Silobreaker Daily Cyber Digest – 12 March 2019
New RaaS Yatron advertised on Twitter plans to spread using EternalBlue NSA Exploits
- The new ransomware-as-a-service (RaaS), dubbed Yatron, encrypts files and appends them with the .Yatron extension, and sends the unique ID and encryption password back to the ransomware’s C&C server. When encryption is finished an interface with a 72-hour countdown is displayed, after which the files are deleted.
- According to Michael Gillespie, the ransomware is based upon HiddenTear, but the encryption algorithm has been modified so it cannot be decrypted using current methods. Yatron attempts to use EternalBlue and DoublePulsar to spread to Windows machines on the same network, using patched SMBv1 flaws. However, the code to use these exploits is currently incomplete, therefore they are not currently active.
Source (Includes IOCs)
Fortinet analyses new Emotet modules
- Following Fortinet’s recent analysis of a new variant of Emotet, they have further detected three modules connected to its C&C server. The report covers an in-depth analysis of the newly detected modules, as well as their associated anti-analysis techniques.
Source (Includes IOCs)
Fake APKs masquerading as popular Android games
- Four fake APKs related to Apex Legends have been discovered by researchers at Yoroi-Cybaze ZLab. These were all available from websites pretending to be an official source of an ‘Apex Legends for mobile’ APK.
- It appears that these games instead deliver spyware, asking for a broad range of permissions on the infected device.
Source (Includes IOCs)
New sextortion campaign email states victims are infected via adult sites
- The new sextortion scam includes the email subjects ‘This is my final warning’, and states that the recipient has 72 hours to send a $2,000 payment in Bitcoins or a video will be released to their family and friends. The email also states that the hacker infected the victim’s computer while they were visiting an adult site, which allowed them to access and record on the victim’s webcam.
Winnti Group backdoors products from Asian gaming companies
- According to ESET researchers, Chinese Winnti Group have compromised two games and one gaming platform in Asia with a backdoor trojan.
- The malicious code is included in the games’ main executable, and is decrypted at runtime and launched into execution in the PC’s memory while the original game or platform runs as intended.
- In early stages, the malware was observed checking for the system language and stopping if Russian or Chinese was detected. Victims of this campaign are mostly Asian with the majority located in Thailand, followed by the Philippines, Taiwan and Hong Kong.
- One of the games was identified as Infestation by Thai game developer Electronics Extreme, while the others remain undisclosed. According to the researchers, despite being notified, Electronics Extreme has not yet addressed the issue and is still offering a backdoored version of their product.
Source (Includes IOCs)
Leaks and Breaches
Ransomware attacks target college admissions data
- Three US colleges suffered a ransomware attack that impacted data on students applying for admissions to the schools. The perpetrators demanded a payment of $3,800 in Bitcoin in exchange for the stolen data.
- According to the Wall Street Journal the impacted colleges are Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College, New York. The attackers gained access to the student information after phishing for credentials from college staff.
Unprotected database reveals details of over 1.8 million women
- The database contains phone numbers, GPS coordinates, URLs to photos, addresses, ID numbers, and more.
- Most controversially, the database registers whether an individual is ‘BreedReady’, which researchers have speculated means that the women are of childbearing age. In addition, the database has a HasVideo status, which the researcher Victor Grevers believes could indicate the women are being monitored.
- However, based on varying language interpretations, the exact meaning of these statuses has been contested. The owner of the database has not been identified.
Fortune 100 companies’ websites at risk of data breaches through hidden third-party tags
- Crownpeak researchers found more than 1,700 tag redirects on websites belonging to companies in the Fortune 100. These hidden third-party tags can permit unauthorized access to user data.
Arizona HealthCare Cost Containment System suffers data breach
- The Medicaid agency’s system was targeted earlier this year, affecting over 3,100 individuals after their IRS 1095-B forms were delivered to the wrong addresses. An internal investigation discovered that the data breach was the result of a programming error.
- Data exposed includes names and dates of birth.
XSS flaw in WordPress plugin permits site takeover
- Defiant researcher Mikey Veenstra reported that a cross-site scripting (XXS) flaw exists in the Abandoned Cart Lite for WooCommerce WordPress plugin. According to Veenstra, several attacks abusing this flaw have been observed in the last few weeks.
- The plugin, with over 20,000 installations, permits site administrators to view abandoned shopping carts. Attackers are now automating operations against WordPress WooCommerce-based stores to generate shopping carts that contain products with malformed names.
