Threat Reports

Silobreaker Daily Cyber Digest – 15 January 2019

 

Malware

New ransomware includes PayPal phishing in its ransom note

  • A new ransomware which is currently under development has been discovered attempting to encrypt victims’ files and steal PayPal credentials.
  • While the campaign attempts to steal funds through a normal Bitcoin ransom payment, the ransom note also offers a choice to pay via PayPal. If the PayPal option is chosen, the user is redirected to a phishing site that attempts to steal the victim’s PayPal credentials.

Source

 

Ongoing Campaigns

Phishing scam targets companies registering for Australian commercial projects

  • Anomali Labs have observed a phishing scam that attempts to trick companies into believing they have been invited by the Australian government to submit a tender for projects.
  • The link to an online portal purporting to belong to the Department of Infrastructure and Regional Development is actually a page designed to steal users’ login credentials.

Source (Includes IOCs)

 

Singapore Airlines warn of phishing scam

  • Following recent reports of a data breach affecting Singapore Airlines (SIA), the airline has now issued a warning against scams and phishing sites promising users free airline tickets.
  • In particular, a fraudulent survey is being distributed via WhatsApp, asking users if they have travelled with the airline and claiming that SIA are offering free tickets in celebration of their anniversary.
  • According to SIA’s warning, the scam is designed to trick users into providing their personal and credit card information.

Source  

 

New Valentine’s day themes malspam campaign discovered

  • A large malspam campaign has been observed using romantic email subjects in an attempt to infect recipients with ransomware, miners, and more. The emails contain subjects such as ‘Love You’ and ‘This is my love letter to you’, and the content includes a ZIP file containing a JavaScript file.
  • When executed, the obfuscated JavaScript file runs a PowerShell command that downloads malware dubbed krablin[.]exe and executes it. Once executed, the malware attempts to download and execute five other malware samples GandCrab ransomware version 5.0.4, a Monero XMRig miner and the Phorpiex spambot.

Source

 

Cold River targeting Middle Eastern organisations

  • Researchers at Lastline discovered Cold River, a threat actor who has reportedly been leveraging DNS tunnelling, certificate spoofing and DNS subdomain hijacking activities against Middle Eastern organisations.
  • Two Microsoft Word documents with malicious macros were also discovered, which both in turn dropped payload variants called AgentDrable. AgentDrable primarily operates as a reconnaissance tool capable of running commands given by the attacker’s C&C server, downloading and executing files, and exfiltrating data.
  • The campaign operates multiple C&C servers and several domains that appear to have had their DNS entries taken over via TLS exchange interception.

 Source (Includes IOCs)

 

Vulnerabilities

Flaws in Schneider Electric’s vehicle charging stations patched

  • Three vulnerabilities in Schneider Electric’s EVlink Parking vehicle charging stations have been patched. The flaws affected EVlink Paring v3.2.0-12_v1 and earlier.
  • The first vulnerability, CVE-2018-7800, permits access with maximum privileges, enabling hackers to stop the charging process, switch the device to reservation mode and unlock the cable during charging.
  • The second vulnerability, CVE-2018-7801, allows attackers to execute arbitrary commands in the system, and the third vulnerability, CVE-2018-7802, enables hackers to bypass authorization and gain access to the web interface with full privileges.

Source

 

Flaws found in PremiSys IDenticard building access control systems

  • Tenable researchers discovered several vulnerabilities in PremiSys IDenticard, an identification and building access management system.
  • One of the flaws, tracked as CVE-2019-3906, relates to a hardcoded backdoor account that can provide attackers with administrative access to the system, allowing them to dump contents of the badge system database or modify its contents.
  • Another flaw, tracked as CVE-2019-3907, is linked to a weak encryption method used for hashing credentials and other sensitive data. The researchers also found a flaw, CVE-2019-3909, that leads to the backups and the database, installed by the IDenticard service, using default passwords that can be easily obtained and cannot be changed by the user.  

Source

 

Intel issues patches for vulnerabilities in Software Guard Extensions

  • The first flaw, CVE-2018-18098, is an improper file verification that allows an escalation of privilege via local access.
  • The second flaw, CVE-2018-12155, is a data leakage in cryptographic libraries that could allow an attacker with local access to retrieve information used by Intel IPP.

