Silobreaker Daily Cyber Digest – 11 June 2019
MuddyWater uses multi-stage backdoor POWERSTATS V3 and new post-exploitation tools
- Trend Micro researchers detected new campaigns that appear to be operated by the MuddyWater group. Their analysis of the campaigns reveals the group’s use of new tools and payloads.
- One of the campaigns targeted a university in Jordan and the Turkish government. Spear phishing emails were used to install a new multi-stage PowerShell-based backdoor called POWERSTATS V3.
- Other MuddyWater campaigns involved a change in their delivery methods and dropped file types. In January, the group used two different backdoors, SHARPSTATS and DELPHSTATS. The group also used multiple open-source post-exploitation tools, including the EmpireProject stager, which exploits CVE-2017-11882. The LaZagne credential dumper was also patched to drop and run POWERSTATS.
Source (Includes IOCs)
Scam campaign exploits Google Calendar notifications
- Kaspersky researchers detected sophisticated scam campaigns targeting users via fraudulent Google Calendar notifications that lure them into giving away personal information.
- The scam emails exploited Gmail’s automatic addition and notification of calendar invitations on smartphones. The invitations included links to a phishing site, which contained a simple questionnaire and offered prize money upon completion. Users were asked to provide their credit card details, name, phone number and address.
DNS compromise redirects users to high risk stock trading scheme
- My Online Security observed a malspam campaign that appears to be delivered via the Necurs botnet and may have involved a DNS compromise. The campaign targets UK users; only a UK IP address will result in redirection to the high-risk stock site.
- The campaign’s authors have used Google’s DNS resolver, a short time-to-live and DNS TXT records to redirect users to the target domain.
- All the domains resolve to a well-known Ukraine-based hosting company that has a “dubious reputation” for malware, phishing and scams.
Source (Contains IOCs)
BlackBerry Cylance researchers publish technical analysis of Quasar RAT
- Researchers at BlackBerry Cylance tracked QuasarRAT and its use by the MenuPass threat group.
- QuasarRAT is a lightweight remote administration tool that collects system information, uploads files, logs keystrokes, runs shell commands, and more. Researchers observed several distinct loader variants that were used to target specific groups. Campaigns utilizing QuasarRAT were observed targeting several verticals across the EMEA region.
- There have been no new variants of QuasarRAT observed in the wild since several members of MenuPass were indicted by the FBI in late 2018.
Ray Ban sunglasses phishing scam on Instagram
- Instagram users have been warned of a phishing scam promising discounted Ray Ban sunglasses. It is believed the scam first spread via Instagram accounts purchased on the dark web.
New activity by FIN8 discovered
- Researchers at Morphisec Labs observed a campaign active between March and May 2019 using a new variant of the ShellTea/PunchBuggy backdoor malware. The campaign is targeting networks within the hospitality industry.
- ShellTea was last documented in 2017 in a POS malware attack, which suggests this latest attack was also an attempted POS attack. This latest variant has been improved to bypass standard POS defenses, making such networks easy targets.
- The researchers believe FIN8 to be behind the attack, although some overlaps with known FIN7 attacks were also observed.
Hackers targeted nine Dutch-Bangla Bank ATMs
- Dutch-Bangla Bank recently reported a theft from two of its ATMs in Dhaka; however, investigators discovered that a total of nine had been compromised and Tk 16 lakh (£14,918) stolen. Other banks and ATMs are believed to have also been affected.
- The attackers infected the ATMs with malware, enabling them to sever the connection between the machines and the bank’s server, which gave them access to the money without records of the transactions being sent to the server. The technique has been seen in other countries, where criminals deployed Tyupkin malware to empty ATMs.
- The investigators suspect a group of 12 to 15 Ukrainians, believed to be members of the Lazarus Group, also known as Hidden Cobra, to be behind the attacks. The Lazarus Group was previously involved in the 2016 Bangladesh Bank heist. Twelve of the suspects have been detained.
Leaks and Breaches
CBP says hacker stole traveller photos and license plate images
- The US Customs and Border Patrol (CBP) reported that a subcontractor transferred copies of license plate images and traveller images collected by the CBP to its own company network. The subcontractor’s network was then breached, resulting in the theft of the images.
