Silobreaker Daily Cyber Digest – 14 March 2019
New GlitchPOS malware advertised on crimeware forums
- Cisco Talos researchers discovered a new point-of-sale malware named GlitchPOS being advertised on crimeware forums.
- GlitchPOS contains a small number of functions with the primary function being the exfiltration of credit card numbers from the memory of infected systems. It is being promoted via screenshots and tutorial videos that demonstrate its ease of use.
- According to the researchers, the malware’s developer, known as ‘edbitss’ on hacker forums, is also responsible for DiamondFox malware.
Source (Includes IOCs)
DMSniff PoS malware used to target small- and medium-sized businesses
- Flashpoint researchers discovered a new strain of point-of-sale malware dubbed DMSniff that has been actively used in attacks against small- and medium-sized businesses such as restaurants and theatres.
- According to the researchers, DMSniff uses multiple techniques to protect its C&C communication from researchers and law enforcement. One technique it uses is a domain generation algorithm to ‘create lists of C&C domains on the fly’, meaning it can still communicate, receive commands or share stolen data even after its current domains are taken down.
- DMSniff has been active since at least 2016 and has remained undetected until now. Flashpoint believes that ‘attackers using DMSniff could be gaining an initial foothold on devices either by using brute-force attacks against SSH connections, or by scanning for vulnerabilities and exploiting those’.
Source (Includes IOCs)
Google Play applications discovered containing aggressive malware
- Check Point researchers have discovered a campaign, dubbed SimBad, involving over 210 malicious apps on Google Play, which have reportedly been downloaded almost 150 million times.
- The apps are built to hit users with ads, even when the app isn’t open. They can also carry out spear-phishing attacks by causing the browser to open an attacker-chosen URL, and can open the Google Play and third-party 9Apps market apps with specific keyword searches or on a specific application’s page.
- The apps remove their icon from the device launcher to make it harder for users to uninstall them. All of them also use a software development kit (SDK) called RXDrioder, which the researchers assess is used to conceal the malicious capabilities from the app developers themselves.
Chinese IT services use apps to collect contact data
- Check Point researchers discovered that servers controlled by Chinese IT and Hangzhou Shunwang Technology have been collecting phone contact lists, geolocations, and QQ messenger login information via a data-stealing component present in almost a dozen Android applications, in an operation dubbed ‘Operation Sheep’.
- The information-stealing code sits in a data analytics Software Development Kit (SDK), named SWAnalytics, which is integrated into the seemingly legitimate apps, delivering scraped details whenever the infected device reboots or the app starts.
- The majority of the applications are system utilities that can be installed from popular application stores such as Tencent MyApp, Wandoujia, Huawei App Store, and Xiaomi App Store. The apps have been downloaded at least 11 million times.
Threat Actors targeting recently patched Windows Zero-Day
- CVE-2019-0797 is a privilege escalation vulnerability that affects the Win32k component. It was patched by Microsoft in their latest Patch Tuesday. However, groups such as FruityArmor and SandCat have been targeting this vulnerability, attempting to attack systems that have not yet applied the patches.
- Kaspersky has stated that they do not have any other information regarding the targets of the attacks leveraging this vulnerability, but that it is the fourth zero-day being actively exploited in recent months.
Leaks and Breaches
Ad network Sizmek investigates security breach
- Security researcher Brian Krebs reported that Sizmek Inc is investigating an incident in which a hacker was reselling access to a Sizmek Advertising Suite (SAS) user account with the ability to modify ads for a number of large advertisers.
- The offer appeared on a Russian-language cybercrime forum with bids starting at $800. According to a Sizmek spokesperson, the breached account had the ability to add or modify the advertising creatives that get run on customer ad campaigns.
- Exploiting this access could allow a hacker to hijack existing campaigns by inserting malicious scripts into the HTML code of ads that run on popular sites, or hijack referral commissions intended for others and otherwise siphon ad profits from the system.
