Threat Reports

Silobreaker Daily Cyber Digest – 20 May 2019


Ongoing Campaigns

Attacks attempting to use EternalBlue exploit continue to grow

  • According to ESET researchers, EternalBlue has reportedly only grown in popularity since it was used in the WannaCry ransomware outbreak two years ago. Its use has been growing consistently since 2017, particularly due to the large amounts of machines with exposed ports in the wild, particularly in the US, Japan and Russia.



Over 12,000 MongoDB databases deleted by Unistellar cyber group

  • After deletion, Unistellar left a message asking the owners of the databases to contact the group to get the data restored. Typically, in these types of ‘Mongo Lock’ attacks, threat actors search for these databases using BinaryEdge or Shodan, and then delete them and demand a ransom for their return.
  • News of further database deletions follow a recent report that detailed Unistellar group deleting a database containing 275 million records belonging to Indian citizens, after the database was reported as exposed.



Hackers access Trump’s Golf Association account to add fake golf scores

  • Trump’s US golf association account was hacked to add four fake golf scores for games reportedly played at Trump National in New York and the Cochise Course at Desert Mountain in Scottsdale, Arizona. Trump typically scores in the 70s and 80s, while the hackers posted scores of 100 and above.



Million dollar livestock deal interrupted by hackers

  • Two unnamed companies went to court to settle a dispute concerning the interception of a payment, between the seller and buyer, by hackers who disrupted email communications and changed the bank account details for the payment.
  • Both companies discovered the hack after 20 days, resulting in a 13% shortfall on the purchase price due to a change in exchange rates. The court proceedings resulted in the buyers having to pay the remainder of the payment.



City College Hyderabad website hacked

  • The Government City College webpage no longer contains information about the college but instead displays a message from ‘Devil Killer’.
  • The message reads ‘Hacked by Devil Killer’ and displays text reading ‘Pak Cyber Agent’ alongside a link to the ‘Pak Cyber Agent’ Facebook page. The groups Facebook page contains a list of other websites which they claim to have hacked.

Source (Includes IOCs)


Over 600 computers infected at Montpellier University hospital

  • The virus appears to be a mutated strain of the Wannacry virus. It is believed that the attack originated from a phishing message.
  • The French hospital stated there was no impact on medical records or medical secrecy as internet access was locked.



Leaks and Breaches

Over 20,000 Linksys wireless routers leak historic records of all devices

  • The routers leaked records of every device that has ever connected to them, including the device’s unique identifiers, names and operating systems used. The leaked information also includes whether the device’s default password had been changed. A scan found that approximately 4,000 vulnerable devices were still using default passwords.
  • Researcher Troy Mursch stated that the leak was the result of a flaw in several of the Linksys routers. Linksys has stated that they have been unable to reproduce the information disclosure flaw on routers that installed a patch released in 2014. A scan for vulnerable devices last week revealed 25,617 were at risk.



Over 400 Jersey and Guernsey based LibertyBus customers impacted in hack

  • A fake login page was created for the Jersey and Guernsey based websites from the 29th April. The phishing attack intercepted the link between the main websites and the top-up shop website for the Puffin pass and Jersey’s AvanchiCard.
  • 361 residents of Jersey and 82 residents of Guernsey had their email addresses, top up card numbers and top up password information compromised and were issued with automatic password resets. No financial details were accessed during the attack.



Microsoft’s invoicing system leaks customers’ Azure in Open invoices

  • A Microsoft researcher alerted The Register after finding 187 emails in his inbox yesterday morning that contained an attached invoice with customer’s details, order numbers, and their Azure subscription ID associated with the invoice.
  • The invoices were connected to the Azure in Open licensing scheme in which cloud resellers and integrators purchase Azure credits which are then applied to customer accounts. Microsoft’s invoicing system sent all 187 invoices to every customer rather than to the associated customer.



TeamViewer confirms data breach from 2016

  • TeamViewer has confirmed that it was the victim of an undisclosed cyber-attack allegedly undertaken by a group of Chinese origin using the Winnti backdoor, in autumn 2016. The attack was reportedly discovered before the threat actors were able to do any damage, and experts found no evidence of data being stolen.
  • TeamViewer decided not to publish details on the attack because they were certain that no damage had been done. A thorough investigation was undertaken at the time to remove any backdoors that could have been placed on the systems during the attack.



Hacker forum OGUsers hit by data breach

  • Hacker forum OGUsers released a statement confirming a server breach on May 12th, 2019, ‘through a custom plugin in the forum software’. OGUSERS is a known hacker forum popular for trading online account information, especially for social media accounts.
  • The data was uploaded on another hacker forum, Raidforums, stating that 112,988 users were affected. The breached data contains OGUsers’ usernames, passwords hashed with the MD5 algorithm, emails, IP addresses, source code, website data and private messages.



Stack Overflow hack exposes private data for about 250 users

  • In a new update, Stack Overflow stated that hackers obtained private data of approximately 250 Stack Exchange users. This data may include IP addresses, names, and emails.
  • The company first disclosed the hack on May 16th. The incident involved an attacker gaining access to Stack Overflow’s development tier as well as escalating their access on the production version of the company’s website.



New Jersey-based orthopedic surgeon informs patients of data breach

  • Ronald Snyder, owner of ActivYouth Orthopedics, informed his patients of a ransomware attack on an office computer server that took place on January 9th, 2019. The breach is believed to have affected 24,176 patients.
  • Information on the affected server includes names, dates of birth, addresses, genders, patient status, and more. In some cases, Social Security numbers may also have been exposed.



