The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlienBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: March 15, 2021)
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included the installation of web shells onto affected servers, which could be used to infect additional computers. While the initial attack appears to have been carried out by sophisticated actors, the ease of exploitation and the publicity around these vulnerabilities have led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks targets locally hosted Exchange servers, organizations may want to assess whether a hosted solution makes sense from a risk standpoint.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Service Stop - T1489
Tags: WannaCry, DEARCRY, WCry, WanaCry, DearCry, North America
(published: March 10, 2021)
A newly discovered sophisticated backdoor has been targeting Linux endpoints and servers. Based on its Tactics, Techniques, and Procedures (TTPs), the backdoor is believed to have been developed by Chinese nation-state actors. The backdoor masquerades as a polkit daemon. The researchers named it RedXOR for its network data encoding scheme, which is based on XOR.
Analyst Comment: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-depth involves the layering of defense mechanisms. This can include network and endpoint security, social engineering training for staff (such as training exercises to help detect phishing emails), and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Execution through API - T1106 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Custom Command and Control Protocol - T1094 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Winnti umbrella, RedXOR, Winnti, China
(published: March 10, 2021)
F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution (RCE) vulnerabilities affecting most BIG-IP and BIG-IQ software versions. The four critical vulnerabilities also include a pre-auth RCE security flaw (CVE-2021-22986) that allows unauthenticated attackers to execute arbitrary commands on compromised devices. F5 claims that 48 of the Fortune 50 rely on F5.
Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Command-Line Interface - T1059
Tags: RCE, Pioneer Kitten, CVE-2021-22992, CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2020-5902, Government, Military, China
(published: March 9, 2021)
Check Point Research recently discovered a new Dropper spreading via the official Google Play store, which downloads and installs the AlienBot Banker and MRAT. This Dropper, dubbed Clast82, uses a series of techniques to avoid detection by Google Play Protect and successfully completes the evaluation period. The malware's ability to remain undetected demonstrates why a mobile security solution is needed.
Analyst Comment: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed to access or properly view their content should be avoided. Additionally, mobile security applications from trusted vendors are recommended. Furthermore, this story shows the potential for malicious applications to bypass the security measures of application stores, so it is crucial that all permissions requested by an application be examined prior to download.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Exploitation of Remote Services - T1210 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Process Injection - T1055
Tags: MRAT, Adwind, AlienBot, TeamViewer, Banking And Finance, Middle East
(published: March 8, 2021)
Trend Micro has expanded upon research published by Anomali last month regarding recent activity of a suspected Iranian-government-linked actor. This campaign, dubbed "Earth Vetala" by Trend Micro, leverages spearphishing emails with OneHub (a popular file-sharing service) to download a malicious .zip file that downloads and installs a remote access tool developed by RemoteUtilities. These attacks seem to mainly target organizations located in Azerbaijan, Bahrain, Israel, Saudi Arabia, and the UAE.
Analyst Comment: In addition to defense in depth and endpoint protections, it is important for organizations to continue to train their workforce on methods to detect phishing emails. Where possible, notifications around software installations, including legitimate software not authorized by the organization, would allow for early detection of this type of attack.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Spearphishing Link - T1192
Tags: APT34, MuddyWater, OneHub
(published: March 8, 2021)
Over 100 versions of QNAP NAS firmware, released prior to the company's August 2020 update correcting the problem, are vulnerable to attack. The vulnerability, tracked as CVE-2020-2506, is an improper-access-control vulnerability that allows attackers to obtain control of a device. The second flaw is a command injection vulnerability that could allow remote attackers to run arbitrary commands. It is unclear what the history of UnityMiner is and who is behind it, as there do not appear to be any previous reports on the malware.
Analyst Comment: Firmware updates are an important part of defense in depth and should be integrated into organizations' patch management policies. Monitoring and alerting on the relevant CVEs would also be beneficial.
MITRE ATT&CK: [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Connection Proxy - T1090
Tags: manaRequest.cgi, Mirai, CVE-2020-2496, CVE-2020-2506, CVE-2020-2495, CVE-2020-2507, North America, China
(published: March 8, 2021)
Over the years, multiple critical vulnerabilities have been found in dnsmasq. These vulnerabilities can lead to DNS cache poisoning, denial of service (DoS), and possibly remote code execution (RCE). This blog reviews these vulnerabilities in the open source DNS resolver.
Analyst Comment: DNS visibility and security are central to securing modern systems. DNS is frequently used in various stages of attacks, and proper monitoring can be critical to detecting and disrupting them.
MITRE ATT&CK: [MITRE ATT&CK] Uncommonly Used Port - T1065 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Credentials from Web Browsers - T1503 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: frec, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681, CVE-2020-25687, CVE-2020-25686, CVE-2020-25685, CVE-2020-25684