Silobreaker Daily Cyber Digest – 28 November 2019
Machete malware delivered alongside PowerPoint presentations
- Researchers at BlackBerry Cylance published an analysis of the info-stealing Machete malware. Targets of the malware, who are primarily located in Latin America, believe that they are opening a PowerPoint presentation, when in actuality they are running a Nullsoft SFX installer. The researchers discovered PowerPoints with a variety of themes, ranging from adult images to fake military and government documents.
- The malware executes from a Nullsoft SFX installation file; the SFX executables are compiled from Python. Following a successful infection, Machete can steal users’ credentials, pictures, geolocation, and more.
Source (Includes IOCs)
Leaks and Breaches
Security company Prosegur hit with Ryuk ransomware
- On November 27th, 2019, Spain-based multinational security company Prosegur announced that a security incident had impacted its telecommunications platforms. A follow-up statement revealed that the infection was a Ryuk ransomware attack.
- The company stated that they would be restricting communications to prevent the propagation of the ransomware. Spanish website Derecho de la Red reported that the entire company network was offline, and that employees had been sent home.
Nearly $50 million worth of Ethereum stolen from UPbit
- On November 7th, 2019, South Korea-based cryptocurrency exchange UPbit had approximately $48.5 million worth of Ethereum stolen from its Upbeat Ethereum hot wallet by an unidentified party.
- The funds were initially transferred to one wallet and are now being sent to further addresses. UPbit responded to the attack by suspending their deposit and withdrawal services.
DiBella’s Old Fashioned Submarines compromised by FIN7
- DiBella’s Old Fashioned Submarines revealed that its customer payment system was compromised by the FIN7 group. The company, which was informed of the breach by the FBI and credit card companies on August 27th, 2019, stated that as many as 305,000 payment cards could have been affected.
- Stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania, were impacted between March 22nd, 2018, and December 28th, 2018. Stores in Cranberry, Pennsylvania, may have been affected between September 2017 and December 29th, 2018.
Magento Marketplace impacted by security incident
- On November 27th, 2019, Adobe disclosed a security breach that impacted Magento Marketplace users. The issue affected customers as well as plugin and theme developers. An email sent to impacted users revealed that on November 21st, 2019, Magento discovered that an unauthorised party had accessed Magento Marketplace account holder information.
- Exposed data included names, email addresses, billing and shipping addresses, phone numbers, limited commercial information, and more.
- The breach did not reveal passwords or financial data. The Magento Marketplace was temporarily taken offline while the issue was remedied.
Ivy Rehab Network discloses data security incident
- On November 26th, 2019, Ivy Rehab Network disclosed that a number of employee email accounts may have been accessed by an unauthorised party. The incident, which was discovered in May 2019, potentially revealed patient information.
- Data accessible through the email accounts included patient names, protected health information, financial account information, Social Security numbers, and more.
Common Weakness Enumeration list of top 25 dangerous software errors updated
- After 8 years, the Common Weakness Enumeration (CWE) Team updated its list of ‘Top 25 Most Dangerous Software Errors’. The CWE Team, which is sponsored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s Cybersecurity Division, used a data-driven approach to rank weaknesses based on severity and prevalence.
- ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’ scored highest, followed by ‘Cross-site Scripting’ and ‘Improper Input Validation’. A full list of the ‘2019 CWE Top 25’ is accessible on the CWE blog.
Only one-third of US presidential candidates use DMARC email security protocol
- Out of the 21 candidates running for the US presidency, only 7 are using and enforcing the DMARC email security protocol. DMARC is used to validate the authenticity of a sender’s domain and, when an enforcing policy is published, to reject spoofed emails.
- TechCrunch reported that seven candidates, including President Trump, are using a non-enforcing policy, which does not reject spoofed emails. The remaining seven candidates are not using DMARC in any form.
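The three categories in the TechCrunch count (enforcing, non-enforcing, no DMARC at all) come straight from the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not code from the digest or from TechCrunch: it parses constructed DMARC records and classifies them the same way, with one extra bucket for a `pct=` value below 100, which is an enforcing policy that is only applied to a sample of failing mail. The domain names and records are constructed for illustration; a real check would fetch the TXT record via DNS instead of reading it from a dictionary.

```python
"""Classify DMARC TXT records by enforcement level.

Added example, not part of the original digest. The domain names and
records below are constructed; in practice the record is fetched from
the TXT record at _dmarc.<domain>.
"""
from typing import Dict, Optional

# Constructed sample: hypothetical domains and the TXT record each would
# publish at _dmarc.<domain>. None means no record was found.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforcing-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing-a.example",
    "enforcing-b.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=10",
    "missing.example": None,
    "malformed.example": "v=spf1 -all",  # an SPF record where DMARC is expected
}


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a 'tag=value; tag=value' record into a dict.

    Returns None when the text is not a DMARC record: RFC 7489 requires
    the record to carry v=DMARC1 and a p= policy tag.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def enforcement_level(txt: Optional[str]) -> str:
    """Return 'enforcing', 'partial', 'monitor' or 'missing' for one record."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"  # no usable DMARC record is the same as none
    policy = tags["p"].lower()
    if policy not in ("reject", "quarantine"):
        return "monitor"  # p=none: reports only, spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat an unparseable pct as the default of 100
    return "enforcing" if pct >= 100 else "partial"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per enforcement level, e.g. for a TechCrunch-style tally."""
    counts = {"enforcing": 0, "partial": 0, "monitor": 0, "missing": 0}
    for txt in records.values():
        counts[enforcement_level(txt)] += 1
    return counts


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(f"{domain:24s} {enforcement_level(txt)}")
    print(summarize(SAMPLE_RECORDS))
```

The `partial` bucket is the caveat worth keeping: a domain with `p=reject; pct=10` looks enforcing at a glance, but a receiver will apply the reject action to only about one in ten failing messages, so a survey that keys on `p=` alone will overcount enforcement.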
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.