Silobreaker Daily Cyber Digest – 9 May 2019
New Dharma ransomware samples use an AV tool to distract users from malicious activity
- Trend Micro researchers detected new samples of Dharma ransomware that use a software installation to help hide their malicious activity.
- The samples are distributed via spam emails that lure victims into downloading a file. Once the victim clicks the download link, the malicious file is dropped along with an old version of ESET AV Remover, whose installation diverts attention from the malware encrypting files in the background.
Source (Includes IOCs)
Over 100 e-commerce sites globally infected with skimmers
- The domain generates a 403 error to browsers that try to visit it, however, a number of URLs were found to host code created to extract names, numbers, expiration dates and CVVs of payment cards used to make purchases.
- Malwarebytes researcher Jérôme Segura stated that the campaign isn’t new as the domain ‘has been around for several months’ and allegedly targeted 203 sites in total. Netlab researchers found evidence of it stealing credit card information over the last five months.
Two new leaks expose Iranian cyber espionage operations
- One of the leaks claims to consist of operational data from MuddyWater group and is being sold via two different Telegram channels and two different dark web portals. The leak contains images displaying source code of a C2 server used by the group as well as images of MuddyWater’s C2 server backends with unredacted IP addresses of some of their victims.
- The other leaked data was published on a public website as well as on a Telegram channel. The data appeared to contain documents associated with the Iranian Ministry of Intelligence and described the Rana Institute – a contractor hired for cyber espionage operations.
- The Rana leak involved personal details of some of the Institute’s members and information on past campaigns, which involved attacks on airlines, travel booking sites, insurance, IT and telecom firms, and government agencies worldwide. Rana hackers were also found to have developed malware aimed at SCADA industrial control systems.
- This incident follows a previous leak, in April, in which Lab Dookhtegan hackers published the source code of several malware samples associated with APT34.
Accountancy SaaS CCH takes service offline after discovering malware infection
- The global SaaS platform, owned by the Netherlands-based Wolters Kluwer, has re-launched some applications and platforms online; however, multiple services remain offline as a precaution after irregularities were observed on 6 May 2019.
- A report from Accounting Today confirmed that the outage was the result of unspecified malware that had infiltrated the network. There is no indication yet that customer data has been accessed through the malware.
UC Browser users exposed to phishing attack
- Researcher Arif Khan has discovered a flaw in the widely used UC Browser and UC Browser Mini Android apps.
- The flaw could allow attackers to change the URL displayed in the browser’s address bar, tricking users into believing they are on a trusted site. The flaw stems from flawed regular-expression checks used by some mobile browsers.
Private data of 30,000 Italian lawyers made public by LulZSec and Anonymous Ita
- Sensitive data belonging to 30,000 Roman lawyers has been leaked online, including that of Rome’s Mayor Virginia Raggi, and of lawyers registered with the Orders of Matera and Catanzaro. Exposed data includes emails, personal information and records of access to certified email accounts.
- The data leak is the result of a hack undertaken by LulZSec and Anonymous Ita against the Italian Ministry of the Environment. The groups published links to the data via Twitter.
Leaks and Breaches
RobbinHood ransomware used in Baltimore City government attack
- Following reports of a cyber-attack on Baltimore City government, a spokesperson confirmed that the networks were attacked by RobbinHood ransomware. The FBI reportedly identified the strain as a ‘fairly new variant’ of the malware.
- The malware was reverse engineered and analysed, and found to only target files on a single system and not spread through network shares. Security researcher Vitali Kremez stated that the malware ‘is believed to be spread directly to the individual machines via psexec and/or domain controller compromise’.
Over 275 million records exposed by unsecured MongoDB database
- Security researcher Bob Diachenko discovered a total of 275,265,298 records, belonging to Indian citizens, in an unprotected MongoDB database that was left accessible online for over two weeks. The database contained names, genders, dates of birth, emails, phone numbers, details of education, professional information, and more.
- The names of the data collections reportedly suggest that the cache was collected as part of a large scraping operation. The owner of the database has not yet been identified.
Canada’s Freedom Mobile database exposes customer information
- Noam Rotem and Ran Locar from vpnMentor discovered an open Elasticsearch database on April 17, 2019 containing 5 million records related to 1.5 million Freedom Mobile customers. Freedom Mobile has stated that the number of affected customers was much lower, at 15,000, and has closed access to the database.
- The database contained files with email addresses, home and mobile phone numbers, home addresses, dates of birth, customer types, IP addresses connected to payment methods, encrypted credit card and CVV numbers, account numbers, and more. Some files included information on credit scores, credit class, and credit card accounts.
Vulnerability in Jenkins exploited to deliver Kerberods malware
- According to researchers at the SANS Institute Internet Storm Center, attackers have been exploiting CVE-2018-1000861 to deliver Kerberods malware that deploys a Monero cryptocurrency miner and searches for other victims on the internet and local network.
- The vulnerability affects the Stapler HTTP request handling engine, used by the Jenkins open source software development automation server. It was discovered in late 2018.
Google Android security update addresses 15 flaws
- The new Android Security Bulletin for May 2019 includes a patch for four critical remote code execution (RCE) flaws. In total, the security update addresses 15 vulnerabilities.
- Three of the flaws, CVE-2019-2045, CVE-2019-2046 and CVE-2019-2047, exist in the System portion of the Android platform architecture responsible for core apps such as the dialler, email and camera. The fourth RCE flaw, CVE-2019-2044, exists in the Android OS Media framework.
Flaw in Alpine Linux Docker images leaves root account unlocked
- The official Alpine Linux Docker images contain a NULL (empty) password for the root user. The flaw, tracked as CVE-2019-5021, exists due to a regression introduced in December 2015.
- Systems deployed using the affected versions of the Alpine Linux container that use Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.
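The shadow-file condition described above is straightforward to audit. The following script is an added example, not code from the digest or from the Alpine project: it parses entries in /etc/shadow format, reports any account whose password field is empty (the state that lets PAM accept a NULL password), distinguishes that from a locked account (field beginning with `!` or `*`), and produces a remediated copy in which such accounts are locked. The sample shadow contents are constructed to mirror the situation the digest describes; the hash value shown is a placeholder, not a real hash.

```python
"""Audit shadow-format entries for accounts that would accept an empty password.

Added example (not part of the digest or of the Alpine project's own code).
The SAMPLE_SHADOW text is constructed; the $6$ entry is a placeholder hash.
"""

# Constructed sample: root has an empty password field, as in the affected
# Alpine images; bin/daemon are locked; app has a (placeholder) hash set.
SAMPLE_SHADOW = """\
root::0:::::
bin:!::0:::::
daemon:!::0:::::
app:$6$placeholder$placeholderhash:18000:0:99999:7:::
"""

LOCKED_PREFIXES = ("!", "*")


def parse_shadow(text):
    """Return a list of (name, password_field) tuples from shadow-format text.

    Blank lines and comment lines are skipped; malformed lines raise ValueError
    so a corrupted file is not silently reported as clean.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed shadow entry on line %d" % lineno)
        entries.append((fields[0], fields[1]))
    return entries


def classify(password_field):
    """Classify a shadow password field.

    EMPTY  - no hash at all: PAM-based authentication may accept any password
    LOCKED - field starts with '!' or '*': login with a password is disabled
    SET    - a password hash is present
    """
    if password_field == "":
        return "EMPTY"
    if password_field.startswith(LOCKED_PREFIXES):
        return "LOCKED"
    return "SET"


def find_empty_password_accounts(text):
    """Names of all accounts whose password field is empty."""
    return [name for name, field in parse_shadow(text)
            if classify(field) == "EMPTY"]


def lock_empty_accounts(text):
    """Return a copy of the shadow text with every empty password field
    replaced by '!', which is the conventional 'locked' marker."""
    fixed = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 2 and fields[1] == "":
                fields[1] = "!"
            line = ":".join(fields)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    empty = find_empty_password_accounts(SAMPLE_SHADOW)
    print("accounts accepting an empty password:", empty)
    print("remediated shadow contents:")
    print(lock_empty_accounts(SAMPLE_SHADOW), end="")
```

To use it against a real image, export the file from a throwaway container (for example `docker run --rm <image> cat /etc/shadow`) and feed the text to `find_empty_password_accounts`. As the digest notes, the empty field is only exploitable where a service in the container authenticates against the shadow file via PAM or a similar mechanism, so a clean result from this check is necessary but the presence of such a service decides whether the finding is reachable.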
Debate over whether a cryptographic flaw in a new Russian-made algorithm was intentional
- ISO experts recently discussed Russia’s new encryption algorithm at an International Organization for Standardization (ISO) working group meeting, after they discovered that it contained a flaw that could undermine the security of the data it encrypts.
- The debated component of this algorithm is the so-called ‘S-Box’, which is also shared by the two Russian-made algorithms Streebog and Kuznyechik. The experts requested six months to determine the exact security implications of the flaw.
- Whilst Russian cryptographers claimed that this flaw was a coincidence, some experts believe it to have been intentional. The current risks of the flaw are not yet known. Potential risks include the ability for third parties to access encrypted material.
New report finds Microsoft, PayPal and Netflix as most impersonated brands in Q1 2019
- The report, published by Vade Secure, details the 25 most impersonated brands in phishing attacks during Q1 2019. Apart from Microsoft, PayPal and Netflix, other top impersonated brands include Facebook, Bank of America, Crédit Agricole, DHL and Apple.
- Vade Secure experts also noted that cloud services continue to account for the largest share of phishing URLs, followed by financial services. They also detected a surge in phishing on Facebook and Instagram.
F-Secure report on spam trends over the last 3 months
- According to F-Secure researchers, spam campaigns have been using ZIP files to send out GandCrab ransomware, and DOC and XLSM files to distribute the Trickbot banking trojan.
- The researchers also detected a large campaign targeting American Express, using PDF file attachments. A new trend of disc image files, ISO and IMG, being used to distribute malware such as AgentTesla or NanoCore RAT was also observed.
Source (Includes IOCs)
Siblings pursued over Crypto Ponzi scheme
- Self-styled ‘CryptoQueen’ and founder of the OneCoin cryptocurrency Ruja Ignatova, and her brother Konstantin Ignatov, are being sued in a New York federal court by investor Christine Grablis, following accusations that the pair ran a “$4bn ponzi scheme” for a coin offering that reportedly never existed.
- Federal prosecutors have previously arrested Konstantin on charges of wire fraud related to OneCoin and are seeking Ruja on charges of wire fraud, securities fraud and money laundering.
- FBI’s Assistant Director-in-Charge William Sweeney stated “OneCoin was a cryptocurrency existing only in the minds of its creators and their co-conspirators.”
FIN7 remains operational
- Researchers at Kaspersky Lab’s Global Research and Analysis Team have spotted TTPs similar to those used by the FIN7 cybercrime ring between 2015 and 2018.
- The TTPs center on spear phishing attacks and the use of malware to target unpatched systems in corporate environments for financial gain.
- This recent research shows that the group has not been impacted by the arrest of several key members in 2018.
Spam attack targets Romanian energy providers
- Researchers from FortiGuard SE have discovered a malicious spam campaign directed against Romanian critical infrastructure energy providers.
- Recipients of emails sent from “BEN GASTRA” are encouraged to click on a link to confirm receipt of an unknown payment. When clicked, the link delivers a combination of the FormBook infostealer and Fareit/Pony to compromise the user’s system.
- At present there is no information as to the origins of the attack.
Online scammers profit from holidaymakers
- The UK Action Fraud service reported that in 2018 it was contacted about losses totalling over £7m.
- Over 50% of cases related to those booking flights while a further 25% of cases were linked to those who were purchasing rental accommodation.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.