Threat Reports

Silobreaker Daily Cyber Digest – 21 November 2019



Researchers analyse Dtrack variant used in KNPP attack

  • Cyberbit researchers analysed four samples of Dtrack malware discovered in the Indian Kudankulam Nuclear Power Plant (KNPP). The RAT is believed to have been written by the North Korean Lazarus Group.
  • The analysis showed that the KNPP variant had been stripped of its RAT capabilities, yet still contained APIs, for example, ones related to HTTP communications, that were not used by the malware. Its purpose was mainly to collect information about the infected machine to create an identifier for it, after which further information was collected, including ipconfig output, running processes, browser history, and more.
  • The analysed samples included three droppers that showed similarities to the banking trojans BackSwap and Ursnif. One of the samples used the same obfuscation technique as BackSwap by masquerading as a legitimate programme, whilst two of the samples made use of the ‘NX-bit not set’ technique which has previously been observed in Ursnif. 

Source (Includes IOCs)


Researchers discover downloader and bot modules for Roboto Botnet

  • Researchers at Netlab discovered two ELF files, the first of which was discovered on August 26th, 2019 and was identified as a P2P bot program. The second file, which was found on October 11th, 2019, was revealed to be the bot program’s downloader. The researchers named their finding the Roboto Botnet.
  • The botnet downloader is spread via a Webmin remote code execution vulnerability, tracked as CVE-2019-15107. Following successful exploitation, the downloader retrieves, decrypts, and executes the Roboto Bot program from a ‘specified URL according to the CPU architecture’.
  • Roboto Botnet can execute system commands, self-uninstall, gather process network information, run encrypted files, and more. The researchers speculated that the botnet also has a vulnerability scanning module and a P2P control module.

Source (Includes IOCs)


Ongoing Campaigns

IRS phishing campaign targets over 100,000 victims worldwide

  • Akamai researchers discovered a phishing campaign that delivered a fake IRS phishing site to targets. The researchers tracked the campaign over 47 days, during which the attackers employed 289 domains and 832 URLs.
  • The majority of the domains hosting the malicious pages are compromised websites. Each domain displays the same visual elements; however, in an attempt to avoid signature detection, the attackers randomly generated parts of each page.
  • The campaign, which peaked in late August 2019, sought to gather the targets’ email addresses and passwords. The researchers stated that IRS-themed phishing campaigns usually take place during the tax season in the US; however, recent political turmoil and uncertainty surrounding tax regulations allow attackers to conduct tax-themed campaigns out of season.

Source (Includes IOCs)


Microsoft assure consumers that Dopplepaymer is not spread through Microsoft Teams

  • On November 20th, 2019, Microsoft Security Response Centre released a statement regarding the spread of Dopplepaymer ransomware. The company refuted suggestions that the ransomware could be spread through Microsoft Teams, or via BlueKeep.
  • The researchers stated that the malware spreads across enterprise networks, via remote human operators, using existing Domain Admin credentials.



New NukeSped variant targets Korean users

  • Trend Micro researchers observed a campaign targeting Korean users by delivering a new variant of the Mac backdoor NukeSped via an Excel document containing an embedded macro. NukeSped has been attributed to North Korea’s Lazarus Group and the attack is similar to a previously observed attack by the threat actor.
  • One difference from the previous attack method is the use of a Mac app bundle containing malicious and legitimate versions of Adobe Flash Player. As a method of separating the Mac attack chain, the legitimate Flash Player is run with a decoy alongside the malicious one.

Source (Includes IOCs)


Hacker Groups

Researchers analyse HYDSEVEN activity

  • Researchers at Carbon Black analysed the C2 protocol used by threat actor HYDSEVEN, also known as CRYPTO-3, for its communication with NetWire RAT. HYDSEVEN are known for targeting virtual currency exchanges.
  • NetWire is a commercially available remote access tool that uses a TCP-based C2. Typically, an ‘authentication packet’ is exchanged by the RAT and C2, including information for the packed payload encryption. However, HYDSEVEN has previously been observed using a customised C2 protocol that uses a different data format. The researchers also found that a different algorithm for encryption key generation was used in the threat actor’s NetWire variant.
  • Throughout the researchers’ analysis, no responsive C2 servers were found, which could mean that HYDSEVEN is not currently active or is no longer using the customised NetWire. Other possibilities could be that HYDSEVEN changed the hard-coded data in their NetWire samples, or that the C2 is only accessible to IP addresses targeted by the threat actor.

