Malware

Bad Rabbit ransomware spreads rapidly in Ukraine and Russia
>Reports suggest that Bad Rabbit shares similarities with the NotPetya ransomware. It is distributed via drive-by-download, in which some popular websites have been compromised and have malicious JS injected in their HTML body.
>Infected websites display a popup asking the target to download a fake Flash Player update. Once run, the executable locks the victim's machine and displays the ransom note. The note directs victims to an onion site which initially demands a 0.05 bitcoin ransom, increasing gradually until the victim pays.
>Bad Rabbit spreads laterally via SMB, but does not exploit EternalBlue like NotPetya. It drops copies of itself using its original name and executes them using Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. Bad Rabbit also contains additional binaries such as Mimikatz to harvest credentials, and DiskCryptor to encrypt target systems.
>Organisations affected so far include the Kiev Metro, Odessa naval port, Odessa airport, Ukraine's ministries of infrastructure and finance, and Russian media organisations including Interfax. ESET adds that the dropper component has been seen targeting Ukrainian organisations in only 12.2% of cases, whereas 65% of sightings have been against Russian organisations.
Source 1 Source 2 Source 3 Read Silobreaker's longer report on Bad Rabbit

Iran CERTCC issues a security alert concerning Tyrant ransomware
> Tyrant ransomware has been disguised as the legitimate VPN app Psiphon. Tyrant is a strain of the larger DUMB ransomware family, first discovered in January 2017.
> The first samples of the DUMB family were poorly coded, self-decrypting the affected files once the ransom note window was closed. Iran CERTCC confirms that Tyrant shares the same low coding quality and sometimes fails to encrypt files.
Source


Ongoing Campaigns

Kaspersky discovers compromised servers allegedly used by the Lazarus group for C&C
> According to a statement from the security company, the servers are located around the world, including in India, Indonesia, Bangladesh and more.
> It is believed that the attackers leveraged CVE-2017-7269 in Microsoft IIS to install the Manuscrypt malware on targeted servers.
Source


Leaks & Breaches

Tarte Cosmetics leaks data on 2 million customers online
> The data was discovered by Kromtech Security on two misconfigured MongoDB databases which allowed public access. Exposed information includes names, addresses and the last four digits of the credit card numbers of customers who made purchases via the firm's online shop between 2008 and 2017.
> The information appears to have been accessed by the group Cru3lty, who left a ransom note inside the database demanding 0.2 bitcoins to recover it. The data, however, does not appear to have actually been encrypted.
> Although the databases have now been secured, Tarte has yet to comment on the incident.
Source

Appleby suffered data breach in 2016
> The Bermuda-based law firm admitted that a "data security incident" last year compromised some company data of an unspecified nature.
> The firm is in the process of warning clients who may have been implicated by the incident.
Source

One of Dell Inc’s customer support websites hijacked for around a month
> The ‘Dell Backup and Recovery Application’ allows customers to restore their data to factory default state. The program regularly checks a website which provides Dell’s customer data backup, recovery and cloud storage solutions.
> The website was reportedly hijacked from early June to early July, and its domain was pointed at an actively malicious Amazon server.
Source

Coinhive’s DNS server hacked to replace legitimate Coinhive JS in-browser miner
> The legitimate miner has been replaced with a version that mines Monero for the hacker’s own wallet.
> The hacker reportedly logged into the company’s Cloudflare account using an insecure password. They then replaced DNS records with a new IP pointing to a new server which pushed a custom version of the coinhive.min.js file.
Source


Vulnerabilities

New variant of Microsoft DDE attack uses Outlook meeting invites rather than attached documents
> A security vulnerability in the Microsoft Office Dynamic Data Exchange (DDE) protocol was recently discovered allowing attackers to deliver malware via “macro-less” malicious attachments.
> Researcher Kevin Beaumont has discovered that the flaw can similarly be leveraged to deliver malware embedded in the body of an Outlook email or calendar invite. Rather than requiring a target to open an attachment, the DDE exploit is triggered as soon as the email or invite is opened.
Source
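A defender-side check for the delivery path described above, added here as an example and not part of the original digest or of Beaumont's research: it scans an Outlook message body for Word DDE/DDEAUTO field codes, which only exist when the body is RTF. The sample bodies are constructed, the target string in the DDEAUTO field is a placeholder, and the assumption is that the body has already been extracted from the message as text.

```python
import re

# Field types that make Word (and so Outlook's RTF editor) open a DDE channel
# to an external program when the content is rendered.
DDE_FIELD_TYPES = {"DDE", "DDEAUTO"}

# RTF control words (\par, \fs22, \'hh, \insrsid42 ...) and escaped characters
# that appear inside field groups and must be stripped before reading the
# field instruction as plain text.
_CONTROL_WORD = re.compile(r"\\(?:'[0-9a-fA-F]{2}|[A-Za-z]+-?\d*\s?|[^A-Za-z])")

def _field_groups(rtf: str):
    """Yield the raw text of every {\\*\\fldinst ...} group, brace-aware."""
    marker, pos = r"\fldinst", 0
    while True:
        start = rtf.find(marker, pos)
        if start == -1:
            return
        depth, i = 1, start + len(marker)          # already inside the group
        while i < len(rtf) and depth > 0:
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
            i += 1
        yield rtf[start + len(marker):i - 1]
        pos = i

def _plain(field_group: str) -> str:
    """Strip control words and braces, leaving the field instruction text."""
    text = field_group.replace("\\\\", "\x00")      # keep escaped backslashes
    text = _CONTROL_WORD.sub(" ", text).replace("\x00", "\\")
    return " ".join(text.replace("{", " ").replace("}", " ").split())

def find_dde_fields(body: str) -> list:
    """Return the instruction text of every DDE/DDEAUTO field in an RTF body.
    Plain-text or HTML bodies carry no Word fields, so they yield []."""
    if not body.lstrip().startswith(r"{\rtf"):
        return []
    hits = []
    for group in _field_groups(body):
        instruction = _plain(group)
        field_type = instruction.split(" ", 1)[0].upper() if instruction else ""
        if field_type in DDE_FIELD_TYPES:
            hits.append(instruction)
    return hits

# Constructed samples (not real captures): a benign HYPERLINK field, a DDEAUTO
# field with a placeholder target, and a plain-text invite body.
SAMPLE_RTF = (r'{\rtf1\ansi{\field{\*\fldinst{ HYPERLINK "https://example.test" }}'
              r'{\fldrslt example}}\par'
              r'{\field{\*\fldinst{\insrsid42 DDEAUTO placeholder-program "placeholder-arg" }}'
              r'{\fldrslt ignored}}\par}')
SAMPLE_TEXT = "Meeting at 10:00, room B."
```

Run against a mail pipeline, a non-empty result is a reason to quarantine the message before it reaches Outlook.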

Multiple security flaws discovered in anonymous feedback app Sarahah
> According to researcher Scott Helme, flaws in the app make it vulnerable to attacks including cross-site scripting. It is also trivially easy to bypass the app’s Cross-Site Request Forgery (CSRF) protection, allowing an attacker to force end users to execute unwanted actions on web applications.
> Sarahah has acknowledged the issues, claiming that they are working to address them.
Source

DUHK attack passively decrypts VPN and encrypted browser traffic
> DUHK stands for ‘Don’t Use Hard-coded Keys’. The attack relies on a host of implementation errors in old versions of certain firewall appliances and VPN gateways to trigger an issue in the ANSI X9.17/X9.31 PRNG.
> The PoC published by Johns Hopkins University reveals that researchers were able to recover encrypted traffic from FortiGate VPN gateway products using FortiOS version 4. These are still used by companies as firewalls, or to create private VPN networks.
Source


The Silobreaker Team


Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
