Silobreaker Daily Cyber Digest – 12 April 2019
GarrantyDecrypt ransomware poses as EnigmaSoft’s SpyHunter
- G DATA researchers observed GarrantyDecrypt ransomware disguising itself as Enigma SpyHunter5, a ‘malware remediation utility’ developed by EnigmaSoft. The malware uses the application’s icon as well as the filename ‘SpyHunter5[.]exe’.
- GarrantyDecrypt was seen checking the system's default language and terminating if Russian, Ukrainian, Kazakh, Belarusian or Tatar was detected.
Source (Includes IOCs)
Uniden’s hacked commercial site harbours Emotet trojan
- Uniden’s website for commercial security products was hacked to host a Word document that delivers a variant of the Emotet trojan. The malicious Word file is stored in the wp-admin folder and includes a macro that downloads the Emotet variant.
Emotet inserts malicious links into old email threads
- The hackers behind Emotet malware have been observed using old email conversation threads to distribute malicious links and malicious file attachments. Users previously involved in the email conversations received emails spoofed to appear from one of the previous correspondents when they were actually coming from Emotet’s servers.
- According to ZDNet, this is not a new tactic and has been previously observed in 2017 when a North Korean hacking group used it to hack into email accounts one by one. In comparison, Emotet leverages email threads that the hackers mass-harvested from victims infected in October 2018.
- Both English and German email threads are being used in this campaign.
Website of VSDC hacked to spread password stealing malware
- Dr.Web researchers discovered an intrusion on the website of the free multimedia editor VSDC: attackers hijacked download links on the site so that visitors downloaded the editing software bundled with a banking trojan identified as Win32.Bolik.2 or with the KPOT stealer, also tracked as Trojan.PWS.Stealer.
- Visitors who downloaded and launched the compromised version of VSDC video editor and video converter will have been infected. The trojan is designed to perform web injections, traffic intercepts, key logging and information stealing from different banking systems. The info stealer will take information from browsers, Microsoft accounts, messengers and additional programs.
- Dr Web found that at least 565 users had their computers infected with Win32.Bolik.2, while a further 83 downloaded the VSDC software infected with KPOT stealer.
Fortinet publishes LockerGoga analysis after several attacks target critical infrastructure
- Earlier this year, Fortinet detected LockerGoga ransomware attacking industrial companies and compromising several of their operations. The attacks began when the malware was detected attacking an engineering consultancy firm based in France, going on to disrupt the operations of an international manufacturer, followed most recently by two American companies.
- Fortinet’s analysis of LockerGoga includes details on the initial execution, the master and slave processes and the ransom note.
Source (Includes IOCs)
HTML5 ping feature abused to lure Chinese users into joining DDoS attack
- Imperva researchers recently detected a distributed denial-of-service (DDoS) attack targeting users in Asia. The attackers used a common HTML5 attribute, the ping attribute of the <a> tag, to trick users into unknowingly joining a large-scale DDoS attack that flooded a website with roughly 70 million requests in four hours.
- Almost all victims of the attacks were mobile users of the QQBrowser developed by Tencent and Chinese language speakers.
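From the target's side, the hyperlink-auditing flood described above is recognisable: browsers that honour the ping attribute send a POST with Content-Type text/ping and Ping-From/Ping-To headers, so a server that logs those fields can see when it has become the target. The following detection logic is an added example, not code from Imperva or from the original digest; the log format it parses is a hypothetical one assumed for the example (a real server only logs these fields if configured to), and the log lines are constructed.

```python
"""Spot HTML5 hyperlink-auditing ("ping") floods in web server access logs.

Browsers that honour <a ping="..."> send a POST to the ping URL with
Content-Type: text/ping plus Ping-From and Ping-To headers. A server that
logs those fields can tell when it has become the target of a ping-driven
flood and rate-limit or drop such requests at the edge.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) log format, one request per line:
#   <iso-timestamp> <client-ip> <method> <path> <content-type> <ping-from>
# A "-" marks a field that was absent from the request.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2019-04-12T10:00:00 203.0.113.5 GET / - -
2019-04-12T10:00:00 198.51.100.7 POST /track text/ping http://lure.example/page1
2019-04-12T10:00:10 198.51.100.8 POST /track text/ping http://lure.example/page1
2019-04-12T10:00:20 198.51.100.9 POST /track text/ping http://lure.example/page2
2019-04-12T10:00:30 198.51.100.7 POST /track text/ping http://lure.example/page1
2019-04-12T10:00:40 198.51.100.8 POST /track text/ping http://lure.example/page2
2019-04-12T10:00:50 198.51.100.9 POST /track text/ping http://lure.example/page1
2019-04-12T10:05:00 203.0.113.6 POST /contact text/ping http://lure.example/page3
2019-04-12T10:20:00 203.0.113.7 POST /contact application/x-www-form-urlencoded -
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, ctype, ping_from = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "method": method,
        "path": path,
        "ctype": ctype,
        "ping_from": ping_from,
    }


def is_ping_request(rec):
    """Hyperlink-auditing requests are POSTs with Content-Type text/ping."""
    return rec["method"] == "POST" and rec["ctype"] == "text/ping"


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:  # slide the window start forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_ping_floods(log_text, window=timedelta(seconds=60), threshold=5):
    """Return paths whose ping-request rate reached the threshold in any window.

    Each entry carries the peak in-window count, the total count and a
    Counter of Ping-From origins, which tells the defender which lure pages
    are driving the traffic.
    """
    by_path = defaultdict(list)
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ping_request(rec):
            by_path[rec["path"]].append(rec["ts"])
            sources[rec["path"]][rec["ping_from"]] += 1
    floods = {}
    for path, times in by_path.items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            floods[path] = {"peak": peak, "total": len(times), "sources": sources[path]}
    return floods


if __name__ == "__main__":
    for path, info in find_ping_floods(SAMPLE_LOG).items():
        print(f"{path}: peak {info['peak']}/window, {info['total']} total, "
              f"top sources {info['sources'].most_common(2)}")
```

The threshold and window are tuning knobs; a site that never legitimately receives text/ping POSTs can simply reject them outright at the proxy instead of counting them.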
Leaks and Breaches
Home Office leaks emails of hundreds of EU citizens
- The UK Home Office has issued an apology to 240 EU citizens after accidentally leaking their email addresses due to an ‘administrative error’. The citizens, who had their emails leaked, had requested to be considered for settlement status in the UK as part of the EU Settlement Scheme program.
- The applicants received an email from the Home Office asking them to re-submit their information; however, these emails contained all the recipients’ email addresses in plain text within the CC field. This incident follows the leak of another batch of 500 emails belonging to the Windrush compensation scheme on Monday this week.
Source (Includes IOCs)
Stone Mountain Memorial Association suffers ransomware attack
- The association in Georgia confirmed that a ransomware attack impacted its computer systems. No payroll, credit card or other public financial records were affected.
Garfield County suffers ransomware attack
- The Colorado county paid ransom in Bitcoin after a ransomware attack compromised its computer systems, stealing all accessed data. The attack occurred after an employee opened a phishing email earlier this year.
Greenville, N.C. hit by ransomware attack
- The attack led to the city’s IT department shutting down the majority of its servers to mitigate the effects of the breach. The attack began on April 10th, 2019, when the ransomware was first spotted by a member of the police department. A ransom note was received, and servers are being brought back online to assess the extent of the damage.
- Police, fire and emergency communications were unaffected as they operate on a separate network. No further details have been released.
Matrix website suffers cyber-attack causing widespread credential leak
- Matrix has had to reorganise its entire production infrastructure and inform its users of a widespread credential leak, after an unknown attacker gained access to the servers hosting the Matrix website.
- The hacker obtained access to a production database which could have granted them access to unencrypted message data, password hashes and access tokens. The organisation had to pull its home server and production infrastructure offline immediately after the breach was detected, resulting in hours of downtime, after which Matrix stated that they had discovered issues with rebuilding their production infrastructure.
- The incident was the result of vulnerabilities in the production infrastructure, such as outdated versions of Jenkins. CVE-2019-1003000, CVE-2019-1003001 and CVE-2019-1003002 were used to hijack and steal internal SSH keys to access the production infrastructure. The breach impacted websites, databases, Synapse, load balancers (LBs) and media repositories.
VMware releases patches for its ESXi, Workstation and Fusion products
- CVE-2019-5516 is an out-of-bounds read bug in the vertex shader functionality. Exploitation requires authentication and can only be successful if the 3D acceleration feature is enabled on the VM, which is enabled by default on Fusion and Workstation, but not ESXi. The flaw could lead to information disclosure or a DoS condition in the virtual machine.
- CVE-2019-5517 is an out-of-bounds read bug in the shader translator, which could result in information disclosure and a DoS condition. CVE-2019-5520 is also caused by an out-of-bounds read bug in a graphics component which can be exploited for information disclosure.
Multiple VPN apps insecurely store authentication/session cookies
- Carnegie Mellon University CERT/CC warned that at least four Virtual Private Network (VPN) applications sold or made available to enterprise customers share security flaws. Applications from Cisco, F5 Networks, Palo Alto Networks and Pulse Secure were found to be affected. However, the researchers suspect many more VPN applications could be affected.
- As the authentication and/or session cookies are stored in a non-encrypted form inside a computer’s memory or in log files saved on disks, an attacker with access to the computer, or malware running on the computer, can retrieve this information and use it on another system to resume the victim’s VPN session, without the need for authentication.
- Through this, the attacker can gain direct and unimpeded access to a company’s internal network, intranet portals and other sensitive applications.
Kaspersky Lab researchers detail SIM swap fraud in Brazil and Mozambique
- According to the researchers, both countries have registered a high rate of SIM swapping attacks. Through social engineering, bribery and phishing, attackers seize control of users’ phone numbers in order to receive mobile money transactions or collect banking one-time passwords to complete a transfer of funds or steal a victim’s money.
- In Brazil, hackers were seen targeting politicians, government and high-profile businessmen in addition to normal citizens. The researchers observed a new attack type dubbed ‘WhatsApp cloning’ in which after a SIM swap an attacker loads a victim’s WhatsApp chat and contacts and begins messaging contacts asking for money for an emergency situation.
- In Mozambique, citizens heavily rely on mobile payments, making SIM swapping a lucrative business. In their blog post, the researchers provide a detailed account of how the organized crime developed their own ecosystem, as well as how Mozambique dealt with the situation.
Sextortion scammers change techniques and tactics to bypass spam protection
- Researchers analysed a sextortion campaign that took place between August 30th and October 5th last year, which made almost $150,000 in bitcoin. The scammers behind the campaign adopted some simple methods to get their messages past spam filters.
- The code behind the spam messages contained a mix of plain text letters with HTML character entities, of which the recipient only sees the rendering of the email client. This alone does not necessarily enable the evasion of scam filters, therefore the scammers also embedded images of the message in the body of the email, which is not processed by the anti-spam protection mechanisms.
- In addition, Cisco Talos have reported that despite increased efforts to employ new techniques and increase the volume of spam, the profits from sextortion scams are rapidly falling.
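The two evasions described in this item both target filters that inspect the raw message source rather than what the recipient sees. The following normalisation step is an added example, not code from Cisco Talos or from the original digest: it renders the HTML the way a mail client would (decoding character entities and dropping tags) before keyword matching, and separately flags bodies that consist of an inline image with almost no visible text. The keyword list, the length threshold and the three sample bodies are constructed for the example.

```python
"""Normalise HTML e-mail bodies before content filtering.

Handles two evasions: text padded with HTML character entities (the filter
sees "p&#97;ssw&#111;rd", the reader sees "password"), and bodies that carry
the whole message as an inline image with little or no text to scan.
"""
from html.parser import HTMLParser

# Tags that separate words when rendered; a space is inserted at their boundaries.
_BLOCK = {"p", "div", "br", "li", "tr", "td", "th", "h1", "h2", "h3", "table"}


class _TextExtractor(HTMLParser):
    """Collects rendered text and counts <img> tags, ignoring script/style."""

    def __init__(self):
        # convert_charrefs=True decodes &#97;, &#x61; and &amp; before handle_data
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.images = 0
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._skip += 1
        if tag in _BLOCK:
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if tag in _BLOCK:
            self.parts.append(" ")

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def render(html_body):
    """Return (visible text with collapsed whitespace, number of <img> tags)."""
    p = _TextExtractor()
    p.feed(html_body)
    p.close()
    text = " ".join("".join(p.parts).split())
    return text, p.images


def extract_visible_text(html_body):
    """Text as the recipient would read it, entities decoded and tags removed."""
    return render(html_body)[0]


def classify(html_body, keywords, min_text_chars=40):
    """Classify a body as keyword-match, image-only or clean.

    keyword-match: a watched term appears in the rendered text;
    image-only:    the body has inline images but fewer than min_text_chars of
                   visible text, so the real content is in the image.
    """
    text, images = render(html_body)
    lowered = text.lower()
    if any(k in lowered for k in keywords):
        return "keyword-match"
    if images and len(text) < min_text_chars:
        return "image-only"
    return "clean"


# Constructed sample bodies and watch list (not real messages).
KEYWORDS = ("password", "bitcoin", "webcam")
SAMPLE_OBFUSCATED = (
    "<html><body><p>I kn&#111;w y&#111;ur p&#97;ssw&#111;rd and I h&#x61;ve a "
    "vide&#111; of you.</p><p>Send &#36;700 in bitc&#111;in.</p></body></html>"
)
SAMPLE_IMAGE_ONLY = (
    '<html><body><img src="cid:body-image@constructed"><p>Regards</p></body></html>'
)
SAMPLE_BENIGN = (
    "<html><body><p>Hi team, the slides for Monday&#39;s review are attached. "
    "Thanks!</p></body></html>"
)

if __name__ == "__main__":
    for name, body in [("obfuscated", SAMPLE_OBFUSCATED),
                       ("image-only", SAMPLE_IMAGE_ONLY),
                       ("benign", SAMPLE_BENIGN)]:
        print(f"{name:10} raw-match={'password' in body.lower()!s:5} "
              f"-> {classify(body, KEYWORDS)}")
```

A raw substring check on SAMPLE_OBFUSCATED misses the word entirely, while the rendered text matches; the image-only rule does not read the image, it only surfaces the message for image-aware scanning or a stricter policy.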
Man accused of hacking Western Union and stealing $32,000
- 42-year-old Vasile Savu is accused of using a USB drive infected with malware to hack into computers of an Opa-locka, Florida, Western Union branch.
EFF voice concerns over LA’s scooter location data
- The Electronic Frontier Foundation (EFF) have expressed concern about how the location data of the public scooters in LA could be de-anonymised to identify individual riders and routes. The EFF stated that ‘even with names stripped out, location information is notoriously easy to reidentify, particularly for habitual trips.’
Dark0de hacking forum is back online
- According to Forbes, Dark0de’s site is back online under new ownership, offering ‘tools, exploit, 0days, accounts that have been cracked, configs for tools, and email/password combinations.’ The underground marketplace was taken offline in 2015 by a joint operation by the FBI and Europol.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.