Silobreaker Daily Cyber Digest – 17 May 2019
New email stealer used by TA505 hacking group discovered
- Following a recent spike in attacks in the banking sector, researchers at Yoroi discovered the use of credential stealing software in attacks by the TA505 hacking group. TA505 has previously been connected to email attacks focusing on retail and banking companies.
- The credential stealing software is delivered via the FlawedAmmyy RAT, distributed through the group’s malspam campaign. The purpose of the software is to retrieve the email accounts and passwords present on the infected device.
- Attacks of this type were observed globally, suggesting the attacks are not targeted.
FBI reports US businesses continuously attacked with Ryuk ransomware
- The FBI reported that Ryuk ransomware was used to target more than 100 US companies since August 2018. The attacks primarily targeted logistics companies, tech companies and small municipalities.
- Once systems are infected, Ryuk establishes a presence in the registry and looks for attack opportunities. Ryuk then deletes files relating to the intrusion, making identification of the infection vector impossible.
- The FBI also reported that in one case the ransomware operators used unsecured or brute-forced RDP to gain access to systems. The report discourages victims from paying into the attackers’ Bitcoin wallets and instead asks those impacted to contact their local field office.
Russian bots manipulated results of Voice Kids TV talent show
- According to an investigation by Group-IB, over 8,000 text messages were sent from around 300 phone numbers to manipulate votes in favour of a Russian millionaire’s young daughter.
Members of GozNym crime group charged for stealing $100 million
- Law enforcement agencies in the US and Europe have charged 11 alleged members of the cybercrime group behind the GozNym banking trojan, for reportedly stealing $100 million from over 41,000 victims. The indictment states that the group advertised their services on underground, Russian-language forums.
- The leader of the group is thought to be 35-year-old Alexander Konovolov, from Tbilisi, Georgia, who controlled over 41,000 victims’ computers infected with GozNym, and was also responsible for recruiting more cybercriminals to the team. In addition, Vladimir Gorin is thought to have been the developer of GozNym.
- Others named in the indictment include Krasimir Nikolov, Eduard Malancini, Farkhad Rauf Ogly Manokhim and Konstantin Volchkov, among others, all of whom remain undetained.
Leaks and Breaches
Singapore Red Cross website hack compromised data of over 4,000 potential blood donors
- The Singapore Red Cross’ website was illegally accessed on May 8th, 2019, giving the attackers access to the personal details of 4,297 registered potential blood donors.
- The accessed personal information includes names, contact numbers, emails, blood types and preferred appointment slot for donation.
Stack Overflow announces hackers accessed its production systems
- Stack Overflow announced that an investigation revealed ‘some level of production access was gained on May 11’. It is as yet unclear whether the hackers accessed Stack Overflow’s internal network.
- No customer or user data is thought to have been affected.
Unsecured database exposes data belonging to 8 million US citizens
- The data belongs to citizens who participated in online surveys, sweepstakes, and requests for free product samples. The database was discovered by Sanyam Jaim, and exposed the personal information of 8 million people, including full names, addresses, email addresses, phone numbers, dates of birth, genders, and IP addresses.
British Transport Police (BTP) website hacked
- The initial compromise made by unknown attackers was thought to only affect the ‘newsroom section’ of the website.
- Following a further investigation by BTP, the National Cyber Security Centre and the National Crime Agency it was revealed that “a small number” of staff details were leaked. At present the content of the leaked details is unclear.
Yeshwantpur-based garment company loses over $20,000 in cyber fraud
- An Indian garment company was persuaded to transfer over ₹14 lakh ($20,090) to a Peruvian bank account following the compromise of its Indonesia-based business partner’s email account.
- Fraudsters gained access to the email account of fabric material supplier Argo Pantes and created a fake email account to facilitate the transfer. Cybercrime police are attempting to trace the attacker by following the IP address and trailing the money transfer.
Two privilege escalation vulnerabilities discovered in Wacom update helper
- CVE-2019-5012 exists in the Wacom driver version 6.3.32-3 update helper service, in the startProcess command. A threat actor with local access could leverage this flaw to gain root privileges.
- CVE-2019-5013 exists in the Wacom update helper service, in the start/stopLaunchDProcess command. A threat actor with local access could exploit this flaw to load arbitrary launchd agents.
Cisco patches numerous vulnerabilities across its products, including critical flaws in PI software
- The critical flaws, tracked as CVE-2019-1821, CVE-2019-1822 and CVE-2019-1823, impact the web-based management interface of Cisco Prime Infrastructure (PI) software and Cisco Evolved Programmable Network Manager. They could allow a remote attacker to execute code with elevated privileges.
- Other patched flaws include 10 high severity issues in ASR 9000 Series routers, Webex Network Recording Player for Windows, multiple versions of Small Business Series switches, FXOS, NX-OS, IOS XR Software, Video Surveillance Manager, and Nexus 9000 Series switches. Over 40 medium risk flaws were also patched in NX-OS.
Persistent cross-site scripting vulnerability found in WordPress Live Chat Plugin
- Researchers at Sucuri found that older versions of the WordPress Live Chat Plugin are vulnerable to stored/persistent cross-site scripting (XSS) due to an unprotected ‘admin_init’ hook. XSS enables hackers to inject malicious code into websites or apps.
- More than 60,000 users are suspected of being affected. A patch is available and the researchers have advised website administrators and users to update their plugin.
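As an added illustration of the weakness described above (not the Live Chat plugin’s code nor Sucuri’s write-up; the function and option names are assumptions), a settings handler hooked to admin_init that trusts any request, beside a hardened version that checks capability and nonce, sanitises input and escapes output:

```php
<?php
// Illustrative pattern only; option name 'example_chat_greeting' is assumed.
// Only ONE of the two add_action() calls below would exist in a real plugin.

// Weak form: admin_init runs for every request that loads the admin bootstrap,
// including admin-ajax.php, which unauthenticated callers can reach. Nothing
// here checks who is asking, so arbitrary HTML can be persisted into the
// option and later rendered on the site's pages: stored XSS.
function example_chat_save_settings_weak() {
    if ( isset( $_POST['chat_greeting'] ) ) {
        update_option( 'example_chat_greeting', $_POST['chat_greeting'] );
    }
}
add_action( 'admin_init', 'example_chat_save_settings_weak' );

// Hardened form: require a capability, verify a nonce bound to this action,
// and sanitise before storing.
function example_chat_save_settings_hardened() {
    if ( ! isset( $_POST['chat_greeting'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // low-privileged or anonymous caller: do nothing
    }
    // Dies with "The link you followed has expired" if the nonce is missing/invalid.
    check_admin_referer( 'example_chat_save', 'example_chat_nonce' );
    $greeting = sanitize_text_field( wp_unslash( $_POST['chat_greeting'] ) );
    update_option( 'example_chat_greeting', $greeting );
}
add_action( 'admin_init', 'example_chat_save_settings_hardened' );

// Settings form that issues the nonce the hardened handler verifies.
function example_chat_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_chat_save', 'example_chat_nonce' );
    echo '<input type="text" name="chat_greeting" value="'
        . esc_attr( get_option( 'example_chat_greeting', '' ) ) . '">';
    submit_button( 'Save greeting' );
    echo '</form>';
}

// Output side: escape on render regardless of what was stored.
function example_chat_render_greeting() {
    echo '<div class="chat-greeting">'
        . esc_html( get_option( 'example_chat_greeting', '' ) ) . '</div>';
}
```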
Large number of Ethereum clients remain unpatched leaving network vulnerable to 51% attacks
- Security researchers from SRLabs revealed that only two thirds of Ethereum nodes have been patched since a critical vulnerability was discovered earlier this year in the Parity client, which can be used to run the nodes.
- The flaw is a denial-of-service vulnerability that could permit an attacker to remotely crash the nodes by sending malformed packets. According to ZDNet, when attackers crash nodes, they can overwhelm the network and gain a 51% majority in the blockchain, providing them with the ability to perform double-spend attacks and validate malicious transactions.
EDRi warns about widespread and potentially growing use of deep packet inspections by ISPs
- In an open letter to European policymakers and regulators, the European Digital Rights (EDRi) organization, along with 45 NGOs, academics and companies from 15 countries, warned about the widespread and potentially increasing use of deep packet inspection (DPI) by internet service providers (ISPs).
- DPI refers to the analysis of data packets’ contents and has been criticized as ‘privacy invasive’ and ‘not strictly legal within the EU’. The letter warns that the evaluation of such contents can ‘reveal sensitive information about a user, such as preferred news publications, interest in specific health conditions, sexual preferences, or religious beliefs.’
Google Project Zero releases document listing known cases of detected zero-day exploits
- The Google Project Zero tracks zero-day exploits in the wild and experts of the project have shared the collected data in a publicly accessible spreadsheet. Vulnerabilities include zero-days affecting products from major vendors, such as Adobe, Apple, and Google.
Real estate businesses and home buyers most affected by Baltimore City Hall ransomware attack
- City servers remain disrupted following a ransomware attack on Baltimore City Hall on May 9th, 2019. Real estate businesses and home buyers are said to be most affected due to a lack of access to databases.
Rise in attacks using spam and phishing methods
- Researchers at Kaspersky Lab released their Q1 2019 report on spam and phishing attacks. They recorded a rise in spam mail globally and noted that their anti-phishing systems prevented more than 111,832,308 redirects to phishing sites, a rise of 35,229,650 from the previous quarter.
- Attackers continue to trick users into giving away details with ‘sextortion’ spam, banking related phishing emails and ‘dream job offers’. Attackers also moved beyond mailing lists and started advertising on social media platforms, enticing users to enter their details to receive heavily discounted goods.
- Moreover, attackers focused on high-profile real-world events such as the release of new Apple products, releasing waves of emails advertising discount deals.
Facebook partially restores its ‘View As’ security feature following data breach
- The ‘View As’ feature was at the center of a data breach in September 2018, which impacted 29 million accounts. The attack was made by spammers seeking to profit through deceptive advertising.
- Attackers were able to view the names, phone numbers and email addresses of 15 million users, and the gender, hometown, date of birth, religion, and check-ins of a further 14 million users.
- The feature is being restored gradually and is at present not available to all users.
Dutch intelligence services investigate Huawei for possible spying
- The Dutch intelligence and security agency AIVD is investigating Huawei for possibly conducting espionage on behalf of the Chinese government by leaving backdoors to the customer data of major telecoms firms.
- Huawei is believed to have hidden backdoors that provide access to customer information of Dutch networks Vodafone/Ziggo, T-Mobile/Tele2, and KPN.
Facebook bans Archimedes Group for creating fake accounts
- Facebook has removed 265 Facebook and Instagram accounts, Facebook Pages, Groups and Events for engaging in fake behaviour. The accounts were created by Archimedes Group, which was also responsible for breaching other Facebook policies such as misrepresentation and coordinated inauthentic behaviour.
- The group focuses on influencing citizens in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, as well as some areas of Latin America and Southeast Asia. The fake accounts ran pages that represented them as local opinion resources, such as local news organisations, and were widely followed.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.