Silobreaker Daily Cyber Digest – 21 January 2019
Check Point releases an update on GandCrab variant
- Check Point has published an update to its previous report on GandCrab, reviewing how the new variant comes loaded with trojan malware and no longer relies on PowerShell for encryption. The new analysis details how the variant instead uses PowerShell as an entry point and delivers Betabot and a variant of AZORult as secondary payloads.
Source (Includes IOCs)
DarkHydrus APT uses Google Drive to send commands to RogueRobin trojan
- Palo Alto Networks’ Unit 42 discovered that the DarkHydrus APT group is using a new variant of the RogueRobin trojan that lets the group send commands to the malware via Google Drive. The researchers were led to the discovery by analysing delivery documents attributed to DarkHydrus, which were recently uncovered by 360’s Threat Intelligence Center.
- RogueRobin was found to contain a new command called ‘x_mode’ that allows it to receive jobs via Google Drive API requests. The command is disabled by default but can be enabled by a command received over the trojan’s existing DNS tunnelling channel. The trojan was also observed checking for a debugger each time it issues a DNS query, and it exits if one is detected.
Source (Includes IOCs)
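Because RogueRobin’s primary channel is DNS tunnelling, one practical place to look for it (and for any malware that encodes tasking in query names) is the resolver log. The following is an added example written for this digest, not code from Unit 42 or from the Silobreaker source: a small heuristic that groups queries by client and registered domain, and flags a pair when a client has asked for many distinct subdomains whose leftmost labels look like encoded data (high Shannon entropy). The log format, the thresholds and the sample log lines are constructed for the example; the two-label “registered domain” shortcut stands in for a public suffix list lookup.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# 10.0.0.7 queries a CDN-like host with many subdomains but low-entropy labels (benign).
# 10.0.0.5 queries a domain whose leftmost labels are 32 hex characters each (tunnel-like).
SAMPLE_LOG = """\
2019-01-21T09:00:01 10.0.0.5 A www.example.com.
2019-01-21T09:00:02 10.0.0.5 A mail.example.com.
2019-01-21T09:00:03 10.0.0.5 AAAA www.example.com.
2019-01-21T09:00:04 10.0.0.7 A img1.cdn-example.net.
2019-01-21T09:00:05 10.0.0.7 A img2.cdn-example.net.
2019-01-21T09:00:06 10.0.0.7 A img3.cdn-example.net.
2019-01-21T09:00:07 10.0.0.7 A img4.cdn-example.net.
2019-01-21T09:00:08 10.0.0.7 A img5.cdn-example.net.
2019-01-21T09:00:09 10.0.0.7 A img6.cdn-example.net.
2019-01-21T09:00:10 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-sample.test.
2019-01-21T09:00:11 10.0.0.5 A 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-sample.test.
2019-01-21T09:00:12 10.0.0.5 AAAA 5a4b3c2d1e0f96877869f0e1d2c3b4a5.c2-sample.test.
2019-01-21T09:00:13 10.0.0.5 TXT c0d1e2f3a4b5968778695b4a3f2e1d0c.c2-sample.test.
2019-01-21T09:00:14 10.0.0.5 MX 9e8d7c6b5a4f30211203f4a5b6c7d8e9.c2-sample.test.
2019-01-21T09:00:15 10.0.0.5 TXT 3a2b1c0d9e8f76455467f8e9d0c1b2a3.c2-sample.test.
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one constructed log line into (client, qtype, normalised qname)."""
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Assumed simplification: the last two labels. Use a public suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def profile(lines):
    """Per (client, registered domain): distinct subdomain names, leftmost-label entropies, qtypes."""
    stats = defaultdict(lambda: {"unique_subdomains": set(), "label_entropy": [], "qtypes": set()})
    for line in lines:
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        dom = registered_domain(qname)
        entry = stats[(client, dom)]
        entry["qtypes"].add(qtype)
        if qname != dom:  # only queries that carry something left of the registered domain
            entry["unique_subdomains"].add(qname)
            entry["label_entropy"].append(shannon_entropy(qname.split(".")[0]))
    return stats


def flagged(lines, min_unique: int = 5, min_entropy: float = 3.0):
    """Return (client, domain, unique_subdomains, mean_label_entropy, qtypes) for suspicious pairs.

    Both conditions must hold: many distinct subdomains (a tunnel never repeats a name, to
    defeat caching) AND encoded-looking labels (hex/base32/base64 data has high entropy,
    ordinary host names such as 'img3' or 'mail' do not). Thresholds are illustrative.
    """
    hits = []
    for (client, dom), entry in profile(lines).items():
        n_unique = len(entry["unique_subdomains"])
        if n_unique < min_unique:
            continue
        mean_entropy = sum(entry["label_entropy"]) / len(entry["label_entropy"])
        if mean_entropy >= min_entropy:
            hits.append((client, dom, n_unique, round(mean_entropy, 2), sorted(entry["qtypes"])))
    return sorted(hits)


if __name__ == "__main__":
    for hit in flagged(SAMPLE_LOG.splitlines()):
        print("suspected DNS tunnelling:", hit)
```

On the constructed log this flags only (10.0.0.5, c2-sample.test): the CDN host has enough distinct subdomains but its labels are low-entropy, and example.com has too few. In practice the thresholds need tuning against the local baseline, and the mix of record types requested for one domain (here A, AAAA, MX and TXT) is a useful secondary signal, since tunnels spread tasking across several types while ordinary clients rarely do.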
Tuition email scam targets another UK school
- Fraudulent emails were sent to parents of students attending the Royal Grammar School in Newcastle, UK, offering them a 25% discount on tuition fees if payment was made in Bitcoin.
- A similar attack was previously reported by St Lawrence College in Ramsgate, UK.
Leaks and Breaches
Website of WPML WordPress plugin hacked
- During the hack, users received an email titled ‘WPML Updates’ claiming that the plugin contained multiple vulnerabilities.
- According to WPML’s developers, the hack was carried out by a former employee who had left a backdoor on the site. The attacker obtained users’ names and email addresses; no payment information was compromised.
Philippine financial services provider suffers data breach
- The firm Cebuana Lhuillier suffered a breach that compromised data belonging to 900,000 clients. Birthdates, addresses and sources of income were exposed after a third party accessed an email server used for marketing.
RupeeRedee lending firm inadvertently leaking customer details
- A security researcher posting on Twitter under the handle Gareth observed misconfigurations in the startup RupeeRedee’s Amazon cloud storage.
- The misconfiguration left some data publicly accessible, including scanned copies of customers’ Aadhaar and PAN cards.
Microsoft Partner Portal leaves support tickets accessible to all partners
- The Register reported that Microsoft support partners were able to view the titles of all support request tickets on the Microsoft Partner Portal.
- Microsoft stated it had addressed the issue, which affected some functions of its Partner Centre portal.
Several vulnerabilities found in WiFi chip firmware
- The flaws were discovered in Express Logic’s real-time operating system ThreadX, which reportedly has over 6.2 billion deployments. ThreadX underlies the firmware of Marvell’s Avastar 88W8897 wireless SoC, which is found in the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook and other devices.
- One of the flaws is a block pool overflow that can be triggered while the WiFi chip is scanning for networks. Because the chip runs these scans on its own, without user action and whether or not the device is associated with a network, Embedi researcher Denis Selianin stated that the flaw can be exploited with ‘zero-click interaction at any state of wireless connection.’
- A further stack-based buffer overflow was found in Marvell’s WiFi driver code; it is exploitable because the Linux kernel build used by Marvell lacks exploit mitigations for that binary.
Unpatched critical Cisco flaw exposes small business networks
- CVE-2018-15439 is a flaw in Cisco’s Small Business Switch software that could be exploited by a remote, unauthenticated attacker to bypass the user authentication mechanism of an affected device.
- The flaw exists because, under specific circumstances, the software enables a privileged user account without notifying the system’s administrators. An attacker could log in to an affected device using that account and execute commands with full administrative rights; a successful exploit could allow a remote attacker to compromise an entire network. Until a fixed release is available, Cisco’s recommended workaround is to add at least one user account with access privilege set to level 15 to the device configuration.
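Since the published workaround is a configuration state rather than a patch, it can be audited from a saved running-config. The following is an added example written for this digest, not a Cisco tool or part of the advisory: it parses `username` lines out of a configuration dump and reports whether any local account is at privilege level 15. The `username <name> password encrypted <hash> privilege <level>` line format is an assumption about the Small Business switch CLI (adjust `USERNAME_RE` for other platforms), the default of level 1 for a line with no `privilege` keyword is likewise assumed, and both configuration excerpts and their hash values are constructed placeholders.

```python
import re

# Assumed line shape on the Small Business switch CLI; the privilege keyword may appear
# anywhere after the user name, so it is matched separately on the remainder of the line.
USERNAME_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$", re.IGNORECASE)
PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b", re.IGNORECASE)

# Constructed running-config excerpts (not captured from a real device); hashes are placeholders.
NO_ADMIN_CONFIG = """\
hostname sw-branch-01
username monitor password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 1
snmp-server community public ro
"""

WITH_ADMIN_CONFIG = """\
hostname sw-branch-02
username netops password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 15
username monitor password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 1
"""


def local_accounts(config_text: str) -> dict:
    """Return {username: privilege_level} for every local account in the config.

    A username line without a privilege keyword is assumed to be level 1.
    """
    accounts = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        p = PRIV_RE.search(m.group("rest"))
        accounts[m.group("name")] = int(p.group("level")) if p else 1
    return accounts


def level15_accounts(config_text: str) -> list:
    """Names of locally configured accounts that hold full (level 15) privileges."""
    return sorted(name for name, level in local_accounts(config_text).items() if level == 15)


def workaround_applied(config_text: str) -> bool:
    """True when the Cisco-recommended workaround for CVE-2018-15439 is in place:
    at least one local account at privilege level 15 exists in the configuration."""
    return bool(level15_accounts(config_text))


if __name__ == "__main__":
    for label, cfg in (("sw-branch-01", NO_ADMIN_CONFIG), ("sw-branch-02", WITH_ADMIN_CONFIG)):
        status = "workaround present" if workaround_applied(cfg) else "NO level-15 account, exposed"
        print(f"{label}: {status}; level-15 accounts = {level15_accounts(cfg)}")
```

A passing check only confirms the workaround, not that the fixed software has been installed; keep the device on the list for patching once Cisco ships the fix, and treat any unrecognised level-15 account the script reports as a finding in its own right.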
National health trust in Cumbria suffered more than 150 cyber attacks in five years
- The BBC reported that the National Health Service (NHS) trust in Cumbria, England, was targeted by cyber attacks more than 150 times in just five years.
DNC allegedly targeted by phishing attack around 2018 midterm elections
- In an amended complaint filed on January 17th, 2019, the Democratic National Committee (DNC) stated that in November 2018, shortly after the 2018 US midterm elections, it was targeted by a widespread spear phishing campaign.
- According to the complaint, the DNC believes the campaign is linked to APT29 and thus ‘it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers’.
Researcher demonstrates attacks on browser extensions
- Dolière Francis Somé, from Université Côte d’Azur and the French research institute INRIA, published a paper documenting how malicious websites can abuse browser extension APIs to run code inside a user’s browser and steal sensitive information such as bookmarks, browsing history and even cookies.
- The researcher developed a tool and tested over 78,000 Chrome, Firefox and Opera extensions. He identified 197 extensions that exposed internal extension API communication interfaces to web pages, allowing websites to access data stored inside the user’s browser. This could let attackers hijack users’ active login sessions, access sensitive accounts or trigger the download of malicious files.
Cybersecurity expert Marco Ramilli analyses Collection #1
- The expert has written a partial analysis of the data in the leaked collection, focusing on the most used passwords, the domains of the most frequently leaked email addresses, and the sources the data came from.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.