Locky ransomware variant ‘Diablo6’ distributed via VBS file archived through zip to avoid detection
> Locky Diablo6 has been distributed via spear phishing emails, and targets numerous different file types.
> Cylance reports that all Diablo6 domains are connected to Locky, and have been used to serve other kinds of ransomware.


Hacker Groups

Symantec reports on Sowbug APT targeting South American and Southeast Asian institutions
> The group appears to be carrying out espionage campaigns on foreign policy institutions and diplomatic targets. Symantec alleges that the discovery of Felismus RAT in March 2017 is the first evidence of the group’s existence.
> In early May, Sowbug reportedly exfiltrated data from one South American foreign ministry, and deployed two unknown payloads to the infected server. Symantec reports that Sowbug impersonates commonly used software packages such as Windows or Adobe Reader to appear legitimate.
> It is still unknown how Sowbug performs its initial infiltration of a target’s network. There was evidence that Felismus was installed using the Starloader trojan, but not how the trojan was first installed on the machine.

APT28 leveraged the DDE technique to deliver Seduploader via document named “IsisAttackInNewYork”
> APT28 has distributed a malicious Word document which leverages the Dynamic Data Exchange feature with PowerShell commands to execute code regardless of whether macros are enabled. The document ultimately downloaded a version of Seduploader.
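The summary above describes code execution through Word's Dynamic Data Exchange feature without macros. As an added defender-side example (not code from the original alert or from any vendor cited in it), the script below scans a .docx for field codes that invoke DDE. The field names `DDE` and `DDEAUTO` are documented Word field types that the alert itself does not name, so they are an assumption of the example; the sample document is constructed in memory, with placeholder application and topic strings rather than any real command.

```python
import html
import io
import re
import zipfile
from typing import List

# Word field codes that invoke Dynamic Data Exchange. DDE and DDEAUTO are
# documented Word field names; the alert above does not list them, so this
# is an assumption of the example rather than something the source reports.
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# One regex over the three WordprocessingML constructs that carry field
# instructions: complex-field delimiters, instruction runs, and simple fields.
TOKEN_RE = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(?P<fldchar>begin|separate|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(?P<instr>.*?)</w:instrText>'
    r'|<w:fldSimple[^>]*w:instr="(?P<simple>[^"]*)"',
    re.DOTALL,
)


def extract_field_codes(xml: str) -> List[str]:
    """Return every field instruction found in a WordprocessingML part.

    Word may split one instruction across several w:instrText runs between the
    fldChar begin/end markers, so the pieces are concatenated; a scanner that
    matches a single run at a time would miss 'DD' + 'EAUTO'."""
    codes, current, in_field = [], [], False
    for m in TOKEN_RE.finditer(xml):
        if m.group("fldchar") == "begin":
            in_field, current = True, []
        elif m.group("fldchar") == "end":
            if in_field:
                codes.append("".join(current))
            in_field, current = False, []
        elif m.group("instr") is not None and in_field:
            current.append(html.unescape(m.group("instr")))
        elif m.group("simple") is not None:
            codes.append(html.unescape(m.group("simple")))
    if in_field and current:  # unterminated field in a malformed document
        codes.append("".join(current))
    return codes


def find_dde_fields(docx_bytes: bytes) -> List[str]:
    """Scan every XML part under word/ (document body, headers, footers,
    footnotes) and return the field codes that use DDE or DDEAUTO."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", errors="replace")
                hits.extend(c for c in extract_field_codes(xml) if DDE_FIELD_RE.search(c))
    return hits


# --- constructed test fixture: a minimal .docx built in memory -------------
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
DOCUMENT_XML_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body>{body}</w:body></w:document>"
)
# A harmless complex field (DATE) that a scanner must not flag.
BENIGN_FIELD = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>7 November 2017</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
# A DDE field whose instruction is split across two runs; application and
# topic are placeholders, not a working payload.
SPLIT_DDE_FIELD = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO "placeholder-app" "placeholder-topic" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)


def build_docx(body_xml: str) -> bytes:
    """Build a minimal .docx package in memory (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("word/document.xml", DOCUMENT_XML_TEMPLATE.format(body=body_xml))
    return buf.getvalue()


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_FIELD), ("dde", BENIGN_FIELD + SPLIT_DDE_FIELD)):
        print(label, find_dde_fields(build_docx(body)))
```

Point `find_dde_fields` at bytes read from a quarantined attachment; a non-empty result is a triage signal, not proof of malice, since legitimate DDE links to spreadsheets exist, but any DDE field arriving by e-mail deserves inspection before the document is opened.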

Bronze Butler APT is distributing new Daserf backdoor variants
> Bronze Butler has been targeting several Japanese and South Korean organisations, employing the Daserf backdoor to execute commands, exfiltrate data, and take screenshots. New campaigns targeting Russian, Singaporean, and Chinese enterprises have been detected delivering a Daserf variant.
> The Daserf variant uses steganography to conduct second-stage C&C communication, and retrieve a backdoor. Steganography also enables the backdoor to bypass firewalls.
> Trend Micro reports that Bronze Butler uses a variety of techniques to infect a victim, notably spear phishing emails and watering hole attacks. The security firm also reports on the APT leveraging CVE-2016-7836.


Leaks and breaches

Scottish charity website leaks sensitive data of rape victims, volunteers and more
> The Scottish Appropriate Adult Network’s (SAAN) website has leaked names, phone numbers and IP addresses of approximately fifty people. Those affected by the breach include rape victims, individuals with mental illnesses, volunteers and more.
> It is still unclear what caused the leak, and how long the site has been leaking information. The charity was reportedly contacted about the breach last year but failed to act after messages were not delivered because of an “error with the site”. SAAN shut down the site after being alerted by the Scottish newspaper.



New code injection technique PROPagate exploits legitimate Windows GUI management APIs
> A Hexacorn researcher developed a PoC which abused applications that use Windows GUI controls and popular GUI frameworks to inject malicious code inside other applications. These include Windows Explorer and Total Commander.
> The technique, named PROPagate, works on both Windows 10 and Windows XP, and the author reported that carrying out the attack requires prior access to the targeted system.

USB drivers in Linux Kernel rife with security flaws
> Andrey Konovalov discovered 14 vulnerabilities in the Linux Kernel USB subsystem. These are part of a larger list of 79 flaws that Konovalov has found in the Linux Kernel USB drivers over the past months.
> Most vulnerabilities are DoS bugs that freeze or restart the OS. Some also allow attackers to elevate privileges and execute untrusted and malicious code.

Vulnerability in Brother printers can be abused to cause a DoS on the device
> The issue affects all Brother printers with the Debut embedded webserver. If the printer is internet accessible, the bug can be exploited with a single malformed HTTP POST request.

Unknown user triggers bug in source code of Parity Ethereum wallet, freezing $285 million
> The bug, discovered and accidentally triggered by an unknown user, only affected Parity multi-signature wallets that require signatures from multiple users before moving funds to new accounts.
> Parity reports that the flaw resides in a previous patch that was released in July to fix a bug that was exploited by hackers. The flaw allows attackers to ‘turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it by calling the initWallet function.’
> A Pastebin post circulated online lists 71 of the affected accounts, holding nearly $285 million in funds.


General News

Amazon updates AWS dashboard following a number of leaks due to misconfigured S3 servers
> Amazon added a warning to the AWS dashboard to let admins know whether their buckets are publicly accessible.
> The decision is due to a series of leaks after S3 buckets were left exposed online. Notably those affected included Booz Allen Hamilton, Verizon, and Dow Jones.
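The dashboard warning mentioned above answers one question: is this bucket reachable by everyone? As an added example (not Amazon's code, nor part of the original alert), the script below performs the same check from the outside, over the bucket ACL and bucket policy as returned by the S3 GetBucketAcl and GetBucketPolicy calls. The two group URIs are AWS's real identifiers for "everyone" and "any AWS account"; the `FakeS3` client and its buckets are constructed so the audit runs offline, and a real boto3 client can be passed to `audit_buckets` in its place.

```python
import json
from typing import Any, Dict, List

# AWS group grantees that make an ACL grant public. These URIs are real AWS
# identifiers; everything else in this example is constructed.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return one finding per ACL grant that reaches a public group.
    `acl` has the shape boto3's get_bucket_acl returns (Owner + Grants)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant.get('Permission')} granted to {group}")
    return findings


def _principal_is_everyone(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Return the Sid (or index) of each Allow statement open to any principal
    with no Condition. This is a heuristic: a conditioned statement can still
    be public, and AWS's own public-access evaluation covers more cases."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement object
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if (st.get("Effect") == "Allow"
                and _principal_is_everyone(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid") or f"statement[{i}]")
    return findings


def audit_buckets(s3) -> Dict[str, List[str]]:
    """Run both checks over every bucket visible to `s3`, a boto3 S3 client or
    any object exposing list_buckets/get_bucket_acl/get_bucket_policy.
    Returns {bucket: findings} for buckets with at least one finding."""
    report: Dict[str, List[str]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        findings = public_acl_grants(s3.get_bucket_acl(Bucket=name))
        try:
            policy = s3.get_bucket_policy(Bucket=name)["Policy"]
            findings += [f"policy {sid}" for sid in public_policy_statements(policy)]
        except Exception as exc:  # boto3 raises ClientError(NoSuchBucketPolicy) when unset
            if "NoSuchBucketPolicy" not in str(exc):
                raise
        if findings:
            report[name] = findings
    return report


class FakeS3:
    """Constructed stand-in for a boto3 S3 client so the audit runs offline."""

    def __init__(self, buckets: Dict[str, Dict[str, Any]]):
        self._buckets = buckets  # name -> {"acl": ..., "policy": json string or None}

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._buckets]}

    def get_bucket_acl(self, Bucket):
        return self._buckets[Bucket]["acl"]

    def get_bucket_policy(self, Bucket):
        policy = self._buckets[Bucket]["policy"]
        if policy is None:
            raise RuntimeError("An error occurred (NoSuchBucketPolicy) when calling GetBucketPolicy")
        return {"Policy": policy}


OWNER = {"ID": "constructed-owner-id"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = {  # constructed sample data
    "private-logs": {"acl": {"Owner": OWNER, "Grants": [OWNER_GRANT]}, "policy": None},
    "leaky-assets": {
        "acl": {"Owner": OWNER, "Grants": [
            OWNER_GRANT,
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::leaky-assets/*"}]}),
    },
}


def sample_report() -> Dict[str, List[str]]:
    return audit_buckets(FakeS3(SAMPLE_BUCKETS))


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

Against a real account, `audit_buckets(boto3.client("s3"))` needs only s3:ListAllMyBuckets, s3:GetBucketAcl and s3:GetBucketPolicy; a finding of `READ granted to AllUsers` is exactly the condition behind the leaks listed above.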

Popular 104-key Mantistek GK2 gaming keyboard includes built-in keylogger
> Gamers discovered that the popular mechanical gaming keyboard includes a component that silently records keypresses, subsequently sending them to a Chinese server maintained by Alibaba Group.
> Tom’s Hardware notes that the keyboard’s Cloud Driver only logs how many times each key is pressed, further alleging that the keyboard maker may use the data only to gauge the lifetime of its keyboard’s keys.

German Twitter users bypass 140-character limit, posting 30,000-character tweet
> The users exploited a 2016 Twitter rule that links no longer count toward the 140-character limit by formatting the message as a URL. Twitter removed the posts and suspended both users’ accounts.
> As of today, Twitter has officially raised the 140-character limit to 280 characters.


The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Silobreaker Daily Cyber Alert
