Silobreaker Daily Cyber Digest – 12 November 2019
Researchers analyse banking trojan Cerberus
- Anomali researchers, in partnership with a major European financial institution, analysed Cerberus, a banking trojan first discovered by ThreatFabric in June 2019, but which is believed to have been active since at least 2017.
- Cerberus is offered as malware-as-a-service on the Russian hacking forum XSS[.]is by a Premium account holder going by ‘Android’. The malware is also advertised on the Twitter account ‘AndroidCerberus’, which claims to be based in Ukraine.
- The threat actor states that their starter kits are pre-packaged with injections for the US, France, Turkey and Italy; however, the researchers found that the injections include targets across 16 countries. The majority of samples analysed targeted banking organisations, whilst some also targeted the e-commerce, FinTech, and telecommunications industries.
- A full technical analysis is available on Anomali’s blog.
Source (Includes IOCs)
TCP reflection attacks increasingly used by threat actors
- Researchers at Radware have observed a steady increase in TCP reflection attacks over the last two years. One such attack is known as a TCP SYN-ACK attack, in which an attacker sends spoofed SYN packets to a range of IP addresses with the source IP replaced by the victim’s IP, so that every recipient answers the victim with SYN-ACKs. The amount of amplification depends on how many times each reflecting service retransmits its SYN-ACK before giving up.
- The researchers observed more collateral damage from such attacks than from UDP amplification attacks. The targeted victims, usually large corporations, are not the only ones affected: small businesses and individuals whose hosts are used as reflectors also suffer secondary outages.
- An example is the recent attack in October 2019 against Eurobet, which at first appeared to be part of a ransom denial-of-service campaign. The attack lasted a number of days and caused smaller businesses to assume that they were a target of SYN flood attacks.
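A defender-side illustration of the SYN-ACK reflection pattern described above, added here as an example and not part of the Radware research or the digest: it walks a constructed set of edge flow records, treats inbound SYN-ACKs that match no outbound SYN from the victim as reflected traffic, and estimates the amplification factor from the retransmits per reflector. The victim address and all records are constructed assumptions.

```python
from collections import Counter

VICTIM_IP = "203.0.113.10"  # assumed victim address (documentation range)

# Constructed flow records, shaped like what an edge flow sensor might export:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_RECORDS = [
    # A legitimate handshake: the victim sends a SYN and gets one SYN-ACK back.
    (0.0, VICTIM_IP, 40001, "198.51.100.5", 443, "S"),
    (0.1, "198.51.100.5", 443, VICTIM_IP, 40001, "SA"),
    # Unsolicited SYN-ACKs from three reflectors; the victim never sent a SYN.
    # Reflector 192.0.2.1 retransmits twice, 192.0.2.2 once, 192.0.2.3 not at all.
    (1.0, "192.0.2.1", 80, VICTIM_IP, 54321, "SA"),
    (2.0, "192.0.2.1", 80, VICTIM_IP, 54321, "SA"),
    (4.0, "192.0.2.1", 80, VICTIM_IP, 54321, "SA"),
    (1.0, "192.0.2.2", 443, VICTIM_IP, 54321, "SA"),
    (2.0, "192.0.2.2", 443, VICTIM_IP, 54321, "SA"),
    (1.0, "192.0.2.3", 25, VICTIM_IP, 54321, "SA"),
]


def analyse_synack_reflection(records, victim_ip):
    """Count unsolicited SYN-ACKs per reflector and estimate amplification.

    A SYN-ACK is 'solicited' only if the victim previously sent a SYN to the
    same (peer ip, peer port, local port) tuple. Everything else is reflected.
    """
    outbound_syns = set()
    unsolicited = Counter()
    for ts, src, sport, dst, dport, flags in sorted(records, key=lambda r: r[0]):
        if src == victim_ip and flags == "S":
            outbound_syns.add((dst, dport, sport))
        elif dst == victim_ip and flags == "SA":
            if (src, sport, dport) not in outbound_syns:
                unsolicited[src] += 1
    reflectors = len(unsolicited)
    # Each spoofed SYN yields one SYN-ACK plus its retransmits, so the mean
    # number of unsolicited SYN-ACKs per reflector is the amplification factor.
    amplification = sum(unsolicited.values()) / reflectors if reflectors else 0.0
    return {
        "unsolicited": dict(unsolicited),
        "distinct_reflectors": reflectors,
        "amplification_factor": amplification,
    }


if __name__ == "__main__":
    print(analyse_synack_reflection(SAMPLE_RECORDS, VICTIM_IP))
```

On real flow exports the same logic should run over a sliding time window, with an alert when the number of distinct reflectors and the unsolicited SYN-ACK rate both exceed a site-specific baseline.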
RIG Exploit Kit campaign delivers Sodinokibi to targets in Asia
- Security researcher mol69 identified a malvertising campaign targeting Internet Explorer users in Vietnam, Korea, Malaysia, and potentially other countries in Asia. The malicious adverts are placed on blogs and low-quality web games, and visitors to these sites are redirected to a RIG exploit kit gateway.
- The exploit kit attempts to take advantage of Flash vulnerabilities in the browser. Successful exploitation will result in Internet Explorer crashing. RIG EK then executes a JScript command which downloads an obfuscated VBScript, which proceeds to download and execute Sodinokibi ransomware.
- Victims infected with the ransomware have their files encrypted and a ransom note set as their desktop wallpaper. At present there is no free decryption method for Sodinokibi ransomware.
Two new carding bots discovered targeting e-commerce sites
- Researchers at PerimeterX identified two new carding bots, dubbed canary bot and shortcut bot, that are being employed to target e-commerce sites.
- Canary bot targets e-commerce platforms that are used by thousands of businesses. Before the bot executes the carding attack it mimics user activity by creating a shopping cart, adding products, and setting shipping information.
- Shortcut bot attempts to reduce attack time by avoiding e-commerce websites and directly targeting the card payment vendor APIs used by websites or mobile apps. The researchers stated that in some cases the attackers are discovering paths with API calls that website operators are unaware of.
Recent BlueKeep attack caused machines to crash due to Meltdown patch
- Recent attacks exploiting the BlueKeep vulnerability, tracked as CVE-2019-0708, in an attempt to deliver a cryptocurrency miner were causing targeted machines to crash with a Blue Screen of Death error.
- Researcher Sean Dillon, one of the developers of the BlueKeep Metasploit module, determined that the crashes were caused by the presence of an Intel CPU patch for the Meltdown vulnerability.
- Dillon stated that the BlueKeep Metasploit module will be updated so that the Meltdown patch no longer causes targeted machines to crash.
Leaks and Breaches
Pemex hit by ransomware attack
- Mexico’s oil company Pemex was targeted by a Ryuk ransomware attack on November 11th, 2019, affecting multiple computer servers and stopping administrative work at the firm. Its oil production and storage were not affected.
Delta Dental informs patients of data breach
- An unauthorised individual gained access to an employee email account of Delta Dental in July 2019. The Arizona-based dental plan system has since informed patients of the potential data breach, in which protected health information may have been exposed. Potentially exposed data includes Social Security numbers, financial account information and credit or debit card information.
Fishing retailer The Orvis Company Inc exposes internal passwords
- Security researcher Brian Krebs reported that The Orvis Company Inc inadvertently exposed hundreds of internal plaintext usernames and passwords on Pastebin. The credentials were used to manage most of the security products and online services used by the company.
- The exposed information gave access to internal systems such as firewalls, administrator accounts, database servers, routers, FTP credentials, security cameras, and more.
- A spokesperson for Orvis stated that the data was only available for a day, however, Hold Security and 4iq[.]com stated that the information was posted twice, once on October 4th, 2019, and a second time on October 22nd, 2019. Hold Security founder Alex Holden stated that the data exposure was most likely caused by a third-party partner.
ZoneAlarm alerts forum users of data breach
- An unauthorised individual gained access to the private data of ZoneAlarm discussion forum users. Exposed data included names, email addresses, hashed passwords and dates of birth. ZoneAlarm stated that only users registered with ‘forums[.]zonealarm[.]com’, which has about 4,500 subscribers, are affected. The company advised its users to change their account passwords immediately.
- A ZoneAlarm spokesperson confirmed that the attacker had exploited the known remote code execution vulnerability CVE-2019-16759 found in vBulletin. The flaw was publicly disclosed in September 2019 and affects versions 5.0.0 to 5.5.4.
Magento’s Security Team urges users to patch vulnerability
- Magento’s Security Team recommended that users install the latest security patches to protect against a remote code execution vulnerability, tracked as CVE-2019-8144. The flaw, located in preview methods, impacts unsupported versions of Page Builder, Magento Commerce 2.3.1 and Magento Commerce 2.3.2.
- The security team also stated that, before applying the patch, store owners should check that their sites have not already been compromised.
Labour Party targeted in DDoS attack
- The UK Labour Party revealed that their digital platforms were targeted in a distributed denial of service (DDoS) attack which occurred on November 11th, 2019. A Labour source informed the BBC that the majority of the attacks originated in Russia and Brazil.
- The party’s executive director Niall Sookoo stated that the attacks failed, and said that the incident had been reported to the National Cyber Security Centre.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.