Silobreaker Daily Cyber Digest – 20 August 2019
Researchers analyze MyKings variant
- Researchers at Trend Micro discovered a MyKings botnet infection on one of its client’s systems. Further research revealed the infection began in 2017, suggesting a link to the campaign targeting the Asia-Pacific region in July 2017, which resulted in over 500,000 machines being infected and used for mining.
- The MyKings variant discovered used multiple methods of retaining persistence, including by using the registry, the task scheduler, Windows Management Instrumentation objects, and a bootkit. A technical analysis of the malware is available on Trend Micro’s blog.
Source (Includes IOCs)
Phishing campaign targets utilities industry with Adwind malware
- Researchers at Cofense identified a phishing campaign that bypasses Microsoft ATP to deliver Adwind malware. The campaign targets the utilities industry, specifically the national grid utilities infrastructure.
- Attackers are using a compromised Friary Shoes account to send emails that appear to contain a PDF file with remittance advice. The PDF icon in the email is actually a JPG image carrying a malicious hyperlink. Users who click on the link are taken to a Fletcher Specs domain which attackers are abusing to host the Adwind malware.
- The malware can take screenshots, harvest credentials from browsers, transfer files, access webcams, and more. Adwind also attempts to avoid detection and analysis by disabling popular analysis and antivirus tools.
Source (Includes IOCs)
Leaks and Breaches
MasterCard user data leaked
- The private data of users of MasterCard’s bonus program ‘Priceless Specials’ in Germany was leaked online. MasterCard closed the bonus program platform as a precaution; however, it also stated that the platform has no connection with MasterCard’s payment network.
- The leaked spreadsheet contained more than 89,400 entries, some of which have been confirmed to be correct data, whilst others included ‘Max Mustermann,’ a name used as a placeholder.
- Data included customer names, addresses, email addresses, phone numbers and the first two and last four numbers of MasterCard card numbers. Such details could be used by malicious actors to conduct phishing attacks.
iPhone jailbreak released after Apple accidentally unpatches vulnerability
- Apple recently patched a vulnerability with the release of iOS 12.3; however, the more recent release of iOS 12.4 reintroduced this vulnerability. In response, security researcher Pwn20wnd released a jailbreak for iOS 12.4 on August 19th, 2019.
- According to Pwn20wnd, the vulnerability is very likely already being exploited for malicious purposes. For example, it could be exploited via a malicious app that allows a threat actor to escape the iOS sandbox, enabling them to steal user data.
- Security experts warn users to pay attention to which apps they download, as they could contain a copy of the jailbreak. Affected versions are iOS 12.4 and any 11.x and 12.x release below 12.3.
Multiple vulnerabilities found in OpenWeave and Nest Cam IQ Indoor camera
- Cisco Talos researchers discovered multiple vulnerabilities affecting the Nest Cam IQ Indoor camera, many of which lie in the weave binary of the camera. Some also affect the weave-tool binary, however, these are not usually exploitable.
- Bugs include denial-of-service vulnerabilities (CVE-2019-5043, CVE-2019-5036 and CVE-2019-5037), information disclosure flaws (CVE-2019-5034, CVE-2019-5035 and CVE-2019-5040), and command execution vulnerabilities (CVE-2019-5038 and CVE-2019-5039).
VLC Media Player 3.0.8 fixes 13 security issues
- VideoLAN has released VLC Media Player 3.0.8 for Windows, Mac and Linux, addressing 13 security issues. The vulnerabilities are exploitable by a remote user and could trigger issues such as buffer overflows and division by zero.
- Successful exploitation could crash VLC or be used to perform arbitrary code execution. A VLC security bulletin warned that the exploits could potentially be combined to leak user information or perform remote code execution.
Webmin backdoor appears to have been intentionally planted
- Security researcher Özkan Mustafa Akkuş disclosed a Webmin backdoor, tracked as CVE-2019-15107, on August 10th, 2019. The backdoor was present for more than a year and left systems running Webmin vulnerable to remote code execution by users with root privileges.
- On August 19th, 2019, a Webmin developer stated that the bug was not a mistake on their part but ‘malicious code injected into compromised build infrastructure’.
- The Webmin team stated that versions 1.882 to 1.921 that had been downloaded via SourceForge contained the vulnerability. However, the vulnerable feature is not enabled by default in any installation other than 1.890. On August 18th, 2019, Webmin released version 1.930, which removed the backdoor.
Criminals anonymizing traffic by purchasing IP addresses from ISPs and mobile data providers
- Brian Krebs discovered that criminals are constructing ‘bulletproof residential VPN services’ by purchasing IP addresses and data services from large ISPs and mobile data service providers.
- Krebs identified a company, Residential Networking Solutions LLC (Resnet), that was reselling data services for AT&T, Verizon and Comcast. Krebs found multiple references to Resnet on Hackerforums by a user who was advertising that they had ‘unlimited’ AT&T 4G/LTE data services and more than 1 million residential IPs. The poster suggested that these were perfect for users who wished to run bots or advertising campaigns.
Twitter removes 936 Chinese accounts spreading disinformation about Hong Kong
- On August 19th, 2019, Twitter announced the removal of 936 accounts that originated within the People’s Republic of China. The accounts were part of a coordinated state-backed operation to spread political discord relating to protests in Hong Kong. As Twitter is banned in China, many of the accounts were using VPNs; however, some were using specifically unblocked IP addresses.
- Twitter also proactively suspended a larger spam network of 200,000 accounts.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.