Silobreaker Daily Cyber Digest – 10 October 2018



10th October 2018

Silobreaker Daily Cyber Digest – 10 October 2018

Ongoing Campaigns

Panda Banker trojan targeting North America and Japan

  • Cylance researchers spotted Panda Banker banking trojan targeting banks in the US, Canada and Japan.
  • The trojan is reportedly being delivered by Emotet, and focuses on stealing bank account, credit card and web wallet data.

Source (Includes IOCs)

URSNIF campaign uses new technique to spread malware

  • The new URSNIF campaign uses hijacked email accounts to send malware by replying to an existing email conversation with a malicious attachment. A victim may not realise what is going on, due to the continuation of a legitimate and ongoing conversation.
  • The payload itself delivers URSNIF, with its primary purpose being to exfiltrate data. This includes system information, lists of running processes, the device’s external IP address, email credentials, cookies, certificates, screen captures and financial information. It also includes some anti-analysis mechanisms that are capable of detecting if the executable is being run via a sandbox, in an attempt to hinder research into it.

Source (Includes IOCs)

Leaks and Breaches

Shopper Approved breached by Magecart Group

  • The third-party software is used by multiple online stores, subsequently putting any payment data on customer’s platforms at risk. Magecart Group did not directly impact a single store, and were instead trying to skim payment information from multiple stores at once by compromising Shopper Approved. This was done via modifying a script that provides the Shopped Approved site seal functionality on shopping websites.
  • The skimmer was active between September 15th and 17th before it was removed. It is not believed that many customers were affected, as the Shopper Approved script is not active on the majority of their customer’s checkout pages.



US Department of Defense weapons systems contain numerous vulnerabilities

  • A report by the US Government of Accountability Office (GAO) revealed that the DOD’s weapon systems under development are increasingly vulnerable to cyber threats, due to basic security issues including poor password management and unencrypted communications.
  • Test teams simulating attacks on the weapons systems found other issues such as the misconfiguration of alert systems and ineffective defense measures.
  • The vulnerability of the DOD weapon systems to cyber attack is reportedly due to the increasingly computerized nature of its weapons, as well as its failure to prioritize cyber security in the past.


Millions of cameras and DVRS manufactured by Chinese firm vulnerable to remote attacks

  • SEC Consult revealed critical vulnerabilities in products manufactured by the firm Hangzhou Xiongmai Technology Co. Ltd, a provider of security surveillance products.
  • Security vulnerabilities identified include predictable cloud IDs for the XMeye P2P Cloud feature (CVE-2018-17915), a default admin password, insecure default credentials for user default (CVE-2018-17919), multiple unencrypted communication channels (CVE-2018-1791), and unchecked firmware update integrity.


Microsoft patches critical vulnerabilities

  • 12 critical vulnerabilities were patched across Microsoft Edge, Internet Explorer, Office, Windows and Microsoft Exchange Server. These include CVE-2018-8473, a memory corruption vulnerability in Microsoft Edge that could lead to remote code execution, CVE-2018-8489, an issue in Hyper-V that could lead to remote code execution, and CVE-2018-8513, another memory corruption flaw that exists in the Chakra Scripting Engine.
  • The patch also included a fix for CVE-2018-8453, a zero-day that was being actively exploited in the wild by a Middle Eastern-based APT known as FruityArmor. Kaspersky Labs report that the group regularly exploit zero-days to escape sandboxes and execute malicious code.

Source 1 Source 2 (Includes IOCs)

Whatsapp patches vulnerability in mobile app for Android and iOS

  • The memory corruption flaw in WhatsApp’s non-WebRTC video conferencing implementation allowed hackers to potentially take over the app if users answered malicious video calls from the hackers.


KRACK attack variants disclosed

  • Discovered by Mathy Vonhoef and Frank Piessens who originally disclosed the KRACK attack, have disclosed new variants. The original KRACK attack allows an attacker to decrypt WiFi data without knowing the password. It works against WPA1 and WPA2, and the WPA-TKIP, AES-CCMP and GCMP ciphers.
  • The new variant, described as a more-practical method, does not rely upon hard-to-win race conditions, and uses a new method to carry out a man-in-the-middle attack, leveraging Channel Switch Announcements to trick clients to switch to a rogue channel, which is more reliable than jamming channels.
  • It was successfully tested on Linux, Android, iOS and macOS devices.


General News

Russian financial sector lost $49.4 million to cyber attacks between 2017 and 2018

  • Group-IB reported that Russian banks lost millions to APT groups, infection vectors and hacker tools.
  • The report identified four APT groups that pose a significant threat to the Russian financial sector: Russian-speaking Cobalt, MoneyTaker, Silence, and North Korean Lazarus Group.
  • Group-IB registered a decline in smartphone Android trojan infections, and a rise in web phishing attacks.


The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

Original links