Silobreaker Daily Cyber Digest – 25 June 2019
Campaign discovered using AgentTesla keylogger and Nanocore RAT
- The malware is propagated using ISO attachments that are generally not detected by anti-virus scanners because they tend to detect the extracted file instead.
New malware OSX/Linker attempts to leverage zero-day in MacOS Gatekeeper
- The MacOS Gatekeeper bypass flaw reported by Filippo Cavallarin in May could allow an attacker to execute arbitrary code without user interaction. Intego’s malware research team discovered the first known exploitation of this flaw, using disk image files disguised as Adobe Flash Player installers.
- Intego observed four samples uploaded to VirusTotal on June 6th, all of which were linked to an internet-accessible NFS server and uploaded from IP addresses in Israel and the US. The researchers assess that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware.
Operation Soft Cell targeting telecommunications providers
- Researchers at Cybereason observed an advanced persistent attack targeting global telecommunications providers from at least 2017, possibly longer. The campaign, dubbed Operation Soft Cell, aimed to obtain data stored in the Active Directory of a large telecommunications provider, including call detail records (CDR), usernames and passwords, personally identifiable information (PII), and more.
- The attackers’ persistence technique involved abandoning one thread of attack once it was detected and stopped, and then returning later with new tools and techniques.
- The tools and techniques used in the campaign have previously been linked to the Chinese-affiliated threat actor APT10, which has led the researchers to believe that a China-linked state actor is behind the attacks, most likely APT10 or a group sharing or emulating the methods of APT10.
New wave of Troldesh ransomware attacks observed
- Group-IB observed a new wave of phishing attacks involving Troldesh ransomware targeting Russian companies. Troldesh, also known as Shade, was first discovered in 2015.
- More than 6,000 instances were observed in Q2 2019, with over 1,100 emails containing the malware discovered in June alone. The number of attacks was also 2.5 times higher in Q2 2019 compared to the whole of 2018.
- In recent campaigns, Troldesh not only encrypts files, but also mines cryptocurrency and generates traffic to sites.
Sodinokibi ransomware observed being dropped via Exploit Kits and Malvertising
- Sodinokibi ransomware has previously been distributed via server exploits and MSP backends. However, researchers at nao_sec have now observed the malware spreading via malvertising that redirects to the RIG exploit kit, via advertisements on the PopCash ad network.
Hackers exploit MSP software to launch ransomware attacks
- Engineers at UBX Cloud discovered hackers exploiting a new attack path to launch ransomware attacks against the managed IT industry. The new attack path uses applications commonly used by managed IT service providers, such as the remote monitoring and management (RMM) software from Kaseya and Webroot.
- Kaseya and Webroot have stated that the attacks used compromised credentials rather than breaches or software vulnerabilities.
Leaks and Breaches
Taiwan’s civil service suffers data breach
- In a notice on June 24th, 2019, Taiwan’s civil service system stated it was made aware of a security breach on June 22nd, 2019.
- The data of more than 590,000 employees has been leaked online, including the personal information of 243,376 civil servants. This data also includes information on individuals holding government posts between January 1st and June 30th, 2005, and exposed their ID numbers, names, agency information, and job titles.
Philippines Bureau of Customs website hacked
- The Philippines Bureau of Customs’ (BOC) homepage was hacked on June 24th, 2019 and defaced, leaving the message ‘Hacked by Ultimate Haxor.’ The website’s main content was preserved and the BOC stated that the hack did not affect the agency’s operations; however, the BOC website is currently unavailable. It is unclear who is behind the hack.
Illinois and California clinics report ransomware attacks
- Illinois-based Quantum Vision Centers and Eye Surgery Center has notified its patients of a ransomware attack on its systems on April 18th, 2019. It is unclear how many patients have been affected.
- The encrypted files contained personal information of patients, including names, dates of birth, addresses, health insurance information and Social Security numbers. The ongoing investigation suggests no data was stolen and that the sole purpose of the attack was financial gain.
- California-based Marin Community Clinics also reported a ransomware attack, which took place on June 19th, 2019. The company paid an undisclosed percentage of the ransom demand to recover its files. No patient data is believed to be compromised.
Canadian school district confirms malware attack from January 2019
- In a statement, the Canadian Southeast Kootenay School District confirmed a malware attack that took place on January 23rd, 2019, in which computers at the School Board Office and the Fernie Learning Center had been infected with Emotet malware.
- New information has revealed that the email files had been compromised during the attack, which could have resulted in the disclosure of personal information, including addresses, phone numbers, email addresses and more. However, the higher risk is believed to be the further spread of the malware.
Incomplete fix for Kubernetes leads to further vulnerability
- Joel Smith, a researcher at the Kubernetes Product Security Committee, announced that incomplete fixes for CVE-2019-1002101 had led to a new vulnerability tracked as CVE-2019-11246.
- CVE-2019-11246 is a high-severity vulnerability that impacts kubectl, the command line interface used to run commands against Kubernetes clusters. The issue is a client-side defect that requires user interaction for exploitation. Successful exploitation enables directory traversal and could allow an attacker to replace or create files on a targeted workstation.
- To resolve the issue, users should upgrade to Kubernetes 1.12.9, 1.13.6, or 1.14.2 or later.
Incomplete fix for Apache Tomcat leads to further vulnerability
- An incomplete fix for CVE-2019-0199 did not address the window exhaustion on write. This resulted in a new bug, tracked as CVE-2019-10072, which could allow clients to cause server-side threads to block, leading to an eventual DoS.
- The vulnerability affects Apache Tomcat 9.0.0.M1 to 9.0.19 and Apache Tomcat 8.5.0 to 8.5.40.
