Silobreaker Daily Cyber Digest – 15 August 2019
Norman cryptominer uses variety of techniques to avoid detection
- Researchers at Varonis discovered Norman malware while investigating a cryptomining attack which had infected nearly every device at an unnamed company.
- Norman is an XMRig-based cryptominer that mines Monero. It evades detection by terminating itself when a user opens Task Manager and resuming once Task Manager is closed. The malware also keeps a channel open to the attacker's C2 server, through which it can be terminated or suspended on demand.
- The researchers also found that the compromised devices were infected with an interactive PHP shell that was continually connected to a C2 server. They could not conclusively link the PHP shell to the cryptomining campaign.
Source (Includes IOCs)
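A detection a defender might build for the Task Manager behaviour described above, added here as an illustration (this is not Varonis's code, and Norman's actual process name is not taken from the page): it scans process start/stop events for any process that exits within a few seconds of Taskmgr.exe starting and is relaunched, under the same image path, within a few seconds of Taskmgr.exe exiting. The CSV log format, the 10-second window, the paths and the PIDs are all constructed for the example.

```python
"""Flag processes that exit when Task Manager opens and return when it closes.

Added example, not Varonis's tooling. The log format is a constructed CSV
(timestamp,event,image,pid); real telemetry such as Sysmon process create and
terminate events would need its own parser.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: a miner masquerading as svchost.exe in a user
# profile dies one second after Taskmgr.exe starts and is relaunched (new PID)
# three seconds after Taskmgr.exe exits. notepad.exe is benign noise.
SAMPLE_LOG = """\
2019-08-14T09:00:00,start,C:\\Users\\bob\\AppData\\Roaming\\svchost.exe,4120
2019-08-14T09:00:01,start,C:\\Windows\\System32\\notepad.exe,2200
2019-08-14T09:05:00,start,C:\\Windows\\System32\\Taskmgr.exe,5004
2019-08-14T09:05:01,stop,C:\\Users\\bob\\AppData\\Roaming\\svchost.exe,4120
2019-08-14T09:06:30,stop,C:\\Windows\\System32\\Taskmgr.exe,5004
2019-08-14T09:06:33,start,C:\\Users\\bob\\AppData\\Roaming\\svchost.exe,4388
2019-08-14T09:30:00,stop,C:\\Windows\\System32\\notepad.exe,2200
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # "start" or "stop"
    image: str  # full path of the executable
    pid: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, image, pid = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), kind, image, int(pid)))
    return sorted(events, key=lambda e: e.ts)


def _is_taskmgr(image: str) -> bool:
    return image.lower().endswith("\\taskmgr.exe")


def find_taskmgr_evasion(events: List[Event], window_seconds: int = 10) -> List[Dict]:
    """Return one hit per process that died right after Task Manager opened and
    reappeared (same image path, any PID) right after Task Manager closed."""
    window = timedelta(seconds=window_seconds)

    # Pair each Task Manager start with its stop by PID.
    open_tm: Dict[int, datetime] = {}
    sessions = []
    for e in events:
        if not _is_taskmgr(e.image):
            continue
        if e.kind == "start":
            open_tm[e.pid] = e.ts
        elif e.kind == "stop" and e.pid in open_tm:
            sessions.append((open_tm.pop(e.pid), e.ts))

    hits = []
    for tm_start, tm_stop in sessions:
        # Non-Task Manager processes that stopped shortly after it appeared...
        died = [e for e in events
                if e.kind == "stop" and not _is_taskmgr(e.image)
                and tm_start <= e.ts <= tm_start + window]
        for d in died:
            # ...and started again under the same path shortly after it closed.
            relaunched = [e for e in events
                          if e.kind == "start" and e.image.lower() == d.image.lower()
                          and tm_stop <= e.ts <= tm_stop + window]
            for r in relaunched:
                hits.append({"image": d.image, "killed_pid": d.pid,
                             "relaunched_pid": r.pid,
                             "taskmgr_open": tm_start, "taskmgr_close": tm_stop})
    return hits


if __name__ == "__main__":
    for hit in find_taskmgr_evasion(parse_log(SAMPLE_LOG)):
        print(f"suspect: {hit['image']} pid {hit['killed_pid']} -> {hit['relaunched_pid']}")
```

The window is the main tuning knob: too short and a miner that waits before relaunching slips through, too long and ordinary processes closed by the user while Task Manager is open start to match. On real telemetry, correlating by image hash rather than path also catches a miner that re-drops itself under a new filename.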
Malware campaign targeting devices in the Balkans since 2016
- Researchers at ESET identified a long-running campaign targeting organisations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina. The attacks target the organisations' financial departments, and the researchers assessed that the campaign is financially motivated.
- The attacker has been distributing two tools, the BalkanDoor backdoor and BalkanRAT, via email links that lead to the download of a malicious file. The two tools are used together: BalkanDoor gives the attacker command-line access to the machine, while BalkanRAT gives them a graphical remote-control interface.
Source (Includes IOCs)
Attackers use Sendgrid to avoid security detection and deliver Orcus RAT
- Researchers at Cofense discovered that the attacks begin with emails purporting to be from the Better Business Bureau. The malicious emails contain a link hosted on the email delivery platform Sendgrid.
- Because Sendgrid link domains are generally whitelisted by security products, the link passes through filtering undetected. Users who follow the link are redirected to download a ZIP file containing a Visual Basic script. The VB script then connects to Zippyshare; users who click the ‘download now’ button there infect their systems with Orcus RAT.
- The malware can perform remote code execution, webcam monitoring, access the microphone, steal passwords, and more.
Source (Includes IOCs)
Leaks and Breaches
Credit Karma website exposing user data to other users
- Users of Credit Karma across Reddit and Twitter have stated that when they initially log in, they are presented with their own, correct data. However, after refreshing, they are presented with data belonging to someone else. Every subsequent refresh presents users with a different set of data.
- Other users’ credit files can be accessed, as well as their full credit reports, which contain personally identifiable information such as names and addresses.
- A spokesperson for Credit Karma has denied that a data breach has occurred, instead stating that there was a technical malfunction, which has since been fixed.
Ohio ophthalmologist suffers ransomware attack
- Eye Care Associates, based in Youngstown, Ohio, was hit by a ransomware attack on July 28th, 2019. No sensitive information was stolen. The incident report, filed on August 12th, 2019, stated that ‘unknown computer hacking software had taken control of the entire Eye Care Associates computer system’.
- The company did not pay the ransom, and instead restored backup copies of data.
Charleston County Employees data exposed in email leak
- An email containing data on 824 current and former Charleston County employees was accidentally sent out by a member of the human resources department. Leaked data includes names, dates of birth, social security numbers, salaries and hire dates. The employee who sent the email will be subject to a disciplinary process, and credit monitoring is being offered to those affected.
Renown Health suffers data breach
- The data breach occurred on June 30th, 2019, as the result of a misplaced USB drive. Breached data included names, diagnosis information, clinical information and medical record numbers. It is not clear how many individuals have been impacted by the breach.
Biometric security breach leaks details of millions of people
- Researchers at vpnMentor identified an unprotected Elasticsearch database that belongs to web based biometric security smart lock platform BioStar 2.
- Information in the database included employee details such as unencrypted usernames and passwords. Additionally, the database contained 1 million fingerprint records and facial recognition information.
- BioStar 2 is built by Suprema and is integrated into Nedap’s AEOS access control system. AEOS is used in 83 countries by 5,700 organizations, including governments, banks, the Metropolitan Police, and more.
Grays Harbor Community Hospital hit by ransomware
- The ransomware attack was originally discovered in June 2019, and affected both Grays Harbor Community Hospital and Harbor Medical Group in Grays Harbor County.
- Most patient health care information has since been restored, and the hospital stated that no personal information was ever released to unauthorised parties. However, some data remains encrypted and may never be recovered.
Vulnerabilities discovered in VoIP telephones
- Researchers at the Fraunhofer Institute for Secure Information Technology have discovered 40 vulnerabilities in VoIP telephones that could allow attackers to deactivate devices, intercept calls, and gain access to a company network. 33 VoIP devices across 25 different manufacturers were tested, with a comprehensive list available on their website.
- The device manufacturers have been contacted, and all of the vulnerabilities outlined have been patched.
Vulnerability discovered in Apache Solr
- Information on a parameter injection issue in Apache Solr has been published on GitHub by a user named ArtSploit. The injection allows an attacker to view and modify all data within the Solr cluster, and can be chained with known Solr vulnerabilities to achieve remote code execution.
- Vulnerabilities that can be chained in this way to achieve remote code execution include CVE-2017-12629, CVE-2019-0193 and CVE-2013-6397.
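The general injection class behind this item, as an added example rather than ArtSploit's research code: an application that concatenates user text into a Solr /select URL lets the user append extra request parameters (here fl=* and a very large rows value, which together dump every stored field of every document), beside a hardened builder that URL-encodes values so an ampersand cannot terminate the q parameter, caps rows, and refuses Solr local-parameter syntax ({!...}) at the start of user input, since that syntax switches the query parser and was the entry point for the CVE-2017-12629 XXE listed above. The host name in SOLR_BASE and the field names are assumptions.

```python
"""Query-parameter injection into a Solr request URL, and a hardened builder.

Added example, not ArtSploit's code. SOLR_BASE is a hypothetical address; the
attack string and field names are constructed for the demonstration.
"""
from typing import Dict, List, Sequence
from urllib.parse import parse_qs, urlencode, urlsplit

SOLR_BASE = "http://solr.internal:8983/solr/products/select"  # assumed address


class UnsafeSolrInput(ValueError):
    """Raised when user-supplied search text looks like a parser directive."""


def build_query_unsafe(user_text: str) -> str:
    """Vulnerable: raw string concatenation into the query string, so an '&'
    in user_text ends q and starts a new, attacker-chosen parameter."""
    return f"{SOLR_BASE}?q={user_text}&fl=id,name&rows=10"


def build_query_safe(user_text: str, fields: Sequence[str] = ("id", "name"),
                     rows: int = 10, max_rows: int = 100) -> str:
    """Hardened builder: encode values, cap rows, refuse local-parameter syntax."""
    # Solr reads {!...} at the start of a parameter value as local parameters
    # that select the query parser (e.g. {!xmlparser ...} in CVE-2017-12629).
    # Percent-encoding does not help here because Solr sees the decoded value,
    # so reject it outright as defence in depth.
    if user_text.lstrip().startswith("{!"):
        raise UnsafeSolrInput("Solr local parameters are not allowed in search text")
    params = [
        ("q", user_text),
        ("fl", ",".join(fields)),
        ("rows", str(min(int(rows), max_rows))),
    ]
    # urlencode percent-encodes '&', '=' and '*', so they stay inside q.
    return f"{SOLR_BASE}?{urlencode(params)}"


def parse_params(url: str) -> Dict[str, List[str]]:
    """Decode the query string the way Solr's servlet would: one list per name."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    attack = "laptop&fl=*&rows=1000000"
    print("unsafe:", parse_params(build_query_unsafe(attack)))
    print("safe:  ", parse_params(build_query_safe(attack)))
```

Encoding fixes only the parameter-boundary problem the application introduces; it does nothing for a Solr instance that the attacker can reach directly, which is why the listed CVEs still need patching and the Solr API should not be exposed to untrusted clients.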
Intel patches vulnerabilities across seven product lines
- Intel’s NUC, Processor Identification Utility for Windows, and Computing Improvement Program contained vulnerabilities rated as high severity. The issues are tracked respectively as CVE-2019-11140, CVE-2019-11163, and CVE-2019-11162.
- Four medium rated issues were patched in Intel RAID Web Console 2, Authenticate, Driver & Support Assistant and Remote Displays SDK.
Trend Micro Password Manager DLL vulnerabilities lead to privilege escalation
- Researchers at SafeBreach Labs and Infiniti Team identified two DLL hijacking vulnerabilities in Trend Micro Password Manager 5.0 that could allow an attacker to gain higher privileges.
- CVE-2019-14684 could be exploited by an attacker to load an arbitrary unsigned DLL into the signed service’s process. CVE-2019-14687 is a similar vulnerability but uses a different DLL. Both issues have now been resolved by Trend Micro.
SAP patches three critical vulnerabilities in products
- SAP released 12 security notes, three of which are new critical vulnerabilities, and one of which is an update to a security note for a critical vulnerability in their Business Client, released in April 2018.
- The three new critical vulnerabilities are present in NetWeaver UDDI Server, Commerce Cloud, and NetWeaver Application Server for Java.
Siemens SCALANCE X-200 switches vulnerable to DoS attack
- Nozomi Networks researchers identified the vulnerability, tracked as CVE-2019-10942, which can cause a denial-of-service condition when an attacker sends large messages to the switch’s Telnet service. To exploit the vulnerability, an attacker would need access to the network housing the switches.
- Siemens has not yet patched the issue, instead advising customers to disable the Telnet service on affected devices.
Lenovo ThinkPad contains unpatched vulnerability
- CVE-2019-6171 is rated as a medium-severity vulnerability and could allow an attacker with administrative privileges or physical access to escalate their privileges by updating the embedded controller with unsigned firmware.
- The vulnerability is present in ThinkPads sold from 2015 to 2016. Lenovo has not yet patched the flaw.
Huawei technicians allegedly assisting in political opponent spying
- An investigation by the Wall Street Journal claims that Huawei technicians in Uganda and Zambia have assisted in spying on political opponents by intercepting encrypted communications and tracking opponents using cellphone data.
- One of the claims is that a WhatsApp group belonging to Bobi Wine, a political opponent of President Yoweri Museveni, was accessed using Israeli-made spyware. Bobi Wine was then arrested alongside supporters as a result of data found in the group.
- Huawei has responded to the claims, stating that they have never engaged in any hacking activities.
Educational institutions targeted by trojans and ransomware in 2018-2019
- Malwarebytes Labs researchers have reported that educational institutions were the most targeted sector for trojan malware and adware, and the second most targeted sector for ransomware.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.