- Motherboard suspects the incident may be related to an attack from last month in which a hacker known as ‘Boris Bullet-Dodger’ compromised a license plate reader company called ‘Perceptics’.
Shanghai Jiao Tong University leaks 9.5 billion rows of email metadata
- The data leak was discovered by researcher ‘xxdesmus’ when they came across an Elasticsearch database that lacked authentication.
- The researcher discovered 8.4 TB of data consisting of 9.5 billion rows that appeared to be from self-hosted email platform Zimbra. The exposed data included IP addresses and user agents of the person checking their email. The database has since been secured.
City of Fort Stockton warns of possible security breach
- The city in Texas warned residents of a possible security breach affecting its data servers. The breach was the result of a ransomware infection and may involve customer and vendor personal information.
Pennsylvania County suffers malware attack affecting county’s courthouse computers
- According to officials, there is no evidence that any sensitive information was stolen in the attack. No ransom payment has been demanded; however, county offices are unable to access information such as property assessment records, deeds and civil court filings. The investigation remains ongoing.
Nova Scotia Health Authority (NSHA) suffers data breach
- NSHA is informing its patients of a data breach that took place on May 8th, 2019. The breach occurred via a phishing attack that compromised an employee’s email account. The breach was first discovered on May 13th, 2019.
- The breach affects 2,841 NSHA patients and potentially accessed data is related to ‘surgical procedures scheduled or going to be scheduled.’
Auburn Food Bank in King County, Washington, victim of ransomware attack
- Auburn Food Bank became infected on June 5th, 2019, with GlobeImposter 2.0 ransomware, which encrypted all but one of the computers on their network. It remains unclear how hackers gained access to the charity’s network.
Ethiopian Information Network Security Agency (INSA) agents’ passwords revealed
- Researchers at SafetyDetective discovered a database online which contained the email addresses and passwords of a few hundred INSA agents.
- The passwords were neither salted nor hashed. Moreover, out of 300 passwords, 142 were ‘p@$$w0rd’ and 62 passwords contained a ‘123’ sequence.
- The database scrape appears to have occurred some time ago and the credentials no longer work, indicating that the INSA reset passwords or changed the internal email server.
Private data of Russian banks’ clients leaked online
- Three Russian banks had private databases leaked online at the end of May 2019, including the country’s largest commercial bank Alfa Bank. The databases are believed to have been gathered a few years ago, yet experts fear the data could still be misused by malicious actors.
- DeviceLock first discovered two leaks from Alfa Bank on June 7th, 2019. One of the databases dates back to 2014/2015 and included over 55,000 clients’ data, including full names, phone numbers, addresses and place of work. Whilst the second database contained only 504 entries, it is more recent, dated 2018/2019, and additionally includes year of birth, passport data, the Alfa Bank branch and account balances of clients.
- It is unclear who is behind the leak, however, it is believed to have been an insider or someone aware of who to target for information. The more recent database is believed to have been leaked by an employee responsible for combating fraud.
Vulnerabilities patched in VLC Player 3.0.7 release
- A total of 33 bugs were patched in VLC Player, including two flaws rated as high severity. The first is an out-of-bounds write flaw in the faad2 library. The other high-severity flaw is a stack buffer overflow in VLC 4.0 only, found in the new RIST module.
Critical vulnerability found in WordPress WP Live Chat
- Alert Logic researchers discovered a critical authentication bypass in the WP Live Chat plugin for WordPress. The vulnerability, listed as CVE-2019-12498, is exploitable in WP Live Chat plugin versions 8.0.32 and earlier.
- The flaw is located in the restricted REST API endpoints. The endpoints are vulnerable to attacks by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.
- Attackers who exploit the vulnerability could extract chat history, pose as agents and inject messages into chat sessions, retroactively edit messages for concealment purposes, and end chat sessions as part of denial-of-service attacks.
Source (Includes IOCs)
Multiple vulnerabilities in Schneider Electric Modicon M580
- Researchers at Cisco Talos have detected eighteen vulnerabilities in the Schneider Electric Modicon M580. These vulnerabilities could lead to issues such as denial-of-service attacks and the disclosure of sensitive information. The majority of the bugs exist in UMAS requests made while operating the hardware.
