Silobreaker Daily Cyber Digest – 11 January 2019
Cisco Talos release free decryption tool for PyLocky ransomware
- The newly released tool can only decrypt files if the initial PyLocky C&C traffic from the infected machine was captured, because that traffic carries information used in the encryption process. It therefore only works in cases where the traffic was being monitored at the time of infection.
Alcatel Android smartphones had pre-installed adware apps
- Upstream reported finding pre-installed applications on Alcatel phones, a brand belonging to the Chinese tech manufacturer TCL Corporation. The apps collect and transmit data including locations, email addresses and IMEIs to a Chinese server, and request several privacy-invasive permissions.
Criminals relying on smart card technology Fuze Cards for fraud
- Brian Krebs reported that fraudsters are relying on Fuze Cards, data storage devices that can hold account data on multiple credit cards, in order to avoid suspicion when using multiple cards at a register. If a stolen card’s transaction is declined, the criminals can press a button to change which credit card is being used to carry out the transaction.
Ryuk ransomware being deployed interactively following TrickBot malware infections
- FireEye observed attackers successfully demanding large ransom payments from targeted organizations. The activity, dubbed TEMP.MixMaster, uses EMPIRE and RDP connections for lateral movement in victim environments. FireEye reported that it had no evidence attributing Ryuk ransomware to North Korea, and surmised that the TrickBot administrator group is providing the malware to various criminal actors.
Leaks and Breaches
202 million resumes of Chinese job seekers exposed online
- In late December 2018, researcher Bob Diachenko discovered an unprotected MongoDB database that exposed the details of 202 million Chinese job seekers.
- Diachenko reported that following the incident, a tool called ‘data-import’ was discovered on GitHub and is believed to have been developed to scrape resumes from different Chinese classifieds. The tool was found to contain ‘source code with identical structural patterns as those used in the exposed resumes’.
Patches for Windows 7 SP1 and Windows Server 2008 R2 SP1 causing network and license issues
- Microsoft released the KB4480960 and KB4480970 security updates on January 8th, 2019. Users are now reporting that the fixes caused their licenses to be deactivated or prevented them from connecting to network shares.
McAfee analyse recently patched critical RCE flaw in Internet Explorer’s scripting engine
- The vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in Microsoft’s Internet Explorer versions 9 to 11 and has been exploited in the wild. A patch was issued on December 19th, 2018.
- In their blog post, McAfee described the context of the vulnerability, its technical details and a proof-of-concept. They concluded their analysis with a warning that exploit kits deploying a weaponized version of the flaw can be expected to emerge soon, and advised users to ensure their systems are able to withstand the threat.
Juniper Networks release patches for 19 serious vulnerabilities
- This includes a fix for a critical vulnerability, tracked as CVE-2019-0006, in Junos OS 14.1X53, 15.1, and 15.1X53 running on EX, QFX and MX devices.
- Numerous flaws affecting a wide range of Junos OS versions have also been patched, including those tracked as CVE-2019-0001, CVE-2019-0003 and CVE-2019-0012. The full list of vulnerabilities, including links to the software updates, can be found on Juniper Networks’ website.
US Government shutdown leads to expired TLS certificates on .gov websites
- Researcher Paul Mutton found that tens of government sites can no longer be accessed or are marked as insecure due to their TLS certificates not being renewed as a result of the ongoing US government shutdown.
- According to Mutton, users who visit these sites may be exposed to man-in-the-middle attacks that could steal their personal data, or to fraud and identity theft. Sites belonging to the US Department of Justice, NASA and the Court of Appeals are among those affected.
Hacktivist sentenced over DDoS attacks on healthcare organizations
- Martin Gottesfeld was sentenced to 10 years for launching the attacks on the Boston Children’s Hospital and the Wayside Youth and Family Support Network in 2014. He carried out the attacks in protest at a judge’s decision to award custody of a Massachusetts teen, Justina Pelletier, to the state.
- The attacks led to over £600,000 in damages and lost donations.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.