- Sizmek has reset all SAS account passwords and continues to investigate the incident.
Massachusetts-based Emerson Hospital notifies 6,314 patients of a data breach
- The breach occurred between the 9th and 17th of May 2018 and was the result of MiraMed Global Services sending patient files to an unauthorised third party. Potentially exposed information includes names, addresses, Social Security numbers and insurance policy information.
Nova Scotia government believes 600 missing files from data breach have been destroyed
- Over 600 files that were downloaded during the largest information breach ever recorded in Nova Scotia seem to have been destroyed without being shared.
- An internal investigation led by the Atlantic School of Theology, where the information was downloaded, has concluded that the laptop used to access the 600 files, and the information that was on that laptop, has been destroyed.
British school suffers ransomware attack
- The Sir John Colfox Academy in Bridport, Dorset, has suffered a ransomware attack resulting in the encryption of important data, including some student GCSE coursework. This is the result of a member of staff mistakenly opening an email containing a malicious attachment.
- It is unclear what ransomware infected their computer systems, but Dorset Police report that no ransom has been paid.
Delaware Guidance Services pays ransom fee
- The ransomware attack took place on December 25th, 2018, and encrypted files containing names, addresses, dates of birth, social security and medical information. DGS stated that it paid a ransom to secure the release of records.
- It is unclear how much was paid, or what strain of ransomware they were infected by.
WordPress 5.1.1 fixes XSS flaw which could allow website takeovers
- The flaw could allow attackers to perform stored cross-site scripting (XSS) attacks using maliciously crafted comments on WordPress websites that have the comments module enabled. Combined with a cross-site request forgery (CSRF) vulnerability, this could allow attackers to take over websites by tricking a logged-in administrator into visiting a malicious website that contains an XSS payload.
- The XSS payload is then loaded and executed using a hidden iframe, letting unauthenticated attackers execute arbitrary HTML and script code and potentially take complete control of vulnerable WordPress websites.
- WordPress core contributor Peter Wilson estimated that around 20,000 websites could have been affected by the flaw.
Vulnerabilities discovered in Windows 10
- 19 vulnerabilities were patched in total by Intel, with two of them deemed high-severity. These are CVE-2018-12216 and CVE-2018-12214, both of which could allow a privileged user to execute arbitrary code via local access.
- The other vulnerabilities include CVE-2019-0129, an escalation-of-privilege flaw in Intel’s USB 3.0 Creator Utility, and CVE-2019-0122, an information-disclosure and denial-of-service flaw in Intel’s Software Guard Extensions (SGX) SDK.
New BitLocker attack permits extracting encryption keys from devices
- Researcher Denis Andzakovic developed a new way to extract BitLocker encryption keys from a computer’s Trusted Platform Module (TPM) that requires a $27 FPGA board and some open-source code.
- The attack requires physical access to the device and will result in the device’s destruction as the attacker needs to hard-wire the TPM chip to sniff communication via the Low Pin Count (LPC) bus. The attack works against TPM 1.2 and TPM 2.0 chips.
Tesla accused of spying on whistleblower
- Sean Gouthro, a former security manager at Tesla, has claimed that the company hacked, spied upon, and conducted a smear campaign against Martin Tripp, a whistleblower who leaked information regarding Tesla’s production problems, scrapping of raw materials, and spending large amounts of cash to produce Model 3s.
- A Tesla spokesperson has dismissed the story as ‘untrue and sensationalised’.
Automated licence plate reader database used by ICE for alleged spying
- It is alleged that US Immigration and Customs Enforcement (ICE) is using a large surveillance database in order to spy on immigrants. The database supposedly gives ICE access to over five billion points of location information, gathered via readers in police cars, on road signs, and on bridges, giving agents the ability to pinpoint drivers’ locations.
- The American Civil Liberties Union has stated that ‘it’s appalling that ICE has added this mass surveillance database to its arsenal, and that local law enforcement agencies and private companies are aiding the agency in its surveillance efforts’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.