Threat Reports

Silobreaker Daily Cyber Digest – 19 October 2018

Ongoing Campaigns

Canadian Centre for Cyber Security official warns of increasing cyber threats to 2019 election

  • André Boucher, assistant deputy minister of operations at the centre, which is overseen by Canada's foreign signals intelligence agency, the Communications Security Establishment (CSE), stated that the number of threats to the federal election was increasing faster than previously forecast.
  • Boucher said that the main danger was not to election infrastructure such as voting machines, but to politicians, political parties and the media.



Scammer targets thousands of cryptocurrency wallets with variety of info stealers

  • The scammer runs a large and diverse operation that includes phishing and fraud campaigns offering users easy ways to make digital coins, while actually tricking them into installing information-stealing malware and backdoors.
  • The main cryptocurrency of interest is Dogecoin. The scams involve websites that impersonate legitimate exchange services, run fake online lotteries and offer rentals of nonexistent cryptocurrency mining pools.



VestaCP suffers supply-chain attack

  • Researchers at ESET discovered the attack after VestaCP users were alerted by their hosting providers that their servers were consuming an abnormal amount of bandwidth. The servers were being used to launch distributed denial-of-service attacks with ChachaDDoS malware, which had been delivered through a supply-chain attack on VestaCP installations from May 2018 onward.
  • ESET detects the strain as Linux/ChachaDDoS and believes it to be a new variant of the ChachaDDoS malware. It is comprised of multiple stages and includes a persistence mechanism, download and encryption functionality, and a hardcoded Lua payload that periodically downloads tasks.
  • The only task observed was a DDoS attack, in the form of a SYN flood against its targets.

Source (Includes IOCs)


New NFCdrip attack permits exfiltration of data over long distances

  • Security researcher Pedro Umbelino demonstrated a new form of attack, dubbed NFCdrip, that allows data exfiltration from devices using the near-field communication (NFC) radio.
  • Umbelino found that NFC signals can be picked up at much greater distances than the few centimetres the protocol is designed for, potentially allowing attackers to exfiltrate small amounts of data such as passwords or encryption keys. He was able to exfiltrate at least some data from a distance of more than 60 metres.
  • Umbelino also found that the range can be extended using an AM antenna and a software-defined radio (SDR). In some cases the attack worked even with the device in flight mode. The attack is not limited to devices running Android and could be conducted from laptops and other devices too.



Leaks and Breaches

Game studio Facepunch suffered data breach in 2016

  • Have I Been Pwned reported that data on 343,000 Facepunch users was compromised in 2016, including usernames, email and IP addresses, dates of birth and salted MD5 password hashes.
  • Some users reported that they were never informed of the breach.



Bronze Butler targeting East Asia

  • Cisco Talos has reported on Bronze Butler, a group also known as Tick and REDBALDKNIGHT, which has been targeting South Korea and Japan in ongoing cyberattacks and espionage campaigns since 2016. The group uses malware including Datper, the xxmm backdoor and Emdivi, and has used many compromised websites, including a Korean laundry site, as command-and-control hosts.
  • Talos notes that some of the legitimate South Korean and Japanese hosts used as C2 may have been purchased by Bronze Butler rather than compromised, and that attackers may have run shell commands on some of the compromised sites, resulting in information leakage.

Source (Includes IOCs)



Five vulnerabilities discovered in Vecna telepresence robots

  • Security researcher Dan Regalado discovered five vulnerabilities in Vecna Technologies' VGo Celia telepresence robots; two have been patched and the other three are pending an update. These devices are frequently used in hospitals, schools and factories.
  • The three unpatched flaws are tracked as CVE-2018-17931, CVE-2018-8858 and CVE-2018-17933. The first allows attackers to hijack the device via a USB thumb drive, as the robot executes firmware stored on a USB stick with root privileges. The second permits attackers to recover the Wi-Fi passwords the robot uses to connect to an internal network, or the XMPP credentials the robot's owner uses to connect to the device remotely. The final unpatched flaw is in the XMPP client that links the remote user to the robot's internal functions; given XMPP access rights, attackers can alter firmware, steal chat logs and pictures, or even access live video streams.
  • The two patched flaws are tracked as CVE-2018-8860 and CVE-2018-8866.



Splunk patches multiple vulnerabilities in Enterprise and Light products

  • The most severe vulnerability, tracked as CVE-2018-7427, is a 'highly severe' cross-site scripting (XSS) flaw in the Splunk Web interface. Another serious vulnerability, tracked as CVE-2018-7429, allows attackers to trigger a denial-of-service (DoS) condition by sending a malicious HTTP request to splunkd, the system process responsible for indexing, searching and forwarding.
  • A similar DoS flaw, tracked as CVE-2018-7432, can also be triggered by sending specially crafted HTTP requests to splunkd.
  • The final vulnerability, tracked as CVE-2018-7431, is a path traversal flaw permitting attackers to download arbitrary files from the Splunk Django app.



Zero-day discovered in jQuery File Upload plugin

  • Lawrence Cashdollar, a researcher at Akamai, found that the jQuery File Upload plugin relied on an .htaccess file to restrict what could be uploaded to, and executed from, its upload directory. Since Apache 2.3.9 the server ignores .htaccess files by default, so the thousands of projects built on the plugin have been left open to unauthorised access and subsequent file upload attacks. Identified as CVE-2018-9206, the issue has gone undetected for at least three years. Attackers can leverage the vulnerability to upload malicious files onto victims' servers.
  • The vulnerability appears to have been relatively widely known among attackers: YouTube tutorials on exploiting it exist from as far back as 2015, but it went unreported. Of the thousands of projects derived from the original plugin on GitHub, only 36 were deemed not vulnerable.
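The following is an added example for this digest, not code from the jQuery File Upload plugin, Akamai or Splunk. It contrasts an upload handler that trusts the client's file name and leaves execution control to the web server's .htaccess (the pattern behind the jQuery File Upload flaw above) with one that validates name, extension and content itself, and it includes the stay-inside-the-directory check that a path traversal flaw of the kind reported in the Splunk Django app lacks. The upload directory, file names and byte strings are constructed for the demo.

```python
"""
Added example: not code from the jQuery File Upload plugin, Akamai or Splunk.
Compares a 'before' handler that trusts the client name and .htaccess with an
'after' handler that validates in the application.  UPLOAD_DIR, the file names
and the byte strings below are constructed for the demo.
"""
import os
import secrets

# Extensions a typical LAMP host may execute if the upload directory is served
# directly.  Matched against every suffix, so shell.php.jpg is caught as well.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "asp", "aspx", "jsp", "cgi", "pl", "py", "sh", "htaccess",
}

# Magic bytes of the only formats this handler accepts.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

UPLOAD_DIR = "/var/www/uploads"   # assumed location, used only as a string


def vulnerable_save_path(upload_dir, filename):
    """'Before': the client-supplied name is joined straight onto the upload
    directory.  Whether anything stored there executes is left to an .htaccess
    in that directory, which Apache 2.3.9+ ignores unless AllowOverride is set.
    A traversal sequence in the name escapes upload_dir altogether."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def stays_within(base_dir, candidate):
    """Path traversal guard: resolve symlinks and '..' and require the result
    to still be under base_dir.  The same check applies to a file-download
    endpoint that takes a client-supplied path."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def validate_upload(filename, content):
    """Return the canonical extension for an acceptable (name, content) pair,
    or raise ValueError.  Application-side checks only; nothing here depends
    on web server configuration."""
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or name.startswith("."):
        raise ValueError("path separator or dotfile in name: %r" % filename)
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("missing extension: %r" % filename)
    for ext in parts[1:]:            # every suffix, not only the last one
        if ext in EXECUTABLE_EXTENSIONS:
            raise ValueError("executable extension %r in %r" % (ext, filename))
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if ext not in MAGIC:
        raise ValueError("type %r not allowed" % ext)
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match declared type %r" % ext)
    return ext


def safe_save_path(upload_dir, filename, content):
    """'After': validate, then store under a server-chosen random name so the
    client never controls the path or the extension actually written."""
    ext = validate_upload(filename, content)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    if not stays_within(upload_dir, stored):
        raise ValueError("resolved path escaped %r" % upload_dir)
    return os.path.join(upload_dir, stored)


def demo():
    """Run constructed uploads through the hardened handler; report per name."""
    uploads = [
        ("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),                 # benign image
        ("shell.php", b"<?php system($_GET['c']); ?>"),                  # web shell
        ("avatar.php.jpg", b"\xff\xd8\xff<?php system($_GET['c']); ?>"), # double extension, valid magic
        (".htaccess", b"AddHandler application/x-httpd-php .jpg\n"),     # attempt to re-enable execution
        ("../../../var/www/html/x.jpg", b"\xff\xd8\xff"),                # traversal in the name
    ]
    results = {}
    for name, data in uploads:
        try:
            safe_save_path(UPLOAD_DIR, name, data)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-32s %s" % (name, outcome))
    # The 'before' handler resolves a hostile name outside the upload directory.
    print(vulnerable_save_path(UPLOAD_DIR, "../../../etc/passwd"))
```

Running the script accepts only cat.jpg and rejects the other four, while the last line prints /etc/passwd, showing how the unchecked join lets a client-chosen name leave the upload directory. The two checks are independent: the extension and magic-byte checks stop executable content from being stored, and stays_within stops a path from escaping whether the request is an upload or a download.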

Source 1 Source 2

General News

Trustwave releases analysis of dark web job market

  • In a blog post, Trustwave researchers detail the job market’s hierarchy, the different employers and employees, and the functioning of the underground economy.



Facebook suspects data breach was caused by social media spammers

  • Facebook reported that the breach, in which access tokens for around 30 million users were stolen, was possibly perpetrated by criminal hackers posing as a digital marketing firm rather than by nation-state actors.



Twitter releases data store of posts connected to Russian ‘troll factory’

  • The Internet Research Agency (IRA), otherwise known as the Russian 'troll factory', used Twitter and Facebook to conduct influence campaigns aimed at stirring political turmoil during the 2016 US presidential election.
  • Twitter has released a dataset of posts from 3,841 accounts it believes are associated with the IRA, along with a further dataset connected to 770 accounts thought to be part of an Iranian influence campaign.
  • The data totals over 360 gigabytes, comprising more than 10 million tweets and over 2 million images and other media, and documents how state-backed operations have used the Twitter platform.



Group-IB reports crypto exchanges lost $882 million to attacks between 2017 and 2018

  • Group-IB stated in its annual Hi-Tech Crime Trends report that the hacking of 14 crypto exchanges resulted in a total loss of $882 million. Lazarus Group was linked to attacks on Yapizon, Coinis, YouBit, Bithumb and Coincheck.
  • Phishing remained an important attack vector against crypto exchanges, accounting for 56% of the funds stolen.



Researcher livestreams 51% attack on altcoin blockchain

  • A researcher using the handle GeoCold announced on Reddit that he would run a 51% attack on the blockchain of Einsteinium (EMC2), a small cryptocurrency, to demonstrate how easy the process is. On the livestream the researcher instead carried out the attack against a different cryptocurrency, Bitcoin Private (BTCP), gaining control of about 70% of its network hash rate.



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
