Threat Reports

Silobreaker Daily Cyber Digest – 27 June 2019


Ongoing Campaigns

Symantec discovers 152 fake Jio Android apps delivering malicious ads

  • The apps were discovered circulating online, masquerading as legitimate apps from Reliance Jio Infocomm Limited, the largest 4G network in India.
  • The apps were developed under 21 different package names and claim to provide an additional data allowance of 25GB or 125GB for Jio customers; once installed, however, the devices are used to generate advertising revenue for the apps’ developers.
  • When the malware is launched, the main screen uses the same user interface and structure as the legitimate app. The app requests the victim’s mobile phone number and shows a dummy loading spinner to convince the victim that their eligibility for the free data is being checked.



Cloud Hopper campaign targeted eight major information technology service providers

  • A Reuters investigation into the global cyber-espionage campaign called ‘Cloud Hopper’ has revealed that a total of eight technology service providers were targeted as part of the campaign. Alongside Hewlett Packard Enterprise (HPE) and IBM, the investigation found that Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology were also targeted. It remains unclear how many companies were breached as a result.
  • The Cloud Hopper campaign was first discovered in 2016 after Ericsson found that their systems had been infiltrated by threat actors via HPE’s cloud computing service. Its aim is said to be to steal corporate and government data and secrets to boost Chinese economic interests.
  • It is believed the campaign is connected to the Chinese Ministry of State Security and APT10. Two Chinese nationals, allegedly members of APT10, were indicted by the US for identity theft and fraud in December 2018 in relation to the campaign. The Chinese government has denied any involvement.



YouTube scams pushing njRAT trojan

  • Security researcher ‘Frost’ discovered a new campaign that pushes the known information stealing backdoor njRAT via YouTube videos promising free Bitcoins.
  • The videos usually have the string ‘FREEBITCO IN’ in their titles, or descriptions and a link that redirects to a site requesting the user to download a ‘Freebitcoins 2019 Update Script’ which contains the hidden malware. 
  • Frost believes such video scams will continue as the price of Bitcoin continues to rise.



Wipro breach related to much larger ‘Gift Cardsharks’ campaign

  • Following the breach of IT supplier Wipro in April 2019, RiskIQ’s analysis reveals this breach to be part of a much larger ‘Gift Cardsharks’ campaign targeting major gift card retailers, distributors and card processors. The campaign is believed to be ongoing since at least 2016, with over 50 companies from various industries targeted.
  • Using phishing emails, the threat actors gained access to companies’ gift card infrastructure as part of a monetizing process, indicating a financial motive behind the campaign.
  • Commercially available and open-source software was used in the attacks, making attribution difficult. These include the PowerShell script BabySharkPro, commonly associated with North Korean threat activity, however, it may have also been put in place to mislead researchers.



GreenFlash Sundown exploit kit used in new campaign

  • Researchers at Malwarebytes Labs observed the GreenFlash Sundown exploit kit being used in a new campaign targeting the US and Europe, marking the first time it has been used beyond Asia.
  • The attackers behind GreenFlash Sundown are known to compromise ad servers run by website owners to inject malware into ads served by the publishers. People navigating to an affected site will be sent to the exploit kit, which downloads a ransomware, as well as dropping Pony and a coin miner.



Researchers analyse ViceLeaker Operation

  • Researchers at Kaspersky Lab analysed the so-called ‘ViceLeaker’ Operation, a mobile espionage campaign targeting devices belonging to Israeli citizens. The campaign was first discovered in May 2018.
  • A Smali injection technique is used by the attackers to backdoor legitimate applications, which allows them to disassemble the code of the original app and add their malicious code. This allows the attackers to exfiltrate SMS messages, call logs and other data.



Hacker Groups

Analysis published on similarities and differences between MuddyWater and APT34

  • Cybersecurity researcher Marco Ramilli published an analysis comparing the Python coding style of the MuddyWater group and APT34.
  • According to Ramilli the main differences between the two groups are the printing function and writing style. The main similarities include the usage of code functions and loops.



Iranian threat actor prepares for widespread activity primarily targeting Saudi organizations

  • Insikt Group has found that the Iranian hacker group APT33, or a closely aligned threat actor, appears to be conducting and preparing for widespread activities. Researchers conducted domain analysis and observed 728 domains communicating with infected hosts.
  • The attackers also appear to have a predilection for commodity malware and publicly hosted tools. This allows the group to hide amongst the activity of other threat actors and hackers.
  • The attacks have targeted a diverse array of organizations, primarily in Saudi Arabia. Researchers warned organizations in Saudi Arabia and the West who had been targeted by APT33 in the past to remain vigilant.



Leaks and Breaches

Sun Prairie, Wisconsin, suffers data breach

  • On June 25th 2019, the city of Sun Prairie notified individuals of a data breach that affected employees’ email accounts between January 16th and March 6th 2019.
  • The city notified individuals whose details may have been in the email accounts. Details included names, Social Security numbers, financial account numbers, medical information, and more.



Hackers steal over $4.5 million worth of cryptocurrency from Bitrue

  • A hacker or hacking collective stole 9.3 million Ripple coins and 2.5 million Cardano coins, worth approximately $4.25 million and $225,000 respectively.
  • The company revealed the theft via a Twitter statement on June 26th 2019. Moreover, they stated that they had tracked the funds to accounts at several other cryptocurrency exchange platforms and were in the process of recovering the stolen capital.




Safety flaw discovered in Boeing’s 737 Max airplanes

  • During simulator tests, the manufacturer discovered that the 737 Max’s new control software locked up a microprocessor, resulting in the plane entering a nosedive. The code that affected the hardware was part of a firmware update intended to address other significant flaws in MCAS.



