Silobreaker Daily Cyber Digest – 31 October 2018
New CommonRansom ransomware demands admin credentials from victims
- Researcher Michael Gillespie has discovered a new ransomware, called CommonRansom, described as ‘bizarre’ because it demands the victim’s admin credentials before the affected files will be decrypted.
- After paying the 0.1 BTC ransom, the victim is instructed to enable Remote Desktop Services on the infected device and send their admin credentials to old@nuke[.]africa. Handing over remote access plus admin credentials gives the operator full control of the machine, not merely the ability to run a decryptor, so the ‘decryption’ step is itself a second compromise.
- According to Bleeping Computer, no sample has been found to date and no further information is available beyond the Bitcoin wallet address given in the ransom note.
New technique used to escape malware detection and infect millions of smartphones
- The Media Trust has reported that three global demand side platform (DSP) providers were recently targeted in a campaign in which third party code was used to deliver malware selectively. The malware, dubbed JuiceChecker-3PC, evades the ad-scanning stage by Base64-encoding its payload, and has been observed in millions of page views in the last three weeks.
- Once past scanning, the malware checks whether the user agent is mobile-specific, whether the battery level is between 20% and 76%, and whether a referrer is set. Only if all three conditions are met does JuiceChecker redirect the user to a malicious site; the checks are effectively a sandbox filter, since a desktop analysis environment that loads the ad directly typically fails all of them.
- The report states that in this instance the malware was ‘inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US.’
Symantec reports on ongoing SamSam ransomware attacks
- Symantec has reported on the persistence of attacks distributing the SamSam ransomware throughout 2018.
- According to the report, new attacks have been launched against 67 different targets, predominantly located in the US. The incidents include the attack on the city of Atlanta in March 2018 and on the Colorado Department of Transportation in February 2018.
- Other targets were located in Portugal, France, Australia, Ireland and Israel. 24% of the attacks in 2018 were focused on the healthcare sector.
New EMOTET campaign harvests email content
- Researchers from Kryptos Logic have observed a new EMOTET trojan campaign that exfiltrates victims’ email content.
- According to the report, a new EMOTET module harvests the victim’s sent and received emails from the past 180 days. The module can be pushed to any system already infected by EMOTET, but was found to work only where Microsoft Outlook is installed.
- The campaign was found to target several organizations worldwide, with a particular focus on the US. The motives behind the campaign remain unknown.
Leaks and Breaches
Millions of voter records found for sale on underground markets ahead of midterm elections
- Carbon Black have reported that they have found 20 different databases available for purchase on the dark web, with several from swing states. The voter databases emerged on Empire Market with records from 20 different states from a total of 81,534,624 voters.
- Details include voter IDs, full names, current and previous addresses, phone numbers and more. This information is enough to craft hard-to-detect scams and to commit identity fraud.
- In addition, the report states that in the run up to midterm elections, threat actors are increasing cyber attacks, exposing databases, operating influence campaigns and eroding voter confidence.
Over 600,000 log-ins belonging to UK construction firms found on the dark web
- RepKnight reports that 450,000 of the log-ins were from construction firms, 110,000 from architecture practices and just over 47,000 from property developer businesses, all in the UK.
- The leak is most likely the result of breaches of third party sites that employees had signed up to using their corporate email addresses. Where passwords are reused, these credentials could be used to access sensitive information, including corporate and client data.
Apple releases patches for vulnerabilities in core products and withdraws Watch OS update
- Apple has released security updates for several products that include iOS 12.1, Safari 12.0.1, iCloud for Windows, iTunes, watchOS 5.1, tvOS 12.1 and macOS.
- The iOS 12.1 update contains patches for four vulnerabilities in FaceTime. These include a fix for a code execution flaw, tracked as CVE-2018-4367, in which a remote attacker could initiate a FaceTime call that results in arbitrary code execution on the iOS device. The other three patches address memory corruption issues that could also lead to arbitrary code execution.
- Other updates include a patch for a kernel heap buffer overflow, identified as CVE-2018-4407, that could allow an attacker on the same network to crash unpatched macOS High Sierra or iOS 11 devices by sending them a crafted packet.
- The Watch OS 5.1 update was withdrawn following multiple reports of the update ‘bricking’ users’ Series 4 watches.
U.S. DoJ charges Chinese intelligence officers for theft of commercial aviation data
- The U.S. Department of Justice (DoJ) has released a statement regarding the charges of ten Chinese intelligence officers that have been accused of ‘repeated intrusions into private companies’ computer systems in the United States and abroad’ from at least January 2010 to May 2015.
- The perpetrators’ focus was on the underlying technology of a turbofan jet engine used in US and European commercial airliners. Other attacks targeted manufacturers of parts for the turbofan engines, including firms based in Arizona, Massachusetts, Oregon and France.
- The charged individuals were found to have worked for the Jiangsu Province Ministry of State Security (JSSD) in Nanjing, China, which has been identified as a ‘provincial foreign intelligence branch’ of China’s Ministry of State Security (MSS).
- The attackers’ methods included spear phishing, watering hole attacks, malware infections and domain hijacking.
Trend Micro report on vulnerable water and energy infrastructures
- Trend Micro have reported on the increasing challenges in securing technology related to IoT devices and critical infrastructure. Using internet scanning, they have identified several exposed and vulnerable Human Machine Interfaces (HMIs) used by small to medium businesses from all over the world.
- They also identified several vulnerable sub-sectors such as oil & gas, biogas, and power, with most exposed HMIs from the oil and gas sectors coming from the US, whilst most vulnerable biogas facilities were found in Germany, France, Italy and Greece.
- The report also details the real-world and supply chain implications of these vulnerable systems.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.