Silobreaker Daily Cyber Digest – 29 April 2019
RobbinHood ransomware analysed by BleepingComputer following recent attacks
- RobbinHood ransomware has been recently observed being distributed via various methods including the hacking of remote desktop services, and the use of remote access trojans. BleepingComputer’s report includes an analysis of a recently discovered sample of the ransomware that they subsequently reverse engineered to establish its behaviour.
- Recent attacks using RobbinHood ransomware include the attack on the City of Greenville on April 10th, 2019, which knocked the entire city offline. The City is reportedly still recovering from the attack, and its systems are not yet back online. There is no completion date for the recovery process, and help from other municipalities has been brought in to aid the investigation.
Flawed Confluence servers exploited by attackers to drop GandCrab and the Dofloo trojan
- CVE-2019-3396 is a critical server-side template injection flaw discovered in the Widget Connector macro in Atlassian Confluence, which allows ‘remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection’. Atlassian patched the flaw on March 20th, 2019.
- The vulnerability is being remotely exploited by attackers to compromise Linux and Windows servers and drop GandCrab ransomware and the Dofloo trojan. Several exploits for the flaw are publicly available and have swiftly been added to malicious toolkits.
- Once a server has been compromised, attackers have been observed downloading the Empire PowerShell post-exploitation toolkit, which is then used to download GandCrab. The Dofloo trojan allows attackers to enrol large numbers of compromised servers into botnets that can be used to launch DDoS attacks and mine cryptocurrency.
Fake Windows PC cleaner discovered dropping AZORult trojan
- Researchers discovered a website delivering what appears to be a PC cleaner tool for Windows that secretly drops the AZORult info-stealing trojan. AZORult is capable of stealing users’ browser passwords, FTP client passwords, cryptocurrency wallets, desktop files and more.
- The website named gcleaner was discovered advertising a Windows junk cleaner tool called G-Cleaner or Garbage Cleaner, which claims to remove temporary files, broken shortcuts and unnecessary Registry entries.
- When the program is installed, it extracts a randomly named file to the %Temp% folder and executes it. That file is the malware, which attempts to steal passwords, data, wallets and other information. After a final communication with its C&C server, the malware removes itself from the system.
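The dropper behaviour above (an installer writing a randomly named file into %Temp% and executing it) is something an endpoint telemetry pipeline can look for. The following is an added example, not code from the report or from BleepingComputer: a small heuristic applied to constructed Sysmon-style process-creation events. The definition of "randomly named" (an all-alphanumeric basename mixing letters and digits, ending in .exe) and the restriction to files written directly into the Temp folder are assumptions made for this example.

```python
import re

# Added example (not code from the report): a detection heuristic for the
# dropper behaviour described above, in which an installer writes a randomly
# named file into the user's %Temp% folder and executes it. Event fields follow
# the Sysmon process-creation (Event ID 1) naming; all events are constructed.

# Child image located directly in the user's %Temp% directory (no subfolder).
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)

# "Randomly named" is an assumption for this example: an all-alphanumeric
# basename of 8+ characters mixing letters and digits, no separators, .exe.
RANDOM_EXE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_suspicious_drop(event):
    image = event["Image"]
    in_temp = TEMP_DIR.search(image) is not None
    random_name = RANDOM_EXE.match(basename(image)) is not None
    return in_temp and random_name


def flag_drops(events):
    """Return (parent, child) image pairs for executions matching the heuristic."""
    return [(e["ParentImage"], e["Image"]) for e in events if is_suspicious_drop(e)]


SAMPLE_EVENTS = [
    # Constructed: a "cleaner" installer launching a random-named exe from %Temp%.
    {"ParentImage": r"C:\Users\bob\Downloads\GCleaner_setup.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\7f3kq2ztx9a1.exe"},
    # Constructed benign case: an installer stage in a %Temp% subfolder with a
    # descriptive name (common for packaged installers); must not be flagged.
    {"ParentImage": r"C:\Users\bob\Downloads\vlc-3.0.6-win64.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\is-A1B2C.tmp\vlc-3.0.6-win64.tmp"},
    # Constructed benign case: an ordinary program launch.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe"},
    # Constructed benign case: a %Temp% executable with a descriptive name.
    {"ParentImage": r"C:\Users\bob\Downloads\tool_setup.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\setup_helper.exe"},
]

if __name__ == "__main__":
    for parent, child in flag_drops(SAMPLE_EVENTS):
        print(f"suspicious: {parent} -> {child}")
```

The heuristic is deliberately narrow so that the parent process is returned for triage rather than used as a filter: a legitimate installer that stages files in a %Temp% subfolder under a readable name is not flagged, while a random-named executable written straight into %Temp% is, whatever launched it.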
Malicious skimmer scripts hosted on GitHub
- Magecart actors have compromised hundreds of Magento installations, injecting them with a skimmer script hosted on GitHub. The script was uploaded on April 20th, 2019 by a user called momo33333 and is obfuscated using hexadecimal encoding. It has since been removed from GitHub.
- Even though the card skimming script has been removed from GitHub, compromised websites are still at risk as the attackers can easily inject a new script hosted on another service into them. It is recommended that site owners keep their CMS and site plugins up to date to avoid a website compromise.
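Two traits of the skimmer described above are visible in a page's HTML without executing anything: a script tag pulling code from a code-hosting domain, and string literals hidden behind hexadecimal escapes. The block below is an added example, not code from the report or from the Magecart analysis, that scans a page for both. The set of code-hosting domains, the assumption that the hexadecimal obfuscation takes the form of JavaScript `\xNN` escapes, and the sample page are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not code from the report: a page scanner for two traits of the
# skimmer described above, an external script served from a code-hosting domain
# and string literals obfuscated with hexadecimal escapes. The domain list, the
# \xNN decoding and the sample page are assumptions constructed for this example.

CODE_HOSTS = {"github.com", "gist.github.com", "raw.githubusercontent.com",
              "gist.githubusercontent.com"}

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# JavaScript string literals, double or single quoted, allowing escaped characters.
DQ = r'"((?:\\.|[^"\\])*)"'
SQ = r"'((?:\\.|[^'\\])*)'"
STRING_LITERAL = re.compile(DQ + "|" + SQ)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs, parser.inline


def code_host_scripts(html):
    """External scripts whose host is a code-hosting service."""
    srcs, _ = collect_scripts(html)
    return [s for s in srcs if (urlsplit(s).hostname or "").lower() in CODE_HOSTS]


def decode_hex_escapes(text):
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def hex_encoded_literals(html):
    """Decoded contents of inline-script string literals that use hex escapes."""
    _, inline = collect_scripts(html)
    found = []
    for body in inline:
        for m in STRING_LITERAL.finditer(body):
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            if HEX_ESCAPE.search(raw):
                found.append(decode_hex_escapes(raw))
    return found


# Constructed sample page: one CDN script, one script pulled from GitHub, and an
# inline script whose field names are hex-escaped. Not a real skimmer.
SAMPLE_HTML = r"""<html><body>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://raw.githubusercontent.com/example-user/example-repo/master/s.js"></script>
<script>
var a = "\x63\x63\x5f\x6e\x75\x6d\x62\x65\x72", b = '\x63\x76\x76', c = "plain";
</script>
<script>console.log("checkout ready");</script>
</body></html>"""

if __name__ == "__main__":
    print("code-host scripts:", code_host_scripts(SAMPLE_HTML))
    print("hex-encoded literals:", hex_encoded_literals(SAMPLE_HTML))
```

Decoding the escapes turns opaque byte sequences into the payment-form field names a skimmer reads, which is what an analyst actually wants to grep for; the external-host check is the quick win, since a checkout page has no business loading code from a raw GitHub URL.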
Unit 42 analyses further BabyShark malware campaign
- Researchers at Unit 42 found that malicious attacks leveraging BabyShark malware have continued throughout 2019. Whereas they previously targeted US national security think tanks with spear-phishing campaigns, they are now also targeting the cryptocurrency industry, pointing to an interest in financial gain. Recent activity also shows that the actors behind the malware have an interest in espionage relating to the Korean peninsula’s national security issues and nuclear security.
- The observed BabyShark sample delivers KimJongRAT and PCRat, but researchers note that these can easily be swapped with other malware families in the future. As well as this, custom developed tools are being used in the campaign, such as Cowboy Converter – a tool that converts a PE file into a payload that can be leveraged in the attack chain.
Source (Contains IOCs)
Leaks and Breaches
Docker Hub database exposes sensitive information of 190,000 users
- According to a security notice published late on Friday evening, an unauthorised person gained access to a Docker Hub database on April 25th, 2019, exposing the personal information of approximately 190,000 users. Information exposed includes usernames, hashed passwords and tokens for GitHub and Bitbucket repositories.
- Access to this information could allow a threat actor to read private repository code and modify it, depending on the permissions carried by the token. If tokens are misused to modify code, it could lead to serious supply-chain attacks, as Docker Hub images are widely used in server configurations and applications.
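The supply-chain concern above is that a tampered image pushed under an existing tag is pulled silently by every build that references that tag. Beyond revoking and re-linking any exposed GitHub or Bitbucket tokens, the practical build-side control is to pin base images by digest. The block below is an added example, not code from Docker or from the security notice: a check that reports `FROM` references in a Dockerfile that are not pinned to a `sha256` digest. The sample Dockerfile and its digest value are constructed placeholders.

```python
import re

# Added example, not from the notice: a Dockerfile check for the supply-chain
# risk described above. A FROM line that references a mutable tag picks up
# whatever image is later pushed under that tag; pinning by digest
# (image@sha256:...) makes the build fail closed if the image changes.
# The sample Dockerfile and its digest value are constructed placeholders.

FROM_LINE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
DIGEST_PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")


def from_references(dockerfile_text):
    """All (image_ref, stage_alias) pairs from FROM lines, in order."""
    return [(m.group(1), m.group(2)) for m in FROM_LINE.finditer(dockerfile_text)]


def unpinned_images(dockerfile_text):
    """FROM references that name a real image (not scratch, not an earlier
    build stage) and are not pinned by digest."""
    stages, unpinned = set(), []
    for ref, alias in from_references(dockerfile_text):
        is_image = ref.lower() != "scratch" and ref.lower() not in stages
        if is_image and not DIGEST_PINNED.search(ref):
            unpinned.append(ref)
        if alias:
            stages.add(alias.lower())
    return unpinned


PLACEHOLDER_DIGEST = "0123456789abcdef" * 4  # 64 hex chars; not a real image digest

# Constructed multi-stage Dockerfile: the builder stage uses a mutable tag,
# the runtime stage is pinned by digest, and "FROM builder" is a stage reference.
SAMPLE_DOCKERFILE = f"""\
FROM golang:1.12 AS builder
WORKDIR /src
COPY . .
RUN go build -o app .

FROM builder AS test
RUN go test ./...

FROM alpine:3.9@sha256:{PLACEHOLDER_DIGEST}
COPY --from=builder /src/app /app
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"unpinned base image: {ref}")
```

To obtain the digest to pin, pull the tag once on a trusted host and read it back with `docker inspect --format '{{index .RepoDigests 0}}' alpine:3.9`; the check then fails any Dockerfile whose base image could be swapped out under the same tag.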
University of Alaska suffered historical data breach
- An intrusion between January and February 2018 may have compromised multiple email accounts that contained a large amount of personal information. It is not known how many people were affected, but the accessed data includes names, dates of birth, financial account information, student identification numbers, and health insurance information.
- The University of Alaska is attempting to contact people affected by the breach.
City of Columbia website suffers data leak
- Discovered by Arif Khan, an independent security researcher, a misconfigured search tool on the official City of Columbia, S.C. website may have exposed database and SMTP server passwords. If the search tool was unable to find any results for a query, a developer-oriented 404 page would appear, which included the passwords on the page.
Millions of IoT devices exposed via P2P flaw in iLnkP2P software
- A peer-to-peer (P2P) communications technology that is used in millions of security cameras, webcams, baby monitors, smart doorbells and digital video recorders, has been found to contain several critical flaws that expose the devices to eavesdropping, credential theft and remote compromise.
- The flaws were discovered in iLnkP2P, software developed by the China-based Shenzhen Yunni Technology. Devices using this software have no authentication or encryption, allowing attackers to establish a direct connection to the devices and bypass any firewall restrictions.
- The security researcher who discovered the flaws, Paul Marrapese, stated that his proof of concept script identified over two million flawed devices worldwide. In addition, Marrapese built a proof of concept attack that was able to steal passwords from devices by abusing their built-in ‘heartbeat’ feature.
Proof-of-concept WooCommerce exploit released
- Researchers have released proof-of-concept code to exploit an unpatched arbitrary file upload vulnerability in the WooCommerce Checkout Manager plugin. The code was publicly disclosed as part of the researchers’ protest against the maintainers of the WordPress support forum. It is currently recommended to disable the ‘Categorize Uploaded Files’ option within the plugin, or to disable the plugin entirely.
Vulnerability discovered in Qualcomm chips
- A flaw in the Qualcomm Secure Execution Environment can be exploited by attackers to perform a side-channel attack, extracting potentially sensitive data from a Qualcomm secure keystore, such as private keys and passwords. This affects most modern Android devices that use a Qualcomm chip. Tracked as CVE-2018-11976, the vulnerability was originally discovered in March 2018, but has only just become publicly disclosed, after patches fixing the issue have been released.
Vulnerabilities patched in BIND
- Three vulnerabilities have been patched by the Internet Systems Consortium (ISC) that could have led to denial of service conditions if exploited. These are identified as CVE-2018-5743, CVE-2019-6467 and CVE-2019-6468.
- The ISC is recommending that all users update to the latest version.
Slack warns investors that it is targeted by nation state attackers
- Slack has filed an S-1 securities registration form with the Securities and Exchange Commission stating that the company faces threats from ‘sophisticated organised crime, nation-state, and nation-state supported actors.’ In addition, the filing states that Slack also faces attacks by traditional computer hackers, malware, employee theft or misuse, phishing, credential stuffing and denial of service attacks.
Russian hackers found guilty
- A 19-year-old resident of the Saratov region was found guilty of unauthorised access to computer information after hacking into the website of an Omsk company and exploiting a system used to make utility payments. He copied sensitive information and offered to fix the vulnerability in the system for a fee.
- Another, unnamed hacker group was also found guilty of hacking the management systems of ATMs using special devices. They worked at night, disabling security systems and opening the payment terminals. They were detained during a theft, and the total damage is estimated at 15 million Russian Rubles, approximately $231,900 USD.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.