Silobreaker Daily Cyber Digest – 17 June 2019
New variant of Houdini Worm discovered
- Researchers at Cofense discovered a new variant of the Houdini Worm, which targets commercial banking customers. Houdini Worm has existed since 2013 and shares similarities with njRAT and njWorm.
- This new variant has been dubbed ‘WSH Remote Access Tool (RAT)’ and was released on June 2nd, 2019 by the malware’s author. The malware is spread via email attachments containing URLs, .zip or .mht files. Once opened, the attachment downloads a keylogger, a mail credential viewer and a browser credential viewer to steal online banking credentials.
- The WSH RAT configuration appears to be an exact copy of the Houdini Worm’s configuration. The three executable files also appear to be from third parties, rather than original work.
Android Trojan can redirect users to hacked or malicious websites
- Researchers at Dr. Web discovered Android.FakeApp.174 Trojan spamming users with push notifications redirecting them to questionable websites. The trojan is delivered via the Google Play store and comes disguised as programs for a variety of well-known brands.
- When opened, the Trojan launches Chrome and redirects users to various affiliated pages where they are prompted to allow notifications. Users are then targeted with spam push notifications even when the browser is closed. Many of the websites that users are redirected to are involved in fraudulent schemes. Google removed the malware early in June.
Researchers analyse Nanocore sample using a Delphi wrapper
- Researchers at Cybaze-Yoroi Zlab analysed a sample of the Nanocore Remote Administrator Tool (RAT). Nanocore is a ‘general purpose’ malware that is sent out via email attachments which, once opened, download the payload.
- The researchers noticed the payload was embedded inside a resource without any encryption or obfuscation. The Delphi wrapper contains many embedded resources, including the entire Nanocore RAT payload.
Source (Includes IOCs)
City of Burlington in Ontario falls victim to phishing attack
- The city’s staff was targeted by a phishing email that requested them to change banking information for an established vendor. A single transaction of approximately $375,000 was made to the fraudulent account.
Insurance House Group services disrupted following phishing attempt
- Following a phishing attack on June 9th, 2019, Insurance House Group shut down its systems for several days as a precaution. Of the Group, the most affected company is the underwriting agency ProRisk, whose services remain disrupted.
- The attack took place over the weekend of June 9th, 2019 and seeded malware onto the company’s network. No client information is believed to be compromised.
Phishing scam seeks to dupe targets by pretending to be alert from email servers
- Bleeping Computer reported that the campaign attempts to dupe users into believing that they are receiving a communication from their email server which contains an encrypted message.
- When users click ‘View Encrypted Email’, they are redirected to a fake OneDrive for Business page and asked to enter email credentials. Attackers can then retrieve this information at a later date.
New Mirai variant, Echobot, targets IoT devices and Enterprise Apps
- Researchers at Akamai observed 26 different exploits being used by the Echobot malware, the majority of which are command execution vulnerabilities in a range of networked devices.
- The malware author also added targets beyond IoT devices, including exploits for Oracle WebLogic Server, VMware SD-WAN and SaaS-based enterprise applications. Some exploits were older than a decade.
Web-based DNA sequencer applications targeted by mysterious hacker group
- On June 12th, 2019, security researcher Ankit Anubhav discovered attacks on dnaLIMS – a web-based DNA sequencer application – that exploit a still-unpatched vulnerability. The vulnerability is tracked as CVE-2017-6526 and was first discovered in 2017.
- The group is operating from an Iran-based IP address and is abusing the vulnerability to plant shells and remotely gain control of the underlying web server.
- The attackers may seek to exfiltrate hashes of DNA sequences, which could be sold on the black market.
XENOTIME group targets electrical sector
- Researchers at Dragos reported that the threat actor tracked as XENOTIME has been persistently gathering information and enumerating network resources associated with US and Asia-Pacific electric utilities. None of XENOTIME’s activities have so far resulted in a known, successful intrusion into the target organizations.
- XENOTIME have been responsible for attacks on the oil and gas sector, hitting a Saudi Arabian oil and gas facility with TRISIS malware in 2017. Following this, the group expanded their activity to target oil and gas enterprises beyond the Middle East.
- Researchers at Dragos warned oil and gas companies to remain vigilant, cautioning that XENOTIME’s activity represents an expansion of the threat they pose rather than a shift in operational scope.
New threat actor ITG07 targets transportation sector with TREKX malware to conduct surveillance
- IBM X-Force researchers reported on a threat actor tracked as ITG07, which has been targeting various organizations in the transportation sector over the last 9 months.
- According to researchers, ITG07’s activity closely aligns with that of APT39 and Chafer Group. The threat actor uses the customized TREKX Trojan to gain a foothold in targeted environments. This Trojan was previously associated with Chafer activity. Similarities were also found between TREKX and a Google Drive-based RAT used by APT34.
- Ultimately, ITG07 seeks to exfiltrate valuable data from its targets. Within the transportation sector, the threat actor seems to be primarily engaged in surveillance and tracking of individuals.
Source (Includes IOCs)
Leaks and Breaches
Humana vendor suffers data breach
- Availity, one of Humana’s authorised vendors, has suffered a data breach resulting in the compromise of healthcare information of 5,569 members. Further investigation found a series of data breaches from January 2016 to November 2018 that exposed data including patient names, Humana member identification numbers and benefit information.
- Humana is offering victims a year of credit monitoring and identity theft protection through Equifax.
Oregon State University suffers data breach
- It is alleged that a hacking incident that occurred in May 2019 may affect up to 636 students and their family members. This occurred as a result of an employee’s email account being hacked, and then leveraged to send phishing emails. The account’s mailboxes also contained sensitive information.
Vulnerabilities in xSocialMedia databases expose private medical information
- On June 2nd, 2019, researchers at vpnMentor discovered vulnerabilities in multiple databases run by xSocialMedia, a Facebook marketing agency focusing on running campaigns for medical malpractice lawsuits. The databases have since been closed.
- Nearly 150,000 personal records were exposed, alongside personal medical testimonies, identifying information and contact information. The personal records included first and last names, email addresses, street addresses, phone numbers, IP addresses and more.
- The databases also exposed the company’s own bank account information, as well as their clients’ names, addresses, phone numbers and email addresses.
Cetera Financial Group suffers data breach
- Cetera Financial Group confirmed that a data breach that took place on March 27th, 2019 put the information of roughly 2,000 clients at risk. The breach was a result of compromised email accounts belonging to two employees.
Graceland University, Oregon State University, and Missouri Southern State University report data breaches
- Graceland stated on June 14th, 2019, that an unauthorized user had gained access to employee email accounts on March 29th, 2019 and from April 1st to April 30th and April 12th to May 1st, 2019. The details of people who had interacted with the email accounts were compromised. Accessible information included full names, social security numbers, dates of birth, addresses, and more.
- Oregon State published a press release on June 14th, 2019, stating that 636 student records and family records of students were affected by an employee email compromise in May 2019. The university stated that personal information was potentially affected by the breach.
- Missouri Southern State sent notice of a data breach to the Office of the Vermont Attorney General on June 13th, 2019. The breach was triggered by a phishing email on January 9th, 2019. Data compromised in the attack included employee names, social security numbers, dates of birth, telephone numbers, and more.
Trans charity Mermaids UK apologises for data breach
- Mermaids UK apologised for a data breach that exposed intimate details, names and addresses of transgender children via emails that were made public online.
- According to Mermaids UK, the emails date back to 2016 and 2017 and could only be found ‘if certain precise search-terms were used’; however, The Times reported the emails could be found by typing the charity name and number into a search.
- Those affected have been contacted and an independent investigation is due to be launched.
N.E.O. Urology hit by ransomware attack
- Ohio-based medical practice N.E.O. Urology was hit by a ransomware attack on June 10th, 2019. Its IT firm suspects the hack to have originated from Russia.
- The company’s IT firm used a third party to pay the hackers $75,000 via Bitcoin.
FBI assists PrimeCare following ransomware attack
- One of Yuma’s PrimeCare Urgent Care centres suffered a ransomware attack on April 12th, 2019 that demanded $250,000. The company notified the FBI about the incident and the investigation found that the company’s EMR system, which stores patients’ visit history, was infected with ransomware.
- Patients were informed of the incident on June 5th, 2019. It is unclear how many patients were affected.
User emails leaked by OnePlus application
- The Shot on OnePlus application is a wallpaper library application that shares photos taken on OnePlus with other OnePlus users to view in their gallery. This application uses an API to link between the OnePlus server and the application. This API was easy for security researchers to access, with only an access token and an unencrypted key required.
- When accessing the API in this way, the response contained sensitive data that should not be publicly accessible. It also contained the gid, an alphanumeric code used to identify a user, which can be used to get the name, email and country of a user.
- OnePlus has since made changes to their API to prevent it from leaking the gid and emails of users who publicly post photos.
API misconfiguration in Docker Engine-Community allows attackers to run botnet malware
- Researchers at Trend Micro discovered threat actors scanning for exposed Docker APIs on port 2375. Upon identification of an open port, a connection asking for running containers is established. When a running container is spotted, a docker exec command drops AESDDoS botnet malware. AESDDoS allows shell access to all applicable running containers within the exposed host, while also attempting to hide its own presence.
- Attackers are able to gain ownership of the host, granting them the ability to run malware and to gain remote access to victims’ servers and hardware resources.
- AESDDoS also allows attackers to launch various types of DDoS attacks such as SYN, LSYN, UDP, UDPS and TCP flood.
Source (Includes IOCs)
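The weak setting behind the Docker item above is the Engine API listening on a plaintext TCP port without TLS client authentication. The following audit script is an added example, not code from Trend Micro or the Docker project; it parses two constructed daemon.json files (hypothetical, not from any real host) and flags the exposed listener beside a hardened configuration that requires client certificates.

```python
"""Audit a dockerd daemon.json for an unauthenticated TCP listener.

Added example: flags the misconfiguration the digest describes (the Docker
Engine API reachable on tcp port 2375 without TLS client verification).
Only daemon.json is inspected; -H flags passed to dockerd on the command
line, e.g. via a systemd unit, are not covered here.
"""
import json
from urllib.parse import urlsplit

# Constructed sample configurations (hypothetical, not from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,            # server also verifies client certificates
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list:
    """Return a list of finding strings; an empty list means no exposed API."""
    cfg = json.loads(daemon_json)
    findings = []
    # "tls": true alone only encrypts; "tlsverify": true is what rejects
    # clients that do not present a certificate signed by tlscacert.
    client_auth = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        # unix:// and fd:// listeners are local; only tcp:// is reachable
        # from the scanning hosts described in the report.
        if not host.startswith("tcp://"):
            continue
        parsed = urlsplit(host)
        addr = parsed.hostname or "0.0.0.0"   # empty host means all interfaces
        if not client_auth:
            findings.append(f"{host}: API on {addr} without TLS client auth; "
                            "anyone reaching the port can run docker exec")
        if parsed.port == 2375:
            findings.append(f"{host}: plaintext default port 2375, "
                            "the port attackers were observed scanning")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```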
Yubico plans to replace vulnerable YubiKey FIPS due to firmware flaw
- The firmware flaw reduces the randomness of cryptographic keys generated by YubiKey FIPS models. Keys running the firmware versions 4.4.2 and 4.4.4 contain a bug that, for a short time, allows keys to be recovered in part or full when the device is booted up.
- YubiKey FIPS authentication keys are approved for use on US government networks.
Mozilla and Google release patches for flaws in Thunderbird and Blink browser engine
- Two high severity flaws, tracked as CVE-2019-11703 and CVE-2017-11704, were patched in Thunderbird. Both concern a heap buffer overflow in which processing certain email messages can result in a potentially exploitable crash.
- A use-after-free flaw, tracked as CVE-2019-5842, was patched in Blink. The flaw exists in Blink for Windows, Mac, and Linux.
Microsoft issues warning about a Linux worm spreading via Exim servers
- Following the recent disclosure of a Linux Exim mail server vulnerability, tracked as CVE-2019-10149, Microsoft has issued a warning that an active Linux worm is targeting vulnerable servers and affecting some Azure installations.
- The worm exploits the flaw to take over a server, then scans the internet for other servers and attempts to infect those before dropping a cryptocurrency miner on the current host.
Seven cybercriminals arrested in India
- Seven suspected fraudsters were arrested by the Ahmedabad cyber cell on 13th June, 2019. It is alleged that they operated from multiple addresses, duping 4,725 individuals into sharing their online bank accounts.
ISIS Tech News Bulletin highlights BlueKeep vulnerability
- ISIS’ latest cybersecurity bulletin highlights the Microsoft Bluekeep vulnerability, as well as discussing the recent DDoS attack affecting the Telegram App. Its bulletin was first introduced in January 2016 to ensure its supporters know how to encrypt their conversations and avoid online detection.
Infowars founder claims to be a victim of a malware attack
- The founder of Infowars, Alex Jones, claims a malware attack embedded child pornography on his servers. He has linked the attack to someone connected to the families of children killed in the Sandy Hook shooting, an incident Jones claims to be a hoax, and has offered $1 million to whoever finds the person responsible. An FBI investigation into the matter is ongoing.
FCC complaint filed against AT&T, Sprint, Verizon and T-Mobile over sale of real time location data
- Multiple activist groups filed a complaint with the FCC on June 14th, 2019. Complainants allege that the carriers distribute customer location information widely and without customer consent, sometimes through the reselling of data. Moreover, the complainants assert that the actions of the carriers endanger public safety.
Twitter deletes thousands of fake accounts connected to Iran
- 4,779 accounts expressing sentiments that reflected the views of the Iranian government were deleted. The deleted accounts were shut down due to breaching Twitter’s ‘platform manipulation’ rules.
- Twitter also deleted four Russian accounts associated with the Russian Internet Research Agency.
- Additionally, 130 accounts associated with the Catalonian independence movement and 33 accounts originating from Venezuela were deleted.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.