Silobreaker Daily Cyber Digest – 23 January 2019
New ransomware family Anatova discovered on private peer-to-peer network
- McAfee researchers discovered a new ransomware family, dubbed Anatova, that encrypts files and then demands a ransom of $700 in DASH cryptocurrency from victims.
- The ransomware disguises itself as a game or application in order to trick users into downloading it.
- Anatova checks the system’s language before encrypting files in order to avoid targeting users in CIS countries, Syria, Egypt, Morocco, Iraq and India.
Source (Includes IOCs)
JobCrypter ransomware variant observed using new encryption routines
- Trend Micro reported that a JobCrypter variant is using new encryption routines, as well as featuring the ability to email a screenshot of the victim’s desktop screen via SMTP.
- Unlike most ransomware, which writes encrypted copies to new files and then deletes the originals, this variant ‘prepends the ransom note with the encrypted file’, so the note and the encrypted content share a single file.
- JobCrypter requests a ransom payment of an estimated $1350 in order to decrypt files.
Doctor Web detects AZORult stealer in cryptocurrency mining tool
- The tool was observed being distributed on English-language forums dedicated to cryptocurrency mining. According to Doctor Web, the tool mines as advertised, but it also silently installs the AZORult stealer in the background. AZORult then harvests users’ private data, including passwords for cryptocurrency wallets.
Weaknesses in GoDaddy let bomb threat scammers hijack thousands of domains
- An investigation into the bomb-threat spam emails of 13 December 2018, which caused mass evacuations, closures and lockdowns mainly in Canada and the US, has revealed that the spam abused a weakness at GoDaddy that enabled the scammers to hijack more than 78 domains belonging to Expedia, Mozilla, Yelp and others.
- The same weakness allowed the scammers to hijack thousands of other domains belonging to well-known organisations, which were used in further malicious email campaigns.
- Sending from many hijacked domains at once is known as ‘snowshoe spamming’: the sending is spread thinly across a large number of domains and IP addresses so that no single sender accrues enough bad reputation to trip the reputation-based metrics that spam filters rely on, and the reputable hijacked domains lend the messages credibility.
Lookout researchers discover mobile surveillance effort run by state intelligence agency
- The researchers discovered the surveillance effort while analysing the C&C infrastructure behind a piece of malware. They found iOS, Android and Windows versions of the malware, as well as WhatsApp data uploaded from a targeted phone.
- The phone belonged to a member of the state-backed surveillance operation itself, and the uploaded data included a full contact list for the actors, details of their interactions with commercial hacking companies, and evidence of their decision to build their own malware.
- Lookout has not revealed who the creators of the malware are, in order to continue gleaning information about the campaign.
Leaks and Breaches
Hackers broadcast nuclear missile attack prank through Nest security camera
- A couple based near San Francisco were startled when their Nest camera broadcast a realistic-sounding alarm warning that North Korean nuclear missiles were heading for the United States. A hacker had taken control of the camera’s built-in speaker to play the message.
- Nest’s parent company Alphabet stated that the firm was not breached and that the incident resulted from customers reusing passwords that had already been exposed in other websites’ data breaches, i.e. credential stuffing against Nest accounts.
License plate recognition devices exposed online
- TechCrunch discovered that over 150 automatic license plate recognition (ALPR) devices from multiple manufacturers were exposed to the internet and searchable online. Most of the devices were still using default passwords and were therefore easily accessible.
Unsecured Elasticsearch server exposes information on AIESEC job applicants
- Researcher Bob Diachenko discovered an unprotected Elasticsearch database belonging to AIESEC, a large global youth-run non-profit organization.
- The exposed data included 4 million applications for AIESEC internships containing applicants’ sensitive information, such as email addresses, full names, dates of birth, detailed descriptions of their reasons for applying to AIESEC, and interview details.
Adobe patches vulnerabilities in Adobe Experience Manager
- The patches resolve one moderate and one important cross-site scripting vulnerability (CVE-2018-19727 and CVE-2018-19726 respectively), each of which could result in sensitive information disclosure.
Remote code execution flaw in APT Linux package manager patched
- Researcher Max Justicz discovered the flaw, tracked as CVE-2019-3462, in APT, the high-level package manager used by Debian, Ubuntu and related Linux distributions.
- The flaw could permit a man-in-the-middle attacker on the path between a machine and its package mirror to execute arbitrary code as root on that machine whenever it installs any package, because APT fetches packages over plain HTTP by default and relies on its own hash verification. The vulnerability has since been patched; because the fix itself is delivered through APT, Debian’s advisory recommends disabling HTTP redirects while updating (‘apt -o Acquire::http::AllowRedirect=false update’ followed by the corresponding upgrade command) so the update cannot be intercepted in the same way.
Windows Contacts app remote code execution flaw patched
- A micropatch addressing the flaw was issued by 0patch. The flaw affects Windows versions from Vista to 10.
- The vulnerability lies in the way VCF and CONTACT files, which store contact information, are processed on vulnerable systems. An attacker can craft a contact file whose embedded link points at a malicious payload placed in a sub-directory alongside the file; the payload is executed when the user clicks the link inside the contact.
Apple fixes several security flaws in iOS, macOS, and more
- Updates have been released for flaws in iCloud, Safari, macOS Mojave, High Sierra and Sierra, tvOS 12.1.2 and iOS 12.1.3. The updates include fixes for code execution, privilege escalation and information disclosure flaws.
- CVE-2019-6200 is a Bluetooth flaw fixed in iOS 12.1.3 that could allow an attacker to achieve remote code execution. CVE-2019-6206, also fixed in iOS 12.1.3, is notable because it allowed password autofill to fill in passwords after they had been manually cleared. Lastly, CVE-2019-6224, fixed in iOS 12.1.3, permits a remote attacker to initiate a FaceTime call that causes arbitrary code execution.
- Flaws fixed in macOS include CVE-2018-4467, a hypervisor bug that could allow an application to elevate privileges, and CVE-2018-4452, which could allow arbitrary code execution with kernel privileges through the Intel graphics driver.
265 security researchers take down 100,000 malware distribution websites
- The 265 researchers from around the world combined their efforts in a project named ‘URLHaus’, led by the non-profit cyber security organisation abuse.ch and dedicated to sharing URLs used in malicious campaigns. The project has so far taken down nearly 100,000 websites engaged in malware distribution.
- The malware most frequently distributed through the websites reported to URLHaus was Emotet.
DHS issues emergency directive to prevent DNS Hijacking
- The directive requires all US agencies that operate an agency-managed domain to audit their DNS records and servers to verify that hostnames resolve to the correct IP addresses. In addition, they are required to harden the security of the accounts and passwords used to manage those DNS records.
- The directive follows the US Department of Homeland Security (DHS) discovering an ongoing campaign in which attackers tamper with DNS infrastructure by stealing credentials and ‘using them to redirect government hostnames to IP addresses under the attacker’s control’.
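The first requirement above, checking that each hostname still resolves to the addresses the owner expects, is simple to automate. The following is an added example and not part of the digest or the directive: it compares a baseline of expected addresses against observed answers and flags the hijack pattern (a hostname answering with an address outside the baseline), hostnames that no longer resolve, and hostnames nobody is tracking. The hostnames and addresses are constructed sample data; live lookups use only the standard library, so only A/AAAA answers are checked, and NS/MX comparisons (which a real audit should include) would need a DNS library such as dnspython.

```python
"""Baseline-versus-observed DNS audit (added example; constructed data)."""
import socket
from typing import Dict, List, Set

# Constructed baseline: the addresses each hostname is expected to return.
# Hostnames and addresses are hypothetical (documentation ranges).
EXPECTED: Dict[str, Set[str]] = {
    "www.agency.example": {"198.51.100.10", "198.51.100.11"},
    "mail.agency.example": {"198.51.100.25"},
    "vpn.agency.example": {"203.0.113.5"},
}


def resolve(hostname: str) -> Set[str]:
    """Return the A/AAAA answers for hostname via the system resolver.

    An unresolvable name yields an empty set rather than an exception so that
    the audit can report it as a finding alongside the others.
    """
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(expected: Dict[str, Set[str]],
          observed: Dict[str, Set[str]]) -> List[str]:
    """Compare observed answers against the baseline and return findings.

    Flags: any answer outside the baseline (the hijack pattern), a hostname
    with no answer at all, and an observed hostname absent from the baseline.
    A subset of the baseline (round-robin returning one of two addresses)
    is not flagged, since that is normal resolver behaviour.
    """
    findings: List[str] = []
    for host, want in expected.items():
        got = observed.get(host, set())
        if not got:
            findings.append(f"{host}: no answer (expected {sorted(want)})")
            continue
        extra = got - want
        if extra:
            findings.append(f"{host}: unexpected address(es) {sorted(extra)}")
    for host in sorted(observed.keys() - expected.keys()):
        findings.append(f"{host}: not in baseline, add it or remove the record")
    return findings


def audit_live(expected: Dict[str, Set[str]]) -> List[str]:
    """Resolve every baseline hostname now and audit the real answers."""
    return audit(expected, {host: resolve(host) for host in expected})


if __name__ == "__main__":
    # Constructed observation: mail.* redirected to an attacker-controlled
    # address and vpn.* no longer resolving, as a hijack would look.
    observed = {
        "www.agency.example": {"198.51.100.10", "198.51.100.11"},
        "mail.agency.example": {"192.0.2.66"},
        "vpn.agency.example": set(),
    }
    for finding in audit(EXPECTED, observed):
        print(finding)
```

Run it on a schedule from a host that is not itself behind the DNS being audited, and keep the baseline under version control so that a legitimate change to the baseline is itself reviewed; the second requirement of the directive (hardening the registrar and DNS-provider accounts, ideally with multi-factor authentication) is what prevents the baseline from being silently rewritten at the source.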
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.