Threat Reports

Silobreaker Daily Cyber Digest – 30 November 2018

 

Malware

KingMiner targets Windows Servers to mine Monero

  • Checkpoint researchers have discovered a new malware, dubbed KingMiner, that targets Windows Servers to mine Monero coins. KingMiner was first detected in mid-June 2018 and has since been followed by the creation of two new versions.
  • According to Checkpoint’s blog post, KingMiner mostly targets Microsoft IIS and SQL Servers in an attempt to gain access to them via brute-force attacks. The miner is configured to use 75% of the CPU’s resources to mine Monero but was actually observed using 100% of targeted machine’s processing power.
  • KingMiner uses several simple evasion techniques to remain undetected in addition to ‘a private mining pool to prevent any monitoring of its activities’. The researchers have observed KingMiner infections currently spreading from Mexico to India and from Norway to Israel.

Source (Includes IOCs)

 

Yoroi’s Cybaze ZLAB analyse VBS script from recent campaign targeting Italy

  • Following a report by Yoroi’s Cybaze ZLAB on a recent campaign attacking Italian users, Cybaze have further since published their analysis of the VBS script used in the campaign, which was embedded into the zip archives delivered to victims. The researchers discovered an inner Powershell payload designed to download the Gootkit binary from the attacker’s infrastructure.
  • The researchers noted that the initial script at first seems to have very sophisticated obfuscation, however, upon analysis the code uses simple methods such as variable replacement and decimal encoding to hide the script from most popular anti-malware engines.

Source

 

Ongoing Campaigns

APT28 use Brexit themed Word documents in new campaign

  • The alleged Russian hacker group APT28, known by Accenture as Snakemackerel, has been using Brexit themed malicious Microsoft Word documents to target victims with the Zebrocy malware. The researchers identified this new campaign at the same time as UK government leaders announced a draft deal for Brexit earlier this month.
  • The Word document is entitled ‘Brexit 15[.]11[.]2018[.]docx’ which suggests that the hacker group is attempting to exploit current events in their campaigns.
  • Zebrocy, also known as Zekapab, establishes a backdoor on the victim’s system and collects information about the victim.

Source

 

Snake hacker group targets German politicians, lawyers and military personnel

  • German security officials have detected a campaign targeting the email accounts of lawyers, military personnel, and German embassy employees. The campaign was the work of the reportedly Russian hacker group, Snake.
  • It is not yet clear whether any information has successfully been stolen.

Source

 

New ‘Fractured Block’ campaign delivers CARROTBAT malware

  • Researchers from Palo Alto Networks’ Unit 42 have uncovered a new ongoing campaign, dubbed Fractured Block, leveraging a new customized dropper named CARROTBAT. The campaign has been targeting North and South Korea.
  • CARROTBAT is distributed via spear phishing emails with subjects relating to cryptocurrency, cryptocurrency exchanges or political events. The emails’ malicious attachments leverage a Dynamic Data Exchange (DDE) exploit to download SYSCON malware.
  • Further investigation of the domain hosting the SYSCON sample led the researchers to discover CARROTBAT as well as samples of KONNI malware. According to Checkpoint, CARROTBAT was also observed delivering OceanSalt malware samples.

Source (Includes IOCs)

 

Threat actors exploit Chrome’s ‘headless’ feature

  • Imperva researchers reported that hackers are increasingly exploiting the ‘headless mode’ feature in Google Chrome.
  • The feature is based on Chrome running without its Graphical User Interface (GUI), which enables it to ‘run large scale web application tests, navigate from page to page without human intervention, confirm JavaScript functionality and generate reports’. This can be abused by attackers who can use it to evaluate JavaScript or emulate browser functionality.

Source

 

Leaks and Breaches

Marriott International data breach affects 500 million customers’ records

  • According to Marriott’s statement released today, there had been unauthorized access to the hotel group’s Starwood guest reservation database since 2014.
  • Approximately 327 million customer’s data including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, and more was exposed.
  • For other customers, exposed data includes payment card numbers and payment card expiration dates.

Source

 

Sky Brasil exposes 32 million customers’ data

  • Security researcher Fabio Castro found multiple servers in Brazil running Elasticsearch that enabled access to the information without any authentication.
  • The exposed data includes full names, email addresses, service login passwords, client IP addresses, payment methods, phone numbers and street addresses. Several of the records belonged to Brazilian politicians, governors and government employees.
  • Following Castro’s report, Sky Brasil have restricted access to the server with a password. However, as the server remained exposed for a long period of time, Castro states it is possible it may have already been accessed by criminals.  

