Silobreaker Daily Cyber Digest – 25 November 2019
Broad campaign targeting Kazakhstan discovered
- Qihoo 360 researchers discovered a new campaign targeting individuals and organisations in Kazakhstan, including government agencies, military personnel, foreign diplomats, journalists, and others. According to researchers, this is a new threat actor called Golden Falcon or APT-C-34. In contrast, Kaspersky believe it to be the Russian-speaking DustSquad, a group that has been active since 2017.
- After gaining access to the group’s C2, researchers discovered a variety of data stolen by the group, some of it sorted by the 13 largest cities in Kazakhstan. To gain access to a victim’s data, Golden Falcon makes use of the HackingTeam surveillance kit Remote Control System, as well as a backdoor trojan called Harpoon that appears to have been developed by the group itself.
- The researchers also found contracts, including one for the procurement of Pegasus, a mobile surveillance toolkit, and another with the defence contractor Yurion. In both cases there is no further evidence indicating whether the products were actually purchased. The contracts also carried valid digital signatures, which allowed the researchers to identify four of the group's members and one organisation.
APT33 begin to target industrial control systems in the energy sector
- Microsoft security researcher Ned Moran revealed that the Iranian hacking group APT33 have begun to target industrial control system (ICS) equipment that is used in oil refineries, electrical utilities and manufacturing.
- In a presentation given at CYBERWARCON, Moran disclosed that during October and November 2019, the group focused their efforts on targeting approximately 2,000 organisations per month with password spraying attacks directed against multiple accounts. Approximately half of the top 25 targeted organisations were responsible for the manufacture, supply or maintenance of ICS equipment.
- Moran speculated that the group are targeting ICS producers and manufacturers in order to impact their customers’ infrastructure.
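A defender-side illustration of the password-spraying pattern described above (an added example, not from the digest or from Microsoft's presentation): the spraying signature is one source failing against many distinct accounts, as opposed to many failures against a single account. The log format, account names and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page): 203.0.113.7
# fails once each against five accounts and then succeeds on a sixth,
# while 198.51.100.9 hammers a single account (brute force, not spraying).
SAMPLE_LOG = """\
2019-11-04T08:00:01Z auth FAILED user=alice src=203.0.113.7
2019-11-04T08:00:03Z auth FAILED user=bob src=203.0.113.7
2019-11-04T08:00:05Z auth FAILED user=carol src=203.0.113.7
2019-11-04T08:00:07Z auth FAILED user=dave src=203.0.113.7
2019-11-04T08:00:09Z auth FAILED user=erin src=203.0.113.7
2019-11-04T08:00:11Z auth SUCCESS user=frank src=203.0.113.7
2019-11-04T08:01:00Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:05Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:01:10Z auth FAILED user=alice src=198.51.100.9
2019-11-04T08:02:00Z auth SUCCESS user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def _index_by_source(log_text):
    """Map each source address to the sets of users it failed and succeeded against."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        bucket = failed if m["result"] == "FAILED" else succeeded
        bucket[m["src"]].add(m["user"])
    return failed, succeeded

def detect_password_spray(log_text, min_accounts=5):
    """Sources whose failed logins span at least min_accounts distinct users."""
    failed, _ = _index_by_source(log_text)
    return {src: sorted(users) for src, users in failed.items() if len(users) >= min_accounts}

def spray_with_success(log_text, min_accounts=5):
    """Spraying sources that also logged in successfully: the accounts to reset first."""
    failed, succeeded = _index_by_source(log_text)
    return {src: sorted(succeeded[src])
            for src in detect_password_spray(log_text, min_accounts) if succeeded[src]}

if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
    print(spray_with_success(SAMPLE_LOG))
```

A production rule would additionally bound the count to a time window and key on the tenant or domain rather than only the source address, since sprays are often spread across many source IPs.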
Phishing emails attempt to trick users with Microsoft Excel block
- BleepingComputer issued a warning regarding a phishing scam themed around Microsoft Excel. The email informs victims that they will be unable to gain access to Excel unless they provide login details.
- Targets who click the ‘Configure Excel and PDF meeting’ prompt will be directed to a SharePoint hosted login form which purports to be an Excel shared document. The form requests that the user enter their email address and password. Entered details are then saved and can be accessed by the attackers at a later date.
Trickbot updated to target OpenSSH and OpenVPN data
- In early November 2019, security researchers at Palo Alto Network’s Unit 42 identified an update to Trickbot’s password grabber module which appears to target OpenSSH and OpenVPN data.
- Upon further investigation, the researchers discovered that the stealer fails to function correctly: the HTTP POST requests generated by the OpenSSH and OpenVPN grabber contain no data. The researchers confirmed the grabber's failure to exfiltrate data by testing the malware on Windows 7 and Windows 10 environments with configured OpenVPN and OpenSSH applications.
- Trickbot is still able to steal SSH passwords and private keys from PuTTY SSH client, with updates to the password grabber module suggesting that Trickbot is continuing to evolve.
Clop Ransomware attempts to disable anti-virus products including Windows Defender
- Security researcher Vitali Kremez discovered that Clop ransomware operators are attempting to disable anti-virus products by running a ‘small program’ before the ransomware encrypts a target’s system.
- The attackers attempt to disable Windows Defender by modifying Registry values; this attack path is blocked if the target has Tamper Protection enabled in Windows.
- The program also attempts to uninstall Microsoft Security Essentials and Malwarebytes Anti-ransomware program.
Leaks and Breaches
Ransomware attack on IT company affects 110 nursing homes
- Virtual Care Provider Inc (VCPI) was hit by a Ryuk ransomware attack on November 17th, 2019, impacting around 110 nursing homes to which it provides its services. All of the company’s core offerings are affected, including internet service and email, as well as access to patient records, client billing, phone systems, and VCPI’s own payroll operations.
- A ransom of about $14 million in Bitcoin was demanded, which VCPI’s owner Karen Christianson said her firm could not afford to pay, adding that some of VCPI’s clients may be forced to close down if the company cannot recover.
Data of 1.2 billion individuals exposed in major data leak
- Security researchers Bob Diachenko and Vinny Troia discovered an unsecured Elasticsearch server hosted on Google Cloud containing 4 billion user accounts that could be linked to 1.2 billion individuals. The database contained more than 4TB of data, including names, email addresses, phone numbers, LinkedIn and Facebook profile information, and more.
- The data sets have been linked to People Data Labs and OxyData, two data enrichment companies, with the majority of the data marked as ‘PDL.’ The server itself does not belong to these companies and it remains unclear who the owner is and how they gained access to the data.
Catch Hospitality Group reveal POS systems infected with card stealing malware
- Catch Hospitality Group has begun to notify Catch NYC and Catch Steak customers of a security incident related to the detection of card stealing malware on their point-of-sale (POS) devices. The company stated that only certain POS devices were infected.
- The malware compromised devices at Catch NYC, including Catch Roof, from March 19th, 2019, to October 17th, 2019. Catch Steak was impacted from September 17th, 2019, until October 17th, 2019.
- The malware which infected the POS devices had the capability to search for ‘track data’, which could include the cardholder’s name, the card number, the expiry date, and the internal verification code.
Smartphone maker OnePlus discloses data breach incident
- Chinese smartphone maker OnePlus has revealed that an unauthorised third party accessed its customers’ order information. Data exposed in the breach includes names, contact numbers, email addresses, and shipping addresses. The company stated that the incident did not impact all customers, and the exact timeframe of the incident is unclear.
Church’s Chicken warns that security incident impacted payment processing system
- US restaurant franchise Church’s Chicken disclosed that payment cards used at certain restaurants in 2019 may have been impacted after they detected unauthorised activity related to their payment processing system. Church’s Chicken said that potentially exposed information includes card numbers, cardholder names, and expiration dates.
- The incident, which was detected in late October 2019, impacted company-operated locations in Alabama, Arkansas, Florida, Georgia, Illinois, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Texas.
- The company stated that their investigation is ongoing and that the time frame and the exact location of impacted restaurants will be disclosed upon discovery.
Southern First Nations Network of Care impacted by ransomware
- On November 21st, 2019, the child welfare agency Southern First Nations Network of Care, which represents 36 Southern First Nations in Manitoba, was hit by a ransomware attack. The authority represents 10 different agencies; however, a spokesman for the organisation stated that the attack did not impact all 10 groups.
- Authorities have been notified and an investigation into the incident is ongoing.
37 vulnerabilities found in popular VNC implementations
- Kaspersky’s ICS CERT discovered 37 vulnerabilities in four common Virtual Network Computing (VNC) implementations, some of which have existed since 1999. All flaws are memory corruption vulnerabilities, which, among other things, could enable an attacker to cause a denial of service condition, gain unauthorised access to information, or install malware on the affected device.
- The bugs were found in TurboVNC, TightVNC, LibVNC, and UltraVNC, the latter of which contains a total of 22 flaws. The majority of vulnerabilities have been fixed, yet the ones found in TightVNC were not patched as the company no longer supports its first version of the system.
Truecaller fixes flaw in its API
- Security researcher Ehraz Ahmad discovered a vulnerability in the call-blocking app Truecaller that could allow ‘an attacker to inject his malicious link as the profile URL,’ meaning anyone viewing this malicious profile could get exploited without any indication.
- Truecaller applied a patch to its core APIs within the platform; however, the company recommends that users update to the latest version of the Truecaller app.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.