Silobreaker Daily Cyber Digest – 14 June 2019
Trend Micro discovers new campaign using NSA-leaked tools to deliver cryptominers
- Trend Micro researchers discovered an ongoing cryptojacking campaign infecting unpatched computers belonging to businesses all over the world with XMRig Monero miners. The campaign was observed using the NSA-created EternalBlue and EternalChampion SMB exploits to infect vulnerable Windows computers.
- The hackers behind the campaign are using a ‘shotgun’ approach to compromise any vulnerable machines across a wide range of industries and countries. Countries with larger populations had the most organisations targeted, particularly in China and India, and targeted industries include education, communication, media, banking, manufacturing and technology.
- The campaign uses an auto-spreading EternalBlue-based backdoor and a variant of the Vools Trojan to disseminate approximately 80 variants of the XMRig miners on infected computers, using five unique mining configurations with similar usernames and passwords.
Source (Includes IOCs)
Millions of Exim mail servers attacked
- Millions of mail servers running vulnerable versions of the Exim mail transfer agent (MTA) are currently being targeted by attackers, who gain permanent root-level access via SSH on the exploited machines. The vulnerability, tracked as CVE-2019-10149 and also known as ‘The Return of the WIZard’, allows attackers to remotely run arbitrary commands as root on exposed servers.
- Threat actors are currently exploiting the flaw by using a Bash script uploaded from a Tor hidden service via tor2web ‘routing’ services, which downloads another script created to check if OpenSSH is installed on the compromised machine. If OpenSSH is not present on the flawed machine, it will install it using the APT package manager, in addition to other tools, and ‘start it to enable root logins via SSH using a private/public RSA key for authentication’.
- A new wave of attacks has been observed since June 9th against vulnerable Exim servers using similar methods to the previous attacks, but additionally downloading a second script that deploys several binary payload variants onto compromised machines. A search using Shodan uncovered that over 3,680,000 servers were running a vulnerable version of Exim.
Adware and PUP families add push notifications as an attack vector
- Malwarebytes Labs discovered that some families of unwanted programs and adware have added browser push notifications to their attack tools. The programs pose as plugins on Chrome and Firefox, and spam users with notifications.
- Malwarebytes identified three unique styles of websites pushing these Chrome extensions: the first and second guide the user through installation, and the third strongly promotes the extension. All three sites lead to StreamAll. The identified Firefox extensions are detected by Malwarebytes as Trojan.FBSpammer and are propagated via sites pushing Flash Player updates.
- Both extensions ask for permission to send notifications, which in this case invite the user to gamble at an online casino or promote get-rich-quick schemes using celebrities as endorsement.
Group behind Scranos malware returns with upgraded features
- Bitdefender reported that the group behind the campaign that targeted Windows and Android devices across Europe and the US in April has updated its attacks, techniques and payloads. In April, the threat actors lost their mechanism for persistence and disguise after the Authenticode certificates they used were revoked.
- The new variant of Scranos has an updated infection technique based on a fake application called CClear, modelled on the legitimate CCleaner application. The malware dropper is delivered via malvertising and is bundled with other software packages.
- Once downloaded, the dropper contacts the C2 server and replaces a host file with a new download, in addition to stealing cookies, login credentials, Facebook information and payment accounts. A legitimate Microsoft executable is placed in the same folder as the malicious DLL to ensure persistence after system reboot, and Scranos is downloaded. The new version of Scranos also comes with a cryptocurrency miner.
Leaks and Breaches
Fortune 500 companies faced with lawsuits over data breach affecting 20 million
- Quest Diagnostics, LabCorp and the American Medical Collection Agency (AMCA) are facing multiple class-action lawsuits after the web payment page of AMCA was breached over an eight-month period. The breach exposed the patient medical information, credit card numbers, bank account information and social security numbers of over 20 million patients.
Symantec reports data stolen by hacker was fake
- The stolen data was thought to include passwords, Symantec account numbers and a list of clients that included the Australian federal police, major banks, universities and retailers.
- Symantec has announced that the data was largely fake and was confined to a test environment that it uses for demonstration purposes.
Twitter URLs can be exploited to spread disinformation and malicious content
- Twitter’s URL creation process could be abused for nefarious purposes, including running disinformation campaigns, spreading malware and redirecting users to malicious web pages.
- The URL in the address bar contains a username and the tweet’s status ID; however, only the status ID is needed to reach a message on Twitter. If a threat actor modifies the username, people could be tricked into thinking that the wrong Twitter user is promoting a specific tweet, which could be spreading disinformation or propagating malicious content.
- In particular, this technique could be used in disinformation campaigns, to make it look as though politicians are endorsing specific views. In addition, a person could also easily impersonate a Twitter account, and use the technique to lead users to malicious content.
Critical flaw discovered in Infusion System affects medical pumps
- Researchers at CyberMDX discovered two vulnerabilities in Alaris Gateway Workstations (AWG), which are used to communicate with infusion pumps and power them during blood transfusions, anesthesia, chemotherapy and dialysis. One of the flaws, tracked as CVE-2019-10959 and present in the firmware code of the device, could be exploited remotely without authentication.
- A threat actor operating on the same network as the targeted system would be able to exploit this critical flaw to ‘update and manipulate a CAB file, which stored files in an archived library and utilizes a proper format for Windows CE.’ This level of access would allow threat actors to alter the dosage of drugs being administered by the infusion pumps connected to an AWG.
