Silobreaker Daily Cyber Digest – 23 October 2019
Researchers observe new ransomware-as-a-service dubbed Project Root
- Researchers at SentinelOne discovered a new ransomware-as-a-service (RaaS) called Project Root, being offered for both Windows and Linux systems, with support for Android to come soon. Its payloads are written in Golang, similar to previously observed RaaS like LockerGoga, allowing them to bypass traditional signature-based detection and static machine-learning detection engines.
- Project Root is advertised as two versions that require an ‘up front’ payment. The standard version can generate unlimited ‘basic’ payloads via the sellers’ portal and includes management and key distribution components. The ‘Pro’ version, officially launched on October 17th, 2019, promises ‘better support, longer term of free updates and increased evasion options,’ as well as full access to the source code.
- The researchers observed that up until around October 14th, 2019, the payloads did not work, making the RaaS appear to be a scam. However, since then the payloads have been functional.
Source (Includes IOCs)
New virus sample may be part of BadPatch malware set
- Researchers at Fortinet analysed a recently discovered ‘multi-component python-compiled’ malware sample, dubbed B3hpy. The malware shares strong similarities with tools that were used in the BadPatch campaign. The BadPatch campaign was first reported in 2017 and was potentially carried out by the Gaza Hackers group, who have actively targeted the Middle East since 2012.
- The researchers analysed a sample of the malware which had been uploaded to VirusTotal. The sample is an SFX (self-extracting) executable which contains a decoy document and a file designed to execute on 64-bit Windows machines.
- When the malware is installed on the target’s device it steals files, takes screenshots, steals passwords and more. Stolen data is exfiltrated to the attacker via SMTP. The researchers found that 96% of the malware victims reside in Palestine.
Source (Includes IOCs)
Cache Poisoned Denial of Service attack used to knock websites offline
- Researchers at the Technical University of Cologne developed a new attack, dubbed Cache Poisoned Denial of Service (CPDoS), which can be used to take legitimate websites offline by poisoning content delivery networks (CDNs). CDNs store cached copies of websites and are widely used to alleviate pressure on web servers.
- The attack works by repeatedly sending a request containing a malicious oversized HTTP header to a website until the request generates a new CDN cache entry. The CDN passes the malicious header through to the legitimate site, at which point the header causes the web server to fail and return an error page. This error page is cached by the CDN and served to other visitors. As the cached error spreads to other nodes of the CDN’s network, it produces an apparent outage of the legitimate site.
- The researchers developed three variants of this attack which focused on HTTP Header Oversize, HTTP Meta Character, and HTTP Method Override. The team also demonstrated the feasibility of the attack by launching it against a site’s CDN server and tracking it across the CDN provider’s network.
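The following toy simulation is an added example, not code from the Silobreaker digest or the Cologne researchers: a constructed origin server rejects oversized headers with an error page, and a constructed edge cache keyed by path only is run under two policies, one that stores every response (the behaviour the attack relies on) and one that refuses to store 4xx/5xx responses. The header size limit, paths and header names are all made up for the example.

```python
from dataclasses import dataclass, field

MAX_HEADER_BYTES = 8192  # constructed origin limit; real servers vary


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, headers: dict) -> Response:
    """Constructed origin: an oversized header set yields an error page."""
    total = sum(len(k) + len(v) for k, v in headers.items())
    if total > MAX_HEADER_BYTES:
        return Response(400, "Bad Request: request header too large")
    return Response(200, f"Welcome to {path}")


class Cdn:
    """Toy edge cache keyed by path only; request headers are forwarded as-is."""

    def __init__(self, cache_errors: bool):
        self.cache_errors = cache_errors  # True reproduces the vulnerable policy
        self.cache = {}

    def fetch(self, path: str, headers: dict) -> Response:
        if path in self.cache:
            return self.cache[path]  # served from cache, origin not consulted
        resp = origin(path, headers)
        # Hardened policy: never store 4xx/5xx responses, so one malformed
        # request cannot populate the cache with an error page for everyone.
        if resp.status < 400 or self.cache_errors:
            self.cache[path] = resp
        return resp


def status_seen_by_visitor(cache_errors: bool) -> int:
    """Replay the scenario: one oversized request, then an ordinary visitor."""
    cdn = Cdn(cache_errors)
    oversized = {"X-Oversized-Header": "A" * (MAX_HEADER_BYTES + 1)}  # constructed
    cdn.fetch("/index.html", oversized)
    return cdn.fetch("/index.html", {"User-Agent": "ordinary-browser"}).status


if __name__ == "__main__":
    print("error pages cached     ->", status_seen_by_visitor(True))   # 400
    print("error pages not cached ->", status_seen_by_visitor(False))  # 200
```

The same check is worth running against a real edge configuration: send one malformed request, then fetch the same URL from a clean client and confirm the cache does not hand back the error.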
MedusaLocker ransomware infects victims worldwide
- In mid-October 2019 researchers at MalwareHunterTeam uncovered a new ransomware, dubbed MedusaLocker. Since its initial discovery the malware has steadily infected a stream of users worldwide.
- Following infection, the method of which is unclear, the ransomware creates registry values and sets a registry key to enable access to mapped drives. MedusaLocker then restarts LanmanWorkstation to ensure that mapped network drives are accessible and that Windows networking is running.
- The virus then terminates security processes, clears shadow volume copies and begins the encryption process. Files are encrypted with an AES key, which is in turn encrypted with an RSA-2048 public key embedded in the ransomware executable. A ransom note is then left on the victim’s system. At the time of writing no decryption key is available for MedusaLocker.
Source (Includes IOCs)
Domain analysis shows potential link between Magecart Group 5 and Carbanak APT
- Researchers at Malwarebytes identified a set of domains associated with Magecart Group 5 that were registered with an email address that was also associated with domains that were used in a number of Dridex phishing campaigns. The Carbanak group are believed to be responsible for the Dridex attacks.
Source (Includes IOCs)
Leaks and Breaches
The Heat Group hit by ransomware attack
- On October 20th, 2019, the cosmetic company The Heat Group was hit by a ransomware attack that impacted the company’s computer systems and prevented the shipping of products.
- The attackers demanded a ransom of $40,000 in Bitcoin; however, this was not paid. According to the founder, Gillian Franklin, she was initially open to paying the ransom until it became clear that the attackers had lost some of the company’s files. Instead, the company’s IT team is now working on restoring the systems. The attack is said to have cost the business $2 million.
Multiple medical databases discovered leaking sensitive data of millions
- Wizcase researchers discovered nine unsecured medical databases exposing sensitive data of millions of patients, some of which belong to third-party companies providing data management and insight for medical institutions. All databases were accessible without a password. Some of the databases have since been secured, while others remain exposed.
- The databases belong to Biosoft from Brazil, Canada’s ClearDent, Essilor in France, Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Saudi Arabia’s Stella Technology, DeepThink Health and VScript in the US, and Tsinghua University Medical College and Sichuan Lianhao Technology Group Co. Ltd in China.
- Exposed data includes patient names, addresses, Social Security numbers, email addresses, and phone numbers. It also includes employee information, research-related information, medical observations, prescriptions, and more.
Kalispell Regional Healthcare data breach could affect 130,000 patients
- Kalispell Regional Healthcare is informing its patients of a phishing attack, first discovered in August 2019, that may have exposed private data of up to 130,000 patients. The data may have been accessed since May 24th, 2019.
- Exposed information includes patient names, addresses, and in some cases Social Security numbers, and medical information. The hospital does not believe any information has been misused.
Malaysia’s National Neurology Registry website exposes personal data of patients
- According to an anonymous source speaking to Free Malaysia Today, the private data of 17,000 patients was exposed on a website belonging to Malaysia’s government-linked National Neurology Registry. Exposed patient data includes NRIC numbers, phone numbers, addresses, and more.
- The data leak is due to an HTML scripting error, which exposed a link to the database together with its required username and password. All data is downloadable and editable, and the link to the database appears in Google search results.
Financial service provider Billtrust impacted by ransomware attack
- On October 17th, 2019, Billtrust was affected by a malware attack which resulted in disruption to the company’s services. The company provides a cloud-based service which allows companies to deal with their finances. BleepingComputer reported that the ransomware strain that impacted the company was Bitpaymer, however, this has not been confirmed.
- In conversation with KrebsOnSecurity, Billtrust CEO Steven Pinado said that the company was in the process of restoring its services. Pinado would not comment on the details surrounding the attack, and declined to disclose whether a ransom had been paid to obtain a decryption key.
Religious website builder Clover Sites Inc. exposes customer data for second time
- On May 22nd, 2019, researchers at Security Discovery identified an exposed database that belonged to Clover Sites. The database had been exposed for at least 6 to 7 months and contained 65,800 records, accounting for all of the company’s customers, both past and present. Exposed details included names, billing information, and the last four digits of customers’ credit card numbers. The database also exposed internal information such as IP addresses, customer email communications, and other details.
- This is the second incident in which Clover Sites have exposed their full database of customers. The first exposure was also discovered by Security Discovery and reported to the company in April 2019.
- The database that was discovered in May remained open until the researchers contacted Clover Sites’ parent company Ministry Brands LLC in early October 2019.
OpenBSD contains TCP SACK vulnerability
- Researchers at Check Point identified a vulnerability, tracked as CVE-2019-8460, in OpenBSD. A malicious actor can exploit the flaw to force the OpenBSD kernel to ‘create long chains of TCP SACK holes that cause very expensive calls to tcp_sack_option() for every incoming SACK packet’. An attacker who successfully performs this attack can cause a denial of service condition.
Vulnerability in WordPress Bridge theme that has been downloaded more than 120,000 times
- Researchers at Wordfence discovered an open redirect vulnerability in the Bridge theme for WordPress. The flaw exists in two of the theme’s pre-packaged helper plugins, Qode Instagram Widget and Qode Twitter Feed, both of which contain redirect scripts that permit open redirects.
- An attacker could exploit the vulnerability to launch a spearphishing attack against the site’s administrator. The issue has since been patched by the Bridge developer Qode Interactive.
Iranian hackers believed to be behind campaign targeting US satellite companies
- According to The Daily Beast, court documents suggest that the FBI believes Iranian hackers are responsible for breaching computers belonging to US satellite companies. The Iranian Dark Coders Team, believed to be a collection of freelancers and responsible for multiple website hackings, is said to be behind the campaign.
- The campaign involved the threat actors sending spear phishing emails purporting to be from the satellite imagery firm DigitalGlobe. The emails contained links to a website offering downloads of a legitimate-looking app for finding satellite orbits. In another attempt, the threat actors used the compromised email address of a geology professor to send the spear phishing email, which asked the recipient to download and test a parallel image-processing application hosted on Dropbox.
- The reason behind the campaign remains unclear. The US Department of Justice has not commented on the matter.
Spanish Police arrest three people over multimillion-euro BEC scam
- The Guardia Civil arrested three people who were allegedly involved in a business email compromise (BEC) scam that stole approximately €10.7 million from 12 companies. The group’s activities impacted organisations in the UK, Chile, Belgium, Venezuela, Bulgaria, the US, Norway, Germany, Luxembourg, and Portugal.
- Prosecutors assert that the accused, who reside in provinces across Spain, created 83 companies and 185 bank accounts to launder the stolen funds. So far, authorities have recovered €1,290,000 that was spread across 16 accounts.
- The arrests form part of Operation Lavanco, which was launched in 2016, and involved multiple law enforcement agencies, such as Interpol, Europol, and the FBI.
Amazon Web Services’ DNS impacted by DDoS attacks
- On October 22nd, 2019, Amazon Web Services’ DNS systems were impacted by a DDoS attack from an unknown source. Amazon stated that certain back-end hosted systems, such as S3 buckets, were temporarily impacted.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.