Silobreaker Daily Cyber Digest – 10 May 2019
New KPOT version silently steals account information and more
- Proofpoint researchers observed new samples of KPOT malware, tracked as v2.0, being distributed via spam emails that lure users into opening malicious attachments.
- KPOT is a stealer that focuses on exfiltrating account information and other data from various software applications and services. For example, it is capable of stealing cookies, passwords and autofill data from browsers, or account details for Skype, Telegram, Discord, Steam, Jabber, and more.
- The researchers warned that KPOT v2.0 is being sold online and can be used by those with little technical experience. Client desktops running applications such as web browsers, instant messengers, email, VPN, RDP, FTP, and more, are particularly at risk.
Source (Includes IOCs)
FBI and DHS discover new ELECTRICFISH malware used by Lazarus Group
- The FBI and the US Department of Homeland Security released a report detailing a new malware strain dubbed ELECTRICFISH, used by the Lazarus Group to exfiltrate data from victims.
- According to the report, ELECTRICFISH ‘implements a custom protocol that allows traffic to be funnelled between a source and a destination IP address.’ Furthermore, the malware ‘continuously attempts to reach out to the source and the destination’, permitting either side to initiate a funnelling session.
- ELECTRICFISH can also be ‘configured with a proxy server/port and proxy username and password’, permitting ‘connectivity to a system sitting inside of a proxy server’, which allows the threat actors to ‘bypass the compromised system’s required authentication to reach outside of the network.’
Source (Includes IOCs)
Fake Pirate Chick VPN delivers AZORult Infostealer
- According to BleepingComputer, adware bundles and fake Adobe Flash Players have been installing fake VPN software called Pirate Chick that downloads and installs malicious payloads such as the AZORult information-stealing trojan.
- Pirate Chick pretends to be legitimate VPN software but instead downloads the trojan in the background. The program also checks the victim’s IP address and will skip the malicious payload if the user is located in Russia, Belarus, Ukraine or Kazakhstan. It will also skip the malicious payload if the user is running under VMware, VirtualBox, or Hyper-V.
Fake KeePass password manager websites distribute malware
- According to BleepingComputer, fake websites promoting the popular KeePass password management software are actually infecting visitors with malware.
- The websites were observed delivering adware bundles once users clicked to install KeePass. In one case, a researcher observed the adware collecting information on the user’s computer hardware, location, whether the user is using a VPN, their admin rights, and more.
Jokeroo ransomware-as-a-service performs exit scam
- Jokeroo RaaS Tor sites began displaying a notice that claims their server was seized by the Royal Thai Police in cooperation with the Dutch national police and Europol. According to BleepingComputer, the notice is fake and Jokeroo’s operators are in fact performing an exit scam.
- Following an investigation of the notice, BleepingComputer contacted the law enforcement agencies, with Europol stating it has not been involved in the case. The other two agencies have not yet responded.
Unit 42 finds increase in attacks by SilverTerrier Nigerian cybercriminals in 2018
- Palo Alto Networks’ Unit 42 has been monitoring the evolution of business email compromise (BEC) in Nigeria, particularly focusing on activities by a threat group tracked as SilverTerrier. They found that over the past year the number of SilverTerrier actors surpassed 400, with over 51,000 malware samples and 1.1 million attacks attributed to them in the last four years.
- In 2018, SilverTerrier focused their attacks on high-tech firms, wholesalers, manufacturing firms, the education sector, and professional and legal services. The actors commonly used information-stealing malware, but also focused more of their attention on Remote Administration Tools towards the end of 2018.
- Unit 42’s new report provides an overview of BEC trends in Nigeria, including a list of commonly used malware, Remote Administration Tools, targeted industries and common delivery applications.
Source (Includes IOCs)
Fxmsp hackers sell data stolen from 3 US antivirus companies
- AdvIntel researchers discovered that a Russian- and English-speaking hacker collective known as Fxmsp is selling data stolen from three US-based antivirus software vendors.
- The stolen data includes code for antivirus agents, analytic code and security plugins for web browsers. Fxmsp are attempting to sell the stolen code and network access for $300,000.
- According to the researchers, this hacker collective is known for its previous attacks on global companies and government organisations.
Rocke and Pacha cryptomining groups compete over unsecured Linux servers
- Intezer researchers discovered that two rival cryptomining groups, Rocke Group and Pacha Group, are competing over unsecured Linux cloud-based environments to infect them with malware and use their server resources to mine cryptocurrency.
- Intezer’s investigation revealed that both Pacha Group’s and Rocke Group’s malware is attempting to detect and mitigate implants belonging to the other group. Their clash is believed to have been active since 2018.
Source (Includes IOCs)
Leaks and Breaches
Exposed database containing PII of Indian citizens is hijacked by threat group
- Following reports yesterday of the exposure of 275 million records belonging to Indian citizens via an unprotected MongoDB database, it has been reported that a hacker group has removed the exposed data and replaced it with a ransom note.
- The database was discovered by Bob Diachenko, who alerted Indian CERT. However, the database remained open until May 8th 2019, when the Unistellar hacking group replaced the contents with a message that contained an email address for the database owner to contact the hacker group to ‘negotiate the return of data.’
Augustana College hit by ransomware attack
- Augustana College has released a notification that one of their servers has been hit by ransomware. The attack was initially discovered in February 2019 and an internal investigation confirmed the attack in March 2019.
- It is unclear what information was accessed or what strain of ransomware was used in the attack, but Augustana College has confirmed that the affected server contained personal information.
Samsung’s development lab leaks source code and secret keys for internal projects
- Researcher Mossab Hussein discovered that a development lab used by Samsung engineers was leaking code, credentials and secret keys for several Samsung apps, services and projects, including Samsung’s SmartThings and Bixby services.
- The projects were left on a GitLab instance hosted on a Samsung-owned domain, on which the projects were set to ‘public’ and lacked password protection. Moreover, in one of the leaked files, Hussein discovered private GitLab tokens in plain text which allowed him to access a further 135 projects, one of which contained more than 100 S3 storage buckets, complete with logs and analytics data.
- Following the discovery, Samsung revoked all keys and certificates for the testing platform.
Spectrum Health Lakeland patients notified about data breach
- Spectrum Health Lakeland has allegedly been notifying patients of a data breach involving their billing provider, OS Inc. The breach reportedly took place between October and December 2018, after an employee’s account was accessed without authorisation.
- Information contained in the account includes names, addresses, type of health service provided, dates, diagnosis information and health insurance providers. The number of patients affected is not clear; however, breach notifications have been sent to approximately 1,000 potential victims.
California-based medical centre falls victim to phishing attack
- The St. Vincent Medical Centre, part of Verity Health System, suffered a phishing attack after a hospital pathologist’s email account was compromised on March 15th, 2019.
- A review of the emails showed that patient names, addresses, phone numbers, Social Security numbers, and more, were accessible. It is unconfirmed whether any of this information was accessed or copied by the attacker.
- This attack is the latest in a series of successful phishing attacks targeting Verity Health System in the past few months.
Patches released for flaws in Drupal and TYPO3 CMSs related to Phar archives
- The Phar archive package format allows users to place all the files of a PHP application inside a single archive. Researcher Sam Thomas discovered last year that the PHP archive can be abused for insecure deserialization and arbitrary code execution by disguising malicious Phar files as text or images.
- Identified as CVE-2019-11831, the flaw was addressed by TYPO3 developers; however, researchers have now discovered that the Phar stream wrapper interceptor, which was introduced to deal with the issue, can be bypassed. The issue has now been successfully addressed.
- One of the bypass methods was also found to impact Drupal, which also uses the TYPO3 interceptor. Drupal have also released a patch.
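The item above turns on one property of the Phar format: PHP locates a Phar's manifest by searching for the stub token `__HALT_COMPILER();`, so a file that opens with image or text bytes can still be loaded as an archive. The following is an added defender-side example, not code from the page, from TYPO3 or from Drupal: an upload inspector that checks declared type against magic bytes and refuses any upload carrying the Phar stub token, whatever its extension claims. The MIME table, the `inspect_upload` function and the sample byte strings are all constructed for this example.

```python
from dataclasses import dataclass

# Every valid Phar archive carries a stub that ends in this token; PHP searches the
# file for it, which is why a GIF- or text-prefixed polyglot still loads via phar://.
PHAR_STUB_TOKEN = b"__HALT_COMPILER();"

# Magic bytes for the content types an image upload form would normally accept
# (constructed table for this example; extend to the types your form allows).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


@dataclass
class UploadVerdict:
    declared_type: str
    magic_ok: bool     # leading bytes match the declared type
    phar_stub: bool    # Phar stub token present anywhere in the content
    accept: bool
    reason: str


def inspect_upload(declared_type: str, data: bytes) -> UploadVerdict:
    """Accept only uploads whose bytes match the declared type and that contain no
    Phar stub. The stub check runs over the whole body, not just the header, because
    a polyglot deliberately passes the header check."""
    prefixes = MAGIC.get(declared_type, ())
    magic_ok = any(data.startswith(p) for p in prefixes)
    phar_stub = PHAR_STUB_TOKEN in data
    if phar_stub:
        return UploadVerdict(declared_type, magic_ok, True, False,
                             "Phar stub token found inside a non-Phar upload")
    if not magic_ok:
        return UploadVerdict(declared_type, False, False, False,
                             "content does not match declared type")
    return UploadVerdict(declared_type, True, False, True, "ok")


# Constructed sample inputs (not from the page): a plain GIF header followed by
# padding, and the same header followed by a PHP stub ending in the Phar token.
BENIGN_GIF = b"GIF89a" + b"\x00" * 32
POLYGLOT_GIF = (b"GIF89a" + b"\x00" * 8
                + b"<?php " + PHAR_STUB_TOKEN + b" ?>\r\n" + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_GIF), ("polyglot", POLYGLOT_GIF)):
        v = inspect_upload("image/gif", blob)
        print(f"{name}: accept={v.accept} magic_ok={v.magic_ok} "
              f"phar_stub={v.phar_stub} ({v.reason})")
```

Both sample files pass the header check; only the token scan separates them. Rejecting the upload is the robust end of the control, since the page's own point is that the path-based `phar://` interceptor shipped as a fix was itself bypassed.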
Microsoft SharePoint vulnerability exploited by hackers
- According to Saudi Arabia’s National Cybersecurity Authority (NCA), attackers have been exploiting the remote code execution vulnerability CVE-2019-0604 in Microsoft SharePoint, for reconnaissance purposes.
- Information on Microsoft Exchange and SQL servers is also being gathered by hackers, which the NCA stated suggests that ‘the attack is still in its first stages’.
- The flaw can provide a foothold on the network, allowing attackers remote access and the ability to deploy a web shell script that can be used to change data on a server. The vulnerability applies to older versions of the application, for which Microsoft has released a patch.
Remote code execution vulnerability discovered in SQLite
- Cisco Talos researchers reported on a remote code execution flaw, tracked as CVE-2019-5018, in SQLite – a client-side database management system. The flaw could be exploited by an attacker sending a malicious SQL command. The vulnerability has been patched in versions 3.26.0 and 3.27.0.
Vulnerability discovered in ‘Unhackable’ eyeDisk USB stick
- eyeDisk is a USB stick that uses iris recognition to unlock a person’s drive. Pen Test Partners researcher David Lodge tested the USB stick and discovered that, in order to work, the retinal mechanism has to pass something to the device to unlock the associated contents.
- Lodge activated packet sniffing using the packet analyser Wireshark and found that within the CDB’s string was his password and another 16-byte hash, which he assesses could have been an iris hash.
- In addition, he discovered that the device unlocks the volume by sending a password through in plaintext. Obtaining the password/iris hash can be achieved by sniffing the USB traffic to get the password/hash in cleartext.
Websites collect PII data insecurely
- According to research by RiskIQ, based upon 48,949 active financial services organisations’ websites, 4,512 of them were capturing PII via data entry points accessible by site visitors, and 522 were found to be capturing this information insecurely.
- Data protection advisor Jon Baines stated that the results suggest a failure to comply with the security principle of GDPR.
DHS issues warning over weak passwords
- An increase in ‘password spray’ brute-force attacks against government agencies has prompted the Department of Homeland Security to issue security advice.
- The advice follows the indictment of nine Iranian nationals in 2018 who were associated with the Mabna Institute and were involved with brute force attacks.
- The agency encouraged users to adopt National Institute of Standards and Technology guidelines over passwords and to implement Multi-Factor Authentication.
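A password spray differs from classic brute force in shape: one source tries a few common passwords against many accounts rather than many passwords against one, which is exactly why per-account lockout thresholds miss it. The following is an added example, not code from the page or from any DHS or NIST publication: a small detector run over constructed authentication log lines that flags a source IP hitting many distinct accounts with only a handful of failures each, while leaving a single-account burst and a user who mistypes twice unflagged. The log format, the `spray_sources` function and its thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page). One event per line:
# "<ISO-8601 timestamp> <username> <source IP> <FAIL|OK>".
# 203.0.113.7 sprays six accounts once each; 198.51.100.9 hammers one account;
# 192.0.2.5 is a user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2019-05-10T08:00:01Z alice 203.0.113.7 FAIL
2019-05-10T08:00:03Z bob 203.0.113.7 FAIL
2019-05-10T08:00:05Z carol 203.0.113.7 FAIL
2019-05-10T08:00:07Z dave 203.0.113.7 FAIL
2019-05-10T08:00:09Z erin 203.0.113.7 FAIL
2019-05-10T08:00:11Z frank 203.0.113.7 FAIL
2019-05-10T08:01:00Z admin 198.51.100.9 FAIL
2019-05-10T08:01:01Z admin 198.51.100.9 FAIL
2019-05-10T08:01:02Z admin 198.51.100.9 FAIL
2019-05-10T08:01:03Z admin 198.51.100.9 FAIL
2019-05-10T08:01:04Z admin 198.51.100.9 FAIL
2019-05-10T08:01:05Z admin 198.51.100.9 FAIL
2019-05-10T08:02:00Z grace 192.0.2.5 FAIL
2019-05-10T08:02:10Z grace 192.0.2.5 FAIL
2019-05-10T08:02:20Z grace 192.0.2.5 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Yield (timestamp, user, source_ip, result); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def spray_sources(text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted accounts} for each source that, inside any
    `window`, failed against at least `min_users` distinct accounts with no more than
    `max_per_user` failures per account. Accounts hit harder than `max_per_user` are
    not counted toward the spray, so a single-account burst is left to the ordinary
    brute-force rule and the two can be routed to different responses."""
    failures = defaultdict(list)
    for ts, user, ip, result in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for start in range(len(events)):
            t0 = events[start][0]
            per_user = defaultdict(int)
            for ts, user in events[start:]:
                if ts - t0 > window:
                    break
                per_user[user] += 1
            sprayed = sorted(u for u, n in per_user.items() if n <= max_per_user)
            if len(sprayed) >= min_users:
                flagged[ip] = sprayed
                break
    return flagged


if __name__ == "__main__":
    for ip, users in spray_sources(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

The thresholds are the tuning knobs: `max_per_user` at 2 tolerates a genuine mistyped password, and `min_users` sets how many accounts one source must touch before it is worth an alert. The output is the list of targeted accounts, which is what a responder needs to confirm the attempts failed and to prioritise the MFA rollout the advisory recommends.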
Hackers steal from Amazon merchants
- 100 accounts of merchants who were trading via Amazon were compromised between May and October 2018.
- It is believed that sellers were tricked into handing over login information to their accounts which allowed thieves to alter bank details and divert cash.
SMS Bombing Operation uncovered
- Security Researcher Bob Diachenko has found an open and unprotected MongoDB database named ApexSMS that was indexed by several public search engines. The database contained data relating to an SMS operations center, with one folder containing 80,055,125 records including MD5 hashed emails, first and last names, addresses, IP addresses, phone numbers, sent messages, and more.
- Diachenko stated that the alleged owners of the database could have an official cover as MobileDrip; however, this has not yet been confirmed. ApexSMS relies on MobileDrip, a ‘cloud based sms platform that’s optimized for high volume messaging’.
- The database also contained messages that had been sent to millions of people, containing links to scam websites and pretending to come from a family member or friend. Notably, ApexSMS is also the name of an SMS bombing program advertised on black hat and hacker forums.
Air India has failed to recover money lost through phishing scam in 2017
- Posing as employees of Pratt & Whitney, Nigerian hackers managed to steal £230,905 from Air India in 2017. The company has so far failed to recover the money.
Ex-intelligence analyst charged with leaking reports to the press
- 31-year-old Daniel Everette Hale, a former government intelligence analyst from Nashville, Tennessee, has been arrested and charged with leaking classified documents pertaining to military campaigns against al-Qaeda to a reporter.
- Hale has been charged on several counts including obtaining and disclosing national defence information and theft of government property. Hale previously worked as an intelligence analyst for the Air Force and later as a contractor for the government’s National Geospatial-Intelligence Agency.
- Hale reportedly began communicating with the reporter in 2013 and provided 11 Top Secret or Secret documents over the course of their interaction. The documents included material on a military campaign against al-Qaeda, a top-secret intelligence report on an al-Qaeda operative, and a PowerPoint slide ‘outlining the effects of the military campaign targeting Al-Qaeda overseas’.
Swiss government warns of ransomware attacks on Swiss SMEs
- As a result of an increase in ransomware attacks on Swiss small and medium enterprises (SMEs), the Swiss government has published a blogpost covering technical details regarding the recent ransomware attacks and possible countermeasures.
Source (Includes IOCs)
Chinese national charged by Feds over Anthem breach
- Federal prosecutors have charged Chinese national Fujie Wang over the alleged data breach of health insurer Anthem in 2015.
- Wang is accused of being part of a hacker collective, dubbed Black Vine, that utilized spear phishing emails to dupe employees into downloading malware. The breach allowed the hackers to access the personal details of nearly 80 million people.
- Researchers at Symantec state that the hacker group breached more than a dozen companies between 2012 and 2015. Moreover, they stated that Anthem were only a secondary target as the hackers pursued aerospace, energy, military and technology companies.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.