Silobreaker Daily Cyber Digest – 4 November 2016

Malware

Android spyware targets high-level individuals

Skycure [1] researchers have uncovered new mobile malware targeting Android devices. The spyware package, named Exaspy [2], targets high-value enterprise executives in order to reach their data. Distributed primarily through phishing campaigns, Exaspy masquerades once installed as a legitimate app called "Google Services". Once resident on the victim's phone, the malware can read messages, pictures and audio, monitor and exfiltrate local files, and execute shell commands. More information. [3]

New exploit kit based on Sundown EK targets South-East Asia

Bizarro Sundown Exploit Kit [4] is a new exploit kit spreading multiple versions of the Locky ransomware. Mainly targeting users in Taiwan and Korea, the kit has been spotted in two versions, both loosely based on the Sundown exploit kit [5]. Bizarro Sundown adds anti-analysis features and changes its URL format to closely resemble legitimate web advertisements. It is currently being used in the ShadowGate campaign [6], which is known for compromising advertising servers to distribute malware. More information. [7]

Vulnerabilities

Outlook Web Access 2FA can be bypassed

A weakness in Exchange deployments has been described that lets an attacker bypass two-factor authentication [8] on Outlook Web Access and reach an organisation's mailboxes, calendars, contacts and more. The problem is that Exchange Server exposes the Exchange Web Services (EWS) interface alongside Outlook Web Access (OWA), and the two-factor authentication applied to OWA does not cover EWS. EWS is enabled by default and shares the same server and port as OWA, so an attacker holding stolen credentials can authenticate to EWS remotely with only the username and password and read the user's inbox. More information. [9]

Ongoing Campaigns

DDoS attack takes Liberia offline

Network infrastructure in Liberia has been hit by repeated short-duration DDoS attacks over the past week, disrupting internet access across the country. The outages were caused by a Mirai-based botnet, named Botnet 14 [10] or Shadows Kill, which uses a network of compromised devices to intermittently flood the IP addresses of the two Liberian companies that operate the country's fibre cable. The attacks exceeded 500 Gbps, making Botnet 14 one of the largest DDoS botnets seen to date. That scale suggests the botnet is controlled by the same actors responsible for the attack on Dyn two weeks ago. More information. [11]

Phantom Squad claim responsibility for Steam attacks

A Twitter user claiming to represent Phantom Squad [12] has taken responsibility for yesterday's Steam downtime, which many had assumed was part of ongoing maintenance. Phantom Squad say the attack on Steam [13] is just the beginning and are threatening further action. More information. [14]

William Hill back online after being targeted by DDoS attacks

Many of William Hill's [15] sites were unusable this week after the bookmaker was hit by a DDoS attack. The sites now appear to be back online, but the recovery took several days. The downtime could have cost William Hill as much as £4.4 million. More information. [16]

New email scam spreading Locky ransomware

An email scam requesting payment for an unnamed maintenance service delivers '.vbs' files inside an attached zip archive. The payload is the notorious Locky ransomware [17], and in most cases the email subject is "Bill". MX Lab researchers discovered this distribution campaign; although the file name sometimes changes, the attachment is normally "_bill_04fcbb9.zip", containing the file "TN C612A439.vbs". More information. [18]

Ukrainian network of hacking groups threatens to leak Putin's spokesman's emails

The Ukrainian Cyber Alliance (including RUH8 [19], Trinity [20], FalconsFlame [21] and CyberHunta [22]) claims it will release information proving that Russian officials are involved in stoking separatism in Ukraine. After releasing a second batch of emails on Thursday, the alliance is now threatening to leak information on Dmitry Peskov, Putin's chief spokesman. Some emails involving the Russian official Vladislav Surkov suggest strong links with separatist forces, a claim the Kremlin denies. More information. [23]

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.
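The OWA/EWS item under Vulnerabilities above turns on one fact: two-factor authentication bolted onto the OWA logon path is never seen by a client that authenticates straight to EWS on the same server and port. The detection a practitioner wants is therefore "successful EWS sessions from a client address that never passed through /owa/". The script below is an added example, not code from Silobreaker or from the Black Hills write-up: it parses an Exchange front-end IIS log in W3C format and reports such (user, client IP) pairs. The log lines are constructed, the column layout is assumed to match a default IIS log trimmed to the fields used here, and INTERNAL_NETS is a placeholder for your own address space.

```python
"""Spot mailbox access over Exchange Web Services (EWS) that bypassed the OWA
front door, where add-on two-factor authentication normally sits.

Added example for this digest, not code from Silobreaker or from the Black
Hills write-up. The IIS W3C log lines below are constructed, the column layout
is assumed to match a default Exchange front-end IIS log trimmed to the fields
used here, and INTERNAL_NETS is a placeholder for your own address space.
"""
import ipaddress
from collections import Counter

# Constructed sample of an Exchange front-end IIS log (W3C extended format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status
2016-11-03 08:01:12 GET /owa/auth/logon.aspx 443 - 10.20.30.40 Mozilla/5.0+(Windows+NT+10.0) 200
2016-11-03 08:01:40 POST /owa/auth.owa 443 - 10.20.30.40 Mozilla/5.0+(Windows+NT+10.0) 302
2016-11-03 08:02:02 POST /EWS/Exchange.asmx 443 CORP\\alice 10.20.30.40 Microsoft+Office/16.0 200
2016-11-03 08:15:07 POST /EWS/Exchange.asmx 443 CORP\\bob 203.0.113.77 python-requests/2.11.1 200
2016-11-03 08:15:09 POST /EWS/Exchange.asmx 443 CORP\\bob 203.0.113.77 python-requests/2.11.1 200
2016-11-03 08:20:00 POST /ews/exchange.asmx 443 CORP\\carol 198.51.100.9 curl/7.50.1 401
"""

# Placeholder for the organisation's own ranges (assumption; adjust to taste).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def is_internal(ip, nets=INTERNAL_NETS):
    """True when the client address falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_ews_bypass(text, nets=INTERNAL_NETS):
    """Return successful EWS sessions from client IPs that never touched /owa/.

    Heuristic: 2FA layered onto OWA is only enforced on the OWA logon path, so
    a (user, client IP) pair that authenticated straight to EWS, especially
    from outside the internal ranges, deserves a look. Legitimate EWS-only
    clients (Outlook for Mac, mobile apps, Lync/Skype) also trip this, so
    baseline the user agents you expect before alerting on it.
    """
    owa_ips = set()
    ews_hits = Counter()
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if uri.startswith("/owa/"):
            owa_ips.add(rec["c-ip"])
        elif uri.startswith("/ews/") and rec["sc-status"] == "200":
            ews_hits[(rec["cs-username"], rec["c-ip"], rec["cs(User-Agent)"])] += 1
    findings = []
    for (user, ip, agent), count in ews_hits.items():
        if ip not in owa_ips:
            findings.append({"user": user, "client_ip": ip, "user_agent": agent,
                             "requests": count, "external": not is_internal(ip, nets)})
    return findings


if __name__ == "__main__":
    for finding in find_ews_bypass(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only bob is reported: alice's EWS traffic comes from an address that had just logged on through OWA, and carol's request was refused with a 401. The script keys on client address rather than username because a stolen credential is used from the attacker's machine, which is exactly the address the OWA logon path has never seen.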
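The "Bill" Locky campaign above relies on a script file riding inside a zip attachment, and the usual evasion is to bury the script one archive deeper. The check below is an added example, not code from Silobreaker or MX Lab: a gateway-side inspector that opens a zip in memory, recurses into nested zips up to a fixed depth, and reports any member whose final extension Windows would execute on a double-click. The attachment it inspects is constructed here with harmless placeholder members named after the reported file, and the extension list is an assumption about what your gateway should treat as directly executable.

```python
"""Flag mail attachments that carry script files inside a zip, the delivery
method of the "Bill" Locky campaign, nested archives included.

Added example for this digest, not code from Silobreaker or MX Lab. The
archive below is constructed in memory with harmless placeholder members; the
extension list is an assumption about what a gateway should block outright.
"""
import io
import zipfile

# Extensions Windows runs on a double-click (assumed policy list, extend as needed).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk", ".jar"}
MAX_DEPTH = 3  # refuse to unpack archives nested deeper than this


def build_sample_attachment():
    """Construct a lookalike of "_bill_04fcbb9.zip": an outer zip holding a
    placeholder .vbs, a benign text file, and an inner zip hiding a second
    script behind a double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.js", "// constructed placeholder, not malware")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("TN C612A439.vbs", "' constructed placeholder, not malware")
        z.writestr("readme.txt", "plain text is fine")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


def extension_of(name):
    """Lower-cased final extension of a member path ("" when there is none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def risky_members(zip_bytes, depth=0, prefix=""):
    """Return [(path, reason)] for members a gateway should block.

    Recurses into nested zips up to MAX_DEPTH; anything deeper, or any archive
    that will not open, is itself reported so the check fails closed.
    """
    if depth > MAX_DEPTH:
        return [(prefix, "nesting deeper than MAX_DEPTH")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [(prefix, "unreadable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = extension_of(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                findings.append((path, "script/executable " + ext))
            elif ext == ".zip":
                findings.extend(risky_members(archive.read(info), depth + 1, path + "!"))
    return findings


if __name__ == "__main__":
    for path, reason in risky_members(build_sample_attachment()):
        print(path, "->", reason)
```

Two design points matter: the decision is made on the last extension, so "invoice.pdf.js" is caught regardless of how the icon would render, and an archive that cannot be opened or nests past MAX_DEPTH is reported rather than waved through, since a sender who needs a damaged or deeply nested zip to reach the user is not one a gateway should trust.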
[1] https://my.silobreaker.com/view360.aspx?item=11_439460465#?q=Company:%22Skycure%22&rd=true
[2] https://my.silobreaker.com/view360.aspx?item=11_1106975897#?q=Malware:%22Exaspy%22&rd=true
[3] https://www.skycure.com/blog/exaspy-commodity-android-spyware-targeting-high-level-executives/
[4] http://www.silobreaker.comabout:blank
[5] https://my.silobreaker.com/view360.aspx?item=11_869898279#?q=Keyphrase:%22SunDown%20Exploit%20Kit%22&rd=true
[6] https://my.silobreaker.com/view360.aspx?item=11_1107737131#?q=Keyphrase:%22ShadowGate%20%28Hacker%20Op%29%22&rd=true
[7] http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/
[8] https://my.silobreaker.com/view360.aspx?item=11_576342127#?q=Keyphrase:%22Two%20Factor%20Authentication%22&rd=true
[9] http://www.blackhillsinfosec.com/?p=5396
[10] https://my.silobreaker.com/view360.aspx?item=11_1107634677#?q=Keyphrase:%22Botnet%2014%22&rd=true
[11] https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#.uuqm8398z
[12] https://my.silobreaker.com/view360.aspx?item=11_225299889#?q=ThreatActor:%22Phantom%20Squad%20(hacker%20group)%22&rd=true
[13] https://my.silobreaker.com/view360.aspx?item=11_494405340#?q=Product:%22Steam%20Services%22&rd=true
[14] http://www.itechpost.com/articles/49699/20161103/phantom-squad-claims-to-be-responsible-for-the-steam-attack-says-steam-is-just-the-beginning.htm
[15] https://my.silobreaker.com/view360.aspx?item=11_1086866#?q=Company:%22William%20Hill%20plc%22&rd=true
[16] http://www.theregister.co.uk/2016/11/02/william_hill_ddos/
[17] https://my.silobreaker.com/view360.aspx?item=11_966417407#?q=Malware:%22Locky%20Ransomware%22&rd=true
[18] https://blog.mxlab.eu/2016/11/03/new-vbs-malware-in-email-with-subject-bill-locky-ransomware/
[19] https://my.silobreaker.com/view360.aspx?item=11_945725722#?q=ThreatActor:%22RUH8%22&rd=true
[20] https://my.silobreaker.com/view360.aspx?item=11_1107688963#?q=ThreatActor:%22Trinity%20%28Hacking%20Group%29%22&rd=true
[21] https://my.silobreaker.com/view360.aspx?item=11_992254414#?q=ThreatActor:%22FalconsFlame%22&rd=true
[22] https://my.silobreaker.com/view360.aspx?item=11_1098849781#?q=ThreatActor:%22CyberHunta%22&rd=true
[23] http://uk.reuters.com/article/uk-ukraine-crisis-cyber-russia-idUKKBN12Y2PD