Anomali Cyber Watch: APT, Finance Ransomware and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China Chopper, Gozi, Hafnium, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Ransomware Gang Plans to Call Victim's Business Partners About Attacks

(published: March 6, 2021)

The REvil ransomware operation, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) where the ransomware operators develop the malware and payment site. As part of this deal, the REvil developers earn between 20-30% of ransom payments, and the affiliates make the remaining 70-80%. The new tactics include a free service where the threat actors will perform VOIP (Voice Over IP) calls to the media and victim's business partners with information about the attack.
Recommendation: An interesting development in the ongoing growth of ransomware attacks is the concurrent growth in the customer service provided by threat actors. As far back as 2017, threat actors reportedly offered victims customer service portals and even direct contact to help facilitate ransom payments. As this latest report indicates, cybercriminals continue to evolve on the service side of their industry, now offering to act directly with media and third parties as a means to either drive payments or punish victims who refuse to pay ransoms.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] External Remote Services - T1133
Tags: REvil, SunCrypt, Sodinokibi, Locker, Avaddon, Avaddon ransomware, Ragnar Locker

Ongoing Phishing Attacks Target US Brokers with Fake FINRA Audits

(published: March 5, 2021)

The US Financial Industry Regulatory Authority (FINRA), the non-governmental securities regulator that supervises over 624K brokers responsible for billions of dollars, issued a regulatory notice warning US brokerage firms and brokers of an ongoing phishing campaign using fake compliance audit alerts to harvest information. The financial regulator says that the phishing messages are being sent from a recently registered web domain spoofing a legitimate FINRA website and recommending that "anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident."
Recommendation: While FINRA rarely issues regulatory notices, they have published four in the past year with this being the second to target brokers specifically. The use of spoofed domain names that closely resemble legitimate domains associated with FINRA, combined with email lures that focus on a high impact topic of audits and appear to be written without many of the obvious errors in grammar and syntax, are consistent with some of the better crafted phishing campaigns of more professionalized threat actors or groups.
Tags: Phishing, Banking, Finance

Maza Russian Cybercriminal Forum Suffers Data Breach

(published: March 4, 2021)

The Maza cybercrime forum, also known as Mazafaka, reportedly suffered a data breach leading to the leak of user information on or about 3 March 2021. The forum, which has been online since at least 2003, is a closed and heavily-restricted conclave for Russian-speaking threat actors that has been connected to carding operations and the discussion of malware, exploits, spam, and money laundering. According to Flashpoint, approxiamately 2,000 accounts were exposed, including user IDs, usernames, email addresses, passwords (both hashed and obfuscated), and links to messenger apps that included Skype, MSN, and Aim.
Recommendation: This is not the first time Maza has been compromised. In 2011, a hack of the same forum was attributed to rival group DirectConnection, who were later hacked as retaliation. Russian threat actor Aleksei Burkov, known by the alias "Kopa," was suspected of serving as an administrator for both Maza and DirectConnection. Considering Burkov was recently sentenced to nine years in a U.S. prison for operating the CardPlanet forum, and that two additional Russian cybercrime forums (Verified and Crdclub) were also recently reported to be compromised, speculation that Burkov may be helping U.S. authorities is understandable. Russian cybercriminals have expressed concerns that their identities may have been exposed. Increased fear and distrust withiin the cybercrime community is usually a prominent, albeit temporary, result of disruptions like these.
Tags: Cybercrime, Banking, Finance, Russia

Microsoft Reveals 3 New Malware Strains Used by SolarWinds Hackers

(published: March 4, 2021)