- A full list of the vulnerabilities is available via Cisco Talos.
Vulnerability discovered in Linux’s Vim and Neovim
- Security researcher Armin Razmjou discovered a high-severity OS command execution vulnerability, tracked as CVE-2019-12735, in Linux’s command-line text editing applications Vim and Neovim. The maintainers of the applications have since released patches.
- The vulnerability can be exploited through the Vim ‘modelines’ feature, which includes sandbox protection. However, this sandbox can be bypassed by using the ‘:source!’ command, allowing an attacker to take remote control over the victim’s Linux system.
Indian actor Amitabh Bachchan’s Twitter account hacked
- Bachchan’s Twitter account was allegedly hacked on June 10th, 2019 by a group calling itself ‘Ayyildiz Tim Turkish Cyber Army.’ The group replaced his profile picture with that of Pakistan Prime Minister Imran Khan and changed his bio to state ‘Love Pakistan’ with an emoji of the Turkish flag. They also posted multiple tweets, including one with a link to the group’s Instagram page.
FBI issues warning over TLS secured websites being used in phishing campaigns
- The FBI issued a warning on June 10th, 2019, that cybercriminals are abusing HTTPS and ‘the lock icon’ to perform phishing attacks. Cybercriminals are incorporating website certificates when sending emails that imitate trustworthy companies or email contacts.
Open source tools increasingly popular with cybercriminals
- Researchers at Fortinet observed cybercriminals converting open source security and malware tools into new attacks. Cybercriminals are repurposing these tools to penetrate attack surfaces, establish a presence with little chance of detection, and move across networks with little resistance.
IRS issues warning over post-tax-deadline phishing and telephone scams
- The US Internal Revenue Service (IRS) observed two new variations of tax-related scams following the April filing deadline.
- The first involves scammers claiming that the victim’s Social Security number is under threat of suspension or cancellation; scammers may also mention overdue taxes. Scammers are attempting to scare victims into phoning them back and divulging personal information.
- The second scam involves scammers mailing letters that threaten victims with an IRS lien or levy and mention a non-existent ‘Bureau of Tax Enforcement’ to confuse targets.
Huawei denies links to the Chinese government before Technology and Science Select Committee
- Huawei’s cyber-security chief John Suffolk appeared before the Technology and Science Select Committee to answer MPs’ questions on the security of its devices and its links to Beijing.
- Suffolk defended Huawei, stating that the company has never been asked by the Chinese government or any other government to act in a way that would weaken the security of Huawei products. Moreover, Suffolk said that Huawei are not required to share information with Chinese intelligence agencies.
- MPs also quizzed Suffolk on Huawei’s ability to access the UK’s 5G network via its equipment. Suffolk stated that ‘we have no access to any of the data that is running across that network.’
Over 2.6 million phishing attempts reported to HMRC in past three years
- According to a recent Freedom of Information request, the UK’s HM Revenue & Customs (HMRC) received over 2.6 million reports of phishing emails, texts and phone scams from 2016 to 2019. HMRC is believed to be the UK government’s ‘most abused brand.’
- The most common messages were fraudulent emails related to tax rebates, with 1,957,003 reports in the three-year period. Although email and text phishing reports decreased in recent years, phone scams have increased significantly, rising from 407 in 2016/2017 to 104,774 reports in 2018/2019. Overall, the phishers had a success rate of less than 1%.
Flashpoint researchers report on Brazilian darknet marketplaces
- Brazilian actors were observed starting their own marketplaces following the takedown of other darknet marketplaces in the region. One example is Mercado Negro which emerged after the shutdown of Trishula.
- The researchers also state that threat actors within the region ‘continue to perceive their dark web activity as unaffected by the takedowns of large English-language marketplaces such as AlphaBay and Hansa.’ New marketplaces were also observed as using a decentralized model, which is ‘relatively unique to the Brazilian underground’.
Hacker sentenced to four years imprisonment for series of attacks
- Daniel Kelley was sentenced on June 10th, 2019, to four years detention following a series of hacking attacks against government networks and businesses between September 2013 and November 2015.
- Kelley was involved in a 2015 attack targeting TalkTalk where the personal data of more than 150,000 customers was stolen. Multiple hacks cost the company an estimated £77 million.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.