Source  

 

36-year-old SCP implementations vulnerable to four bugs

  • All Secure Copy Protocol implementations from 1983 onwards were discovered to include four vulnerabilities that could allow a malicious SCP server to carry out unauthorized changes to a client’s system, as well as ‘hide malicious operations in the terminal’.
  • Researcher Harry Sintonen discovered the vulnerabilities, which are identified as CVE-2018-20685, CVE-2019-6111, CVE-2019-6109 and CVE-2019-6110.

Source

 

Researchers discover a way to execute commands on Play with Docker Servers

  • Researchers have been able to use improperly secured privileged containers on the Play with Docker (PWD) testing platform to escape Linux containers and run arbitrary code on the host system. An attacker exploiting this flaw could have gained high-level access to PWD and have access to all running containers.
  • The exploit leverages the fact that containers all use the same kernel code. ‘Escaping the container’ is the first step in the attack, as many enterprise infrastructures run public facing containers, leading into the enterprise network.
  • The researchers then gained access to the root directory and were able to set up a reverse shell command and run arbitrary code on the host.

Source

 

Multiple flaws found in popular web hosting platforms

  • Researcher Paulos Yibelo discovered that websites hosted on Bluehost, Dreamhost, HostGator, OVH or iPage could be compromised with one click client-side vulnerabilities. At least one vulnerability was found on each of these platforms.
  • The most severe flaw relates to a misconfiguration of cross-origin-resource-sharing in Bluehost, which could allow a domain, controlled by a malicious actor, to send requests to a legitimate domain, permitting the harvesting of data.
  • Other flaws Yibelo discovered on these platforms could lead to man-in-the-middle attacks, cross-site scripting or account takeover.

Source

 

General News

Cybersecurity risks still affect the Pentagon network

  • A recent audit undertaken by the Defence Department Inspector General has found that the Department of Defence is still lacks urgency in addressing cybersecurity recommendations that have been advised to reduce the risks affecting the Pentagon’s network.
  • The audit discovered a total of 266 different unresolved issues that were discovered dating back to 2008.  

Source

 

Ethereum Classic hacker returns $100,000 in stolen funds

  • The hacker who carried out a 51 percent attack on the cryptocurrency exchange reportedly returned $100,000 of the cryptocurrency funds, while keeping an estimated $1 million for themselves.
  • It is currently unknown why the hacker returned a portion of the funds.

Source

 

British cybercriminal jailed for conducting DDoS attacks

  • Daniel Kaye, from Egham, Surrey, has been sentenced to two years and eight months for conducting attacks that resulted in disruption to a Liberian telecommunications provider. He pled guilty to creating and using a botnet and possessing criminal property.
  • He was paid by a rival Liberian network provider to conduct distributed denial-of-service attacks on Lonestar MTN in October 2015. His botnet created such a large volume of traffic that it disabled internet access in Liberia.

Source

 

GoDaddy injects JavaScript that could break customer sites

  • Domain registrar GoDaddy has been observed injecting JavaScript into US customer websites resulting in the possibility of the websites failing. An administrator discovered the issue after investigating issues with the admin interface of the website, finding an error triggered by a JavaScript file failing to load.
  • GoDaddy reportedly justified injecting the JavaScript into websites without consent by stating that they were collecting metrics to improve performance.

Source

 

Potential rise in threat actors peddling physical crime on cyber crime platforms

  • Trend Micro report that cybercriminals are increasingly evolving into professional crime groups that can rival traditional organized crime. These cyber crime groups are expanding their revenue streams by delving into physical crime, while organized crime groups are increasingly aware of cyber crime’s profitability.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

More News

  • Silobreaker Daily Cyber Digest – 15 February 2019

      Malware GandCrab exploits software flaw to infect customers of remote IT support firms Hackers have exploited a two-year-old-flaw, tracked as CVE-2017-18362, in the...
  • Silobreaker Daily Cyber Digest – 14 February 2019

      Malware New Shlayer variant targets macOS users and disables Gatekeeper protection mechanism A new malware variant, dubbed Shlayer, has been observed in the...
  • Silobreaker Daily Cyber Digest – 13 February 2019

      Malware New Trickbot variant is capable of stealing remote application credentials According to Trend Micro researchers, the new Trickbot variant is delivered via...
View all News

Request a demo

Get in touch