Silobreaker Daily Cyber Digest – 14 November 2018
Researchers release extensive analysis of groups operating under Magecart
- RiskIQ and Flashpoint researchers have released a joint report providing an extensive analysis of the Magecart Group, including the infrastructure supporting the Group’s operations, the malware used and how victims are accessed and compromised.
- In their report, the researchers have identified seven separate hacker groups behind Magecart, each differing in their capabilities and approaches to targeting victims. Further analysis led the research team to merge two of the groups based on their use of the same reshipping scheme. Moreover, RiskIQ and Flashpoint state that there are likely more groups and individuals behind Magecart that have not yet been identified.
- The report also details the commercial aspect of Magecart’s operations that include the sale and distribution of stolen cards through underground markets, means of monetization and the supply chain.
Un-renewed domains used by criminals to steal credit card information
- Security researcher Brian Krebs reported that expired and un-renewed domains are being used by criminals to set up fake e-commerce websites for the purpose of stealing users’ credit card details.
- Krebs provides an example in which criminals purchased the expired domain of a photographer’s website and set up a legitimate-looking online shoe shop to gather payment data.
- Krebs notes that his example is in line with the newly released report by RiskIQ and Flashpoint who have thoroughly documented Magecart Group’s operations and their use of credit card skimmers on e-commerce websites.
Magecart malware found on Infowars online store
- Researcher Willem de Groot found Magecart malware on the Infowars online store. De Groot discovered the malware hidden inside a modified block of Google Analytics code. The malicious code harvested data from checkout form fields and sent it to a remote server hosted in Lithuania.
- According to Infowars owner Alex Jones, the credit card skimming malware may have affected up to 1,600 users.
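The Infowars case above follows the pattern the RiskIQ and Flashpoint report describes: an existing inline snippet (here a Google Analytics block) is altered and the checkout data is posted to a server the shop never talks to. A practical defensive control is to baseline the inline scripts on a checkout page and alert when a block’s hash is unknown or a script references a host outside an allowlist. The following Python is an added example, not code from Silobreaker, de Groot or any of the researchers cited; the page content, the `collector.invalid` host and the `ALLOWED_HOSTS` set are constructed for the demonstration.

```python
"""Baseline the inline <script> blocks of a checkout page and flag blocks whose
hash is unknown or which reference a host outside an allowlist.  Example code;
every page, host and allowlist value here is constructed."""
import hashlib
import re
from html.parser import HTMLParser

# Assumption: the only hosts this shop's pages are expected to reference.
ALLOWED_HOSTS = {"www.google-analytics.com", "shop.example"}

_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self.inline, self.external, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def extract_scripts(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.inline, p.external


def fingerprint(script_body):
    # Collapse whitespace so a reformatted but unchanged snippet keeps its hash.
    canon = " ".join(script_body.split())
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def referenced_hosts(text):
    return {h.lower() for h in _HOST_RE.findall(text)}


def build_baseline(html):
    """Hashes of every inline script on a known-good copy of the page."""
    inline, _ = extract_scripts(html)
    return {fingerprint(s) for s in inline}


def audit_page(html, baseline, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means the page matches the baseline."""
    findings = []
    inline, external = extract_scripts(html)
    for i, body in enumerate(inline):
        h, unknown = fingerprint(body), referenced_hosts(body) - allowed_hosts
        if h not in baseline:
            findings.append({"script": i, "reason": "inline script not in baseline",
                             "hash": h, "unknown_hosts": sorted(unknown)})
        elif unknown:
            findings.append({"script": i, "reason": "baselined script references unexpected host",
                             "hash": h, "unknown_hosts": sorted(unknown)})
    for src in external:
        unknown = referenced_hosts(src) - allowed_hosts
        if unknown:
            findings.append({"script": src, "reason": "external script from unexpected host",
                             "hash": None, "unknown_hosts": sorted(unknown)})
    return findings


# Constructed sample pages: a clean checkout page with a standard analytics
# snippet, and a copy in which that snippet gained one extra call to a host the
# shop never uses (the shape of the modification described in the report).
GA_SNIPPET = """
  window.ga = window.ga || function(){ (ga.q = ga.q || []).push(arguments); };
  ga('create', 'UA-00000-0', 'auto');
  ga('send', 'pageview');
"""
CLEAN_PAGE = f"""<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>{GA_SNIPPET}</script>
</head><body><form id="checkout"><input name="card_number"></form></body></html>"""
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "ga('send', 'pageview');",
    "ga('send', 'pageview');\n  fetch('https://collector.invalid/c');")


def demo():
    baseline = build_baseline(CLEAN_PAGE)
    return audit_page(CLEAN_PAGE, baseline), audit_page(TAMPERED_PAGE, baseline)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean page findings:", clean)
    for f in tampered:
        print(f"ALERT script {f['script']}: {f['reason']} hosts={f['unknown_hosts']}")
```

In practice the baseline would be captured from a build artefact or a trusted crawl and the audit run on every deploy and on a schedule against the live page, since skimmer injections are usually made server-side after the fact. Hash mismatches need a human look rather than automatic blocking; the host allowlist is the cheaper signal and also maps directly onto a `connect-src` Content-Security-Policy for the same page.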
‘Secret Sister’ scam resurfaces
- Malwarebytes researchers reported on the re-emergence of a scam called Secret Sister. The campaign has been targeting users via Facebook and Reddit.
- The scam involves luring female users into joining a ‘secret sister gift exchange’ in which they are asked to contribute a $10 gift in exchange for receiving up to 36 gifts from other participants.
- Malwarebytes states that the scam is essentially a pyramid scheme and poses a risk of identity theft or mail fraud penalties.
Leviathan APT attacks UK engineering firm and Cambodian entities using Russian hackers’ TTPs
- Researchers have discovered that Chinese threat actor Leviathan APT, also known as TEMP.Periscope, is most likely behind an attack that targeted a UK-based engineering company in July 2018. The attack was also found to have targeted an email address associated with a Cambodia-based freelance journalist and an employee of a Cambodian NGO.
- In their report, the researchers state that they believe Leviathan APT reused TTPs from Russian threat actors Dragonfly and APT28. It is possible the group reused TTPs to increase its chances of success or to lay false flags, the researchers claim.
Leaks and Breaches
Media Prima hit by crippling ransomware attack
- Malaysia’s largest media company, Media Prima, has been hit by a ransomware attack that has rendered its internal email systems unusable. The attackers demanded a ransom of 1,000 bitcoins, the equivalent of approximately RM15 million, or 3.5 million USD.
- The extent of the data breach is, as yet, unknown, and the system remains locked until the ransom demand is met.
Adobe releases patch Tuesday update for flaw in Acrobat
- The vulnerabilities affected Flash Player (CVE-2018-15978), Acrobat, Reader (CVE-2018-15979) and Photoshop CC (CVE-2018-15980) and can all lead to information disclosure. The patches were published by Adobe alongside a proof of concept.
Facebook flaw exposed personal information of users
- Security researcher Ron Masas discovered a vulnerability in Facebook that permitted attackers to access the personal information of users and their contacts.
- The bug involved Facebook’s use of iframe elements in search results that allowed Masas to develop an attack flow that was based on ‘manipulating Facebook’s graph search’ allowing him to ‘craft search queries that reflect personal information about the user’.
- The vulnerability was reported to Facebook in May 2018 and has since been patched.
Microsoft patches 12 critical vulnerabilities and one zero-day
- Microsoft have released patches for a total of 64 vulnerabilities, 12 of which have been labelled as critical. The critical flaws could lead to code execution, which could be leveraged to allow an attacker to execute commands and take full control of a vulnerable computer.
- Eight of the flaws were found in the Chakra Scripting Engine, whilst the other bugs were found in the Windows Deployment Services TFTP Server (CVE-2018-8476), Windows VBScript Engine (CVE-2018-8544), Microsoft Graphics Components (CVE-2018-8553) and Microsoft Dynamics 365 (CVE-2018-8609).
- In addition, Microsoft also released a patch for a zero-day flaw, tracked as CVE-2018-8589, that enabled an unnamed APT group to escalate privileges on targeted systems in the Middle East, including Windows 7, Server 2008 and Server 2008 R2 systems. The fault lies in the Windows device driver ‘Win32k[.]sys’ and could allow an attacker to escalate privileges and run arbitrary code in the context of the local system.
SAP patches critical vulnerabilities in HANA Streaming Analytics
- Two vulnerabilities, tracked as CVE-2018-1270 and CVE-2018-1275, have been discovered in the Spring Framework library used by SAP HANA Streaming Analytics. The flaws, which have been assigned a CVSS score of 9.9, could be exploited for unauthorised remote code execution, allowing an attacker to access arbitrary files and directories in the SAP server file system.
- Another security update addressed an additional four critical vulnerabilities tracked as CVE-2018-2488, CVE-2018-2491, CVE-2018-2489, and CVE-2018-2490 in SAP Fiori for Android. The vulnerabilities include a remote HTML injection flaw, denial of service issues, missing authorisation checks and an information disclosure issue.
Unpatched Android OS flaw allows threat actors to track user location
- The flaw, tracked as CVE-2018-9581, could allow an attacker to track the location of users within a WiFi router’s range, providing that they too have physical proximity to the router.
- The issue resides in the mechanisms that Android uses to share information between applications. A fault in the ‘intent’ messaging system has resulted in Android OS regularly broadcasting information about the WiFi connection. No special permission is needed to access this information.
- The flaw could allow an attacker to predict, based on WiFi strength, the location of a person within a home or an office. Information such as this could be used to enact physical harm or robbery.
The US Office of Personnel Management’s (OPM) systems remain insecure
- The OPM has implemented only 51 of the 80 proposals made to it by the US Government Accountability Office (GAO) to improve its security.
- The proposals were made after it was found that the agency did not protect some of the systems from unauthorised information exchange, failed to enforce password policies for authenticated access or restrictions to specific individuals, and had no significant logging system to help monitor and audit its systems.
Scammers impersonating Elon Musk hack Target’s Twitter account
- A message announcing a fraudulent Bitcoin giveaway scheme was posted on the retailer’s verified Twitter account. Target stated that the unauthorised access lasted approximately 30 minutes and the company is investigating the incident.
Bitmain sues anonymous hacker for theft of $5.5 million
- The Chinese mining company Bitmain is suing the anonymous hacker after $5.5 million was stolen last April from the company’s account on Binance. The hacker successfully took over the company’s account and then used Bitcoin stored in the account to buy ether tokens, which were subsequently used to buy and manipulate the price of an altcoin known as MANA coin.
- The unknown suspect, dubbed ‘John Doe’ in court documents, then transferred the MANA into his Binance account and reversed the same trades between Bitmain’s wallet and his personal wallet using a deflated MANA price. John Doe then continued to place an order to sell MANA from Bitmain’s digital wallet at a deflated price.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.