Silobreaker Daily Cyber Digest – 26 July 2019
Guildma malware expands beyond Brazil to target users and services globally
- Researchers at Avast revealed that they blocked more than 155,000 infection attempts by Guildma malware since the start of 2019. Attacks have been detected against 27,000 users, 130 banks and 75 other web services. Targets include Netflix, Facebook, Amazon and Google Mail.
- The malware is spread via personalized phishing emails posing as invoices, tax reports and other similar messages. Guildma contains RAT, spyware, password-stealing, keylogging, and banking trojan capabilities. The malware can also download and execute additional files.
- Guildma was originally confined to targeting users in Brazil and only infected computers running in Portuguese. The researchers detected recent upgrades to the malware which allow it to target other languages, but the malware still avoids systems running in English.
- SecurityWeek speculated that Guildma is ‘almost certainly’ the same as Astaroth malware.
Infected devices running on telecom company networks
- Researchers from BitSight have claimed that 15% of telecom companies globally have devices infected with the Triada trojan running on their networks. This was discovered using telemetry gathered from Triada C2 domains. Other malware discovered included Ztorg, found to be running on 20% of networks, and PrizeRAT, found on 25% of them.
- These three strains of malware have been found infecting devices at the supply chain level, as low-cost Android devices have been shipped with the malware preinstalled.
Loader malware leverages Doppelgänging technique
- Dubbed TxHollower, the loader implements Process Hollowing through a hybrid variation that also incorporates Process Doppelgänging – first reported by Malwarebytes in relation to Osiris banking trojan. The hundreds of samples discovered by enSilo researchers predate Osiris by a few months.
- Researchers have published a detailed breakdown of the loader, including the seven variants that currently exist in the wild. The earliest discovered sample is from March 3rd, 2018, which delivered NetWire RAT.
Source (Includes IOCs)
Leaks and Breaches
Ransomware attack hits Johannesburg electric provider City Power
- The infection hit City Power’s systems on July 24th, 2019, encrypting the company’s database, internal network, web apps, and official website. Customers are unable to buy electricity or upload invoices. Additionally, the provider warned that they may be slow to respond to power outages due to the system compromise.
- City Power, which is owned by the City of Johannesburg, has not disclosed the name of the ransomware used in the attack.
ACT Policing confess to unauthorized access of metadata in 2015
- In a statement released on July 26th, 2019, ACT Policing admitted to accessing metadata on 3,249 occasions in 2015. Some of the data was forwarded to case officers and may have been used in prosecutions. ACT Policing declined to comment on which cases the data was used in.
Brazilian financial services provider exposes 250 GB of data via unprotected server
- Data Group researchers discovered the server, which contained personal information including scanned ID and Social Security cards. Other exposed files included documents that provided proof of address and service request forms.
- A large amount of the data related to Banco Pan; however, the bank denied that it owned the server and stated that it was managed by a commercial partner.
Office 365 webmail displays user’s IP address in emails
- Bleeping Computer reported that a sender’s local IP address is injected into their message as an extra mail header when sending an email through the Office 365 webmail interface. The reporters also tested webmail interfaces for Gmail, Yahoo, AOL and Outlook[.]com, and the tests revealed that the issue only affected Office 365.
- Users who wish to avoid this issue can create a new rule in the Exchange admin center to remove the header.
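As an added example, not part of the digest or of Bleeping Computer's report: the PowerShell equivalent of the Exchange admin center rule described above, using the Exchange Online cmdlets, followed by a small check that flags the offending header in a saved message's raw headers. The header name X-Originating-IP, the admin account name and the rule name are assumptions; the digest itself does not name the header that Office 365 webmail adds.

```powershell
# Added example; not code from the digest or from Microsoft. Assumes the
# ExchangeOnlineManagement module is installed and that the leaked header is
# X-Originating-IP (an assumption; the digest does not name the header).
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

# Mail flow (transport) rule that strips the header from every message, which is
# what the Exchange admin center rule in the digest does. Priority 0 runs it first.
$ruleName = 'Strip X-Originating-IP header'
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -RemoveHeader 'X-Originating-IP' `
        -Comments 'Prevents the sending user local IP from leaving the tenant via webmail' `
        -Mode Enforce `
        -Priority 0
}

# Verification helper: given the raw lines of a message (e.g. Get-Content of a
# saved .eml), return any X-Originating-IP header that still carries an IPv4 value.
function Get-LeakedIpHeaders {
    param([Parameter(Mandatory)][string[]]$MessageLines)

    # The header block ends at the first empty line; a line starting with
    # whitespace is a folded continuation of the previous header.
    $headers = New-Object System.Collections.Generic.List[string]
    foreach ($line in $MessageLines) {
        if ($line -eq '') { break }
        if ($line -match '^\s' -and $headers.Count -gt 0) {
            $headers[$headers.Count - 1] += ' ' + $line.Trim()
            continue
        }
        $headers.Add($line)
    }

    # Match the header name case-insensitively, with or without square brackets
    # around the address, and return the offending header lines.
    $headers | Where-Object {
        $_ -match '^X-Originating-IP:\s*\[?\d{1,3}(\.\d{1,3}){3}\]?'
    }
}

# Constructed sample message (not a real capture) with the header present.
$sample = @(
    'Received: from mail.example.com (constructed sample)',
    'X-Originating-IP: [192.168.1.23]',
    'From: user@example.com',
    'Subject: constructed sample message',
    '',
    'Body text'
)

# Before the rule is in place this prints the X-Originating-IP line; a message
# sent after the rule takes effect should produce no output.
Get-LeakedIpHeaders -MessageLines $sample

Disconnect-ExchangeOnline -Confirm:$false
```

To confirm the rule is working, send a test message through the webmail interface, save it as .eml from the recipient side and pass `Get-Content -Path .\test.eml` to `Get-LeakedIpHeaders`; an empty result means the header was stripped in transit.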
FormGet servers suffer data leak
- An exposed Amazon S3 bucket belonging to FormGet was discovered by an anonymous security researcher. The bucket contained hundreds of thousands of documents dating back to 2013, including user-submitted scans of passports, paychecks, driving licences, loan and mortgage information, confidential internal documents belonging to several banks, resumes, invoices, and more.
- According to TechCrunch, the company has 43,000 customers, but it is unclear how many of these had their data exposed.
Hunt Memorial Hospital District suffers data breach
- Nearly 4,000 patient records have been exposed as the result of a data breach. Stolen data includes patient medical records, Social Security details and related health information.
- All of those affected have been notified, and the hospital is investigating the incident with the FBI.
Louisville Park DuValle Health Center suffers ransomware attack
- Approximately 20,000 health records relating to patients have been encrypted by an unnamed ransomware, and the clinic chose to pay a $70,000 ransom in Bitcoin for the data’s release. The clinic has stated that they should regain full access to the information by August 1st, 2019.
The English Whisky Company suffers data leak
- A database that appears to belong to the English Whisky Company of Norwich, UK, was found by Jeremiah Fowler, a security researcher. The database contained 26,400 records, with the majority of them being customer accounts.
- Fowler attempted to disclose the exposure multiple times, but the database remained exposed for weeks with no response from the company at all. At the time of publication, the database had finally been taken offline, still with no response.
Enterprise VPN vulnerabilities exposed in Palo Alto Networks, Fortinet and Pulse Secure products
- DEVCORE researchers found unauthenticated remote code execution vulnerabilities in Palo Alto Networks GlobalProtect, FortiGate, and Pulse Connect Secure and Pulse Policy Secure.
- The various flaws could allow an attacker to perform a range of malicious actions, including infiltrating corporate networks, obtaining sensitive information and accessing communications.
- All the bugs have now been patched by the companies.
BlueKeep exploit sold as part of new penetration kit
- On July 23rd, 2019, US cyber-security company Immunity Inc announced the inclusion of a weaponized BlueKeep exploit as part of their CANVAS v7.23 penetration testing toolkit. The BlueKeep module released by the company can achieve remote code execution but is not wormable.
50 states’ voting processes ‘probably’ compromised by Russia during 2016 election
- The Senate Committee on Intelligence published the first volume of their report on Russian interference in the 2016 US Presidential election.
- Monitoring suspicious IP activity led the FBI and DHS to conclude that Russian intelligence activity had ‘probably’ occurred in 50 states. The report found that Russian actors collected data on ‘general election-related web pages, voter ID information, election system software, and election service companies’.
- The investigation found that Russia had the capability to manipulate voter data but at present there is no evidence that they did. Investigators proposed that the compromised data could be used in the future and also suggested that Russia wanted to erode Americans’ confidence in the democratic process.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.