Source (Includes IOCs)


Supply-chain attacks foster mutual cooperation in Russian cybercrime underground

  • AdvIntel’s most recent report on the Russian cybercriminal underground stressed the ‘conservative’ divide between skilled elitist hackers who use APT-type methods, and ransomware operators who focus on financial gain. The researchers assert that this divide is being eroded as both groups work together to pursue supply-chain attacks.
  • The researchers state that wealthy ‘ransomware collectives act as patrons’ for skilled hackers who can deliver access to supply chains. An example of this cooperation is the English-speaking threat actor, known as, who has been working with ransomware operators. During September 2019 breached a US energy company and attempted to sell access to ransomware operators.
  • The researchers stated that they expect to see mutual cooperation between supply-chain specialists and ransomware operators continue to grow, ‘making ransomware even more deadly’.

Source (Includes IOCs)


Leaks and Breaches

VEED leaks private videos of individuals and businesses

  • vpnMentor researchers discovered an unsecured Amazon Web Services S3 bucket belonging to the video editing platform VEED on October 12th, 2019. As yet, the company has not responded to the incident and the data remains accessible.
  • Thousands of private videos of individuals, such as family videos and home-made pornography, as well as marketing material belonging to businesses are currently exposed via the database. The researchers note that the video content can be accessed without a user’s login details and that certain content, such as the home-made pornography, could be used by criminals for blackmail and extortion purposes.



AccorHotels subsidiary Gekko Group exposes 1 terabyte database

  • Researchers at vpnMentor identified an exposed Elasticsearch database belonging to Gekko Group. The French-based company owns smaller hospitality brands, such as Teldar Travel and Infinite Hotel, which owned the majority of the exposed information. Additionally, the data of external websites and platforms that communicate with Gekko Group platforms were exposed in the breach.
  • The database, which was hosted in France on servers owned by OVH SA, contained information such as login credentials for client accounts, hotel and transportation reservations, personally identifiable information, and more.
  • The personal information exposed belonged to citizens throughout Europe, and included names, home addresses, email addresses, financial information, login credentials, PII of children, and more.



French hospital hit by ransomware attack

  • The Rouen University Hospital-Charles Nicolle was targeted by a ransomware attack on November 15th, 2019 that affected all of the hospital’s five sites. As a precaution, all IT systems were shut down and the hospital is currently operating in ‘degraded mode.’ No ransom demand has been made.




Escalation of Privilege vulnerability found in Windows 7

  • Security researcher Eduardo Braun Prado discovered a vulnerability in the User Account Control mechanism of Windows 7 that could allow a user to perform actions ‘as SYSTEM via a circuitous route of UI operations.’
  • The flaw, tracked as CVE-2019-1388, was patched by Microsoft in November 2019.



WordPress Jetpack plugin exposes millions of sites

  • Security, performance and site management plugin Jetpack contains a vulnerability which is related to the manner in which embed code is processed. The vulnerability, discovered by Adham Sadaqah, impacts all versions of Jetpack from 5.1 onwards.
  • Jetpack’s developers released a patch for the issue and warned that they now expected to see malicious actors attempt to exploit the flaw.



Cisco UCM administrator portal contains SQL injection issues

  • Researchers at F-Secure identified a SQL injection issue in the Cisco UCM administrator portal. The researchers stated that once the issue is discovered, SQLMap, or similar tools, can be used for further exploitation. Using SQLMap led to the discovery of an Informix SQL database which contained passwords and sensitive data.
  • The researchers found that SQLMap could not be used to exploit the issue; instead, they created two scripts which allowed for full exploitation.
  • The researchers informed Cisco of the issue and patches are currently being developed. A full analysis of the researchers’ attack is available via the F-Secure blog.

Source (Includes IOCs)


The Silobreaker Team 

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
