Silobreaker Daily Cyber Digest – 22 May 2019
Hundreds of US schools remain vulnerable to WannaCry attacks
- While investigating the ongoing Baltimore City ransomware attack, Ars Technica found that the neighbouring Baltimore County public school system had eight publicly accessible servers with configurations indicating they were vulnerable to EternalBlue – the exploit used as part of the 2017 WannaCry outbreak.
- After conducting a Shodan search, Ars Technica found that hundreds, if not thousands, of US school districts are running potentially vulnerable systems. Those with the largest number include the Montebello Unified School District in Los Angeles County, California; the Fresno Unified School District in Fresno, California; the Washington School Information Processing Cooperative in Washington State; and the Cupertino Union School District in San Jose, California.
W97M/Downloader served from compromised websites
- Sucuri researchers have reported that W97M is being served on compromised websites via a custom PHP dropper. The malware uses macros containing VB scripts to download and execute additional malware from C2 servers.
- The dropper is hosted on CMS platforms such as Magento, WordPress and Joomla. W97M has previously been used to download TeslaCrypt, Dridex and Vawtrak.
16shop commercial phishing kit includes hidden backdoor
- 16shop emerged as a sophisticated tool with multiple layers of defences and attack mechanisms that are able to visually adapt to the victim’s platform. The kit also supports 10 languages and is designed to steal sensitive information from Apple users.
- The author of the kit also added protection against loss of revenue, such as an API-driven system where license validation occurs in real-time, and code-level defences preventing unauthorized copies. Nevertheless, the phishing kit was cracked in late 2018, with pirated versions circulating online soon after.
- Akamai researchers analysed a cracked version of 16shop and found that the kit contains a backdoor used to steal all data obtained by other attackers. It was allegedly developed by an Indonesian individual known as ‘Riswanda’ or ‘devilscream’.
Malware flagged by US Cyber Command involved in active attacks
- Kaspersky Lab and ZoneAlarm researchers linked a malware sample, recently uploaded to VirusTotal by the US Cyber Command, to Russian-speaking group APT28, also known as Sofacy or Fancy Bear. The malware resembles XTunnel, which APT28 used to breach the Democratic National Committee in 2016.
- Researchers observed the malware being leveraged in recent attacks against Central Asian nations, organisations in the Czech Republic, and diplomatic and foreign affairs organisations.
Payment skimmer acts as a payment service provider using a rogue iframe
- Malwarebytes Labs researchers analysed a payment skimmer acting as a payment service provider via a malicious iframe.
- After detecting suspicious activity from a Magento site, the researchers found that the tampered version of the site included an extra form that asked victims to submit their credit card information before they were redirected to a legitimate checkout page.
New campaign combines phishing, steganography and PowerShell to deliver malware
- Cybereason researchers discovered a malware campaign targeting Japan that combines phishing, steganography, PowerShell, and URLZone and Ursnif malware.
- The campaign begins with malicious emails carrying weaponized Excel files. These files contain a PowerShell script that downloads steganographic images; code extracted from the images then downloads a stripped-down version of URLZone, which in turn downloads the Ursnif banking trojan.
- The campaign is specifically targeting Japanese users and will check a device’s country settings and terminate if the country isn’t Japan.
Leaks and Breaches
TalkTalk failed to inform all customers of 2015 breach
- The company was fined for an October 2015 breach that exposed the data of 157,000 customers; it failed to inform 4,545 of those customers that their details were part of the breach.
Unsecured Game Golf app database exposed
- Researcher Bob Diachenko found an exposed Elastic database belonging to Game Golf – a golfing app developed by Game Your Game Inc.
- The database contained 218,000 users’ names, logins, hashed passwords and emails, millions of records of golf games played, login data from Facebook, GPS details from courses, and network information for the company itself. It is unknown how long the database was exposed.
Intel fixes numerous high-severity vulnerabilities
- Intel has issued an advisory for 34 fixes across various products, including one for CVE-2019-0153, a critical bug in Intel’s Converged Security and Management Engine (CSME). The buffer overflow could allow privilege escalation via network access.
New zero-day exploit developed for flaw in Windows 10 Task Scheduler
- An exploit developer known as SandboxEscaper released a new zero-day exploit for Windows OS that achieves local privilege escalation, granting a limited user full control over files reserved for full-privilege users like SYSTEM and TrustedInstaller.
- According to the researcher, running a command with specific executables copied over from Windows XP triggers a remote procedure call to a task-registration method exposed by the Task Scheduler service, which results in a user with limited privileges gaining SYSTEM rights.
Cambridge University researchers develop a ‘Calibration Fingerprinting Attack’
- A Cambridge University team developed a new fingerprinting attack, which uses data gathered from the accelerometer, gyroscope and magnetometer sensors present in smartphones.
- The attack does not require permissions from the user, can extract calibration data within seconds, and creates a fingerprint that never changes, even after a factory reset. It allows the attacker to track browsing and movement between apps.
- The vulnerability, CVE-2019-8541, affects iOS devices running iOS 12.1 or lower, as well as Google Pixel 2/3 devices. A patch for the vulnerability is available for iOS devices.
Several vulnerabilities addressed in new Mozilla browser version
- Alongside some privacy additions, Mozilla addressed several critical vulnerabilities with the release of Firefox 67.
- One of the most critical vulnerabilities, CVE-2019-9800, could allow an attacker to take control of an affected system, whilst another critical vulnerability, CVE-2019-9814, could allow an attacker to run arbitrary code.
Rapid7 discovers and analyses vulnerabilities in two IoT products
- The researchers analysed flaws in Eaton’s HALO Home Smart Lighting System and Blue Cats’ AA Beacon. All the flaws have since been patched.
- Two flaws in AA Beacon, tracked as CVE-2019-5626 and CVE-2019-5627, are low-priority information disclosure vulnerabilities in the BC Reveal Android app and iOS app, respectively.
- Of the three flaws in the HALO Home Smart Lighting System, one is a low-severity insecure data storage flaw on Android, tracked as CVE-2019-5625. The other two are medium-severity insecure direct object reference vulnerabilities that have not been assigned a CVE.
Analysis of worm-like Windows RDP flaw released
- Researchers at McAfee released an analysis of the recently patched CVE-2019-0708. The wormable vulnerability allows remote code execution in Windows Remote Desktop Services (RDS), reachable over the Remote Desktop Protocol (RDP).
Cisco releases firmware patch for high severity vulnerability in Secure Boot
- The patch release fixes CVE-2019-1649, which affects the logic that handles access control to one of the Secure Boot hardware components.
- Cisco’s Secure Boot is utilised by enterprises, militaries and government agencies in routers, switches and firewalls.
- Authenticated local attackers would have the ability to write a modified firmware image, potentially rendering the device unusable.
Report finds poor cyber hygiene amongst political parties
- SecurityScorecard analysed the risk exposure of 29 political parties in North America and Europe, and found indicators of poor security hygiene for nearly all of them.
- The report also found that political parties in France had ‘systematically lower security ratings’ than all other political parties analysed, while the Republican National Committee had higher security scores than the Democratic National Committee in nearly all categories.
Unhashed G Suite passwords stored for over a decade
- Some of Google’s business customers had their G Suite passwords stored in plaintext for 14 years. The issue was caused by an error in the implementation of an outdated feature that allowed domain administrators to manually set and recover passwords for their company’s users.
- According to Google’s statement, the passwords remained in its secure, encrypted infrastructure, and no indication of improper access or misuse was found.
GDPR complaint against Google claims personal data leak of billions
- A GDPR complaint about Real-Time Bidding (RTB) was filed with Data Protection Authorities in Spain, the Netherlands, Belgium and Luxembourg, alleging that Google and other companies have leaked the personal data of billions to the ‘Ad Tech’ industry.
- RTB allows companies to broadcast the private data of people visiting their sites to other companies in a ‘bid request’, to solicit bids from potential advertisers.
- Data in these bid requests includes the exact locations, inferred religions, sexual and political characteristics of individuals, as well as what users are reading, watching and listening to online, and more.
Former Ombudsman Morales claims her phones were hacked
- Former Filipino Ombudsman Conchita Carpio Morales claims her phones were hacked following a brief detention at Hong Kong Airport. She has previously stated that she believes she is under surveillance by China.
DDoS attacks remain a threat despite law enforcement crackdown
- Kaspersky Lab researchers published a study of DDoS attacks in Q1 2019. The report tracked an escalation in the efforts of law enforcement agencies to combat the attacks.
- The US Department of Justice seized 15 internet domains in January 2019, while Europol targeted attack organizers and customers, arresting 250 users in the UK and Netherlands.
- The full report features a breakdown of the types of attacks and the geographic distribution of attackers and victims.
DHS says lack of proper configurations in Office 365 leaves customers vulnerable
- The US Department of Homeland Security stated that many organizations fail to use proper configurations in Office 365 and other cloud services, posing risks and leading to vulnerabilities. The root cause of the poor configurations is the use of third-party firms to migrate services and users to the cloud.
AT&T issues false alarm over data breach
- AT&T warned visitors to its website on May 20th, 2019, that they may have been affected by an AT&T data incident. The message urged users to ensure that their accounts had not been compromised.
- Following customer queries, AT&T assured users that the message had been posted by mistake during routine testing.
Singapore’s PDPC publishes guidelines on data breach notifications
- The Personal Data Protection Commission (PDPC) of Singapore published guidelines on data breach notifications aimed at strengthening the accountability of organisations.
- These include the expectation that organisations complete investigations into data breaches within 30 days and notify the authorities no later than 72 hours after completion; the guidelines also make breach notifications mandatory.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.