Silobreaker Daily Cyber Digest – 16 May 2019
Morphisec researchers discover new variant of H-worm with changes in obfuscation technique
- According to the researchers, H-worm continues to be used in large-scale spam phishing campaigns. The new variant uses a fileless VBScript loader that leverages DynamicWrapperX, a freeware ActiveX component also used by DarkComet and KilerRAT, among others.
New Linux variant of Winnti malware discovered
- Following reports of Winnti malware targeting a German pharmaceutical company in April 2019, Chronicle researchers analysed a variety of campaigns leveraging Winnti.
- While reviewing a 2015 report of a Winnti attack against a Vietnamese gaming company, the researchers discovered a small number of Winnti samples designed specifically for Linux.
- The Linux version of Winnti consists of a main backdoor and a library designed to hide the malware’s activity on an infected system. In their blog post, the researchers provide a technical analysis of the malware, its functionality and its components.
Source (Includes IOCs)
Researchers discover tech support scams using Microsoft Azure cloud platform
- Azure App Service lets customers deploy websites to Microsoft's cloud at scale. A deployed site is hosted under a name chosen by the customer on Azure's own website domain.
- Researchers have now discovered nearly 200 websites hosted on Azure App Service that display tech support scams.
- Because of the high volume of abuse reports Microsoft receives, the scam sites tend to stay active for four to five days, which gives the scammers enough time to create new Azure accounts and mass-deploy replacement sites before the old ones are taken down.
Magecart skimming malware discovered on Forbes magazine subscription website
- Researcher Troy Mursch discovered that attackers had installed Magecart skimming code on the Forbes magazine subscription website. The skimmer captures payment card details entered on the page and sends them to a server controlled by the attackers.
- The payment page has been taken offline. A Forbes spokesperson stated that it does not appear that the hackers have accessed any credit card information.
Rise in ‘cipher stunting’ as bots are used to avoid TLS detection
- Akamai researchers observed attackers using a technique they named ‘cipher stunting’ to evade detection by randomizing the SSL/TLS client fingerprint, for example by varying the order and set of cipher suites offered in the TLS ClientHello.
- The researchers noted a sharp rise in the number of distinct TLS fingerprints seen as cipher stunting spread: from tens of thousands in August 2018 to over a billion by February 2019. The rise in attacks correlates with the growing adoption of SSL/TLS by web applications as their default transport.
- Attackers are primarily targeting businesses, airlines, banks and dating websites to gather credentials and data.
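The fingerprinting that cipher stunting is designed to defeat works by hashing the fields of the TLS ClientHello. The example below is added here to illustrate that mechanism; it is not code from Akamai or from the digest. It builds a JA3-style fingerprint (TLS version, cipher suites, extensions, elliptic curves and point formats, joined and MD5-hashed, with GREASE values excluded), shows that merely reordering the same cipher suites changes the fingerprint, and runs a simple detection heuristic over a constructed log: a client that presents many distinct fingerprints from one source address is treated as suspicious, since a genuine browser build presents only one or a few. The ClientHello contents, the IP addresses and the threshold of three fingerprints are assumptions for the example.

```python
import hashlib
import random
from collections import defaultdict

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random by design and excluded
# from JA3, otherwise every Chrome ClientHello would hash differently.
def is_grease(v: int) -> bool:
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A

def ja3_string(hello: dict) -> str:
    """JA3 string: version,ciphers,extensions,curves,point_formats ('-' within a field)."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(hello["version"]),
        field(hello["ciphers"]),
        field(hello["extensions"]),
        field(hello["curves"]),
        field(hello["point_formats"]),
    ])

def ja3_hash(hello: dict) -> str:
    """The fingerprint actually stored in logs: MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

# Constructed ClientHello resembling a modern browser (assumption, not a capture).
BASE_HELLO = {
    "version": 0x0303,                      # TLS 1.2 record version = 771
    "ciphers": [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F, 0xC02C, 0xC030,
                0x009C, 0x009D, 0x002F, 0x0035],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27],
    "curves": [29, 23, 24],
    "point_formats": [0],
}

def stunt(hello: dict, rng: random.Random) -> dict:
    """Emulate cipher stunting: same cipher set, randomized order. The client's real
    capabilities do not change, but the fingerprint hash does."""
    stunted = dict(hello)
    ciphers = list(hello["ciphers"])
    rng.shuffle(ciphers)
    stunted["ciphers"] = ciphers
    return stunted

def stunted_fingerprints(hello: dict, n: int, seed: int) -> set:
    """Distinct fingerprints produced by n stunted ClientHellos from one client."""
    rng = random.Random(seed)
    return {ja3_hash(stunt(hello, rng)) for _ in range(n)}

def build_sample_log(seed: int = 1) -> list:
    """Constructed (client_ip, ja3_hash) records: one normal client, one stunting bot."""
    normal_ip, bot_ip = "203.0.113.10", "198.51.100.7"      # documentation ranges
    records = [(normal_ip, ja3_hash(BASE_HELLO)) for _ in range(20)]
    rng = random.Random(seed)
    records += [(bot_ip, ja3_hash(stunt(BASE_HELLO, rng))) for _ in range(20)]
    return records

def flag_stunters(records, threshold: int = 3) -> dict:
    """Heuristic (assumption): a source presenting more than `threshold` distinct
    fingerprints is randomizing its ClientHello. Returns {ip: distinct_count}."""
    seen = defaultdict(set)
    for ip, fingerprint in records:
        seen[ip].add(fingerprint)
    return {ip: len(fps) for ip, fps in seen.items() if len(fps) > threshold}

if __name__ == "__main__":
    print("base JA3 string:", ja3_string(BASE_HELLO))
    print("base JA3 hash:  ", ja3_hash(BASE_HELLO))
    print("distinct hashes from 20 stunted hellos:",
          len(stunted_fingerprints(BASE_HELLO, 20, seed=7)))
    print("flagged sources:", flag_stunters(build_sample_log()))
```

The point of the heuristic is that fingerprint hashes alone stop being a reliable blocklist key once clients randomize them; counting distinct fingerprints per source (or per session, user agent or ASN) turns the randomization itself into the signal, at the cost of a window long enough to see several handshakes from the same client.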
Proofpoint publishes report on threat actor TA542
- TA542 was first identified in 2014 after reports emerged of activity involving the group’s signature payload, Emotet. The group has used several variants of the malware in widespread email campaigns targeting North America, Central America, South America, Europe, Asia and Australia, and uses Emotet to deliver banking malware such as IcedID and GootKit.
- Proofpoint’s report includes a detailed analysis of the evolution of Emotet, and of the group’s campaigns, including delivery emails, attachments, and more.
Leaks and Breaches
University of California San Diego failed to notify patients of data breach
- The university allegedly failed to notify 24 HIV-positive patients that their data was accessible by employees at a partnered non-profit organization in October 2018. The affected patients were involved in the university’s ‘EmPower Women’ study.
- The compromised data included participants’ names, audio-taped conversations, and other sensitive data.
Turkish branch of Microsoft discloses email data breach affecting 1,820 Turkish citizens
- According to the company, the online ID of a support centre executive was illegally obtained, and as a result, the perpetrators managed to access the email accounts of 1,820 Turkish individuals.
- The affected data includes email addresses, folder names and subject lines from January 1st to March 28th, 2019. Moreover, the contents of emails sent and received by a ‘very few’ users may also have been exposed.
Data breach investigation launched at Scotland’s Highland Council
- The council allegedly used a public waste bin to dispose of documents that contained the private and personal information of 28 children.
- The affected information includes full names, birth dates and patient case numbers. One of the documents contains information on an adoption arrangement.
Australians’ Medicare details continue to be illegally sold on darknet two years after data breach
- Following the initial discovery of Australian Medicare patient details being sold on the darknet in July 2017, patients’ details continue to be available for illegal purchase.
- The data sold could be used for potential identity theft and fraud.
Estimated 150,000 students’ personal information exposed on misconfigured cloud storage
- Colorado-based Total Registration, a firm contracted by multiple schools and school districts to register students for AP and PSAT exams, failed to secure its Amazon S3 bucket, leaving student and parent information exposed.
- The exposed data included names, grade levels, gender, dates of birth, addresses, email addresses, and parent/guardian names.
Data leak exposes passport data of 360,000 Russians
- According to privacy expert Ivan Begtin, at least eight Russian government websites were breached, exposing the passport data of 360,000 Russians, including that of deputy chairman of the State Duma Alexander Zhukov, former deputy prime minister Arkady Dvorkovich and Rosnano head Anatoly Chubais.
SAP’s May 2019 Patch Day addresses missing authorization checks
- SAP released a series of eight security notes, five of which fix missing authorization check issues. The missing checks affected SAP’s Treasury and Risk Management products, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services.
- The security notes also address one high-priority flaw, tracked as CVE-2019-0301, in SAP Identity Management REST Interface Version 2. Under certain conditions, a user exploiting this flaw could request role modifications or privilege assignments.
- A full list of the patched vulnerabilities is accessible on SAP’s website.
ACCC patches flaw in its CMS following early disclosure of mitigation decision
- The Australian Competition and Consumer Commission (ACCC) patched a flaw in its Content Management System (CMS) after it inadvertently disclosed its decision to block the merger between Vodafone Australia and TPG. The decision was published on May 8th and was live for 8 minutes, although it was meant to be announced the following day.
- The information was written into the back end of the mergers register, and due to the CMS flaw, a third party was able to access the existing webpage at the moment it was updated.
Google’s Bluetooth Titan security keys accessible by nearby hackers
- Google warned that their Bluetooth Low Energy (BLE) version of the Titan security key can be compromised by attackers within 30 feet of the key.
- When signing into an account, the user is asked to press the button on the BLE security key to pair it with their device. This pairing process can be hijacked by an attacker who connects their own device to the security key before the legitimate user completes the pairing.
- For the attack to succeed, the attacker must already know the target’s username and password. A successful attacker could also make their own device appear to the victim’s computer as a Bluetooth keyboard or mouse and potentially take actions on it.
Budget radios can spoof plane navigation systems
- Research conducted at Northeastern University in Boston shows that the unencrypted and unauthenticated radio signals used by instrument landing systems (ILS) can be spoofed with software-defined radios costing around $600.
- ILS systems are employed at practically all civilian airports in the industrialized world. Spoofed signals can be used to deviate an aircraft’s course during landing.
- Pilot and radio operator Vaibhav Sharma commented on the research, stating that an ILS attack is realistic but that its effectiveness would depend on visibility and on the attacker’s proficiency with aviation navigation systems.
Trump declares national cyber emergency against foreign adversaries
- Donald Trump has signed an executive order that bars US companies from using telecommunications equipment from foreign suppliers deemed to pose a national security risk. Although no company is named, the order is widely believed to be aimed at Huawei. The US is reportedly pressuring allies not to use Huawei equipment in their 5G networks.
- A White House statement reported that the order aims to ‘protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services’.
Safeguard breaches committed relating to data handling at MI5
- Home Secretary Sajid Javid reported to parliament that MI5 committed serious breaches of surveillance safeguards when handling information obtained under interception warrants. The Investigatory Powers Commissioner’s Office (IPCO) has deployed a team of inspectors into the intelligence agency for a week to investigate.
- Javid notified parliament of ‘compliance risks MI5 identified and reported within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act’. The risks are thought to be related to material obtained via ‘lawful interception’.
ARIN revokes over 757 thousand fraudulently obtained IPv4 addresses
- The American Registry for Internet Numbers (ARIN) discovered in late 2018 that an individual had fraudulently acquired 757,760 IPv4 addresses worth between $9,850,880 and $14,397,440.
- The accused allegedly used multiple deceptive websites and false identities to obtain the IPv4 addresses.
- The individual and company behind the scheme were charged in federal court with twenty counts of wire fraud. Following the arbitration, ARIN revoked the fraudulently obtained IPv4 addresses.
Israeli Eurovision webcast interrupted by hackers warning of rocket attack
- Hackers interrupted the Israeli Kan public broadcaster streaming of Eurovision with a two-minute video message containing a fake warning from the ‘Israel Defense Forces’ advising viewers to take shelter from an imminent rocket attack. The message concluded with ‘Israel is not safe, you will see’.
- It is not clear who is behind the hack, but the broadcaster suspects pro-Palestinian groups to be responsible.
Reports show increase in ransom amounts and that ransom is most often paid by recovery firms
- Coveware reports an 89% increase in average ransom payments in Q1 2019. The increase correlates with a rise in ransomware attacks.
- ProPublica’s report found that Proven Data and Monster Cloud, two data recovery firms promising ‘high-tech [alternative] ransomware solutions’ to paying demanded ransoms, most often pay the ransom to the hackers.
Documents on Department of Energy’s hacking incident in 2015 show difficulty in tracing attacker
- Records released under the Freedom of Information Act show the difficulty in tracing a hacker involved in a Department of Energy phishing scam in 2015. The hacker, posing as an employee, sent emails advertising jobs with the Department of Energy’s ‘Department of Petroleum and Natural Resources’.
- The hacker was traced back to Gambia, which is not a member of the international cybercrime agreement, meaning no requests for information could be made. The investigation has since been closed.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.