Silobreaker Daily Cyber Digest – 23 August 2019
Asruex variant exploits old MS Office and Adobe vulnerabilities
- Researchers at Trend Micro discovered an Asruex variant that exploits the known vulnerabilities CVE-2012-0158 and CVE-2010-2883 to inject code into Word and PDF files.
- Asruex is known for its backdoor capabilities. This variant, however, can also act as an infector, which may throw off researchers who assume that the malware acts only as a backdoor.
- The variant has only been observed in the wild for a year, indicating that the threat actors purposely built it knowing that many users have not patched the MS Office and Adobe vulnerabilities. Users still running Adobe Reader 9.x versions earlier than 9.4 or Acrobat 8.x versions earlier than 8.2.5 remain vulnerable.
Source (Includes IOCs)
Researcher analyses APT34’s TwoFace webshell
- Security researcher Emanuele De Lucia analysed the TwoFace webshell, which has been associated with APT34. TwoFace comes with a loader that contains an embedded key and the webshell payload. The loader is used to decrypt the main webshell payload, which is a fully featured webshell that uses HTTP Cookie parameters to handle commands.
Source (Includes IOCs)
Malwarebytes publishes investigation into Bitcoin sextortion scams
- Researchers have stated that sextortion scams are on the rise and are becoming more creative. Email spam is used to contact potential victims; in the example shown, the extortionists falsely claim to have cracked the victim's email password and to have recorded both their webcam and their browsing while they watched pornographic material. They then demand $1000, to be paid in Bitcoin within two days, to keep the recordings secret.
- Malwarebytes followed the extortion chain and found that the perpetrators have made over 21.68 Bitcoin in a short period, with a current market value of $220,000.
Leaks and Breaches
Massachusetts General Hospital suffers data breach
- A data breach in the neurology department of the Massachusetts General Hospital exposed the private information of nearly 10,000 individuals participating in its research programmes. Exposed data includes names, dates of birth, medical record numbers and medical histories. Social Security numbers and financial data were not exposed.
Unprotected WeDidIt database exposes private data
- On July 11th, 2019, security researcher Jeremiah Fowler discovered an unprotected database belonging to the online fundraising platform WeDidIt, which contained millions of records, some of which included the private data of individuals. The database has since been secured.
- Exposed data included full names, user account numbers, home addresses, email addresses and more. IP addresses, ports, paths and storage information were also present, which malicious actors could use to gain deeper access into the network.
Ukrainian employees connect nuclear power plant to internet to mine cryptocurrency
- The Ukrainian Secret Service (SBU) is investigating a possible data breach at one of the country’s nuclear power plants after several employees connected parts of its internal network to the internet to mine cryptocurrency. The incident took place in July 2019 at the South Ukraine Nuclear Power Plant.
- Because nuclear power plants are considered critical infrastructure, the incident may be seen as a breach of state secrets. No arrests have been made.
Cardholder data from Hy-Vee breach found for sale
- Two sources who have spoken to KrebsOnSecurity have stated that card data stolen in the Hy-Vee breach is being sold on Joker's Stash under the code name 'Solar Energy'. The data was stolen via compromised restaurants, coffee shops and gas pumps owned by the supermarket chain. Hy-Vee-owned Market Grilles, Market Grille Expresses and Wahlburgers locations were also compromised.
- The Solar Energy sale comprises over 5.3 million cardholder accounts across 35 states, with each record selling for $17 to $35. A Hy-Vee spokesperson stated that the company is working with both payment card networks and banks to initiate heightened monitoring of affected accounts.
Public exploits available for Cisco Smart Switch vulnerabilities
- Following the patches for the critical remote code execution vulnerabilities CVE-2019-1913 and CVE-2019-1912 and the command injection issue tracked as CVE-2019-1914, Cisco has updated its advisory to inform customers that exploit code for these flaws has been made public. Even though Cisco PSIRT is not aware of malicious use of these vulnerabilities, it is strongly recommended that all users update their Cisco Small Business 220 Series Smart Switches to the latest firmware.
Vulnerabilities discovered in Squid Servers
- CVE-2019-12527 affects Squid versions 4.0.23 up to 4.7. It is caused by incorrect buffer management, which can lead to a heap overflow and remote code execution when a malicious actor sends a crafted HTTP request to a target server. Unsuccessful exploitation causes abnormal termination of the Squid process.
- The vulnerability was fixed with the release of Squid 4.8 in July 2019, and it is recommended to patch as soon as possible. A workaround for servers that are unable to patch has also been published.
Valve responds to bug bounty controversy
- Valve, the developer behind the Steam online gaming platform, has issued a statement saying that turning away researchers who found vulnerabilities in the product was a mistake. It has since updated its policy to include 'any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope.'
- This is likely in response to researcher Vasily Kravets, who found a vulnerability in Steam that allowed attackers to access privileged parts of the operating system.
Microsoft remains top target for phishers
- Vade Secure’s Phishers’ Favorites Q2 2019 report found that Microsoft remains the top target for phishing campaigns, with 20,217 unique Microsoft phishing URLs detected in the quarter. A variety of attacks were observed, including suspended account claims, links to OneDrive or SharePoint documents, voicemail recordings and faxes.
- The report also found a major increase in Facebook phishing, placing it third after Microsoft and PayPal, most likely due to a rise in social sign-on using Facebook accounts, which could allow an attacker to compromise multiple accounts.
80 individuals charged in large cyberfraud scheme
- A 252-count indictment from US federal prosecutors accuses 80 individuals in the US and Nigeria of laundering funds through a Los Angeles-based money laundering network in a massive fraud scheme that involved business email compromise frauds, romance scams and schemes targeting the elderly.
NCSC advises developers to stop using Python 2
- The UK National Cyber Security Centre has advised developers to move their Python 2.x codebases to Python 3.x, due to the upcoming end-of-life of Python 2, currently scheduled for January 1st, 2020. It warned that companies that do not migrate may end up in the same position as Equifax or WannaCry victims.
Israel eases cyber weapons export rules
- The Ministry of Defense of Israel changed some rules regarding the export of cyber weapons, including the addition of a marketing-license exemption that can be granted under certain conditions. The change is said to have gone into force a year ago.
- Whilst Israeli companies say that they ensure their technology is used for legitimate purposes, some human rights groups claim that Israel's controls on the sale of cyber weapons are inadequate and that its export licences have resulted in human rights abuses.
Lawsuit filed against StockX
- A lawsuit on behalf of a minor from Kansas and other minors affected by the StockX hacking has been filed in the US District Court. The lawsuit accuses StockX of having been slow in informing users that their private data had been stolen.
Researchers observe increase in drive-by malvertising
- Researchers at RiskIQ observed a 186% increase in drive-by malvertising in the past six months. Drive-by malvertising is a method that does not require a user to click. An increase in malware instances was also detected, whilst a decrease in phishing and scams was observed.
Instagram hoax claims private data could be made public
- A fake post stating that Instagram will implement new policies allowing the company to make users' private data public is spreading online. Instagram has assured its users that no changes to their content rights are being made.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.