Silobreaker Daily Cyber Digest – 4 January 2019
F-Secure report on updates to NRSMiner
- F-Secure have reported that from mid-November 2018 they observed a new version of the NRSMiner cryptominer using the EternalBlue exploit to infect vulnerable systems, predominantly located in Vietnam.
- NRSMiner is capable of downloading a cryptocurrency miner and updated modules, as well as deleting files and services installed by its previous versions.
- F-Secure’s report includes a full analysis of the new version of NRSMiner.
Spyware discovered disguised as Google Play Android apps
- Trend Micro researchers spotted the spyware, detected as ANDROIDOS_MOBSTSPY, disguised as Android apps in order to gather data from users.
- MobSTSPY is hidden by apps including Flappy Birr Dog, FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird.
- The spyware steals information such as user location, SMS messages, call logs and clipboard items.
PewDiePie hacker terminates activities amid fears of FBI investigation
- The hacker known as TheHackerGiraffe has been hijacking Internet-connected printers and Chromecast devices to promote the YouTuber PewDiePie.
- In a live Periscope recording, the hacker announced he won’t be conducting any more hacks after receiving a series of death threats and messages claiming the FBI is building a case against him.
New phishing technique avoids detection using custom web fonts
- Proofpoint researchers spotted a phishing kit used in a credential harvesting scheme that was using customized web fonts to escape detection.
- The phishing scheme uses customised web fonts to implement a substitution cipher via CSS: the letters of the alphabet are swapped around so that the intended text is still rendered in the browser, while only scrambled text appears in the page source. This bypasses automated phishing detection, allowing the attacker to render phishing pages that steal credentials from customers of a major US retail bank.
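The detection gap described above is that scanners read the page source while the victim reads what the font renders. One defensive heuristic, written here as an added example rather than anything from the Proofpoint report, is to flag pages that embed a font inline as a data: URI while their visible source text contains almost no ordinary words. The two sample pages, the small word list and the 0.3 threshold are all constructed for illustration.

```python
import html
import re

# Constructed sample pages for illustration (not from the Proofpoint report).
# The first embeds a custom font as a data: URI and its source text is scrambled
# in the way a substitution-cipher font would leave it; the second is an ordinary
# login page that loads a hosted font by URL.
SUSPECT_PAGE = """<html><head><style>
@font-face { font-family: 'x1'; src: url(data:font/woff;base64,AAEAAAAKAIAAAwAgT1MvMg==); }
body { font-family: 'x1', sans-serif; }
</style></head><body>
<form action="/post"><p>Hmro om ql eljy qzzljok</p>
<input type="text" name="u"><input type="password" name="p"></form>
</body></html>"""

BENIGN_PAGE = """<html><head><style>
@font-face { font-family: 'Open Sans'; src: url(https://fonts.example.com/open-sans.woff2); }
body { font-family: 'Open Sans', sans-serif; }
</style></head><body>
<form action="/login"><p>Sign in to your online banking account</p>
<input type="text" name="u"><input type="password" name="p"></form>
</body></html>"""

# Small constructed vocabulary of words found on almost every genuine login page;
# a production detector would use a real dictionary or language model instead.
COMMON_WORDS = {
    "sign", "in", "to", "your", "online", "banking", "account", "log", "login",
    "password", "email", "user", "username", "enter", "please", "the", "and",
    "welcome", "continue", "secure", "verify", "bank", "id", "remember", "me",
}

DATA_FONT_RE = re.compile(r"@font-face\s*\{[^}]*url\(\s*['\"]?data:", re.I | re.S)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)


def embedded_font_count(page):
    """Number of @font-face rules whose font file is inlined as a data: URI."""
    return len(DATA_FONT_RE.findall(page))


def visible_words(page):
    """Lower-cased alphabetic tokens from the page text, ignoring markup, CSS and scripts."""
    text = re.sub(r"<(style|script)\b.*?</\1>", " ", page, flags=re.I | re.S)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.findall(r"[a-z]+", html.unescape(text).lower())


def readable_ratio(words):
    """Fraction of tokens that are ordinary words; scrambled source text scores near 0."""
    if not words:
        return 0.0
    return sum(w in COMMON_WORDS for w in words) / len(words)


def assess(page, threshold=0.3):
    """Flag a page when an embedded font is present and the source text is unreadable,
    i.e. the text the user sees is being produced by the font rather than by the HTML."""
    words = visible_words(page)
    ratio = readable_ratio(words)
    fonts = embedded_font_count(page)
    return {
        "embedded_fonts": fonts,
        "readable_ratio": round(ratio, 2),
        "asks_password": bool(PASSWORD_INPUT_RE.search(page)),
        "suspicious": fonts > 0 and ratio < threshold,
    }


if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, assess(page))
```

The `asks_password` field is reported separately so a triage rule can weight a credential form higher than a page that merely uses an unusual font; legitimate sites do inline fonts, so the readable-text ratio, not the font alone, is what carries the signal.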
New advanced Apple phone-based phishing scam
- The scam begins with an automated call that displays the Apple logo, address and real phone number, and warns the recipient of a data breach at the company. If the recipient is an iPhone user and requests a call back from Apple’s legitimate customer support, the fake call will be indexed in the ‘recent calls’ list as a call from Apple’s legitimate support line.
- The scam suggests that Apple’s own devices are unable to differentiate between a call from Apple and an attempt to imitate the company. Krebs on Security assessed that the scam is likely to be an attempt to extract payments from victims.
TheDarkOverlord releases teaser for alleged 9/11 lawsuit documents
- In a Pastebin post from Wednesday, January 2nd, 2019, TheDarkOverlord announced that they had released ‘a teaser’s worth of documents to verify [their] claims’. This is an update on the group’s announcement from December 30th, claiming they possess documents related to 9/11 insurance cases.
- TheDarkOverlord stated that their motivation for releasing the files is financial and that they will disclose all the information once they are ‘paid in full’. As of Thursday, 3rd January, the threat actor’s Bitcoin wallet had received three payments.
Leaks and Breaches
German politicians’ personal data hacked and put online
- Hackers stole data from members of all major German political parties, barring the far-right AfD party, and posted it online.
- Data exposed includes addresses, letters, and identity card copies.
Abine Blur leak update
- Following reports on the exposure of registered account details belonging to Abine Blur, it has been confirmed that data relating to over 2.4 million users of the password manager has been leaked as a result of an exposed Amazon S3 storage file.
- The exposure was discovered on December 13th, 2018, and it is unclear how long the data was exposed for.
Dublin tram service Luas hacked
- Luas, the Dublin-based tram provider, reported that its website was hacked after a message was posted on the site demanding a payment of one Bitcoin. The hacker reportedly breached the website after Luas failed to address security issues that the attacker had previously reported to the company.
- The website has been temporarily removed and does not interact with other sites that hold sensitive customer information.
Data breach affects Alaska Department of Revenue Permanent Fund Dividend web application
- The online application went offline due to a data breach that may have compromised some applicants’ personal information.
- The Department was notified of the incident through reports from customers who were able to access other applicants’ information via the platform. The exposed information includes birthdates, contact information, bank account information and Social Security numbers. It remains unknown how many individuals were affected by the breach.
Adobe patches two critical vulnerabilities in Adobe Acrobat and Reader
- The first vulnerability, tracked as CVE-2018-16011, is a use-after-free flaw that could permit arbitrary code execution. Attackers could exploit the flaw to execute commands, such as downloading malware, on the victim’s computer.
- The second vulnerability, tracked as CVE-2018-19725, is a security bypass flaw that could allow attackers to execute code at a higher privilege.
Photos fool facial recognition on smartphones
- A study by the Netherlands’ Consumers Association revealed that 42 of the 110 smartphones tested could be unlocked using only a high-quality photo of the phone’s owner. The devices that failed the test include models produced by Alcatel, Asus, Blackberry, Huawei, LG, Motorola, Nokia, Samsung, Sony and Xiaomi.
SentinelOne describe how malware is able to bypass Apple’s Gatekeeper technology
- In their blog post, SentinelOne detail how Gatekeeper is invoked only in some cases, such as when software is downloaded via apps like Safari, Mail or Messages.
- According to the researchers, the most common way unsuspecting users infect their macOS devices with malware is by running a trojan installer masquerading as an installer for a legitimate application; the most popular fake installer is for Flash Player. Devices can also be infected when attackers gain entry to the system via SSH or remote login. To support their findings, the researchers provide the recent example of WindTail OSX.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.