Threat Reports

Silobreaker Daily Cyber Digest – 27 September 2019



Downloader malware uses Microsoft SQL to deliver RATs, keyloggers, and downloaders

  • In late August 2019, researchers at Proofpoint discovered an unidentified attacker using Microsoft SQL queries to retrieve next stage payloads. The downloader malware, which the researchers dubbed WhiteShadow, has been observed delivering Crimson RAT, Agent Tesla, AZORult malware, keyloggers and downloaders. 
  • Upon opening a malicious Microsoft Office document and enabling macros, WhiteShadow runs SQL queries against Microsoft SQL Server databases that are controlled by the attackers.  The database contains ASCII-encoded strings, when retrieved the macro decodes the string which is written to disk as a PKZip archive of a Windows executable.
  • Since WhiteShadow was first discovered, the attackers have added simple obfuscation techniques, such as changing code by adding randomised strings and altering the spelling of variables.

Source (Includes IOCs) 


Nodersok malware infects thousands of machines

  • Researchers at Microsoft identified Nodersok malware, which infects victims when they download and run an HTML application file through compromised adverts. The attack chain uses JavaScript and PowerShell scripts to download and install the Nodersok payload.  During the infection process, various instances of PowerShell attempt to disable Windows Defender, disable Windows updates, and more.
  • The attack uses two legitimate tools, Nodejs framework and WinDivert, to achieve persistence on a victim’s machine. The attackers aim to compromise the target system in order to turn infected machines into proxies to relay malicious traffic.
  • The campaign has targeted consumers and organisations in the US and Europe.

Source (Includes IOCs)


Ongoing Campaigns

Fake DHL email targets Chinese recipients with REvil ransomware

  • Security researcher ‘onion’ discovered that unidentified threat actors are targeting Chinese recipients with an email which purports to come from DHL. The email contains a form which purports to be a custom document, but is in actuality an executable. 
  • Targets who attempt to download the attachment will infect their system with REvil ransomware
  • Once downloaded, the ransomware will delete the target’s Shadow Volume Copies, encrypt their files, and leave a ransom note on the target’s system with direction to a Tor payment site.

Source (Includes IOCs)


Hundreds of fake apps found to be disguising as legitimate apps

  • Researchers at Trend Micro discovered hundreds of fake apps masquerading as legitimate apps that, once downloaded, turn into gambling apps. The apps were discovered on Google Play and iOS App Store, some of which were ranked in the Top 100, but have since been removed.
  • The apps were found to be able to bypass the app stores’ security checks by initially being submitted as a normal app for the first review, after which the threat actors would switch off the API, allowing them to decide whether to show or hide the actual app content. With the API switched off, the threat actor would then update the app with implanted WebView and have the app go through a second review before switching the API back on.
  • The researchers noted that generally gambling apps are allowed on the app stores, however that they are illegal in certain countries and the app stores have strict rules regarding such apps, which could be a reason the threat actors decided to bypass the security checks.

Source (Includes IOCs)


Leaks and Breaches

DoorDash hack exposes data of 4.9 million people

  • On September 26th, 2019, DoorDash revealed that an unauthorised third party accessed company data. The breach took place on May 4th, 2019,  and exposed the details of approximately 4.9 million customers, workers, and merchants who used DoorDash before April 5th, 2018.
  • Exposed data includes names, email addresses, delivery addresses, hashed and salted passwords, and more. DoorDash have not revealed details about the cryptographic hashing method which was used to protect passwords.
  • Financial details were also exposed in the breach, and delivery workers and merchants had the last four digits of their bank accounts exposed, whereas customers had the last four digits of their payment card leaked.



Vodafone customers in New Zealand able to view other customer’s details

  •  On September 25th, 2019, Vodafone customers in New Zealand who used the company’s app were able to see account details for other customers. An error caused by an ‘unexpected caching issue’ app caused customers to see another user’s information when they attempted to log into their own account.



Two Canadian hospitals targeted in cyberattack

  • Listowel Memorial Hospital and Wingham & District Hospital, who share the same infrastructure through Listowel Wingham Hospitals Alliance, were hit by a cyberattack on September 25th, 2019. As a precaution, the hospitals’ networks were taken offline. The nature of the attack remains unclear. No evidence has been found that patient records were compromised.



Italian online football shop exposes 408,995 records

  • Researchers at Security Discovery identified an exposed Elasticsearch cluster that belonged to Italian football accessory shop Calcioshop. The database exposed the 408,995 records which contained names, email, phone numbers, billing information, IP addresses, and more.
  • Security Discovery contacted the company but received no response. The database was removed on September 19th, 2019, after the researchers contacted the Italian CERT.

Source (Includes IOCs)



Cloud hosting companies using OnApp vulnerable to server take-over

  • A vulnerability in the cloud orchestration product from OnApp, tracked as CVE-2019-12491, could allow an attacker to compromise an entire private cloud and achieve remote code execution with root privileges. According to the researchers that discovered the flaw, it could impact all companies using OnApp, with 100,000 of servers and business potentially vulnerable to compromise.
  • OnApp has since released a patch. OnApp noted that only OnApp Control Panel needs to be updated and that there is no need to compute resources or backup servers.

Source 1 Source 2


VMware ESXi vulnerable to command injection vulnerability

  • Researchers at Fortinet identified a vulnerability, tracked as CVE-2017-16544, in VMware ESXi. The issue is caused by the built-in BusyBox function failing to sanitize filenames. An attacker could trigger the flaw by creating a PoC file which triggers when a legitimate user attempts to access, modify, or delete the file.



General News

Airbus targeted multiple times in past year

  • According to two security sources, several suppliers of Airbus were targeted in four major cyberattacks in the past 12 months and the sources ‘suspected a China link.’ Rolls-Royce, Expleo and two other French contractors are said to have been targeted.



Microsoft plans to expand list of banned file extension in Outlook for the Web

  • Microsoft is planning on adding 38 new file extensions to their list of blocked extensions in Outlook. The file extensions are often used to deliver malware, additionally, Microsoft stated that ‘the newly blocked file types are rarely used’. The additional file extensions include certain Java, Python, and Powershell file types. 



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • COVID-19 Alert – 06 June 2020

    Silobreaker's Daily COVID-19 Alert for 06 June 2020
  • Cyber Alert – 06 June 2020

    Cyber Alert: CPA Canada Breached and 329,000 Members' PIIs Exposed...
  • COVID-19 Alert – 05 June 2020

    Silobreaker's Daily COVID-19 Alert for 05 June 2020
View all News

Request a demo

Get in touch