Silobreaker Daily Cyber Digest – 31 May 2019
Compromised cryptocurrency-mining containers target exposed Docker hosts
- Trend Micro researchers observed attackers scanning for Docker hosts with exposed APIs to use them for cryptocurrency mining by deploying malicious, self-propagating Docker images. The images were found to contain Monero-mining scripts, as well as Shodan scripts that search for other suitable targets.
Source (Includes IOCs)
North Korean hackers suspected in South Korean cryptocurrency phishing attack
- According to East Security researchers, phishing emails have been sent to a number of users of the South Korean cryptocurrency exchange UPbit. The researchers suspect the North Korean hacker group Kim Soo-ki to be behind the attacks.
- A file containing a malicious payload was sent in the email, which claimed that the user’s exchange required more customer information. Once the malicious code is loaded on a device, the attacker gains access to the user’s private key and login credentials, allowing remote-control access to the UPbit exchange.
Russian group TA505 utilizes spear phishing techniques and legitimate remote access tools
- Researchers at Cyberint observed that TA505 have adapted their attack method to include the use of remote access trojans, malicious downloaders and weaponised Microsoft Office files.
- The attack begins with highly personalized phishing emails which include attachments in Microsoft Word format containing malicious macros. The malicious macros retrieve a payload from the attackers’ C2, which is followed by the installation of trojans including Remote Manipulator Systems (RMS).
- TA505 have used these TTPs to target companies in a range of sectors including retail, hospitality, food and beverage, and finance. The group have recently begun focussing on ensuring that each target receives a highly personalised attachment, a technique which is hard to achieve in large campaigns.
Magecart campaign steals 185,000 card details over past year
- Fortinet researchers analysed a Magecart campaign that stole approximately 185,000 payment card details over the last year. Although it is in decline, the campaign remains operational.
Source (Includes IOCs)
Delhi’s BJP website hacked
- The website of India’s Bharatiya Janata Party’s (BJP) Delhi unit was hacked on May 30th, 2019. Details of the party’s leadership, history and constitution were replaced with a beef menu. Hacker ‘Shadow V1P3R’ claims to be behind the attack.
- The hack was first discovered by security researcher Elliot Alderson and the website managers responded quickly by redirecting the website to the main party website.
Leaks and Breaches
LandMark White suffers second data breach
- LandMark White (LMW) revealed that PDF valuation documents and operationally related commercial documents were posted to Scribd. The company stated that they believed that the breach originated with an individual rather than as a result of a flaw in IT security.
- A previous data breach in February 2019 affected the company, and resulted in 137,500 valuation records and 1,680 supporting documents being posted online.
Lewes Board of Public Works warns customers of potential data breach
- Customers were notified on May 29th, 2019, that their information may have been compromised. The Lewes Board of Public Works was notified of the possible breach by the Department of Homeland Security.
- Compromised information potentially included customer names, credit and debit card information, and other financial information.
Data breach affects several hotels managed by the Pyramid Hotel Group
- VpnMentor researchers discovered that hotel brands managed by the Pyramid Hotel Group have suffered a data leak. 85.4 GB of security audit logs were discovered on an unprotected server, exposing monitoring and alerts, reported system errors, misconfigurations, policy violations, potential attempted malicious breaches, various cybersecurity events, and personally identifiable information of employees.
- Hotels such as the Marriott, Sheraton Plaza and Hilton Hotel have been affected, as well as others that the Pyramid Group manages in the US, Hawaii, the Caribbean, Ireland and the UK. The data had been exposed since April 19th, 2019.
Unprotected Elastic database exposes 385,000 records from Vapor Beast
- Security researcher Jeremiah Fowler discovered a publicly accessible Elastic database belonging to California-based company Vapor Beast on May 11th, 2019. The database has since been secured.
- The database contained 385,000 records including customers’ and wholesale vendors’ emails, phone numbers, orders, internal notes and more. Evidence of ransomware was also discovered inside the database; however, it is unclear whether the data has been downloaded.
McAfee Labs reports discovery of second flaw in Mr Coffee coffee maker with WeMo
- During an investigation into a flaw discovered in the Mr. Coffee coffee maker in February 2019, the McAfee Threat Research Team discovered another attack vector which they have now revisited.
- During analysis, it was discovered that it was possible to set up a server that returns a file containing the necessary Linux commands, and to host it on the local machine. When a rule containing a command injection is sent, the device reaches out to the local server and executes everything as root.
- In addition, using the technique of piping wget into Ash bypasses character filtering, making it possible to execute any command.
Apple patches four SQLite and twenty-one WebKit bugs in iTunes and iCloud
- The four SQLite flaws are CVE-2019-8577 and CVE-2019-8602, which could allow an application to gain elevated privileges; CVE-2019-8600, which could lead to arbitrary code execution; and CVE-2019-8598, which could allow an application to read restricted memory.
- CVE-2019-8607 affected WebKit and could lead to the disclosure of process memory when processing maliciously crafted web content.
- A full list of the vulnerabilities is available via Apple.
