Silobreaker Daily Cyber Digest – 7 March 2019
Shade ransomware attacks increase in Q1 2019
- According to Malwarebytes Labs researchers, Shade ransomware detections rose sharply between Q4 2018 and Q1 2019. In a new blog post, the researchers detail the ransomware’s infection vector, behaviour, targeted file extensions and encryption.
Source (Includes IOCs)
Phishing campaign delivers Lime RAT
- Cofense researchers detected a new phishing campaign that delivers Lime RAT, malware that combines ransomware, cryptominer, stealer, worm and keylogger functionality.
- Lime RAT is an open source .NET framework malware suite that is also characterized by its anti-virus evasion, anti-virtual machine features, small footprint, and encrypted communications.
Outdated UPnP-enabled devices exposed to attacks
- Out of 1,648,769 results returned by the Shodan search engine for Internet-connected devices, 35% were found to be running the MiniUPnPd UPnP daemon for NAT routers, and 20% used Broadcom’s UPnP library. Many of these UPnP-enabled devices are exposed to attacks specifically designed to exploit the wide range of vulnerabilities present in their outdated software.
- Trend Micro’s Tony Yang stated that hackers are taking advantage of these poorly configured routers with the UPnP service enabled, which causes the routers to forward public ports to private devices and leaves those devices publicly accessible.
- In this instance the activity was not malicious in nature; however, there have been several instances in which threat actors and botnet operators have used UPnP vulnerabilities to abuse devices.
Fortinet produce updated report on StealthWorker campaign
- Following a report by Malwarebytes Labs on a new information stealer written in Golang, Fortinet have published an updated analysis of the recent campaign. The attacks have been observed using StealthWorker, also known as GoBrut, brute-force malware with an embedded skimmer that steals personal information and payment details.
- The report includes a detailed analysis of the connected C&C server and its C&C communication. In particular, it takes an in-depth look at the updated version of StealthWorker used in this campaign, detailing its new multi-platform functionality.
Source (Includes IOCs)
At least 27 universities worldwide targeted by APT40
- According to the Wall Street Journal, at least 27 universities worldwide have been targeted by APT40 for the purpose of stealing information related to maritime technology developed for military applications.
- Targets include the University of Hawaii, the Massachusetts Institute of Technology, and the University of Washington. Other targeted universities were located in Canada and Asia.
- The Wall Street Journal’s article follows a recent report by FireEye that provided a detailed analysis of APT40’s activities, tools and interests.
New campaign dubbed Operation Pistacchietto analysed by Cybaze-Yoroi ZLab
- A new campaign, dubbed Operation Pistacchietto, has been discovered that is composed of several types of malware targeting both desktop and mobile devices. The campaign has been assessed as Italian in origin due to the Italian words in its file names and the location of the majority of the connected C&C servers.
- Cybaze-Yoroi ZLab has assessed that the campaign has been active for years and supports the four main computing platforms: Microsoft Windows hosts, Mac OS X systems, Linux servers and Android mobile devices. The purpose of the campaign remains unclear.
Source (Includes IOCs)
Whitefly espionage group behind SingHealth breach
- Symantec researchers identified the group behind the Singapore SingHealth breach of July 2018. The group, dubbed Whitefly, is also responsible for other attacks against organizations mostly based in Singapore, with a primary interest in stealing large amounts of sensitive information.
- The researchers found that Whitefly has been active since at least 2017 and has targeted organizations from a wide range of sectors including healthcare, media, telecommunications, and engineering. Apart from Singapore, other victims were located in Southeast Asia, Russia and the UK.
- The group infects targets using a malicious .exe or .dll file disguised as a document or image. Once opened, the file loads Vcrodat, a trojan that downloads an encrypted payload which communicates with the group’s C&C server. In other cases the group was seen using the Nibatad trojan.
- Next, Whitefly maps the victim’s network and infects other computers using publicly available tools including Mimikatz or a tool that exploits a known Windows privilege escalation flaw tracked as CVE-2016-0051.
Source (Includes IOCs)
Microsoft reports on impact of Iranian hacker activity
- A report published by researchers at Microsoft states that attacks traced to Holmium, a group linked to Iran, and APT33, an Iranian group, have resulted in secrets being stolen and data being wiped from around 200 companies, affecting thousands of people over the past two years.
- In particular, the groups targeted machinery manufacturers, oil and gas companies, and international conglomerates located in Germany, Britain, India, the US and Saudi Arabia.
Leaks and Breaches
Third party vendor Wolverine Solutions Group suffer ransomware attack
- Hundreds of healthcare facilities, with over one million patients, have had their information exposed following a ransomware attack on third-party vendor Wolverine Solutions Group (WSG) in September 2018. A local paper reported that 700 companies and 1.2 million people had been affected.
- Information involved in the breach included patient names, addresses, dates of birth, social security numbers, insurance information, medical information, and more.
Database of Chinese private messages discovered online
- Victor Gevers, a security researcher at the GDI Foundation, discovered a publicly exposed database containing over 364 million records of personal identities and private messages from applications such as WeChat and QQ, including citizen ID numbers, photos, names, addresses, GPS location data and the type of device used.
- The data was found via Shodan and appears to have been exposed due to an incorrect firewall configuration. It is alleged that the data was ultimately intended for Chinese police stations in cities and provinces, but it is not clear whether it was intended for any active investigation. It primarily consists of private conversations between teenagers.
Google Chrome update patches zero-day being actively exploited in the wild
- Google have released Chrome web browser version 72.0.3626.121, warning that it includes a patch for a zero-day, tracked as CVE-2019-5786, that is being actively exploited in the wild.
- The flaw is a use-after-free issue in the browser’s FileReader API. A maliciously crafted web page can trigger it to reuse previously freed memory on a visitor’s computer via the Chrome FileReader API, allowing attackers to execute binary code, trigger a denial-of-service condition, or take over the device. Attackers are only able to run the code in the context of the browser user.
Industrial automation companies affected by vulnerabilities in WibuKey DRM
- Originally reported in December, the three serious vulnerabilities discovered in Wibu Systems’ WibuKey DRM were quickly patched with the release of version 6.50. Technical information about the flaws was made public, alongside proof-of-concept code. The associated identifiers are CVE-2018-3991, CVE-2018-3990, and CVE-2018-3989.
- WibuKey DRM is used globally, in particular by several industrial automation vendors, many of which may not have had the capability to patch their versions of software using WibuKey DRM. These include Siemens and Phoenix Contact, both based in Germany, and COPA-DATA, based in Austria. Affected firms have been urged to update the affected software as soon as possible.
Analysis published of vulnerability in Windows Deployment Services
- Researchers at Check Point have officially released in-depth details of a vulnerability discovered in Windows Deployment Services that could have allowed an attacker to hijack Windows Server installations and, from there, deploy Windows OS versions containing a backdoor.
- CVE-2018-8476, identified as a critical vulnerability, was caused by a remotely triggerable use-after-free bug within the underlying PXE server. The vulnerability was patched in November 2018.
Academics uncover booming underground market for TLS certificates on dark web
- An academic study revealed that TLS certificates are being sold individually or packaged with a wide range of malware on the dark web. Altogether these services provide cyber criminals with the means to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks and steal sensitive data.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.