Threat Reports

Silobreaker Daily Cyber Digest – 23 May 2019



Decryptor released for newly discovered GetCrypt ransomware

  • A threat analyst known as ‘nao_sec’ discovered a new ransomware called GetCrypt that is being installed via malvertising campaigns that redirect victims to the RIG exploit kit. Following its discovery, Emsisoft released a free decryptor for the ransomware.
  • Security researcher Vitali Kremez analysed the ransomware and found that, once installed, GetCrypt will check if the Windows language is set to Ukrainian, Belarusian, Russian or Kazakh. If any of these languages are detected, the ransomware will terminate.
  • GetCrypt will also ‘utilize the WNetEnumResourceW function to enumerate a list of available network shares’ in an attempt to encrypt files on these shares. If it fails to connect to a share, it will attempt brute force credentials for the shares and mount them using the WNetAddConnection2W function.  

Source 1 Source 2


Alphabet’s Chronicle analyses signed malware exploited in the wild

  • Chronicle recently investigated signed malware present in Windows PE Executable files. Executable files in Windows are signed by trusted certificate authorities (CAs), backed by a trusted parent CA, to guarantee its authenticity. Malware authors, however, have been purchasing and abusing such certificates.
  • The investigation found a total of 3,815 malware samples, of which ‘100 or more malware samples account for nearly 78% of signed samples’.
  • The only solution to a compromised certificate is for the CA to revoke it, which happens regularly according to Chronicle.



Ongoing Campaigns

ESET researchers analyse APT28 backdoor

  • ESET researchers released new analysis of APT28’s Zebrocy Delphi backdoor, focusing on what the operators do post-compromise. The report focuses on a campaign from August 2018 in which phishing emails were used to distribute shortened URLs that delivered the first stage of Zebrocy components.
  • The researchers found that the operators run commands manually to collect information from infected systems, such as documents, pictures, or databases stored by web browsers and email clients.

Source (Includes IOCs)  


Rise in instances of Emotet banking ransomware detected

  • Seqrite researchers detected a growing number of daily intrusions by Emotet banking malware since 2018. The malware is delivered via phishing emails and proves problematic to remove due to it polymorphic, self updating and spreading capability.
  • Emotet attempts to access financial data by password stealing, email harvesting and spamming.
  • Additionally, Emotet also deploys other malwares such as Qakbot, TrickBot and Ryuk Ransomware in order to maximise disruption.



Krebs On Security published report on the use of legal threats in phishing lures

  • Brian Krebs analysed a recent spam campaign that sent fake legal threats including malware to over 100,000 business email addresses. The scams typically state that the recipient is being sued and instructs them to review the attached file.
  • The emails were sent to two antivirus firms, with attached malicious Microsoft Word files, using a phishing kit that was being traded on the dark web, that allows you to choose from five malicious Microsoft Word documents. In this instance the trojan was used to drop an unreported malware.
  • The scam used a spoofed law firm domain that redirects to the website for a legitimate, Connecticut based law firm, RWC LLC.



Unit 42 publishes analysis on Shade Ransomware

  • Palo Alto Networks’ Unit 42 research shows the top countries affected by Shade Ransomware are the United States, Japan, India, Thailand and Canada. Shade Ransomware, also known as Troldesh, was first spotted in late 2014 and is distributed via malspam and exploit kits.
  • Recent reports have focused only on the ransomware’s distribution via Russian-language emails, which suggests that most of the activity can be found in Russia and former Soviet Union countries. Unit 42’s research, however, found that the majority of URLs hosting Shade Ransomware executables were reported outside Russian language countries.
  • The most frequently targeted sectors are High Tech, Wholesale and Retail, and Education.



Millions stolen from San Francisco Bay Area residents in SIM swap scams

  • NBC Bay Area reported that more than 800 US residents have fallen victim to SIM Swap scams since early 2018 amounting to a loss of $50 million. San Francisco Bay Area in particular saw a large amount of SIM Swap activity, with more than 50 victims losing $35 million.
  • Joel Ortiz, arrested for his involvement in a string of cyber heists, is the first SIM swapper to be sentenced to prison time in the United States. Further cases in the San Francisco Bay Area are pending.



