Malware
Nymaim malware dropper gets upgraded
The Nymaim [1] malware dropper has received an upgrade that includes better obfuscation techniques and blacklisting against anti-virus software. The malware has been operating since 2013, but this year saw a 63% rise in attacks - possibly as a result of these new techniques. One strain of Nymaim analysed by Verint was distributed via a macro in infected Word documents. More information. [2]
Leaks and Breaches
Shadow Brokers leak list of systems hacked by NSA
The Shadow Brokers group [3] have dumped a massive list of servers that have been compromised by the NSA [4]. The list mainly contains mail and university servers based in the ASIAPAC region, and date stamps suggest they were compromised around 2001-2003. The true value of the leak has been questioned, as many of the listed servers are nine years old and likely no longer exist. More information. [5]
Converse Australia targeted by point-of-sale malware
Converse [6] Australia recently announced that its ecommerce platform fell victim to malware targeting payment card information. The breach affected customers placing orders on Converse’s Australian site between September 2 and October 12 of this year. Conquest Sports [7] (the company running the site) has remediated the issue, but customers who made purchases within this period are advised to monitor their cardholder statements for unauthorised charges. More information. [8]
Trending Vulnerabilities
Google releases details on unpatched flaw in the Windows kernel
Microsoft [9] has yet to patch a critical vulnerability in the Windows kernel that is being actively exploited in the wild. Google discovered the vulnerability, together with another in Adobe Flash. The bug in question is a local privilege escalation in the Windows kernel, allowing malicious actors to escape the Windows security sandbox. Microsoft has yet to announce when a patch will be released. More information. [10]
Critical Vulnerabilities found in Schneider Industrial Control System
Dubbed PanelShock [11], the vulnerabilities can be found in Schneider’s Magelis line of Human Machine Interfaces (HMI). An attacker could use vulnerabilities in the Web Gate web service of the Magelis Advanced HMI to freeze the panel remotely, disconnecting the HMI from the SCADA network. A fix for the vulnerability is not expected until March. More information. [12]
General News
Trump Server Communicating with Alfa Bank Server
It has emerged that a server linked to the Trump campaign has been communicating with a server in Moscow registered to Alfa Bank [13]. A team of malware hunters and DNS experts that set out to investigate the hack of the Democratic National Committee (DNC) came across unusual traffic between a Russian-based server and a destination domain with ‘Trump’ in its name. One of the researchers, working under the pseudonym ‘Tea Leaves’, examined the link and has since found that the two servers communicate in a suspicious manner. After word spread that the findings would be made public, both servers stopped communicating entirely. More information. [14]
UK Tax-Rebate scam
A scam utilising the “.gov.uk” domain name has been distributing fake emails about tax rebates. It’s believed that the actors running the campaign were targeting up to 50,000 people a day, and it took nearly six weeks to take down the domain name. The details of this scam have emerged amidst the UK’s decision to invest £1.9 billion in cyber security efforts. More information. [15]
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
[1] https://my.silobreaker.com/view360.aspx?item=11_571123883#?q=Malware:%22Nymaim%20Ransomware%22&rd=true
[2] http://cyber.verint.com/nymaim-malware-variant/
[3] https://my.silobreaker.com/view360.aspx?item=11_1053154831#?q=ThreatActor:%22Shadow%20Brokers%20%28hacker%20group%29%22&rd=true
[4] https://my.silobreaker.com/view360.aspx?item=11_333478#?q=Organization:%22NSA%20US%20National%20Security%20Agency%22&rd=true
[5] https://www.myhackerhouse.com/hacker-halloween-inside-shadow-brokers-leak/
[6] https://my.silobreaker.com/view360.aspx?item=11_4323859#?q=Company:%22Converse%20Inc%22&rd=true
[7] https://my.silobreaker.com/view360.aspx?item=11_1087839060#?q=Company:%22Conquest%20Sports%22&rd=true
[8] http://www.infosecurity-magazine.com/news/converse-ecommerce-site-hacked/
[9] https://my.silobreaker.com/view360.aspx?item=11_304771#?q=Company:%22Microsoft%20Corporation%22&rd=true
[10] https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
[11] https://my.silobreaker.com/view360.aspx?item=11_1104851306#?q=Keyphrase:%22PanelShock%22
[12] http://www.critifence.com/blog/panel_shock/
[13] https://my.silobreaker.com/view360.aspx?item=11_449403#?q=Company:%22Alfa-Bank%22&rd=true
[14] http://www.slate.com/articles/news_and_politics/cover_story/2016/10/was_a_server_registered_to_the_trump_organization_communicating_with_russia.html
[15] http://www.independent.co.uk/life-style/gadgets-and-tech/tax-refund-rebate-scam-fake-hackers-target-people-hmrc-a7390381.html