Archive for October, 2018

Rewterz Threat Advisory – Microsoft Windows Zero-day ‘Arbitrary Windows file delete’ vulnerability

A new Windows file-delete vulnerability, with a proof of concept, has been posted online; it may lead to local privilege escalation via DLL hijacking.


PUBLISH DATE:  30-10-2018


This new bug, together with a proof of concept, was leaked on Twitter by the researcher SandboxEscaper. It can be exploited to delete arbitrary Windows files and, via DLL hijacking, to gain elevated privileges. The zero-day is still unpatched by the vendor; however, 0Patch has released a free micro-patch that fixes the bug.


The researcher who found this bug said, “[It’s] Not the same bug I posted a while back, this doesn’t write garbage to files but actually deletes them. Meaning you can delete application DLLs and hope they go look for them in user-writeable locations. Or delete stuff used by system services in c:\windows\temp and hijack them.”


This ‘Deletebug’ vulnerability in the Microsoft Data Sharing Service (dssvc.dll) lets non-admins abuse a new Windows service to delete any file without any permission check. Once deletebug.exe has deleted pci.sys, the computer can no longer be restarted, so test only on a virtual machine that can be reverted to a snapshot taken before deletebug.exe was run.


The vulnerability hasn’t been patched by Microsoft; however, a free micro-patch released by 0Patch fixes the bug in the Microsoft Data Sharing Service. The micro-patch adds impersonation to the DeleteFileW call, which blocks the exploit.


With impersonation in place, the delete operation is denied access, as shown in the figure below. The vulnerability is reported in Windows 10 / Server 2016, whereas Windows 7 and Windows 8 aren’t affected.
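The mechanism behind the micro-patch, as an added illustration that is not 0patch’s or Microsoft’s code: a constructed Python model in which a SYSTEM service deletes a caller-named path either under its own token (the vulnerable shape) or while impersonating the caller (the patched shape). Tokens are modelled as sets of SIDs and files carry a constructed DACL; the user SID and the file paths are assumptions.

```python
"""Model of why impersonating the caller around DeleteFileW blocks the dssvc
"Deletebug".  This is a constructed simulation, not Win32 code: a token is
the set of SIDs it carries and each file has a DACL listing the SIDs that
are granted DELETE.  SYSTEM and Administrators are the real well-known SIDs;
the user SID and the paths are constructed."""

SYSTEM = "S-1-5-18"          # LocalSystem, the Data Sharing Service's own token
ADMINS = "S-1-5-32-544"      # BUILTIN\Administrators
USER = "S-1-5-21-1000"       # constructed SID of a low-privileged local user

PCI_SYS = r"C:\Windows\System32\drivers\pci.sys"
NOTES = r"C:\Users\alice\Desktop\notes.txt"      # constructed user-owned file


def fresh_fs():
    """Constructed file system: path -> set of SIDs whose token may delete it."""
    return {
        PCI_SYS: {SYSTEM, ADMINS},       # only SYSTEM/Admins may delete a driver
        NOTES: {USER, SYSTEM, ADMINS},   # the user's own file
    }


def delete_file_w(path, thread_token, files):
    """Stand-in for DeleteFileW: the DACL is evaluated against the token of
    the calling thread, i.e. the impersonation token if one is active."""
    if not thread_token & files[path]:
        raise PermissionError(f"ACCESS_DENIED deleting {path}")
    del files[path]


def service_delete_unpatched(path, client_token, files):
    """Vulnerable shape: the service acts under its own SYSTEM token, so the
    client's rights are never consulted and any path the caller names is
    deleted."""
    service_token = {SYSTEM}
    delete_file_w(path, service_token, files)


def service_delete_patched(path, client_token, files):
    """Micro-patch shape: impersonate the client for the duration of the
    delete (e.g. RpcImpersonateClient ... RevertToSelf), so the access check
    uses the caller's own token instead of SYSTEM's."""
    service_token = {SYSTEM}
    thread_token = client_token            # impersonation begins
    try:
        delete_file_w(path, thread_token, files)
    finally:
        thread_token = service_token       # RevertToSelf, even when denied


def try_delete(handler, path, client_token, files=None):
    """Run a service handler on behalf of a client and report the outcome."""
    files = fresh_fs() if files is None else files
    try:
        handler(path, client_token, files)
        return "deleted"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    for handler in (service_delete_unpatched, service_delete_patched):
        print(handler.__name__, "low-priv user vs pci.sys ->",
              try_delete(handler, PCI_SYS, {USER}))
```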


Windows 10 and Server 2016 & 2019


Until Microsoft releases a patch, 0Patch’s free micro-patch fixes this arbitrary-delete vulnerability on fully updated Windows 10 1803. Users with online 0patch Agents will have it auto-applied within 60 minutes.


All users can download the micro-patch from



If you think you’re a victim of a cyber-attack, immediately send an e-mail to


BankIslami hit by Cyber Attack, $6 Million Stolen

Editor’s Note: This post was originally published on 28th October 2018 and is being continuously updated with latest information.


Hackers have waged a sophisticated cyber-attack against BankIslami, an Islamic bank in Pakistan, resulting in the theft of around $6 million via fraudulent ATM and POS payments made from different countries. Reports claim that 5000 accounts have been compromised in this attack and that it might be the biggest cyber-attack in the history of Pakistan.


The alleged security breach first came to light on October 27, when the bank detected abnormal transactions on one of its international payment card schemes. Customers of the bank also received automated messages about their payment cards being used in different countries. The bank tried to keep the breach quiet until the hackers possibly used the dark web to put payment card details and PINs up for sale at about $75 each. The bank has temporarily shut down all transactions routed through the international payment scheme.


State Bank of Pakistan (SBP) Directives


“As a result of security breach of payment cards of one of the banks in Pakistan yesterday and their unauthorized use on different delivery channels i.e. at ATMs and POS in different countries, the bank has temporarily restricted usage of its cards for overseas transactions,” State Bank said in a statement yesterday.


SBP instructed the affected bank to take all necessary measures to trace the vulnerability and fix it immediately.


The affected bank has also been directed to issue an advisory on precautionary measures that customers should take.


  • To make sure that resources are deployed to ensure 24/7 real-time monitoring of card-operations systems and transactions. Additionally, to coordinate immediately with all payment schemes, switch operators and media service providers integrated with the banks, to identify any malicious activity or suspicious transactions.


  • To foster arrangements to ensure security of all payments cards in the country and monitor on real-time basis the usage activity for their cards, especially for overseas transactions.


SBP said that it would continue to assess these developments in coordination with banks and take further measures, if required. The banks across Pakistan are directed to ensure that security measures on all IT systems including those related to card operations are continuously updated to meet any challenges in future.


Attack Vector


A FASTCash-style scheme, in which attackers remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, is a possible attack vector for this hack.


When a payment card is used at an ATM or PoS machine, the machine communicates with the bank’s switch application server to validate the transaction, which is then accepted or declined based on the account balance. Malware installed on a compromised switch application server intercepts transaction requests associated with the attackers’ payment cards and responds with a fake but legitimate-looking approval, without checking the available balance with the core banking systems. The machine is thus fooled into processing the transaction or dispensing large amounts of cash without any notification reaching the bank.


Rewterz had published important advisories on similar attacks earlier this month, Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash and North Korean State-Funded APT38 Launches Financially Motivated Attacks Worldwide that include mitigation recommendations for institutions that have payment processing systems.


“Since at least 2014, hacker group involved in FASTCash campaign has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources,” FireEye researchers said in a blog post.


Based on known attacks, an APT attacker spends an average of 155 days camped out in a victim organization’s network; in one case the group had two years of access to a victim’s network, FireEye says.


“APT attacker executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye says.


“The group is careful, calculated and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions and system technologies to achieve its goals.”


The U.S. Computer Emergency Readiness Team issued an alert about “malicious cyber activity by the North Korean government” – which it refers to as Hidden Cobra – perpetrating an ATM cash-out scheme, which the U.S. government refers to as “FASTCash.”


US-CERT’s “Hidden Cobra – FASTCash Campaign” alert says that the attack campaign has been operating since 2016 and so far targeted institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”


“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT says, “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”


Attackers will likely move beyond targeting banks, US-CERT warns. “The U.S. government assesses that Hidden Cobra actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” it says.


Pakistani Banks Card Data on Dark Web


As you are probably aware, some analyses connect this attack with Pakistani banks’ card data being put up for sale on the dark web. According to various sources, a circulating report on the sale of Pakistani banks’ card data shows more than 8000 cards from different banks available on dark web and carding websites.


Rewterz Threat Intelligence Team has carried out an in-depth analysis and assesses that this report was created from a third-category dark web card shop. Third-category shops are mostly easy to access and do not ensure reliable data. The card dump was posted on such a shop yesterday but was taken down by the seller the same day. Further analysis showed that the dump consisted of old skimmed card data from different banks, so probably 99.9% of the data is either bogus or belongs to blocked cards. Research shows that reliable and authentic data is sold on first-category card shops, which offer verified cards with a refund if a card doesn’t work. Our threat intelligence team is further investigating and endeavouring to acquire all the available card data so that further analysis can be carried out.


Therefore, it can be assumed that, in order to create chaos and further exploit the mayhem in Pakistan, the seller consolidated all the skimmed card data available from the past and posted it together.


According to our intelligence, the hackers carried out a targeted and sophisticated attack on a local bank, similar to what we have seen in FASTCash. Skimmed cards cannot support an attack on this scale.




  • Implement chip and Personal Identification Number (PIN) requirements for debit cards.
  • Validate card-generated authorization request cryptograms.
  • Use issuer-generated authorization response cryptograms for response messages.
  • Require card-generated authorization response cryptogram validation to verify legitimate response messages.
  • Require two-factor authentication before any user can access the switch application server.
  • Verify that perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
  • Verify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system.
  • Configure the switch application server to log transactions. Routinely audit transactions and system logs.
  • Develop a baseline of expected software, users, and logons. Monitor switch application servers for unusual software installations, updates, account changes, or other activity outside of expected behavior.
  • Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
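An added example (not from the advisory or from any bank’s systems) of the reconciliation the attack-vector description and the mitigation list point at: a Python check that flags switch approvals lacking a core-banking authorization, carrying an invalid issuer response cryptogram, or falling outside a transaction baseline. The switch log lines, core-banking records and baseline are constructed, and the cryptogram is an HMAC stand-in for an EMV ARPC, not the EMV algorithm.

```python
"""Reconcile payment-switch approvals with core-banking authorizations to
surface the FASTCash pattern: the switch emits an approval that the core
banking system never produced.  All data below is constructed; the
cryptogram is an HMAC stand-in for an EMV issuer response cryptogram (ARPC)."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

ISSUER_KEY = b"constructed-issuer-key"   # per-issuer secret (constructed)


def issuer_cryptogram(txn_id, amount, response):
    """Issuer-generated authorization response cryptogram (HMAC stand-in)."""
    msg = f"{txn_id}|{amount}|{response}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:16]


# Core-banking records: only these authorizations were really decided.
CORE_AUTH = {
    "T1001": {"amount": 5000, "response": "00"},    # approved
    "T1002": {"amount": 12000, "response": "51"},   # declined: insufficient funds
}
for _id, _rec in CORE_AUTH.items():
    _rec["arpc"] = issuer_cryptogram(_id, _rec["amount"], _rec["response"])

# Constructed switch log: id|pan_last4|amount|country|time|response|arpc
SWITCH_LOG = [
    "T1001|4421|5000|PK|2018-10-27T02:10:00|00|" + CORE_AUTH["T1001"]["arpc"],
    "T1002|4421|12000|PK|2018-10-27T02:12:00|51|" + CORE_AUTH["T1002"]["arpc"],
    # approvals the switch produced on its own: no core record, forged arpc
    "T2001|4421|50000|US|2018-10-27T03:00:00|00|deadbeefdeadbeef",
    "T2002|4421|50000|BR|2018-10-27T03:00:30|00|deadbeefdeadbeef",
    "T2003|4421|50000|RU|2018-10-27T03:01:00|00|deadbeefdeadbeef",
]
BASELINE = {"home_country": "PK", "max_amount": 20000, "max_per_10min": 2}


def parse(line):
    f = line.split("|")
    return {"id": f[0], "pan": f[1], "amount": int(f[2]), "country": f[3],
            "time": datetime.fromisoformat(f[4]), "response": f[5], "arpc": f[6]}


def reconcile(lines, core=CORE_AUTH, baseline=BASELINE):
    """Return {txn_id: [reasons]} for every approval that should be flagged."""
    flags = defaultdict(list)
    per_card = defaultdict(list)          # recent approval times per card
    for t in (parse(ln) for ln in lines):
        if t["response"] != "00":
            continue                      # only approvals can move money
        core_rec = core.get(t["id"])
        if core_rec is None:
            flags[t["id"]].append("no core-banking authorization")
        elif core_rec["response"] != "00":
            flags[t["id"]].append("core declined but switch approved")
        # the issuer-generated ARPC must match what the issuer would produce
        expected = issuer_cryptogram(t["id"], t["amount"], "00")
        if not hmac.compare_digest(expected, t["arpc"]):
            flags[t["id"]].append("response cryptogram invalid")
        if t["country"] != baseline["home_country"]:
            flags[t["id"]].append("foreign country")
        if t["amount"] > baseline["max_amount"]:
            flags[t["id"]].append("amount above baseline")
        recent = [x for x in per_card[t["pan"]]
                  if t["time"] - x <= timedelta(minutes=10)]
        per_card[t["pan"]] = recent + [t["time"]]
        if len(per_card[t["pan"]]) > baseline["max_per_10min"]:
            flags[t["id"]].append("velocity above baseline")
    return dict(flags)


if __name__ == "__main__":
    for txn, reasons in reconcile(SWITCH_LOG).items():
        print(txn, "->", "; ".join(reasons))
```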


Rewterz’s SOC team has released specific recommendations for the internal security monitoring and incident response teams, to help them detect such advanced APT attacks.


Integration for Cyber Security Monitoring Visibility


The following should be enabled and integrated into your centralized security monitoring platform, such as a SIEM or log management system, to detect such advanced APT attacks:


  • Network flows for visibility of inbound/outbound traffic and network insight.
  • Detailed system and application auditing in addition to standard logs.
  • Process tracking and network share object auditing.
  • Command-line parameter logging, enabled once process tracking is enabled; this helps analysts understand the parameters the attacker passed to a process.
  • Authentication events.
  • Database events.
  • Advanced malware events.


Use Cases for Cyber Security Monitoring of Switch Application Servers (SWIFT, IRIS, Nimbus, etc.)


  • Outbound connections from switch application servers towards external and local networks.
  • Inbound connections from external and local networks towards the servers.
  • Excessive internal and external connections.
  • Excessive connections made by any process on the application servers.
  • Application servers’ traffic on unknown and high ports.
  • Traffic deviations.
  • IoC hits on servers from advanced malware.
  • Traffic of the administrators who manage the switch application servers.
  • Any activity performed on the servers by administrators.
  • All authentication performed by processes and services on the switch application servers.
  • All authentication attempts on the servers.
  • Monitor applications and services that are talking to other systems.
  • Monitor all the extensions and processes on these systems with their path of execution, specifically for bin, js, ps1, exe, vbs, png, rtf, docm, xlsm, xltm, bat, jar, msi, scr, hta, cmd, vbe, txt, jse, lnk, and inf.
  • All activities of privileged users who have logged in to the switch application servers.
  • File share activities of privileged users.

The Worst Data Breaches of 2018

In 2017, the world witnessed more data breaches than in any year prior. There were a total of 1,293 data breaches, compromising more than 174 million records. As we near the end of October, this disturbing trend has continued this year as well.


As employees and business consumers, we should be concerned about these threats to our most precious assets. Protecting user data has become increasingly important amid the implementation of stricter regulation.


Companies are no longer just required to announce that their systems have been breached but also pay fines that can reach up to 4 percent of their annual turnover. The increasing sophistication of cyber-attacks coupled with the overall lack of cybersecurity has led to the greatest data breaches and the loss of data records on a global scale.



This year, big names such as Google, Facebook, Nadra, Uber, Careem, and British Airways have joined the ever-growing list of breach victims. Data breaches can result in loss of millions, even billions, of private records and sensitive data, affecting not just the breached organization but also the concerned victims whose critical assets may have been stolen.



As we near the end of 2018, it’s time to tally up this year’s breaches. Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised. This list is not in order of rank.


Earlier this year Google discovered a vulnerability in an API for the company’s social networking effort Google+, which made it possible for third-party app developers to access data from the friends of the app users.



According to the Wall Street Journal, more than 500,000 Google Plus users had their data exposed this past spring through a third-party application. Google not only exposed this data but then it chose not to disclose it, fearing reputational damage.


Exposed data included names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
In response, parent company Alphabet decided to shut down Google+ completely and for good.


The Facebook security breach discovered in September 2018 was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them, exposing the accounts of nearly 50 million users.




The vulnerability was introduced on the site in July 2017, but Facebook didn’t know about it until September 16, 2018, when it spotted unusual activity. This could mean the hackers had access to user data for a long time, as Facebook is not yet sure when the attack began.


Zuckerberg said that the attackers were using Facebook developer APIs to obtain some information, like “name, gender, and hometowns” that’s linked to a user’s profile page.



Earlier this year, we witnessed the biggest data breach in the history of Pakistan as reports claimed that Punjab Information Technology Board (PITB) is responsible for creating vulnerable mobile applications directly connected with the API of NADRA, which can request details of any Pakistani citizen using different means.




According to WikiLeaks and Julian Assange, American and British intelligence agencies acquired access to NADRA’s database and got hold of the identification records of Pakistanis.

According to an Information Security expert Faiz Ahmed Shuja, the CEO of Rewterz, the data was leaked due to unregulated e-governance apps, such as those that sold online tickets of cricket matches in Pakistan.


NADRA provides access to different government organizations; for example, when you go to buy a mobile phone SIM, you provide your fingerprints, which are matched against your NADRA data to verify your identity.


He further said:

“NADRA had given this kind of access to different government departments as well as the Punjab Information Technology Board (PITB), who launched an application to sell cricket match tickets. People would give their ID credentials and get their tickets; these applications have been misused. The authority should provide only what is required to government apps instead of giving them complete access to all its data.”





In September 2018, reports confirmed that ride-hailing firm Uber will pay £133m to settle all legal action over the cyber-attack that exposed data from 57 million customers and drivers in 2016.
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States.



Uber only revealed some information about the data breach in November 2017, after numerous reports about the incident. It has now been confirmed that the company paid the hackers $100,000 (£761,71) to hide the data breach.



British Airways



British Airways revealed on 6 September that passengers who made or updated a booking via the website or the BA app became victims of a data breach affecting 380,000 transactions, involving stolen personal and financial information, but not passport or flight details.



The data was compromised over a two-week period between 21 August and 5 September, during which a ‘sophisticated’ attack was carried out on both the company’s website and app.


“We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over [the website] and app,” Alex Cruz, CEO of BA, told the BBC’s Today programme.

“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”



He said that customers at risk are now being contacted and advised to ask their bank or credit card provider on how to manage the data breach.


“Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimize the loss of data.”


Careem, in a public statement issued on April 23, said that it “has identified a cyber incident involving unauthorized access to the system we use to store data”. The breach involved access to Careem’s data storage system for 14 million riders and 558,800 captains.




The breach affects all customers and captains who signed up with the service before January 14, 2018. Close to three out of every four users have been a victim of this breach.



“On January 14 of this year, we became aware that online criminals gained access to our computer systems which hold customer and captain account data. Customers and captains who have signed up with us since that date are not affected,” stated the company on its ‘blog’ section.

IT experts and customers are now accusing the company of negligence for not reporting the incident for more than three months.


The company has also warned users to take safety measures on their own, and be vigilant over their bank account usage and credit card transactions, hinting that there could be a possibility of misuse. It has also asked users to “update” passwords and implement “good password management.”

A Cybersecurity Fiasco: Chinese Spies Plant a Microchip to Tamper US Tech-Giants’ Server



Bloomberg Businessweek reported earlier this month that Chinese spies allegedly exploited the technology supply chain of 30 major US companies, including Apple and Amazon, by planting tiny microchips on motherboards used in their servers.


The malicious chips, which were not part of the original server motherboards designed by the U.S.-based company Super Micro, had allegedly been inserted during the manufacturing process in China.


The chips, which Bloomberg said have been the subject of a top-secret U.S. government investigation started in 2015, would allow attackers to covertly modify these servers, bypass software security checks, gather intellectual property, trade secrets and essentially give the Chinese government a complete backdoor into these American companies’ network.


If true, this might be one of the largest corporate espionage and hardware hacking programs in the history of cybersecurity.





However, the impacted companies, such as Apple and Amazon, are fiercely disputing the claims. Meanwhile, Supermicro and the Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg’s findings in lengthy statements.


Some highlights from the responses released by Apple, Supermicro and Amazon, according to a Bloomberg report are listed below:


“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”



“While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.”



“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.


We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.”



These assertive statements are leading national security experts to question who exactly is telling the truth. The prospect of this kind of attack is very real, but the fact that Bloomberg and the companies named in the story are at odds is confusing everyone, and a sign that we are probably not done hearing about this story anytime soon.


However, if the Bloomberg story turns out to be true, Amazon and Apple would appear to be lying and dismissing a potential global security risk. Ultimately, a deeper look into this potential attack is warranted.

Rewterz Threat Advisory – CVE-2018-3253 – Oracle ‘Virtual Directory Manager’ Vulnerability

Oracle Virtual Directory is vulnerable to information disclosure, data manipulation or Denial of Service attack, and can be exploited by a malicious user with low privileges.


PUBLISH DATE:  23-10-2018


A vulnerability was found in Oracle Virtual Directory, which if exploited by malicious users may lead to disclosure of sensitive information, manipulation of data, or may cause a DoS (Denial of Service). Oracle has released updates for patching the vulnerability.


The vulnerability lies in the Oracle Virtual Directory component of Oracle Fusion Middleware (subcomponent: Virtual Directory Manager). A successful exploit can lead to disclosure of sensitive information or data manipulation such as unauthorized updates, manipulation of access privileges to the Oracle Virtual Directory, unauthorized read access, or partial denial of service of the Oracle Virtual Directory.



The vulnerability has been reported in two of the supported versions of Oracle virtual directory, that are and



The Active Directory password hash was found to be stored in Oracle Virtual Directory, where by default it was readable by all authenticated users and computer objects, including low-privileged ones. Researchers were able to use it to crack passwords.



The vulnerability can be exploited by a malicious user with network access via HTTP to compromise the directory. In short, an attack on the Oracle Virtual Directory may impact the confidentiality, integrity and availability of an organization using a vulnerable version of the directory.



Oracle Virtual Directory 11.x


The vulnerability is reported in versions and


Oracle has recently released updates to patch this vulnerability. Apply the available updates to ensure proper and timely precautionary measures. Follow the link for help:

(users may need to log-in to access the contents of the URL)



If you think you’re a victim of a cyber-attack, immediately send an email to

Rewterz Threat Advisory – GhostDNS campaign: Trusted binaries abused, DLL Hijacking and Code Injection

A new DNS hijacking campaign called GhostDNS has been observed in Brazil; it redirects e-banking customers to phishing web pages.


PUBLISH DATE:  22-10-2018


A DNS hijacking campaign originating in Brazil, named GhostDNS, was found to be affecting over 100,000 compromised home routers. The campaign aims to redirect Brazilian e-banking customers to specially crafted phishing web pages.


Security researchers at Cybereason found that trusted, signed binaries from companies such as HP, NVIDIA, RealTek and VMware were also being misused. The attackers hid malicious code that these binaries would load through a hijacked DLL, and went as far as injecting it directly into trusted programs.



To operate quietly, attackers are abusing trusted and signed binaries, and are hijacking DLLs, to utilize trusted programs as their “malware launchers”. The PowerShell scripts used for execution in this campaign are identical to those previously associated with Brazilian and Chilean campaigns. Some Portuguese references found in the scripts provide evidence that the attackers have Portuguese links.



A reference in an RTF file to two entries by the name of “Equation.3” indicates that attackers are exploiting a Microsoft Office Memory Corruption Vulnerability in their attacks (CVE-2017-11882).



The vulnerability is a remote code execution flaw; when exploited, it lets the attacker run arbitrary code in the context of the current user. This means that an attacker could take control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights, if the current user is logged in with administrative privileges.
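An added detection example, not code from Cybereason or Rewterz: a Python scanner that flags RTF documents embedding an Equation Editor (“Equation.3”) OLE object, the container in which CVE-2017-11882 exploits arrive. It checks both the \objclass control word and the hex-encoded OLE1 header inside \objdata, which still names the class when \objclass is omitted; the sample documents are constructed.

```python
"""Flag RTF files that embed an Equation Editor OLE object ("Equation.3"),
the carrier used for CVE-2017-11882.  Two signals are checked: the
\\objclass control word, and the class name inside the hex-encoded OLE1
header of \\objdata, which survives even when \\objclass is stripped.
The sample documents at the bottom are constructed, not real malware."""
import re

OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9.]+)", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)", re.I)   # hex run up to '}'
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def decode_objdata(blob):
    """\\objdata is hex with arbitrary whitespace and line breaks interleaved."""
    clean = NON_HEX_RE.sub(b"", blob)
    return bytes.fromhex(clean[: len(clean) & ~1].decode())


def ole1_class_name(raw):
    """Parse the OLE1 header at the start of \\objdata: OLEVersion (4 bytes),
    FormatID (4 bytes; 1 = linked, 2 = embedded), then a length-prefixed,
    NUL-terminated ANSI class name."""
    if len(raw) < 12:
        return None
    fmt = int.from_bytes(raw[4:8], "little")
    if fmt not in (1, 2):
        return None
    n = int.from_bytes(raw[8:12], "little")
    name = raw[12:12 + n].rstrip(b"\x00")
    return name.decode("latin-1") or None


def scan_rtf(data):
    """Return a list of findings; empty means no Equation object was seen."""
    findings = []
    if not data.lstrip().startswith(b"{\\rt"):   # '\rtf1' is often truncated
        return findings
    for m in OBJCLASS_RE.finditer(data):
        name = m.group(1)
        if name.lower().startswith(b"equation"):
            findings.append(f"objclass {name.decode()}")
    for m in OBJDATA_RE.finditer(data):
        raw = decode_objdata(m.group(1))
        name = ole1_class_name(raw)
        if name and name.lower().startswith("equation"):
            findings.append(f"objdata class {name}")
        elif b"Equation.3" in raw:                 # header damaged or padded
            findings.append("objdata class Equation.3")
    return findings


# Constructed samples.  The \objdata hex is a real-format OLE1 header:
# version 0x00000501, FormatID 2 (embedded), length 11, "Equation.3\0".
MAL_OBJCLASS = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e33"
                b"0000000000}}}")
MAL_OBJDATA_ONLY = (b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000\r\n"
                    b"0b000000 45717561 74696f6e 2e3300}}}")
BENIGN = b"{\\rtf1\\ansi Quarterly report {\\b bold} text}"

if __name__ == "__main__":
    for label, doc in (("objclass", MAL_OBJCLASS), ("objdata-only", MAL_OBJDATA_ONLY),
                       ("benign", BENIGN)):
        print(label, "->", scan_rtf(doc))
```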


A list of threat indicators is available so that systems can be protected against this campaign.


Following is a list of threat indicators associated with the campaign.




Organizations may consider blocking these threat indicators in line with their security rules; however, IP and domain blocking requires diligence to avoid impact on legitimate operations. Moreover, the attackers appear to be exploiting an old Microsoft Office memory corruption vulnerability (CVE-2017-11882) to execute code, so all users should ensure that this vulnerability is patched.



Since phishing techniques are also constantly evolving, employee training and awareness programs about social engineering and phishing scams should be considered.



If you think you’re the victim of a cyber-attack, immediately send an e-mail to


Copyright © Rewterz. All rights reserved.