Chrome updates released with mitigations for Microarchitectural Data Sampling vulnerabilities

  • The Chrome OS 75 update includes mitigations for the speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling (MDS), which could leave systems open to attack. The vulnerabilities, called RIDL, Fallout and ZombieLoad, were disclosed in May 2019.
  • The speculative execution attacks could allow malicious programs to access memory locations and steal data.
  • To mitigate the attacks, Chrome OS 74 disabled hyper-threading by default. It is unknown whether hyper-threading will be re-enabled in Chrome OS 75.



AMD patches flaw in Secure Encrypted Virtualization technology

  • AMD discovered that ‘if using the user-selectable AMD secure encryption feature on a virtual machine running the Linux operating system, an encryption key could be compromised by manipulating the encryption technology’s behaviour’.
  • The flaw affects AMD Epyc servers running SEV firmware version 0.17 build 11 and earlier.



SEMrush patches remote code execution flaw in SaaS platform

  • The flaw could have enabled an attacker to upload a malicious image to the service and obtain a reverse shell. It existed due to a problem with how SEMrush handled logo images uploaded to the platform, combined with the use of an unpatched version of ImageMagick.
  • The vulnerability only impacted a specific portion of the platform, the part responsible for generating reports.
  • Details of the flaw were shared by a white hat hacker on Monday of this week; the issue was first reported in August 2018 and fixed within an hour.



EA vulnerability could have led to account takeover and theft of user data

  • Check Point researchers identified two vulnerabilities that had the potential to leave 300 million users at risk. Researchers took advantage of EA’s cloud-based structure to hijack an unused Microsoft Azure based subdomain and monitor requests made by EA users.
  • An attacker who performed this process would then be able to use EA Games authentication tokens with the OAuth Single Sign-On and TRUST mechanism to access users’ login details.
  • Check Point researchers notified EA, who resolved the issue prior to the details of the vulnerability being published.



X-VPN tunneling software poses risk to network operators and VPN users

  • Researchers at Palo Alto Networks Unit 42 observed that X-VPN can be used to bypass security and policy enforcement mechanisms by mimicking popular protocols and services. Consequently, protection systems are unable to inspect the data packets, which can allow malicious traffic to enter the network and sensitive data to leave it.
  • X-VPN uses custom encryption of TCP and UDP payloads, runs approximately 10,000 server instances and replaces 300-500 server instances daily.



Huawei devices contain wealth of vulnerabilities

  • Finite State scanned for vulnerabilities in more than 1.5 million files within nearly 10,000 firmware images, which supported 558 products. Researchers found that 55% of devices had at least one backdoor and that each firmware image had on average 102 vulnerabilities.
  • One of the reasons given for the multiple vulnerabilities was Huawei’s development process, which included engineers using software libraries that were two decades old.
  • Researchers concluded that ‘Compared to similar devices from other vendors, we quantitatively demonstrate that Huawei has substantially worse security’.



Microsoft Excel tool weakness allows attackers to remotely embed malicious payload

  • Researchers at Mimecast Threat Centre found and developed a technique using the Excel Power Query tool to launch remote Dynamic Data Exchange attacks from within an Excel spreadsheet.
  • Power Query is a Business Intelligence tool that allows users to integrate their spreadsheets with other data sources. Linked sources can be loaded and saved into spreadsheets or loaded dynamically. The researchers found that attackers could drop and execute malware by embedding malicious content in data sources linked in the spreadsheet.
  • They stated that the exploit is so powerful that attackers could use Power Query to gain pre-payload and pre-exploitation control, allowing them to fingerprint a sandbox or a target’s machine.



Cisco’s Data Center Network Manager (DCNM) affected by vulnerabilities

  • Security researcher Pedro Ribeiro discovered multiple vulnerabilities in Cisco’s DCNM product, two of which are classed as critical. An information disclosure issue was also found, which could be exploited to obtain log files and diagnostic information from targeted devices.
  • The critical flaws, tracked as CVE-2019-1620 and CVE-2019-1619, allow for the potential upload of arbitrary files to the affected device and execution of code with root privileges by unauthenticated attackers. In addition, they also enable attackers to bypass authentication and perform arbitrary activities with admin privilege, respectively. The third vulnerability, CVE-2019-1621, classed as high severity, enables a remote attacker to access and download sensitive files.
  • Patches have been released for the three vulnerabilities. No patch is available for the information disclosure issue.



General News

Australia and the US create new cybersecurity center in Adelaide

  • The Jeff Bleich Centre for the US Alliance in Digital Technology, Security and Governance opened on June 26th, 2019 at Flinders University. The centre is designed to allow South Australian researchers to work with the US to improve cyber intelligence capabilities.
  • Ambassador Bleich opened the centre, stating that ‘Our nations – both separately and together – must operate in new ways to preserve our values and protect our people and allies in new battle spaces.’



Information Commissioner’s Office (ICO) issues Met with notice following GDPR failure

  • The ICO issued the Metropolitan Police (Met) with two enforcement notices after failures under GDPR and its precursor the Data Protection Act 1998.
  • The ICO found that the Met failed to respond to subject access requests (SARs) from citizens. More than 1,100 SARs were still open and 680 of those were over three months old.



Google faces a class action lawsuit for allegedly violating EU data privacy laws

  • UFC-Que Choisir, a French consumer rights group, announced on June 26th, 2019, that it had commenced a lawsuit against Google in order to ‘end the insidious exploitation of users’ personal data, particularly those using Android devices with a Google account, and compensate them for up to 1,000 euros’.
  • According to the claimants, Google’s terms of service violate its users’ privacy rights as defined by the EU’s data privacy laws.
  • This class action is the third lawsuit Google will face in a French court this year, after earlier being accused of violating the EU’s General Data Protection Regulation and of maintaining abusive clauses in its service conditions.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
