June 1, 2021
Anomali Threat Research

Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Agrius, Conti, North Korea, JSWorm, Nobelium, Phishing, Strrat</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-060221.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank">New Sophisticated Email-based Attack From NOBELIUM</a></h3> <p>(published: May 28, 2021)</p> <p>NOBELIUM, the threat actor behind SolarWinds attacks, has been conducting a widespread email campaign against more than 150 organizations. Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion. Once detonated, the attackers have persistent access to a victims’ system for additional objectives such as data harvesting/exfiltration, monitoring, and lateral movement.<br /> <b>Analyst Comment:</b> Be sure to update and monitor email filter rules constantly. As noted in the report, many organizations managed to block these malicious emails; however, some payloads successfully bypassed cloud security due to incorrect/poorly implemented filter rules.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947106" target="_blank">[MITRE ATT&CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&CK] Spearphishing Attachment - T1193</a><br /> <b>Tags:</b> Nobelium, SolarWinds, TearDrop, CVE-2021-1879, Government, Military</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://securelist.com/evolution-of-jsworm-ransomware/102428/" target="_blank">Evolution of JSWorm Ransomware</a></h3> <p>(published: May 25, 2021)</p> <p>JSWorm ransomware was discovered in 2019, and since then different variants have gained notoriety under different names such as Nemty, Nefilim, and Offwhite, among others. It has been used to target multiple industries with the largest concentration in engineering, and others including finance, healthcare, and energy. While the underlying code has been rewritten from C++ to Golang (and back again), along with revolving distribution methods, JSWorm remains a consistent threat.<br /> <b>Analyst Comment:</b> Ransomware threats often affect organisations in two ways. First encrypting operational critical documents and data. In these cases EDR solutions will help to block potential Ransomwares and data backup solutions will help for restoring files in case an attack is successful. Secondly, sensitive customer and business files are exfiltrated and leaked online by ransomware gangs. DLP solutions will help to identify and block potential data exfiltration attempts. Whereas network segregation and encryption of critical data will play an important role in reducing the risk.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947165" target="_blank">[MITRE ATT&CK] Private Keys - T1145</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947082" target="_blank">[MITRE ATT&CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947257" target="_blank">[MITRE ATT&CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947118" target="_blank">[MITRE ATT&CK] Clipboard Data - T1115</a> | <a href="https://ui.threatstream.com/ttp/947267" target="_blank">[MITRE ATT&CK] Drive-by Compromise - T1189</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a><br /> <b>Tags:</b> JSWorm, Nemty, Offwhite, Fusion, Telegram, Nefilim, Milihpen, Gangbang, RIG Exploit Kit, Trik Botnet, EU & UK, North America, South America, Russia, China, Healthcare, Engineering, Finance, Energy</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://threatpost.com/agrius-wiper-attacks-israeli-targets/166474/" target="_blank">Threat Actor ‘Agrius’ Emerges to Launch Wiper Attacks Against Israeli Targets</a></h3> <p>(published: May 25, 2021)</p> <p>Cyber Operations in Israel have been carried out since mid-2020 by a threat group dubbed ‘Agrius’, targeting military and political organizations to commit espionage. The attacks look like ransomware in order to give the appearance of financial motives, but the malware was wiping systems instead. Agrius uses ProtonVPN to mask their traffic when attacking targets using ‘Apostle’ malware. Apostle has been identified as an ASPXSpy variant, which is open-source and has been used in other state-sponsored attacks. It has recently been updated to a fully-fledged ransomware tool, giving more legitimacy to the misdirection of money.<br /> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947247" target="_blank">[MITRE ATT&CK] Web Shell - T1100</a> | <a href="https://ui.threatstream.com/ttp/2402541" target="_blank">[MITRE ATT&CK] Data Destruction - T1485</a><br /> <b>Tags:</b> Apostle, ASPXSpy, Agrius, Israel, Russia, Pakistan, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.darkreading.com/threat-intelligence/macos-zero-day-let-attackers-bypass-privacy-preferences/d/d-id/1341131?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple" target="_blank">MacOS Zero-Day Let Attackers Bypass Privacy Preferences</a></h3> <p>(published: May 25, 2021)</p> <p>Threat actors have been leveraging vulnerabilities (CVE-2021-30663, CVE-2021-30713, CVE-2021-30665) within MacOS to bypass the Transparency Consent and Control framework, enabling them to control which resources are accessible. This allowed for the theft of browser cookies, enabled screenshot capabilities, and access the system disk without the user being aware. Apple has released patches for the associated vulnerabilities.