Silobreaker Daily Cyber Digest – 24 June 2019
Fileless AgentTesla keylogger observed
- My Online Security researchers observed a new malspam campaign which runs the AgentTesla keylogger as a fileless malware, running the binary in memory.
- Initial infection starts with a Word document attachment that is actually an RTF file with the CVE-2017-11882 equation editor exploit. The victim is then prompted to follow a link that redirects to a file that the RTF file renames to a .exe file containing AgentTesla.
Bitcoin and Ethereum giveaway scams undergoing a resurgence
- Security researcher Frost warned that the scams were being promoted on Twitter by fake accounts pretending to be from well known brands and figures such as Tesla, Elon Musk and John McAfee.
- Scammers tell users to send either .05 to 5 Bitcoins or .5 to 50 Ethereum to a listed address and in return they will receive up to ten times the original amount. The scam coincides with a rise in the prices of cryptocurrency.
- The scam pages display an indicator of how much cryptocurrency is left in the giveaway and display an alleged live feed of transactions being sent to and from the cryptocurrency address.
Free proxy service runs on botnet of WordPress sites compromised by Ngioweb
- Netlab researchers found evidence that Free-Socks[.]in, a service offering both free and commercial proxy servers, is in fact running on top of a large-scale botnet of compromised WordPress sites.
- According to the researchers, users of any of the service’s proxy servers had their traffic funnelled through a network of hacked WordPress sites. These sites were hacked and infected with a web shell, which acted as a backdoor, and Ngioweb malware, which acted as a proxy agent.
- In their blog post, the researchers provide a technical analysis of Ngioweb and its two separate C2 servers.
Microsoft warns of FlawedAmmyy RAT campaign loading trojan directly in memory
- Microsoft warns of an active spam campaign aimed at Korean targets that distributes FlawedAmmyy RAT malware via malicious XLS attachments, which is loaded directly into memory. FlawedAmmyy RAT is a tool known to be used by TA505.
- TrendMicro recently detected a similar campaign using the same malware targeting South Koreans, which they have linked to TA505.
Steam Users targeted with phishing campaign
- A researcher at Malwarebytes Lab received a message from an acquaintance on the Steam gaming platform offering him a free game if he clicked on a shortened URL link.
- The link redirects users to a free roulette site which claims they can win a free game. If a user clicks the ‘play’ button they are asked for their Steam login information in order to claim their reward.
- The researcher found that this campaign has been ongoing since mid-March 2019.
Source (Includes IOCs)
LooCipher Ransomware spread through spam
- Researcher Petrovic discovered the LooCipher Ransomware, delivered via malicious Word document which asks users to enable macros. If macros are enabled, a connection is established with a Tor server and the LooCipher file is downloaded.
- The ransomware creates a file on Windows Desktop to store the computer ID, a Bitcoin address and a time limit for when the key will allegedly expire. The ransomware then encrypts files and leaves ransom note with a Bitcoin address. The ransom note demands €300 worth of Bitcoin.
Source (Includes IOCs)
Fraudsters allegedly using card number generating algorithms
- CEO of East West Banking Corporation, Antonio Moncupa, stated that there has been an increase in BIN attacks targeting savings and payroll accounts of clients. It is alleged that the software is being used to generate potential card numbers from an existing valid one, which are then tested on the internet until one is a ‘hit’.
- To counter these attacks, Edwin Bautista, president of Union Bank of the Philippines, stated that they look at a range of cards over a short time period, with a predictive algorithm that flags probing, testing and hitting patterns from external sources. As well as this, a randomizer algorithm is used in card number generation, so it isn’t possible to guess card numbers, CVVs and expiry dates.
Leaks and Breaches
WeTransfer sends file transfer emails to incorrect parties
- File transfer service WeTransfer issued a statement on June 21st, 2019, after discovering that file transfer emails were sent to incorrect email addresses on June 16th and 17th, 2019.
- The company stated that it had blocked the impacted transfer links. Additionally, some customers were instructed to reset their passwords and customers were also asked to keep an eye on their account for suspicious or unusual emails.
- WeTransfer has not yet confirmed what caused the incident and how many users were impacted.
Sensitive data stolen in Perceptics hack
- According to The Washington Post, sensitive information, including government agency contracts, budget spreadsheets and Powerpoint presentations, was stolen in the Perceptics data breach that took place in May 2019. Initial reports indicated the stolen data belonging to the US Customs and Border Protection agency was limited to photographs.
Social Engineered user data leaked online
- Data from users of social engineering forum Social Engineered has been leaked online after the forum suffered a data breach on June 13th, 2019. The owner of the forum blamed a vulnerability in MyBB, an open-source software for creating and maintaining forums, for the leak.
- Leaked data includes 89,000 email addresses linked to 55,000 forum account holders, usernames, IP addresses, passwords stored as salted MD5 hashes, and private messages sent by users.
TripAdvisor invalidates passwords that were disclosed in data breach
- TripAdvisor sent emails to users who may have had their email address and passwords recorded on a list of publicly leaked information. TripAdvisor also warned users to change their password on other sites if they used the same one that was leaked in the data breach.
Australian police records database allegedly prone to data breaches
- ABC has reported that the Australian Computerised Operational Policing System Database is vulnerable to data breaches, putting the 40 million records at risk. This is was found after Cooma Police confirmed that an individual suffered a privacy breach, with ‘unusual access to their file’, including the discovery of false records.
Double free vulnerability discovered and patched in Apple macOS
- Researchers at Trend Micro discovered a double free vulnerability, tracked as CVE-2019-8635, in macOS that is caused by a memory corruption flaw in the AMD component. If exploited, an attacker could implement privilege escalation and execute malicious code with root privileges.
10 new Microsoft vulnerabilities discovered by Palo Alto Networks’ Unit 42
- Unit 42 reported ten new vulnerabilities that have been addressed by the Microsoft Security Response Centre (MSRC). The ten vulnerabilities were all given an ‘important’ security rating. Eight of the vulnerabilities were classified as jet database engine remote code execution flaws.
- A full list of patched flaws, including CVE numbers, are available via Palo Alto’s Unit 42 website.
Apple releases AirPort Base Station Firmware update 7.8.1
- Apple released a security update on June 20th, 2019, that addressed eight vulnerabilities in AirPort Express, AirPort Extreme and AirPort Time Capsule wireless routers. Five of the vulnerabilities were exploitable by remote attackers and could be used to leak memory, perform DoS attacks and arbitrarily execute code.
- A full list of patched flaws, including CVE numbers, are available via Apple’s website.
VLC Media Player patches two vulnerabilities permitting attackers to gain full control over devices
- Researcher Symeon Paraschoudis identified CVE-2019-12874 as a MKV double free flaw vulnerability in the function of VideoLAN VLC player. The bug can be triggered when a malformed mkv file type is parsed within the Matroska demuxer.
- CVE 2019-5439 was discovered by zhangyang form Hackerone, the bug is a buffer overflow vulnerability that resides in ReadFrame. The bug allows a remote attacker to create avi or mkv files that will trigger a heap buffer overflow when loaded by the target.
- Both vulnerabilities can be triggered by a target opening a video in versions of VLC Media Player 3.0.6 and earlier.
OpenSSH patch prevents theft of private keys
- OpenBSD developer Damien Miller submitted a new OpenSSH patch, which helps protect against side-channel attacks like Spectre, Meltdown, Rowhammer and Rambleed. Side-channel attacks take advantage of the speculative execution functionality in CPUs and some can be used to read protected kernel memory.
- The new patch encrypts private keys with a symmetric key derived from 16KB of random data while the keys reside in memory and are not actively used. Such a patch could also be used in other software applications to protect keys and secrets in memory.
Eurofins ransomware attack halts UK forensic investigations
- Following Eurofins Scientific’s ransomware attack on June 3rd, 2019, UK police suspended its work with the company. This is said to affect more than 50% of the police’s outsourced case work. A cap has been placed on the volume of forensic work each police force can carry out, meaning delays are to be expected in cases.
5G may interfere with US military systems
- A warning issued by the US military’s Defense Innovation Board to Congress suggests that China’s 5G telecommunications design will interfere with US weapons systems. A Congressional Research Service report details how 5G will directly interfere with US military systems and secure government communications.
