
Silobreaker Daily Cyber Digest – 12 November 2018

 

Malware

New cryptomining malware discovered targeting Linux systems

  • Trend Micro researchers discovered a new cryptocurrency-mining malware targeting Linux systems, tracked as Coinminer[.]Linux.KORKERDS.AB. The miner can update and upgrade itself.
  • The malware is bundled with a rootkit component, Rootkit[.]Linux.KORKERDS.AA, which hides the miner's process from process-monitoring tools. The only symptom visible to users of an infected system is degraded performance.
  • According to the researchers, the infection vector is a malicious third-party plugin, either an unofficial one or a compromised legitimate one.

Source (Includes IOCs)

 

Researchers find FASTCash trojan used by Lazarus Group in ATM attacks

  • Symantec researchers identified the malware behind the Lazarus Group's ongoing FASTCash ATM cash-out attacks, which they detect as Trojan.Fastcash.
  • Once injected into a bank's payment switch application server, the trojan intercepts fraudulent withdrawal requests made with attacker-controlled cards and replies with forged approval responses, so the ATM dispenses cash without the bank's own systems ever authorizing the transaction. The malware was purpose-built for servers running unsupported versions of IBM's AIX operating system.
  • The Lazarus Group has used the trojan since at least 2016 to steal millions of dollars from ATMs of banks in Asia and Africa.

Source (Includes IOCs)

 

Ongoing Campaigns

New EMOTET trojan campaign detected

  • ESET researchers detected a new spam email campaign distributing the EMOTET trojan.
  • The emails carry malicious Word or PDF attachments posing as invoices, payment notifications or bank account alerts from seemingly legitimate organizations such as Bank of America.
  • Once a victim enables macros in the Word document or follows the link in the PDF, EMOTET is downloaded and launched on the device. As a second stage, EMOTET was observed installing the TrickBot and IcedID banking trojans on compromised systems.
  • According to ESET, the campaign has been most active in North and South America, the UK, Turkey and South Africa, and was first detected on 5 November 2018.

Source (Includes IOCs)

 

JexBoss tool exploited by threat actors

  • The US National Cybersecurity and Communications Integration Center (NCCIC) has issued a warning that the open-source JBoss Verify and Exploitation (JexBoss) tool is being used by attackers to test for and exploit vulnerabilities in the JBoss Application Server (JBoss AS) and several other Java applications and platforms.
  • JexBoss is a legitimate tool used by penetration testers and hunt teams to verify and exploit those vulnerabilities, but because it automates every phase of an attack, from discovery through exploitation to post-exploitation, it is equally effective in the hands of threat actors.
  • JexBoss was previously used in the SamSam ransomware campaign of March 2016 to gain initial access to victims' networks through exposed, unpatched JBoss servers.

Source
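The practical question for a defender reading the NCCIC alert is whether anyone has been sweeping their JBoss management endpoints. The script below is an added example, not code from the digest, from NCCIC or from the JexBoss project: it runs a simple detection over web-server access logs and ranks source IPs, treating a 2xx response on an invoker servlet as a stronger signal than a probe that was rejected. The endpoint list reflects the paths JexBoss publicly checks on JBoss AS but is an assumption to be tuned, and the log lines are constructed.

```python
"""Added example (not from the Silobreaker digest or the JexBoss project):
flag web-server access-log entries that look like JexBoss probing of the
JBoss AS management endpoints.  The log lines are constructed."""
import re
from collections import defaultdict

# Management/invoker paths JexBoss probes on JBoss AS.  The list reflects the
# tool's public checks but is an assumption here; tune it to your deployment.
JEXBOSS_PATHS = (
    "/jmx-console",
    "/web-console/invoker",
    "/invoker/jmxinvokerservlet",
    "/invoker/ejbinvokerservlet",
    "/admin-console",
    "/jbossmq-httpil/httpserverilservlet",
)

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one host sweeps the JBoss endpoints and gets a 200 on the
# invoker servlet, a second host only fetches the home page, a third is blocked.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Nov/2018:09:14:02 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0
198.51.100.7 - - [12/Nov/2018:09:14:03 +0000] "GET /web-console/Invoker HTTP/1.1" 404 512
198.51.100.7 - - [12/Nov/2018:09:14:04 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1371
203.0.113.5 - - [12/Nov/2018:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.9 - - [12/Nov/2018:09:16:44 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 403 221
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jexboss_probe(path):
    """True if the request path (query string ignored) hits a probed endpoint."""
    p = path.split("?", 1)[0].lower()
    return any(p == base or p.startswith(base + "/") for base in JEXBOSS_PATHS)


def scan(log_text):
    """Group probe hits by source IP: {ip: [(method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_jexboss_probe(rec["path"]):
            hits[rec["ip"]].append((rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)


def triage(log_text):
    """Rank sources.  A 2xx on an invoker servlet means the endpoint answered,
    i.e. exploitation was possible rather than merely attempted."""
    report = []
    for ip, events in scan(log_text).items():
        reachable = any(
            status < 300 and "/invoker/" in path.lower()
            for _, path, status in events
        )
        report.append({"ip": ip, "probes": len(events), "invoker_reachable": reachable})
    report.sort(key=lambda r: (not r["invoker_reachable"], -r["probes"]))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run against real logs, a source with `invoker_reachable` set is the one to investigate first: it means the JMX invoker accepted a request, which is the condition JexBoss needs to deploy a payload, so the host should be treated as potentially compromised rather than merely scanned.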

 

Leaks and Breaches

Alabama hospital notifies job applicants of online application vendor Jobscience data breach

  • Huntsville Hospital in Alabama notified its job applicants that their personal information may have been exposed when Jobscience, the vendor that hosted the hospital's online job-application system, suffered a data breach.

Source

 

100,000 Filipinos affected by Cathay Pacific Airways data breach

  • Cathay Pacific Airways reported to the Philippines' National Privacy Commission that the breach it disclosed in late October 2018 had compromised the passport numbers, identity card numbers, email addresses and credit card details of passengers, including around 100,000 Filipinos.

Source

 

Vulnerabilities

Hackers exploit critical flaw in WordPress GDPR Compliance plugin

  • Wordfence researchers reported that the plugin's AJAX settings handler could be reached without authentication and used to modify arbitrary WordPress option values, which an attacker can chain into privilege escalation and use to infect vulnerable websites.
  • Wordfence observed sites being compromised via the flaw: attackers used the ability to update arbitrary option values to open user registration with administrator as the default role, then registered administrator accounts on the targeted sites. Site owners should update to the patched release (1.4.3 or later), review every account holding the administrator role and restore any modified option values.

Source
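The option-tampering chain above leaves two artefacts that are easy to check for: the flipped registration settings and an administrator account that appeared after the attack. The script below is an added example, not code from the digest, from Wordfence or from the plugin; it runs both checks over constructed stand-ins for the wp_options, wp_users and wp_usermeta tables. The option names users_can_register and default_role are WordPress core settings, and the "wp_" table prefix is assumed.

```python
"""Added example (not from the digest, from Wordfence or from the plugin):
audit checks for the post-exploitation pattern where an attacker who can
write arbitrary WordPress options opens self-registration, makes new
registrations administrators, and then registers an account.  The rows
below are constructed stand-ins for wp_options, wp_users and wp_usermeta."""
import re
from datetime import datetime

# Constructed wp_options snapshot (option_name -> option_value).
OPTIONS = {
    "siteurl": "https://shop.example",
    "users_can_register": "1",        # core default is "0"
    "default_role": "administrator",  # core default is "subscriber"
    "admin_email": "owner@shop.example",
}

# Constructed wp_users rows.
USERS = [
    {"ID": 1, "user_login": "owner",    "user_registered": "2016-03-02 10:00:00"},
    {"ID": 2, "user_login": "editor1",  "user_registered": "2018-01-15 08:30:00"},
    {"ID": 3, "user_login": "helpdesk", "user_registered": "2018-11-08 23:41:17"},
]

# Constructed wp_usermeta rows.  WordPress stores roles as a PHP-serialized
# array under the <prefix>capabilities meta key; prefix "wp_" is assumed.
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# Matches each role name that is set to true in the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def audit_options(options):
    """Flag option values that enable the open-registration-as-admin chain."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(f"default_role is {role!r}, expected 'subscriber'")
    return findings


def roles_for(user_id, usermeta, prefix="wp_"):
    """Extract role names from the serialized capabilities meta of one user."""
    for row in usermeta:
        if row["user_id"] == user_id and row["meta_key"] == prefix + "capabilities":
            return set(ROLE_RE.findall(row["meta_value"]))
    return set()


def recent_admins(users, usermeta, since):
    """Return logins of administrators registered at or after `since`."""
    cutoff = datetime.fromisoformat(since)
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in roles_for(u["ID"], usermeta)
        and datetime.fromisoformat(u["user_registered"]) >= cutoff
    )


if __name__ == "__main__":
    print(audit_options(OPTIONS))
    print(recent_admins(USERS, USERMETA, "2018-11-01 00:00:00"))
```

On a live site the same three facts come straight from WP-CLI: `wp option get users_can_register`, `wp option get default_role` and `wp user list --role=administrator --fields=user_login,user_registered`. Note that attackers who revert the two options after creating their account leave only the second artefact, so the account review matters even when the options look clean.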

 

VMware patched critical vulnerabilities disclosed during GeekPwn2018 hacking competition

  • A Chaitin Tech researcher at the Shanghai competition demonstrated a guest-to-host virtual machine escape as well as an information disclosure bug. Both vulnerabilities (CVE-2018-6981, which allows code execution on the host from a guest, and CVE-2018-6982, which leaks host memory to the guest) are caused by use of uninitialized stack memory in the vmxnet3 virtual network adapter, so only virtual machines configured with a vmxnet3 NIC are exposed. VMware has released patches for ESXi, Workstation and Fusion; the information disclosure issue affects ESXi only.

Source

 

General News

Chinese headmaster caught using Ethereum mining rig on school grounds

  • Principal Lei Hua was dismissed from a school in Chenzhou, Hunan Province, for running Ethereum mining rigs in the school's dormitory building, costing the school roughly $2,000 in electricity bills.

Source

 

Bug bounty hunter found to operate doxing service

  • Investigative journalist Brian Krebs reported that Ryan Stevenson, a bug hunter recognized by several telecommunications companies for finding and reporting security issues, has been offering doxing services online.
  • In particular, Stevenson was found to be selling personal data on customers of major broadband and telecommunications companies, including Verizon, AT&T, Sprint, T-Mobile, MetroPCS and Boost Mobile. According to Krebs, Stevenson 'leveraged the same flaws' to obtain customers' personal data as the ones he reported to the telecoms providers.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
