Silobreaker Daily Cyber Digest – 20 November 2018
Outlaw hacking group distributes botnet for crypto-mining, scanning, and brute force
- Following its earlier report on the Outlaw hacking group, Trend Micro has published an update detailing the host part of the botnet operated by the group, which it found attempting to run a script on one of its IoT honeypots. The bot used a tool named ‘haiduc’ to search for systems to attack, exploiting the command injection vulnerability tracked as CVE-2017-1000117.
- Trend Micro has since observed two variants of Outlaw’s activity. The script used in the first variant bundles both a miner and a haiduc-based dropper. The miner component comes in two forms: a plaintext Perl script, and an obfuscated Perl script designed to evade content-inspecting intrusion prevention systems (IPS).
- The second variant distributed by the bot is designed to brute force and exploit Microsoft Remote Desktop Protocol (RDP) and the cPanel web hosting control panel in order to escalate privileges. The researchers also found a list of servers running a library affected by the vulnerability tracked as CVE-2013-4788.
Source (Includes IOCs)
Cisco Talos warns of Black Friday and Cyber Monday scams
- Cisco Talos reported that 71 percent of emails mentioning Black Friday or Cyber Monday in 2017 were spam, and warned that one prevalent domain used for malvertising is hxxp://bags-black-friday[.]top. Attackers reportedly use the ‘hailstorm’ technique: registering numerous domains and sending large volumes of spam in a short period of time before abandoning those domains completely.
Source (Includes IOCs)
FireEye release details on suspected APT29 phishing campaign
- Following recent reports, FireEye released an analysis of the phishing campaign suspected to be linked to APT29. The campaign has been targeting a range of industries including US military, think tanks, law enforcement, media, imagery, transportation, pharmaceutical, government, and defence contracting.
- The campaign involves the distribution of phishing emails pretending to be from a Public Affairs official at the US Department of State. The emails contain links used to download a ZIP archive which launches a benign decoy document as well as the Cobalt Strike Beacon backdoor.
- Based on the TTPs detected, FireEye links this campaign to APT29. Their report provides a further analysis of the campaign, its similarity to previous APT29 activity, and technical details of the phishing emails, execution, network communication and dropped files.
Source (Includes IOCs)
Leaks and Breaches
Hackers infect visitors of Make-A-Wish website with cryptojacking script
- Trustwave researcher Simon Kenin discovered that the website for the Make-A-Wish foundation had been compromised. A script was embedded in the site that was using the computing power of visitors to mine cryptocurrency.
- The mining script was hosted on the same domain used by a campaign that has been exploiting Drupalgeddon2 in the wild since earlier in 2018.
New York Oncology Hematology in Albany notifies patients and employees of a phishing attack
- The attack occurred between April 20th and April 27th, 2018, during which an unauthorised party obtained the login credentials of several employees and gained access to their email accounts. Some of the compromised accounts contained personal health information as well as further data pertaining to other patients and employees. The Center has notified its patients and employees of the data breach.
Magecart responsible for Vision Direct data breach
- The recently disclosed incident, in which full credit card details and personal information of Vision Direct customers were exposed, was found to be the result of a Magecart card-skimming script present on Vision Direct’s website. The malicious script disguised itself as Google Analytics code.
New Gmail bug allows users to conceal email sender
- Software developer Tim Cotten has found another vulnerability in Gmail that allows an email’s source address to be hidden. By replacing some text in the ‘From:’ header with an <object>, <script> or <img> tag, the developer was able to make Gmail display a blank space instead of the sender’s address.
- Less than a week ago Cotten reported another Gmail bug that permits a user to insert an arbitrary email address in the sender field.
EA Origin bug permits unauthorised access to users’ account data
- A security researcher, known as Beard on Twitter, discovered a bug in EA’s Origin online gaming and distribution platform that permits attackers to access users’ account data.
- The bug is the result of an auto-login URL working regardless of the user’s IP address or browser, meaning anyone who obtains the auto-login URL can log in as that user. Auto-login URLs are issued when Origin users request to edit their account settings through the EA[.]com website.
- The researcher notes that this can easily occur when a user is connected to an unsecured network or a public Wi-Fi hotspot. ZDNet also warns that auto-login URLs could be harvested by IoT malware or botnets on infected home routers, allowing threat actors to automate the collection of EA customers’ account data.
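The weakness described above is a bearer token that is neither bound to the client it was issued to nor invalidated after use. The following Python is an added illustration of that pattern beside a hardened form; it is not EA’s code, and the user names, IP addresses and User-Agent strings in it are constructed for the demonstration. It assumes the auto-login link carries an opaque token and that the server sees the redeeming client’s IP and User-Agent.

```python
import hashlib
import hmac
import secrets
import time


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


class WeakAutoLogin:
    """The pattern described in the digest: the token alone logs you in,
    from any client, any number of times."""

    def __init__(self):
        self._tokens = {}  # token -> user

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def redeem(self, token: str, ip: str, user_agent: str):
        # ip and user_agent are ignored and the token is never burned,
        # so a stolen link is replayable indefinitely.
        return self._tokens.get(token)


class BoundAutoLogin:
    """Hardened form: single use, short lived, and bound to the client
    that asked for the link (assumed binding: IP address + User-Agent)."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (user, client fingerprint, expiry)

    @staticmethod
    def _fingerprint(ip: str, user_agent: str) -> str:
        return _sha256(ip + "|" + user_agent)

    def issue(self, user: str, ip: str, user_agent: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only the hash: a leaked token store cannot be turned into links.
        self._tokens[_sha256(token)] = (user, self._fingerprint(ip, user_agent), now + self.ttl)
        return token

    def redeem(self, token: str, ip: str, user_agent: str, now=None):
        now = time.time() if now is None else now
        # pop() burns the token on first presentation, valid or not: if a thief
        # tries the link first, the legitimate link stops working too, which is
        # the safer failure.
        record = self._tokens.pop(_sha256(token), None)
        if record is None:
            return None
        user, fingerprint, expires_at = record
        if now > expires_at:
            return None
        if not hmac.compare_digest(fingerprint, self._fingerprint(ip, user_agent)):
            return None
        return user


def demo() -> dict:
    """Replay a stolen link against both designs from an attacker's client.
    Returns the account each design hands to the attacker (None = refused)."""
    victim_ip, victim_ua = "203.0.113.10", "Origin/10.5"      # constructed
    attacker_ip, attacker_ua = "198.51.100.7", "curl/7.68"    # constructed

    weak = WeakAutoLogin()
    stolen = weak.issue("victim")
    weak_result = weak.redeem(stolen, attacker_ip, attacker_ua)

    bound = BoundAutoLogin(ttl_seconds=60)
    stolen = bound.issue("victim", victim_ip, victim_ua, now=1000.0)
    bound_result = bound.redeem(stolen, attacker_ip, attacker_ua, now=1001.0)
    return {"weak": weak_result, "bound": bound_result}


if __name__ == "__main__":
    print(demo())  # {'weak': 'victim', 'bound': None}
```

Binding to IP and User-Agent is a pragmatic choice for a link that is redeemed seconds after it is issued from the same browser session; a link that must survive a change of network (for example, opened from a mail client on a phone) should instead be tied to the session cookie that requested it. Either way, the single-use and expiry checks are what stop the harvesting-and-replay scenario ZDNet describes.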
DirtyCOW and Drupalgeddon2 flaws exploited in new attack
- Researcher Nadav Avital found that the DirtyCOW flaw (CVE-2016-5195, a Linux kernel privilege escalation vulnerability) was being exploited in an attack affecting some Linux-based systems on October 31st, 2018.
- The attack also exploited the Drupalgeddon2 vulnerability, along with other system misconfigurations, to compromise vulnerable Drupal web servers and take control of the affected machines.
Flaw in Safari permits IDN homograph attacks
- A security researcher, known as ‘xisigr’, discovered an issue with how the Safari browser handles Unicode characters. Safari failed to render the small apostrophe-like mark at the foot of the letter dum (ꝱ, U+A771), instead displaying it as the Latin letter ‘d’.
- This flaw permits attackers to carry out IDN homograph attacks, in which lookalike domains are registered using Unicode characters and used in phishing campaigns to mimic legitimate domains.
- The flaw is tracked as CVE-2018-4277, and has been patched in Apple’s July 2018 updates for Safari, iOS, macOS, tvOS and watchOS.
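The Safari bug shows why a mail gateway or URL scanner should not trust what a domain looks like when rendered. The following Python, an added example that is not from the digest or from the researcher’s disclosure, converts each non-ASCII label to its xn-- (Punycode) form, which is what a safe UI should show, and flags homograph risk two ways: a mixed-script check, and a Unicode TR39-style skeleton comparison against a list of protected domains. Assumptions: the confusables table is a hand-picked subset of TR39, the protected-domain list and sample domains are constructed, and the IDNA conversion is simplified (NFKC + lowercase + Punycode, without the full nameprep or UTS46 mapping).

```python
import unicodedata

# Hand-picked subset of the Unicode TR39 confusables table (assumption: illustrative only).
CONFUSABLES = {
    "\ua771": "d",  # LATIN SMALL LETTER DUM: the character Safari rendered as a plain 'd'
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Constructed list of domains the gateway protects (assumption).
PROTECTED = {"example.com", "demo.example", "apple.com"}


def to_ascii(domain: str) -> str:
    """Simplified IDNA ToASCII: each non-ASCII label becomes xn--<punycode>.
    This is the form a browser or mail client should display for an untrusted domain."""
    out = []
    for label in domain.split("."):
        label = unicodedata.normalize("NFKC", label).lower()
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(domain: str) -> str:
    """TR39-style skeleton: replace confusable characters with their ASCII look-alikes,
    then NFKC-fold the rest (which also catches fullwidth letters)."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in domain.lower())
    return unicodedata.normalize("NFKC", mapped)


def scripts(domain: str) -> set:
    """Scripts used by the letters in the domain, derived from Unicode character names
    (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in domain if c.isalpha()}


def check_domain(domain: str) -> dict:
    """Return the safe display form, the skeleton, and the reasons the domain looks
    like a homograph of a protected domain (empty list = nothing suspicious)."""
    reasons = []
    if not domain.isascii():
        reasons.append("contains non-ASCII characters; display as " + to_ascii(domain))
    used = scripts(domain)
    if len(used) > 1:
        reasons.append("mixes scripts: " + ", ".join(sorted(used)))
    sk = skeleton(domain)
    if sk != domain.lower() and sk in PROTECTED:
        reasons.append("skeleton matches protected domain " + sk)
    return {"ascii": to_ascii(domain), "skeleton": sk, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a clean domain, a dum-based look-alike, a Cyrillic look-alike.
    for d in ("example.com", "\ua771emo.example", "\u0430pple.com"):
        print(to_ascii(d), check_domain(d)["reasons"])
```

Note what the two heuristics catch. The Cyrillic sample trips both the mixed-script and the skeleton check. The dum sample is entirely Latin script (U+A771’s Unicode name begins LATIN), so a mixed-script heuristic alone lets it through; only the skeleton comparison, or simply showing the xn-- form, exposes it. That is the same gap the Safari rendering bug opened.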
Multiple vulnerabilities disclosed in TP-Link routers
- Cisco Talos researchers have disclosed multiple vulnerabilities in the TP-Link TL-R600VPN router. The researchers found that the two root causes of these flaws were ‘a lack of input sanitisation and parsing errors’. Altogether, the vulnerabilities could lead to remote code execution.
- The flaws include a denial-of-service vulnerability (CVE-2018-3948), an information disclosure bug (CVE-2018-3949) and two remote code execution vulnerabilities (CVE-2018-3950 and CVE-2018-3951).
Windows 10 issues affect compatibility with iCloud and F5 Networks VPN
- The Windows 10 October 2018 Update, version 1809, has been experiencing compatibility issues with Apple’s iCloud and F5 Networks’ VPN.
- According to a report by ZDNet, the iCloud issue causes problems with syncing shared albums. The F5 VPN problem is caused by a bug in Windows 10 and breaks network access. Microsoft estimates that updates addressing these issues will be available by the end of November 2018.
Kaspersky Lab find Nigerian and Bangladeshi mobile phones are most targeted by malware
- Kaspersky Lab’s IT threat evolution report for the third quarter of 2018 indicates that 28.54% of mobile device users in Nigeria and 35.91% of mobile device users in Bangladesh were targeted by malware.
- Asacub malware was used in the largest number of attacks, affecting 250,000 users in September 2018.
Russian hacker Nastra arrested in Bulgaria for $7 million ad fraud
- Nastra, a Russian hacker whose real name is Alexander Zhukov, was arrested in Bulgaria for possible involvement in a Google ad fraud scheme. Zhukov reportedly operated a network of 50 servers rented to others for use in inflating video ad views.
UK government report reveals critical national infrastructure vulnerable to cyber attack
- The Joint Committee on the National Security Strategy published a report warning that the government was not acting urgently enough to protect critical national infrastructure from a major cyber attack from hostile foreign state actors.
Top free VPNs in Apple App Store and Google Play are run by secretive Chinese companies
- An investigation conducted by Top10VPN found that over half of the most popular free VPN apps were Chinese-owned or based in China, and had few formal privacy protections or user support.
Proposed kernel patch could limit defence against Spectre 2
- The patch has been proposed because code runs up to 50% slower on Intel CPUs that use Hyper-Threading when the defence is enabled. If accepted, it would leave a Spectre variant 2 defence mechanism (STIBP, Single Thread Indirect Branch Predictors) disabled by default rather than switching it on automatically.
- The Spectre V2 mitigation was added to Linux 4.20 and backported to Linux 4.19.2. It prevents the processor’s branch prediction engine from being exploited by malware running on a sibling hyper-thread to steal passwords, encryption keys and other secrets from memory.
- Because of that slowdown, Linus Torvalds suggested that the mitigation should not be applied unconditionally.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.