Silobreaker Daily Cyber Digest – 19 December 2018
EMOTET, URSNIF, Dridex and BitPaymer linked by similar loader
- Trend Micro researchers discovered have found similarities in the internal data structure of EMOTET, URSNIF, Dridex and BitPaymer.
- According to their blog post, the researchers suspect that ‘the four malware families’ gangs might be in contact with the same weapon providers for PE loaders’. They also state it is possible the cybercriminals may have established relationships with one another and have exchanged, or are exchanging, resources.
Source (Includes IOCs)
Sucuri researchers discover SEO injection malware targeting WordPress sites
- The malware uses an ‘innovative approach’ by storing spam content in a special repository it creates in the site’s database. The created repository uses a different prefix from legitimate WordPress content meaning the posts won’t load or show up on a site’s admin dashboard.
- When a user visits a WordPress site, the malware will hijack the normal WordPress database connection that would normally occur when loading the page, and redirect the connection to fetch links to the spam posts. It then appends these links to the legitimate content before sending it back to the user’s browser.
- Sucuri found 173 sites containing the malware. The campaign was also observed targeting English and Korean searches that look for free downloads.
Sophos publishes analysis of Ryuk ransomware
- Researchers at Sophos have described Ryuk as an evolution in ransomware, that builds upon previous targeted malware. The group deploy their ransomware by brute forcing their way onto a network before gaining administrator privileges, which they use to spread their ransomware as much as possible prior to encryption. Sophos notes that the group behind Ryuk seek to target victims who can pay five to six figure ransoms, mainly in sectors such as manufacturing, commodities and healthcare.
- Ryuk’s encryption is allegedly based upon older code found in Hermes Ransomware, which is suspected to originate from the North Korean affiliated Lazarus Group.
Phishing campaign pretends to be App Store receipts
- The phishing campaign was observed using emails to distribute a PDF attachment that pretends to be a receipt for apps purchased by the victim’s account for $30 USD. If the PDF attachment is opened by the victim, then they will see that it contains various links that the recipient can use to report a problem or report an unauthorised purchase.
- If the links are clicked, the user will be taken to a page that is identical to Apple’s legitimate Account management portal, and asked to login with their Apple ID. If the login information is entered then a new page states that their account has been locked for security reasons and they must login to unlock it.
- The user is then asked via a form to verify their account information, including name, address, phone number, payment information, security questions and more. The phishing page then redirects the user to the legitimate Apple account.
Chinese hackers target US Navy contractors
- The Wall Street Journal has reported that Chinese hackers have breached US Navy contractors to steal intellectual property including missile plans and ship-maintenance data. In one case, 614 GB of data concerning submarine anti-ship missiles was stolen. The attack originated from a computer in Hainan province, China.
Extortion email threatens to send a hitman unless its paid
- The email has a subject line stating ‘Pretty significant material for you right here 17.12.2018 08:33:00’. The content, written in poorly worded English, states that the sender is the owner of a Dark Web site, which has been contacted by someone requesting a hitman to target the recipient for an ‘instant and pain-free’ execution.
- The email asks for $4,000 in Bitcoin to ‘remove the hitman’. The Bitcoin address has not received any ransom payment, due most likely to the poor quality of the scam.
Leaks and Breaches
Hackers infiltrated EU diplomatic cables
- The New York Times has reported that hackers have intercepted the European Union’s diplomatic communications, known as ‘diplomatic cables’, over a period of several years. The attack was discovered by cybersecurity company Area 1.
- According to the article, ‘the techniques that the hackers deployed over a three-year period resembled those long used by an elite unit of China’s People’s Liberation Army’. The attackers infiltrated cables regarding topics such as the Trump administration, Russia and China, the risk of the revival of Iran’s nuclear program and global trade. European officials have stated that no confidential or secret information was compromised.
- The hackers also infiltrated networks belonging to the United Nations, AFL-CIO, the ministries of foreign affairs and finance worldwide.
