Silobreaker Daily Cyber Digest – 13 June 2019
Palo Alto’s Unit 42 report on evolving Hide ‘N Seek botnet
- Unit 42 has discovered a variant of the Hide ‘N Seek botnet using two new exploits, including CVE-2018-20062, which targets ThinkPHP installations, and CVE-2019-7238, a remote code execution flaw in Sonatype Nexus Repository Manager.
- The report includes a technical analysis of this new variant, and the newly discovered exploits.
Source (Includes IOCs)
Cyberbit researchers discover new dropper in Formbook samples
- According to the researchers, the new dropper has improved persistence and obfuscation capabilities. Formbook infections usually begin with an email campaign carrying a malicious PDF, DOC or XLS attachment which, when opened, causes Formbook’s dropper to load the malware onto the infected machine.
- The new dropper does not simply unpack the malware; instead it installs a file that creates two post-infection processes, a Microsoft HTML Application Host (mshta[.]exe) and a dropper (Rhododendrons8[.]exe). Mshta[.]exe executes HTML files and runs Visual Basic Scripts for extra persistence, adding an obfuscated copy of the malware to the registry autorun key on the system. Rhododendrons8[.]exe unpacks the Formbook payload, which is stored encrypted within the code section of Rhododendrons8[.]exe.
- The researchers assess that the discovery of the new dropper suggests that a data-theft attack could be imminent.
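As an added illustration (not code from the Cyberbit report), the Python heuristic below flags the two behaviours described above, a script host such as mshta.exe launched from a user-writable path and a registry Run key value set by a script host, over constructed Sysmon-style event lines; the event format, paths and value names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events in a simplified Sysmon-like "key=value|key=value"
# format (EventID 1 = process creation, EventID 13 = registry value set).
# Paths and names are illustrative assumptions, not indicators from the report.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe"
    "|ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\Rhododendrons8.exe"
    "|CommandLine=mshta.exe C:\\Users\\bob\\AppData\\Roaming\\upd.hta",
    "EventID=13|Image=C:\\Windows\\System32\\mshta.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=\"C:\\Users\\bob\\AppData\\Roaming\\upd.hta\"",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt",
    "EventID=13|Image=C:\\Program Files\\Vendor\\setup.exe"
    "|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"
    "|Details=\"C:\\Program Files\\Vendor\\agent.exe\"",
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain '=' but never '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[str]) -> List[str]:
    """Return one alert string per event matching the persistence heuristics."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if ev.get("EventID") == "1" and image in SCRIPT_HOSTS \
                and USER_WRITABLE.search(ev.get("ParentImage", "")):
            alerts.append(f"script host {image} launched by {ev['ParentImage']}")
        elif ev.get("EventID") == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            # Autorun entries written by a script host or pointing into a
            # user-writable location are the pattern described for the new dropper.
            if image in SCRIPT_HOSTS or USER_WRITABLE.search(details):
                alerts.append(f"autorun value {ev['TargetObject']} set by {image}: {details}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```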
Malwarebytes Labs publish analysis of Megacortex malware
- Megacortex is a new ransomware family that was observed attacking businesses in May 2019 and is part of an identified trend in which threat actors create ransomware specifically for targeted attacks. Detections of the malware have now slowed, as they have for Troldesh and CrySIS.
- Malwarebytes Labs’ report includes an analysis of the ransomware’s distribution and execution.
New ‘Fishwrap’ influence campaign discovered disseminating old terrorism news
- The new social media-based campaign, dubbed ‘Fishwrap’, was found using over 215 social media accounts to recycle and disseminate images and reports from past terrorist attacks, presenting them as current news.
- Some of the reports used in the campaign concerned riots in Sweden over police brutality and claimed that Muslims were protesting against Christian crosses. The story was later picked up by ‘right-wing’ news accounts in the UK; however, the report actually used images of students protesting in Chile in 2016.
- Clusters of accounts were used in the campaign: the first was active from May to October 2016 and the second from November 2018 to April 2019, with some accounts maintaining activity throughout the entire period. Most accounts have now been suspended.
Telegram targeted with DDoS attack
- Users of Telegram in specific parts of the world were unable to exchange messages after the service was targeted in a DDoS attack which caused a service outage for users on the East Coast of the Americas, the UK, the Netherlands, Germany, Ukraine, Russia and China.
- The DDoS attack involved a botnet sending large amounts of traffic to Telegram’s servers until the service was no longer able to handle requests.
Outlaw hacker group spreads miner and Perl-based backdoor
- Trend Micro reported that they detected activity in which a URL was used to spread a botnet with a Monero miner. The researchers observed that the activity displayed similar techniques to those used by Outlaw hacking group’s previous campaign.
- The researchers also discovered the use of an executable Secure Shell (SSH) backdoor and found the components to be installed as a service to ensure the malware’s persistence. In addition, the observed Perl-based backdoor is capable of launching DDoS attacks, which allows the cyber criminals behind the campaign to monetize their activities both via cryptomining and by offering DDoS-for-hire services.
- Trend Micro assess that this threat is still in the testing and development phase, because the shell script components left in the TAR file are never executed.
Source (Includes IOCs)
Two hacker groups responsible for significant spike in hacked Magento sites
- Willem de Groot, founder of Sanguine Security, reported that two hacker groups are responsible for the significant spike in the number of hacked Magento 2.x sites. The spike is thought to result from the discovery of a SQL injection flaw in the Magento 2.x content management system, which can be exploited by remote, unauthenticated attackers to take control of unpatched installations.
- By running a scan on the top million sites, de Groot found that the recent activity is the result of two groups, one responsible for 70%, and the other for 20%, of the attacks.
Former Chinese hacker used USB sticks to steal data from hotel guests
- Bo Chou, a former hacker from China’s People’s Liberation Army, has reportedly used a common type of malware, delivered via a USB, to steal data from hotel guests. Chou loaded the malware onto each USB, and placed them in the lobbies of hotels, among other places, advertising them as free USBs for guests.
- Once the USB stick installs the malware on the victim’s computer, Chou retrieves as many spreadsheets as possible and sells the stolen business data to other companies via a legitimate US-based website for freelancers.
Ransomware stops production at airline supplier company ASCO
- ASCO, a large supplier of airplane parts, has stopped production in its factories after a ransomware infection was discovered at its plant in Zaventem, Belgium. The company sent home approximately 1,000 of its workers and planned an official downtime of 3 days.
- The attack affected factories in Belgium, Germany, Canada and the US. The ransomware used in the attack remains unnamed.
Cyber-attack in city of Lahti disrupts services
- Malware was detected on a single machine in the city of Lahti’s information network on Tuesday afternoon. The malware did not spread to many other machines on the network because antivirus software prevented further infection.
- The connection between the city of Lahti and the Päijät-Häme welfare group in southern Finland was cut off to prevent further infection, which could cause delays in services to customers and disrupt the welfare group’s human resources and financial systems.
Trend Micro report on the latest techniques and RATs used by TA505 Group
- Trend Micro has published a report based on their analysis of TA505 over the last few months. In the group’s latest campaign, targeting users in South Korea, they used HTML attachments to deliver malicious .XLS files that downloaded the FlawedAmmyy downloader and backdoor.
- The analysis covers the group’s recent activity, their evolving tactics and payloads, and suspicious activity that could be associated with the group. In addition, the report covers the group’s use of legitimate software, as well as an email stealer and MSI installer.
Leaks and Breaches
Exam registration company Total Registration announces data leak
- Total Registration was used by Fayette, Scott and Woodford County school districts to register students for tests such as the PSAT and Advanced Placement. The company stated that during a security audit, a researcher discovered a misconfigured file on their system.
- Exposed data could have included students’ names, grade levels, genders, dates of birth, student IDs, student ethnicities, addresses, phone numbers and email addresses. The information would have been accessible for 48 hours.
- There is no evidence that a third party has accessed the information.
Critical flaw discovered in Evernote Web Clipper Chrome extension exposes data
- The flaw, tracked as CVE-2019-12592, is a universal cross-site scripting vulnerability caused by a logical coding error in Evernote Web Clipper. The issue could have allowed an attacker to ‘bypass the browser’s same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote’s domain.’
- Attackers could redirect victims to hacker-controlled websites that load hidden iframes with the targeted third-party websites, and trigger an exploit created to ensure Evernote injects a malicious payload into all loaded iframes. The malicious payload would be capable of stealing cookies and private information, as well as performing actions as a user.
- Once Chrome’s site isolation security feature is broken, data held in user accounts on third-party websites, including authentication, financials, private social media conversations, and more, is no longer protected. Due to the popularity of the extension, the flaw could have affected approximately 4,600,000 users at the time the issue was discovered. The flaw has been patched.
La Liga fined 250,000 euros for privacy issues with app
- The fine was imposed by Spain’s national data protection agency (AEPD) after it was discovered that La Liga had failed to make it clear that their Android application can activate microphones on users’ phones and monitor their location.
- The app was designed to ask for access to the microphones on users’ devices to check that the captured audio fingerprint matched the sound of a football broadcast. In combination with GPS tracking, this was designed to establish which public venues were showing games illegally.
- The app was found to be in breach of GDPR regulations.
Philadelphia courts still down following cyber-attack in May
- Following a cyber-attack on May 21st, 2019 on Philadelphia’s online court system for filing and docketing, issues persist throughout the country. The networks of the Luzerne County Correctional Facility in Pennsylvania are still impacted, resulting in inmates being unable to order items from the jail commissary. The attack continues to be investigated.
Amazon accused of recording and storing children’s voices through Alexa
- Amazon is faced with two lawsuits brought forward by the guardians of unnamed children aged 8 and 10 years old, who both allege that Amazon is illegally profiting from the analysis of the requests and commands that children make to Echo devices.
- The lawsuit also alleges that Amazon stores the recordings in a database, some of which include users’ private details.
FBI warns that phishing sites now feature HTTPS and green padlock
- The FBI has issued a warning, stating that internet users should not automatically trust websites with HTTPS certification, or green padlocks, after they found that cyber criminals are using these verification tools in domain spoofing campaigns.
Akamai Threat Research uncovers extent of attacks against gaming industry
- Akamai has found that hackers have carried out 12 billion credential stuffing attacks against various gaming websites within a 17-month period, suggesting that attacks against the gaming industry are rising rapidly.
- Akamai threat researcher Martin McKeay stated that the gaming industry is an attractive target for hackers because they are able to exchange in-game items for profit. In addition, he states that ‘gamers are a niche demographic known for spending money, so their financial status is also a tempting target’.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.