Silobreaker Daily Cyber Digest – 17 April 2019
NamPoHyu ransomware targets remote Samba servers
- According to Bleeping Computer, NamPoHyu is behaving differently from other ransomware. Attackers are running it locally and using it to remotely encrypt accessible Samba servers, rather than running an executable on the victim’s computer.
- NamPoHyu searches for accessible Samba servers, brute forces their passwords and then remotely encrypts their files and creates ransom notes.
- The ransomware was first seen in March 2019 and was known as MegaLocker virus. Since then, it has renamed itself to NamPoHyu and now includes a link to a Tor payment site in its ransom note, rather than providing a Bitcoin wallet address for the ransom payment.
Source (Includes IOCs)
Malwarebytes Labs researchers detail recent attacks on Electrum wallet
- Since at least December 2018, a large number of Electrum wallet users have fallen victim to a series of phishing attacks that have generated approximately $4 million in profits for the perpetrators.
- The attacks resulted from cybercriminals tricking victims into downloading a malicious version of the Electrum wallet by exploiting a weakness in the Electrum software.
- In a new blog post, the researchers detail the phishing scheme, malware infections, and the DDoS botnet that was used to attack Electrum servers as retaliation against developers who were trying to fix the issue.
Source (Includes IOCs)
Aggah campaign leverages Pastebin, Blogspot and Bit.ly
- Unit 42 has investigated a large campaign, dubbed the Aggah Campaign, targeting the education, media/marketing, government, technology, retail, manufacturing, hospitality and professional services verticals with a RevengeRAT payload.
- Affected regions are the Middle East, United States, Europe and Asia. The attack vector is a spoofed email containing a delivery document that tries to load another document containing malicious macros via template injection. The macros follow bit.ly URLs to Blogspot and Pastebin, where additional scripts are downloaded and executed.
- The activity was initially associated with the Gorgon Group after its discovery in March 2019. Since then, the targeted verticals and regions have increased and no direct overlaps with Gorgon Group’s previous activity have been found.
Source (Includes IOCs)
Ransomware attackers turn to Google Ads for communication following Dream Market takedown
- Following the takedown of the Dream Market dark web hacking forum last month, Coveware researchers observed cybercriminals using Google Ads in an effort to re-establish communication with ransomware victims.
eGobbler malvertising campaign uses Chrome vulnerability to target iOS users
- Confiant researchers detected a new malvertising campaign run by threat actor eGobbler. The campaign exploits a vulnerability in the Chrome for iOS mobile browser to redirect iPhone and iPad users to adware, scams, and other malicious sites.
- The flaw allows malicious code hidden in online ads to break out of sandboxed iframes and redirect users to other sites, or display a pop-up on top of a legitimate site.
- The campaign has targeted iOS users in the US, exposing over 500 million user sessions since April 6th.
Garfield County suffers ransomware attack
- The local government of Garfield County, Utah, appears to have suffered a ransomware attack after an employee clicked on a phishing link, which subsequently led to the encryption of the county’s computer network. As a result, the county has had to briefly switch to paper-based administration.
- It is unclear what type of ransomware hit them, and it appears that they have paid a Bitcoin ransom to retrieve some files. The courts, elections and sheriff’s office are said to have been unaffected.
APT-C-35 uses new StealJob malware in recent campaigns
- 360 Threat Intelligence researchers recently observed APT-C-35 using an upgraded malicious Android APK framework, dubbed StealJob. StealJob is disguised as an app called ‘KashmirVoice’ and is believed to be targeting users in Pakistan.
Source (Includes IOCs)
New BEC scheme reroutes paychecks by direct deposit
- According to Trend Micro, a new business email compromise (BEC) scam has emerged in which perpetrators posing as CEOs, CFOs or payroll directors email HR personnel, asking them to change an employee’s bank account and routing information so that paychecks are deposited directly into a fraudulent account.
- One of the targets is Kansas-based KVC Health Systems, a non-profit agency for child welfare, that received an average of two or three of these emails a month.
Leaks and Breaches
Bangladesh Bank’s server infected with malware
- According to The Financial Express, a data server belonging to the Bangladesh Bank has been infected with malware. Investigators observed data being sent and received from the bank’s server to suspicious servers located in the US, Canada and Germany.
Blue Cross Idaho suffers breach
- The company has released a notice stating that on March 21, 2019, an unauthorized user accessed the company’s online portal with the intention of rerouting financial transactions. This activity was blocked, but the user was able to access remittance documents on March 22.
- Approximately 5,600 people, or 1% of Blue Cross Idaho’s membership, had their data breached. This included but was not limited to names, claims payment information, account number, procedure code and healthcare provider. No banking or social security information was leaked.
Flaw in EA Origin exposed users to attacks
- Security researchers Daley Bee and Dominik Penner discovered that the EA Origin app on Windows could be tricked into running any app on the user’s computer.
- The issue could be abused to send malicious PowerShell commands or steal a user’s account access token, gaining access to their account without the need for a password.
- Electronic Arts released a fix for the flaw on April 15th.
Cisco Talos discloses multiple vulnerabilities in Shimo VPN Helper
- The privilege escalation vulnerabilities are CVE-2018-4004, CVE-2018-4005, CVE-2018-4006, CVE-2018-4007, CVE-2018-4008 and CVE-2018-4009. All require local access to the machine.
- After multiple attempts to contact the vendor in question, the vulnerabilities have been disclosed without a patch.
Oracle patches hundreds of vulnerabilities in quarterly update
- 296 vulnerabilities in total were patched across Oracle software, including five remote code execution vulnerabilities in Java SE, each with a CVSS score of 9.0, and 53 in Fusion Middleware, 42 of which are capable of being exploited remotely.
Ecuador hit by 40 million cyber attacks since Assange arrest
- Ecuador’s deputy minister for information and communication technologies, Patricio Real, has claimed that websites belonging to the country’s public institutions have experienced 40 million cyber attacks since Julian Assange’s political asylum was revoked last week.
- The majority of attacks appear to be DDoS attempts, and no organisations have reported information theft or deletion.
ATMs stolen in physical attacks in Northern Ireland
- Nine incidents of ATMs being stolen with diggers in Northern Ireland have already been reported in 2019. The criminals use digging equipment to break down walls, scoop up the ATMs and place them into the back of modified trucks and vans, contributing to the rise of physical attacks on ATMs.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.