Silobreaker Daily Cyber Digest – 29 July 2019
NAS devices targeted with brute-force attacks
- Synology has advised users of its network-attached storage (NAS) devices to strengthen their passwords, after reports that the devices are being targeted by brute-force attacks in an attempt to deploy ransomware.
- This warning comes shortly after NAS devices from a variety of other vendors have experienced a wave of brute-force attacks in an attempt to hold their contents ransom.
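The NAS brute-force wave above is the kind of activity that shows up as bursts of failed logins from one source address in the device's authentication log. The following detector is an added example, not Synology's code or anything from the original digest: it reads syslog-style login records (the format and the log lines are constructed for this example, not the real Synology format), keeps a sliding window of failures per source IP, and raises an alert when the count exceeds a threshold, plus a second, higher-severity alert when a login succeeds from an address that had just been failing repeatedly, which is the pattern a defender most wants to catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic syslog-like format (not Synology's real format).
# 198.51.100.7 hammers the admin account and eventually gets in; 203.0.113.5 fails
# twice, minutes apart; 192.0.2.10 is a normal successful login.
SAMPLE_LOG = """\
2019-07-29T03:14:01 nas authd: Failed login from 198.51.100.7 user admin
2019-07-29T03:14:03 nas authd: Failed login from 198.51.100.7 user admin
2019-07-29T03:14:05 nas authd: Failed login from 198.51.100.7 user root
2019-07-29T03:14:06 nas authd: Failed login from 203.0.113.5 user alice
2019-07-29T03:14:08 nas authd: Failed login from 198.51.100.7 user admin
2019-07-29T03:14:10 nas authd: Failed login from 198.51.100.7 user guest
2019-07-29T03:14:12 nas authd: Failed login from 198.51.100.7 user admin
2019-07-29T03:14:20 nas authd: Accepted login from 198.51.100.7 user admin
2019-07-29T03:20:00 nas authd: Failed login from 203.0.113.5 user alice
2019-07-29T03:25:00 nas authd: Accepted login from 192.0.2.10 user bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>Failed|Accepted) login from (?P<ip>\S+) user (?P<user>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return a list of (ip, kind, detail) alerts.

    kind is "bruteforce" when an IP reaches `threshold` failures inside `window`,
    or "success_after_failures" when a login succeeds while that IP still has
    failures inside the window (probable guessed credential).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()              # IPs already reported as brute-forcing (one alert each)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        ip, result, user = m["ip"], m["result"], m["user"]
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} failures within {window}"))
        else:
            if q:  # success right after a run of failures is the most urgent signal
                alerts.append((ip, "success_after_failures",
                               f"user {user} after {len(q)} failures"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {ip:15} {detail}")
```

The threshold and window are tuning knobs; on a NAS exposed to the internet the failure rate from a single source during a credential-stuffing run is far above anything a legitimate user produces, so a low threshold is acceptable. Distributed attacks that spread guesses across many source addresses will not trip a per-IP counter; a per-account counter alongside it covers that case.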
Magento websites targeted by skimmer using fake Google domains
- The skimmer was calibrated to run on Chrome and Firefox and could capture and exfiltrate data from dozens of payment gateways. Captured data was exfiltrated to a C2 that also displayed a fake Google domain.
Zegost info stealing malware campaign targets Chinese government agencies
- This recent campaign is described as ‘emergent’ and targets a Chinese government agency that collects statistics on China’s population, economy and other record-keeping metrics.
- According to Fortinet researchers, the attacks originated via a spear phishing email that instructed the target to download a web plugin to view a video. Targets who accessed the link would download Zegost. The malware was first identified in 2011 and has been used in multiple campaigns. It is associated with Chinese cyber criminals and its principal function is information theft.
- Zegost exfiltrates information such as running processes, RDP port number and QQ login. The malware also records keystrokes and can capture video via webcam. Historically, Zegost’s infrastructure has been based in China. In this case, the malware uses multiple subdomains for C2, based on Dynamic DNS domains, and located in other countries including Singapore, Taiwan, and the US. Netblocks using the same infrastructure have been associated with the distribution of malicious Android APKs, backdoors, DDoS botnets and spear phishing emails.
Unusual steganography technique can compromise even patched websites
- Trustwave reported on a rare but still active steganography technique, in which an attacker uploads malware onto a targeted website by implanting PHP code into the EXIF headers of JPEG files.
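One defender-side check this technique suggests, as an added example that is not Trustwave's or the page's own code: walk a JPEG's metadata segments (the APPn segments before Start Of Scan, where EXIF lives) and flag PHP open tags or dangerous function names found in them, and also in any bytes trailing the End Of Image marker, since uploaded files are often stored as-is even when a decoder ignores that tail. The sample JPEGs below are constructed byte strings rather than real images, and the pattern list is an assumed starting point, not a complete signature set.

```python
import re
import struct

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image
APP1 = 0xE1         # APP1 segment: EXIF metadata
SOS = 0xDA          # Start Of Scan: entropy-coded pixel data follows

# Byte patterns that have no business inside image metadata (assumed list for this example).
SUSPICIOUS = [
    re.compile(rb"<\?php"),
    re.compile(rb"<\?=\s"),
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\("),
]


def iter_segments(data):
    """Yield (marker, payload) for each JPEG segment up to Start Of Scan."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            return  # metadata segments all precede the scan data
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def segment_name(marker, payload):
    if 0xE0 <= marker <= 0xEF:
        label = f"APP{marker - 0xE0}"
        return label + "/EXIF" if payload.startswith(b"Exif\x00\x00") else label
    return f"0x{marker:02X}"


def scan_jpeg(data):
    """Return [(segment, matched_text, offset_in_segment), ...] for suspicious content."""
    hits = []
    for marker, payload in iter_segments(data):
        name = segment_name(marker, payload)
        for pat in SUSPICIOUS:
            for m in pat.finditer(payload):
                hits.append((name, m.group(0).decode("latin-1"), m.start()))
    end = data.rfind(EOI)
    if end != -1 and end + 2 < len(data):  # bytes appended after EOI
        trailer = data[end + 2:]
        for pat in SUSPICIOUS:
            for m in pat.finditer(trailer):
                hits.append(("trailer", m.group(0).decode("latin-1"), m.start()))
    return hits


def build_jpeg(exif_body):
    """Assemble a minimal JPEG skeleton: SOI, one APP1/EXIF segment, SOS, EOI (constructed)."""
    app1 = b"Exif\x00\x00" + exif_body
    seg = b"\xff" + bytes([APP1]) + struct.pack(">H", len(app1) + 2) + app1
    return SOI + seg + b"\xff" + bytes([SOS]) + b"\x00\x00" + EOI


TIFF_HEADER = b"MM\x00\x2a\x00\x00\x00\x08"  # big-endian TIFF header, IFD at offset 8
CLEAN = build_jpeg(TIFF_HEADER + b"\x00\x00")  # IFD with zero entries
PLANTED = build_jpeg(TIFF_HEADER + b"\x00\x00" + b"<?php /* planted */ eval(PLACEHOLDER); ?>")
TRAILED = CLEAN + b"<?php echo 1; ?>"  # code appended after End Of Image

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("planted", PLANTED), ("trailed", TRAILED)):
        print(label, scan_jpeg(blob))
```

The scan is a string-level heuristic, not a parser of EXIF tag structure, so it is cheap to run at upload time and on existing upload directories. It is a detection for files that already contain script, not a substitute for the server-side controls that stop such files being executed: storing uploads outside the web root, serving them with a handler that never passes them to the PHP interpreter, and re-encoding images on upload so that foreign metadata is discarded.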
MyDoom malware dating back to 2004 is still actively used in 2019
- Researchers at Unit 42 published an analysis of MyDoom malware, identifying that it accounts for approximately 1.1% of all emails they see that contain a malicious attachment. The malware is spread using SMTP, and emails are predominantly disguised as reports stating that a message has failed to deliver. Malicious attachments in these emails are either executable files or zip archives that contain executable files.
- A Windows host that is infected with MyDoom is turned into a spam bot which sends further MyDoom email. This process occurs even if the infected host does not have a mail client.
- The vast majority of MyDoom emails originate from Chinese IP addresses; 349,454 emails from Chinese IPs were identified in the first six months of 2019. MyDoom is predominantly used to target organisations in the US and China. The researchers noted that the high tech industry received the majority of MyDoom emails.
Bellingcat journalists targeted in phishing campaign
- The ProtonMail Team has reported that an email phishing campaign against investigative journalists at Bellingcat has been misreported, with articles incorrectly stating that the service itself was compromised. They have stated that no breach of their systems occurred, and that the attack was against the users themselves.
- The phishing emails attempted to both redirect the journalists to one of dozens of fake ProtonMail domains, and exploit their email clients using an unpatched vulnerability. The attack did not succeed due to ProtonMail’s anti-phishing measures and the vigilance of its users.
- Due to similarities in the techniques and resources used by the attackers to those of APT28, as well as the motivations behind targeting Bellingcat journalists specifically, the ProtonMail Team believe that, whilst they cannot irrefutably prove it, the attacks were of Russian origin. They have also published a technical analysis of the attack which includes indicators of compromise. ProtonMail contacted the web hosts and registrars to ensure the domains were suspended, and offered advice on how to identify genuine ProtonMail emails.
Leaks and Breaches
Multiple North Carolina governments targeted by cyberattacks
- Lincoln County suffered a ransomware attack on July 24th, 2019, which destroyed a recent system backup and encrypted information on the main server. No data was exposed externally.
- Anson County and the city of Concord in North Carolina also suffered cyberattacks. Hackers defaced local government websites with vulgar language, but there was no evidence of a data breach.
Grays Harbor Community Hospital suffers ransomware attack
- The hospital has published little information regarding the attack, although reports on the issue surfaced in the middle of June. Michael Bruce, a board chairman at the hospital, has stated that ‘Nothing has changed in terms of patient care’ and that surgeries and regular procedures in the hospital are still functioning.
- It is not clear what strain of ransomware the hospital was hit by, or when access to systems will be restored.
Illegal copies of Schengen database allegedly made by UK authorities
- The EU-run Schengen Information System contains data on 100,000 missing people, 36,000 criminal suspects and 500,000 non-EU citizens denied entry into Europe, and includes photographs, personal details, fingerprints and arrest warrants.
- It has been alleged that copies were made by UK officials, and were stored insecurely at airports and ports, meaning that updates and removals from the database were not reflected in the copies. Third-party companies such as IBM, ATOS and CGI were also given unauthorised access, and were able to copy it. US officials could request the database from a company under the USA Patriot Act.
Fortinet breached by criminals seeking access to customer systems
- Fortinet released a statement on July 26th, 2019, confirming that an attacker had gained access to technical data that allowed them to impersonate a server. The malicious actor behind the attack was attempting to access customer systems.
- Fortinet stated that they acted to contain and block the activity, and advised customers to install their latest patch update. There is no evidence that customers have been impacted.
Georgia Department of Public Safety suffers ransomware attack
- An employee at the Department of Public Safety first noticed a suspicious message pop up on their screen, and after notifying the Georgia Technology Authority, the organisation’s servers and network were taken down as a precaution.
- The origin, scale, and type of ransomware used in the attack are unclear, as the department is not currently making any details public. However, it has stated that no operations have been halted as a result.
Two Puerto Rican hospitals hit by ransomware attacks
- On July 19th, 2019, both the Bayamón Medical Center of Puerto Rico and the Puerto Rico Women And Children’s Hospital notified the Department of Health and Human Services of a ransomware attack against their systems. No further details about the attacks have been given, but both incidents combined may impact 522,439 patients.
Code execution vulnerability found in LibreOffice
- The remote code execution vulnerability in LibreOffice’s Python interpreter, tracked as CVE-2019-9848, could allow an attacker to run code without prompting the user for permission. The flaw has since been patched.
Outdated stream cipher used by Citibanamex
- Researchers at Trustwave discovered that smart bank statements from Citibanamex used Rivest Cipher 4 (RC4), an insecure stream cipher that is over 20 years old.
- After the issue was disclosed to the vendor on March 22nd, 2018, the RC4 cipher was replaced with AES, with a fix confirmed on July 19th, 2018.
Vulnerabilities discovered in MikroTik’s RouterOS
- Two vulnerabilities have been found in MikroTik’s operating system, RouterOS. The first vulnerability, tracked as CVE-2019-13954, is a memory exhaustion issue that can be triggered by a crafted POST request sent by an authenticated user. The issue exists because of an incomplete fix for a previous vulnerability, CVE-2018-1157.
- The second vulnerability, tracked as CVE-2019-13955, could allow an authenticated user to trigger stack exhaustion via recursive parsing of JSON.
- Both vulnerabilities can be patched by updating RouterOS to version 6.44.6 or 6.45.1.
Sexual orientation and religious beliefs of students in UK stored on government database
- Data obtained via a freedom of information request revealed that the British Department of Education holds details regarding the sexual orientation of 3.2 million people, and data on the religious beliefs of 3.7 million.
- Eight universities failed to inform students that their personal data would be shared and neglected to include a link to the HESA Student Collection Notices. Seven universities have changed their policies after finding they failed to make clear that this information was to be passed to public authorities.
EUROFISC database among stolen data in Bulgarian hack
- The EUROFISC database is said to be among the data stolen in the recent data breach of Bulgaria’s National Revenue Agency. EUROFISC is a network established by the European Commission to simplify the sharing of information in relation to tax fraud.
- According to a Commission spokesperson, all member states have been notified and the situation will continue to be monitored.
US maritime agency vulnerable to cyberattacks
- According to a report by the US Department of Transportation Inspector General, the identity and records of thirteen executives and staff of the US Maritime Administration could have been stolen in a cyberattack, potentially amounting to $103 million in credit monitoring fees.
- The report demonstrates how auditors were able to gain unauthorized access, partly because the agency lacked government-recommended alert systems. The auditors also found that sensitive data was not encrypted.
Brazilian president target of cyberattack
- President Jair Bolsonaro’s mobile phones were targeted by hackers in an incident referred to as ‘a matter of national security’ by the federal police.
- According to the Brazilian Justice Ministry, the attack came from a group of four that were arrested on July 23rd, 2019 on accusations of hacking other government authorities, including Justice Minister Sérgio Moro.
Apology sent to NAB customers for unauthorised data upload
- Approximately 13,000 customers are being contacted by the bank after it was discovered that their data was uploaded to the servers of two data service companies without authorisation. The data itself was deleted within two hours, and included names, dates of birth, contact information, and some government-issued numbers. The upload was due to human error.
- The Chief Data Officer of NAB stated that they take the privacy and protection of customer information extremely seriously, and that they sincerely apologise to those affected. No NAB login details or passwords were compromised.
Facebook removes fake accounts involved in spreading political disinformation
- Facebook removed 12 accounts and 10 pages that originated in Thailand; the deleted accounts focused on spreading ‘divisive narratives’ on a range of issues including Thai and US politics. Analysts at Facebook found that some of the activity was linked to an individual working for New Eastern Outlook, a Russian government-funded journal that is based in Moscow.
- Facebook also removed accounts that were spreading false information ahead of elections in Ukraine. 18 accounts, 9 pages and 3 groups were created by actors in Russia; some of the accounts impersonated dead journalists. Additionally, 83 accounts, 2 pages and 29 groups that originated in Russia and Ukraine’s Luhansk region were also removed. Some of the accounts impersonated Ukrainian military figures and wrote about the military conflict in Eastern Ukraine.
- 181 accounts and 1,488 pages that were linked to individuals working for the Honduran government were also deleted. The deleted pages were focused on Honduran domestic politics and praised President Juan Orlando Hernández.
US sanctions impact GitHub developers
- Crimea-based developer Anatoliy Kashkin discovered that his GitHub account was restricted due to US trade control law restrictions. When Kashkin attempted to access his GitHub-hosted website he was met with a 404 error. Additionally, private repositories were inaccessible. Kashkin retained the ability to create public repositories but was unable to delete them.
- The trade control regulations will also impact developers in other sanctioned regions such as Iran, Cuba, North Korea and Syria.
Siri recordings allegedly expose confidential details
- An alleged anonymous whistleblower at Apple has stated that contractors who analyse Siri requests for the purposes of product improvement regularly hear confidential recordings, including medical discussions, criminal dealings and sexual encounters. This data is also supposedly accompanied by location and contact details.
- Staff are encouraged to report accidental activations as a technical issue, with no procedure in place to deal with sensitive recordings. The whistleblower felt that they had to go public with this information, because of fears that recordings could be misused.
- Apple responded to the report by stating that a small number of Siri requests are analysed to improve Siri, and that no Apple ID information is tied to the requests. These requests are also reviewed at a secure facility, with reviewers adhering to Apple’s strict confidentiality requirements.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.