Silobreaker Daily Cyber Digest – 28 May 2019


Ongoing Campaigns

WalletGenerator website found hosting new code including a backdoor

  • Researchers from MyCrypto discovered that the website for WalletGenerator was generating suspicious private keys that left funds stored in the wallets open to theft. The website provides code for the creation of paper wallets for 197 cryptocurrencies.
  • The researchers compared the code hosted on GitHub with the code served by WalletGenerator and found that between August 17th and 25th, 2018, the WalletGenerator code was altered to change the way it produced random numbers, which are a key element in ensuring private keys are secure.
  • In the previous code, mouse movements and key presses provided by the user supplied the random input necessary to produce unpredictable numbers. The changed code ignored this user input and instead used images supplied by the site. In addition, the researchers discovered that the changed code also asked the user to download an image which served a backdoor.



Attackers target business users with HawkEye Keylogger

  • A report by IBM X-Force states that attackers have been observed targeting businesses globally over the last two months with the HawkEye keylogger. The attackers used malspam to target organisations in several industries including transport, logistics, healthcare, marketing, agriculture, and more.
  • HawkEye is capable of stealing information from infected devices and can also behave as a loader by leveraging botnets to fetch other malware onto the infected device, as a service for third-party cyber criminals. In this instance, the keylogger is being used to steal credentials and sensitive data from business users for future business email compromise attacks.
  • The malspam emails contain fake commercial invoices which drop the malware in the background when opened by the recipient. The malware then gains persistence on the victim’s computer by using an autoscript in the form of an executable, which adds itself as an AutoRun entry to the Windows Registry.



Bitcoin scam installs ransomware or password stealing trojans

  • The scam, discovered by a researcher under the alias ‘Frost’, consisted of a series of websites pushing a scam that promised $5-30 worth of bitcoins a day for running their Bitcoin Collector program, but instead delivered ransomware and trojans.
  • The scam is promoted via sites that promise to pay in Ethereum if you refer others to the site, which includes an image stating you can earn $15-45 Ethereum a day ‘for free and automatically’. If the image is clicked upon, an additional page promoting ‘Bitcoin Collector’ will be loaded.
  • If the site visitor downloads the attached Zip file then numerous other files will be generated, including an executable called BotCollector[.]exe, which launches a program called ‘Freebitco[.]in – Bot’, which subsequently launches a malware payload. The campaign drops either a ransomware, which in this case was Marozka Tear ransomware, or a password stealing trojan, which in this instance was the Baldr infostealer.



Email scam targeting online banking customers

  • An email scam targeting users of ANZ online banking has been discovered. It attempts to phish usernames, passwords and answers to secret questions by sending an email stating that the victim’s BPAY payment has been successful, with a link to view a transaction history included at the bottom. Upon clicking on this, a user will be redirected to a clone of ANZ’s site, asking them to log in.



GandCrab Ransomware found targeting MySQL Databases

  • Security researchers at Sophos discovered attackers targeting MySQL servers to install the GandCrab ransomware on May 19th, 2019.
  • The attacker initially established whether the database server was running MySQL, and then, using SQL database commands, uploaded a small helper DLL to the server, and finally invoked this DLL as a database function to retrieve a GandCrab payload.
  • The attacks targeted insecure or misconfigured MySQL databases or firewalls, including MySQL servers with exposed port 3306, the default port used by MySQL.

Source (Includes IoCs)


Ride hailing platform Yidao Yongche targeted in ransomware attack

  • Yidao Yongche announced on May 26th, 2019 that their core data had been encrypted and that attackers were demanding a large payment in Bitcoin.
  • Consequently, the company has shut down some of their servers while they attempt to resolve the issue.



Streaming platform Twitch flooded with controversial content

  • Online users have flooded a section of the gaming streaming platform Twitch with clips from the latest season of Game of Thrones, pornographic content and footage of the recent Christchurch terror attack, alongside comments including hate speech directed towards Muslims. The videos were streamed under the ‘Artifact’ category.



Bitcoin mining pools conduct counterattack against malicious miner

  • BitMEX reported that Bitcoin Cash’s most recent update resulted in a ‘double spend’ of $1.35 million worth of digital coins. Following this, a total of 25 transactions involving 3392 BCH were not included in the reorganised chain, suggesting that the sum remained in the attacker’s control.
  • In response to this attack, the two mining pools BTC[.]com and BTC[.]top carried out a ‘51 percent attack’ to reverse the attackers’ transactions. The double-spend attack was caused by three factors: an empty blockchain problem, an asymmetric chainsplit and a coordinated two-block reorganisation.



Leaks and Breaches

Charles River Laboratories suffers data breach

  • According to a notice published on their official site, Charles River state that there is no indication of data being deleted, corrupted or altered on their servers. However, they believe that a small number of clients may have had their data copied, and these individuals have been notified.
  • The exact date, time and circumstances of this data breach remain unclear, but they are working with several cybersecurity experts as well as US federal law enforcement to conduct an investigation.



Medical Informatics Engineering reach data breach settlement

  • The US medical records services firm agreed to pay a $100,000 fine as a result of ‘potential’ violations of privacy regulations. This is due to an incident in July 2015, when cyber criminals compromised the user IDs and passwords of 3.5 million people, and it was found that MIE had not conducted a sufficient risk analysis prior to the breach.



CI build logs continue to expose company secrets

  • Security researchers found that several Continuous Integration (CI) services, such as Travis CI, leak company secrets via build logs. CI is used to find bugs early on in the coding process to avoid any extensive rewrites. Travis CI had previously fixed related issues by replacing API keys and other secrets with the word ‘[secure]’.
  • Leaks were found at Grammarly, Discourse, a public cryptocurrency program and an unknown organisation. According to the researchers, ‘the most impactful findings were predominantly GitHub access token leaks.’
  • Attackers could also search CI build logs for certain terms, which will give them the names of dead packages still used in active projects. This enables attackers to re-register those packages and use the rogue library for backdooring legitimate projects.
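The masking the report attributes to Travis CI can be reproduced on the defender's side by scanning build logs before they are published. The following is an added example, not code from Travis CI or from the researchers: it masks credentials embedded in clone URLs, Authorization headers, secret-looking variables and AWS key IDs with the same ‘[secure]’ placeholder, uses a Shannon entropy threshold so placeholders such as ‘redacted’ are left alone, and runs over a constructed log excerpt whose token values are made up.

```python
import math
import re
from collections import Counter

MASK = "[secure]"  # the placeholder Travis CI substitutes for masked values
# Value assigned to a secret-looking variable or config key, e.g. NPM_TOKEN=... or api_key: "..."
KEYED_SECRET_RE = re.compile(
    r"(?i)([a-z0-9_.-]*(?:token|secret|passw(?:or)?d|api[_-]?key)[a-z0-9_.-]*"
    r"\s*[=:]\s*['\"]?)([^'\"\s@]{8,})")
# Credential in the userinfo part of a URL, e.g. https://x-access-token:<token>@github.com/...
URL_CREDENTIAL_RE = re.compile(r"(://[^/\s:@]+:)([^@\s]+)(?=@)")
# HTTP Authorization header echoed by a verbose curl call
AUTH_HEADER_RE = re.compile(r"(?i)(authorization:\s*(?:token|bearer|basic)\s+)([^'\"\s]+)")
# AWS access key IDs carry the documented 'AKIA' prefix followed by 16 upper-case alphanumerics
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def shannon_entropy(value: str) -> float:
    """Bits per character: random tokens score near 4-5, placeholders like 'redacted' lower."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def mask_line(line: str, min_entropy: float = 3.0) -> str:
    """Return the log line with credential values replaced by MASK; safe to run repeatedly."""
    def keyed(m):
        value = m.group(2)
        # Leave already-masked or low-entropy values (placeholders such as 'redacted') alone
        if value == MASK or shannon_entropy(value) < min_entropy:
            return m.group(0)
        return m.group(1) + MASK
    line = URL_CREDENTIAL_RE.sub(lambda m: m.group(1) + MASK, line)
    line = AUTH_HEADER_RE.sub(lambda m: m.group(1) + MASK, line)
    line = KEYED_SECRET_RE.sub(keyed, line)
    return AWS_KEY_ID_RE.sub(MASK, line)

def scan_log(text: str):
    """Mask every line of a build log; return (masked_text, count of lines that held secrets)."""
    masked = [mask_line(line) for line in text.splitlines()]
    changed = sum(a != b for a, b in zip(masked, text.splitlines()))
    return "\n".join(masked), changed

# Constructed build-log excerpt (not a real log); every token and key value is made up.
SAMPLE_LOG = """\
$ git clone https://x-access-token:a3f1c9e07b24d86f5e1a0c4d9b7e2f63a8c51d04@github.com/example/app.git
HEAD is now at 1f2e3d4 Merge pull request #42
$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000ABCD1
$ export AWS_SECRET_ACCESS_KEY=Zq8vT2nLp0/Wc5xKm4RsD9yHb3uJ1aFgE7Vn6tQo
$ export NPM_TOKEN=redacted
$ curl -H "Authorization: token a3f1c9e07b24d86f5e1a0c4d9b7e2f63a8c51d04" https://api.github.com/user
"""
```

Running `scan_log(SAMPLE_LOG)` masks four of the six lines and leaves the commit hash and the ‘redacted’ placeholder untouched; a raw 40-hex pattern is deliberately not used because it would also mask every commit SHA in the log.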



Australian firm Canva suffers data breach affecting 139 million users

  • Threat actor ‘GnosticPlayers’ informed ZDNet of their hack into the Australian graphic design service Canva. Since February, GnosticPlayers has stolen data from 45 companies, selling the data of 1.071 billion users on the dark web.
  • The data stolen from Canva included customer usernames, real names, email addresses and location information. Password hashes were present in 61 million cases.
  • According to Canva, there has been no evidence of users’ credential compromise. Canva detected the breach on May 17th, 2019, and has closed their database server.



AmazingCo exposes over 200,000 records

  • Security researcher Jeremiah Fowler discovered an unprotected Elasticsearch database belonging to Australian firm AmazingCo on May 11th, 2019. The database contained a total of 212,220 records, including a folder entitled ‘Customers,’ which contained 174,000 records.
  • The records contained usernames, email addresses, phone numbers, internal notes and more. The internal notes were directly linked with personally identifiable data.



First American Financial Corp leaked hundreds of millions of documents

  • KrebsOnSecurity was contacted by a customer of First American who reported that a portion of the First American website was leaking records.
  • KrebsOnSecurity researchers confirmed that 885 million files dating back more than 16 years were accessible without authentication.
  • Customer details included social security numbers, account statements, driver’s licenses and PDF files displaying information of home sellers and buyers.



Shubert Organisation suffers data breach

  • The attacker had access to an employee’s email accounts which contained customer details. Information included names, credit card numbers and credit card expiration dates.
  • Following an investigation, the Shubert Organisation confirmed that the unauthorised access occurred between February 8th, 2019 and February 11th, 2019.




Cisco patch could render hardware unusable

  • Since releasing a fix for CVE-2019-1649, also dubbed thrangrycat, it has been reported that there is a chance of irreparable damage to Cisco equipment when patching this vulnerability. This is because the fix requires a semiconductor component to be physically reprogrammed, and due to its sensitivity the device may become unusable and require a hardware replacement.
  • Cisco has since emailed a statement, stating that if an affected product becomes unusable and requires replacing, they will replace the product according to the terms set out in the customer’s support contract.



Unpatched Gatekeeper bypass details published online

  • Details of an unpatched flaw in macOS 10.14.5 (Mojave) have been released, stating that the vulnerability could allow an attacker to execute arbitrary code without user interaction. The flaw can be leveraged to bypass Gatekeeper.
  • Filippo Cavallarin, a researcher at Italian cyber security company Segment, stated that Gatekeeper treating external drives and networks as safe locations can be combined with other verified features on macOS to execute untrusted applications.
  • In Cavallarin’s proof-of-concept, he modified the files of the Calculator app to include a bash script that launches iTunes, as well as changing the Calculator app’s icon. Cavallarin’s video demonstration shows how this can be used to obtain a reverse shell on the target computer.



Vulnerability in T-Mobile left customers’ names and account information exposed

  • Hacker and developer Daley Bee discovered a vulnerability in T-Mobile’s systems that would allow anyone to obtain customers’ names and account numbers.
  • The vulnerability was found in an endpoint used by T-Mobile customers to activate their devices. When submitting details as part of a verification process, the raw response from the query was sent back to Bee, indicating this could also be done with a direct request. An attacker could have obtained information on customers using a script to test all possible phone numbers. The vulnerability has since been patched.



General News

US Navy to create a 350 billion record social media archive

  • United States Navy researchers are attempting to build a global social media archive containing 350 billion digital data records to assist the ongoing research conducted by the Naval Postgraduate School in Monterey, California.
  • The research project hopes to provide, ‘enhanced understanding of fundamental social dynamics, to model the evolution of linguistic communities, and emerging modes of collective expression, over time and across countries’.
  • The archive will be created from publicly available messages, comments, and posts between January 7th, 2014 and December 12th, 2016.



Sectigo responds to Chronicle’s report on abused certificates signed by their company

  • Following Chronicle’s study of signed malware submitted to the VirusTotal scanning service over a one-year period, Sectigo decided to follow up with their own investigation of the abused certificates. Sectigo discovered that the majority of abused certificates that Chronicle found to be issued by them had expired, were revoked, or were duplicates. These accounted for 90% of the certificates that were attributed to Sectigo.



Twitter based disinformation in European parliamentary elections investigated

  • Researchers at F-Secure and journalists from Yle launched an investigation into the prominence of misinformation and fake accounts on Twitter.
  • Researchers identified two linked accounts, NewsCompact and PartisanDE, which showed signs of inorganic engagement. Both accounts published factually inaccurate stories; moreover, in the run-up to the EU elections, both accounts were among the top three most engaged accounts in the EU election conversation space.
  • Tweets authored by these accounts had very high engagement from new accounts, 200 of which were created two days prior to the publication of the research. Researchers allege that NewsCompact and PartisanDE showed unrealistic engagement rates and suggest that these accounts were purchasing retweets and followers.



NSA’s EternalBlue malware linked with Baltimore attack

  • The New York Times reported that a key component of the malware that was used to target Baltimore was EternalBlue. EternalBlue was developed by the NSA and leaked in April 2017 by an unidentified group calling itself the Shadow Brokers.
  • EternalBlue allows attackers to exploit a vulnerability in unpatched software that allows malware to spread faster and further.



UK firms lose over £1bn to attacks on IoT

  • Research conducted by Irdeto shows that UK organisations in transport, manufacturing and health have lost on average £224,000 in IoT attacks. Over half of respondents reported that they had suffered downtime as a result of attacks and 41% stated that customer data had been compromised.
  • Moreover, 28% of organisations reported that cyber attacks had compromised end-user safety.



Instagram bans social media company Chtrbox following data leak

  • Instagram has revoked the access of an Indian media marketing company after an investigation was undertaken into how the personal details of some of its users were found in an unprotected database online. The number of affected users was first reported at 49 million, however, the database contained only 350,000 records.
  • The exposed data included email addresses, phone numbers, and other data that was not initially believed to be public. Most of the data, however, was already made public. Despite this, Chtrbox’s scraping of information from social media profiles still violates Instagram’s platform policies.



The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
