Silobreaker Daily Cyber Digest – 20 June 2019
New Node.js trojan MonsterInstall targets video gamers
- Doctor Web researchers observed the trojan, named MonsterInstall, being distributed via websites which contain video game cheats.
- When users attempt to download a cheat they instead receive a 7-Zip archive containing an executable, which downloads both the cheat and the trojan's components. On launch, MonsterInstall gathers information about the infected system and relays it to the malware authors' server. Once a response is received, the malware registers itself in autorun and begins mining the TurtleCoin cryptocurrency.
- To spread the malware more effectively, the authors of MonsterInstall own several video game cheat websites and have also infected sites owned by others. SimilarWeb statistics show that these websites are visited at least 127,400 times per month.
Source (Includes IOCs)
‘Youtube Queue’ Chrome extension hijacks users’ search engine results
- Google removed the extension from the official Web Store after it was found hijacking search engine queries and redirecting users to ad-infested search results. The extension had been installed by nearly 7,000 users.
Cryptojacking extensions discovered on Google Chrome Web Store
- Symantec researchers found two Chrome extensions on the official Web Store that secretly performed coin mining after being installed.
- One of the extensions, called ‘2048’, is a version of a popular strategy game. The second extension, called ‘Mp3 Songs Download’, claims to be an MP3 downloader but instead redirects users to an MP3 download website which secretly launches a coin mining script in the background.
F5 Labs report on recent Gootkit campaign targeting Italy
- Targets of the latest Gootkit campaign are mostly banking organizations and some email services, located predominantly in Italy, with others in countries such as the US, Austria and Switzerland.
- According to F5 Labs, a section of the malware contained a redirection capability which was used to target additional service providers, including antivirus companies and email providers. The redirections were also used to keep the malware infection alive by blocking access to specific antivirus sites.
- Gootkit also targeted specific bank site URLs in order to interfere with the sites' own banking components.
Source (Includes IOCs)
URLZone is the top malware in Japan’s threat landscape
- Researchers at Proofpoint believe that URLZone malware campaigns are being carried out by a single high-volume actor operating primarily in Japan and Italy. Many of the email campaigns reference invoice or payment requests and are targeted against the banking sector.
- Researchers observed that URLZone malware often works in tandem with the Ursnif trojan. URLZone is used as the initial payload and determines if the host environment is suitable. If deemed suitable, URLZone downloads Ursnif which begins to steal information.
- Researchers also observed Emotet malware being widely distributed. Growing instances of URLZone and Emotet attacks via email suggested to researchers that attackers had ‘cracked the code’ for crafting convincing email attacks in the Japanese language.
Leaks and Breaches
Riviera Beach City pays ransom after ransomware attack
- The Florida city decided to pay $600,000 in ransom to hackers who took over its computer systems three weeks ago. The hackers infected the systems with ransomware after an employee clicked on a malicious email link.
Trucking firm A. Duie Pyle hit by ransomware
- The Pennsylvania-based trucking firm was hit by ransomware over the weekend, impacting its network communication systems. The firm stated that no data was exfiltrated during the incident.
Home Office reports 35 data breaches to the ICO in 2018-2019
- The incidents, reported in the department’s ‘Annual Report and Accounts 2018–19’, represent a significant rise in breaches compared to the two incidents that were recorded the previous year.
- An additional 1,895 data breaches were logged by the Home Office’s data controller but were deemed not within the notification parameters as defined by GDPR.
- Almost three quarters of the data breach incidents resulted from unauthorized or accidental disclosures.
Capitol Cardiology Associates and Southern Maryland Medical Group impacted by Meditab Software breach
- The Meditab Software data breach occurred between January 10th, 2019, and March 14th, 2019, due to an issue in the portal that Meditab used to view its Fax Cloud service statistics.
- At the time of the breach Meditab served as a third-party vendor to Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG).
- The breach exposed the details of CCA and SMMG patients. Data leaked in the breach included names, addresses, dates of birth, medical records, treatments, and more.
Olean Medical Group and Seneca National Health System targeted by possible ransomware attack
- The Olean Medical Group reported that it was targeted by a ransomware attack that severely damaged the organization's computer systems. The organization claims that the records of its 40,000 patients are unaffected by the attack.
- Seneca National Health System is also suffering a computer system failure; the cause is not yet known. The organization claimed that no personal information or protected health information has been compromised.
Tor Browser 8.5.2 released to fix critical Firefox vulnerability
- The Tor Project released the update on June 19th, 2019. Version 8.5.2 resolves the critical vulnerability CVE-2019-11707 found in Mozilla Firefox.
- Updates for the Android version of Tor Browser will not be available until the weekend beginning June 22nd 2019.
Samba releases security updates for vulnerabilities that could lead to DoS attacks
- The flaws, present in Samba 4.9 and later, could be used to carry out a denial-of-service (DoS) attack against a Samba Active Directory Domain Controller (AD DC). Both require a user who already has an account in the domain.
- The first flaw, CVE-2019-12435, is a DoS in the DNS management server that could allow an ‘authenticated user to crash the Samba AD DC’s RPC server process via NULL pointer dereference.’
- The second flaw, CVE-2019-12436, is a Samba AD DC server crash in which ‘a user with read access to the directory can cause a NULL pointer dereference using the paged search control.’
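A quick version check for the two Samba CVEs, added here as an example (it is not code from the digest, Samba, or its advisories). The affected and fixed releases are not stated on the page; they are taken from the Samba security releases of 19 June 2019 (fixed in 4.9.9 and 4.10.5) and should be verified against the advisories before being relied on. The parser accepts the text printed by `smbd -V`, including vendor-suffixed versions, and the sample inputs in the code are constructed.

```python
"""Check whether a Samba version falls in the ranges affected by
CVE-2019-12435 and CVE-2019-12436 (example code, not from the digest or Samba)."""
import re
import subprocess
import sys

# Affected ranges are NOT stated on the page; they are taken from the Samba
# security releases of 19 June 2019 (fixed in 4.9.9 and 4.10.5). Verify them
# against the advisories before relying on them. Branches newer than the last
# patched one (4.11 and later) shipped with the fix already included.
AFFECTED = {
    "CVE-2019-12435": {"since": (4, 9, 0),
                       "fixed": {(4, 9): (4, 9, 9), (4, 10): (4, 10, 5)}},
    "CVE-2019-12436": {"since": (4, 10, 0),
                       "fixed": {(4, 10): (4, 10, 5)}},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from output such as 'Version 4.9.5-Debian'.

    Vendor suffixes ('-Debian', '+dfsg-5+deb10u1', '-SUSE') are ignored.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def affected_cves(version):
    """List the CVEs whose affected range contains the given version.

    `version` may be a (major, minor, patch) tuple or the raw text from `smbd -V`.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    hits = []
    for cve, info in AFFECTED.items():
        if v < info["since"]:
            continue                       # released before the bug was introduced
        fixed = info["fixed"].get(v[:2])   # first fixed release on this branch
        if fixed is None:
            continue                       # newer branch, fix already included
        if v < fixed:
            hits.append(cve)
    return hits


def main(argv):
    # Version text from the command line, or from the local smbd if none is given.
    if len(argv) > 1:
        text = " ".join(argv[1:])
    else:
        try:
            text = subprocess.run(["smbd", "-V"], capture_output=True,
                                  text=True, check=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(f"could not run smbd -V: {exc}", file=sys.stderr)
            return 2
    cves = affected_cves(text)
    print(f"{parse_version(text)}: "
          + (", ".join(cves) if cves else "not in an affected range"))
    return 1 if cves else 0


if __name__ == "__main__":
    # Constructed sample when no argument is supplied and smbd is absent: try
    #   python3 samba_check.py "Version 4.9.8-Debian"
    sys.exit(main(sys.argv))
```

Distributions frequently backport security fixes without bumping the upstream version string, so a hit from this check should be confirmed against the vendor's changelog before being treated as exposure; conversely, the check only matters on hosts actually running Samba as an AD DC, since both crashes are in AD DC services.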
Oracle patches critical code-execution vulnerability in WebLogic server
- Researchers at the KnownSec 404 Team reported the vulnerability, tracked as CVE-2019-2729, on June 15th, 2019. It allows attackers to run malicious code on vulnerable systems because of a bug in how WebLogic Server deserializes data. Exploitation requires no credentials, so attacks can be launched against any internet-accessible WebLogic instance.
- The KnownSec 404 Team claim that CVE-2019-2729 bypasses the patch for CVE-2019-2725, a zero day that was exploited in the wild before being patched in April. John Heimann, Oracle’s Security Program Vice-President, disputed this and claimed that CVE-2019-2729 is a completely new and unrelated vulnerability.
ACLU argues Fourth Amendment protections should apply to personal data stored in cars
- The American Civil Liberties Union (ACLU) has argued before the Georgia Supreme Court that ‘computerized systems in cars collect a treasure trove of personal data’ along with a ‘plethora of tracking data’, meaning they too should be protected under the Fourth Amendment.
Bithumb, Yeogi Eottae and HanaTour indicted for 2017 data leaks
- Seoul Dongbu District Public Prosecutors’ Office indicted the three companies on charges related to the failure to prevent hacking attacks and leakage of personal information.
- Bithumb leaked the personal information of 31,000 users after it was stored on an employee’s personal computer. An SQL injection attack gave hackers access to 3.2 million records belonging to 70,000 Yeogi Eottae customers. Lastly, after being hit by a cyber attack, HanaTour leaked the personal information of 460,000 customers and 30,000 staff and executives.
Google mistakenly sends out confidential build of upcoming security update to Pixel owner
- Google accidentally sent its employee-only build of the upcoming July 2019 security update to a Pixel owner. The user told Bleeping Computer that they received the OTA security update on their Pixel 3a XL; after installing it, the device reported the internal build number PQ3B.190705.003.
Rise in the number of PC users attacked with fake system cleaners
- Researchers from Kaspersky Lab found that the number of users running ‘hoax’ system cleaners has doubled since the beginning of last year.
- Researchers classified hoax system cleaners as programs that overstate or invent nonexistent issues when scanning a machine, and then pressure users into buying the full version through persistent pop-ups and notifications.
- ‘Hoax’ system cleaners also pose a risk to users as they can be bundled with additional programs such as adware or trojans.
Former Democratic staffer sentenced to four years in jail for ‘doxing’ GOP senators
- Jackson A. Cosko doxed five senators by displaying their phone numbers and home addresses on their Wikipedia pages. Cosko also placed keystroke-logging equipment on senate machines and threatened a staffer who caught him on a computer in Senator Maggie Hassan’s office.
Systems defense company claims it has spoofed the GPS system in a Tesla Model 3
- Regulus Cyber claimed that it spoofed the GPS signal used by the Tesla Model 3’s Autopilot system. Regulus Cyber stated that placing an antenna on the car’s roof allowed it to divert the car from its intended path.
- Tesla stated that the claims were misleading and said that they have no safety concerns relating to the claims.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.