Delaware-based cancer treatment center suffers data breach

  • Medical Oncology Hematology Consultants informed patients that their protected health information was exposed as a result of an email security breach that occured in June 2018. The breach exposed names, dates of birth, Social Security numbers, government ID numbers, and more.




Slack patches flaw in Windows client used to hijack downloads from Slack users

  • Tenable researchers discovered a vulnerability in the Windows version of the Slack desktop  application that could be leveraged to change the default save location of files downloaded from a Slack conversation.
  • The flaw could be exploited to steal downloaded files or to inject the downloaded files with malware in the hope of infecting the user.
  • The vulnerability is present due to a weakness in the way the ‘slack://’ protocol handler has been implemented in the Windows application. Exploitation of the flaw requires an attacker to create a crafted link and post it in a Slack channel to change the default download directory to an alternative location.  



General News

Salesforce suffers global outage following change to production environment

  • Salesforce was forced to shut down large portions of its infrastructure after a change in its production environment broke access permission settings across organizations and gave employees access to all of their company’s files.
  • The company stated the issue was the result of a ‘database script deployment that inadvertently gave users broader data access than intended.’ The script only impacted customers of Salesforce Pardot, a B2B marketing-focused CRM. Customers in Europe and North America were the most impacted.



Company behind LeakedSource website pleads guilty

  • According to a press release from the Royal Canadian Mounted Police, Defiant Tech Inc, the company behind the LeakedSource website, plead guilty to charges related to the trafficking of hacked or leaked data.
  • During 2016 and 2017, the LeakedSource website listed information for over 3.1 billion accounts including usernames, real names, home addresses, phone numbers, and even plain text passwords. These were obtained either from leaks in the public domain or from hackers willing to sell them.



Israeli NSO Group faces lawsuit following WhatsApp spyware attack

  • Following the recent WhatsApp spyware attack, which has been linked to Israeli company NSO Group, Amnesty International is backing a lawsuit filed against the company. Amnesty International believes its staff could continue to be targeted, citing previous hacking attempts in 2018 linked to NSO Group.
  • The lawsuit calls for a banning of the export of NSO’s Pegasus software, a software capable of taking control over a mobile phone, and enabling access to its data and microphone for surveillance.



Iran develops firewall against Stuxnet virus

  • The Iranian communications minister announced the development of a firewall to protect the country’s industry against Stuxnet. Stuxnet was first discovered after an attack on Iran’s Natanz nuclear site in 2010, the first known case of a virus being used to attack industrial machinery.



Kuwaiti Embassy targeted in Sri Lankan cyber attack

  • The embassy was targeted alongside several other .com and .lk websites.  The attackers defaced the websites of the impacted parties.
  • Ravindu Meegasmulla, Information Security Engineer for the Sri Lanka CERT, stated that no government websites had been compromised in the attack.
  • The attacks coincide with the tenth anniversary of the end of the war against the Liberation Tigers of Tamil Eelam.



Gmail tracks users’ purchases

  • According to the Bleeping Computer, users’ Gmail inboxes are being scanned for purchases that are then displayed in their Google account. The purchase history is allegedly difficult to remove.
  • In response to the report, Google stated that the information is not used for advertising purposes and exists to help users ‘easily view and keep track’ of their past purchases.



Indonesian police uncover terror cell planning on using IEDs enabled via Wi-Fi

  • Multiple members of a terror cell linked to Jemaah Ansharut Daulah were arrested during an Indonesian police raid. The members were planning on carrying out remotely detonated IED attacks by using Wi-Fi technology, rather than regular mobile phone signals, which are often jammed by the police during protests.
  • Other members of the cell are still at large, which has resulted in an increase in security in the run-up to the country’s presidential elections results.



Windows update causes websites to be unreachable via Edge and IE

  • Some websites have become unreachable due to the top-level domain being added to Microsoft’s HTTP Strict Transport Security (HSTS) Preload List in an update from May 14th.
  • A HSTS Preload List is a list of websites that are known to support secure connections so that a browser never connects to them using the insecure HTTP protocol. However, despite being listed, some sites do not support HTTPS, meaning they will be unreachable via Microsoft Edge or Internet Explorer (IE).



Baltimore’s systems remain down as city refuses to pay ransom

  • Mayor Jack Young stated that the city will not pay ransom despite the expiration of the hackers’ 10-day deadline for making the payment in exchange for the city’s files. The FBI continues to investigate the incident.



Researchers investigate VidMate app over suspicious behaviour

  • Researchers at Upstream discovered that VidMate displays hidden ads, subscribes users to paid services, drains battery life and drains mobile data. Moreover, VidMate also collects personal information such as users’ unique numbers associated with their phone and their IP addresses.
  • CEO of Upstream, Guy Krief, stated that users who download VidMate surrender their phone and information to a third party. Moreover, he alleged that the phone becomes part of a botnet which is used to commit ad fraud.
  • The Chinese app has over half a billion users and is used to download YouTube videos.



Ohio-based Coventry Local Schools closed after malware attack

  • Coventry Local Schools cancelled classes on May 20th, 2019, after the district’s network and computers were infected by the Trickbot virus.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 20 September 2019

      Malware Agent Tesla leveraged in email campaign Discovered by Xavier Mertens, the email campaign attempts to deliver an ACE archive labelled ‘Parcel Frieght...
  • Silobreaker Daily Cyber Digest – 19 September 2019

      Malware Ramnit returns with new capabilities Researchers at RSA Security observed several changes in the functionality, targets and methods of distribution of Ramnit....
  • Silobreaker Daily Cyber Digest – 18 September 2019

        Malware New TSCookie variant uses new configuration and communication protocols Researchers at Japan’s Computer Emergency Response Team Coordination Center observed a new...
View all News

Request a demo

Get in touch