Microsoft has revealed information on newly found malware the SolarWinds hackers deployed on victims' networks as second-stage payloads. The company now tracks the "sophisticated attacker" who used the Sunburst backdoor and Teardrop malware during the Solarwinds supply-chain attack as Nobelium. The Nobelium hackers used these malware strains during late-stage activity between August and September 2020. Still, it is believed that Nobelium dropped them on victims' systems as early as June 2020.
Recommendation: The attack on SolarWinds continues to be analyzed, with new discoveries every week. The additional strains reported on by Microsoft included a Go-based malware used to create a command-and-control (C2) backdoor, a VBScript-based malware for maintaining persistence, and another Go-based malware most likely used for detecting servers and redirectors between infected devices and the C2 server. While none of this new information points to a specific actor or group, it all supports ealier assessments that this was almost certainly a very sophisticated, nation-state sponsored actor or group. Widespread reporting continues to point the finger at China, while Beijing has followed their customary pattern of denying any involvement in cyber attacks.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Windows Management Instrumentation - T1047
Tags: UNC2452, StellarParticle, SolarStorm, Solarwinds, Dark Halo, Nobelium, GldMax, Sibot, GoldFinder, Teardrop, Sunburst, Banking, Finance

Ransomware is a Multi-billion Industry and it Keeps Growing

(published: March 4, 2021)

Global cybersecurity company Group-IB recently reported that instances of ransomware attacks increased by 150% over the past year, wih the average ransom more than doubling to $170,000 per event. On the top end of this trend, ransomware groups Maze, DoppelPaymer, ProLock, and RagnarLocker have been demanding ransoms that average $1-2M per event while the most lucrative ransomware event of the year was the $34M ransom that Ryuk ransomware actors extracted from an unnamed victim. The primary vectors for compromise were reportedly Remote Desktop Protocol (RDP), phishing, and the exploitation of public-facing applications such as Citrix, WebLogic, VPN servers, and Microsoft Exchange. Botnets continue to be ransomware actors' tool of choice for initial access, and the actors have been observed spending an average of 13 days inside compromised networks - likely increasing control, identifying targeted data, and removing backups - before deploying encyption.
Recommendation: Ransomware continues to be one of the most prevalent types of cyberattacks because it is relatively easy, tools are inexpensive to acquire, attacks continue to be successful, and the profit potential remains high. As ransomware is often delivered via phishing emails, threat actors can target thousands of companies simultaneously with little effort. If only a small percentage of those phishing emails result in compromises, the campaign is still likely to be wildly profitable.Additionally, as Remote Desktop Protocols (RDP) continue to be an area where poor security is common, threat actors are increasingly using this as a ransomware attack vector. Despite a growing list of public ransomware attacks, the large body of companies with poor security cultures supports the assessment that this trend of increasing ransomware attacks is likley to continue for the foreseeable future.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] External Remote Services - T1133
Tags: Maze, DoppelPaymer, Group-IB, Ryuk, IcedID, Conti, Qakbot, Egregor, Trickbot, ProLock, RagnarLocker, Banking And Finance, EU, UK

Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

(published: March 3, 2021)

A recent spate of attacks targeting several large enterprises, including but not limited to Amazon, Lyft, Slack and Zillow, appears to be the work of unidentified threat actors who have weaponized security researcher Alex Birsan’s proof-of-concept exploit around “dependency confusion.” Birsan’s research showed that rogue code could be easily injected into developer projects by loading the malicious code into a public repository and waiting for that code to be ingested by targeted companies. Hoping to duplicate Birsan’s results, but with malicious intent, copycat hunters uploaded over 275 packages to an open-source repository for software packages within 48 hours of Birsan’s research be published. Because packages are uploaded to public repositories, there is little barrier to entry for malicious actors. Additionally, because updates from open-source repositories are often automatic, malicious code in the repository will likely automatically infect victims in the next update cycle.
Recommendation: Just as with the recent SolarWinds compromise, malicious actors learned of a systemic weakness identified in legitimate research and weaponized it almost instantly. Organizations working on open-source development projects should disable automatic updates of unvetted code and will be challenged with balancing the time and effort of reviewing all code coming in from open-source repositories against the risk of compromise that comes with trusting that code.
MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Trusted Relationship - T1199
Tags: Banking, Finance

