Silobreaker Daily Cyber Digest – 30 July 2019
ATM malware observed making use of Java Instrumentation techniques
- Researchers at Cybaze-Yoroi Zlab analysed a sample of newly discovered Java ATM malware, which they believe is most linked to recent cyber criminal operations against the banking sector.
- Unlike previously observed ATM malware, this sample does not rely on standard communication interfaces, but rather uses Java Instrumentation techniques to manipulate the control flow of legitimate Java-based ATM management software.
- The researchers suggest the involvement of an insider to explain how the malicious actors are capable of developing such ad hoc malware. Other explanations could be the long term compromise of the whole target network or a small subset of mailboxes, or a compromise of the software development supply chain.
Source (Includes IOCs)
Malware developers adopt subscription model for Alpha Keylogger
- Researchers at Cofense have observed a new piece of malware, dubbed Alpha Keylogger, being sold for $13 on a monthly subscription basis. The developers behind the malware claim that Alpha Keylogger can exfiltrate data over email, FTP, or via the API of Telegram. These claims are overstated, and subscribers must choose between FTP or email exfiltration.
- The Telegram API extraction feature is also bugged and the malware attempts to exfiltrate information even when the configuration is blank. Failed attempts to exfiltrate information from Telegram’s API causes HTTPS requests on infected machines that network defenders can use to identify malicious activity.
- The researchers stated that although the subscription model is growing in popularity among malware developers, it also benefits network defenders and law enforcement, as updates can be used to identify distributors.
Source (Includes IOCs)
New ransomware family targets Android devices
- ESET researchers discovered that the new ransomware, dubbed Filecoder, has been active since at least July 12th, 2019. Filecoder is hosted on two malicious domains which users are duped into visiting through posts which are either pornographic or technology related. At present, the researchers have identified links to the attacker’s domains on Reddit and Android developer forum, XDA Developers.
- When downloaded, the malware immediately attempts to self-propagate by sending SMS messages containing malicious links to all contacts on an infected device. Filecoder supports 42 languages and customises the messages by prefixing them with the contacts name, followed by accessing storage volumes, and encrypting most of the data found.
- Due to poor encryption implementation, victims are able to decrypt their files. However, researchers warned that if the developer fixed these flaws then the malware would be a serious threat.
Source (Includes IOCs)
Lenovo Iomega NAS devices attacked by hackers demanding ransom payments
- Users on BleepingComputer forums discovered that their files were disappearing and being replaced with a ransom note. The note claimed that the victim’s files have been encrypted and demanded a Bitcoin payment for their safe return. In actuality, the files were being deleted rather than encrypted.
- BleepingComputer speculated that attackers were gaining access to the publically accessible Iomega NAS devices through the web interface.
Source (Includes IOCs)
New version of TrickBot targets Windows Defender
- Security researcher Vitali Kremez and researchers at Malware Hunter Team discovered a new variant of Trickbot that features 12 new methods to target Windows Defender and Microsoft Defender ATP.
- The new methods attempt to use Registry setting or the Set-MpPreference PowerShell commands. The methods are largely unsuccessful as they are blocked by TamperProtection.
Click-fraud scam pretends to offer WhatsApp users 1000GB of internet data
- ESET researchers in Latin America observed the click-fraud campaign being spread via WhatsApp. Users received a message claiming that they would receive 1000GB of free data to celebrate WhatsApp’s anniversary, alongside a suspicious link.
- The link which would take users to a survey about WhatsApp. Targets were then encouraged to pass the offer to 30 people to become eligible for a large reward. In reality, users do not receive any reward for any of their actions, and instead the campaign authors were using the fake survey to deliver advertisements as part of a click-fraud scheme.
Campaign of targeted RFI attacks leveraged to deploy phishing kits
- Security researcher Larry Cashdollar discovered a campaign of targeted remote file inclusion (RFI) attacks leveraged to deploy phishing kits, with a popular European bank being the latest target. The campaign was discovered following the detection of such attempts on Cashdollar’s personal website.
- Targeted RFI attacks allow attackers to remain undetected unless a server administrator monitors their logs and could lead to the contents of an externally called file being output, and possibly executed by the server, leaving it vulnerable to cross-site scripting attacks, denial-of-service attacks, and sensitive information disclosure.
- Cashdollar concluded that phishing must still be a profitable attack technique with a high success rate, as the threat actor could have uploaded anything malicious they wanted, such as a cryptocurrency miner, as opposed to a fake landing page.
Leaks and Breaches
Sephora data breach affects Southeast Asia customers
- Sephora notified its customers of a data breach that may have exposed personal data to unauthorized third parties. Potentially exposed data includes names, dates of birth, gender, email addresses, encrypted passwords and data related to beauty preferences. Sephora does not believe any personal data was misused.
