
Silobreaker Daily Cyber Digest – 12 July 2019


Ongoing Campaigns

YouTube channel promotes online game cheating tools containing AZORult trojan

  • Security researcher .sS.! discovered a YouTube channel called ‘Pirate Hack’, promoting cheating tools for games including Counter Strike Global Offensive, PlayerUnknown’s Battlegrounds, Rust, and more. Pirate Hack provides a link in their video description which leads to a downloadable ZIP folder containing multiple files.
  • BleepingComputer tested the link and found instructions within the ZIP file that told users to disable their antivirus software. Users who try to install the cheats will infect their system with the AZORult trojan. AZORult collects browser history, browser and FTP passwords, and more. The stolen data is then relayed back to the attacker.

Source (Includes IOCs)


Buhtrap group observed using zero-day exploit in latest campaign

  • Researchers at ESET observed the Buhtrap group exploiting the recently fixed Microsoft zero-day vulnerability CVE-2019-1132 in a campaign targeting a governmental institution. 
  • The group was originally known for targeting financial institutions in Russia and was motivated primarily by financial gain. According to the researchers, this campaign demonstrates Buhtrap's shift to conducting cyber espionage in Eastern Europe and Central Asia.

Source (Includes IOCs)


Magecart campaign more widespread than previously reported 

  • According to RiskIQ, the Magecart supply-chain skimmer attack reported on in May 2019 is more widespread than previously reported. The campaign started in early April 2019 and over 17,000 domains have since been impacted, including websites in the top 2,000 of Alexa rankings.
  • By actively scanning for misconfigured Amazon S3 buckets, the actors behind the campaign have automated the process of compromising websites with skimmers. Because such a misconfiguration lets anyone with an Amazon Web Services account read or write the bucket's content, the actors can inject their skimming code into JavaScript files hosted there and overwrite the script on the bucket.
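
The misconfiguration described above is an ACL (or bucket policy) that grants the AllUsers or AuthenticatedUsers group access to the bucket. The following audit routine, an added example and not code from the original digest or from RiskIQ, inspects an ACL in the shape that boto3's get_bucket_acl() returns, flags grants to those two groups (rating write-class grants, which allow a hosted script to be overwritten, as critical), and produces the hardened ACL with the wide grants removed. The sample ACL and owner ID are constructed; the two group URIs are the real AWS identifiers.

```python
"""Audit an S3 bucket ACL for grants to the AllUsers (public) or
AuthenticatedUsers (any AWS account) groups, and show the hardened form.
Added example; the ACL below is constructed in the shape of a
boto3 get_bucket_acl() response and is not from the original page."""

# Canonical S3 ACL group URIs (real AWS identifiers).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

WIDE_GROUPS = {ALL_USERS: "public", AUTHENTICATED_USERS: "any-aws-account"}

# Permissions that let a grantee replace objects (e.g. a hosted .js file)
# or rewrite the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (audience, permission, severity) for each grant to a wide group.

    Write-class grants are rated critical because any account could overwrite
    scripts served from the bucket; read-only grants are rated high.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants (e.g. the owner) are expected
        audience = WIDE_GROUPS.get(grantee.get("URI"))
        if audience is None:
            continue  # some other group, such as LogDelivery
        permission = grant.get("Permission", "")
        severity = "critical" if permission in WRITE_PERMISSIONS else "high"
        findings.append((audience, permission, severity))
    return findings


def strip_wide_grants(acl):
    """Return a copy of the ACL with every grant to a wide group removed.

    Applying the result with put_bucket_acl() and enabling S3 Block Public
    Access is the hardened counterpart of the weak ACL in SAMPLE_ACL.
    """
    kept = [
        g for g in acl.get("Grants", [])
        if not (g.get("Grantee", {}).get("Type") == "Group"
                and g["Grantee"].get("URI") in WIDE_GROUPS)
    ]
    return {"Owner": acl.get("Owner"), "Grants": kept}


# Constructed sample: the owner keeps FULL_CONTROL, but the bucket has been
# opened for WRITE to every authenticated AWS account and READ to the public.
OWNER = {"ID": "EXAMPLE-OWNER-CANONICAL-ID"}  # placeholder, not a real ID
SAMPLE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for audience, permission, severity in risky_grants(SAMPLE_ACL):
        print(f"{severity}: {permission} granted to {audience}")
    print("after hardening:", risky_grants(strip_wide_grants(SAMPLE_ACL)))
```

The check is deliberately limited to the ACL; a bucket policy with a `"Principal": "*"` statement can open the same bucket just as widely, so a production audit should inspect both and confirm that Block Public Access is on at the account level.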

Source (Includes IOCs)


180,000 Brazilians had their DNS hijacked in the first half of 2019

  • Avast found that 180,000 of its users located in Brazil had their DNS hijacked in RouterCSRF campaigns between February and June 2019. The most hijacked domains were found to belong to banking institutions and Netflix.
  • RouterCSRF attacks are distributed via malvertising campaigns and modify DNS settings on victims’ routers, reconfiguring them to use rogue DNS servers that redirect victims to phishing pages. Avast observed more than 4.6 million attacks in Brazil between February 1st and March 30th, 2019.

Source (Includes IOCs)


Hacker Groups

Proofpoint release analysis of threat actor TA544 

  • Proofpoint researchers published an analysis of the financially-motivated threat actor TA544. Since February 2017, the group has delivered more than six unique malware payloads in high-volume campaigns to victims across Western Europe and Japan.
  • Active malicious campaigns are currently ongoing in Italy and Japan, where the group are deploying Ursnif and URLZone banking trojans. Targeted sectors in Japan include marketing, advertising and technology, whereas targets in Italy are primarily in the manufacturing and retail sectors.
  • TA544’s primary payload delivery mechanism is malicious Microsoft VBA macros, although the researchers also detected an increase in the use of steganographic images.



Leaks and Breaches

Shingle Springs Health and Wellness Centre targeted in ransomware attack

  • The attack against the California-based Shingle Springs medical center occurred on April 7th, 2019. The attack may have compromised the data of 21,513 patients. Personal data that may have been affected includes names, health insurance information, provider names, Social Security numbers, and more.
  • Shingle Springs stated that they have not seen any evidence that patient information was compromised.




Walkie Talkie Apple Watch app disabled due to unspecified vulnerability

  • Apple disabled the Apple Watch Walkie Talkie app until a fix can be applied to an unspecified vulnerability. The app will remain installed on users’ devices but will remain inaccessible until a patch is released.
  • Apple were made aware of the bug via their ‘report a vulnerability’ portal. The company stated that there is no current evidence that the flaw has been exploited in the wild.



Vulnerabilities found in legacy unit of Uniguest Kiosk software

  • Security researcher Adrian Pruteanu discovered a publicly exposed website containing what appeared to be all the tools Uniguest technicians would need to deploy or manage a kiosk on location.
  • Among the pre-packaged software and manuals, Pruteanu discovered SystemSleuth, an application deployed to legacy kiosks that seems to collect information such as product keys, asset tags, passwords, and various other data. This data is then sent to the Salesforce API. By decompiling SystemSleuth, the researcher found hardcoded Salesforce API credentials. He was then able to use the API to dump all data in the Uniguest database including admin, router and BIOS passwords, product keys, and other sensitive information, which appeared to belong to all of Uniguest’s customers. This information could be used by attackers to deploy keyloggers, remote access trojans, and various other forms of malware.
  • The company has since secured the website behind an authentication portal; however, SystemSleuth and the now-disabled API credentials can still be found on its managed systems.
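
Credentials embedded in a shipped binary, as found in SystemSleuth, are recoverable by anyone who runs a strings extractor or decompiler over it. The routine below is an added example, not the researcher's method or Uniguest's code: it reproduces the strings step of such a review and flags values assigned to names that usually hold secrets, which is the kind of pre-release gate that catches this defect before deployment. SAMPLE_BINARY is a constructed byte string, and every credential value in it is a placeholder.

```python
"""Scan a compiled artifact for credential-shaped strings before it ships.
Added example; SAMPLE_BINARY and its values are constructed placeholders."""
import re

MIN_LEN = 6

# key=value or key: value where the key name suggests a credential.
CREDENTIAL_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|consumer[_-]?key|client[_-]?secret)"
    r"\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)


def extract_strings(blob, min_len=MIN_LEN):
    """Return runs of printable ASCII, as the `strings` utility would."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_hardcoded_credentials(blob):
    """Return (key_name, value) pairs found among the artifact's strings.

    Values are returned so a reviewer can confirm the hit; a CI gate would
    normally log only the key name and fail the build.
    """
    hits = []
    for s in extract_strings(blob):
        for m in CREDENTIAL_RE.finditer(s):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


# Constructed stand-in for a decompiled client binary: non-printable header
# bytes, a class name, and NUL-terminated configuration strings, two of which
# carry placeholder secrets.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"SalesforceClient\x00"
    + b"username=svc-kiosk@example.invalid\x00"
    + b"password=CHANGEME-placeholder\x00"
    + b"client_secret=0123456789abcdef\x00"
    + b"\x7f\x02Product key collected\x00"
)

if __name__ == "__main__":
    for key, value in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"hardcoded {key}: {value}")
```

A name-based match like this is cheap and has few false positives, but it misses secrets stored without a recognisable label; pairing it with an entropy check on long strings, and with a policy that clients obtain API tokens at runtime from a per-device identity rather than from a constant, closes the gap the report describes.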



Cisco patches denial-of-service vulnerability in ASA and FTD products

  • CVE-2019-1873 is a ‘high’ severity vulnerability found in the cryptographic driver of Cisco’s Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software products. The vulnerability could potentially allow a remote attacker to cause a denial-of-service condition by sending a crafted TLS/SSL packet to an interface on the targeted device.



Juniper Networks patch multiple vulnerabilities

  • Juniper Networks released 11 security alerts, two critical, five high and four medium, for a number of vulnerabilities detected across several of its product lines.
  • The critical vulnerabilities are found in Steel Belted Radius Carrier Edition and Junos Space.
  • Patches and updates have been made available and it does not seem that any of the vulnerabilities have been exploited in the wild.



General News

Service disruption issue triggers Twitter worldwide outage

  • An internal configuration change caused Twitter to experience a worldwide outage on July 11th, 2019, which lasted for approximately an hour. All Twitter APIs were impacted by the outage. Additionally, Tweetdeck was down and displayed an error message when users attempted to login.



Google contractors listen to audio files recorded by Google Home and Google Assistant

  • VRT NWS reported that Google subcontractors are trying to improve Google’s language algorithms by listening to recordings made via Google Home smart speakers and the Google Assistant smartphone app. In their terms and conditions, Google state that these devices record and store information, but they do not state that employees listen to this information. 
  • VRT NWS listened to over a thousand excerpts recorded via Google Assistant, clearly hearing private information such as children’s conversations, medical queries and addresses. The journalists also heard 153 conversations which should not have been recorded as the ‘Okay Google’ command was not clearly stated.
  • The recordings that VRT NWS accessed were being analysed in an attempt to improve Google’s Dutch language algorithms. The reporters stated that thousands of employees worldwide use the same system to analyse audio excerpts. 



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
