Silobreaker Daily Cyber Digest – 15 March 2019
New spam campaign installs clipboard hijackers to steal Bitcoins from victims
- Discovered by My Online Security, the campaign involves infecting victims with a clipboard hijacker that is based on the open source BitPing program. The hijacker monitors the Windows clipboard for Bitcoin wallet addresses and, when detected, will swap them for the attacker’s own Bitcoin address.
Several e-commerce sites infected with card-skimming malware
- Researchers discovered seven sites compromised with a previously unseen strain of sniffing malware, dubbed GMO by Group-IB, that can steal payment card data as visitors make purchases. Sites affected include Fila[.]co.uk, jungleeny[.]com, Forshaw[.]com, absolutenewyork[.]com, cajungrocer[.]com, getrxd[.]com and sharbor[.]com. Fila removed the malware from its site within the last 24 hours; the remaining sites were still infected at the time of writing.
- The sniffing malware uses the gmo domain to exfiltrate stolen data from infected sites, all of which run the Magento e-commerce web platform. The domain was registered last May, and the malware has been active since then. GMO was manually injected into all seven sites, is highly obfuscated, and remains dormant when it detects Firebug or Google Developer Tools running on a victim’s computer.
Hackers leverage credential dumps, phishing and legacy email protocols to breach cloud accounts
- Proofpoint researchers detected a large number of attacks using legacy protocols and credential dumps to boost the speed and effectiveness of brute force attacks. Most of these attacks were found to originate from Nigerian IP addresses.
- According to the researchers, the most commonly abused protocol is IMAP, a legacy authentication protocol that bypasses multifactor authentication. Out of all the unauthorized logins analysed, 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks.
- Moreover, the efficacy of password-spraying attacks was boosted by the use of common variations of usernames and passwords exposed in large credential dumps. The education sector was found to be most vulnerable to this form of attack.
- Proofpoint observed threat actors using stolen credentials to infiltrate users’ cloud application accounts, then using this access to send internal phishing emails and move laterally inside the organization to infect other users. The education sector was again found to be most vulnerable followed by retail, finance, and technology.
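The IMAP-based password spraying described above leaves a recognisable footprint in tenant sign-in logs: one source address failing against many distinct accounts over a legacy protocol in a short window, sometimes followed by a success. The following detector is an added example written for this digest, not Proofpoint's tooling or anything from the original report; it assumes a simple constructed log format (timestamp, user, source IP, protocol, result) and the sample lines are constructed, not real data.

```python
"""Flag legacy-protocol password spraying in constructed sign-in log lines.

Added example, not code from the digest or from Proofpoint. Assumed line
format (constructed): timestamp,user,source_ip,protocol,result
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). 203.0.113.7 sprays five
# accounts over IMAP and gets one success; 192.0.2.9 only touches two accounts.
SAMPLE_LOG = """\
2019-03-14T09:00:01Z,alice@example.edu,203.0.113.7,IMAP,FAIL
2019-03-14T09:00:02Z,bob@example.edu,203.0.113.7,IMAP,FAIL
2019-03-14T09:00:03Z,carol@example.edu,203.0.113.7,IMAP,FAIL
2019-03-14T09:00:04Z,dave@example.edu,203.0.113.7,IMAP,FAIL
2019-03-14T09:00:05Z,erin@example.edu,203.0.113.7,IMAP,FAIL
2019-03-14T09:00:06Z,frank@example.edu,203.0.113.7,IMAP,SUCCESS
2019-03-14T09:05:00Z,alice@example.edu,198.51.100.5,WEB,FAIL
2019-03-14T09:05:30Z,alice@example.edu,198.51.100.5,WEB,SUCCESS
2019-03-14T11:00:00Z,gina@example.edu,192.0.2.9,IMAP,FAIL
2019-03-14T11:00:01Z,hank@example.edu,192.0.2.9,IMAP,FAIL
"""

# Legacy authentication paths that do not carry an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, ip, proto, result = line.strip().split(",")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.lower(), ip, proto.upper(), result.upper())


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: summary} for source IPs that failed against at least
    `min_users` distinct accounts over a legacy protocol inside `window`.
    The summary also lists accounts that the same source then logged into,
    which are the first candidates for a forced password reset."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, proto, result = parse_line(line)
        if proto in LEGACY_PROTOCOLS:          # web/modern-auth logins are out of scope
            events[ip].append((ts, user, result))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window over the source's events, anchored at each event in turn.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "FAIL"}
            if len(failed_users) >= min_users:
                succeeded = sorted({u for _, u, r in in_window if r == "SUCCESS"})
                findings[ip] = {"distinct_failed_users": len(failed_users),
                                "compromised_candidates": succeeded}
                break
    return findings


if __name__ == "__main__":
    for ip, summary in detect_spraying(SAMPLE_LOG).items():
        print(ip, summary)
```

The threshold and window are deliberately parameters: a shared NAT address in a university network can legitimately produce failures from several users, so tune `min_users` per tenant and pair the alert with the protocol field, since the report's point is that legacy IMAP is the path that sidesteps MFA.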
Chinese government officials attacked by GandCrab ransomware
- A statement by the People’s Government of Yiling District, Yichang, revealed that Chinese officials were targeted by GandCrab ransomware. The attack began on March 11th and it is currently unknown how many devices were affected. Based on a name featured in one of the phishing emails, the officials suspect North Korean hackers may be responsible.
New CryptoSink campaign deploys new miner malware targeting Elasticsearch systems
- F5 Networks discovered the campaign, dubbed CryptoSink, leveraging an exploit from 2014, tracked as CVE-2014-3120, to spread new malware designed to deploy an XMR Monero mining script. The campaign was found targeting Elasticsearch systems running on Windows and Linux platforms.
- The Linux platforms were targeted with several previously unknown malware strains that kill competing crypto-miners on the infected machine by ‘sinkholing their pool traffic to 127.1.1.1’ to shut down the mining. In addition, the malware ‘wraps the Linux rm command with a code to randomly reinstall the malware’, which ensures that it survives removal and makes it more complex to understand.
- The campaign has also been observed backdooring the server by adding SSH keys and using C&C servers which are currently located in China.
Leaks and Breaches
Students hack school system to change grades and attendance
- Jim Nielsen, the superintendent of Orchard View Schools in Michigan, stated that they discovered a data breach in their PowerSchool student information system last week. An investigation was launched which uncovered that changes to students’ grades and attendance records had been made.
Unsecured database exposes 33 million job profiles in China
- A database with approximately 33 million profiles of people seeking jobs in China has been left unprotected online. Data exposed includes job seekers’ username, gender, age, city, home address, email address, marriage status, and more.
- Although it is not known who owns the database, there were mentions of job recruitment companies such as 51Jobs, lagou and Zhilian. Sanyam Jain, who discovered the database, believes that a third party has been aggregating the information from these companies.
Pakistani government site leveraged in malware campaign
- The compromised site is a subdomain of the Directorate General of Immigration & Passport of the Pakistani Government. The unknown attacker planted the Scanbox Framework, a malicious payload previously used in a variety of watering hole attacks to gather information about visitors to a site in order to later tailor attacks toward these visitors.
- At the time of the publication of Trustwave’s post, the site remained compromised. Trustwave researchers contacted those responsible for the government site but have not yet received a response.
Attackers discovered exploiting WinRAR UNACEV2.DLL vulnerability
- Check Point researchers discovered a 19-year-old code execution flaw, tracked as CVE-2018-20250, in the WinRAR compression tool. A patched version of the tool was released on February 26th, however attackers are still releasing exploits for systems that have not yet been patched.
- The flaw is exploited by attackers to install persistent malicious applications when a victim opens a compressed ZIP file using any version of WinRAR. The absolute path traversal makes it possible for archive files to extract to the Windows Startup folder without producing a warning. Malicious payloads are then automatically run the next time the computer reboots.
- McAfee reported that over 100 unique exploits for this flaw were identified in the first week of the vulnerability’s exposure, with the majority of targets residing in the US.
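The WinRAR flaw above is an archive path traversal: an entry name that is absolute or climbs out of the extraction directory lands in a location the user never chose, such as the Startup folder. The following check is an added example written for this digest (not WinRAR's code, not the Check Point or McAfee research) showing how an extractor or mail gateway can audit entry names before writing anything; it uses ZIP as the container named in the text, the destination path `/tmp/extract` is an assumed placeholder, and the archive it inspects is constructed in memory rather than a real sample.

```python
"""Audit archive entry names for absolute and relative path traversal.

Added example, not code from the digest or from WinRAR. The sample archive is
constructed in memory; the destination directory is an assumed placeholder.
"""
import io
import os
import re
import zipfile

# Windows drive-letter paths (C:\ or C:/) and UNC paths (\\server\share).
WINDOWS_ABS = re.compile(r"^[A-Za-z]:[\\/]|^[\\/]{2}")


def is_safe_member(name, dest_dir):
    """True only if extracting `name` under dest_dir cannot write outside it."""
    if "\x00" in name or WINDOWS_ABS.match(name):
        return False
    norm = name.replace("\\", "/")        # treat both separators as separators
    if norm.startswith("/"):              # POSIX absolute path
        return False
    if ".." in norm.split("/"):           # any parent-directory component
        return False
    # Belt and braces: resolve the final path and confirm it stays under dest.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    return os.path.commonpath([dest, target]) == dest


def audit_archive(data, dest_dir="/tmp/extract"):
    """Return (safe, rejected) member-name lists for a ZIP given as bytes.
    Nothing is written to disk; this runs before any extraction."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            (safe if is_safe_member(name, dest_dir) else rejected).append(name)
    return safe, rejected


def build_sample_archive():
    """Construct a test ZIP (not a real malicious sample) holding one benign
    entry and three entries whose names try to escape the extraction folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../escaped.txt", "x")
        zf.writestr("C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\"
                    "Start Menu\\Programs\\Startup\\escaped.txt", "x")
        zf.writestr("/etc/cron.d/escaped", "x")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_archive())
    print("safe:", ok)
    print("rejected:", bad)
```

The point of checking names before extraction rather than cleaning up afterwards is the same one the report makes about the Startup folder: once a file is written there, the next reboot runs it, so the decision has to be made while the archive is still only bytes. Python's own `zipfile` strips these names on extraction, but the audit is what lets a gateway quarantine or alert on the archive instead of silently dropping the entry.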
Denial-of-service flaw found in Cisco SPA514G IP phones
- The vulnerability, tracked as CVE-2018-0389, affects Cisco Small Business SPA514G IP phones running firmware release 7.6.2SR2 or earlier. The flaw is in the implementation of Session Initiation Protocol processing and could permit attackers to render the phone unresponsive, resulting in a denial-of-service condition. Cisco has not yet issued a patch.
Intel patches high severity flaws in Graphics Driver for Windows
- Intel has fixed 20 vulnerabilities in the Intel Graphics Driver for Windows, which could lead to escalation of privilege, denial of service, or information disclosure, if exploited by hackers who have access to the attacked system.
- Two of the flaws, CVE-2018-12214 and CVE-2018-12216, were rated as high risk and could lead to escalation of privileges for local users, following a potential memory corruption in the Kernel Mode Driver and insufficient input validation in the Kernel Mode Driver respectively.
- The remaining 18 flaws were all exploitable via local attack vectors and required no user interaction.
Qihoo 360 releases technical details of zero-day flaw in Windows Win32k
- The flaw, tracked as CVE-2019-0808, was recently patched by Microsoft and could allow an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. It affected Windows 7 and Windows Server 2008.
- Qihoo 360 researchers have now released a detailed analysis of the flaw in which they explain how it can be triggered, as well as how Microsoft has addressed this issue. The researchers also developed a proof-of-concept exploit that they have only partially disclosed.
Vulnerability discovered in Cisco Common Services Platform Collector
- Tracked as CVE-2019-1723, the vulnerability is the existence of a default account with a static password. The account doesn’t have administrative privileges, but it could be easily exploited by an attacker to gain remote access.
- The vulnerability has been patched with the release of CSPC 184.108.40.206 and 220.127.116.11.
Cross-site request forgery vulnerability discovered in WordPress
- Discovered by security researcher Simon Scannell, the vulnerability exists in the comment section of all WordPress versions prior to 5.1.1. An attacker can trick a website administrator into visiting an attacker-controlled website, performing a cross-site request forgery exploit against the WordPress blog in the background.
- The WordPress development team have released WordPress 5.1.1, which addresses this issue.
Vulnerability discovered in Sonatype Nexus Repository Manager
- Tracked as CVE-2019-7238, the vulnerability is a critical remote code execution issue in NXRM 3. The vulnerability doesn’t require any form of authentication, allowing an attacker to send a specially crafted request to execute malicious code.
- Sonatype released a patch for the vulnerability on January 11th, 2019.
Researcher publishes raw findings on binary planting zero-days for Windows
- Researcher Frédéric Bourla released his raw findings related to binary planting on Windows installations. Bourla presents opportunities for binary planting, an example of exploitation and details on remediation.
- Bourla contacted Microsoft after discovering that most Windows installations were vulnerable to binary planting, but Microsoft has stated that the issue is not a vulnerability, as the security had been weakened by third-party applications.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.