Silobreaker Daily Cyber Digest – 26 November 2018
Dr.Web discovers new multifunctional Linux cryptocurrency miner
- The miner is tracked by Dr.Web as Linux.BtcMine.174, and was observed exploiting two privilege escalation vulnerabilities tracked as CVE-2016-5195 and CVE-2013-2094. It spreads by searching for any remote servers the infected device has previously connected to via SSH and attempting to connect to them as well.
- Upon infecting a device, the miner will search for and terminate the processes of other cryptominers and begin mining Monero. It is also capable of finding and disabling Linux-based antivirus solutions on a device.
- Dr.Web also observed the miner downloading the BillGates malware, a DDoS malware with backdoor-like functions.
Source (Includes IOCs)
GreyEnergy uses sophisticated phishing to launch attacks on ICS
- Nozomi Networks has observed the GreyEnergy APT group using tactics and tools that have allowed them to remain undetected by typical detection tools. GreyEnergy is known for targeting industrial networks across Ukraine and Eastern Europe for several years.
- Discovered in Ukraine and Poland, the group used phishing emails carrying a malicious Word document written in Ukrainian to infect its victims with ICS malware. Once opened, the document tries to load a remote image before the viewer enables macros. The embedded code was then decompressed and extracted by the researchers using the oledump tool.
- Security researcher Alessandro Di Pinto stated that the threat actors had implemented custom algorithms that are ‘not too hard to defeat, but hard enough to protect the malicious payload.’ In addition, he wrote that they used a broad range of anti-forensic techniques, such as wiping in-memory strings.
New Zealand online stores affected by credit card skimmers
- According to a report by the New Zealand Herald, security researcher William de Groot found that 24 online shopping sites with .nz domains contained credit card skimmers. The compromised sites were reported to New Zealand’s CERT.
AppRiver researchers uncovered phishing campaign targeting Spotify
- Discovered in November this year, the campaign used emails to trick Spotify users into providing account credentials. The messages contained a link leading to phishing websites, prompting users to enter their usernames and passwords.
- Attackers used these credentials to compromise Spotify accounts, as well as accounts on other services that used the same credentials.
Two Ohio hospitals hit by ransomware
- The Ohio Valley Medical Center and East Ohio Regional Hospital were attacked by ransomware on November 23rd, 2018.
- A spokesperson for the two hospitals stated that no patient information was breached.
Leaks and Breaches
Dolce & Gabbana reports Instagram hack
- The fashion house stated that offensive remarks towards Chinese people published on its Instagram account, and that of its co-founder Stefano Gabbana, were the work of a hacker.
Data breach affects employees of Australian emergency services
- The Australian government is investigating a data breach that affected several emergency service providers in the state of Victoria. The data, which was exposed online, includes personal details of emergency services staff such as addresses and medical information.
Largest Brazilian professional association suffers data leak
- Security researcher Bob Diachenko found three exposed databases belonging to Brazil’s Federation of Industries of the State of Sao Paulo (FIESP). The data leaked includes names, IDs, Social Security numbers, full addresses, emails and telephone numbers. The largest exposed data source contained 34.8 million records.
- Diachenko discovered that the databases could be accessed through the Elasticsearch engine on November 12th, 2018. According to the researcher, the data remained exposed for several days until the databases were taken down by FIESP.
VMware patches Workstation flaw disclosed at Tianfu Cup PWN Competition
- CVE-2018-6983 is an integer overflow vulnerability in the virtual network devices that could allow a guest to execute code on the host. The vulnerability was discovered by Tianwen Tang of Qihoo, who received $100,000 for his demonstration of a successful exploitation of the flaw.
- The flaw affects Workstation 14.x and 15.x on any platform, and Fusion 10.x and 11.x on macOS.
Unpatched DoS vulnerabilities found in Linux kernel
- CVE-2018-19406 resides in the kvm_pv_send_ipi function of the Linux kernel, affecting versions up to 4.19.2. The flaw could allow attackers with local access to the vulnerable machine to trigger a DoS state using specially crafted system calls. The flaw is triggered because the Advanced Programmable Interrupt Controller fails to initialise properly.
- CVE-2018-19407 resides in the kvm_pv_send_ipi function found in the arch/x86/kvm/lapic.c source code file. Local attackers can exploit the vulnerability by submitting maliciously crafted system calls that trigger a NULL pointer dereference condition. The flaw is triggered because the I/O Advanced Programmable Interrupt Controller fails to initialise.
US government report states China increased hacking attempts to steal American technology
- The report from the Office of the United States Trade Representative stated that during the period of mid-2017 to mid-2018 Chinese state sponsored hackers were allegedly attacking firms in sectors associated with cloud computing, IoT, agricultural intelligence, biomedicines, rail and more.
- In addition, CrowdStrike observed that Chinese state hacking had increased in pace and volume, while FireEye/Mandiant stated that previously inactive hacking groups had now been reactivated. Chinese state-sponsored hackers have also reportedly become more sophisticated, developing new ways of concealing their attacks and using tools that leave few unique traces.
Social network website Knuddels.de fined under GDPR
- The German chat platform suffered a data breach in July 2018 which resulted in the compromise of 808,000 email addresses and 1.8 million usernames and passwords.
- The platform was fined €200,000 over the breach by the Baden-Württemberg Data Protection Authority. It had stored the passwords in plain text and had not ensured any form of protection for sensitive data.
Ukrainian police arrest hacker on charges of infecting 2,000 users worldwide with DarkComet
- The hacker was arrested for infecting victims with the DarkComet remote access trojan. The RAT is able to take screenshots, log keystrokes, steal documents as well as install additional malware, disable OS features, and steal passwords.
UK MPs seize Facebook documents to investigate Cambridge Analytica controversy
- The UK parliament used legal powers to force the American software company Six4Three to hand over internal documents relating to Facebook, after Facebook founder Mark Zuckerberg refused to answer questions from MPs.
LinkedIn violates data protection law through targeted advertising aimed at non-members
- A report by the Irish Data Protection Commissioner (DPC) revealed that LinkedIn used 18 million email addresses of non-members in a targeted advertising campaign on Facebook in 2017. It remains unclear where the emails were obtained from.
- Further investigation by the DPC uncovered that LinkedIn was also pre-constructing suggested professional networks for non-members.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.