Silobreaker Daily Cyber Digest – 22 January 2019
New STOP ransomware variant distributed through software cracks and adware bundles
- A new STOP ransomware variant is being bundled with adware and disguised as software cracks such as KMSPico, or as cracks for legitimate programs including Cubase, Photoshop and antivirus products. The variant appends the .rumba extension to the files it encrypts.
- According to Bleeping Computer, a range of different software crack websites have been observed pushing the adware bundle.
New Phobos ransomware strain being distributed worldwide
- Coveware researchers reported on a new ransomware dubbed Phobos, which shares many similarities with Dharma variants but differs from Dharma in the structure of the file marker it writes to encrypted files.
- Phobos distributors are using exposed, poorly secured RDP services as their attack vector.
More than 4 percent of Monero mined by malware botnets over last four years
- Researchers reported that 4.32% of Monero in circulation has been mined by botnets and cyber criminals.
- They estimated that total revenues for criminals mining Monero reached $57 million, and that Monero is the cryptocurrency most popular among criminal miners.
- The researchers also reported on previously well-known mining campaigns such as Adylkuzz and Smominru, as well as newer groups dubbed Freebuf and USA-138.
Leaks and Breaches
BlackRock data leak exposed 20,000 financial advisers’ information
- Names, email addresses, and further information belonging to advisers of the asset manager’s clients, including 12,000 at LPL Financial, were inadvertently exposed on the BlackRock website.
- The information exposed related to a small number of wealth management platforms impacting approximately 20,000 independent advisors in the US.
- No end clients’ data was exposed, nor was any financial or personal information.
ATLAS game taken offline twice after players hacked admin account
- The hackers used exploits to interfere with other players’ gameplay and spammed other players with ‘Subscribe to PewDiePie’ messages. The hacks impacted the multiplayer servers of ATLAS, a new MMO game developed by Grapeshot Games.
- The first hack was on January 17th, when an unidentified individual compromised the game admin’s Steam account and used it to log into the game and alter the multiplayer server settings. The hacker used the admin account to spawn World War II airplanes and tanks inside the server, killing players and damaging ships.
- On January 20th, multiple players discovered and used a technical exploit in the ATLAS game to flood the servers with whales and dragons, placing them in water, on land and in the air. On both occasions the game makers had to roll back the servers to undo the spam.
Online casino group leaks over 108 million bets from Elasticsearch server
- The leaked details include customers’ names, home addresses, phone numbers, email addresses, deposits, withdrawals, betting information, and more. The data was leaked from an Elasticsearch server that was left exposed online without a password.
- Researchers found that all the URLs spotted in the server’s data belonged to online casinos where users could place bets on classic card and slot games, as well as other betting games.
Electronics firm Omron addresses multiple flaws in CX-Supervisor
- CX-Supervisor is used to create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems.
- The most severe flaw, tracked as CVE-2018-19027, allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-One CX-Protocol. Exploitation requires a user to visit a malicious page or open a malicious file.
- Other issues include use-after-free and type confusion flaws, and an issue due to a lack of proper validation for user supplied input.
Flaw in MySQL permits malicious servers to steal files from clients
- A design flaw exists in the file transfer interaction between a client host and a MySQL server that allows an attacker running a MySQL server to read any file the connected client has read access to.
- The issue concerns the LOAD DATA statement used with the LOCAL modifier. When a client issues LOAD DATA LOCAL INFILE, the server replies with a request for the file and the client uploads it. Clients act on that request without checking that they actually issued such a statement, so a malicious server can answer any query with a LOAD DATA LOCAL request and demand any file for which the client has read permissions.
- The flaw could ultimately allow an attacker to retrieve information such as SSH keys or access details for cryptocurrency wallets.
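The exchange described above, modelled as an added example (this is not code from the page or from the MySQL project): a minimal client-side handler for the server's LOCAL INFILE request, following the documented MySQL packet layout (3-byte little-endian length, 1-byte sequence id, payload; a LOCAL INFILE request is a payload whose first byte is 0xFB followed by the filename). The hostnames, file paths and statements are constructed for the demonstration. A naive client sends whatever file the 0xFB packet names; the handler below refuses unless the client itself issued a LOAD DATA LOCAL INFILE statement naming that exact file, or unless LOCAL INFILE is disabled on the client.

```python
import re

# Constructed model of the MySQL client/server LOCAL INFILE exchange.
# Not MySQL's own code; packet framing follows the documented protocol.

LOCAL_INFILE_MARKER = 0xFB  # first payload byte of a server's LOCAL INFILE request


def build_packet(payload: bytes, seq: int) -> bytes:
    """Wrap a payload in a MySQL protocol packet header (3-byte length + 1-byte seq)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(data: bytes):
    """Split one MySQL protocol packet into (sequence id, payload)."""
    length = int.from_bytes(data[:3], "little")
    if len(data) < 4 + length:
        raise ValueError("truncated packet")
    return data[3], data[4:4 + length]


def server_local_infile_request(filename: str, seq: int = 1) -> bytes:
    """What any server, honest or malicious, sends to ask the client for a local file."""
    return build_packet(bytes([LOCAL_INFILE_MARKER]) + filename.encode(), seq)


# Matches the file the client named in its own statement:
# LOAD DATA [LOW_PRIORITY | CONCURRENT] LOCAL INFILE 'file_name' ...
_LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']+)'",
    re.IGNORECASE,
)


def expected_local_file(statement: str):
    """Return the file named in a LOAD DATA LOCAL INFILE statement, or None."""
    m = _LOAD_LOCAL.match(statement)
    return m.group(1) if m else None


def handle_server_reply(statement: str, packet: bytes, local_infile_enabled: bool = True):
    """Decide what the client should do with the server's reply to `statement`.

    Returns ("send", filename) for a legitimate request, ("refuse", reason)
    for anything a hardened client should not honour, or ("other", None)
    when the reply is not a LOCAL INFILE request at all.
    """
    _, payload = parse_packet(packet)
    if not payload or payload[0] != LOCAL_INFILE_MARKER:
        return ("other", None)
    requested = payload[1:].decode("utf-8", "replace")
    if not local_infile_enabled:
        return ("refuse", "LOCAL INFILE disabled on this client")
    expected = expected_local_file(statement)
    if expected is None:
        # The naive behaviour the flaw abuses: the client never sent LOAD DATA
        # LOCAL, yet the server is demanding a file. Refuse.
        return ("refuse", f"server asked for {requested!r} but the statement was not LOAD DATA LOCAL")
    if requested != expected:
        return ("refuse", f"server asked for {requested!r}, statement named {expected!r}")
    return ("send", requested)


if __name__ == "__main__":
    # Constructed exchanges. A rogue server answers a harmless SELECT with a
    # demand for the user's SSH private key; the honest case names the same file
    # the client put in its own statement.
    rogue = server_local_infile_request("/home/alice/.ssh/id_rsa")
    print(handle_server_reply("SELECT 1", rogue))
    honest = server_local_infile_request("/tmp/orders.csv")
    print(handle_server_reply("LOAD DATA LOCAL INFILE '/tmp/orders.csv' INTO TABLE orders", honest))
```

In practice the simplest mitigation is to turn the feature off on the client side (for the mysql command-line client, `--local-infile=0`; for C-library based connectors, setting `MYSQL_OPT_LOCAL_INFILE` to 0) unless a specific job needs it, and to treat any unexpected MySQL server (including one reached through an injected connection string or a rogue host on the network) as untrusted; the filename comparison above is a defence-in-depth check for clients that must keep LOCAL INFILE enabled.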
New research finds malware and user privacy issues in top free VPN Android apps
- Top10VPN released results from their study of the 150 most popular free VPN apps on the Google Play Store. They found that one in five of all the 150 apps were flagged as a potential source of malware when tested using VirusTotal.
- Moreover, 25% of the apps tested positive for DNS leaks, which can expose a user’s browsing history to their ISP or to whichever third-party DNS operator the app uses.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.