BJC HealthCare notifies 5,850 individuals of data breach
- On November 19th, 2018, BJC Healthcare found that its online payment portal was compromised, potentially exposing credit card information that was entered via the website.
- Other data that may have been compromised includes names, birthdates, billing account numbers and addresses. According to the company, no Social Security numbers or medical information was affected.
US Healthcare facilities suffer data breach
- Elizabethtown Community Hospital in New York has acknowledged that an employee’s email account had been remotely accessed on October 9th, 2018. The email account contained personal data of approximately 32,000 patients, as well as some social security numbers and addresses.
- The hospital notified impacted individuals, and has stated that there has been no evidence of any fraud associated with this event.
- In a different incident, the Dallas-Fort Worth branch of CCRM fertility clinic has posted a breach notification regarding an incident on October 4th, 2018. A third party gained access to a former nurse’s email account, and used it to distribute spam emails to patients. The intruder did have access to private data including names, addresses, email addresses, social security numbers, and medical history information, but there is no evidence to suggest this was accessed.
NASA discloses previous data breach
- An unknown intruder gained access to an internal server at NASA, that stored personally identifiable information including social security numbers, on both current and former employees. The breach was discovered on October 23rd 2018, but an internal memo notifying employees of this was not published until December 18th, 2018.
- NASA has stated that they are working with federal cybersecurity partners ‘to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals’. Identity monitoring services are being offered to those affected by the result of the breach, and NASA also stated that it does not believe any missions were jeopardised as a result of this.
PDA Union members report on Well Pharmacy leak
- An email entitled ‘Xmas Payments’, that included a spreadsheet containing pharmacists’ data was inadvertently sent to locum pharmacists last week. No patient data was included, however, the records did contain up to 24,000 lines of personal data about individuals from locum pharmacists.
Vulnerabilities found in ABB GATE-E1 and GATE-E2 devices
- Applied Risk researchers discovered multiple vulnerabilities in ABB Pluto Gateway products. The flaws affect GATE-E1 and GATE-E2 versions of the Gateway Ethernet devices, which are used in Pluto Safety PLC systems. According to ABB, the flaws will not be patched as both products are at their end of life.
- CVE-2018-18995 is a missing authentication vulnerability that can be exploited to cause a denial-of-service (DoS) condition by continuously resetting the product.
- CVE-2018-18997 is cross-site scripting (XSS) flaw that could be exploited to inject malicious code via the administrative HTTP and telnet interfaces.
ASUS and GIGABYTE drivers contain code execution vulnerabilities
- Four drivers from ASUS and GIGABYTE contain vulnerabilities that can be exploited to gain higher permissions on the system and execute arbitrary code. In total, there are seven flaws that affect five Aura Sync and GLCKIo and Asusgio drivers.
- When added to the system, Aura Sync installs the GLCKIo and Asusgio drivers which are affected by vulnerabilities tracked as CVE-2018-18537, CVE-2018-18536 and CVE-2018-18535, that all allow code execution.
- CVE-2018-18537 can be exploited in the GLCKIo driver if an attacker writes an arbitrary ‘double word’ [D WORD] to an arbitrary address. CVE-2018-18536 affects both GLCKIo and Asusgio drivers by exposing a way that permits reading and writing data to and from IO ports. CVE-2018-18535 affects Asusgio by exposing a read/write method for model-specific registers (MSRs).
LokiBot utilising Microsoft Excel vulnerability
- An email campaign distributing LokiBot that previously used RTF exploits, Word documents and Excel macros has switched to utilising CVE-2017-11882, a stack overflow vulnerability in Microsoft Equation Editor. The email claims to be distributing a payment slip, and asks for account details to ‘send the remaining balance to’. A victim may become curious to find out the balance, and open the malicious Excel document, triggering the vulnerability.
Exploit code published for file inclusion bug in Kibana console for Elasticsearch
- CVE-2018-17246 is a critical Local File Inclusion vulnerability that affects versions of Kibana before 6.4.3 and 5.6.13. The flaw allows an attacker to run local code on the server, as well as upload code with other services on the server using the file upload functionality, allowing remote code execution.
