Silobreaker Daily Cyber Digest – 8 May 2019
ATMitch malware sample spotted in the wild
- Yoroi-Cybaze ZLab researchers detected a new ATMitch malware sample, possibly active since 2017.
- ATMitch interacts with ATM drivers to retrieve information about the current balance and to dispense money at a specified time. According to the researchers, the malware ‘may be part of an advanced attacker arsenal targeting the banking sector.’
Source (Includes IOCs)
Scammers attempted to trick YouTubers into giving up passwords
- The owner of the TeslaJoy channel on YouTube received an email pretending to be from YouTube support, stating that her channel was in violation of several YouTube policies. In order to solve the issue, the email stated that analysis was needed, which would require information, including the victim’s password.
- The scammers added the incorrect postal address at the bottom of the email and delivered the email to TeslaJoy’s public email address. These instances, among others, meant that the victim did not fall for the scam.
GandCrab ransomware targets Japanese manufacturing firm
- Cybereason researchers reported on a new campaign in which GandCrab ransomware was used to target an international company based in Japan. The researchers concluded that this campaign demonstrates how the perpetrators have combined multiple evasive techniques to achieve a successful ransomware infection.
- The last stage involves connecting to pastebin[.]com to download the final payload containing GandCrab. According to the researchers, the Pastebin URL and page content seem to be undetected by antivirus vendors.
Source (Includes IOCs)
Turla espionage group uses LightNeuron malware to target Microsoft Exchange servers
- ESET researchers investigated a sophisticated backdoor dubbed LightNeuron, used by the Turla APT group, that has been targeting Microsoft Exchange mail servers since at least 2014. Victims of this campaign include an Eastern European ministry of foreign affairs, a Middle Eastern regional diplomatic organisation and an unknown organisation in Brazil.
- LightNeuron is believed to be the first malware specifically targeting Microsoft Exchange email servers. It uses steganography to hide its commands inside a PDF file or a JPG image. It also uses a Transport Agent to achieve persistence, something that has not been observed before.
- Through their investigation, the researchers were led to believe that the perpetrators are based in Russia.
Source (Includes IOCs)
Wisconsin Bureau of Consumer Protection warns against hospital texting scam
- Individuals in southern Wisconsin have been warned against a phishing scam that involves text messages, claiming to have information on a person’s condition, that include a phishing link.
Lucy Security Simulated Phishing template allegedly used in recent phishing attack
- Upon further investigation, it was found that Lucy’s Simulated Phishing software was not involved in the attack, but the perpetrators did copy some of Lucy’s designs to use for malicious purposes.
JASK report on new cryptojacking campaign led by Outlaw threat group
- The campaign was discovered in the wild in November, 2018, after firewalls detected brute force authentication attempts on an educational institution’s network’s SSH server. Once the SSH was breached, the researchers assessed that malicious payloads were being installed and operated from.
- A malicious Perl script was identified and found to be an obfuscated version of Shellbot IRC malware, which, when run, unpacks functions and makes a connection to the attacker’s IRC server for C2. Once a connection was established, XMR-Stak is downloaded and installed on the victim’s machine to generate cryptocurrency.
- JASK attributed the attack to the Outlaw cybercrime group due to several similarities spotted between this attack and previous attacks attributed to the group. In this case the only difference in their attack infrastructure was that they added obfuscation to the Perl script.
Scammers adopt cloud services to find new victims
- Netskope researchers have identified a new technique being used by scammers to reach potential victims, in which they send links to common services such as AWS, Google Docs, Alibaba Cloud, and more.
- The researchers have observed scammers hosting tech support scams in Alibaba, AWS and Azure, ‘rotating from one object store to another, using seemingly arbitrary names’.
- Scammers were also observed abusing Google Docs to create presentations and sharing them through phishing and smishing. The presentations act as bait and hide the malicious link. Using Google Doc links also enables attackers to bypass spam filters.
Leaks and Breaches
Wyzant online tutoring platform suffers data breach
- Wyzant disclosed a data breach that led to the compromise of some users’ personally identifiable information. The breach was the result of a hacker who infiltrated Wyzant systems on April 27th, 2019.
- The breached information includes names, email addresses, and ZIP codes. The Facebook profile pictures of users who signed into Wyzant using their Facebook account were also affected. The tutoring platform believes no passwords, activity records or financial information has been compromised. It is unknown how many users were impacted.
The servers of Baltimore City Hall, Amarillo and Potter County hit by ransomware
- Baltimore City Hall servers were infected by a ransomware strain that spread to other computers on the network, including to CBS Baltimore. The attack has resulted in late water bill fees for city and county customers due to the network issues, and the City’s finance department are unable to accept cash payments.
- Potter County have `managed to get some of their computers back online, after it was impacted by an attack on April 22nd, 2019. 550 employees were forced to use paper and pencils during the shutdown. The county was reportedly hit by two separate viruses.
Kentucky library suffers ransomware attack
- Daviess County Public Library suffered a ransomware attack that encrypted information on the library’s server. No personal or financial information was affected.
Burger King children’s online shop exposes customer information
- Bob Diachenko discovered an unprotected ElasticSearch cluster that exposed 37,900 records of Kool King Shop customers. Kool King is a French online shop for children who purchase Burger King menus.
- The database held plaintext data that has been accessible online since April 24th, 2019, and includes emails, passwords, names, phones, dates of birth, voucher codes and links to externally stored certificates. Also exposed were the details of 25 Burger King administrators.
