Silobreaker Daily Cyber Digest – 17 October 2019
Graboid cryptojacking worm spreads between unsecured Docker hosts
- Researchers at Unit 42 identified a new cryptojacking worm, dubbed Graboid, that has infected over 2,000 Docker hosts. Most of the infected hosts had IP addresses located in China. The researchers stated that this was the first cryptojacking worm they had observed spreading via Docker Engine containers.
- Initial access was gained by pulling and running a malicious Docker image on an unsecured Docker daemon, i.e. one whose API is reachable without authentication. Once a host is infected, the malware begins to mine Monero; the miner is active roughly 63% of the time. Graboid also periodically searches for new unsecured Docker hosts to infect.
- Running inside Docker containers lowers the malware’s chance of detection, as endpoint security software frequently does not inspect data and activity inside containers. The researchers warned that the worm could easily be repurposed to deliver other types of malware, such as ransomware.
Source (Includes IOCs)
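The unsecured-daemon foothold described above comes down to how dockerd is configured to listen. The Python below is an added example (not Unit 42’s code and not part of this digest) that audits a daemon.json for an API endpoint reachable without client authentication. It checks three constructed configurations: a plaintext tcp://0.0.0.0:2375 listener, a TLS listener without tlsverify (encrypted, but still open to any client), and a hardened tlsverify configuration. The option names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are dockerd’s documented daemon.json keys; the sample configurations and the audit rules are this example’s own assumptions.

```python
"""Audit a Docker daemon.json for an API endpoint reachable without client authentication.

Added example: the configurations below are constructed, not taken from any real host.
"""
import json
from urllib.parse import urlsplit

# Constructed sample 1: the classic unsecured daemon, plaintext API on every interface.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample 2: "tls": true encrypts the connection but, without "tlsverify",
# the daemon still accepts any client that connects.
ENCRYPTED_UNAUTH_DAEMON_JSON = """{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample 3: tlsverify with a CA, so only clients holding a CA-issued
# certificate can talk to the API.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_docker_daemon(config_text):
    """Return a list of finding strings for tcp:// listeners; [] means nothing flagged.

    Rules (this example's assumptions, following dockerd's documented options):
      * a tcp:// host without "tlsverify": true lets any client that can reach the
        port run arbitrary containers, including privileged ones, as root on the host;
      * "tls": true on its own only encrypts; it does not authenticate clients;
      * tlsverify needs tlscacert, tlscert and tlskey to be set.
    """
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_verify = cfg.get("tlsverify") is True
    for host in tcp_hosts:
        bind = urlsplit(host)
        where = (bind.hostname
                 if bind.hostname not in (None, "", "0.0.0.0", "::")
                 else "all interfaces")
        if not tls_verify:
            mode = ("TLS-encrypted but unauthenticated" if cfg.get("tls") is True
                    else "plaintext, unauthenticated")
            findings.append("%s: %s API on %s (port %s)" % (host, mode, where, bind.port))
        else:
            missing = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
            if missing:
                findings.append("%s: tlsverify set but missing %s"
                                % (host, ", ".join(missing)))
        if bind.port == 2375:
            # 2375 is the conventional plaintext Docker API port; 2376 is used with TLS.
            findings.append("%s: port 2375 is the conventional plaintext Docker port; "
                            "use 2376 with tlsverify" % host)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON),
                       ("encrypted-unauth", ENCRYPTED_UNAUTH_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_daemon(text) or "no findings")
```

An auditor would run audit_docker_daemon over /etc/docker/daemon.json (the dockerd command line accepts the same -H and --tlsverify options, so a host may also be exposed that way). Any finding means that whoever can reach the port can start containers on the host, which is exactly the foothold Graboid relied on; the fix is to drop the tcp:// listener, or to enable tlsverify with a CA-issued client certificate, and to firewall the port in either case.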
TA505 group uses new Get2 downloader to install range of malware including new RAT
- On September 9th, 2019, researchers at Proofpoint identified a new TA505 campaign distributing a large volume of emails with Greek and English lures to financial institutions in numerous countries. Another large-scale campaign was launched on September 20th, 2019, in which malicious emails written in French and English targeted a range of verticals in the US and Canada.
- The emails carried a malicious Microsoft Office attachment that delivered a new downloader, dubbed Get2. The downloader is written in C++ and collects basic system information before sending it to the attacker’s C2 server. Get2 was then used to download additional malware such as FlawedAmmyy, Snatch, FlawedGrace, and a new RAT named SDBbot.
- SDBbot was first identified in a campaign that began on October 7th, 2019, and distributed thousands of English-language emails containing URL-shortener links to various industries in the US. SDBbot is also written in C++ and can perform various functions, such as executing commands, shutting down systems, and more.
Source (Includes IOCs)
Fake WordPress plugin observed being used as a backdoor
- Researchers at Sucuri discovered a fake WordPress plugin, called ‘wpframework’, that threat actors are using as a backdoor to maintain access to compromised sites even after the visible infection has been cleaned up. The plugin was also found to contain a cryptocurrency miner. It can execute commands at the server level and run arbitrary PHP code through the ‘eval’ function.
Cryptomining malware discovered at European airport
- Cyberbit’s Endpoint Detection and Response team discovered cryptomining software installed on over 50% of the workstations at an international airport in Europe. The malware involved is the XMRig cryptominer, which has been linked to the Anti-CoinMiner campaign first reported by Zscaler in August 2018.
- The infection was discovered after analysts noticed repeated use of PAExec, a tool for running Windows programs on remote systems. PAExec was run repeatedly to launch an executable called ‘Player’. The malware was executed in system mode, i.e. with SYSTEM-level privileges, which gave it maximum privileges and priority over other applications while also reducing the chance of detection by security tools.
- Once running, Player used reflective DLL loading to load additional DLLs directly from memory, which helped it evade detection. PAExec was also added to the registry to achieve persistence.
Criminals embed malicious code inside WAV audio files
- Researchers at BlackBerry Cylance identified a threat actor attempting to deliver malware through malicious code hidden within WAV audio files. Some of the files carried code associated with the XMRig Monero miner; others contained Metasploit code that could be used to establish a reverse shell. Both payloads were used in an attack against the same target.
- The attackers used three techniques to execute the code hidden in the WAV files. The first employs least-significant-bit (LSB) steganography to decode and execute a PE file. The second employs a rand()-based decoding algorithm to decode and execute a PE file, while the third also uses rand()-based decoding, but to decode and execute shellcode.
- The researchers stated that certain techniques bear similarities to an attack by the Turla group reported by Symantec in June 2019. However, there is no definitive evidence linking the two attacks.
Source (Includes IOCs)
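To make the LSB variant concrete, the Python below is an added example of the generic technique, not the loader code reported by BlackBerry Cylance. It builds a constructed 16-bit PCM WAV, hides a length-prefixed payload one bit per sample in the samples’ least significant bits, recovers it, and checks the recovered bytes for a PE header (an MZ stub whose e_lfanew field points at a PE\0\0 signature), which is the check a defender would add to a scanner. The payload is a 96-byte stand-in carrying only the two signatures, not an executable; the bit ordering and the 4-byte length prefix are this example’s assumptions, and the rand()-based decoders are not reproduced because the digest gives no detail of them.

```python
"""LSB steganography in 16-bit PCM WAV audio: embed a payload, recover it, check for a PE header.

Added example of the generic technique; the cover audio and the payload are constructed.
"""
import io
import random
import struct
import wave


def make_wav(num_samples, seed=1234):
    """Constructed mono 16-bit PCM WAV (deterministic pseudo-noise), returned as bytes."""
    rng = random.Random(seed)
    samples = [rng.randint(-20000, 20000) for _ in range(num_samples)]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(struct.pack("<%dh" % num_samples, *samples))
    return buf.getvalue()


def _read_samples(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed_lsb(wav_bytes, payload):
    """Hide len(payload) (4-byte LE) + payload, one bit per sample, LSB-first within each byte."""
    params, samples = _read_samples(wav_bytes)
    data = struct.pack("<I", len(payload)) + payload
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover audio too short: need %d samples" % len(bits))
    for idx, bit in enumerate(bits):
        samples[idx] = (samples[idx] & ~1) | bit  # clear the LSB, then set it to the payload bit
    return _write_samples(params, samples)


def extract_lsb(wav_bytes):
    """Reassemble the LSB stream into bytes and return the length-prefixed payload."""
    _, samples = _read_samples(wav_bytes)
    stream = bytearray()
    for i in range(0, len(samples) - 7, 8):
        byte = 0
        for j in range(8):
            byte |= (samples[i + j] & 1) << j
        stream.append(byte)
    if len(stream) < 4:
        return b""
    length = struct.unpack("<I", stream[:4])[0]
    return bytes(stream[4:4 + length])


def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_wav_for_pe(wav_bytes):
    """Defender-side check: does the LSB channel of this WAV carry a PE image?"""
    return looks_like_pe(extract_lsb(wav_bytes))


def fake_pe():
    """Constructed 96-byte stand-in with only the DOS and PE signatures (not a real executable)."""
    buf = bytearray(96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    stego = embed_lsb(make_wav(4000), fake_pe())
    print("recovered payload matches:", extract_lsb(stego) == fake_pe())
    print("PE hidden in WAV:", scan_wav_for_pe(stego))
```

Because the LSB channel only survives in lossless audio, running the same extraction over WAV attachments or downloads in a sandbox and then applying looks_like_pe gives a cheap, high-precision signal. It would miss a payload that uses a different bit order, a keyed start offset or the rand()-based encodings mentioned above, so treat it as one detection among several rather than a general steganalysis tool.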
Phorpiex botnet can send up to 30,000 sextortion emails per hour
- Researchers at Check Point found that the Phorpiex botnet, which is active on more than 500,000 hosts, has been engaged in a lucrative sextortion campaign. In the past the botnet pushed various types of malware, such as GandCrab, and engaged in cryptomining. The researchers suggested that the retirement of GandCrab prompted the criminals to pursue other revenue streams.
- The Phorpiex spam bot draws on a database of email addresses and passwords taken from leaked credential lists, so the criminals can include one of the target’s real passwords in the sextortion email. This tactic is used to convince victims that the attacker has genuinely infected their system and recorded them.
- The spam bot can send up to 30,000 emails per hour, and each campaign can potentially reach 27 million victims. The researchers tracked the campaign over five months and found an associated wallet containing over $110,000 in Bitcoin.
Source (Includes IOCs)
Leaks and Breaches
Pouring Pounds Ltd leaks personal information of 3.5 million individuals
- Safety Detectives researchers discovered an unprotected Elasticsearch server belonging to Pouring Pounds Ltd, which exposed personally identifiable information of Pouringpounds[.]com and Cashkaro[.]com customers. The leak affects active customers in the UK and India who have logged into the platforms in recent months.
- A total of 2TB of data was found, exposing the private data of over a million PouringPounds users and 2.5 million CashKaro users. Exposed data includes full names, phone numbers, email addresses, login credentials, bank details, emails sent to users, and IP addresses, all stored in plaintext.
- The leak was first discovered on September 2nd, 2019, but the data is believed to have been publicly accessible since August 9th, 2019. Pouring Pounds Ltd was informed of the leak and secured the server on September 21st, 2019.
Job applicants’ CVs exposed in data leak
- Security researcher Gareth Llewellyn discovered two unsecured, publicly accessible Amazon S3 buckets belonging to Authentic Jobs, a US-based jobs board, and Sonic Jobs, a UK-based retail and restaurant jobs app. The buckets contained 221,130 and 29,202 CVs, respectively, and have since been secured.
Private data of 1,344 Wheaton High School students exposed in data breach
- The private data of 1,344 Wheaton High School students was exposed in a data breach in which an individual gained access to Naviance, a college preparation platform. According to Montgomery County Public Schools, a student not affiliated with Wheaton High School used brute forcing to gain access and then downloaded the personal information.
- Exposed data included students’ names, dates of birth, highest ACT scores, highest SAT scores, GPAs, addresses, and ethnicities. No Social Security numbers or financial information were accessed.
Oracle patches 219 vulnerabilities
- Oracle’s most recent Critical Patch Update contains 219 patches across multiple products, including ones concerning Fusion Middleware, Java SE and MySQL.
- The most critical Fusion Middleware vulnerabilities are remote code execution flaws, tracked as CVE-2019-2904, CVE-2016-1000031, and CVE-2019-2905, which are found in Oracle JDeveloper and ADF, Oracle Virtual Directory and Oracle Business Intelligence Enterprise Edition. A remote code execution flaw affecting MySQL Workbench and tracked as CVE-2019-8457 was also patched.
- A full list of all patched vulnerabilities can be found on Oracle’s site.
WordPress fixes six bugs in ‘short-cycle security release’
- WordPress released version 5.2.4, which fixes six security issues, including a cross-site scripting flaw. Version 5.1 and earlier have also been updated. Version 5.3 is due to be the next major release.
Critical flaw found in Cisco’s Aironet access points
- A flaw in Cisco’s Aironet access points, tracked as CVE-2019-15260, could allow an unauthenticated remote attacker to view sensitive information and change certain configuration options, enabling them to disable the AP or create a denial-of-service condition. Affected products include the Aironet 1540, 1560, 1800, 2800, 3800 and 4800 series.
Researcher publishes POC code for recently discovered Android zero-day
- Security researcher Grant Hernandez developed and published proof-of-concept (POC) code, named Qu1ckR00t, that enables a user to root an Android device.
- The POC targets a recently discovered zero-day flaw, tracked as CVE-2019-2215, in the Android kernel. Google security researcher Maddie Stone had also released POC code; however, hers only provided read/write access rather than a full root.
US officials claim that cyber-attack was successfully launched against Iran
- Speaking to Reuters, two unnamed US officials claimed that a cyberattack was launched against Iran in late September 2019. The officials said the strike affected physical hardware used for propaganda purposes.
- Iranian Minister of Communications and Information Technology Mohammad Javad Azari-Jahromi denied the attack and stated that the officials ‘must have dreamt it’.
Over 550 typosquatting sites take advantage of US 2020 election traffic
- Researchers at Digital Shadows identified over 550 typosquatting sites relating either to the US 2020 election or to the Democratic and Republican candidates currently running. The sites fell into three main categories: misconfigured or illegitimate sites made up 8% of the typosquats, non-malicious sites accounted for 24%, and 68% redirected the visitor to other websites.
- Some typosquatting redirects sent visitors to the pages of political rivals. For example, a mistyped URL for Elizabeth Warren’s site would send users to a site about Donald Trump.
- Six redirection sites sent visitors to pages offering Google Chrome extensions for secure browsing or file conversion. The researchers found that these extensions requested overly intrusive permissions.
Source (Includes IOCs)
New information shows BriansClub may have been hacked by rival criminals
- Following the release of a BriansClub database containing the details of 26 million stolen cards, the site’s administrator has been in contact with security researcher Brian Krebs. The criminal behind the store told Krebs, who originally reported the breach, that the data centre used to host the site had been hacked in February 2019.
- An administrator on the long-running Russian cybercrime forum Verified claimed that the attack was carried out by the owner of the competing card shop ‘MrGreen’. As a result of providing the database to Brian Krebs, ‘MrGreen’ was banned from the Verified forum.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.