Threat Report

Wednesday January 9, 2019

It’s clear that ransomware is ruling the new year, so today we’re covering activity from three ransomware campaigns. We’ll also be checking out a recent 0day discovered in the wild that has been bringing home the cache for some lucky attacker. But first, let’s start with a high-profile data breach.

Humana healthcare provider discloses data breach

According to a breach notification filing with the California Attorney General’s Office, healthcare management provider Humana disclosed that attackers compromised an associate, Bankers Life, and stated that the incident impacted a limited number of Humana customers. The statement disclosed that between May 30 and September 13, 2018, an unauthorized actor used employee system credentials to gain access to certain secure Bankers Life websites, potentially granting them access to a limited number of customers’ information.

Potentially exposed information included name, address, date of birth, the last four digits of the social security number, and health insurance policy coverage details. Bankers Life learned of the incident on August 7, and Humana was notified of the malicious activity on October 25, 2018. The number of customers impacted was not disclosed. Humana states that the offenders did not access full social security numbers, banking or credit card information, or personal health or medical records. But the data that was stolen is enough to social engineer someone into identity theft. In public statements the company, shamelessly and ironically, recommends a Bankers Life identity protection service to the victims for identity theft protection. They couldn’t keep customer data secure before, so what makes anyone think they deserve the right to more of your data? If they feel strongly about the suggested consumer response to the damage they have inflicted, they should be giving the service away to everyone affected.

Recent side channel 0day steals data from Operating System’s cache

Security researchers from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel shared their findings with Bleeping Computer about a new side channel attack that targets the operating system’s page cache. The side channel exploits a race condition and is carried out by a malicious local process, so it is a local attack rather than a remote one.

Researchers disclosed the flaw to the affected vendors after they detected an exploitation attempt against Windows and Linux machines. Researchers noticed that the actors had been executing the exploit through the page cache query interfaces: the mincore system call on Linux, tracked as CVE-2019-5489, and QueryWorkingSetEx on Windows. CVE-2019-5489 is a race condition that allows an attacker to observe the page cache access patterns of other processes on the infected system.

Users and organizations should be ready to install security updates to limit their exposure to this threat. No indicators of compromise were released with the researchers’ findings; however, an in-depth technical analysis is available for review.

Vidar and GandCrab: Stealer and ransomware combo observed in the wild

Malwarebytes security researchers recently discovered a prolific malvertising campaign that targets high-traffic torrent and streaming sites and redirects users towards two malicious payloads. The first is Vidar, an information stealer that harvests large amounts of the victim’s data. The second is GandCrab, one of the most active families of file-encrypting malware currently in operation. Once executed, GandCrab leaves a ransom note demanding either Bitcoin or Dash in exchange for recovering the files. Users and organizations must keep software and firmware up to date with timely patching to reduce exposure to such attacks. The following indicators of compromise were released with Malwarebytes’ findings.

Domains

- Kolobkoproms[.]ug
- ovz1[.]fl1nt1kk[.]10301[.]vps[.]myjino[.]ru

Hashes

- abf3fdb17799f468e850d823f845647738b6674451383156473f1742ffbd61ec
- e99daf10e6cb98e93f82dbe344e6d6b483b9073e80b128c163034f68de63be33

New wave MongoLock ransomware immediately deletes files

Trend Micro reports sightings of a new wave of MongoLock ransomware attacks, whereby files are immediately deleted instead of encrypted and further scans are automatically performed to delete additional files.

Researchers state that MongoLock was first sighted in the wild in December 2018. The ransomware message claims that the files are saved in the cybercriminals’ servers and demands a payment of 0.1 Bitcoin be paid within 24 hours.

Trend Micro states that the highest numbers of infections are in South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan, and Hong Kong. The campaign was sighted targeting databases with weak security settings, and the ransomware was hosted on PythonAnywhere, a Python-based online integrated development environment (IDE) and web hosting service. Researchers state that any host using hxxp://{user-defined}.pythonanywhere.com may be vulnerable to abuse. The following indicators of compromise were released with the researchers’ findings.

Hash

698be23b36765ac66f53c43c19ea84d9be0c3d7d81983726724df6173236defa

IP Address

104[.]27[.]178[.]191

URLs

- hxxp://update[.]pythonanywhere[.]com/d
- hxxps://s[.]rapid7[.]xyz

Loki variant new campaign: Uses “.ace” attachments via fake DHL Express quotation

Security researchers shared their findings with My Online Security after observing a new campaign delivering a Loki variant through malicious email attachments, posing as a DHL Express quotation, to gather information. The malicious “.ace” archive attachment contains a password-stealing component that also encrypts the victim’s files. Malicious attachments in this campaign can also arrive with the following file extensions: js, exe, com, pif, scr, hta, vbs, wsf, jse, and jar. Researchers noticed that the actors had been delivering the payload through the malicious “.ace” file.

Once executed, it encrypts the victim’s files and the actors demand a ransom to recover them. Users and organizations should always be cautious with email that pretends to come from a legitimate company and asks for personal information, to avoid falling for such attacks. The following indicators of compromise were released with the researchers’ findings.

Hashes

- 6e98fd04a2b9f62eb8682152fc93e60c
- 6a904e3d3449f6254364d2170719247c1356fd7c
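As an added example that is not part of the original report, the Python helper below refangs the defanged network indicators published in the Vidar/GandCrab and MongoLock sections above and flags any proxy, DNS or firewall log line that references one of those hosts. The log lines are constructed for illustration, and the matching is bounded to the host component so look-alike domains do not trigger.

```python
import re

# Defanged indicators copied from the Vidar/GandCrab and MongoLock lists above.
DEFANGED_IOCS = [
    "Kolobkoproms[.]ug",
    "ovz1[.]fl1nt1kk[.]10301[.]vps[.]myjino[.]ru",
    "104[.]27[.]178[.]191",
    "hxxp://update[.]pythonanywhere[.]com/d",
    "hxxps://s[.]rapid7[.]xyz",
]

# Constructed sample log lines (proxy, DNS, firewall) used to exercise the matcher.
SAMPLE_LOGS = [
    "2019-01-09T10:02:11Z proxy src=10.0.0.5 GET http://update.pythonanywhere.com/d 200",
    "2019-01-09T10:02:12Z dns query=ovz1.fl1nt1kk.10301.vps.myjino.ru. type=A",
    "2019-01-09T10:03:40Z fw allow 10.0.0.7 -> 104.27.178.191:443",
    "2019-01-09T10:04:01Z proxy src=10.0.0.9 GET https://www.pythonanywhere.com/ 200",
]

def refang(ioc: str) -> str:
    """Undo the report's defanging conventions (hxxp://, [.], [:]) and lower-case."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":").lower()

def host_of(ioc: str) -> str:
    """Return the hostname or IP of a refanged indicator (bare host or URL)."""
    ioc = refang(ioc)
    if "://" in ioc:
        ioc = ioc.split("://", 1)[1]
    return ioc.split("/", 1)[0].split(":", 1)[0]

def match_log_lines(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, original_indicator) for every line that references
    one of the indicator hosts.  Matching is on the host component, bounded so
    that 'update.pythonanywhere.com/anything' is flagged but the unrelated
    'www.pythonanywhere.com' and look-alikes such as 'host.com.evil.tld' are not."""
    hosts = {host_of(i): i for i in iocs}
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for host, original in hosts.items():
            # No word/dot/dash before the host, and no dot-followed-by-word after it.
            pattern = r"(?<![\w.-])" + re.escape(host) + r"(?!\.?[\w-])"
            if re.search(pattern, low):
                hits.append((number, original))
    return hits
```

Hash indicators are best matched separately against file-hash telemetry (EDR or mail gateway logs) rather than against free-text log lines.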

Paul Scott
SOC Nightwatchman