- The researchers state that although the flaw is easy to exploit, the threat actor would need to understand the Windows CE environment, how communication protocols function in the product, how to modify a CAB file, among other details.
- The second flaw, tracked as CVE-2019-10962, resides in the web-based management interface of AWG, and can be exploited by an attacker to gain access to device monitoring, event logs and configuration of the device.
High severity flaw discovered in Cisco IOS XE software
- CVE-2019-1904 affects outdated versions of Cisco IOS XE and exists in the web-based user interface. The issue exists due to ‘insufficient CSRF protections for the web UI on an affected device’.
- The flaw could be exploited by persuading an interface user to follow a malicious link. Exploitation of the flaw could enable threat actors to run arbitrary actions on an affected device.
Multiple flaws affect WAGO Industrial switches
- An SEC Consult security researcher discovered several flaws in 52-303, 852-1305 and 852-1505 WAGO industrial switch models.
- One of the most critical flaws, tracked as CVE-2019-12550, is the result of hardcoded credentials, including usernames and passwords, that could be used to connect to the devices via Telnet and SSH. In addition, hardcoded private keys for the SSH daemon in the device’s firmware were also discovered, which could be exploited by an attacker to carry out man-in-the-middle attacks against the Dropbear SSH daemon without the targeted user noticing any fingerprint changes.
XSS flaw could allow attacks against Google employees and access to sensitive data
- Researcher Thomas Orlita discovered a blind cross-site scripting (XSS) flaw that could have been exploited to attack Google employees, or to gain access to invoices and sensitive information. When submitting an invoice, users are required to provide several types of information via text fields; however, Orlita discovered that these inputs were not properly sanitized and were therefore vulnerable to XSS attacks.
- An attacker could exploit this flaw by using the feature designed for uploading PDF-formatted invoices to instead upload HTML files, by intercepting the request and changing the uploaded file’s name properties to HTML. During tests, Orlita successfully uploaded an HTML file containing an XSS payload that, when triggered, sent him an email every time it was loaded.
Decryptor for pyLocky ransomware released by French authorities
- The decryptor works for versions 1 and 2 of pyLocky ransomware, and was created in collaboration between French law enforcement, the French Homeland Security Information Technology and Systems Service and volunteer researchers.
YubiKey FIPS key allows threat actors to reconstruct private keys
- A flaw impacting YubiKey FIPS Series devices has been found to reduce the strength of generated RSA keys and ECDSA signatures after power-up. The flaw affects the YubiKey FIPS, the YubiKey Nano FIPS, the YubiKey C FIPS, and the YubiKey C Nano FIPS.
- The buffer holding the key derivation random value used by the RSA and ECDSA algorithms reportedly contains leftover data that makes the value less random than it should be.
- The YubiKey FIPS apps that use ECDSA are at greater risk because the weakened signatures could allow threat actors who gain access to some signatures to reconstruct the private key.
Telegram’s CEO blames China for DDoS attack
- Following reports of the DDoS attack against messaging app Telegram, the company’s founder and CEO, Pavel Durov, has publicly blamed China for the attack. Durov tweeted that the traffic was ‘mostly’ coming from Chinese IP addresses, and stated that it was a state-actor sized attack that, ‘coincided with protests taking place in Hong Kong’, that were allegedly coordinated on Telegram.
- The researchers created templates using a record of each environment’s default properties values, which can be used to scan a visiting user and detect environment details based on the default property values that the user’s browser returns. This attack method could be used to overcome anti-fingerprinting systems and privacy-preserving browser extensions.
Cryptomining scheme in China found siphoning power from oil wells
- Chinese publication Global Times reported that a local Chinese man had laid a cable to steal power that was meant to be used to maintain oil wells, in order to mine for Bitcoin. In an attempt to avoid being caught, the man hid the cables in fish ponds.
- Police from the Qiqihar District Public Security Bureau were informed by a manager of an oil well that electricity was being siphoned from the area. After investigation, police discovered a shed housing 20 active Bitcoin mining rigs.
SEC warns investment firms and broker-dealers of unsafe storage solutions
- The US Securities and Exchange Commission (SEC) has warned broker-dealers, investment firms and other companies of the dangers of storing customer information on NAS devices, database servers and network storage solutions. The SEC’s Office of Compliance Inspections and Examinations (OCIE) sent out the alert after an analysis of companies uncovered that firms did not always use the necessary security features.
- The main issues include companies misconfiguring the security settings on storage systems, inadequate oversight of vendor-provided third-party services, and a failure to classify data based on sensitivity.
McAfee’s cryptocurrency trading platform hit by DoS attack upon launch
- It was announced on Twitter that the web servers for the McAfeeMagic cryptocurrency trading platform were hit by a ‘cloaked High Orbit Ion Cannon (HOIC) DoS attack’. A HOIC attack consists of ‘flooding target systems with junk HTTP GET and POST requests.’
- The website was operational again on the same day.
Greece’s Deputy Sports Minister Giorgos Vasiliadis’ Instagram account hacked
- The account was hacked by a Turkish group by the name of Anka Neferler Tim on Thursday. The hackers posted two photos on the account, the first of Istanbul’s Byzantine cathedral Hagia Sophia, and the second of the group’s logo.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.