Silobreaker Daily Cyber Digest – 23 September 2019



Stop ransomware leads as most active ransomware over the past year

  • According to Bleeping Computer, Stop was the most actively distributed ransomware in the wild over the last year, with over 159 variants observed so far.
  • The ransomware is distributed via sites promoting fake software cracks or free programs. These ‘cracks’ and ‘programs’ are in fact adware bundles that install various unwanted software and malware onto user devices. Some of these bundles also deliver AZORult Stealer alongside Stop.



Ongoing Campaigns

New spear phishing campaign impersonates VC and PE firms

  • PhishLabs researchers detected a new phishing campaign targeting the Office 365 credentials of high-value targets by impersonating venture capital (VC) and private equity (PE) firms. So far it has been observed impersonating two firms, Crossplane Capital and Edgemont Partners.
  • The campaign involves emails containing attachments disguised as NDA forms that redirect targets to a phishing site posing as Box, a popular file-sharing site. Victims are instructed to log in with their Office 365 accounts to download the document.

Source (Includes IOCs)


Fake trading app observed containing malware and stealing user information

  • Trend Micro researchers discovered a fake app containing malware that disguised itself as the legitimate Mac-based trading app Stockfolio.
  • When executed, the app displays a functioning trading app interface while harvesting user information in the background, including username, IP address, file system disk space usage, wireless network information, screenshots, and more. It then uploads the stolen information to a website.
  • The researchers identified two variants of the malware: the first is tracked as Trojan.MacOS.GMERA.A and the second as Trojan.MacOS.GMERA.B.

Source (Includes IOCs)


Campbell County Health hit in ransomware attack

  • On September 20th, 2019, Campbell County Health reported that all of its computer systems were impacted by a ransomware attack. The hospital stated that it had contacted law enforcement but remained ‘very concerned about the security of information and the safety of our patients and employees’.



Range of China-based Android VPN apps contains adware

  • Researcher Andy Michael of vpntesting discovered four Android apps, named HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus, that contain adware. The four apps are developed by China-based developers and have a combined download count of over 500 million.
  • The apps connect to various URLs, and some of them use the advertising APIs from Google and Facebook, which allows advertisements to be displayed at any time. The researcher stated that the HTTP requests sent by the VPNs also heat the CPU and drain the phone battery.

Source (Includes IOCs)


Keybase malware delivered to UK users in fake Indofuels email

  • Researchers at My Online Security identified a ‘swathe’ of malicious emails purporting to contain an invoice from Indofuels. The researchers stated that the Indofuels emails were fake and that the company itself has not been compromised or hacked.
  • The emails contain an ISO file which installs the Keybase malware, which is used to steal victims’ credentials.

Source (Includes IOCs)


CERT-In warns of campaign purporting to be from Income Tax Department

  • The Indian Computer Emergency Response Team (CERT-In) warned that criminals are delivering malware via emails that purport to be from the Income Tax Department. The campaign has been active since September 12th, 2019, and targets both individuals and financial organisations with malware and phishing tactics.
  • Two variants of malware-delivering emails have been identified so far. The first contains a malicious file while the second connects users to a malicious URL where the malware is then downloaded. The malware is designed to steal users’ information and can achieve persistence by modifying the Windows registry.

Source (Includes IOCs)


Agent Tesla malware used to target Italian companies

  • Researchers at Yoroi identified a campaign delivering the Agent Tesla keylogger to Italian firms via an email which appears to come from the Liberian division of an oil company. Agent Tesla is a commodity malware that can be customised by criminals to steal information.
  • The attackers infect a target device by sending an email containing an attachment with an obfuscated VBA macro. Targets who open the attachment are asked to enable macros; if they do, the macro decodes its payload and begins installing the malware. The payload features anti-analysis methods and terminates itself if it detects that it is running on a virtual machine.
  • If the malware does not detect a virtual environment, Agent Tesla steals credentials stored within the victim’s browser and other applications. It can steal accounts from Google Chrome, Amigo, Cent Browser, Outlook, and many more. Stolen credentials are then exfiltrated to the attacker’s C2 server.