- The breach affects customers using its online services in Singapore, Malaysia, Indonesia, Thailand, Philippines, Hong Kong SAR, Australia and New Zealand.
Capital One data breach exposes information of 106 million people, FBI arrest suspect
- On July 29th, 2019, Capital One announced that an individual gained unauthorized access to the data of 106 million people by exploiting a configuration vulnerability. Capital One discovered the attack on July 19th, 2019 and determined that the attacker had accessed the data on March 22nd and 23rd, 2019.
- Those impacted are either existing Capital One credit card customers or individuals who applied for credit card products. The breach impacted approximately 100 million individuals in the US and approximately 6 million individuals in Canada. The largest category of those affected are consumers and small businesses who applied for credit card products from 2005 to early 2019.
- Compromised data includes names, addresses, email addresses, phone numbers, self-reported income, Social Insurance Numbers, Social Security Numbers, and more. Credit information such as credit scores, credit limits, payment history, and more, were also disclosed.
- The US DoJ announced on July 29th, 2019, that an individual identified as Paige A. Thompson has been arrested in connection with the attack. Thompson allegedly posted information about the theft on GitHub.
LAPD Police officer and applicant information exposed in data breach
- On July 29th, 2019, the Los Angeles Police Department confirmed that the personal information of 2,500 LAPD Officers and 17,500 applicants had been exposed in a data breach. Compromised data includes names, dates of birth, partial Social Security Numbers, email addresses, and passwords.
- The city’s Information Technology Agency stated that it was contacted by an individual who provided files which showing portions of the data downloaded in the leak. The individual claimed to have accessed and downloaded the data.
University of Alabama informs clients of data breach
- The University of Alabama informed roughly 1,400 former clients, employees and medical providers of a data breach at its Tuscaloosa-based Brewer-Porch Children’s Center. The data breach may have exposed names, addresses, Social Security numbers, dates of birth, demographic information, billing credentials and more.
- The breach was first discovered in June 2019, when staff discovered that unauthorised logins had occurred on an old server. The third-party logins occurred between October and December 2009, and may have affected users of Brewer-Porch’s services between September 2002 and December 2008.
Online voting system provider Everyone Counts exposes randomised dummy data
- Security Discovery identified the publicly available MongoDB database on July 5th, 2019. The database contained the ‘randomized and anonymized’ data of more than 85,000 election workers and voters from New Jersey. Personally identifiable information included voter status, party, name, phone number, voting preference, and more.
- Despite containing an array of information, the data was scrambled so that the multiple details could not be attributed to any one individual. Security Discovery contacted the Everyone Counts team and the database was secured on July 6th, 2019.
11 zero-day vulnerabilities found in VxWorks real-time operating system
- Researchers at Armis Labs discovered 11 wormable vulnerabilities, dubbed URGENT/11, of which six are critical. The flaws affect VxWorks’ TCP/IP in all versions since version 6.5, which was released in 2006. Patches for the flaws were released on July 19th, 2019.
- URGENT/11 could allow an attacker to take control of a device without interaction from the user and bypass perimeter security devices, such as firewalls and NAT solutions. The researchers warn that the industrial and healthcare sectors are at severe risk, as VxWorks is commonly used in these sectors.
- The six critical zero-days are CVE-2019-12256, a stack overflow flaw, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263, which are all memory corruption vulnerabilities, and CVE-2019-12257, a heap overflow issue.
Vulnerability in WordPress Facebook Widget plugin
- An authenticated cross-site scripting vulnerability was found in a WordPress Facebook Widget used for Facebook page feeds called ‘facebook-pagelike-widget’. The vulnerability was discovered by Plugin Vulnerabilities following the closure of the plugin on the WordPress Plugin Directory, who were alerted because it was in the top 1,000 most popular plugins category.
Man-in-the Middle attack can bypass contactless limits of Visa cards
- Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov have discovered flaws that allow attackers to bypass the UK contactless verification limit of £30 on Visa contactless cards. The attack is possible with cards and terminals within and outside of the UK.
- Attackers can perform a Man-in-the Middle attack by utilising a device which intercepts the communication between the card and the terminal. The device tells the card that verification is not necessary and the terminal that verification has already been approved. The attack can also be performed on mobile wallets and can be used to charge up to £30 even when the phone remains locked.
Zurich police issue warning over increase in ransomware attacks
- The Zurich police force has warned about an increase in the number of attacks involving ransomware such as LockerGoga, Ryuk and MegaCoretex. It specifically advised companies to be cautious when opening suspicious external emails containing links and attachments.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.