16865, are memory corruption flaws, whilst CVE-2018-16866 is an out-of-bounds error that could leak data.
- As a result of coordinated disclosure, the fixes for these vulnerabilities should appear in repositories soon.
Critical vulnerability discovered in Cisco’s Email Security Appliance Tool
- CVE-2018-15453, which is now patched, is a vulnerability in Cisco AsyncOS, allowing an attacker to send a malicious email to a targeted device, resulting in a permanent denial-of-service (DoS) condition. Upon restarting, the software would attempt to resume processing the email, resulting in the DoS condition once again.
- 17 other fixes were issued as part of the patch distributed by Cisco.
Russian Kaspersky Labs reportedly helped in arrest of NSA contractor accused of data theft
- Journalist Kim Zetter reported that Russian cybersecurity firm Kaspersky Labs has significantly contributed to the arrest of a former US National Security Agency (NSA) contractor, Harold T. Martin III, charged with the theft of classified data.
- According to Zetter this revelation is an ‘ironic turn’, as the company has previously been accused of colluding with Russian intelligence to steal and expose classified NSA tools, and its products were banned in the US last year over security concerns.
Imperva releases report on web application vulnerabilities
- The report focuses on the increase in flaws affecting web applications in the past year, particularly those related to injection, such as SQL injection, command injection or object injection.
- Imperva also found that the amount of WordPress-related vulnerabilities has tripled in 2018 compared to the previous year. The number of flaws related to WordPress reached 542 in the last year and 98% of these flaws involved WordPress plugins.
Neiman Marcus settles for $1.5 million in 2013 data breach lawsuit
- The Point-of-Sale (PoS) breach occurred in 2013, affecting roughly 370,000 payment cards that were used in 77 of Neiman Marcus’ department stores.
Hyatt Hotels launch public bug bounty program on HackerOne
- The program will reward researchers for reporting vulnerabilities on three Hyatt Hotels websites and their mobile applications for Android and iOS.
Investigative report on SingHealth cyber attack reveals employee security lapses
- A committee report investigating the attack, which occurred between June 27th and July 4th 2018, found that system flaws and network designers’ and operators’ lack of regular security checks had led to the breach, that was preventable.
- A threat actor group accessed SingHealth’s system and its Sunrise Clinical Manager medical record database, stealing 1.5 million current patients’ data, as well as 160,000 outpatients’ medication records.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.