November 23, 2021 - Anomali Threat Research

Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Data breach, Data leak, Malspam, Phishing,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/UXXrXitxQjivsvmmAcpb"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/" target="_blank">Emotet malware is back and rebuilding its botnet via TrickBot</a></h3> <p>(published: November 15, 2021)</p> <p>After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once a device is infected with Emotet, in addition to the device being used to send malspam, additional malware can be downloaded and installed on it for various purposes, including ransomware. Researchers have not currently seen any spamming activity or any known malicious documents dropping Emotet malware, apart from delivery via TrickBot. It is possible that Emotet is using TrickBot to rebuild its infrastructure and steal email chains it will use in future spam attacks.<br/> <b>Analyst Comment:</b> Phishing continues to be a preferred method for initial infection by many actors and malware families. 
End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.</p> <p><b><em>***For Anomali ThreatStream Customers***</em></b><br/> <em>To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.</em></p> <p><b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3905084" target="_blank">[MITRE ATT&amp;CK] Shared Modules - T1129</a> | <a href="https://ui.threatstream.com/ttp/947266" target="_blank">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947117" target="_blank">[MITRE ATT&amp;CK] Automated Collection - T1119</a><br/> <b>Tags:</b> Emotet, Trickbot, phishing, ransomware</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.infosecurity-magazine.com/news/wind-turbine-giant-offline-after/" target="_blank">Wind Turbine Giant Offline After Cyber Incident</a></h3> <p>(published: November 22, 2021)</p> <p>The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. 
The company has announced that some data has been compromised. The investigation of this incident is ongoing, but it may have been a ransomware attack. Incidents of ransomware across the globe increased by nearly 500% in 2020. The attack appears to have started on Friday, November 18, 2021. Researchers warn that these attacks will likely continue to increase, especially given the news that the Emotet botnet is undergoing a resurgence.<br/> <b>Analyst Comment:</b> A robust and tested backup and disaster recovery program can help organizations prevent extended outages due to a cyber attack. Data loss prevention (DLP) as well as monitoring can also help prevent an initial attack from rapidly spreading across an organization.<br/> <b>Tags:</b> data breach, Europe, energy, manufacturing</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-fatpipe-vpn-zero-day-actively-exploited/" target="_blank">Patch Now! FatPipe VPN Zero-day Actively Exploited</a></h3> <p>(published: November 18, 2021)</p> <p>A patch has been made available to fix a flaw in FatPipe VPN products MPVPN, WARP, and IPVPN. This flaw has been actively exploited by malicious actors for at least six months. Users of the affected products are encouraged to upgrade immediately to versions 10.1.2r60p93 and 10.2.2r44p1 or later. If users are unable to upgrade immediately, they are encouraged to disable access to the web administration UI from the WAN interfaces and/or set access control lists (ACLs) to only allow access from trusted sources.<br/> <b>Analyst Comment:</b> The workarounds described by FatPipe for this vulnerability are good ones for all devices on the network, especially those that have a web administration tool. If access from the internet to these devices cannot be turned off, then using regularly updated ACLs to limit access to trusted devices should be required. 
Regular audits and updates, especially for critical network devices should be part of everyone's defense in depth program.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947258" target="_blank">[MITRE ATT&amp;CK] Bypass User Account Control - T1088</a> | <a href="https://ui.threatstream.com/ttp/947247" target="_blank">[MITRE ATT&amp;CK] Web Shell - T1100</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947094" target="_blank">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947217" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/3905767" target="_blank">[MITRE ATT&amp;CK] Modify Authentication Process - T1556</a><br/> <b>Tags:</b> FatPipe VPN, web shell, zero-day</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/redcurl-corporate-espionage-hackers-resume-attacks-with-updated-tools/" target="_blank">RedCurl Corporate Espionage Hackers Resume Attacks with Updated Tools</a></h3> <p>(published: November 18, 2021)</p> <p>The advanced persistent threat (APT) group known as RedCurl, which has been active since 2018, has resurfaced in a new set of attacks utilizing updated tools. 
