Silobreaker Daily Cyber Digest – 29 May 2019
Sodinokibi positioned to become popular among ransomware distributors
- Researchers at Coveware attribute this to the ransomware's sophisticated attack vectors and to the investment its developers have made in their Tor payment site.
- The new Sodinokibi variant exploits CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic that was exploited as a zero-day. Successful exploitation gives unauthenticated remote code execution.
- Sodinokibi issues a single decryptor that works across an entire network. This removes the scaling problems seen with other ransomware families and lets its operators target larger enterprises.
Source (Includes IOCs)
Rocke group adds new features to cryptomining campaign
- Researchers at Fortinet’s FortiGuard Labs observed new features being added to malware used by the Rocke Group. Rocke is known for its Linux coin mining campaigns.
- One of the updates includes a new function that exploits systems running Jenkins, an open source automation server, with the hope of infecting more systems. The group has also added new attack stages and new redundancies in its multi-component execution, making the malware more dynamic and flexible.
- The use of a hook library in particular makes the malware more difficult to detect, giving the attackers more time to generate profit.
Source (Includes IOCs)
Emissary Panda attacks SharePoint servers belonging to two Middle Eastern governments
- Palo Alto's Unit 42 observed Emissary Panda, also known as APT27, installing webshells on SharePoint servers in order to compromise government organisations in two different countries in the Middle East. The threat group is believed to have exploited a recently patched remote code execution flaw in Microsoft SharePoint, tracked as CVE-2019-0604, to install the webshells.
- A variety of tools were used for activities on the network such as dumping credentials and locating and pivoting to other systems. The threat group also used tools to establish which systems were vulnerable to CVE-2017-0144, the SMB flaw exploited by EternalBlue in the WannaCry attacks of 2017.
- The webshells and tools used in the campaign are all detailed in Unit 42’s report, in addition to an analysis of the payloads used in the campaign and an attack overview.
Source (Includes IOCs)
New activity by APT10 discovered
- enSilo has reported on new activity by APT10, detected in late April 2019, using previously unknown malware. Both variants of the loader, and the payloads used in the campaign, share TTPs and code with previous activity associated with APT10. The samples identified have been traced back to the Philippines.
- Payloads identified in the campaign include PlugX and Quasar RAT. Quasar RAT is an open-source remote access tool that APT10 has used in previous campaigns targeting government and private organisations. PlugX is a malware family capable of communication compression, encryption, enumeration, file interaction, remote shell operations, and more.
- enSilo's report includes an analysis of both loaders and their payloads, the TTPs, and the C2 server.
Source (Includes IOCs)
Cyber criminals abuse secure tunneling service to deliver Lokibot
- Researchers at My Online Security discovered a campaign which attempts to deliver Lokibot malware via a phishing email from BBVA Banco Continental.
- The campaign abused ngrok, a secure tunneling service hosted on Amazon AWS. Attackers can use the service to expose malware hosted on their own machine through a cloud-hosted tunnel endpoint, bypassing security controls and firewalls that trust the cloud provider's address space.
- In addition, reporting the abuse to the hosting provider is ineffective, because the malware itself is not stored on Amazon's servers; only a link or redirection passes through them.
Source (Includes IOCs)
New phishing campaign uses fake Office 365 ‘File Deletion’ alerts
- The phishing emails pretend to be from the ‘Office 365 Team’ and warn users that there has been an unusual amount of file deletions occurring on their account.
- Users are lured into clicking a link to view the alert details. The link redirects them to a fake Microsoft account login page, hosted on Azure, that phishes for their credentials.
New Zealand Treasury confirms systems hacked
- The New Zealand Treasury has confirmed that its systems have been 'deliberately and systematically hacked.' There is reportedly no evidence to suggest that any personal information has been accessed or stolen.
Malware infection returns to target Joomla and WordPress
- Researchers at Sucuri discovered a persistent malware infection that re-infected files on a WordPress website after they had been cleaned. The files were repeatedly re-infected by a cron job that scheduled the malware to be downloaded again from a third-party domain.
- The malware infection is almost identical to a 2014 campaign which targeted WordPress and Joomla. The malware is configured to detect sites running WordPress and Joomla based on their directory structures before determining the best method to infect the websites files.
Source (Includes IOCs)
Techzim warns of hack on Econet website
- Techzim discovered that parts of Econet’s website have been compromised, causing users to be redirected to a fake Econet page when on Econet’s LTE landing page. Econet have since taken the landing page down, however, it is not yet clear whether other parts of the website were also compromised.
Internet provider Sumo Fiber suffered DDoS attack
- A Distributed Denial-of-Service (DDoS) attack was launched against the US internet provider Sumo Fiber from May 24th until May 27th, 2019. The attack caused slowdowns and service disruptions in Utah, but did not disrupt the physical fiber network.
US Coast Guard warns of cyberattacks
- The US Coast Guard has warned of phishing attacks following attempts by unidentified hackers to gain access to ship electronic systems. Using email addresses that pose as official Port State Control authorities, the attackers attempted to gain access to sensitive data, including the contents of an official Notice of Arrival.
- Additional malware attacks aimed at disrupting shipboard computer systems have also been reported to the US Coast Guard.
Saudi satirist claims his phone was hacked by the Saudi government
- Saudi satirist Ghanem Almasarir filed a legal claim alleging that the Saudi government has deployed spyware on his phone to obtain personal information. He claims to be targeted with Pegasus spyware, which was developed by the Israeli cybersecurity firm NSO Group.
- Suspicious text messages were investigated by Citizen Lab, the Canadian laboratory that conducts research on targeted surveillance. According to Middle East Eye, Citizen Lab ‘concluded with a high degree of confidence’ that Saudi Arabia is the ‘state responsible.’
Potential expansion of TA505 activity
- Researchers at Yoroi CERT analysed a recent spear phishing attack against an Italian organisation that showed similarities to previous attacks undertaken by the hacker group TA505, known for targeting the Banking and Retail sectors. This campaign suggests a move away from its usual targets and a focus on other industries.
- The malware used in the campaign avoids detection by delivering the Remote Manipulator System (RMS) client by TektonIT, packed with the MPRESS PE compressor. Acting as a remote administration tool, TektonIT RMS gives the attacker complete access to the victim's device.
- TA505 had previously deployed a legitimate remote administration tool produced by TektonIT. Some TA505 code pieces were also re-used in this campaign.
Leaks and Breaches
Viewfines website shut down following data breach
- iAfrikan reported on May 24th, 2018, that Viewfines stored personal records on 1 million South African drivers on a publicly available database.
- The information included names, ID numbers, mobile numbers, email addresses, traffic fines and passwords, which were stored in plaintext.
- On May 28th, 2019, the Information Regulator confirmed that all registered users had been contacted by Viewfines. Additionally, the Viewfines website has been removed and all personal information deleted from the database.
Investment Week suffers data breach
- The information of as many as 330,000 readers may have been compromised in the breach which was discovered on April 4th, 2019.
- Compromised details were stored in an unprotected database and included information such as names, email addresses and subscription details.
- Moreover, the database reportedly included user passwords that were not securely protected and could have been recovered by a brute-force attack.
News aggregator Flipboard discloses data breach
- Flipboard disclosed that an unauthorized user accessed and potentially downloaded copies of databases containing user information. The databases were accessed twice, once between June 2nd, 2018, and March 23rd, 2019, and the second time between April 21st and April 22nd, 2019.
- User information including names, Flipboard usernames, hashed and salted passwords, and email addresses, may have been affected. In some cases, digital tokens used to login to Flipboard using site credentials from Google, Facebook, and Twitter, may have also been compromised. The number of users affected remains unknown.
Greene King gift card website suffers data breach
- The UK pub chain Greene King has informed its customers of a data breach, discovered on May 14th, 2019, affecting customers of its gift card website.
- Exposed customer data included names, email addresses, user IDs, encrypted passwords, addresses and postcodes.
Open database exposes Aadhaar numbers of thousands of farmers
- Security researcher Elliot Alderson discovered an open database belonging to the Andhra Pradesh agriculture ministry exposing the data of thousands of farmers.
- Affected data includes Aadhaar numbers, names, father’s names, mobile numbers, names of associated villages, tractor types, castes and more.
Columbus Community Hospital suffers data breach
- OS, Inc., a company providing claims management services to Columbus Community Hospital, informed the hospital of a phishing campaign targeting them on April 8th, 2019, that potentially resulted in the personal information of patients being exposed. Impacted patients were informed on May 24th, 2019.
- The data that may have been accessed includes names, hospital account numbers, names of insurers, summary of charges and category of service. In some cases, Social Security numbers may also have been exposed.
Cincinnati-based TriHealth informs patients of a data breach dating from June 2018
- A former physician shared data with a student mentee who was not a TriHealth employee and who was unauthorised to view the data.
- 2433 patients were alerted to the data breach issue. The affected data included patients’ names, dates of birth, ethnicities, life statuses, and more.
Unsecured database leaks user information from Chinese dating apps
- Security researcher Jeremiah Fowler discovered an Elasticsearch database with no password, associated with Chinese dating apps, that exposed information on American users.
- According to Fowler, multiple dating applications were storing data inside the database. The exposed information includes users’ IP addresses, ages, locations and usernames. The apps in question include Cougardating, Christiansfinder, Mingler, Fwbs and an app referred to as ‘TS’.
Privilege escalation vulnerability discovered in Slick Popup WordPress plugin
- According to Wordfence researchers, the flaw affects all versions of the Slick Popup plugin up to the latest release, version 1.7.1. The vulnerability allows users to gain administrative access to an affected WordPress site. A patch has not yet been released.
Unpatched vulnerability affects all Docker versions
- All versions of Docker are currently vulnerable to a race condition in the docker cp path-resolution code that could give attackers both read and write access to any file on the host system.
- According to Bleeping Computer, the flaw is tracked as CVE-2018-15664. It stems from the FollowSymlinkInScope function, which suffers from a basic time-of-check to time-of-use (TOCTOU) bug: the path is validated as lying inside the container's root, but by the time it is used a component can have been swapped for a symlink pointing outside it.
- Two proof-of-concept exploit scripts, one for read and the other for write access, have been created. A patch is yet to be released.
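The check-then-use window behind this bug class, shown here as an added example that is not the Docker project's code nor the exploit scripts the article mentions. It assumes a hypothetical "copy out of a root directory" helper: the racy version validates a resolved path string and then reopens it by name, so a directory swapped for a symlink in between is followed; the hardened version walks the path one component at a time relative to a directory file descriptor with O_NOFOLLOW, so a swapped component is rejected rather than followed. The directory tree and the attacker's swap are constructed inside the demo (Linux or macOS, needs symlink support).

```python
import os
import shutil
import tempfile


def resolve_in_scope(root, rel):
    """'Check' half: resolve root/rel and reject anything outside root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes scope: %s" % rel)
    return target


def read_in_scope_racy(root, rel, between_check_and_use=lambda: None):
    """Vulnerable pattern: check the resolved string, then open it by name.
    open() re-walks every path component, so a symlink swapped in after
    the check is followed out of scope (the TOCTOU window)."""
    target = resolve_in_scope(root, rel)
    between_check_and_use()            # the attacker's window (simulated)
    with open(target, "rb") as f:
        return f.read()


def read_in_scope_safe(root, rel, between_check_and_use=lambda: None):
    """Hardened pattern: walk one component at a time relative to the
    previous directory fd with O_NOFOLLOW, so no component may be a
    symlink and nothing is re-resolved from a string after being checked."""
    between_check_and_use()            # swap happens before the walk; still caught
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise PermissionError("'..' not allowed: %s" % rel)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            flags = os.O_RDONLY | os.O_NOFOLLOW
            if i < len(parts) - 1:
                flags |= os.O_DIRECTORY
            nfd = os.open(part, flags, dir_fd=fd)   # ELOOP if part is a symlink
            os.close(fd)
            fd = nfd
        with os.fdopen(fd, "rb") as f:
            fd = -1                                 # fdopen now owns the fd
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: a 'rootfs' directory standing in for a container
    root and a 'host' directory outside it; the attacker swaps a checked
    directory for a symlink between check and use."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "rootfs")
        host = os.path.join(base, "host")
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(host)
        with open(os.path.join(root, "etc", "shadow"), "wb") as f:
            f.write(b"inside-container")
        with open(os.path.join(host, "shadow"), "wb") as f:
            f.write(b"HOST-SECRET")

        def swap():   # attacker: rootfs/etc becomes a symlink to the host dir
            os.rename(os.path.join(root, "etc"), os.path.join(root, "etc.real"))
            os.symlink(host, os.path.join(root, "etc"))

        def unswap():
            os.remove(os.path.join(root, "etc"))
            os.rename(os.path.join(root, "etc.real"), os.path.join(root, "etc"))

        leaked = read_in_scope_racy(root, "etc/shadow", swap)   # host file read
        unswap()
        try:
            read_in_scope_safe(root, "etc/shadow", swap)
            blocked = False
        except OSError:                                         # ELOOP from O_NOFOLLOW
            blocked = True
        return leaked, blocked
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())   # (b'HOST-SECRET', True)
```

The point of the hardened version is not the extra ".." check but that the object being operated on is the file descriptor obtained during the walk, not a path string re-walked later; the per-component O_NOFOLLOW turns any symlink, whether present at check time or swapped in afterwards, into an error. A real fix can also freeze the container's filesystem during the copy, which is the alternative mitigation discussed for docker cp.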
Almost one million devices discovered vulnerable to BlueKeep flaw
- Following reports on the new 'BlueKeep' remote code execution flaw in Remote Desktop Services, tracked as CVE-2019-0708, a further report has been released revealing that almost one million internet-exposed devices are vulnerable to the flaw. Because the vulnerability is wormable, malware exploiting it could spread from one compromised host to other unpatched hosts without any user interaction.
- Reports have also confirmed that after an investigation, Siemens discovered that some of its Healthineers products were vulnerable to the flaw, including MagicLinkA, MagicView, Medicalis solutions, Screening Navigator, syngo solutions and teamplay (receiver software only). Security advisories have been released.
Vulnerability in DuckDuckGo Android browser permits URL spoofing attacks
- Researcher Dhiraj Mishra discovered an address bar spoofing flaw, tracked as CVE-2019-12329, in the open source DuckDuckGo Privacy Browser for Android version 5.26.0.
OnePlus 7 Pro accessed by homemade fingerprint scanner
- A vlogger from Max Tech unlocked the phone using a fingerprint impression made with a hot glue gun. The same method could be used to unlock the OnePlus 6T.
Japanese government restricts foreign tech investment
- The Japanese government is reportedly restricting foreign ownership of domestic firms in technology, on the grounds of national security. The restriction applies to the manufacturing of chips, mobile phones, and other sectors including nuclear equipment and arms.
- From August 1st, 2019, foreign companies that wish to invest in over 10% of Japanese firms will need prior approval from the government.
Browser lockers grow in popularity among cyber criminals
- Researchers at AdSecure observed high instances of browser locker attacks among tier 1 countries. In all countries except Canada, browser locker attacks were the highest detected violation from a volume perspective.
- On desktop, 70% of these attacks occurred via the Google Chrome browser, while on mobile 98% of attacks occurred on Chrome.
- Moreover, researchers recorded a rise in push locker attacks which take advantage of a flaw in the push notification opt in settings.
Chinese military to replace Windows OS amid political tensions with US
- Beijing officials have decided to develop their own custom operating system to replace Windows OS on computers used in the Chinese military.
- The decision was likely made in light of the Snowden, Shadow Brokers and Vault 7 leaks, which provided evidence that US hacking tools can target operating systems such as Windows and macOS. The new software will be developed by the newly formed Internet Security Information Leadership Group.
Three individuals arrested for tech support scam operation
- Gunjit Malhotra, Gurjeet Singh and Jas Pal, were arrested for operating a tech support scam between 2013 and 2019, that generated $1.3 million in profits. The victims were mostly elderly who were tricked into paying for fake computer repair services.
Germany seeks access to encrypted messages sent through messaging applications
- Germany’s Federal Minister of Interior, Horst Seehofer, stated that he wants law enforcement agencies to be able to access end-to-end encrypted messages or calls sent through messaging providers such as WhatsApp, Telegram or Threema.
Victoria’s public health system is ‘highly vulnerable’ to cyber attacks
- The Victorian Auditor-General’s Office (VAGO) has found that the state’s public health system contains security weaknesses within the Department of Health and Human Services’ (DHHS) technology. The weaknesses reportedly increase the likelihood of a security breach in 61% of the state’s health services.
13-year-old Adelaide Schoolboy hacks Apple twice
- The boy, who is now 17, pleaded guilty to multiple computer hacking charges at the Adelaide Youth Court. He accessed Apple's systems in December 2015 and again in early 2017.
- During his trial the boy’s lawyer informed the court that the defendant believed that his actions would earn him a job offer from Apple.
- The Magistrate did not record a conviction and placed the defendant on a $500 bond of good behavior for nine months.
Proofpoint report on high-volume of campaigns using Emotet
- Proofpoint's Q1 2019 Threat Report focuses on the high volume of Emotet campaigns. It also reclassifies Emotet as a botnet, rather than its previous description as a banking trojan, because of its use for spam distribution, information theft, and downloading additional malware.
FireEye report on suspected Iranian influence operation
- FireEye researchers investigated a network of English-language social media accounts involved in inauthentic behaviour and misrepresentation, allegedly organized in support of Iranian political interests.
- The researchers found that, in some cases, the fake accounts impersonated real American individuals, including Republican political candidates. The accounts also attempted to lobby journalists and mainstream media outlets to cover certain stories, promoting anti-Saudi, anti-Israeli and pro-Palestinian narratives.
- In some cases, the fake accounts succeeded in having their material published in US and Israeli media outlets.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.