Silobreaker Daily Cyber Digest – 14 January 2019
9 adware apps in Google Play discovered
- The apps have reportedly been installed over 8 million times, with four showing over 500,000 installs, one with over a million and another with over five million installs. They are all advertised as remote-control apps, and are all supplied by the developer Tools4TV.
- When launched the apps hide from the users view and begin showing ads. The most popular app poses as a universal remote control for a television, as well as other household electronics.
FBI warns managed service providers of Chinese hacking threat
- The FBI have updated its warning about the Chinese hacking group APT10, stating that the group was targeting managed service providers that provide cloud computing services to commercial and governmental clients.
Crowdstrike research identifies threat group behind Ryuk ransomware attacks
- Following a report by FireEye detailing the new campaign dubbed TEMP.MixMaster, Crowdstrike have observed that the attackers behind this campaign are a group named Grim Spider, reportedly a small cell connected to the wider criminal enterprise group Wizard Spider.
- The group have been using Ryuk ransomware since August 2018, targeting large organisations for large ransom payments, a tactic referred to by Crowdstrike as ‘big-game hunting’.
DNS hijacking attacks rise to unprecedented level
- Companies are being alerted to a wave of domain hijacking attacks that has been observed using three difference techniques to manipulate the Domain Name System records that enable attackers to find a company’s computers on the Internet.
- Attackers can replace a legitimate IP address for a domain with a malicious address, which can cause the domain to carry out malicious activities, such as harvesting login credentials. These methods also allow attackers to obtain valid TLS certificates that help prevent detection.
- Organisations affected by the latest attacks include telecoms companies, ISPs, and government and commercial entities. Ars Technica detail all three DNS hijacking techniques that have been used in the recent campaigns targeting North America, Europe, the Middle East and North Africa.
Email scam attempts to extort money from residents of Southampton in Massachusetts
- The scam warns individuals their accounts have been hacked and that malware has been tracking them when they log into pornographic sites.
- The scam also informs recipients that their webcam and computer screen are accessible to the scammer, and that the attacker has videos of the recipients’ watching adult content.
- The extortionist demands $1,000 worth of Bitcoin to be transferred in order to avoid the videos being sent to the victim’s family and friends.
Fake movie file steals cryptocurrency and injects content onto high profile sites
- Researcher ‘oxffffo8oo’ discovered that the file for the movie ‘The Girl in the Spider’s Web’ on The Pirate Bay was not a video file but a .LNK shortcut that executed a PowerShell command. VirusTotal analysis discovered a sample of CozyBear, known to be used by threat group APT29.
- The file triggered several counts of malicious behaviour including injecting content from the attacker into websites such as Wikipedia, Google and Yandex Search, as well as stealing cryptocurrency.
- An analysis by BleepingComputer researcher Lawrence Abrams found that the malware monitors webpages for Bitcoin and Ethereum wallet addresses, replacing them with other addresses belonging to the attacker.
Campaign targets oil and gas organization in Italy
- The ongoing phishing attempts have been targeting an Italian oil and gas company by impersonating a supplier’s sale office using fake invoices and shipping order confirmations. The emails contained a malicious Excel file, which leverages CVE-2017-11882, a memory corruption vulnerability.
- Researchers at Cybaze-Yoroi ZLab analysed the payload and found that it contained a stealer composed of publicly available code and multiple AutoIt scripts that are similar to other pieces of malware.
APT10 suspected of involvement in data leaks of Japanese business lobby
- Cybersecurity researchers reported that the Chinese hacking group APT10 was likely involved in the 2016 data leaks of the Japanese Business Federation.
- The type of virus detected and the servers involved in the attack were reportedly identical to those used in previous attacks by the group.
Leaks and Breaches
Canadian city’s parking ticket system exposes credit card data
- The city of Saint John in New Brunswick suffered a data breach impacting thousands of individuals who had paid parking tickets using their credit cards in the last two years.
- An unknown source reportedly accessed customers’ information on multiple occasions.
- Information exposed includes names, credit card details and mailing addresses.