Microsoft Exchange Zero-Day Attackers Spy on U.S. Targets

(published: March 3, 2021)

Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. The culprit is believed to be a China-sponsored advanced persistent threat group known as Hafnium, which has a history of targeting assets in the United States with cyber-espionage campaigns. The four zero-day bugs were used to gain initial access to targeted servers and achieve remote code execution (RCE). Hafnium operators then deployed web shells on the compromised servers to steal data and expand the attack. Following web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity: • Using Procdump to dump the LSASS process memory • Using 7-Zip to compress stolen data into ZIP files for exfiltration • Adding and using Exchange PowerShell snap-ins to export mailbox data • Using the Nishang Invoke-PowerShellTcpOneLine reverse shell • Downloading PowerCat from GitHub, then using it to open a connection to a remote server The attackers were also able to download the Exchange offline address book from compromised systems.
Recommendation: Hafnium appears to be operating from primarily US-based, leased virtual private servers which will present challenges for blocking of network traffic and confident attribution. Microsoft has labeled Hafnium as "highly skilled and sophisticated, " but Red Canary offered some consolation to vicims by noting that Hafnium's "post-exploitation activity is very detectable." As we expect this campaign to grow, with additional threat actors and groups likely to try to capitalize on the opportunity, it is vital that organizations using Microsoft Exchange Server apply the latest patches immediately.
MITRE ATT&CK: [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Redundant Access - T1108 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Process Discovery - T1057
Tags: China Chopper, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, Banking And Finance, Government, Healthcare, North America, China

The Ursnif Banking Trojan has Hit Over 100 Italian Banks

(published: March 3, 2021)

Avast Threat Labs discovered attacks against at least 100 banks in Italy through the use of Ursnif, a banking Trojan that has existed since at least 2007. The unidentified threat actors responsible for these attacks have shown a keen interest in Italian banking institutions, resulting in the loss of customer credentials and financial data. In one particular instance, an unnamed payment processor had over 1,700 sets of credentials stolen by the malware. Avast shared its findings with the victim banks they were able to identify, CERTFin Italy, and a financial services data exchange managed by the Bank of Italy and the Italian Banking Association (ABI).
Recommendation: This campaign is consistent with previously reported compromises utilizing Ursnif and targeting the banking industry in Italy and the United States. While this particular reporting did not identify specific tactics, techniques and procedurs (TTP) used against Italian banks, Ursnif has been associated with a long list of MITRE ATT&CK techniques attached to this report.
MITRE ATT&CK: [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man in the Browser - T1185 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Connection Proxy - T1090 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Replication Through Removable Media - T1091 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Taint Shared Content - T1080 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Windows Management Instrumentation - T1047
Tags: Gozi, Ursnif, Dreambot, Banking And Finance, EU & UK, Russia

Passwords, Private Posts Exposed in Hack of Gab Social Network

(published: March 1, 2021)

The self-proclaimed "transparency collective" known as Distributed Denial of Secrets (DDoSecrets) reportedly received more than 70 gigabytes of data exfiltrated from the Gab social media network. DDoSecrets stated that a hacker was able to obtain the exposed data - including individual and group profiles, hashed account passwords, and 40 million public and private messages - through an SQL injection vulnerability in the site. DDoSecrets claimed no role in the hack, instead crediting “JaXpArO and my Little Anonymous Revival Project.”
Recommendation: Gab CEO Andrew Torba initially denied the breach through a statement on the Gab website before later confirming the breach via Twitter. The significance of this breach is that, unlike most other social media platforms, Gab caters to far-right and alt-right users, including conspiracy theorists and neo-Nazis. The trove of released information of user identities and specific conversations will likely be of significant interest to law enforcement, especially those supporting ongoing investigations into the 6 January attack on the U.S. Capitol.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: Social Media, Gab, Breach


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.