Threat Reports

Silobreaker Daily Cyber Digest – 26 October 2018



New FilesLocker ransomware distributed as RaaS  

  • The MalwareHunterTeam spotted a new ransomware dubbed FilesLocker that is offered as ransomware-as-a-service (RaaS). FilesLocker was found being marketed on a Chinese hacking and malware forum located on TOR.
  • Affiliates are offered a 60% commission on all ransom payments when signing up and depending on the traffic generated, commissions can be as high as 75%.
  • FilesLocker was found to target Chinese and English language speakers. Although described as ‘not very advanced’, it is fully functional, Bleeping Computer states.



New DemonBot Botnet leverages vulnerable Hadoop installations

  • Attackers have recently sought to increase the power of their botnet by compromising vulnerable Hadoop installations via publicly available exploits. Hadoop servers are reportedly stable and a good alternative to less capable devices.
  • The botnet, DemonBot has grown from using a few servers since September, to 70 servers that search the web for vulnerable Hadoop installations to compromise. Cyber security company Radware have noticed a growth in activity to over one million exploitation attempts daily.



Ongoing Campaigns

Researchers detect new activity and infrastructure attributed to Cobalt Group

  • While investigating ongoing Cobalt Group campaigns, researchers from Palo Alto Networks’ Unit 42 discovered a new infrastructure and activity associated with the attackers.
  • Throughout October 2018, the researchers detected a new phishing campaign in which emails containing malicious PDF documents were sent out to several banking entities worldwide. The legitimate-looking PDF documents lured victims into clicking a link to download a malicious macro.
  • They were able to link this specific campaign to Cobalt Group through ‘specific aspects of the macro builders and metadata the actors left behind’.

Source (Includes IOCs)


Decryption tool for GandCrab versions 1, 4 and 5 released

  • Bitdefender released a new decryption tool for GandCrab ransomware versions 1, 4 and 5. According to their blog post, the antivirus company is also currently working on a decryptor for versions 2 and 3.



Threat actors discuss bypassing CAPTCHA on DDW forum

  • Flashpoint researchers have detected ongoing interest in bypassing CAPTCHA authentication on an ‘entry-level, English-language, black-hat search engine optimization (SEO) forum’.
  • The discussion featured bypassing CAPTCHA using Python and Selenium scripts or implementing open-source and legitimate bypass services that are designed to aid visually impaired or dyslexic individuals.
  • In addition, two illicit tools were being discussed. The first appears to be a stolen copy of a social media marketing software. The second is a SEO software used for spamming internet forums and comment sections.



Malware distributors adopt DKIM to bypass mail filters

  • After US Cert published a report with recommendations on how businesses can mitigate their exposure to the Emotet banking trojan, the criminals behind the attacks have adopted new techniques to bypass these recommendations.
  • One of the US CERT recommendations was to use Domain-based message authentication, Reporting and Conformance (DMARC) which checks if emails are genuine. DMARC relies on ‘Sender Policy Framework’ (SPF) and ‘Domainkeys Identified Mail’ (DKIM) in order to work.
  • The threat actors have reportedly discovered a mechanism to circumvent DMARC controls by using the domain hijacking technique, in which they took hijacked domains and created new subdomains with _domainkey.



Phishing attacks registered targeting 131 universities

  • Kaspersky Lab registered phishing attacks against universities in 16 countries. The majority of the attacks occurred on universities in the US, the UK, Australia and Canada.
  • The most targeted universities in 2018 are the University of Washington, Cornell University and the University of Iowa.



Google blocks new ad fraud scheme present on a number of applications and websites

  • The company stated that it had blocked certain apps and websites generating invalid traffic, after Buzzfeed News alerted them to the fraud.  The malware creates hidden browser windows that visit web pages to fraudulently inflate ad revenue.
  • The web-traffic was generated by a small botnet dubbed TechSnab.



New campaign abuses misconfigured Docker API ports to deliver cryptocurrency miner

  • Trend Micro researchers recently discovered attacks against systems running Docker Engine-Community with Docker API ports exposed. They found that the activity was focused on open ports 2375/TCP and 2376/TCP used by the Docker engine daemon (dockerd). The system was found to be abused for the purpose of installing the XMRig cryptocurrency miner.
  • According to the researchers, the exposed API ports are the result of misconfigurations that were manually set up by the user at administrative level. They also found that many organizations still have misconfigured Docker ports and are particularly located in China. Other countries in which exposed systems were identified are the US, France, Germany, Singapore, Netherlands, the UK, Japan, India, and Ireland. The majority of exposed systems were also found to be running on Linux OS.

Source (Includes IOCs)


Leaks and Breaches

British Airways finds more customers affected by MageCart data breach

  • While investigating the MageCart data breach from September 2018, British Airways have found that the holders of additional 77,000 payment cards may have had their data stolen. This data includes names, billing addresses, email addresses, card numbers, card expiry dates and CVVs. A further 108,000 payment cards were exposed without CVVs.
  • According to the airline’s statement, only customers who made ‘reward bookings between April 21st and July 28th, 2018, and who used a payment card’ were affected. They also state that their investigation revealed that out of the original 380,000 payment card details said to have been compromised, only 244,000 were actually affected.