Wolters Kluwer takes down cloud services following malware infection
- The maker of cloud-based tax and accounting software suffered a malware attack that led the company to take down its customer-facing systems worldwide. No evidence of a data breach has been found.
American Baptist Homes of the Midwest suffer ransomware attack
- According to a statement by the healthcare provider, the incident affected ‘company emails and general file systems.’ An unauthorized party may have accessed individuals’ names, addresses, Social Security numbers, medical information and financial information.
Hackers steal $41 million in Bitcoin from Binance crypto exchange
- Binance stated on Tuesday that hackers managed to steal over 7,000 bitcoins, worth over $41 million. The hackers allegedly took the bitcoins from a hot wallet that stored approximately two percent of the company’s holdings.
- The hackers supposedly obtained a large number of user API keys and two-factor authentication codes, and leveraged phishing, malware and various other techniques to undertake the attack.
Cisco fixes critical flaw affecting Elastic Services Controller
- CVE-2019-1867 is present due to the improper validation of API requests, and can be exploited by an unauthenticated, remote attacker on deployments that have REST API enabled.
- A successful exploitation could result in a bypass of authentication on the REST API and the ability to run arbitrary actions with administrative privileges.
- Exploitation is possible over the network and requires no privileges or user interaction.
Vulnerability in Confluence exploited to deliver cryptocurrency miner with rootkit
- Trend Micro researchers observed threat actors exploiting a widget connector vulnerability, tracked as CVE-2019-3396, in Confluence, a popular collaboration and planning software.
- The researchers also found that the flaw is being exploited to deliver a cryptocurrency miner containing a rootkit designed to hide its activities. Kerberods trojan is used to drop the miner and its rootkit.
Source (Includes IOCs)
Critical vulnerability in TRON network could render TRON blockchain unusable
- According to HackerOne researcher Danish Shrestha, using a single computer, an attacker could consume the CPU power of the TRON network with distributed denial-of-service (DDoS) attacks.
Researcher discovers new method to track mouse movements bypassing Ad blockers
- A new method has been discovered that allows websites to track user’s mouse movements of visitors by using HTML and CSS, which can bypass tracking protections.
- Researcher Davy Wybiral did this by creating a grid of HTML DIVs that use CSS :hover selectors to request a new background image when the mouse moves over a box on the grid. Because the image requests are done in the background, the browser does not indicate that they are making a connection and therefore requests are hidden from the user.
DeepDotWeb seized by FBI for taking commissions from illegals sites
- The dark web directory DeepDotWeb has been seized and arrests have been made following allegations that affiliate commissions were generated by referring traffic to illegal sites. DeepDotWeb acted as a directory for websites running on Tor, which offered news related to the dark web, but also offered a directory to dark web sites, including marketplaces that sold illegal services and weapons.
- An operation run by the FBI, Europol and Federal law enforcement agencies from Germany, Israel, the Netherlands and Brazil culminated in members of the directory being arrested, and the website being seized.
SafeGuard Cyber releases new data on Russian social media influence
- Russia is reportedly continuing to attempt to meddle in elections, with its latest campaign involving the spread of misinformation via social media pertaining to the EU parliamentary elections at the end of May. Malicious actors including bots, trolls and hybrids are exacerbating existing tensions in relation to contentious issues in order to try and influence the public’s perception of events.
- One example found that the day that French president Emmanuel Macron published his article on the future of France, bad actor activity rose 79%, in attempts to discredit Macron’s ideas.
Ponemon Institute report major increase in IoT attacks
- According to the report, there has been a significant uptick in attacks and breaches related to IoT devices. The Institute noted that there has been a remarkable increase in the number of organisations reporting on IoT-related data breaches.
Boeing admits knowing about 737 MAX software issue a year prior to accidents
- In a newly released statement, the company admits that in 2017, ‘engineers at Boeing identified that the 737 MAX display system software did not correctly meet the AOA Disagree alert requirements.’ However, Boeing adds that the issue ‘did not adversely impact airplane safety or operation.’
- According to the CNN, preliminary investigations into the incidents suggest that faulty data from an AOA sensor triggered the aircrafts’ anti-stall software, which pitched down the nose of the airplanes, resulting in the pilots struggling for control over the aircraft.
Hacker who reported flaw in Magyar Telekom arrested
- Last year, Hungarian law enforcement arrested a 20-year-old hacker for discovering and exploiting serious vulnerabilities in the systems of the major Hungarian telecommunication company Magyar Telekom.
- The hacker discovered a serious security flaw in the website of the company, after which he reported the flaw to the company, and was invited to a meeting to discuss the possibility of testing systems in the future. The company decided to not permit him to test the systems.
- Despite this, the hacker continued to test their systems, discovering another flaw in May. The flaw could have allowed a threat actor to access all public and retail mobile and data traffic and monitor the servers of the firm. The hacker’s activities were detected, and the hacker was arrested.
Verizon releases 2019 Data Breach Investigations Report
- Some of the key findings of the report include that a quarter of all breaches in 2018 were associated with espionage. C-level executives were 12 times more likely to be the target of social incidents and 9 times more likely to be a target of social breaches.
- Verizon also observed an increase in attacks against cloud-based email servers via the use of stolen credentials and that cybercriminals are also increasingly opting for payment card web application compromises as opposed to physical terminal compromises.
The Silobreaker Team Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein