Silobreaker Daily Cyber Digest – 15 November 2018
New DarkGate malware targets Windows users in France and Spain
- EnSilo researchers discovered a new cryptomining and ransomware campaign distributing malware dubbed DarkGate. The malware has multiple evasion techniques, allowing it to remain undetected by most antivirus solutions over long periods of time. DarkGate was found to bear similarities with a previously identified malware named Golroted.
- DarkGate uses two infection methods, both of which rely on distribution via torrent files disguised as popular films and TV shows that execute malicious VBScripts on victims’ devices. The malware was found to be capable of cryptomining, credential stealing, ransomware and remote-access takeovers.
- DarkGate targets Windows workstations, and has so far been aimed at users in Europe, particularly in France and Spain.
Source (Includes IOCs)
Hackers sell luxury travel services at discount prices on underground markets
- Motherboard has reported on the growing underground travel market selling luxury hotel rooms and flights at discount prices. These bookings are often set up by scammers through stolen loyalty point accounts, abused employee discounts or corrupted industry insiders. However, in some instances, Motherboard suspects bookings were obtained through hacking customers’ accounts or by using stolen credit card details.
- Most of these discount travel services were found to be offered on Russian-language underground forums. Others were found on forums in English and Arabic. These services are believed to have been offered as early as 2005.
Researchers find large number of ATMs to be vulnerable to a series of attacks
- Positive Technologies researchers tested a variety of ATMs and found that 69% of them were vulnerable to Black Box attacks, in which the device is compromised so that it dispenses bank notes on the attacker’s command.
- For some of the models tested, the researchers found that these attacks can be carried out in just 10 minutes. The sampled ATMs include devices by NCR, Diebold Nixdorf and GRGBanking.
- The research team also found 85% of tested ATMs to be poorly secured against network attacks such as spoofing processing centres to approve withdrawal requests or increasing the number of notes dispensed.
E-commerce sites often reinfected with Magecart malware after clean-up
- Security researcher Willem de Groot discovered that online stores infected with Magecart malware often get reinfected. His study of 40,000 domains revealed that 21.3% of the studied websites were reinfected with Magecart following its removal.
- De Groot also found that some online stores were reinfected up to 18 times. Moreover, the researcher revealed that reinfection typically happens in a shorter time than the clean-up itself took.
Mylobot malware distributes Khalesi malware in ongoing global campaign
- CenturyLink researchers reported on the ongoing global campaign distributing the Mylobot downloader. The malware was found to be capable of executing any type of malicious payload following the infection of a victim’s device. CenturyLink have observed that since June 2018, it has been downloading the Khalesi malware.
- The highest number of infected IP addresses were registered in Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile, and Egypt.
Source (Includes IOCs)
Leaks and Breaches
Unsecured Kars4Kids database leaks personal data of donors
- Security researcher Bob Diachenko found that a misconfigured MongoDB database belonging to Kars4Kids publicly leaked 21,612 customer/donor and corporate records. The corporate records exposed further information such as donors’ vacation vouchers and receipts containing personal data including emails, home addresses and phone numbers.
- Diachenko also discovered evidence of a ransom note which suggests that cybercriminals may have accessed the leaked database. It is not known for how long the database remained exposed. The charity secured the database several days after Diachenko’s report.
City of Bakersfield suffers data breach from hacked Click2Gov system
- The City of Bakersfield has published a data breach notice after fraudulent activity was discovered on payment cards that had been legitimately used on the Bakersfield website. An unauthorised party had inserted malicious code into Bakersfield’s online payment system, Click2Gov.
- The code was created to capture payment card data and other information entered into the online payment system between August 11th, 2018 and October 1st, 2018.
- Data breached includes names, addresses, email addresses, payment card numbers, expiration dates and card security codes.
Hackers find flaws in iPhone X, Samsung S9 and Xiaomi Mi6 during Pwn2Own competition
- During the Pwn2Own competition at the PacSec security conference in Tokyo, hackers demonstrated several bugs in the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 that could allow attackers to completely take over the targeted device.
- Amat Cama and Richard Zhu of team Fluoroacetate hacked the Xiaomi Mi6 by using the touch-to-connect feature to navigate to a web page that exploited an out-of-bounds write vulnerability in WebAssembly, leading to code execution and earning them $30,000.
- The team also targeted the Samsung Galaxy S9 with a heap overflow in the baseband component, earning them a further $50,000. In addition, they targeted the iPhone X with a JIT vulnerability in the web browser and an out-of-bounds write bug for the sandbox escape and privilege escalation, earning a final $60,000.
