Silobreaker Daily Cyber Digest – 31 October 2019
XHelper infects over 45 thousand devices in 6 months
- Researchers at Symantec identified a surge in reports on the malicious Android application XHelper. The application mainly targets users in India, the US, and Russia. The application, which was first identified in March 2019, was originally used for malvertising purposes; however, changes to the code have made the malware more persistent and dangerous.
- XHelper is an application component and is not listed in the device’s application launcher. The app does not have an application icon and is launched when the device connects to or disconnects from power, when an app is installed or uninstalled, or when the device is rebooted. When a user’s device is compromised, the malware communicates with the attacker’s C2, using SSL certificate pinning to prevent interception of the communication. The C2 server can download additional payloads such as clickers, rootkits, and droppers.
- The malware is currently being downloaded from an unknown source. The researchers suggested that the malware may be delivered by a different malicious system app.
Source (Includes IOCs)
New WordPress malware campaign uses HTML entities as obfuscation method
- Sucuri researchers observed a new malware campaign in which threat actors embed data URL notation within malicious injections and replace every character in their malicious script with HTML entities, which helps the injection evade detection. The malicious code loads an external script that redirects victims to push notification scam sites. Vulnerable WordPress themes and plugins are used to inject the code.
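As an added example (not code from Sucuri's write-up), the following Python scanner normalises HTML entities in a theme or plugin file and flags script tags whose source is a data: URL, the pattern described above; the injected sample is constructed here to mimic that technique and points at a placeholder .invalid host.

```python
import base64
import html
import re

# Constructed sample: a benign theme fragment followed by an injection whose
# src attribute (a base64 data: URL) is written entirely as numeric HTML
# entities. Assumed shape, modelled on the described campaign, not a real sample.
def _entity_encode(s: str) -> str:
    return "".join(f"&#{ord(c)};" for c in s)

INJECTED_SRC = "data:text/javascript;base64," + base64.b64encode(
    b"window.location='https://example-redirect.invalid/';").decode()
SAMPLE_HTML = (
    '<div class="footer">&copy; 2019 Example Theme</div>\n'
    '<script src="' + _entity_encode(INJECTED_SRC) + '"></script>\n'
)

ENTITY_RE = re.compile(r"&#(?:x[0-9a-fA-F]+|\d+);")
DATA_URL_RE = re.compile(r"""src\s*=\s*["']?\s*(data:[^"'>\s]+)""", re.IGNORECASE)

def entity_density(text: str) -> float:
    """Fraction of the input made up of numeric character references."""
    encoded = sum(len(m.group(0)) for m in ENTITY_RE.finditer(text))
    return encoded / len(text) if text else 0.0

def find_data_url_scripts(text: str) -> list:
    """Decode entities first, then return any data: URLs used as script sources."""
    decoded = html.unescape(text)
    return DATA_URL_RE.findall(decoded)

def decode_payload(data_url: str) -> str:
    """Return the script carried by a data: URL (base64 or plain) for analysis."""
    header, _, body = data_url.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(body).decode("utf-8", errors="replace")
    return body

def scan(text: str, density_threshold: float = 0.3) -> dict:
    """Flag a file if it embeds a data: script source or is mostly entity-encoded."""
    urls = find_data_url_scripts(text)
    density = entity_density(text)
    return {
        "entity_density": round(density, 2),
        "data_url_scripts": urls,
        "suspicious": bool(urls) or density > density_threshold,
    }
```

Legitimate markup rarely exceeds a few percent of numeric entities, so the density heuristic catches variants even when the decoded source is not a data: URL.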
Over 400,000 Vietnamese IP addresses targeted in APT campaign
- Vietnam’s Authority of Information Security warned of an ‘organized malware attack from foreign sources’ that infected over 400,000 IP addresses in Vietnam. According to deputy general director Nguyen Khac Lich, the attack purposely targeted the Vietnamese government and its information infrastructure.
- The malware was spread via emails containing malicious Word documents, which then loaded the information-stealing malware. The infected devices are also used as part of a botnet, which could be used for further attacks by the threat actors. The Authority of Information Security has provided removal tools on its website.
Office 365 users targeted in new phishing campaign
- McAfee Labs researchers observed a new campaign targeting Office 365 users, using fake voicemail messages to trick victims into entering their login credentials. Three different phishing kits were discovered in the attacks, which targeted several high-profile companies.
- The victims are sent an email made to look like a legitimate Microsoft ‘missed call’ message; it contains an HTML file attachment that, once loaded, redirects the victim to the phishing website. A number of different attachments are used, some of which contain an actual audio recording, making the email seem more genuine. Once redirected, the victim is prompted to enter their password to access the voice message. Their email address is pre-populated as another way of convincing the victim that the website is legitimate. Upon entering the password, the victim is redirected to the official Office login page.
- All three kits harvest email addresses, passwords, IP addresses and locations. Two of the kits, called ‘Voicemail Scmpage 2019’ and ‘Office 365 Information Hollar’, are very similar to each other. The third kit, which is the most prevalent page observed, is unbranded. It contains code from a previous malicious kit that targeted Adobe users in 2017. Researchers believe a new group has most likely reused the code.
Source (Includes IOCs)
Leaks and Breaches
NetworkSolutions[.]com, Register[.]com, and Web[.]com warn users of data breach
- Domain name registrars NetworkSolutions[.]com, Register[.]com and Web[.]com warned customers that an unauthorised third party gained access to their systems in late August 2019. The intrusion, which was not detected until October 16th, 2019, compromised users’ names, phone numbers, email addresses, and more.
- Web[.]com, which owns NetworkSolutions[.]com and Register[.]com, stated that it does not believe financial information or passwords were compromised.
Over 21 million credentials belonging to Fortune 500 companies exposed on Dark Web
- Researchers at ImmuniWeb identified over 21 million exposed credentials which belonged to Fortune 500 companies operating in a range of industries. The majority of exposed credentials belonged to technology companies, followed by financial organisations, and entities operating in the healthcare industry. Approximately 16 million credentials have been exposed in the last 12 months.
- The researchers found that 95% of the leaked credentials contained plaintext passwords that were originally unencrypted or had been cracked by the hackers after they were stolen. Password security was also found to be lax as approximately 42% of passwords related to the company name or the breached resource. The retail industry was found to contain the highest volume of weak passwords.
Bed Bath & Beyond suffers data breach
- Bed Bath & Beyond is informing its customers of a data breach that affects a small number of its online customer accounts. The company stated that an unauthorised party had gained access to customer login information. No payment data was affected. Javvad Malik of KnowBe4 stated that he believes the compromise was due to an employee recycling their corporate credentials.
Names and email addresses exposed in Ontario Science Centre data breach
- The names and email addresses of 174,000 Ontario Science Centre members, donors, and others were exposed in a data breach that took place between July 23rd and August 7th, 2019. No further information was exposed.
- The science centre was first made aware of the breach on August 16th, 2019 by Campaigner, an email marketing firm associated with j2 Global, which discovered a former employee’s credentials had been accessed by an unauthorised individual to make a copy of Ontario Science Centre’s subscriber emails and names.
Apple patches vulnerabilities in range of products including macOS Catalina
- The recent patch resolved 33 vulnerabilities in macOS Catalina, which could allow an attacker to perform a range of attacks, including stealing data, executing arbitrary code with elevated privileges, launching DoS attacks, and more.
- Patches were also released for 28 vulnerabilities in iOS and iPadOS. The patched flaws could lead to data exfiltration, memory leaks, cross-site scripting attacks, and more.
Facebook removes coordinated Russian-linked campaigns
- On October 30th, 2019, Facebook announced that it had removed three networks of accounts, Pages and Groups that targeted various countries in Africa. The first network targeted Madagascar, the Central African Republic, Mozambique, the Democratic Republic of the Congo, Côte d’Ivoire, and Cameroon. The second campaign focused on Sudan, while the third network targeted Libya. Facebook stated that the campaigns are associated with the Russian financier Yevgeniy Prigozhin.
- The campaigns published posts about local and international politics. The networks that focused on Libya and Sudan also posted information from Russian state-controlled media such as Sputnik and RT.
Emsisoft releases decryptor for Paradise ransomware
- Emsisoft’s free decryptor for Paradise ransomware allows victims to decrypt their files, even if the encryption dates back to 2017. Not all variants of Paradise can be decrypted and victims will need an encrypted and unencrypted pair of files to use the decryptor.
Two men plead guilty to hacking Uber and Lynda[.]com
- On October 30th, 2019, American Brandon Glover and Canadian Vasile Mereacre pleaded guilty to hacking Uber and the LinkedIn-owned company Lynda[.]com in 2016. The two men gained access to the companies’ GitHub accounts by using credentials that had been leaked on other sites. Once they gained access to the accounts, they searched for Amazon Web Services credentials, which they used to connect to the companies’ backends.
- The two gained access to the details of 57 million Uber customers and drivers. Following the theft, the men contacted Uber and the company paid them $100,000 in Bitcoin and made them sign a confidentiality agreement. The breach at Uber was not made public until November 2017.
- The men also attempted to extort LinkedIn; however, the company refused to pay them and chose to go public with details of the breach.
The Silobreaker Team
Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.