Silobreaker Daily Cyber Digest – 21 May 2019
Fortinet publishes update on Satan ransomware’s new techniques
- Fortinet has reported that in a recently discovered campaign, Satan ransomware was observed dropping crypto-mining malware as an additional payload in order to maximise profits.
- In addition, Fortinet found the ransomware using new remote code execution exploits, including CVE-2017-8046, CVE-2015-1427 and a ThinkPHP 5.X remote code execution flaw.
- The report also includes an analysis of propagation techniques, targeted networks and exploitation.
Source (Includes IOCs)
Emsisoft releases free decryptor for JSWorm 2.0 ransomware
- Emsisoft researchers released a decryptor for a new strain of ransomware dubbed JSWorm 2.0. Infections by JSWorm 2.0 have been observed since January 2019, with victims located in South Africa, Italy, France, Iran, Vietnam, Argentina, the US, and other countries.
- JSWorm 2.0 is written in C++ and uses Blowfish encryption. According to the researchers, some of the ransomware’s strings suggest it was created by the same author as JSWorm.
New variant of Facebook Cryptominer malware discovered
- Maharlito Aquino and Kervin Alintanahin of Cyren Security Lab discovered the re-emergence of the 2017 Digmine campaign, in which Facebook Messenger was used to distribute CoinMiner malware.
- The new cryptominer payload observed in the re-emerged campaign is hosted in the files section of Facebook groups, and minor changes have been made to the downloader; overall, however, the tactics remain similar to those used in 2017.
Source (Includes IOCs)
Hawkeye keylogger malware sent from Spytector keylogger email address
- Researchers at My Online Security discovered a version of Hawkeye keylogger that is sent from an email address registered to Spytector, an online retailer which sells keylogger and info-stealer malware. The stolen information is also sent back to the same email address.
- The email is delivered via the Oracle cloud delivery SMTP system and contains an attachment which downloads Hawkeye malware.
Source (Includes IOCs)
New Trickbot campaign delivers malware via redirection URL in spam
- Trend Micro discovered a new variant of Trickbot using a redirection URL in a spam email to avoid detection by spam filters. The spam email is reasonably convincing, with content that indicates that a processed order is ready for shipping, including fake freight numbers, delivery disclaimers, seller contact details and social media icons.
- In this instance, a Google redirection URL was used to trick victims and disguise the hyperlink’s actual purpose, which is to redirect the user from Google to a Trickbot download site. The malicious site serves a VBS script that acts as the Trickbot downloader.
- Due to its modular structure, once Trickbot is executed it can quickly deploy new capabilities based on the modules that it downloads and installs.
Source (Includes IOCs)
MuddyWater APT uses new anti-detection techniques
- Researchers at Cisco Talos have assessed with moderate confidence that a newly observed campaign, dubbed BlackWater, is associated with MuddyWater APT. Samples analysed from this new campaign indicate that the group has added three steps to its operations to bypass security systems.
- The threat actor first adds an obfuscated Visual Basic for Applications (VBA) script which establishes persistence as a registry key. The script then triggers a PowerShell stager which is likely an attempt to appear as a red-teaming tool rather than a threat actor. Finally, communication is made with a threat actor controlled server to obtain a component of the FruityC2 open-source framework on Github, which ‘further enumerates the host machine’.
- This multi-layered approach makes detection more difficult by ensuring that an ‘errors[.]txt’ file is not generated. In addition, some variable strings were replaced by the threat actors, which Cisco assesses to be an attempt to avoid signature-based detection by YARA rules.
Source (Includes IOCs)
Leaks and Breaches
HCL exposed employee information and client details online
- UpGuard researchers discovered publicly accessible pages belonging to technology services provider HCL that exposed information on HCL’s staff and clients.
- The researchers were able to access an actively used HR portal displaying information on 364 new hires. The data included names, phone numbers, cleartext passwords, and more.
- The researchers were also able to access HCL’s SmartManage portal, which contained project details for over 2,000 customers, including Fortune 1000 companies. This data included internal analysis reports, weekly customer reports and installation reports.
Multiple Airbnb customers victims of scam
- A number of Airbnb users were charged for non-refundable reservations at fake destinations. According to Airbnb, these are isolated events where the victims’ accounts were accessed using correct login credentials that had been ‘compromised elsewhere.’
Michigan health practice shut down following ransomware attack
- Brookside ENT and Hearing Center, in Battle Creek, Michigan, was targeted in an attack that encrypted all files including patient information, patient records and appointment schedules.
- Attackers demanded $6,500 to decrypt the files which the practice refused to pay. The practice was scheduled to close down on April 30th, 2019.
Cancer Treatment Centers of America targeted by phishing attack
- Cancer Treatment Centers of America (CTCA) released a notice stating that on March 11th, 2019, an employee provided account details and login credentials to a phishing email.
- CTCA stated they could not rule out unauthorized access to the patient data that includes addresses, phone numbers, medical record numbers, government ID and more.
- This incident follows a similar report from December 2018, in which CTCA notified 42,000 patients that their data had been compromised in a phishing attack.
Data of Instagram users exposed on unsecured database
- Security researcher Anurag Sen found an unsecured database hosted by Amazon Web Services containing over 49 million records related to Instagram influencers, celebrities and brand accounts. The database is linked to Mumbai-based social media marketing firm Chtrbox.
- The leaked information includes Instagram biographies, profile pictures, the number of followers, location, and more, as well as private contact information, including email addresses and phone numbers.
194 out of the top 1,000 Docker images lack root passwords
- Following Cisco Talos’ discovery that the Alpine Linux distribution Docker image contains a blank root password, CVE-2019-5021, security engineer Jerry Gamblin found that 194 out of the 1,000 most popular Docker images also have no root passwords. Allowing users to log in as root without requiring a password is said to ‘drastically [increase] the possibility of exposing the system to a security breach’.
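The condition behind CVE-2019-5021 is an empty password field for root in the image’s shadow file. The following POSIX shell check is an added example, not code from the digest or from Cisco Talos or Jerry Gamblin; it scans a shadow-format file for accounts with an empty password field and reports whether root is among them. The file path is a parameter, and both sample files below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the Silobreaker digest): detect accounts with an
# empty password field in a shadow-format file, the condition behind the
# Alpine Docker image issue (CVE-2019-5021). Sample contents are constructed.

# Print the names of accounts whose second field (the password hash) is empty.
# A locked account shows "!" or "*" there; an empty field means no password.
find_passwordless_accounts() {
    # $1: path to a shadow-format file, one "name:hash:..." record per line
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Return 0 when the root entry has an empty password field, 1 otherwise.
root_has_blank_password() {
    find_passwordless_accounts "$1" | grep -qx root
}

# Count the accounts reported by find_passwordless_accounts (no leading spaces,
# unlike wc -l on some platforms).
count_passwordless_accounts() {
    find_passwordless_accounts "$1" | awk 'END { print NR }'
}

# Constructed sample resembling a vulnerable image's /etc/shadow:
# root and operator have an empty password field, the others are locked.
SAMPLE_VULNERABLE=$(mktemp)
cat > "$SAMPLE_VULNERABLE" <<'EOF'
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
operator:::0:::::
nobody:!::0:::::
EOF

# Constructed sample after remediation: root is locked ("!" in the hash field),
# which is what "passwd -l root" writes.
SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
root:!::0:::::
bin:!::0:::::
daemon:!::0:::::
operator:!::0:::::
nobody:!::0:::::
EOF

# Stand-alone usage: report the findings for the vulnerable sample.
echo "Accounts without a password in $SAMPLE_VULNERABLE:"
find_passwordless_accounts "$SAMPLE_VULNERABLE"
if root_has_blank_password "$SAMPLE_VULNERABLE"; then
    echo "WARNING: root has an empty password field"
fi
if ! root_has_blank_password "$SAMPLE_FIXED"; then
    echo "OK: root is locked in $SAMPLE_FIXED"
fi
```

Run against an image by extracting its /etc/shadow (for example with `docker cp` from a stopped container created from the image) and passing the path to `find_passwordless_accounts`; any account listed should be locked or given a password before the image is used. Note that an empty field only becomes a login path where the PAM or login configuration permits empty passwords, which the Talos report identified as the case for the affected Alpine images.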
Remote code execution vulnerability in Microsoft Remote Desktop Service can be exploited
- Following Microsoft’s recent warning and release of a patch for its remote code execution (RCE) flaw, CVE-2019-0708, in Windows Remote Desktop Services, security researchers have confirmed the flaw is exploitable. The discovery of the exploit suggests that hackers will most likely create their own exploits shortly.
Removing capability SIDs from permissions could cause Windows components to break
- Microsoft has warned that removing Windows account security identifiers (SIDs) that don’t have a ‘friendly’ name from security permissions could create problems in Windows and installed apps.
- Microsoft introduced a new class of security identifier, capability SIDs, in Windows Server 2012 and Windows 8; they enable a Windows component or UWP application to access specific resources on a PC. When these SIDs are shown in a security access list, they are not resolved to a friendly name such as TrustedInstaller or System, but appear as a series of numbers and characters.
- Removing capability SIDs could cause the app or Windows feature to lose access to a resource that it requires to be able to run.
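Before deleting an unresolvable SID from an ACL, an administrator can check whether it is a capability SID, which Microsoft documents as beginning with the prefix S-1-15-3. The POSIX shell helper below is an added example, not code from the digest or from Microsoft; it classifies SID strings from a constructed, simplified ACL dump so that capability entries are kept and only genuinely orphaned SIDs are flagged for review. The dump format is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not part of the Silobreaker digest): separate Windows
# capability SIDs (prefix S-1-15-3-, per Microsoft documentation) from other
# unresolved SIDs in an ACL listing. The listing format "SID<TAB>rights" is
# a constructed simplification for this demonstration.

# Return 0 when $1 is a capability SID, 1 otherwise.
is_capability_sid() {
    case "$1" in
        S-1-15-3-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read an ACL listing on stdin; print only the capability SID entries.
# These must be left in place or the component relying on them loses access.
keep_capability_entries() {
    while IFS='	' read -r sid rights; do
        if is_capability_sid "$sid"; then
            printf '%s\t%s\n' "$sid" "$rights"
        fi
    done
}

# Read an ACL listing on stdin; print the entries that are neither capability
# SIDs nor well-known/builtin SIDs (S-1-5-*), i.e. the ones worth reviewing.
review_candidates() {
    while IFS='	' read -r sid rights; do
        case "$sid" in
            S-1-15-3-*|S-1-5-*) ;;
            *) printf '%s\t%s\n' "$sid" "$rights" ;;
        esac
    done
}

# Count lines produced by one of the filters above on a given listing file.
count_lines() {
    "$1" < "$2" | awk 'END { print NR }'
}

# Constructed ACL dump: one builtin SID, two capability SIDs and one SID that
# does not resolve and belongs to neither family (constructed RIDs).
SAMPLE_ACL=$(mktemp)
printf '%s\t%s\n' \
    'S-1-5-18' 'FullControl' \
    'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' 'ReadAndExecute' \
    'S-1-15-3-4096' 'ReadAndExecute' \
    'S-1-5-21-1111111111-2222222222-3333333333-1001' 'Modify' \
    > "$SAMPLE_ACL"

# Stand-alone usage.
echo "Capability SID entries (keep):"
keep_capability_entries < "$SAMPLE_ACL"
echo "Entries to review:"
review_candidates < "$SAMPLE_ACL"
```

The domain-style SID in the sample (S-1-5-21-...) is deliberately treated as a well-known/builtin family and not flagged; the helper is only meant to make the capability entries recognisable before anyone edits the ACL, not to decide which other entries are stale.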
Australian Government employee charged for using government IT systems for crypto mining
- The Australian Federal Police arrested and charged a 33-year-old man for allegedly abusing his position as a government IT contractor to use the processing power of his agency’s computer network to mine cryptocurrency.
Former CIA intelligence officer sentenced to 20 years for leaking secrets to China
- 62-year-old Kevin Patrick Mallory from Leesburg was found guilty of delivering national defence information to aid a foreign government and making material false statements. Mallory was reportedly paid $25,000 for giving classified documents to Chinese intelligence officer Michael Yang.
- The leaked documents allegedly included information about CIA informants, which Mallory scanned onto an SD card at his local FedEx.
New research finds most hacker-for-hire services ineffective
- A new white paper by Google researchers and a team of academics from the University of California San Diego showed that most account hacking services are scams and ineffective.
- The studied services didn’t use automated tools and relied on social engineering. The white paper concludes that the market for email hijacking services is ‘far from mature’.
DHS warns that Chinese drones can send data back to their manufacturers
- The US Department of Homeland Security (DHS) expressed concern that the Chinese government also has access to any information sent back to the drone manufacturers.
- The DHS warning does not mention a specific manufacturer but over 79% of drones operating in the US and Canada and 74% globally are manufactured by DJI, based in Shenzhen, China.
- DJI drones have been banned from use in the US army following similar security concerns in 2017.
Researchers analyse Wajam adware and find malware-like techniques
- Concordia University researchers tracked Wajam adware for nearly six years and found that the adware uses multiple techniques similar to malware. These include browser process injection attacks, anti-analysis, anti-evasion and anti-detection techniques, security policy downgrading, and data leakage.
- Based on their findings, the researchers highlight the need for the security community to not dismiss adware as a less important threat compared to others such as malware or ransomware.
Louisville Regional Airport Authority hit by ransomware attack
- In a statement from May 20th, 2019, Louisville Regional Airport Authority confirmed a ransomware attack affecting ‘localized Louisville Regional Airport Authority files,’ but further details on the nature of the files affected have not been given.
- The encrypted files have since been deleted and are being replaced with back-ups.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.