Cranes exposed to possible cyber-espionage attacks
- In October, a vulnerability was discovered in Telecrane’s F25 Series remote controls used for cranes that allowed anyone to listen in on the remote control’s communications and subsequently be able to view commands, control the device, replay commands or stop the device from running.
- The F25 series includes a wide range of applications used for cranes that could leave the machinery vulnerable. Telecrane has released a firmware update for the flaw.
Researchers discover new Meltdown and Spectre Attacks
- Researchers from the Graz University of Technology and the College of William and Mary, including some of the experts who discovered the original Meltdown and Spectre vulnerabilities, have disclosed seven new variants of the Spectre and Meltdown attacks that leverage a technique known as transient execution.
- The report states, ‘transient execution attacks leak otherwise inaccessible information via the CPU’s microarchitectural state from instructions which are never committed’. The researchers found that some transient execution attacks have not been successfully mitigated by the patches released for the original Meltdown and Spectre flaws, whilst others were overlooked.
- The new attacks affect Intel, AMD and ARM processors.
Siemens releases seven advisories for SIMATIC SCALANCE vulnerabilities
- Members of China’s CNCERT/CC discovered two high severity flaws in SIMATIC S7 CPUs, which could allow an attacker to cause a denial-of-service condition by sending specially crafted packets, provided that the attacker has access to impacted devices on TCP port 102 via Ethernet, MPI or Profibus.
- Exploitation could cause the targeted device to go into defect mode until it is manually rebooted.
- Siemens also reported to customers that some SIMATIC human-machine interfaces (HMIs) are affected by a high severity flaw that can be exploited by an unauthenticated attacker to download arbitrary files from a device with no user interaction.
State sponsored actors focus their attacks on Asia
- Group-IB have stated in their annual Hi-Tech Crime Trends Report 2018 that ‘in just one year, 21 state-sponsored groups were detected in this area, which is more than in the United States and Europe’.
- In particular, financial institutions and their customers within Asia were hit the worst. The report highlights cases such as the ONI ransomware attacks, which impacted Japanese banks in 2017 and the South Korean Olympics.
CEO and finance director of Pathé’s Dutch branch sacked after BEC Scam
- Edwin Slutter and Dertje Meijer fell victim to a BEC scam that led to criminals stealing $21 million. Both Slutter and Meijer were fired, and are currently suing for unfair dismissal.
- The scam involved a spoofed email address from the alleged CEO of the French film company that was sent to Meijer in March this year. The email claimed the firm was in acquisition talks with a Dubai company and needed to send a confidential payment of $931,600, which would be repaid at the end of the month.
- Meijer authorised the payment to a bank account operated by ‘Towering Stars General Trading LLC’ in Dubai. Three more payments followed, adding up to a total of $21 million.
Bots pose cyber risks to airline industry
- A report by Distil Networks researchers highlights the cybersecurity issues caused by bots within the airline industry. According to the report, 44% of traffic on airline websites, apps and APIs is generated by bots, roughly twice the share seen in other industries.
- Bots are used by criminals to steal loyalty rewards, credentials, payment data or personal information, conduct credit card fraud or carry out credential stuffing attacks.
- The majority of bot traffic was found to originate from the US, followed by Singapore and China. The report also notes that not all bot activity can be classified as harmful and in many instances, bots are used for legitimate purposes such as by travel aggregators to scrape prices and other travel information.
Car repair company employee sentenced to jail for data theft
- According to the Information Commissioner’s Office (ICO), Mustafa Kasim has been sentenced to six months in jail after he used his colleagues’ logins to access thousands of customer records without permission, whilst working for Nationwide Accident Repair Services (NARS). Kasim continued to access this data after moving to another firm which used the same software system.
- The data accessed includes customer names, phone numbers, and vehicle and accident information. NARS began an investigation after customers began to complain of receiving nuisance calls, indicating the possibility of the data being sold on to a third party.
The US declines to sign cybersecurity pact
- The US has declined to sign the ‘Paris Call for Trust and Security in Cyberspace’, an agreement that aims to lay out international laws and guidelines for cyberwarfare as well as support human rights online. The pact has been signed by 51 countries, 90 charities and universities, and 150 tech companies such as Google, Microsoft, IBM and Facebook.
- Countries that have refused to sign the pact include Russia, North Korea and China. The divide has been described as one between ‘entities wanting a regulated internet and those who don’t’.
US congressional advisory panel warns US government against purchasing Chinese technology
- In an annual report, the US-China Economic and Security Review Commission warns about the potential risks for the US government and private sector associated with the purchase of Chinese technology. According to the report, ‘China’s role as an economic and military competitor to the United States creates enormous economic, security, supply chain, and data privacy risks for the United States’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.