Silobreaker Daily Cyber Digest – 29 November 2019
Dutch NCSC reveals over 1,800 businesses infected with Ryuk, MegaCortex, and LockerGoga
- The Dutch National Cyber Security Centre (NCSC) warned that Ryuk, MegaCortex, and LockerGoga ransomware have infected at least 1,800 companies worldwide. BleepingComputer speculated that the number of infections may be far higher than reported, due to organisations choosing not to disclose ransomware incidents.
- The attacks, which are thought to have begun in July 2018, used the same infrastructure and may have exploited zero-day vulnerabilities.
- The victims, whose names have not been revealed, include entities operating in the automotive, construction, chemical, health, food, and entertainment sectors. The attacks targeted larger companies with revenue streams in the millions or billions.
Malware distributors use Thanksgiving-themed emails
- BleepingComputer discovered a malicious email containing a Word document purporting to be a Thanksgiving eCard. When opened, the attachment prompts the user to ‘Enable Content’. If the target complies with this request, obfuscated macros contained in the document extract malware from an embedded payload or download malware from a remote host.
- Researchers at Cryptolaemus also identified a Thanksgiving-themed campaign which notified the recipient of holiday closing hours and prompted them to download an attached file. The researchers warned that the attackers are using trojans, including Emotet, and other forms of malware.
JPCERT/CC issues warning about Emotet malware targeting Japanese speakers
- The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) revealed that it has received reports of Japanese speakers being targeted with Emotet malware.
- JPCERT/CC stated that it had been receiving reports of the malware since the second half of October 2019. Emotet is commonly delivered via Word documents containing malicious macros.
RedCurl group steals documents and mines for Monero
- Group-IB researchers discovered a threat actor, dubbed RedCurl, targeting a range of organisations with custom trojans and the XMRig miner. The group, first detected in late 2019, has been observed targeting organisations in the consulting, mining, ironwork, retail, construction, and insurance sectors. The majority of its targets are based in Eastern Europe; however, one compromised company was based in North America.
- RedCurl uses high-quality phishing attacks customised for each victim. Target systems are infected with a custom trojan that seeks to exfiltrate important documents, after which the group deploys XMRig to mine Monero.
- Group-IB researchers stated that they are unsure whether the group is state-sponsored. A full analysis of RedCurl, and the researchers’ other recent findings, is available in their ‘Hi-Tech Crime Trends 2019/2020’ report.
RevengeHotels criminal group targets hospitality and tourism industry
- Researchers at Kaspersky identified a cybercriminal group, dubbed RevengeHotels, seeking to steal credit card data from customers of hotels, hostels, and hospitality and tourism companies. The group has been active since at least 2015, but has increased its activity in 2019. RevengeHotels has infected more than 20 hotels, 8 of which are located in Brazil. Other victims are based in Argentina, Bolivia, Chile, and elsewhere.
- The attackers compromise target systems with spear-phishing emails containing malicious Word, PDF, and Excel documents. In some cases the malicious documents use VBS and PowerShell scripts to exploit CVE-2017-0199. The attackers then deploy custom versions of RevengeRAT, NjRAT, 888RAT, NanoCoreRAT, and other custom malware.
- The researchers found evidence on underground forums that the group has infected front desk machines and is selling remote access to these systems. Users with access to front desk machines can steal credit card details and the credentials used on hotel administration software.
- A second group, named ProCC, was also identified targeting the hospitality and tourism industry. Both groups use similar tactics, techniques, and procedures; however, the researchers assert that they are separate entities.
Leaks and Breaches
Cloud solutions company Datrix Ltd exposes customer details following phishing attack
- Datrix Ltd informed customers that an unauthorised party accessed an employee’s email account after the employee clicked on a malicious link. The link was contained in an email which had been sent from a compromised account belonging to one of Datrix’s suppliers.
- The unauthorised party used the Datrix employee’s email account to send around 300 emails to customers. The attacker then contacted Datrix’s finance department and attempted to trick it into paying fake invoices linked to a fake domain.
City of Charlottesville, VA, investigates possible data breach on tax collection site
- The City of Charlottesville, Virginia, has disclosed that a security flaw was discovered in the online payment transaction software of a third-party vendor. The City of Charlottesville’s Treasurer Office used the software to collect real estate and personal property tax.
- Following the discovery of the flaw, the software, which is also used by other localities in Virginia, was disabled. An investigation into the incident is ongoing.
Palo Alto Networks exposes employee information
- Business Insider reported that seven current and former Palo Alto Networks employees had their data exposed by an external service company. The breach, which was detected on February 2nd, 2019, included information such as names, dates of birth, and Social Security numbers.
- A former employee of Palo Alto Networks told Business Insider that the incident went undetected for months. The company responded to the breach by terminating its relationship with the third-party provider.
RCS mobile technology exposes users to a range of attacks
- Researchers at SRLabs identified numerous issues with the implementation of Rich Communication Services (RCS) technology. RCS, which is intended to replace SMS, is built on the SIP and HTTP internet protocols. At present RCS is being deployed in 67 countries, including on all Android phones in the US.
- The researchers found that poor implementation of RCS functionality on a phone could allow an attacker to steal RCS configuration files that contain SIP and HTTP credentials. The Android Messages RCS client, currently the most prevalent, can be exploited via a DNS spoofing attack. The issue, which is caused by insufficient domain and certificate validation, could allow an attacker to intercept and manipulate communications.
- The researchers discovered a host of exploitable issues affecting certain RCS deployments. The vulnerabilities, which do not impact all RCS deployments, could allow attackers to track users, intercept texts, inject traffic, and more.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.