Silobreaker Daily Cyber Digest – 29 January 2019
Threat actors exploit Mali top-level domains to target Dutch organizations
- Anomali Labs researchers observed an increase in the abuse of the Mali country code top-level domain ‘.ml’ by threat actors to host malicious sites resembling Dutch-based organizations. The most targeted sectors include financial services, professional/consultancy services, and telecommunications. Financial institutions in other countries such as the US, Canada, Australia, the UK and UAE were also targeted.
- The researchers discovered that attackers set up phishing sites with .ml domains that impersonated Dutch companies and attempted to steal login credentials for online banking accounts.
- In other cases, the threat actors launched whaling attacks against C-level executives from three different Dutch-headquartered firms with a Microsoft Office-themed credential harvesting page.
New spam campaign uses links to fake NSFW adult dating sites
- The emails contain attachments with links that redirect the recipient to fake not-safe-for-work (NSFW) adult dating sites or similar. The emails are sent from the user name ‘Gell’, with random names in the text and random PDF files attached.
- Clicking on the links sends the user through a series of redirects before landing them on an adult site. The fake sites attempt to harvest contact information to use for future phishing and spam campaigns.
- A researcher linked this spam campaign to 70 separate IP addresses.
Shade ransomware campaign targets Russia
- The malicious emails impersonated legitimate Russian organizations such as B&N Bank or retail chain Magnit. ESET believes that this activity is likely a follow-up to a Shade ransomware campaign from October 2018.
- Although 52% of the total detections of the campaign were found in Russia, other countries such as Ukraine, France, Germany and Japan were also targeted.
Source (Includes IOCs)
Minerva Labs discovers AZORult trojan stealing passwords while hiding as Google update
- The researchers received a GoogleUpdate[.]exe binary from a customer after it was blocked by Minerva’s Anti-Evasion Platform. The binary was signed with a valid certificate, but one issued to ‘Singh Agile Content Design Limited’ rather than to Google.
- The AZORult stealer was found posing as a signed Google update installer and achieving persistence by replacing the legitimate Google Updater program on compromised machines. Because the legitimate updater is already launched by the system, the malware gains persistence without altering the Windows registry or adding scheduled tasks.
- AZORult was created to exfiltrate as much data as possible from files, passwords, cookies, browser history, banking details and cryptocurrency wallets.
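The persistence trick above relies on a valid signature that is simply not Google’s, so a signature check that stops at ‘Valid’ would pass the malicious binary. The following PowerShell snippet is an added example, not code from Minerva Labs or from this digest; it verifies both the Authenticode status and the signer subject of the on-disk Google Update binary. The install paths and the expected subject string (‘O=Google LLC’ or ‘O=Google Inc’) are assumptions and should be adjusted for your environment.

```powershell
# Added example: audit the on-disk Google Update binary for a signer that is
# actually Google, not merely a certificate that chains to a trusted root.
# The candidate paths are assumed typical install locations, not from the report.
$candidates = @(
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe",
    "${env:ProgramFiles}\Google\Update\GoogleUpdate.exe",
    "${env:LOCALAPPDATA}\Google\Update\GoogleUpdate.exe"
)

function Test-GoogleUpdateSignature {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        # 'Valid' only means the chain verifies; the signer organisation must be Google as well.
        # The expected organisation names below are an assumption; confirm against a known-good copy.
        $looksLegit = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Google (LLC|Inc)')
        [pscustomobject]@{
            Path       = $p
            Status     = $sig.Status
            Signer     = $subject
            SHA256     = $hash
            LooksLegit = $looksLegit
        }
    }
}

# Any row with Status 'Valid' but LooksLegit $false is the pattern described above:
# a properly signed binary whose signer is not Google, and a candidate for triage.
Test-GoogleUpdateSignature -Paths $candidates | Format-List
```

Run it with the same rights as the account that owns the Google install (per-user installs live under the local AppData path); the SHA256 is included so a suspicious file can be compared with vendor or reputation data before any action is taken.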
Leaks and Breaches
Australian web hosting providers breached
- Eight web hosting providers located in Australia were compromised through vulnerabilities in their web applications, giving attackers access to the web servers, where they installed password-stealing tools and remote access trojans such as Gh0st.
- The attacks took place in 2018, according to a report produced by the Australian Cyber Security Centre. Two of the compromised hosts showed evidence that an attacker had deployed cryptocurrency mining software to mine Monero.
- The hosting providers were running older Microsoft products, such as Windows Server 2008, some versions of which are no longer supported by Microsoft. It is unclear exactly which vulnerabilities were exploited to gain access to the providers’ servers.
Discover Financial Services suffers data breach
- The breach, which was discovered on August 13th, 2018, potentially left hackers able to access an undisclosed amount of customer information, which could include account numbers, expiration dates and security codes.
- Discover have not supplied any information on the number of customers that were affected in the breach. The company issued new cards for all customers that may have had their card details stolen.
Transparency advocates publish hacked Russian documents
- The New York Times reported that a group of transparency advocates called DDoSecrets released 175 GB of hacked and leaked Russian documents online. The documents allegedly ‘[shed] light on Russia’s war in Ukraine, as well as ties between the Kremlin and the Russian Orthodox Church, the business dealings of oligarchs, and much more’.
- Some of the files were found to contain hundreds of thousands of messages and files from Russian politicians, journalists, businessmen, religious figures, and nationalists/terrorists in Ukraine. The documents also include material hacked from Russia’s Ministry of Internal Affairs.
Singapore’s Ministry of Health suffers data breach
- Confidential data from Singapore’s HIV registry was illegally accessed and leaked by US citizen Mikhy K Farrera Brochez, who resides in Singapore. 14,200 individuals diagnosed with HIV were affected, comprising 5,400 Singaporeans and 8,800 foreigners.
- Details exposed include names, identification numbers, contact details, HIV test results and related medical information. The Health Ministry stated that it has begun contacting affected individuals and is working to disable access to the information.
Flaw in FaceTime lets callers spy without permission
- The flaw gives a caller access to the microphone and front-facing camera of the person they are calling, even when that person does not answer the call.
- The caller could FaceTime anyone with an iOS device and add themselves as an additional contact to Group FaceTime. This causes the receiver’s microphone to turn on, allowing the caller to listen through it. In addition, if the receiver silences the call using the power button, the front-facing camera also turns on.
- The bug works in iOS 12.1.2; however, during testing on the Apple Watch the audio part of the bug did not work.
Windows System Guard Launch causes boot issues on Windows systems with UEFI
- Those who have deployed Microsoft Security Baseline and enabled System Guard Secure Launch have had boot issues on Windows 10 v1809 and Windows Server 2019 systems with UEFI Secure Boot. The bug requires this specific combination of factors in order to be triggered.
- Microsoft’s Aaron Margosis stated that the bug causes the device to reboot into a blank screen after an update. Furthermore, he states that ‘the issue has been root caused to a problem with catalog file validation and whether it shows up is highly dependent on set and signed components in the boot path.’
Threat actors compromise WordPress sites through zero-day flaws in Total Donations plugin
- Security firm Wordfence reported that following the abandonment of the Total Donations WordPress plugin by its developers, attackers have been exploiting multiple critical flaws in the plugin, tracked as CVE-2019-6703, to gain administrative access to websites running the CMS.
- The vulnerabilities permit threat actors to carry out site takeover; access, modify and delete recurring Stripe payment plans; access Constant Contact and Mailchimp mailing lists; and more. Wordfence recommend that users delete the vulnerable plugin as soon as possible.
Vulnerability in Python.org revealed
- Identified as CVE-2018-5010, the denial-of-service vulnerability exists in the X509 parser. A specially crafted certificate can cause a NULL pointer dereference, resulting in a denial of service. The flaw was responsibly disclosed to Python prior to the release of this information, and it is recommended that users running versions 2.7.11, 3.6.6, 3.5.2 and 3 update their software.
Vulnerabilities discovered in WibuKey
- The three vulnerabilities discovered by Cisco Talos researchers allow remote code execution and memory disclosure at the kernel level, and one of them can be triggered remotely.
- CVE-2018-3991 is a heap overflow vulnerability in WIBU-SYSTEMS WibuKey Network server management; an attacker can trigger it by sending a specially crafted TCP packet. CVE-2018-3990 is a buffer overflow vulnerability that can be exploited via a specially crafted IRP request, leading to arbitrary code execution and privilege escalation.
- The third vulnerability, CVE-2018-3989, can be exploited by an attacker to read kernel memory.
Authorities shut down xDedic cybercrime marketplace
- According to a newly released statement by the US Department of Justice, the FBI, IRS, Europol and law enforcement authorities from Belgium and Ukraine jointly took down the xDedic marketplace on January 24th, 2019. The authorities believe that the marketplace facilitated more than $68 million in fraud.
- xDedic was a popular marketplace for cyber criminals that was used to sell access to compromised computers and personally identifiable information. Victims are located across a wide range of sectors including local, state, and federal government infrastructure, hospitals, 911 and emergency services, call centres, major metropolitan transit authorities, accounting and law firms, pension funds and universities, worldwide.
Europol tracks down DDoS-for-hire service users
- Europol has announced that several websites offering distributed denial-of-service-for-hire services have been taken down and that, as a result, law enforcement has been able to track down their users and take action against them. This includes users of webstresser[.]org, Downthem and Quantum Stresser.
- In a statement, Europol said that ‘…all levels of users are under the radar of law enforcement, be it a gamer booting the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain’.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.