Silobreaker Daily Cyber Digest – 10 June 2019
Palo Alto’s Unit 42 report details new Mirai variant
- Unit 42 researchers have discovered a new variant of Mirai with 8 new exploits, including the Oracle WebLogic Server RCE flaw tracked as CVE-2019-2725. Newly targeted devices include wireless presentation systems, set-top boxes, SD-WANs and smart home controllers.
- In addition, the researchers found that the new variant uses an encryption key based on the standard encryption scheme from the original Mirai source code. The variant also brute-forces several default credentials that Palo Alto had not previously seen in campaigns, although all of them are publicly available online.
Source (Includes IOCs)
ICEFOG APT malware resurrected for use in new series of attacks
- ICEFOG was initially used by a Chinese APT group, also named ICEFOG; however, following a Kaspersky report in September 2013, sightings of the malware tailed off.
- FireEye researcher Chi-En Shen observed ICEFOG-P and ICEFOG-M, two new and upgraded variants of the old malware, being used in attacks in Europe, Russia, multiple former Soviet states, Turkey, India, the Philippines and elsewhere. ICEFOG-P was spotted in attacks starting in 2014 and ICEFOG-M in 2018.
- Shen stated that since 2013 ICEFOG variants appear to be used by many different Chinese APTs including APT15 and possibly APT9, among others. The malware has been primarily used for political espionage and intelligence gathering, but has also been used to target critical infrastructure and the financial sector.
Source (Includes IOCs)
Spam campaign uses Office exploit to target unpatched machines
- Microsoft warned on June 7th, 2019, that a new malware campaign is using emails to distribute malicious RTF files that allow attackers to automatically run malicious code when the document is opened. When the attachment is opened it runs multiple scripts, such as VBScript, PowerShell, PHP and more, in order to download the payload. The campaign targets European users, as the emails are sent in a variety of European languages.
- The campaign exploits the Microsoft Office vulnerability CVE-2017-11882, which allows an attacker to create RTF and Word documents that execute commands once opened, without requiring further user interaction.
- Microsoft patched CVE-2017-11882 in 2017, but stated that it has seen an uptick in attacks against unpatched machines over the past few weeks.
Scammers infiltrate Google’s ad network to run tech support scams
- Scammers have infiltrated Google’s ad network to redirect users to tech support scams when they click on results for popular search terms such as Lowe's, Best Buy and PayPal.
- When users click on the link they are brought to a site that redirects them either to the genuine site or to the tech support scam, depending on unknown conditions.
- Firefox users are affected more severely, as the browser freezes on the scam site and the process must be killed to close it.
Korean-targeted spam campaign could affect site administrators globally
- In a blog post, security researcher Denis Sinegubko discusses how a spam campaign specifically targeting Korean victims could cause issues for site administrators in other countries.
- As part of their campaign, the hackers compromise and infect vulnerable websites, whilst also polluting search results from sites that have not been hacked. WordPress sites appear to be particularly affected.
- Similarities with the Japanese replica spam campaign, which has been active since 2015, were also found, including evidence that the hackers attempted to verify themselves as site owners of the hacked sites.
CIA extortion scam incorporates new tactics
- Kaspersky reported that the new scam emails pose as correspondence from a CIA officer who has found the recipient’s details in Case #45361978, relating to the possession and distribution of child pornography.
- The scam suggests that the recipient is involved in a recent investigation, and that the CIA is in possession of the victim’s name, phone number, email, and home and work addresses. It then seeks to pressure the victim into transferring $10,000 in Bitcoin to a specific address in exchange for the CIA employee amending the case and removing the person’s details from it.
Solicitors Regulation Authority issues four email scam alerts
- The Solicitors Regulation Authority (SRA) issued four email scam alerts on June 6th, 2019 regarding emails sent out pretending to be from a law firm or an individual working for the business.
- Three of the four scams attempted to target employees at Glaisyers LLP, Kingsley Napley LLP, and CMS Cameron McKenna Nabarro Olswang LLP, whilst two targeted members of the public, asking for payment of deposit funds.
Windstream email service compromise continues to send malicious emails
- Following the discovery of Windstream’s compromise on June 7th, 2019, researchers at My Online Security found that the recently hacked Orion Keylogger appears to be used in the malspam campaign. The email service remains compromised.
Source (Includes IOCs)
Leaks and Breaches
European mobile traffic misdirected through China Telecom for more than two hours
- The incident occurred on June 6th, 2019, when Swiss-based company Safe Host improperly updated its routers, causing a BGP route leak. Instead of dropping the leaked routes, as BGP filtering practice dictates, China Telecom re-announced them, causing large networks that peer with China Telecom to follow them. As a result, more than 70,000 internet routes and 368 million IP addresses were misdirected through the Chinese government-controlled company.
- At present it is unclear whether the mishap was accidental or perpetrated intentionally by hackers. Affected networks include Switzerland-based Swisscom’s AS3303, Netherlands-based telecom KPN’s AS1136, France-based Bouygues Telecom’s AS1130 and France-based Numericable-SFR’s AS21502.
North Carolina’s voting machines’ passwords leaked online
- Researcher Chris Vickery discovered an insecure, publicly accessible AWS S3 bucket belonging to the North Carolina State Board of Elections, that exposed election-related administrative passwords.
- Further investigation revealed another publicly exposed Board of Elections document that cited several of the same passwords alongside information on how to use the leaked passwords to test, clear and reset the ES&S iVotronic touchscreen voting machine.
Gaming site Emuparadise suffered data breach
- The breach happened in April 2018 and resulted in the exposure of the account information of approximately 1.1 million Emuparadise forum members.
- According to haveibeenpwned.com, they received a database from DeHashed[.]com on June 9th, 2019, that consisted of 1,131,229 accounts from an alleged hack of the Emuparadise vBulletin forums in April 2018.
- Account information exposed in this database included email addresses, IP addresses, passwords stored as salted MD5 hashes, and usernames. Hackers have been selling and trading an Emuparadise database since January 2019, and possibly earlier.
Criminals in Pakistan steal passengers’ data to evade taxes on mobile devices
- According to the Express Tribune, the international travel information and passport numbers of thousands of passengers were stolen by criminals seeking to evade taxes imposed on mobile devices by the Pakistani government.
- 20,000 complaints have allegedly been filed concerning the illegal registration of mobile phones through the Device Identification Registration and Blocking System (DIRBS). The victims allege that criminals are using their passport numbers and travel data to illegally register devices, denying them their right to register a duty- and tax-free mobile device through DIRBS.
Tech Data Corporation exposes client and employee data
- Researchers at vpnMentor discovered an exposed database containing 264GB of personal data belonging to Tech Data Corporation on June 2nd, 2019. The leaked information has since been secured.
- The database leak affected corporate and personal data of clients and employees, including private API keys, bank information, payment details, usernames and unencrypted passwords, and full personally identifiable information.
Prince Harry and Meghan’s private wedding photos leaked online
- An internal investigation is ongoing following the leak of private pictures from Prince Harry and Meghan’s wedding on social media websites. The hack is believed to have taken place in September 2018, with the pictures first leaked in June 2019. It is unclear who is behind the leak.
Company fined over data breach affecting Singaporean national servicemen
- Option Gift was fined $4,000 after it was disclosed that the data of 427 national servicemen from the Singapore Armed Forces and Home Team had been compromised.
- The exposed data included their logins, email addresses, delivery addresses, and mobile phone numbers. The servicemen used an online portal maintained by Option Gift. A technical error resulted in the servicemen receiving emails addressed to other users of the portal.
New Windows 10 zero-day bug discovered resulting from bypassing patched flaw
- Exploit code is available for a new zero-day flaw in Windows 10 that could allow attackers to elevate the privileges of a normal user to administrator, with the ability to install programs and view, change or delete data. The flaw is the second bypass of protections created by Microsoft to mitigate a local privilege escalation bug tracked as CVE-2019-0841.
- The zero-day can be triggered from a normal user account by deleting files and folders that its limited privileges permit it to delete. Launching Microsoft Edge then crashes the application and causes it to write the discretionary access control list while impersonating the SYSTEM account.
- The proof of concept works on Windows 10 versions 1809 and 1903, running the latest security updates.
Google’s June 2019 security patch addresses flaws in Android OS and Pixel devices
- The Android Security Bulletin includes patches for three critical flaws, including CVE-2019-2093, CVE-2019-2094 and CVE-2019-2095, in the Media framework and one critical flaw, CVE-2019-2097, in System. Other critical vulnerabilities were patched in Qualcomm components and closed-source components. In total, 22 flaws were patched in Android.
- The most severe is a critical flaw in Media framework that could enable a remote attacker using a specially crafted document to execute arbitrary code within the context of a privileged process.
- The Pixel Security Bulletin addresses functionality issues in Pixel 2, Pixel 2XL, Pixel 3 and Pixel 3XL.
Flaws in Hardware Security Modules (HSMs) impact banks, cloud providers and governments
- Researchers at Ledger disclosed several vulnerabilities in the HSM of a major vendor. The flaws allow a remote unauthenticated attacker to take full control of the HSM, permitting the retrieval of all HSM secrets remotely, including cryptographic keys and administrator credentials. The researchers could also exploit a cryptographic flaw in the firmware signature verification to upload a modified firmware to the HSM.
- HSMs are hardware-isolated devices that use advanced cryptography to store, manipulate, and work with sensitive information. They are commonly used by financial institutions, government agencies, data centres, cloud providers and telecoms operators. The unnamed vendor published firmware updates that address these flaws.
Lab21’s LS Web Design prone to SQL injection
- Cyberizm researcher KingSkrupellos discovered an SQL injection vulnerability in Greece-based Lab21’s LS Web Design. The vulnerability exists because user-supplied data is not sanitised before it is used in an SQL query.
ATM operator Diebold Nixdorf warns of RCE bug in older ATMs
- Security researcher group NightSt0rm found that older Opteva ATM terminals featured an externally facing OS service that could be abused to plant reverse shells on exposed systems and take over the devices.
- Diebold Nixdorf confirmed that the service only runs on older versions of the Opteva version 4.x software. Moreover, the company stated that the vulnerability could only be exploited if the ATM owners disabled the firewall.
Six flaws in Amcrest HDSeries model IPM-721S cameras disclosed
- The most serious flaws include CVE-2017-8229, which could allow an unauthenticated user to download admin credentials of the camera in order to control the device, and CVE-2017-13719, an unauthenticated memory corruption bug.
- In order to exploit these flaws, an attacker would first need to use Shodan to identify vulnerable Amcrest model IPM-721S cameras. For the admin credential-stealing flaw, an attacker could then put the IP address of the camera in a common URL string to access a configuration file. For the memory corruption flaw, an attacker could send a specially crafted HTTP request to trigger a memory corruption issue in the camera’s API.
- Other flaws include CVE-2017-8226, a default account bug, and CVE-2017-8230, which allows low-privileged accounts to add an admin user. CVE-2017-8227 is an account lock-out failure that allows an attacker to brute force the web admin password via the ONVIF specification. Lastly, CVE-2017-8228 allows a user to add a new camera to the user’s account by taking advantage of the Amcrest cloud services.
Trend Micro confirms Oracle WebLogic Server vulnerability exploited to install cryptocurrency miners
- Researchers at Trend Micro confirmed that the vulnerability in the Oracle WebLogic Server, tracked as CVE-2019-2725, is being exploited to install cryptocurrency miners. A patch for the vulnerability was released in April 2019.
- The researchers also found that the malware hides its malicious code in certificate files as a way to avoid detection. However, after the PS command from the decoded certificate file executes, non-hidden malicious files are downloaded via the certificate file format, suggesting the effectiveness of the obfuscation method is still being tested.
Source (Includes IOCs)
Cybercriminals run extortion scam where they threaten to destroy website reputation
- Cybercriminals are using website contact forms to send messages to site owners with the subject line “Abuse and lifetime blocking of the site – example[.]com. My requirements”.
- The extortionists threaten to send millions of emails from the target’s domain, send abusive messages from the target’s domain, and leave negative site reviews, all with the aim of ruining the site’s reputation and getting it blacklisted for spam.
- The attacker demands a payment of 0.3 bitcoin (approx. $2,500) in order to prevent the attack.
Russia threatens to ban 9 VPN providers unless they connect to Russian State Information System
- On March 28th, 2019, Roskomnadzor, Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, ordered VPN providers to connect to the Russian State Information System (FGIS) and restrict access to internet resources that are prohibited in Russia.
- Head of Roskomnadzor, Alexander Zharov, stated that repercussions from non-compliance could occur within a month. Moreover, Zharov stated that if VPN providers fail to comply they will end up being subject to the FGIS which will block access to their sites.
- Out of the 10 VPN providers contacted, only Kaspersky Secure Connection connected to the registry. Other providers, such as TorGuard, stated that they would not comply with the letter, that they had taken steps to remove their servers from Russia, and that they will not conduct business with data centers in the region.
Court releases indictment against alleged Darkode hacking forum members
- 26-year-old Thomas McCormick from Washington State, 32-year-old Matjaz Skorjanc from Slovenia, 40-year-old Florencio Carro Ruiz from Spain, and 35-year-old Mentor Leniqi from Slovenia have been charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud for reportedly distributing malware on the now shut down hacking forum Darkode.
- Officials have stated that the group was responsible for $4.5 million in victims’ losses between September 2008 and December 5th, 2013.
Researchers develop method for ‘hackproofing’ smart meters
- University of British Columbia researchers developed an automated program that improves the security of smart meters. First, the program creates a virtual model of the smart meter and shows how attacks could be carried out against it. Next, the smart meter’s code is analysed in search of any vulnerabilities that could be exploited.
Polish cryptocurrency exchange Coinroom shuts down, stealing customers’ funds
- The cryptocurrency exchange shut down, taking multiple customer accounts worth up to $15,000 with it. The total amount of stolen funds is unknown and there is currently no way to contact the exchange’s founders.
- Coinroom announced its closure in early April and customers were given exactly one day to withdraw their funds, which required directly contacting the exchange administrators.
German Interior Ministry’s draft law would allow intelligence agencies to hack encrypted devices
- The draft law features provisions which would grant German domestic and foreign intelligence agencies permission to access servers, computers and smartphones. Moreover, authorities could intercept encrypted traffic to and from publishing companies, journalists, and radio and television broadcasters.
- Reporters without Borders stated that the new law had the potential to damage press freedom domestically and internationally.
South African politician Ace Magashule claims his Twitter was hacked
- Magashule claims his Twitter account was hacked after a tweet was sent from his account that ‘directly contradicted a statement freshly issued by [South African president] Ramaphosa’. The statement referred to the ongoing debate over the independence of the South African Reserve Bank.
Spain extradites 94 Taiwanese people to China on charges of phone scamming
- The extraditions resulted from a 2016 investigation into scam operations in Spain that targeted victims in China. The amount involved in the scams totals 120 million yuan, the equivalent of approximately $17 million.
- Spain has extradited 225 suspects to date for involvement in scams, 218 of whom were Taiwanese nationals.
Fort Worth employees file whistleblower charges against the city
- William Birchett, former IT manager of Fort Worth, Texas, and his former co-worker Ronald Burke have filed whistleblower charges against the city. The two men claim to have been fired for informing officials of concerns regarding the city’s state of cybersecurity following a phishing scam that affected the city in October 2017.
WordPress XML-RPC can be used to discover IP address of servers behind a reverse proxy
- In a blog post, security researcher Ziyahan Albeniz explains how the WordPress XML-RPC (XML Remote Procedure Call) protocol can be used to discover the real IP addresses of servers behind a reverse proxy by using the WordPress feature called ‘pingback’.
- XML-RPC was developed to allow different platforms to conduct data transfer, yet it has also been abused by hackers to send arbitrary XML data that forces websites to execute certain code or exfiltrate data.
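One mitigation for the pingback-based origin disclosure described above, as an added example that is not from the digest or from WordPress core: a must-use plugin that removes the pingback methods from XML-RPC and drops the X-Pingback header, so the site never makes the outbound pingback verification request that would expose its origin IP to a host the caller controls. The file path, and the choice to keep the rest of XML-RPC enabled, are assumptions.

```php
<?php
/*
 * Plugin Name: Disable WordPress pingbacks (added example, not WP core)
 * Assumption: this file lives in wp-content/mu-plugins/ so it loads on
 * every request. The filter names used below are WordPress core filters.
 */

// pingback.ping makes the server fetch the caller-supplied source URL to
// verify the link; that fetch comes from the origin, not the proxy.
// Removing the method from the XML-RPC method table makes such calls
// return a "method does not exist" fault instead of triggering a fetch.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the XML-RPC endpoint on every response.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// If no client (e.g. the mobile app or Jetpack) needs XML-RPC at all,
// disabling the whole API is the simpler choice:
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Whichever option is used, the reverse proxy should also be the only host allowed to reach the origin's web ports, since pingback is just one of several ways an origin can be induced to make an outbound connection.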
New study shows hackers could steal passwords by listening to users typing them
- Using a machine-learning algorithm, researchers at the University of Cambridge, England and Linköping University, Sweden successfully guessed 31 out of 50 four-digit login-screen PIN codes that participants had typed.
- During the study, the researchers fed audio recordings of participants typing passwords into the machine-learning algorithm that was built to pinpoint each vibration to a certain point on the device’s screen.
- The researchers believe hackers would find such an approach too challenging at present, however, they did not exclude the possibility of such attacks being used in the future.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.