Silobreaker Daily Cyber Digest – 30 October 2019
Researchers discover new ransomware
- Qihoo 360 Technology researchers discovered new ransomware, dubbed CCryptor, which is spread via phishing emails and exploits the known Microsoft Office vulnerability CVE-2017-11882.
- The malware is written in C# and encrypts files in 362 different formats using RSA+AES256 encryption. The researchers note that the use of strong RSA+AES256 encryption and the fact that the files are deleted within 10 days makes decryption extremely difficult.
Source (Includes IOCs)
New Adwind jRAT variant uses Java commands to hide activity
- Researchers at Menlo Security discovered a new variant of Adwind jRAT that is capable of bypassing security solutions by acting like a normal Java command. The new variant targets Windows devices, popular Windows applications, such as Explorer and Outlook, as well as Chromium-based browsers.
- The variant is spread as a JAR file via phishing emails or downloaded from a site with insecure third-party content, in particular outdated and illegitimate WordPress sites. The JAR file is obfuscated, making static signature-based detection ineffective, and allowing it to initialize the RAT with its C2 undetected.
New techniques observed in sextortion scam targeting French individuals
- Sucuri researchers discovered a new approach being used in sextortion scams that does not rely on typically used emails. Instead, threat actors use compromised websites, made to look like that of the French national police, which contain payment phishing forms. The sites contain a message stating that the victim’s device has been blocked due to downloading and distributing illegal content and that a fine needs to be paid to unblock it.
- Once a victim loads the scam website, full screen mode is triggered and several browser function hotkeys are disabled. The scam website is made to look like a replica of a Windows desktop with an open browser window, tricking the victim into thinking their device is actually blocked. The payment form does not charge a victim’s card, but rather steals credit card information, which is then sent to an email address controlled by the scammer.
Hackers target Indian nuclear power plant
- Pukhraj Singh, a former analyst at India’s National Technical Research Organization (NTRO), linked a Dtrack malware report on VirusTotal to an attack on India’s Kudankulam nuclear power plant. Dtrack malware has previously been associated with North Korea’s Lazarus Group. Ars Technica stated that the attack would have targeted research and technical data, rather than the plant’s reactor controls.
- Officials at the plant initially denied the attack; however, it was later confirmed as genuine by the Nuclear Power Corporation of India (NPCIL). The NPCIL stated that the attack affected a device that was isolated from the plant’s critical internal network.
Malicious spam campaign delivers Maze ransomware to Italian users
- Security researcher JAMESWT reported a spam campaign that distributed emails which purport to come from the Italian Revenue Agency. Users who attempt to open an attached Microsoft Word document are told to ‘Enable Content’ in order to properly view the file.
- Users who ‘Enable Content’ will inadvertently download and execute Maze ransomware. The malware will encrypt files on a target device and display a ransom note as wallpaper on the infected machine. At present there is no decryption key available for the ransomware.
Source (Includes IOCs)
Neshta file infector continues to pose threat to a range of organisations
- Researchers at Blackberry Cylance reported that Neshta malware, first discovered in 2003, continues to infect targets. In 2018, the malware infected organisations in the manufacturing industry, financial sector, energy sector, and more.
- Neshta infects victims’ devices through other malware or by unintentional downloading. It infects Windows executable files and can achieve persistence by modifying the registry. Neshta collects system information and returns the data to the attacker’s C2 via POST requests.
Source (Includes IOCs)
Leaks and Breaches
Personal details of nearly 2.5 million Colombians exposed online
- ESET researchers discovered a misconfigured ElasticSearch database that exposed personal details, including names, email addresses, phone numbers, and more, of nearly 2.5 million Colombian citizens. The database has since been secured. The researchers did not identify the owners of the database, only stating it was difficult to track down the responsible party.
Prisma Health patient data exposed in data breach
- Prisma Health is informing affected patients and volunteers of a data breach, first discovered on August 29th, 2019, that exposed personal information. The breach was due to compromised login credentials of an employee’s account. It is unclear how many patients and volunteers were affected.
- The breached data includes information given on patient pre-registration and volunteer registration forms that had been completed on the Palmetto Health website. This includes names, addresses, dates of birth, Social Security numbers, as well as some health and insurance information. No medical records were exposed.
MikroTik routers vulnerable to backdoor creation
- Tenable researchers discovered four vulnerabilities in MikroTik’s RouterOS that could be chained to gain backdoor access. An unauthenticated remote attacker could engage in DNS cache poisoning, perform a RouterOS downgrade, reset system passwords, and then potentially gain a root shell.
- The vulnerabilities are tracked as CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, and CVE-2019-3979. A patch was released with version 6.45.7.
Flaw in Europe’s electronic ID system allows impersonation of EU citizens
- Researchers at SEC Consult discovered vulnerabilities in the electronic IDentification, Authentication, and trust Services (eIDAS) used by EU member states. The eIDAS is used by citizens, governments, and businesses in one country to access services in another member country.
- The flaws relate to an issue in the eIDAS code, which fails to correctly handle cryptographic certificates passed during the eIDAS-Node communication process. This could allow a malicious actor to impersonate a stranger by faking security certificates.
Rittal Cooling System contains critical vulnerabilities
- Researchers at Applied Risk discovered two critical authentication related vulnerabilities, tracked as CVE-2019-13549 and CVE-2019-13553, in the Rittal SK 3232-series chiller. The vulnerabilities can be exploited by an attacker to alter temperature settings on units or to turn units on and off.
- The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that vulnerable units are used in various sectors worldwide, including IT, energy, critical manufacturing, and more.
NSO Group sued by Facebook over alleged WhatsApp hack
- WhatsApp owner Facebook accused the NSO Group of developing a WhatsApp exploit which allowed them to install spyware on approximately 1,400 devices. The zero-day, which was found in May 2019, was allegedly used to target human rights activists, journalists, and other members of civil society. The company is seeking to prevent NSO from using Facebook and WhatsApp services.
- Facebook claims ‘that the attackers used servers and internet-hosting services that were previously associated with NSO’. Additionally, the lawsuit states that the company associated certain WhatsApp accounts used in the attacks with NSO.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.