- Exploit code is added in one of the shopping cart’s fields, the site is then left, resulting in the exploit code getting stored in the shop’s database. When the site administrator accesses the shop’s backend to view a list of the abandoned carts, the exploit code is executed.
Vulnerabilities discovered in Moxa Industrial Switches
- Multiple vulnerabilities have been found in Moxa’s EDS-405A, EDS-408A, EDS-510A and the IKS-G6824A series ethernet switches. Several major sectors, such as maritime logistics and oil and gas use these particular switches for their industrial networks.
- Three of the vulnerabilities were deemed ‘highly dangerous’, allowing an attacker to intercept cookies over a network via cross-site scripting, in order to extract sensitive information, credentials, and passwords. This could allow control of the switch, and potentially the entire network. The IKS-G6824A series switches were discovered storing passwords in plaintext on the device, allowing an attacker to reboot the device, and potentially alter configuration via a web interface.
- Moxa have advised to disable all unneeded equipment, and follow their security advisory for issued resolutions.
Backdoor discovered in Swiss voting system
- Researchers have discovered a critical vulnerability in the source code of an internet voting system that Switzerland plans to roll out in 2019. This vulnerability could allow someone to swap legitimate ballots with fraudulent ones whilst remaining undetected.
- The system is currently part of a public penetration test, offering a bug bounty to anyone who can find flaws in the code. The results of the test will be published in several weeks.
Google patches several critical vulnerabilities
- Google’s March Security Update includes patches for eleven critical bugs in Android OS, including CVE-2019-1989 and CVE-2019-1990, which are both critical media framework vulnerabilities, and CVE-2019-2009, a critical vulnerability affecting the Bluetooth component.
Source (Includes IOCs)
Medical IoT devices with outdated operating systems exposed to hacking
- CheckPoint researchers reported on the risks associated with medical IoT devices running on outdated operating systems. In one case, the researchers were able to access an entire database of patient ultrasound images from an ultrasound machine running on Windows 2000 – an operating system that no longer receives patches or updates.
- According to CheckPoint, the motivation for attacking healthcare organizations is not just to cause mass disruption. The personal information obtained can be used by criminals to gain access to expensive medical services, prescription medication as well as government health benefits.
- In addition, the researchers note that the healthcare sector has registered the highest cost to remedy data breaches in comparison to other sectors.
Three Romanian citizens plead guilty to vishing and phishing scheme
- Robert Codrut Dumitrescu, Teodor Laurentiu Costea and Cosmin Draghici recorded messages and texts that tricked victim’s into revealing their Social Security numbers and bank account information. From 2011 to 2014, the men compromised computers located in the US and installed bulk emailing software and interactive voice response on them.
- The computers initiated thousands of texts and phone calls that tricked recipients into disclosing their personal information, including accounts numbers, Social Security numbers and PINs. The information was stored on the compromised computers, and later sold to a third party. At the time of arrest, the three men collectively possessed 42,793 financial accounts numbers.
North Korea used cyberattacks and blockchain to steal foreign currency
- Reporting to the UN Security Council, a panel of experts has claimed that North Korea amassed around $670 million in foreign and virtual currency through cyberattacks, using blockchain technology to cover its tracks.
- The experts’ report states that North Korea waged cyberattacks on foreign financial institutions from 2015 to 2018 to circumvent economic sanctions that have been imposed on the country. Between January 2017 and September 2018, North Korea launched at least five successful attacks on Asian cryptocurrency exchanges, with losses amounting to $571 million.
- North Korea was also seen using social media sites, such as YouTube or Instagram, to advertise their military equipment – the sales of which are subject to international sanctions. The report is due to be published next week.
Facebook files lawsuit over quiz apps that steal data
- Two Ukranian nationals, Gleb Sluchevsky and Andrey Gorbachov, are being sued by Facebook over two quiz apps that secretly stole user’s data. The apps, including ‘Supertest’, ‘Megatest’, and ‘FQuiz’, were developed as browser extensions that allowed the developers to harvest data and push advertisements on victim’s Facebook pages.
- Once installed, the apps collected names, genders, ages, profile pictures as well as connected friends’ data. Sluchevsky and Gorbachov created the fake apps using 13 fake Facebook profiles under pseudonyms. The apps affected 63,000 browsers between 2016 and 2018. Facebook estimate the apps have caused $75,000 worth of damages.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.