WordPress patches privilege escalation vulnerabilities
- RIPS Tech Security has discovered privilege escalation vulnerabilities in WordPress that allow attackers to access features that were intended only for administrators.
- The cause of the flaws lies in the way WordPress creates blog posts, leading to a Stored XSS and Object Injection in the WordPress Core. This causes several more vulnerabilities in the WordPress plugins Contact From 7 and Jetpack.
- WordPress security checks could be bypassed to create posts of any type and misuse the features of custom post types. The flaws can be leveraged by an attacker with a contributor user role.
Cisco Talos publish a report on three mining cybercrime groups
- The three groups, Rocke, 8220 Mining Group and tor2mine are all known for their ability to compromise enterprise services to install cryptominers. Altogether, they have generated a combined income of 1,200 Monero coins, which at one point were worth approximately $400 each.
- Cisco Talos have identified that these groups have very similar TTPs, such as hosting tools and scripts in Github repositories, Pastebin, and [.]tk domains, as well as using JPEG files to contain hidden scripts, open source XMRig miner and tools such as XHide Process Faker and PyInstaller.
Trend Micro releases report detailing risks posed by HolaVPN and its use in cybercrime
- According to their report, although the service claims to enable users to share their internet connections with one another to evade surveillance or censorship, rather, web traffic is routed through roughly a thousand exit nodes hosted in data centers.
- Each device with HolaVPN is turned into an exit node that is monetized by a commercial service called Luminati, owned by Hola Networks Ltd. Luminati was selling the bandwidth of HolaVPN users to third parties by offering a residential proxy network.
- Trend Micro discovered that the residential proxy network was being abused by former members of the KlikVip gang in a click fraud scheme. A large part of the Luminati traffic was also scraping online content such as subscription-based scientific magazines, private contact details of physicians and attorneys, inmate data, and more.
- Evidence was also discovered of the Luminati network being used to verify leaked email credentials.
Facebook tracks users’ locations for ads even when location tracking is disabled
- Aleksandra Korolova, an academic from the University of Southern California, found that even when users turn off Facebook location tracking, it stills track their location to display location-based ads. The platform gathers data from sources, such as IP addresses, WiFi connections and Bluetooth.
Truecaller releases report on spam calls in 2018
- Truecaller reported that spam calls grew by 300% in the last year. The most targeted countries include Brazil, India, Chile, South Africa or Mexico.
- Other findings include large surges in spam calls in European markets and Latin America.
Healthcare companies suffer from multiple ransomware attacks
- According to a survey conducted by researchers at Kaspersky, a third of healthcare companies have suffered ransomware attacks more than once, with 27% of employees claiming that their employer experienced a ransomware attack on their systems within the past year. Only 23% of respondents said that they trust the cybersecurity strategy of their organisation.
- Rob Cataldo of Kaspersky stated that healthcare companies have become a major target of criminals due to the repeated success of cyber attacks on these businesses.
Flashpoint report on Chinese speaking underground using RDP for carding
- Flashpoint have reported that there have recently been several discussions about RDP access on Chinese-speaking Deep & Dark web forums. Most participants are attempting to seek advice on how to get remote code access to machines and solicitations for port-scanning tools that can be used to look for exposed RDP connections to the internet.
- The criminals on these sites are also reportedly seeking advice on carding, for which they are being led towards RDP rather than proxying connections or running their activity through a VPN. The use of Telegram for these conversations has also been noted as ‘a one stop shop for carding needs’.
Malicious emails bypassing email security systems
- Researchers at Mimecast discovered that within this quarter of 2018, over 17,000 malicious files were incorrectly deemed safe by email security systems, resulting in the attachments being delivered to their intended targets.
- Matthew Gardiner, a cybersecurity strategist at Mimecast, stated that criminals will continue to adapt their email based attacks and find new ways to evade both email detection and security solutions.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.