Democratic fundraising firm exposes client data through unprotected storage device

  • The authentication of a network attached storage (NAS) device belonging to Rice Consulting, a fundraising firm for the Democratic Party, was left disabled, publicly exposing client data and allowing it to be detected by Shodan or Google’s IoT search engine.
  • The exposed data on the Buffalo TeraStation NAS device included client information, details on thousands of fundraisers (phones, names, addresses and companies), contracts, meeting notes, desktop backups and employee details.
  • According to security researcher Bob Diachenko, the most significant exposure was that of passwords to database resources ‘including access details to NGP – a privately owned voter database and web hosting service provider used by the American Democratic Party, Democratic campaigns and other non-profit organizations authorized by the Democratic party’. These were stored in an unencrypted Excel spreadsheet.




Vulnerability discovered in construction crane controllers allows wireless hijacking of equipment

  • US-CERT has issued a warning regarding a vulnerability, tracked as CVE-2018-17935, in Telecrane F25 series controllers which are used by construction crews to remotely control building cranes.
  • The flaw is described as a ‘capture replay vulnerability’ that could permit attackers to intercept radio transmissions between the crane and the controller and potentially spoof commands to seize control over the crane.



Vulnerability discovered in Microsoft Office suite that impacts Office 2016

  • Cymulate discovered a JavaScript code execution vulnerability in an embedded video component of Microsoft Office Suite.
  • The bug resides in the .xml file and could allow hackers to replace the YouTube iframe code with malicious HTML or JavaScript script.



Vulnerabilities discovered in Sophos HitmanPro.Alert

  • Sophos HitmanPro.Alert is a malware detection and protection tool. Both vulnerabilities exist in the IOTCL handler function of version
  • The first vulnerability, tracked as CVE-2018-3970, is an exploitable memory disclosure flaw which could be exploited by sending a specially crafted IOCTL request to the hmpalert device, which results in the contents from the privileged kernel memory returning to the user.
  • The second vulnerability, tracked as CVE-2018-3971, can also be exploited by sending a specially crafted IOCTL request to the hmpalert device, which allows a user to write memory, resulting in remote code execution and privilege escalation.



Linux and BSD distros impacted by vulnerability

  • CVE-2018-14665 impacts the distros using the X.ORg server package, and can be exploited by attackers to elevate privileges and gain root access via a terminal or SSH session.
  • The flaw is caused by improper handling of two command-line options, allowing potential attacks to elevate privileges or overwrite local system files.



Vulnerabilities in ASRock drivers patched

  • The vulnerabilities exist in AsrDrv101[.]sys, AsrDrv[.]sys low-level drivers. Attackers can exploit the flaw to elevate privileges on the system.
  • The four flaws can be abused to run code with elevated privileges (CVE-2018-10709), (CVE-2018-10710), (CVE-2018-10712) and execute arbitrary ring-0 code (CVE-2018-10711).



General News

Chinese and Russians spies eavesdrop on President Trump’s personal phone calls

  • Officials have stated that American spy agencies have become aware, via human sources from inside foreign governments, of China and Russia eavesdropping on the President’s phone calls, as well as intercepting communications between foreign officials.
  • The President has reportedly been informed.



North Korea behind Marine Chain platform cryptocurrency scam

  • The Insikt Group report that an asset-backed cryptocurrency, Marine Chain, was actually a scam run by the North Korean Kim regime designed to raise funds for the latter.
  • The scam was reportedly run by North Korea enablers based in Singapore.



Former Virginia high school teacher pleads guilty to Celebgate hacking scheme

  • Christopher Brannan accessed the email and social media accounts of 200 celebrities by correctly answering the security questions on their Facebook accounts, as well as through phishing emails.



Information Commissioner’s Office fines Facebook over Cambridge Analytica

  • The ICO fined Facebook the maximum fine of £500,000 over its processing of user information without consent. Facebook allowed developers to access users’ and friends of users’ data, which resulted in Aleksandr Kogan harvesting 87 million users’ data and sharing it with Cambridge Analytica.



Australian woman arrested over Ripple cryptocurrency theft

  • The Sydney-based 23-year-old woman was arrested following a 10-month investigation into the half a million dollar theft of Ripple cryptocurrency from a 56-year-old man.
  • The man’s email account was hacked and he was locked out of his Ripple account.



Experts Antonio Pirozzi and Pierluigi Paganini present Botchain

  • Botchain is the first functional botnet built upon the blockchain protocol. It is a system ‘read-only’ by design, resilient to data modification and provides the recording of transactions between parties without the need of a third-party.
  • Pirozzi and Paganini actively demonstrated how the blockchain could be used for malicious purposes, such as delivery of a malware control mechanism, botnet commands or a malware distribution mechanism.
  • Their research demonstrates that it is possible to ‘abuse blockchain technology to set up a command and control mechanism for malware that leverage blockchain.’



The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 14 June 2019

      Ongoing Campaigns Trend Micro discover new campaign using NSA leaked tools to deliver cryptominers Trend Micro researchers discovered an ongoing cryptojacking campaign infecting...
  • Silobreaker Daily Cyber Digest – 13 June 2019

    Malware Palo Alto’s Unit 42 report on evolving Hide ‘N Seek botnet Unit 42 have discovered a variant of the Hide ‘N Seek botnet...
  • Silobreaker Daily Cyber Digest – 11 June 2019

      Ongoing Campaigns MuddyWater uses multi-stage backdoor POWERSTATS V3 and new post-exploitation tools Trend Micro researchers detected new campaigns that appear to be operated...
View all News

Request a demo

Get in touch