Silobreaker Daily Cyber Digest – 15 April 2019
New ransomware dubbed RobbinHood targets entire networks
- RobbinHood ransomware aims to gain access to entire networks and encrypt all connected computers, appending all encrypted files with ‘_robbinhood.’. The ransomware then drops ransom notes under four different names at the same time, that include information on the victim’s files, ransom amounts, and links to TOR websites where victims can communicate with the attackers, or decrypt 3 files up to 10MB for free.
- Payments amount to 3 bitcoins per computer or 7 bitcoins for decryption of an entire network. On the fourth day, the ransom increases by $10,000 per day. The Tor payment page states that the attackers care about the victim’s privacy, and the encryption keys and IP addresses will be deleted following payment.
- The city of Greenville in North Carolina has already been attacked with RobbinHood ransomware on Wednesday, which led to their network being shut down.
Source (Includes IOCs)
Dr Web discover trojan that exploits critical flaws in Android to install software
- The trojan, tracked by Dr Web as Android.InfectionAds.1, exploits several flaws in Android, to infect software, and install and uninstall applications independently from the user. The trojan is embedded in software and distributed via popular third-party Android stores, such as NineStore and Apkpure.
- When a program containing the trojan is launched, the malware extracts auxiliary modules from file resources to decrypt and launch as well. The trojan uses overlays advertising banners on the system, and if asked to by the C&C server it can modify the code of advertising platforms such as Admob, FaceBook and Mopub by replacing their advertising identifiers with its own identifier, ensuring profits from ads are transferred to the attackers accounts.
- The trojan exploits a critical vulnerability in Android, tracked as CVE-2017-13315, which allows it to launch system activities, and install and uninstall programs automatically without the user’s knowledge.
Fake Instagram assistance apps on Google Play steal passwords
- Malwarebytes discovered three fake apps on Google Play that claimed to assist users boost their likes and increase followers on Instagram. One such ad, named Followkade opens a splash page after installation that asks for Instagram credentials. If the victim presses login, the username and password entered are sent to a known malicious site.
Land Lordz SaaS used in Airbnb scams
- A new software-as-a-service (SaaS) named ‘Land Lordz’ is being used to automate the creation and management of fake Airbnb websites. The fake sites phish for victims’ credentials and demand deposits for the listed properties.
- Currently all the fraudulent listings are for properties in London as well as other places in the United Kingdom.
‘The Nasty List’ phishing scam targets victims on Instagram for login credentials
- ‘The Nasty List’ scam is being spread via hacked Instagram accounts, sending messages to followers stating that they were spotted on the ‘Nasty list’. The profile descriptions for hacked accounts include a link that supposedly allows the recipient to see the ‘Nasty List’ and find out why they are on it.
- If clicked upon, the link takes the recipient to a realistic looking login page for Instagram, however the URL for the page suggests that the page is not legitimate.
Miner malware spreads beyond China using EternalBlue and PowerShell
- The malware, identified by Trend Micro as Trojan.PS1.LUDICROUZ.A, uses multiple propagation and infection methods including methods to drop a Monero cryptocurrency miner onto multiple systems and servers.
- The malware was previously observed in China in early 2019, exploiting weak passwords using the password hash technique, leveraging Windows admin tools, as well as brute force attacks with publicly available codes. The latest instance observed in Japan, however, displays the use of the EternalBlue exploit and the abuse of PowerShell to hack the system and evade detection.
- In addition, the attackers now appear to be expanding their operations to other countries including Australia, Taiwan, Vietnam, Hong Kong and India. The PowerShell script is tracked as Trojan.PS1.PCASTLE.B, the dropped trojan is tracked as TrojanSpy.Win32.BEAHNY.THCACAI.
Source (Includes IOCs)
Scammers targeting US Tax season with fake apps
- Fake tax filing websites and applications are targeting consumers and businesses in the US, many of whom are in a rush to file their taxes before the deadline passes. Researchers at RiskIQ identified 4.2 million mobile apps that use common tax-related keywords and brands, with 1.2 million of these found to be behaving suspiciously and therefore blacklisted. These applications have been seen on many third-party app stores, as well as the official Apple App Store and Google Play.
- One fake application pretends to be an H&R Block application and requests permission to record audio, access the camera, download data and modify device settings without the user’s knowledge. 1,235 instances of phishing sites were also discovered, and one e-filing service was discovered targeted by over 19,500 instances of domain impersonation.
Reputable brands spoofed in cyber campaign
- Researchers at GreatHorn found that attackers have been spoofing headers on phishing emails, making them appear to have gone through multiple legitimate hops on a reputable server before being sent. For example, an email pretending to be from Barracuda, can be crafted to appear to have received headers from Barracuda Networks domains. Office 365 then appends the received header details, making it appear more legitimate.
Campaign with suspected ties to APT28 discovered
- Researchers at Yoroi have analysed a suspicious Office document found in the wild that references the elections in Ukraine. It references the different candidates, conflicts between Ukraine and Russia, and contains a copy of a Daily Express article.
- The document contains a protected macro, that can only be executed with the correct password. Researchers bypassed it, and after several deobfuscation stages, found an embedded PowerShell command capable of disabling Powershell ScriptBlock logging and the Antimalware Scan Interface.
