Silobreaker Daily Cyber Digest – 12 November 2018
New cryptomining malware discovered targeting Linux systems
- Trend Micro researchers discovered a new cryptocurrency-mining malware targeting Linux systems, tracked as Coinminer[.]Linux.KORKERDS.AB. The malware is able to upgrade and update itself.
- The malware is bundled with a rootkit component, Rootkit[.]Linux.KORKERDS.AA, which hides the malicious processes from monitoring tools, so users of infected systems would only notice performance issues.
- According to the researchers, the infection vector is a malicious, third-party, unofficial or compromised plugin.
Source (Includes IOCs)
Researchers find FASTCash trojan used by Lazarus Group in ATM attacks
- Symantec researchers discovered a new malware, dubbed FASTCash trojan, used by the Lazarus Group in their ongoing stream of ATM attacks.
- FASTCash enables the group to intercept fraudulent ATM cash withdrawal requests and send fake approval responses. The malware was specifically designed to compromise banking application servers running unsupported versions of IBM’s AIX operating system.
- The Lazarus Group has been using this trojan since at least 2016 to steal millions of dollars from ATMs of Asian and African banks.
Source (Includes IOCs)
New EMOTET trojan campaign detected
- ESET researchers detected a new spam email campaign distributing the EMOTET trojan.
- In this campaign, EMOTET is being distributed via malicious Word or PDF attachments, claiming to be invoices, payment notifications or bank account alerts from seemingly legitimate organizations such as Bank of America.
- After victims enable macros in the Word document or click a link in the PDF attachment, EMOTET is installed and launched on the device. Its secondary payload installs the TrickBot malware and the IcedID trojan on targeted systems.
- According to ESET, this campaign has been most active in North and South America, the UK, Turkey and South Africa. The campaign was first detected on November 5th, 2018.
Source (Includes IOCs)
JexBoss tool exploited by threat actors
- The US National Cybersecurity and Communications Integration Center (NCCIC) has issued a warning that the open-source JBoss Verify and Exploitation (JexBoss) tool is being used by attackers to test and exploit vulnerabilities in the JBoss Application Server (JBoss AS) and several other Java applications and platforms.
- JexBoss is used by cybersecurity hunt teams to test and exploit vulnerabilities. The tool also automates all phases of a cyberattack, making it an effective weapon for threat actors.
- JexBoss was previously used in the SamSam ransomware campaign in March 2016 to gain initial access to the target network.
Leaks and Breaches
Alabama hospital notifies job applicants of online application vendor Jobscience data breach
- Huntsville Hospital in Alabama reported to its job applicants that their information may have been compromised when the cloud computing firm Jobscience suffered a breach.
100,000 Filipinos affected by Cathay Pacific Airways data breach
- Cathay Pacific Airways reported to the Philippines’ National Privacy Commission that a major data leak in late October 2018 had compromised the passport numbers, identity card numbers, email addresses and credit card details of passengers.
Hackers exploit critical flaw in WordPress GDPR Compliance plugin
- Wordfence researchers reported that unauthenticated attackers could exploit the plugin’s vulnerabilities to carry out privilege escalation and infect other vulnerable websites.
- Wordfence observed cases of websites being infected via the flaw, with hackers using the ability to update arbitrary options values in order to install administrator accounts on the targeted websites.
VMware patched critical vulnerabilities disclosed during GeekPwn2018 hacking competition
- A Chaitin Tech researcher at the Shanghai hacking competition demonstrated a virtual machine guest-to-host escape exploit, as well as an information disclosure bug. The vulnerabilities (CVE-2018-6981 and CVE-2018-6982) are caused by use of uninitialized stack memory in the vmxnet3 virtual network adapter.
Chinese headmaster caught using Ethereum mining rig on school grounds
- Principal Lei Huaw was fired from a school in Chenzhou, Hunan Province, for mining cryptocurrency in the school dorms, costing the school $2,000 in electricity bills.
Bug bounty hunter found to operate doxing service
- Security researcher Brian Krebs reported that Ryan Stevenson, a bug hunter recognized by several telecommunications companies for finding and reporting security issues, has been offering various doxing services online.
- In particular, Stevenson was found to be offering services aimed at customers of major broadband and telecommunications companies including Verizon, AT&T, Sprint, T-Mobile, MetroPCS and Boost Mobile. According to Krebs, Stevenson ‘leveraged the same flaws’ he had reported to the telecoms providers in order to sell customers’ personal data.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.