US Air Force opens investigation into a malware infection

  • The US Air Force opened an investigation into an alleged cyber intrusion by a US Navy prosecutor. The investigation concerns US Air Force lawyers defending a US Navy Seal over war crimes.
  • A US Navy prosecutor allegedly planted malware onto the devices of US Air Force lawyers and the editor of the Navy Times via emails containing hidden tracking software. According to Air Force Times, the US Navy prosecutor suspected information had been leaked to the Navy Times editor.



Leaks and Breaches

Truecaller allegedly suffers data breach

  • The Economic Times reported that call identity app Truecaller has suffered a data breach which they claim exposed the personal data of users. The exposed data allegedly includes names, phone numbers and email addresses of users.
  • The Economic Times claims that user information is for sale on the dark web and that the data of Indian users is selling for €2000 and the information of global users is selling for €25,000.
  • Truecaller refutes the claim, stating that ‘We would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users financial or payment details’



Redtail Technology customer data exposed

  • Redtail Technology confirmed a data leak took place on March 4th, 2019. According to the company’s CEO Brian McLaughlin, less than 1% of its clients were affected.
  • Further details concerning the exact number of affected customers, the data in question and whether the data was accessed by unauthorised parties are not known.



Travel plans of Israeli Prime Minister, government officials and security agents leaked

  • An anonymous hacker reported to Calcalist that they had gained access to the travel details of Israeli officials via a compromised database of an online platform used by Israeli travel agents. The database also contained the information of millions of Israeli citizens.  
  • Information contained in the database included the details of 36 million booked flights, 15 million passengers, over 1 million hotel bookings and 700,000 visa applications.
  • The information was passed to the Israeli National Cyber Directorate and the breach has been addressed.




ActiveX Controls in South Korean websites affected by critical vulnerabilities

  • Risk Based Security discovered several critical flaws in South Korean ActiveX controls, that are still used by several government sites due to a 20-year-old law that requires the use of Internet Explorer with ActiveX running. Microsoft no longer supports ActiveX in Microsoft Edge.
  • According to experts at IssueMakersLab, from 2007 to 2018 North Korea linked attacks have exploited a large number of zero-day flaws in ActiveX. Due to this, the law invoking mandatory use of ActiveX controls was lifted, however several websites continue to use them.
  • During analysis undertaken since January 2019, 40 flaws have been discovered across 10 of the most popular controls. These include buffer overflow flaws and unsafe exposed functionality, that allows the execution of code on other people’s systems.



More Windows zero-day exploits released

  • On Wednesday 22nd May, a developer known as SandBoxEscaper released a privilege escalation code exploiting a flaw in Windows Error Reporting service that allows attackers to modify files to which they normally wouldn’t have access.
  • Another exploit was released for Internet Explorer 11 that allows attackers to execute JavaScript that runs higher system access than normally permitted by the browser sandbox.
  • These two exploits follow another zero-day exploit for a local privilege escalation flaw in Windows Task Scheduler that SandBoxEscaper released on Tuesday, May 21st.



Critical flaws in Khan Academy could allow account takeover attacks

  • Two critical cross-site request forgery (CSRF) flaws have been discovered in Khan Academy’s website that could be exploited to perform account takeover attacks. The flaws were the result of a lack of CSRF tokens, which are used to double-check account log-in requests to ensure there aren’t CSRF attacks.
  • One of the flaws could have allowed an attacker to takeover accounts that were created using the Google or Facebook login option, and the other could have allowed an attacker to takeover any unconfirmed account on Khan Academy.
  • The flaws were resolved by adding a CSRF token check to the password-change request.



XXS flaw discovered in Slimstat WordPress plugin

  • The flaw could be exploited to allow a malicious user to inject arbitrary JavaScript code on the plugin access log function. An attacker could forge an analytics request by pretending their browser has a specially crafted plugin to inject arbitrary code on the plugin access log.



General News

Authorities take down Bestmixer[.]io cryptocurrency laundering service

  • The Dutch Fiscal Information and Investigation Service, in cooperation with the Europol and authorities in Luxembourg, took down one of the three largest cryptocurrency mixing services Bestmixer[.]io.
  • The service was launched in May 2018 and allegedly achieved a turnover of at least $200 million. It offered customers services for laundering their Bitcoins, Bitcoin Cash, and Litecoins.



