Silobreaker Daily Cyber Digest – 29 November 2018
BANLOAD trojan spreads globally
- Cybereason has recently observed the BANLOAD trojan used worldwide in attacks against banks in more than 60 countries.
- The malware was originally developed by a Brazilian hacker in 2015 and has previously been used in campaigns targeting Brazilian bank customers.
MuddyWater Group targets victims in Lebanon and Oman
- ClearSky researchers observed MuddyWater targeting victims in Lebanon and Oman with a spear phishing campaign that used an Israeli web developer’s compromised domains.
- In the first stage of the attack, the hacker group delivered a macro-embedded document, posing either as a job application or as a letter from Lebanon’s or Saudi Arabia’s Ministry of Justice. MuddyWater then retrieves and executes obfuscated source code hosted on the compromised domains in order to deliver the POWERSTATS backdoor.
Bing warns that VLC Media Player is unsafe
- The website for VLC Media Player, VideoLan[.]org, is triggering a warning for users from Bing stating the site ‘might be dangerous’ and could ‘lead to malicious software that can harm your device.’
- Bing’s Site Safety page for VideoLan[.]org states that the site is showing ‘indications of malicious activity’. When tested on VirusTotal, only 1 out of 62 security vendors detected the software as malicious.
US electrical grid being targeted by Russian cyber espionage campaign
- At the CyberwarCon forum in Washington DC, FireEye researchers reported that the Russian hacker group Energetic Bear is continuing to target the US electrical grid, using ‘living off the land’ techniques as well as custom backdoors and spear phishing.
Attackers open router SMB ports to infect devices with malware in new EternalSilence campaign
- Akamai researchers found that attackers are continuing to exploit vulnerabilities in Universal Plug and Play (UPnP) services, installed on some home and small office routers, in a new malware campaign dubbed EternalSilence.
- The researchers state that threat actors are exploiting these flaws to inject special rules into routers’ NAT tables, allowing them to connect to the SMB ports of devices on the internal network and infect them with malware. They suspect that the campaign intends to leverage the EternalBlue and EternalRed exploits.
- According to Akamai, 277,000 routers with vulnerable UPnP services are exposed online, of which 45,113 have been compromised in this campaign.
RDP attacks target Indian organizations
- Cybersecurity firm Seqrite claims to have blocked an average of 35,000 Remote Desktop Protocol (RDP) brute-force attacks per day targeting Indian businesses over the last 3 months.
- According to Seqrite, these attacks are being used to deploy cryptomining malware and ransomware on infected systems.
Leaks and Breaches
Dell hacked to steal customers’ personal information
- On November 9th, 2018, Dell detected intruders on its systems attempting to extract customer information from Dell sites, including Premier, Global Portal, support.dell[.]com and dell[.]com.
- The hackers attempted to extract customer information including names, email addresses and hashed passwords. There is not yet any conclusive evidence that customer information was successfully extracted.
- Dell has performed a mandatory reset on all Dell[.]com accounts.
City of York data breach is actually a data leak
- On November 16th, 2018, the City of York reported that the One Planet York waste management mobile application had suffered a data breach after a third party was found to have accessed sensitive information including names, email addresses, phone numbers and more.
- It has now been revealed that the reported data breach was in fact a data leak. The vulnerability that caused the leak was reported by a developer at RedSpike, who stated that opening the app’s ‘Leaderboard’ screen caused the API to push the personal data of the app’s top ten users, in plain text, to the app. This allowed legitimate users of the app to see the private details of other One Planet York users.
- The RedSpike developer was the third party that had initially accessed the data and reported the vulnerability to the City of York.
Dunkin’ Donuts franchise suffers credential stuffing attack
- The company notified customers with rewards accounts that their profiles and personal data may have been hacked.
- Data potentially stolen includes names, email addresses, Dunkin’ Donuts Perks account numbers and QR codes.
ElasticSearch server exposes data of nearly 57 million US citizens
- Security researcher Bob Diachenko discovered the misconfigured server database on November 20th, 2018.
- The exposed data includes full names, employers, email addresses, addresses, phone numbers and more. The researcher also found another index of the same database that exposed over 25 million records which appear to be business entries.
- Diachenko traced the breach to data management company Data & Leads Inc. The database has since been taken down.
Urban Massage app leaks data on 309,000 customers
- The data breach was discovered by security researcher Oliver Hough, who found it was the result of an ElasticSearch server database with no password protection.
- The exposed data includes customers’ names, emails and phone numbers. The database also contained over 351,000 booking records and more than 2,000 records on Urban Massage therapists, including their names, emails and phone numbers. Some of the records also contained allegations of sexual misconduct by clients, which included customers’ personally identifiable information.
Cisco re-patches Webex Meetings flaw
- Over a month ago Cisco patched a flaw, tracked as CVE-2018-15442, in the Cisco Webex Meetings desktop app. The flaw could be exploited by an unauthenticated attacker to execute arbitrary commands as a privileged user.
- After the patch was released on October 24th, researchers at SecureAuth discovered that it was incomplete and could be bypassed using DLL hijacking. SecureAuth reported its findings, and a new patch was released by Cisco shortly afterwards.
US lawmakers propose Stop Grinch Bots Act of 2018
- The Washington Post has reported that ‘a group of Democratic lawmakers is trying to make it illegal for people to use automated accounts to inflate the prices of consumer products online.’
- The bots enable hackers to circumvent the security controls used by e-commerce sites, allowing them to deploy automated tools to buy highly sought-after products before regular consumers get a chance, and then sell them on for a much higher profit.
- The lawmakers have proposed the Stop Grinch Bots Act of 2018, which would make this practice illegal.
US Department of Justice indicts four Iranian nationals for SamSam ransomware attacks
- Two of the perpetrators were indicted for infecting victims’ systems with SamSam ransomware, while the other two were indicted for their involvement in converting the illegal proceeds from the attacks into Iranian rial.
- These attacks targeted more than 200 organizations including hospitals, municipalities and public institutions, causing over $30 million in losses to victims.
Trend Micro publish strategies on abusing Microsoft’s PowerShell Core
- Trend Micro have published a report on several strategies that hackers could potentially employ to abuse PowerShell Core, with the intention of developing a greater understanding of potential future threats. The proofs of concept were conducted on Linux, Windows and Mac operating systems.
Kaspersky release report on cryptocurrency mining trends
- In their report, Kaspersky track the rises and falls of miner-related attacks in 2018 and list the most downloaded threats between 2017 and 2018. The report also covers the various factors that affect the distribution of miners, the methods used to distribute them, and predictions on the future evolution of cryptocurrency mining.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.