<br /> <b>Analyst Comment:</b> Always make sure to keep systems up to date with the latest patches to prevent systems from being vulnerable to known exploits.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&CK] Code Signing - T1116</a><br /> <b>Tags:</b> XCSSET, CVE-2021-30663, CVE-2021-30713, CVE-2021-30665</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-cryptocore-multi-million-dollar-heists/" target="_blank">North Korean Hackers Behind CryptoCore Multi-Million Dollar Heists</a></h3> <p>(published: May 24, 2021)</p> <p>Reports from ClearSky, F-Secure, JPCERT/CC and NTT Security show that the North Korea-sponsored Lazarus group has engaged in widespread theft over the past three years. This has involved breaching cryptocurrency exchanges in the U.S., Israel, Europe, and Japan. Since 2018, the group has relied on spearphishing attacks as an initial foothold into the exchanges, which are leveraged into RAT and infostealer malware infections. The CryptoCore campaign is responsible for at least five breaches, stealing an estimated $200 million dollars.<br /> <b>Analyst Comment:</b> If engaging in cryptocurrency exchanges, only transfer what is being traded. Keep all other funds stored offline in a hardware wallet to reduce the risk of theft by malicious actors<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947143" target="_blank">[MITRE ATT&CK] Bash History - T1139</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947210" target="_blank">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a><br /> <b>Tags:</b> Lazarus, CryptoCore, CryptoMimic, EU & UK, North America, Russia, North Korea, Banking & Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.zdnet.com/article/fbi-identifies-16-conti-ransomware-attacks-striking-us-healthcare-first-responders/#ftag=RSSbaffb68" target="_blank">FBI identifies 16 Conti Ransomware Attacks Striking US Healthcare, First Responders</a></h3> <p>(published: May 24, 2021)</p> <p>The Conti ransomware group has been linked to at least 16 recent attacks against healthcare organizations in the US, as well as over 400 attacks worldwide. Using open RDP (Remote Desktop Protocol) ports, stolen credentials or phishing emails, the Conti group will gain access to data and not only encrypt it, but also exfiltrate it in an effort to double-up on extortion money from affected targets. This group also attacked Ireland’s Health Service Executive on May 14th and demanded $20 million in ransom to decrypt the data and prevent data leaks.<br /> <b>Analyst Comment:</b> Ransomware becomes much less effective with proper backup and restoration strategies. These will mitigate downtime and prevent the need to payout massive sums of money for decrypters that don&#39;t work (as well as fueling the ransomware industry). If you are an organization that falls victim to ransomware, scan for infections and try to isolate the infected systems.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> Conti, Cobalt Strike, Emotet, Sodinokibi, Mimikatz, Trickbot, Nefilim, EU & UK, North America, Healthcare, Military</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.zdnet.com/article/this-massive-phishing-campaign-delivers-password-stealing-malware-disguised-as-ransomware/#ftag=RSSbaffb68" target="_blank">This Massive Phishing Campaign Delivers Password-Stealing Malware Disguised as Ransomware</a></h3> <p>(published: May 24, 2021)</p> <p>Strrat, a Java-based malware, is currently being delivered a PDF document via a phishing campaign using compromised email accounts. Once the PDF is opened, a connection is made to an external IP and a RAT is downloaded and installed. The victim will see that files have a “.crimson” extension added to them, along with a fake ransomware message. No data is actually encrypted. The strategy is to harvest user credentials and other valuable information while the victim deals with a supposedly-encrypted hard drive.<br /> <b>Analyst Comment:</b> Don&#39;t open attachments from unknown senders pertaining to sensitive subjects (such as finances) without first verifying through a known good communication channel. Doing so will reduce your risk of malware infection.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947268" target="_blank">[MITRE ATT&CK] Hidden Files and Directories - T1158</a> | <a href="https://ui.threatstream.com/ttp/947180" target="_blank">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947087" target="_blank">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947252" target="_blank">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947118" target="_blank">[MITRE ATT&CK] Clipboard Data - T1115</a><br /> <b>Tags:</b> Strrat, Phishing, Infostealer, Ransomware, Banking & Finance, Military</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.