US considers barring Chinese video surveillance firms from US components and software

  • According to Bloomberg, the Trump administration is considering blacklisting Chinese firms Megvii, Zhejiang Dahua Technology Co, Hangzhou Hikvision Digital Technology Co, Meiya Pico, and Iflytek Co Ltd. The blacklist will prevent them from buying American components and software for their surveillance technologies.
  • The potential ban comes as a response to the companies’ involvement in the surveillance and mass detention of Uighurs, a mostly Muslim ethnic minority.



Financial Conduct Authority claims that £27 million was lost in the UK to crypto scams last year

  • The UK financial regulator warned that £27 million (approximately $34 million) was lost to cryptocurrency and foreign exchange investment scams that promised high returns.



A year after GDPR instigated 145,000 complaints have been registered

  • The complaints have led to several penalties for companies such as Google, who were targeted by France and made to pay a 50 million euro fine for failing to inform users on how their data was used.



EU gains new powers to respond to cyber-attacks

  • Ministers of the EU are able, for the first time, to impose asset freezes and travel bans on individuals, firms and state bodies that are involved in cyber-attacks. Sanctions on these entities will be considered if the cyber-attack is thought to have had a significant impact.



G Suite users’ purchases also tracked

  • According to Bleeping Computer, a Reddit user found that when a user uses Google’s Takeout service and exports ‘Purchases & Reservations’, all purchase receipts and confirmations sent to their G Suite inbox will be part of the downloaded archive in JSON format. This confirms that purchase history is being collected for paid G Suite accounts even though the information isn’t displayed on the accounts’ Purchases page.
  • This report follows Bleeping Computer’s finding that purchase information is also being scraped and collected from users’ Gmail inboxes.



Spotify resets passwords for some accounts due to ‘suspicious activity’

  • Spotify reset the passwords of a select number of accounts, informing its users of ‘detected suspicious activity.’ According to Spotify’s statement given to TechCrunch, the company experienced a credential stuffing attack. TechCrunch has raised doubts to its accuracy.



Edmonton Economic Development Corporation files lawsuit following phishing scam

  • The EEDC filed a lawsuit to recover $375,000 plus $225,000 in damages following a phishing scam that began on October 31st, 2018.
  • The EEDC received an email from a compromised Edmonton Regional Airport Authority account which requested payment by wire transfer on November 27th, 2018. Following the payment, the EEDC were informed that the transaction was flagged as suspicious.
  • The EEDC filed the suit against a numbered company and its incorporator Sithira Pranavan Arutjothy.



Deutsche Telekom records growing number of cyber attacks

  • Research by Deutsche Telekom recorded 46 million daily attacks on its honeypots by the beginning of April 2019. For the same period last year, the average daily attack figure was recorded as 12 million.
  • Additionally, research showed that 51% of attacks were aimed at compromising network security, 26% were concerned with taking control of another computer while a further 7% were aimed at compromising passwords.
  • Botnet attacks also rose from 330 billion fired data packets in April 2018, to 5.3 trillion data packets in April 2019.



German data protection authorities impose fines totaling €449,000 over GDPR breaches

  • 75 personal data breach cases have been reported since GDPR came into effect on May 25th, 2018.
  • GDPR fines have been issued in six of the sixteen federal states. Seven cases were reported in Baden-Wurttemberg where fines totalled €203,000.
  • The fines often related to GDPR violations such as inadequate organisational security, non-compliance with information duties and unauthorised marketing emails.



UK invests £22 million in new cyber-operations center for British army

  • The facility, set to open in 2020, will aim to bridge the gap between the abilities of the security service and the military.
  • Foreign Secretary Jeremy Hunt is also due to talk today at the NATO Cyber Defence Pledge Conference. He is expected to focus on the global threat that Russia poses to critical infrastructure and government networks.
  • This follows the recent addition of ‘Cyber’ as a legitimate military domain by NATO.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 20 September 2019

      Malware Agent Tesla leveraged in email campaign Discovered by Xavier Mertens, the email campaign attempts to deliver an ACE archive labelled ‘Parcel Frieght...
  • Silobreaker Daily Cyber Digest – 19 September 2019

      Malware Ramnit returns with new capabilities Researchers at RSA Security observed several changes in the functionality, targets and methods of distribution of Ramnit....
  • Silobreaker Daily Cyber Digest – 18 September 2019

        Malware New TSCookie variant uses new configuration and communication protocols Researchers at Japan’s Computer Emergency Response Team Coordination Center observed a new...
View all News

Request a demo

Get in touch