NASA web app leaks project names and employee data
- Vulnerability hunter Avinash Jain reported a vulnerability in NASA’s project management software Jira.
- A misconfiguration issue resulted in the leak of sensitive NASA data including user details, project details, employee names, email addresses and more.
Managed Health Services of Indiana suffers data breach
- Up to 31,000 patients may have had their data exposed in the latest security incident at Managed Health Services of Indian Health Plan. They manage Indiana’s Hoosier Healthwise and Hoosier Care Connect Medicaid programs. The incident occurred sometime between July 30th and September 7th, 2018.
- Exposed data includes names, birthdays, insurance identification numbers, addresses, and descriptions of medical conditions. It is alleged that the vendor was victim to a phishing attack, which led to the compromise.
Amazon Ring reportedly allowed employees to access video feeds
- An anonymous source disclosed that Amazon allegedly granted live video feed access to its Ukrainian research and development team, as well as to US engineers and executives. This also supposedly included access to an Amazon S3 cloud storage folder that contained every video created by a Ring camera globally, searchable by email address.
- Ring has denied this, stating that they do not and have never provided employees access to livestreams of Ring devices.
Reddit lock down accounts after suspected security breach
- Reddit stated that the account lockdown was triggered by customers using simple passwords on the website and from the re-use of those passwords on multiple accounts. Despite this, users have stated that they had been locked out of their accounts despite using strong passwords and not using their credentials on other sites.
- This has led to users suspecting that Reddit shut down the accounts after a possible data breach, though this theory has not yet been confirmed.
Texas city servers targeted with ransomware
- City Hall servers in Del Rio, Texas were attacked with ransomware. City officials are working with the FBI in order to resolve the situation, which has resulted in an interruption of the Internet for the city’s departments.
Vulnerability in Windows JET Engine discovered
- CVE-2019-0538 is a code execution vulnerability in Windows JET Engine Msrd3x40. The vulnerability can be exploited by an attacker using a specially crafted mdb file to trigger a heap corruption, which could result in a code execution exploit.
- It was discovered by FortiGuard Labs researcher Honggang Ren in September 2018, and was responsibly disclosed to Microsoft. The vulnerability was fixed on Patch Tuesday of January 2019.
Vulnerability in Office 365 used to deliver malware
- The vulnerability allows an attacker to use zero-width spaces in malicious URLs to bypass phishing protections and deliver malicious emails to victims. This method, dubbed the Z-WASP attack, bypasses the URL reputation check and the safe link protections.
- The issue was patched on January 9th, 2019 by Microsoft.
Juniper Networks release patches for over 60 flaws in Junos and ATP products
- Juniper Advanced Threat prevention (ATP) appliances contained 13 flaws including persistent cross-site scripting, arbitrary command execution, hard coded credentials, information disclosure and unprotected credentials issues. Three of the flaws rated critical include CVE-2019-0020, CVE-2019-0022 and CVE-2019-0029, and are related to the existence of hard coded credentials and the storage of Splunk credentials in a file accessible to unauthenticated users.
- Eight flaws were patched in the Juno OS operating system and a further 40 flaws were patched in Juno Space network management platform. Many of the Junos Space flaws impact third-party components including QEMU, the Linux Kernel, Intel CPUs, the glibc library, and more.
US Government shutdown leads to expired TLS certificates on .gov websites
- Researcher Paul Mutton found that dozens of government sites can no longer be accessed or are marked as insecure due to their TLS certificates not being renewed as a result of the ongoing US government shutdown.
- According to Mutton, users who visit these sites may be exposed to man-in-the-middle attacks, stealing their personal data, or fraud and identity theft. Sites belonging to the US Department of Justice, NASA or the Court of Appeals are among those affected.
Proofpoint warns of rise in email based attacks
- The report by Proofpoint is focused around traffic that has been captured and analysed by the company to draw meaningful conclusions in the targets and tactics of malicious actors. They found that 99% of email addresses targeted in the previous quarter were not even ranked in their last report, and that email fraud attacks rose to 36 per targeted organisation.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.