Silobreaker Daily Cyber Digest – 11 December 2018
MuddyWater remains active targeting 30 organizations in two months
- Symantec researchers have found that from September 2018 to mid-November 2018 the MuddyWater Group has targeted a total of 131 victims in 30 organizations worldwide, particularly in telecommunications, government agency IT services, and the oil and gas sector.
- Targets were primarily located in Pakistan and Turkey, but also in Russia, Saudi Arabia, Afghanistan and Jordan. European and North American organisations with ties to the Middle East were also targeted.
- The researchers found evidence of both MuddyWater and APT28 infections on a computer within the Brazil-based embassy of ‘an oil-producing nation’. This led them to the discovery of a new backdoor, dubbed Powemuddy by Symantec, that was first spotted by Trend Micro in MuddyWater’s campaign against Turkey last month.
- Other tools used by the threat actor include new variants of the Powerstats backdoor and a variety of modified and unmodified open source tools. Symantec also discovered the Group’s GitHub repository that is used to store their scripts.
Source (Includes IOCs)
Massive campaign scanning for Internet-exposed Ethereum wallets and mining rigs
- Troy Mursch reported that attackers are scanning for wallets and rigs with port 8545 exposed.
- The campaign is finding exposed wallets and mining equipment in order to steal funds from Ethereum addresses.
Volkswagen car giveaway scam redirects victims to ad networks
- Sucuri researchers discovered a new scam spreading via Facebook and WhatsApp, in which messages purporting to be from Volkswagen announce the giveaway of 20 free cars. The messages include a link to a website that, once opened, redirects victims to a third-party ad server.
Leaks and Breaches
Bug in Google+ revealed data of over 52 million users to app developers
- The leak lasted for six days in November 2018, and occurred as a result of a bug in the Google+ People API, built to access profile data with the owner’s consent. The data was available to all app developers who had requested permission to view data that users had configured to remain private.
- Data was also exposed from users who had not given their consent to the app to get their profile information, but had shared their details with a profile that had given the app this permission.
- There is no evidence that the app developers were aware of their access to this information or used it for any illegitimate purposes.
German plastics manufacturer suffers ransomware attack
- KraussMaffei was targeted in a ransomware attack that affected emails and landline phone systems. Manufacturing and production at the firm’s sites, including its Munich site, were halted for two weeks due to the attack.
University of Maryland Medical System suffers malware attack
- The medical system was targeted by an unknown source over the weekend and was restored on December 10th, 2018.
Oregon city attacked with ransomware
- The city of North Bend suffered a ransomware attack which rendered it impossible for civil administration employees to access their computers and databases.
- City officials did not pay the $50,000 worth of Bitcoin demanded by the attackers, reportedly located in Romania, as the city’s systems were backed up.
Exploit code released for recently disclosed Kubernetes flaw
- Several demo exploits have been released for the recently disclosed bug in Kubernetes tracked as CVE-2018-1002105. Soon after the flaw was disclosed, code demonstrating the vulnerability was found in public repositories.
Flaws in Samsung mobile left users open to account theft
- Artem Moskowsky stated that the three patched cross-site request forgery bugs could have allowed attackers to reset passwords and take over accounts. The bugs were the result of the way that the Samsung[.]com account page handles security questions.
- When a user forgets the password, they can answer the security question to reset it, during which the web application checks the ‘referer’ header to ensure that the data requests only come from sites that are supposed to have access. The flaw in this process means that those checks are not properly run, resulting in any site being able to access that information.
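The item above describes a password-reset flow whose Referer check did not reliably reject requests from other sites. As an added illustration (not code from the digest or from Samsung, and not a reconstruction of the actual bug, which the page does not detail), the block below contrasts a loose Referer check of the kind that commonly fails with a strict Origin/Referer host comparison backed by a per-session CSRF token. The host allow-list, the header values and the token are constructed sample data.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allow-list of hosts permitted to submit security-question answers.
# Hypothetical: the real account service's hosts are not named on the page.
ALLOWED_HOSTS = {"account.example.com", "www.example.com"}


def weak_referer_check(headers: dict) -> bool:
    """A loose check of the kind that fails in practice: a missing Referer is
    accepted, and a substring match passes any URL that merely contains the
    trusted string (for example in its query string or a look-alike host)."""
    referer = headers.get("Referer")
    if referer is None:
        return True  # absent header silently treated as trusted
    return "example.com" in referer


def strict_origin_check(headers: dict) -> bool:
    """Defensive variant: require Origin (preferred) or Referer, parse it, insist
    on HTTPS, and compare the host exactly against the allow-list. Anything
    missing, unparsable, or off-list is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname in ALLOWED_HOSTS


def reset_allowed(headers: dict, form: dict, session_token: str) -> bool:
    """Decide whether a security-question/password-reset POST may proceed:
    the request must pass the strict origin check AND carry a CSRF token that
    matches the one bound to the user's session (constant-time comparison)."""
    if not strict_origin_check(headers):
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)


if __name__ == "__main__":
    # Constructed sample requests showing where the loose check diverges.
    samples = [
        {"Referer": "https://account.example.com/reset"},
        {"Referer": "https://other.test/?next=example.com"},
        {"Origin": "https://example.com.other.test"},
        {},
    ]
    for h in samples:
        print(h, "weak:", weak_referer_check(h), "strict:", strict_origin_check(h))
```

The strict check alone is not sufficient on its own (browsers do not send Origin on every request type), which is why the reset decision also requires the session-bound CSRF token; the two checks together are the usual mitigation for this bug class.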
GlobeImposter ransomware recovery website abandoned by hackers
- Coveware reported that the perpetrators behind the GlobeImposter ransomware seem to have abandoned the TOR site used in their ransomware notice, leaving victims with no means to pay for the decryption of files or to contact the attackers.
IBM X-Force analyse remote overlay malware used in Brazilian financial cybercrime
- In the second part of their two-part series, IBM X-Force focus on a remote overlay trojan that uses a dynamic link library (DLL) hijacking technique. The trojan was spotted being used in attacks against Brazilian banks as well as cryptocurrency exchanges.
US House report finds Equifax breach was ‘entirely preventable’
- A US House Oversight Committee report has concluded that the 2017 Equifax breach could have been prevented had the credit rating agency put in place basic security measures. The report affirmed that the credit agency had not patched a known vulnerability in Apache Struts, allowing hackers to access its website and databases for months.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.