This group, believed to consist of sophisticated hackers, engages in corporate espionage and is known for staying hidden in victim organizations for two to six months during an attack before exfiltration of corporate information. The group appears to have stopped activity for seven months before resuming with significantly updated tools and attack techniques. The latest attacks include one of Russia’s largest wholesale companies, and another organization that they have previously breached.<br/> <b>Analyst Comment:</b> Telemetry and monitoring are critical pieces of an organization's security posture, especially to detect an APT after initial compromise to prevent data breaches. As many of these attacks begin with spearphishing, users should be trained to detect these emails and always use caution when opening attachments or links from emails.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947153" target="_blank">[MITRE ATT&amp;CK] Scheduled Transfer - T1029</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a><br/> <b>Tags:</b> APT, RedCurl, spearphishing, FSABIN, CHABIN1, CHABIN2, LNK</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a 
href="https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft" target="_blank">Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities</a></h3> <p>(published: November 17, 2021)</p> <p>The Cybersecurity and Infrastructure Security Agency (CISA), along with other US government agencies and Australian and United Kingdom cyber security agencies, has issued a joint alert highlighting ongoing malicious activity by Iranian government-sponsored actors. These attacks leverage well-known vulnerabilities in Microsoft Exchange and Fortinet devices to attack a wide range of organizations across various sectors. The actors can leverage the initial access gained via these flaws to perform data exfiltration, ransomware, lateral movement, and other attacks.<br/> <b>Analyst Comment:</b> Administrators should take special care to update their devices and make sure that they are minimally exposed to the external internet. This, alongside good internal telemetry, can ameliorate a large number of potential threats.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> APT, CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, Fortinet, Iran, Microsoft Exchange, ProxyShell</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/microsoft/new-microsoft-emergency-updates-fix-windows-server-auth-issues/" target="_blank">New Microsoft emergency updates fix Windows Server auth issues</a></h3> <p>(published: November 15, 2021)</p> <p>Microsoft has released a set of out-of-band patches to fix an issue breaking single sign-on (SSO) introduced by the November 9, 2021 security updates. 
When the security updates are applied to a Windows Server domain controller, they can cause failures for users attempting to use Kerberos tickets from Service for User to Self (S4U2self). Administrators of affected Windows Server versions are encouraged to download and install the new patches, which are not automatically available via Windows Update.<br/> <b>Analyst Comment:</b> In addition to regular updates, it is also important for administrators to check for any issues resulting from security updates. Having good asset and vulnerability programs is a vital part of defense in depth and can assist with identifying devices that need updating.<br/> <b>Tags:</b> Kerberos, Microsoft, Windows Server</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank">Uncovering MosesStaff techniques: Ideology over Money</a></h3> <p>(published: November 15, 2021)</p> <p>Researchers describe the techniques of the threat actor group MosesStaff, which has been targeting Israeli organizations starting in September 2021. These attacks appear to be ideologically motivated and involve data exfiltration and encrypting affected devices with no ransom demands. Attackers get initial access to the network by exploiting known vulnerabilities in public-facing applications and then move laterally using tools like PsExec, WMIC, and PowerShell. A bootloader is installed as one of the initial steps to ensure that, even if subsequent encryption using DiskCryptor did not complete, the user cannot access the computers. The researchers provide a detailed walkthrough of the infection chain utilized in these attacks, as well as analysis of their two main tools, PyDCrypt and DCSrv.<br/> <b>Analyst Comment:</b> Regular patching is a critical component of an organization's defense in depth program, as actors continue to exploit vulnerabilities that have patches available. 
Having good internal telemetry, protections, and a process of least permissions can often prevent wide exploitation of an attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> DCSrv, Israel, MosesStaff, PyDCrypt</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://threatpost.com/intel-processor-bug-encryption-keys/176355/" target="_blank">High-Severity Intel Processor Bug Exposes Encryption Keys</a></h3> <p>(published: November 15, 2021)</p> <p>Researchers have discovered a security flaw in Intel processors that would allow actors to acquire encryption keys and read encrypted files. This flaw has been given the Common Vulnerabilities and Exposures (CVE) identifier of CVE-2021-0146, and is a result of debugging capabilities that are not protected well enough and have excessive permissions for unauthenticated users. This flaw is found in a range of Intel processors that are used in laptops, desktops, and IOT devices.<br/> <b>Analyst Comment:</b> Users with affected processors are encouraged to update the UEFI BIOS with patches provided by the device manufacturer. 
Asset management and updates are critical to maintaining an organization's security, especially for sensitive devices, even if encryption has been implemented.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947118" target="_blank">[MITRE ATT&amp;CK] Clipboard Data - T1115</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> CVE-2021-0146, encryption, intel, UEFI</p> </div>
