Silobreaker Daily Cyber Digest – 17 January 2019
LoJax rootkit campaign remains active eight months after discovery
- In May 2018, researchers from Netscout reported on the discovery of LoJax malware, which they attributed to the Russian government. LoJax is a backdoor capable of surviving operating system reinstalls and hard drive replacements.
- Netscout has issued a new report stating that two of the previously identified C&C servers are still live, and that additional LoJax domains have been uncovered.
Criminal group injects Magecart into hundreds of sites at once
- Trend Micro and RiskIQ reported that hundreds of e-commerce sites have been affected by a Magecart attack, via a compromised advertising script from the French online advertising agency Adverline.
- Trend Micro detected malicious skimming code loaded on 277 e-commerce websites providing ticketing, touring, flight booking services, and more. The attackers injected Magecart into customer sites by compromising the script that displays Adverline ads on customer web pages.
- The script first determined if the visitor was a legitimate customer by using a fingerprinting script, and then checked to see if the URLs contained any English, French, or German keywords. If the visitor was on a targeted page, the Magecart toolkit would load the skimmer, which would attempt to steal data entered in the form fields.
Fake Flash Player Chrome extension remains on Chrome Web Store, stealing payment card details
- The extension, called ‘Reader Flash’, has been available on the Chrome Web Store since February 2018 and has been downloaded by roughly 400 users.
- Reader Flash contains code that intercepts all form submissions made on any web page the user visits. The extension scans form contents to detect card number patterns specific to Visa, Mastercard, American Express and Discover. However, it was not observed collecting other data such as issuer names, expiration dates or CVV codes.
Leaks and Breaches
Click2Gov breach compromised credit card data of Hanover County residents
- Officials in Hanover County, Virginia, disclosed to residents that credit card information they had used to pay utility bills online through the County’s Click2Gov system had been compromised.
- A vulnerability in the system allowed unauthorized individuals to steal credit card data between August 1st, 2018 and January 9th, 2019, in order to make unauthorized charges.
Hackers breach South Korean government agency
- Thirty computers belonging to South Korea’s Defense Acquisition Program Administration (DAPA), part of the South Korean Ministry of National Defense, were breached in a hack that took place in October 2018. DAPA is responsible for the acquisition of weapons and munitions for the country’s military forces.
- According to ZDNet, internal documents were stolen from at least 10 of the computers. The documents contained information on arms procurement for South Korea’s next-generation fighter aircraft.
- The hackers breached the devices by gaining access to a server of the Data Storage Prevention Solution app, software installed on government computers to prevent sensitive files from being downloaded and saved on internet-connected devices.
‘Collection #1’ data breach exposes over 87GB of email addresses and passwords
- Security researcher Troy Hunt discovered that just under 773 million unique email addresses and 21 million unique passwords were exposed on the cloud service MEGA. The data, dubbed ‘Collection #1’, is a set of email addresses and passwords that were allegedly collected from a variety of sources.
Oklahoma Department of Securities’ unsecured server exposes millions of files
- The exposed files contained personal data, systems credentials, internal mission documents and communications relating to the Oklahoma Securities Commission.
- The data was exposed due to an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services. As a result, anyone connecting to that IP address could download the files stored on the server.
- Much of the data exposed was reportedly not encrypted.
Unsecured VOIPO database exposes millions of customer records
- VOIPO, a Californian voice-over-internet provider, admitted that a development server had been accidentally left publicly accessible, exposing millions of customer call logs, SMS message logs and credentials, in plain text.
- The exposed database was discovered by researcher Justin Paine using the Shodan search engine on January 8th, 2019. According to Paine, the database had been left open since June 2018.
- Up to 6.7 million call logs, including partial numbers both called and received, time stamps and duration of calls, were exposed dating back to July 2017. In addition, 6 million SMS/MMS logs, dating back to December 2015, including timestamps and content of messages, were also exposed. Other exposed information included nearly a million logs with references to internal hostnames, plaintext usernames and passwords for those systems, and one million logs containing API keys for internal systems.
Hackers can abuse industrial controllers’ legitimate features in order to hijack them
- Software engineer Roee Stark demonstrated an attack that leverages the legitimate features in industrial controllers and abuses Common Industrial Protocol commands in order to allow an attacker to gain unauthorized access to networks.
Remote code execution vulnerability discovered in Drupal core
- The Drupal Security Team reported a remote code execution vulnerability in PHP’s built-in phar stream wrapper, triggered when file operations are performed on an untrusted phar:// URI.
- Exposure to this vulnerability is present if the Drupal code performs file operations on insufficiently validated user input.
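The exposure condition described above, as an added illustration that is not Drupal’s own code: the vulnerable pattern passes user input straight to a file operation, while the hardened pattern refuses any stream-wrapper URI (phar://, php://, data://) and confines the path to a base directory. The base directory, function names and sample inputs are assumptions.

```php
<?php
// Added example (not Drupal's code). Assumes user-supplied file names are
// meant to refer only to local files under a fixed base directory.

final class SafePath
{
    /**
     * Return a canonical path under $baseDir, or null if $userInput is a
     * stream-wrapper URI or escapes $baseDir.
     */
    public static function resolve(string $baseDir, string $userInput): ?string
    {
        // Any scheme prefix ("phar:", "php:", "data:", ...) routes the call
        // through a PHP stream wrapper; even file_exists() on a phar:// URI
        // is enough to reach the vulnerable code path, so refuse the whole class.
        // (This also rejects Windows drive letters; the example targets Linux.)
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput) === 1) {
            return null;
        }
        if (strpos($userInput, "\0") !== false) {
            return null; // an embedded NUL would truncate the path
        }
        $base = realpath($baseDir);
        if ($base === false) {
            return null;
        }
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
        if ($candidate === false) {
            return null; // file does not exist or cannot be canonicalised
        }
        // Confine to the base directory; this also blocks ../ traversal.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $candidate;
    }
}

// Vulnerable pattern: the untrusted value reaches file_exists() unchanged,
// so a phar:// URI is honoured by the stream wrapper.
function fileExistsUnsafe(string $userInput): bool
{
    return file_exists($userInput);
}

// Hardened pattern: only a validated local path reaches the filesystem call.
function fileExistsSafe(string $baseDir, string $userInput): bool
{
    $path = SafePath::resolve($baseDir, $userInput);
    return $path !== null && file_exists($path);
}

// Constructed inputs: a wrapper URI is rejected, a real local file is accepted.
var_dump(fileExistsSafe(__DIR__, 'phar://uploads/avatar.jpg/x'));
var_dump(fileExistsSafe(__DIR__, basename(__FILE__)));
```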
Proof-of-Concept for Safari browser security issue published
- Security researcher Dhiraj Mishra reported that, by using a multi-gesture trackpad with the Safari browser on a MacBook Pro, he was able to view cached Safari browser data.
- He discovered that the most recent activity of websites stored in Safari’s cache can be retrieved with the use of a multi-gesture trackpad.
Flaws in Fortnite authentication left accounts vulnerable to ATO attacks
- The flaws could have allowed an attacker to break into Fortnite accounts and steal virtual currency, resell virtual goods, access account information, eavesdrop on other players, and more.
- The flaws include a cross-site scripting vulnerability discovered in an Epic Games subdomain, which could be leveraged by an attacker by creating a malicious link using a legitimate Epic Games subdomain and convincing a user to click on it. This enables an attacker to launch a second-stage OAuth account takeover attack using the victim’s credentials.
Oracle addresses 248 flaws in quarterly security update
- The patches covered nine remotely exploitable vulnerabilities in Enterprise Manager Products Suite that could be exploited without user credentials. In addition, three flaws in MySQL that could be remotely exploited without authentication have been patched, and 57 flaws in Fusion Middleware products that could have led to remote code execution were fixed.
Microsoft releases patches for Windows 10
- The security updates concern Windows 10 releases 1803, 1709 and 1703. They resolve an issue that left third-party applications having difficulty authenticating to hotspots.
- A patch was also released for Windows 10 19H1 concerning an issue in File Explorer and a problem with password changes for Active Directory users.
TLS certificates left to expire for more US government domains
- Due to the current federal shutdown, over 130 TLS certificates are now left expired without renewal for US government websites, rendering them inaccessible.
- Websites affected include those relating to the Federal Aviation Authority, the National Archives, the Department of Agriculture, and more.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.