Silobreaker Daily Cyber Digest – 18 June 2019


Ongoing Campaigns

Researchers detect novel way of bypassing SMS-based 2FA on Android devices

  • ESET researchers discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS two-factor authentication (2FA) messages without using SMS permissions. This method bypasses Google’s recent restriction of SMS and Call Log permissions in Android apps. ESET tracks the malware as Android/FakeApp.KP.
  • The apps impersonated Turkish cryptocurrency exchanges BtcTurk and Koineks, and phished for login credentials to the services. The malicious apps retrieved OTPs from notifications appearing on the compromised device and can also dismiss these notifications to prevent victims from noticing ongoing fraudulent transactions.

Source (Includes IOCs)


Malspam campaign observed pushing Dridex malware

  • Security researcher Brad Duncan analysed a recent malspam campaign that uses password-protected Word documents to infect devices with Dridex malware. The email claims to contain an invoice attachment that requires a password and upon entering the password, opens a Word document asking the user to disable macros, allowing Dridex to be downloaded.
  • The attack is the same as in previous Dridex infections, however, in this case the Dridex DLL files are 64-bit DLLs using file names loaded by legitimate Microsoft Windows system EXEs. The file paths, names and associated SHA256 hashes change with every login by the victim.

Source (Includes IOCs)


Indian cyber group defaces Turkish websites

  • The group, dubbed the Indian Cyber Soldiers, displayed images of Amitabh Bachchan holding the Indian flag on Turkish websites. The group claimed that their attacks were in retaliation for Turkish-based hackers gaining access to the Twitter accounts of actor Amitabh Bachchan and singer Adnan Sami.  



Leaks and Breaches

Student scrapes and publishes 7 million Venmo transactions on GitHub

  • Dan Salmon, a student at Minnesota State University, was able to scrape seven million Venmo transactions to demonstrate that users’ public activity can be easily accessed.
  • Salmon stated that the data is ‘publicly available for anyone to grab without even an API key’. The exposed transaction details include usernames, full names, profile pictures, recipient information, and more. The data set was posted on GitHub.  
  • Users are advised to switch their Venmo accounts as well as ‘Past Transactions’ to private.



Australian Catholic University suffers data breach

  • The Australian Catholic University (ACU) stated that the breach was the result of a phishing attack which was discovered on May 22nd, 2019. Emails redirected victims to fake ACU login pages that phished for their details.
  • Staff who entered their details gave attackers access to their email accounts, calendars and bank account details.



Florida-based Rosenbaum Dental Group notifies patients of data breach

  • The dental group alerted 1,200 patients that their information may have been compromised after an unauthorized party gained access to this information through malware.
  • The affected information includes names, addresses, phone numbers and health insurance information.



Indiana-based medical practice suffers ransomware attack

  • Talley Medical Surgical Eyecare Associates PC reported that 106,000 individuals, consisting of former and current patients and employees, were affected by a data breach following a ransomware attack on the practice.
  • Compromised information includes names, addresses, Social Security numbers, medical information, including diagnosis and treatment, and other related personal information.



NHS Highland exposes private data of 37 HIV patients

  • NHS Highland’s health board apologised to its patients after accidentally exposing the names and email addresses of 37 recipients to one another while sending out invitations to a support group for HIV patients.



Job search site Talanton exposes data of over 1.6 million users

  • Researchers at SafetyDetective discovered an open Elastic server containing 3GB of data from over 1.6 million Talanton users. Talanton is an Indian-based job-seeking portal specializing in professional job openings.
  • The server was first discovered on May 30th, 2019, but had been exposed since May 17th until June 15th, 2019. The database contained private phone numbers, direct emails, salary information, as well as ethnic backgrounds, gender and more.
  • Various methods of sourcing were used to add individuals to the database, meaning data of professionals unaware of having been added to the database was also exposed. This includes personal information from people across the globe, including direct numbers and emails of CISOs, CEOs, and high-ranking government employees.



UMass Memorial Community Healthlink suffers data breach

  • Massachusetts-based health care system UMass Memorial Community Healthlink is informing its patients of a data breach that took place on April 18th, 2019, as a result of a phishing attack.
  • It was confirmed that the hackers had access to patients’ information, including patients’ names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information, and in some cases, Social Security numbers.



Private medical details of NHS 24 employees leaked in data breach

  • The details of employees who were off work due to illness were accidentally sent to all NHS 24 staff by the employee relations team in the human resources department. Upon realising the error, the email was recalled and employees were informed of the breach.




TCP networking vulnerabilities found in FreeBSD and Linux Kernels

  • Netflix Information Security researcher Jonathan Looney identified three vulnerabilities tracked as CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479. The vulnerabilities relate to minimum segment size (MSS) and TCP Selective Acknowledgment (SACK) capabilities.
  • CVE-2019-11477, dubbed SACK Panic, has been classed as the most severe of the three and allows a remote attacker to trigger a kernel panic in systems running the affected software. The vulnerability can be triggered by ‘sending a crafted sequence of SACK segments on a TCP connection with small values of TCP MSS’.

Source 1 Source 2


Researcher discloses two CSRF flaws in Facebook WordPress plugins

  • A security researcher claims he discovered cross-site request forgery (CSRF) flaws in two WordPress plugins developed by Facebook. The two plugins are Facebook for WooCommerce and Messenger Customer Chat. The vulnerabilities were published on the Plugin Vulnerabilities website ahead of notifying the developer and therefore have not been addressed to date.
  • Facebook for WooCommerce has 20,000 installs and allows users to connect WooCommerce products to Facebook. Messenger Customer Chat has 200,000 installs and allows customers to integrate Facebook’s chat tool to their WordPress site.



NETGEAR routers affected by two bugs in KCodes NetUSB

  • The NetUSB kernel module contains vulnerabilities CVE-2019-5016 and CVE-2019-5017 that could allow attackers access to information on NETGEAR wireless routers.
  • CVE-2019-5016 is an exploitable arbitrary memory read vulnerability that impacts at least two NETGEAR Nighthawk routers. A specially crafted index value can cause an invalid memory read, resulting in a DoS or remote information disclosure.
  • CVE-2019-5017 exists in the KCodes NetUSB.ko module that enables the ReadySHARE printer feature in at least two NETGEAR Nighthawk routers. Unauthenticated, remote attackers can calculate the dynamic base address of the module by sending a packet containing an opcode that triggers the kernel module to return several addresses.



General News

New York Times alleged that the US is targeting Russian infrastructure

  • On June 15th, 2019, the New York Times alleged that US Cyber Command has been targeting Russia’s electrical power grid network. The report claimed that over the past three months, American computer code has been deployed inside the electrical grid and inside other classified targets.
  • Russian Presidential Spokesman Dmitry Peskov stated on June 17th, 2019, that any intrusion into Russian infrastructure meant that cyberwar with Russia was a ‘hypothetical possibility’.

Source 1 Source 2


Free decryption tool allows victims to decrypt all versions of GandCrab

  • The GandCrab ransomware decryption tool was released on June 17th, 2019 and was developed collaboratively by law enforcement agencies and Bitdefender. The tool allows users to counter GandCrab versions 1 to 4 and the latest versions 5 to 5.2.
  • The release of this latest decrypter comes less than a month after GandCrab’s operators announced that they were shutting down their ransomware-as-a-service operation.



Civil rights group Liberty challenge British government over Investigatory Powers Act

  • Liberty are challenging the government at the High Court; the group claim that data gathered by the security services and other agencies is too wide ranging and intrusive.
  • Sir James Eadie QC argued that the Investigatory Powers Act ‘strike an appropriate balance between security and individual privacy.’



Major CMSs use outdated hash functions by default

  • Academics at the University of Piraeus found that a large number of content management systems (CMSs) use old and outdated hashing schemes such as MD5. These include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms, and Composr.
  • In their research paper, they also outline other issues in CMSs such as an arbitrary number of iterations, lack of password policies or salting functions. They conclude that programmers often seem to take the easy route, by implementing poor password security, and that all web application frameworks should come with strong defaults for password hashing.
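The contrast the researchers draw, shown as an added example (not code from the digest or from the cited paper): an unsalted MD5 scheme of the kind flagged above beside a default that salts, iterates and verifies in constant time. The scheme name, storage format and iteration count are this example's own assumptions.

```python
"""Weak CMS-style password storage beside a hardened default (added example;
all names, the storage format and the work factor are illustrative)."""
import hashlib
import hmac
import os

# Weak default: unsalted MD5. Equal passwords produce equal digests, and a
# single MD5 is cheap enough that offline guessing is fast.
def weak_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened default: per-user random salt, the iteration count stored with
# the hash, and a slow KDF. Record format (illustrative):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
PBKDF2_ITERATIONS = 200_000  # illustrative work factor; tune for your hardware

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy (e.g. bare MD5) record: never accept
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy records and for records below the current work factor,
    so a site can upgrade stored hashes transparently at the next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < min_iterations
```

Legacy MD5 records are deliberately rejected by verify_password; a migration would verify the MD5 once at login and then store the output of hash_password.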



2018 Coincheck security breach potentially linked to Russian hackers

  • New information suggests that Russian hackers may have been behind the January 2018 Coincheck security breach, which resulted in a loss of 500 million NEM coins ($530 million) for the Tokyo-based cryptocurrency exchange.
  • By sending out emails containing Netwire and Mokes malware, the attackers managed to gain control of their victims’ machines, enabling them to access the money. After an analysis of the malware used in the attack, cybersecurity expert Ashani Shimbum believes the attackers may be from Russia or Eastern Europe.
  • The breach had previously been linked to North Korea, with cybersecurity company Group-IB suggesting a link to the Lazarus Group. The South Korean National Intelligence Service continues to investigate any links to North Korea.



Cellebrite announces it is capable of hacking into any iOS device

  • Mobile device forensics company Cellebrite announced that it can ‘perform a full file system extraction on any iOS device,’ as well as on Android devices. The company seeks to sell this service to law enforcement agencies, without the need for the devices to be sent to Cellebrite.
  • Cellebrite is believed to be the company behind the hacking of the iPhone 5C of the San Bernardino killer Syed Rizwan Farook, after Apple refused to code a backdoor for iOS due to concerns that such a backdoor could be leaked. Cellebrite’s penetration tools were eventually discovered on the open market in February 2019.



Iran allegedly discovered and dismantled a CIA spy network

  • According to the Secretary of Iran’s Supreme National Security Council Ali Shamkhani, Iran has uncovered an elaborate CIA spy network, which is said to have led to the arrest of multiple US intelligence officers. More details are said to be provided ‘in the near future.’
  • Shamkhani also stated that Iran and its allies have formed an ‘international anti-spying network’ against the US.



Parliamentary authorities investigate claims of cyber security breach

  • The website, which contained bills currently before Parliament, was allegedly exposing private folders. Moreover, a Twitter user also claimed to have found passwords that had been leaked online.
  • A parliamentary spokesperson said that an investigation was ongoing but that the site was not thought to contain Parliamentary data.



Former GCHQ employee warns of hackers using AI to mimic colleagues

  • Former GCHQ employee and director of technology for Darktrace Dave Palmer warns of phishing emails that appear to be from work colleagues. According to him, hackers use artificial intelligence (AI) bots to learn the writing style of the initial victim in order to mimic it and send out emails containing ransomware.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
