Silobreaker Daily Cyber Digest – 21 December 2018
Researchers publish analysis of Danabot botnet sample
- Analysed by researchers at Cybaze-Yoroi ZLab, the Danabot sample was originally designed to infect victims via a macro-enabled Word document. Once executed, it attempts to connect to an attacker’s C&C server to download other components before deleting itself from the file system, creating various registry keys and system services to root itself into the victim’s system.
- The malware has a multitude of functions, including setting a system forwarding proxy, initiating a man-in-the-browser attack, searching for saved credentials within web browsers, and various web injection techniques.
UK hit by HMRC scam calls
- A new HMRC scam is using a threatening automated message in an attempt to trick taxpayers into paying a ‘fine’. The message reveals the fictitious name of an HMRC officer and extension number.
- The message states, ‘If you do not call us back or we do not hear from your solicitors, either, then get ready to face the legal consequences.’ People have reported being asked for payments of up to £3000 in taxes.
- Another variant of the scam includes a message stating that HMRC agents are watching the victim’s property, which will be raided should a payment not be made.
Malspam campaign masquerading as Amazon discovered
- Discovered by researchers at EdgeWave, this latest email campaign distributes emails masquerading as Amazon order confirmations, with subject lines such as ‘Your Amazon.com Order’. The email does not contain much other information, prompting the user to press the ‘Order Details’ button. Clicking this downloads a Word document called ‘order_details.doc’ that asks to enable macros to properly view content.
- Enabling macros will trigger a PowerShell command that downloads and executes the Emotet banking trojan on the victim’s computer. The trojan leverages compromised servers around the world, in countries such as Colombia, Indonesia and the US. The actor behind the campaign is unknown.
Mirai variant discovered in IoT botnet campaign
- Miori, a Mirai variant, is being distributed via a remote code execution flaw within ThinkPHP, a PHP framework. Once it has infiltrated a network, it makes vulnerable machines download and execute malware from an attacker-controlled C&C server.
- Whilst conducting their investigation, Fortinet researchers uncovered two further Mirai variants, IZ1H9 and APEP. All of the variants use Telnet brute-forcing techniques, but APEP additionally exploits CVE-2017-17215, a remote code execution vulnerability in Huawei HG532 routers.
Leaks and Breaches
Nokia deny leak of internal credentials
- An exposed etcd database server belonging to Nokia was discovered last week by researcher Bob Diachenko. He reported that the server contained credentials for a variety of applications including Heketi and Redis, as well as Kubernetes secret keys.
- Nokia have now denied that any sensitive information or credentials were exposed, stating that the AWS server was used by developers for testing.
Caribou Coffee chain announces card breach
- The US coffee chain discovered unauthorised access at its point-of-sale terminals and has issued a statement regarding a security breach affecting 239 of its 603 locations.
- Customers who used cards at these stores between August 28, 2018 and December 3, 2018 are affected. Compromised data may include names, credit card numbers, expiry dates and security codes.
Montville Police Department hit by cyber attack
- The Montville Police Department and town hall shut down their systems following an attack. The incident is the second attack in Morris County after Rockaway Township, whose police department was also the victim of a cyber attack on Thanksgiving Day this year.
Kernel buffer overflow in Trusteer Rapport for MacOS
- Trustwave discovered the bug in IBM’s Trusteer Rapport security software for Mac in August and has worked with the company during the disclosure process. There is currently no patch available, but the risk is mitigated by the fact that exploitation requires local access.
Huawei router bug leaks credential status
- CVE-2018-7900 is an information disclosure vulnerability that makes it significantly easier to compromise some Huawei routers. Attackers can use a ZoomEye or Shodan dork to find a specific value on the router’s login page. This value declares whether the router is still using default credentials.
Zero day discovered in Microsoft Windows
- Security researcher SandboxEscaper has released details and exploit code of the zero day vulnerability, which allows an attacker to read data from unauthorised locations by leveraging a Windows executable known as ReadFile.
- This is the third zero day that has been released publicly by SandboxEscaper, rather than being privately disclosed to Microsoft.
Vulnerabilities discovered in WibuKey
- Cisco Talos researchers have discovered multiple vulnerabilities in WibuKey, a Digital Rights Management solution, used in many commercial products.
- These include CVE-2018-3989, a kernel memory disclosure vulnerability that can be exploited via a specially crafted IRP request, and CVE-2018-3990, an exploitable pool corruption vulnerability that can result in a buffer overflow.
Law enforcement seize DDoS domains
- In the run-up to Christmas, law enforcement from the UK, US and the Netherlands have seized domains associated with 15 DDoS-for-hire services.
- The timing of these takedowns indicates a preventative measure on the part of law enforcement, as it coincides with a period when DDoS activity has historically increased.
US Air Force’s third bug bounty program fixes 120 flaws and pays $130,000 in bounties
- The month-long hacking event ran from October 19th to November 22nd and resulted in the Air Force fixing 120 bugs. Over the three bug bounty programs to date, 430 flaws have been found and fixed, earning researchers approximately $350,000.
France’s data protection agency fines Uber 400,000 euros over 2016 data breach
- The 2016 breach exposed the personal data of some 57 million clients and drivers all over the world. The French Data Protection Authority stated that the breach could have been prevented ‘if certain elementary security measures had been in place’.
- Uber has already paid $148 million to US authorities to avoid a court case. In addition, a 600,000 euro fine was imposed on the company by the Netherlands, as well as a 385,000 fine imposed by the UK.
United States authorities charge three men in seizure of several attack-for-hire services
- Three men have been charged after US authorities seized 15 different attack-for-hire services that provided customers with the ability to launch campaigns capable of knocking websites and network providers offline.
- These hacker-for-hire services included ‘booter’ and ‘stresser’ sites, typically advertised on dark web forums, chat platforms and YouTube. Services are priced depending on the volume of traffic needed to overwhelm the target, the duration of the attack and the number of concurrent attacks.
US Justice Department indicts two Chinese hackers
- Two hackers tied to Beijing’s security services were indicted for targeting companies and governmental organisations in 12 countries in order to steal sensitive information.
- Zhu Hua and Zhang Shilong are accused of working for the APT10 hacking group, which conducted extensive espionage operations from 2006 to 2010.
- The Five Eyes nations officially apportioned blame to China and its Ministry of State Security for sponsoring the attacks.
Amazon sent 1,700 recordings from Alexa to the wrong person
- According to a report published by the German magazine Heise, a German Amazon user asked Amazon for all data pertaining to him. Amazon accidentally sent this requester the recordings of a stranger, and later found that the person who made the GDPR request didn’t own any Alexa-connected devices.
- The recipient stated that it was easy to find out details about the victim’s life using the recordings, which revealed data including alarms, Spotify commands and public transport enquiries.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.