Silobreaker Daily Cyber Digest – 26 June 2019
New Silex malware used to brick IoT devices
- Akamai researcher Larry Cashdollar discovered a new strain of malware called Silex that is bricking Internet of Things (IoT) devices. At the time of the report the campaign had been active for less than 24 hours but had already wiped over 2,000 devices.
- The malware works by trashing an IoT device’s storage, dropping firewall rules, removing the network configuration and then halting the device. Silex targets Unix-like systems, leveraging default login credentials. To recover the device, owners need to reinstall the device’s firmware.
- Security researcher Ankit Anubhav confirmed the author of the malware is a 14-year-old going by the pseudonym ‘Light Leafon.’ Light Leafon is said to be planning to rework the malware to become as destructive as BrickerBot, a malware that was active between April and December 2017 and destroyed millions of devices, by adding exploits for multiple vulnerabilities rather than relying on default credentials alone.
Steganography phishing scam campaign targets iOS devices
- Researchers at The Media Trust discovered a steganography campaign involving the Stegoware-3PC malware, targeting devices running iOS version 12 and delivered through a large global demand-side platform (DSP) adtech provider.
- The campaign uses fake ads for well-known brands whose PNG image files carry the Stegoware-3PC payload. Once the ad is clicked, the victim is redirected to a phishing site and prompted to enter personal information to complete a purchase. The personal information is then sent to the malicious C&C server.
- Notably, this malware uses only 149 lines of code compared to almost 2,000 used by ShapeShifter-3PC, a malware with similar purpose.
Phishing scam informs users that Google has awarded them $2.5 million
- Bleeping Computer reported that the phishing email carries the subject line ‘Powered by Google’ and claims to be sent on behalf of Google CEO Larry Page.
- The email comes with an attachment informing recipients of their ‘winnings’ and asks for personal details in return. Requested details include name, address, phone number, age, occupation, and more.
Number of malicious files hosted on Microsoft OneDrive rises by 60%
- Researchers from FireEye charted the increase from Q4 2018 to Q1 2019. WeTransfer, Dropbox and Google Drive also saw an increase in the presence of malicious files during the same period. Google Drive had the second biggest rise behind Microsoft OneDrive, with a jump of just under 20%.
- Researchers wrote that hosting malicious files on reputable file-sharing services has grown in popularity because links to trusted domains pass the initial domain-reputation checks that email security controls apply.
ISO disk image files utilized to distribute LokiBot and NanoCore
- Researchers at Netskope Threat Research Labs recorded the new malspam campaign beginning in April 2019. The attack begins with a generic invoice-themed email carrying an ISO disk image attachment. Researchers stated that the malware authors chose the ISO format because such files are usually whitelisted by email security scanners and are mounted automatically when a user double-clicks them, exposing the executable inside.
- The version of LokiBot Trojan that was detected was similar to older versions but contained a new anti-reversing technique which detected if it was running in a VM or debugger. Once installed, the malware launches its stealer function and can probe web browsers, locate email and file transfer clients and check for remote admin tools, and more.
- NanoCore RAT also scans for debugging tools before performing process injection and establishing persistence through registry modifications. Once NanoCore RAT has a foothold, it captures clipboard data, monitors keystrokes, collects information from document files and connects to an FTP server to upload the stolen data.
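The whitelisting problem above is usually one of extension lists, so the check a mail gateway needs is to identify the ISO 9660 format by content, not by name. The following Python is an added example, not Netskope’s code and not from the campaign: it parses an e-mail message with the standard library and flags any attachment that either carries a disk-image extension or contains the `CD001` volume-descriptor signature at byte offset 0x8001, which is where ISO 9660 places its first volume descriptor. The message, sender and attachment bytes are constructed for the demonstration.

```python
"""Flag e-mail attachments that are ISO 9660 images by extension and by the
'CD001' magic at offset 0x8001, so a renamed image is still caught.
Added example; the sample message is constructed, not from the campaign."""
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 reserves the first 16 sectors of 2048 bytes; the primary volume
# descriptor starts at sector 16, with a type byte followed by "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
RISKY_EXTENSIONS = {".iso", ".img"}


def is_iso9660(data: bytes) -> bool:
    """Content check: true if the ISO 9660 signature sits at the expected offset."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment that looks like a disk image."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        by_ext = any(name.endswith(ext) for ext in RISKY_EXTENSIONS)
        by_magic = is_iso9660(payload)
        if by_ext or by_magic:
            findings.append({"filename": name, "by_extension": by_ext,
                             "by_magic": by_magic, "size": len(payload)})
    return findings


def build_sample(filename: str, attachment: bytes) -> bytes:
    """Constructed invoice-themed message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"          # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice #4821 attached"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


def fake_iso() -> bytes:
    """Bytes carrying only the ISO 9660 primary volume descriptor signature."""
    blob = bytearray(ISO_MAGIC_OFFSET + 64)
    blob[ISO_MAGIC_OFFSET - 1] = 1                    # descriptor type 1 = primary
    blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    return bytes(blob)
```

The second test case below is the one that matters: an image renamed to `invoice.pdf` is still reported because the signature check does not care about the filename. A gateway that only strips `.iso` by extension misses exactly that case.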
Riltok trojan now targeting global audience
- The Riltok mobile banking trojan was previously known to target Russian users specifically. Researchers at Kaspersky Lab have discovered that since late 2018 the malware has been updated to target victims globally.
- Riltok was first discovered in March 2018, and is distributed via SMS with malicious links that prompt the user to download a new version of a popular free ad service app, which actually contains the malware.
- In the Russian version of the malware, it eventually steals bank card details by prompting users to enter the details in a fake window. No such fake windows have been found in the global versions.
Source (Includes IOCs)
Tech support scammers abuse paid search on major internet portals
- Following reports of Microsoft Azure Cloud Services in May 2019 being leveraged to host fake warning pages, researchers at Malwarebytes Labs discovered a major campaign which involves scammers buying ads on major internet portals to lure victims into paying them.
- The ads are displayed as food recipes and once the scammers’ decoy blog is accessed, the victim is redirected to pages on Microsoft Azure that claim their computers are blocked. A phone number is given to call for technical support, where the scammers trick victims into buying a support plan.
- The fraudulent ads have been reported to Google and Microsoft, who have taken down the majority of domains and banned the scammers’ ad campaigns.
Source (Includes IOCs)
Brian Krebs publishes details of Android Supply Chain Attack in bid to assign responsibility
- Following Google’s disclosure on June 6th, 2019 of a breach that resulted in millions of Android devices being preinstalled with the Triada Trojan, security researcher Brian Krebs looked into the possible vendor behind the attack. According to Google, the vendor ‘Yehou’ or ‘Blazefire’ was behind the attack.
- Based on Krebs’ research, these names can be traced back to a Chinese company operating under the names of Shanghai Blazefire Network Technology Co. Ltd., Shanghai Qianyou Network Technology Co. and Shanghai Wildfire Network Technology Co., Ltd.
- The companies appear to be involved in multiple businesses, including mobile phone pre-installation, the development of internet mobile games, and the development of plug-ins.
Leaks and Breaches
Ohio county hit by ransomware
- Fayette County, Ohio, has been hit by a ransomware attack that has left employee email unusable and some data inaccessible. No evidence of corruption or exfiltration of information has been found. The county is currently restoring its data from a cloud storage backup.
Lake City pays cyber criminals following ransomware attack
- Following a ransomware attack on June 10th, 2019, Lake City council paid a ransom demand of 42 Bitcoin, worth approximately $500,000. The attack crippled the city’s computer systems, leaving only the police and fire departments unaffected.
- A week prior to Lake City’s payment, Riviera Beach, Florida, paid hackers a ransom of 65 Bitcoin, approximately $600,000.
Dominion National discovers nine-year-old breach in its computer systems
- Dominion National discovered on April 24th, 2019, that their computer systems had potentially been exposed to an unauthorized party since August 25th, 2010.
- The breach is suspected to have revealed clients’ personal details, Social Security numbers and bank details. There is no evidence that this information has been misused by the intruder.
Industrial tech company ABB patches a dozen vulnerabilities in HMI products
- Researchers at Darkmatter’s XEN1THLABS discovered 12 vulnerabilities in ABB human-machine interface (HMI) products. The bugs affect the CP635 and CP651 control panels and the PB610 Panel Builder 600 engineering tool used to design HMI applications.
- The vulnerabilities can be exploited to bypass authentication, execute arbitrary code, and gain access to information.
- A full list of the vulnerabilities is accessible via XEN1THLABS.
Vulnerability in BlueStacks Android emulator allows attackers to perform remote code execution
- Security researcher Nick Cano discovered the vulnerability, tracked as CVE-2019-12936, in April 2019.
- The vulnerability allows a malicious web page to use DNS rebinding to reach the BlueStacks App Player’s local IPC interface: the attacker’s domain is re-pointed at the loopback address after the page loads, so the victim’s browser relays the page’s requests to the local service. A successful attacker could then call the various IPC functions the interface exposes.
- A fix was released on May 27th, 2019 and should be applied to all BlueStacks versions prior to v126.96.36.1996.
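The root cause of any DNS-rebinding bug is a local service that trusts a request simply because the TCP connection arrives from loopback. The browser still sends the attacker’s hostname in the Host header, so refusing any Host value that does not name the service is the standard fix. The following Python is an added example, not BlueStacks code and not Nick Cano’s proof of concept: it implements that allowlist check, including the port, in front of a minimal local HTTP handler. The port number, host names and the `ipc ok` response are assumptions made for the demonstration, not details of the BlueStacks IPC interface.

```python
"""Host-header allowlist as a DNS-rebinding defence for a loopback service.
Added example; the port, names and response are assumptions, not BlueStacks'."""
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN_PORT = 18080                            # hypothetical local IPC port
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_allowed(host_header, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """True only if Host names this service by an allowed name and, when a port
    is present, the port this service listens on.

    After a rebinding, the browser connects to 127.0.0.1 but sends
    Host: attacker.example, which fails this check even though the socket
    peer is loopback.
    """
    if not host_header:
        return False                            # no Host at all: reject
    host = host_header.strip().lower()
    if host.startswith("["):                    # bracketed IPv6 literal
        name, _, rest = host.partition("]")
        name += "]"
        port_str = rest[1:] if rest.startswith(":") else ""
    else:
        name, _, port_str = host.partition(":")
    if port_str and port_str != str(port):
        return False
    return name in allowed


class IpcHandler(BaseHTTPRequestHandler):
    """Minimal handler that gates every request on the Host allowlist."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ipc ok\n")

    def log_message(self, fmt, *args):          # keep the demo quiet
        pass


if __name__ == "__main__":
    # Bind to loopback only; the Host check is what stops rebinding, since
    # binding to loopback alone does not.
    HTTPServer(("127.0.0.1", LISTEN_PORT), IpcHandler).serve_forever()
```

Binding to 127.0.0.1 is necessary but not sufficient, which is the whole point of the bug class; the Host check (or an equivalent unguessable per-session token) is what actually closes it. An Origin check is a weaker substitute, because browsers do not attach Origin to every request type.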
Sh115 trillion (£888 billion) case filed against Safaricom over alleged data breach
- Benedict Kabugi alleged that 11.5 million Safaricom subscribers had their data exposed. Kabugi claims to have seen the information which belonged to gamblers who used their Safaricom mobile numbers to gamble on various Kenyan registered betting platforms.
Security concerns prompt DJI to assemble drones in US
- Chinese drone maker DJI revealed on June 24th, 2019, plans to assemble drones in California and to build high-security drones for the US government. DJI’s plans are currently pending approval from the relevant US departments.
- DJI’s announcement was preceded by an open letter to Congress rebutting the security concerns raised by US officials and agencies. DJI denies that flight data is ever sent back to China or shared without the express permission of the drone pilot.
Six individuals arrested for €24 million cryptocurrency theft
- In a joint operation between UK’s South West Regional Cyber Crime Unit, the Dutch police, Europol, Eurojust and UK’s National Crime Agency (NCA), six individuals have been arrested in relation to a €24 million cryptocurrency theft. The arrests were made in both the UK and the Netherlands.
- The individuals allegedly ran a typosquatting scheme in which they imitated a legitimate cryptocurrency exchange under a look-alike domain and stole funds from at least 4,000 victims in 12 countries.
Senate Republicans block Democrats’ attempt to bring Election Security Act to vote
- Senator Amy Klobuchar tried to call up the act which contained proposals for backup paper ballots, $1 billion in funding for states to enhance their cybersecurity, and a Presidential cyber security strategy detailing how to protect US institutions from cyberattack.
- Republican Senator James Lankford opposed the bill, citing his belief that election security should not become a partisan issue.
- Lankford and Klobuchar previously proposed the Secure Elections Act during the last Congress and are expected to reintroduce that bill with certain provisions amended.
Several US federal agencies have neglected to adequately protect personal data
- An investigation by the U.S. Senate’s Committee on Homeland Security and Governmental Affairs into eight major US departments has revealed that all eight are still using outdated computer systems that no longer receive security updates and fail to protect personal data, with seven of the eight departments having been assigned the lowest cybersecurity rating by the Office of Management and Budget.
- The 10-month investigation spanned the past 10 years and looked into the Department of Homeland Security, the Department of State, the Department of Transportation, the Department of Housing and Urban Development, the Department of Agriculture, the Department of Health and Human Services, the Department of Education, and the Social Security Administration.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.