March 17, 2021
Anomali Threat Research

Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, AlientBot, Clast82, China, DearCry, RedXOR,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="" /><br /> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Google: This Spectre proof-of-concept shows how dangerous these attacks can be</a></h3> <p>(published: March 15, 2021)</p> <p>Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser&#39;s JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88&#39;s V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.<br /> <b>Analyst Comment:</b> As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.<br /> <b>Tags:</b> CVE-2017-5753</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="" target="_blank">Threat Assessment: DearCry Ransomware</a></h3> <p>(published: March 12, 2021)</p> <p>A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.<br /> <b>Analyst Comment:</b> Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted - T1022</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&CK] Email Collection - T1114</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] System Service Discovery - T1007</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="" target="_blank">[MITRE ATT&CK] Service Stop - T1489</a><br /> <b>Tags:</b> WannaCry, DEARCRY, WCry, WanaCry, DearCry, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="" target="_blank">New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor</a></h3> <p>(published: March 10, 2021)</p> <p>A newly discovered sophisticated backdoor has been targeting Linux endpoints and servers. Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed to be developed by Chinese nation-state actors. The backdoor masquerades itself as polkit daemon. named it RedXOR for its network data encoding scheme based on XOR.<br /> <b>Analyst Comment:</b> Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] File Deletion - T1107</a> | <a href="" target="_blank">[MITRE ATT&CK] Rootkit - T1014</a> | <a href="" target="_blank">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="" target="_blank">[MITRE ATT&CK] Hidden Files and Directories - T1158</a> | <a href="" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="" target="_blank">[MITRE ATT&CK] Execution through API - T1106</a> | <a href="" target="_blank">[MITRE ATT&CK] Disabling Security Tools - T1089</a> | <a href="" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Custom Command and Control Protocol - T1094</a> | <a href="" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a><br /> <b>Tags:</b> Winnti umbrella, RedXOR, Winnti, China</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="" target="_blank">F5 urges customers to patch critical BIG-IP pre-auth RCE bug</a></h3> <p>(published: March 10, 2021)</p> <p>F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions. The four critical vulnerabilities listed below also include a pre-auth RCE security flaw (“CVE-2021-22986”) which allows unauthenticated attackers to execute arbitrary commands on compromised devices. F5 claims that 48 of the Fortune 50 rely on F5.<br /> <b>Analyst Comment:</b> It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] System Service Discovery - T1007</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a><br /> <b>Tags:</b> RCE, Pioneer Kitten, CVE-2021-22992, CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2020-5902, Government, MilitaryChina</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="" target="_blank">Clast82 – A new Dropper on Google Play Dropping the AlienBot Banker and MRAT</a></h3> <p>(published: March 9, 2021)</p> <p>Check Point Research recently discovered a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. This Dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect detection, completes the evaluation period successfully. The malware&#39;s ability to remain undetected demonstrates the importance of why a mobile security solution is needed.<br /> <b>Analyst Comment:</b> Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that request additional software is needed in order to access, or properly view content should be properly avoided. Additionally, mobile security applications provided from trusted vendors are recommended. Furthermore, this story shows the potential of malicious applications bypassing the security measures of application stores and therefore it is crucial that all permissions of an application be examined prior to download.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation of Remote Services - T1210</a> | <a href="" target="_blank">[MITRE ATT&CK] Create Account - T1136</a> | <a href="" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a><br /> <b>Tags:</b> MRAT, Adwind, AlienBot, TeamViewer, Banking And Finance, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="" target="_blank">Iranian Hackers Using Remote Utilities Software to Spy On Its Targets</a></h3> <p>(published: March 8, 2021)</p> <p>Trend Micro has expanded upon research published by Anomali last month regarding recent activity of a suspected Iranian government linked actor. This campaign, dubbed "Earth Vetala" by Trend Micro, leverages spearphishing emails with OneHub (a popular file-sharing service) to download a malicious .zip file that downloads and installs a remote access tool developed by RemoteUtilities. These attacks seem to mainly target organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE.<br /> <b>Analyst Comment:</b> In addition to defense in depth and endpoint protections, it is important for organizations to continue to train their workforce about methods to detect phishing emails. Where possible, notifications around software installations, including legitimate software not authorized by the organization would allow for early detection of this type of attack.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Spearphishing Link - T1192</a><br /> <b>Tags:</b> APT34, MuddyWater, OneHub</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="" target="_blank">Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices</a></h3> <p>(published: March 8, 2021)</p> <p>Over 100 versions of the QNAP NAS firmware vulnerable attack, released prior to the company&#39;s August 2020 update correcting the problem. The vulnerability, tracked as “CVE-2020-2506”, is an improper-access-control vulnerability that allows attackers to obtain control of a device. The second flaw is a command injection vulnerability that could allow remote attackers to run arbitrary commands. It is unclear what the history of UnityMiner is and who is behind it, as there doesn&#39;t appear to be any previous reports on the malware.<br /> <b>Analyst Comment:</b> Firmware updates are an important part of defense in depth, and should be integrated into organizations patch management policy. Monitoring and alerting on the relevant CVEs would also be beneficial.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&CK] Peripheral Device Discovery - T1120</a> | <a href="" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Connection Proxy - T1090</a><br /> <b>Tags:</b> manaRequest.cgi, Mirai, CVE-2020-2496, CVE-2020-2506, CVE-2020-2495, CVE-2020-2507, North America, China</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="" target="_blank">Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning</a></h3> <p>(published: March 8, 2021)</p> <p>Over the years, multiple critical vulnerabilities have been found in dnsmasq. These vulnerabilities can lead to DNS cache poisoning, denial of service (DoS) and possibly remote code execution (RCE). This blog will review these vulnerabilities in the open source DNS resolver.<br /> <b>Analyst Comment:</b> DNS visibility and security is central to securing modern systems. DNS is frequently used in various stages of attacks, and proper monitoring can be critical to detecting and disrupting attacks<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Uncommonly Used Port - T1065</a> | <a href="" target="_blank">[MITRE ATT&CK] System Time Discovery - T1124</a> | <a href="" target="_blank">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="" target="_blank">[MITRE ATT&CK] Credentials from Web Browsers - T1503</a> | <a href="" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="" target="_blank">[MITRE ATT&CK] BITS Jobs - T1197</a> | <a href="" target="_blank">[MITRE ATT&CK] Install Root Certificate - T1130</a><br /> <b>Tags:</b> frec, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681, CVE-2020-25687, CVE-2020-25686, CVE-2020-25685, CVE-2020-25684</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.