
Silobreaker Daily Cyber Digest – 28 October 2019



FuxSocy ransomware has strong similarities with Cerber ransomware

  • Researchers at MalwareHunterTeam identified a new ransomware, dubbed FuxSocy, which is heavily modelled on the now defunct Cerber ransomware. Security researcher Vitali Kremez discovered that FuxSocy and Cerber contain identical file exception lists, and scramble filenames and extensions in a similar way. The ransom note displayed by the new malware is also almost identical to the one displayed by Cerber.
  • Despite these similarities, the new malware is not an identical clone of Cerber. The developers behind FuxSocy have added features that attempt to prevent their malware from running inside a virtual machine. The new ransomware also contains a feature that ensures it does not encrypt the entire file; however, these files still cannot be accessed by the user. A decryption key for FuxSocy ransomware is not currently available.

Source (Includes IOCs)


Malicious spam campaign delivers AutoIT-compiled payloads

  • Researchers at Trend Micro identified a malware campaign that was delivering the AutoIT-compiled payloads Negasteal and Ave Maria RAT via spam emails. The emails that the researchers identified purported to be related to a shipment advisory and a financial document.
  • In order to evade detection, the campaign uses AutoIT-obfuscated ISO image files, as well as RAR and LZH-compressed archive attachments. The Negasteal malware variant can log and monitor keystrokes, monitor webcams, collect information saved on clipboards, and more. The researchers discovered that later versions of the campaign contained an Ave Maria RAT variant that can escalate privileges, modify Windows Defender, log users' keystrokes, steal usernames and passwords, drop and create arbitrary files, and more.
  • The researchers stated that upgrading email payloads from a ‘typical trojan spy to a more insidious RAT’ suggests that the criminals are willing to deploy more destructive ransomware.

Source (Includes IOCs)


Ongoing Campaigns

Procter & Gamble’s First Aid Beauty online store infected in stealthy Magecart attack

  • Sanguine Security researcher Willem de Groot discovered a Magecart skimming script on the online store for First Aid Beauty. The payment skimmer was deployed on May 5th, 2019 and targeted US customers. If a user in another country accessed the site, the script would not run. The attack also fails to execute if a customer uses the Linux operating system.
  • The attack was described as ‘fairly advanced’, and the script was encrypted and heavily obfuscated. The attack sought to acquire a victim’s card number, card expiration date, name of owner, and the card CVV code.
  • The researcher contacted First Aid Beauty on October 20th, 2019 but received no reply. Despite reporting the issue, the script remained active until approximately October 25th, 2019.

Source (Includes IOCs)


Leaks and Breaches

Patient data potentially compromised following ransomware attack on health centre

  • Betty Jean Kerr People’s Health Center is informing its patients of a ransomware attack on September 2nd, 2019, which led to a data breach affecting 152,000 patients. Potentially breached data includes patient, health care provider, and employee names, dates of birth, addresses, Social Security numbers, and more. No patient medical records were exposed.



Pos Malaysia hit by ransomware attack

  • The Malaysian postal service Pos Malaysia was hit by a ransomware attack on October 20th, 2019. Initially, the company’s website displayed a message stating that it was under maintenance, yet the company has since managed to restore several of its systems and online services. According to Pos Malaysia, no customer data or personal information was compromised in the attack.



Optus customer data leaked in White Pages

  • Optus is informing 50,000 of its customers of a data leak that exposed customer names, phone numbers, and addresses, after the information was accidentally published in Sensis’ White Pages. The customers’ details were listed both online and in the printed version of White Pages, meaning that the details may remain exposed in older printed versions.
  • According to Optus, in the majority of cases, the customers’ data was leaked before they joined Optus. Sensis denies this claim and stated that ‘This is an Optus issue.’



UniCredit data breach exposes 3 million records

  • UniCredit suffered a data breach that exposed a file from 2015 containing about three million records relating to Italian clients. An internal investigation into the cause has been launched.
  • Exposed data includes names, cities, telephone numbers, and email addresses. UniCredit stated that the data did not include any bank details that could enable an unauthorised third-party to gain access to customer accounts or complete transactions.



Nearly 7.5 million Adobe Creative Cloud user records exposed online

  • On October 19th, 2019, security researcher Bob Diachenko identified an exposed and unprotected Elasticsearch database which contained nearly 7.5 million Adobe Creative Cloud user records.
  • Exposed information included email addresses, member IDs, payment status, account creation data, and more. Comparitech stated that the data could be used in phishing campaigns.
  • Diachenko estimated that the data was exposed for approximately one week. Adobe were immediately notified of the breach and the database was closed on the same day that it was discovered.  



Electronic Settlements Limited exposes customer data twice in one year

  • Security Discovery researchers discovered unsecured databases containing customer data belonging to CashEnvoy and PayPad, both of which have the Nigerian-based Electronic Settlements Limited as their parent company.
  • The first database was a publicly accessible CouchDB database discovered in February 2019 and contained over 8 million records with names, account information, CashEnvoy wallet data, and more. The company quickly closed public access to the database upon being notified by the researchers, yet did not confirm whether it had informed users, merchants or partners of the leak.
  • The second database leak was discovered in October 2019 and included 2.59 million records relating to PayPad’s credit and debit card transactions, displaying card numbers in plain text. Additionally, the database contained IP addresses, ports, pathways and storage information that could also be exploited by criminals.




Remote code execution bug in PHP7 exploited in the wild

  • Security researchers at Bad Packets reported that a remote code execution vulnerability, tracked as CVE-2019-11043, impacts PHP7. The bug can be easily exploited and can be triggered by an attacker using a specially crafted URL. Attackers who successfully perform the exploit can run commands on servers.  The attack only impacts NGINX servers with PHP-FPM enabled.



Xiaomi FurryTail smart pet feeder vulnerability leaves devices open to attackers

  • Security researcher Anna Prosvetova identified numerous security vulnerabilities in the Xiaomi FurryTail backend API and firmware. A flaw in the API revealed 10,950 devices worldwide, which could be altered due to a flaw in the ESP8266 chipset that the pet feeder uses.
  • The researcher stated that the vulnerability could be exploited by attackers looking to add devices to an IoT DDoS botnet.
  • Xiaomi were notified of the issue and stated that they were working on a fix for the bug.



General News

Shadow Kill Hackers not behind DDoS attacks on South African banks

  • The cyberattack on Johannesburg on October 24th, 2019, initially thought to be a ransomware attack, did not encrypt any of the city’s computers. Rather, Shadow Kill Hackers, who claim to be behind the attack, stated they had gained access to the city’s Active Directory server and were the ones responsible for taking down the city’s website.
  • Additionally, initial reports stated that Shadow Kill Hackers were also responsible for Distributed Denial-of-Service attacks on several South African banks, yet the group has since denied such claims. Instead, these DDoS attacks may have been part of a global campaign by a group pretending to be the Russian group Fancy Bear.



The Silobreaker Team 

Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