Source

 

Vulnerabilities

Zero-day vulnerability discovered in NUUO NVRmini 2 Network Video Recorder firmware

  • The flaw in firmware versions 3.9.1 and prior could allow an attacker to execute arbitrary code on the system with root privileges. This could permit them to access and/or modify camera feeds or change the configuration and settings of cameras.
  • NUUO has released a patch for the vulnerability.

Source

 

Report details flaws found in IT infrastructure at Arizona Medicaid organisations

  • The report, published by the Department of Health and Human Services Office of the Inspector General, details 19 vulnerabilities in information systems at two Arizona-based management care organisations.
  • The flaws altogether were related to remote network access, password and login controls, physical security controls, network device configurations and more.

Source

 

Vulnerability patched in Cisco Prime License Manager

  • The flaw, tracked as CVE-2018-15441, is in the web framework code and could permit an attacker to execute arbitrary SQL queries.

Source

 

Vulnerability found in Zoom conferencing app

  • Tenable researchers discovered a vulnerability, tracked as CVE-2018-15715, in the Zoom video conferencing application for Windows and macOS, which can allow attackers to seize control of presenters’ desktops, spoof chat messages and force attendees out of calls.
  • The flaw was described as being the result of insufficient message validation meaning ‘an attacker can spoof Zoom server messages to invoke restricted functionalities reserved for Zoom servers’. The flaw was patched on November 19th, 2018.

Source

 

Flaw discovered in IBM’s Db2

  • The elevation-of-privilege flaw, tracked as CVE-2018-1897, allows logged-in attackers to execute code and commands as an admin. It was found in db2pdcfg, a configuration tool used by administrators to troubleshoot performance problems with the database.
  • IBM has released patches that address this flaw.

Source

 

General News

Bitdefender researchers find evidence of cybercriminals profiting from midterm elections

  • Bitdefender discovered evidence of influence campaigns and cybercriminals using election keywords in money making scams.
  • The researchers discovered typosquatted domains registered by politically-motivated hackers used to spread misinformation, particularly in Texas. In addition, they also observed a website farm spreading propaganda from over 100 sites, used to spread political messages on social media.
  • Those motivated by money focused upon extortion campaigns using phishing emails targeting victims whose passwords were ‘Republican’, threatening them with a ‘sextortion’ scam. The criminals asked for $800 in Bitcoin for not publishing videos allegedly recorded using the victim’s webcam.

Source

 

Indian police arrest tech support scammers

  • 63 suspects accused of working and operating 26 call centers engaging in technical support scams were arrested by Indian police in a series of raids conducted over the last two months. Microsoft have stated that the raids have resulted in seizure of call scripts, voice recordings, live chats and customer records.

Source

 

FBI arrests AriseBank CEO for fraudulent cryptocurrency scheme

  • CEO Jared Rice Sr. was indicted on three counts of wire fraud and three counts of securities fraud.
  • Texas-based AriseBank falsely claimed to be insured by the Federal Deposit Insurance Corporation and to have a partnership with Visa. Moreover, the bank had not been authorized by the Texas department of Banking to conduct business.

Source

 

Checkpoint publish analysis of BackSwap banking malware

  • BacksSwap malware has previously been observed targeting banks in Poland and has since begun targeting Spain. Checkpoint have released a report on the evolution of the malware, including its versions, campaigns and techniques.

Source

 

Complaints filed against Google for covertly tracking users’ movements and violating GDPR

  • The complaints cited a study by the Norwegian Consumer Council that stated Google used ‘deceptive design and misleading information, which results in users accepting to be constantly tracked’. Google is accused of tracking users’ movements through its Location History and Web & App Activity applications.
  • The complaints were filed by consumer groups from Czech Republic, Greece, Netherlands, Norway, Poland, Slovenia and Sweden.

Source

 

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein. 

More News

  • Silobreaker Daily Cyber Digest – 07 December 2018

      Malware Over 100,000 PCs in China infected with new ransomware The ransomware, dubbed UNNAMED1989, reportedly infected over 100,000 computers in only four days....
  • Silobreaker Daily Cyber Digest – 06 December 2018

      Malware ESET report on 21 previously undocumented Linux malware families based on OpenSSH ESET’s investigation of the 21 in-the-wild malware samples revealed that...
  • Silobreaker Daily Cyber Digest – 05 December 2018

      Ongoing Campaigns Over 100,000 PCs in China infected with ransomware The “poorly written” ransomware encrypts files and steals credentials for Chinese online services...
View all News

Request a demo

Get in touch