Page created by Julio Stanley

Health-ISAC Daily Security Intelligence Report – March 14, 2019

This information is marked TLP GREEN: Information within the TLP GREEN category may be
shared with H-ISAC members and trusted partners (e.g., CERTs, law enforcement, government
agencies and other ISACs). Information in this category is not to be shared in public
forums or over public channels.

Vulnerabilities and Threats

Cisco addresses a critical static credential flaw in Common Services Platform Collector
Cisco has released security updates for a critical vulnerability, tracked as
CVE-2019-1723, in its Cisco Common Services Platform Collector (CSPC) software. The flaw
is a default account with a static password. The account does not have administrator
privileges, but an unauthenticated remote attacker who knows the credential can use it
to log in to the affected system.

https://securityaffairs.co/wordpress/82391/security/common-services-platform-collector-flaw.html

Intel Windows 10 Graphics Drivers Riddled With Flaws
Intel has patched 19 vulnerabilities across its popular graphics drivers for Windows 10,
including two high-severity flaws that could lead to code execution.

https://threatpost.com/intel-windows-10-graphics-drivers/142778/

BitLocker attack puts laptops storing sensitive data at risk
A security researcher has come up with a new method of extracting BitLocker
encryption keys from a computer's Trusted Platform Module (TPM) that requires only a
$27 FPGA board and some open-source code.
To be clear, this new BitLocker attack requires physical access to the device and will
damage or destroy it, because the attacker has to hard-wire equipment into the
computer's motherboard. It targets the default TPM-only configuration, in which the TPM
releases the volume master key during boot without any user input; requiring a pre-boot
PIN or startup key in addition to the TPM means the key is not unsealed, and so never
crosses the bus, unless the attacker also has that PIN or key.
https://www.zdnet.com/article/new-bitlocker-attack-puts-laptops-storing-sensitive-data-at-risk/

Attackers Sending Fake CDC Flu Warnings to Distribute GandCrab
Digital attackers are sending out fake flu warnings that appear to come from the U.S.
Centers for Disease Control and Prevention (CDC) in order to distribute GandCrab
ransomware.
An attack begins when a user receives a fake CDC email. The sender field claims that
the email came from “Centers for Disease Control and Prevention,” but a closer look
reveals the actual sender address to be “Peter@eatpraynope.com,” which has nothing to
do with the CDC.

https://www.tripwire.com/state-of-security/security-data-protection/attackers-sending-out-fake-cdc-flu-warnings-to-distribute-gandcrab/
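
The check described above, as an added Python example (not code from the report or from the Tripwire write-up): parse the From header, compare the display name against the domains a named organisation actually sends from, and additionally flag macro-capable Office attachments. The sender address is the one quoted in the item; the brand table, the recipient, subject, body and attachment name of the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Display-name phrases and the sending domains that legitimately use them.
# This table is an assumption for the example; a real deployment would keep
# it per organisation (and would usually also check SPF/DKIM alignment).
BRAND_DOMAINS = {
    "centers for disease control": {"cdc.gov"},
    "world health organization": {"who.int"},
}

# Attachment extensions worth flagging when paired with a spoofed sender.
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".rtf")

# Constructed sample, modelled on the lure in the report: the display name
# claims the CDC while the address (quoted in the report) is on an unrelated
# domain. Recipient, subject, body and attachment name are made up.
SAMPLE_MESSAGE = """\
From: "Centers for Disease Control and Prevention" <Peter@eatpraynope.com>
To: staff@example.org
Subject: Flu pandemic warning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached instructions.
--b1
Content-Type: application/msword; name="Flu_pandemic_warning.doc"
Content-Disposition: attachment; filename="Flu_pandemic_warning.doc"

(document bytes omitted)
--b1--
"""


def sender_parts(from_header):
    """Return (display name, address domain) from a From header, lower-cased."""
    name, addr = parseaddr(from_header)
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def brand_spoof_findings(raw_message):
    """Analyse one RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, domain = sender_parts(str(msg["From"] or ""))
    findings = []
    for phrase, allowed in BRAND_DOMAINS.items():
        if phrase in name and not domain_allowed(domain, allowed):
            findings.append(
                f"display name claims '{phrase}' but sender domain is '{domain}'")
    # iter_attachments() skips the body candidates and yields the rest.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_CAPABLE):
            findings.append(f"macro-capable attachment '{filename}'")
    return findings


if __name__ == "__main__":
    for finding in brand_spoof_findings(SAMPLE_MESSAGE):
        print("SUSPICIOUS:", finding)
```

The domain comparison accepts subdomains of a listed domain but not look-alikes such as cdc.gov.example.com, which is the pattern display-name spoofing usually relies on.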

GlitchPOS: New PoS malware for sale
Point-of-sale malware is popular among attackers because it usually leads to them
obtaining credit card numbers and immediately using that information for financial gain.
This type of malware is generally deployed on retailers' websites and retail point-of-sale
locations with the goal of capturing customers' payment information. If they successfully
obtain credit card details, they can either sell that information or use the card data
directly to obtain additional exploits and resources for other malware. Point-of-sale
terminals are often forgotten about in terms of segregation and can represent a soft
target for attackers. Cisco Talos recently discovered a new PoS malware that the
attackers are selling on a crimeware forum. Our researchers also discovered the payloads
associated with the malware, its infrastructure and control panel. We assess with high
confidence that this is not the first malware developed by this actor. A few years ago,
they were also pushing the DiamondFox L!NK botnet. Known as "GlitchPOS," this malware is
also being distributed on alternative websites at a higher price than the original.

https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html

DMSniff Point-of-Sale Malware Silently Attacked SMBs For Years
A Point-of-Sale (POS) malware which uses a domain generation algorithm (DGA) to create
command-and-control domains on the fly has been deployed in attacks against small and
medium-sized businesses for the past four years, since at least 2016, according to a
team of security researchers from Flashpoint. Because the C2 domains are generated rather
than hard-coded, blocking a static indicator list is not enough; detection has to rely on
the algorithm itself or on the pattern of lookups for many never-registered domains.
The Flashpoint team believes that the malware they dubbed DMSniff "could be gaining
an initial foothold on devices either by using brute-force attacks against SSH
connections or by scanning for vulnerabilities and exploiting those."
https://www.bleepingcomputer.com/news/security/dmsniff-point-of-sale-malware-silently-attacked-smbs-for-years/

DMSniff POS Malware Actively Leveraged to Target Small, Medium-Sized Businesses
https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/

39% of all existing Counter-Strike 1.6 game servers online are malicious
Bad news for players of the popular game Counter-Strike: according to experts at the
security firm Dr. Web, 39% of all existing Counter-Strike 1.6 game servers online are
malicious. An attacker is using them to exploit zero-day flaws in the game client and
install the Belonard trojan on players' machines.
https://securityaffairs.co/wordpress/82371/breaking-news/counter-strike-1-6-flaws.html
Study of the Belonard Trojan, exploiting zero-day vulnerabilities in Counter-Strike 1.6
https://news.drweb.com/show/?i=13135&lng=en

Operation Sheep: Chinese IT Services Giant Hangzhou Shunwang Technology
Harvests Contacts, Tracks Android Users
Servers controlled by Chinese IT and services giant Hangzhou Shunwang Technology
collect phone contact lists, geolocation, and QQ messenger login info through a data-
stealing component present in up to a dozen Android apps available from major third-
party stores in the country.

https://www.bleepingcomputer.com/news/security/chinese-it-services-giant-harvests-contacts-tracks-users/

'Read the Manual' Bot (RTM Bot) Gives This Phishing Campaign a Promising Future
Cofense Intelligence has spotted a surgical phishing campaign whose targets could
easily broaden, given the sophisticated development of its tactics. For now, it is taking
aim at financial departments in Russia and neighboring countries, using the Read the
Manual (RTM) Bot to deliver a banking trojan.
Among other capabilities, the malware steals data from accounting software and
harvests smart card information. The newest version communicates over Tor (The Onion
Router), whose anonymity and extra encryption suggest the threat actors are serious
about developing the banking trojan for future campaigns.

https://cofense.com/read-manual-bot-gives-phishing-campaign-promising-future/

Emotet revisited: pervasive threat still a danger to businesses
One of the most common and pervasive threats for businesses today is Emotet, a
banking Trojan turned downloader that has been on our list of top 10 detections for
many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has
been leveled at consumers and organizations across the globe, fooling users into
infecting endpoints through phishing emails, and then spreading laterally through
networks using stolen NSA exploits. Its modular, polymorphic form, and ability to drop
multiple, changing payloads have made Emotet a thorn in the side of cybersecurity
researchers and IT teams alike.

https://blog.malwarebytes.com/cybercrime/2019/03/emotet-revisited-this-pervasive-persistent-threat-is-still-a-danger-to-businesses/

The CVE-2019-0797 vulnerability
Kaspersky's analysis of CVE-2019-0797, a win32k.sys race condition used in the wild as a
zero-day for local privilege escalation on Windows and patched by Microsoft in the March
2019 security updates.
https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/

CVE-2019-7238: Insufficient Access Controls in Sonatype Nexus Repository Manager 3
Allows Remote Code Execution
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-7238-insufficient-access-controls-in-sonatype-nexus-repository-manager-3-allows-remote-code-execution/

Nymaim config decoded
First documented in 2013 [1], Nymaim was originally identified as both a first-stage
downloader and second-stage locking malware. Primarily distributed via the Blackhole
exploit kit, most users found out they were infected because of the screen lock that
demanded varying ransoms. In 2016, we documented distribution of the Ursnif banking
Trojan via email campaigns and the presence of webinjects within Nymaim itself [2].
More recently, Nymaim has evolved into an even more robust downloader that includes
a range of information stealing and system profiling capabilities. This incarnation of
Nymaim has appeared in both global campaigns as well as attacks targeting North
America, Germany, Italy, and Poland. In this respect, Nymaim is following global
malware trends, with a focus on persistent, non-destructive infection to collect
information long-term and flexibly download additional malware of the threat actor’s
choosing.

https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded

GoDaddy, Apple, and Google misuse more than 1M certificates
A major operational error has resulted in the issuance of at least one million browser-
trusted digital certificates from GoDaddy, Apple and Google that do not comply with
binding industry mandates.
The misconfiguration stems from the open source EJBCA software package that many
browser-trusted authorities use to generate certificates that secure websites, encrypt
email, and digitally sign code, independent security researcher Adam Caudill said in a
blog post. EJBCA's default produced 64-bit serial numbers with the top bit forced to zero
so that the value stays positive, leaving only 63 bits of randomness against the 64-bit
minimum required by the CA/Browser Forum Baseline Requirements, so the affected
certificates have to be revoked and reissued.

https://www.scmagazine.com/home/security-news/a-major-operational-error-has-resulted-in-the-issuance-of-at-least-1-million-browser-trusted-digital-certificates-from-godaddy-apple-and-google-not-complying-with-industry-mandates/
https://adamcaudill.com/2019/03/09/tls-64bit-ish-serial-numbers-mass-revocation/
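
The arithmetic behind the defect, as an added Python example (not code from EJBCA or from Caudill's post): a 64-bit random serial with its top bit cleared carries 63 bits, whereas a genuine 64-bit serial has its most significant bit set half the time and then needs a leading 0x00 byte in its DER INTEGER encoding, nine content bytes in total. That gives an audit heuristic that can be applied to any CA's issued certificates: if every serial fits in eight bytes and none reaches 2**63, the generator is clearing the sign bit. The generators take a byte source so the example can run deterministically; secrets.token_bytes is the default and the seeded source is for demonstration only.

```python
import random
import secrets


def serial_sign_bit_cleared(rng=secrets.token_bytes):
    """Defective scheme: 64 random bits with the top bit forced to 0 so the
    serial is a positive signed 64-bit value. Only 63 bits of entropy remain."""
    return int.from_bytes(rng(8), "big") & ((1 << 63) - 1)


def serial_64_bit(rng=secrets.token_bytes):
    """Compliant scheme: 64 random bits taken as an unsigned integer."""
    return int.from_bytes(rng(8), "big")


def der_integer_length(value):
    """Content-octet count DER uses for a non-negative INTEGER: the minimal
    big-endian bytes, plus a leading 0x00 when the top bit would be set."""
    nbytes = max(1, (value.bit_length() + 7) // 8)
    if (value >> (8 * nbytes - 1)) & 1:
        nbytes += 1
    return nbytes


def looks_sign_bit_cleared(serials):
    """Audit heuristic: a CA emitting 64-bit serials should need a 9-byte
    INTEGER for roughly half of them. If none needs more than 8 bytes and
    none reaches 2**63, the generator is clearing the sign bit."""
    return (max(der_integer_length(s) for s in serials) <= 8
            and max(serials) < (1 << 63))


def seeded_bytes(seed):
    """Deterministic byte source for demonstration only; never use in a CA."""
    rnd = random.Random(seed)
    return lambda n: rnd.getrandbits(8 * n).to_bytes(n, "big")


if __name__ == "__main__":
    rng = seeded_bytes(2019)
    bad = [serial_sign_bit_cleared(rng) for _ in range(1000)]
    good = [serial_64_bit(rng) for _ in range(1000)]
    share = sum(der_integer_length(s) == 9 for s in good) / len(good)
    print("sign-bit-cleared serials look defective:", looks_sign_bit_cleared(bad))
    print("64-bit serials look defective:", looks_sign_bit_cleared(good))
    print(f"share of 64-bit serials needing 9 DER bytes: {share:.2f}")
```

Running the audit over a sample of a CA's real serials (for example from Certificate Transparency logs) gives the same signal: a population that never shows a 9-byte serial was not produced from 64 bits of CSPRNG output.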

Saudi Cybersecurity Company Tried to Buy Zero Day Exploits
Zero days—exploits that take advantage of vulnerabilities the vendor, such as Apple,
doesn’t know about—are a hot commodity. With a zero day, a hacker, perhaps working
for a government, can have a better chance of being able to break into a target’s
computer or phone. If Apple or Google aren’t even aware of a security issue with their
products, hackers don’t have to worry about a target’s device being patched to defend
against it.
https://motherboard.vice.com/en_us/article/xwbk5j/saudi-cybersecurity-company-tried-buy-zero-days-from-me-haboob-darkmatter

'Privacy Is Becoming a Luxury': What Data Leaks Are Like for the Poor
When Jayne checked her email on the morning of February 13, she didn't expect to find
anything particularly exciting. The 34-year-old, who asked her real name be withheld out
of fear that speaking out could affect her housing benefits, was enjoying a rare moment
of relative peace on a snow day in a household with five kids. But when she opened the
attachment from a note sent by the Seattle Housing Authority, she did not see the
routine newsletter she anticipated. Instead, she was staring at a list of names,
addresses, e-mail addresses, and tenant code numbers for the more than 500 clients of
the city’s Scattered Sites low-income housing program, which includes low-income
complexes that are typically smaller and more family-oriented than bigger housing
projects. Jayne's own name and personal information were included on the list.

https://www.vice.com/en_us/article/mbz493/privacy-is-becoming-a-luxury-what-data-leaks-are-like-for-the-poor

Cyber Incidents and Cyber Crime

Gearbest security lapse exposes millions of shopping orders
Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and
shopping orders, security researchers have found.
Security researcher Noam Rotem found an Elasticsearch server leaking millions of
records each week, including customer data, orders, and payment records. The server
wasn’t protected with a password, allowing anyone to search the data.
https://techcrunch.com/2019/03/14/gearbest-orders-exposed/

Sportswear brand FILA falls victim to GMO infection
Sportswear brand FILA is the latest company to fall victim to the card-stealing
JavaScript infection that menaced British Airways and Ticketmaster last year.
Russian security house Group-IB said it discovered and reported to FILA UK an
infection known as GMO that was active on the site for the last four months and may
have sniffed the payment card information of thousands of customers.

https://www.theregister.co.uk/2019/03/14/fila_uk_hacked/

Ad Network Sizmek Probes Account Breach
Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security
incident in which a hacker was reselling access to a user account with the ability to
modify ads and analytics for a number of big-name advertisers.
In a recent posting to a Russian-language cybercrime forum, an individual who’s been
known to sell access to hacked online accounts kicked off an auction for “the admin
panel of a big American ad platform.”
https://krebsonsecurity.com/2019/03/ad-network-sizmek-probes-account-breach/

Pakistani Government Site Compromised, Logs Visitor Keystrokes
A Pakistani government site used as a tracking platform for passport applications has
been compromised to deliver a ScanBox framework payload which captures the visitors'
machine information and logs their keystrokes.
The breached website is tracking.dgip.gov[.]pk, a sub-domain of the Directorate General
of Immigration & Passport of the Pakistani government.
https://www.bleepingcomputer.com/news/security/pakistani-government-site-compromised-logs-visitor-keystrokes/

Ransomware attack pays off as Delaware Guidance Services gives in to criminals
The Delaware Guidance Services (DGS) for Children and Youth is the latest
organization to pay off the cybercriminals who locked up their network with a
ransomware attack.
The Dover, Del., based organization said in a letter to its patients and guardians that the
attack took place on December 25, 2018. Files containing personal information, such as
name, address, birth date, Social Security Number, and medical information were
affected. DGS is a not-for-profit provider of comprehensive psychiatric services for
children and their families in Delaware.

https://www.scmagazine.com/home/security-news/ransomware-attack-pays-off-as-delaware-guidance-services-gives-in-to-criminals/

Massachusetts Emerson hospital notifies 6,300 patients of vendor data breach
Concord, Mass.-based Emerson Hospital sent letters to 6,314 patients alerting them to a
May 2018 cybersecurity incident that may have affected their information, according to
the HIPAA Journal.
The incident, which happened between May 9 and 17, was the result of a former employee
of MiraMed Global Services, a company that helps hospitals collect payments, sending
patient files to an unauthorized third party.

https://www.beckershospitalreview.com/cybersecurity/massachusetts-hospital-notifies-6-300-patients-of-vendor-data-breach.html

Facebook, WhatsApp, Instagram, Messenger suffer severe outage
Facebook along with some of its most prominent family of apps were down on
Wednesday leaving users around the globe unable to use their favorite services for a
prolonged period of time.
It was the longest outage in the history of Facebook, but at the time of writing the cause
of the interruption has not been made public.

https://www.welivesecurity.com/2019/03/14/facebook-suffer-severe-outage/

Government, Law, and Critical Infrastructure

Purveyor of Cracked Netflix, Hulu, Spotify Accounts Arrested
A Sydney man is accused of selling nearly 1 million compromised accounts, for a
significant profit.
A Sydney man has been arrested after allegedly selling hundreds of thousands of
compromised account details for subscription streaming services, including for Netflix,
Hulu and music streaming service Spotify – raking in about $212,000 ($300,000 AUD)
in profit in the process.
https://threatpost.com/cracked-netflix-hulu-spotify-accounts-arrested/142791/

ICE using automated license plate reader database to spy on immigrants
U.S. Immigration and Customs Enforcement (ICE) have tapped a large surveillance
database to spy on immigrants, according to the American Civil Liberties Union (ACLU)
of Northern California.
“It is appalling that ICE has added this mass surveillance database to its arsenal, and
that local law enforcement agencies and private companies are aiding the agency in its
surveillance efforts,” Vasudha Talla, a staff attorney with the organization, said in a
release. “Local law enforcement agencies must immediately stop sharing their
residents’ information with this rogue and immoral agency.”
https://www.scmagazine.com/home/security-news/ice-using-automated-license-plate-reader-database-to-spy-on-immigrants/
U.S. Immigration and Customs Enforcement (ICE) database tracks nearly 60% of U.S.
population without a warrant
https://thenextweb.com/politics/2019/03/13/report-ice-database-tracks-nearly-60-of-us-population-without-a-warrant/
https://www.aclunc.org/docs/DOCS_031319.pdf

U.S. Senators want to know how many times they've been hacked
Two US senators have requested the US Senate Sergeant at Arms to disclose details
about cyber-attacks against the Senate and its members.
The request has been made in a letter signed today by Ron Wyden (D-Ore.) and Tom
Cotton (R-Ark.), both members of the US Senate Intelligence Committee.

https://www.zdnet.com/article/us-senators-want-to-know-how-many-times-theyve-been-hacked/

U.S. Navy taken to task for cybersecurity flaws
The U.S. Navy is prepared to face and defeat the nation’s enemies in all physical
environments, but is losing an on-going cyberwar with China, according to its own
assessment of the situation.
A 57-page report compiled by the Navy and delivered by Navy Secretary Richard
Spencer, and read and reported on by the Wall Street Journal, states that the Chinese have
been attacking both the branch itself and its suppliers and third-party vendors to
steal secrets and gain a military advantage. The report cites the Navy for not
anticipating a cyber campaign to be run against its contractors and for not informing
those companies of the threat, the WSJ said.

https://www.scmagazine.com/home/security-news/government-and-defense/u-s-navy-taken-to-task-for-cybersecurity-flaws/

Security Industry Tools and Reports

Carbon Black: 2019 Cyberattack Landscape in Canada (PDF, requires registration)
https://www.carbonblack.com/resources/threat-research/global-threat-report-series/

ISACA: State of Cybersecurity 2019
Summary: https://cybersecurity.isaca.org/state-of-cybersecurity
Report (PDF, requires registration): http://www.isaca.org/Knowledge-Center/Research/Documents/cyber/state-of-cybersecurity-2019-part-1_res_eng_0319.pdf

Redscan: How well do organizations respond to data breaches?
https://www.redscan.com/news/redscan-foi-research-ico-breach-reporting/
Infographic (PDF): https://www.redscan.com/wp-content/uploads/2019/03/ICO-Breach-infographic.pdf