Source (Includes IOCs)


Leaks and Breaches

Indian citizens’ information exposed via Gujarat government data leak

  • On September 19th, 2019, security researcher Baptiste Robert reported a leak affecting the Gujarat government’s real estate regulatory authority website. Exposed data included PAN cards, passport size photos, income tax details, Aadhaar cards, and more.



Tesco parking app exposes tens of millions of Automatic Number Plate Recognition images

  • The Register discovered a Microsoft Azure blob that exposed tens of millions of Automatic Number Plate Recognition (ANPR) images from 19 Tesco car parks across the UK. The ANPR images were linked to Tesco’s parking validation web app that customers use to avoid parking charges. The car park monitoring service was provided by Ranger Services.
  • The Register also discovered an exposed AWS bucket belonging to car park operator NCP. The unprotected database exposed tens of thousands of ANPR images.


Privilege escalation vulnerability patched in Forcepoint VPN Client for Windows

  • The flaw, tracked as CVE-2019-6145, was discovered by researcher Peleg Hadar and affects all versions of the product earlier than 6.6.1.
  • The bug could be exploited to achieve privilege escalation, persistence and, in some cases, defence evasion. The cause is the app attempting to run an executable from incorrect locations, which an attacker could exploit to run malicious files with SYSTEM permissions.



Google updates stable release of Chrome to address four security issues



XSS vulnerability in DELUCKS SEO WordPress plugin may already be targeted by hackers

  • On September 21st, 2019, researchers at Plugin Vulnerabilities identified hackers probing for vulnerabilities in the DELUCKS SEO plugin. The plugin contains a persistent XSS vulnerability which could be abused to cause malicious JavaScript code to appear on affected websites.

Source (Includes IOCs)


Critical vulnerabilities patched in Jira products

  • The first patched flaw, tracked as CVE-2019-14994, is a URL path traversal resulting in information disclosure and affects Jira Service Desk and Jira Service Desk Data Center.
  • The second bug, tracked as CVE-2019-15001, is a template injection in Jira Importers Plugin, impacting Jira Server and Jira Data Center.



D-Link DNS-320 device contains critical remote code execution vulnerability

  • Security researchers at CyStack Security identified a remote code execution vulnerability, tracked as CVE-2019-16057, in D-Link DNS-320 ShareCenter versions 2.05.B10 or lower. The flaw exists in the device’s SSL Login and can be exploited by a remote unauthenticated attacker to access all application commands with root permissions.



General News

Facebook releases update on ongoing app developer investigation

  • In a new blog post, the company stated that it continues to monitor and review apps that access large amounts of user data. To date, it has suspended tens of thousands of apps associated with about 400 developers. Suspended apps include ones used to infect users’ phones with malware and quiz apps that scraped user data.



Twitter suspends additional accounts involved in state-affiliated information operations

  • Twitter announced that it has suspended thousands of accounts across five different jurisdictions that were allegedly involved in state-backed information operations on the platform.
  • A network of 271 accounts originating in the United Arab Emirates and Egypt was suspended due to its involvement in a ‘multi-faceted information operation’ targeting Qatar, Iran, and others. The accounts were also distributing messages supportive of the Saudi government. Accounts originating in Saudi Arabia were also suspended, including the account of Saud al-Qahtani, the former advisor of Crown Prince Mohammed bin Salman.
  • Other suspended accounts were involved in information operations in Spain, Ecuador, and China and Hong Kong.



Iran denies claims that cyber attack disrupted oil infrastructure

  • On September 21st, 2019, Iran stated that cyberattacks had not impacted its oil infrastructure or other critical infrastructure. The statement follows a report from Netblocks showing disruption to internet connectivity in Iran. Netblocks tweeted that there were reports of ‘disruptions and outages affecting online industrial and government platforms’.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
