Silobreaker Daily Cyber Digest – 19 November 2019
New ACBackdoor targets Windows and Linux devices
- Researchers at Intezer identified a new backdoor, named ACBackdoor, which can be used to target both Windows and Linux machines. Following infection, the backdoor can arbitrarily execute shell commands, arbitrarily perform binary execution, achieve persistence, and contains update capabilities.
- The different variants are practically identical in terms of their functionality and share the same C2. However, slight differences suggest that the threat actors are specialists in Linux-based malware.
- The Linux version is written better and contains different backdoor commands, and certain features, such as process renaming and independent process creation, that are not present in the Windows version.
- The researchers were unable to determine how the Linux version was being distributed. Researchers at nao_sec uncovered that the Windows version of the malware was delivered via the Fallout Exploit Kit.
Source (Includes IOCs)
Over 50,000 unique IP addresses used in credential stuffing attacks every day
- Auth0 reported that it detects a ‘staggering amount of credential stuffing attacks’ from over 50,000 unique IP addresses on a daily basis, which indicates the growing sophistication of cybercrime. Auth0 links the high number of attacks to the ease and low cost of credential stuffing attacks, noting that a first step is gaining access to breached passwords, which are freely available online.
Troldesh ransomware most actively distributed malware via phishing campaigns in H1 2019
- Researchers at Group-IB reported that Troldesh ransomware was used in 53% of malspam email campaigns that the researchers detected and analysed in the first half of 2019.
- Troldesh performs a range of functions including encrypting files, mining for cryptocurrency, and generating revenue from online advertising by diverting traffic. Some older variants of the ransomware can be decrypted with tools created by Intel Security and Kaspersky Lab.
- The researchers stated that ransomware accounted for 54% of malware concealed in emails in the first half of 2019, this represents a 40% increase from 2018. A full rundown of the researcher’s findings is available via the Group-IB blog.
Buran ransomware distributed through Microsoft Excel Web Queries
- Researcher Suspicious Link discovered a new malicious spam campaign delivering Buran ransomware through Microsoft Excel Web Query IQY file attachments. The malicious emails attempt to trick the user into opening the IQY file by stating that they need to ‘Print document in attach’.
- Targets who open the attachment and ignore the Microsoft Excel Security Notice will inadvertently launch a PowerShell command that downloads and executes Buran. Following infection, the malware will encrypt files and leave a ransom note on the victims’ machine.
Source (Includes IOCs)
Threat actors bypass security using malicious HTML files
- Cofense researchers observed a new phishing campaign that manages to bypass Proofpoint’s secure email gateway. The campaign involves a fake payment order that is sent as an HTML attachment containing a malicious redirect code.
- Once a user clicks on the file, they are automatically redirected to a malicious page made to look like a genuine Microsoft Online Excel document, with a user’s email address auto populated.
Source (Includes IOCs)
Leaks and Breaches
UNC School of Medicine notifies individuals of data breach
- The personal information of 3,716 individuals may have been compromised after an unauthorised third party gained access to several University of North Carolina (UNC) School of Medicine email accounts between May 17th and June 18th, 2018.
- An investigation into the data breach revealed that some of these email accounts contained personal information of patients, including names, dates of birth, addresses, health insurance information, Social Security numbers, credit card information, and more.
Louisiana state government hit in ransomware attack
- On November 18th, 2019, Louisiana Governor John Bel Edwards published a series of tweets which revealed that a ransomware attack affected some of the state’s servers. In response to the attack, the state’s cybersecurity team, the Office of Technology Services (OTS), took down state servers.
- The removal of the servers by the OTS impacted public state government websites and government servers that manage internal applications and email communications. Impacted websites include the Louisiana State Legislature, the Office of Motor Vehicles, the Department of Corrections, the Department of Transportation and Development, and more.
Macy’s Inc customer information stolen in Magecart attack
- Macy’s disclosed that on October 7th, 2019, an unidentified party hacked their website and placed a Magecart skimming script on their ‘Checkout’ and ‘My Wallet’ pages. The script permits the exfiltration of customer details entered on either of the compromised pages to a remote site controlled by the attackers.
- Customer information that attackers could steal included full names, addresses, phone numbers, card information, and more. The company stated that they removed the script on October 15th, 2019.
Source (Includes IOCs)
Cayman National Isle of Man confirms data breach
- Cayman National Isle of Man acknowledged that a data breach incident occurred after hacktivist Phineas Fisher claimed that they breached the bank in 2016. In a statement given to Motherboard on November 18th, 2019, Cayman National stated that they were victims of a ‘criminal hacking group’.
- Phines Fisher forwarded stolen documents and emails to leaking website Distributed Denial of Secrets. Cayman National stated that neither they or their customers had suffered any financial loss in relation to the incident.
Vulnerability found in Gmail’s AMP4Email
- Security researcher Michał Bentkowski discovered a cross-site scripting (XSS) vulnerability in AMP4Email. Also referred to as ‘dynamic email,’ the new feature in Gmail allows emails to include dynamic HTML content. In certain conditions, an attacker could use DOM Clobbering to perform an XSS attack. Google has since released a fix.
Critical vulnerability affects ABB products
- The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency disclosed a vulnerability affecting all versions of ABB’s Power Generation Information Manager (PGIM) and Plant Connect. The flaw, tracked as CVE-2019-18250, could allow an attacker to gain access to PGIM credentials and potentially also Windows credentials.
- IT specialist Rikard Bodforss first discovered the vulnerability and informed ABB of it in 2014. According to Bodforss, the company had promised to inform customers and provide a patch. However, the company did not release an advisory until November 1st, 2019, one week after Bodforss published a proof-of-concept exploit.
- According to ABB, Plant Connect is already obsolete and the company plans to transition PGIM to limited support in January 2020. Users are advised to update to Symphony Plus Historian, PGIM’s successor.
Iranian government shuts down internet for citizens
- In response to ongoing anti-government protests that started on November 15th, 2019, the Iranian government cut off internet access for its citizens. The protests were in response to an announcement by the government of a 50% increase in fuel prices. According to the government, its response was out of ‘national security interests.’
- Some citizens discovered that a second internet network, which the government and universities can access, is still operational. Iran’s IT minister Mohammad-Javad Azari Jahromi denied suspicions that the government is building its own nationwide ‘internal internet’ that could be used to track citizens and prevent them from accessing the broader global internet.
Belarus block ProtonMail after series of bomb threats
- On November 15th, 2019, Belorussian authorities ordered ISPs to block access to ProtonMail, which provides an end-to-end encrypted email service, following a series of bomb warnings sent from ProtonMail email addresses.
- The emails, which warned about armed TNT devices, were sent to numerous targets in Minsk, including five hotels, three shopping malls, the airport, railway stations, and more. Other messages were sent to private companies at locations throughout Belarus.
- ProtonMail told ZDNet that attempts to communicate with Belarusian authorities have been ignored.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.