Vulnerabilities in Phoenix Contact Automationworx can be exploited for remote code execution
- Researchers at the 9sg Security team reported three vulnerabilities to the National Cybersecurity & Communications Integration Center, which issued an advisory on June 20th, 2019. CVE-2019-12870 and CVE-2019-12871 are classified as high severity, while CVE-2019-12869 is classified with a CVSS score of 3.3.
- All three vulnerabilities allow for remote code execution on targeted systems. The flaws impact PC Worx and Config+ which are found in Automationworx versions 1.86 and earlier.
Researchers analyse attack abusing vulnerability in Exim servers
- Researchers at Yoroi ZLAB analysed an information stealing attack that abuses the ‘Return of the WiZard’ flaw found in Exim servers. Developed by the University of Cambridge, Exim is a message transfer agent (MTA) for Unix systems connected to the internet.
- The vulnerability, tracked as CVE-2019-10149, allows attackers to execute code with the privileges of the Exim process via malformed emails. Researchers recommend updating Exim servers to avoid attacks.
- The analysis by the researchers describes one of many possible attack scenarios and the vulnerability could also be abused by cryptominers, botnets and ransomware, as well as APT groups.
Fox News host Tucker Carlson victim of doxxing
- The Antifa-related group ‘All Out DC’ has been posting the personal information of Fox News host Tucker Carlson on social media, accusing the host of being a racist. Facebook removed the post in question, whilst Twitter removed the tweet and temporarily suspended the group.
Hacked Tesco Twitter account promotes Bitcoin scam and impersonates Bill Gates
- On June 24th, 2019, Tesco’s Twitter account tweeted about a Bitcoin scam in which users were encouraged to send funds to a Bitcoin wallet and receive double in return.
- The malicious actors who had control of the account then changed the profile name and image to Bill Gates and attempted to get customers who were complaining about the quality of Tesco produce to send them their name, address and postcode.
Anonymous Belgium member arrested
- Belgian police managed to identify and arrest a member of the Anonymous Belgium hacker collective, Brecht S., after they discovered a USB key belonging to him. Brecht S. had dropped it whilst or after throwing a Molotov cocktail at Crelan Bank in 2014.
- The investigation showed Brecht S. had a long history of cyber-crimes, including DDoS attacks against Crelan’s e-banking portal, and was an active member of the known hacking groups Anonymous Belgium and Cyber Crew.
- Brecht S. received an 18-month prison sentence and has to pay €3,000 to Crelan Bank in compensation, in addition to serving a three-year prison sentence for the Molotov cocktail attack. A co-conspirator who allegedly exchanged hacking tools with Brecht S. and was involved in multiple cyberattacks was also arrested and fined €1,200.
ATM Skimmers dropped in favor of Shimmers
- Researchers at Flashpoint observed that the rollout of Europay, Mastercard and Visa (EMV) payment methods, which rely on chip cards to store payment data, has led to attackers focusing on capturing chip data.
- Attackers are using ‘shimmers’ fitted with flash storage and a microchip to grab chip data at ATM points and point-of-sale systems.
- Researchers warned that criminals target older ATM models with outdated security features. Currently the best protection against ATM ‘shimmers’ is the presence of a Card Protection Plate (CPP). CPPs prevent objects being inserted into ATM card readers and are difficult to remove.
‘Overlord’ tool allowed employees to spy on MySpace users
- Former employees of MySpace told Motherboard that despite strict access control and monitoring, employees used the ‘Overlord’ administration and moderation tool to see users’ passwords and messages.
- One of Motherboard’s sources claimed that the tool was used to access the login credentials of employees’ ex-partners.
- Multiple sources confirmed to Motherboard that the abuse happened about a decade ago when MySpace was at the height of its popularity.
Minneapolis Policewoman awarded $585,000 in punitive damages following illegal DMV searches
- Officer Amy Krekelberg filed the suit in 2013, alleging numerous violations of the Driver’s Privacy Protection Act between 2009 and 2013. The complaint alleged that multiple municipal employees had accessed records which showed her address, weight, height and driver’s license pictures.
- On June 18th, 2019, a federal jury ruled in Officer Krekelberg’s favor, awarding her $585,000 in damages. Of the awarded amount, $285,000 is to come from the city of Minneapolis, and two fellow officers who accessed her records are each to pay $150,000.
Managed IT service provider Red Mosquito Data Recovery allegedly pays off ransomware authors
- Emsisoft researcher Fabian Wosar told ProPublica that his sting investigation into Red Mosquito Data Recovery showed that the company sought to pay off ransomware authors to recover data.
- Wosar set up two email accounts and posed as both the hacker and the victim. Wosar says that Red Mosquito Data Recovery contacted his fake hacker email address ‘within minutes’ and ‘made no effort to not pay the ransomware’.
- Wosar, posing as the malware author, demanded payment of $900 for the decryption key; the next day a representative of Red Mosquito Data Recovery contacted Wosar confirming that they could recover his files for $3,950.
US bill proposes to force tech companies to reveal data collection and retention practices
- Senators Mark Warner and Josh Hawley proposed the Designing Accounting Safeguards to Help Broaden Oversight And Regulations on Data (DASHBOARD) Act to Congress on June 24th, 2019.
- The bill proposes that tech companies with over 100 million monthly active users will have to inform end users and US regulators about the data collected on users and how it is monetized.
Fake Presidential alerts can be sent en masse to users’ phones
- Researchers at the University of Colorado Boulder have demonstrated that the US Wireless Emergency Alert system can be spoofed using portable mobile phone base stations and specially adapted software.
- Using four low power base stations, an attacker could send a message to all phones in a large stadium, potentially causing widespread panic.
- Researchers stated that ‘the spoofing attack is easy to perform but is challenging to defend in practice.’
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.