New UK security standard for security cameras
- The UK Government announced a new cybersecurity standard for surveillance cameras with the aim of addressing vulnerabilities in the cameras’ systems.
- Manufacturers are now required to demonstrate their products meet minimum security requirements. This includes forcing the installer to change the password on boot up, no hidden user accounts or passwords, disabled ports and communication protocols in default setting, and that HTTPS must be used for communication with any web interfaces.
Former aide to US Senator Maggie Hassan charged with doxxing
- Samantha Deforest Davis, a former aide to Democratic Senator Maggie Hassan, is facing federal charges in relation to the personal information of five Republican senators being posted online. Davis allegedly aided Jackson A. Cosko, another former Hassan aide, who has pleaded guilty to five federal charges, including making public restricted personal information, computer fraud, witness tampering and obstruction of justice.
Russian call center suffers DDoS attacks during Putin’s annual Q&A session
- Rostelecom, the call center for Putin’s annual Q&A session, ‘The straight line with Vladimir Putin,’ was hit by two DDoS attack. The attack caused failures in video calls, however it did not affect the call centre’s operation. The attack is believed to have come from abroad.
US CISA detect increase in Iranian based ‘wiper’ cyber attacks
- Director of the Cybersecurity and Infrastructure Security Agency (CISA), Christopher C. Krebs, warned that Iranian regime actors and proxies are targeting US industries and government agencies. The Director warned that Iranian actors are increasingly using ‘wiper’ attacks to cause maximum damage to targets. These attacks are being carried out using common tactics such as password spraying, credential stuffing and spear phishing.
South Korean crypto exchange Bithumb prosecuted
- Bithumb is being prosecuted for failing to take precautions in keeping personal information safe. Personal data of Bithumb users, including email addresses, crypto transaction histories, usernames and phone numbers, were leaked in a June 2017 data breach that resulted in a loss of $7 million in user funds.
- The company is charged under the information protection article of South Korea’s Information Communication Network Act for failing to employ effective data security, installing security update software and for storing client data on the computers of its staff.
Trump approved cyberattack against Iranian computer systems
- The Washington Post reported on June 22nd, 2019, that the President authorized attacks on June 20th, 2019, which targeted an Iranian computer used by the Islamic Revolutionary Guard Corps to control rocket and missile launches. The attack followed the downing of an unmanned US surveillance drone on June 20th, 2019.
- The attack was launched by US Cyber Command and coordinated by the US Central Command. The White House and US Cyber Command declined to comment on the attack.
Deliveroo and Just Eat customers complain of fraudulent activity on their accounts
- According to the BBC, customers of takeaway services Deliveroo and Just Eat are reporting that their accounts had been used to buy food they did not order. Both companies stated their own systems had not been breached and passwords had been obtained from another source.
US adds five Chinese companies to list of organizations acting against US national interest
- Hygon, Higon, HMC, Sugon and Wuxi Jiangnan Institute of Computing Technology were added to the list of companies alongside their various aliases.
- The ban comes into effect on June 18th, 2019 and limits export licenses while also requiring US companies to gain approval to deal with them. The Department of Commerce stated that there was reasonable cause to believe that the companies acted, were acting or could act against US foreign policy and national security.
- Among the companies listed was AMD joint venture Tianjin Haiguang Advanced Technology Investment Company, an alias of Higon.
Researchers develop technique to ‘vaccinate’ algorithms against adversarial attacks
- Researchers from CSIRO’s Data61 developed a technique to better train and immunize machine learning algorithms against adversarial attacks. The technique involves implementing a weak version of an adversary, such as making small modifications or distortions to the images used in training data sets, in an effort to make the algorithm more robust and immune to these attacks.
Two arrested for phishing fraud
- It has been reported that two brothers originally from Jerusalem, Israel, have been arrested by the Israeli Police Cyber Unit for their involvement in stealing cryptocurrency via phishing schemes, including setting up fake crypto sites, and luring people to use them. It is also alleged that the brothers are connected to the hack of several accounts on the Bitfinex platform in 2016.
- An Israeli Police spokesperson stated that the total sum stolen by the brothers equals to tens of millions of dollars.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.