- Part of the script is capable of communicating with an attackers C&C server, and it is suspected, but not confirmed, to be attributed to APT28. This is due to similarities with an older sample that belongs to them, which was studied by security researcher Vitali Kremez. There is an apparent likeness between function names and the usage of WMI connector used to launch a malicious process.
Source (Includes IOCs)
Leaks and Breaches
Hacker group leaks data from several FBI-affiliated websites
- The FBI National Academy Association (FBINAA) has issued a statement noting that three unnamed chapters have been affected by the data breach. Personal information from the websites, in the form of spreadsheets, has been put up for sale by the actor.
- The spreadsheets contain around 4,000 unique records including personal and governmental email addresses, postal addresses, names, titles and phone numbers. The attack vector is currently unknown, but the FBINAA has noted that all three of the compromised chapter websites used ‘a third-party software’.
- TechCrunch contacted one of the actors responsible for the breach. They claimed to have used public exploits targeting outdated plugins to gain access to the data, and to be part of a group of more than 10.
Hackers gain limited access to Microsoft email services
- On April 13th, Microsoft confirmed that unknown actors had breached a subset of customer email accounts between January 1st and March 28th. Access was gained via a set of compromised credentials belonging to a Microsoft support agent, who had the privileges required to access email content in addition to folder names, subject lines and account details.
- Although the leaked credentials were eventually disabled, the data breach affected a wide variety of non-corporate accounts, including Outlook, MSN and Hotmail. The number of compromised customers has not yet been disclosed, but Microsoft has stated that email content was impacted in around 6% of this group.
Rehabilitation Hospital of Northwest Ohio suffers data breach
- The breach occurred due to unauthorised access to employee email accounts in October 2018. It is unclear how many patients were affected as a result, but information including names, Social Security numbers, driving licence numbers, health insurance and patient information was exposed.
Ecuadorian Government websites suffer cyber attacks
- Over thirty websites belonging to the Ecuadorian government were knocked offline or defaced in a coordinated campaign in response to the arrest of Julian Assange. In addition, the identification card numbers belonging to 728 people who work for the Ecuadorian government have also been leaked. These attacks have been arranged and carried out by supporters of WikiLeaks and Assange.
Security researcher exposes zero-days leading to in-the-wild exploitation
- Several critical zero-day flaws in WordPress plugins have been publicly disclosed in the last few weeks by a security researcher, before patches had been made available. The disclosed flaws are now being exploited as part of a wider campaign run by the same threat actor, who has also been exploiting flaws in Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins.
- One of the most recently discovered flaws, is a privilege escalation bug that exists in the Yuzo WordPress plugin. The flaw could allow potential attackers to update arbitrary options on vulnerable installations. After successful exploitation, the malicious actors could change the site and the home URLs with an unauthenticated SQL injection.
- The exploits appeared after the vulnerabilities were disclosed in detail alongside proof-of-concept codes on a site called ‘Plugin vulnerabilities’. The exploits caused all sites using these vulnerable plugins to redirect users to sites pushing tech support scams. The security researcher reportedly published the exploits as a protest against ‘the moderators of the WordPress Support Forum’s continued inappropriate behaviour’.
Mailgun resolves security incident resulting from WordPress plugin hack
- The email automation and delivery service was one of those affected by the recently discovered cross-site scripting flaw in Yuzo Related Posts plugin. Mailgun’s webpage re-directed users to sites outside of their domain.
Siemens patches several serious flaws across its products
- In total, Siemens issued patches for 11 vulnerabilities. These include a high-severity denial-of-service (DoS) flaw, tracked as CVE-2019-6575, affecting some of the SIMATIC, SINEC-NMS, SINEMA, SINUMERIAK and TeleControl industrial products.
- Another DoS vulnerability, tracked as CVE-2019-6568, was patched in the web servers component used by many CP, SIMATIC, SINAMICS, SITOP and TIM industrial products.
- A high-severity DoS flaw, CVE-2017-12741, was also fixed in SIMOCODE pro V EIP.
Zero-day discovered in Internet Explorer
- The vulnerability leverages the way that Internet Explorer processes MHT files, allowing an attacker to steal files from a targeted Windows system. MHT files are set to open in Internet Explorer by default, so a user only needs to double-click on a file for it to execute.
- Page disclosed the vulnerability to Microsoft, who stated that a fix for the issue will be considered in a future version of the product/service, and they have closed the case. Following this, Page publicly disclosed the zero-day.
Lithuanian defense minister targeted by sophisticated fake news campaign
- The disinformation attack began on the 10th April, with a series of emails from a forged Lithuanian Ministry of National Defense address. The emails stated that there was an ongoing corruption case against Defense Minister Raimundas Karoblis, for the acceptance of a USD 586,000 bribe related to weapons procurement.
- The fake story was also inserted into online news portals, including “Kas vyksta Kaune”, the “Baltic Times” and “OpEdNews”. A simplistic animation was also posted to Youtube, which reflects the same fake story.
Facebook, Instagram and Whatsapp services went down worldwide
- The outage occurred on April 14th for users in Europe, Malaysia and parts of the US.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein