Threat Reports

Silobreaker Daily Cyber Digest – 22 October 2019



Winnti Group use new backdoor to target Microsoft SQL servers

  • Researchers at ESET identified a new backdoor, dubbed Skip-2.0, used by the Winnti Group to achieve persistence on Microsoft SQL (MSSQL) server versions 11 and 12. The exploit is similar to the PortReuse backdoor that the group previously employed in supply chain attacks against the video game and software industry. Both backdoors use the same custom packer and VMProtected launcher. 
  • The malware requires administrative privileges to be properly deployed and consequently can only be used on MSSQL servers that have already been compromised. Once deployed, Skip-2.0 can be used to connect to MSSQL accounts. These connections are hidden from the logs which helps the malware to remain undetected. 
  • The backdoor can be used to steal, modify or delete database content. The researchers stated that the group could use the backdoor to manipulate in-game currency for financial gain.

Source (Includes IOCs)


Ongoing Campaigns

Buran ransomware campaign discovered targeting German organisations

  • Bromium researchers observed a new Buran ransomware campaign against German organisations since October 1st, 2019. Buran is a variant of Buhtrap malware and was first discovered being sold as a ransomware-as-a-service on Russian-speaking underground forums in May 2019. According to the developers, Buran will not run in countries of the former Commonwealth of Independent States.
  • The campaign involves the attackers sending an email purporting to be from the legitimate online fax service eFax. The email contains a link to a PHP page that contains a malicious Word document which is used to download the Buran payload. Each malicious document contains four XML files with junk data, most likely to vary the file size in an attempt to evade detection.
  • The researchers discovered strings that suggest the current campaign uses a version referred to as ‘Generation V’ of Buran by the developers. ‘Buransupport,’ a user advertising the ransomware on forums, announced the previous version on August 7th, 2019.

Source (Includes IOCs)


New Microsoft phishing campaign uses compromised LinkedIn accounts

  • Heimdal Security researchers observed a new phishing campaign specifically targeting Office365 users, relying on compromised LinkedIn accounts to spread its message. However, general users with a Microsoft account may also be targeted.
  • The campaign is similar to a business email compromise attack, in which attackers convince victims they are speaking to an acquaintance, in this case by sending a message on LinkedIn. The message contains a link that leads the victim to a fake OneDrive portal. Upon clicking on the attachment, the victim is redirected to a fake Microsoft Office365 portal.
  • The researchers identified two domains behind the attack, one of which has all its information blocked or altered to show it is blocked due to GDPR requirements, concealing information on its registrant. The second domain is handled from an address in Texas. Both domains were updated 5 months ago, suggesting the campaign has been active for some time.



Gustuff banking trojan altered to increase threat

  • Researchers at Cisco Talos discovered that the developers behind the Gustuff trojan for Android made a series of alterations to the malware which increases its offensive capabilities and lowers its detection footprint. The malware continues to primarily target individuals in Australia and uses SMS messages as its chief infection method. 
  • When the malware was first detected in April 2019, it was primarily used to target banking and cryptocurrency wallets. The newer version, that the researchers examined, also targets hiring sites’ mobile applications and Australian Government websites.
  • To reduce its static analysis footprint, the malware operators removed hard-coded lists that were present in older versions of the virus. Additionally, the operators have added a ‘poor man scripting engine’ which allows them to ‘execute scripts while using its own internal commands backed by the power of JavaScript language’.
  • Despite the coverage that Gustuff is receiving, the researchers stated that its operators seem determined to continue developing and deploying the virus.  

Source (Includes IOCs)


Shikata Ga Nai payload encoding scheme still used by APTs

  • Researchers at FireEye found that advanced persistent threats (APTs) continue to use the Shikata Ga Nai (SGN) payload encoding scheme, which is included in the Metasploit framework, to modify existing malicious code to bypass defender’s detection systems.  Attackers can use SGN to improve the compatibility and obfuscation of their shellcode.
  • The researchers stated that they detect hundreds of SGN payloads per month. Notable groups who use SGN included APT20, APT 41, and FIN6. A full analysis of SGN is available via FireEye.

Source (Includes IOCs)


New Remcos RAT variant detected in the wild

  • Researchers at Fortinet identified a new campaign that delivers Remcos RAT via phishing emails. The emails appear to come from a valid domain and contain a password and ZIP file purporting to relate to payment advice. In actuality, the file is a Windows Shortcut. Users who open the file are prompted to enter the password from the body of the email.
  • When the password is entered, the attached file retrieves and executes a PowerShell script. The script then runs through a process which results in Remcos being dropped on the affected system.
  • Remcos can perform a number of functions including downloading and executing files, executing a keylogger, recording the target from audio input, and more. The malware communicates with it C2 server using RC4 to encrypt and decrypt traffic.

Source (Includes IOCs)


Leaks and Breaches

Home Group customer data potentially stolen in data breach

  • The Newcastle-based charity Home Group informed 4,000 of its customers of a data breach that lasted approximately 90 minutes and is believed to have resulted in data theft. Potentially stolen data includes customer names, addresses, and contact information. No financial data was stolen.



Private data of veterans exposed to Department of Veteran Affairs employees

  • An audit by the Department of Veteran Affairs’ Office of Inspector General (VA OIG) found that sensitive data belonging to veterans has been exposed internally on shared network drives, allowing around 25,000 Department of Veteran Affairs employees to access the data.
  • Some of the data dates back to 2016 and exposed data includes names, addresses, dates of birth, contact telephone numbers, disability claims information, and more. It is unclear how many veterans are affected.
  • The Veteran Affairs’ Data Breach Response Service did not class this incident as a data breach and impacted veterans were not informed. However, VA OIG stated that it could potentially expose veterans to fraud and identity theft. It recommended remedial training to users on the correct handling and storage of sensitive information.



Canada Post resets customer passwords following potential compromise in 2017

  • As of October 16th, 2019, Canada Post is resetting all online customer account passwords due to reports of a compromise of login credentials in 2017. Canada Post stated that the company itself did not suffer a cyberattack, but rather login credentials stolen in other data breaches have been used to gain access to Canada Post accounts. Customers who had their information compromised are notified directly.



NordVPN, TorGuard, and VikingVPN compromised by hackers

  • On October 21st, 2019, NordVPN released a statement acknowledging that they were involved in a security incident in March 2018. The company stated that an unauthorised party had gained access to a data centre where they were renting a server. The attacker accessed the server via an insecure remote management system.
  • The hacker stole a TLS key which could be used to perform man-in-the-middle attacks. The key was posted by an anonymous user on 8Chan in May 2018. The company stated that the key expired in October 2018.
  • The hacker on 8Chan also claimed to have root access to TorGuard, NordVPN, and VikingVPN servers. Gaining root access would allow the hacker to steal OpenVPN keys and configuration files which could be used to decrypt traffic.

Source 1 Source 2


Avast internal network accessed by hackers

  • On October 21st, 2019, Avast revealed that they were compromised by a hacker who was likely attempting to perform a supply chain attack by targeting their CCleaner antivirus software.
  • Avast first learned of the suspicious activity on September 25th, 2019, however, a subsequent investigation revealed that an unidentified attacker had been attempting to gain network access since May 14th, 2019.
  • The attacker was probing the network using a temporary VPN account which they had acquired the username and password for. Although the account did not have admin privileges, the attacker was able to acquire them by performing a privilege escalation attack.
  • Avast stated that the attack was ‘extremely sophisticated’ and that the unidentified perpetrator acted with ‘exceptional caution in order to not be detected’. It is not known if this recent incident is linked to an attack on CCleaner in 2017 which impacted the systems of 2.27 million users.



Autoclerk leak exposes details of hundreds of thousands of travellers

  • Researchers at vpnMentor identified an unsecured database that belonged to Autoclerk. The company, which was recently acquired by the Best Western Hotels and Resort Group, provides a combined reservation system for a range of companies in the travel and hospitality industry. Much of the exposed information belonged to these companies.
  • The database, which was hosted by Amazon Web Servers, held over 179GB of data and contained hundreds of thousands of booking details for customers worldwide. Exposed information included, names, phone numbers, addresses, masked credit card details, check-in times, room numbers, and more.
  • The leak also exposed the information of individuals related to the US government, US military, and the Department of Homeland Security. The researchers were able to see the travel plans and personal details of senior staff members such as US army generals travelling to Moscow, Tel Aviv, and other locations.
  • The researchers discovered the database on September 13th, 2019, and contacted US CERT on the same day. However, as US CERT did not respond, they contacted Pentagon representatives on September 26th, 2019. The database was closed on October 2nd, 2019.



Major German manufacturer hit by ransomware attack

  • Pilz GmbH & Co. KG, a German producer of automation tools, was targeted in a BitPaymer ransomware attack on October 13th, 2019, that impacted all servers and PC workstations globally. BitPaymer’s authors are known for targeting high-value targets.
  • As a response to the attack, all of the company’s locations across 76 countries were disconnected from the main network. The company has since restored its email service and product order and delivery systems, however, it continues to be unable to check orders. Production capabilities were not impacted.




RCE vulnerability found in nhttpd

  • A remote code execution vulnerability, tracked as CVE-2019-16278, was found in the open-source web server nhttpd, also known as Nostromo. All versions are vulnerable, including the latest release, version 1.9.6.
  • The flaw is present due to nhttpd failing to verify a URL and could allow an attacker to force the server points to a shell file and execute arbitrary commands. It is related to an old path traversal vulnerability, tracked as CVE-2011-0751, that could still be triggered despite a patch.



Flaw in Trend Micro’s antivirus could be exploited to run malware

  • Bug hunter John Page, also known as hyp3rlinx, discovered an arbitrary code execution flaw, tracked as CVE-2019-9491, in the Trend Micro Anti-Threat Toolkit (ATTK). It could allow an attacker to load and execute any arbitrary EXE file if it uses ‘cmd[.]exe’ or ‘regedit[.]exe’ as its filename. This could potentially allow attackers to run malware on devices running ATTK.



General News

Czech authorities uncover Russian espionage network

  • The head of the Czech counterintelligence service Michal Koudelka stated that Czech authorities had shut down a Russian espionage network that was attacking targets in the Czech Republic and abroad.
  • Koudelka said that the group had links with Russian intelligence services and were funded by Russia and the Russian embassy.



Criminals observed using Discord to conduct business

  • CBS News found numerous criminals using the Discord app as a platform to sell stolen credit card numbers, customer accounts, doxxing services, forged money, and malware. Additionally, security researcher Ryan Jackson also discovered OpenBullet, a tool modified by criminals to automate hacking tactics to crack accounts, being sold on Discord.
  • The chat application consists of a network of private and semi-private groups referred to as ‘servers,’ including the so-called ‘money servers’ that are used to sell stolen card data. This often also includes personal data such as email addresses, passwords, phone numbers and home addresses.
  • Popular items for sale are loyalty points from American Express, Hilton and Delta accounts on a server called ‘Nightmare Market,’ the name of a former dark web market that was taken offline in the spring of 2019. Depleting loyalty points is less likely to raise the attention of credit card warning systems and are often used to buy account credits, such as gift cards, or make purchases on Amazon, Hulu or Delta.
  • A Discord spokesperson stated that the company takes ‘immediate action, including content removal, banning users and shutting down servers’ when it becomes aware of any illegal activity on its platform.





The Silobreaker Team 

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Daily Alert – 21 February 2020

    Daily Alert: Data breach hits agency overseeing White House communications...
  • Threat Summary: 14 – 20 February 2020

    14 – 20 February 2020 Silobreaker’s Weekly Cyber Digest is a quantitative summary of our threat reports, published every Thursday. The reports are created...
  • Daily Alert – 20 February 2020

    Daily Alert: PhotoSquared data leak leaves 94.7GB of customer data exposed online including names, addresses...
View all News

Request a demo

Get in touch