Silobreaker Daily Cyber Digest – 17 December 2018


Threat Reports
Armor researchers discover Magecart-style credit card sniffer for sale

  • Researchers found the tool for sale on a Russian dark web forum for $1,300. It is advertised as having two components: a standard universal payment card sniffer and a control panel.
  • The control panel can generate a custom credit card sniffer as a JavaScript file that will work on any e-commerce site that uses OpenCart, Magento or osCommerce payments. The researchers also noted that the sniffer uses Secure Sockets Layer (SSL) to encrypt the collected payment card data in transit, which makes it harder for security teams to see which data is being exfiltrated from the e-commerce sites.
  • Armor state that the tool is similar to the one used in the British Airways and Ticketmaster breaches earlier this year, and have warned online retailers that its sale on the dark web suggests attacks are likely to increase.



Proofpoint researchers discover weaponised document builder service dubbed LCG Kit

  • LCG Kit was discovered in March 2018 using the Microsoft Equation Editor exploit (CVE-2017-11882). More recently, its creators have also integrated a VBScript exploit (CVE-2018-8174), which has previously been used in various other email campaigns. At the end of December, LCG Kit further gained the ability to use Microsoft Word macros to load shellcode that installs malware payloads.
  • LCG Kit code is highly obfuscated using polymorphic shellcode and a Linear Congruential Generator (LCG), an algorithm used to encrypt the final stage of code.
  • Proofpoint predicts that LCG Kit may be for sale on underground forums, given the large number of malicious attachments that have been created with it. The kit is popular with crimeware groups attempting to spread remote access trojans and various stealers.
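To make the "Linear Congruential Generator used to encrypt the final stage" concrete, the following is an added illustration (not code from the digest or from Proofpoint's analysis) of how an LCG can serve as a keystream for an XOR layer, and how an analyst who has recovered the generator's parameters from a sample decodes the stage and confirms the seed with known plaintext. The multiplier, increment and modulus below are the classic ANSI C rand() constants and the seed search range is an assumption for the demonstration; neither is a statement about the values LCG Kit uses.

```python
"""Added example: LCG keystream XOR obfuscation and its analyst-side reversal.
Parameters are ASSUMED (classic ANSI C rand() constants), not LCG Kit's own."""

LCG_A = 1103515245   # multiplier a   (assumed for illustration)
LCG_C = 12345        # increment c    (assumed for illustration)
LCG_M = 2 ** 31      # modulus m      (assumed for illustration)


def lcg_keystream(seed, length, a=LCG_A, c=LCG_C, m=LCG_M):
    """Return `length` keystream bytes from x_{n+1} = (a*x_n + c) mod m.

    Bits 16..23 of each state are used rather than the low byte: with a
    power-of-two modulus the low bits of an LCG cycle with a very short period.
    """
    x = seed % m
    out = bytearray()
    for _ in range(length):
        x = (a * x + c) % m
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def lcg_xor(data, seed, **params):
    """XOR data with the LCG keystream; the same call encodes and decodes."""
    ks = lcg_keystream(seed, len(data), **params)
    return bytes(b ^ k for b, k in zip(data, ks))


def find_seed(encoded, known_prefix, seed_range, **params):
    """Analyst step: recover the seed by trial decoding against a known
    plaintext prefix. `seed_range` bounds the brute force (an assumption:
    real samples may seed the generator from a wider or derived value)."""
    prefix = encoded[:len(known_prefix)]
    for seed in range(seed_range):
        if lcg_xor(prefix, seed, **params) == known_prefix:
            return seed
    return None


# Constructed sample "final stage" (plain text standing in for a code blob).
SAMPLE_STAGE = b"final stage: constructed sample payload"
SAMPLE_SEED = 0xBEEF          # constructed seed for the demonstration
SAMPLE_ENCODED = lcg_xor(SAMPLE_STAGE, SAMPLE_SEED)


if __name__ == "__main__":
    seed = find_seed(SAMPLE_ENCODED, b"final stage", 1 << 16)
    print("recovered seed:", hex(seed) if seed is not None else None)
    print("decoded:", lcg_xor(SAMPLE_ENCODED, seed))
```

The point for a defender is that an LCG is a pseudo-random number generator, not a cipher: once the constants are read out of the loader, the whole stage falls to a short known-plaintext search, which is why this layer only delays static detection rather than preventing it.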

Source (Includes IOCs)


Ongoing Campaigns

Bitcoin bomb threat scam associated with previous sextortion campaign

  • Researchers at Cisco Talos have reported that the recent wave of bomb hoaxes targeting US public institutions is an evolved version of a sextortion and extortion campaign that they previously reported on in October 2018.
  • According to the researchers, multiple IPs involved in distributing the bomb threats were also used in the October sextortion campaign.
  • Moreover, as of Thursday, December 13th, 2018, the campaign was seen shifting from bomb threats to threatening to throw acid on victims unless a Bitcoin ransom payment is made.

Source (Includes IOCs)


PewDiePie printer hacker undertakes second attack

  • The hacker, known as ‘HackerGiraffe’ on Twitter, was responsible for taking control of approximately 50,000 printers in November and has now reportedly undertaken a second campaign, this time compromising approximately 100,000 routers.
  • The compromised printers were forced to produce printouts that read, ‘PewDiePie is in trouble and he needs your help to defeat T-Series!’, which refers to an online disagreement between YouTuber Felix Kjellberg, aka PewDiePie, and one of India’s largest music labels, T-Series.
  • The hacker stated that his actions were an attempt to highlight the ‘real-life consequences’ of leaving devices open and accessible. Had the hacker been malicious, the computers could have been made to capture data, manipulate jobs or rewrite data in continuous loops. Users in the UK, US, Spain and Australia were believed to be affected.



Cybercriminals are using memes to communicate with malware on a victim’s computer

  • Trend Micro researchers uncovered a campaign in which memes shared on Twitter were used to communicate with malware detected by Trend Micro as TROJAN.MSIL.BERBOMTHUM.AA.
  • The memes contained an ‘embedded command that is parsed by the malware after [the meme] is downloaded from [Twitter] onto the victim’s machine’, allowing the meme to act ‘as a C&C service for the already-placed malware’. The memes also contained a ‘/print’ command which enabled the malware to take screenshots of the infected computer.
  • According to the researchers, the actual malware was not downloaded from Twitter and the malware’s delivery mechanism remains unknown.

Source (Includes IOCs)


New phishing campaign disguises itself as Office 365 ‘non-delivery’ notification

  • Researcher Xavier Mertens discovered a phishing campaign in which emails state ‘Microsoft found Several Undelivered Messages’ and give users the option to click ‘Send Again’. Once clicked, the link redirects victims to a phishing site impersonating the legitimate Office 365 login page, which attempts to steal the victim’s login credentials.



Leaks and Breaches

Boomoji databases left exposed on unprotected ElasticSearch server

  • The avatar app maker Boomoji has suffered a data leak after leaving two of its ElasticSearch databases unprotected, without passwords. The leak reportedly could have affected the app’s entire user base of 5.3 million iOS and Android users worldwide.
  • The app also requests access to contact data, which means that in addition to the details of the 5.3 million users, the contact information of a further 125 million people could also have been compromised.



Bug in Facebook photo API exposed photos of up to 6.8 million users

  • Facebook stated that a photo API bug may have allowed third-party unauthorized access to photos belonging to 6.8 million users.
  • Under normal circumstances, the photo API will grant access to photos posted on users’ Timelines. However, between September 13th and September 25th, 2018, the bug gave developers access to photos shared on Marketplace and Facebook Stories, and photos that users uploaded to Facebook but did not finish posting.



ZipRecruiter suffers data breach exposing names and emails of job seekers

  • According to an email sent to affected users, holders of certain employer accounts who were not intended to have access to ZipRecruiter’s CV database were able to access information including the names and email addresses of job seekers who had submitted their CVs.
  • ZipRecruiter claims the issue was fixed within two hours of being reported. The number of affected users remains unknown.



Schenectady County government website shut down after cyber attack

  • The website was reportedly shut down after county employees noticed the attack on Wednesday. Restoration of the website is expected to take a week, during which time the site will remain offline.
  • Some operations, including the 911 central dispatching center, the Glendale Nursing Home, Board of Elections, and others, were not affected by the malware. There are reportedly no indications so far of a data breach.



Brazilian IT firm Tivit suffers a data leak

  • Def-Con Lab found approximately 1,000 lines of code available on Pastebin, which included client credentials used to access Tivit’s systems, and other information including email exchanges. 19 companies were affected, including the Brazilian bank Original, the insurance company Zurich, and the software company SAP.
  • Last week it was revealed that nine members of Tivit staff had been targeted with a phishing attack that included an email containing a malicious link.




Bug in Twitter allowed third-party access to direct messages without users’ permission

  • Researcher Terence Eden discovered a bug in Twitter’s permissions dialog that exposed direct messages to third parties without the user knowing about it.
  • According to the report, ‘when a select set of applications are authenticated using a PIN or non-intended OAuth flow, the permission dialog that is shown may not show the permissions that the authentication has’.



Researchers find electric vehicle charging stations open to attacks

  • Researchers at Kaspersky Lab reported on a new attack surface in which electric vehicle (EV) charging stations can be hacked to control the charging process.
  • The research team investigated ChargePoint Home EV charging stations and found vulnerabilities in the mobile application, CGI binaries and Bluetooth stack. These flaws can permit an attacker to control the charging process or even adjust the maximum current that can be consumed during charging. ChargePoint has since patched the flaws.



Siemens patches several vulnerabilities in SINUMERIK controllers

  • The vulnerabilities include denial of service, privilege escalation and code execution flaws, some of which have been classified as critical.
  • The most serious flaw, tracked as CVE-2018-11466, could allow a remote attacker to cause a denial of service condition or execute code in the context of the software firewall. It could be exploited by an attacker with network access to the affected systems on port 102/tcp.
  • Other critical flaws include CVE-2018-11462, which could be leveraged by an attacker by sending a specially crafted authentication request for privilege escalation to an elevated user, but not root. In addition, CVE-2018-11458 is a flaw in the integrated VNC server on port 5900/tcp which could allow a remote attacker to execute code with privileged permissions, by sending specially crafted network requests to port 5900/tcp.



Keystroke injection flaw in Logitech Options is finally patched

  • The vulnerability allowed an attacker to launch keystroke injection attacks against Logitech keyboard owners that used the desktop app. It was discovered by researcher Tavis Ormandy in September 2018.



Two vulnerabilities render thousands of Jenkins servers vulnerable to data theft

  • Disclosed by researchers from CyberArk, the vulnerabilities expose thousands of Jenkins servers to data theft, takeover and cryptocurrency mining attacks. Hackers can exploit the flaws to gain admin rights or to log in to the servers using invalid credentials.
  • CVE-2018-1999001 allows an attacker to submit malformed login credentials that cause the server to move the config.xml file from the Jenkins home directory to another location. When the Jenkins server subsequently crashes and restarts, or is restarted, it comes back up in a default configuration with no security enabled, allowing administrator access.
  • CVE-2018-1999043 allows an attacker to ‘create ephemeral user records in the server’s memory’, which creates a short window in which attackers can authenticate using ghost usernames and credentials.
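Because the impact of CVE-2018-1999001 only materialises when Jenkins restarts without its config.xml, an administrator can watch for exactly that condition. The following is an added example (not code from the digest, CyberArk or the Jenkins project) of a read-only check that confirms config.xml is still present in the Jenkins home and still carries `<useSecurity>true</useSecurity>`, the top-level element Jenkins uses to record that security is enabled; the sample XML fragments are constructed for the demonstration and the home directory path is an assumption.

```python
"""Added example: verify a Jenkins home still holds a config.xml with security
enabled, so a relocation of the file (or a restart into the unsecured default
configuration) is noticed before it is exploited."""
import os
import sys
import xml.etree.ElementTree as ET


def assess_config(xml_text):
    """Classify the content of config.xml.

    Returns one of:
      "missing"    - the file is absent (None passed in)
      "unreadable" - the XML did not parse
      "insecure"   - <useSecurity> is absent or not 'true'
      "secured"    - <useSecurity>true</useSecurity> is present
    """
    if xml_text is None:
        return "missing"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unreadable"
    node = root.find("useSecurity")
    if node is None or (node.text or "").strip().lower() != "true":
        return "insecure"
    return "secured"


def audit_jenkins_home(home):
    """Read config.xml from the given Jenkins home and classify it."""
    path = os.path.join(home, "config.xml")
    if not os.path.isfile(path):
        return assess_config(None)
    with open(path, encoding="utf-8") as fh:
        return assess_config(fh.read())


# Constructed samples, modelled on the top-level layout of a Jenkins config.xml.
SAMPLE_SECURED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
</hudson>
"""

SAMPLE_INSECURE = """<hudson>
  <useSecurity>false</useSecurity>
</hudson>
"""


if __name__ == "__main__":
    # Assumed default location; pass the real JENKINS_HOME as the first argument.
    home = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/jenkins"
    state = audit_jenkins_home(home)
    print(f"{home}/config.xml: {state}")
    # Anything other than "secured" deserves an alert; "missing" is the
    # precondition for the unsecured restart described above.
    sys.exit(0 if state == "secured" else 1)
```

Run it from cron or a monitoring agent and alert on a non-zero exit; paired with an alert on unexpected Jenkins restarts, this gives the two signals that together make up the attack path the bullet describes.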



Security flaw in SQLite database engine puts desktop and mobile applications at risk

  • Discovered by Tencent, the flaw allows an attacker to run malicious code on the victim’s computer, as well as leak program memory or cause program crashes. It can be exploited remotely by accessing a web page if the underlying browser supports SQLite and the Web SQL API that translates the exploit code into regular syntax.
  • Chromium based browsers such as Google Chrome, Vivaldi, Opera and Brave are all affected, as well as applications such as Google Home, which the Tencent security team successfully exploited.



Washington State University discovers flaws in high-performance computer chips

  • A Washington State University research team found that they could impair the on-chip communications system, and deliberately add a malicious workload, causing the chip to stop working much earlier than usual.
  • Three attacks were crafted to test the communications system, which resulted in the additional workload enhancing the ‘electromigration-induced stress and crosstalk noise’. The researchers found some of the crucial vertical links of the communication system to be particularly vulnerable.
  • Boeing Centennial Chair Partha Pande stated that the research demonstrates how an attacker could ‘target the communication system to start malfunctions in the chip’.



General News

US Ballistic Missile Defense Systems inadequately protected against cyber attacks

  • A report by the US Department of Defense Inspector General has stated that US Ballistic Missile Defense Systems (BMDS) are insufficiently protected against cyber threats.
  • BMDS have failed to utilize required security controls such as multi-factor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encryption of transmitted technical information and physical facility security. In addition, they also failed to carry out routine assessments to ensure these safeguards were in place.



Cyber criminal jailed for 20 months after using homemade fraud device

  • A cybercriminal known online as ‘the acid house king’, and offline as Tony Muldowney-Colston, has been sentenced to 20 months in prison for running a fraud campaign using a home-made device.
  • The device was discovered by police and believed to be used to distort Muldowney-Colston’s voice when he phoned banks and attempted to impersonate customers. The machine also played pre-recorded bank messages to trick victims.
  • While police were searching the property, they found a hard drive containing passport and identity card data, 32 credit cards and a spreadsheet detailing names, addresses, email addresses and phone numbers linked to a private members club in London.
  • The attacker’s scamming techniques enabled him to access funds of over £500,000.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 
