Silobreaker Daily Cyber Digest – 19 August 2019
Search hijacker pretends installation failed
- Researchers at Malwarebytes Labs found a new search hijacker family, called QxSearch, that is delivered via multiple Chrome extensions. It is a descendant of SearchPrivacyPlus, with entries on Chrome Web Store almost identical for both hijackers. Search hijackers are capable of reading and changing data to redirect users to their own domain.
- QxSearch contains a new feature that involves the hijacker issuing a notice of a failed installation or that an extra step is required to complete the installation, despite the extension already having been installed. The failure takes place when the extension is meant to add an icon to the browser’s menu bar, which results in no icon being installed, making the hijacker more difficult to remove.
- The researchers also found another search hijacker family, named OptionalSafely, that uses this method of failed installation, however, in this case the failure refers to the installation of a second extension that is triggered by OptionalSafely. This second extension is a “newtab” hijacker called Media New Tab.
Source (Includes IOCs)
At least 23 Texan local government entities hit with ransomware
- On the morning of August 16th, 2019, local government entities in Texas began to report that they had been victims of a ransomware attack. The attack appears to be coordinated by a single threat actor.
- The response to the attack is being led by The Texas Department of Information Resources (DIR) and involves Federal and State agencies. The DIR confirmed that the systems and networks of the State of Texas have not been impacted.
- Although the DIR have not named the ransomware, ZDNet claim to have learned from a local source that devices are infected with Nemucod malware.
xRAT variant delivered via fake Indian Tax calculator
- Researchers at Fortinet identified a variant of xRAT malware being delivered through an Excel file purporting to be a tax calculator from the Indian Income Tax department. The attack is designed to target those seeking to file their income tax returns before the deadline on August 31st, 2019.
- The variant of xRAT that the researchers identified utilizes Portmap to send encrypted traffic to the attackers' C2. The malware has multiple features and can run remote desktop and remote shell, download and execute files, and access computer commands.
Source (Includes IOCs)
Adware detected on 85 apps on Google Play
- Researchers at Trend Micro identified 85 photography or gaming apps that had been collectively downloaded over 8 million times. The apps contain a persistent adware that evades detection through a time- and behavior-based trigger. Displayed adverts also prove difficult to close and are displayed in full screen.
- The researchers reported these issues to Google who removed the malicious apps from the Google Play Store.
Source (Includes IOCs)
Fake free game giveaway site used to steal Steam Accounts
- Hackers who accessed compromised Steam Accounts have been sending messages to the users' friends stating that they can get free games by clicking on a link within the message. Targets who access the link are sent to a scam site which tells them they can claim their game by logging into their Steam account via a fake login page.
- If Steam Guard blocks the malicious login attempts the scammers ask users to provide them with the code sent to their email or phone.
- When a user successfully enters all their details the criminals carry out an automated attack that changes the user’s password, email address and phone number. Bleeping Computer tested the attack and found that the IP address of the device which stole their account was located in Russia.
Win32.Bolik.2 banking trojan spread through copies of popular software
- Researchers at Dr.Web observed the banking trojan Bolik being distributed via fake websites that purported to offer downloads for corporate office software and NordVPN. The attackers created a fake NordVPN site with a similar design and domain name to the valid website; the site also featured a valid SSL certificate.
- The campaign, first identified on August 8th, 2019, is directed against English-speaking users. The malware features properties of a multicomponent polymorphic file virus and allows attackers to perform web injection, intercept traffic, steal information from bank-client systems, and more.
- The criminals behind this recent attack conducted similar attacks in April 2019, distributing Bolik via a compromised video editing software website.
Source (Includes IOCs)
Leaks and Breaches
Michigan Medicine suffers data breach
- The private health data of roughly 5,500 Michigan Medicine patients may have been compromised as a result of an email phishing attack on July 9th and July 12th, 2019. Three employees had their accounts compromised, two of which contained identifiable patient information. The compromised accounts have been disabled.
- Although no evidence of data theft was found, potentially stolen data includes names, medical record numbers, Social Security numbers, addresses, and more.
Virginia Gay Hospital patient data potentially exposed
- The Iowa-based Virginia Gay Hospital is notifying its patients of a data breach that potentially exposed patient data. The breach was first discovered on June 18th, 2019, when it was found that an email account containing patient information may have been accessed by an unknown third party.
- No evidence of unauthorized access was found, however, potentially exposed data includes names, dates of birth, Social Security numbers and medical information.
Northern Territory Department of Education left teacher and student data exposed
- The Student Administration Management System (SAMS), used since 2017, was found by the auditor general’s office to contain an ‘excessive’ number of user accounts and could be accessed by terminated staff members. Additionally, no security patches had been applied to the server since June 2018.
- Exposed data included information about attendance rates, demographic data about students and parents, and students’ health and behavior. At present there are no plans to investigate whether the data was accessed by unauthorized parties.
Researchers discover private data in public sandboxes
- From August 12th to August 15th, 2019, Cyjax researchers monitored public submissions of online sandbox services and found a large amount of data exposed. The researchers warned that such data could easily be used by threat actors to target multiple industries and steal the identity of numerous individuals.
- The most frequently uploaded documents were invoices and purchase order documents, for example, one company submitted payment documents containing information that could potentially be used by malicious actors for spear phishing or BEC fraud campaigns.
- Insurance certificates were also uploaded frequently, exposing personally identifiable information, including names, phone numbers, addresses and email addresses. In addition, Professional Certificates and CVs were also uploaded exposing private data of individuals, including ID photographs and addresses. Other findings included documents from US CENTCOM, as well as medical and legal documents.
- The researchers also monitored a URL scanning service and found many users scanning Google Drive links that redirect to sensitive folders whilst using public submissions, exposing them for anyone to see and access.
Patched LibreOffice vulnerabilities can be bypassed
- Security researchers discovered three new vulnerabilities in LibreOffice that allow a threat actor to bypass previous patches and which can be chained to remotely execute malicious commands on a targeted device. All vulnerabilities were addressed in LibreOffice version 6.2.6/6.3.0.
- The researchers found that the patch for the remote code execution flaw in LibreOffice, tracked as CVE-2019-9848 and released in July 2019, could be bypassed by malicious actors by exploiting two newly discovered vulnerabilities, tracked as CVE-2019-9850 and CVE-2019-9851.
- The third vulnerability, CVE-2018-16858, initially patched in February 2019, could be bypassed by exploiting CVE-2019-9852.
Phone numbers exposed by lack of standardization in account recovery methods
- Security researcher Martin Vigo discovered that he could abuse multiple sites’ password reset processes to obtain users’ phone numbers. When resetting passwords via SMS or phone call, the UI displays part of the user’s number, and different sites, such as eBay, PayPal and Yahoo, reveal different parts of the number.
- Combining this with publicly available information such as the North American Numbering Plan Administrator (NANPA) data and brute-forcing methods allowed Vigo to discover a target’s phone number.
- Users in countries which use shorter phone numbers face an increased risk from this type of attack, as online services such as eBay and LastPass do not adjust the number of displayed digits to the length of the number.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.