Silobreaker Daily Cyber Digest – 19 June 2019
Researchers analyse new modular backdoor dubbed Plurox
- Researchers at Kaspersky Lab analysed a new malware named Plurox, which can spread itself over a local network, provide access to the attached network, and install miners and other malicious software on the victim’s device. Due to the backdoor being modular, its functionality can also be expanded by using plugins.
- Similarities were found between the malware’s UPnP plugin and EternalSilence, and its SMB plugin appears to be identical to the wormDll32 module from Trickster, suggesting the creators of Plurox may be linked to the creators of Trickster.
Source (Includes IOCs)
New variant of Ryuk Ransomware adds IP address and computer blacklisting
- Discovered by MalwareHunterTeam and examined by researcher Vitali Kremez, the new variant of Ryuk ransomware checks the output of ‘arp -a’ for IP address strings. If the partial IP addresses 10.30.4, 10.30.5, 10.30.6, or 10.31.32 are found, Ryuk will not encrypt the computer.
- Similarly, Ryuk also compares the computer name to the strings ‘SPB’, ‘Spb’, ‘spb’, ‘MSK’, ‘Msk’, and ‘msk’. If any of these strings are spotted, then Ryuk will not encrypt the computer.
- Kremez stated that he believes the ransomware is making these checks to avoid encrypting computers in Russia.
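The following Python is an added illustration, not code from the digest or its sources: it reproduces the two documented checks over a constructed ‘arp -a’ output and a computer name so a defender can see which hosts this variant would skip. The matching semantics (plain substring, case-sensitive) and the sample data are assumptions.

```python
import re
from typing import List

# Partial IP strings and computer-name strings reported for this Ryuk variant.
RYUK_IP_FRAGMENTS = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
RYUK_NAME_STRINGS = ("SPB", "Spb", "spb", "MSK", "Msk", "msk")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(arp_output: str) -> List[str]:
    """Pull every dotted-quad IPv4 string out of raw 'arp -a' text."""
    return IPV4_RE.findall(arp_output)


def matching_ip_fragments(arp_output: str) -> List[str]:
    """Fragments that occur as a substring of any IP in the arp output.

    Substring matching is an assumption about the malware; it means
    '10.30.4' also hits an unrelated address such as '10.30.40.7'.
    """
    ips = extract_ips(arp_output)
    return [frag for frag in RYUK_IP_FRAGMENTS if any(frag in ip for ip in ips)]


def matching_name_strings(computer_name: str) -> List[str]:
    """Case-sensitive substring check against the six reported strings."""
    return [s for s in RYUK_NAME_STRINGS if s in computer_name]


def ryuk_would_skip(arp_output: str, computer_name: str) -> bool:
    """True if either documented check fires, i.e. the host would not be encrypted."""
    return bool(matching_ip_fragments(arp_output) or matching_name_strings(computer_name))


# Constructed sample of Windows 'arp -a' output (no blacklisted ranges present).
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    print("skip:", ryuk_would_skip(SAMPLE_ARP, "WORKSTATION-07"))
    print("skip:", ryuk_would_skip(SAMPLE_ARP, "MSK-DC01"))
```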
Kaspersky Lab warns of blackmail letters
- Kaspersky recently observed a new version of blackmail letters, in which cybercriminals threaten to undermine the reputation of websites belonging to small and medium-sized companies and are demanding 0.3 to 0.5 bitcoin.
- The criminals threaten to send offensive letters signed in the victim company’s name to 33 million sites, to send advertising emails promising free iPhones to 19 million addresses, and to keep spamming 35 million forums. The goal is to get the company’s site recognised as a source of spam, resulting in the site being blocked, which can damage the company’s reputation.
- Kaspersky researchers believe this disinformation campaign would take too much time to be profitable for the criminals, and therefore do not believe any victims should pay.
Netflix Ireland warns customers of phishing scam
- Netflix customers in Ireland have been warned of an email phishing scam that asks for personal details as a part of a verification process. The company stated it does not ask for personal details via email.
‘Bouncing Golf’ cyberespionage campaign targeting Middle East
- TrendMicro researchers discovered a cyberespionage campaign targeting Middle Eastern countries, dubbed ‘Bouncing Golf.’ The campaign uses GolfSpy malware, which is capable of embedding malicious code in apps that operators repackaged from legitimate applications.
- More than 600 Android devices have been infected with the GolfSpy malware, and much of the stolen information relates to the military.
- Similarities in code strings suggest a possible connection to the mobile cyberespionage campaign ‘Domestic Kitten’, believed to be of Iranian origin.
FortiGuard Labs publish analysis of new HawkEye variant
- Researchers at FortiGuard Labs have observed a HawkEye malware variant, which is being spread via phishing emails. The email appears as an airline ticket confirmation and urges recipients to click on a link.
- Once downloaded, HawkEye suspends ‘RegAsm[.]exe’ and moves a portable executable (PE) file, ‘HawkEye_RegAsm’, into ‘RegAsm[.]exe’. ‘HawkEye_RegAsm’ then sets up a clipboard and keyboard logger, spawns two child processes to collect victim credentials, and sends the collected data to a Yandex email address at 10-minute intervals.
Source (Includes IOCs)
Fake Booking.com emails contain Sodinokibi ransomware
- Security researcher Bianca Soare warns of fake emails appearing to be from Booking[.]com being sent out containing Sodinokibi ransomware, a strain of the GandCrab ransomware.
- The emails contain an attachment with macro code, which once run will spawn a shell that will run the ransomware loader.
Malicious email campaign employs multiple methods to try and deliver Remcos RAT
- Researchers at My Online Security observed a new campaign attempting to deliver Remcos RAT malware. The email appears as an invoice request ostensibly from hydrotech-eg.
- The email contains three different attachments: a zip file containing a Remcos binary, an RTF file that exploits CVE-2017-11882 to contact a server and download Remcos, and a Word document that also attempts to leverage the same vulnerability.
- Both binaries use the same C2 and both office documents download from the same domain.
Source (Includes IOCs)
Leaks and Breaches
tsoHost discover unauthorized code injected into servers in data centers
- On June 11th, 2019, UK-based hosting provider tsoHost informed customers that their servers were offline due to a security breach caused by ‘unauthorized code’. The unexplained issue lasted for several days, and customers were reporting as recently as June 17th, 2019 that they still did not have access to their services.
- tsoHost have not confirmed the exact details of the issue. It is not known if customer data has been impacted but tsoHost encouraged customers to monitor their accounts for any suspicious activity.
Oregon DHS informs its clients of data breach
- The Oregon Department of Human Services (DHS) has notified 645,000 of its clients about a data breach that took place on January 9th, 2019. The breach was first confirmed on January 28th, 2019, after discovering that nine employees had fallen victim to a phishing scam.
- The breach exposed private information of clients, including names, personal health information and Social Security numbers.
EatStreet suffers data breach
- Online food service EatStreet informed its customers and partners of a data breach that took place on May 3rd, 2019. The breach was first discovered on May 17th, 2019.
- A number of customers’ payment details may have been accessed by third parties, including names, the last digits of credit card numbers, expiration dates, card verification codes, billing addresses, email addresses and phone numbers.
- Information from the company’s partners may also have been accessed, including company names, client names, company addresses, phone numbers, email addresses, and bank account and routing numbers.
ResiDex Software hit by ransomware incident
- ResiDex Software, a provider of software for assisted living homes, group homes and sheltered housing, became aware of a data security incident on April 9th, 2019 which took their systems offline and impacted their server infrastructure.
- The incident may have resulted in unauthorized users gaining access to protected health information including medical records, and personal information such as names and social security numbers. Individuals impacted potentially included staff members and present, former and prospective residents.
- ResiDex Software began providing notice to impacted parties on June 7th, 2019.
Mozilla releases Firefox 67.0.3 to patch zero-day that is being abused in the wild
- Samuel Groß of Google Project Zero and researchers at Coinbase Security were credited with discovering the critical vulnerability, tracked as CVE-2019-11707.
Avast hacking of coffee maker demonstrates vulnerabilities in IoT devices
- Avast security researchers recently hacked into a coffee maker to demonstrate the vulnerabilities in Internet of Things (IoT) devices, especially where no Wi-Fi passwords are required to connect to a home network. Such settings make it easier for attackers to upload malicious code into the device.
- During the demonstration, they succeeded in configuring the coffee maker to distribute ransomware and made the device’s burner overheat, which could potentially lead to a fire. The researchers also used it as a gateway to spy on other devices connected to the home network.
Critical RCE vulnerability found in TP-Link Wi-Fi extenders
- IBM X-Force researcher Grzegorz Wypych discovered a zero-day remote code execution (RCE) vulnerability in a TP-Link Wi-Fi extender that could be exploited to gain complete control over the device via a malformed User-Agent field in the HTTP request headers.
- The vulnerability, tracked as CVE-2019-7406, affects TP-Link RE365 Wi-Fi extender with firmware version 1.0.2, build 20180213 Rel. 56309, as well as RE650, RE350 and RE500. A patch has been released.
Microsoft Management XSS bugs and XML external entity issues allow Windows Takeover
- Check Point researchers found the bugs, tracked collectively as CVE-2019-0948, in the Microsoft Management Console.
- A misconfigured WebView in MMC allows attackers to take advantage of the integrated Snap-In component. An attacker can use the ‘Link to Web Address’ snap-in to insert a URL pointing to a server that hosts an HTML page with a malicious payload.
Source (Includes IOCs)
FBI warns private sector partners that foreign intelligence services may target them via social media
- The FBI issued a warning on April 1st, 2019 informing private sector partners with government clearance that foreign intelligence services are identifying, recruiting and conducting operations against them on social media.
- The FBI also reminded clearance holders to remain vigilant and to adhere to operational security protocols both online and offline.
Free open source programs repackaged and sold on Microsoft Store potentially dangerous
- Users of PortableFreeware[.]com spotted clones of popular free open-source programs being sold as apps on the Microsoft Store.
- There are no reports that the apps are malicious, but as they are unofficial and can be old versions, they could have security vulnerabilities. One user highlighted that the downloadable version of PuTTY was the old 0.70 release, which had a vulnerability that allowed the connected server to take over the user’s system.
UN special rapporteur on freedom of speech suggests moratorium on sale of spyware
- Special rapporteur David Kaye submitted his recommendations to the UN Human Rights Council on June 18th, 2019. Kaye stated that the sale and use of surveillance software should be suspended until rules are in place preventing governments from using it to spy on critics and opponents.
- In his report, Kaye cited the NSO Group’s Pegasus software, which has been deployed to target individuals in 45 countries. Kaye stated that there was ‘an extraordinary risk of abuse’ present in the current system.
AMCA files for bankruptcy following data breach
- Retrieval-Masters Creditors Bureau Inc., the medical debt collector also known as American Medical Collection Agency (AMCA), has filed for bankruptcy following a data breach that compromised the confidential data of over 20 million clients.
Instagram ‘backdoor’ feature exposes children’s contact details
- Data scientist David J Stier, who initially discovered a data leak affecting 49 million Instagram users, also found that personal contact information belonging to minors had been exposed online for months.
- Instagram has since changed the functionality that displayed the contact information in the HTML page; however, the information remains accessible via its ‘Contact’ button.
North Korea attempts to negate impact of sanctions through cybercrime
- The Financial Times reported that North Korea is increasingly relying on cybercrime to gain access to foreign currency. The report stated that funds gathered through cybercrime are thought to make up North Korea’s principal revenue stream.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.