Critical flaws discovered in Process Control Systems by B&R Automation
- Researchers at Positive Technologies have discovered several flaws in APROL industrial process control systems from Austria-based B&R Industrial Automation. The flaws impact 12 components of the products, which are used by oil & gas, energy and mechanical engineering companies.
- The flaws are related to the FTP, finger, SSH, VNC, TbaseServer, LDAP server, web server, EnMon, IosHttp, AprolLoader, AprolSqlServer, and AprolCluster components.
- One of the most severe flaws could allow a remote attacker to execute arbitrary code on the APROL system. In addition, the other flaws could be leveraged to cause power outages and oil leaks. The flaws can be exploited by an attacker who has access to the targeted organisation’s network.
Cryptocurrency mixing service Bitcoin Blender shuts down
- The business shut down its operations this week, asking all users to withdraw their funds. The service has been active since 2014.
- Bitcoin Blender’s closure follows the shutting down of another cryptocurrency mixing service, Bestmixer, by authorities last week.
50% increase in exposed data in the last year
- Digital Shadows released a report revealing a 50% increase in exposed data in the last year. The exposed data is largely the result of misconfigured file storage technologies.
- The same study undertaken by Digital Shadows in 2018 showed 750 million files were exposed, in contrast to the most recent study, which has demonstrated a leap to 2.3 billion.
Administrator of Silk Road 2.0 gets reduced sentence
- An administrator of Silk Road 2.0, Blake Benthall, known by the handle Defcon, may only be prosecuted for tax crimes in exchange for cooperating with authorities.
- Silk Road 2.0 was seized by the FBI resulting from Operation Onymous, during which information was gleaned by researchers at Carnegie Mellon University’s Software Engineering Institute to deanonymize users on the Tor network.
- Benthall was charged with narcotics trafficking conspiracy, conspiracy to transfer fraudulent identification documents, conspiracy to commit computer hacking, and money laundering conspiracy, according to court records. Despite being charged similarly to Ross Ulbricht, the original founder of the first Silk Road, it seems unlikely that Benthall will face a similar life sentence.
Google targets Chrome extensions with ‘deceptive installation tactics’
- Google announced that it will begin removing browser extensions with ‘deceptive installation tactics’ from the Chrome Web Store as of July 1st.
- These ‘tactics’ include misleading interactive elements, unclear or inconspicuous disclosures on marketing collateral preceding the item listing, or adjusting the listing window with the effect of withholding or hiding extension metadata from users.
GCHQ’s ‘Ghost Proposal’ condemned by technology giants
- Apple, Google, Microsoft and WhatsApp are among the 47 signatories of an open letter written on May 22nd, 2019 to GCHQ, voicing concern over GCHQ’s proposal of ‘silently adding a law enforcement participant to a group chat or call.’
- The so-called Ghost Proposal would allow encrypted conversations to be viewed in plain text by third parties. The open letter argues this proposal would create risks and be in violation of fundamental human rights, such as privacy and freedom of expression.
NSA adviser points to responsibility of administrators in patching flaws
- Following the discovery that the NSA’s leaked exploit EternalBlue was a key component in Baltimore’s recent ransomware attack, NSA senior adviser Rob Joyce stated that a patch for the flaw EternalBlue exploits has existed for two years.
- Speaking at a CrowdStrike security conference, he said there is no ‘indefensible nation-state tool propagating ransomware’ and that network administrators are responsible for patching their systems, especially concerning critical flaws.
Untrustworthy VPN services may be intercepting US government communications
- Director of the DHS Cybersecurity and Infrastructure Security Agency Chris Krebs admitted that no overarching policy exists for federal employees regarding the downloading of VPN services on their mobile devices.
- The use of an untrusted VPN service could result in the rerouted traffic being spied on, meaning there is a ‘low to moderate risk’ of overseas VPN services intercepting US government communications.
ProtonMail accused of voluntarily aiding authorities to spy on users
- Lawyer Martin Steiger attended a presentation given by Stephen Walder, head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich. Steiger claimed that during the presentation Walder stated that Swiss-based ProtonMail had voluntarily aided law enforcement authorities who sought real-time surveillance of users.
- ProtonMail refuted Steiger’s claims and stated that they do not voluntarily cooperate with the authorities and only cooperate when faced with an order by a Swiss court or prosecutor.
Russian military transition from Windows to Astra Linux appears imminent
- On April 17th, 2019, the Russian-developed OS Astra Linux was granted security clearance by the Russian Federal Service for Technical and Export Control. Consequently, Astra Linux now holds full security clearance and can be used to handle all Russian government information.
- Moreover, Astra Linux has also been granted a certificate of conformity from the FSB and the Ministry of Defense.
Criminals move away from Tor and towards Invisible Internet Project (I2P)
- An increase in law enforcement operations and the Tor network’s vulnerability to DoS and DDoS attacks has caused criminals to consider a move to I2P.
- On May 29th, 2019, Libertas Market announced that it will abandon Tor for I2P. Users of Dream Market, Wall Street Market, Cryptonia, and the Empire Market have requested that these marketplaces also move to I2P alternatives.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.