Silobreaker Daily Cyber Digest – 2 May 2019
Shellbot malware variant discovered in the wild
- The newly discovered version of Shellbot is capable of spreading through a network and terminating other cryptocurrency miners on a victim’s system, thereby freeing up more resources for its own Monero miner. It also uses an old SSH brute force technique to gain entry into Linux servers protected with weak passwords.
- Sam Bisbee, CISO at Threat Stack, stated that the actors behind this campaign seem willing to update their malware with new functionality, even after it has gained a foothold on a victim’s system.
ZQ Ransomware decryptor released
- Emsisoft has released a decryptor for ZQ Ransomware, allowing victims to decrypt their files for free.
Office 365 accounts hacked via ATO attacks and used in BEC scams
- Barracuda Networks researchers reported that over 1.5 million malicious and spam emails have been delivered by threat actors using approximately 4,000 accounts that had been compromised through account takeover (ATO) in March 2019. The researchers also found that 29% of the monitored organisations had their Office 365 accounts breached.
- The scammers added malicious mailbox rules to the Office 365 accounts to hide their activity and delete the malvertising, phishing and spam emails sent from the accounts. Logins were discovered from Chinese IP addresses, and associated servers were also spotted in Brazil, Russia, the Netherlands and Vietnam.
- To infiltrate the accounts, attackers used brand impersonation, social engineering and phishing to impersonate high-profile companies such as Microsoft and convince victims to visit phishing pages and submit their account details. Credentials from previous data breaches were also used to gain access to accounts.
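Detection logic of the kind a defender would run over Office 365 mailbox audit records to surface the concealment rules described above. This is an added example, not part of the digest or of Barracuda's research; the record shape, the sample entries and the internal domain are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample records shaped like Office 365 Exchange admin audit entries
# (Operation plus a Parameters name/value list); they are not real log data.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "ceo@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "archive"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com", "ClientIP": "192.0.2.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletter filter"},
                    {"Name": "FromAddressContainsWords", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Folders users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}
BEC_KEYWORDS = {"invoice", "payment", "wire", "password", "bank", "phish", "hacked"}
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

def suspicious_reasons(record: Dict) -> List[str]:
    """Return why an inbox-rule change looks like ATO concealment (empty if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    # Flatten the audit Parameters list into a name -> value dict.
    p = {x["Name"]: str(x["Value"]) for x in record.get("Parameters", [])}
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{p['MoveToFolder']}'")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if p.get(key) and not p[key].lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{key} points outside {INTERNAL_DOMAIN}")
    if any(k in p.get("SubjectContainsWords", "").lower() for k in BEC_KEYWORDS):
        reasons.append("filters on BEC-style subject keywords")
    if len(p.get("Name", "")) <= 2:
        reasons.append("rule name is near-empty")
    return reasons

def triage(records: List[Dict]) -> List[Dict]:
    """One finding per record with at least one reason, keeping the source IP for follow-up."""
    scored = ((r, suspicious_reasons(r)) for r in records)
    return [{"user": r["UserId"], "ip": r.get("ClientIP"), "reasons": why} for r, why in scored if why]
```

The source IP in each finding is what you would pivot on next (for example, unfamiliar countries or first-seen addresses for that user), which the rule-content checks alone do not cover.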
Hacker selling zero-days to APT groups
- Researchers at Kaspersky Lab have stated that an actor known only as Volodya has been selling Windows zero-day vulnerabilities to groups including, but not limited to, APT28, FruityArmor and SandCat. Volodya was previously known by the handle BuggiCorp, and had already sold a zero-day under that alias.
- Previous zero-day vulnerabilities sold by Volodya include CVE-2019-0859 and CVE-2016-7255.
North Korean hacking group blamed for spear-phishing campaign
- The campaigns conducted against North Korea advocacy groups have been blamed on a group dubbed Venus 121. The advocacy groups were emailed attachments that contained malicious code, according to local newspaper JoongAng Ilbo.
- Venus 121 has been active since at least 2017, and the East Security Response Center has stated that they are responsible for other historical attacks that follow a similar pattern.
Leaks and Breaches
Elasticsearch database exposes PII of 137,000 US citizens
- The database was discovered on March 27th, 2019, exposing various types of personally identifiable information including the medical information of over 100,000 individuals, names, addresses, dates of birth and phone numbers.
- Security Discovery researcher Jeremiah Fowler discovered that the database belonged to SkyMed, and that the company’s network may also have been infected with unknown ransomware.
- The database was reportedly set to open and visible, allowing anyone to edit, download or delete data without administrative credentials. The database has now been removed.
Citrix confirms personal employee data stolen during breach
- Following reports of a data breach affecting Citrix, the company has confirmed that the attackers successfully stole sensitive information about both former and current employees and had access to internal data for approximately six months.
- Citrix stated that they believe the hackers ‘removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents’.
- The FBI reportedly believe that the hackers likely used the password spraying technique to gain a foothold in the network, before circumventing additional layers of security.
Flashpoint publish report with further details on Wipro breach
- Flashpoint researchers have discovered links between the Wipro breach and other threat actors and malicious activity dating back to at least 2017. Analysis of the malicious domains, IP addresses, hashes and filenames allowed the researchers to determine that six of the domains were phishing domains hosting templates that suggest they were used in credential phishing attempts.
- The researchers also discovered evidence that the hackers were attempting to spread the malicious remote administration tool Imminent Monitor, and from this discovery were able to make further connections with previous campaigns.
- During further investigation a hash was discovered that led to a Word document containing a message and attachment matching the structure of a campaign identified in 2017. The document also contained a URL that was used multiple times to deliver documents and payloads in other campaigns.
Citycomp hackers publish stolen data
- Following yesterday’s report of a breach at Citycomp, the hackers attempted to blackmail the company, threatening to release the compromised data. The company refused to pay a ransom under any condition, so all of the stolen data has been published on an .onion domain.
- This is alleged to be over 516GB of data containing the private and financial information of Citycomp’s clients, including Ericsson, Toshiba, UniCredit and BT.
Cartoon Network websites suffer global breach
- Cartoon Network’s websites were hacked across 16 different regions, and made to display inappropriate videos of a Brazilian male stripper. This incident was a result of a vulnerability in Cartoon Network’s website management platform, and occurred between April 25th and April 28th 2019.
Dell SupportAssist flaws expose computers to RCE attacks
- Dell has patched a SupportAssist Client software flaw, tracked as CVE-2019-3719, which allows unauthenticated attackers on the same network access layer to remotely execute arbitrary executables on affected machines. The SupportAssist software is preinstalled on the majority of new Dell devices that run the Windows operating system.
- An attacker could ‘compromise the vulnerable system by tricking a victim into downloading and executing arbitrary executables via the SupportAssist client from attacker hosted sites’.
- In addition, an improper validation flaw in SupportAssist Client was also patched. Tracked as CVE-2019-3718, the flaw could allow an unauthenticated remote attacker to attempt CSRF attacks against users of the impacted system.
Check Point discovers critical flaw in ISPsystem software
- The flaw could allow a hacker to hijack the session of another logged-in user and take control of the user’s websites, virtual machines, billing data, and more. All ISPsystem products use the same core and are therefore equally affected by the flaw.
- The software provides a user-friendly web interface for managing web servers, dedicated servers, VPS (Virtual Private Servers) and billing, and can be downloaded for free. The researchers have created a proof of concept for the flaw.
Researchers at Tenable discover 15 flaws in eight wireless presentation systems
- Tenable researchers have discovered 15 flaws in eight different wireless presentation systems after testing Crestron AirMedia AM-100 and AM-101 products. Tenable’s research provides a full list of all the flaws.
- CVE-2019-3925 and CVE-2019-3926 are both SNMP command injection flaws that could allow a remote unauthenticated hacker to inject operating system commands on specific versions of the Crestron AM-100.
- CVE-2019-3927 is an unauthenticated admin password change flaw that could be exploited by a remote unauthenticated attacker to change the admin and moderator passwords for the web interface on the Crestron AM-100.
Vulnerability discovered in Xiaomi security application
- Guard Provider is an application pre-installed on Xiaomi devices that protects users from malware. Researchers at Check Point have discovered a flaw that exposes users to remote code execution attacks: traffic to and from the application is sent insecurely, which allows an attacker to carry out a man-in-the-middle attack.
- The application is preinstalled on all Xiaomi phones running MIUI. Xiaomi have since released a patch fixing this vulnerability, and recommend that users update as soon as possible.
Vulnerabilities patched in Cisco network switches
- Identified as CVE-2019-1804, Cisco Nexus 9000 series switches suffered from a vulnerability that allowed an attacker who could reach the device via IPv6 to log in as root and hijack it. This is due to a default SSH key pair being hardcoded into the device’s software.
- A patch has been released by Cisco, and should be applied as soon as possible.
Vulnerabilities discovered in Rockwell Automation Controllers
- ICS-CERT and Rockwell Automation have published advisories stating that the CompactLogix 5370, Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 programmable automation controllers running firmware version 30.014 suffer from two DoS vulnerabilities, CVE-2019-10954 and CVE-2019-10952.
- CVE-2019-10954 can be exploited by an attacker sending a specially crafted SMTP configuration packet to port 44818. This sends the controller into a major non-recoverable fault state, and the device has to be reprogrammed to resume normal operation.
- The second vulnerability, CVE-2019-10952, is an uncontrolled resource consumption issue that can be exploited by an attacker sending a crafted HTTP/HTTPS request, rendering the web server unavailable. The controller must be restarted to put it back into an operational state.
Popular encrypted email clients vulnerable to signature spoofing
- Researchers from Ruhr University Bochum and Münster University of Applied Sciences investigated implementations of the OpenPGP and S/MIME encryption standards and discovered that 14 out of 20 tested OpenPGP-capable clients and 15 out of 22 clients supporting S/MIME were vulnerable to signature spoofing.
- In both standards the user’s signature binds end-to-end authenticity to that user. S/MIME relies on certificates issued by certificate authorities, while the original PGP trust approach has been replaced by proprietary trust models in clients such as R2Mail2, Horde/IMP and OpenKeychain. The researchers discovered a way to spoof the user signature in both cases.
- Potential attacks include CMS attacks, API attacks, MIME attacks, ID attacks, and UI attacks, which require that the attacker can spoof email from one of the parties, and that they have a single S/MIME or OpenPGP signature for that party.
Dutch intelligence service warns of Russian and Chinese cyber espionage
- The Dutch Military Intelligence and Security Service (MIVD) have warned in their annual report of the cyber espionage activities carried out by Russia and China.
- The report cites several instances indicating cyber espionage, including the Dutch intelligence services arresting two alleged Russian spies who planned to hack a Swiss laboratory where the investigation into the poisoning of Sergei Skripal was taking place. In addition, in April 2018, Dutch authorities expelled four alleged agents of Russia’s intelligence agency (GRU) for attempting to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.
- The report also stated that China were actively attempting to gather military intelligence in the Netherlands.
Hosting provider still offline from ransomware attack
- US-based virtual private server host A2 Hosting has been offline for over a week as a result of a ransomware attack. It is suspected that the host was infected with GlobeImposter 2.0 at its Singapore-based data centre. Customers claim to have seen files appended with the .lock extension shortly before the host was taken offline.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.